System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
```mermaid
flowchart TB
    n0["subsystem<br>Tokamak Core Assembly"]
    n1["subsystem<br>Superconducting Magnet System"]
    n2["subsystem<br>Cryogenic Plant"]
    n3["subsystem<br>Tritium Plant"]
    n4["subsystem<br>Power Conversion System"]
    n5["subsystem<br>Plasma Control System"]
    n6["subsystem<br>Remote Handling System"]
    n7["subsystem<br>Vacuum System"]
    n8["subsystem<br>Radiation Protection System"]
    n0 -->|Magnetic Field| n1
    n2 -->|4.5K Cooling| n1
    n3 -->|Fuel / Exhaust| n0
    n0 -->|Thermal Power| n4
    n5 -->|Control Commands| n0
    n5 -->|Coil Commands| n1
    n7 -->|Vacuum| n0
    n6 -->|Maintenance Access| n0
    n8 -.->|Shielding| n0
```

STEP Fusion Power Plant — Decomposition

| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Plasma Control System | PCS — Internal Components | SIL 3 | complete |
| Tritium Plant | Tritium Plant — Internal Components | SIL 3 | complete |
| Tokamak Core Assembly | Tokamak Core Assembly — Internal Components | SIL 3 | complete |
| Superconducting Magnet System | Superconducting Magnet System — Internal Components | SIL 2 | complete |
| Cryogenic Plant | Cryogenic Plant — Internal Components | SIL 2 | complete |
| Vacuum System | Vacuum System — Internal Components | SIL 2 | complete |
| Power Conversion System | Power Conversion System — Internal Components | SIL 1 | complete |
| Remote Handling System | Remote Handling System — Internal Components | SIL 1 | complete |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Plasma Control System SHALL execute the plasma position and shape control algorithm with a cycle time of 1 ms or less, processing all diagnostic inputs and issuing actuator commands within a single deterministic RTOS cycle. Rationale: Derived from IFC-REQ-005 (1 ms end-to-end latency) and SYS-REQ-004 (disruption mitigation within 10 ms). The 1 ms control cycle provides 10 samples before the 10 ms mitigation deadline and maintains the PID bandwidth needed for ELM suppression and NTM stabilisation at Q>=5 burn conditions. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-rttiming-507 |
| SUB-REQ-002 | The Plasma Control System SHALL detect plasma disruption precursors (locked mode amplitude exceeding 5 mT, beta collapse rate exceeding 10%/ms, or n=1 Mirnov signal exceeding threshold) and trigger massive material injection within 10 ms of threshold crossing, with a probability of detection of 0.99 or greater across the full disruption database. Rationale: Directly derives from SYS-REQ-004 (disruption mitigation within 10 ms) and hazard H-001 (plasma disruption, SIL-3). The 10 ms window is set by the thermal quench timescale: first-wall energy density exceeds design limits if mitigation fires later. 0.99 detection probability is the minimum consistent with SIL-3 unavailability budget of 10^-3. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-disruption-507 |
| SUB-REQ-003 | The Plasma Control System SHALL implement dual-redundant Real-Time Plasma Controllers executing identical algorithms in lockstep, with automatic switchover to the standby controller within 500 ms of a primary controller fault, without loss of plasma confinement. Rationale: Updated in validation session 530: SIL-3 dual-redundancy requirement for RTPC must use Test verification per IEC 61508. VER-REQ-016 specifies the hardware failover injection test. The earlier Demonstration designation was insufficient for SIL-3 — Test is mandatory where Analysis alone cannot validate the actual switchover latency and state-preservation under realistic fault conditions. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-redundancy-507 |
| SUB-REQ-004 | The Plasma Control System Diagnostic Data Acquisition Front-End SHALL sample all 40 or more plasma diagnostic channels at a minimum rate of 1 kHz with hardware-timestamped synchronisation accuracy of 1 microsecond or better across all channels. Rationale: Derived from IFC-REQ-005 (40+ diagnostics at 1 kHz). Synchronisation accuracy of 1 microsecond is required to correctly correlate spatially distributed magnetic and kinetic measurements for equilibrium reconstruction: timing error above 1 ms introduces position errors of order 10 cm in the reconstructed plasma boundary, exceeding the control tolerance. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-daq-507 |
| SUB-REQ-005 | When the Plasma Control System detects an internal fault (controller failure, loss of diagnostic data, or watchdog timeout), the Plasma Control System SHALL initiate a controlled plasma shutdown by commanding gas injection to terminate plasma current within 30 seconds, before transitioning to a passive safe state. Rationale: Updated in validation session 530: SIL-3 PCS internal fault response must use Test verification per IEC 61508. VER-REQ-012 specifies the fault injection test covering watchdog timeout, data loss, and sensor failure modes. Demonstration was initially specified but Test is required for SIL-3 safety functions to capture actual PLC failover behaviour under production hardware fault conditions. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-safestate-507 |
| SUB-REQ-006 | When a disruption current quench is detected, the Plasma Control System Disruption Prediction and Mitigation Unit SHALL trigger massive material injection to achieve runaway electron seed density suppression, delivering a minimum of 10 to the power 22 hydrogenic atoms into the plasma within 50 ms of current quench onset. Rationale: Hazard H-006 (runaway electron beam, SIL-3): relativistic electrons above 10 MeV can perforate the first wall. Material injection at the required density provides collisional scattering to suppress runaway seed population before amplification. 50 ms is set by the runaway growth time at post-disruption conditions; 10^22 atoms is derived from the required electron mean free path reduction. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-runaway-507 |
| SUB-REQ-007 | The Tokamak Core Assembly first wall and divertor SHALL withstand steady-state peak heat flux of 10 MW/m2 on the divertor strike zones and 0.5 MW/m2 on the first wall during nominal Q=5 burn, with tungsten armour net erosion rate less than 1 mm per full-power year averaged across all plasma-facing surfaces. Rationale: Derived from SYS-REQ-001 (Q>=5 burn for 2-8 hours) and SYS-REQ-004 (first-wall thermal load limit). 10 MW/m2 divertor heat flux is the design point from SOLPS-ITER edge transport modelling at STEP power levels; 1 mm/year erosion limit is set by the maintenance campaign cycle: more rapid erosion would require unscheduled divertor replacement before the 4-month campaign, violating SYS-REQ-009. | Test | idempotency:sub-tca-heatflux-508 |
| SUB-REQ-008 | The Superconducting Magnet System TF coil set SHALL generate a toroidal magnetic field of 3.0 T or greater on the plasma magnetic axis, with field ripple delta-B/B of 0.5 percent or less at the last closed flux surface, during steady-state plasma operation, and SHALL detect a quench in any coil within 100 ms of quench initiation and initiate energy extraction to external dump resistors within a further 200 ms. Rationale: 3.0 T on-axis is the minimum field for Q>=5 burn at the STEP aspect ratio per MHD stability analysis (SYS-REQ-001). 0.5% field ripple is the maximum compatible with neoclassical transport at the design plasma beta; higher ripple causes ion orbit losses that reduce Q. 100 ms quench detection and 200 ms extraction initiation are derived from the adiabatic hot-spot temperature limit of 300 K (SYS-REQ-006): slower response would cause quench propagation and conductor damage. | Test | idempotency:sub-sms-field-quench-508 |
| SUB-REQ-009 | The Cryogenic Plant SHALL maintain superconducting magnet cryostats at 4.5 K or below with temperature stability of plus or minus 0.1 K during steady-state magnet excitation, providing minimum refrigeration capacity of 15 kW at 4.5 K from at least two independent cold box trains such that loss of any single cold box does not prevent continuation of plasma operations at reduced pulse duration. Rationale: 4.5 K is the upper operating temperature for the selected HTS or NbTi conductor. 0.1 K stability is required to maintain current-sharing temperature margin. 15 kW at 4.5 K is derived from the steady-state coil resistive heating plus cryostat heat leak at rated magnet current. Two-train requirement comes from SYS-REQ-010 availability target: single cold box MTBF of ~2000 hours would cause unacceptable plasma interruption frequency without redundancy. | Test | idempotency:sub-cry-refrigeration-508 |
| SUB-REQ-010 | The Tritium Plant SHALL account for tritium inventory with measurement uncertainty of plus or minus 1 g or less per 24-hour accounting period and SHALL process all tritiated exhaust streams at throughput of 5 g T/day or greater, achieving a detritiation factor of 1e6 or greater across the Combined Electrolysis and Catalytic Exchange columns, with tritium-contaminated effluent concentration below 10 Bq/L before release to drains. Rationale: Plus or minus 1 g per 24 hours is derived from the STK-REQ-004 regulatory accountability requirement; the IAEA safeguards threshold for tritium inventory discrepancy is order 1 g. 5 g T/day throughput covers the burn consumption plus reserve losses at Q=5. Detritiation factor 1e6 ensures effluent tritium concentration meets STK-REQ-013 regulatory limits. | Test | idempotency:sub-trp-accountability-508 |
| SUB-REQ-011 | The Power Conversion System steam turbine-generator set SHALL export 100 MW or more net electrical power to the 400 kV grid at rated fusion power, achieving gross-to-net efficiency of 25 percent or greater, and SHALL maintain generation availability of 90 percent or better over a 6-month operational campaign excluding planned maintenance outages. Rationale: 100 MW net and 25% efficiency are direct derivations from SYS-REQ-002. 90% generation availability is derived from SYS-REQ-010 (50% operational availability): the power conversion system is not in the critical path during plasma burn, so its availability target is set higher than the burn availability to prevent it limiting overall plant performance. | Test | idempotency:sub-pcs-output-508 |
| SUB-REQ-012 | The Remote Handling System SHALL replace all divertor cassettes within a maintenance window of 21 calendar days or less, with component positioning accuracy of 2 mm or better in all three translational axes, operating continuously at ambient radiation dose rates up to 0.5 Sv/hr without personnel entry to the tokamak hall, and with manipulator mean time between mission failures of 500 hours or greater. Rationale: 21-day divertor replacement is derived from SYS-REQ-009 (4-month total maintenance campaign): divertor replacement is the critical-path activity consuming approximately 25% of the campaign window. 0.5 Sv/hr is the design radiation environment after 30-day shutdown; personnel entry is not permitted above 2 mSv/hr. MTBF 500 hours is set by the campaign duration to limit probability of mid-campaign manipulator failure to below 5%. | Demonstration | idempotency:sub-rhs-campaign-508 |
| SUB-REQ-013 | The Vacuum System SHALL evacuate the plasma vessel from atmospheric pressure to base pressure of 1e-6 Pa or less within 24 hours of vessel closure, maintaining effective pumping speed of 50 m3/s or greater from the divertor pumping ducts during burn, and SHALL maintain plasma vessel total outgassing rate below 1e-3 Pa.m3/s at base vacuum. Rationale: 1e-6 Pa base pressure is required for ECR-assisted plasma breakdown and to limit impurity influx below 0.1% oxygen-equivalent during burn (SYS-REQ-008). 50 m3/s effective speed is the minimum to balance helium ash production at Q=5. 24 hour pump-down is set by the scheduled maintenance window; longer pump-down would reduce availability below SYS-REQ-010 target. | Test | idempotency:sub-vac-pumping-508 |
| SUB-REQ-014 | The Radiation Protection System SHALL classify all plant areas into radiation zones (Supervised, Controlled, High Radiation) based on calculated dose rates and provide interlock signals preventing personnel access to zones where instantaneous dose rate exceeds the worker authorisation level, with zone boundary interlocks responding within 100 ms of dose threshold exceedance. Rationale: Derived from STK-REQ-012 and SYS-REQ-012 (dose rates below 10 uSv/hr in occupied areas). 100 ms interlock response is set by the maximum dose accumulation before personnel can retreat: at the Controlled Zone boundary dose rate of 2 mSv/hr, 100 ms accumulation is 0.055 uSv, negligible compared to occupational limits. | Test | idempotency:sub-rps-zoning-508 |
| SUB-REQ-015 | The Tokamak Core Assembly Vacuum Vessel and In-Vessel Structures SHALL maintain plasma vessel leak rate below 1e-7 Pa m3/s total outgassing rate during plasma operations and SHALL withstand internal over-pressure of 0.5 MPa from loss-of-coolant accident without gross structural failure. Rationale: SYS-REQ-008 requires UHV at 1e-6 Pa; this TCA-level requirement allocates the vessel structural contribution to achieving that pressure. The 0.5 MPa LOCA overpressure comes from first-wall coolant pipe rupture analysis — structural failure would breach the primary tritium containment barrier. | Test | subsystem, tokamak, sil-3, session-509, idempotency:sub-tca-vessel-509 |
| SUB-REQ-016 | The Tokamak Core Assembly First Wall and Blanket Module SHALL achieve tritium breeding ratio (TBR) contribution of 1.1 or greater as measured from blanket module-level neutronics analysis, using lithium-6 enrichment of at least 40% in the breeding zone. Rationale: TBR ≥ 1.1 is verified by Test: post-irradiation lithium-6 depletion measurements on blanket breeding zone samples extracted during scheduled maintenance, benchmarked against MCNP6 predictions (ISO 14577 protocol). Analysis alone is insufficient for SIL-2; physical activation measurements confirm the as-built breeding performance including manufacturing tolerances on Li-6 enrichment distribution. Changed from Analysis to Test in validation session 520 to satisfy IEC 61508 SIL-2 verification adequacy requirement. | Test | subsystem, tokamak, sil-2, session-509, idempotency:sub-tca-tbr-509 |
| SUB-REQ-017 | When a plasma disruption current quench is detected, the Tokamak Core Assembly SHALL withstand electromagnetic halo currents and induced eddy currents without permanent deformation of in-vessel structures, and the Vacuum Vessel SHALL remain leak-tight with leak rate not exceeding 1e-6 Pa m3/s post-disruption. Rationale: SIL-3 requirement: structural withstand of halo currents cannot rely on analysis alone (IEC 61508 clause 7.4.6 for SIL-3). Verification is by Test: (a) pulsed-current load tests on structural specimens representing worst-case in-vessel joint geometry, qualifying the structural design; (b) post-disruption vacuum leak check during integrated commissioning (helium leak test at 1e-8 Pa m3/s sensitivity) confirming vessel integrity. ANSYS FEA provides conservatism check but Test verification is the primary acceptance method. Changed from Analysis to Test in validation session 520. | Test | subsystem, tokamak, sil-3, safety, session-509, idempotency:sub-tca-disruption-safestate-509 |
| SUB-REQ-018 | The Tritium Plant Plasma Exhaust Processing System SHALL process unburnt DT exhaust gas at a throughput of up to 200 Pa·m³/s, achieving hydrogen isotope separation from helium ash with a decontamination factor of at least 1000 within a single pass at operating pressures between 1×10⁻³ Pa and 1×10⁵ Pa. Rationale: 200 Pa·m³/s is the divertor exhaust throughput design point for STEP at full fusion power (500 MW thermal). Decontamination factor 1000 ensures He ash does not accumulate in the DT fuel cycle, which would degrade plasma performance by diluting fuel concentration below the threshold needed for sustained ignition. Derived from SYS-REQ-001 (plasma burn maintenance) and SYS-REQ-005 (tritium confinement). | Test | subsystem, tritium-plant, sil-3, session-510, idempotency:sub-trp-peps-throughput-510 |
| SUB-REQ-019 | The Tritium Plant Isotope Separation System SHALL produce DT fuel at a deuterium-tritium purity of greater than 99.9 mol% hydrogen isotopes and a D:T isotope ratio of 50:50 plus or minus 2%, with a throughput capacity of 200 Pa·m3/s DT equivalent. Rationale: 99.9% purity and 50:50 D:T ratio are the plasma fueling specifications derived from ITER/DEMO experience showing that HD and HH impurities above 0.1% reduce fusion reactivity below the ignition-sustaining threshold. The 200 Pa·m3/s throughput matches the divertor exhaust capacity. Derives from SYS-REQ-001 and SYS-REQ-003 (TBR and fuel cycle closure). | Test | subsystem, tritium-plant, sil-3, session-510, idempotency:sub-trp-iss-purity-510 |
| SUB-REQ-020 | The Tritium Plant Tritium Storage and Delivery System SHALL store tritium inventory in double-contained metal hydride beds with a maximum tritium hold-up of 100 g tritium equivalent, and SHALL release fuel to the Isotope Separation System or fueling systems within 60 seconds of a fuel request command. Rationale: 100 g maximum hold-up is set by the site radiological consequence assessment: a catastrophic release of the full storage inventory must not cause a deterministic dose to the public at the site boundary. 60-second release latency ensures the pellet fueling system can maintain plasma fueling rate during transients. Derives from SYS-REQ-005 (tritium confinement) and STK-REQ-004 (tritium accountability). | Test | subsystem, tritium-plant, sil-3, session-510, idempotency:sub-trp-tsds-storage-510 |
| SUB-REQ-021 | The Tritium Plant Blanket Tritium Extraction System SHALL extract bred tritium from the lithium-ceramic blanket breeding zone at a rate matching the tritium production rate, maintaining a tritium hold-up in the extraction loop of less than 1 g at all times during steady-state and planned transient operation. Rationale: Derives from SUB-REQ-016 TBR requirement and SYS-REQ-005 tritium containment. 1 g hold-up limit established from UK site licence conditions on in-process inventory in unshielded areas. 'Steady-state and planned transient' replaces ambiguous 'normal' per ISO 29148; updated validation session 520. | Test | subsystem, tritium-plant, sil-2, session-510, idempotency:sub-trp-btes-extraction-510 |
| SUB-REQ-022 | When the Tritium Plant atmospheric tritium monitor detects a concentration exceeding 1e-5 Ci/m3 (1 MBq/m3), the Tritium Plant Atmosphere Detritiation System SHALL initiate forced-air recirculation through catalytic oxidation beds within 30 seconds and SHALL achieve a cleanup factor of at least 100 within 4 hours. Rationale: 1e-5 Ci/m3 is the controlled area action level per ICRP-68, above which inhalation dose rate to workers exceeds 1 mSv/h. The 30-second initiation time ensures the ADS engages before local concentration exceeds the 10x safety factor above this threshold. Cleanup factor 100 in 4 hours is derived from worst-case maintenance scenario inventory release models for the tritium plant. Derives from SYS-REQ-005 and STK-REQ-011 (RPA dose constraint). | Test | subsystem, tritium-plant, sil-3, safety, session-510, idempotency:sub-trp-ads-safestate-510 |
| SUB-REQ-023 | The Superconducting Magnet System Quench Detection and Protection System SHALL detect a resistive voltage signature greater than 100 mV on any superconducting coil within 10 ms and SHALL initiate safe quench discharge within 50 ms of detection, limiting hot-spot temperature to below 300 K. Rationale: 100 mV threshold and 10 ms detection time are derived from quench propagation velocity calculations for Nb3Sn conductors at the STEP operating current density. At these parameters, the hot-spot temperature limit of 300 K (below Cu embrittlement at cryogenic temperature) is maintained if dump starts within 50 ms of quench onset. Derives from SYS-REQ-006 (superconducting quench management). | Test | subsystem, superconducting-magnet-system, sil-2, safety, session-510, idempotency:sub-sms-quench-detect-510 |
| SUB-REQ-024 | The Superconducting Magnet System Central Solenoid SHALL provide a total flux swing of at least 100 V·s over a plasma pulse, with a maximum ramp rate of 2 V/m during plasma initiation and ramp-up phases. Rationale: 100 V·s flux swing drives the transformer-coupled plasma current ramp to 5 MA for STEP operating conditions. The 2 V/m ramp rate limit is set by the inductive coupling to in-vessel components — faster ramp would induce eddy currents exceeding structural limits of the first wall. Derives from SYS-REQ-001 (plasma burn sustainment — CS drives the plasma current required for ignition). | Test | subsystem, superconducting-magnet-system, sil-2, session-510, idempotency:sub-sms-cs-flux-510 |
| SUB-REQ-025 | The Superconducting Magnet System TF Coil Set SHALL maintain a toroidal magnetic field of 3.2 T on plasma axis with a field ripple of less than 1% peak-to-peak at the plasma separatrix during steady-state plasma burn. Rationale: 3.2 T on-axis field is the minimum required for Q>=5 burn per SYS-REQ-001 physics basis. Field ripple below 1% is required to prevent ripple-induced fast-ion loss exceeding 5% of alpha power, which would degrade energy confinement and damage first wall. | Test | subsystem, superconducting-magnet-system, session-511, sil-2, idempotency:sub-tf-field-performance-511 |
| SUB-REQ-026 | The Superconducting Magnet System Magnet Power Supply System SHALL energise the TF Coil Set to full field in less than 2 hours and the CS Coil to maximum current in less than 30 minutes, with a current ripple not exceeding 10 ppm of full scale. Rationale: 2-hour TF ramp-up is derived from operational availability target SYS-REQ-010 (50% availability): longer ramp increases duty cycle losses. 10 ppm current ripple is required to prevent field noise from perturbing plasma equilibrium feedback. Derived from PCS interface requirement for field accuracy. | Test | subsystem, superconducting-magnet-system, session-511, sil-2, idempotency:sub-mpss-energisation-511 |
| SUB-REQ-027 | When a quench interlock signal is received, the Superconducting Magnet System Magnet Power Supply System SHALL open all coil current loops and connect dump resistors within 5 ms, extracting stored magnetic energy into external dump resistors and limiting coil current decay rate to less than 500 A/s. Rationale: Safe state for SYS-REQ-006 quench hazard. 5 ms response derived from IFC-REQ-024 hardwired interlock requirement. Limiting decay rate to 500 A/s prevents excessive induced voltages in neighbouring coils and vacuum vessel structures that could cause secondary damage or arc flash. | Test | subsystem, superconducting-magnet-system, session-511, sil-2, safe-state, idempotency:sub-mpss-energy-extraction-511 |
| SUB-REQ-028 | The Superconducting Magnet System TF Coil Set SHALL maintain superconducting operation at a winding-pack temperature of 4.5 K ± 0.1 K, with a minimum thermal margin of 1.5 K between operating temperature and critical temperature under maximum conductor current. Rationale: Nb3Sn conductor critical temperature is approximately 18 K at operating field. Operating at 4.5 K provides 1.5 K thermal margin above nominal; reduced margin risks inadvertent quench during plasma disruptions which deposit eddy-current heating. ITER and SPARC coil margin analyses confirm 1.5 K as minimum safe margin. | Test | subsystem, superconducting-magnet-system, session-511, sil-2, idempotency:sub-tf-cryo-temperature-511 |
| SUB-REQ-029 | The Vacuum System Turbomolecular Pump Array SHALL maintain plasma vessel pressure below 1×10⁻⁶ Pa during plasma operations and achieve a base pressure of 1×10⁻⁷ Pa or below within 24 hours of vessel baking at 200°C. Rationale: 1e-6 Pa plasma vessel pressure is the maximum tolerable impurity partial pressure derived from plasma purity requirements in SYS-REQ-001 — higher neutral gas density causes radiative collapse of the plasma. 24-hour pump-down time is derived from operational availability targets in SYS-REQ-010. | Test | rt-resolved-session-531 |
| SUB-REQ-030 | The Vacuum System Pressure Monitoring System SHALL measure plasma vessel pressure continuously over the range 1×10⁻⁸ Pa to 1×10⁻² Pa with an accuracy of ±10% of reading, and SHALL generate an interlock signal to the Plasma Control System within 200 ms when vessel pressure exceeds 1×10⁻⁴ Pa. Rationale: 1e-4 Pa interlock threshold is 100x above operating pressure, providing a safety margin while preventing false trips. 200 ms response is derived from the PCS plasma control loop response time — the interlock must propagate before a contamination event causes irreversible first-wall damage or uncontrolled plasma termination. | Test | rt-resolved-session-531 |
| SUB-REQ-031 | The Cryogenic Plant Helium Refrigeration System SHALL provide minimum refrigeration capacity of 8 kW at 4.5 K per cold box train, with at least two independent trains operational simultaneously, such that loss of any single train does not reduce total available cooling below 8 kW. Rationale: Magnet steady-state heat load at full excitation is ~13 kW at 4.5 K. Two 8 kW trains give 16 kW nominal with 3 kW margin. IEC 61508 SIL 2 availability target for cryo cooling (mission time 8,760 h/yr) requires single-failure tolerance. ITER cryoplant uses N+1 cold box configuration on the same basis. | Test | subsystem, cryogenic-plant, sil-2, session-513, idempotency:sub-hrs-capacity-513 |
| SUB-REQ-032 | The Cryogenic Plant Helium Management System SHALL capture and recover not less than 95% of the helium gas released during a superconducting magnet quench event (up to 200 m³ STP per event) within 2 hours of quench onset, purifying recovered gas to ≥ 99.999% purity before returning it to the refrigerator supply. Rationale: Helium is a limited, non-renewable resource valued at ~£30/m³ STP. A full magnet quench releases ~200 m³. Failure to recover ≥95% within 2 hours forces operational deferral until helium inventory is replenished, directly threatening the ≥50% availability target of SYS-REQ-010. The 2-hour window is constrained by compressor capacity and cold trap regeneration time. | Test | subsystem, cryogenic-plant, sil-2, session-513, idempotency:sub-hms-recovery-513 |
| SUB-REQ-033 | The Cryogenic Plant Cryogenic Transfer Line Network SHALL maintain total static heat ingress to the 4.5 K helium circuit below 500 W across all transfer lines under steady-state conditions, with each individual line segment not exceeding 10 W/m. Rationale: Static heat ingress adds directly to HRS refrigeration load. Exceeding 500 W would exhaust the 3 kW margin in the dual-train design, risking magnet temperature excursion. The 10 W/m per-segment limit is consistent with ITER vacuum-jacketed line performance specification and enables allocation to individual lines during procurement. | Test | subsystem, cryogenic-plant, sil-2, session-513, idempotency:sub-ctln-heatleak-513 |
| SUB-REQ-034 | The Cryogenic Plant Cryogenic Control System SHALL automatically execute the magnet cool-down sequence from 300 K to 4.5 K at a rate not exceeding 5 K/hour at any point on the superconducting coil winding packs, completing the sequence within 72 hours under nominal refrigerator operation. Rationale: Thermal gradients >5 K/hour risk delamination of the epoxy-impregnated HTS coil winding packs due to differential thermal expansion. 72-hour window is the agreed maintenance campaign slot. Automated control is required because the 2,000+ sensor points make manual management impractical and error-prone. | Test | subsystem, cryogenic-plant, sil-2, session-513, idempotency:sub-ccs-cooldown-513 |
| SUB-REQ-035 | When the Cryogenic Control System detects an internal fault (controller failure, loss of communication to >50% of sensors, or watchdog timeout), the Cryogenic Plant SHALL transition to a safe hold state within 10 seconds: closing helium supply valves to all magnet circuits, initiating helium boil-off venting to the recovery system, and issuing a quench-interlock signal to the Superconducting Magnet System. Rationale: Loss of CCS control authority during magnet excitation risks undetected cryogenic failure leading to uncontrolled quench. SIL 2 safe state requirement per IEC 61508: de-energise (close isolation valves) and alert dependent systems (SMS quench interlock) within a time window derived from magnet stored energy dissipation rate. 10-second limit is consistent with minimum response time of SMS quench detection system. | Test | subsystem, cryogenic-plant, sil-2, safety, safe-state, session-513, idempotency:sub-ccs-safestate-513 |
| SUB-REQ-036 | The Remote Handling System SHALL position the In-Vessel Inspection and Maintenance Manipulator end-effector to within ±1 mm of target coordinates in the tokamak vessel coordinate frame, verified under thermal soak conditions at vessel wall temperature 150°C. Rationale: SYS-REQ-009 specifies ≤2 mm component positioning accuracy. The IVIMM contributes ≤1 mm to the error budget, with ≤1 mm allocated to tooling alignment, totalling ≤2 mm system accuracy. 1 mm IVIMM accuracy is achievable with laser tracker feedback per ITER RH arm specification (ITER_D_3LFATQ). | Test | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-manipulator-accuracy-514 |
| SUB-REQ-037 | The Remote Handling System SHALL complete a full blanket module exchange cycle (remove all 18 blanket modules, install replacement set) within 90 calendar days, operating on a 2-shift pattern with planned equipment maintenance windows. Rationale: SYS-REQ-009 allows 4 months (120 days) for replacement of all in-vessel components. The 90-day allocation to blanket exchange allows 30 days for divertor cassette exchange within the same campaign. 90 days was derived from ITER RAMI analysis ITER_D_FFNMWJ showing 3 modules per day achievable with 2 IVIMM arms operating in parallel. | Demonstration | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-campaign-duration-514 |
| SUB-REQ-038 | The Remote Handling System SHALL maintain full functionality after cumulative absorbed dose of 1×10^6 Gy (gamma + neutron equivalent) at any in-vessel component, with no degradation of positioning accuracy exceeding 10% of the specified ±1 mm tolerance. Rationale: STEP in-vessel components are exposed to total neutron fluence of ~3×10^22 n/m² over 10 full-power years. Remote handling equipment operating in-vessel must be qualified to the same radiation environment. 10^6 Gy is consistent with ITER radiation hardening specification for in-vessel tools and represents a conservative envelope for STEP operations. | Test | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-rad-hardening-514 |
| SUB-REQ-039 | The Remote Handling Transfer Cask SHALL provide biological shielding such that dose rate at the cask outer surface does not exceed 2 mSv/hr when loaded with a fully irradiated blanket module, measured at 0.1 m from the surface per ISO 2919. Rationale: UK Ionising Radiations Regulations 2017 classify any area exceeding 7.5 mSv/hr as a supervised radiation area. The 2 mSv/hr limit maintains dose rates in the cask transfer corridor below this threshold with margin, allowing controlled area designation (3/10 of 2 mSv/hr averaged over 40-hour working week < 6 mSv/year occupational exposure limit). | Test | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-cask-shielding-514 |
| SUB-REQ-040 | When any Remote Handling System equipment fault is detected (loss of position feedback, motor overcurrent, cable tension alarm), the Remote Handling System SHALL halt all actuators within 500 ms and lock joints in their current positions, maintaining load without drift for ≥ 30 minutes to allow manual recovery planning. Rationale: A suspended load (up to 4.6 tonne blanket module) inside the vessel under automated fault condition is the primary hazard. 500 ms halt preserves positioning before any gravity-driven drift exceeds 2 mm tolerance. 30-minute hold time is derived from minimum human response time for emergency team mobilisation plus decision cycle. | Test | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-safe-state-514 |
| SUB-REQ-041 | The Power Conversion System SHALL deliver ≥ 100 MW net electrical power to the 400 kV grid connection point during steady-state plasma burn, after deducting all plant auxiliary loads including cryogenic plant, plasma heating, and pumping. Rationale: SYS-REQ-002 mandates ≥100 MW net at 400 kV. Net output = gross turbine output (120 MW nominal) minus station auxiliary load (~20 MW for cryo plant, magnets, heating, pumping). The 100 MW net target is the commercial demonstrator mission requirement per the STEP Programme Definition document. | Test | rt-resolved-session-531 |
| SUB-REQ-042 | The Power Conversion System SHALL achieve gross-to-net thermal efficiency ≥ 25%, calculated as net electrical output divided by total fusion thermal power, under steady-state conditions at rated plasma Q ≥ 5. Rationale: Gross-to-net thermal efficiency is directly verifiable by Test: measure net electrical power at the 400 kV grid metering point and total fusion thermal power from the calorimetric balance during the first sustained full-power burn (Q≥5). VER-REQ-067 covers this. Changed from Analysis to Test in validation session 520 to meet the IEC 61508 SIL-1 verification standard; analysis may predict efficiency, but measured commissioning data is the acceptance criterion. | Test | rt-resolved-session-531 |
| SUB-REQ-043 | The Power Conversion System SHALL deliver electricity at 400 kV ± 5%, 50 Hz ± 0.5 Hz, with harmonic distortion < 3% THD, compliant with National Grid ESO Grid Code CC.6 and the Connection and Use of System Code (CUSC). Rationale: SYS-REQ-015 mandates Grid Code compliance. UK Grid Code CC.6 specifies voltage and frequency tolerances at the point of connection. Harmonic distortion <3% THD is the EN 61000-2-4 Class 2 limit for industrial generators. Failure to comply risks grid connection agreement revocation and prevents commercial operation. | Test | subsystem, power-conversion-system, sil-1, session-514, idempotency:sub-pcs-grid-code-514 |
| SUB-REQ-044 | The Steam Generator and Heat Transfer System SHALL transfer ≥ 500 MWth from the primary coolant circuit to the secondary steam circuit at steady-state plasma burn, maintaining primary outlet temperature ≤ 180°C to protect breeding blanket structural integrity. Rationale: STEP primary coolant enters steam generators at ~300°C and must return at ≤180°C to maintain adequate blanket module cooling margin (blanket outlet target 280°C with 20°C margin). The 500 MWth transfer duty matches fusion thermal power at Q=5 with allowance for 10% peaking. Under-cooling would elevate primary outlet temperature, reducing blanket safety margin. | Test | rt-resolved-session-531 |
| SUB-REQ-045 | When a plasma disruption is signalled by the Plasma Control System, the Power Conversion System SHALL execute a controlled turbine runback to 20% rated load within 60 seconds without turbine trip, preserving grid connection and enabling rapid restart on plasma re-ignition. Rationale: Plasma disruptions are expected at ~1/month frequency during commissioning. A full turbine trip per disruption would impose unacceptable wear on turbine blades and incur 4-hour restart penalties, reducing operational availability below the 50% SYS-REQ-010 target. Runback to 20% keeps condenser vacuum and feedwater chemistry stable, permitting a plasma restart in under 10 minutes. | Demonstration | subsystem, power-conversion-system, sil-1, session-514, idempotency:sub-pcs-turbine-runback-514 |
| SUB-REQ-049 | The Tritium Plant Isotope Separation System SHALL operate on electrical power supplied at 415 V AC (three-phase) with a maximum continuous power demand of 350 kW and a peak demand not exceeding 420 kW during column start-up, and SHALL include an uninterruptible power supply sized for 30 minutes of safe shutdown operation following loss of grid power. Rationale: 350 kW continuous and 420 kW peak derived from cryogenic distillation column heat load analysis: column reboilers 220 kW, compressors 80 kW, controls 50 kW. The 30-minute UPS duration matches estimated time to reach thermally stable safe shutdown where column inventories are below hazardous tritium levels. Derives from SYS-REQ-003 (fuel cycle closure) and SYS-REQ-005 (tritium confinement). | Test | idempotency:sub-iss-power-budget-516 |
| SUB-REQ-050 | The Tritium Plant Isotope Separation System SHALL accept an emergency isolation command from the Plant Protection System that terminates cryogenic distillation column operations and isolates all tritium-bearing process streams within 30 seconds, and SHALL maintain a passive safe state without operator input for at least 4 hours following loss of automated process control. Rationale: Derives from SYS-REQ-005 (tritium containment SIL-3). The 30-second isolation window is derived from the atmospheric tritium dispersal rate model: at maximum process inventory, a delay beyond 30 s risks exceeding the 0.1 g release limit under the worst-case single-pipe-rupture scenario. The 4-hour passive safe state period allows operator team assembly and controlled recovery. 'Automated process control' replaces the ambiguous 'normal process control' per ISO 29148; updated in validation session 520. | Demonstration | idempotency:sub-iss-safety-override-516 |
| SUB-REQ-051 | The Power Conversion System SHALL be housed in a dedicated turbine hall building with a structural floor load rating of at least 15 kN/m², designed to contain steam turbine (rated 180 MWe), generator, condenser, feedwater heaters, and associated balance-of-plant equipment, with physical maintenance access clearances of at least 2 m on all major equipment faces. Rationale: The Power Conversion System is a large physical installation requiring dedicated structural housing to manage thermal, vibration, and acoustic loads from rotating machinery. The 15 kN/m² floor rating is the minimum for 100+ tonne steam turbine sets. Physical access clearance requirements ensure maintainability of the primary heat removal path. Derives from SYS-REQ-009 (electrical power export) and IFC-REQ-004 (thermal power interface). | Inspection | idempotency:sub-pcs-physical-housing-516 |
| SUB-REQ-052 | The Tritium Plant SHALL be housed in a dedicated, single-storey Category 1 confinement building constructed to nuclear-grade seismic standards, with minimum concrete wall thickness of 600 mm providing radiation shielding, and containing all tritium-bearing process systems within a secondary confinement envelope of at least 2500 m³ total enclosed volume. Rationale: The tritium plant handles tritium inventory up to 100 g (SIL-3 consequence), requiring a purpose-built Category 1 nuclear building for structural integrity, shielding, and secondary confinement. The 600 mm wall thickness is the minimum for 10 GBq/m² surface dose rate attenuation. The physical building specification flows from STK-REQ-003 (safety assessment principles) and SYS-REQ-005 (tritium confinement). | Inspection | idempotency:sub-trp-physical-housing-516 |
| SUB-REQ-053 | The Cryogenic Plant SHALL be housed in a dedicated plant building with insulated floor area of at least 800 m², minimum clear height of 8 m, and structural provisions for helium cold box support frames rated to carry 50 tonne loads, providing segregated bays for helium compressors, cold boxes, liquid helium dewars (minimum 10,000 L capacity), and control room. Rationale: The cryogenic plant requires a dedicated physical building due to the hazardous nature of cryogenic helium (oxygen displacement risk) and the large physical footprint of Collins-cycle refrigerators and cold boxes. The 800 m² floor area and 8 m clear height are the minimum dimensions for an 80 kW-at-4.5 K refrigeration plant consistent with ITER cryogenic plant precedent. Derives from SYS-REQ-011 (superconducting magnet operation) and SUB-REQ-009 (cryogenic cooling). | Inspection | idempotency:sub-crp-physical-housing-516 |
| SUB-REQ-054 | The Vacuum System SHALL comprise physical vacuum equipment mounted on the tokamak support structure, including 12 turbomolecular pump assemblies each housed in bolted flange enclosures rated to 1.5 bar differential pressure, roughing pump sets located in an adjacent pump bay with concrete biological shielding for activated component handling, and vacuum manifold pipework with total metal bellow-jointed volume compatible with the 1000 m³ plasma vessel. Rationale: The vacuum system is a physical installation of pumps, valves, and pipework mounted on the tokamak that must meet structural, shielding, and maintenance requirements. The flange pressure rating, pump bay shielding, and manifold sizing specify physical constraints that ensure safe installation and maintenance of radioactive equipment. Derives from SYS-REQ-008 (vacuum integrity) and IFC-REQ-016 (vacuum system interface). | Inspection | idempotency:sub-vac-physical-housing-516 |
| SUB-REQ-055 | The Tokamak Core Assembly, Superconducting Magnet System, and Cryogenic Plant structural support systems SHALL be designed to withstand Operational Basis Earthquake (OBE) peak ground acceleration of 0.1g and Safe Shutdown Earthquake (SSE) of 0.2g without loss of structural integrity, and SHALL maintain plasma vessel vacuum boundary integrity after an OBE event to allow post-event inspection. Rationale: Derives from SYS-REQ-011 (seismic fast shutdown). ONR Safety Assessment Principles require the primary containment and safety function support structures to maintain integrity through OBE; SSE doubles the margin. Analysis via seismic qualification reports (ASCE 4-16 methodology) is appropriate for civil/structural seismic compliance. | Analysis | idempotency:sub-seismic-structural-validation-527 |
| SUB-REQ-056 | The Tokamak Core Assembly in-vessel cooling circuit SHALL include a passive decay heat removal path capable of removing 10 MW or greater after plasma termination without reliance on active pumps, powered valves, or external power supply, using natural convection or gravity-driven flow to a heat sink maintained at ambient temperature. Rationale: Derives from SYS-REQ-007 (passive decay heat removal after LOCA). The 10 MW threshold is derived from neutron activation analysis of first wall and blanket materials at rated neutron fluence: peak afterheat at 1 s post-shutdown is approximately 8 MW, and 10 MW adds a 25% margin per nuclear design convention. A passive mechanism is mandated by IEC 61513 for loss-of-power scenarios; no active system survives a LOCA + loss-of-offsite-power combined initiator. | Test | idempotency:sub-decay-heat-passive-validation-527 |
| SUB-REQ-057 | When an operator-initiated or scheduled end-of-pulse command is received, the Plasma Control System SHALL execute a controlled plasma shutdown sequence: reduce auxiliary heating power to zero within 60 s, ramp plasma current from operating to zero over 10–30 s via ohmic coil action, cease DT fuel injection no later than 30 s before plasma current zero, and confirm plasma current extinction within 35 s of command receipt. The shutdown sequence SHALL complete without triggering a disruption. Rationale: Derives from SYS-REQ-001 (a 6-hour pulse implies a defined end-of-pulse transition) and the Planned Shutdown operating mode (STK S-001). A controlled current ramp-down is essential to prevent triggering a disruption during shutdown: a rapid uncontrolled de-energisation at high plasma current induces halo currents that exceed TCA structural design loads. The 10–30 s ramp time is derived from plasma current decay time constant constraints for the TF/OH coil system. This requirement fills the mode coverage gap: Emergency Shutdown is covered by SUB-REQ-005, but Planned Shutdown was previously only implicit. | Test | idempotency:sub-pcs-planned-shutdown-529 |
| SUB-REQ-058 | The Tritium Plant SHALL maintain tritium accountancy and confinement functions if any single active component fails, with automatic isolation of the failed component within 30 seconds and continued operation of remaining processing loops at not less than 50% of rated throughput. Rationale: The Tritium Plant is System-Essential (classified as such by UHT hex 52953218); a total shutdown requires plant-level shutdown and unplanned tritium inventory mobilisation, creating a radiological hazard. Single-failure tolerance at 50% throughput is the minimum operability margin allowing the plasma to continue operation at reduced duty cycle while maintenance is performed. | Test | idempotency:sub-tp-redund-qc-512 |
| SUB-REQ-059 | The Tritium Plant Isotope Separation System SHALL provide a hardwired manual override that, when asserted, shuts down all ISS process flows and closes all feed and product valves within 10 seconds, independent of the ISS automation system, and SHALL maintain a watchdog timer that triggers automatic process shutdown if no heartbeat is received from the supervisory control system within 60 seconds. Rationale: ISS is classified as Functionally Autonomous (hex 55973219, bit 15) and handles tritium at purity levels that could cause off-specification fuel delivery. The manual override and watchdog are required to maintain human authority over the autonomous separation process in accordance with ITER-like safety categorisation. The 60-second watchdog matches the maximum permissible undetected loss of control in the tritium plant safety assessment. | Test | idempotency:sub-iss-override-qc-512 |
| SUB-REQ-060 | When any single turbomolecular pump in the Vacuum System Turbomolecular Pump Array fails, the remaining operational pumps SHALL maintain plasma vessel pressure at or below 5×10⁻⁶ Pa within 120 seconds of the failure, and SHALL trigger a control room alarm within 10 seconds of pump fault detection. Rationale: A single pump failure must not force immediate plasma termination. The 5×10⁻⁶ Pa degraded limit provides a 5× safety margin above the radiative collapse threshold while losing one pump from the N+2 redundant array. The 120 s recovery time is derived from PCS tolerance: a slow pressure rise is tolerated, but the interlock triggers at 1×10⁻⁴ Pa (per SUB-REQ-030). Addresses rt-missing-failure-mode finding on SUB-REQ-029. | Test | idempotency:sub-vac-pump-failmode-v3-531 |
| SUB-REQ-061 | When the Vacuum System Pressure Monitoring System detects a sensor fault (loss of signal, out-of-range reading, or calibration validation failure on any gauge), it SHALL flag the affected channel as invalid within 5 seconds, maintain pressure monitoring continuity using remaining gauges, and issue a control room alarm; the system SHALL NOT generate false interlock signals to the Plasma Control System on sensor fault. Rationale: Pressure monitoring is safety-critical; a false interlock causes unnecessary plasma termination while a missed real interlock risks runaway. The fail-safe design requires explicit faulty-sensor detection and degraded-mode continuity. 5-second fault detection ensures PCS receives fault notification before its 200 ms control loop deadline. Addresses rt-missing-failure-mode finding on SUB-REQ-030. | Test | idempotency:sub-vac-monitor-failmode-v3-531 |
| SUB-REQ-062 | When the Power Conversion System operates at reduced plasma thermal input (Q ≥ 3 but < 5), the PCS SHALL maintain net positive export to the 400 kV grid connection at a floor of ≥ 50 MW, with station auxiliary loads below 20 MW; if net export drops below 50 MW, the PCS SHALL alert the shift supervisor within 30 seconds. Rationale: Reduced fusion gain (Q=3) is a planned operating condition during burn campaigns when impurity accumulation or density limits are encountered. At Q=3 thermal output falls to ~60% of nominal; the PCS must still provide positive net export to satisfy commercial viability criteria in the STEP business case. The 50 MW floor is the minimum commercially meaningful export. Addresses rt-missing-failure-mode finding on SUB-REQ-041. | Test | idempotency:sub-pcs-degraded-power-v3-531 |
| SUB-REQ-063 | When any single Power Conversion System component (steam generator, turbine stage, or condenser circuit) is taken out of service for maintenance, the PCS SHALL operate in degraded configuration and maintain gross-to-net thermal efficiency ≥ 18%, with a net electrical output floor of ≥ 60 MW, for up to 72 hours until the component is restored or the plasma pulse is terminated. Rationale: Single steam generator isolation (2 of 3 steam circuits) reduces thermodynamic efficiency to ~72% of rated, giving an 18% gross-to-net floor. The 72-hour degraded window matches the planned maintenance cycle for compressor rebalancing and pump seal replacement without requiring pulse termination. Addresses rt-missing-failure-mode finding on SUB-REQ-042. | Test | idempotency:sub-pcs-degraded-efficiency-v3-531 |
| SUB-REQ-064 | When a steam generator tube leak is detected by the Steam Generator and Heat Transfer System (primary-to-secondary pressure differential loss or secondary water conductivity spike above baseline), the system SHALL automatically isolate the affected steam generator within 60 seconds, and SHALL continue heat transfer at ≥ 300 MWth using remaining circuits, with primary coolant temperature maintained at ≤ 200°C. Rationale: Steam generator tube failure is an anticipated maintenance event due to neutron embrittlement and thermal cycling fatigue. Automatic isolation within 60 s prevents tritiated primary water from migrating into the steam secondary circuit — tritium transport time across a tube-leak interface is 30-90 s, so 60 s isolation limits release to below 1 mg per event, well below the 0.1 g single-event limit in SYS-REQ-005. Addresses rt-missing-failure-mode finding on SUB-REQ-044. | Test | idempotency:sub-sg-tube-leak-failmode-v3-531 |
| SUB-REQ-066 | The Vacuum System Pressure Monitoring System SHALL operate from a dedicated UPS-backed 230 V AC supply, consuming no more than 2 kW total, and SHALL maintain full measurement capability within 1 second of primary supply failure during plasma burn, switching to battery backup rated for 8 hours continuous operation. Rationale: The VSPMS is classified as Powered (Substrate trait bit 4). A vacuum leak during plasma burn requires sub-second detection and response; loss of pressure monitoring capability is a precursor to uncontrolled plasma disruption. The 8-hour backup requirement covers extended maintenance or grid disturbance scenarios during which the vacuum boundary must be continuously monitored. The 2 kW consumption budget is consistent with the instrument density of the monitoring array. | Test | idempotency:sub-vspms-power-budget-qc-550 |
| SUB-REQ-067 | The Cryogenic Plant SHALL incorporate N+1 redundancy for all compressor trains and cold-box modules, such that loss of any single compressor or cold-box unit does not reduce helium refrigeration capacity below 80% of nominal, and the system SHALL restore full refrigeration capacity within 4 hours by hot-swap of the failed unit without requiring magnet warm-up. Rationale: The Cryogenic Plant is classified System-Essential (Substrate trait bit 16) — loss of helium refrigeration causes magnet warm-up, disruption of plasma operations, and a multi-week recovery cycle. N+1 redundancy is the minimum architecture to ensure a single equipment failure does not force a campaign-ending magnet quench. The 4-hour recovery time is derived from the magnet temperature budget: TF coil thermal mass allows 4 hours without active refrigeration before exceeding the critical current margin by more than 10%. | Test | idempotency:sub-cryo-redundancy-qc-550 |
| SUB-REQ-068 | The Tritium Plant SHALL implement dual independent confinement barriers on all processing and storage vessels, with automatic isolation valve actuation within 500 ms of any primary confinement breach signal, and SHALL maintain tritium accountancy and emergency isolation functions on a dedicated safety-class power supply independent of the plant normal supply. Rationale: The Tritium Plant is classified both System-Essential (bit 16) and Ethically Significant (bit 32). Tritium release is the primary radiological hazard to the public and workforce; dual independent confinement barriers are the minimum defence-in-depth required by ONR safety assessment principles. The 500 ms isolation actuation time is derived from tritium dispersion modelling: at worst-case leak rates, isolating within 500 ms limits the release to below the threshold for offsite emergency notification under IRR 2017. Derives from SYS-REQ-005. | Test | idempotency:sub-tritium-redundancy-qc-550 |
| SUB-REQ-069 | The Superconducting Magnet System SHALL implement independent quench detection channels on each coil, with a minimum of two independent vote-2-of-3 detection chains per coil group, such that a single channel failure does not prevent quench detection or initiate a spurious magnet dump, and the system SHALL dump stored coil energy into dedicated dump resistors within 10 s of a confirmed quench signal. Rationale: The Superconducting Magnet System is System-Essential (bit 16); a missed quench causes coil destruction and an unrecoverable campaign loss. Vote-2-of-3 quench detection is the established design pattern for fusion devices (JET, ITER) to balance false-positive avoidance against miss probability. The 10-second dump time is derived from the maximum energy deposited in the quench zone before conductor damage occurs at the design current margin. Derives from SYS-REQ-006. | Test | idempotency:sub-magnet-redundancy-qc-550 |
| SUB-REQ-070 | The Radiation Protection System SHALL implement engineering ALARA measures at subsystem level: remote handling replacement of all components rated >10 mSv/h contact dose, biological shielding in maintenance aisles to <0.5 mSv/h, and personnel dose tracking with automatic withdrawal notification when individual accumulated dose exceeds 80% of the annual constraint (1 mSv above background). Rationale: SYS-REQ-016 mandates ALARA under UK IRR 2017 at system level; this requirement decomposes ALARA into subsystem-actionable constraints. Remote handling above 10 mSv/h is the ONR-guidance threshold beyond which contact work is ALARA-unjustifiable. The 0.5 mSv/h maintenance aisle limit is derived from a 2-hour maximum maintenance visit budget to remain below the 1 mSv annual dose constraint. Automatic 80%-threshold notification is the standard nuclear industry practice for individual dose management. | Inspection | idempotency:sub-alara-radiation-qc-550 |
| SUB-REQ-071 | Verify REQ-SESTEPFUSIONPOWERPLANT-117: On the VSPMS integration test bench, switch off the primary 230 V AC supply and measure time-to-restore measurement capability; confirm ≤ 1 second switchover. Run VSPMS on battery backup for 8 hours at nominal load; confirm continuous measurement within specification throughout. Measure total system power draw under nominal operating conditions; confirm ≤ 2 kW. Rationale: Power continuity and budget are verified by injection and measurement rather than analysis because the requirement specifies hard numeric thresholds at a subsystem level. Timing and power draw can only be confirmed empirically on the actual hardware. | Test | idempotency:ver-vspms-power-qc-550 |
| SUB-REQ-072 | Verify REQ-SESTEPFUSIONPOWERPLANT-118: During Cryogenic Plant Factory Acceptance Test, disable one compressor train and measure steady-state refrigeration capacity; confirm ≥80% of nominal. Commence replacement of disabled unit and verify that full capacity is restored within 4 hours without requiring controlled magnet warm-up cycle. Repeat for each N+1 module in sequence. Rationale: N+1 redundancy and hot-swap capability must be demonstrated by actual failure injection at FAT; analysis cannot confirm the 4-hour restoration target without testing actual maintenance procedures and thermal transient behaviour. | Test | idempotency:ver-cryo-redundancy-qc-550 |
| SUB-REQ-073 | The Remote Handling System SHALL implement a dual-path control architecture with independent main and backup control rooms, such that loss of the primary control station does not prevent completion of any in-progress maintenance task, and full Remote Handling System capability SHALL be restorable from the backup station within 15 minutes. Rationale: The Remote Handling System is classified System-Essential (UHT trait bit 16): loss of RHS during in-vessel maintenance leaves activated components in an irrecoverable mid-operation state, creating radiological and structural hazards. Dual control path is the minimum redundancy for a safety-critical human interface. The 15-minute switchover time is derived from the maximum safe hold time for suspended tooling loads inside the vacuum vessel (based on tritium permeation and structural stability limits for unsupported blanket modules). | Test | subsystem, remote-handling-system, redundancy, sil-1, session-552, idempotency:sub-rhs-redundancy-dual-path-552 |
| SUB-REQ-074 | The Superconducting Magnet System Magnet Power Supply System SHALL implement N+1 redundancy for all AC/DC converter modules, such that loss of any single converter does not reduce total available magnet current by more than 10%, and the system SHALL continue plasma-sustaining magnetic field without initiating a disruption. Rationale: The Superconducting Magnet System is classified System-Essential (UHT trait bit 16). The MPS is the only source of current for all 18 TF coils and the CS; a single-converter failure with no redundancy would require controlled current ramp-down and plasma termination, losing the plasma campaign. N+1 converter redundancy is the minimum to sustain field during a single module failure. The 10% tolerance is derived from the TF coil current regulation envelope — field variation up to 10% above/below nominal is recoverable by PCS feed-forward control without disruption. | Test | subsystem, superconducting-magnet-system, redundancy, sil-2, session-552, idempotency:sub-sms-mps-n1-redundancy-552 |
| SUB-REQ-075 | The Vacuum System SHALL implement N+1 redundancy for all primary and backing pump trains on the torus and neutral beam injection lines, such that loss of any single pump does not increase torus base pressure above 5×10⁻⁶ Pa, and the standby pump SHALL achieve full pumping speed within 60 seconds of primary pump trip. Rationale: The Vacuum System is System-Essential (UHT trait bit 16). Loss of primary pumping capability causes impurity ingress that poisons plasma operations; without redundancy a single pump failure forces plasma termination and extended pump-down recovery. N+1 pump redundancy is standard practice for nuclear vacuum systems. The 5×10⁻⁶ Pa threshold (5× the nominal 1×10⁻⁶ Pa base) is derived from plasma sustainability modelling: an impurity fraction above 0.5% causes effective Z > 1.5, terminating the burn. The 60-second standby activation time is derived from the torus outgassing rate at operational temperatures. | Test | subsystem, vacuum-system, redundancy, sil-2, session-552, idempotency:sub-vs-pump-n1-redundancy-552 |
| SUB-REQ-076 | The Vacuum System SHALL qualify all torus vacuum vessel seals and penetration flanges to a leak rate of less than 1×10⁻⁹ Pa·m³/s per seal under all operational modes including plasma burn, bake-out at 350 °C, and seismic loading at 0.1g OBE, with helium leak testing performed at each maintenance interval before plasma operations resume. Rationale: SYS-REQ-008 mandates total torus leak rate below 1×10⁻⁹ Pa·m³/s per seal during all operational modes; this SUB requirement decomposes that constraint onto the specific seal qualification programme. Three modes drive the envelope: bake-out at 350 °C generates maximum thermal expansion stresses on ConFlat flanges; plasma burn creates neutron fluence degradation of elastomeric components over time; an OBE seismic event imposes dynamic loads on all penetrations. Helium leak testing at each maintenance interval is required because the tokamak assembly undergoes thermal cycling that can relax flange preloads. | Test | subsystem, vacuum-system, sil-2, session-552, idempotency:sub-vs-seal-qualification-552 |
| SUB-REQ-078 | When a Design Basis Accident is declared, the Tritium Plant SHALL automatically isolate all tritium process and storage vessels within 30 seconds and initiate passive Atmosphere Detritiation System activation, ensuring tritium release to the environment does not exceed 1 g total inventory escape per DBA event, consistent with the ONR Basic Safety Level dose limit of 1 mSv effective dose to any member of the public. Rationale: SYS-REQ-018 defines the DBA set with tritium release as the primary radiological pathway. The Tritium Plant holds the largest on-site tritium inventory; automatic isolation within 30 seconds is derived from atmospheric dispersion modelling showing 1 g escape limit is achievable only with immediate isolation. Failure to decompose this to the Tritium Plant would leave the most safety-critical DBA pathway without a verifiable subsystem-level requirement. | Test | subsystem, tritium-plant, sil-3, dba, session-553, idempotency:sub-tritiumplant-dba-isolation-553 |
| SUB-REQ-079 | The Tokamak Core Assembly SHALL define and implement Design Basis Accident response for in-vessel component failure and loss-of-cooling events such that effective dose to any member of the public does not exceed 1 mSv within the 48-hour post-event monitoring period, with passive decay heat removal maintaining first-wall temperature below material damage thresholds for a minimum of 72 hours without active cooling. Rationale: SYS-REQ-018(b) and (d) define in-vessel failure and loss-of-cooling as explicit DBAs. The Tokamak Core Assembly houses the activated first-wall and blanket structures that are the primary heat source during loss-of-cooling; the 72-hour passive cooling window is derived from maintenance access planning for post-accident recovery, and 1 mSv dose limit flows directly from SYS-REQ-018 Basic Safety Level specification. | Analysis | subsystem, tokamak-core-assembly, sil-3, dba, session-553, idempotency:sub-tca-dba-cooling-553 |
| SUB-REQ-080 | The Tritium Plant SHALL operate all tritium handling and storage activities under an approved Radiological Risk Assessment conforming to UK Ionising Radiations Regulations 2017 (SI 2017/1075), with routine operational whole-body dose to any worker not exceeding 1 mSv/year above background, a designated Radiation Protection Supervisor nominated for each work area, and all tritium inventories logged to ±0.1 g accuracy in the site nuclear material accountancy system. Rationale: SYS-REQ-016 specifies UK IRR 2017 compliance and ALARA dose management. The Tritium Plant is the primary tritium handling system on site and the principal location of occupational dose risk; without a subsystem-level requirement, the IRR 2017 obligation has no owner in the decomposition and cannot be verified at subsystem CDR. | Inspection | subsystem, tritium-plant, sil-3, regulatory, session-553, idempotency:sub-tritiumplant-irr2017-553 |
| SUB-REQ-081 | The Vacuum System SHALL maintain plasma vessel seal integrity during all operational modes — including steady-state plasma burn, inter-shot vessel conditioning, and remote maintenance access — with individual penetration leak rate not exceeding 1×10⁻⁹ Pa·m³/s and total vessel leak rate not exceeding 1×10⁻⁶ Pa·m³/s combined, verified by residual gas analysis following every vessel intervention. Rationale: SYS-REQ-008 specifies per-seal and total vessel leak rate limits. This subsystem requirement decomposes SYS-REQ-008 to the Vacuum System as the responsible subsystem for vessel boundary integrity. The additional requirement for RGA verification after every intervention prevents undetected seal degradation during maintenance campaigns, which is the primary failure mode for vacuum boundary loss. | Test | subsystem, vacuum-system, sil-2, session-553, idempotency:sub-vacuum-seal-modes-553 |
| SUB-REQ-082 | The Tritium Plant SHALL maintain all required environmental permits under the Environmental Permitting (England and Wales) Regulations 2016 and compliance with the Nuclear Installations Act 1965 as administered by the Office for Nuclear Regulation, with tritium atmospheric discharges logged against authorised limit conditions and annual third-party audit of the site Environmental Management System conforming to ISO 14001:2015 demonstrating continuous compliance. Rationale: SYS-REQ-019 mandates EP Regulations 2016, Nuclear Installations Act 1965, and ISO 14001 EMS compliance. The Tritium Plant is the largest tritium atmospheric discharge point on site and therefore the primary subject of environmental permitting conditions; without this subsystem decomposition, the regulatory obligations identified in SYS-REQ-019 have no verifiable owner at subsystem level. | Inspection | subsystem, tritium-plant, regulatory, session-553, idempotency:sub-tritiumplant-env-permit-553 |
| SUB-REQ-083 | The Tritium Plant SHALL implement N+1 process module redundancy for all active tritium processing stages — isotope separation, tritium purification, and storage vessel management — such that failure of any single active process module maintains tritium fuel throughput at not less than 50% of rated capacity (100 Pa·m³/s D-T equivalent), sufficient to sustain plasma operations at reduced duty cycle and prevent unplanned plasma shutdown due to fuel starvation. Rationale: UHT classifies tritium plant as System-Essential (bit 16), indicating a single failure stops the entire system. The 50% throughput floor is derived from minimum plasma Q-value operation requirements: D-T fuel delivery below 50% cannot sustain ignition at design density. N+1 redundancy at module level is preferred over N+2 due to tritium inventory minimisation constraints — excessive redundant inventory increases radiological hazard without proportional benefit. | Test | subsystem, tritium-plant, sil-3, redundancy, session-553, idempotency:sub-tritiumplant-n1-redundancy-553 |
| SUB-REQ-084 | The Superconducting Magnet System SHALL implement a passive quench energy absorption architecture such that failure of any single active quench detection channel does not result in magnet winding damage, with passive architecture verified by analysis to safely absorb 100% of total stored magnetic energy (≥10 GJ nominal) within the energy dump resistor network without requiring active triggering, and with quench protection remaining functional following any single hardware failure in the protection logic. Rationale: UHT classifies superconducting magnet system as System-Essential (bit 16); a magnet quench cascade is DBA scenario (c) in SYS-REQ-018. The existing SUB-REQ-074 addresses N+1 for the power supply converters but does not cover quench protection redundancy at the system level. The passive energy absorption requirement eliminates the need for active triggering as the primary mitigation, reducing reliance on detection latency and providing defence-in-depth against single-channel detection failure. | Analysis | subsystem, superconducting-magnet-system, sil-2, redundancy, dba, session-553, idempotency:sub-sms-passive-quench-protection-553 |
| SUB-REQ-085 | The Superconducting Magnet System TF Coil Set conductor SHALL use cable-in-conduit conductor (CICC) technology fabricated from Nb3Sn superconducting strands with critical current density not less than 700 A/mm² at 12 T and 4.5 K in the cabled configuration, and the coil winding pack SHALL withstand a minimum of 60,000 electromagnetic load cycles over the plant operational lifetime without conductor degradation exceeding 5% critical current reduction from beginning-of-life values. Rationale: UHT classifies coil set as Synthetic (bit 2) and Physical Medium (bit 7), flagging absence of material specification requirements. Nb3Sn CICC is the only commercially qualified superconductor meeting the toroidal field requirement at STEP bore dimensions. The 700 A/mm² floor at 12 T/4.5 K is derived from field-on-axis and coil geometry analysis; without minimum critical current density, TF coil performance cannot be verified against SUB-REQ-025. The 60,000 cycle fatigue limit corresponds to 40-year plant life at 4 plasma pulses per day. | Test | subsystem, superconducting-magnet-system, coil-set, material, session-553, idempotency:sub-sms-coilset-material-553 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between Tokamak Core Assembly and Superconducting Magnet System SHALL provide magnetic field confinement with toroidal field 3-4 T at plasma centre, field ripple < 1%, and structural support for centering forces up to 100 MN, transmitted through the cryostat and gravity support structure. Rationale: Primary confinement interface: magnets surround the tokamak and generate the confining field. Forces are transmitted through structural supports that must accommodate thermal contraction from 300 K to 4.5 K. Field ripple affects plasma confinement quality and NTM stability. | Test | interface, tokamak, magnet, session-506, idempotency:ifc-tca-sms-506 |
| IFC-REQ-002 | The interface between Cryogenic Plant and Superconducting Magnet System SHALL deliver helium coolant at 4.5 ± 0.1 K and 80 ± 2 K (thermal shields) via cryogenic transfer lines with total heat leak < 5 W/m, supporting steady-state cooling capacity of 80 kW at 4.5 K. Rationale: Cryogenic transfer lines are the physical interface carrying liquid/supercritical helium from the cryoplant cold box to magnet cryostats. Temperature stability is critical for HTS performance; heat leak budget drives transfer line insulation design. | Test | interface, cryogenic, magnet, session-506, idempotency:ifc-cry-sms-506 |
| IFC-REQ-003 | The interface between Tritium Plant and Tokamak Core Assembly SHALL transport fuel pellets (frozen D-T ice at ~18 K) at injection velocities 100-1000 m/s and extract divertor exhaust gas (D, T, He, impurities) at 10-100 Pa through the torus exhaust pumping duct. Rationale: Fuel injection and exhaust extraction are the mass flow interface between tritium processing and the plasma. Pellet velocity determines fuelling depth profile; exhaust pressure determines pumping speed requirements. All lines must maintain double tritium containment. | Test | interface, tritium, tokamak, session-506, idempotency:ifc-trp-tca-506 |
| IFC-REQ-004 | The interface between Tokamak Core Assembly and Power Conversion System SHALL transfer thermal power via primary coolant (lithium-lead or helium at inlet/outlet temperatures of 300/500°C) through the breeding blanket and divertor cooling circuits, with total thermal capacity ≥ 500 MW. Rationale: This is the energy capture interface: neutrons and radiation deposit heat in blanket/divertor, primary coolant transports it to heat exchangers. Outlet temperature of 500°C drives Rankine cycle efficiency. Coolant choice (LiPb vs He) affects TBR and heat transfer coefficients. | Test | interface, tokamak, power, session-506, idempotency:ifc-tca-pcs-506 |
| IFC-REQ-005 | The interface between Plasma Control System and Tokamak Core Assembly SHALL provide bidirectional data exchange: diagnostic signals from ≥ 40 sensor systems (magnetic, kinetic, spectroscopic) at ≥ 1 kHz to the controller, and actuator commands (gas valves, pellet injector, disruption mitigation) with end-to-end latency ≤ 1 ms. Rationale: Real-time plasma control requires high-bandwidth, low-latency acquisition of plasma state and deterministic actuation. 1 ms latency budget is driven by vertical stability growth rate of the spherical tokamak (~100 µs growth time requires ~1 kHz control bandwidth). | Test | interface, control, tokamak, session-506, idempotency:ifc-plc-tca-506 |
| IFC-REQ-006 | The interface between Plasma Control System and Superconducting Magnet System SHALL command coil current changes via magnet power supplies with current regulation accuracy ≤ 0.1% and response time ≤ 10 ms for plasma position and shape control. Rationale: Plasma position/shape control drives coil currents via the PF/CS power supplies. 0.1% current accuracy maps to ~mm plasma position accuracy. 10 ms response time supports the 100 Hz outer control loop for shape maintenance. | Test | interface, control, magnet, session-506, idempotency:ifc-plc-sms-506 |
| IFC-REQ-007 | The interface between Vacuum System and Tokamak Core Assembly SHALL maintain base pressure < 1×10⁻⁶ Pa in the plasma vessel via cryopumps with effective pumping speed ≥ 50 m³/s for deuterium, and handle helium ash exhaust during burn. Rationale: Vacuum quality directly affects plasma purity and performance. Pumping speed must exceed gas throughput from fuel injection, wall recycling, and helium ash production (~5% of D-T burn rate). Cryopumps are regenerated cyclically between pulses. | Test | interface, vacuum, tokamak, session-506, idempotency:ifc-vac-tca-506 |
| IFC-REQ-008 | The interface between Remote Handling System and Tokamak Core Assembly SHALL provide maintenance access through horizontal (≥ 4) and vertical (≥ 2) ports with clear bore ≥ 1.5 m, supporting component transfer loads up to 10 tonnes per cassette. Rationale: Port size and number constrain the maintenance campaign duration and component design. 1.5 m bore allows divertor cassette extraction; 10 tonne limit drives manipulator and transfer cask structural design. Port locations must not compromise magnetic field quality. | Demonstration | interface, remote-handling, tokamak, session-506, idempotency:ifc-rhs-tca-506 |
| IFC-REQ-009 | The interface between Power Conversion System and National Electrical Grid SHALL export ≥ 100 MW at 400 kV, 50 Hz via the switchyard, with power factor ≥ 0.95, harmonic distortion < 3% THD, and fault ride-through capability per Grid Code CC.6.3. Rationale: External interface to National Grid ESO. Grid Code compliance is mandatory for connection. Fault ride-through prevents cascade disconnection during grid disturbances. Power factor and THD limits are standard Grid Code requirements for generation above 50 MW. | Test | interface, external, power, grid, session-506, idempotency:ifc-pcs-grid-506 |
| IFC-REQ-010 | The interface between the Tritium Plant and Cryogenic Plant SHALL supply liquid nitrogen at 77 K ± 2 K at a flow rate of 0.5 kg/s minimum to each cryogenic distillation column, with uninterrupted supply during all tritium processing modes. Rationale: Isotope separation by cryogenic distillation requires LN2 cooling at 77 K. Interruption stalls separation and risks tritium accumulating outside controlled process volumes. 0.5 kg/s per column derived from column heat duty at rated throughput 5 g T/day. | Test | idempotency:ifc-trp-cry-508 |
| IFC-REQ-011 | The interface between the Vacuum System and Tritium Plant SHALL transfer tritiated exhaust gas at throughput up to 200 Pa·m³/s from the divertor cryopumps to the Tritium Plant permeator inlet, with all interconnecting lines double-walled with secondary confinement and helium leak-test verified to less than 1×10⁻⁹ Pa·m³/s. Rationale: Tritium-loaded exhaust from divertor pumping must be routed to the Tritium Plant for isotope recovery; direct venting would violate SYS-REQ-005 tritium containment. 200 Pa·m³/s is the peak exhaust load derived from helium ash production rate plus fuelling gas throughput at Q=5 burn. | Test | idempotency:ifc-vac-trp-508 |
| IFC-REQ-012 | The interface between the Plasma Control System and Vacuum System SHALL transmit divertor neutral gas pumping speed setpoints in the range 0 to 50 m³/s at update rate of 10 Hz with response latency of 500 ms or less, with continuous helium partial pressure feedback from the divertor region. Rationale: Divertor pumping speed controls helium ash exhaust and plasma purity. 50 m³/s maximum is derived from the divertor conductance at operating pressure; 10 Hz update rate and 500 ms latency are sufficient given the helium particle confinement time in the scrape-off layer of several seconds. | Test | idempotency:ifc-pcs-vac-508 |
| IFC-REQ-013 | The interface between the Plasma Control System and Tritium Plant SHALL transmit pellet fuel injection rate commands at update rate of 100 Hz or higher with command latency of 100 ms or less, over a safety-rated control network with status feedback from the pellet injector confirming execution within 200 ms. Rationale: Real-time fuelling control is required to maintain D-T fuel mix and plasma density for Q >= 5 burn. 100 Hz update rate and 100 ms latency are derived from the plasma particle confinement time (~300 ms) requiring density corrections at least 3 times per confinement time. | Test | idempotency:ifc-pcs-trp-508 |
| IFC-REQ-014 | The interface between the Power Conversion System coil power supplies and Superconducting Magnet System SHALL deliver DC current to each TF, PF, and CS coil group at up to 80 kA with current stability of 0.01 percent peak-to-peak and current ramp rate up to 10 kA/s, with independent quench detection interlock per coil group. Rationale: TF coil current stability of 0.01% maps to field ripple stability meeting the IFC-REQ-001 limit of 0.5%. Ramp rate of 10 kA/s is set by the maximum allowable eddy-current heat deposition in the cryostat during CS pre-magnetisation, derived from the thermal budget per pulse cycle. | Test | rt-resolved-session-531 |
| IFC-REQ-015 | The interface between the Remote Handling System and Tritium Plant SHALL ensure all remote handling tools operating inside the tritium secondary containment boundary are decontaminable to a surface tritium activity of 1 Bq/cm² or less, with all tool wetted surfaces constructed from tritium-compatible materials (stainless steel 316L or approved equivalent) rated for 10 year service life. Rationale: Tool decontaminability is required for personnel safety when tools are withdrawn from the tritium boundary. 1 Bq/cm² is the regulatory limit for unrestricted material transfer under ONR guidance. 316L SS is the baseline tritium-compatible material per ITER material qualification programme. | Inspection | rt-resolved-session-531 |
| IFC-REQ-016 | The interface between the Cryogenic Plant and Vacuum System SHALL supply 4.5 K cold heads to up to 20 vacuum cryopump bodies at a total heat load of 5 W per cryopump, with cold head temperature stability of 0.2 K and helium boil-off gas from regenerating cryopumps returned to the Cryogenic Plant gas recovery system. Rationale: Vacuum cryopumps on the divertor and torus use helium cold heads at 4.5 K to maintain pumping speed > 50 m³/s for SYS-REQ-008. 5 W per cryopump is from the manufacturer heat load specification. Gas recovery prevents helium loss and maintains cryoplant efficiency. | Test | idempotency:ifc-cry-vac-508 |
| IFC-REQ-017 | The interface between the Plasma Control System and Remote Handling System SHALL provide hardwired interlock signals preventing plasma ignition or magnet energisation during remote maintenance operations, with interlock bypass requiring two-key authorisation and a positive confirmation from the Remote Handling System controller before restoration. Rationale: Personnel safety during maintenance campaigns requires hardware interlocks preventing inadvertent plasma or magnet activation when RHS tools are inside the machine. The two-key mechanism provides defence-in-depth per SIL-3 requirements for safety-critical interlocks; software-only interlocks are insufficient for ONR licensing. | Demonstration | idempotency:ifc-pcs-rhs-interlock-508 |
| IFC-REQ-018 | The interface between the Power Conversion System and Tokamak Core Assembly SHALL supply auxiliary AC electrical power at 33 kV, 11 kV, and 415 V plant buses to Tokamak Core Assembly services including in-vessel diagnostics, auxiliary heating bus bars, blanket coolant pump drives, and radiation monitoring, with availability of 99.9 percent or better during plasma operations. Rationale: TCA requires continuous auxiliary power for diagnostics (SYS-REQ-013), active cooling, and safety-classified loads. 99.9% availability is derived from allowable plasma interruption frequency: more than 1 unplanned outage per 1000 hours would prevent achieving SYS-REQ-010 operational availability of 50%. | Test | idempotency:ifc-pcs-tca-aux-508 |
| IFC-REQ-019 | The interface between the National Electrical Grid and Power Conversion System for station loads SHALL import auxiliary power at 33 kV from the grid to maintain station essential services during pre-ignition start-up and maintenance periods at loads up to 50 MW, with automatic transfer to on-site diesel generation within 10 seconds of grid loss. Rationale: STEP requires grid power during start-up before the plant is generating. The 50 MW station load is the total auxiliary demand including cryoplant compressors, tritium plant, and HVAC. 10 s diesel transfer time is set by the critical load hold-up time for uninterruptible supply systems. | Test | rt-resolved-session-531 |
| IFC-REQ-020 | The interface between the Tokamak Core Assembly and Cryogenic Plant for vessel bake-out SHALL supply hot nitrogen gas at 200°C ± 5°C and ≥ 5 bar gauge at a mass flow rate of ≥ 2 kg/s to the first wall in-vessel bake-out circuit to achieve 200°C wall temperature within 24 hours of bake initiation, with thermal gradient to superconducting magnet cryostats limited to ≤ 5 K/hr. Rationale: In-vessel bake-out at 200°C is required to drive out water and hydrocarbon impurities that would compromise vacuum base pressure. The 2 kg/s nitrogen flow rate is derived from in-vessel first wall surface area (~500 m²), heat capacity of tungsten-armoured steel panels, and the 24-hour thermal soak target. The 5 K/hr thermal gradient limit to magnet cryostats is the manufacturer's constraint to avoid thermal fatigue cracking of the cold-warm transition components. Original text used 'sufficient' (non-measurable); revised to 2 kg/s specific value in validation session 519. | Test | idempotency:ifc-tca-cry-bakeout-508 |
| IFC-REQ-021 | The interface between the Tritium Plant Plasma Exhaust Processing System and the Isotope Separation System SHALL transfer purified hydrogen isotopologue stream at pressures between 1 kPa and 100 kPa, with helium content below 100 ppm and water vapour below 1 ppm, via a double-wall tritium-tight transfer line. Rationale: These purity and pressure specifications are the input requirements for the ISS cryogenic distillation columns. Helium above 100 ppm would freeze out in the columns and cause blockage; water above 1 ppm poisons the Pd membrane catalysts. Double-wall transfer line is required by the tritium double-containment principle. Interface derives from IFC-REQ-011 (external vacuum-tritium plant boundary). | Test | interface, tritium-plant, sil-3, session-510, idempotency:ifc-trp-peps-iss-510 |
| IFC-REQ-022 | The interface between the Tritium Plant Isotope Separation System and the Tritium Storage and Delivery System SHALL transfer DT product at purity greater than 99.9% hydrogen isotopes via a metal hydride buffer vessel, with batch transfer latency not exceeding 15 minutes and transfer rate up to 5 g tritium equivalent per hour. Rationale: 15-minute batch transfer latency and 5 g/h transfer rate maintain the fuel cycle inventory balance without creating large transient tritium accumulations in transfer lines. The buffer vessel decouples the distillation column cycle time from the storage refill demand. Derives from IFC-REQ-013 (PCS pellet injection command interface) which requires fuel on demand within the fuelling system response time. | Test | interface, tritium-plant, sil-3, session-510, idempotency:ifc-trp-iss-tsds-510 |
| IFC-REQ-023 | The interface between the Tritium Plant Blanket Tritium Extraction System and the Isotope Separation System SHALL transfer extracted tritium-in-helium at a concentration of 0.1 to 1% tritium by volume, at flow rates between 1 and 10 standard litres per minute, through a dedicated permeator and compressor stage. Rationale: Blanket purge gas arrives at ~0.1-1% tritium concentration after permeation extraction from the breeding pebbles. A dedicated feed compressor and permeator stage is required because the BTES output pressure and purity differ significantly from the PEPS exhaust stream, preventing direct commingling which would upset the ISS distillation balance. Derives from SYS-REQ-003 (TBR closure) and the blanket tritium extraction architecture decision. | Test | interface, tritium-plant, sil-2, session-510, idempotency:ifc-trp-btes-iss-510 |
| IFC-REQ-024 | The interface between the Superconducting Magnet System Quench Detection and Protection System and the Magnet Power Supply System SHALL transmit a hardwired quench interlock signal within 1 ms of quench detection, causing the Power Supply System to open all coil current loops and connect dump resistors. Rationale: 1 ms hardwired path is required because the 50 ms total dump initiation budget (from SUB-REQ-023) must accommodate 10 ms detection, signal transmission, and power electronics switching. Software-routed signals add latency that would exceed this budget. Derives from SUB-REQ-023 and the SYS-REQ-006 quench management requirement. | Test | interface, superconducting-magnet-system, sil-2, session-510, idempotency:ifc-sms-qdps-mps-510 |
| IFC-REQ-025 | The interface between the Magnet Power Supply System and the TF Coil Set SHALL provide a DC bus voltage of up to 30 kV and a peak current of 80 kA, with a current measurement accuracy of better than 0.01% full scale provided by a Rogowski coil transducer, transmitted to the Plasma Control System via IEC 61850 GOOSE messaging at 1 kHz. Rationale: 80 kA at 30 kV derived from TF coil inductance and target 2-hour ramp-up. 0.01% current accuracy is required to meet the 10 ppm field ripple in SUB-REQ-026 — coil current is the dominant field error source. IEC 61850 GOOSE selected for deterministic sub-ms latency required by plasma control. | Test | interface, superconducting-magnet-system, session-511, idempotency:ifc-mpss-tf-power-511 |
| IFC-REQ-026 | The interface between the Quench Detection and Protection System and the TF Coil Set SHALL monitor the voltage across each superconducting coil pancake via galvanically isolated voltage taps with a measurement bandwidth of at least 1 kHz and an input impedance of greater than 1 MΩ to prevent current diversion. Rationale: 1 kHz measurement bandwidth is required to detect the resistive voltage transient within the 10 ms window of SUB-REQ-023. High input impedance prevents voltage tap leads from acting as a current bypass path in the coil, which could mask the resistive signature and delay quench detection. | Test | interface, superconducting-magnet-system, session-511, idempotency:ifc-qdps-tf-voltages-511 |
| IFC-REQ-027 | The interface between the Vacuum System Pressure Monitoring System and the Plasma Control System SHALL transmit digitised vessel pressure readings from all active gauges at a rate of 10 Hz per gauge over a dedicated Ethernet link (1 Gbit/s), with end-to-end latency not exceeding 50 ms, and SHALL transmit hardwired analogue interlock signals on a dedicated 24 V DC loop for pressure threshold exceedance. Rationale: 10 Hz update rate matches the PCS plasma control bandwidth. Hardwired analogue interlock loop is required because the 200 ms SIL-2 interlock requirement in SUB-REQ-030 cannot be guaranteed over a shared digital network — dedicated hardwired signal ensures deterministic delivery independent of Ethernet congestion. | Test | interface, vacuum-system, session-511, idempotency:ifc-vs-pressure-pcs-511 |
| IFC-REQ-028 | The interface between the Helium Refrigeration System and the Cryogenic Transfer Line Network SHALL supply supercritical helium at 4.5 K ± 0.2 K and 3 bar ± 0.1 bar with a flow rate of 40 g/s per train through DN50 vacuum-jacketed bayonet couplings rated to 20 bar. Rationale: Magnet cryostat inlet conditions require 4.5 K ± 0.2 K to maintain HTS coil superconductivity with adequate margin to Tcs. 3 bar supply pressure is the minimum to overcome transfer line pressure drop over 200 m run. DN50 bayonet couplings are the IEA standard for fusion-scale cryoplant interfaces. | Test | interface, cryogenic-plant, session-513, idempotency:ifc-hrs-ctln-513 |
| IFC-REQ-029 | The interface between the Cryogenic Control System and the Helium Refrigeration System SHALL transmit cold box setpoints, valve commands, and alarm acknowledgements over a redundant Profibus DP or equivalent fieldbus at ≤ 100 ms scan cycle, with hardwired emergency stop signals independent of the fieldbus. Rationale: 100 ms scan cycle supports the cool-down rate control loop bandwidth (minimum 1 Hz required for 5 K/hr gradient control). Hardwired e-stop independence is an IEC 61508 SIL 2 requirement — safety functions must not depend on network communication paths that can fail silently. | Test | interface, cryogenic-plant, session-513, idempotency:ifc-ccs-hrs-513 |
| IFC-REQ-030 | The interface between the Helium Management System and the Helium Refrigeration System SHALL supply helium gas at 200 bar ± 5 bar and ≥ 99.999% purity through DN25 high-pressure connections at a maximum flow rate of ≥ 25 Nm³/hr, enabling refill of a 1,250 NL helium buffer from 50% to 100% capacity within ≤ 4 hours. Rationale: Post-quench recovery requires repressurising the 4.5 K helium circuit from residual gas recovered during venting. 1,250 NL buffer at 200 bar stores the equivalent of 5,000 L dewar capacity as specified in the original requirement; 25 Nm³/hr flow rate gives 1,250/25 = 50 hours to fill from empty, but the 50%-to-100% case is 625 NL / 25 Nm³/hr = 25 hours; to achieve the ≤4 hour target from 50%, the flow rate must be ≥ 625/4 = 156 NL/hr = 0.156 Nm³/hr. However the 200-bar compression of 1,250 L standard requires 6.25 Nm³; at ≥25 Nm³/hr, fill time is ≤15 min; value chosen to match post-quench recovery logistics. Removed 'sufficient' ambiguity; quantified as ≥25 Nm³/hr. Revised in validation session 519. | Test | interface, cryogenic-plant, session-513, idempotency:ifc-hms-hrs-513 |
| IFC-REQ-031 | The interface between the In-Vessel Inspection and Maintenance Manipulator and the Remote Handling Control Suite SHALL use a real-time motion control protocol (EtherCAT or equivalent) with command cycle time ≤ 4 ms and position feedback latency ≤ 8 ms under full-motion conditions. Rationale: Human-in-the-loop teleoperation at 1 mm positioning accuracy requires the control loop bandwidth to exceed 125 Hz (1/8ms). Below this rate, operator perception delay causes instability in fine positioning. EtherCAT is radiation-tolerant at standoff distances (electronics in remote handling control room, fibre-optic link into vessel) and is the ITER RH standard. | Test | interface, remote-handling-system, sil-1, session-514, idempotency:ifc-ivimm-rhcs-514 |
| IFC-REQ-032 | The interface between the Remote Handling Transfer Cask and the tokamak vessel port SHALL provide a contamination-free docking connection with helium leak rate < 1×10⁻⁹ Pa·m³/s when mated, and SHALL not impose structural loading exceeding 5 kN vertical force on the vessel port flange. Rationale: Tritium contamination of the cask transfer corridor is the primary consequence of a failed port-cask docking. The 10⁻⁹ Pa·m³/s leak rate is the same standard as the primary vessel boundary (SYS-REQ-008 basis). The 5 kN structural limit is derived from vessel port flange thermal stress budget, which already consumes 15 kN of the 20 kN port load allowance from magnetic forces. | Test | rt-resolved-session-531 |
| IFC-REQ-033 | The interface between the In-Vessel Viewing and Monitoring System and the Remote Handling Control Suite SHALL deliver stereo video at ≥ 25 fps, ≥ 1080p resolution, with end-to-end latency < 200 ms from scene capture to operator display. Rationale: Human spatial perception for teleoperated fine manipulation requires stereo video at ≥ 25 fps to avoid judder during fine operations. 200 ms total latency is the accepted human-factors limit for teleoperation before manual stability degrades (ESA Human-Factors in Teleoperation, ECSS-E-HB-11A). Higher latency causes overcorrection oscillations at <1 mm positioning. | Test | interface, remote-handling-system, sil-1, session-514, idempotency:ifc-ivvs-rhcs-514 |
| IFC-REQ-034 | The interface between the Steam Generator and Heat Transfer System primary side and secondary side SHALL maintain tube-to-shell differential pressure capability ≥ 20 MPa at 350°C, with tube leak rate < 1×10⁻⁶ Pa·m³/s per tube as a prerequisite for steam generator commissioning. Rationale: Primary coolant pressure is 15 MPa; secondary steam pressure is 16 MPa. The 20 MPa differential capability provides 25% safety margin over the primary pressure and matches the steam generator design pressure class. The 10⁻⁶ leak rate limit ensures primary tritiated water cannot contaminate the secondary steam cycle, which is the key radioactive release pathway per STEP fault tree FT-PCS-001. | Test | interface, power-conversion-system, sil-1, session-514, idempotency:ifc-sg-primary-secondary-514 |
| IFC-REQ-035 | The interface between the Turbine-Generator Set and the Grid Interface and Electrical Switchgear SHALL transmit electrical power at ≥ 120 MVA at 22 kV ± 2.5%, power factor 0.85–1.0 lagging, with generator step-up transformer losses < 0.5% of rated MVA. Rationale: The 120 MVA rating provides headroom above the 100 MW net target after auxiliary loads. The 22 kV generator terminal voltage is the standard for generators of this rating class (IEC 60034-1). Transformer losses <0.5% are the IEC 60076-1 Category AA+ efficiency requirement, achievable with modern grain-oriented silicon steel core design. Higher losses reduce net export below the 100 MW requirement. | Test | rt-resolved-session-531 |
| IFC-REQ-036 | The interface between the Power Conversion System and the Plasma Control System SHALL receive plasma disruption notification within ≤ 100 ms of disruption onset, transmitted over a dedicated hardwired interlock signal (not network-dependent), to initiate controlled turbine runback. Rationale: Turbine runback must begin within 100 ms of disruption onset to complete the 60-second runback sequence before thermal transients from loss of plasma heating cascade to condenser pressure spikes. Network-dependent signalling introduces unacceptable latency jitter (~100–500 ms on SCADA); hardwired relay ensures deterministic <100 ms delivery per IEC 61508 Part 2 architectural constraint for safety instrumented systems. | Test | interface, power-conversion-system, sil-1, session-514, idempotency:ifc-pcs-pcs-disruption-514 |
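The IFC-REQ-017 interlock as a behavioural model: energisation is blocked whenever the Remote Handling System reports maintenance (or when its status signal is lost), a bypass needs two distinct key holders, and return to normal needs a positive confirmation from the RHS controller. This is an added illustration, not the SyDD's or the STEP programme's code; class, method and key-holder names are assumptions.

```python
"""Model of the IFC-REQ-017 maintenance interlock between the Plasma Control
System and the Remote Handling System (added example; names are assumed)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Hazard(Enum):
    PLASMA_IGNITION = "plasma ignition"
    MAGNET_ENERGISATION = "magnet energisation"


class RhsState(Enum):
    STOWED = "stowed"            # no RHS tools inside the machine
    MAINTENANCE = "maintenance"  # tools deployed; interlock asserted


@dataclass
class MaintenanceInterlock:
    """The permissive is always recomputed from state, never cached, so a lost
    RHS status signal (None) reads as maintenance and blocks (fail-safe)."""
    rhs_state: Optional[RhsState] = RhsState.STOWED
    keys_inserted: set = field(default_factory=set)
    bypass_active: bool = False
    events: list = field(default_factory=list)

    # --- hardwired status input from the RHS controller ---
    def update_rhs_state(self, state: Optional[RhsState]) -> None:
        self.rhs_state = state
        self.events.append(f"rhs_state={state.value if state else 'LOST'}")

    def interlock_asserted(self) -> bool:
        # Unknown state counts as maintenance: a broken status loop must block.
        in_maintenance = self.rhs_state is None or self.rhs_state is RhsState.MAINTENANCE
        return in_maintenance and not self.bypass_active

    def permit(self, hazard: Hazard) -> bool:
        allowed = not self.interlock_asserted()
        self.events.append(f"permit({hazard.value})={allowed}")
        return allowed

    # --- two-key bypass ---
    def insert_key(self, holder: str) -> None:
        self.keys_inserted.add(holder)  # a set: one person presenting twice is one key

    def remove_key(self, holder: str) -> None:
        self.keys_inserted.discard(holder)

    def authorise_bypass(self) -> bool:
        """Bypass needs two distinct key holders and an interlock that is actually
        asserted; a bypass with nothing to bypass is refused and logged."""
        if len(self.keys_inserted) < 2 or not self.interlock_asserted():
            self.events.append("bypass_refused")
            return False
        self.bypass_active = True
        self.events.append(f"bypass_authorised_by={sorted(self.keys_inserted)}")
        return True

    def clear_bypass(self) -> None:
        self.bypass_active = False
        self.keys_inserted.clear()
        self.events.append("bypass_cleared")

    # --- restoration after maintenance ---
    def restore_normal(self, rhs_controller_confirms_clear: Optional[bool]) -> bool:
        """Return to normal only on a positive confirmation from the RHS controller
        that tools are withdrawn; missing (None) or False leaves the interlock asserted."""
        if rhs_controller_confirms_clear is not True:
            self.events.append("restore_refused")
            return False
        self.clear_bypass()
        self.rhs_state = RhsState.STOWED
        self.events.append("restored")
        return True


def demo() -> list:
    """Walk the interlock through a maintenance campaign; returns the event log."""
    il = MaintenanceInterlock()
    il.permit(Hazard.PLASMA_IGNITION)          # True: nothing deployed
    il.update_rhs_state(RhsState.MAINTENANCE)
    il.permit(Hazard.MAGNET_ENERGISATION)      # False: interlock asserted
    il.insert_key("supervisor-A")
    il.insert_key("supervisor-A")
    il.authorise_bypass()                      # False: same key twice is one key
    il.insert_key("engineer-B")
    il.authorise_bypass()                      # True: two distinct holders
    il.permit(Hazard.MAGNET_ENERGISATION)      # True under bypass
    il.clear_bypass()
    il.restore_normal(None)                    # False: no positive confirmation
    il.restore_normal(True)                    # True
    return il.events


if __name__ == "__main__":
    for event in demo():
        print(event)
```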

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | ARC: Tokamak Core Assembly — spherical tokamak geometry selected over conventional aspect-ratio tokamak. Compact spherical design (aspect ratio ~1.8) enables higher plasma beta and smaller major radius (~3.6 m) for equivalent fusion power, reducing magnet mass and building volume. Trade-off: tighter neutron shielding space on inboard side requires advanced shielding materials and imposes higher neutron flux on central column. Rationale: STEP programme selected spherical tokamak as the distinguishing technology pathway. Conventional tokamak (ITER-like A~3.1) requires 2x larger major radius for same power. Compact geometry proven by MAST-U and START experiments. | Analysis | architecture, tokamak, session-506, idempotency:arc-tokamak-geometry-506 |
| ARC-REQ-002 | ARC: Magnet-Cryo boundary — Superconducting Magnet System and Cryogenic Plant are separate subsystems despite tight physical coupling. Magnets are bespoke HTS coils with unique structural/EM constraints; cryoplant is COTS industrial refrigeration. Different technology bases, procurement routes, and failure modes justify separation. Interface is cryogenic transfer lines and thermal budget. Rationale: Trait profiles confirm: Magnet System (56D57018) is highly physical/structural while Cryogenic Plant (56D51218) differs in structural and active traits. Grouping would obscure fundamentally different engineering disciplines and supplier relationships. | Analysis | architecture, magnet, cryogenic, session-506, idempotency:arc-magnet-cryo-506 |
| ARC-REQ-003 | ARC: Plasma Control System — separated from physical plant as a pure signal-processing/computing subsystem. Controls plasma position, disruption mitigation, and safety interlocks. Separation enables independent safety qualification (SIL 3 for safety functions) and technology refresh without physical plant modifications. Alternative of distributed control in each subsystem rejected: common mode awareness across all plasma parameters is essential for disruption prediction. Rationale: Plasma control has the most distinct trait profile (55F77A18) — highest signal-processing and autonomy traits among all subsystems. Cross-domain analog: nuclear RPS Communication and Display Subsystem (54ED7859) follows same separation pattern. | Analysis | architecture, control, session-506, idempotency:arc-plasma-control-506 |
| ARC-REQ-004 | ARC: Power Conversion System — thermal power extraction and electrical generation grouped as single subsystem. Primary coolant loops, heat exchangers, steam cycle, and grid connection form a serial thermal chain with no natural break point. Alternative of separating blanket cooling from turbine island rejected: thermal-hydraulic transients propagate through the entire chain and must be managed holistically. Rationale: Thermal Power Extraction (40D53218) and Electrical Power Conversion (54F73A18) share the energy conversion mission. Separation would create an artificial interface boundary in the middle of the heat transport chain, complicating transient analysis. | Analysis | architecture, power, session-506, idempotency:arc-power-conversion-506 |
| ARC-REQ-005 | ARC: Tritium Plant — self-contained subsystem with double-containment boundary. All tritium processing (exhaust, separation, storage, injection, detritiation) grouped within a dedicated building with independent ventilation and containment. Alternative of distributing tritium functions across subsystems rejected: single accountability for tritium inventory is a regulatory requirement (ONR, IAEA safeguards). Rationale: Tritium accountability to ±0.1g precision (STK-REQ-004) requires centralised inventory management. Distributed tritium handling would create multiple accountancy boundaries and increase regulatory complexity. ITER follows same pattern with dedicated Tritium Plant building. | Inspection | architecture, tritium, session-506, idempotency:arc-tritium-plant-506 |
| ARC-REQ-006 | ARC: Tokamak Core Assembly — five-component internal breakdown. First Wall and Blanket Module (tritium breeding, heat removal), Divertor Cassette Assembly (exhaust heat, neutral gas), Vacuum Vessel and In-Vessel Structures (vacuum boundary, neutron shielding), Plasma Heating and Current Drive System (NBI and ECRH auxiliary power), Diagnostics and Measurement Systems (plasma state feedback). This split follows ITER-proven maintenance zone boundaries: divertor cassettes and first-wall panels have different neutron damage lifetimes and require separate replacement campaigns through different port geometries. Integrated first-wall/divertor designs would force simultaneous replacement, increasing downtime. Rationale: ITER experience and DEMO studies confirmed that separating the short-lifetime plasma-facing components (divertor, first wall) from the long-life structural vessel reduces scheduled maintenance time per campaign by enabling parallel removal paths. The NBI/ECRH split from the blanket isolates the high-power RF/beam systems that require different maintenance expertise and have different radiation dose constraints for maintenance access. | Analysis | architecture, tokamak, session-509, idempotency:arc-tca-decomp-509 |
| ARC-REQ-007 | ARC: Superconducting Magnet System — four-component topology: the TF Coil Set provides the steady-state toroidal field; the CS and PF Coil Set provides ohmic induction (CS) and plasma shaping (PF); the Magnet Power Supply System (MPSS) drives the coils; the Magnet Quench Detection and Protection System (QDPS) is a hardwired safety function. The power supply is electrically isolated from quench protection, so the QDPS can trip the supply independently of control-system software, satisfying SIL 2 safety integrity without software in the loop. Rationale: Separation of QDPS from MPSS is required for IEC 61511 SIL 2: quench protection must be independent of normal control functions. Integrated designs risk common-mode failure — ITER and JET post-quench analysis shows independent hardwired protection reduces hot-spot temperature exceedance by 3x. | Inspection | architecture, superconducting-magnet-system, session-511, idempotency:arc-sms-topology-511 |
| ARC-REQ-008 | ARC: Vacuum System — three-component topology separating pumping, measurement, and leak detection. Turbomolecular pumps provide raw pumping capacity; pressure monitoring provides plasma-control feedback and the pressure interlock; leak detection provides maintenance-phase diagnostics. Separation prevents helium injected during leak testing from false-tripping the pressure interlock. Rationale: ITER experience shows that coupling leak-detection helium directly to plasma interlocks causes false trips. Separating the three functions allows maintenance and commissioning activities to proceed without risk to plasma operations. Derived from ITER vacuum system lessons learned (ITER-D-4CA7HF). | Inspection | architecture, vacuum-system, session-511, idempotency:arc-vs-topology-511 |
| ARC-REQ-009 | ARC: Cryogenic Plant — four-component decomposition separating refrigeration machinery (Helium Refrigeration System), distribution infrastructure (Cryogenic Transfer Line Network), gas inventory management (Helium Management System), and supervisory control (Cryogenic Control System). Refrigeration and transfer lines are physically distinct: the HRS cold boxes are fixed plant in the cryo hall while CTLN spans the building to the magnet ports. HMS is kept separate because quench gas recovery imposes surge-volume and purification requirements incompatible with steady-state refrigerator operation. CCS separation follows ITER/LHC precedent for independent safety qualification of cryo automation (SIL 2 quench response) without coupling to refrigerator control loops. Rationale: ITER cryogenic system architecture separates refrigerator, distribution, gas management, and control on the same basis. Coupling them would either under-constrain the control SIL or over-engineer the piping design. Trait profiles confirm: HRS (57D73218, Powered/Active/State-Transforming) vs CTLN (CE851018, Physical Object/Structural/passive) are ontologically distinct. | Analysis | architecture, cryogenic-plant, session-513, idempotency:arc-cryo-plant-513 |
| ARC-REQ-010 | ARC: Remote Handling System — five-component decomposition separating the manipulator (In-Vessel Inspection and Maintenance Manipulator, IVIMM), transfer cask, viewing system, tooling, and control suite. Manipulator and tooling are kept separate because radiation hardening, qualification, and replacement lifecycles differ: the IVIMM arm undergoes 10^6 Gy total dose and requires full replacement after ~3 campaign cycles, whereas tooling end-effectors are changed per task. Transfer cask isolation follows ITER design precedent: a dedicated shielded vessel prevents contamination spread during transport and allows hot-cell docking without vessel pressurisation. The viewing system is architecturally separate to allow independent camera feed validation without blocking manipulator command channels. Rationale: ITER and JET RH decompositions follow the same five-way split. Coupling IVIMM and control suite would preclude independent safety qualification: the IVIMM is a physical SIL 1 mechanical system; the control suite is a software SIL 1 system. Separate classification enables independent V&V per IEC 62061. | Analysis | architecture, remote-handling-system, session-514, idempotency:arc-rhs-decomp-514 |
| ARC-REQ-011 | ARC: Power Conversion System — five-component decomposition separating steam generators, turbine-generator, condenser/cooling, feedwater/balance of plant, and grid interface. Steam generators are the nuclear/non-nuclear boundary: the primary coolant circuit (radioactive tritiated water) is isolated by the tube-and-shell boundary from the secondary steam cycle. This isolation drives the split. Turbine-generator and feedwater systems are conventional power-station plant with no nuclear safety classification (SIL 0). The grid interface is kept separate because it carries the sole SIL 1 obligation in the Power Conversion System (overspeed protection driven by HV disconnection). Rationale: PWR/BWR design convention: the steam generator forms the nuclear/non-nuclear boundary. The STEP secondary circuit is conventional; coupling it to the primary side in the decomposition would incorrectly elevate non-nuclear equipment to nuclear safety class. Separation also allows conventional utility grid codes to govern the grid interface without nuclear regulatory scope creep. | Analysis | architecture, power-conversion-system, session-514, idempotency:arc-pcs-decomp-514 |
```mermaid
flowchart TB
    n0["component<br>Real-Time Plasma Controller"]
    n1["component<br>Disruption Prediction and Mitigation Unit"]
    n2["component<br>Actuator Management System"]
    n3["component<br>Diagnostic Data Acquisition Front-End"]
    n4["component<br>Plasma Control Supervisor"]
    n3 -->|40+ diag signals 1kHz| n0
    n0 -->|precursor data| n1
    n0 -->|setpoints 1ms| n2
    n1 -->|SPI trigger 10ms| n2
    n4 -->|pulse plan/mode| n0
```
PCS — Internal Components
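The two command paths in the PCS diagram above, as an added example that is not part of the original page or of the STEP project: a per-cycle arbiter for the Actuator Management System in which the DPMU's SPI trigger overrides RTPC heating setpoints unconditionally (the priority rule stated in the Actuator Management System entry) and a watchdog drops heating when RTPC frames stop arriving. The 1 ms cycle and the 10 ms mitigation deadline are from the page; the class names, the 2 ms staleness limit and the scenario values are assumptions.

```python
"""Priority arbitration in the Actuator Management System (AMS).

Added example, not STEP project code. It models the two command paths in
the PCS diagram: 1 ms setpoints from the Real-Time Plasma Controller (RTPC)
and an independent SPI trigger from the Disruption Prediction and Mitigation
Unit (DPMU). Class names, the 2 ms staleness limit and the scenario values
are assumptions; the 1 ms cycle and 10 ms deadline are from the page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CYCLE_MS = 1.0          # RTPC control cycle (SUB-REQ-001)
STALE_LIMIT_MS = 2.0    # assumed: two missed RTPC frames trips the watchdog
SPI_DEADLINE_MS = 10.0  # disruption mitigation deadline (ARC-REQ-003)


@dataclass(frozen=True)
class Setpoints:
    t_ms: float          # RTPC timestamp of this setpoint frame
    nbi_mw: float        # neutral beam heating request
    ecrh_mw: float       # electron cyclotron heating request
    gas_puff: float      # gas puff valve demand, 0..1


@dataclass(frozen=True)
class Commands:
    nbi_mw: float = 0.0
    ecrh_mw: float = 0.0
    gas_puff: float = 0.0
    spi_fire: bool = False
    source: str = "none"  # path that produced this frame: rtpc | dpmu | watchdog


class ActuatorManager:
    """Arbitrates once per cycle: DPMU trigger > watchdog > RTPC setpoints."""

    def __init__(self) -> None:
        self.last: Optional[Setpoints] = None
        self.spi_trigger_ms: Optional[float] = None

    def on_setpoints(self, sp: Setpoints) -> None:
        self.last = sp

    def on_spi_trigger(self, t_ms: float) -> None:
        # Latched: once mitigation is commanded the RTPC cannot override it.
        if self.spi_trigger_ms is None:
            self.spi_trigger_ms = t_ms

    def cycle(self, now_ms: float) -> Commands:
        if self.spi_trigger_ms is not None:
            # Disruption mitigation overrides heating in all cases.
            return Commands(spi_fire=True, source="dpmu")
        sp = self.last
        if sp is None or now_ms - sp.t_ms > STALE_LIMIT_MS:
            # Watchdog: missing or stale RTPC frame -> heating off, no fuelling.
            return Commands(source="watchdog")
        return Commands(sp.nbi_mw, sp.ecrh_mw, sp.gas_puff, False, "rtpc")


def run_scenario(trigger_ms: float, rtpc_drop_after_ms: Optional[float] = None,
                 duration_ms: float = 30.0) -> List[Tuple[float, Commands]]:
    """Drive the AMS at 1 kHz (constructed scenario): RTPC frames arrive every
    cycle until rtpc_drop_after_ms; the DPMU fires at trigger_ms."""
    ams = ActuatorManager()
    trace: List[Tuple[float, Commands]] = []
    t = 0.0
    while t < duration_ms:
        if rtpc_drop_after_ms is None or t < rtpc_drop_after_ms:
            ams.on_setpoints(Setpoints(t, nbi_mw=40.0, ecrh_mw=10.0, gas_puff=0.3))
        if t >= trigger_ms:
            ams.on_spi_trigger(t)
        trace.append((t, ams.cycle(t)))
        t += CYCLE_MS
    return trace


def mitigation_latency_ms(trace: List[Tuple[float, Commands]], trigger_ms: float) -> float:
    """Time from DPMU trigger to the first cycle that commands SPI (inf if never)."""
    for t, cmd in trace:
        if cmd.spi_fire:
            return t - trigger_ms
    return float("inf")


if __name__ == "__main__":
    tr = run_scenario(trigger_ms=12.0)
    print("SPI latency ms:", mitigation_latency_ms(tr, 12.0))
    for t, cmd in run_scenario(trigger_ms=100.0, rtpc_drop_after_ms=5.0)[4:9]:
        print(t, cmd.source, cmd.nbi_mw)
```

The design point is that the mitigation path never flows through the RTPC's data structures: `on_spi_trigger` latches a separate flag that `cycle` checks first, so a stalled or misbehaving controller cannot delay or cancel pellet injection, and the watchdog turns a missing frame into a defined safe output rather than replaying the last one indefinitely.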
```mermaid
flowchart TB
    n0["component<br>First Wall and Blanket Module"]
    n1["component<br>Divertor Cassette Assembly"]
    n2["component<br>Vacuum Vessel and In-Vessel Structures"]
    n3["component<br>Plasma Heating and Current Drive System"]
    n4["component<br>Diagnostics and Measurement Systems"]
    n3 -->|50MW beam/RF power| n0
    n0 -->|plasma exhaust| n1
    n4 -->|plasma state 10Hz| n3
    n0 -->|bred tritium| n2
    n1 -->|neutral gas to pumping ports| n2
```
Tokamak Core Assembly — Internal Components
```mermaid
flowchart TB
    n0["component<br>Plasma Exhaust Processing System"]
    n1["component<br>Isotope Separation System"]
    n2["component<br>Tritium Storage and Delivery System"]
    n3["component<br>Blanket Tritium Extraction System"]
    n4["component<br>Atmosphere Detritiation System"]
```
Tritium Plant — Internal Components
```mermaid
flowchart TB
    n0["component<br>TF Coil Set"]
    n1["component<br>CS and PF Coil Set"]
    n2["component<br>Magnet Power Supply System"]
    n3["component<br>Magnet Quench Detection and Protection System"]
    n2 -->|DC power| n0
    n2 -->|DC power| n1
    n3 -->|voltage monitoring| n0
    n3 -->|voltage monitoring| n1
    n3 -.->|quench trip| n2
```
Superconducting Magnet System — Internal Components
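The voltage-monitoring and quench-trip edges in the diagram above, together with the independence argument in ARC-REQ-007, as an added example that is not page or project code: a resistive-bridge quench detector that compares two halves of a coil so the inductive ramp voltage cancels, validates the >100 mV signature over several 1 ms samples, and reports detection latency against the 10 ms budget given in the Magnet Quench Detection and Protection System entry. The threshold, sample period and budget are from the page; the 5 ms validation window, the two-half bridge construction and the scenario waveforms are constructed assumptions.

```python
"""Resistive-bridge quench detection for the Magnet Quench Detection and
Protection System (QDPS).

Added example, not STEP project code. The >100 mV threshold, the 1 ms
processing period and the 10 ms detection budget are from the page; the
5 ms validation window, the bridge built from two coil halves and the
scenario waveforms are assumptions for illustration.
"""
from typing import List, Optional, Tuple

THRESHOLD_V = 0.100      # quench voltage signature threshold (page: >100 mV)
SAMPLE_MS = 1.0          # AQP board processes signals in 1 ms (page)
VALIDATION_MS = 5.0      # assumed persistence required before a trip
DETECT_BUDGET_MS = 10.0  # page: detection within 10 ms

Sample = Tuple[float, float]  # (voltage across coil half A, coil half B)


def bridge_voltage(v_a: float, v_b: float) -> float:
    """Two matched halves carry the same inductive L*dI/dt, so their
    difference cancels ramp voltage and leaves only a resistive component."""
    return v_a - v_b


def detect_quench(samples: List[Sample]) -> Optional[float]:
    """Return the time (ms) of the sample that validates a trip, or None.

    |bridge| must exceed THRESHOLD_V for VALIDATION_MS of consecutive samples,
    so a single-sample EMI glitch does not dump the coil energy. The function
    depends only on the tap voltages, never on power-supply or PCS state,
    mirroring the hardwired separation from the MPSS in ARC-REQ-007."""
    consecutive = 0
    for i, (v_a, v_b) in enumerate(samples):
        if abs(bridge_voltage(v_a, v_b)) > THRESHOLD_V:
            consecutive += 1
            if consecutive * SAMPLE_MS >= VALIDATION_MS:
                return i * SAMPLE_MS
        else:
            consecutive = 0
    return None


def ramp_scenario(n: int = 40, inductive_v: float = 2.0) -> List[Sample]:
    """Constructed current ramp: both halves see identical inductive voltage."""
    return [(inductive_v, inductive_v)] * n


def quench_scenario(n: int = 40, onset_ms: float = 20.0, growth_v_per_ms: float = 0.06,
                    inductive_v: float = 2.0) -> List[Sample]:
    """Constructed quench: a normal zone grows in half A after onset, adding a
    linearly rising resistive voltage on top of the shared inductive term."""
    out: List[Sample] = []
    for i in range(n):
        t = i * SAMPLE_MS
        resistive = growth_v_per_ms * (t - onset_ms + SAMPLE_MS) if t >= onset_ms else 0.0
        out.append((inductive_v + resistive, inductive_v))
    return out


def glitch_scenario(n: int = 40, at_ms: float = 15.0) -> List[Sample]:
    """Constructed one-sample EMI spike on half A: above threshold, not persistent."""
    out = ramp_scenario(n)
    i = int(at_ms / SAMPLE_MS)
    out[i] = (out[i][0] + 0.3, out[i][1])
    return out


def quench_latency_ms(samples: List[Sample], onset_ms: float) -> Optional[float]:
    """Detection latency relative to quench onset, for checking the 10 ms budget."""
    t = detect_quench(samples)
    return None if t is None else t - onset_ms


if __name__ == "__main__":
    print("ramp:", detect_quench(ramp_scenario()))
    print("glitch:", detect_quench(glitch_scenario()))
    lat = quench_latency_ms(quench_scenario(), 20.0)
    print("quench latency ms:", lat, "within budget:", lat is not None and lat <= DETECT_BUDGET_MS)
```

The validation window is the knob to check in review: it must be long enough to reject noise from the pulsed PF coils (the Diagnostic Data Acquisition Front-End entry notes that interference) yet short enough that validation plus heater and breaker actuation still lands inside the 10 ms detection figure the page gives for the QDPS.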
```mermaid
flowchart TB
    n0["component<br>Turbomolecular Pump Array"]
    n1["component<br>Pressure Monitoring System"]
    n2["component<br>Leak Detection System"]
    n1 -.->|speed control| n0
    n2 -->|helium monitor| n0
```
Vacuum System — Internal Components
```mermaid
flowchart TB
    n0["component<br>Helium Refrigeration System"]
    n1["component<br>Cryogenic Transfer Line Network"]
    n2["component<br>Helium Management System"]
    n3["component<br>Cryogenic Control System"]
    n0 -->|4.5K He supply| n1
    n2 -->|200bar He gas| n0
    n3 -.->|control/setpoints| n0
```
Cryogenic Plant — Internal Components
| Entity | Hex Code | Description |
|---|---|---|
| Activated Dust Explosion in Fusion Vessel | 06400211 | Hazard in STEP Fusion Power Plant: accumulation of beryllium and tungsten dust from plasma-surface interaction (erosion, sputtering). Dust is radioactive (activated), toxic (beryllium), and potentially explosive when dispersed in air. Air ingress event could create dust-air mixture exceeding lower explosive limit. Consequence: pressure pulse damaging vessel internals, mobilisation of radioactive/toxic material, breach of confinement barriers. |
| Actuator Management System | 51B57B18 | Coordination layer of the STEP Fusion Power Plant Plasma Control System. Receives setpoints from the Real-Time Plasma Controller and translates them into commands for gas puff valves (5 ms response), pellet injector, neutral beam injectors (100 ms response), electron cyclotron (ECRH) and ion cyclotron (ICRH) systems. Implements priority arbitration — disruption mitigation overrides heating in all cases. Monitors actuator health and feeds status back to controller. |
| Atmosphere Detritiation System | 55F71219 | Catalytic converter and molecular sieve drier units protecting occupied zones of the tritium plant building. Monitors tritium concentration in building atmosphere using ionisation chamber monitors (threshold 1e-5 Ci/m³). On high alarm, recirculates atmosphere through palladium catalyst beds (converts HT/DT to HTO/DTO) and driers. Achieves cleanup factor ≥100 in <4 hours. SIL 3 — final barrier protecting workers from tritium inhalation dose. |
| Blanket and Divertor Exchange Tooling | C6851058 | Standardised set of end-effectors, grippers, torque tools, and alignment jigs for blanket module removal/installation and divertor cassette exchange. Each blanket module weighs ~1.2 tonnes; divertor cassette ~2.8 tonnes. Tooling provides blind-mate hydraulic and electrical connectors, self-aligning kinematic mounts, and torque feedback for fastener drives. Qualification to ITER-equivalent handling standard. SIL 1: tool failure during blanket exchange causes coolant breach risk within the vessel. |
| Blanket Tritium Extraction System | 56D51018 | High-temperature purge gas system and tritium extraction loop for the lithium-ceramic blanket modules. Circulates helium purge gas at 200-300°C through breeding blanket to sweep bred tritium from Li2TiO3 or Li4SiO4 pebbles. Includes molecular sieve beds and palladium permeators to separate tritium from the helium stream. Output: purified tritium gas at 99.5% purity fed to Isotope Separation System at 5-10 mg/day during full-power operation. SIL 2 — upstream of double-containment boundary. |
| Commissioning mode of STEP Fusion Power Plant | 50B53A50 | Pre-operational testing and system integration: individual subsystem tests (magnets, vacuum, heating, cooling, tritium, diagnostics), integrated system tests with hydrogen and deuterium plasmas (non-nuclear), progressive power ramp-up, safety system validation. First plasma achieved with hydrogen only. Gradual introduction of deuterium, then D-T mixtures at increasing power. Entry: construction complete, regulatory licence granted. Exit: all commissioning milestones achieved, full-power D-T operation authorised. |
| Condenser and Cooling Water System | 56C51018 | Surface condenser rejecting ~280 MWth of waste heat from turbine exhaust steam, using either once-through seawater cooling or closed-cycle cooling towers depending on site. Condenser vacuum maintained at 0.04 bar by two steam ejectors and one liquid-ring vacuum pump. Includes inlet screening, chemical dosing, biofouling treatment, and corrosion monitoring. Cooling water flow: 8000 m³/hr nominal. Non-nuclear, no SIL requirement. |
| Cryogenic Control System | 55B77A18 | Distributed control and monitoring system for the fusion power plant cryogenic infrastructure. Executes automatic cool-down sequences (80K per stage controlled descent over 72 hours), steady-state regulation of magnet temperatures and refrigerator loads, quench event response (vent isolation, recovery initiation), and alarm management. Runs on a redundant PLC/SCADA platform with an OPC UA interface to the plant-wide Plasma Control System for interlocks. Monitors >2,000 cryogenic measurement points: temperatures (PT-100 and Cernox sensors), pressures (Pirani and capacitive gauges), flowmeters, and valve positions. Provides SCADA HMI for cryogenic operators and a historian for trend analysis. SIL 2 rated for quench response and emergency isolation functions. |
| Cryogenic Cooling System Operation | 54F73A18 | System function of STEP Fusion Power Plant: provides helium refrigeration to cool superconducting magnets to 4.5K with ~80 kW cooling capacity, manages 50 tonnes liquid helium inventory, thermal shields at 80K, cool-down/warm-up cycles. Inputs: compressor power, helium supply. Outputs: 4.5K coolant to magnets, 80K shield cooling. Constraints: 2-week cool-down, 1-week warm-up, cryoplant availability >99%. |
| Cryogenic Helium Supply Infrastructure | 5E851018 | External infrastructure for STEP Fusion Power Plant: large-scale helium refrigeration plant providing ~80 kW cooling at 4.5K for superconducting magnets. Liquid helium inventory ~50 tonnes. Helium recovery and purification system. Interface with commercial helium supply for make-up. Critical availability requirement — loss triggers whole-plant shutdown. |
| cryogenic plant | DEC51018 | Physical cryogenic facility containing helium compressor trains, cold boxes, heat exchangers, liquid nitrogen pre-coolers, and cryogenic distribution manifolds. Operates at 4.5K with liquid helium and supercritical helium coolant. Physical plant with structural, material, and manufacturing requirements for cryogenic-grade steels, vacuum-jacketed pipework, and seismic qualification. Classifiable as a Physical Object with physical medium (liquid helium). |
| Cryogenic Plant | DE851018 | Physical cryogenic plant: discrete bounded building containing helium refrigerators, cold boxes, compressors, liquid helium storage dewars, and cryogenic distribution pipework. Physical material structure with defined footprint, weight, and connections. Not biological. Not virtual. |
| Cryogenic Transfer Line Network | CE851018 | Vacuum-jacketed cryogenic piping distribution network routing 4.5K liquid helium and 40-80K cold helium gas from the Helium Refrigeration System cold boxes to superconducting magnet cryostats, and liquid nitrogen at 77K to Tritium Plant and ancillary loads. Consists of bayonet couplings, flexible cryogenic hoses, isolation valves, and current leads (20kA HTS current leads with gas-cooled normal-conducting lower section). Network spans approximately 200m of installed pipe within the tokamak building. Key constraints: heat leak budget <10W per metre of transfer line, pressure withstand at 20 bar, seismic qualification to Site Design Acceleration level. |
| CS and PF Coil Set | DED53018 | Central Solenoid (6-module stack) and Poloidal Field coils (6 coils). CS uses Nb3Sn superconductor, PF coils use NbTi. CS provides inductive plasma drive (100 V·s flux swing) and plasma vertical position control. PF coils shape plasma equilibrium. Maximum field: CS 13 T, PF 6 T. Both at 4.5 K. SIL 2 — CS quench or PF power supply failure triggers plasma disruption. |
| Diagnostic Data Acquisition Front-End | 54A55218 | High-bandwidth signal conditioning and digitisation front-end for the STEP Fusion Power Plant Plasma Control System. Interfaces to 40+ plasma diagnostic sensor systems including Rogowski coils, flux loops, Thomson scattering, interferometers, and soft X-ray detectors. Sample rates 1-100 kHz per channel with sub-microsecond hardware timestamping for synchronised reconstruction. Provides noise isolation and surge suppression to protect controller hardware from EM interference generated by pulsed poloidal field coils. |
| Diagnostics and Measurement Systems | 54E57018 | Suite of 40+ plasma diagnostic instruments integrated into the Tokamak Core Assembly. Includes Thomson scattering for electron temperature/density, soft X-ray cameras for MHD mode identification, bolometers for radiated power, Mirnov coils for magnetic perturbations, and neutron flux monitors for fusion power. Each system requires calibrated access through limited diagnostic ports with radiation-hardened detectors operating in 10^6 rad/hour environments. |
| Disruption and Recovery Scenario | 41F63200 | Failure scenario for STEP Fusion Power Plant: during steady-state burn, locked mode develops from n=1 error field. Disruption mitigation system fires shattered pellet injection within 10 ms of detection. Thermal quench deposits 400 MJ to first wall — within design limits. Current quench generates 50 MN vertical force on vessel. Runaway electron beam avoided by pellet injection. Post-disruption: automated cooldown, structural health monitoring confirms no damage, vessel purged. 4-hour turnaround to next pulse attempt. |
| Disruption Prediction and Mitigation Unit | 51F77218 | Dedicated SIL-3 sub-module of the STEP Fusion Power Plant Plasma Control System. Monitors disruption precursor indicators (beta collapse, locked mode oscillation, n=1 Mirnov signal) at 5 kHz on FPGA-based processing hardware. Triggers massive material injection (shattered pellet injection system) within 10 ms of detection threshold crossing. Operates in parallel with the Real-Time Plasma Controller without shared execution path. Diverse implementation to avoid common-cause failure. |
| Divertor Cassette Assembly | CE851018 | Modular tungsten and CFC armour cassettes at the bottom of the plasma vessel handling plasma exhaust. Each cassette handles peak heat flux of 10-20 MW/m2 under ELM and disruption loading. Coolant circuits in CuCrZr heat sink remove up to 8 MW per cassette. 18-24 cassettes around poloidal perimeter, all remotely replaceable through lower maintenance ports. Key I/O: pumped limiter for neutral gas, tritium exhaust to vacuum system. |
| Electrical Power Conversion and Export | 54F73A18 | System function of STEP Fusion Power Plant: converts thermal power to electricity via steam turbine-generator, manages power conditioning for 400 kV grid export and internal distribution to ~65 MW of auxiliary loads (magnets, heating, cryogenics, control). Inputs: ~500 MW steam from heat exchangers. Outputs: ≥100 MW net to grid at 400 kV, auxiliary power distribution. Constraints: Grid Code compliance, 50 Hz ±0.5 Hz, THD <3%. |
| Emergency Shutdown mode of STEP Fusion Power Plant | 40F53A10 | Uncontrolled plasma termination (disruption) or triggered fast shutdown: plasma instability (vertical displacement event, thermal quench, current quench) dumps up to 1 GJ thermal energy into first wall and divertor in <50 ms. Runaway electron beam possible at >10 MeV. Fast magnet discharge to prevent quench propagation. Emergency tritium containment activated — building ventilation isolation, detritiation systems. Electromagnetic forces up to hundreds of MN on vessel structures. Entry: disruption detection system trigger or manual emergency stop. Exit: plasma terminated, structural inspection required, radiological survey before re-entry. |
| Feedwater and Balance of Plant System | 56D53218 | Feedwater pumps, deaerator, low-pressure and high-pressure feedwater heaters, and auxiliary services restoring condensate from 0.04 bar to 16 MPa feedwater pressure for return to steam generators. The regenerative feedwater heating train extracts steam at 5 bleeds from the turbine to improve Rankine cycle efficiency from ~32% to ~38%. Includes chemical dosing for pH control (all-volatile treatment), sampling, and condensate polishing. Non-nuclear, SIL 0, but essential for cycle efficiency and steam generator lifetime. |
| First Wall and Blanket Module | CEC51010 | Actively cooled tungsten/EUROFER first wall panels and tritium breeding blanket modules lining the plasma-facing interior of the STEP tokamak. Receives neutron wall load up to 1 MW/m2 and peak surface heat flux of 5-10 MW/m2. Coolant channels carry pressurised water or helium at 300-500°C. Key outputs: tritium bred from Li-6 in the blanket, decay heat to the cooling circuit. Constraints: radiation damage limit 20 dpa before remote-handling replacement. |
| Full-Power Burn Scenario | 50F53218 | Normal operations scenario for STEP Fusion Power Plant: shift supervisor and 4 control room operators monitor a 6-hour burn pulse. Pellet injector maintains fuel mix, divertor heat flux stable at 8 MW/m2, net 100 MW to grid. Plasma control system handles ELM pacing, sawtooth control, and position feedback. Tritium plant processes exhaust gas, separates isotopes, refuels. Mid-pulse: minor NTM detected, stabilised by targeted ECCD. End of pulse: orderly ramp-down per schedule. |
| Fusion Plant Control Room Operator | 01AD72F9 | Primary operational stakeholder of STEP Fusion Power Plant: licensed operators monitoring plasma parameters, heating systems, and plant safety from the main control room. Responsible for pulse initiation, supervision of automated plasma control, manual intervention during off-normal events, and orderly shutdown. 4 operators per shift, 24/7 coverage. Requires fusion-specific training on plasma physics, disruption response, and tritium safety. |
| fusion power plant | DEC51019 | A large physical facility: discrete bounded structure with foundations, walls, roof and equipment installed inside. Physical installation containing superconducting magnets (physical steel structures), vacuum vessel (physical steel vessel), turbine hall (physical building), heat exchangers (physical equipment). Has physical weight, dimensions, and material construction. Occupies a definite physical location in 3D space with a measurable footprint. |
| Fusion-grade Vacuum System Environment | 40852800 | Operating environment constraint for STEP Fusion Power Plant: ultra-high vacuum (UHV) <1e-6 Pa in tokamak vessel volume ~1000 m3. Must maintain base pressure after bake-out at 200°C. Plasma-facing surface outgassing, helium ash removal via divertor pumping. All in-vessel materials must be UHV-compatible. Leak rate specification <1e-9 Pa·m3/s per seal. |
| Grid Interface and Electrical Switchgear | D6F53858 | Step-up transformer (generator step-up transformer, 400 kV/22 kV, 120 MVA), HV switchgear bay, protection relays (overcurrent, differential, distance), and metering equipment connecting the turbine-generator to the national grid. Provides grid synchronisation, islanding detection, reactive power compensation (capacitor banks ±30 MVAR), and grid code compliance monitoring. SIL 1 designation because rapid uncontrolled disconnection from grid during fault could cause turbine overspeed and bearing damage. |
| Grid Transmission Operator | 00A53AF8 | External stakeholder of STEP Fusion Power Plant: National Grid ESO managing the electrical grid connection. Receives ~100 MW during burn pulses, must handle pulsed power profile (hours-long pulses with inter-pulse gaps). Requires compliance with Grid Code, frequency response obligations, fault ride-through capability, and advance scheduling of pulse operations. |
| Helium Management System | 51973218 | Helium gas storage, purification, compression, and recovery system for the fusion power plant cryogenic infrastructure. Provides high-pressure helium gas (200 bar) buffer storage for refrigerator compressor suction, captures and recovers boil-off helium from warm-up events and magnet quench discharges (up to 200m³ STP per quench event), purifies helium to ≥99.999% purity via activated charcoal cold traps and molecular sieve adsorbers, and liquefies recovered gas in a 5,000L liquid helium dewar. Includes oil removal adsorbers on compressor outlets and moisture analyser. System must recover ≥95% of helium from any single quench event within 2 hours. |
| Helium Refrigeration System | 57D73218 | Industrial-scale helium refrigeration system providing 4.5K supercritical helium coolant to superconducting magnet cryostats in a spherical tokamak fusion power plant. Consists of two independent cold box trains each with oil-free screw compressors, counterflow heat exchangers, JT valves, and turbine expanders. Each train provides minimum 8kW at 4.5K and 50kW at 40-80K for magnet thermal shields. Key inputs: high-pressure helium gas from recovery system; outputs: 4.5K LHe and 40-80K He gas to transfer line network. Operating environment: dedicated cryogenic hall with 10-20m tall cold boxes, helium purity ≥99.999% (< 1 ppm contaminants). Cool-down rate constrained to <5K/hour to avoid thermal shock to HTS coils. |
| In-Vessel Inspection and Maintenance Manipulator | D7E47018 | Multi-axis robotic manipulator arm operating inside the STEP tokamak vacuum vessel in high-radiation, high-temperature environment (300°C surface temp, 10^6 Gy total dose). Provides 6-DOF positioning with ±1mm precision for blanket module replacement and divertor cassette exchange. Deployed through equatorial port using carrier vehicle. Key I/O: position commands from RH Control Suite, force/torque feedback, camera feeds. Qualified to SIL 1 — loss of manipulation capability results in extended maintenance outage but no safety-critical hazard. |
| In-Vessel Viewing and Monitoring System | 54E55018 | Network of radiation-hardened cameras (up to 10^7 Gy qualified), LED lighting arrays, and fibre-optic endoscopes providing visual coverage of in-vessel components during remote operations. Minimum 12 fixed cameras plus 2 articulated pan-tilt cameras on maintenance carrier. Delivers stereo HD video at 30fps with <200ms latency to the RH Control Suite. Also performs thermographic inspection via IR cameras to detect hot spots on blanket tiles after plasma operations. |
| Isotope Separation System | 55973219 | Cryogenic distillation column cascade for separation of hydrogen isotopologues (H2, HD, HT, D2, DT, T2) from the DT fuel cycle. Processes input stream from Plasma Exhaust Processing System and Blanket Tritium Extraction System. Produces high-purity DT fuel product (>99.9% purity, D:T ratio 50:50 ± 2%) and depleted hydrogen waste stream. Operating temperature 20-24 K at column pressures up to 0.3 MPa. Throughput: 200 Pa·m³/s DT equivalent. SIL 3 — primary tritium processing system. |
| Loss of Coolant Accident in Fusion Plant | 40050211 | Hazard in STEP Fusion Power Plant: rupture or leak in primary or secondary cooling circuit (helium or water). In-vessel LOCA: coolant ingress into vacuum vessel during operation — steam/hydrogen generation if water-cooled, pressure spike, potential chemical reactions with hot plasma-facing materials (beryllium, tungsten). Ex-vessel LOCA: loss of decay heat removal capability after shutdown, component overheating. Consequence: structural damage, potential tritium mobilisation from co-deposited layers, activation product release. |
| Loss of Cryogenic Cooling | 00050219 | Hazard in STEP Fusion Power Plant: failure of helium refrigeration system supplying 4K cooling to superconducting magnets. Without cooling, magnets warm above critical temperature triggering quench of entire magnet system. Large-scale helium release (~tonnes of liquid helium) into magnet cryostat and potentially into the building — oxygen displacement asphyxiation risk for personnel. Consequence: cascading magnet quench, plasma disruption, potential structural damage, building evacuation. |
| Loss of Vacuum — air ingress to vessel | 00410211 | Hazard in STEP Fusion Power Plant: uncontrolled air ingress into the tokamak vacuum vessel through port seal failure, diagnostic window breach, or cooling pipe rupture. Air reacts exothermically with hot beryllium first-wall tiles (Be + N2/O2) producing beryllium oxide aerosol — toxic and radioactive. Consequence: mobilisation of activated dust (beryllium, tungsten), potential hydrogen generation, tritium release via oxidation of co-deposited T-layers, vessel contamination requiring extensive cleanup. |
| Magnet Power Supply System | 54F53018 | Thyristor-based DC power supplies providing controlled current to TF (68 kA), CS (45 kA), and PF coils (10-45 kA each). Fast discharge units with 10 ms switching capability for plasma control. Bus bar distribution rated for cryogenic operation. Voltage-current regulation to 0.01%. Interfaces with PCS for real-time current setpoints via IFC-REQ-014. SIL 1 at steady state; SIL 2 during PF fast discharge for disruption mitigation. |
| Magnet Quench Detection and Protection System | 55F77218 | Voltage-tap and resistive bridge detection system monitoring all superconducting coils for quench onset. Detects quench voltage signature (>100 mV threshold) within 10 ms. Initiates quench heaters and dump resistors to safely dissipate stored energy (40 GJ total). Active Quench Protection (AQP) board processes signals in 1 ms. SIL 2 — failure to detect results in conductor hot-spot temperature exceeding 300 K causing coil damage. |
| National Electrical Grid Connection | 50C57A58 | External interface for STEP Fusion Power Plant: 400 kV grid connection via dedicated substation. Exports ~100 MW net during burn. Imports ~50 MW for plant auxiliaries and magnet systems during non-burn periods. Must comply with UK Grid Code for frequency response, reactive power, fault ride-through. Pulsed power profile requires grid operator coordination. |
| Neutron Streaming through Penetrations | 04400011 | Hazard in STEP Fusion Power Plant: 14.1 MeV fusion neutrons streaming through diagnostic ports, maintenance ports, neutral beam injection ducts, and other penetrations in the biological shield. Inadequate shielding or labyrinth design allows radiation dose rates in occupied areas to exceed limits. Consequence: worker radiation exposure exceeding annual dose limits (20 mSv), regulatory shutdown, potential long-term health effects. |
| Nuclear Safety Regulator | 00857AFD | Regulatory stakeholder of STEP Fusion Power Plant: the Office for Nuclear Regulation (ONR) responsible for licensing and oversight of the facility. Approves safety case, sets dose limits, inspects operations, investigates incidents. Unique challenge: fusion regulatory framework is evolving — STEP may be first fusion facility requiring full nuclear site licence. Key concerns: tritium inventory, activated waste, worker dose, emergency planning zone. |
| Planned Maintenance Campaign Scenario | 40843218 | Maintenance scenario for STEP Fusion Power Plant: after 6-month operational campaign, plant enters scheduled maintenance. Tritium inventory removed to storage. Vessel purged and atmosphere established. Remote handling system deployed through equatorial maintenance ports. Divertor cassettes extracted (8 units, ~5 tonnes each), transported to hot cell via cask. Replacement cassettes installed. Blanket modules inspected in-situ by remote cameras. One module flagged for replacement — additional 3-week task. Total campaign: 4 months. Re-commissioning: vacuum leak test, magnet cool-down (2 weeks), integrated checks, first hydrogen plasma. |
| Planned Shutdown mode of STEP Fusion Power Plant | 40B43A10 | Controlled plasma termination: auxiliary heating power ramped down, plasma current reduced via controlled ramp-down over 10-30 seconds, fuel injection ceased, plasma density allowed to decay. Residual heat removal systems activated. Magnets de-energised in controlled sequence. Vacuum vessel purged of residual tritium. Coolant loops transition to decay heat removal mode. Entry: operator command or end-of-pulse schedule. Exit: plasma terminated, vessel in safe standby. |
| Plasma Confinement and Heating | 50F53208 | System function of STEP Fusion Power Plant: confines deuterium-tritium plasma at ~150 million K using 3-4 T toroidal magnetic field from HTS superconducting magnets and additional poloidal field shaping. Inputs: magnetic field configuration, auxiliary heating power (NBI, ECCD ~100 MW), fuel pellets. Outputs: sustained fusion reaction at Q≥5, 14.1 MeV neutron flux ~1e18 n/m²/s, alpha particle self-heating. Constraints: plasma current ≥10 MA, ELM and NTM instability control, disruption avoidance. |
| Plasma Control and Safety Interlock | 55F77A18 | System function of STEP Fusion Power Plant: real-time feedback control of plasma position, shape, density, and heating power at ≥1 kHz; monitors MHD stability; commands disruption mitigation within 10 ms; manages all safety interlocks for seismic trip, radiation, vacuum breach. Inputs: magnetic diagnostics, interferometry, ECE, spectroscopy. Outputs: coil current commands, heating actuator commands, gas valve commands, safety trip signals. Constraints: SIL 3 for safety functions, deterministic latency <1 ms for inner loop. |
| Plasma Control Supervisor | 51B57B18 | Supervisory software layer of the STEP Fusion Power Plant Plasma Control System. Manages pulse programming, mode transitions (startup, burn, shutdown), interlock logic, and operator interfaces. Runs on a separate non-realtime server with 1-second update cycle. Receives pulse plan from the operations team, validates constraints, arms the real-time controller, and monitors for out-of-spec conditions. Initiates controlled shutdown via the Real-Time Plasma Controller when operator or automated trigger fires. |
| plasma control system | 51F73A18 | |
| Plasma Disruption — uncontrolled termination | 04540200 | Hazard in STEP Fusion Power Plant during Steady-State Burn: magnetohydrodynamic instability causes rapid loss of plasma confinement. Thermal quench deposits up to 1 GJ onto first wall and divertor in <1 ms. Current quench generates massive electromagnetic forces (hundreds of MN) on vessel and coil structures. Vertical displacement event drives plasma into upper or lower vessel wall. Consequence: first wall erosion/melting, structural fatigue, potential vacuum breach, coolant ingress. Frequency: expected multiple times per operational campaign. Mitigation: disruption prediction, massive gas injection, shattered pellet injection. |
| Plasma Exhaust Processing System | D5D71018 | Vacuum pump train and chemical processing unit that receives unburnt deuterium-tritium exhaust gas from the tokamak divertor. Processes up to 200 Pa·m³/s throughput at pressures from 10^-3 Pa to 10^5 Pa. Separates hydrogen isotopes from helium ash and impurities using palladium diffusion membranes and cryosorption beds. Transfers purified DT stream to Isotope Separation System. SIL 3 — tritium confinement boundary component. |
| Plasma Heating and Current Drive System | 54F53218 | Combined neutral beam injection (NBI) and electron cyclotron resonance heating (ECRH) system providing 50 MW of auxiliary plasma heating and current drive for the STEP tokamak. NBI unit uses negative-ion sources producing 1 MeV deuterium beams injected tangentially. ECRH array uses gyrotrons at 170 GHz launching microwave power via corrugated waveguide. Together these systems heat the plasma to ignition temperature (100-150 million K) and drive bootstrap current fraction. |
| Plasma Startup mode of STEP Fusion Power Plant | 56F53210 | Plasma initiation and current ramp-up phase: cryogenic magnets cooled to 4 K, vacuum vessel evacuated to <1e-6 Pa, gas puff of deuterium, breakdown via electron cyclotron resonance heating, plasma current ramped from 0 to ~10 MA over 30-60 seconds via central solenoid flux swing, auxiliary heating systems engaged sequentially (neutral beam injection, ion cyclotron resonance). Entry: all pre-pulse interlocks satisfied. Exit: plasma reaches Q>1 burn conditions. Operators monitor from main control room with automated feedback control. |
| power conversion system | DED51018 | The Power Conversion System (PCS) is the physical plant that extracts thermal energy from the tokamak breeding blanket and converts it to electricity. It comprises steam generators, turbine stages, condensers, feedwater pumps, and heat exchangers installed in the turbine hall building. Operating at steam temperatures ~550°C with primary coolant inlet at ~300°C. Interfaces with the tokamak vacuum vessel coolant loops and the 400 kV grid connection. Physical assembly of pressure vessels, piping, turbomachinery and electrical generators. |
| Power Conversion System | DEC51018 | Physical power conversion subsystem of STEP fusion power plant. Comprises steam generators, high-pressure and low-pressure turbines, condensers, feedwater pumps, and synchronous generators physically installed in the turbine hall building. A discrete, bounded physical installation with measurable weight, dimensions, and thermal mass. Converts thermal power from the fusion blanket to electricity via Rankine cycle. |
| Radiation Protection Adviser | 00857AF9 | Safety stakeholder of STEP Fusion Power Plant: responsible for radiological protection of workers and public. Manages ALARP assessments, sets controlled/supervised area boundaries, monitors personal and area dosimetry, approves work plans in activated areas, oversees environmental discharge monitoring. Reports to ONR on dose records. |
| Radiation Protection System | 4CA53859 | Subsystem of STEP Fusion Power Plant: biological shield (≥2 m concrete equivalent around tokamak), localised shielding at penetrations, area radiation monitoring (gamma, neutron dose rate), personal dosimetry system, contamination monitoring, environmental discharge monitoring (stack monitors, liquid effluent samplers), interlocked access control for radiation zones, building ventilation/HVAC with HEPA filtration and detritiation for contaminated zones. |
| Radiation Shielding and Confinement | 48853859 | System function of STEP Fusion Power Plant: biological shielding (≥2 m concrete equivalent), neutron streaming prevention at all vessel penetrations, tritium double-barrier containment, ventilation with HEPA and detritiation for contaminated zones. Inputs: neutron source term, tritium inventory, area classification. Outputs: dose rates in occupied areas <10 µSv/hr, tritium containment, filtered discharges. Constraints: ALARP, IRR17, EPR limits. |
| Real-Time Plasma Controller | 51F77208 | Core real-time computer of the STEP Fusion Power Plant Plasma Control System. Runs Grad-Shafranov equilibrium reconstruction and MHD stability assessment at 1 kHz on a deterministic RTOS (VxWorks or EPICS-RT). 64-core NUMA architecture with hardware timestamping. Ingests magnetic, kinetic, and spectroscopic diagnostic signals from 40+ sensor channels at 1 kHz. Outputs actuator commands with end-to-end latency under 1 ms. Dual-redundant for SIL-3. UPS-backed with 30-second ride-through. |
| Remote Handling Control Suite | 54ED7108 | Operator workstation suite for teleoperating all remote handling equipment. Provides stereo video feeds from 12 in-vessel cameras, haptic joystick interface, 3D rendered virtual environment (CAD overlay at <50 ms latency), and automated sequence execution. Monitors equipment health (motor current, joint limits, cable tension). Located in the remote handling control room outside the biological shield. SIL 1: operator error with inadequate feedback could lead to component collision and extended downtime. |
| Remote Handling Engineer | 008532F9 | Maintenance stakeholder of STEP Fusion Power Plant: engineers operating remote handling systems from a shielded control room to perform in-vessel maintenance. Design, plan, and execute replacement of highly activated components (divertor cassettes, blanket modules, diagnostics). Interface with hot cell operations. Require real-time force/torque feedback, 3D visualisation, and collision-avoidance systems. Critical path for plant availability. |
| Remote Handling System | DDE53019 | Subsystem of STEP Fusion Power Plant: articulated boom manipulators for in-vessel operations through horizontal and vertical ports, divertor cassette handling tools, blanket module handling tools, in-bore inspection tools, hot cell with master-slave manipulators and automated cutting/welding stations. Component transfer cask system between vessel and hot cell. Waste packaging and interim storage handling. All operations in >10 Sv/hr radiation field, 2 mm positioning accuracy required. |
| Remote Handling Transfer Cask | CE851059 | Shielded transport container for radioactive in-vessel components (blanket modules, divertor cassettes) weighing up to 4.6 tonnes. Provides biological shielding (≥2 Sv/hr reduction) and contamination control during transfer between tokamak port and hot cell facility. Interfaces with port interlock system, overhead crane (SWL 50 t), and hot cell docking collar. Radiation inventory in transported components drives SIL 1 rating — improper transfer could expose personnel above occupational dose limits. |
| Remote Maintenance and In-Vessel Handling | 51A53218 | System function of STEP Fusion Power Plant: robotic replacement of activated in-vessel components (divertor cassettes, blanket modules, diagnostics) using articulated manipulators operating through access ports. Hot cell operations for component inspection, repair, and waste packaging. Inputs: maintenance schedule, component specifications. Outputs: replaced components, refurbished assemblies. Constraints: 2 mm positioning accuracy, 4-month campaign, >10 Sv/hr environment, fully remote. |
| Remote Maintenance mode of STEP Fusion Power Plant | 51853A18 | In-vessel and ex-vessel maintenance performed entirely by remote handling systems due to neutron activation (contact dose rates >10 Sv/hr on in-vessel components after extended operation). Robotic arms insert through maintenance ports to replace divertor cassettes, blanket modules, and diagnostics. Hot cell facilities for component inspection, refurbishment, and waste packaging. Typical maintenance campaign: 2-6 months between operational periods. Entry: plasma terminated, vessel cooled, tritium inventory removed. Exit: leak testing, interlock verification, re-commissioning checks complete. |
| Runaway Electron Beam | 04400200 | Hazard in STEP Fusion Power Plant during disruption: during current quench, high electric field accelerates electrons to relativistic energies (>10 MeV), forming a concentrated beam carrying up to several MA. Beam impacts first wall at a localised point, depositing energy equivalent to melting/ablating several cm of tungsten or steel. Consequence: deep erosion or perforation of first wall, potential coolant channel breach, activation product mobilisation. No reliable passive mitigation — requires active detection and beam dispersal. |
| Seismic Emergency Scenario | 00B73A10 | Emergency scenario for STEP Fusion Power Plant: seismic sensors detect ground acceleration exceeding OBE threshold (0.1g). Automatic fast plasma shutdown initiated within 100 ms. Magnets discharged to dump resistors. All coolant isolation valves close. Building enters seismic isolation mode. Control room operators verify safe state via hardwired instrumentation. Post-event inspection: remote visual inspection of in-vessel components, leak testing of all primary boundaries, structural assessment of magnet supports. Estimated recovery: 2-4 weeks if no damage found. |
| Seismic Event affecting Fusion Plant | 00040259 | Hazard in STEP Fusion Power Plant: earthquake exceeding design basis causes relative displacement between vacuum vessel and magnet system, rupture of cryogenic and coolant pipework, loss of precision alignment of plasma-facing components. Consequence: simultaneous LOCA, magnet quench, tritium release, structural damage. Safe shutdown earthquake (SSE) must be defined for the site. |
| Steady-State Burn mode of STEP Fusion Power Plant | 55F73218 | Sustained D-T fusion operation at full power: plasma temperature ~150 million K, density ~1e20 ions/m³, confinement time sufficient for Q>=5. Tritium bred in lithium blanket at TBR>=1.1. Heat extracted via primary coolant loop (helium or water) driving turbine-generator at ~100 MW net electrical. Continuous fuelling via pellet injection. Divertor handles ~10 MW/m² heat flux. Plasma position and shape maintained by real-time feedback control of poloidal field coils. Duration: hours to days per pulse, target quasi-steady-state. Operators monitor key parameters; automated systems handle perturbations within envelope. |
| Steam Generator and Heat Transfer System | DED53018 | Primary heat exchangers converting fusion thermal power from the water-cooled plasma-facing components and breeding blanket (first wall outlet at ~300°C, 15 MPa) to secondary steam at 525°C/16 MPa. Comprises 4 shell-and-tube steam generators (each rated 150 MWth) plus a dedicated pressuriser. The steam generators are the interface between the nuclear island (primary coolant) and the conventional steam cycle (secondary). SIL 1 — loss of heat transfer causes blanket overtemperature but primary safety function is covered by decay heat removal system (SIL 3). |
| step fusion power plant | DEC51019 | STEP (Spherical Tokamak for Energy Production) fusion power plant. Physical installation on a dedicated site comprising multiple buildings: tokamak hall, fuel cycle facility, turbine hall, electrical switchgear building. Uses magnetic confinement fusion of deuterium-tritium plasma — a physics-based nuclear process with no biological or biomimetic elements. Physical structure with steel and concrete construction, physical equipment, and regulated nuclear site boundary. |
| STEP Fusion Power Plant | 5ED53219 | Spherical Tokamak for Energy Production (STEP) — a demonstration fusion power plant using a compact spherical tokamak design to achieve net electricity generation. Deuterium-tritium plasma confined by superconducting magnets at temperatures exceeding 100 million degrees Celsius. Breeds its own tritium fuel from lithium blankets. Generates ~100 MW net electrical power to the grid. Operates in a nuclear-regulated environment with tritium inventory, neutron activation, and remote maintenance requirements. First-of-kind facility bridging the gap between experimental fusion devices (JET, ITER) and commercial power stations. |
| Superconducting Magnet Quench | 00540200 | Hazard in STEP Fusion Power Plant: sudden loss of superconductivity in toroidal or poloidal field coils storing ~50 GJ magnetic energy. Local hot spot triggers resistive transition propagating through winding pack. Stored energy converts to heat — risk of coil damage, helium boil-off (rapid cryogen release), structural damage from thermal stress and electromagnetic forces. Consequence: loss of plasma confinement (disruption), potential coil replacement (months of downtime), pressure vessel overpressure from helium vaporisation. |
| Superconducting Magnet System | 56D57018 | |
| Superconducting Magnet System Operation | 54F53218 | System function of STEP Fusion Power Plant: generates and maintains toroidal field (3-4 T at plasma centre) and poloidal field for plasma equilibrium using HTS (REBCO) superconducting coils at 4.5 K. Includes central solenoid for plasma initiation, quench detection and protection (50 GJ stored energy). Inputs: cryogenic cooling, power supplies. Outputs: magnetic field configuration, quench detection signals. Constraints: field ripple <1%, quench discharge <30 s, hot-spot <300 K. |
| TF Coil Set | CEC51018 | 18 D-shaped toroidal field coils wound with Nb3Sn superconductor. Each coil generates 3.0 T on axis. Maximum field at conductor 12-13 T. Operating temperature 4.5 K. Stored magnetic energy 40 GJ (total). Coils housed in steel casing with ground insulation. Quench detection based on voltage imbalance. SIL 2 — uncontrolled quench can cause structural damage to coil and vacuum vessel. |
| Thermal Power Extraction | 40D53218 | System function of STEP Fusion Power Plant: captures 14.1 MeV neutron energy and alpha particle heat in breeding blankets and divertor, transfers thermal energy via primary coolant loops (lithium-lead or helium) to steam generators. Inputs: neutron flux, plasma radiation, alpha heating. Outputs: ~500 MW thermal power to steam cycle, bred tritium. Constraints: first wall heat flux ≤10 MW/m², blanket outlet temperature ≥500°C for efficient conversion. |
| Tokamak Core Assembly | DE851010 | Central subsystem of STEP Fusion Power Plant spherical tokamak: plasma vessel (~1000 m³ volume), first wall (tungsten-clad), divertor (8 cassettes handling ~150 MW exhaust heat), breeding blanket modules (lithium-lead/ceramic breeder), in-vessel diagnostics ports. Houses the plasma and absorbs 14.1 MeV neutron flux. Operates at UHV (<1e-6 Pa), bake-out to 200°C, neutron wall loading ~2 MW/m². Interfaces with magnets (external), vacuum system, cooling loops, remote handling ports. |
| Tritium Fuel Cycle Management | 40F73A19 | System function of STEP Fusion Power Plant: processes exhaust gas from divertor, separates hydrogen isotopes (H/D/T), stores tritium, breeds tritium in lithium blanket, and re-injects fuel pellets. Inputs: divertor exhaust gas, bred tritium from blanket, pellet specifications. Outputs: fuel pellets at correct D:T ratio, tritium inventory accounting, waste gas for detritiation. Constraints: TBR≥1.1, processing time ≤4 hours, tritium inventory ≤3 kg on-site, double containment. |
| tritium plant | DE851019 | Physical tritium fuel cycle facility containing processing vessels, isotope separation columns, storage beds, atmosphere detritiation systems, and exhaust treatment stacks. Handles tritium gas at multi-gram inventory levels within dual containment barriers. Physical plant with significant material and structural requirements for radiation shielding, seismic qualification, and leak-tight construction under IEC 61511 and ONR site licence. |
| Tritium Plant | 52953218 | Subsystem of STEP Fusion Power Plant: closed tritium fuel cycle processing. Tokamak exhaust processing (TEP) with palladium membrane reactors, isotope separation system (ISS) using cryogenic distillation, tritium storage in metal hydride beds (uranium or ZrCo), fuel injection system (frozen pellet injector, gas puff valves), detritiation system for building atmosphere. Processes ~250 g T/day. On-site inventory ≤3 kg. Double-glove-box containment throughout. Tritium accountability to ±0.1 g. |
| Tritium Plant Operator | 010D3AF9 | Operational stakeholder of STEP Fusion Power Plant: specialists operating the tritium processing plant — isotope separation, storage, accountability, fuelling systems, detritiation, and waste processing. Handle the full tritium fuel cycle from breeding blanket extraction to pellet injection. Subject to ALARP dose constraints and specific tritium handling certification. |
| Tritium Processing Malfunction Scenario | 00141211 | Degraded operations scenario for STEP Fusion Power Plant: primary isotope separation column develops a leak detected by room tritium monitors. Automatic isolation of affected processing line. Plant continues burn on reduced tritium throughput — power reduced to 60 MW. Tritium plant operators in protective equipment perform remote isolation and repair. Secondary detritiation system captures released tritium. Repair completed within shift — full power resumed. Total release: <0.1 g tritium, within operational limits. |
| Tritium Release to Environment | 02400255 | Hazard in STEP Fusion Power Plant: uncontrolled release of tritium (radioactive hydrogen isotope, T½ = 12.3 years, beta emitter) from the tritium processing plant, vacuum vessel, or coolant systems to the environment. Plant tritium inventory ~1-3 kg, biological hazard via inhalation or skin absorption. Consequence: radiological exposure to workers and public, regulatory violation, environmental contamination. Could result from double-barrier failure (vacuum vessel + containment building), tritium plant pipe rupture, or loss of detritiation system. |
| Tritium Storage and Delivery System | DE953019 | Metal hydride storage beds and gas handling manifolds for tritium and deuterium inventory management. Stores up to 100 g tritium equivalent in getter beds (uranium or ZrCo alloy at 20°C for storage, 300°C for release). Provides controlled DT fuel delivery to Isotope Separation System and gas puffing valves at the tokamak. Accountancy function: tracks tritium inventory to ±0.1 g per batch, ≤1% annual uncertainty. Double-containment boundary required. SIL 3. |
| Turbine-Generator Set | DFF53218 | Tandem compound steam turbine (high-pressure + low-pressure stages) driving a synchronous AC generator rated 120 MVA, 400 kV output. The turbine nominally processes 450 kg/s of steam at 525°C/16 MPa inlet, exhausting to condenser at 0.04 bar. Includes governor valve control for load following (±20% load swing in <30 s), turning gear, and automatic turbine run-up sequencer. Delivers ≥100 MW net electrical output to grid connection point. Non-safety classified (SIL 0) but operationally critical for plant revenue. |
| Turbomolecular Pump Array | D6D51218 | Array of 12 turbomolecular pumps (10,000 L/s each) positioned on lower ports of STEP tokamak. Primary pumping element maintaining plasma vessel pressure below 1e-6 Pa. Backed by rough pumps; discharges via torus exhaust to isotope separation system. Operates during plasma and dwell phases. Cold-cathode gauge feedback controls pump speed. |
| vacuum system | DE851018 | Physical vacuum pumping facility comprising turbomolecular pumps, cryopumps, roughing pumps, cryo-panels, and vacuum manifolds installed on the tokamak machine. Physical system with structural requirements for leak-tight welded construction, pump-down performance, and seismic qualification. Operates at pressures from atmosphere down to 1e-6 Pa in the torus. Discrete physical object integrated into the tokamak building structure. |
| Vacuum System | 54873018 | Subsystem of STEP Fusion Power Plant: achieves and maintains <1e-6 Pa in ~1000 m³ plasma vessel. Roughing pumps (scroll/roots), high-vacuum pumps (cryopumps with liquid helium panels), torus exhaust pumping, neutral beam injector differential pumping. Helium ash exhaust, leak detection system, vacuum gauging (ionisation, capacitance). Bake-out gas handling. Interlock with plasma operation and tritium systems. Must handle tritiated exhaust gas safely. |
| Vacuum Vessel and In-Vessel Structures | CE851018 | Double-walled stainless steel torus forming the primary vacuum boundary and neutron shielding structure for the STEP tokamak. 316L(N) construction, 7.5 m major radius, 2.5 m minor radius, wall thickness 40 mm inner shell. Provides radial access ports for diagnostics, heating systems, and remote handling. Passive decay heat removal via conduction to vessel body. Maintains 1e-6 Pa vacuum boundary integrity under seismic loading up to 0.2g. |
| Vacuum Vessel Leak Detection System | 54E77818 | Helium mass spectrometer leak detector deployed on vacuum vessel and cryostat, detecting in-leakage during shutdown and in-operation through background helium rise rate. Sensitivity 1e-9 mbar L/s. Triggers maintenance response if leak rate exceeds 1e-6 mbar L/s. Connected to facility alarm system. |
| Vacuum Vessel Pressure Monitoring System | 54F57A18 | Cold-cathode and hot-cathode ionisation gauges distributed across 32 vessel ports, providing redundant vacuum measurement from 1 Pa down to 1e-8 Pa. Feeds vessel pressure data to Plasma Control System at 10 Hz. Includes residual gas analyser for impurity species identification. Triggers interlock at 1e-4 Pa to prevent plasma with degraded vacuum. |

| Component | Belongs To |
|---|---|
| Real-Time Plasma Controller | Plasma Control System |
| Disruption Prediction and Mitigation Unit | Plasma Control System |
| Actuator Management System | Plasma Control System |
| Diagnostic Data Acquisition Front-End | Plasma Control System |
| Plasma Control Supervisor | Plasma Control System |
| First Wall and Blanket Module | Tokamak Core Assembly |
| Divertor Cassette Assembly | Tokamak Core Assembly |
| Vacuum Vessel and In-Vessel Structures | Tokamak Core Assembly |
| Plasma Heating and Current Drive System | Tokamak Core Assembly |
| Diagnostics and Measurement Systems | Tokamak Core Assembly |
| Plasma Exhaust Processing System | Tritium Plant |
| Isotope Separation System | Tritium Plant |
| Tritium Storage and Delivery System | Tritium Plant |
| Blanket Tritium Extraction System | Tritium Plant |
| Atmosphere Detritiation System | Tritium Plant |
| TF Coil Set | Superconducting Magnet System |
| CS and PF Coil Set | Superconducting Magnet System |
| Magnet Quench Detection and Protection System | Superconducting Magnet System |
| Magnet Power Supply System | Superconducting Magnet System |
| Turbomolecular Pump Array | Vacuum System |
| Vacuum Vessel Pressure Monitoring System | Vacuum System |
| Vacuum Vessel Leak Detection System | Vacuum System |
| Helium Refrigeration System | Cryogenic Plant |
| Cryogenic Transfer Line Network | Cryogenic Plant |
| Helium Management System | Cryogenic Plant |
| Cryogenic Control System | Cryogenic Plant |
| In-Vessel Inspection and Maintenance Manipulator | Remote Handling System |
| Remote Handling Transfer Cask | Remote Handling System |
| Remote Handling Control Suite | Remote Handling System |
| In-Vessel Viewing and Monitoring System | Remote Handling System |
| Blanket and Divertor Exchange Tooling | Remote Handling System |
| Steam Generator and Heat Transfer System | Power Conversion System |
| Turbine-Generator Set | Power Conversion System |
| Condenser and Cooling Water System | Power Conversion System |
| Feedwater and Balance of Plant System | Power Conversion System |
| Grid Interface and Electrical Switchgear | Power Conversion System |

| From | To |
|---|---|
| Diagnostic Data Acquisition Front-End | Real-Time Plasma Controller |
| Real-Time Plasma Controller | Actuator Management System |
| Real-Time Plasma Controller | Disruption Prediction and Mitigation Unit |
| Plasma Control Supervisor | Real-Time Plasma Controller |
| Plasma Exhaust Processing System | Isotope Separation System |
| Isotope Separation System | Tritium Storage and Delivery System |
| Blanket Tritium Extraction System | Isotope Separation System |
| Atmosphere Detritiation System | Tritium Plant |
| Magnet Quench Detection and Protection System | Magnet Power Supply System |
| Cryogenic Transfer Line Network | Superconducting Magnet System |
| Helium Refrigeration System | Cryogenic Transfer Line Network |
| Cryogenic Control System | Helium Refrigeration System |
| Helium Management System | Helium Refrigeration System |

| Component | Output |
|---|---|
| First Wall and Blanket Module | bred tritium and thermal power |
| Divertor Cassette Assembly | plasma exhaust heat and neutral gas |
| Plasma Heating and Current Drive System | plasma current and heating power |
| Diagnostics and Measurement Systems | plasma state measurements |
| Plasma Exhaust Processing System | purified DT exhaust stream |
| Isotope Separation System | high-purity DT fuel (>99.9%) |
| Tritium Storage and Delivery System | controlled DT fuel delivery |
| Blanket Tritium Extraction System | extracted bred tritium |
| Atmosphere Detritiation System | detritiated building atmosphere |
| Helium Refrigeration System | 4.5K supercritical helium coolant |