← All reports
PDF Excel ReqIF

Emergency Diesel Generator for a UK Nuclear Licensed Site

System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org

About this report

This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.

Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.

Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.

Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.

Referenced Standards

StandardTitle
BS 476
BS EN 12601
BS EN 15004
BS EN 1998-1
BS EN 60947-2
BS EN 61000
BS EN 61513
IEC 60034
IEC 60034-1
IEC 60034-3
IEC 60255
IEC 60255-151
IEC 60780
IEC 60980
IEC 61000-4
IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511 Functional safety — Safety instrumented systems for the process industry sector
IEC 61513 Nuclear power plants — Instrumentation and control important to safety
IEC 62271-100
IEC 62645
IEEE 308
IEEE 344
IEEE 384
IEEE 387
ISO 16890
ISO 4406
ISO 8573-1
NFPA 2001
NFPA 750

Acronyms & Abbreviations

AcronymExpansion
ARC Architecture Decisions
CCCS Completeness, Consistency, Correctness, Stability
EARS Easy Approach to Requirements Syntax
IFC Interface Requirements
ONR Office for Nuclear Regulation
STK Stakeholder Requirements
SUB Subsystem Requirements
SYS System Requirements
UHT Universal Hex Taxonomy
VER Verification Plan
189
Requirements
75
Classified Entities
9
Subsystems
11
Diagrams
147
Relationships
10
Hazards

Stakeholders

StakeholderRelationshipHex Code
Control Room Operator Primary operational interface, monitors status, initiates starts, authorises transfers (Scenarios 1-5)
Shift Supervisor Authorises LCO entry/exit, emergency response decisions, maintenance approval (Scenarios 2-3, 5-6)
Mechanical Technician Performs maintenance and repairs, responds to failures (Scenarios 2-3, 6)
I&C Technician Maintains control/protection systems, calibrates sensors, troubleshoots (Scenarios 2, 4, 6)
ONR Regulatory approval of safety case, inspection, enforcement of Site Licence Conditions (all scenarios)
Licensee Ultimate safety responsibility, funding, personnel, compliance demonstration (all scenarios)
EDG OEM Technical support, spare parts, engineering change notices, qualification documentation
Local Community Expects prevention of nuclear accidents through reliable backup power

Operating Environment & Constraints

CategoryConstraint
Seismic Seismic Category I, 0.2g PGA design basis earthquake, functional during and after DBE per EUR requirements
Environmental -10°C to +40°C ambient operating range, IP54 enclosure minimum, coastal salt-laden atmosphere compatibility
EMC EMI immunity per IEC 61000-4 series, no spurious actuation from EMI, emissions within limits for co-located safety I&C
Regulatory ONR Safety Assessment Principles (SAPs), IEC 61513 (nuclear I&C), IEC 62645 (cyber security), Site Licence Condition compliance
Reliability 0.975 start-on-demand probability, 0.999 mission reliability for 24-hour run, demonstration via surveillance testing
Fuel 7-day minimum fuel inventory at 100% rated load, fuel quality per EN 590, water/contamination monitoring, diverse supply routes
Time Start and reach rated voltage/frequency within 10 seconds of LOOP signal, full load acceptance within 15 seconds

External Interfaces

SystemInterfaceHex Code
National Grid Primary power source, LOOP detection triggers EDG start, return-to-service requires grid stability verification 54F77258
Emergency AC Bus EDG output connects via generator breaker, load sequencer controls connection of safety loads, voltage 6.6kV nominal
Ultimate Heat Sink Raw water cooling for engine jacket/aftercooler if water-cooled design, availability during LOOP essential 02850011
Plant Protection System Receives LOOP signal for auto-start, provides EDG status for safeguards logic, hardwired or qualified digital 51F77859
Main Control Room EDG status display, manual start/stop, alarm annunciation, parameter monitoring (kW, Hz, V, oil pressure, coolant temp)
Fuel Supply Road tanker delivery, bulk tanks (50,000L typical), automatic transfer to day tank, level monitoring to site systems 46851259
DC Battery System 125VDC for control power, starting battery (24VDC for air start valves), battery charger fed from EDG output

Hazard Register

HazardSeverityFrequencySILSafe State
H-001: Failure to start on demand catastrophic low SIL 3 Reactor trip with diverse backup power (gas turbine or batteries) or immediate controlled shutdown
H-002: Loss of output during operation catastrophic rare SIL 3 Automatic transfer to alternate EDG or grid restoration with reactor trip if neither available
H-003: Engine overspeed critical rare SIL 2 Engine stopped via mechanical overspeed trip and fuel cutoff
H-004: Fire in EDG building critical rare SIL 2 Fire suppression activated, EDG isolated, alternate EDG available
H-005: Fuel contamination or exhaustion critical low SIL 2 Transfer to alternate fuel tank, activate fuel replenishment, alternate EDG available
H-006: Cooling system failure critical low SIL 2 EDG trips on high temperature, alternate EDG takes load
H-007: Common cause failure of multiple EDGs catastrophic rare SIL 4 Diverse alternate AC source (gas turbine, portable generator), DC battery for essential loads, reactor trip and passive cooling
H-008: Seismic damage critical rare SIL 2 Post-seismic inspection before reliance, seismically qualified to design basis
H-009: Spurious start or protection trip major medium SIL 1 Operator verification, manual override with appropriate authorisation
H-010: Cyber attack on control system catastrophic rare SIL 3 Air-gapped backup controls, hardwired trips, manual local operation capability

System Context

flowchart TB
  n0["system<br>Emergency Diesel Generator"]
  n1["actor<br>National Grid"]
  n2["actor<br>Emergency AC Bus"]
  n3["actor<br>Plant Protection System"]
  n4["actor<br>Main Control Room"]
  n5["actor<br>Ultimate Heat Sink"]
  n6["actor<br>Fuel Supply"]
  n7["actor<br>DC Battery System"]
  n1 -->|LOOP signal| n0
  n0 -->|6.6kV AC power| n2
  n3 -->|Start/stop commands| n0
  n0 -->|Status signals| n3
  n0 -->|HMI data| n4
  n4 -->|Manual controls| n0
  n5 -->|Cooling water| n0
  n6 -->|Diesel fuel| n0
  n7 -->|Control/start power| n0

EDG System Context

System Decomposition

flowchart TB
  n0["subsystem<br>Diesel Engine Assembly"]
  n1["subsystem<br>Synchronous Generator"]
  n2["subsystem<br>Fuel Oil System"]
  n3["subsystem<br>Engine Cooling System"]
  n4["subsystem<br>Lubrication Oil System"]
  n5["subsystem<br>Starting Air System"]
  n6["subsystem<br>EDG Instrumentation and Control System"]
  n7["subsystem<br>Electrical Switchgear and Load Sequencer"]
  n8["subsystem<br>EDG Building and Support Systems"]
  n5 -->|Compressed air for cranking| n0
  n2 -->|Diesel fuel supply| n0
  n3 -->|Jacket water coolant| n0
  n4 -->|Lubricating oil| n0
  n0 -->|Mechanical torque via shaft coupling| n1
  n1 -->|6.6kV 3-phase AC output| n7
  n0 -->|Speed, temp, pressure signals| n6
  n6 -->|Auto-start initiation| n5
  n6 -->|Governor control / trip| n0
  n6 -->|Breaker control commands| n7

Emergency Diesel Generator — Decomposition

Decomposition Tree

Spec Tree — Per-Subsystem Completeness

SubsystemDiagramSILStatus
Diesel Engine Assembly diagram-1774489045070 SIL 3 complete
Synchronous Generator diagram-1774512337659 in-progress
Fuel Oil System diagram-1774512336071 SIL 2 in-progress
Engine Cooling System diagram-1774512336567 SIL 2 in-progress
Lubrication Oil System diagram-1774512337046 in-progress
Starting Air System diagram-1774492500356 SIL 3 complete
EDG Instrumentation and Control System diagram-1774492460008 SIL 3 complete
Electrical Switchgear and Load Sequencer diagram-1774508666044 SIL 3 complete
EDG Building and Support Systems diagram-1774512338118 SIL 2 complete

Stakeholder Requirements (STK)

Ref Requirement V&V Tags
STK-REQ-001 The Emergency Diesel Generator system SHALL provide the control room operator with continuous real-time display of EDG operating parameters including output power (kW), frequency (Hz), terminal voltage (V), lubricating oil pressure, and engine coolant temperature.
Rationale: Control Room Operator, LOOP Response scenario: operator monitors EDG from desk displays showing kW, frequency, oil pressure, coolant temp to verify EDG is supplying safety loads correctly.
 Demonstration stakeholder, stk-control-room-operator, session-570, idempotency:stk-cro-display-570
STK-REQ-002 The Emergency Diesel Generator system SHALL enable the control room operator to manually start, stop, and authorise load transfers for each EDG train from the main control room.
Rationale: Control Room Operator, LOOP Response scenario: operator initiates fast start and authorises transfer back to grid. Surveillance Test scenario: operator initiates fast start from control room.
 Demonstration stakeholder, stk-control-room-operator, session-570, idempotency:stk-cro-manual-570
STK-REQ-003 The Emergency Diesel Generator system SHALL annunciate all abnormal EDG conditions as distinct alarms in the main control room within 2 seconds of detection.
Rationale: Control Room Operator, EDG Failure to Start scenario: alarm 'EDG-A FAIL TO START' annunciates immediately so operator can verify Train B is carrying loads and initiate LCO entry.
 Test stakeholder, stk-control-room-operator, session-570, idempotency:stk-cro-alarm-570
STK-REQ-004 The Emergency Diesel Generator system SHALL provide sufficient information to the shift supervisor to support Limiting Condition for Operation entry and exit decisions, including EDG operability status and allowed outage time tracking.
Rationale: Shift Supervisor, EDG Failure to Start scenario: supervisor must enter LCO 3.8.1 with 72-hour restoration window. Trip During Operation scenario: supervisor re-evaluates allowed outage time with one EDG lost.
 Demonstration stakeholder, stk-shift-supervisor, session-570, idempotency:stk-ss-lco-570
STK-REQ-005 The Emergency Diesel Generator system SHALL support implementation of station blackout emergency operating procedures, including load shedding prioritisation and connection of portable backup power sources.
Rationale: Shift Supervisor, Station Blackout scenario: shift supervisor implements SBO EOP, deploys portable pump, coordinates mobile diesel generator connection. System must support this response.
 Demonstration stakeholder, stk-shift-supervisor, session-570, idempotency:stk-ss-sbo-570
STK-REQ-006 The Emergency Diesel Generator system SHALL enable fault diagnosis through locally accessible instrumentation and test points, permitting on-site repair by mechanical maintenance personnel.
Rationale: Mechanical Technician, EDG Failure to Start scenario: mechanic dispatched to EDG building, diagnoses stuck fuel rack solenoid, replaces component. Requires accessible instrumentation for diagnosis.
 Inspection stakeholder, stk-mechanical-technician, session-570, idempotency:stk-mech-diag-570
STK-REQ-007 The Emergency Diesel Generator system SHALL support safe maintenance isolation through lock-out/tag-out provisions on all energy sources including fuel, electrical, compressed air, and cooling water.
Rationale: Mechanical Technician, Planned Major Maintenance scenario: formal LOTO applied — fuel isolated, batteries disconnected, start air vented. All energy sources require isolation capability.
 Inspection stakeholder, stk-mechanical-technician, session-570, idempotency:stk-mech-loto-570
STK-REQ-008 The Emergency Diesel Generator system SHALL support calibration and functional testing of all protection and control instrumentation without requiring EDG operation or compromising safety system availability.
Rationale: I&C Technician, Surveillance Test and Maintenance scenarios: I&C technician calibrates sensors and troubleshoots protection systems. Must be possible without taking EDG out of service unnecessarily.
 Demonstration stakeholder, stk-ic-technician, session-570, idempotency:stk-ic-cal-570
STK-REQ-009 The Emergency Diesel Generator system SHALL provide diagnostic access to control system parameters and protection setpoints for troubleshooting by qualified I&C personnel.
Rationale: I&C Technician, EDG Failure to Start and Trip scenarios: technician troubleshoots control/protection system faults. Requires access to parameters, setpoints, and fault history.
 Demonstration stakeholder, stk-ic-technician, session-570, idempotency:stk-ic-diag-570
STK-REQ-010 The Emergency Diesel Generator system SHALL demonstrate compliance with ONR Safety Assessment Principles (SAPs) for engineered safety features, including diversity, redundancy, and independence requirements.
Rationale: ONR, all scenarios: ONR provides regulatory approval of the safety case and inspects compliance with SAPs. The EDG as a Class 1 safety system must meet SAP targets for reliability and independence.
 Analysis stakeholder, stk-onr, session-570, idempotency:stk-onr-sap-570
STK-REQ-011 The Emergency Diesel Generator system SHALL maintain a deterministic safety case demonstrating that the EDG fulfils its nuclear safety function under all design basis conditions, as required by UK nuclear site licence conditions.
Rationale: ONR, all scenarios: site licence conditions require a living safety case. The EDG safety case must cover all design basis events including LOOP, SBO, seismic, and common cause failure.
 Analysis stakeholder, stk-onr, session-570, idempotency:stk-onr-safetycase-570
STK-REQ-012 The Emergency Diesel Generator system SHALL achieve a start-on-demand reliability of at least 0.975 and a 24-hour mission reliability of at least 0.999, demonstrable through surveillance testing records.
Rationale: Licensee, all scenarios: the licensee bears ultimate safety responsibility. Reliability targets from the probabilistic safety assessment define the minimum performance the EDG must demonstrate.
 Analysis stakeholder, stk-licensee, session-570, idempotency:stk-licensee-reliability-570
STK-REQ-013 The Emergency Diesel Generator system SHALL maintain complete qualification evidence, maintenance records, and modification history traceable to the original design basis throughout the plant operating life.
Rationale: Licensee, Planned Maintenance scenario: quality records archived after overhaul. Documentation must demonstrate continued qualification through life — ONR can inspect at any time.
 Inspection stakeholder, stk-licensee, session-570, idempotency:stk-licensee-docs-570
STK-REQ-014 The Emergency Diesel Generator system SHALL accommodate OEM-specified maintenance regimes and accept qualified replacement parts without invalidating the safety case or equipment qualification.
Rationale: EDG OEM, Planned Maintenance scenario: 5-yearly overhaul uses OEM work package (replace injectors, valve adjustment, turbo inspection). Maintenance regime must align with OEM requirements.
 Analysis stakeholder, stk-oem, session-570, idempotency:stk-oem-maint-570
STK-REQ-015 The Emergency Diesel Generator system SHALL prevent failure of backup power supply from contributing to an uncontrolled release of radioactive material, by providing sufficient redundancy and diversity in standby power sources.
Rationale: Local Community: the community's fundamental expectation is that the nuclear site prevents accidents. The EDG is the last line of defence against station blackout leading to core damage and radioactive release.
 Analysis stakeholder, stk-local-community, session-570, idempotency:stk-community-safety-570
STK-REQ-016 The Emergency Diesel Generator system SHALL remain functional during and after a design basis earthquake of 0.2g peak ground acceleration, as required by Seismic Category I qualification per EUR requirements.
Rationale: Operating Environment, Seismic constraint: the EDG must survive the design basis earthquake and start afterward if needed. Seismic qualification is a fundamental safety requirement for UK nuclear sites.
 Analysis stakeholder, stk-environment, session-570, idempotency:stk-env-seismic-570
STK-REQ-017 The Emergency Diesel Generator system SHALL operate across the full ambient temperature range of -10°C to +40°C and withstand a coastal salt-laden atmosphere without degradation of safety function.
Rationale: Operating Environment: UK coastal nuclear sites experience temperature extremes and salt-laden air. EDG must start and run reliably at temperature extremes and resist corrosion from marine atmosphere.
 Test stakeholder, stk-environment, session-570, idempotency:stk-env-climate-570
STK-REQ-018 The Emergency Diesel Generator system SHALL not produce electromagnetic interference that could cause spurious actuation of co-located safety-related instrumentation and control systems, per IEC 61000-4 (Electromagnetic compatibility — testing and measurement techniques) series requirements.
Rationale: Operating Environment, EMC constraint: the EDG shares a site with sensitive nuclear safety I&C. EMI from EDG starting or running must not cause spurious reactor protection system actuation.
 Test stakeholder, stk-environment, session-570, idempotency:stk-env-emc-570

System Requirements (SYS)

Ref Requirement V&V Tags
SYS-REQ-001 The Emergency Diesel Generator SHALL start and reach rated voltage (6.6kV ±10%) and rated frequency (50Hz ±2%) within 10 seconds of receiving a loss-of-offsite-power start signal.
Rationale: Derived from start-on-demand requirement and LOOP Response scenario. The 10-second target is the maximum time before safety loads lose cooling function. Exceeding 10 seconds risks fuel damage in a LOCA coincident with LOOP. H-001 (failure to start) is SIL 3.
 Test system, sil-3, performance, session-570, idempotency:sys-start-time-570
SYS-REQ-002 The Emergency Diesel Generator SHALL automatically start upon detection of bus undervoltage below 5.94kV (90% of nominal) without operator action, with LOOP detection completed within 100ms of grid voltage loss.
Rationale: Derived from operator alarm and LCO support needs. Automatic start eliminates operator response time from the safety function timeline. The 100ms detection window is standard for nuclear EDG undervoltage relays per IEEE 387 (IEEE Standard for the Design and Application of Diesel Generator Units for Class 1E Nuclear Power Generating Stations). H-001 SIL 3.
 Test system, sil-3, safety, session-570, idempotency:sys-auto-start-570
SYS-REQ-003 The Emergency Diesel Generator SHALL connect safety loads to the emergency bus via a priority-based load sequencer, with all safety loads energised within 60 seconds of EDG reaching rated output.
Rationale: Derived from operator display and LOOP Response scenario: loads sequenced in priority order — charging pumps first, then component cooling, then HVAC. 60-second window ensures reactor cooling is restored before fuel damage threshold.
 Test system, sil-3, performance, session-570, idempotency:sys-load-sequence-570
SYS-REQ-004 The Emergency Diesel Generator SHALL achieve a start-on-demand reliability of not less than 0.975 per demand, demonstrated through a minimum of 100 valid surveillance demands.
Rationale: Derived from licensee reliability target (STK-012). The 0.975 value comes from the probabilistic safety assessment; the 100-demand demonstration requirement provides 95% confidence that the true reliability meets the target.
 Analysis system, reliability, session-570, idempotency:sys-start-reliability-570
SYS-REQ-005 The Emergency Diesel Generator SHALL sustain continuous operation at rated load for a minimum of 24 hours with a mission reliability of not less than 0.999, without manual intervention beyond monitoring.
Rationale: Derived from licensee reliability target and Extended LOOP scenario: Day 2 of extended LOOP requires sustained EDG operation. The 24-hour mission defines the minimum design endurance before fuel replenishment or grid restoration.
 Test system, reliability, session-570, idempotency:sys-mission-reliability-570
SYS-REQ-006 The Emergency Diesel Generator SHALL maintain output voltage within 6.6kV ±10% and frequency within 50Hz ±2% under all load conditions from no-load to 110% rated load.
Rationale: Derived from operator display requirements. Safety loads (motors, transformers, UPS) require stable voltage and frequency. The ±10%/±2% tolerances are per IEEE 387 for Class 1E diesel generators. Voltage excursions outside these limits cause motor thermal damage or relay malfunction.
 Test system, performance, session-570, idempotency:sys-output-quality-570
SYS-REQ-007 The Emergency Diesel Generator installation SHALL comprise two independent, redundant trains (Train A and Train B) with no shared active components, such that a single failure in one train does not prevent the other from performing its safety function.
Rationale: Derived from ONR SAP compliance and community safety expectations. Single failure criterion is fundamental to nuclear safety system design per ONR SAP EKP.3. Common cause failure (H-007, SIL 4) is the highest-risk hazard identified.
 Analysis system, sil-4, safety, session-570, idempotency:sys-redundancy-570
SYS-REQ-008 The Emergency Diesel Generator fuel storage system SHALL hold a minimum 7-day fuel inventory at 100% rated load, with automatic transfer from bulk storage to engine day tank and continuous level monitoring.
Rationale: Derived from fuel constraint and Extended LOOP/SBO scenarios. The 7-day inventory covers the design basis LOOP duration plus margin for fuel delivery delays. H-005 (fuel exhaustion) is SIL 2.
 Inspection system, sil-2, performance, session-570, idempotency:sys-fuel-capacity-570
SYS-REQ-009 The Emergency Diesel Generator SHALL remain functional during and after a design basis earthquake of 0.2g peak ground acceleration (Seismic Category I), with no loss of ability to start and carry load.
Rationale: Derived from seismic environment constraint (STK-016) and H-008 (seismic damage, SIL 2). Seismic qualification per EUR requirements and IEC 60980 (Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations). Post-earthquake operability is essential if LOOP coincides with seismic event.
 Analysis system, sil-2, safety, session-570, idempotency:sys-seismic-570
SYS-REQ-010 The Emergency Diesel Generator engine SHALL be protected by independent, hardwired trip circuits for overspeed (>115% rated), high coolant temperature, low lubricating oil pressure, and overcurrent, each capable of shutting down the engine within 2 seconds of trip setpoint.
Rationale: Derived from hazards H-003 (overspeed, SIL 2) and H-006 (cooling failure, SIL 2). Hardwired trips ensure protection even with digital control system failure. The 2-second trip time prevents engine mechanical damage at overspeed.
 Test system, sil-2, safety, session-570, idempotency:sys-protection-570
SYS-REQ-011 The Emergency Diesel Generator building SHALL incorporate automatic fire detection and suppression to extinguish diesel fuel fires without manual intervention, with inter-train fire barriers maintaining operability of the alternate EDG train.
Rationale: Derived from H-004 (fire in EDG building, SIL 2). Fire suppression must not damage the alternate EDG train. Train separation or fire barriers are needed to prevent common cause failure from fire propagation.
 Test system, sil-2, safety, session-570, idempotency:sys-fire-protection-570, reqs-eng-session-583
SYS-REQ-012 The Emergency Diesel Generator safety-related control and protection systems SHALL be isolated from non-safety networks, with safety trip functions implemented through hardwired circuits that cannot be defeated by cyber attack, per IEC 62645 (Nuclear power plants — Instrumentation, control and electrical power systems — Cybersecurity requirements).
Rationale: Derived from H-010 (cyber attack, SIL 3) and ONR SAP compliance. Air-gapped hardwired trip circuits provide defence-in-depth against cyber threats to digital control systems.
 Analysis system, sil-3, safety, session-570, idempotency:sys-cyber-security-570
SYS-REQ-013 The Emergency Diesel Generator SHALL support monthly surveillance testing via simulated LOOP signal initiation, a 2-hour run at 75% rated load, and automated parameter recording, without reducing availability of the alternate EDG train.
Rationale: Derived from I&C calibration needs and Surveillance Test scenario: monthly test at 75% load for 2 hours with all parameters recorded. Test must not compromise the other train's availability.
 Demonstration system, testability, session-570, idempotency:sys-surveillance-570, reqs-eng-session-583
SYS-REQ-014 When one EDG train is inoperable, the remaining train SHALL be capable of supplying 100% of the safety-critical electrical load, with the plant entering a Limiting Condition for Operation allowing no more than 72 hours for restoration before requiring controlled shutdown.
Rationale: Derived from shift supervisor LCO needs and EDG Failure to Start scenario: LCO 3.8.1 gives 72 hours. Each train must be sized for full safety load — no load shedding between trains.
 Analysis system, sil-3, safety, session-570, idempotency:sys-single-train-570
SYS-REQ-015 The Emergency Diesel Generator system SHALL provide a diverse alternate AC power source connection point, capable of accepting a mobile diesel generator of at least 50% safety load capacity within 4 hours of station blackout declaration.
Rationale: Derived from H-007 (common cause failure, SIL 4) and Station Blackout scenario: mobile generator connected after 4.5 hours. The 4-hour target aligns with DC battery capacity and provides margin before battery exhaustion.
 Demonstration system, sil-4, safety, session-570, idempotency:sys-diverse-ac-570

Subsystem Requirements (SUB)

