Emergency Diesel Generator for a UK Nuclear Licensed Site

Rationale: Integration test verifying the hardwired start demand interface at the system boundary. Direct measurement of contact closure voltage and latency at ECP terminals is the only method that confirms actual cable routing, contact wetting, and latency under realistic conditions.

Rationale: Test verifies solenoid valve opening latency and fail-safe behaviour at the air system boundary. Pressure transducer measurement directly confirms opening time in the pneumatic circuit rather than inferred from electrical signal alone.

Rationale: Governor-engine interface verification requires an actual load step test to confirm combined governor and actuator dynamic response. Static bench testing of the fuel actuator alone does not verify end-to-end latency including mechanical linkage and engine response.

Rationale: End-to-end system integration test exercising the complete start chain from LOOP detection through EDG run-up to Class 1E load pickup. This is the primary system-level acceptance test for the emergency power function and cannot be decomposed into subsystem tests because timing dependencies span component boundaries.

Rationale: Secondary injection testing is the accepted method for numerical relay protection function verification per IEC 60255 (Measuring relays and protection equipment). Testing at three load points confirms load-independence of the trip time.

Rationale: Direct physical test of the hardwired interlock is required to confirm the mechanical and electrical interlock functions independently of any software logic, as mandated by the SIL 3 classification for this protection function.

Rationale: Tests both the fail-safe trip function and the continuous monitoring capability of the trip circuit. 60-second monitoring detection time is consistent with periodic self-test interval requirements for SIL 3 systems under IEC 61508 proof test interval calculations.

Rationale: Combined test exercises both the ALC-SBTC interface (IFC-REQ-006) and the transfer completion timing requirement (SUB-REQ-012). Ten repeat tests provide statistical confidence in the timing margin without requiring full endurance testing at this stage.

Rationale: Calibration injection test verifies the 4-20mA interface accuracy and the living-zero fault detection capability of IFC-REQ-005. The 20ms detection time is verified against the VSMU-GPR signal latency budget.

Rationale: Fuel supply interface parameters must be verified under real operating load conditions, not bench test, because Fuel Oil System pump output varies with demand and engine-room temperature affects fuel temperature. Test at four load points covers the full EDG operating range.

Rationale: Critical speed analysis is required by design before assembly because it cannot be safely tested by overspeed (doing so risks destructive resonance). The post-run inspection confirms that the coupling torque margin is adequate for transient load conditions experienced during acceptance test.

Rationale: Cooling interface verification requires sustained load conditions because coolant temperatures take several minutes to stabilise; spot checks or bench tests do not capture steady-state thermal equilibrium. Step load test confirms the intercooler transient response is sufficient to prevent charge air temperature exceedance during sudden load acceptance.

Rationale: SIL-2 safety function requiring measured response time under controlled conditions. The three-test repeatability requirement provides statistical confidence without excessive engine risk. Governor channel independence test confirms the SIL-2 diversity requirement between control and safety trip paths is maintained.

Rationale: Mechanical overspeed trip must be verified by direct actuation rather than overspeed run to avoid damaging the engine or alternator. The fuel rack physical position check confirms the mechanical linkage is functional, independent of any electronic indication that might mask a failure. Governor power removal test confirms independence from electronic systems.

Rationale: End-to-end integration test exercises all five diesel engine components simultaneously and provides system-level evidence that the combined subsystem meets SYS-REQ-001 and SYS-REQ-003. The 8-second target for the diesel provides 2-second margin for the ALC and switchgear actions within the 10-second system start requirement.

Rationale: SUB-REQ-001 is a SIL-3 requirement for the critical LOOP detection function. The 200ms timing criterion is the ALC sub-budget from SYS-REQ-003. Ten consecutive trials provide statistical confidence in consistent detection performance. The 24-hour standby observation tests for spurious start demand generation, which could cause unplanned EDG starts and nuclear safety bus disturbance.

Rationale: SUB-REQ-002 is the compressed air energy storage requirement for the Starting and Control Subsystem. Three consecutive cranking attempts without recharging is the design basis for the nuclear class emergency start scenario, where AC power to recharge the air receivers may not be available. The pass criterion confirms the stored energy budget is sufficient for the worst-case start sequence.

Rationale: SUB-REQ-003 specifies the steady-state governor accuracy that determines output frequency compliance for safety bus consumers. The ±0.5% (±7.5 RPM) limit maintains generator frequency within the ±2% system tolerance. Load step testing is the standard commissioning verification for isochronous governor performance per BS 5514 (Reciprocating internal combustion engines) and IEC 60034-3 generator specifications.

