Fusion Reactor Control System

Rationale: Timing test with calibrated signal injection and oscilloscope capture is the definitive method for demonstrating the 10 ms trip response against actual hardware. Functional testing of all 15 trip functions is required for licensing evidence — analysis alone is not accepted by regulators for SIL-3 final element timing claims.

Rationale: Power-fail-safe behaviour must be demonstrated by test — it cannot be inferred from inspection of relay contacts, which may be welded or stuck. This test validates the complete fail-safe chain including the sequencer initiation response and is required as licensing evidence for the SIL-3 claim.

Rationale: Interface propagation delay is a timing budget item that determines whether the 10 ms total trip response is achievable. Isolation testing to 4 kV (2× working voltage) is required to demonstrate adequate margin against induced voltages from pulsed coil operation per IEC 60664 overvoltage Category III.

Rationale: All three timing measurements must be demonstrated on battery power because site AC failure is the plausible co-incident initiator of the disruption that triggers the trip. Testing under AC removes the most challenging operational condition and produces non-conservative evidence. Physical signal measurement (not logic simulation) is required for SIL-3 acceptance testing.

Rationale: End-to-end system integration test validates that the 30 ms total response chain is achievable when all components are integrated. Individual component tests (SUB-REQ-001 and SUB-REQ-004) verify timing budgets in isolation but cannot detect interface latencies or timing degradation under real signal conditions. This test is required before system-level SIL-3 claim can be made.

Rationale: Hardware-boundary timestamping eliminates operating system jitter from the measurement. 10,000 cycle sample provides statistical confidence that the 3 ms bound is not an artefact of thermal or memory state; the dataset must include pre-disruption windows from at least 50 distinct events covering different disruption types (VDE, NTM, locked mode).

Rationale: Battery-only test condition represents worst-case power scenario; mains-powered operation is expected to be faster. 50 repetitions cover statistical variation in solenoid driver response time. Oscilloscope probe at solenoid driver output (not valve position) is the appropriate measurement point as valve travel time is a mechanical characteristic outside the controller specification boundary.

Rationale: Mode-transition timing must be verified under simulated fault injection rather than software assertion alone; the 500 ms timer must run in hardware or watchdog-supervised firmware. Historical dataset of 100 events provides statistical confidence in the 80% TPR claim; dataset must include events with warning times less than 30 ms (slow disruptions) where threshold detection is known to be marginal, to characterise the limit of conservative mode coverage.

Rationale: Hardware-in-the-loop test at full operational rate is required because ERP latency is FPGA-timing-dependent and cannot be confirmed by analysis alone. The 99.9th percentile criterion allows for occasional memory refresh stalls while ensuring statistically reliable real-time performance.

Rationale: Two-phase test (with and without network paths) directly demonstrates that the hardwired path provides the 100 us performance independent of software — the core claim of IFC-REQ-010. Testing both phases is required for the IESS SIL-3 qualification record.

Rationale: Simultaneous threshold crossing test is the worst-case scenario that must be verified. HIL testing on the VSC FPGA hardware is required; simulation cannot substitute because the response latency is hardware-timing-dependent.

Rationale: End-to-end PCS chain test exercises the ERP-SPC-coil path as a closed loop. Individual component tests cannot verify that the data handoff latencies between ERP, RTDB, and SPC combine to produce the required system response. This test is required for plasma operations licence approval.

Rationale: Hardware independence test requires software to be inactive during verification to demonstrate the hardwired path is truly independent. 100 trials provides sufficient statistical confidence for safety classification.

Rationale: 99th percentile criterion at 1000 samples provides statistical confidence that rare worst-case latency still meets the 5 ms bound. Network load testing ensures the dedicated network isolation claim holds under real operating conditions.

Rationale: Calorimeter current rise is the fastest independently measurable beam-off proxy, confirming beam deflection without requiring optical diagnostics. Testing all 4 beam lines independently verifies each deflector independently meets the requirement.

Rationale: 350 ms end-to-end budget is derived from the 500 ms precursor warning window in SUB-REQ-009 minus a 150 ms margin for NTM stabilisation attempt. This test exercises the most safety-critical control chain in the system and must be verified as an integrated end-to-end path, not piecemeal.

Rationale: Integration test verifying the hardwired relay path meets the 2 ms latency budget. Oscilloscope timing captures the relay switching time plus cable propagation delay. Testing at temperature extremes (0°C–50°C ambient for control room hardware) verifies that relay contact resistance variation does not lengthen the signal path.

Rationale: Tests both nominal latency and message integrity handling. The corrupted-message test verifies the coded format provides error detection, preventing spurious dump commands from line noise.

