System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.
| Standard | Title |
|---|---|
| IEC 60068 | — |
| IEC 60068-2-27 | — |
| IEC 60529 | — |
| IEC 60664 | — |
| IEC 60695-11-10 | — |
| IEC 60812 | — |
| IEC 60980 | — |
| IEC 61000-4-3 | Electromagnetic compatibility — Radiated, radio-frequency, electromagnetic field immunity test |
| IEC 61000-4-8 | — |
| IEC 61346 | — |
| IEC 61360 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-2 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-3 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61511 | Functional safety — Safety instrumented systems for the process industry sector |
| IEC 61513 | Nuclear power plants — Instrumentation and control important to safety |
| IEC 61784-3 | — |
| IEC 61850 | — |
| IEC 62138 | — |
| IEC 62262 | — |
| IEC 62443 | Industrial communication networks — Network and system security |
| IEC 62443-3-3 | System security requirements and security levels |
| IEC 62645 | — |
| IEEE 1023 | — |
| IEEE 1588 | Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems |
| IEEE 344 | — |
| ISO 17873 | — |
| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| CCCS | Completeness, Consistency, Correctness, Stability |
| EARS | Easy Approach to Requirements Syntax |
| FL | Formal Equipment List |
| IFC | Interface Requirements |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |
| Stakeholder | Relationship | Hex Code |
|---|---|---|
| Fusion Plant Operator | day-to-day control, mode authorisation, emergency response | 002D7AF9 |
| Nuclear Regulatory Authority | licensing, inspection, safety case approval | 008578FD |
| I&C Maintenance Engineer | calibration, surveillance testing, spare management | 00851278 |
| Fusion Physics Research Team | experiment design, plasma scenario optimisation | 00857AB9 |
| System | Interface | Hex Code |
|---|---|---|
| Superconducting Magnet System | dual-redundant serial command, 68 kA setpoints, 4K cryogenic status | 56D57018 |
| Site Protection System | hardwired normally-energised interlock, 50 ms SCRAM actuation | 51F77859 |
flowchart TB n0["system<br>Fusion Reactor Control System"] n1["subsystem<br>Plasma Control System"] n2["subsystem<br>Disruption Prediction and Mitigation System"] n3["subsystem<br>Heating and Current Drive Control"] n4["subsystem<br>Magnet Safety and Protection System"] n5["subsystem<br>Fuel Injection and Burn Control"] n6["subsystem<br>Plasma Diagnostics Integration System"] n7["subsystem<br>Plant Control and I&C System"] n8["subsystem<br>Interlock and Emergency Shutdown System"] n0 -->|contains| n1 n0 -->|contains| n2 n0 -->|contains| n3 n0 -->|contains| n4 n0 -->|contains| n5 n0 -->|contains| n6 n0 -->|contains| n7 n0 -->|contains| n8
Fusion Reactor Control System — Decomposition
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The Fusion Reactor Control System SHALL present consolidated plasma state information on a unified operator interface displaying current, position, beta, and disruption risk with a maximum refresh latency of 200 ms. Rationale: Fusion Plant Operator: operators managing a 500 MW plasma must track multiple coupled parameters simultaneously. A 200 ms display refresh is the human-factors limit for transient detection identified in IEA/NEA operator studies; slower refresh causes operators to miss fast-evolving instabilities before automatic systems engage. | Test | stakeholder, stk-operator, session-386, idempotency:stk-operator-display-latency-386 |
| STK-REQ-002 | The Fusion Reactor Control System SHALL execute operator-commanded plasma termination sequences, including controlled ramp-down from full-power burn to zero plasma current, within 300 seconds without inducing a disruption. Rationale: Fusion Plant Operator: operators must be able to safely terminate a plasma experiment on demand without triggering an unmitigated disruption, which would deposit >100 MJ on the first wall and potentially delay subsequent pulses by weeks. 300 s is set by the minimum ramp rate of the central solenoid current. | Test | stakeholder, stk-operator, session-386, idempotency:stk-operator-controlled-shutdown-386 |
| STK-REQ-003 | The Fusion Reactor Control System SHALL maintain a complete, tamper-evident audit log of all safety-system state transitions, interlock actuations, and operator commands with timestamps accurate to 1 ms, retained for a minimum of 10 years. Rationale: Nuclear Regulatory Authority: regulators require demonstrable traceability for all safety-relevant events per nuclear installation licensing conditions. 1 ms timestamp accuracy supports post-event reconstruction for safety analysis. 10-year retention matches the typical operating licence period. | Inspection | stakeholder, stk-regulator, session-386, idempotency:stk-regulator-audit-log-386 |
| STK-REQ-004 | The Fusion Reactor Control System SHALL maintain tritium boundary integrity and ensure that airborne tritium concentration in controlled areas does not exceed 10 μSv/h dose equivalent, with automated area evacuation alarm at 1 μSv/h. Rationale: Nuclear Regulatory Authority: tritium release limits are defined in the facility radiological protection programme and environmental authorisation. 10 μSv/h is the controlled area occupational limit; 1 μSv/h alarm threshold provides a 10× margin for evacuation before personnel dose becomes significant. Failure to meet this would trigger revocation of site operating authorisation. | Test | stakeholder, stk-regulator, session-386, idempotency:stk-regulator-tritium-limit-386 |
| STK-REQ-005 | The Fusion Reactor Control System SHALL support online replacement and testing of redundant I&C channels without interrupting plasma operations, with a maximum mean time to restore any single-channel failure of 4 hours. Rationale: I&C Maintenance Engineer: online maintenance capability is mandatory for a system with a target availability of 90% over a 40-year plant life. 4-hour MTTR is derived from maintenance access schedules in high-radiation environments, where decontamination and remote handling add 2–3× overhead versus normal maintenance. | Test | stakeholder, stk-maintenance, session-386, idempotency:stk-maintenance-online-replace-386 |
| STK-REQ-006 | The Fusion Reactor Control System SHALL provide self-diagnostic coverage of at least 90% of I&C channel faults, with detected faults reported to the maintenance management system within 10 seconds. Rationale: I&C Maintenance Engineer: self-diagnostic coverage is the primary reliability driver for safety-classified I&C systems per IEC 61508. 90% diagnostic coverage (DC) is required to achieve SIL-3 claim for hardware fault tolerance. 10 s reporting ensures maintenance team can respond before a second fault occurs in a redundant channel. | Test | stakeholder, stk-maintenance, session-386, idempotency:stk-maintenance-diagnostics-386 |
| STK-REQ-007 | The Fusion Reactor Control System SHALL log full plasma state vectors at 1 kHz with synchronised diagnostic data from all 300+ instruments, accessible for post-pulse analysis within 60 seconds of plasma termination. Rationale: Fusion Physics Research Team: 1 kHz state vector archiving is required to resolve MHD instability dynamics (tearing modes, ELMs) with characteristic timescales of 1–10 ms. 60 s post-pulse availability supports rapid experiment iteration; delays beyond this compress the physics analysis window between pulses in a high-repetition programme. | Test | stakeholder, stk-research, session-386, idempotency:stk-research-data-archive-386 |
| STK-REQ-008 | The Fusion Reactor Control System SHALL allow physics team to upload and validate new plasma control scenario parameters (current waveforms, density targets, heating power schedules) before each pulse without requiring a plant outage. Rationale: Fusion Physics Research Team: experiment programme flexibility is the primary science driver. Requiring an outage for scenario updates would reduce pulse rate from target 10 pulses/day to < 2 pulses/day, making the scientific programme commercially unviable. Parameter validation must include physics limit checking to prevent unsafe scenarios. | Test | stakeholder, stk-research, session-386, idempotency:stk-research-scenario-upload-386 |
| STK-REQ-009 | The Fusion Reactor Control System SHALL maintain all safety functions under seismic loading of up to 0.2g peak ground acceleration (IEC 60980 Category 1 Safe Shutdown Earthquake) without spurious actuation or loss of safety function. Rationale: Environment: the reactor building is required by nuclear licensing to withstand a site-specific SSE. 0.2g is conservative for temperate European sites. Spurious actuation during seismic events could cause plasma disruptions and magnet quench; loss of function could prevent safe shutdown — both are hazard initiators. | Test | stakeholder, stk-environment, session-386, idempotency:stk-env-seismic-386 |
| STK-REQ-010 | The Fusion Reactor Control System SHALL operate without degradation of control performance in an electromagnetic environment including pulsed magnetic fields up to 10 T/s dB/dt transients from the pulsed power system and RF fields up to 200 V/m at 50–170 GHz from the heating systems, compliant with IEC 61000-4-3 and IEC 61000-4-8. Rationale: Environment: tokamak operation generates one of the most severe electromagnetic environments of any engineered system. The pulsed coil currents (68 kA in 10 s) create dB/dt transients that can induce voltages in control signal cables. ECRH and ICRH systems emit RF that can corrupt digital communications. Failure to comply with EMC limits would result in control system malfunctions during plasma heating — precisely when control accuracy is most critical. | Test | stakeholder, stk-environment, session-386, idempotency:stk-env-emc-386 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The Fusion Reactor Control System SHALL achieve and maintain plasma equilibrium within ±2 cm radial position and ±1% plasma current error during steady-state burn at plasma currents up to 15 MA. Rationale: Derived from STK-REQ-001 and STK-REQ-002: radial position control ±2 cm is set by the first-wall protection margin (first-wall gap ≈ 15 cm; ±2 cm leaves ≥10 cm margin for thermal load asymmetry). Current control ±1% is required to maintain equilibrium within the stable operating space boundary and prevent disruptions during flat-top. | Test | system, session-386, idempotency:sys-plasma-equilibrium-control-386 |
| SYS-REQ-002 | The Fusion Reactor Control System SHALL detect a plasma disruption precursor state and trigger a disruption mitigation actuation within 50 ms of detection, achieving radiative collapse with >80% energy mitigation efficiency. Rationale: Derived from STK-REQ-001 and STK-REQ-009: the thermal quench in an unmitigated disruption deposits >100 MJ on the divertor in <1 ms, exceeding the carbon/tungsten first-wall erosion threshold. 50 ms detection-to-actuation budget is set by the fastest known disruption onset timescale (locked-mode disruptions, ~100 ms total). 80% mitigation efficiency is required to keep divertor surface temperature below 3000°C tungsten melting point. | Test | system, session-386, idempotency:sys-disruption-mitigation-386 |
| SYS-REQ-003 | The Fusion Reactor Control System SHALL deliver fusion power regulation maintaining plasma stored energy within ±5% of the target value and plasma density within ±5% of 1×10²⁰ m⁻³ during the burn phase. Rationale: Derived from STK-REQ-007 and STK-REQ-008: ±5% stored energy control is required to prevent transition into the density limit (Greenwald density), which triggers disruptions, and to maintain thermal load on the blanket within its design envelope. ±5% density control follows from the same density limit margin calculation. | Test | system, session-386, idempotency:sys-burn-regulation-386 |
| SYS-REQ-004 | The Fusion Reactor Control System SHALL provide a SIL-3 classified automatic safety shutdown function (SCRAM) that transitions the reactor from any operating state to safe state in ≤5 seconds, with hardware-enforced independence from the control system. Rationale: Derived from STK-REQ-004 and STK-REQ-009: nuclear installation licensing requires that the ultimate safety function (safe shutdown) is immune to common cause failure with the control system. SIL-3 is derived from the preliminary probabilistic risk assessment: target core damage frequency <1×10⁻⁴/year with unavailability budget of <1×10⁻³ for the shutdown function. 5 s shutdown time is constrained by the energy dissipation rate of the superconducting magnets during normal ramp-down. | Analysis | rt-sil-gap, rt-implausible-value, red-team-session-433 |
| SYS-REQ-005 | The Fusion Reactor Control System SHALL archive plasma state vectors and diagnostic data at 1 kHz with ≤60 s post-pulse latency, retaining all pulse data for a minimum of 25 years. Rationale: Derived from STK-REQ-007: 25-year retention is required to support nuclear site decommissioning records, which extend beyond the operating licence period. 1 kHz archiving supports MHD instability analysis at 1 ms resolution. | Inspection | system, session-386, idempotency:sys-data-archiving-386 |
| SYS-REQ-016 | The Fusion Reactor Control System SHALL execute plasma operational lifecycle sequences through the following states in order: PRE-SHOT-CONDITIONING → PLASMA-INITIATION → CURRENT-RAMP → FLAT-TOP-BURN → CONTROLLED-SHUTDOWN → POST-SHOT-COOLDOWN. Each state transition SHALL require explicit authorisation by the operator or Plant Operations Sequencer logic, with automatic reversion to SAFE-STATE on any unplanned transition attempt. The total cycle time from PRE-SHOT-CONDITIONING entry to post-shot SAFE-STATE confirmation SHALL not exceed 8 hours for a nominal plasma experiment. Rationale: STK-REQ-002 requires the system to execute operator-commanded plasma termination sequences and controlled ramp-down from full-power burn to safe state. No system-level requirement defines the plasma operational state machine and lifecycle sequence. Without a SYS-level lifecycle requirement, the POS state machine (SUB-REQ-050) cannot be verified against its stakeholder intent, and there is no system-level requirement that bounds the full cycle time or mandatory state transition authorisations. | Demonstration | idempotency:val-423-sys-lifecycle |
| SYS-REQ-017 | The Fusion Reactor Control System SHALL provide a unified operator interface presenting consolidated real-time plasma state data — including plasma current, radial position, stored energy, disruption risk index, heating power levels, fuelling rates, and all safety interlock status — with a display refresh latency not exceeding 200 ms from the most recent sensor cycle, integrated into the Plant Control and I&C System. Rationale: STK-REQ-001 is a direct stakeholder requirement for consolidated plasma state display with ≤200 ms refresh latency. Without a SYS-level requirement capturing the operator interface function, the display latency and parameter completeness requirements float at the SUB level with no system-level anchor, making it impossible to demonstrate that the system as a whole satisfies STK-REQ-001. This also enables the STK→SYS→SUB trace chain needed for the verification matrix. | Test | idempotency:val-424-sys-operator-display |
| SYS-REQ-018 | The Fusion Reactor Control System SHALL provide a validated scenario parameter management function allowing the physics operations team to upload, validate, and approve plasma control scenario parameters — including magnetic field waveforms, current ramp profiles, density targets, and heating power schedules — without requiring a plant outage, with a parameter validation report delivered within 120 seconds of upload and all approved parameters active for the next pulse. Rationale: STK-REQ-008 requires the physics team to upload and validate new plasma control scenario parameters before each pulse without requiring a plant outage. The existing trace from STK-REQ-008 to SYS-REQ-003 (power regulation) does not capture the upload/validation workflow. Without a SYS-level requirement, the scenario management function has no system-level specification, making it impossible to verify that the plant can operate under routine inter-pulse physics scenario changes — the core operational workflow for a physics research tokamak. | Demonstration | idempotency:val-424-sys-scenario-mgmt |
| SYS-REQ-019 | The Fusion Reactor Control System SHALL comply with the ethical obligations of its safety-critical role by ensuring that: no single software failure can suppress a required SCRAM, all safety-critical parameter modifications require dual authorisation from qualified reactor engineers, and the safety function is protected against inadvertent or unauthorised inhibition by operational convenience. Rationale: The FRCS, IESS, and Safety Arbiter are classified Ethically Significant (UHT bit 32): they are instruments of potentially catastrophic consequence if misused or misapplied, operating under nuclear regulatory oversight. This requirement codifies the ethical obligations: protection against single-point-of-failure suppression, dual authorisation for safety configuration changes, and prohibition on convenience-motivated safety inhibition. Derived from IAEA NS-G-1.3 and IEC 61513 requirements for safety system independence and authorisation. | Inspection | rt-mechanical-trace, red-team-session-459 |
| SYS-REQ-020 | The Fusion Reactor Control System SHALL provide continuous self-diagnostic coverage of at least 90% of I&C channel faults, with all detected faults reported to the plant Maintenance Management System within 10 seconds of detection, to support predictive maintenance planning without interrupting reactor operations. Rationale: STK-REQ-006 specifies 90% diagnostic coverage and 10-second MMS reporting. This SYS requirement flows STK-REQ-006 to system level: the self-diagnostic function must be continuous (not only on demand), achieve 90% coverage of the I&C channel fault population, and interface to the external MMS within 10 seconds. The continuous operation requirement is driven by the need to detect degraded channels before they become safety-significant, consistent with IEC 61513 condition monitoring requirements for nuclear I&C. | Test | idempotency:sys-ic-diagnostics-qc-432 |
| SYS-REQ-021 | The Fusion Reactor Control System SHALL maintain specified control performance without degradation in the electromagnetic environment generated by pulsed magnetic field transients up to 10 T/s dB/dt and RF fields up to 200 V/m at 50–170 GHz from heating systems, compliant with IEC 61000-4-3 and IEC 61000-4-8. Rationale: STK-REQ-010 specifies the EMC environment of the heating systems (ECRH/ICRH) and pulsed magnet power supplies. This SYS requirement flows the EMC obligation from stakeholder to system level. The specific standards (IEC 61000-4-3 for RF immunity, IEC 61000-4-8 for power frequency magnetic field immunity) are cited because they are the international standards applicable to I&C equipment in high-magnetic-field environments such as tokamak machine halls. | Test | idempotency:sys-emc-heating-qc-432 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Interlock and Emergency Shutdown System SHALL execute all trip functions within 10 ms of any Trip Parameter Monitor asserting a valid trip signal, using 2-out-of-3 (2oo3) voted logic to prevent spurious trips from single-channel failures. Rationale: 10 ms trip response derives from plasma disruption dynamics: a major disruption evolving from precursor to full runaway takes 20-50 ms in a large tokamak. The 10 ms budget allows 2x margin before irreversible first-wall damage. 2oo3 voting is the minimum fault-tolerance architecture required for SIL-3 hardware fault tolerance level 2 (HFT=2) per IEC 61508 Part 2. | Test | subsystem, iess, session-387, idempotency:sub-iess-trip-response-387 |
| SUB-REQ-002 | While energised, the Safety Logic Processor SHALL maintain the plasma run-permit output; when supply voltage falls below 18 VDC the Safety Logic Processor SHALL de-energise the run-permit within 5 ms, causing the Emergency Shutdown Sequencer to initiate plasma termination. Rationale: Power-fail-safe (de-energise-to-trip) is the fundamental safety design principle for interlock logic. A power failure that leaves the run-permit energised would prevent shutdown — this is a Single Point of Failure for the safety system. The 18 VDC threshold provides margin above the minimum guaranteed battery voltage (20 VDC) during a site blackout, and the 5 ms response is achievable with relay logic and prevents a race between power loss and thermal runaway. | Test | subsystem, iess, safety-critical, session-387, idempotency:sub-iess-failsafe-387 |
| SUB-REQ-003 | The Trip Parameter Monitor SHALL achieve a diagnostic coverage of at least 90% of detectable hardware faults across all three redundant channels, with detected faults annunciated to the Plant Control and I&C System within 10 seconds. Rationale: 90% diagnostic coverage (DC_high per IEC 61508 Table C.1) is mandatory to support the SIL-3 claim for hardware subsystem HFT=1. DC < 90% would drop the achievable SIL to SIL-2, requiring a hardware architecture change (additional redundancy). 10 s annunciation aligns with STK-REQ-006 system-level maintenance requirement. | Test | subsystem, iess, session-387, idempotency:sub-iess-diagnostic-coverage-387 |
| SUB-REQ-004 | When a trip is asserted, the Emergency Shutdown Sequencer SHALL initiate Massive Gas Injection within 20 ms, command all heating systems to zero power within 50 ms, and open divertor strike-point gas valves within 30 ms, executing all actions from battery-backed power independent of site AC supply. Rationale: Massive Gas Injection must begin before the thermal quench phase of a disruption (typically 10-50 ms) to cool the runaway electrons and limit the heat deposited on the divertor. The 20 ms MGI window is set by JET/ITER experimental data. Heating power must fall to zero before MGI takes effect to prevent re-heating. Battery independence is required because site power faults are a plausible initiating event for plasma disruption. | Test | subsystem, iess, session-387, idempotency:sub-iess-ess-timing-387 |
| SUB-REQ-005 | The Safety Parameter Display System SHALL display qualified safety parameters with a refresh latency of no more than 200 ms and SHALL annunciate any data staleness or channel failure through a distinct visual alarm, remaining operational for a minimum of 4 hours on battery backup following loss of site power. Rationale: Qualified safety displays are required by IEEE 1023 for nuclear I&C systems where operator response to safety parameters is required. 200 ms refresh matches the human perception threshold for parameter trend changes defined in NUREG-0700 (HFE guidance). 4-hour battery backup covers the duration of post-blackout safe-state monitoring before mobile generator support arrives per emergency operating procedures. | Test | subsystem, iess, session-387, idempotency:sub-iess-spds-387 |
| SUB-REQ-006 | The Interlock and Emergency Shutdown System SHALL be physically segregated from the Plant Control and I&C System, with no bi-directional data pathway between safety and non-safety networks, receiving sensor data only via qualified opto-isolated unidirectional interfaces. Rationale: Physical segregation between safety and non-safety I&C is a mandatory defence-in-depth requirement per IEC 62645 (nuclear cybersecurity) and IEC 61513 (nuclear I&C systems). A software-exploitable path from the operational network to the safety interlock would allow a cyberattack to defeat the safety function, which is classified as a Category A threat in the facility's design basis threat document. Opto-isolation eliminates both conducted EMI coupling and electronic intrusion pathways. | Inspection | subsystem, iess, safety-critical, session-387, idempotency:sub-iess-segregation-387 |
| SUB-REQ-007 | The Interlock and Emergency Shutdown System SHALL operate from a dedicated uninterruptible DC power supply rated at 24 VDC ±10%, sustaining full interlock function for a minimum of 8 hours following loss of site AC power, with automatic switchover to battery within 20 ms of AC loss detection. Rationale: Lint identified absence of power specification for a Powered subsystem (IEC 61508 omission). 8-hour autonomy covers emergency response duration per site emergency plan. 20 ms switchover is required to prevent a power transition from creating a spurious trip or, worse, a momentary loss of trip function. 24 VDC is the standard for industrial safety relay systems and matches the discrete signal levels used throughout the IESS. | Test | subsystem, iess, session-387, idempotency:sub-iess-power-387 |
| SUB-REQ-009 | The Disruption Prediction Engine SHALL output a disruption risk probability update within 3 ms of receiving each 128-element feature vector from the Disruption Precursor Monitor, at a sustained evaluation rate of 10 kHz. Rationale: A tokamak disruption at 500 MW plasma current can deposit more than 100 MJ on plasma-facing components within 10-50 ms; the 3 ms inference budget leaves 7 ms for MGI valve actuation before thermal energy deposition begins. 10 kHz evaluation rate resolves fastest disruption precursor evolution timescales of 0.5-2 ms identified from JET and ASDEX-U disruption databases. | Test | subsystem, dpms, safety-critical, session-388, idempotency:sub-dpms-prediction-latency-388 |
| SUB-REQ-010 | The Disruption Prediction Engine SHALL achieve a true positive rate of at least 95% (95% confidence interval lower bound, n≥500 disruption events) for disruptions with a warning time of at least 30 ms, and a false positive rate of no more than 2 events per 24-hour operating period at 10 kHz evaluation rate. Performance SHALL be measured over test sequences spanning plasma current 8–15 MA, q95 = 2.5–5.0, and at least 3 distinct MHD stability regimes. Rationale: 95% TPR is derived from disruption risk: at 100 disruptions per year, 5% miss rate yields 5 unmitigated events depositing more than 100 MJ each on the divertor. Test dataset minimum of 500 confirmed disruption sequences (specified in VER-REQ-075) achieves greater than 95% confidence in the TPR estimate using Wilson interval at N=500 (CI half-width of 2%). False positive rate of 2 events per 24-hour period is set by availability impact: each false positive requires 30-minute MGI recovery, limiting dead time to 1% per day. | Analysis | subsystem, dpms, session-388, idempotency:sub-dpms-prediction-accuracy-388 |
| SUB-REQ-011 | When disruption risk probability exceeds 0.85 or an IESS trip demand is received, the Mitigation Actuator Controller SHALL issue the MGI valve open command within 10 ms of the trigger event, independent of plasma scenario state or operator action. Rationale: 10 ms trigger-to-command latency is the critical timing budget: disruption thermal quench begins 15-30 ms after precursor detection; MGI gas front travel time is 5-15 ms depending on injection geometry; 10 ms actuation budget ensures gas arrives before runaway electron generation onset at 20 ms post-thermal-quench at ITER parameters. Independence from operator action prevents the 200-1000 ms human response time from becoming the bottleneck in a safety-critical sequence. | Test | subsystem, dpms, safety-critical, session-388, idempotency:sub-dpms-mgi-trigger-388 |
| SUB-REQ-012 | When the Disruption Prediction Engine model confidence falls below 0.70 or any Disruption Precursor Monitor channel fails self-test, the DPMS SHALL switch to conservative threshold-only detection mode within 500 ms, maintaining a true positive rate of at least 80% using fixed MHD stability thresholds without ML inference. Rationale: Conservative fallback ensures the disruption safety function is maintained when the ML model is unavailable, consistent with IEC 61508 requirements for defined safe states in safety-related systems. 80% TPR in threshold-only mode reflects documented performance of threshold-based detection on JET and ASDEX-U before ML adoption; the remaining 20% are slow low-beta disruptions where MGI would be ineffective regardless. 500 ms switchover must complete before a potential disruption event can develop. | Test | subsystem, dpms, safety-critical, degraded-mode, session-388, idempotency:sub-dpms-fallback-388 |
| SUB-REQ-013 | The Disruption Precursor Monitor SHALL process all active diagnostic channel signals, extract the 128-element MHD stability feature vector, and deliver it to the Disruption Prediction Engine within 100 μs of each sample epoch, with a maximum missing-sample rate of 0.01% at 10 kHz channel update rate. Rationale: 100 μs feature extraction latency is derived from the 10 kHz evaluation epoch (100 μs per cycle); the monitor must complete extraction within one epoch to prevent pipeline latency accumulation. 0.01% missing-sample rate ensures contiguous feature streams; sparse data has been shown to increase false positive rate by 15-40% in LSTM disruption predictors (KSTAR studies, 2023) by creating artificial discontinuities that the model interprets as precursor signatures. | Test | subsystem, dpms, session-388, idempotency:sub-dpms-dpm-latency-388 |
| SUB-REQ-014 | The DPMS Supervisory and Archive SHALL record the complete 5-second pre-disruption state vector window at 1 ms sample intervals for every disruption event, and SHALL generate a model retraining package within 10 minutes of event completion when the rolling 24-hour false positive rate exceeds 3 events or true positive rate falls below 93%. Rationale: 5-second pre-event capture at 1 ms resolution preserves the full MHD precursor dynamics required to identify prediction failure modes and retrain the LSTM model; shorter windows miss slow-evolving neoclassical tearing mode precursors. 10-minute retraining package generation aligns with inter-pulse intervals in a high-repetition programme. Thresholds of 3 FP/day and 93% TPR represent one standard deviation of degradation from design targets and trigger model update before operational impact is significant. | Test | subsystem, dpms, session-388, idempotency:sub-dpms-archive-388 |
| SUB-REQ-018 | The Equilibrium Reconstruction Processor SHALL deliver an updated equilibrium state vector, including plasma boundary, current density profile, and q-profile, within 100 μs of each magnetic measurement sample at a sustained rate of 10 kHz. Rationale: 100 μs latency budget derives from the 10 kHz Shape and Position Controller cycle: ERP output must be available before the SPC computations begin. At 10 kHz the total cycle is 100 μs; ERP is allocated 40 μs, leaving 60 μs for SPC computation and coil command output. Exceeding this budget causes the SPC to use stale equilibrium data, degrading position control accuracy below the ±2 cm limit. | Test | subsystem, plasma-control-system, session-390, idempotency:sub-pcs-erp-update-rate-390 |
| SUB-REQ-019 | The Equilibrium Reconstruction Processor SHALL continue to provide a valid equilibrium state vector meeting all accuracy specifications when up to 20% of the 160 magnetic measurement channels are unavailable, by switching to a reduced-channel EFIT variant within 2 control cycles. Rationale: Magnetic sensor dropout is a routine operational event: coil breakage, digitiser faults, and cabling damage all occur in long-pulse operation. JET data shows a 2-4% per-discharge channel failure rate; 20% tolerance provides margin against concurrent failures. Degraded equilibrium reconstruction that stops rather than adapts would trigger a disruptive plasma termination for a recoverable sensor fault. | Test | subsystem, plasma-control-system, session-390, idempotency:sub-pcs-erp-dropout-390 |
| SUB-REQ-020 | The Shape and Position Controller SHALL maintain the plasma geometric centre within 2 cm of the reference trajectory in both radial and vertical directions under steady-state flat-top conditions. Rationale: 2 cm positional accuracy is derived from the minimum gap constraint to the first wall: a 5 cm gap is required at all points, and a 2 cm control error budget leaves 1 cm for thermal expansion and position measurement uncertainty. Exceeding 2 cm risks first-wall contact events. | Test | rt-missing-failure-mode, red-team-session-459 |
| SUB-REQ-021 | The Vertical Stability Controller SHALL issue a VDE trip demand to the Interlock and Emergency Shutdown System when the vertical displacement exceeds 10 cm from the reference position and the estimated vertical growth rate exceeds 50 m/s, within 200 us of detecting both conditions simultaneously. Rationale: 10 cm displacement and 50 m/s growth rate together indicate a locked VDE that cannot be arrested by the VSC active control. The 200 us response time derives from: 50 us VSC cycle, plus 100 us for the IESS to begin the shutdown sequence, leaving 50 us margin before the MGI valve open command must arrive. Delayed trip demands result in halo current damage to the vessel. | Test | subsystem, plasma-control-system, session-390, idempotency:sub-pcs-vsc-trip-390 |
| SUB-REQ-022 | The MHD Mode Stabiliser SHALL detect a growing neoclassical tearing mode with toroidal mode number n=1 or n=2 at an island width greater than 3 cm within 50 ms of mode onset, using Mirnov coil spectral analysis at 1 kHz. Rationale: 3 cm island width is the threshold above which beta degradation becomes significant (>5% reduction in fusion performance). 50 ms detection window allows the ECCD power to be steered to the rational surface before the island grows to 6 cm, where it becomes self-sustaining and requires full disruption mitigation. Derived from ITER NTM control specification. | Test | rt-missing-failure-mode, red-team-session-459 |
| SUB-REQ-023 | The Vertical Stability Controller SHALL operate on FPGA hardware that is physically and electrically independent of the main Plasma Control System FPGA nodes, such that a single hardware failure affecting the main PCS nodes does not impair VSC availability or response latency. Rationale: VSC must remain operational during main PCS safe-state transitions. If VSC shared hardware with ERP or SPC, a main PCS FPGA fault that triggers safe-state would simultaneously disable the VSC during the period of highest VDE risk. Hardware separation was also the mitigation recommended following the 2019 JET VDE incident post-mortem. | Inspection | subsystem, plasma-control-system, session-390, idempotency:sub-pcs-vsc-hardware-independence-390 |
| SUB-REQ-024 | The PCS Real-Time Data Bus SHALL synchronise all connected PCS nodes to a common 10 kHz cycle with inter-node jitter not exceeding 1 us, and SHALL re-establish synchronisation within 5 cycles following any single bus fault without losing data from functioning nodes. Rationale: 1 us jitter budget is derived from the ERP-to-SPC data handoff: ERP has a 40 us computation window and SPC reads equilibrium data at cycle start. A 1 us jitter means SPC could read data up to 1 us before ERP finishes; at 10 kHz this is acceptable. Larger jitter causes SPC to occasionally read a partially-updated state vector, producing a corrupted equilibrium. | Test | subsystem, plasma-control-system, session-390, idempotency:sub-pcs-rtdb-sync-390 |
| SUB-REQ-025 | When the PCS Real-Time Data Bus fails to deliver a synchronised cycle for more than 5 consecutive cycles, or when any PCS component fails its internal self-test, the Plasma Control System SHALL freeze all coil current setpoints at their last valid values and assert a safe-state signal to the Interlock and Emergency Shutdown System within 10 ms. Rationale: Autonomous PCS components must have a defined fail-safe state to address the Functionally Autonomous ontological risk. Freezing coil setpoints rather than zeroing them prevents a large dI/dt in the PF coils that would itself cause a disruption. The 10 ms handoff to IESS allows the IESS to apply the full disruption mitigation sequence. | Test | subsystem, plasma-control-system, safety, session-390, idempotency:sub-pcs-watchdog-failsafe-390 |
| SUB-REQ-026 | The HCDC Supervisory and Safety Arbiter SHALL enforce a total injected heating power ceiling of 50 MW by limiting the sum of NBI, ECRH, and ICRH power setpoints, with priority given to ECRH during active NTM stabilisation events. Rationale: 50 MW is the plant electrical supply allocation for auxiliary heating. Exceeding this trips the main bus protection. Priority to ECRH during NTM events ensures the MHD stabilisation function is not starved by competing NBI demand, consistent with the ECRH primary-actuator architecture decision. | Test | subsystem, hcdc, session-391, idempotency:sub-hcdc-power-budget-391 |
| SUB-REQ-027 | When a beam-off command is received from the HCDC Supervisory and Safety Arbiter or from the Interlock and Emergency Shutdown System, the NBI Controller SHALL terminate all beam injection within 5 ms by deflecting the ion source beam onto the calorimeter. Rationale: 5 ms shutdown derives from the requirement to halt NBI power deposition within the same timescale as plasma disruption evolution. Beam continuation into a disrupting plasma risks first-wall damage from unthermalized fast ions and energetic neutral strike. Deflection onto calorimeter provides known-safe beam dump without beam extinction latency. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-028 | When the DPMS Disruption Prediction Engine issues an NTM stabilisation command, the ECRH Controller SHALL steer the injection mirror to the designated q=3/2 or q=2/1 rational surface and achieve co-deposition lock-on within 100 ms of command receipt. Rationale: 100 ms lock-on budget: DPMS detects early NTM growth 300-500 ms before predicted disruption. ECRH must achieve stabilisation co-deposition early enough to allow 2 seconds of stabilisation current injection, requiring steering completion well before the 300 ms pre-disruption window. The 100 ms allows 200 ms margin for NTM current stabilisation before forced disruption mitigation must be triggered. | Test | rt-missing-failure-mode, red-team-session-433 |
| SUB-REQ-029 | When the ICRH Controller detects a VSWR exceeding 3.5:1 on any antenna feed, it SHALL reduce the RF power to that antenna to zero within 2 ms to prevent antenna arc formation and subsequent port limiter erosion. Rationale: VSWR of 3.5:1 is the antenna arc formation threshold at full power based on RF engineering models of port antenna geometry. Arc formation within a vacuum vessel antenna causes immediate limiter erosion and potentially unrecoverable plasma contamination from metallic impurities. 2 ms shutdown is achievable with solid-state RF switches and prevents arc formation before the thermal damage threshold. | Test | rt-missing-failure-mode, red-team-session-433 |
| SUB-REQ-030 | When any single heating actuator (NBI, ECRH, or ICRH) becomes unavailable, the HCDC Supervisory and Safety Arbiter SHALL redistribute the power deficit across the remaining two actuators up to each actuator's rated maximum, maintaining a minimum total injected heating power of 30 MW to sustain ignition-margin plasma parameters. Rationale: 30 MW minimum was derived from plasma physics simulations showing Q>1 operation requires a minimum of 30 MW auxiliary heating at nominal density. Below this threshold the plasma falls below ignition margin and the session must be terminated under controlled shutdown. The redistribution target avoids unnecessary session loss when a single actuator fails. | Test | subsystem, hcdc, degraded-mode, session-391, idempotency:sub-hcdc-degraded-mode-391 |
| SUB-REQ-031 | The HCDC Supervisory and Safety Arbiter SHALL monitor a 100 ms heartbeat from each actuator controller and, upon detecting two consecutive missed heartbeats from any controller, SHALL command that controller to safe state and notify the Interlock and Emergency Shutdown System. Rationale: 200 ms detection window (2 x 100 ms heartbeat) is a balance between detection speed and false-positive rate. A single missed heartbeat can result from processing jitter; two consecutive misses indicate a genuine failure. Safe-state command ensures the affected actuator does not drift to an unsafe operating condition in the absence of supervisory oversight. | Test | subsystem, hcdc, session-391, idempotency:sub-hcdc-watchdog-391 |
| SUB-REQ-032 | The Quench Detection System SHALL detect a resistive voltage ≥50 mV sustained for ≥5 ms across any monitored coil pancake segment and assert a quench alarm within 20 ms of onset, across all operating coil currents from 10% to 100% of nominal. Rationale: Tokamak TF coil normal-zone propagation velocity is ~5–20 m/s; an undetected quench grows to encompass a full pancake (~50 m) within 2–10 s, at which point irreversible coil damage occurs. A 20 ms detection window allows the Energy Extraction and Dump System sufficient time to initiate energy transfer before the normal zone exceeds the damage threshold. The 50 mV / 5 ms threshold is derived from ITER coil characterisation data balancing false-trip suppression against sensitivity. | Test | subsystem, msps, magnet-safety, safety-critical, session-392, idempotency:sub-msps-qds-latency-392 |
| SUB-REQ-033 | The Quench Detection System SHALL implement 2-out-of-3 independent detection channels per coil group, with each channel using inductive voltage compensation to suppress false alarms from dI/dt transients above 100 A/s. Rationale: Single-channel quench detection creates a common-cause failure path where one faulty sensor either fails to detect a real quench or triggers unnecessary plasma disruptions. 2oo3 voting balances false-negative risk (safety) against false-positive risk (availability). Inductive compensation is essential because tokamak coils experience rapid current ramps during plasma initiation (up to 5 kA/s) that would otherwise saturate resistive detection thresholds. | Test | subsystem, msps, magnet-safety, safety-critical, session-392, idempotency:sub-msps-qds-voting-392 |
| SUB-REQ-034 | When a quench alarm or IESS trip demand is received, the Energy Extraction and Dump System SHALL complete energy transfer from all TF coils into the dump resistors within 30 s, maintaining peak dump resistor voltage below 20 kV at all times. Rationale: TF coil stored energy (~50 GJ across 18 coils) must be extracted before normal-zone propagation causes arc damage. The 30 s window is derived from worst-case normal-zone propagation analysis assuming initial detection at the 20 ms threshold. The 20 kV ceiling is set by the coil insulation design margin (rated at 40 kV) with a factor-of-2 margin against insulation breakdown during emergency dump. | Test | subsystem, msps, magnet-safety, safety-critical, session-392, idempotency:sub-msps-fedu-tf-timing-392 |
| SUB-REQ-035 | When a quench alarm or IESS trip demand is received, the Energy Extraction and Dump System SHALL complete energy transfer from all PF and CS coils within 10 s, with each coil circuit extracting independently to prevent voltage coupling between coil groups. Rationale: PF and CS coils carry time-varying currents during the plasma burn and must be discharged faster than TF coils due to the higher stored energy density per unit inductance and smaller normal-zone thermal margins in the thinner winding cross-sections. Independent extraction per circuit prevents mutual inductance coupling from creating overvoltage on adjacent circuits during asymmetric quench events. | Test | subsystem, msps, magnet-safety, session-392, idempotency:sub-msps-fedu-pf-timing-392 |
| SUB-REQ-036 | The Magnet Power Supply Controller SHALL maintain coil current within ±1 A of the reference waveform uploaded by the Plasma Control System, with an inner control loop executing at ≥1 kHz and hard trip limits enforced at ±10% of nominal coil current. Rationale: Plasma equilibrium depends on precise coil current profiles; ±1 A accuracy (typically <0.01% of 65 kA nominal TF current) is required to maintain the target field geometry within the PCS position control error budget. The 1 kHz inner loop provides sufficient bandwidth to suppress converter ripple and transient disturbances from adjacent coil switching. The ±10% hard trip prevents converter faults from imposing destructive over-currents on the coil insulation. | Test | subsystem, msps, magnet-safety, session-392, idempotency:sub-msps-mpsc-accuracy-392 |
| SUB-REQ-037 | The Coil Thermal and Cryogenic Monitor SHALL acquire temperatures from all embedded Cernox sensors at a sample rate of ≥10 Hz per channel, detect a coil cold-mass temperature rise of >0.5 K above pre-shot baseline within 100 ms, and transmit a secondary quench indication to the Quench Detection System for use in 2oo3 arbitration. Rationale: Temperature-based quench confirmation provides a physically independent secondary channel from voltage-bridge detection, enabling the QDS to distinguish between genuine quench (both voltage and temperature signatures) and electrical noise events (voltage spike without temperature rise). The 0.5 K threshold at 10 Hz sampling is derived from cryogenic coil thermal models showing that a genuine quench zone elevates local temperature at >1 K/s even before propagation to adjacent pancakes. | Test | subsystem, msps, magnet-safety, session-392, idempotency:sub-msps-ctcm-sensitivity-392 |
| SUB-REQ-038 | When any single Quench Detection System channel fails self-test, the Magnet Safety and Protection System SHALL revert to 1-out-of-2 voting on the remaining channels, annunciate a degraded-mode alarm to the Plant Control and I&C System, and continue to provide quench protection for all coil groups at the degraded threshold of ≥30 mV for ≥5 ms. Rationale: Loss of one QDS channel in 2oo3 voting leaves 2oo2 residual logic, which is fail-safe (any one detection triggers alarm) but increases false-positive rate. Reducing the threshold from 50 mV to 30 mV partially recovers sensitivity lost from reduced voting redundancy. The plant must be informed of degraded mode so operators can decide whether to continue the plasma shot or perform a controlled shutdown for maintenance. Continued protection is required as an unplanned shutdown with no quench detection would leave the coils unprotected. | Test | subsystem, msps, magnet-safety, degraded-mode, session-392, idempotency:sub-msps-degraded-mode-392 |
| SUB-REQ-039 | The Safety Logic Processor SHALL be implemented as two physically independent processor cards operating in 1oo2 de-energise-to-trip configuration, where either card independently drives the trip relay output to the Emergency Shutdown Sequencer, such that single card failure does not prevent SCRAM actuation. Rationale: SIL-3 classification requires Hardware Fault Tolerance = 2 per IEC 61508-2 table 4. De-energise-to-trip ensures power loss is fail-safe. A single-card SLP would be a single point of failure in the safety chain, violating the SIL-3 architecture assumed in ARC-REQ-001. This requirement directly addresses the lint finding that the SLP (D1B77858) has System-Essential trait but no redundancy requirement. | Test | subsystem, iess, safety-critical, redundancy, session-393 |
| SUB-REQ-040 | The Emergency Shutdown Sequencer SHALL be implemented on dedicated single-board computer hardware with watchdog timer, where loss of watchdog refresh within 100 ms triggers immediate hardware reset and return to safe state, and no single hardware fault in the sequencer prevents MGI actuation. Rationale: IEC 61508-2 SIL-3 HFT requirement and ARC-REQ-001 2oo3 architecture require every element in the safety chain to have defined fault-tolerance behaviour. The ESS is the final actuation element; if it fails open (no MGI), a disruption causes first-wall damage and potential tritium release. 100 ms watchdog ensures prompt recovery from processor lockup without human intervention. | Test | subsystem, iess, safety-critical, redundancy, session-393 |
| SUB-REQ-041 | When the Disruption Prediction Engine primary FPGA becomes unavailable, the Disruption Prediction and Mitigation System SHALL activate a hardwired fallback that automatically issues MGI actuation command within 5 ms, maintaining the disruption mitigation function with degraded prediction capability (no probability output, fixed-threshold only). Rationale: The DPE is classified System-Essential (hex 71F77308). Loss of the primary FPGA with no fallback would eliminate disruption mitigation capability, exposing the first wall to unmitigated disruption forces. The 5 ms fallback activation is derived from the 10 ms disruption precursor detection budget in SYS-REQ-002; a fixed-threshold hardwired path is acceptable degraded operation because it preserves the safety function with a conservative trip threshold. | Test | subsystem, dpms, safety-critical, redundancy, session-393 |
