Emergency Diesel Generator for a UK Nuclear Licensed Site

Rationale: ONR Safety Assessment Principles (SAPs) require that nuclear licensed sites maintain diverse and redundant emergency power supplies to ensure safe shutdown functions can be performed following loss of offsite power (LOOP). The 10-second start requirement is derived from maximum permissible interruption time for Class 1E loads (pump motors, valve actuators) without loss of safety function.

Rationale: ONR SAPs specify that the EDG must sustain safety functions throughout design basis accident (DBA) sequences and beyond-design-basis events. 7-day autonomy is the UK nuclear industry standard derived from historical extended blackout scenarios and the time required for grid restoration or alternative fuel supply logistics.

Rationale: UK nuclear sites operate under the Nuclear Installations Act 1965 and ONR regulatory oversight. Non-compliance with applicable standards constitutes a licensing offence and directly endangers public safety. IEC 61226 classifies EDG functions as Category A (highest importance to safety).

Rationale: ONR requires periodic surveillance testing to verify EDG operability. Monthly full-load tests are the UK nuclear industry standard per site licence conditions. The ability to test without degrading availability requires load test capability while the sister EDG (if applicable) remains available — this drives the requirement for test bus configuration.

Rationale: UK nuclear site safety cases (ONR guidance NS-TAST-GD-013) require Class 1E systems to survive and function after design basis external hazards. PGA 0.25g aligns with typical UK nuclear site seismic design basis; 72-hour return-to-service is the operator action window before battery DC supplies are exhausted. Specific numeric limits replace the original reference to 'site safety case' which is unverifiable without access to a site-specific document.

Rationale: Site licence conditions and plant availability targets require that EDGs are maintainable within planned outage windows. 12-month minor and 5-year major intervals are standard for medium-speed diesels of this class. On-site tooling requirement is driven by nuclear site security constraints on external personnel and equipment access.

Rationale: The Station Blackout ConOps scenario (both EDGs lost due to common-cause failure) requires that a stakeholder-level requirement captures the diverse backup power mandate. Without this STK requirement, SYS-REQ-011 (CCF architecture) has no stakeholder-level derivation, leaving a gap in the top-down trace from stakeholder need to system architecture. ONR SAPs require site licensees to demonstrate that common-cause failure of primary emergency power does not preclude reactor safe state maintenance.

Rationale: Derived from STK-REQ-001. The 10-second limit is the maximum permissible power interruption for Class 1E safety loads (emergency coolant injection pumps, containment isolation valves) per IEC 61226 Category A. Voltage and frequency tolerances are per BS EN 50160 and IEC 60038 for nuclear plant auxiliary systems. Failure to meet this requirement means safety loads may not start following a LOOP event coincident with a design basis accident.

Rationale: Derived from STK-REQ-002. 168 hours corresponds to 7-day operational autonomy. Value derived from analysis of maximum grid restoration time following major network failure scenarios and site isolation scenarios in the UK nuclear industry. Exceeding this limit would require manual fuel delivery under potentially degraded access conditions, creating a logistics risk to plant safety.

Rationale: Derived from STK-REQ-001. The 500ms initiation window is the maximum allowable delay between LOOP detection and EDG crank initiation, derived by back-calculating from the 10-second load-ready requirement minus engine run-up time (8s) and voltage/frequency stabilisation time (1.5s). Operator action is excluded to ensure the system functions during control room evacuation scenarios.

Rationale: Derived from STK-REQ-002 and ONR SAPs. Specific trip thresholds are per engine manufacturer limits and IEEE 308. Latched trip with manual reset is required to prevent automatic restart into a persistent fault, which could cause escalating damage (e.g., engine seizure from oil starvation) and reduce EDG availability for subsequent demand. The 5-second shutdown window protects engine mechanical integrity while allowing load transfer to occur on parallel safety systems.