Rationale: Verifies the primary safety requirement for quench detection. A coil emulator is used rather than a real coil quench because real quench experiments are destructive. Testing across current levels confirms that inductive compensation does not vary detectably with operating point.

Rationale: Scaled coil surrogates allow the dump timing and voltage profile to be verified without requiring the full-scale tokamak coil infrastructure. The scaling factor is calibrated against the energy extraction model to ensure pass/fail on the surrogate corresponds to pass/fail on the real coils.

Rationale: End-to-end integration test covering the complete quench-to-trip chain across QDS, FEDU, and IESS interfaces. Individual subsystem tests (VER-REQ-018 to VER-REQ-021) verify components in isolation; this test verifies that the chain timing budgets do not degrade when all subsystems are connected simultaneously.

Rationale: Integration test to verify density setpoint interface compliance at the GPVC boundary. Tests both network latency and valve acknowledgement path.

Rationale: Hardwired interface test that directly measures the timing jitter of the ELM trigger signal at the physical interface — cannot be simulated in software as it tests the hardware timing path.

Rationale: Functional safety test of SIL-3 interlock architecture. Must verify both the active trip path and the fail-safe de-energise-to-trip behaviour required by IEC 61511.

Rationale: Safety validation of the nuclear material accountancy limit enforcement. Both channels must be inhibited simultaneously to prevent asymmetric fuelling state.

Rationale: End-to-end integration test validates the controlled burn termination path that prevents unnecessary IESS trips during marginal Q conditions. Tests the chain from burn sensing through soft fuel withdrawal.

Rationale: Integration test for the BCM-DPMS data interface that validates both message integrity (CRC) and timing (10 Hz cadence) required by IFC-022.

Rationale: Statistical sampling over 1000 frames at nominal rate provides confidence in worst-case network latency under concurrent traffic. Pass rate of 99.9% reflects operational availability target.

Rationale: Direct measurement at subsystem receivers is the only way to verify end-to-end timing accuracy inclusive of fibre propagation delays and receiver circuit response. Five locations span the facility footprint and represent the worst-case propagation distance.

Rationale: Testing during FLAT-TOP state represents the highest-risk operational scenario where loss of MSV has the most consequence. Ten trials provide confidence in worst-case failover timing including memory synchronisation latency.

Rationale: The 60-minute test duration matches the maximum planned plasma pulse duration to verify sustained data integrity under real operational conditions. Zero frame loss is the pass criterion because partial data integrity cannot be accepted for equilibrium reconstruction.

Rationale: Timestamp accuracy must be verified against the timing reference rather than the sensor itself because the DPMS uses cross-correlation between multiple sensor channels — timestamp errors greater than 10 µs at 10 kHz sample rate would alias the phase relationship between channels and corrupt disruption risk estimates.

Rationale: This test validates the complete signal chain underpinning SYS-REQ-001 (±2 cm plasma position accuracy). The 1 ms budget is the combined 100 µs signal conditioning, 100 µs multiplexer, 800 µs ERP computation allocation. End-to-end testing is necessary because each individual interface may be within specification while the aggregate latency still violates the system requirement.

Rationale: IEEE 344 qualification test programme is the only accepted method to demonstrate seismic equipment qualification for nuclear class 1E/SIL-3 I&C components. Analysis alone is not sufficient under IEC 61508 for SIL-3 hardware.

Rationale: SUB-REQ-003 specifies >=90% IEC 61508 diagnostic coverage — a quantitative safety metric that must be verified by fault injection because analysis alone cannot confirm latent hardware fault detection in real channel electronics.

Rationale: SUB-REQ-005 specifies 200 ms refresh and failure indication; timing measurement confirms safety HMI chain performance.

Rationale: SUB-REQ-006 requires physical segregation with no bidirectional pathway; architectural inspection plus protocol analysis confirms the safety-critical network isolation property.

Rationale: SUB-REQ-007 specifies 8-hour battery autonomy for the IESS UPS; only a timed battery-discharge test under real load conditions can confirm the requirement is met.

Rationale: IFC-REQ-001 specifies a deterministic maximum latency for the plasma diagnostics real-time interface; instrumented network measurement under sustained load is the only valid confirmation method.

Rationale: IFC-REQ-002 specifies redundant galvanically isolated links with 1 ms feedback — interface properties that require end-to-end timing measurement and electrical isolation testing.

Rationale: IFC-REQ-003 requires a software-free hardwired interlock; architectural inspection plus continuity testing is the correct verification method for a passive safety circuit property.