| SUB-REQ-042 | The Gas Puffing Valve Controller SHALL achieve a valve response time of less than 10 ms from receipt of a density setpoint change to confirmed valve position change, measured at each of the 20 gas injection valves under full operating pressure. Rationale: The PCS Shape and Position Controller requires density feedback loop closure at 100 Hz. A 10 ms gas puffing response contributes at most one control cycle delay, preserving loop stability margin. Longer response times cause density overshoot in the pedestal region, increasing ELM frequency and IESS trip rate. | Test | subsystem, fuel-injection, gas-puffing, session-394, idempotency:sub-gpvc-response-394 |
| SUB-REQ-043 | The Tritium and Fuel Inventory Controller SHALL assert a fuel-off interlock that inhibits both the Gas Puffing Valve Controller and Pellet Injection Controller when the estimated cumulative in-vessel tritium mass exceeds 30 g, within 100 ms of threshold crossing. Rationale: 30 g is the nuclear regulatory maximum in-vessel tritium limit for this class of fusion facility, derived from site emergency planning zone activity calculations. The 100 ms response limit ensures no additional pellet injection cycle can complete after threshold breach. Both injection channels must be inhibited simultaneously to prevent asymmetric fuelling. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-044 | The Pellet Injection Controller SHALL synchronise pellet injection to occur within 0.5 ms of the ELM phase trigger received from the MHD Mode Stabiliser, with a miss rate not exceeding 2% across any 100-pellet sequence. Rationale: The MHD Mode Stabiliser ({{hex:40800000}}) provides ELM phase trigger timing for pellet injection synchronisation. The 0.5 ms window is set by the characteristic ELM growth time (1–3 ms); pellets injected outside this window will not pace the ELM effectively. The 2% miss-rate criterion corresponds to the tolerable fraction of ELM events without pacing before net erosion of the divertor first wall exceeds design allowance. Confidence level: 95% (one-sided), evaluated over a minimum sample of 500 consecutive ELM events per machine state. Test conditions: H-mode, q95 = 3.0–3.5, standard pellet size (2mm D pellets). | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-045 | The Burn Condition Monitor SHALL provide a real-time fusion power estimate accurate to within ±2% of the calibrated reference value over the range 50–800 MW, with an update rate of at least 10 Hz. Rationale: Fusion power accuracy drives the Q-factor calculation used to determine burn sustainability. A ±2% accuracy error translates to ±0.05 in Q at Q=10, which is below the 0.1 Q resolution needed for burn state discrimination. The 10 Hz update rate matches the DPMS event register polling frequency — slower updates create a blind interval where Q could drop below 1 without triggering burn termination. | Test | rt-missing-failure-mode, red-team-session-459 |
| SUB-REQ-046 | When tritium concentration at the boundary of the Fuel Injection and Burn Control equipment zone exceeds 10 μSv/h as measured by area monitors, the Tritium and Fuel Inventory Controller SHALL assert a fuel-off interlock on both injection channels and send a tritium-alarm signal to the Interlock and Emergency Shutdown System within 500 ms. Rationale: 10 μSv/h is the nuclear regulatory action level for occupational tritium exposure in the controlled zone. At this level, continued injection could increase in-vessel tritium activity and contaminate the primary vacuum circuit. The 500 ms response time allows one sampling interval on the area monitors (sampled at 2 Hz) before the interlock takes effect. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-047 | When the Burn Condition Monitor predicts Q < 1 within 500 ms based on thermal energy decay rate, it SHALL trigger a controlled burn termination by sending an ordered fuel-ramp-down command to the Gas Puffing Valve Controller and a pellet-hold command to the Pellet Injection Controller, completing the ramp-down within 200 ms. Rationale: Controlled burn termination via fuel ramp-down is preferable to a hard IESS trip: it avoids the thermal shock of sudden plasma termination, which can cause first-wall erosion. The 500 ms prediction horizon is achievable from the diamagnetic loop thermal energy trend; the 200 ms ramp-down completes within the prediction window, allowing soft termination before IESS trip becomes necessary. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-048 | The Pellet Injection Controller SHALL maintain the pellet formation cryostat temperature within the range 15 K to 18 K during active fuelling, with temperature deviation not exceeding ±0.5 K over any 60-second window. Rationale: D-T ice pellet mechanical integrity requires temperatures in the 15–18 K range. Below 15 K, pellets become brittle and fragment in the guide tube, causing blockages. Above 18 K, surface sublimation reduces pellet mass below the minimum 0.5 mg threshold, degrading fuelling efficiency by >30%. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-049 | The Burn Condition Monitor SHALL achieve a diagnostic coverage of at least 90% of all neutron flux measurement channels, as verified by self-test exercised at every 10-second health check interval. Rationale: Cross-domain analog: the Quench Detection System (UHT 54F77218, identical observable monitoring profile) requires 90% diagnostic coverage (SUB-REQ-003) for magnetic quench channels. The Burn Condition Monitor performs the same architectural function — threshold monitoring with safety action — on neutron flux channels, and the same coverage standard applies. Without channel-level self-test, a failed fission chamber could cause a silent under-reading of fusion power, masking a Q-collapse. | Test | rt-implausible-value, red-team-session-459 |
| SUB-REQ-050 | The Plant Operations Sequencer SHALL maintain a machine state variable (MSV) in one of eight defined states (MAINTENANCE, STANDBY, PRE-PULSE, PLASMA-INIT, FLAT-TOP, RAMP-DOWN, POST-PULSE, FAULT) and SHALL broadcast the MSV to all subsystems at 10 Hz via the supervisory SCADA bus. Rationale: All eight subsystems require a consistent, authoritative operating state to coordinate actuator enable/disable logic. The 10 Hz update rate is sufficient for supervisory state management while avoiding network congestion; real-time actuator control uses dedicated control buses at higher rates. | Test | subsystem, pcis, plant-control, session-395, idempotency:sub-pos-msv-395 |
| SUB-REQ-051 | When the active Plant Operations Sequencer fails (heartbeat loss exceeding 200 ms), the standby sequencer SHALL assume control within 500 ms and SHALL resume broadcasting the last valid MSV without requiring operator intervention. Rationale: Loss of the Plant Operations Sequencer during plasma operation could leave all subsystems without a valid machine state, causing undefined actuator behaviour. The 500ms failover window is derived from the 1 second plasma quench growth time — the control system must re-establish supervisory authority before any actuator loses its operating context. | Test | subsystem, pcis, plant-control, redundancy, session-395, idempotency:sub-pos-failover-395 |
| SUB-REQ-052 | The Machine Timing and Synchronisation System SHALL deliver shot T=0 and inter-subsystem synchronisation pulses to all I&C subsystems with absolute timestamp accuracy of <=1 µs and inter-subsystem jitter of <=5 µs, derived from a GPS-disciplined oscillator with holdover accuracy of <=10 µs per hour during GPS outage. Rationale: Plasma equilibrium reconstruction requires diagnostic timestamps accurate to 1 µs to avoid aliasing at the 100 kHz sample rates used by Mirnov coils. The 5 µs inter-subsystem jitter constraint ensures coordinated actuator firings (pellet injection, NBI modulation) arrive within the 10 µs plasma control loop cycle time. The 10 µs/hour GPS holdover is derived from the maximum timing error accumulation acceptable during a 2-hour plasma pulse. | Test | rt-missing-failure-mode, red-team-session-459 |
| SUB-REQ-053 | The Plant Data Historian SHALL ingest time-series data from all subsystems at an aggregate sustained rate of >=50 MB/s during plasma operations, provide post-pulse data access via REST API within <=60 s of pulse completion, and retain all pulse data for >=25 years with lossless compression. Rationale: The 50 MB/s aggregate ingest rate is derived from 1 kHz sampling of 400 diagnostic channels at 64-bit precision across all subsystems. The 60 s post-pulse access deadline is mandated by SYS-REQ-005 and reflects the physics analysis workflow where equilibrium reconstruction begins immediately after pulse end. The 25-year retention matches the expected programme lifetime for a fusion science device and enables longitudinal degradation analysis. | Test | subsystem, pcis, plant-control, session-395, idempotency:sub-pdh-archival-395 |
| SUB-REQ-054 | The Plant I&C Network Infrastructure SHALL enforce physical and logical separation between three network security zones: the real-time deterministic control LAN (EtherCAT/Ethernet POWERLINK, <1 ms latency), the best-effort monitoring LAN (GbE), and the safety-isolated IESS network, with unidirectional data diodes enforcing all data flows from safety to non-safety zones. Rationale: Network zone segregation prevents common-cause failure between safety and non-safety I&C. A cyber intrusion on the monitoring LAN must not be able to inject commands onto the real-time control bus or the IESS network. Unidirectional data diodes are mandated for safety-network connections by IEC 62443-3-3 for nuclear I&C applications; software firewalls alone are insufficient. | Inspection | subsystem, pcis, plant-control, session-395, idempotency:sub-nicinfra-zones-395 |
| SUB-REQ-055 | The Real-Time Diagnostic Signal Conditioner SHALL digitise all 512 input channels at >=100 kHz with >=16-bit resolution and deliver calibrated digital outputs to the Equilibrium Reconstruction Processor and Disruption Precursor Monitor with end-to-end signal conditioning latency <=100 µs from analogue input to digital output. Rationale: The 100 kHz sample rate is driven by the Mirnov coil bandwidth required for MHD mode detection up to 50 kHz (Nyquist). The 100 µs conditioning latency budget is derived from the Equilibrium Reconstruction Processor needing conditioned signals within its 1 ms computation cycle, leaving 900 µs for reconstruction computation. Exceeding this latency would delay equilibrium updates and degrade Shape and Position Controller response. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-056 | The Magnetic Diagnostics Array SHALL provide plasma current integral measurements with absolute accuracy <=0.1% of full-scale (80 MA-turns) and SHALL include a self-monitoring function that flags individual sensor degradation when the calibration drift exceeds 0.05% per 100 shots. Rationale: The 0.1% absolute accuracy threshold is required by the Equilibrium Reconstruction Processor to achieve the ±2 cm plasma position accuracy mandated by SYS-REQ-001. Calibration drift monitoring is included because neutron-irradiated magnetic sensors experience progressive sensitivity changes; undetected drift would corrupt equilibrium reconstruction without operator awareness. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-057 | The Disruption Precursor Sensor Suite SHALL provide time-stamped outputs at >=10 kHz for tearing mode saddle coils and >=1 kHz for soft X-ray bolometer channels, with timestamp accuracy <=10 µs relative to the Machine Timing System reference. Rationale: The 10 kHz saddle coil sample rate resolves tearing mode rotation frequencies up to 5 kHz which is consistent with disruption precursor frequencies observed in JET and ASDEX-U data. The 10 µs timestamp accuracy preserves phase information at these frequencies and ensures the Disruption Prediction Engine can correlate precursor events across multiple diagnostic channels. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-058 | When the Disruption Precursor Monitor has not produced a valid output within 500 ms of the previous valid output, the Disruption Prediction and Mitigation System SHALL enter a watchdog-tripped state in which disruption risk is treated as 1.0 (maximum), triggering the precautionary mitigation sequence. Rationale: The Disruption Precursor Monitor is classified as Functionally Autonomous and any silent failure would leave the DPMS operating without valid precursor data. Treating a monitoring failure as maximum risk ensures the safe fail-state is always the disruption mitigation response — consistent with IEC 61508 fail-safe design for autonomous safety monitors. The 500 ms window allows one full monitoring cycle to be missed before the watchdog fires. | Test | subsystem, dpms, safety-critical, degraded-mode, session-395, idempotency:sub-dpm-watchdog-395 |
| SUB-REQ-059 | When the Equilibrium Reconstruction Processor fails to produce a valid equilibrium solution within two consecutive 1 ms computation cycles, the Plasma Control System SHALL revert to the last valid equilibrium and SHALL reduce plasma current ramp rate to zero until valid solutions resume; operator override via the Operator Console System SHALL require a deliberate two-action confirmation. Rationale: The ERP is Functionally Autonomous and its outputs directly drive Shape and Position Controller actuations. A silent ERP failure with stale outputs would cause the PCS to chase a non-existent plasma equilibrium, potentially leading to an uncontrolled vertical displacement event. The two-consecutive-cycle fault threshold prevents single-shot computational outliers from triggering unnecessary holds while ensuring a genuine failure is detected within 2 ms. | Test | subsystem, plasma-control-system, safety-critical, degraded-mode, session-395, idempotency:sub-erp-watchdog-395 |
| SUB-REQ-060 | While the Disruption Prediction Engine is operating, the DPMS Supervisory and Archive SHALL monitor DPE heartbeat at 100 ms intervals and, upon two consecutive missed heartbeats, SHALL escalate disruption risk to the emergency mitigation threshold and notify the Interlock and Emergency Shutdown System; the operator SHALL NOT be able to inhibit DPE watchdog escalation without a plant director-level authorisation. Rationale: The Disruption Prediction Engine uses ML pattern recognition that classifies it as Functionally Autonomous — autonomous ML systems driving actuation require explicit human-override constraints. The 200 ms watchdog window (two missed beats) balances false-alarm suppression against the DPMS 50 ms disruption response budget. Plant-director authorisation for inhibit prevents operators from disabling disruption protection under operational pressure. | Test | subsystem, dpms, safety-critical, session-395, idempotency:sub-dpe-override-395 |
| SUB-REQ-061 | When a safe shutdown earthquake is detected at plant level, all SIL-3 classified components of the Interlock and Emergency Shutdown System SHALL remain functional and maintain their safety trip functions, as demonstrated by qualification testing to IEEE 344 seismic category I fragility levels. Rationale: SYS-REQ-006 mandates IEEE 344 category I seismic qualification; this SUB requirement flows the seismic equipment qualification requirement into the IESS subsystem, which contains all SIL-3 safety functions. Seismic events coincide with the highest plasma energy states and require the safety shutdown to be available precisely when a natural disaster occurs. | Test | subsystem, iess, seismic, safety-critical, session-396, idempotency:sub-iess-seismic-qual-396 |
| SUB-REQ-062 | The Interlock and Emergency Shutdown System shall define safe state as the condition in which: plasma current has been reduced to zero, all heating and current drive systems are at zero power, magnetic field coils are discharged via the Energy Extraction and Dump System, and the Tritium and Fuel Inventory Controller has closed all fuelling valves; the IESS SHALL verify all four conditions within 5 s of SCRAM initiation and maintain safe state until manually reset. Rationale: PARTIALLY SUPERSEDED: 5-second verification time is consistent with SYS-REQ-004 SCRAM budget, but plasma current threshold ('zero') is less precise than the <1 kA threshold in SUB-REQ-112. The authoritative safe state definition is SUB-REQ-112 (QC session 417). SUB-REQ-062 is retained as a supporting requirement specifying the manual reset behaviour not covered by SUB-REQ-112. | Test | rt-missing-safe-state, red-team-session-459 |
| SUB-REQ-063 | The Disruption Precursor Monitor SHALL operate from a 24 VDC ±10% redundant power supply with a maximum quiescent power consumption of 150 W, and SHALL continue processing and outputting valid data within 10 ms of switchover from primary to backup power, with no spurious trigger outputs during the switchover transient. Rationale: The DPM is classified as Powered in UHT; as a System-Essential component in the disruption mitigation chain, its power supply architecture must prevent loss of disruption monitoring during power supply faults. The 24 VDC standard is consistent with IESS and other safety-rated I&C in the plant. The 150 W budget is derived from FPGA inference card typical consumption (80 W) plus sensor conditioning (40 W) plus margin (30 W). The 10 ms switchover recovery requirement preserves the disruption detection latency budget defined in SYS-REQ-002. | Test | subsystem, dpms, session-396, idempotency:sub-dpm-power-396 |
| SUB-REQ-064 | The Interlock and Emergency Shutdown System Trip Parameter Monitor, Safety Logic Processor, and Emergency Shutdown Sequencer SHALL be qualified to IEEE 344 seismic requirements at the plant site-specific Safe Shutdown Earthquake response spectrum, maintaining full function during and after the SSE. Rationale: SYS-REQ-006 mandates IEEE 344 qualification; this subsystem requirement allocates that obligation to the three IESS hardware components that must undergo qualification testing. | Test | |
| SUB-REQ-065 | When a safe shutdown earthquake is detected at plant level, the Fusion Reactor Control System SHALL maintain all SIL-3 safety shutdown functions and transition the plasma to safe state within 10 seconds, using equipment qualified to IEEE 344 seismic category I. Rationale: STK-REQ-009 mandates safety function survivability under seismic conditions. IEEE 344 Category I is the nuclear safety-related I&C qualification standard. The 10 s window covers the SYS-REQ-004 5 s SCRAM budget plus 5 s post-seismic assessment margin. Loss of SCRAM capability after a seismic event is a design basis accident. NOTE: This requirement was accidentally reassigned from system-requirements to subsystem-requirements (was SYS-REQ-006). The canonical system-level requirement is now REQ-SEFUSIONREACTORCONTROLSYSTEM-031. Tag: superseded-by-REQ-SEFUSIONREACTORCONTROLSYSTEM-031 | Analysis | rt-sil-gap, red-team-session-433 |
| SUB-REQ-066 | The Quench Detection System SHALL be housed in a 19-inch, rack-mounted, seismically-qualified enclosure rated IP54 or better, with all analogue input channels individually shielded to maintain ≤1 mV conducted noise immunity in the presence of the full-power superconducting coil electromagnetic environment (dB/dt ≤ 10 T/s). Rationale: The QDS is physically co-located with the superconducting magnet system in a high electromagnetic noise environment. Specific shielded housing is required to ensure the 20 ms quench detection latency (SUB-REQ-032) is not compromised by cable-coupled interference from the coil discharge transients. IP54 prevents condensation ingress during cryogenic system maintenance cycles. Seismic qualification matches the plant SSE requirement (STK-REQ-009). | Inspection | subsystem, qds, physical, emi, session-398 |
| SUB-REQ-067 | The Fusion Reactor Control System SHALL be housed in a qualified nuclear-grade equipment enclosure rated to IP54 minimum, constructed from non-combustible materials, and installed in a radiation-controlled area with dose rates not exceeding 100 mSv/hr, with all external interfaces protected by qualified connectors meeting IEC 60068 environmental standards. Rationale: Lint finding: UHT hex 51F77B19 lacks Physical Object trait despite physical embodiment constraints in REQ-SEFUSIONREACTORCONTROLSYSTEM-034 and STK-REQ-010. The physical installation constraints are required for nuclear I&C equipment qualification and personnel safety under IEC 61513 Class 1 requirements. | Inspection | |
| SUB-REQ-068 | The Quench Detection System SHALL be physically implemented as dedicated, qualified hardware units installed within 10 m of each superconducting magnet coil assembly, housed in radiation-hardened enclosures rated for a neutron fluence of at least 1×10^14 n/cm² over 20-year operational lifetime, with no shared chassis or power supply with non-safety systems. Rationale: Lint finding: UHT hex 54F77218 lacks Physical Object trait despite physical constraints in IFC-REQ-017 and SUB-REQ-037. Physical separation and radiation hardening are essential as quench detection failure during a magnet fault would result in uncontrolled release of stored magnetic energy (GJ-scale), which is a Category A safety event. | Inspection | |
| SUB-REQ-069 | The Emergency Shutdown Sequencer SHALL be implemented as a 2-of-3 redundant voted architecture. When one channel fails (detected by watchdog timeout >50 ms), the system SHALL continue to execute shutdown sequences at full specification. When two channels fail, the system SHALL initiate an immediate reactor trip and maintain the safe state indefinitely without requiring operator action. Rationale: UHT classification 51F73A18 carries System-Essential trait; lint finding flags absence of redundancy requirements. The Emergency Shutdown Sequencer is a SIL-3 safety function — IEC 61511 mandates architectural independence and voting logic for functions at this integrity level. 2-of-3 voting achieves the required PFD < 10^-3 per demand. | Test | |
| SUB-REQ-070 | The Safety Logic Processor SHALL operate as a fault-tolerant triple modular redundant (TMR) system. When one processing channel fails, the majority-vote output SHALL remain valid and SIL-3 compliant. When the Safety Logic Processor cannot achieve a 2-of-3 vote due to two channel failures, it SHALL default to the safe state (all scram signals asserted) within 100 ms. Rationale: UHT classification D1B77858 carries System-Essential trait; the Safety Logic Processor is the SIL-3 voting element for reactor scram initiation. IEC 61511 requires hardware fault tolerance HFT ≥ 1 for SIL-3 safety functions; TMR achieves HFT=2, with fail-safe default preventing a stuck-at-safe rather than stuck-at-permissive failure mode. | Test | |
| SUB-REQ-071 | The Disruption Prediction Engine SHALL implement cybersecurity controls meeting IEC 62443 Security Level 2 (SL-2), including cryptographic authentication of all model update packages (SHA-256 minimum), read-only runtime execution from verified firmware, and network isolation preventing any outbound connection from the prediction engine during plasma operation. Rationale: UHT classification 51F57308 carries Digital/Virtual trait; the disruption prediction engine runs ML inference and accepts model updates, creating a supply chain attack surface. A compromised model could suppress disruption warnings, allowing unmitigated disruptions that damage first-wall components or pose personnel safety hazards. IEC 62443 SL-2 is the minimum for safety-adjacent digital I&C. | Analysis | |
| SUB-REQ-072 | The Safety Arbiter SHALL be type-approved under IEC 61513 Category A (highest nuclear I&C category) and certified to IEC 61508 SIL-3. The vendor SHALL provide qualification documentation including FMEA, software diversity analysis, and independent verification evidence to the nuclear regulatory authority prior to plant commissioning. Rationale: UHT classification 002008B1 carries Regulated trait; the safety arbiter is the final decision element in the protective system. Nuclear regulatory authorities in all major fusion programme jurisdictions (UK ONR, EURATOM, US NRC) require pre-approval of Class 1 I&C before commissioning. Type approval under IEC 61513 is the accepted route to regulatory acceptance. | Inspection | |
| SUB-REQ-073 | The Pellet Injection Controller, including all tritium-handling components, SHALL comply with IAEA SSG-52 (Safety of Fusion Reactors) guidance on tritium systems and shall be licensed under the applicable national nuclear safety legislation for tritium handling facilities, with a licensed quantity limit not less than the maximum inventory design basis. Rationale: UHT classification 55F53218 carries Regulated trait; pellet injection handles tritium fuel which is radioactive and subject to national nuclear material regulations. IAEA SSG-52 is the current international guidance framework for fusion reactor safety regulation. Failure to obtain licensing would prevent plant operation and could result in regulatory enforcement. | Inspection | |
| SUB-REQ-074 | While the Fusion Reactor Control System is executing or maintaining a safe state, the Interlock and Emergency Shutdown System SHALL hold all plasma-facing subsystems (Heating and Current Drive, Fuel Injection, Plasma Control) in a de-energised and locked configuration, with fuel injection valves mechanically isolated and all RF power sources confirmed off via hardware interlocks, until a formal clearance procedure is authorised by a licensed reactor operator. Rationale: Lint finding: SYS-REQ-004 establishes the safe state concept but no subsystem requirement defines what safe state physically means for each subsystem. The three subsystems mentioned each have independent shutdown actions that together constitute the operational safe state; without a SUB-level requirement, each subsystem design team may interpret safe state differently, creating integration gaps. | Demonstration | |
| SUB-REQ-075 | The Disruption Prediction Engine SHALL incorporate a hot-standby redundant inference node. When the primary node fails to produce a valid prediction output within 500 ms (three missed cycles), the standby node SHALL assume the prediction function automatically within 100 ms, with the last valid prediction output held during the switchover period. Switchover SHALL be logged with microsecond-resolution timestamps. Rationale: UHT classification 51F57308 carries System-Essential trait; the disruption prediction engine is the only source of advance warning before a major disruption. Loss of prediction capability without failover degrades the plasma safety envelope from active-protection to open-loop operation, increasing first-wall damage risk by an order of magnitude in high-beta scenarios. | Test | |
| SUB-REQ-076 | The Pellet Injection Controller SHALL implement dual-channel architecture with independent pellet formation and injection paths. When the primary injection channel fails (detected by pellet velocity sensor disagreement >20% or injection position error >5 mm), the secondary channel SHALL maintain disruption mitigation pellet readiness within 200 ms. The system SHALL not require manual intervention to switch channels. Rationale: UHT classification 55F53218 carries System-Essential trait; pellet injection is required for both fuelling and disruption mitigation (massive material injection). Single-point failure in the injection controller during a disruption precursor event would prevent mitigation, resulting in an unmitigated disruption and potential first-wall damage worth tens of millions of euros. | Test | |
| SUB-REQ-077 | While operating in the plant electromagnetic environment, the HCDC Supervisory and Safety Arbiter and all heating actuator controllers (NBI, ECRH, ICRH) SHALL maintain commanded heating power setpoint accuracy within ±5% in the presence of: pulsed magnetic field transients up to 10 T/s dB/dt from the pulsed power system; and RF fields up to 200 V/m at 50-170 GHz from co-located ion cyclotron and neutral beam heating systems. All controllers SHALL be qualified to IEC 61000-4-3 immunity level IV and IEC 61000-4-8 level 5. Rationale: SYS-REQ-010 mandates no degradation of control performance under the full plant EMC environment. The HCDC subsystem operates in close proximity to ICRH and NBI heating sources; inadequate EMC immunity will cause spurious setpoint errors that can destabilise plasma position and trigger false disruption precursor detections. IEC 61000-4-3 Level IV and 61000-4-8 Level 5 are the highest standardised test levels appropriate for pulsed-power nuclear environments. | Test | |
| SUB-REQ-078 | The Plant Control and I&C System SHALL report detected I&C channel faults to the Maintenance Management System via the qualified IEC 61850 maintenance bus within 10 seconds of fault detection. Each fault report SHALL include: equipment identifier (per IEC 61360 plant item classification), UTC timestamp accurate to 1 ms, fault severity classification (CRITICAL / MAJOR / MINOR per IEC 60812), and channel identity. The maintenance bus interface SHALL achieve 99.9% message delivery reliability over a rolling 30-day period. Rationale: SYS-REQ-011 requires self-diagnostic coverage with fault reports to the Maintenance Management System within 10 s. This SUB requirement decomposes the reporting interface specification: message content, bus standard, timing, and reliability. Without a qualified reporting interface, early-life I&C degradation cannot be detected before it propagates to safety-function failures. IEC 61850 GOOSE is the standard for qualified nuclear I&C maintenance networks. | Test | |
| SUB-REQ-079 | The Disruption Prediction Engine SHALL be validated against a test dataset containing at least 500 disruption precursor sequences and 2000 non-disruption plasma shots, achieving: sensitivity of 95% or greater (missed disruption rate of 5% or less); false positive rate of 2% or less; and prediction horizon of 30 ms or greater before energy limit threshold is exceeded. The DPE machine learning model SHALL be version-controlled with model weights frozen at commissioning, and SHALL undergo revalidation when plasma operational parameters deviate by more than 15% from the training envelope. Rationale: The DPE employs LSTM-based neural network inference. IEC 61508-3 Annex D requires statistical validation of ML-based safety-related systems. The 95% sensitivity and 2% FPR thresholds are derived from the reactor energy budget: a missed disruption at full plasma energy (greater than 350 MJ) can cause first-wall damage and breach confinement. Model version control and revalidation requirements prevent silent model degradation under plasma parameter drift. | Analysis | |
| SUB-REQ-080 | The Quench Detection System SHALL be implemented as a dedicated rack-mounted unit in a seismically-qualified 19-inch equipment enclosure rated for nuclear facility installation, housed within the FRCS instrumentation area. The QDS housing SHALL provide EMI shielding to IEC 61000-4-3 level IV, temperature stability to ±2°C internal ambient, and physical separation of safety-class signal conditioning boards from non-safety auxiliary circuits. Rationale: QDS is a safety-critical system (SIL-3) with physical signal conditioning hardware for Cernox sensor inputs and voltage tap circuits. The Physical Object trait requires that its housing, segregation from non-safety circuits, and environmental qualification are explicitly specified. Seismic qualification is required by nuclear installation standards; EMI shielding matches plant EME requirements; ±2°C internal temperature is required by Cernox sensor accuracy budget. Without an embodiment requirement, there is no contractual basis for the physical design review. | Inspection | |
| SUB-REQ-081 | The Pellet Injection Controller SHALL be housed in a dedicated radiation-tolerant cabinet located in the tritium plant ancillary area, with the PIC electronics enclosure physically segregated from the cryostat cold-head assembly. The PIC housing SHALL meet IEC 61000-4-3 EMI immunity level III, be rated for continuous operation in a tritium-bearing gaseous environment, and incorporate personnel safety interlocks preventing access to high-voltage pellet accelerator circuits during operation. Rationale: The PIC controls high-voltage pellet injection equipment in a tritium-bearing environment and is classified as Regulated. Physical segregation between control electronics and the cryostat cold-head prevents cryogenic liquid ingress into electronics; radiation tolerance is required for the tokamak hall environment; tritium gas environment rating derives from the fuel plant location; personnel interlocks are required by radiation protection regulations for high-voltage equipment in nuclear facilities. Without an embodiment requirement, the physical design has no contractual nuclear safety and radiation protection basis. | Inspection | |
| SUB-REQ-082 | The MHD Mode Stabiliser NTM detection function SHALL achieve a detection probability of ≥95% for growing n=1 and n=2 islands exceeding 3 cm width under standard plasma operating conditions, with a false-alarm rate not exceeding 1 per 100 shots. This performance SHALL be verified over a minimum sample of 200 simulated disruption onset sequences, spanning the full range of q-profiles (q95 = 2.5 to 5.0) and plasma current (8 to 15 MA), at standard test conditions (20°C ±5°C, nominal EMI environment). Rationale: The 95% detection probability for n=1/n=2 islands exceeding 3 cm is derived from plasma physics modelling of NTM growth rates: islands grow from 3 cm to locking width (typically 6–8 cm) in 200–500 ms. The MHD Mode Stabiliser ({{hex:40800000}}) must detect at 3 cm to allow ECRH stabilisation before locking. Statistical parameters: 95% confidence, minimum sample of 200 independent NTM events per island mode, evaluated across standard plasma operating conditions (1.5–2.0 MA, 2.5–3.5 T). False alarm rate ≤5% prevents unnecessary ECRH power dumps that would degrade plasma performance. | Analysis | rt-implausible-value, red-team-session-459 |
| SUB-REQ-083 | When a single Trip Parameter Monitor channel is placed into bypass for maintenance, the IESS SHALL automatically reduce voting logic to 1-out-of-2 on the remaining channels, and SHALL annunciate the bypass state on SPDS. The IESS SHALL not permit simultaneous bypass of more than one Trip Parameter Monitor channel. Rationale: STK-REQ-005 requires online channel replacement. The NukeRPS analog (Jaccard 0.85) uses 2oo4 voting specifically to allow one-channel bypass; our 2oo3 requires explicit 1oo2 fallback during bypass to maintain single-failure tolerance. | Inspection | |
| SUB-REQ-084 | When the SCRAM function is actuated, the Emergency Shutdown System SHALL establish the Reactor Safe State defined as: plasma discharge terminated, all magnet currents decayed to zero via dump resistors within 30 s, all active heating systems (NBI, ICRF, ECRH) de-energised, and fuel injection halted with the pellet cryostat vented to the tritium exhaust system. Rationale: SYS-REQ-004 references safe state as the SCRAM target but does not specify what that state is; without a formal safe state definition, the acceptance criterion for the SCRAM function is untestable. This requirement closes the gap by defining quantitative conditions (magnet dump time, heating system de-energisation, fuel isolation) that constitute safe state, derived from IEC 61513 requirements for nuclear I&C systems. | Test | rt-missing-safe-state, red-team-session-459 |
| SUB-REQ-085 | The Interlock and Emergency Shutdown System SHALL implement 1oo2 redundant architecture for all hardware channels between the Safety Logic Processor and Emergency Shutdown Sequencer actuation outputs, such that loss of any single hardware channel does not reduce the IESS availability below the SIL-3 target (probability of failure on demand < 1×10⁻³). The second channel shall be physically separated in independent cabinets with independent power supplies. Rationale: Lint finding: ESS classified as System-Essential (bit 16) but lacked an explicit redundancy requirement. SIL-3 target PFD < 1×10⁻³ requires 1oo2 channel architecture for the final actuation path; a single-channel ESS cannot meet this PFD without heroic component reliability assumptions that are not achievable in a nuclear environment. | Analysis | rt-sil-gap, red-team-session-459 |
| SUB-REQ-086 | The Pellet Injection Controller SHALL comply with ITER nuclear island tritium handling requirements (ITER-D-2X5MRW), maintaining tritium confinement class C2 design with double containment on all tritium-wetted components, and SHALL be qualified to ISO 17873 for tritium systems in nuclear facilities. Rationale: Pellet Injection Controller handles solid tritium pellets inside the nuclear island — tritium regulatory requirements (ITER-D-2X5MRW, ISO 17873) mandate double containment and material compatibility qualification. This addresses the lint finding that the Pellet Injection Controller is Regulated and Institutionally Defined without corresponding compliance requirements. | Inspection | |
| SUB-REQ-087 | The Fusion Reactor Control System SHALL be housed in IEC 62262 IK10-rated enclosures with IP54 ingress protection for nuclear island cabinets and IP44 for control room cabinets, with EMC shielding achieving 40 dB attenuation at 50-170 GHz to protect against ECRH and ICRH radiated fields per SYS-REQ-008 and SYS-REQ-010. Rationale: Physical embodiment requirement: FRCS lacks Physical Object classification but environmental requirements SYS-REQ-008 and SYS-REQ-010 impose physical constraints requiring defined enclosures. IP54 prevents process fluid ingress in nuclear island; IK10 ensures cabinet integrity during SSE events; 40 dB RF shielding provides margin above IEC 61000-4-3 Level IV for the tokamak electromagnetic environment. | Inspection | |
| SUB-REQ-088 | The Quench Detection System SHALL be implemented as a dedicated hardware assembly physically mounted on each superconducting coil cold-mass support structure, with voltage bridge sensor pairs located at coil mid-points and end terminals, and quench heater driver circuits installed in cryogenic-rated enclosures rated for operation at 4.2 K with stainless steel welded construction per ITER coil mechanical design specifications. Rationale: Lint finding 2: QDS is classified without Physical Object trait but SUB-REQ-037, SUB-REQ-066, and SUB-REQ-080 impose physical constraints (cryogenic environment, coil mounting, voltage bridge sensing). The physical mounting specification is architecturally essential: voltage bridge sensing requires symmetric lead pairs at specific coil locations; cryogenic enclosure rating is mandatory for operation at 4.2 K; physical separation from control electronics prevents common-cause thermal failures. | Inspection | |
| SUB-REQ-089 | The Tritium and Fuel Inventory Controller SHALL comply with IAEA safeguards requirements for nuclear material accountancy (INFCIRC/153), tritium inventory management per ISO 17873, and ITER nuclear island tritium confinement class C2 per ITER-D-2X5MRW. Tritium inventory reports SHALL be generated at intervals not exceeding 24 hours and transmitted to the plant safeguards data acquisition system. Rationale: Lint finding 8: Fuel Inventory Controller is classified as Institutionally Defined (Regulated) but no SUB requirement referenced applicable safeguards or nuclear material accountancy standards. IAEA INFCIRC/153 is the governing instrument for nuclear material safeguards at ITER; non-compliance would result in loss of nuclear operating licence. ISO 17873 is the specific standard for tritium systems in nuclear facilities. The 24-hour inventory reporting interval is consistent with ITER safeguards agreement requirements. | Inspection | |
| SUB-REQ-090 | The Quench Detection System SHALL perform continuous, uninterrupted monitoring of all superconducting coil voltage channels on a deterministic 1 ms sampling cycle, with channel-to-channel synchronisation jitter not exceeding 100 μs. While in quench monitoring mode, the QDS SHALL complete each full sensor scan and signal processing cycle within the 1 ms sampling period, maintaining this timing independently of quench alarm or fault state processing. Rationale: Lint finding 7: QDS is classified as Temporal (bit 23) indicating time-dependent operation, but no existing requirement explicitly specifies the QDS monitoring cycle timing beyond the 5 ms detection threshold in SUB-REQ-032. The 1 ms sampling cycle is required to provide at least 5 samples within the ≥5 ms quench onset window; channel synchronisation jitter <100 μs ensures the 2oo3 voting logic in SUB-REQ-033 operates on spatially-consistent coil state snapshots. | Test | |
| SUB-REQ-091 | The Disruption Prediction Engine performance thresholds in SUB-REQ-010 (TPR ≥95%, FPR ≤2 events/24h) SHALL be validated against a minimum test dataset of 500 disruption events and 5000 non-disruption control windows drawn from representative plasma operating scenarios including L-mode, H-mode, and ELMy H-mode, with performance confidence intervals at 95% confidence level (Wilson score interval) reported alongside each claimed performance metric. Test conditions SHALL be defined in the DPMS Validation Plan prior to implementation. Rationale: Lint finding 13: disruption prediction is classified as a low-trait abstract concept (only Temporal + Processes Signals), and SUB-REQ-010 sets performance thresholds without specifying the statistical basis. Performance claims without defined confidence level and sample size cannot be verified — a 95% TPR on a 20-event test set is not the same as on a 500-event test set. The 500/5000 dataset size is consistent with ITER plasma disruption database accumulation rate and provides Wilson interval widths of ±3% at 95% confidence. | Analysis | |
| SUB-REQ-092 | The Interlock and Emergency Shutdown System SHALL define and enforce the reactor safe state as: plasma current ≤10 kA and decaying, all neutral beam injectors in beam-off state, all ICRH and ECRH systems at 0 W output, all superconducting coil energies transferred to dump resistors with coil currents ≤10% of operating value, and tritium fuelling systems in locked-closed state. The IESS SHALL verify all safe-state conditions and assert a safe-state confirmed signal within 5 seconds of SCRAM initiation. Rationale: SYS-REQ-004 mandates ≤5 second SCRAM to safe state. The original SUB-REQ-092 text specified 10 seconds for safe-state verification, which directly contradicts the system-level requirement. Corrected to ≤5 seconds to align with SYS-REQ-004. Note: this encompasses the full IESS actuation sequence — trip detection, MGI initiation (SUB-REQ-004 at 500 ms), and safe-state confirmation all within the 5 s budget. | Test | rt-missing-safe-state, red-team-session-459 |
| SUB-REQ-093 | The Plant Control and I&C System SHALL provide electromagnetic shielding and cable routing for all control signal cables operating in the proximity of ion cyclotron (50–170 GHz) and neutral beam injection heating systems, ensuring signal-to-noise ratio ≥40 dB on all diagnostic channels and no control actuation errors attributable to RF interference. Shielding shall meet IEC 61000-4-3 Class 3 for radiated immunity up to 200 V/m. Rationale: Derived from SYS-REQ-010 which specifies immunity to RF fields from ICRH and NBI heating systems: the system-level immunity requirement must be decomposed to the Plant Control I&C subsystem as specific shielding and cable routing constraints so that the requirement is implementable and testable at the component level. | Test | |
| SUB-REQ-094 | The Plant Data Historian and I&C Network Infrastructure SHALL implement a dedicated qualified maintenance bus compliant with IEC 61784-3 (functional safety communications), providing bidirectional fault report messages to the Maintenance Management System with end-to-end latency ≤10 seconds. Each fault message SHALL include: fault identity code, subsystem source identifier, UTC timestamp, severity classification (Critical/Major/Minor), and first-occurrence flag. Rationale: Derived from SYS-REQ-011 which requires fault reporting to the Maintenance Management System within 10 seconds: the system-level requirement must be decomposed to specify the physical bus standard, message structure, and latency budget at subsystem level so that the Plant Data Historian and network infrastructure can be designed and tested against measurable criteria. | Test | |
| SUB-REQ-095 | The Pellet Injection Controller SHALL be implemented as a dual-redundant system with automatic warm standby switchover. When the active Pellet Injection Controller fails (watchdog timeout ≥500 ms or self-test failure), the standby controller SHALL assume control within 2 seconds, retaining the pellet formation cryostat temperature state within ±1 K. While operating in single-channel mode following a failover, pellet injection SHALL maintain ≥50% of nominal injection frequency capability. Rationale: Derived from UHT System-Essential trait of the Pellet Injection Controller (hex 55F53218): a System-Essential component whose failure stops plasma density regulation and triggers burn termination requires a redundant design. The 2-second switchover budget preserves cryostat thermal state; 50% injection rate in degraded mode maintains basic density control while the fault is diagnosed. | Test | |
| SUB-REQ-096 | The Tritium and Fuel Inventory Controller design and operation SHALL comply with: IAEA Safety Guide SSG-52 (Safety of Fusion Facilities), ITER PDDS-11 (Fuel Cycle Design Description), and IEC 62645 (Nuclear Power Plant I&C requirements for programmable digital systems). Tritium inventory accounting SHALL meet the material control requirements of IAEA Safeguards Agreement Article 34 with accountability uncertainty ≤0.5% per accounting period. Rationale: Derived from UHT Institutionally Defined trait of the Fuel Inventory Controller (hex 01B432F8): tritium handling in a fusion facility is subject to specific IAEA safeguards and national nuclear regulatory requirements. Explicit standards references are required so that the design authority, regulators, and verifiers know the compliance basis and can audit conformance. | Inspection | |
| SUB-REQ-097 | The Disruption Prediction and Mitigation System SHALL monitor hard X-ray emission and synchrotron radiation signals from dedicated RE diagnostic channels. When hard X-ray count rate exceeds 10^4 counts/s sustained for ≥5 ms following a detected thermal quench, the DPMS SHALL classify the event as confirmed RE beam onset and latch a RE_DETECTED signal within 10 ms of threshold crossing. Rationale: Hard X-ray emission from bremsstrahlung of runaway electrons on residual neutrals is the primary real-time indicator of RE beam formation. A 10^4 counts/s threshold at ≥5 ms duration provides discrimination from background noise while detecting RE seed currents above 1 kA — the minimum current that sustains amplification. Latency of 10 ms leaves 40 ms margin for secondary injection actuation within the 50 ms system budget. | Test | subsystem, dpms, re-mitigation, safety-critical, session-411, idempotency:sub-dpms-re-detection-411 |
| SUB-REQ-099 | When RE_DETECTED is latched, the Mitigation Actuator Controller SHALL command the second-stage Massive Gas Injection valve to inject a neon-argon mixture at a minimum flow of 30 bar-L within 40 ms of RE_DETECTED signal assertion. Injection SHALL continue until plasma current drops below 100 kA or 500 ms has elapsed, whichever occurs first. Rationale: Secondary injection of high-Z neon-argon suppresses RE amplification by increasing charge-exchange losses and raising effective Z to slow avalanche gain. The 40 ms actuation deadline is derived from the 50 ms system budget (REQ-SEFUSIONREACTORCONTROLSYSTEM-112) minus 10 ms RE detection latency. The 30 bar-L minimum quantity is the ITER design basis for RE suppression efficiency. Termination criteria prevent unnecessary gas injection after RE beam extinction. | Test | subsystem, dpms, re-mitigation, safety-critical, session-411 |
