Hazard & Risk Analysis (HRA) — ISO/IEC/IEEE 15289 — Report | IEC 61508 Phase 3
Generated 2026-03-27 — UHT Journal / universalhex.org
| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| Failure to start on demand: Loss of standby power on LOOP | catastrophic | — | — | Diverse backup power or reactor trip |
| Loss of output during operation: EDG trip while loaded | catastrophic | — | — | Auto-transfer to alternate EDG |
| Engine overspeed: Uncontrolled speed above rated RPM | critical | — | — | Mechanical trip and fuel cutoff |
| Fire in EDG building: Fuel or lubricant ignition | critical | — | — | Fire suppression, alternate EDG |
| Fuel contamination/exhaustion: Degraded or depleted fuel supply | critical | — | — | Alternate tank, replenishment |
| Cooling system failure: Loss of engine cooling | critical | — | — | High-temp trip, alternate EDG |
| Common cause failure (both EDGs): Simultaneous loss of all diesel generators | catastrophic | — | — | Diverse AC, DC batteries, passive cooling |
| Seismic damage: Earthquake exceeding design basis | critical | — | — | Post-seismic inspection |
| Spurious start/trip: Undemanded engine start or trip | major | — | — | Operator verification |
| Cyber attack: Malicious interference with control systems | catastrophic | — | — | Air-gapped backup, hardwired trips |

| Ref | SIL | Requirement | V&V |
|---|---|---|---|
| IFC-REQ-001 | SIL 3 | The interface between the Automatic Load Controller and the Engine Control Panel SHALL convey the start demand signal as a hardwired 24VDC contact clo... | Test |
| IFC-REQ-002 | SIL 3 | The interface between the Engine Control Panel and the Compressed Air Starting System SHALL use a 24VDC solenoid valve signal, with the start air sole... | Test |
| IFC-REQ-003 | SIL 2 | The interface between the Isochronous Governor System and the Diesel Engine Subsystem SHALL provide dual independent magnetic pick-up speed sensors (m... | Test |
| IFC-REQ-004 | SIL 3 | The interface between the Generator Protection Relay and the Main Generator Circuit Breaker SHALL transmit the generator trip signal as a hardwired 11... | Test |
| IFC-REQ-005 | SIL 2 | The interface between the Voltage Sensing and Monitoring Unit and the Generator Protection Relay SHALL provide analogue voltage measurement signals as... | Test |
| IFC-REQ-006 | SIL 3 | The interface between the Automatic Load Controller and the Safety Bus Transfer Contactor SHALL transmit the bus transfer command as a hardwired 24V D... | Test |
| IFC-REQ-008 | SIL 2 | The interface between the Fuel Injection System and the Fuel Oil System SHALL deliver diesel fuel at a supply pressure of 3 to 6 bar and a maximum tem... | Test |
| IFC-REQ-009 | SIL 2 | The interface between the Engine Block and Rotating Assembly and the Alternator Subsystem SHALL be a rigid flanged coupling rated for the full engine ... | Inspection |
| IFC-REQ-010 | SIL 2 | The interface between the Diesel Engine Subsystem and the Cooling System SHALL maintain engine jacket water inlet temperature between 70°C and 85°C at... | Test |
| IFC-REQ-011 | SIL 2 | The interface between the Engine Parameter Sensor Array and the Protective Trip Logic Unit SHALL use dual 4-20mA current loops per parameter, with loo... | Test |
| IFC-REQ-012 | SIL 2 | The interface between the Protective Trip Logic Unit and the Engine Control Panel SHALL use hardwired de-energised-to-trip (open contact = shutdown in... | Test |
| IFC-REQ-015 | SIL 2 | The interface between the Day Tank and the Fuel Injection System SHALL supply diesel fuel at a gauge pressure of 0.3 to 0.7 bar (gravity head from tan... | Test |
| IFC-REQ-016 | SIL 2 | The interface between the Fuel Transfer Pump Set and the Day Tank SHALL deliver fuel at a nominal flow rate of no less than 150% of rated engine fuel ... | Test |
| IFC-REQ-017 | SIL 2 | The interface between the Fuel Oil System level switches (Day Tank LL, L, H, HH and Bulk Tank L, LL) and the Local Alarm and Indication Panel SHALL us... | Test |
| IFC-REQ-018 | SIL 2 | The interface between the Voltage Sensing and Monitoring Unit and the Automatic Voltage Regulator SHALL provide a 4-20mA analogue signal representing ... | Test |
| IFC-REQ-019 | SIL 2 | The mechanical interface between the Diesel Engine Subsystem crankshaft flange and the Synchronous Generator Assembly drive-end shaft SHALL use a rigi... | Analysis |
| IFC-REQ-020 | SIL 2 | The interface between the Generator Stator Winding and Thermal Protection PT100 RTDs and the Protective Trip Logic Unit SHALL use a 3-wire PT100 conne... | Test |
| STK-REQ-001 | SIL 3 | The site operator SHALL have access to qualified emergency AC standby power capable of supplying all safety-classified loads within 10 seconds of loss... | Demonstration |
| STK-REQ-002 | SIL 3 | The site operator SHALL maintain continuous emergency power supply for a minimum of 7 days without external fuel resupply, to cover extended loss of o... | Demonstration |
| STK-REQ-005 | SIL 3 | The site owner SHALL ensure the EDG can survive and remain operational following site design basis seismic events to Peak Ground Acceleration (PGA) no... | Inspection |
| STK-REQ-007 | SIL 4 | The site owner SHALL ensure that in the event of simultaneous loss of all EDG trains, the safety-classified DC battery system provides sufficient back... | Demonstration |
| SUB-REQ-001 | SIL 3 | The Automatic Load Controller SHALL detect a loss-of-offsite-power condition and generate a start demand signal to the Engine Control Panel within 200... | Test |
| SUB-REQ-002 | SIL 3 | The Compressed Air Starting System SHALL maintain a minimum stored compressed air capacity equivalent to 3 complete cranking attempts, each of 15-seco... | Test |
| SUB-REQ-003 | SIL 2 | The Isochronous Governor System SHALL maintain engine speed within ±0.5% of 1500 RPM (±7.5 RPM) under steady-state loading conditions from no-load to ... | Test |
| SUB-REQ-004 | SIL 3 | The Engine Control Panel SHALL initiate an engine shutdown within 500 milliseconds of engine speed exceeding 110% of rated speed (1650 RPM), via a har... | Test |
| SUB-REQ-005 | SIL 3 | When 3 consecutive start attempts have failed to reach rated speed within the allotted cranking time, the Starting and Control Subsystem SHALL latch i... | Test |
| SUB-REQ-006 | SIL 3 | The Automatic Load Controller SHALL implement a dual-channel voting architecture (2oo2 for start demand) such that a single hardware or software failu... | Test |
| SUB-REQ-007 | SIL 3 | The Automatic Load Controller SHALL provide a hardwired inhibit input that, when activated by a key-operated switch at the local control panel, preven... | Test |
| SUB-REQ-008 | SIL 2 | The Isochronous Governor System SHALL provide a manual speed trim input allowing the operator to adjust output frequency between 49 Hz and 51 Hz in 0.... | Demonstration |
| SUB-REQ-009 | SIL 3 | The Generator Protection Relay SHALL detect an internal generator winding fault (87G differential protection) and issue a trip signal to the Main Gene... | Test |
| SUB-REQ-010 | SIL 3 | The Generator Protection Relay SHALL provide time-delayed overcurrent protection (51/51N) with a definite minimum time characteristic, coordinated wit... | Test |
| SUB-REQ-011 | SIL 3 | The Main Generator Circuit Breaker SHALL interrupt fault currents up to the rated short-circuit breaking capacity of the switchgear assembly (minimum ... | Test |
| SUB-REQ-012 | SIL 3 | The Safety Bus Transfer Contactor SHALL complete transfer of the nuclear safety bus from the normal offsite supply to the EDG supply within 150 millis... | Test |
| SUB-REQ-013 | SIL 3 | The Safety Bus Transfer Contactor SHALL incorporate a hardwired mechanical and electrical interlock with the Main Generator Circuit Breaker that preve... | Test |
| SUB-REQ-014 | SIL 2 | The Voltage Sensing and Monitoring Unit SHALL implement dual-channel redundant voltage measurement on both the generator output and safety bus, with t... | Test |
| SUB-REQ-015 | SIL 3 | When the Generator Protection Relay detects an internal self-test failure or watchdog timeout, the relay SHALL output a fail-safe trip signal to the M... | Test |
| SUB-REQ-017 | SIL 2 | The Engine Block and Rotating Assembly SHALL accelerate the Alternator Subsystem rotor from standstill to 1500 RPM (50Hz ±1%) within 10 seconds of sta... | Test |
| SUB-REQ-018 | SIL 2 | The Diesel Engine Subsystem SHALL sustain continuous rated shaft power output for a minimum of 168 hours without requiring engine shutdown, provided t... | Test |
