System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.
| Standard | Title |
|---|---|
| BS 5514 | Reciprocating internal combustion engines |
| BS EN 10255 | — |
| BS EN 1992-1-2 | Structural fire design |
| BS EN 50131 | — |
| BS EN 50160 | — |
| BS EN 50522 | — |
| BS EN 590 | — |
| BS EN 60034-1 | — |
| BS EN 61439-1 | — |
| BS EN 62271-100 | — |
| EN 590 | — |
| IEC 17065 | — |
| IEC 60034 | — |
| IEC 60034-1 | Rotating electrical machines |
| IEC 60034-3 | — |
| IEC 60038 | — |
| IEC 60255 | — |
| IEC 60255-151 | — |
| IEC 60255-181 | — |
| IEC 60381-1 | — |
| IEC 60664-1 | — |
| IEC 60709 | — |
| IEC 60751 | — |
| IEC 60770 | — |
| IEC 60780 | — |
| IEC 61000 | Electromagnetic compatibility |
| IEC 61000-4-2 | — |
| IEC 61000-4-4 | — |
| IEC 61000-4-5 | — |
| IEC 61000-6-2 | — |
| IEC 61000-6-7 | — |
| IEC 61010-1 | — |
| IEC 61226 | Nuclear power plants — Instrumentation and control functions important to safety |
| IEC 61326 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-2 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61511 | Functional safety — Safety instrumented systems for the process industry sector |
| IEC 61511-1 | Functional safety — Safety instrumented systems for the process industry sector |
| IEC 61513 | Nuclear power plants — Instrumentation and control important to safety |
| IEC 62138 | — |
| IEC 62443-3-3 | System security requirements and security levels |
| IEC 62645 | Nuclear power plants — Instrumentation and control systems — Requirements for security programmes for computer-based systems |
| IEEE 1188 | — |
| IEEE 308 | Class 1E electrical power systems |
| IEEE 344 | — |
| IEEE 450 | Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid Batteries |
| ISO 14694 | — |
| ISO 16889 | — |
| ISO 4064 | — |
| ISO 4165 | — |
| ISO 4406 | — |
| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| AVR | Automatic Voltage Regulator |
| CCCS | Completeness, Consistency, Correctness, Stability |
| DBE | Design Basis Earthquake |
| EA | Environment Agency |
| EARS | Easy Approach to Requirements Syntax |
| EUR | European Utility Requirements |
| FRS | Floor Response Spectra |
| GPR | Generator Protection Relay |
| IFC | Interface Requirements |
| LAIP | Local Alarm and Indication Panel |
| MGCB | Main Generator Circuit Breaker |
| PGA | Peak Ground Acceleration |
| PMG | Permanent Magnet Generator |
| PMT | Post Maintenance Test |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| UKAS | United Kingdom Accreditation Service |
| VER | Verification Plan |
| Stakeholder | Relationship | Hex Code |
|---|---|---|
| Control Room Operator | Primary operational interface, monitors EDG status and initiates manual controls | — |
| Shift Supervisor | LCO and emergency decisions, authorises maintenance | — |
| Mechanical Technician | Engine maintenance and repair | — |
| I&C Technician | Control and protection system maintenance | — |
| ONR | Regulatory approval and safety case assessment | — |
| Licensee | Ultimate safety responsibility for the nuclear site | — |
| EDG OEM | Technical support, spare parts, overhaul services | — |
| Local Community | Expects accident prevention and environmental protection | — |
| Category | Constraint |
|---|---|
| Seismic | Category I structure, 0.2g PGA design basis per EUR requirements |
| Environmental | −10 °C to +40 °C ambient, IP54 minimum, coastal atmosphere corrosion protection |
| EMC | IEC 61000-4 immunity, no spurious actuation from electromagnetic interference |
| Reliability | 0.975 start-on-demand probability, 0.999 24-hour mission reliability |
| Fuel | 7-day inventory at 100% load, EN 590 quality, diverse supply route |
| Timing | 10-second start-to-rated-voltage, 15-second full load acceptance |
| System | Interface | Hex Code |
|---|---|---|
| National Grid | LOOP detection signal, normal power source | — |
| Emergency AC Bus | 6.6kV AC power output to safety loads | — |
| Plant Protection System | Start/stop commands and status signals | — |
| Main Control Room | HMI data display and manual controls | — |
| Ultimate Heat Sink | Cooling water supply for engine and alternator | — |
| Fuel Supply | Diesel fuel from day tank and bulk storage | CE851018 |
| DC Battery System | 110V DC control power and engine starting | — |
| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| Failure to start on demand: Loss of standby power on LOOP | catastrophic | — | SIL 3 | Diverse backup power or reactor trip |
| Loss of output during operation: EDG trip while loaded | catastrophic | — | SIL 3 | Auto-transfer to alternate EDG |
| Engine overspeed: Uncontrolled speed above rated RPM | critical | — | — | Mechanical trip and fuel cutoff |
| Fire in EDG building: Fuel or lubricant ignition | critical | — | — | Fire suppression, alternate EDG |
| Fuel contamination/exhaustion: Degraded or depleted fuel supply | critical | — | — | Alternate tank, replenishment |
| Cooling system failure: Loss of engine cooling | critical | — | — | High-temp trip, alternate EDG |
| Common cause failure (both EDGs): Simultaneous loss of all diesel generators | catastrophic | — | SIL 4 | Diverse AC, DC batteries, passive cooling |
| Seismic damage: Earthquake exceeding design basis | critical | — | — | Post-seismic inspection |
| Spurious start/trip: Undemanded engine start or trip | major | — | — | Operator verification |
| Cyber attack: Malicious interference with control systems | catastrophic | — | SIL 3 | Air-gapped backup, hardwired trips |
```mermaid
flowchart TB
    n0["system<br>Emergency Diesel Generator for a UK Nuclear Licensed Site"]
    n1["actor<br>DC Battery System"]
    n2["actor<br>Emergency AC Bus"]
    n3["actor<br>Plant Protection System"]
    n4["actor<br>Main Control Room"]
    n5["actor<br>National Grid"]
    n6["actor<br>Ultimate Heat Sink"]
    n7["actor<br>Fuel Supply"]
    n3 -->|Start/stop command| n0
    n1 -->|110V DC control power| n0
    n0 -->|6.6kV Class 1E power| n2
    n0 -->|Status and alarms| n4
    n5 -->|LOOP detection signal| n0
    n7 -->|Diesel fuel| n0
    n6 -->|Cooling water| n0
```

Emergency Diesel Generator — System Context
| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Starting and Control Subsystem | Starting and Control - Internal Block | SIL 3 | complete |
| Electrical Protection and Switchgear Subsystem | Electrical Protection and Switchgear - Internal Block | SIL 3 | complete |
| Diesel Engine Subsystem | Diesel Engine - Internal Block | SIL 2 | complete |
| Alternator Subsystem | Alternator Subsystem — Internal Components | SIL 2 | complete |
| Fuel Oil System | Fuel Oil System — Internal Components | SIL 2 | complete |
| Cooling System | Cooling System — Internal Components | SIL 2 | complete |
| Monitoring and Instrumentation Subsystem | Monitoring and Instrumentation — Internal Components | SIL 2 | complete |
| Emergency Diesel Generator for a UK Nuclear Licensed Site | Emergency Diesel Generator — System Context | — | complete |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The site operator SHALL have access to qualified emergency AC standby power capable of supplying all safety-classified loads within 10 seconds of loss of normal grid power supply. Rationale: ONR Safety Assessment Principles (SAPs) require that nuclear licensed sites maintain diverse and redundant emergency power supplies to ensure safe shutdown functions can be performed following loss of offsite power (LOOP). The 10-second start requirement is derived from maximum permissible interruption time for Class 1E loads (pump motors, valve actuators) without loss of safety function. | Demonstration | stakeholder, sil-3, session-574, idempotency:stk-emergency-power-provision-574 |
| STK-REQ-002 | The site operator SHALL maintain continuous emergency power supply for a minimum of 7 days without external fuel resupply, to cover extended loss of offsite power scenarios including site isolation. Rationale: ONR SAPs specify that the EDG must sustain safety functions throughout design basis accident (DBA) sequences and beyond-design-basis events. 7-day autonomy is the UK nuclear industry standard derived from historical extended blackout scenarios and the time required for grid restoration or alternative fuel supply logistics. | Demonstration | stakeholder, sil-3, session-574, idempotency:stk-sustained-7day-operation-574 |
| STK-REQ-003 | The EDG system SHALL comply with ONR Safety Assessment Principles, IEC 61226 (Nuclear power plants — Instrumentation and control functions important to safety), IEC 61513, and IEEE 308 (Class 1E electrical power systems), as applied to UK nuclear licensed sites. Rationale: UK nuclear sites operate under the Nuclear Installations Act 1965 and ONR regulatory oversight. Non-compliance with applicable standards constitutes a licensing offence and directly endangers public safety. IEC 61226 classifies EDG functions as Category A (highest importance to safety). | Inspection | stakeholder, regulatory, session-574, idempotency:stk-regulatory-compliance-574 |
| STK-REQ-004 | The operations team SHALL be able to conduct full-load operational tests of the EDG at least monthly without interrupting the normal plant safety function, and without degrading EDG availability below site licence condition requirements. Rationale: ONR requires periodic surveillance testing to verify EDG operability. Monthly full-load tests are the UK nuclear industry standard per site licence conditions. The ability to test without degrading availability requires load test capability while the sister EDG (if applicable) remains available — this drives the requirement for test bus configuration. | Demonstration | stakeholder, maintainability, session-574, idempotency:stk-periodic-testing-574 |
| STK-REQ-005 | The site owner SHALL ensure the EDG can survive and remain operational following site design basis seismic events to Peak Ground Acceleration (PGA) not less than 0.25g, flooding to the maximum site design flood level of the highest recorded 1-in-10,000 year flood event, and design basis fire scenarios as classified under BS EN 1992-1-2 (Structural fire design), with EDG return to service within 72 hours of hazard event. Rationale: UK nuclear site safety cases (ONR guidance NS-TAST-GD-013) require Class 1E systems to survive and function after design basis external hazards. PGA 0.25g aligns with typical UK nuclear site seismic design basis; 72-hour return-to-service is the operator action window before battery DC supplies are exhausted. Specific numeric limits replace the original reference to 'site safety case' which is unverifiable without access to a site-specific document. | Inspection | stakeholder, sil-3, nuclear-safety, session-574, idempotency:stk-seismic-flood-fire-574 |
| STK-REQ-006 | The maintenance team SHALL be able to isolate, maintain, and return to service each EDG major subsystem independently, with planned maintenance intervals not exceeding 12 months for minor servicing and 5 years for major overhaul, without requiring specialised tools unavailable on site. Rationale: Site licence conditions and plant availability targets require that EDGs are maintainable within planned outage windows. 12-month minor and 5-year major intervals are standard for medium-speed diesels of this class. On-site tooling requirement is driven by nuclear site security constraints on external personnel and equipment access. | Inspection | stakeholder, maintainability, session-574, idempotency:stk-maintenance-access-574 |
| STK-REQ-007 | The site owner SHALL ensure that in the event of simultaneous loss of all EDG trains, the safety-classified DC battery system provides sufficient backup power to maintain reactor core cooling instrumentation and passive safety function initiation for a minimum of 8 hours without AC charging, in accordance with the site safety case and ONR Safety Assessment Principles (SAPs) requirements for diverse backup power. Rationale: The Station Blackout ConOps scenario (both EDGs lost due to common-cause failure) requires that a stakeholder-level requirement captures the diverse backup power mandate. Without this STK requirement, SYS-REQ-011 (CCF architecture) has no stakeholder-level derivation, leaving a gap in the top-down trace from stakeholder need to system architecture. ONR SAPs require site licensees to demonstrate that common-cause failure of primary emergency power does not preclude reactor safe state maintenance. | Demonstration | session-603, validation, station-blackout, sil-4, ccf, dc-battery, idempotency:stk-ccf-dc-battery-coping-603 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The EDG system SHALL reach rated voltage (415V ±6% or 11kV ±6%) and frequency (50Hz ±1%) and be ready to accept the first Class 1E load block within 10 seconds of receiving an automatic start demand signal. Rationale: Derived from STK-REQ-001. The 10-second limit is the maximum permissible power interruption for Class 1E safety loads (emergency coolant injection pumps, containment isolation valves) per IEC 61226 Category A. Voltage and frequency tolerances are per BS EN 50160 and IEC 60038 for nuclear plant auxiliary systems. Failure to meet this requirement means safety loads may not start following a LOOP event coincident with a design basis accident. | Test | system, sil-3, performance, session-574, idempotency:sys-start-time-10s-574 |
| SYS-REQ-002 | The EDG system SHALL sustain continuous rated output for a minimum of 168 hours (7 days) at rated load conditions without any external intervention, provided initial fuel storage is at the design fill level. Rationale: Derived from STK-REQ-002. 168 hours corresponds to 7-day operational autonomy. Value derived from analysis of maximum grid restoration time following major network failure scenarios and site isolation scenarios in the UK nuclear industry. Exceeding this limit would require manual fuel delivery under potentially degraded access conditions, creating a logistics risk to plant safety. | Test | system, sil-3, performance, session-574, idempotency:sys-sustained-168h-574 |
| SYS-REQ-003 | When a loss-of-offsite-power (LOOP) signal is received from the site electrical protection system, the EDG system SHALL initiate the automatic start sequence within 500 milliseconds without requiring operator action. Rationale: Derived from STK-REQ-001. The 500ms initiation window is the maximum allowable delay between LOOP detection and EDG crank initiation, derived by back-calculating from the 10-second load-ready requirement minus engine run-up time (8s) and voltage/frequency stabilisation time (1.5s). Operator action is excluded to ensure the system functions during control room evacuation scenarios. | Test | system, sil-3, auto-start, session-574, idempotency:sys-auto-start-loop-574 |
| SYS-REQ-004 | When a safety trip condition is detected (overspeed >110% rated, low lubricating oil pressure <2.5 bar, high coolant temperature >95°C, generator differential fault, or overcurrent >120% rated for >10 seconds), the EDG system SHALL execute a controlled shutdown within 5 seconds and latch the trip, preventing automatic restart until the fault is cleared and the EDG is manually reset. Rationale: Derived from STK-REQ-002 and ONR SAPs. Specific trip thresholds are per engine manufacturer limits and IEEE 308. Latched trip with manual reset is required to prevent automatic restart into a persistent fault, which could cause escalating damage (e.g., engine seizure from oil starvation) and reduce EDG availability for subsequent demand. The 5-second shutdown window protects engine mechanical integrity while allowing load transfer to occur on parallel safety systems. | Test | system, sil-3, safety, session-574, idempotency:sys-safety-trip-shutdown-574 |
| SYS-REQ-005 | The EDG system SHALL achieve a probability of failure on demand (PFD) not exceeding 1×10⁻³ per demand, assessed over a 12-month surveillance interval and calculated in accordance with IEC 61508 (Functional safety of E/E/PE safety-related systems) Part 6 simplified fault tree method. Rationale: Derived from STK-REQ-003. PFD ≤ 1×10⁻³ corresponds to SIL 3 allocation for a single channel per IEC 61508 (Functional safety of E/E/PE safety-related systems). This target is established in the nuclear site probabilistic safety assessment (PSA) as the required reliability for the emergency power function, based on overall plant risk limits. Failing to meet PFD means the EDG contributes unacceptably to core damage frequency. Verification by Analysis: the IEC 61508 Part 6 simplified fault tree method produces a PFD calculation report with MTBF inputs, proof test interval, and common-cause beta-factor for the dual-train EDG architecture. The analysis must demonstrate PFD ≤ 1×10⁻³ across the 12-month surveillance interval; if the fault tree result exceeds this, the surveillance interval must be shortened or component reliability improved. Inspection of a procedure document alone does not verify the PFD target — the analysis must be performed with actual component failure rate data from manufacturer datasheets and site historical records. | Analysis | system, sil-3, reliability, session-574, idempotency:sys-pfd-sil3-574, red-team-session-609, rt-resolved-session-611 |
| SYS-REQ-006 | The EDG system, including all associated fuel, cooling, and control equipment within the EDG building, SHALL remain operable following a safe shutdown earthquake (SSE) with peak ground acceleration as defined in the site seismic hazard assessment, and SHALL be demonstrated by seismic qualification analysis to IEEE 344 or equivalent ONR-accepted standard. Rationale: Derived from STK-REQ-005. Loss of the EDG during a seismic event — the scenario most likely to simultaneously cause LOOP and equipment damage — would eliminate emergency power at the point of maximum demand. IEEE 344 qualification analysis is the accepted method per UK nuclear industry practice and ONR guidance. Safe state: if the EDG fails to restart following an SSE (verified by the post-seismic start attempt within 60 seconds per SYS-REQ-001), the safe state is maintained by the diverse backup systems identified in SYS-REQ-011 (DC battery system with ≥8-hour coping time, and passive decay heat removal). The EDG failure following SSE SHALL be annunciated in the main control room within 30 seconds via the unavailability signal, triggering the operator to activate the backup power strategy per site emergency operating procedure. The qualification analysis must confirm that seismic-induced failure modes do not cause the EDG to energise the safety bus incorrectly (wrong voltage/frequency), which would be a worse failure than simply remaining unavailable. | Inspection | system, sil-3, seismic, session-574, idempotency:sys-seismic-qualification-574, red-team-session-609, rt-resolved-session-611 |
| SYS-REQ-007 | The EDG system SHALL accept safety loads in a controlled sequence, with individual load blocks applied at intervals not less than 2 seconds, such that total voltage dip during any single load application does not exceed 15% of rated voltage and frequency deviation does not exceed 3 Hz, with full recovery to within tolerance within 3 seconds. Rationale: Derived from SYS-REQ-001. Large motor inrush currents from simultaneous load application can cause generator voltage collapse. The 15% voltage dip limit and 3 Hz frequency limit are the maximum tolerable by Class 1E motor starters and associated contactors per IEEE 308. Sequential loading at 2-second intervals ensures the engine governor and AVR stabilise between steps. | Test | system, performance, session-574, idempotency:sys-load-sequencing-574 |
| SYS-REQ-008 | The EDG system control and protection electronics SHALL operate without degradation in the electromagnetic environment of the EDG building, including transients generated by the EDG itself, and SHALL comply with BS EN IEC 61000 (Electromagnetic compatibility) applicable parts for industrial environments. Rationale: Derived from STK-REQ-003. EDG buildings contain large rotating machinery generating significant EMI. Control and protection circuits that malfunction due to EMI can cause spurious trips or failure to start — both are safety-significant. BS EN IEC 61000 compliance is mandatory for Class 1E electronic equipment on UK nuclear sites. | Test | system, emc, session-574, idempotency:sys-emc-compliance-574 |
| SYS-REQ-009 | The EDG system SHALL support full-rated-load operational testing without interruption to normal plant safety functions, with a test duration of at least 30 minutes, and SHALL return to hot standby status within 10 minutes of test completion. Rationale: Derived from STK-REQ-004. 30-minute load test duration is the minimum specified in site licence conditions to verify EDG thermal performance and governor stability under sustained load. 10-minute return-to-standby is the maximum duration for the EDG to be unavailable after testing, per site Technical Specifications. | Demonstration | system, maintainability, session-574, idempotency:sys-load-test-support-574 |
| SYS-REQ-010 | The EDG system SHALL be maintainable with planned minor service intervals of 12 months maximum and major overhaul intervals of 5 years maximum, using only tools and spare parts held within the site stores, without requiring specialised tooling not permanently available on site. Rationale: Derived from STK-REQ-006. 12-month minor and 5-year major intervals align with medium-speed diesel manufacturer recommendations and site outage planning constraints. On-site tooling requirement flows from nuclear site security constraints on external contractor access during security-heightened states. | Inspection | system, maintainability, session-574, idempotency:sys-maintainability-tooling-574 |
| SYS-REQ-011 | The EDG system architecture SHALL ensure that a common-cause failure of both EDG trains does not prevent reactor core cooling, with diverse and independent backup systems (separate AC supply train, DC battery system with minimum 8-hour coping time, and passive decay heat removal) capable of maintaining reactor safe state without EDG power, in accordance with the site safety case and IEC 61508-2 (Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 2: Requirements for E/E/PE safety-related systems) SIL-4 architectural constraints (HFT=1, minimum hardware fault tolerance). Rationale: Hazard H-006 (Common-cause failure of both EDGs) is classified SIL-4 at the plant level because the EDG system provides two of the four redundant power channels required by the site safety case; loss of both EDGs simultaneously removes two channels, creating a plant-level SIL-4 risk scenario. IEC 61508-2 (Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 2: Requirements for E/E/PE safety-related systems) SIL-4 architectural constraint HFT=1 applies to the overall emergency AC power function, NOT to the EDG subsystems individually — each EDG channel is SIL-3 per SYS-REQ-005, but together they must satisfy the HFT=1 constraint at the plant level. The SIL gap addressed by this requirement: no prior SYS requirement established that the EDG architecture must be designed to ENABLE diverse fallback — only to perform its own function. Safe state for the CCF scenario: reactor in cold shutdown, core cooled by passive decay heat removal (natural circulation) and DC battery-backed instrumentation maintaining monitoring for ≥8 hours. The diverse AC backup (separate AC supply train with separate fuel and cabling routes) must be demonstrated independent from both EDG trains to prevent common-cause vulnerability from propagating to the backup. Verification: safety case analysis demonstrating diversity and independence per IEC 61508-2 Table A.15 (avoidance of dependent failures). | Inspection | session-596, validation, sil-4, ccf, station-blackout, safety, idempotency:sys-ccf-sil4-architecture-596, red-team-session-609, rt-resolved-session-611 |
| SYS-REQ-012 | When one or more EDG subsystems experience a fault that does not trigger a safety trip, the EDG system SHALL continue to operate in degraded mode, maintaining a minimum electrical output of 60% rated power and frequency stability within 50Hz ±2% for a minimum of 2 hours, while annunciating the degraded condition to the control room. Rationale: Derived from H-002 (Loss of output during operation) and H-003 (Engine overspeed) hazards: subsystem faults that are non-trip-inducing must not cause total loss of EDG function. The 60% minimum output threshold is derived from the minimum safety load demand during cold shutdown; 2-hour duration aligns with operator action time to transfer to alternate EDG or mobile generator. Annunciation requirement ensures control room awareness within the LOOP response scenario. | Test | session-598, validation, degraded-mode, sil-2, idempotency:sys-degraded-mode-598-replacement |
| SYS-REQ-014 | When offsite power is restored and the Class 1E bus is transferred to normal supply, the EDG system SHALL enter a controlled cooldown period of not less than 5 minutes at no-load (≤10% rated) before stopping the engine, maintaining coolant temperature below 80°C and lubricant circulation active throughout, to prevent thermal shock to the engine block and turbocharger bearings. Rationale: ConOps Cooldown Shutdown scenario: no SYS requirement existed for the post-LOOP cooldown transition. IEC 60034-1 (Rotating electrical machines) and engine manufacturer specifications require a minimum no-load cooldown run before stopping a loaded diesel engine; thermal shock from immediate hot-stop can cause cracking of the engine block, cylinder head distortion, and turbocharger bearing seizure — all of which degrade EDG availability for the next demand. The 5-minute minimum and 80°C limit are derived from CEGB/EDF diesel engine maintenance standards for nuclear standby plant. | Test | session-604, validation, cooldown-shutdown, mode-coverage, sil-2, idempotency:sys-cooldown-shutdown-mode-604 |
| SYS-REQ-015 | When a single EDG train fails to start or trips during an active Loss-of-Offsite-Power event, the Class 1E safety bus served by the failed train SHALL maintain safety-classified DC loads from the Class 1E battery system for a minimum of 8 hours, until a diverse AC source (gas turbine or mobile generator) is available and can be connected to the affected bus. Rationale: H-001 (Failure to start, SIL-3) and H-002 (Loss of output, SIL-3) safe states require diverse backup power. In the two-train architecture, a single-train failure leaves the affected Class 1E bus without AC; the 8-hour DC coping window (from STK-REQ-007) must explicitly apply. Verification method changed from Analysis to Test: the 8-hour coping duration is verifiable by IEEE 450 (Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid Batteries) battery capacity test — discharge battery under rated load profile, measure actual Ah capacity, then demonstrate analytically using measured (not design) capacity that 8-hour autonomy is achieved. This hybrid test+analysis method constitutes Test verification per IEC 61508 because the critical capacity value comes from direct measurement. | Test | session-605, validation, sil-3, station-blackout, single-train-failure, idempotency:sys-single-train-dc-coping-605 |
| SYS-REQ-016 | The EDG control and protection system (Automatic Load Controller, Engine Control Panel, Protective Trip Logic Unit, and Isochronous Governor System) SHALL be physically isolated from all corporate, site-wide, and external communications networks. All control interfaces SHALL be hardwired point-to-point connections with no software-configurable network addresses. Remote monitoring outputs SHALL be unidirectional (one-way data diode) and SHALL NOT accept inbound commands or configuration changes during operation. Rationale: H-010 (Cyber attack, SIL-3 per ONR cybersecurity guidance for Category A safety systems) requires the safe state to be maintained by air-gapped backup and hardwired trips. SYS-REQ-004 establishes the hardwired trip principle but does not explicitly prohibit network connectivity of the control system. This requirement closes the gap: a networked EDG controller at a UK nuclear licensed site would require ONR agreement as a Category A cyber security change, and the standard mitigation is physical isolation. Safe state for detected breach attempt: if the Remote Monitoring Gateway detects an inbound command attempt or any bidirectional traffic on the data diode output, the gateway SHALL (a) generate a Cyber Security Alert in the main control room within 5 seconds, and (b) maintain the EDG in its current operational state without any modification to protection setpoints or control parameters — the safe state is operational continuation with alerting, NOT automatic trip, to prevent adversary-induced spurious shutdowns. The inspection method verifies design documentation, cable schedule, and network diagram confirming no IP-connected interfaces; additionally, a penetration test of the monitoring interface data diode SHALL be conducted at commissioning to confirm unidirectional enforcement (IEC 62645 (Nuclear power plants — Instrumentation and control systems — Requirements for security programmes for computer-based systems) baseline). | Inspection | session-605, validation, sil-3, cyber, h-010, idempotency:sys-cyber-isolation-605, red-team-session-609, rt-resolved-session-611 |
| SYS-REQ-017 | When the fault condition causing Degraded Operation mode is cleared or isolated, the EDG system SHALL restore full rated output power and return to normal operating parameters (voltage 415V ±6%, frequency 50Hz ±1%) within 60 seconds, following operator acknowledgement of fault clearance from the Engine Control Panel, without requiring engine shutdown and restart. Rationale: The Degraded Operation mode (SYS-REQ-012) specifies entry conditions and minimum performance floor (60% rated, 50Hz ±2%, 2-hour minimum). However, no requirement defines the exit condition — what happens when the fault is cleared. In the scenario 'EDG Trip During Extended LOOP', the cooling fan belt failure causes high-temp trip; if the fault were recoverable (e.g., subsystem fault that clears), the operator needs the EDG to restore full output without restarting. Without an exit requirement, the Degraded Operation mode is a dead-end: once entered, no defined path back to normal. This requirement closes the mode transition gap identified in validation session 606. | Test | session-606, validation, degraded-mode, mode-transition, sil-2, idempotency:sys-degraded-exit-recovery-606 |
| SYS-REQ-018 | When one or more EDG subsystems experience a fault that does not trigger a safety trip, the EDG system SHALL continue to operate in degraded mode, maintaining a minimum electrical output of 60% rated power and frequency stability within 50Hz ±2% for a minimum of 2 hours, while annunciating the degraded condition to the control room. Rationale: Derived from STK-REQ-002 (7-day continuous operation) and the Degraded Operation mode in the ConOps. Quantified minimum performance of 60% rated power provides sufficient margin to supply priority safety loads while excluding non-essential loads. The 2-hour minimum provides time for operator diagnosis and load transfer to alternate EDG. The 2% frequency tolerance is relaxed from normal 1% but within acceptable tolerance of Class 1E equipment. | Test | session-613, tech-author, idempotency:sys-degraded-mode-613 |
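The one-way monitoring path that SYS-REQ-016 specifies (and that SUB-REQ-034 in the subsystem table restates for the Remote Monitoring Gateway), simulated as an added example; this is not code from the report or from any vendor. The frame vocabulary, the `Gateway` class and the 50 ms processing delay are assumptions made for the illustration.

```python
"""One-way Remote Monitoring Gateway behaviour per SYS-REQ-016 / SUB-REQ-034.

Added illustration, not code from the report or from any vendor. The frame
vocabulary, the Gateway class and the 50 ms processing delay are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Direction(Enum):
    OUTBOUND = "outbound"   # protection circuits -> control room I&C network (permitted)
    INBOUND = "inbound"     # control room -> protection circuits (never acted on)


@dataclass(frozen=True)
class Frame:
    direction: Direction
    kind: str           # assumed vocabulary: "telemetry", "write", "command", ...
    payload: dict
    t_seconds: float    # arrival time on the gateway clock (constructed)


@dataclass(frozen=True)
class Alert:
    text: str
    raised_at: float    # gateway clock time the alert reaches the main control room
    latency_s: float    # arrival-to-alert delay, checked against the 5 s budget


ALERT_BUDGET_S = 5.0          # SYS-REQ-016 (a): alert within 5 seconds
PROCESSING_DELAY_S = 0.05     # assumed gateway processing time


@dataclass
class Gateway:
    # Protection setpoints from SUB-REQ-031; the monitoring path must never alter them.
    setpoints: dict = field(default_factory=lambda: {
        "lube_oil_pressure_min_bar": 2.5,
        "coolant_temp_max_c": 95.0,
        "overspeed_rpm": 1650.0,
        "vibration_max_mm_s": 18.0,
    })
    edg_state: str = "running"   # SYS-REQ-016 (b): stays as-is, no automatic trip
    forwarded: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def handle(self, frame: Frame) -> tuple:
        """Process one frame; returns (forwarded, acknowledged).

        The second element is always False: the gateway never emits an
        acknowledgement, so the interface gives no feedback that a write or
        command was received (SUB-REQ-034)."""
        if frame.direction is Direction.OUTBOUND and frame.kind == "telemetry":
            self.forwarded.append(frame.payload)
            return True, False
        # Anything else is inbound or bidirectional traffic: drop it, alert,
        # and leave setpoints and operational state untouched.
        self.alerts.append(Alert(
            text=f"Cyber Security Alert: {frame.direction.value} {frame.kind} frame rejected",
            raised_at=frame.t_seconds + PROCESSING_DELAY_S,
            latency_s=PROCESSING_DELAY_S,
        ))
        return False, False

    def alerts_within_budget(self) -> bool:
        """True when every alert met the SYS-REQ-016 5-second deadline."""
        return all(a.latency_s <= ALERT_BUDGET_S for a in self.alerts)


def run_scenario() -> Gateway:
    """Constructed traffic: legitimate telemetry, then a setpoint write and a
    trip command pushed back through the monitoring interface."""
    gw = Gateway()
    for frame in (
        Frame(Direction.OUTBOUND, "telemetry",
              {"lube_oil_pressure_bar": 4.1, "coolant_temp_c": 84.0}, 0.0),
        Frame(Direction.INBOUND, "write",
              {"setpoint": "coolant_temp_max_c", "value": 120.0}, 1.2),
        Frame(Direction.INBOUND, "command", {"action": "trip"}, 1.3),
    ):
        gw.handle(frame)
    return gw


if __name__ == "__main__":
    gw = run_scenario()
    print(f"forwarded={len(gw.forwarded)} alerts={len(gw.alerts)} "
          f"state={gw.edg_state} setpoints={gw.setpoints}")
```

The inbound "trip" command is the case the requirement singles out: it produces an alert, not a shutdown, so a spoofed command cannot be used to cause a spurious trip through the monitoring path.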
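The 1oo2D voting with per-channel diagnostics that SUB-REQ-030, SUB-REQ-031 and SUB-REQ-033 in the subsystem table describe, as an added example that is not the report's or any vendor's logic. The measurement spans and trip thresholds are the page's; the 3.6 mA / 21.0 mA loop-fault bands are assumptions.

```python
"""1oo2D trip voting over dual-channel 4-20 mA sensors (SUB-REQ-030/031/033).

Added illustration, not the report's or a vendor's logic. The loop-fault
bands below are assumptions (NAMUR-style), not values stated in the report.
"""
from dataclasses import dataclass

MA_OPEN_CIRCUIT = 3.6        # assumption: below this the loop is open
MA_SHORT_TO_SUPPLY = 21.0    # assumption: above this the loop is shorted to supply

# Measurement spans from SUB-REQ-030 and trip thresholds from SUB-REQ-031.
# Engine speed is omitted: it comes from the magnetic pick-up, not a 4-20 mA loop.
PARAMS = {
    "lube_oil_pressure_bar": {"span": (0.0, 10.0), "trip": ("low", 2.5)},
    "coolant_temp_c": {"span": (0.0, 120.0), "trip": ("high", 95.0)},
    "vibration_mm_s": {"span": (0.0, 25.0), "trip": ("high", 18.0)},
}


def ma_to_eng(ma: float, span: tuple) -> float:
    """Linear 4-20 mA scaling onto the engineering span."""
    lo, hi = span
    return lo + (ma - 4.0) / 16.0 * (hi - lo)


def channel_status(ma: float) -> tuple:
    """Classify one loop current as healthy or as a SUB-REQ-033 fault class."""
    if ma < MA_OPEN_CIRCUIT:
        return False, "open-circuit"
    if ma > MA_SHORT_TO_SUPPLY:
        return False, "short-to-supply"
    if ma < 4.0 or ma > 20.0:
        return False, "out-of-range"
    return True, ""


def demands_trip(value: float, trip: tuple) -> bool:
    kind, limit = trip
    return value < limit if kind == "low" else value > limit


@dataclass(frozen=True)
class Decision:
    trip: bool
    mode: str          # "1oo2D", "1oo1-degraded" or "fail-safe-trip"
    faults: tuple      # channel-fault alarms for the Local Alarm and Indication Panel


def vote_1oo2d(param: str, ma_a: float, ma_b: float) -> Decision:
    """Any healthy channel demanding a trip trips (1oo2). A channel flagged by
    diagnostics is excluded rather than trusted (the D), so one failed sensor
    neither trips spuriously nor masks a genuine demand on the other channel."""
    cfg = PARAMS[param]
    statuses = {"A": channel_status(ma_a), "B": channel_status(ma_b)}
    faults = tuple(f"{param}/{ch}: {why}" for ch, (ok, why) in statuses.items() if not ok)
    healthy = [ma for ma, ch in ((ma_a, "A"), (ma_b, "B")) if statuses[ch][0]]
    if not healthy:
        # Both channels lost: protection is blind, so de-energise-to-trip.
        return Decision(True, "fail-safe-trip", faults)
    mode = "1oo2D" if len(healthy) == 2 else "1oo1-degraded"
    trip = any(demands_trip(ma_to_eng(ma, cfg["span"]), cfg["trip"]) for ma in healthy)
    return Decision(trip, mode, faults)


def scan(readings: dict) -> dict:
    """Evaluate every parameter; returns per-parameter decisions, the overall
    trip demand and the channel-fault alarms to annunciate."""
    decisions = {p: vote_1oo2d(p, a, b) for p, (a, b) in readings.items()}
    alarms = [f for d in decisions.values() for f in d.faults]
    return {"trip": any(d.trip for d in decisions.values()),
            "alarms": alarms, "decisions": decisions}


if __name__ == "__main__":
    # Constructed readings: lube oil healthy on both channels; coolant channel A
    # shorted to supply (it would read above 120 C if trusted); vibration normal.
    sample = {
        "lube_oil_pressure_bar": (10.6, 10.4),
        "coolant_temp_c": (22.4, 15.2),
        "vibration_mm_s": (8.0, 8.2),
    }
    print(scan(sample))
```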

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Automatic Load Controller SHALL detect a loss-of-offsite-power condition and generate a start demand signal to the Engine Control Panel within 200 milliseconds of bus voltage falling below 80% of rated voltage (332V on a 415V system) or bus frequency falling below 48 Hz. Rationale: Derived from SYS-REQ-003 (500ms total initiation budget). The 200ms detection budget is allocated from the 500ms total ALC initiation window, leaving 300ms margin for signal transmission and ECP processing. The 80% voltage threshold prevents spurious starts from transient voltage dips (motor starting) while capturing genuine LOOP events. 48 Hz frequency threshold detects loss of grid synchronisation before voltage collapse. | Test | subsystem, starting-control, sil-3, session-574, idempotency:sub-alc-loop-detection-574 |
| SUB-REQ-002 | The Compressed Air Starting System SHALL maintain a minimum stored compressed air capacity equivalent to 3 complete cranking attempts, each of 15-second duration at ≥1.8 MPa initial manifold pressure, without activation of the recharge compressor between attempts. Rationale: Starting air volume and pressure must be specified so that receiver sizing can be verified by calculation and confirmed by test. '≥1.8 MPa' is derived from the minimum cranking pressure required by the OEM to achieve the minimum cranking RPM for cold starting per BS 5514 (Reciprocating internal combustion engines) starting requirements. The 3-attempt criterion aligns with nuclear site single-train availability requirements. | Test | subsystem, starting-control, sil-3, session-574, idempotency:sub-cass-3-attempts-574, superseded-by-session-595 |
| SUB-REQ-003 | The Isochronous Governor System SHALL maintain engine speed within ±0.5% of 1500 RPM (±7.5 RPM) under steady-state loading conditions from no-load to full-rated load, and SHALL recover to within ±1% of rated speed within 3 seconds of a step load change up to 50% of rated power. Rationale: Derived from SYS-REQ-001 (frequency tolerance ±1 Hz on 50 Hz system). ±0.5% steady-state corresponds to ±0.25 Hz, providing 4× margin to the system-level ±1 Hz tolerance. The 3-second recovery window is based on Class 1E motor restart sequence timing — motors must not be exposed to sustained frequency deviation exceeding 2 Hz. Step load 50% rated covers the largest expected single load block in the sequential load acceptance sequence. | Test | subsystem, starting-control, sil-2, session-574, idempotency:sub-gov-frequency-regulation-574 |
| SUB-REQ-004 | The Engine Control Panel SHALL initiate an engine shutdown within 500 milliseconds of engine speed exceeding 110% of rated speed (1650 RPM), via a hardwired independent magnetic pick-up trip circuit that is separate from and independent of the Isochronous Governor System. Rationale: Derived from SYS-REQ-004 (safety trip within 5 seconds). The ECP overspeed trip is independent of the governor (which normally prevents overspeed) per IEC 61226 diversity and independence requirements. 500ms trip time is the maximum allowable before mechanical damage to the engine and alternator begins at 110% overspeed. Hardwired implementation ensures the trip functions even if the governor ECU fails in a demanding state. | Test | subsystem, starting-control, sil-3, safety, session-574, idempotency:sub-ecp-overspeed-trip-574 |
| SUB-REQ-005 | When 3 consecutive start attempts have failed to reach rated speed within the allotted cranking time, the Starting and Control Subsystem SHALL latch in a failed-to-start state, inhibit further automatic start attempts, and assert a failed-to-start alarm to the main control room within 45 seconds of the original start demand. Rationale: Derived from SYS-REQ-004 (safe state on failure). Continued cranking after 3 failed attempts depletes air receiver pressure below reliable start capability and risks battery drain. The 45-second timeline is derived from 3 × 15-second attempts. Manual reset by the operator is required before re-attempt, ensuring a human decision point before further cranking — this is the safe state for the start failure scenario per the EDG hazard register. | Test | subsystem, starting-control, sil-3, safe-state, session-574, idempotency:sub-snc-failed-to-start-safe-state-574 |
| SUB-REQ-006 | The Automatic Load Controller SHALL implement a dual-channel voting architecture (2oo2 for start demand) such that a single hardware or software failure in one channel does not prevent start demand generation, and a failure that causes spurious start demand in one channel does not cause EDG start unless both channels independently confirm the LOOP condition. Rationale: Derived from SYS-REQ-005 (PFD ≤ 1×10⁻³). A dual-channel 2oo2 architecture for start demand simultaneously reduces spurious start rate (requiring both channels to fail) and meets SIL 3 diagnostic coverage requirements per IEC 61508. Single-channel design would require component PFD ≤ 1×10⁻³ which is achievable but does not meet the diversity requirement of IEC 61226 for Category A functions in nuclear applications. | Test | subsystem, starting-control, sil-3, redundancy, session-574, idempotency:sub-alc-dual-channel-574 |
| SUB-REQ-007 | The Automatic Load Controller SHALL provide a hardwired inhibit input that, when activated by a key-operated switch at the local control panel, prevents automatic start demand generation and latches the inhibit state until the key switch is returned to the normal position, with local and remote indication of the inhibit state. Rationale: Lint finding: ALC is functionally autonomous without an identified override mechanism. The inhibit function is required for planned maintenance of the EDG when the site can accept a period of reduced emergency power availability (e.g., when sister EDG is available). Key-operated switch prevents inadvertent inhibit activation. Hardwired implementation ensures inhibit works regardless of ALC software state. Required by ONR SAPs for maintainability without loss of control. | Test | subsystem, starting-control, sil-3, override, session-574, idempotency:sub-alc-inhibit-override-574 |
| SUB-REQ-008 | The Isochronous Governor System SHALL provide a manual speed trim input allowing the operator to adjust output frequency between 49 Hz and 51 Hz in 0.1 Hz increments from the local control panel, without requiring power interruption or ECU software modification, and this trim function SHALL be overridden and set to 50 Hz target automatically upon receipt of a synchronise command. Rationale: Lint finding: Governor is functionally autonomous without an identified operator override mechanism. Manual speed trim is required during synchronising operations (connecting EDG to live bus requires matching frequency within ±0.2 Hz) and during load sharing tests. Automatic return to 50 Hz setpoint on synchronise command prevents operator error from leaving a biased setpoint after test completion. | Demonstration | subsystem, starting-control, sil-2, override, session-574, idempotency:sub-gov-manual-trim-574 |
| SUB-REQ-009 | The Generator Protection Relay SHALL detect an internal generator winding fault (87G differential protection) and issue a trip signal to the Main Generator Circuit Breaker within 80 milliseconds of fault inception, under all load conditions from no-load to 110% rated. Rationale: 80ms trip time is derived from the maximum fault energy that the generator windings can absorb before insulation damage, per IEC 60034-1 (Rotating electrical machines) thermal withstand curve for 11kV class insulation. Failure to trip within this window risks winding burnout and renders the generator irreparable, eliminating the emergency power function. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-gpr-differential-trip-time-575 |
| SUB-REQ-010 | The Generator Protection Relay SHALL provide time-delayed overcurrent protection (51/51N) with a definite minimum time characteristic, coordinated with the downstream protection scheme to isolate generator faults within 500 milliseconds for faults at the generator terminals and within 200 milliseconds for sustained through-faults exceeding 200% rated current. Rationale: Overcurrent coordination timings are derived from the protection grading study required by BS EN 50522 (Earthing of power installations exceeding 1kV a.c.) and ONR protection philosophy. 500ms terminal fault clearance prevents overheating of stator windings; 200ms threshold for severe faults prevents damage propagation to connected safety loads. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-gpr-overcurrent-protection-575 |
| SUB-REQ-011 | The Main Generator Circuit Breaker SHALL interrupt fault currents up to the rated short-circuit breaking capacity of the switchgear assembly (minimum 31.5kA symmetrical for 11kV installations, minimum 50kA for 415V installations) within one cycle (20ms) of receiving a trip signal, without restrike or flashover. Rationale: Short-circuit breaking capacity must exceed the prospective fault level at the generator terminals, calculated from the subtransient reactance of the alternator. Failure to interrupt within one cycle allows fault energy to propagate to the safety bus and damage connected load circuits, potentially disabling multiple safety systems simultaneously. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-mgcb-fault-interruption-575 |
| SUB-REQ-012 | The Safety Bus Transfer Contactor SHALL complete transfer of the nuclear safety bus from the normal offsite supply to the EDG supply within 150 milliseconds of receiving the bus transfer command from the Automatic Load Controller, confirmed by position feedback to the Engine Control Panel. Rationale: 150ms transfer window is derived from the maximum interruption time that safety-classified motors (cooling pumps, feedwater pumps) can sustain without coastdown below restart threshold. Transfer beyond 150ms risks motor stall and requires manual restart sequences, delaying safety function availability beyond the 10-second LOOP-to-rated-voltage timeline in SYS-REQ-001. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-sbtc-automatic-transfer-575 |
| SUB-REQ-013 | The Safety Bus Transfer Contactor SHALL incorporate a hardwired mechanical and electrical interlock with the Main Generator Circuit Breaker that prevents simultaneous closure of both devices, with the interlock effective within 10 milliseconds of either device receiving a close command. Rationale: Anti-paralleling interlock prevents the EDG from being connected in parallel with the grid without synchronisation, which would expose the alternator to out-of-phase fault currents capable of shaft torque transients exceeding 3× rated torque, risking catastrophic mechanical failure. Hardwired interlock is required (not software-only) because software interlocks are insufficient for SIL 3 protection per IEC 61508. | Test | subsystem, electrical-protection-and-switchgear, sil-3, session-575, idempotency:sub-sbtc-anti-paralleling-interlock-575 |
| SUB-REQ-014 | The Voltage Sensing and Monitoring Unit SHALL implement dual-channel redundant voltage measurement on both the generator output and safety bus, with the two channels processed independently, and a discrepancy greater than ±5% nominal voltage between channels SHALL generate an alarm to the Engine Control Panel within 2 seconds. Rationale: Dual-channel measurement is required to achieve SIL 2 for the LOOP detection function per IEC 61508 architecture requirements (hardware fault tolerance HFT=1). The ±5% discrepancy threshold ensures failed or drifting sensors are detected before they can cause spurious trips or missed LOOP detection; 2-second alarm latency is consistent with operator response time requirements in ONR Safety Assessment Principles. | Test | subsystem, electrical-protection-and-switchgear, sil-2, session-575, idempotency:sub-vsmu-dual-channel-redundancy-575 |
| SUB-REQ-015 | When the Generator Protection Relay detects an internal self-test failure or watchdog timeout, the relay SHALL output a fail-safe trip signal to the Main Generator Circuit Breaker within 500 milliseconds and assert a relay-failed alarm to the Engine Control Panel, de-energising the generator output as the safe state. Rationale: Fail-safe trip on relay internal failure implements the safe state for Hazard H-EPS-001 (protection relay failure leaving generator unprotected). IEC 61508 requires that SIL 3 devices fail to the safe state on detected internal failures. De-energising the generator output is the correct safe state because an unprotected generator connected to the safety bus presents a greater risk than loss of EDG power supply. | Test | subsystem, electrical-protection-and-switchgear, sil-3, safety-critical, session-575, idempotency:sub-gpr-safe-state-self-test-failure-575 |
| SUB-REQ-016 | The Isochronous Governor System SHALL incorporate a hardware watchdog with a timeout of not more than 100 milliseconds; upon watchdog expiry the governor control output SHALL default to a fuel-off (0% rack position) state, causing the diesel engine to shut down and preventing uncontrolled engine runaway. Rationale: The isochronous governor operates autonomously on a closed-loop speed control algorithm without continuous human input. Per IEC 61508 (Functional safety of E/E/PE safety-related systems), a Functionally Autonomous system in a SIL 3 application requires a fail-safe state reachable independently of the control algorithm. Without a watchdog-enforced fail-safe, a governor CPU lockup could result in uncontrolled engine over-speed, which is Hazard H-003 (uncontrolled overspeed) in the EDG hazard register. The 100ms watchdog timeout bounds the worst-case exposure time before the safe state is reached. | Test | session-576, qc, governor, safety, watchdog, failsafe, idempotency:edg-sub-governor-watchdog-failsafe-session576 |
| SUB-REQ-017 | The Engine Block and Rotating Assembly SHALL accelerate the Alternator Subsystem rotor from standstill to 1500 RPM (50Hz ±1%) within 10 seconds of start initiation under no-load conditions, maintaining gross shaft torque ≥10% above the minimum torque calculated for the rated acceleration profile. Rationale: The 10-second start criterion is the primary measurable requirement; the ≥10% torque margin ensures the mechanical system has design headroom over the minimum acceleration torque, derived from BS 5514 and OEM data for this engine class. Eliminating 'sufficient' makes the requirement testable by recording speed vs. time and independently verifiable by OEM torque-curve analysis. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-engine-block-shaft-output-578, superseded-by-session-595 |
| SUB-REQ-018 | The Diesel Engine Subsystem SHALL sustain continuous rated shaft power output for a minimum of 168 hours without requiring engine shutdown, provided the Fuel Oil System, Cooling System, and Lubrication and Bearing System remain within specified operating limits. Rationale: 168-hour (7-day) endurance derives from SYS-REQ-002's requirement for continuous operation under prolonged station blackout. Nuclear site safety cases require fuel oil storage and engine endurance to be matched; the engine itself must be capable of the full duration without internal inspection or minor service, as defined by SYS-REQ-010's 12-month service interval. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-engine-sustained-168h-578 |
| SUB-REQ-019 | The Lubrication and Bearing System SHALL initiate an engine shutdown signal to the Engine Control Panel within 1.5 seconds when lubricating oil pressure falls below 2.0 bar at any engine speed above idle. Rationale: Low oil pressure at 2.0 bar trip setpoint protects main bearings from seizure; the 1.5-second response time allows the engine protection relay to act before bearing damage occurs at operating speed. Derives from SYS-REQ-004 low lubricating oil pressure trip condition. SIL-2 applies: the hardwired trip path must be independent of the governor control channel. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-lube-pressure-trip-578 |
| SUB-REQ-020 | The Engine Block and Rotating Assembly SHALL incorporate a centrifugal mechanical overspeed trip device that physically disengages the fuel rack and removes fuel supply at any engine speed exceeding 1650 RPM, operating independently of all electronic control systems. Rationale: Mechanical overspeed trip at 1650 RPM (110% of 1500 RPM rated) is required by SYS-REQ-004 and by ONR Safety Assessment Principles for nuclear standby generators. The mechanical independence from electronic governors is a SIL-2 requirement: governor software failure must not prevent overspeed protection, as uncontrolled engine acceleration would destroy the alternator and the generator building. IEC 61508 requires diversity between the controlled function (governor speed regulation) and the safety function (overspeed shutdown). | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-mech-overspeed-trip-578 |
| SUB-REQ-021 | The Fuel Injection System SHALL modulate fuel delivery from minimum to maximum fuel rack position within 200 milliseconds of a governor actuator demand signal, across the full engine speed range from cranking to rated speed. Rationale: 200ms fuel rack response is derived from the SYS-REQ-003 requirement to reach rated speed within 10 seconds. Engine acceleration dynamics for a medium-speed diesel require fuel rack authority to be applied within the first revolution of cranking — delayed fuel response would increase time-to-rated-speed and risk failure to meet the 10-second LOOP start time. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-fuel-injection-response-578 |
| SUB-REQ-022 | The Turbocharger and Charge Air System SHALL maintain charge air manifold pressure ≥150 kPa gauge at loads from 25% to 110% of rated power, without engine derating, exhaust smoke exceeding Ringelmann Scale 2, or turbocharger surge. Rationale: 150 kPa gauge minimum charge air pressure is derived from the OEM's power–boost curve for rated output; below this threshold combustion becomes fuel-rich and causes derating, smoke, and turbocharger damage. The Ringelmann Scale 2 limit aligns with UK Environmental Permitting (England and Wales) Regulations 2016 smoky vehicle limits applicable to site diesel plant. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-turbo-boost-578, superseded-by-session-595 |
| SUB-REQ-023 | While the EDG is in standby, the Diesel Engine Subsystem SHALL maintain engine coolant temperature above 20°C using thermostatically controlled immersion heaters, ensuring full rated start capability at ambient temperatures as low as -10°C without warm-up delay. Rationale: ONR Safety Assessment Principles and IEC 61226 require the EDG to be capable of starting and reaching rated output within the design start time at minimum design ambient temperature. Without preheating, cold-viscosity lube oil would prevent achieving rated speed in 10 seconds (SYS-REQ-003) and could cause early bearing wear. Derives from SYS-REQ-003 and SYS-REQ-006 environmental operating range of -10°C to +40°C. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-cold-start-preheat-578 |
| SUB-REQ-024 | When a crankcase explosion relief valve actuates, the Diesel Engine Subsystem SHALL transmit a hardwired trip signal to the Engine Control Panel to initiate engine shutdown within 2 seconds, independent of the engine management software. Rationale: Crankcase explosion is a low-frequency, high-severity failure mode in diesel engines caused by ignition of oil mist from blow-by gases. The 2-second shutdown window prevents secondary explosion or fire propagation within the EDG building. The hardwired trip path ensures this safe state is reached even if the electronic governor or ECP software has failed — consistent with the SIL-2 independence requirements in SYS-REQ-004. This safe state is not covered by the main overspeed or low oil pressure trips. | Test | subsystem, diesel-engine-subsystem, sil-2, session-578, idempotency:sub-crankcase-explosion-safe-state-578 |
| SUB-REQ-026 | The Automatic Load Controller SHALL receive the loss-of-offsite-power signal from the site electrical protection system via a hardwired 24VDC Class 1E discrete input, and SHALL initiate the EDG start sequence within 200 milliseconds of signal assertion, leaving 300 milliseconds margin to the SYS-REQ-003 system deadline of 500ms. Rationale: SYS-REQ-003 requires start initiation within 500ms of LOOP signal receipt. The 200ms sub-allocation to the ALC leaves margin for downstream start sequencing. Hardwired 24VDC Class 1E input is required because the LOOP signal must maintain integrity during the loss-of-power event it signals. Closes the coverage gap for site electrical protection system interface not decomposed at subsystem level. | Test | subsystem, starting-control, sil-3, session-587, idempotency:sub-alc-loop-interface-587 |
| SUB-REQ-027 | The Diesel Engine Subsystem, including the Engine Block, Fuel Injection System, Lubrication and Bearing System, Turbocharger and Charge Air System, and exhaust silencing pipework, SHALL be seismically qualified to remain operable following a safe shutdown earthquake as defined in the site seismic hazard assessment, demonstrated by analysis to IEEE 344 (Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations) or equivalent ONR-accepted standard. Rationale: SYS-REQ-006 mandates seismic qualification for all EDG building equipment. The verification method is IEEE 344 analysis (not inspection of a document — the analysis IS the verification): the qualification analysis must produce a seismic response spectrum (SRS) enveloping the site safe shutdown earthquake (SSE) floor response spectra at the EDG building basemat level, and demonstrate by modal analysis or dynamic test that the Diesel Engine Subsystem's natural frequencies and mode shapes do not exceed the allowable stress and deflection limits specified by the manufacturer for continued operability post-SSE. The analysis must also address the combination of seismic and operational vibration loads (engine rotating imbalance at 1500 RPM = 25 Hz, turbocharger at ~90,000 RPM). Acceptance criteria: no permanent deformation of fuel injection rail, no fracture of exhaust manifold welds, engine restart demonstrated within 60 seconds of SSE cessation per SYS-REQ-001. The qualification analysis report, including methodology, input spectra, results, and conclusions, constitutes the verification evidence. | Analysis | subsystem, diesel-engine-subsystem, sil-3, seismic, session-587, idempotency:sub-diesel-seismic-qualify-587, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-028 | The Isochronous Governor System and Engine Control Panel SHALL comply with BS EN IEC 61000-6-2 (Electromagnetic compatibility - Immunity for industrial environments) for conducted and radiated immunity, and the Automatic Load Controller and Generator Protection Relay electronics SHALL additionally comply with BS EN IEC 61000-6-7 (Electromagnetic compatibility - Immunity requirements for equipment intended to perform functions in a safety-related system) to maintain SIL-3 function integrity in the electromagnetic environment of the EDG building. Rationale: SYS-REQ-008 requires control and protection electronics to operate without degradation in the EDG building electromagnetic environment. The EDG itself generates significant transient EMI during starting and load switching. The Governor and ALC contain microprocessors that are susceptible to EMI-induced logic errors which could cause spurious trips or start failures. IEC 61000-6-7 is specified for SIL-rated functions because standard industrial immunity is insufficient for safety-critical control electronics in a nuclear application. | Test | subsystem, starting-control, electrical-protection-and-switchgear, sil-3, emc, session-587, idempotency:sub-control-emc-compliance-587 |
| SUB-REQ-029 | The Diesel Engine Subsystem SHALL be maintainable for planned minor servicing (cylinder head inspection, injector calibration, belt and filter replacement) using only tools and consumables listed in the site-approved store inventory, without requiring specialised tooling not permanently held on site, at intervals not exceeding 12 months at rated duty cycle. Rationale: SYS-REQ-010 mandates 12-month minor service intervals using only site-held tools and spares. The Diesel Engine Subsystem drives this constraint because it contains the highest-maintenance items: fuel injectors (require calibration), cylinder heads (require torque tools), cooling circuit (requires flush and fill), and lubrication system (requires oil change). Failure to design for site-maintainability would necessitate specialist contractor attendance for routine servicing, violating the site independence requirement. | Demonstration | subsystem, diesel-engine-subsystem, maintainability, session-587, idempotency:sub-diesel-maintainability-587 |
| SUB-REQ-030 | The Engine Parameter Sensor Array SHALL provide dual-channel 4-20mA output for each critical parameter — lube oil pressure (range 0–10 bar, accuracy ±0.5%), jacket coolant temperature (range 0–120°C, accuracy ±1°C), per-cylinder exhaust gas temperature (range 0–600°C, accuracy ±5°C), and vibration level (range 0–25 mm/s RMS) — with each channel capable of independently driving the Protective Trip Logic Unit. Rationale: Dual-channel independence is required by IEC 61508 SIL 2 architecture for the lube oil low-pressure and high-coolant-temperature trip functions. Single-channel failure must be detectable and must not impair the protection function, as loss of parameter monitoring feeds hazard H-COOLING-001 (cooling system failure, severity:critical) and H-ENGINE-001 (engine overspeed via loss of speed feedback). | Test | subsystem, monitoring-and-instrumentation, sil-2, session-588, idempotency:sub-epsa-dual-channel-588 |
| SUB-REQ-031 | The Protective Trip Logic Unit SHALL initiate a hardwired de-energise-to-trip command to the Engine Control Panel within 200 milliseconds of a critical threshold crossing — lube oil pressure below 2.5 bar, jacket coolant temperature above 95°C, engine speed above 110% rated RPM, or vibration above 18 mm/s RMS — using 1oo2D voting on dual-channel sensor inputs with SIL 2 certification to IEC 61508. Rationale: 200ms response time derived from safety analysis: engine failure progression from threshold crossing to catastrophic mechanical failure requires at minimum 500ms (vendor thermal analysis), giving 300ms margin. 1oo2D voting prevents both spurious trips from single sensor failure and failure-to-trip from single channel loss. SIL 2 certification required to match the hazard severity for cooling failure (H-COOLING-001) and overspeed (H-ENGINE-001) at severity:critical. | Test | subsystem, monitoring-and-instrumentation, sil-2, safety, session-588, idempotency:sub-ptlu-trip-response-588 |
| SUB-REQ-032 | When the 110VDC supply voltage to the Protective Trip Logic Unit falls below 88VDC (80% nominal), the Monitoring and Instrumentation Subsystem SHALL transition to the safe state by de-energising all trip output relays within 100 milliseconds, causing the Engine Control Panel to initiate engine shutdown. Rationale: De-energise-to-trip is mandated by IEC 61508 for SIL-2 safety functions: power loss must produce the safe state, not hold the process running. The 80% voltage threshold is the minimum guaranteed relay hold-in voltage per IEC 60255 relay specifications. The 100ms response is faster than the 200ms sensor-trip requirement to ensure power loss does not delay protection. | Test | subsystem, monitoring-and-instrumentation, sil-2, safe-state, session-588, idempotency:sub-ptlu-safe-state-588 |
| SUB-REQ-033 | The Protective Trip Logic Unit SHALL detect a fault on either sensor channel (open circuit, short to supply, out-of-range signal) within 1 second of occurrence and generate a separate channel-fault alarm to the Local Alarm and Indication Panel without inhibiting the protection function on the healthy channel. Rationale: Channel fault detection maintains the defence-in-depth of the dual-channel architecture: an undetected channel fault degrades the 1oo2D configuration to 1oo1, removing the single-failure tolerance required for SIL 2. 1-second detection time aligns with IEC 61508 diagnostic coverage requirements for SIL 2 hardware fault tolerance of 1. | Test | subsystem, monitoring-and-instrumentation, sil-2, session-588, idempotency:sub-ptlu-channel-fault-588 |
| SUB-REQ-034 | The Remote Monitoring Gateway SHALL provide a minimum 1500Vrms optical isolation barrier between the SIL-2 Protective Trip Logic Unit circuits and the main control room I&C network, and SHALL reject any command or write message received from the I&C network without generating an acknowledgement. Rationale: Optical isolation at 1500Vrms prevents ground-loop currents and fault injection from the non-nuclear I&C network from affecting the safety-classified protection circuits. One-way enforcement prevents cyber or operator-error command paths from inadvertently modifying protection setpoints through the monitoring interface, which would be a common-cause vulnerability. IEC 61513 requires isolation of safety and non-safety I&C at qualified barriers. | Test | subsystem, monitoring-and-instrumentation, sil-2, session-588, idempotency:sub-rmg-isolation-588, red-team-session-609, superseded-by-session-611, rt-resolved-session-611 |
| SUB-REQ-035 | The Local Alarm and Indication Panel SHALL provide first-out alarm annunciation for all EDG protective trip functions, displaying the identity of the first-to-trip parameter within 500 milliseconds of the trip output from the Protective Trip Logic Unit, with audible and visual indication that is latched until manually acknowledged. Rationale: First-out annunciation is an ONR inspection requirement for nuclear EDGs during surveillance testing and post-trip review: technicians must identify the root cause of a protective shutdown without ambiguity. 500ms display latency ensures the indication appears before the engine decelerates appreciably, allowing unambiguous first-out identification. | Demonstration | subsystem, monitoring-and-instrumentation, session-588, idempotency:sub-laip-firstout-588, red-team-session-609, superseded-by-session-611, rt-resolved-session-611 |
| SUB-REQ-036 | The Engine Parameter Sensor Array and Protective Trip Logic Unit SHALL remain functional during and after a seismic event with peak ground acceleration up to 0.2g as defined by the EUR (European Utility Requirements) seismic design basis, maintaining trip setpoint accuracy within 10% of nominal during seismic excitation. Rationale: The M&I subsystem must not fail spuriously during a design-basis earthquake (which may itself be the initiating event requiring EDG start) and must retain the ability to initiate protective shutdown if engine parameters exceed limits during seismic operation. 0.2g PGA matches SYS-REQ-006 seismic requirement. 10% setpoint accuracy during excitation is consistent with IEC 60780 (nuclear power plants — electrical equipment qualification) allowance for dynamic error. | Test | subsystem, monitoring-and-instrumentation, sil-2, seismic, session-588, idempotency:sub-mi-seismic-588 |
| SUB-REQ-037 | The Jacket Water Pump SHALL maintain coolant circulation through the engine block at a minimum flow rate of 200 litres per minute at all engine speeds from 1000 RPM to 1600 RPM, without electrical power supply, driven solely from the engine crankshaft belt drive. Rationale: 200 L/min minimum flow is derived from engine thermal model: below this rate, cylinder head temperatures exceed 95 deg C trip setpoint within 2 minutes at full load, so this is the floor that prevents thermal damage at rated output. Engine-driven belt eliminates electrical power dependency for the primary cooling function, directly mitigating H-COOLING-001 during LOOP when EDG bus may not yet be established. Failure mode: drive belt failure or pulley seizure → pump impeller stops rotating → coolant flow drops to zero → cylinder head temperatures rise at ~0.5 deg C/s at full load → high jacket water temperature trip (95 deg C) activates within 120 seconds → engine trips to safe state (standstill with residual coolant providing convective cooling sufficient for <30 min cool-down). Secondary failure indicator: coolant flow switch on pump outlet provides an independent low-flow alarm at 150 L/min (25% below minimum), allowing operator-initiated controlled shutdown before the high-temperature trip activates. This failure mode is captured in hazard H-COOLING-001 and mitigated by the independent flow switch alarm and temperature trip chain. | Test | subsystem, cooling-system, sil-2, session-588, idempotency:sub-jwp-flow-588, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-038 | The Radiator and Fan Assembly SHALL dissipate a minimum of 280 kilowatts of engine waste heat to ambient air at a maximum ambient temperature of 40 degrees Celsius, maintaining engine outlet coolant temperature below 92 degrees Celsius at continuous rated load. Rationale: 280kW cooling capacity provides 10% margin above the engine manufacturer thermal rejection figure of 255kW at rated output. 40 deg C ambient is the site design-basis summer maximum per SYS-REQ-006 environmental constraint. Maintaining outlet below 92 deg C provides 3 deg C margin below the thermostat full-open temperature and 8 deg C margin below the high-temperature trip setpoint. Failure mode: fan motor failure or loss of forced convection (e.g., mechanical failure of the fan belt) → radiator thermal resistance increases by ~40% → at full load (255kW heat rejection), coolant outlet temperature rises from ~85 deg C to approximately 92 deg C in 5–8 minutes → high jacket water temperature alarm activates at 90 deg C → operator-initiated load reduction or automatic engine trip at 95 deg C. Under degraded fan operation at 60% capacity, the engine SHALL maintain reduced output of at least 50% rated load with coolant temperature stable below trip setpoint — this degraded capability is captured in the degraded-mode requirement. The safe state is engine controlled shutdown with coolant convective natural circulation sufficient to prevent thermal damage during cool-down. | Test | subsystem, cooling-system, session-588, idempotency:sub-rad-capacity-588, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-039 | When the engine jacket coolant outlet temperature exceeds 95 degrees Celsius, the Cooling System SHALL generate a hardwired high-temperature alarm signal to the Protective Trip Logic Unit within 2 seconds of threshold crossing, enabling the M&I subsystem to initiate engine shutdown. Rationale: 95 deg C trip threshold matches the Engine Parameter Sensor Array setpoint in SUB-REQ-031. 2-second response is the Thermostat Valve plus coolant sensor thermal lag; the PTLU adds 200ms per SUB-REQ-031. Combined 2.2s to engine shutdown initiation is within the engine vendor safety margin. This is the safe-state interface for H-COOLING-001. | Test | subsystem, cooling-system, sil-2, safe-state, session-588, idempotency:sub-cs-safe-state-588 |
| SUB-REQ-040 | The Day Tank SHALL provide a minimum fuel reserve of 8 hours of continuous operation at rated engine load without replenishment from the Fuel Transfer Pump Set, with the tank sized at no less than 120% of the 8-hour consumption volume calculated at manufacturer's rated specific fuel consumption. Rationale: 8-hour autonomous reserve ensures the EDG continues to operate through loss of 415V AC supply to transfer pumps (which would accompany a LOOP event) until the diesel-backed 24VDC system can restore pump operation. 120% margin accommodates sedimentation volume and prevents air ingestion from the outlet pipe. Derived from SYS-REQ-002 (168h total) with the day tank providing the first-phase buffer. | Test | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-day-tank-capacity-590 |
| SUB-REQ-041 | The Bulk Fuel Storage Tank SHALL hold a minimum usable fuel volume of 42,000 litres, with nominal tank capacity ≥48,300 litres (115% of minimum usable) to account for unusable sump volume, thermal expansion, and minimum pump inlet submersion depth. Rationale: 42,000 litres is derived from the rated fuel consumption rate (250 L/hr at 100% load, OEM data) × 168 hours. The 115% factor for nominal capacity follows CIRIA C765 (Above-ground fuel storage tank design) guidance for usable volume derating. These values allow tank capacity compliance to be verified by dimensional survey without ambiguity. | Test | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-bulk-tank-capacity-590, superseded-by-session-595 |
| SUB-REQ-042 | The Fuel Transfer Pump Set SHALL automatically start the duty pump within 10 seconds of the Day Tank level falling to the Low (L) set-point, and automatically start the standby pump within 10 seconds of duty pump trip confirmation, with both pumps capable of filling the Day Tank from Low to High level within 30 minutes at rated EDG fuel consumption. Rationale: 10-second start delay prevents nuisance cycling; 30-minute fill time ensures the day tank never reaches LL (low-low trip) during the pump start-up transient. These values are derived from the day tank volume and engine fuel consumption rate at rated load. Standby auto-start is required to prevent loss of fuel supply on duty pump trip during an unattended LOOP mission. | Test | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-pump-autostart-590 |
| SUB-REQ-043 | The Fuel Filtration Assembly SHALL remove particulate matter to a maximum particle size of 10 microns nominal and separate free water from the fuel stream, generating a maintenance alarm to the Local Alarm and Indication Panel when differential pressure across the filter element exceeds 0.3 bar, while maintaining rated flow without restricting supply pressure below 1.5 bar at the engine inlet. Rationale: 10-micron filtration protects precision fuel injection components (nozzle orifice typically 15-20 micron) from wear; 0.3 bar DP alarm threshold is the manufacturer standard for duplex filter sets on medium-speed diesel engines. 1.5 bar minimum inlet pressure is the fuel injection system operating floor per IFC-REQ-008. Failure to filter would cause premature injection pump wear and risk loss of engine output. | Test | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-fuel-filtration-590 |
| SUB-REQ-044 | When a confirmed fire detection signal is received from the EDG building fire detection system, the Fuel Supply Pipework and Valve Assembly SHALL automatically close the bulk fuel supply isolation valve within 10 seconds to prevent additional fuel feeding the fire, while maintaining the Day Tank gravity-feed to the engine to support controlled shutdown. Rationale: Motorised isolation on fire signal is an ONR requirement (NS-TAST-GD-049 fire safety guidance) for nuclear EDG buildings; 10-second closure prevents significant additional fuel reaching a fire source while the engine runs its controlled stop sequence. Maintaining Day Tank gravity feed during controlled shutdown avoids uncontrolled loss of cooling and lubrication by an abrupt engine trip. This is the safe state for the HAZ-FIRE hazard in the hazard register. | Test | subsystem, fuel-oil-system, sil-2, safe-state, session-590, idempotency:sub-fuel-fire-isolation-590 |
| SUB-REQ-045 | The Fuel Oil System SHALL maintain fuel temperature in the Day Tank above 5°C under site minimum ambient temperature conditions (-10°C at the EDG building) using trace heating or immersion heating, such that fuel viscosity at the engine fuel inlet remains within the fuel injection manufacturer's specified operating range (Class A2 diesel EN 590, cloud point ≤ -10°C). Rationale: BS EN 590 Class A2 diesel has a cold filter plugging point (CFPP) of -10°C; at -10°C ambient, unheated pipework on an uninsulated external run could cause wax deposition in filter and pipework. 5°C tank minimum maintains adequate margin above CFPP for fuel within the building. This requirement is critical to the cold-start capability required by SYS-REQ-001 (10-second start at all environmental conditions). | Demonstration | subsystem, fuel-oil-system, sil-2, session-590, idempotency:sub-fuel-cold-start-temp-590 |
| SUB-REQ-046 | The Automatic Voltage Regulator SHALL maintain the Synchronous Generator Assembly terminal voltage within ±0.5% of set-point under steady-state conditions and within ±6% during any single load step not exceeding 40% of rated kVA, recovering to within ±2% within 3 seconds of the step load application. Rationale: ±0.5% steady-state regulation derives from SYS-REQ-001 (±6% terminal voltage) and must be achievable with sufficient margin to accommodate load-sharing tolerance in future parallel operation. ±6% transient tolerance is the SYS-REQ-001 limit; 3-second recovery is the site electrical system requirement for connected Class 1E equipment (sensitive motor drives and UPS float chargers tolerate 6% for no more than 3s before actuation). 40% step load is the largest single block in the site load sequencing plan per SYS-REQ-007. Failure mode: AVR excitation circuit failure (loss of excitation sensing or failed SCR in excitation bridge) → generator terminal voltage falls outside ±6% window → generator protection relay (loss-of-excitation element 40) activates within 3 seconds → generator trips to safe state (de-energised, engine continues running unloaded awaiting AVR recovery or operator intervention). Under partial AVR failure (one of two redundant sensing channels fails), the generator SHALL maintain regulated output on the remaining channel at reduced droop setting — this resilience is addressed by the redundant AVR sensing architecture documented in ARC-REQ-007. Voltage collapse without protection actuation is prevented by the generator protection relay's independent voltage supervision, which does not depend on the AVR. | Test | subsystem, alternator-subsystem, sil-2, session-590, idempotency:sub-avr-voltage-regulation-590, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-047 | The Generator Stator Winding and Thermal Protection SHALL alarm to the Protective Trip Logic Unit when any stator winding PT100 RTD reading exceeds 130°C and SHALL initiate a protective trip of the EDG system when any reading exceeds 155°C, with both thresholds independently configurable and the PT100 signals providing ±2°C accuracy over the operating range 20°C to 180°C. Rationale: 155°C trip threshold is the Class F thermal limit applied within Class H (180°C rated) insulation — a 25°C design margin per IEC 60034-1 thermal classification. This margin is required for a nuclear qualified generator where accelerated insulation ageing under continuous high-temperature operation could compromise the 40-year design life. 130°C alarm (25°C below trip) provides operator warning during blocked cooling or overload. ±2°C RTD accuracy ensures the alarm/trip threshold tolerances remain within the insulation class margins. | Test | subsystem, alternator-subsystem, sil-2, safety, session-590, idempotency:sub-stator-winding-temp-590 |
| SUB-REQ-048 | The Generator Bearing and Mechanical Support Assembly SHALL alarm to the Protective Trip Logic Unit when any bearing PT100 RTD reading exceeds 90°C and SHALL initiate an engine shutdown trip when any reading exceeds 100°C, with the DE bearing lubricated from the engine main lube oil header at no less than 1.5 bar and no more than 4.0 bar supply pressure during normal operation. Rationale: 90°C alarm and 100°C trip are standard limits for white-metal sleeve bearings used in medium-speed diesel-coupled generators (BS EN 60034-1 and manufacturer guidance for Babbitt metal bearings, which suffer accelerated fatigue above 100°C). 1.5-4.0 bar lube supply range is the typical operating envelope for medium-speed diesel engine lube oil headers. Bearing failure on a coupled set would rapidly destroy both the engine and alternator, hence the trip is safety-significant. | Test | subsystem, alternator-subsystem, sil-2, safety, session-590, idempotency:sub-bearing-temp-trip-590 |
| SUB-REQ-049 | The Brushless Excitation System SHALL build terminal voltage from zero (black-start) to within ±6% of rated voltage within 3 seconds of the engine reaching 95% rated speed, with voltage overshoot not exceeding 10% of rated voltage at any point during the build-up transient, independent of any power supply other than mechanical rotation of the shaft. Rationale: 3-second voltage build-up from engine synchronous speed is required to meet the SYS-REQ-001 10-second overall start time (10s from LOOP signal to ready state includes start sequence and speed run-up; voltage build-up must complete within the final 3s). The PMG-based brushless excitation achieves this without dependency on external AC power, which is the failure mode being responded to. 10% overshoot limit protects connected Class 1E equipment from voltage transients during energisation. Failure mode: permanent magnet generator (PMG) rotor demagnetisation or rotating rectifier diode failure → no excitation current to main field winding → zero terminal voltage at synchronous speed → generator protection relay (field failure element 40) activates after 5-second delay → EDG remains available for manual field restoration or replacement of rectifier cartridge (maintenance access required). A single rotating diode failure reduces excitation current by 33% (3-phase bridge with one lost phase), producing voltage reduction of approximately 20% — this triggers under-voltage protection (element 27) and a controlled load rejection rather than a sudden blackout, preserving generator and load integrity. This failure mode is traceable to hazard H-EXCITATION-001. | Test | subsystem, alternator-subsystem, sil-2, session-590, idempotency:sub-excitation-blackstart-590, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-050 | When a Generator Protection Relay (GPR) stator earth fault trip signal is received, the Alternator Subsystem SHALL de-energise the anti-condensation heaters and the Automatic Voltage Regulator within 200 milliseconds to remove all voltage sources from the stator winding, such that the stator winding is electrically isolated on both the generator terminal side and the excitation supply side within 200 milliseconds. Rationale: The Fuel Oil System is Regulated (UHT trait): on-site bulk fuel storage in volumes typical of nuclear EDG systems (typically 30,000–50,000 litres for 168h mission) requires secondary containment and spill detection under Environmental Permitting Regulations. CIRIA C736 (Construction Industry Research and Information Association — Containment systems for the prevention of pollution) is the industry standard for oil storage bunding used by ONR as the benchmark for compliance during nuclear site inspections. Failure to comply exposes the site owner to enforcement action that could require immediate removal of fuel storage. 110% of largest tank (or 25% of total volume, whichever is greater) is the standard bunding capacity requirement from CIRIA C736 and PPG2 (Pollution Prevention Guidance). | Test | subsystem, alternator-subsystem, sil-2, safe-state, session-590, idempotency:sub-alternator-stator-safe-state-590, tech-author-session-613 |
| SUB-REQ-051 | The Isochronous Governor System SHALL incorporate dual independent speed-sensing channels, such that the failure of one channel (open circuit, sensor failure, or signal loss) does not cause governed speed deviation exceeding ±3% of rated speed and SHALL annunciate the channel failure to the Local Alarm and Indication Panel within 2 seconds without initiating an engine trip. Rationale: The governor is System-Essential (UHT trait): loss of governed speed control causes frequency deviation that disconnects safety loads. Dual-channel architecture is required per IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL 3 for single-point failure protection. The no-trip-on-single-failure requirement prevents unnecessary EDG shutdowns during LOOP missions when a governor sensor fails; the 3% speed window bounds the resulting frequency excursion within load protection relay settings. | Test | subsystem, starting-and-control, sil-3, redundancy, session-592, idempotency:sub-governor-redundancy-592 |
| SUB-REQ-052 | The Fuel Injection System SHALL deliver fuel injection timing within ±2 degrees of crankshaft rotation of the nominal injection advance angle across the full speed range (700–1600 RPM) and load range (0–100% rated), and SHALL maintain injection timing accuracy in the event of a single injector nozzle blockage by redistributing fuel delivery to the remaining cylinders with no more than 5% reduction in rated power output. Rationale: Fuel injection timing is Temporal (UHT trait) and System-Essential: ±2° timing precision is required to achieve the NOx and smoke limits under UK nuclear site air quality regulations and to maintain combustion stability during rapid load application following LOOP. Single-injector redundancy bounds the consequence of a nozzle blockage to <5% power reduction, preserving the minimum EDG output required to supply nuclear safety loads (typically 60–80% of rated capacity). | Test | subsystem, diesel-engine, sil-2, redundancy, temporal, session-592, idempotency:sub-fuel-injection-timing-redundancy-592 |
| SUB-REQ-053 | The Fuel Transfer Pump Set SHALL consist of two independently-powered duty/standby pumps, each capable of supplying 150% of rated engine fuel consumption, with automatic standby pump start on duty pump failure (loss of discharge pressure below 0.8 bar) occurring within 30 seconds, maintaining uninterrupted Day Tank replenishment throughout the EDG mission duration. Rationale: The Fuel Transfer Pump Set is System-Essential (UHT trait): pump failure causes Day Tank depletion within 2–4 hours at rated load, terminating the 168h mission. Duty/standby architecture with automatic changeover is required by the PFD budget in SYS-REQ-005 (PFD ≤1×10⁻³) — a single pump with no standby contributes unacceptably to mission failure probability. 30-second changeover is bounded by Day Tank minimum volume capacity at rated consumption. | Test | subsystem, fuel-oil-system, sil-2, redundancy, session-592, idempotency:sub-fuel-pump-redundancy-592 |
| SUB-REQ-054 | The Cooling System SHALL maintain engine jacket water temperature within the operational band (70°C–88°C) following the failure of a single Jacket Water Pump, provided the engine load is reduced to 75% of rated within 60 seconds of pump failure, and SHALL generate a pump failure alarm to the Local Alarm and Indication Panel within 10 seconds of detecting coolant flow below the minimum threshold. Rationale: The Cooling System is System-Essential (UHT trait): loss of cooling causes engine shutdown on high-temperature trip within minutes. Maintaining operability at 75% load with one pump failed supports continued supply to nuclear safety loads at reduced (but sufficient) output — nuclear sites typically size EDG rated capacity with a margin above minimum safety load. The 60-second load reduction window is achievable by the automatic load shedding sequence in the Starting and Control Subsystem (SUB-REQ-028). 10-second alarm response ensures operator situational awareness before temperature rises to the trip threshold. | Test | subsystem, cooling-system, sil-2, redundancy, session-592, idempotency:sub-cooling-backup-path-592 |
| SUB-REQ-055 | The Generator Protection Relay SHALL comply with IEC 60255-151 (Measuring relays and protection equipment — Functional requirements for over/under voltage protection) and IEC 60255-181 (frequency protection), and SHALL be type-tested and certified to these standards by an accredited test laboratory before installation on the nuclear licensed site. Rationale: The Generator Protection Relay is Institutionally Defined (UHT trait): it must comply with IEC 60255 series standards as required under the ONR Safety Assessment Principles for safety-classified electrical protection equipment. Type-testing by an accredited laboratory is required because nuclear sites cannot perform first-article qualification testing on protection relays in-situ — the test environment would require tripping the EDG from the safety bus, which is unacceptable during site operation. | Inspection | subsystem, electrical-protection-switchgear, sil-3, standards, session-592, idempotency:sub-protection-relay-standards-592 |
| SUB-REQ-056 | The Main Generator Circuit Breaker SHALL comply with BS EN 62271-100 (High-voltage switchgear and controlgear — AC circuit-breakers) or BS EN 61439-1 (Low-voltage switchgear and controlgear assemblies) as applicable to the rated voltage, and SHALL be certified by a UKAS-accredited body with type test evidence covering rated breaking capacity, short-time current withstand, and electrical endurance class E2. Rationale: BS EN 62271-100 or BS EN 61439-1 is the required product standard for Main Generator Circuit Breaker (MGCB) certification, depending on rated voltage. UKAS (United Kingdom Accreditation Service) accreditation ensures the certifying body is competent to issue type-test certificates meeting the requirements of EN IEC 17065 (Conformity assessment bodies). ONR and nuclear site licensing inspectors require third-party certified electrical equipment in Class 1E applications — self-declaration is not accepted. E2 endurance class confirms the MGCB is rated for frequent switching duty cycles consistent with nuclear EDG surveillance testing (weekly start/load/shutdown) and emergency operation profiles. | Inspection | subsystem, electrical-protection-switchgear, sil-3, regulated, standards, session-592, idempotency:sub-mcb-compliance-592, tech-author-session-613 |
| SUB-REQ-057 | The Fuel Oil System bunding and containment SHALL comply with the Environmental Permitting (England and Wales) Regulations 2016 and CIRIA C736 (Containment systems for the prevention of pollution), providing secondary containment with a minimum capacity of 110% of the largest tank or 25% of total stored fuel volume (whichever is greater), with an impermeable bund having no drains connected to site drainage, and with spill detection alarming to the site control room. Rationale: The Fuel Oil System is Regulated (UHT trait): on-site bulk fuel storage in volumes typical of nuclear EDG systems (typically 30,000–50,000 litres for 168h mission) requires secondary containment and spill detection under Environmental Permitting Regulations. CIRIA C736 is the industry standard for oil storage bunding used by ONR as the benchmark for compliance during nuclear site inspections. Failure to comply exposes the site owner to enforcement action that could require immediate removal of fuel storage. | Inspection | subsystem, fuel-oil-system, sil-2, regulated, environmental, session-592, idempotency:sub-fuel-oil-compliance-592 |
| SUB-REQ-058 | The Local Alarm and Indication Panel SHALL present any new alarm condition within 2 seconds of the initiating parameter exceeding its alarm threshold, SHALL maintain alarm display independent of the EDG running state (alarms SHALL be visible during start-up, steady-state operation, and shutdown), and SHALL comply with EEMUA 191 (Alarm systems — A guide to design, management and procurement) for alarm presentation, priority classification, and suppression control. Rationale: The Local Alarm and Indication Panel is Temporal (UHT trait) and Normative: 2-second alarm presentation latency is the maximum permissible for Class 1E safety alarm systems under the IEC 61226 (Nuclear power plants — I&C systems important to safety) classification. EEMUA 191 compliance is required by ONR for control panel alarm management on nuclear licensed sites to prevent alarm flooding that could lead operators to miss safety-critical alerts during abnormal events. | Test | subsystem, monitoring-and-instrumentation, sil-2, temporal, normative, session-592, idempotency:sub-local-alarm-timing-592 |
| SUB-REQ-059 | The Starting and Control Subsystem SHALL provide a test mode that enables full-rated-load operational testing of the EDG system without connecting to the safety bus, achieved by automatically transferring the EDG load to a dedicated load bank, with test initiation and termination controlled by a key-switch on the Engine Control Panel accessible only to authorised operations team personnel. Rationale: STK-REQ-004 requires the operations team to conduct monthly full-load tests without interrupting normal plant safety functions; this SUB requirement decomposes the test mode implementation to the Starting and Control Subsystem. Key-switch access control is required by ONR nuclear site operating procedures to prevent inadvertent test mode activation. Load bank transfer (rather than live bus testing) ensures that a test-mode fault cannot interrupt safety bus power to nuclear loads. | Demonstration | subsystem, starting-and-control, sil-3, operations, session-592, idempotency:sub-test-mode-control-592 |
| SUB-REQ-060 | Each major subsystem of the EDG system (Diesel Engine Subsystem, Alternator Subsystem, Fuel Oil System, Cooling System, Starting and Control Subsystem, Electrical Protection and Switchgear Subsystem, Monitoring and Instrumentation Subsystem) SHALL provide dedicated isolation points (valves, isolators, or disconnects) enabling an authorised maintenance team to electrically or mechanically isolate that subsystem from the remainder of the EDG system without requiring removal of any shared component, within a preparation time not exceeding 60 minutes. Rationale: STK-REQ-006 requires the maintenance team to isolate and maintain each subsystem independently with maximum 2-hour preparation time; this SUB requirement decomposes the isolation architecture across all seven subsystems. 60-minute isolation preparation is specified (half the 2-hour STK allowance) to allow margin for unexpected complications during isolations on a nuclear licensed site where permit-to-work procedures add administrative overhead. | Inspection | subsystem, maintenance, sil-2, isolation, session-592, idempotency:sub-subsystem-isolation-592 |
| SUB-REQ-061 | The Fuel Oil System SHALL comply with the Dangerous Substances and Explosive Atmospheres Regulations 2002 (DSEAR) for storage and handling of Class C3 petroleum product, the Petroleum (Consolidation) Regulations 2014, and BS EN ISO 4064 for flow measurement, and SHALL be designed, constructed, and inspected in accordance with CIRIA C736 (Containment systems for the prevention of pollution) for secondary containment of all bulk and day tank installations. Rationale: The Fuel Oil System stores and handles diesel fuel (petroleum Class C3) on a licensed nuclear site. DSEAR compliance is legally mandatory for hazardous substance storage. The Petroleum (Consolidation) Regulations apply because bulk storage exceeds 3,000 litres. CIRIA C736 secondary containment is required by the Environment Agency (EA) for bulk fuel tanks to prevent pollution incidents — a 168h fuel stock at a large EDG may exceed 15,000 litres, triggering EA Class 2 bunding requirements. | Inspection | session-593, qc, fuel-oil, compliance, regulatory, idempotency:sub-fuel-oil-compliance-593 |
| SUB-REQ-062 | The Compressed Air Starting System SHALL store compressed air at no less than 25 bar gauge to deliver a minimum of 3 complete 15-second cranking cycles at full cranking torque, without requiring compressor recharge between attempts. Rationale: Derived from SYS-REQ-003. Three attempts is the UK nuclear standard: probabilistic analysis shows P(3 sequential failures | working engine) < 1×10⁻⁴. Each cycle is 15 seconds to match engine starting performance at rated class. The 25 bar minimum stored pressure ensures starting torque is maintained through all three attempts without compressor assist. Replaces SUB-REQ-002 to eliminate ambiguous 'sufficient'. | Test | session-595, qc, starting-control, sil-3, replaces-sub-002, idempotency:sub-cass-3-attempts-r2-595 |
| SUB-REQ-063 | The Engine Block and Rotating Assembly SHALL accelerate the coupled shaft to 1500 RPM nominal (50 Hz ±1% at the alternator output) within 10 seconds of start initiation, measured from first starter engagement under cold standby conditions with no electrical load connected. Rationale: 1500 RPM is required by the 4-pole alternator to produce 50 Hz (SUB-REQ-050 and SYS-REQ-001). The 10-second criterion is the system-level start time from SYS-REQ-003. Cold standby starting is the worst-case condition for accelerating inertia. Replaces SUB-REQ-017 to eliminate ambiguous 'sufficient'. | Test | session-595, qc, diesel-engine-subsystem, sil-2, replaces-sub-017, idempotency:sub-engine-accel-r2-595 |
| SUB-REQ-064 | The Turbocharger and Charge Air System SHALL deliver combustion air at the boost pressure defined in the engine manufacturer's performance map across the rated load range (25% to 110% of rated power), such that the engine achieves its rated power output without smoke exceedance or turbocharger surge at any operating point within this range. Rationale: The nuclear EDG must accept safety bus loads in stepped blocks per SYS-REQ-007, starting as low as 25% rated load. Replacement references the manufacturer's performance map (a defined, measurable specification) rather than the ambiguous 'sufficient boost pressure'. The 25-110% range is confirmed as the operating envelope. Replaces SUB-REQ-022 to eliminate ambiguous 'sufficient'. | Test | session-595, qc, diesel-engine-subsystem, sil-2, replaces-sub-022, idempotency:sub-turbo-boost-r2-595 |
| SUB-REQ-065 | The Bulk Fuel Storage Tank SHALL have a minimum nominal capacity of 115% of the quantity required for 168 hours of continuous EDG operation at rated load, where rated load fuel consumption is defined by the engine manufacturer's test bed data, and the 115% factor accounts for 3% dead sump volume, 2% thermal expansion (per ASTM D975 Class A2 diesel at 40°C), and 10% minimum pump inlet submersion. Rationale: 168h duration is the design basis from SYS-REQ-002. The 115% factor components are: 3% sump dead volume, 2% thermal expansion at 40°C (ASTM D975 Class A2 diesel), 10% minimum pump inlet submersion to prevent vortex ingestion — standard allowances per ENA TS 09-3. Calculation method provides a verifiable capacity rather than the ambiguous 'sufficient volume'. Replaces SUB-REQ-041 to eliminate ambiguous 'sufficient'. | Inspection | session-595, qc, fuel-oil-system, sil-2, replaces-sub-041, idempotency:sub-bulk-tank-cap-r2-595 |
| SUB-REQ-066 | Before reinstatement to operational service following any planned maintenance activity requiring LOTO isolation, the EDG system SHALL successfully complete a Post Maintenance Test (PMT) demonstrating start-to-rated voltage and frequency within 10 seconds and acceptance of a 50% rated load block, with all protective trips, alarms, and control functions verified functional prior to return to standby ready mode. Rationale: The Planned Overhaul ConOps scenario requires a validation mechanism between maintenance completion and return to standby ready mode. Without a PMT requirement, the system could re-enter the Standby Ready mode with undetected maintenance defects (e.g., incorrectly reassembled governor, air-locked fuel system). IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) SIL-2/3 functional safety management requires that post-maintenance testing confirms safety function integrity before reinstatement. | Demonstration | session-603, validation, maintenance, pmt, return-to-service, sil-3, idempotency:sub-pmt-return-to-service-603 |
| SUB-REQ-067 | Before any planned maintenance activity requiring physical isolation of EDG components, the Starting and Control Subsystem SHALL enforce a controlled transition to Maintenance Out-of-Service mode by: (a) confirming EDG is in Standby Ready or post-test shutdown state; (b) issuing an EDG unavailability signal to the site control room within 30 seconds; (c) removing the start demand interlock to prevent automatic start; (d) confirming LOTO point isolation on all energy sources before issuing a Maintenance Access Permit. Rationale: The ConOps scenario 'Planned Overhaul' identifies a 14-day maintenance outage with LOTO. STK-REQ-006 requires isolation without affecting normal plant operation. SUB-REQ-066 specifies the return-to-service PMT but there was no corresponding requirement governing the controlled ENTRY into Maintenance Out-of-Service mode — specifically, the automatic start interlock removal and unavailability notification to the control room. Without a procedural entry requirement, there is a risk that an EDG could receive a LOOP demand while maintenance activities are in progress. Verification by Demonstration: a factory acceptance test (FAT) procedure SHALL step through the full sequence (a)–(d) against a simulated LOOP demand signal, confirming that the start demand interlock is removed before Maintenance Access Permit is issued, and that the unavailability signal reaches the simulated control room within 30 seconds. The demonstration must be repeatable and witnessed by the nuclear site's I&C commissioning team. Inspection of a document alone is insufficient because the sequence involves software logic and interlock states that can only be confirmed by exercising the actual control system. | Demonstration | session-607, validation, maintenance, loto, mode-coverage, sil-3, idempotency:sub-maintenance-mode-entry-607, red-team-session-609, rt-resolved-session-611 |
| SUB-REQ-068 | The Remote Monitoring Gateway SHALL provide a minimum 2500Vrms galvanic isolation barrier (optical isolator or equivalent qualified isolator device) between the SIL-2 Protective Trip Logic Unit circuits and the main control room I&C network, and SHALL reject any command or write message received from the I&C network without generating an acknowledgement, error reply or any other response. Rationale: 2500Vrms isolation withstand is required by IEC 60709 (Nuclear power plants — Instrumentation and control systems important to safety — Separation) for Class 1E to non-Class 1E interface isolation barriers with 120/240VAC working voltage: IEC 60709 Table 1 specifies a minimum 3000V dielectric withstand test (2121Vrms continuous equivalent), making 2500Vrms the minimum rated isolation voltage to meet the test requirement with margin. The previous value of 1500Vrms was derived from IEC 60664-1 general industrial practice and is insufficient for nuclear-qualified separation. One-way enforcement prevents cyber or operator-error command paths from inadvertently modifying protection setpoints, directly addressing H-010 (Cyber attack threat) per IEC 61513 (Nuclear power plants — Instrumentation and control systems important to safety — General requirements for systems). A silent discard (no acknowledgement and no error reply) also denies an attacker on the I&C network any response that could be used to probe the safety side. Verification by Test SHALL include a negative test: read, write and control messages, including malformed frames and frames that imitate PTLU status messages, are injected from the I&C network side of the barrier, and the test confirms that no PTLU setpoint or state changes, that no response of any kind is returned, and that the outbound status and analogue signals of IFC-REQ-013 continue to flow during the injection. Supersedes SUB-REQ-034. | Test | session-611, qc, monitoring-and-instrumentation, sil-2, supersedes-sub-req-034, idempotency:sub-rmg-isolation-2500vrms-611 |
| SUB-REQ-069 | The Local Alarm and Indication Panel SHALL provide first-out alarm annunciation for all EDG protective trip functions, displaying the identity of the first-to-trip parameter within 100 milliseconds of the trip output from the Protective Trip Logic Unit, with audible and visual indication that is latched until manually acknowledged. Rationale: 100ms first-out display latency is required because nuclear EDG protective trip chains can produce cascading secondary trips within 200–500ms of the initiating event (e.g., low oil pressure initiates followed by overspeed as the engine governor reacts): if the LAIP display latency exceeds the inter-trip interval, the displayed first-out may incorrectly show a secondary trip as the initiating cause. IEC 62138 (Software for computers important to safety for nuclear power stations) and NUREG/CR-6572 guidance for nuclear annunciation systems establish ≤100ms as the required maximum response time for first-out discrimination. ONR inspection requirements for nuclear EDGs specify that first-out identification must be unambiguous for both surveillance testing post-trips and licensing event reports. The 500ms value in the superseded SUB-REQ-035 was insufficient to meet this discrimination requirement. Supersedes SUB-REQ-035. | Demonstration | session-611, qc, monitoring-and-instrumentation, supersedes-sub-req-035, idempotency:sub-laip-firstout-100ms-611 |
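The one-way rule of SUB-REQ-068, as an added example that is not code from this report or from any gateway product: a software model of the Remote Monitoring Gateway beside the weak bidirectional design it replaces, with the negative test a commissioning team would run from the I&C side. The frame fields, the message kinds, the tag names and the two protection setpoints are assumptions made for the example.

```python
# Added example (not code from the UHT report or from any gateway vendor): a
# software model of the one-way rule in SUB-REQ-068, with the negative test a
# commissioning team would run against it. Frame fields, tag names, the two
# setpoints and the message kinds are assumptions made for this example.
from dataclasses import dataclass
from typing import Optional, Tuple
import random

SAFETY_SIDE = "ptlu"  # SIL-2 Protective Trip Logic Unit side of the barrier
ICN_SIDE = "icn"      # main control room I&C network side

# Assumed protection setpoints; they live on the safety side of the barrier.
SETPOINTS = {"overspeed_rpm": 1725.0, "lube_oil_low_bar": 2.0}


@dataclass(frozen=True)
class Frame:
    src: str                      # SAFETY_SIDE or ICN_SIDE
    kind: str                     # PTLU emits "status"/"analogue"; I&C side may send anything
    tag: str
    value: Optional[float] = None
    seq: int = 0


class BidirectionalGateway:
    """Weak design, kept only as the 'before': honours writes from the I&C
    network and answers every request, so a compromised or misoperated I&C
    host can move protection setpoints and can probe the safety side."""

    def __init__(self, setpoints):
        self.setpoints = dict(setpoints)
        self.published = {}

    def handle(self, f: Frame) -> Optional[Frame]:
        if f.src == SAFETY_SIDE:
            self.published[f.tag] = f.value
            return None
        if f.kind == "write" and f.tag in self.setpoints:
            self.setpoints[f.tag] = f.value
            return Frame(ICN_SIDE, "ack", f.tag, f.value, f.seq)
        return Frame(ICN_SIDE, "nak", f.tag, None, f.seq)  # even a NAK is a reply path


class OneWayGateway:
    """SUB-REQ-068 behaviour: only status/analogue frames originating on the
    PTLU side are published outward; every frame arriving from the I&C side is
    discarded with no acknowledgement, error reply or other response."""

    def __init__(self, setpoints):
        self.setpoints = dict(setpoints)
        self.published = {}
        self.discarded = 0        # safety-side diagnostic counter only

    def handle(self, f: Frame) -> Optional[Frame]:
        if f.src == SAFETY_SIDE and f.kind in ("status", "analogue"):
            self.published[f.tag] = f.value
            return None
        self.discarded += 1       # includes I&C-side frames that merely claim to be "status"
        return None


def negative_test(gw, n: int = 200, seed: int = 1) -> Tuple[bool, int, bool]:
    """Inject n constructed read/write/control/spoofed-status/malformed frames
    from the I&C side. Returns (setpoints unchanged, replies seen, published
    snapshot unchanged); the pass criterion is (True, 0, True)."""
    rng = random.Random(seed)
    before_sp, before_pub = dict(gw.setpoints), dict(gw.published)
    replies = 0
    kinds = ["read", "write", "control", "status", "\x00\xff garbage"]
    tags = list(gw.setpoints) + ["edg_running", "not_a_tag"]
    for i in range(n):
        f = Frame(ICN_SIDE, rng.choice(kinds), rng.choice(tags), rng.uniform(0.0, 5000.0), i)
        if gw.handle(f) is not None:
            replies += 1
    return (gw.setpoints == before_sp, replies, gw.published == before_pub)


if __name__ == "__main__":
    for cls in (BidirectionalGateway, OneWayGateway):
        gw = cls(SETPOINTS)
        gw.handle(Frame(SAFETY_SIDE, "status", "edg_running", 1.0))
        print(cls.__name__, negative_test(gw))
```

The bidirectional model fails the negative test on two counts (its setpoints move and it replies to every frame), while the one-way model returns (True, 0, True). Note that the software rule is only half of the requirement: the 2500Vrms barrier and the absence of any physical receive path into the PTLU side are what the isolation test must show, since a gateway that can be reconfigured to answer is not one-way.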
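The first-out discrimination argument in SUB-REQ-069, as an added example that is not code from this report: a scan-based model of the Local Alarm and Indication Panel latch, run against the cascade described in the rationale (low oil pressure initiates, overspeed follows as the governor reacts). It shows that a panel whose display latency exceeds the inter-trip interval sees several trip outputs already true on its first look and cannot name the initiator, and it models the latch-until-acknowledged behaviour. The trip names, times and scan intervals are constructed for the example.

```python
# Added example (not from the UHT report): a scan-based model of the Local
# Alarm and Indication Panel first-out latch in SUB-REQ-069, used to show why
# the display latency must be shorter than the closest credible inter-trip
# interval. The trip names, times and scan intervals are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TripEvent:
    name: str
    t_ms: int          # time at which the PTLU trip output went true


class FirstOutAnnunciator:
    """The panel reads the PTLU trip outputs once every scan_ms (its display
    latency). The first scan that finds any output true latches what it sees;
    if more than one output is already true, first-out is ambiguous."""

    def __init__(self, scan_ms: int):
        self.scan_ms = scan_ms
        self.first_out: Optional[Tuple[str, ...]] = None
        self.latched_at_ms: Optional[int] = None
        self.audible = False
        self.visual = False
        self.secondary: List[str] = []

    def run(self, trips: List[TripEvent], horizon_ms: int) -> Optional[Tuple[str, ...]]:
        trips = sorted(trips, key=lambda e: e.t_ms)
        for t in range(self.scan_ms, horizon_ms + 1, self.scan_ms):
            present = [e.name for e in trips if e.t_ms <= t]
            if not present:
                continue
            if self.first_out is None:
                # Latch: the display cannot order outputs that were already true
                # when it looked, so everything present is recorded together.
                self.first_out = tuple(present)
                self.latched_at_ms = t
                self.audible = self.visual = True
            else:
                for name in present:
                    if name not in self.first_out and name not in self.secondary:
                        self.secondary.append(name)
        return self.first_out

    def unambiguous(self) -> bool:
        return self.first_out is not None and len(self.first_out) == 1

    def acknowledge(self) -> None:
        """Operator acknowledge silences the horn; the latched first-out stays."""
        self.audible = False

    def reset(self, trips_cleared: bool) -> bool:
        """Reset is only allowed after acknowledge and with all trips cleared."""
        if self.audible or not trips_cleared or self.first_out is None:
            return False
        self.first_out, self.latched_at_ms, self.visual, self.secondary = None, None, False, []
        return True


# Constructed cascade from the SUB-REQ-069 rationale: low oil pressure initiates,
# overspeed follows as the governor reacts, then a further secondary trip.
CASCADE = [TripEvent("low_oil_pressure", 0), TripEvent("overspeed", 300),
           TripEvent("high_coolant_temp", 450)]


def discriminates(scan_ms: int, trips=CASCADE, horizon_ms: int = 2000) -> bool:
    """True when a panel with this display latency identifies a single initiator."""
    panel = FirstOutAnnunciator(scan_ms)
    panel.run(trips, horizon_ms)
    return panel.unambiguous()


if __name__ == "__main__":
    for scan in (100, 250, 300, 500):
        print(scan, "ms scan:", FirstOutAnnunciator(scan).run(CASCADE, 2000))
```

With a 100ms scan the panel latches low oil pressure alone and records overspeed and coolant temperature as secondary; with the superseded 500ms value all three outputs are true at the first scan and the first-out is a three-way tie. The model is deliberately conservative: a panel that timestamps each input at its own input stage can do better than a pure scan, but only if that timestamping runs faster than the inter-trip interval, which is the same constraint.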
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between the Automatic Load Controller and the Engine Control Panel SHALL convey the start demand signal as a hardwired 24VDC contact closure signal, with a maximum impedance of 500 ohms in the signal path, a maximum latency of 10 milliseconds from ALC output to ECP input, and SHALL be routed via physically separate cable from all other instrumentation circuits. Rationale: Derived from SUB-REQ-001. Hardwired contact closure rather than serial communications eliminates the risk of software protocol failure blocking the start signal. 24VDC is the nuclear site standard control voltage. 500 ohm impedance limit is derived from ECP relay input sensitivity specification. Physical cable separation prevents a single instance of cable damage from defeating the start signal and another control circuit at the same time (common-cause failure). | Test | interface, starting-control, sil-3, session-574, idempotency:ifc-alc-ecp-start-demand-574 |
| IFC-REQ-002 | The interface between the Engine Control Panel and the Compressed Air Starting System SHALL use a 24VDC solenoid valve signal, with the start air solenoid valve rated for a minimum of 10,000 operating cycles, an opening time not exceeding 100 milliseconds, and shall fail-closed (de-energise to close) on loss of control power. Rationale: Derived from SUB-REQ-002. Fail-closed solenoid valve ensures that loss of control power does not inadvertently vent air receivers (loss of start capability). 100ms opening time contributes to the overall start sequence timing budget. 10,000 cycle rating covers monthly testing over a 30-year plant life with margin. 24VDC aligns with site-standard control voltage. | Test | interface, starting-control, sil-3, session-574, idempotency:ifc-ecp-cass-solenoid-574 |
| IFC-REQ-003 | The interface between the Isochronous Governor System and the Diesel Engine Subsystem SHALL provide dual independent magnetic pick-up speed sensors (minimum 60-tooth gear, 24VDC excitation) with a signal separation of at least 90mm between sensor locations on the flywheel housing, and a fuel rack actuator interface delivering 0–100% fuel position at a slew rate not less than 100%/second. Rationale: Derived from SUB-REQ-003 (3-second recovery) and SUB-REQ-004 (independent overspeed trip). Dual sensors with physical separation prevent common-cause sensor failure from eliminating both speed feedback paths simultaneously. 100%/second fuel rack slew rate is the minimum required to achieve 3-second load recovery: full-rack excursion must complete within the first 1.5s of the 3-second window. | Test | interface, starting-control, sil-2, session-574, idempotency:ifc-gov-engine-speed-574 |
| IFC-REQ-004 | The interface between the Generator Protection Relay and the Main Generator Circuit Breaker SHALL transmit the generator trip signal as a hardwired 110V DC signal held energised during normal operation (de-energisation causes breaker to open — fail-safe), with the trip initiating breaker opening within 10 milliseconds of signal de-energisation, and the trip circuit monitored continuously for open-circuit faults. Rationale: Normally-energised hardwired trip circuit is the standard nuclear fail-safe scheme: loss of supply or open-circuit in the trip wiring causes a trip, preventing relay failure from resulting in an unprotected generator. 110V DC is the customary trip-circuit voltage in UK utility and nuclear switchgear practice. Continuous monitoring detects latent open-circuit faults before demand. | Test | interface, electrical-protection-and-switchgear, sil-3, session-575, idempotency:ifc-gpr-mgcb-trip-signal-575 |
| IFC-REQ-005 | The interface between the Voltage Sensing and Monitoring Unit and the Generator Protection Relay SHALL provide analogue voltage measurement signals as 4-20mA loops (4mA = 0V, 20mA = 120% nominal voltage), one channel per measurement point, with cable screening and maximum loop resistance of 500 ohms, and signal latency not exceeding 20 milliseconds. Rationale: 4-20mA analogue loop is the standard industrial measurement interface because the living-zero at 4mA allows open-circuit and short-circuit faults to be distinguished from zero-voltage readings, preventing false LOOP detection. 20ms latency is required to ensure the VSMU signal reaches the GPR within the overall 80ms fault detection budget. | Test | interface, electrical-protection-and-switchgear, sil-2, session-575, idempotency:ifc-vsmu-gpr-voltage-signals-575 |
| IFC-REQ-006 | The interface between the Automatic Load Controller and the Safety Bus Transfer Contactor SHALL transmit the bus transfer command as a hardwired 24V DC pulsed signal (50ms minimum pulse width), with contactor position status returned as volt-free contacts (normally-open closed when contactor closed) to the ALC and Engine Control Panel within 50 milliseconds of position change. Rationale: Hardwired pulsed command with position feedback provides closed-loop verification of transfer completion required by the SIL 3 function. 50ms position feedback latency allows the ALC to confirm transfer within the 150ms total transfer window (SUB-REQ-012) with margin for re-command if the first attempt fails. Volt-free contacts isolate the switchgear from the control system ground reference. | Test | interface, electrical-protection-and-switchgear, sil-3, session-575, idempotency:ifc-alc-sbtc-bus-transfer-575 |
| IFC-REQ-007 | The 24VDC supply powering the Automatic Load Controller hardwired interface circuits (start demand, bus transfer command, and status return circuits) SHALL be sourced from a dedicated, seismically-qualified, Class 1E battery-backed 24VDC distribution panel, rated to supply the interface load with supply voltage maintained within 22V to 28VDC for a minimum of 2 hours following loss of normal 415V AC supply. Rationale: IFC-REQ-001 and IFC-REQ-006 specify 24VDC hardwired interface signals. The UHT classification of this interface as Powered (bit 4) indicates a power source dependency that has no corresponding requirement. For a SIL 3 safety function, the power supply must be Class 1E (nuclear safety-related), seismically qualified, and battery-backed to ensure the LOOP detection and bus transfer interfaces remain operable following the initiating event (loss of offsite power). Without this constraint, the ALC interfaces could lose power at precisely the moment they are needed. The 2-hour duration aligns with STK-REQ-002 (168-hour operation) and the initial battery buffer required during EDG start-up. | Test | session-576, qc, alc-interface, power, class1e, idempotency:edg-ifc-alc-24vdc-power-supply-session576 |
| IFC-REQ-008 | The interface between the Fuel Injection System and the Fuel Oil System SHALL deliver diesel fuel at a supply pressure of 3 to 6 bar and a maximum temperature of 40°C at the injection pump inlet, with a fuel return line capable of handling full bypass flow at back-pressure below 0.5 bar. Rationale: Injection pump manufacturers specify a minimum supply pressure to ensure adequate priming and prevent vapour lock, and a maximum temperature to avoid thermal degradation of seals and injection timing drift. The return line back-pressure limit prevents pressure buildup in the Fuel Oil System that could affect day-tank float valve operation. Interfaces with IFC-REQ-003 governor actuator: fuel quantity is metered after supply, so supply pressure stability directly affects governed output power. | Test | interface, diesel-engine-subsystem, sil-2, session-578, idempotency:ifc-fuel-injection-fuel-oil-578 |
| IFC-REQ-009 | The interface between the Engine Block and Rotating Assembly and the Alternator Subsystem SHALL be a rigid flanged coupling rated for the full engine peak torque including a 120% transient overload margin, with a lateral critical speed at least 20% above the maximum continuous operating speed of 1500 RPM. Rationale: The shaft coupling is the primary mechanical energy transfer path between the EDG's two major subsystems; undersized coupling would fail on load acceptance transients (SYS-REQ-007 load blocks), causing EDG loss at the moment of greatest safety need. The 20% critical speed separation margin prevents resonant vibration during speed excursions from 1500 RPM that occur during load steps and governor correction. | Inspection | interface, diesel-engine-subsystem, sil-2, session-578, idempotency:ifc-engine-block-alternator-coupling-578 |
| IFC-REQ-010 | The interface between the Diesel Engine Subsystem and the Cooling System SHALL maintain engine jacket water inlet temperature between 70°C and 85°C at rated load, and SHALL reduce charge air temperature from turbocharger outlet to below 45°C at the Turbocharger and Charge Air System intercooler outlet under all load conditions from 25% to 110% rated power. Rationale: The jacket water temperature range is the operating window specified by diesel engine manufacturers to maintain thermal efficiency and prevent cold corrosion (below 70°C) or component overheating (above 85°C). The charge air temperature limit below 45°C before the intake manifold prevents knock and allows the engine to produce full rated power — elevated charge air temperature reduces air density and thus maximum power output, risking inability to meet SYS-REQ-001 rated voltage at full load. | Test | interface, diesel-engine-subsystem, sil-2, session-578, idempotency:ifc-diesel-engine-cooling-system-578 |
| IFC-REQ-011 | The interface between the Engine Parameter Sensor Array and the Protective Trip Logic Unit SHALL use dual 4-20mA current loops per parameter, with loop supply voltage of 24VDC plus or minus 10%, maximum loop impedance 500 ohms, and open-circuit and short-circuit detection on each loop within 500 milliseconds. Rationale: 4-20mA current-loop standard (IEC 60381-1) is noise-immune over cable runs to 100m without shielding correction, suitable for the EDG building environment (EMC Class C per IEC 61326). Dual-loop architecture is the SIL-2 hardware redundancy. Loop fault detection within 500ms keeps the single-point vulnerability window below the 1s channel-fault detection budget of SUB-REQ-033. | Test | interface, monitoring-and-instrumentation, sil-2, session-588, idempotency:ifc-epsa-ptlu-588 |
| IFC-REQ-012 | The interface between the Protective Trip Logic Unit and the Engine Control Panel SHALL use hardwired de-energised-to-trip (open contact = shutdown initiated) relay contacts rated 24VDC 2A minimum, one contact per trip function (oil pressure, high coolant temp, overspeed, vibration, channel fault), with each contact driving directly into the Engine Control Panel shutdown input circuit without logic interposing. Rationale: Hardwired relay contacts eliminate any software path between the SIL-2 PTLU and the engine shutdown actuator. The contacts are normally-open contacts held closed by an energised relay (de-energise-to-trip), so loss of power to the PTLU opens them and initiates shutdown rather than silently removing protection. No interposing logic means no additional software common-cause failure path between measurement and actuation, which is a fundamental IEC 61508 requirement for hardwired safety functions. | Test | interface, monitoring-and-instrumentation, sil-2, session-588, idempotency:ifc-ptlu-ecp-588 |
| IFC-REQ-013 | The interface between the Protective Trip Logic Unit and the Remote Monitoring Gateway SHALL transmit discrete status signals (running, trip, alarm, channel fault, test mode) via optically isolated contacts rated 24VDC, and analogue retransmission signals for engine speed, coolant temperature, and lube oil pressure via 4-20mA outputs, with a maximum transmission latency of 2 seconds from parameter change to gateway output. Rationale: Optically isolated discrete contacts prevent electrical coupling from the non-nuclear I&C system into safety circuits. 2-second latency is acceptable for control room monitoring (not relied on for protection). Analogue retransmission of the three highest-priority parameters gives operators actionable information during LOOP response without requiring direct access to safety system inputs. | Test | interface, monitoring-and-instrumentation, session-588, idempotency:ifc-ptlu-rmg-588 |
| IFC-REQ-014 | The interface between the Jacket Water Pump and the Radiator and Fan Assembly SHALL be a closed-circuit 50mm bore coolant pipe with maximum operating pressure of 1.8 bar gauge, rated for 100°C continuous, with isolation valves on inlet and outlet to permit radiator replacement without engine draining. Rationale: 50mm bore provides flow velocity within 2-3 m/s to prevent cavitation and noise. 1.8 bar matches the coolant header tank relief valve rating, ensuring the circuit does not exceed header tank relief. Isolation valves are required to maintain the 14-day major overhaul interval in SYS-REQ-010 without full coolant draining. | Inspection | interface, cooling-system, session-588, idempotency:ifc-jwp-rad-588 |
| IFC-REQ-015 | The interface between the Day Tank and the Fuel Injection System SHALL supply diesel fuel at a gauge pressure of 0.3 to 0.7 bar (gravity head from tank mounting height) and a temperature of 5°C to 45°C, with a volumetric flow capacity equal to 110% of maximum engine fuel consumption at full rated load, via BS EN 10255 pipework and flexible compensator connections at the engine interface. Rationale: 0.3-0.7 bar gravity head range is set by the day tank mounting height (3.0-7.0m above the engine fuel pump inlet, typical EDG building arrangement). 110% capacity margin ensures no flow restriction even at maximum engine fuel demand plus filter pressure drop. Temperature limits derive from BS EN 590 A2 diesel fuel specification and engine manufacturer fuel inlet requirements. | Test | interface, fuel-oil-system, sil-2, session-590, idempotency:ifc-day-tank-injection-590 |
| IFC-REQ-016 | The interface between the Fuel Transfer Pump Set and the Day Tank SHALL deliver fuel at a nominal flow rate of no less than 150% of rated engine fuel consumption at full load, at a maximum discharge pressure not exceeding the Day Tank overflow return pressure setting, with the fill line terminated at or below the High (H) level set-point to prevent turbulence-induced air entrainment. Rationale: 150% of rated consumption flow ensures the day tank refill transient completes within the 30-minute window specified in SUB-REQ-042, even if one pump is operating in degraded condition. Maximum pressure limit protects the day tank shell (typically 0.5 bar design pressure) from pump shutoff head. Terminating the fill line below the liquid surface prevents air entrainment and fuel foaming that could starve the engine supply. | Test | interface, fuel-oil-system, sil-2, session-590, idempotency:ifc-transfer-pump-day-tank-590 |
| IFC-REQ-017 | The interface between the Fuel Oil System level switches (Day Tank LL, L, H, HH and Bulk Tank L, LL) and the Local Alarm and Indication Panel SHALL use volt-free relay contacts rated for 24VDC at 0.5A minimum, with normally-energised (fail-safe) contact arrangement such that loss of supply to any level switch de-energises the contact and presents the same alarm state as the critical low-level condition. Rationale: Volt-free contacts are the standard nuclear plant interface for field devices to safety-system alarm panels (eliminating ground loop and common-mode noise paths). Normally-energised fail-safe arrangement means cable break or instrument loss of power presents as a low-level alarm rather than a false normal reading — this is a standard nuclear safety instrumentation design principle ensuring failures are revealed, not hidden. | Test | interface, fuel-oil-system, monitoring-and-instrumentation, sil-2, session-590, idempotency:ifc-fuel-level-laip-590 |
| IFC-REQ-018 | The interface between the Voltage Sensing and Monitoring Unit and the Automatic Voltage Regulator SHALL provide a 4-20mA analogue signal representing the generator terminal voltage from 0% to 120% of rated voltage, with signal linearity ±0.3% of full scale, isolated to 500V DC (isolation class per IEC 61010-1), and with a signal update rate no slower than 20ms to enable AVR excitation response within the required transient regulation timescale. Rationale: 4-20mA is the standard nuclear instrumentation interface (IEC 61010-1 isolation protects AVR electronics from HV terminal faults). ±0.3% linearity is required to maintain ±0.5% steady-state voltage regulation (the VSMU signal linearity budget must be less than the voltage regulation requirement). 20ms update rate is derived from the AVR control loop bandwidth needed to achieve 3-second transient recovery per SUB-REQ-046. | Test | interface, alternator-subsystem, electrical-protection-and-switchgear, sil-2, session-590, idempotency:ifc-vsmu-avr-signal-590 |
| IFC-REQ-019 | The mechanical interface between the Diesel Engine Subsystem crankshaft flange and the Synchronous Generator Assembly drive-end shaft SHALL use a rigid disc-pack torsional coupling rated for the full generator rated torque plus a 100% transient overload factor, with torsional natural frequency of the coupled shaft system verified by analysis to be outside the critical speed ranges 0-100 RPM and 2800-3200 RPM (governed speed range ±10%), per ISO 14694 coupling acceptance criteria. Rationale: Torsional critical speed analysis per ISO 14694 is the primary verification deliverable: the analysis must produce a Campbell diagram demonstrating that the coupled shaft torsional natural frequencies lie outside both 0-100 RPM and 2800-3200 RPM exclusion zones across all engine operating modes. The 100% torque overload factor (coupling rated at 2× continuous torque) accommodates MGCB trip transients producing a torque spike to twice rated torque; without this margin, disc-pack fatigue crack initiation is credible within 10,000 start cycles. Failure mode: disc-pack fatigue fracture produces torsional shock load transmitted to both crankshaft and generator shaft, with potential for bearing damage and stator misalignment — the safe state is immediate engine trip via vibration monitoring with post-failure inspection before restart. The analysis report, coupling data sheet confirming Nm rating and stiffness, and acceptance sign-off against ISO 14694 Table 1 criteria constitute the verification evidence package required before first start. | Analysis | interface, alternator-subsystem, diesel-engine-subsystem, sil-2, session-590, idempotency:ifc-engine-alternator-coupling-590, red-team-session-609, rt-resolved-session-611 |
| IFC-REQ-020 | The interface between the Generator Stator Winding and Thermal Protection PT100 RTDs and the Protective Trip Logic Unit SHALL use a 3-wire PT100 connection with individually screened cables (screen earthed at the PTLU end only), providing ±2°C measurement accuracy over 0°C to 200°C range, with open-circuit and short-circuit diagnostics in the PTLU input module detecting wiring faults within 5 seconds and presenting a defined fail-safe state (alarm, not spurious trip) on instrument fault detection. Rationale: 3-wire PT100 connection eliminates lead resistance error that would compromise ±2°C accuracy. Single-end screen earthing prevents ground loops that cause common-mode interference. Fail-to-alarm (not spurious trip) on instrument fault is the design principle for protective monitoring: an instrument fault should alert the operator to investigate, not unnecessarily trip the EDG during a nuclear emergency. 5-second fault detection is consistent with the M&I PTLU response specification in SUB-REQ-031. RTD: Resistance Temperature Detector. | Test | interface, alternator-subsystem, monitoring-and-instrumentation, sil-2, session-590, idempotency:ifc-stator-rtd-ptlu-590, tech-author-session-613 |
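The living-zero argument of IFC-REQ-005 and the dual-loop channel-fault handling of IFC-REQ-011, as an added example that is not code from this report: a decoder that turns loop current into an engineering value or a named loop fault, and a 1oo2D vote over the two loops feeding the Protective Trip Logic Unit in which a faulted channel is excluded and alarmed, and loss of both channels is itself a trip (the 'channel fault' contact of IFC-REQ-012). The fault thresholds follow the common NAMUR NE43 convention (below 3.6 mA fault low, above 21 mA fault high); the engineering range, trip setpoint, discrepancy limit and sample readings are assumptions.

```python
# Added example (not from the UHT report): decoding of the 4-20 mA living-zero
# loops in IFC-REQ-005 and IFC-REQ-011 and a 1oo2D vote over the dual loops
# feeding the Protective Trip Logic Unit. Fault thresholds follow the common
# NAMUR NE43 convention (<3.6 mA fault low, >21 mA fault high); engineering
# ranges, trip setpoints and the sample readings are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class LoopState(Enum):
    OK = "ok"
    OPEN_CIRCUIT = "open circuit / fault low (<3.6 mA)"
    SHORT_CIRCUIT = "short circuit / fault high (>21 mA)"
    UNDER_RANGE = "under range (3.6-3.8 mA)"
    OVER_RANGE = "over range (20.5-21 mA)"


@dataclass(frozen=True)
class Reading:
    state: LoopState
    value: Optional[float]        # engineering units, None when the loop is faulted


def decode_loop(i_ma: float, lo: float, hi: float) -> Reading:
    """Map loop current to engineering units over lo..hi. The 4 mA living zero
    lets a broken or shorted loop be told apart from a genuine zero reading."""
    if i_ma < 3.6:
        return Reading(LoopState.OPEN_CIRCUIT, None)
    if i_ma > 21.0:
        return Reading(LoopState.SHORT_CIRCUIT, None)
    value = lo + (hi - lo) * (i_ma - 4.0) / 16.0
    if i_ma < 3.8:
        return Reading(LoopState.UNDER_RANGE, value)
    if i_ma > 20.5:
        return Reading(LoopState.OVER_RANGE, value)
    return Reading(LoopState.OK, value)


@dataclass(frozen=True)
class Decision:
    trip: bool
    reason: str
    alarms: Tuple[str, ...]


def vote_1oo2d(a: Reading, b: Reading, setpoint: float, low_trip: bool,
               discrepancy: float) -> Decision:
    """1oo2D: either healthy channel may trip; a channel that is not OK is
    excluded from the vote and raises an alarm; loss of both channels is a
    trip in its own right (de-energise-to-trip on the 'channel fault' contact)."""
    def demands(r: Reading) -> bool:
        return (r.value < setpoint) if low_trip else (r.value > setpoint)

    channels = (("A", a), ("B", b))
    healthy = [(n, r) for n, r in channels if r.state is LoopState.OK]
    alarms = tuple(f"channel {n}: {r.state.value}" for n, r in channels
                   if r.state is not LoopState.OK)
    if not healthy:
        return Decision(True, "channel fault: both loops faulted", alarms)
    if len(healthy) == 2 and abs(a.value - b.value) > discrepancy:
        # Both loops read, but disagree: alarm for investigation, do not trip on it.
        alarms += (f"channel discrepancy {abs(a.value - b.value):.2f}",)
    trippers = [n for n, r in healthy if demands(r)]
    if trippers:
        mode = "1oo2" if len(healthy) == 2 else "1oo1 (degraded)"
        return Decision(True, f"{mode}: channel {'/'.join(trippers)} demands trip", alarms)
    return Decision(False, "healthy", alarms)


# Assumed lube oil pressure loop: 4-20 mA spans 0-10 bar, low trip at 2.0 bar,
# discrepancy alarm when the two loops differ by more than 0.5 bar.
OIL_RANGE = (0.0, 10.0)
OIL_LOW_TRIP_BAR = 2.0
OIL_DISCREPANCY_BAR = 0.5


def oil_pressure_decision(i_a_ma: float, i_b_ma: float) -> Decision:
    a = decode_loop(i_a_ma, *OIL_RANGE)
    b = decode_loop(i_b_ma, *OIL_RANGE)
    return vote_1oo2d(a, b, OIL_LOW_TRIP_BAR, True, OIL_DISCREPANCY_BAR)


if __name__ == "__main__":
    for currents in ((12.0, 12.2), (6.4, 6.6), (2.1, 12.0), (2.1, 6.4), (2.1, 22.0), (12.0, 14.0)):
        print(currents, oil_pressure_decision(*currents))
```

Two points the table rows state but the code makes concrete: a loop reading 2.1 mA is reported as an open circuit and excluded, not read as 0 bar and tripped on (which would be a spurious trip caused by a cable fault), and the decision is still 1oo1 on the surviving loop, so protection is retained while the alarm tells the operator the redundancy is gone.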
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | The Starting and Control Subsystem architecture SHALL implement a four-component decomposition (Automatic Load Controller, Engine Control Panel, Compressed Air Starting System, Isochronous Governor System) with a documented SIL boundary separating the software-intensive ALC (SIL-3 dual-channel) from the hardwired relay-based ECP protection trips (IEC 61513 Category A), and the compressed air starting system SHALL provide a minimum of 3 complete start attempts without recharge. Rationale: A single integrated controller would require the entire control system to be qualified to SIL-3, increasing design and qualification cost disproportionately. Separation to distinct components allows each to be qualified to its own SIL by function. Compressed air starting is selected over electric starting because it provides starting capability even with battery depletion, addressing H-001 (Failure to start on demand). | Inspection | architecture, starting-control, session-574, idempotency:arc-starting-control-574 |
| ARC-REQ-002 | ARC: Electrical Protection and Switchgear Subsystem — four-component protection architecture driven by nuclear safety bus transfer requirements. The subsystem is decomposed into: Generator Protection Relay (numerical multifunction relay providing 87G/51/27/59/32/40/81 functions), Main Generator Circuit Breaker (vacuum/SF6 breaker providing electrical isolation), Safety Bus Transfer Contactor (automatic bus transfer on LOOP), and Voltage Sensing and Monitoring Unit (dual-channel redundant voltage measurement). This decomposition separates the sensing/logic (VSMU+GPR) from the switching/actuation (MGCB+SBTC) chains to allow independent SIL verification and prevent common-cause failure across the protection and switching paths. Alternative decompositions combining the relay and sensing function were rejected because the GPR's own CT and VT inputs measure at the generator terminals and cannot provide the bus-level voltage sensing needed for LOOP detection threshold logic — a separate VSMU preserves independent measurement. Rationale: Architecture decision records decomposition rationale for the EPS subsystem, capturing the sensing/switching separation driven by SIL independence requirements per IEC 61508 (Functional safety of E/E/PE safety-related systems). | Inspection | architecture, electrical-protection-and-switchgear, session-575, idempotency:arc-electrical-protection-switchgear-575 |
| ARC-REQ-003 | ARC: Diesel Engine Subsystem — five-component architecture (Engine Block and Rotating Assembly, Fuel Injection System, Lubrication and Bearing System, Turbocharger and Charge Air System, Engine Exhaust and Silencing System). The lubrication system is architecturally separated from the engine block because low oil pressure is a hardwired SIL-2 safety trip — isolating it as a discrete component enforces a clean boundary between the engine mechanical functions and the safety-critical shutdown path. The turbocharger is separated from the engine block because it has independent failure modes (bearing failure, surging, seizure) that require distinct monitoring, and its charge air cooler is thermally coupled to the Cooling System rather than the engine block. Fuel injection is separated because the fuel rack actuator forms the physical interface with the Isochronous Governor System (Starting and Control Subsystem), making it the critical performance boundary for start-time compliance. The exhaust system is included as a distinct component because seismic restraint and back-pressure constraints affect EDG building design independently of the engine internals. Rationale: Decomposing into five components reflects the actual failure mode independence and SIL boundary requirements of the system. A single-component 'diesel engine' would obscure the lubrication trip path (safety-critical) and governor interface (performance-critical), making requirements traceability impossible and qualification scope ambiguous. | Inspection | architecture, diesel-engine-subsystem, session-578, idempotency:arc-diesel-engine-578 |
| ARC-REQ-004 | ARC: Monitoring and Instrumentation Subsystem — four-component architecture (Engine Parameter Sensor Array, Protective Trip Logic Unit, Local Alarm and Indication Panel, Remote Monitoring Gateway). The critical architectural choice is the separation of the SIL-2 Protective Trip Logic Unit from the non-safety Local Alarm and Indication Panel. The PTLU uses hardwired 1oo2D voting with de-energise-to-trip architecture per IEC 61508, ensuring that sensor failures or control system faults cannot prevent a safety shutdown. The Remote Monitoring Gateway provides one-way data flow to the control room with optical isolation, preventing any back-path from the non-nuclear I&C network into the safety-classified protection circuits. The sensor array uses dual-channel redundant 4-20mA loops to allow single-channel failure detection without loss of protection. Rationale: Separation of safety and non-safety I&C functions follows nuclear defence-in-depth principles and IEC 61513 (Nuclear power plants - instrumentation, control and electrical power systems). Hardwired trip paths prevent software-common-mode failure from defeating the safety function. One-way gateway isolation prevents cyber back-path from non-nuclear I&C into SIL-2 circuits. | Inspection | architecture, monitoring-and-instrumentation, session-588, idempotency:arc-monitoring-instrumentation-588 |
| ARC-REQ-005 | The Cooling System architecture SHALL implement a five-component decomposition (Jacket Water Pump, Radiator and Fan Assembly, Thermostat Valve, Coolant Header Tank, Intercooler) where the Jacket Water Pump is engine-shaft-driven (not electrically powered), the Thermostat Valve is mechanical wax-element type with no electrical actuation, and the Radiator fan motor is powered from the emergency bus at 415V; the Coolant Header Tank SHALL provide sufficient makeup capacity to compensate for normal evaporative losses during 168 hours of continuous operation. Rationale: Engine-shaft-driven pump eliminates electrical power dependency for cooling during LOOP, addressing H-006 (Cooling system failure). Mechanical thermostat removes the control system from the cooling circuit, preventing common-cause failure between a control system fault and cooling trip. Emergency bus fan power ensures cooling continues when normal 415V supplies are absent. | Inspection | architecture, cooling-system, session-588, idempotency:arc-cooling-system-588 |
| ARC-REQ-006 | The Fuel Oil System architecture SHALL implement a gravity-feed day tank elevated to provide fuel to the injection system without pump support, with bulk external storage connected via buried pipework with cathodic protection, and duty/standby 415V AC motor-driven transfer pumps; the day tank elevation SHALL provide positive static head of not less than 2m at the injection pump inlet under all normal fuel level conditions. Rationale: Gravity feed eliminates an electrically-powered dependency on the fuel supply path, addressing H-005 (Fuel contamination/exhaustion). Bulk external storage satisfies EDG room fire load limits per ONR TAST guidance. Duty/standby pump redundancy achieves a lower PFD than a single high-integrity pump, and because 415V gear pumps are commercially available with short lead times it also reduces both cost and delivery risk. | Analysis | architecture, fuel-oil-system, session-590, idempotency:arc-fuel-oil-system-590 |
| ARC-REQ-007 | The Alternator Subsystem architecture SHALL implement a brushless salient-pole synchronous generator with static Automatic Voltage Regulator (AVR) and Permanent Magnet Generator (PMG)-fed pilot excitation; the PMG SHALL provide excitation independently of alternator terminal voltage to ensure reliable voltage build-up from zero-volts condition within the 10-second LOOP start sequence. Rationale: Brushless excitation eliminates carbon brush and slip ring maintenance (typically required every 1,000-2,000h) and removes debris contamination risk in the nuclear building — ONR preferred arrangement for safety-qualified generators on UK licensed sites. Static AVR provides faster voltage recovery than rotating or AC compound excitation on block load application, critical for LOOP re-energisation where the EDG must accept large block loads within 10 seconds. PMG pilot exciter ensures excitation remains available during terminal voltage collapse. | Analysis | architecture, alternator-subsystem, session-590, idempotency:arc-alternator-subsystem-590 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-REQ-001 | Verify IFC-REQ-001: Apply a simulated LOOP condition at the ALC input. Measure voltage at the ECP relay input terminal within a 10 ms window using a calibrated oscilloscope. Pass criteria: signal present ≥19.2V (80% of 24VDC) within 10ms, signal path resistance ≤500Ω measured with 4-wire method, cable physically routed in dedicated conduit confirmed by inspection. Rationale: Integration test verifying the hardwired start demand interface at the system boundary. Direct measurement of contact closure voltage and latency at ECP terminals is the only method that confirms actual cable routing, contact wetting, and latency under realistic conditions. | Test | verification, starting-control, session-574, idempotency:ver-ifc001-574 |
| VER-REQ-002 | Verify IFC-REQ-002: Energise and de-energise start air solenoid valve 20 times. Measure opening time with pressure transducer downstream of valve. Remove control power and confirm valve closed position. Pass criteria: opening time ≤100ms in all cycles, fail-closed confirmed on power removal, cycle count ≥20 with no mechanical degradation observed. Rationale: Test verifies solenoid valve opening latency and fail-safe behaviour at the air system boundary. Pressure transducer measurement directly confirms opening time in the pneumatic circuit rather than inferring it from the electrical signal alone. | Test | verification, starting-control, session-574, idempotency:ver-ifc002-574 |
| VER-REQ-003 | Verify IFC-REQ-003: Apply step load change from 0 to 50% rated power to EDG at rated speed. Record speed transient and fuel rack position on data logger at 100 Hz. Measure gap between dual MPU sensor positions on flywheel housing. Pass criteria: speed recovery to ±1% rated within 3 seconds, fuel rack slew rate ≥100%/s confirmed from data log, MPU sensor separation ≥90mm confirmed by direct measurement. Rationale: Governor-engine interface verification requires an actual load step test to confirm combined governor and actuator dynamic response. Static bench testing of the fuel actuator alone does not verify end-to-end latency including mechanical linkage and engine response. | Test | verification, starting-control, session-574, idempotency:ver-ifc003-574 |
| VER-REQ-004 | Verify SYS-REQ-001 and SYS-REQ-003 end-to-end: Simulate LOOP condition by dropping Class 1E bus voltage to 0V. Record time from voltage drop to EDG breaker close command (GCB close) and to voltage/frequency within tolerance on safety bus. Pass criteria: GCB close command issued within 10 seconds, safety bus voltage 390–441V (415V ±6%) and frequency 49.5–50.5 Hz (50 Hz ±1%) within 12 seconds, no Class 1E protection trips during load pickup. Rationale: End-to-end system integration test exercising the complete start chain from LOOP detection through EDG run-up to Class 1E load pickup. This is the primary system-level acceptance test for the emergency power function and cannot be decomposed into subsystem tests because timing dependencies span component boundaries. | Test | verification, system, sil-3, session-574, idempotency:ver-e2e-start-574 |
| VER-REQ-005 | Verify SUB-REQ-009: Inject a simulated 87G differential fault condition into the Generator Protection Relay secondary test terminals at 3× rated current differential, and measure time from fault injection to trip signal output using a 1ms resolution timer. Test at no-load, 50% rated, and 110% rated conditions. Pass: trip signal issued within 80ms in all three test conditions. Rationale: Secondary injection testing is the accepted method for numerical relay protection function verification per IEC 60255 (Measuring relays and protection equipment). Testing at three load points confirms load-independence of the trip time. | Test | verification, electrical-protection-and-switchgear, sil-3, session-575, idempotency:ver-sub-req-009-575 |
| VER-REQ-006 | Verify SUB-REQ-013: With MGCB in the closed position, issue a close command to the SBTC and measure time from command to mechanical interlock engagement using a proximity sensor. Repeat with SBTC closed and issue close command to MGCB. Pass: interlock prevents closure in both cases within 10ms; no voltage appears on the opposing device close coil circuit. Rationale: Direct physical test of the hardwired interlock is required to confirm the mechanical and electrical interlock functions independently of any software logic, as mandated by the SIL 3 classification for this protection function. | Test | verification, electrical-protection-and-switchgear, sil-3, session-575, idempotency:ver-sub-req-013-575 |
| VER-REQ-007 | Verify IFC-REQ-004: De-energise the 110V DC trip circuit supply and measure time from de-energisation to MGCB open position using a 1ms timer. Introduce a deliberate open-circuit fault in the trip wiring and verify the trip circuit monitoring alarm is raised on the Engine Control Panel within 60 seconds. Pass: MGCB opens within 10ms of de-energisation; alarm raised within 60 seconds of open-circuit insertion. Rationale: Tests both the fail-safe trip function and the continuous monitoring capability of the trip circuit. 60-second monitoring detection time is consistent with periodic self-test interval requirements for SIL 3 systems under IEC 61508 proof test interval calculations. | Test | verification, electrical-protection-and-switchgear, sil-3, session-575, idempotency:ver-ifc-req-004-575 |
| VER-REQ-008 | Verify IFC-REQ-006 and SUB-REQ-012 combined: Simulate a LOOP event at the ALC input and measure total time from ALC bus transfer command output to contactor closed position confirmation signal received at ALC. Repeat 10 times. Pass: position feedback received within 150ms in all 10 attempts; volt-free contact continuity confirmed on ECP mimic. Rationale: Combined test exercises both the ALC-SBTC interface (IFC-REQ-006) and the transfer completion timing requirement (SUB-REQ-012). Ten repeat tests provide statistical confidence in the timing margin without requiring full endurance testing at this stage. | Test | verification, electrical-protection-and-switchgear, sil-3, session-575, idempotency:ver-ifc-req-006-combined-575 |
| VER-REQ-009 | Verify IFC-REQ-005: Connect a calibrated current source to the VSMU 4-20mA output loop and apply 4mA (0V), 12mA (60% nominal), 16mA (100% nominal), and 20mA (120% nominal) signals. Measure GPR input voltage displayed against injected current at each point. Introduce an open circuit and confirm GPR receives <4mA (fault detection). Pass: accuracy within ±2% at each calibration point; open-circuit detected within 20ms. Rationale: Calibration injection test verifies the 4-20mA interface accuracy and the living-zero fault detection capability of IFC-REQ-005. The 20ms detection time is verified against the VSMU-GPR signal latency budget. | Test | verification, electrical-protection-and-switchgear, sil-2, session-575, idempotency:ver-ifc-req-005-575 |
| VER-REQ-010 | Verify IFC-REQ-008: Connect calibrated fuel pressure and temperature measurement at injection pump inlet during engine run-up from idle to full rated load. Record supply pressure and temperature at 25%, 50%, 75%, and 100% load. Pass criteria: pressure remains 3–6 bar and temperature remains below 40°C at all load points. Verify return line back-pressure below 0.5 bar using inline pressure gauge. Rationale: Fuel supply interface parameters must be verified under real operating load conditions, not bench test, because Fuel Oil System pump output varies with demand and engine-room temperature affects fuel temperature. Test at four load points covers the full EDG operating range. | Test | verification, diesel-engine-subsystem, session-578, idempotency:ver-ifc-008-578 |
| VER-REQ-011 | Verify IFC-REQ-009: Commission a lateral critical speed analysis (torsional vibration analysis) of the engine-alternator coupled shaft system using manufacturer rotor data and coupling stiffness. Pass criteria: lowest lateral critical speed is greater than 1800 RPM (20% above 1500 RPM). Also inspect coupling flange bolt torque after 100-hour endurance run and confirm no fretting or micro-movement. Rationale: Critical speed analysis is required by design before assembly because it cannot be safely tested by overspeed (doing so risks destructive resonance). The post-run inspection confirms that the coupling torque margin is adequate for transient load conditions experienced during acceptance test. | Analysis | verification, diesel-engine-subsystem, session-578, idempotency:ver-ifc-009-578 |
| VER-REQ-012 | Verify IFC-REQ-010: Instrument jacket water inlet temperature and charge air outlet temperature during full-rated-load endurance run at ambient temperature design maximum. Record temperatures at steady-state 25%, 50%, 75%, and 100% rated load, and during a step load acceptance from 0 to 100% rated. Pass criteria: jacket water inlet 70–85°C and charge air outlet below 45°C at all steady-state load points and within 60 seconds of step load application. Rationale: Cooling interface verification requires sustained load conditions because coolant temperatures take several minutes to stabilise; spot checks or bench tests do not capture steady-state thermal equilibrium. Step load test confirms the intercooler transient response is sufficient to prevent charge air temperature exceedance during sudden load acceptance. | Test | verification, diesel-engine-subsystem, session-578, idempotency:ver-ifc-010-578 |
| VER-REQ-013 | Verify SUB-REQ-019: With engine running at rated speed, progressively restrict oil supply to reduce oil pressure. Measure elapsed time from 2.0 bar threshold crossing to shutdown signal on ECP. Pass criteria: shutdown signal asserted within 1.5 seconds of threshold crossing on three consecutive tests. Also verify trip independence: with governor control channel disabled, confirm trip still operates. Rationale: SIL-2 safety function requiring measured response time under controlled conditions. The three-test repeatability requirement provides statistical confidence without excessive engine risk. Governor channel independence test confirms the SIL-2 diversity requirement between control and safety trip paths is maintained. | Test | verification, diesel-engine-subsystem, sil-2, session-578, idempotency:ver-sub-019-578 |
| VER-REQ-014 | Verify SUB-REQ-020: With the engine at no-load, manually actuate the mechanical overspeed trip device and confirm fuel rack physically disengages to zero-fuel position within 0.5 seconds of actuation. Confirm actuation is not affected by governor control power removal. Pass criteria: fuel rack at zero-fuel position confirmed by physical inspection within 0.5 seconds and engine speed drops to zero within 30 seconds. Rationale: Mechanical overspeed trip must be verified by direct actuation rather than overspeed run to avoid damaging the engine or alternator. The fuel rack physical position check confirms the mechanical linkage is functional, independent of any electronic indication that might mask a failure. Governor power removal test confirms independence from electronic systems. | Test | verification, diesel-engine-subsystem, sil-2, session-578, idempotency:ver-sub-020-578 |
| VER-REQ-015 | Verify end-to-end Diesel Engine Subsystem integration: Start EDG from cold standby condition (coolant at preheat temperature, fuel system primed). Record time from start signal to rated shaft speed (1500 RPM ±15 RPM). Apply 100% rated load in single step. Record time to re-stabilise to rated speed within ±0.5%. Pass criteria: rated speed reached in 8 seconds or less; frequency re-stabilised within 3 seconds of 100% load step. Rationale: End-to-end integration test exercises all five diesel engine components simultaneously and provides system-level evidence that the combined subsystem meets SYS-REQ-001 and SYS-REQ-003. The 8-second target for the diesel provides 2-second margin for the ALC and switchgear actions within the 10-second system start requirement. | Test | verification, diesel-engine-subsystem, sil-2, session-578, idempotency:ver-diesel-engine-integration-578 |
| VER-REQ-016 | Verify SUB-REQ-001: With EDG in standby and offsite power connected, simulate a Class 1E bus voltage loss by tripping the upstream transformer protection relay. Record time from voltage collapse to ALC start demand signal assertion. Pass criterion: start demand asserted within 200ms in each of 10 consecutive trials, with no spurious start demands over a 24-hour standby observation period. Rationale: SUB-REQ-001 is a SIL-3 requirement for the critical LOOP detection function. The 200ms timing criterion is the ALC sub-budget from SYS-REQ-003. Ten consecutive trials provide statistical confidence in consistent detection performance. The 24-hour standby observation tests for spurious start demand generation, which could cause unplanned EDG starts and nuclear safety bus disturbance. | Test | verification, starting-control, sil-3, session-587, idempotency:ver-sub-req-001-587 |
| VER-REQ-017 | Verify SUB-REQ-002: With compressed air receivers fully charged, perform 3 complete cranking cycles at maximum cranking duration (as specified by the engine manufacturer) in immediate succession without recharging. Confirm engine reaches cranking speed during each cycle and that receiver pressure remains above the minimum cranking pressure limit at the end of the third cycle. Pass criterion: 3 consecutive full-duration cranks completed with terminal receiver pressure above the minimum cranking threshold. Rationale: SUB-REQ-002 is the compressed air energy storage requirement for the Starting and Control Subsystem. Three consecutive cranking attempts without recharging is the design basis for the nuclear class emergency start scenario, where AC power to recharge the air receivers may not be available. The pass criterion confirms the stored energy budget is sufficient for the worst-case start sequence. | Test | verification, starting-control, sil-3, session-587, idempotency:ver-sub-req-002-587 |
| VER-REQ-018 | Verify SUB-REQ-003: With the EDG running at rated speed and connected to a resistive load bank, apply step load changes from 25% to 75% and 75% to 25% rated load. Log governor output and engine speed at 100ms sample rate for 30 seconds following each step change. Pass criterion: steady-state speed deviation does not exceed ±7.5 RPM from 1500 RPM after the transient recovery period; transient recovery to within ±1% within 3 seconds of the load step. Rationale: SUB-REQ-003 specifies the steady-state governor accuracy that determines output frequency compliance for safety bus consumers. The ±0.5% (±7.5 RPM) limit maintains generator frequency within the ±2% system tolerance. Load step testing is the standard commissioning verification for isochronous governor performance per BS 5514 (Reciprocating internal combustion engines) and IEC 60034-3 generator specifications. | Test | verification, starting-control, sil-3, performance, session-587, idempotency:ver-sub-req-003-587 |
| VER-REQ-019 | Verify SUB-REQ-015: Induce a simulated internal self-test failure in the Generator Protection Relay by interrupting the watchdog keep-alive signal. Measure time from watchdog timeout to MGCB trip coil energisation and relay-failed alarm assertion at ECP. Pass criterion: MGCB trip coil energised within 500ms of watchdog timeout; relay-failed alarm asserted within the same 500ms window; MGCB opens and generator output de-energises within the circuit breaker interrupting time. Rationale: SUB-REQ-015 is a SIL-3 safe-state requirement. The Generator Protection Relay must fail to the safe state (generator disconnected) on internal failure, not to a stuck-at-normal state that could leave an unprotected generator connected to the safety bus. The 500ms timing criterion and MGCB trip verification demonstrate compliance with the IEC 61508 (Functional safety of E/E/PE safety-related systems) fail-safe requirement. | Test | verification, electrical-protection-and-switchgear, sil-3, session-587, idempotency:ver-sub-req-015-587 |
| VER-REQ-020 | Verify SUB-REQ-016: With the EDG running at rated speed and no-load, interrupt the governor processor watchdog keep-alive path. Measure time from watchdog interrupt to governor fuel rack command reaching 0% (fuel-off). Monitor engine speed to confirm shutdown initiates. Pass criterion: fuel rack command reaches 0% within 100ms of watchdog interrupt; engine decelerates below 50% rated speed within 30 seconds confirming fuel cut-off is effective. Rationale: SUB-REQ-016 is a SIL-3 fail-safe requirement for the overspeed protection path. The governor watchdog is the last line of electronic defence against uncontrolled engine acceleration in the event of governor processor failure. The 100ms watchdog timeout is derived from the overspeed detection time budget in the engine safety case. Testing must confirm both the timing criterion and the effectiveness of fuel cut-off in achieving engine shutdown. | Test | verification, starting-control, sil-3, session-587, idempotency:ver-sub-req-016-587 |
| VER-REQ-021 | Verify IFC-REQ-007: With normal 415V AC supply removed, confirm the 24VDC Class 1E distribution panel switches to battery supply. Measure terminal voltage at the ALC hardwired interface terminals at 15-minute intervals for 2 hours. Apply the rated interface load (start demand, bus transfer command, and all status return circuits simultaneously) throughout. Pass criterion: terminal voltage remains within 22V to 28VDC for the full 2-hour duration under rated interface load. Rationale: IFC-REQ-007 defines the Class 1E power supply interface that maintains ALC hardwired functions during loss of offsite power. The 2-hour battery endurance is the design-basis mission duration for post-accident EDG operation. Supply voltage limits of 22–28VDC ensure correct logic threshold levels for all hardwired circuits. This is an integration test verifying the interface between the 24VDC panel and the ALC under design-basis conditions. | Test | verification, starting-control, sil-3, session-587, idempotency:ver-ifc-req-007-587 |
| VER-REQ-022 | Verify SUB-REQ-031: With the EDG running at rated speed and a calibrated signal injector on each sensor channel, step the injected oil pressure signal below 2.5 bar and record the time from threshold crossing to relay contact opening at the Engine Control Panel input. Pass criterion: trip output achieved within 200ms on 10 successive trials; no false trip occurs on the healthy channel when one channel is held above threshold. Rationale: Direct measurement of trip time under controlled conditions with calibrated injection is the only method providing traceability to the 200ms requirement. Testing 10 successive cycles provides statistical confidence at SIL 2 PFD level. Single-channel tolerance test verifies the 1oo2D voting architecture. | Test | verification, monitoring-and-instrumentation, sil-2, session-588, idempotency:ver-sub031-ptlu-trip-588 |
| VER-REQ-023 | Verify SUB-REQ-032: With the EDG running and M&I system energised, reduce the 110VDC supply to the Protective Trip Logic Unit to 85VDC using a variable DC source and record the time from 88VDC threshold to de-energisation of all trip relay contacts. Pass criterion: all trip contacts de-energise within 100ms; engine shutdown initiates; no contacts remain energised when supply is at 0VDC. Rationale: Power-loss safe-state test must be performed with a controlled voltage ramp to verify the exact threshold and response time. Testing to 0VDC verifies complete de-energisation and prevents latent partial energisation failures. | Test | verification, monitoring-and-instrumentation, sil-2, session-588, idempotency:ver-sub032-safe-state-588 |
| VER-REQ-024 | Verify IFC-REQ-011: With the M&I system energised from 24VDC supply, apply open-circuit and short-to-supply faults to each sensor loop in turn and verify: (a) fault annunciation on Local Alarm and Indication Panel within 500ms; (b) trip function on the unfaulted channel remains operative; (c) fault condition clears upon loop restoration. Pass criterion: all 10 fault conditions detected and annunciated within 500ms with no spurious trip on healthy channel. Rationale: Fault injection tests must be performed per channel to verify the 1oo2D diagnostic coverage claim. Testing all 10 sensor channels (5 parameters × 2 channels) is required for SIL 2 independent channel validation. | Test | verification, monitoring-and-instrumentation, sil-2, session-588, idempotency:ver-ifc011-epsa-ptlu-588 |
| VER-REQ-025 | Verify IFC-REQ-012: With the EDG stopped, energise each PTLU trip relay in turn and measure contact resistance (pass: below 0.1 ohm). With contacts energised and a 24VDC 2A load applied, de-energise each relay and verify the ECP shutdown input circuit receives the de-energise signal within 50ms. Pass criterion: all contacts operate within specification; no logic device is in series between PTLU contacts and ECP input terminals (verified by circuit topology inspection). Rationale: Hardwired interface verification requires both electrical measurement and topology inspection to prove no software path exists between PTLU and ECP. Contact resistance measurement confirms integrity. Topology inspection is a mandatory Inspection verification step for safety-classified hardwired circuits per BS IEC 61511-1. | Test | verification, monitoring-and-instrumentation, sil-2, session-588, idempotency:ver-ifc012-ptlu-ecp-588 |
| VER-REQ-026 | Verify CS cooling capacity (SUB-REQ-038): Run EDG at 100% rated load for 4 hours at 38°C ambient. Record coolant outlet temperature at 30-minute intervals. Pass criterion: coolant outlet temperature stabilises below 92°C and does not trend upward after 2 hours; radiator fan runs continuously without thermal overload trip. Rationale: 4-hour run is sufficient to achieve thermal equilibrium (typically within 45 minutes). 38°C represents a conservative sub-maximum ambient test condition achievable in the UK climate during summer surveillance testing. Stability criterion distinguishes genuine steady-state from transient cooldown. | Test | verification, cooling-system, session-588, idempotency:ver-cs-capacity-588 |
| VER-REQ-027 | Verify SUB-REQ-040: Fill the Day Tank to High (H) level, stop the Fuel Transfer Pump Set, run the EDG at 100% rated load, and measure elapsed time to Low-Low (LL) level activation. Pass criterion: LL activation no sooner than 8 hours from test start. Verify tank volume markings on level gauge correspond to calculated 8-hour consumption volume at rated specific fuel consumption. Record test as witnessed test in EDG commissioning certificate. Rationale: Direct measurement of tank endurance at full load is the only reliable acceptance criterion — analysis of tank volume and fuel consumption alone does not capture real-world effects of temperature variation, pump cycling, and fill-pipe backflow. | Test | verification, fuel-oil-system, sil-2, session-590, idempotency:ver-sub040-day-tank-590 |
| VER-REQ-028 | Verify SUB-REQ-042: With EDG running and Fuel Transfer Pump Set in automatic, drain the Day Tank to below Low (L) set-point via test drain valve. Measure time from L contact actuation to duty pump motor start signal confirmation. Pass criterion: duty pump starts within 10 seconds. Manually trip duty pump and confirm standby pump starts within 10 seconds. Measure time to fill Day Tank from L to H level at rated EDG fuel consumption drain rate. Pass criterion: L to H fill completed within 30 minutes. Rationale: Auto-start timing and fill rate are safety-functional behaviours that cannot be verified by inspection or analysis alone; full end-to-end test with the EDG running is required to account for actual pipeline losses and pump performance at operating temperature. | Test | verification, fuel-oil-system, sil-2, session-590, idempotency:ver-sub042-pump-autostart-590 |
| VER-REQ-029 | Verify IFC-REQ-015: With EDG running at 100% rated load, install calibrated pressure gauges at the fuel inlet to the Fuel Injection System. Record pressure and flow rate over a 30-minute run. Pass criterion: pressure remains 0.3-0.7 bar gauge throughout; flow rate equals or exceeds 110% of rated specific fuel consumption. Repeat with the filter element loaded to 0.3 bar DP (simulated blockage condition) and confirm pressure stays above 0.3 bar. Rationale: Interface compliance must be verified under load and at worst-case filter condition (0.3 bar DP blockage alarm). Gravity-head pressure depends on tank level, which varies during operation — measurement at both H and L tank levels confirms the full operating range is maintained within specification. | Test | verification, fuel-oil-system, sil-2, session-590, idempotency:ver-ifc015-day-tank-pressure-590 |
| VER-REQ-030 | Verify IFC-REQ-017: With the Day Tank and Bulk Tank level instruments energised from 24VDC, verify each level switch (Day Tank LL, L, H, HH and Bulk Tank L, LL) presents a normally-energised volt-free contact in the normal state. Disconnect instrument supply to one level switch and confirm the LAIP shows the critical alarm state (not de-energised/healthy). Pass criterion: LAIP displays low-level alarm within 5 seconds of supply loss to any field instrument. Rationale: 100ms first-out display latency is required because nuclear EDG protective trip chains can produce cascading secondary trips within 200–500ms of the initiating event (e.g., low oil pressure initiates followed by overspeed as the engine governor reacts): if the LAIP (Local Alarm and Indication Panel) display latency exceeds the inter-trip interval, the displayed first-out may incorrectly show a secondary trip as the initiating cause. IEC 62138 (Software for computers important to safety for nuclear power stations) and NUREG/CR-6572 guidance for nuclear annunciation systems establish ≤100ms as the required maximum response time for first-out discrimination. ONR inspection requirements for nuclear EDGs specify that first-out identification must be unambiguous for both surveillance testing post-trips and licensing event reports. The 500ms value in the superseded SUB-REQ-035 was insufficient to meet this discrimination requirement. Supersedes SUB-REQ-035. | Test | verification, fuel-oil-system, sil-2, session-590, idempotency:ver-ifc017-level-laip-590, tech-author-session-613 |
| VER-REQ-031 | Verify SUB-REQ-046: With EDG running at rated speed and connected to a programmable load bank, apply a steady-state resistive load of 100% rated kVA and measure terminal voltage for 10 minutes. Pass criterion: voltage deviation from set-point less than ±0.5%. Then apply a 40% kVA step load increase and measure peak transient deviation and recovery time. Pass criterion: peak deviation within ±6% of rated, recovery to within ±2% within 3 seconds. Rationale: Steady-state test at full load provides direct evidence of regulation under the worst-case sustained condition. Step-load test reproduces the block-load application scenario from SYS-REQ-007. Both tests must be performed at rated power factor (0.8 lagging) to exercise the AVR's reactive power control loop. | Test | verification, alternator-subsystem, sil-2, session-590, idempotency:ver-sub046-avr-regulation-590 |
| VER-REQ-032 | Verify SUB-REQ-049: Start the EDG from cold standby with no pre-existing excitation supply (confirm PMG output is the only excitation source). At 95% rated engine speed, measure elapsed time to terminal voltage reaching within ±6% of rated. Record voltage trace during build-up and measure peak overshoot above rated voltage. Pass criterion: voltage within ±6% within 3 seconds of 95% speed threshold; overshoot less than 10% of rated voltage at any point during transient. Repeat 3 times to confirm repeatability. Rationale: Black-start voltage build-up must be demonstrated under real conditions because PMG magnetic saturation and AVR initial state affect the transient behaviour in ways that cannot be fully predicted by analysis alone. Three repeats are required to confirm reliability consistent with the safety-functional PFD requirement. | Test | verification, alternator-subsystem, sil-2, session-590, idempotency:ver-sub049-excitation-build-590 |
| VER-REQ-033 | Verify IFC-REQ-018: With EDG running at rated speed, apply known reference voltages from a calibrated voltage source to the VSMU input terminals at 0%, 25%, 50%, 75%, 100%, and 120% of rated terminal voltage. Measure the 4-20mA output at the AVR input connector. Pass criterion: measured current values within ±0.3% of the linear interpolated expected value at each reference point. Verify isolation by applying 500V DC between the 4-20mA signal circuit and earth and confirming insulation resistance exceeds 10 MΩ. Rationale: Six-point calibration check confirms linearity across the full operating range including the 120% overvoltage point that the AVR OEL must respond to. 500V isolation test demonstrates compliance with IEC 61010-1 requirements and confirms the cable screening is correctly earthed at one end only (a wiring error that would cause ground loop noise cannot be detected at DC but the isolation test would reveal un-screened conductors). | Test | verification, alternator-subsystem, sil-2, session-590, idempotency:ver-ifc018-vsmu-avr-590 |
| VER-REQ-034 | Verify IFC-REQ-020: With the EDG stopped, connect a calibrated resistance decade box in place of each PT100 RTD in turn and verify PTLU displays the correct temperature to within ±2°C at decade box settings corresponding to 20°C, 130°C, and 155°C. With the EDG running, open-circuit and short-circuit each PT100 in turn via test disconnect terminals and confirm: PTLU detects the instrument fault within 5 seconds and presents an alarm (not a trip) without de-energising the EDG. Pass criterion: instrument fault alarm generated within 5 seconds; EDG continues to run. Rationale: Resistance substitution test is the standard acceptance test for PT100 instrumentation channels (IEC 60751). The fault injection test is critical for confirming the fail-to-alarm (not spurious trip) design principle: an instrument cable fault during an active LOOP mission must not cause an unnecessary EDG trip. This test must be performed with the EDG running under load because some PTLU inputs behave differently when the trip logic chain is energised vs de-energised. | Test | verification, alternator-subsystem, sil-2, session-590, idempotency:ver-ifc020-stator-rtd-ptlu-590 |
| VER-REQ-035 | Verify SUB-REQ-051: With the EDG running at 50% load, disconnect the primary speed sensor channel. Confirm: (a) governed speed deviation does not exceed ±3% of rated 1500 RPM (i.e., stays within 1455–1545 RPM) during and after the transition, measured by the secondary channel and confirmed against the PTLU engine speed reading; (b) channel failure alarm annunciated on Local Alarm Panel within 2 seconds; (c) no engine trip occurs. Restore primary channel and confirm normal dual-channel operation resumes. Rationale: Fault injection test with the EDG running under load is required because governor channel behaviour under load differs from bench test. ±3% speed deviation tolerance corresponds to the ±1% frequency tolerance in SYS-REQ-001 plus a transient margin; testing at 50% load represents a worst-case governor response scenario due to the load-to-speed gain characteristic. | Test | verification, starting-and-control, sil-3, session-592, idempotency:ver-sub051-governor-redundancy-592 |
| VER-REQ-036 | Verify SUB-REQ-053: With the EDG running at 100% load and the duty fuel transfer pump active, simulate pump failure by closing the duty pump discharge isolation valve. Confirm: (a) standby pump starts within 30 seconds; (b) Day Tank level continues to rise (pump discharge pressure ≥0.8 bar on standby pump); (c) no interruption to engine fuel supply (engine continues to run). Restore duty pump and confirm automatic reversion or manual selection as per design intent. Rationale: Pump switchover test under full load is required because Day Tank level dynamics at rated fuel consumption are the most demanding test condition for the 30-second changeover criterion. Testing at 100% load confirms the standby pump delivery rate is sufficient when engine fuel consumption is highest. | Test | verification, fuel-oil-system, sil-2, session-592, idempotency:ver-sub053-fuel-pump-redundancy-592 |
| VER-REQ-037 | Verify SUB-REQ-055: Inspect IEC 60255-151 and IEC 60255-181 type-test certificates from an accredited test laboratory for the Generator Protection Relay prior to installation. Certificates must reference the specific relay type and firmware version to be installed. Pass criterion: certificates present, cover all required functions (over/under voltage, frequency), issued by UKAS-accredited body, dated within 5 years of installation date. Rationale: Type-test certificate inspection is the appropriate verification method for standard compliance of safety-classified protection relays — in-situ re-testing to IEC 60255 is not practicable on an energised generator. The 5-year certificate validity window aligns with typical relay firmware revision cycles that would invalidate earlier certificates. | Inspection | verification, electrical-protection-switchgear, sil-3, session-592, idempotency:ver-sub055-relay-standards-592 |
| VER-REQ-038 | Verify SUB-REQ-059: With the EDG disconnected from the safety bus (load bank connected), initiate test mode via key-switch on Engine Control Panel. Ramp EDG to 100% rated load on load bank. Confirm: (a) safety bus voltage remains within ±5% of nominal throughout the test; (b) test mode cannot be activated without the key-switch; (c) an attempt to initiate test mode with EDG connected to safety bus is rejected by the control logic. Duration: 2-hour full-load test. Pass criterion: safety bus unaffected, all control interlocks function correctly. Rationale: Operational testing verification must demonstrate the safety bus isolation function (not just EDG load performance) because the critical safety claim is that the test does not interrupt normal plant safety functions. The 2-hour test duration exceeds the monthly operational test duration requirement to provide margin. | Demonstration | verification, starting-and-control, sil-3, session-592, idempotency:ver-sub059-test-mode-592 |
| VER-REQ-039 | Verify SUB-REQ-004: With the EDG running at rated speed (1500 RPM), inject a simulated overspeed signal via the magnetic pick-up trip circuit input to exceed the 1650 RPM threshold. Measure elapsed time from threshold crossing to ECP fuel rack trip command using a high-speed data logger (≥1 kHz). Pass criterion: shutdown initiated within 500 ms on all 3 of 3 test runs. Verify the trip circuit is independent of the governor by disabling the governor processor and repeating the test. Rationale: SUB-REQ-004 is the primary overspeed protection function derived from SYS-REQ-004. The 500 ms criterion must be verified by direct injection test, not analysis, because it depends on hardware relay response time and cannot be analytically bounded without physical characterisation. Independence of the trip circuit from the governor must be confirmed by deliberate governor isolation. | Test | session-593, qc, verification, starting-control, idempotency:ver-sub-004-overspeed-trip-593 |
| VER-REQ-040 | Verify SUB-REQ-010: Commission a secondary injection test on the Generator Protection Relay overcurrent element (51/51N). Apply test currents at 110%, 150%, and 200% of rated current via a secondary injection test set and record measured operate times. Pass criterion: operate time at 200% rated current ≤200 ms; coordinate with the upstream breaker scheme per the site protection coordination study. Repeat the test for the neutral overcurrent element (51N) with asymmetric test current injection. Rationale: SUB-REQ-010 specifies 500 ms for terminal faults and 200 ms for through-faults at 200% rated. These time-current characteristics must be verified by secondary injection because relay coordination cannot be confirmed analytically without site-specific relay settings. The test validates both the timing and coordination compliance with the downstream protection scheme. | Test | session-593, qc, verification, electrical-protection, idempotency:ver-sub-010-gpr-overcurrent-593 |
| VER-REQ-041 | Verify SUB-REQ-024: With the EDG stopped and isolated from fuel, manually actuate the crankcase explosion relief valve and simultaneously measure propagation time from relief valve actuation sensor to ECP trip signal output. Pass criterion: trip signal generated within 2 seconds. Verify that the hardwired trip path is independent of engine management software by isolating the engine management ECU and repeating actuation test. Confirm trip signal is maintained for ≥5 seconds after actuation. Rationale: SUB-REQ-024 is a safety shutdown function for an extreme engine failure mode (crankcase explosion). The 2-second timing and software independence are fundamental to the safe state — a delayed or software-dependent trip could escalate a crankcase event. Physical actuation test is the only valid verification method; analysis cannot confirm hardware path integrity. | Test | session-593, qc, verification, diesel-engine, idempotency:ver-sub-024-crankcase-trip-593 |
| VER-REQ-042 | Verify SUB-REQ-033: With the EDG running at rated speed and the M&I system energised, simulate each sensor channel fault condition in turn — open circuit (disconnect 4-20mA loop), short to supply (force loop to >20mA), and out-of-range (force loop to <4mA or >21mA) — on each of the four critical parameter channels. Pass criterion: PTLU generates a channel-fault alarm to the Local Alarm and Indication Panel within 1 second of fault application on each test run. Verify the protection function on the healthy channel remains active throughout fault injection. Rationale: SUB-REQ-033 requires fault detection within 1 second with no inhibition of the healthy channel — these are quantified safety properties that must be tested under realistic fault conditions. Each fault mode (OC, S-supply, OOR) produces different loop current profiles; all three must be confirmed. Analysis cannot substitute because the detection algorithm depends on PTLU firmware implementation. | Test | session-593, qc, verification, monitoring-instrumentation, idempotency:ver-sub-033-ptlu-fault-detect-593 |
| VER-REQ-043 | Verify SUB-REQ-044: With the EDG stopped and fuel isolation valve in the open state, simulate a confirmed fire detection signal at the Fuel Supply Pipework and Valve Assembly fire detection input. Measure elapsed time from fire signal assertion to confirmed bulk isolation valve closure using a position transmitter on the valve stem. Pass criterion: valve fully closed within 10 seconds. Verify day tank gravity-feed path remains open throughout the test by confirming zero pressure drop on the day tank outlet line during the 10-second closure window. Rationale: SUB-REQ-044 is a fire safety mitigation function with a 10-second timing criterion. Late valve closure allows fire to propagate via bulk fuel supply. The day tank gravity-feed continuity condition is equally critical — closing bulk supply without confirming day tank path means the engine cannot be brought to controlled shutdown. Both must be verified by physical actuation test. | Test | session-593, qc, verification, fuel-oil, idempotency:ver-sub-044-fire-isolation-593 |
| VER-REQ-044 | Verify SUB-REQ-047: Using calibrated PT100 decade resistance boxes substituted for each stator winding PT100 RTD, simulate temperatures at 125°C, 130°C, 135°C, 155°C, and 160°C on each PT100 channel. Pass criteria: (a) PTLU generates alarm at ≤130°C threshold on each channel, (b) PTLU initiates protective trip at ≤155°C threshold on each channel, (c) PT100 signal accuracy within ±2°C of applied reference across 20–180°C by comparison with NAMAS-calibrated reference. Test each channel independently to verify no cross-channel interaction. Rationale: SUB-REQ-047 specifies alarm at 130°C and trip at 155°C with ±2°C accuracy — all three are quantified thresholds that must be verified by PT100 simulation. Stator thermal protection prevents insulation failure from overtemperature; incorrect trip thresholds could allow winding damage or cause spurious trips. Calibration traceability to NAMAS is required for Class 1E instrument validation on nuclear sites. | Test | session-593, qc, verification, alternator, idempotency:ver-sub-047-stator-thermal-593 |
| VER-REQ-045 | Verify SUB-REQ-058: With the Local Alarm and Indication Panel energised and all process instrument loops active, inject step-change signals at each alarm threshold for all monitored parameters. Pass criterion: alarm annunciation visible on the LAIP within 2 seconds of signal application on ≥10 consecutive injections per parameter. Verify EEMUA 191 compliance by inspection of the alarm management documentation, alarm priority schedule, and suppression control procedures. Verify alarm visibility during start-up and shutdown transients by running a complete start-stop cycle and confirming display continuity throughout. Rationale: SUB-REQ-058 specifies a 2-second alarm presentation criterion that must be confirmed by timed injection test — operator response to process alarms depends on prompt display. EEMUA 191 compliance requires documentary evidence of priority classification and suppression design. Testing during transients is essential because start/stop transients generate many out-of-range signals that could inhibit real alarms if suppression is misconfigured. | Test | session-593, qc, verification, monitoring-instrumentation, idempotency:ver-sub-058-alarm-timing-593 |
| VER-REQ-046 | Verify SUB-REQ-050: With the EDG at rated speed, simulate a GPR stator earth fault trip signal at the Alternator Subsystem input. Measure: (a) time from trip signal assertion to de-energisation of anti-condensation heaters (pass: ≤200ms), (b) time from trip signal to AVR voltage collapse (pass: ≤200ms). Using a clamp-on current sensor on the stator neutral connection, confirm zero stator current from both generator terminal side and excitation supply side within 200ms. Repeat ×3 and confirm consistent timing. Rationale: SUB-REQ-050 specifies 200ms isolation of both voltage sources from the stator winding after a GPR earth fault trip. This dual-path isolation timing is a measurable safety criterion that prevents continued fault current flow that could degrade stator insulation. Both heater and AVR de-energisation must be confirmed independently — failure of either leaves a voltage source on a faulted winding. | Test | session-593, qc, verification, alternator, idempotency:ver-sub-050-earth-fault-isolation-593 |
| VER-REQ-047 | Verify SUB-REQ-005: With the EDG in standby and the starting system functional, command 3 consecutive failed start attempts (simulate cranking timeout by inhibiting the speed feedback signal). Measure: (a) time from 3rd failed attempt to failed-to-start alarm assertion at the MCR (Main Control Room) (pass: ≤45 seconds from original start demand), (b) confirm automatic start is inhibited (apply a 4th start demand — EDG SHALL NOT start), (c) confirm latch releases only upon key-operated reset. Repeat ×3 and confirm consistent behaviour. Rationale: Simulating 3 consecutive cranking failures exercises the same logic path as genuine start failures. Inhibiting speed feedback isolates the test to starting-circuit logic without requiring manual engine immobilisation. The 45-second alarm latency is realistic given 3×15 s cranking cycles plus logic sequencing time, and is derived from SUB-REQ-005. The latch function prevents automatic start cycling during a sustained fault (e.g., frozen fuel at –20°C, fuel pickup line blockage) that would cycle-damage the battery and starter. ×3 repetitions are required to validate that the interlock state is consistent and not affected by prior test history or transient state. | Test | session-595, qc, verification, starting-control, idempotency:ver-sub-005-fts-latch-595, tech-author-session-613 |
| VER-REQ-048 | Verify SUB-REQ-006: Review the ALC hardware design documentation and software V&V report to confirm dual-channel 2oo2 voting architecture. Verify that: (a) channel independence is achieved by physically separate processing paths with no shared hardware between channels except the hardwired voting logic, (b) a single-channel hardware failure (simulated by removing power to one channel) does not produce a spurious start demand, (c) with one channel in a confirmed fail state, the ALC continues to process start demands through the healthy channel without generating a false start. Review IEC 61513 compliance assessment for the voting logic. Rationale: Verification of SUB-REQ-006 dual-channel 2oo2 architecture is achieved by inspecting the ALC hardware design documentation and software V&V report against IEC 61513 compliance checklist, and by simulating single-channel hardware failure to confirm no spurious start demand. The primary evidence is document review (Inspection); the channel isolation test provides corroborating evidence. Inspection is the appropriate IEC 61508 verification method for software-intensive voting architectures where the compliance argument is embodied in the design documentation. | Inspection | session-595, qc, verification, alc, sil-3, idempotency:ver-sub-006-alc-2oo2-595 |
| VER-REQ-049 | Verify SUB-REQ-007: With the EDG in standby, activate the key-operated inhibit switch at the local control panel. Confirm: (a) local indication illuminates within 2 seconds, (b) remote indication at MCR activates within 2 seconds, (c) apply a simulated LOOP signal — EDG SHALL NOT start automatically, (d) the inhibit state persists after simulated power cycling of the ALC, (e) rotating the key switch to normal and applying the LOOP signal causes the EDG to start normally. Inspect the wiring schematic to confirm the inhibit is implemented in hardwired logic, not software. Rationale: SUB-REQ-007 requires a hardwired key-switch inhibit to prevent unintended automatic starts during maintenance. The functional test confirms inhibit effectiveness and latch behaviour. The wiring inspection confirms the inhibit cannot be bypassed by a software failure, which is an IEC 61513 Class 1E requirement for maintenance override functions. | Test | session-595, qc, verification, alc, idempotency:ver-sub-007-alc-inhibit-595 |
| VER-REQ-050 | Verify SUB-REQ-008: With the EDG running in isochronous mode at rated load, operate the manual speed trim control at the local control panel. Confirm: (a) frequency is adjustable between 49 Hz and 51 Hz in 0.1 Hz increments (confirm step size with a calibrated frequency meter), (b) trim requires no power interruption or software modification, (c) issue a synchronise command and confirm frequency returns to 50.0 Hz ±0.1 Hz automatically within 5 seconds. Repeat frequency step verification at 3 separate load levels (25%, 50%, 100% rated). Rationale: SUB-REQ-008 requires operator-accessible frequency trimming without software modification for manual synchronisation. The demonstration at multiple load levels confirms the trim function is effective across the operating range and that the auto-revert on synchronise command prevents operator error leaving the EDG at an incorrect frequency when connecting to the safety bus. | Demonstration | session-595, qc, verification, governor, idempotency:ver-sub-008-gov-trim-595 |
| VER-REQ-051 | Verify SUB-REQ-011: Review the MGCB type test certificates to confirm short-circuit breaking capacity of ≥31.5 kA symmetrical (11kV) or ≥50 kA symmetrical (415V) as applicable to the site installation. Confirm breaker clearing time ≤20ms from trip coil energisation by manufacturer's type test data. Review BS EN 62271-100 (High-voltage switchgear and controlgear: alternating current circuit-breakers) type approval certificate for the equipment class installed. For site-specific installation, witness an operational trip test from the Generator Protection Relay trip output to confirm trip coil continuity and MGCB trip mechanism actuation. Rationale: SUB-REQ-011 sets the fault-clearing duty for the MGCB based on site short-circuit level. Type test certificates provide the primary verification of breaking capacity since site fault level testing at full prospective current is not practicable. The operational trip test confirms installed wiring integrity without requiring full current injection. | Test | session-595, qc, verification, mgcb, electrical-protection, idempotency:ver-sub-011-mgcb-595 |
| VER-REQ-052 | Verify SUB-REQ-012: With the EDG running at rated voltage and frequency, and the safety bus connected to the normal offsite supply, command the ALC to issue a bus transfer command. Measure: (a) time from transfer command signal (at ALC output terminal) to contactor position feedback (closed) at Engine Control Panel (pass: ≤150 ms), using a millisecond timer triggered on ALC output energisation and stopped on ECP feedback receipt. Repeat ×5 consecutive transfers and confirm all within 150 ms. Record mean and maximum transfer times. Rationale: SUB-REQ-012 sets the 150 ms safety bus transfer time to ensure safety system power is restored within the allowable interruption time for Class 1E equipment. The timed test directly measures the parameter. Repeating ×5 times provides statistical confidence that the timing is consistently met and not an isolated result. | Test | session-595, qc, verification, electrical-protection, bus-transfer, idempotency:ver-sub-012-bus-transfer-595 |
| VER-REQ-053 | Verify SUB-REQ-014: With the EDG running, inject a test voltage into one channel of the Voltage Sensing and Monitoring Unit such that channel 1 reads 5.1% above the nominal voltage while channel 2 reads nominal. Measure: (a) time from discrepancy injection to alarm at ECP (pass: ≤2 seconds), (b) confirm alarm indicates dual-channel discrepancy (not a trip). Repeat with channel 2 offset and channel 1 nominal. Confirm both channels process independently by reviewing the VSMU design documentation for separate signal conditioning paths. Rationale: SUB-REQ-014 requires dual-channel voltage monitoring with a 2-second discrepancy alarm to detect instrument failures before they propagate to incorrect relay trip decisions. The 5.1% injection (just over the 5% threshold) and timing test directly measures the alarm latency criterion. The documentation review confirms independent processing — a shared component failure could defeat the redundancy. | Test | session-595, qc, verification, electrical-protection, vsmu, idempotency:ver-sub-014-vsmu-595 |
| VER-REQ-054 | Verify IFC-REQ-013: With the EDG running, confirm optically isolated contact signal transmission from the Protective Trip Logic Unit to the Remote Monitoring Gateway. Test each status signal (running, trip, alarm, channel fault, test mode) by: (a) injecting the relevant PTLU output state and measuring the signal at the RMG input within 2 seconds, (b) measuring isolation between PTLU and RMG signal commons using a 500V insulation resistance meter (pass: ≥1 MΩ). For analogue retransmission: inject calibrated reference values at the EPSA outputs, confirm 4-20mA signal at RMG input for engine speed, coolant temperature, and lube oil pressure matches within ±2% of full scale, with maximum latency 2 seconds. Rationale: IFC-REQ-013 defines the signal protocol and latency for the PTLU-to-RMG interface. Testing with injected values and a timing measurement directly verifies both signal type (optically isolated contacts, 4-20mA) and the 2-second latency criterion. The isolation test confirms the 24VDC isolation required to prevent RMG-side faults from propagating to Class 1E PTLU circuits. | Test | session-595, qc, verification, monitoring, ptlu, idempotency:ver-ifc-013-ptlu-rmg-595 |
| VER-REQ-055 | Verify IFC-REQ-014: Inspect the Jacket Water Pump to Radiator and Fan Assembly pipework installation. Confirm: (a) pipe bore is 50mm nominal using measured internal diameter check, (b) maximum rated operating pressure is ≥1.8 bar gauge per nameplate and pressure test certificate, (c) pipe and fittings are rated for 100°C continuous per material specifications and weld inspection records, (d) isolation valves are installed on both inlet and outlet and can be closed and re-opened without coolant loss from the engine. Witness one isolation valve operation to confirm leak-free isolation. Review weld inspection certificates confirming rated temperature capability. Rationale: IFC-REQ-014 defines the mechanical interface between the jacket water pump and radiator, including bore size, pressure and temperature rating, and isolation valve provision for maintainability. Inspection of the installed pipework and pressure test certificate provides the primary verification — the dimensional and material requirements cannot be verified by functional test alone without risk of damage to the cooling circuit. | Inspection | session-595, qc, verification, cooling, ifc, idempotency:ver-ifc-014-jwp-rad-595 |
| VER-REQ-056 | Verify IFC-REQ-016: With the EDG running at 100% rated load (measuring fuel consumption at the engine fuel meter), confirm the Fuel Transfer Pump Set delivers ≥150% of measured fuel consumption into the Day Tank. Measure flow rate at the transfer pump discharge using a calibrated ultrasonic or turbine flow meter over a 15-minute run. Confirm fill line terminates below Day Tank High (H) level mark. Measure Day Tank pressure during pump operation to confirm delivery pressure does not exceed the overflow return setting. Record actual engine fuel consumption rate and transfer pump delivery rate. Rationale: IFC-REQ-016 sets a minimum 150% delivery margin to ensure the Day Tank cannot be depleted during continuous full-load operation. The flow meter test at full load directly measures compliance with the 150% margin. Confirmation that fill line terminates below High level prevents air entrainment in the fuel injection system, which could cause fuel quality degradation. | Test | session-595, qc, verification, fuel-oil, ifc, idempotency:ver-ifc-016-ftp-daytank-595 |
| VER-REQ-057 | Verify IFC-REQ-019: Review the torsional vibration analysis report for the diesel-generator coupled shaft system. Confirm: (a) calculated torsional natural frequencies are outside the critical ranges 0–100 RPM and 2800–3200 RPM, (b) the coupling is rated for the full rated torque plus 100% transient overload factor, (c) the analysis methodology complies with ISO 14694 (Industrial fans: requirements for balance quality and vibration levels) acceptance criteria, (d) coupling type is rigid disc-pack torsional. Review coupling manufacturer's type test data confirming rated torque capacity. Confirm no resonant peaks within ±10% of governed speed (1350–1650 RPM). Rationale: IFC-REQ-019 sets the torsional coupling requirements between engine and alternator. Analysis is the only practicable verification method for torsional natural frequencies — measurement during operation risks equipment damage if resonances are present. ISO 14694 compliance provides independent validation of the analysis method. | Analysis | session-595, qc, verification, mechanical, coupling, idempotency:ver-ifc-019-coupling-595 |
| VER-REQ-058 | Verify SUB-REQ-017: From cold standby, issue a start demand and measure: (a) time from start initiation to alternator output frequency reaching 50 Hz ±1% (pass: ≤10 seconds), (b) at the 10-second mark, confirm voltage and frequency are within specification under no-load conditions using calibrated panel meters. Test at ambient temperatures across the specified range (minimum specified ambient to maximum specified ambient). Record time-to-rated-speed for each test run. Rationale: SUB-REQ-017 sets the engine torque delivery requirement by specifying 50 Hz ±1% within 10 seconds under no-load, which is the precondition for load pickup in SUB-REQ-001. The timed test from cold standby directly measures whether the engine block and rotating assembly meet the acceleration requirement. Testing at temperature extremes confirms performance margin is maintained across the operating envelope. | Test | session-595, qc, verification, diesel-engine, idempotency:ver-sub-017-engine-torque-595 |
| VER-REQ-059 | Verify SUB-REQ-018: Conduct a 168-hour continuous load test at 100% rated load with all auxiliary systems within specified operating limits. Monitor at ≤1-hour intervals: engine load (kW), coolant temperature, lube oil pressure, fuel consumption rate, engine speed, generator output voltage and frequency. Pass criteria: no unplanned shutdown, all parameters within limits throughout, total fuel consumed ≤90% of available bulk storage (≥10% reserve confirmed by tank level gauge at test end), all alarm events logged and cleared. Rationale: Pass criteria must be binary and measurable. Replacing 'adequate fuel supply' with a specific ≥10% reserve threshold allows unambiguous pass/fail determination at test completion. The 168-hour test at 100% load is the primary verification method for SUB-REQ-018 endurance performance; IEC 61508 (Functional safety of E/E/PE safety-related systems) requires safety-critical performance to be demonstrated by test, not extrapolation. | Test | session-595, qc, verification, diesel-engine, endurance, idempotency:ver-sub-018-168hr-595 |
| VER-REQ-060 | Verify SUB-REQ-065: Review the Bulk Fuel Storage Tank design documentation. Confirm: (a) nominal tank capacity is declared in litres on the tank data sheet, (b) calculate 168h fuel consumption at rated load from engine test bed data sheet fuel consumption figure (litres/hour), (c) calculate required volume = 168h × consumption rate × 1.15 (for 115% factor), (d) confirm nominal tank capacity ≥ required volume. Verify the 115% factor breakdown (3% sump, 2% thermal expansion, 10% pump submersion) matches the installed design. Review calculation record against ENA TS 09-3 (Energy Networks Association Technical Specification: Diesel fuel storage) fuel system allowances. Rationale: SUB-REQ-065 sets the tank capacity as a calculated value from test bed fuel consumption data. Analysis of the calculation against the declared design data sheet is the correct verification method — volumetric capacity cannot be confirmed by functional test. The ENA TS 09-3 reference provides an independent standard for the 115% factor components. | Analysis | session-595, qc, verification, fuel-oil, idempotency:ver-sub-065-bulk-tank-595 |
| VER-REQ-061 | Verify SUB-REQ-064: With the EDG under test, run load acceptance steps at 25%, 50%, 75%, and 110% of rated load. At each step, measure: (a) turbocharger boost pressure against the engine manufacturer's performance map (pass: within ±5% of map value at the measured load point), (b) exhaust smoke level (pass: Bosch Smoke Number ≤3.0 at all load points), (c) absence of turbocharger surge (audible surge or inlet pressure oscillation >0.1 bar amplitude). Review turbocharger type approval certificate for surge margin at rated speed. Rationale: SUB-REQ-064 references the manufacturer's performance map as the defined acceptance criterion. The test directly compares measured boost pressure against the map at key load points. The Bosch Smoke Number criterion (≤3.0) is the industry-standard pass/fail for incomplete combustion. Turbocharger surge would indicate operation outside the compressor map, which is a precursor to compressor wheel damage. | Test | session-595, qc, verification, diesel-engine, turbo, idempotency:ver-sub-064-turbo-595 |
| VER-REQ-062 | Verify SUB-REQ-026: With the ALC supplied from 24VDC Class 1E bus, assert the LOOP input discrete by closing a calibrated relay contact. Measure elapsed time from contact closure to the ALC start-sequence output signal (starter motor energise command). Record using a data logger at 1ms resolution. Repeat 10 times. Pass criterion: all 10 measurements ≤200ms from contact closure to start command assertion. Rationale: SUB-REQ-026 allocates 200ms to the ALC detection and initiation step within the 500ms SYS-REQ-003 system budget. A 10-repeat relay injection test at 1ms resolution directly measures this timing allocation. Ten repeats confirm repeatability; a single-shot test would not distinguish a marginal design from a compliant one. SIL-3 requires Test verification for timing-critical functions. | Test | session-596, validation, starting-control, sil-3, idempotency:ver-sub026-alc-timing-596 |
| VER-REQ-063 | Verify SUB-REQ-027: Commission a seismic qualification analysis of the Diesel Engine Subsystem to IEEE 344 (Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations) using site-specific Floor Response Spectra (FRS) at the EDG building slab level derived from the site seismic hazard assessment. Analysis SHALL confirm that dynamic stresses in the engine block mountings, exhaust pipework hangers, and fuel injection system hold-down brackets remain below yield under SSE loading. Alternatively, witnessed shake-table test to the site FRS may be accepted as ONR-equivalent evidence. Pass criterion: qualified analysis report or shake-table test certificate accepted by ONR-approved Qualifying Engineer. Rationale: SUB-REQ-027 seismic qualification for a UK nuclear site is verified by inspecting the qualified seismic analysis report (to IEEE 344) or the witnessed shake-table test certificate issued by an ONR-approved Qualifying Engineer. The verification activity is review of a formal qualification document — Inspection is the correct IEC 61508 evidence type. Analysis is the technique used within the qualification report; the EDG project team inspects the results, not re-performs the analysis. | Inspection | session-596, validation, diesel-engine-subsystem, sil-3, seismic, idempotency:ver-sub027-seismic-qual-596 |
| VER-REQ-064 | Verify SUB-REQ-028: Subject the Isochronous Governor System and Engine Control Panel to BS EN IEC 61000-6-2 (Electromagnetic compatibility — Immunity for industrial environments) conducted and radiated immunity tests using UKAS-accredited test laboratory facilities. Additionally, subject the Automatic Load Controller and Generator Protection Relay to BS EN IEC 61000-6-7 (Electromagnetic compatibility — Immunity requirements for equipment intended to perform functions in a safety-related system) testing. Pass criterion: all equipment passes the relevant standard with no malfunction, spurious output, or mode change during test; test report issued by UKAS-accredited laboratory. Verify that ALC and GPR SIL-3 function (start initiation and protection trip) remains operational throughout all immunity test sequences. Rationale: SUB-REQ-028 requires EMC immunity compliance as a condition of maintaining SIL-3 function integrity. Third-party UKAS-accredited laboratory testing is the only accepted method for demonstrating compliance with IEC 61000-6-7 — analysis or inspection cannot substitute for radiated and conducted immunity testing. The explicit verification of SIL-3 function during testing goes beyond standard EMC compliance to confirm safety function availability under EMC stress. | Test | session-596, validation, starting-control, electrical-protection-and-switchgear, sil-3, emc, idempotency:ver-sub028-emc-compliance-596 |
| VER-REQ-065 | Verify SUB-REQ-056: Obtain the circuit breaker type test certificate from the manufacturer issued by a UKAS-accredited body. Review the certificate against BS EN 62271-100 (High-voltage switchgear and controlgear — AC circuit-breakers) or BS EN 61439-1 (Low-voltage switchgear and controlgear assemblies) as applicable to the rated voltage. Confirm the certificate covers: (a) rated breaking capacity (rms symmetrical short-circuit current) equal to or exceeding the site fault level, (b) short-time current withstand (rated duration, rated current), (c) electrical endurance class E2 (10,000 operating cycles). Pass criterion: valid type test certificate from UKAS-accredited body covering all three attributes, issued within 10 years of installation commissioning. Rationale: SUB-REQ-056 is a standards compliance requirement satisfied by type-test certification, not by repeat testing at site. Inspection of the manufacturer's type test certificate against the standard's requirements is the correct and accepted verification method for switchgear standards compliance. Re-testing at rated fault current on site would be destructive. The E2 class (10,000 cycles) aligns with the EDG's expected surveillance test frequency over a 40-year plant life. | Inspection | session-596, validation, electrical-protection-and-switchgear, sil-3, idempotency:ver-sub056-mgcb-type-cert-596 |
| VER-REQ-066 | Verify SYS-REQ-011: Commission an independent architectural safety analysis demonstrating that common-cause failure of both EDG trains does not prevent reactor core cooling. Analysis SHALL demonstrate: (a) physical and electrical separation between EDG Train A and Train B meeting ONR separation criteria, (b) diverse non-EDG AC supply exists (e.g., gas turbine, mobile generator) with startup time within station blackout DC battery coping window, (c) DC battery system autonomy ≥8 hours under station blackout load profile, (d) passive decay heat removal system is available without AC power and is not susceptible to EDG common-cause failure. Pass criterion: safety analysis accepted by ONR-licensed qualifying engineer, with no outstanding open items against IEC 61508-2 SIL-4 architectural constraints. Rationale: SYS-REQ-011 common-cause failure argument for SIL-4 is verified by inspecting the independent architectural safety analysis submitted to ONR. The verification team inspects the analysis methodology, separation evidence, and passive cooling arguments against IEC 61508-2 SIL-4 architectural constraints. The analysis is commissioned externally; the project team's role is Inspection of the resulting safety case document, not re-derivation of the analysis. | Inspection | session-596, validation, sil-4, ccf, station-blackout, safety, idempotency:ver-sys011-ccf-architecture-596 |
| VER-REQ-067 | Verify SUB-REQ-034: With the Remote Monitoring Gateway powered and connected to a simulated I&C network test port, transmit write commands, parameter set commands, and configuration change messages to the RMG Ethernet interface at 100% rated network load for 30 minutes. Monitor the PTLU side of the optical isolation barrier for any response, write acknowledgement, or parameter change. Pass criterion: zero write acknowledgements or parameter changes observed on the PTLU side during the 30-minute test; optical isolation resistance measured at >100MΩ between I&C network and PTLU circuits. Rationale: SUB-REQ-034 provides a one-way isolation barrier (RMG) between the I&C network and the SIL-2 PTLU — this is the primary mitigation for H-010 (Cyber attack) hazard. A functional penetration test confirming zero write-through is the only way to demonstrate the read-only isolation property. Isolation resistance measurement confirms the 1500Vrms optical barrier is intact. Test is required (not Analysis) because SUB-REQ-034 is a SIL-2 safety function claim. | Test | session-596, validation, monitoring-and-instrumentation, sil-2, cyber, idempotency:ver-sub034-rmg-isolation-596 |
| VER-REQ-068 | Verify SUB-REQ-025: With the EDG in standby mode, apply a simulated LOOP signal to the Automatic Load Controller input representing bus voltage drop below 80% of nominal. Measure the time from LOOP signal receipt to ALC initiating the diesel start signal. Verify the start signal is a hardwired relay output independent of any software path. Pass criterion: start signal initiated within 100ms of LOOP detection; signal path confirmed hardwired via relay contact verification. Rationale: SUB-REQ-025 is SIL-3 (H-001: Failure to start on demand). The LOOP signal processing is the triggering event for the entire EDG start sequence. A functional test with measured latency is mandatory for SIL-3 — analysis alone cannot demonstrate the hardwired independence claim. 100ms criterion is derived from the 10-second start budget (SYS-REQ-001). | Test | session-598, validation, starting-control, sil-3, idempotency:ver-sub025-598 |
| VER-REQ-069 | Verify SUB-REQ-062: With compressed air receivers at minimum pressure (25 bar gauge), perform 3 consecutive cranking cycles without recharging between attempts. Monitor air pressure after each cycle. After 3rd cycle, verify receiver pressure remains above 25 bar. Pass criterion: minimum 3 complete cranking cycles from 25 bar initial charge; air receiver pressure not below 25 bar after 3rd cycle. Rationale: SUB-REQ-062 is SIL-3 (H-001: Failure to start). The compressed air starting store is the primary start energy source — insufficient air pressure is a known EDG failure mode. Three-start minimum ensures the system can re-attempt after a wet-stack or failed start attempt without recharging. Minimum pressure threshold must be demonstrated by test per IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL-3 requirements. | Test | session-598, validation, starting-control, sil-3, idempotency:ver-sub062-598 |
| VER-REQ-070 | Verify SUB-REQ-039: With the EDG running at rated load, use an external calibrated temperature source to inject a simulated coolant outlet temperature above 95°C into the Protective Trip Logic Unit thermocouple input. Confirm the hardwired trip relay opens and the EDG trips to safe state within 2 seconds of the setpoint being exceeded. Pass criterion: EDG trip confirmed within 2 seconds; relay contact opening verified by independent contact state monitor. Rationale: SUB-REQ-039 is SIL-2 (H-006: Cooling system failure). The 95°C high-temperature trip is a primary mitigation for engine seizure. A functional injection test is required rather than analysis because the hardwired relay path must be proven end-to-end — software-based simulation cannot confirm the physical trip circuit. | Test | session-598, validation, cooling-system, sil-2, idempotency:ver-sub039-598 |
| VER-REQ-071 | Verify SUB-REQ-021: With the EDG running at 50% rated load, command a step demand change to 100% rated load via the governor. Measure the fuel rack position response time from command to full rack displacement using a calibrated position transducer. Perform 5 test runs. Pass criterion: fuel rack response within 200ms for all 5 runs; no hunting or instability observed over 30 seconds post-step. Rationale: SUB-REQ-021 is SIL-2 (H-003: Engine overspeed). Fuel rack response time is the primary control input affecting speed transient magnitude — a slow or oscillatory rack response leads to overspeed. The 200ms limit is derived from governor stability analysis; functional test is required to confirm real hardware meets the analytical model. | Test | session-598, validation, diesel-engine-subsystem, sil-2, idempotency:ver-sub021-598 |
| VER-REQ-072 | Verify SUB-REQ-041: Perform volumetric survey of Bulk Fuel Storage Tank at installation, confirming usable capacity not less than required for 168 hours of EDG operation at rated fuel consumption rate. Measure tank dimensions, calculate gross volume, deduct sump and unusable heel volumes. Pass criterion: confirmed usable volume ≥ (168h × rated fuel consumption rate l/h) with 10% margin. Rationale: SUB-REQ-041 is SIL-2 (H-005: Fuel contamination/exhaustion). Fuel volume is a physical measurement — Inspection (dimensional survey with calculation) is the appropriate method; continuous Test operation for 168h is not warranted. The 10% margin accounts for measurement uncertainty and unusable heel variation. | Inspection | session-598, validation, fuel-oil-system, sil-2, idempotency:ver-sub041-598 |
| VER-REQ-073 | Verify SUB-REQ-036: Perform seismic qualification testing per IEEE 344 (Recommended Practice for Seismic Qualification of Class 1E Equipment) by subjecting Engine Parameter Sensor Array and Protective Trip Logic Unit samples to the site Design Basis Earthquake (DBE) response spectrum. Following shake testing, perform a functional test: energise the sensors and verify that PTLU logic outputs respond correctly to simulated trip inputs. Pass criterion: PTLU and all sensors functional post-shake; no alarms due to seismic input alone. Rationale: SUB-REQ-036 is SIL-2 (H-008: Seismic damage). The I&C instruments protecting the EDG must survive the DBE to maintain safety function. Seismic qualification by test per IEEE 344 is the industry standard for nuclear Class 1E equipment; Analysis alone is not acceptable for SIL-2 safety instruments. | Test | session-598, validation, monitoring-and-instrumentation, sil-2, seismic, idempotency:ver-sub036-598 |
| VER-REQ-074 | Verify SUB-REQ-030: Connect calibrated reference instruments in parallel with the Engine Parameter Sensor Array 4-20mA dual-channel outputs for lube oil pressure, coolant temperature, and shaft speed. Run EDG at rated load for 30 minutes. Compare channel A vs channel B outputs at 1-minute intervals. Pass criterion: dual-channel output deviation ≤ 0.5% of full scale for all parameters; both channels independently trigger a simulated trip input at PTLU when setpoints are exceeded by injected fault signal. Rationale: SUB-REQ-030 is SIL-2 (H-006 and H-003). Dual-channel I&C is the primary diversity mechanism for safety parameter monitoring. A cross-comparison test validates channel independence and confirms both channels are able to initiate trips — Analysis cannot substitute for functional channel separation proof per IEC 61511 (Functional safety of safety-instrumented systems for the process industry sector). | Test | session-598, validation, monitoring-and-instrumentation, sil-2, idempotency:ver-sub030-598 |
| VER-REQ-075 | Verify SUB-REQ-054: With the EDG running at no-load and jacket water temperature pre-stabilised at preheat temperature (35°C ±5°C), apply a step load of 100% rated power. Record jacket water outlet temperature at 30-second intervals for 20 minutes post-load application. Pass criterion: coolant temperature reaches and stabilises within 70°C–88°C operational band within 10 minutes of full-load application; no overshoot above 95°C trip setpoint. Rationale: SUB-REQ-054 is SIL-2 (H-006: Cooling system failure). The cooling system response to cold-start/full-load is the worst-case thermal transient — the 95°C trip setpoint must not be exceeded during normal LOOP load pickup. Test under actual thermal conditions is required because cooling model uncertainties (thermostat hysteresis, airflow resistance) are too large to verify by Analysis alone. | Test | session-598, validation, cooling-system, sil-2, idempotency:ver-sub054-598 |
| VER-REQ-076 | Verify SUB-REQ-022: With the EDG running at rated speed and full load for 30 minutes (thermal steady state), measure charge air manifold pressure with a calibrated pressure transducer at the turbocharger outlet. Compare measured boost pressure against manufacturer rated boost pressure at 100% load. Pass criterion: measured charge air boost pressure within 5% of manufacturer's rated value; no surge or choke condition, and no surging noise, observed during rated load operation. Rationale: SUB-REQ-022 is SIL-2 (H-003: Engine overspeed via under-fuelling from inadequate air). Turbocharger boost pressure determines the air-fuel ratio at rated power. Insufficient boost causes either under-fuelling (output drop, possible LOOP fail) or rich-burn (black smoke, possible engine damage). Functional test at rated load conditions is the only way to confirm the real turbocharger matches the engine power curve — Analysis uses test data that may not reflect installation effects. | Test | session-598, validation, diesel-engine-subsystem, sil-2, idempotency:ver-sub022-598 |
| VER-REQ-077 | Verify SYS-REQ-012: Induce a non-trip fault in the Isochronous Governor System (simulated sensor failure causing governor to operate in degraded open-loop mode). Measure EDG electrical output power and frequency under 60% of rated load. Monitor for 2 hours. Confirm control room alarm received within 60 seconds of fault injection. Pass criterion: EDG sustains ≥60% rated power output; frequency within 50Hz ±2%; annunciation confirmed within 60 seconds of fault. Rationale: SYS-REQ-012 is SIL-2 (H-002: Loss of output during operation). The degraded mode requirement must be verified by inducing a representative non-trip fault and confirming minimum output is sustained. Analysis cannot verify the annunciation path or the minimum 60% power floor under degraded governor operation — physical test under actual fault conditions is required. | Test | session-598, validation, system, sil-2, degraded-mode, idempotency:ver-sys012-598 |
| VER-REQ-078 | Verify SYS-REQ-002: Run the EDG at rated load continuously for 168 hours. Monitor fuel consumption rate, coolant temperature, lube oil pressure, and bearing temperatures at 4-hour intervals. Pass criteria: no manual intervention required, all parameters remain within design limits throughout the full 168-hour period. Rationale: SYS-REQ-002 specifies a 168-hour minimum continuous run capability — IEC 60034 (Rotating electrical machines) and CEGB diesel generator requirements mandate endurance demonstration by full-duration test. Spot checks or extrapolation are not acceptable for this safety-critical performance requirement. | Test | verification, diesel-engine, sil-3, session-599, idempotency:ver-sys-req-002-endurance-599 |
| VER-REQ-079 | Verify SYS-REQ-004: Inject each trip condition in sequence (overspeed, low lube oil pressure, high coolant temperature, high exhaust temperature, overcurrent, earth fault) into the Protective Trip Logic Unit. Measure elapsed time from condition onset to fuel solenoid de-energisation and GCB trip. Pass criteria: trip execution ≤2 seconds for all conditions, GCB trips confirmed by relay test unit, engine decelerates to rest within 30 seconds. Rationale: SYS-REQ-004 specifies the safety trip response chain at SIL-3. IEC 61508 (Functional safety of E/E/PE safety-related systems) requires that SIL-3 safety functions be verified by Test with full stimulus-response measurement; Analysis alone cannot demonstrate the actual trip time for the hardware-in-the-loop trip path. | Test | verification, starting-control, sil-3, session-599, idempotency:ver-sys-req-004-trip-599 |
| VER-REQ-080 | Verify SYS-REQ-005: Perform reliability block diagram (RBD) and fault tree analysis (FTA) for the EDG system using failure rate data per IEC 61508 (Functional safety of E/E/PE safety-related systems) Annex B or plant-specific historical data (minimum 10-year dataset). Calculate PFD_avg across the 10-year surveillance interval with 24-month proof test interval. Pass criteria: calculated PFD_avg ≤1×10⁻³ per demand with 90% confidence bound; all failure mode assumptions documented and peer-reviewed. Rationale: PFD_avg reliability calculations are analytical computations (RBD, FTA), not documentary inspections. IEC 61508 (Functional safety of E/E/PE safety-related systems) Part 6 Annex B classifies probabilistic assessment as Analysis. Inspection applies to physical artefacts; Analysis applies to mathematical models and calculations. Updated from Inspection to Analysis. | Analysis | verification, system, session-599, idempotency:ver-sys-req-005-pfd-599, verifies-sil-3, session-604 |
| VER-REQ-081 | Verify SYS-REQ-006: Review the seismic qualification analysis report for all EDG building structural elements and mechanical equipment. Confirm analysis uses Design Basis Earthquake spectrum with 0.25g PGA at frequency range 1-33 Hz. Verify that natural frequencies of all EDG-mounted components are above 33 Hz or that dynamic amplification has been considered. Pass criteria: ONR-approved analysis report confirms ≥0.25g PGA survivability, all critical bolted connections torqued and lock-wired, no resonance peaks within EDG operational speed range. Rationale: SYS-REQ-006 seismic survivability to 0.25g PGA is verified by inspecting the ONR-approved seismic qualification analysis report. The report confirms Design Basis Earthquake spectrum compliance, natural frequency margins, and bolted connection adequacy. Inspection of an externally commissioned and independently approved analysis report is the appropriate verification method for structural seismic qualification on a UK nuclear licensed site. | Inspection | verification, system, sil-2, session-599, idempotency:ver-sys-req-006-seismic-599 |
| VER-REQ-082 | Verify SUB-REQ-023: With EDG in standby mode (heaters energised), measure jacket water temperature using calibrated thermocouple at engine inlet and outlet over a 72-hour period at minimum ambient temperature. Pass criteria: coolant temperature maintained ≥35°C continuously with no heater cycling gaps >30 minutes, start-to-rated transition completed within 10 seconds during any standby measurement window. Rationale: SUB-REQ-023 requires standby coolant pre-heat temperature maintenance for rapid start capability at SIL-2. Compliance cannot be demonstrated by analysis alone — the thermal lag of the cooling system depends on actual heat loss rates, heater capacity, and ambient temperature that must be measured in situ. | Test | verification, diesel-engine, sil-2, session-599, idempotency:ver-sub-req-023-standby-coolant-599 |
| VER-REQ-083 | Verify SUB-REQ-037: With engine at operating temperature (coolant 75-85°C), install calibrated ultrasonic flow meter on jacket water pump outlet. Measure flow rate at 100% rated engine load and at idle (600 RPM minimum). Pass criteria: flow ≥120 L/min at rated load, ≥60 L/min at idle; no cavitation noise detectable. Rationale: SUB-REQ-037 specifies minimum coolant flow for engine thermal management at SIL-2. Flow rate must be measured directly; pump curve analysis is insufficient because pipe losses and temperature-dependent viscosity affect actual delivered flow. In-situ measurement validates the installed configuration. | Test | verification, cooling-system, sil-2, session-599, idempotency:ver-sub-req-037-jw-flow-599 |
| VER-REQ-084 | Verify SUB-REQ-043: Sample fuel downstream of the Fuel Filtration Assembly during EDG operation at rated load. Analyse sample using ISO 4406 particle counting (optical). Pass criteria: ISO cleanliness code ≤16/14/11 (equivalent to <10 micron particles per IEC 60770 (Transmitters for use in industrial-process control systems) service class requirements), measured in three independent samples taken at 30-minute intervals. Rationale: SUB-REQ-043 specifies fuel cleanliness for fuel injection system protection at SIL-2. Filter ratings must be verified by downstream particle count, not upstream specification, as filter bypass or bypass valve operation can admit contaminated fuel. Direct measurement is required per BS EN ISO 16889 (Hydraulic fluid power — Filters). | Test | verification, fuel-oil-system, sil-2, session-599, idempotency:ver-sub-req-043-fuel-filter-599 |
| VER-REQ-085 | Verify SUB-REQ-045: Monitor Day Tank fuel temperature at minimum ambient winter conditions (site minimum -5°C, or use temperature-controlled test chamber). Confirm fuel heater maintains temperature ≥5°C after 12 hours exposure at minimum ambient. Pass criteria: fuel temperature ≥5°C throughout test with no fuel heater failures; if analysis-based, present validated thermal model with uncertainty bounds showing ≥5°C with 95% confidence. Rationale: SUB-REQ-045 requires fuel temperature ≥5°C at site minimum ambient. Verification requires physical measurement of fuel temperature at minimum ambient (−5°C or equivalent chamber test) over a 12-hour soak with the heater system active. This is a Test: quantified environmental condition applied, temperature measured at prescribed intervals, pass/fail against a numeric threshold. The analysis-based alternative (thermal model) is accepted only if the physical test is not practicable during commissioning; the primary verification method is Test. | Test | verification, fuel-oil-system, sil-2, session-599, idempotency:ver-sub-req-045-fuel-temp-599 |
| VER-REQ-086 | Verify SUB-REQ-048: Inject a simulated PT100 RTD resistance value equivalent to 91°C into the Protective Trip Logic Unit input for each generator bearing channel in turn. Verify alarm appears at local indication panel and control room annunciator within 5 seconds. Pass criteria: alarm triggered for all bearing channels at ≤91°C simulated temperature; no false alarms at 89°C; alarm latches correctly until acknowledged. Rationale: SUB-REQ-048 specifies the bearing high-temperature alarm at SIL-2. The PT100 input, alarm logic, and annunciator output form a safety-related measurement chain that must be proven end-to-end. Injection testing at the field instrument connection verifies the full chain without requiring actual bearing overheating. | Test | verification, alternator, sil-2, session-599, idempotency:ver-sub-req-048-bearing-temp-599 |
| VER-REQ-087 | Verify SUB-REQ-052: Using a crankshaft position sensor and calibrated fuel pressure transducer at injector inlet, measure injection timing relative to TDC at engine idle (600 RPM), 50%, and 100% rated load. Pass criteria: injection timing within ±2° crankshaft angle of nominal advance angle at all three load points; data logged over 10 consecutive injection events per point to confirm repeatability. Rationale: SUB-REQ-052 specifies fuel injection timing accuracy for combustion efficiency and emission compliance at SIL-2. Injection timing drift is a known failure mode leading to hard starting and excessive smoke; direct measurement at three load points is required per BS EN ISO 4165 (Road vehicles — Electrical connections) diesel test standards. Analysis cannot substitute for measurement of the mechanical injection pump's actual timing. | Test | verification, diesel-engine, sil-2, session-599, idempotency:ver-sub-req-052-inj-timing-599 |
| VER-REQ-088 | Verify SUB-REQ-057: Inspect all fuel oil bunding and containment around the Day Tank, service tank, and fuel transfer pipework. Verify bund capacity ≥110% of the largest vessel it contains. Review Environmental Permitting (England and Wales) Regulations 2016 compliance documentation and compare against CIRIA C736 (Containment systems for the prevention of pollution — secondary, tertiary and other measures) checklist. Pass criteria: inspection report signed by qualified civil/environmental engineer confirms full compliance, zero observed penetrations in bund lining, drainage valve in closed/locked position. Rationale: SUB-REQ-057 is an environmental compliance requirement mandated by UK environmental regulations. Inspection by a qualified engineer against CIRIA C736 checklist is the standard compliance verification method; analysis cannot substitute for physical inspection of bund integrity and volume. | Inspection | verification, fuel-oil-system, sil-2, session-599, idempotency:ver-sub-req-057-bunding-599 |
| VER-REQ-089 | Verify SUB-REQ-060: With EDG in Maintenance Out-of-Service mode (LOTO applied), inspect access routes and clearances around all major subsystems (Diesel Engine Subsystem, Alternator Subsystem, Fuel Oil System, Cooling System, Starting and Control Subsystem, Electrical Protection and Switchgear Subsystem). Verify that all maintenance access points specified in the OEM maintenance manual can be reached without disturbing adjacent plant. Pass criteria: all identified maintenance tasks achievable without confined-space entry, minimum 750mm aisle clearance maintained, all lifting equipment anchor points accessible and in-date certified. Rationale: SUB-REQ-060 addresses maintainability and safe access at SIL-2 (common cause failure prevention through maintainability). Physical inspection is the only valid verification method; drawings cannot confirm that as-built plant matches design intent or that all maintenance tools physically fit in the space. | Inspection | verification, maintenance, sil-2, session-599, idempotency:ver-sub-req-060-access-599 |
| VER-REQ-090 | Verify SYS-REQ-007: Apply a simulated LOOP event and initiate load sequencing with three load blocks representing: safety injection (50kW), emergency lighting (15kW), and HVAC (30kW). Apply each block at 2-second intervals and record voltage and frequency transients on a data logger at 200Hz sampling. Pass criteria: voltage dip per load application ≤15% of 415V (i.e., ≥353V minimum during transient), frequency deviation ≤3Hz from 50Hz nominal during transient, recovery to within tolerance (390–441V, 49.5–50.5Hz) within 3 seconds of each block application. Rationale: SYS-REQ-007 specifies load sequencing constraints directly driven by the 10-second LOOP Response ConOps scenario. An uncontrolled voltage dip >15% risks contactor dropout on safety-classified loads, breaking the load sequencing chain. Testing at the exact threshold with a data logger at 200Hz confirms the 3-second recovery requirement is met under worst-case thermal load conditions and is not achievable by analysis alone. | Test | session-600, validation, system, sil-3, load-sequencing, idempotency:ver-sys007-load-seq-600 |
| VER-REQ-091 | Verify SYS-REQ-008: Subject the EDG control and protection electronics (ALC, ECP, PTLU, Governor System) to EMC immunity testing in accordance with BS EN IEC 61000-4-2 (electrostatic discharge, 8kV contact/15kV air), BS EN IEC 61000-4-4 (electrical fast transient/burst immunity, Level 4), and BS EN IEC 61000-4-5 (surge immunity, Level 3) with test levels representative of the EDG building electromagnetic environment during engine cranking and load pickup. Monitor all protective trip outputs and control signals during and after each test burst. Pass criteria: no spurious trips, no loss of control functionality, no parameter deviation >10% of setpoint during or within 5 seconds after each test. Rationale: SYS-REQ-008 addresses BS EN IEC 61000 (Electromagnetic compatibility) compliance for EDG control electronics in a high-EMI environment generated by the EDG itself (ignition transients, large motor switching). A spurious trip during a real LOOP event caused by conducted EMI would be a SIL-3 failure. EMC testing at Level 4 is the only way to demonstrate immunity; analysis cannot predict EMI coupling paths in the as-installed plant configuration. | Test | session-600, validation, system, emc, idempotency:ver-sys008-emc-600 |
| VER-REQ-092 | Verify SYS-REQ-009: Configure EDG for surveillance test mode with SBTC isolating the safety bus. Conduct a 30-minute full-rated-load test using the load bank connected to the test bus output. Record load (kW), voltage, frequency, and engine parameters throughout. At test completion, isolate load bank, allow engine cooldown, and measure time from load removal to ECP indicating 'hot standby' status (oil pressure confirmed, starting air charged, ALC armed). Pass criteria: 30 minutes continuous at rated load with no protective trips; hot standby status confirmed within 10 minutes of load removal. Rationale: SYS-REQ-009 is the direct implementation requirement for the Monthly Surveillance Test ConOps scenario. The 30-minute duration and 10-minute hot standby recovery are site licence condition requirements; failure to demonstrate these would put the plant in a limiting condition for operation. Demonstration against the as-installed test infrastructure confirms the test mode works without any safety bus perturbation. | Demonstration | session-600, validation, system, surveillance-test, idempotency:ver-sys009-surveillance-600 |
| VER-REQ-093 | Verify SYS-REQ-010: Inspect site stores inventory records and compare against the EDG OEM-specified minor servicing consumables list (filters, belts, gaskets, coolant) and the major overhaul tooling list. Inspect maintenance schedule records for the last 5 years confirming minor service intervals ≤12 months and confirm major overhaul is scheduled within the 5-year interval. Inspect all specialised tooling items on the OEM overhaul list and confirm physical presence in site stores. Pass criteria: all consumables and tools present in stores; no service interval exceedance recorded; scheduled overhaul date within 5-year cycle confirmed. Rationale: SYS-REQ-010 is a maintainability requirement driven by STK-REQ-006 (maintenance team access without off-site tools) and the Planned Overhaul ConOps scenario. Inspection of stores inventory and maintenance records is the appropriate method because the requirement governs material availability and organisational process, not a measurable physical performance parameter. | Inspection | session-600, validation, system, maintainability, idempotency:ver-sys010-maintainability-600 |
| VER-REQ-094 | Verify SUB-REQ-035: Inject each protective trip function (oil pressure, coolant temp, overspeed, vibration, channel fault) one at a time into the Protective Trip Logic Unit test terminals while the Local Alarm and Indication Panel is energised. For each injection, record time from trip signal onset to first-out alarm display illumination and audible alarm activation using a 1ms-resolution timer. Confirm the alarm annunciation is latched (remains active after trip signal is removed) until manually acknowledged at the LAIP panel. Pass criteria: first-out display and audible alarm active within 500ms in all cases; latching confirmed for each trip function; no subsequent trip function displays the first-out indication while the first alarm is unacknowledged. Rationale: SUB-REQ-035 is a 500ms first-out annunciation requirement for the LAIP. This is the diagnostic interface for the Failure to Start and EDG Trip During Extended LOOP scenarios — the operator needs to identify the trip cause within the first 500ms to initiate correct recovery action. Only physical injection testing through the trip logic confirms the timing and latching logic; simulation cannot account for relay coil delay and indicator driver response time. | Test | session-600, validation, monitoring-instrumentation, sil-2, idempotency:ver-sub035-firstout-alarm-600 |
| VER-REQ-095 | Verify SUB-REQ-029: Schedule and witness a minor servicing event on the Diesel Engine Subsystem. Confirm that all tools and consumables used (cylinder head inspection tools, injector calibration equipment, belt and filter replacements) are drawn from the site-approved store inventory list. Record start and finish times of the servicing event. Confirm no specialised tools not on the site inventory list were called up. Pass criteria: all maintenance activities completed using only site-held tools and consumables; servicing completed within the maintenance window defined in the site maintenance schedule; no off-site tool requests raised. Rationale: SUB-REQ-029 is a maintainability constraint ensuring independence from OEM field-service visits for planned minor maintenance. This supports the Planned Overhaul ConOps scenario where 14-day maintenance must be completable without off-site tooling logistics. Witnessing an actual servicing event is the only way to confirm site stores coverage — analysis would merely confirm the written inventory, not whether the stored items are serviceable and appropriate. | Demonstration | session-600, validation, diesel-engine, maintainability, idempotency:ver-sub029-diesel-maintain-600 |
| VER-REQ-096 | Verify SUB-REQ-061: Inspect the Fuel Oil System design documentation, construction records, and operating licence against: (a) DSEAR (Dangerous Substances and Explosive Atmospheres Regulations 2002) ATEX zone classification drawings and hazardous area assessment; (b) Petroleum (Consolidation) Regulations 2014 — site petroleum licence and storage certificates; (c) BS EN ISO 4064 flow measurement — calibration certificates for fuel flow meters; (d) CIRIA C736 (Containment systems for the storage of polluting liquids) — secondary containment design calculations and inspection records for day tank and bulk tank installations. Pass criteria: current petroleum storage licence held; ATEX zone classification drawings approved; all secondary containment installations documented as compliant with CIRIA C736 calculation methodology. Rationale: SUB-REQ-061 requires compliance with DSEAR, Petroleum (Consolidation) Regulations 2014, and CIRIA C736 — all of which are regulatory/statutory requirements enforced by inspection of documentation, licences, and design records rather than physical testing. The 168-hour fuel endurance test (VER-REQ-059) verifies operational performance; this requirement verifies the legal compliance basis. | Inspection | session-600, validation, fuel-oil, compliance, regulatory, idempotency:ver-sub061-dsear-compliance-600 |
| VER-REQ-097 | Validate STK-REQ-001 (stakeholder acceptance): Conduct a witnessed system acceptance test with the site safety authority. From a cold standby state, apply a genuine LOOP by opening the Class 1E bus interties; record time-to-rated-voltage using the plant SCRAM data logger. Conduct three consecutive repetitions, varying ambient temperature across the operating range (5°C, 20°C, 40°C). Pass criteria: all three starts achieve rated voltage and frequency on the safety bus within 10 seconds; no auxiliary system failures requiring operator intervention; SCRAM data logger records confirm timing without manual stopwatch reliance. Rationale: STK-REQ-001 is the primary emergency start stakeholder requirement — the criterion that motivates the entire EDG system. A witnessed acceptance Demonstration with the site safety authority is the appropriate validation method at stakeholder level (above system-level Test VER-REQ-004) because it closes the gap between design verification and operational validation in the presence of the licensing body. | Demonstration | session-602, validation, stk, stk-acceptance, sil-3, idempotency:ver-stk001-acceptance-demonstration-602 |
| VER-REQ-098 | Verify H-010 cyber security mitigation (SYS-REQ-004 and control system architecture): Conduct a structured cyber security assessment of all digital control system interfaces (ALC, Governor, PTLU, Remote Monitoring Gateway) in accordance with IEC 62645 (Nuclear power plants — Instrumentation, control and electrical power systems — Cybersecurity requirements). Confirm that: (a) the ALC, Governor, and PTLU have no IP-addressable remote access ports; (b) the Remote Monitoring Gateway is physically isolated with a one-way data diode on the read path; (c) hardwired trip circuits (oil pressure, coolant temperature, overspeed) are implemented in relay logic with no software path to inhibit. Pass criteria: cyber architecture review by ONR-recognised assessor confirms air-gapped control architecture; no network path to safety-critical functions; hardwired trip logic verified by continuity test independent of digital channels. Rationale: H-010 identifies cyber attack as a SIL-3 hazard with safe state of air-gapped backup and hardwired trips. No dedicated cyber security VER requirement existed prior to this session. IEC 62645 is the primary standard for nuclear I&C cyber security assessment. Inspection is appropriate because the primary control measure is architectural (air-gap, one-way diode, hardwired relays) — these are verified by physical inspection and architectural review, not by simulated cyber attack. | Inspection | session-602, validation, cyber-security, h-010, sil-3, idempotency:ver-h010-cyber-security-inspection-602 |
| VER-REQ-099 | Verify H-007 CCF safe state — DC battery coping time under station blackout load profile (SYS-REQ-011): With both EDGs inhibited and all AC power removed, connect a calibrated DC load bank to the Class 1E DC battery system simulating the station blackout load profile (DC-powered instrumentation, rod control inhibit, passive decay heat removal initiation circuit). Record battery terminal voltage versus time at rated temperature (20°C). Pass criteria: battery terminal voltage remains ≥105V DC for a minimum of 8 hours under the station blackout load profile without AC charging; voltage recovery within 30 minutes upon restored AC supply. Test to be repeated at end-of-life battery capacity (80% rated Ah). This directly tests the SYS-REQ-011 CCF safe state assumption for DC battery coping time. Rationale: H-007 (CCF both EDGs, SIL-4) has a safe state of diverse AC, DC batteries, and passive cooling. Session 600 flagged that SYS-REQ-011→VER-REQ-066 relies entirely on analysis — no Test-method verification of DC battery coping time existed. IEC 61508-2 SIL-4 requires hardware fault tolerance (HFT=1) to be demonstrated, not just analysed. VER-REQ-066 is an architecture analysis review; this Test requirement directly measures the 8-hour battery coping claim under realistic station blackout load. | Test | session-602, validation, station-blackout, h-007, sil-4, ccf, dc-battery, idempotency:ver-h007-ccf-battery-coping-test-602 |
| VER-REQ-100 | The EDG system SHALL be tested in degraded mode: introduce a simulated subsystem fault (simulate a cooling fan belt fault via belt tension sensor override) while the EDG is running at rated load. Verify: (a) no automatic safety trip is triggered, (b) EDG continues to run, (c) electrical output remains ≥60% rated power (3.0 MW from 5.0 MW rated), (d) frequency remains within 50Hz ±2% (49.0–51.0 Hz), (e) degraded condition alarm appears on MCR within 30 seconds, (f) condition persists for a minimum of 2 hours. Pass criteria: all five measurements within bounds; MCR alarm within 30 seconds; no spurious trip. Verify at two load levels: 60% rated and 80% rated. Rationale: Degraded mode operation test verifies REQ-SEEMERGENCYDIESELGENERATORFORAUKNUCLEARLICENSEDSITE-001 under simulated fault conditions. MCR: Main Control Room. Coolant fan belt fault is selected because (a) it's a realistic non-safety-critical fault (loose belt, belt wear, slipping pulley) that can be detected via belt tension sensor override, (b) it reduces cooling capacity without immediately causing overheat trip, and (c) it can be simulated without disabling safety interlocks or modifying protection setpoints. The 2-hour duration matches STK-REQ-002 (degraded operation must sustain sufficient time for operator diagnosis and load transfer) — 2 hours is derived from nuclear site operating procedures for fault diagnosis and EDG load transfer. The 60% rated power floor (3.0 MW from 5.0 MW) ensures priority safety loads can be supplied while excluding non-essential loads. Two load levels (60% and 80%) are required to validate that degraded mode is not a pass/fail state change but a gradual performance envelope degradation. | Test | session-603, validation, degraded-mode, sil-2, idempotency:ver-sys013-degraded-mode-test-603, tech-author-session-613 |
| VER-REQ-101 | The EDG system SHALL demonstrate Post Maintenance Test (PMT) completion: following a simulated major maintenance activity (oil and filter change, injector calibration, governor adjustment), with LOTO released and all connections reinstated, command one start from standby. Record: (a) time from start command to rated voltage (pass: ≤10 seconds), (b) voltage and frequency at rated (pass: 400V ±2%, 50Hz ±1%), (c) acceptance of 50% rated load block without voltage dip below 380V, (d) all protective trip functions respond to their respective test inputs within 2 seconds. The PMT shall be witnessed by the shift supervisor and recorded in the plant maintenance log before handback. Rationale: SUB-REQ-066 requires a PMT before reinstatement. This Demonstration verifies that maintenance has not degraded start performance, governor function, or protective trip operation. The 50% load acceptance test is chosen as a representative functional test that exercises the fuel system, governor, and alternator without requiring full-rated load bank deployment during routine post-maintenance checks. | Demonstration | session-603, validation, pmt, maintenance, return-to-service, idempotency:ver-sub066-pmt-demonstration-603 |
| VER-REQ-102 | The EDG system SHALL be demonstrated to have physical and electrical separation between Train A and Train B meeting CCF exclusion criteria: using a power injection test set, conduct a fault injection test on EDG Train A control power supply (disconnect Train A Class 1E DC supply) and verify: (a) Train B ALC, ECP, and PTLU remain energised with normal indication within 1 second, (b) Train B completes a start-to-rated test cycle independently without any cross-coupling to Train A circuitry, (c) no common terminal or junction box contains conductors from both trains simultaneously. Pass criteria: Train B fully functional with Train A de-energised; physical separation inspection confirms no shared enclosures. This test shall be performed by an independent nuclear safety engineer under ONR oversight. Rationale: SYS-REQ-011 is SIL-4 and requires HFT=1 — architectural independence of the two EDG trains. IEC 61508-2 (Requirements for E/E/PE safety-related systems) SIL-4 mandates that hardware fault tolerance be demonstrated under fault injection, not only confirmed by documentation Inspection. VER-REQ-066 (Inspection) and VER-REQ-099 (DC battery test) address specific aspects but neither demonstrates Train B operability under Train A total failure. This Demonstration closes the SIL-4 verification gap for the CCF exclusion argument. | Demonstration | session-603, validation, ccf, sil-4, train-separation, h-007, idempotency:ver-sysreq011-ccf-train-separation-demo-603 |
| VER-REQ-103 | Verify SYS-REQ-014: Following a full-rated-load run test, restore offsite power supply and transfer the Class 1E bus to normal supply. Inhibit the EDG stop command and monitor for 5 minutes at no-load. Record: (a) coolant temperature at 0, 1, 3, and 5 minutes — pass: temperature does not exceed 80°C and decreases monotonically; (b) lubricating oil pressure at ALC display — pass: maintained within normal standby band throughout; (c) confirm automatic engine stop does not occur until the 5-minute timer elapses. Pass criteria: all three conditions met; thermocouple calibration certificate within 12-month validity. Rationale: SYS-REQ-014 requires 5-minute minimum cooldown at ≤10% load with coolant below 80°C. This test verifies the ALC timer logic, the coolant temperature trending, and lubricant circulation under actual post-run thermal conditions. Analytical methods cannot substitute for the thermal transient measurement — the test must be performed under hot conditions following a loaded run to capture real cooldown dynamics. | Test | session-604, validation, cooldown-shutdown, mode-coverage, sil-2, idempotency:ver-sys014-cooldown-shutdown-604 |
| VER-REQ-104 | Verify SYS-REQ-015: Perform a battery capacity test per IEEE 450 (Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid Batteries) on the Class 1E battery system under the worst-case DC load profile. Test procedure: (a) discharge battery at the documented worst-case DC load profile (emergency lighting, protection relays, control systems, annunciators), (b) record discharge curve at 1-minute intervals until battery reaches 105V minimum cell voltage threshold, (c) calculate measured Ah capacity with temperature correction for minimum design ambient (5°C), (d) apply end-of-life derating factor (80% of measured capacity per IEEE 1188), (e) analytically demonstrate that derated measured capacity supports ≥8-hour DC coping time at worst-case load. Pass criterion: derated measured capacity demonstrates ≥8-hour autonomy with ≥10% margin, test witnessed and accepted by independent nuclear safety engineer, results documented in the nuclear QA programme. Battery replacement required if capacity <80% rated at end-of-life. Rationale: SYS-REQ-015 specifies the 8-hour DC coping window for single-train failure (SIL-3, H-001/H-002). Verification changed from pure analysis to Test: IEEE 450 capacity test directly measures the actual battery capacity under load, eliminating reliance on design data that may not reflect actual installed condition, cell aging, or electrolyte condition. The test also constitutes mandatory nuclear surveillance per IEEE 450 Section 6 interval requirements. Using measured rather than design capacity satisfies the IEC 61508 requirement for Test verification of SIL-3 functions. | Test | session-605, validation, sil-3, single-train-failure, idempotency:ver-sys015-single-train-dc-605 |
| VER-REQ-105 | Verify SYS-REQ-016 cyber isolation: Inspect the EDG control system design documentation, network architecture diagram, and cable schedule. Confirm: (a) no Ethernet, fieldbus, or wireless interface present on ALC, ECP, PTLU, or IGS units, (b) remote monitoring path uses certified one-way data diode hardware with no reverse channel, (c) all control wiring is point-to-point hardwired with no intermediate protocol converters, (d) software version is locked and change-controlled through the nuclear QA programme. Pass criterion: all four points confirmed by inspection with no open findings; inspection witnessed and accepted by ONR-approved nuclear cybersecurity assessor. Rationale: SYS-REQ-016 is a design-phase cyber isolation requirement. The verification method is inspection of documentation and physical hardware because network isolation is a property of the design, not of runtime behaviour. An Inspection by an ONR-approved assessor is the required evidence under the ONR Security Assessment Principles for Category A safety systems. | Inspection | session-605, validation, sil-3, cyber, h-010, idempotency:ver-sys016-cyber-605 |
| VER-REQ-106 | Verify SUB-REQ-006 channel voting under single-channel failure: (a) Disable ALC Channel A processing unit by removing power connector; confirm EDG does NOT start (voting logic correctly inhibits start on single-channel assertion). (b) With Channel A re-enabled, disable Channel B; confirm EDG does NOT start. (c) Apply LOOP signal simultaneously to both Channel A and Channel B inputs; confirm start demand generated within 500ms. (d) Apply LOOP to Channel A only (Channel B normal); confirm NO start demand. (e) Re-enable Channel A, apply LOOP to both channels; confirm start demand generated. Pass criteria: (a)–(b) no start demand in 5s; (c) start demand ≤500ms; (d) no start demand in 5s; (e) start demand ≤500ms. All five conditions passed without manual intervention. Rationale: SUB-REQ-006 specifies SIL-3 2oo2 voting to prevent both loss-of-start (single-channel failure prevents demand) and spurious start (single-channel assertion causes demand). H-001 (Failure to start, SIL-3) and H-009 (Spurious start, SIL-1) are mitigated by this architecture. VER-REQ-048 (Inspection of design documentation) verifies the design intent but does not demonstrate the functional voting behaviour under failure conditions. This functional test closes the IEC 61508 requirement for Test verification of safety-critical SIL-3 logic at the commissioning stage. | Test | session-606, validation, starting-control, sil-3, alc, 2oo2, h-001, h-009, idempotency:ver-sub006-alc-voting-failure-606 |
| VER-REQ-107 | Verify SYS-REQ-017 degraded mode exit recovery: With the EDG running at 60% rated load in simulated degraded mode (subsystem fault injected via test input), clear the simulated fault at t=0. Record time from fault clearance acknowledgement at ECP to EDG output reaching ≥95% rated power and voltage 415V ±6%, frequency 50Hz ±1%. Pass criteria: full output restored within 60 seconds of operator acknowledgement, without engine trip or restart. Rationale: SYS-REQ-017 requires fault-cleared recovery to full power within 60 seconds without restart. Demonstrating this by test confirms the governor and load control system can smoothly ramp from degraded to full power following fault isolation. Analysis alone cannot confirm the dynamic ramp behaviour of the combined governor-fuel system, which depends on commissioning tuning. | Test | session-606, validation, degraded-mode, mode-transition, sil-2, idempotency:ver-sys017-degraded-exit-606 |
| VER-REQ-108 | Verify SYS-REQ-016 cyber resilience under active attack simulation: Engage an independent nuclear cyber security assessor to conduct a structured penetration test against the EDG control system interface (test bed replica with identical software image). Test SHALL include: (a) attempted unauthorised access to Automatic Load Controller via RS-485 maintenance port; (b) attempted signal injection on 24VDC LOOP signal input; (c) replay attack on hardwired trip circuit. Pass criteria: no unauthorised control action executed, no trip circuit bypassed, all intrusion attempts logged and alarmed within 60 seconds, EDG continues operating or achieves safe state (hardwired trip). Simulation environment must be certified equivalent to production hardware. Rationale: SYS-REQ-016 is SIL-3 (H-010 cyber attack, catastrophic severity). VER-REQ-105 provides only Inspection of design documentation. For SIL-3 cyber requirements in nuclear applications, IEC 62443-3-3 (Security for Industrial Automation and Control Systems) and ONR Safety Assessment Principles require demonstration under adversarial conditions, not documentation review alone. This Test verification adds active penetration testing using a hardware-identical test bed, closing the verification adequacy gap for H-010. | Test | session-607, validation, cyber-security, sil-3, h-010, idempotency:ver-sys016-cyber-pentest-607 |
| VER-REQ-109 | Verify SUB-REQ-067 Maintenance Out-of-Service mode entry: Simulate a maintenance transition request with EDG in Standby Ready state. Confirm: (a) unavailability signal transmitted to control room within 30 seconds; (b) start demand interlock removed (verified by attempting LOOP signal injection — EDG SHALL NOT start); (c) LOTO Maintenance Access Permit issued only after energy source isolation confirmed. Repeat with EDG in post-test shutdown state. Pass criteria: all three sequential conditions satisfied in correct order, automatic start inhibited throughout, no unauthorised start on LOOP demand. Rationale: SUB-REQ-067 (session 607) defines the controlled entry into Maintenance Out-of-Service mode. Inspection alone cannot verify that the start demand interlock is actually removed and that the EDG is unable to respond to a spurious LOOP demand while maintenance access is granted. This Test verification confirms the interlock removal is effective by attempting a live LOOP signal injection. | Test | session-607, validation, maintenance, loto, mode-coverage, idempotency:ver-sub067-maintenance-entry-607, sil-3 |
```mermaid
flowchart TB
  n0["component<br>Automatic Load Controller"]
  n1["component<br>Engine Control Panel"]
  n2["component<br>Compressed Air Starting System"]
  n3["component<br>Isochronous Governor System"]
  n4["external<br>Class 1E Safety Bus"]
  n5["external<br>Diesel Engine"]
  n4 -->|LOOP detection voltage/freq| n0
  n0 -->|Start demand hardwired 24VDC| n1
  n1 -->|Air start valve open signal| n2
  n2 -->|30 bar cranking air| n5
  n5 -->|Speed feedback dual MPU| n3
  n3 -->|Fuel rack position| n5
  n1 -->|Speed setpoint / trip| n3
```

Starting and Control - Internal Block
```mermaid
flowchart TB
  n0["component<br>Generator Protection Relay"]
  n1["component<br>Main Generator Circuit Breaker"]
  n2["component<br>Safety Bus Transfer Contactor"]
  n3["component<br>Voltage Sensing and Monitoring Unit"]
  n4["external<br>Automatic Load Controller"]
  n5["external<br>Class 1E Safety Bus"]
  n3 -->|4-20mA voltage signals| n0
  n0 -->|110VDC trip signal| n1
  n4 -->|24VDC bus transfer cmd| n2
  n2 -->|safety bus supply| n5
  n1 -.->|anti-paralleling interlock| n2
```

Electrical Protection and Switchgear - Internal Block
```mermaid
flowchart TB
  n0["component<br>Engine Block and Rotating Assembly"]
  n1["component<br>Fuel Injection System"]
  n2["component<br>Lubrication and Bearing System"]
  n3["component<br>Turbocharger and Charge Air System"]
  n4["component<br>Engine Exhaust and Silencing System"]
  n5["external<br>Fuel Oil System"]
  n6["external<br>Alternator Subsystem"]
  n7["external<br>Cooling System"]
  n8["external<br>Isochronous Governor System"]
  n5 -->|diesel fuel 3-6 bar| n1
  n1 -->|metered fuel spray| n0
  n8 -->|fuel rack demand| n1
  n0 -->|shaft torque 1500 RPM| n6
  n0 -->|exhaust gases| n3
  n3 -->|charge air below 45C| n0
  n7 -->|jacket water 70-85C| n0
  n2 -->|oil 3.5-5 bar| n0
  n0 -->|exhaust to atmosphere| n4
```

Diesel Engine - Internal Block
```mermaid
flowchart TB
  n0["component<br>Rotor and Field Winding"]
  n1["component<br>Stator and Armature Winding"]
  n2["component<br>Automatic Voltage Regulator"]
  n3["component<br>Brushless Exciter"]
  n4["external<br>Diesel Engine"]
  n5["external<br>Generator Protection Relay"]
  n6["component<br>Generator Bearing and Mechanical Support Assembly"]
  n4 -->|shaft torque 1500 RPM| n0
  n0 -->|field rotation| n3
  n3 -->|DC excitation current| n0
  n2 -->|excitation demand signal| n3
  n1 -->|11kV terminal voltage| n2
  n1 -->|11kV 3-phase output| n5
  n4 -->|shaft coupling| n6
  n6 -->|rotor shaft| n0
```

Alternator Subsystem — Internal Components
```mermaid
flowchart TB
  n0["component<br>Day Tank"]
  n1["component<br>Fuel Transfer Pump"]
  n2["component<br>Duplex Fuel Filter"]
  n3["component<br>Fuel Level and Alarm Unit"]
  n4["external<br>Fuel Injection System"]
  n5["external<br>Bulk Storage Tank"]
  n6["component<br>Fuel Supply Pipework and Valve Assembly"]
  n7["component<br>Bulk Fuel Storage Tank"]
  n5 -->|bulk fuel supply| n1
  n1 -->|diesel fill| n0
  n0 -->|gravity feed 0.3 bar| n2
  n2 -->|filtered fuel 3-6 bar| n4
  n3 -->|level alarm / pump start| n1
  n7 -->|bulk fuel supply| n1
  n1 -->|pressurised fuel| n6
  n6 -->|metered fill| n0
```

Fuel Oil System — Internal Components
```mermaid
flowchart TB
  n0["component<br>Jacket Water Pump"]
  n1["component<br>Radiator and Fan Assembly"]
  n2["component<br>Thermostat Valve"]
  n3["component<br>Coolant Header Tank"]
  n4["external<br>Engine Block"]
  n5["component<br>Intercooler"]
  n0 -->|hot coolant| n2
  n2 -->|coolant above 71C| n1
  n1 -->|cooled water return| n0
  n2 -->|bypass/through coolant| n4
  n4 -->|warm jacket water| n0
  n5 -->|charge air below 45C| n4
  n3 -->|system pressure / top-up| n0
  n0 -->|coolant flow| n4
  n4 -->|hot coolant| n1
  n2 -->|bypass| n0
```

Cooling System — Internal Components
```mermaid
flowchart TB
  n0["component<br>Engine Monitoring Unit"]
  n1["component<br>Temperature Sensor Array"]
  n2["component<br>Pressure Sensor Array"]
  n3["component<br>Speed and Frequency Monitor"]
  n4["component<br>Local Alarm Annunciator"]
  n5["external<br>Engine Control Panel"]
  n6["component<br>Engine Parameter Sensor Array"]
  n7["component<br>Protective Trip Logic Unit"]
  n8["component<br>Local Alarm and Indication Panel"]
  n9["component<br>Remote Monitoring Gateway"]
  n1 -->|temperature signals 4-20mA| n0
  n2 -->|pressure signals 4-20mA| n0
  n3 -->|speed/freq pulse signals| n0
  n0 -->|alarm discrete outputs| n4
  n0 -->|trip and shutdown signals| n5
  n3 -->|overspeed trip hardwired| n5
  n6 -->|4-20mA dual-channel| n7
  n7 -->|hardwired trip| n5
  n7 -->|alarm signals| n8
  n7 -->|status discretes| n9
```

Monitoring and Instrumentation — Internal Components
| Entity | Hex Code | Description |
|---|---|---|
| Alternator Subsystem | D6F53018 | Synchronous AC generator, 415V/11kV 3-phase 50Hz output, directly coupled to diesel engine. Includes brushless exciter, automatic voltage regulator (AVR) maintaining ±2% voltage, and AVR protection. Sustained rated output for 7-day continuous operation. Insulation class H. Self-excited following blackstart. Harmonic distortion <5% THD per IEC 60034. |
| automatic load controller | D7F77018 | Physical electronic control unit (LRU) housed in a 19-inch rack-mount enclosure, installed in the Starting and Control panel within the EDG building. Receives hardwired 24VDC signals from the site electrical protection system, processes loss-of-offsite-power and load demand signals, and generates timed relay outputs to the safety bus transfer contactor and load-sequencing contactors. Class 1E qualified electronic equipment with EMC screening and surge protection. |
| Automatic Load Controller | D7F73858 | Physically housed relay logic panel with DIN-rail mounted PLC modules, solid-state relays, and terminal blocks in a steel enclosure. Located in the EDG building. Receives start demand and bus voltage signals, implements load sequencing logic, and drives the Safety Bus Transfer Contactor via hardwired outputs. Classified 1E nuclear safety equipment, housed in a seismic-qualified cabinet. |
| Automatic Voltage Regulator | D5F73058 | Static electronic AVR maintaining generator terminal voltage within ±0.5% of set-point under steady-state and within ±6% during transient step loading. Receives voltage feedback from VSMU 4-20mA signal and controls field excitation current via PWM firing of the main exciter stator winding. Provides reactive droop compensation (typically 3-5% droop for parallel operation), over-excitation limiter (OEL), under-excitation limiter (UEL), and manual voltage trim potentiometer. Powered from PMG (independent of terminal voltage). Complies with IEC 60034-16-1 for Class A voltage regulation. |
| Brushless Excitation System | 54F53018 | Three-stage brushless excitation chain eliminating slip rings and carbon brushes: (1) permanent magnet generator (PMG) on the main shaft provides stable, terminal-voltage-independent excitation power; (2) main exciter stator (AC field winding controlled by AVR) and main exciter rotor (rotating AC armature); (3) rotating silicon diode rectifier assembly on shaft converts AC exciter output to DC for the main generator field winding. Provides excitation response time within IEC 60034-16-1 requirements. Rotating rectifier diodes are fused with open-circuit fuse detection via shaft-mounted proximity sensor. |
| Bulk Fuel Storage Tank | CE851058 | External bunded underground or above-grade carbon-steel tank (typically 20,000–50,000L) providing 7-day fuel reserve at rated EDG output. Cathodic protection on buried sections, secondary containment bunding to site PADHI flood risk level. Fitted with continuous ultrasonic level monitoring, bottom water detection probes, manual sampling point, vented fill pipe, and suction line to fuel transfer pump set. Must be seismically qualified to SS1 category (BS EN 1998-4 / NS-TAST-GD-013 screening). |
| Compressed Air Starting System | D6D51018 | Dual redundant 250-litre air receivers charged to 30 bar by dedicated compressor. Supplies compressed air to pneumatic air start motors (2 per engine) that crank the diesel engine to firing speed (~100 RPM). Air distributor valve controls injection timing into cylinders. Auto-recharge maintains receiver pressure after each start attempt. Sufficient stored air for minimum 3 start attempts without recharging. Operating environment: EDG building, ambient -5°C to +45°C, seismically qualified. |
| Coolant Header Tank | C6851018 | Pressurised expansion vessel maintaining cooling system at 1.0-1.5 bar gauge above atmospheric. Volume 30L. Provides make-up coolant for minor leaks during mission time. Fitted with low-level float switch connected to M&I subsystem alarm. Cap pressure-relief rated 1.8 bar. Located above engine height to ensure positive head pressure to jacket water pump inlet. |
| cooling system | DED51008 | Physical closed-circuit liquid cooling system for a diesel engine, comprising steel pipework, a centrifugal jacket water pump, a radiator assembly with electric fan, an intercooler for charge air, a header tank, and a thermostat valve. Physically installed in the EDG building and connected to the engine block by 50mm bore flanged pipework. Must dissipate 280 kW to ambient air at 40°C ambient. Monitored by PT100 RTD temperature sensors. |
| Cooling System | D6D51018 | Physical fluid-cooled heat rejection system comprising radiator and fan assembly, jacket water circulating pump, coolant header tank, thermostat valve, and charge air intercooler. Physically located in and adjacent to the EDG building with external radiator module. Contains coolant fluid under pressure at up to 1.5 bar, produces heat rejection up to 40% of rated engine output, has mass and volume, requires maintenance access. Subject to seismic qualification and frost protection requirements. |
| Day Tank | CE851018 | Stainless steel service tank (1,500–4,000L) located inside the EDG building, providing gravity head to the engine fuel injection system. Level switches at LL/L/H/HH set-points control automatic fill from bulk tank and alarm outputs to LAIP. Serves as the immediate fuel buffer; sized for ≥8h operation at rated load without transfer pump. Fitted with temperature probe, overflow return line, manual fill inlet, and drain point. Class 1E boundary begins here. |
| Diesel Engine Subsystem | D7F53218 | 4-stroke medium-speed diesel prime mover (1000–1500 RPM), 1–5 MW shaft output. Drives the alternator directly via flexible coupling. Critical failure modes: failure to start (compressed air or fuel starvation), overspeed, loss of lubrication, high coolant temperature shutdown. Must reach rated speed within 10s of start signal per ONR SAPs. Governs via mechanical/electronic governor maintaining ±0.5Hz frequency. SIL 3. |
| Electrical Protection and Switchgear Subsystem | 50F77858 | Generator circuit breaker (GCB) plus associated protective relays: overcurrent, undervoltage, overvoltage, underfrequency, overfrequency, differential protection, loss-of-excitation. Connects EDG to Class 1E safety bus. Synchronising check relay prevents out-of-phase closing. Load shedding contactors for staged load acceptance sequence. Bus section breaker interlocks. All equipment to IEC 60255 and BS EN 61439. SIL 3 protection functions per IEC 61508. |
| Emergency Diesel Generator System for UK Nuclear Licensed Site | D7F73A59 | Class 1E standby AC power generation system for a UK nuclear licensed site, providing emergency electrical power to safety-critical loads upon loss of normal grid supply. Rated 1–5 MW, 415V/11kV 3-phase 50Hz output. Must auto-start within 10 seconds of demand signal and sustain rated load for minimum 7 days. Governed by ONR Safety Assessment Principles, IEC 61513, IEC 61226, and IEEE 308. SIL 3 / nuclear safety class. Installed in seismically qualified, flood-protected, fire-compartmented building. |
| Engine Block and Rotating Assembly | DEC51018 | Medium-speed turbocharged diesel engine block assembly for a UK nuclear licensed site emergency diesel generator (1–6 MW class). Houses cylinder block, cylinder liners, pistons, connecting rods, crankshaft, camshaft, and flywheel. Converts thermodynamic combustion energy to shaft rotation at 1500 RPM nominal. Produces continuous rated shaft torque under load steps up to 100% rated load. Must survive IEC 60068 seismic Category I conditions. Operating environment: indoor housing at -10°C to +40°C ambient. Key output: mechanical shaft power at rated speed for alternator drive. |
| Engine Control Panel | D6AD7818 | Hardwired control and protection relay panel. Processes start/stop commands from Automatic Load Controller and manual pushbuttons. Contains: engine protection relay module (oil pressure, coolant temp, overspeed, generator differential), run-up sequence timer, trip latch relay, audible/visual alarm annunciators. Provides hardwired trip outputs to fuel shutoff solenoid and shutdown actuator. 24V DC battery-backed power supply. Rated for industrial EMI per BS EN IEC 61000. IEC 61226 Category A. |
| Engine Exhaust and Silencing System | CEC51018 | Exhaust manifold, turbocharger outlet ducting, acoustic silencer, and rooftop exhaust stack for a UK nuclear licensed site EDG. Carries exhaust gases from combustion chambers through turbocharger turbine to atmosphere. Acoustic silencer reduces exhaust noise to site boundary limits. Exhaust stack designed to prevent rainwater ingress. Back-pressure monitored: must remain below 50 mbar at rated power to prevent turbocharger surge and power derating. Seismically restrained within the EDG building. |
| Engine Parameter Sensor Array | D4855018 | Redundant set of hardwired analogue sensors monitoring critical EDG engine parameters for protection and indication: lube oil pressure (low trip at 2.5 bar), jacket coolant temperature (high trip at 95°C), exhaust gas temperature per cylinder, engine vibration (seismic-qualified accelerometers), and fuel oil pressure. Dual-channel 4-20mA outputs per parameter fed to the Protective Trip Logic Unit. Sensors are qualified to BS EN 60068 environmental class C1 for operation at nuclear licensed sites. Provides the primary parameter inputs for protective shutdown and control room indication. |
| Fuel Filtration Assembly | C6851018 | Duplex spin-on or bowl-type fuel filter with nominal 10-micron filtration, integral fuel/water separator, and differential pressure switch (set at 0.3 bar) for blockage alarm. Three-way changeover valve permits switch from duty to standby filter element without interrupting fuel supply during engine operation. Differential pressure signal routed to LAIP for maintenance alarm. Located in fuel supply line between day tank and engine fuel injection system. |
| Fuel Injection System | C7F73218 | High-pressure diesel fuel injection assembly for an emergency diesel generator. Comprises engine-driven fuel injection pump (jerk-pump or common rail), individual cylinder injectors, fuel rack actuator rod mechanically coupled to the isochronous governor actuator output. Receives conditioned low-pressure diesel fuel at 3–6 bar from the Fuel Oil System. Meters and injects high-pressure diesel (up to 1200 bar) into combustion chambers. Fuel delivery rate is modulated by governor rack position within 200ms of actuator demand. Operates continuously from first engine rotation through shutdown without external power. |
| Fuel Oil System | DE851018 | Physical bulk fuel storage and transfer system for an emergency diesel generator, comprising a 30,000-50,000 litre above-ground steel bulk storage tank, a gravity-feed day tank installed at elevation, two duty/standby fuel transfer pumps, fuel filtration assemblies, steel pipework with isolation valves, bunded secondary containment, and fuel temperature maintenance heaters. Physically installed in the EDG building and surrounding bund area. Supplies DERV diesel fuel to the engine injectors. |
| Fuel Oil System | D6851018 | Physical fluid handling system comprising steel tanks (day tank and bulk storage), centrifugal pump sets, duplex filter assembly, valves, and pipework. Located in and adjacent to the EDG building. Stores, transfers, filters, and delivers diesel fuel to the engine fuel injection system. Physically occupies building space, has mass and volume, contains pressurised fluid, and includes motorised valves requiring electrical power. Subject to seismic qualification, secondary containment requirements, and fire safety regulations. |
| Fuel Supply Pipework and Valve Assembly | CE851018 | Carbon steel pipework (BS EN 10255 medium grade) from bulk tank to building penetration to day tank to engine; includes all isolating ball valves (NRV), anti-siphon arrangement on bulk tank suction, flexible compensators at the engine interface to absorb vibration, drain/vent points at low/high points, and fire-rated sealing at building penetrations. Buried sections protected with polyethylene sleeving and cathodic protection. Manual isolation valve at bulk tank suction, day tank outlet, and engine fuel inlet provides maintenance isolation. Emergency manual fuel isolation valve accessible from outside EDG building for fire brigade. |
| Fuel Transfer Pump Set | D6F51018 | Duty/standby pair of 415V AC motor-driven gear or centrifugal pumps transferring diesel fuel from bulk storage tank to day tank. Automatic start on day tank low-level (L) signal, auto stop on high-level (H) signal. Manual start/stop available from Engine Control Panel. Duty pump rated for full transfer flow; standby selected by LAIP on duty pump trip. Pump motor protection via thermal overload relays. Pump set located in ventilated pump room with spill containment bunding. |
| Generator Bearing and Mechanical Support Assembly | CE851018 | Drive-end (DE) and non-drive-end (NDE) bearing housings for the synchronous generator rotor. DE bearing: sleeve-type hydrodynamic journal bearing lubricated from the engine oil system via a tee from the main lube oil header (simplifying maintenance and eliminating a separate oil system). NDE bearing: grease-lubricated rolling element bearing with extended relubrication interval. Each bearing housing fitted with PT100 RTD (max temperature 90°C alarm, 100°C trip) and vibration measurement stud (seating for ICP accelerometer during commissioning and periodic testing). Shaft earthing brush prevents electrolytic bearing damage from stray shaft currents. |
| Generator Protection Relay | D5F77858 | Numerical multifunction protection relay providing generator protection functions for a nuclear EDG 415V/11kV alternator. Inputs: voltage/current CTs from generator terminals, differential CT, neutral CT. Outputs: trip signal to MGCB, alarm to ECP. Functions: differential protection (87G), overcurrent (51/51N), undervoltage (27), overvoltage (59), reverse power (32), loss of excitation (40), frequency (81O/U). Required trip time <80ms for differential faults. Operates in EMC Zone 2 within EDG building. SIL 3 classified per IEC 61508. |
| Generator Stator Winding and Thermal Protection | D6953018 | Class H insulated copper stator windings with embedded PT100 RTDs (minimum 6 sensors, 2 per phase) measuring hotspot temperature at rated load and during thermal transients. Anti-condensation heaters (230V AC, thermostatically controlled at 5°C) energised during standby to prevent moisture absorption during the EDG off-line periods. Winding insulation health monitored by periodic polarisation index (PI) and insulation resistance (IR) testing per IEEE 43. Maximum continuous winding temperature 155°C (Class F limit within Class H insulation for nuclear safety margin). |
| Isochronous Governor System | D5F77008 | Electronic isochronous governor unit mounted in the EDG control panel, containing magnetic speed pickup sensor, integrated circuits for speed error processing, and hydraulic/electronic actuator output controlling fuel rack position to maintain engine speed at 1500 RPM (50 Hz) ±0.5% under variable load from no-load to full rated power. Physical housing rated IP54, powered from 24VDC control supply, generating 4-20mA position signal to fuel rack actuator. |
| Jacket Water Pump | C6C51018 | Engine-driven centrifugal pump circulating jacket coolant through the engine block, cylinder heads, and heat exchanger circuit. Belt-driven from the engine crankshaft pulley. Flow rate 200-400 L/min at rated RPM, maximum pressure 3.5 bar. Provides primary coolant circulation without electrical power dependency. Sealed bearing assembly with mechanical shaft seal. Failure mode: belt failure or impeller cavitation. |
| Local Alarm and Indication Panel | D6EC5018 | Panel-mounted display and annunciator unit providing local first-out alarm annunciation and analogue indication for all monitored EDG parameters. Located in the EDG building. Displays: engine speed (RPM), coolant temperature, lube oil pressure, exhaust temperatures, vibration level, output voltage, current and frequency. First-out annunciation with audible and visual alarms. Accepts acknowledge and reset inputs. Powered from 24VDC UPS-backed supply. Hardwired inputs from Engine Parameter Sensor Array and Protective Trip Logic Unit. Not safety-classified but provides operator interface for surveillance testing and degraded-mode monitoring. |
| Lubrication and Bearing System | 46D53218 | Pressurised wet-sump lubrication system for a nuclear-licensed site emergency diesel generator engine. Engine-driven gear pump supplies filtered lubricating oil at 3.5–5.0 bar to main crankshaft bearings, big-end bearings, camshaft bearings, turbocharger journal bearings, and cylinder heads. Full-flow spin-on oil filter with bypass valve. Oil pressure transducer provides 4–20mA output to monitoring system and hardwired low-pressure switch at 2.0 bar trip setpoint. Safety-critical: low oil pressure trip initiates engine shutdown within 1.5 seconds. Engine oil cooler (jacket-water cooled) maintains sump oil temperature below 110°C. Dry-bulb ambient: -10°C to +40°C. |
| Main Generator Circuit Breaker | D6B51018 | Vacuum or SF6 circuit breaker rated for 415V or 11kV EDG output, interrupting fault currents up to 31.5kA (11kV) or 50kA (415V). Normally open, closes on LOOP demand and opens on protection trip. Operated by Generator Protection Relay trip output and Automatic Load Controller closure command. Rated for 10,000 mechanical operations. Provides electrical isolation between alternator and safety bus. Located in switchgear room within EDG building. SIL 3 by association with protection chain. |
| Monitoring and Instrumentation Subsystem | 54A57218 | Local and remote parameter monitoring for EDG: engine speed (RPM), oil pressure, coolant temperature, generator voltage/current/frequency/power factor, air receiver pressure, fuel level, battery state, vibration. Hardwired trip signals to engine control panel. Remote status indications to main control room and emergency shutdown panel. Test sequencer for monthly 30-minute full-load test. All instruments qualified to IEC 60780 (nuclear environment). Data logging at 1-second intervals. |
| Protective Trip Logic Unit | D0F77858 | SIL-2 rated programmable logic unit that processes dual-channel sensor inputs from the Engine Parameter Sensor Array and issues hardwired trip commands to the Engine Control Panel. Implements 1oo2D voting for each trip function (oil pressure, high coolant temp, overspeed, differential protection). Response time <200ms from sensor threshold crossing to trip output. Designed to fail-safe (de-energise-to-trip) with IEC 61508 Part 2 SIL 2 certification. Provides separate alarm and shutdown outputs, discrete status signals to the Remote Monitoring Gateway, and a local LED status display. |
| Radiator and Fan Assembly | D6C51018 | Air-blast heat exchanger and electrically-driven fan mounted at the end of the EDG building. Dissipates engine waste heat to ambient air. Radiator core: aluminium tube-and-fin with inlet/outlet tanks. Fan: 1.2m diameter, 480VAC three-phase motor, thermal switch controlled. Cooling capacity: 300kW at 40°C ambient. Emergency bypass mode: manual louver operation if fan fails. |
| Remote Monitoring Gateway | D4E57018 | Qualified data concentrator that collects validated parameter data from the Protective Trip Logic Unit and transmits it to the Main Control Room I&C network. Provides electrical isolation between the safety-classified EDG protection circuits and the non-nuclear instrumentation bus. Outputs: 4-20mA analogue retransmission signals for key parameters (speed, coolant temp, oil pressure, output MW/MVAR) and discrete status signals (running, fault, trip, test) via optically isolated contacts. Compliant with IEC 61850 where applicable. Read-only interface toward the control room — no control commands accepted through this path. |
| Safety Bus Transfer Contactor | D6B53018 | Electrically operated HV/LV contactor providing automatic and manual transfer of the nuclear safety bus between normal offsite supply and EDG supply. Receives open/close commands from Automatic Load Controller on LOOP detection. Interlocked with MGCB to prevent paralleling of EDG with grid. Rated for safety bus full load current (typically 800A-2000A at 415V or 400A at 11kV). Open/close position fed back to ECP and ALC for status indication. Fail-safe design: de-energise to open from normal supply in fire/fault conditions. SIL 3 by association. |
| Starting and Control Subsystem | 55F77A18 | Compressed air starting system (dual 250L air receivers at 30 bar) plus electronic control panel providing automatic start-on-demand within 10 seconds of loss-of-offsite-power (LOOP) signal. Accepts start signals from both site emergency protection system and local manual initiation. Manages engine run-up sequence, load acceptance sequencing, and trip logic (over/undervoltage, over/underfrequency, overcurrent, high temperature, low oil pressure). SIL 3 per IEC 61508. |
| Synchronous Generator Assembly | DEC51018 | Salient-pole brushless synchronous generator directly coupled to the diesel engine via rigid disc coupling. Produces 3-phase AC power at rated voltage (415V or 11kV) and frequency (50Hz) under steady-state and transient load conditions. Class H (180°C) insulation, IP54 enclosure, self-ventilated (CACW or CACA cooling). Rated continuous output at 0.8 pf lagging for nuclear EDG duty. Stator core and windings embedded with PT100 RTDs; rotor dynamically balanced to ISO 21940-11 G2.5. The primary electromechanical energy conversion component. |
| Thermostat Valve | C7B71008 | Wax-element thermostatic valve modulating coolant bypass flow during engine warm-up and steady-state temperature control. Set point 82°C (start bypass), fully open radiator circuit at 92°C. Located in the engine coolant outlet header. Fail-open to full bypass (safe: engine overheats to high-temperature trip rather than running cold). No electrical actuation. |
| Turbocharger and Charge Air System | CEC51018 | Physical assembly comprising turbocharger turbine and compressor wheel, intercooler heat exchanger, charge air manifold, and boost pressure sensors. Bolted to the diesel engine block. Receives exhaust gas energy as input; compresses and cools intake air to increase charge density. Physical housing must withstand 3 bar boost pressure and 600°C exhaust temperatures. Seismic-qualified mounting to engine block. |
| Voltage Sensing and Monitoring Unit | D4E57018 | Analogue and digital voltage monitoring assembly measuring generator output voltage (415V/11kV) and safety bus voltage for protection and synchronism check functions. Provides undervoltage (27), overvoltage (59) input signals to Generator Protection Relay and LOOP detection threshold (<80% nominal for >1.0s) to Automatic Load Controller. Dual-channel redundant measurement to meet SIL 2 requirements. 4-20mA analogue output to ECP for indication. Located in switchgear panel. |
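
The Protective Trip Logic Unit row above describes 1oo2D voting over dual-channel 4-20mA sensor inputs with a de-energise-to-trip output. The following is an added example, not code from the report or from any project it describes, showing how such a vote behaves when a channel is diagnosed faulty rather than merely in demand. The live-zero diagnostic limits (below 3.6 mA or above 21 mA treated as a loop fault, the NAMUR NE43 convention), the 4-20mA engineering spans, and the degrade-to-1oo1 policy are assumptions; the 2.5 bar oil-pressure and 95°C coolant setpoints come from the Engine Parameter Sensor Array row.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Live-zero diagnostic limits for a 4-20 mA loop (NAMUR NE43 convention).
# Assumption: the report does not state the PTLU's own loop-fault thresholds.
MA_OPEN_CIRCUIT = 3.6
MA_SHORT_CIRCUIT = 21.0


class ChannelState(Enum):
    HEALTHY = "healthy"  # in range, no trip demand
    DEMAND = "demand"    # engineering value beyond the trip setpoint
    FAULT = "fault"      # loop diagnostic failed (open or short circuit)


@dataclass(frozen=True)
class LoopSpec:
    name: str
    eng_at_4ma: float
    eng_at_20ma: float
    setpoint: float
    trip_on_low: bool  # True: trip when value <= setpoint (oil pressure); False: >= (coolant temp)


def ma_to_eng(spec: LoopSpec, ma: float) -> float:
    """Scale a loop current to engineering units (linear 4-20 mA span)."""
    return spec.eng_at_4ma + (ma - 4.0) * (spec.eng_at_20ma - spec.eng_at_4ma) / 16.0


def classify(spec: LoopSpec, ma: float) -> ChannelState:
    """Diagnose one channel: an out-of-range current is a channel fault, not a process value."""
    if ma < MA_OPEN_CIRCUIT or ma > MA_SHORT_CIRCUIT:
        return ChannelState.FAULT
    value = ma_to_eng(spec, ma)
    demand = value <= spec.setpoint if spec.trip_on_low else value >= spec.setpoint
    return ChannelState.DEMAND if demand else ChannelState.HEALTHY


def vote_1oo2d(a: ChannelState, b: ChannelState) -> tuple[bool, bool, str]:
    """1oo2D vote. Returns (relay_energised, alarm, reason).

    relay_energised=False means the de-energise-to-trip output has dropped out.
    A diagnosed-faulty channel is removed from the vote (degrade to 1oo1 on the
    survivor, with an alarm); two faulty channels leave the unit blind, so it trips.
    """
    states = (a, b)
    faults = states.count(ChannelState.FAULT)
    if faults == 2:
        return False, True, "both channels faulted: fail-safe trip"
    if ChannelState.DEMAND in states:
        return False, faults == 1, "trip demand"
    if faults == 1:
        return True, True, "single channel fault: degraded to 1oo1"
    return True, False, "healthy"


# Two of the trip functions named in the report, with the setpoints the sensor
# array row gives. The 4-20 mA engineering spans are assumptions.
OIL_PRESSURE = LoopSpec("lube oil pressure", 0.0, 10.0, 2.5, trip_on_low=True)
COOLANT_TEMP = LoopSpec("jacket coolant temperature", 0.0, 150.0, 95.0, trip_on_low=False)


def evaluate(spec: LoopSpec, ma_a: float, ma_b: float) -> tuple[bool, bool, str]:
    """Run one scan of a dual-channel trip function through the 1oo2D vote."""
    return vote_1oo2d(classify(spec, ma_a), classify(spec, ma_b))


if __name__ == "__main__":
    # Constructed sample scans: (channel A mA, channel B mA)
    samples = (
        (OIL_PRESSURE, [(12.0, 12.1), (7.0, 7.2), (2.0, 12.0), (2.0, 22.5)]),
        (COOLANT_TEMP, [(12.0, 12.0), (14.5, 14.2), (0.0, 14.5)]),
    )
    for spec, scans in samples:
        for ma_a, ma_b in scans:
            energised, alarm, reason = evaluate(spec, ma_a, ma_b)
            print(f"{spec.name:28s} A={ma_a:5.1f}mA B={ma_b:5.1f}mA -> "
                  f"{'RUN ' if energised else 'TRIP'} alarm={alarm} ({reason})")
```

The point of separating FAULT from DEMAND is that a broken loop must never be read as a healthy process value: a 0 mA open circuit on an oil-pressure channel would otherwise scale to a negative pressure and trip the engine on a wiring fault, while a short on a high-trip channel could mask a genuine demand. Treating loop faults as diagnostic events, degrading to the surviving channel with an alarm, and tripping only when both channels are lost is what keeps the unit both fail-safe and free of spurious trips.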

| Component | Belongs To |
|---|---|
| Diesel Engine Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Starting and Control Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Alternator Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Fuel Oil System | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Cooling System | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Electrical Protection and Switchgear Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Monitoring and Instrumentation Subsystem | Emergency Diesel Generator System for UK Nuclear Licensed Site |
| Compressed Air Starting System | Starting and Control Subsystem |
| Engine Control Panel | Starting and Control Subsystem |
| Automatic Load Controller | Starting and Control Subsystem |
| Isochronous Governor System | Starting and Control Subsystem |
| Generator Protection Relay | Electrical Protection and Switchgear Subsystem |
| Main Generator Circuit Breaker | Electrical Protection and Switchgear Subsystem |
| Safety Bus Transfer Contactor | Electrical Protection and Switchgear Subsystem |
| Voltage Sensing and Monitoring Unit | Electrical Protection and Switchgear Subsystem |
| Engine Block and Rotating Assembly | Diesel Engine Subsystem |
| Fuel Injection System | Diesel Engine Subsystem |
| Lubrication and Bearing System | Diesel Engine Subsystem |
| Turbocharger and Charge Air System | Diesel Engine Subsystem |
| Engine Exhaust and Silencing System | Diesel Engine Subsystem |
| Engine Parameter Sensor Array | Monitoring and Instrumentation Subsystem |
| Protective Trip Logic Unit | Monitoring and Instrumentation Subsystem |
| Local Alarm and Indication Panel | Monitoring and Instrumentation Subsystem |
| Remote Monitoring Gateway | Monitoring and Instrumentation Subsystem |
| Jacket Water Pump | Cooling System |
| Radiator and Fan Assembly | Cooling System |
| Thermostat Valve | Cooling System |
| Coolant Header Tank | Cooling System |
| Intercooler | Cooling System |
| Bulk Fuel Storage Tank | Fuel Oil System |
| Fuel Transfer Pump Set | Fuel Oil System |
| Fuel Filtration Assembly | Fuel Oil System |
| Fuel Supply Pipework and Valve Assembly | Fuel Oil System |
| Synchronous Generator Assembly | Alternator Subsystem |
| Automatic Voltage Regulator | Alternator Subsystem |
| Brushless Excitation System | Alternator Subsystem |
| Generator Stator Winding and Thermal Protection | Alternator Subsystem |
| Generator Bearing and Mechanical Support Assembly | Alternator Subsystem |

| From | To |
|---|---|
| Compressed Air Starting System | Diesel Engine Subsystem |
| Automatic Load Controller | Engine Control Panel |
| Isochronous Governor System | Diesel Engine Subsystem |
| Engine Control Panel | Compressed Air Starting System |
| Generator Protection Relay | Main Generator Circuit Breaker |
| Voltage Sensing and Monitoring Unit | Generator Protection Relay |
| Fuel Injection System | Fuel Oil System |
| Engine Block and Rotating Assembly | Alternator Subsystem |
| Turbocharger and Charge Air System | Cooling System |
| Lubrication and Bearing System | Monitoring and Instrumentation Subsystem |
| Engine Parameter Sensor Array | Protective Trip Logic Unit |
| Protective Trip Logic Unit | Engine Control Panel |
| Protective Trip Logic Unit | Local Alarm and Indication Panel |
| Protective Trip Logic Unit | Remote Monitoring Gateway |
| Remote Monitoring Gateway | Main Control Room |
| Fuel Supply Pipework and Valve Assembly | Fuel Injection System |
| Day Tank | Fuel Injection System |
| Fuel Transfer Pump Set | Day Tank |
| Fuel Oil System | Monitoring and Instrumentation Subsystem |
| Automatic Voltage Regulator | Brushless Excitation System |
| Brushless Excitation System | Synchronous Generator Assembly |
| Synchronous Generator Assembly | Main Generator Circuit Breaker |

| Component | Output |
|---|---|
| Generator Protection Relay | generator-trip-signal |
| Main Generator Circuit Breaker | electrical-isolation |
| Safety Bus Transfer Contactor | bus-transfer-action |
| Voltage Sensing and Monitoring Unit | voltage-measurement-signals |
| Engine Block and Rotating Assembly | shaft torque at 1500 RPM |
| Fuel Injection System | metered high-pressure fuel spray |
| Lubrication and Bearing System | pressurised filtered lubricating oil |
| Turbocharger and Charge Air System | compressed charge air below 45°C |
| Engine Parameter Sensor Array | 4-20mA analogue parameter signals (oil pressure, coolant temp, exhaust temp, vibration) |
| Protective Trip Logic Unit | hardwired trip and alarm outputs; status discretes for remote monitoring |
| Remote Monitoring Gateway | isolated parameter retransmission signals and status contacts to main control room I&C |
| Day Tank | Gravity-fed fuel supply to injection system |
| Bulk Fuel Storage Tank | 7-day fuel reserve with level telemetry |
| Fuel Transfer Pump Set | Pressurised fuel flow from bulk tank to day tank |
| Fuel Filtration Assembly | Filtered fuel at ≤10 micron to injection system |
| Synchronous Generator Assembly | 3-phase AC power at rated voltage and frequency |
| Automatic Voltage Regulator | Controlled excitation current to maintain ±0.5% terminal voltage |
| Brushless Excitation System | DC field current to synchronous generator rotor via rotating diode rectifier |

| Source | Target | Type | Description |
|---|---|---|---|
| SYS-REQ-001 | ARC-REQ-007 | derives | Fast start voltage stability requirement drives brushless PMG exciter architecture |
| SYS-REQ-002 | ARC-REQ-006 | derives | 168h endurance requirement drives fuel tank sizing and transfer architecture |
| SYS-REQ-002 | ARC-REQ-005 | derives | 168h endurance requirement drives cooling architecture sizing and redundancy |
| SYS-REQ-004 | ARC-REQ-004 | derives | Safety trip requirements drive separation of PTLU from non-safety M&I |
| SYS-REQ-001 | ARC-REQ-003 | derives | Diesel Engine architecture decision derives from rated output requirement |
| SYS-REQ-005 | ARC-REQ-002 | derives | SYS-REQ-005 PFD target drives independent sensing and switching chain architecture |
| SYS-REQ-003 | ARC-REQ-002 | derives | SYS-REQ-003 LOOP response requirement drives sensing/switching separation architecture |
| SYS-REQ-005 | ARC-REQ-001 | derives | SYS-REQ-005 SIL 3 PFD target drives dual-channel ALC architecture |
| SYS-REQ-004 | ARC-REQ-001 | derives | SYS-REQ-004 safety trip requirement drives ECP relay architecture |
| SYS-REQ-004 | SUB-REQ-035 | derives | Local alarm panel implements first-out alarm annunciation for trip conditions |
| SYS-REQ-004 | SUB-REQ-069 | derives | SYS-REQ-004 protection system annunciation requirements derive LAIP first-out display |
| SYS-REQ-008 | SUB-REQ-069 | derives | SYS-REQ-008 monitoring requirements derive LAIP first-out annunciation |
| SYS-REQ-008 | SUB-REQ-068 | derives | SYS-REQ-008 I&C isolation requirement derives SUB-REQ-068 monitoring gateway isolation |
| SYS-REQ-010 | SUB-REQ-067 | derives | Controlled maintenance mode entry procedure derives from system maintainability requirement |
| SYS-REQ-014 | SUB-REQ-037 | derives | JWP maintains coolant circulation throughout 5-minute cooldown per SYS-REQ-014 |
| SYS-REQ-012 | SUB-REQ-039 | derives | High-temperature alarm implements degraded condition annunciation required by SYS-REQ-012 |
| SYS-REQ-012 | SUB-REQ-031 | derives | PTLU implements fault severity classification — distinguishes non-trip faults that trigger degraded mode from safety trips |
| SYS-REQ-010 | SUB-REQ-066 | derives | Maintainability SYS requirement derives PMT sub-requirement for return-to-service verification |
| SYS-REQ-002 | SUB-REQ-061 | derives | 168h fuel storage volume drives statutory compliance requirements for petroleum storage |
| SYS-REQ-010 | SUB-REQ-060 | derives | Subsystem isolation decomposes maintainability requirement |
| SYS-REQ-009 | SUB-REQ-059 | derives | Test mode control decomposes full-load testing without safety function interruption |
| SYS-REQ-004 | SUB-REQ-058 | derives | Alarm timing decomposes safety trip annunciation response requirement |
| SYS-REQ-002 | SUB-REQ-057 | derives | Fuel oil containment decomposes 168h sustained fuel storage requirement |
| SYS-REQ-009 | SUB-REQ-056 | derives | MCB E2 endurance class decomposes monthly operational testing requirement |
| SYS-REQ-008 | SUB-REQ-055 | derives | Protection relay type-testing decomposes control and protection electronics qualification requirement |
| SYS-REQ-002 | SUB-REQ-054 | derives | Cooling System degraded mode decomposes sustained 168h operation at reduced load |
| SYS-REQ-005 | SUB-REQ-053 | derives | Fuel pump redundancy decomposes PFD reliability requirement |
| SYS-REQ-002 | SUB-REQ-052 | derives | Fuel injection timing derives from 168h continuous operation requirement |
| SYS-REQ-005 | SUB-REQ-051 | derives | Governor redundancy decomposes PFD reliability requirement |
| SYS-REQ-004 | SUB-REQ-048 | derives | Bearing thermal alarm implements generator bearing over-temperature trip condition |
| SYS-REQ-004 | SUB-REQ-047 | derives | Stator winding thermal alarm implements generator over-temperature trip condition |
| SYS-REQ-002 | SUB-REQ-045 | derives | Fuel temperature maintenance implements cold-weather operability for sustained ops |
| SYS-REQ-002 | SUB-REQ-043 | derives | Fuel filtration implements fuel quality for 168h sustained operation |
| SYS-REQ-004 | SUB-REQ-039 | derives | Cooling System implements coolant high-temperature alarm for safety trip chain |
| SYS-REQ-002 | SUB-REQ-038 | derives | Radiator heat dissipation implements sustained 168h operation thermal requirement |
| SYS-REQ-003 | SUB-REQ-001 | derives | SYS-REQ-003 LOOP response initiation → ALC LOOP detection and start demand |
| SYS-REQ-003 | SUB-REQ-002 | derives | SYS-REQ-003 10-second LOOP response → compressed air capacity for 3 start attempts |
| SYS-REQ-001 | SUB-REQ-003 | derives | SYS-REQ-001 50Hz ±1% frequency requirement → governor ±0.5% speed regulation |
| SYS-REQ-004 | SUB-REQ-004 | derives | SYS-REQ-004 5-second controlled shutdown → ECP 500ms trip initiation |
| SYS-REQ-004 | SUB-REQ-005 | derives | SYS-REQ-004 trip latch/manual reset requirement → start attempt limit and lockout |
| SYS-REQ-005 | SUB-REQ-006 | derives | SYS-REQ-005 SIL 3 PFD → ALC dual-channel 2oo2 voting architecture |
| SYS-REQ-001 | SUB-REQ-008 | derives | SYS-REQ-001 frequency requirement → governor manual speed trim for operator adjustment |
| SYS-REQ-009 | SUB-REQ-007 | derives | SYS-REQ-009 full-load testing without interruption → ALC hardwired test inhibit |
| SYS-REQ-004 | SUB-REQ-009 | derives | SYS-REQ-004 generator differential fault trip → GPR 87G differential protection |
| SYS-REQ-004 | SUB-REQ-015 | derives | SYS-REQ-004 controlled shutdown requirement → GPR fail-safe self-test output |
| SYS-REQ-003 | SUB-REQ-012 | derives | SYS-REQ-003 LOOP response timeline → SBTC bus transfer timing |
| SYS-REQ-005 | SUB-REQ-014 | derives | SYS-REQ-005 SIL 3 PFD → dual-channel voltage sensing redundancy |
| SYS-REQ-001 | SUB-REQ-011 | derives | SYS-REQ-001 startup load acceptance → MGCB rated fault current interruption |
| SYS-REQ-004 | SUB-REQ-010 | derives | SYS-REQ-004 overcurrent trip condition → GPR overcurrent protection function |
| SYS-REQ-004 | SUB-REQ-016 | derives | SYS-REQ-004 overspeed trip → governor watchdog fail-safe state |
| SYS-REQ-001 | SUB-REQ-017 | derives | Shaft output to rated 1500RPM derives from 50Hz frequency requirement |
| SYS-REQ-002 | SUB-REQ-018 | derives | 168-hour engine endurance derives from sustained output requirement |
| SYS-REQ-004 | SUB-REQ-019 | derives | Low oil pressure shutdown derives from system trip conditions |
| SYS-REQ-004 | SUB-REQ-020 | derives | Mechanical overspeed trip derives from system overspeed trip condition |
| SYS-REQ-003 | SUB-REQ-021 | derives | Fuel injection response time derives from 10-second start requirement |
| SYS-REQ-007 | SUB-REQ-022 | derives | Turbocharger boost at low load derives from load sequencing requirement |
| SYS-REQ-003 | SUB-REQ-023 | derives | Cold start preheat derives from start time and environmental temperature requirements |
| SYS-REQ-004 | SUB-REQ-024 | derives | Crankcase explosion safe state derives from safety trip conditions |
| SYS-REQ-003 | SUB-REQ-026 | derives | ALC LOOP input interface derives from system auto-start requirement |
| SYS-REQ-006 | SUB-REQ-027 | derives | Diesel engine seismic qualification derives from system seismic requirement |
| SYS-REQ-008 | SUB-REQ-028 | derives | Control electronics EMC compliance derives from system EMC requirement |
| SYS-REQ-010 | SUB-REQ-029 | derives | Diesel engine maintainability derives from system tools/spares constraint |
| SYS-REQ-004 | SUB-REQ-030 | derives | EPSA dual-channel requirement derives from system-level trip detection |
| SYS-REQ-004 | SUB-REQ-031 | derives | PTLU response time derives from system trip detection timing |
| SYS-REQ-008 | SUB-REQ-034 | derives | RMG isolation derives from system EMC and cyber isolation requirement |
| SYS-REQ-006 | SUB-REQ-036 | derives | M&I seismic req derives from system seismic qualification |
| SYS-REQ-002 | SUB-REQ-037 | derives | Jacket water flow derives from system 168-hour endurance requirement |
| SYS-REQ-002 | SUB-REQ-040 | derives | Day Tank 8h autonomous reserve derives from 168h total system requirement |
| SYS-REQ-002 | SUB-REQ-041 | derives | Bulk tank 168h capacity is the primary derivation of the system 168h requirement |
| SYS-REQ-004 | SUB-REQ-044 | derives | Fuel fire isolation is a safety trip action required by the system safety trip requirement |
| SYS-REQ-002 | SUB-REQ-041 | derives | Bulk tank 168h capacity derives from system 168h requirement |
| SYS-REQ-002 | SUB-REQ-040 | derives | Day Tank 8h buffer derives from 168h sustained operation requirement |
| SYS-REQ-004 | SUB-REQ-044 | derives | Fuel fire isolation implements the safe state for fire hazard |
| SYS-REQ-001 | SUB-REQ-046 | derives | AVR voltage regulation derives from system rated voltage and frequency requirement |
| SYS-REQ-001 | SUB-REQ-049 | derives | Excitation build-up time derives from system rated voltage requirement during LOOP start |
| SYS-REQ-004 | SUB-REQ-050 | derives | Stator earth fault safe state derives from system safety trip requirement |
| SYS-REQ-003 | SUB-REQ-025 | derives | ALC implements LOOP signal reception from site electrical protection system |
| SYS-REQ-004 | SUB-REQ-033 | derives | PTLU implements dual-channel sensor fault detection for trip conditions |
| SYS-REQ-001 | IFC-REQ-019 | derives | Engine-generator shaft interface implements mechanical power coupling for voltage/frequency generation |
| SYS-REQ-002 | IFC-REQ-016 | derives | Fuel transfer pump to day tank interface implements 168h autonomous fuel supply chain |
| SYS-REQ-002 | IFC-REQ-014 | derives | Jacket water pump to radiator interface implements sustained cooling for 168h operation |
| SYS-REQ-004 | IFC-REQ-013 | derives | PTLU to Remote Monitoring Gateway interface propagates trip and alarm status |
| SYS-REQ-005 | IFC-REQ-007 | derives | SYS-REQ-005 SIL 3 PFD → Class 1E battery-backed 24VDC supply for ALC interfaces |
| STK-REQ-002 | SYS-REQ-018 | derives | STK-REQ-002 drives SYS-REQ-018 degraded mode capability |
| STK-REQ-002 | SYS-REQ-012 | derives | Degraded mode operation derived from 7-day continuous operation stakeholder need |
| STK-REQ-001 | SYS-REQ-017 | derives | Emergency power provision STK requirement derives the degraded mode exit recovery behavior |
| STK-REQ-003 | SYS-REQ-016 | derives | Cyber isolation derived from ONR regulatory compliance requirement for Category A safety systems |
| STK-REQ-007 | SYS-REQ-015 | derives | Single-train DC coping requirement derived from stakeholder 8-hour battery autonomy need |
| STK-REQ-001 | SYS-REQ-014 | derives | Cooldown shutdown behavior derived from emergency power provision requirement |
| STK-REQ-007 | SYS-REQ-011 | derives | STK-REQ-007 diverse backup mandate derives SYS-REQ-011 CCF architectural constraint |
| STK-REQ-001 | SYS-REQ-012 | derives | Degraded mode operation derived from LOOP survivability need |
| STK-REQ-001 | SYS-REQ-011 | derives | Emergency power provision stakeholder need drives CCF architectural constraint |
| STK-REQ-006 | SYS-REQ-010 | derives | STK-REQ-006 maintainability and return to service → SYS-REQ-010 maintenance interval constraints |
| STK-REQ-004 | SYS-REQ-009 | derives | STK-REQ-004 monthly full-load testing → SYS-REQ-009 testability without plant interruption |
| STK-REQ-003 | SYS-REQ-008 | derives | STK-REQ-003 nuclear safety EMC compliance → SYS-REQ-008 EMC immunity requirement |
| STK-REQ-001 | SYS-REQ-007 | derives | STK-REQ-001 all safety loads supplied → SYS-REQ-007 controlled load sequencing |
| STK-REQ-005 | SYS-REQ-006 | derives | STK-REQ-005 post-seismic operability → SYS-REQ-006 seismic qualification requirement |
| STK-REQ-003 | SYS-REQ-005 | derives | STK-REQ-003 IEC 61508 compliance → SYS-REQ-005 SIL 3 PFD target |
| STK-REQ-002 | SYS-REQ-002 | derives | STK-REQ-002 7-day self-sufficient operation → SYS-REQ-002 168-hour rated output endurance |
| STK-REQ-001 | SYS-REQ-003 | derives | STK-REQ-001 automatic emergency power restoration → SYS-REQ-003 LOOP response sequence |
| STK-REQ-001 | SYS-REQ-001 | derives | STK-REQ-001 qualified standby power → SYS-REQ-001 voltage/frequency start-up spec |

| Verification | Requirement | Type | Description |
|---|---|---|---|
| VER-REQ-032 | ARC-REQ-007 | verifies | Brushless excitation cold start test verifies Alternator Subsystem architecture |
| VER-REQ-027 | ARC-REQ-006 | verifies | Day tank fuel reserve and gravity-feed test verifies Fuel Oil System architecture |
| VER-REQ-026 | ARC-REQ-005 | verifies | Cooling system capacity test verifies five-component Cooling System architecture |
| VER-REQ-073 | ARC-REQ-004 | verifies | Post-seismic M&I system test verifies Monitoring and Instrumentation architecture |
| VER-REQ-059 | ARC-REQ-003 | verifies | 168-hour continuous load test verifies Diesel Engine Subsystem five-component architecture |
| VER-REQ-008 | ARC-REQ-002 | verifies | SBTC + bus transfer test verifies Electrical Protection Subsystem architecture |
| VER-REQ-015 | ARC-REQ-001 | verifies | DES end-to-end integration test verifies Starting and Control Subsystem architecture |
| VER-REQ-099 | STK-REQ-007 | verifies | DC battery coping time test verifies stakeholder 8-hour DC backup requirement |
| VER-REQ-097 | STK-REQ-001 | verifies | Witnessed acceptance demonstration validates emergency start stakeholder requirement |
| VER-REQ-089 | STK-REQ-006 | verifies | LOTO access inspection validates maintenance isolation stakeholder requirement |
| VER-REQ-081 | STK-REQ-005 | verifies | Seismic qualification analysis validates EDG survivability stakeholder requirement |
| VER-REQ-092 | STK-REQ-004 | verifies | Surveillance test demonstration validates periodic full-load testing stakeholder requirement |
| VER-REQ-080 | STK-REQ-003 | verifies | SIL-3 PFD_avg reliability analysis validates ONR Safety Assessment Principles compliance |
| VER-REQ-078 | STK-REQ-002 | verifies | 168-hour continuous test validates sustained emergency power stakeholder need |
| VER-REQ-004 | STK-REQ-001 | verifies | End-to-end LOOP simulation validates emergency start stakeholder requirement |
| VER-REQ-063 | SUB-REQ-027 | verifies | Seismic qualification analysis verifies SUB-REQ-027 IEEE 344 compliance |
| VER-REQ-068 | SUB-REQ-026 | verifies | ALC LOOP signal latency test verifies SUB-REQ-026 200ms timing |
| VER-REQ-109 | SUB-REQ-067 | verifies | Maintenance mode entry test verifies controlled LOTO entry procedure |
| VER-REQ-106 | SUB-REQ-006 | verifies | ALC 2oo2 channel voting functional failure test verifies single-channel failure behavior required by SUB-REQ-006 |
| VER-REQ-101 | SUB-REQ-066 | verifies | PMT demonstration verifies post-maintenance return-to-service requirement |
| VER-REQ-096 | SUB-REQ-061 | verifies | VER-REQ-096 inspects petroleum licence, ATEX zoning, and CIRIA C736 containment records against SUB-REQ-061 |
| VER-REQ-095 | SUB-REQ-029 | verifies | VER-REQ-095 demonstrates minor servicing with site-held tools only, verifying SUB-REQ-029 maintainability constraint |
| VER-REQ-094 | SUB-REQ-035 | verifies | VER-REQ-094 tests first-out alarm timing (500ms) and latching for all LAIP trip functions in SUB-REQ-035 |
| VER-REQ-089 | SUB-REQ-060 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-088 | SUB-REQ-057 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-087 | SUB-REQ-052 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-086 | SUB-REQ-048 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-085 | SUB-REQ-045 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-084 | SUB-REQ-043 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-083 | SUB-REQ-037 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-082 | SUB-REQ-023 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-076 | SUB-REQ-022 | verifies | Turbocharger boost pressure at rated load |
| VER-REQ-075 | SUB-REQ-054 | verifies | Cooling thermal transient test under full load step |
| VER-REQ-074 | SUB-REQ-030 | verifies | Dual-channel sensor cross-comparison test |
| VER-REQ-073 | SUB-REQ-036 | verifies | Seismic qualification test per IEEE 344 |
| VER-REQ-072 | SUB-REQ-041 | verifies | Fuel volume dimensional survey |
| VER-REQ-071 | SUB-REQ-021 | verifies | Fuel rack response time test |
| VER-REQ-070 | SUB-REQ-039 | verifies | High-temp trip injection test |
| VER-REQ-069 | SUB-REQ-062 | verifies | 3-start air pressure endurance test |
| VER-REQ-068 | SUB-REQ-025 | verifies | ALC LOOP signal latency test |
| VER-REQ-015 | SUB-REQ-063 | verifies | Integration test verifies engine acceleration requirement |
| VER-REQ-065 | SUB-REQ-056 | verifies | VER test for SUB-REQ-056 |
| VER-REQ-064 | SUB-REQ-028 | verifies | VER test for SUB-REQ-028 |
| VER-REQ-063 | SUB-REQ-027 | verifies | VER test for SUB-REQ-027 |
| VER-REQ-062 | SUB-REQ-026 | verifies | VER test for SUB-REQ-026 |
| VER-REQ-061 | SUB-REQ-064 | verifies | VER test for SUB-REQ-064 |
| VER-REQ-060 | SUB-REQ-065 | verifies | VER test for SUB-REQ-065 |
| VER-REQ-059 | SUB-REQ-018 | verifies | VER test for SUB-REQ-018 |
| VER-REQ-058 | SUB-REQ-017 | verifies | VER test for SUB-REQ-017 |
| VER-REQ-053 | SUB-REQ-014 | verifies | VER test for SUB-REQ-014 |
| VER-REQ-052 | SUB-REQ-012 | verifies | VER test for SUB-REQ-012 |
| VER-REQ-051 | SUB-REQ-011 | verifies | VER test for SUB-REQ-011 |
| VER-REQ-050 | SUB-REQ-008 | verifies | VER test for SUB-REQ-008 |
| VER-REQ-049 | SUB-REQ-007 | verifies | VER test for SUB-REQ-007 |
| VER-REQ-048 | SUB-REQ-006 | verifies | VER test for SUB-REQ-006 |
| VER-REQ-047 | SUB-REQ-005 | verifies | VER test for SUB-REQ-005 |
| VER-REQ-046 | SUB-REQ-050 | verifies | VER test for SUB-REQ-050 |
| VER-REQ-045 | SUB-REQ-058 | verifies | VER test for SUB-REQ-058 |
| VER-REQ-044 | SUB-REQ-047 | verifies | VER test for SUB-REQ-047 |
| VER-REQ-043 | SUB-REQ-044 | verifies | VER test for SUB-REQ-044 |
| VER-REQ-042 | SUB-REQ-033 | verifies | VER test for SUB-REQ-033 |
| VER-REQ-041 | SUB-REQ-024 | verifies | VER test for SUB-REQ-024 |
| VER-REQ-040 | SUB-REQ-010 | verifies | VER test for SUB-REQ-010 |
| VER-REQ-039 | SUB-REQ-004 | verifies | VER test for SUB-REQ-004 |
| VER-REQ-038 | SUB-REQ-059 | verifies | VER test for SUB-REQ-059 |
| VER-REQ-037 | SUB-REQ-055 | verifies | VER test for SUB-REQ-055 |
| VER-REQ-036 | SUB-REQ-053 | verifies | VER test for SUB-REQ-053 |
| VER-REQ-035 | SUB-REQ-051 | verifies | VER test for SUB-REQ-051 |
| VER-REQ-032 | SUB-REQ-049 | verifies | VER test for SUB-REQ-049 |
| VER-REQ-031 | SUB-REQ-046 | verifies | VER test for SUB-REQ-046 |
| VER-REQ-026 | SUB-REQ-038 | verifies | VER test for SUB-REQ-038 |
| VER-REQ-023 | SUB-REQ-032 | verifies | VER test for SUB-REQ-032 |
| VER-REQ-022 | SUB-REQ-031 | verifies | VER test for SUB-REQ-031 |
| VER-REQ-020 | SUB-REQ-016 | verifies | VER test for SUB-REQ-016 |
| VER-REQ-019 | SUB-REQ-015 | verifies | VER test for SUB-REQ-015 |
| VER-REQ-018 | SUB-REQ-003 | verifies | VER test for SUB-REQ-003 |
| VER-REQ-017 | SUB-REQ-002 | verifies | VER test for SUB-REQ-002 |
| VER-REQ-016 | SUB-REQ-001 | verifies | VER test for SUB-REQ-001 |
| VER-REQ-014 | SUB-REQ-020 | verifies | VER test for SUB-REQ-020 |
| VER-REQ-013 | SUB-REQ-019 | verifies | VER test for SUB-REQ-019 |
| VER-REQ-008 | SUB-REQ-012 | verifies | Combined MGCB test verifies SUB-REQ-012 |
| VER-REQ-006 | SUB-REQ-013 | verifies | VER test for SUB-REQ-013 |
| VER-REQ-005 | SUB-REQ-009 | verifies | VER test for SUB-REQ-009 |
| VER-REQ-067 | SUB-REQ-034 | verifies | RMG penetration test and isolation resistance measurement verifies SUB-REQ-034 |
| VER-REQ-065 | SUB-REQ-056 | verifies | MGCB type test certificate inspection verifies SUB-REQ-056 |
| VER-REQ-064 | SUB-REQ-028 | verifies | EMC immunity test verifies SUB-REQ-028 IEC 61000-6-2/6-7 compliance |
| VER-REQ-006 | SUB-REQ-013 | verifies | SUB-REQ-013 SBTC mechanical interlock spec → VER-REQ-006 interlock test |
| VER-REQ-005 | SUB-REQ-009 | verifies | SUB-REQ-009 GPR 87G differential protection spec → VER-REQ-005 differential fault injection test |
| VER-REQ-014 | SUB-REQ-020 | verifies | Mechanical overspeed trip actuation test verifies SUB-REQ-020 |
| VER-REQ-013 | SUB-REQ-019 | verifies | Lube pressure trip timing test verifies SUB-REQ-019 |
| VER-REQ-027 | SUB-REQ-040 | verifies | Endurance test verifies 8h day tank capacity |
| VER-REQ-038 | SUB-REQ-059 | verifies | Test mode demonstration verifies non-disruptive full-load testing capability |
| VER-REQ-037 | SUB-REQ-055 | verifies | Type-test certificate inspection verifies IEC 60255 compliance |
| VER-REQ-036 | SUB-REQ-053 | verifies | Duty/standby pump switchover test verifies fuel transfer redundancy |
| VER-REQ-035 | SUB-REQ-051 | verifies | Governor channel fault injection test verifies dual-channel redundancy |
| VER-REQ-026 | SUB-REQ-038 | verifies | Cooling capacity commissioning test verifies Radiator 280 kW dissipation requirement |
| VER-REQ-032 | SUB-REQ-049 | verifies | Black-start test verifies excitation build-up time and overshoot |
| VER-REQ-031 | SUB-REQ-046 | verifies | Load bank test verifies AVR voltage regulation at steady state and step load |
| VER-REQ-039 | SUB-REQ-004 | verifies | Overspeed trip timing test verifies ECP 500ms shutdown requirement |
| VER-REQ-040 | SUB-REQ-010 | verifies | Secondary injection test verifies GPR overcurrent timing and coordination |
| VER-REQ-041 | SUB-REQ-024 | verifies | Crankcase relief actuation test verifies hardwired trip path timing |
| VER-REQ-042 | SUB-REQ-033 | verifies | Sensor fault injection test verifies PTLU 1-second channel-fault detection |
| VER-REQ-043 | SUB-REQ-044 | verifies | Fire isolation actuation test verifies 10s valve closure with day tank path maintained |
| VER-REQ-044 | SUB-REQ-047 | verifies | PT100 simulation test verifies stator thermal alarm/trip thresholds and accuracy |
| VER-REQ-045 | SUB-REQ-058 | verifies | Alarm injection test verifies 2-second presentation criterion and EEMUA 191 compliance |
| VER-REQ-046 | SUB-REQ-050 | verifies | Earth fault isolation timing test verifies 200ms stator de-energisation from both sources |
| VER-REQ-028 | SUB-REQ-042 | verifies | Functional test verifies pump auto-start timing and fill rate |
| VER-REQ-027 | SUB-REQ-040 | verifies | Endurance test verifies 8h day tank autonomous reserve |
| VER-REQ-023 | SUB-REQ-032 | verifies | Power loss safe state test verifies fail-safe requirement |
| VER-REQ-022 | SUB-REQ-031 | verifies | Trip response time test verifies PTLU timing requirement |
| VER-REQ-020 | SUB-REQ-016 | verifies | Governor watchdog trip test verifies SUB-REQ-016 fail-safe timing |
| VER-REQ-019 | SUB-REQ-015 | verifies | GPR fail-safe test verifies SUB-REQ-015 safe state requirement |
| VER-REQ-018 | SUB-REQ-003 | verifies | Governor load step test verifies SUB-REQ-003 speed accuracy |
| VER-REQ-017 | SUB-REQ-002 | verifies | Compressed air endurance test verifies SUB-REQ-002 |
| VER-REQ-016 | SUB-REQ-001 | verifies | ALC LOOP detection test verifies SUB-REQ-001 |
| VER-REQ-047 | SUB-REQ-005 | verifies | Failed-to-start latch and MCR alarm timing test |
| VER-REQ-048 | SUB-REQ-006 | verifies | ALC 2oo2 dual-channel voting architecture analysis |
| VER-REQ-049 | SUB-REQ-007 | verifies | ALC key-switch inhibit functional test and wiring inspection |
| VER-REQ-050 | SUB-REQ-008 | verifies | Governor manual speed trim range and auto-revert on synchronise demonstration |
| VER-REQ-051 | SUB-REQ-011 | verifies | MGCB fault interruption capacity and clearing time verification |
| VER-REQ-052 | SUB-REQ-012 | verifies | Safety bus transfer contactor 150ms timing test |
| VER-REQ-053 | SUB-REQ-014 | verifies | VSMU dual-channel discrepancy alarm 2s timing test |
| VER-REQ-058 | SUB-REQ-017 | verifies | Engine torque and 10-second rated-speed attainment test |
| VER-REQ-059 | SUB-REQ-018 | verifies | 168-hour continuous endurance test at rated load |
| VER-REQ-017 | SUB-REQ-062 | verifies | Compressed air starting system 3-attempt cranking test - updated requirement |
| VER-REQ-058 | SUB-REQ-063 | verifies | Engine acceleration to 1500 RPM within 10 seconds - updated requirement |
| VER-REQ-060 | SUB-REQ-065 | verifies | Bulk fuel storage tank capacity calculation analysis |
| VER-REQ-061 | SUB-REQ-064 | verifies | Turbocharger boost pressure map compliance and anti-surge test |
| VER-REQ-027 | SUB-REQ-040 | verifies | Day tank 8h autonomous reserve test verifies SUB-REQ-040 |
| VER-REQ-028 | SUB-REQ-042 | verifies | Fuel transfer pump auto-start test verifies SUB-REQ-042 |
| VER-REQ-062 | SUB-REQ-026 | verifies | ALC 200ms start initiation timing test verifies SUB-REQ-026 |
| VER-REQ-057 | IFC-REQ-019 | verifies | VER test for IFC-REQ-019 |
| VER-REQ-056 | IFC-REQ-016 | verifies | VER test for IFC-REQ-016 |
| VER-REQ-055 | IFC-REQ-014 | verifies | VER test for IFC-REQ-014 |
| VER-REQ-054 | IFC-REQ-013 | verifies | VER test for IFC-REQ-013 |
| VER-REQ-034 | IFC-REQ-020 | verifies | VER test for IFC-REQ-020 |
| VER-REQ-033 | IFC-REQ-018 | verifies | VER test for IFC-REQ-018 |
| VER-REQ-025 | IFC-REQ-012 | verifies | VER test for IFC-REQ-012 |
| VER-REQ-024 | IFC-REQ-011 | verifies | VER test for IFC-REQ-011 |
| VER-REQ-021 | IFC-REQ-007 | verifies | VER test for IFC-REQ-007 |
| VER-REQ-012 | IFC-REQ-010 | verifies | VER test for IFC-REQ-010 |
| VER-REQ-011 | IFC-REQ-009 | verifies | VER test for IFC-REQ-009 |
| VER-REQ-010 | IFC-REQ-008 | verifies | VER test for IFC-REQ-008 |
| VER-REQ-009 | IFC-REQ-005 | verifies | VER test for IFC-REQ-005 |
| VER-REQ-008 | IFC-REQ-006 | verifies | VER test for IFC-REQ-006 |
| VER-REQ-007 | IFC-REQ-004 | verifies | VER test for IFC-REQ-004 |
| VER-REQ-003 | IFC-REQ-003 | verifies | VER test for IFC-REQ-003 |
| VER-REQ-002 | IFC-REQ-002 | verifies | VER test for IFC-REQ-002 |
| VER-REQ-001 | IFC-REQ-001 | verifies | VER test for IFC-REQ-001 |
| VER-REQ-030 | IFC-REQ-017 | verifies | Fuel level switch NC topology test verifies IFC-REQ-017 |
| VER-REQ-029 | IFC-REQ-015 | verifies | Day tank gravity-feed pressure test verifies IFC-REQ-015 |
| VER-REQ-057 | IFC-REQ-019 | verifies | Torsional vibration analysis and coupling torque rating review |
| VER-REQ-056 | IFC-REQ-016 | verifies | Fuel transfer pump 150% delivery margin and fill line position test |
| VER-REQ-055 | IFC-REQ-014 | verifies | JWP-radiator pipe bore, pressure, temperature and isolation valve inspection |
| VER-REQ-054 | IFC-REQ-013 | verifies | PTLU-RMG signal protocol, latency and isolation test |
| VER-REQ-029 | IFC-REQ-015 | verifies | Day tank fuel supply pressure test verifies gravity-feed interface specification |
| VER-REQ-021 | IFC-REQ-007 | verifies | 24VDC battery endurance test verifies IFC-REQ-007 |
| VER-REQ-024 | IFC-REQ-011 | verifies | Loop fault detection test verifies EPSA-PTLU interface |
| VER-REQ-025 | IFC-REQ-012 | verifies | Hardwired relay topology test verifies PTLU-ECP interface |
| VER-REQ-030 | IFC-REQ-017 | verifies | Fail-safe test verifies level switch normally-energised logic to LAIP |
| VER-REQ-033 | IFC-REQ-018 | verifies | Calibration and isolation test verifies VSMU to AVR 4-20mA interface |
| VER-REQ-034 | IFC-REQ-020 | verifies | PT100 substitution and fault injection test verifies stator RTD to PTLU interface |
| VER-REQ-029 | IFC-REQ-015 | verifies | Pressure test verifies fuel supply interface compliance |
| VER-REQ-010 | IFC-REQ-008 | verifies | Fuel supply interface test verifies IFC-REQ-008 pressure/temperature parameters |
| VER-REQ-011 | IFC-REQ-009 | verifies | Critical speed analysis and coupling inspection verifies IFC-REQ-009 |
| VER-REQ-012 | IFC-REQ-010 | verifies | Cooling interface temperature test verifies IFC-REQ-010 |
| VER-REQ-001 | IFC-REQ-001 | verifies | IFC-REQ-001 ALC→ECP start demand spec → VER-REQ-001 signal verification test |
| VER-REQ-002 | IFC-REQ-002 | verifies | IFC-REQ-002 ECP→starting system solenoid spec → VER-REQ-002 solenoid valve timing test |
| VER-REQ-003 | IFC-REQ-003 | verifies | IFC-REQ-003 governor interface response spec → VER-REQ-003 step load response test |
| VER-REQ-007 | IFC-REQ-004 | verifies | IFC-REQ-004 GPR→MGCB trip circuit spec → VER-REQ-007 de-energise trip time test |
| VER-REQ-008 | IFC-REQ-006 | verifies | IFC-REQ-006 ALC→SBTC bus transfer spec → VER-REQ-008 end-to-end transfer test |
| VER-REQ-009 | IFC-REQ-005 | verifies | IFC-REQ-005 VSMU output signal spec → VER-REQ-009 calibration accuracy test |
| VER-REQ-100 | SYS-REQ-012 | verifies | Degraded mode test verifies 60% rated power and 2-hour performance floor |
| VER-REQ-108 | SYS-REQ-016 | verifies | Active penetration test verifies cyber isolation requirement under adversarial conditions |
| VER-REQ-107 | SYS-REQ-017 | verifies | Degraded mode exit recovery test verifies fault-cleared transition requirement |
| VER-REQ-105 | SYS-REQ-016 | verifies | Cyber isolation inspection verifies EDG control system network isolation requirement |
| VER-REQ-104 | SYS-REQ-015 | verifies | Battery coping analysis verifies single-train failure DC coping requirement |
| VER-REQ-103 | SYS-REQ-014 | verifies | Verification test for cooldown shutdown mode requirement |
| VER-REQ-102 | SYS-REQ-011 | verifies | Train separation demonstration verifies SIL-4 CCF independence architectural requirement |
| VER-REQ-099 | SYS-REQ-011 | verifies | DC battery coping time test verifies CCF safe state architecture in SYS-REQ-011 |
| VER-REQ-098 | SYS-REQ-004 | verifies | Cyber security inspection verifies hardwired trip architecture in SYS-REQ-004 |
| VER-REQ-093 | SYS-REQ-010 | verifies | VER-REQ-093 inspects stores inventory, maintenance records and tooling availability against SYS-REQ-010 intervals and site-only tooling constraint |
| VER-REQ-092 | SYS-REQ-009 | verifies | VER-REQ-092 demonstrates 30-minute surveillance test and 10-minute hot standby recovery |
| VER-REQ-091 | SYS-REQ-008 | verifies | VER-REQ-091 tests EMC immunity of EDG control electronics per BS EN IEC 61000 industrial levels |
| VER-REQ-090 | SYS-REQ-007 | verifies | VER-REQ-090 tests load sequencing voltage and frequency transient thresholds specified in SYS-REQ-007 |
| VER-REQ-081 | SYS-REQ-006 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-080 | SYS-REQ-005 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-079 | SYS-REQ-004 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-078 | SYS-REQ-002 | verifies | VER → SYS/SUB verification trace for SIL-gap closure |
| VER-REQ-077 | SYS-REQ-012 | verifies | Degraded mode functional test |
| VER-REQ-004 | SYS-REQ-003 | verifies | End-to-end start test verifies SYS-REQ-003 |
| VER-REQ-004 | SYS-REQ-001 | verifies | VER test for SYS-REQ-001 |
| VER-REQ-066 | SYS-REQ-011 | verifies | CCF architectural safety analysis verifies SYS-REQ-011 |
| VER-REQ-015 | SYS-REQ-001 | verifies | End-to-end diesel engine integration test verifies SYS-REQ-001 rated output |
| VER-REQ-015 | SYS-REQ-003 | verifies | End-to-end diesel engine integration test verifies SYS-REQ-003 start time |
| VER-REQ-004 | SYS-REQ-001 | verifies | SYS-REQ-001 startup performance → VER-REQ-004 end-to-end LOOP acceptance test |