Ref Requirement V&V Tags
SUB-REQ-001 The Diesel Engine Assembly SHALL achieve self-sustaining engine rotation within 3 seconds of receiving a start signal from the Starting Air System, with cylinder firing confirmed by all cylinders contributing to power output within 5 seconds, to support delivery of rated generator output within the 10-second system requirement.
Rationale: The 10-second system start requirement (SYS-REQ-001) is decomposed across the start chain: Starting Air System cranks the engine (0-3s), engine achieves self-sustaining combustion (3-5s), engine accelerates to rated speed and Synchronous Generator reaches rated voltage (5-10s). The 3-second self-sustain budget is consistent with medium-speed diesel cranking at 750 rpm with pre-heated coolant (>10°C). If self-sustaining rotation is not achieved within this window, an automatic start retry is required — not possible within the 10-second window without exceeding air receiver start attempt budget.
 Test subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-start-performance-571
SUB-REQ-002 The Diesel Engine Assembly SHALL maintain engine speed within 750 rpm ±1.5 rpm (±0.2%) in steady-state operation under all loads from 0% to 110% rated power, and within 750 rpm ±22.5 rpm (±3%) during transient load steps of up to 30% rated power applied or removed in under 1 second.
Rationale: The generator output frequency tolerance of 50 Hz ±2% (SYS-REQ-006) maps to engine speed 750 ±15 rpm for a 4-pole generator. The ±1.5 rpm steady-state budget leaves margin for the isochronous governor droop and generator slip. The ±3% transient budget accommodates the governor's response time before the fuel rack settles; IEC 60034-1 allows transient ±10% frequency excursion if recovery is within 5 seconds. The 30% step load case reflects connection of the largest individual safety load (ECCS pump motor) during load sequencing.
 Test subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-speed-stability-571
SUB-REQ-003 The Diesel Engine Assembly SHALL sustain continuous mechanical power output at 100% rated brake mean effective pressure for a minimum of 720 hours (30 days) between major maintenance interventions, consistent with a 24-hour mission reliability of 0.999 per demand.
Rationale: The 30-day between-overhaul endurance requirement derives from the nuclear site's fuel storage capability (SYS-REQ-026: 7-day minimum at 100% load), post-accident monitoring requirements, and refuelling interval planning. MTBF data from qualified medium-speed nuclear diesels (e.g., PAXMAN, MAN, CATERPILLAR nuclear-grade) show B10 lives exceeding 5,000 hours for pistons, liners and bearings at rated BMEP; 720 hours represents a conservative continuous run mission within this envelope. Failure to sustain 24h continuous operation would invalidate the mission reliability figure of 0.999.
 Analysis subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-endurance-571
SUB-REQ-004 The Engine Protection Relay Package SHALL detect engine overspeed exceeding 863 rpm (115% of rated 750 rpm), and SHALL trip the Diesel Fuel Injection System fuel rack to the minimum position within 1 second of setpoint crossing, independent of the digital control system.
Rationale: Overspeed is hazard H-001 in the EDG hazard register — uncontrolled acceleration to destructive speed (>1,200 rpm) can cause catastrophic engine failure including crankcase fragmentation, with potential for radioactive release if co-located safety systems are damaged. The 115% trip setpoint is the nuclear industry standard per IEEE Std 741 (Standard Criteria and Guidelines for the Design, Installation, and Qualification of Emergency Diesel Generators); the 1-second response time ensures the engine is stopped before the mechanical runaway speed range of 130% rated is reached. The hardwired relay implementation ensures this function is immune to digital system faults per ARC-REQ-002 (hardware/software diversity).
 Test subsystem, diesel-engine-assembly, sil-3, safety-trip, session-571, idempotency:sub-dea-overspeed-trip-571
SUB-REQ-005 The Engine Protection Relay Package SHALL detect engine lubricating oil pressure below 2.0 bar at the main oil gallery, and SHALL initiate an engine trip within 2 seconds of setpoint crossing, with a pre-trip alarm annunciated to the Main Control Room at 2.5 bar.
Rationale: Low lubricating oil pressure causes hydrodynamic bearing film collapse within 2-5 seconds of pressure loss, leading to metallic contact, bearing seizure, and crankshaft failure (hazard H-003). The 2.0 bar trip setpoint is established by OEM bearing film requirements at rated speed; 2.5 bar alarm provides 30-60 seconds of operator warning before the trip, consistent with IEEE Std 741. The 2-second trip response must be faster than the bearing-film collapse time to prevent irreversible damage. The pre-trip alarm supports Limiting Condition for Operation assessment by the shift supervisor (STK-REQ-004).
 Test subsystem, diesel-engine-assembly, sil-3, safety-trip, session-571, idempotency:sub-dea-lop-trip-571
SUB-REQ-006 The Engine Protection Relay Package SHALL detect engine jacket water coolant temperature exceeding 90°C at the cylinder head outlet, and SHALL initiate an engine trip within 2 seconds of setpoint crossing, with a pre-trip alarm annunciated at 85°C.
Rationale: Jacket water temperature exceeding 90°C risks coolant boiling with consequent loss of cooling flow and rapid piston seizure (hazard H-006, SIL 2 per the hazard register). The 90°C trip setpoint is at least 10°C below the coolant boiling point at system pressure (typically 110°C at 1.5 bar system pressure), providing margin for continued heat rejection before coolant vaporises. The 85°C alarm setpoint gives operators 2-5 minutes of warning at typical heat-up rates. Consistent with vendor qualification data and IEEE Std 741 guidance for diesel engine protection.
 Test subsystem, diesel-engine-assembly, sil-3, safety-trip, session-571, idempotency:sub-dea-hct-trip-571
SUB-REQ-007 The Diesel Fuel Injection System SHALL meter fuel delivery with a maximum cylinder-to-cylinder variation of ±3% of mean fuel quantity per injection event, measured under steady-state rated load conditions, to ensure balanced combustion and prevent individual cylinder thermal overload.
Rationale: Cylinder-to-cylinder fuel imbalance exceeding ±5% causes differential cylinder thermal loading, accelerated liner wear, and uneven power contribution to the crankshaft — increasing vibration and fatigue loading of the crankshaft (linked to catastrophic failure hazard H-001). The ±3% requirement provides a 2× margin below the OEM tolerance for injection pump wear and is consistent with nuclear-grade diesel maintenance practice. Verification by combustion analyser during pre-operational surveillance testing per Technical Specification monthly test (SYS-REQ-013 / STK-REQ-008).
 Test subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-fuel-metering-571
SUB-REQ-008 The Diesel Engine Assembly, including all sub-components and their mounting interfaces, SHALL be qualified to remain functional during and after a seismic event with a peak ground acceleration of 0.2g and response spectra consistent with EUR Seismic Category I requirements, with no loss of rated power delivery capability post-event.
Rationale: EDG seismic qualification is required by nuclear site licence conditions and ONR Safety Assessment Principles for Seismic Category I equipment per EUR Document EUR 001 Rev. D. The 0.2g PGA represents the UK design basis earthquake for modern nuclear sites; earlier UK sites may use lower values per site-specific PSA. Qualification must cover the engine block mounting bolts (moment loading during horizontal excitation), the turbocharger (cantilevered mass), and the generator coupling alignment (relative displacement). Failure of EDG during the design basis earthquake when offsite power may also be lost represents a simultaneous loss of all AC power sources — a cliff-edge risk to reactor safety.
 Analysis subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-seismic-571
SUB-REQ-009 When any Engine Protection Relay Package trip setpoint is exceeded, the Diesel Engine Assembly SHALL transition to its safe state (all fuel injection ceased, crankshaft deceleration to standstill) within 5 seconds of the trip signal, with no manual operator action required.
Rationale: Safe state for the Diesel Engine Assembly is defined as 'engine stopped with no fuel flow' — the fail-safe condition for all four protection trip functions (overspeed, high coolant temp, low oil pressure, overcurrent). The 5-second transition time encompasses the worst-case governor response, fuel rack travel to minimum stop, and engine deceleration from 115% rated speed to rest (kinetic energy decay at no-load). This safe state is consistent with IEC 61508 (Functional safety of E/E/PE safety-related systems) safe state analysis for SIL 3 protection functions and eliminates the hazardous condition before it can escalate to structural damage.
 Test subsystem, diesel-engine-assembly, sil-3, safety-trip, safe-state, session-571, idempotency:sub-dea-safe-state-571
SUB-REQ-010 The Electrical Switchgear and Load Sequencer Subsystem SHALL implement a priority-based load sequencer that connects safety loads to the 6.6kV emergency bus in a fixed priority sequence within 10 seconds of generator breaker closure, with each load group delayed by a minimum of 500ms to prevent simultaneous inrush currents from exceeding generator transient overload capacity.
Rationale: SYS-REQ-003 requires connection of safety loads via a priority-based load sequencer. The 500ms inter-group delay prevents cumulative inrush currents (typically 6× FLA per motor) from exceeding the generator's short-time overload rating during the critical bus restoration sequence following a LOOP event. This timing is consistent with IEEE 387 load-acceptance test criteria.
 Test session-572, qc, switchgear-load-sequencer, idempotency:sub-els-load-sequencer-572
SUB-REQ-011 The Fuel Oil System SHALL maintain at least 7,000 litres usable fuel per EDG train across day tanks and bulk storage, meeting CIMAC Class DM specification, sustaining rated-load operation for 7 days.
Rationale: SYS-REQ-008 requires 7-day fuel storage capacity. At rated output of a typical nuclear EDG (approximately 2-4 MW), fuel consumption is approximately 800-1200 litres/hour; 7,000 litres per day times 7 days = 49,000 litres minimum. Day tank sizing of 750-1,000 litres provides 1-hour autonomous operation; bulk tank supplies replenishment via transfer pump. CIMAC Class DM is the UK nuclear industry fuel specification for safety-related diesel engines.
 Inspection session-572, qc, fuel-oil-system, idempotency:sub-fos-fuel-storage-572, reqs-eng-session-583
SUB-REQ-012 The Engine Protection Relay Package SHALL implement a fail-safe de-energise-to-trip relay architecture such that loss of 125VDC control power to any trip relay automatically initiates engine trip to standstill, with a hardware-keyed maintenance inhibit that requires physical key insertion at the relay panel to suppress any individual trip function for maintenance, and automatically cancels on key removal.
Rationale: IEC 61513 (Nuclear power plants — Instrumentation and control systems — General requirements for systems) requires safety-related I&C to fail safe. The engine protection relay package classified as Functionally Autonomous (hex D6B73858) requires explicit fail-safe mode definition: de-energise-to-trip ensures DC power loss does not disable protection. The hardware-keyed inhibit (as opposed to software override) prevents cyber attack from disabling engine protection and ensures every inhibit is traceable to a physical human action per ONR SAPs. Without this, the relay package can be de-feated remotely.
 Demonstration session-580, qc, engine-protection, fail-safe, sil-3, idempotency:sub-eprp-failsafe-override-580
SUB-REQ-013 The Diesel Fuel Injection System SHALL operate from a dedicated 24VDC Class 1E power supply with supply voltage maintained within 24VDC ±10% across all load conditions, with a minimum 4-hour battery-backed autonomy for the fuel injection control module independent of engine cranking loads, to ensure injection function is sustained during EDG start transients and any short-duration DC bus disturbances.
Rationale: The diesel fuel injection system is classified as Powered (hex D6D53218, bit 4), requiring explicit power source, voltage range, and consumption requirements per the UHT classification. At nuclear sites, all safety-related powered equipment must have a defined Class 1E power source per IEEE 308 (Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations). The 24VDC ±10% tolerance ensures electronic fuel injection control modules remain within operating specification during DC bus voltage excursions under LOOP conditions. Without a defined power budget, injection failure during a fault-initiated trip creates an unverifiable failure mode.
 Test session-580, qc, fuel-injection, power-supply, class-1e, idempotency:sub-fuel-injection-power-580
SUB-REQ-014 The Starting Air System Air Receiver Banks (A and B) SHALL each maintain a minimum stored pressure of 25 bar and a maximum operating pressure of 30 bar, providing sufficient capacity for a minimum of three consecutive start attempts at 20°C ambient.
Rationale: IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL 3 start function requires redundant air trains. Three start attempts is the ONR-mandated minimum to account for false cranks. 25 bar minimum is the minimum inlet pressure required by the air start distributor valve to achieve the cranking torque needed to overcome diesel engine compression at cold soak (10°C). Derived from SYS-REQ-004 (start reliability 0.975 per demand) — insufficient air receiver capacity is the primary single cause of failed start attempts.
 Test subsystem, starting-air-system, sil-3, session-581, idempotency:sub-sas-receivers-pressure-581
SUB-REQ-015 The Starting Air System Air Start Valve and Distribution Manifold SHALL fully open and deliver compressed air to all engine cylinders within 0.5 seconds of receiving an electrical start command from the EDG Instrumentation and Control System.
Rationale: The 3-second self-sustaining combustion budget (SUB-REQ-001) requires that cranking air reaches the cylinders within 0.5 s of start signal to allow sufficient compression-ignition cycles before the 3-second window expires. Valve actuation latency is the dominant timing contributor in the start chain from signal to first compression stroke. Verified by instrumented start test measuring solenoid energisation to first cylinder pressure rise.
 Test subsystem, starting-air-system, sil-3, session-581, idempotency:sub-sas-startvalve-actuation-581
SUB-REQ-016 The Starting Air System Air Compressor and Recharge Unit SHALL restore both Air Receiver Banks from a post-three-attempt low (minimum 20 bar) to full operating pressure of 30 bar within 30 minutes of start completion.
Rationale: Technical Specifications for nuclear EDGs typically require the EDG to be returned to operability within one hour of a surveillance test. A 30-minute recharge allows 30 minutes for post-test inspection before the operability clock expires. Recharge time is driven by compressor capacity against receiver volume; 30 minutes corresponds to approximately 5 kW of compressor power for a 250-litre dual-receiver installation.
 Test subsystem, starting-air-system, session-581, idempotency:sub-sas-compressor-recharge-581
SUB-REQ-017 The Starting Air System Moisture Separator and Drain System SHALL maintain compressed air dewpoint at or below minus 40 degrees C at atmospheric pressure throughout the air receiver and distribution manifold.
Rationale: Compressed air with dewpoint above minus 40 C risks liquid water formation in the air start distributor valve and manifold at the minimum site ambient temperature of 5 C. Water ingress to engine cylinders can cause hydraulic lock and crankshaft failure on cranking — a catastrophic failure mode that would prevent EDG start and require major engine overhaul. The minus 40 C threshold is derived from EN ISO 8573-1 Quality Class 3 and is consistent with nuclear plant instrument air specifications.
 Inspection subsystem, starting-air-system, session-581, idempotency:sub-sas-moisture-dewpoint-581
SUB-REQ-018 When Starting Air System receiver pressure drops to 27 bar on either bank, the Pressure Monitoring and Low-Pressure Alarm component SHALL generate a control room annunciation within 5 seconds. When pressure drops to 22 bar, the EDG Instrumentation and Control System SHALL inhibit further start attempts from that bank until pressure is restored to minimum 25 bar.
Rationale: 27 bar alarm provides operator time to investigate before reaching the 25 bar start minimum. 22 bar inhibit prevents a start attempt on insufficient air supply, which would cause a failed crank and consume remaining air without achieving engine rotation. The inhibit is the safe state for this failure mode per IEC 61508 SIL 3 requirements — a failed start with depleted air is worse than no start attempt. Aligns with SYS-REQ-010 (independent hardwired trip functions).
 Test subsystem, starting-air-system, sil-3, safe-state, session-581, idempotency:sub-sas-lowpressure-alarm-581
SUB-REQ-019 The EDG Instrumentation and Control System Automatic Start Logic Controller SHALL detect emergency bus undervoltage below 5.94 kV within 100 ms and issue an air start command to the Starting Air System within 200 ms of detection, confirmed by hardwired LOOP signal from the Plant Protection System.
Rationale: SYS-REQ-002 requires automatic start on bus undervoltage below 5.94 kV. The 100 ms detection budget is allocated to the I&C from the total 200 ms LOOP detection budget (SYS-REQ-002), with the remaining 100 ms allocated to the air start valve actuation (SUB-REQ-015). Hardwired confirmation from the Plant Protection System prevents spurious start on transient undervoltage. Derived from SYS-REQ-001 (10-second start) and SYS-REQ-002 (automatic LOOP start).
 Test subsystem, ic-system, sil-3, session-581, idempotency:sub-ic-loop-detection-581
SUB-REQ-020 The EDG Instrumentation and Control System Engine and Generator Protection Logic SHALL generate a de-energise-to-trip relay output within 200 ms of any monitored parameter exceeding its trip setpoint, and SHALL be designed to IEC 61508 Safety Integrity Level 3 with a Probability of Failure on Demand not exceeding 1x10 to the power minus 3.
Rationale: 200 ms trip response is the maximum permissible latency before continued engine operation at overspeed, low oil pressure, or high coolant temperature would cause irreversible mechanical damage. This budget is consistent with medium-speed diesel protection practice and is tighter than the engine mechanical failure time constants (overspeed damage onset approximately 800 ms at 115 percent rated speed). SIL 3 PFD target of 1e-3 per demand derives from the nuclear site safety case requirement for EDG start reliability of at least 0.975 per demand (SYS-REQ-004), apportioning protection logic unavailability to 0.001.
 Analysis subsystem, ic-system, sil-3, safety-critical, session-581, idempotency:sub-ic-protection-trip-response-581
SUB-REQ-021 The EDG Instrumentation and Control System Qualified I/O Module Assembly SHALL provide Class 1E qualified electrical isolation of at least 1.5 kV RMS between safety-classified inputs and outputs and any non-Class-1E circuit, and SHALL maintain isolation integrity following a design basis seismic event of 0.3g PGA.
Rationale: IEC 60780 (Nuclear power plants - Electrical equipment of the safety system) and ONR SAP EKP.4 require Class 1E equipment to be electrically isolated from non-Class-1E circuits to prevent common-cause failure propagation. The 0.3g PGA seismic requirement derives from SYS-REQ-009. Loss of I/O isolation is a common-cause failure mode that could simultaneously disable both EDG trains by coupling a fault from the normal power distribution into the safety bus.
 Test subsystem, ic-system, sil-3, seismic, session-581, idempotency:sub-ic-io-isolation-581
SUB-REQ-022 The EDG Instrumentation and Control System Plant Communication Gateway SHALL be implemented as a unidirectional data diode transmitting EDG status data to the Main Control Room network, with no return data path capable of propagating a signal to the safety-classified I&C equipment.
Rationale: SYS-REQ-012 requires safety-related control and protection systems to be isolated from non-safety networks. A unidirectional data diode is the only hardware-enforced implementation that prevents network-originated signals from reaching the safety bus. Bidirectional gateways with software-enforced isolation have been rejected as they introduce a shared-cause vulnerability where gateway compromise can propagate adversarial commands to the safety logic. Consistent with IEC 62645 (Nuclear power plants - Instrumentation and control systems - Requirements for security programmes).
 Inspection subsystem, ic-system, sil-3, cybersecurity, session-581, idempotency:sub-ic-comms-gateway-isolation-581
SUB-REQ-023 When the EDG Instrumentation and Control System Automatic Start Logic Controller detects a self-diagnostic fault in any SIL 3 function, the I&C System SHALL transition to a de-energised safe state within 500 ms, initiating engine protection trip and generating a control room fault alarm, while preserving the last-good EDG status data at the Annunciation and HMI Panel.
Rationale: IEC 61508 SIL 3 requires defined safe states for all safety function failures. The safe state for I&C logic failure is de-energise-to-trip (engine stopped) rather than latched-run, because an uncontrolled engine running without protection monitoring is the more dangerous failure mode. 500 ms transition budget is chosen to ensure the trip is complete before any monitored protection parameter would reach a damage threshold from the unprotected state.
 Test subsystem, ic-system, sil-3, safe-state, session-581, idempotency:sub-ic-safe-state-581
SUB-REQ-024 The Bus Undervoltage Sensing Relay SHALL detect 6.6kV emergency bus voltage below 4.6kV (70% nominal) sustained for more than 200ms and issue an EDG automatic start initiation signal within 200ms of threshold crossing, using two-out-of-three voting logic across three independent voltage transformer inputs.
Rationale: 200ms detection threshold is derived from the maximum permissible bus blackout time before safety systems (RCP seal injection, EFWS) deplete their Class 1E UPS reserves. The 4.6kV setpoint (70% nominal) discriminates credible LOOP from transient voltage dips caused by motor starts on the emergency bus. Two-out-of-three voting prevents spurious EDG starts on single VT failure while ensuring detection on dual-channel loss. Drives SYS-REQ-002.
 Test subsystem, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:sub-swgr-buvr-loop-detection-582
SUB-REQ-025 The Generator Circuit Breaker SHALL close onto the 6.6kV emergency bus within 100ms of receiving a close command from the Synchronising Check Relay (live-bus condition) or within 100ms of receiving a dead-bus close command, and SHALL trip open within 100ms of receiving a trip command from the Generator Electrical Protection Relay Package or from the I&C system emergency trip.
Rationale: 100ms close time is derived from the 10-second full bus restoration budget (SYS-REQ-001): generator acceleration 8s, GCB mechanical operation 0.1s, leaving margin for sequencer timing. 100ms trip time is the maximum permissible to limit fault energy on the emergency bus during a generator electrical fault; longer trip times risk thermal damage to bus conductors at 25kA fault level. Class 1E spring-charged mechanism provides deterministic operating time independent of DC supply voltage variation ±20%.
 Test subsystem, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:sub-swgr-gcb-close-trip-time-582
SUB-REQ-026 The Synchronising Check Relay SHALL permit Generator Circuit Breaker closure only when EDG output voltage is within ±10% of 6.6kV, frequency is within ±0.5Hz of 50Hz, and phase angle difference is within ±10 degrees, and SHALL issue an unconditional dead-bus close permission when bus voltage is below 20% of nominal (1.32kV) for more than 500ms without requiring frequency or phase angle synchronisation.
Rationale: ±10% voltage and ±0.5Hz frequency windows represent the limits within which out-of-phase closing transient currents remain below the generator's mechanical endurance rating (typically 3 per unit peak for 100ms). ±10 degree phase angle limit bounds the closing transient to less than 0.5 per unit. Dead-bus override threshold of 20% nominal ensures the relay distinguishes a truly de-energised bus (LOOP condition requiring immediate connection) from a very low-voltage live bus. Without the dead-bus override the EDG could not connect during a LOOP, defeating its safety function.
 Test subsystem, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:sub-swgr-sync-check-relay-582
SUB-REQ-027 The Generator Electrical Protection Relay Package SHALL provide differential protection (87G) with a minimum operating current of 10% rated generator current, overcurrent protection (51) with time-inverse characteristic, loss-of-excitation protection (40) with offset-mho impedance characteristic, and reverse power protection (32) with 2% of rated power pickup, each issuing an independent hardwired trip signal to the Generator Circuit Breaker within 100ms of fault detection.
Rationale: The 87G minimum operating threshold of 10% rated current detects internal generator faults while remaining insensitive to CT mismatch (typically 1-2%). Loss-of-excitation (40) protection prevents generator motoring and loss of reactive power support to the safety bus, which would cause bus voltage collapse. Reverse power (32) at 2% pickup detects engine failure with the generator motoring from the bus. Each protection function is independent per IEEE C37.102 (Guide for AC Generator Protection) to prevent common-cause failure disabling all electrical protection. Hardwired trip path ensures operation independent of I&C system availability.
 Test subsystem, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:sub-swgr-gen-elec-protection-582
SUB-REQ-028 When the Generator Electrical Protection Relay Package detects a protection trip condition or when the Class 1E Switchgear Control Power Supply falls below 95VDC, the Electrical Switchgear and Load Sequencer Subsystem SHALL open the Generator Circuit Breaker within 200ms and inhibit all close commands until the fault condition is cleared and a manual reset is performed by a licensed operator.
Rationale: Safe state requirement per IEC 61508 (Functional safety of E/E/PE safety-related systems) for SIL 3 subsystem. Generator electrical fault requires immediate isolation to prevent propagation to the Class 1E emergency bus. 200ms safe state transition time allows for GCB mechanical operation (100ms) plus protection relay operate time (100ms). Control power undervoltage at 95VDC (76% of 125VDC nominal) ensures the GCB trip coil receives sufficient energy for reliable operation even at battery end-of-discharge. Manual reset requirement prevents automatic reconnection after a fault, requiring a licensed operator to assess cause and authorise restart per nuclear site licence condition.
 Test subsystem, electrical-switchgear-and-load-sequencer, sil-3, safe-state, safety-critical, session-582, idempotency:sub-swgr-safe-state-582
SUB-REQ-029 The EDG Building and Support Systems SHALL incorporate an automatic gaseous total-flood fire suppression system (HFC-227ea or CO2 with pre-discharge alarm) rated to extinguish a Class B diesel fuel fire within 30 seconds of actuation, with a two-hour fire-rated separation barrier between Train A and Train B EDG rooms to maintain operability of the alternate train during a single-train fire event.
Rationale: SYS-REQ-011 derives from hazard H-004 (fire in EDG building, SIL 2). The 30-second suppression criterion is taken from NFPA 750 (Standard on Water Mist Fire Protection Systems) and BS EN 15004 (Fixed firefighting systems — Gas extinguishing systems) for unattended machinery spaces with flammable liquid hazards. The two-hour barrier rating satisfies BS 476 Part 22 (Fire tests on building materials and structures) for Class B fire separation between redundant safety-classified rooms, ensuring that a single fire event cannot disable both EDG trains simultaneously.
 Inspection session-585, qc, edg-building, fire-protection, sil-2, idempotency:sub-building-fire-585
SUB-REQ-030 The Category 1 Building Structure SHALL maintain structural integrity and continue to house and protect all installed EDG equipment during and following a design basis earthquake of 0.2g PGA, with no structural deformation exceeding 10mm at any equipment anchor point.
Rationale: SYS-REQ-009 requires EDG operability at 0.2g PGA; the building is the primary seismic protection boundary. The 10mm anchor-point deformation limit is derived from engine skid anchor bolt clearance tolerances specified by the engine OEM to prevent bearing misalignment during post-seismic operation. Seismic Category I classification follows BS EN 1998-1 and ONR Safety Assessment Principles.
 Test subsystem, edg-building, sil-2, seismic, session-586, idempotency:sub-building-seismic-struct-586
SUB-REQ-031 The Category 1 Building Structure SHALL provide physical separation between EDG trains by a minimum 2-hour rated fire barrier, such that a design basis fire in one train enclosure cannot propagate to the redundant train enclosure.
Rationale: SYS-REQ-007 requires two independent redundant trains; SYS-REQ-011 requires fire barriers maintaining alternate train operability. The 2-hour fire rating is derived from UK ONR technical guidance on nuclear fire safety and the maximum credible fire duration in an EDG enclosure containing a 4,000L fuel day tank. Physical train separation is preferred over shared space with fire barriers alone, as it eliminates common-cause fire-suppression-agent discharge scenarios.
 Inspection subsystem, edg-building, sil-2, fire, session-586, idempotency:sub-building-train-sep-586
SUB-REQ-032 The Ventilation and Combustion Air System SHALL supply a minimum of 0.55 kg/s of combustion air per MW of rated engine output at an inlet temperature not exceeding 40°C and maintain engine room ambient temperature below 45°C during continuous full-load operation.
Rationale: The 0.55 kg/s per MW combustion air figure is derived from the engine manufacturer's fuel-air ratio at rated output plus 10% margin for combustion efficiency degradation over service life. The 45°C engine room limit is the upper ambient limit specified in the engine qualification envelope; exceedance causes derating of the turbocharger and reduces start-on-demand margin. The inlet 40°C limit reflects the UK nuclear site extreme summer ambient design temperature per CIBSE Guide A.
 Test subsystem, edg-building, sil-2, hvac, session-586, idempotency:sub-building-hvac-airflow-586
SUB-REQ-033 When the EDG receives an automatic start signal, the Ventilation and Combustion Air System SHALL initiate fan motor start within 5 seconds and achieve rated airflow within 30 seconds of the engine start signal.
Rationale: SYS-REQ-001 requires the EDG to reach rated voltage within 10 seconds of start signal. The HVAC must reach rated airflow before the engine reaches rated speed at approximately 15-20 seconds. The 5-second fan start and 30-second rated airflow time allows the fan to be running when the engine reaches full combustion load, preventing thermal stress from inadequate air exchange during the critical ramp-up phase.
 Test subsystem, edg-building, sil-2, hvac, session-586, idempotency:sub-building-hvac-start-586
SUB-REQ-034 The Exhaust Silencer and Discharge Stack SHALL limit exhaust gas backpressure to not more than 50 mbar at the turbocharger outlet under all operating conditions from no-load to 110% rated load, and remain structurally intact following a design basis earthquake of 0.2g PGA.
Rationale: The 50 mbar backpressure limit is specified by the diesel engine OEM as the maximum permissible backpressure for rated power output without turbocharger surge or thermal overloading. Exceedance reduces available output power and risks turbocharger damage; below this threshold the silencer can be designed for adequate noise attenuation. Seismic qualification prevents stack collapse blocking the exhaust and stalling the engine after the earthquake mission begins.
 Test subsystem, edg-building, sil-2, exhaust, session-586, idempotency:sub-building-exhaust-back-586
SUB-REQ-035 The Drain and Spill Containment System SHALL provide bunded containment with a minimum capacity of 110% of the largest single fluid inventory within the building (diesel day tank: 4,000 litres), with sump high-level alarm annunciation to the main control room within 60 seconds of breach detection.
Rationale: The 110% bunded capacity rule follows UK Environment Agency Pollution Prevention Guidance PPG2 for above-ground oil storage. The 4,000L day tank is the dominant spill risk; containing 110% prevents secondary containment overflow under worst-case scenario. 60-second control room annunciation enables operator response before a spill migrates to an uncontained area, and derives from the same alarm response time budget used in the fire detection system design.
 Inspection subsystem, edg-building, flood, sil-2, session-586, idempotency:sub-building-drain-cap-586
SUB-REQ-036 When a Category 1 Building Structure breach is detected by the structural monitoring system, the EDG Building and Support Systems SHALL automatically isolate the affected train and generate a control room alarm within 30 seconds, while maintaining operability of the redundant train.
Rationale: SIL 2 safety function requires a defined safe state on failure. A structural breach (seismic damage, impact) that degrades protection for one train must not cascade to the redundant train. The 30-second alarm response time allows operators to take manual action before secondary effects (flooding, fire) propagate. This requirement implements the safe state for the EDG Building Structure SIL 2 function as required by IEC 61508 (Functional Safety of E/E/PE Safety-Related Systems).
 Demonstration subsystem, edg-building, sil-2, safe-state, session-586, idempotency:sub-building-safe-state-586
SUB-REQ-037 The Engine Cooling System SHALL maintain engine jacket water outlet temperature within 75°C to 85°C during continuous operation at any load from 25% to 110% of rated power.
Rationale: IEC 61508 SIL 2 derived from SYS-REQ-005. Jacket water temperature band of 75–85°C is the manufacturer-specified operating envelope for medium-speed 4-stroke diesel engines in standby duty; operation above 85°C degrades lubricant film viscosity and risks liner cavitation, while operation below 75°C increases fuel consumption and causes condensation-related cylinder corrosion. Failure to maintain this band during the 24-hour rated-load run risks premature engine failure.
 Test subsystem, engine-cooling, sil-2, session-591
SUB-REQ-038 While in standby, the Engine Cooling System SHALL maintain jacket water temperature at not less than 35°C using the Engine Pre-heat System to ensure the engine is capable of reaching rated speed within 10 seconds of start signal.
Rationale: Derived from SYS-REQ-001 (10-second start-to-rated-speed requirement). A cold engine at ambient -10°C has insufficient lubricant film and may fail to fire reliably; 35°C is the minimum jacket water temperature at which the OEM guarantees start reliability consistent with the 0.975 start-on-demand probability in SYS-REQ-004. Below 35°C, start transient torque and lube oil flow rates fall outside the OEM qualification envelope.
 Demonstration subsystem, engine-cooling, sil-2, session-591
SUB-REQ-039 The Engine Cooling System SHALL dissipate engine thermal rejection at not less than 110% of rated thermal load at a maximum ambient temperature of 35°C without exceeding the jacket water temperature limit defined in SUB-REQ-036.
Rationale: Derived from SYS-REQ-005 (24-hour continuous operation) and SYS-REQ-017 (35°C maximum ambient). The 110% margin accounts for fouling of the heat exchanger surface during extended operation and provides headroom against ambient temperature excursions. Without this margin, summer ambient conditions combined with heat exchanger fouling could cause sustained coolant temperature exceedance during multi-day operation in a LOOP event.
 Test subsystem, engine-cooling, sil-2, session-591
SUB-REQ-040 When jacket water outlet temperature exceeds 95°C or jacket water circuit pressure falls below 0.5 bar gauge, the Engine Cooling System SHALL generate a hardwired engine trip signal to the EDG Instrumentation and Control System within 200 milliseconds.
Rationale: SIL 2 safe-state requirement derived from SYS-REQ-010 (hardwired engine trip circuits). The 95°C threshold is set 10°C above the 85°C upper operating limit to allow brief transients without spurious trip, while preventing sustained overtemperature that causes head gasket failure. The 0.5 bar pressure threshold detects coolant loss before dry-running engine damage occurs. The 200 ms trip response is required by IEC 61511 (Functional safety of SIS in the process industry) SIL 2 to ensure the safe state is reached before coolant system damage propagates to piston seizure.
 Test subsystem, engine-cooling, sil-2, safety-trip, safe-state, session-591
SUB-REQ-041 The Coolant Circulation Pump SHALL maintain a minimum coolant flow rate of 150 L/min at 0.8 bar differential pressure throughout the engine load range from 25% to 110% of rated power.
Rationale: Derived from SYS-REQ-005. Flow rate of 150 L/min at 0.8 bar is determined by the OEM heat balance for a medium-speed diesel in this power range; below this flow, the jacket water outlet temperature differential across the engine block exceeds 10°C, creating thermal gradients that cause head distortion over extended operation. The pump is engine-driven, so performance must be verified across the full engine speed range.
 Test subsystem, engine-cooling, sil-2, session-591
SUB-REQ-042 The Thermostatic Control Valve SHALL modulate bypass coolant flow to maintain jacket water temperature within ±3°C of the 80°C setpoint during steady-state engine operation at rated load.
Rationale: Derived from SYS-REQ-006 (voltage and frequency stability). Jacket water temperature stability directly affects fuel injection timing and cylinder firing consistency; a ±3°C band ensures combustion stability within the OEM governor envelope. Wider temperature excursions during steady-state operation indicate valve hysteresis and are a precursor to temperature hunting, which has caused premature valve failure in comparable standby diesel applications (UK nuclear site operating experience).
 Test subsystem, engine-cooling, sil-2, session-591
SUB-REQ-043 The Engine Cooling System pressure boundary, including the Engine Jacket Water Circuit, Coolant Circulation Pump, and Radiator/Heat Exchanger, SHALL remain leak-free and functional following a Design Basis Earthquake of 0.25g PGA as specified in SYS-REQ-009, with post-seismic coolant flow re-established within 30 seconds.
Rationale: SIL 2 seismic requirement derived from SYS-REQ-009. The Engine Cooling System must survive the DBE because loss of cooling following a seismic event would prevent the EDG from fulfilling its post-earthquake safe shutdown function. Analysis (rather than test) is used because shake-table testing of a full cooling system assembly is impractical; seismic qualification by analysis per ASCE 4 (Seismic Analysis of Safety-Related Nuclear Structures) and IEEE 344 (Recommended practice for seismic qualification of Class 1E equipment for nuclear power generating stations) provides equivalent evidence.
 Analysis subsystem, engine-cooling, sil-2, seismic, session-591
SUB-REQ-044 The Fuel Oil System SHALL supply diesel fuel to the engine injection system at a pressure of 0.3 bar to 0.7 bar gauge and a flow rate sufficient for rated engine power output throughout the full 24-hour operating duration specified in SYS-REQ-005.
Rationale: IEC 61511 SIL 2 derived from SYS-REQ-005. The 0.3–0.7 bar delivery pressure range is determined by the OEM fuel injection pump inlet specification; pressures outside this range cause either injector dribble (low pressure) or premature injection pump seal failure (high pressure). Flow rate adequacy at rated power must be demonstrated under fuel temperature extremes since viscosity variation of up to 20% affects pump volumetric efficiency.
 Test subsystem, fuel-oil, sil-2, session-591
SUB-REQ-045 The Bulk Storage Tank SHALL maintain a minimum fuel inventory of 110% of the 7-day fuel demand at 100% rated load as specified in SYS-REQ-008, with a high-level alarm at 95% fill and a low-level alarm at 20% fill providing warning before reserve depletion.
Rationale: The 110% margin over the SYS-REQ-008 7-day inventory provides one day of additional reserve for extended LOOP events or unexpected consumption increases from abnormal engine loading. The alarm thresholds are set to provide sufficient time for a refuelling team to respond before approaching the minimum reserve, based on typical fuel delivery response times at UK nuclear sites (4–8 hours).
 Inspection subsystem, fuel-oil, sil-2, session-591
SUB-REQ-046 The Day Tank SHALL maintain a working inventory of not less than 4 hours of fuel at rated engine load to provide autonomous operation during a Bulk Storage Tank refuelling transfer interruption, with a low-level alarm at 60 minutes remaining inventory.
Rationale: The 4-hour Day Tank autonomy decouples the engine from the Bulk Storage Tank transfer system, ensuring that a transfer pump failure or valve seizure does not immediately starve the engine. The 60-minute low-level alarm provides the operating crew sufficient time to initiate corrective action (transfer pump restart or backup transfer) before engine fuel starvation occurs.
 Test subsystem, fuel-oil, sil-2, session-591
SUB-REQ-047 The Fuel Oil Strainer and Filter Assembly SHALL maintain fuel particle contamination downstream of the filter element at ISO 4406 cleanliness code 16/13/10 or better under maximum flow conditions, with a differential pressure alarm at 0.5 bar indicating filter blockage requiring maintenance.
Rationale: ISO 4406 cleanliness code 16/13/10 is the maximum fuel contamination level specified by the OEM for the injection pump and injector nozzles; exceeding this level causes accelerated injector wear and nozzle blockage that degrades fuel spray quality and reduces available power. The 0.5 bar differential pressure alarm threshold is set 50% above the clean filter pressure drop of 0.3 bar, providing adequate warning before the bypass valve opens and unfiltered fuel reaches the injectors.
 Test subsystem, fuel-oil, sil-2, session-591
SUB-REQ-048 When Day Tank level falls below the transfer initiation setpoint, the Fuel Transfer Pump SHALL automatically start and transfer fuel from the Bulk Storage Tank to the Day Tank within 30 minutes, with automatic stop on high level alarm and manual override capability from the EDG local control panel.
Rationale: Automatic transfer control ensures the Day Tank is replenished without operator intervention during sustained LOOP events when control room operator workload may be high. The 30-minute transfer time is derived from the Day Tank volume and transfer pump rated flow rate; this must be less than the 60-minute low-level alarm-to-starvation window to ensure reliable autonomous refill.
 Demonstration subsystem, fuel-oil, sil-2, session-591
SUB-REQ-049 When Day Tank fuel level falls below the engine fuel inlet connection height, the Fuel Oil System SHALL generate a hardwired low-fuel trip signal to the EDG Instrumentation and Control System and the engine SHALL be shut down in a controlled manner to prevent injection pump dry-running damage.
Rationale: SIL 2 safe-state requirement derived from SYS-REQ-010. Dry-running of the fuel injection pump for more than 30 seconds causes irreversible pump damage. A controlled shutdown (rather than sudden cutoff) is specified to allow the engine governor to reduce load before fuel cut-off, preventing electrical transients on the emergency bus. The trip signal follows the same hardwired, fail-safe discrete output architecture as the cooling loss trip.
 Test subsystem, fuel-oil, sil-2, safety-trip, safe-state, session-591
SUB-REQ-050 The Fuel Oil System bulk storage tank, day tank, pipework, and filter assembly SHALL comply with ATEX Directive 2014/34/EU Zone 2 classification, include double-walled bund containment capable of retaining 110% of the bulk tank volume, and be equipped with fuel leak detection with annunciation to the EDG control panel.
Rationale: Diesel fuel storage at nuclear licensed sites is regulated under the ONR (Office for Nuclear Regulation) SA-EAF standard for fire and explosion prevention. ATEX Zone 2 classification is required because diesel vapour release in the EDG building during refuelling creates an intermittent flammable atmosphere. Double-walled bunding and leak detection are required by Environment Agency guidance on oil storage (PPG 2) to prevent fuel release into the nuclear site drainage system.
 Inspection subsystem, fuel-oil, sil-2, safety, atex, session-591
SUB-REQ-051 The Pre-Lube and Post-Lube Pump SHALL establish a minimum lubricating oil pressure of 1.5 bar at the engine main gallery within 20 seconds of receiving the pre-lubrication command, prior to the start air valve opening, to ensure all main and big-end bearings are wetted before cranking begins.
Rationale: Dry start bearing damage is the primary engine wear failure mode for standby diesel engines. A minimum 1.5 bar gallery pressure confirmed before air start valve energisation ensures oil film thickness on all critical bearing surfaces; IEEE Std 387 and BS EN 12601 require pre-lubrication as a condition precedent to starting for standby EDGs.
 Test
SUB-REQ-052 The Engine-Driven Lube Oil Pump SHALL maintain engine main gallery oil pressure within 3.5 bar to 5.5 bar at rated engine speed (750 rpm) and all operating temperatures within the normal range of 60°C to 100°C.
Rationale: Sustained bearing film integrity requires oil pressure to exceed the hydrodynamic minimum across the full thermal operating range. The 3.5–5.5 bar band is derived from OEM bearing clearance analysis; pressures below 3.5 bar trigger thin-film conditions at operating temperature, and pressures above 5.5 bar risk seal extrusion on the crankshaft front and rear seals.
 Test
SUB-REQ-053 The Lube Oil Cooler SHALL maintain engine lubricating oil outlet temperature within 80°C to 100°C at 100% rated engine load and maximum ambient design temperature of 40°C, using the closed-circuit engine jacket water as the cooling medium.
Rationale: Oil viscosity falls non-linearly above 100°C; at temperatures exceeding 105°C, multigrade oil viscosity index is insufficient to prevent metal-to-metal contact in the turbocharger bearings. 80°C lower bound is set to prevent oil condensation and sludging during warm-up transients. Jacket water as cooling medium avoids the need for an independent cooler circuit, consistent with ARC-REQ-006.
 Test
SUB-REQ-054 The Lube Oil Filter and Strainer SHALL maintain lubricating oil particle contamination downstream of the filter to ISO 4406 Class 17/15/12 or better throughout the EDG operational life, with an integral differential pressure indicator and high-differential-pressure alarm at 1.0 bar to alert operators before bypass valve opening.
Rationale: Turbocharger bearing clearances on high-speed turbines are in the 20–30 micron range; contamination above ISO 4406 Class 17 introduces particulates large enough to score bearing surfaces. The 1.0 bar differential alarm provides advance warning at 50% of the bypass-open setpoint (2.0 bar), allowing a maintenance window without forced shutdown.
 Test
SUB-REQ-055 The Pre-Lube and Post-Lube Pump SHALL continue post-shutdown lubrication circulation for a minimum of 10 minutes following EDG shutdown, maintaining oil gallery pressure above 0.8 bar to purge residual heat from the turbocharger bearing cartridge and prevent oil coking.
Rationale: Turbocharger bearing cartridges retain thermal mass after shutdown; without continued lubrication, residual heat oxidises oil in the bearing clearances (oil coking), producing deposits that can block the oil feed bore on the next start. A 10-minute post-lube duration at 0.8 bar gallery pressure is consistent with OEM turbocharger specifications for medium-speed diesel engines at this power rating.
 Test
SUB-REQ-056 When engine lubricating oil gallery pressure falls below 2.0 bar at any time during engine operation, the Engine Protection Relay Package SHALL initiate a hardwired engine trip within 500 ms, consistent with SUB-REQ-005, and the Lubrication and Bearing System SHALL shed all non-essential electrical consumers to prevent secondary damage.
Rationale: 2.0 bar is the minimum hydrodynamic film-forming pressure at operating temperature for the main bearings; sustained operation below this threshold causes bearing wiping within 10–30 seconds. The 500 ms trip time limit is consistent with SUB-REQ-005 and provides a conservative margin above the estimated bearing failure time.
 Test
SUB-REQ-057 The Automatic Voltage Regulator SHALL maintain the Synchronous Generator terminal voltage within ±1% of 6.6kV in steady-state at any load from 0% to 100% rated output current and power factor between 0.8 lagging and unity.
Rationale: The 6.6kV emergency bus supplies Class 1E switchgear and motor starters with a declared operating voltage window of 6.6kV ±10%; maintaining AVR regulation to ±1% allocates a conservative tolerance budget that prevents motor starting problems even when the bus is at the low-voltage limit. Tighter regulation than the ±10% load-shedding protection window ensures stable operation under load sequencer step changes.
 Test
SUB-REQ-058 The Automatic Voltage Regulator SHALL restore terminal voltage to within ±3% of 6.6kV within 1.5 seconds following a step load application of any individual safety load group connected by the load sequencer, without causing a generator protection trip.
Rationale: Each load sequencer step applies a block load to the generator bus. The 1.5-second recovery window is derived from the motor starting immunity characteristic of downstream Class 1E motor starters; voltage dips exceeding 20% (i.e., below 5.28kV) lasting longer than 1.5 seconds can cause contactor dropout and loss of safety function. The AVR transient response specification directly supports SUB-REQ-010 load sequencer timing.
 Test
SUB-REQ-059 The Generator Neutral Earthing Unit SHALL limit the earth fault current at the generator terminals to not more than 5 amperes (high-impedance earthing), using a resistor-loaded distribution transformer connected between the generator neutral point and earth, to restrict stator core damage during a phase-to-earth fault.
Rationale: Unrestricted earth fault currents on medium-voltage generators cause stator core lamination burning that requires costly rewinding or core replacement. 5A high-impedance earthing is the standard approach for class I generators per IEC 60034-3; it limits core damage to the faulted slot only, allowing repair rather than replacement, and is consistent with the generator protection relay differential and earth-fault scheme in SUB-REQ-027.
 Analysis
SUB-REQ-060 The Generator Cooling Fan SHALL start automatically upon engine rotation exceeding 50 rpm, maintain airflow through the stator winding and rotor end-turns throughout the operating period, and continue to rotate by inertia for not less than 5 minutes following engine shutdown to remove residual stator winding heat.
Rationale: Stator winding insulation class H (maximum 180°C hotspot) requires continuous forced cooling during and immediately after rated-load operation. The 50 rpm start threshold ensures cooling airflow is established before excitation is applied; the 5-minute coasting period is derived from the thermal time constant of the stator winding insulation system at rated load, preventing insulation ageing by capping post-load hotspot temperature rise.
 Test
SUB-REQ-061 The Automatic Voltage Regulator SHALL be classified as Class 1E I&C equipment per IEC 60780 and IEEE Std 603, and SHALL be qualified to operate across the seismic demand of the EDG site (0.5g peak spectral acceleration at 5 Hz) per IEEE Std 344, with at least one full operational test cycle performed under simulated seismic conditions.
Rationale: The AVR is an active I&C function whose failure during a seismic event would deprive the site of AC power at the moment it is most needed (post-earthquake station blackout). IEEE Std 603 and IEC 60780 require Class 1E qualification for I&C elements that are credited in the safety case; IEEE Std 344 seismic qualification is mandated by the ONR ENSREG SSE design basis, consistent with SYS-REQ-009 and ARC-REQ-002.
 Inspection

