Emergency Diesel Generator for a UK Nuclear Licensed Site

Rationale: Cold start at -10°C is the worst-case scenario for start time per STK-REQ-017; if the engine meets the 3-second criterion at minimum temperature it will meet it at all higher temperatures. The test confirms fuel injection system and compression pressure are sufficient for cold combustion. Procedure: record time via exhaust thermocouple response and starter air valve closure.

Rationale: Testing with the digital control system de-energised confirms fail-safe operation of the hardwired protection as required by ARC-REQ-002 and IEC 61513. The 2-second criterion is derived from the 5-second engine standstill requirement (VER-REQ-003) leaving margin for fuel rack response. Each channel must be tested independently to confirm there is no shared-mode defeat path.

Rationale: Testing at 50% load represents a conservative loaded condition without risk of overloading the test power system. Five seconds to standstill bounds the fuel injection system response time and confirms the mechanical trip train integrity. Each of the three channels is tested in independent runs to eliminate compensating failure detection.

Rationale: The 3.0–5.0 bar pressure range is the OEM injection pump inlet specification; exceedance causes injector spray pattern degradation and sub-band triggers pump cavitation. ISO 4406 class 18/16/13 is the OEM-specified cleanliness limit above which injection nozzle wear rate increases non-linearly. Test at rated load produces worst-case fuel flow and thermal state.

Rationale: The 25–30 bar inlet pressure range brackets the OEM cranking torque requirement for reliable first-cycle ignition. Achieving 120 rpm within 1.5 seconds confirms the air volume and flow rate are sufficient for the mechanical compression ratio of the engine. Repeating at -10°C validates the system under the worst-case viscosity and thermal conditions per STK-REQ-017.

Rationale: This integrated test verifies the complete start chain: LOOP detection (SYS-REQ-002), engine start (SUB-REQ-001), rated output (SYS-REQ-001), and load sequencing (SYS-REQ-003). Testing under 100% rated load step represents the worst-case voltage dip at breaker close. Data sampled at 100 Hz from LOOP detection to full load connection provides the evidence chain for ONR surveillance records.

Rationale: The 24-hour duration demonstrates suitability for extended station blackout events per IEEE 387 and STK-REQ-005. Speed variation ±1% of synchronous speed (750 ±7.5 rpm) is the IEC 60034 governing limit for generator frequency stability; exceedance would cause protective relay operations. Speed is recorded at 1-second intervals at 0h, 1h, 4h, 8h, 16h, and 24h to detect drift and degradation.

Rationale: Three consecutive tests from cold standby demonstrate the statistical reliability of the start chain rather than a single-shot result. The 5.80 kV stimulus (below the 5.94 kV threshold) represents the worst-case detection-margin operating point. Ten-second voltage rise aligns with SYS-REQ-001 and IEEE 387 acceptance criteria for nuclear emergency diesel generators.

Rationale: IEEE 344 (IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations) is the mandatory qualification standard for safety-related equipment. Analysis using the Original Design Specification static seismic loads is the primary method; shake table testing per IEC 60980 is the fallback if analysis is insufficient. Qualification covers engine cradle welds, generator stator support, and control panel anchors.

Rationale: The 1-second first-group connection criterion limits the dip in essential bus voltage to within generator transient recovery limits. The 10-second total restoration window aligns with SYS-REQ-003 load connection requirement. The 500 ms minimum interval between groups is the OEM-specified generator transient recovery time to prevent cumulative voltage collapse. Test uses a resistive load bank per priority group at 10 ms timestamp resolution.

Rationale: SUB-REQ-007 mandates ±3% cylinder-to-cylinder fuel variation to prevent thermal overload; this VER entry provides the specific test procedure — combustion analyser measurement during the monthly surveillance test (SYS-REQ-013). Without an explicit test, injection pump calibration drift could exceed the limit between overhaul intervals, increasing crankshaft fatigue and catastrophic failure risk (hazard H-001).

Rationale: SUB-REQ-011 mandates a 7,000-litre minimum inventory for 7-day mission duration. Inspection of tank contents and fuel quality certificate ensures the 7-day SBO mission (STK-REQ-005, SYS-REQ-008) can be sustained. Fuel quality verification (CIMAC DM) prevents injection system contamination damage during extended operation when no commercial resupply is possible.

