Hazard & Risk Analysis (HRA) — ISO/IEC/IEEE 15289 — Report | IEC 61508 Phase 3
Generated 2026-03-27 — UHT Journal / universalhex.org

| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: Plasma disruption — uncontrolled MHD instability dumps up to 1 GJ thermal energy onto first wall in <1ms, EM forces up to hundreds of MN | critical | high | SIL 3 | plasma terminated via massive gas injection, vessel integrity confirmed |
| H-002: Tritium release to environment — uncontrolled release of tritium (1-3 kg inventory) through double-barrier failure | catastrophic | rare | SIL 3 | building ventilation isolated, detritiation system activated |
| H-003: Superconducting magnet quench — loss of superconductivity in coils storing ~50 GJ, rapid helium boil-off | critical | low | SIL 2 | controlled fast discharge to dump resistors, cryogen vented via relief valves |
| H-004: Loss of coolant accident — rupture in cooling circuit, coolant ingress to vessel or loss of decay heat removal | critical | low | SIL 2 | plasma terminated, isolation valves closed, passive decay heat removal |
| H-005: Loss of vacuum — air ingress, exothermic beryllium-air reaction producing toxic/radioactive aerosol | critical | low | SIL 2 | plasma terminated, vessel isolation valves closed, containment filtered |
| H-006: Runaway electron beam — relativistic electrons >10 MeV from disruption current quench, localised first wall perforation | critical | medium | SIL 3 | beam dispersal via massive material injection |
| H-007: Activated dust explosion — beryllium/tungsten dust dispersed by air ingress exceeds explosive limit | critical | rare | SIL 2 | inert gas flood, air ingress sealed, dust inventory below threshold |
| H-008: Loss of cryogenic cooling — helium refrigeration failure causing whole-system magnet quench, asphyxiation risk | critical | low | SIL 2 | controlled magnet discharge, building ventilation maximum, evacuation |
| H-009: Seismic event — earthquake causing vessel/magnet displacement, simultaneous LOCA and quench | catastrophic | rare | SIL 3 | seismic trip, fast plasma shutdown, passive cooling |
| H-010: Neutron streaming — 14.1 MeV neutrons through penetrations exceed shielding, worker dose above limits | major | medium | SIL 1 | radiation interlocks, power reduced until shielding verified |

| Ref | SIL | Requirement | V&V |
|---|---|---|---|
| IFC-REQ-021 | SIL 3 | The interface between the Tritium Plant Plasma Exhaust Processing System and the Isotope Separation System SHALL transfer purified hydrogen isotopolog... | Test |
| IFC-REQ-022 | SIL 3 | The interface between the Tritium Plant Isotope Separation System and the Tritium Storage and Delivery System SHALL transfer DT product at purity grea... | Test |
| IFC-REQ-023 | SIL 2 | The interface between the Tritium Plant Blanket Tritium Extraction System and the Isotope Separation System SHALL transfer extracted tritium-in-helium... | Test |
| IFC-REQ-024 | SIL 2 | The interface between the Superconducting Magnet System Quench Detection and Protection System and the Magnet Power Supply System SHALL transmit a har... | Test |
| IFC-REQ-031 | SIL 1 | The interface between the In-Vessel Inspection and Maintenance Manipulator and the Remote Handling Control Suite SHALL use a real-time motion control ... | Test |
| IFC-REQ-033 | SIL 1 | The interface between the In-Vessel Viewing and Monitoring System and the Remote Handling Control Suite SHALL deliver stereo video at ≥ 25 fps, ≥ 1080... | Test |
| IFC-REQ-034 | SIL 1 | The interface between the Steam Generator and Heat Transfer System primary side and secondary side SHALL maintain tube-to-shell differential pressure ... | Test |
| IFC-REQ-036 | SIL 1 | The interface between the Power Conversion System and the Plasma Control System SHALL receive plasma disruption notification within ≤ 100 ms of disrup... | Test |
| SUB-REQ-001 | SIL 3 | The Plasma Control System SHALL execute the plasma position and shape control algorithm with a cycle time of 1 ms or less, processing all diagnostic i... | Test |
| SUB-REQ-002 | SIL 3 | The Plasma Control System SHALL detect plasma disruption precursors (locked mode amplitude exceeding 5 mT, beta collapse rate exceeding 10%/ms, or n=1... | Test |
| SUB-REQ-003 | SIL 3 | The Plasma Control System SHALL implement dual-redundant Real-Time Plasma Controllers executing identical algorithms in lockstep, with automatic switc... | Test |
| SUB-REQ-004 | SIL 3 | The Plasma Control System Diagnostic Data Acquisition Front-End SHALL sample all 40 or more plasma diagnostic channels at a minimum rate of 1 kHz with... | Test |
| SUB-REQ-005 | SIL 3 | When the Plasma Control System detects an internal fault (controller failure, loss of diagnostic data, or watchdog timeout), the Plasma Control System... | Test |
| SUB-REQ-006 | SIL 3 | When a disruption current quench is detected, the Plasma Control System Disruption Prediction and Mitigation Unit SHALL trigger massive material injec... | Test |
| SUB-REQ-015 | SIL 3 | The Tokamak Core Assembly Vacuum Vessel and In-Vessel Structures SHALL maintain plasma vessel leak rate below 1e-7 Pa m3/s total outgassing rate durin... | Test |