Rationale: SUB-REQ-015 is a SIL-3 safe-state requirement. The Generator Protection Relay must fail to the safe state (generator disconnected) on internal failure, not to a stuck-at-normal state that could leave an unprotected generator connected to the safety bus. The 500ms timing criterion and MGCB trip verification demonstrate compliance with the IEC 61508 (Functional safety of E/E/PE safety-related systems) fail-safe requirement.

Rationale: SUB-REQ-016 is a SIL-3 fail-safe requirement for the overspeed protection path. The governor watchdog is the last line of electronic defence against uncontrolled engine acceleration in the event of governor processor failure. The 100ms watchdog timeout is derived from the overspeed detection time budget in the engine safety case. Testing must confirm both the timing criterion and the effectiveness of fuel cut-off in achieving engine shutdown.

Rationale: IFC-REQ-007 defines the Class 1E power supply interface that maintains ALC hardwired functions during loss of offsite power. The 2-hour battery endurance is the design-basis mission duration for post-accident EDG operation. Supply voltage limits of 22–28VDC ensure correct logic threshold levels for all hardwired circuits. This is an integration test verifying the interface between the 24VDC panel and the ALC under design-basis conditions.

Rationale: Direct measurement of trip time under controlled conditions with calibrated injection is the only method providing traceability to the 200ms requirement. Testing 10 successive cycles provides statistical confidence at SIL 2 PFD level. Single-channel tolerance test verifies the 1oo2D voting architecture.

Rationale: Power-loss safe-state test must be performed with a controlled voltage ramp to verify the exact threshold and response time. Testing to 0VDC verifies complete de-energisation and prevents latent partial energisation failures.

Rationale: Fault injection tests must be performed per channel to verify the 1oo2D diagnostic coverage claim. Testing all 10 sensor channels (5 parameters x 2 channels) is required for SIL 2 independent channel validation.

Rationale: Hardwired interface verification requires both electrical measurement and topology inspection to prove no software path exists between PTLU and ECP. Contact resistance measurement confirms integrity. Topology inspection is a mandatory Inspection verification step for safety-classified hardwired circuits per BS IEC 61511-1.

Rationale: 4-hour run is sufficient to achieve thermal equilibrium (typically within 45 minutes). 38 deg C represents a conservative sub-maximum ambient test condition achievable in the UK climate during summer surveillance testing. Stability criterion distinguishes genuine steady-state from transient cooldown.

Rationale: Direct measurement of tank endurance at full load is the only reliable acceptance criterion — analysis of tank volume and fuel consumption alone does not capture real-world effects of temperature variation, pump cycling, and fill-pipe backflow.

Rationale: Auto-start timing and fill rate are safety-functional behaviours that cannot be verified by inspection or analysis alone; full end-to-end test with the EDG running is required to account for actual pipeline losses and pump performance at operating temperature.

Rationale: Interface compliance must be verified under load and at worst-case filter condition (0.3 bar DP blockage alarm). Gravity-head pressure depends on tank level, which varies during operation — measurement at both H and L tank levels confirms the full operating range is maintained within specification.

Rationale: 100ms first-out display latency is required because nuclear EDG protective trip chains can produce cascading secondary trips within 200–500ms of the initiating event (e.g., low oil pressure initiates followed by overspeed as the engine governor reacts): if the LAIP (Local Alarm and Indication Panel) display latency exceeds the inter-trip interval, the displayed first-out may incorrectly show a secondary trip as the initiating cause. IEC 62138 (Software for computers important to safety for nuclear power stations) and NUREG/CR-6572 guidance for nuclear annunciation systems establish ≤100ms as the required maximum response time for first-out discrimination. ONR inspection requirements for nuclear EDGs specify that first-out identification must be unambiguous for both surveillance testing post-trips and licensing event reports. The 500ms value in the superseded SUB-REQ-035 was insufficient to meet this discrimination requirement. Supersedes SUB-REQ-035.

Rationale: Steady-state test at full load provides direct evidence of regulation under the worst-case sustained condition. Step-load test reproduces the block-load application scenario from SYS-REQ-007. Both tests must be performed at rated power factor (0.8 lagging) to exercise the AVR's reactive power control loop.

Rationale: Black-start voltage build-up must be demonstrated under real conditions because PMG magnetic saturation and AVR initial state affect the transient behaviour in ways that cannot be fully predicted by analysis alone. Three repeats are required to confirm reliability consistent with the safety-functional PFD requirement.

Rationale: Six-point calibration check confirms linearity across the full operating range including the 120% overvoltage point that the AVR OEL must respond to. 500V isolation test demonstrates compliance with IEC 61010-1 requirements and confirms the cable screening is correctly earthed at one end only (a wiring error that would cause ground loop noise cannot be detected at DC but the isolation test would reveal un-screened conductors).