| SUB-REQ-019 | SIL 2 | The Lubrication and Bearing System SHALL initiate an engine shutdown signal to the Engine Control Panel within 1.5 seconds when lubricating oil pressu... | Test |
| SUB-REQ-020 | SIL 2 | The Engine Block and Rotating Assembly SHALL incorporate a centrifugal mechanical overspeed trip device that physically disengages the fuel rack and r... | Test |
| SUB-REQ-021 | SIL 2 | The Fuel Injection System SHALL modulate fuel delivery from minimum to maximum fuel rack position within 200 milliseconds of a governor actuator deman... | Test |
| SUB-REQ-022 | SIL 2 | The Turbocharger and Charge Air System SHALL maintain charge air manifold pressure ≥150 kPa gauge at loads from 25% to 110% of rated power, without en... | Test |
| SUB-REQ-023 | SIL 2 | While the EDG is in standby, the Diesel Engine Subsystem SHALL maintain engine coolant temperature above 20°C using thermostatically controlled immers... | Test |
| SUB-REQ-024 | SIL 2 | When a crankcase explosion relief valve actuates, the Diesel Engine Subsystem SHALL transmit a hardwired trip signal to the Engine Control Panel to in... | Test |
| SUB-REQ-026 | SIL 3 | The Automatic Load Controller SHALL receive the loss-of-offsite-power signal from the site electrical protection system via a hardwired 24VDC Class 1E... | Test |
| SUB-REQ-027 | SIL 3 | The Diesel Engine Subsystem, including the Engine Block, Fuel Injection System, Lubrication and Bearing System, Turbocharger and Charge Air System, an... | Analysis |
| SUB-REQ-028 | SIL 3 | The Isochronous Governor System and Engine Control Panel SHALL comply with BS EN IEC 61000-6-2 (Electromagnetic compatibility - Immunity for industria... | Test |
| SUB-REQ-030 | SIL 2 | The Engine Parameter Sensor Array SHALL provide dual-channel 4-20mA output for each critical parameter — lube oil pressure (range 0–10 bar, accuracy ±... | Test |
| SUB-REQ-031 | SIL 2 | The Protective Trip Logic Unit SHALL initiate a hardwired de-energise-to-trip command to the Engine Control Panel within 200 milliseconds of a critica... | Test |
| SUB-REQ-032 | SIL 2 | When the Protective Trip Logic Unit loses 110VDC supply voltage below 88VDC (80% nominal), the Monitoring and Instrumentation Subsystem SHALL transiti... | Test |
| SUB-REQ-033 | SIL 2 | The Protective Trip Logic Unit SHALL detect a fault on either sensor channel (open circuit, short to supply, out-of-range signal) within 1 second of o... | Test |
| SUB-REQ-034 | SIL 2 | The Remote Monitoring Gateway SHALL provide a minimum 1500Vrms optical isolation barrier between the SIL-2 Protective Trip Logic Unit circuits and the... | Test |
| SUB-REQ-036 | SIL 2 | The Engine Parameter Sensor Array and Protective Trip Logic Unit SHALL remain functional during and after a seismic event with peak ground acceleratio... | Test |
| SUB-REQ-037 | SIL 2 | The Jacket Water Pump SHALL maintain coolant circulation through the engine block at a minimum flow rate of 200 litres per minute at all engine speeds... | Test |
| SUB-REQ-039 | SIL 2 | When the engine jacket coolant outlet temperature exceeds 95 degrees Celsius, the Cooling System SHALL generate a hardwired high-temperature alarm sig... | Test |
| SUB-REQ-040 | SIL 2 | The Day Tank SHALL provide a minimum fuel reserve of 8 hours of continuous operation at rated engine load without replenishment from the Fuel Transfer... | Test |
| SUB-REQ-041 | SIL 2 | The Bulk Fuel Storage Tank SHALL hold a minimum usable fuel volume of 42,000 litres, with nominal tank capacity ≥48,300 litres (115% of minimum usable... | Test |
| SUB-REQ-042 | SIL 2 | The Fuel Transfer Pump Set SHALL automatically start the duty pump within 10 seconds of the Day Tank level falling to the Low (L) set-point, and autom... | Test |
| SUB-REQ-043 | SIL 2 | The Fuel Filtration Assembly SHALL remove particulate matter to a maximum particle size of 10 microns nominal and separate free water from the fuel st... | Test |
| SUB-REQ-044 | SIL 2 | When a confirmed fire detection signal is received from the EDG building fire detection system, the Fuel Supply Pipework and Valve Assembly SHALL auto... | Test |
| SUB-REQ-045 | SIL 2 | The Fuel Oil System SHALL maintain fuel temperature in the Day Tank above 5°C under site minimum ambient temperature conditions (-10°C at the EDG buil... | Demonstration |
| SUB-REQ-046 | SIL 2 | The Automatic Voltage Regulator SHALL maintain the Synchronous Generator Assembly terminal voltage within ±0.5% of set-point under steady-state condit... | Test |
| SUB-REQ-047 | SIL 2 | The Generator Stator Winding and Thermal Protection SHALL alarm to the Protective Trip Logic Unit when any stator winding PT100 RTD reading exceeds 13... | Test |
| SUB-REQ-048 | SIL 2 | The Generator Bearing and Mechanical Support Assembly SHALL alarm to the Protective Trip Logic Unit when any bearing PT100 RTD reading exceeds 90°C an... | Test |
| SUB-REQ-049 | SIL 2 | The Brushless Excitation System SHALL build terminal voltage from zero (black-start) to within ±6% of rated voltage within 3 seconds of the engine rea... | Test |
| SUB-REQ-050 | SIL 2 | When a Generator Protection Relay (GPR) stator earth fault trip signal is received, the Alternator Subsystem SHALL de-energise the anti-condensation h... | Test |
| SUB-REQ-051 | SIL 3 | The Isochronous Governor System SHALL incorporate dual independent speed-sensing channels, such that the failure of one channel (open circuit, sensor ... | Test |
| SUB-REQ-052 | SIL 2 | The Fuel Injection System SHALL deliver fuel injection timing within ±2 degrees of crankshaft rotation of the nominal injection advance angle across t... | Test |
| SUB-REQ-053 | SIL 2 | The Fuel Transfer Pump Set SHALL consist of two independently-powered duty/standby pumps, each capable of supplying 150% of rated engine fuel consumpt... | Test |
| SUB-REQ-054 | SIL 2 | The Cooling System SHALL maintain engine jacket water temperature within the operational band (70°C–88°C) following the failure of a single Jacket Wat... | Test |
| SUB-REQ-055 | SIL 3 | The Generator Protection Relay SHALL comply with IEC 60255-151 (Measuring relays and protection equipment — Functional requirements for over/under vol... | Inspection |
| SUB-REQ-056 | SIL 3 | The Main Generator Circuit Breaker SHALL comply with BS EN 62271-100 (High-voltage switchgear and controlgear — AC circuit-breakers) or BS EN 61439-1 ... | Inspection |
| SUB-REQ-057 | SIL 2 | The Fuel Oil System bunding and containment SHALL comply with the Environmental Permitting (England and Wales) Regulations 2016 and CIRIA C736 (Contai... | Inspection |
| SUB-REQ-058 | SIL 2 | The Local Alarm and Indication Panel SHALL present any new alarm condition within 2 seconds of the initiating parameter exceeding its alarm threshold,... | Test |
| SUB-REQ-059 | SIL 3 | The Starting and Control Subsystem SHALL provide a test mode that enables full-rated-load operational testing of the EDG system without connecting to ... | Demonstration |
| SUB-REQ-060 | SIL 2 | Each major subsystem of the EDG system (Diesel Engine Subsystem, Alternator Subsystem, Fuel Oil System, Cooling System, Starting and Control Subsystem... | Inspection |
| SUB-REQ-062 | SIL 3 | The Compressed Air Starting System SHALL store compressed air at no less than 25 bar gauge to deliver a minimum of 3 complete 15-second cranking cycle... | Test |
| SUB-REQ-063 | SIL 2 | The Engine Block and Rotating Assembly SHALL accelerate the coupled shaft to 1500 RPM nominal (50 Hz ±1% at the alternator output) within 10 seconds o... | Test |
| SUB-REQ-064 | SIL 2 | The Turbocharger and Charge Air System SHALL deliver combustion air at the boost pressure defined in the engine manufacturer's performance map across ... | Test |
| SUB-REQ-065 | SIL 2 | The Bulk Fuel Storage Tank SHALL have a minimum nominal capacity of 115% of the quantity required for 168 hours of continuous EDG operation at rated l... | Inspection |
| SUB-REQ-066 | SIL 3 | Before reinstatement to operational service following any planned maintenance activity requiring LOTO isolation, the EDG system SHALL successfully com... | Demonstration |
| SUB-REQ-067 | SIL 3 | Before any planned maintenance activity requiring physical isolation of EDG components, the Starting and Control Subsystem SHALL enforce a controlled ... | Demonstration |
| SUB-REQ-068 | SIL 2 | The Remote Monitoring Gateway SHALL provide a minimum 2500Vrms galvanic isolation barrier (optical isolator or equivalent qualified isolator device) b... | Test |