| SUB-REQ-100 | When the FRCS initiates a safe shutdown in response to an interlock trip, the system SHALL transition all subsystems to their defined safe state within 2 seconds, including de-energising all high-power actuators and setting plasma control surfaces to safe-state positions. Rationale: SYS-REQ-004 references safe state but no system-level requirement specifies the transition sequence or timing. The 2-second bound derives from IEC 61513 Class 1 safety function response requirements. Without an explicit safe-state transition SYS requirement, subsystem implementers have no traceable upper-level constraint. | Test | |
| SUB-REQ-102 | The Quench Detection System SHALL be physically realised as a dedicated hardware assembly installed within 10 m of each superconducting magnet coil assembly, housed in a radiation-hardened, rackmounted enclosure rated for neutron fluence of ≥1×10^14 n/cm² over the 20-year operational lifetime, with no shared chassis, backplane, or power supply with non-safety-classified systems. The QDS enclosure shall be IEEE 344 seismically qualified and installed in a controlled-access radiation zone. Rationale: Lint finding: 54F77218 (Quench Detection System) lacks Physical Object trait but is constrained by physical implementation requirements (IFC-REQ-017, SUB-REQ-037, SUB-REQ-066, SUB-REQ-080). The proximity constraint (10 m) is required to achieve the <1 ms quench detection latency without signal degradation over long cable runs; the radiation hardening requirement follows from the 14-MeV neutron field adjacent to the TF and PF coils. | Inspection | |
| SUB-REQ-103 | The Pellet Injection Controller SHALL be physically housed in a dedicated, radiation-tolerant, enclosed cabinet located within the tritium-handling perimeter of the nuclear island, rated to IEC 60529 IP54 minimum and qualified to IEC 60068-2-27 shock and vibration tests consistent with the plant seismic category. All tritium-wetted physical interfaces SHALL be double-contained per ITER confinement class C2, with no direct physical pathway between the tritium inventory and the external control room environment. Rationale: Lint finding: 55F53218 (Pellet Injection Controller) lacks Physical Object trait but has physical constraints (REQ-SEFUSIONREACTORCONTROLSYSTEM-110, SUB-REQ-048). PIC cabinet location within the tritium perimeter is dictated by the C2 double-containment requirement and the cryogenic pellet feed path geometry; IP54 rating and seismic qualification are required for nuclear island operation; the containment separation requirement prevents tritium migration to unrestricted areas. | Inspection | |
| SUB-REQ-104 | The Safety Arbiter SHALL be physically implemented as a self-contained, type-approved hardware module (IEC 61513 Category A) installed in a dedicated safety-classified cabinet physically separate from the operational I&C network. The Safety Arbiter cabinet SHALL be located in a radiation-controlled, seismically-qualified equipment room with physical access restricted to Safety System maintenance personnel. All external Safety Arbiter interfaces SHALL be point-to-point hardwired with no shared data bus with non-Category A equipment. Rationale: Lint finding: 002008B1 (Safety Arbiter) lacks Physical Object trait but has physical constraints (SUB-REQ-077). IEC 61513 Category A requires that safety-classified I&C equipment be physically segregated from operational systems; the dedicated cabinet with hardwired interfaces prevents common-cause failure paths between the Safety Arbiter voting logic and the control network. | Inspection | |
| SUB-REQ-105 | The FRCS SHALL provide closed-loop power control for ion cyclotron resonance heating and neutral beam injection systems, maintaining commanded plasma heating power within 5% of setpoint over the range 0-73 MW aggregate. Rationale: STK-REQ-010 identifies heating system control as a stakeholder need but no SYS requirement addresses it. The 73 MW aggregate bound reflects ITER heating system design capacity. The 5% regulation tolerance is derived from the plasma physics constraint that heating power variation beyond this threshold causes sawtooth instabilities incompatible with Q=10 operation. | Test | |
| SUB-REQ-106 | The Fusion Reactor Control System SHALL detect runaway electron beam formation following a disruption thermal quench and command secondary high-Z material injection within 50 ms of RE onset, achieving at least 80% reduction in RE beam energy deposition on plasma-facing components. Rationale: RE beams in a 15 MA plasma carry up to 10 MJ, causing first-wall ablation damage if unmitigated. The 50 ms window is derived from RE seed amplification timescales (20-30 ms post thermal quench). Secondary neon-argon injection is the ITER-class mitigation approach reducing amplification by increasing charge-exchange losses. | Test | |
| SUB-REQ-107 | The Ion Cyclotron and Neutral Beam Heating Control subsystem SHALL maintain closed-loop power control for all installed heating systems with a power set-point tracking accuracy of ±2% of demanded power at all heating power levels from 1 MW to rated capacity, and SHALL sustain full EMC immunity to dB/dt transients up to 10 T/s without control loop instability. Rationale: Derives from SYS-REQ-010 (EMC immunity) and the heating system scope. Heating power accuracy is required to maintain plasma beta within the stable operating window; ±2% is the threshold above which beta excursions risk triggering avoidable disruptions. EMC immunity is essential because the pulsed toroidal field coils generate dB/dt transients in the same frequency range as heating control feedback signals. | Test | |
| SUB-REQ-108 | The Emergency Shutdown System SHALL define and maintain the reactor safe state as: plasma current = 0 A, all high-voltage systems de-energised, cryogenic system in passive hold mode, and all active plasma heating systems at zero power; the safe state SHALL be self-sustaining without ongoing active control intervention, verified by the Safety Logic Processor through continuous monitoring of each safe-state indicator. Rationale: Derives from SYS-REQ-004 which requires transition to safe state in ≤5 seconds but does not specify what safe state is. This requirement closes the definitional gap: without a precisely specified safe state, the SCRAM acceptance criteria cannot be tested and the VER requirements for SYS-REQ-004 cannot be written. The four conditions (zero current, de-energised HV, passive cryo hold, zero heating power) are the minimum necessary conditions for personnel safety as defined by IEC 61513 Clause 7.5. | Inspection | rt-missing-safe-state, red-team-session-459 |
| SUB-REQ-109 | The I&C Diagnostic subsystem SHALL transmit all detected channel fault events to the Maintenance Management System via a qualified maintenance data bus within 10 seconds of fault detection, using a redundant communication path that meets IEC 61784-3 SIL-2 communication profile, with a minimum message delivery probability of 99.9% and loss-of-communication alarm if the primary bus is silent for >30 seconds. Rationale: Derives directly from STK-REQ-006 and SYS-REQ-011, which require fault reporting within 10 seconds but do not specify the communication mechanism or reliability. The 30-second watchdog for bus silence ensures the I&C crew is alerted to diagnostic link failure before it affects maintenance response time. IEC 61784-3 SIL-2 profile is the minimum for a safety-support communication link per IEC 61513. | Test | |
| SUB-REQ-110 | The Fuel Inventory Controller SHALL comply with IAEA Nuclear Security Series No. 25-G (Physical Protection of Nuclear Material), EURATOM safeguards regulations (Council Regulation 302/2005), and relevant tritium accountancy standards (ISO 17873), with tritium inventory data retained in tamper-evident logs for a minimum of 30 years and reportable to regulatory authorities within 24 hours on demand. Rationale: The Fuel Inventory Controller handles tritium — a radioactive material subject to nuclear non-proliferation and safeguards obligations (EURATOM, IAEA). The Institutionally Defined classification (UHT bit 26) correctly identifies that this component operates within an externally defined regulatory and institutional framework. Without explicit standard references, the design cannot demonstrate compliance during licensing and the system safety case will have an unresolved regulatory gap. The 30-year retention period follows IAEA guidance on nuclear material accountability records. | Inspection | |
| SUB-REQ-111 | Each I&C subsystem within the Fusion Reactor Control System SHALL be registered in the plant Formal Equipment List (FL) referenced in the licensing basis, with entries specifying: subsystem designation, rack location identifier, IEC 61346 equipment tag, functional classification (safety/non-safety), SIL allocation, and qualified connector specification. The FL shall be configuration-controlled and revised before any physical change affecting the FRCS boundary. Rationale: SYS-REQ-013 commits the FRCS to a licensing-basis physical boundary defined by a Formal Equipment List. Without this decomposition requirement, individual subsystems have no obligation to register their hardware in the FL, creating a gap between the system-level licensing commitment and subsystem-level implementation. IEC 61513 clause 8.2.2 requires documentation of the physical scope boundary for nuclear I&C systems important to safety. | Inspection | |
| SUB-REQ-112 | The Interlock and Emergency Shutdown System SHALL define the reactor safe state as the simultaneous achievement of: plasma current less than 1 kA, all superconducting coil currents transferred to dump resistors, all ICRH and ECRH and NBI heating systems hardwired-inhibited, and deuterium-tritium gas injection valves confirmed closed. The IESS SHALL verify all conditions within 5 seconds of SCRAM initiation and issue a SAFE-STATE-CONFIRMED signal on the qualified safety bus. Rationale: SYS-REQ-004 mandates ≤5 second SCRAM to safe state. The original SUB-REQ-112 text specified 8 seconds, which contradicts the system-level requirement. Corrected to ≤5 seconds. The 1 kA plasma current threshold (lower than SUB-REQ-092's 10 kA) is the correct post-quench residual level achievable within the 5 s window given the 500 ms MGI initiation in SUB-REQ-004 and typical plasma current decay time constant of 1-2 s. | Test | rt-missing-safe-state, red-team-session-459 |
| SUB-REQ-113 | The Heating and Current Drive Control system SHALL provide hardwired electromagnetic compatibility protection for the ion cyclotron and neutral beam heating systems to prevent interference with the Plasma Control System and Interlock and Emergency Shutdown System signal paths, including shielded cable routing, filter insertion loss of at least 40 dB at frequencies from 50 MHz to 170 GHz, and bonding to the plant EMC reference plane. Rationale: SYS-REQ-010 requires the FRCS to maintain control performance in RF fields up to 200 V/m from ICRH and NBI systems but assigns no responsibility to the HCDC subsystem for managing its own emissions. Without EMC controls at the source (HCDC), the PCS and IESS must absorb the full RF environment, increasing their hardening cost and complexity. IEC 61000-4-3 compliance at 200 V/m is achievable only if the emitting subsystem also applies source controls. This requirement closes the STK-REQ-010 coverage gap noted in lint finding 11. | Test | idempotency:qc-417-sub-hcdc-emc |
| SUB-REQ-114 | The Interlock and Emergency Shutdown System SHALL define and maintain the safe state of the Fusion Reactor Control System as: plasma current ≤10 kA (confirmed via Rogowski coil), all poloidal field coil currents ≤1% of operating values (confirmed via coil current monitors), all heating system RF power ≤100 W (confirmed via directional couplers), all pellet injection valves closed (confirmed via valve position feedback), and torus pressure ≥10⁻⁴ mbar with no active fuelling (confirmed via baratron gauges). The safe state SHALL be latched until an authorised plasma restart sequence is initiated by a qualified operator. Rationale: SYS-REQ-004 specifies a ≤5 s transition to safe state but does not define what safe state is. Without a quantified safe state definition at subsystem level, the IESS cannot be verified against the system requirement — the test engineer has no measurable acceptance criteria. This requirement provides the enumerated safe state exit conditions for verification and safety case completeness. Values are derived from the plasma termination criteria in the ITER operational procedures (ITER-IT-SAFE-001) scaled to a DEMO-class device. | Test | idempotency:qc-422-sub-iess-safe-state |
| SUB-REQ-115 | The Plant Control and I&C System SHALL implement a qualified maintenance bus compliant with IEC 61784-3 connecting all safety-classified I&C channels to the Maintenance Management System, providing fault identity, timestamp, and severity classification in each report within 10 seconds of fault detection. Rationale: SYS-REQ-011 requires fault reporting to the Maintenance Management System via a qualified maintenance bus within 10 seconds; lint identified 'qualified maintenance bus within 10 seconds' in SYS-REQ-011 without a corresponding SUB-level implementation requirement. IEC 61784-3 compliance is mandatory for safety-classified fieldbus in nuclear I&C. | Test | idempotency:qc-421-sub-maintenance-bus |
| SUB-REQ-116 | The Interlock and Emergency Shutdown System SHALL be designed, verified, and validated in accordance with IEC 61513 Category A requirements and IEC 61511 SIL-3 requirements, with all design justifications, safety analyses, and proof-test intervals documented in the IESS safety case prior to first plasma commissioning. Rationale: SYS-REQ-014 mandates compliance with IEC 61513, IEC 61511, and IAEA SSG-39. Lint Coverage Gap finding identified that no subsystem-level requirement decomposed the standards compliance obligation. The IESS is the highest-criticality subsystem and must explicitly carry the Category A / SIL-3 compliance obligation to be traceable through the safety case. | Analysis | rt-sil-gap, red-team-session-459 |
| SUB-REQ-117 | The Gas Puffing Valve Controller SHALL implement dual-channel solenoid drive circuitry with independent power supplies for each channel, such that loss of either channel does not result in uncontrolled gas injection into the torus; the surviving channel SHALL maintain full injection capability within 100 ms of channel-loss detection. Rationale: Lint finding: GPVC classified as System-Essential (trait bit 16) with no redundancy or failover requirement. The gas puffing system provides emergency density control and disruption mitigation via gas jetting — an uncontrolled valve open in a SCRAM scenario could delay plasma termination. Dual-channel drive circuitry is the minimum mitigation for this failure mode consistent with the SIL-3 system context. | Test | idempotency:qc-421-sub-gpvc-redundancy |
| SUB-REQ-118 | The Plant Operations Sequencer SHALL execute a pre-shot conditioning sequence comprising at minimum: (1) bakeout confirmation (vessel wall temperature ≥150°C for ≥4 h), (2) glow discharge cleaning status confirmed complete, (3) all magnet power supplies energised and stable within ±0.1% of requested current for ≥5 min, (4) vacuum vessel pressure ≤10⁻⁵ mbar confirmed via baratron and residual gas analyser, and (5) all safety interlock channels reporting armed status. The POS SHALL refuse to issue a plasma initiation permit unless all five preconditions are simultaneously satisfied. Rationale: STK-REQ-002 requires the system to execute controlled plasma operation sequences. The POS state machine (SUB-REQ-050) defines eight operational states but no requirement specifies what preconditions must be verified before transitioning from CONDITIONING to INITIATION state. Without a quantified conditioning checklist, the POS could issue a plasma initiation permit with the vessel insufficiently cleaned or at atmospheric pressure, creating a first-wall damage risk. | Inspection | idempotency:val-423-sub-pos-preshot |
| SUB-REQ-119 | The Plant Operations Sequencer SHALL implement a controlled plasma shutdown sequence that ramps plasma current from operating value to ≤10 kA within 30 s, reduces all heating power to ≤1% of operating value before plasma current drops below 100 kA, confirms torus pressure remains below 10⁻⁴ mbar throughout ramp-down, and transitions all magnet power supplies to standby current within 10 min of plasma termination. The POS SHALL log the ramp-down profile at 10 Hz to the Plant Data Historian throughout the shutdown sequence. Rationale: STK-REQ-002 mandates controlled plasma termination sequences including controlled ramp-down from full-power burn. SUB-REQ-050 defines the SHUTDOWN operational state but does not specify the sequence steps, timing, or acceptance criteria. Without a quantified shutdown protocol, the POS could terminate plasma in a manner that damages superconducting coils through over-voltage during fast current ramp or leaves heating systems energised into a cold plasma, both constituting first-wall damage scenarios. | Test | idempotency:val-423-sub-pos-shutdown |
| SUB-REQ-120 | While in MAINTENANCE state, the Plant Operations Sequencer SHALL enforce the following access restrictions: (1) plasma initiation commands from the Operator Console are rejected with an on-screen inhibit message within 500 ms, (2) the machine state variable is set to MAINTENANCE_LOCKED and shall not transition to any PLASMA state without a two-person authorisation sequence (operator + shift supervisor), and (3) the maintenance lockout status is broadcast to all subsystem controllers on the PCS Real-Time Data Bus at 1 Hz. Rationale: STK-REQ-005 requires online channel replacement without interrupting plasma operations, and STK-REQ-003 requires tamper-evident audit of all safety state transitions. The POS state machine (SUB-REQ-050) identifies MAINTENANCE as a valid state, but no requirement specifies what operational constraints apply in that state. Without explicit plasma initiation inhibit logic, a maintenance technician working on live I&C channels could face an unexpected plasma initiation event, constituting a personnel safety hazard. | Test | idempotency:val-423-sub-pos-maintenance |
| SUB-REQ-121 | The Operator Console System SHALL display consolidated plasma state information — including plasma current (kA), radial position (cm), plasma stored energy (MJ), D-T fuel injection rate (molecules/s), neutron yield (n/s), disruption risk index (0–1), and all active interlock status flags — on the unified operator display with a screen refresh latency not exceeding 200 ms from the most recent measurement cycle, averaged over any 10-second window. Rationale: STK-REQ-001 requires the system to present consolidated plasma state information on a unified operator interface with ≤200 ms refresh latency. The Operator Console System is the PCIS component responsible for this function per ARC-REQ-008, but no SUB-level requirement captures the display completeness, parameter set, or latency at the OCS level. Without this requirement, the plant data feed to the operator workstation is unspecified, leaving the primary operator awareness function unverified. | Test | idempotency:val-424-sub-ocs-display |
| SUB-REQ-122 | When one channel of the dual-channel Gas Puffing Valve Controller solenoid drive fails, the Gas Puffing Valve Controller SHALL continue gas injection operation on the remaining channel with no interruption to the plasma density control loop and SHALL generate a channel-fail alarm to the Plant Operations Sequencer within 100 ms of fault detection. Rationale: The GPVC is classified System-Essential (hex 55F57A18) with dual-channel architecture per SUB-REQ-117; graceful single-channel degradation is required to prevent an unnecessary plasma disruption during a hardware fault. The 100 ms alarm latency is consistent with POS scan cycle requirements. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-123 | The Gas Puffing Valve Controller SHALL use only materials and electronic components that are qualified for operation in a tritium-bearing gas environment with hydrogen isotope partial pressures up to 1 bar, maintaining leak-tightness to less than 1e-9 Pa·m³/s helium-equivalent and electrical performance within specification after a cumulative fast-neutron fluence of 1e14 n/cm² (>1 MeV). Rationale: The GPVC is a Synthetic component handling tritium-bearing fuelling gases; material qualification is mandatory to prevent tritium permeation through valve seals and electronic degradation under neutron irradiation consistent with the blanket port-limiter radiation field. Failure to specify this requirement risks tritium release exceeding regulatory limits. | Test | rt-under-specified, red-team-session-433 |
| SUB-REQ-124 | The Gas Puffing Valve Controller SHALL be designed, manufactured, and qualified in accordance with IEC 61513 Category B (nuclear instrumentation and control) and ITER-specific procurement requirements PR-T-1 for tritium-compatible components, with qualification records retained for the operational lifetime of the reactor. Rationale: The GPVC is classified Regulated under UHT ontology and operates within the tritium inventory boundary of a nuclear facility. IEC 61513 Category B classification is required for I&C components whose failure could initiate a nuclear safety function challenge. Procurement records traceability is required by ITER licensing basis documents. | Inspection | rt-under-specified, red-team-session-433 |
| SUB-REQ-125 | The Plant Operations Sequencer SHALL be implemented and validated in accordance with IEC 62138 (nuclear power plants — software important to safety — category B) and the ITER I&C System Design Description, with software lifecycle documentation including design specification, integration test records, and V&V report maintained under configuration management throughout the operational lifetime. Rationale: The POS is classified Regulated and executes pre-shot conditioning and machine state sequencing that gates access to plasma operations; a sequencing error could initiate a plasma pulse under unsafe conditions, making software lifecycle compliance under IEC 62138 mandatory for regulatory approval of ITER or equivalent tokamak licensing. | Inspection | subsystem, plant-operations-sequencer, session-427, idempotency:sub-pos-compliance-427 |
| SUB-REQ-127 | When a safe shutdown earthquake is detected at plant level, the Fusion Reactor Control System SHALL maintain all SIL-3 safety shutdown functions and transition the plasma to safe state within 10 seconds, using equipment qualified to IEEE 344 seismic category I. Rationale: STK-REQ-009 mandates safety function survivability under seismic conditions. IEEE 344 Category I is the nuclear safety-related I&C qualification standard. The 10 s window covers the SYS-REQ-004 5 s SCRAM budget plus 5 s post-seismic assessment margin. Loss of SCRAM capability after a seismic event is a design basis accident requiring explicit system-level coverage. | Test | system, seismic, sil-3, session-398, replaces-sys-req-006 |
| SUB-REQ-128 | The Fusion Reactor Control System SHALL implement cybersecurity controls compliant with IEC 62443-3-3 Security Level 2, including network segmentation with unidirectional data diodes between safety (SL-3) and control (SL-2) networks, role-based access control, cryptographic authentication for all remote maintenance interfaces, and security event logging with tamper-evident audit trail retained for 90 days. Rationale: Nuclear I&C systems classified as IEC 61508 SIL-3 are high-consequence targets. IEC 62443 SL-2 is the minimum credible threat model for a national research reactor. Unidirectional diodes prevent protocol-level attacks propagating from the operational network to the SIL-3 safety domain. Role-based access and cryptographic authentication directly address insider threat and remote maintenance attack vectors identified in nuclear cybersecurity threat assessments (IAEA NST047). | Inspection | system, cybersecurity, iec-62443, session-398 |
| SUB-REQ-129 | The Fusion Reactor Control System SHALL operate without degradation of control performance in an electromagnetic environment including pulsed magnetic field transients up to 10 T/s dB/dt from superconducting coil charging, and RF fields up to 200 V/m at 50-170 GHz from ECRH and ICRH heating systems, compliant with IEC 61000-4-3 immunity level IV and IEC 61000-4-8 level 5. Rationale: STK-REQ-010 identifies the specific EM environment the system must tolerate. The 10 T/s dB/dt from coil operations and 200 V/m RF from gigawatt-class heating systems are measured operating parameters of a tokamak facility, not generic industrial assumptions. IEC 61000-4-3 level IV (30 V/m) and IEC 61000-4-8 level 5 (100 A/m) are the applicable test standards; the natural EM environment exceeds standard industrial levels, so explicit EMC test requirement is needed to drive design shielding margins. | Test | system, emc, electromagnetic, session-398 |
| SUB-REQ-130 | The Fusion Reactor Control System SHALL ensure all SIL-3 classified safety-critical components are qualified to IEEE 344 seismic requirements at the plant site-specific Safe Shutdown Earthquake response spectrum, maintaining full function during and after the SSE. Rationale: Nuclear regulatory authority requirements mandate seismic qualification of safety-critical I&C equipment. IEEE 344 is the accepted standard for nuclear facility equipment seismic qualification. Failure to qualify could result in loss of shutdown capability during a seismic event. | Test | |
| SUB-REQ-131 | The Fusion Reactor Control System SHALL operate without degradation of control performance (no increase in position error beyond ±2 cm, no missed disruption precursor detections) in the plant electromagnetic environment: pulsed magnetic fields up to 10 T/s dB/dt from the pulsed power system and RF fields up to 200 V/m at 50–170 GHz from the ion cyclotron and neutral beam heating systems, compliant with IEC 61000-4-3 (radiated immunity) and IEC 61000-4-8 (power-frequency magnetic field immunity). Rationale: STK-REQ-010 mandates EMC performance in the specific electromagnetic environment of the fusion reactor: dB/dt transients from pulsed power and microwave/RF from ion cyclotron and neutral beam heating. Without explicit EMC qualification to these threat levels, control system performance cannot be guaranteed during heating pulses, which co-occur with plasma operation and represent the highest-risk operational window. | Test | |
| SUB-REQ-132 | The Fusion Reactor Control System SHALL provide self-diagnostic coverage of at least 90% of I&C channel faults detectable by the system, with detected faults reported to the Maintenance Management System via a qualified maintenance bus within 10 seconds of detection, and fault identity, timestamp, and severity classification included in each report. Rationale: STK-REQ-006 requires 90% self-diagnostic coverage and 10 s fault reporting to the maintenance management system. This directly flows down from the 4-hour MTTR requirement: fault detection within 10 s is a prerequisite for timely maintenance dispatch in a high-radiation environment where access procedures add 2–3× overhead. 90% coverage is derived from IEC 61508 diagnostic coverage targets for SIL-2 monitoring functions. | Test | |
| SUB-REQ-133 | The Fusion Reactor Control System SHALL provide coordinated control of all plasma heating and current drive systems — including ion cyclotron resonance heating (ICRH), neutral beam injection (NBI), and electron cyclotron resonance heating (ECRH) — delivering total additional heating power within ±5% of the commanded setpoint over the range 0–73 MW, while maintaining safe operating envelopes for each system as defined by the HCDC protection interlock. Rationale: STK-REQ-010 identified that plasma heating systems — ICRH, NBI, and ECRH — must be coordinated by the FRCS. No SYS requirement addressed multi-system coordination or the 73 MW aggregate power envelope. The ±5% accuracy is consistent with SYS-REQ-003 stored energy control margin and prevents thermal overload of the first wall and divertor targets. | Test | |
| SUB-REQ-134 | The Fusion Reactor Control System SHALL be physically implemented as a distributed set of rackmounted equipment assemblies housed in IEEE 344 seismically-qualified, IEC 62262 IK10-rated, IP54 enclosures, installed in radiation-controlled areas. The physical boundary of the FRCS shall be defined by a formal equipment list (FL) referenced in the licensing basis, with all external physical interfaces protected by qualified connectors compliant with IEC 60068 environmental standards. Rationale: Lint finding: 51F77B19 (FRCS) lacks Physical Object trait but has physical embodiment requirements (STK-REQ-010, SUB-REQ-087, SYS-REQ-008, SYS-REQ-010). This establishes the formal physical boundary, housing standard, and equipment list anchor needed to qualify control system hardware to seismic and EMC standards. Without a defined physical boundary, qualification testing cannot be scoped. | Inspection | |
| SUB-REQ-135 | The Fusion Reactor Control System SHALL be designed, verified, and validated in accordance with IEC 61513 (Nuclear Power Plants - I&C systems important to safety), IEC 61511 (Functional Safety - Safety Instrumented Systems), and applicable IAEA Safety Standards (SSG-39), with all SIL classifications, safety analyses, and design justifications documented in the system safety case prior to commissioning. Rationale: The FRCS controls a nuclear fusion device with potential hazards to operating personnel and public safety. The Ethically Significant classification (UHT bit 32) requires explicit normative requirements capturing the regulatory and ethical obligations attached to operating such a system. IEC 61513 and IAEA SSG-39 are the internationally agreed standards for nuclear I&C; absence of explicit regulatory compliance requirements would constitute a safety case gap that regulators would require to be resolved before licensing. This requirement anchors all SIL assignments made elsewhere in the project. | Inspection | |
| SUB-REQ-136 | The Fusion Reactor Control System SHALL continuously monitor airborne tritium concentration at all controlled area boundaries, providing an automated evacuation alarm when concentration reaches 1 μSv/h dose equivalent and initiating tritium containment isolation when concentration reaches 10 μSv/h, with alarm latency not exceeding 30 seconds from threshold crossing. Rationale: STK-REQ-004 requires tritium boundary integrity with automated evacuation alarm at 1 μSv/h and safe state at 10 μSv/h. SYS-REQ-004 covers plasma SCRAM but does not address the distinct function of continuous radiological boundary monitoring, which requires dedicated sensors, alarm logic, and containment isolation actuation independent of plasma state. Tritium is classified as a radioactive material requiring EURATOM and IAEA safeguards; this requirement flows down to the Fuel Injection and Burn Control subsystem (SUB-REQ-046). | Test | idempotency:sys-tritium-monitoring-416 |
| SUB-REQ-137 | The FRCS I&C diagnostic module SHALL report all detected I&C channel faults to the external Maintenance Management System interface within 10 seconds of fault detection, with a fault record including channel ID, fault type, severity, and timestamp. Rationale: STK-REQ-006 requires 90% self-diagnostic coverage with fault reporting to the maintenance management system within 10 seconds. This decomposes the interface obligation at SUB level: the diagnostic module must push fault records to the MMS within 10 seconds, enabling maintenance staff to schedule corrective action before the next plasma pulse. | Test | idempotency:sub-mms-fault-report-qc-432 |
| SUB-REQ-138 | While heating systems are operating, the FRCS I&C channel assemblies SHALL maintain signal integrity such that measured sensor errors attributable to RF interference from heating system sources (50–170 GHz, up to 200 V/m) do not exceed 0.5% of full-scale reading, compliant with IEC 61000-4-3 and IEC 61000-4-8. Rationale: STK-REQ-010 requires undegraded control performance in the heating system EMC environment (200 V/m at 50–170 GHz, 10 T/s dB/dt). This SUB requirement decomposes the EMC obligation to the I&C channel assemblies, which must tolerate RF from ECRH/ICRH heating systems without introducing false sensor readings that could trigger erroneous plasma control corrections or spurious safety trips. | Test | idempotency:sub-heating-emc-qc-432 |
| SUB-REQ-139 | The Interlock and Emergency Shutdown Subsystem SHALL define and enforce the reactor safe state as: all superconducting magnet current ramps at zero, all heating system power at zero, plasma current below 10 kA, and all fuel injection valves closed, before declaring safe state achieved. Rationale: SYS-REQ-004 requires transition to 'safe state' in 5 seconds but does not define safe state at subsystem level. This SUB requirement provides the operational definition: specific measurable conditions that must be achieved. The definition is derived from ITER safety analysis documentation and IEC 61513 nuclear I&C standards for end-state verification. | Inspection | rt-missing-safe-state, red-team-session-459 |
| SUB-REQ-140 | The Plant Control System sensor acquisition module SHALL complete a full sensor cycle — acquiring plasma current, radial position, stored energy, disruption risk index, heating power levels, fuelling rates, and all safety interlock status — within 50 ms, with cycle completion time-stamped to UTC±1 ms for display latency accounting. Rationale: SYS-REQ-017 requires operator display refresh latency not exceeding 200 ms from the most recent sensor cycle. To achieve this, the sensor cycle itself must complete within 50 ms (25% of the 200 ms budget), leaving sufficient headroom for data bus transmission, display rendering, and jitter. The 50 ms cycle aligns with the 20 Hz refresh rate of the plasma control loop. | Test | idempotency:sub-sensor-cycle-qc-432 |
| SUB-REQ-141 | The Scenario Parameter Management function SHALL accept parameter file uploads via the secure Physics Operations Interface, validate each uploaded parameter set against plasma stability bounds and hardware limit tables, and return a validation report with pass/fail status and any violated constraint references within 120 seconds of upload initiation. Rationale: SYS-REQ-018 requires parameter validation report delivery within 120 seconds of upload. This SUB requirement decomposes the upload and validation function: file reception, constraint-bound checking against stability limits and hardware tables, and report generation must all complete within the 120-second window. The constraint-bound check is the most time-consuming step (MHD stability analysis), driving the 120-second budget allocation. | Test | idempotency:sub-param-upload-qc-432 |
| SUB-REQ-142 | The Gas Puffing Valve Controller SHALL implement dual-channel redundant valve drive circuits such that a single-channel failure results in valve closure (fail-safe de-energisation) within 10 ms, with the second channel capable of commanding valve open or closed within 50 ms of primary channel failure detection. Rationale: The Gas Puffing Valve Controller is classified System-Essential (UHT trait bit 16): loss of gas puffing control during a plasma pulse can cause uncontrolled density evolution leading to disruption or radiative collapse. Dual-channel redundancy with fail-safe closure prevents loss of density control from a single electronics failure. The 10 ms closure response is within the plasma density decay time constant (~500 ms), preventing runaway fuelling on failure. | Test | idempotency:sub-gpvc-redundancy-qc-432 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between Fusion Reactor Control System and the Plasma Diagnostics subsystem SHALL exchange validated measurement data on a deterministic real-time network with a maximum end-to-end latency of 2 ms and data loss rate <10⁻⁶ per measurement cycle. Rationale: External interface: plasma diagnostics provide the primary sensor data for all control loops. 2 ms latency budget is allocated from the 10 ms total control cycle budget, leaving 8 ms for computation and actuation. Data loss >10⁻⁶ would cause the control system to use stale data, degrading equilibrium accuracy. | Test | interface, external, session-386, idempotency:ifc-ext-diagnostics-386 |
| IFC-REQ-002 | The interface between Fusion Reactor Control System and the Superconducting Magnet System SHALL use redundant, galvanically isolated digital command links with status feedback confirmation within 1 ms of command issue. Rationale: External interface: magnet power supply commands carry the highest safety consequence of any interface — a missed command during vertical displacement event could allow plasma contact with first wall within 100 ms. Galvanic isolation prevents ground loop noise from corrupting commands. 1 ms confirmation is within the vertical stability control bandwidth. | Test | interface, external, session-386, idempotency:ifc-ext-magnets-386 |
| IFC-REQ-003 | The interface between Fusion Reactor Control System and the Site Protection System SHALL use a hardwired, normally-energised interlock circuit for Category A SCRAM demand signals, with no software in the signal path and a maximum actuation latency of 50 ms from demand to confirmed breaker open. Rationale: External interface: nuclear safety classification requires that SCRAM demand signals to the site protection system are hardware-only, not software-mediated. Normally-energised (fail-safe) circuit ensures that cable break or power loss initiates protective action. 50 ms actuation latency is derived from the SCRAM sequence time budget. | Test | interface, external, session-386, idempotency:ifc-ext-site-protection-386 |
| IFC-REQ-004 | The interface between the Trip Parameter Monitor and the Safety Logic Processor SHALL use hardwired 24 VDC discrete signals with a maximum signal propagation delay of 2 ms, employing opto-coupled galvanic isolation rated to 2 kV working voltage between sensor-side and logic-side circuits. Rationale: Hardwired discrete signals are the only architecture that eliminates software-related common-cause failure at this interface. The 2 ms propagation budget is allocated from the overall 10 ms trip response chain. 2 kV isolation rating provides adequate margin above the maximum induced voltage from 68 kA coil discharge events, protecting the SIL-3 logic from high-voltage transient coupling. | Test | interface, iess, session-387, idempotency:ifc-tpm-slp-387 |
| IFC-REQ-005 | The interface between the Safety Logic Processor and the Emergency Shutdown Sequencer SHALL be a hardwired energise-to-hold signal: the Safety Logic Processor SHALL maintain 24 VDC on the run-permit line during normal operation; loss of signal from any cause SHALL unconditionally initiate the Emergency Shutdown Sequencer. Rationale: Energise-to-hold (de-energise-to-trip) ensures the shutdown sequencer initiates on any cable fault, connector failure, logic failure, or power loss without requiring a positive trip command. This eliminates a class of failure modes where the interlock is bypassed by a failure in the trip signal path itself. This is the canonical design pattern for safety instrumented systems per IEC 61511 Clause 11. | Test | rt-vague-interface, red-team-session-433 |
| IFC-REQ-006 | The interface between the Disruption Precursor Monitor and the Plasma Diagnostics Integration System SHALL provide time-synchronised diagnostic channel data at 50 kHz per channel via fibre-optic reflective memory network, with absolute timestamp accuracy of 10 μs relative to GPS-disciplined master clock, and SHALL flag any channel with signal dropout exceeding 2 ms as invalid in the feature vector. Rationale: 50 kHz per channel sampling rate is required to resolve the highest-frequency MHD precursors (locked mode oscillations at 10-20 kHz). Fibre-optic isolation prevents ground loop interference from 60 T/s magnetic field transients during disruptions. 10 μs timestamp accuracy ensures feature vectors from different diagnostic subsystems are coherently aligned; misalignment greater than 100 μs degrades LSTM prediction accuracy by up to 12% (KSTAR benchmark). 2 ms dropout flag threshold matches the ELM blackout duration identified in the precursor monitor specification. | Test | interface, dpms, session-388, idempotency:ifc-dpms-pdis-388 |
| IFC-REQ-007 | The interface between the Disruption Prediction and Mitigation System and the Interlock and Emergency Shutdown System SHALL be a dual-channel hardwired 24 VDC signal: the DPMS Mitigation Actuator Controller asserts an MGI pre-trigger output when risk probability exceeds 0.85, and the IESS Safety Logic Processor asserts a deterministic trip demand to the Mitigation Actuator Controller on any SCRAM condition. Both signals SHALL be latched energise-to-hold and propagate within 1 ms of assertion. Rationale: Hardwired interface prevents software-induced latency between the two safety systems. Energise-to-hold convention ensures a power or communication failure causes a safe-side trip demand rather than inhibiting mitigation. 1 ms propagation limit ensures the DPMS-to-IESS and IESS-to-DPMS paths do not add significant latency to the 10 ms MGI trigger budget established in SUB-REQ-011. Dual-channel arrangement maintains signal integrity under single-channel failure per IEC 61508 SIL-3 HFT=1 requirements. | Test | interface, dpms, iess, session-388, idempotency:ifc-dpms-iess-388 |
| IFC-REQ-008 | The interface between the Mitigation Actuator Controller and the Heating and Current Drive Control SHALL provide a hardwired NBI inhibit signal that ramps all three NBI beam power outputs from full to zero in 50 ms upon DPMS mitigation trigger, and an ECRH shutdown signal that terminates gyrotron output within 5 ms, with confirmed execution feedback to the Mitigation Actuator Controller within 60 ms. Rationale: NBI and ECRH ramp-down is a mandatory part of the disruption mitigation sequence: continued external heating during a disruption amplifies runaway electron energy gain; at 150 MW NBI power the electron beam current could reach destructive levels within 50 ms of thermal quench if heating is not terminated. 50 ms NBI ramp-down is the minimum achievable from the power supply bus capacitor discharge time. 5 ms ECRH shutdown exploits the faster gyrotron gate-off response. 60 ms feedback timeout triggers a secondary alarm if heating shutdown is not confirmed. | Test | interface, dpms, hcdc, session-388, idempotency:ifc-dpms-hcdc-388 |
| IFC-REQ-009 | The interface between the Equilibrium Reconstruction Processor and the Shape and Position Controller SHALL transfer the equilibrium state vector at 10 kHz using the MARTe2 shared data store, with a maximum end-to-end latency of 5 us from ERP write-completion to SPC read-availability. Rationale: 5 us inter-component latency is the allowable fraction of the 40 us ERP budget allocated to data publishing. Reflective memory on the MARTe2 bus achieves 1-2 us typical transfer; 5 us provides headroom for bus arbitration under maximum load. Higher latency would reduce SPC computation time below the minimum required for gain-scheduled PID convergence. | Test | interface, plasma-control-system, session-390, idempotency:ifc-pcs-erp-spc-390 |
| IFC-REQ-010 | The interface between the Vertical Stability Controller and the Interlock and Emergency Shutdown System SHALL convey the VDE trip demand as a hardwired normally-energised signal that de-energises within 100 us of VSC asserting the trip condition, independent of any software or network path. Rationale: Hardwired de-energisation is mandated because the IESS SIL-3 classification prohibits software-mediated safety functions on the trip path. The 100 us signal propagation limit is derived from the IESS actuation chain: IESS has 50 ms total budget to fire the MGI valves, so the trip signal propagation must not consume more than 0.2% of that budget. | Test | rt-vague-interface, red-team-session-433 |
| IFC-REQ-011 | The interface between the Equilibrium Reconstruction Processor and the MHD Mode Stabiliser SHALL transfer the q-profile at minimum 1 kHz with a radial resolution of at least 50 flux surfaces, latency not to exceed 2 ms, using the MARTe2 shared data store. Rationale: NTM stabilisation by ECCD requires the rational surface location (q=1.5 for m/n=3/2 NTM, q=2 for m/n=2/1) to be known to within one flux surface. 50 flux surface resolution achieves this with margin. 2 ms latency is acceptable because NTM mode growth rates are 10-100 ms; a 2 ms q-profile lag does not prevent accurate ECCD steering. | Test | interface, plasma-control-system, session-390, idempotency:ifc-pcs-erp-mms-390 |
| IFC-REQ-012 | The interface between the HCDC Supervisory and Safety Arbiter and the Interlock and Emergency Shutdown System SHALL be a unidirectional hardwired safe-state command bus delivering a beam-off signal to all three actuator controllers within 1 ms of IESS trip assertion, independent of supervisory software. Rationale: Hardware independence from supervisory software is required for SIL-3 classification: the IESS trip must reach actuators even if the Supervisory processor has failed. 1 ms delivery budget preserves the 5 ms NBI shutdown margin from the trip assertion time. The bus must be unidirectional to prevent IESS signal corruption from HCDC software faults. | Test | interface, hcdc, iess, session-391, idempotency:ifc-hcdc-iess-hardwire-391 |
| IFC-REQ-013 | The interface between the ECRH Controller and the Disruption Prediction and Mitigation System SHALL accept NTM stabilisation commands over a dedicated real-time network with a command latency not exceeding 5 ms from DPMS command generation to ECRH mirror steering initiation. Rationale: 5 ms command delivery is required to fit within the 100 ms lock-on budget: 5 ms delivery leaves 95 ms for mirror steering and co-deposition confirmation. The dedicated network prevents interference from higher-bandwidth plant control traffic and provides deterministic latency for the safety-adjacent NTM stabilisation function. | Test | interface, hcdc, dpms, ecrh, session-391, idempotency:ifc-ecrh-dpms-ntm-391 |
| IFC-REQ-014 | The interface between the HCDC Supervisory and Safety Arbiter and the Plasma Control System SHALL accept closed-loop power setpoint updates at 50 Hz, allowing PCS to modulate total injected heating power within ±5 MW of the current operating point for plasma shape and density feedback control. Rationale: 50 Hz update rate matches the PCS equilibrium reconstruction cycle, ensuring heating adjustments are synchronised with the latest plasma equilibrium estimate. ±5 MW authority is the PCS-derived trim range for density and shape corrections; larger power swings are scheduled via the plant power management layer, not PCS feedback. | Test | interface, hcdc, pcs, session-391, idempotency:ifc-hcdc-pcs-setpoint-391 |
| IFC-REQ-015 | The interface between the Quench Detection System and the Interlock and Emergency Shutdown System SHALL be a hardwired relay-based trip channel, independent of plant software buses, with signal propagation latency ≤2 ms from quench alarm assertion to IESS trip input. Rationale: Routing quench alarms through software buses introduces latency and potential common-cause failure with the plasma control software. A hardwired relay channel is SIL-4 compliant per IEC 61508 and ensures the coil protection action is not susceptible to software faults or network congestion that might delay or drop the trip signal. The 2 ms budget is consistent with IESS trip response chain timing (SUB-REQ-001 requires full trip execution in ≤100 ms). | Test | interface, msps, iess, safety-critical, session-392, idempotency:ifc-qds-iess-hardwire-392 |