Rationale: Resistance substitution test is the standard acceptance test for PT100 instrumentation channels (IEC 60751). The fault injection test is critical for confirming the fail-to-alarm (not spurious trip) design principle: an instrument cable fault during an active LOOP mission must not cause an unnecessary EDG trip. This test must be performed with the EDG running under load because some PTLU inputs behave differently when the trip logic chain is energised vs de-energised.

Rationale: Fault injection test with the EDG running under load is required because governor channel behaviour under load differs from bench test. ±3% speed deviation tolerance corresponds to the ±1% frequency tolerance in SYS-REQ-001 plus a transient margin; testing at 50% load represents a worst-case governor response scenario due to the load-to-speed gain characteristic.

Rationale: Pump switchover test under full load is required because Day Tank level dynamics at rated fuel consumption are the most demanding test condition for the 30-second changeover criterion. Testing at 100% load confirms the standby pump delivery rate is sufficient when engine fuel consumption is highest.

Rationale: Type-test certificate inspection is the appropriate verification method for standard compliance of safety-classified protection relays — in-situ re-testing to IEC 60255 is not practicable on an energised generator. The 5-year certificate validity window aligns with typical relay firmware revision cycles that would invalidate earlier certificates.

Rationale: Operational testing verification must demonstrate the safety bus isolation function (not just EDG load performance) because the critical safety claim is that the test does not interrupt normal plant safety functions. The 2-hour test duration exceeds the monthly operational test duration requirement to provide margin.

Rationale: SUB-REQ-004 is the primary overspeed protection function derived from SYS-REQ-004. The 500 ms criterion must be verified by direct injection test, not analysis, because it depends on hardware relay response time and cannot be analytically bounded without physical characterisation. Independence of the trip circuit from the governor must be confirmed by deliberate governor isolation.

Rationale: SUB-REQ-010 specifies 500ms for terminal faults and 200ms for through-faults at 200% rated. These time-current characteristics must be verified by secondary injection because relay coordination cannot be confirmed analytically without site-specific relay settings. The test validates both the timing and coordination compliance with the downstream protection scheme.

Rationale: SUB-REQ-024 is a safety shutdown function for an extreme engine failure mode (crankcase explosion). The 2-second timing and software independence are fundamental to the safe state — a delayed or software-dependent trip could escalate a crankcase event. Physical actuation test is the only valid verification method; analysis cannot confirm hardware path integrity.

Rationale: SUB-REQ-033 requires fault detection within 1 second with no inhibition of the healthy channel — these are quantified safety properties that must be tested under realistic fault conditions. Each fault mode (OC, S-supply, OOR) produces different loop current profiles; all three must be confirmed. Analysis cannot substitute because the detection algorithm depends on PTLU firmware implementation.

Rationale: SUB-REQ-044 is a fire safety mitigation function with a 10-second timing criterion. Late valve closure allows fire to propagate via bulk fuel supply. The day tank gravity-feed continuity condition is equally critical — closing bulk supply without confirming day tank path means the engine cannot be brought to controlled shutdown. Both must be verified by physical actuation test.

Rationale: SUB-REQ-047 specifies alarm at 130°C and trip at 155°C with ±2°C accuracy — all three are quantified thresholds that must be verified by PT100 simulation. Stator thermal protection prevents insulation failure from overtemperature; incorrect trip thresholds could allow winding damage or cause spurious trips. Calibration traceability to NAMAS is required for Class 1E instrument validation on nuclear sites.

Rationale: SUB-REQ-058 specifies a 2-second alarm presentation criterion that must be confirmed by timed injection test — operator response to process alarms depends on prompt display. EEMUA 191 compliance requires documentary evidence of priority classification and suppression design. Testing during transients is essential because start/stop transients generate many out-of-range signals that could inhibit real alarms if suppression is misconfigured.

Rationale: SUB-REQ-050 specifies 200ms isolation of both voltage sources from the stator winding after a GPR earth fault trip. This dual-path isolation timing is a measurable safety criterion that prevents continued fault current flow that could degrade stator insulation. Both heater and AVR de-energisation must be confirmed independently — failure of either leaves a voltage source on a faulted winding.

Rationale: Simulating 3 consecutive cranking failures exercises the same logic path as genuine start failures. Inhibiting speed feedback isolates the test to starting-circuit logic without requiring manual engine immobilisation. MCR: Main Control Room. 45-second alarm latency is realistic given 3×15s cranking cycles plus logic sequencing time — derived from SUB-REQ-005. The latch function prevents automatic start cycling during a sustained fault (e.g., frozen fuel at –20°C, fuel pickup line blockage) that would cycle-damage the battery and starter. ×3 repetitions are required to validate that the interlock state is consistent and not affected by prior test history or transient state.