| SYS-REQ-001 | SIL 3 | The EDG system SHALL reach rated voltage (415V ±6% or 11kV ±6%) and frequency (50Hz ±1%) and be ready to accept the first Class 1E load block within 1... | Test |
| SYS-REQ-002 | SIL 3 | The EDG system SHALL sustain continuous rated output for a minimum of 168 hours (7 days) at rated load conditions without any external intervention, p... | Test |
| SYS-REQ-003 | SIL 3 | When a loss-of-offsite-power (LOOP) signal is received from the site electrical protection system, the EDG system SHALL initiate the automatic start s... | Test |
| SYS-REQ-004 | SIL 3 | When a safety trip condition is detected (overspeed >110% rated, low lubricating oil pressure <2.5 bar, high coolant temperature >95°C, generator diff... | Test |
| SYS-REQ-005 | SIL 3 | The EDG system SHALL achieve a probability of failure on demand (PFD) not exceeding 1×10⁻³ per demand, assessed over a 12-month surveillance interval ... | Analysis |
| SYS-REQ-006 | SIL 3 | The EDG system, including all associated fuel, cooling, and control equipment within the EDG building, SHALL remain operable following a safe shutdown... | Inspection |
| SYS-REQ-011 | SIL 4 | The EDG system architecture SHALL ensure that a common-cause failure of both EDG trains does not prevent reactor core cooling, with diverse and indepe... | Inspection |
| SYS-REQ-012 | SIL 2 | When one or more EDG subsystems experience a fault that does not trigger a safety trip, the EDG system SHALL continue to operate in degraded mode, mai... | Test |
| SYS-REQ-014 | SIL 2 | When offsite power is restored and the Class 1E bus is transferred to normal supply, the EDG system SHALL enter a controlled cooldown period of not le... | Test |
| SYS-REQ-015 | SIL 3 | When a single EDG train fails to start or trips during an active Loss-of-Offsite-Power event, the Class 1E safety bus served by the failed train SHALL... | Test |
| SYS-REQ-016 | SIL 3 | The EDG control and protection system (Automatic Load Controller, Engine Control Panel, Protective Trip Logic Unit, and Isochronous Governor System) S... | Inspection |
| SYS-REQ-017 | SIL 2 | When the fault condition causing Degraded Operation mode is cleared or isolated, the EDG system SHALL restore full rated output power and return to no... | Test |
| VER-REQ-004 | SIL 3 | Verify SYS-REQ-001 and SYS-REQ-003 end-to-end: Simulate LOOP condition by dropping Class 1E bus voltage to 0V. Record time from voltage drop to EDG br... | Test |
| VER-REQ-005 | SIL 3 | Verify SUB-REQ-009: Inject a simulated 87G differential fault condition into the Generator Protection Relay secondary test terminals at 3 rated curren... | Test |
| VER-REQ-006 | SIL 3 | Verify SUB-REQ-013: With MGCB in the closed position, issue a close command to the SBTC and measure time from command to mechanical interlock engageme... | Test |
| VER-REQ-007 | SIL 3 | Verify IFC-REQ-004: De-energise the 110V DC trip circuit supply and measure time from de-energisation to MGCB open position using a 1ms timer. Introdu... | Test |
| VER-REQ-008 | SIL 3 | Verify IFC-REQ-006 and SUB-REQ-012 combined: Simulate a LOOP event at the ALC input and measure total time from ALC bus transfer command output to con... | Test |
| VER-REQ-009 | SIL 2 | Verify IFC-REQ-005: Connect a calibrated current source to the VSMU 4-20mA output loop and apply 4mA (0V), 12mA (60% nominal), 16mA (100% nominal), an... | Test |
| VER-REQ-013 | SIL 2 | Verify SUB-REQ-019: With engine running at rated speed, progressively restrict oil supply to reduce oil pressure. Measure elapsed time from 2.0 bar th... | Test |
| VER-REQ-014 | SIL 2 | Verify SUB-REQ-020: With the engine at no-load, manually actuate the mechanical overspeed trip device and confirm fuel rack physically disengages to z... | Test |
| VER-REQ-015 | SIL 2 | Verify end-to-end Diesel Engine Subsystem integration: Start EDG from cold standby condition (coolant at preheat temperature, fuel system primed). Rec... | Test |
| VER-REQ-016 | SIL 3 | Verify SUB-REQ-001: With EDG in standby and offsite power connected, simulate a Class 1E bus voltage loss by tripping the upstream transformer protect... | Test |
| VER-REQ-017 | SIL 3 | Verify SUB-REQ-002: With compressed air receivers fully charged, perform 3 complete cranking cycles at maximum cranking duration (as specified by the ... | Test |
| VER-REQ-018 | SIL 3 | Verify SUB-REQ-003: With the EDG running at rated speed and connected to a resistive load bank, apply step load changes from 25% to 75% and 75% to 25%... | Test |
| VER-REQ-019 | SIL 3 | Verify SUB-REQ-015: Induce a simulated internal self-test failure in the Generator Protection Relay by interrupting the watchdog keep-alive signal. Me... | Test |
| VER-REQ-020 | SIL 3 | Verify SUB-REQ-016: With the EDG running at rated speed and no-load, interrupt the governor processor watchdog keep-alive path. Measure time from watc... | Test |
| VER-REQ-021 | SIL 3 | Verify IFC-REQ-007: With normal 415V AC supply removed, confirm the 24VDC Class 1E distribution panel switches to battery supply. Measure terminal vol... | Test |
| VER-REQ-022 | SIL 2 | Verify SUB-REQ-031: With the EDG running at rated speed and a calibrated signal injector on each sensor channel, step the injected oil pressure signal... | Test |
| VER-REQ-023 | SIL 2 | Verify SUB-REQ-032: With the EDG running and M&I system energised, reduce the 110VDC supply to the Protective Trip Logic Unit to 85VDC using a variabl... | Test |
| VER-REQ-024 | SIL 2 | Verify IFC-REQ-011: With the M&I system energised from 24VDC supply, apply open-circuit and short-to-supply faults to each sensor loop in turn and ver... | Test |
| VER-REQ-025 | SIL 2 | Verify IFC-REQ-012: With the EDG stopped, energise each PTLU trip relay in turn and measure contact resistance (pass: below 0.1 ohm). With contacts en... | Test |
| VER-REQ-027 | SIL 2 | Verify SUB-REQ-040: Fill the Day Tank to High (H) level, stop the Fuel Transfer Pump Set, run the EDG at 100% rated load, and measure elapsed time to ... | Test |
| VER-REQ-028 | SIL 2 | Verify SUB-REQ-042: With EDG running and Fuel Transfer Pump Set in automatic, drain the Day Tank to below Low (L) set-point via test drain valve. Meas... | Test |
| VER-REQ-029 | SIL 2 | Verify IFC-REQ-015: With EDG running at 100% rated load, install calibrated pressure gauges at the fuel inlet to the Fuel Injection System. Record pre... | Test |
| VER-REQ-030 | SIL 2 | Verify IFC-REQ-017: With the Day Tank and Bulk Tank level instruments energised from 24VDC, verify each level switch (Day Tank LL, L, H, HH and Bulk T... | Test |
| VER-REQ-031 | SIL 2 | Verify SUB-REQ-046: With EDG running at rated speed and connected to a programmable load bank, apply a steady-state resistive load of 100% rated kVA a... | Test |
| VER-REQ-032 | SIL 2 | Verify SUB-REQ-049: Start the EDG from cold standby with no pre-existing excitation supply (confirm PMG output is the only excitation source). At 95% ... | Test |
| VER-REQ-033 | SIL 2 | Verify IFC-REQ-018: With EDG running at rated speed, apply known reference voltages from a calibrated voltage source to the VSMU input terminals at 0%... | Test |
| VER-REQ-034 | SIL 2 | Verify IFC-REQ-020: With the EDG stopped, connect a calibrated resistance decade box in place of each PT100 RTD in turn and verify PTLU displays the c... | Test |
| VER-REQ-035 | SIL 3 | Verify SUB-REQ-051: With the EDG running at 50% load, disconnect the primary speed sensor channel. Confirm: (a) governed speed deviation does not exce... | Test |
| VER-REQ-036 | SIL 2 | Verify SUB-REQ-053: With the EDG running at 100% load and the duty fuel transfer pump active, simulate pump failure by closing the duty pump discharge... | Test |
| VER-REQ-037 | SIL 3 | Verify SUB-REQ-055: Inspect IEC 60255-151 and IEC 60255-181 type-test certificates from an accredited test laboratory for the Generator Protection Rel... | Inspection |
| VER-REQ-038 | SIL 3 | Verify SUB-REQ-059: With the EDG disconnected from the safety bus (load bank connected), initiate test mode via key-switch on Engine Control Panel. Ra... | Demonstration |
| VER-REQ-048 | SIL 3 | Verify SUB-REQ-006: Review the ALC hardware design documentation and software V&V report to confirm dual-channel 2oo2 voting architecture. Verify that... | Inspection |
| VER-REQ-062 | SIL 3 | Verify SUB-REQ-026: With the ALC supplied from 24VDC Class 1E bus, assert the LOOP input discrete by closing a calibrated relay contact. Measure elaps... | Test |