| SUB-REQ-016 | SIL 2 | The Tokamak Core Assembly First Wall and Blanket Module SHALL achieve tritium breeding ratio (TBR) contribution of 1.1 or greater as measured from bla... | Test |
| SUB-REQ-017 | SIL 3 | When a plasma disruption current quench is detected, the Tokamak Core Assembly SHALL withstand electromagnetic halo currents and induced eddy currents... | Test |
| SUB-REQ-018 | SIL 3 | The Tritium Plant Plasma Exhaust Processing System SHALL process unburnt DT exhaust gas at a throughput of up to 200 Pa·m³/s, achieving hydrogen isoto... | Test |
| SUB-REQ-019 | SIL 3 | The Tritium Plant Isotope Separation System SHALL produce DT fuel at a deuterium-tritium purity of greater than 99.9 mol% hydrogen isotopes and a D:T ... | Test |
| SUB-REQ-020 | SIL 3 | The Tritium Plant Tritium Storage and Delivery System SHALL store tritium inventory in double-contained metal hydride beds with a maximum tritium hold... | Test |
| SUB-REQ-021 | SIL 2 | The Tritium Plant Blanket Tritium Extraction System SHALL extract bred tritium from the lithium-ceramic blanket breeding zone at a rate matching the t... | Test |
| SUB-REQ-022 | SIL 3 | When the Tritium Plant atmospheric tritium monitor detects a concentration exceeding 1e-5 Ci/m3 (1 MBq/m3), the Tritium Plant Atmosphere Detritiation ... | Test |
| SUB-REQ-023 | SIL 2 | The Superconducting Magnet System Quench Detection and Protection System SHALL detect a resistive voltage signature greater than 100 mV on any superco... | Test |
| SUB-REQ-024 | SIL 2 | The Superconducting Magnet System Central Solenoid SHALL provide a total flux swing of at least 100 V·s over a plasma pulse, with a maximum ramp rate ... | Test |
| SUB-REQ-025 | SIL 2 | The Superconducting Magnet System TF Coil Set SHALL maintain a toroidal magnetic field of 3.2 T on plasma axis with a field ripple of less than 1% pea... | Test |
| SUB-REQ-026 | SIL 2 | The Superconducting Magnet System Magnet Power Supply System SHALL energise the TF Coil Set to full field in less than 2 hours and the CS Coil to maxi... | Test |
| SUB-REQ-027 | SIL 2 | When a quench interlock signal is received, the Superconducting Magnet System Magnet Power Supply System SHALL open all coil current loops and connect... | Test |
| SUB-REQ-028 | SIL 2 | The Superconducting Magnet System TF Coil Set SHALL maintain superconducting operation at a winding-pack temperature of 4.5 K ± 0.1 K, with a minimum ... | Test |
| SUB-REQ-031 | SIL 2 | The Cryogenic Plant Helium Refrigeration System SHALL provide minimum refrigeration capacity of 8 kW at 4.5 K per cold box train, with at least two in... | Test |
| SUB-REQ-032 | SIL 2 | The Cryogenic Plant Helium Management System SHALL capture and recover not less than 95% of the helium gas released during a superconducting magnet qu... | Test |
| SUB-REQ-033 | SIL 2 | The Cryogenic Plant Cryogenic Transfer Line Network SHALL maintain total static heat ingress to the 4.5 K helium circuit below 500 W across all transf... | Test |
| SUB-REQ-034 | SIL 2 | The Cryogenic Plant Cryogenic Control System SHALL automatically execute the magnet cool-down sequence from 300 K to 4.5 K at a rate not exceeding 5 K... | Test |
| SUB-REQ-035 | SIL 2 | When the Cryogenic Control System detects an internal fault (controller failure, loss of communication to >50% of sensors, or watchdog timeout), the C... | Test |
| SUB-REQ-036 | SIL 1 | The Remote Handling System SHALL position the In-Vessel Inspection and Maintenance Manipulator end-effector to within ±1 mm of target coordinates in t... | Test |
| SUB-REQ-037 | SIL 1 | The Remote Handling System SHALL complete a full blanket module exchange cycle (remove all 18 blanket modules, install replacement set) within 90 cale... | Demonstration |
| SUB-REQ-038 | SIL 1 | The Remote Handling System SHALL maintain full functionality after cumulative absorbed dose of 1×10^6 Gy (gamma + neutron equivalent) at any in-vessel... | Test |
| SUB-REQ-039 | SIL 1 | The Remote Handling Transfer Cask SHALL provide biological shielding such that dose rate at the cask outer surface does not exceed 2 mSv/hr when loade... | Test |
| SUB-REQ-040 | SIL 1 | When any Remote Handling System equipment fault is detected (loss of position feedback, motor overcurrent, cable tension alarm), the Remote Handling S... | Test |
| SUB-REQ-043 | SIL 1 | The Power Conversion System SHALL deliver electricity at 400 kV ± 5%, 50 Hz ± 0.5 Hz, with harmonic distortion < 3% THD, compliant with National Grid ... | Test |
| SUB-REQ-045 | SIL 1 | When a plasma disruption is signalled by the Plasma Control System, the Power Conversion System SHALL execute a controlled turbine runback to 20% rate... | Demonstration |
| SUB-REQ-073 | SIL 1 | The Remote Handling System SHALL implement a dual-path control architecture with independent main and backup control rooms, such that loss of the prim... | Test |
| SUB-REQ-074 | SIL 2 | The Superconducting Magnet System Magnet Power Supply System SHALL implement N+1 redundancy for all AC/DC converter modules, such that loss of any sin... | Test |