Rationale: Verification of SUB-REQ-006 dual-channel 2oo2 architecture is achieved by inspecting the ALC hardware design documentation and software V&V report against IEC 61513 compliance checklist, and by simulating single-channel hardware failure to confirm no spurious start demand. The primary evidence is document review (Inspection); the channel isolation test provides corroborating evidence. Inspection is the appropriate IEC 61508 verification method for software-intensive voting architectures where the compliance argument is embodied in the design documentation.

Rationale: SUB-REQ-007 requires a hardwired key-switch inhibit to prevent unintended automatic starts during maintenance. The functional test confirms inhibit effectiveness and latch behaviour. The wiring inspection confirms the inhibit cannot be bypassed by a software failure, which is an IEC 61513 Class 1E requirement for maintenance override functions.

Rationale: SUB-REQ-008 requires operator-accessible frequency trimming without software modification for manual synchronisation. The demonstration at multiple load levels confirms the trim function is effective across the operating range and that the auto-revert on synchronise command prevents operator error leaving the EDG at an incorrect frequency when connecting to the safety bus.

Rationale: SUB-REQ-011 sets the fault-clearing duty for the MGCB based on site short-circuit level. Type test certificates provide the primary verification of breaking capacity since site fault level testing at full prospective current is not practicable. The operational trip test confirms installed wiring integrity without requiring full current injection.

Rationale: SUB-REQ-012 sets the 150 ms safety bus transfer time to ensure safety system power is restored within the allowable interruption time for Class 1E equipment. The timed test directly measures the parameter. Repeating ×5 times provides statistical confidence that the timing is consistently met and not an isolated result.

Rationale: SUB-REQ-014 requires dual-channel voltage monitoring with a 2-second discrepancy alarm to detect instrument failures before they propagate to incorrect relay trip decisions. The 5.1% injection (just over the 5% threshold) and timing test directly measures the alarm latency criterion. The documentation review confirms independent processing — a shared component failure could defeat the redundancy.

Rationale: IFC-REQ-013 defines the signal protocol and latency for the PTLU-to-RMG interface. Testing with injected values and a timing measurement directly verifies both signal type (optically isolated contacts, 4-20mA) and the 2-second latency criterion. The isolation test confirms the 24VDC isolation required to prevent RMG-side faults from propagating to Class 1E PTLU circuits.

Rationale: IFC-REQ-014 defines the mechanical interface between the jacket water pump and radiator, including bore size, pressure and temperature rating, and isolation valve provision for maintainability. Inspection of the installed pipework and pressure test certificate provides the primary verification — the dimensional and material requirements cannot be verified by functional test alone without risk of damage to the cooling circuit.

Rationale: IFC-REQ-016 sets a minimum 150% delivery margin to ensure the Day Tank cannot be depleted during continuous full-load operation. The flow meter test at full load directly measures compliance with the 150% margin. Confirmation that fill line terminates below High level prevents air entrainment in the fuel injection system, which could cause fuel quality degradation.

Rationale: IFC-REQ-019 sets the torsional coupling requirements between engine and alternator. Analysis is the only practicable verification method for torsional natural frequencies — measurement during operation risks equipment damage if resonances are present. ISO 14694 compliance provides independent validation of the analysis method.

Rationale: SUB-REQ-017 sets the engine torque delivery requirement by specifying 50 Hz ±1% within 10 seconds under no-load, which is the precondition for load pickup in SUB-REQ-001. The timed test from cold standby directly measures whether the engine block and rotating assembly meets the acceleration requirement. Testing at temperature extremes confirms performance margin is maintained across the operating envelope.

Rationale: Pass criteria must be binary and measurable. Replacing 'adequate fuel supply' with a specific ≥10% reserve threshold allows unambiguous pass/fail determination at test completion. The 168-hour test at 100% load is the primary verification method for SUB-REQ-018 endurance performance; IEC 61508 (Functional safety of E/E/PE safety-related systems) requires safety-critical performance to be demonstrated by test, not extrapolation.

Rationale: SUB-REQ-065 sets the tank capacity as a calculated value from test bed fuel consumption data. Analysis of the calculation against the declared design data sheet is the correct verification method — volumetric capacity cannot be confirmed by functional test. The ENA TS 09-3 reference provides an independent standard for the 115% factor components.