Interface Requirements (IFC)

Ref Requirement V&V Tags
IFC-REQ-001 The interface between the Emergency Diesel Generator and the National Grid SHALL detect loss of offsite power via redundant undervoltage relays monitoring 6.6kV bus voltage, with relay pickup at 90% nominal (5.94kV) and dropout at 70% nominal (4.62kV), and a time delay of no more than 100ms to discriminate between LOOP and transient voltage dips.
Rationale: External interface with National Grid. MoP basis: 90% nominal (5.94 kV) relay pickup is the IEEE C37.90 (Relays and Relay Systems Associated with Electric Power Apparatus) minimum undervoltage threshold for safety bus protection, confirmed as the ONR-preferred discrimination point between LOOP and motor starting voltage dips (typically 85-90% nominal). 70% dropout (4.62 kV) provides hysteresis to prevent relay chatter during voltage recovery. The 100 ms discrimination delay is derived from the maximum duration of a motor-starting voltage dip on the 6.6 kV bus; false positives consume reliability margin and trigger unnecessary maintenance entries.
 Test interface, external, session-570, idempotency:ifc-ext-grid-570, reqs-eng-session-577
IFC-REQ-002 The interface between the Emergency Diesel Generator and the Emergency AC Bus SHALL deliver 6.6kV 3-phase 50Hz power through a generator output breaker rated for the full fault current of the bus, with the generator breaker closing within 500ms of the EDG reaching rated voltage and frequency.
Rationale: External interface with Emergency AC Bus: the generator breaker is the boundary between EDG output and plant safety loads. Breaker closing time directly adds to the total power restoration time.
 Test interface, external, session-570, idempotency:ifc-ext-bus-570
IFC-REQ-003 The interface between the Emergency Diesel Generator and the Ultimate Heat Sink SHALL provide cooling water flow of at least 150 m3/h at a maximum inlet temperature of 30°C for engine jacket water and aftercooler heat rejection, when a water-cooled design is selected.
Rationale: External interface with Ultimate Heat Sink. MoP basis: 150 m3/h cooling water flow rate is derived from the engine OEM thermal balance calculation: at rated brake power, jacket water heat rejection is approximately 1.2 MW requiring this flow at a 5°C temperature rise across the heat exchanger. The 30°C maximum inlet temperature is the UK coastal site 99th percentile sea/river water temperature from UK Met Office climatological data; exceeding this would reduce heat exchanger effectiveness and drive coolant temperature above the 88°C jacket water thermostat setpoint under sustained full-load operation.
 Test interface, external, session-570, idempotency:ifc-ext-uhs-570, reqs-eng-session-577
IFC-REQ-004 The interface between the Emergency Diesel Generator and the Plant Protection System SHALL accept a hardwired LOOP start signal (24VDC energise-to-start) and provide EDG status feedback signals (running, loaded, tripped, available) to the protection system safeguards logic.
Rationale: External interface with Plant Protection System: the start signal is the safety-critical command that initiates EDG response. Hardwired implementation per IEC 61513 (Nuclear power plants — Instrumentation and control important to safety) ensures independence from digital system common cause failure.
 Test interface, external, session-570, idempotency:ifc-ext-pps-570
IFC-REQ-005 The interface between the Emergency Diesel Generator and the Main Control Room SHALL provide continuous analogue and digital signals for display of EDG operating parameters, alarm inputs for all abnormal conditions, and command outputs for manual start/stop and transfer authorisation, over qualified Class 1E cabling.
Rationale: External interface with Main Control Room: operator situational awareness depends on real-time parameter display. All scenarios require operator monitoring and command capability from MCR.
 Demonstration interface, external, session-570, idempotency:ifc-ext-mcr-570
IFC-REQ-006 The interface between the Emergency Diesel Generator and the Fuel Supply infrastructure SHALL accept diesel fuel delivery via road tanker to bulk storage tanks through a fill connection with overfill protection, with automatic day tank level management maintaining a minimum 2-hour fuel reserve at all times.
Rationale: External interface with Fuel Supply: the fill connection and overfill protection are the boundary between off-site logistics and on-site fuel management. The 2-hour day tank reserve ensures EDG continues running even if bulk transfer pump fails temporarily.
 Inspection interface, external, session-570, idempotency:ifc-ext-fuel-570
IFC-REQ-007 The interface between the Emergency Diesel Generator and the DC Battery System SHALL provide 125VDC Class 1E control power for EDG instrumentation and control, and 24VDC starting battery power for air start solenoid valves, with battery chargers powered from the EDG output bus to maintain charge during LOOP.
Rationale: External interface with DC Battery System: DC power is essential for EDG control and starting. The battery charger feedback loop (EDG powers charger, charger maintains battery, battery enables next start) must be validated for extended LOOP scenarios.
 Test interface, external, session-570, idempotency:ifc-ext-dc-570
IFC-REQ-008 The interface between the Diesel Engine Assembly (Fuel Injection System) and the Fuel Oil System SHALL deliver filtered diesel fuel at 3.0 to 5.0 bar gauge feed pressure at the injection pump inlet, with fuel cleanliness compliant with ISO 4406 cleanliness class 18/16/13, and a minimum flow rate of 1.5× maximum injection pump demand at rated power.
Rationale: The injection pump requires minimum feed pressure to prevent vapour locking and maintain injection accuracy; 3.0 bar provides a positive pressure margin above injection pump inlet requirements even at maximum ambient temperature. ISO 4406 cleanliness class 18/16/13 is consistent with the injection pump manufacturer's requirement for particulate cleanliness; contamination above this level causes accelerated pump barrel-plunger wear. The 1.5× flow factor accounts for fuel return flow from the overflow valve and provides margin during transient load demand.
 Test interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-fuel-supply-571
IFC-REQ-009 The interface between the Diesel Engine Assembly (Engine Block) and the Engine Cooling System SHALL accept coolant flow at the engine inlet at a minimum of 120 m3/h at 70°C to 85°C inlet temperature, with jacket water pressure at the engine block coolant ports maintained between 0.5 and 2.0 bar gauge to prevent cavitation erosion of the wet-liner cylinder bores.
Rationale: Jacket water temperature range and flow rate are set by the engine OEM thermal model to keep metal temperatures within allowable limits: cylinder liner temperature must remain below 180°C to prevent lubricant film breakdown; below 70°C inlet temperature causes condensation and acid corrosion in the liner bores. Jacket water pressure must be positive to prevent cavitation erosion of aluminium-bronze liners during high-frequency combustion pressure pulses — a known failure mode in medium-speed diesels operating below minimum specified flow. Interface defined here because the cooling system is a separate SIL-2 subsystem per ARC-REQ-006.
 Test interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-cooling-571
IFC-REQ-010 The interface between the Diesel Engine Assembly (Engine Block, Turbocharger) and the Lubrication Oil System SHALL provide lubricating oil at the main gallery entry at 4.0 to 6.5 bar gauge and oil temperature between 60°C and 90°C, with oil cleanliness compliant with ISO 4406 class 16/14/11, sustained from cold start until the engine reaches rated speed.
Rationale: Main gallery oil pressure of 4.0-6.5 bar is the OEM requirement for hydrodynamic bearing film formation at 750 rpm; the low-pressure trip at 2.0 bar (SUB-REQ-005) provides a 2 bar margin below minimum operating pressure. Oil temperature below 60°C causes high viscosity and reduced flow to the turbocharger bearings, risking coking during start-up; above 90°C the oil viscosity drops below the minimum for bearing film formation. The ISO 4406 cleanliness class is tighter than the fuel requirement because the turbocharger bearings at 30,000+ rpm are more sensitive to particulate contamination than the injection pump.
 Test interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-lubrication-571
IFC-REQ-011 The Starting Air System–Engine Assembly interface SHALL supply 25–30 bar compressed air to the air start distributor inlet, cranking the engine to at least 120 rpm within 1.5 seconds of start signal at -10°C ambient.
Rationale: Air start distributor inlet pressure of 25-30 bar is the OEM cranking design pressure, providing enough torque to overcome cold-oil viscosity at -10°C ambient; below 20 bar the cranking torque is insufficient for reliable self-sustaining combustion achievement within the 3-second budget (SUB-REQ-001). The 120 rpm minimum cranking speed is the threshold at which compression-ignition diesels reliably achieve first combustion on qualified nuclear-grade engines. Per ARC-REQ-004, the compressed air starting choice is driven by consistent cold-weather cranking torque versus battery starting alternatives.
 Test interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-starting-air-571, reqs-eng-session-583
IFC-REQ-012 The interface between the Diesel Engine Assembly and the EDG Instrumentation and Control System SHALL provide continuous 4-20 mA analogue signals for: engine speed (0-1000 rpm), jacket water outlet temperature (0-120°C), lubricating oil pressure (0-10 bar), and fuel rack position (0-100%); and SHALL provide hardwired 24VDC discrete inputs from the Engine Protection Relay Package to the I&C for each trip function status (overspeed, high coolant temp, low oil pressure, overcurrent), with signal cable rated for Class 1E nuclear service per IEEE Std 383 (Standard for Type Testing of Class 1E Electric Cables, Field Splices, and Connections for Nuclear Power Generating Stations).
Rationale: The 4-20 mA standard loop signal is the nuclear industry standard for qualified analogue instrumentation — it is immune to common mode voltage, allows wire-break detection (open = 0 mA), and is compatible with Class 1E qualified transmitters and I&C input cards. The parameter ranges are set to span the full operating and alarm ranges with 10% headroom. The hardwired discrete inputs for protection status ensure the I&C system receives protection status via a deterministic path, not via network communication which could be disrupted. Class 1E cable qualification per IEEE Std 383 is required for safety system cabling in nuclear plants.
 Inspection interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-ic-signals-571
IFC-REQ-013 The interface between the Diesel Engine Assembly (Crankshaft and Flexible Shaft Coupling) and the Synchronous Generator rotor shaft SHALL transmit rated mechanical power at 750 rpm with maximum torsional vibration amplitude not exceeding ±5% of rated torque at any harmonic order, and SHALL accommodate misalignment of up to 0.3 mm parallel offset and 0.1° angular without transmitting bending loads to either crankshaft or generator shaft bearing.
Rationale: The torsional vibration limit of ±5% is derived from the synchronous generator's design basis for oscillatory torque on the rotor shaft and drive-end bearing — exceeding this causes cyclic fatigue in the shaft key and coupling hub. The misalignment tolerance of 0.3 mm / 0.1° is the flexible coupling manufacturer's specification for the expected thermal growth differential between the engine and generator frames under operating conditions; rigidly coupling without misalignment accommodation would transmit bending moments to the crankshaft main bearings, violating their design load case.
 Test interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-generator-coupling-571
IFC-REQ-014 The interface between the EDG Instrumentation and Control System and the Starting Air System Air Start Valve SHALL transmit a 125VDC Class 1E start command via a dedicated hardwired discrete signal, energising the solenoid valve within 200 ms of LOOP detection to initiate engine cranking.
Rationale: The start command interface is on the critical timing path between LOOP detection and engine cranking. A hardwired discrete signal (not networked) is required to achieve the deterministic 200 ms timing budget and to maintain SIL 3 integrity — network-routed commands introduce non-deterministic latency and shared-cause vulnerability. 125VDC Class 1E power ensures the interface remains functional under loss of normal AC power, which is the exact condition requiring EDG start.
 Test interface, starting-air-system, ic-system, sil-3, session-581, idempotency:ifc-ic-sas-start-command-581
IFC-REQ-015 The interface between the Starting Air System Pressure Monitoring and Low-Pressure Alarm and the EDG Instrumentation and Control System SHALL transmit continuous 4-20 mA analogue pressure signals from each receiver bank at a minimum scan rate of 1 Hz, with hardwired discrete alarm contacts closing within 5 seconds of low-pressure threshold being reached.
Rationale: Continuous pressure monitoring enables trend-based maintenance scheduling and early detection of receiver leakage. The 1 Hz scan rate is sufficient to track pressure decay curves between start attempts. The hardwired alarm contact is required independently of the analogue signal so that the alarm function is not defeated by I&C software failure — consistent with SIL 3 architecture requiring independence of alarm and control paths.
 Test interface, starting-air-system, ic-system, session-581, idempotency:ifc-sas-pressure-to-ic-581
IFC-REQ-016 The interface between the Bus Undervoltage Sensing Relay and the Generator Circuit Breaker shall carry a hardwired Class 1E 125VDC discrete start initiation signal; the signal shall be current-limited to 50mA, the cable routing shall be segregated from non-Class 1E cabling per IEEE 384, and signal transmission shall be failsafe such that an open-circuit condition is interpreted as a start demand.
Rationale: Hardwired 125VDC discrete interface prevents cyber interference with the LOOP initiation path per SYS-REQ-012. 50mA current limit prevents cable insulation damage from a ground fault causing an inadvertent start. IEEE 384 segregation ensures a fire or cable fault cannot simultaneously disable both the signal and the return circuit. Open-circuit failsafe ensures cable damage generates a conservative start demand rather than silently defeating the safety function.
 Test interface, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:ifc-buvr-gcb-start-582
IFC-REQ-017 The interface between the Synchronising Check Relay and the Generator Circuit Breaker SHALL carry a hardwired 125VDC discrete close-permission signal active only when synchronising conditions are satisfied or dead-bus override is active; the interface SHALL include a mechanical anti-pumping interlock preventing more than one close attempt per close command, and the permissive signal SHALL be removed within 50ms of a synchronising condition violation.
Rationale: Hardwired close permission keeps the synchronising function independent of digital control systems. Anti-pumping interlock prevents repeated GCB close-open-close cycles on a marginal synchronising condition, which would mechanically stress the GCB mechanism and risk weld failure of contacts. 50ms permissive withdrawal time ensures the GCB cannot complete a close operation outside the synchronising window given its 100ms mechanical close time, preventing out-of-phase closure.
 Test interface, electrical-switchgear-and-load-sequencer, sil-3, session-582, idempotency:ifc-scr-gcb-close-permission-582
IFC-REQ-018 The interface between the Generator Electrical Protection Relay Package and the Generator Circuit Breaker SHALL deliver a hardwired trip signal via a dedicated Class 1E trip coil circuit with a maximum resistance of 10 ohms total (cable plus coil), the trip contact shall be rated for interrupting 5A inductive DC load at 125VDC, and the trip circuit shall be continuously supervised such that a broken or high-resistance circuit triggers an alarm to the Main Control Room within 5 seconds.
Rationale: Maximum 10 ohm trip circuit resistance ensures the GCB trip coil receives minimum 11.9A at lowest battery voltage (95VDC), exceeding the minimum trip coil pick-up current. Trip contact 5A inductive DC rating matches the GCB trip coil inrush current at 125VDC. Continuous trip circuit supervision (wiring integrity monitoring) detects broken trip wires before a protection demand occurs; the 5-second alarm delay filters transient monitoring glitches without leaving the generator unprotected. Required per BS EN 60947-2 circuit breaker protection application.
 Test interface, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:ifc-geprp-gcb-trip-582
IFC-REQ-019 The interface between the Ventilation and Combustion Air System and the Diesel Engine Assembly SHALL supply combustion air at a velocity not exceeding 8 m/s at the engine air intake plenum, with particulate filtration to ISO 16890 ePM1 55% efficiency to prevent ingestion of construction debris or environmental particulates.
Rationale: Excessive inlet velocity causes turbulent losses in the engine air intake, degrading volumetric efficiency and potentially raising intake manifold temperature. The 8 m/s limit matches engine OEM intake ductwork design constraints. ISO 16890 ePM1 55% filtration is the minimum grade that prevents turbocharger fouling during the expected 7-day extended run period per nuclear ConOps.
 Test interface, edg-building, hvac, session-586, idempotency:ifc-hvac-engine-air-586
IFC-REQ-020 The interface between the Fire Detection and Suppression System and the Ventilation and Combustion Air System SHALL transmit a hardwired ventilation isolation signal within 5 seconds of confirmed fire detection, causing the Ventilation and Combustion Air System to close all dampers and shut off fans to prevent gaseous suppression agent dilution.
Rationale: Gaseous total-flood fire suppression (CO2 or FM200) requires isolation of all air paths into the protected enclosure to maintain agent concentration above the minimum extinguishing design concentration for 10 minutes per NFPA 2001 and BS EN 15004. If ventilation continues, the agent disperses below minimum concentration before the fire is extinguished. The 5-second isolation time precedes typical suppression discharge delay of 30-60 seconds, ensuring ventilation is off before agent release.
 Test interface, edg-building, fire, hvac, session-586, idempotency:ifc-fire-hvac-shutdown-586
IFC-REQ-021 The interface between the Drain and Spill Containment System and the Fuel Oil System SHALL provide a continuous bunded collection path for all Fuel Oil System components within the EDG building, such that any fuel release up to the full day-tank volume (4,000 litres) is captured within the sump without reaching an ignition source or drainage to uncontrolled discharge.
Rationale: The Fuel Oil System day tank is the largest single flammable fluid inventory in the EDG building. Without a continuous bunded path from every fuel connection to the sump, a pipe joint failure or tank overflow would flow across an unprotected floor to the engine exhaust system, which operates at 600-700°C and provides an ignition source. This interface requirement enforces the physical routing of drains established by the fire risk assessment per UK HSE Process Safety Management standards.
 Inspection interface, edg-building, flood, fuel, session-586, idempotency:ifc-drain-fuel-contain-586
IFC-REQ-022 The interface between the Coolant Circulation Pump and the Engine Jacket Water Circuit SHALL transmit coolant at a minimum flow rate of 150 L/min at 0.8 bar gauge pressure, with pump suction pressure maintained above 0.2 bar to prevent cavitation across the full engine load range.
Rationale: Cavitation at pump inlet during high-speed engine operation is a known failure mode in standby diesel cooling circuits; the 0.2 bar suction minimum is derived from pump NPSH data and the circuit head loss at maximum flow. Loss of this interface during a LOOP event would cause engine overtemperature within minutes.
 Test interface, engine-cooling, sil-2, session-591
IFC-REQ-023 The interface between the Engine Pre-heat System and the Engine Jacket Water Circuit SHALL maintain standby jacket water temperature at ≥35°C using a 3 kW electric immersion heater circuit controlled by a thermostat with ±2°C hysteresis, supplied from the station UPS to remain active during AC blackout conditions.
Rationale: The pre-heat circuit must operate during blackout to maintain start readiness — this is precisely the scenario in which the EDG is required. AC supply from the UPS (rather than normal supply) ensures the heater remains energised during the bus blackout that triggers the EDG start demand. The ±2°C thermostat hysteresis prevents rapid cycling that degrades the heater element.
 Demonstration interface, engine-cooling, sil-2, session-591
IFC-REQ-024 The interface between the Thermostatic Control Valve and the Radiator/Heat Exchanger SHALL route hot-side coolant flow to the heat exchanger at 0% to 100% of pump flow as a linear function of jacket water temperature between 75°C (full bypass) and 82°C (full radiator flow), with valve stroke response time not exceeding 5 seconds.
Rationale: A 5-second stroke response is required to prevent the coolant temperature overshooting the 85°C upper limit during load step changes; faster valves introduce hunting. The 75–82°C operating band is set to provide a 10°C margin above the 75°C warm-up floor and a 3°C margin below the 85°C operating limit.
 Test interface, engine-cooling, sil-2, session-591
IFC-REQ-025 The interface between the Engine Cooling System and the EDG Instrumentation and Control System SHALL provide two independent 4-20 mA Pt100 temperature signals from the jacket water outlet header, a hardwired discrete trip output on cooling loss (active low, fail-safe), and a 4-20 mA coolant pressure signal, all routed on SIL 2 qualified cable with physical segregation from non-safety circuits.
Rationale: Two independent temperature signals provide 1-of-2 voting logic in the I&C system for the engine overtemperature trip, consistent with IEC 61511 SIL 2 diagnostic coverage requirements. The fail-safe active-low trip output ensures that loss of signal (cable break) defaults to the safe state (engine trip). Physical segregation is required by BS EN 61000 (Electromagnetic compatibility) to prevent I&C trip spurious actuation from EMI generated by engine ignition circuits.
 Inspection interface, engine-cooling, sil-2, safety-critical, session-591
IFC-REQ-026 The interface between the Fuel Transfer Pump and the Day Tank SHALL deliver fuel at a minimum transfer rate of 50 L/min from the Bulk Storage Tank, controlled by a float-switch level signal from the Day Tank Level Control and Alarm unit, with transfer pump status (running/fault) monitored by the EDG I&C system.
Rationale: 50 L/min transfer rate is derived from the Day Tank volume and the 30-minute refill requirement in SUB-REQ-048; lower rates risk delayed refill that allows the Day Tank to reach the low-fuel alarm threshold before transfer completes. Pump status monitoring is required for operator awareness during sustained LOOP events.
 Test interface, fuel-oil, sil-2, session-591
IFC-REQ-027 The interface between the Day Tank and the engine fuel injection system SHALL provide a continuous, uninterrupted fuel supply at 0.3 bar to 0.7 bar gauge with fuel temperature maintained between 10°C and 40°C to ensure fuel viscosity remains within the OEM injection pump specification throughout the engine operating range.
Rationale: Fuel temperature limits are required because marine diesel viscosity varies by a factor of three between -5°C and 50°C; at the extremes, pump volumetric efficiency and atomisation quality degrade to the point where governor control authority is insufficient to maintain rated frequency. Tank heating and insulation are required in the EDG building HVAC design to maintain the 10°C lower limit at the -10°C ambient design minimum.
 Test interface, fuel-oil, sil-2, session-591
IFC-REQ-028 The interface between the Fuel Oil Strainer and Filter Assembly and the engine fuel injection system SHALL provide clean fuel at ISO 4406 ≤16/13/10, with differential pressure measurement across the filter element transmitted as a 4-20 mA signal to the EDG I&C panel, and a mechanical bypass valve set to open at 1.0 bar differential to protect the injection pump in the event of filter blockage.
Rationale: The bypass valve protects the injection pump from starvation caused by a blocked filter during an unattended LOOP event. The bypass set-point of 1.0 bar is set above the 0.5 bar alarm threshold (SUB-REQ-047) to allow the alarm to trigger before bypass occurs, so the shift supervisor can initiate maintenance before unfiltered fuel reaches the injectors.
 Inspection interface, fuel-oil, sil-2, session-591