| IFC-REQ-016 | The interface between the Quench Detection System and the Energy Extraction and Dump System SHALL transmit per-coil-group quench alarm vectors at ≥100 Hz over a dedicated fibre-optic link with latency ≤5 ms, using a coded message format that distinguishes quench alarm, controlled shutdown request, and watchdog heartbeat states. Rationale: The FEDU must receive per-coil-group alarm state to selectively dump only the affected coil circuit rather than discharging all coils simultaneously, which would generate a large-scale plasma disruption. Fibre-optic isolation prevents ground-loop faults in the high-voltage dump circuit from coupling back into the low-voltage detection electronics. The 100 Hz update rate and 5 ms latency are consistent with the 30 s TF energy extraction window (plenty of margin). | Test | interface, msps, session-392, idempotency:ifc-qds-fedu-alarm-392 |
| IFC-REQ-017 | The interface between the Coil Thermal and Cryogenic Monitor and the Quench Detection System SHALL provide digitised temperature exceedance flags for each coil group at ≥10 Hz, with a latency ≤100 ms from sensor measurement to QDS reception. Rationale: Temperature flags must be available within the QDS 2oo3 voting window to serve as a valid independent channel. The 100 ms latency budget accounts for Cernox ADC acquisition time (~50 ms) plus the inter-subsystem communication path, and remains within the QDS detection-to-alarm budget (20 ms voltage + secondary temperature confirmation does not lengthen the primary alarm path, which relies on voltage alone reaching alarm first). | Test | interface, msps, session-392, idempotency:ifc-ctcm-qds-temp-392 |
| IFC-REQ-018 | The interface between the Magnet Power Supply Controller and the Plasma Control System SHALL accept coil current reference waveforms via a dedicated reflective memory link at 1 kHz update rate, with the MPSC acknowledging each set-point within 2 ms or flagging a timeout to the Plant Control and I&C System. Rationale: The PCS inner current control loop operates at 1 kHz (SUB-REQ-036) and requires set-point delivery matched to this rate. Reflective memory provides deterministic latency (<1 ms cycle time) without TCP/IP overhead that would introduce jitter incompatible with the ±1 A current tracking requirement. The 2 ms acknowledgement timeout surfaces coil controller faults before they manifest as plasma position errors. | Test | interface, msps, plasma-control-system, session-392, idempotency:ifc-mpsc-pcs-setpoint-392 |
| IFC-REQ-019 | The interface between the Gas Puffing Valve Controller and the Plasma Control System SHALL carry density setpoints as 32-bit floating-point values over a dedicated real-time Ethernet link (1 Gbit/s) with a maximum end-to-end latency of 5 ms and a cycle period of 10 ms. Rationale: The PCS outputs electron density setpoints (ne_target) to the gas puffing controller via the same real-time network used for other PCS actuators. A 5 ms latency budget and 10 ms cycle period ensure gas puffing acts within one PCS control cycle. The 1 Gbit/s link uses RDMA to bypass OS scheduling jitter — standard Ethernet would add 2–8 ms of unpredictable latency. | Test | interface, fuel-injection, plasma-control-system, session-394, idempotency:ifc-gpvc-pcs-394 |
| IFC-REQ-020 | The interface between the Pellet Injection Controller and the MHD Mode Stabiliser SHALL provide an ELM phase trigger signal as a hardwired TTL pulse with a jitter not exceeding 0.1 ms, synchronised to the ELM detection timestamp in the Mode Stabiliser. Rationale: TTL hardwire is used rather than network for the ELM trigger because network jitter (typically 0.5–2 ms) would consume the entire synchronisation window. The Mode Stabiliser ELM detection is derived from magnetic field perturbation signals, with a latency of <0.2 ms from event to output pulse, giving a total trigger-to-valve-command latency of <0.4 ms. | Test | interface, fuel-injection, mhd-mode-stabiliser, session-394, idempotency:ifc-pic-mms-394 |
| IFC-REQ-021 | The interface between the Tritium and Fuel Inventory Controller and the Interlock and Emergency Shutdown System SHALL use a hardwired relay-based fuel-off signal, with relay closure indicating a safe (fuelling permitted) state and open contact indicating an interlock demand, compliant with IEC 61511 SIL-3 architectural constraints. Rationale: De-energise-to-trip (relay open = trip demand) is mandated by IEC 61511 for SIL-3 nuclear material interlocks: a wiring fault, power loss, or controller failure all result in a safe state (fuel off). A software-only interface would require additional validation and could not achieve SIL-3 without certified hardware separation. | Inspection | rt-sil-gap, red-team-session-433 |
| IFC-REQ-022 | The interface between the Burn Condition Monitor and the Disruption Prediction and Mitigation System SHALL transmit a fusion power and Q-factor vector at 10 Hz via the PCS Real-Time Data Bus, encoded as a 64-byte fixed-format message with a sequence counter and CRC-32 checksum. Rationale: The DPMS Disruption Prediction Engine uses fusion power and Q-factor as features in its LSTM disruption risk model. Providing these via the shared PCS RTDB minimises physical interfaces and uses the same timing reference as plasma equilibrium data. The fixed-format message with CRC prevents silent data corruption on the RTDB backplane. | Test | interface, fuel-injection, dpms, session-394, idempotency:ifc-bcm-dpms-394 |
| IFC-REQ-023 | The interface between the Plant Operations Sequencer and each of the seven operational subsystems (PCS, HCDC, DPMS, FIBC, MSPS, IESS, PDIS) SHALL carry the machine state variable (MSV) as a 32-bit status word over the supervisory SCADA bus at 10 Hz with a maximum end-to-end latency of 50 ms. Rationale: Each subsystem must receive the MSV within one SCADA cycle (100 ms) to enable/disable actuators based on operational state. The 50 ms latency budget allows for 1 SCADA cycle of network transit and one processing cycle within each subsystem. MSV delivery is not a safety function — IESS has independent hardwired interlocking. | Test | interface, pcis, plant-control, session-395, idempotency:ifc-pos-msv-broadcast-395 |
| IFC-REQ-024 | The interface between the Machine Timing and Synchronisation System and each subsystem SHALL distribute shot timing signals over independent fibre-optic links using IRIG-B and IEEE 1588 PTP protocol formats, with timing pulse rise time <=100 ns at the subsystem receiver. Rationale: Fibre-optic links are mandated for all timing distribution in the high-field environment to provide EMI immunity — copper timing lines experience induced noise from magnet coil current transients exceeding 50 kA. Independent links per subsystem prevent a single fibre fault from disrupting timing on multiple subsystems. The 100 ns rise time ensures clean trigger edge detection at ADC-level timing circuits. | Test | interface, pcis, plant-control, session-395, idempotency:ifc-mtss-distribution-395 |
| IFC-REQ-025 | The interface between the Plant Data Historian and the Plasma Diagnostics Integration System SHALL accept time-stamped diagnostic data streams at >=1 kHz sample rate per channel over the best-effort monitoring LAN using a publish-subscribe message bus, with guaranteed delivery and sequence integrity confirmation within 60 s of pulse end. Rationale: The 1 kHz sample rate matches SYS-REQ-005. Publish-subscribe decouples the historian from each diagnostic source, allowing new diagnostic channels to be added without historian reconfiguration. The 60 s confirmation window closes the archival loop for post-pulse physics analysis and satisfies SYS-REQ-005 post-pulse latency. | Test | interface, pcis, plant-control, session-395, idempotency:ifc-pdh-pdis-395 |
| IFC-REQ-026 | The interface between the Magnetic Diagnostics Array and the Real-Time Diagnostic Signal Conditioner SHALL carry analogue voltage or current signals from >=256 magnetic sensor channels with common-mode rejection ratio >=80 dB and galvanic isolation >=2.5 kV per channel to protect digitiser electronics from vacuum vessel transients. Rationale: The 80 dB CMRR requirement is derived from the amplitude of 50 Hz power system interference relative to the minimum Mirnov coil signal during low-power plasma startup — the signal-to-noise ratio must remain >40 dB. Galvanic isolation at 2.5 kV protects the digitiser from halo currents and disruption-driven vessel transients that can reach 1 kV peak on sensor conductors. | Test | interface, pdis, session-395, idempotency:ifc-mda-rtdsc-395 |
| IFC-REQ-027 | The interface between the Diagnostic Data Multiplexer and the Equilibrium Reconstruction Processor SHALL deliver timestamped magnetic diagnostic data frames at 100 kHz via a deterministic RDMA link with end-to-end latency <=200 µs and zero frame loss tolerance during plasma flat-top operation. Rationale: The 200 µs total budget (100 µs conditioning plus 100 µs multiplexer routing) allows the Equilibrium Reconstruction Processor to receive data within its 1 ms computation cycle. Zero frame loss is required because any dropped magnetic data frame corrupts the numerical equilibrium solution, potentially triggering a spurious plasma position error and unwarranted shape correction actuation. | Test | interface, pdis, session-395, idempotency:ifc-ddm-erp-395 |
| IFC-REQ-028 | The interface between the Disruption Precursor Sensor Suite and the Disruption Precursor Monitor SHALL transmit calibrated, timestamped sensor vectors at >=10 kHz over a dedicated low-latency fibre link with delivery latency <=500 µs and timestamp synchronisation to the Machine Timing System within 10 µs. Rationale: The 500 µs delivery latency is the interface allocation within the 50 ms total disruption detection budget (SYS-REQ-002): 0.5 ms sensor delivery plus 49.5 ms for prediction computation and mitigation command. Dedicated fibre ensures the disruption-critical data path is isolated from routine diagnostic traffic congestion. | Test | interface, pdis, session-395, idempotency:ifc-dpss-dpm-395 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | ARC: Interlock and Emergency Shutdown System — Hardwired 2oo3 voting logic with physically segregated channels, not a software-based safety system. The SIL-3 classification and the need to prevent common-cause failure between safety and operational I&C networks drives the choice of hardwired relay logic over programmable safety PLCs. Software-based systems introduce unacceptable common-cause software failure modes; hardwired logic eliminates this vulnerability at the cost of higher engineering effort for configuration changes. The 4-component decomposition (Trip Parameter Monitor, Safety Logic Processor, Emergency Shutdown Sequencer, Safety Parameter Display) maps directly to the IEC 61508 safety function architecture: sensor subsystem, logic solver, final element actuator, and operator indication. Battery-backed power for sequencer and display ensures function during loss of site power — a key licensing requirement. Rationale: IESS architecture decision: hardwired 2oo3 voting logic with IEC 61508 SIL-3 safety architecture. Supports SYS-REQ-004. Tagged informational as ARC documents design rationale, not traceable requirements. | Inspection | architecture, iess, session-387, idempotency:arc-iess-387 |
| ARC-REQ-002 | ARC: Disruption Prediction and Mitigation System — LSTM on FPGA with hardwired fallback. Disruption prediction uses a long short-term memory (LSTM) neural network deployed on an FPGA (not GPU/CPU) for deterministic inference latency. FPGA inference eliminates OS scheduling jitter and achieves 3 ms bound with 6-sigma margin. Hardwired threshold-only fallback bypasses ML entirely: it is implemented in fixed gate logic independent of the FPGA softcore, ensuring fallback availability is not contingent on FPGA health. MGI trigger path is isolated from the prediction path by a dedicated microcontroller running an independent watchdog-supervised interrupt service routine, preventing ML inference failures from blocking mitigation. Rationale: FPGA chosen over GPU because GPU inference latency has 3-sigma tail latency of 12-50 ms depending on CUDA kernel scheduling, which violates the 3 ms budget. FPGA deterministic logic achieves 3 ms with sigma less than 100 μs. LSTM chosen over simpler models (SVM, threshold) because ITER disruption database shows LSTM outperforms SVM by 8 percentage points TPR at matched FPR due to LSTM capacity to model temporal correlation in MHD precursor evolution. Hardwired fallback chosen over software-mode-switch because IEC 61508 prohibits relying on the same software path for both primary function and its safety backup. | Inspection | architecture, dpms, session-388, idempotency:arc-dpms-388 |
| ARC-REQ-003 | ARC: Plasma Control System — Hierarchical real-time control with separated vertical stability loop. The PCS is decomposed into: Equilibrium Reconstruction Processor (Grad-Shafranov solver at 10 kHz), Shape and Position Controller (isoflux/gap control, 48 PF channels), Vertical Stability Controller (standalone FPGA at 100 kHz, isolated from main PCS), MHD Mode Stabiliser (NTM/RWM/ELM control, 1 kHz), and PCS Real-Time Data Bus (MARTe2, synchronised cycle). The VSC runs on separate hardware because VDE growth times (5–20ms) cannot tolerate the latency of sharing FPGA resources with the equilibrium solver. NTM stabilisation requires the q-profile from equilibrium reconstruction, creating a data dependency that mandates ERP→MMS ordering on the data bus. A monolithic controller was rejected because fault isolation requires that VSC remain operational when the main PCS is in safe-state; separate hardware achieves this at the cost of two additional inter-subsystem interfaces. Rationale: Captures the primary architectural trade-off: VSC isolation vs. integration complexity. The 2019 JET VDE incident demonstrated that a shared-resource PCS cannot guarantee VSC latency under peak equilibrium reconstruction load. This decision prevents recurrence. | Inspection | architecture, plasma-control-system, session-390, idempotency:arc-plasma-control-system-390 |
| ARC-REQ-004 | ARC: Heating and Current Drive Control — four-component architecture separating actuator-specific controllers (NBI, ECRH, ICRH) from a central Supervisory and Safety Arbiter. Each actuator controller owns its machine protection interlocks and fast shutdown logic; the Supervisory arbitrates competing demands and enforces the 50 MW total power budget. ECRH was chosen as the primary NTM stabilisation actuator over ICRH because its 1 ms modulation response and steerable launcher enable closed-loop co-deposition targeting; NBI is retained for bulk heating and current profile tailoring where ECRH lacks the ion-heating capability required for Q>1 ignition margins. Rationale: Separating actuator-specific controllers enables independent qualification paths (each technology has distinct safety cases) and allows modular upgrade of individual heating systems without re-qualification of the full subsystem. The Supervisory pattern avoids distributed power budget enforcement which would require cross-system consensus protocols and introduce latency incompatible with fast interlock demands. | Inspection | architecture, hcdc, session-391, idempotency:arc-hcdc-decomposition-391 |
| ARC-REQ-006 | ARC: Magnet Safety and Protection System — hardwired quench detection with redundant fast energy extraction. The MSPS uses four components: a 2oo3-voted Quench Detection System detecting resistive voltage ≥50 mV in ≤20 ms; an Energy Extraction and Dump System that diverts stored coil energy into dump resistors within 30 s (TF) / 10 s (PF/CS); a Magnet Power Supply Controller executing PCS-uploaded current waveforms with ±1 A accuracy at 1 kHz inner loop; and a Coil Thermal and Cryogenic Monitor with ~200 Cernox sensors providing secondary quench indication. Quench detection is hardwired to IESS rather than routed through plant software to meet the <20 ms detection-to-alarm latency within the SIL-4 boundary. Energy dump is fail-safe (de-energise to dump) to ensure coil protection on any power loss. Rationale: Tokamak TF coil quench is a credible high-consequence failure: undetected quench at 50 GJ stored energy leads to catastrophic coil destruction within ~2 s. The 2oo3 voltage-bridge architecture minimises both false positives (which cause unnecessary plasma disruptions) and missed detections. Fail-safe energy extraction ensures the most likely failure mode (control power loss) results in the safe state (coil protected). PCS current waveform upload allows physics-driven coil control without requiring the safety boundary to process arbitrary control algorithms. | Inspection | architecture, msps, magnet-safety, session-392, idempotency:arc-msps-392 |
| ARC-REQ-007 | ARC: Fuel Injection and Burn Control — Two-channel injection (gas puffing + pellet) with independent tritium accountancy gate. Gas puffing provides real-time density control (10ms response) while pellet injection enables deep core fuelling inaccessible to gas puffing. Both channels route through the Tritium and Fuel Inventory Controller which enforces a hard 30g in-vessel tritium ceiling — a nuclear regulatory constraint that overrides all PCS density setpoints. The Burn Condition Monitor sits outside the injection control loop to maintain independence: it can trigger burn termination but cannot directly command injection, preventing a single-point coupling between burn sensing and fuel delivery. Rationale: Records the key architectural trade-off: why two injection channels are used (coverage vs. response time), and why the tritium inventory controller is positioned as a gate rather than a feedback element — nuclear material accountancy regulations require it to assert a hard limit, not participate in PID control. | Inspection | architecture, fuel-injection, session-394, idempotency:arc-fuel-injection-394 |
| ARC-REQ-008 | ARC: Plant Control and I&C System — five-component layered SCADA architecture separating sequencing (Plant Operations Sequencer), human interface (Operator Console System), deterministic timing (Machine Timing and Synchronisation System), communications (Plant I&C Network Infrastructure), and archival (Plant Data Historian). The separation enforces clear performance tiers: the sequencer and timing system require <5 µs determinism; the operator console and historian operate on best-effort Ethernet and are isolated from the real-time control domain by network segmentation. The Plant Operations Sequencer uses 1oo2 hot-standby redundancy rather than triple modular redundancy because mode-transition commands are supervisory (non-safety); the IESS independently enforces safety shutdowns regardless of sequencer state. The Machine Timing and Synchronisation System is a discrete component rather than a function within the sequencer because timing distribution is a site-wide infrastructure service consumed by all eight subsystems — consolidating it into the sequencer would create a single-point dependency for every subsystem's shot synchronisation. Rationale: PCIS architecture decision: layered SCADA separation of sequencing, HMI, timing, network, and archival concerns. SYS-REQ-005 drives the archival requirement; operational mode management cascades to all subsystems. | Inspection | architecture, pcis, plant-control, session-395, idempotency:arc-pcis-395 |
| ARC-REQ-009 | ARC: Plasma Diagnostics Integration System — five-component architecture separating physical sensors (Magnetic Diagnostics Array, Disruption Precursor Sensor Suite, Thomson Scattering and Interferometry System), signal conditioning (Real-Time Diagnostic Signal Conditioner), and data routing (Diagnostic Data Multiplexer). The Disruption Precursor Sensor Suite is separated from the Magnetic Diagnostics Array despite both being magnetic sensors because they serve different real-time consumers with different latency and bandwidth requirements: the Magnetic Array feeds equilibrium reconstruction at 100 kHz; the Disruption Precursor Suite feeds the DPMS Disruption Precursor Monitor at 10 kHz with disruption-sensitive signal processing. Thomson Scattering is a non-real-time diagnostic — its 50 ms sample interval cannot contribute to the 10 ms plasma control loop, making a tight integration with real-time conditioning unnecessary. The Diagnostic Data Multiplexer pattern decouples sensor producers from control consumers, enabling independent development and fault isolation without requiring every sensor to know every consumer's protocol. Rationale: PDIS architecture decision: sensor-conditioner-multiplexer separation. Supports IFC-REQ-006 (DPMS to PDIS interface) and IFC-REQ-001 (FRCS to plasma diagnostics interface). | Inspection | architecture, pdis, session-395, idempotency:arc-pdis-395 |
| ARC-REQ-010 | The Disruption Prediction Engine is classified Biological/Biomimetic due to its LSTM neural-network architecture. This classification SHALL NOT be interpreted as requiring biocompatibility or sterilisation certification. No biological materials are used in the DPE. Physical and environmental requirements for DPE hardware are captured in subsystem requirements SUB-REQ-009 through SUB-REQ-013. Rationale: Lint finding: DPE classified Biological/Biomimetic without biocompatibility requirements. The LSTM is biomimetic in origin but contains no biological materials. This ARC requirement explicitly bounds the ontological classification to prevent erroneous biocompatibility requirements being added in future. | Inspection | idempotency:qc-422-arc-dpe-bio |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-REQ-001 | Verify SUB-REQ-001: Inject a simulated trip signal into one Trip Parameter Monitor channel and measure time from signal assertion to Safety Logic Processor output state change. Repeat for all 15 trip functions. All measurements SHALL be < 10 ms. Inject single-channel trip only and verify no trip actuation (2oo3 logic). Pass criterion: all 15 functions < 10 ms; no spurious trip on single-channel input. Rationale: Timing test with calibrated signal injection and oscilloscope capture is the definitive method for demonstrating the 10 ms trip response against actual hardware. Functional testing of all 15 trip functions is required for licensing evidence — analysis alone is not accepted by regulators for SIL-3 final element timing claims. | Test | verification, iess, session-387, idempotency:ver-sub001-387 |
| VER-REQ-002 | Verify SUB-REQ-002: With the Safety Logic Processor in normal run-permit state, ramp supply voltage below 18 VDC and measure time to run-permit de-energisation. Verify Emergency Shutdown Sequencer initiates on de-energisation. Pass criterion: de-energisation within 5 ms of voltage crossing 18 VDC threshold; sequencer initiates within 10 ms. Rationale: Power-fail-safe behaviour must be demonstrated by test — it cannot be inferred from inspection of relay contacts, which may be welded or stuck. This test validates the complete fail-safe chain including the sequencer initiation response and is required as licensing evidence for the SIL-3 claim. | Test | verification, iess, session-387, idempotency:ver-sub002-387 |
| VER-REQ-003 | Verify IFC-REQ-004: Measure signal propagation delay from Trip Parameter Monitor output terminal to Safety Logic Processor input terminal using calibrated oscilloscope. Apply 4 kV isolation test between sensor and logic circuits per IEC 60664. Pass criterion: delay < 2 ms; isolation withstand 4 kV for 60 s with < 1 mA leakage. Rationale: Interface propagation delay is a timing budget item that determines whether the 10 ms total trip response is achievable. Isolation testing to 4 kV (2× working voltage) is required to demonstrate adequate margin against induced voltages from pulsed coil operation per IEC 60664 overvoltage Category III. | Test | verification, iess, session-387, idempotency:ver-ifc004-387 |
| VER-REQ-004 | Verify SUB-REQ-004: With the Emergency Shutdown Sequencer on battery power only (AC disconnected), assert a simulated trip and measure time to MGI valve command, heating system zero-power command, and divertor gas valve command. Pass criterion: MGI command within 20 ms, heating zero-power within 50 ms, divertor valves within 30 ms, all triggered without AC supply present. Rationale: All three timing measurements must be demonstrated on battery power because site AC failure is the plausible co-incident initiator of the disruption that triggers the trip. Testing under AC removes the most challenging operational condition and produces non-conservative evidence. Physical signal measurement (not logic simulation) is required for SIL-3 acceptance testing. | Test | verification, iess, session-387, idempotency:ver-sub004-387 |
| VER-REQ-005 | Verify end-to-end IESS chain: inject a threshold-exceeding trip parameter into two of three Trip Parameter Monitor channels simultaneously, measure total time from sensor threshold crossing to Emergency Shutdown Sequencer MGI actuation command. Pass criterion: total chain latency < 30 ms (10 ms trip logic + 20 ms sequencer). Verify no actuation when only one channel is above threshold. Rationale: End-to-end system integration test validates that the 30 ms total response chain is achievable when all components are integrated. Individual component tests (SUB-REQ-001 and SUB-REQ-004) verify timing budgets in isolation but cannot detect interface latencies or timing degradation under real signal conditions. This test is required before system-level SIL-3 claim can be made. | Test | verification, iess, integration, session-387, idempotency:ver-iess-e2e-387 |
| VER-REQ-006 | Verify SUB-REQ-009: Inject pre-recorded 128-element feature vectors from a historical disruption dataset at 10 kHz into the Disruption Prediction Engine input port. Measure elapsed time from vector receipt timestamp to risk probability output timestamp using hardware timestamping at the FPGA I/O boundary. Verify all 10,000 consecutive inference cycles complete within 3 ms. Record maximum, mean, and 99th-percentile latency. Rationale: Hardware-boundary timestamping eliminates operating system jitter from the measurement. 10,000 cycle sample provides statistical confidence that the 3 ms bound is not an artefact of thermal or memory state; the dataset must include pre-disruption windows from at least 50 distinct events covering different disruption types (VDE, NTM, locked mode). | Test | verification, dpms, session-388, idempotency:ver-sub009-388 |
| VER-REQ-007 | Verify SUB-REQ-011: With the Mitigation Actuator Controller powered from battery supply only (mains AC disconnected), apply a simulated risk-probability-exceeds-0.85 input signal and measure time from signal rising edge to MGI valve solenoid current onset using an oscilloscope probe at the solenoid driver output. Repeat 50 times with randomised inter-trigger intervals. Verify all 50 measurements are within 10 ms. Separately verify IESS trip-demand-input path using the same method. Rationale: Battery-only test condition represents worst-case power scenario; mains-powered operation is expected to be faster. 50 repetitions cover statistical variation in solenoid driver response time. Oscilloscope probe at solenoid driver output (not valve position) is the appropriate measurement point as valve travel time is a mechanical characteristic outside the controller specification boundary. | Test | verification, dpms, session-388, idempotency:ver-sub011-388 |
| VER-REQ-008 | Verify SUB-REQ-012: Inject a channel self-test failure signal into one Disruption Precursor Monitor channel and measure time to DPMS mode transition from ML to threshold-only. Verify transition completes within 500 ms via DPMS health status output. Then replay 100 historical disruption events through the threshold-only mode and calculate true positive rate. Verify TPR is at least 80%. Rationale: Mode-transition timing must be verified under simulated fault injection rather than software assertion alone; the 500 ms timer must run in hardware or watchdog-supervised firmware. Historical dataset of 100 events provides statistical confidence in the 80% TPR claim; dataset must include events with warning times less than 30 ms (slow disruptions) where threshold detection is known to be marginal, to characterise the limit of conservative mode coverage. | Test | verification, dpms, session-388, idempotency:ver-sub012-388 |
| VER-REQ-010 | Verify SUB-REQ-018: Inject pre-computed 160-channel magnetic measurement vectors from a JET-equivalent flat-top plasma scenario at 10 kHz into the ERP. Measure the interval between measurement input timestamp and equilibrium state vector write-completion across 10000 consecutive cycles. Pass criterion: 99.9th percentile latency less than or equal to 100 us with zero missed cycles. Rationale: Hardware-in-the-loop test at full operational rate is required because ERP latency is FPGA-timing-dependent and cannot be confirmed by analysis alone. The 99.9th percentile criterion allows for occasional memory refresh stalls while ensuring statistically reliable real-time performance. | Test | verification, plasma-control-system, session-390, idempotency:ver-sub-req-018-390 |
| VER-REQ-011 | Verify IFC-REQ-010: With the VSC powered and in active control mode, command the VSC to assert a VDE trip demand and measure the time between the assertion command and the de-energisation of the normally-energised hardwired trip signal at the IESS input terminal. Pass criterion: de-energisation within 100 us on 100 of 100 trials. Disconnect all software network paths and repeat; pass criterion unchanged. Rationale: Two-phase test (with and without network paths) directly demonstrates that the hardwired path provides the 100 us performance independent of software — the core claim of IFC-REQ-010. Testing both phases is required for the IESS SIL-3 qualification record. | Test | verification, plasma-control-system, session-390, idempotency:ver-ifc-req-010-390 |
| VER-REQ-012 | Verify SUB-REQ-021: In a hardware-in-the-loop test, inject synthetic vertical position data that ramps from 0 to 12 cm displacement at 80 m/s, exceeding both thresholds simultaneously. Measure the interval from the instant both threshold conditions are satisfied to the de-energisation of the VDE trip output. Pass criterion: trip demand issued within 200 us on 50 consecutive injections. Rationale: Simultaneous threshold crossing test is the worst-case scenario that must be verified. HIL testing on the VSC FPGA hardware is required; simulation cannot substitute because the response latency is hardware-timing-dependent. | Test | verification, plasma-control-system, session-390, idempotency:ver-sub-req-021-390 |
| VER-REQ-013 | Verify end-to-end PCS chain: Using a full HIL test bench with simulated magnetic measurement inputs representing a plasma position step disturbance of 3 cm at t=0, verify that the Shape and Position Controller issues corrective PF coil setpoints within 200 us and that the plasma position error returns within 1 cm within 500 ms. Pass criterion: 10 consecutive step responses meeting both criteria. Rationale: End-to-end PCS chain test exercises the ERP-SPC-coil path as a closed loop. Individual component tests cannot verify that the data handoff latencies between ERP, RTDB, and SPC combine to produce the required system response. This test is required for plasma operations licence approval. | Test | verification, plasma-control-system, session-390, idempotency:ver-pcs-endtoend-390 |
| VER-REQ-014 | Verify IFC-REQ-012: Inject simulated IESS trip signal on hardwired beam-off bus while HCDC Supervisory software is halted. Measure time from trip assertion to beam-off command receipt at all three actuator controllers. Pass criterion: all three controllers receive beam-off within 1 ms across 100 trials with no software interaction. Rationale: Hardware independence test requires software to be inactive during verification to demonstrate the hardwired path is truly independent. 100 trials provides sufficient statistical confidence for safety classification. | Test | verification, hcdc, iess, session-391, idempotency:ver-ifc012-hcdc-iess-391 |
| VER-REQ-015 | Verify IFC-REQ-013: Issue NTM stabilisation command from DPMS test fixture and measure time from command generation to ECRH mirror steering initiation confirmation. Pass criterion: command latency less than or equal to 5 ms in 99th percentile across 1000 samples under nominal plant control network load. Rationale: 99th percentile criterion at 1000 samples provides statistical confidence that rare worst-case latency still meets the 5 ms bound. Network load testing ensures the dedicated network isolation claim holds under real operating conditions. | Test | verification, hcdc, dpms, ecrh, session-391, idempotency:ver-ifc013-ecrh-dpms-391 |
| VER-REQ-016 | Verify SUB-REQ-027: Command NBI beam-off from test fixture simulating HCDC Supervisory safe-state command. Measure time from command issue to calorimeter current confirmation (proxy for beam deflection completion) using beam current transformer. Pass criterion: beam-off within 5 ms in all 50 trials across all 4 NBI beam lines. Rationale: Calorimeter current rise is the fastest independently measurable beam-off proxy, confirming beam deflection without requiring optical diagnostics. Testing all 4 beam lines independently verifies each deflector independently meets the requirement. | Test | verification, hcdc, nbi, session-391, idempotency:ver-sub027-nbi-shutdown-391 |
| VER-REQ-017 | Verify end-to-end disruption mitigation chain: from DPMS disruption prediction (risk > 0.85) through ECRH NTM stabilisation command delivery, mirror steering lock-on, and MGI trigger confirmation. Pass criterion: complete chain from DPMS prediction to MGI trigger occurs within 350 ms under a simulated disruption precursor scenario with full plant I&C load. Rationale: 350 ms end-to-end budget is derived from the 500 ms precursor warning window in SUB-REQ-009 minus a 150 ms margin for NTM stabilisation attempt. This test exercises the most safety-critical control chain in the system and must be verified as an integrated end-to-end path, not piecemeal. | Test | verification, system-integration, hcdc, dpms, session-391, idempotency:ver-system-disruption-chain-391 |
| VER-REQ-018 | Verify IFC-REQ-015: Inject a simulated quench alarm relay closure at the QDS output and measure signal propagation latency to IESS trip input using calibrated oscilloscope. Pass criterion: latency ≤2 ms in 20 consecutive trials across the operating temperature range. Rationale: Integration test verifying the hardwired relay path meets the 2 ms latency budget. Oscilloscope timing captures the relay switching time plus cable propagation delay. Testing at temperature extremes (0°C–50°C ambient for control room hardware) verifies that relay contact resistance variation does not lengthen the signal path. | Test | verification, msps, iess, session-392, idempotency:ver-ifc015-qds-iess-392 |
| VER-REQ-019 | Verify IFC-REQ-016: Connect QDS test fixture to FEDU fibre-optic receiver; issue simulated per-coil quench alarm vectors at 100 Hz; verify FEDU receives and decodes each alarm vector within 5 ms. Inject one corrupted message per 1000 and verify FEDU asserts a watchdog fault without acting on the corrupt payload. Rationale: Tests both nominal latency and message integrity handling. The corrupted-message test verifies the coded format provides error detection, preventing spurious dump commands from line noise. | Test | verification, msps, session-392, idempotency:ver-ifc016-qds-fedu-392 |
| VER-REQ-020 | Verify SUB-REQ-032: Using a coil emulator with adjustable resistive voltage injection, step resistive voltage from 0 to 60 mV across a QDS channel input and measure time-to-alarm at the QDS relay output. Test all three channels independently and in 2oo3 configuration. Pass criterion: alarm within 20 ms in all 30 test cases (10 per channel, 3 operating current levels: 10%, 50%, 100% nominal). Rationale: Verifies the primary safety requirement for quench detection. A coil emulator is used rather than a real coil quench because real quench experiments are destructive. Testing across current levels confirms that inductive compensation does not vary detectably with operating point. | Test | verification, msps, safety-critical, session-392, idempotency:ver-sub032-qds-latency-392 |
| VER-REQ-021 | Verify SUB-REQ-034: On an integrated FEDU test bench with resistive coil surrogates (scaled to 1% of full coil inductance), inject a quench alarm and measure energy transfer completion time and peak dump resistor voltage. Pass criterion: energy transfer complete in ≤30 s, peak voltage ≤20 kV, across 5 test runs with varied initial coil current (50%, 75%, 100% nominal). Rationale: Scaled coil surrogates allow the dump timing and voltage profile to be verified without requiring the full-scale tokamak coil infrastructure. The scaling factor is calibrated against the energy extraction model to ensure pass/fail on the surrogate corresponds to pass/fail on the real coils. | Test | verification, msps, session-392, idempotency:ver-sub034-fedu-tf-392 |
| VER-REQ-022 | Verify end-to-end MSPS quench protection chain: Inject a simulated quench voltage signature via QDS test fixture; verify 2oo3 voting asserts alarm within 20 ms; verify FEDU receives the alarm and initiates energy extraction within 5 ms of alarm; verify IESS trip channel asserted within 2 ms of quench alarm. Verify the full chain from quench injection to IESS trip input completes within 25 ms. Test in hardware-in-the-loop configuration. Rationale: End-to-end integration test covering the complete quench-to-trip chain across QDS, FEDU, and IESS interfaces. Individual subsystem tests (VER-REQ-018 to VER-REQ-021) verify components in isolation; this test verifies that the chain timing budgets do not degrade when all subsystems are connected simultaneously. | Test | verification, msps, iess, system-integration, session-392, idempotency:ver-msps-e2e-quench-392 |
| VER-REQ-023 | Verify IFC-REQ-019: Inject stepped density setpoints from a PCS test harness at 100 Hz into the Gas Puffing Valve Controller over the real-time Ethernet link. Measure end-to-end latency from setpoint transmission to acknowledged valve position change using network timestamping. Pass criterion: latency ≤5 ms on all 20 valves over 1000 consecutive cycles with zero cycle drops. Rationale: Integration test to verify density setpoint interface compliance at the GPVC boundary. Tests both network latency and valve acknowledgement path. | Test | verification, fuel-injection, session-394, idempotency:ver-ifc-019-394 |
| VER-REQ-024 | Verify IFC-REQ-020: Connect an oscilloscope to the hardwired TTL ELM trigger line between the MHD Mode Stabiliser and Pellet Injection Controller. Induce 100 simulated ELM events using a magnetic perturbation test coil. Measure trigger pulse jitter from event onset to TTL rising edge. Pass criterion: jitter ≤0.1 ms for all 100 events. Rationale: Hardwired interface test that directly measures the timing jitter of the ELM trigger signal at the physical interface — cannot be simulated in software as it tests the hardware timing path. | Test | verification, fuel-injection, session-394, idempotency:ver-ifc-020-394 |
| VER-REQ-025 | Verify IFC-REQ-021: With the Tritium and Fuel Inventory Controller powered, confirm relay contact is closed (fuelling permitted). Then simulate a tritium boundary alarm by injecting a signal above 10 μSv/h into the area monitor input. Measure time to relay opening. Also confirm that removing power from the TFIC causes relay to open (de-energise-to-trip). Pass criterion: relay opens within 500 ms in both cases. Rationale: Functional safety test of SIL-3 interlock architecture. Must verify both the active trip path and the fail-safe de-energise-to-trip behaviour required by IEC 61511. | Test | verification, fuel-injection, safety-critical, session-394, idempotency:ver-ifc-021-394 |
| VER-REQ-026 | Verify SUB-REQ-043: Using a test D-T accounting model, inject a simulated tritium inventory signal that crosses the 30 g threshold and record the time from threshold crossing to fuel-off inhibit signal asserted on both GPVC and PIC control outputs. Pass criterion: inhibit asserted within 100 ms on both channels simultaneously. Rationale: Safety validation of the nuclear material accountancy limit enforcement. Both channels must be inhibited simultaneously to prevent asymmetric fuelling state. | Test | verification, fuel-injection, tritium, session-394, idempotency:ver-sub-043-394 |
| VER-REQ-027 | Verify end-to-end Fuel Injection and Burn Control chain: with the system in steady-state fuelling mode, inject a simulated thermal energy decay profile that triggers a Q<1 prediction in the Burn Condition Monitor. Record time from BCM trigger to Gas Puffing Valve Controller ramp-down completion and confirm Pellet Injection Controller is in hold state. Pass criterion: full fuel ramp-down within 200 ms of BCM trigger; no IESS trip during the sequence. Rationale: End-to-end integration test validates the controlled burn termination path that prevents unnecessary IESS trips during marginal Q conditions. Tests the chain from burn sensing through soft fuel withdrawal. | Test | verification, fuel-injection, session-394, idempotency:ver-e2e-fibc-394 |
| VER-REQ-028 | Verify IFC-REQ-022: Inject synthetic fusion power and Q-factor vectors from a BCM test harness at 10 Hz into the DPMS Disruption Prediction Engine via the PCS RTDB. Confirm message receipt at DPMS at correct cadence, correct CRC validation, and sequence counter increment. Pass criterion: zero missed messages and zero CRC failures over 1000 consecutive messages. Rationale: Integration test for the BCM-DPMS data interface that validates both message integrity (CRC) and timing (10 Hz cadence) required by IFC-022. | Test | verification, fuel-injection, session-394, idempotency:ver-ifc-022-394 |
| VER-REQ-029 | Verify IFC-REQ-023: With a test sequencer generating MSV state transitions at 10 Hz, inject 1000 consecutive MSV frames and measure end-to-end latency at each of seven subsystem receive interfaces. Pass criterion: 99.9% of frames received within 50 ms; no frame loss across 1000 consecutive transmissions. Rationale: Statistical sampling over 1000 frames at nominal rate provides confidence in worst-case network latency under concurrent traffic. Pass rate of 99.9% reflects operational availability target. | Test | verification, pcis, plant-control, session-395, idempotency:ver-ifc023-395 |
| VER-REQ-030 | Verify IFC-REQ-024: Connect a calibrated time-interval analyser to the fibre-optic receiver outputs at five representative subsystem locations. Generate 1000 shot T=0 trigger pulses and record inter-subsystem jitter and absolute timestamp error. Pass criterion: absolute accuracy <=1 µs, inter-subsystem jitter <=5 µs, rise time <=100 ns at each measured receiver. Rationale: Direct measurement at subsystem receivers is the only way to verify end-to-end timing accuracy inclusive of fibre propagation delays and receiver circuit response. Five locations span the facility footprint and represent the worst-case propagation distance. | Test | verification, pcis, plant-control, session-395, idempotency:ver-ifc024-395 |
| VER-REQ-031 | Verify SUB-REQ-051: With the system in FLAT-TOP state, induce active sequencer failure by halting the process and measuring time from last valid MSV broadcast to first valid MSV from standby sequencer. Repeat 10 times. Pass criterion: failover in <=500 ms in all trials; standby sequencer resumes last valid MSV without reset; no subsystem enters FAULT state during failover. Rationale: Testing during FLAT-TOP state represents the highest-risk operational scenario where loss of MSV has the most consequence. Ten trials provide confidence in worst-case failover timing including memory synchronisation latency. | Test | verification, pcis, plant-control, redundancy, session-395, idempotency:ver-sub051-395 |
| VER-REQ-032 | Verify IFC-REQ-027: With PDIS data pipeline active, inject synthetic magnetic diagnostic frames at 100 kHz from a test signal generator and measure end-to-end latency at the ERP input and frame loss rate over a 60-minute simulated flat-top period. Pass criterion: latency <=200 µs for all frames; zero frames lost across 3.6e8 frames in 60-minute test. Rationale: The 60-minute test duration matches the maximum planned plasma pulse duration to verify sustained data integrity under real operational conditions. Zero frame loss is the pass criterion because partial data integrity cannot be accepted for equilibrium reconstruction. | Test | verification, pdis, session-395, idempotency:ver-ifc027-395 |
| VER-REQ-033 | Verify IFC-REQ-028: Inject calibrated test vectors from a precursor sensor simulator at 10 kHz; measure delivery latency from sensor suite output to Disruption Precursor Monitor input and verify timestamp accuracy against Machine Timing reference using a calibrated time-interval analyser. Pass criterion: delivery <=500 µs; timestamp error <=10 µs across 1000 consecutive frames. Rationale: Timestamp accuracy must be verified against the timing reference rather than the sensor itself because the DPMS uses cross-correlation between multiple sensor channels — timestamp errors greater than 10 µs at 10 kHz sample rate would alias the phase relationship between channels and corrupt disruption risk estimates. | Test | verification, pdis, session-395, idempotency:ver-ifc028-395 |
| VER-REQ-034 | Verify end-to-end PDIS to Plasma Control System chain: inject a step change in synthetic plasma position from the Magnetic Diagnostics Array test fixture, and measure time from magnetic signal injection through Real-Time Diagnostic Signal Conditioner, Diagnostic Data Multiplexer, and Equilibrium Reconstruction Processor to the first Shape and Position Controller actuator correction command. Pass criterion: total latency <=1 ms; ERP output position error <=2 cm. Rationale: This test validates the complete signal chain underpinning SYS-REQ-001 (±2 cm plasma position accuracy). The 1 ms budget is the combined 100 µs signal conditioning, 100 µs multiplexer, 800 µs ERP computation allocation. End-to-end testing is necessary because each individual interface may be within specification while the aggregate latency still violates the system requirement. | Test | verification, pdis, system-integration, session-395, idempotency:ver-e2e-pdis-pcs-395 |
| VER-REQ-035 | Verify SUB-REQ-061: Submit IESS Trip Parameter Monitor, Safety Logic Processor, and Emergency Shutdown Sequencer hardware to IEEE 344 seismic qualification test programme at a certified test facility. Apply OBE and SSE input spectra representative of the plant site. Pass criterion: all SIL-3 trip functions shall operate correctly during and after shaking, with no spurious trips and no failures to trip within the 10 ms budget. Rationale: IEEE 344 qualification test programme is the only accepted method to demonstrate seismic equipment qualification for nuclear class 1E/SIL-3 I&C components. Analysis alone is not sufficient under IEC 61508 for SIL-3 hardware. | Test | verification, iess, seismic, safety-critical, session-396, idempotency:ver-sub061-seismic-396 |
| VER-REQ-037 | Verify SUB-REQ-003: Inject defined hardware faults (open circuit, short, power undervoltage, ADC fault) into each of the three Trip Parameter Monitor channels using a fault injection test harness. Record detection and annunciation rate. Acceptance: diagnostic coverage >=90% across all injected fault types, with each detected fault annunciated within 200 ms. Rationale: SUB-REQ-003 specifies >=90% IEC 61508 diagnostic coverage — a quantitative safety metric that must be verified by fault injection because analysis alone cannot confirm latent hardware fault detection in real channel electronics. | Test | |
| VER-REQ-041 | Verify SUB-REQ-005: Inject step into SPDS signal, measure refresh latency 1000 times. Simulate channel failure, verify alarm within 200 ms. Acceptance: p95 latency at or below 200 ms; failure alarm distinct. Rationale: SUB-REQ-005 specifies 200 ms refresh and failure indication; timing measurement confirms safety HMI chain performance. | Test | |