Rationale: SUB-REQ-064 references the manufacturer's performance map as the defined acceptance criterion. The test directly compares measured boost pressure against the map at key load points. The Bosch Smoke Number criterion (≤3.0) is the industry-standard pass/fail for incomplete combustion. Turbocharger surge would indicate operation outside the compressor map, which is a precursor to compressor wheel damage.

Rationale: SUB-REQ-026 allocates 200ms to the ALC detection and initiation step within the 500ms SYS-REQ-003 system budget. A 10-repeat relay injection test at 1ms resolution directly measures this timing allocation. Ten repeats confirm repeatability; a single-shot test would not distinguish a marginal design from a compliant one. SIL-3 requires Test verification for timing-critical functions.

Rationale: SUB-REQ-027 seismic qualification for a UK nuclear site is verified by inspecting the qualified seismic analysis report (to IEEE 344) or the witnessed shake-table test certificate issued by an ONR-approved Qualifying Engineer. The verification activity is review of a formal qualification document — Inspection is the correct IEC 61508 evidence type. Analysis is the technique used within the qualification report; the EDG project team inspects the results, not re-performs the analysis.

Rationale: SUB-REQ-028 requires EMC immunity compliance as a condition of maintaining SIL-3 function integrity. Third-party UKAS-accredited laboratory testing is the only accepted method for demonstrating compliance with IEC 61000-6-7 — analysis or inspection cannot substitute for radiated and conducted immunity testing. The explicit verification of SIL-3 function during testing goes beyond standard EMC compliance to confirm safety function availability under EMC stress.

Rationale: SUB-REQ-056 is a standards compliance requirement satisfied by type-test certification, not by repeat testing at site. Inspection of the manufacturer's type test certificate against the standard's requirements is the correct and accepted verification method for switchgear standards compliance. Re-testing at rated fault current on site would be destructive. The E2 class (10,000 cycles) aligns with the EDG's expected surveillance test frequency over a 40-year plant life.

Rationale: SYS-REQ-011 common-cause failure argument for SIL-4 is verified by inspecting the independent architectural safety analysis submitted to ONR. The verification team inspects the analysis methodology, separation evidence, and passive cooling arguments against IEC 61508-2 SIL-4 architectural constraints. The analysis is commissioned externally; the project team's role is Inspection of the resulting safety case document, not re-derivation of the analysis.

Rationale: SUB-REQ-034 provides a one-way isolation barrier (RMG) between the I&C network and the SIL-2 PTLU — this is the primary mitigation for H-010 (Cyber attack) hazard. A functional penetration test confirming zero write-through is the only way to demonstrate the read-only isolation property. Isolation resistance measurement confirms the 1500Vrms optical barrier is intact. Test is required (not Analysis) because SUB-REQ-034 is a SIL-2 safety function claim.

Rationale: SUB-REQ-025 is SIL-3 (H-001: Failure to start on demand). The LOOP signal processing is the triggering event for the entire EDG start sequence. A functional test with measured latency is mandatory for SIL-3 — analysis alone cannot demonstrate the hardwired independence claim. 100ms criterion is derived from the 10-second start budget (SYS-REQ-001).

Rationale: SUB-REQ-062 is SIL-3 (H-001: Failure to start). The compressed air starting store is the primary start energy source — insufficient air pressure is a known EDG failure mode. Three-start minimum ensures the system can re-attempt after a wet-stack or failed start attempt without recharging. Minimum pressure threshold must be demonstrated by test per IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL-3 requirements.

Rationale: SUB-REQ-039 is SIL-2 (H-006: Cooling system failure). The 95°C high-temperature trip is a primary mitigation for engine seizure. A functional injection test is required rather than analysis because the hardwired relay path must be proven end-to-end — software-based simulation cannot confirm the physical trip circuit.

Rationale: SUB-REQ-021 is SIL-2 (H-003: Engine overspeed). Fuel rack response time is the primary control input affecting speed transient magnitude — a slow or oscillatory rack response leads to overspeed. The 200ms limit is derived from governor stability analysis; functional test is required to confirm real hardware meets the analytical model.

Rationale: SUB-REQ-041 is SIL-2 (H-005: Fuel contamination/exhaustion). Fuel volume is a physical measurement — Inspection (dimensional survey with calculation) is the appropriate method; continuous Test operation for 168h is not warranted. The 10% margin accounts for measurement uncertainty and unusable heel variation.

Rationale: SUB-REQ-036 is SIL-2 (H-008: Seismic damage). The I&C instruments protecting the EDG must survive the DBE to maintain safety function. Seismic qualification by test per IEEE 344 is the industry standard for nuclear Class 1E equipment; Analysis alone is not acceptable for SIL-2 safety instruments.