Architecture Decisions (ARC)

Ref Requirement V&V Tags
ARC-REQ-001 The Emergency Diesel Generator design SHALL employ a medium-speed 4-stroke turbocharged diesel engine operating at 750 rpm or 1,000 rpm, achieving a start-on-demand probability of not less than 0.975.
Rationale: Medium-speed 4-stroke turbocharged diesels (750/1000 rpm) are the established nuclear-grade choice for emergency power: they achieve >0.975 start-on-demand probability, are qualified under IEEE 387 and IEC 60034 by multiple OEMs, and have 5,000+ hour overhaul intervals compatible with refuelling outage maintenance cycles. High-speed units achieve faster start but exhibit inferior long-term reliability; 2-stroke diesels are not available at the required power class.
 Inspection architecture, engine, session-570, idempotency:arc-engine-570, informational, session-572, reqs-eng-session-577
ARC-REQ-002 The Emergency Diesel Generator design SHALL implement engine protection trip functions (overspeed, overtemperature, low oil pressure) as hardwired relay circuits physically independent of the digital monitoring and control system.
Rationale: Separation of protection and control is mandated by IEC 61513 (Nuclear power plants — I&C systems — General requirements for systems) and UK ONR Safety Assessment Principles (SAPs). Hardwired relay protection provides deterministic, software-independent trip response and eliminates common-cause software failure and cyber vulnerabilities (hazard H-010) from the safety-critical trip path.
 Inspection architecture, ic-system, session-570, idempotency:arc-ic-separation-570, informational, session-572, reqs-eng-session-577
ARC-REQ-003 The Emergency Diesel Generator design SHALL provide two fully independent trains (Train A and Train B), each with dedicated engine, generator, fuel storage, cooling, starting air, I&C, and switchgear housed in separate fire-rated buildings.
Rationale: Train independence is required by UK GDA process and ONR SAPs to meet single-failure criterion: any active failure in one train must not prevent the other train from fulfilling its safety function. Physical separation in fire-rated buildings eliminates propagating hazards (fire, flood) and directly supports the N+1 redundancy allocation across EDG trains A and B.
 Inspection architecture, redundancy, session-570, idempotency:arc-train-independence-570, informational, session-572, reqs-eng-session-577
ARC-REQ-004 The Emergency Diesel Generator design SHALL use compressed-air starting with air receivers sized for not fewer than 5 consecutive start attempts without recharge.
Rationale: Compressed air starting is the industry standard for diesel engines above 500 kW. It provides consistent cranking torque (15-25 bar) independent of ambient temperature, whereas battery cold-cranking capacity degrades by ~40% below 0°C. Five consecutive starts per demand event are consistent with IEEE 387 starting-reliability requirements.
 Demonstration architecture, starting-air, session-570, idempotency:arc-starting-570, informational, session-572, reqs-eng-session-577
ARC-REQ-005 The Emergency Diesel Generator design SHALL integrate LOOP detection, generator breaker control, and load sequencing within a single Electrical Switchgear and Load Sequencer subsystem sharing the 6.6 kV bus environment.
Rationale: Grouping these functions in one subsystem reduces the interface count and eliminates race conditions from distribution across I&C and power subsystems. All three functions share the 6.6 kV bus environment, common failure modes, and are tested together under IEEE 387 load-acceptance tests. A single subsystem boundary simplifies post-event audit trails for nuclear post-event analysis.
 Inspection architecture, switchgear, session-570, idempotency:arc-switchgear-570, informational, session-572, reqs-eng-session-577
ARC-REQ-006 The Emergency Diesel Generator design SHALL implement engine cooling as a dedicated subsystem independent of the Diesel Engine Assembly, with a separate fault tree analysis satisfying SIL 2 targets for hazard H-006.
Rationale: Hazard H-006 (cooling system failure) is classified SIL 2 under IEC 61508 (Functional safety of E/E/PE safety-related systems), requiring independent fault tree analysis. The cooling subsystem has distinct failure modes (fan belt, radiator blockage, coolant chemistry degradation) not correlated with engine mechanical failure, interfaces externally to a separate heat sink, and requires a distinct maintenance regime.
 Inspection architecture, cooling, session-570, idempotency:arc-cooling-570, informational, session-572, reqs-eng-session-577
ARC-REQ-007 ARC: EDG Building and Support Systems — Seismic Category I dedicated enclosure with four integrated sub-functions. The building is decomposed into: (1) EDG Building Structure (Seismic Cat I reinforced concrete providing missile/blast protection and inter-train physical separation); (2) EDG Building HVAC System (Class 1E ventilation providing combustion air and room cooling, auto-starting with engine); (3) EDG Flood and Drainage System (passive barriers plus active bunded sump providing worst-case flood containment without affecting engine operability); (4) EDG Building Access Control System (security zone management, SIL 0, backed by Class 1E 125VDC). Alternatives considered: (a) shared HVAC between trains — rejected because common-cause HVAC failure could disable both trains; (b) active flood pumps as primary barrier — rejected because passive first-line protection is more reliable during LOOP when pump power may be interrupted. The SIL 2 allocation applies to Structure, HVAC, and Flood systems; Access Control is SIL 0 (security function, not safety).
Rationale: Decomposition decision required to prevent common-cause structural, thermal, and flood failure paths from coupling the two EDG trains. Each component has distinct failure modes and testing intervals, necessitating separate classification and independent requirement derivation. SIL 2 is inherited from SYS-REQ-009 (seismic) and SYS-REQ-011 (fire/flood) which bound the building safety functions.
 Inspection architecture, edg-building, session-586, idempotency:arc-edg-building-586, informational, qc-session-589
ARC-REQ-008 ARC: Fuel Oil System — Gravity-fed Day Tank with automatic transfer from bulk storage. The system uses a two-level storage architecture (Bulk Storage Tank → Day Tank → engine) to decouple the engine from the bulk transfer system. The Day Tank is elevated to provide gravity-fed fuel supply to the injection pump without a booster pump, eliminating a potential single-point failure in the fuel supply path. Fuel transfer is controlled by float-switch automation rather than a timed sequence to accommodate variable engine fuel consumption rates across the load range. The Bulk Storage Tank is sized at 110% of the 7-day SYS requirement to provide operating margin for the gravity-feed architecture's inability to fully drain to zero.
Rationale: The two-level gravity-feed architecture was selected over a direct single-tank pumped supply because: (1) Day Tank gravity feed eliminates pump failure as an engine starvation cause; (2) the architectural separation allows the bulk transfer pump to be maintained or replaced without interrupting engine operation; (3) float-switch control is simpler and more reliable than timed or flow-metered control in a nuclear qualified environment.
 Inspection architecture, fuel-oil, session-591, idempotency:arc-fuel-oil-system-591

Verification Plan (VER)

