System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.
| Standard | Title |
|---|---|
| BS EN 61000-3 | — |
| EN 61000-2-4 | — |
| IEC 60034-1 | — |
| IEC 60076-1 | — |
| IEC 60364 | — |
| IEC 61000-4-30 | Electromagnetic compatibility — Radiated, radio-frequency, electromagnetic field immunity test |
| IEC 61000-4-7 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61511 | Functional safety — Safety instrumented systems for the process industry sector |
| IEC 61513 | Nuclear power plants — Instrumentation and control important to safety |
| IEC 61850 | — |
| IEC 62061 | — |
| ISO 14001 | — |
| ISO 14577 | — |
| ISO 20485 | — |
| ISO 29148 | — |
| ISO 2919 | — |
| Acronym | Expansion |
|---|---|
| ALARA | As Low As Reasonably Achievable |
| ARC | Architecture Decisions |
| CCCS | Completeness, Consistency, Correctness, Stability |
| CUSC | System Code |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| LOCA | Coolant Accident |
| OBE | Operational Basis Earthquake |
| ONR | Nuclear Safety Regulator |
| SSE | Safe Shutdown Earthquake |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |
| Stakeholder | Relationship | Hex Code |
|---|---|---|
| Control Room Operator | licensed operators managing pulse operations, plasma monitoring, manual intervention during off-normal events. 4 per shift, 24/7. Derived from S-001, S-002, S-004. | — |
| Nuclear Safety Regulator (ONR) | licenses facility, approves safety case, sets dose limits, inspects. First fusion nuclear site licence. Derived from all scenarios. | — |
| Remote Handling Engineer | operates robotic systems for in-vessel maintenance of activated components. Critical path for plant availability. Derived from S-005. | 008532F9 |
| Tritium Plant Operator | manages tritium fuel cycle — separation, storage, fuelling, detritiation, waste. Specific tritium handling certification. Derived from S-001, S-003. | 010D3AF9 |
| Grid Transmission Operator (National Grid ESO) | receives pulsed ~100 MW output, Grid Code compliance, scheduling. Derived from S-001. | — |
| Radiation Protection Adviser | radiological protection ALARP, area classification, dosimetry, environmental discharge monitoring. Derived from S-005, S-004. | 00857AF9 |
| Environment Agency | regulates radioactive waste disposal, atmospheric/liquid discharges, environmental impact. | — |
| Local Community and Public | affected by construction, noise, transport, emergency planning zone, perceived risk. | — |
| Fusion Research Community (UKAEA, EUROfusion) | provides physics basis, validates design assumptions, receives experimental data. | — |
| Decommissioning Authority | end-of-life dismantling, waste categorisation, site remediation. Design for decommissioning. | — |
| Category | Constraint |
|---|---|
| Physical | tokamak hall temperature 15-35°C, seismic design to SSE 0.15g, biological shield minimum 2m concrete equivalent, building footprint ~200m x 150m, total mass ~40,000 tonnes |
| Vacuum | base pressure <1e-6 Pa in ~1000 m3 vessel, leak rate <1e-9 Pa·m3/s per seal, all in-vessel materials UHV-compatible, bake-out to 200°C |
| Cryogenic | magnets at 4.5K, ~80 kW cooling capacity, liquid helium inventory ~50 tonnes, cool-down time ~2 weeks, warm-up time ~1 week |
| Radiation | 14.1 MeV neutron flux ~1e18 n/m2/s at first wall, activation dose rate >10 Sv/hr on in-vessel components post-operation, worker dose limit 20 mSv/year (ALARP target <1 mSv/year) |
| Regulatory | UK Nuclear Installations Act, ONR nuclear site licence, REPPIR emergency planning, Environmental Permitting Regulations for radioactive discharges, COMAH for tritium inventory |
| Electromagnetic | toroidal field 3-4T at plasma centre, pulsed poloidal fields generating significant eddy currents in vessel structures, EMC shielding required for diagnostics and control systems |
| Operational tempo | target 50% availability, pulse duration 2-8 hours, inter-pulse turnaround 30 min to 4 hours, 6-month operational campaigns between 4-month maintenance periods |
| System | Interface | Hex Code |
|---|---|---|
| National Electrical Grid | 400 kV connection, exports ~100 MW during burn, imports ~50 MW for auxiliaries, Grid Code compliance, pulsed power profile coordination | 50C57A58 |
| Helium Supply Chain | commercial helium procurement for make-up, on-site storage and purification, critical for magnet operations | — |
| Cooling Water System | river or sea water abstraction for condenser cooling, environmental thermal discharge limits, drought contingency planning | 56C51018 |
| Radioactive Waste Disposal | low-level and intermediate-level waste routes, spent component storage, decommissioning waste strategy | — |
| Emergency Services | site emergency plan, off-site emergency planning zone coordination, mutual aid agreements with local fire/ambulance | — |
| IAEA Safeguards | tritium accountancy reporting, inspection access for nuclear materials oversight | — |
| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: Plasma disruption — uncontrolled MHD instability dumps up to 1 GJ thermal energy onto first wall in <1ms, EM forces up to hundreds of MN | critical | high | SIL 3 | plasma terminated via massive gas injection, vessel integrity confirmed |
| H-002: Tritium release to environment — uncontrolled release of tritium (1-3 kg inventory) through double-barrier failure | catastrophic | rare | SIL 3 | building ventilation isolated, detritiation system activated |
| H-003: Superconducting magnet quench — loss of superconductivity in coils storing ~50 GJ, rapid helium boil-off | critical | low | SIL 2 | controlled fast discharge to dump resistors, cryogen vented via relief valves |
| H-004: Loss of coolant accident — rupture in cooling circuit, coolant ingress to vessel or loss of decay heat removal | critical | low | SIL 2 | plasma terminated, isolation valves closed, passive decay heat removal |
| H-005: Loss of vacuum — air ingress, exothermic beryllium-air reaction producing toxic/radioactive aerosol | critical | low | SIL 2 | plasma terminated, vessel isolation valves closed, containment filtered |
| H-006: Runaway electron beam — relativistic electrons >10 MeV from disruption current quench, localised first wall perforation | critical | medium | SIL 3 | beam dispersal via massive material injection |
| H-007: Activated dust explosion — beryllium/tungsten dust dispersed by air ingress exceeds explosive limit | critical | rare | SIL 2 | inert gas flood, air ingress sealed, dust inventory below threshold |
| H-008: Loss of cryogenic cooling — helium refrigeration failure causing whole-system magnet quench, asphyxiation risk | critical | low | SIL 2 | controlled magnet discharge, building ventilation maximum, evacuation |
| H-009: Seismic event — earthquake causing vessel/magnet displacement, simultaneous LOCA and quench | catastrophic | rare | SIL 3 | seismic trip, fast plasma shutdown, passive cooling |
| H-010: Neutron streaming — 14.1 MeV neutrons through penetrations exceed shielding, worker dose above limits | major | medium | SIL 1 | radiation interlocks, power reduced until shielding verified |
