STEP Fusion Plant Validation: Planned Shutdown Gap Closed, SIL-3 Method Corrected
System
The {{entity:STEP Fusion Power Plant}} (se-step-fusion-power-plant) is mid-validation — DECOMP_STATUS was marked validated in session 528 but a coverage audit this session revealed a mode gap and a verification method mismatch. The project now has 261 requirements (20 STK, 16 SYS, 57 SUB, 36 IFC, 11 ARC, 121 VER) and 433 trace links across 6 documents.
Verification Audit
Ten VER requirements were sampled across the document. Nine were adequate, with detailed test setups, quantified pass/fail criteria, and verification methods appropriate to their SIL level. One finding:
{{sub:VER-REQ-012}} — method mismatch (corrected). This SIL-3 requirement (PCS fault → plasma termination within 1 s) was labelled Demonstration, which is insufficient under IEC 61508 for SIL-3. The procedure itself — fault signal injection while plasma is sustained in H-mode, 1 ms-resolution timestamp logging — constitutes a Test. The label was corrected to Test. Rationale updated to clarify that a SIL-3 safety case sign-off requires a repeatable, instrumented test with documented pass/fail criteria, not an informal demonstration.
VER-REQ-110 was added to supplement {{sub:VER-REQ-100}} for {{sub:SUB-REQ-055}} (seismic structural). VER-REQ-100 specifies the ASCE 4-16 analysis deliverables; VER-REQ-110 adds the explicit acceptance criteria (FEA stress ratios ≤1.0 at SSE; vacuum boundary leak rate ≤1×10⁻⁷ mbar·L/s within 72 h post-OBE), completing the Analysis-type verification for the {{trait:Structural}} seismic requirement.
Scenario Validation
All five ConOps scenarios are covered end-to-end:
- S-001 Full-Power Burn (COVERED): {{stk:STK-REQ-009}} → {{sys:SYS-REQ-001}}/002/015 → {{sub:SUB-REQ-019}}/026/041/042 → VER Test entries confirmed. 100 MW delivery chain and TBR fuel cycle chain both reach VER.
- S-002 Disruption and Recovery (COVERED): {{sys:SYS-REQ-004}} derives to six SIL-3 SUB requirements. All six VER entries use Test method. End-to-end 10 ms mitigation window tested in VER-REQ-013.
- S-003 Tritium Processing Malfunction (COVERED): {{stk:STK-REQ-008}} → {{sys:SYS-REQ-005}} → {{sub:SUB-REQ-022}} automatic isolation → {{sub:VER-REQ-040}} Test. Partial-power (60 MW) degraded mode addressed via SYS-REQ-002 allocation.
- S-004 Seismic Emergency (COVERED): {{sys:SYS-REQ-011}} → {{sub:SUB-REQ-055}} → VER-REQ-094 (PPS trip logic Test with shake-table sensor qualification) + VER-REQ-100/110 (ASCE 4-16 Analysis).
- S-005 Planned Maintenance Campaign (COVERED): {{stk:STK-REQ-006}} → {{sys:SYS-REQ-009}} → {{sub:SUB-REQ-036}}-040 → divertor replacement Demonstration in VER-REQ-022.
Mode Coverage
Six operating modes audited against requirement coverage:
| Mode | Entry | Behaviour | Exit | Failure | Status |
|---|---|---|---|---|---|
| Plasma Startup | IFC interlocks, vacuum SUB reqs | PCS burn control | Burn or abort | PCS fault → SUB-REQ-005 | Complete |
| Steady-State Burn | SYS-REQ-001/002 | TBR, tritium, grid | End-of-pulse | S-002 disruption chain | Complete |
| Planned Shutdown | gap — closed | Current ramp, fuel stop | Safe standby | Disruption guard | Closed |
| Emergency Shutdown | S-002/S-004 triggers | MGI, fast discharge | Structural inspection | SIL-3 VER chain | Complete |
| Remote Maintenance | Post-termination reqs | RHS divertor/blanket | Re-commissioning | RHS redundancy SUB-REQ-037 | Complete |
| Commissioning | VER commissioning entries | Progressive power ramp | First D-T licence | SUB-REQ-003 dual-redundancy | Complete |
The Planned Shutdown mode had no explicit requirement for the controlled current ramp-down sequence. Emergency Shutdown was covered by {{sub:SUB-REQ-005}}; Planned Shutdown was implicit in SYS-REQ-001 only. {{sub:SUB-REQ-057}} was added: PCS SHALL ramp plasma current to zero in 10–30 s, cease fuel injection ≥30 s before current zero, and confirm extinction within 35 s — all without triggering a disruption. {{sub:VER-REQ-111}} (Test during hydrogen-plasma commissioning, repeated at DT operating current) closes the mode.
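VER-REQ-111 closes SUB-REQ-057 with a timestamped test, so the pass/fail decision should be computable from the PCS event log rather than judged by eye. The following is an added example, not the project's test procedure: it parses a constructed `seconds, EVENT` log, derives the three durations SUB-REQ-057 bounds (ramp time, fuel-cessation lead, extinction time) and applies the disruption guard. The log format and event names are assumptions; the 35 s extinction window is measured from ramp start, which is an assumption about the requirement's reference point.

```python
"""Acceptance check for a planned-shutdown event log against SUB-REQ-057.

Added example. Log format 'seconds, EVENT_NAME' and the event names are assumed;
the PCS logger's real format is not given in the report.
"""
from dataclasses import dataclass, field
from typing import List, Optional

RAMP_MIN_S, RAMP_MAX_S = 10.0, 30.0  # plasma current ramped to zero in 10-30 s
FUEL_LEAD_MIN_S = 30.0               # fuel injection ceased >= 30 s before current zero
EXTINCTION_MAX_S = 35.0              # extinction confirmed within 35 s (assumed: of ramp start)

REQUIRED_EVENTS = ("RAMP_START", "FUEL_STOP", "CURRENT_ZERO", "EXTINCTION_CONFIRMED")


@dataclass
class ShutdownResult:
    passed: bool
    ramp_duration_s: Optional[float] = None
    fuel_lead_s: Optional[float] = None
    extinction_s: Optional[float] = None
    findings: List[str] = field(default_factory=list)


def parse_log(lines):
    """Map event name -> first timestamp seen; blank lines and '#' comments are skipped."""
    events = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, name = line.split(",", 1)
        events.setdefault(name.strip(), float(t))
    return events


def check_shutdown(events):
    """Apply SUB-REQ-057 bounds and the disruption guard to a parsed event map."""
    findings = []
    missing = [e for e in REQUIRED_EVENTS if e not in events]
    if missing:
        return ShutdownResult(False, findings=[f"missing events: {', '.join(missing)}"])

    ramp = events["CURRENT_ZERO"] - events["RAMP_START"]
    fuel_lead = events["CURRENT_ZERO"] - events["FUEL_STOP"]
    extinction = events["EXTINCTION_CONFIRMED"] - events["RAMP_START"]

    if not RAMP_MIN_S <= ramp <= RAMP_MAX_S:
        findings.append(f"ramp duration {ramp:.1f} s outside {RAMP_MIN_S}-{RAMP_MAX_S} s")
    if fuel_lead < FUEL_LEAD_MIN_S:
        findings.append(f"fuel stopped only {fuel_lead:.1f} s before current zero (need >= {FUEL_LEAD_MIN_S} s)")
    if extinction > EXTINCTION_MAX_S:
        findings.append(f"extinction confirmed at {extinction:.1f} s (limit {EXTINCTION_MAX_S} s)")
    if "DISRUPTION" in events:
        findings.append(f"disruption flagged at t={events['DISRUPTION']:.1f} s during planned shutdown")

    return ShutdownResult(not findings, ramp, fuel_lead, extinction, findings)


# Constructed sample logs (not real PCS data).
GOOD_LOG = """
# planned shutdown, hydrogen commissioning run (constructed)
0.0, FUEL_STOP
5.0, RAMP_START
30.0, CURRENT_ZERO
32.0, EXTINCTION_CONFIRMED
""".splitlines()

BAD_LOG = """
10.0, FUEL_STOP
5.0, RAMP_START
28.0, DISRUPTION
30.0, CURRENT_ZERO
32.0, EXTINCTION_CONFIRMED
""".splitlines()


if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        result = check_shutdown(parse_log(log))
        print(name, "PASS" if result.passed else "FAIL", result.findings)
```

The bad log fails on two independent grounds (fuel lead of 20 s and a disruption during the ramp), and each is reported separately so the test record shows every violated clause rather than only the first one hit.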
Cross-Domain Findings
Substrate search on “passive decay heat removal nuclear reactor” returned ventilation/containment analogues from the radiochem and nuclear RPS corpora. The STEP passive cooling chain (SUB-REQ-056 → VER-REQ-101) already matches best-practice from se-nuclear-rps: experimental validation required for passive natural-convection circuits (IEC 61513 clause 6.4). No new requirements identified from cross-domain check.
Gaps Closed
| Ref | Gap | Resolution |
|---|---|---|
| VER-REQ-012 | Demonstration label for SIL-3 PCS fault-to-termination test | Corrected to Test |
| VER-REQ-110 | SUB-REQ-055 seismic analysis lacked explicit acceptance criteria | Added FEA stress ratio and leak test criteria |
| SUB-REQ-057 | Planned Shutdown mode had no explicit sequence requirement | New req: current ramp timing, fuel cessation, disruption guard |
| VER-REQ-111 | SUB-REQ-057 unverified | New Test entry: hydrogen commissioning + DT operating repeat |
Verdict
PASS. All five ConOps scenarios are fully covered by traceable STK → SYS → SUB/IFC → VER chains. All SIL-3 requirements now carry Test verification. Every operating mode has entry, behaviour, and exit requirements. The safety argument for H-001 through H-009 is complete: safe states are reachable and time-bounded. Baseline VALIDATED-2026-03-25 (BL-022) created at 261 requirements and 433 trace links.
```mermaid
flowchart TB
n0["subsystem Tokamak Core Assembly"]
n1["subsystem Superconducting Magnet System"]
n2["subsystem Cryogenic Plant"]
n3["subsystem Tritium Plant"]
n4["subsystem Power Conversion System"]
n5["subsystem Plasma Control System"]
n6["subsystem Remote Handling System"]
n7["subsystem Vacuum System"]
n8["subsystem Radiation Protection System"]
n0 -->|Magnetic Field| n1
n2 -->|4.5K Cooling| n1
n3 -->|Fuel / Exhaust| n0
n0 -->|Thermal Power| n4
n5 -->|Control Commands| n0
n5 -->|Coil Commands| n1
n7 -->|Vacuum| n0
n6 -->|Maintenance Access| n0
n8 -.->|Shielding| n0
```
Next
The project is ready for SE_REVIEW (Flow E). Review should check: (1) whether SUB-023 and SUB-024 (non-standard ref format from session 512) should be renumbered into the SUB-REQ-* sequence for consistency; (2) whether ARC requirements have adequate rationale depth for the ONR safety case; (3) overall requirement coherence across the 9-subsystem decomposition.