Fusion Reactor Control System — Validation Pass, Trace Chain Completed

System

The {{entity:Fusion Reactor Control System}} ({{hex:51F77B19}}) is the I&C system for a tokamak fusion reactor managing plasma equilibrium, disruption mitigation, and SIL-3 emergency shutdown across 8 subsystems. The project entered this session at status qc-reviewed with 203 requirements and 209 trace links. At session close: 216 requirements, 237 trace links, baseline VALIDATION-2026-03-21 captured.

Verification Audit

Sample of VER requirements confirmed adequate: {{sys:SYS-REQ-004}} is covered by {{sub:VER-REQ-005}} (IESS interlock chain ≤30 ms), but that verification stops at the first 30 ms of the SCRAM sequence. The ≤5 second safe state transition budget in {{sys:SYS-REQ-004}} requires plasma current quench, heating shutdown, and fuel inhibit across all four safety-relevant subsystems — not just interlock chain latency. A new end-to-end SCRAM verification requirement was created to close this gap, requiring all five safe state conditions to be confirmed within 5 seconds from each operating state (FLAT-TOP, RAMP-DOWN, PLASMA-INIT) over 20 consecutive test runs.

VER-REQ-053 (EMC) was found adequate: it specifies simultaneous 10 T/s dB/dt and 200 V/m RF exposure with quantified position error acceptance criteria. The tritium boundary scenario ({{stk:STK-REQ-004}}) has three VER entries covering concentration threshold interlock and inventory accounting. Data archival ({{stk:STK-REQ-007}}, {{sys:SYS-REQ-005}}) lacked a VER entry for the Historian ingestion rate — added.

Scenario Validation

Steady-state plasma burn ({{stk:STK-REQ-001}}→{{sys:SYS-REQ-001}}→{{sub:SUB-REQ-018}}/{{sub:SUB-REQ-020}}→VER-REQ-010/013): chain complete. ERP reconstruction and Shape & Position Controller verification tests confirmed.

Disruption detection and mitigation ({{stk:STK-REQ-001}}→{{sys:SYS-REQ-002}}→{{sub:SUB-REQ-009}}/{{sub:SUB-REQ-011}}→VER-REQ-006/007): chain complete. However, {{sub:SUB-REQ-010}} (DPE 95% TPR, 2% FPR performance spec) and {{sub:SUB-REQ-041}} (DPMS hardwired fallback) had no VER entries — both added. The hardwired fallback gap was the most critical: an FPGA failure leaving the reactor without any disruption mitigation is a first-wall damage scenario.

Emergency SCRAM ({{stk:STK-REQ-002}}→{{sys:SYS-REQ-004}}→{{sub:SUB-REQ-001}}/{{sub:SUB-REQ-004}}): VER-REQ-005 covers the interlock logic chain. The full 5 s budget and safe state hold ({{sub:SUB-REQ-074}}) both lacked system-test verification — both added.

Seismic event ({{stk:STK-REQ-009}}→{{sys:SYS-REQ-006}}/{{sys:SYS-REQ-009}}): SYS-REQ-006 and SYS-REQ-009 had no STK inbound links and no SUB outbound links at session start — a complete trace chain absence. Six of the eleven system requirements (SYS-REQ-006 through SYS-REQ-011) were traceable by their rationale text but had no AIRGen trace links. All 6 STK→SYS and 11 SYS→SUB links were created.

Cybersecurity ({{stk:STK-REQ-003}}→{{sys:SYS-REQ-007}}→{{sub:SUB-REQ-054}}/{{sub:SUB-REQ-071}}): no trace links and no VER entry at session start. Penetration-test VER requirement added covering three-zone separation and data diode unidirectionality.

EMC ({{stk:STK-REQ-010}}→{{sys:SYS-REQ-008}}/{{sys:SYS-REQ-010}}→{{sub:SUB-REQ-077}}): trace chain created; VER-REQ-053 was pre-existing and adequate.

Self-diagnostic coverage ({{stk:STK-REQ-006}}→{{sys:SYS-REQ-011}}→{{sub:SUB-REQ-003}}/{{sub:SUB-REQ-078}}): trace chain created.

Mode Coverage

Eight defined machine states (MAINTENANCE, STANDBY, PRE-PULSE, PLASMA-INIT, FLAT-TOP, RAMP-DOWN, POST-PULSE, FAULT) are managed by the Plant Operations Sequencer ({{sub:SUB-REQ-050}}). FLAT-TOP and RAMP-DOWN have full requirement coverage. MAINTENANCE mode exposed a gap: no IESS requirement specified the voting degradation procedure during single-channel bypass — a scenario that must occur in MAINTENANCE mode to satisfy the online channel replacement mandate ({{stk:STK-REQ-005}}). A new SUB requirement was added defining 1oo2 fallback voting with SPDS annunciation and a hard prohibition on simultaneous multi-channel bypass.

Safety Argument

flowchart LR
  H1[Unmitigated Disruption]
  H2[SCRAM Failure]
  H3[Quench Undetected]
  SYS2["SYS-REQ-002 (50ms mitigation)"]
  SYS4["SYS-REQ-004 (SIL-3 SCRAM ≤5s)"]
  SYS4a["SYS-REQ-009 (IEEE 344)"]
  S9["SUB-REQ-009 (DPE 3ms)"]
  S10["SUB-REQ-010 (95% TPR)"]
  S11["SUB-REQ-011 (MAC 10ms)"]
  S41["SUB-REQ-041 (FPGA fallback)"]
  S1["SUB-REQ-001 (trip 10ms)"]
  S4["SUB-REQ-004 (ESS 20ms)"]
  S61["SUB-REQ-061 (IESS seismic)"]
  S32["SUB-REQ-032 (QDS quench)"]
  V6[VER-006]
  V10[VER-010]
  V7[VER-007]
  V41[VER-078]
  V1[VER-001]
  V4[VER-004]
  V5[VER-005 full]
  V35[VER-035]
  V20[VER-020]
  H1 --> SYS2 --> S9 --> V6
  SYS2 --> S10 --> V10
  SYS2 --> S11 --> V7
  SYS2 --> S41 --> V41
  H2 --> SYS4 --> S1 --> V1
  SYS4 --> S4 --> V4
  SYS4 --> V5
  H3 --> S32 --> V20
  SYS4a --> S61 --> V35

The disruption hazard chain is now complete from STK through to VER. The SCRAM chain covers the interlock logic (30 ms) and the full safe state transition (5 s). The quench hazard has VER coverage at QDS and FEDU levels. All chains pass.

Cross-Domain Findings

Nuclear Reactor Protection System ({{hex:55B77859}}) has Jaccard 0.85 against the {{entity:Interlock and Emergency Shutdown System}} ({{hex:51F77A59}}). The NukeRPS uses 2oo4 voting to allow single-channel bypass during maintenance without degrading the voting threshold. Our IESS uses 2oo3 voting, which falls to 1oo2 during single-channel bypass — creating a scenario where a second spontaneous channel failure would produce a permissive rather than a trip. This analogy surfaced the maintenance bypass gap: the IESS had no requirement specifying this degradation or prohibiting simultaneous bypass. Corrected.
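To make the voting degradation discussed here and under Mode Coverage concrete, the following is a small added model of MooN trip voting with a channel bypass; it is not IESS or NukeRPS code and is not part of this report, and the channel states, the MAX_BYPASS limit and the function names are assumptions. It shows that with one channel bypassed and the threshold left unspecified, a single dangerous failure in a second channel leaves 2oo3 unable to trip, while the 1oo2 fallback rule or a 2oo4 architecture still trips on a genuine demand.

```python
from enum import Enum


class Ch(Enum):
    NORMAL = "normal"      # healthy, no trip demand seen
    TRIP = "trip"          # healthy, trip demand seen
    BYPASSED = "bypassed"  # out of service for online channel replacement
    FAILED = "failed"      # dangerous failure: this channel can never vote trip


MAX_BYPASS = 1  # assumed: hard prohibition on simultaneous multi-channel bypass


def vote(channels, m, degrade_on_bypass):
    """MooN trip vote over a list of channel states.

    Returns True for TRIP and False for PERMISSIVE.
    degrade_on_bypass=True models the 1oo2 fallback rule: each bypassed
    channel lowers the trip threshold by one (2oo3 -> 1oo2).
    degrade_on_bypass=False models an unspecified bypass procedure where a
    bypassed channel simply never votes trip and the threshold stays at m,
    so 2oo3 silently becomes 2oo2 on the remaining channels.
    """
    bypassed = sum(c is Ch.BYPASSED for c in channels)
    if bypassed > MAX_BYPASS:
        raise ValueError("simultaneous multi-channel bypass is prohibited")
    trips = sum(c is Ch.TRIP for c in channels)
    threshold = max(1, m - bypassed) if degrade_on_bypass else m
    return trips >= threshold


def bypass_plus_failure_cases():
    """Constructed states: one channel bypassed for maintenance, a second
    channel in dangerous failure, and the remaining healthy channel(s)
    seeing a genuine trip demand."""
    iess = [Ch.BYPASSED, Ch.FAILED, Ch.TRIP]                # 2oo3 IESS
    nukerps = [Ch.BYPASSED, Ch.FAILED, Ch.TRIP, Ch.TRIP]    # 2oo4 NukeRPS
    return {
        "iess_unspecified_bypass": vote(iess, 2, False),    # False: permissive
        "iess_1oo2_fallback": vote(iess, 2, True),          # True: trips
        "nukerps_2oo4": vote(nukerps, 2, False),            # True: no fallback needed
    }
```

Under 1oo2 a single spurious trip vote on the remaining healthy channel also trips, so the bypass window trades spurious-trip tolerance for fail-safe behaviour.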

Gaps Closed

  • 6 STK→SYS trace links created ({{sys:SYS-REQ-006}} through {{sys:SYS-REQ-011}})
  • 12 SYS→SUB trace links created (seismic, cybersecurity, EMC, self-diagnostic domains)
  • 14 new VER requirements: DPE TPR performance, DPMS FPGA fallback, PCS degraded mode, HCDC power redistribution, ERP channel dropout tolerance, MPSC current tracking, magnetic diagnostics analogue interface (256-channel), data historian ingestion, cybersecurity penetration test, end-to-end SCRAM ≤5 s, safe state hold enforcement, HCDC heartbeat isolation, IFC-REQ-025/026
  • 1 new SUB requirement: IESS channel bypass procedure with 1oo2 fallback voting and dual-channel bypass prohibition

Verdict

Pass. All seven ConOps scenarios have traceable requirement chains from STK through SYS, SUB/IFC, and VER. The two most critical safety scenarios — disruption mitigation and emergency SCRAM — both have end-to-end verification coverage including the FPGA fallback and the full 5 s safe state transition. The previously untraceable seismic, EMC, cybersecurity, and self-diagnostic SYS requirements now have complete chains. The NukeRPS cross-domain analog surfaced a genuine maintenance bypass gap that was not visible from the requirements alone. The {{entity:Fusion Reactor Control System}} decomposition is complete at status validated.