flowchart TB n0["system<br>STEP Fusion Power Plant"] n1["system<br>STEP Fusion Power Plant"] n2["actor<br>Control Room Operators"] n3["actor<br>Nuclear Safety Regulator (ONR)"] n4["actor<br>National Grid (400kV)"] n5["actor<br>Cooling Water Supply"] n6["actor<br>Helium Supply Chain"] n7["actor<br>Emergency Services"] n8["actor<br>Radioactive Waste Disposal"] n9["actor<br>IAEA Safeguards"] n1 -->|Plasma status, alarms, commands| n2 n1 -->|Safety case, dose reports, incidents| n3 n1 -->|100 MW export / 50 MW import| n4 n5 -->|Condenser cooling water| n1 n6 -->|Liquid helium supply| n1 n1 -->|Emergency alerts, mutual aid| n7 n1 -->|LLW/ILW packages| n8 n1 -->|Tritium accountancy| n9
STEP Fusion Power Plant — Context
flowchart TB n0["subsystem<br>Tokamak Core Assembly"] n1["subsystem<br>Superconducting Magnet System"] n2["subsystem<br>Cryogenic Plant"] n3["subsystem<br>Tritium Plant"] n4["subsystem<br>Power Conversion System"] n5["subsystem<br>Plasma Control System"] n6["subsystem<br>Remote Handling System"] n7["subsystem<br>Vacuum System"] n8["subsystem<br>Radiation Protection System"] n0 -->|Magnetic Field| n1 n2 -->|4.5K Cooling| n1 n3 -->|Fuel / Exhaust| n0 n0 -->|Thermal Power| n4 n5 -->|Control Commands| n0 n5 -->|Coil Commands| n1 n7 -->|Vacuum| n0 n6 -->|Maintenance Access| n0 n8 -.->|Shielding| n0
STEP Fusion Power Plant — Decomposition
| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Plasma Control System | PCS — Internal Components | SIL 3 | complete |
| Tritium Plant | Tritium Plant — Internal Components | SIL 3 | complete |
| Tokamak Core Assembly | Tokamak Core Assembly — Internal Components | SIL 3 | complete |
| Superconducting Magnet System | Superconducting Magnet System — Internal Components | SIL 2 | complete |
| Cryogenic Plant | Cryogenic Plant — Internal Components | SIL 2 | complete |
| Vacuum System | Vacuum System — Internal Components | SIL 2 | complete |
| Power Conversion System | Power Conversion System — Internal Components | SIL 1 | complete |
| Remote Handling System | Remote Handling System — Internal Components | SIL 1 | complete |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The STEP Fusion Power Plant SHALL provide the control room operator with real-time plasma state displays updating at ≥10 Hz, including plasma current, stored energy, density, and MHD stability indicators. Rationale: Control Room Operator, S-001 Full-Power Burn: operators must continuously monitor plasma parameters during 6-hour burn pulses to detect instabilities and decide on intervention timing. | Demonstration | stakeholder, stk-operator, session-506, idempotency:stk-operator-display-506 |
| STK-REQ-002 | The STEP Fusion Power Plant SHALL enable operator-initiated emergency plasma termination within 2 operator actions and ≤5 seconds from decision to actuation. Rationale: test update | Demonstration | stakeholder, stk-operator, session-506, idempotency:stk-operator-emergency-506 |
| STK-REQ-003 | The STEP Fusion Power Plant SHALL demonstrate a deterministic nuclear safety case compliant with ONR Safety Assessment Principles, including fault analysis for all Design Basis Accidents with consequences below ONR Basic Safety Levels. Rationale: Nuclear Safety Regulator (ONR), all scenarios: ONR must license the first fusion nuclear facility; the safety case must meet established nuclear standards adapted for fusion-specific hazards. | Analysis | stakeholder, stk-onr, session-506, idempotency:stk-onr-safetycase-506 |
| STK-REQ-004 | The STEP Fusion Power Plant SHALL maintain tritium inventory accountability to ±0.1 g precision and provide real-time tritium balance reporting to the regulator. Rationale: Nuclear Safety Regulator (ONR), S-003 Tritium Processing Malfunction: tritium is the principal nuclear material; loss-of-accountability triggers regulatory escalation and potential licence conditions. | Test | stakeholder, stk-onr, session-506, idempotency:stk-onr-tritium-accountability-506 |
| STK-REQ-005 | The STEP Fusion Power Plant SHALL provide remote handling capability to replace all in-vessel components (divertor cassettes, blanket modules, diagnostics) without human entry to activated areas. Rationale: Remote Handling Engineer, S-005 Planned Maintenance: in-vessel dose rates exceed 10 Sv/hr post-operation, making human entry impossible; all maintenance must be robotic with hot cell support. | Demonstration | stakeholder, stk-remote-handling, session-506, idempotency:stk-rh-capability-506 |
| STK-REQ-006 | The STEP Fusion Power Plant SHALL complete a full divertor cassette replacement campaign (8 cassettes) within 4 months using remote handling systems. Rationale: Remote Handling Engineer, S-005 Planned Maintenance: 4-month maintenance campaign target drives plant availability to 50%; exceeding this timeline directly reduces energy output and economic viability. | Demonstration | stakeholder, stk-remote-handling, session-506, idempotency:stk-rh-campaign-506 |
| STK-REQ-007 | The STEP Fusion Power Plant SHALL operate a closed tritium fuel cycle with breeding ratio TBR ≥ 1.1, processing exhaust gas to recover unburned tritium within 4 hours of extraction. Rationale: Tritium Plant Operator, S-001 Full-Power Burn: tritium self-sufficiency is a fundamental mission requirement; external tritium supply is limited and expensive, so breeding and recycling must close the loop. | Test | stakeholder, stk-tritium-operator, session-506, idempotency:stk-tritium-fuelcycle-506 |
| STK-REQ-008 | When a tritium system leak is detected, the STEP Fusion Power Plant SHALL automatically isolate the affected line within 30 seconds and activate secondary containment. Rationale: Tritium Plant Operator, S-003 Tritium Processing Malfunction: automatic isolation prevents inventory loss and environmental release; 30s threshold limits release to <0.1 g per scenario analysis. | Test | stakeholder, stk-tritium-operator, session-506, idempotency:stk-tritium-isolation-506 |
| STK-REQ-009 | The STEP Fusion Power Plant SHALL deliver net electrical power of ≥100 MW to the 400 kV grid connection point during steady-state burn, compliant with National Grid ESO Grid Code for frequency response and voltage regulation. Rationale: Grid Transmission Operator (National Grid ESO), S-001 Full-Power Burn: the fundamental mission of STEP is to demonstrate net electricity generation; Grid Code compliance is mandatory for grid connection. | Test | stakeholder, stk-grid-operator, session-506, idempotency:stk-grid-power-506 |
| STK-REQ-010 | The STEP Fusion Power Plant SHALL provide 24-hour advance notification to National Grid ESO of planned pulse schedules and ≥15 minutes warning of unplanned shutdowns. Rationale: Grid Transmission Operator (National Grid ESO), S-001/S-004: pulsed power profile requires grid scheduling; unplanned loss of 100 MW generation affects grid stability. | Demonstration | stakeholder, stk-grid-operator, session-506, idempotency:stk-grid-notification-506 |
| STK-REQ-011 | The STEP Fusion Power Plant SHALL maintain individual worker radiation doses below 20 mSv/year with an ALARP target of <1 mSv/year, through shielding, remote operations, and access controls. Rationale: Radiation Protection Adviser, S-005/S-004: IRR17 dose limits and ALARP principle are non-negotiable regulatory requirements; 14.1 MeV neutron environment and activation make dose management critical. | Analysis | stakeholder, stk-rpa, session-506, idempotency:stk-rpa-dose-506 |