| VER-REQ-063 | SIL 3 | Verify SUB-REQ-027: Commission a seismic qualification analysis of the Diesel Engine Subsystem to IEEE 344 (Recommended Practice for Seismic Qualifica... | Inspection |
| VER-REQ-064 | SIL 3 | Verify SUB-REQ-028: Subject the Isochronous Governor System and Engine Control Panel to BS EN IEC 61000-6-2 (Electromagnetic compatibility — Immunity ... | Test |
| VER-REQ-065 | SIL 3 | Verify SUB-REQ-056: Obtain the circuit breaker type test certificate from the manufacturer issued by a UKAS-accredited body. Review the certificate ag... | Inspection |
| VER-REQ-066 | SIL 4 | Verify SYS-REQ-011: Commission an independent architectural safety analysis demonstrating that common-cause failure of both EDG trains does not preven... | Inspection |
| VER-REQ-067 | SIL 2 | Verify SUB-REQ-034: With the Remote Monitoring Gateway powered and connected to a simulated I&C network test port, transmit write commands, parameter ... | Test |
| VER-REQ-068 | SIL 3 | Verify SUB-REQ-025: With the EDG in standby mode, apply a simulated LOOP signal to the Automatic Load Controller input representing bus voltage drop b... | Test |
| VER-REQ-069 | SIL 3 | Verify SUB-REQ-062: With compressed air receivers at minimum pressure (25 bar gauge), perform 3 consecutive cranking cycles without recharging between... | Test |
| VER-REQ-070 | SIL 2 | Verify SUB-REQ-039: With the EDG running at rated load, use an external calibrated temperature source to inject a simulated coolant outlet temperature... | Test |
| VER-REQ-071 | SIL 2 | Verify SUB-REQ-021: With the EDG running at 50% rated load, command a step demand change to 100% rated load via the governor. Measure the fuel rack po... | Test |
| VER-REQ-072 | SIL 2 | Verify SUB-REQ-041: Perform volumetric survey of Bulk Fuel Storage Tank at installation, confirming usable capacity not less than required for 168 hou... | Inspection |
| VER-REQ-073 | SIL 2 | Verify SUB-REQ-036: Following seismic qualification testing per IEEE 344 (Recommended Practice for Seismic Qualification of Class 1E Equipment), subje... | Test |
| VER-REQ-074 | SIL 2 | Verify SUB-REQ-030: Connect calibrated reference instruments in parallel with the Engine Parameter Sensor Array 4-20mA dual-channel outputs for lube o... | Test |
| VER-REQ-075 | SIL 2 | Verify SUB-REQ-054: With the EDG running at no-load and jacket water temperature pre-stabilised at preheat temperature (35°C ±5°C), apply a step load ... | Test |
| VER-REQ-076 | SIL 2 | Verify SUB-REQ-022: With the EDG running at rated speed and full load for 30 minutes (thermal steady state), measure charge air manifold pressure with... | Test |
| VER-REQ-077 | SIL 2 | Verify SYS-REQ-012: Induce a non-trip fault in the Isochronous Governor System (simulated sensor failure causing governor to operate in degraded open-... | Test |
| VER-REQ-078 | SIL 3 | Verify SYS-REQ-002: Run the EDG at rated load continuously for 168 hours. Monitor fuel consumption rate, coolant temperature, lube oil pressure, and b... | Test |
| VER-REQ-079 | SIL 3 | Verify SYS-REQ-004: Inject each trip condition in sequence (overspeed, low lube oil pressure, high coolant temperature, high exhaust temperature, over... | Test |
| VER-REQ-081 | SIL 2 | Verify SYS-REQ-006: Review the seismic qualification analysis report for all EDG building structural elements and mechanical equipment. Confirm analys... | Inspection |
| VER-REQ-082 | SIL 2 | Verify SUB-REQ-023: With EDG in standby mode (heaters energised), measure jacket water temperature using calibrated thermocouple at engine inlet and o... | Test |
| VER-REQ-083 | SIL 2 | Verify SUB-REQ-037: With engine at operating temperature (coolant 75-85°C), install calibrated ultrasonic flow meter on jacket water pump outlet. Meas... | Test |
| VER-REQ-084 | SIL 2 | Verify SUB-REQ-043: Sample fuel downstream of the Fuel Filtration Assembly during EDG operation at rated load. Analyse sample using ISO 4406 particle ... | Test |
| VER-REQ-085 | SIL 2 | Verify SUB-REQ-045: Monitor Day Tank fuel temperature at minimum ambient winter conditions (site minimum -5°C, or use temperature-controlled test cham... | Test |
| VER-REQ-086 | SIL 2 | Verify SUB-REQ-048: Inject a simulated PT100 RTD resistance value equivalent to 91°C into the Protective Trip Logic Unit input for each generator bear... | Test |
| VER-REQ-087 | SIL 2 | Verify SUB-REQ-052: Using a crankshaft position sensor and calibrated fuel pressure transducer at injector inlet, measure injection timing relative to... | Test |
| VER-REQ-088 | SIL 2 | Verify SUB-REQ-057: Inspect all fuel oil bunding and containment around the Day Tank, service tank, and fuel transfer pipework. Verify bund capacity ≥... | Inspection |
| VER-REQ-089 | SIL 2 | Verify SUB-REQ-060: With EDG in Maintenance Out-of-Service mode (LOTO applied), inspect access routes and clearances around all major subsystems (Dies... | Inspection |
| VER-REQ-090 | SIL 3 | Verify SYS-REQ-007: Apply a simulated LOOP event and initiate load sequencing with three load blocks representing: safety injection (50kW), emergency ... | Test |
| VER-REQ-094 | SIL 2 | Verify SUB-REQ-035: Inject each protective trip function (oil pressure, coolant temp, overspeed, vibration, channel fault) one at a time into the Prot... | Test |
| VER-REQ-097 | SIL 3 | Validate STK-REQ-001 (stakeholder acceptance): Conduct a witnessed system acceptance test with the site safety authority. From a cold standby state, a... | Demonstration |
| VER-REQ-098 | SIL 3 | Verify H-010 cyber security mitigation (SYS-REQ-004 and control system architecture): Conduct a structured cyber security assessment of all digital co... | Inspection |
| VER-REQ-099 | SIL 4 | Verify H-007 CCF safe state — DC battery coping time under station blackout load profile (SYS-REQ-011): With both EDGs inhibited and all AC power remo... | Test |
| VER-REQ-100 | SIL 2 | The EDG system SHALL be tested in degraded mode: introduce a simulated subsystem fault (simulate a cooling fan belt fault via belt tension sensor over... | Test |
| VER-REQ-102 | SIL 4 | The EDG system SHALL be demonstrated to have physical and electrical separation between Train A and Train B meeting CCF exclusion criteria: using a po... | Demonstration |
| VER-REQ-103 | SIL 2 | Verify SYS-REQ-014: Following a full-rated-load run test, restore offsite power supply and transfer the Class 1E bus to normal supply. Inhibit the EDG... | Test |
| VER-REQ-104 | SIL 3 | Verify SYS-REQ-015: Perform a battery capacity test per IEEE 450 (Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid B... | Test |
| VER-REQ-105 | SIL 3 | Verify SYS-REQ-016 cyber isolation: Inspect the EDG control system design documentation, network architecture diagram, and cable schedule. Confirm: (a... | Inspection |
| VER-REQ-106 | SIL 3 | Verify SUB-REQ-006 channel voting under single-channel failure: (a) Disable ALC Channel A processing unit by removing power connector; confirm EDG doe... | Test |
| VER-REQ-107 | SIL 2 | Verify SYS-REQ-017 degraded mode exit recovery: With the EDG running at 60% rated load in simulated degraded mode (subsystem fault injected via test i... | Test |
| VER-REQ-108 | SIL 3 | Verify SYS-REQ-016 cyber resilience under active attack simulation: Engage an independent nuclear cyber security assessor to conduct a structured pene... | Test |
| VER-REQ-109 | SIL 3 | Verify SUB-REQ-067 Maintenance Out-of-Service mode entry: Simulate a maintenance transition request with EDG in Standby Ready state. Confirm: (a) unav... | Test |
Goal Structuring Notation per GSN Community Standard v3. Top goal decomposes into hazard mitigation sub-goals, each supported by SIL-allocated requirements and verification evidence.
```mermaid
flowchart TD
    G0["<b>G0: Top Goal</b><br/>Emergency Diesel Generator for a UK Nuclear Licensed Site is acceptably safe"]
    S0{"<b>S0: Strategy</b><br/>Argument by hazard<br/>mitigation per IEC 61508"}
    G0 --> S0
    G1["<b>G1: H-001</b><br/>Failure to start on demand: Loss of standby power on LOOP<br/>SIL ?"]
    S0 --> G1
    Sn0_0(["<b>SYS-REQ-015</b>"])
    G1 --> Sn0_0
    Sn0_1(["<b>VER-REQ-068</b>"])
    G1 --> Sn0_1
    Sn0_2(["<b>VER-REQ-069</b>"])
    G1 --> Sn0_2
    G2["<b>G2: H-002</b><br/>Loss of output during operation: EDG trip while loaded<br/>SIL ?"]
    S0 --> G2
    Sn1_0(["<b>SYS-REQ-012</b>"])
    G2 --> Sn1_0
    Sn1_1(["<b>SYS-REQ-015</b>"])
    G2 --> Sn1_1
    Sn1_2(["<b>VER-REQ-077</b>"])
    G2 --> Sn1_2
    G3["<b>G3: H-003</b><br/>Engine overspeed: Uncontrolled speed above rated RPM<br/>SIL ?"]