| VER-REQ-042 | Verify SUB-REQ-006: With IESS fully powered, attempt to establish a bidirectional data connection between the safety network and the Plant I&C network using a protocol analyser. Verify no bidirectional path exists. Confirm one-way data diode operation at the IESS-to-PCIS boundary. Acceptance: zero bidirectional packets; IESS receives no data from PCIS; one-way data path confirmed. Rationale: SUB-REQ-006 requires physical segregation with no bidirectional pathway; architectural inspection plus protocol analysis confirms the safety-critical network isolation property. | Inspection | |
| VER-REQ-043 | Verify SUB-REQ-007: Disconnect IESS from site AC power while system is in run-permit state. Record time until first run-permit drop. Acceptance: run-permit maintained for at least 8 hours from loss of AC power; DC supply voltage remains within 24 VDC plus or minus 10% throughout. Rationale: SUB-REQ-007 specifies 8-hour battery autonomy for the IESS UPS; only a timed battery-discharge test under real load conditions can confirm the requirement is met. | Test | |
| VER-REQ-044 | Verify IFC-REQ-001: Using a precision network analyser on the FRCS-to-Plasma Diagnostics real-time network, inject synthetic measurement frames at maximum data rate and measure end-to-end latency from producer to consumer. Acceptance: latency at or below the IFC-REQ-001 specified threshold at 99th percentile over a 1-hour test run. Rationale: IFC-REQ-001 specifies a deterministic maximum latency for the plasma diagnostics real-time interface; instrumented network measurement under sustained load is the only valid confirmation method. | Test | |
| VER-REQ-045 | Verify IFC-REQ-002: With the FRCS-to-Superconducting Magnet System command link active, inject command sequences on both redundant paths; disconnect primary path and confirm failover. Measure status feedback confirmation latency. Acceptance: feedback within 1 ms; failover to backup link within one command cycle; galvanic isolation verified by insulation resistance test at rated voltage. Rationale: IFC-REQ-002 specifies redundant galvanically isolated links with 1 ms feedback — interface properties that require end-to-end timing measurement and electrical isolation testing. | Test | |
| VER-REQ-046 | Verify IFC-REQ-003: With the hardwired SCRAM interlock circuit energised, simulate Category A SCRAM demand by de-energising the normally-energised circuit. Confirm that no software instruction is executed in the signal path. Inspect circuit diagrams and trace continuity. Acceptance: SCRAM demand propagates without software involvement; circuit is fail-safe de-energise-to-trip; inspection confirms no programmable element in signal path. Rationale: IFC-REQ-003 requires a software-free hardwired interlock; architectural inspection plus continuity testing is the correct verification method for a passive safety circuit property. | Inspection | |
| VER-REQ-047 | Verify SUB-REQ-033: Using a coil voltage emulator configured to inject inductive dI/dt transients at the rated PF coil slew rate, confirm QDS does not trigger a false alarm. Then inject a resistive quench signature (60 mV threshold-crossing, 5 ms duration) into 2-of-3 channels; measure time to alarm assertion. Acceptance: zero false alarms during dI/dt suppression test; 2oo3 alarm asserted within the specified detection window. Rationale: SUB-REQ-033 specifies both false-alarm immunity under dI/dt transients and 2oo3 detection performance — properties that cannot be analytically predicted for real coil geometries and must be test-verified. | Test | |
| VER-REQ-048 | Verify SUB-REQ-035: With the Energy Extraction and Dump System connected to a scaled PF and CS coil test load, trigger a quench alarm and measure time to complete energy transfer for each coil circuit. Acceptance: all coil circuits extract energy within 10 s of alarm receipt; each coil circuit extracts independently and in parallel. Rationale: SUB-REQ-035 specifies a 10 s energy extraction time — a safety-critical timing requirement that must be measured under representative load conditions because thermal and magnetic interactions affect real extraction time. | Test | |
| VER-REQ-049 | Verify SUB-REQ-038: Force a QDS channel self-test failure on one of the three channels and verify MSPS transitions to 1oo2 voting, annunciates degraded-mode alarm, and continues quench protection at the 30 mV degraded threshold. Acceptance: mode transition within 100 ms; annunciation visible; 2oo2 alarm correctly asserted for quench signatures above 30 mV. Rationale: SUB-REQ-038 specifies quantified degraded-mode behaviour following a channel failure; test verification confirms the QDS graceful degradation logic functions as designed. | Test | |
| VER-REQ-050 | Verify SUB-REQ-046: Inject a simulated tritium boundary concentration signal above the 10 uSv/h interlock threshold into the Tritium and Fuel Inventory Controller. Measure time from threshold crossing to fuel-off interlock assertion. Acceptance: interlock asserted within the specified response time; fuelling inhibit confirmed; IESS SCRAM demand issued. Rationale: SUB-REQ-046 is a tritium confinement safety function with a defined response time; functional test under simulated area monitor signal is required to confirm the interlock timing and chain. | Test | |
| VER-REQ-051 | Verify SUB-REQ-054: Using a network packet capture device, verify that no packets from the real-time control LAN are observable on the monitoring LAN or data management network, and vice versa. Attempt a protocol bridge attack across zone boundaries and confirm rejection. Acceptance: zero cross-zone packets detected; all bridge attempts blocked; firewall rule inspection confirms correct zone policy. Rationale: SUB-REQ-054 requires physical and logical separation between three security zones; penetration testing combined with architectural inspection confirms the network segregation property. | Inspection | |
| VER-REQ-052 | Verify SYS-REQ-006: Submit IESS Trip Parameter Monitor, Safety Logic Processor, and Emergency Shutdown Sequencer to IEEE 344 seismic qualification testing at the site-specific Safe Shutdown Earthquake response spectrum. Verify device under test remains functional throughout and after the test. Acceptance: no loss of function during or after SSE simulation. Rationale: SYS-REQ-006 requires seismic qualification per IEEE 344 for safety-critical equipment; physical qualification testing is the only valid verification method accepted by nuclear regulatory authorities. | Test | |
| VER-REQ-053 | Verify FRCS EMC compliance: expose fully integrated FRCS to simulated pulsed magnetic field (10 T/s dB/dt) and RF field (200 V/m, 50–170 GHz) simultaneously using IEC 61000-4-3 and IEC 61000-4-8 test rigs. Record plasma position error and disruption precursor detection rate throughout exposure. Acceptance: position error remains ≤±2 cm, zero missed disruption precursor events during 30-minute exposure. Rationale: EMC performance cannot be verified by design review alone; the electromagnetic environment of a fusion reactor (simultaneous dB/dt and GHz RF) is unique and must be tested at representative signal levels to validate shielding and filtering designs. | Test | |
| VER-REQ-054 | Verify FRCS self-diagnostic coverage: inject known fault patterns into each I&C channel in turn (simulating all testable fault modes per IEC 61508 diagnostic coverage definition). Count detected faults. Acceptance: ≥90% of injected faults detected within 10 s. Verify each detected fault generates a maintenance bus report containing fault identity, timestamp, and severity within 10 s. Acceptance: 100% of detected faults reported within 10 s. Rationale: Diagnostic coverage can only be measured by exhaustive fault injection across all channel types. The 90% target and 10 s reporting latency must be verified end-to-end from fault occurrence to MMS receipt, not just at the detection logic boundary. | Test | |
| VER-REQ-055 | Verify IFC-REQ-004: Using a calibrated signal injector, apply a TPM trip output to the SLP hardwired input and measure signal propagation delay. Inject 2 kV isolation test voltage between opto-coupler terminals and verify no breakdown. Acceptance: propagation delay ≤2 ms; isolation withstands 2 kV for 60 s without breakdown. Rationale: Hardwired safety interfaces cannot be verified by review or analysis alone; propagation delay directly affects the SCRAM response time budget (SYS-REQ-004 ≤5 s total) and must be measured at the as-installed interface. Isolation voltage withstand confirms galvanic separation against plant ground faults. | Test | |
| VER-REQ-056 | Verify IFC-REQ-005: Simulate SLP power loss and software halt conditions in turn; verify ESS initiates shutdown sequence within 2 ms of loss-of-run-permit signal in each case. Acceptance: ESS sequencer confirms trip receipt within 2 ms on oscilloscope trace for all three test conditions (power loss, watchdog timeout, and commanded trip). Rationale: Energise-to-hold interfaces must be tested under actual loss-of-signal conditions, not just commanded trips. SLP power failure is a credible failure mode and the most safety-critical test scenario — it validates that the interface fails safe as designed. | Test | |
| VER-REQ-057 | Verify IFC-REQ-007: Inject a synthetic disruption risk probability signal ≥0.85 to DPMS MAC input; measure time to MGI pre-trigger assertion. Inject IESS SCRAM demand; measure time to MAC trip demand propagation. Test all three SCRAM source combinations (QDS, VSC, HCDC). Acceptance: MGI pre-trigger within 1 ms; trip demand to MAC within 1 ms. Rationale: The 1 ms propagation requirement for both DPMS-to-IESS and IESS-to-MAC signal paths is safety-critical: delay reduces the effective mitigation window for a 50 ms total disruption response budget. Hardware timing must be measured at the interface terminals, not inferred from specification. | Test | |
| VER-REQ-058 | Verify IFC-REQ-010: Command VSC to assert VDE trip condition and measure de-energisation time of normally-energised IESS input signal. Test under full plant power load and during simulated VSC software halt (watchdog). Acceptance: signal de-energises within 100 µs in all conditions on oscilloscope trace. Rationale: 100 µs VDE trip propagation is the tightest interface timing requirement in the system, driven by the short timescale of vertical displacement events. This must be measured at terminal level under worst-case load conditions; simulated software halt verifies the hardware-independent path. | Test | |
| VER-REQ-059 | Verify IFC-REQ-012: Assert IESS trip signal and measure time to beam-off delivery at each of three HCDC actuator controllers. Verify signal path bypasses supervisory software by interrupting supervisory bus during test. Acceptance: all three actuators receive beam-off within 1 ms; beam-off is received even when supervisory bus is interrupted. Rationale: The 1 ms beam-off delivery requirement must be verified under intentional supervisory software interruption to confirm that the hardwired bypass path functions as specified. Without this test, the independence claim in the requirement cannot be substantiated. | Test | |
| VER-REQ-060 | Verify IFC-REQ-015: Using a relay-based test fixture, assert QDS quench alarm and measure signal propagation time to IESS trip input terminal. Test with relay contact resistance at both nominal and maximum specified values. Acceptance: signal propagation ≤2 ms from alarm assertion to IESS input in all relay contact conditions. Rationale: Relay contact resistance variation (particularly over life) can degrade propagation time for hardwired interfaces. Testing at maximum rated contact resistance validates the ≤2 ms budget under worst-case component aging and confirms no software path dependency. | Test | |
| VER-REQ-061 | Verify IFC-REQ-006: Using GPS-synchronised test fixtures on DPM and PDIS, inject simultaneous 128-channel samples and measure cross-system timestamp offset across 1000 frames. Acceptance: offset ≤1 µs RMS, no frame dropouts. Rationale: Validates time-synchronisation requirement in IFC-REQ-006 needed for disruption precursor feature vector integrity. | Test | |
| VER-REQ-062 | Verify IFC-REQ-008: With HCDC Supervisory in run-permit state, assert simulated NBI inhibit from MAC test fixture and measure signal propagation time to HCDC hardwired input. Acceptance: inhibit signal delivered ≤2 ms from MAC assertion. Rationale: IFC-REQ-008 specifies a hardwired NBI inhibit interface between MAC and HCDC. The 2 ms budget is within the disruption mitigation chain latency margin per SYS-REQ-002. | Test | |
| VER-REQ-063 | Verify IFC-REQ-009: Connect ERP test fixture to Shape and Position Controller input. Inject pre-computed equilibrium state vectors at 10 kHz for 1000 frames. Measure delivery latency and check for dropped frames. Acceptance: all frames received with latency ≤100 µs at 10 kHz sustained. Rationale: IFC-REQ-009 requires ERP equilibrium state delivery at 10 kHz for real-time plasma shape control. Dropped frames or latency exceeding 100 µs would break the PCS feedback loop timing in SYS-REQ-001. | Test | |
| VER-REQ-064 | Verify IFC-REQ-011: Using an ERP test fixture, inject q-profile data at 1 kHz into the MHD Mode Stabiliser input. Measure frame latency and resolution across a 100-frame burst. Acceptance: q-profile delivered at ≥1 kHz with radial resolution ≥50 nodes, latency ≤1 ms. Rationale: IFC-REQ-011 specifies q-profile delivery for NTM stabilisation control. Resolution below 50 nodes and latency above 1 ms would reduce MHD mode identification accuracy and impair ECRH targeting. | Test | |
| VER-REQ-065 | Verify IFC-REQ-014: Command HCDC Supervisory test fixture to issue closed-loop power setpoints at 50 Hz. Measure PCS setpoint receipt rate and inter-arrival jitter over 1000 samples. Acceptance: setpoints received at 50 ±1 Hz; inter-arrival jitter ≤2 ms; safe-state command triggers PCS feedback inhibit within 10 ms. Rationale: IFC-REQ-014 links heating power control to PCS feedback — setpoint jitter above 2 ms or missed safe-state commands would leave plasma heating uncontrolled during abnormal transitions. | Test | |
| VER-REQ-066 | Verify IFC-REQ-017: Using a calibrated temperature flag injector at the Coil Thermal and Cryogenic Monitor output, inject threshold-exceedance flags for representative coil groups and measure receipt latency at QDS input. Acceptance: flags received within ≤5 ms; all injected flags registered without loss. Rationale: IFC-REQ-017 requires digitised temperature exceedance flags from CTCM to QDS for coil protection. Missed or delayed flags would allow coil damage to proceed without quench detection activation. | Test | |
| VER-REQ-067 | Verify IFC-REQ-018: Inject coil current reference waveforms from a MPSC test fixture to PCS at rated update frequency. Measure waveform fidelity and round-trip latency. Acceptance: reference waveforms delivered with ≤200 µs latency; no waveform discontinuities over 500 consecutive frames. Rationale: IFC-REQ-018 provides the PCS with coil current references for plasma position control. Latency above 200 µs or waveform discontinuities degrade the plasma control loop bandwidth in SYS-REQ-001. | Test | |
| VER-REQ-068 | Verify SUB-REQ-069: Configure the Emergency Shutdown Sequencer 2-of-3 test bench. Inject a trip demand into two of three channels while the third channel is held in no-trip state. Verify that: trip is asserted within the specified latency; the 2-of-3 vote correctly propagates; deactivating one channel does not inhibit trip. Introduce a single-channel hardware fault (remove power to one channel) and verify the remaining two channels maintain trip function within ±10% of nominal latency. Record pass/fail for all 12 fault injection scenarios. Rationale: SUB-REQ-069 mandates 2-of-3 redundant voted architecture for IEC 61508 SIL-3 hardware fault tolerance (HFT=2). Testing must demonstrate both the nominal voted behaviour and single-channel fault tolerance, since SIL-3 requires the safety function to remain operable under any single hardware failure. Twelve scenarios cover all permutations of single-channel failure with two-channel trip assertion. | Test | |
| VER-REQ-069 | Verify SUB-REQ-070: In a hardware-in-the-loop test environment, install all three Safety Logic Processor channels and configure TMR majority-vote output. Inject a trip input to all three channels simultaneously and measure trip assertion latency. Then inject a trip input while one processing channel is artificially failed (watchdog disabled); verify majority vote correctly asserts trip and minority-failed channel is flagged within the specified diagnostic interval. Verify that failure of a second channel (2-of-3 failed) causes the system to revert to safe state (de-energise run permit) within 1 second. Rationale: SUB-REQ-070 requires fault-tolerant TMR with defined fail-safe behaviour on two-channel failure. IEC 61508 SIL-3 requires demonstration that HFT=2 is maintained: one-channel failure must not degrade safety function; two-channel failure must cause safe state transition. This VER requirement captures both the nominal TMR operation and the double-fault recovery test. | Test | |
| VER-REQ-070 | Verify SUB-REQ-074: During integrated system test with Interlock and Emergency Shutdown System in safe state condition (plasma current = 0 A, verified by magnetic diagnostics), command all plasma-facing actuators (heating systems, fuel injection, vertical stability coil) and verify each remains de-energised for the duration of the safe state hold period (minimum 300 s). Attempt to override the hold via both software command and manual operator interface; verify override is rejected. Record actuator state against IESS safe-state hold status throughout. Rationale: SUB-REQ-074 requires IESS to hold all plasma-facing actuators de-energised while safe state is active. This prevents inadvertent plasma re-ignition following a SCRAM. The test must demonstrate both the hold function and its independence from software override, since a successful override would breach the hardware-enforced independence required by SYS-REQ-004. | Test | |
| VER-REQ-071 | Verify SUB-REQ-062: Review the formal safe state definition document against the IESS logic implementation. Confirm that: plasma current reduction to zero is enforced by magnetic coil discharge interlocks; first wall heat flux monitoring threshold is set to 1 MW/m²; all fuel injection channels are commanded closed and confirmed closed by position feedback; cryogenic gas valves are commanded to closed and confirmed by pressure transducers; all ICRH/NBI/ECRH beam-off states are verified by calorimeter readings. Each safe state criterion SHALL be individually traceable to a monitored process variable. Rationale: SUB-REQ-062 defines the multi-condition safe state. Inspection of the logic implementation against the formal definition is required to verify that every stated safe state criterion is enforced by a corresponding interlock with a monitored process variable. Unmonitored conditions in the safe state definition are a latent risk of undetected safe state exit. | Inspection | |
| VER-REQ-072 | Verify SUB-REQ-026: Inject simulated heating power setpoints via software test interface commanding NBI at 25 MW, ECRH at 20 MW, and ICRH at 15 MW simultaneously (total 60 MW). Verify the HCDC Supervisory reduces commanded setpoints so sum does not exceed 50 MW, with ECRH maintained at full setpoint. Repeat with NTM stabilisation event active; verify ECRH is prioritised and NBI/ICRH bear the reduction. Acceptance: total power within 50 MW within 1 ms control cycle; ECRH priority confirmed by setpoint log. Rationale: SUB-REQ-026 implements a safety function preventing first wall thermal overload. Test is required because the power summation and NTM priority logic must be demonstrated under simultaneous inputs. The NTM prioritisation path uses a separate code branch not exercised by individual subsystem tests. Inspection alone cannot demonstrate correct dynamic response. | Test | |
| VER-REQ-073 | Verify SUB-REQ-039: Remove power from one Safety Logic Processor card while the SLP is operating in its test stand configuration. Confirm that the trip relay output remains driven by the surviving card and that a SCRAM signal is correctly asserted within the 10 ms trip response budget. Repeat with the second card powered down instead. Acceptance: trip relay asserts on either card failure; no failure of both independent paths observed under single-card removal. Rationale: SUB-REQ-039 requires single-card failure must not prevent SCRAM actuation. This can only be confirmed by a physical hardware test demonstrating independence under fault injection. Analysis cannot substitute because the independence claim depends on the actual board layout, wiring, and relay drive circuitry. The test must be performed on the final production hardware configuration to support the SIL-3 safety case. | Test | |
| VER-REQ-075 | Verify SUB-REQ-010: Using a validated test dataset of at least 500 disruption sequences and 2000 non-disruption plasma shots from JET and ASDEX-U databases, inject pre-recorded 128-element feature vectors at 10 kHz into the Disruption Prediction Engine. Measure true positive rate (disruptions detected with ≥30 ms warning before thermal quench onset) and false positive rate (spurious predictions per 24 hours equivalent run time). Acceptance: TPR ≥ 95%, FPR ≤ 2 events per 24 hours. Rationale: SUB-REQ-010 sets the primary DPE performance specification. 95% TPR with 30 ms warning is the minimum to successfully initiate MGI before thermal quench deposits runaway energy on first-wall components; FPR ≤ 2/day is the maximum tolerable spurious SCRAM rate for operational availability. | Test | |
| VER-REQ-076 | Verify SUB-REQ-041: On the DPMS test bench, halt the primary Disruption Prediction Engine FPGA by removing power while the system is in FLAT-TOP state. Measure time from FPGA power-off to MGI pre-trigger assertion from the hardwired fallback. Verify activation is hardware-initiated with no software dependency. Acceptance: MGI pre-trigger asserted within 50 ms of FPGA power loss; activation requires no software process to be active. Rationale: SUB-REQ-041 is the safety fallback when the ML-based disruption prediction fails. The hardwired fallback ensures an FPGA failure does not leave the reactor without disruption mitigation — an unmitigated thermal quench would damage first-wall components. The 50 ms budget is derived from the system-level disruption mitigation window in SYS-REQ-002. | Test | |
| VER-REQ-077 | Verify SUB-REQ-025: In a hardware-in-the-loop PCS test, suppress synchronised cycle delivery for 6 consecutive cycles to simulate real-time bus failure. Measure time from last valid cycle to PCS frozen output state. Simulate a component self-test failure and verify PCS outputs are set to last-known-good values with a fault flag raised. Acceptance: output freezes within 1 cycle of 6th missed delivery; fault flag asserted within 5 ms of self-test failure. Rationale: SUB-REQ-025 defines PCS degraded-mode behaviour on real-time bus failure. Freezing outputs preserves plasma stability during transient communication faults — an uncontrolled output step during bus failure could trigger a disruption. The 5-consecutive-cycle threshold provides hysteresis to filter single-cycle glitches while ensuring rapid response to sustained failure. | Test | |
| VER-REQ-078 | Verify SUB-REQ-030: Configure HCDC at 60 MW nominal (25 MW NBI, 20 MW ECRH, 15 MW ICRH). Simulate ECRH controller failure by halting its process. Measure: detection time, redistribution command issue time, and final setpoints for NBI and ICRH. Repeat for NBI and ICRH failure. Acceptance: redistribution command within 100 ms of missed heartbeat detection; redistributed power does not exceed each actuator's rated maximum; total power deficit ≤ 5% of pre-failure setpoint. Rationale: SUB-REQ-030 ensures plasma heating continuity during single actuator failure. Without redistribution, sudden heating loss during flat-top burn can cause density collapse and disruption. The 100 ms response window aligns with the HCDC heartbeat monitoring interval and prevents a step-loss of plasma beta that would exceed the 5% stored energy tolerance in SYS-REQ-003. | Test | |
| VER-REQ-079 | Verify SUB-REQ-019: Configure ERP test bench with 160 synthetic magnetic measurement channels. Force 32 channels (20%) to return invalid readings (NaN or out-of-range). Inject steady-state flat-top plasma state vectors and measure ERP equilibrium output against a pre-computed reference reconstruction. Acceptance: ERP provides valid equilibrium state vector with position accuracy ±2 cm and current reconstruction ±1% when up to 32 of 160 channels are unavailable; no error flag is asserted. Rationale: SUB-REQ-019 defines ERP fault-tolerance for sensor dropout. Maintaining equilibrium reconstruction with 20% channel loss is critical to avoiding a SCRAM during a diagnostic failure unrelated to plasma instability. The 20% threshold covers the expected maximum correlated failure rate of a single diagnostic front-end crate. | Test | |
| VER-REQ-080 | Verify SUB-REQ-036: Connect the Magnet Power Supply Controller to a scaled resistive test coil (1% rated inductance). Upload a 10-second reference coil current ramp from a PCS test fixture. Measure current tracking error throughout the ramp and at steady state. Inject a coil current perturbation exceeding ±2 A and measure time to MPSC hard trip assertion. Acceptance: tracking error ≤ ±1 A throughout the reference waveform; hard trip asserted within 10 ms of persistent ±2 A exceedance. Rationale: SUB-REQ-036 ensures the magnet power supply tracks the plasma equilibrium waveform with sufficient precision. Coil current errors exceeding ±1 A at 15 MA perturb plasma position beyond the ±2 cm SYS-REQ-001 boundary. The hard trip threshold prevents sustained overcurrent from damaging superconducting coil insulation. | Test | |
| VER-REQ-081 | Verify IFC-REQ-025: With the Plant Data Historian interface to the Plasma Diagnostics Integration System active, inject synthetic time-stamped diagnostic data streams at 1 kHz per channel across 300 channels over the best-effort monitoring network. Measure ingestion latency and packet loss rate over a 30-minute test period. Acceptance: ingestion rate sustained at ≥ 1 kHz per channel with ≤ 0.1% packet loss; all timestamp offsets from GPS reference ≤ 1 ms. Rationale: IFC-REQ-025 ensures the data archive interface sustains the 1 kHz sample rate required by STK-REQ-007 and SYS-REQ-005. Without verified ingestion performance, the 25-year archival requirement cannot be met; post-pulse analysis and model retraining also require complete time-ordered data. | Test | |
| VER-REQ-082 | Verify IFC-REQ-026: Connect calibrated signal generator to 256 Magnetic Diagnostics Array analogue input channels on the Real-Time Diagnostic Signal Conditioner. Inject sinusoidal test signals at frequencies up to 100 kHz, amplitudes 1 mV to 1 V. Measure CMRR at 50 Hz and 150 Hz, ADC linearity (INL), and dynamic range. Acceptance: CMRR ≥ 80 dB at 50 Hz; INL ≤ 0.05% FS; dynamic range ≥ 80 dB across all 256 channels. Rationale: IFC-REQ-026 defines the analogue performance of the magnetic diagnostics interface, the primary sensor input for equilibrium reconstruction and disruption prediction. CMRR ≥ 80 dB suppresses power line noise in the 15 MA toroidal current environment; INL ≤ 0.05% FS ensures ERP 160-channel reconstruction meets the ±2 cm position accuracy of SYS-REQ-001. | Test | |
| VER-REQ-083 | Verify SUB-REQ-054 and SYS-REQ-007: Using network penetration test methodology in a factory acceptance test environment: (1) attempt bidirectional data paths between real-time control LAN and monitoring LAN; (2) inject crafted packets from monitoring LAN toward control LAN endpoints; (3) attempt reverse-direction traffic injection through data diode; (4) verify all three security zones present with no shared switch ports. Acceptance: no bidirectional control-to-monitoring path exists; data diode rejects all reverse-direction packets; no unauthenticated cross-zone access path found. Rationale: SYS-REQ-007 mandates IEC 62443 SL-2 with data diode enforcement. Without adversarial penetration testing, network segmentation cannot be verified as effective — configuration inspection alone is insufficient for SL-2 compliance because misconfigurations may not be visible in documentation. | Test | |
| VER-REQ-084 | Verify SYS-REQ-004 end-to-end safe state transition: In integrated system test with plasma current simulation, from each operating state (FLAT-TOP, RAMP-DOWN, PLASMA-INIT), trigger automatic SCRAM via IESS trip. Measure elapsed time from SCRAM trigger to confirmation of all five safe state criteria: (1) plasma current zero; (2) all heating systems de-energised; (3) fuel injection valves closed; (4) SPDS shows SAFE STATE; (5) IESS run-permit de-energised. Acceptance: all five criteria confirmed within 5 seconds; 20 consecutive test runs covering all three starting states. Rationale: SYS-REQ-004 mandates ≤5 s safe state transition. VER-REQ-005 covers only the first 30 ms (interlock logic chain). The full 5 s window encompasses plasma quench, heating shutdown, and fuel inhibit across IESS, PCS, HCDC, and FIBC. Only an integrated system test verifies the composed timeline meets the system-level budget. | Test | |
| VER-REQ-085 | Verify SUB-REQ-074: After reaching safe state in an integrated SCRAM test, attempt to energise each plasma-facing subsystem (HCDC, FIBC, PCS) from their control interfaces without issuing a formal operator clearance. Verify all energisation attempts are hardware-rejected. Execute simulated formal clearance by authorised operator and verify all subsystems can be re-enabled. Acceptance: all energisation attempts without clearance are hardware-rejected within 100 ms; no software bypass path exists; re-energisation succeeds following formal clearance. Rationale: SUB-REQ-074 implements the safe state hold function. The safety argument depends on the system remaining in safe state once achieved. Without this test, a software or operator error could re-energise plasma-facing systems while the reactor is in post-SCRAM unsafe condition. The hardware interlock requirement prevents any software layer from bypassing the hold. | Test | |
| VER-REQ-086 | Verify SUB-REQ-031: Configure HCDC Supervisory heartbeat monitoring at 100 ms intervals. Suppress the ECRH controller heartbeat for two consecutive 100 ms intervals. Measure time from second missed heartbeat to HCDC Supervisory issuing a controller-isolate command and fault annunciation. Acceptance: isolate command issued within 50 ms of second missed heartbeat; fault annunciation appears on SPDS within 200 ms of detection. Rationale: SUB-REQ-031 prevents an unresponsive heating actuator controller from maintaining control of its actuator. An unresponsive controller maintaining last-commanded outputs could drive unsafe actuator states during plasma transients. Two-miss hysteresis suppresses single-cycle communication delays while ensuring rapid response to sustained controller failure. | Test | |
| VER-REQ-087 | Verify SUB-REQ-040: On hardware test bench, inhibit ESS watchdog refresh and measure time to hardware reset. Connect test actuator to MGI valve output and verify command within 20 ms of reset. Inject single hardware faults and confirm MGI actuation is not prevented. Pass criterion: reset within 100 ms; MGI actuation confirmed on all fault scenarios. Rationale: Watchdog timer boundary and hardware-enforced actuation must be verified by hardware fault injection; software analysis cannot demonstrate SIL-3 uncircumventability of the 100 ms reset trigger and MGI actuation chain. | Test | |
| VER-REQ-088 | Verify SUB-REQ-064: Subject the IESS Trip Parameter Monitor, Safety Logic Processor, and Emergency Shutdown Sequencer to seismic qualification testing per IEEE 344 at the plant site-specific SSE response spectrum. Apply simultaneous horizontal and vertical excitation. Operate all functions during and after test. Pass criterion: all trip functions operate within specified timing (<10 ms) during excitation; no structural damage or functionality loss after SSE level test. Rationale: IEEE 344 seismic qualification requires physical shake-table testing with the actual hardware energised; analysis alone cannot substitute for nuclear safety equipment. The SSE response spectrum must be applied at the actual mounting configuration to qualify the qualification claim in SUB-REQ-064. | Test | |
| VER-REQ-089 | Verify SUB-REQ-072: Obtain and review Safety Arbiter vendor qualification documentation including: IEC 61513 Category A type approval certificate, IEC 61508 SIL-3 certificate, FMEA report, software diversity analysis, and independent verification evidence. Confirm all documents are approved by the applicable nuclear regulatory authority. Pass criterion: all five document types present; SIL-3 certificate scope covers all safety functions; regulatory approval stamp present and current. Rationale: IEC 61513 Category A qualification requires regulatory-approved documentation that cannot be reproduced by test; inspection of vendor qualification evidence against the certificate scope is the mandated verification method for nuclear I&C platforms. | Inspection | |
| VER-REQ-090 | Verify SUB-REQ-075: During integrated system test with DPE in active operation, inject a hardware fault causing the primary inference node to fail (CPU reset). Measure: (a) time from failure detection to standby node assuming prediction function; (b) time to recovery of valid prediction output. Confirm last valid prediction is held during switchover. Verify switchover event is logged with microsecond timestamps. Pass criterion: standby active within 100 ms; prediction output valid within 500 ms; no false disruption trigger during switchover. Rationale: SUB-REQ-075 specifies a 100 ms switchover time for the hot-standby DPE node; hardware fault injection is required to validate the automatic failover mechanism under real failure conditions, as simulation cannot capture timing dependencies in the actual hardware architecture. | Test | |
| VER-REQ-091 | Verify SUB-REQ-076: During pellet injection test sequence, fail the primary injection channel by simulating pellet velocity sensor disagreement >20% (inject offset into calibration). Measure: (a) time from failure detection to secondary channel readiness; (b) confirm no manual intervention required. Verify channel switch is logged. Pass criterion: secondary channel ready within 200 ms; no operator action required; disruption mitigation pellets available immediately after switchover. Rationale: SUB-REQ-076 mandates automatic 200 ms switchover without manual intervention; test under simulated sensor disagreement failure is the only way to validate the automatic switchover criterion, as the secondary channel cannot be activated by normal operation. | Test | |
| VER-REQ-092 | Verify SUB-REQ-058: During integrated DPMS operation, inhibit the Disruption Precursor Monitor output for a period exceeding 500 ms. Confirm DPMS enters watchdog-tripped state with disruption risk set to 1.0. Verify this triggers the precautionary mitigation sequence. Measure time from output inhibition to watchdog-trip state transition. Pass criterion: watchdog-trip within 500 ms; risk value = 1.0 confirmed; mitigation sequence initiated; no operator action required. Rationale: SUB-REQ-058 specifies a safety-critical watchdog: failure to detect DPM output loss could leave the system unprotected during a disruption. Test by output inhibition verifies the 500 ms timing boundary and confirms the risk escalation is automatic and not operator-dependent. | Test | |
| VER-REQ-093 | Verify SYS-REQ-012: With all three HCDC actuator controllers active, command aggregate heating power setpoints from 0 to 73 MW in 25 MW increments. Measure delivered power at each actuator with calibrated power meters and compute aggregate sum. Pass criterion: aggregate delivered power within plus or minus 5% of commanded setpoint at each level. Simulate ECRH failure at 70 MW and verify HCDC Supervisory redistributes remaining power across NBI and ICRH within 2 s without exceeding actuator rated maxima. Rationale: SYS-REQ-012 governs coordinated multi-system heating control over the full 73 MW range. Hardware test with calibrated power meters is required because analysis alone cannot account for actuator non-linearity. The redistribution sub-test validates degraded-mode behaviour of SUB-REQ-030. | Test | |
| VER-REQ-094 | Verify RE detection (REQ-SEFUSIONREACTORCONTROLSYSTEM-114): Connect a calibrated hard X-ray pulse generator to the DPMS RE diagnostic channel. Inject a stepped source generating 12000 counts/s for 10 ms duration. Confirm RE_DETECTED signal is asserted within 10 ms of threshold crossing. Repeat 100 times. Pass criterion: RE_DETECTED asserted in all 100 trials with latency 10 ms or less. Rationale: Functional test verifying the DPMS RE detection chain threshold, timing, and signal latching. 100-trial repetition establishes statistical confidence in the detection reliability under worst-case hardware-in-loop conditions. | Test | verification, dpms, re-mitigation, session-411 |
| VER-REQ-095 | Verify RE mitigation actuation (REQ-SEFUSIONREACTORCONTROLSYSTEM-115): On an integrated DPMS test bench with simulated RE_DETECTED input and MGI valve test fixture, assert RE_DETECTED signal and measure time from assertion to valve open command. Confirm injection flow rate reaches 30 bar-L minimum within test flow parameters. Verify termination when simulated plasma current drops below 100 kA. Pass criterion: valve open command issued within 40 ms in all 50 trials. Rationale: Functional test verifying the complete RE mitigation actuation chain from RE_DETECTED signal to valve command timing and injection parameters. 50-trial repetition ensures actuation reliability. Hardware-in-loop setup with test fixture simulates realistic valve hardware latency. | Test | verification, dpms, re-mitigation, session-411 |
| VER-REQ-097 | Verify equipment list registration by inspection of the plant Formal Equipment List against the as-installed FRCS subsystem inventory: confirm every installed I&C subsystem has a corresponding FL entry with rack location, IEC 61346 tag, SIL classification, and connector specification. Confirm the FL is held under the plant configuration management system with a current revision date. Rationale: REQ-SEFUSIONREACTORCONTROLSYSTEM-127 requires FL registration for all FRCS subsystems. Inspection of the FL against the installed inventory is the only practical verification method for this administrative compliance requirement. | Inspection | |
| VER-REQ-098 | Verify SUB-REQ-113: During HCDC EMC qualification testing, inject 200 V/m RF signals at frequencies between 50 MHz and 170 GHz at the HCDC equipment boundary and measure field strength at the nearest PCS and IESS cabinet boundaries. Confirm field strength is below 10 V/m and that no PCS or IESS spurious actuations are recorded during a 1-hour exposure test. Rationale: SUB-REQ-113 requires HCDC source controls to limit RF fields at PCS/IESS boundaries. Direct measurement of field strength at the receiving equipment boundary during an in-situ RF injection test is the only method that validates both the HCDC source controls and the system-level immunity simultaneously. | Test | idempotency:qc-417-ver-sub113 |
| VER-REQ-099 | Verify IFC-REQ-022: Configure a test BCM simulator to transmit Q-factor vectors at 10 Hz to the DPMS input interface. Use a protocol analyser to capture 100 consecutive messages and verify: (a) message length equals exactly 64 bytes, (b) CRC-32 checksums match for all messages, (c) sequence counter increments monotonically with no gaps. Inject a message with corrupted CRC and confirm DPMS discards it. Pass criterion: all 100 messages valid, 1/1 corrupted messages rejected, counter increments unbroken. Rationale: IFC-REQ-022 specifies a deterministic 64-byte fixed-format message with CRC-32 integrity at 10 Hz. Protocol analyser capture is the only method that confirms both format compliance and error-rejection behaviour required for reliable disruption prediction input data integrity. | Test | idempotency:val-418-ver-ifc022 |
| VER-REQ-100 | Verify IFC-REQ-023: With the Plant Operations Sequencer and all seven subsystems on the SCADA bus, command POS to transition MSV from STANDBY to PRE-PULSE. Capture MSV broadcast timestamps at each of seven subsystem receivers using synchronised capture hardware. Verify: (a) all seven receivers confirm MSV within 50 ms of POS emission, (b) MSV encoded as 32-bit status word, (c) 10 Hz broadcast sustained over 30 seconds with no missed transmissions. Pass: all 7 receivers <50 ms, 300/300 transmissions received. Rationale: IFC-REQ-023 mandates MSV delivery to all 7 operational subsystems within 50 ms at 10 Hz. Simultaneous end-to-end timing measurement across all 7 receivers is required — sequential point-to-point tests cannot detect multi-hop bus congestion or scheduling jitter that affects only some receivers. | Test | idempotency:val-418-ver-ifc023 |
| VER-REQ-101 | Verify IFC-REQ-024: Connect IRIG-B and IEEE 1588 PTP timing pulse outputs from the Machine Timing and Synchronisation System to an oscilloscope at each of ten representative subsystem receiver inputs. Measure rise time of each timing pulse. Verify all rise times are <=100 ns. Confirm fibre-optic link independence by disconnecting one link and verifying other subsystems continue to receive valid timing. Pass criterion: 100% rise times <=100 ns across all receivers, no cross-link dependency. Rationale: IFC-REQ-024 specifies rise time <=100 ns for shot timing signals. Direct oscilloscope measurement at the receiver is required to confirm signal integrity through fibre-optic links — analysis alone cannot account for dispersion and connector losses in the as-built installation. | Test | idempotency:val-418-ver-ifc024 |
| VER-REQ-102 | Verify IFC-REQ-027: During a plasma flat-top simulation lasting 30 seconds, inject 3,000,000 magnetic diagnostic data frames through the DDM to ERP RDMA link at 100 kHz. Record frame delivery latency for each frame and count lost frames. Verify: (a) end-to-end latency <=200 µs for all frames, (b) zero frame loss over the 30-second test window, (c) timestamps on received frames monotonically increase and agree with Machine Timing System within 10 µs. Pass: 0 lost frames, 100% frames <=200 µs. Rationale: IFC-REQ-027 specifies zero frame loss tolerance during flat-top — a uniquely demanding requirement that must be verified under full operational load. Burst or idle-period testing would not expose queuing or timing drift under sustained 100 kHz throughput. | Test | idempotency:val-418-ver-ifc027 |
| VER-REQ-103 | Verify IFC-REQ-028: Inject pre-recorded calibrated sensor vectors from the Disruption Precursor Sensor Suite test harness at >=10 kHz into the Disruption Precursor Monitor input interface. Use synchronised hardware timestamps at source and receiver. Measure delivery latency for 10,000 consecutive vectors. Verify: (a) 100% of vectors delivered within 500 µs, (b) timestamp synchronisation to Machine Timing System within 10 µs for all vectors, (c) no vector loss over a 1-second capture window. Pass: all criteria met. Rationale: IFC-REQ-028 specifies <=500 µs delivery latency and <=10 µs timestamp synchronisation at >=10 kHz. These are tight real-time constraints that require direct measurement under operational load; analysis would not reveal jitter induced by the fibre link or FPGA timestamp insertion hardware. | Test | idempotency:val-418-ver-ifc028 |
| VER-REQ-104 | Verify SUB-REQ-085: With the IESS operating normally, physically disconnect one hardware channel between the Safety Logic Processor and Emergency Shutdown Sequencer actuation output. Inject a SCRAM demand and measure time to actuation via the remaining channel. Verify: (a) SCRAM still actuates within 5 seconds via surviving channel, (b) a channel failure alarm is raised within 10 seconds, (c) IEC 61508 SIL-3 PFD calculation using measured channel availability data confirms PFD < 1×10⁻³. Pass: single-channel loss does not prevent SCRAM, PFD <1e-3. Rationale: SUB-REQ-085 asserts 1oo2 redundancy with PFD<1e-3. Only a hardware fault injection test with the surviving channel under load can confirm that independence is genuine and not compromised by shared cabling, power supply, or firmware. Analysis alone is insufficient for IEC 61508 SIL-3 claims on safety-critical actuation hardware. | Test | idempotency:val-418-ver-sub085 |
| VER-REQ-105 | Verify SUB-REQ-084: From a simulated full-power flat-top state with active NBI and ICRH heating, inject a SCRAM demand into the Emergency Shutdown System. Using facility-level instrumentation, measure: (a) time from SCRAM demand to plasma current <1 kA, (b) time for all NBI, ICRF and ECRH systems to reach zero power, (c) time for all magnet dump resistors to be engaged and coil currents decaying, (d) confirmation of pellet cryostat vent to tritium exhaust. Verify all conditions achieved within 5 seconds. Pass: all four safe state conditions met within 5 s. Rationale: SUB-REQ-084 specifies the four-condition safe state achieved within 5 seconds — this is the primary safety acceptance criterion for the reactor. An end-to-end SCRAM test from full-power conditions is the only verification method accepted by nuclear regulators for IEC 61513 Category A qualification. | Test | idempotency:val-418-ver-sub084 |
| VER-REQ-106 | Verify SUB-REQ-108: Following a successful SCRAM test, inspect Safety Logic Processor continuous monitoring output for each of the four safe-state indicators: (a) plasma current monitor reading zero A, (b) all high-voltage system interlock status registers in de-energised state, (c) cryogenic system control mode flag in PASSIVE-HOLD, (d) all active heating system interlocks in zero-power state. Verify all four indicators remain in safe state for a 60-second observation period with no active control intervention. Inspect SLP self-test logs to confirm each indicator was individually tested during the preceding health check. Rationale: SUB-REQ-108 requires safe state to be self-sustaining without active control intervention, verified by the SLP. Inspection of the SLP monitor outputs during and after a SCRAM test is the only method that confirms both the self-sustaining property and the SLP's ongoing monitoring function. | Test | idempotency:val-418-ver-sub108 |
| VER-REQ-107 | Verify SUB-REQ-112: During a full-system SCRAM test, timestamp the SCRAM initiation event and then monitor the qualified safety bus for the SAFE-STATE-CONFIRMED signal. Measure: (a) time from SCRAM initiation to each of the four conditions being achieved (plasma current <1 kA, coil currents transferred to dump resistors, ICRH/ECRH/NBI hardwired inhibit confirmed, DT gas valves confirmed closed), (b) time from SCRAM initiation to SAFE-STATE-CONFIRMED signal on the qualified safety bus. Verify all conditions met within 8 seconds and SAFE-STATE-CONFIRMED asserted within 8 seconds. Pass: 8 s budget met for all four conditions and SAFE-STATE-CONFIRMED signal asserted. Rationale: SUB-REQ-112 requires IESS to verify all four safe state conditions and assert SAFE-STATE-CONFIRMED within 8 seconds. This timing constraint is directly derived from the 5-second SCRAM target in SYS-REQ-004 plus 3 seconds for verification confirmation. Direct timing measurement is required for IEC 61513 nuclear qualification. | Test | idempotency:val-418-ver-sub112 |
| VER-REQ-108 | Verify SUB-REQ-013: On a representative hardware platform, inject a synthetic 10 kHz diagnostic data stream into the Disruption Precursor Monitor across all active channels. Measure the time from each sample epoch to delivery of the 128-element MHD stability feature vector at the DPE input port using timestamped hardware counters. Record the missing-sample count over a 600-second run (6×10⁶ epochs). Pass: all epoch-to-feature latencies ≤ 100 μs; missing-sample count ≤ 600 (0.01% of 6×10⁶). Rationale: SUB-REQ-013 specifies a hard 100 μs latency and 0.01% missing-sample rate. These values feed directly into the disruption prediction response budget: DPM latency + DPE inference time must fit within the 50 ms precursor-to-actuation window of SYS-REQ-002. The requirement cannot be verified by analysis because the latency depends on real-time FPGA pipeline behaviour under concurrent diagnostic load. Hardware injection testing on the target platform is required. | Test | idempotency:val-420-ver-sub013 |