Ref Requirement V&V Tags
VER-REQ-001 The Diesel Engine Assembly cold-start acceptance test SHALL confirm self-sustaining rotation within 3 seconds of start signal when tested from -10°C ambient with the starting air system pre-charged to 25 bar.
Rationale: Cold start at -10°C is the worst-case scenario for start time per STK-REQ-017; if the engine meets the 3-second criterion at minimum temperature it will meet it at all higher temperatures. The test confirms fuel injection system and compression pressure are sufficient for cold combustion. Procedure: record time via exhaust thermocouple response and starter air valve closure.
 Test verification, diesel-engine-assembly, session-571, idempotency:ver-sub001-cold-start-571, reqs-eng-session-577
VER-REQ-002 The Engine Protection Relay Package functional test SHALL confirm each trip relay (overspeed at 865 rpm, high coolant temperature at 91°C, low oil pressure at 1.9 bar) actuates within 2 seconds with the digital control system de-energised.
Rationale: Testing with the digital control system de-energised confirms fail-safe operation of the hardwired protection as required by ARC-REQ-002 and IEC 61513. The 2-second criterion is derived from the 5-second engine standstill requirement (VER-REQ-003) leaving margin for fuel rack response. Each channel must be tested independently to confirm there is no shared-mode defeat path.
 Test verification, diesel-engine-assembly, sil-3, safety-trip, session-571, idempotency:ver-sub-protection-trips-571, reqs-eng-session-577
VER-REQ-003 The Diesel Engine Assembly protection trip test SHALL confirm engine standstill (crankshaft speed below 5 rpm) within 5 seconds of manual trip signal for each of the three protection relay channels at 50% rated load.
Rationale: Testing at 50% load represents a conservative loaded condition without risk of overloading the test power system. Five seconds to standstill bounds the fuel injection system response time and confirms the mechanical trip train integrity. Each of the three channels is tested in independent runs to eliminate compensating failure detection.
 Test verification, diesel-engine-assembly, sil-3, safe-state, session-571, idempotency:ver-sub009-safe-state-571, reqs-eng-session-577
VER-REQ-004 The Fuel Injection System interface acceptance test SHALL confirm steady-state fuel feed pressure at the injection pump inlet is 3.0–5.0 bar and fuel cleanliness is ISO 4406 class 18/16/13 or cleaner at rated engine load.
Rationale: The 3.0–5.0 bar pressure range is the OEM injection pump inlet specification; exceedance causes injector spray pattern degradation and sub-band triggers pump cavitation. ISO 4406 class 18/16/13 is the OEM-specified cleanliness limit above which injection nozzle wear rate increases non-linearly. Test at rated load produces worst-case fuel flow and thermal state.
 Test verification, diesel-engine-assembly, session-571, idempotency:ver-ifc008-fuel-supply-571, reqs-eng-session-577
VER-REQ-005 The Starting Air System interface test SHALL confirm air start distributor inlet pressure of 25–30 bar at start signal initiation and engine cranking speed reaching 120 rpm within 1.5 seconds, repeated at -10°C ambient.
Rationale: The 25–30 bar inlet pressure range brackets the OEM cranking torque requirement for reliable first-cycle ignition. Achieving 120 rpm within 1.5 seconds confirms the air volume and flow rate are sufficient for the mechanical compression ratio of the engine. Repeating at -10°C validates the system under the worst-case viscosity and thermal conditions per STK-REQ-017.
 Test verification, diesel-engine-assembly, sil-3, session-571, idempotency:ver-ifc011-start-air-571, reqs-eng-session-577
VER-REQ-006 The end-to-end EDG start chain acceptance test SHALL confirm bus undervoltage detection within 100 ms, rated voltage and frequency within 10 seconds, and all safety loads connected within 60 seconds of a LOOP signal below 5.94 kV under 100% rated load.
Rationale: This integrated test verifies the complete start chain: LOOP detection (SYS-REQ-002), engine start (SUB-REQ-001), rated output (SYS-REQ-001), and load sequencing (SYS-REQ-003). Testing under 100% rated load step represents the worst-case voltage dip at breaker close. Data sampled at 100 Hz from LOOP detection to full load connection provides the evidence chain for ONR surveillance records.
 Test verification, integration, sil-3, session-571, idempotency:ver-integration-edg-start-chain-571, reqs-eng-session-577
VER-REQ-007 The Diesel Engine Assembly 24-hour endurance test SHALL confirm continuous operation at rated output with speed variation not exceeding 750 rpm ±7.5 rpm at all measurement points throughout the test duration.
Rationale: The 24-hour duration demonstrates suitability for extended station blackout events per IEEE 387 and STK-REQ-005. Speed variation ±1% of synchronous speed (750 ±7.5 rpm) is the IEC 60034 governing limit for generator frequency stability; exceedance would cause protective relay operations. Speed is recorded at 1-second intervals at 0h, 1h, 4h, 8h, 16h, and 24h to detect drift and degradation.
 Test session-572, verification, diesel-engine-assembly, idempotency:ver-sub002-003-endurance-572, reqs-eng-session-577
VER-REQ-008 The EDG automatic start acceptance test SHALL confirm LOOP detection within 200 ms and bus voltage rising to 6.6 kV ±10% within 10 seconds of a simulated undervoltage signal at 5.80 kV, verified in three consecutive tests from cold standby.
Rationale: Three consecutive tests from cold standby demonstrate the statistical reliability of the start chain rather than a single-shot result. The 5.80 kV stimulus (below the 5.94 kV threshold) represents the worst-case detection-margin operating point. Ten-second voltage rise aligns with SYS-REQ-001 and IEEE 387 acceptance criteria for nuclear emergency diesel generators.
 Test session-572, verification, loop-detection, idempotency:ver-ifc001-002-loop-572, reqs-eng-session-577
VER-REQ-009 The Emergency Diesel Generator seismic qualification SHALL demonstrate by analysis per IEEE 344 that all safety-related mounting interfaces maintain structural integrity and functionality at Seismic Category I (0.3g horizontal, 0.2g vertical ZPA).
Rationale: IEEE 344 (IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations) is the mandatory qualification standard for safety-related equipment. Analysis using the Original Design Specification static seismic loads is the primary method; shake table testing per IEC 60980 is the fallback if analysis is insufficient. Qualification covers engine cradle welds, generator stator support, and control panel anchors.
 Analysis session-572, verification, seismic, idempotency:ver-sub008-seismic-572, reqs-eng-session-577
VER-REQ-010 The Load Sequencer acceptance test SHALL confirm the first priority load group connects within 1 second of generator breaker closure and total safety load restoration completes within 10 seconds with generator voltage remaining within 6.6 kV ±10%.
Rationale: The 1-second first-group connection criterion limits the dip in essential bus voltage to within generator transient recovery limits. The 10-second total restoration window aligns with SYS-REQ-003 load connection requirement. The 500 ms minimum interval between groups is the OEM-specified generator transient recovery time to prevent cumulative voltage collapse. Test uses a resistive load bank per priority group at 10 ms timestamp resolution.
 Test session-572, verification, switchgear-load-sequencer, idempotency:ver-sub010-load-seq-572, reqs-eng-session-577
VER-REQ-011 The Diesel Fuel Injection System acceptance test SHALL confirm fuel delivery metering by measuring cylinder-to-cylinder fuel quantity variation using a calibrated combustion analyser at steady-state rated load, achieving ≤±3% of mean fuel quantity per injection event per SUB-REQ-007.
Rationale: SUB-REQ-007 mandates ±3% cylinder-to-cylinder fuel variation to prevent thermal overload; this VER entry provides the specific test procedure — combustion analyser measurement during the monthly surveillance test (SYS-REQ-013). Without an explicit test, injection pump calibration drift could exceed the limit between overhaul intervals, increasing crankshaft fatigue and catastrophic failure risk (hazard H-001).
 Test session-580, qc, verification, diesel-engine-assembly, idempotency:ver-fuel-injection-metering-580
VER-REQ-012 The Fuel Oil System volume acceptance test SHALL confirm minimum usable fuel inventory by physical measurement of day tank and bulk storage tank levels under operating conditions, verifying ≥7,000 litres per EDG train with fuel meeting CIMAC Class DM specification per SUB-REQ-011.
Rationale: SUB-REQ-011 mandates a 7,000-litre minimum inventory for 7-day mission duration. Inspection of tank contents and fuel quality certificate ensures the 7-day SBO mission (STK-REQ-005, SYS-REQ-008) can be sustained. Fuel quality verification (CIMAC DM) prevents injection system contamination damage during extended operation when no commercial resupply is possible.
 Inspection session-580, qc, verification, fuel-oil-system, idempotency:ver-fuel-oil-inventory-580
VER-REQ-013 The Ultimate Heat Sink cooling water interface acceptance test SHALL confirm minimum flow of 150 m³/h at ≤30°C inlet temperature under rated load conditions using calibrated flow meters, verifying IFC-REQ-003 compliance and confirming jacket water outlet temperature remains below 88°C thermostat setpoint.
Rationale: IFC-REQ-003 defines the cooling water flow and temperature requirement at the EDG/UHS boundary. Testing under rated load conditions is required to confirm heat exchanger performance prior to nuclear plant commissioning — failure to achieve adequate flow would cause engine overtemperature and forced shutdown of the EDG, defeating the safety function during accident conditions.
 Test session-580, qc, verification, cooling, idempotency:ver-uhs-cooling-interface-580
VER-REQ-014 The Emergency Diesel Generator MCR interface functional test SHALL verify that all specified analogue and digital EDG operating parameters display correctly at the MCR console, all abnormal condition alarms actuate within 2 seconds of simulated fault injection, and manual start/stop commands are executed within 5 seconds, over the qualified Class 1E cabling per IFC-REQ-005.
Rationale: IFC-REQ-005 specifies the MCR interface signals required for operator monitoring and control. Functional testing of all alarm and command channels is required by ONR Safety Assessment Principles — the operator must be able to diagnose and respond to EDG abnormalities from the MCR during a design basis accident. Without testing, Class 1E cabling faults may prevent alarms from reaching the operator at the critical moment.
 Test session-580, qc, verification, mcr-interface, idempotency:ver-mcr-interface-580
VER-REQ-015 The Fuel Supply infrastructure interface inspection SHALL verify the fuel fill connection, overfill protection activation at 95% tank capacity, and automatic day tank level management by confirming minimum 2-hour fuel reserve is maintained during simulated bulk transfer pump failure per IFC-REQ-006.
Rationale: IFC-REQ-006 defines overfill protection and day tank management at the external fuel supply boundary. Demonstration of overfill cutoff prevents environmental release of diesel fuel (a licensable offence at a nuclear site). The 2-hour day tank reserve demonstration confirms EDG resilience to a short-duration bulk transfer pump failure without manual intervention, which is the credited operator action in the fuel replenishment scenario.
 Demonstration session-580, qc, verification, fuel-supply-interface, idempotency:ver-fuel-supply-interface-580
VER-REQ-016 The DC Battery System interface acceptance test SHALL verify 125VDC Class 1E control power availability to EDG instrumentation and control equipment with battery voltage maintained within ±2% of nominal during simulated LOOP conditions, and confirm battery charger re-energisation from EDG output bus within 30 seconds of EDG starting per IFC-REQ-007.
Rationale: IFC-REQ-007 specifies the DC power interface critical for EDG control system function and subsequent restart capability. The battery charger re-energisation test validates the feedback loop (EDG powers charger → charger maintains battery → battery enables subsequent starts) that must function during extended LOOP events. Voltage tolerance of ±2% ensures relay pick-up voltages remain within manufacturer specification throughout the demand event.
 Test session-580, qc, verification, dc-battery-interface, idempotency:ver-dc-battery-interface-580
VER-REQ-017 Verify SUB-REQ-014: Starting Air System factory acceptance test SHALL measure actual air receiver bank pressure using calibrated gauges after full charge, confirm minimum 25 bar and maximum 30 bar on both banks, then perform three consecutive simulated start blows and confirm post-test pressure on each bank remains above 20 bar.
Rationale: Direct pressure measurement confirms receiver sizing and charge pressure setpoints. Three-blow test confirms capacity margin for the minimum required start attempts without recharging.
 Test verification, starting-air-system, session-581, idempotency:ver-sub014-sas-receivers-581
VER-REQ-018 Verify SUB-REQ-019: I&C LOOP detection acceptance test SHALL apply a simulated bus undervoltage to the Qualified I/O Module input, confirm undervoltage flag set within 100 ms by data logging at 1 ms resolution, and confirm air start command hardwired output energised within 200 ms of input application. Test shall be repeated five times with no failures.
Rationale: Timing verification at 1 ms resolution is necessary to demonstrate 100 ms detection budget compliance. Five repetitions provide statistical confidence that the timing is not marginal. Pass criterion is 100 percent compliance — a single timing violation fails the test.
 Test verification, ic-system, sil-3, session-581, idempotency:ver-sub019-ic-loop-detection-581
VER-REQ-019 Verify SUB-REQ-020: Engine and Generator Protection Logic functional test SHALL inject simulated overspeed, low oil pressure, and high coolant temperature signals at trip setpoints and confirm de-energise-to-trip relay output achieved within 200 ms of signal injection, measured by oscilloscope at 0.1 ms resolution. Each trip function shall be tested individually and in combination.
Rationale: Individual and combination testing confirms that no single trip function can be masked by another and that the combined protection logic does not introduce additional latency when multiple alarms are active simultaneously.
 Test verification, ic-system, sil-3, safety-trip, session-581, idempotency:ver-sub020-ic-protection-trip-581
VER-REQ-020 Verify SUB-REQ-023: I&C self-diagnostic safe-state test SHALL inject a simulated SIL 3 logic self-fault and confirm de-energise-to-trip output within 500 ms, control room fault alarm within 5 seconds, and last-good HMI status data preserved. Pass criterion: all three conditions met in five consecutive fault injections.
Rationale: Safe-state transition testing is mandatory under IEC 61508 SIL 3 to demonstrate the safe failure fraction target. Five repetitions confirm reproducibility. HMI data preservation is verified separately to confirm operators are not left without status during a critical event.
 Test verification, ic-system, sil-3, safe-state, session-581, idempotency:ver-sub023-ic-safe-state-581
VER-REQ-021 Verify IFC-REQ-014: Integration test SHALL energise the I&C start command hardwired output to the SAS air start valve, confirm solenoid energisation by discrete feedback within 200 ms of simulated LOOP signal, and verify 125VDC Class 1E power rail maintained throughout the test cycle under simulated loss of normal AC supply.
Rationale: Integration test at the physical interface confirms hardwired signal routing, voltage level, and timing as actually installed — bench-level component tests cannot confirm cable routing or terminal block integrity.
 Test verification, interface, starting-air-system, ic-system, session-581, idempotency:ver-ifc014-ic-sas-start-581
VER-REQ-022 Verify IFC-REQ-015: SAS pressure monitoring interface test SHALL confirm 4-20 mA signal range maps correctly to 0-35 bar at the I&C input, scan interval at 1 Hz or faster, and hardwired alarm contacts close within 5 seconds of simulated low-pressure fault injection on each bank independently.
Rationale: Separate verification of the analogue and discrete paths confirms both are functional simultaneously — a common failure mode is a broken hardwired contact that is masked by the healthy analogue signal.
 Test verification, interface, starting-air-system, ic-system, session-581, idempotency:ver-ifc015-sas-pressure-monitor-581
VER-REQ-023 Verify SUB-REQ-024: The Bus Undervoltage Sensing Relay factory acceptance test SHALL inject a simulated 4.5kV signal (sustained for 250ms) on each of the three VT inputs independently and confirm automatic start output active within 200ms; SHALL inject a transient dip to 4.5kV lasting only 150ms and confirm no start output; SHALL disable one VT input and confirm two-out-of-three voting still produces start output at 4.5kV sustained 250ms.
Rationale: Three test scenarios verify the three distinct aspects of SUB-REQ-024: timing, transient rejection, and voting logic. All three must pass for the requirement to be verified; failure of any one scenario is a compliance failure against the safety function.
 Test verification, electrical-switchgear-and-load-sequencer, sil-3, session-582, idempotency:ver-sub024-buvr-582
VER-REQ-024 Verify SUB-REQ-026: The Synchronising Check Relay acceptance test SHALL inject voltage, frequency, and phase angle combinations at boundary conditions (voltage ±10% nominal, frequency ±0.5Hz, phase ±10 degrees) and verify close permission asserts only within the window; SHALL reduce bus voltage to 10% nominal (0.66kV) sustained for 600ms and verify dead-bus close permission asserts without frequency or phase angle check within 500ms.
Rationale: Boundary condition testing of each synchronising window independently confirms the requirement is met at the most challenging operating points. The dead-bus override test uses 10% nominal (half the 20% threshold) to confirm reliable operation; testing at exactly 20% is insufficient because relay operating band tolerances could cause a false pass.
 Test verification, electrical-switchgear-and-load-sequencer, sil-3, session-582, idempotency:ver-sub026-sync-check-582
VER-REQ-025 Verify IFC-REQ-016: Integration test SHALL measure cable loop resistance on the BUVR-to-GCB start circuit at commissioning and confirm it is below 20 ohms; SHALL inject open-circuit fault on the start signal cable and confirm the EDG automatic start sequence initiates (failsafe open-circuit equals start demand); SHALL verify cable routing segregation from non-Class 1E cables by visual inspection against cable tray drawings.
Rationale: Three verification methods address the three distinct aspects of IFC-REQ-016: cable resistance (continuity), failsafe logic (functional), and segregation (inspection). Resistance must be measured at commissioning not just at factory because field cable lengths are not fixed at design. Segregation requires visual inspection against as-built drawings since it cannot be functionally tested.
 Test verification, electrical-switchgear-and-load-sequencer, sil-3, session-582, idempotency:ver-ifc016-buvr-gcb-582
VER-REQ-026 Verify IFC-REQ-018: The trip circuit commissioning test SHALL measure total trip circuit resistance and confirm it does not exceed 10 ohms; SHALL apply an open-circuit fault at the protection relay trip contact and verify an MCR alarm appears within 5 seconds; SHALL inject a simulated protection trip and measure GCB trip time from protection relay output to GCB open confirming it is within 100ms at nominal 125VDC and 95VDC.
Rationale: Trip circuit resistance and timing must both be measured at commissioning because field cabling resistance is not determined until installation. The supervision alarm test verifies the wiring integrity monitoring function independently. Testing at 95VDC (minimum battery voltage) is required by IEC 61508 SIL 3 hardware validation to demonstrate worst-case operation under degraded power supply conditions.
 Test verification, electrical-switchgear-and-load-sequencer, sil-3, session-582, idempotency:ver-ifc018-geprp-gcb-trip-582
VER-REQ-027 Verify IFC-REQ-017: The Synchronising Check Relay to GCB close-permission interface acceptance test SHALL confirm close permission asserts only when both voltage and frequency are simultaneously within window (boundary combination testing with 9 combinations covering all quadrant boundaries); SHALL inject an anti-pumping test with two consecutive close commands and confirm only one close attempt completes; SHALL withdraw synchronising permission mid-operation and confirm GCB close does not complete.
Rationale: Nine boundary-combination tests are the minimum to verify the AND logic of the three synchronising conditions without testing all permutations. Anti-pumping and permission-withdrawal tests verify the two protection mechanisms specified in IFC-REQ-017 that cannot be inferred from steady-state tests alone.
 Test verification, electrical-switchgear-and-load-sequencer, sil-3, session-582, idempotency:ver-ifc017-scr-gcb-close-582
VER-REQ-028 The Generator Circuit Breaker close-time acceptance test SHALL confirm GCB closure onto the 6.6 kV emergency bus within 100 ms of receiving a close command, measured from control relay energisation to primary contact make, under rated bus voltage with simulated safety load.
Rationale: SUB-REQ-025 specifies GCB close time of 100 ms; safety-critical because post-LOOP bus restoration depends on GCB closing before load sequencing begins, and a slow GCB extends bus dead time beyond the 10-second SYS-REQ-001 budget. MoP basis: IEC 62271-100 (High-voltage alternating-current circuit-breakers) defines close-time as the interval from close-coil energisation to primary contact make; 100 ms is within the Class C2 mechanical operating time envelope for 6.6 kV vacuum circuit-breakers.
 Test idempotency:ver-req-sub025-gcb-583, reqs-eng-session-583
VER-REQ-029 The Generator Electrical Protection Relay Package functional test SHALL inject a simulated differential current exceeding 5% of rated CT primary current and confirm trip relay operation within 50 ms, with secondary injection confirming correct phase angle discrimination.
Rationale: SUB-REQ-027 requires 87G differential protection with a pickup threshold; this test confirms relay operation within specified timing at the threshold current, the minimum demonstration needed for IEC 60255-151 (Measuring relays and protection equipment) compliance on a UK nuclear site.
 Test idempotency:ver-req-sub027-gen-87g-583, reqs-eng-session-583
VER-REQ-030 The Generator Electrical Protection Relay Package trip circuit test SHALL confirm that a protection trip condition causes GCB trip coil energisation within 60 ms and generator field de-excitation within 200 ms, measured from initial fault signal to generator terminal voltage below 10% rated.
Rationale: SUB-REQ-028 specifies the generator de-energise path on protection trip; timing from fault to terminal voltage collapse determines the duration of fault current fed into any bus fault, so the 60ms/200ms thresholds protect against damage to safety loads on the 6.6kV bus. MoP basis: IEC 60255-151 (Measuring relays and protection equipment — functional requirements for over/undercurrent protection) requires relay operate time measurement within ±5% of stated value; 60 ms trip coil energisation and 200 ms field collapse are derived from the generator manufacturer's demagnetisation time constant (typically 100–300 ms for safety-grade machines).
 Test idempotency:ver-req-sub028-gen-trip-583, reqs-eng-session-583
VER-REQ-031 The EDG I&C Qualified I/O Module Assembly isolation qualification test SHALL apply 1.5 kV RMS AC voltage for 60 seconds between each safety-classified circuit and non-Class-1E circuit, confirming leakage current below 1 mA, and SHALL repeat after a simulated 0.3g PGA seismic table test per IEEE 344.
Rationale: SUB-REQ-021 requires 1.5 kV RMS Class 1E isolation maintained post-seismic; IEC 60780 (Nuclear power plants — Electrical equipment of the safety system) and IEC 60255 (Measuring relays and protection equipment) both specify dielectric withstand at 1.5 kV as the acceptance threshold for Class 1E signal isolation. The post-seismic repeat confirms that the seismic event has not degraded the isolation barrier — a critical pass for the common-cause failure safety argument.
 Test idempotency:ver-req-sub021-io-isolation-583, reqs-eng-session-583
VER-REQ-032 The Starting Air System Air Compressor and Recharge Unit recharge acceptance test SHALL start both compressors with both Air Receiver Banks at 20 bar and confirm pressure of 30 bar is reached within 30 minutes, measured at the receiver outlets, with the compressors at ambient temperature at test start.
Rationale: SUB-REQ-016 specifies a 30-bar/30-minute recharge criterion following a three-start sequence. Post-start recharge capability is safety-critical because a second emergency demand within 30 minutes requires a full-pressure air system. The acceptance test must start from the worst-case 20-bar post-start low to confirm the compressor capacity under design conditions, not just steady-state operation.
 Test session-585, qc, starting-air-system, idempotency:ver-sub016-recharge-585
VER-REQ-033 The Starting Air System Moisture Separator and Drain System commissioning inspection SHALL measure compressed air dewpoint at each Air Receiver Bank outlet using a calibrated chilled-mirror hygrometer after 24 hours of system operation, confirming dewpoint at or below minus 40°C at atmospheric pressure.
Rationale: SUB-REQ-017 requires dewpoint ≤ −40°C to prevent ice formation in distribution manifolds and air-start valves during cold ambient conditions (design minimum: −15°C). Chilled-mirror hygrometry is the accepted reference measurement method per ISO 8573-1 (Compressed air quality). The 24-hour steady-state operation period ensures the separator and auto-drain cycle are active and the air system has purged residual commissioning moisture before measurement.
 Inspection session-585, qc, starting-air-system, idempotency:ver-sub017-dewpoint-585
VER-REQ-034 The Starting Air System pressure monitoring functional test SHALL verify: (a) with receiver pressure reduced to 27 bar, a control room annunciation appears within 5 seconds; (b) with pressure reduced to 22 bar, the EDG I&C inhibits further start attempts from that bank; (c) with pressure restored above 25 bar, the inhibit clears and start attempts are permitted.
Rationale: SUB-REQ-018 requires two threshold-triggered actions (27-bar alarm, 22-bar inhibit) that protect the starting air system from being depleted below the minimum single-start pressure. Testing each threshold in sequence verifies both the alarm function and the inhibit logic, and the restore test confirms the inhibit is not latching beyond design intent — all three checks are required to verify the complete requirement.
 Test session-585, qc, starting-air-system, idempotency:ver-sub018-pressure-alarm-585
VER-REQ-035 The EDG I&C Plant Communication Gateway isolation verification test SHALL confirm unidirectionality by: (a) transmitting a data packet from the safety-classified I&C to the MCR network side; (b) injecting an arbitrary signal on the MCR network side and confirming no signal is detectable on the safety-classified I&C side using a calibrated oscilloscope with 1mV sensitivity.
Rationale: SUB-REQ-022 requires a data diode with no return path to safety-classified I&C. A passive electrical injection test from the normal side — not just a software-level attempt — is required because the safety case must exclude hardware-level coupled pathways. The 1mV sensitivity threshold is taken from IEC 62645 (Nuclear power plants — I&C systems — Requirements for security programmes) acceptance criteria for isolation verification.
 Test session-585, qc, ic-system, cybersecurity, idempotency:ver-sub022-data-diode-585
VER-REQ-036 The EDG Building fire protection commissioning inspection SHALL confirm: (a) automatic suppression system actuates on test signal within 5 seconds of detector activation and achieves gas concentration per BS EN 15004 within 30 seconds; (b) two-hour fire-rated barrier is confirmed by documentation review of BS 476 Part 22 certification for all penetrations, doors, and cable transits between Train A and Train B rooms.
Rationale: SUB-REQ-029 specifies a 30-second suppression criterion and a two-hour fire barrier. The inspection combines a functional actuation test (verifying the 30-second time criterion on the actual installed system) with documentary evidence review for the barrier certification, since the two-hour rating is established by material qualification test certificates, not an in-situ burndown test.
 Inspection session-585, qc, edg-building, fire-protection, idempotency:ver-sub029-fire-585
VER-REQ-037 Verify IFC-REQ-019: During commissioning, measure combustion air velocity at three points across the engine intake plenum cross-section using a calibrated anemometer at rated fan speed. PASS if all readings are at or below 8 m/s and filter differential pressure is within the range specified for ISO 16890 ePM1 55% filters.
Rationale: Integration test verifying intake air velocity and filter compliance at the engine air intake plenum. Velocity at three points covers the cross-section to detect non-uniform flow distribution that could cause localised engine intake starvation.
 Test verification, edg-building, hvac, session-586, idempotency:ver-ifc019-hvac-air-v2-586
VER-REQ-038 Verify IFC-REQ-020: During integrated fire protection commissioning, simulate a confirmed fire detection signal and measure elapsed time from signal generation to full damper closure and fan de-energisation. PASS if both conditions are achieved within 5 seconds on all three test repetitions; any single-run time exceeding 7 seconds is a fail.
Rationale: End-to-end functional test of the fire detection to HVAC isolation hardwired interface. Three repetitions detect intermittent relay faults or damper actuator stiction. The 7-second single-run limit provides margin for relay pick-up jitter while ensuring the mean meets the 5-second requirement threshold.
 Test verification, edg-building, fire, hvac, session-586, idempotency:ver-ifc020-fire-hvac-v2-586
VER-REQ-039 Verify IFC-REQ-021: During commissioning inspection, trace the bunded drain path from each Fuel Oil System component (day tank, fill connections, transfer pump, fuel filter) to the sump. PASS if every fuel-wetted component has a continuous bunded path to the sump with no uncontained intermediate drip points, and sump net capacity (measured by survey) equals or exceeds 4,400 litres.
Rationale: Bunded drain path integrity cannot be verified by functional test without deliberate fuel release; inspection of the physical drain routing during commissioning is the appropriate verification method. Sump capacity is verified by dimensional survey against the design drawing, which is both more accurate and safer than a wet test with 4,000L of diesel fuel in a nuclear facility.
 Inspection verification, edg-building, flood, fuel, session-586, idempotency:ver-ifc021-drain-fuel-586
VER-REQ-040 Verify SUB-REQ-030: Perform seismic analysis of the Category 1 Building Structure in accordance with BS EN 1998-1 (Eurocode 8: Design of Structures for Earthquake Resistance) using the site-specific design basis spectrum at 0.2g PGA. PASS if maximum computed deflection at any equipment anchor point is at or below 10mm under the design basis loading combination.
Rationale: Full-scale seismic testing of a reinforced concrete EDG building is not practicable; analysis to Eurocode 8 is the standard method accepted by ONR for demonstrating seismic Category I structural integrity. The analysis must use the site-specific design response spectrum, not a generic spectrum, to account for local soil conditions at the nuclear site.
 Analysis verification, edg-building, seismic, sil-2, session-586, idempotency:ver-sub030-seismic-586
VER-REQ-041 Verify EDG Building and Support Systems integration: During EDG system integrated test, initiate EDG start from simulated LOOP signal and verify simultaneously: (a) HVAC fans reach rated airflow within 30 seconds; (b) exhaust backpressure does not exceed 50 mbar at 100% rated load; (c) sump high-level alarm is operational; (d) fire detection to HVAC damper isolation operates within 5 seconds on test signal. PASS if all four criteria are met in a single test run at rated load.
Rationale: Integration test exercises all EDG Building and Support Systems components simultaneously as the EDG loads to rated output. Individual component tests cannot detect integration conflicts such as HVAC fan vibration affecting fire detector sensitivity, or exhaust system resonance under combined HVAC and engine load. This test validates that all building sub-functions are compatible at full load.
 Test verification, edg-building, integration, session-586, idempotency:ver-building-integration-586
VER-REQ-042 Verify EDG Building inter-train separation: During pre-operational inspection, measure the clear distance between Train A and Train B building compartments at the nearest point and confirm not less than 600 mm. Verify that no penetrations, shared ducting, or cable routes cross the separation barrier without fire stops. PASS if measured separation is ≥600 mm and no unprotected penetrations are found.
Rationale: Physical separation between trains is a passive, permanent attribute of the building structure that can only be verified by dimensional inspection; functional testing cannot confirm structural independence. The 600 mm minimum from SUB-REQ-031 is derived from nuclear separation distance requirements in BS EN 61513.
 Inspection verification, edg-building, seismic, session-589, qc, idempotency:ver-building-separation-589, idempotency:ver-building-separation-589
VER-REQ-043 Verify Ventilation and Combustion Air System airflow performance: With the EDG running at 100% rated load, measure total combustion air mass flow at the engine air intake manifold using calibrated anemometry. PASS criterion: measured airflow ≥0.55 kg/s. Perform at ambient temperatures of 10°C, 25°C, and 40°C to verify margin across the design envelope.
Rationale: Combustion air supply is a direct determinant of engine power output and fuel combustion efficiency; insufficient airflow at rated load causes manifold pressure drop, elevated exhaust temperature, and power output shortfall. Testing at three ambient temperatures confirms that the passive inlet design in SUB-REQ-032 delivers the required flow across the full UK operating temperature range.
 Test verification, edg-building, hvac, session-589, qc, idempotency:ver-combustion-air-flow-589, idempotency:ver-combustion-air-flow-589
VER-REQ-044 Verify EDG Building structural breach detection and automatic trip: With EDG in running state, simulate a structural breach detection signal via test input to the structural monitoring system. Verify that the EDG automatic trip signal is generated and the engine initiates shutdown within 5 seconds of simulated breach detection. PASS if shutdown sequence initiates within 5 seconds and main control room alarm is annunciated within 60 seconds.
Rationale: Structural breach detection and automatic trip is a safety function preventing EDG operation in a structurally compromised enclosure (e.g., post-seismic event with building damage); the trip must be fast enough to prevent additional secondary damage while the main control room alarm allows operators to assess and respond. Functional test using simulated input per IEC 61513 (Nuclear power plants — Instrumentation and control important to safety — General requirements for systems) verification requirements is necessary to confirm the monitoring-to-trip signal chain without inducing actual structural damage.
 Test verification, edg-building, seismic, session-589, qc, idempotency:ver-building-breach-trip-589, idempotency:ver-building-breach-trip-589
VER-REQ-047 Verify IFC-REQ-022: Coolant Circulation Pump performance test at 25%, 50%, 75%, 100%, and 110% rated engine load. Pass criterion: flow ≥150 L/min, delivery pressure ≥0.8 bar gauge, suction pressure ≥0.2 bar at each load point. Measured by calibrated flow meter and pressure transducers at pump inlet and outlet.
Rationale: Integration test to verify interface compliance at system boundaries. Pump cavitation at standby diesel start-up has caused cooling circuit failures in similar nuclear applications; physical flow measurement under load is the only reliable verification method.
 Test verification, engine-cooling, sil-2, session-591, idempotency:ver-ifc022-ec-pump-v2-591
VER-REQ-048 The Pre-Lube and Post-Lube Pump pre-lubrication functional test SHALL confirm that lubricating oil gallery pressure reaches 1.5 bar within 20 seconds of pre-lube command initiation during factory acceptance testing, with the engine at rest, oil at 20°C ambient temperature, and the start air valve confirm-closed interlock engaged.
Rationale: Verifies REQ-SEEDGUKNUCLEAR-066: demonstrates that pre-lube timing and pressure specification are met before air start valve is permitted to open, as required for IEEE 387 compliance
 Test
VER-REQ-049 The Engine-Driven Lube Oil Pump pressure performance test SHALL confirm oil gallery pressure within 3.5 bar to 5.5 bar at rated engine speed (750 rpm) across the operating temperature range by measuring main gallery pressure at three oil temperatures: 60°C, 80°C, and 100°C during the 24-hour endurance run.
Rationale: Verifies REQ-SEEDGUKNUCLEAR-067: temperature-swept pressure measurement during endurance test confirms pump performance at all operating viscosity points; cannot be verified by inspection alone as viscosity-dependent performance requires thermal soak
 Test
VER-REQ-050 The Post-Lube and post-shutdown oil circulation test SHALL confirm that oil gallery pressure remains above 0.8 bar for no less than 10 minutes following a simulated manual shutdown from 100% rated load, with turbocharger inlet temperature measured at 1-minute intervals to confirm thermal purge.
Rationale: Verifies REQ-SEEDGUKNUCLEAR-070: post-lube duration at minimum pressure is the only way to confirm that turbocharger bearing cartridge heat purge is adequate; analysis alone cannot substitute for empirical thermal measurement
 Test
VER-REQ-051 The Automatic Voltage Regulator steady-state regulation acceptance test SHALL apply step loads at 25%, 50%, 75%, and 100% rated output at power factors of 0.8 lagging and unity, measuring terminal voltage at each steady-state point to confirm it remains within ±1% of 6.6kV (6.534kV to 6.666kV).
Rationale: Verifies REQ-SEEDGUKNUCLEAR-072: steady-state voltage accuracy at all load points and power factors must be measured empirically; the IEEE Std 387 generator acceptance test protocol requires voltage regulation verification across the full load envelope
 Test
VER-REQ-052 The Automatic Voltage Regulator transient recovery test SHALL apply a block load step equivalent to the largest single load group in the sequencer table while measuring terminal voltage at 100ms intervals, confirming voltage recovery to within ±3% of 6.6kV within 1.5 seconds with no generator protection trip.
Rationale: Verifies REQ-SEEDGUKNUCLEAR-073: block-load step testing is mandatory per IEEE Std 387 generator acceptance; the 1.5-second window and ±3% recovery threshold must be demonstrated empirically to confirm downstream motor contactor immunity
 Test
VER-REQ-053 The Generator Neutral Earthing Unit design verification SHALL confirm by calculation per IEC 60034-3 that the resistor-loaded transformer limits phase-to-earth fault current to not more than 5 amperes at generator terminal voltage, with the calculation peer-reviewed and included in the safety case documentation.
Rationale: Verifies REQ-SEEDGUKNUCLEAR-074: high-impedance earthing is verified by design analysis rather than fault injection testing, as intentional earth fault injection at generator voltage would risk winding damage; impedance calculation is standard practice per IEC 60034-3 and ONR NS-TAST-GD-013
 Analysis
VER-REQ-054 The Automatic Voltage Regulator Class 1E qualification inspection SHALL verify by review of the equipment qualification documentation file (EQF) that the AVR has been qualified per IEC 60780 (Class 1E), IEEE Std 344 (seismic at 0.5g/5Hz), and IEEE Std 603 (safety I&C requirements), with certificates reviewed by the Nuclear Licensing Inspector.
Rationale: Verifies REQ-SEEDGUKNUCLEAR-076: Class 1E qualification is verified by inspection of the EQF and qualification test reports; physical re-testing on site is not required provided the original qualification envelope (environment, seismic demand) bounds the as-installed conditions, consistent with ONR ENSREG qualification guidance
 Inspection
VER-REQ-055 Verify IFC-REQ-023: Pre-heat system functional test during AC blackout simulation. Procedure: disconnect normal AC supply, confirm UPS feed energises heater, measure jacket water temperature over 4 hours from ambient 10°C. Pass criterion: temperature ≥35°C maintained throughout; thermostat cycling within ±2°C hysteresis band.
Rationale: The pre-heat must remain active during AC blackout precisely when it matters most. A blackout simulation is the only way to verify UPS supply path continuity and thermostat control under actual LOOP event conditions.
 Demonstration verification, engine-cooling, sil-2, session-591, idempotency:ver-ifc023-ec-preheat-v2-591
VER-REQ-056 Verify IFC-REQ-024: Thermostatic valve response time and flow characteristic test. Apply 10°C step change from 72°C to 85°C at pump inlet; measure valve stroke completion time and flow split at outlet. Pass: full stroke within 5 seconds; bypass flow ≤5% at 82°C; bypass flow ≥95% at 75°C.
Rationale: The valve stroke response time determines peak coolant temperature overshoot during load steps; measurement at representative temperatures is required to confirm the thermostat characteristic matches design intent.
 Test verification, engine-cooling, sil-2, session-591, idempotency:ver-ifc024-ec-thermostat-v2-591
VER-REQ-057 Verify IFC-REQ-025: Engine Cooling to I&C signal interface inspection and functional test. Perform cable routing inspection for physical segregation; loop calibration of both Pt100 4-20mA channels against traceable reference; inject simulated overtemperature condition and confirm trip signal received by I&C within 200ms. Pass: segregation verified, channels within ±1°C, trip response ≤200ms.
Rationale: SIL 2 signal interface requires physical segregation inspection per BS EN 61000 and channel calibration; 200ms trip response is the SIL 2 safety function response time. Only system-level injection test can verify the complete signal chain from sensor to protection relay.
 Test verification, engine-cooling, sil-2, safety-critical, session-591, idempotency:ver-ifc025-ec-ic-signals-591
VER-REQ-058 Verify SUB-REQ-037 and SUB-REQ-039: Endurance test at 110% rated load, 35°C ambient, for 4 hours minimum. Pass criterion: jacket water outlet temperature 75°C–85°C maintained continuously; no coolant loss; heat exchanger outlet air below design maximum. Instrumentation: 4 Pt100 sensors in jacket water circuit, 2 in radiator airflow.
Rationale: Combined thermal performance requirements can only be verified together under simultaneous high-load and high-ambient conditions representative of a summer LOOP event. Four hours ensures steady-state thermal equilibrium is reached after the warm-up transient.
 Test verification, engine-cooling, sil-2, session-591, idempotency:ver-sub037-039-ec-thermal-591
VER-REQ-059 Verify IFC-REQ-026: Fuel Transfer Pump commissioning test. Simulate low Day Tank level (float switch activation), confirm pump starts automatically and delivers fuel at ≥50 L/min to Day Tank. Measure transfer time from low-level alarm to high-level cutoff. Pass: transfer completes within 30 minutes, pump auto-stops on high level, I&C panel shows correct pump status.
Rationale: The automatic transfer sequence must be verified end-to-end to confirm that float switch, pump control, and I&C monitoring all function correctly together under conditions representative of autonomous engine room operation during a LOOP event.
 Test verification, fuel-oil, sil-2, session-591, idempotency:ver-ifc026-fo-pump-591
VER-REQ-060 Verify IFC-REQ-027 and SUB-REQ-044: Fuel system endurance and temperature test. Run engine at 100% rated load for 2 hours. Measure fuel inlet pressure and temperature at injection pump inlet at 30-minute intervals. Pass: pressure continuously 0.3–0.7 bar; temperature 10–40°C; no fuel system faults or alarms; engine maintains rated load throughout.
Rationale: Fuel delivery temperature and pressure must be verified under sustained engine loading to confirm that the EDG building thermal environment and fuel system design maintain the OEM injection pump operating envelope. Short-duration tests do not expose thermal soak effects.
 Test verification, fuel-oil, sil-2, session-591, idempotency:ver-ifc027-fo-supply-591
VER-REQ-061 Verify IFC-REQ-028 and SUB-REQ-047: Fuel filter differential pressure test. Introduce controlled particulate loading to filter inlet to simulate contaminated fuel. Measure differential pressure and downstream cleanliness (particle count). Pass: alarm activates at 0.5 bar differential; bypass opens at 1.0 bar; downstream cleanliness ≤ISO 4406 16/13/10 below bypass threshold.
Rationale: Filter performance under contamination conditions is the only means to verify that the bypass valve set-point relationship with the alarm threshold meets the design intent that alarm precedes bypass. Reliance on specification data alone is insufficient for SIL 2 verification.
 Test verification, fuel-oil, sil-2, session-591, idempotency:ver-ifc028-fo-filter-591