| STK-REQ-012 | The STEP Fusion Power Plant SHALL classify all areas by radiation zone and enforce interlocked access controls preventing entry to zones exceeding the worker's authorised dose rate. Rationale: Radiation Protection Adviser, S-005 Planned Maintenance: maintenance campaigns involve variable dose rates across the facility; automated zoning prevents inadvertent exposure during complex multi-team operations. | Inspection | stakeholder, stk-rpa, session-506, idempotency:stk-rpa-zoning-506 |
| STK-REQ-013 | The STEP Fusion Power Plant SHALL limit all radioactive discharges (gaseous and liquid) to levels below Environmental Permitting Regulations limits, with continuous stack and effluent monitoring. Rationale: Environment Agency: EPR compliance is a condition of operation; continuous monitoring provides the evidence base for the environmental safety case and public dose assessment. | Test | stakeholder, stk-environment-agency, session-506, idempotency:stk-ea-discharges-506 |
| STK-REQ-014 | The STEP Fusion Power Plant SHALL categorise all radioactive waste at source and provide interim storage for ILW with a 100-year design life pending national disposal facility availability. Rationale: Environment Agency: no UK geological disposal facility exists yet for ILW; the plant must demonstrate a credible waste strategy with long-duration interim storage to obtain environmental permits. | Inspection | stakeholder, stk-environment-agency, session-506, idempotency:stk-ea-waste-506 |
| STK-REQ-015 | The STEP Fusion Power Plant SHALL maintain off-site radiation doses below 1 mSv/year to any member of the public, including contributions from routine discharges, direct radiation, and accident scenarios. Rationale: Local Community and Public: public dose limit under IRR17; community acceptance depends on demonstrating that fusion is radiologically safe under all conditions including accidents. | Analysis | stakeholder, stk-public, session-506, idempotency:stk-public-dose-506 |
| STK-REQ-016 | The STEP Fusion Power Plant SHALL implement an emergency planning zone with public notification capability achieving ≥95% population coverage within 15 minutes of a declared nuclear emergency. Rationale: Local Community and Public, S-003/S-004: REPPIR regulations require off-site emergency planning; rapid notification is essential for public protection during tritium release or seismic events. | Demonstration | stakeholder, stk-public, session-506, idempotency:stk-public-emergency-506 |
| STK-REQ-017 | The STEP Fusion Power Plant SHALL provide comprehensive plasma physics diagnostic data (≥40 diagnostic systems) with calibrated, time-synchronised output available to the fusion research community within 30 days of each campaign. Rationale: Fusion Research Community (UKAEA, EUROfusion): STEP's dual mission includes advancing fusion science; diagnostic data validates physics models and informs DEMO/commercial reactor design. | Demonstration | stakeholder, stk-research, session-506, idempotency:stk-research-diagnostics-506 |
| STK-REQ-018 | The STEP Fusion Power Plant SHALL validate tritium breeding blanket performance through in-situ measurement of tritium production rates, neutron spectra, and thermal-hydraulic conditions in breeding modules. Rationale: Fusion Research Community (UKAEA, EUROfusion), S-001: breeding blanket validation is a key STEP mission deliverable; no prior device has operated a breeding blanket in a DT neutron environment at reactor scale. | Test | stakeholder, stk-research, session-506, idempotency:stk-research-blanket-506 |
| STK-REQ-019 | The STEP Fusion Power Plant SHALL be designed for decommissioning with all components classifiable under UK radioactive waste categories, and a demonstrated dismantling sequence achievable within 30 years of final shutdown. Rationale: Decommissioning Authority: NDA and ONR require a credible decommissioning strategy at the design stage; 30-year timeline aligns with UK nuclear decommissioning practice and funding models. | Analysis | stakeholder, stk-decommissioning, session-506, idempotency:stk-decom-timeline-506 |
| STK-REQ-020 | The STEP Fusion Power Plant SHALL minimise activation of structural materials through material selection (reduced-activation steels, tungsten, SiC composites) such that ≥80% of decommissioning waste is classifiable as LLW within 100 years. Rationale: Decommissioning Authority: minimising ILW reduces long-term storage burden and cost; material choice at design stage is the primary lever for waste classification outcomes. | Analysis | stakeholder, stk-decommissioning, session-506, idempotency:stk-decom-materials-506 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The STEP Fusion Power Plant SHALL sustain deuterium-tritium plasma burn at fusion gain Q ≥ 5 for pulse durations of 2 to 8 hours with plasma current ≥ 10 MA. Rationale: Derives from STK-REQ-009 (net 100 MW to grid) and mission statement. Q≥5 is the minimum gain to produce ~500 MW fusion power from ~100 MW auxiliary heating, yielding ~100 MW net after recirculating power. Pulse duration drives energy yield per campaign. | Test | system, plasma, session-506, idempotency:sys-plasma-burn-506 |
| SYS-REQ-002 | The STEP Fusion Power Plant SHALL convert fusion thermal power to net electrical output of ≥ 100 MW at the 400 kV grid connection point with a gross-to-net efficiency ≥ 25%. Rationale: Derives from STK-REQ-009. ~500 MW fusion thermal power requires ~33% gross thermal efficiency to yield ~165 MW gross; after ~65 MW recirculating power for magnets, heating, and auxiliaries, ≥100 MW net is delivered. 25% gross-to-net accounts for all parasitic loads. | Test | system, power, session-506, idempotency:sys-power-conversion-506 |
| SYS-REQ-003 | The STEP Fusion Power Plant SHALL achieve a tritium breeding ratio (TBR) ≥ 1.1 measured across the breeding blanket, producing net bred tritium at a rate exceeding DT fuel consumption by ≥ 10% to accumulate a reserve inventory of ≥ 1 kg tritium within 12 months of full-power operation. Rationale: TBR ≥ 1.1 means 10% excess production over consumption rate. At planned 500 MW fusion power with 50% availability, annual DT consumption is ~4 kg T; 10% surplus yields ~400 g/year reserve accumulation, reaching ≥1 kg within 3 years. The 1 kg reserve provides 2-3 month fuel buffer against breeding blanket underperformance. The original text said 'sufficient tritium' which is non-measurable; this revision specifies both the rate and target inventory. Revised in validation session 519 to address AmbiguityBlacklist finding. | Test | system, tritium, session-506, idempotency:sys-tbr-506 |
| SYS-REQ-004 | When a plasma disruption is detected, the STEP Fusion Power Plant SHALL initiate disruption mitigation (shattered pellet injection or massive gas injection) within 10 ms and limit thermal loads on the first wall to ≤ 0.5 MJ/m². Rationale: Derives from STK-REQ-002, addresses H-001 (SIL 3). 10 ms response time is driven by thermal quench timescale of ~1 ms; mitigation must be initiated during the pre-thermal-quench phase. 0.5 MJ/m² is the tungsten damage threshold for single events. | Test | rt-resolved-session-531 |