Rationale: SUB-REQ-033 specifies both false-alarm immunity under dI/dt transients and 2oo3 detection performance — properties that cannot be analytically predicted for real coil geometries and must be test-verified.

Rationale: SUB-REQ-035 specifies a 10 s energy extraction time — a safety-critical timing requirement that must be measured under representative load conditions because thermal and magnetic interactions affect real extraction time.

Rationale: SUB-REQ-038 specifies quantified degraded-mode behaviour following a channel failure; test verification confirms the QDS graceful degradation logic functions as designed.

Rationale: SUB-REQ-046 is a tritium confinement safety function with a defined response time; functional test under simulated area monitor signal is required to confirm the interlock timing and chain.

Rationale: SUB-REQ-054 requires physical and logical separation between three security zones; penetration testing combined with architectural inspection confirms the network segregation property.

Rationale: SYS-REQ-006 requires seismic qualification per IEEE 344 for safety-critical equipment; physical qualification testing is the only valid verification method accepted by nuclear regulatory authorities.

Rationale: EMC performance cannot be verified by design review alone; the electromagnetic environment of a fusion reactor (simultaneous dB/dt and GHz RF) is unique and must be tested at representative signal levels to validate shielding and filtering designs.

Rationale: Diagnostic coverage can only be measured by exhaustive fault injection across all channel types. The 90% target and 10 s reporting latency must be verified end-to-end from fault occurrence to MMS receipt, not just at the detection logic boundary.

Rationale: Hardwired safety interfaces cannot be verified by review or analysis alone; propagation delay directly affects the SCRAM response time budget (SYS-REQ-004 ≤5 s total) and must be measured at the as-installed interface. Isolation voltage withstand confirms galvanic separation against plant ground faults.

Rationale: Energise-to-hold interfaces must be tested under actual loss-of-signal conditions, not just commanded trips. SLP power failure is a credible failure mode and the most safety-critical test scenario — it validates that the interface fails safe as designed.

Rationale: The 1 ms propagation requirement for both DPMS-to-IESS and IESS-to-MAC signal paths is safety-critical: delay reduces the effective mitigation window for a 50 ms total disruption response budget. Hardware timing must be measured at the interface terminals, not inferred from specification.

Rationale: 100 µs VDE trip propagation is the tightest interface timing requirement in the system, driven by the short timescale of vertical displacement events. This must be measured at terminal level under worst-case load conditions; simulated software halt verifies the hardware-independent path.

Rationale: The 1 ms beam-off delivery requirement must be verified under intentional supervisory software interruption to confirm that the hardwired bypass path functions as specified. Without this test, the independence claim in the requirement cannot be substantiated.

Rationale: Relay contact resistance variation (particularly over life) can degrade propagation time for hardwired interfaces. Testing at maximum rated contact resistance validates the ≤2 ms budget under worst-case component aging and confirms no software path dependency.

Rationale: Validates time-synchronisation requirement in IFC-REQ-006 needed for disruption precursor feature vector integrity.

Rationale: IFC-REQ-008 specifies a hardwired NBI inhibit interface between MAC and HCDC. The 2 ms budget is within the disruption mitigation chain latency margin per SYS-REQ-002.

Rationale: IFC-REQ-009 requires ERP equilibrium state delivery at 10 kHz for real-time plasma shape control. Dropped frames or latency exceeding 100 µs would break the PCS feedback loop timing in SYS-REQ-001.

Rationale: IFC-REQ-011 specifies q-profile delivery for NTM stabilisation control. Resolution below 50 nodes and latency above 1 ms would reduce MHD mode identification accuracy and impair ECRH targeting.

Rationale: IFC-REQ-014 links heating power control to PCS feedback — setpoint jitter above 2 ms or missed safe-state commands would leave plasma heating uncontrolled during abnormal transitions.

Rationale: IFC-REQ-017 requires digitised temperature exceedance flags from CTCM to QDS for coil protection. Missed or delayed flags would allow coil damage to proceed without quench detection activation.

Rationale: IFC-REQ-018 provides the PCS with coil current references for plasma position control. Latency above 200 µs or waveform discontinuities degrade the plasma control loop bandwidth in SYS-REQ-001.

Rationale: SUB-REQ-069 mandates 2-of-3 redundant voted architecture for IEC 61508 SIL-3 hardware fault tolerance (HFT=2). Testing must demonstrate both the nominal voted behaviour and single-channel fault tolerance, since SIL-3 requires the safety function to remain operable under any single hardware failure. Twelve scenarios cover all permutations of single-channel failure with two-channel trip assertion.

