System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org

| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Starting and Control Subsystem | Starting and Control - Internal Block | SIL 3 | complete |
| Electrical Protection and Switchgear Subsystem | Electrical Protection and Switchgear - Internal Block | SIL 3 | complete |
| Diesel Engine Subsystem | Diesel Engine - Internal Block | SIL 2 | complete |
| Alternator Subsystem | Alternator Subsystem — Internal Components | SIL 2 | complete |
| Fuel Oil System | Fuel Oil System — Internal Components | SIL 2 | complete |
| Cooling System | Cooling System — Internal Components | SIL 2 | complete |
| Monitoring and Instrumentation Subsystem | Monitoring and Instrumentation — Internal Components | SIL 2 | complete |
| Emergency Diesel Generator for a UK Nuclear Licensed Site | Emergency Diesel Generator — System Context | — | complete |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Automatic Load Controller SHALL detect a loss-of-offsite-power condition and generate a start demand signal to the Engine Control Panel within 200 milliseconds of bus voltage falling below 80% of rated voltage (332V on a 415V system) or bus frequency falling below 48 Hz. Rationale: Derived from SYS-REQ-003 (500ms total initiation budget). The 200ms detection budget is allocated from the 500ms total ALC initiation window, leaving 300ms margin for signal transmission and ECP processing. The 80% voltage threshold prevents spurious starts from transient voltage dips (motor starting) while capturing genuine LOOP events. 48 Hz frequency threshold detects loss of grid synchronisation before voltage collapse. | Test | subsystem, starting-control, sil-3, session-574, idempotency:sub-alc-loop-detection-574 |
| SUB-REQ-002 | The Compressed Air Starting System SHALL maintain a minimum stored compressed air capacity equivalent to 3 complete cranking attempts, each of 15-second duration at ≥1.8 MPa initial manifold pressure, without activation of the recharge compressor between attempts. Rationale: Starting air volume and pressure must be specified so that receiver sizing can be verified by calculation and confirmed by test. '≥1.8 MPa' is derived from the minimum cranking pressure required by the OEM to achieve the minimum cranking RPM for cold starting per BS 5514 (Reciprocating internal combustion engines) starting requirements. The 3-attempt criterion aligns with nuclear site single-train availability requirements. | Test | subsystem, starting-control, sil-3, session-574, idempotency:sub-cass-3-attempts-574, superseded-by-session-595 |
| SUB-REQ-003 | The Isochronous Governor System SHALL maintain engine speed within ±0.5% of 1500 RPM (±7.5 RPM) under steady-state loading conditions from no-load to full-rated load, and SHALL recover to within ±1% of rated speed within 3 seconds of a step load change up to 50% of rated power. Rationale: Derived from SYS-REQ-001 (frequency tolerance ±1 Hz on 50 Hz system). ±0.5% steady-state corresponds to ±0.25 Hz, providing 4× margin to the system-level ±1 Hz tolerance. The 3-second recovery window is based on Class 1E motor restart sequence timing — motors must not be exposed to sustained frequency deviation exceeding 2 Hz. Step load 50% rated covers the largest expected single load block in the sequential load acceptance sequence. | Test | subsystem, starting-control, sil-2, session-574, idempotency:sub-gov-frequency-regulation-574 |
| SUB-REQ-004 | The Engine Control Panel SHALL initiate an engine shutdown within 500 milliseconds of engine speed exceeding 110% of rated speed (1650 RPM), via a hardwired independent magnetic pick-up trip circuit that is separate from and independent of the Isochronous Governor System. Rationale: Derived from SYS-REQ-004 (safety trip within 5 seconds). The ECP overspeed trip is independent of the governor (which normally prevents overspeed) per IEC 61226 diversity and independence requirements. 500ms trip time is the maximum allowable before mechanical damage to the engine and alternator begins at 110% overspeed. Hardwired implementation ensures the trip functions even if the governor ECU fails in a demanding state. | Test | subsystem, starting-control, sil-3, safety, session-574, idempotency:sub-ecp-overspeed-trip-574 |
| SUB-REQ-005 | When 3 consecutive start attempts have failed to reach rated speed within the allotted cranking time, the Starting and Control Subsystem SHALL latch in a failed-to-start state, inhibit further automatic start attempts, and assert a failed-to-start alarm to the main control room within 45 seconds of the original start demand. Rationale: Derived from SYS-REQ-004 (safe state on failure). Continued cranking after 3 failed attempts depletes air receiver pressure below reliable start capability and risks battery drain. The 45-second timeline is derived from 3 × 15-second attempts. Manual reset by the operator is required before re-attempt, ensuring a human decision point before further cranking — this is the safe state for the start failure scenario per the EDG hazard register. | Test | subsystem, starting-control, sil-3, safe-state, session-574, idempotency:sub-snc-failed-to-start-safe-state-574 |
| SUB-REQ-006 | The Automatic Load Controller SHALL implement a dual-channel voting architecture (2oo2 for start demand) such that a single hardware or software failure in one channel does not prevent start demand generation, and a failure that causes spurious start demand in one channel does not cause EDG start unless both channels independently confirm the LOOP condition. Rationale: Derived from SYS-REQ-005 (PFD ≤ 1×10⁻³). A dual-channel 2oo2 architecture for start demand simultaneously reduces spurious start rate (requiring both channels to fail) and meets SIL 3 diagnostic coverage requirements per IEC 61508. Single-channel design would require component PFD ≤ 1×10⁻³, which is achievable but does not meet the diversity requirement of IEC 61226 for Category A functions in nuclear applications. | Test | subsystem, starting-control, sil-3, redundancy, session-574, idempotency:sub-alc-dual-channel-574 |
| SUB-REQ-007 | The Automatic Load Controller SHALL provide a hardwired inhibit input that, when activated by a key-operated switch at the local control panel, prevents automatic start demand generation and latches the inhibit state until the key switch is returned to the normal position, with local and remote indication of the inhibit state. Rationale: Lint finding: ALC is functionally autonomous without an identified override mechanism. The inhibit function is required for planned maintenance of the EDG when the site can accept a period of reduced emergency power availability (e.g., when sister EDG is available). Key-operated switch prevents inadvertent inhibit activation. Hardwired implementation ensures inhibit works regardless of ALC software state. Required by ONR SAPs for maintainability without loss of control. | Test | subsystem, starting-control, sil-3, override, session-574, idempotency:sub-alc-inhibit-override-574 |
| SUB-REQ-008 | The Isochronous Governor System SHALL provide a manual speed trim input allowing the operator to adjust output frequency between 49 Hz and 51 Hz in 0.1 Hz increments from the local control panel, without requiring power interruption or ECU software modification, and this trim function SHALL be overridden and set to 50 Hz target automatically upon receipt of a synchronise command. Rationale: Lint finding: Governor is functionally autonomous without an identified operator override mechanism. Manual speed trim is required during synchronising operations (connecting EDG to live bus requires matching frequency within ±0.2 Hz) and during load sharing tests. Automatic return to 50 Hz setpoint on synchronise command prevents operator error from leaving a biased setpoint after test completion. | Demonstration | subsystem, starting-control, sil-2, override, session-574, idempotency:sub-gov-manual-trim-574 |
| SUB-REQ-009 | The Generator Protection Relay SHALL detect an internal generator winding fault (87G differential protection) and issue a trip signal to the Main Generator Circuit Breaker within 80 milliseconds of fault inception, under all load conditions from no-load to 110% rated. Rationale: 80ms trip time is derived from the maximum fault energy that the generator windings can absorb before insulation damage, per IEC 60034-1 (Rotating electrical machines) thermal withstand curve for 11kV class insulation. Failure to trip within this window risks winding burnout and renders the generator irreparable, eliminating the emergency power function. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-gpr-differential-trip-time-575 |
| SUB-REQ-010 | The Generator Protection Relay SHALL provide time-delayed overcurrent protection (51/51N) with a definite minimum time characteristic, coordinated with the downstream protection scheme to isolate generator faults within 500 milliseconds for faults at the generator terminals and within 200 milliseconds for sustained through-faults exceeding 200% rated current. Rationale: Overcurrent coordination timings are derived from the protection grading study required by BS EN 50522 (Earthing of power installations exceeding 1kV a.c.) and ONR protection philosophy. 500ms terminal fault clearance prevents overheating of stator windings; 200ms threshold for severe faults prevents damage propagation to connected safety loads. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-gpr-overcurrent-protection-575 |
| SUB-REQ-011 | The Main Generator Circuit Breaker SHALL interrupt fault currents up to the rated short-circuit breaking capacity of the switchgear assembly (minimum 31.5kA symmetrical for 11kV installations, minimum 50kA for 415V installations) within one cycle (20ms) of receiving a trip signal, without restrike or flashover. Rationale: Short-circuit breaking capacity must exceed the prospective fault level at the generator terminals, calculated from the subtransient reactance of the alternator. Failure to interrupt within one cycle allows fault energy to propagate to the safety bus and damage connected load circuits, potentially disabling multiple safety systems simultaneously. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-mgcb-fault-interruption-575 |
| SUB-REQ-012 | The Safety Bus Transfer Contactor SHALL complete transfer of the nuclear safety bus from the normal offsite supply to the EDG supply within 150 milliseconds of receiving the bus transfer command from the Automatic Load Controller, confirmed by position feedback to the Engine Control Panel. Rationale: 150ms transfer window is derived from the maximum interruption time that safety-classified motors (cooling pumps, feedwater pumps) can sustain without coastdown below restart threshold. Transfer beyond 150ms risks motor stall and requires manual restart sequences, delaying safety function availability beyond the 10-second LOOP-to-rated-voltage timeline in SYS-REQ-001. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-sbtc-automatic-transfer-575 |
| SUB-REQ-013 | The Safety Bus Transfer Contactor SHALL incorporate a hardwired mechanical and electrical interlock with the Main Generator Circuit Breaker that prevents simultaneous closure of both devices, with the interlock effective within 10 milliseconds of either device receiving a close command. Rationale: Anti-paralleling interlock prevents the EDG from being connected in parallel with the grid without synchronisation, which would expose the alternator to out-of-phase fault currents capable of shaft torque transients exceeding 3× rated torque, risking catastrophic mechanical failure. Hardwired interlock is required (not software-only) because software interlocks are insufficient for SIL 3 protection per IEC 61508. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-sbtc-anti-paralleling-interlock-575 |
| SUB-REQ-014 | The Voltage Sensing and Monitoring Unit SHALL implement dual-channel redundant voltage measurement on both the generator output and safety bus, with the two channels processed independently, and a discrepancy greater than ±5% nominal voltage between channels SHALL generate an alarm to the Engine Control Panel within 2 seconds. Rationale: Dual-channel measurement is required to achieve SIL 2 for the LOOP detection function per IEC 61508 architecture requirements (hardware fault tolerance HFT=1). The ±5% discrepancy threshold ensures failed or drifting sensors are detected before they can cause spurious trips or missed LOOP detection; 2-second alarm latency is consistent with operator response time requirements in ONR Safety Assessment Principles. | Test | subsystem, electrical-protection-and-switchgear, sil-2, session-575, idempotency:sub-vsmu-dual-channel-redundancy-575 |
| SUB-REQ-015 | When the Generator Protection Relay detects an internal self-test failure or watchdog timeout, the relay SHALL output a fail-safe trip signal to the Main Generator Circuit Breaker within 500 milliseconds and assert a relay-failed alarm to the Engine Control Panel, de-energising the generator output as the safe state. Rationale: Fail-safe trip on relay internal failure implements the safe state for Hazard H-EPS-001 (protection relay failure leaving generator unprotected). IEC 61508 requires that SIL 3 devices fail to the safe state on detected internal failures. De-energising the generator output is the correct safe state because an unprotected generator connected to the safety bus presents a greater risk than loss of EDG power supply. | Test | subsystem, electrical-protection-and-switchgear, sil-3, safety-critical, session-575, idempotency:sub-gpr-safe-state-self-test-failure-575 |
| SUB-REQ-016 | The Isochronous Governor System SHALL incorporate a hardware watchdog with a timeout of not more than 100 milliseconds; upon watchdog expiry the governor control output SHALL default to a fuel-off (0% rack position) state, causing the diesel engine to shut down and preventing uncontrolled engine runaway. Rationale: The isochronous governor operates autonomously on a closed-loop speed control algorithm without continuous human input. Per IEC 61508 (Functional safety of E/E/PE safety-related systems), a Functionally Autonomous system in a SIL 3 application requires a fail-safe state reachable independently of the control algorithm. Without a watchdog-enforced fail-safe, a governor CPU lockup could result in uncontrolled engine over-speed, which is Hazard H-003 (uncontrolled overspeed) in the EDG hazard register. The 100ms watchdog timeout bounds the worst-case exposure time before the safe state is reached. | Test | session-576, qc, governor, safety, watchdog, failsafe, idempotency:edg-sub-governor-watchdog-failsafe-session576 |
| SUB-REQ-017 | The Engine Block and Rotating Assembly SHALL accelerate the Alternator Subsystem rotor from standstill to 1500 RPM (50Hz ±1%) within 10 seconds of start initiation under no-load conditions, maintaining gross shaft torque ≥10% above the minimum torque calculated for the rated acceleration profile. Rationale: The 10-second start criterion is the primary measurable requirement; the ≥10% torque margin ensures the mechanical system has design headroom over the minimum acceleration torque, derived from BS 5514 and OEM data for this engine class. Eliminating 'sufficient' makes the requirement testable by recording speed vs. time and independently verifiable by OEM torque-curve analysis. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-engine-block-shaft-output-578, superseded-by-session-595 |
| SUB-REQ-018 | The Diesel Engine Subsystem SHALL sustain continuous rated shaft power output for a minimum of 168 hours without requiring engine shutdown, provided the Fuel Oil System, Cooling System, and Lubrication and Bearing System remain within specified operating limits. Rationale: 168-hour (7-day) endurance derives from SYS-REQ-002's requirement for continuous operation under prolonged station blackout. Nuclear site safety cases require fuel oil storage and engine endurance to be matched; the engine itself must be capable of the full duration without internal inspection or minor service, as defined by SYS-REQ-010's 12-month service interval. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-engine-sustained-168h-578 |
| SUB-REQ-019 | The Lubrication and Bearing System SHALL initiate an engine shutdown signal to the Engine Control Panel within 1.5 seconds when lubricating oil pressure falls below 2.0 bar at any engine speed above idle. Rationale: Low oil pressure at 2.0 bar trip setpoint protects main bearings from seizure; the 1.5-second response time allows the engine protection relay to act before bearing damage occurs at operating speed. Derives from SYS-REQ-004 low lubricating oil pressure trip condition. SIL-2 applies: the hardwired trip path must be independent of the governor control channel. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-lube-pressure-trip-578 |
| SUB-REQ-020 | The Engine Block and Rotating Assembly SHALL incorporate a centrifugal mechanical overspeed trip device that physically disengages the fuel rack and removes fuel supply at any engine speed exceeding 1650 RPM, operating independently of all electronic control systems. Rationale: Mechanical overspeed trip at 1650 RPM (110% of 1500 RPM rated) is required by SYS-REQ-004 and by ONR Safety Assessment Principles for nuclear standby generators. The mechanical independence from electronic governors is a SIL-2 requirement: governor software failure must not prevent overspeed protection, as uncontrolled engine acceleration would destroy the alternator and the generator building. IEC 61508 requires diversity between the controlled function (governor speed regulation) and the safety function (overspeed shutdown). | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-mech-overspeed-trip-578 |
| SUB-REQ-021 | The Fuel Injection System SHALL modulate fuel delivery from minimum to maximum fuel rack position within 200 milliseconds of a governor actuator demand signal, across the full engine speed range from cranking to rated speed. Rationale: 200ms fuel rack response is derived from the SYS-REQ-003 requirement to reach rated speed within 10 seconds. Engine acceleration dynamics for a medium-speed diesel require fuel rack authority to be applied within the first revolution of cranking — delayed fuel response would increase time-to-rated-speed and risk failure to meet the 10-second LOOP start time. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-fuel-injection-response-578 |
| SUB-REQ-022 | The Turbocharger and Charge Air System SHALL maintain charge air manifold pressure ≥150 kPa gauge at loads from 25% to 110% of rated power, without engine derating, exhaust smoke exceeding Ringelmann Scale 2, or turbocharger surge. Rationale: 150 kPa gauge minimum charge air pressure is derived from the OEM's power–boost curve for rated output; below this threshold combustion becomes fuel-rich and causes derating, smoke, and turbocharger damage. The Ringelmann Scale 2 limit aligns with UK Environmental Permitting (England and Wales) Regulations 2016 smoky vehicle limits applicable to site diesel plant. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-turbo-boost-578, superseded-by-session-595 |
| SUB-REQ-023 | While the EDG is in standby, the Diesel Engine Subsystem SHALL maintain engine coolant temperature above 20°C using thermostatically controlled immersion heaters, ensuring full rated start capability at ambient temperatures as low as -10°C without warm-up delay. Rationale: ONR Safety Assessment Principles and IEC 61226 require the EDG to be capable of starting and reaching rated output within the design start time at minimum design ambient temperature. Without preheating, cold-viscosity lube oil would prevent achieving rated speed in 10 seconds (SYS-REQ-003) and could cause early bearing wear. Derives from SYS-REQ-003 and SYS-REQ-006 environmental operating range of -10°C to +40°C. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-cold-start-preheat-578 |
| SUB-REQ-024 | When a crankcase explosion relief valve actuates, the Diesel Engine Subsystem SHALL transmit a hardwired trip signal to the Engine Control Panel to initiate engine shutdown within 2 seconds, independent of the engine management software. Rationale: Crankcase explosion is a low-frequency, high-severity failure mode in diesel engines caused by ignition of oil mist from blow-by gases. The 2-second shutdown window prevents secondary explosion or fire propagation within the EDG building. The hardwired trip path ensures this safe state is reached even if the electronic governor or ECP software has failed — consistent with the SIL-2 independence requirements in SYS-REQ-004. This safe state is not covered by the main overspeed or low oil pressure trips. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-crankcase-explosion-safe-state-578 |
| SUB-REQ-026 | The Automatic Load Controller SHALL receive the loss-of-offsite-power signal from the site electrical protection system via a hardwired 24VDC Class 1E discrete input, and SHALL initiate the EDG start sequence within 200 milliseconds of signal assertion, leaving 300 milliseconds margin to the SYS-REQ-003 system deadline of 500ms. Rationale: SYS-REQ-003 requires start initiation within 500ms of LOOP signal receipt. The 200ms sub-allocation to the ALC leaves margin for downstream start sequencing. Hardwired 24VDC Class 1E input is required because the LOOP signal must maintain integrity during the loss-of-power event it signals. Closes the coverage gap for site electrical protection system interface not decomposed at subsystem level. | Test | subsystem, starting-control, sil-3, session-587, idempotency:sub-alc-loop-interface-587 |
| SUB-REQ-027 | The Diesel Engine Subsystem, including the Engine Block, Fuel Injection System, Lubrication and Bearing System, Turbocharger and Charge Air System, and exhaust silencing pipework, SHALL be seismically qualified to remain operable following a safe shutdown earthquake as defined in the site seismic hazard assessment, demonstrated by analysis to IEEE 344 (Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations) or equivalent ONR-accepted standard. Rationale: SYS-REQ-006 mandates seismic qualification for all EDG building equipment. The verification method is IEEE 344 analysis (not inspection of a document — the analysis IS the verification): the qualification analysis must produce a seismic response spectrum (SRS) enveloping the site safe shutdown earthquake (SSE) floor response spectra at the EDG building basemat level, and demonstrate by modal analysis or dynamic test that the Diesel Engine Subsystem's natural frequencies and mode shapes do not exceed the allowable stress and deflection limits specified by the manufacturer for continued operability post-SSE. The analysis must also address the combination of seismic and operational vibration loads (engine rotating imbalance at 1500 RPM = 25 Hz, turbocharger at ~90,000 RPM). Acceptance criteria: no permanent deformation of fuel injection rail, no fracture of exhaust manifold welds, engine restart demonstrated within 60 seconds of SSE cessation per SYS-REQ-001. The qualification analysis report, including methodology, input spectra, results, and conclusions, constitutes the verification evidence. | Analysis | subsystem, diesel-engine-subsystem, sil-3, seismic, session-587, idempotency:sub-diesel-seismic-qualify-587, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-028 | The Isochronous Governor System and Engine Control Panel SHALL comply with BS EN IEC 61000-6-2 (Electromagnetic compatibility - Immunity for industrial environments) for conducted and radiated immunity, and the Automatic Load Controller and Generator Protection Relay electronics SHALL additionally comply with BS EN IEC 61000-6-7 (Electromagnetic compatibility - Immunity requirements for equipment intended to perform functions in a safety-related system) to maintain SIL-3 function integrity in the electromagnetic environment of the EDG building. Rationale: SYS-REQ-008 requires control and protection electronics to operate without degradation in the EDG building electromagnetic environment. The EDG itself generates significant transient EMI during starting and load switching. The Governor and ALC contain microprocessors that are susceptible to EMI-induced logic errors which could cause spurious trips or start failures. IEC 61000-6-7 is specified for SIL-rated functions because standard industrial immunity is insufficient for safety-critical control electronics in a nuclear application. | Test | subsystem, starting-control, electrical-protection-and-switchgear, sil-3, emc, session-587, idempotency:sub-control-emc-compliance-587 |
| SUB-REQ-029 | The Diesel Engine Subsystem SHALL be maintainable for planned minor servicing (cylinder head inspection, injector calibration, belt and filter replacement) using only tools and consumables listed in the site-approved store inventory, without requiring specialised tooling not permanently held on site, at intervals not exceeding 12 months at rated duty cycle. Rationale: SYS-REQ-010 mandates 12-month minor service intervals using only site-held tools and spares. The Diesel Engine Subsystem drives this constraint because it contains the highest-maintenance items: fuel injectors (require calibration), cylinder heads (require torque tools), cooling circuit (requires flush and fill), and lubrication system (requires oil change). Failure to design for site-maintainability would necessitate specialist contractor attendance for routine servicing, violating the site independence requirement. | Demonstration | subsystem, diesel-engine-subsystem, maintainability, session-587, idempotency:sub-diesel-maintainability-587 |
| SUB-REQ-030 | The Engine Parameter Sensor Array SHALL provide dual-channel 4-20mA output for each critical parameter — lube oil pressure (range 0–10 bar, accuracy ±0.5%), jacket coolant temperature (range 0–120°C, accuracy ±1°C), per-cylinder exhaust gas temperature (range 0–600°C, accuracy ±5°C), and vibration level (range 0–25 mm/s RMS) — with each channel capable of independently driving the Protective Trip Logic Unit. Rationale: Dual-channel independence is required by IEC 61508 SIL 2 architecture for the lube oil low-pressure and high-coolant-temperature trip functions. Single-channel failure must be detectable and must not impair the protection function, as loss of parameter monitoring feeds hazard H-COOLING-001 (cooling system failure, severity:critical) and H-ENGINE-001 (engine overspeed via loss of speed feedback). | Test | subsystem, monitoring-and-instrumentation, sil-2, session-588, idempotency:sub-epsa-dual-channel-588 |
| SUB-REQ-031 | The Protective Trip Logic Unit SHALL initiate a hardwired de-energise-to-trip command to the Engine Control Panel within 200 milliseconds of a critical threshold crossing — lube oil pressure below 2.5 bar, jacket coolant temperature above 95 degrees C, engine speed above 110% rated RPM, or vibration above 18 mm/s RMS — using 1oo2D voting on dual-channel sensor inputs with SIL 2 certification to IEC 61508. Rationale: 200ms response time derived from safety analysis: engine failure progression from threshold crossing to catastrophic mechanical failure requires at minimum 500ms (vendor thermal analysis), giving 300ms margin. 1oo2D voting prevents both spurious trips from single sensor failure and failure-to-trip from single channel loss. SIL 2 certification required to match the hazard severity for cooling failure (H-COOLING-001) and overspeed (H-ENGINE-001) at severity:critical. | Test | subsystem, monitoring-and-instrumentation, sil-2, safety, session-588, idempotency:sub-ptlu-trip-response-588 |
| SUB-REQ-032 | When the Protective Trip Logic Unit loses 110VDC supply voltage below 88VDC (80% nominal), the Monitoring and Instrumentation Subsystem SHALL transition to the safe state by de-energising all trip output relays within 100 milliseconds, causing the Engine Control Panel to initiate engine shutdown. Rationale: De-energise-to-trip is mandated by IEC 61508 for SIL-2 safety functions: power loss must produce the safe state, not hold the process running. 80% voltage threshold is the minimum guaranteed relay hold-in voltage per IEC 60255 relay specifications. 100ms response is faster than the 200ms sensor-trip requirement to ensure power loss does not delay protection. | Test | subsystem, monitoring-and-instrumentation, sil-2, safe-state, session-588, idempotency:sub-ptlu-safe-state-588 |
| SUB-REQ-033 | The Protective Trip Logic Unit SHALL detect a fault on either sensor channel (open circuit, short to supply, out-of-range signal) within 1 second of occurrence and generate a separate channel-fault alarm to the Local Alarm and Indication Panel without inhibiting the protection function on the healthy channel. Rationale: Channel fault detection maintains the defence-in-depth of the dual-channel architecture: an undetected channel fault degrades the 1oo2D configuration to 1oo1, removing the single-failure tolerance required for SIL 2. 1-second detection time aligns with IEC 61508 diagnostic coverage requirements for SIL 2 hardware fault tolerance of 1. | Test | subsystem, monitoring-and-instrumentation, sil-2, session-588, idempotency:sub-ptlu-channel-fault-588 |
| SUB-REQ-034 | The Remote Monitoring Gateway SHALL provide a minimum 1500Vrms optical isolation barrier between the SIL-2 Protective Trip Logic Unit circuits and the main control room I&C network, and SHALL reject any command or write message received from the I&C network without generating an acknowledgement. Rationale: Optical isolation at 1500Vrms prevents ground-loop currents and fault injection from the non-nuclear I&C network from affecting the safety-classified protection circuits. One-way enforcement prevents cyber or operator-error command paths from inadvertently modifying protection setpoints through the monitoring interface, which would be a common-cause vulnerability. IEC 61513 requires isolation of safety and non-safety I&C at qualified barriers. | Test | subsystem, monitoring-and-instrumentation, sil-2, session-588, idempotency:sub-rmg-isolation-588, red-team-session-609, superseded-by-session-611, rt-resolved-session-611 |
| SUB-REQ-035 | The Local Alarm and Indication Panel SHALL provide first-out alarm annunciation for all EDG protective trip functions, displaying the identity of the first-to-trip parameter within 500 milliseconds of the trip output from the Protective Trip Logic Unit, with audible and visual indication that is latched until manually acknowledged. Rationale: First-out annunciation is an ONR inspection requirement for nuclear EDGs during surveillance testing and post-trip review: technicians must identify the root cause of a protective shutdown without ambiguity. 500ms display latency ensures the indication appears before the engine decelerates appreciably, allowing unambiguous first-out identification. | Demonstration | subsystem, monitoring-and-instrumentation, session-588, idempotency:sub-laip-firstout-588, red-team-session-609, superseded-by-session-611, rt-resolved-session-611 |
| SUB-REQ-036 | The Engine Parameter Sensor Array and Protective Trip Logic Unit SHALL remain functional during and after a seismic event with peak ground acceleration up to 0.2g as defined by the EUR (European Utility Requirements) seismic design basis, maintaining trip setpoint accuracy within 10% of nominal during seismic excitation. Rationale: The M&I subsystem must not fail spuriously during a design-basis earthquake (which may itself be the initiating event requiring EDG start) and must retain the ability to initiate protective shutdown if engine parameters exceed limits during seismic operation. 0.2g PGA matches SYS-REQ-006 seismic requirement. 10% setpoint accuracy during excitation is consistent with IEC 60780 (nuclear power plants — electrical equipment qualification) allowance for dynamic error. | Test | subsystem, monitoring-and-instrumentation, sil-2, seismic, session-588, idempotency:sub-mi-seismic-588 |
| SUB-REQ-037 | The Jacket Water Pump SHALL maintain coolant circulation through the engine block at a minimum flow rate of 200 litres per minute at all engine speeds from 1000 RPM to 1600 RPM, without electrical power supply, driven solely from the engine crankshaft belt drive. Rationale: 200 L/min minimum flow is derived from engine thermal model: below this rate, cylinder head temperatures exceed 95 deg C trip setpoint within 2 minutes at full load, so this is the floor that prevents thermal damage at rated output. Engine-driven belt eliminates electrical power dependency for the primary cooling function, directly mitigating H-COOLING-001 during LOOP when EDG bus may not yet be established. Failure mode: drive belt failure or pulley seizure → pump impeller stops rotating → coolant flow drops to zero → cylinder head temperatures rise at ~0.5 deg C/s at full load → high jacket water temperature trip (95 deg C) activates within 120 seconds → engine trips to safe state (standstill with residual coolant providing convective cooling sufficient for <30 min cool-down). Secondary failure indicator: coolant flow switch on pump outlet provides an independent low-flow alarm at 150 L/min (25% below minimum), allowing operator-initiated controlled shutdown before the high-temperature trip activates. This failure mode is captured in hazard H-COOLING-001 and mitigated by the independent flow switch alarm and temperature trip chain. | Test | subsystem, cooling-system, sil-2, session-588, idempotency:sub-jwp-flow-588, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-038 | The Radiator and Fan Assembly SHALL dissipate a minimum of 280 kilowatts of engine waste heat to ambient air at a maximum ambient temperature of 40 degrees Celsius, maintaining engine outlet coolant temperature below 92 degrees Celsius at continuous rated load. Rationale: 280kW cooling capacity provides 10% margin above the engine manufacturer thermal rejection figure of 255kW at rated output. 40 deg C ambient is the site design-basis summer maximum per SYS-REQ-006 environmental constraint. Maintaining outlet below 92 deg C provides 3 deg C margin below the thermostat full-open temperature and 8 deg C margin below the high-temperature trip setpoint. Failure mode: fan motor failure or loss of forced convection (e.g., mechanical failure of the fan belt) → radiator thermal resistance increases by ~40% → at full load (255kW heat rejection), coolant outlet temperature rises from ~85 deg C to approximately 92 deg C in 5–8 minutes → high jacket water temperature alarm activates at 90 deg C → operator-initiated load reduction or automatic engine trip at 95 deg C. Under degraded fan operation at 60% capacity, the engine SHALL maintain reduced output of at least 50% rated load with coolant temperature stable below trip setpoint — this degraded capability is captured in the degraded-mode requirement. The safe state is engine controlled shutdown with coolant convective natural circulation sufficient to prevent thermal damage during cool-down. | Test | subsystem, cooling-system, session-588, idempotency:sub-rad-capacity-588, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-039 | When the engine jacket coolant outlet temperature exceeds 95 degrees Celsius, the Cooling System SHALL generate a hardwired high-temperature alarm signal to the Protective Trip Logic Unit within 2 seconds of threshold crossing, enabling the M&I subsystem to initiate engine shutdown. Rationale: 95 deg C trip threshold matches the Engine Parameter Sensor Array setpoint in SUB-REQ-031. 2-second response is the Thermostat Valve plus coolant sensor thermal lag; the PTLU adds 200ms per SUB-REQ-031. Combined 2.2s to engine shutdown initiation is within the engine vendor safety margin. This is the safe-state interface for H-COOLING-001. | Test | subsystem, cooling-system, sil-2, safe-state, session-588, idempotency:sub-cs-safe-state-588 |
| SUB-REQ-040 | The Day Tank SHALL provide a minimum fuel reserve of 8 hours of continuous operation at rated engine load without replenishment from the Fuel Transfer Pump Set, with the tank sized at no less than 120% of the 8-hour consumption volume calculated at manufacturer's rated specific fuel consumption. Rationale: 8-hour autonomous reserve ensures the EDG continues to operate through loss of 415V AC supply to transfer pumps (which would accompany a LOOP event) until the diesel-backed 24VDC system can restore pump operation. 120% margin accommodates sedimentation volume and prevents air ingestion from the outlet pipe. Derived from SYS-REQ-002 (168h total) with the day tank providing the first-phase buffer. | Test | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-day-tank-capacity-590 |
| SUB-REQ-041 | The Bulk Fuel Storage Tank SHALL hold a minimum usable fuel volume of 42,000 litres, with nominal tank capacity ≥48,300 litres (115% of minimum usable) to account for unusable sump volume, thermal expansion, and minimum pump inlet submersion depth. Rationale: 42,000 litres is derived from the rated fuel consumption rate (250 L/hr at 100% load, OEM data) × 168 hours. The 115% factor for nominal capacity follows CIRIA C765 (Above-ground fuel storage tank design) guidance for usable volume derating. These values allow tank capacity compliance to be verified by dimensional survey without ambiguity. | Test | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-bulk-tank-capacity-590, superseded-by-session-595 |
| SUB-REQ-042 | The Fuel Transfer Pump Set SHALL automatically start the duty pump within 10 seconds of the Day Tank level falling to the Low (L) set-point, and automatically start the standby pump within 10 seconds of duty pump trip confirmation, with both pumps capable of filling the Day Tank from Low to High level within 30 minutes at rated EDG fuel consumption. Rationale: 10-second start delay prevents nuisance cycling; 30-minute fill time ensures the day tank never reaches LL (low-low trip) during the pump start-up transient. These values are derived from the day tank volume and engine fuel consumption rate at rated load. Standby auto-start is required to prevent loss of fuel supply on duty pump trip during an unattended LOOP mission. | Test | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-pump-autostart-590 |
| SUB-REQ-043 | The Fuel Filtration Assembly SHALL remove particulate matter to a maximum particle size of 10 microns nominal and separate free water from the fuel stream, generating a maintenance alarm to the Local Alarm and Indication Panel when differential pressure across the filter element exceeds 0.3 bar, while maintaining rated flow without restricting supply pressure below 1.5 bar at the engine inlet. Rationale: 10-micron filtration protects precision fuel injection components (nozzle orifice typically 15-20 micron) from wear; 0.3 bar DP alarm threshold is the manufacturer standard for duplex filter sets on medium-speed diesel engines. 1.5 bar minimum inlet pressure is the fuel injection system operating floor per IFC-REQ-008. Failure to filter would cause premature injection pump wear and risk loss of engine output. | Test | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-fuel-filtration-590 |
| SUB-REQ-044 | When a confirmed fire detection signal is received from the EDG building fire detection system, the Fuel Supply Pipework and Valve Assembly SHALL automatically close the bulk fuel supply isolation valve within 10 seconds to prevent additional fuel feeding the fire, while maintaining the Day Tank gravity-feed to the engine to support controlled shutdown. Rationale: Motorised isolation on fire signal is an ONR requirement (NS-TAST-GD-049 fire safety guidance) for nuclear EDG buildings; 10-second closure prevents significant additional fuel reaching a fire source while the engine runs its controlled stop sequence. Maintaining Day Tank gravity feed during controlled shutdown avoids uncontrolled loss of cooling and lubrication by an abrupt engine trip. This is the safe state for the HAZ-FIRE hazard in the hazard register. | Test | subsystem, fuel-oil-system, sil-2, safe-state, session-590, idempotency:sub-fuel-fire-isolation-590 |
| SUB-REQ-045 | The Fuel Oil System SHALL maintain fuel temperature in the Day Tank above 5°C under site minimum ambient temperature conditions (-10°C at the EDG building) using trace heating or immersion heating, such that fuel viscosity at the engine fuel inlet remains within the fuel injection manufacturer's specified operating range (Class A2 diesel EN 590, cloud point ≤ -10°C). Rationale: BS EN 590 Class A2 diesel has a cold filter plugging point (CFPP) of -10°C; at -10°C ambient, unheated pipework on an uninsulated external run could cause wax deposition in filter and pipework. 5°C tank minimum maintains adequate margin above CFPP for fuel within the building. This requirement is critical to the cold-start capability required by SYS-REQ-001 (10-second start at all environmental conditions). | Demonstration | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-fuel-cold-start-temp-590 |
| SUB-REQ-046 | The Automatic Voltage Regulator SHALL maintain the Synchronous Generator Assembly terminal voltage within ±0.5% of set-point under steady-state conditions and within ±6% during any single load step not exceeding 40% of rated kVA, recovering to within ±2% within 3 seconds of the step load application. Rationale: ±0.5% steady-state regulation derives from SYS-REQ-001 (±6% terminal voltage) and must be achievable with sufficient margin to accommodate load-sharing tolerance in future parallel operation. ±6% transient tolerance is the SYS-REQ-001 limit; 3-second recovery is the site electrical system requirement for connected Class 1E equipment (sensitive motor drives and UPS float chargers tolerate 6% for no more than 3s before actuation). 40% step load is the largest single block in the site load sequencing plan per SYS-REQ-007. Failure mode: AVR excitation circuit failure (loss of excitation sensing or failed SCR in excitation bridge) → generator terminal voltage falls outside ±6% window → generator protection relay (loss-of-excitation element 40) activates within 3 seconds → generator trips to safe state (de-energised, engine continues running unloaded awaiting AVR recovery or operator intervention). Under partial AVR failure (one of two redundant sensing channels fails), the generator SHALL maintain regulated output on the remaining channel at reduced droop setting — this resilience is addressed by the redundant AVR sensing architecture documented in ARC-REQ-007. Voltage collapse without protection actuation is prevented by the generator protection relay's independent voltage supervision, which does not depend on the AVR. | Test | subsystem, alternator-subsystem, sil-2, session-590, idempotency:sub-avr-voltage-regulation-590, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-047 | The Generator Stator Winding and Thermal Protection SHALL alarm to the Protective Trip Logic Unit when any stator winding PT100 RTD reading exceeds 130°C and SHALL initiate a protective trip of the EDG system when any reading exceeds 155°C, with both thresholds independently configurable and the PT100 signals providing ±2°C accuracy over the operating range 20°C to 180°C. Rationale: 155°C trip threshold is the Class F thermal limit applied within Class H (180°C rated) insulation — a 25°C design margin per IEC 60034-1 thermal classification. This margin is required for a nuclear qualified generator where accelerated insulation ageing under continuous high-temperature operation could compromise the 40-year design life. 130°C alarm (25°C below trip) provides operator warning during blocked cooling or overload. ±2°C RTD accuracy ensures the alarm/trip threshold tolerances remain within the insulation class margins. | Test | subsystem, alternator-subsystem, sil-2, safety, session-590, idempotency:sub-stator-winding-temp-590 |
| SUB-REQ-048 | The Generator Bearing and Mechanical Support Assembly SHALL alarm to the Protective Trip Logic Unit when any bearing PT100 RTD reading exceeds 90°C and SHALL initiate an engine shutdown trip when any reading exceeds 100°C, with the DE bearing lubricated from the engine main lube oil header at no less than 1.5 bar and no more than 4.0 bar supply pressure during normal operation. Rationale: 90°C alarm and 100°C trip are standard limits for white-metal sleeve bearings used in medium-speed diesel-coupled generators (BS EN 60034-1 and manufacturer guidance for Babbitt metal bearings, which suffer accelerated fatigue above 100°C). 1.5-4.0 bar lube supply range is the typical operating envelope for medium-speed diesel engine lube oil headers. Bearing failure on a coupled set would rapidly destroy both the engine and alternator, hence the trip is safety-significant. | Test | subsystem, alternator-subsystem, sil-2, safety, session-590, idempotency:sub-bearing-temp-trip-590 |
| SUB-REQ-049 | The Brushless Excitation System SHALL build terminal voltage from zero (black-start) to within ±6% of rated voltage within 3 seconds of the engine reaching 95% rated speed, with voltage overshoot not exceeding 10% of rated voltage at any point during the build-up transient, independent of any power supply other than mechanical rotation of the shaft. Rationale: 3-second voltage build-up from engine synchronous speed is required to meet the SYS-REQ-001 10-second overall start time (10s from LOOP signal to ready state includes start sequence and speed run-up; voltage build-up must complete within the final 3s). The PMG-based brushless excitation achieves this without dependency on external AC power, which is the failure mode being responded to. 10% overshoot limit protects connected Class 1E equipment from voltage transients during energisation. Failure mode: permanent magnet generator (PMG) rotor demagnetisation or rotating rectifier diode failure → no excitation current to main field winding → zero terminal voltage at synchronous speed → generator protection relay (field failure element 40) activates after 5-second delay → EDG remains available for manual field restoration or replacement of rectifier cartridge (maintenance access required). A single rotating diode failure reduces excitation current by 33% (3-phase bridge with one lost phase), producing voltage reduction of approximately 20% — this triggers under-voltage protection (element 27) and a controlled load rejection rather than a sudden blackout, preserving generator and load integrity. This failure mode is traceable to hazard H-EXCITATION-001. | Test | subsystem, alternator-subsystem, sil-2, session-590, idempotency:sub-excitation-blackstart-590, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-050 | When a Generator Protection Relay (GPR) stator earth fault trip signal is received, the Alternator Subsystem SHALL de-energise the anti-condensation heaters and the Automatic Voltage Regulator within 200 milliseconds to remove all voltage sources from the stator winding, such that the stator winding is electrically isolated on both the generator terminal side and the excitation supply side within 200 milliseconds. Rationale: The Fuel Oil System is Regulated (UHT trait): on-site bulk fuel storage in volumes typical of nuclear EDG systems (typically 30,000–50,000 litres for 168h mission) requires secondary containment and spill detection under Environmental Permitting Regulations. CIRIA C736 (Construction Industry Research and Information Association — Containment systems for the prevention of pollution) is the industry standard for oil storage bunding used by ONR as the benchmark for compliance during nuclear site inspections. Failure to comply exposes the site owner to enforcement action that could require immediate removal of fuel storage. 110% of largest tank (or 25% of total volume, whichever is greater) is the standard bunding capacity requirement from CIRIA C736 and PPG2 (Pollution Prevention Guidance). | Test | subsystem, alternator-subsystem, sil-2, safe-state, session-590, idempotency:sub-alternator-stator-safe-state-590, tech-author-session-613 |
| SUB-REQ-051 | The Isochronous Governor System SHALL incorporate dual independent speed-sensing channels, such that the failure of one channel (open circuit, sensor failure, or signal loss) does not cause governed speed deviation exceeding ±3% of rated speed and SHALL annunciate the channel failure to the Local Alarm and Indication Panel within 2 seconds without initiating an engine trip. Rationale: The governor is System-Essential (UHT trait): loss of governed speed control causes frequency deviation that disconnects safety loads. Dual-channel architecture is required per IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL 3 for single-point failure protection. The no-trip-on-single-failure requirement prevents unnecessary EDG shutdowns during LOOP missions when a governor sensor fails; the 3% speed window bounds the resulting frequency excursion within load protection relay settings. | Test | subsystem, starting-and-control, sil-3, redundancy, session-592, idempotency:sub-governor-redundancy-592 |
| SUB-REQ-052 | The Fuel Injection System SHALL deliver fuel injection timing within ±2 degrees of crankshaft rotation of the nominal injection advance angle across the full speed range (700–1600 RPM) and load range (0–100% rated), and SHALL maintain injection timing accuracy in the event of a single injector nozzle blockage by redistributing fuel delivery to the remaining cylinders with no more than 5% reduction in rated power output. Rationale: Fuel injection timing is Temporal (UHT trait) and System-Essential: ±2° timing precision is required to achieve the NOx and smoke limits under UK nuclear site air quality regulations and to maintain combustion stability during rapid load application following LOOP. Single-injector redundancy bounds the consequence of a nozzle blockage to <5% power reduction, preserving the minimum EDG output required to supply nuclear safety loads (typically 60–80% of rated capacity). | Test | subsystem, diesel-engine, sil-2, redundancy, temporal, session-592, idempotency:sub-fuel-injection-timing-redundancy-592 |
| SUB-REQ-053 | The Fuel Transfer Pump Set SHALL consist of two independently-powered duty/standby pumps, each capable of supplying 150% of rated engine fuel consumption, with automatic standby pump start on duty pump failure (loss of discharge pressure below 0.8 bar) occurring within 30 seconds, maintaining uninterrupted Day Tank replenishment throughout the EDG mission duration. Rationale: The Fuel Transfer Pump Set is System-Essential (UHT trait): pump failure causes Day Tank depletion within 2–4 hours at rated load, terminating the 168h mission. Duty/standby architecture with automatic changeover is required by the PFD budget in SYS-REQ-005 (PFD ≤1×10⁻³) — a single pump with no standby contributes unacceptably to mission failure probability. 30-second changeover is bounded by Day Tank minimum volume capacity at rated consumption. | Test | subsystem, fuel-oil-system, sil-2, redundancy, session-592, idempotency:sub-fuel-pump-redundancy-592 |
| SUB-REQ-054 | The Cooling System SHALL maintain engine jacket water temperature within the operational band (70°C–88°C) following the failure of a single Jacket Water Pump, provided the engine load is reduced to 75% of rated within 60 seconds of pump failure, and SHALL generate a pump failure alarm to the Local Alarm and Indication Panel within 10 seconds of detecting coolant flow below the minimum threshold. Rationale: The Cooling System is System-Essential (UHT trait): loss of cooling causes engine shutdown on high-temperature trip within minutes. Maintaining operability at 75% load with one pump failed supports continued supply to nuclear safety loads at reduced (but sufficient) output — nuclear sites typically size EDG rated capacity with a margin above minimum safety load. The 60-second load reduction window is achievable by the automatic load shedding sequence in the Starting and Control Subsystem (SUB-REQ-028). 10-second alarm response ensures operator situational awareness before temperature rises to the trip threshold. | Test | subsystem, cooling-system, sil-2, redundancy, session-592, idempotency:sub-cooling-backup-path-592 |
| SUB-REQ-055 | The Generator Protection Relay SHALL comply with IEC 60255-151 (Measuring relays and protection equipment — Functional requirements for over/under voltage protection) and IEC 60255-181 (frequency protection), and SHALL be type-tested and certified to these standards by an accredited test laboratory before installation on the nuclear licensed site. Rationale: The Generator Protection Relay is Institutionally Defined (UHT trait): it must comply with IEC 60255 series standards as required under the ONR Safety Assessment Principles for safety-classified electrical protection equipment. Type-testing by an accredited laboratory is required because nuclear sites cannot perform first-article qualification testing on protection relays in-situ — the test environment would require tripping the EDG from the safety bus, which is unacceptable during site operation. | Inspection | subsystem, electrical-protection-switchgear, sil-3, standards, session-592, idempotency:sub-protection-relay-standards-592 |
| SUB-REQ-056 | The Main Generator Circuit Breaker SHALL comply with BS EN 62271-100 (High-voltage switchgear and controlgear — AC circuit-breakers) or BS EN 61439-1 (Low-voltage switchgear and controlgear assemblies) as applicable to the rated voltage, and SHALL be certified by a UKAS-accredited body with type test evidence covering rated breaking capacity, short-time current withstand, and electrical endurance class E2. Rationale: BS EN 62271-100 (High-voltage switchgear and controlgear — AC circuit-breakers) or BS EN 61439-1 (Low-voltage switchgear and controlgear assemblies) are the required product standards for Main Generator Circuit Breaker (MGCB) certification, depending on rated voltage. UKAS (United Kingdom Accreditation Service) accreditation ensures the certifying body is competent to issue type-test certificates meeting the requirements of EN IEC 17065 (Conformity assessment bodies). ONR and nuclear site licensing inspectors require third-party certified electrical equipment in Class 1E applications — self-declaration is not accepted. E2 endurance class confirms the MGCB is rated for frequent switching duty cycles consistent with nuclear EDG surveillance testing (weekly start/load/shutdown) and emergency operation profiles. | Inspection | subsystem, electrical-protection-switchgear, sil-3, regulated, standards, session-592, idempotency:sub-mcb-compliance-592, tech-author-session-613 |
| SUB-REQ-057 | The Fuel Oil System bunding and containment SHALL comply with the Environmental Permitting (England and Wales) Regulations 2016 and CIRIA C736 (Containment systems for the prevention of pollution), providing secondary containment with a minimum capacity of 110% of the largest tank or 25% of total stored fuel volume (whichever is greater), with an impermeable bund having no drains connected to site drainage, and with spill detection alarming to the site control room. Rationale: The Fuel Oil System is Regulated (UHT trait): on-site bulk fuel storage in volumes typical of nuclear EDG systems (typically 30,000–50,000 litres for 168h mission) requires secondary containment and spill detection under Environmental Permitting Regulations. CIRIA C736 is the industry standard for oil storage bunding used by ONR as the benchmark for compliance during nuclear site inspections. Failure to comply exposes the site owner to enforcement action that could require immediate removal of fuel storage. | Inspection | subsystem, fuel-oil-system, sil-2, regulated, environmental, session-592, idempotency:sub-fuel-oil-compliance-592 |
| SUB-REQ-058 | The Local Alarm and Indication Panel SHALL present any new alarm condition within 2 seconds of the initiating parameter exceeding its alarm threshold, SHALL maintain alarm display independent of the EDG running state (alarms SHALL be visible during start-up, steady-state operation, and shutdown), and SHALL comply with EEMUA 191 (Alarm systems — A guide to design, management and procurement) for alarm presentation, priority classification, and suppression control. Rationale: The Local Alarm and Indication Panel is Temporal (UHT trait) and Normative: 2-second alarm presentation latency is the maximum permissible for Class 1E safety alarm systems under the IEC 61226 (Nuclear power plants — I&C systems important to safety) classification. EEMUA 191 compliance is required by ONR for control panel alarm management on nuclear licensed sites to prevent alarm flooding that could lead operators to miss safety-critical alerts during abnormal events. | Test | subsystem, monitoring-and-instrumentation, sil-2, temporal, normative, session-592, idempotency:sub-local-alarm-timing-592 |
| SUB-REQ-059 | The Starting and Control Subsystem SHALL provide a test mode that enables full-rated-load operational testing of the EDG system without connecting to the safety bus, achieved by automatically transferring the EDG load to a dedicated load bank, with test initiation and termination controlled by a key-switch on the Engine Control Panel accessible only to authorised operations team personnel. Rationale: STK-REQ-004 requires the operations team to conduct monthly full-load tests without interrupting normal plant safety functions; this SUB requirement decomposes the test mode implementation to the Starting and Control Subsystem. Key-switch access control is required by ONR nuclear site operating procedures to prevent inadvertent test mode activation. Load bank transfer (rather than live bus testing) ensures that a test-mode fault cannot interrupt safety bus power to nuclear loads. | Demonstration | subsystem, starting-and-control, sil-3, operations, session-592, idempotency:sub-test-mode-control-592 |
| SUB-REQ-060 | Each major subsystem of the EDG system (Diesel Engine Subsystem, Alternator Subsystem, Fuel Oil System, Cooling System, Starting and Control Subsystem, Electrical Protection and Switchgear Subsystem, Monitoring and Instrumentation Subsystem) SHALL provide dedicated isolation points (valves, isolators, or disconnects) enabling an authorised maintenance team to electrically or mechanically isolate that subsystem from the remainder of the EDG system without requiring removal of any shared component, within a preparation time not exceeding 60 minutes. Rationale: STK-REQ-006 requires the maintenance team to isolate and maintain each subsystem independently with maximum 2-hour preparation time; this SUB requirement decomposes the isolation architecture across all seven subsystems. 60-minute isolation preparation is specified (half the 2-hour STK allowance) to allow margin for unexpected complications during isolations on a nuclear licensed site where permit-to-work procedures add administrative overhead. | Inspection | subsystem, maintenance, sil-2, isolation, session-592, idempotency:sub-subsystem-isolation-592 |
| SUB-REQ-061 | The Fuel Oil System SHALL comply with the Dangerous Substances and Explosive Atmospheres Regulations 2002 (DSEAR) for storage and handling of Class C3 petroleum product, the Petroleum (Consolidation) Regulations 2014, and BS EN ISO 4064 for flow measurement, and SHALL be designed, constructed, and inspected in accordance with CIRIA C736 (Containment systems for the storage of polluting liquids) for secondary containment of all bulk and day tank installations. Rationale: The Fuel Oil System stores and handles diesel fuel (petroleum Class C3) on a licensed nuclear site. DSEAR compliance is legally mandatory for hazardous substance storage. Petroleum Consolidation Regulations apply because bulk storage exceeds 3,000 litres. CIRIA C736 secondary containment is required by the Environment Agency (EA) for bulk fuel tanks to prevent pollution incidents — a 168h fuel stock at a large EDG may exceed 15,000 litres, triggering EA Class 2 bunding requirements. | Inspection | session-593, qc, fuel-oil, compliance, regulatory, idempotency:sub-fuel-oil-compliance-593 |
| SUB-REQ-062 | The Compressed Air Starting System SHALL store compressed air at no less than 25 bar gauge to deliver a minimum of 3 complete 15-second cranking cycles at full cranking torque, without requiring compressor recharge between attempts. Rationale: Derived from SYS-REQ-003. Three attempts is the UK nuclear standard: probabilistic analysis shows P(3 sequential failures \| working engine) < 1×10⁻⁴. Each cycle is 15 seconds to match engine starting performance at rated class. The 25 bar minimum stored pressure ensures starting torque is maintained through all three attempts without compressor assist. Replaces SUB-REQ-002 to eliminate ambiguous 'sufficient'. | Test | session-595, qc, starting-control, sil-3, replaces-sub-002, idempotency:sub-cass-3-attempts-r2-595 |
| SUB-REQ-063 | The Engine Block and Rotating Assembly SHALL accelerate the coupled shaft to 1500 RPM nominal (50 Hz ±1% at the alternator output) within 10 seconds of start initiation, measured from first starter engagement under cold standby conditions with no electrical load connected. Rationale: 1500 RPM is required by the 4-pole alternator to produce 50 Hz (SUB-REQ-050 and SYS-REQ-001). The 10-second criterion is the system-level start time from SYS-REQ-003. Cold standby starting is the worst-case condition for accelerating inertia. Replaces SUB-REQ-017 to eliminate ambiguous 'sufficient'. | Test | session-595, qc, diesel-engine-subsystem, sil-2, replaces-sub-017, idempotency:sub-engine-accel-r2-595 |
| SUB-REQ-064 | The Turbocharger and Charge Air System SHALL deliver combustion air at the boost pressure defined in the engine manufacturer's performance map across the rated load range (25% to 110% of rated power), such that the engine achieves its rated power output without smoke exceedance or turbocharger surge at any operating point within this range. Rationale: The nuclear EDG must accept safety bus loads in stepped blocks per SYS-REQ-007, starting as low as 25% rated load. Replacement references the manufacturer's performance map (a defined, measurable specification) rather than the ambiguous 'sufficient boost pressure'. The 25-110% range is confirmed as the operating envelope. Replaces SUB-REQ-022 to eliminate ambiguous 'sufficient'. | Test | session-595, qc, diesel-engine-subsystem, sil-2, replaces-sub-022, idempotency:sub-turbo-boost-r2-595 |
| SUB-REQ-065 | The Bulk Fuel Storage Tank SHALL have a minimum nominal capacity of 115% of the quantity required for 168 hours of continuous EDG operation at rated load, where rated load fuel consumption is defined by the engine manufacturer's test bed data, and the 115% factor accounts for 3% dead sump volume, 2% thermal expansion (per ASTM D975 Class A2 diesel at 40°C), and 10% minimum pump inlet submersion. Rationale: 168h duration is the design basis from SYS-REQ-002. The 115% factor components are: 3% sump dead volume, 2% thermal expansion at 40°C (ASTM D975 Class A2 diesel), 10% minimum pump inlet submersion to prevent vortex ingestion — standard allowances per ENA TS 09-3. Calculation method provides a verifiable capacity rather than the ambiguous 'sufficient volume'. Replaces SUB-REQ-041 to eliminate ambiguous 'sufficient'. | Inspection | session-595, qc, fuel-oil-system, sil-2, replaces-sub-041, idempotency:sub-bulk-tank-cap-r2-595 |
| SUB-REQ-066 | Before reinstatement to operational service following any planned maintenance activity requiring LOTO isolation, the EDG system SHALL successfully complete a Post Maintenance Test (PMT) demonstrating start-to-rated voltage and frequency within 10 seconds and acceptance of a 50% rated load block, with all protective trips, alarms, and control functions verified functional prior to return to standby ready mode. Rationale: The Planned Overhaul ConOps scenario requires a validation mechanism between maintenance completion and return to standby ready mode. Without a PMT requirement, the system could re-enter the Standby Ready mode with undetected maintenance defects (e.g., incorrectly reassembled governor, air-locked fuel system). IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) SIL-2/3 functional safety management requires that post-maintenance testing confirms safety function integrity before reinstatement. | Demonstration | session-603, validation, maintenance, pmt, return-to-service, sil-3, idempotency:sub-pmt-return-to-service-603 |
| SUB-REQ-067 | Before any planned maintenance activity requiring physical isolation of EDG components, the Starting and Control Subsystem SHALL enforce a controlled transition to Maintenance Out-of-Service mode by: (a) confirming EDG is in Standby Ready or post-test shutdown state; (b) issuing an EDG unavailability signal to the site control room within 30 seconds; (c) removing the start demand interlock to prevent automatic start; (d) confirming LOTO point isolation on all energy sources before issuing a Maintenance Access Permit. Rationale: The ConOps scenario 'Planned Overhaul' identifies a 14-day maintenance outage with LOTO. STK-REQ-006 requires isolation without affecting normal plant operation. SUB-REQ-066 specifies the return-to-service PMT but there was no corresponding requirement governing the controlled ENTRY into Maintenance Out-of-Service mode — specifically, the automatic start interlock removal and unavailability notification to the control room. Without a procedural entry requirement, there is a risk that an EDG could receive a LOOP demand while maintenance activities are in progress. Verification by Demonstration: a factory acceptance test (FAT) procedure SHALL step through the full sequence (a)–(d) against a simulated LOOP demand signal, confirming that the start demand interlock is removed before Maintenance Access Permit is issued, and that the unavailability signal reaches the simulated control room within 30 seconds. The demonstration must be repeatable and witnessed by the nuclear site's I&C commissioning team. Inspection of a document alone is insufficient because the sequence involves software logic and interlock states that can only be confirmed by exercising the actual control system. | Demonstration | session-607, validation, maintenance, loto, mode-coverage, sil-3, idempotency:sub-maintenance-mode-entry-607, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-068 | The Remote Monitoring Gateway SHALL provide a minimum 2500Vrms galvanic isolation barrier (optical isolator or equivalent qualified isolator device) between the SIL-2 Protective Trip Logic Unit circuits and the main control room I&C network, and SHALL reject any command or write message received from the I&C network without generating an acknowledgement. Rationale: 2500Vrms isolation withstand is required by IEC 60709 (Nuclear power plants — Instrumentation and control systems important to safety — Separation) for Class 1E to non-Class 1E interface isolation barriers with 120/240VAC working voltage: IEC 60709 Table 1 specifies a minimum 3000V dielectric withstand test (2121Vrms continuous equivalent), making 2500Vrms the minimum rated isolation voltage to meet the test requirement with margin. The previous value of 1500Vrms was derived from IEC 60664-1 general industrial practice and is insufficient for nuclear-qualified separation. One-way enforcement prevents cyber or operator-error command paths from inadvertently modifying protection setpoints, directly addressing H-010 (Cyber attack threat) per IEC 61513 (Nuclear power plants — Instrumentation and control systems important to safety — General requirements for systems). Supersedes SUB-REQ-034. | Test | session-611, qc, monitoring-and-instrumentation, sil-2, supersedes-sub-req-034, idempotency:sub-rmg-isolation-2500vrms-611 |
| SUB-REQ-069 | The Local Alarm and Indication Panel SHALL provide first-out alarm annunciation for all EDG protective trip functions, displaying the identity of the first-to-trip parameter within 100 milliseconds of the trip output from the Protective Trip Logic Unit, with audible and visual indication that is latched until manually acknowledged. Rationale: 100ms first-out display latency is required because nuclear EDG protective trip chains can produce cascading secondary trips within 200–500ms of the initiating event (e.g., low oil pressure initiates followed by overspeed as the engine governor reacts): if the LAIP display latency exceeds the inter-trip interval, the displayed first-out may incorrectly show a secondary trip as the initiating cause. IEC 62138 (Software for computers important to safety for nuclear power stations) and NUREG/CR-6572 guidance for nuclear annunciation systems establish ≤100ms as the required maximum response time for first-out discrimination. ONR inspection requirements for nuclear EDGs specify that first-out identification must be unambiguous for both surveillance testing post-trips and licensing event reports. The 500ms value in the superseded SUB-REQ-035 was insufficient to meet this discrimination requirement. Supersedes SUB-REQ-035. | Demonstration | session-611, qc, monitoring-and-instrumentation, supersedes-sub-req-035, idempotency:sub-laip-firstout-100ms-611 |
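The one-way enforcement in SUB-REQ-068 has a software half as well as the optical barrier: the gateway must forward status and analogue retransmission signals outward and must drop every command or write from the I&C network without producing any acknowledgement. The following Python model is an added example written for this description, not code from the SyDD or from any gateway product; the message fields, the `OneWayGateway` class, the inbound-write alarm threshold and the outbound tag list (taken from the IFC-REQ-013 status and analogue signals) are assumptions of the example, and the 2500Vrms galvanic barrier itself is hardware and is not modelled.

```python
"""One-way Remote Monitoring Gateway policy (SUB-REQ-068).

Added example, not code from the SyDD or any gateway product. It models the
logical half of the requirement: PTLU status and analogue retransmission
signals pass towards the I&C network, while every command or write arriving
from the I&C network is dropped without any acknowledgement. Field names,
the tag whitelist and the alarm threshold are assumptions of the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Signals the safety side may publish (the IFC-REQ-013 status and analogue list).
ALLOWED_OUTBOUND = {
    "running", "trip", "alarm", "channel_fault", "test_mode",       # discrete status
    "engine_speed", "coolant_temperature", "lube_oil_pressure",     # analogue retransmission
}
OUTBOUND_KINDS = {"status", "analogue"}


@dataclass(frozen=True)
class Message:
    direction: str   # "to_network" (safety side -> I&C) or "from_network" (I&C -> safety side)
    kind: str        # "status", "analogue", "read", "write" or "command"
    tag: str
    value: object = None


@dataclass
class OneWayGateway:
    """Data-diode style filter: strictly safety-side-to-network, no return path."""
    inbound_alarm_threshold: int = 3          # assumed: repeated inbound writes raise an alarm
    forwarded: List[Message] = field(default_factory=list)
    rejected: List[Message] = field(default_factory=list)   # audit log of dropped inbound traffic

    def to_network(self, msg: Message) -> Optional[Message]:
        """Safety side -> I&C network. Only whitelisted status/analogue tags pass;
        anything else (including a misrouted inbound frame) is silently dropped."""
        if msg.direction != "to_network" or msg.kind not in OUTBOUND_KINDS:
            return None
        if msg.tag not in ALLOWED_OUTBOUND:
            return None
        self.forwarded.append(msg)
        return msg

    def from_network(self, msg: Message) -> None:
        """I&C network -> safety side. Nothing crosses and no acknowledgement,
        positive or negative, is produced: the only return path is `None`, so a
        caller cannot even learn whether the gateway received the frame. The
        attempt is logged so the control room can be alarmed on it."""
        self.rejected.append(msg)
        return None

    def inbound_write_alarm(self) -> bool:
        """Defender's hook: True once rejected write/command traffic reaches the
        threshold, i.e. something on the I&C network is trying to reach the PTLU."""
        writes = [m for m in self.rejected if m.kind in ("write", "command")]
        return len(writes) >= self.inbound_alarm_threshold


def demo() -> dict:
    """Exercise the gateway with constructed traffic and return the outcome."""
    gw = OneWayGateway()
    gw.to_network(Message("to_network", "status", "running", True))
    gw.to_network(Message("to_network", "analogue", "lube_oil_pressure", 4.2))
    # A write from the I&C side aimed at a protection setpoint (constructed tag
    # and value): dropped, no acknowledgement.
    reply = gw.from_network(Message("from_network", "write", "trip_setpoint", 0))
    return {"forwarded": len(gw.forwarded), "rejected": len(gw.rejected), "reply": reply}
```

The point to verify at FAT is the absence of any reply path: `from_network` has a single exit that returns nothing, and the rejected-traffic log is what feeds the cyber-attack detection the rationale attributes to H-010.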
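The SUB-REQ-069 rationale argues that a display latency longer than the inter-trip interval can show a consequential trip as the initiating cause. The following Python model is an added example, not code from the SyDD: it contrasts an annunciator that latches the first trip output on receipt with a display that only samples the most recent trip on a refresh tick, using a constructed cascade (low oil pressure at t=0 ms, overspeed following at t=250 ms). The class names, the 80 ms panel delay and the cascade timings are assumptions of the example.

```python
"""First-out alarm discrimination on the Local Alarm and Indication Panel (SUB-REQ-069).

Added example, not code from the SyDD. Two models are contrasted on a
constructed cascade (low oil pressure at t=0 ms, overspeed at t=250 ms):
an annunciator that latches the first trip on receipt, and a display that
only samples the most recent trip on a refresh tick, which mis-identifies
the cause once its refresh period exceeds the inter-trip interval.
"""
from dataclasses import dataclass, field
from typing import List, Optional

FIRST_OUT_BUDGET_MS = 100   # maximum display latency from SUB-REQ-069


@dataclass(frozen=True)
class TripEvent:
    parameter: str
    t_ms: int        # time the PTLU trip output asserted, relative to the initiating event


@dataclass
class FirstOutAnnunciator:
    """Latch-on-receipt annunciator: the first trip output seen is held as the
    first-out, later trips are recorded as consequential, and the audible and
    visual indication stay latched until a manual acknowledge."""
    display_latency_ms: int = 80        # assumed processing delay of the panel
    first_out: Optional[str] = None
    first_out_t_ms: Optional[int] = None
    subsequent: List[str] = field(default_factory=list)
    audible: bool = False
    visual: bool = False

    def on_trip(self, ev: TripEvent) -> str:
        if self.first_out is None:
            self.first_out, self.first_out_t_ms = ev.parameter, ev.t_ms
            self.audible = self.visual = True
        else:
            self.subsequent.append(ev.parameter)
        return self.first_out

    def displayed_at_ms(self) -> Optional[int]:
        """When the first-out identity appears on the panel."""
        if self.first_out_t_ms is None:
            return None
        return self.first_out_t_ms + self.display_latency_ms

    def meets_latency_budget(self) -> bool:
        return self.display_latency_ms <= FIRST_OUT_BUDGET_MS

    def acknowledge(self) -> None:
        """Manual acknowledge silences the horn and releases the latch; the
        first-out identity is kept in `first_out` for the trip record."""
        self.audible = False
        self.visual = False


def polled_first_out(events: List[TripEvent], refresh_ms: int) -> str:
    """Model of a display with no latch that, on each refresh tick, shows the most
    recently asserted trip. Returns what the operator sees on the first tick after
    the initiating trip."""
    first_t = min(ev.t_ms for ev in events)
    tick = (first_t // refresh_ms + 1) * refresh_ms     # first refresh after the initiating trip
    visible = [ev for ev in events if ev.t_ms <= tick]
    return max(visible, key=lambda ev: ev.t_ms).parameter


# Constructed trip cascade of the kind described in the SUB-REQ-069 rationale.
CASCADE = [TripEvent("low_oil_pressure", 0), TripEvent("overspeed", 250)]
```

With the 500 ms refresh of the superseded SUB-REQ-035, `polled_first_out(CASCADE, 500)` reports overspeed, the secondary trip; with a 100 ms refresh it reports low oil pressure, which is the discrimination the requirement exists to guarantee.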

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between the Automatic Load Controller and the Engine Control Panel SHALL convey the start demand signal as a hardwired 24VDC contact closure signal, with a maximum impedance of 500 ohms in the signal path, a maximum latency of 10 milliseconds from ALC output to ECP input, and shall be routed via physically separate cable from all other instrumentation circuits. Rationale: Derived from SUB-REQ-001. Hardwired contact closure rather than serial communications eliminates the risk of software protocol failure blocking the start signal. 24VDC is the nuclear site standard control voltage. 500 ohm impedance limit is derived from ECP relay input sensitivity specification. Physical cable separation prevents a single instance of cable damage from defeating the start signal and another control circuit at the same time (common-cause failure). | Test | interface, starting-control, sil-3, session-574, idempotency:ifc-alc-ecp-start-demand-574 |
| IFC-REQ-002 | The interface between the Engine Control Panel and the Compressed Air Starting System SHALL use a 24VDC solenoid valve signal, with the start air solenoid valve rated for a minimum of 10,000 operating cycles, an opening time not exceeding 100 milliseconds, and shall fail-closed (de-energise to close) on loss of control power. Rationale: Derived from SUB-REQ-002. Fail-closed solenoid valve ensures that loss of control power does not inadvertently vent air receivers (loss of start capability). 100ms opening time contributes to the overall start sequence timing budget. 10,000 cycle rating covers monthly testing over a 30-year plant life with margin. 24VDC aligns with site-standard control voltage. | Test | interface, starting-control, sil-3, session-574, idempotency:ifc-ecp-cass-solenoid-574 |
| IFC-REQ-003 | The interface between the Isochronous Governor System and the Diesel Engine Subsystem SHALL provide dual independent magnetic pick-up speed sensors (minimum 60-tooth gear, 24VDC excitation) with a signal separation of at least 90mm between sensor locations on the flywheel housing, and a fuel rack actuator interface delivering 0–100% fuel position at a slew rate not less than 100%/second. Rationale: Derived from SUB-REQ-003 (3-second recovery) and SUB-REQ-004 (independent overspeed trip). Dual sensors with physical separation prevent common-cause sensor failure from eliminating both speed feedback paths simultaneously. 100%/second fuel rack slew rate is the minimum required to achieve 3-second load recovery: full-rack excursion must complete within the first 1.5s of the 3-second window. | Test | interface, starting-control, sil-2, session-574, idempotency:ifc-gov-engine-speed-574 |
| IFC-REQ-004 | The interface between the Generator Protection Relay and the Main Generator Circuit Breaker SHALL transmit the generator trip signal as a hardwired 110V DC signal held energised during normal operation (de-energisation causes breaker to open — fail-safe), with the trip initiating breaker opening within 10 milliseconds of signal de-energisation, and the trip circuit monitored continuously for open-circuit faults. Rationale: Normally-energised hardwired trip circuit is the standard nuclear fail-safe scheme: loss of supply or open-circuit in the trip wiring causes a trip, preventing relay failure from resulting in an unprotected generator. 110V DC is the nuclear industry standard for trip circuits per BS EN 50131 practice. Continuous monitoring detects latent open-circuit faults before demand. | Test | interface, electrical-protection-and-switchgear, sil-3, session-575, idempotency:ifc-gpr-mgcb-trip-signal-575 |
| IFC-REQ-005 | The interface between the Voltage Sensing and Monitoring Unit and the Generator Protection Relay SHALL provide analogue voltage measurement signals as 4-20mA loops (4mA = 0V, 20mA = 120% nominal voltage), one channel per measurement point, with cable screening and maximum loop resistance of 500 ohms, and signal latency not exceeding 20 milliseconds. Rationale: 4-20mA analogue loop is the standard industrial measurement interface because the living-zero at 4mA allows open-circuit and short-circuit faults to be distinguished from zero-voltage readings, preventing false LOOP detection. 20ms latency is required to ensure the VSMU signal reaches the GPR within the overall 80ms fault detection budget. | Test | interface, electrical-protection-and-switchgear, sil-2, session-575, idempotency:ifc-vsmu-gpr-voltage-signals-575 |
| IFC-REQ-006 | The interface between the Automatic Load Controller and the Safety Bus Transfer Contactor SHALL transmit the bus transfer command as a hardwired 24V DC pulsed signal (50ms minimum pulse width), with contactor position status returned as volt-free contacts (normally-open closed when contactor closed) to the ALC and Engine Control Panel within 50 milliseconds of position change. Rationale: Hardwired pulsed command with position feedback provides closed-loop verification of transfer completion required by the SIL 3 function. 50ms position feedback latency allows the ALC to confirm transfer within the 150ms total transfer window (SUB-REQ-012) with margin for re-command if the first attempt fails. Volt-free contacts isolate the switchgear from the control system ground reference. | Test | interface, electrical-protection-and-switchgear, sil-3, session-575, idempotency:ifc-alc-sbtc-bus-transfer-575 |
| IFC-REQ-007 | The 24VDC supply powering the Automatic Load Controller hardwired interface circuits (start demand, bus transfer command, and status return circuits) SHALL be sourced from a dedicated, seismically-qualified, Class 1E battery-backed 24VDC distribution panel, rated to supply the interface load with supply voltage maintained within 22V to 28VDC for a minimum of 2 hours following loss of normal 415V AC supply. Rationale: IFC-REQ-001 and IFC-REQ-006 specify 24VDC hardwired interface signals. The UHT classification of this interface as Powered (bit 4) indicates a power source dependency that has no corresponding requirement. For a SIL 3 safety function, the power supply must be Class 1E (nuclear safety-related), seismically qualified, and battery-backed to ensure the LOOP detection and bus transfer interfaces remain operable following the initiating event (loss of offsite power). Without this constraint, the ALC interfaces could lose power at precisely the moment they are needed. The 2-hour duration aligns with STK-REQ-002 (168-hour operation) and the initial battery buffer required during EDG start-up. | Test | session-576, qc, alc-interface, power, class1e, idempotency:edg-ifc-alc-24vdc-power-supply-session576 |
| IFC-REQ-008 | The interface between the Fuel Injection System and the Fuel Oil System SHALL deliver diesel fuel at a supply pressure of 3 to 6 bar and a maximum temperature of 40°C at the injection pump inlet, with a fuel return line capable of handling full bypass flow at back-pressure below 0.5 bar. Rationale: Injection pump manufacturers specify a minimum supply pressure to ensure adequate priming and prevent vapour lock, and a maximum temperature to avoid thermal degradation of seals and injection timing drift. The return line back-pressure limit prevents pressure buildup in the Fuel Oil System that could affect day-tank float valve operation. Interfaces with IFC-REQ-003 governor actuator: fuel quantity is metered after supply, so supply pressure stability directly affects governed output power. | Test | interface, diesel-engine-subsystem, sil-2, session-578, idempotency:ifc-fuel-injection-fuel-oil-578 |
| IFC-REQ-009 | The interface between the Engine Block and Rotating Assembly and the Alternator Subsystem SHALL be a rigid flanged coupling rated for the full engine peak torque including a 120% transient overload margin, with a lateral critical speed at least 20% above the maximum continuous operating speed of 1500 RPM. Rationale: The shaft coupling is the primary mechanical energy transfer path between the EDG's two major subsystems; undersized coupling would fail on load acceptance transients (SYS-REQ-007 load blocks), causing EDG loss at the moment of greatest safety need. The 20% critical speed separation margin prevents resonant vibration during speed excursions from 1500 RPM that occur during load steps and governor correction. | Inspection | interface, diesel-engine-subsystem, sil-2, session-578, idempotency:ifc-engine-block-alternator-coupling-578 |
| IFC-REQ-010 | The interface between the Diesel Engine Subsystem and the Cooling System SHALL maintain engine jacket water inlet temperature between 70°C and 85°C at rated load, and SHALL reduce charge air temperature from turbocharger outlet to below 45°C at the Turbocharger and Charge Air System intercooler outlet under all load conditions from 25% to 110% rated power. Rationale: The jacket water temperature range is the operating window specified by diesel engine manufacturers to maintain thermal efficiency and prevent cold corrosion (below 70°C) or component overheating (above 85°C). The charge air temperature limit below 45°C before the intake manifold prevents knock and allows the engine to produce full rated power — elevated charge air temperature reduces air density and thus maximum power output, risking inability to meet SYS-REQ-001 rated voltage at full load. | Test | interface, diesel-engine-subsystem, sil-2, session-578, idempotency:ifc-diesel-engine-cooling-system-578 |
| IFC-REQ-011 | The interface between the Engine Parameter Sensor Array and the Protective Trip Logic Unit SHALL use dual 4-20mA current loops per parameter, with loop supply voltage of 24VDC plus or minus 10%, maximum loop impedance 500 ohms, and open-circuit and short-circuit detection on each loop within 500 milliseconds. Rationale: 4-20mA current-loop standard (IEC 60381-1) is noise-immune over cable runs to 100m without shielding correction, suitable for the EDG building environment (EMC Class C per IEC 61326). Dual-loop architecture is the SIL-2 hardware redundancy. Loop fault detection within 500ms keeps the single-point vulnerability window below the 1s channel-fault detection budget of SUB-REQ-033. | Test | interface, monitoring-and-instrumentation, sil-2, session-588, idempotency:ifc-epsa-ptlu-588 |
| IFC-REQ-012 | The interface between the Protective Trip Logic Unit and the Engine Control Panel SHALL use hardwired de-energised-to-trip (open contact = shutdown initiated) relay contacts rated 24VDC 2A minimum, one contact per trip function (oil pressure, high coolant temp, overspeed, vibration, channel fault), with each contact driving directly into the Engine Control Panel shutdown input circuit without logic interposing. Rationale: Hardwired relay contacts eliminate any software path between the SIL-2 PTLU and the engine shutdown actuator. Normally-open (de-energise-to-trip) ensures power loss to PTLU causes shutdown. No interposing logic means no additional software common-cause failure path between measurement and actuation, which is a fundamental IEC 61508 requirement for hardwired safety functions. | Test | interface, monitoring-and-instrumentation, sil-2, session-588, idempotency:ifc-ptlu-ecp-588 |
| IFC-REQ-013 | The interface between the Protective Trip Logic Unit and the Remote Monitoring Gateway SHALL transmit discrete status signals (running, trip, alarm, channel fault, test mode) via optically isolated contacts rated 24VDC, and analogue retransmission signals for engine speed, coolant temperature, and lube oil pressure via 4-20mA outputs, with a maximum transmission latency of 2 seconds from parameter change to gateway output. Rationale: Optically isolated discrete contacts prevent electrical coupling from the non-nuclear I&C system into safety circuits. 2-second latency is acceptable for control room monitoring (not relied on for protection). Analogue retransmission of the three highest-priority parameters gives operators actionable information during LOOP response without requiring direct access to safety system inputs. | Test | interface, monitoring-and-instrumentation, session-588, idempotency:ifc-ptlu-rmg-588 |
| IFC-REQ-014 | The interface between the Jacket Water Pump and the Radiator and Fan Assembly SHALL be a closed-circuit 50mm bore coolant pipe with maximum operating pressure of 1.8 bar gauge, rated for 100°C continuous, with isolation valves on inlet and outlet to permit radiator replacement without engine draining. Rationale: 50mm bore provides flow velocity within 2-3 m/s to prevent cavitation and noise. 1.8 bar matches the coolant header tank relief valve rating, ensuring the circuit does not exceed header tank relief. Isolation valves are required to maintain the 14-day major overhaul interval in SYS-REQ-010 without full coolant draining. | Inspection | interface, cooling-system, session-588, idempotency:ifc-jwp-rad-588 |
| IFC-REQ-015 | The interface between the Day Tank and the Fuel Injection System SHALL supply diesel fuel at a gauge pressure of 0.3 to 0.7 bar (gravity head from tank mounting height) and a temperature of 5°C to 45°C, with a volumetric flow capacity equal to 110% of maximum engine fuel consumption at full rated load, via BS EN 10255 pipework and flexible compensator connections at the engine interface. Rationale: 0.3-0.7 bar gravity head range is set by the day tank mounting height (3.0-7.0m above the engine fuel pump inlet, typical EDG building arrangement). 110% capacity margin ensures no flow restriction even at maximum engine fuel demand plus filter pressure drop. Temperature limits derive from BS EN 590 A2 diesel fuel specification and engine manufacturer fuel inlet requirements. | Test | interface, fuel-oil-system, sil-2, session-590, idempotency:ifc-day-tank-injection-590 |
| IFC-REQ-016 | The interface between the Fuel Transfer Pump Set and the Day Tank SHALL deliver fuel at a nominal flow rate of no less than 150% of rated engine fuel consumption at full load, at a maximum discharge pressure not exceeding the Day Tank overflow return pressure setting, with the fill line terminated at or below the High (H) level set-point to prevent turbulence-induced air entrainment. Rationale: 150% of rated consumption flow ensures the day tank refill transient completes within the 30-minute window specified in SUB-REQ-042, even if one pump is operating in degraded condition. Maximum pressure limit protects the day tank shell (typically 0.5 bar design pressure) from pump shutoff head. Air entrainment below the liquid surface prevents fuel foaming that could starve the engine supply. | Test | interface, fuel-oil-system, sil-2, session-590, idempotency:ifc-transfer-pump-day-tank-590 |
| IFC-REQ-017 | The interface between the Fuel Oil System level switches (Day Tank LL, L, H, HH and Bulk Tank L, LL) and the Local Alarm and Indication Panel SHALL use volt-free relay contacts rated for 24VDC at 0.5A minimum, with normally-energised (fail-safe) contact arrangement such that loss of supply to any level switch de-energises the contact and presents the same alarm state as the critical low-level condition. Rationale: Volt-free contacts are the standard nuclear plant interface for field devices to safety-system alarm panels (eliminating ground loop and common-mode noise paths). Normally-energised fail-safe arrangement means cable break or instrument loss of power presents as a low-level alarm rather than a false normal reading — this is a standard nuclear safety instrumentation design principle ensuring failures are revealed, not hidden. | Test | interface, fuel-oil-system, monitoring-and-instrumentation, sil-2, session-590, idempotency:ifc-fuel-level-laip-590 |
| IFC-REQ-018 | The interface between the Voltage Sensing and Monitoring Unit and the Automatic Voltage Regulator SHALL provide a 4-20mA analogue signal representing the generator terminal voltage from 0% to 120% of rated voltage, with signal linearity ±0.3% of full scale, isolated to 500V DC (isolation class per IEC 61010-1), and with a signal update rate no slower than 20ms to enable AVR excitation response within the required transient regulation timescale. Rationale: 4-20mA is the standard nuclear instrumentation interface (IEC 61010-1 isolation protects AVR electronics from HV terminal faults). ±0.3% linearity is required to maintain ±0.5% steady-state voltage regulation (the VSMU signal linearity budget must be less than the voltage regulation requirement). 20ms update rate is derived from the AVR control loop bandwidth needed to achieve 3-second transient recovery per SUB-REQ-046. | Test | interface, alternator-subsystem, electrical-protection-and-switchgear, sil-2, session-590, idempotency:ifc-vsmu-avr-signal-590 |
| IFC-REQ-019 | The mechanical interface between the Diesel Engine Subsystem crankshaft flange and the Synchronous Generator Assembly drive-end shaft SHALL use a rigid disc-pack torsional coupling rated for the full generator rated torque plus a 100% transient overload factor, with torsional natural frequency of the coupled shaft system verified by analysis to be outside the critical speed ranges 0-100 RPM and 2800-3200 RPM (governed speed range ±10%), per ISO 14694 coupling acceptance criteria. Rationale: Torsional critical speed analysis per ISO 14694 is the primary verification deliverable: the analysis must produce a Campbell diagram demonstrating that the coupled shaft torsional natural frequencies lie outside both 0-100 RPM and 2800-3200 RPM exclusion zones across all engine operating modes. The 100% torque overload factor (coupling rated at 2× continuous torque) accommodates MGCB trip transients producing a torque spike to twice rated torque; without this margin, disc-pack fatigue crack initiation is credible within 10,000 start cycles. Failure mode: disc-pack fatigue fracture produces torsional shock load transmitted to both crankshaft and generator shaft, with potential for bearing damage and stator misalignment — the safe state is immediate engine trip via vibration monitoring with post-failure inspection before restart. The analysis report, coupling data sheet confirming Nm rating and stiffness, and acceptance sign-off against ISO 14694 Table 1 criteria constitute the verification evidence package required before first start. | Analysis | interface, alternator-subsystem, diesel-engine-subsystem, sil-2, session-590, idempotency:ifc-engine-alternator-coupling-590, red-team-session-609, rt-resolved-session-611 |
| IFC-REQ-020 | The interface between the Generator Stator Winding and Thermal Protection PT100 RTDs and the Protective Trip Logic Unit SHALL use a 3-wire PT100 connection with individually screened cables (screen earthed at the PTLU end only), providing ±2°C measurement accuracy over 0°C to 200°C range, with open-circuit and short-circuit diagnostics in the PTLU input module detecting wiring faults within 5 seconds and presenting a defined fail-safe state (alarm, not spurious trip) on instrument fault detection. Rationale: 3-wire PT100 connection eliminates lead resistance error that would compromise ±2°C accuracy. Single-end screen earthing prevents ground loops that cause common-mode interference. Fail-to-alarm (not spurious trip) on instrument fault is the design principle for protective monitoring: an instrument fault should alert the operator to investigate, not unnecessarily trip the EDG during a nuclear emergency. 5-second fault detection is consistent with the M&I PTLU response specification in SUB-REQ-031. RTD: Resistance Temperature Detector. | Test | interface, alternator-subsystem, monitoring-and-instrumentation, sil-2, session-590, idempotency:ifc-stator-rtd-ptlu-590, tech-author-session-613 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | The Starting and Control Subsystem architecture SHALL implement a four-component decomposition (Automatic Load Controller, Engine Control Panel, Compressed Air Starting System, Isochronous Governor System) with a documented SIL boundary separating the software-intensive ALC (SIL-3 dual-channel) from the hardwired relay-based ECP protection trips (IEC 61513 Category A), and the compressed air starting system SHALL provide a minimum of 3 complete start attempts without recharge. Rationale: A single integrated controller would require the entire control system to be qualified to SIL-3, increasing design and qualification cost disproportionately. Separation to distinct components allows each to be qualified to its own SIL by function. Compressed air starting is selected over electric starting because it provides starting capability even with battery depletion, addressing H-001 (Failure to start on demand). | Inspection | architecture, starting-control, session-574, idempotency:arc-starting-control-574 |
| ARC-REQ-002 | ARC: Electrical Protection and Switchgear Subsystem — four-component protection architecture driven by nuclear safety bus transfer requirements. The subsystem is decomposed into: Generator Protection Relay (numerical multifunction relay providing 87G/51/27/59/32/40/81 functions), Main Generator Circuit Breaker (vacuum/SF6 breaker providing electrical isolation), Safety Bus Transfer Contactor (automatic bus transfer on LOOP), and Voltage Sensing and Monitoring Unit (dual-channel redundant voltage measurement). This decomposition separates the sensing/logic (VSMU+GPR) from the switching/actuation (MGCB+SBTC) chains to allow independent SIL verification and prevent common-cause failure across the protection and switching paths. Alternative decompositions combining the relay and sensing function were rejected because the GPR's internal CTs cannot provide the bus-level voltage sensing needed for LOOP detection threshold logic — a separate VSMU preserves independent measurement. Rationale: Architecture decision records decomposition rationale for the EPS subsystem, capturing the sensing/switching separation driven by SIL independence requirements per IEC 61508 (Functional safety of E/E/PE safety-related systems). | Inspection | architecture, electrical-protection-and-switchgear, session-575, idempotency:arc-electrical-protection-switchgear-575 |
| ARC-REQ-003 | ARC: Diesel Engine Subsystem — five-component architecture (Engine Block and Rotating Assembly, Fuel Injection System, Lubrication and Bearing System, Turbocharger and Charge Air System, Engine Exhaust and Silencing System). The lubrication system is architecturally separated from the engine block because low oil pressure is a hardwired SIL-2 safety trip — isolating it as a discrete component enforces a clean boundary between the engine mechanical functions and the safety-critical shutdown path. The turbocharger is separated from the engine block because it has independent failure modes (bearing failure, surging, seizure) that require distinct monitoring, and its charge air cooler is thermally coupled to the Cooling System rather than the engine block. Fuel injection is separated because the fuel rack actuator forms the physical interface with the Isochronous Governor System (Starting and Control Subsystem), making it the critical performance boundary for start-time compliance. The exhaust system is included as a distinct component because seismic restraint and back-pressure constraints affect EDG building design independently of the engine internals. Rationale: Decomposing into five components reflects the actual failure mode independence and SIL boundary requirements of the system. A single-component 'diesel engine' would obscure the lubrication trip path (safety-critical) and governor interface (performance-critical), making requirements traceability impossible and qualification scope ambiguous. | Inspection | architecture, diesel-engine-subsystem, session-578, idempotency:arc-diesel-engine-578 |
| ARC-REQ-004 | ARC: Monitoring and Instrumentation Subsystem — four-component architecture (Engine Parameter Sensor Array, Protective Trip Logic Unit, Local Alarm and Indication Panel, Remote Monitoring Gateway). The critical architectural choice is the separation of the SIL-2 Protective Trip Logic Unit from the non-safety Local Alarm and Indication Panel. The PTLU uses hardwired 1oo2D voting with de-energise-to-trip architecture per IEC 61508, ensuring that sensor failures or control system faults cannot prevent a safety shutdown. The Remote Monitoring Gateway provides one-way data flow to the control room with optical isolation, preventing any back-path from the non-nuclear I&C network into the safety-classified protection circuits. The sensor array uses dual-channel redundant 4-20mA loops to allow single-channel failure detection without loss of protection. Rationale: Separation of safety and non-safety I&C functions follows nuclear defence-in-depth principles and IEC 61513 (Nuclear power plants - instrumentation, control and electrical power systems). Hardwired trip paths prevent software-common-mode failure from defeating the safety function. One-way gateway isolation prevents cyber back-path from non-nuclear I&C into SIL-2 circuits. | Inspection | architecture, monitoring-and-instrumentation, session-588, idempotency:arc-monitoring-instrumentation-588 |
| ARC-REQ-005 | The Cooling System architecture SHALL implement a five-component decomposition (Jacket Water Pump, Radiator and Fan Assembly, Thermostat Valve, Coolant Header Tank, Intercooler) where the Jacket Water Pump is engine-shaft-driven (not electrically powered), the Thermostat Valve is mechanical wax-element type with no electrical actuation, and the Radiator fan motor is powered from the emergency bus at 415V; the Coolant Header Tank SHALL provide sufficient makeup capacity to compensate for normal evaporative losses during 168 hours of continuous operation. Rationale: Engine-shaft-driven pump eliminates electrical power dependency for cooling during LOOP, addressing H-006 (Cooling system failure). Mechanical thermostat removes the control system from the cooling circuit, preventing common-cause failure between a control system fault and cooling trip. Emergency bus fan power ensures cooling continues when normal 415V supplies are absent. | Inspection | architecture, cooling-system, session-588, idempotency:arc-cooling-system-588 |
| ARC-REQ-006 | The Fuel Oil System architecture SHALL implement a gravity-feed day tank elevated to provide fuel to the injection system without pump support, with bulk external storage connected via buried pipework with cathodic protection, and duty/standby 415V AC motor-driven transfer pumps; the day tank elevation SHALL provide positive static head of not less than 2m at the injection pump inlet under all normal fuel level conditions. Rationale: Gravity feed eliminates an electrically-powered dependency on the fuel supply path, addressing H-005 (Fuel contamination/exhaustion). Bulk external storage satisfies EDG room fire load limits per ONR TAST guidance. Duty/standby pump redundancy achieves a better PFD than a single high-integrity pump because 415V gear pumps are commercially available with short lead times, reducing both cost and delivery risk. | Analysis | architecture, fuel-oil-system, session-590, idempotency:arc-fuel-oil-system-590 |
| ARC-REQ-007 | The Alternator Subsystem architecture SHALL implement a brushless salient-pole synchronous generator with static Automatic Voltage Regulator (AVR) and Permanent Magnet Generator (PMG)-fed pilot excitation; the PMG SHALL provide excitation independently of alternator terminal voltage to ensure reliable voltage build-up from zero-volts condition within the 10-second LOOP start sequence. Rationale: Brushless excitation eliminates carbon brush and slip ring maintenance (typically required every 1,000-2,000h) and removes debris contamination risk in the nuclear building — ONR preferred arrangement for safety-qualified generators on UK licensed sites. Static AVR provides faster voltage recovery than rotating or AC compound excitation on block load application, critical for LOOP re-energisation where the EDG must accept large block loads within 10 seconds. PMG pilot exciter ensures excitation remains available during terminal voltage collapse. | Analysis | architecture, alternator-subsystem, session-590, idempotency:arc-alternator-subsystem-590 |
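IFC-REQ-005 and IFC-REQ-011 rely on the 4-20mA living zero to tell a genuine 0% reading from an open or shorted loop, and ARC-REQ-004 builds the Protective Trip Logic Unit on 1oo2D voting over those dual loops with a de-energise-to-trip output. The following Python model is an added example serving both passages, not code from the SyDD or from any PTLU vendor: the fault thresholds (3.6 mA and 21.0 mA, which follow the common NAMUR NE43 convention but are chosen for this example), the 0-10 bar oil-pressure span, the 2.0 bar trip setpoint, and the choice to go to the safe state when both channels are diagnosed faulty are assumptions of the example; the actual setpoints come from the engine OEM and the PTLU design.

```python
"""Dual 4-20 mA loop diagnostics and 1oo2D trip voting (IFC-REQ-011, ARC-REQ-004).

Added illustration, not code from the SyDD or from any vendor's PTLU.
Fault thresholds (3.6 mA / 21.0 mA), the 0-10 bar oil-pressure span and the
2.0 bar trip setpoint are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

OPEN_CIRCUIT_MA = 3.6    # below the 4 mA living zero: broken wire / dead transmitter (assumed)
SHORT_CIRCUIT_MA = 21.0  # above 20 mA full scale: loop short or saturated transmitter (assumed)


@dataclass(frozen=True)
class LoopReading:
    state: str               # "ok", "open_circuit" or "short_circuit"
    value: Optional[float]   # engineering value when state == "ok", else None


def classify_loop(current_ma: float, span_lo: float, span_hi: float) -> LoopReading:
    """Map a loop current to an engineering value, using the living zero to
    separate a genuine 0% reading (4 mA) from wiring faults (~0 mA or >20 mA)."""
    if current_ma < OPEN_CIRCUIT_MA:
        return LoopReading("open_circuit", None)
    if current_ma > SHORT_CIRCUIT_MA:
        return LoopReading("short_circuit", None)
    fraction = (current_ma - 4.0) / 16.0           # 4 mA -> 0.0, 20 mA -> 1.0
    fraction = min(max(fraction, 0.0), 1.0)        # clamp slight over/under-range
    return LoopReading("ok", span_lo + fraction * (span_hi - span_lo))


def vote_1oo2d(ch_a_ma: float, ch_b_ma: float, *, span=(0.0, 10.0),
               setpoint: float = 2.0, trip_if_low: bool = True) -> dict:
    """1oo2D: either healthy channel may trip (1 out of 2); a diagnosed channel
    fault raises a channel-fault alarm and the remaining channel governs alone
    (degraded to 1oo1). The output relay is energise-to-run, so
    `relay_energised=False` means shutdown initiated."""
    readings = [classify_loop(i, *span) for i in (ch_a_ma, ch_b_ma)]
    healthy = [r for r in readings if r.state == "ok"]
    channel_fault = len(healthy) < 2

    def demands_trip(r: LoopReading) -> bool:
        return r.value < setpoint if trip_if_low else r.value > setpoint

    if not healthy:
        # Both channels lost: no valid measurement remains. The conventional
        # 1oo2D response, assumed here, is to de-energise to the safe state.
        trip = True
    else:
        trip = any(demands_trip(r) for r in healthy)

    return {
        "relay_energised": not trip,
        "trip": trip,
        "channel_fault": channel_fault,
        "channels": [r.state for r in readings],
        "values": [r.value for r in readings],
    }
```

The single-channel-fault path is the one worth exercising at FAT: an open loop on channel A must produce a channel-fault alarm and leave channel B protecting alone, not a spurious trip (the fail-to-alarm principle stated for IFC-REQ-020) and not a hidden loss of protection.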
Starting and Control - Internal Block

```mermaid
flowchart TB
    n0["component<br>Automatic Load Controller"]
    n1["component<br>Engine Control Panel"]
    n2["component<br>Compressed Air Starting System"]
    n3["component<br>Isochronous Governor System"]
    n4["external<br>Class 1E Safety Bus"]
    n5["external<br>Diesel Engine"]
    n4 -->|LOOP detection voltage/freq| n0
    n0 -->|Start demand hardwired 24VDC| n1
    n1 -->|Air start valve open signal| n2
    n2 -->|30 bar cranking air| n5
    n5 -->|Speed feedback dual MPU| n3
    n3 -->|Fuel rack position| n5
    n1 -->|Speed setpoint / trip| n3
```
Electrical Protection and Switchgear - Internal Block

```mermaid
flowchart TB
    n0["component<br>Generator Protection Relay"]
    n1["component<br>Main Generator Circuit Breaker"]
    n2["component<br>Safety Bus Transfer Contactor"]
    n3["component<br>Voltage Sensing and Monitoring Unit"]
    n4["external<br>Automatic Load Controller"]
    n5["external<br>Class 1E Safety Bus"]
    n3 -->|4-20mA voltage signals| n0
    n0 -->|110VDC trip signal| n1
    n4 -->|24VDC bus transfer cmd| n2
    n2 -->|safety bus supply| n5
    n1 -.->|anti-paralleling interlock| n2
```
Diesel Engine - Internal Block

```mermaid
flowchart TB
    n0["component<br>Engine Block and Rotating Assembly"]
    n1["component<br>Fuel Injection System"]
    n2["component<br>Lubrication and Bearing System"]
    n3["component<br>Turbocharger and Charge Air System"]
    n4["component<br>Engine Exhaust and Silencing System"]
    n5["external<br>Fuel Oil System"]
    n6["external<br>Alternator Subsystem"]
    n7["external<br>Cooling System"]
    n8["external<br>Isochronous Governor System"]
    n5 -->|diesel fuel 3-6 bar| n1
    n1 -->|metered fuel spray| n0
    n8 -->|fuel rack demand| n1
    n0 -->|shaft torque 1500 RPM| n6
    n0 -->|exhaust gases| n3
    n3 -->|charge air below 45C| n0
    n7 -->|jacket water 70-85C| n0
    n2 -->|oil 3.5-5 bar| n0
    n0 -->|exhaust to atmosphere| n4
```
Alternator Subsystem — Internal Components

```mermaid
flowchart TB
    n0["component<br>Rotor and Field Winding"]
    n1["component<br>Stator and Armature Winding"]
    n2["component<br>Automatic Voltage Regulator"]
    n3["component<br>Brushless Exciter"]
    n4["external<br>Diesel Engine"]
    n5["external<br>Generator Protection Relay"]
    n6["component<br>Generator Bearing and Mechanical Support Assembly"]
    n4 -->|shaft torque 1500 RPM| n0
    n0 -->|field rotation| n3
    n3 -->|DC excitation current| n0
    n2 -->|excitation demand signal| n3
    n1 -->|11kV terminal voltage| n2
    n1 -->|11kV 3-phase output| n5
    n4 -->|shaft coupling| n6
    n6 -->|rotor shaft| n0
```
Fuel Oil System — Internal Components

```mermaid
flowchart TB
    n0["component<br>Day Tank"]
    n1["component<br>Fuel Transfer Pump"]
    n2["component<br>Duplex Fuel Filter"]
    n3["component<br>Fuel Level and Alarm Unit"]
    n4["external<br>Fuel Injection System"]
    n5["external<br>Bulk Storage Tank"]
    n6["component<br>Fuel Supply Pipework and Valve Assembly"]
    n7["component<br>Bulk Fuel Storage Tank"]
    n5 -->|bulk fuel supply| n1
    n1 -->|diesel fill| n0
    n0 -->|gravity feed 0.3 bar| n2
    n2 -->|filtered fuel 3-6 bar| n4
    n3 -->|level alarm / pump start| n1
    n7 -->|bulk fuel supply| n1
    n1 -->|pressurised fuel| n6
    n6 -->|metered fill| n0
```
Cooling System — Internal Components

```mermaid
flowchart TB
    n0["component<br>Jacket Water Pump"]
    n1["component<br>Radiator and Fan Assembly"]
    n2["component<br>Thermostat Valve"]
    n3["component<br>Coolant Header Tank"]
    n4["external<br>Engine Block"]
    n5["component<br>Intercooler"]
    n0 -->|hot coolant| n2
    n2 -->|coolant above 71C| n1
    n1 -->|cooled water return| n0
    n2 -->|bypass/through coolant| n4
    n4 -->|warm jacket water| n0
    n5 -->|charge air below 45C| n4
    n3 -->|system pressure / top-up| n0
    n0 -->|coolant flow| n4
    n4 -->|hot coolant| n1
    n2 -->|bypass| n0
```
Monitoring and Instrumentation — Internal Components

```mermaid
flowchart TB
    n0["component<br>Engine Monitoring Unit"]
    n1["component<br>Temperature Sensor Array"]
    n2["component<br>Pressure Sensor Array"]
    n3["component<br>Speed and Frequency Monitor"]
    n4["component<br>Local Alarm Annunciator"]
    n5["external<br>Engine Control Panel"]
    n6["component<br>Engine Parameter Sensor Array"]
    n7["component<br>Protective Trip Logic Unit"]
    n8["component<br>Local Alarm and Indication Panel"]
    n9["component<br>Remote Monitoring Gateway"]
    n1 -->|temperature signals 4-20mA| n0
    n2 -->|pressure signals 4-20mA| n0
    n3 -->|speed/freq pulse signals| n0
    n0 -->|alarm discrete outputs| n4
    n0 -->|trip and shutdown signals| n5
    n3 -->|overspeed trip hardwired| n5
    n6 -->|4-20mA dual-channel| n7
    n7 -->|hardwired trip| n5
    n7 -->|alarm signals| n8
    n7 -->|status discretes| n9
```
| Entity | Hex Code | Description |
|---|---|---|
| Alternator Subsystem | D6F53018 | Synchronous AC generator, 415V/11kV 3-phase 50Hz output, directly coupled to diesel engine. Includes brushless exciter, automatic voltage regulator (AVR) maintaining ±2% voltage, and AVR protection. Sustained rated output for 7-day continuous operation. Insulation class H. Self-excited following blackstart. Harmonic distortion <5% THD per IEC 60034. |
| automatic load controller | D7F77018 | Physical electronic control unit (LRU) housed in a 19-inch rack-mount enclosure, installed in the Starting and Control panel within the EDG building. Receives hardwired 24VDC signals from the site electrical protection system, processes loss-of-offsite-power and load demand signals, and generates timed relay outputs to the safety bus transfer contactor and load-sequencing contactors. Class 1E qualified electronic equipment with EMC screening and surge protection. |
| Automatic Load Controller | D7F73858 | Physically housed relay logic panel with DIN-rail mounted PLC modules, solid-state relays, and terminal blocks in a steel enclosure. Located in the EDG building. Receives start demand and bus voltage signals, implements load sequencing logic, and drives the Safety Bus Transfer Contactor via hardwired outputs. Classified 1E nuclear safety equipment, housed in a seismic-qualified cabinet. |
| Automatic Voltage Regulator | D5F73058 | Static electronic AVR maintaining generator terminal voltage within ±0.5% of set-point under steady-state and within ±6% during transient step loading. Receives voltage feedback from VSMU 4-20mA signal and controls field excitation current via PWM firing of the main exciter stator winding. Provides reactive droop compensation (typically 3-5% droop for parallel operation), over-excitation limiter (OEL), under-excitation limiter (UEL), and manual voltage trim potentiometer. Powered from PMG (independent of terminal voltage). Complies with IEC 60034-16-1 for Class A voltage regulation. |
| Brushless Excitation System | 54F53018 | Three-stage brushless excitation chain eliminating slip rings and carbon brushes: (1) permanent magnet generator (PMG) on the main shaft provides stable, terminal-voltage-independent excitation power; (2) main exciter stator (AC field winding controlled by AVR) and main exciter rotor (rotating AC armature); (3) rotating silicon diode rectifier assembly on shaft converts AC exciter output to DC for the main generator field winding. Provides excitation response time within IEC 60034-16-1 requirements. Rotating rectifier diodes are fused with open-circuit fuse detection via shaft-mounted proximity sensor. |
| Bulk Fuel Storage Tank | CE851058 | External bunded underground or above-grade carbon-steel tank (typically 20,000–50,000L) providing 7-day fuel reserve at rated EDG output. Cathodic protection on buried sections, secondary containment bunding to site PADHI flood risk level. Fitted with continuous ultrasonic level monitoring, bottom water detection probes, manual sampling point, vented fill pipe, and suction line to fuel transfer pump set. Must be seismically qualified to SS1 category (BS EN 1998-4 / NS-TAST-GD-013 screening). |
| Compressed Air Starting System | D6D51018 | Dual redundant 250-litre air receivers charged to 30 bar by dedicated compressor. Supplies compressed air to pneumatic air start motors (2 per engine) that crank the diesel engine to firing speed (~100 RPM). Air distributor valve controls injection timing into cylinders. Auto-recharge maintains receiver pressure after each start attempt. Sufficient stored air for minimum 3 start attempts without recharging. Operating environment: EDG building, ambient -5°C to +45°C, seismically qualified. |
| Coolant Header Tank | C6851018 | Pressurised expansion vessel maintaining cooling system at 1.0-1.5 bar gauge above atmospheric. Volume 30L. Provides make-up coolant for minor leaks during mission time. Fitted with low-level float switch connected to M&I subsystem alarm. Cap pressure-relief rated 1.8 bar. Located above engine height to ensure positive head pressure to jacket water pump inlet. |
| cooling system | DED51008 | Physical closed-circuit liquid cooling system for a diesel engine, comprising steel pipework, a centrifugal jacket water pump, a radiator assembly with electric fan, an intercooler for charge air, a header tank, and a thermostat valve. Physically installed in the EDG building and connected to the engine block by 50mm bore flanged pipework. Must dissipate 280 kW to ambient air at 40°C. Monitored by PT100 RTD temperature sensors. |
| Cooling System | D6D51018 | Physical fluid-cooled heat rejection system comprising radiator and fan assembly, jacket water circulating pump, coolant header tank, thermostat valve, and charge air intercooler. Physically located in and adjacent to the EDG building with external radiator module. Contains coolant fluid under pressure at up to 1.5 bar, produces heat rejection up to 40% of rated engine output, has mass and volume, requires maintenance access. Subject to seismic qualification and frost protection requirements. |
| Day Tank | CE851018 | Stainless steel service tank (1,500–4,000L) located inside the EDG building, providing gravity head to the engine fuel injection system. Level switches at LL/L/H/HH set-points control automatic fill from bulk tank and alarm outputs to LAIP. Serves as the immediate fuel buffer; sized for ≥8h operation at rated load without transfer pump. Fitted with temperature probe, overflow return line, manual fill inlet, and drain point. Class 1E boundary begins here. |
| Diesel Engine Subsystem | D7F53218 | 4-stroke medium-speed diesel prime mover (1000–1500 RPM), 1–5 MW shaft output. Drives the alternator directly via flexible coupling. Critical failure modes: failure to start (compressed air or fuel starvation), overspeed, loss of lubrication, high coolant temperature shutdown. Must reach rated speed within 10s of start signal per ONR SAPs. Governs via mechanical/electronic governor maintaining ±0.5Hz frequency. SIL 3. |
| Electrical Protection and Switchgear Subsystem | 50F77858 | Generator circuit breaker (GCB) plus associated protective relays: overcurrent, undervoltage, overvoltage, underfrequency, overfrequency, differential protection, loss-of-excitation. Connects EDG to Class 1E safety bus. Synchronising check relay prevents out-of-phase closing. Load shedding contactors for staged load acceptance sequence. Bus section breaker interlocks. All equipment to IEC 60255 and BS EN 61439. SIL 3 protection functions per IEC 61508. |
| Emergency Diesel Generator System for UK Nuclear Licensed Site | D7F73A59 | Class 1E standby AC power generation system for a UK nuclear licensed site, providing emergency electrical power to safety-critical loads upon loss of normal grid supply. Rated 1–5 MW, 415V/11kV 3-phase 50Hz output. Must auto-start within 10 seconds of demand signal and sustain rated load for minimum 7 days. Governed by ONR Safety Assessment Principles, IEC 61513, IEC 61226, and IEEE 308. SIL 3 / nuclear safety class. Installed in seismically qualified, flood-protected, fire-compartmented building. |
| Engine Block and Rotating Assembly | DEC51018 | Medium-speed turbocharged diesel engine block assembly for a UK nuclear licensed site emergency diesel generator (1–6 MW class). Houses cylinder block, cylinder liners, pistons, connecting rods, crankshaft, camshaft, and flywheel. Converts thermodynamic combustion energy to shaft rotation at 1500 RPM nominal. Produces continuous rated shaft torque under load steps up to 100% rated load. Must survive IEC 60068 seismic Category I conditions. Operating environment: indoor housing at -10°C to +40°C ambient. Key output: mechanical shaft power at rated speed for alternator drive. |
| Engine Control Panel | D6AD7818 | Hardwired control and protection relay panel. Processes start/stop commands from Automatic Load Controller and manual pushbuttons. Contains: engine protection relay module (oil pressure, coolant temp, overspeed, generator differential), run-up sequence timer, trip latch relay, audible/visual alarm annunciators. Provides hardwired trip outputs to fuel shutoff solenoid and shutdown actuator. 24V DC battery-backed power supply. Rated for industrial EMI per BS EN IEC 61000. IEC 61226 Category A. |
| Engine Exhaust and Silencing System | CEC51018 | Exhaust manifold, turbocharger outlet ducting, acoustic silencer, and rooftop exhaust stack for a UK nuclear licensed site EDG. Carries exhaust gases from combustion chambers through turbocharger turbine to atmosphere. Acoustic silencer reduces exhaust noise to site boundary limits. Exhaust stack designed to prevent rainwater ingress. Back-pressure monitored: must remain below 50 mbar at rated power to prevent turbocharger surge and power derating. Seismically restrained within the EDG building. |
| Engine Parameter Sensor Array | D4855018 | Redundant set of hardwired analogue sensors monitoring critical EDG engine parameters for protection and indication: lube oil pressure (low trip at 2.5 bar), jacket coolant temperature (high trip at 95°C), exhaust gas temperature per cylinder, engine vibration (seismic-qualified accelerometers), and fuel oil pressure. Dual-channel 4-20mA outputs per parameter fed to the Protective Trip Logic Unit. Sensors are qualified to BS EN 60068 environmental class C1 for operation at nuclear licensed sites. Provides the primary parameter inputs for protective shutdown and control room indication. |
| Fuel Filtration Assembly | C6851018 | Duplex spin-on or bowl-type fuel filter with nominal 10-micron filtration, integral fuel/water separator, and differential pressure switch (set at 0.3 bar) for blockage alarm. Three-way changeover valve permits switch from duty to standby filter element without interrupting fuel supply during engine operation. Differential pressure signal routed to LAIP for maintenance alarm. Located in fuel supply line between day tank and engine fuel injection system. |
| Fuel Injection System | C7F73218 | High-pressure diesel fuel injection assembly for an emergency diesel generator. Comprises engine-driven fuel injection pump (jerk-pump or common rail), individual cylinder injectors, fuel rack actuator rod mechanically coupled to the isochronous governor actuator output. Receives conditioned low-pressure diesel fuel at 3–6 bar from the Fuel Oil System. Meters and injects high-pressure diesel (up to 1200 bar) into combustion chambers. Fuel delivery rate is modulated by governor rack position within 200ms of actuator demand. Operates continuously from first engine rotation through shutdown without external power. |
| fuel oil system | DE851018 | Physical bulk fuel storage and transfer system for an emergency diesel generator, comprising a 30,000-50,000 litre above-ground steel bulk storage tank, a gravity-feed day tank installed at elevation, two duty/standby fuel transfer pumps, fuel filtration assemblies, steel pipework with isolation valves, bunded secondary containment, and fuel temperature maintenance heaters. Physically installed in the EDG building and surrounding bund area. Supplies DERV diesel fuel to the engine injectors. |
| Fuel Oil System | D6851018 | Physical fluid handling system comprising steel tanks (day tank and bulk storage), centrifugal pump sets, duplex filter assembly, valves, and pipework. Located in and adjacent to the EDG building. Stores, transfers, filters, and delivers diesel fuel to the engine fuel injection system. Physically occupies building space, has mass and volume, contains pressurised fluid, and includes motorised valves requiring electrical power. Subject to seismic qualification, secondary containment requirements, and fire safety regulations. |
| Fuel Supply Pipework and Valve Assembly | CE851018 | Carbon steel pipework (BS EN 10255 medium grade) from bulk tank to building penetration to day tank to engine; includes all isolating ball valves (NRV), anti-siphon arrangement on bulk tank suction, flexible compensators at the engine interface to absorb vibration, drain/vent points at low/high points, and fire-rated sealing at building penetrations. Buried sections protected with polyethylene sleeving and cathodic protection. Manual isolation valve at bulk tank suction, day tank outlet, and engine fuel inlet provides maintenance isolation. Emergency manual fuel isolation valve accessible from outside EDG building for fire brigade. |
| Fuel Transfer Pump Set | D6F51018 | Duty/standby pair of 415V AC motor-driven gear or centrifugal pumps transferring diesel fuel from bulk storage tank to day tank. Automatic start on day tank low-level (L) signal, auto stop on high-level (H) signal. Manual start/stop available from Engine Control Panel. Duty pump rated for full transfer flow; standby selected by LAIP on duty pump trip. Pump motor protection via thermal overload relays. Pump set located in ventilated pump room with spill containment bunding. |
| Generator Bearing and Mechanical Support Assembly | CE851018 | Drive-end (DE) and non-drive-end (NDE) bearing housings for the synchronous generator rotor. DE bearing: sleeve-type hydrodynamic journal bearing lubricated from the engine oil system via a tee from the main lube oil header (simplifying maintenance and eliminating a separate oil system). NDE bearing: grease-lubricated rolling element bearing with extended relubrication interval. Each bearing housing fitted with PT100 RTD (max temperature 90°C alarm, 100°C trip) and vibration measurement stud (seating for ICP accelerometer during commissioning and periodic testing). Shaft earthing brush prevents electrolytic bearing damage from stray shaft currents. |
| Generator Protection Relay | D5F77858 | Numerical multifunction protection relay providing generator protection functions for a nuclear EDG 415V/11kV alternator. Inputs: voltage/current CTs from generator terminals, differential CT, neutral CT. Outputs: trip signal to MGCB, alarm to ECP. Functions: differential protection (87G), overcurrent (51/51N), undervoltage (27), overvoltage (59), reverse power (32), loss of excitation (40), frequency (81O/U). Required trip time <80ms for differential faults. Operates in EMC Zone 2 within EDG building. SIL 3 classified per IEC 61508. |
| Generator Stator Winding and Thermal Protection | D6953018 | Class H insulated copper stator windings with embedded PT100 RTDs (minimum 6 sensors, 2 per phase) measuring hotspot temperature at rated load and during thermal transients. Anti-condensation heaters (230V AC, thermostatically controlled at 5°C) energised during standby to prevent moisture absorption during the EDG off-line periods. Winding insulation health monitored by periodic polarisation index (PI) and insulation resistance (IR) testing per IEEE 43. Maximum continuous winding temperature 155°C (Class F limit within Class H insulation for nuclear safety margin). |
| Isochronous Governor System | D5F77008 | Electronic isochronous governor unit mounted in the EDG control panel, containing magnetic speed pickup sensor, integrated circuits for speed error processing, and hydraulic/electronic actuator output controlling fuel rack position to maintain engine speed at 1500 RPM (50 Hz) ±0.5% under variable load from no-load to full rated power. Physical housing rated IP54, powered from 24VDC control supply, generating 4-20mA position signal to fuel rack actuator. |
| Jacket Water Pump | C6C51018 | Engine-driven centrifugal pump circulating jacket coolant through the engine block, cylinder heads, and heat exchanger circuit. Belt-driven from the engine crankshaft pulley. Flow rate 200-400 L/min at rated RPM, maximum pressure 3.5 bar. Provides primary coolant circulation without electrical power dependency. Sealed bearing assembly with mechanical shaft seal. Failure mode: belt failure or impeller cavitation. |
| Local Alarm and Indication Panel | D6EC5018 | Panel-mounted display and annunciator unit providing local first-out alarm annunciation and analogue indication for all monitored EDG parameters. Located in the EDG building. Displays: engine speed (RPM), coolant temperature, lube oil pressure, exhaust temperatures, vibration level, output voltage, current and frequency. First-out annunciation with audible and visual alarms. Accepts acknowledge and reset inputs. Powered from 24VDC UPS-backed supply. Hardwired inputs from Engine Parameter Sensor Array and Protective Trip Logic Unit. Not safety-classified but provides operator interface for surveillance testing and degraded-mode monitoring. |
| Lubrication and Bearing System | 46D53218 | Pressurised wet-sump lubrication system for a nuclear-licensed site emergency diesel generator engine. Engine-driven gear pump supplies filtered lubricating oil at 3.5–5.0 bar to main crankshaft bearings, big-end bearings, camshaft bearings, turbocharger journal bearings, and cylinder heads. Full-flow spin-on oil filter with bypass valve. Oil pressure transducer provides 4–20mA output to monitoring system and hardwired low-pressure switch at 2.0 bar trip setpoint. Safety-critical: low oil pressure trip initiates engine shutdown within 1.5 seconds. Engine oil cooler (jacket-water cooled) maintains sump oil temperature below 110°C. Dry-bulb ambient: -10°C to +40°C. |
| Main Generator Circuit Breaker | D6B51018 | Vacuum or SF6 circuit breaker rated for 415V or 11kV EDG output, interrupting fault currents up to 31.5kA (11kV) or 50kA (415V). Normally open, closes on LOOP demand and opens on protection trip. Operated by Generator Protection Relay trip output and Automatic Load Controller closure command. Rated for 10,000 mechanical operations. Provides electrical isolation between alternator and safety bus. Located in switchgear room within EDG building. SIL 3 by association with protection chain. |
| Monitoring and Instrumentation Subsystem | 54A57218 | Local and remote parameter monitoring for EDG: engine speed (RPM), oil pressure, coolant temperature, generator voltage/current/frequency/power factor, air receiver pressure, fuel level, battery state, vibration. Hardwired trip signals to engine control panel. Remote status indications to main control room and emergency shutdown panel. Test sequencer for monthly 30-minute full-load test. All instruments qualified to IEC 60780 (nuclear environment). Data logging at 1-second intervals. |
| Protective Trip Logic Unit | D0F77858 | SIL-2 rated programmable logic unit that processes dual-channel sensor inputs from the Engine Parameter Sensor Array and issues hardwired trip commands to the Engine Control Panel. Implements 1oo2D voting for each trip function (oil pressure, high coolant temp, overspeed, differential protection). Response time <200ms from sensor threshold crossing to trip output. Designed to fail-safe (de-energise-to-trip) with IEC 61508 Part 2 SIL 2 certification. Provides separate alarm and shutdown outputs, discrete status signals to the Remote Monitoring Gateway, and a local LED status display. |
| Radiator and Fan Assembly | D6C51018 | Air-blast heat exchanger and electrically-driven fan mounted at the end of the EDG building. Dissipates engine waste heat to ambient air. Radiator core: aluminium tube-and-fin with inlet/outlet tanks. Fan: 1.2m diameter, 480VAC three-phase motor, thermal switch controlled. Cooling capacity: 300kW at 40°C ambient. Emergency bypass mode: manual louver operation if fan fails. |
| Remote Monitoring Gateway | D4E57018 | Qualified data concentrator that collects validated parameter data from the Protective Trip Logic Unit and transmits it to the Main Control Room I&C network. Provides electrical isolation between the safety-classified EDG protection circuits and the non-nuclear instrumentation bus. Outputs: 4-20mA analogue retransmission signals for key parameters (speed, coolant temp, oil pressure, output MW/MVAR) and discrete status signals (running, fault, trip, test) via optically isolated contacts. Compliant with IEC 61850 where applicable. Read-only interface toward the control room — no control commands accepted through this path. |
| Safety Bus Transfer Contactor | D6B53018 | Electrically operated HV/LV contactor providing automatic and manual transfer of the nuclear safety bus between normal offsite supply and EDG supply. Receives open/close commands from Automatic Load Controller on LOOP detection. Interlocked with MGCB to prevent paralleling of EDG with grid. Rated for safety bus full load current (typically 800A-2000A at 415V or 400A at 11kV). Open/close position fed back to ECP and ALC for status indication. Fail-safe design: de-energise to open from normal supply in fire/fault conditions. SIL 3 by association. |
| Starting and Control Subsystem | 55F77A18 | Compressed air starting system (dual 250L air receivers at 30 bar) plus electronic control panel providing automatic start-on-demand within 10 seconds of loss-of-offsite-power (LOOP) signal. Accepts start signals from both site emergency protection system and local manual initiation. Manages engine run-up sequence, load acceptance sequencing, and trip logic (over/undervoltage, over/underfrequency, overcurrent, high temperature, low oil pressure). SIL 3 per IEC 61508. |
| Synchronous Generator Assembly | DEC51018 | Salient-pole brushless synchronous generator directly coupled to the diesel engine via rigid disc coupling. Produces 3-phase AC power at rated voltage (415V or 11kV) and frequency (50Hz) under steady-state and transient load conditions. Class H (180°C) insulation, IP54 enclosure, self-ventilated (CACW or CACA cooling). Rated continuous output at 0.8 pf lagging for nuclear EDG duty. Stator core and windings embedded with PT100 RTDs; rotor dynamically balanced to ISO 21940-11 G2.5. The primary electromechanical energy conversion component. |
| Thermostat Valve | C7B71008 | Wax-element thermostatic valve modulating coolant bypass flow during engine warm-up and steady-state temperature control. Set point 82°C (start bypass), fully open radiator circuit at 92°C. Located in the engine coolant outlet header. Fail-open to full bypass (safe: engine overheats to high-temperature trip rather than running cold). No electrical actuation. |
| Turbocharger and Charge Air System | CEC51018 | Physical assembly comprising turbocharger turbine and compressor wheel, intercooler heat exchanger, charge air manifold, and boost pressure sensors. Bolted to the diesel engine block. Receives exhaust gas energy as input; compresses and cools intake air to increase charge density. Physical housing must withstand 3 bar boost pressure and 600°C exhaust temperatures. Seismic-qualified mounting to engine block. |
| Voltage Sensing and Monitoring Unit | D4E57018 | Analogue and digital voltage monitoring assembly measuring generator output voltage (415V/11kV) and safety bus voltage for protection and synchronism check functions. Provides undervoltage (27), overvoltage (59) input signals to Generator Protection Relay and LOOP detection threshold (<80% nominal for >1.0s) to Automatic Load Controller. Dual-channel redundant measurement to meet SIL 2 requirements. 4-20mA analogue output to ECP for indication. Located in switchgear panel. |

| Component | Belongs To |
|---|---|
| Diesel Engine Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Starting and Control Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Alternator Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Fuel Oil System | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Cooling System | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Electrical Protection and Switchgear Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Monitoring and Instrumentation Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Compressed Air Starting System | Starting and Control Subsystem |
| Engine Control Panel | Starting and Control Subsystem |
| Automatic Load Controller | Starting and Control Subsystem |
| Isochronous Governor System | Starting and Control Subsystem |
| Generator Protection Relay | Electrical Protection and Switchgear Subsystem |
| Main Generator Circuit Breaker | Electrical Protection and Switchgear Subsystem |
| Safety Bus Transfer Contactor | Electrical Protection and Switchgear Subsystem |
| Voltage Sensing and Monitoring Unit | Electrical Protection and Switchgear Subsystem |
| Engine Block and Rotating Assembly | Diesel Engine Subsystem |
| Fuel Injection System | Diesel Engine Subsystem |
| Lubrication and Bearing System | Diesel Engine Subsystem |
| Turbocharger and Charge Air System | Diesel Engine Subsystem |
| Engine Exhaust and Silencing System | Diesel Engine Subsystem |
| Engine Parameter Sensor Array | Monitoring and Instrumentation Subsystem |
| Protective Trip Logic Unit | Monitoring and Instrumentation Subsystem |
| Local Alarm and Indication Panel | Monitoring and Instrumentation Subsystem |
| Remote Monitoring Gateway | Monitoring and Instrumentation Subsystem |
| Jacket Water Pump | Cooling System |
| Radiator and Fan Assembly | Cooling System |
| Thermostat Valve | Cooling System |
| Coolant Header Tank | Cooling System |
| Intercooler | Cooling System |
| Bulk Fuel Storage Tank | Fuel Oil System |
| Fuel Transfer Pump Set | Fuel Oil System |
| Fuel Filtration Assembly | Fuel Oil System |
| Fuel Supply Pipework and Valve Assembly | Fuel Oil System |
| Synchronous Generator Assembly | Alternator Subsystem |
| Automatic Voltage Regulator | Alternator Subsystem |
| Brushless Excitation System | Alternator Subsystem |
| Generator Stator Winding and Thermal Protection | Alternator Subsystem |
| Generator Bearing and Mechanical Support Assembly | Alternator Subsystem |

| From | To |
|---|---|
| Compressed Air Starting System | Diesel Engine Subsystem |
| Automatic Load Controller | Engine Control Panel |
| Isochronous Governor System | Diesel Engine Subsystem |
| Engine Control Panel | Compressed Air Starting System |
| Generator Protection Relay | Main Generator Circuit Breaker |
| Voltage Sensing and Monitoring Unit | Generator Protection Relay |
| Fuel Injection System | Fuel Oil System |
| Engine Block and Rotating Assembly | Alternator Subsystem |
| Turbocharger and Charge Air System | Cooling System |
| Lubrication and Bearing System | Monitoring and Instrumentation Subsystem |
| Engine Parameter Sensor Array | Protective Trip Logic Unit |
| Protective Trip Logic Unit | Engine Control Panel |
| Protective Trip Logic Unit | Local Alarm and Indication Panel |
| Protective Trip Logic Unit | Remote Monitoring Gateway |
| Remote Monitoring Gateway | Main Control Room |
| Fuel Supply Pipework and Valve Assembly | Fuel Injection System |
| Day Tank | Fuel Injection System |
| Fuel Transfer Pump Set | Day Tank |
| Fuel Oil System | Monitoring and Instrumentation Subsystem |
| Automatic Voltage Regulator | Brushless Excitation System |
| Brushless Excitation System | Synchronous Generator Assembly |
| Synchronous Generator Assembly | Main Generator Circuit Breaker |

| Component | Output |
|---|---|
| Generator Protection Relay | generator-trip-signal |
| Main Generator Circuit Breaker | electrical-isolation |
| Safety Bus Transfer Contactor | bus-transfer-action |
| Voltage Sensing and Monitoring Unit | voltage-measurement-signals |
| Engine Block and Rotating Assembly | shaft torque at 1500 RPM |
| Fuel Injection System | metered high-pressure fuel spray |
| Lubrication and Bearing System | pressurised filtered lubricating oil |
| Turbocharger and Charge Air System | compressed charge air below 45C |
| Engine Parameter Sensor Array | 4-20mA analogue parameter signals (oil pressure, coolant temp, exhaust temp, vibration) |
| Protective Trip Logic Unit | hardwired trip and alarm outputs; status discretes for remote monitoring |
| Remote Monitoring Gateway | isolated parameter retransmission signals and status contacts to main control room I&C |
| Day Tank | Gravity-fed fuel supply to injection system |
| Bulk Fuel Storage Tank | 7-day fuel reserve with level telemetry |
| Fuel Transfer Pump Set | Pressurised fuel flow from bulk tank to day tank |
| Fuel Filtration Assembly | Filtered fuel at ≤10 micron to injection system |
| Synchronous Generator Assembly | 3-phase AC power at rated voltage and frequency |
| Automatic Voltage Regulator | Controlled excitation current to maintain ±0.5% terminal voltage |
| Brushless Excitation System | DC field current to synchronous generator rotor via rotating diode rectifier |