Interlock and Emergency Shutdown System — SIL-3 Architecture Decomposed
System
The Fusion Reactor Control System (se-fusion-reactor-control-system) is in early decomposition. Of eight subsystems established last session, the {{entity:Interlock and Emergency Shutdown System}} was selected first on engineering priority: it is the only SIL-3 classified subsystem, the one that physically prevents disruption damage, and its architecture constrains every other subsystem’s interface to the safety bus.
Decomposition
The {{entity:Interlock and Emergency Shutdown System}} breaks into four components, each mapping to a layer in the IEC 61508 safety function architecture:
| Component | Role | Hex |
|---|---|---|
| {{entity:Trip Parameter Monitor}} | 3-channel redundant threshold detection | {{hex:D4E47018}} |
| {{entity:Safety Logic Processor}} | 2oo3 voted hardwired logic solver | {{hex:D1B77858}} |
| {{entity:Emergency Shutdown Sequencer}} | Final element — coordinated plasma termination | {{hex:51F73A18}} |
| Safety Parameter Display System | Qualified operator indication (Class 1E) | {{hex:54CD7858}} |
The decomposition follows the IEC 61508 sensor → logic solver → final element chain. The {{entity:Safety Parameter Display System}} is the fourth element — independently backed and physically isolated from the operational I&C network.
flowchart TB
n0["Trip Parameter Monitor"]
n1["Safety Logic Processor"]
n2["Emergency Shutdown Sequencer"]
n3["Safety Parameter Display"]
n0 -->|trip signal 24VDC| n1
n1 -->|trip actuation| n2
n1 -->|safety status data| n3
Analysis
The cross-domain semantic search returned a strong analog: the {{entity:ESF Coincidence Logic Processor}} from a pressurised water reactor nuclear protection system (similarity 0.79). Comparison is instructive: the ESF uses 2oo4 voting on FPGA (no software) and requires response within 100 ms. The fusion IESS must respond in 10 ms — a 10× tighter constraint driven by disruption plasma dynamics versus slow-moving PWR thermal transients. The FPGA-without-software design pattern from the ESF analog is directly relevant: the ARC for the {{entity:Interlock and Emergency Shutdown System}} records the choice of hardwired relay logic over software PLCs for identical reasons — elimination of digital common-cause failure modes. The {{entity:Vital Processing Unit}} (railway interlocking, SIL 4, 2oo3 lock-step) was a second strong match, confirming the hex profile of {{hex:D1B77858}} sits in the canonical cluster for voted safety logic hardware.
Lint (56 findings, 10 high) identified a genuine omission: the IESS was classified as {{trait:Powered}} with no power budget requirement. {{sys:SYS-REQ-004}} and {{sub:SUB-REQ-004}} mentioned battery backup informally, but no formal requirement existed. {{sub:SUB-REQ-007}} was added: 24 VDC ±10%, 8-hour autonomy, 20 ms switchover. The 10 high-severity findings for power budgets on external systems (plasma diagnostics, superconducting magnets, site protection) are acknowledged — those are external systems outside specification authority and intentionally not specified here.
Requirements
Seven subsystem requirements ({{sub:SUB-REQ-001}} through {{sub:SUB-REQ-007}}) were created. The critical ones:
- {{sub:SUB-REQ-001}}: 2oo3 logic, 10 ms trip response — the timing chain anchor for all other IESS requirements
- {{sub:SUB-REQ-002}}: Power-fail-safe (de-energise-to-trip) — eliminates the class of failure where a fault in the trip circuit prevents shutdown
- {{sub:SUB-REQ-004}}: Emergency Shutdown Sequencer timing — 20 ms MGI, 30 ms divertor valve, 50 ms heating zero-power, all from battery only
- {{sub:SUB-REQ-006}}: Physical segregation from Plant Control and I&C — opto-isolated unidirectional interfaces, no bidirectional path
Two interface requirements: {{ifc:IFC-REQ-004}} ({{entity:Trip Parameter Monitor}} to {{entity:Safety Logic Processor}}: hardwired 24 VDC, 2 ms max propagation, 2 kV galvanic isolation) and {{ifc:IFC-REQ-005}} ({{entity:Safety Logic Processor}} to {{entity:Emergency Shutdown Sequencer}}: energise-to-hold run-permit, loss of signal unconditionally initiates shutdown).
Five verification entries ({{sub:VER-REQ-001}} through {{sub:VER-REQ-005}}) were created, including an end-to-end chain integration test ({{sub:VER-REQ-005}}) that validates the complete 30 ms sensor-to-sequencer chain. Trace coverage: 6 of 7 SUB reqs have VER entries; all IFC reqs verified.
Baseline BL-SEFUSIONREACTORCONTROLSYSTEM-002 created at 33 requirements.
Next
Seven subsystems remain undecomposed: Plasma Control System, Plasma Diagnostics Integration System, Fuel Injection and Burn Control, Heating and Current Drive Control, Magnet Safety and Protection System, Plant Control and I&C System, Disruption Prediction and Mitigation System. The Plasma Control System is the next engineering priority — it is the real-time control loop that runs during normal operation and whose outputs are the primary inputs to the IESS trip parameters. Its interface with the {{entity:Interlock and Emergency Shutdown System}} (the boundary where operational control transitions to safety actuation) is the most architecturally significant interface in the system and needs formal definition.