Rationale: SUB-REQ-070 requires fault-tolerant TMR with defined fail-safe behaviour on two-channel failure. IEC 61508 SIL-3 requires demonstration that HFT=2 is maintained: one-channel failure must not degrade safety function; two-channel failure must cause safe state transition. This VER requirement captures both the nominal TMR operation and the double-fault recovery test.

Rationale: SUB-REQ-074 requires IESS to hold all plasma-facing actuators de-energised while safe state is active. This prevents inadvertent plasma re-ignition following a SCRAM. The test must demonstrate both the hold function and its independence from software override, since a successful override would breach the hardware-enforced independence required by SYS-REQ-004.

Rationale: SUB-REQ-062 defines the multi-condition safe state. Inspection of the logic implementation against the formal definition is required to verify that every stated safe state criterion is enforced by a corresponding interlock with a monitored process variable. Unmonitored conditions in the safe state definition are a latent risk of undetected safe state exit.

Rationale: SUB-REQ-026 implements a safety function preventing first wall thermal overload. Test is required because the power summation and NTM priority logic must be demonstrated under simultaneous inputs. The NTM prioritisation path uses a separate code branch not exercised by individual subsystem tests. Inspection alone cannot demonstrate correct dynamic response.

Rationale: SUB-REQ-039 requires single-card failure must not prevent SCRAM actuation. This can only be confirmed by a physical hardware test demonstrating independence under fault injection. Analysis cannot substitute because the independence claim depends on the actual board layout, wiring, and relay drive circuitry. The test must be performed on the final production hardware configuration to support the SIL-3 safety case.

Rationale: SUB-REQ-010 sets the primary DPE performance specification. 95% TPR with 30 ms warning is the minimum to successfully initiate MGI before thermal quench deposits runaway energy on first-wall components; FPR ≤ 2/day is the maximum tolerable spurious SCRAM rate for operational availability.

Rationale: SUB-REQ-041 is the safety fallback when the ML-based disruption prediction fails. The hardwired fallback ensures an FPGA failure does not leave the reactor without disruption mitigation — an unmitigated thermal quench would damage first-wall components. The 50 ms budget is derived from the system-level disruption mitigation window in SYS-REQ-002.

Rationale: SUB-REQ-025 defines PCS degraded-mode behaviour on real-time bus failure. Freezing outputs preserves plasma stability during transient communication faults — an uncontrolled output step during bus failure could trigger a disruption. The 5-consecutive-cycle threshold provides hysteresis to filter single-cycle glitches while ensuring rapid response to sustained failure.

Rationale: SUB-REQ-030 ensures plasma heating continuity during single actuator failure. Without redistribution, sudden heating loss during flat-top burn can cause density collapse and disruption. The 100 ms response window aligns with the HCDC heartbeat monitoring interval and prevents a step-loss of plasma beta that would exceed the 5% stored energy tolerance in SYS-REQ-003.

Rationale: SUB-REQ-019 defines ERP fault-tolerance for sensor dropout. Maintaining equilibrium reconstruction with 20% channel loss is critical to avoiding a SCRAM during a diagnostic failure unrelated to plasma instability. The 20% threshold covers the expected maximum correlated failure rate of a single diagnostic front-end crate.

Rationale: SUB-REQ-036 ensures the magnet power supply tracks the plasma equilibrium waveform with sufficient precision. Coil current errors exceeding ±1 A at 15 MA perturb plasma position beyond the ±2 cm SYS-REQ-001 boundary. The hard trip threshold prevents sustained overcurrent from damaging superconducting coil insulation.

Rationale: IFC-REQ-025 ensures the data archive interface sustains the 1 kHz sample rate required by STK-REQ-007 and SYS-REQ-005. Without verified ingestion performance, the 25-year archival requirement cannot be met; post-pulse analysis and model retraining also require complete time-ordered data.

Rationale: IFC-REQ-026 defines the analogue performance of the magnetic diagnostics interface, the primary sensor input for equilibrium reconstruction and disruption prediction. CMRR ≥ 80 dB suppresses power line noise in the 15 MA toroidal current environment; INL ≤ 0.05% FS ensures ERP 160-channel reconstruction meets the ±2 cm position accuracy of SYS-REQ-001.

Rationale: SYS-REQ-007 mandates IEC 62443 SL-2 with data diode enforcement. Without adversarial penetration testing, network segmentation cannot be verified as effective — configuration inspection alone is insufficient for SL-2 compliance because misconfigurations may not be visible in documentation.

Rationale: SYS-REQ-004 mandates ≤5 s safe state transition. VER-REQ-005 covers only the first 30 ms (interlock logic chain). The full 5 s window encompasses plasma quench, heating shutdown, and fuel inhibit across IESS, PCS, HCDC, and FIBC. Only an integrated system test verifies the composed timeline meets the system-level budget.

