QC Pass: Structural Integrity Audit of Fusion Reactor Control System
System
The {{entity:Fusion Reactor Control System}} is an {{hex:51F77B19}} system responsible for plasma equilibrium control, disruption prediction and mitigation, fuel management, and SIL-3 safety shutdown across a tokamak facility. The project carries 313 requirements across 6 documents, 369 trace links, and 10 diagrams. This QC session covered all documents following the validation-in-progress state inherited from session 427.
Findings
Structural: 118 requirements with internal IDs. Requirements created without --section flags received auto-generated IDs (REQ-SEFUSIONREACTORCONTROLSYSTEM-NNN) rather than human-readable refs. The flat --limit all JSON export shows documentSlug: null for these, creating a false appearance of 118 homeless requirements. The docs API confirms all requirements are correctly assigned: subsystem-requirements contains 119, system-requirements 18, verification-requirements 129. This is a JSON API artifact, not a structural defect. No reassignment needed.
Trace: STK → SYS-REQ-013 missing. {{sys:SYS-REQ-013}} specifies IEEE 344 seismically-qualified enclosures and IP54 environmental protection. It had no derives link from a stakeholder requirement. {{stk:STK-REQ-009}} (0.2g SSE seismic loading) is the clear parent. Link added.
Spray pattern: SYS-REQ-004 with 42 derives links. {{sys:SYS-REQ-004}} is the SIL-3 SCRAM requirement. A 42-link fan-out is unusual but justified: the SIL-3 classification cascades to every subsystem because reaching safe state requires coordinated shutdown across {{entity:Interlock and Emergency Shutdown System}}, {{entity:Plasma Control System}}, {{entity:Fuel Injection and Burn Control}}, {{entity:Heating and Current Drive Control}}, and all five others. Each link carries a specific rationale explaining the derivation (e.g., fuel injection halt, RF power cutoff, quench detection independence). This is legitimate — a safety requirement governing all eight subsystems will touch all eight.
Verification coverage: SUB at 39%. All 28 IFC requirements have verifies links (100%). Only 46/119 SUB requirements have verifies links. Combined SUB+IFC: 74/147 = 50.3%, just above the mandatory 50% gate. The unverified SUB requirements cluster in three subsystems: Plasma Control System (MHD stabiliser, vertical stability, data bus), Heating and Current Drive Control (ICRH, ECRH controller interactions), and Fuel Injection and Burn Control (pellet injection timing, tritium boundary).
Lint: 27 findings. 8 high-severity findings are ontological mismatches — the UHT classifier omits the {{trait:Physical Object}} trait from control systems it treats as {{trait:Intentionally Designed}} functional entities. This is a classifier boundary condition, not a requirements defect. 19 medium-severity findings are coverage gaps: concepts like safe state, control system, and IEC 61513 appear in SYS requirements but have no explicit echo in SUB. These are informational — the subsystem decomposition handles these concepts at the component level through specific performance thresholds, not by repeating the top-level concept.
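The three structural checks the findings above rely on (a SYS requirement with no derives link from STK, a derives fan-out above a threshold, and SUB+IFC verifies coverage against the 50% gate), as an added Python example that is not the project's own tooling. The document listing, requirement IDs and links are constructed sample data, and the fan-out threshold is a parameter; the code takes document membership from a docs-API-style listing rather than from the flat export's documentSlug field.

```python
from collections import defaultdict

# Constructed sample data (not the project's real database). Document
# membership mirrors the docs API listing, which is the source of truth;
# the flat JSON export's documentSlug field is deliberately not consulted.
DOCS = {
    "stakeholder-requirements": ["STK-REQ-001", "STK-REQ-009"],
    "system-requirements": ["SYS-REQ-004", "SYS-REQ-013"],
    "subsystem-requirements": ["SUB-REQ-022", "SUB-REQ-024",
                               "SUB-REQ-026", "SUB-REQ-030"],
    "interface-requirements": ["IFC-REQ-001", "IFC-REQ-002", "IFC-REQ-003"],
}
# Trace links as (source, type, target); derives runs parent -> child.
LINKS = [
    ("STK-REQ-001", "derives", "SYS-REQ-004"),
    ("SYS-REQ-004", "derives", "SUB-REQ-022"),
    ("SYS-REQ-004", "derives", "SUB-REQ-024"),
    ("SYS-REQ-004", "derives", "SUB-REQ-026"),
    ("SYS-REQ-004", "derives", "SUB-REQ-030"),
    ("VER-REQ-001", "verifies", "IFC-REQ-001"),
    ("VER-REQ-002", "verifies", "IFC-REQ-002"),
    ("VER-REQ-003", "verifies", "IFC-REQ-003"),
    ("VER-REQ-137", "verifies", "SUB-REQ-022"),
]

def missing_parents(links, docs, child_doc, parent_prefix):
    """Requirements in child_doc with no incoming derives link from any
    requirement whose ID starts with parent_prefix (the STK -> SYS gap)."""
    parented = {t for s, k, t in links
                if k == "derives" and s.startswith(parent_prefix)}
    return sorted(r for r in docs[child_doc] if r not in parented)

def fan_out(links, threshold):
    """Sources whose outgoing derives count reaches threshold (spray pattern)."""
    counts = defaultdict(int)
    for s, k, _ in links:
        if k == "derives":
            counts[s] += 1
    return {s: n for s, n in counts.items() if n >= threshold}

def verifies_coverage(links, docs, doc_names):
    """(verified, total, percent) over all requirements in the named documents."""
    verified = {t for _, k, t in links if k == "verifies"}
    pool = [r for d in doc_names for r in docs[d]]
    hit = sum(1 for r in pool if r in verified)
    pct = round(100.0 * hit / len(pool), 1) if pool else 0.0
    return hit, len(pool), pct

def gate_met(links, docs, doc_names, gate=50.0):
    """Coverage gate check; assumes exactly reaching the gate counts as met."""
    return verifies_coverage(links, docs, doc_names)[2] >= gate
```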
Corrections
- Added derives trace link: {{stk:STK-REQ-009}} → {{sys:SYS-REQ-013}} with rationale documenting the seismic derivation chain.
- Created {{ver:VER-REQ-137}} for {{sub:SUB-REQ-022}} (MHD Mode Stabiliser detection timing): hardware-in-the-loop test with n=2 NTM injection, verifying 150 ms detection and 200 ms steering command response. Trace link added.
- Created {{ver:VER-REQ-138}} for {{sub:SUB-REQ-026}} (HCDC Safety Arbiter 50 MW power ceiling): integrated hardware test confirming power curtailment within 100 ms and latch behaviour. Trace link added.
- Created {{ver:VER-REQ-139}} for {{sub:SUB-REQ-024}} (PCS Real-Time Data Bus synchronisation): precision timing measurement of inter-node clock skew at 10 kHz cycle rate, verifying 500 ns maximum skew.
Decomposition
flowchart TB
n0["Fusion Reactor Control System"]
n1["Plasma Control System"]
n2["Disruption Prediction and Mitigation System"]
n3["Heating and Current Drive Control"]
n4["Magnet Safety and Protection System"]
n5["Fuel Injection and Burn Control"]
n6["Plasma Diagnostics Integration System"]
n7["Plant Control and I&C System"]
n8["Interlock and Emergency Shutdown System"]
n0 -->|contains| n1
n0 -->|contains| n2
n0 -->|contains| n3
n0 -->|contains| n4
n0 -->|contains| n5
n0 -->|contains| n6
n0 -->|contains| n7
n0 -->|contains| n8
Residual
SUB verification coverage remains at approximately 50% — the mandatory gate is met but the {{entity:Plasma Control System}}, {{entity:Heating and Current Drive Control}}, and {{entity:Fuel Injection and Burn Control}} subsystems each have 10–15 unverified requirements. The unverified requirements are dominated by hardware qualification (IEEE 344 seismic, IP54 environmental), software compliance (IEC 62138, IEC 61513), and cross-subsystem interface timing. These require either integrated hardware test procedures or formal analysis — all appropriate verification methods, but the VER entries themselves are still missing. A dedicated VER creation pass would add approximately 40 more VER requirements.
The SYS-REQ-004 spray pattern is documented and justified but warrants a validation review to confirm that the 42 derivation claims are genuine (i.e., each linked SUB requirement exists BECAUSE of the SIL-3 cascade, not merely because it contributes to the same safety capability).
Next
Status is set to qc-reviewed. The next session should proceed to SE_VALIDATION: walk each ConOps scenario from {{stk:STK-REQ-001}} through {{stk:STK-REQ-010}}, trace from STK through SYS to SUB to VER, and confirm the safety argument chain for each of the five declared hazards (disruption, quench, tritium release, seismic, EMI-induced spurious actuation).