Red Team Breaks STEP Fusion: 37% Orphaned Requirements and Missing Nuclear Safety Analogs
System
STEP Fusion Power Plant ({{hex:DEC51019}}) — red team review of the completed decomposition. At entry: 242 requirements across 6 documents, 258 trace links, 10 diagrams, 0 orphan requirements per AIRGen reports. 9 subsystems: {{entity:Tokamak Core Assembly}}, {{entity:Plasma Control System}}, {{entity:Superconducting Magnet System}}, {{entity:Cryogenic Plant}}, {{entity:Tritium Plant}}, {{entity:Power Conversion System}}, {{entity:Remote Handling System}}, {{entity:Vacuum System}}, {{entity:Radiation Protection System}}. SIL allocation spans SIL-1 through SIL-3 across 91 tagged requirements.
```mermaid
flowchart TB
TCA["Tokamak Core Assembly"]
SMS["Superconducting Magnet System"]
CP["Cryogenic Plant"]
TP["Tritium Plant"]
PCS["Power Conversion System"]
PlCS["Plasma Control System"]
RHS["Remote Handling System"]
VS["Vacuum System"]
RPS["Radiation Protection System"]
TCA -->|Magnetic Field| SMS
CP -->|4.5K Cooling| SMS
TP -->|Fuel / Exhaust| TCA
TCA -->|Thermal Power| PCS
PlCS -->|Control Commands| TCA
PlCS -->|Coil Commands| SMS
VS -->|Vacuum| TCA
RHS -->|Maintenance Access| TCA
RPS -.->|Shielding| TCA
```
Adversarial Findings
Failure Modes (5 tagged, rt-missing-failure-mode): {{entity:Vacuum System}} has 2 tagged SUB requirements but only 1 addresses fault/failure behaviour. {{entity:Power Conversion System}} has 5 tagged SUB requirements with only 1 failure-mode requirement — no steam generator tube rupture, no turbine trip recovery, no loss-of-grid-connection degraded mode. {{sub:SUB-REQ-029}}, {{sub:SUB-REQ-030}}, {{sub:SUB-REQ-041}}, {{sub:SUB-REQ-042}}, {{sub:SUB-REQ-044}} tagged.
Trace Derivation Gaps (33 orphaned, structural): 33/89 SUB/IFC requirements (37%) have no derivation parent from any SYS requirement. The IFC document is worst: 20/36 IFC requirements (55%) are orphaned from the derivation chain. These requirements exist but their engineering provenance is undocumented — they cannot demonstrate they derive from system-level needs.
Spray Pattern Traces (3 tagged, rt-mechanical-trace): {{sys:SYS-REQ-006}} (quench management) has 10 derivation targets, including a duplicate link to {{sub:SUB-REQ-023}}. {{sys:SYS-REQ-004}} (disruption mitigation) has 9 targets. {{sys:SYS-REQ-005}} (tritium containment) has 8 targets. While safety cascade requirements can justify broad fan-out, 10 links from a single SYS requirement warrant scrutiny to distinguish genuine from mechanical derivation.
Vague Interfaces (4 tagged, rt-vague-interface): {{ifc:IFC-REQ-014}} (power supply to coils) specifies current magnitude but no regulation bandwidth or transient response. {{ifc:IFC-REQ-019}} (grid auxiliary power) lacks fault ride-through or automatic transfer specs. {{ifc:IFC-REQ-015}} (RHS tritium decontamination) has no process timing. {{ifc:IFC-REQ-032}} (transfer cask docking) has no mating sequence timing.
Implausible Values (2 tagged, rt-implausible-value): “30 seconds” appears as a safety response time across 5 unrelated subsystems (tritium isolation, plasma shutdown, ADS activation, ISS shutdown, quench discharge). While individually plausible, identical values across physically distinct systems suggest template copying rather than independent derivation. {{ifc:IFC-REQ-035}} contains a suspiciously round “1.0” power factor upper bound.
Proportion Imbalance (structural): {{entity:Vacuum System}} has only 2 tagged SUB requirements versus 6 for {{entity:Plasma Control System}} — under-specified for a SIL-2 subsystem managing 10⁻⁶ Pa vessel integrity. All 53 SUB requirements sit in a single null section with no subsystem-based document organisation.
Testability (0 tagged): All 15 sampled SUB+IFC requirements scored 86/100 on ISO 29148 compliance with EARS ubiquitous pattern. No testability issues detected.
SIL Integrity (0 escalations): No SIL escalation found; every SUB SIL level is equal to or below its parent SYS SIL. 0/91 SIL-tagged requirements lack a verification method. 5 safe-state requirements exist. No SIL-4 requirements are present despite nuclear-class safety functions.
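The derivation-orphan, duplicate-link, fan-out, SIL-escalation and repeated-value checks reported in the findings above are mechanical enough to be run over a trace export. The following is an added example of those checks, not the AIRGen tooling or any STEP project artefact; the requirement ids, SIL values, link set and requirement text are constructed sample data, and the fan-out and shared-value thresholds are assumed parameters rather than values taken from the review.

```python
"""Trace-audit checks over a constructed requirements/trace set (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample requirements: id -> (level, subsystem, SIL or None).
REQUIREMENTS = {
    "SYS-REQ-001": ("SYS", None, 3),
    "SYS-REQ-002": ("SYS", None, 2),
    "SUB-REQ-010": ("SUB", "Vacuum System", 2),
    "SUB-REQ-011": ("SUB", "Vacuum System", 3),            # SIL above its parent SYS-REQ-002
    "SUB-REQ-012": ("SUB", "Power Conversion System", 1),  # only a 'verifies' link, no parent
    "IFC-REQ-020": ("IFC", "Cryogenic Plant", None),       # no link at all
    "IFC-REQ-021": ("IFC", "Tritium Plant", 3),
}

# Constructed sample trace links: (parent, child, link_type).
LINKS = [
    ("SYS-REQ-001", "SUB-REQ-010", "derives"),
    ("SYS-REQ-001", "IFC-REQ-021", "derives"),
    ("SYS-REQ-001", "IFC-REQ-021", "derives"),   # duplicate link, as in the SYS-REQ-006 finding
    ("SYS-REQ-002", "SUB-REQ-011", "derives"),
    ("SYS-REQ-001", "SUB-REQ-012", "verifies"),  # verification is not derivation
]

# Constructed requirement text used for the repeated-value check.
TEXT = {
    "SUB-REQ-010": "The Vacuum System shall isolate the vessel within 30 seconds of a leak alarm.",
    "SUB-REQ-011": "The Vacuum System shall report gauge faults within 5 seconds.",
    "SUB-REQ-012": "The Power Conversion System shall trip the turbine within 30 seconds.",
    "IFC-REQ-021": "The Tritium Plant shall close isolation valves within 30 seconds.",
}


def derivation_orphans(reqs, links):
    """SUB/IFC requirements with no 'derives' link from any SYS requirement."""
    derived = {child for parent, child, kind in links
               if kind == "derives" and reqs.get(parent, (None,))[0] == "SYS"}
    return sorted(r for r, (level, _, _) in reqs.items()
                  if level in ("SUB", "IFC") and r not in derived)


def orphan_rate(reqs, links):
    """Fraction of SUB/IFC requirements that are derivation orphans."""
    pool = [r for r, (level, _, _) in reqs.items() if level in ("SUB", "IFC")]
    return len(derivation_orphans(reqs, links)) / len(pool)


def duplicate_links(links):
    """Trace links that appear more than once (exact parent/child/type repeats)."""
    return sorted(link for link, n in Counter(links).items() if n > 1)


def fan_out(links, threshold):
    """SYS requirements whose raw 'derives' link count (duplicates included) reaches threshold."""
    counts = Counter(parent for parent, _, kind in links if kind == "derives")
    return {parent: n for parent, n in counts.items() if n >= threshold}


def sil_escalations(reqs, links):
    """Derivation links where the child's SIL exceeds the parent's SIL."""
    found = []
    for parent, child, kind in links:
        if kind != "derives":
            continue
        parent_sil, child_sil = reqs[parent][2], reqs[child][2]
        if parent_sil is not None and child_sil is not None and child_sil > parent_sil:
            found.append((parent, child, parent_sil, child_sil))
    return found


# Number followed by a unit; the unit list is an assumption for this example.
VALUE_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*(seconds?|s|Pa|K|MW)\b")


def shared_values(texts, reqs, min_subsystems):
    """Numeric values that recur verbatim across at least min_subsystems distinct subsystems."""
    subsystems_by_value = defaultdict(set)
    for rid, text in texts.items():
        for number, unit in VALUE_RE.findall(text):
            subsystems_by_value[f"{number} {unit}"].add(reqs[rid][1])
    return {value: sorted(subs) for value, subs in subsystems_by_value.items()
            if len(subs) >= min_subsystems}


if __name__ == "__main__":
    print("orphans:", derivation_orphans(REQUIREMENTS, LINKS), f"({orphan_rate(REQUIREMENTS, LINKS):.0%})")
    print("duplicates:", duplicate_links(LINKS))
    print("fan-out >= 3:", fan_out(LINKS, 3))
    print("SIL escalations:", sil_escalations(REQUIREMENTS, LINKS))
    print("shared values:", shared_values(TEXT, REQUIREMENTS, 3))
```

Two choices mirror the review's own counting: a `verifies` link does not rescue a requirement from orphan status, because verification coverage and derivation provenance are separate questions, and fan-out counts raw links so that a duplicate inflates the figure exactly as it did for SYS-REQ-006.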
Flagged Requirements
| Ref | Category | Issue |
|---|---|---|
| {{sub:SUB-REQ-029}} | rt-missing-failure-mode | No turbomolecular pump failure/degradation handling |
| {{sub:SUB-REQ-030}} | rt-missing-failure-mode | Pressure monitoring gauge failure not addressed |
| {{sub:SUB-REQ-041}} | rt-missing-failure-mode | No loss-of-grid or islanding failure mode |
| {{sub:SUB-REQ-042}} | rt-missing-failure-mode | Thermal efficiency degradation not addressed |
| {{sub:SUB-REQ-044}} | rt-missing-failure-mode | Steam generator tube rupture not addressed |
| {{sys:SYS-REQ-004}} | rt-mechanical-trace | 9 derivation targets — potential spray pattern |
| {{sys:SYS-REQ-005}} | rt-mechanical-trace | 8 derivation targets — potential spray pattern |
| {{sys:SYS-REQ-006}} | rt-mechanical-trace | 10 targets with duplicate link to SUB-REQ-023 |
| {{ifc:IFC-REQ-014}} | rt-vague-interface | No regulation bandwidth or transient response |
| {{ifc:IFC-REQ-015}} | rt-vague-interface | No decontamination process timing |
| {{ifc:IFC-REQ-019}} | rt-vague-interface | No fault ride-through or transfer specs |
| {{ifc:IFC-REQ-032}} | rt-vague-interface | No mating sequence timing |
| {{ifc:IFC-REQ-035}} | rt-implausible-value | Round “1.0” power factor upper bound |
| VER-REQ-062 | rt-implausible-value | Mirrors IFC-REQ-035 round values |
Domain Analogs Checked
| Analog | Similarity | Gaps Surfaced |
|---|---|---|
| Fukushima Daiichi Nuclear Power Plant | 0.79 | Missing beyond-design-basis accident scenarios, emergency operating procedures |
| Nuclear reactor (Factory corpus) | 0.78 | No decommissioning requirements at design stage |
| Plant Control and I&C System | 0.79 | No environmental discharge monitoring for tritium/activation products |
| Magnet Safety and Protection System | 0.82 | STEP project lacks independent hardware interlock layer requirement |
| Quench detection system (Factory) | 0.81 | Factory entity uses 2oo3 voting; STEP specifies only “dual-redundant” |
Recommendations
- Create derivation traces for 33 orphaned SUB/IFC requirements. 20 IFC requirements and 13 SUB requirements have no parent SYS requirement. This is the highest-priority structural gap — without provenance, these requirements cannot be validated against system-level intent.
- Add failure-mode requirements for Vacuum System and Power Conversion System. Both subsystems lack turbine trip, pump failure, loss-of-grid, and steam generator tube rupture scenarios despite SIL-1/2 classification.
- Investigate the “30 seconds” safety response time. Five distinct safety functions across unrelated subsystems use identical 30-second response windows. Each should have an independently derived value based on hazard analysis (e.g., tritium dispersion modelling for ADS, thermal time constant for quench discharge).
- Add beyond-design-basis accident and decommissioning requirements. Fukushima analog at 0.79 similarity strongly suggests these categories are missing from the STK/SYS level.
- Resolve duplicate trace link: {{sys:SYS-REQ-006}} → {{sub:SUB-REQ-023}} appears twice.
- Organise SUB document into per-subsystem sections for navigability and trace audit.
Verdict
Informational. 14 rt-tagged requirements across 4 categories. 5 domain gap findings stored in QUALITY namespace. 48 lint findings (4 high, 44 medium) from semantic analysis. The decomposition is structurally sound with good verification coverage (123 verifies links, all with rationale) and no SIL escalation, but the 37% derivation orphan rate and absent nuclear safety analog categories (beyond-design-basis, decommissioning, environmental discharge) represent significant gaps for a nuclear-class facility.