Rationale: SUB-REQ-074 implements the safe state hold function. The safety argument depends on the system remaining in safe state once achieved. Without this test, a software or operator error could re-energise plasma-facing systems while the reactor is in post-SCRAM unsafe condition. The hardware interlock requirement prevents any software layer from bypassing the hold.

Rationale: SUB-REQ-031 prevents an unresponsive heating actuator controller from maintaining control of its actuator. An unresponsive controller maintaining last-commanded outputs could drive unsafe actuator states during plasma transients. Two-miss hysteresis suppresses single-cycle communication delays while ensuring rapid response to sustained controller failure.

Rationale: Watchdog timer boundary and hardware-enforced actuation must be verified by hardware fault injection; software analysis cannot demonstrate SIL-3 uncircumventability of the 100 ms reset trigger and MGI actuation chain.

Rationale: IEEE 344 seismic qualification requires physical shake-table testing with the actual hardware energised; analysis alone cannot substitute for nuclear safety equipment. The SSE response spectrum must be applied at the actual mounting configuration to qualify the qualification claim in SUB-REQ-064.

Rationale: IEC 61513 Category A qualification requires regulatory-approved documentation that cannot be reproduced by test; inspection of vendor qualification evidence against the certificate scope is the mandated verification method for nuclear I&C platforms.

Rationale: SUB-REQ-075 specifies a 100 ms switchover time for the hot-standby DPE node; hardware fault injection is required to validate the automatic failover mechanism under real failure conditions, as simulation cannot capture timing dependencies in the actual hardware architecture.

Rationale: SUB-REQ-076 mandates automatic 200 ms switchover without manual intervention; test under simulated sensor disagreement failure is the only way to validate the automatic switchover criterion, as the secondary channel cannot be activated by normal operation.

Rationale: SUB-REQ-058 specifies a safety-critical watchdog: failure to detect DPM output loss could leave the system unprotected during a disruption. Test by output inhibition verifies the 500 ms timing boundary and confirms the risk escalation is automatic and not operator-dependent.

Rationale: SYS-REQ-012 governs coordinated multi-system heating control over the full 73 MW range. Hardware test with calibrated power meters is required because analysis alone cannot account for actuator non-linearity. The redistribution sub-test validates degraded-mode behaviour of SUB-REQ-030.

Rationale: Functional test verifying the DPMS RE detection chain threshold, timing, and signal latching. 100-trial repetition establishes statistical confidence in the detection reliability under worst-case hardware-in-loop conditions.

Rationale: Functional test verifying the complete RE mitigation actuation chain from RE_DETECTED signal to valve command timing and injection parameters. 50-trial repetition ensures actuation reliability. Hardware-in-loop setup with test fixture simulates realistic valve hardware latency.

Rationale: REQ-SEFUSIONREACTORCONTROLSYSTEM-127 requires FL registration for all FRCS subsystems. Inspection of the FL against the installed inventory is the only practical verification method for this administrative compliance requirement.

Rationale: SUB-REQ-113 requires HCDC source controls to limit RF fields at PCS/IESS boundaries. Direct measurement of field strength at the receiving equipment boundary during an in-situ RF injection test is the only method that validates both the HCDC source controls and the system-level immunity simultaneously.

Rationale: IFC-REQ-022 specifies a deterministic 64-byte fixed-format message with CRC-32 integrity at 10 Hz. Protocol analyser capture is the only method that confirms both format compliance and error-rejection behaviour required for reliable disruption prediction input data integrity.

Rationale: IFC-REQ-023 mandates MSV delivery to all 7 operational subsystems within 50 ms at 10 Hz. Simultaneous end-to-end timing measurement across all 7 receivers is required — sequential point-to-point tests cannot detect multi-hop bus congestion or scheduling jitter that affects only some receivers.

Rationale: IFC-REQ-024 specifies rise time <=100 ns for shot timing signals. Direct oscilloscope measurement at the receiver is required to confirm signal integrity through fibre-optic links — analysis alone cannot account for dispersion and connector losses in the as-built installation.

Rationale: IFC-REQ-027 specifies zero frame loss tolerance during flat-top — a uniquely demanding requirement that must be verified under full operational load. Burst or idle-period testing would not expose queuing or timing drift under sustained 100 kHz throughput.

Rationale: IFC-REQ-028 specifies <=500 µs delivery latency and <=10 µs timestamp synchronisation at >=10 kHz. These are tight real-time constraints that require direct measurement under operational load; analysis would not reveal jitter induced by the fibre link or FPGA timestamp insertion hardware.