| SYS-REQ-005 | The STEP Fusion Power Plant SHALL confine all tritium within at least two independent containment barriers under nominal operating, anticipated transient, and design basis accident conditions, limiting any single-event release to < 0.1 g tritium. Rationale: Derives from STK-REQ-001 and STK-REQ-003, addresses H-002 (SIL-3 tritium release). 0.1 g single-event limit derives from UK nuclear site licence conditions and ONR regulatory guides for fusion: at this inventory level, atmospheric dispersion models show ground-level concentration at the site boundary remains below 1% of the occupational exposure limit. Two-barrier requirement derives from nuclear containment principles. 'Nominal operating, anticipated transient, and design basis accident' replaces ambiguous 'normal' to comply with ISO 29148 unambiguous language requirement; updated validation session 520. | Test | rt-resolved-session-531 |
| SYS-REQ-006 | The STEP Fusion Power Plant SHALL detect and safely manage superconducting magnet quench events by discharging stored magnetic energy (up to 50 GJ) to dump resistors within 30 seconds, limiting hot-spot temperature to < 300 K. Rationale: Derives from STK-REQ-003, addresses H-003 (SIL 2). 50 GJ stored energy in HTS magnets must be extracted before conductor damage occurs; 300 K hot-spot limit prevents irreversible degradation of HTS tape. 30s discharge time balances voltage limits against thermal margin. | Test | rt-resolved-session-531 |
| SYS-REQ-007 | The STEP Fusion Power Plant SHALL remove decay heat from in-vessel components passively (without active pumping) for at least 72 hours following loss of all AC power, maintaining structural temperatures below design limits. Rationale: Passive decay heat removal is safety-critical (SIL-2, hazard H-004 LOCA). VER-REQ-093 specifies physical Test on a full-scale passive decay heat removal test rig. Analysis alone cannot account for as-built thermal resistance, fouling, or water chemistry effects on natural circulation. IEC 61508 SIL-2 requires Test verification for this failure mode. Changed from Analysis to Test in validation session 520 to resolve quality gate blocker. | Test | system, safety, sil-2, session-506, idempotency:sys-passive-decay-heat-506 |
| SYS-REQ-008 | The STEP Fusion Power Plant SHALL maintain ultra-high vacuum (< 1×10⁻⁶ Pa) in the plasma vessel with a total leak rate < 1×10⁻⁹ Pa·m³/s per seal during all operational modes. Rationale: Derives from vacuum constraints and STK-REQ-001 (plasma operation). Impurity ingress from leaks poisons the plasma and triggers disruptions; 1e-6 Pa base pressure is required for plasma breakdown and burn purity. | Test | system, vacuum, session-506, idempotency:sys-vacuum-506 |
| SYS-REQ-009 | The STEP Fusion Power Plant SHALL provide a remote handling system capable of replacing all in-vessel components within a 4-month maintenance campaign, with component positioning accuracy ≤ 2 mm. Rationale: Derives from STK-REQ-005, STK-REQ-006. 4-month campaign duration drives 50% plant availability target. 2 mm positioning accuracy is required for divertor cassette alignment to magnetic field geometry and coolant seal engagement. | Demonstration | system, remote-handling, session-506, idempotency:sys-remote-handling-506 |
| SYS-REQ-010 | The STEP Fusion Power Plant SHALL achieve ≥ 50% operational availability over a 6-month campaign, defined as burn-hours divided by calendar-hours excluding planned maintenance. Rationale: Derives from STK-REQ-009 and operational tempo constraint. 50% availability with 100 MW net output yields ~440 GWh per year, demonstrating economic relevance. Availability is limited by inter-pulse turnaround (30 min–4 hr) and unplanned downtime. | Analysis | system, performance, session-506, idempotency:sys-availability-506 |
| SYS-REQ-011 | When ground acceleration exceeds 0.1g (OBE threshold), the STEP Fusion Power Plant SHALL initiate plasma shutdown within 100 ms of seismic trigger signal receipt and transition all subsystems to seismically-safe states within 10 seconds. Rationale: SIL-3 seismic trip requirement. 100 ms shutdown window is set by maximum halo current exposure duration before structural damage to in-vessel components; beyond 100 ms, asymmetric disruption loads exceed design basis. 10 second full subsystem safe-state transition covers magnet hold current reduction, tritium confinement isolation, and vacuum system standby mode. Removed the adjective 'fast' (ambiguous) as the 100 ms bound is self-defining; added explicit 10-second subsystem transition bound absent from original. Revised in validation session 519. | Test | system, safety, sil-3, session-506, idempotency:sys-seismic-trip-506 |
| SYS-REQ-012 | The STEP Fusion Power Plant SHALL limit neutron streaming through all penetrations such that dose rates in occupied areas remain below 10 µSv/hr during full-power operation. Rationale: Neutron streaming dose rate must be measured in-situ at full-power operation; MCNP analysis cannot fully account for as-built penetration tolerances, cable routing gaps, and local shielding variations. VER-REQ-095 specifies calibrated dosimetry measurement at all occupied area boundaries during full-power plasma. Changed from Analysis to Test in validation session 520 to resolve quality gate blocker and meet IEC 61508 SIL-1 requirements for occupied area radiation protection. | Test | system, safety, sil-1, session-506, idempotency:sys-neutron-shielding-506 |
| SYS-REQ-013 | The STEP Fusion Power Plant SHALL provide ≥ 40 plasma diagnostic systems with calibrated, time-synchronised measurements (timing accuracy ≤ 1 µs) covering magnetic, kinetic, and spectroscopic parameters. Rationale: Derives from STK-REQ-017. 40 diagnostic systems is the minimum for comprehensive plasma characterisation of a burning DT plasma; 1 µs synchronisation enables correlation of fast MHD events across diagnostic channels. | Demonstration | system, diagnostics, session-506, idempotency:sys-diagnostics-506 |
| SYS-REQ-014 | The STEP Fusion Power Plant SHALL be designed such that ≥ 80% of decommissioning waste by volume is classifiable as LLW within 100 years of final shutdown through use of reduced-activation materials. Rationale: Derives from STK-REQ-019, STK-REQ-020. Reduced-activation ferritic-martensitic steels (e.g., EUROFER) and tungsten selection at design stage determines activation products and decay timescales. 80% LLW target minimises ILW storage burden. | Analysis | system, decommissioning, session-506, idempotency:sys-decom-waste-506 |
| SYS-REQ-015 | The STEP Fusion Power Plant SHALL comply with Grid Code requirements for power quality, delivering electricity at 400 kV ± 5%, 50 Hz ± 0.5 Hz, with harmonic distortion < 3% THD. Rationale: Derives from STK-REQ-009. Grid Code compliance is mandatory for connection; voltage and frequency tolerances are National Grid ESO standard requirements; THD limit prevents interference with other grid users. | Test | system, power, session-506, idempotency:sys-grid-quality-506 |