Rationale: IFC-REQ-003 defines the cooling water flow and temperature requirement at the EDG/UHS boundary. Testing under rated load conditions is required to confirm heat exchanger performance prior to nuclear plant commissioning — failure to achieve adequate flow would cause engine overtemperature and forced shutdown of the EDG, defeating the safety function during accident conditions.

Rationale: IFC-REQ-005 specifies the MCR interface signals required for operator monitoring and control. Functional testing of all alarm and command channels is required by ONR Safety Assessment Principles — the operator must be able to diagnose and respond to EDG abnormalities from the MCR during a design basis accident. Without testing, Class 1E cabling faults may prevent alarms from reaching the operator at the critical moment.

Rationale: IFC-REQ-006 defines overfill protection and day tank management at the external fuel supply boundary. Demonstration of overfill cutoff prevents environmental release of diesel fuel (a licensable offence at a nuclear site). The 2-hour day tank reserve demonstration confirms EDG resilience to a short-duration bulk transfer pump failure without manual intervention, which is the credited operator action in the fuel replenishment scenario.

Rationale: IFC-REQ-007 specifies the DC power interface critical for EDG control system function and subsequent restart capability. The battery charger re-energisation test validates the feedback loop (EDG powers charger → charger maintains battery → battery enables subsequent starts) that must function during extended LOOP events. Voltage tolerance of ±2% ensures relay pick-up voltages remain within manufacturer specification throughout the demand event.

Rationale: Direct pressure measurement confirms receiver sizing and charge pressure setpoints. Three-blow test confirms capacity margin for the minimum required start attempts without recharging.

Rationale: Timing verification at 1 ms resolution is necessary to demonstrate 100 ms detection budget compliance. Five repetitions provide statistical confidence that the timing is not marginal. Pass criterion is 100 percent compliance — a single timing violation fails the test.

Rationale: Individual and combination testing confirms that no single trip function can be masked by another and that the combined protection logic does not introduce additional latency when multiple alarms are active simultaneously.

Rationale: Safe-state transition testing is mandatory under IEC 61508 SIL 3 to demonstrate the safe failure fraction target. Five repetitions confirm reproducibility. HMI data preservation is verified separately to confirm operators are not left without status during a critical event.

Rationale: Integration test at the physical interface confirms hardwired signal routing, voltage level, and timing as actually installed — bench-level component tests cannot confirm cable routing or terminal block integrity.

Rationale: Separate verification of the analogue and discrete paths confirms both are functional simultaneously — a common failure mode is a broken hardwired contact that is masked by the healthy analogue signal.

Rationale: Three test scenarios verify the three distinct aspects of SUB-REQ-024: timing, transient rejection, and voting logic. All three must pass for the requirement to be verified; failure of any one scenario is a compliance failure against the safety function.

Rationale: Boundary condition testing of each synchronising window independently confirms the requirement is met at the most challenging operating points. The dead-bus override test uses 10% nominal (half the 20% threshold) to confirm reliable operation; testing at exactly 20% is insufficient because relay operating band tolerances could cause a false pass.

Rationale: Three verification methods address the three distinct aspects of IFC-REQ-016: cable resistance (continuity), failsafe logic (functional), and segregation (inspection). Resistance must be measured at commissioning not just at factory because field cable lengths are not fixed at design. Segregation requires visual inspection against as-built drawings since it cannot be functionally tested.

Rationale: Trip circuit resistance and timing must both be measured at commissioning because field cabling resistance is not determined until installation. The supervision alarm test verifies the wiring integrity monitoring function independently. Testing at 95VDC (minimum battery voltage) is required by IEC 61508 SIL 3 hardware validation to demonstrate worst-case operation under degraded power supply conditions.

Rationale: Nine boundary-combination tests are the minimum to verify the AND logic of the three synchronising conditions without testing all permutations. Anti-pumping and permission-withdrawal tests verify the two protection mechanisms specified in IFC-REQ-017 that cannot be inferred from steady-state tests alone.

Rationale: SUB-REQ-025 specifies GCB close time of 100 ms; safety-critical because post-LOOP bus restoration depends on GCB closing before load sequencing begins, and a slow GCB extends bus dead time beyond the 10-second SYS-REQ-001 budget. MoP basis: IEC 62271-100 (High-voltage alternating-current circuit-breakers) defines close-time as the interval from close-coil energisation to primary contact make; 100 ms is within the Class C2 mechanical operating time envelope for 6.6 kV vacuum circuit-breakers.