Rationale: SUB-REQ-085 asserts 1oo2 redundancy with PFD<1e-3. Only a hardware fault injection test with the surviving channel under load can confirm that independence is genuine and not compromised by shared cabling, power supply, or firmware. Analysis alone is insufficient for IEC 61508 SIL-3 claims on safety-critical actuation hardware.

Rationale: SUB-REQ-084 specifies the four-condition safe state achieved within 5 seconds — this is the primary safety acceptance criterion for the reactor. An end-to-end SCRAM test from full-power conditions is the only verification method accepted by nuclear regulators for IEC 61513 Category A qualification.

Rationale: SUB-REQ-108 requires safe state to be self-sustaining without active control intervention, verified by the SLP. Inspection of the SLP monitor outputs during and after a SCRAM test is the only method that confirms both the self-sustaining property and the SLP's ongoing monitoring function.

Rationale: SUB-REQ-112 requires IESS to verify all four safe state conditions and assert SAFE-STATE-CONFIRMED within 8 seconds. This timing constraint is directly derived from the 5-second SCRAM target in SYS-REQ-004 plus 3 seconds for verification confirmation. Direct timing measurement is required for IEC 61513 nuclear qualification.

Rationale: SUB-REQ-013 specifies a hard 100 μs latency and 0.01% missing-sample rate. These values feed directly into the disruption prediction response budget: DPM latency + DPE inference time must fit within the 50 ms precursor-to-actuation window of SYS-REQ-002. The requirement cannot be verified by analysis because the latency depends on real-time FPGA pipeline behaviour under concurrent diagnostic load. Hardware injection testing on the target platform is required.

Rationale: SUB-REQ-014 is the DPMS model-adaptation requirement: missed state-vector windows mean disruption precursors cannot be learned and model accuracy degrades over time. The 10-minute retraining trigger is a maintenance requirement tied to the 95% true-positive floor in SUB-REQ-010. Both time constraints require end-to-end test with injected events to confirm archive completeness and retraining automation.

Rationale: SUB-REQ-020 specifies the 2 cm geometric-centre tolerance that flows from SYS-REQ-001 (radial position tolerance). The PCS plasma-wall gap budget assumes this tolerance is maintained; exceeding it risks first-wall interaction at 15 MA plasma current. Hardware-in-the-loop is required because shape control performance depends on the coupled dynamics of the full magnetic equilibrium reconstruction and real-time actuator response.

Rationale: SUB-REQ-044 requires ELM-synchronised pellet injection within 0.5 ms. This is a hard real-time constraint: pellet injection outside the ELM-quiescent window causes plasma contamination and potential disruption. The 2% miss rate is the operational tolerance agreed with the physics team based on fuelling efficiency models. Only hardware timing measurements can confirm that the PIC firmware meets the synchronisation window, as software simulation cannot capture interrupt latency and DMA transfer timing on the target embedded system.

Rationale: SUB-REQ-045 specifies the 2% fusion power accuracy and 10 Hz update rate for the BCM. The BCM output is used by SUB-REQ-047 to trigger burn termination when Q<1 is predicted; a 2% error floor ensures the BCM does not produce spurious Q<1 alarms during normal operation. Calibration against a reference neutron flux instrument is required by IEC 61513 for safety-significant measurement chains in nuclear facilities.

Rationale: SUB-REQ-047 is the controlled burn termination trigger triggered by BCM Q<1 prediction. The 200 ms ramp-down budget is an engineering constraint derived from the plasma thermal energy decay time constant at low Q: exceeding this risks an uncontrolled burn collapse that the DPMS may classify as a disruption precursor and trigger SYS-REQ-002 mitigation. HIL testing is required to verify the command chain timing because it involves the interaction of three subsystems (BCM, GPVC, PIC) under real-time control.

Rationale: SUB-REQ-052 specifies the 1 us absolute and 5 us inter-subsystem timing accuracy required for coherent plasma state reconstruction at 1 kHz. If timing jitter exceeds 5 us, the equilibrium reconstruction processor receives phase-misaligned magnetic flux measurements that corrupt the shape reconstruction used by the PCS. GPS holdover accuracy ensures timing integrity during satellite outage periods. All values derive from the 1 kHz data acquisition requirement and the ERP phase tolerance analysis.

Rationale: SUB-REQ-042 specifies a 10 ms valve response time for density control. This is the actuator latency budget for the fuelling control loop: the Gas Puffing Valve Controller is the actuator for plasma density regulation (SYS-REQ-003). A valve response exceeding 10 ms introduces density overshoot at the 1×10^20 m^-3 operating point, which can trigger a density-limit disruption. Hardware measurement on the actual valve mechanism is required because solenoid response time is a mechanical property that cannot be calculated from datasheet values alone.