| SYS-REQ-016 | The STEP Fusion Power Plant SHALL implement radiobiological protection measures such that occupational whole-body dose to any worker does not exceed 1 mSv/year above background in designated supervised areas, and the plant SHALL maintain ALARA (As Low As Reasonably Achievable) dose management in accordance with UK IRR 2017 and ONR nuclear site licence conditions, documented in an approved Radiation Protection Supervisors programme. Rationale: A fusion power plant generates neutron activation products and tritium, creating radiobiological hazards to workers and the public. UK law requires compliance with IRR 2017 and ONR site licence conditions. The 1 mSv/year limit (above background) is the HSE-recommended constraint for designated areas at nuclear facilities. This requirement flows from STK-REQ-003 (safety assessment principles), STK-REQ-004 (tritium accountability), and the Biological/Biomimetic ontological trait assigned to the STEP system entity reflecting biological dose considerations. | Analysis | idempotency:sys-radiobio-protection-516 |
| SYS-REQ-017 | The STEP Fusion Power Plant SHALL provide 24-hour advance notification to National Grid of planned generation schedule changes exceeding 10 MW, and SHALL notify within 15 minutes of any unplanned generation interruption affecting grid frequency response obligations. Rationale: STK-REQ-010 mandates 24-hour advance notification; no SYS requirement currently implements this stakeholder need. UK Grid Code CC.6.3.2 requires mandatory advance notice for scheduled plant outages. The 15-minute unplanned interruption notification is derived from National Grid's Balancing and Settlement Code and Grid Code requirements for frequency response obligations: a delay beyond 15 minutes may trigger Grid Code non-compliance penalties and affect National Grid's ability to dispatch balancing mechanisms. | Demonstration | system, grid, grid-code, session-552, idempotency:sys-grid-notification-24h-552 |
| SYS-REQ-018 | The STEP Fusion Power Plant SHALL define a Design Basis Accident set encompassing at least: (a) maximum credible tritium release, (b) tokamak in-vessel component failure with delayed ex-vessel rupture, (c) superconducting magnet quench cascade, and (d) loss-of-cooling to decay heat removal system; and SHALL demonstrate in the Nuclear Safety Case that each DBA does not exceed the Basic Safety Level dose limits of 1 mSv effective dose to any member of the public. Rationale: STK-REQ-003 requires demonstration of a deterministic nuclear safety case using Design Basis Accidents and basic safety levels; no SYS requirement currently decomposes this. The four DBA categories represent the STEP-specific risk inventory: tritium release is the primary radiological source term; in-vessel component failure is the primary structural hazard; magnet quench cascade is the primary energy release event; and loss of decay heat cooling is the primary post-shutdown hazard. The 1 mSv DBA dose limit is derived from IAEA SSR-2/1 and ONR technical assessment guide NS-TAST-GD-005 for near-field nuclear installations. | Analysis | system, safety, sil-3, dba, session-552, idempotency:sys-dba-basic-safety-level-552 |
| SYS-REQ-019 | The STEP Fusion Power Plant SHALL obtain and maintain all required environmental permits under the Environmental Permitting (England and Wales) Regulations 2016 and the Nuclear Installations Act 1965, and SHALL demonstrate continuous compliance by maintaining a certified Environmental Management System conforming to ISO 14001 with annual third-party audit. Rationale: STK-REQ-013 mandates compliance with environmental permitting regulations; no SYS requirement currently implements this. Environmental Permitting (England and Wales) Regulations 2016 apply to all nuclear sites discharging radioactive substances to the environment; compliance is a condition of the ONR nuclear site licence. ISO 14001 certification provides an independent, internationally recognised framework for ongoing environmental compliance management. Annual third-party audit is the minimum frequency required by ONR guidance for nuclear site environmental management systems. | Inspection | system, environmental, regulatory, session-552, idempotency:sys-env-permitting-iso14001-552 |
| SYS-REQ-020 | The STEP Fusion Power Plant SHALL publish processed plasma physics diagnostic data to the fusion research community data repository within 30 days of each experimental campaign completion, in conformance with FAIR data principles (Findable, Accessible, Interoperable, Reusable). Rationale: STK-REQ-017 mandates data sharing within 30 days; no SYS requirement implements this. STEP is a publicly funded programme with open-science obligations under UKRI data management policy. The 30-day window is the STK-stated constraint derived from the UK Research and Innovation open data requirements for nationally significant science infrastructure. FAIR data principles are the international standard for scientific data interoperability, adopted by EUROfusion and mandatory for fusion science facilities receiving EU/UK public funding. | Inspection | system, research, data, session-552, idempotency:sys-research-data-30days-552 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Plasma Control System SHALL execute the plasma position and shape control algorithm with a cycle time of 1 ms or less, processing all diagnostic inputs and issuing actuator commands within a single deterministic RTOS cycle. Rationale: Derived from IFC-REQ-005 (1 ms end-to-end latency) and SYS-REQ-004 (disruption mitigation within 10 ms). The 1 ms control cycle provides 10 samples before the 10 ms mitigation deadline and maintains the PID bandwidth needed for ELM suppression and NTM stabilisation at Q>=5 burn conditions. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-rttiming-507 |
| SUB-REQ-002 | The Plasma Control System SHALL detect plasma disruption precursors (locked mode amplitude exceeding 5 mT, beta collapse rate exceeding 10%/ms, or n=1 Mirnov signal exceeding threshold) and trigger massive material injection within 10 ms of threshold crossing, with a probability of detection of 0.99 or greater across the full disruption database. Rationale: Directly derives from SYS-REQ-004 (disruption mitigation within 10 ms) and hazard H-001 (plasma disruption, SIL-3). The 10 ms window is set by the thermal quench timescale: first-wall energy density exceeds design limits if mitigation fires later. 0.99 detection probability is the minimum consistent with SIL-3 unavailability budget of 10^-3. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-disruption-507 |
| SUB-REQ-003 | The Plasma Control System SHALL implement dual-redundant Real-Time Plasma Controllers executing identical algorithms in lockstep, with automatic switchover to the standby controller within 500 ms of a primary controller fault, without loss of plasma confinement. Rationale: Updated in validation session 530: SIL-3 dual-redundancy requirement for RTPC must use Test verification per IEC 61508. VER-REQ-016 specifies the hardware failover injection test. The earlier Demonstration designation was insufficient for SIL-3 — Test is mandatory where Analysis alone cannot validate the actual switchover latency and state-preservation under realistic fault conditions. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-redundancy-507 |
