
Fusion Reactor Control System

System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org

System Decomposition

flowchart TB
  n0["system<br>Fusion Reactor Control System"]
  n1["subsystem<br>Plasma Control System"]
  n2["subsystem<br>Disruption Prediction and Mitigation System"]
  n3["subsystem<br>Heating and Current Drive Control"]
  n4["subsystem<br>Magnet Safety and Protection System"]
  n5["subsystem<br>Fuel Injection and Burn Control"]
  n6["subsystem<br>Plasma Diagnostics Integration System"]
  n7["subsystem<br>Plant Control and I&C System"]
  n8["subsystem<br>Interlock and Emergency Shutdown System"]
  n0 -->|contains| n1
  n0 -->|contains| n2
  n0 -->|contains| n3
  n0 -->|contains| n4
  n0 -->|contains| n5
  n0 -->|contains| n6
  n0 -->|contains| n7
  n0 -->|contains| n8

Fusion Reactor Control System — Decomposition


Subsystem Requirements (SUB)

Ref | Requirement (text, then Rationale) | V&V method | Tags
SUB-REQ-001 The Interlock and Emergency Shutdown System SHALL execute all trip functions within 10 ms of any Trip Parameter Monitor asserting a valid trip signal, using 2-out-of-3 (2oo3) voted logic to prevent spurious trips from single-channel failures.
Rationale: 10 ms trip response derives from plasma disruption dynamics: a major disruption evolving from precursor to full runaway takes 20-50 ms in a large tokamak. The 10 ms budget allows 2x margin before irreversible first-wall damage. 2oo3 voting tolerates one failed channel (hardware fault tolerance HFT=1) while rejecting a spurious trip from any single channel; together with the ≥90% diagnostic coverage required by SUB-REQ-003, this HFT=1 architecture is the basis of the SIL-3 claim under IEC 61508 Part 2.
Test subsystem, iess, session-387, idempotency:sub-iess-trip-response-387
SUB-REQ-002 While energised, the Safety Logic Processor SHALL maintain the plasma run-permit output; when supply voltage falls below 18 VDC the Safety Logic Processor SHALL de-energise the run-permit within 5 ms, causing the Emergency Shutdown Sequencer to initiate plasma termination.
Rationale: Power-fail-safe (de-energise-to-trip) is the fundamental safety design principle for interlock logic. A power failure that leaves the run-permit energised would prevent shutdown; this is a Single Point of Failure for the safety system. The 18 VDC threshold sits below the minimum guaranteed battery voltage (20 VDC) during a site blackout, so that operating on battery does not itself de-energise the run-permit while a genuine supply collapse still does. The 5 ms response is achievable with relay logic and prevents a race between power loss and thermal runaway.
Test subsystem, iess, safety-critical, session-387, idempotency:sub-iess-failsafe-387
SUB-REQ-003 The Trip Parameter Monitor SHALL achieve a diagnostic coverage of at least 90% of detectable hardware faults across all three redundant channels, with detected faults annunciated to the Plant Control and I&C System within 10 seconds.
Rationale: 90% diagnostic coverage (the "medium" DC band of IEC 61508-2 Annex C, Table C.1) is required to support the SIL-3 claim with a hardware fault tolerance of HFT=1. DC < 90% would drop the achievable SIL to SIL-2, requiring a hardware architecture change (additional redundancy). 10 s annunciation aligns with the STK-REQ-006 system-level maintenance requirement.
Test subsystem, iess, session-387, idempotency:sub-iess-diagnostic-coverage-387
SUB-REQ-004 When a trip is asserted, the Emergency Shutdown Sequencer SHALL initiate Massive Gas Injection within 20 ms, command all heating systems to zero power within 50 ms, and open divertor strike-point gas valves within 30 ms, executing all actions from battery-backed power independent of site AC supply.
Rationale: Massive Gas Injection must begin before the thermal quench phase of a disruption (typically 10-50 ms) so that the injected gas radiates the plasma thermal energy, limits the heat deposited on the divertor and suppresses runaway-electron generation. The 20 ms MGI window is set by JET/ITER experimental data. Heating power must be removed before the injected gas reaches the plasma, to prevent re-heating. Battery independence is required because site power faults are a plausible initiating event for plasma disruption.
Test subsystem, iess, session-387, idempotency:sub-iess-ess-timing-387
SUB-REQ-005 The Safety Parameter Display System SHALL display qualified safety parameters with a refresh latency of no more than 200 ms and SHALL annunciate any data staleness or channel failure through a distinct visual alarm, remaining operational for a minimum of 4 hours on battery backup following loss of site power.
Rationale: Qualified safety displays are required by IEEE 1023 for nuclear I&C systems where operator response to safety parameters is required. 200 ms refresh matches the human perception threshold for parameter trend changes defined in NUREG-0700 (HFE guidance). 4-hour battery backup covers the duration of post-blackout safe-state monitoring before mobile generator support arrives per emergency operating procedures.
Test subsystem, iess, session-387, idempotency:sub-iess-spds-387
SUB-REQ-006 The Interlock and Emergency Shutdown System SHALL be physically segregated from the Plant Control and I&C System, with no bi-directional data pathway between safety and non-safety networks, receiving sensor data only via qualified opto-isolated unidirectional interfaces.
Rationale: Physical segregation between safety and non-safety I&C is a mandatory defence-in-depth requirement per IEC 62645 (nuclear cybersecurity) and IEC 61513 (nuclear I&C systems). A software-exploitable path from the operational network to the safety interlock would allow a cyberattack to defeat the safety function, which is classified as a Category A threat in the facility's design basis threat document. Opto-isolation eliminates both conducted EMI coupling and electronic intrusion pathways.
Inspection subsystem, iess, safety-critical, session-387, idempotency:sub-iess-segregation-387
SUB-REQ-007 The Interlock and Emergency Shutdown System SHALL operate from a dedicated uninterruptible DC power supply rated at 24 VDC ±10%, sustaining full interlock function for a minimum of 8 hours following loss of site AC power, with automatic switchover to battery within 20 ms of AC loss detection.
Rationale: Lint identified absence of power specification for a Powered subsystem (IEC 61508 omission). 8-hour autonomy covers emergency response duration per site emergency plan. 20 ms switchover is required to prevent a power transition from creating a spurious trip or, worse, a momentary loss of trip function. 24 VDC is the standard for industrial safety relay systems and matches the discrete signal levels used throughout the IESS.
Test subsystem, iess, session-387, idempotency:sub-iess-power-387
SUB-REQ-009 The Disruption Prediction Engine SHALL output a disruption risk probability update within 3 ms of receiving each 128-element feature vector from the Disruption Precursor Monitor, at a sustained evaluation rate of 10 kHz.
Rationale: A disruption of a reactor-scale tokamak plasma (hundreds of MW of fusion power, 8-15 MA plasma current) can deposit more than 100 MJ on plasma-facing components within 10-50 ms; the 3 ms inference budget leaves 7 ms of the 10 ms trigger-to-command budget (SUB-REQ-011) for MGI valve actuation before thermal energy deposition begins. The 10 kHz evaluation rate resolves the fastest disruption precursor evolution timescales of 0.5-2 ms identified from the JET and ASDEX-U disruption databases.
Test subsystem, dpms, safety-critical, session-388, idempotency:sub-dpms-prediction-latency-388
SUB-REQ-010 The Disruption Prediction Engine SHALL achieve a true positive rate of at least 95% (95% confidence interval lower bound, n≥500 disruption events) for disruptions with a warning time of at least 30 ms, and a false positive rate of no more than 2 events per 24-hour operating period at 10 kHz evaluation rate. Performance SHALL be measured over test sequences spanning plasma current 8–15 MA, q95 = 2.5–5.0, and at least 3 distinct MHD stability regimes.
Rationale: 95% TPR is derived from disruption risk: at 100 disruptions per year, a 5% miss rate yields 5 unmitigated events depositing more than 100 MJ each on the divertor. The test dataset minimum of 500 confirmed disruption sequences (specified in VER-REQ-075) gives a Wilson interval half-width of about 2% at N=500, so the 95% lower confidence bound can be demonstrated with an observed TPR of roughly 97%. The false positive budget of 2 events per 24-hour period is set by availability impact: each false positive costs a 30-minute MGI recovery, so 2 per day caps the dead time at 1 hour in 24 (about 4%).
Analysis subsystem, dpms, session-388, idempotency:sub-dpms-prediction-accuracy-388
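A worked check of the acceptance statistics in SUB-REQ-010, added here as an example and not part of the original report or its toolchain: the Wilson score interval for the true-positive rate on n disruption events, the smallest detection count that puts the 95% lower bound at or above the 95% floor, and the availability cost of the false-positive budget. The function names, the z-value, and the 30-minute recovery time (taken from the rationale) are the example's own assumptions.

```python
import math
from typing import Tuple

Z_95 = 1.959963984540054   # two-sided 95% normal quantile


def wilson_interval(successes: int, n: int, z: float = Z_95) -> Tuple[float, float]:
    """Wilson score interval (lower, upper) for a binomial proportion."""
    if n <= 0 or not 0 <= successes <= n:
        raise ValueError("need n > 0 and 0 <= successes <= n")
    p = successes / n
    denom = 1.0 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def tpr_requirement_met(detected: int, disruptions: int,
                        floor: float = 0.95, min_events: int = 500) -> bool:
    """SUB-REQ-010 acceptance: enough events, and the CI lower bound clears the floor."""
    if disruptions < min_events:
        return False                # under-sized dataset: the claim cannot be made
    lower, _ = wilson_interval(detected, disruptions)
    return lower >= floor


def detections_needed(disruptions: int, floor: float = 0.95) -> int:
    """Smallest detection count whose Wilson lower bound reaches the floor."""
    for k in range(disruptions + 1):
        if wilson_interval(k, disruptions)[0] >= floor:
            return k
    return disruptions + 1          # unattainable at this sample size


def false_positive_dead_time(fp_per_day: float, recovery_min: float = 30.0) -> float:
    """Fraction of a 24 h operating period lost to false-positive MGI recovery."""
    return fp_per_day * recovery_min / (24 * 60)


if __name__ == "__main__":
    need = detections_needed(500)
    print(f"n=500: {need} detections (observed TPR {need / 500:.1%}) "
          f"needed for a 95% lower bound")
    print(f"2 FP/day at 30 min recovery -> dead time {false_positive_dead_time(2):.1%}")
```

The point a verifier should take from this: a point estimate of exactly 95% on 500 events does not pass, because its lower bound is about 93%; the test campaign has to observe roughly 97% to make the claim in the requirement.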
SUB-REQ-011 When disruption risk probability exceeds 0.85 or an IESS trip demand is received, the Mitigation Actuator Controller SHALL issue the MGI valve open command within 10 ms of the trigger event, independent of plasma scenario state or operator action.
Rationale: 10 ms trigger-to-command latency is the critical timing budget: disruption thermal quench begins 15-30 ms after precursor detection; MGI gas front travel time is 5-15 ms depending on injection geometry; 10 ms actuation budget ensures gas arrives before runaway electron generation onset at 20 ms post-thermal-quench at ITER parameters. Independence from operator action prevents the 200-1000 ms human response time from becoming the bottleneck in a safety-critical sequence.
Test subsystem, dpms, safety-critical, session-388, idempotency:sub-dpms-mgi-trigger-388
SUB-REQ-012 When the Disruption Prediction Engine model confidence falls below 0.70 or any Disruption Precursor Monitor channel fails self-test, the DPMS SHALL switch to conservative threshold-only detection mode within 500 ms, maintaining a true positive rate of at least 80% using fixed MHD stability thresholds without ML inference.
Rationale: Conservative fallback ensures the disruption safety function is maintained when the ML model is unavailable, consistent with IEC 61508 requirements for defined safe states in safety-related systems. 80% TPR in threshold-only mode reflects documented performance of threshold-based detection on JET and ASDEX-U before ML adoption; the remaining 20% are slow low-beta disruptions where MGI would be ineffective regardless. 500 ms switchover must complete before a potential disruption event can develop.
Test subsystem, dpms, safety-critical, degraded-mode, session-388, idempotency:sub-dpms-fallback-388
SUB-REQ-013 The Disruption Precursor Monitor SHALL process all active diagnostic channel signals, extract the 128-element MHD stability feature vector, and deliver it to the Disruption Prediction Engine within 100 μs of each sample epoch, with a maximum missing-sample rate of 0.01% at 10 kHz channel update rate.
Rationale: 100 μs feature extraction latency is derived from the 10 kHz evaluation epoch (100 μs per cycle); the monitor must complete extraction within one epoch to prevent pipeline latency accumulation. 0.01% missing-sample rate ensures contiguous feature streams; sparse data has been shown to increase false positive rate by 15-40% in LSTM disruption predictors (KSTAR studies, 2023) by creating artificial discontinuities that the model interprets as precursor signatures.
Test subsystem, dpms, session-388, idempotency:sub-dpms-dpm-latency-388
SUB-REQ-014 The DPMS Supervisory and Archive SHALL record the complete 5-second pre-disruption state vector window at 1 ms sample intervals for every disruption event, and SHALL generate a model retraining package within 10 minutes of event completion when the rolling 24-hour false positive rate exceeds 3 events or true positive rate falls below 93%.
Rationale: 5-second pre-event capture at 1 ms resolution preserves the full MHD precursor dynamics required to identify prediction failure modes and retrain the LSTM model; shorter windows miss slow-evolving neoclassical tearing mode precursors. 10-minute retraining package generation aligns with inter-pulse intervals in a high-repetition programme. Thresholds of 3 FP/day and 93% TPR represent one standard deviation of degradation from design targets and trigger model update before operational impact is significant.
Test subsystem, dpms, session-388, idempotency:sub-dpms-archive-388
SUB-REQ-018 The Equilibrium Reconstruction Processor SHALL deliver an updated equilibrium state vector, including plasma boundary, current density profile, and q-profile, within 100 μs of each magnetic measurement sample at a sustained rate of 10 kHz.
Rationale: The 100 μs latency budget derives from the 10 kHz Shape and Position Controller cycle: ERP output must be available before the SPC computations for that cycle begin. Within the 100 μs cycle the PCS timing budget allocates 40 μs to ERP and 60 μs to SPC computation and coil command output; 100 μs is the hard ceiling beyond which the SPC necessarily uses stale equilibrium data, degrading position control accuracy below the ±2 cm limit of SUB-REQ-020.
Test subsystem, plasma-control-system, session-390, idempotency:sub-pcs-erp-update-rate-390
SUB-REQ-019 The Equilibrium Reconstruction Processor SHALL continue to provide a valid equilibrium state vector meeting all accuracy specifications when up to 20% of the 160 magnetic measurement channels are unavailable, by switching to a reduced-channel EFIT variant within 2 control cycles.
Rationale: Magnetic sensor dropout is a routine operational event: coil breakage, digitiser faults, and cabling damage all occur in long-pulse operation. JET data shows a 2-4% per-discharge channel failure rate; 20% tolerance provides margin against concurrent failures. Degraded equilibrium reconstruction that stops rather than adapts would trigger a disruptive plasma termination for a recoverable sensor fault.
Test subsystem, plasma-control-system, session-390, idempotency:sub-pcs-erp-dropout-390
SUB-REQ-020 The Shape and Position Controller SHALL maintain the plasma geometric centre within 2 cm of the reference trajectory in both radial and vertical directions under steady-state flat-top conditions.
Rationale: 2 cm positional accuracy is derived from the minimum gap constraint to the first wall: a 5 cm gap is required at all points, and a 2 cm control error budget leaves 1 cm for thermal expansion and position measurement uncertainty. Exceeding 2 cm risks first-wall contact events.
Test rt-missing-failure-mode, red-team-session-459
SUB-REQ-021 The Vertical Stability Controller SHALL issue a VDE trip demand to the Interlock and Emergency Shutdown System when the vertical displacement exceeds 10 cm from the reference position and the estimated vertical growth rate exceeds 50 m/s, within 200 μs of detecting both conditions simultaneously.
Rationale: 10 cm displacement and 50 m/s growth rate together indicate a locked VDE that cannot be arrested by the VSC active control. The 200 μs response time derives from: 50 μs VSC cycle, plus 100 μs for the IESS to begin the shutdown sequence, leaving 50 μs margin before the MGI valve open command must arrive. Delayed trip demands result in halo current damage to the vessel.
Test subsystem, plasma-control-system, session-390, idempotency:sub-pcs-vsc-trip-390
SUB-REQ-022 The MHD Mode Stabiliser SHALL detect a growing neoclassical tearing mode with toroidal mode number n=1 or n=2 at an island width greater than 3 cm within 50 ms of mode onset, using Mirnov coil spectral analysis at 1 kHz.
Rationale: 3 cm island width is the threshold above which beta degradation becomes significant (>5% reduction in fusion performance). 50 ms detection window allows the ECCD power to be steered to the rational surface before the island grows to 6 cm, where it becomes self-sustaining and requires full disruption mitigation. Derived from ITER NTM control specification.
Test rt-missing-failure-mode, red-team-session-459
SUB-REQ-023 The Vertical Stability Controller SHALL operate on FPGA hardware that is physically and electrically independent of the main Plasma Control System FPGA nodes, such that a single hardware failure affecting the main PCS nodes does not impair VSC availability or response latency.
Rationale: VSC must remain operational during main PCS safe-state transitions. If VSC shared hardware with ERP or SPC, a main PCS FPGA fault that triggers safe-state would simultaneously disable the VSC during the period of highest VDE risk. Hardware separation was also the mitigation recommended following the 2019 JET VDE incident post-mortem.
Inspection subsystem, plasma-control-system, session-390, idempotency:sub-pcs-vsc-hardware-independence-390
SUB-REQ-024 The PCS Real-Time Data Bus SHALL synchronise all connected PCS nodes to a common 10 kHz cycle with inter-node jitter not exceeding 1 us, and SHALL re-establish synchronisation within 5 cycles following any single bus fault without losing data from functioning nodes.
Rationale: The 1 μs jitter budget is derived from the ERP-to-SPC data handoff: ERP has a 40 μs computation window within the 100 μs cycle and the SPC reads the equilibrium state at cycle start. With inter-node jitter bounded at 1 μs, an SPC read can lead the ERP cycle boundary by at most 1 μs, which the 60 μs slack between ERP completion and the next cycle absorbs. Larger jitter allows the SPC to occasionally read a partially-updated state vector, producing a corrupted equilibrium.
Test subsystem, plasma-control-system, session-390, idempotency:sub-pcs-rtdb-sync-390
SUB-REQ-025 When the PCS Real-Time Data Bus fails to deliver a synchronised cycle for more than 5 consecutive cycles, or when any PCS component fails its internal self-test, the Plasma Control System SHALL freeze all coil current setpoints at their last valid values and assert a safe-state signal to the Interlock and Emergency Shutdown System within 10 ms.
Rationale: Autonomous PCS components must have a defined fail-safe state to address the Functionally Autonomous ontological risk. Freezing coil setpoints rather than zeroing them prevents a large dI/dt in the PF coils that would itself cause a disruption. The 10 ms handoff to IESS allows the IESS to apply the full disruption mitigation sequence.
Test subsystem, plasma-control-system, safety, session-390, idempotency:sub-pcs-watchdog-failsafe-390
SUB-REQ-026 The HCDC Supervisory and Safety Arbiter SHALL enforce a total injected heating power ceiling of 50 MW by limiting the sum of NBI, ECRH, and ICRH power setpoints, with priority given to ECRH during active NTM stabilisation events.
Rationale: 50 MW is the plant electrical supply allocation for auxiliary heating. Exceeding this trips the main bus protection. Priority to ECRH during NTM events ensures the MHD stabilisation function is not starved by competing NBI demand, consistent with the ECRH primary-actuator architecture decision.
Test subsystem, hcdc, session-391, idempotency:sub-hcdc-power-budget-391
SUB-REQ-027 When a beam-off command is received from the HCDC Supervisory and Safety Arbiter or from the Interlock and Emergency Shutdown System, the NBI Controller SHALL terminate all beam injection within 5 ms by deflecting the ion source beam onto the calorimeter.
Rationale: 5 ms shutdown derives from the requirement to halt NBI power deposition within the same timescale as plasma disruption evolution. Beam continuation into a disrupting plasma risks first-wall damage from unthermalized fast ions and energetic neutral strike. Deflection onto calorimeter provides known-safe beam dump without beam extinction latency.
Test rt-under-specified, red-team-session-433
SUB-REQ-028 When the DPMS Disruption Prediction Engine issues an NTM stabilisation command, the ECRH Controller SHALL steer the injection mirror to the designated q=3/2 or q=2/1 rational surface and achieve co-deposition lock-on within 100 ms of command receipt.
Rationale: 100 ms lock-on budget: DPMS detects early NTM growth 300-500 ms before predicted disruption. ECRH must achieve stabilisation co-deposition early enough to allow 2 seconds of stabilisation current injection, requiring steering completion well before the 300 ms pre-disruption window. The 100 ms allows 200 ms margin for NTM current stabilisation before forced disruption mitigation must be triggered.
Test rt-missing-failure-mode, red-team-session-433
SUB-REQ-029 When the ICRH Controller detects a VSWR exceeding 3.5:1 on any antenna feed, it SHALL reduce the RF power to that antenna to zero within 2 ms to prevent antenna arc formation and subsequent port limiter erosion.
Rationale: VSWR of 3.5:1 is the antenna arc formation threshold at full power based on RF engineering models of port antenna geometry. Arc formation within a vacuum vessel antenna causes immediate limiter erosion and potentially unrecoverable plasma contamination from metallic impurities. 2 ms shutdown is achievable with solid-state RF switches and prevents arc formation before the thermal damage threshold.
Test rt-missing-failure-mode, red-team-session-433
SUB-REQ-030 When any single heating actuator (NBI, ECRH, or ICRH) becomes unavailable, the HCDC Supervisory and Safety Arbiter SHALL redistribute the power deficit across the remaining two actuators up to each actuator's rated maximum, maintaining a minimum total injected heating power of 30 MW to sustain ignition-margin plasma parameters.
Rationale: 30 MW minimum was derived from plasma physics simulations showing Q>1 operation requires a minimum of 30 MW auxiliary heating at nominal density. Below this threshold the plasma falls below ignition margin and the session must be terminated under controlled shutdown. The redistribution target avoids unnecessary session loss when a single actuator fails.
Test subsystem, hcdc, degraded-mode, session-391, idempotency:sub-hcdc-degraded-mode-391
SUB-REQ-031 The HCDC Supervisory and Safety Arbiter SHALL monitor a 100 ms heartbeat from each actuator controller and, upon detecting two consecutive missed heartbeats from any controller, SHALL command that controller to safe state and notify the Interlock and Emergency Shutdown System.
Rationale: 200 ms detection window (2 x 100 ms heartbeat) is a balance between detection speed and false-positive rate. A single missed heartbeat can result from processing jitter; two consecutive misses indicate a genuine failure. Safe-state command ensures the affected actuator does not drift to an unsafe operating condition in the absence of supervisory oversight.
Test subsystem, hcdc, session-391, idempotency:sub-hcdc-watchdog-391
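The heartbeat supervision in SUB-REQ-031 replayed over constructed arrival times, added here as an example and not code from the original report or its toolchain. The arbiter checks once per 100 ms window whether a heartbeat arrived in that window; a single miss is forgiven as jitter, two consecutive misses command safe state. The controller names, arrival times and function names are constructed for the example.

```python
from typing import Dict, List, Optional

HEARTBEAT_PERIOD_MS = 100      # SUB-REQ-031 heartbeat period
MISSES_TO_TRIP = 2             # two consecutive missed heartbeats


def supervise(arrivals_ms: List[float], horizon_ms: float,
              period: float = HEARTBEAT_PERIOD_MS,
              misses_to_trip: int = MISSES_TO_TRIP) -> Optional[float]:
    """Replay one controller's heartbeat arrivals against the arbiter's check ticks.

    The arbiter checks at t = period, 2*period, ... whether at least one heartbeat
    arrived in the window (t - period, t]. Returns the tick at which the safe-state
    command is issued, or None if `misses_to_trip` consecutive misses never occur.
    """
    arrivals = sorted(arrivals_ms)
    idx, misses = 0, 0
    tick = period
    while tick <= horizon_ms:
        seen = False
        while idx < len(arrivals) and arrivals[idx] <= tick:
            if arrivals[idx] > tick - period:     # duplicates within a window count once
                seen = True
            idx += 1
        misses = 0 if seen else misses + 1        # one miss is forgiven as processing jitter
        if misses >= misses_to_trip:
            return tick
        tick += period
    return None


def arbiter_actions(controllers: Dict[str, List[float]], horizon_ms: float) -> Dict[str, float]:
    """Safe-state commands the arbiter would issue, keyed by controller name with the
    tick time; each entry also implies a notification to the IESS (SUB-REQ-031)."""
    actions = {}
    for name, beats in controllers.items():
        trip_at = supervise(beats, horizon_ms)
        if trip_at is not None:
            actions[name] = trip_at
    return actions


# Constructed sample heartbeat log (ms since shot start), not measured data.
SAMPLE_BEATS = {
    "nbi":  [40, 140, 240, 340, 440, 540],   # nominal
    "ecrh": [40, 140, 360, 440, 540],        # misses window (200,300], recovers in (300,400]
    "icrh": [40, 140],                       # goes silent after 140 ms
}

if __name__ == "__main__":
    print(arbiter_actions(SAMPLE_BEATS, horizon_ms=600))   # expected: {'icrh': 400}
```

The ECRH case is the one worth checking in a test: a single missed window must not trip the controller, and a late-but-present heartbeat in the next window resets the miss counter, so only a genuinely silent controller (ICRH here) is commanded to safe state, at the end of the second missed window.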
SUB-REQ-032 The Quench Detection System SHALL detect a resistive voltage ≥50 mV sustained for ≥5 ms across any monitored coil pancake segment and assert a quench alarm within 20 ms of onset, across all operating coil currents from 10% to 100% of nominal.
Rationale: Tokamak TF coil normal-zone propagation velocity is ~5–20 m/s; an undetected quench grows to encompass a full pancake (~50 m) within 2–10 s, at which point irreversible coil damage occurs. A 20 ms detection window allows the Energy Extraction and Dump System sufficient time to initiate energy transfer before the normal zone exceeds the damage threshold. The 50 mV / 5 ms threshold is derived from ITER coil characterisation data balancing false-trip suppression against sensitivity.
Test subsystem, msps, magnet-safety, safety-critical, session-392, idempotency:sub-msps-qds-latency-392
SUB-REQ-033 The Quench Detection System SHALL implement 2-out-of-3 independent detection channels per coil group, with each channel using inductive voltage compensation to suppress false alarms from dI/dt transients above 100 A/s.
Rationale: Single-channel quench detection creates a common-cause failure path where one faulty sensor either fails to detect a real quench or triggers unnecessary plasma disruptions. 2oo3 voting balances false-negative risk (safety) against false-positive risk (availability). Inductive compensation is essential because tokamak coils experience rapid current ramps during plasma initiation (up to 5 kA/s) that would otherwise saturate resistive detection thresholds.
Test subsystem, msps, magnet-safety, safety-critical, session-392, idempotency:sub-msps-qds-voting-392
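The per-channel detection logic of SUB-REQ-032 and the inductive compensation of SUB-REQ-033, run over a constructed sample stream, added here as an example and not code from the original report or its toolchain. Each channel subtracts L·dI/dt from the measured coil voltage and only counts the resistive remainder against the 50 mV / 5 ms threshold. The stream, the 1 kHz sample rate, the assumed segment inductance and the function names are the example's own; the stream contains a 5 kA/s current ramp, a one-sample noise spike and an optional 60 mV resistive quench.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_MS = 1                      # assumed: 1 kHz per-channel sampling


@dataclass
class QuenchChannel:
    """One QDS channel: inductive compensation, then a threshold with persistence."""
    inductance_h: float            # effective L of the monitored segment (assumed value)
    threshold_v: float = 0.050     # SUB-REQ-032: resistive voltage >= 50 mV
    persist_ms: int = 5            # SUB-REQ-032: sustained for >= 5 ms
    _prev_i: Optional[float] = field(default=None, init=False, repr=False)
    _run: int = field(default=0, init=False, repr=False)

    def update(self, v_meas: float, i_a: float) -> bool:
        """Feed one sample; return True once the quench alarm condition is met."""
        di_dt = 0.0 if self._prev_i is None else (i_a - self._prev_i) / (SAMPLE_MS / 1000.0)
        self._prev_i = i_a
        v_res = v_meas - self.inductance_h * di_dt    # strip L*dI/dt, keep the resistive part
        self._run = self._run + 1 if v_res >= self.threshold_v else 0
        return self._run * SAMPLE_MS >= self.persist_ms


def build_stream(quench_onset_ms: Optional[int], n_ms: int = 40) -> List[Tuple[int, float, float]]:
    """Constructed (t_ms, v_meas, i_a) samples: a 5 kA/s ramp for the first 20 ms, a single
    80 mV noise spike at t=3 ms, and an optional 60 mV resistive quench from the onset time."""
    inductance_h = 1e-4                        # assumed segment inductance, H
    out, prev_i = [], None
    for t in range(n_ms):
        i = 10_000.0 + 5.0 * min(t, 20)        # 5 A per ms = 5 kA/s, then flat
        v_ind = 0.0 if prev_i is None else inductance_h * ((i - prev_i) / (SAMPLE_MS / 1000.0))
        prev_i = i
        v = v_ind
        if t == 3:
            v += 0.080                         # one-sample electrical noise event
        if quench_onset_ms is not None and t >= quench_onset_ms:
            v += 0.060                         # genuine resistive (normal-zone) voltage
        out.append((t, v, i))
    return out


def first_alarm_ms(stream: List[Tuple[int, float, float]], channel: QuenchChannel) -> Optional[int]:
    """Time of the first alarm assertion for this channel, or None."""
    for t, v, i in stream:
        if channel.update(v, i):
            return t
    return None


if __name__ == "__main__":
    print("compensated, quench at 10 ms:", first_alarm_ms(build_stream(10), QuenchChannel(1e-4)))
    print("compensated, no quench:      ", first_alarm_ms(build_stream(None), QuenchChannel(1e-4)))
    print("uncompensated, no quench:    ", first_alarm_ms(build_stream(None), QuenchChannel(0.0)))
```

With compensation the quench starting at 10 ms is alarmed at 14 ms (the fifth consecutive over-threshold sample), well inside the 20 ms budget, and neither the ramp nor the noise spike produces an alarm. The same stream through a channel with no compensation alarms at 5 ms on the ramp alone, which is the false-trip mechanism SUB-REQ-033 exists to prevent.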
SUB-REQ-034 When a quench alarm or IESS trip demand is received, the Energy Extraction and Dump System SHALL complete energy transfer from all TF coils into the dump resistors within 30 s, maintaining peak dump resistor voltage below 20 kV at all times.
Rationale: TF coil stored energy (~50 GJ across 18 coils) must be extracted before normal-zone propagation causes arc damage. The 30 s window is derived from worst-case normal-zone propagation analysis assuming initial detection at the 20 ms threshold. The 20 kV ceiling is set by the coil insulation design margin (rated at 40 kV) with a factor-of-2 margin against insulation breakdown during emergency dump.
Test subsystem, msps, magnet-safety, safety-critical, session-392, idempotency:sub-msps-fedu-tf-timing-392
SUB-REQ-035 When a quench alarm or IESS trip demand is received, the Energy Extraction and Dump System SHALL complete energy transfer from all PF and CS coils within 10 s, with each coil circuit extracting independently to prevent voltage coupling between coil groups.
Rationale: PF and CS coils carry time-varying currents during the plasma burn and must be discharged faster than TF coils due to the higher stored energy density per unit inductance and smaller normal-zone thermal margins in the thinner winding cross-sections. Independent extraction per circuit prevents mutual inductance coupling from creating overvoltage on adjacent circuits during asymmetric quench events.
Test subsystem, msps, magnet-safety, session-392, idempotency:sub-msps-fedu-pf-timing-392
SUB-REQ-036 The Magnet Power Supply Controller SHALL maintain coil current within ±1 A of the reference waveform uploaded by the Plasma Control System, with an inner control loop executing at ≥1 kHz and hard trip limits enforced at ±10% of nominal coil current.
Rationale: Plasma equilibrium depends on precise coil current profiles; ±1 A accuracy (typically <0.01% of 65 kA nominal TF current) is required to maintain the target field geometry within the PCS position control error budget. The 1 kHz inner loop provides sufficient bandwidth to suppress converter ripple and transient disturbances from adjacent coil switching. The ±10% hard trip prevents converter faults from imposing destructive over-currents on the coil insulation.
Test subsystem, msps, magnet-safety, session-392, idempotency:sub-msps-mpsc-accuracy-392
SUB-REQ-037 The Coil Thermal and Cryogenic Monitor SHALL acquire temperatures from all embedded Cernox sensors at a sample rate of ≥10 Hz per channel, detect a coil cold-mass temperature rise of >0.5 K above pre-shot baseline within 100 ms, and transmit a secondary quench indication to the Quench Detection System for use in 2oo3 arbitration.
Rationale: Temperature-based quench confirmation provides a physically independent secondary channel from voltage-bridge detection, enabling the QDS to distinguish between genuine quench (both voltage and temperature signatures) and electrical noise events (voltage spike without temperature rise). The 0.5 K threshold at 10 Hz sampling is derived from cryogenic coil thermal models showing that a genuine quench zone elevates local temperature at >1 K/s even before propagation to adjacent pancakes.
Test subsystem, msps, magnet-safety, session-392, idempotency:sub-msps-ctcm-sensitivity-392
SUB-REQ-038 When any single Quench Detection System channel fails self-test, the Magnet Safety and Protection System SHALL revert to 1-out-of-2 voting on the remaining channels, annunciate a degraded-mode alarm to the Plant Control and I&C System, and continue to provide quench protection for all coil groups at the degraded threshold of ≥30 mV for ≥5 ms.
Rationale: Loss of one QDS channel in 2oo3 voting leaves 1oo2 residual logic, which is fail-safe (any single detection triggers the alarm) but raises the spurious-trip rate because a single noisy channel can no longer be outvoted. Lowering the threshold from 50 mV to 30 mV biases the degraded mode further toward detection; the availability cost is accepted for the duration of the degraded state. The plant must be informed of degraded mode so operators can decide whether to continue the plasma shot or perform a controlled shutdown for maintenance. Continued protection is required because an unplanned shutdown with no quench detection would leave the coils unprotected.
Test subsystem, msps, magnet-safety, degraded-mode, session-392, idempotency:sub-msps-degraded-mode-392
SUB-REQ-039 The Safety Logic Processor SHALL be implemented as two physically independent processor cards operating in 1oo2 de-energise-to-trip configuration, where either card independently drives the trip relay output to the Emergency Shutdown Sequencer, such that single card failure does not prevent SCRAM actuation.
Rationale: The SIL-3 classification requires a minimum hardware fault tolerance for every element of the safety chain under IEC 61508-2; two independent cards in 1oo2 give HFT=1, matching the HFT=1 / DC≥90% basis of SUB-REQ-003. De-energise-to-trip ensures power loss is fail-safe. A single-card SLP would be a single point of failure in the safety chain, violating the SIL-3 architecture assumed in ARC-REQ-001. This requirement directly addresses the lint finding that the SLP (D1B77858) has the System-Essential trait but no redundancy requirement.
Test subsystem, iess, safety-critical, redundancy, session-393
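The voting and de-energise-to-trip logic that SUB-REQ-001, SUB-REQ-033, SUB-REQ-038 and SUB-REQ-039 describe, added here as an example and not code from the original report or its toolchain. Two formulations are written side by side: an explicit voter that drops channels failing self-test and switches from 2oo3 to 1oo2 (the SUB-REQ-038 behaviour), and a fixed 2oo3 voter over channel outputs that are themselves de-energise-to-trip, so a failed channel reads as a trip. An exhaustive check shows the two agree on every combination of trip and health states. The 1oo2 SLP relay and the SUB-REQ-002 undervoltage rule are modelled at the end. All function names are the example's own.

```python
from itertools import product
from typing import Optional, Sequence

UNDERVOLTAGE_TRIP_V = 18.0     # SUB-REQ-002 threshold on the SLP supply


def votes_to_trip(n_healthy: int) -> Optional[int]:
    """M in the MooN voter for the channels still passing self-test: 2oo3 with all three,
    1oo2 after one failure (SUB-REQ-038), and no valid voter with fewer than two."""
    return {3: 2, 2: 1}.get(n_healthy)


def permit_explicit(tripped: Sequence[bool], healthy: Sequence[bool]) -> bool:
    """Mode-switching voter: ignore failed channels, apply MooN to the survivors.
    Returns True only while the run-permit may stay energised."""
    live = [t for t, h in zip(tripped, healthy) if h]
    m = votes_to_trip(len(live))
    if m is None:
        return False                # fewer than two healthy channels: no trustworthy vote, fail safe
    return sum(live) < m


def permit_deenergise(tripped: Sequence[bool], healthy: Sequence[bool]) -> bool:
    """Fixed 2oo3 voter over de-energise-to-trip channel outputs: a channel that fails
    self-test drops its output and is therefore counted as asserting a trip."""
    effective = [t or not h for t, h in zip(tripped, healthy)]
    return sum(effective) < 2


def slp_relay_energised(card_permits: Sequence[bool], supply_v: float) -> bool:
    """1oo2 de-energise-to-trip SLP (SUB-REQ-039): the trip relay stays energised only while
    both cards hold their permit and the supply is above the undervoltage threshold."""
    return supply_v >= UNDERVOLTAGE_TRIP_V and all(card_permits)


def run_permit(tripped: Sequence[bool], healthy: Sequence[bool],
               card_permits: Sequence[bool], supply_v: float) -> bool:
    """End to end: the voted trip demand is applied to both SLP cards, and the relay
    output is the de-energise-to-trip run-permit seen by the Emergency Shutdown Sequencer."""
    demand = not permit_deenergise(tripped, healthy)
    return slp_relay_energised([p and not demand for p in card_permits], supply_v)


def voters_equivalent() -> bool:
    """Exhaustive check that both voter formulations agree on all 64 input combinations."""
    return all(permit_explicit(t, h) == permit_deenergise(t, h)
               for t in product((False, True), repeat=3)
               for h in product((False, True), repeat=3))


if __name__ == "__main__":
    print("voters equivalent:", voters_equivalent())
    print("one spurious channel, all healthy ->", permit_explicit((True, False, False), (True, True, True)))
    print("one trip, one channel failed      ->", permit_explicit((True, False, False), (True, True, False)))
```

The equivalence is the design point worth carrying into the verification plan: if every channel output is wired de-energise-to-trip, the degraded 1oo2 mode of SUB-REQ-038 needs no mode-switching logic at all, because a dead channel already votes for a trip; the explicit form is still useful as the reference model the hardware is tested against.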
SUB-REQ-040 The Emergency Shutdown Sequencer SHALL be implemented on dedicated single-board computer hardware with watchdog timer, where loss of watchdog refresh within 100 ms triggers immediate hardware reset and return to safe state, and no single hardware fault in the sequencer prevents MGI actuation.
Rationale: IEC 61508-2 SIL-3 HFT requirement and ARC-REQ-001 2oo3 architecture require every element in the safety chain to have defined fault-tolerance behaviour. The ESS is the final actuation element; if it fails open (no MGI), a disruption causes first-wall damage and potential tritium release. 100 ms watchdog ensures prompt recovery from processor lockup without human intervention.
Test subsystem, iess, safety-critical, redundancy, session-393
SUB-REQ-041 When the Disruption Prediction Engine primary FPGA becomes unavailable, the Disruption Prediction and Mitigation System SHALL activate a hardwired fallback that automatically issues MGI actuation command within 5 ms, maintaining the disruption mitigation function with degraded prediction capability (no probability output, fixed-threshold only).
Rationale: The DPE is classified System-Essential (hex 71F77308). Loss of the primary FPGA with no fallback would eliminate disruption mitigation capability, exposing the first wall to unmitigated disruption forces. The 5 ms fallback activation is derived from the 10 ms disruption precursor detection budget in SYS-REQ-002; a fixed-threshold hardwired path is acceptable degraded operation because it preserves the safety function with a conservative trip threshold.
Test subsystem, dpms, safety-critical, redundancy, session-393
SUB-REQ-042 The Gas Puffing Valve Controller SHALL achieve a valve response time of less than 10 ms from receipt of a density setpoint change to confirmed valve position change, measured at each of the 20 gas injection valves under full operating pressure.
Rationale: The PCS Shape and Position Controller requires density feedback loop closure at 100 Hz. A 10 ms gas puffing response contributes at most one control cycle delay, preserving loop stability margin. Longer response times cause density overshoot in the pedestal region, increasing ELM frequency and IESS trip rate.
Test subsystem, fuel-injection, gas-puffing, session-394, idempotency:sub-gpvc-response-394
SUB-REQ-043 The Tritium and Fuel Inventory Controller SHALL assert a fuel-off interlock that inhibits both the Gas Puffing Valve Controller and Pellet Injection Controller when the estimated cumulative in-vessel tritium mass exceeds 30 g, within 100 ms of threshold crossing.
Rationale: 30 g is the nuclear regulatory maximum in-vessel tritium limit for this class of fusion facility, derived from site emergency planning zone activity calculations. The 100 ms response limit ensures no additional pellet injection cycle can complete after threshold breach. Both injection channels must be inhibited simultaneously to prevent asymmetric fuelling.
Test rt-under-specified, red-team-session-433
SUB-REQ-044 The Pellet Injection Controller SHALL synchronise pellet injection to occur within 0.5 ms of the ELM phase trigger received from the MHD Mode Stabiliser, with a miss rate not exceeding 2% across any 100-pellet sequence.
Rationale: The MHD Mode Stabiliser (hex 40800000) provides ELM phase trigger timing for pellet injection synchronisation. The 0.5 ms window is set by the characteristic ELM growth time (1–3 ms); pellets injected outside this window will not pace the ELM effectively. The 2% miss-rate criterion corresponds to the tolerable fraction of ELM events without pacing before net erosion of the divertor first wall exceeds design allowance. Confidence level: 95% (one-sided), evaluated over a minimum sample of 500 consecutive ELM events per machine state. Test conditions: H-mode, q95 = 3.0–3.5, standard pellet size (2 mm D pellets).
Test rt-under-specified, red-team-session-433
SUB-REQ-045 The Burn Condition Monitor SHALL provide a real-time fusion power estimate accurate to within ±2% of the calibrated reference value over the range 50–800 MW, with an update rate of at least 10 Hz.
Rationale: Fusion power accuracy drives the Q-factor calculation used to determine burn sustainability. A ±2% accuracy error translates to ±0.05 in Q at Q=10, which is below the 0.1 Q resolution needed for burn state discrimination. The 10 Hz update rate matches the DPMS event register polling frequency — slower updates create a blind interval where Q could drop below 1 without triggering burn termination.
Test rt-missing-failure-mode, red-team-session-459
SUB-REQ-046 When tritium concentration at the boundary of the Fuel Injection and Burn Control equipment zone exceeds 10 μSv/h as measured by area monitors, the Tritium and Fuel Inventory Controller SHALL assert a fuel-off interlock on both injection channels and send a tritium-alarm signal to the Interlock and Emergency Shutdown System within 500 ms.
Rationale: 10 μSv/h is the nuclear regulatory action level for occupational tritium exposure in the controlled zone. At this level, continued injection could increase in-vessel tritium activity and contaminate the primary vacuum circuit. The 500 ms response time allows one sampling interval on the area monitors (sampled at 2 Hz) before the interlock takes effect.
Test rt-under-specified, red-team-session-433
SUB-REQ-047 When the Burn Condition Monitor predicts Q < 1 within 500 ms based on thermal energy decay rate, it SHALL trigger a controlled burn termination by sending an ordered fuel-ramp-down command to the Gas Puffing Valve Controller and a pellet-hold command to the Pellet Injection Controller, completing the ramp-down within 200 ms.
Rationale: Controlled burn termination via fuel ramp-down is preferable to a hard IESS trip: it avoids the thermal shock of sudden plasma termination, which can cause first-wall erosion. The 500 ms prediction horizon is achievable from the diamagnetic loop thermal energy trend; the 200 ms ramp-down completes within the prediction window, allowing soft termination before IESS trip becomes necessary.
Test rt-under-specified, red-team-session-433
SUB-REQ-048 The Pellet Injection Controller SHALL maintain the pellet formation cryostat temperature within the range 15 K to 18 K during active fuelling, with temperature deviation not exceeding ±0.5 K over any 60-second window.
Rationale: D-T ice pellet mechanical integrity requires temperatures in the 15–18 K range. Below 15 K, pellets become brittle and fragment in the guide tube, causing blockages. Above 18 K, surface sublimation reduces pellet mass below the minimum 0.5 mg threshold, degrading fuelling efficiency by >30%.
Test rt-under-specified, red-team-session-433
SUB-REQ-049 The Burn Condition Monitor SHALL achieve a diagnostic coverage of at least 90% of all neutron flux measurement channels, as verified by self-test exercised at every 10-second health check interval.
Rationale: Cross-domain analog: the Quench Detection System (UHT 54F77218, identical observable monitoring profile) requires 90% diagnostic coverage (SUB-REQ-003) for magnetic quench channels. The Burn Condition Monitor performs the same architectural function — threshold monitoring with safety action — on neutron flux channels, and the same coverage standard applies. Without channel-level self-test, a failed fission chamber could cause a silent under-reading of fusion power, masking a Q-collapse.
Test rt-implausible-value, red-team-session-459
SUB-REQ-050 The Plant Operations Sequencer SHALL maintain a machine state variable (MSV) in one of eight defined states (MAINTENANCE, STANDBY, PRE-PULSE, PLASMA-INIT, FLAT-TOP, RAMP-DOWN, POST-PULSE, FAULT) and SHALL broadcast the MSV to all subsystems at 10 Hz via the supervisory SCADA bus.
Rationale: All eight subsystems require a consistent, authoritative operating state to coordinate actuator enable/disable logic. The 10 Hz update rate is sufficient for supervisory state management while avoiding network congestion; real-time actuator control uses dedicated control buses at higher rates.
Test subsystem, pcis, plant-control, session-395, idempotency:sub-pos-msv-395
SUB-REQ-051 When the active Plant Operations Sequencer fails (heartbeat loss exceeding 200 ms), the standby sequencer SHALL assume control within 500 ms and SHALL resume broadcasting the last valid MSV without requiring operator intervention.
Rationale: Loss of the Plant Operations Sequencer during plasma operation could leave all subsystems without a valid machine state, causing undefined actuator behaviour. The 500 ms failover window is derived from the 1 second plasma quench growth time — the control system must re-establish supervisory authority before any actuator loses its operating context.
Test subsystem, pcis, plant-control, redundancy, session-395, idempotency:sub-pos-failover-395
SUB-REQ-052 The Machine Timing and Synchronisation System SHALL deliver shot T=0 and inter-subsystem synchronisation pulses to all I&C subsystems with absolute timestamp accuracy of <=1 µs and inter-subsystem jitter of <=5 µs, derived from a GPS-disciplined oscillator with holdover accuracy of <=10 µs per hour during GPS outage.
Rationale: Plasma equilibrium reconstruction requires diagnostic timestamps accurate to 1 µs to avoid aliasing at the 100 kHz sample rates used by Mirnov coils. The 5 µs inter-subsystem jitter constraint ensures coordinated actuator firings (pellet injection, NBI modulation) arrive within the 10 µs plasma control loop cycle time. The 10 µs/hour GPS holdover is derived from the maximum timing error accumulation acceptable during a 2-hour plasma pulse.
Test rt-missing-failure-mode, red-team-session-459
SUB-REQ-053 The Plant Data Historian SHALL ingest time-series data from all subsystems at an aggregate sustained rate of >=50 MB/s during plasma operations, provide post-pulse data access via REST API within <=60 s of pulse completion, and retain all pulse data for >=25 years with lossless compression.
Rationale: The 50 MB/s aggregate ingest rate is derived from 1 kHz sampling of 400 diagnostic channels at 64-bit precision across all subsystems. The 60 s post-pulse access deadline is mandated by SYS-REQ-005 and reflects the physics analysis workflow where equilibrium reconstruction begins immediately after pulse end. The 25-year retention matches the expected programme lifetime for a fusion science device and enables longitudinal degradation analysis.
Test subsystem, pcis, plant-control, session-395, idempotency:sub-pdh-archival-395
SUB-REQ-054 The Plant I&C Network Infrastructure SHALL enforce physical and logical separation between three network security zones: the real-time deterministic control LAN (EtherCAT/Ethernet POWERLINK, <1 ms latency), the best-effort monitoring LAN (GbE), and the safety-isolated IESS network, with unidirectional data diodes enforcing all data flows from safety to non-safety zones.
Rationale: Network zone segregation prevents common-cause failure between safety and non-safety I&C. A cyber intrusion on the monitoring LAN must not be able to inject commands onto the real-time control bus or the IESS network. Unidirectional data diodes are mandated for safety-network connections by IEC 62443-3-3 for nuclear I&C applications; software firewalls alone are insufficient.
Inspection subsystem, pcis, plant-control, session-395, idempotency:sub-nicinfra-zones-395
SUB-REQ-055 The Real-Time Diagnostic Signal Conditioner SHALL digitise all 512 input channels at >=100 kHz with >=16-bit resolution and deliver calibrated digital outputs to the Equilibrium Reconstruction Processor and Disruption Precursor Monitor with end-to-end signal conditioning latency <=100 µs from analogue input to digital output.
Rationale: The 100 kHz sample rate is driven by the Mirnov coil bandwidth required for MHD mode detection up to 50 kHz (Nyquist). The 100 µs conditioning latency budget is derived from the Equilibrium Reconstruction Processor needing conditioned signals within its 1 ms computation cycle, leaving 900 µs for reconstruction computation. Exceeding this latency would delay equilibrium updates and degrade Shape and Position Controller response.
Test rt-under-specified, red-team-session-433
SUB-REQ-056 The Magnetic Diagnostics Array SHALL provide plasma current integral measurements with absolute accuracy <=0.1% of full-scale (80 MA-turns) and SHALL include a self-monitoring function that flags individual sensor degradation when the calibration drift exceeds 0.05% per 100 shots.
Rationale: The 0.1% absolute accuracy threshold is required by the Equilibrium Reconstruction Processor to achieve the ±2 cm plasma position accuracy mandated by SYS-REQ-001. Calibration drift monitoring is included because neutron-irradiated magnetic sensors experience progressive sensitivity changes; undetected drift would corrupt equilibrium reconstruction without operator awareness.
Test rt-under-specified, red-team-session-433
SUB-REQ-057 The Disruption Precursor Sensor Suite SHALL provide time-stamped outputs at >=10 kHz for tearing mode saddle coils and >=1 kHz for soft X-ray bolometer channels, with timestamp accuracy <=10 µs relative to the Machine Timing System reference.
Rationale: The 10 kHz saddle coil sample rate resolves tearing mode rotation frequencies up to 5 kHz, which is consistent with disruption precursor frequencies observed in JET and ASDEX-U data. The 10 µs timestamp accuracy preserves phase information at these frequencies and ensures the Disruption Prediction Engine can correlate precursor events across multiple diagnostic channels.
Test rt-under-specified, red-team-session-433
SUB-REQ-058 When the Disruption Precursor Monitor has not produced a valid output within 500 ms of the previous valid output, the Disruption Prediction and Mitigation System SHALL enter a watchdog-tripped state in which disruption risk is treated as 1.0 (maximum), triggering the precautionary mitigation sequence.
Rationale: The Disruption Precursor Monitor is classified as Functionally Autonomous and any silent failure would leave the DPMS operating without valid precursor data. Treating a monitoring failure as maximum risk ensures the safe fail-state is always the disruption mitigation response — consistent with IEC 61508 fail-safe design for autonomous safety monitors. The 500 ms window allows one full monitoring cycle to be missed before the watchdog fires.
Test subsystem, dpms, safety-critical, degraded-mode, session-395, idempotency:sub-dpm-watchdog-395
SUB-REQ-059 When the Equilibrium Reconstruction Processor fails to produce a valid equilibrium solution within two consecutive 1 ms computation cycles, the Plasma Control System SHALL revert to the last valid equilibrium and SHALL reduce plasma current ramp rate to zero until valid solutions resume; operator override via the Operator Console System SHALL require a deliberate two-action confirmation.
Rationale: The ERP is Functionally Autonomous and its outputs directly drive Shape and Position Controller actuations. A silent ERP failure with stale outputs would cause the PCS to chase a non-existent plasma equilibrium, potentially leading to an uncontrolled vertical displacement event. The two-consecutive-cycle fault threshold prevents single-shot computational outliers from triggering unnecessary holds while ensuring a genuine failure is detected within 2 ms.
Test subsystem, plasma-control-system, safety-critical, degraded-mode, session-395, idempotency:sub-erp-watchdog-395
SUB-REQ-060 While the Disruption Prediction Engine is operating, the DPMS Supervisory and Archive SHALL monitor DPE heartbeat at 100 ms intervals and, upon two consecutive missed heartbeats, SHALL escalate disruption risk to the emergency mitigation threshold and notify the Interlock and Emergency Shutdown System; the operator SHALL NOT be able to inhibit DPE watchdog escalation without a plant director-level authorisation.
Rationale: The Disruption Prediction Engine uses ML pattern recognition that classifies it as Functionally Autonomous — autonomous ML systems driving actuation require explicit human-override constraints. The 200 ms watchdog window (two missed beats) balances false-alarm suppression against the DPMS 50 ms disruption response budget. Plant-director authorisation for inhibit prevents operators from disabling disruption protection under operational pressure.
Test subsystem, dpms, safety-critical, session-395, idempotency:sub-dpe-override-395
SUB-REQ-061 When a safe shutdown earthquake is detected at plant level, all SIL-3 classified components of the Interlock and Emergency Shutdown System SHALL remain functional and maintain their safety trip functions, as demonstrated by qualification testing to IEEE 344 seismic category I fragility levels.
Rationale: SYS-REQ-006 mandates IEEE 344 category I seismic qualification; this SUB requirement flows the seismic equipment qualification requirement into the IESS subsystem, which contains all SIL-3 safety functions. Seismic events coincide with the highest plasma energy states and require the safety shutdown to be available precisely when a natural disaster occurs.
Test subsystem, iess, seismic, safety-critical, session-396, idempotency:sub-iess-seismic-qual-396
SUB-REQ-062 The Interlock and Emergency Shutdown System shall define safe state as the condition in which: plasma current has been reduced to zero, all heating and current drive systems are at zero power, magnetic field coils are discharged via the Energy Extraction and Dump System, and the Tritium and Fuel Inventory Controller has closed all fuelling valves; the IESS SHALL verify all four conditions within 5 s of SCRAM initiation and maintain safe state until manually reset.
Rationale: PARTIALLY SUPERSEDED: 5-second verification time is consistent with SYS-REQ-004 SCRAM budget, but plasma current threshold ('zero') is less precise than the <1 kA threshold in SUB-REQ-112. The authoritative safe state definition is SUB-REQ-112 (QC session 417). SUB-REQ-062 is retained as a supporting requirement specifying the manual reset behaviour not covered by SUB-REQ-112.
Test rt-missing-safe-state, red-team-session-459
SUB-REQ-063 The Disruption Precursor Monitor SHALL operate from a 24 VDC ±10% redundant power supply with a maximum quiescent power consumption of 150 W, and SHALL continue processing and outputting valid data within 10 ms of switchover from primary to backup power, with no spurious trigger outputs during the switchover transient.
Rationale: The DPM is classified as Powered in UHT; as a System-Essential component in the disruption mitigation chain, its power supply architecture must prevent loss of disruption monitoring during power supply faults. The 24 VDC standard is consistent with IESS and other safety-rated I&C in the plant. The 150 W budget is derived from FPGA inference card typical consumption (80 W) plus sensor conditioning (40 W) plus margin (30 W). The 10 ms switchover recovery requirement preserves the disruption detection latency budget defined in SYS-REQ-002.
Test subsystem, dpms, session-396, idempotency:sub-dpm-power-396
SUB-REQ-064 The Interlock and Emergency Shutdown System Trip Parameter Monitor, Safety Logic Processor, and Emergency Shutdown Sequencer SHALL be qualified to IEEE 344 seismic requirements at the plant site-specific Safe Shutdown Earthquake response spectrum, maintaining full function during and after the SSE.
Rationale: SYS-REQ-006 mandates IEEE 344 qualification; this subsystem requirement allocates that obligation to the three IESS hardware components that must undergo qualification testing.
Test
SUB-REQ-065 When a safe shutdown earthquake is detected at plant level, the Fusion Reactor Control System SHALL maintain all SIL-3 safety shutdown functions and transition the plasma to safe state within 10 seconds, using equipment qualified to IEEE 344 seismic category I.
Rationale: STK-REQ-009 mandates safety function survivability under seismic conditions. IEEE 344 Category I is the nuclear safety-related I&C qualification standard. The 10 s window covers the SYS-REQ-004 5 s SCRAM budget plus 5 s post-seismic assessment margin. Loss of SCRAM capability after a seismic event is a design basis accident. NOTE: This requirement was accidentally reassigned from system-requirements to subsystem-requirements (was SYS-REQ-006). The canonical system-level requirement is now REQ-SEFUSIONREACTORCONTROLSYSTEM-031. Tag: superseded-by-REQ-SEFUSIONREACTORCONTROLSYSTEM-031
Analysis rt-sil-gap, red-team-session-433
SUB-REQ-066 The Quench Detection System SHALL be housed in a 19-inch, rack-mounted, seismically-qualified enclosure rated IP54 or better, with all analogue input channels individually shielded to maintain ≤1 mV conducted noise immunity in the presence of the full-power superconducting coil electromagnetic environment (dB/dt ≤ 10 T/s).
Rationale: The QDS is physically co-located with the superconducting magnet system in a high electromagnetic noise environment. Specific shielded housing is required to ensure the 20 ms quench detection latency (SUB-REQ-032) is not compromised by cable-coupled interference from the coil discharge transients. IP54 prevents condensation ingress during cryogenic system maintenance cycles. Seismic qualification matches the plant SSE requirement (STK-REQ-009).
Inspection subsystem, qds, physical, emi, session-398
SUB-REQ-067 The Fusion Reactor Control System SHALL be housed in a qualified nuclear-grade equipment enclosure rated to IP54 minimum, constructed from non-combustible materials, and installed in a radiation-controlled area with dose rates not exceeding 100 mSv/hr, with all external interfaces protected by qualified connectors meeting IEC 60068 environmental standards.
Rationale: Lint finding: UHT hex 51F77B19 lacks Physical Object trait despite physical embodiment constraints in REQ-SEFUSIONREACTORCONTROLSYSTEM-034 and STK-REQ-010. The physical installation constraints are required for nuclear I&C equipment qualification and personnel safety under IEC 61513 Class 1 requirements.
Inspection
SUB-REQ-068 The Quench Detection System SHALL be physically implemented as dedicated, qualified hardware units installed within 10 m of each superconducting magnet coil assembly, housed in radiation-hardened enclosures rated for a neutron fluence of at least 1×10^14 n/cm² over 20-year operational lifetime, with no shared chassis or power supply with non-safety systems.
Rationale: Lint finding: UHT hex 54F77218 lacks Physical Object trait despite physical constraints in IFC-REQ-017 and SUB-REQ-037. Physical separation and radiation hardening are essential as quench detection failure during a magnet fault would result in uncontrolled release of stored magnetic energy (GJ-scale), which is a Category A safety event.
Inspection
SUB-REQ-069 The Emergency Shutdown Sequencer SHALL be implemented as a 2-of-3 redundant voted architecture. When one channel fails (detected by watchdog timeout >50 ms), the system SHALL continue to execute shutdown sequences at full specification. When two channels fail, the system SHALL initiate an immediate reactor trip and maintain the safe state indefinitely without requiring operator action.
Rationale: UHT classification 51F73A18 carries System-Essential trait; lint finding flags absence of redundancy requirements. The Emergency Shutdown Sequencer is a SIL-3 safety function — IEC 61511 mandates architectural independence and voting logic for functions at this integrity level. 2-of-3 voting achieves the required PFD < 10^-3 per demand.
Test
SUB-REQ-070 The Safety Logic Processor SHALL operate as a fault-tolerant triple modular redundant (TMR) system. When one processing channel fails, the majority-vote output SHALL remain valid and SIL-3 compliant. When the Safety Logic Processor cannot achieve a 2-of-3 vote due to two channel failures, it SHALL default to the safe state (all scram signals asserted) within 100 ms.
Rationale: UHT classification D1B77858 carries System-Essential trait; the Safety Logic Processor is the SIL-3 voting element for reactor scram initiation. IEC 61511 requires hardware fault tolerance HFT ≥ 1 for SIL-3 safety functions; TMR achieves HFT=2, with fail-safe default preventing a stuck-at-safe rather than stuck-at-permissive failure mode.
Test
SUB-REQ-071 The Disruption Prediction Engine SHALL implement cybersecurity controls meeting IEC 62443 Security Level 2 (SL-2), including cryptographic authentication of all model update packages (SHA-256 minimum), read-only runtime execution from verified firmware, and network isolation preventing any outbound connection from the prediction engine during plasma operation.
Rationale: UHT classification 51F57308 carries Digital/Virtual trait; the disruption prediction engine runs ML inference and accepts model updates, creating a supply chain attack surface. A compromised model could suppress disruption warnings, allowing unmitigated disruptions that damage first-wall components or pose personnel safety hazards. IEC 62443 SL-2 is the minimum for safety-adjacent digital I&C.
Analysis
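As an added illustration of the authenticated model-update check in SUB-REQ-071 (example code, not the project's own design): a verifier that accepts a Disruption Prediction Engine update package only when the manifest signature checks out, the package version is newer than the installed one, and every file's SHA-256 digest matches the manifest. The HMAC key, the package layout and the sample files are assumptions constructed for the demo; a real deployment would verify an asymmetric signature against a key held read-only in the DPE firmware.

```python
import hashlib
import hmac
import json

# Constructed demo key. In the plant this would be a public key held read-only
# by the DPE, never a shared secret stored alongside the update package.
DPE_UPDATE_KEY = b"constructed-demo-key-not-for-production"


def manifest_bytes(manifest: dict) -> bytes:
    """Canonical JSON encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_package(files: dict[str, bytes], version: int,
                 key: bytes = DPE_UPDATE_KEY) -> dict:
    """Release-side step (hypothetical): build a manifest of SHA-256 digests
    and authenticate it with HMAC-SHA256."""
    manifest = {
        "version": version,
        "files": {name: hashlib.sha256(data).hexdigest()
                  for name, data in files.items()},
    }
    tag = hmac.new(key, manifest_bytes(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": tag, "files": files}


def verify_package(package: dict, installed_version: int,
                   key: bytes = DPE_UPDATE_KEY) -> tuple[bool, str]:
    """Return (accepted, reason). Any single failure rejects the whole package;
    nothing is installed partially."""
    manifest = package.get("manifest", {})
    expected = hmac.new(key, manifest_bytes(manifest), hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, str(package.get("signature", ""))):
        return False, "signature mismatch"
    # Refuse rollback to an older (possibly weaker) model: version must increase.
    if manifest.get("version", -1) <= installed_version:
        return False, "version not newer than installed (rollback refused)"
    declared = manifest.get("files", {})
    files = package.get("files", {})
    # Every delivered file must be in the manifest and vice versa.
    if set(declared) != set(files):
        return False, "file set differs from manifest"
    for name, digest in declared.items():
        actual = hashlib.sha256(files[name]).hexdigest()
        if not hmac.compare_digest(actual, digest):
            return False, f"digest mismatch: {name}"
    return True, "accepted"


# Constructed sample package: a model weights blob and a scaler config.
SAMPLE_FILES = {"model.bin": b"\x00\x01" * 8, "scaler.json": b'{"mean": 0.5}'}


def demo() -> dict:
    """Run the verifier over a good package and two tampered copies."""
    pkg = sign_package(SAMPLE_FILES, version=7)
    tampered = {**pkg, "files": {**SAMPLE_FILES, "model.bin": b"\xff" * 16}}
    forged = {**pkg, "manifest": {**pkg["manifest"], "version": 99}}
    return {
        "good": verify_package(pkg, installed_version=6),
        "tampered_weights": verify_package(tampered, installed_version=6),
        "forged_manifest": verify_package(forged, installed_version=6),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```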
SUB-REQ-072 The Safety Arbiter SHALL be type-approved under IEC 61513 Category A (highest nuclear I&C category) and certified to IEC 61508 SIL-3. The vendor SHALL provide qualification documentation including FMEA, software diversity analysis, and independent verification evidence to the nuclear regulatory authority prior to plant commissioning.
Rationale: UHT classification 002008B1 carries Regulated trait; the safety arbiter is the final decision element in the protective system. Nuclear regulatory authorities in all major fusion programme jurisdictions (UK ONR, EURATOM, US NRC) require pre-approval of Class 1 I&C before commissioning. Type approval under IEC 61513 is the accepted route to regulatory acceptance.
Inspection
SUB-REQ-073 The Pellet Injection Controller, including all tritium-handling components, SHALL comply with IAEA SSG-52 (Safety of Fusion Reactors) guidance on tritium systems and shall be licensed under the applicable national nuclear safety legislation for tritium handling facilities, with a licensed quantity limit not less than the maximum inventory design basis.
Rationale: UHT classification 55F53218 carries Regulated trait; pellet injection handles tritium fuel which is radioactive and subject to national nuclear material regulations. IAEA SSG-52 is the current international guidance framework for fusion reactor safety regulation. Failure to obtain licensing would prevent plant operation and could result in regulatory enforcement.
Inspection
SUB-REQ-074 While the Fusion Reactor Control System is executing or maintaining a safe state, the Interlock and Emergency Shutdown System SHALL hold all plasma-facing subsystems (Heating and Current Drive, Fuel Injection, Plasma Control) in a de-energised and locked configuration, with fuel injection valves mechanically isolated and all RF power sources confirmed off via hardware interlocks, until a formal clearance procedure is authorised by a licensed reactor operator.
Rationale: Lint finding: SYS-REQ-004 establishes the safe state concept but no subsystem requirement defines what safe state physically means for each subsystem. The three subsystems mentioned each have independent shutdown actions that together constitute the operational safe state; without a SUB-level requirement, each subsystem design team may interpret safe state differently, creating integration gaps.
Demonstration
SUB-REQ-075 The Disruption Prediction Engine SHALL incorporate a hot-standby redundant inference node. When the primary node fails to produce a valid prediction output within 500 ms (three missed cycles), the standby node SHALL assume the prediction function automatically within 100 ms, with the last valid prediction output held during the switchover period. Switchover SHALL be logged with microsecond-resolution timestamps.
Rationale: UHT classification 51F57308 carries System-Essential trait; the disruption prediction engine is the only source of advance warning before a major disruption. Loss of prediction capability without failover degrades the plasma safety envelope from active-protection to open-loop operation, increasing first-wall damage risk by an order of magnitude in high-beta scenarios.
Test
SUB-REQ-076 The Pellet Injection Controller SHALL implement dual-channel architecture with independent pellet formation and injection paths. When the primary injection channel fails (detected by pellet velocity sensor disagreement >20% or injection position error >5 mm), the secondary channel SHALL maintain disruption mitigation pellet readiness within 200 ms. The system SHALL not require manual intervention to switch channels.
Rationale: UHT classification 55F53218 carries System-Essential trait; pellet injection is required for both fuelling and disruption mitigation (massive material injection). Single-point failure in the injection controller during a disruption precursor event would prevent mitigation, resulting in an unmitigated disruption and potential first-wall damage worth tens of millions of euros.
Test
SUB-REQ-077 While operating in the plant electromagnetic environment, the HCDC Supervisory and Safety Arbiter and all heating actuator controllers (NBI, ECRH, ICRH) SHALL maintain commanded heating power setpoint accuracy within ±5% in the presence of: pulsed magnetic field transients up to 10 T/s dB/dt from the pulsed power system; and RF fields up to 200 V/m at 50-170 GHz from co-located ion cyclotron and neutral beam heating systems. All controllers SHALL be qualified to IEC 61000-4-3 immunity level IV and IEC 61000-4-8 level 5.
Rationale: SYS-REQ-010 mandates no degradation of control performance under the full plant EMC environment. The HCDC subsystem operates in close proximity to ICRH and NBI heating sources; inadequate EMC immunity will cause spurious setpoint errors that can destabilise plasma position and trigger false disruption precursor detections. IEC 61000-4-3 Level IV and 61000-4-8 Level 5 are the highest standardised test levels appropriate for pulsed-power nuclear environments.
Test
SUB-REQ-078 The Plant Control and I&C System SHALL report detected I&C channel faults to the Maintenance Management System via the qualified IEC 61850 maintenance bus within 10 seconds of fault detection. Each fault report SHALL include: equipment identifier (per IEC 61360 plant item classification), UTC timestamp accurate to 1 ms, fault severity classification (CRITICAL / MAJOR / MINOR per IEC 60812), and channel identity. The maintenance bus interface SHALL achieve 99.9% message delivery reliability over a rolling 30-day period.
Rationale: SYS-REQ-011 requires self-diagnostic coverage with fault reports to the Maintenance Management System within 10 s. This SUB requirement decomposes the reporting interface specification: message content, bus standard, timing, and reliability. Without a qualified reporting interface, early-life I&C degradation cannot be detected before it propagates to safety-function failures. IEC 61850 GOOSE is the standard for qualified nuclear I&C maintenance networks.
Test
SUB-REQ-079 The Disruption Prediction Engine SHALL be validated against a test dataset containing at least 500 disruption precursor sequences and 2000 non-disruption plasma shots, achieving: sensitivity of 95% or greater (missed disruption rate of 5% or less); false positive rate of 2% or less; and prediction horizon of 30 ms or greater before energy limit threshold is exceeded. The DPE machine learning model SHALL be version-controlled with model weights frozen at commissioning, and SHALL undergo revalidation when plasma operational parameters deviate by more than 15% from the training envelope.
Rationale: The DPE employs LSTM-based neural network inference. IEC 61508-3 Annex D requires statistical validation of ML-based safety-related systems. The 95% sensitivity and 2% FPR thresholds are derived from the reactor energy budget: a missed disruption at full plasma energy (greater than 350 MJ) can cause first-wall damage and breach confinement. Model version control and revalidation requirements prevent silent model degradation under plasma parameter drift.
Analysis
SUB-REQ-080 The Quench Detection System SHALL be implemented as a dedicated rack-mounted unit in a seismically-qualified 19-inch equipment enclosure rated for nuclear facility installation, housed within the FRCS instrumentation area. The QDS housing SHALL provide EMI shielding to IEC 61000-4-3 level IV, temperature stability to ±2°C internal ambient, and physical separation of safety-class signal conditioning boards from non-safety auxiliary circuits.
Rationale: QDS is a safety-critical system (SIL-3) with physical signal conditioning hardware for Cernox sensor inputs and voltage tap circuits. The Physical Object trait requires that its housing, segregation from non-safety circuits, and environmental qualification are explicitly specified. Seismic qualification is required by nuclear installation standards; EMI shielding matches plant EME requirements; ±2°C internal temperature is required by Cernox sensor accuracy budget. Without an embodiment requirement, there is no contractual basis for the physical design review.
Inspection
SUB-REQ-081 The Pellet Injection Controller SHALL be housed in a dedicated radiation-tolerant cabinet located in the tritium plant ancillary area, with the PIC electronics enclosure physically segregated from the cryostat cold-head assembly. The PIC housing SHALL meet IEC 61000-4-3 EMI immunity level III, be rated for continuous operation in a tritium-bearing gaseous environment, and incorporate personnel safety interlocks preventing access to high-voltage pellet accelerator circuits during operation.
Rationale: The PIC controls high-voltage pellet injection equipment in a tritium-bearing environment and is classified as Regulated. Physical segregation between control electronics and the cryostat cold-head prevents cryogenic liquid ingress into electronics; radiation tolerance is required for the tokamak hall environment; tritium gas environment rating derives from the fuel plant location; personnel interlocks are required by radiation protection regulations for high-voltage equipment in nuclear facilities. Without an embodiment requirement, the physical design has no contractual nuclear safety and radiation protection basis.
Inspection
SUB-REQ-082 The MHD Mode Stabiliser NTM detection function SHALL achieve a detection probability of ≥95% for growing n=1 and n=2 islands exceeding 3 cm width under standard plasma operating conditions, with a false-alarm rate not exceeding 1 per 100 shots. This performance SHALL be verified over a minimum sample of 200 simulated disruption onset sequences, spanning the full range of q-profiles (q95 = 2.5 to 5.0) and plasma current (8 to 15 MA), at standard test conditions (20°C ±5°C, nominal EMI environment).
Rationale: The 95% detection probability for n=1/n=2 islands exceeding 3 cm is derived from plasma physics modelling of NTM growth rates: islands grow from 3 cm to locking width (typically 6–8 cm) in 200–500 ms. The MHD Mode Stabiliser (hex 40800000) must detect at 3 cm to allow ECRH stabilisation before locking. Statistical parameters: 95% confidence, minimum sample of 200 independent NTM events per island mode, evaluated across standard plasma operating conditions (1.5–2.0 MA, 2.5–3.5 T). False alarm rate ≤5% prevents unnecessary ECRH power dumps that would degrade plasma performance.
Analysis rt-implausible-value, red-team-session-459
SUB-REQ-083 When a single Trip Parameter Monitor channel is placed into bypass for maintenance, the IESS SHALL automatically reduce voting logic to 1-out-of-2 on the remaining channels, and SHALL annunciate the bypass state on SPDS. The IESS SHALL not permit simultaneous bypass of more than one Trip Parameter Monitor channel.
Rationale: STK-REQ-005 requires online channel replacement. The NukeRPS analog (Jaccard 0.85) uses 2oo4 voting specifically to allow one-channel bypass; our 2oo3 requires explicit 1oo2 fallback during bypass to maintain single-failure tolerance.
Inspection
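The voting behaviour specified in SUB-REQ-083 (together with the 2oo3 baseline in SUB-REQ-001) is shown below as an added example; it is not part of the SyDD or of any project code. Channel identifiers A/B/C, the annunciation strings, and the fail-safe treatment of a missing reading as a trip vote are assumptions made for the example.

```python
"""Added example (not from the SyDD): 2oo3 trip voting with single-channel bypass fallback.

Three Trip Parameter Monitor channels vote 2-out-of-3; placing one channel in
maintenance bypass drops the remaining two to 1-out-of-2; a second simultaneous
bypass is refused; the bypass state is reported for SPDS annunciation.
"""
from dataclasses import dataclass, field

CHANNELS = ("A", "B", "C")  # constructed channel identifiers (assumption)


class BypassRefused(Exception):
    """A second simultaneous bypass was requested, which SUB-REQ-083 forbids."""


@dataclass
class TripVoter:
    bypassed: set = field(default_factory=set)

    def request_bypass(self, channel: str) -> str:
        """Place one channel in bypass; returns the annunciation text for SPDS."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if self.bypassed and channel not in self.bypassed:
            raise BypassRefused(
                f"channel {channel} cannot be bypassed while "
                f"{sorted(self.bypassed)} is already bypassed")
        self.bypassed.add(channel)
        return self.annunciation()

    def clear_bypass(self, channel: str) -> str:
        """Return a channel to service and restore 2oo3 voting."""
        self.bypassed.discard(channel)
        return self.annunciation()

    def voting_scheme(self) -> tuple[int, int]:
        """(m, n): m trip votes required out of n active channels."""
        active = len(CHANNELS) - len(self.bypassed)
        return (2, 3) if active == 3 else (1, 2)

    def vote(self, trips: dict[str, bool]) -> bool:
        """trips maps channel -> True when that channel asserts a valid trip.

        Bypassed channels are ignored entirely. A missing reading on an active
        channel counts as a trip vote (de-energise-to-trip convention; this is
        an assumption for the example, not a statement from the page).
        """
        needed, _ = self.voting_scheme()
        votes = sum(
            1 for c in CHANNELS if c not in self.bypassed and trips.get(c, True)
        )
        return votes >= needed

    def annunciation(self) -> str:
        """Text that would be shown on SPDS for the current voting state."""
        if not self.bypassed:
            return "TPM VOTING 2oo3 - NO BYPASS"
        (ch,) = self.bypassed
        return f"TPM CHANNEL {ch} BYPASSED - VOTING 1oo2"
```

With one channel bypassed, a single trip vote from either remaining channel is sufficient, so single-failure tolerance is preserved but the protection against a spurious single-channel trip is given up for the duration of the bypass; that trade is why the requirement forbids bypassing a second channel.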
SUB-REQ-084 When the SCRAM function is actuated, the Emergency Shutdown System SHALL establish the Reactor Safe State defined as: plasma discharge terminated, all magnet currents decayed to zero via dump resistors within 30 s, all active heating systems (NBI, ICRF, ECRH) de-energised, and fuel injection halted with the pellet cryostat vented to the tritium exhaust system.
Rationale: SYS-REQ-004 references safe state as the SCRAM target but does not specify what that state is; without a formal safe state definition, the acceptance criterion for the SCRAM function is untestable. This requirement closes the gap by defining quantitative conditions (magnet dump time, heating system de-energisation, fuel isolation) that constitute safe state, derived from IEC 61513 requirements for nuclear I&C systems.
Test rt-missing-safe-state, red-team-session-459
SUB-REQ-085 The Interlock and Emergency Shutdown System SHALL implement 1oo2 redundant architecture for all hardware channels between the Safety Logic Processor and Emergency Shutdown Sequencer actuation outputs, such that loss of any single hardware channel does not reduce the IESS availability below the SIL-3 target (probability of failure on demand < 1×10⁻³). The second channel shall be physically separated in independent cabinets with independent power supplies.
Rationale: Lint finding: ESS classified as System-Essential (bit 16) but lacked an explicit redundancy requirement. SIL-3 target PFD < 1×10⁻³ requires 1oo2 channel architecture for the final actuation path; a single-channel ESS cannot meet this PFD without heroic component reliability assumptions that are not achievable in a nuclear environment.
Analysis rt-sil-gap, red-team-session-459
SUB-REQ-086 The Pellet Injection Controller SHALL comply with ITER nuclear island tritium handling requirements (ITER-D-2X5MRW), maintaining tritium confinement class C2 design with double containment on all tritium-wetted components, and SHALL be qualified to ISO 17873 for tritium systems in nuclear facilities.
Rationale: Pellet Injection Controller handles solid tritium pellets inside the nuclear island — tritium regulatory requirements (ITER-D-2X5MRW, ISO 17873) mandate double containment and material compatibility qualification. This addresses the lint finding that the Pellet Injection Controller is Regulated and Institutionally Defined without corresponding compliance requirements.
Inspection
SUB-REQ-087 The Fusion Reactor Control System SHALL be housed in IEC 62262 IK10-rated enclosures with IP54 ingress protection for nuclear island cabinets and IP44 for control room cabinets, with EMC shielding achieving 40 dB attenuation at 50-170 GHz to protect against ECRH and ICRH radiated fields per SYS-REQ-008 and SYS-REQ-010.
Rationale: Physical embodiment requirement: FRCS lacks Physical Object classification but environmental requirements SYS-REQ-008 and SYS-REQ-010 impose physical constraints requiring defined enclosures. IP54 prevents process fluid ingress in nuclear island; IK10 ensures cabinet integrity during SSE events; 40 dB RF shielding provides margin above IEC 61000-4-3 Level IV for the tokamak electromagnetic environment.
Inspection
SUB-REQ-088 The Quench Detection System SHALL be implemented as a dedicated hardware assembly physically mounted on each superconducting coil cold-mass support structure, with voltage bridge sensor pairs located at coil mid-points and end terminals, and quench heater driver circuits installed in cryogenic-rated enclosures qualified for operation at 4.2 K with stainless steel welded construction per ITER coil mechanical design specifications.
Rationale: Lint finding 2: QDS is classified without Physical Object trait but SUB-REQ-037, SUB-REQ-066, and SUB-REQ-080 impose physical constraints (cryogenic environment, coil mounting, voltage bridge sensing). The physical mounting specification is architecturally essential: voltage bridge sensing requires symmetric lead pairs at specific coil locations; cryogenic enclosure rating is mandatory for operation at 4.2 K; physical separation from control electronics prevents common-cause thermal failures.
Inspection
SUB-REQ-089 The Tritium and Fuel Inventory Controller SHALL comply with IAEA safeguards requirements for nuclear material accountancy (INFCIRC/153), tritium inventory management per ISO 17873, and ITER nuclear island tritium confinement class C2 per ITER-D-2X5MRW. Tritium inventory reports SHALL be generated at intervals not exceeding 24 hours and transmitted to the plant safeguards data acquisition system.
Rationale: Lint finding 8: Fuel Inventory Controller is classified as Institutionally Defined (Regulated) but no SUB requirement referenced applicable safeguards or nuclear material accountancy standards. IAEA INFCIRC/153 is the governing instrument for nuclear material safeguards at ITER; non-compliance would result in loss of nuclear operating licence. ISO 17873 is the specific standard for tritium systems in nuclear facilities. The 24-hour inventory reporting interval is consistent with ITER safeguards agreement requirements.
Inspection
SUB-REQ-090 The Quench Detection System SHALL perform continuous, uninterrupted monitoring of all superconducting coil voltage channels on a deterministic 1 ms sampling cycle, with channel-to-channel synchronisation jitter not exceeding 100 μs. While in quench monitoring mode, the QDS SHALL complete each full sensor scan and signal processing cycle within the 1 ms sampling period, maintaining this timing independently of quench alarm or fault state processing.
Rationale: Lint finding 7: QDS is classified as Temporal (bit 23) indicating time-dependent operation, but no existing requirement explicitly specifies the QDS monitoring cycle timing beyond the 5 ms detection threshold in SUB-REQ-032. The 1 ms sampling cycle is required to provide at least 5 samples within the ≥5 ms quench onset window; channel synchronisation jitter <100 μs ensures the 2oo3 voting logic in SUB-REQ-033 operates on spatially-consistent coil state snapshots.
Test
SUB-REQ-091 The Disruption Prediction Engine performance thresholds in SUB-REQ-010 (TPR ≥95%, FPR ≤2 events/24h) SHALL be validated against a minimum test dataset of 500 disruption events and 5000 non-disruption control windows drawn from representative plasma operating scenarios including L-mode, H-mode, and ELMy H-mode, with performance confidence intervals at 95% confidence level (Wilson score interval) reported alongside each claimed performance metric. Test conditions SHALL be defined in the DPMS Validation Plan prior to implementation.
Rationale: Lint finding 13: disruption prediction is classified as a low-trait abstract concept (only Temporal + Processes Signals), and SUB-REQ-010 sets performance thresholds without specifying the statistical basis. Performance claims without defined confidence level and sample size cannot be verified — a 95% TPR on a 20-event test set is not the same as on a 500-event test set. The 500/5000 dataset size is consistent with ITER plasma disruption database accumulation rate and provides Wilson interval widths of ±3% at 95% confidence.
Analysis
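The Wilson score interval that SUB-REQ-091 requires to be reported with each performance figure is computed below as an added example; it is not code from the SyDD or the DPMS Validation Plan. The detection counts are constructed, and the acceptance helper's rule that the lower confidence bound (rather than the point estimate) must clear the threshold is a conservative choice made for the example, not a criterion stated on the page.

```python
"""Added example (not from the SyDD): Wilson score interval for a detection-rate claim."""
import math

Z_95 = 1.959964  # two-sided 95% quantile of the standard normal distribution


def wilson_interval(successes: int, trials: int, z: float = Z_95) -> tuple[float, float]:
    """Wilson score interval for the binomial proportion successes / trials."""
    if trials <= 0 or not 0 <= successes <= trials:
        raise ValueError("need 0 <= successes <= trials and trials > 0")
    p = successes / trials
    z2n = z * z / trials                       # z^2 / n
    centre = (p + z2n / 2) / (1 + z2n)
    half = z * math.sqrt(p * (1 - p) / trials + z2n / (4 * trials)) / (1 + z2n)
    return centre - half, centre + half


def report_tpr(detected: int, events: int, threshold: float = 0.95) -> dict:
    """Point estimate, 95% interval, half-width, and a conservative pass/fail.

    The pass/fail rule (lower bound >= threshold) is an assumption for this
    example; SUB-REQ-091 only asks for the interval to be reported.
    """
    low, high = wilson_interval(detected, events)
    return {
        "tpr": detected / events,
        "ci95": (low, high),
        "half_width": (high - low) / 2,
        "lower_bound_meets_threshold": low >= threshold,
    }


if __name__ == "__main__":
    # Constructed validation outcomes: 475 of 500 and 190 of 200 disruptions detected.
    for detected, events in ((475, 500), (190, 200)):
        r = report_tpr(detected, events)
        print(f"{detected}/{events}: TPR={r['tpr']:.3f} "
              f"CI95=[{r['ci95'][0]:.4f}, {r['ci95'][1]:.4f}] "
              f"half-width={r['half_width']:.4f}")
```

Running the script for other sample sizes shows how quickly the interval narrows with n; that is the reason the requirement fixes a minimum dataset size rather than accepting any sample that happens to clear 95%.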
SUB-REQ-092 The Interlock and Emergency Shutdown System SHALL define and enforce the reactor safe state as: plasma current ≤10 kA and decaying, all neutral beam injectors in beam-off state, all ICRH and ECRH systems at 0 W output, all superconducting coil energies transferred to dump resistors with coil currents ≤10% of operating value, and tritium fuelling systems in locked-closed state. The IESS SHALL verify all safe-state conditions and assert a safe-state confirmed signal within 5 seconds of SCRAM initiation.
Rationale: SYS-REQ-004 mandates ≤5 second SCRAM to safe state. The original SUB-REQ-092 text specified 10 seconds for safe-state verification, which directly contradicts the system-level requirement. Corrected to ≤5 seconds to align with SYS-REQ-004. Note: this encompasses the full IESS actuation sequence — trip detection, MGI initiation (SUB-REQ-004 at 500 ms), and safe-state confirmation all within the 5 s budget.
Test rt-missing-safe-state, red-team-session-459
SUB-REQ-093 The Plant Control and I&C System SHALL provide electromagnetic shielding and cable routing for all control signal cables operating in the proximity of ion cyclotron (50–170 GHz) and neutral beam injection heating systems, ensuring signal-to-noise ratio ≥40 dB on all diagnostic channels and no control actuation errors attributable to RF interference. Shielding shall meet IEC 61000-4-3 Class 3 for radiated immunity up to 200 V/m.
Rationale: Derived from SYS-REQ-010 which specifies immunity to RF fields from ICRH and NBI heating systems: the system-level immunity requirement must be decomposed to the Plant Control I&C subsystem as specific shielding and cable routing constraints so that the requirement is implementable and testable at the component level.
Test
SUB-REQ-094 The Plant Data Historian and I&C Network Infrastructure SHALL implement a dedicated qualified maintenance bus compliant with IEC 61784-3 (functional safety communications), providing bidirectional fault report messages to the Maintenance Management System with end-to-end latency ≤10 seconds. Each fault message SHALL include: fault identity code, subsystem source identifier, UTC timestamp, severity classification (Critical/Major/Minor), and first-occurrence flag.
Rationale: Derived from SYS-REQ-011 which requires fault reporting to the Maintenance Management System within 10 seconds: the system-level requirement must be decomposed to specify the physical bus standard, message structure, and latency budget at subsystem level so that the Plant Data Historian and network infrastructure can be designed and tested against measurable criteria.
Test
SUB-REQ-095 The Pellet Injection Controller SHALL be implemented as a dual-redundant system with automatic warm standby switchover. When the active Pellet Injection Controller fails (watchdog timeout ≥500 ms or self-test failure), the standby controller SHALL assume control within 2 seconds, retaining the pellet formation cryostat temperature state within ±1 K. While operating in single-channel mode following a failover, pellet injection SHALL maintain ≥50% of nominal injection frequency capability.
Rationale: Derived from UHT System-Essential trait of the Pellet Injection Controller (hex 55F53218): a System-Essential component whose failure stops plasma density regulation and triggers burn termination requires a redundant design. The 2-second switchover budget preserves cryostat thermal state; 50% injection rate in degraded mode maintains basic density control while the fault is diagnosed.
Test
SUB-REQ-096 The Tritium and Fuel Inventory Controller design and operation SHALL comply with: IAEA Safety Guide SSG-52 (Safety of Fusion Facilities), ITER PDDS-11 (Fuel Cycle Design Description), and IEC 62645 (Nuclear Power Plant I&C requirements for programmable digital systems). Tritium inventory accounting SHALL meet the material control requirements of IAEA Safeguards Agreement Article 34 with accountability uncertainty ≤0.5% per accounting period.
Rationale: Derived from UHT Institutionally Defined trait of the Fuel Inventory Controller (hex 01B432F8): tritium handling in a fusion facility is subject to specific IAEA safeguards and national nuclear regulatory requirements. Explicit standards references are required so that the design authority, regulators, and verifiers know the compliance basis and can audit conformance.
Inspection
SUB-REQ-097 The Disruption Prediction and Mitigation System SHALL monitor hard X-ray emission and synchrotron radiation signals from dedicated RE diagnostic channels. When hard X-ray count rate exceeds 10⁴ counts/s sustained for ≥5 ms following a detected thermal quench, the DPMS SHALL classify the event as confirmed RE beam onset and latch a RE_DETECTED signal within 10 ms of threshold crossing.
Rationale: Hard X-ray emission from bremsstrahlung of runaway electrons on residual neutrals is the primary real-time indicator of RE beam formation. A 10⁴ counts/s threshold at ≥5 ms duration provides discrimination from background noise while detecting RE seed currents above 1 kA — the minimum current that sustains amplification. Latency of 10 ms leaves 40 ms margin for secondary injection actuation within the 50 ms system budget.
Test subsystem, dpms, re-mitigation, safety-critical, session-411, idempotency:sub-dpms-re-detection-411
SUB-REQ-099 When RE_DETECTED is latched, the Mitigation Actuator Controller SHALL command the second-stage Massive Gas Injection valve to inject a neon-argon mixture at a minimum quantity of 30 bar-L within 40 ms of RE_DETECTED signal assertion. Injection SHALL continue until plasma current drops below 100 kA or 500 ms has elapsed, whichever occurs first.
Rationale: Secondary injection of high-Z neon-argon suppresses RE amplification by increasing charge-exchange losses and raising effective Z to slow avalanche gain. The 40 ms actuation deadline is derived from the 50 ms system budget (REQ-SEFUSIONREACTORCONTROLSYSTEM-112) minus 10 ms RE detection latency. The 30 bar-L minimum quantity is the ITER design basis for RE suppression efficiency. Termination criteria prevent unnecessary gas injection after RE beam extinction.
Test subsystem, dpms, re-mitigation, safety-critical, session-411
SUB-REQ-100 When the FRCS initiates a safe shutdown in response to an interlock trip, the system SHALL transition all subsystems to their defined safe state within 2 seconds, including de-energising all high-power actuators and setting plasma control surfaces to safe-state positions.
Rationale: SYS-REQ-004 references safe state but no system-level requirement specifies the transition sequence or timing. The 2-second bound derives from IEC 61513 Class 1 safety function response requirements. Without an explicit safe-state transition SYS requirement, subsystem implementers have no traceable upper-level constraint.
Test
SUB-REQ-102 The Quench Detection System SHALL be physically realised as a dedicated hardware assembly installed within 10 m of each superconducting magnet coil assembly, housed in a radiation-hardened, rack-mounted enclosure rated for neutron fluence of ≥1×10¹⁴ n/cm² over the 20-year operational lifetime, with no shared chassis, backplane, or power supply with non-safety-classified systems. The QDS enclosure SHALL be IEEE 344 seismically qualified and installed in a controlled-access radiation zone.
Rationale: Lint finding: 54F77218 (Quench Detection System) lacks Physical Object trait but is constrained by physical implementation requirements (IFC-REQ-017, SUB-REQ-037, SUB-REQ-066, SUB-REQ-080). The proximity constraint (10 m) is required to achieve the <1 ms quench detection latency without signal degradation over long cable runs; the radiation hardening requirement follows from the 14-MeV neutron field adjacent to the TF and PF coils.
Inspection
SUB-REQ-103 The Pellet Injection Controller SHALL be physically housed in a dedicated, radiation-tolerant, enclosed cabinet located within the tritium-handling perimeter of the nuclear island, rated to IEC 60529 IP54 minimum and qualified to IEC 60068-2-27 shock and vibration tests consistent with the plant seismic category. All tritium-wetted physical interfaces SHALL be double-contained per ITER confinement class C2, with no direct physical pathway between the tritium inventory and the external control room environment.
Rationale: Lint finding: 55F53218 (Pellet Injection Controller) lacks Physical Object trait but has physical constraints (REQ-SEFUSIONREACTORCONTROLSYSTEM-110, SUB-REQ-048). PIC cabinet location within the tritium perimeter is dictated by the C2 double-containment requirement and the cryogenic pellet feed path geometry; IP54 rating and seismic qualification are required for nuclear island operation; the containment separation requirement prevents tritium migration to unrestricted areas.
Inspection
SUB-REQ-104 The Safety Arbiter SHALL be physically implemented as a self-contained, type-approved hardware module (IEC 61513 Category A) installed in a dedicated safety-classified cabinet physically separate from the operational I&C network. The Safety Arbiter cabinet SHALL be located in a radiation-controlled, seismically-qualified equipment room with physical access restricted to Safety System maintenance personnel. All external Safety Arbiter interfaces SHALL be point-to-point hardwired with no shared data bus with non-Category A equipment.
Rationale: Lint finding: 002008B1 (Safety Arbiter) lacks Physical Object trait but has physical constraints (SUB-REQ-077). IEC 61513 Category A requires that safety-classified I&C equipment be physically segregated from operational systems; the dedicated cabinet with hardwired interfaces prevents common-cause failure paths between the Safety Arbiter voting logic and the control network.
Inspection
SUB-REQ-105 The FRCS SHALL provide closed-loop power control for ion cyclotron resonance heating and neutral beam injection systems, maintaining commanded plasma heating power within 5% of setpoint over the range 0-73 MW aggregate.
Rationale: STK-REQ-010 identifies heating system control as a stakeholder need but no SYS requirement addresses it. The 73 MW aggregate bound reflects ITER heating system design capacity. The 5% regulation tolerance is derived from the plasma physics constraint that heating power variation beyond this threshold causes sawtooth instabilities incompatible with Q=10 operation.
Test
SUB-REQ-106 The Fusion Reactor Control System SHALL detect runaway electron beam formation following a disruption thermal quench and command secondary high-Z material injection within 50 ms of RE onset, achieving at least 80% reduction in RE beam energy deposition on plasma-facing components.
Rationale: RE beams in a 15 MA plasma carry up to 10 MJ, causing first-wall ablation damage if unmitigated. The 50 ms window is derived from RE seed amplification timescales (20-30 ms post thermal quench). Secondary neon-argon injection is the ITER-class mitigation approach reducing amplification by increasing charge-exchange losses.
Test
SUB-REQ-107 The Ion Cyclotron and Neutral Beam Heating Control subsystem SHALL maintain closed-loop power control for all installed heating systems with a power set-point tracking accuracy of ±2% of demanded power at all heating power levels from 1 MW to rated capacity, and SHALL sustain full EMC immunity to dB/dt transients up to 10 T/s without control loop instability.
Rationale: Derives from SYS-REQ-010 (EMC immunity) and the heating system scope. Heating power accuracy is required to maintain plasma beta within the stable operating window; ±2% is the threshold above which beta excursions risk triggering avoidable disruptions. EMC immunity is essential because the pulsed toroidal field coils generate dB/dt transients in the same frequency range as heating control feedback signals.
Test
SUB-REQ-108 The Emergency Shutdown System SHALL define and maintain the reactor safe state as: plasma current = 0 A, all high-voltage systems de-energised, cryogenic system in passive hold mode, and all active plasma heating systems at zero power; the safe state SHALL be self-sustaining without ongoing active control intervention, verified by the Safety Logic Processor through continuous monitoring of each safe-state indicator.
Rationale: Derives from SYS-REQ-004 which requires transition to safe state in ≤5 seconds but does not specify what safe state is. This requirement closes the definitional gap: without a precisely specified safe state, the SCRAM acceptance criteria cannot be tested and the VER requirements for SYS-REQ-004 cannot be written. The four conditions (zero current, de-energised HV, passive cryo hold, zero heating power) are the minimum necessary conditions for personnel safety as defined by IEC 61513 Clause 7.5.
Inspection rt-missing-safe-state, red-team-session-459
SUB-REQ-109 The I&C Diagnostic subsystem SHALL transmit all detected channel fault events to the Maintenance Management System via a qualified maintenance data bus within 10 seconds of fault detection, using a redundant communication path that meets IEC 61784-3 SIL-2 communication profile, with a minimum message delivery probability of 99.9% and loss-of-communication alarm if the primary bus is silent for >30 seconds.
Rationale: Derives directly from STK-REQ-006 and SYS-REQ-011, which require fault reporting within 10 seconds but do not specify the communication mechanism or reliability. The 30-second watchdog for bus silence ensures the I&C crew is alerted to diagnostic link failure before it affects maintenance response time. IEC 61784-3 SIL-2 profile is the minimum for a safety-support communication link per IEC 61513.
Test
SUB-REQ-110 The Fuel Inventory Controller SHALL comply with IAEA Nuclear Security Series No. 25-G (Physical Protection of Nuclear Material), EURATOM safeguards regulations (Council Regulation 302/2005), and relevant tritium accountancy standards (ISO 17873), with tritium inventory data retained in tamper-evident logs for a minimum of 30 years and reportable to regulatory authorities within 24 hours on demand.
Rationale: The Fuel Inventory Controller handles tritium — a radioactive material subject to nuclear non-proliferation and safeguards obligations (EURATOM, IAEA). The Institutionally Defined classification (UHT bit 26) correctly identifies that this component operates within an externally defined regulatory and institutional framework. Without explicit standard references, the design cannot demonstrate compliance during licensing and the system safety case will have an unresolved regulatory gap. The 30-year retention period follows IAEA guidance on nuclear material accountability records.
Inspection
SUB-REQ-111 Each I&C subsystem within the Fusion Reactor Control System SHALL be registered in the plant Formal Equipment List (FL) referenced in the licensing basis, with entries specifying: subsystem designation, rack location identifier, IEC 61346 equipment tag, functional classification (safety/non-safety), SIL allocation, and qualified connector specification. The FL shall be configuration-controlled and revised before any physical change affecting the FRCS boundary.
Rationale: SYS-REQ-013 commits the FRCS to a licensing-basis physical boundary defined by a Formal Equipment List. Without this decomposition requirement, individual subsystems have no obligation to register their hardware in the FL, creating a gap between the system-level licensing commitment and subsystem-level implementation. IEC 61513 clause 8.2.2 requires documentation of the physical scope boundary for nuclear I&C systems important to safety.
Inspection
SUB-REQ-112 The Interlock and Emergency Shutdown System SHALL define the reactor safe state as the simultaneous achievement of: plasma current less than 1 kA, all superconducting coil currents transferred to dump resistors, all ICRH and ECRH and NBI heating systems hardwired-inhibited, and deuterium-tritium gas injection valves confirmed closed. The IESS SHALL verify all conditions within 5 seconds of SCRAM initiation and issue a SAFE-STATE-CONFIRMED signal on the qualified safety bus.
Rationale: SYS-REQ-004 mandates ≤5 second SCRAM to safe state. The original SUB-REQ-112 text specified 8 seconds, which contradicts the system-level requirement. Corrected to ≤5 seconds. The 1 kA plasma current threshold (lower than SUB-REQ-092's 10 kA) is the correct post-quench residual level achievable within the 5 s window given the 500 ms MGI initiation in SUB-REQ-004 and typical plasma current decay time constant of 1-2 s.
Test rt-missing-safe-state, red-team-session-459
SUB-REQ-113 The Heating and Current Drive Control system SHALL provide hardwired electromagnetic compatibility protection for the ion cyclotron and neutral beam heating systems to prevent interference with the Plasma Control System and Interlock and Emergency Shutdown System signal paths, including shielded cable routing, filter insertion loss of at least 40 dB at frequencies from 50 MHz to 170 GHz, and bonding to the plant EMC reference plane.
Rationale: SYS-REQ-010 requires the FRCS to maintain control performance in RF fields up to 200 V/m from ICRH and NBI systems but assigns no responsibility to the HCDC subsystem for managing its own emissions. Without EMC controls at the source (HCDC), the PCS and IESS must absorb the full RF environment, increasing their hardening cost and complexity. IEC 61000-4-3 compliance at 200 V/m is achievable only if the emitting subsystem also applies source controls. This requirement closes the STK-REQ-010 coverage gap noted in lint finding 11.
Test idempotency:qc-417-sub-hcdc-emc
SUB-REQ-114 The Interlock and Emergency Shutdown System SHALL define and maintain the safe state of the Fusion Reactor Control System as: plasma current ≤10 kA (confirmed via Rogowski coil), all poloidal field coil currents ≤1% of operating values (confirmed via coil current monitors), all heating system RF power ≤100 W (confirmed via directional couplers), all pellet injection valves closed (confirmed via valve position feedback), and torus pressure ≥10⁻⁴ mbar with no active fuelling (confirmed via baratron gauges). The safe state SHALL be latched until an authorised plasma restart sequence is initiated by a qualified operator.
Rationale: SYS-REQ-004 specifies a ≤5 s transition to safe state but does not define what safe state is. Without a quantified safe state definition at subsystem level, the IESS cannot be verified against the system requirement — the test engineer has no measurable acceptance criteria. This requirement provides the enumerated safe state exit conditions for verification and safety case completeness. Values are derived from the plasma termination criteria in the ITER operational procedures (ITER-IT-SAFE-001) scaled to a DEMO-class device.
Test idempotency:qc-422-sub-iess-safe-state
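The safe-state confirmation described in SUB-REQ-114, with the 5 s confirmation budget from SUB-REQ-092 and SUB-REQ-112 and the latch that only a qualified operator's restart sequence may clear, is shown below as an added example; it is not code from the SyDD or the IESS. The measurement field names, the sample readings, and the use of a plain boolean for operator qualification are assumptions made for the example.

```python
"""Added example (not from the SyDD): post-SCRAM safe-state verification with latching."""
from dataclasses import dataclass
from typing import Optional

SAFE_STATE_DEADLINE_S = 5.0  # SUB-REQ-092 / SUB-REQ-112: confirm within 5 s of SCRAM


@dataclass(frozen=True)
class PlantSnapshot:
    """One scan of the safe-state indicators (constructed field names)."""
    t_s: float                   # seconds since SCRAM initiation
    plasma_current_ka: float     # Rogowski coil
    pf_coil_fraction: float      # highest PF coil current as a fraction of operating value
    rf_power_w: float            # highest heating RF forward power from directional couplers
    pellet_valves_closed: bool   # valve position feedback, all pellet injection valves
    torus_pressure_mbar: float   # baratron gauge
    fuelling_active: bool        # any fuelling system active


def safe_state_violations(s: PlantSnapshot) -> list[str]:
    """Return the SUB-REQ-114 conditions this snapshot does not meet (empty list = safe).

    Comparisons are written as `not x <= limit` so that a NaN reading (a failed
    sensor) is reported as a violation rather than silently passing.
    """
    v = []
    if not s.plasma_current_ka <= 10.0:
        v.append("plasma current > 10 kA")
    if not s.pf_coil_fraction <= 0.01:
        v.append("PF coil current > 1% of operating value")
    if not s.rf_power_w <= 100.0:
        v.append("heating RF power > 100 W")
    if not s.pellet_valves_closed:
        v.append("pellet injection valve not confirmed closed")
    if not s.torus_pressure_mbar >= 1e-4:
        v.append("torus pressure < 1e-4 mbar")
    if s.fuelling_active:
        v.append("fuelling active")
    return v


class SafeStateMonitor:
    """Tracks the post-SCRAM sequence and latches SAFE_STATE_CONFIRMED."""

    def __init__(self) -> None:
        self.confirmed_at_s: Optional[float] = None
        self.latched = False
        self.deadline_missed = False

    def update(self, s: PlantSnapshot) -> str:
        """Feed one snapshot; returns the signal state as a string."""
        if self.latched:
            return "SAFE_STATE_CONFIRMED"      # latched: later readings do not clear it
        if not safe_state_violations(s):
            self.confirmed_at_s = s.t_s
            self.latched = True
            return "SAFE_STATE_CONFIRMED"
        if s.t_s > SAFE_STATE_DEADLINE_S:
            self.deadline_missed = True       # budget exceeded: escalate, do not confirm
            return "SAFE_STATE_NOT_REACHED_BY_DEADLINE"
        return "SAFE_STATE_PENDING"

    def authorise_restart(self, operator_qualified: bool) -> bool:
        """Only an authorised restart by a qualified operator clears the latch."""
        if not operator_qualified or not self.latched:
            return False
        self.latched = False
        self.confirmed_at_s = None
        return True
```

A snapshot-based check like this gives the test engineer the measurable acceptance criteria the rationale asks for: each violation string names the indicator and the limit it failed, and the recorded confirmation time can be compared directly against the 5 s budget.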
SUB-REQ-115 The Plant Control and I&C System SHALL implement a qualified maintenance bus compliant with IEC 61784-3 connecting all safety-classified I&C channels to the Maintenance Management System, providing fault identity, timestamp, and severity classification in each report within 10 seconds of fault detection.
Rationale: SYS-REQ-011 requires fault reporting to the Maintenance Management System via a qualified maintenance bus within 10 seconds; lint identified 'qualified maintenance bus within 10 seconds' in SYS-REQ-011 without a corresponding SUB-level implementation requirement. IEC 61784-3 compliance is mandatory for safety-classified fieldbus in nuclear I&C.
Test idempotency:qc-421-sub-maintenance-bus
SUB-REQ-116 The Interlock and Emergency Shutdown System SHALL be designed, verified, and validated in accordance with IEC 61513 Category A requirements and IEC 61511 SIL-3 requirements, with all design justifications, safety analyses, and proof-test intervals documented in the IESS safety case prior to first plasma commissioning.
Rationale: SYS-REQ-014 mandates compliance with IEC 61513, IEC 61511, and IAEA SSG-39. Lint Coverage Gap finding identified that no subsystem-level requirement decomposed the standards compliance obligation. The IESS is the highest-criticality subsystem and must explicitly carry the Category A / SIL-3 compliance obligation to be traceable through the safety case.
Analysis rt-sil-gap, red-team-session-459
SUB-REQ-117 The Gas Puffing Valve Controller SHALL implement dual-channel solenoid drive circuitry with independent power supplies for each channel, such that loss of either channel does not result in uncontrolled gas injection into the torus; the surviving channel SHALL maintain full injection capability within 100 ms of channel-loss detection.
Rationale: Lint finding: GPVC classified as System-Essential (trait bit 16) with no redundancy or failover requirement. The gas puffing system provides emergency density control and disruption mitigation via gas jetting — an uncontrolled valve open in a SCRAM scenario could delay plasma termination. Dual-channel drive circuitry is the minimum mitigation for this failure mode consistent with the SIL-3 system context.
Test idempotency:qc-421-sub-gpvc-redundancy
SUB-REQ-118 The Plant Operations Sequencer SHALL execute a pre-shot conditioning sequence comprising at minimum: (1) bakeout confirmation (vessel wall temperature ≥150°C for ≥4 h), (2) glow discharge cleaning status confirmed complete, (3) all magnet power supplies energised and stable within ±0.1% of requested current for ≥5 min, (4) vacuum vessel pressure ≤10⁻⁵ mbar confirmed via baratron and residual gas analyser, and (5) all safety interlock channels reporting armed status. The POS SHALL refuse to issue a plasma initiation permit unless all five preconditions are simultaneously satisfied.
Rationale: STK-REQ-002 requires the system to execute controlled plasma operation sequences. The POS state machine (SUB-REQ-050) defines eight operational states but no requirement specifies what preconditions must be verified before transitioning from CONDITIONING to INITIATION state. Without a quantified conditioning checklist, the POS could issue a plasma initiation permit with the vessel insufficiently cleaned or at atmospheric pressure, creating a first-wall damage risk.
Inspection idempotency:val-423-sub-pos-preshot
SUB-REQ-119 The Plant Operations Sequencer SHALL implement a controlled plasma shutdown sequence that ramps plasma current from operating value to ≤10 kA within 30 s, reduces all heating power to ≤1% of operating value before plasma current drops below 100 kA, confirms torus pressure remains below 10⁻⁴ mbar throughout ramp-down, and transitions all magnet power supplies to standby current within 10 min of plasma termination. The POS SHALL log the ramp-down profile at 10 Hz to the Plant Data Historian throughout the shutdown sequence.
Rationale: STK-REQ-002 mandates controlled plasma termination sequences including controlled ramp-down from full-power burn. SUB-REQ-050 defines the SHUTDOWN operational state but does not specify the sequence steps, timing, or acceptance criteria. Without a quantified shutdown protocol, the POS could terminate plasma in a manner that damages superconducting coils through over-voltage during fast current ramp or leaves heating systems energised into a cold plasma, both constituting first-wall damage scenarios.
Test idempotency:val-423-sub-pos-shutdown
SUB-REQ-120 While in MAINTENANCE state, the Plant Operations Sequencer SHALL enforce the following access restrictions: (1) plasma initiation commands from the Operator Console are rejected with an on-screen inhibit message within 500 ms, (2) the machine state variable is set to MAINTENANCE_LOCKED and shall not transition to any PLASMA state without a two-person authorisation sequence (operator + shift supervisor), and (3) the maintenance lockout status is broadcast to all subsystem controllers on the PCS Real-Time Data Bus at 1 Hz.
Rationale: STK-REQ-005 requires online channel replacement without interrupting plasma operations, and STK-REQ-003 requires tamper-evident audit of all safety state transitions. The POS state machine (SUB-REQ-050) identifies MAINTENANCE as a valid state, but no requirement specifies what operational constraints apply in that state. Without explicit plasma initiation inhibit logic, a maintenance technician working on live I&C channels could face an unexpected plasma initiation event, constituting a personnel safety hazard.
Test idempotency:val-423-sub-pos-maintenance
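As an added illustration of the three SUB-REQ-120 constraints (this is example code, not part of the SyDD or of any project it references), the following model enforces the MAINTENANCE_LOCKED state: console initiation requests are refused with an inhibit message, the state can only leave MAINTENANCE_LOCKED on a two-person authorisation from distinct persons holding the operator and shift-supervisor roles, and the lockout payload for the 1 Hz bus broadcast is produced from the same state variable. The class and role names, the first PLASMA state name and the 120 s authorisation window are assumptions; the 500 ms and 1 Hz timing properties are not modelled.

```python
"""Added example (not part of the SyDD): a model of the SUB-REQ-120 maintenance
lockout. MaintenanceLockout, Authorisation, the role strings, PLASMA_READY and
the 120 s authorisation window are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum
import time


class MachineState(Enum):
    MAINTENANCE_LOCKED = "MAINTENANCE_LOCKED"
    PLASMA_READY = "PLASMA_READY"  # assumed name for the first PLASMA state


@dataclass(frozen=True)
class Authorisation:
    user_id: str
    role: str          # "operator" or "shift_supervisor" (assumed role names)
    issued_at: float   # epoch seconds


class MaintenanceLockout:
    # Two-person rule: one operator plus one shift supervisor, different people,
    # both authorisations issued within a short window (assumed 120 s).
    AUTH_WINDOW_S = 120.0

    def __init__(self, now=time.time):
        self.state = MachineState.MAINTENANCE_LOCKED
        self.now = now
        self.inhibit_log = []   # on-screen inhibit messages, requirement (1)

    def plasma_initiation(self, console_user: str) -> bool:
        # Requirement (1): initiation from the Operator Console is rejected while
        # MAINTENANCE_LOCKED; the inhibit message is what the console displays.
        if self.state is MachineState.MAINTENANCE_LOCKED:
            self.inhibit_log.append(
                f"INHIBIT: plasma initiation by {console_user} rejected - MAINTENANCE_LOCKED")
            return False
        return True

    def release(self, first: Authorisation, second: Authorisation) -> bool:
        # Requirement (2): no transition to a PLASMA state without operator +
        # shift supervisor authorisation from two distinct persons.
        roles = {first.role, second.role}
        if roles != {"operator", "shift_supervisor"}:
            return False
        if first.user_id == second.user_id:
            return False        # one person holding both roles is not two-person
        t = self.now()
        for a in (first, second):
            if not (0 <= t - a.issued_at <= self.AUTH_WINDOW_S):
                return False    # stale or future-dated authorisation
        self.state = MachineState.PLASMA_READY
        return True

    def lockout_broadcast(self) -> dict:
        # Requirement (3): payload of the 1 Hz broadcast on the PCS Real-Time Data Bus.
        return {"machine_state": self.state.value,
                "maintenance_locked": self.state is MachineState.MAINTENANCE_LOCKED}
```

The same-person check is the part most often missed in practice: a supervisor who also holds an operator credential must not be able to satisfy both halves of the rule alone.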
SUB-REQ-121 The Operator Console System SHALL display consolidated plasma state information — including plasma current (kA), radial position (cm), plasma stored energy (MJ), D-T fuel injection rate (molecules/s), neutron yield (n/s), disruption risk index (0–1), and all active interlock status flags — on the unified operator display with a screen refresh latency not exceeding 200 ms from the most recent measurement cycle, averaged over any 10-second window.
Rationale: STK-REQ-001 requires the system to present consolidated plasma state information on a unified operator interface with ≤200 ms refresh latency. The Operator Console System is the PCIS component responsible for this function per ARC-REQ-008, but no SUB-level requirement captures the display completeness, parameter set, or latency at the OCS level. Without this requirement, the plant data feed to the operator workstation is unspecified, leaving the primary operator awareness function unverified.
Test idempotency:val-424-sub-ocs-display
SUB-REQ-122 When one channel of the dual-channel Gas Puffing Valve Controller solenoid drive fails, the Gas Puffing Valve Controller SHALL continue gas injection operation on the remaining channel with no interruption to the plasma density control loop and SHALL generate a channel-fail alarm to the Plant Operations Sequencer within 100 ms of fault detection.
Rationale: The GPVC is classified System-Essential (hex 55F57A18) with dual-channel architecture per SUB-REQ-117; graceful single-channel degradation is required to prevent an unnecessary plasma disruption during a hardware fault. The 100 ms alarm latency is consistent with POS scan cycle requirements.
Test rt-under-specified, red-team-session-433
SUB-REQ-123 The Gas Puffing Valve Controller SHALL use only materials and electronic components that are qualified for operation in a tritium-bearing gas environment with hydrogen isotope partial pressures up to 1 bar, maintaining leak-tightness to less than 10⁻⁹ Pa·m³/s helium-equivalent and electrical performance within specification after a cumulative fast-neutron fluence of 10¹⁴ n/cm² (>1 MeV).
Rationale: The GPVC is a Synthetic component handling tritium-bearing fuelling gases; material qualification is mandatory to prevent tritium permeation through valve seals and electronic degradation under neutron irradiation consistent with the blanket port-limiter radiation field. Failure to specify this requirement risks tritium release exceeding regulatory limits.
Test rt-under-specified, red-team-session-433
SUB-REQ-124 The Gas Puffing Valve Controller SHALL be designed, manufactured, and qualified in accordance with IEC 61513 Category B (nuclear instrumentation and control) and ITER-specific procurement requirements PR-T-1 for tritium-compatible components, with qualification records retained for the operational lifetime of the reactor.
Rationale: The GPVC is classified Regulated under UHT ontology and operates within the tritium inventory boundary of a nuclear facility. IEC 61513 Category B classification is required for I&C components whose failure could initiate a nuclear safety function challenge. Procurement records traceability is required by ITER licensing basis documents.
Inspection rt-under-specified, red-team-session-433
SUB-REQ-125 The Plant Operations Sequencer SHALL be implemented and validated in accordance with IEC 62138 (nuclear power plants — software important to safety — category B) and the ITER I&C System Design Description, with software lifecycle documentation including design specification, integration test records, and V&V report maintained under configuration management throughout the operational lifetime.
Rationale: The POS is classified Regulated and executes pre-shot conditioning and machine state sequencing that gates access to plasma operations; a sequencing error could initiate a plasma pulse under unsafe conditions, making software lifecycle compliance under IEC 62138 mandatory for regulatory approval of ITER or equivalent tokamak licensing.
Inspection subsystem, plant-operations-sequencer, session-427, idempotency:sub-pos-compliance-427
SUB-REQ-127 When a safe shutdown earthquake is detected at plant level, the Fusion Reactor Control System SHALL maintain all SIL-3 safety shutdown functions and transition the plasma to safe state within 10 seconds, using equipment qualified to IEEE 344 seismic category I.
Rationale: STK-REQ-009 mandates safety function survivability under seismic conditions. IEEE 344 Category I is the nuclear safety-related I&C qualification standard. The 10 s window covers the SYS-REQ-004 5 s SCRAM budget plus 5 s post-seismic assessment margin. Loss of SCRAM capability after a seismic event is a design basis accident requiring explicit system-level coverage.
Test system, seismic, sil-3, session-398, replaces-sys-req-006
SUB-REQ-128 The Fusion Reactor Control System SHALL implement cybersecurity controls compliant with IEC 62443-3-3 Security Level 2, including network segmentation with unidirectional data diodes between safety (SL-3) and control (SL-2) networks, role-based access control, cryptographic authentication for all remote maintenance interfaces, and security event logging with tamper-evident audit trail retained for 90 days.
Rationale: Nuclear I&C systems classified as IEC 61508 SIL-3 are high-consequence targets. IEC 62443 SL-2 is the minimum credible threat model for a national research reactor. Unidirectional diodes prevent protocol-level attacks propagating from the operational network to the SIL-3 safety domain. Role-based access and cryptographic authentication directly address insider threat and remote maintenance attack vectors identified in nuclear cybersecurity threat assessments (IAEA NST047).
Inspection system, cybersecurity, iec-62443, session-398
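One way to realise the tamper-evident audit trail called for in SUB-REQ-128 is a keyed hash chain: each security event record carries a MAC computed over its own fields and the MAC of the preceding record, so that editing, deleting or reordering any past record breaks the chain at a verifiable point. The following is an added example, not code from the SyDD or from any referenced project; the record layout, the in-memory key and the retention helper are assumptions for illustration.

```python
"""Added example (not part of the SyDD): a hash-chained security event log that
makes modification or deletion of past records detectable, as one way to meet
the tamper-evident audit trail in SUB-REQ-128. Record layout, key handling and
the retention helper are assumptions for illustration."""
import hashlib
import hmac
import json

RETENTION_S = 90 * 24 * 3600  # 90-day retention from the requirement
GENESIS = "0" * 64            # chain anchor for the first record


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always authenticates the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, key: bytes):
        # On a real system the key would live in a hardware-backed store (assumption).
        self._key = key
        self.records = []

    def append(self, ts: float, actor: str, event: str, detail: str) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = {"seq": len(self.records), "ts": ts, "actor": actor,
                "event": event, "detail": detail, "prev": prev}
        # Chain link: keyed MAC over the body, which includes the previous MAC.
        body["mac"] = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.records.append(body)
        return body

    def verify(self) -> tuple:
        """Return (ok, first_bad_seq). Detects edits, deletions and reordering."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev:
                return False, i                      # gap or reorder
            body = {k: v for k, v in rec.items() if k != "mac"}
            expect = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, rec["mac"]):
                return False, i                      # content altered
            prev = rec["mac"]
        return True, -1

    def expired(self, now: float) -> list:
        # Records older than 90 days are listed for archival rather than dropped
        # in place: removing the head of the chain would make verify() fail.
        return [r["seq"] for r in self.records if now - r["ts"] > RETENTION_S]
```

When records are archived at the end of the 90-day window, the chain has to be re-anchored (the MAC of the last archived record becomes the new genesis value), otherwise the first retained record no longer links to a known predecessor.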
SUB-REQ-129 The Fusion Reactor Control System SHALL operate without degradation of control performance in an electromagnetic environment including pulsed magnetic field transients up to 10 T/s dB/dt from superconducting coil charging, and RF fields up to 200 V/m at 50-170 GHz from ECRH and ICRH heating systems, compliant with IEC 61000-4-3 immunity level IV and IEC 61000-4-8 level 5.
Rationale: STK-REQ-010 identifies the specific EM environment the system must tolerate. The 10 T/s dB/dt from coil operations and 200 V/m RF from gigawatt-class heating systems are measured operating parameters of a tokamak facility, not generic industrial assumptions. IEC 61000-4-3 level IV (30 V/m) and IEC 61000-4-8 level 5 (100 A/m) are the applicable test standards; the natural EM environment exceeds standard industrial levels, so an explicit EMC test requirement is needed to drive design shielding margins.
Test system, emc, electromagnetic, session-398
SUB-REQ-130 The Fusion Reactor Control System SHALL ensure all SIL-3 classified safety-critical components are qualified to IEEE 344 seismic requirements at the plant site-specific Safe Shutdown Earthquake response spectrum, maintaining full function during and after the SSE.
Rationale: Nuclear regulatory authority requirements mandate seismic qualification of safety-critical I&C equipment. IEEE 344 is the accepted standard for nuclear facility equipment seismic qualification. Failure to qualify could result in loss of shutdown capability during a seismic event.
Test
SUB-REQ-131 The Fusion Reactor Control System SHALL operate without degradation of control performance (no increase in position error beyond ±2 cm, no missed disruption precursor detections) in the plant electromagnetic environment: pulsed magnetic fields up to 10 T/s dB/dt from the pulsed power system and RF fields up to 200 V/m at 50–170 GHz from the ion cyclotron and neutral beam heating systems, compliant with IEC 61000-4-3 (radiated immunity) and IEC 61000-4-8 (power-frequency magnetic field immunity).
Rationale: STK-REQ-010 mandates EMC performance in the specific electromagnetic environment of the fusion reactor: dB/dt transients from pulsed power and microwave/RF from ion cyclotron and neutral beam heating. Without explicit EMC qualification to these threat levels, control system performance cannot be guaranteed during heating pulses, which co-occur with plasma operation and represent the highest-risk operational window.
Test
SUB-REQ-132 The Fusion Reactor Control System SHALL provide self-diagnostic coverage of at least 90% of I&C channel faults detectable by the system, with detected faults reported to the Maintenance Management System via a qualified maintenance bus within 10 seconds of detection, and fault identity, timestamp, and severity classification included in each report.
Rationale: STK-REQ-006 requires 90% self-diagnostic coverage and 10 s fault reporting to the maintenance management system. This directly flows down from the 4-hour MTTR requirement: fault detection within 10 s is a prerequisite for timely maintenance dispatch in a high-radiation environment where access procedures add 2–3× overhead. 90% coverage is derived from IEC 61508 diagnostic coverage targets for SIL-2 monitoring functions.
Test
SUB-REQ-133 The Fusion Reactor Control System SHALL provide coordinated control of all plasma heating and current drive systems — including ion cyclotron resonance heating (ICRH), neutral beam injection (NBI), and electron cyclotron resonance heating (ECRH) — delivering total additional heating power within ±5% of the commanded setpoint over the range 0–73 MW, while maintaining safe operating envelopes for each system as defined by the HCDC protection interlock.
Rationale: STK-REQ-010 identified that plasma heating systems — ICRH, NBI, and ECRH — must be coordinated by the FRCS. No SYS requirement addressed multi-system coordination or the 73 MW aggregate power envelope. The ±5% accuracy is consistent with SYS-REQ-003 stored energy control margin and prevents thermal overload of the first wall and divertor targets.
Test
SUB-REQ-134 The Fusion Reactor Control System SHALL be physically implemented as a distributed set of rack-mounted equipment assemblies housed in IEEE 344 seismically-qualified, IEC 62262 IK10-rated, IP54 enclosures, installed in radiation-controlled areas. The physical boundary of the FRCS shall be defined by a formal equipment list (FL) referenced in the licensing basis, with all external physical interfaces protected by qualified connectors compliant with IEC 60068 environmental standards.
Rationale: Lint finding: 51F77B19 (FRCS) lacks Physical Object trait but has physical embodiment requirements (STK-REQ-010, SUB-REQ-087, SYS-REQ-008, SYS-REQ-010). This establishes the formal physical boundary, housing standard, and equipment list anchor needed to qualify control system hardware to seismic and EMC standards. Without a defined physical boundary, qualification testing cannot be scoped.
Inspection
SUB-REQ-135 The Fusion Reactor Control System SHALL be designed, verified, and validated in accordance with IEC 61513 (Nuclear Power Plants - I&C systems important to safety), IEC 61511 (Functional Safety - Safety Instrumented Systems), and applicable IAEA Safety Standards (SSG-39), with all SIL classifications, safety analyses, and design justifications documented in the system safety case prior to commissioning.
Rationale: The FRCS controls a nuclear fusion device with potential hazards to operating personnel and public safety. The Ethically Significant classification (UHT bit 32) requires explicit normative requirements capturing the regulatory and ethical obligations attached to operating such a system. IEC 61513 and IAEA SSG-39 are the internationally agreed standards for nuclear I&C; absence of explicit regulatory compliance requirements would constitute a safety case gap that regulators would require to be resolved before licensing. This requirement anchors all SIL assignments made elsewhere in the project.
Inspection
SUB-REQ-136 The Fusion Reactor Control System SHALL continuously monitor airborne tritium concentration at all controlled area boundaries, providing an automated evacuation alarm when concentration reaches 1 μSv/h dose equivalent and initiating tritium containment isolation when concentration reaches 10 μSv/h, with alarm latency not exceeding 30 seconds from threshold crossing.
Rationale: STK-REQ-004 requires tritium boundary integrity with automated evacuation alarm at 1 μSv/h and safe state at 10 μSv/h. SYS-REQ-004 covers plasma SCRAM but does not address the distinct function of continuous radiological boundary monitoring, which requires dedicated sensors, alarm logic, and containment isolation actuation independent of plasma state. Tritium is classified as a radioactive material requiring EURATOM and IAEA safeguards; this requirement flows down to the Fuel Injection and Burn Control subsystem (SUB-REQ-046).
Test idempotency:sys-tritium-monitoring-416
SUB-REQ-137 The FRCS I&C diagnostic module SHALL report all detected I&C channel faults to the external Maintenance Management System interface within 10 seconds of fault detection, with a fault record including channel ID, fault type, severity, and timestamp.
Rationale: STK-REQ-006 requires 90% self-diagnostic coverage with fault reporting to the maintenance management system within 10 seconds. This decomposes the interface obligation at SUB level: the diagnostic module must push fault records to the MMS within 10 seconds, enabling maintenance staff to schedule corrective action before the next plasma pulse.
Test idempotency:sub-mms-fault-report-qc-432
SUB-REQ-138 While heating systems are operating, the FRCS I&C channel assemblies SHALL maintain signal integrity such that measured sensor errors attributable to RF interference from heating system sources (50–170 GHz, up to 200 V/m) do not exceed 0.5% of full-scale reading, compliant with IEC 61000-4-3 and IEC 61000-4-8.
Rationale: STK-REQ-010 requires undegraded control performance in the heating system EMC environment (200 V/m at 50–170 GHz, 10 T/s dB/dt). This SUB requirement decomposes the EMC obligation to the I&C channel assemblies, which must tolerate RF from ECRH/ICRH heating systems without introducing false sensor readings that could trigger erroneous plasma control corrections or spurious safety trips.
Test idempotency:sub-heating-emc-qc-432
SUB-REQ-139 The Interlock and Emergency Shutdown Subsystem SHALL define and enforce the reactor safe state as: all superconducting magnet current ramps at zero, all heating system power at zero, plasma current below 10 kA, and all fuel injection valves closed, before declaring safe state achieved.
Rationale: SYS-REQ-004 requires transition to 'safe state' in 5 seconds but does not define safe state at subsystem level. This SUB requirement provides the operational definition: specific measurable conditions that must be achieved. The definition is derived from ITER safety analysis documentation and IEC 61513 nuclear I&C standards for end-state verification.
Inspection rt-missing-safe-state, red-team-session-459
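The shutdown sequence of SUB-REQ-119 and the safe-state definition of SUB-REQ-139 are both stated as measurable conditions on logged quantities, so they can be checked mechanically against the 10 Hz ramp-down profile the POS logs to the Plant Data Historian. The following checker is an added example, not code from the SyDD or any referenced project: it reports every SUB-REQ-119 constraint violated by a log and evaluates the SUB-REQ-139 predicate on the final sample. The sample field names, the 15 MA / 50 MW operating values and the generator that builds the constructed log are assumptions for illustration.

```python
"""Added example (not part of the SyDD): a checker for a 10 Hz ramp-down log
against the SUB-REQ-119 sequence constraints and the SUB-REQ-139 safe-state
predicate. Sample fields, the operating values and the constructed-log
generator are assumptions for illustration."""
from dataclasses import dataclass

IP_TERMINATED_KA = 10.0      # plasma current threshold (SUB-REQ-119 / SUB-REQ-139)
IP_HEATING_OFF_KA = 100.0    # heating must be <=1% of operating before Ip drops below this
RAMP_BUDGET_S = 30.0         # operating value to <=10 kA within 30 s
STANDBY_BUDGET_S = 600.0     # magnet supplies to standby within 10 min
P_LIMIT_MBAR = 1e-4          # torus pressure ceiling throughout ramp-down


@dataclass
class Sample:
    t: float                 # s since ramp-down start (10 Hz samples)
    ip_ka: float             # plasma current
    heating_mw: float        # total heating power
    p_torus_mbar: float
    magnet_didt_a_s: float   # max |dI/dt| over all superconducting coils
    fuel_valves_closed: bool
    magnets_standby: bool


def safe_state(s: Sample) -> bool:
    # SUB-REQ-139 operational definition of the reactor safe state.
    return (s.magnet_didt_a_s == 0.0 and s.heating_mw == 0.0
            and s.ip_ka < IP_TERMINATED_KA and s.fuel_valves_closed)


def check_shutdown(log, ip_op_ka: float, heat_op_mw: float) -> list:
    """Return the list of violated constraints (empty list = compliant)."""
    v = []
    heat_limit = 0.01 * heat_op_mw
    t_term = None
    for s in log:
        if s.p_torus_mbar >= P_LIMIT_MBAR:
            v.append(f"torus pressure {s.p_torus_mbar:g} mbar at t={s.t}")
        if s.ip_ka < IP_HEATING_OFF_KA and s.heating_mw > heat_limit:
            v.append(f"heating {s.heating_mw} MW with Ip {s.ip_ka} kA at t={s.t}")
        if t_term is None and s.ip_ka <= IP_TERMINATED_KA:
            t_term = s.t
    if t_term is None or t_term > RAMP_BUDGET_S:
        v.append("plasma current not <=10 kA within 30 s")
    else:
        standby = [s.t for s in log if s.magnets_standby and s.t >= t_term]
        if not standby or standby[0] - t_term > STANDBY_BUDGET_S:
            v.append("magnet supplies not at standby within 10 min of termination")
    if log and not safe_state(log[-1]):
        v.append("safe state not achieved at end of log")
    return sorted(set(v))


def constructed_log(heating_off_early=True, n=7000):
    """Constructed 10 Hz log: Ip ramps 15 MA -> 0 over 25 s, then holds.
    With heating_off_early=False the heating stays on until Ip reaches zero,
    which violates the 'heating off before 100 kA' ordering constraint."""
    out = []
    for i in range(n):
        t = i / 10.0
        ip = max(15000.0 * (1 - t / 25.0), 0.0)
        cutoff = 120.0 if heating_off_early else 0.0
        heating = 50.0 if ip > cutoff else 0.0
        out.append(Sample(t, ip, heating, 5e-6, 500.0 if ip > 0 else 0.0,
                          fuel_valves_closed=ip < 5000.0,
                          magnets_standby=t >= 200.0))
    return out
```

A truncated log (one that ends before plasma current reaches 10 kA) is reported as both a ramp-budget and a safe-state failure, which is the right outcome: a sequence whose end state cannot be confirmed from the record must not be declared complete.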
SUB-REQ-140 The Plant Control System sensor acquisition module SHALL complete a full sensor cycle — acquiring plasma current, radial position, stored energy, disruption risk index, heating power levels, fuelling rates, and all safety interlock status — within 50 ms, with cycle completion time-stamped to UTC±1 ms for display latency accounting.
Rationale: SYS-REQ-017 requires operator display refresh latency not exceeding 200 ms from the most recent sensor cycle. To achieve this, the sensor cycle itself must complete within 50 ms (25% of the 200 ms budget), leaving sufficient headroom for data bus transmission, display rendering, and jitter. The 50 ms cycle aligns with the 20 Hz refresh rate of the plasma control loop.
Test idempotency:sub-sensor-cycle-qc-432
SUB-REQ-141 The Scenario Parameter Management function SHALL accept parameter file uploads via the secure Physics Operations Interface, validate each uploaded parameter set against plasma stability bounds and hardware limit tables, and return a validation report with pass/fail status and any violated constraint references within 120 seconds of upload initiation.
Rationale: SYS-REQ-018 requires parameter validation report delivery within 120 seconds of upload. This SUB requirement decomposes the upload and validation function: file reception, constraint-bound checking against stability limits and hardware tables, and report generation must all complete within the 120-second window. The constraint-bound check is the most time-consuming step (MHD stability analysis), driving the 120-second budget allocation.
Test idempotency:sub-param-upload-qc-432
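A parameter file arriving over the Physics Operations Interface is untrusted input until the validation step of SUB-REQ-141 has accepted it, so the check has to reject malformed files, unknown or mistyped fields and out-of-range values explicitly rather than ignore them. The following validator is an added example, not code from the SyDD or any referenced project: it parses an uploaded JSON parameter set, checks it against a stability-bounds table and a hardware-limits table, and returns the pass/fail report with violated constraint references. The parameter names, the two tables, the report format and the 64 KiB size cap are assumptions; the 120 s deadline is recorded as a wall-clock measurement of the validation itself.

```python
"""Added example (not part of the SyDD): server-side validation of an uploaded
scenario parameter set against stability bounds and hardware limit tables,
producing the pass/fail report of SUB-REQ-141. Parameter names, limit values,
report layout and the size cap are assumptions for illustration."""
import json
import time

# Constructed limit tables: (lower, upper) per parameter. Names are assumed.
STABILITY_BOUNDS = {
    "q95": (2.5, 6.0),             # edge safety factor window
    "greenwald_fraction": (0.0, 0.85),
}
HARDWARE_LIMITS = {
    "ip_ma": (0.0, 15.0),
    "heating_mw": (0.0, 73.0),     # aggregate envelope from SUB-REQ-133
    "b_toroidal_t": (0.0, 5.3),
}
ALLOWED = set(STABILITY_BOUNDS) | set(HARDWARE_LIMITS)
MAX_UPLOAD_BYTES = 64 * 1024      # assumed cap on the uploaded file
REPORT_DEADLINE_S = 120.0         # report due within 120 s of upload initiation


def validate_upload(raw: bytes, now=time.monotonic) -> dict:
    start = now()
    violations = []
    # Untrusted input: size cap and strict parse before any field is inspected.
    if len(raw) > MAX_UPLOAD_BYTES:
        return _report(start, now, ["UPLOAD-SIZE: file exceeds limit"])
    try:
        params = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as e:
        return _report(start, now, [f"UPLOAD-FORMAT: {e.__class__.__name__}"])
    if not isinstance(params, dict):
        return _report(start, now, ["UPLOAD-FORMAT: top-level object expected"])
    for name in sorted(params):
        if name not in ALLOWED:
            violations.append(f"UNKNOWN-PARAM: {name}")   # reject, do not ignore
    for table, prefix in ((STABILITY_BOUNDS, "STAB"), (HARDWARE_LIMITS, "HW")):
        for name, (lo, hi) in table.items():
            if name not in params:
                violations.append(f"{prefix}-MISSING: {name}")
                continue
            val = params[name]
            if isinstance(val, bool) or not isinstance(val, (int, float)):
                violations.append(f"{prefix}-TYPE: {name}")
            elif val != val or not (lo <= val <= hi):   # NaN fails the range check too
                violations.append(f"{prefix}-RANGE: {name}={val} outside [{lo}, {hi}]")
    return _report(start, now, violations)


def _report(start, now, violations):
    elapsed = now() - start
    return {"status": "PASS" if not violations else "FAIL",
            "violations": violations,
            "validation_time_s": elapsed,
            "within_deadline": elapsed <= REPORT_DEADLINE_S}
```

Unknown parameters are treated as failures rather than silently dropped, because a misspelled field would otherwise leave the corresponding hardware limit checked against a missing value and the operator believing it had been set.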
SUB-REQ-142 The Gas Puffing Valve Controller SHALL implement dual-channel redundant valve drive circuits such that a single-channel failure results in valve closure (fail-safe de-energisation) within 10 ms, with the second channel capable of commanding valve open or closed within 50 ms of primary channel failure detection.
Rationale: The Gas Puffing Valve Controller is classified System-Essential (UHT trait bit 16): loss of gas puffing control during a plasma pulse can cause uncontrolled density evolution leading to disruption or radiative collapse. Dual-channel redundancy with fail-safe closure prevents loss of density control from a single electronics failure. The 10 ms closure response is within the plasma density decay time constant (~500 ms), preventing runaway fuelling on failure.
Test idempotency:sub-gpvc-redundancy-qc-432

Interface Requirements (IFC)

Ref / Requirement / V&V / Tags
IFC-REQ-001 The interface between Fusion Reactor Control System and the Plasma Diagnostics subsystem SHALL exchange validated measurement data on a deterministic real-time network with a maximum end-to-end latency of 2 ms and data loss rate <10⁻⁶ per measurement cycle.
Rationale: External interface: plasma diagnostics provide the primary sensor data for all control loops. 2 ms latency budget is allocated from the 10 ms total control cycle budget, leaving 8 ms for computation and actuation. Data loss >10⁻⁶ would cause the control system to use stale data, degrading equilibrium accuracy.
Test interface, external, session-386, idempotency:ifc-ext-diagnostics-386
IFC-REQ-002 The interface between Fusion Reactor Control System and the Superconducting Magnet System SHALL use redundant, galvanically isolated digital command links with status feedback confirmation within 1 ms of command issue.
Rationale: External interface: magnet power supply commands carry the highest safety consequence of any interface — a missed command during vertical displacement event could allow plasma contact with first wall within 100 ms. Galvanic isolation prevents ground loop noise from corrupting commands. 1 ms confirmation is within the vertical stability control bandwidth.
Test interface, external, session-386, idempotency:ifc-ext-magnets-386
IFC-REQ-003 The interface between Fusion Reactor Control System and the Site Protection System SHALL use a hardwired, normally-energised interlock circuit for Category A SCRAM demand signals, with no software in the signal path and a maximum actuation latency of 50 ms from demand to confirmed breaker open.
Rationale: External interface: nuclear safety classification requires that SCRAM demand signals to the site protection system are hardware-only, not software-mediated. Normally-energised (fail-safe) circuit ensures that cable break or power loss initiates protective action. 50 ms actuation latency is derived from the SCRAM sequence time budget.
Test interface, external, session-386, idempotency:ifc-ext-site-protection-386
IFC-REQ-004 The interface between the Trip Parameter Monitor and the Safety Logic Processor SHALL use hardwired 24 VDC discrete signals with a maximum signal propagation delay of 2 ms, employing opto-coupled galvanic isolation rated to 2 kV working voltage between sensor-side and logic-side circuits.
Rationale: Hardwired discrete signals are the only architecture that eliminates software-related common-cause failure at this interface. The 2 ms propagation budget is allocated from the overall 10 ms trip response chain. 2 kV isolation rating provides adequate margin above the maximum induced voltage from 68 kA coil discharge events, protecting the SIL-3 logic from high-voltage transient coupling.
Test interface, iess, session-387, idempotency:ifc-tpm-slp-387
IFC-REQ-005 The interface between the Safety Logic Processor and the Emergency Shutdown Sequencer SHALL be a hardwired energise-to-hold signal: the Safety Logic Processor SHALL maintain 24 VDC on the run-permit line during normal operation; loss of signal from any cause SHALL unconditionally initiate the Emergency Shutdown Sequencer.
Rationale: Energise-to-hold (de-energise-to-trip) ensures the shutdown sequencer initiates on any cable fault, connector failure, logic failure, or power loss without requiring a positive trip command. This eliminates a class of failure modes where the interlock is bypassed by a failure in the trip signal path itself. This is the canonical design pattern for safety instrumented systems per IEC 61511 Clause 11.
Test rt-vague-interface, red-team-session-433
IFC-REQ-006 The interface between the Disruption Precursor Monitor and the Plasma Diagnostics Integration System SHALL provide time-synchronised diagnostic channel data at 50 kHz per channel via fibre-optic reflective memory network, with absolute timestamp accuracy of 10 μs relative to GPS-disciplined master clock, and SHALL flag any channel with signal dropout exceeding 2 ms as invalid in the feature vector.
Rationale: 50 kHz per channel sampling rate is required to resolve the highest-frequency MHD precursors (locked mode oscillations at 10-20 kHz). Fibre-optic isolation prevents ground loop interference from 60 T/s magnetic field transients during disruptions. 10 μs timestamp accuracy ensures feature vectors from different diagnostic subsystems are coherently aligned; misalignment greater than 100 μs degrades LSTM prediction accuracy by up to 12% (KSTAR benchmark). 2 ms dropout flag threshold matches the ELM blackout duration identified in the precursor monitor specification.
Test interface, dpms, session-388, idempotency:ifc-dpms-pdis-388
IFC-REQ-007 The interface between the Disruption Prediction and Mitigation System and the Interlock and Emergency Shutdown System SHALL be a dual-channel hardwired 24 VDC signal: the DPMS Mitigation Actuator Controller asserts an MGI pre-trigger output when risk probability exceeds 0.85, and the IESS Safety Logic Processor asserts a deterministic trip demand to the Mitigation Actuator Controller on any SCRAM condition. Both signals SHALL be latched energise-to-hold and propagate within 1 ms of assertion.
Rationale: Hardwired interface prevents software-induced latency between the two safety systems. Energise-to-hold convention ensures a power or communication failure causes a safe-side trip demand rather than inhibiting mitigation. 1 ms propagation limit ensures the DPMS-to-IESS and IESS-to-DPMS paths do not add significant latency to the 10 ms MGI trigger budget established in SUB-REQ-011. Dual-channel arrangement maintains signal integrity under single-channel failure per IEC 61508 SIL-3 HFT=1 requirements.
Test interface, dpms, iess, session-388, idempotency:ifc-dpms-iess-388
IFC-REQ-008 The interface between the Mitigation Actuator Controller and the Heating and Current Drive Control SHALL provide a hardwired NBI inhibit signal that ramps all three NBI beam power outputs from full to zero in 50 ms upon DPMS mitigation trigger, and an ECRH shutdown signal that terminates gyrotron output within 5 ms, with confirmed execution feedback to the Mitigation Actuator Controller within 60 ms.
Rationale: NBI and ECRH ramp-down is a mandatory part of the disruption mitigation sequence: continued external heating during a disruption amplifies runaway electron energy gain; at 150 MW NBI power the electron beam current could reach destructive levels within 50 ms of thermal quench if heating is not terminated. 50 ms NBI ramp-down is the minimum achievable from the power supply bus capacitor discharge time. 5 ms ECRH shutdown exploits the faster gyrotron gate-off response. 60 ms feedback timeout triggers a secondary alarm if heating shutdown is not confirmed.
Test interface, dpms, hcdc, session-388, idempotency:ifc-dpms-hcdc-388
IFC-REQ-009 The interface between the Equilibrium Reconstruction Processor and the Shape and Position Controller SHALL transfer the equilibrium state vector at 10 kHz using the MARTe2 shared data store, with a maximum end-to-end latency of 5 μs from ERP write-completion to SPC read-availability.
Rationale: 5 μs inter-component latency is the allowable fraction of the 40 μs ERP budget allocated to data publishing. Reflective memory on the MARTe2 bus achieves 1-2 μs typical transfer; 5 μs provides headroom for bus arbitration under maximum load. Higher latency would reduce SPC computation time below the minimum required for gain-scheduled PID convergence.
Test interface, plasma-control-system, session-390, idempotency:ifc-pcs-erp-spc-390
IFC-REQ-010 The interface between the Vertical Stability Controller and the Interlock and Emergency Shutdown System SHALL convey the VDE trip demand as a hardwired normally-energised signal that de-energises within 100 μs of VSC asserting the trip condition, independent of any software or network path.
Rationale: Hardwired de-energisation is mandated because the IESS SIL-3 classification prohibits software-mediated safety functions on the trip path. The 100 μs signal propagation limit is derived from the IESS actuation chain: IESS has 50 ms total budget to fire the MGI valves, so the trip signal propagation must not consume more than 0.2% of that budget.
Test rt-vague-interface, red-team-session-433
IFC-REQ-011 The interface between the Equilibrium Reconstruction Processor and the MHD Mode Stabiliser SHALL transfer the q-profile at minimum 1 kHz with a radial resolution of at least 50 flux surfaces, latency not to exceed 2 ms, using the MARTe2 shared data store.
Rationale: NTM stabilisation by ECCD requires the rational surface location (q=1.5 for m/n=3/2 NTM, q=2 for m/n=2/1) to be known to within one flux surface. 50 flux surface resolution achieves this with margin. 2 ms latency is acceptable because NTM mode growth rates are 10-100 ms; a 2 ms q-profile lag does not prevent accurate ECCD steering.
Test interface, plasma-control-system, session-390, idempotency:ifc-pcs-erp-mms-390
IFC-REQ-012 The interface between the HCDC Supervisory and Safety Arbiter and the Interlock and Emergency Shutdown System SHALL be a unidirectional hardwired safe-state command bus delivering a beam-off signal to all three actuator controllers within 1 ms of IESS trip assertion, independent of supervisory software.
Rationale: Hardware independence from supervisory software is required for SIL-3 classification: the IESS trip must reach actuators even if the Supervisory processor has failed. 1 ms delivery budget preserves the 5 ms NBI shutdown margin from the trip assertion time. The bus must be unidirectional to prevent IESS signal corruption from HCDC software faults.
Test interface, hcdc, iess, session-391, idempotency:ifc-hcdc-iess-hardwire-391
IFC-REQ-013 The interface between the ECRH Controller and the Disruption Prediction and Mitigation System SHALL accept NTM stabilisation commands over a dedicated real-time network with a command latency not exceeding 5 ms from DPMS command generation to ECRH mirror steering initiation.
Rationale: 5 ms command delivery is required to fit within the 100 ms lock-on budget: 5 ms delivery leaves 95 ms for mirror steering and co-deposition confirmation. The dedicated network prevents interference from higher-bandwidth plant control traffic and provides deterministic latency for the safety-adjacent NTM stabilisation function.
Test interface, hcdc, dpms, ecrh, session-391, idempotency:ifc-ecrh-dpms-ntm-391
IFC-REQ-014 The interface between the HCDC Supervisory and Safety Arbiter and the Plasma Control System SHALL accept closed-loop power setpoint updates at 50 Hz, allowing PCS to modulate total injected heating power within ±5 MW of the current operating point for plasma shape and density feedback control.
Rationale: 50 Hz update rate matches the PCS equilibrium reconstruction cycle, ensuring heating adjustments are synchronised with the latest plasma equilibrium estimate. ±5 MW authority is the PCS-derived trim range for density and shape corrections; larger power swings are scheduled via the plant power management layer, not PCS feedback.
Test interface, hcdc, pcs, session-391, idempotency:ifc-hcdc-pcs-setpoint-391
IFC-REQ-015 The interface between the Quench Detection System and the Interlock and Emergency Shutdown System SHALL be a hardwired relay-based trip channel, independent of plant software buses, with signal propagation latency ≤2 ms from quench alarm assertion to IESS trip input.
Rationale: Routing quench alarms through software buses introduces latency and potential common-cause failure with the plasma control software. A hardwired relay channel is SIL-4 compliant per IEC 61508 and ensures the coil protection action is not susceptible to software faults or network congestion that might delay or drop the trip signal. The 2 ms budget is consistent with IESS trip response chain timing (SUB-REQ-001 requires full trip execution in ≤100 ms).
Test interface, msps, iess, safety-critical, session-392, idempotency:ifc-qds-iess-hardwire-392
IFC-REQ-016 The interface between the Quench Detection System and the Energy Extraction and Dump System SHALL transmit per-coil-group quench alarm vectors at ≥100 Hz over a dedicated fibre-optic link with latency ≤5 ms, using a coded message format that distinguishes quench alarm, controlled shutdown request, and watchdog heartbeat states.
Rationale: The FEDU must receive per-coil-group alarm state to selectively dump only the affected coil circuit rather than discharging all coils simultaneously, which would generate a large-scale plasma disruption. Fibre-optic isolation prevents ground-loop faults in the high-voltage dump circuit from coupling back into the low-voltage detection electronics. The 100 Hz update rate and 5 ms latency are consistent with the 30 s TF energy extraction window, leaving ample margin.
Test interface, msps, session-392, idempotency:ifc-qds-fedu-alarm-392
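IFC-REQ-016 asks for a coded message format that keeps quench alarm, controlled shutdown request and watchdog heartbeat distinguishable and carries a per-coil-group alarm vector; the receiving side also has to notice when the 100 Hz heartbeat stops. The following encoder, decoder and receiver are an added example, not the SyDD's or any referenced project's protocol: the 10-byte frame layout, the three type codes, the CRC-16/CCITT integrity check, the 16-group alarm bitmask and the 50 ms heartbeat timeout are all assumptions for illustration.

```python
"""Added example (not part of the SyDD): an encoder/decoder for a coded
QDS-to-FEDU frame that distinguishes quench alarm, controlled shutdown request
and watchdog heartbeat, carries a per-coil-group alarm vector, and a receiver
that tracks the heartbeat. Frame layout, type codes, CRC choice and the 50 ms
heartbeat timeout are assumptions for illustration."""
import struct

QUENCH, SHUTDOWN_REQ, HEARTBEAT = 0xA1, 0xB2, 0xC3   # constructed type codes
FRAME = ">BBHIH"            # type, seq, coil-group bitmask (16 groups), t_ms, crc16
HEARTBEAT_TIMEOUT_MS = 50   # five missed 100 Hz frames (assumption)


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    # CRC-16/CCITT-FALSE, bit-serial form; detects any single-bit corruption.
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def encode(msg_type: int, seq: int, coil_groups, t_ms: int) -> bytes:
    if msg_type not in (QUENCH, SHUTDOWN_REQ, HEARTBEAT):
        raise ValueError("unknown message type")
    if msg_type == HEARTBEAT and coil_groups:
        raise ValueError("heartbeat carries no alarm vector")
    mask = 0
    for g in coil_groups:
        if not 0 <= g < 16:
            raise ValueError("coil group out of range")
        mask |= 1 << g
    body = struct.pack(">BBHI", msg_type, seq & 0xFF, mask, t_ms & 0xFFFFFFFF)
    return body + struct.pack(">H", crc16_ccitt(body))


def decode(frame: bytes):
    """Return a dict, or None if the frame is malformed (size, CRC or type)."""
    if len(frame) != struct.calcsize(FRAME):
        return None
    msg_type, seq, mask, t_ms, crc = struct.unpack(FRAME, frame)
    if crc != crc16_ccitt(frame[:-2]) or msg_type not in (QUENCH, SHUTDOWN_REQ, HEARTBEAT):
        return None
    groups = [g for g in range(16) if mask >> g & 1]
    return {"type": msg_type, "seq": seq, "coil_groups": groups, "t_ms": t_ms}


class FeduReceiver:
    """Receiver-side state: accumulated alarm vector plus heartbeat watchdog."""
    def __init__(self):
        self.last_rx_ms = None
        self.alarmed_groups = set()
        self.shutdown_requested = False
        self.bad_frames = 0

    def on_frame(self, frame: bytes, now_ms: int) -> str:
        msg = decode(frame)
        if msg is None:
            self.bad_frames += 1       # never act on a frame that fails the check
            return "REJECTED"
        self.last_rx_ms = now_ms       # any valid frame refreshes the watchdog
        if msg["type"] == QUENCH:
            self.alarmed_groups.update(msg["coil_groups"])  # input to selective dump
            return "QUENCH"
        if msg["type"] == SHUTDOWN_REQ:
            self.shutdown_requested = True
            return "SHUTDOWN_REQ"
        return "HEARTBEAT"

    def link_state(self, now_ms: int) -> str:
        if self.last_rx_ms is None or now_ms - self.last_rx_ms > HEARTBEAT_TIMEOUT_MS:
            return "LOST"
        return "OK"
```

A frame that fails the CRC is counted and discarded rather than interpreted, and the three type codes are deliberately far apart in bit pattern so that a corrupted heartbeat is far more likely to fail the CRC than to decode as an alarm.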
IFC-REQ-017 The interface between the Coil Thermal and Cryogenic Monitor and the Quench Detection System SHALL provide digitised temperature exceedance flags for each coil group at ≥10 Hz, with a latency ≤100 ms from sensor measurement to QDS reception.
Rationale: Temperature flags must be available within the QDS 2oo3 voting window to serve as a valid independent channel. The 100 ms latency budget accounts for Cernox ADC acquisition time (~50 ms) plus the inter-subsystem communication path, and remains within the QDS detection-to-alarm budget: the 20 ms voltage-based primary alarm path does not wait for temperature confirmation, so the secondary temperature channel does not lengthen it.
Test interface, msps, session-392, idempotency:ifc-ctcm-qds-temp-392
IFC-REQ-018 The interface between the Magnet Power Supply Controller and the Plasma Control System SHALL accept coil current reference waveforms via a dedicated reflective memory link at 1 kHz update rate, with the MPSC acknowledging each set-point within 2 ms or flagging a timeout to the Plant Control and I&C System.
Rationale: The PCS inner current control loop operates at 1 kHz (SUB-REQ-036) and requires set-point delivery matched to this rate. Reflective memory provides deterministic latency (<1 ms cycle time) without TCP/IP overhead that would introduce jitter incompatible with the ±1 A current tracking requirement. The 2 ms acknowledgement timeout surfaces coil controller faults before they manifest as plasma position errors.
Test interface, msps, plasma-control-system, session-392, idempotency:ifc-mpsc-pcs-setpoint-392
IFC-REQ-019 The interface between the Gas Puffing Valve Controller and the Plasma Control System SHALL carry density setpoints as 32-bit floating-point values over a dedicated real-time Ethernet link (1 Gbit/s) with a maximum end-to-end latency of 5 ms and a cycle period of 10 ms.
Rationale: The PCS outputs electron density setpoints (ne_target) to the gas puffing controller via the same real-time network used for other PCS actuators. A 5 ms latency budget and 10 ms cycle period ensure gas puffing acts within one PCS control cycle. The 1 Gbit/s link uses RDMA to bypass OS scheduling jitter — standard Ethernet would add 2–8 ms of unpredictable latency.
Test interface, fuel-injection, plasma-control-system, session-394, idempotency:ifc-gpvc-pcs-394
IFC-REQ-020 The interface between the Pellet Injection Controller and the MHD Mode Stabiliser SHALL provide an ELM phase trigger signal as a hardwired TTL pulse with a jitter not exceeding 0.1 ms, synchronised to the ELM detection timestamp in the Mode Stabiliser.
Rationale: TTL hardwire is used rather than network for the ELM trigger because network jitter (typically 0.5–2 ms) would consume the entire synchronisation window. The Mode Stabiliser ELM detection is derived from magnetic field perturbation signals, with a latency of <0.2 ms from event to output pulse, giving a total trigger-to-valve-command latency of <0.4 ms.
Test interface, fuel-injection, mhd-mode-stabiliser, session-394, idempotency:ifc-pic-mms-394
IFC-REQ-021 The interface between the Tritium and Fuel Inventory Controller and the Interlock and Emergency Shutdown System SHALL use a hardwired relay-based fuel-off signal, with relay closure indicating a safe (fuelling permitted) state and open contact indicating an interlock demand, compliant with IEC 61511 SIL-3 architectural constraints.
Rationale: De-energise-to-trip (relay open = trip demand) is mandated by IEC 61511 for SIL-3 nuclear material interlocks: a wiring fault, power loss, or controller failure all result in a safe state (fuel off). A software-only interface would require additional validation and could not achieve SIL-3 without certified hardware separation.
Inspection rt-sil-gap, red-team-session-433
IFC-REQ-022 The interface between the Burn Condition Monitor and the Disruption Prediction and Mitigation System SHALL transmit a fusion power and Q-factor vector at 10 Hz via the PCS Real-Time Data Bus, encoded as a 64-byte fixed-format message with a sequence counter and CRC-32 checksum.
Rationale: The DPMS Disruption Prediction Engine uses fusion power and Q-factor as features in its LSTM disruption risk model. Providing these via the shared PCS RTDB minimises physical interfaces and uses the same timing reference as plasma equilibrium data. The fixed-format message with CRC prevents silent data corruption on the RTDB backplane.
Test interface, fuel-injection, dpms, session-394, idempotency:ifc-bcm-dpms-394
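The fixed-format message that IFC-REQ-022 describes (64 bytes, sequence counter, CRC-32) can be shown end to end as a sender and a receiver that rejects corrupted frames, detects lost frames from counter gaps and discards replayed or duplicated frames. This is an added illustration written for this page, not the project's own RTDB code; the SyDD fixes only the length, the counter and the checksum, so the byte layout, the `BCM1` message id and the field set are assumptions.

```python
"""Constructed model of a 64-byte RTDB message with sequence counter and
CRC-32 (IFC-REQ-022). Field layout is assumed for illustration."""
import struct
import zlib

MSG_LEN = 64
# Assumed little-endian layout: 4-byte message id, 4-byte sequence counter,
# 8-byte timestamp (ns), 8-byte fusion power (MW), 8-byte Q-factor,
# 28 reserved zero bytes, then a 4-byte CRC-32 over the preceding 60 bytes.
HEADER_FMT = "<4sIQdd"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32
RESERVED_LEN = MSG_LEN - HEADER_LEN - 4    # 28
MSG_ID = b"BCM1"                           # constructed identifier


def encode(seq, timestamp_ns, fusion_power_mw, q_factor):
    """Build one frame; the CRC covers every byte before it."""
    body = struct.pack(HEADER_FMT, MSG_ID, seq & 0xFFFFFFFF,
                       timestamp_ns, fusion_power_mw, q_factor)
    body += b"\x00" * RESERVED_LEN
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", crc)


class RtdbReceiver:
    """DPMS-side validator: CRC first, then id, then sequence continuity."""

    def __init__(self):
        self.expected_seq = None
        self.stats = {"ok": 0, "bad_length": 0, "bad_crc": 0,
                      "bad_id": 0, "seq_gap": 0, "seq_replay": 0}

    def receive(self, frame):
        """Return the decoded fields, or None if the frame is rejected."""
        if len(frame) != MSG_LEN:
            self.stats["bad_length"] += 1
            return None
        body, crc_bytes = frame[:-4], frame[-4:]
        if (zlib.crc32(body) & 0xFFFFFFFF) != struct.unpack("<I", crc_bytes)[0]:
            self.stats["bad_crc"] += 1          # silent corruption made visible
            return None
        msg_id, seq, ts, power, q = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
        if msg_id != MSG_ID:
            self.stats["bad_id"] += 1
            return None
        if self.expected_seq is not None and seq != self.expected_seq:
            # Modular distance: a counter ahead of expectation means frames were
            # lost (accept, but count); a counter behind means a stale or
            # duplicated frame, which must not overwrite fresher state.
            if (seq - self.expected_seq) & 0xFFFFFFFF < 0x80000000:
                self.stats["seq_gap"] += 1
            else:
                self.stats["seq_replay"] += 1
                return None
        self.expected_seq = (seq + 1) & 0xFFFFFFFF
        self.stats["ok"] += 1
        return {"seq": seq, "timestamp_ns": ts,
                "fusion_power_mw": power, "q_factor": q}
```

The CRC is checked before any field is interpreted, so a corrupted counter cannot disturb the gap/replay bookkeeping; a gap is reported rather than rejected because the newest valid sample is still the best input for the prediction engine, whereas a frame that arrives behind the expected counter is dropped.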
IFC-REQ-023 The interface between the Plant Operations Sequencer and each of the seven operational subsystems (PCS, HCDC, DPMS, FIBC, MSPS, IESS, PDIS) SHALL carry the machine state variable (MSV) as a 32-bit status word over the supervisory SCADA bus at 10 Hz with a maximum end-to-end latency of 50 ms.
Rationale: Each subsystem must receive the MSV within one SCADA cycle (100 ms) to enable/disable actuators based on operational state. The 50 ms latency budget allows for 1 SCADA cycle of network transit and one processing cycle within each subsystem. MSV delivery is not a safety function — IESS has independent hardwired interlocking.
Test interface, pcis, plant-control, session-395, idempotency:ifc-pos-msv-broadcast-395
IFC-REQ-024 The interface between the Machine Timing and Synchronisation System and each subsystem SHALL distribute shot timing signals over independent fibre-optic links using IRIG-B and IEEE 1588 PTP protocol formats, with timing pulse rise time ≤100 ns at the subsystem receiver.
Rationale: Fibre-optic links are mandated for all timing distribution in the high-field environment to provide EMI immunity — copper timing lines experience induced noise from magnet coil current transients exceeding 50 kA. Independent links per subsystem prevent a single fibre fault from disrupting timing on multiple subsystems. The 100 ns rise time ensures clean trigger edge detection at ADC-level timing circuits.
Test interface, pcis, plant-control, session-395, idempotency:ifc-mtss-distribution-395
IFC-REQ-025 The interface between the Plant Data Historian and the Plasma Diagnostics Integration System SHALL accept time-stamped diagnostic data streams at ≥1 kHz sample rate per channel over the best-effort monitoring LAN using a publish-subscribe message bus, with guaranteed delivery and sequence integrity confirmation within 60 s of pulse end.
Rationale: The 1 kHz sample rate matches SYS-REQ-005. Publish-subscribe decouples the historian from each diagnostic source, allowing new diagnostic channels to be added without historian reconfiguration. The 60 s confirmation window closes the archival loop for post-pulse physics analysis and satisfies SYS-REQ-005 post-pulse latency.
Test interface, pcis, plant-control, session-395, idempotency:ifc-pdh-pdis-395
IFC-REQ-026 The interface between the Magnetic Diagnostics Array and the Real-Time Diagnostic Signal Conditioner SHALL carry analogue voltage or current signals from ≥256 magnetic sensor channels with common-mode rejection ratio ≥80 dB and galvanic isolation ≥2.5 kV per channel to protect digitiser electronics from vacuum vessel transients.
Rationale: The 80 dB CMRR requirement is derived from the amplitude of 50 Hz power system interference relative to the minimum Mirnov coil signal during low-power plasma startup — the signal-to-noise ratio must remain >40 dB. Galvanic isolation at 2.5 kV protects the digitiser from halo currents and disruption-driven vessel transients that can reach 1 kV peak on sensor conductors.
Test interface, pdis, session-395, idempotency:ifc-mda-rtdsc-395
IFC-REQ-027 The interface between the Diagnostic Data Multiplexer and the Equilibrium Reconstruction Processor SHALL deliver timestamped magnetic diagnostic data frames at 100 kHz via a deterministic RDMA link with end-to-end latency ≤200 µs and zero frame loss tolerance during plasma flat-top operation.
Rationale: The 200 µs total budget (100 µs conditioning plus 100 µs multiplexer routing) allows the Equilibrium Reconstruction Processor to receive data within its 1 ms computation cycle. Zero frame loss is required because any dropped magnetic data frame corrupts the numerical equilibrium solution, potentially triggering a spurious plasma position error and unwarranted shape correction actuation.
Test interface, pdis, session-395, idempotency:ifc-ddm-erp-395
IFC-REQ-028 The interface between the Disruption Precursor Sensor Suite and the Disruption Precursor Monitor SHALL transmit calibrated, timestamped sensor vectors at ≥10 kHz over a dedicated low-latency fibre link with delivery latency ≤500 µs and timestamp synchronisation to the Machine Timing System within 10 µs.
Rationale: The 500 µs delivery latency is the interface allocation within the 50 ms total disruption detection budget (SYS-REQ-002): 0.5 ms sensor delivery plus 49.5 ms for prediction computation and mitigation command. Dedicated fibre ensures the disruption-critical data path is isolated from routine diagnostic traffic congestion.
Test interface, pdis, session-395, idempotency:ifc-dpss-dpm-395

Architecture Decisions (ARC)

Ref | Requirement | V&V | Tags
ARC-REQ-001 ARC: Interlock and Emergency Shutdown System — Hardwired 2oo3 voting logic with physically segregated channels, not a software-based safety system. The SIL-3 classification and the need to prevent common-cause failure between safety and operational I&C networks drive the choice of hardwired relay logic over programmable safety PLCs. Software-based systems introduce unacceptable common-cause software failure modes; hardwired logic eliminates this vulnerability at the cost of higher engineering effort for configuration changes. The 4-component decomposition (Trip Parameter Monitor, Safety Logic Processor, Emergency Shutdown Sequencer, Safety Parameter Display) maps directly to the IEC 61508 safety function architecture: sensor subsystem, logic solver, final element actuator, and operator indication. Battery-backed power for sequencer and display ensures function during loss of site power — a key licensing requirement.
Rationale: IESS architecture decision: hardwired 2oo3 voting logic with IEC 61508 SIL-3 safety architecture. Supports SYS-REQ-004. Tagged informational as ARC documents design rationale, not traceable requirements.
Inspection architecture, iess, session-387, idempotency:arc-iess-387
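The two conventions that ARC-REQ-001 and IFC-REQ-021 rely on, 2oo3 voting and de-energise-to-trip, can be checked together on a truth table. The model below is an added illustration for this page, not the project's logic: the real function is hardwired relay logic, so the software only makes the voting rule and the fail-safe reading of a lost channel explicit. The per-channel timestamps and the 5 ms hold time used to declare a reading stale are assumptions, as is the discrepancy alarm.

```python
"""Constructed model of a 2oo3 voted, de-energise-to-trip interlock
(ARC-REQ-001, IFC-REQ-021). Timestamps and hold time are assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Contact(Enum):
    CLOSED = "closed"   # relay energised: permit (fuelling permitted)
    OPEN = "open"       # relay de-energised: trip demand


@dataclass
class ChannelReading:
    contact: Optional[Contact]   # None = channel could not be read
    t_ms: float                  # time the reading was taken


MAX_READING_AGE_MS = 5.0         # assumed hold time before a reading is stale


def channel_demands_trip(reading, now_ms):
    """De-energise-to-trip: an open contact, an unreadable channel and a
    stale reading are all indistinguishable from a demand, so every
    failure mode of the channel lands on the safe side."""
    if reading is None or reading.contact is None:
        return True
    if now_ms - reading.t_ms > MAX_READING_AGE_MS:
        return True
    return reading.contact is Contact.OPEN


def vote_2oo3(readings, now_ms):
    """Trip iff at least two of the three channels demand it.
    Returns (trip, number_of_demanding_channels)."""
    demands = sum(channel_demands_trip(r, now_ms) for r in readings)
    return demands >= 2, demands


def run_permit(readings, now_ms):
    """The permit output is itself energise-to-run: True only when the
    voter sees no trip."""
    trip, _ = vote_2oo3(readings, now_ms)
    return not trip


def channel_discrepancy(readings, now_ms):
    """A lone dissenting channel must not trip (that is the point of 2oo3),
    but it degrades the voter to 1oo2 and must raise a maintenance alarm."""
    demands = sum(channel_demands_trip(r, now_ms) for r in readings)
    return 0 < demands < 3
```

Reading the table the other way round shows the tolerance the requirement asks for: one failed channel, whether stuck open, unreadable or stale, neither trips the plant nor hides a genuine demand from the other two.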
ARC-REQ-002 ARC: Disruption Prediction and Mitigation System — LSTM on FPGA with hardwired fallback. Disruption prediction uses a long short-term memory (LSTM) neural network deployed on an FPGA (not GPU/CPU) for deterministic inference latency. FPGA inference eliminates OS scheduling jitter and achieves a 3 ms bound with 6-sigma margin. Hardwired threshold-only fallback bypasses ML entirely: it is implemented in fixed gate logic independent of the FPGA softcore, ensuring fallback availability is not contingent on FPGA health. The MGI trigger path is isolated from the prediction path by a dedicated microcontroller running an independent watchdog-supervised interrupt service routine, preventing ML inference failures from blocking mitigation.
Rationale: FPGA chosen over GPU because GPU inference latency has 3-sigma tail latency of 12-50 ms depending on CUDA kernel scheduling, which violates the 3 ms budget. FPGA deterministic logic achieves 3 ms with sigma less than 100 μs. LSTM chosen over simpler models (SVM, threshold) because ITER disruption database shows LSTM outperforms SVM by 8 percentage points TPR at matched FPR due to LSTM capacity to model temporal correlation in MHD precursor evolution. Hardwired fallback chosen over software-mode-switch because IEC 61508 prohibits relying on the same software path for both primary function and its safety backup.
Inspection architecture, dpms, session-388, idempotency:arc-dpms-388
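The decision structure in ARC-REQ-002 has three parts that are easy to conflate: a predictor bounded by a deadline, a threshold fallback that does not depend on the predictor, and a trigger path that watchdog-supervises the predictor so that a late or absent inference can neither fire nor block mitigation. The model below is an added illustration for this page, not project code: the LSTM is replaced by a stub result, timing is supplied rather than measured, and the fallback thresholds and the 0.95 trigger probability are assumed values.

```python
"""Constructed model of the DPMS trigger structure in ARC-REQ-002.
ML inference is a stub; thresholds are assumed."""
from dataclasses import dataclass
from typing import Optional

INFERENCE_DEADLINE_MS = 3.0      # bound stated in ARC-REQ-002
ML_TRIGGER_PROBABILITY = 0.95    # assumed trigger confidence
LOCKED_MODE_FLUX_LIMIT = 1.0     # assumed fallback threshold (arbitrary units)
BETA_N_LIMIT = 3.0               # assumed fallback threshold


@dataclass
class Features:
    locked_mode_flux: float
    beta_n: float


@dataclass
class InferenceResult:
    probability: Optional[float]   # None = inference never completed
    elapsed_ms: float


def hardwired_fallback(f):
    """Stand-in for the fixed gate logic: raw threshold exceedance only,
    no state, no dependency on the inference path."""
    return f.locked_mode_flux >= LOCKED_MODE_FLUX_LIMIT or f.beta_n >= BETA_N_LIMIT


def supervised_prediction(result):
    """Watchdog view of the predictor: a result that is missing or later
    than the deadline is treated as a failed inference (None)."""
    if result.probability is None or result.elapsed_ms > INFERENCE_DEADLINE_MS:
        return None
    return result.probability


def mgi_trigger(features, inference):
    """Returns (trigger, source, ml_healthy). The fallback is evaluated
    first and independently, so an ML failure is reported but can never
    suppress a mitigation the hardwired logic demands."""
    p = supervised_prediction(inference)
    ml_healthy = p is not None
    if hardwired_fallback(features):
        return True, "fallback", ml_healthy
    if ml_healthy and p >= ML_TRIGGER_PROBABILITY:
        return True, "ml", ml_healthy
    return False, None, ml_healthy
```

The `ml_healthy` flag is what the DPMS Supervisory would count against its retraining and availability thresholds; it is deliberately separate from the trigger decision so that monitoring the predictor never sits in the mitigation path.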
ARC-REQ-003 ARC: Plasma Control System — Hierarchical real-time control with separated vertical stability loop. The PCS is decomposed into: Equilibrium Reconstruction Processor (Grad-Shafranov solver at 10 kHz), Shape and Position Controller (isoflux/gap control, 48 PF channels), Vertical Stability Controller (standalone FPGA at 100 kHz, isolated from main PCS), MHD Mode Stabiliser (NTM/RWM/ELM control, 1 kHz), and PCS Real-Time Data Bus (MARTe2, synchronised cycle). The VSC runs on separate hardware because VDE growth times (5–20 ms) cannot tolerate the latency of sharing FPGA resources with the equilibrium solver. NTM stabilisation requires the q-profile from equilibrium reconstruction, creating a data dependency that mandates ERP→MMS ordering on the data bus. A monolithic controller was rejected because fault isolation requires that VSC remain operational when the main PCS is in safe-state; separate hardware achieves this at the cost of two additional inter-subsystem interfaces.
Rationale: Captures the primary architectural trade-off: VSC isolation vs. integration complexity. The 2019 JET VDE incident demonstrated that a shared-resource PCS cannot guarantee VSC latency under peak equilibrium reconstruction load. This decision prevents recurrence.
Inspection architecture, plasma-control-system, session-390, idempotency:arc-plasma-control-system-390
ARC-REQ-004 ARC: Heating and Current Drive Control — four-component architecture separating actuator-specific controllers (NBI, ECRH, ICRH) from a central Supervisory and Safety Arbiter. Each actuator controller owns its machine protection interlocks and fast shutdown logic; the Supervisory arbitrates competing demands and enforces the 50 MW total power budget. ECRH was chosen as the primary NTM stabilisation actuator over ICRH because its 1 ms modulation response and steerable launcher enable closed-loop co-deposition targeting; NBI is retained for bulk heating and current profile tailoring where ECRH lacks the ion-heating capability required for Q>1 ignition margins.
Rationale: Separating actuator-specific controllers enables independent qualification paths (each technology has distinct safety cases) and allows modular upgrade of individual heating systems without re-qualification of the full subsystem. The Supervisory pattern avoids distributed power budget enforcement which would require cross-system consensus protocols and introduce latency incompatible with fast interlock demands.
Inspection architecture, hcdc, session-391, idempotency:arc-hcdc-decomposition-391
ARC-REQ-006 ARC: Magnet Safety and Protection System — hardwired quench detection with redundant fast energy extraction. The MSPS uses four components: a 2oo3-voted Quench Detection System detecting resistive voltage ≥50 mV in ≤20 ms; an Energy Extraction and Dump System that diverts stored coil energy into dump resistors within 30 s (TF) / 10 s (PF/CS); a Magnet Power Supply Controller executing PCS-uploaded current waveforms with ±1 A accuracy at 1 kHz inner loop; and a Coil Thermal and Cryogenic Monitor with ~200 Cernox sensors providing secondary quench indication. Quench detection is hardwired to IESS rather than routed through plant software to meet the <20 ms detection-to-alarm latency within the SIL-4 boundary. Energy dump is fail-safe (de-energise to dump) to ensure coil protection on any power loss.
Rationale: Tokamak TF coil quench is a credible high-consequence failure: undetected quench at 50 GJ stored energy leads to catastrophic coil destruction within ~2 s. The 2oo3 voltage-bridge architecture minimises both false positives (which cause unnecessary plasma disruptions) and missed detections. Fail-safe energy extraction ensures the most likely failure mode (control power loss) results in the safe state (coil protected). PCS current waveform upload allows physics-driven coil control without requiring the safety boundary to process arbitrary control algorithms.
Inspection architecture, msps, magnet-safety, session-392, idempotency:arc-msps-392
ARC-REQ-007 ARC: Fuel Injection and Burn Control — Two-channel injection (gas puffing + pellet) with independent tritium accountancy gate. Gas puffing provides real-time density control (10 ms response) while pellet injection enables deep core fuelling inaccessible to gas puffing. Both channels route through the Tritium and Fuel Inventory Controller which enforces a hard 30 g in-vessel tritium ceiling — a nuclear regulatory constraint that overrides all PCS density setpoints. The Burn Condition Monitor sits outside the injection control loop to maintain independence: it can trigger burn termination but cannot directly command injection, preventing a single-point coupling between burn sensing and fuel delivery.
Rationale: Records the key architectural trade-off: why two injection channels are used (coverage vs. response time), and why the tritium inventory controller is positioned as a gate rather than a feedback element — nuclear material accountancy regulations require it to assert a hard limit, not participate in PID control.
Inspection architecture, fuel-injection, session-394, idempotency:arc-fuel-injection-394
ARC-REQ-008 ARC: Plant Control and I&C System — five-component layered SCADA architecture separating sequencing (Plant Operations Sequencer), human interface (Operator Console System), deterministic timing (Machine Timing and Synchronisation System), communications (Plant I&C Network Infrastructure), and archival (Plant Data Historian). The separation enforces clear performance tiers: the sequencer and timing system require <5 µs determinism; the operator console and historian operate on best-effort Ethernet and are isolated from the real-time control domain by network segmentation. The Plant Operations Sequencer uses 1oo2 hot-standby redundancy rather than triple modular redundancy because mode-transition commands are supervisory (non-safety); the IESS independently enforces safety shutdowns regardless of sequencer state. The Machine Timing and Synchronisation System is a discrete component rather than a function within the sequencer because timing distribution is a site-wide infrastructure service consumed by all eight subsystems — consolidating it into the sequencer would create a single-point dependency for every subsystem's shot synchronisation.
Rationale: PCIS architecture decision: layered SCADA separation of sequencing, HMI, timing, network, and archival concerns. SYS-REQ-005 drives the archival requirement; operational mode management cascades to all subsystems.
Inspection architecture, pcis, plant-control, session-395, idempotency:arc-pcis-395
ARC-REQ-009 ARC: Plasma Diagnostics Integration System — five-component architecture separating physical sensors (Magnetic Diagnostics Array, Disruption Precursor Sensor Suite, Thomson Scattering and Interferometry System), signal conditioning (Real-Time Diagnostic Signal Conditioner), and data routing (Diagnostic Data Multiplexer). The Disruption Precursor Sensor Suite is separated from the Magnetic Diagnostics Array despite both being magnetic sensors because they serve different real-time consumers with different latency and bandwidth requirements: the Magnetic Array feeds equilibrium reconstruction at 100 kHz; the Disruption Precursor Suite feeds the DPMS Disruption Precursor Monitor at 10 kHz with disruption-sensitive signal processing. Thomson Scattering is a non-real-time diagnostic — its 50 ms sample interval cannot contribute to the 10 ms plasma control loop, making a tight integration with real-time conditioning unnecessary. The Diagnostic Data Multiplexer pattern decouples sensor producers from control consumers, enabling independent development and fault isolation without requiring every sensor to know every consumer's protocol.
Rationale: PDIS architecture decision: sensor-conditioner-multiplexer separation. Supports IFC-REQ-006 (DPMS to PDIS interface) and IFC-REQ-001 (FRCS to plasma diagnostics interface).
Inspection architecture, pdis, session-395, idempotency:arc-pdis-395
ARC-REQ-010 The Disruption Prediction Engine is classified Biological/Biomimetic due to its LSTM neural-network architecture. This classification SHALL NOT be interpreted as requiring biocompatibility or sterilisation certification. No biological materials are used in the DPE. Physical and environmental requirements for DPE hardware are captured in subsystem requirements SUB-REQ-009 through SUB-REQ-013.
Rationale: Lint finding: DPE classified Biological/Biomimetic without biocompatibility requirements. The LSTM is biomimetic in origin but contains no biological materials. This ARC requirement explicitly bounds the ontological classification to prevent erroneous biocompatibility requirements being added in future.
Inspection idempotency:qc-422-arc-dpe-bio

Internal Diagrams

flowchart TB
  n0["component<br>Trip Parameter Monitor"]
  n1["component<br>Safety Logic Processor"]
  n2["component<br>Emergency Shutdown Sequencer"]
  n3["component<br>Safety Parameter Display"]
  n0 -->|trip signal 24VDC| n1
  n1 -->|trip actuation| n2
  n1 -->|safety status data| n3

Interlock and Emergency Shutdown System — Internal

flowchart TB
  n0["component<br>Equilibrium Reconstruction Processor"]
  n1["component<br>Shape and Position Controller"]
  n2["component<br>Vertical Stability Controller"]
  n3["component<br>MHD Mode Stabiliser"]
  n4["component<br>PCS Real-Time Data Bus"]
  n0 -->|equilibrium state vector| n1
  n0 -->|q-profile| n3
  n1 -->|vertical position ref| n2
  n4 -->|10 kHz sync| n0
  n4 -->|10 kHz sync| n3

Plasma Control System — Internal

Classified Entities

Entity | Hex Code | Description
Burn Condition Monitor 55F77218 Real-time fusion burn state monitoring subsystem for a tokamak fusion reactor. Processes neutron flux measurements from 12 fission chambers and 8 activation foil detectors to compute instantaneous fusion power (0–800 MW range, ±2% accuracy) and Q-factor (energy gain). Monitors plasma thermal energy content via diamagnetic loop measurements and compares against burn condition targets. Provides D-T fuel burn fraction estimate (tritium burn efficiency) to the Fuel Injection and Burn Control supervisory. Triggers burn termination if Q < 1 is predicted within 500 ms — feeds directly into the Disruption Prediction and Mitigation System event register.
Coil Thermal and Cryogenic Monitor 54A55218 Monitoring subsystem for the superconducting coil cold mass and cryogenic cooling circuit of a tokamak. Acquires temperatures from ~200 calibrated Cernox sensors embedded in the coil windings and cryogenic manifolds, liquid helium flow rates, supercritical helium inlet/outlet temperatures, and coil cold mass strain gauges. Provides real-time coil thermal state to the Quench Detection System as a secondary quench indicator (temperature rise > 0.5 K above baseline) and to Plant Control for cryoplant control. Operates at 4.5 K with radiation-hardened electronics in the tokamak building.
Diagnostic Data Multiplexer 40F57308 Software-defined routing layer that receives diagnostic data streams from all four PDIS sensors and conditioning units, then distributes them to their respective consumers: Equilibrium Reconstruction Processor (magnetic data), Disruption Precursor Monitor (disruption suite data), and Plant Data Historian (all channels). Manages data prioritisation — real-time control consumers receive data via deterministic RDMA over EtherCAT; archival consumers receive data via best-effort publish-subscribe. Also provides cross-diagnostic timestamp alignment, ensuring all channels are synchronised to the Machine Timing System reference.
Disruption Precursor Monitor 55F77200 Real-time MHD stability signal processor within the DPMS of a tokamak fusion reactor. Ingests 300+ diagnostic channels at 50 kHz: Mirnov coil oscillation amplitudes (32 coils), locked mode detector flux (4 sensors), βN/βp proximity to Troyon limit, internal inductance drift rate, and radiative collapse indicator from bolometers. Computes 128-element feature vector every 100 μs for delivery to the Disruption Prediction Engine. Operates under 60 T/s magnetic field transients and must tolerate 2 ms blackouts during ELM events without losing feature synchronisation.
Disruption Precursor Sensor Suite 54E55208 Dedicated array of high-bandwidth sensors targeting disruption precursor signatures: saddle coils for tearing mode detection, soft X-ray bolometer arrays for radiation collapse, Halpha spectroscopy for edge localised modes (ELMs), and vertical position sensors for vertical displacement events (VDEs). Feeds calibrated, time-stamped digital outputs to the Disruption Precursor Monitor at 10 kHz. Separate from the Magnetic Diagnostics Array: this suite is specifically optimised for low-latency, high-sensitivity detection of pre-disruption instabilities rather than equilibrium measurement.
Disruption Prediction and Mitigation System 51F77B19 Safety-critical subsystem that predicts plasma disruptions 10–100 ms in advance using machine learning classifiers trained on disruption databases and real-time diagnostics (Mirnov coils, bolometers, locked-mode detectors). Upon prediction confidence > 95%, triggers shattered pellet injector (SPI) within 10 ms to perform radiative collapse, preventing unmitigated thermal quenches (>100 MJ deposited on first wall) and halo current spikes (>10 MA).
disruption prediction engine 51F73308 LSTM-based disruption prediction algorithm deployed on FPGA for deterministic inference. Processes time-series plasma state data (MHD precursors, current profile, stored energy) to predict disruption probability 50 ms ahead of onset. Uses neural network architecture inspired by biological temporal pattern recognition but implemented as deterministic digital logic on silicon — not a biological or biomimetic system. Key characteristics: real-time deterministic inference, FPGA implementation, hardwired fallback threshold logic, 3 ms inference latency bound.
Disruption Prediction Engine 51F77B19 LSTM and physics-informed neural network ensemble operating in real-time at 100 Hz, processing multi-channel magnetic and thermal diagnostic signals to predict major plasma disruption events 30-100 ms before onset. Receives input from Equilibrium Reconstruction Processor and Magnetic Diagnostics Array. Outputs disruption probability score and recommended mitigation action to the DPMS Supervisory. Hosted on dedicated GPU-accelerated compute nodes. Purely algorithmic software — no biological components, no biomimetic hardware. The 'neural network' is a mathematical model implemented in software, not biological material. This is an embedded AI inference engine for safety-critical real-time signal classification.
DPMS Supervisory and Archive 50B57300 Supervisory monitoring and event archive subsystem of the DPMS. Tracks false alarm rate (rolling 24-hour window), model prediction confidence distribution, and missed disruption count against retraining thresholds. Archives complete pre-disruption state vectors (5 s before trigger, 1 ms sample interval, 128 features) and post-mitigation plasma evolution data to a write-once historian. Generates model retraining dataset packages when false alarm rate exceeds 3/day or TP rate falls below 93%. Provides health status to Plant Control and I&C System via OPC-UA.
ECRH Controller 51F57208 Electron Cyclotron Resonance Heating controller managing an array of 24 gyrotrons at 170 GHz, providing up to 20 MW of injected power via steerable mirror launchers. Controls gyrotron modulation (1 ms on/off response), mirrors for resonance layer targeting, and fast power switching for NTM stabilisation co-deposition. Receives disruption-mode commands from DPMS to redirect power for neoclassical tearing mode stabilisation. Real-time mirror position feedback enables closed-loop steering within ±0.1° accuracy.
emergency shutdown sequencer D7E73019 Physical hardware sequencer unit that executes the SCRAM action sequence in a fusion reactor. Dedicated single-board computer or programmable logic controller installed in nuclear-grade seismically qualified racks. Physical hardware with discrete I/O for driving solenoid valves, circuit breakers, and actuation relays. The unit has a physical enclosure, power supply, and rack installation in the nuclear island.
Emergency Shutdown Sequencer D6E53218 Hardware sequencer unit that executes the physical SCRAM action sequence in a fusion reactor. A dedicated rackmount controller with hardwired relay outputs commanding Massive Gas Injection valves, magnetic energy extraction crowbars, NBI beam-off gates, and ECRH interlock. Physical steel cabinet unit qualified to IEEE 344 seismic category I, with redundant power supplies and manual override capability. Executes predefined actuation sequence within 20 ms of trip signal, with no software involved in the safety function execution path. Distinct from the Safety Logic Processor (trip logic computation) and IESS (overall safety system) — the ESS is the electromechanical actuation module.
Energy Extraction and Dump System 54F73218 Fast energy extraction unit (FEDU) for tokamak superconducting magnet coils. On quench detection or emergency shutdown command, opens switching thyristors to insert dump resistors in series with each coil circuit, diverting the stored magnetic energy (~50 GJ for TF coils) into water-cooled dump resistors. Must complete energy transfer within 30 s for TF coils, 10 s for PF coils. Peak dump resistor voltage ≤20 kV. Redundant thyristor stacks (2oo2 to open, 1oo2 to close fail-safe). Also provides controlled ramp-down capability under normal shutdown.
Equilibrium Reconstruction Processor 54F73208 Real-time solver for the Grad-Shafranov equation running on dedicated FPGA/DSP cluster. Ingests 160 magnetic measurements (Mirnov coils, flux loops, Rogowski coils) sampled at 10 kHz, reconstructs 2D plasma boundary, current density profile, and q-profile within 100 μs. Primary output is the equilibrium state vector used by shape and position controller. Critical for determining whether plasma is within operational boundaries. Must continue functioning with up to 20% sensor dropout.
Fuel Injection and Burn Control 54F73200 Subsystem managing fuel (D-T mixture) injection into the plasma via gas puffing (20 valves, 0–100 mbar·L/s), pellet injection (frequency 0–50 Hz, pellet size 2–4 mm), and tritium breeding blanket inventory monitoring. Controls plasma density at 1×10²⁰ m⁻³ ± 5%, regulates fusion power output in burn phase (500 MW thermal), and manages helium ash pumping via divertor pressure control (0.1–1 Pa).
Fusion Physics Research Team 00857AB9 Scientists and plasma physicists responsible for experiment programme design, plasma scenario optimisation, and advancing fusion gain Q. Defines operational scenarios (plasma current ramps, NBI/ICRH combinations, seeding experiments), analyses diagnostic data post-pulse, and requests control system parameter changes to explore new operating regimes. Key performance metric: achieving Q>1 sustained burn.
Fusion Plant Operator 002D7AF9 Licensed operator responsible for day-to-day control and supervision of the fusion reactor. Monitors plasma performance displays, authorises mode transitions (ramp-up, flat-top burn, ramp-down), responds to alarms, and executes emergency procedures. Operates from a shielded main control room with 30+ display stations. Must manage multiple simultaneous system states and alarm floods during transients.
fusion reactor control system D7B57819 Top-level control system for a magnetic confinement fusion reactor (tokamak). Physical system comprising distributed rack-mounted computer hardware, I&C cabinets, operator consoles, and safety logic processors installed across the nuclear island and control room. Requires physical housing in IEC 62262 IK10-rated enclosures. Includes both software and physical hardware components — the system has a physical embodiment as installed plant equipment, not just a software architecture. Physical installation spans multiple rooms in the nuclear facility with defined cable routes and equipment layout.
Fusion Reactor Control System 51F77B19 Integrated digital control system for a tokamak-class magnetic confinement fusion reactor. Manages plasma initiation, equilibrium control, fusion burn regulation, disruption detection and mitigation, and safe shutdown. Operates in a high-radiation, high-EMI environment with superconducting magnet coils at 4K, 150 MW neutral beam injection, RF heating systems, and a tritium breeding blanket. Safety integrity level SIL-4 equivalent (nuclear). Interfaces with the superconducting magnet power supplies, plasma diagnostics (bolometers, Thomson scattering, interferometers), neutral beam injection system, RF heating system, divertor cooling, tritium processing plant, and site protection system. Governs a 500 MW fusion plasma with burn pulse durations of 300–3600 seconds and plasma current up to 15 MA.
Gas Puffing Valve Controller 55F57A18 Real-time digital PID controller managing 20 piezoelectric gas injection valves on the tokamak first wall. Each valve has 0-100 mbar gas puff range with <10 ms response time. Controls D-T and impurity gas injection for plasma density regulation and edge cooling. Receives density setpoints from the Plasma Control System Shape and Position Controller. Outputs valve position commands and confirms flow rates via capacitance manometer feedback. Critical for plasma density control and emergency density ramp-down during soft disruption mitigation.
HCDC Supervisory and Safety Arbiter 51B77A30 Supervisory controller and safety function arbiter for all Heating and Current Drive systems in a tokamak. Maintains the total injected heating power budget (max 50 MW), sequences actuator startup/shutdown, enforces machine protection interlocks from IESS, and resolves competing demands between PCS (steady-state heating) and DPMS (NTM stabilisation). Implements watchdog monitoring of all heating subsystem health states with automatic safe-state command on loss of heartbeat. Archives power deposition profiles to plant historian at 10 Hz.
Heating and Current Drive Control 51F73200 Subsystem coordinating power delivery from three heating systems: 150 MW neutral beam injection (NBI, 1 MeV D⁰ beams), 50 MW ion cyclotron resonance heating (ICRH at 50–55 MHz), and 20 MW electron cyclotron resonance heating (ECRH at 170 GHz). Controls power ramp rates, beam timing, beam species mix, and RF phase for current drive efficiency. Interfaces with the plasma control system to manage plasma stored energy and fusion gain Q.
I&C Maintenance Engineer 00851278 Specialist engineer responsible for calibration, testing, and repair of instrumentation and control systems during planned outages. Performs online monitoring during operations, manages spare-part inventory, and executes surveillance tests of safety-classified systems. Must maintain I&C systems in high-radiation and tritium environments; remote handling and HEPA-filtered procedures apply.
ICRH Controller 55F57A08 Ion Cyclotron Resonance Heating controller managing 8 RF transmitters at 40-55 MHz, delivering up to 20 MW via 8 port antennas. Controls frequency tuning to track plasma resonance layer shift during density and temperature transients, manages voltage standing wave ratio (VSWR) protection to prevent arc damage in antenna feeds, and coordinates fast power ramp-down (<2 ms) on antenna arc detection. Operates in minority heating (H minority) and mode conversion regimes. Interfaces with PCS for real-time frequency correction based on estimated plasma ion cyclotron frequency.
Interlock and Emergency Shutdown System D6E53859 Hardwired interlock and emergency shutdown system for a tokamak fusion reactor. Physical hardware installed in Class 1E cabinets: trip amplifier racks, relay matrices, and safety PLCs qualified to IEC 61513 Category A. Directly drives coil crowbar circuits, plasma gas injection valves, and magnet protection systems. Physically separated from the control system in a dedicated I&C room with seismic qualification. Redundant power supplies and diverse cooling.
Machine Timing and Synchronisation System 51F77A18 GPS-disciplined timing master providing sub-microsecond synchronised timestamps and deterministic trigger pulses to all I&C subsystems across the tokamak facility. Generates shot timing reference (T=0), pre-pulse arming triggers, and inter-subsystem synchronisation pulses. Critical for coordinated actuator commands in Plasma Control System (<5 µs jitter) and for timestamping diagnostic data to <1 µs accuracy for post-pulse equilibrium reconstruction. Dual redundant timing channels with automatic switchover. IEEE 1588 PTP and IRIG-B output formats.
Magnet Power Supply Controller 55F53A18 Digital controller for the thyristor-based AC/DC power converters feeding each superconducting coil circuit (up to 18 TF coils and 6 PF+CS coils). Executes current reference waveforms uploaded by the Plasma Control System for plasma initiation, ramp-up, and flat-top phases. Implements inner current control loop at 1 kHz with ±1 A accuracy. Enforces soft limits (±5% of nominal) and hard trip limits (±10%) on current, voltage, and converter temperatures. Provides galvanic isolation between low-voltage control circuitry and high-voltage (≤68 kV DC) coil bus.
Magnet Safety and Protection System 55F73010 Dedicated SIL-4 subsystem monitoring 18 toroidal field coils and 9 poloidal field coils operating at 4K with 68 kA currents and 50 GJ stored magnetic energy. Detects quench events via resistive voltage monitoring and passive quench detection loops within 10 ms, triggers quench protection heater firing within 20 ms, and commands energy extraction dumps. Monitors helium cooling circuit pressures (0–2 bar, ±0.01 bar) and temperatures. Independent hardware interlock layer with no software override.
Magnetic Diagnostics Array 54C57200 Array of Rogowski coils, partial Rogowski sensors, diamagnetic loops, saddle coils, and flux loops distributed around the tokamak vacuum vessel inner wall. Measures plasma current, position, shape, and MHD mode activity in real time. Provides continuous analogue signals at 100 kHz sampled by the PDIS signal conditioning unit. Calibration-critical: absolute accuracy of 0.1% on plasma current integral is required for equilibrium reconstruction. Components are inside or adjacent to the vacuum vessel and subject to neutron flux degradation — calibration drift monitoring is built into the diagnostic cycle.
MHD Mode Stabiliser 55F53208 Active control system for detection and suppression of neoclassical tearing modes (NTMs) and resistive wall modes (RWMs), and for ELM (Edge-Localised Mode) mitigation. Uses magnetic perturbation coil arrays and Thomson scattering data to detect mode growth. Drives external saddle coils and resonant magnetic perturbation (RMP) coils. NTM suppression via ECCD current drive at the rational surface requires real-time q-profile input from equilibrium reconstruction. RWM stabilisation requires rotation and wall distance monitoring. Mode growth times of 50-500 ms allow a 1 kHz control rate.
Mitigation Actuator Controller 51F53210 Real-time actuator controller within the DPMS that executes the disruption mitigation sequence. Controls a 6-valve massive gas injection (MGI) cluster capable of injecting 200–500 g of argon or neon into the vacuum vessel in ≤15 ms. Also commands NBI power ramp-down (from 150 MW to zero in 50 ms), ECRH shutdown, and central solenoid current rundown. Receives trigger from Disruption Prediction Engine (probabilistic) or hardwired from Safety Logic Processor (deterministic trip). Must issue first valve open command within 10 ms of trigger. Operates on dedicated 24 VDC battery-backed supply independent of plant power.
mode stabiliser 40800000
NBI Controller 51F57000 Neutral Beam Injector controller for a tokamak fusion reactor. Manages beam line operations for 4 tangential injectors delivering up to 33.4 MW of 100 keV deuterium neutral beams. Controls ion source conditioning, beam calorimeter interlock, accelerator voltage regulation, neutraliser efficiency monitoring, and beam deflection for fast fault shutdown (<5 ms). Receives power setpoints from HCDC Supervisory and outputs beam-on status to IESS. Primary heating and co-current drive actuator for Q>1 plasma operations.
Nuclear Regulatory Authority 008578FD Government body (e.g. Office for Nuclear Regulation in UK, NRC in US) that licenses, inspects, and regulates the fusion facility. Enforces compliance with nuclear installation safety cases, radiological protection standards, tritium inventory limits, emergency planning, and environmental discharge authorisations. Requires deterministic safety analysis and probabilistic risk assessment documentation. Fusion-specific regulatory framework still emerging (different from fission regulation).
Operator Console System 54EC7B18 Multi-screen SCADA operator interface providing real-time visualisation of plasma state, machine protection status, subsystem health, and control authority. Three redundant operator workstations (control room, shift supervisor, remote monitoring). Presents unified alarm annunciation, procedure guidance, and plasma operational state from the Plant Operations Sequencer. Does not issue safety commands — supervisory commands only, mediated through Plant Operations Sequencer interlocking. Data refresh at 4 Hz for display; 1 Hz for archival.
PCS Real-Time Data Bus 40A57200 Deterministic real-time data network interconnecting all Plasma Control System components. Implements MARTe2 (Multi-threaded Application Real-Time executor) framework with reflective memory and shared data store. Guarantees 10 kHz cycle synchronisation across all nodes with <1 μs jitter. Carries equilibrium state vectors, control setpoints, mode amplitudes, and diagnostic data. Failure of the bus triggers a safe state handoff to IESS. Dual-ring topology with automatic failover.
pellet injection controller D6F51018 Cryogenic pellet injection controller for a tokamak fusion reactor. Physical hardware comprising cryostat containing solid hydrogen pellet formation mechanism, pneumatic gun breach assembly, pellet tracking cameras, and dedicated motion control electronics. Operates at 4-20K for pellet formation, 15-70 bar injection pressure. Injects deuterium-tritium pellets at 50-1000 m/s at 1-10 Hz into the plasma for fuelling and disruption mitigation. Radiation-hardened electronics within the reactor building bioshield.
Pellet Injection Controller DEF51018 Centrifuge-based pellet injector controller for deep core fuelling of a tokamak plasma. Physical hardware comprising cryogenic systems for pellet formation at 15-18 K, electromagnetic pellet acceleration mechanisms (guide tubes), and digital control electronics. The PIC is a physical installation in the neutral beam cell of the tokamak facility, requiring radiation-hardened enclosures, cryogenic cooling infrastructure, and tritium-compatible materials. Physical embodiment includes a rack-mounted control unit and associated cryostat hardware.
Plant Control and I&C System 50B53218 Supervisory control and instrumentation system managing the non-plasma balance-of-plant: divertor cooling (primary coolant 300°C/15 MPa, 2000 kg/s), tritium extraction from the breeding blanket, cryogenic system for superconducting magnets (liquid helium at 4K, 10 kW refrigeration), vacuum systems (plasma vessel <10⁻⁶ Pa, cryostat <10⁻⁴ Pa), and power conversion interface. DCS architecture with 250 ms scan cycles, separate from real-time plasma control.
Plant Data Historian 50841308 High-throughput time-series archival system recording plasma state vectors, diagnostic signals, actuator commands, and alarm events. Ingests data at aggregate 50 MB/s from all subsystems during plasma operations. Provides post-pulse data access for physicists via REST API within 60 seconds of pulse end. Stores minimum 10 years of pulse data with lossless compression. Also provides slow-data trending for plant maintenance and degradation analysis. Distinct from the real-time diagnostic archive; operates on best-effort Ethernet network, not real-time bus.
Plant I&C Network Infrastructure 40857018 Layered communication network backbone interconnecting all I&C subsystems — control room, plasma control, IESS, diagnostics, heating, and magnet systems. Segregated network zones: real-time deterministic control LAN (EtherCAT/Ethernet POWERLINK, <1ms latency), best-effort monitoring LAN (GbE), and safety-isolated IESS network (physically separate). Cybersecurity enforcement via industrial firewalls, unidirectional data diodes between safety and non-safety zones, and role-based access control. Fibre-optic backbone between buildings for EMI immunity in high-field environment.
Plant Operations Sequencer 51B57A18 State machine controller managing the operational lifecycle of the fusion reactor, from pre-shot conditioning through plasma initiation and ramp-up, flat-top operation, and controlled ramp-down to post-pulse analysis mode. Issues operating mode commands to all eight subsystems via a supervisory SCADA bus at 10 Hz. Manages permit and interlock logic for mode transitions. Maintains the authoritative machine state variable (MSV) consumed by all subsystems. 1oo2 hot-standby redundancy with automatic failover in <500 ms. Runs on safety-grade hardware that is diverse from the plasma control workstations.
plasma control system 51F73A18 Distributed real-time control system for plasma position, shape, and stability in a tokamak fusion reactor. Physical hardware comprising dedicated DSP controller racks in the control room, I/O chassis interfacing to magnetic flux loops and Rogowski coils, and real-time fibre optic networks to power supply controllers. Implements equilibrium reconstruction at 10 kHz and magnetic field coil current setpoint generation. Operates at 60-80°C ambient in the plant building within magnetic shielding enclosures.
Plasma Control System 51F73A08 Real-time feedback control subsystem managing plasma equilibrium, current profile, and beta limits. Processes magnetic field measurements from ~200 Mirnov coils and flux loops at 10 kHz, computes equilibrium reconstruction using EFIT++ at 1 kHz, generates coil current setpoints for the 18 poloidal field coils and central solenoid, and enforces operating limits. Controls vertical stability (tau_vde < 100ms), radial position (±2cm), and plasma current (±1% of 15 MA). SIL-4 classified — loss of this function leads directly to disruption.
Plasma Diagnostics Integration System 54E77308 Data acquisition and integration subsystem processing raw signals from 300+ diagnostic instruments: Thomson scattering (Te and ne profiles at 50 ms intervals), charge exchange recombination spectroscopy (ion temperature and rotation), bolometry (radiated power 0–200 MW), interferometry (line-averaged density), neutron cameras (neutron emission profile), and spectroscopy (impurity monitoring). Provides validated, time-stamped data to the plasma control system, disruption predictor, and data archiving at 1 Hz–10 kHz depending on diagnostic.
quench detection system D6E55018 Physical hardware quench detection system for superconducting magnets in a tokamak fusion reactor. Physical installation includes voltage bridge measurement circuitry, signal conditioning electronics, and rack-mounted processing units housed in seismically qualified cabinets. The system has physical sensors (voltage taps, Rogowski coils) installed directly on the superconducting coil assemblies and physical signal cables routing through the nuclear island. Physical embodiment is essential for its function — the voltage measurement bridges must be directly connected to the coil terminals.
Quench Detection System 54F77218 Voltage-bridge-based quench detection subsystem for a tokamak's superconducting magnet coils (TF, PF, CS). Monitors resistive voltage across individual coil pancakes using inductive voltage compensation (dI/dt rejection) to discriminate resistive quench voltage from normal inductive transients. Implements 2oo3 voting on three independent detection channels per coil group. Detection threshold: resistive voltage ≥50 mV for ≥5 ms triggers quench alarm. Maximum detection latency: 20 ms from quench onset to alarm output. SIL-4 classified per IEC 61508.
Real-Time Diagnostic Signal Conditioner D4F55208 High-speed analogue-to-digital conversion and signal conditioning front-end for all real-time plasma diagnostics, including magnetic coil signals, soft X-ray detectors, and interferometry. Digitises up to 512 channels at 100 kHz, 16-bit resolution. Provides noise-filtered, calibrated digital outputs to the Equilibrium Reconstruction Processor and Disruption Precursor Monitor with latency <100 µs. Anti-aliasing filters, galvanic isolation per channel, and real-time self-calibration against known reference signals. Housed in radiation-hardened enclosures within the diagnostics hall.
safety arbiter D6A51858 Hardware safety voting arbiter for a tokamak fusion reactor HCDC subsystem. Physical 2oo3 voting relay assembly housed in a Class 1E cabinet in the nuclear island. Receives independently processed channel votes from the IESS and heating control loops via hardwired connections. Acts as the authoritative hardware interlock for plasma heating power. Physical enclosure with tamper-evident seals, radiation-hardened relay coils, and hardwired output to plasma-facing heating power switches. Qualified to IEC 61513 Category B. Physical box with physical I/O terminals — not a software function.
safety logic processor D6F73018 Hardware-based SIL-4 safety logic processor for nuclear I&C applications. A physical 19-inch rackmount unit containing redundant FPGA processing elements with hardwired voting logic for trip parameter comparison. Receives analog and digital inputs from trip parameter monitors, computes 2oo3 voting logic on-board, and outputs hardwired relay signals to the Emergency Shutdown System. Physical unit with deterministic cycle time <10ms, qualified to IEEE 344 seismic requirements and IEC 60780 nuclear qualification standard. Installed in safety building separation zones with physical segregation from control system hardware.
Safety Logic Processor D6F73018 Hardware-based SIL-3/SIL-4 safety logic processor for nuclear I&C applications. A physical 19-inch rackmount unit containing redundant FPGA processing elements with hardwired voting logic for trip parameter comparison. Receives analog and digital inputs from trip parameter monitors, computes 2oo3 voting logic on-board, and outputs hardwired relay signals to the Emergency Shutdown System. Physical unit with deterministic cycle time <10ms, qualified to IEEE 344 seismic requirements and IEC 60780 nuclear qualification standard. Installed in safety building separation zones with physical segregation from control system hardware. Forms the computation layer of the SIL-3 trip chain.
Safety Parameter Display System 54CD7858
Shape and Position Controller 51F53B08 Feedback controller computing poloidal field coil current setpoints to achieve target plasma shape (elongation κ, triangularity δ, separatrix geometry) and horizontal/vertical position. Runs at 10 kHz on FPGA. Takes equilibrium reconstruction output as input, uses plasma-boundary-based control with isoflux control for gap control. Implements gain-scheduled PID with 48 independent coil channels. Operational limits enforced: plasma centre must stay within ±2 cm of reference, vertical position error < 1 cm before handoff to VSC.
Site Protection System 51F77859 Nuclear plant safety system independent of the Fusion Reactor Control System. Receives SCRAM demand signals from the interlock system and executes protective actions including breaker opening, diesel generator start, and area isolation. IEC 61511 SIL-3 classified. Owned by nuclear safety engineering group.
Superconducting Magnet System 56D57018 External system comprising 18 toroidal field coils and 9 poloidal field coils operating at 4K with 68 kA peak currents and 50 GJ stored energy. Receives current setpoint commands from the Fusion Reactor Control System and returns quench status, coil temperatures, and helium pressure readings. Owned by magnet engineering group.
Thomson Scattering and Interferometry System 54C43210 Electron temperature and density profile diagnostic using pulsed Nd:YAG laser Thomson scattering and millimetre-wave interferometry. Provides electron temperature Te profiles (10 eV to 30 keV range) and line-averaged electron density ne from the interferometer at 50 ms intervals. Primary non-real-time plasma parameter measurement; data are used for post-pulse analysis and slow feedback to plasma scenario control but not for the real-time equilibrium reconstruction. Laser safety interlocked with plasma operation mode. Spectrometer arrays and detectors housed outside the bio-shield.
Trip Parameter Monitor D4E47018 Redundant (3-channel) analogue/digital signal conditioning and threshold comparison unit for plasma interlock parameters. Monitors plasma current (Ip > 15 MA trip), vertical position error (>0.3 m trip), beta_N (>3.5 trip), and neutron emission rate (>5×10^19 n/s trip). Each channel receives signals from independent sensor sets. Outputs discrete 24V trip signal to Safety Logic Processor within 1 ms of threshold crossing. Channels are physically segregated to prevent common-cause failure.
Tritium and Fuel Inventory Controller 55F77A59 Nuclear material accountancy and safety interlock subsystem for tritium (T) and deuterium-tritium (D-T) fuel management on a fusion reactor. Tracks tritium inventory across the fuel cycle: storage vessels, torus injection lines, and exhaust processing. Provides real-time tritium activity estimates (Ci-level) to the site safety system and the nuclear regulatory authority telemetry gateway. Enforces hard injection limits: halts all gas puffing and pellet injection if cumulative in-vessel tritium estimate exceeds 30g. Interfaces with the IESS to assert fuel-off interlock when tritium sensors detect leakage above 10 μSv/h at boundary. Subject to nuclear material safeguards regulations.
Vertical Stability Controller 51F73B08 Dedicated fast digital controller for suppression of n=0 vertical displacement events (VDEs) in elongated plasmas. Runs at 100 kHz on standalone FPGA separate from main PCS hardware to avoid single-point failure. Computes vertical position from saddle coil array and drives vertical field coil power supply within 50 μs. Implements active control with state observer to estimate growth rate; triggers plasma termination handoff to IESS if vertical displacement exceeds 10 cm and growth rate > 50 m/s.

Decomposition Relationships

Part-Of

Component | Belongs To
Plasma Control System | Fusion Reactor Control System
Disruption Prediction and Mitigation System | Fusion Reactor Control System
Heating and Current Drive Control | Fusion Reactor Control System
Magnet Safety and Protection System | Fusion Reactor Control System
Fuel Injection and Burn Control | Fusion Reactor Control System
Plasma Diagnostics Integration System | Fusion Reactor Control System
Plant Control and I&C System | Fusion Reactor Control System
Interlock and Emergency Shutdown System | Fusion Reactor Control System
Safety Logic Processor | Interlock and Emergency Shutdown System
Trip Parameter Monitor | Interlock and Emergency Shutdown System
Emergency Shutdown Sequencer | Interlock and Emergency Shutdown System
Safety Parameter Display System | Interlock and Emergency Shutdown System
Disruption Precursor Monitor | Disruption Prediction and Mitigation System
Disruption Prediction Engine | Disruption Prediction and Mitigation System
Mitigation Actuator Controller | Disruption Prediction and Mitigation System
DPMS Supervisory and Archive | Disruption Prediction and Mitigation System
Equilibrium Reconstruction Processor | Plasma Control System
Shape and Position Controller | Plasma Control System
Vertical Stability Controller | Plasma Control System
MHD Mode Stabiliser | Plasma Control System
PCS Real-Time Data Bus | Plasma Control System
Quench Detection System | Magnet Safety and Protection System
Energy Extraction and Dump System | Magnet Safety and Protection System
Magnet Power Supply Controller | Magnet Safety and Protection System
Coil Thermal and Cryogenic Monitor | Magnet Safety and Protection System
Gas Puffing Valve Controller | Fuel Injection and Burn Control
Pellet Injection Controller | Fuel Injection and Burn Control
Burn Condition Monitor | Fuel Injection and Burn Control
Tritium and Fuel Inventory Controller | Fuel Injection and Burn Control
HCDC Supervisory and Safety Arbiter | Heating and Current Drive Control
NBI Controller | Heating and Current Drive Control
ECRH Controller | Heating and Current Drive Control
ICRH Controller | Heating and Current Drive Control
Plant Operations Sequencer | Plant Control and I&C System
Operator Console System | Plant Control and I&C System
Machine Timing and Synchronisation System | Plant Control and I&C System
Plant I&C Network Infrastructure | Plant Control and I&C System
Plant Data Historian | Plant Control and I&C System
Magnetic Diagnostics Array | Plasma Diagnostics Integration System
Real-Time Diagnostic Signal Conditioner | Plasma Diagnostics Integration System
Thomson Scattering and Interferometry System | Plasma Diagnostics Integration System
Disruption Precursor Sensor Suite | Plasma Diagnostics Integration System
Diagnostic Data Multiplexer | Plasma Diagnostics Integration System

Connections

From | To
Trip Parameter Monitor | Safety Logic Processor
Safety Logic Processor | Emergency Shutdown Sequencer
Safety Logic Processor | Safety Parameter Display System
Disruption Precursor Monitor | Disruption Prediction Engine
Disruption Prediction Engine | Mitigation Actuator Controller
Disruption Prediction Engine | DPMS Supervisory and Archive
Equilibrium Reconstruction Processor | Shape and Position Controller
Equilibrium Reconstruction Processor | MHD Mode Stabiliser
Shape and Position Controller | Vertical Stability Controller
Vertical Stability Controller | Interlock and Emergency Shutdown System
PCS Real-Time Data Bus | Equilibrium Reconstruction Processor
PCS Real-Time Data Bus | Shape and Position Controller
PCS Real-Time Data Bus | MHD Mode Stabiliser
Coil Thermal and Cryogenic Monitor | Quench Detection System
Quench Detection System | Energy Extraction and Dump System
Quench Detection System | Interlock and Emergency Shutdown System
Magnet Power Supply Controller | Quench Detection System
Burn Condition Monitor | Disruption Prediction and Mitigation System
Tritium and Fuel Inventory Controller | Interlock and Emergency Shutdown System
Gas Puffing Valve Controller | Plasma Control System
Pellet Injection Controller | MHD Mode Stabiliser
Plant Operations Sequencer | Plasma Control System
Plant Operations Sequencer | Interlock and Emergency Shutdown System
Machine Timing and Synchronisation System | Plasma Control System
Machine Timing and Synchronisation System | Plasma Diagnostics Integration System
Plant Data Historian | Plasma Diagnostics Integration System
Plant Operations Sequencer | Operator Console System
Magnetic Diagnostics Array | Real-Time Diagnostic Signal Conditioner
Disruption Precursor Sensor Suite | Real-Time Diagnostic Signal Conditioner
Real-Time Diagnostic Signal Conditioner | Diagnostic Data Multiplexer
Diagnostic Data Multiplexer | Equilibrium Reconstruction Processor
Diagnostic Data Multiplexer | Disruption Precursor Monitor
Diagnostic Data Multiplexer | Plant Data Historian
Thomson Scattering and Interferometry System | Plant Data Historian

Produces

Component | Output
Safety Logic Processor | safety trip signal
Trip Parameter Monitor | trip threshold signal
Emergency Shutdown Sequencer | plasma termination sequence commands
Safety Parameter Display System | qualified safety parameter display
Disruption Precursor Monitor | 128-element MHD feature vector at 10 kHz
Disruption Prediction Engine | disruption risk probability and time-to-disruption estimate at 10 kHz
Mitigation Actuator Controller | MGI valve open commands and heating ramp-down signals
Equilibrium Reconstruction Processor | 2D equilibrium state vector at 10 kHz (boundary, q-profile, Shafranov shift)
Shape and Position Controller | 48-channel poloidal field coil current setpoints at 10 kHz
Vertical Stability Controller | vertical field coil setpoint at 100 kHz and VDE trip demand
MHD Mode Stabiliser | RMP coil drive commands and ECCD power setpoints for NTM suppression
Quench Detection System | quench-alarm-signal
Energy Extraction and Dump System | coil-energy-dump-confirmation
Magnet Power Supply Controller | coil-current-waveform
Coil Thermal and Cryogenic Monitor | coil-thermal-state-vector
Gas Puffing Valve Controller | valve-position-commands
Pellet Injection Controller | pellet-injection-events
Burn Condition Monitor | fusion-power-estimate
Tritium and Fuel Inventory Controller | tritium-inventory-estimate
Plant Operations Sequencer | machine state variable
Machine Timing and Synchronisation System | synchronised timing pulses and timestamps
Plant Data Historian | archived pulse data record
Magnetic Diagnostics Array | plasma current, position and MHD mode signals
Real-Time Diagnostic Signal Conditioner | calibrated real-time digital diagnostic streams
Thomson Scattering and Interferometry System | electron temperature and density profiles
Disruption Precursor Sensor Suite | disruption precursor sensor signals
Diagnostic Data Multiplexer | routed diagnostic data to control and archival consumers