| SUB-REQ-075 | SIL 2 | The Vacuum System SHALL implement N+1 redundancy for all primary and backing pump trains on the torus and neutral beam injection lines, such that loss... | Test |
| SUB-REQ-076 | SIL 2 | The Vacuum System SHALL qualify all torus vacuum vessel seals and penetration flanges to a leak rate of less than 1e-9 Pa m3/s per seal under all oper... | Test |
| SUB-REQ-078 | SIL 3 | When a Design Basis Accident is declared, the Tritium Plant SHALL automatically isolate all tritium process and storage vessels within 30 seconds and ... | Test |
| SUB-REQ-079 | SIL 3 | The Tokamak Core Assembly SHALL define and implement Design Basis Accident response for in-vessel component failure and loss-of-cooling events such th... | Analysis |
| SUB-REQ-080 | SIL 3 | The Tritium Plant SHALL operate all tritium handling and storage activities under an approved Radiological Risk Assessment conforming to UK Ionising R... | Inspection |
| SUB-REQ-081 | SIL 2 | The Vacuum System SHALL maintain plasma vessel seal integrity during all operational modes — including steady-state plasma burn, inter-shot vessel con... | Test |
| SUB-REQ-083 | SIL 3 | The Tritium Plant SHALL implement N+1 process module redundancy for all active tritium processing stages — isotope separation, tritium purification, a... | Test |
| SUB-REQ-084 | SIL 2 | The Superconducting Magnet System SHALL implement a passive quench energy absorption architecture such that failure of any single active quench detect... | Analysis |
| SYS-REQ-007 | SIL 2 | The STEP Fusion Power Plant SHALL remove decay heat from in-vessel components passively (without active pumping) for at least 72 hours following loss ... | Test |
| SYS-REQ-011 | SIL 3 | When ground acceleration exceeds 0.1g (OBE threshold), the STEP Fusion Power Plant SHALL initiate plasma shutdown within 100 ms of seismic trigger sig... | Test |
| SYS-REQ-012 | SIL 1 | The STEP Fusion Power Plant SHALL limit neutron streaming through all penetrations such that dose rates in occupied areas remain below 10 µSv/hr durin... | Test |
| SYS-REQ-018 | SIL 3 | The STEP Fusion Power Plant SHALL define a Design Basis Accident set encompassing at least: (a) maximum credible tritium release, (b) tokamak in-vesse... | Analysis |
| VER-082 | SIL 3 | Verify SUB-REQ-078: On the Tritium Plant confinement test facility, simulate DBA tritium release by injecting a tracer gas at maximum credible leak ra... | Test |
| VER-083 | SIL 3 | Verify SUB-REQ-079: Perform Design Basis Accident thermal analysis for loss-of-cooling to the Tokamak Core Assembly using the validated STEP thermal-h... | Analysis |
| VER-084 | SIL 3 | Verify SUB-REQ-083: During Tritium Plant integrated commissioning at partial throughput, disable one active isotope separation module and measure trit... | Test |
| VER-085 | SIL 2 | Verify SUB-REQ-084: Perform passive quench energy absorption analysis using the validated SMS electromagnetic and thermal model. Simulate single activ... | Analysis |
| VER-088 | SIL 2 | Verify SUB-REQ-081: Following each plasma vessel maintenance intervention (seal replacement or penetration work), perform residual gas analysis measur... | Test |
| VER-REQ-010 | SIL 3 | Verify SUB-REQ-001: Run the PCS control loop on the production hardware with all 40+ diagnostic channels active at 1 kHz injection rate. Instrument th... | Test |
| VER-REQ-011 | SIL 3 | Verify SUB-REQ-002: Replay the full ITER/JET/MAST disruption database (at least 5000 disruptive events) through the PCS detection algorithm on hardwar... | Test |
| VER-REQ-012 | SIL 3 | Verify SUB-REQ-005: In integrated commissioning, inject simulated controller fault signals (watchdog timeout, data loss, hardware alarm) while plasma ... | Test |
| VER-REQ-013 | SIL 3 | Verify end-to-end plasma control: from disruption precursor signal injection at the Diagnostic Data Acquisition Front-End through the Real-Time Plasma... | Test |
| VER-REQ-032 | SIL 3 | Verify IFC-REQ-017: With RHS deployed in port, assert PCS plasma-active interlock signal. Confirm RHS receives hardwired lockout and logs the event. P... | Test |
| VER-REQ-036 | SIL 3 | Verify SUB-REQ-015: After full assembly, conduct helium leak test of vacuum vessel at 1e-8 Pa m3/s sensitivity. Additionally, perform hydrostatic over... | Test |
| VER-REQ-038 | SIL 3 | Verify SUB-REQ-017: Run ANSYS electromagnetic analysis of worst-case disruption halo current (10 MA/m) on as-built TCA in-vessel structure FEM model. ... | Test |
| VER-REQ-039 | SIL 3 | Verify SUB-REQ-018: Test PEPS on a full-scale prototype or equivalent test facility by injecting a calibrated DT+He mixture at 200 Pa m3/s. Measure se... | Test |
| VER-REQ-040 | SIL 3 | Verify SUB-REQ-022: Inject a calibrated tritium tracer into the Atmosphere Detritiation System test facility atmosphere at 1e-5 Ci/m3. Confirm monitor... | Test |
| VER-REQ-041 | SIL 3 | Verify IFC-REQ-021: During integrated commissioning, flow a simulated exhaust stream from PEPS to the ISS feed manifold. Sample the transfer line outl... | Test |
| VER-REQ-042 | SIL 3 | Verify IFC-REQ-022: During fuel cycle commissioning, command an ISS batch product transfer to TSDS. Measure transfer latency from command to product r... | Test |
