Validation session surfaces safe-state timing conflict and three uncovered STK scenarios

System

The {{entity:Fusion Reactor Control System}} ({{hex:D7B57819}}) is at qc-reviewed status entering this session: 296 requirements across 6 documents, 348 trace links, 10 diagrams, 43 baselines. Validation scope is the full system — all 10 STK scenarios, 6 plasma lifecycle modes, and the SIL-3 safety argument.

Verification Audit

119 VER requirements against 114 SUB and 28 IFC, a count ratio of ~84% (119/142) that bounds coverage but does not prove it, since one VER can cover several requirements while others have none. Sampled the IESS chain in depth: {{sub:SUB-REQ-001}} (10 ms trip response), {{sub:SUB-REQ-002}} (energise-to-permit logic), and {{sub:SUB-REQ-004}} (MGI initiation within 500 ms) all have direct, quantified VER procedures. {{sub:SUB-REQ-006}} (physical segregation from PCIS) is verified by inspection. The only gap found in the IESS cluster was {{sub:SUB-REQ-050}} (Plant Operations Sequencer 8-state machine, 10 Hz broadcast), which had no VER entry. VER-REQ-127 was created to cover state machine completeness, broadcast rate, and the state-name mapping against the SYS-level lifecycle.

Scenario Validation

Ten STK scenarios checked. Seven have clean derivation chains. Three had defects:

Scenario 1 — Operator awareness ({{stk:STK-REQ-001}}, 200 ms display refresh): traced to {{sys:SYS-REQ-001}} (plasma equilibrium) and {{sys:SYS-REQ-002}} (disruption detection) — neither captures the display latency or parameter completeness function. Closed by creating {{sys:SYS-REQ-017}} (unified operator interface, ≤200 ms), {{sub:SUB-REQ-121}} (Operator Console System display latency and parameter set), and VER-REQ-128 (6,000-sample latency test at 100 Hz synthetic input).

Scenario 2 — Tritium safety ({{stk:STK-REQ-004}}): traces to {{sys:SYS-REQ-004}} only. {{sys:SYS-REQ-015}} (tritium area monitoring, evacuation alarm) had no STK anchor. Closed by adding the {{stk:STK-REQ-004}} → {{sys:SYS-REQ-015}} trace link. The downstream chain ({{sub:SUB-REQ-046}}, {{ifc:IFC-REQ-021}}, VER-REQ-050, VER-REQ-025) is solid.

Scenario 3 — Physics scenario workflow ({{stk:STK-REQ-008}}, inter-pulse parameter upload): traced incorrectly to {{sys:SYS-REQ-003}} (power regulation). The upload/validate/approve cycle had no SYS requirement. Closed by creating {{sys:SYS-REQ-018}} (scenario parameter management function, 120 s validation report, active for next pulse) with STK trace and VER-REQ-129 (commissioning demonstration).

Mode Coverage

Six plasma lifecycle states from {{sys:SYS-REQ-016}} checked. PRE-SHOT-CONDITIONING, PLASMA-INITIATION, FLAT-TOP-BURN, CONTROLLED-SHUTDOWN, and POST-SHOT-COOLDOWN all have SUB coverage. The CURRENT-RAMP phase has implicit coverage through the magnet current waveform requirements ({{sub:SUB-REQ-036}}) but no dedicated lifecycle transition requirement. The POS 8-state machine ({{sub:SUB-REQ-050}}) uses different state names — VER-REQ-127 resolves this by requiring explicit demonstration of the SYS-to-SUB state mapping. MAINTENANCE and FAULT states added in the POS model are engineering additions beyond the SYS-level state machine; {{sub:SUB-REQ-120}} (maintenance access restrictions) covers the MAINTENANCE state behaviour.

Safety Argument

Three competing safe-state timing definitions found: {{sub:SUB-REQ-092}} specified 10 seconds to safe-state confirmation, {{sub:SUB-REQ-112}} specified 8 seconds, and {{sys:SYS-REQ-004}} mandates ≤5 seconds. Both SUB requirements directly contradicted the system-level SIL-3 SCRAM budget; a derived requirement may tighten a parent's time budget but never loosen it. Both updated to ≤5 seconds with the corrected rationale: the 10 ms trip response ({{sub:SUB-REQ-001}}) plus 500 ms MGI initiation ({{sub:SUB-REQ-004}}) plus a typical 1–2 s plasma current decay brings plasma current to ≤1 kA in under 3 s worst case, leaving roughly 2 s of headroom within the 5 s budget. VER-REQ-084 covers the end-to-end SCRAM test from all three operational states.

Cross-domain analogs: the {{entity:Safety Logic Processor}} ({{hex:D6F73018}}) shares 76% Jaccard similarity with the {{entity:ESF Coincidence Logic Processor}} ({{hex:50F77018}}) from nuclear PWR applications and 63% with the railway {{entity:Vital Processing Unit}} ({{hex:51F53258}}). The PWR analog votes 2-out-of-4 where the fusion IESS votes 2oo3; the difference in channel count reflects the more complex plasma trip parameter space compared with a PWR reactor protection system's well-bounded sensor set, so the analog's voting architecture is not a drop-in justification for the fusion one.
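The four structural checks run in this session (VER coverage of SUB and IFC requirements, STK anchoring of SYS requirements, SUB timing values against the SYS budget, and SYS-to-SUB lifecycle state coverage) are mechanical enough to script, and scripting them is what stops the next session from having to sample. The block below is an added example, not the review tooling behind this entry. It runs over a constructed miniature of the requirement set in its pre-fix state: the IDs, timing values and state names are the ones quoted above; the VER-REQ-084 links to SUB-REQ-092 and SUB-REQ-112 are this example's assumption; SUB-REQ-050's SYS parent is left out of the sample; the data model and check names are the example's own.

```python
"""Structural traceability audit over a requirements graph.

Added example for this validation entry, not the page's review tooling.
The requirement set is a constructed miniature of the session's pre-fix
state: IDs, levels, timing values and state names come from the notes;
the VER-REQ-084 -> SUB-REQ-092/112 links are assumed; the data model and
check names are this example's own.
"""
from collections import defaultdict

# Constructed sample. SUB-REQ-050's SYS parent is omitted from this miniature.
REQS = {
    "STK-REQ-001": {"level": "STK"},
    "STK-REQ-004": {"level": "STK"},
    "STK-REQ-005": {"level": "STK"},
    "STK-REQ-008": {"level": "STK"},
    "SYS-REQ-001": {"level": "SYS"},
    "SYS-REQ-002": {"level": "SYS"},
    "SYS-REQ-003": {"level": "SYS"},
    "SYS-REQ-004": {"level": "SYS", "safe_state_s": 5.0},   # SIL-3 SCRAM budget
    "SYS-REQ-015": {"level": "SYS"},                        # tritium area monitoring
    "SUB-REQ-046": {"level": "SUB"},
    "SUB-REQ-050": {"level": "SUB"},                        # POS 8-state machine
    "SUB-REQ-092": {"level": "SUB", "safe_state_s": 10.0},  # pre-fix value
    "SUB-REQ-112": {"level": "SUB", "safe_state_s": 8.0},   # pre-fix value
    "IFC-REQ-021": {"level": "IFC"},
    "VER-REQ-025": {"level": "VER"},
    "VER-REQ-050": {"level": "VER"},
    "VER-REQ-084": {"level": "VER"},
}

# (child, parent): the child is derived from, or verifies, the parent.
LINKS = [
    ("SYS-REQ-001", "STK-REQ-001"), ("SYS-REQ-002", "STK-REQ-001"),
    ("SYS-REQ-004", "STK-REQ-004"), ("SYS-REQ-004", "STK-REQ-005"),
    ("SYS-REQ-003", "STK-REQ-008"),
    ("SUB-REQ-046", "SYS-REQ-015"),
    ("SUB-REQ-092", "SYS-REQ-004"), ("SUB-REQ-112", "SYS-REQ-004"),
    ("IFC-REQ-021", "SUB-REQ-046"),
    ("VER-REQ-050", "SUB-REQ-046"), ("VER-REQ-025", "IFC-REQ-021"),
    ("VER-REQ-084", "SUB-REQ-092"), ("VER-REQ-084", "SUB-REQ-112"),  # assumed links
]

SYS_STATES = {"PRE-SHOT-CONDITIONING", "PLASMA-INITIATION", "CURRENT-RAMP",
              "FLAT-TOP-BURN", "CONTROLLED-SHUTDOWN", "POST-SHOT-COOLDOWN"}
# SYS-level states the SUB layer explicitly covers, plus the POS additions.
SUB_STATES = {"PRE-SHOT-CONDITIONING", "PLASMA-INITIATION", "FLAT-TOP-BURN",
              "CONTROLLED-SHUTDOWN", "POST-SHOT-COOLDOWN", "MAINTENANCE", "FAULT"}


def index(links):
    """Build parent and child adjacency sets from the (child, parent) link list."""
    parents, children = defaultdict(set), defaultdict(set)
    for child, parent in links:
        parents[child].add(parent)
        children[parent].add(child)
    return parents, children


def missing_upstream(reqs, links, level, parent_level):
    """Requirements at `level` with no parent at `parent_level` (e.g. SYS with no STK anchor)."""
    parents, _ = index(links)
    return sorted(r for r, a in reqs.items() if a["level"] == level
                  and not any(reqs[p]["level"] == parent_level for p in parents[r]))


def unverified(reqs, links, levels=("SUB", "IFC")):
    """SUB/IFC requirements with no VER requirement pointing at them."""
    _, children = index(links)
    return sorted(r for r, a in reqs.items() if a["level"] in levels
                  and not any(reqs[c]["level"] == "VER" for c in children[r]))


def timing_violations(reqs, links, attr="safe_state_s"):
    """A derived requirement may tighten a parent's time budget, never loosen it."""
    parents, _ = index(links)
    out = []
    for r, a in reqs.items():
        if attr not in a:
            continue
        for p in parents[r]:
            budget = reqs[p].get(attr)
            if budget is not None and a[attr] > budget:
                out.append((r, a[attr], p, budget))
    return sorted(out)


def state_coverage(sys_states, sub_states):
    """SYS lifecycle states without SUB coverage, and SUB states beyond the SYS model."""
    return sorted(sys_states - sub_states), sorted(sub_states - sys_states)


def audit(reqs=REQS, links=LINKS):
    """Run all four structural checks and return the findings by name."""
    uncovered, extra = state_coverage(SYS_STATES, SUB_STATES)
    return {
        "sys_without_stk": missing_upstream(reqs, links, "SYS", "STK"),
        "unverified": unverified(reqs, links),
        "timing": timing_violations(reqs, links),
        "states_uncovered": uncovered,
        "states_extra": extra,
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

On the pre-fix sample this reports SYS-REQ-015 without an STK anchor, SUB-REQ-050 without a VER, both safe-state budgets exceeding SYS-REQ-004, CURRENT-RAMP uncovered and MAINTENANCE/FAULT as additions. Adding the STK-REQ-004 link, VER-REQ-127 and the two 5 s values clears the first three lists. What it cannot catch is the Scenario 3 defect: a trace that exists but points at the wrong SYS requirement is semantically wrong and structurally fine, which is why the sampled review still matters.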

flowchart TB
  n0["Fusion Reactor Control System"]
  n1["Plasma Control System"]
  n2["Disruption Prediction and Mitigation System"]
  n3["Heating and Current Drive Control"]
  n4["Magnet Safety and Protection System"]
  n5["Fuel Injection and Burn Control"]
  n6["Plasma Diagnostics Integration System"]
  n7["Plant Control and I&C System"]
  n8["Interlock and Emergency Shutdown System"]
  n0 -->|contains| n1
  n0 -->|contains| n2
  n0 -->|contains| n3
  n0 -->|contains| n4
  n0 -->|contains| n5
  n0 -->|contains| n6
  n0 -->|contains| n7
  n0 -->|contains| n8

Gaps Closed

| Item | Type | Action |
| --- | --- | --- |
| {{sub:SUB-REQ-092}} safe-state 10 s → 5 s | Inconsistency | Updated to align with {{sys:SYS-REQ-004}} |
| {{sub:SUB-REQ-112}} safe-state 8 s → 5 s | Inconsistency | Updated to align with {{sys:SYS-REQ-004}} |
| {{stk:STK-REQ-004}} → {{sys:SYS-REQ-015}} trace | Missing trace | Added STK→SYS link for tritium monitoring |
| {{sub:SUB-REQ-050}} POS state machine | Missing VER | Created VER-REQ-127 with state mapping check |
| {{stk:STK-REQ-001}} operator display | Missing SYS | Created {{sys:SYS-REQ-017}}, {{sub:SUB-REQ-121}}, VER-REQ-128 |
| {{stk:STK-REQ-008}} scenario upload workflow | Missing SYS | Created {{sys:SYS-REQ-018}}, VER-REQ-129 |

Verdict

Partial pass. 5 structural gaps closed; 2 timing inconsistencies in the SIL-3 safe-state chain corrected. One residual gap remains: {{stk:STK-REQ-005}} (online channel replacement, 4 h MTTR) traces only to {{sys:SYS-REQ-004}} — the SCRAM requirement — rather than a dedicated availability/maintenance requirement. The MTTR requirement has no SYS-level derivation and no verification procedure. This must be resolved in the next session before marking the system validated. Status: validation-in-progress. Total requirements at close: 302; trace links: 357.