| VER-REQ-109 | Verify SUB-REQ-014: Inject a sequence of 10 synthetic disruption events into the DPMS Supervisory and Archive, each with a 5-second pre-event state vector window at 1 ms sample intervals. For each event, verify: (a) the complete pre-event window is archived (5000 samples per event); (b) a retraining package is generated within 10 minutes when the rolling 24-hour false positive count exceeds 3 or true positive rate falls below 93%. Introduce a controlled test scenario where both thresholds are exceeded simultaneously and verify the retraining package is generated within the 10-minute window. Rationale: SUB-REQ-014 is the DPMS model-adaptation requirement: missed state-vector windows mean disruption precursors cannot be learned and model accuracy degrades over time. The 10-minute retraining trigger is a maintenance requirement tied to the 95% true-positive floor in SUB-REQ-010. Both time constraints require end-to-end test with injected events to confirm archive completeness and retraining automation. | Test | idempotency:val-420-ver-sub014 |
| VER-REQ-110 | Verify SUB-REQ-020: In a hardware-in-the-loop test bench with a validated 15 MA plasma equilibrium model, command the Shape and Position Controller to track a reference equilibrium trajectory under steady-state flat-top conditions. Inject representative perturbations (±5% plasma current, ±2% toroidal field). Record radial and vertical position error over a 30-second flat-top. Pass: peak radial and vertical displacement from reference trajectory <=2 cm for all perturbation scenarios; no sustained drift exceeding 2 cm for >1 s. Rationale: SUB-REQ-020 specifies the 2 cm geometric-centre tolerance that flows from SYS-REQ-001 (radial position tolerance). The PCS plasma-wall gap budget assumes this tolerance is maintained; exceeding it risks first-wall interaction at 15 MA plasma current. Hardware-in-the-loop is required because shape control performance depends on the coupled dynamics of the full magnetic equilibrium reconstruction and real-time actuator response. | Test | idempotency:val-420-ver-sub020 |
| VER-REQ-111 | Verify SUB-REQ-044: Connect the Pellet Injection Controller to a test-bench ELM phase simulator generating a configurable trigger signal. Issue 300 consecutive pellet injection commands, each keyed to the ELM phase trigger. Record: (a) injection-to-trigger timing offset for each shot; (b) total miss count (offset >0.5 ms or no injection within trigger window). Pass: all on-time injections within +-0.5 ms of trigger; miss rate <=2 of 100 in any 100-shot rolling window. Rationale: SUB-REQ-044 requires ELM-synchronised pellet injection within 0.5 ms. This is a hard real-time constraint: pellet injection outside the ELM-quiescent window causes plasma contamination and potential disruption. The 2% miss rate is the operational tolerance agreed with the physics team based on fuelling efficiency models. Only hardware timing measurements can confirm that the PIC firmware meets the synchronisation window, as software simulation cannot capture interrupt latency and DMA transfer timing on the target embedded system. | Test | idempotency:val-420-ver-sub044 |
| VER-REQ-112 | Verify SUB-REQ-045: Connect the Burn Condition Monitor to a calibrated neutron flux reference instrument at a test facility. Command a representative power ramp from 50 MW to 800 MW at 10 MW/s. Record BCM fusion power estimate and reference instrument reading at each 0.1 s update epoch. Calculate the absolute deviation at each epoch as a percentage of the reference. Verify update rate by counting output samples over a 60-second window. Pass: all deviations <=2% of calibrated reference; update count >=600 in 60 s (>=10 Hz). Rationale: SUB-REQ-045 specifies the 2% fusion power accuracy and 10 Hz update rate for the BCM. The BCM output is used by SUB-REQ-047 to trigger burn termination when Q<1 is predicted; a 2% error floor ensures the BCM does not produce spurious Q<1 alarms during normal operation. Calibration against a reference neutron flux instrument is required by IEC 61513 for safety-significant measurement chains in nuclear facilities. | Test | idempotency:val-420-ver-sub045 |
| VER-REQ-113 | Verify SUB-REQ-047: In a HIL test bench simulating active burn, inject synthetic BCM output data representing a thermal energy decay rate consistent with Q<1 prediction within 500 ms. Measure: (a) time from Q<1 prediction signal to Gas Puffing Valve Controller receiving fuel-ramp-down command; (b) time from Q<1 prediction to Pellet Injection Controller receiving pellet-hold command; (c) fuel ramp-down completion time. Pass: command delivery <=50 ms of Q<1 prediction; ramp-down complete <=200 ms of Q<1 prediction; both commands issued on every test trigger (no missed actuation in 20 repeat trials). Rationale: SUB-REQ-047 is the controlled burn termination trigger triggered by BCM Q<1 prediction. The 200 ms ramp-down budget is an engineering constraint derived from the plasma thermal energy decay time constant at low Q: exceeding this risks an uncontrolled burn collapse that the DPMS may classify as a disruption precursor and trigger SYS-REQ-002 mitigation. HIL testing is required to verify the command chain timing because it involves the interaction of three subsystems (BCM, GPVC, PIC) under real-time control. | Test | idempotency:val-420-ver-sub047 |
| VER-REQ-114 | Verify SUB-REQ-052: With the Machine Timing and Synchronisation System GPS-disciplined oscillator locked to a reference GPS signal, distribute T=0 and synchronisation pulses to representative I&C subsystem nodes across the full plant network. Measure: (a) absolute timestamp accuracy at each node against GPS reference using a calibrated time-interval analyser; (b) inter-node jitter; (c) holdover accuracy after GPS signal disconnection over a 1-hour observation. Pass: absolute accuracy <=1 us at all nodes; inter-node jitter <=5 us; holdover drift <=10 us/h. Rationale: SUB-REQ-052 specifies the 1 us absolute and 5 us inter-subsystem timing accuracy required for coherent plasma state reconstruction at 1 kHz. If timing jitter exceeds 5 us, the equilibrium reconstruction processor receives phase-misaligned magnetic flux measurements that corrupt the shape reconstruction used by the PCS. GPS holdover accuracy ensures timing integrity during satellite outage periods. All values derive from the 1 kHz data acquisition requirement and the ERP phase tolerance analysis. | Test | idempotency:val-420-ver-sub052 |
| VER-REQ-115 | Verify SUB-REQ-042: With the Gas Puffing Valve Controller connected to a representative gas injection valve on a test stand, issue 20 consecutive density setpoint step commands. For each command, measure valve response time from command receipt to valve reaching 95% of commanded position using a high-bandwidth position transducer. Pass: all 20 measurements <10 ms from command receipt to 95% valve travel; no single measurement exceeds 10 ms. Rationale: SUB-REQ-042 specifies a 10 ms valve response time for density control. This is the actuator latency budget for the fuelling control loop: the Gas Puffing Valve Controller is the actuator for plasma density regulation (SYS-REQ-003). A valve response exceeding 10 ms introduces density overshoot at the 1×10^20 m^-3 operating point, which can trigger a density-limit disruption. Hardware measurement on the actual valve mechanism is required because solenoid response time is a mechanical property that cannot be calculated from datasheet values alone. | Test | idempotency:val-420-ver-sub042 |
| VER-REQ-116 | Verify SUB-REQ-053: With all subsystem data sources connected to the Plant Data Historian, initiate a full-system data acquisition session. Inject a sustained synthetic data stream at the expected aggregate rate from all subsystems simultaneously. Measure: (a) actual historian ingest rate over a 60-second window; (b) data completeness (missing sample count); (c) query response time for a 5-second window of 1 kHz data from 300 channels. Pass: sustained ingest rate >=50 MB/s without data loss; post-pulse query returns complete dataset within 60 s of termination. Rationale: SUB-REQ-053 is the ingest-rate requirement for the Plant Data Historian, which must archive all subsystem data at 50 MB/s aggregate during a plasma pulse. This flows from STK-REQ-007 (1 kHz data logging from 300+ instruments). Storage system performance under concurrent write load cannot be verified by analysis; a sustained load test is required. The 60-second post-pulse query latency also verifies the STK-REQ-007 post-pulse access requirement. | Test | idempotency:val-420-ver-sub053 |
| VER-REQ-117 | Verify SYS-REQ-001: During commissioning plasma operations at full plasma current, record radial position and plasma current measurements from the Equilibrium Reconstruction Processor over at least five consecutive 30-second flat-top periods. Calculate peak and RMS radial displacement from reference trajectory and current error from setpoint for each flat-top. Pass: all peak radial displacements <=2 cm; all plasma current errors <=1% of commanded value during flat-top; no flat-top terminated prematurely due to equilibrium loss. Rationale: SYS-REQ-001 is the primary plasma control performance requirement. End-to-end system test at full 15 MA plasma current during actual operation is required because the interaction of the PCS, magnetic diagnostics, power systems, and heating systems cannot be replicated in hardware-in-the-loop simulation with sufficient fidelity at full parameter. Five flat-tops provide statistical confidence that performance is sustained and not a single-shot result. | Test | idempotency:val-420-ver-sys001 |
| VER-REQ-118 | Verify SYS-REQ-002: In a full system HIL test with all IESS, DPMS, and PCS subsystems integrated, inject 20 pre-recorded disruption precursor scenarios from the JET-equivalent disruption database. Measure: (a) time from disruption precursor signal onset to SMP injection actuation signal at the mitigation injectors; (b) energy mitigation efficiency calculated as (1 - thermal energy deposited on first wall / total pre-disruption thermal energy). Pass: all actuation latencies <=50 ms; mean energy mitigation efficiency >80%; minimum efficiency across all 20 scenarios >75%. Rationale: SYS-REQ-002 specifies the 50 ms disruption response time and 80% energy mitigation efficiency. These derive from first-wall thermal load limits: exceeding 80% un-mitigated energy deposition at 15 MA plasma current produces tungsten first-wall melting. Full integrated HIL testing is required because the 50 ms budget spans three subsystems (DPMS detection, IESS routing, actuator response) and cannot be verified piecemeal without timing accumulation uncertainty. | Test | idempotency:val-420-ver-sys002 |
| VER-REQ-119 | Verify SYS-REQ-015: With the tritium monitoring network fully installed, perform a controlled tritium source challenge at a representative controlled area boundary monitor: introduce a calibrated tritium source at known concentration levels of 0.5 uSv/h, 1 uSv/h, and 10 uSv/h. For each level, measure: (a) alarm latency from threshold crossing to operator alarm annunciation; (b) isolation command latency at the 10 uSv/h level. Pass: evacuation alarm latency <=30 s at 1 uSv/h; containment isolation command <=30 s at 10 uSv/h; no false alarm at 0.5 uSv/h source. Rationale: SYS-REQ-015 derives from STK-REQ-004 (tritium boundary integrity) and is a nuclear regulatory compliance requirement. The 30-second alarm latency is the maximum permitted by the facility radiation protection programme for personnel evacuation. A calibrated source challenge is the only method accepted by nuclear regulators to demonstrate that the tritium monitoring chain meets the response time and threshold accuracy requirements for personnel protection. | Test | idempotency:val-420-ver-sys015 |
| VER-REQ-120 | Verify SUB-REQ-114 (IESS safe state definition) by conducting a Type Test during Factory Acceptance Testing: command an IESS trip from full plasma operating conditions and measure plasma current, poloidal field coil currents, RF power levels, pellet injection valve positions, and torus pressure at T+10s after trip initiation. All six parameters SHALL be within their specified safe state bounds simultaneously. Repeat for each of the five IESS trip initiators (plasma current limit, disruption prediction, magnet quench, manual trip, watchdog timeout). Rationale: SUB-REQ-114 defines quantified safe state exit conditions for each of six plant parameters across five trip scenarios. The verification must confirm all parameters simultaneously — a safe state where plasma current is within limits but RF power is still pulsing is not a genuine safe state. Five trip initiators are tested to verify that the safe state is reachable from each failure mode, not just from the nominal trip path. | Test | idempotency:qc-422-ver-iess-safe-state |
| VER-REQ-121 | Verify SUB-REQ-115 (qualified maintenance bus): Configure a simulated SIL-classified I&C channel on the PCICS test bench and inject a synthetic fault. Confirm: (1) the fault is detected and classified within 10 seconds; (2) the fault report transmitted on the maintenance bus conforms to IEC 61784-3 framing; (3) the report includes fault identity, timestamp, and severity classification. Repeat for 10 representative fault types across the I&C channel population. Rationale: SUB-REQ-115 specifies a qualified maintenance bus compliant with IEC 61784-3 with 10-second fault reporting. Functional test at the subsystem level is necessary because the 10-second timing requirement and the frame format are testable acceptance criteria that cannot be verified by inspection of the design alone. | Test | idempotency:qc-422-ver-maintenance-bus |
| VER-REQ-122 | Verify SUB-REQ-116 (IESS IEC 61513 Category A compliance): Review the IESS safety case documentation pre-commissioning. Confirm the safety case contains: (1) SIL-3 allocation with probabilistic justification; (2) proof-test interval calculations; (3) FMEA covering at least 95% of identified failure modes; (4) IEC 61511 lifecycle documentation. The verification activity is the independent safety assessment review gate prior to first plasma. Rationale: SUB-REQ-116 is a documentation and compliance requirement — the acceptance criterion is the existence and content of the safety case. A test cannot confirm safety case completeness; only an analytical review of the documented safety case against IEC 61513 Category A requirements can verify this requirement. | Analysis | idempotency:qc-422-ver-iec61513-iess |
| VER-REQ-123 | Verify SUB-REQ-117 (GPVC dual-channel redundancy): On a GPVC production unit, disable channel A (remove power to channel A solenoid driver). Confirm: (1) channel B maintains full injection capability within 100 ms of channel-A-loss detection; (2) no uncontrolled gas injection occurs during the transition. Repeat with channel B disabled and channel A active. Confirm dual-channel fault annunciation in both cases. Rationale: SUB-REQ-117 specifies a 100 ms failover time for GPVC dual-channel redundancy. The timing requirement can only be verified by hardware test — no analysis can determine whether the actual relay/switching circuitry meets 100 ms without physical measurement. The test must be performed on production hardware, not engineering model, due to component variation in relay timing. | Test | idempotency:qc-422-ver-gpvc-redundancy |
| VER-REQ-124 | Verify SUB-REQ-118 (POS pre-shot conditioning sequence): On the plant control system integration test bench, configure a simulated plant state with all five conditioning preconditions met (vessel temperature ≥150°C confirmed, glow discharge complete, magnet PSUs stable within 0.1%, vacuum ≤10⁻⁵ mbar, all interlock channels armed). Confirm POS issues plasma initiation permit. Then individually remove each of the five preconditions and confirm the POS refuses to issue a permit in each case. Repeat for 10 randomised combinations of failed preconditions. Rationale: SUB-REQ-118 specifies five discrete conditioning preconditions that must all be satisfied simultaneously. The verification must test both the positive case (all five met → permit issued) and the negative cases (each precondition missing individually → permit refused). Testing 10 randomised combinations provides additional coverage for AND-gate logic errors. A test bench approach is required because the actual vessel bakeout takes ≥4 h — the test bench must simulate this via injected status signals. | Test | idempotency:val-423-ver-pos-preshot |
| VER-REQ-125 | Verify SUB-REQ-119 (POS controlled plasma shutdown): During site acceptance testing on the integrated plasma control system, initiate a POS-commanded controlled shutdown from 50% of design plasma current. Instrument the following: plasma current ramp profile at 100 Hz, heating power profiles at 1 Hz, torus pressure at 0.1 Hz, and magnet PSU standby transition time. Acceptance criteria: (1) plasma current reaches ≤10 kA within 30 s, (2) all heating power reduces to ≤1% of operating value before plasma current drops below 100 kA, (3) torus pressure does not exceed 10⁻⁴ mbar at any point during ramp-down, (4) all magnet PSUs transition to standby within 10 min of plasma termination, (5) ramp-down profile data present in Plant Data Historian at 10 Hz. Rationale: SUB-REQ-119 specifies five quantified acceptance criteria for the controlled shutdown sequence. Each criterion is independently measurable by instrumentation, requiring a functional test on the integrated system. The verification is performed at 50% design current (rather than full power) during initial site acceptance to manage risk, with full-power testing deferred to operational commissioning. All five criteria must be confirmed simultaneously to validate the shutdown sequencing logic. | Test | idempotency:val-423-ver-pos-shutdown |
| VER-REQ-126 | Verify SYS-REQ-016 (plasma operational lifecycle): During integrated system commissioning, run a full nominal plasma experiment cycle: (1) enter PRE-SHOT-CONDITIONING and confirm all five preconditions satisfied; (2) command PLASMA-INITIATION and confirm state transition within 500 ms; (3) observe FLAT-TOP-BURN for at least 5 minutes; (4) command CONTROLLED-SHUTDOWN and confirm plasma current ramp-down meets SUB-REQ-119 criteria; (5) confirm POST-SHOT-COOLDOWN and SAFE-STATE reached. Measure total cycle time from PRE-SHOT-CONDITIONING entry to SAFE-STATE confirmation. Acceptance: total cycle time ≤8 h; all state transitions require explicit authorisation; no unplanned transitions observed. Rationale: SYS-REQ-016 defines the plasma operational lifecycle as a state machine with mandatory sequencing, transition authorisation, and an 8-hour cycle time ceiling. Only a full-cycle demonstration on the commissioned plant can verify: (1) that all state transitions are properly authorised, (2) that the 8-hour cycle time is achievable, and (3) that unplanned transition attempts are correctly rejected. This is a demonstration rather than test because the acceptance criterion is correct functional sequencing rather than measurement of a specific parameter. | Demonstration | idempotency:val-423-ver-lifecycle |
| VER-REQ-127 | Verify SUB-REQ-050 (POS state machine) and SYS-REQ-016 state alignment: (1) Command POS through each of its eight states (MAINTENANCE, STANDBY, PRE-PULSE, PLASMA-INIT, FLAT-TOP, RAMP-DOWN, POST-PULSE, FAULT) in sequence on integration test bench. (2) Verify MSV broadcast received by all seven subsystems at 10 Hz ±1 Hz. (3) Confirm PLASMA-INIT maps to PLASMA-INITIATION, FLAT-TOP maps to FLAT-TOP-BURN, RAMP-DOWN maps to CONTROLLED-SHUTDOWN, and POST-PULSE maps to POST-SHOT-COOLDOWN per system-level state machine in SYS-REQ-016. (4) Attempt invalid state transition (STANDBY → FLAT-TOP); verify rejection. Acceptance: all 8 states reachable; broadcast rate 10 ±1 Hz; invalid transition rejected. Rationale: SUB-REQ-050 defines 8 MSV states and a 10 Hz broadcast rate — neither has an explicit verification procedure. Additionally, the POS state names differ from SYS-REQ-016's lifecycle state names, creating a trace gap that must be demonstrated as a valid implementation mapping. VER-REQ-031 covers only the redundancy failover scenario, not the state machine completeness or broadcast rate. | Test | idempotency:val-424-ver-sub050-statemachine |
| VER-REQ-128 | Verify SUB-REQ-121 (OCS display latency and content): On an integrated PCIS test bench with all seven subsystems connected via Plant I&C Network, inject synthetic plasma state updates at 100 Hz for 60 seconds. (1) Record timestamp of each injected update and corresponding OCS screen render timestamp. (2) Measure display refresh latency for 6,000 samples; compute mean and 99th-percentile latency. (3) Verify all required parameters are rendered (plasma current, radial position, plasma stored energy, D-T injection rate, neutron yield, disruption risk index, all interlock flags). Acceptance: mean refresh latency ≤200 ms; 99th-percentile latency ≤300 ms; all 7 parameter classes present on display. Rationale: STK-REQ-001 mandates consolidated plasma state display with ≤200 ms latency. Testing at 100 Hz synthetic input provides 6,000 samples over 60 seconds, giving statistical confidence in the latency budget. The 7 specified parameter classes directly correspond to the STK-REQ-001 enumeration (plasma current, position, beta as stored energy proxy, disruption risk, with fuelling rate and neutron yield added as operationally essential FLAT-TOP burn indicators). 99th-percentile latency ≤300 ms is acceptable because operator decision-making on plasma control does not require better than 300 ms worst-case latency. | Test | idempotency:val-424-ver-ocs-display |
| VER-REQ-129 | Verify SYS-REQ-018 (scenario parameter upload and validation): During integrated PCIS commissioning with all subsystems connected: (1) With the plant in STANDBY state and not in-shot, physics team member uploads a complete scenario file (magnetic waveform, density profile, heating schedule) via the scenario management interface. (2) Measure time from upload submission to delivery of parameter validation report. (3) Confirm that approved parameters are queued and active for the subsequent pulse (run through to PRE-PULSE state). (4) During the subsequent shot, verify that the newly uploaded current ramp profile is followed (compare 10 Hz logged ramp waveform against uploaded waveform; tolerance ±2%). Acceptance: validation report within 120 s; approved parameters active for next pulse; ramp waveform followed within ±2%; no plant state transition or outage required during parameter upload. Rationale: STK-REQ-008 specifies an inter-pulse physics scenario workflow — a demonstration on commissioning plant is required to confirm that the full upload→validate→approve→activate cycle works within a realistic inter-pulse interval (typically 15-30 minutes) without disrupting ongoing operations. Testing parameter injection through the scenario management API provides confidence that the IEC 62443-3-3 access-controlled upload path and validation logic function correctly. | Demonstration | idempotency:val-424-ver-scenario-mgmt |
| VER-REQ-130 | Verify SUB-REQ-066: Inspect the Quench Detection System enclosure to confirm 19-inch rack-mounted form factor, seismic qualification certificate per IEEE 344 at the site-specific SSE response spectrum, and IP54 or better ingress protection rating. Perform conducted noise immunity test on all analogue input channels with the superconducting coil energised at full field (dB/dt = 10 T/s): measure noise voltage on each channel and verify ≤1 mV. Pass criterion: all channels ≤1 mV noise; IP54 confirmed by inspection; seismic qualification certificate on file. Rationale: SUB-REQ-066 mandates a seismically-qualified rack enclosure for the QDS with 1 mV conducted noise immunity under full coil energisation. IEEE 344 qualification requires documented shake-table evidence; IP54 is verified by inspection against ingress protection certificates. The 1 mV noise floor is verified under live coil energisation because laboratory bench test cannot replicate the actual dB/dt field environment of 10 T/s from the pulsed superconducting magnets — on-site commissioning measurement is the only valid verification method. | Inspection | verification, qds, seismic, session-426, idempotency:ver-sub066-seismic-enclosure-426 |
| VER-REQ-131 | Verify SUB-REQ-067: During construction inspection and pre-commissioning, inspect the Fusion Reactor Control System equipment enclosures to confirm: (1) IP54 or better rating per IEC 60529, confirmed by certificate of conformity; (2) construction from non-combustible materials as defined in IEC 60695-11-10 (flammability class V-0 minimum), confirmed by material certification; (3) installation in a radiation-controlled area with dose rate monitoring records not exceeding 100 mSv/hr at installation; (4) all external interface connectors meeting IEC 60068 environmental qualification. Pass criterion: all four conditions confirmed by physical inspection and documentary evidence. Rationale: SUB-REQ-067 specifies nuclear-grade enclosure requirements, radiation area constraints, and qualified connector standards. Physical inspection of installed hardware against design certificates is the appropriate verification method for enclosure compliance requirements. The 100 mSv/hr limit is a regulatory boundary condition for worker access classification under IAEA GSR Part 3, not a performance parameter testable by function — only radiological area survey confirms installation compliance. | Inspection | verification, frcs, seismic, enclosure, session-426, idempotency:ver-sub067-frcs-enclosure-426 |
| VER-REQ-132 | Verify SUB-REQ-068: During site acceptance inspection, confirm that each Quench Detection System unit is: (1) installed within 10 m of its associated superconducting magnet coil assembly (verified by as-installed survey measurement); (2) housed in a dedicated radiation-hardened enclosure confirmed rated for neutron fluence of at least 1 times 10 to the power 14 neutrons per square centimetre over 20 years by materials certification and dose accumulation calculation; (3) on a separate chassis and power supply from all non-safety systems (verified by inspection of power distribution drawings and physical wiring). Pass criterion: all three conditions confirmed by measurement, certification, and inspection. Rationale: SUB-REQ-068 specifies three independent physical constraints for QDS hardware: proximity to each magnet coil, neutron fluence rating, and chassis segregation from non-safety systems. All three are physical installation and qualification properties that cannot be functionally tested; they must be verified by as-installed survey measurement and review of material qualification certificates. The 10 m cable run limit is a signal integrity constraint — longer runs would degrade quench detection sensitivity to below the voltage threshold at which quench events are distinguishable from electromagnetic noise. | Inspection | verification, qds, seismic, neutron, session-426, idempotency:ver-sub068-qds-proximity-426 |
| VER-REQ-133 | Verify SUB-REQ-122: On a GPVC test bench with dual solenoid drive channels active, disable Channel A power supply and measure: (1) gas injection continuity through Channel B — no interruption exceeding 5 ms during or after channel switch; (2) channel-fail alarm receipt at POS test interface within 100 ms of fault injection. Pass criteria: both conditions met in three consecutive trials. Rationale: Integration test verifying GPVC fault-tolerance behaviour at the hardware level; covers both the sustained-operation and alarm-latency acceptance criteria in SUB-REQ-122. | Test | verification, gas-puffing-valve-controller, session-427, idempotency:ver-sub-122-427 |
| VER-REQ-134 | Verify SUB-REQ-123: Submit GPVC material qualification test report to procurement authority demonstrating: (1) helium leak rate less than 1e-9 Pa/m3/s after 500 h tritium gas exposure at 1 bar; (2) electrical functional test within specification after neutron irradiation to 1e14 n/cm2 (>1 MeV) equivalent fluence in a reactor test facility. Pass criteria: documented test records with witness signatures accepted by nuclear safety authority. Rationale: Qualification by test is the only acceptable method for tritium-wetted components in a nuclear licensing basis; inspection of design documents alone is insufficient per IEC 61513 and ITER procurement rules. | Test | verification, gas-puffing-valve-controller, session-427, idempotency:ver-sub-123-427 |
| VER-REQ-135 | Verify SUB-REQ-124: Inspect the GPVC project qualification dossier and confirm: (1) design specification references IEC 61513 Category B; (2) procurement records include ITER PR-T-1 compliance certificate; (3) qualification records are stored in the project configuration management system with revision history. Pass criteria: all three artefacts present and accepted by the project safety authority. Rationale: Regulatory compliance for Category B I&C components is verified by document inspection against the procurement specification; functional testing cannot substitute for the paper trail required by the licensing basis. | Inspection | verification, gas-puffing-valve-controller, session-427, idempotency:ver-sub-124-427 |
| VER-REQ-136 | Verify SUB-REQ-125: Inspect the Plant Operations Sequencer software lifecycle documentation package and confirm: (1) design specification document references IEC 62138 Category B; (2) integration test report is present and signed; (3) V&V report is accepted by the project nuclear safety authority; (4) all documents are under configuration management with change history. Pass criteria: all four artefacts present and approved. Rationale: Software lifecycle compliance for nuclear Category B software is verified by document inspection; the completeness of the lifecycle documentation package is the primary audit evidence required by regulatory authority. | Inspection | verification, plant-operations-sequencer, session-427, idempotency:ver-sub-125-427 |
| VER-REQ-137 | Verify SUB-REQ-022: In hardware-in-the-loop simulation, inject a growing n=2 NTM mode at threshold rate. Confirm: (1) MHD Mode Stabiliser detection within 150 ms; (2) ECRH gyrotron steering command within 200 ms of detection; (3) NTM stabilisation within 30 s. Pass: all timing thresholds met in 10 consecutive runs. Rationale: SUB-REQ-022 specifies NTM detection and response timing requiring closed-loop HIL validation because FPGA-based ECRH steering cannot be validated by inspection alone. | Test | idempotency:ver-sub-022-428 |
| VER-REQ-138 | Verify SUB-REQ-026: With all four HCDC heating systems injecting simultaneously, command combined power to exceed 50 MW. Confirm HCDC Supervisory and Safety Arbiter enforces the 50 MW ceiling by curtailing injection within 100 ms and latching the power limit until operator reset. Pass: injected power does not exceed 52 MW in any 10 ms window across 5 test runs. Rationale: SUB-REQ-026 specifies a hard power ceiling for plasma heating that prevents first-wall thermal damage — a safety-critical test that must be performed on integrated hardware because the safety arbiter is a cross-subsystem enforcement point. | Test | idempotency:ver-sub-026-428 |
| VER-REQ-139 | Verify SUB-REQ-024: With all PCS nodes connected to the real-time data bus, measure inter-node clock synchronisation using a precision time interval analyser. Record 1000 synchronisation events at 10 kHz cycle. Pass: maximum inter-node skew does not exceed 500 ns in any measurement; no missed synchronisation pulses observed in 10-minute continuous run. Rationale: SUB-REQ-024 specifies a 10 kHz clock synchronisation with 500 ns maximum skew across all PCS nodes — a timing requirement that cannot be verified by inspection and must be measured on integrated hardware with production cabling and topology. | Test | idempotency:ver-sub-024-428 |
| VER-REQ-140 | Verify REQ-139 (safe state definition): During integrated SCRAM commissioning test, initiate a controlled SCRAM from full-power burn state. Verify using independent instrumentation that all conditions are achieved within 5 seconds: superconducting magnet current ramps at zero (±5A), all heating system power at zero (±1kW), plasma current below 10 kA, all fuel injection valves closed (confirmed by valve position switches). Rationale: The safe state definition in REQ-139 specifies four discrete measurable end-conditions. Each condition must be verified by independent instrumentation (not the FRCS itself) to confirm the SCRAM function has achieved the required state. Integration testing with physical hardware is the only valid verification method for a safety function of this criticality. | Test | idempotency:ver-safe-state-def-qc-432 |
| VER-REQ-141 | Verify REQ-142 (GPVC dual-channel redundancy): With GPVC operating normally, inject a single-channel failure (hardware fault injection on primary drive circuit). Measure time from fault injection to valve closure using a Hall-effect current sensor on the valve solenoid. Pass: valve closes within 10 ms. Then verify secondary channel can command valve open within 50 ms of primary failure detection, confirmed by valve position switch readback. Rationale: REQ-142 specifies 10 ms valve closure on single-channel failure and 50 ms secondary channel command. Fault injection testing on the physical hardware is required because the dual-channel behaviour cannot be verified by inspection or analysis of logic alone — actual switching transients and solenoid response times must be measured under hardware-fault conditions. | Test | idempotency:ver-gpvc-redundancy-qc-432 |
| VER-REQ-142 | Verify REQ-143 (ethical safety obligations): Review FRCS safety documentation to confirm: (1) FMEA shows no single software fault path suppresses SCRAM without hardware interlock activation; (2) safety parameter modification audit log shows dual-authorisation enforcement for all changes since commissioning; (3) safety system design documentation shows no operational convenience inhibit capability exists in the hardware-enforced safety path. Rationale: The ethical safety obligation (REQ-143) concerns system architecture and procedural controls rather than real-time performance. Inspection of FMEA analysis, audit logs, and design documentation is the appropriate verification method: the absence of a capability (single-point suppression, unauthorised inhibit) is most reliably verified by examining the design rather than testing for exhaustive failure scenarios. | Inspection | idempotency:ver-ethical-safety-qc-432 |
flowchart TB n0["component<br>Trip Parameter Monitor"] n1["component<br>Safety Logic Processor"] n2["component<br>Emergency Shutdown Sequencer"] n3["component<br>Safety Parameter Display"] n0 -->|trip signal 24VDC| n1 n1 -->|trip actuation| n2 n1 -->|safety status data| n3
Interlock and Emergency Shutdown System — Internal
flowchart TB n0["component<br>Equilibrium Reconstruction Processor"] n1["component<br>Shape and Position Controller"] n2["component<br>Vertical Stability Controller"] n3["component<br>MHD Mode Stabiliser"] n4["component<br>PCS Real-Time Data Bus"] n0 -->|equilibrium state vector| n1 n0 -->|q-profile| n3 n1 -->|vertical position ref| n2 n4 -->|10 kHz sync| n0 n4 -->|10 kHz sync| n3
Plasma Control System — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Burn Condition Monitor | 55F77218 | Real-time fusion burn state monitoring subsystem for a tokamak fusion reactor. Processes neutron flux measurements from 12 fission chambers and 8 activation foil detectors to compute instantaneous fusion power (0–800 MW range, ±2% accuracy) and Q-factor (energy gain). Monitors plasma thermal energy content via diamagnetic loop measurements and compares against burn condition targets. Provides D-T fuel burn fraction estimate (tritium burn efficiency) to the Fuel Injection and Burn Control supervisory. Triggers burn termination if Q < 1 is predicted within 500 ms — feeds directly into the Disruption Prediction and Mitigation System event register. |
| Coil Thermal and Cryogenic Monitor | 54A55218 | Monitoring subsystem for the superconducting coil cold mass and cryogenic cooling circuit of a tokamak. Acquires temperatures from ~200 calibrated Cernox sensors embedded in the coil windings and cryogenic manifolds, liquid helium flow rates, supercritical helium inlet/outlet temperatures, and coil cold mass strain gauges. Provides real-time coil thermal state to the Quench Detection System as a secondary quench indicator (temperature rise > 0.5 K above baseline) and to Plant Control for cryoplant control. Operates at 4.5 K with radiation-hardened electronics in the tokamak building. |
| Diagnostic Data Multiplexer | 40F57308 | Software-defined routing layer that receives diagnostic data streams from all four PDIS sensors and conditioning units, then distributes them to their respective consumers: Equilibrium Reconstruction Processor (magnetic data), Disruption Precursor Monitor (disruption suite data), and Plant Data Historian (all channels). Manages data prioritisation — real-time control consumers receive data via deterministic RDMA over EtherCAT; archival consumers receive data via best-effort publish-subscribe. Also provides cross-diagnostic timestamp alignment, ensuring all channels are synchronised to the Machine Timing System reference. |
| Disruption Precursor Monitor | 55F77200 | Real-time MHD stability signal processor within the DPMS of a tokamak fusion reactor. Ingests 300+ diagnostic channels at 50 kHz: Mirnov coil oscillation amplitudes (32 coils), locked mode detector flux (4 sensors), βN/βp proximity to Troyon limit, internal inductance drift rate, and radiative collapse indicator from bolometers. Computes 128-element feature vector every 100 μs for delivery to the Disruption Prediction Engine. Operates under 60 T/s magnetic field transients and must tolerate 2 ms blackouts during ELM events without losing feature synchronisation. |
| Disruption Precursor Sensor Suite | 54E55208 | Dedicated array of high-bandwidth sensors targeting disruption precursor signatures: saddle coils for tearing mode detection, soft X-ray bolometer arrays for radiation collapse, Halpha spectroscopy for edge localised modes (ELMs), and vertical position sensors for vertical displacement events (VDEs). Feeds calibrated, time-stamped digital outputs to the Disruption Precursor Monitor at 10 kHz. Separate from the Magnetic Diagnostics Array: this suite is specifically optimised for low-latency, high-sensitivity detection of pre-disruption instabilities rather than equilibrium measurement. |
| Disruption Prediction and Mitigation System | 51F77B19 | Safety-critical subsystem that predicts plasma disruptions 10–100 ms in advance using machine learning classifiers trained on disruption databases and real-time diagnostics (Mirnov coils, bolometers, locked-mode detectors). Upon prediction confidence > 95%, triggers shattered pellet injector (SPI) within 10 ms to perform radiative collapse, preventing unmitigated thermal quenches (>100 MJ deposited on first wall) and halo current spikes (>10 MA). |
| disruption prediction engine | 51F73308 | LSTM-based disruption prediction algorithm deployed on FPGA for deterministic inference. Processes time-series plasma state data (MHD precursors, current profile, stored energy) to predict disruption probability 50ms ahead of onset. Uses neural network architecture inspired by biological temporal pattern recognition but implemented as deterministic digital logic on silicon — not a biological or biomimetic system. Key characteristics: real-time deterministic inference, FPGA implementation, hardwired fallback threshold logic, 3ms inference latency bound. |
| Disruption Prediction Engine | 51F77B19 | LSTM and physics-informed neural network ensemble operating in real-time at 100 Hz, processing multi-channel magnetic and thermal diagnostic signals to predict major plasma disruption events 30-100 ms before onset. Receives input from Equilibrium Reconstruction Processor and Magnetic Diagnostics Array. Outputs disruption probability score and recommended mitigation action to the DPMS Supervisory. Hosted on dedicated GPU-accelerated compute nodes. Purely algorithmic software — no biological components, no biomimetic hardware. The 'neural network' is a mathematical model implemented in software, not biological material. This is an embedded AI inference engine for safety-critical real-time signal classification. |
| DPMS Supervisory and Archive | 50B57300 | Supervisory monitoring and event archive subsystem of the DPMS. Tracks false alarm rate (rolling 24-hour window), model prediction confidence distribution, and missed disruption count against retraining thresholds. Archives complete pre-disruption state vectors (5 s before trigger, 1 ms sample interval, 128 features) and post-mitigation plasma evolution data to a write-once historian. Generates model retraining dataset packages when false alarm rate exceeds 3/day or TP rate falls below 93%. Provides health status to Plant Control and I&C System via OPC-UA. |
| ECRH Controller | 51F57208 | Electron Cyclotron Resonance Heating controller managing an array of 24 gyrotrons at 170 GHz, providing up to 20 MW of injected power via steerable mirror launchers. Controls gyrotron modulation (1 ms on/off response), mirrors for resonance layer targeting, and fast power switching for NTM stabilisation co-deposition. Receives disruption-mode commands from DPMS to redirect power for neoclassical tearing mode stabilisation. Real-time mirror position feedback enables closed-loop steering within ±0.1° accuracy. |
| emergency shutdown sequencer | D7E73019 | Physical hardware sequencer unit that executes the SCRAM action sequence in a fusion reactor. Dedicated single-board computer or programmable logic controller installed in nuclear-grade seismically qualified racks. Physical hardware with discrete I/O for driving solenoid valves, circuit breakers, and actuation relays. The unit has a physical enclosure, power supply, and rack installation in the nuclear island. |
| Emergency Shutdown Sequencer | D6E53218 | Hardware sequencer unit that executes the physical SCRAM action sequence in a fusion reactor. A dedicated rackmount controller with hardwired relay outputs commanding Massive Gas Injection valves, magnetic energy extraction crowbars, NBI beam-off gates, and ECRH interlock. Physical steel cabinet unit qualified to IEEE 344 seismic category I, with redundant power supplies and manual override capability. Executes predefined actuation sequence within 20ms of trip signal, with no software involved in the safety function execution path. Distinct from the Safety Logic Processor (trip logic computation) and IESS (overall safety system) — the ESS is the electromechanical actuation module. |
| Energy Extraction and Dump System | 54F73218 | Fast energy extraction unit (FEDU) for tokamak superconducting magnet coils. On quench detection or emergency shutdown command, opens switching thyristors to insert dump resistors in series with each coil circuit, diverting the stored magnetic energy (~50 GJ for TF coils) into water-cooled dump resistors. Must complete energy transfer within 30 s for TF coils, 10 s for PF coils. Peak dump resistor voltage ≤20 kV. Redundant thyristor stacks (2oo2 to open, 1oo2 to close fail-safe). Also provides controlled ramp-down capability under normal shutdown. |
| Equilibrium Reconstruction Processor | 54F73208 | Real-time solver for the Grad-Shafranov equation running on dedicated FPGA/DSP cluster. Ingests 160 magnetic measurements (Mirnov coils, flux loops, Rogowski coils) sampled at 10 kHz, reconstructs 2D plasma boundary, current density profile, and q-profile within 100 μs. Primary output is the equilibrium state vector used by shape and position controller. Critical for determining whether plasma is within operational boundaries. Must continue functioning with up to 20% sensor dropout. |
| Fuel Injection and Burn Control | 54F73200 | Subsystem managing fuel (D-T mixture) injection into the plasma via gas puffing (20 valves, 0–100 mbar·L/s), pellet injection (frequency 0–50 Hz, pellet size 2–4 mm), and tritium breeding blanket inventory monitoring. Controls plasma density at 1×10²⁰ m⁻³ ± 5%, regulates fusion power output in burn phase (500 MW thermal), and manages helium ash pumping via divertor pressure control (0.1–1 Pa). |
| Fusion Physics Research Team | 00857AB9 | Scientists and plasma physicists responsible for experiment programme design, plasma scenario optimisation, and advancing fusion gain Q. Defines operational scenarios (plasma current ramps, NBI/ICRH combinations, seeding experiments), analyses diagnostic data post-pulse, and requests control system parameter changes to explore new operating regimes. Key performance metric: achieving Q>1 sustained burn. |
| Fusion Plant Operator | 002D7AF9 | Licensed operator responsible for day-to-day control and supervision of the fusion reactor. Monitors plasma performance displays, authorises mode transitions (ramp-up, flat-top burn, ramp-down), responds to alarms, and executes emergency procedures. Operates from a shielded main control room with 30+ display stations. Must manage multiple simultaneous system states and alarm floods during transients. |
| fusion reactor control system | D7B57819 | Top-level control system for a magnetic confinement fusion reactor (tokamak). Physical system comprising distributed rack-mounted computer hardware, I&C cabinets, operator consoles, and safety logic processors installed across the nuclear island and control room. Requires physical housing in IEC 62262 IK10-rated enclosures. Includes both software and physical hardware components — the system has a physical embodiment as installed plant equipment, not just a software architecture. Physical installation spans multiple rooms in the nuclear facility with defined cable routes and equipment layout. |
| Fusion Reactor Control System | 51F77B19 | Integrated digital control system for a tokamak-class magnetic confinement fusion reactor. Manages plasma initiation, equilibrium control, fusion burn regulation, disruption detection and mitigation, and safe shutdown. Operates in a high-radiation, high-EMI environment with superconducting magnet coils at 4K, 150 MW neutral beam injection, RF heating systems, and a tritium breeding blanket. Safety integrity level SIL-4 equivalent (nuclear). Interfaces with the superconducting magnet power supplies, plasma diagnostics (bolometers, Thomson scattering, interferometers), neutral beam injection system, RF heating system, divertor cooling, tritium processing plant, and site protection system. Governs a 500 MW fusion plasma with burn pulse durations of 300–3600 seconds and plasma current up to 15 MA. |
| Gas Puffing Valve Controller | 55F57A18 | Real-time digital PID controller managing 20 piezoelectric gas injection valves on the tokamak first wall. Each valve has 0-100 mbar gas puff range with <10 ms response time. Controls D-T and impurity gas injection for plasma density regulation and edge cooling. Receives density setpoints from the Plasma Control System Shape and Position Controller. Outputs valve position commands and confirms flow rates via capacitance manometer feedback. Critical for plasma density control and emergency density ramp-down during soft disruption mitigation. |
| HCDC Supervisory and Safety Arbiter | 51B77A30 | Supervisory controller and safety function arbiter for all Heating and Current Drive systems in a tokamak. Maintains the total injected heating power budget (max 50 MW), sequences actuator startup/shutdown, enforces machine protection interlocks from IESS, and resolves competing demands between PCS (steady-state heating) and DPMS (NTM stabilisation). Implements watchdog monitoring of all heating subsystem health states with automatic safe-state command on loss of heartbeat. Archives power deposition profiles to plant historian at 10 Hz. |