Rationale: Derived from STK-REQ-003. PFD ≤ 1×10⁻³ corresponds to SIL 3 allocation for a single channel per IEC 61508 (Functional safety of E/E/PE safety-related systems). This target is established in the nuclear site probabilistic safety assessment (PSA) as the required reliability for the emergency power function, based on overall plant risk limits. Failing to meet PFD means the EDG contributes unacceptably to core damage frequency. Verification by Analysis: the IEC 61508 Part 6 simplified fault tree method produces a PFD calculation report with MTBF inputs, proof test interval, and common-cause beta-factor for the dual-train EDG architecture. The analysis must demonstrate PFD ≤ 1×10⁻³ across the 12-month surveillance interval; if the fault tree result exceeds this, the surveillance interval must be shortened or component reliability improved. Inspection of a procedure document alone does not verify the PFD target — the analysis must be performed with actual component failure rate data from manufacturer datasheets and site historical records.

Rationale: Derived from STK-REQ-005. Loss of the EDG during a seismic event — the scenario most likely to simultaneously cause LOOP and equipment damage — would eliminate emergency power at the point of maximum demand. IEEE 344 qualification analysis is the accepted method per UK nuclear industry practice and ONR guidance. Safe state: if the EDG fails to restart following an SSE (verified by the post-seismic start attempt within 60 seconds per SYS-REQ-001), the safe state is maintained by the diverse backup systems identified in SYS-REQ-011 (DC battery system with ≥8-hour coping time, and passive decay heat removal). The EDG failure following SSE SHALL be annunciated in the main control room within 30 seconds via the unavailability signal, triggering the operator to activate the backup power strategy per site emergency operating procedure. The qualification analysis must confirm that seismic-induced failure modes do not cause the EDG to energise the safety bus incorrectly (wrong voltage/frequency), which would be a worse failure than simply remaining unavailable.

Rationale: Derived from SYS-REQ-001. Large motor inrush currents from simultaneous load application can cause generator voltage collapse. The 15% voltage dip limit and 3 Hz frequency limit are the maximum tolerable by Class 1E motor starters and associated contactors per IEEE 308. Sequential loading at 2-second intervals ensures the engine governor and AVR stabilise between steps.

Rationale: Derived from STK-REQ-003. EDG buildings contain large rotating machinery generating significant EMI. Control and protection circuits that malfunction due to EMI can cause spurious trips or failure to start — both are safety-significant. BS EN IEC 61000 compliance is mandatory for Class 1E electronic equipment on UK nuclear sites.

Rationale: Derived from STK-REQ-004. 30-minute load test duration is the minimum specified in site licence conditions to verify EDG thermal performance and governor stability under sustained load. 10-minute return-to-standby is the maximum duration for the EDG to be unavailable after testing, per site Technical Specifications.

Rationale: Derived from STK-REQ-006. 12-month minor and 5-year major intervals align with medium-speed diesel manufacturer recommendations and site outage planning constraints. On-site tooling requirement flows from nuclear site security constraints on external contractor access during security-heightened states.

Rationale: Hazard H-006 (Common-cause failure of both EDGs) is classified SIL-4 at the plant level because the EDG system provides two of the four redundant power channels required by the site safety case; loss of both EDGs simultaneously removes two channels, creating a plant-level SIL-4 risk scenario. IEC 61508-2 (Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 2: Requirements for E/E/PE safety-related systems) SIL-4 architectural constraint HFT=1 applies to the overall emergency AC power function, NOT to the EDG subsystems individually — each EDG channel is SIL-3 per SYS-REQ-005, but together they must satisfy the HFT=1 constraint at the plant level. The SIL gap addressed by this requirement: no prior SYS requirement established that the EDG architecture must be designed to ENABLE diverse fallback — only to perform its own function. Safe state for the CCF scenario: reactor in cold shutdown, core cooled by passive decay heat removal (natural circulation) and DC battery-backed instrumentation maintaining monitoring for ≥8 hours. The diverse AC backup (separate AC supply train with separate fuel and cabling routes) must be demonstrated independent from both EDG trains to prevent common-cause vulnerability from propagating to the backup. Verification: safety case analysis demonstrating diversity and independence per IEC 61508-2 Table A.15 (avoidance of dependent failures).