Rationale: SUB-REQ-027 requires 87G differential protection with a pickup threshold; this test confirms relay operation within specified timing at the threshold current, the minimum demonstration needed for IEC 60255-151 (Measuring relays and protection equipment) compliance on a UK nuclear site.

Rationale: SUB-REQ-028 specifies the generator de-energise path on protection trip; timing from fault to terminal voltage collapse determines the duration of fault current fed into any bus fault, so the 60ms/200ms thresholds protect against damage to safety loads on the 6.6kV bus. MoP basis: IEC 60255-151 (Measuring relays and protection equipment — functional requirements for over/undercurrent protection) requires relay operate time measurement within ±5% of stated value; 60 ms trip coil energisation and 200 ms field collapse are derived from the generator manufacturer's demagnetisation time constant (typically 100–300 ms for safety-grade machines).

Rationale: SUB-REQ-021 requires 1.5 kV RMS Class 1E isolation maintained post-seismic; IEC 60780 (Nuclear power plants — Electrical equipment of the safety system) and IEC 60255 (Measuring relays and protection equipment) both specify dielectric withstand at 1.5 kV as the acceptance threshold for Class 1E signal isolation. The post-seismic repeat confirms that the seismic event has not degraded the isolation barrier — a critical pass for the common-cause failure safety argument.

Rationale: SUB-REQ-016 specifies a 30-bar/30-minute recharge criterion following a three-start sequence. Post-start recharge capability is safety-critical because a second emergency demand within 30 minutes requires a full-pressure air system. The acceptance test must start from the worst-case 20-bar post-start low to confirm the compressor capacity under design conditions, not just steady-state operation.

Rationale: SUB-REQ-017 requires dewpoint ≤ −40°C to prevent ice formation in distribution manifolds and air-start valves during cold ambient conditions (design minimum: −15°C). Chilled-mirror hygrometry is the accepted reference measurement method per ISO 8573-1 (Compressed air quality). The 24-hour steady-state operation period ensures the separator and auto-drain cycle are active and the air system has purged residual commissioning moisture before measurement.

Rationale: SUB-REQ-018 requires two threshold-triggered actions (27-bar alarm, 22-bar inhibit) that protect the starting air system from being depleted below the minimum single-start pressure. Testing each threshold in sequence verifies both the alarm function and the inhibit logic, and the restore test confirms the inhibit is not latching beyond design intent — all three checks are required to verify the complete requirement.

Rationale: SUB-REQ-022 requires a data diode with no return path to safety-classified I&C. A passive electrical injection test from the normal side — not just a software-level attempt — is required because the safety case must exclude hardware-level coupled pathways. The 1mV sensitivity threshold is taken from IEC 62645 (Nuclear power plants — I&C systems — Requirements for security programmes) acceptance criteria for isolation verification.

Rationale: SUB-REQ-029 specifies a 30-second suppression criterion and a two-hour fire barrier. The inspection combines a functional actuation test (verifying the 30-second time criterion on the actual installed system) with documentary evidence review for the barrier certification, since the two-hour rating is established by material qualification test certificates, not an in-situ burndown test.

Rationale: Integration test verifying intake air velocity and filter compliance at the engine air intake plenum. Velocity at three points covers the cross-section to detect non-uniform flow distribution that could cause localised engine intake starvation.

Rationale: End-to-end functional test of the fire detection to HVAC isolation hardwired interface. Three repetitions detect intermittent relay faults or damper actuator stiction. The 7-second single-run limit provides margin for relay pick-up jitter while ensuring the mean meets the 5-second requirement threshold.

Rationale: Bunded drain path integrity cannot be verified by functional test without deliberate fuel release; inspection of the physical drain routing during commissioning is the appropriate verification method. Sump capacity is verified by dimensional survey against the design drawing, which is both more accurate and safer than a wet test with 4,000L of diesel fuel in a nuclear facility.

Rationale: Full-scale seismic testing of a reinforced concrete EDG building is not practicable; analysis to Eurocode 8 is the standard method accepted by ONR for demonstrating seismic Category I structural integrity. The analysis must use the site-specific design response spectrum, not a generic spectrum, to account for local soil conditions at the nuclear site.

Rationale: Integration test exercises all EDG Building and Support Systems components simultaneously as the EDG loads to rated output. Individual component tests cannot detect integration conflicts such as HVAC fan vibration affecting fire detector sensitivity, or exhaust system resonance under combined HVAC and engine load. This test validates that all building sub-functions are compatible at full load.