Rationale: SUB-REQ-053 is the ingest-rate requirement for the Plant Data Historian, which must archive all subsystem data at 50 MB/s aggregate during a plasma pulse. This flows from STK-REQ-007 (1 kHz data logging from 300+ instruments). Storage system performance under concurrent write load cannot be verified by analysis; a sustained load test is required. The 60-second post-pulse query latency also verifies the STK-REQ-007 post-pulse access requirement.

Rationale: SYS-REQ-001 is the primary plasma control performance requirement. End-to-end system test at full 15 MA plasma current during actual operation is required because the interaction of the PCS, magnetic diagnostics, power systems, and heating systems cannot be replicated in hardware-in-the-loop simulation with sufficient fidelity at full parameter. Five flat-tops provide statistical confidence that performance is sustained and not a single-shot result.

Rationale: SYS-REQ-002 specifies the 50 ms disruption response time and 80% energy mitigation efficiency. These derive from first-wall thermal load limits: exceeding 80% un-mitigated energy deposition at 15 MA plasma current produces tungsten first-wall melting. Full integrated HIL testing is required because the 50 ms budget spans three subsystems (DPMS detection, IESS routing, actuator response) and cannot be verified piecemeal without timing accumulation uncertainty.

Rationale: SYS-REQ-015 derives from STK-REQ-004 (tritium boundary integrity) and is a nuclear regulatory compliance requirement. The 30-second alarm latency is the maximum permitted by the facility radiation protection programme for personnel evacuation. A calibrated source challenge is the only method accepted by nuclear regulators to demonstrate that the tritium monitoring chain meets the response time and threshold accuracy requirements for personnel protection.

Rationale: SUB-REQ-114 defines quantified safe state exit conditions for each of six plant parameters across five trip scenarios. The verification must confirm all parameters simultaneously — a safe state where plasma current is within limits but RF power is still pulsing is not a genuine safe state. Five trip initiators are tested to verify that the safe state is reachable from each failure mode, not just from the nominal trip path.

Rationale: SUB-REQ-115 specifies a qualified maintenance bus compliant with IEC 61784-3 with 10-second fault reporting. Functional test at the subsystem level is necessary because the 10-second timing requirement and the frame format are testable acceptance criteria that cannot be verified by inspection of the design alone.

Rationale: SUB-REQ-116 is a documentation and compliance requirement — the acceptance criterion is the existence and content of the safety case. A test cannot confirm safety case completeness; only an analytical review of the documented safety case against IEC 61513 Category A requirements can verify this requirement.

Rationale: SUB-REQ-117 specifies a 100 ms failover time for GPVC dual-channel redundancy. The timing requirement can only be verified by hardware test — no analysis can determine whether the actual relay/switching circuitry meets 100 ms without physical measurement. The test must be performed on production hardware, not engineering model, due to component variation in relay timing.

Rationale: SUB-REQ-118 specifies five discrete conditioning preconditions that must all be satisfied simultaneously. The verification must test both the positive case (all five met → permit issued) and the negative cases (each precondition missing individually → permit refused). Testing 10 randomised combinations provides additional coverage for AND-gate logic errors. A test bench approach is required because the actual vessel bakeout takes ≥4 h — the test bench must simulate this via injected status signals.

Rationale: SUB-REQ-119 specifies five quantified acceptance criteria for the controlled shutdown sequence. Each criterion is independently measurable by instrumentation, requiring a functional test on the integrated system. The verification is performed at 50% design current (rather than full power) during initial site acceptance to manage risk, with full-power testing deferred to operational commissioning. All five criteria must be confirmed simultaneously to validate the shutdown sequencing logic.

Rationale: SYS-REQ-016 defines the plasma operational lifecycle as a state machine with mandatory sequencing, transition authorisation, and an 8-hour cycle time ceiling. Only a full-cycle demonstration on the commissioned plant can verify: (1) that all state transitions are properly authorised, (2) that the 8-hour cycle time is achievable, and (3) that unplanned transition attempts are correctly rejected. This is a demonstration rather than test because the acceptance criterion is correct functional sequencing rather than measurement of a specific parameter.

Rationale: SUB-REQ-050 defines 8 MSV states and a 10 Hz broadcast rate — neither has an explicit verification procedure. Additionally, the POS state names differ from SYS-REQ-016's lifecycle state names, creating a trace gap that must be demonstrated as a valid implementation mapping. VER-REQ-031 covers only the redundancy failover scenario, not the state machine completeness or broadcast rate.