Internal Diagrams

flowchart TB
  n0["component<br>Diesel Engine Block and Crankcase"]
  n1["component<br>Diesel Fuel Injection System"]
  n2["component<br>Diesel Engine Turbocharger"]
  n3["component<br>Engine Governor and Speed Control Unit"]
  n4["component<br>Engine Protection Relay Package"]
  n5["component<br>Engine Exhaust System"]
  n6["component<br>Crankshaft and Flexible Shaft Coupling"]
  n1 -->|Metered high-pressure fuel| n0
  n2 -->|Charged combustion air| n0
  n0 -->|Exhaust gas to turbine| n2
  n0 -->|Post-turbine exhaust gases| n5
  n3 -->|Fuel rack position signal| n0
  n0 -->|Engine speed feedback| n3
  n4 -->|Protective trip signal| n0
  n0 -->|Reciprocating to rotary torque| n6

Diesel Engine Assembly — Internal

flowchart TB
  n0["component<br>Automatic Start Logic Controller"]
  n1["component<br>Load Management and AVR Interface"]
  n2["component<br>Engine and Generator Protection Logic"]
  n3["component<br>Annunciation and HMI Panel"]
  n4["component<br>Qualified I/O Module Assembly"]
  n5["component<br>Plant Communication Gateway"]
  n4 -->|Field start signals and interlocks| n0
  n4 -->|Speed, temp, pressure, power measurements| n2
  n0 -->|Air start valve commands| n4
  n2 -->|Trip and alarm relay outputs| n4
  n2 -->|Alarm and trip annunciation| n3
  n1 -->|AVR voltage set-point output| n4
  n0 -->|EDG operating status data| n5
  n1 -->|Load and voltage parameters| n3

EDG Instrumentation and Control System — Internal

flowchart TB
  n0["component<br>Air Receiver Bank A"]
  n1["component<br>Air Receiver Bank B"]
  n2["component<br>Air Start Valve and Distribution Manifold"]
  n3["component<br>Air Compressor and Recharge Unit"]
  n4["component<br>Moisture Separator and Drain System"]
  n5["component<br>Pressure Monitoring and Low-Pressure Alarm"]
  n0 -->|30-bar air train A| n2
  n1 -->|30-bar air train B| n2
  n3 -->|Recharge to 30 bar| n0
  n3 -->|Recharge to 30 bar| n1
  n4 -->|Dehumidified compressed air| n0
  n0 -->|Receiver pressure signal| n5
  n1 -->|Receiver pressure signal| n5

Starting Air System — Internal

flowchart TB
  n0["component<br>Generator Circuit Breaker"]
  n1["component<br>Bus Undervoltage Sensing Relay"]
  n2["component<br>Load Sequencer Logic Controller"]
  n3["component<br>Generator Electrical Protection Relay Package"]
  n4["component<br>Synchronising Check Relay"]
  n5["component<br>Class 1E Switchgear Control Power Supply"]
  n1 -->|LOOP trip signal| n0
  n4 -->|close permissive| n0
  n3 -->|protection trip| n0
  n5 -->|125VDC control power| n0
  n5 -->|125VDC control power| n2
  n2 -->|load pickup command| n0

Electrical Switchgear and Load Sequencer — Internal

flowchart TB
  n0["component<br>Bulk Storage Tank"]
  n1["component<br>Day Tank"]
  n2["component<br>Fuel Transfer Pump"]
  n3["component<br>Fuel Oil Strainer and Filter Assembly"]
  n4["component<br>Day Tank Level Control and Alarm"]
  n0 -->|bulk fuel supply| n2
  n2 -->|filtered fuel| n3
  n4 -->|start/stop signal| n2
  n2 -->|fuel delivery| n1
  n3 -->|clean fuel to day tank| n1

Fuel Oil System — Internal Components

flowchart TB
  n0["component<br>Engine Jacket Water Circuit"]
  n1["component<br>Radiator/Heat Exchanger"]
  n2["component<br>Coolant Circulation Pump"]
  n3["component<br>Thermostatic Control Valve"]
  n4["component<br>Engine Pre-heat System"]
  n2 -->|coolant flow| n0
  n0 -->|hot coolant return| n3
  n3 -->|coolant to cooler| n1
  n1 -->|cooled coolant| n2
  n4 -->|standby heat| n0

Engine Cooling System — Internal Components

flowchart TB
  n0["component<br>Engine Lube Oil Sump"]
  n1["component<br>Engine-Driven Lube Oil Pump"]
  n2["component<br>Pre-Lube and Post-Lube Pump"]
  n3["component<br>Lube Oil Cooler"]
  n4["component<br>Lube Oil Filter and Strainer"]
  n0 -->|oil draw| n1
  n1 -->|pressurised oil| n3
  n3 -->|cooled oil| n4
  n2 -->|pre/post-lube flow| n0

Lubrication Oil System — Internal Components

flowchart TB
  n0["component<br>Stator and Stator Winding Assembly"]
  n1["component<br>Rotor and Field Winding"]
  n2["component<br>Automatic Voltage Regulator"]
  n3["component<br>Generator Neutral Earthing Unit"]
  n4["component<br>Generator Cooling Fan"]
  n2 -->|excitation current| n1
  n1 -->|rotating magnetic field| n0
  n0 -->|neutral connection| n3
  n4 -->|cooling airflow| n0
  n0 -->|terminal voltage feedback| n2

Synchronous Generator — Internal Components

flowchart TB
  n0["component<br>Ventilation and Combustion Air System"]
  n1["component<br>Exhaust Silencer and Discharge Stack"]
  n2["component<br>Fire Detection and Suppression System"]
  n3["component<br>Category 1 Building Structure"]
  n4["component<br>Drain and Spill Containment System"]
  n3 -->|air intake penetrations| n0
  n3 -->|exhaust penetration| n1
  n2 -->|fire/shutdown signal| n0
  n3 -->|floor drain collection| n4

EDG Building and Support Systems — Internal Components

Classified Entities

Entity Hex Code Description
Bus Undervoltage Sensing Relay D5B77818 Hardwired solid-state relay monitoring 6.6kV Class 1E emergency AC bus voltage. Initiates EDG automatic start sequence and opens tie breaker to grid on detection of bus voltage dropping below 70% of nominal (4.6kV) for more than 0.2 seconds (LOOP condition). De-energise-to-trip logic for fail-safe operation. Powered from Class 1E 125VDC battery. Seismic-qualified. Two-out-of-three voting logic with redundant voltage transformers to prevent spurious trips.
Class 1E Switchgear Control Power Supply D6851058 Dedicated 125VDC Class 1E battery-backed DC distribution panel supplying control power to the Generator Circuit Breaker close/trip coils, Bus Undervoltage Sensing Relay, Load Sequencer Logic Controller, and Generator Electrical Protection Relay Package. Powered from the Class 1E 125VDC battery system with automatic changeover from normal AC rectifier on loss of AC. Battery autonomy minimum 8 hours at full switchgear control load. Seismic-qualified. Provides Class 1E/non-Class 1E isolation barriers per IEEE 384.
Common cause failure of redundant diesel generators hazard 10040211 Simultaneous failure of multiple redundant EDGs due to shared vulnerability: common fuel supply contamination, common design defect, common maintenance error, seismic event exceeding design basis, flooding. Nuclear sites typically have 2-4 redundant EDGs but common cause failures defeat redundancy. Consequence: station blackout with no AC power, potentially leading to core damage within hours. Defence requires diversity (e.g., gas turbine alternative) and protection against external hazards.
Cool Diesel Engine 56D51000 System function of nuclear EDG: removes waste heat from engine block, cylinder heads, and turbocharger aftercooler via closed-loop jacket water circuit. Heat rejection to atmosphere via radiator/fan units or to raw water via heat exchanger. Must maintain coolant temperature below 95°C at full load in 40°C ambient. Failure mode: engine trip on high temperature (H-006).
Cooldown Shutdown mode of Emergency Diesel Generator 50943A10 Controlled unloading and stopping after emergency mission complete. Loads transferred back to restored grid supply, EDG runs unloaded for cooldown period (typically 10-30 minutes) to prevent thermal shock to turbocharger and engine components. Gradual reduction of fuel, engine stops, post-lube pump maintains oil circulation. Entry: offsite power restored and verified stable. Exit: engine stopped, transition to post-shutdown checks. Operator involvement typically required for shutdown authorisation in nuclear context.
Crankshaft and Flexible Shaft Coupling CEC51018 Forged alloy steel crankshaft and flexible coupling assembly transmitting mechanical power from the diesel engine to the synchronous generator rotor. Crankshaft journals run at 750 rpm with hydrodynamic oil-film bearings at 4-6 bar oil pressure. Flexible coupling accommodates axial and angular misalignment (typically ±2mm axial, ±0.5° angular) and provides torsional damping to protect generator shaft from engine combustion impulses. Coupling rated for instantaneous torques up to 3× nominal during short-circuit events. Seismically qualified. SIL 3 via parent — coupling failure results in immediate loss of electrical output.
Cyber attack on diesel generator control system hazard 40043B59 Malicious interference with EDG digital control or protection systems. Potential attack vectors: maintenance laptop, compromised firmware, network intrusion if connected. Consequences: prevent start, cause spurious trip, mask alarms, alter setpoints. IEC 62645 and ONR guidance require cyber security assessment and hardening of nuclear I&C. Air-gapping and secure development processes required.
Degraded Operation mode of Emergency Diesel Generator 50541A51 EDG running but with reduced capability or margin due to equipment fault or environmental condition. Examples: one turbocharger failed (reduced max power), cooling system degraded (reduced continuous rating), fuel quality degraded (reduced reliability). Operator must assess whether degraded EDG satisfies minimum safety function. May trigger entry into Limiting Condition for Operation requiring shutdown if not restored. Automatic protection trips may be bypassed with operator authorisation to maintain core cooling during genuine emergency.
Detect Loss of Offsite Power 44F77811 System function of nuclear EDG: detects grid undervoltage below 5.94kV (90% nominal) within 100ms using redundant undervoltage relays on the 6.6kV safety bus. Input: grid voltage from potential transformers. Output: LOOP signal to EDG start circuit. Safety-critical function — false negative delays start, false positive causes unnecessary start.
Diesel Engine Assembly DEC51018 Subsystem of nuclear EDG: medium-speed 4-stroke turbocharged diesel engine (typically 12-18 cylinders, 1000-3000 kW class). Functions: cranking/starting, fuel injection and combustion, mechanical power output to alternator shaft. Key components: engine block, crankshaft, pistons, cylinder liners, turbocharger, exhaust manifold, flywheel coupling. Operating at 750 or 1000 rpm depending on generator pole count. Must start reliably from -10°C to +40°C. Seismic Category I qualified mounting.
Diesel Engine Block and Crankcase DE851018 Main structural casting of a medium-speed (750 rpm) 4-stroke turbocharged diesel engine rated ~2-4 MW for nuclear emergency power generation. Houses crankshaft, cylinder liners, piston assemblies, and main bearing journals. Cast ductile iron construction, seismically qualified per EUR Category I (0.2g PGA). Key interfaces: cylinder liners receive fuel/air charge, crankshaft transfers mechanical energy to generator shaft coupling, sump provides oil reservoir for lubrication system, coolant passages interface to engine cooling system. SIL 3 via parent. Failure mode: catastrophic crankcase fracture (seismic), cylinder liner scoring (lubrication failure).
Diesel Engine Turbocharger C6C51018 Exhaust-gas driven centrifugal turbocharger on a medium-speed nuclear-grade diesel engine. Compresses combustion air from atmospheric to ~2.5 bar absolute, enabling full rated power output. Coupled to aftercooler (intercooler) to reduce charge air temperature and increase air density. Turbocharger rotor speed typically 20,000-40,000 rpm. No lubrication from external systems — bearing oil supplied from engine main oil gallery at 4-6 bar. Seismically qualified. Failure mode: turbine blade failure causes loss of boost pressure and 60-70% derated output; bearing failure causes oil fire risk.
Diesel Fuel Injection System D6D53218 High-pressure mechanical fuel injection system for a nuclear-grade medium-speed diesel engine, comprising a camshaft-driven injection pump, high-pressure fuel lines (up to 1500 bar), and injector nozzles per cylinder. Receives filtered diesel fuel from the day tank at 3-5 bar feed pressure. Injection timing and quantity controlled by mechanical governor in low-load and by electronic governor overlay at rated speed. No software in the safety-critical injection path. Failure mode: injector nozzle wear causes misfiring, injection pump seizure causes engine stop. SIL 3 via parent — loss of injection results in loss of power generation.
Diesel Fuel Supply Infrastructure 46851259 External fuel delivery system: road tanker access, bulk storage tanks, fuel transfer pumps, day tank replenishment. Must provide diverse supply routes and 7-day inventory. Interface with site fuel management system for inventory monitoring and reorder.
Diesel Generator Original Equipment Manufacturer 40805098 Company that designed and supplied the diesel generator set. Provides technical support, spare parts, engineering change notices, and service bulletins. May provide long-term service agreement. Source of design basis information and qualification documentation. Key supplier for life extension and obsolescence management.
EDG Building Access Control System 54AD7859 Physical security and access management for a nuclear-licensed EDG building. Card-reader and keypad entry to nuclear security zone; CCTV covering all entry points and engine room; intruder detection (PIR and door contacts) linked to site security alarm system. Emergency exit routes with break-glass release. Visitor/contractor management via permit-to-work system. Access control power backed by Class 1E 125VDC to maintain security logging during LOOP. Not safety-related (SIL 0) but interfacing with site physical protection plan under ONR security assessment principles.
EDG Building and Support Systems DE851018 Subsystem of nuclear EDG: physical enclosure housing one EDG train with associated support systems. Functions: provide Seismic Category I building structure (reinforced concrete), fire detection and CO2/foam suppression, building HVAC for combustion air and heat removal, lighting, seismic mounting for engine-generator skid, personnel access with radiological/industrial safety provisions. Each train housed in separate fire-rated building to prevent common cause failure. Building must withstand 0.2g PGA DBE and external hazards (flooding, missile protection per site safety case).
EDG Building HVAC System 55F73018 Engine room ventilation system for a nuclear-grade EDG building. Supplies combustion air at ≥0.5 kg/s per MW rated output through louvred intakes; exhausts engine room heat via thermostatically controlled roof fans to maintain ambient ≤40°C at full load; maintains slight negative pressure in engine room to prevent fuel vapour accumulation in occupied areas. Fan motors are Class 1E-qualified at SIL 2. Controls integrated with EDG control panel: fans auto-start on engine start signal, fail-safe open on loss of control power. Seismically qualified to same standard as building structure.
EDG Building Structure CE851058 Seismic Category I reinforced concrete building housing one EDG train on a UK nuclear licensed site. Provides missile and blast protection to NUREG-0800/BS EN 1998-1 standards; floor-to-roof height ~8m to accommodate engine exhaust routing; mass concrete walls ≥600mm thick; tornado-missile-proof louvres on combustion air intake and exhaust openings. Building maintains structural integrity at 0.2g PGA design basis earthquake. Provides physical separation between EDG trains to prevent common-cause structural failure.
EDG Failure to Start scenario 00841200 Failure scenario: one EDG fails to start on LOOP signal. Tests redundancy and operator response. Scenario involves diagnosis of failure cause, reliance on redundant EDG, entry into limiting condition for operation, maintenance mobilisation.
EDG Flood and Drainage System CE851018 Passive and active flood protection for the EDG building. Ground-level flood barriers (kerbs and door seals) to 600mm above external finished floor level matching the site design basis flood. Internal bunded sump to contain maximum fuel day-tank volume (4,000L) plus lube oil system volume with no external spillage. Sump pump with high-level alarm to main control room. Drainage routed to controlled discharge point. Designed to maintain EDG operability during and after design basis external flood event (concurrent with LOOP per nuclear ConOps). Seismically qualified Class 1E instrumentation.
EDG Instrumentation and Control System 55F77858 Subsystem of nuclear EDG: provides monitoring, control, and protection functions for diesel engine and generator. Functions: measure all operating parameters (kW, Hz, V, A, oil pressure, coolant temp, exhaust temp, vibration), transmit to main control room, process operator commands, manage AVR and governor setpoints, execute hardwired protection trips (overspeed >115%, high coolant temp, low oil pressure, overcurrent). Safety-critical trip functions are hardwired and independent of digital control. Local control panel in EDG building, remote interface to MCR. Must comply with IEC 62645 cyber security and IEC 61513 nuclear I&C standards.
EDG Instrumentation and Control Technician 00A530F8 Specialist in control systems, protection logic, and instrumentation. Calibrates sensors, tests protection relays, maintains PLC/DCS systems, troubleshoots electrical faults. Works under nuclear I&C quality programme. Requires specific training on EDG control system architecture. Responds to spurious alarms and control faults.
EDG Mechanical Maintenance Technician 018C28F8 Skilled tradesperson responsible for mechanical maintenance of diesel engines. Performs oil changes, filter replacement, injector servicing, turbocharger maintenance, coolant system work. Works under work permit system with LOTO. Must be trained on nuclear safety culture and EDG-specific procedures. Responds to call-outs for emergency repairs.
EDG Trip During Operation scenario 00040200 Running EDG trips unexpectedly mid-mission due to genuine or spurious protection actuation. Tests transfer to redundant EDG and diagnosis under pressure.
Electrical Switchgear and Load Sequencer 55F73A58 Subsystem of nuclear EDG: manages electrical connections between EDG output, 6.6kV emergency bus, and normal grid supply. Functions: detect LOOP via undervoltage relays, open/close generator output breaker, sequence safety load breakers in priority order (charging pumps → component cooling → HVAC) over 60s, manage return-to-grid transfer with synchronisation check, prevent paralleling with degraded grid. Key components: generator breaker, bus section breakers, load breakers, undervoltage relays, synch-check relay, load sequencer logic (PLC or relay-based), CTs and PTs. SIL 3 for LOOP detection function.
Emergency Diesel Generator for a UK Nuclear Licensed Site DFF73A59 Standby electrical power generation system installed at a UK nuclear licensed site, providing emergency AC power to safety-critical loads when normal grid supply is lost. Must comply with Office for Nuclear Regulation (ONR) Safety Assessment Principles, IEC 61513 for I&C, IEC 62645 for cybersecurity, and UK Nuclear Site Licence Conditions. Operates in seismic Category I environment, designed to withstand design basis earthquake. Comprises diesel engine, alternator, fuel system, cooling system, starting system, and control/protection systems. Must achieve defined reliability targets (e.g., 0.999 start-on-demand) and reach rated power within specified time (typically 10-15 seconds). Safety function: maintain cooling of reactor fuel during loss-of-offsite-power events to prevent core damage.
Emergency Start mode of Emergency Diesel Generator 55F73A58 Automatic start sequence initiated by loss-of-offsite-power detection or manual emergency start. Air motor cranks engine, fuel injection begins, engine fires and accelerates to rated speed. Parallel sequence energises field excitation, builds voltage, synchronises to emergency bus. Duration: 10-15 seconds from start signal to rated voltage and frequency. Critical window where start failure constitutes safety system unavailability. Multiple redundant start air receivers and starting motors for reliability.
Engine Cooling System 57D73010 Subsystem of nuclear EDG: removes 30-40% of engine thermal output via closed-loop jacket water circuit. Functions: circulate coolant through engine block and heads, reject heat via radiator/fan units (air-cooled design) or raw water heat exchanger (water-cooled), regulate temperature via thermostatic valves, cool turbocharger aftercooler. Must maintain coolant below 95°C at full load in 40°C ambient. Failure leads to engine trip (H-006, SIL 2). Includes pre-heater to keep engine warm in standby.
Engine cooling system failure hazard 00050200 Loss of coolant, pump failure, radiator blockage, or ultimate heat sink unavailability. Diesel engines generate significant waste heat requiring continuous removal. Consequence: engine overheats, trips on high temperature, or seizes. Particularly critical in extended run scenarios. Some EDGs use raw water cooling from ultimate heat sink; failure of that sink affects EDG.
Engine Exhaust System CEC51018 Exhaust gas routing system for a nuclear-grade medium-speed diesel engine in an enclosed EDG building. Comprises: turbine-side exhaust manifold, expansion bellows (seismic isolation), silencer/muffler, and insulated exhaust stack penetrating the EDG building roof. Exhaust gas temperature at manifold 400-550°C. Stack sized to prevent exhaust recirculation into engine air intake under all wind directions. Equipped with spark arrestor for fire safety (diesel fuel environment). Seismically qualified supports per EUR Category I. Failure mode: exhaust manifold crack causes hot gas release in building, silencer blockage causes backpressure and engine trip.
Engine Governor and Speed Control Unit D5F73A18 Isochronous speed governor for a nuclear-grade emergency diesel generator engine. Maintains 50 Hz ±2% output frequency under transient loads by controlling fuel injection rack position via electro-hydraulic actuator. Incorporates: (1) mechanical overspeed trip at 115% rated speed (750 rpm nominal → trip at ~863 rpm) — hardwired, not software; (2) electronic speed sensor providing speed feedback to digital governor processor; (3) speed setpoint adjustment for synchronisation. Receives 24VDC from Class 1E battery. SIL 3 via parent — loss of speed control can cause overspeed trip or frequency deviation outside ±2%.
Engine overspeed hazard 00011211 Governor failure causes engine to accelerate beyond safe speed. Consequences: mechanical destruction of engine, projectile hazard from disintegrating components, fire from fuel spray. Diesel engines have stored kinetic energy in flywheel and reciprocating mass. Overspeed protection must be diverse (mechanical and electronic).
Engine Protection Relay Package D6B73858 Hardwired relay-based protection package for a nuclear-grade emergency diesel engine. Implements four independent trip functions per ARC-REQ-002 (SYS-REQ-010 in prior numbering): (1) overspeed trip (>115% rated speed, 2s response), (2) high coolant temperature (>90°C on jacket water, 2s response), (3) low lubricating oil pressure (<2.0 bar, 2s response), (4) overcurrent/overload (electrical, 2s response). Each trip channel is physically separate with independent sensors and relay coils. Hardwired circuits prevent defeat by software or cyber attack. Powered from 125VDC Class 1E battery. SIL 3 — directly implements engine safety trips for H-001 (engine overspeed), H-003 (lubrication failure), H-006 (cooling failure).
Exhaust Silencer and Discharge Stack CE851018 Engineered exhaust gas routing system for a nuclear-grade medium-speed diesel engine within a Category I building on a UK nuclear site. Routes hot exhaust gases (600-700°C) from the turbocharger outlet through a purpose-built silencer vessel and vertical discharge stack to atmosphere. Silencer maintains engine backpressure below 50 mbar at rated load; stack penetrates building roof with missile-proof flanged rain cap. Both silencer vessel and stack are seismically restrained to Seismic Category I standards. Stainless steel construction; thermal insulation prevents surface temperatures exceeding 60°C at accessible surfaces per UK Health and Safety Executive guidance.
Failure to start on demand hazard 00051219 EDG fails to start when LOOP signal received. Causes: air start system failure, fuel system blockage, control logic fault, battery failure. Consequence: no AC power to safety loads, potential loss of reactor cooling, core damage within hours if not recovered. This is the primary safety concern for nuclear EDGs.
Fire in diesel generator building hazard 04000211 Fire originating from fuel leak, lube oil leak, exhaust system failure, or electrical fault. Large fuel inventory (thousands of litres), hot exhaust surfaces, and electrical equipment create fire triangle. Consequence: loss of EDG, potential common-cause failure if fire spreads to adjacent EDG, personnel injury. Nuclear sites require fire barriers between redundant safety systems.
Fuel contamination or exhaustion hazard 00010218 Fuel unusable due to water ingress, microbial growth, or simply running out during extended LOOP. Day tank depletion, bulk tank depletion, fuel transfer pump failure, or blocked fuel lines. Consequence: engine stops mid-mission. Nuclear sites typically require 7 days fuel inventory with diverse supply arrangements. Fuel quality monitoring is ongoing requirement.
Fuel Oil System 5E951018 Subsystem of nuclear EDG: stores, conditions, and delivers EN 590 diesel fuel to engine injection system. Functions: bulk storage (50,000L capacity per train, 7-day inventory), automatic day tank transfer, water/contamination monitoring, fuel filtering (10-micron), fuel heating in cold weather. Key components: bulk storage tanks, day tank, transfer pumps (redundant), duplex filters, fuel oil cooler, water separator, level instrumentation. Seismic Category I piping and tank anchorage.
Generate Electrical Power 54D53218 System function of nuclear EDG: converts diesel engine mechanical rotation to 6.6kV 50Hz 3-phase electrical power via synchronous alternator with automatic voltage regulator. Input: shaft rotation at rated speed. Output: 6.6kV ±10%, 50Hz ±2% electrical power up to rated kW. Continuous duty for minimum 7 days.
Generator Circuit Breaker D6B53018 6.6kV vacuum circuit breaker connecting the EDG synchronous generator to the Class 1E emergency AC bus. Motor-operated mechanism with spring-charged close/trip coils powered from Class 1E 125VDC. Rated fault current interruption capacity approximately 25kA symmetrical at 6.6kV. Receives close command from synchronising check relay and trip command from generator protection relay package and I&C system. Operates in the nuclear-grade switchgear environment at up to 40°C ambient with seismic qualification to OBE/SSE requirements. Must trip within 100ms on protection command.
Generator Electrical Protection Relay Package D0F57058 Numerical protection relay providing electrical protection for the 6.6kV synchronous generator and its interconnection to the emergency bus. Functions include: differential protection (87G), overcurrent (51), loss-of-excitation (40), reverse power (32), overvoltage (59), undervoltage (27), negative sequence (46). Trip output to Generator Circuit Breaker within 100ms. Class 1E qualified, seismic-qualified to OBE/SSE. Powered from Class 1E 125VDC. Isolated from non-Class 1E systems via qualified isolation devices.
Load Sequencer Logic Controller D4B53A58 Hardwired relay logic controller (or qualified PLC for SIL 3) that sequences connection of safety loads to the 6.6kV emergency AC bus following generator breaker closure. Implements fixed priority table: Group 1 (reactor cooling pump, RCP seal injection), Group 2 (emergency feedwater), Group 3 (auxiliary systems). Inter-group time delay 500ms minimum to prevent simultaneous inrush exceeding generator transient capability. Powered from Class 1E 125VDC. Seismic-qualified. No software modifications permitted without Class 1E qualification.
Local Community near Nuclear Site 000412BD Residents and businesses within the emergency planning zone around the nuclear site. Concerned about nuclear safety and environmental impact. Represented through Site Stakeholder Group and local authority liaison. Could be affected by accident or emergency requiring evacuation. Expects reliable backup power to prevent accidents.
Loss of Offsite Power Response scenario 51F77A10 Primary ConOps scenario for EDG: grid failure triggers automatic start sequence. Scenario begins with stable reactor operation at power, EDG in standby ready. Grid voltage drops below threshold, LOOP relays actuate, start signal sent to EDG. Air motors crank engine, fuel injection begins, engine fires within 3 seconds. Voltage builds, synchronises to emergency bus within 10 seconds. Safety loads sequenced onto bus. Operator verifies EDG parameters from control room. EDG runs continuously until grid restored hours or days later. Controlled transfer back to grid, EDG cooldown, return to standby.
Loss of output during operation hazard 00010209 EDG stops or trips while supplying safety loads during LOOP event. Causes: fuel exhaustion, cooling failure, protection trip (overspeed, low oil pressure, high temperature). Consequence: loss of AC power during event when offsite power unavailable, potential core damage. More severe than failure to start because loads were relying on EDG.
Lubrication Oil System 56951218 Subsystem of nuclear EDG: provides pressurised lubricating oil to engine bearings, turbocharger bearings, and valve train. Functions: pre-lube in standby (electric pump), main lube during operation (engine-driven pump), oil filtering (25-micron duplex), oil cooling via heat exchanger, oil level and pressure monitoring. Key components: engine-driven oil pump, electric pre-lube pump, duplex oil filter, oil cooler, sump/wet sump, pressure relief valve, low-pressure trip switch. Oil quality degrades with runtime — condition monitoring drives maintenance intervals.
Maintenance Out-of-Service mode of Emergency Diesel Generator 40843A58 Controlled isolation for preventive or corrective maintenance. Engine de-energised, fuel isolated, start inhibited, lockout-tagout applied. Work includes oil changes, filter replacement, injector servicing, overhauls. Entry requires formal work control process and approval considering reactor state and redundancy. Duration limited by Technical Specifications (e.g., 72 hours with reactor at power). Return-to-service requires post-maintenance testing before declaring operable. Multiple EDGs ensure at least one remains available during maintenance of another.
Monitor and Control EDG 55F57818 System function of nuclear EDG: provides instrumentation for all operating parameters (kW, Hz, V, oil pressure, coolant temp, exhaust temp), transmits to main control room displays, processes operator commands (manual start/stop, transfer authorisation), manages automatic voltage regulator and governor. Includes local control panel in EDG building and remote interface to MCR.
Monthly Surveillance Test scenario 00802A50 Routine periodic testing to demonstrate EDG availability per Technical Specifications. Tests start reliability, load capacity, and transfer time without challenging system during genuine emergency.
National Grid Transmission System 54F77258 UK 400kV/275kV transmission network operated by National Grid ESO. Primary power source for nuclear site. EDG function is to replace this when unavailable. Interface via site grid connection (typically 400kV or 132kV). LOOP detection based on grid voltage/frequency monitoring.
Nuclear Plant Control Room Operator 00AD6AF9 Licensed operator responsible for monitoring and controlling reactor and safety systems from main control room. Initiates manual EDG starts, monitors EDG status, authorises transfers between power sources. Works 12-hour rotating shifts. Must hold valid Site Licence Condition 12 authorisation. Primary human interface with EDG during normal and emergency operations.
Nuclear Plant Protection System 51F77859 Safety I&C system that detects unsafe conditions and initiates reactor trip and engineered safeguards actuation. Sends LOOP signal to EDG start logic. Receives confirmation of EDG availability for logic decisions. Class 1E, qualified to IEC 61513.
Nuclear Plant Shift Supervisor 01857AF9 Senior authorised person with overall responsibility for safe plant operation during shift. Makes decisions on LCO entry/exit, authorises EDG maintenance, directs emergency response. Reports to Site Manager. Required to approve any non-routine EDG operation. Accountable for compliance with Operating Technical Specifications.
Nuclear Safety Bus Electrical Distribution 54853059 Class 1E electrical distribution bus supplying power to nuclear safety-related loads: reactor coolant pumps, emergency feedwater pumps, HVAC, essential lighting, safety I&C. Receives power from grid or EDG via automatic transfer. Voltage typically 6.6kV or 11kV for large motors, stepped down for smaller loads.
Nuclear Site Licence Company 008538FD Organisation holding the nuclear site licence from ONR, responsible for nuclear safety. Owns and operates the nuclear power station. Bears ultimate responsibility for EDG availability and compliance. Funds maintenance, modifications, and life extension. Employs all site personnel. Must demonstrate adequate financial and technical resources to maintain nuclear safety.
Nuclear Ultimate Heat Sink 02850011 Final repository for decay heat removal: sea, river, cooling pond, or atmosphere. EDG cooling system may use raw water from ultimate heat sink for engine jacket cooling. Loss of UHS affects both reactor cooling and EDG cooling. Design must consider UHS availability under accident conditions.
Office for Nuclear Regulation 008578FD UK independent nuclear safety regulator. Enforces compliance with Nuclear Installations Act 1965 and Site Licence Conditions. Reviews and approves safety cases. Conducts inspections. Can issue improvement notices or prohibit unsafe operations. Requires demonstration of EDG reliability and adequacy of emergency power provisions. Key regulatory stakeholder whose approval is required for design changes.
Planned Major Maintenance scenario 40843A59 Scheduled overhaul of EDG during reactor outage. Tests maintenance isolation, return-to-service process, and configuration control.
Protect Engine from Damage 41B73800 System function of nuclear EDG: monitors engine parameters and triggers protective shutdown on overspeed (>115% rated), high coolant temperature, low oil pressure, and overcurrent. Hardwired trip circuits independent of digital control system. Must act within 2 seconds of setpoint. Includes mechanical overspeed trip as ultimate backup. H-003 (overspeed) and H-006 (cooling failure).
Provide Starting Energy 56C51018 System function of nuclear EDG: stores and delivers compressed air at 30 bar to pneumatic starting motors that crank the diesel engine to firing speed (150 rpm). Includes air compressor, receiver tanks (sized for 5 consecutive start attempts without recharge), moisture separator, and solenoid-operated start valves. Must function at -10°C. Battery backup for start valve control.
Running Loaded mode of Emergency Diesel Generator 55F73A18 Full-power operation supplying emergency AC bus with safety loads connected. Engine running at rated speed (typically 750 or 1000 rpm for 50Hz), alternator producing rated voltage (typically 6.6kV or 11kV) and frequency (50Hz). Continuous monitoring of oil pressure, coolant temperature, exhaust temperature, vibration, output power quality. Automatic load shedding if overload detected. Duration: potentially hours to days depending on grid restoration. The EDG must run continuously without human intervention until offsite power is restored or reactor reaches cold shutdown.
Seismic damage to diesel generator hazard 10000259 Earthquake exceeding design basis damages EDG structure, piping, or anchorage. Diesel engines are heavy rotating machinery requiring robust mounting. Fuel and cooling pipes can fail at supports. Control cabinets can fall. UK seismic hazard is low but not negligible; design basis earthquake for nuclear sites is typically 0.1-0.25g PGA. Post-earthquake inspection may be required before relying on EDG.
Sequence Safety Loads 40B53A10 System function of nuclear EDG: connects safety loads to emergency bus in priority order to prevent generator overload during cold start. Sequence: charging pumps first, then component cooling water pumps, then HVAC. Input: EDG at rated voltage. Output: timed closure of load breakers over 60-second window. Load acceptance must not cause voltage dip below 75% nominal.
Spurious start or protection trip hazard 00000010 EDG starts when not required (wasting fuel, causing wear, creating noise) or protection trips when not justified (causing loss of power during genuine emergency). Causes: sensor drift, EMI, software bugs, wiring faults. Consequence: reduced reliability, reduced remaining life, potential loss of power during actual LOOP if spurious trip. Nuclear-grade I&C requires extensive verification and fail-safe design.
Standby Ready mode of Emergency Diesel Generator 50B43218 Quiescent state where the EDG is not running but is pre-heated, pre-lubricated, and maintained ready for immediate start. Fuel tanks full, batteries charged, jacket water heaters maintaining engine block at 40-50°C for cold-start prevention. Continuous monitoring via supervisory system. Entry: post-maintenance return-to-service or post-test shutdown. Exit: start signal from LOOP detection or manual initiation. Duration: 99%+ of operational life. The EDG must be capable of transitioning to running within 10-15 seconds from this state.
Start and Accelerate Diesel Engine 55F53218 System function of nuclear EDG: cranks diesel engine using compressed air starting motors to 150 rpm, initiates fuel injection, accelerates to rated speed (750 or 1000 rpm depending on pole count). Input: LOOP start signal, starting air at 30 bar. Output: mechanical shaft rotation at rated speed within 8-10 seconds. Must achieve reliable ignition across -10°C to +40°C ambient range.
Starting Air System 56D51018 Subsystem of nuclear EDG: stores and delivers compressed air at 25-30 bar to pneumatic starting motors for engine cranking. Functions: compress and store starting air (sized for 5 consecutive start attempts without recharge), deliver via solenoid valves to air motors, crank engine to 150 rpm firing speed. Key components: air compressor (electric-driven), two air receiver tanks per train, moisture separator, solenoid start valves, air start motor/distributor, pressure instruments. Must function at -10°C — moisture in air lines is a common cause of failure to start.
Station Blackout scenario 00000201 Worst-case scenario: LOOP coincides with failure of all EDGs (common cause). Tests diverse backup power, coping time, and emergency procedures.
Supply and Manage Fuel 42973218 System function of nuclear EDG: stores, transfers, filters, and delivers diesel fuel from 50,000L bulk tanks through day tank to engine injection system. Automatic bulk-to-day-tank transfer on level. Fuel quality monitoring for water contamination per EN 590. Must sustain 7-day operation at 100% load without external replenishment.
Surveillance Test mode of Emergency Diesel Generator 54C43A50 Periodic testing to demonstrate EDG availability and reliability per Technical Specifications. Includes monthly start tests, load run tests, 24-hour endurance runs. Testing must minimise challenge to the system while providing confidence in start-on-demand probability. Test procedure requires pre-test checks, controlled start (either fast or slow depending on test type), load application, parameter monitoring, and controlled shutdown. ONR requires demonstration of 0.975+ start reliability. Testing creates temporary unavailability risk managed through limiting conditions for operation.
Synchronising Check Relay D4B73810 Relay verifying voltage magnitude, frequency, and phase angle match between the EDG output and a live emergency bus before permitting Generator Circuit Breaker closure. Voltage match window: ±10% of 6.6kV. Frequency match window: ±0.5Hz. Phase angle window: ±10 degrees. Includes dead-bus override: when bus is de-energised (LOOP condition), closes GCB without synchronising check. Class 1E qualified. Powered from Class 1E 125VDC. Critical for preventing out-of-phase closing which could damage the generator.
Synchronous Generator D6F53018 Subsystem of nuclear EDG: brushless synchronous alternator rated for continuous duty at 6.6kV 50Hz 3-phase output. Functions: convert shaft rotation to electrical power, regulate voltage via automatic voltage regulator (AVR) and excitation system. Key components: stator windings, rotor, brushless exciter, AVR, output terminals, neutral grounding. Must maintain ±10% voltage and ±2% frequency from no-load to 110% rated. Directly coupled to diesel engine flywheel.
Transfer Power to Grid and Back 40B53A18 System function of nuclear EDG: manages electrical connection between EDG output, emergency bus, and normal grid supply. Includes generator output breaker, bus tie breaker, LOOP detection relays, and synchronising equipment for return-to-grid transfer. Must prevent paralleling EDG with degraded grid. Return-to-service requires 30-minute grid stability verification.
UK nuclear site seismic qualification environment 40853851 Seismic Category I qualification required for nuclear safety-related SSCs. UK design basis earthquake typically 0.1-0.25g peak ground acceleration. EDG must remain functional during and after DBE. Requires seismic analysis, anchorage design, and qualification testing.