Rationale: SUB-REQ-030 is SIL-2 (H-006 and H-003). Dual-channel I&C is the primary diversity mechanism for safety parameter monitoring. A cross-comparison test validates channel independence and confirms both channels are able to initiate trips — Analysis cannot substitute for functional channel separation proof per IEC 61511 (Functional safety of safety-instrumented systems for the process industry sector).

Rationale: SUB-REQ-054 is SIL-2 (H-006: Cooling system failure). The cooling system response to cold-start/full-load is the worst-case thermal transient — the 95°C trip setpoint must not be exceeded during normal LOOP load pickup. Test under actual thermal conditions is required because cooling model uncertainties (thermostat hysteresis, airflow resistance) are too large to verify by Analysis alone.

Rationale: SUB-REQ-022 is SIL-2 (H-003: Engine overspeed via under-fuelling from inadequate air). Turbocharger boost pressure determines the air-fuel ratio at rated power. Insufficient boost causes either under-fuelling (output drop, possible LOOP fail) or rich-burn (black smoke, possible engine damage). Functional test at rated load conditions is the only way to confirm the real turbocharger matches the engine power curve — Analysis uses test data that may not reflect installation effects.

Rationale: SYS-REQ-012 is SIL-2 (H-002: Loss of output during operation). The degraded mode requirement must be verified by inducing a representative non-trip fault and confirming minimum output is sustained. Analysis cannot verify the annunciation path or the minimum 60% power floor under degraded governor operation — physical test under actual fault conditions is required.

Rationale: SYS-REQ-002 specifies a 168-hour minimum continuous run capability — IEC 60034 (Rotating electrical machines) and CEGB diesel generator requirements mandate endurance demonstration by full-duration test. Spot checks or extrapolation are not acceptable for this safety-critical performance requirement.

Rationale: SYS-REQ-004 specifies the safety trip response chain at SIL-3. IEC 61508 (Functional safety of E/E/PE safety-related systems) requires that SIL-3 safety functions be verified by Test with full stimulus-response measurement; Analysis alone cannot demonstrate the actual trip time for the hardware-in-the-loop trip path.

Rationale: PFD_avg reliability calculations are analytical computations (RBD, FTA), not documentary inspections. IEC 61508 (Functional safety of E/E/PE safety-related systems) Part 6 Annex B classifies probabilistic assessment as Analysis. Inspection applies to physical artefacts; Analysis applies to mathematical models and calculations. Updated from Inspection to Analysis.

Rationale: SYS-REQ-006 seismic survivability to 0.25g PGA is verified by inspecting the ONR-approved seismic qualification analysis report. The report confirms Design Basis Earthquake spectrum compliance, natural frequency margins, and bolted connection adequacy. Inspection of an externally commissioned and independently approved analysis report is the appropriate verification method for structural seismic qualification on a UK nuclear licensed site.

Rationale: SUB-REQ-023 requires standby coolant pre-heat temperature maintenance for rapid start capability at SIL-2. Compliance cannot be demonstrated by analysis alone — the thermal lag of the cooling system depends on actual heat loss rates, heater capacity, and ambient temperature that must be measured in situ.

Rationale: SUB-REQ-037 specifies minimum coolant flow for engine thermal management at SIL-2. Flow rate must be measured directly; pump curve analysis is insufficient because pipe losses and temperature-dependent viscosity affect actual delivered flow. In-situ measurement validates the installed configuration.

Rationale: SUB-REQ-043 specifies fuel cleanliness for fuel injection system protection at SIL-2. Filter ratings must be verified by downstream particle count, not upstream specification, as filter bypass or bypass valve operation can admit contaminated fuel. Direct measurement is required per BS EN ISO 16889 (Hydraulic fluid power — Filters).

Rationale: SUB-REQ-045 requires fuel temperature ≥5°C at site minimum ambient. Verification requires physical measurement of fuel temperature at minimum ambient (−5°C or equivalent chamber test) over a 12-hour soak with the heater system active. This is a Test: quantified environmental condition applied, temperature measured at prescribed intervals, pass/fail against a numeric threshold. The analysis-based alternative (thermal model) is accepted only if the physical test is not practicable during commissioning; the primary verification method is Test.

Rationale: SUB-REQ-048 specifies the bearing high-temperature alarm at SIL-2. The PT100 input, alarm logic, and annunciator output form a safety-related measurement chain that must be proven end-to-end. Injection testing at the field instrument connection verifies the full chain without requiring actual bearing overheating.

Rationale: SUB-REQ-052 specifies fuel injection timing accuracy for combustion efficiency and emission compliance at SIL-2. Injection timing drift is a known failure mode leading to hard starting and excessive smoke; direct measurement at three load points is required per BS EN ISO 4165 (Road vehicles — Electrical connections) diesel test standards. Analysis cannot substitute for measurement of the mechanical injection pump's actual timing.