| VER-REQ-043 | SIL 3 | Verify Tritium Plant end-to-end fuel cycle: During integrated commissioning at partial DT throughput (10% of full power equivalent), demonstrate conti... | Demonstration |
| VER-REQ-044 | SIL 2 | Verify SUB-REQ-023: On a full-scale SMS test facility, inject a calibrated resistive heater into one coil segment simulating quench onset. Measure det... | Test |
| VER-REQ-046 | SIL 2 | Verify SUB-REQ-027: Inject a simulated quench interlock signal and measure the time between signal injection and full opening of all coil current loop... | Test |
| VER-REQ-054 | SIL 2 | Verify SUB-REQ-035: Inject a simulated PLC watchdog timeout fault in the production CCS hardware. Measure elapsed time from fault injection to: helium... | Test |
| VER-REQ-058 | SIL 1 | Verify IFC-REQ-031: Test IVIMM-to-control-suite command interface latency using EtherCAT protocol analyser. Apply sinusoidal position command at 125 H... | Test |
| VER-REQ-059 | SIL 1 | Verify IFC-REQ-032: Test cask-to-port docking interface on full-scale mockup using mass spectrometer helium leak test per ISO 20485. Leak rate pass cr... | Test |
| VER-REQ-060 | SIL 1 | Verify IFC-REQ-033: Test in-vessel viewing system video delivery to control suite using network packet capture and hardware timestamp analysis. Measur... | Test |
| VER-REQ-061 | SIL 1 | Verify IFC-REQ-034: Hydrostatically pressure-test each steam generator tube bundle at 1.5× design pressure (22.5 MPa) for 30 minutes per ASME Boiler a... | Test |
| VER-REQ-063 | SIL 1 | Verify IFC-REQ-036: Test disruption notification interface by injecting test signal at PCS signal source and measuring time to turbine runback initiat... | Test |
| VER-REQ-064 | SIL 1 | Verify SUB-REQ-036: Position IVIMM end-effector to 50 calibrated target positions distributed across the vessel workspace using laser tracker referenc... | Test |
| VER-REQ-065 | SIL 1 | Verify SUB-REQ-041: During first full-power plasma commissioning run at Q≥5, measure net electrical power at 400 kV metering point (National Measureme... | Demonstration |
| VER-REQ-066 | SIL 1 | Verify end-to-end Remote Handling System integration: conduct full blanket module exchange trial on vessel mockup at 1:1 scale, starting from operator... | Demonstration |
| VER-REQ-067 | SIL 1 | Verify end-to-end Power Conversion System integration: during first plasma commissioning at Q≥5, measure complete energy chain from steam generator pr... | Demonstration |
| VER-REQ-083 | SIL 3 | Verify IFC-REQ-023: During tritium plant commissioning, flow a representative tritium-in-helium mixture (0.1-1% T/He by volume) through the BTES-ISS t... | Test |
| VER-REQ-084 | SIL 3 | Verify SUB-REQ-049: On the completed ISS installation, measure steady-state power consumption using calibrated three-phase power analyser at rated cry... | Test |
| VER-REQ-085 | SIL 3 | Verify SUB-REQ-050: Assert the Plant Protection System emergency isolation command to the ISS via the hardwired interface. Measure time from command a... | Test |
| VER-REQ-086 | SIL 1 | Verify SUB-REQ-051: Inspect the as-built turbine hall structure with a certified structural engineer. Confirm floor load rating certificate covers at ... | Inspection |
| VER-REQ-087 | SIL 3 | Verify SUB-REQ-052: Conduct structural inspection of the as-built Tritium Plant confinement building. Confirm nuclear-grade seismic qualification cert... | Inspection |
| VER-REQ-088 | SIL 2 | Verify SUB-REQ-053: Inspect the as-built Cryogenic Plant building. Measure insulated floor area using laser measurement system and confirm at least 80... | Inspection |
| VER-REQ-089 | SIL 2 | Verify SUB-REQ-054: During vacuum system pre-commissioning, confirm by physical count and inspection that 12 turbomolecular pump assemblies are instal... | Inspection |
| VER-REQ-090 | SIL 3 | Verify SYS-REQ-004: On the STEP Disruption Mitigation Test Bench, configure shattered pellet injection (SPI) system with representative pellet composi... | Test |
| VER-REQ-091 | SIL 3 | Verify SYS-REQ-005: Perform integrated tritium containment integrity test across all Tritium Plant and in-vessel boundary segments. (1) Pressure-cycle... | Test |
| VER-REQ-092 | SIL 2 | Verify SYS-REQ-006: On the STEP SMS full-scale quench protection test facility (or type-tested coil set representative of production magnets), inject ... | Test |
| VER-REQ-093 | SIL 2 | Verify SYS-REQ-007: On the integrated passive decay heat removal test rig (full-scale replica of in-vessel cooling circuit with electrically-heated fi... | Test |
| VER-REQ-094 | SIL 3 | Verify SYS-REQ-011: On the integrated Plant Protection System test bench, inject a simulated accelerometer signal exceeding 0.1g OBE threshold on all ... | Test |
| VER-REQ-095 | SIL 1 | Verify SYS-REQ-012: On the as-built STEP facility at full-power plasma operation (minimum Q=5, ≥ 500 MWth fusion power), measure neutron and gamma dos... | Test |

Goal Structuring Notation per GSN Community Standard v3. Top goal decomposes into hazard mitigation sub-goals, each supported by SIL-allocated requirements and verification evidence.