| SUB-REQ-004 | The Plasma Control System Diagnostic Data Acquisition Front-End SHALL sample all 40 or more plasma diagnostic channels at a minimum rate of 1 kHz with hardware-timestamped synchronisation accuracy of 1 microsecond or better across all channels. Rationale: Derived from IFC-REQ-005 (40+ diagnostics at 1 kHz). Synchronisation accuracy of 1 microsecond is required to correctly correlate spatially distributed magnetic and kinetic measurements for equilibrium reconstruction: timing error above 1 ms introduces position errors of order 10 cm in the reconstructed plasma boundary, exceeding the control tolerance. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-daq-507 |
| SUB-REQ-005 | When the Plasma Control System detects an internal fault (controller failure, loss of diagnostic data, or watchdog timeout), the Plasma Control System SHALL initiate a controlled plasma shutdown by commanding gas injection to terminate plasma current within 30 seconds, before transitioning to a passive safe state. Rationale: Updated in validation session 530: SIL-3 PCS internal fault response must use Test verification per IEC 61508. VER-REQ-012 specifies the fault injection test covering watchdog timeout, data loss, and sensor failure modes. Demonstration was initially specified but Test is required for SIL-3 safety functions to capture actual PLC failover behaviour under production hardware fault conditions. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-safestate-507 |
| SUB-REQ-006 | When a disruption current quench is detected, the Plasma Control System Disruption Prediction and Mitigation Unit SHALL trigger massive material injection to achieve runaway electron seed density suppression, delivering a minimum of 10 to the power 22 hydrogenic atoms into the plasma within 50 ms of current quench onset. Rationale: Hazard H-006 (runaway electron beam, SIL-3): relativistic electrons above 10 MeV can perforate the first wall. Material injection at the required density provides collisional scattering to suppress runaway seed population before amplification. 50 ms is set by the runaway growth time at post-disruption conditions; 10^22 atoms is derived from the required electron mean free path reduction. | Test | subsystem, plasma-control, session-507, sil-3, idempotency:sub-pcs-runaway-507 |
| SUB-REQ-007 | The Tokamak Core Assembly first wall and divertor SHALL withstand steady-state peak heat flux of 10 MW/m2 on the divertor strike zones and 0.5 MW/m2 on the first wall during nominal Q=5 burn, with tungsten armour net erosion rate less than 1 mm per full-power year averaged across all plasma-facing surfaces. Rationale: Derived from SYS-REQ-001 (Q>=5 burn for 2-8 hours) and SYS-REQ-004 (first-wall thermal load limit). 10 MW/m2 divertor heat flux is the design point from SOLPS-ITER edge transport modelling at STEP power levels; 1 mm/year erosion limit is set by the maintenance campaign cycle: more rapid erosion would require unscheduled divertor replacement before the 4-month campaign, violating SYS-REQ-009. | Test | idempotency:sub-tca-heatflux-508 |
| SUB-REQ-008 | The Superconducting Magnet System TF coil set SHALL generate a toroidal magnetic field of 3.0 T or greater on the plasma magnetic axis, with field ripple delta-B/B of 0.5 percent or less at the last closed flux surface, during steady-state plasma operation, and SHALL detect a quench in any coil within 100 ms of quench initiation and initiate energy extraction to external dump resistors within a further 200 ms. Rationale: 3.0 T on-axis is the minimum field for Q>=5 burn at the STEP aspect ratio per MHD stability analysis (SYS-REQ-001). 0.5% field ripple is the maximum compatible with neoclassical transport at the design plasma beta; higher ripple causes ion orbit losses that reduce Q. 100 ms quench detection and 200 ms extraction initiation are derived from the adiabatic hot-spot temperature limit of 300 K (SYS-REQ-006): slower response would cause quench propagation and conductor damage. | Test | idempotency:sub-sms-field-quench-508 |
| SUB-REQ-009 | The Cryogenic Plant SHALL maintain superconducting magnet cryostats at 4.5 K or below with temperature stability of plus or minus 0.1 K during steady-state magnet excitation, providing minimum refrigeration capacity of 15 kW at 4.5 K from at least two independent cold box trains such that loss of any single cold box does not prevent continuation of plasma operations at reduced pulse duration. Rationale: 4.5 K is the upper operating temperature for the selected HTS or NbTi conductor. 0.1 K stability is required to maintain current-sharing temperature margin. 15 kW at 4.5 K is derived from the steady-state coil resistive heating plus cryostat heat leak at rated magnet current. Two-train requirement comes from SYS-REQ-010 availability target: single cold box MTBF of ~2000 hours would cause unacceptable plasma interruption frequency without redundancy. | Test | idempotency:sub-cry-refrigeration-508 |
| SUB-REQ-010 | The Tritium Plant SHALL account for tritium inventory with measurement uncertainty of plus or minus 1 g or less per 24-hour accounting period and SHALL process all tritiated exhaust streams at throughput of 5 g T/day or greater, achieving a detritiation factor of 1e6 or greater across the Combined Electrolysis and Catalytic Exchange columns, with tritium-contaminated effluent concentration below 10 Bq/L before release to drains. Rationale: Plus or minus 1 g per 24 hours is derived from the STK-REQ-004 regulatory accountability requirement; the IAEA safeguards threshold for tritium inventory discrepancy is order 1 g. 5 g T/day throughput covers the burn consumption plus reserve losses at Q=5. Detritiation factor 1e6 ensures effluent tritium concentration meets STK-REQ-013 regulatory limits. | Test | idempotency:sub-trp-accountability-508 |
| SUB-REQ-011 | The Power Conversion System steam turbine-generator set SHALL export 100 MW or more net electrical power to the 400 kV grid at rated fusion power, achieving gross-to-net efficiency of 25 percent or greater, and SHALL maintain generation availability of 90 percent or better over a 6-month operational campaign excluding planned maintenance outages. Rationale: 100 MW net and 25% efficiency are direct derivations from SYS-REQ-002. 90% generation availability is derived from SYS-REQ-010 (50% operational availability): the power conversion system is not in the critical path during plasma burn, so its availability target is set higher than the burn availability to prevent it limiting overall plant performance. | Test | idempotency:sub-pcs-output-508 |
| SUB-REQ-012 | The Remote Handling System SHALL replace all divertor cassettes within a maintenance window of 21 calendar days or less, with component positioning accuracy of 2 mm or better in all three translational axes, operating continuously at ambient radiation dose rates up to 0.5 Sv/hr without personnel entry to the tokamak hall, and with manipulator mean time between mission failures of 500 hours or greater. Rationale: 21-day divertor replacement is derived from SYS-REQ-009 (4-month total maintenance campaign): divertor replacement is the critical-path activity consuming approximately 25% of the campaign window. 0.5 Sv/hr is the design radiation environment after 30-day shutdown; personnel entry is not permitted above 2 mSv/hr. MTBF 500 hours is set by the campaign duration to limit probability of mid-campaign manipulator failure to below 5%. | Demonstration | idempotency:sub-rhs-campaign-508 |