    S0 --> G3
    Sn2_0(["<b>SYS-REQ-012</b>"])
    G3 --> Sn2_0
    Sn2_1(["<b>VER-REQ-071</b>"])
    G3 --> Sn2_1
    Sn2_2(["<b>VER-REQ-074</b>"])
    G3 --> Sn2_2
    G4["<b>G4: H-004</b><br/>Fire in EDG building: Fuel or lubricant ignition<br/>SIL ?"]
    S0 --> G4
    G5["<b>G5: H-005</b><br/>Fuel contamination/exhaustion: Degraded or depleted fuel sup...<br/>SIL ?"]
    S0 --> G5
    Sn4_0(["<b>VER-REQ-072</b>"])
    G5 --> Sn4_0
    G6["<b>G6: H-006</b><br/>Cooling system failure: Loss of engine cooling<br/>SIL ?"]
    S0 --> G6
    Sn5_0(["<b>SYS-REQ-011</b>"])
    G6 --> Sn5_0
    Sn5_1(["<b>VER-REQ-070</b>"])
    G6 --> Sn5_1
    Sn5_2(["<b>VER-REQ-074</b>"])
    G6 --> Sn5_2
    G7["<b>G7: H-007</b><br/>Common cause failure (both EDGs): Simultaneous loss of all d...<br/>SIL ?"]
    S0 --> G7
    Sn6_0(["<b>VER-REQ-099</b>"])
    G7 --> Sn6_0
    G8["<b>G8: H-008</b><br/>Seismic damage: Earthquake exceeding design basis<br/>SIL ?"]
    S0 --> G8
    Sn7_0(["<b>VER-REQ-073</b>"])
    G8 --> Sn7_0
    G9["<b>G9: H-009</b><br/>Spurious start/trip: Undemanded engine start or trip<br/>SIL ?"]
    S0 --> G9
    Sn8_0(["<b>VER-REQ-106</b>"])
    G9 --> Sn8_0
    G10["<b>G10: H-010</b><br/>Cyber attack: Malicious interference with control systems<br/>SIL ?"]
    S0 --> G10
    Sn9_0(["<b>SUB-REQ-068</b>"])
    G10 --> Sn9_0
    Sn9_1(["<b>SYS-REQ-016</b>"])
    G10 --> Sn9_1
    Sn9_2(["<b>VER-REQ-067</b>"])
    G10 --> Sn9_2
```

Machine-readable safety case structure. Import into GSN tools (Astah GSN, ASCE, NOR-STA).
# GSN Safety Case — Emergency Diesel Generator for a UK Nuclear Licensed Site
# Generated 2026-03-27
# Goal Structuring Notation (GSN) per GSN Community Standard v3
goals:
G0:
text: "Emergency Diesel Generator for a UK Nuclear Licensed Site is acceptably safe"
type: top-goal
supported_by: [S0]
strategies:
S0:
text: "Argument by hazard mitigation per IEC 61508"
supported_by: [G1, G2, G3, G4, G5, G6, G7, G8, G9, G10]
G1:
text: "H-001: Failure to start on demand: Loss of standby power on LOOP"
sil: unassigned
safe_state: "Diverse backup power or reactor trip"
supported_by: [SYS-REQ-015, VER-REQ-068, VER-REQ-069, VER-REQ-104, VER-REQ-106]
evidence: [VER-REQ-104, SUB-REQ-026, SUB-REQ-025, SUB-REQ-062, SYS-REQ-015, SUB-REQ-006]
G2:
text: "H-002: Loss of output during operation: EDG trip while loaded"
sil: unassigned
safe_state: "Auto-transfer to alternate EDG"
supported_by: [SYS-REQ-012, SYS-REQ-015, VER-REQ-077, VER-REQ-104]
evidence: [VER-REQ-100, VER-REQ-077, VER-REQ-104, SYS-REQ-012, SYS-REQ-015]
G3:
text: "H-003: Engine overspeed: Uncontrolled speed above rated RPM"
sil: unassigned
safe_state: "Mechanical trip and fuel cutoff"
supported_by: [SYS-REQ-012, VER-REQ-071, VER-REQ-074, VER-REQ-076]
evidence: [VER-REQ-100, VER-REQ-077, SUB-REQ-021, SUB-REQ-030, SUB-REQ-022]
G4:
text: "H-004: Fire in EDG building: Fuel or lubricant ignition"
sil: unassigned
safe_state: "Fire suppression, alternate EDG"
supported_by: []
evidence: []
G5:
text: "H-005: Fuel contamination/exhaustion: Degraded or depleted fuel supply"
sil: unassigned
safe_state: "Alternate tank, replenishment"
supported_by: [VER-REQ-072]
evidence: [SUB-REQ-041]
G6:
text: "H-006: Cooling system failure: Loss of engine cooling"
sil: unassigned
safe_state: "High-temp trip, alternate EDG"
supported_by: [SYS-REQ-011, VER-REQ-070, VER-REQ-074, VER-REQ-075]
evidence: [VER-REQ-102, VER-REQ-099, VER-REQ-066, SUB-REQ-039, SUB-REQ-030, SUB-REQ-054]
G7:
text: "H-007: Common cause failure (both EDGs): Simultaneous loss of all diesel generators"
sil: unassigned
safe_state: "Diverse AC, DC batteries, passive cooling"
supported_by: [VER-REQ-099]
evidence: [STK-REQ-007, SYS-REQ-011]
G8:
text: "H-008: Seismic damage: Earthquake exceeding design basis"
sil: unassigned
safe_state: "Post-seismic inspection"
supported_by: [VER-REQ-073]
evidence: [ARC-REQ-004, SUB-REQ-036]
G9:
text: "H-009: Spurious start/trip: Undemanded engine start or trip"
sil: unassigned
safe_state: "Operator verification"
supported_by: [VER-REQ-106]
evidence: [SUB-REQ-006]
G10:
text: "H-010: Cyber attack: Malicious interference with control systems"
sil: unassigned
safe_state: "Air-gapped backup, hardwired trips"
supported_by: [SUB-REQ-068, SYS-REQ-016, VER-REQ-067, VER-REQ-098, VER-REQ-108]
evidence: [VER-REQ-108, VER-REQ-105, SUB-REQ-034, SYS-REQ-004, SYS-REQ-016]
solutions:
IFC-REQ-001:
text: "The interface between the Automatic Load Controller and the Engine Control Panel SHALL convey the start demand signal as"
verification: Test
sil: 3
IFC-REQ-002:
text: "The interface between the Engine Control Panel and the Compressed Air Starting System SHALL use a 24VDC solenoid valve s"
verification: Test
sil: 3
IFC-REQ-003:
text: "The interface between the Isochronous Governor System and the Diesel Engine Subsystem SHALL provide dual independent mag"
verification: Test
sil: 2
IFC-REQ-004:
text: "The interface between the Generator Protection Relay and the Main Generator Circuit Breaker SHALL transmit the generator"
verification: Test
sil: 3
IFC-REQ-005:
text: "The interface between the Voltage Sensing and Monitoring Unit and the Generator Protection Relay SHALL provide analogue "
verification: Test
sil: 2
IFC-REQ-006:
text: "The interface between the Automatic Load Controller and the Safety Bus Transfer Contactor SHALL transmit the bus transfe"
verification: Test
sil: 3
IFC-REQ-008:
text: "The interface between the Fuel Injection System and the Fuel Oil System SHALL deliver diesel fuel at a supply pressure o"
verification: Test
sil: 2
IFC-REQ-009:
text: "The interface between the Engine Block and Rotating Assembly and the Alternator Subsystem SHALL be a rigid flanged coupl"
verification: Inspection
sil: 2
IFC-REQ-010:
text: "The interface between the Diesel Engine Subsystem and the Cooling System SHALL maintain engine jacket water inlet temper"
verification: Test
sil: 2
IFC-REQ-011:
text: "The interface between the Engine Parameter Sensor Array and the Protective Trip Logic Unit SHALL use dual 4-20mA current"
verification: Test
sil: 2
IFC-REQ-012:
text: "The interface between the Protective Trip Logic Unit and the Engine Control Panel SHALL use hardwired de-energised-to-tr"
verification: Test
sil: 2
IFC-REQ-015:
text: "The interface between the Day Tank and the Fuel Injection System SHALL supply diesel fuel at a gauge pressure of 0.3 to "
verification: Test
sil: 2
IFC-REQ-016:
text: "The interface between the Fuel Transfer Pump Set and the Day Tank SHALL deliver fuel at a nominal flow rate of no less t"
verification: Test
sil: 2
IFC-REQ-017:
text: "The interface between the Fuel Oil System level switches (Day Tank LL, L, H, HH and Bulk Tank L, LL) and the Local Alarm"
verification: Test
sil: 2
IFC-REQ-018:
text: "The interface between the Voltage Sensing and Monitoring Unit and the Automatic Voltage Regulator SHALL provide a 4-20mA"
verification: Test
sil: 2
IFC-REQ-019:
text: "The mechanical interface between the Diesel Engine Subsystem crankshaft flange and the Synchronous Generator Assembly dr"
verification: Analysis
sil: 2
IFC-REQ-020:
text: "The interface between the Generator Stator Winding and Thermal Protection PT100 RTDs and the Protective Trip Logic Unit "
verification: Test
sil: 2
STK-REQ-001:
text: "The site operator SHALL have access to qualified emergency AC standby power capable of supplying all safety-classified l"
verification: Demonstration
sil: 3
STK-REQ-002:
text: "The site operator SHALL maintain continuous emergency power supply for a minimum of 7 days without external fuel resuppl"
verification: Demonstration
sil: 3
STK-REQ-005:
text: "The site owner SHALL ensure the EDG can survive and remain operational following site design basis seismic events to Pea"
verification: Inspection
sil: 3
STK-REQ-007:
text: "The site owner SHALL ensure that in the event of simultaneous loss of all EDG trains, the safety-classified DC battery s"
verification: Demonstration
sil: 4
SUB-REQ-001:
text: "The Automatic Load Controller SHALL detect a loss-of-offsite-power condition and generate a start demand signal to the E"
verification: Test
sil: 3
SUB-REQ-002:
text: "The Compressed Air Starting System SHALL maintain a minimum stored compressed air capacity equivalent to 3 complete cran"