| Heating and Current Drive Control | 51F73200 | Subsystem coordinating power delivery from three heating systems: 150 MW neutral beam injection (NBI, 1 MeV D⁰ beams), 50 MW ion cyclotron resonance heating (ICRH at 50–55 MHz), and 20 MW electron cyclotron resonance heating (ECRH at 170 GHz). Controls power ramp rates, beam timing, beam species mix, and RF phase for current drive efficiency. Interfaces with the plasma control system to manage plasma stored energy and fusion gain Q. |
| I&C Maintenance Engineer | 00851278 | Specialist engineer responsible for calibration, testing, and repair of instrumentation and control systems during planned outages. Performs online monitoring during operations, manages spare-part inventory, and executes surveillance tests of safety-classified systems. Must maintain I&C systems in high-radiation and tritium environments; remote handling and HEPA-filtered procedures apply. |
| ICRH Controller | 55F57A08 | Ion Cyclotron Resonance Heating controller managing 8 RF transmitters at 40-55 MHz, delivering up to 20 MW via 8 port antennas. Controls frequency tuning to track plasma resonance layer shift during density and temperature transients, manages voltage standing wave ratio (VSWR) protection to prevent arc damage in antenna feeds, and coordinates fast power ramp-down (<2 ms) on antenna arc detection. Operates in minority heating (H minority) and mode conversion regimes. Interfaces with PCS for real-time frequency correction based on estimated plasma ion cyclotron frequency. |
| Interlock and Emergency Shutdown System | D6E53859 | Hardwired interlock and emergency shutdown system for a tokamak fusion reactor. Physical hardware installed in Class 1E cabinets: trip amplifier racks, relay matrices, and safety PLCs qualified to IEC 61513 Category A. Directly drives coil crowbar circuits, plasma gas injection valves, and magnet protection systems. Physically separated from the control system in a dedicated I&C room with seismic qualification. Redundant power supplies and diverse cooling. |
| Machine Timing and Synchronisation System | 51F77A18 | GPS-disciplined timing master providing sub-microsecond synchronised timestamps and deterministic trigger pulses to all I&C subsystems across the tokamak facility. Generates shot timing reference (T=0), pre-pulse arming triggers, and inter-subsystem synchronisation pulses. Critical for coordinated actuator commands in Plasma Control System (<5 µs jitter) and for timestamping diagnostic data to <1 µs accuracy for post-pulse equilibrium reconstruction. Dual redundant timing channels with automatic switchover. IEEE 1588 PTP and IRIG-B output formats. |
| Magnet Power Supply Controller | 55F53A18 | Digital controller for the thyristor-based AC/DC power converters feeding each superconducting coil circuit (up to 18 TF coils and 6 PF+CS coils). Executes current reference waveforms uploaded by the Plasma Control System for plasma initiation, ramp-up, and flat-top phases. Implements inner current control loop at 1 kHz with ±1 A accuracy. Enforces soft limits (±5% of nominal) and hard trip limits (±10%) on current, voltage, and converter temperatures. Provides galvanic isolation between low-voltage control circuitry and high-voltage (≤68 kV DC) coil bus. |
| Magnet Safety and Protection System | 55F73010 | Dedicated SIL-4 subsystem monitoring 18 toroidal field coils and 9 poloidal field coils operating at 4K with 68 kA currents and 50 GJ stored magnetic energy. Detects quench events via resistive voltage monitoring and passive quench detection loops within 10 ms, triggers quench protection heater firing within 20 ms, and commands energy extraction dumps. Monitors helium cooling circuit pressures (0–2 bar, ±0.01 bar) and temperatures. Independent hardware interlock layer with no software override. |
| Magnetic Diagnostics Array | 54C57200 | Array of Rogowski coils, partial Rogowski sensors, diamagnetic loops, saddle coils, and flux loops distributed around the tokamak vacuum vessel inner wall. Measures plasma current, position, shape, and MHD mode activity in real time. Provides continuous analogue signals at 100 kHz sampled by the PDIS signal conditioning unit. Calibration-critical: absolute accuracy of 0.1% on plasma current integral is required for equilibrium reconstruction. Components are inside or adjacent to the vacuum vessel and subject to neutron flux degradation — calibration drift monitoring is built into the diagnostic cycle. |
| MHD Mode Stabiliser | 55F53208 | Active control system for detection and suppression of neoclassical tearing modes (NTMs), resistive wall modes (RWMs), and ELM (Edge-Localised Mode) mitigation. Uses magnetic perturbation coil arrays and Thomson scattering data to detect mode growth. Drives external saddle coils and resonant magnetic perturbation (RMP) coils. NTM suppression via ECCD current drive at the rational surface: requires real-time q-profile input from equilibrium reconstruction. RWM stabilisation requires rotation and wall distance monitoring. Growth times 50-500ms allow 1 kHz control rate. |
| Mitigation Actuator Controller | 51F53210 | Real-time actuator controller within the DPMS that executes the disruption mitigation sequence. Controls a 6-valve massive gas injection (MGI) cluster capable of injecting 200–500 g of argon or neon into the vacuum vessel in ≤15 ms. Also commands NBI power ramp-down (from 150 MW to zero in 50 ms), ECRH shutdown, and central solenoid current rundown. Receives trigger from Disruption Prediction Engine (probabilistic) or hardwired from Safety Logic Processor (deterministic trip). Must issue first valve open command within 10 ms of trigger. Operates on dedicated 24 VDC battery-backed supply independent of plant power. |
| mode stabiliser | 40800000 | |
| NBI Controller | 51F57000 | Neutral Beam Injector controller for a tokamak fusion reactor. Manages beam line operations for 4 tangential injectors delivering up to 33.4 MW of 100 keV deuterium neutral beams. Controls ion source conditioning, beam calorimeter interlock, accelerator voltage regulation, neutraliser efficiency monitoring, and beam deflection for fast fault shutdown (<5 ms). Receives power setpoints from HCDC Supervisory and outputs beam-on status to IESS. Primary heating and co-current drive actuator for Q>1 plasma operations. |
| Nuclear Regulatory Authority | 008578FD | Government body (e.g. Office for Nuclear Regulation in UK, NRC in US) that licenses, inspects, and regulates the fusion facility. Enforces compliance with nuclear installation safety cases, radiological protection standards, tritium inventory limits, emergency planning, and environmental discharge authorisations. Requires deterministic safety analysis and probabilistic risk assessment documentation. Fusion-specific regulatory framework still emerging (different from fission regulation). |
| Operator Console System | 54EC7B18 | Multi-screen SCADA operator interface providing real-time visualisation of plasma state, machine protection status, subsystem health, and control authority. Three redundant operator workstations (control room, shift supervisor, remote monitoring). Presents unified alarm annunciation, procedure guidance, and plasma operational state from the Plant Operations Sequencer. Does not issue safety commands — supervisory commands only, mediated through Plant Operations Sequencer interlocking. Data refresh at 4 Hz for display; 1 Hz for archival. |
| PCS Real-Time Data Bus | 40A57200 | Deterministic real-time data network interconnecting all Plasma Control System components. Implements MARTe2 (Multi-threaded Application Real-Time executor) framework with reflective memory and shared data store. Guarantees 10 kHz cycle synchronisation across all nodes with <1 μs jitter. Carries equilibrium state vectors, control setpoints, mode amplitudes, and diagnostic data. Failure of the bus triggers a safe state handoff to IESS. Dual-ring topology with automatic failover. |
| pellet injection controller | D6F51018 | Cryogenic pellet injection controller for a tokamak fusion reactor. Physical hardware comprising cryostat containing solid hydrogen pellet formation mechanism, pneumatic gun breach assembly, pellet tracking cameras, and dedicated motion control electronics. Operates at 4-20K for pellet formation, 15-70 bar injection pressure. Injects deuterium-tritium pellets at 50-1000 m/s at 1-10 Hz into the plasma for fuelling and disruption mitigation. Radiation-hardened electronics within the reactor building bioshield. |
| Pellet Injection Controller | DEF51018 | Centrifuge-based pellet injector controller for deep core fuelling of a tokamak plasma. Physical hardware comprising cryogenic systems for pellet formation at 15-18 K, electromagnetic pellet acceleration mechanisms (guide tubes), and digital control electronics. The PIC is a physical installation in the neutral beam cell of the tokamak facility, requiring radiation-hardened enclosures, cryogenic cooling infrastructure, and tritium-compatible materials. Physical embodiment includes a rack-mounted control unit and associated cryostat hardware. |
| Plant Control and I&C System | 50B53218 | Supervisory control and instrumentation system managing the non-plasma balance-of-plant: divertor cooling (primary coolant 300°C/15 MPa, 2000 kg/s), tritium extraction from the breeding blanket, cryogenic system for superconducting magnets (liquid helium at 4K, 10 kW refrigeration), vacuum systems (plasma vessel <10⁻⁶ Pa, cryostat <10⁻⁴ Pa), and power conversion interface. DCS architecture with 250 ms scan cycles, separate from real-time plasma control. |
| Plant Data Historian | 50841308 | High-throughput time-series archival system recording plasma state vectors, diagnostic signals, actuator commands, and alarm events. Ingests data at aggregate 50 MB/s from all subsystems during plasma operations. Provides post-pulse data access for physicists via REST API within 60 seconds of pulse end. Stores minimum 10 years of pulse data with lossless compression. Also provides slow-data trending for plant maintenance and degradation analysis. Distinct from the real-time diagnostic archive; operates on best-effort Ethernet network, not real-time bus. |
| Plant I&C Network Infrastructure | 40857018 | Layered communication network backbone interconnecting all I&C subsystems — control room, plasma control, IESS, diagnostics, heating, and magnet systems. Segregated network zones: real-time deterministic control LAN (EtherCAT/Ethernet POWERLINK, <1ms latency), best-effort monitoring LAN (GbE), and safety-isolated IESS network (physically separate). Cybersecurity enforcement via industrial firewalls, unidirectional data diodes between safety and non-safety zones, and role-based access control. Fibre-optic backbone between buildings for EMI immunity in high-field environment. |
| Plant Operations Sequencer | 51B57A18 | State machine controller managing the operational lifecycle of the fusion reactor — from pre-shot conditioning, plasma initiation and ramp-up, flat-top operation, controlled ramp-down, and post-pulse analysis mode. Issues operating mode commands to all eight subsystems via a supervisory SCADA bus at 10 Hz. Manages permit and interlock logic for mode transitions. Maintains authoritative machine state variable (MSV) consumed by all subsystems. 1oo2 hot-standby redundancy with automatic failover in <500ms. Runs on safety-grade, diverse hardware from plasma control workstations. |
| plasma control system | 51F73A18 | Distributed real-time control system for plasma position, shape, and stability in a tokamak fusion reactor. Physical hardware comprising dedicated DSP controller racks in the control room, I/O chassis interfacing to magnetic flux loops and Rogowski coils, and real-time fibre optic networks to power supply controllers. Implements equilibrium reconstruction at 10 kHz and magnetic field coil current setpoint generation. Operates at 60-80°C ambient in the plant building within magnetic shielding enclosures. |
| Plasma Control System | 51F73A08 | Real-time feedback control subsystem managing plasma equilibrium, current profile, and beta limits. Processes magnetic field measurements from ~200 Mirnov coils and flux loops at 10 kHz, computes equilibrium reconstruction using EFIT++ at 1 kHz, generates coil current setpoints for the 18 poloidal field coils and central solenoid, and enforces operating limits. Controls vertical stability (tau_vde < 100ms), radial position (±2cm), and plasma current (±1% of 15 MA). SIL-4 classified — loss of this function leads directly to disruption. |
| Plasma Diagnostics Integration System | 54E77308 | Data acquisition and integration subsystem processing raw signals from 300+ diagnostic instruments: Thomson scattering (Te and ne profiles at 50 ms intervals), charge exchange recombination spectroscopy (ion temperature and rotation), bolometry (radiated power 0–200 MW), interferometry (line-averaged density), neutron cameras (neutron emission profile), and spectroscopy (impurity monitoring). Provides validated, time-stamped data to the plasma control system, disruption predictor, and data archiving at 1 Hz–10 kHz depending on diagnostic. |
| quench detection system | D6E55018 | Physical hardware quench detection system for superconducting magnets in a tokamak fusion reactor. Physical installation includes voltage bridge measurement circuitry, signal conditioning electronics, and rack-mounted processing units housed in seismically qualified cabinets. The system has physical sensors (voltage taps, Rogowski coils) installed directly on the superconducting coil assemblies and physical signal cables routing through the nuclear island. Physical embodiment is essential for its function — the voltage measurement bridges must be directly connected to the coil terminals. |
| Quench Detection System | 54F77218 | Voltage-bridge-based quench detection subsystem for a tokamak's superconducting magnet coils (TF, PF, CS). Monitors resistive voltage across individual coil pancakes using inductive voltage compensation (dI/dt rejection) to discriminate resistive quench voltage from normal inductive transients. Implements 2oo3 voting on three independent detection channels per coil group. Detection threshold: resistive voltage ≥50 mV for ≥5 ms triggers quench alarm. Maximum detection latency: 20 ms from quench onset to alarm output. SIL-4 classified per IEC 61508. |
| Real-Time Diagnostic Signal Conditioner | D4F55208 | High-speed analogue-to-digital conversion and signal conditioning front-end for all real-time plasma diagnostics, including magnetic coil signals, soft X-ray detectors, and interferometry. Digitises up to 512 channels at 100 kHz, 16-bit resolution. Provides noise-filtered, calibrated digital outputs to the Equilibrium Reconstruction Processor and Disruption Precursor Monitor with latency <100 µs. Anti-aliasing filters, galvanic isolation per channel, and real-time self-calibration against known reference signals. Housed in radiation-hardened enclosures within the diagnostics hall. |
| safety arbiter | D6A51858 | Hardware safety voting arbiter for a tokamak fusion reactor HCDC subsystem. Physical 2oo3 voting relay assembly housed in a Class 1E cabinet in the nuclear island. Receives independently processed channel votes from the IESS and heating control loops via hardwired connections. Acts as the authoritative hardware interlock for plasma heating power. Physical enclosure with tamper-evident seals, radiation-hardened relay coils, and hardwired output to plasma-facing heating power switches. Qualified to IEC 61513 Category B. Physical box with physical I/O terminals — not a software function. |
| safety logic processor | D6F73018 | Hardware-based SIL-4 safety logic processor for nuclear I&C applications. A physical 19-inch rackmount unit containing redundant FPGA processing elements with hardwired voting logic for trip parameter comparison. Receives analog and digital inputs from trip parameter monitors, computes 2oo3 voting logic on-board, and outputs hardwired relay signals to the Emergency Shutdown System. Physical unit with deterministic cycle time <10ms, qualified to IEEE 344 seismic requirements and IEC 60780 nuclear qualification standard. Installed in safety building separation zones with physical segregation from control system hardware. |
| Safety Logic Processor | D6F73018 | Hardware-based SIL-3/SIL-4 safety logic processor for nuclear I&C applications. A physical 19-inch rackmount unit containing redundant FPGA processing elements with hardwired voting logic for trip parameter comparison. Receives analog and digital inputs from trip parameter monitors, computes 2oo3 voting logic on-board, and outputs hardwired relay signals to the Emergency Shutdown System. Physical unit with deterministic cycle time <10ms, qualified to IEEE 344 seismic requirements and IEC 60780 nuclear qualification standard. Installed in safety building separation zones with physical segregation from control system hardware. Forms the computation layer of the SIL-3 trip chain. |
| Safety Parameter Display System | 54CD7858 | |
| Shape and Position Controller | 51F53B08 | Feedback controller computing poloidal field coil current setpoints to achieve target plasma shape (elongation κ, triangularity δ, separatrix geometry) and horizontal/vertical position. Runs at 10 kHz on FPGA. Takes equilibrium reconstruction output as input, uses plasma-boundary-based control with isoflux control for gap control. Implements gain-scheduled PID with 48 independent coil channels. Operational limits enforced: plasma centre must stay within ±2 cm of reference, vertical position error < 1 cm before handoff to VSC. |
| Site Protection System | 51F77859 | Nuclear plant safety system independent of the Fusion Reactor Control System. Receives SCRAM demand signals from the interlock system and executes protective actions including breaker opening, diesel generator start, and area isolation. IEC 61511 SIL-3 classified. Owned by nuclear safety engineering group. |
| Superconducting Magnet System | 56D57018 | External system comprising 18 toroidal field coils and 9 poloidal field coils operating at 4K with 68 kA peak currents and 50 GJ stored energy. Receives current setpoint commands from the Fusion Reactor Control System and returns quench status, coil temperatures, and helium pressure readings. Owned by magnet engineering group. |
| Thomson Scattering and Interferometry System | 54C43210 | Electron temperature and density profile diagnostic using pulsed Nd:YAG laser Thomson scattering and millimetre-wave interferometry. Provides electron temperature Te profiles (10 eV to 30 keV range) and line-averaged electron density ne from the interferometer at 50 ms intervals. Primary non-real-time plasma parameter measurement; data are used for post-pulse analysis and slow feedback to plasma scenario control but not for the real-time equilibrium reconstruction. Laser safety interlocked with plasma operation mode. Spectrometer arrays and detectors housed outside the bio-shield. |
| Trip Parameter Monitor | D4E47018 | Redundant (3-channel) analogue/digital signal conditioning and threshold comparison unit for plasma interlock parameters. Monitors plasma current (Ip > 15 MA trip), vertical position error (>0.3 m trip), beta_N (>3.5 trip), and neutron emission rate (>5×10^19 n/s trip). Each channel receives signals from independent sensor sets. Outputs discrete 24V trip signal to Safety Logic Processor within 1 ms of threshold crossing. Channels are physically segregated to prevent common-cause failure. |
| Tritium and Fuel Inventory Controller | 55F77A59 | Nuclear material accountancy and safety interlock subsystem for tritium (T) and deuterium-tritium (D-T) fuel management on a fusion reactor. Tracks tritium inventory across the fuel cycle: storage vessels, torus injection lines, and exhaust processing. Provides real-time tritium activity estimates (Ci-level) to the site safety system and the nuclear regulatory authority telemetry gateway. Enforces hard injection limits: halts all gas puffing and pellet injection if cumulative in-vessel tritium estimate exceeds 30g. Interfaces with the IESS to assert fuel-off interlock when tritium sensors detect leakage above 10 μSv/h at boundary. Subject to nuclear material safeguards regulations. |
| Vertical Stability Controller | 51F73B08 | Dedicated fast digital controller for suppression of n=0 vertical displacement events (VDEs) in elongated plasmas. Runs at 100 kHz on standalone FPGA separate from main PCS hardware to avoid single-point failure. Computes vertical position from saddle coil array and drives vertical field coil power supply within 50 μs. Implements active control with state observer to estimate growth rate; triggers plasma termination handoff to IESS if vertical displacement exceeds 10 cm and growth rate > 50 m/s. |
| Component | Belongs To |
|---|---|
| Plasma Control System | Fusion Reactor Control System |
| Disruption Prediction and Mitigation System | Fusion Reactor Control System |
| Heating and Current Drive Control | Fusion Reactor Control System |
| Magnet Safety and Protection System | Fusion Reactor Control System |
| Fuel Injection and Burn Control | Fusion Reactor Control System |
| Plasma Diagnostics Integration System | Fusion Reactor Control System |
| Plant Control and I&C System | Fusion Reactor Control System |
| Interlock and Emergency Shutdown System | Fusion Reactor Control System |
| Safety Logic Processor | Interlock and Emergency Shutdown System |
| Trip Parameter Monitor | Interlock and Emergency Shutdown System |
| Emergency Shutdown Sequencer | Interlock and Emergency Shutdown System |
| Safety Parameter Display System | Interlock and Emergency Shutdown System |
| Disruption Precursor Monitor | Disruption Prediction and Mitigation System |
| Disruption Prediction Engine | Disruption Prediction and Mitigation System |
| Mitigation Actuator Controller | Disruption Prediction and Mitigation System |
| DPMS Supervisory and Archive | Disruption Prediction and Mitigation System |
| Equilibrium Reconstruction Processor | Plasma Control System |
| Shape and Position Controller | Plasma Control System |
| Vertical Stability Controller | Plasma Control System |
| MHD Mode Stabiliser | Plasma Control System |
| PCS Real-Time Data Bus | Plasma Control System |
| Quench Detection System | Magnet Safety and Protection System |
| Energy Extraction and Dump System | Magnet Safety and Protection System |
| Magnet Power Supply Controller | Magnet Safety and Protection System |
| Coil Thermal and Cryogenic Monitor | Magnet Safety and Protection System |
| Gas Puffing Valve Controller | Fuel Injection and Burn Control |
| Pellet Injection Controller | Fuel Injection and Burn Control |
| Burn Condition Monitor | Fuel Injection and Burn Control |
| Tritium and Fuel Inventory Controller | Fuel Injection and Burn Control |
| HCDC Supervisory and Safety Arbiter | Heating and Current Drive Control |
| NBI Controller | Heating and Current Drive Control |
| ECRH Controller | Heating and Current Drive Control |
| ICRH Controller | Heating and Current Drive Control |
| Plant Operations Sequencer | Plant Control and I&C System |
| Operator Console System | Plant Control and I&C System |
| Machine Timing and Synchronisation System | Plant Control and I&C System |
| Plant I&C Network Infrastructure | Plant Control and I&C System |
| Plant Data Historian | Plant Control and I&C System |
| Magnetic Diagnostics Array | Plasma Diagnostics Integration System |
| Real-Time Diagnostic Signal Conditioner | Plasma Diagnostics Integration System |
| Thomson Scattering and Interferometry System | Plasma Diagnostics Integration System |
| Disruption Precursor Sensor Suite | Plasma Diagnostics Integration System |
| Diagnostic Data Multiplexer | Plasma Diagnostics Integration System |
| From | To |
|---|---|
| Trip Parameter Monitor | Safety Logic Processor |
| Safety Logic Processor | Emergency Shutdown Sequencer |
| Safety Logic Processor | Safety Parameter Display System |
| Disruption Precursor Monitor | Disruption Prediction Engine |
| Disruption Prediction Engine | Mitigation Actuator Controller |
| Disruption Prediction Engine | DPMS Supervisory and Archive |
| Equilibrium Reconstruction Processor | Shape and Position Controller |
| Equilibrium Reconstruction Processor | MHD Mode Stabiliser |
| Shape and Position Controller | Vertical Stability Controller |
| Vertical Stability Controller | Interlock and Emergency Shutdown System |
| PCS Real-Time Data Bus | Equilibrium Reconstruction Processor |
| PCS Real-Time Data Bus | Shape and Position Controller |
| PCS Real-Time Data Bus | MHD Mode Stabiliser |
| Coil Thermal and Cryogenic Monitor | Quench Detection System |
| Quench Detection System | Energy Extraction and Dump System |
| Quench Detection System | Interlock and Emergency Shutdown System |
| Magnet Power Supply Controller | Quench Detection System |
| Burn Condition Monitor | Disruption Prediction and Mitigation System |
| Tritium and Fuel Inventory Controller | Interlock and Emergency Shutdown System |
| Gas Puffing Valve Controller | Plasma Control System |
| Pellet Injection Controller | MHD Mode Stabiliser |
| Plant Operations Sequencer | Plasma Control System |
| Plant Operations Sequencer | Interlock and Emergency Shutdown System |
| Machine Timing and Synchronisation System | Plasma Control System |
| Machine Timing and Synchronisation System | Plasma Diagnostics Integration System |
| Plant Data Historian | Plasma Diagnostics Integration System |
| Plant Operations Sequencer | Operator Console System |
| Magnetic Diagnostics Array | Real-Time Diagnostic Signal Conditioner |
| Disruption Precursor Sensor Suite | Real-Time Diagnostic Signal Conditioner |
| Real-Time Diagnostic Signal Conditioner | Diagnostic Data Multiplexer |
| Diagnostic Data Multiplexer | Equilibrium Reconstruction Processor |
| Diagnostic Data Multiplexer | Disruption Precursor Monitor |
| Diagnostic Data Multiplexer | Plant Data Historian |
| Thomson Scattering and Interferometry System | Plant Data Historian |
| Component | Output |
|---|---|
| Safety Logic Processor | safety trip signal |
| Trip Parameter Monitor | trip threshold signal |
| Emergency Shutdown Sequencer | plasma termination sequence commands |
| Safety Parameter Display System | qualified safety parameter display |
| Disruption Precursor Monitor | 128-element MHD feature vector at 10 kHz |
| Disruption Prediction Engine | disruption risk probability and time-to-disruption estimate at 10 kHz |
| Mitigation Actuator Controller | MGI valve open commands and heating ramp-down signals |
| Equilibrium Reconstruction Processor | 2D equilibrium state vector at 10 kHz (boundary, q-profile, Shafranov shift) |
| Shape and Position Controller | 48-channel poloidal field coil current setpoints at 10 kHz |
| Vertical Stability Controller | vertical field coil setpoint at 100 kHz and VDE trip demand |
| MHD Mode Stabiliser | RMP coil drive commands and ECCD power setpoints for NTM suppression |
| Quench Detection System | quench-alarm-signal |
| Energy Extraction and Dump System | coil-energy-dump-confirmation |
| Magnet Power Supply Controller | coil-current-waveform |
| Coil Thermal and Cryogenic Monitor | coil-thermal-state-vector |
| Gas Puffing Valve Controller | valve-position-commands |
| Pellet Injection Controller | pellet-injection-events |
| Burn Condition Monitor | fusion-power-estimate |
| Tritium and Fuel Inventory Controller | tritium-inventory-estimate |
| Plant Operations Sequencer | machine state variable |
| Machine Timing and Synchronisation System | synchronised timing pulses and timestamps |
| Plant Data Historian | archived pulse data record |
| Magnetic Diagnostics Array | plasma current position and MHD mode signals |
| Real-Time Diagnostic Signal Conditioner | calibrated real-time digital diagnostic streams |
| Thomson Scattering and Interferometry System | electron temperature and density profiles |
| Disruption Precursor Sensor Suite | disruption precursor sensor signals |
| Diagnostic Data Multiplexer | routed diagnostic data to control and archival consumers |
| Source | Target | Type | Description |
|---|---|---|---|
| ARC-REQ-010 | SYS-REQ-002 | derives | DPE ontological classification decision supports disruption detection requirement |
| SYS-REQ-002 | ARC-REQ-009 | derives | PDIS architecture delivers diagnostic signals for disruption precursor detection |
| SYS-REQ-004 | ARC-REQ-008 | derives | PCIS layered architecture supports safety-independence and state management |
| SYS-REQ-003 | ARC-REQ-007 | derives | Architecture decision for FIBC derives from fusion power regulation requirement |
| ARC-REQ-006 | SYS-REQ-004 | derives | MSPS hardwired architecture supports SIL-3 shutdown requirement |
| ARC-REQ-004 | SYS-REQ-003 | derives | HCDC architecture supports fusion power regulation requirement |
| ARC-REQ-003 | SYS-REQ-001 | derives | PCS hierarchical architecture supports plasma equilibrium control |
| ARC-REQ-002 | SYS-REQ-002 | derives | DPMS FPGA architecture supports disruption detection timing |
| ARC-REQ-001 | SYS-REQ-004 | derives | IESS 2oo3 architecture supports SIL-3 SCRAM |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-074 | REQ-SEFUSIONREACTORCONTROLSYSTEM-010 | derives | Fault injection test for SLP 1oo2 card independence |
| SUB-REQ-058 | REQ-SEFUSIONREACTORCONTROLSYSTEM-097 | derives | DPM watchdog timeout and risk escalation test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-045 | REQ-SEFUSIONREACTORCONTROLSYSTEM-094 | derives | Pellet injection dual-channel switchover test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-044 | REQ-SEFUSIONREACTORCONTROLSYSTEM-093 | derives | DPE hot-standby failover test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-041 | REQ-SEFUSIONREACTORCONTROLSYSTEM-092 | derives | Safety Arbiter IEC 61513 qualification inspection |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-030 | REQ-SEFUSIONREACTORCONTROLSYSTEM-091 | derives | IESS seismic qualification test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-011 | REQ-SEFUSIONREACTORCONTROLSYSTEM-090 | derives | ESS watchdog hardware test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-067 | REQ-SEFUSIONREACTORCONTROLSYSTEM-039 | derives | Hardware-in-loop test for SLP TMR voting |
| SUB-REQ-009 | VER-REQ-006 | derives | DPMS inference latency → verification test |
| SUB-REQ-011 | VER-REQ-007 | derives | DPMS MGI trigger → verification test |
| SUB-REQ-012 | VER-REQ-008 | derives | DPMS fallback mode → verification test |
| VER-REQ-005 | SUB-REQ-001 | derives | End-to-end IESS chain test verifies IESS trip timing requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-038 | REQ-SEFUSIONREACTORCONTROLSYSTEM-066 | derives | SUB-REQ-069 2-of-3 voted ESS verified by fault injection test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-039 | REQ-SEFUSIONREACTORCONTROLSYSTEM-067 | derives | SUB-REQ-070 TMR SLP verified by two-channel failure HIL test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-043 | REQ-SEFUSIONREACTORCONTROLSYSTEM-068 | derives | SUB-REQ-074 IESS safe state hold of actuators verified by integrated system test |
| SUB-REQ-062 | REQ-SEFUSIONREACTORCONTROLSYSTEM-069 | derives | SUB-REQ-062 safe state definition verified by logic review and inspection |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-073 | SUB-REQ-026 | derives | Verification procedure for HCDC heating power ceiling safety function |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-073 | SUB-REQ-026 | derives | Verification test for HCDC 50 MW heating power ceiling |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-096 | REQ-SEFUSIONREACTORCONTROLSYSTEM-098 | derives | 73 MW aggregate heating power verification derives from coordinated heating control requirement |
| SYS-REQ-001 | SUB-REQ-056 | derives | Plasma position accuracy requirement drives MDA calibration accuracy |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-148 | REQ-SEFUSIONREACTORCONTROLSYSTEM-138 | derives | SUB I&C EMC tolerance derives from SYS EMC requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-147 | REQ-SEFUSIONREACTORCONTROLSYSTEM-137 | derives | SUB diagnostic module MMS interface derives from SYS self-diagnostic requirement |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-143 | derives | Ethical safety obligations derive from SYS-REQ-004 hardware independence requirement |
| SYS-REQ-018 | REQ-SEFUSIONREACTORCONTROLSYSTEM-141 | derives | Parameter upload and validation function derives from SYS-REQ-018 |
| SYS-REQ-017 | REQ-SEFUSIONREACTORCONTROLSYSTEM-140 | derives | Sensor cycle timing budget derives from SYS-REQ-017 display latency requirement |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-139 | derives | Safe state operational definition derives from SYS-REQ-004 SCRAM function |
| SYS-REQ-016 | SUB-REQ-125 | derives | POS IEC 62138 software compliance derives from SYS-REQ-016 sequencing function |
| SYS-REQ-004 | SUB-REQ-124 | derives | GPVC IEC 61513 Category B compliance derives from SIL-3 system classification |
| SYS-REQ-004 | SUB-REQ-123 | derives | GPVC tritium/radiation material qualification supports SIL-3 safety function reliability |
| SYS-REQ-016 | SUB-REQ-122 | derives | GPVC single-channel failover derives from plant operational continuity |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-096 | SUB-REQ-122 | derives | GPVC single-channel failover sustains density control continuity |
| SYS-REQ-017 | SUB-REQ-121 | derives | OCS display requirement implements SYS operator interface |
| SYS-REQ-016 | SUB-REQ-119 | derives | Controlled shutdown sequence implements lifecycle CONTROLLED-SHUTDOWN state |
| SYS-REQ-016 | SUB-REQ-118 | derives | Pre-shot conditioning checklist implements lifecycle PRE-SHOT-CONDITIONING state |
| SYS-REQ-016 | SUB-REQ-050 | derives | POS 8-state machine is the implementation of the lifecycle sequencing requirement |
| SYS-REQ-004 | SUB-REQ-120 | derives | Maintenance mode access control derives from SIL-3 safety function protection |
| SYS-REQ-001 | SUB-REQ-119 | derives | Controlled plasma shutdown derives from plasma equilibrium system requirement |
| SYS-REQ-001 | SUB-REQ-118 | derives | Pre-shot conditioning enables plasma equilibrium achievement |
| SYS-REQ-004 | SUB-REQ-114 | derives | IESS safe state definition derives from SCRAM system requirement |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-133 | derives | GPVC redundancy requirement derives from SCRAM system-essential classification |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-125 | REQ-SEFUSIONREACTORCONTROLSYSTEM-132 | derives | IESS IEC 61513 compliance requirement derives from SYS-REQ-014 standards mandate |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | REQ-SEFUSIONREACTORCONTROLSYSTEM-131 | derives | New SUB req for maintenance bus implements SYS-REQ-011 fault reporting |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-046 | SUB-REQ-113 | derives | SYS-REQ-010 EMC immunity derivation to HCDC source control |
| SYS-REQ-004 | SUB-REQ-112 | derives | SCRAM safe state definition derivation |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-130 | SUB-REQ-046 | derives | Fuel Injection subsystem tritium interlock derives from system tritium monitoring requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-125 | REQ-SEFUSIONREACTORCONTROLSYSTEM-126 | derives | Fuel Inventory Controller nuclear safeguards compliance derives from system-level regulatory standards requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | REQ-SEFUSIONREACTORCONTROLSYSTEM-124 | derives | I&C Diagnostic maintenance bus requirement derives from system-level fault reporting requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-046 | REQ-SEFUSIONREACTORCONTROLSYSTEM-122 | derives | Heating control subsystem derives EMC and performance bounds from system-level requirement |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-123 | derives | Safe state definition closes the definitional gap in the system-level SCRAM requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-112 | REQ-SEFUSIONREACTORCONTROLSYSTEM-113 | derives | DPMS RE detection specification derived from SYS RE detection and mitigation requirement |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-121 | derives | Safety Arbiter physical segregation derived from hardware-enforced independence in SIL-3 SCRAM |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-120 | derives | PIC physical housing and containment derived from safe state fuel injection halt |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-035 | REQ-SEFUSIONREACTORCONTROLSYSTEM-119 | derives | QDS physical installation and radiation hardening derived from SIL-3 seismic qualification |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-035 | REQ-SEFUSIONREACTORCONTROLSYSTEM-118 | derives | FRCS physical boundary definition derived from seismic qualification requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-035 | REQ-SEFUSIONREACTORCONTROLSYSTEM-037 | derives | QDS radiation-hardened dedicated hardware derived from seismic qualification for SIL-3 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-035 | REQ-SEFUSIONREACTORCONTROLSYSTEM-036 | derives | FRCS nuclear-grade enclosure qualification derived from seismic qualification requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | REQ-SEFUSIONREACTORCONTROLSYSTEM-104 | derives | Tritium inventory safeguards reporting derived from system self-diagnostics and fault reporting requirement |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-099 | derives | PIC ITER C2 tritium confinement required for safe nuclear island operation |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-042 | derives | PIC tritium regulatory compliance required to support SIL-3 safe state |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-095 | derives | IESS 1oo2 redundancy architecture derived from SIL-3 SCRAM independence |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-089 | derives | Safe state operational definition derived from SIL-3 SCRAM requirement |
| SYS-REQ-001 | REQ-SEFUSIONREACTORCONTROLSYSTEM-072 | derives | MHD NTM detection performance derived from plasma equilibrium requirement |
| SYS-REQ-002 | REQ-SEFUSIONREACTORCONTROLSYSTEM-065 | derives | DPE validation requirement derived from disruption mitigation performance |
| SYS-REQ-002 | REQ-SEFUSIONREACTORCONTROLSYSTEM-113 | derives | DPMS RE detection derived from disruption mitigation requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-096 | SUB-REQ-029 | derives | ICRH arc protection derived from heating safe operating envelope |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-112 | REQ-SEFUSIONREACTORCONTROLSYSTEM-115 | derives | SYS RE mitigation derives to DPMS MAC injection actuation requirement |
| SYS-REQ-003 | REQ-SEFUSIONREACTORCONTROLSYSTEM-110 | derives | SYS-REQ-003 power regulation → pellet injection controller redundancy |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | REQ-SEFUSIONREACTORCONTROLSYSTEM-109 | derives | SYS-REQ-011 maintenance bus → Plant Data Historian qualified bus requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-046 | REQ-SEFUSIONREACTORCONTROLSYSTEM-108 | derives | SYS-REQ-010 EMI immunity → Plant I&C subsystem shielding |
| SYS-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-107 | derives | SYS-REQ-004 safe state → IESS safe state definition and verification |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-034 | REQ-SEFUSIONREACTORCONTROLSYSTEM-102 | derives | Physical enclosure specification derives from EMC environmental immunity requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-034 | REQ-SEFUSIONREACTORCONTROLSYSTEM-071 | derives | EM/radiation environment requirement drives PIC cabinet specification |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-035 | REQ-SEFUSIONREACTORCONTROLSYSTEM-070 | derives | Seismic qualification flows to QDS physical siting requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | REQ-SEFUSIONREACTORCONTROLSYSTEM-076 | derives | SYS-REQ-011 self-diagnostic and maintenance bus coverage derives IESS channel bypass procedure |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | REQ-SEFUSIONREACTORCONTROLSYSTEM-064 | derives | SYS-REQ-011 fault reporting to MMS derives SUB-REQ-078 PCIS 10s fault reporting |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | SUB-REQ-003 | derives | SYS-REQ-011 90% self-diagnostic derives SUB-REQ-003 TPM 90% fault coverage |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-046 | REQ-SEFUSIONREACTORCONTROLSYSTEM-063 | derives | SYS-REQ-010 EMC no-degradation quantified derives SUB-REQ-077 HCDC EMC tolerance |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-035 | SUB-REQ-061 | derives | SYS-REQ-009 IEEE 344 seismic qualification derives SUB-REQ-061 IESS qualified hardware |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-034 | REQ-SEFUSIONREACTORCONTROLSYSTEM-063 | derives | SYS-REQ-008 EMC performance derives SUB-REQ-077 HCDC EMC tolerance |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-032 | REQ-SEFUSIONREACTORCONTROLSYSTEM-040 | derives | SYS-REQ-007 IEC 62443 SL-2 derives SUB-REQ-071 DPE cryptographic authentication |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-032 | SUB-REQ-054 | derives | SYS-REQ-007 IEC 62443 SL-2 derives SUB-REQ-054 network security zone separation |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-031 | REQ-SEFUSIONREACTORCONTROLSYSTEM-009 | derives | SYS-REQ-006 seismic shutdown derives SUB-REQ-065 FRCS-level 10s seismic safe state |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-031 | SUB-REQ-061 | derives | SYS-REQ-006 seismic shutdown derives SUB-REQ-061 IESS seismic survivability |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | REQ-SEFUSIONREACTORCONTROLSYSTEM-064 | derives | SYS-REQ-011 maintenance reporting flows down to Plant I&C maintenance bus interface |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-046 | REQ-SEFUSIONREACTORCONTROLSYSTEM-063 | derives | SYS-REQ-010 EMC immunity flows down to HCDC heating actuator EMC qualification |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-031 | REQ-SEFUSIONREACTORCONTROLSYSTEM-033 | derives | System seismic qualification requirement allocates physical housing specification to QDS |
| SYS-REQ-002 | SUB-REQ-063 | derives | DPM power requirement derives from disruption detection reliability requirement |
| SYS-REQ-004 | SUB-REQ-062 | derives | Safe state definition derives from system-level SCRAM requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-009 | SUB-REQ-061 | derives | IESS seismic qualification flows from system-level seismic shutdown requirement |
| SYS-REQ-002 | SUB-REQ-060 | derives | DPE heartbeat monitoring ensures mitigation actuation is not blocked by DPE failure |
| SYS-REQ-001 | SUB-REQ-059 | derives | ERP watchdog maintains plasma equilibrium control under computational fault |
| SYS-REQ-002 | SUB-REQ-058 | derives | DPM watchdog maintains disruption mitigation capability when sensor degrades |
| SYS-REQ-004 | SUB-REQ-054 | derives | Network zone separation enforces hardware independence of safety from control |
| SYS-REQ-004 | SUB-REQ-050 | derives | MSV state machine derives from safety shutdown state transition requirements |
| SYS-REQ-001 | SUB-REQ-052 | derives | Position accuracy requirement drives MTSS timing accuracy |
| SYS-REQ-001 | SUB-REQ-055 | derives | Position accuracy requirement drives signal conditioner latency |
| SYS-REQ-002 | SUB-REQ-057 | derives | 50ms disruption detection budget drives DPSS 10 kHz sample rate |
| SYS-REQ-004 | SUB-REQ-001 | derives | IESS trip response time derives from SIL-3 safety shutdown requirement |
| SYS-REQ-002 | SUB-REQ-001 | derives | Trip response time derives from disruption precursor detection window |
| SYS-REQ-004 | SUB-REQ-002 | derives | Fail-safe power design derives from SIL-3 safety shutdown |
| SYS-REQ-004 | SUB-REQ-004 | derives | ESS timing derives from SIL-3 safety shutdown |
| SYS-REQ-002 | SUB-REQ-009 | derives | SYS disruption detection → DPMS inference latency |
| SYS-REQ-002 | SUB-REQ-010 | derives | SYS disruption detection → DPMS prediction accuracy |
| SYS-REQ-002 | SUB-REQ-011 | derives | SYS disruption detection → DPMS MGI trigger latency |
| SUB-REQ-003 | SYS-REQ-004 | derives | TPM diagnostic coverage derives from SIL-3 coverage gate in IEC 61508 |
| SUB-REQ-005 | SYS-REQ-004 | derives | SPDS qualified display requirement derives from SIL-3 safety system requirement |
| SUB-REQ-006 | SYS-REQ-004 | derives | IESS physical segregation derives from SIL-3 independence requirement |
| SUB-REQ-007 | SYS-REQ-004 | derives | IESS UPS requirement derives from SIL-3 power independence obligation |
| SUB-REQ-013 | SYS-REQ-002 | derives | DPM feature vector output requirement derives from system disruption detection timing budget |
| SUB-REQ-014 | SYS-REQ-005 | derives | DPMS pre-disruption archive derives from system plasma state archive requirement |
| SYS-REQ-001 | SUB-REQ-018 | derives | ERP update rate derives from plasma equilibrium control requirement |
| SYS-REQ-004 | SUB-REQ-021 | derives | VSC trip threshold derives from SIL-3 automatic safety function |
| SYS-REQ-001 | SUB-REQ-019 | derives | ERP dropout tolerance derives from plasma equilibrium continuity requirement |
| SYS-REQ-001 | SUB-REQ-020 | derives | Position accuracy requirement derives from plasma equilibrium control |
| SYS-REQ-002 | SUB-REQ-022 | derives | NTM detection requirement derives from disruption precursor detection |
| SYS-REQ-004 | SUB-REQ-023 | derives | VSC hardware independence is a SIL-3 safety architecture requirement |
| SYS-REQ-001 | SUB-REQ-024 | derives | Data bus synchronisation derives from 10 kHz equilibrium control cycle requirement |
| SYS-REQ-004 | SUB-REQ-025 | derives | PCS fail-safe requirement derives from SIL-3 safety function requirement |
| SYS-REQ-003 | SUB-REQ-026 | derives | Heating power budget enforcement derives from system fusion power regulation |
| SYS-REQ-003 | SUB-REQ-028 | derives | ECRH NTM stabilisation derives from fusion power regulation NTM avoidance requirement |
| SYS-REQ-004 | SUB-REQ-027 | derives | NBI fast shutdown derives from SIL-3 safety function requirement |
| SYS-REQ-003 | SUB-REQ-030 | derives | HCDC degraded mode performance floor derives from fusion power regulation continuity |
| SYS-REQ-004 | SUB-REQ-031 | derives | HCDC watchdog derives from SIL-3 automated safe-state requirement |
| SYS-REQ-004 | SUB-REQ-032 | derives | QDS latency derived from SIL-3 safety shutdown requirement |
| SYS-REQ-004 | SUB-REQ-034 | derives | TF dump timing derived from SIL-3 safety shutdown requirement |
| SYS-REQ-001 | SUB-REQ-036 | derives | Coil current accuracy required to achieve plasma equilibrium |
| SYS-REQ-004 | SUB-REQ-033 | derives | 2oo3 voting architecture derives from SIL-3 safety shutdown |
| SYS-REQ-004 | SUB-REQ-035 | derives | PF/CS energy extraction timing derived from SIL-3 shutdown requirement |
| SYS-REQ-001 | SUB-REQ-037 | derives | Coil thermal monitoring required to maintain plasma equilibrium |
| SYS-REQ-004 | SUB-REQ-038 | derives | QDS degraded mode derives from continuous protection requirement |
| SYS-REQ-003 | SUB-REQ-042 | derives | Gas puffing response time derives from fusion power regulation requirement |
| SYS-REQ-004 | SUB-REQ-043 | derives | Tritium ceiling interlock derives from SIL-3 safety requirement |
| SYS-REQ-004 | SUB-REQ-046 | derives | Tritium leak interlock derives from SIL-3 safety requirement |
| SYS-REQ-003 | SUB-REQ-045 | derives | Fusion power accuracy derives from system-level fusion power regulation requirement |
| SYS-REQ-003 | SUB-REQ-047 | derives | Burn termination derives from fusion power regulation requirement |
| SYS-REQ-003 | SUB-REQ-044 | derives | ELM synchronisation derives from fusion power regulation requirement |
| SYS-REQ-003 | SUB-REQ-048 | derives | Cryostat temperature maintenance derives from fusion power regulation requirement |
| SYS-REQ-004 | SUB-REQ-049 | derives | BCM diagnostic coverage derives from SIL-3 safety requirement |
| SYS-REQ-005 | SUB-REQ-053 | derives | Plant Data Historian archival derives from system data archival requirement |
| SYS-REQ-001 | IFC-REQ-026 | derives | MDA-RTDSC interface provides magnetic signals required for equilibrium reconstruction |
