Fusion Reactor Control System — Interim QC: ARC linkage, redundancy gaps closed

System

{{entity:Fusion Reactor Control System}} ({{hex:51F77B19}}), interim QC pass covering sessions 390–393. Project entered this session with 94 requirements, 81 trace links, and 6 orphaned architecture decision requirements. Decomposition is in progress across 7 subsystems, with MSPS fully built out in the previous session.

Findings

Orphaned architecture decisions (6/94): ARC-REQ-001 through ARC-REQ-006 had no trace links. The architecture-decisions document had no linkset to any other document, making it structurally isolated from the requirement hierarchy. All six decisions described the primary subsystem architectural choices — IESS 2oo3 voting, DPMS LSTM-FPGA, PCS hierarchical control, HCDC four-component structure, MSPS hardwired quench detection — but were invisible to coverage and orphan analysis.

Duplicate ARC requirement: ARC-REQ-005 replicated ARC-REQ-004 at lower fidelity: both described the HCDC four-component architecture and ECRH NTM prioritisation. ARC-REQ-005 was a shortened version without additional content. Confirmed original ARC-REQ-004 intact before deletion.

Duplicate diagrams (2): “Fusion Reactor Control System — Context” appeared twice (diagrams -824716 and -828116). “Magnet Safety and Protection System — Internal” appeared twice (diagrams -885397 and -894428). Newer copies deleted; content identical.

Missing redundancy requirements (4 components): Lint findings 21–24 flagged {{entity:safety logic processor}} ({{hex:D1B77858}}), {{entity:emergency shutdown sequencer}} ({{hex:51F73A18}}), {{entity:disruption prediction engine}} ({{hex:71F77308}}), and {{entity:disruption precursor monitor}} ({{hex:55F77200}}) as {{trait:System-Essential}} without any redundancy or fault-tolerance requirements. Three of the four — SLP, ESS, DPE — had no degraded-mode requirements at all.

Coverage gap — seismic qualification: STK-REQ-009 (maintain safety functions under seismic conditions) had a trace link to SYS-REQ-004 (SCRAM), but no SYS requirement explicitly stated the seismic qualification standard or the performance envelope under SSE. The concept “safe shutdown earthquake” existed only in the stakeholder layer.

SYS-REQ-004 spray pattern (14 SUB links): Flagged by lint. Reviewed all 14 links individually — each has documented rationale tying the specific safety sub-requirement to either the SIL-3 classification mandate or the hardware independence requirement. Retained as genuinely justified: SYS-REQ-004 is the root of the entire SIL-3 architecture and legitimately cascades across all safety-classified subsystems.
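The lint checks behind these findings (orphans, isolated documents, spray patterns, System-Essential components without redundancy), as an added Python illustration that is not the project's own tooling, run over a constructed subset of the requirement graph; the data and the spray-pattern threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample data mirroring the findings above (not the project's data).
REQUIREMENTS = {
    "SYS-REQ-004": "system-requirements",
    "ARC-REQ-001": "architecture-decisions",
    "ARC-REQ-004": "architecture-decisions",
    **{f"SUB-REQ-{i:03d}": "subsystem-requirements" for i in range(1, 14)},
    "SUB-REQ-039": "subsystem-requirements",
}
# (source, target, type). SYS-REQ-004 fans out to 14 SUB requirements; the
# architecture-decisions document has no links, so its requirements are orphans.
LINKS = [("SYS-REQ-004", f"SUB-REQ-{i:03d}", "derives") for i in range(1, 14)]
LINKS.append(("SYS-REQ-004", "SUB-REQ-039", "derives"))
# Component -> (System-Essential trait, requirements allocated to it).
COMPONENTS = {
    "safety logic processor": (True, {"SUB-REQ-039"}),
    "disruption precursor monitor": (True, set()),
    "cooling telemetry logger": (False, set()),
}
REDUNDANCY_TAGGED = {"SUB-REQ-039"}  # requirements tagged redundancy/fault-tolerance
SPRAY_THRESHOLD = 10  # assumed lint threshold on outgoing links per requirement

def orphans(reqs=REQUIREMENTS, links=LINKS):
    """Requirements that appear in no trace link, in either direction."""
    linked = {src for src, _, _ in links} | {dst for _, dst, _ in links}
    return sorted(r for r in reqs if r not in linked)

def isolated_documents(reqs=REQUIREMENTS, links=LINKS):
    """Documents with no linkset to any other document (structurally isolated)."""
    connected = {reqs[src] for src, _, _ in links} | {reqs[dst] for _, dst, _ in links}
    return sorted(set(reqs.values()) - connected)

def spray_patterns(links=LINKS, threshold=SPRAY_THRESHOLD):
    """Sources whose fan-out reaches the threshold; flagged for review, not auto-fixed."""
    fan_out = defaultdict(int)
    for src, _, _ in links:
        fan_out[src] += 1
    return {src: n for src, n in fan_out.items() if n >= threshold}

def essential_without_redundancy(components=COMPONENTS, tagged=REDUNDANCY_TAGGED):
    """System-Essential components with no redundancy-tagged requirement allocated."""
    return sorted(name for name, (essential, reqs) in components.items()
                  if essential and not reqs & tagged)

def lint():
    """All checks in one report; the keys double as lint finding categories."""
    return {"orphans": orphans(), "isolated_documents": isolated_documents(),
            "spray_patterns": spray_patterns(),
            "essential_without_redundancy": essential_without_redundancy()}
```

A spray-pattern hit is a review prompt, not a defect: SYS-REQ-004 above is retained once each link's rationale is confirmed.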

Corrections

ARC linkset created and populated: Created architecture-decisions → system-requirements linkset with derives type. Linked ARC-REQ-001 → SYS-REQ-004, ARC-REQ-002 → SYS-REQ-002, ARC-REQ-003 → SYS-REQ-001, ARC-REQ-004 → SYS-REQ-003, ARC-REQ-006 → SYS-REQ-004. Orphan count: 6 → 0.

ARC-REQ-005 deleted: Tagged duplicate-of-ARC-REQ-004, no trace links to re-point, then deleted. ARC-REQ-004 preserved as the authoritative HCDC decision record.

Seismic SYS requirement added (SYS-REQ-006): “When a safe shutdown earthquake is detected at plant level, the Fusion Reactor Control System SHALL maintain all SIL-3 safety shutdown functions and transition the plasma to safe state within 10 seconds, using equipment qualified to IEEE 344 seismic category I.” Linked from STK-REQ-009.

SLP redundancy requirement added (SUB-REQ-039): 1oo2 de-energise-to-trip SLP architecture, derived from SYS-REQ-004. Closes lint finding #21 for {{entity:safety logic processor}}.

ESS watchdog requirement added (SUB-REQ-040): 100 ms hardware watchdog with immediate MGI-preserving reset for the {{entity:emergency shutdown sequencer}}, derived from SYS-REQ-004. Closes lint finding #22.

DPE fallback requirement added (SUB-REQ-041): “When the DPE primary FPGA becomes unavailable, the DPMS SHALL activate a hardwired fallback issuing MGI actuation within 5 ms, maintaining disruption mitigation at degraded prediction capability.” Derived from SYS-REQ-002. Closes lint finding #23.

Residual

{{entity:disruption precursor monitor}} ({{hex:55F77200}}) remains without an explicit redundancy requirement (lint finding #24). The DPM is a sensor-layer component; its fault-tolerance is partially covered by the DPE fallback in SUB-REQ-041 (which treats DPM channel loss as a degraded-mode trigger), but a dedicated DPM redundancy requirement is warranted and should be added in the next decomposition session.

Coverage gap for “heating systems” (STK-REQ-010 → no SYS/SUB concept match) requires a dedicated HCDC heating-systems integration requirement in the next session.

Verification coverage remains at 19/37 for SUB+IFC requirements with VER entries — below the 50% target for full QC-review status.

Next

Decomposition resumes with DPMS — specifically the Disruption Precursor Monitor redundancy requirement — and the Fuel Injection and Burn Control subsystem, which has no sub-components or requirements yet. After FIBC decomposition, re-run interim QC to address the verification coverage gap before advancing to first-pass-complete.

flowchart TB
  n0["Fusion Reactor Control System"]
  n1["Plasma Control System"]
  n2["Disruption Prediction and Mitigation System"]
  n3["Heating and Current Drive Control"]
  n4["Magnet Safety and Protection System"]
  n5["Fuel Injection and Burn Control"]
  n6["Plasma Diagnostics Integration System"]
  n7["Plant Control and I&C System"]
  n8["Interlock and Emergency Shutdown System"]
  n0 -->|contains| n1
  n0 -->|contains| n2
  n0 -->|contains| n3
  n0 -->|contains| n4
  n0 -->|contains| n5
  n0 -->|contains| n6
  n0 -->|contains| n7
  n0 -->|contains| n8