verification: Test
sil: 3
SUB-REQ-003:
text: "The Isochronous Governor System SHALL maintain engine speed within ±0.5% of 1500 RPM (±7.5 RPM) under steady-state loadi"
verification: Test
sil: 2
SUB-REQ-004:
text: "The Engine Control Panel SHALL initiate an engine shutdown within 500 milliseconds of engine speed exceeding 110% of rat"
verification: Test
sil: 3
SUB-REQ-005:
text: "When 3 consecutive start attempts have failed to reach rated speed within the allotted cranking time, the Starting and C"
verification: Test
sil: 3
SUB-REQ-006:
text: "The Automatic Load Controller SHALL implement a dual-channel voting architecture (2oo2 for start demand) such that a sin"
verification: Test
sil: 3
SUB-REQ-007:
text: "The Automatic Load Controller SHALL provide a hardwired inhibit input that, when activated by a key-operated switch at t"
verification: Test
sil: 3
SUB-REQ-008:
text: "The Isochronous Governor System SHALL provide a manual speed trim input allowing the operator to adjust output frequency"
verification: Demonstration
sil: 2
SUB-REQ-009:
text: "The Generator Protection Relay SHALL detect an internal generator winding fault (87G differential protection) and issue "
verification: Test
sil: 3
SUB-REQ-010:
text: "The Generator Protection Relay SHALL provide time-delayed overcurrent protection (51/51N) with a definite minimum time c"
verification: Test
sil: 3
SUB-REQ-011:
text: "The Main Generator Circuit Breaker SHALL interrupt fault currents up to the rated short-circuit breaking capacity of the"
verification: Test
sil: 3
SUB-REQ-012:
text: "The Safety Bus Transfer Contactor SHALL complete transfer of the nuclear safety bus from the normal offsite supply to th"
verification: Test
sil: 3
SUB-REQ-013:
text: "The Safety Bus Transfer Contactor SHALL incorporate a hardwired mechanical and electrical interlock with the Main Genera"
verification: Test
sil: 3
SUB-REQ-014:
text: "The Voltage Sensing and Monitoring Unit SHALL implement dual-channel redundant voltage measurement on both the generator"
verification: Test
sil: 2
SUB-REQ-015:
text: "When the Generator Protection Relay detects an internal self-test failure or watchdog timeout, the relay SHALL output a "
verification: Test
sil: 3
SUB-REQ-017:
text: "The Engine Block and Rotating Assembly SHALL accelerate the Alternator Subsystem rotor from standstill to 1500 RPM (50Hz"
verification: Test
sil: 2
SUB-REQ-018:
text: "The Diesel Engine Subsystem SHALL sustain continuous rated shaft power output for a minimum of 168 hours without requiri"
verification: Test
sil: 2
SUB-REQ-019:
text: "The Lubrication and Bearing System SHALL initiate an engine shutdown signal to the Engine Control Panel within 1.5 secon"
verification: Test
sil: 2
SUB-REQ-020:
text: "The Engine Block and Rotating Assembly SHALL incorporate a centrifugal mechanical overspeed trip device that physically "
verification: Test
sil: 2
SUB-REQ-021:
text: "The Fuel Injection System SHALL modulate fuel delivery from minimum to maximum fuel rack position within 200 millisecond"
verification: Test
sil: 2
SUB-REQ-022:
text: "The Turbocharger and Charge Air System SHALL maintain charge air manifold pressure ≥150 kPa gauge at loads from 25% to 1"
verification: Test
sil: 2
SUB-REQ-023:
text: "While the EDG is in standby, the Diesel Engine Subsystem SHALL maintain engine coolant temperature above 20°C using ther"
verification: Test
sil: 2
SUB-REQ-024:
text: "When a crankcase explosion relief valve actuates, the Diesel Engine Subsystem SHALL transmit a hardwired trip signal to "
verification: Test
sil: 2
SUB-REQ-026:
text: "The Automatic Load Controller SHALL receive the loss-of-offsite-power signal from the site electrical protection system "
verification: Test
sil: 3
SUB-REQ-027:
text: "The Diesel Engine Subsystem, including the Engine Block, Fuel Injection System, Lubrication and Bearing System, Turbocha"
verification: Analysis
sil: 3
SUB-REQ-028:
text: "The Isochronous Governor System and Engine Control Panel SHALL comply with BS EN IEC 61000-6-2 (Electromagnetic compatib"
verification: Test
sil: 3
SUB-REQ-030:
text: "The Engine Parameter Sensor Array SHALL provide dual-channel 4-20mA output for each critical parameter — lube oil pressu"
verification: Test
sil: 2
SUB-REQ-031:
text: "The Protective Trip Logic Unit SHALL initiate a hardwired de-energise-to-trip command to the Engine Control Panel within"
verification: Test
sil: 2
SUB-REQ-032:
text: "When the Protective Trip Logic Unit loses 110VDC supply voltage below 88VDC (80% nominal), the Monitoring and Instrument"
verification: Test
sil: 2
SUB-REQ-033:
text: "The Protective Trip Logic Unit SHALL detect a fault on either sensor channel (open circuit, short to supply, out-of-rang"
verification: Test
sil: 2
SUB-REQ-034:
text: "The Remote Monitoring Gateway SHALL provide a minimum 1500Vrms optical isolation barrier between the SIL-2 Protective Tr"
verification: Test
sil: 2
SUB-REQ-036:
text: "The Engine Parameter Sensor Array and Protective Trip Logic Unit SHALL remain functional during and after a seismic even"
verification: Test
sil: 2
SUB-REQ-037:
text: "The Jacket Water Pump SHALL maintain coolant circulation through the engine block at a minimum flow rate of 200 litres p"
verification: Test
sil: 2
SUB-REQ-039:
text: "When the engine jacket coolant outlet temperature exceeds 95 degrees Celsius, the Cooling System SHALL generate a hardwi"
verification: Test
sil: 2
SUB-REQ-040:
text: "The Day Tank SHALL provide a minimum fuel reserve of 8 hours of continuous operation at rated engine load without replen"
verification: Test
sil: 2
SUB-REQ-041:
text: "The Bulk Fuel Storage Tank SHALL hold a minimum usable fuel volume of 42,000 litres, with nominal tank capacity ≥48,300 "
verification: Test
sil: 2
SUB-REQ-042:
text: "The Fuel Transfer Pump Set SHALL automatically start the duty pump within 10 seconds of the Day Tank level falling to th"
verification: Test
sil: 2
SUB-REQ-043:
text: "The Fuel Filtration Assembly SHALL remove particulate matter to a maximum particle size of 10 microns nominal and separa"
verification: Test
sil: 2
SUB-REQ-044:
text: "When a confirmed fire detection signal is received from the EDG building fire detection system, the Fuel Supply Pipework"
verification: Test
sil: 2
SUB-REQ-045:
text: "The Fuel Oil System SHALL maintain fuel temperature in the Day Tank above 5°C under site minimum ambient temperature con"
verification: Demonstration
sil: 2
SUB-REQ-046:
text: "The Automatic Voltage Regulator SHALL maintain the Synchronous Generator Assembly terminal voltage within ±0.5% of set-p"
verification: Test
sil: 2
SUB-REQ-047:
text: "The Generator Stator Winding and Thermal Protection SHALL alarm to the Protective Trip Logic Unit when any stator windin"
verification: Test
sil: 2
SUB-REQ-048:
text: "The Generator Bearing and Mechanical Support Assembly SHALL alarm to the Protective Trip Logic Unit when any bearing PT1"
verification: Test
sil: 2
SUB-REQ-049:
text: "The Brushless Excitation System SHALL build terminal voltage from zero (black-start) to within ±6% of rated voltage with"
verification: Test
sil: 2
SUB-REQ-050:
text: "When a Generator Protection Relay (GPR) stator earth fault trip signal is received, the Alternator Subsystem SHALL de-en"
verification: Test
sil: 2
SUB-REQ-051:
text: "The Isochronous Governor System SHALL incorporate dual independent speed-sensing channels, such that the failure of one "
verification: Test
sil: 3
SUB-REQ-052:
text: "The Fuel Injection System SHALL deliver fuel injection timing within ±2 degrees of crankshaft rotation of the nominal in"
verification: Test
sil: 2
SUB-REQ-053:
text: "The Fuel Transfer Pump Set SHALL consist of two independently-powered duty/standby pumps, each capable of supplying 150%"
verification: Test
sil: 2
SUB-REQ-054:
text: "The Cooling System SHALL maintain engine jacket water temperature within the operational band (70°C–88°C) following the "
verification: Test
sil: 2
SUB-REQ-055:
text: "The Generator Protection Relay SHALL comply with IEC 60255-151 (Measuring relays and protection equipment — Functional r"
verification: Inspection
sil: 3
SUB-REQ-056:
text: "The Main Generator Circuit Breaker SHALL comply with BS EN 62271-100 (High-voltage switchgear and controlgear — AC circu"
verification: Inspection
sil: 3
SUB-REQ-057:
text: "The Fuel Oil System bunding and containment SHALL comply with the Environmental Permitting (England and Wales) Regulatio"
verification: Inspection
sil: 2
SUB-REQ-058:
text: "The Local Alarm and Indication Panel SHALL present any new alarm condition within 2 seconds of the initiating parameter "
verification: Test
sil: 2
SUB-REQ-059:
text: "The Starting and Control Subsystem SHALL provide a test mode that enables full-rated-load operational testing of the EDG"
verification: Demonstration
sil: 3
SUB-REQ-060:
text: "Each major subsystem of the EDG system (Diesel Engine Subsystem, Alternator Subsystem, Fuel Oil System, Cooling System, "
verification: Inspection
sil: 2
SUB-REQ-062:
text: "The Compressed Air Starting System SHALL store compressed air at no less than 25 bar gauge to deliver a minimum of 3 com"
verification: Test
sil: 3
SUB-REQ-063:
text: "The Engine Block and Rotating Assembly SHALL accelerate the coupled shaft to 1500 RPM nominal (50 Hz ±1% at the alternat"
verification: Test
sil: 2
SUB-REQ-064:
text: "The Turbocharger and Charge Air System SHALL deliver combustion air at the boost pressure defined in the engine manufact"
verification: Test
sil: 2
SUB-REQ-065:
text: "The Bulk Fuel Storage Tank SHALL have a minimum nominal capacity of 115% of the quantity required for 168 hours of conti"
verification: Inspection
sil: 2
SUB-REQ-066:
text: "Before reinstatement to operational service following any planned maintenance activity requiring LOTO isolation, the EDG"
verification: Demonstration
sil: 3
SUB-REQ-067:
text: "Before any planned maintenance activity requiring physical isolation of EDG components, the Starting and Control Subsyst"
verification: Demonstration
sil: 3
SUB-REQ-068:
text: "The Remote Monitoring Gateway SHALL provide a minimum 2500Vrms galvanic isolation barrier (optical isolator or equivalen"
verification: Test
sil: 2
SYS-REQ-001:
text: "The EDG system SHALL reach rated voltage (415V ±6% or 11kV ±6%) and frequency (50Hz ±1%) and be ready to accept the firs"
verification: Test
sil: 3
SYS-REQ-002:
text: "The EDG system SHALL sustain continuous rated output for a minimum of 168 hours (7 days) at rated load conditions withou"
verification: Test
sil: 3
SYS-REQ-003:
text: "When a loss-of-offsite-power (LOOP) signal is received from the site electrical protection system, the EDG system SHALL "
verification: Test
sil: 3
SYS-REQ-004:
text: "When a safety trip condition is detected (overspeed >110% rated, low lubricating oil pressure <2.5 bar, high coolant tem"
verification: Test
sil: 3
SYS-REQ-005:
text: "The EDG system SHALL achieve a probability of failure on demand (PFD) not exceeding 1×10⁻³ per demand, assessed over a 1"
verification: Analysis
sil: 3
SYS-REQ-006:
text: "The EDG system, including all associated fuel, cooling, and control equipment within the EDG building, SHALL remain oper"
verification: Inspection
sil: 3
SYS-REQ-011:
text: "The EDG system architecture SHALL ensure that a common-cause failure of both EDG trains does not prevent reactor core co"
verification: Inspection
sil: 4
SYS-REQ-012:
text: "When one or more EDG subsystems experience a fault that does not trigger a safety trip, the EDG system SHALL continue to"
verification: Test
sil: 2
SYS-REQ-014:
text: "When offsite power is restored and the Class 1E bus is transferred to normal supply, the EDG system SHALL enter a contro"
verification: Test
sil: 2
SYS-REQ-015:
text: "When a single EDG train fails to start or trips during an active Loss-of-Offsite-Power event, the Class 1E safety bus se"
verification: Test
sil: 3
SYS-REQ-016:
text: "The EDG control and protection system (Automatic Load Controller, Engine Control Panel, Protective Trip Logic Unit, and "
verification: Inspection
sil: 3
SYS-REQ-017:
text: "When the fault condition causing Degraded Operation mode is cleared or isolated, the EDG system SHALL restore full rated"
verification: Test
sil: 2
VER-REQ-004:
text: "Verify SYS-REQ-001 and SYS-REQ-003 end-to-end: Simulate LOOP condition by dropping Class 1E bus voltage to 0V. Record ti"
verification: Test
sil: 3
VER-REQ-005:
text: "Verify SUB-REQ-009: Inject a simulated 87G differential fault condition into the Generator Protection Relay secondary te"
verification: Test
sil: 3
VER-REQ-006:
text: "Verify SUB-REQ-013: With MGCB in the closed position, issue a close command to the SBTC and measure time from command to"
verification: Test
sil: 3
VER-REQ-007:
text: "Verify IFC-REQ-004: De-energise the 110V DC trip circuit supply and measure time from de-energisation to MGCB open posit"
verification: Test
sil: 3
VER-REQ-008:
text: "Verify IFC-REQ-006 and SUB-REQ-012 combined: Simulate a LOOP event at the ALC input and measure total time from ALC bus "
verification: Test
sil: 3
VER-REQ-009:
text: "Verify IFC-REQ-005: Connect a calibrated current source to the VSMU 4-20mA output loop and apply 4mA (0V), 12mA (60% nom"
verification: Test
sil: 2
VER-REQ-013:
text: "Verify SUB-REQ-019: With engine running at rated speed, progressively restrict oil supply to reduce oil pressure. Measur"
verification: Test
sil: 2
VER-REQ-014:
text: "Verify SUB-REQ-020: With the engine at no-load, manually actuate the mechanical overspeed trip device and confirm fuel r"
verification: Test
sil: 2
VER-REQ-015:
text: "Verify end-to-end Diesel Engine Subsystem integration: Start EDG from cold standby condition (coolant at preheat tempera"
verification: Test
sil: 2
VER-REQ-016:
text: "Verify SUB-REQ-001: With EDG in standby and offsite power connected, simulate a Class 1E bus voltage loss by tripping th"
verification: Test
sil: 3
VER-REQ-017:
text: "Verify SUB-REQ-002: With compressed air receivers fully charged, perform 3 complete cranking cycles at maximum cranking "
verification: Test
sil: 3
VER-REQ-018:
text: "Verify SUB-REQ-003: With the EDG running at rated speed and connected to a resistive load bank, apply step load changes "
verification: Test
sil: 3
VER-REQ-019:
text: "Verify SUB-REQ-015: Induce a simulated internal self-test failure in the Generator Protection Relay by interrupting the "
verification: Test
sil: 3
VER-REQ-020:
text: "Verify SUB-REQ-016: With the EDG running at rated speed and no-load, interrupt the governor processor watchdog keep-aliv"
verification: Test
sil: 3
VER-REQ-021:
text: "Verify IFC-REQ-007: With normal 415V AC supply removed, confirm the 24VDC Class 1E distribution panel switches to batter"
verification: Test
sil: 3
VER-REQ-022:
text: "Verify SUB-REQ-031: With the EDG running at rated speed and a calibrated signal injector on each sensor channel, step th"
verification: Test
sil: 2
VER-REQ-023:
text: "Verify SUB-REQ-032: With the EDG running and M&I system energised, reduce the 110VDC supply to the Protective Trip Logic"
verification: Test
sil: 2
VER-REQ-024:
text: "Verify IFC-REQ-011: With the M&I system energised from 24VDC supply, apply open-circuit and short-to-supply faults to ea"
verification: Test
sil: 2
VER-REQ-025:
text: "Verify IFC-REQ-012: With the EDG stopped, energise each PTLU trip relay in turn and measure contact resistance (pass: be"
verification: Test
sil: 2
VER-REQ-027:
text: "Verify SUB-REQ-040: Fill the Day Tank to High (H) level, stop the Fuel Transfer Pump Set, run the EDG at 100% rated load"
verification: Test
sil: 2
VER-REQ-028:
text: "Verify SUB-REQ-042: With EDG running and Fuel Transfer Pump Set in automatic, drain the Day Tank to below Low (L) set-po"
verification: Test
sil: 2
VER-REQ-029:
text: "Verify IFC-REQ-015: With EDG running at 100% rated load, install calibrated pressure gauges at the fuel inlet to the Fue"
verification: Test
sil: 2
VER-REQ-030:
text: "Verify IFC-REQ-017: With the Day Tank and Bulk Tank level instruments energised from 24VDC, verify each level switch (Da"
verification: Test
sil: 2
VER-REQ-031:
text: "Verify SUB-REQ-046: With EDG running at rated speed and connected to a programmable load bank, apply a steady-state resi"
verification: Test
sil: 2
VER-REQ-032:
text: "Verify SUB-REQ-049: Start the EDG from cold standby with no pre-existing excitation supply (confirm PMG output is the on"