Rationale: Physical separation between trains is a passive, permanent attribute of the building structure that can only be verified by dimensional inspection; functional testing cannot confirm structural independence. The 600 mm minimum from SUB-REQ-031 is derived from nuclear separation distance requirements in BS EN 61513.

Rationale: Combustion air supply is a direct determinant of engine power output and fuel combustion efficiency; insufficient airflow at rated load causes manifold pressure drop, elevated exhaust temperature, and power output shortfall. Testing at three ambient temperatures confirms that the passive inlet design in SUB-REQ-032 delivers the required flow across the full UK operating temperature range.

Rationale: Structural breach detection and automatic trip is a safety function preventing EDG operation in a structurally compromised enclosure (e.g., post-seismic event with building damage); the trip must be fast enough to prevent additional secondary damage while the main control room alarm allows operators to assess and respond. Functional test using simulated input per IEC 61513 (Nuclear power plants — Instrumentation and control important to safety — General requirements for systems) verification requirements is necessary to confirm the monitoring-to-trip signal chain without inducing actual structural damage.

Rationale: Integration test to verify interface compliance at system boundaries. Pump cavitation at standby diesel start-up has caused cooling circuit failures in similar nuclear applications; physical flow measurement under load is the only reliable verification method.

Rationale: Verifies REQ-SEEDGUKNUCLEAR-066: demonstrates that pre-lube timing and pressure specification are met before air start valve is permitted to open, as required for IEEE 387 compliance

Rationale: Verifies REQ-SEEDGUKNUCLEAR-067: temperature-swept pressure measurement during endurance test confirms pump performance at all operating viscosity points; cannot be verified by inspection alone as viscosity-dependent performance requires thermal soak

Rationale: Verifies REQ-SEEDGUKNUCLEAR-070: post-lube duration at minimum pressure is the only way to confirm that turbocharger bearing cartridge heat purge is adequate; analysis alone cannot substitute for empirical thermal measurement

Rationale: Verifies REQ-SEEDGUKNUCLEAR-072: steady-state voltage accuracy at all load points and power factors must be measured empirically; the IEEE Std 387 generator acceptance test protocol requires voltage regulation verification across the full load envelope

Rationale: Verifies REQ-SEEDGUKNUCLEAR-073: block-load step testing is mandatory per IEEE Std 387 generator acceptance; the 1.5-second window and ±3% recovery threshold must be demonstrated empirically to confirm downstream motor contactor immunity

Rationale: Verifies REQ-SEEDGUKNUCLEAR-074: high-impedance earthing is verified by design analysis rather than fault injection testing, as intentional earth fault injection at generator voltage would risk winding damage; impedance calculation is standard practice per IEC 60034-3 and ONR NS-TAST-GD-013

Rationale: Verifies REQ-SEEDGUKNUCLEAR-076: Class 1E qualification is verified by inspection of the EQF and qualification test reports; physical re-testing on site is not required provided the original qualification envelope (environment, seismic demand) bounds the as-installed conditions, consistent with ONR ENSREG qualification guidance

Rationale: The pre-heat must remain active during AC blackout precisely when it matters most. A blackout simulation is the only way to verify UPS supply path continuity and thermostat control under actual LOOP event conditions.

Rationale: The valve stroke response time determines peak coolant temperature overshoot during load steps; measurement at representative temperatures is required to confirm the thermostat characteristic matches design intent.

Rationale: SIL 2 signal interface requires physical segregation inspection per BS EN 61000 and channel calibration; 200ms trip response is the SIL 2 safety function response time. Only system-level injection test can verify the complete signal chain from sensor to protection relay.

Rationale: Combined thermal performance requirements can only be verified together under simultaneous high-load and high-ambient conditions representative of a summer LOOP event. Four hours ensures steady-state thermal equilibrium is reached after the warm-up transient.

Rationale: The automatic transfer sequence must be verified end-to-end to confirm that float switch, pump control, and I&C monitoring all function correctly together under conditions representative of autonomous engine room operation during a LOOP event.

Rationale: Fuel delivery temperature and pressure must be verified under sustained engine loading to confirm that the EDG building thermal environment and fuel system design maintain the OEM injection pump operating envelope. Short-duration tests do not expose thermal soak effects.

Rationale: Filter performance under contamination conditions is the only means to verify that the bypass valve set-point relationship with the alarm threshold meets the design intent that alarm precedes bypass. Reliance on specification data alone is insufficient for SIL 2 verification.