Seismic and Decay Heat Chains Absent — Validation Partial Fail
System
{{entity:STEP Fusion Power Plant}} — validation session 518. The project holds 236 requirements across 6 documents: 20 STK, 16 SYS, 53 SUB, 36 IFC, 8 ARC, 87+ VER, with 250 trace links. Previous QC session (517) left 36% verifies coverage (82/229 at entry). This session targeted the V-model right side: verification adequacy audit, ConOps scenario walkthrough, and safety argument completeness.
Verification Audit
Eighteen wrong-type trace links were found and corrected. Prior sessions had created derives links from SUB/IFC requirements to VER entries (e.g., SUB-REQ-019 → VER-042 [derives]). The AIRGen verify runner only counts verifies-typed links, so these 11 SUB reqs and 3 IFC reqs appeared unverified despite having VER entries. All 12 derives links were deleted and replaced with correct verifies links.
One false trace was discovered: {{ifc:IFC-REQ-023}} (BTES-ISS tritium transfer interface) had a derives link pointing to VER-REQ-041, which actually verifies IFC-REQ-021. The wrong link was deleted, a proper VER entry created (testing 0.1–1% T/He concentration and 1–10 slm flow at the ISS feed manifold inlet), and a verifies link established.
Six new VER entries were created for {{sub:SUB-REQ-049}} through {{sub:SUB-REQ-054}} (ISS electrical supply and UPS, PPS emergency isolation, turbine hall inspection, tritium building confinement inspection, cryogenic plant building inspection, vacuum equipment mounting). VER-REQ-068 through VER-REQ-073 were also reassigned from null document to the verification section, and verifies links created for their SUB targets (SUB-REQ-038–040, 043–045). Net verifies coverage moved from 36% (82/229) to 42% (100/236).
Sampled verification methods were generally sound: safety-critical requirements use Test (VER-039 timing test at 1 MHz sample rate for quench interlock; VER-049 failure injection for tritium isolation). The new infrastructure requirements (SUB-051 turbine hall, SUB-052 confinement building, SUB-053 cryogenic plant) correctly use Inspection — floor load ratings and wall thickness are documentary/dimensional, not dynamic. One adequacy concern: VER for SUB-051 does not specify the certification standard; it should reference ISO 9001 or SQEP-grade structural inspection.
Scenario Validation
flowchart TB
n0["subsystem - Tokamak Core Assembly"]
n1["subsystem - Superconducting Magnet System"]
n2["subsystem - Cryogenic Plant"]
n3["subsystem - Tritium Plant"]
n4["subsystem - Power Conversion System"]
n5["subsystem - Plasma Control System"]
n6["subsystem - Remote Handling System"]
n7["subsystem - Vacuum System"]
n8["subsystem - Radiation Protection System"]
n0 -->|Magnetic Field| n1
n2 -->|4.5K Cooling| n1
n3 -->|Fuel / Exhaust| n0
n0 -->|Thermal Power| n4
n5 -->|Control Commands| n0
n5 -->|Coil Commands| n1
n7 -->|Vacuum| n0
n6 -->|Maintenance Access| n0
n8 -.->|Shielding| n0
S-001 Full-Power Burn: Covered. {{stk:STK-REQ-009}} (100 MW net export) traces to {{sys:SYS-REQ-002}} → {{sub:SUB-REQ-041}}, {{sub:SUB-REQ-042}}, {{sub:SUB-REQ-044}}, {{sub:SUB-REQ-051}}, {{ifc:IFC-REQ-009}}. All carry verified VER entries including a 24-hour sustained power measurement test (VER-REQ-082).
S-002 Disruption Recovery: Covered. {{sys:SYS-REQ-004}} → {{sub:SUB-REQ-001}}–006, 017, {{ifc:IFC-REQ-005}}, {{ifc:IFC-REQ-017}}. VER-REQ-013 provides end-to-end integration test injecting a disruption precursor through to shattered pellet injection confirmation — the 10 ms mitigation window is explicitly tested.
S-003 Tritium Malfunction: Covered. {{sys:SYS-REQ-005}} → {{sub:SUB-REQ-023}}, {{sub:SUB-REQ-024}}, {{sub:SUB-REQ-018}}, {{sub:SUB-REQ-020}}, {{sub:SUB-REQ-049}}, {{sub:SUB-REQ-050}}, {{sub:SUB-REQ-052}} and {{ifc:IFC-REQ-011}}. The scenario requires automatic line isolation and ≤0.1 g release; the VER-049 failure-injection test and the new VER for SUB-050 (30-second emergency isolation demonstrated on as-built hardware) close the chain.
S-004 Seismic Emergency: Gap. {{sys:SYS-REQ-011}} (fast plasma shutdown ≤100 ms on OBE ≥0.1g) has zero SUB derivations and no VER entries. The seismic trip chain — from accelerometer detection through Plant Protection System fast trip logic to plasma termination confirmation — is entirely absent. The scenario cannot be argued safe from the current chain.
S-005 Planned Maintenance: Covered. {{sys:SYS-REQ-009}} → {{sub:SUB-REQ-036}}–040, {{ifc:IFC-REQ-008}}. VER-REQ-066 end-to-end blanket exchange trial and newly linked VER-REQ-068–070 cover RHS radiation tolerance, cask handling, and fault recovery.
Mode Coverage
Six operating modes were checked. Plasma Startup, Steady-State Burn, Planned Shutdown, and Remote Maintenance have entry/behaviour/exit requirements and VER entries. Emergency Shutdown mode is partially covered: the disruption mitigation path (H-001) is complete, but the seismic trip path (H-009) is untraced — an Emergency Shutdown triggered by a seismic event has no requirement specifying the sub-100 ms shutdown sequence. Commissioning mode lacks a VER entry confirming the first hydrogen plasma milestones against the STK acceptance criteria.
Safety Argument
H-001 (plasma disruption, SIL-3): chain complete — {{sys:SYS-REQ-004}} → SUB → VER-013 integration test.
H-002 (tritium release, SIL-3): substantially complete — double-barrier VER entries exist; confinement building inspection (new VER for {{sub:SUB-REQ-052}}) closes the structural argument.
H-003 (magnet quench, SIL-2): complete — {{sys:SYS-REQ-006}} → {{sub:SUB-REQ-023}}, 027, 028, 032, {{ifc:IFC-REQ-024}}. VER-039 tests the 1 ms hardwired quench interlock signal.
H-004 (LOCA, SIL-2): gap — {{sys:SYS-REQ-007}} (72-hour passive decay heat removal) has no SUB derivations or VER entries. The passive cooling subsystem is unrepresented in the requirement chain; safe-state reachability under H-004 cannot be argued.
H-009 (seismic, SIL-3): gap — see S-004 above. Single-channel seismic trip logic architecture and response time are unspecified.
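As an added illustration (not AIRGen's code or this project's data), the following Python script reproduces the two checks behind the Verification Audit and the Safety Argument review: it flags links into VER entries that are not typed verifies, recomputes verifies coverage the way the runner counts it, and walks a SYS → SUB/IFC → VER chain to report the kind of gap recorded for SYS-REQ-011. The requirement set, the acceptance of either link direction, and the assumption that only SUB and IFC requirements are expected to carry VER entries are constructed here.

```python
# Constructed sample, not AIRGen project data: requirement id -> document,
# and trace links as (source, target, type), mirroring the session's findings.
REQS = {
    "SYS-REQ-004": "SYS", "SYS-REQ-011": "SYS",
    "SUB-REQ-001": "SUB", "SUB-REQ-019": "SUB", "IFC-REQ-023": "IFC",
    "VER-REQ-013": "VER", "VER-REQ-041": "VER", "VER-REQ-042": "VER",
}
LINKS = [
    ("SUB-REQ-001", "SYS-REQ-004", "derives"),
    ("VER-REQ-013", "SUB-REQ-001", "verifies"),
    ("SUB-REQ-019", "VER-REQ-042", "derives"),  # wrong type: VER endpoint, not verifies
    ("IFC-REQ-023", "VER-REQ-041", "derives"),  # wrong type, same pattern
]
VERIFIABLE = {"SUB", "IFC"}  # assumption: only SUB/IFC are expected to carry VER

def doc(reqs, rid):
    return reqs.get(rid, "NULL")  # unknown id behaves like a null-document entry

def wrong_type_links(reqs, links):
    """Links touching a VER entry that are not typed verifies; the runner ignores them."""
    return [(s, t, ty) for s, t, ty in links
            if "VER" in (doc(reqs, s), doc(reqs, t)) and ty != "verifies"]

def retype_to_verifies(reqs, links):
    """The session's fix: same endpoints, link type corrected to verifies."""
    bad = set(wrong_type_links(reqs, links))
    return [(s, t, "verifies") if (s, t, ty) in bad else (s, t, ty) for s, t, ty in links]

def verifies_coverage(reqs, links):
    """Mirror the verify runner: a req counts only via a verifies link to a VER entry.
    Returns (covered, total, sorted list of unverified ids)."""
    verified = set()
    for s, t, ty in links:
        if ty != "verifies":
            continue
        for ver, req in ((s, t), (t, s)):  # accept either link direction
            if doc(reqs, ver) == "VER" and doc(reqs, req) in VERIFIABLE:
                verified.add(req)
    targets = {r for r, d in reqs.items() if d in VERIFIABLE}
    return len(verified & targets), len(targets), sorted(targets - verified)

def chain_gaps(reqs, links, sys_id):
    """Walk SYS -> SUB/IFC (derives) -> VER (verifies) and report what is missing."""
    children = [s for s, t, ty in links if t == sys_id and ty == "derives"]
    if not children:
        return [f"{sys_id}: no SUB/IFC derivations"]
    unverified = set(verifies_coverage(reqs, links)[2])
    return [f"{c}: no VER entry" for c in children if c in unverified]

if __name__ == "__main__":
    print(wrong_type_links(REQS, LINKS))
    print(verifies_coverage(REQS, LINKS), verifies_coverage(REQS, retype_to_verifies(REQS, LINKS)))
    print(chain_gaps(REQS, LINKS, "SYS-REQ-004"), chain_gaps(REQS, LINKS, "SYS-REQ-011"))
```

Before retyping, the two derives links into VER entries leave SUB-REQ-019 and IFC-REQ-023 counted as unverified; after retyping, coverage is full, while SYS-REQ-011 is still reported as having no derivations at all.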
Gaps Closed
14 verification gaps closed: 12 wrong-type derives links corrected to verifies, 1 false trace deleted, 7 new VER requirements created (IFC-023, SUB-049 through SUB-054), 13 null-document VER reqs reassigned to verification section. Coverage improved from 36% to 42%.
Verdict
Fail. S-004 Seismic and H-009/H-004 safety chains are open. The next session must add: (a) a seismic trip SUB requirement under the Plant Protection System allocating the ≤100 ms shutdown timeline, a seismic instrumentation SUB req for the accelerometer array, and VER entries testing both; (b) a passive decay heat removal SUB requirement under Tokamak Core Assembly or a dedicated passive cooling subsystem, with a VER entry demonstrating 72-hour passive capability. Until these chains are closed, the safety argument for the seismic scenario (H-009, SIL-3) and the LOCA scenario (H-004, SIL-2) cannot be made.