Decomposition Relationships

Part-Of

ComponentBelongs To
Diesel Engine AssemblyEmergency Diesel Generator for a UK Nuclear Licensed Site
Synchronous GeneratorEmergency Diesel Generator for a UK Nuclear Licensed Site
Fuel Oil SystemEmergency Diesel Generator for a UK Nuclear Licensed Site
Engine Cooling SystemEmergency Diesel Generator for a UK Nuclear Licensed Site
Lubrication Oil SystemEmergency Diesel Generator for a UK Nuclear Licensed Site
Starting Air SystemEmergency Diesel Generator for a UK Nuclear Licensed Site
EDG Instrumentation and Control SystemEmergency Diesel Generator for a UK Nuclear Licensed Site
Electrical Switchgear and Load SequencerEmergency Diesel Generator for a UK Nuclear Licensed Site
EDG Building and Support SystemsEmergency Diesel Generator for a UK Nuclear Licensed Site
Diesel Engine Block and CrankcaseDiesel Engine Assembly
Diesel Fuel Injection SystemDiesel Engine Assembly
Diesel Engine TurbochargerDiesel Engine Assembly
Engine Governor and Speed Control UnitDiesel Engine Assembly
Engine Protection Relay PackageDiesel Engine Assembly
Engine Exhaust SystemDiesel Engine Assembly
Crankshaft and Flexible Shaft CouplingDiesel Engine Assembly
Generator Circuit BreakerElectrical Switchgear and Load Sequencer
Bus Undervoltage Sensing RelayElectrical Switchgear and Load Sequencer
Load Sequencer Logic ControllerElectrical Switchgear and Load Sequencer
Generator Electrical Protection Relay PackageElectrical Switchgear and Load Sequencer
Synchronising Check RelayElectrical Switchgear and Load Sequencer
Class 1E Switchgear Control Power SupplyElectrical Switchgear and Load Sequencer
Stator and Stator Winding AssemblySynchronous Generator
Rotor and Field WindingSynchronous Generator
Automatic Voltage RegulatorSynchronous Generator
Generator Neutral Earthing UnitSynchronous Generator
Generator Cooling FanSynchronous Generator
Bulk Storage TankFuel Oil System
Day TankFuel Oil System
Fuel Transfer PumpFuel Oil System
Fuel Oil Strainer and Filter AssemblyFuel Oil System
Day Tank Level Control and AlarmFuel Oil System
Engine Jacket Water CircuitEngine Cooling System
Radiator/Heat ExchangerEngine Cooling System
Coolant Circulation PumpEngine Cooling System
Thermostatic Control ValveEngine Cooling System
Engine Pre-heat SystemEngine Cooling System
Engine Lube Oil SumpLubrication Oil System
Engine-Driven Lube Oil PumpLubrication Oil System
Pre-Lube and Post-Lube PumpLubrication Oil System
Lube Oil CoolerLubrication Oil System
Lube Oil Filter and StrainerLubrication Oil System
Ventilation and Combustion Air SystemEDG Building and Support Systems
Exhaust Silencer and Discharge StackEDG Building and Support Systems
Fire Detection and Suppression SystemEDG Building and Support Systems
Category 1 Building StructureEDG Building and Support Systems
Drain and Spill Containment SystemEDG Building and Support Systems
EDG Building StructureEDG Building and Support Systems
EDG Building HVAC SystemEDG Building and Support Systems
EDG Flood and Drainage SystemEDG Building and Support Systems
EDG Building Access Control SystemEDG Building and Support Systems

Connections

FromTo
Bus Undervoltage Sensing RelayGenerator Circuit Breaker
Synchronising Check RelayGenerator Circuit Breaker
Generator Electrical Protection Relay PackageGenerator Circuit Breaker
Class 1E Switchgear Control Power SupplyGenerator Circuit Breaker
Class 1E Switchgear Control Power SupplyLoad Sequencer Logic Controller
EDG Building HVAC SystemDiesel Engine Assembly
EDG Flood and Drainage SystemFuel Oil System
Coolant Circulation PumpEngine Jacket Water Circuit
Engine Pre-heat SystemEngine Jacket Water Circuit
Thermostatic Control ValveRadiator/Heat Exchanger
Engine Cooling SystemEDG Instrumentation and Control System
Fuel Transfer PumpDay Tank
Day Tank Level Control and AlarmFuel Transfer Pump
Day TankDiesel Fuel Injection System
Fuel Oil Strainer and Filter AssemblyDiesel Fuel Injection System
Bulk Storage TankFuel Transfer Pump

Produces

ComponentOutput
Diesel Engine Block and Crankcasemechanical rotation at crankshaft
Diesel Fuel Injection Systemmetered fuel charge to cylinders
Diesel Engine Turbochargerpressurised combustion air
Engine Governor and Speed Control Unitfuel rack position signal at constant 50Hz
Engine Protection Relay Packageengine trip signal on fault
Engine Exhaust Systemrouted exhaust gas to atmosphere
Crankshaft and Flexible Shaft Couplingmechanical power transfer to generator
Bus Undervoltage Sensing RelayLOOP initiation signal
Generator Circuit Breaker6.6kV supply to emergency bus
Load Sequencer Logic Controllersequenced load connect commands
Generator Electrical Protection Relay PackageGCB trip command

Traceability Matrix — Derivation

SourceTargetTypeDescription
REQ-SEEDGUKNUCLEAR-026 ARC-REQ-008 derives Fuel Oil System architecture decision derives from fuel storage capacity requirement
REQ-SEEDGUKNUCLEAR-029 ARC-REQ-007 derives
REQ-SEEDGUKNUCLEAR-023 REQ-SEEDGUKNUCLEAR-039 derives Separate cooling architecture realises sustained operation system requirement
REQ-SEEDGUKNUCLEAR-021 REQ-SEEDGUKNUCLEAR-038 derives Switchgear integration architecture realises load sequencing system requirement
REQ-SEEDGUKNUCLEAR-020 REQ-SEEDGUKNUCLEAR-037 derives Pneumatic starting architecture realises automatic start system requirement
REQ-SEEDGUKNUCLEAR-019 REQ-SEEDGUKNUCLEAR-034 derives Medium-speed diesel architecture realises 10-second start system requirement
REQ-SEEDGUKNUCLEAR-030 REQ-SEEDGUKNUCLEAR-035 derives Hardwired protection architecture realises cybersecurity isolation system requirement
REQ-SEEDGUKNUCLEAR-025 REQ-SEEDGUKNUCLEAR-036 derives Train independence architecture realises two-train redundancy system requirement
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-041 derives Coolant pump flow specification derives from sustained rated-load endurance
REQ-SEEDGUKNUCLEAR-023 REQ-SEEDGUKNUCLEAR-075 derives Generator Cooling Fan continuous airflow derives from sustained rated-load operation requirement
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-050 derives Fuel system standards compliance derives from sustained operation quality and safety requirements
REQ-SEEDGUKNUCLEAR-026 SUB-REQ-048 derives Fuel transfer pump auto-transfer derives from 7-day fuel storage requirement
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-042 derives Thermostatic control valve modulation derives from rated-load coolant temperature requirement
REQ-SEEDGUKNUCLEAR-030 REQ-SEEDGUKNUCLEAR-076 derives Class 1E I&C classification requirement cascades to AVR as active voltage control element
REQ-SEEDGUKNUCLEAR-024 REQ-SEEDGUKNUCLEAR-073 derives AVR transient recovery requirement derives from bus voltage stability during load sequencer steps
REQ-SEEDGUKNUCLEAR-024 REQ-SEEDGUKNUCLEAR-072 derives AVR steady-state regulation derives from bus voltage stability requirement
REQ-SEEDGUKNUCLEAR-028 REQ-SEEDGUKNUCLEAR-071 derives Hardwired engine protection trip matrix includes low lube oil pressure as primary seizure precursor
REQ-SEEDGUKNUCLEAR-019 REQ-SEEDGUKNUCLEAR-066 derives 10-second start requires pre-lube completion before air start valve opens
REQ-SEEDGUKNUCLEAR-023 REQ-SEEDGUKNUCLEAR-069 derives Filter cleanliness derives from sustained engine reliability requirement
REQ-SEEDGUKNUCLEAR-023 REQ-SEEDGUKNUCLEAR-068 derives Lube oil cooler performance derives from rated-load thermal requirement
REQ-SEEDGUKNUCLEAR-023 REQ-SEEDGUKNUCLEAR-066 derives Sustained 24h operation requires lube oil system pressure before cranking
REQ-SEEDGUKNUCLEAR-019 SUB-REQ-001 derives Engine start self-sustain budget derives from system 10-second start requirement
REQ-SEEDGUKNUCLEAR-024 SUB-REQ-002 derives DUPLICATE of link-1774489385208 (SYS-006→SUB-002 engine speed)
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-003 derives DUPLICATE of link-1774489385901 (SYS-005→SUB-003 engine endurance)
REQ-SEEDGUKNUCLEAR-019 SUB-REQ-001 derives DUPLICATE of link-1774489349041 (SYS-001→SUB-001 engine start budget)
REQ-SEEDGUKNUCLEAR-024 SUB-REQ-002 derives Engine speed tolerance from frequency requirement
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-003 derives Engine endurance from 24-hour mission reliability
REQ-SEEDGUKNUCLEAR-028 SUB-REQ-004 derives Hardwired trip function decomposed from system trip requirement
REQ-SEEDGUKNUCLEAR-028 SUB-REQ-005 derives Hardwired trip function decomposed from system trip requirement
REQ-SEEDGUKNUCLEAR-028 SUB-REQ-006 derives Hardwired trip function decomposed from system trip requirement
REQ-SEEDGUKNUCLEAR-028 SUB-REQ-009 derives Hardwired trip function decomposed from system trip requirement
REQ-SEEDGUKNUCLEAR-027 SUB-REQ-008 derives Engine seismic qualification from system seismic requirement
REQ-SEEDGUKNUCLEAR-021 SUB-REQ-010 derives Load sequencing requirement derives to switchgear and load sequencer subsystem
REQ-SEEDGUKNUCLEAR-026 SUB-REQ-011 derives Fuel storage capacity requirement derives to fuel oil system inventory subsystem
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-007 derives 24-hour endurance requirement derives to fuel injection system metering criterion
REQ-SEEDGUKNUCLEAR-022 SUB-REQ-001 derives System reliability target allocates to engine start criterion
REQ-SEEDGUKNUCLEAR-032 SUB-REQ-003 derives Single train 100% load capability requires each engine to sustain full rated output
REQ-SEEDGUKNUCLEAR-030 SUB-REQ-004 derives Cyber isolation system requirement derives to hardwired overspeed relay subsystem req
REQ-SEEDGUKNUCLEAR-028 SUB-REQ-012 derives Fail-safe de-energise-to-trip relay architecture derives from hardwired engine protection requirement
REQ-SEEDGUKNUCLEAR-022 SUB-REQ-014 derives SAS receiver pressure derives from start reliability requirement
REQ-SEEDGUKNUCLEAR-019 SUB-REQ-015 derives Valve actuation timing derived from 10-second start budget
REQ-SEEDGUKNUCLEAR-031 SUB-REQ-016 derives Compressor recharge time derived from surveillance testing operability return
REQ-SEEDGUKNUCLEAR-027 SUB-REQ-017 derives Moisture separator dewpoint derived from environmental survivability requirement
REQ-SEEDGUKNUCLEAR-030 SUB-REQ-021 derives Class 1E I/O isolation derives from safety system isolation requirement
REQ-SEEDGUKNUCLEAR-030 SUB-REQ-022 derives Data diode isolation derives from safety system network isolation requirement
REQ-SEEDGUKNUCLEAR-020 SUB-REQ-024 derives BUVR detection derives from automatic start on bus undervoltage
REQ-SEEDGUKNUCLEAR-019 SUB-REQ-025 derives GCB close time allocated from 10-second bus restoration budget
REQ-SEEDGUKNUCLEAR-021 SUB-REQ-026 derives Sync check relay conditions govern GCB closure enabling load connection
REQ-SEEDGUKNUCLEAR-028 SUB-REQ-027 derives Generator electrical protection implements hardwired protection requirement
REQ-SEEDGUKNUCLEAR-028 SUB-REQ-028 derives Switchgear safe state derives from hardwired engine and generator protection requirement
REQ-SEEDGUKNUCLEAR-029 SUB-REQ-029 derives EDG building fire suppression and inter-train barrier requirement derives from SYS-REQ-011
REQ-SEEDGUKNUCLEAR-027 SUB-REQ-030 derives Building seismic integrity requirement derives from system seismic operability requirement
REQ-SEEDGUKNUCLEAR-025 SUB-REQ-031 derives Train independence requirement drives inter-train fire barrier specification
REQ-SEEDGUKNUCLEAR-019 SUB-REQ-033 derives EDG start timing requirement drives HVAC auto-start timing
REQ-SEEDGUKNUCLEAR-022 SUB-REQ-032 derives Start-on-demand reliability requirement drives HVAC combustion air margin
REQ-SEEDGUKNUCLEAR-027 SUB-REQ-036 derives Seismic operability requirement drives building breach safe-state requirement
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-034 derives
REQ-SEEDGUKNUCLEAR-026 SUB-REQ-035 derives
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-037 derives Jacket water temperature band derives from 24h rated-load endurance requirement
REQ-SEEDGUKNUCLEAR-019 SUB-REQ-038 derives Pre-heat standby requirement derives from 10-second start time requirement
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-039 derives 110% heat rejection margin derives from rated-load endurance at maximum ambient
REQ-SEEDGUKNUCLEAR-028 SUB-REQ-040 derives Cooling loss trip derives from engine protection hardwired trip circuits requirement
REQ-SEEDGUKNUCLEAR-027 SUB-REQ-043 derives Seismic survivability of cooling pressure boundary derives from DBE functional survival
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-044 derives Fuel delivery pressure/flow requirement derives from rated-load 24h endurance
REQ-SEEDGUKNUCLEAR-026 SUB-REQ-045 derives Bulk tank 110% inventory margin derives from 7-day fuel storage requirement
REQ-SEEDGUKNUCLEAR-028 SUB-REQ-049 derives Low-fuel safe-state trip derives from engine protection hardwired trip circuits requirement
REQ-SEEDGUKNUCLEAR-023 SUB-REQ-046 derives Day Tank 4-hour autonomy derives from continuous operation requirement
REQ-SEEDGUKNUCLEAR-023 IFC-REQ-028 derives Filter to Day Tank interface derives from fuel cleanliness requirement for extended operation
REQ-SEEDGUKNUCLEAR-023 IFC-REQ-027 derives Day Tank to engine fuel supply interface derives from continuous operation at rated load
REQ-SEEDGUKNUCLEAR-026 IFC-REQ-026 derives Transfer pump to Day Tank interface derives from 7-day fuel storage and continuous replenishment requirement
REQ-SEEDGUKNUCLEAR-023 IFC-REQ-022 derives Coolant pump to jacket water interface derives from sustained rated-load endurance
REQ-SEEDGUKNUCLEAR-028 IFC-REQ-025 derives Cooling system to I&C signal interface derives from engine protection trip requirement
REQ-SEEDGUKNUCLEAR-023 IFC-REQ-024 derives Thermostat-radiator interface derives from sustained rated-load operation requirement
REQ-SEEDGUKNUCLEAR-019 IFC-REQ-023 derives Pre-heat circuit interface derives from 10-second start time requirement
REQ-SEEDGUKNUCLEAR-033 REQ-SEEDGUKNUCLEAR-044 derives Diverse AC connection capability requires MCR interface support for operator switchover
REQ-SEEDGUKNUCLEAR-019 IFC-REQ-013 derives 10-second start performance requirement derives to generator-to-bus coupling interface
REQ-SEEDGUKNUCLEAR-028 IFC-REQ-012 derives Hardwired engine protection requirement derives to EDG instrumentation and control interface
REQ-SEEDGUKNUCLEAR-023 IFC-REQ-010 derives 24-hour operation requirement derives to lube oil system interface for engine protection
REQ-SEEDGUKNUCLEAR-023 IFC-REQ-009 derives 24-hour operation requirement derives to engine cooling interface thermal performance
REQ-SEEDGUKNUCLEAR-025 REQ-SEEDGUKNUCLEAR-046 derives Two-train redundancy requirement derives to DC battery system interface
REQ-SEEDGUKNUCLEAR-026 REQ-SEEDGUKNUCLEAR-045 derives Fuel storage requirement derives to fuel supply infrastructure fill interface
REQ-SEEDGUKNUCLEAR-031 REQ-SEEDGUKNUCLEAR-044 derives Surveillance test requirement derives to MCR monitoring and command interface
REQ-SEEDGUKNUCLEAR-020 REQ-SEEDGUKNUCLEAR-043 derives Automatic start requirement derives to plant protection system signal interface
REQ-SEEDGUKNUCLEAR-023 REQ-SEEDGUKNUCLEAR-042 derives 24-hour endurance requirement derives to ultimate heat sink cooling water interface
REQ-SEEDGUKNUCLEAR-019 REQ-SEEDGUKNUCLEAR-041 derives 10-second start requirement derives to emergency AC bus voltage and frequency interface
REQ-SEEDGUKNUCLEAR-020 REQ-SEEDGUKNUCLEAR-040 derives Automatic LOOP detection requirement derives to national grid loss-of-supply interface
REQ-SEEDGUKNUCLEAR-015 REQ-SEEDGUKNUCLEAR-028 derives Failure prevention stakeholder need derives hardwired protection trip specification
REQ-SEEDGUKNUCLEAR-005 REQ-SEEDGUKNUCLEAR-026 derives SBO procedure support need drives 7-day autonomous fuel inventory specification
REQ-SEEDGUKNUCLEAR-012 REQ-SEEDGUKNUCLEAR-024 derives Voltage regulation requirement derives from stakeholder reliability requirement
REQ-SEEDGUKNUCLEAR-013 REQ-SEEDGUKNUCLEAR-025 derives Qualification evidence requirement derives to dual-train redundancy system architecture
REQ-SEEDGUKNUCLEAR-018 REQ-SEEDGUKNUCLEAR-033 derives EMC requirement derives to diverse AC power source for SBO
REQ-SEEDGUKNUCLEAR-017 REQ-SEEDGUKNUCLEAR-023 derives Ambient temperature range requirement derives to 24-hour mission endurance requirement
REQ-SEEDGUKNUCLEAR-014 REQ-SEEDGUKNUCLEAR-023 derives OEM maintenance interval requirement derives to 24-hour mission endurance requirement
REQ-SEEDGUKNUCLEAR-011 REQ-SEEDGUKNUCLEAR-021 derives Deterministic safety case need drives load sequencer specification
REQ-SEEDGUKNUCLEAR-009 REQ-SEEDGUKNUCLEAR-030 derives Diagnostic access requirement derives to cyber-secure control system requirement
REQ-SEEDGUKNUCLEAR-008 REQ-SEEDGUKNUCLEAR-031 derives Calibration and test requirement derives to monthly surveillance test requirement
REQ-SEEDGUKNUCLEAR-007 REQ-SEEDGUKNUCLEAR-029 derives Train isolation maintenance need drives inter-train fire barrier specification
REQ-SEEDGUKNUCLEAR-006 REQ-SEEDGUKNUCLEAR-030 derives Fault diagnosis requirement derives to cyber-secure control system requirement
REQ-SEEDGUKNUCLEAR-005 REQ-SEEDGUKNUCLEAR-031 derives SBO support requirement derives to monthly surveillance test
REQ-SEEDGUKNUCLEAR-002 REQ-SEEDGUKNUCLEAR-031 derives Operator control requirement derives to monthly surveillance and test requirement
REQ-SEEDGUKNUCLEAR-010 REQ-SEEDGUKNUCLEAR-030 derives ONR SAP compliance need drives network isolation specification
REQ-SEEDGUKNUCLEAR-016 REQ-SEEDGUKNUCLEAR-027 derives Site DBE operability need directly derives seismic qualification requirement
REQ-SEEDGUKNUCLEAR-012 REQ-SEEDGUKNUCLEAR-022 derives Stakeholder reliability target directly derives system reliability criterion
REQ-SEEDGUKNUCLEAR-001 REQ-SEEDGUKNUCLEAR-019 derives Operator monitoring need drives start sequence performance specification
REQ-SEEDGUKNUCLEAR-004 REQ-SEEDGUKNUCLEAR-032 derives LCO support need derives single-train full-load capability
REQ-SEEDGUKNUCLEAR-003 REQ-SEEDGUKNUCLEAR-020 derives Alarm annunciation need derives automatic LOOP detection and start
REQ-SEEDGUKNUCLEAR-010 REQ-SEEDGUKNUCLEAR-025 derives ONR SAP compliance derives dual-train redundancy with single failure criterion
REQ-SEEDGUKNUCLEAR-015 REQ-SEEDGUKNUCLEAR-033 derives Community expectation of accident prevention derives diverse AC source for SBO
REQ-SEEDGUKNUCLEAR-012 REQ-SEEDGUKNUCLEAR-023 derives Licensee reliability target derives 24-hour mission reliability requirement

