Fusion Reactor Control System: Red Team Surfaces SIL Inconsistency and Eight Under-Specified Heating Subsystems
System
The {{entity:Fusion Reactor Control System}} ({{hex:51F77B19}}) enters red team review with 328 requirements across 6 documents, 384 trace links, and 10 architecture diagrams. The project has passed QC. This session applies adversarial review — the role is to find what the builder missed, not to fix it.
Adversarial Findings
Failure-mode coverage (7 findings): 144 of 328 requirements address fault conditions. That is reasonable overall, but the coverage is concentrated in {{entity:Interlock and Emergency Shutdown System}}, {{entity:Disruption Prediction and Mitigation System}}, and {{entity:Plasma Control System}}. Eight subsystems carry fewer than 5 requirements total: the heating and current drive sources ECRH, ICRH, and NBI have a single requirement each, and pellet injection, tritium inventory, burn monitoring, gas puffing valve control, and PDIS have 2–3 each. Four of these subsystems have zero failure-mode requirements. A pellet injector firing 2–4 mm pellets at 50 Hz into a 500 MW plasma is not a peripheral concern, and two requirements do not constitute an engineering specification for it.
Testability (0 findings): All 15 sampled IFC and SUB requirements passed ISO 29148 quality analysis. No untestable requirements were found in this sample; the sample covers 15 of 328 requirements, so this is evidence of quality across the set, not proof of it.
Domain gaps (3 findings): The cross-domain analog {{entity:Nuclear Reactor Protection System}} ({{hex:55B77859}}, 80% Jaccard) is licensed under NRC 10 CFR 50.55a and IEEE 603, whose single-failure and independence criteria are conventionally met with redundant trip channels in a 2-out-of-4 topology (one channel can be bypassed for test while the remaining 2oo3 group still tolerates a single failure), and the analog's requirement set states both that topology and a spurious trip rate explicitly. None of the 28 IFC requirements specify voting logic topology for safety trip channels. No SYS or SUB requirement specifies a spurious trip rate or availability ratio. That is a critical omission: a spurious SCRAM on a 500 MW fusion plasma is itself an energetic event with significant first-wall thermal loading, so an unbudgeted false-trip rate is a hazard in its own right and not merely an availability cost.
Interface plausibility (3 findings): Three hardwired safety interfaces — {{ifc:IFC-REQ-005}} (Safety Logic Processor to Emergency Shutdown Sequencer run-permit line), {{ifc:IFC-REQ-010}} (Vertical Stability Controller to IESS VDE trip demand), and {{ifc:IFC-REQ-021}} (Tritium Controller to IESS fuel-off relay) — lack physical layer specifications: connector type, cable impedance, maximum propagation distance, or EMI shielding class. These are safety-critical signal paths in a high-radiation, high-EMI tokamak hall.
Proportion (8 findings): Eight subsystems fall below the project average of 4 SUB requirements. ecrh, icrh, and nbi are flagged as rt-under-specified with 1 requirement each. pellet-injection (2), tritium (2), burn-monitoring (3), gas-puffing-valve-controller (3), and pdis (3) are similarly under-specified. The heating and current drive subsystem in isolation operates at 150 MW with three distinct coupling technologies — one requirement per technology source is not proportionate to this complexity or its safety coupling.
Trace chain brittleness (0 findings): All 384 trace links carry both rationale and description fields. No mechanical traces detected. Each STK requirement traces to exactly one SYS requirement — well-structured, no spray patterns.
Implausibility (2 findings): {{sys:SYS-REQ-004}} is tagged rt-sil-gap and rt-implausible-value. The system entity context describes SIL-4 equivalent (nuclear), but {{sys:SYS-REQ-004}} and all downstream {{sub:SUB-REQ-070}}, {{sub:SUB-REQ-072}}, {{sub:SUB-REQ-116}} reference SIL-3. In IEC 61508 low-demand terms the bands are PFDavg 10⁻⁴ to below 10⁻³ for SIL-3 and 10⁻⁵ to below 10⁻⁴ for SIL-4, so the target moves by a factor of ten, and SIL-4 also imposes stricter architectural constraints (hardware fault tolerance) and systematic capability on the implementing channels. This is either an intentional downgrade with no documented rationale, or a classification error. The safety argument cannot be closed until this is resolved.
SIL integrity (4 findings): Of 328 requirements, only 1 carries an explicit sil- tag. Four safety-critical requirements use Inspection or Analysis verification, including {{sys:SYS-REQ-004}} (the top-level SCRAM requirement), {{sub:SUB-REQ-006}} (physical segregation), {{sub:SUB-REQ-065}} (seismic SIL retention), and {{ifc:IFC-REQ-021}} (fuel-off relay). SIL-3 classified functions must demonstrate PFD through test or a documented probabilistic analysis (fault tree or FMEDA with stated failure rates, proof-test interval and common-cause factor), not through inspection or a qualitative analysis.
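The two quantities the findings above say are missing, a voting topology and a spurious trip rate, and the PFD bands behind the SIL-3 versus SIL-4 gap can be put side by side with the leading-term simplifications of the IEC 61508-6 low-demand formulas. The script below is an added worked example, not tooling from the Fusion Reactor Control System project; every channel figure in it (failure rates, proof-test interval, beta factor, repair time) is a constructed placeholder, and it covers only the probabilistic part of a SIL claim, not the architectural constraints or systematic capability a full argument also needs.

```python
"""Worked PFDavg and spurious-trip-rate comparison for MooN trip-channel
architectures (1oo1, 1oo2, 2oo3, 2oo4), using the leading-term
simplifications of the IEC 61508-6 low-demand formulas with a beta-factor
common-cause term.

Added illustrative example, not tooling from the Fusion Reactor Control
System project.  All channel figures below are constructed placeholders."""
from math import comb

# IEC 61508-1 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_band(pfd_avg):
    """SIL whose PFDavg band contains pfd_avg; 0 if worse than SIL 1.
    Values below 1e-5 are reported as 4 (the standard defines nothing higher)."""
    if pfd_avg < 1e-5:
        return 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0


def pfd_avg_moon(m, n, lam_du, t_proof, beta):
    """Average probability of failure on demand for an MooN trip group
    (m of n channels must vote trip).  The group fails dangerous once
    k = n - m + 1 channels have failed dangerous-undetected.  Leading
    independent term: C(n,k) * (lam_du*t_proof)**k / (k+1).  For n >= 2 the
    beta-factor common-cause term beta*lam_du*t_proof/2 is added; it usually
    dominates, which is the point of the example."""
    k = n - m + 1
    x = lam_du * t_proof  # expected dangerous failures per channel per proof-test interval
    independent = comb(n, k) * x ** k / (k + 1)
    common_cause = beta * x / 2 if n >= 2 else 0.0
    return independent + common_cause


def spurious_trip_rate_moon(m, n, lam_s, mttr, beta):
    """Spurious trip rate (per hour) for MooN: m channels must trip
    spuriously within one repair window.  Leading term
    n!/(n-m)! * lam_s**m * mttr**(m-1), plus beta*lam_s common cause when
    more than one channel is needed (for m = 1 any single safe failure trips)."""
    rate = lam_s ** m * mttr ** (m - 1)
    for i in range(m):
        rate *= n - i
    if m >= 2:
        rate += beta * lam_s
    return rate


def max_beta_for_sil(m, n, lam_du, t_proof, target_sil):
    """Largest beta-factor at which the MooN group still sits inside the
    target SIL's PFDavg band.  Negative means the independent term alone
    already exceeds the band, so no common-cause claim will rescue it."""
    hi = {sil: hi for sil, _lo, hi in SIL_BANDS}[target_sil]
    k = n - m + 1
    x = lam_du * t_proof
    independent = comb(n, k) * x ** k / (k + 1)
    return 2 * (hi - independent) / x


def compare_architectures(lam_du, t_proof, beta, lam_s, mttr,
                          architectures=((1, 1), (1, 2), (2, 3), (2, 4))):
    """One summary row per architecture: PFDavg, SIL band and spurious trips per year."""
    rows = []
    for m, n in architectures:
        pfd = pfd_avg_moon(m, n, lam_du, t_proof, beta)
        rows.append({
            "arch": f"{m}oo{n}",
            "pfd_avg": pfd,
            "sil": sil_band(pfd),
            "spurious_per_year": spurious_trip_rate_moon(m, n, lam_s, mttr, beta) * 8760,
        })
    return rows


# Constructed placeholder channel data (assumed, not from the requirement set):
LAM_DU = 1e-6     # dangerous-undetected failure rate per channel, per hour
LAM_S = 5e-6      # safe (spurious-trip) failure rate per channel, per hour
T_PROOF = 8760.0  # proof-test interval, hours (annual)
BETA = 0.02       # common-cause beta factor (2 %)
MTTR = 8.0        # mean time to restore a tripped or failed channel, hours

if __name__ == "__main__":
    for row in compare_architectures(LAM_DU, T_PROOF, BETA, LAM_S, MTTR):
        print(f"{row['arch']}: PFDavg={row['pfd_avg']:.2e} SIL{row['sil']} "
              f"spurious/yr={row['spurious_per_year']:.2e}")
    print(f"2oo3 reaches the SIL-4 band only with beta <= "
          f"{max_beta_for_sil(2, 3, LAM_DU, T_PROOF, 4):.4f}")
```

With these placeholder figures 1oo1 lands in SIL-2, 1oo2 and 2oo3 in SIL-3, and only 2oo4 reaches the SIL-4 band, with the common-cause term accounting for most of the PFDavg in every redundant architecture; pushing 2oo3 into SIL-4 would require a beta below about 0.5 %, which is hard to defend. That is why the topology and the beta justification have to be stated in the requirements rather than inferred, and why the spurious-trip column (two orders of magnitude lower for 2oo3 and 2oo4 than for 1oo2) is the quantity a spurious trip rate requirement would bound.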
Flagged Requirements
| Ref | Category | Issue |
|---|---|---|
| SUB-REQ-027 | rt-under-specified | NBI: 1 requirement, 0 failure modes |
| SUB-REQ-028 | rt-under-specified, rt-missing-failure-mode | ECRH: 1 requirement, 0 failure modes |
| SUB-REQ-029 | rt-under-specified, rt-missing-failure-mode | ICRH: 1 requirement, 0 failure modes |
| SUB-REQ-044 | rt-under-specified, rt-missing-failure-mode | Pellet injection: 2 requirements, 0 failure modes |
| SUB-REQ-048 | rt-under-specified, rt-missing-failure-mode | Pellet injection: 2 requirements, 0 failure modes |
| SUB-REQ-045 | rt-under-specified, rt-missing-failure-mode | Burn monitoring: 3 requirements, 0 failure modes |
| SUB-REQ-047 | rt-under-specified, rt-missing-failure-mode | Burn monitoring: 3 requirements, 0 failure modes |
| SUB-REQ-049 | rt-under-specified, rt-missing-failure-mode | Burn monitoring: 3 requirements, 0 failure modes |
| IFC-REQ-005 | rt-vague-interface | Hardwired run-permit: no physical layer spec |
| IFC-REQ-010 | rt-vague-interface | VDE trip demand hardwire: no cable spec |
| IFC-REQ-021 | rt-vague-interface, rt-sil-gap | Fuel-off relay: Inspection verification, no connector spec |
| SUB-REQ-006 | rt-sil-gap | Physical segregation: Inspection verification only |
| SUB-REQ-065 | rt-sil-gap | Seismic SIL retention: Analysis verification only |
| SYS-REQ-004 | rt-sil-gap, rt-implausible-value | SIL-3 vs SIL-4 inconsistency, Analysis verification |
(Plus 8 further rt-under-specified tags on tritium, gas-puffing-valve-controller, pdis subsystems.)
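The tag logic behind the table above (rt-under-specified and rt-missing-failure-mode per subsystem, rt-sil-gap for a SIL below the entity claim, for a SIL downgrade along a trace link with no rationale, and for a safety requirement verified by something other than Test or probabilistic Analysis) can be expressed as a short script so the same checks run on every revision rather than once by hand. This is an added example, not the project's review tooling; the requirement records, trace links, tag names ("safety-critical", "failure-mode"), the verification-method vocabulary and the threshold of 4 SUB requirements are all assumptions chosen to mirror the review text, with constructed sample data.

```python
"""Requirement-set tag checks of the kind applied in the red team review,
run over a constructed toy requirement set.  Added example, not project
tooling; all records, tags and thresholds below are assumptions."""
from collections import defaultdict

SIL_RANK = {"sil-1": 1, "sil-2": 2, "sil-3": 3, "sil-4": 4}
MIN_SUB_REQS = 4  # project average cited in the review; assumed threshold
ACCEPTED_SIL_VERIFICATION = {"Test", "Probabilistic Analysis"}

# Constructed sample records (ids chosen to echo the review, values invented).
REQS = {
    "SYS-REQ-004": dict(level="SYS", subsystem="iess", tags={"sil-3", "safety-critical"}, verification="Analysis"),
    "SUB-REQ-070": dict(level="SUB", subsystem="iess", tags={"sil-3", "safety-critical", "failure-mode"}, verification="Test"),
    "SUB-REQ-072": dict(level="SUB", subsystem="iess", tags={"sil-2", "safety-critical"}, verification="Test"),
    "SUB-REQ-006": dict(level="SUB", subsystem="iess", tags={"safety-critical"}, verification="Inspection"),
    "SUB-REQ-116": dict(level="SUB", subsystem="iess", tags={"sil-3", "failure-mode"}, verification="Test"),
    "SUB-REQ-027": dict(level="SUB", subsystem="nbi", tags=set(), verification="Test"),
    "SUB-REQ-044": dict(level="SUB", subsystem="pellet-injection", tags=set(), verification="Test"),
    "SUB-REQ-048": dict(level="SUB", subsystem="pellet-injection", tags=set(), verification="Inspection"),
}
ENTITY_SIL = "sil-4"  # SIL claimed in the system entity context (assumed)

# (downstream, upstream, rationale); an empty rationale is a mechanical trace.
TRACES = [
    ("SUB-REQ-070", "SYS-REQ-004", "trip timing budget decomposition"),
    ("SUB-REQ-072", "SYS-REQ-004", ""),  # silent SIL downgrade, no rationale
    ("SUB-REQ-116", "SYS-REQ-004", "fuel-off sequencing"),
]


def sil_rank(req):
    """Numeric SIL from the requirement's sil-N tags, or None if untagged."""
    ranks = [SIL_RANK[t] for t in req["tags"] if t in SIL_RANK]
    return max(ranks) if ranks else None


def check_sil_integrity(reqs, traces, entity_sil):
    """rt-sil-gap findings as (requirement id, tag, reason):
    - a SYS-level SIL below the SIL the entity context claims,
    - a SIL-tagged or safety-critical requirement whose verification method
      cannot demonstrate PFD (anything but Test or Probabilistic Analysis),
    - a SIL downgrade from upstream to downstream with no rationale on the link."""
    findings = []
    entity_rank = SIL_RANK[entity_sil]
    for rid, r in reqs.items():
        s = sil_rank(r)
        if r["level"] == "SYS" and s is not None and s < entity_rank:
            findings.append((rid, "rt-sil-gap", f"sil-{s} below entity claim {entity_sil}"))
        is_safety = s is not None or "safety-critical" in r["tags"]
        if is_safety and r["verification"] not in ACCEPTED_SIL_VERIFICATION:
            findings.append((rid, "rt-sil-gap", f"{r['verification']} verification cannot demonstrate PFD"))
    for down, up, rationale in traces:
        sd, su = sil_rank(reqs[down]), sil_rank(reqs[up])
        if sd is not None and su is not None and sd < su and not rationale.strip():
            findings.append((down, "rt-sil-gap", f"sil-{sd} downstream of {up} (sil-{su}) with no rationale"))
    return findings


def check_proportion(reqs, min_sub=MIN_SUB_REQS):
    """rt-under-specified / rt-missing-failure-mode findings per subsystem,
    as (subsystem, tag, reason), in subsystem order."""
    per_sub = defaultdict(list)
    for rid, r in reqs.items():
        if r["level"] == "SUB":
            per_sub[r["subsystem"]].append(rid)
    findings = []
    for sub, ids in sorted(per_sub.items()):
        if len(ids) < min_sub:
            findings.append((sub, "rt-under-specified", f"{len(ids)} SUB requirements"))
        if not any("failure-mode" in reqs[i]["tags"] for i in ids):
            findings.append((sub, "rt-missing-failure-mode", "0 failure-mode requirements"))
    return findings


if __name__ == "__main__":
    for finding in check_sil_integrity(REQS, TRACES, ENTITY_SIL) + check_proportion(REQS):
        print(" | ".join(finding))
```

On the sample set this reports SYS-REQ-004 twice (SIL below the entity claim, and non-probabilistic Analysis verification), SUB-REQ-006 for Inspection verification, SUB-REQ-072 for the undocumented downgrade to sil-2, and both nbi and pellet-injection as under-specified with no failure-mode coverage. The trace check is the one worth keeping even where trace hygiene is otherwise good, as it is here: a link can carry a rationale field and still silently drop a level.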
Domain Analogs Checked
| Analog | Jaccard | Gaps surfaced |
|---|---|---|
| Nuclear Reactor Protection System ({{hex:55B77859}}) | 80% | 2oo4 voting topology; spurious trip rate; ESFAS actuation logic; PFD quantification |
| Site Protection System ({{hex:51F77859}}) | 85% | Diesel start-time requirements; area isolation sequencing |
| Safety Interlock and Trip System ({{hex:50F77859}}) | 82% | UPS duration specification; trip status reporting |
Recommendations
- Resolve SIL-3 vs SIL-4 classification: the safety claim must be consistent between entity context and requirements. If SIL-3 is the correct level, update the entity description. If SIL-4 is required (which IEC 61513 may mandate for the equivalent nuclear category), every SIL-3 tagged requirement must be re-levelled and PFD targets revised from <10⁻³ to <10⁻⁴. This is the highest-priority finding.
- Specify voting logic topology in IFC requirements: the safety trip channel architecture (2oo2, 2oo3, 2oo4, 1oo2, TMR) must appear in the interface requirements rather than be inferred from ARC decisions. Safety auditors will require it.
- Add spurious trip rate requirements: without a spurious trip probability budget the system cannot demonstrate that it has balanced dependability against the safety demand rate. This gap is flagged by the nuclear RPS analog.
- Expand heating and current drive subsystem requirements: ECRH, ICRH, and NBI each warrant at minimum 5 SUB requirements covering fault shutdown, interlock coupling, power ramp constraints, and reflection handling.
- Physical layer specifications for safety-critical hardwired interfaces: all three flagged interfaces carry life-safety signals in a tokamak machine hall environment. Cable shielding class, cable impedance, connector type, and maximum propagation length must be specified.
- Verify SIL-classified functions with Test, not Inspection: {{sys:SYS-REQ-004}}, {{sub:SUB-REQ-006}}, {{sub:SUB-REQ-065}}, and {{ifc:IFC-REQ-021}} must be elevated to Test or probabilistic Analysis with documented PFD calculations.
Verdict
22 findings: 4 high-severity (SIL-integrity, SIL-level inconsistency), 14 medium-severity (proportion/under-specification), 4 medium-severity (interface plausibility). The SIL-3 vs SIL-4 discrepancy is a material safety argument gap that will surface at any regulatory review. Red team does not block completion — the findings are reported for the builder to address before the system is considered production-grade.
Trip signal path (architecture diagram):

```mermaid
flowchart TB
    n0["Trip Parameter Monitor"]
    n1["Safety Logic Processor"]
    n2["Emergency Shutdown Sequencer"]
    n3["Safety Parameter Display"]
    n0 -->|trip signal 24VDC| n1
    n1 -->|trip actuation| n2
    n1 -->|safety status data| n3
```