```mermaid
flowchart TD
    G0["<b>G0: Top Goal</b><br/>STEP Fusion Power Plant is acceptably safe"]
    S0{"<b>S0: Strategy</b><br/>Argument by hazard<br/>mitigation per IEC 61508"}
    G0 --> S0
    G1["<b>G1: H-001</b><br/>Plasma disruption — uncontrolled MHD instability dumps up to...<br/>SIL 3"]
    S0 --> G1
    Sn0_0(["<b>SUB-REQ-002</b>"])
    G1 --> Sn0_0
    G2["<b>G2: H-002</b><br/>Tritium release to environment — uncontrolled release of tri...<br/>SIL 3"]
    S0 --> G2
    Sn1_0(["<b>VER-REQ-087</b>"])
    G2 --> Sn1_0
    G3["<b>G3: H-003</b><br/>Superconducting magnet quench — loss of superconductivity in...<br/>SIL 2"]
    S0 --> G3
    G4["<b>G4: H-004</b><br/>Loss of coolant accident — rupture in cooling circuit, coola...<br/>SIL 2"]
    S0 --> G4
    Sn3_0(["<b>SYS-REQ-007</b>"])
    G4 --> Sn3_0
    G5["<b>G5: H-005</b><br/>Loss of vacuum — air ingress, exothermic beryllium-air react...<br/>SIL 2"]
    S0 --> G5
    G6["<b>G6: H-006</b><br/>Runaway electron beam — relativistic electrons >10 MeV from ...<br/>SIL 3"]
    S0 --> G6
    Sn5_0(["<b>SUB-REQ-006</b>"])
    G6 --> Sn5_0
    G7["<b>G7: H-007</b><br/>Activated dust explosion — beryllium/tungsten dust dispersed...<br/>SIL 2"]
    S0 --> G7
    G8["<b>G8: H-008</b><br/>Loss of cryogenic cooling — helium refrigeration failure cau...<br/>SIL 2"]
    S0 --> G8
    G9["<b>G9: H-009</b><br/>Seismic event — earthquake causing vessel/magnet displacemen...<br/>SIL 3"]
    S0 --> G9
    G10["<b>G10: H-010</b><br/>Neutron streaming — 14.1 MeV neutrons through penetrations e...<br/>SIL 1"]
    S0 --> G10
```

Machine-readable safety case structure. Import into GSN tools (Astah GSN, ASCE, NOR-STA).

```yaml
# GSN Safety Case — STEP Fusion Power Plant
# Generated 2026-03-27
# Goal Structuring Notation (GSN) per GSN Community Standard v3
goals:
  G0:
    text: "STEP Fusion Power Plant is acceptably safe"
    type: top-goal
    supported_by: [S0]
strategies:
  S0:
    text: "Argument by hazard mitigation per IEC 61508"
    supported_by: [G1, G2, G3, G4, G5, G6, G7, G8, G9, G10]
  G1:
    text: "H-001: Plasma disruption — uncontrolled MHD instability dumps up to 1 GJ thermal energy onto first wall in <1ms, EM forces up to hundreds of MN"
    sil: 3
    safe_state: "plasma terminated via massive gas injection, vessel integrity confirmed"
    supported_by: [SUB-REQ-002]
    evidence: [VER-REQ-011, VER-REQ-011, VER-REQ-011]
  G2:
    text: "H-002: Tritium release to environment — uncontrolled release of tritium (1-3 kg inventory) through double-barrier failure"
    sil: 3
    safe_state: "building ventilation isolated, detritiation system activated"
    supported_by: [VER-REQ-087]
    evidence: []
  G3:
    text: "H-003: Superconducting magnet quench — loss of superconductivity in coils storing ~50 GJ, rapid helium boil-off"
    sil: 2
    safe_state: "controlled fast discharge to dump resistors, cryogen vented via relief valves"
    supported_by: []
    evidence: []
  G4:
    text: "H-004: Loss of coolant accident — rupture in cooling circuit, coolant ingress to vessel or loss of decay heat removal"
    sil: 2
    safe_state: "plasma terminated, isolation valves closed, passive decay heat removal"
    supported_by: [SYS-REQ-007]
    evidence: [VER-REQ-093, VER-REQ-093]
  G5:
    text: "H-005: Loss of vacuum — air ingress, exothermic beryllium-air reaction producing toxic/radioactive aerosol"
    sil: 2
    safe_state: "plasma terminated, vessel isolation valves closed, containment filtered"
    supported_by: []
    evidence: []
  G6:
    text: "H-006: Runaway electron beam — relativistic electrons >10 MeV from disruption current quench, localised first wall perforation"
    sil: 3
    safe_state: "beam dispersal via massive material injection"
    supported_by: [SUB-REQ-006]
    evidence: [REQ-SESTEPFUSIONPOWERPLANT-021, REQ-SESTEPFUSIONPOWERPLANT-021, REQ-SESTEPFUSIONPOWERPLANT-021]
  G7:
    text: "H-007: Activated dust explosion — beryllium/tungsten dust dispersed by air ingress exceeds explosive limit"
    sil: 2
    safe_state: "inert gas flood, air ingress sealed, dust inventory below threshold"
    supported_by: []
    evidence: []
  G8:
    text: "H-008: Loss of cryogenic cooling — helium refrigeration failure causing whole-system magnet quench, asphyxiation risk"
    sil: 2
    safe_state: "controlled magnet discharge, building ventilation maximum, evacuation"
    supported_by: []
    evidence: []
  G9:
    text: "H-009: Seismic event — earthquake causing vessel/magnet displacement, simultaneous LOCA and quench"
    sil: 3
    safe_state: "seismic trip, fast plasma shutdown, passive cooling"
    supported_by: []
    evidence: []
  G10:
    text: "H-010: Neutron streaming — 14.1 MeV neutrons through penetrations exceed shielding, worker dose above limits"
    sil: 1
    safe_state: "radiation interlocks, power reduced until shielding verified"
    supported_by: []
    evidence: []
solutions:
  IFC-REQ-021:
    text: "The interface between the Tritium Plant Plasma Exhaust Processing System and the Isotope Separation System SHALL transfe"
    verification: Test
    sil: 3
  IFC-REQ-022:
    text: "The interface between the Tritium Plant Isotope Separation System and the Tritium Storage and Delivery System SHALL tran"
    verification: Test
    sil: 3
  IFC-REQ-023:
    text: "The interface between the Tritium Plant Blanket Tritium Extraction System and the Isotope Separation System SHALL transf"
    verification: Test
    sil: 2
  IFC-REQ-024:
    text: "The interface between the Superconducting Magnet System Quench Detection and Protection System and the Magnet Power Supp"
    verification: Test
    sil: 2
  IFC-REQ-031:
    text: "The interface between the In-Vessel Inspection and Maintenance Manipulator and the Remote Handling Control Suite SHALL u"