Traceability Matrix — Verification

RequirementVerified ByTypeDescription
REQ-SEEDGUKNUCLEAR-062 SUB-REQ-039 verifies Endurance test also verifies SUB-REQ-039 heat rejection margin
REQ-SEEDGUKNUCLEAR-083 REQ-SEEDGUKNUCLEAR-076 verifies EQF inspection verifies AVR Class 1E qualification certificates
REQ-SEEDGUKNUCLEAR-082 REQ-SEEDGUKNUCLEAR-074 verifies Design analysis verifies neutral earthing unit limits fault current to 5A
REQ-SEEDGUKNUCLEAR-081 REQ-SEEDGUKNUCLEAR-073 verifies Block-load transient test verifies 1.5s AVR recovery window
REQ-SEEDGUKNUCLEAR-080 REQ-SEEDGUKNUCLEAR-072 verifies AVR steady-state test verifies voltage regulation ±1% across load envelope
REQ-SEEDGUKNUCLEAR-079 REQ-SEEDGUKNUCLEAR-070 verifies Post-lube duration test verifies 10-minute minimum post-shutdown circulation
REQ-SEEDGUKNUCLEAR-078 REQ-SEEDGUKNUCLEAR-067 verifies Engine-Driven pump pressure test verifies steady-state oil pressure band
REQ-SEEDGUKNUCLEAR-077 REQ-SEEDGUKNUCLEAR-066 verifies Pre-lube acceptance test verifies pre-lube timing and pressure spec
REQ-SEEDGUKNUCLEAR-065 SUB-REQ-047 verifies Filter test also verifies SUB-REQ-047 contamination class specification
REQ-SEEDGUKNUCLEAR-064 SUB-REQ-044 verifies Fuel endurance test also verifies SUB-REQ-044 fuel delivery pressure
VER-REQ-003 SUB-REQ-009 verifies Safe state test verifies engine transition to standstill within 5 seconds
VER-REQ-002 SUB-REQ-006 verifies Protection trip test verifies hardwired trip function
VER-REQ-002 SUB-REQ-005 verifies Protection trip test verifies hardwired trip function
VER-REQ-002 SUB-REQ-004 verifies Protection trip test verifies hardwired trip function
VER-REQ-001 SUB-REQ-001 verifies Cold start acceptance test verifies engine start self-sustain budget
VER-REQ-006 SUB-REQ-001 verifies End-to-end start chain test verifies cold start self-sustaining rotation requirement
VER-REQ-007 SUB-REQ-002 verifies 24-hour endurance test verifies engine speed regulation within ±1.5 rpm
VER-REQ-007 SUB-REQ-003 verifies 24-hour endurance test verifies engine steady-state speed regulation
VER-REQ-009 SUB-REQ-008 verifies Seismic qualification analysis verifies engine assembly seismic resistance
VER-REQ-010 SUB-REQ-010 verifies Load sequencer test verifies priority-based load connection sequence
VER-REQ-023 SUB-REQ-024 verifies BUVR factory acceptance test verifies SUB-REQ-024 detection threshold and voting logic
VER-REQ-024 SUB-REQ-026 verifies Sync check relay acceptance test verifies SUB-REQ-026 synchronising windows and dead-bus override
VER-REQ-020 SUB-REQ-023 verifies I&C safe-state test verifies de-energise-to-trip transition
VER-REQ-019 SUB-REQ-020 verifies Protection trip timing test verifies I&C response latency
VER-REQ-018 SUB-REQ-019 verifies LOOP detection timing test verifies I&C start command latency
VER-REQ-017 SUB-REQ-014 verifies Receiver pressure acceptance test verifies SAS capacity requirement
VER-REQ-012 SUB-REQ-011 verifies Tank volume inspection verifies 7,000-litre minimum fuel inventory
VER-REQ-011 SUB-REQ-007 verifies Combustion analyser metering test verifies ±3% fuel variation requirement
VER-REQ-002 SUB-REQ-012 verifies Engine Protection Relay Package test verifies fail-safe architecture
VER-REQ-011 SUB-REQ-013 verifies Fuel Injection System test under Class 1E supply verifies power supply requirement
VER-REQ-005 SUB-REQ-015 verifies Starting Air interface test confirms air start valve opening performance
REQ-SEEDGUKNUCLEAR-047 SUB-REQ-025 verifies GCB acceptance test verifies 100ms close-time requirement
REQ-SEEDGUKNUCLEAR-048 SUB-REQ-027 verifies Differential protection test verifies 87G pickup threshold and trip timing
REQ-SEEDGUKNUCLEAR-049 SUB-REQ-028 verifies Generator trip circuit test verifies protection trip timing and de-excitation
REQ-SEEDGUKNUCLEAR-050 SUB-REQ-021 verifies Class 1E isolation qualification test verifies I/O module isolation and seismic survivability
VER-REQ-032 SUB-REQ-016 verifies Air receiver recharge acceptance test verifies compressor recharge capacity
VER-REQ-033 SUB-REQ-017 verifies Dewpoint commissioning inspection verifies moisture separator performance
VER-REQ-034 SUB-REQ-018 verifies Pressure alarm and inhibit functional test verifies both threshold actions
VER-REQ-035 SUB-REQ-022 verifies Data diode unidirectionality test verifies no return path to safety I&C
VER-REQ-036 SUB-REQ-029 verifies Fire protection commissioning inspection verifies suppression time and fire barrier certification
VER-REQ-040 SUB-REQ-030 verifies Seismic structural analysis verifies building structure anchor deformation requirement
VER-REQ-041 SUB-REQ-034 verifies
VER-REQ-041 SUB-REQ-035 verifies
VER-REQ-041 SUB-REQ-033 verifies
VER-REQ-042 SUB-REQ-031 verifies
VER-REQ-043 SUB-REQ-032 verifies
VER-REQ-044 SUB-REQ-036 verifies
VER-REQ-001 SUB-REQ-001 verifies test
REQ-SEEDGUKNUCLEAR-066 REQ-SEEDGUKNUCLEAR-077 verifies Pre-lube pressure acceptance test verifies pre-lube timing and pressure spec
REQ-SEEDGUKNUCLEAR-067 REQ-SEEDGUKNUCLEAR-078 verifies Engine-Driven pump pressure test verifies steady-state oil pressure band
REQ-SEEDGUKNUCLEAR-070 REQ-SEEDGUKNUCLEAR-079 verifies Post-lube duration test verifies 10-minute minimum circulation after shutdown
REQ-SEEDGUKNUCLEAR-072 REQ-SEEDGUKNUCLEAR-080 verifies AVR steady-state test verifies voltage regulation ±1% across load envelope
REQ-SEEDGUKNUCLEAR-073 REQ-SEEDGUKNUCLEAR-081 verifies Block-load transient test verifies 1.5s recovery window
REQ-SEEDGUKNUCLEAR-074 REQ-SEEDGUKNUCLEAR-082 verifies Design analysis verifies neutral earthing unit limits fault current to 5A
REQ-SEEDGUKNUCLEAR-076 REQ-SEEDGUKNUCLEAR-083 verifies EQF inspection verifies AVR Class 1E qualification certificates
REQ-SEEDGUKNUCLEAR-062 SUB-REQ-037 verifies Endurance test verifies SUB-REQ-037 jacket water temperature band
REQ-SEEDGUKNUCLEAR-065 IFC-REQ-028 verifies Filter differential pressure test verifies IFC-REQ-028 filter interface
REQ-SEEDGUKNUCLEAR-064 IFC-REQ-027 verifies Fuel endurance test verifies IFC-REQ-027 day tank to engine fuel supply
REQ-SEEDGUKNUCLEAR-063 IFC-REQ-026 verifies Fuel Transfer Pump test verifies IFC-REQ-026 transfer pump to day tank
REQ-SEEDGUKNUCLEAR-061 IFC-REQ-025 verifies Cooling to I&C signal test verifies IFC-REQ-025 interface
REQ-SEEDGUKNUCLEAR-060 IFC-REQ-024 verifies Thermostatic valve test verifies IFC-REQ-024 thermostat-to-radiator interface
REQ-SEEDGUKNUCLEAR-059 IFC-REQ-023 verifies Pre-heat system test verifies IFC-REQ-023 pre-heat to jacket water interface
REQ-SEEDGUKNUCLEAR-058 IFC-REQ-022 verifies Coolant Pump performance test verifies IFC-REQ-022 pump-to-jacket interface
IFC-REQ-022 VER-REQ-001 verifies test link
VER-REQ-037 IFC-REQ-019 verifies HVAC-engine air intake commissioning test verifies IFC-REQ-019
VER-REQ-038 IFC-REQ-020 verifies Fire-to-HVAC isolation timing test verifies IFC-REQ-020
VER-REQ-039 IFC-REQ-021 verifies Drain bunding commissioning inspection verifies IFC-REQ-021
VER-REQ-013 REQ-SEEDGUKNUCLEAR-042 verifies UHS cooling flow test verifies EDG-to-UHS thermal interface performance
VER-REQ-014 REQ-SEEDGUKNUCLEAR-044 verifies MCR interface functional test verifies all alarm, display, and command channels
VER-REQ-015 REQ-SEEDGUKNUCLEAR-045 verifies Fuel supply demonstration verifies overfill protection and day tank reserve
VER-REQ-016 REQ-SEEDGUKNUCLEAR-046 verifies DC battery interface test verifies 125VDC supply and charger feedback under LOOP
VER-REQ-021 IFC-REQ-014 verifies Integration test verifies I&C to SAS start command interface
VER-REQ-022 IFC-REQ-015 verifies SAS pressure monitoring interface test verifies IFC-REQ-015
VER-REQ-027 IFC-REQ-017 verifies Sync check relay close permission acceptance test verifies IFC-REQ-017
VER-REQ-026 IFC-REQ-018 verifies GEPRP to GCB trip circuit test verifies IFC-REQ-018 resistance, supervision, and trip timing
VER-REQ-025 IFC-REQ-016 verifies BUVR to GCB interface integration test verifies IFC-REQ-016 resistance, failsafe, and segregation
VER-REQ-006 REQ-SEEDGUKNUCLEAR-043 verifies End-to-end start chain test verifies the PPS-to-EDG LOOP signal interface
VER-REQ-002 IFC-REQ-012 verifies Protection relay functional test verifies the engine-instrumentation interface
VER-REQ-007 IFC-REQ-013 verifies 24-hour endurance test verifies the crankshaft-to-generator mechanical coupling
VER-REQ-007 IFC-REQ-010 verifies 24-hour endurance test verifies the engine-lube oil system interface
VER-REQ-007 IFC-REQ-009 verifies 24-hour endurance test verifies the engine-cooling system thermal interface
VER-REQ-008 REQ-SEEDGUKNUCLEAR-041 verifies EDG automatic start test verifies LOOP detection and bus energisation timing
VER-REQ-008 REQ-SEEDGUKNUCLEAR-040 verifies EDG automatic start test verifies LOOP detection interface with National Grid monitor
VER-REQ-004 IFC-REQ-008 verifies Fuel supply test verifies injection pump inlet pressure and cleanliness
VER-REQ-005 IFC-REQ-011 verifies Air start test verifies distributor inlet pressure and cranking speed

Orphan Requirements (no trace links)

RefDocumentRequirement
IFC-REQ-001 interface-requirements The interface between the Emergency Diesel Generator and the National Grid SHALL detect loss of offsite power via redund...
IFC-REQ-002 interface-requirements The interface between the Emergency Diesel Generator and the Emergency AC Bus SHALL deliver 6.6kV 3-phase 50Hz power thr...
IFC-REQ-003 interface-requirements The interface between the Emergency Diesel Generator and the Ultimate Heat Sink SHALL provide cooling water flow of at l...
IFC-REQ-004 interface-requirements The interface between the Emergency Diesel Generator and the Plant Protection System SHALL accept a hardwired LOOP start...
IFC-REQ-005 interface-requirements The interface between the Emergency Diesel Generator and the Main Control Room SHALL provide continuous analogue and dig...
IFC-REQ-006 interface-requirements The interface between the Emergency Diesel Generator and the Fuel Supply infrastructure SHALL accept diesel fuel deliver...
IFC-REQ-007 interface-requirements The interface between the Emergency Diesel Generator and the DC Battery System SHALL provide 125VDC Class 1E control pow...
STK-REQ-001 stakeholder-requirements The Emergency Diesel Generator system SHALL provide the control room operator with continuous real-time display of EDG o...
STK-REQ-002 stakeholder-requirements The Emergency Diesel Generator system SHALL enable the control room operator to manually start, stop, and authorise load...
STK-REQ-003 stakeholder-requirements The Emergency Diesel Generator system SHALL annunciate all abnormal EDG conditions as distinct alarms in the main contro...
STK-REQ-004 stakeholder-requirements The Emergency Diesel Generator system SHALL provide sufficient information to the shift supervisor to support Limiting C...
STK-REQ-005 stakeholder-requirements The Emergency Diesel Generator system SHALL support implementation of station blackout emergency operating procedures, i...
STK-REQ-006 stakeholder-requirements The Emergency Diesel Generator system SHALL enable fault diagnosis through locally accessible instrumentation and test p...
STK-REQ-007 stakeholder-requirements The Emergency Diesel Generator system SHALL support safe maintenance isolation through lock-out/tag-out provisions on al...
STK-REQ-008 stakeholder-requirements The Emergency Diesel Generator system SHALL support calibration and functional testing of all protection and control ins...
STK-REQ-009 stakeholder-requirements The Emergency Diesel Generator system SHALL provide diagnostic access to control system parameters and protection setpoi...
STK-REQ-010 stakeholder-requirements The Emergency Diesel Generator system SHALL demonstrate compliance with ONR Safety Assessment Principles (SAPs) for engi...
STK-REQ-011 stakeholder-requirements The Emergency Diesel Generator system SHALL maintain a deterministic safety case demonstrating that the EDG fulfils its ...
STK-REQ-012 stakeholder-requirements The Emergency Diesel Generator system SHALL achieve a start-on-demand reliability of at least 0.975 and a 24-hour missio...
STK-REQ-013 stakeholder-requirements The Emergency Diesel Generator system SHALL maintain complete qualification evidence, maintenance records, and modificat...
STK-REQ-014 stakeholder-requirements The Emergency Diesel Generator system SHALL accommodate OEM-specified maintenance regimes and accept qualified replaceme...
STK-REQ-015 stakeholder-requirements The Emergency Diesel Generator system SHALL prevent failure of backup power supply from contributing to an uncontrolled ...
STK-REQ-016 stakeholder-requirements The Emergency Diesel Generator system SHALL remain functional during and after a design basis earthquake of 0.2g peak gr...
STK-REQ-017 stakeholder-requirements The Emergency Diesel Generator system SHALL operate across the full ambient temperature range of -10°C to +40°C and with...
STK-REQ-018 stakeholder-requirements The Emergency Diesel Generator system SHALL not produce electromagnetic interference that could cause spurious actuation...
SUB-REQ-051 subsystem-requirements The Pre-Lube and Post-Lube Pump SHALL establish a minimum lubricating oil pressure of 1.5 bar at the engine main gallery...
SUB-REQ-052 subsystem-requirements The Engine-Driven Lube Oil Pump SHALL maintain engine main gallery oil pressure within 3.5 bar to 5.5 bar at rated engin...
SUB-REQ-053 subsystem-requirements The Lube Oil Cooler SHALL maintain engine lubricating oil outlet temperature within 80°C to 100°C at 100% rated engine l...
SUB-REQ-054 subsystem-requirements The Lube Oil Filter and Strainer SHALL maintain lubricating oil particle contamination downstream of the filter to ISO 4...
SUB-REQ-055 subsystem-requirements The Pre-Lube and Post-Lube Pump SHALL continue post-shutdown lubrication circulation for a minimum of 10 minutes followi...
SUB-REQ-056 subsystem-requirements When engine lubricating oil gallery pressure falls below 2.0 bar at any time during engine operation, the Engine Protect...
SUB-REQ-057 subsystem-requirements The Automatic Voltage Regulator SHALL maintain the Synchronous Generator terminal voltage within ±1% of 6.6kV in steady-...
SUB-REQ-058 subsystem-requirements The Automatic Voltage Regulator SHALL restore terminal voltage to within ±3% of 6.6kV within 1.5 seconds following a ste...
SUB-REQ-059 subsystem-requirements The Generator Neutral Earthing Unit SHALL limit the earth fault current at the generator terminals to not more than 5 am...
SUB-REQ-060 subsystem-requirements The Generator Cooling Fan SHALL start automatically upon engine rotation exceeding 50 rpm, maintain airflow through the ...
SUB-REQ-061 subsystem-requirements The Automatic Voltage Regulator SHALL be classified as Class 1E I&C equipment per IEC 60780 and IEEE Std 603, and SHALL ...
SYS-REQ-001 system-requirements The Emergency Diesel Generator SHALL start and reach rated voltage (6.6kV ±10%) and rated frequency (50Hz ±2%) within 10...
SYS-REQ-002 system-requirements The Emergency Diesel Generator SHALL automatically start upon detection of bus undervoltage below 5.94kV (90% of nominal...
SYS-REQ-003 system-requirements The Emergency Diesel Generator SHALL connect safety loads to the emergency bus via a priority-based load sequencer, with...
SYS-REQ-004 system-requirements The Emergency Diesel Generator SHALL achieve a start-on-demand reliability of not less than 0.975 per demand, demonstrat...
SYS-REQ-005 system-requirements The Emergency Diesel Generator SHALL sustain continuous operation at rated load for a minimum of 24 hours with a mission...
SYS-REQ-006 system-requirements The Emergency Diesel Generator SHALL maintain output voltage within 6.6kV ±10% and frequency within 50Hz ±2% under all l...
SYS-REQ-007 system-requirements The Emergency Diesel Generator installation SHALL comprise two independent, redundant trains (Train A and Train B) with ...
SYS-REQ-008 system-requirements The Emergency Diesel Generator fuel storage system SHALL hold a minimum 7-day fuel inventory at 100% rated load, with au...
SYS-REQ-009 system-requirements The Emergency Diesel Generator SHALL remain functional during and after a design basis earthquake of 0.2g peak ground ac...
SYS-REQ-010 system-requirements The Emergency Diesel Generator engine SHALL be protected by independent, hardwired trip circuits for overspeed (>115% ra...
SYS-REQ-011 system-requirements The Emergency Diesel Generator building SHALL incorporate automatic fire detection and suppression to extinguish diesel ...
SYS-REQ-012 system-requirements The Emergency Diesel Generator safety-related control and protection systems SHALL be isolated from non-safety networks,...
SYS-REQ-013 system-requirements The Emergency Diesel Generator SHALL support monthly surveillance testing via simulated LOOP signal initiation, a 2-hour...
SYS-REQ-014 system-requirements When one EDG train is inoperable, the remaining train SHALL be capable of supplying 100% of the safety-critical electric...
SYS-REQ-015 system-requirements The Emergency Diesel Generator system SHALL provide a diverse alternate AC power source connection point, capable of acc...
VER-REQ-028 verification-plan The Generator Circuit Breaker close-time acceptance test SHALL confirm GCB closure onto the 6.6 kV emergency bus within ...
VER-REQ-029 verification-plan The Generator Electrical Protection Relay Package functional test SHALL inject a simulated differential current exceedin...
VER-REQ-030 verification-plan The Generator Electrical Protection Relay Package trip circuit test SHALL confirm that a protection trip condition cause...
VER-REQ-031 verification-plan The EDG I&C Qualified I/O Module Assembly isolation qualification test SHALL apply 1.5 kV RMS AC voltage for 60 seconds ...
VER-REQ-047 verification-plan Verify IFC-REQ-022: Coolant Circulation Pump performance test at 25%, 50%, 75%, 100%, and 110% rated engine load. Pass c...
VER-REQ-048 verification-plan The Pre-Lube and Post-Lube Pump pre-lubrication functional test SHALL confirm that lubricating oil gallery pressure reac...
VER-REQ-049 verification-plan The Engine-Driven Lube Oil Pump pressure performance test SHALL confirm oil gallery pressure within 3.5 bar to 5.5 bar a...
VER-REQ-050 verification-plan The Post-Lube and post-shutdown oil circulation test SHALL confirm that oil gallery pressure remains above 0.8 bar for n...
VER-REQ-051 verification-plan The Automatic Voltage Regulator steady-state regulation acceptance test SHALL apply step loads at 25%, 50%, 75%, and 100...
VER-REQ-052 verification-plan The Automatic Voltage Regulator transient recovery test SHALL apply a block load step equivalent to the largest single l...
VER-REQ-053 verification-plan The Generator Neutral Earthing Unit design verification SHALL confirm by calculation per IEC 60034-3 that the resistor-l...
VER-REQ-054 verification-plan The Automatic Voltage Regulator Class 1E qualification inspection SHALL verify by review of the equipment qualification ...
VER-REQ-055 verification-plan Verify IFC-REQ-023: Pre-heat system functional test during AC blackout simulation. Procedure: disconnect normal AC suppl...
VER-REQ-056 verification-plan Verify IFC-REQ-024: Thermostatic valve response time and flow characteristic test. Apply 10°C step change from 72°C to 8...
VER-REQ-057 verification-plan Verify IFC-REQ-025: Engine Cooling to I&C signal interface inspection and functional test. Perform cable routing inspect...
VER-REQ-058 verification-plan Verify SUB-REQ-037 and SUB-REQ-039: Endurance test at 110% rated load, 35°C ambient, for 4 hours minimum. Pass criterion...
VER-REQ-059 verification-plan Verify IFC-REQ-026: Fuel Transfer Pump commissioning test. Simulate low Day Tank level (float switch activation), confir...
VER-REQ-060 verification-plan Verify IFC-REQ-027 and SUB-REQ-044: Fuel system endurance and temperature test. Run engine at 100% rated load for 2 hour...
VER-REQ-061 verification-plan Verify IFC-REQ-028 and SUB-REQ-047: Fuel filter differential pressure test. Introduce controlled particulate loading to ...