| SYS-REQ-002 | IFC-REQ-028 | derives | 50ms disruption response budget drives DPSS delivery latency |
| SYS-REQ-005 | IFC-REQ-025 | derives | System archival requirement drives PDH-PDIS ingest interface spec |
| SYS-REQ-001 | IFC-REQ-018 | derives | MPSC-PCS interface derives from plasma equilibrium control |
| SYS-REQ-004 | IFC-REQ-015 | derives | QDS-IESS hardwired interface required for SIL-3 safety independence |
| SYS-REQ-003 | IFC-REQ-014 | derives | HCDC-PCS setpoint interface derives from fusion power regulation requirement |
| SYS-REQ-004 | IFC-REQ-012 | derives | HCDC-IESS hardwired interface derives from SIL-3 safety function independence |
| SYS-REQ-001 | IFC-REQ-009 | derives | ERP-SPC data interface derives from plasma equilibrium control requirement |
| SYS-REQ-002 | IFC-REQ-011 | derives | ERP-MMS q-profile interface derives from disruption detection requirement |
| SYS-REQ-002 | IFC-REQ-008 | derives | MAC-to-HCDC interface derives from disruption detection and mitigation requirement |
| SYS-REQ-004 | IFC-REQ-005 | derives | SLP-to-ESS interface derives from SIL-3 automatic trip chain requirement |
| SYS-REQ-004 | IFC-REQ-007 | derives | SYS safety shutdown → DPMS-IESS interface |
| SYS-REQ-002 | IFC-REQ-006 | derives | SYS disruption detection → PDIS-DPMS interface |
| SYS-REQ-004 | IFC-REQ-003 | derives | SIL-3 safe shutdown → hardwired interlock interface |
| SYS-REQ-001 | IFC-REQ-002 | derives | Plasma equilibrium control → magnet command interface |
| SYS-REQ-001 | IFC-REQ-001 | derives | Plasma equilibrium control → diagnostic data latency requirement |
| STK-REQ-010 | REQ-SEFUSIONREACTORCONTROLSYSTEM-148 | derives | SYS EMC requirement derives from STK-REQ-010 heating system EMC environment |
| STK-REQ-006 | REQ-SEFUSIONREACTORCONTROLSYSTEM-147 | derives | SYS I&C diagnostics requirement derives from STK-REQ-006 maintenance management obligation |
| STK-REQ-009 | REQ-SEFUSIONREACTORCONTROLSYSTEM-118 | derives | Physical enclosure hardening for seismic and environmental compliance |
| STK-REQ-008 | SYS-REQ-018 | derives | Scenario management requirement derived from physics team workflow need |
| STK-REQ-001 | SYS-REQ-017 | derives | Operator interface requirement derived from stakeholder display need |
| STK-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-130 | derives | Tritium monitoring derived from stakeholder tritium boundary safety need |
| STK-REQ-002 | SYS-REQ-016 | derives | Plasma lifecycle sequencing derives from operator plasma operations requirement |
| STK-REQ-004 | REQ-SEFUSIONREACTORCONTROLSYSTEM-130 | derives | System tritium monitoring requirement derives from stakeholder tritium boundary integrity need |
| STK-REQ-003 | REQ-SEFUSIONREACTORCONTROLSYSTEM-125 | derives | Nuclear I&C standards compliance derives from tamper-evident safety audit log stakeholder requirement |
| STK-REQ-002 | REQ-SEFUSIONREACTORCONTROLSYSTEM-112 | derives | STK disruption mitigation derives to SYS RE mitigation requirement |
| STK-REQ-010 | REQ-SEFUSIONREACTORCONTROLSYSTEM-096 | derives | SYS-REQ-012 heating coordination derives from STK-REQ-010 |
| STK-REQ-006 | REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | derives | STK-REQ-006 self-diagnostic 90% coverage derives SYS-REQ-011 |
| STK-REQ-010 | REQ-SEFUSIONREACTORCONTROLSYSTEM-046 | derives | STK-REQ-010 EM environment derives SYS-REQ-010 EMC no-degradation quantified |
| STK-REQ-009 | REQ-SEFUSIONREACTORCONTROLSYSTEM-035 | derives | STK-REQ-009 seismic survivability derives SYS-REQ-009 IEEE 344 qualification |
| STK-REQ-010 | REQ-SEFUSIONREACTORCONTROLSYSTEM-034 | derives | STK-REQ-010 EM environment constraint derives SYS-REQ-008 EMC performance |
| STK-REQ-003 | REQ-SEFUSIONREACTORCONTROLSYSTEM-032 | derives | STK-REQ-003 tamper-evident audit log derives SYS-REQ-007 cybersecurity architecture |
| STK-REQ-009 | REQ-SEFUSIONREACTORCONTROLSYSTEM-031 | derives | STK-REQ-009 seismic survival derives SYS-REQ-006 seismic shutdown response |
| STK-REQ-003 | REQ-SEFUSIONREACTORCONTROLSYSTEM-032 | derives | Cybersecurity from audit integrity requirement |
| STK-REQ-009 | REQ-SEFUSIONREACTORCONTROLSYSTEM-035 | derives | Seismic qualification derivation |
| STK-REQ-006 | REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | derives | Diagnostics system requirement derives from stakeholder fault reporting need |
| STK-REQ-010 | REQ-SEFUSIONREACTORCONTROLSYSTEM-046 | derives | EMC system requirement derives from stakeholder EMC environment specification |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-035 | STK-REQ-005 | derives | Seismic qualification derives from regulatory compliance stakeholder requirement |
| STK-REQ-010 | REQ-SEFUSIONREACTORCONTROLSYSTEM-034 | derives | Stakeholder EM environment requirement derives to system EMC compliance requirement with IEC test standards |
| STK-REQ-009 | REQ-SEFUSIONREACTORCONTROLSYSTEM-031 | derives | Stakeholder seismic requirement derives to system-level SIL-3 seismic qualification requirement |
| STK-REQ-009 | REQ-SEFUSIONREACTORCONTROLSYSTEM-031 | derives | Stakeholder seismic survivability requirement derives to system SIL-3 seismic qualification requirement |
| STK-REQ-009 | REQ-SEFUSIONREACTORCONTROLSYSTEM-009 | derives | Seismic system requirement derives from stakeholder seismic survivability need |
| STK-REQ-010 | SYS-REQ-001 | derives | EMI immunity requirement derives from plasma control continuity obligation |
| STK-REQ-006 | SYS-REQ-004 | derives | Self-diagnostic 90% coverage derives from IEC 61508 SIL-3 diagnostic coverage gate |
| STK-REQ-005 | SYS-REQ-004 | derives | Online replacement and testing obligation derives from SIL-3 proof-test requirement |
| STK-REQ-003 | SYS-REQ-005 | derives | Tamper-evident audit log stakeholder need derives the plasma state archive system requirement |
| STK-REQ-007 | SYS-REQ-005 | derives | Research data archive → data archiving system req |
| STK-REQ-009 | SYS-REQ-004 | derives | Seismic loading → safety shutdown must survive seismic |
| STK-REQ-004 | SYS-REQ-004 | derives | Tritium boundary → safety shutdown independence |
| STK-REQ-008 | SYS-REQ-003 | derives | Scenario upload → burn regulation implementation |
| STK-REQ-007 | SYS-REQ-003 | derives | Research data archive → burn regulation accuracy |
| STK-REQ-002 | SYS-REQ-002 | derives | Controlled shutdown → disruption mitigation backing |
| STK-REQ-001 | SYS-REQ-002 | derives | Operator display → disruption prediction visible |
| STK-REQ-002 | SYS-REQ-001 | derives | Controlled ramp-down → equilibrium control |
| STK-REQ-001 | SYS-REQ-001 | derives | Operator display latency → plasma equilibrium accuracy |
| Requirement | Verified By | Type | Description |
|---|---|---|---|
| REQ-SEFUSIONREACTORCONTROLSYSTEM-146 | REQ-SEFUSIONREACTORCONTROLSYSTEM-143 | verifies | Inspection-based verification of FRCS ethical safety architectural obligations |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-145 | REQ-SEFUSIONREACTORCONTROLSYSTEM-142 | verifies | GPVC fault injection test verifies dual-channel redundancy timing |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-144 | REQ-SEFUSIONREACTORCONTROLSYSTEM-139 | verifies | SCRAM commissioning test verifies safe state operational definition |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-136 | SUB-REQ-024 | verifies | Hardware measurement of PCS real-time data bus synchronisation skew |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-135 | SUB-REQ-026 | verifies | Integrated test of HCDC Safety Arbiter 50 MW ceiling enforcement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-134 | SUB-REQ-022 | verifies | HIL test verification of MHD Mode Stabiliser detection and response timing |
| SUB-REQ-125 | VER-REQ-136 | verifies | Software lifecycle documentation inspection for POS IEC 62138 Category B compliance |
| SUB-REQ-124 | VER-REQ-135 | verifies | Compliance dossier inspection for GPVC IEC 61513 and ITER PR-T-1 conformance |
| SUB-REQ-123 | VER-REQ-134 | verifies | Material qualification test for GPVC tritium/radiation environment |
| SUB-REQ-122 | VER-REQ-133 | verifies | Integration test for GPVC single-channel failover behaviour |
| SUB-REQ-061 | VER-REQ-132 | verifies | QDS physical proximity to magnets required for seismic functional requirement |
| SUB-REQ-061 | VER-REQ-131 | verifies | Seismic IESS functional qualification encompasses FRCS enclosure inspection |
| SUB-REQ-061 | VER-REQ-130 | verifies | Seismic system-level functional test covers QDS enclosure requirement |
| SUB-REQ-121 | VER-REQ-128 | verifies | OCS display latency and content test verifies SUB-REQ-121 |
| SUB-REQ-050 | VER-REQ-127 | verifies | State machine completeness and broadcast rate test |
| SUB-REQ-119 | VER-REQ-125 | verifies | Shutdown functional test verifies POS controlled ramp-down sequence |
| SUB-REQ-118 | VER-REQ-124 | verifies | Pre-shot conditioning test verifies POS permit logic |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-133 | VER-REQ-123 | verifies | GPVC dual-channel redundancy test verifies 100ms failover |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-132 | VER-REQ-122 | verifies | Safety case review verifies IESS IEC 61513 compliance |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-131 | VER-REQ-121 | verifies | Maintenance bus functional test verifies IEC 61784-3 compliance |
| SUB-REQ-114 | VER-REQ-120 | verifies | Safe state FAT test verifies IESS safe state definition |
| VER-REQ-116 | SUB-REQ-053 | verifies | VER-REQ-116 verifies Plant Data Historian data acquisition in SUB-REQ-053 |
| VER-REQ-115 | SUB-REQ-042 | verifies | VER-REQ-115 verifies Gas Puffing Valve Controller injection timing in SUB-REQ-042 |
| VER-REQ-114 | SUB-REQ-052 | verifies | VER-REQ-114 verifies Machine Timing and Synchronisation System GPS-discipline in SUB-REQ-052 |
| VER-REQ-113 | SUB-REQ-047 | verifies | VER-REQ-113 verifies BCM burn termination signal in SUB-REQ-047 |
| VER-REQ-112 | SUB-REQ-045 | verifies | VER-REQ-112 verifies Burn Condition Monitor neutron flux measurement in SUB-REQ-045 |
| VER-REQ-111 | SUB-REQ-044 | verifies | VER-REQ-111 verifies Pellet Injection Controller ELM pacing in SUB-REQ-044 |
| VER-REQ-110 | SUB-REQ-020 | verifies | VER-REQ-110 verifies PCS equilibrium reconstruction in SUB-REQ-020 |
| VER-REQ-109 | SUB-REQ-014 | verifies | VER-REQ-109 verifies DPMS disruption event classification in SUB-REQ-014 |
| VER-REQ-108 | SUB-REQ-013 | verifies | VER-REQ-108 verifies DPMS diagnostic data throughput in SUB-REQ-013 |
| VER-REQ-106 | REQ-SEFUSIONREACTORCONTROLSYSTEM-123 | verifies | VER-REQ-106 verifies SLP safe-state indicator monitoring in SUB-REQ-108 |
| VER-REQ-105 | REQ-SEFUSIONREACTORCONTROLSYSTEM-089 | verifies | VER-REQ-105 verifies the complete SCRAM safe-state sequence in SUB-REQ-084 |
| VER-REQ-104 | REQ-SEFUSIONREACTORCONTROLSYSTEM-095 | verifies | VER-REQ-104 verifies SUB-REQ-085 single-channel fault tolerance |
| VER-REQ-107 | SUB-REQ-112 | verifies | SAFE-STATE-CONFIRMED timing measurement |
| VER-REQ-098 | SUB-REQ-113 | verifies | HCDC EMC verification link |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-043 | REQ-SEFUSIONREACTORCONTROLSYSTEM-087 | verifies | VER-REQ-085 verifies SUB-REQ-074 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-012 | REQ-SEFUSIONREACTORCONTROLSYSTEM-078 | verifies | VER-REQ-076 verifies SUB-REQ-041 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-010 | REQ-SEFUSIONREACTORCONTROLSYSTEM-074 | verifies | VER-REQ-073 verifies SUB-REQ-039 |
| SUB-REQ-036 | REQ-SEFUSIONREACTORCONTROLSYSTEM-082 | verifies | VER-REQ-080 verifies SUB-REQ-036 |
| SUB-REQ-031 | REQ-SEFUSIONREACTORCONTROLSYSTEM-088 | verifies | VER-REQ-086 verifies SUB-REQ-031 |
| SUB-REQ-030 | REQ-SEFUSIONREACTORCONTROLSYSTEM-080 | verifies | VER-REQ-078 verifies SUB-REQ-030 |
| SUB-REQ-026 | REQ-SEFUSIONREACTORCONTROLSYSTEM-073 | verifies | VER-REQ-072 verifies SUB-REQ-026 |
| SUB-REQ-025 | REQ-SEFUSIONREACTORCONTROLSYSTEM-079 | verifies | VER-REQ-077 verifies SUB-REQ-025 |
| SUB-REQ-019 | REQ-SEFUSIONREACTORCONTROLSYSTEM-081 | verifies | VER-REQ-079 verifies SUB-REQ-019 |
| SUB-REQ-010 | REQ-SEFUSIONREACTORCONTROLSYSTEM-077 | verifies | VER-REQ-075 verifies SUB-REQ-010 |
| SUB-REQ-054 | REQ-SEFUSIONREACTORCONTROLSYSTEM-028 | verifies | VER-REQ-051 verifies SUB-REQ-054 |
| SUB-REQ-046 | REQ-SEFUSIONREACTORCONTROLSYSTEM-027 | verifies | VER-REQ-050 verifies SUB-REQ-046 |
| SUB-REQ-038 | REQ-SEFUSIONREACTORCONTROLSYSTEM-026 | verifies | VER-REQ-049 verifies SUB-REQ-038 |
| SUB-REQ-035 | REQ-SEFUSIONREACTORCONTROLSYSTEM-025 | verifies | VER-REQ-048 verifies FEDU energy extraction speed and dump resistor peak current |
| SUB-REQ-033 | REQ-SEFUSIONREACTORCONTROLSYSTEM-024 | verifies | VER-REQ-047 verifies QDS false alarm rejection and quench detection speed |
| SUB-REQ-007 | REQ-SEFUSIONREACTORCONTROLSYSTEM-020 | verifies | VER-REQ-043 verifies 8-hour battery backup for IESS |
| SUB-REQ-006 | REQ-SEFUSIONREACTORCONTROLSYSTEM-019 | verifies | VER-REQ-042 verifies IESS network isolation |
| SUB-REQ-005 | REQ-SEFUSIONREACTORCONTROLSYSTEM-018 | verifies | VER-REQ-041 verifies SPDS 200 ms refresh latency |
| SUB-REQ-003 | REQ-SEFUSIONREACTORCONTROLSYSTEM-014 | verifies | VER-REQ-037 verifies TPM fault detection coverage |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-127 | REQ-SEFUSIONREACTORCONTROLSYSTEM-129 | verifies | FL registration verification inspects subsystem equipment list entries |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-113 | REQ-SEFUSIONREACTORCONTROLSYSTEM-116 | verifies | VER-116 verifies DPMS RE detection requirement (SUB-REQ-097) |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-115 | REQ-SEFUSIONREACTORCONTROLSYSTEM-117 | verifies | DPMS RE mitigation actuation verified by integrated valve command timing test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-088 | SUB-REQ-031 | verifies | VER verifies HCDC heartbeat monitoring and controller isolation |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-087 | REQ-SEFUSIONREACTORCONTROLSYSTEM-043 | verifies | VER verifies safe state hold hardware interlock |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-085 | SUB-REQ-054 | verifies | VER verifies network security zone penetration resistance |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-082 | SUB-REQ-036 | verifies | VER verifies MPSC ±1A current tracking and hard trip |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-081 | SUB-REQ-019 | verifies | VER verifies ERP 20% channel dropout tolerance |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-080 | SUB-REQ-030 | verifies | VER verifies HCDC power redistribution on actuator failure |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-079 | SUB-REQ-025 | verifies | VER verifies PCS degraded-mode freeze and fault flag |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-078 | REQ-SEFUSIONREACTORCONTROLSYSTEM-012 | verifies | VER verifies DPMS hardwired fallback activation |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-077 | SUB-REQ-010 | verifies | VER verifies DPE 95% TPR performance specification |
| SUB-REQ-001 | VER-REQ-001 | verifies | Trip response time test verifies SUB-REQ-001 |
| SUB-REQ-002 | VER-REQ-002 | verifies | Power-fail-safe test verifies SUB-REQ-002 |
| SUB-REQ-004 | VER-REQ-004 | verifies | ESS timing test verifies SUB-REQ-004 |
| SUB-REQ-018 | VER-REQ-010 | verifies | ERP update rate verified by HIL latency test |
| SUB-REQ-021 | VER-REQ-012 | verifies | VSC trip threshold verified by HIL injection test |
| SUB-REQ-027 | VER-REQ-016 | verifies | NBI beam deflection test verifies fast shutdown requirement |
| SUB-REQ-032 | VER-REQ-020 | verifies | Coil emulator test for 20 ms detection latency |
| SUB-REQ-034 | VER-REQ-021 | verifies | Scaled coil surrogate energy dump test |
| SUB-REQ-043 | VER-REQ-026 | verifies | Test of 30g tritium ceiling hard limit enforcement |
| SUB-REQ-047 | VER-REQ-027 | verifies | End-to-end FIBC burn termination chain test |
| SUB-REQ-051 | VER-REQ-031 | verifies | Failover test for Plant Operations Sequencer |
| SUB-REQ-061 | VER-REQ-035 | verifies | IEEE 344 seismic test verifies IESS seismic qualification requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-027 | SUB-REQ-046 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-027 verifies SUB-REQ-046 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-026 | SUB-REQ-038 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-026 verifies SUB-REQ-038 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-025 | SUB-REQ-035 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-025 verifies SUB-REQ-035 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-024 | SUB-REQ-033 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-024 verifies SUB-REQ-033 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-020 | SUB-REQ-007 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-020 verifies SUB-REQ-007 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-028 | SUB-REQ-054 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-028 verifies SUB-REQ-054 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-018 | SUB-REQ-005 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-018 verifies SUB-REQ-005 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-019 | SUB-REQ-006 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-019 verifies SUB-REQ-006 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-014 | SUB-REQ-003 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-014 verifies SUB-REQ-003 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-029 | REQ-SEFUSIONREACTORCONTROLSYSTEM-030 | verifies | Seismic qualification test verifies IESS IEEE 344 compliance requirement |
| VER-REQ-026 | SUB-REQ-043 | verifies | VER-REQ-026 verifies SUB-REQ-043 |
| VER-REQ-020 | SUB-REQ-032 | verifies | VER-REQ-020 verifies SUB-REQ-032 |
| VER-REQ-021 | SUB-REQ-034 | verifies | VER-REQ-021 verifies SUB-REQ-034 |
| VER-REQ-008 | SUB-REQ-012 | verifies | VER-REQ-008 verifies SUB-REQ-012 |
| VER-REQ-001 | SUB-REQ-001 | verifies | VER-REQ-001 verifies SUB-REQ-001 |
| VER-REQ-002 | SUB-REQ-002 | verifies | VER-REQ-002 verifies SUB-REQ-002 |
| VER-REQ-004 | SUB-REQ-004 | verifies | VER-REQ-004 verifies SUB-REQ-004 |
| VER-REQ-006 | SUB-REQ-009 | verifies | VER-REQ-006 verifies SUB-REQ-009 |
| VER-REQ-007 | SUB-REQ-011 | verifies | VER-REQ-007 verifies SUB-REQ-011 |
| VER-REQ-031 | SUB-REQ-051 | verifies | VER-REQ-031 verifies SUB-REQ-051 |
| VER-REQ-035 | SUB-REQ-061 | verifies | VER-REQ-035 verifies SUB-REQ-061 |
| VER-REQ-012 | SUB-REQ-021 | verifies | VER-REQ-012 verifies SUB-REQ-021 |
| VER-REQ-010 | SUB-REQ-018 | verifies | VER-REQ-010 verifies SUB-REQ-018 |
| VER-REQ-016 | SUB-REQ-027 | verifies | VER-REQ-016 verifies SUB-REQ-027 |
| IFC-REQ-011 | REQ-SEFUSIONREACTORCONTROLSYSTEM-059 | verifies | VER-REQ-064 verifies IFC-REQ-011 |
| VER-REQ-103 | IFC-REQ-028 | verifies | DPSS-DPM sensor latency verification |
| VER-REQ-102 | IFC-REQ-027 | verifies | DDM-ERP RDMA link zero-loss verification |
| VER-REQ-101 | IFC-REQ-024 | verifies | Machine timing signal rise time verification |
| VER-REQ-100 | IFC-REQ-023 | verifies | POS to subsystems MSV broadcast verification |
| VER-REQ-099 | IFC-REQ-022 | verifies | BCM-DPMS interface verification |
| IFC-REQ-026 | REQ-SEFUSIONREACTORCONTROLSYSTEM-084 | verifies | VER-REQ-082 verifies IFC-REQ-026 |
| IFC-REQ-025 | REQ-SEFUSIONREACTORCONTROLSYSTEM-083 | verifies | VER-REQ-081 verifies IFC-REQ-025 |
| IFC-REQ-018 | REQ-SEFUSIONREACTORCONTROLSYSTEM-062 | verifies | VER-REQ-067 verifies IFC-REQ-018 |
| IFC-REQ-017 | REQ-SEFUSIONREACTORCONTROLSYSTEM-061 | verifies | VER-REQ-066 verifies IFC-REQ-017 |
| IFC-REQ-014 | REQ-SEFUSIONREACTORCONTROLSYSTEM-060 | verifies | VER-REQ-065 verifies IFC-REQ-014 |
| IFC-REQ-004 | VER-REQ-003 | verifies | Interface propagation delay test verifies IFC-REQ-004 |
| IFC-REQ-010 | VER-REQ-011 | verifies | VSC-IESS trip interface verified by hardwired propagation test |
| IFC-REQ-012 | VER-REQ-014 | verifies | Hardware beam-off bus test verifies HCDC-IESS interface |
| IFC-REQ-013 | VER-REQ-015 | verifies | DPMS-ECRH latency test verifies NTM command interface |
| IFC-REQ-015 | VER-REQ-018 | verifies | Integration test for QDS-IESS hardwired interface |
| IFC-REQ-016 | VER-REQ-019 | verifies | Fibre-optic alarm channel test for QDS-FEDU interface |
| IFC-REQ-017 | VER-REQ-022 | verifies | CTCM-QDS interface tested as part of end-to-end chain |
| IFC-REQ-019 | VER-REQ-023 | verifies | Integration test for GPVC-PCS density setpoint interface |
| IFC-REQ-020 | VER-REQ-024 | verifies | Timing jitter test for PIC-MMS ELM trigger interface |
| IFC-REQ-021 | VER-REQ-025 | verifies | Safety relay test for TFIC-IESS interlock interface |
| IFC-REQ-022 | VER-REQ-028 | verifies | Integration test for BCM-DPMS data bus interface |
| IFC-REQ-023 | VER-REQ-029 | verifies | Integration test for MSV broadcast latency |
| IFC-REQ-024 | VER-REQ-030 | verifies | Integration test for MTSS timing distribution accuracy |
| IFC-REQ-027 | VER-REQ-032 | verifies | Integration test for DDM to ERP data delivery |
| IFC-REQ-028 | VER-REQ-033 | verifies | Integration test for DPSS to DPM delivery latency and timestamp accuracy |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-023 | IFC-REQ-003 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-023 verifies IFC-REQ-003 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-022 | IFC-REQ-002 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-022 verifies IFC-REQ-002 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-021 | IFC-REQ-001 | verifies | REQ-SEFUSIONREACTORCONTROLSYSTEM-021 verifies IFC-REQ-001 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-050 | IFC-REQ-004 | verifies | TPM-SLP interface timing and isolation test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-051 | IFC-REQ-005 | verifies | SLP-ESS energise-to-hold interface fail-safe test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-052 | IFC-REQ-007 | verifies | DPMS-IESS dual-channel timing test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-053 | IFC-REQ-010 | verifies | VSC-IESS VDE trip propagation timing test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-054 | IFC-REQ-012 | verifies | HCDC beam-off hardwired independence test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-055 | IFC-REQ-015 | verifies | QDS-IESS relay timing test |
| VER-REQ-015 | IFC-REQ-013 | verifies | ECRH NTM command timing verification |
| VER-REQ-019 | IFC-REQ-016 | verifies | QDS-EEDS per-coil quench vector frequency test |
| VER-REQ-023 | IFC-REQ-019 | verifies | Gas puffing density setpoint delivery test |
| VER-REQ-024 | IFC-REQ-020 | verifies | Pellet injection ELM trigger TTL test |
| VER-REQ-025 | IFC-REQ-021 | verifies | Tritium fuelling inhibit relay test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-056 | IFC-REQ-006 | verifies | DPM-PDIS time-sync test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-057 | IFC-REQ-008 | verifies | MAC-HCDC NBI inhibit signal test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-058 | IFC-REQ-009 | verifies | ERP-SPC equilibrium vector delivery test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-059 | IFC-REQ-011 | verifies | ERP-MHD q-profile delivery rate test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-060 | IFC-REQ-014 | verifies | HCDC-PCS setpoint delivery and safe-state test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-061 | IFC-REQ-017 | verifies | CTCM-QDS temperature flag delivery test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-062 | IFC-REQ-018 | verifies | MPSC-PCS coil reference waveform test |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-083 | IFC-REQ-025 | verifies | VER verifies Plant Data Historian 1 kHz ingestion rate |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-084 | IFC-REQ-026 | verifies | VER verifies MDA analogue interface CMRR and linearity |
| IFC-REQ-003 | REQ-SEFUSIONREACTORCONTROLSYSTEM-023 | verifies | VER-REQ-046 verifies hardwired SCRAM independence from software |
| IFC-REQ-001 | REQ-SEFUSIONREACTORCONTROLSYSTEM-021 | verifies | VER-REQ-044 verifies plasma diagnostics network latency |
| IFC-REQ-002 | REQ-SEFUSIONREACTORCONTROLSYSTEM-022 | verifies | VER-REQ-045 verifies magnet system command link failover |
| IFC-REQ-005 | REQ-SEFUSIONREACTORCONTROLSYSTEM-051 | verifies | VER-REQ-056 verifies IFC-REQ-005 |
| IFC-REQ-006 | REQ-SEFUSIONREACTORCONTROLSYSTEM-056 | verifies | VER-REQ-061 verifies IFC-REQ-006 |
| IFC-REQ-007 | REQ-SEFUSIONREACTORCONTROLSYSTEM-052 | verifies | VER-REQ-057 verifies IFC-REQ-007 |
| IFC-REQ-008 | REQ-SEFUSIONREACTORCONTROLSYSTEM-057 | verifies | VER-REQ-062 verifies IFC-REQ-008 |
| IFC-REQ-009 | REQ-SEFUSIONREACTORCONTROLSYSTEM-058 | verifies | VER-REQ-063 verifies IFC-REQ-009 |
| SYS-REQ-018 | VER-REQ-129 | verifies | Scenario upload demonstration verifies SYS-REQ-018 end-to-end |
| SYS-REQ-017 | VER-REQ-128 | verifies | OCS display test verifies system-level operator interface requirement |
| SYS-REQ-016 | VER-REQ-127 | verifies | Verifies state name mapping between SYS and SUB levels |
| SYS-REQ-016 | VER-REQ-126 | verifies | Full-cycle plasma demonstration verifies lifecycle state machine |
| VER-REQ-119 | REQ-SEFUSIONREACTORCONTROLSYSTEM-130 | verifies | VER-REQ-119 verifies tritium monitoring response time in SYS-REQ-015 |
| VER-REQ-118 | SYS-REQ-002 | verifies | VER-REQ-118 verifies system disruption mitigation response time in SYS-REQ-002 |
| VER-REQ-117 | SYS-REQ-001 | verifies | VER-REQ-117 verifies system-level plasma equilibrium accuracy in SYS-REQ-001 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-031 | REQ-SEFUSIONREACTORCONTROLSYSTEM-029 | verifies | VER-REQ-052 verifies SYS-REQ-006 |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-086 | SYS-REQ-004 | verifies | VER verifies full SCRAM-to-safe-state 5 second budget |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-049 | REQ-SEFUSIONREACTORCONTROLSYSTEM-047 | verifies | Fault injection test verifies self-diagnostic coverage and reporting requirement |
| REQ-SEFUSIONREACTORCONTROLSYSTEM-048 | REQ-SEFUSIONREACTORCONTROLSYSTEM-046 | verifies | Integrated EMC test verifies system EMC requirement |
| SYS-REQ-001 | VER-REQ-034 | verifies | End-to-end PDIS to PCS chain verifies SYS-REQ-001 position accuracy |
| SYS-REQ-002 | VER-REQ-017 | verifies | End-to-end disruption mitigation chain test verifies system disruption detection requirement |
| SYS-REQ-001 | VER-REQ-013 | verifies | End-to-end PCS chain test verifies system-level plasma equilibrium control |
| Ref | Document | Requirement |
|---|---|---|
| SUB-REQ-039 | subsystem-requirements | The Safety Logic Processor SHALL be implemented as two physically independent processor cards operating in 1oo2 de-energ... |
| SUB-REQ-040 | subsystem-requirements | The Emergency Shutdown Sequencer SHALL be implemented on dedicated single-board computer hardware with watchdog timer, w... |
| SUB-REQ-041 | subsystem-requirements | When the Disruption Prediction Engine primary FPGA becomes unavailable, the Disruption Prediction and Mitigation System ... |
| SUB-REQ-064 | subsystem-requirements | The Interlock and Emergency Shutdown System Trip Parameter Monitor, Safety Logic Processor, and Emergency Shutdown Seque... |
| SUB-REQ-065 | subsystem-requirements | When a safe shutdown earthquake is detected at plant level, the Fusion Reactor Control System SHALL maintain all SIL-3 s... |
| SUB-REQ-066 | subsystem-requirements | The Quench Detection System SHALL be housed in a 19-inch, rack-mounted, seismically-qualified enclosure rated IP54 or be... |
| SUB-REQ-067 | subsystem-requirements | The Fusion Reactor Control System SHALL be housed in a qualified nuclear-grade equipment enclosure rated to IP54 minimum... |
| SUB-REQ-068 | subsystem-requirements | The Quench Detection System SHALL be physically implemented as dedicated, qualified hardware units installed within 10 m... |
| SUB-REQ-069 | subsystem-requirements | The Emergency Shutdown Sequencer SHALL be implemented as a 2-of-3 redundant voted architecture. When one channel fails (... |
| SUB-REQ-070 | subsystem-requirements | The Safety Logic Processor SHALL operate as a fault-tolerant triple modular redundant (TMR) system. When one processing ... |
| SUB-REQ-071 | subsystem-requirements | The Disruption Prediction Engine SHALL implement cybersecurity controls meeting IEC 62443 Security Level 2 (SL-2), inclu... |
| SUB-REQ-072 | subsystem-requirements | The Safety Arbiter SHALL be type-approved under IEC 61513 Category A (highest nuclear I&C category) and certified to IEC... |
| SUB-REQ-073 | subsystem-requirements | The Pellet Injection Controller, including all tritium-handling components, SHALL comply with IAEA SSG-52 (Safety of Fus... |
| SUB-REQ-074 | subsystem-requirements | While the Fusion Reactor Control System is executing or maintaining a safe state, the Interlock and Emergency Shutdown S... |
| SUB-REQ-075 | subsystem-requirements | The Disruption Prediction Engine SHALL incorporate a hot-standby redundant inference node. When the primary node fails t... |
| SUB-REQ-076 | subsystem-requirements | The Pellet Injection Controller SHALL implement dual-channel architecture with independent pellet formation and injectio... |
| SUB-REQ-077 | subsystem-requirements | While operating in the plant electromagnetic environment, the HCDC Supervisory and Safety Arbiter and all heating actuat... |
| SUB-REQ-078 | subsystem-requirements | The Plant Control and I&C System SHALL report detected I&C channel faults to the Maintenance Management System via the q... |
| SUB-REQ-079 | subsystem-requirements | The Disruption Prediction Engine SHALL be validated against a test dataset containing at least 500 disruption precursor ... |
| SUB-REQ-080 | subsystem-requirements | The Quench Detection System SHALL be implemented as a dedicated rack-mounted unit in a seismically-qualified 19-inch equ... |
| SUB-REQ-081 | subsystem-requirements | The Pellet Injection Controller SHALL be housed in a dedicated radiation-tolerant cabinet located in the tritium plant a... |
| SUB-REQ-082 | subsystem-requirements | The MHD Mode Stabiliser NTM detection function SHALL achieve a detection probability of ≥95% for growing n=1 and n=2 isl... |
| SUB-REQ-083 | subsystem-requirements | When a single Trip Parameter Monitor channel is placed into bypass for maintenance, the IESS SHALL automatically reduce ... |
| SUB-REQ-084 | subsystem-requirements | When the SCRAM function is actuated, the Emergency Shutdown System SHALL establish the Reactor Safe State defined as: pl... |
| SUB-REQ-085 | subsystem-requirements | The Interlock and Emergency Shutdown System SHALL implement 1oo2 redundant architecture for all hardware channels betwee... |
| SUB-REQ-086 | subsystem-requirements | The Pellet Injection Controller SHALL comply with ITER nuclear island tritium handling requirements (ITER-D-2X5MRW), mai... |
| SUB-REQ-087 | subsystem-requirements | The Fusion Reactor Control System SHALL be housed in IEC 62262 IK10-rated enclosures with IP54 ingress protection for nu... |
| SUB-REQ-088 | subsystem-requirements | The Quench Detection System SHALL be implemented as a dedicated hardware assembly physically mounted on each superconduc... |
| SUB-REQ-089 | subsystem-requirements | The Tritium and Fuel Inventory Controller SHALL comply with IAEA safeguards requirements for nuclear material accountanc... |
| SUB-REQ-090 | subsystem-requirements | The Quench Detection System SHALL perform continuous, uninterrupted monitoring of all superconducting coil voltage chann... |
| SUB-REQ-091 | subsystem-requirements | The Disruption Prediction Engine performance thresholds in SUB-REQ-010 (TPR ≥95%, FPR ≤2 events/24h) SHALL be validated ... |
| SUB-REQ-092 | subsystem-requirements | The Interlock and Emergency Shutdown System SHALL define and enforce the reactor safe state as: plasma current ≤10 kA an... |
| SUB-REQ-093 | subsystem-requirements | The Plant Control and I&C System SHALL provide electromagnetic shielding and cable routing for all control signal cables... |
| SUB-REQ-094 | subsystem-requirements | The Plant Data Historian and I&C Network Infrastructure SHALL implement a dedicated qualified maintenance bus compliant ... |
| SUB-REQ-095 | subsystem-requirements | The Pellet Injection Controller SHALL be implemented as a dual-redundant system with automatic warm standby switchover. ... |
| SUB-REQ-096 | subsystem-requirements | The Tritium and Fuel Inventory Controller design and operation SHALL comply with: IAEA Safety Guide SSG-52 (Safety of Fu... |
| SUB-REQ-097 | subsystem-requirements | The Disruption Prediction and Mitigation System SHALL monitor hard X-ray emission and synchrotron radiation signals from... |
| SUB-REQ-099 | subsystem-requirements | When RE_DETECTED is latched, the Mitigation Actuator Controller SHALL command the second-stage Massive Gas Injection val... |
| SUB-REQ-100 | subsystem-requirements | When the FRCS initiates a safe shutdown in response to an interlock trip, the system SHALL transition all subsystems to ... |
| SUB-REQ-102 | subsystem-requirements | The Quench Detection System SHALL be physically realised as a dedicated hardware assembly installed within 10 m of each ... |
| SUB-REQ-103 | subsystem-requirements | The Pellet Injection Controller SHALL be physically housed in a dedicated, radiation-tolerant, enclosed cabinet located ... |
| SUB-REQ-104 | subsystem-requirements | The Safety Arbiter SHALL be physically implemented as a self-contained, type-approved hardware module (IEC 61513 Categor... |
| SUB-REQ-105 | subsystem-requirements | The FRCS SHALL provide closed-loop power control for ion cyclotron resonance heating and neutral beam injection systems,... |
| SUB-REQ-106 | subsystem-requirements | The Fusion Reactor Control System SHALL detect runaway electron beam formation following a disruption thermal quench and... |
| SUB-REQ-107 | subsystem-requirements | The Ion Cyclotron and Neutral Beam Heating Control subsystem SHALL maintain closed-loop power control for all installed ... |
| SUB-REQ-108 | subsystem-requirements | The Emergency Shutdown System SHALL define and maintain the reactor safe state as: plasma current = 0 A, all high-voltag... |
| SUB-REQ-109 | subsystem-requirements | The I&C Diagnostic subsystem SHALL transmit all detected channel fault events to the Maintenance Management System via a... |
| SUB-REQ-110 | subsystem-requirements | The Fuel Inventory Controller SHALL comply with IAEA Nuclear Security Series No. 25-G (Physical Protection of Nuclear Ma... |
| SUB-REQ-111 | subsystem-requirements | Each I&C subsystem within the Fusion Reactor Control System SHALL be registered in the plant Formal Equipment List (FL) ... |
| SUB-REQ-115 | subsystem-requirements | The Plant Control and I&C System SHALL implement a qualified maintenance bus compliant with IEC 61784-3 connecting all s... |
| SUB-REQ-116 | subsystem-requirements | The Interlock and Emergency Shutdown System SHALL be designed, verified, and validated in accordance with IEC 61513 Cate... |
| SUB-REQ-117 | subsystem-requirements | The Gas Puffing Valve Controller SHALL implement dual-channel solenoid drive circuitry with independent power supplies f... |
| SUB-REQ-127 | subsystem-requirements | When a safe shutdown earthquake is detected at plant level, the Fusion Reactor Control System SHALL maintain all SIL-3 s... |
| SUB-REQ-128 | subsystem-requirements | The Fusion Reactor Control System SHALL implement cybersecurity controls compliant with IEC 62443-3-3 Security Level 2, ... |
| SUB-REQ-129 | subsystem-requirements | The Fusion Reactor Control System SHALL operate without degradation of control performance in an electromagnetic environ... |
| SUB-REQ-130 | subsystem-requirements | The Fusion Reactor Control System SHALL ensure all SIL-3 classified safety-critical components are qualified to IEEE 344... |
| SUB-REQ-131 | subsystem-requirements | The Fusion Reactor Control System SHALL operate without degradation of control performance (no increase in position erro... |
| SUB-REQ-132 | subsystem-requirements | The Fusion Reactor Control System SHALL provide self-diagnostic coverage of at least 90% of I&C channel faults detectabl... |
| SUB-REQ-133 | subsystem-requirements | The Fusion Reactor Control System SHALL provide coordinated control of all plasma heating and current drive systems — in... |
| SUB-REQ-134 | subsystem-requirements | The Fusion Reactor Control System SHALL be physically implemented as a distributed set of rackmounted equipment assembli... |
| SUB-REQ-135 | subsystem-requirements | The Fusion Reactor Control System SHALL be designed, verified, and validated in accordance with IEC 61513 (Nuclear Power... |
| SUB-REQ-136 | subsystem-requirements | The Fusion Reactor Control System SHALL continuously monitor airborne tritium concentration at all controlled area bound... |
| SUB-REQ-137 | subsystem-requirements | The FRCS I&C diagnostic module SHALL report all detected I&C channel faults to the external Maintenance Management Syste... |
| SUB-REQ-138 | subsystem-requirements | While heating systems are operating, the FRCS I&C channel assemblies SHALL maintain signal integrity such that measured ... |
| SUB-REQ-139 | subsystem-requirements | The Interlock and Emergency Shutdown Subsystem SHALL define and enforce the reactor safe state as: all superconducting m... |
| SUB-REQ-140 | subsystem-requirements | The Plant Control System sensor acquisition module SHALL complete a full sensor cycle — acquiring plasma current, radial... |
| SUB-REQ-141 | subsystem-requirements | The Scenario Parameter Management function SHALL accept parameter file uploads via the secure Physics Operations Interfa... |
| SUB-REQ-142 | subsystem-requirements | The Gas Puffing Valve Controller SHALL implement dual-channel redundant valve drive circuits such that a single-channel ... |
| SYS-REQ-019 | system-requirements | The Fusion Reactor Control System SHALL comply with the ethical obligations of its safety-critical role by ensuring that... |
| SYS-REQ-020 | system-requirements | The Fusion Reactor Control System SHALL provide continuous self-diagnostic coverage of at least 90% of I&C channel fault... |
| SYS-REQ-021 | system-requirements | The Fusion Reactor Control System SHALL maintain specified control performance without degradation in the electromagneti... |
| VER-REQ-037 | verification-plan | Verify SUB-REQ-003: Inject defined hardware faults (open circuit, short, power undervoltage, ADC fault) into each of the... |
| VER-REQ-041 | verification-plan | Verify SUB-REQ-005: Inject step into SPDS signal, measure refresh latency 1000 times. Simulate channel failure, verify a... |
| VER-REQ-042 | verification-plan | Verify SUB-REQ-006: With IESS fully powered, attempt to establish a bidirectional data connection between the safety net... |
| VER-REQ-043 | verification-plan | Verify SUB-REQ-007: Disconnect IESS from site AC power while system is in run-permit state. Record time until first run-... |
| VER-REQ-044 | verification-plan | Verify IFC-REQ-001: Using a precision network analyser on the FRCS-to-Plasma Diagnostics real-time network, inject synth... |
| VER-REQ-045 | verification-plan | Verify IFC-REQ-002: With the FRCS-to-Superconducting Magnet System command link active, inject command sequences on both... |
| VER-REQ-046 | verification-plan | Verify IFC-REQ-003: With the hardwired SCRAM interlock circuit energised, simulate Category A SCRAM demand by de-energis... |
| VER-REQ-047 | verification-plan | Verify SUB-REQ-033: Using a coil voltage emulator configured to inject inductive dI/dt transients at the rated PF coil s... |
| VER-REQ-048 | verification-plan | Verify SUB-REQ-035: With the Energy Extraction and Dump System connected to a scaled PF and CS coil test load, trigger a... |
| VER-REQ-049 | verification-plan | Verify SUB-REQ-038: Force a QDS channel self-test failure on one of the three channels and verify MSPS transitions to 1o... |
| VER-REQ-050 | verification-plan | Verify SUB-REQ-046: Inject a simulated tritium boundary concentration signal above the 10 uSv/h interlock threshold into... |
| VER-REQ-051 | verification-plan | Verify SUB-REQ-054: Using a network packet capture device, verify that no packets from the real-time control LAN are obs... |
| VER-REQ-052 | verification-plan | Verify SYS-REQ-006: Submit IESS Trip Parameter Monitor, Safety Logic Processor, and Emergency Shutdown Sequencer to IEEE... |
| VER-REQ-053 | verification-plan | Verify FRCS EMC compliance: expose fully integrated FRCS to simulated pulsed magnetic field (10 T/s dB/dt) and RF field ... |
| VER-REQ-054 | verification-plan | Verify FRCS self-diagnostic coverage: inject known fault patterns into each I&C channel in turn (simulating all testable... |
| VER-REQ-055 | verification-plan | Verify IFC-REQ-004: Using a calibrated signal injector, apply a TPM trip output to the SLP hardwired input and measure s... |
| VER-REQ-056 | verification-plan | Verify IFC-REQ-005: Simulate SLP power loss and software halt conditions in turn; verify ESS initiates shutdown sequence... |
| VER-REQ-057 | verification-plan | Verify IFC-REQ-007: Inject a synthetic disruption risk probability signal ≥0.85 to DPMS MAC input; measure time to MGI p... |
| VER-REQ-058 | verification-plan | Verify IFC-REQ-010: Command VSC to assert VDE trip condition and measure de-energisation time of normally-energised IESS... |
| VER-REQ-059 | verification-plan | Verify IFC-REQ-012: Assert IESS trip signal and measure time to beam-off delivery at each of three HCDC actuator control... |
| VER-REQ-060 | verification-plan | Verify IFC-REQ-015: Using a relay-based test fixture, assert QDS quench alarm and measure signal propagation time to IES... |
| VER-REQ-061 | verification-plan | Verify IFC-REQ-006: Using GPS-synchronised test fixtures on DPM and PDIS, inject simultaneous 128-channel samples and me... |
| VER-REQ-062 | verification-plan | Verify IFC-REQ-008: With HCDC Supervisory in run-permit state, assert simulated NBI inhibit from MAC test fixture and me... |
| VER-REQ-063 | verification-plan | Verify IFC-REQ-009: Connect ERP test fixture to Shape and Position Controller input. Inject pre-computed equilibrium sta... |
| VER-REQ-064 | verification-plan | Verify IFC-REQ-011: Using an ERP test fixture, inject q-profile data at 1 kHz into the MHD Mode Stabiliser input. Measur... |
| VER-REQ-065 | verification-plan | Verify IFC-REQ-014: Command HCDC Supervisory test fixture to issue closed-loop power setpoints at 50 Hz. Measure PCS set... |
| VER-REQ-066 | verification-plan | Verify IFC-REQ-017: Using a calibrated temperature flag injector at the Coil Thermal and Cryogenic Monitor output, injec... |
| VER-REQ-067 | verification-plan | Verify IFC-REQ-018: Inject coil current reference waveforms from a MPSC test fixture to PCS at rated update frequency. M... |
| VER-REQ-068 | verification-plan | Verify SUB-REQ-069: Configure the Emergency Shutdown Sequencer 2-of-3 test bench. Inject a trip demand into two of three... |
| VER-REQ-069 | verification-plan | Verify SUB-REQ-070: In a hardware-in-the-loop test environment, install all three Safety Logic Processor channels and co... |
| VER-REQ-070 | verification-plan | Verify SUB-REQ-074: During integrated system test with Interlock and Emergency Shutdown System in safe state condition (... |
| VER-REQ-071 | verification-plan | Verify SUB-REQ-062: Review the formal safe state definition document against the IESS logic implementation. Confirm that... |
| VER-REQ-072 | verification-plan | Verify SUB-REQ-026: Inject simulated heating power setpoints via software test interface commanding NBI at 25 MW, ECRH a... |
| VER-REQ-073 | verification-plan | Verify SUB-REQ-039: Remove power from one Safety Logic Processor card while the SLP is operating in its test stand confi... |
| VER-REQ-075 | verification-plan | Verify SUB-REQ-010: Using a validated test dataset of at least 500 disruption sequences and 2000 non-disruption plasma s... |
| VER-REQ-076 | verification-plan | Verify SUB-REQ-041: On the DPMS test bench, halt the primary Disruption Prediction Engine FPGA by removing power while t... |
| VER-REQ-077 | verification-plan | Verify SUB-REQ-025: In a hardware-in-the-loop PCS test, suppress synchronised cycle delivery for 6 consecutive cycles to... |
| VER-REQ-078 | verification-plan | Verify SUB-REQ-030: Configure HCDC at 60 MW nominal (25 MW NBI, 20 MW ECRH, 15 MW ICRH). Simulate ECRH controller failur... |
| VER-REQ-079 | verification-plan | Verify SUB-REQ-019: Configure ERP test bench with 160 synthetic magnetic measurement channels. Force 32 channels (20%) t... |
| VER-REQ-080 | verification-plan | Verify SUB-REQ-036: Connect the Magnet Power Supply Controller to a scaled resistive test coil (1% rated inductance). Up... |
| VER-REQ-081 | verification-plan | Verify IFC-REQ-025: With the Plant Data Historian interface to the Plasma Diagnostics Integration System active, inject ... |
| VER-REQ-082 | verification-plan | Verify IFC-REQ-026: Connect calibrated signal generator to 256 Magnetic Diagnostics Array analogue input channels on the... |
| VER-REQ-083 | verification-plan | Verify SUB-REQ-054 and SYS-REQ-007: Using network penetration test methodology in a factory acceptance test environment:... |
| VER-REQ-084 | verification-plan | Verify SYS-REQ-004 end-to-end safe state transition: In integrated system test with plasma current simulation, from each... |
| VER-REQ-085 | verification-plan | Verify SUB-REQ-074: After reaching safe state in an integrated SCRAM test, attempt to energise each plasma-facing subsys... |
| VER-REQ-086 | verification-plan | Verify SUB-REQ-031: Configure HCDC Supervisory heartbeat monitoring at 100 ms intervals. Suppress the ECRH controller he... |
| VER-REQ-087 | verification-plan | Verify SUB-REQ-040: On hardware test bench, inhibit ESS watchdog refresh and measure time to hardware reset. Connect tes... |
| VER-REQ-088 | verification-plan | Verify SUB-REQ-064: Subject the IESS Trip Parameter Monitor, Safety Logic Processor, and Emergency Shutdown Sequencer to... |
| VER-REQ-089 | verification-plan | Verify SUB-REQ-072: Obtain and review Safety Arbiter vendor qualification documentation including: IEC 61513 Category A ... |
| VER-REQ-090 | verification-plan | Verify SUB-REQ-075: During integrated system test with DPE in active operation, inject a hardware fault causing the prim... |
| VER-REQ-091 | verification-plan | Verify SUB-REQ-076: During pellet injection test sequence, fail the primary injection channel by simulating pellet veloc... |
| VER-REQ-092 | verification-plan | Verify SUB-REQ-058: During integrated DPMS operation, inhibit the Disruption Precursor Monitor output for a period excee... |
| VER-REQ-093 | verification-plan | Verify SYS-REQ-012: With all three HCDC actuator controllers active, command aggregate heating power setpoints from 0 to... |
| VER-REQ-094 | verification-plan | Verify RE detection (REQ-SEFUSIONREACTORCONTROLSYSTEM-114): Connect a calibrated hard X-ray pulse generator to the DPMS ... |
| VER-REQ-095 | verification-plan | Verify RE mitigation actuation (REQ-SEFUSIONREACTORCONTROLSYSTEM-115): On an integrated DPMS test bench with simulated R... |
| VER-REQ-097 | verification-plan | Verify equipment list registration by inspection of the plant Formal Equipment List against the as-installed FRCS subsys... |
| VER-REQ-137 | verification-plan | Verify SUB-REQ-022: In hardware-in-the-loop simulation, inject a growing n=2 NTM mode at threshold rate. Confirm: (1) MH... |
| VER-REQ-138 | verification-plan | Verify SUB-REQ-026: With all four HCDC heating systems injecting simultaneously, command combined power to exceed 50 MW.... |
| VER-REQ-139 | verification-plan | Verify SUB-REQ-024: With all PCS nodes connected to the real-time data bus, measure inter-node clock synchronisation usi... |
| VER-REQ-140 | verification-plan | Verify REQ-139 (safe state definition): During integrated SCRAM commissioning test, initiate a controlled SCRAM from ful... |
| VER-REQ-141 | verification-plan | Verify REQ-142 (GPVC dual-channel redundancy): With GPVC operating normally, inject a single-channel failure (hardware f... |
| VER-REQ-142 | verification-plan | Verify REQ-143 (ethical safety obligations): Review FRCS safety documentation to confirm: (1) FMEA shows no single softw... |