Rationale: SUB-REQ-057 is an environmental compliance requirement mandated by UK environmental regulations. Inspection by a qualified engineer against CIRIA C736 checklist is the standard compliance verification method; analysis cannot substitute for physical inspection of bund integrity and volume.

Rationale: SUB-REQ-060 addresses maintainability and safe access at SIL-2 (common cause failure prevention through maintainability). Physical inspection is the only valid verification method; drawings cannot confirm that as-built plant matches design intent or that all maintenance tools physically fit in the space.

Rationale: SYS-REQ-007 specifies load sequencing constraints directly driven by the 10-second LOOP Response ConOps scenario. An uncontrolled voltage dip >15% risks contactor dropout on safety-classified loads, breaking the load sequencing chain. Testing at the exact threshold with a data logger at 200Hz confirms the 3-second recovery requirement is met under worst-case thermal load conditions and is not achievable by analysis alone.

Rationale: SYS-REQ-008 addresses BS EN IEC 61000 (Electromagnetic compatibility) compliance for EDG control electronics in a high-EMI environment generated by the EDG itself (ignition transients, large motor switching). A spurious trip during a real LOOP event caused by conducted EMI would be a SIL-3 failure. EMC testing at Level 4 is the only way to demonstrate immunity; analysis cannot predict EMI coupling paths in the as-installed plant configuration.

Rationale: SYS-REQ-009 is the direct implementation requirement for the Monthly Surveillance Test ConOps scenario. The 30-minute duration and 10-minute hot standby recovery are site licence condition requirements; failure to demonstrate these would put the plant in a limiting condition for operation. Demonstration against the as-installed test infrastructure confirms the test mode works without any safety bus perturbation.

Rationale: SYS-REQ-010 is a maintainability requirement driven by STK-REQ-006 (maintenance team access without off-site tools) and the Planned Overhaul ConOps scenario. Inspection of stores inventory and maintenance records is the appropriate method because the requirement governs material availability and organisational process, not a measurable physical performance parameter.

Rationale: SUB-REQ-035 is a 500ms first-out annunciation requirement for the LAIP. This is the diagnostic interface for the Failure to Start and EDG Trip During Extended LOOP scenarios — the operator needs to identify the trip cause within the first 500ms to initiate correct recovery action. Only physical injection testing through the trip logic confirms the timing and latching logic; simulation cannot account for relay coil delay and indicator driver response time.

Rationale: SUB-REQ-029 is a maintainability constraint ensuring independence from OEM field-service visits for planned minor maintenance. This supports the Planned Overhaul ConOps scenario where 14-day maintenance must be completable without off-site tooling logistics. Witnessing an actual servicing event is the only way to confirm site stores coverage — analysis would merely confirm the written inventory, not whether the stored items are serviceable and appropriate.

Rationale: SUB-REQ-061 requires compliance with DSEAR, Petroleum (Consolidation) Regulations 2014, and CIRIA C736 — all of which are regulatory/statutory requirements enforced by inspection of documentation, licences, and design records rather than physical testing. The 168-hour fuel endurance test (VER-REQ-059) verifies operational performance; this requirement verifies the legal compliance basis.

Rationale: STK-REQ-001 is the primary emergency start stakeholder requirement — the criterion that motivates the entire EDG system. A witnessed acceptance Demonstration with the site safety authority is the appropriate validation method at stakeholder level (above system-level Test VER-REQ-004) because it closes the gap between design verification and operational validation in the presence of the licensing body.

Rationale: H-010 identifies cyber attack as a SIL-3 hazard with safe state of air-gapped backup and hardwired trips. No dedicated cyber security VER requirement existed prior to this session. IEC 62645 is the primary standard for nuclear I&C cyber security assessment. Inspection is appropriate because the primary control measure is architectural (air-gap, one-way diode, hardwired relays) — these are verified by physical inspection and architectural review, not by simulated cyber attack.

Rationale: H-007 (CCF both EDGs, SIL-4) has a safe state of diverse AC, DC batteries, and passive cooling. Session 600 flagged that SYS-REQ-011→VER-REQ-066 relies entirely on analysis — no Test-method verification of DC battery coping time existed. IEC 61508-2 SIL-4 requires hardware fault tolerance (HFT=1) to be demonstrated, not just analysed. VER-REQ-066 is an architecture analysis review; this Test requirement directly measures the 8-hour battery coping claim under realistic station blackout load.