    verification: Test
    sil: 1
  IFC-REQ-033:
    text: "The interface between the In-Vessel Viewing and Monitoring System and the Remote Handling Control Suite SHALL deliver st"
    verification: Test
    sil: 1
  IFC-REQ-034:
    text: "The interface between the Steam Generator and Heat Transfer System primary side and secondary side SHALL maintain tube-t"
    verification: Test
    sil: 1
  IFC-REQ-036:
    text: "The interface between the Power Conversion System and the Plasma Control System SHALL receive plasma disruption notifica"
    verification: Test
    sil: 1
  SUB-REQ-001:
    text: "The Plasma Control System SHALL execute the plasma position and shape control algorithm with a cycle time of 1 ms or les"
    verification: Test
    sil: 3
  SUB-REQ-002:
    text: "The Plasma Control System SHALL detect plasma disruption precursors (locked mode amplitude exceeding 5 mT, beta collapse"
    verification: Test
    sil: 3
  SUB-REQ-003:
    text: "The Plasma Control System SHALL implement dual-redundant Real-Time Plasma Controllers executing identical algorithms in "
    verification: Test
    sil: 3
  SUB-REQ-004:
    text: "The Plasma Control System Diagnostic Data Acquisition Front-End SHALL sample all 40 or more plasma diagnostic channels a"
    verification: Test
    sil: 3
  SUB-REQ-005:
    text: "When the Plasma Control System detects an internal fault (controller failure, loss of diagnostic data, or watchdog timeo"
    verification: Test
    sil: 3
  SUB-REQ-006:
    text: "When a disruption current quench is detected, the Plasma Control System Disruption Prediction and Mitigation Unit SHALL "
    verification: Test
    sil: 3
  SUB-REQ-015:
    text: "The Tokamak Core Assembly Vacuum Vessel and In-Vessel Structures SHALL maintain plasma vessel leak rate below 1e-7 Pa m3"
    verification: Test
    sil: 3
  SUB-REQ-016:
    text: "The Tokamak Core Assembly First Wall and Blanket Module SHALL achieve tritium breeding ratio (TBR) contribution of 1.1 o"
    verification: Test
    sil: 2
  SUB-REQ-017:
    text: "When a plasma disruption current quench is detected, the Tokamak Core Assembly SHALL withstand electromagnetic halo curr"
    verification: Test
    sil: 3
  SUB-REQ-018:
    text: "The Tritium Plant Plasma Exhaust Processing System SHALL process unburnt DT exhaust gas at a throughput of up to 200 Pa·"
    verification: Test
    sil: 3
  SUB-REQ-019:
    text: "The Tritium Plant Isotope Separation System SHALL produce DT fuel at a deuterium-tritium purity of greater than 99.9 mol"
    verification: Test
    sil: 3
  SUB-REQ-020:
    text: "The Tritium Plant Tritium Storage and Delivery System SHALL store tritium inventory in double-contained metal hydride be"
    verification: Test
    sil: 3
  SUB-REQ-021:
    text: "The Tritium Plant Blanket Tritium Extraction System SHALL extract bred tritium from the lithium-ceramic blanket breeding"
    verification: Test
    sil: 2
  SUB-REQ-022:
    text: "When the Tritium Plant atmospheric tritium monitor detects a concentration exceeding 1e-5 Ci/m3 (1 MBq/m3), the Tritium "
    verification: Test
    sil: 3
  SUB-REQ-023:
    text: "The Superconducting Magnet System Quench Detection and Protection System SHALL detect a resistive voltage signature grea"
    verification: Test
    sil: 2
  SUB-REQ-024:
    text: "The Superconducting Magnet System Central Solenoid SHALL provide a total flux swing of at least 100 V·s over a plasma pu"
    verification: Test
    sil: 2
  SUB-REQ-025:
    text: "The Superconducting Magnet System TF Coil Set SHALL maintain a toroidal magnetic field of 3.2 T on plasma axis with a fi"
    verification: Test
    sil: 2
  SUB-REQ-026:
    text: "The Superconducting Magnet System Magnet Power Supply System SHALL energise the TF Coil Set to full field in less than 2"
    verification: Test
    sil: 2
  SUB-REQ-027:
    text: "When a quench interlock signal is received, the Superconducting Magnet System Magnet Power Supply System SHALL open all "
    verification: Test
    sil: 2
  SUB-REQ-028:
    text: "The Superconducting Magnet System TF Coil Set SHALL maintain superconducting operation at a winding-pack temperature of "
    verification: Test
    sil: 2
  SUB-REQ-031:
    text: "The Cryogenic Plant Helium Refrigeration System SHALL provide minimum refrigeration capacity of 8 kW at 4.5 K per cold b"
    verification: Test
    sil: 2
  SUB-REQ-032:
    text: "The Cryogenic Plant Helium Management System SHALL capture and recover not less than 95% of the helium gas released duri"
    verification: Test
    sil: 2
  SUB-REQ-033:
    text: "The Cryogenic Plant Cryogenic Transfer Line Network SHALL maintain total static heat ingress to the 4.5 K helium circuit"
    verification: Test
    sil: 2
  SUB-REQ-034:
    text: "The Cryogenic Plant Cryogenic Control System SHALL automatically execute the magnet cool-down sequence from 300 K to 4.5"
    verification: Test
    sil: 2
  SUB-REQ-035:
    text: "When the Cryogenic Control System detects an internal fault (controller failure, loss of communication to >50% of sensor"
    verification: Test
    sil: 2
  SUB-REQ-036:
    text: "The Remote Handling System SHALL position the In-Vessel Inspection and Maintenance Manipulator end-effector to within ±1"
    verification: Test
    sil: 1
  SUB-REQ-037:
    text: "The Remote Handling System SHALL complete a full blanket module exchange cycle (remove all 18 blanket modules, install r"
    verification: Demonstration
    sil: 1
  SUB-REQ-038:
    text: "The Remote Handling System SHALL maintain full functionality after cumulative absorbed dose of 1×10^6 Gy (gamma + neutro"
    verification: Test
    sil: 1
  SUB-REQ-039:
    text: "The Remote Handling Transfer Cask SHALL provide biological shielding such that dose rate at the cask outer surface does "
    verification: Test
    sil: 1
  SUB-REQ-040:
    text: "When any Remote Handling System equipment fault is detected (loss of position feedback, motor overcurrent, cable tension"
    verification: Test
    sil: 1
  SUB-REQ-043:
    text: "The Power Conversion System SHALL deliver electricity at 400 kV ± 5%, 50 Hz ± 0.5 Hz, with harmonic distortion < 3% THD,"
    verification: Test
    sil: 1
  SUB-REQ-045:
    text: "When a plasma disruption is signalled by the Plasma Control System, the Power Conversion System SHALL execute a controll"
    verification: Demonstration
    sil: 1
  SUB-REQ-073:
    text: "The Remote Handling System SHALL implement a dual-path control architecture with independent main and backup control roo"
    verification: Test
    sil: 1
  SUB-REQ-074:
    text: "The Superconducting Magnet System Magnet Power Supply System SHALL implement N+1 redundancy for all AC/DC converter modu"
    verification: Test
    sil: 2
  SUB-REQ-075:
    text: "The Vacuum System SHALL implement N+1 redundancy for all primary and backing pump trains on the torus and neutral beam i"
    verification: Test
    sil: 2
  SUB-REQ-076:
    text: "The Vacuum System SHALL qualify all torus vacuum vessel seals and penetration flanges to a leak rate of less than 1e-9 P"
    verification: Test
    sil: 2
  SUB-REQ-078:
    text: "When a Design Basis Accident is declared, the Tritium Plant SHALL automatically isolate all tritium process and storage "
    verification: Test
    sil: 3
  SUB-REQ-079:
    text: "The Tokamak Core Assembly SHALL define and implement Design Basis Accident response for in-vessel component failure and "
    verification: Analysis
    sil: 3
  SUB-REQ-080:
    text: "The Tritium Plant SHALL operate all tritium handling and storage activities under an approved Radiological Risk Assessme"
    verification: Inspection
    sil: 3
  SUB-REQ-081:
    text: "The Vacuum System SHALL maintain plasma vessel seal integrity during all operational modes — including steady-state plas"
    verification: Test
    sil: 2
  SUB-REQ-083:
    text: "The Tritium Plant SHALL implement N+1 process module redundancy for all active tritium processing stages — isotope separ"
    verification: Test
    sil: 3
  SUB-REQ-084:
    text: "The Superconducting Magnet System SHALL implement a passive quench energy absorption architecture such that failure of a"
    verification: Analysis
    sil: 2
  SYS-REQ-007:
    text: "The STEP Fusion Power Plant SHALL remove decay heat from in-vessel components passively (without active pumping) for at "
    verification: Test
    sil: 2
  SYS-REQ-011:
    text: "When ground acceleration exceeds 0.1g (OBE threshold), the STEP Fusion Power Plant SHALL initiate plasma shutdown within"
    verification: Test
    sil: 3
  SYS-REQ-012:
    text: "The STEP Fusion Power Plant SHALL limit neutron streaming through all penetrations such that dose rates in occupied area"
```
verification: Test
sil: 1
SYS-REQ-018:
text: "The STEP Fusion Power Plant SHALL define a Design Basis Accident set encompassing at least: (a) maximum credible tritium"
verification: Analysis
sil: 3
VER-082:
text: "Verify SUB-REQ-078: On the Tritium Plant confinement test facility, simulate DBA tritium release by injecting a tracer g"
verification: Test
sil: 3
VER-083:
text: "Verify SUB-REQ-079: Perform Design Basis Accident thermal analysis for loss-of-cooling to the Tokamak Core Assembly usin"
verification: Analysis
sil: 3
VER-084:
text: "Verify SUB-REQ-083: During Tritium Plant integrated commissioning at partial throughput, disable one active isotope sepa"
verification: Test
sil: 3
VER-085:
text: "Verify SUB-REQ-084: Perform passive quench energy absorption analysis using the validated SMS electromagnetic and therma"
verification: Analysis
sil: 2
VER-088:
text: "Verify SUB-REQ-081: Following each plasma vessel maintenance intervention (seal replacement or penetration work), perfor"
verification: Test
sil: 2
VER-REQ-010:
text: "Verify SUB-REQ-001: Run the PCS control loop on the production hardware with all 40+ diagnostic channels active at 1 kHz"
verification: Test
sil: 3
VER-REQ-011:
text: "Verify SUB-REQ-002: Replay the full ITER/JET/MAST disruption database (at least 5000 disruptive events) through the PCS "
verification: Test
sil: 3
VER-REQ-012:
text: "Verify SUB-REQ-005: In integrated commissioning, inject simulated controller fault signals (watchdog timeout, data loss,"
verification: Test
sil: 3
VER-REQ-013:
text: "Verify end-to-end plasma control: from disruption precursor signal injection at the Diagnostic Data Acquisition Front-En"
verification: Test
sil: 3
VER-REQ-032:
text: "Verify IFC-REQ-017: With RHS deployed in port, assert PCS plasma-active interlock signal. Confirm RHS receives hardwired"
verification: Test
sil: 3
VER-REQ-036:
text: "Verify SUB-REQ-015: After full assembly, conduct helium leak test of vacuum vessel at 1e-8 Pa m3/s sensitivity. Addition"
verification: Test
sil: 3
VER-REQ-038:
text: "Verify SUB-REQ-017: Run ANSYS electromagnetic analysis of worst-case disruption halo current (10 MA/m) on as-built TCA i"
verification: Test
sil: 3
VER-REQ-039:
text: "Verify SUB-REQ-018: Test PEPS on a full-scale prototype or equivalent test facility by injecting a calibrated DT+He mixt"
verification: Test
sil: 3
VER-REQ-040:
text: "Verify SUB-REQ-022: Inject a calibrated tritium tracer into the Atmosphere Detritiation System test facility atmosphere "
verification: Test
sil: 3
VER-REQ-041:
text: "Verify IFC-REQ-021: During integrated commissioning, flow a simulated exhaust stream from PEPS to the ISS feed manifold."