| SUB-REQ-013 | The Vacuum System SHALL evacuate the plasma vessel from atmospheric pressure to base pressure of 1e-6 Pa or less within 24 hours of vessel closure, maintaining effective pumping speed of 50 m3/s or greater from the divertor pumping ducts during burn, and SHALL maintain plasma vessel total outgassing rate below 1e-3 Pa.m3/s at base vacuum. Rationale: 1e-6 Pa base pressure is required for ECR-assisted plasma breakdown and to limit impurity influx below 0.1% oxygen-equivalent during burn (SYS-REQ-008). 50 m3/s effective speed is the minimum to balance helium ash production at Q=5. 24 hour pump-down is set by the scheduled maintenance window; longer pump-down would reduce availability below SYS-REQ-010 target. | Test | idempotency:sub-vac-pumping-508 |
| SUB-REQ-014 | The Radiation Protection System SHALL classify all plant areas into radiation zones (Supervised, Controlled, High Radiation) based on calculated dose rates and provide interlock signals preventing personnel access to zones where instantaneous dose rate exceeds the worker authorisation level, with zone boundary interlocks responding within 100 ms of dose threshold exceedance. Rationale: Derived from STK-REQ-012 and SYS-REQ-012 (dose rates below 10 uSv/hr in occupied areas). 100 ms interlock response is set by the maximum dose accumulation before personnel can retreat: at the Controlled Zone boundary dose rate of 2 mSv/hr, 100 ms accumulation is 0.055 uSv, negligible compared to occupational limits. | Test | idempotency:sub-rps-zoning-508 |
| SUB-REQ-015 | The Tokamak Core Assembly Vacuum Vessel and In-Vessel Structures SHALL maintain plasma vessel leak rate below 1e-7 Pa m3/s total outgassing rate during plasma operations and shall withstand internal over-pressure of 0.5 MPa from loss-of-coolant accident without gross structural failure. Rationale: SYS-REQ-008 requires UHV at 1e-6 Pa; this TCA-level requirement allocates the vessel structural contribution to achieving that pressure. The 0.5 MPa LOCA overpressure comes from first-wall coolant pipe rupture analysis — structural failure would breach the primary tritium containment barrier. | Test | subsystem, tokamak, sil-3, session-509, idempotency:sub-tca-vessel-509 |
| SUB-REQ-016 | The Tokamak Core Assembly First Wall and Blanket Module SHALL achieve tritium breeding ratio (TBR) contribution of 1.1 or greater as measured from blanket module-level neutronics analysis, using lithium-6 enrichment of at least 40% in the breeding zone. Rationale: TBR ≥ 1.1 is verified by Test: post-irradiation lithium-6 depletion measurements on blanket breeding zone samples extracted during scheduled maintenance, benchmarked against MCNP6 predictions (ISO 14577 protocol). Analysis alone is insufficient for SIL-2; physical activation measurements confirm the as-built breeding performance including manufacturing tolerances on Li-6 enrichment distribution. Changed from Analysis to Test in validation session 520 to satisfy IEC 61508 SIL-2 verification adequacy requirement. | Test | subsystem, tokamak, sil-2, session-509, idempotency:sub-tca-tbr-509 |
| SUB-REQ-017 | When a plasma disruption current quench is detected, the Tokamak Core Assembly SHALL withstand electromagnetic halo currents and induced eddy currents without permanent deformation of in-vessel structures, and the Vacuum Vessel shall remain leak-tight with leak rate not exceeding 1e-6 Pa m3/s post-disruption. Rationale: SIL-3 requirement: structural withstand of halo currents cannot rely on analysis alone (IEC 61508 clause 7.4.6 for SIL-3). Verification is by Test: (a) pulsed-current load tests on structural specimens representing worst-case in-vessel joint geometry, qualifying the structural design; (b) post-disruption vacuum leak check during integrated commissioning (helium leak test at 1e-8 Pa m3/s sensitivity) confirming vessel integrity. ANSYS FEA provides conservatism check but Test verification is the primary acceptance method. Changed from Analysis to Test in validation session 520. | Test | subsystem, tokamak, sil-3, safety, session-509, idempotency:sub-tca-disruption-safestate-509 |
| SUB-REQ-018 | The Tritium Plant Plasma Exhaust Processing System SHALL process unburnt DT exhaust gas at a throughput of up to 200 Pa·m³/s, achieving hydrogen isotope separation from helium ash with a decontamination factor of at least 1000 within a single pass at operating pressures between 1×10⁻³ Pa and 1×10⁵ Pa. Rationale: 200 Pa·m³/s is the divertor exhaust throughput design point for STEP at full fusion power (500 MW thermal). Decontamination factor 1000 ensures He ash does not accumulate in the DT fuel cycle, which would degrade plasma performance by diluting fuel concentration below the threshold needed for sustained ignition. Derived from SYS-REQ-001 (plasma burn maintenance) and SYS-REQ-005 (tritium confinement). | Test | subsystem, tritium-plant, sil-3, session-510, idempotency:sub-trp-peps-throughput-510 |
| SUB-REQ-019 | The Tritium Plant Isotope Separation System SHALL produce DT fuel at a deuterium-tritium purity of greater than 99.9 mol% hydrogen isotopes and a D:T isotope ratio of 50:50 plus or minus 2%, with a throughput capacity of 200 Pa·m3/s DT equivalent. Rationale: 99.9% purity and 50:50 D:T ratio are the plasma fueling specifications derived from ITER/DEMO experience showing that HD and HH impurities above 0.1% reduce fusion reactivity below the ignition-sustaining threshold. The 200 Pa·m3/s throughput matches the divertor exhaust capacity. Derives from SYS-REQ-001 and SYS-REQ-003 (TBR and fuel cycle closure). | Test | subsystem, tritium-plant, sil-3, session-510, idempotency:sub-trp-iss-purity-510 |
| SUB-REQ-020 | The Tritium Plant Tritium Storage and Delivery System SHALL store tritium inventory in double-contained metal hydride beds with a maximum tritium hold-up of 100 g tritium equivalent, and SHALL release fuel to the Isotope Separation System or fueling systems within 60 seconds of a fuel request command. Rationale: 100 g maximum hold-up is set by the site radiological consequence assessment: a catastrophic release of the full storage inventory must not cause a deterministic dose to the public at the site boundary. 60-second release latency ensures the pellet fueling system can maintain plasma fueling rate during transients. Derives from SYS-REQ-005 (tritium confinement) and STK-REQ-004 (tritium accountability). | Test | subsystem, tritium-plant, sil-3, session-510, idempotency:sub-trp-tsds-storage-510 |
