Safe State Quantified and Floating Refs Resolved — Fusion Reactor QC Pass 2

System

Fusion Reactor Control System, second QC pass (session 422, following QC session 421). At entry: 283 requirements, 332 trace links, 26 lint findings (7 high, 19 medium). Status: qc-reviewed. This pass targeted the residual high-severity findings left unresolved in session 421 and corrected a structural defect in how session 421’s requirements were stored.

Findings

Floating REQ- references (structural defect). Three requirements created in session 421 — SUB-REQ-115 (qualified maintenance bus), SUB-REQ-116 (IESS IEC 61513 compliance), SUB-REQ-117 (GPVC dual-channel redundancy) — were stored as REQ-SEFUSIONREACTORCONTROLSYSTEM-{131,132,133} without --document or --section flags. These appeared under the correct document in the UI but had no documentSlug binding and therefore fell outside all trace linkset validation. All three were missing VER entries and their trace links were not visible to the linkset analyser. Reassigned using airgen reqs reassign to the subsystem-requirements document; refs updated to proper SUB-REQ-{115,116,117} format. Trace links from SYS requirements ({{sys:SYS-REQ-011}} → SUB-REQ-115, {{sys:SYS-REQ-014}} → SUB-REQ-116, {{sys:SYS-REQ-004}} → SUB-REQ-117) were automatically preserved.

Safe state definition gap (lint finding 17 — coverage gap, SYS → SUB). {{sys:SYS-REQ-004}} requires the FRCS to transition to safe state in ≤5 seconds but did not define what safe state is at any subsystem level. An {{entity:Interlock and Emergency Shutdown System}} without a defined safe state cannot be verified: the test engineer has no acceptance criteria for the post-SCRAM condition. Added SUB-REQ-114 enumerating the six-parameter safe state: plasma current ≤10 kA, poloidal field coil currents ≤1% of operating values, RF power ≤100 W, all pellet injection valves closed, torus pressure ≥10⁻⁴ mbar with no active fuelling, latched until authorised restart. Values derived from ITER-IT-SAFE-001 operational termination criteria scaled to a DEMO-class device.
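As an added illustration (not part of this QC log and not airgen or FRCS code), the six SUB-REQ-114 criteria expressed as an executable post-SCRAM acceptance check, together with the 5 s transition bound from SYS-REQ-004 and the latch-until-restart condition. The Snapshot fields, the trace values and the fat_pass gate are constructed assumptions, not reactor telemetry or the project's test procedure.

```python
from dataclasses import dataclass

SAFE_STATE_DEADLINE_S = 5.0   # SYS-REQ-004: safe state within 5 s of the trip signal

@dataclass(frozen=True)
class Snapshot:
    t: float                   # seconds since the trip signal (assumed field names)
    plasma_current_ka: float
    pf_coil_frac: float        # poloidal field coil current as a fraction of operating value
    rf_power_w: float
    pellet_valves_open: int
    torus_pressure_mbar: float
    fuelling_active: bool

def in_safe_state(s):
    # The six SUB-REQ-114 criteria; the pressure criterion also requires no active fuelling.
    return (s.plasma_current_ka <= 10 and s.pf_coil_frac <= 0.01 and s.rf_power_w <= 100
            and s.pellet_valves_open == 0 and s.torus_pressure_mbar >= 1e-4
            and not s.fuelling_active)

def assess_trip(trace, restart_authorised_at=None):
    # Returns (time safe state was entered, latch held). The time is None when the
    # deadline was missed; the latch fails if any later snapshot before an authorised
    # restart leaves safe state.
    entered, latched_ok = None, True
    for s in sorted(trace, key=lambda s: s.t):
        safe = in_safe_state(s)
        if entered is None and safe and s.t <= SAFE_STATE_DEADLINE_S:
            entered = s.t
        elif entered is not None and not safe and (
                restart_authorised_at is None or s.t < restart_authorised_at):
            latched_ok = False
    return entered, latched_ok

# Constructed traces (not measured data): a nominal trip, or one where RF is re-applied
# at t = 8 s before any authorised restart, which must fail the latch criterion.
def trip_trace(rf_at_8=0.0):
    return [Snapshot(0.0, 15000, 1.0, 20e6, 2, 5e-5, True),   # at trip: full operation
            Snapshot(2.5, 800, 0.20, 0, 0, 8e-5, False),       # ramping down
            Snapshot(4.8, 5, 0.005, 0, 0, 2e-4, False),        # all six criteria met
            Snapshot(8.0, 1, 0.002, rf_at_8, 0, 3e-4, False)]  # must still be safe

def fat_pass(traces):
    # VER-REQ-120-style gate: every trip reaches safe state in time and stays latched.
    return all(t is not None and ok for t, ok in (assess_trip(tr) for tr in traces))
```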

Disruption Prediction Engine biomimetic boundary (lint finding 7). UHT classifies the {{entity:disruption prediction engine}} ({{hex:71F77309}}) with the {{trait:Biological/Biomimetic}} trait because its LSTM architecture is neurally inspired. The lint flagged the absence of biocompatibility requirements. Rather than add spurious sterilisation requirements to a software algorithm, ARC-REQ-010 was added to explicitly bound the classification: no biological materials are present, no biocompatibility certification is required, and the trait reflects architectural lineage only. This is a non-standard case where the ontological classification is correct but its safety implication does not apply.

Entity reclassifications for Physical Object mismatches (findings 1–6). Six entities — {{entity:fusion reactor control system}} ({{hex:51B57818}}), {{entity:plasma control system}} ({{hex:51F73A18}}), {{entity:Interlock and Emergency Shutdown System}} ({{hex:D6E53859}}), {{entity:quench detection system}} ({{hex:D4F57018}}), {{entity:pellet injection controller}} ({{hex:D6F51018}}), {{entity:safety arbiter}} ({{hex:D6A53058}}) — were reclassified with physical embodiment context. The lint findings for these subsystems (e.g., “lacks Physical Object trait but has physical embodiment”) reflect the original classifications being made without sufficient physical context. Four reclassifications yielded updated hex codes with Physical Object (bit 1) now present; two (fusion reactor control system, plasma control system) require further verification as the classifier retained the trait as absent with moderate confidence. Residual: lint may still flag these on the next pass if the global canonical classification has not propagated.

VER coverage after reassignment. Once the three newly bound subsystem requirements became visible to the trace linkset, their missing VER entries surfaced. Added VER-REQ-121 (maintenance bus IEC 61784-3 functional test), VER-REQ-122 (IESS safety case analytical review gate prior to first plasma), VER-REQ-123 (GPVC dual-channel 100 ms failover hardware test). All three trace to their respective subsystem requirements via the verifies linkset.
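Added example covering the floating-ref defect in Findings and the VER gap it hid (not airgen's code): a minimal trace-linkset check over constructed records that shows why unbound requirements escape a coverage report, then replays the session 422 reassignment and VER additions. The record shape (ref plus documentSlug), the reassign helper and the record values are assumptions modelled on this log, not an airgen export.

```python
from dataclasses import dataclass
SUB_DOC = "subsystem-requirements"
RAW = "REQ-SEFUSIONREACTORCONTROLSYSTEM-"   # prefix of the unbound session 421 refs

@dataclass
class Req:
    ref: str
    document: str = ""   # documentSlug binding; "" means the record is floating
@dataclass
class Link:
    kind: str            # "derives" (SYS -> SUB) or "verifies" (VER -> SUB)
    src: str
    dst: str

def floating_refs(reqs):
    # No documentSlug: an analyser that walks bound documents never sees these.
    return sorted(r.ref for r in reqs if not r.document)

def unverified(reqs, links, doc=SUB_DOC):
    # Bound subsystem requirements with no inbound 'verifies' link.
    verified = {l.dst for l in links if l.kind == "verifies"}
    return sorted(r.ref for r in reqs if r.document == doc and r.ref not in verified)

def qc_report(reqs, links):
    # Report floating refs beside the VER gap instead of dropping them silently.
    return {"floating": floating_refs(reqs), "unverified": unverified(reqs, links)}

def reassign(reqs, links, old_ref, new_ref, doc):
    # Bind and rename a floating record; rewrite links so SYS -> SUB 'derives' survive.
    for r in reqs:
        if r.ref == old_ref:
            r.ref, r.document = new_ref, doc
    for l in links:
        l.src = new_ref if l.src == old_ref else l.src
        l.dst = new_ref if l.dst == old_ref else l.dst

# Constructed end-of-session-421 state (mirrors the page; not an airgen export).
REQS = [Req("SUB-REQ-114", SUB_DOC)] + [Req(RAW + str(n)) for n in (131, 132, 133)]
LINKS = [Link("derives", "SYS-REQ-004", "SUB-REQ-114"), Link("verifies", "VER-REQ-120", "SUB-REQ-114")] + \
        [Link("derives", s, RAW + str(n)) for s, n in (("SYS-REQ-011", 131), ("SYS-REQ-014", 132), ("SYS-REQ-004", 133))]

def run_pass_2(reqs, links):
    # Replay session 422: reassign the three refs, then add the VER entries.
    before = qc_report(reqs, links)                 # VER gap invisible here
    for new, old in ((115, 131), (116, 132), (117, 133)):
        reassign(reqs, links, RAW + str(old), f"SUB-REQ-{new}", SUB_DOC)
    mid = qc_report(reqs, links)                    # gap visible after binding
    for new, ver in ((115, 121), (116, 122), (117, 123)):
        links.append(Link("verifies", f"VER-REQ-{ver}", f"SUB-REQ-{new}"))
    return before, mid, qc_report(reqs, links)
```

The "before" report is the misleading one: coverage of the bound document looks complete while three requirements sit outside it.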

Corrections

Resolved: SUB-REQ-114 (safe state enumeration, 6 parameters quantified), trace link {{sys:SYS-REQ-004}} → SUB-REQ-114, VER-REQ-120 (IESS safe state 5-trip FAT test).

Resolved: Floating refs REQ-131/132/133 reassigned to SUB-REQ-115/116/117, VER-REQ-121/122/123 added, 6 new trace links (3 verifies, 1 derives already extant per SYS→SUB).

Resolved: ARC-REQ-010 (DPE biomimetic boundary statement).

IESS top-level diagram with safe state definition context:

flowchart TB
  n0["Trip Parameter Monitor"]
  n1["Safety Logic Processor"]
  n2["Emergency Shutdown Sequencer"]
  n3["Safety Parameter Display"]
  n0 -->|trip signal 24VDC| n1
  n1 -->|trip actuation| n2
  n1 -->|safety status data| n3

Residual

Lint findings 1–6 (Physical Object mismatches) may persist if the canonical entity classification has not propagated; reclassification was performed on the SE-namespace entities. Findings 11–14 (Ethically Significant without explicit ethical requirements) are addressed by {{sys:SYS-REQ-014}} (IEC 61513/IEC 61511/IAEA SSG-39 compliance) but the lint may not recognise that regulatory compliance requirements satisfy the ethical significance flag without a dedicated ARC requirement — this is a low-priority residual. Findings 15–16 and 18–26 are concept-matching artefacts: the referenced concepts are decomposed in the project but the lint extracts them from requirement text verbatim (e.g., “control system” in SYS-REQ-004 is the system itself, not an undecomposed concept).

Next

Final count: 289 requirements, 337 trace links, 42 baselines, VER coverage 65%. With the safe state defined and the floating-ref structural defect corrected, the project is ready for validation (Flow D). The validation session should open with the ConOps scenario walkthrough (plasma startup, steady-state burn, planned shutdown, emergency shutdown, maintenance bypass), check that the trace chain from each STK scenario reaches at least one VER entry, and confirm the safety argument for each hazard in the hazard register. Priority hazard: disruption + quench simultaneous (multiple-initiator SCRAM scenario — SUB requirements for this interaction have not been explicitly checked).