verification: Test
sil: 2
VER-REQ-033:
text: "Verify IFC-REQ-018: With EDG running at rated speed, apply known reference voltages from a calibrated voltage source to "
verification: Test
sil: 2
VER-REQ-034:
text: "Verify IFC-REQ-020: With the EDG stopped, connect a calibrated resistance decade box in place of each PT100 RTD in turn "
verification: Test
sil: 2
VER-REQ-035:
text: "Verify SUB-REQ-051: With the EDG running at 50% load, disconnect the primary speed sensor channel. Confirm: (a) governed"
verification: Test
sil: 3
VER-REQ-036:
text: "Verify SUB-REQ-053: With the EDG running at 100% load and the duty fuel transfer pump active, simulate pump failure by c"
verification: Test
sil: 2
VER-REQ-037:
text: "Verify SUB-REQ-055: Inspect IEC 60255-151 and IEC 60255-181 type-test certificates from an accredited test laboratory fo"
verification: Inspection
sil: 3
VER-REQ-038:
text: "Verify SUB-REQ-059: With the EDG disconnected from the safety bus (load bank connected), initiate test mode via key-swit"
verification: Demonstration
sil: 3
VER-REQ-048:
text: "Verify SUB-REQ-006: Review the ALC hardware design documentation and software V&V report to confirm dual-channel 2oo2 vo"
verification: Inspection
sil: 3
VER-REQ-062:
text: "Verify SUB-REQ-026: With the ALC supplied from 24VDC Class 1E bus, assert the LOOP input discrete by closing a calibrate"
verification: Test
sil: 3
VER-REQ-063:
text: "Verify SUB-REQ-027: Commission a seismic qualification analysis of the Diesel Engine Subsystem to IEEE 344 (Recommended "
verification: Inspection
sil: 3
VER-REQ-064:
text: "Verify SUB-REQ-028: Subject the Isochronous Governor System and Engine Control Panel to BS EN IEC 61000-6-2 (Electromagn"
verification: Test
sil: 3
VER-REQ-065:
text: "Verify SUB-REQ-056: Obtain the circuit breaker type test certificate from the manufacturer issued by a UKAS-accredited b"
verification: Inspection
sil: 3
VER-REQ-066:
text: "Verify SYS-REQ-011: Commission an independent architectural safety analysis demonstrating that common-cause failure of b"
verification: Inspection
sil: 4
VER-REQ-067:
text: "Verify SUB-REQ-034: With the Remote Monitoring Gateway powered and connected to a simulated I&C network test port, trans"
verification: Test
sil: 2
VER-REQ-068:
text: "Verify SUB-REQ-025: With the EDG in standby mode, apply a simulated LOOP signal to the Automatic Load Controller input r"
verification: Test
sil: 3
VER-REQ-069:
text: "Verify SUB-REQ-062: With compressed air receivers at minimum pressure (25 bar gauge), perform 3 consecutive cranking cyc"
verification: Test
sil: 3
VER-REQ-070:
text: "Verify SUB-REQ-039: With the EDG running at rated load, use an external calibrated temperature source to inject a simula"
verification: Test
sil: 2
VER-REQ-071:
text: "Verify SUB-REQ-021: With the EDG running at 50% rated load, command a step demand change to 100% rated load via the gove"
verification: Test
sil: 2
VER-REQ-072:
text: "Verify SUB-REQ-041: Perform volumetric survey of Bulk Fuel Storage Tank at installation, confirming usable capacity not "
verification: Inspection
sil: 2
VER-REQ-073:
text: "Verify SUB-REQ-036: Following seismic qualification testing per IEEE 344 (Recommended Practice for Seismic Qualification"
verification: Test
sil: 2
VER-REQ-074:
text: "Verify SUB-REQ-030: Connect calibrated reference instruments in parallel with the Engine Parameter Sensor Array 4-20mA d"
verification: Test
sil: 2
VER-REQ-075:
text: "Verify SUB-REQ-054: With the EDG running at no-load and jacket water temperature pre-stabilised at preheat temperature ("
verification: Test
sil: 2
VER-REQ-076:
text: "Verify SUB-REQ-022: With the EDG running at rated speed and full load for 30 minutes (thermal steady state), measure cha"
verification: Test
sil: 2
VER-REQ-077:
text: "Verify SYS-REQ-012: Induce a non-trip fault in the Isochronous Governor System (simulated sensor failure causing governo"
verification: Test
sil: 2
VER-REQ-078:
text: "Verify SYS-REQ-002: Run the EDG at rated load continuously for 168 hours. Monitor fuel consumption rate, coolant tempera"
verification: Test
sil: 3
VER-REQ-079:
text: "Verify SYS-REQ-004: Inject each trip condition in sequence (overspeed, low lube oil pressure, high coolant temperature, "
verification: Test
sil: 3
VER-REQ-081:
text: "Verify SYS-REQ-006: Review the seismic qualification analysis report for all EDG building structural elements and mechan"
verification: Inspection
sil: 2
VER-REQ-082:
text: "Verify SUB-REQ-023: With EDG in standby mode (heaters energised), measure jacket water temperature using calibrated ther"
verification: Test
sil: 2
VER-REQ-083:
text: "Verify SUB-REQ-037: With engine at operating temperature (coolant 75-85°C), install calibrated ultrasonic flow meter on "
verification: Test
sil: 2
VER-REQ-084:
text: "Verify SUB-REQ-043: Sample fuel downstream of the Fuel Filtration Assembly during EDG operation at rated load. Analyse s"
verification: Test
sil: 2
VER-REQ-085:
text: "Verify SUB-REQ-045: Monitor Day Tank fuel temperature at minimum ambient winter conditions (site minimum -5°C, or use te"
verification: Test
sil: 2
VER-REQ-086:
text: "Verify SUB-REQ-048: Inject a simulated PT100 RTD resistance value equivalent to 91°C into the Protective Trip Logic Unit"
verification: Test
sil: 2
VER-REQ-087:
text: "Verify SUB-REQ-052: Using a crankshaft position sensor and calibrated fuel pressure transducer at injector inlet, measur"
verification: Test
sil: 2
VER-REQ-088:
text: "Verify SUB-REQ-057: Inspect all fuel oil bunding and containment around the Day Tank, service tank, and fuel transfer pi"
verification: Inspection
sil: 2
VER-REQ-089:
text: "Verify SUB-REQ-060: With EDG in Maintenance Out-of-Service mode (LOTO applied), inspect access routes and clearances aro"
verification: Inspection
sil: 2
VER-REQ-090:
text: "Verify SYS-REQ-007: Apply a simulated LOOP event and initiate load sequencing with three load blocks representing: safet"
verification: Test
sil: 3
VER-REQ-094:
text: "Verify SUB-REQ-035: Inject each protective trip function (oil pressure, coolant temp, overspeed, vibration, channel faul"
verification: Test
sil: 2
VER-REQ-097:
text: "Validate STK-REQ-001 (stakeholder acceptance): Conduct a witnessed system acceptance test with the site safety authority"
verification: Demonstration
sil: 3
VER-REQ-098:
text: "Verify H-010 cyber security mitigation (SYS-REQ-004 and control system architecture): Conduct a structured cyber securit"
verification: Inspection
sil: 3
VER-REQ-099:
text: "Verify H-007 CCF safe state — DC battery coping time under station blackout load profile (SYS-REQ-011): With both EDGs i"
verification: Test
sil: 4
VER-REQ-100:
text: "The EDG system SHALL be tested in degraded mode: introduce a simulated subsystem fault (simulate a cooling fan belt faul"
verification: Test
sil: 2
VER-REQ-102:
text: "The EDG system SHALL be demonstrated to have physical and electrical separation between Train A and Train B meeting CCF "
verification: Demonstration
sil: 4
VER-REQ-103:
text: "Verify SYS-REQ-014: Following a full-rated-load run test, restore offsite power supply and transfer the Class 1E bus to "
verification: Test
sil: 2
VER-REQ-104:
text: "Verify SYS-REQ-015: Perform a battery capacity test per IEEE 450 (Recommended Practice for Maintenance, Testing, and Rep"
verification: Test
sil: 3
VER-REQ-105:
text: "Verify SYS-REQ-016 cyber isolation: Inspect the EDG control system design documentation, network architecture diagram, a"
verification: Inspection
sil: 3
VER-REQ-106:
text: "Verify SUB-REQ-006 channel voting under single-channel failure: (a) Disable ALC Channel A processing unit by removing po"
verification: Test
sil: 3
VER-REQ-107:
text: "Verify SYS-REQ-017 degraded mode exit recovery: With the EDG running at 60% rated load in simulated degraded mode (subsy"
verification: Test
sil: 2
VER-REQ-108:
text: "Verify SYS-REQ-016 cyber resilience under active attack simulation: Engage an independent nuclear cyber security assesso"
verification: Test
sil: 3
VER-REQ-109:
text: "Verify SUB-REQ-067 Maintenance Out-of-Service mode entry: Simulate a maintenance transition request with EDG in Standby "
verification: Test
sil: 3