Rationale: Degraded mode operation test verifies REQ-SEEMERGENCYDIESELGENERATORFORAUKNUCLEARLICENSEDSITE-001 under simulated fault conditions. MCR: Main Control Room. Coolant fan belt fault is selected because (a) it's a realistic non-safety-critical fault (loose belt, belt wear, slipping pulley) that can be detected via belt tension sensor override, (b) it reduces cooling capacity without immediately causing overheat trip, and (c) it can be simulated without disabling safety interlocks or modifying protection setpoints. The 2-hour duration matches STK-REQ-002 (degraded operation must sustain sufficient time for operator diagnosis and load transfer) — 2 hours is derived from nuclear site operating procedures for fault diagnosis and EDG load transfer. The 60% rated power floor (3.0 MW from 5.0 MW) ensures priority safety loads can be supplied while excluding non-essential loads. Two load levels (60% and 80%) are required to validate that degraded mode is not a pass/fail state change but a gradual performance envelope degradation.

Rationale: SUB-REQ-066 requires a PMT before reinstatement. This Demonstration verifies that maintenance has not degraded start performance, governor function, or protective trip operation. The 50% load acceptance test is chosen as a representative functional test that exercises the fuel system, governor, and alternator without requiring full-rated load bank deployment during routine post-maintenance checks.

Rationale: SYS-REQ-011 is SIL-4 and requires HFT=1 — architectural independence of the two EDG trains. IEC 61508-2 (Requirements for E/E/PE safety-related systems) SIL-4 mandates that hardware fault tolerance be demonstrated under fault injection, not only confirmed by documentation Inspection. VER-REQ-066 (Inspection) and VER-REQ-099 (DC battery test) address specific aspects but neither demonstrates Train B operability under Train A total failure. This Demonstration closes the SIL-4 verification gap for the CCF exclusion argument.

Rationale: SYS-REQ-014 requires 5-minute minimum cooldown at ≤10% load with coolant below 80°C. This test verifies the ALC timer logic, the coolant temperature trending, and lubricant circulation under actual post-run thermal conditions. Analytical methods cannot substitute for the thermal transient measurement — the test must be performed under hot conditions following a loaded run to capture real cooldown dynamics.

Rationale: SYS-REQ-015 specifies the 8-hour DC coping window for single-train failure (SIL-3, H-001/H-002). Verification changed from pure analysis to Test: IEEE 450 capacity test directly measures the actual battery capacity under load, eliminating reliance on design data that may not reflect actual installed condition, cell aging, or electrolyte condition. The test also constitutes mandatory nuclear surveillance per IEEE 450 Section 6 interval requirements. Using measured rather than design capacity satisfies the IEC 61508 requirement for Test verification of SIL-3 functions.

Rationale: SYS-REQ-016 is a design-phase cyber isolation requirement. The verification method is inspection of documentation and physical hardware because network isolation is a property of the design, not of runtime behaviour. An Inspection by an ONR-approved assessor is the required evidence under the ONR Security Assessment Principles for Category A safety systems.

Rationale: SUB-REQ-006 specifies SIL-3 2oo2 voting to prevent both loss-of-start (single-channel failure prevents demand) and spurious start (single-channel assertion causes demand). H-001 (Failure to start, SIL-3) and H-009 (Spurious start, SIL-1) are mitigated by this architecture. VER-REQ-048 (Inspection of design documentation) verifies the design intent but does not demonstrate the functional voting behaviour under failure conditions. This functional test closes the IEC 61508 requirement for Test verification of safety-critical SIL-3 logic at the commissioning stage.

Rationale: SYS-REQ-017 requires fault-cleared recovery to full power within 60 seconds without restart. Demonstrating this by test confirms the governor and load control system can smoothly ramp from degraded to full power following fault isolation. Analysis alone cannot confirm the dynamic ramp behaviour of the combined governor-fuel system, which depends on commissioning tuning.

Rationale: SYS-REQ-016 is SIL-3 (H-010 cyber attack, catastrophic severity). VER-REQ-105 provides only Inspection of design documentation. For SIL-3 cyber requirements in nuclear applications, IEC 62443-3-3 (Security for Industrial Automation and Control Systems) and ONR Safety Assessment Principles require demonstration under adversarial conditions, not documentation review alone. This Test verification adds active penetration testing using a hardware-identical test bed, closing the verification adequacy gap for H-010.

Rationale: SUB-REQ-067 (session 607) defines the controlled entry into Maintenance Out-of-Service mode. Inspection alone cannot verify that the start demand interlock is actually removed and that the EDG is unable to respond to a spurious LOOP demand while maintenance access is granted. This Test verification confirms the interlock removal is effective by attempting a live LOOP signal injection.