Fusion Reactor Control System

Rationale: Fusion Plant Operator: operators managing a 500 MW plasma must track multiple coupled parameters simultaneously. A 200 ms display refresh is the human-factors limit for transient detection identified in IEA/NEA operator studies; slower refresh causes operators to miss fast-evolving instabilities before automatic systems engage.

Rationale: Fusion Plant Operator: operators must be able to safely terminate a plasma experiment on demand without triggering an unmitigated disruption, which would deposit >100 MJ on the first wall and potentially delay subsequent pulses by weeks. 300 s is set by the minimum ramp rate of the central solenoid current.

Rationale: Nuclear Regulatory Authority: regulators require demonstrable traceability for all safety-relevant events per nuclear installation licensing conditions. 1 ms timestamp accuracy supports post-event reconstruction for safety analysis. 10-year retention matches the typical operating licence period.

Rationale: Nuclear Regulatory Authority: tritium release limits are defined in the facility radiological protection programme and environmental authorisation. 10 μSv/h is the controlled area occupational limit; 1 μSv/h alarm threshold provides a 10× margin for evacuation before personnel dose becomes significant. Failure to meet this would trigger revocation of site operating authorisation.

Rationale: I&C Maintenance Engineer: online maintenance capability is mandatory for a system with a target availability of 90% over a 40-year plant life. 4-hour MTTR is derived from maintenance access schedules in high-radiation environments, where decontamination and remote handling add 2–3× overhead versus normal maintenance.

Rationale: I&C Maintenance Engineer: self-diagnostic coverage is the primary reliability driver for safety-classified I&C systems per IEC 61508. 90% diagnostic coverage (DC) is required to achieve SIL-3 claim for hardware fault tolerance. 10 s reporting ensures maintenance team can respond before a second fault occurs in a redundant channel.

Rationale: Fusion Physics Research Team: 1 kHz state vector archiving is required to resolve MHD instability dynamics (tearing modes, ELMs) with characteristic timescales of 1–10 ms. 60 s post-pulse availability supports rapid experiment iteration; delays beyond this compress the physics analysis window between pulses in a high-repetition programme.

Rationale: Fusion Physics Research Team: experiment programme flexibility is the primary science driver. Requiring an outage for scenario updates would reduce pulse rate from target 10 pulses/day to < 2 pulses/day, making the scientific programme commercially unviable. Parameter validation must include physics limit checking to prevent unsafe scenarios.

Rationale: Environment: the reactor building is required by nuclear licensing to withstand a site-specific SSE. 0.2g is conservative for temperate European sites. Spurious actuation during seismic events could cause plasma disruptions and magnet quench; loss of function could prevent safe shutdown — both are hazard initiators.

Rationale: Environment: tokamak operation generates one of the most severe electromagnetic environments of any engineered system. The pulsed coil currents (68 kA in 10 s) create dB/dt transients that can induce voltages in control signal cables. ECRH and ICRH systems emit RF that can corrupt digital communications. Failure to comply with EMC limits would result in control system malfunctions during plasma heating — precisely when control accuracy is most critical.

Rationale: Derived from STK-REQ-001 and STK-REQ-002: radial position control ±2 cm is set by the first-wall protection margin (first-wall gap ≈ 15 cm; ±2 cm leaves ≥10 cm margin for thermal load asymmetry). Current control ±1% is required to maintain equilibrium within the stable operating space boundary and prevent disruptions during flat-top.

Rationale: Derived from STK-REQ-001 and STK-REQ-009: the thermal quench in an unmitigated disruption deposits >100 MJ on the divertor in <1 ms, exceeding the carbon/tungsten first-wall erosion threshold. 50 ms detection-to-actuation budget is set by the fastest known disruption onset timescale (locked-mode disruptions, ~100 ms total). 80% mitigation efficiency is required to keep divertor surface temperature below 3000°C tungsten melting point.

Rationale: Derived from STK-REQ-007 and STK-REQ-008: ±5% stored energy control is required to prevent transition into the density limit (Greenwald density), which triggers disruptions, and to maintain thermal load on the blanket within its design envelope. ±5% density control follows from the same density limit margin calculation.

Rationale: Derived from STK-REQ-004 and STK-REQ-009: nuclear installation licensing requires that the ultimate safety function (safe shutdown) is immune to common cause failure with the control system. SIL-3 is derived from the preliminary probabilistic risk assessment: target core damage frequency <1×10⁻⁴/year with unavailability budget of <1×10⁻³ for the shutdown function. 5 s shutdown time is constrained by the energy dissipation rate of the superconducting magnets during normal ramp-down.

Rationale: Derived from STK-REQ-007: 25-year retention is required to support nuclear site decommissioning records, which extend beyond the operating licence period. 1 kHz archiving supports MHD instability analysis at 1 ms resolution.

Rationale: STK-REQ-002 requires the system to execute operator-commanded plasma termination sequences and controlled ramp-down from full-power burn to safe state. No system-level requirement defines the plasma operational state machine and lifecycle sequence. Without a SYS-level lifecycle requirement, the POS state machine (SUB-REQ-050) cannot be verified against its stakeholder intent, and there is no system-level requirement that bounds the full cycle time or mandatory state transition authorisations.

Rationale: STK-REQ-001 is a direct stakeholder requirement for consolidated plasma state display with ≤200 ms refresh latency. Without a SYS-level requirement capturing the operator interface function, the display latency and parameter completeness requirements float at the SUB level with no system-level anchor, making it impossible to demonstrate that the system as a whole satisfies STK-REQ-001. This also enables the STK→SYS→SUB trace chain needed for the verification matrix.

Rationale: STK-REQ-008 requires the physics team to upload and validate new plasma control scenario parameters before each pulse without requiring a plant outage. The existing trace from STK-REQ-008 to SYS-REQ-003 (power regulation) does not capture the upload/validation workflow. Without a SYS-level requirement, the scenario management function has no system-level specification, making it impossible to verify that the plant can operate under routine inter-pulse physics scenario changes — the core operational workflow for a physics research tokamak.

Rationale: The FRCS, IESS, and Safety Arbiter are classified Ethically Significant (UHT bit 32): they are instruments of potentially catastrophic consequence if misused or misapplied, operating under nuclear regulatory oversight. This requirement codifies the ethical obligations: protection against single-point-of-failure suppression, dual authorisation for safety configuration changes, and prohibition on convenience-motivated safety inhibition. Derived from IAEA NS-G-1.3 and IEC 61513 requirements for safety system independence and authorisation.

Rationale: STK-REQ-006 specifies 90% diagnostic coverage and 10-second MMS reporting. This SYS requirement flows STK-REQ-006 to system level: the self-diagnostic function must be continuous (not only on demand), achieve 90% coverage of the I&C channel fault population, and interface to the external MMS within 10 seconds. The continuous operation requirement is driven by the need to detect degraded channels before they become safety-significant, consistent with IEC 61513 condition monitoring requirements for nuclear I&C.

Rationale: STK-REQ-010 specifies the EMC environment of the heating systems (ECRH/ICRH) and pulsed magnet power supplies. This SYS requirement flows the EMC obligation from stakeholder to system level. The specific standards (IEC 61000-4-3 for RF immunity, IEC 61000-4-8 for power frequency magnetic field immunity) are cited because they are the international standards applicable to I&C equipment in high-magnetic-field environments such as tokamak machine halls.