Rationale: STK-REQ-001 mandates consolidated plasma state display with ≤200 ms latency. Testing at 100 Hz synthetic input provides 6,000 samples over 60 seconds, giving statistical confidence in the latency budget. The 7 specified parameter classes directly correspond to the STK-REQ-001 enumeration (plasma current, position, beta as stored energy proxy, disruption risk, with fuelling rate and neutron yield added as operationally essential FLAT-TOP burn indicators). 99th-percentile latency ≤300 ms is acceptable because operator decision-making on plasma control does not require better than 300 ms worst-case latency.

Rationale: STK-REQ-008 specifies an inter-pulse physics scenario workflow — a demonstration on commissioning plant is required to confirm that the full upload→validate→approve→activate cycle works within a realistic inter-pulse interval (typically 15-30 minutes) without disrupting ongoing operations. Testing parameter injection through the scenario management API provides confidence that the IEC 62443-3-3 access-controlled upload path and validation logic function correctly.

Rationale: SUB-REQ-066 mandates a seismically-qualified rack enclosure for the QDS with 1 mV conducted noise immunity under full coil energisation. IEEE 344 qualification requires documented shake-table evidence; IP54 is verified by inspection against ingress protection certificates. The 1 mV noise floor is verified under live coil energisation because laboratory bench test cannot replicate the actual dB/dt field environment of 10 T/s from the pulsed superconducting magnets — on-site commissioning measurement is the only valid verification method.

Rationale: SUB-REQ-067 specifies nuclear-grade enclosure requirements, radiation area constraints, and qualified connector standards. Physical inspection of installed hardware against design certificates is the appropriate verification method for enclosure compliance requirements. The 100 mSv/hr limit is a regulatory boundary condition for worker access classification under IAEA GSR Part 3, not a performance parameter testable by function — only radiological area survey confirms installation compliance.

Rationale: SUB-REQ-068 specifies three independent physical constraints for QDS hardware: proximity to each magnet coil, neutron fluence rating, and chassis segregation from non-safety systems. All three are physical installation and qualification properties that cannot be functionally tested; they must be verified by as-installed survey measurement and review of material qualification certificates. The 10 m cable run limit is a signal integrity constraint — longer runs would degrade quench detection sensitivity to below the voltage threshold at which quench events are distinguishable from electromagnetic noise.

Rationale: Integration test verifying GPVC fault-tolerance behaviour at the hardware level; covers both the sustained-operation and alarm-latency acceptance criteria in SUB-REQ-122.

Rationale: Qualification by test is the only acceptable method for tritium-wetted components in a nuclear licensing basis; inspection of design documents alone is insufficient per IEC 61513 and ITER procurement rules.

Rationale: Regulatory compliance for Category B I&C components is verified by document inspection against the procurement specification; functional testing cannot substitute for the paper trail required by the licensing basis.

Rationale: Software lifecycle compliance for nuclear Category B software is verified by document inspection; the completeness of the lifecycle documentation package is the primary audit evidence required by regulatory authority.

Rationale: SUB-REQ-022 specifies NTM detection and response timing requiring closed-loop HIL validation because FPGA-based ECRH steering cannot be validated by inspection alone.

Rationale: SUB-REQ-026 specifies a hard power ceiling for plasma heating that prevents first-wall thermal damage — a safety-critical test that must be performed on integrated hardware because the safety arbiter is a cross-subsystem enforcement point.

Rationale: SUB-REQ-024 specifies a 10 kHz clock synchronisation with 500 ns maximum skew across all PCS nodes — a timing requirement that cannot be verified by inspection and must be measured on integrated hardware with production cabling and topology.

Rationale: The safe state definition in REQ-139 specifies four discrete measurable end-conditions. Each condition must be verified by independent instrumentation (not the FRCS itself) to confirm the SCRAM function has achieved the required state. Integration testing with physical hardware is the only valid verification method for a safety function of this criticality.

Rationale: REQ-142 specifies 10 ms valve closure on single-channel failure and 50 ms secondary channel command. Fault injection testing on the physical hardware is required because the dual-channel behaviour cannot be verified by inspection or analysis of logic alone — actual switching transients and solenoid response times must be measured under hardware-fault conditions.

Rationale: The ethical safety obligation (REQ-143) concerns system architecture and procedural controls rather than real-time performance. Inspection of FMEA analysis, audit logs, and design documentation is the appropriate verification method: the absence of a capability (single-point suppression, unauthorised inhibit) is most reliably verified by examining the design rather than testing for exhaustive failure scenarios.