Rationale: Derived from H-002 (Loss of output during operation) and H-003 (Engine overspeed) hazards: subsystem faults that are non-trip-inducing must not cause total loss of EDG function. The 60% minimum output threshold is derived from the minimum safety load demand during cold shutdown; 2-hour duration aligns with operator action time to transfer to alternate EDG or mobile generator. Annunciation requirement ensures control room awareness within the LOOP response scenario.

Rationale: ConOps Cooldown Shutdown scenario: no SYS requirement existed for the post-LOOP cooldown transition. IEC 60034-1 (Rotating electrical machines) and engine manufacturer specifications require a minimum no-load cooldown run before stopping a loaded diesel engine; thermal shock from immediate hot-stop can cause cracking of the engine block, cylinder head distortion, and turbocharger bearing seizure — all of which degrade EDG availability for the next demand. The 5-minute minimum and 80°C limit are derived from CEGB/EDF diesel engine maintenance standards for nuclear standby plant.

Rationale: H-001 (Failure to start, SIL-3) and H-002 (Loss of output, SIL-3) safe states require diverse backup power. In the two-train architecture, a single-train failure leaves the affected Class 1E bus without AC; the 8-hour DC coping window (from STK-REQ-007) must explicitly apply. Verification method changed from Analysis to Test: the 8-hour coping duration is verifiable by IEEE 450 (Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid Batteries) battery capacity test — discharge battery under rated load profile, measure actual Ah capacity, then demonstrate analytically using measured (not design) capacity that 8-hour autonomy is achieved. This hybrid test+analysis method constitutes Test verification per IEC 61508 because the critical capacity value comes from direct measurement.

Rationale: H-010 (Cyber attack, SIL-3 per ONR cybersecurity guidance for Category A safety systems) requires the safe state to be maintained by air-gapped backup and hardwired trips. SYS-REQ-004 establishes the hardwired trip principle but does not explicitly prohibit network connectivity of the control system. This requirement closes the gap: a networked EDG controller at a UK nuclear licensed site would require ONR agreement as a Category A cyber security change, and the standard mitigation is physical isolation. Safe state for detected breach attempt: if the Remote Monitoring Gateway detects an inbound command attempt or any bidirectional traffic on the data diode output, the gateway SHALL (a) generate a Cyber Security Alert in the main control room within 5 seconds, and (b) maintain the EDG in its current operational state without any modification to protection setpoints or control parameters — the safe state is operational continuation with alerting, NOT automatic trip, to prevent adversary-induced spurious shutdowns. The inspection method verifies design documentation, cable schedule, and network diagram confirming no IP-connected interfaces; additionally, a penetration test of the monitoring interface data diode SHALL be conducted at commissioning to confirm unidirectional enforcement (IEC 62645 (Nuclear power plants — Instrumentation and control systems — Requirements for security programmes for computer-based systems) baseline).

Rationale: The Degraded Operation mode (SYS-REQ-012) specifies entry conditions and minimum performance floor (60% rated, 50Hz ±2%, 2-hour minimum). However, no requirement defines the exit condition — what happens when the fault is cleared. In the scenario 'EDG Trip During Extended LOOP', the cooling fan belt failure causes high-temp trip; if the fault were recoverable (e.g., subsystem fault that clears), the operator needs the EDG to restore full output without restarting. Without an exit requirement, the Degraded Operation mode is a dead-end: once entered, no defined path back to normal. This requirement closes the mode transition gap identified in validation session 606.

Rationale: Derived from STK-REQ-002 (7-day continuous operation) and the Degraded Operation mode in the ConOps. Quantified minimum performance of 60% rated power provides sufficient margin to supply priority safety loads while excluding non-essential loads. The 2-hour minimum provides time for operator diagnosis and load transfer to alternate EDG. The 2% frequency tolerance is relaxed from normal 1% but within acceptable tolerance of Class 1E equipment.