FRCS Interim QC: Orphan Resolution, VER Coverage Gap Closed, EMC Requirements Added

System

Fusion Reactor Control System — {{entity:Fusion Reactor Control System}} ({{hex:51F77B19}}), interim QC session triggered at session 400 (last QC: session 393). Project state entering QC: 174 requirements, 148 trace links, 14 baselines. Exiting: 184 requirements, 170 trace links, baseline QC-2026-03-21 created. Flow C applied to requirements since session 393.

Findings

12 orphan requirements were the primary structural finding. Ten requirements ({{sub:SUB-REQ-067}} through {{sub:SUB-REQ-076}}) had been created in prior sessions without document assignment — all carried document: null and had no trace links. Two further requirements, {{sub:SUB-REQ-064}} (IESS seismic qualification) and {{sub:VER-REQ-052}} (seismic test procedure), were also unassigned. These are the redundancy architecture, physical implementation, cybersecurity, regulatory compliance, and safe-state lockout requirements for the safety subsystems: {{entity:Emergency Shutdown Sequencer}}, {{entity:Safety Logic Processor}}, {{entity:Quench Detection System}}, {{entity:Disruption Prediction Engine}}, {{entity:Safety Arbiter}}, and {{entity:Pellet Injection Controller}}.

VER coverage at 47.0% (47 of 100 SUB+IFC requirements). Six IFC requirements in the safety signal path — {{ifc:IFC-REQ-004}}, {{ifc:IFC-REQ-005}}, {{ifc:IFC-REQ-007}}, {{ifc:IFC-REQ-010}}, {{ifc:IFC-REQ-012}}, {{ifc:IFC-REQ-015}} — had no verification entries. All six are hardwired interface requirements specifying sub-millisecond timing and galvanic isolation; test-based verification is the only valid approach and was missing entirely.

Two STK coverage gaps identified by lint. {{stk:STK-REQ-006}} (90% diagnostic coverage, 10 s MMS reporting) and {{stk:STK-REQ-010}} (EMC operation in 10 T/s dB/dt and 200 V/m RF environment from heating systems and pulsed power) had no derived SYS requirements. The STK concepts “heating systems”, “pulsed power system”, and “maintenance management system” were unreferenced below stakeholder level.

Spray pattern review: {{sys:SYS-REQ-004}} carries 22 derived links. All were examined; each link has a specific SIL-3 derivation rationale referencing IEC 61508 Table 4 or specific subsystem safety functions. The pattern is justified — {{sys:SYS-REQ-004}} is the top-level safety shutdown requirement that cascades the SIL-3 classification across every safety-chain element.
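The three structural checks behind these findings (orphans, VER coverage over SUB+IFC, and STK requirements with no derived SYS requirement) can be reproduced from an export of the requirement set. The following is an added example, not the project's own tooling; the `Req` model, the `audit` function and the 9xx identifiers are constructed for illustration, and the level is assumed to be encoded in the identifier prefix.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Req:
    rid: str                  # e.g. "SUB-REQ-901"; prefix is assumed to give the level
    document: Optional[str]   # None models the report's "document: null"
    derives_from: list = field(default_factory=list)  # parent requirement ids
    verifies: list = field(default_factory=list)      # VER entries: ids they verify

def level(rid):
    return rid.split("-")[0]

def audit(reqs):
    known = {r.rid for r in reqs}
    linked, verified, stk_covered, dangling = set(), set(), set(), set()
    for r in reqs:
        targets = r.derives_from + r.verifies
        dangling.update(t for t in targets if t not in known)  # link to a missing id
        if targets:
            linked.add(r.rid)
        linked.update(targets)  # being the target of a link also counts as linked
        if level(r.rid) == "VER":
            verified.update(r.verifies)
        if level(r.rid) == "SYS":
            stk_covered.update(p for p in r.derives_from if level(p) == "STK")
    scope = sorted(r.rid for r in reqs if level(r.rid) in ("SUB", "IFC"))
    unverified = [rid for rid in scope if rid not in verified]
    pct = round(100 * (len(scope) - len(unverified)) / len(scope), 1) if scope else 0.0
    return {
        "orphans": sorted(r.rid for r in reqs if r.document is None and r.rid not in linked),
        "ver_coverage_pct": pct,
        "unverified": unverified,
        "stk_gaps": sorted(r.rid for r in reqs if level(r.rid) == "STK" and r.rid not in stk_covered),
        "dangling_links": sorted(dangling),
    }

# Constructed sample; ids and relationships are illustrative, not project data.
SAMPLE = [
    Req("STK-REQ-901", "stk"),
    Req("STK-REQ-902", "stk"),                      # no SYS derives from it
    Req("SYS-REQ-901", "sys", ["STK-REQ-901"]),
    Req("SUB-REQ-901", "sub", ["SYS-REQ-901"]),
    Req("SUB-REQ-902", None),                       # unassigned and unlinked
    Req("IFC-REQ-901", "ifc", ["SYS-REQ-901"]),
    Req("IFC-REQ-902", "ifc", ["SYS-REQ-901"]),
    Req("VER-REQ-901", "ver", verifies=["SUB-REQ-901"]),
    Req("VER-REQ-902", None),                       # unassigned VER entry, no target
]
```

Because coverage is computed from trace links rather than from matching text between documents, a requirement counts as covered only when a link to it actually exists.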

Corrections

All 12 orphan requirements were reassigned to their correct document sections and 11 trace links were created. {{sub:SUB-REQ-064}} through {{sub:SUB-REQ-076}} now derive from {{sys:SYS-REQ-004}} (SIL-3 shutdown requirement), except {{sub:SUB-REQ-073}} (tritium compliance), which derives from {{sys:SYS-REQ-003}} (fuel regulation), and {{sub:SUB-REQ-075}}/{{sub:SUB-REQ-076}} (DPE hot-standby and PIC dual-channel), which derive from {{sys:SYS-REQ-002}} (disruption mitigation continuity). {{sub:VER-REQ-052}} was linked to {{sub:SUB-REQ-064}} as its verification procedure.

Two new SYS requirements created to close STK coverage gaps: {{sys:SYS-REQ-009}} (EMC compliance to IEC 61000-4-3 and IEC 61000-4-8, no position error increase beyond ±2 cm under 10 T/s dB/dt and 200 V/m RF) and {{sys:SYS-REQ-010}} (90% self-diagnostic coverage with 10 s MMS fault reporting). Both derived from their respective STK requirements and verified by new test procedures {{sub:VER-REQ-053}} and {{sub:VER-REQ-054}}.

Six new VER entries created for the unverified hardwired IFC requirements: {{sub:VER-REQ-055}}–{{sub:VER-REQ-060}}, covering TPM-SLP discrete signal propagation (≤2 ms, 2 kV isolation), SLP-ESS energise-to-hold under power loss, DPMS-IESS dual-channel 1 ms timing, VSC VDE 100 µs de-energisation, HCDC beam-off 1 ms delivery with software bus interruption, and QDS-IESS relay propagation under worst-case contact resistance. VER coverage moved from 47.0% to 55.0%.

flowchart TB
  n0["Trip Parameter Monitor"]
  n1["Safety Logic Processor"]
  n2["Emergency Shutdown Sequencer"]
  n3["Safety Parameter Display"]
  n0 -->|trip signal 24VDC| n1
  n1 -->|trip actuation| n2
  n1 -->|safety status data| n3

Residual

Lint flags four HIGH ontological mismatches: {{entity:Fusion Reactor Control System}}, {{entity:Quench Detection System}}, and {{entity:Pellet Injection Controller}} lack the {{trait:Physical Object}} trait in their classifications despite having physical embodiment requirements. {{entity:Disruption Prediction Engine}} carries {{trait:Biological/Biomimetic}} (ML inference engine trait cluster) which the linter interprets as requiring biocompatibility requirements. These are Substrate classification artefacts, not missing requirements — the physical embodiment requirements ({{sub:SUB-REQ-067}}, {{sub:SUB-REQ-068}}) are present and well-specified. Entity reclassification with updated context strings would resolve the lint noise but falls outside this QC session’s scope.

Coverage gaps for “safe state” and “control system” in SYS-not-SUB remain flagged by lint. {{sub:SUB-REQ-062}} defines the safe state condition explicitly; the gap is a lint heuristic matching the string “safe state” in {{sys:SYS-REQ-004}} against SUB document text without following the trace chain. The substantive requirement exists.

Next

VER coverage at 55% — above the 50% gate. The 18 remaining unverified IFC requirements ({{ifc:IFC-REQ-006}}, {{ifc:IFC-REQ-008}}, {{ifc:IFC-REQ-009}}, {{ifc:IFC-REQ-011}}, {{ifc:IFC-REQ-013}} onwards) should be addressed in the next decomposition or QC session before validation. Substrate reclassification of the three components missing {{trait:Physical Object}} would eliminate the four HIGH lint findings and clarify the {{trait:Biological/Biomimetic}} tag on the {{entity:Disruption Prediction Engine}}. The project is qc-reviewed and ready for a validation pass once remaining IFC verifications are in place.