verification: Test
sil: 3
VER-REQ-042:
text: "Verify IFC-REQ-022: During fuel cycle commissioning, command an ISS batch product transfer to TSDS. Measure transfer lat"
verification: Test
sil: 3
VER-REQ-043:
text: "Verify Tritium Plant end-to-end fuel cycle: During integrated commissioning at partial DT throughput (10% of full power "
verification: Demonstration
sil: 3
VER-REQ-044:
text: "Verify SUB-REQ-023: On a full-scale SMS test facility, inject a calibrated resistive heater into one coil segment simula"
verification: Test
sil: 2
VER-REQ-046:
text: "Verify SUB-REQ-027: Inject a simulated quench interlock signal and measure the time between signal injection and full op"
verification: Test
sil: 2
VER-REQ-054:
text: "Verify SUB-REQ-035: Inject a simulated PLC watchdog timeout fault in the production CCS hardware. Measure elapsed time f"
verification: Test
sil: 2
VER-REQ-058:
text: "Verify IFC-REQ-031: Test IVIMM-to-control-suite command interface latency using EtherCAT protocol analyser. Apply sinuso"
verification: Test
sil: 1
VER-REQ-059:
text: "Verify IFC-REQ-032: Test cask-to-port docking interface on full-scale mockup using mass spectrometer helium leak test pe"
verification: Test
sil: 1
VER-REQ-060:
text: "Verify IFC-REQ-033: Test in-vessel viewing system video delivery to control suite using network packet capture and hardw"
verification: Test
sil: 1
VER-REQ-061:
text: "Verify IFC-REQ-034: Hydrostatically pressure-test each steam generator tube bundle at 1.5× design pressure (22.5 MPa) fo"
verification: Test
sil: 1
VER-REQ-063:
text: "Verify IFC-REQ-036: Test disruption notification interface by injecting test signal at PCS signal source and measuring t"
verification: Test
sil: 1
VER-REQ-064:
text: "Verify SUB-REQ-036: Position IVIMM end-effector to 50 calibrated target positions distributed across the vessel workspac"
verification: Test
sil: 1
VER-REQ-065:
text: "Verify SUB-REQ-041: During first full-power plasma commissioning run at Q≥5, measure net electrical power at 400 kV mete"
verification: Demonstration
sil: 1
VER-REQ-066:
text: "Verify end-to-end Remote Handling System integration: conduct full blanket module exchange trial on vessel mockup at 1:1"
verification: Demonstration
sil: 1
VER-REQ-067:
text: "Verify end-to-end Power Conversion System integration: during first plasma commissioning at Q≥5, measure complete energy"
verification: Demonstration
sil: 1
VER-REQ-083:
text: "Verify IFC-REQ-023: During tritium plant commissioning, flow a representative tritium-in-helium mixture (0.1-1% T/He by "
verification: Test
sil: 3
VER-REQ-084:
text: "Verify SUB-REQ-049: On the completed ISS installation, measure steady-state power consumption using calibrated three-pha"
verification: Test
sil: 3
VER-REQ-085:
text: "Verify SUB-REQ-050: Assert the Plant Protection System emergency isolation command to the ISS via the hardwired interfac"
verification: Test
sil: 3
VER-REQ-086:
text: "Verify SUB-REQ-051: Inspect the as-built turbine hall structure with a certified structural engineer. Confirm floor load"
verification: Inspection
sil: 1
VER-REQ-087:
text: "Verify SUB-REQ-052: Conduct structural inspection of the as-built Tritium Plant confinement building. Confirm nuclear-gr"
verification: Inspection
sil: 3
VER-REQ-088:
text: "Verify SUB-REQ-053: Inspect the as-built Cryogenic Plant building. Measure insulated floor area using laser measurement "
verification: Inspection
sil: 2
VER-REQ-089:
text: "Verify SUB-REQ-054: During vacuum system pre-commissioning, confirm by physical count and inspection that 12 turbomolecu"
verification: Inspection
sil: 2
VER-REQ-090:
text: "Verify SYS-REQ-004: On the STEP Disruption Mitigation Test Bench, configure shattered pellet injection (SPI) system with"
verification: Test
sil: 3
VER-REQ-091:
text: "Verify SYS-REQ-005: Perform integrated tritium containment integrity test across all Tritium Plant and in-vessel boundar"
verification: Test
sil: 3
VER-REQ-092:
text: "Verify SYS-REQ-006: On the STEP SMS full-scale quench protection test facility (or type-tested coil set representative o"
verification: Test
sil: 2
VER-REQ-093:
text: "Verify SYS-REQ-007: On the integrated passive decay heat removal test rig (full-scale replica of in-vessel cooling circu"
verification: Test
sil: 2
VER-REQ-094:
text: "Verify SYS-REQ-011: On the integrated Plant Protection System test bench, inject a simulated accelerometer signal exceed"
verification: Test
sil: 3
VER-REQ-095:
text: "Verify SYS-REQ-012: On the as-built STEP facility at full-power plasma operation (minimum Q=5, ≥ 500 MWth fusion power),"
verification: Test
sil: 1