| SUB-REQ-021 | The Tritium Plant Blanket Tritium Extraction System SHALL extract bred tritium from the lithium-ceramic blanket breeding zone at a rate matching the tritium production rate, maintaining a tritium hold-up in the extraction loop of less than 1 g at all times during steady-state and planned transient operation. Rationale: Derives from SUB-REQ-016 TBR requirement and SYS-REQ-005 tritium containment. 1 g hold-up limit established from UK site licence conditions on in-process inventory in unshielded areas. 'Steady-state and planned transient' replaces ambiguous 'normal' per ISO 29148; updated validation session 520. | Test | subsystem, tritium-plant, sil-2, session-510, idempotency:sub-trp-btes-extraction-510 |
| SUB-REQ-022 | When the Tritium Plant atmospheric tritium monitor detects a concentration exceeding 1e-5 Ci/m3 (1 MBq/m3), the Tritium Plant Atmosphere Detritiation System SHALL initiate forced-air recirculation through catalytic oxidation beds within 30 seconds and SHALL achieve a cleanup factor of at least 100 within 4 hours. Rationale: 1e-5 Ci/m3 is the controlled area action level per ICRP-68, above which inhalation dose rate to workers exceeds 1 mSv/h. The 30-second initiation time ensures the ADS engages before local concentration exceeds the 10x safety factor above this threshold. Cleanup factor 100 in 4 hours is derived from worst-case maintenance scenario inventory release models for the tritium plant. Derives from SYS-REQ-005 and STK-REQ-011 (RPA dose constraint). | Test | subsystem, tritium-plant, sil-3, safety, session-510, idempotency:sub-trp-ads-safestate-510 |
| SUB-REQ-023 | The Superconducting Magnet System Quench Detection and Protection System SHALL detect a resistive voltage signature greater than 100 mV on any superconducting coil within 10 ms and SHALL initiate safe quench discharge within 50 ms of detection, limiting hot-spot temperature to below 300 K. Rationale: 100 mV threshold and 10 ms detection time are derived from quench propagation velocity calculations for Nb3Sn conductors at the STEP operating current density. At these parameters, the hot-spot temperature limit of 300 K (below Cu embrittlement at cryogenic temperature) is maintained if dump starts within 50 ms of quench onset. Derives from SYS-REQ-006 (superconducting quench management). | Test | subsystem, superconducting-magnet-system, sil-2, safety, session-510, idempotency:sub-sms-quench-detect-510 |
| SUB-REQ-024 | The Superconducting Magnet System Central Solenoid SHALL provide a total flux swing of at least 100 V·s over a plasma pulse, with a maximum ramp rate of 2 V/m during plasma initiation and ramp-up phases. Rationale: 100 V·s flux swing drives the transformer-coupled plasma current ramp to 5 MA for STEP operating conditions. The 2 V/m ramp rate limit is set by the inductive coupling to in-vessel components — faster ramp would induce eddy currents exceeding structural limits of the first wall. Derives from SYS-REQ-001 (plasma burn sustainment — CS drives the plasma current required for ignition). | Test | subsystem, superconducting-magnet-system, sil-2, session-510, idempotency:sub-sms-cs-flux-510 |
| SUB-REQ-025 | The Superconducting Magnet System TF Coil Set SHALL maintain a toroidal magnetic field of 3.2 T on plasma axis with a field ripple of less than 1% peak-to-peak at the plasma separatrix during steady-state plasma burn. Rationale: 3.2 T on-axis field is the minimum required for Q>=5 burn per SYS-REQ-001 physics basis. Field ripple below 1% is required to prevent ripple-induced fast-ion loss exceeding 5% of alpha power, which would degrade energy confinement and damage first wall. | Test | subsystem, superconducting-magnet-system, session-511, sil-2, idempotency:sub-tf-field-performance-511 |
| SUB-REQ-026 | The Superconducting Magnet System Magnet Power Supply System SHALL energise the TF Coil Set to full field in less than 2 hours and the CS Coil to maximum current in less than 30 minutes, with a current ripple not exceeding 10 ppm of full scale. Rationale: 2-hour TF ramp-up is derived from operational availability target SYS-REQ-010 (50% availability): longer ramp increases duty cycle losses. 10 ppm current ripple is required to prevent field noise from perturbing plasma equilibrium feedback. Derived from PCS interface requirement for field accuracy. | Test | subsystem, superconducting-magnet-system, session-511, sil-2, idempotency:sub-mpss-energisation-511 |
| SUB-REQ-027 | When a quench interlock signal is received, the Superconducting Magnet System Magnet Power Supply System SHALL open all coil current loops and connect dump resistors within 5 ms, extracting stored magnetic energy into external dump resistors and limiting coil current decay rate to less than 500 A/s. Rationale: Safe state for SYS-REQ-006 quench hazard. 5ms response derived from IFC-REQ-024 hardwired interlock requirement. Limiting decay rate to 500 A/s prevents excessive induced voltages in neighbouring coils and vacuum vessel structures that could cause secondary damage or arc flash. | Test | subsystem, superconducting-magnet-system, session-511, sil-2, safe-state, idempotency:sub-mpss-energy-extraction-511 |
| SUB-REQ-028 | The Superconducting Magnet System TF Coil Set SHALL maintain superconducting operation at a winding-pack temperature of 4.5 K ± 0.1 K, with a minimum thermal margin of 1.5 K between operating temperature and critical temperature under maximum conductor current. Rationale: Nb3Sn conductor critical temperature is approximately 18 K at operating field. Operating at 4.5 K provides 1.5 K thermal margin above nominal; reduced margin risks inadvertent quench during plasma disruptions which deposit eddy-current heating. ITER and SPARC coil margin analyses confirm 1.5 K as minimum safe margin. | Test | subsystem, superconducting-magnet-system, session-511, sil-2, idempotency:sub-tf-cryo-temperature-511 |
| SUB-REQ-029 | The Vacuum System Turbomolecular Pump Array SHALL maintain plasma vessel pressure below 1×10⁻⁶ Pa during plasma operations and achieve a base pressure of 1×10⁻⁷ Pa or below within 24 hours of vessel baking at 200°C. Rationale: 1e-6 Pa plasma vessel pressure is the maximum tolerable impurity partial pressure derived from plasma purity requirements in SYS-REQ-001 — higher neutral gas density causes radiative collapse of the plasma. 24-hour pump-down time is derived from operational availability targets in SYS-REQ-010. | Test | rt-resolved-session-531 |
| SUB-REQ-030 | The Vacuum System Pressure Monitoring System SHALL measure plasma vessel pressure continuously over the range 1×10⁻⁸ Pa to 1×10⁻² Pa with an accuracy of ±10% of reading, and SHALL generate an interlock signal to the Plasma Control System within 200 ms when vessel pressure exceeds 1×10⁻⁴ Pa. Rationale: 1e-4 Pa interlock threshold is 100x above operating pressure, providing a safety margin while preventing false trips. 200 ms response is derived from the PCS plasma control loop response time — the interlock must propagate before a contamination event causes irreversible first-wall damage or uncontrolled plasma termination. | Test | rt-resolved-session-531 |
| SUB-REQ-031 | The Cryogenic Plant Helium Refrigeration System SHALL provide minimum refrigeration capacity of 8 kW at 4.5 K per cold box train, with at least two independent trains operational simultaneously, such that loss of any single train does not reduce total available cooling below 8 kW. Rationale: Magnet steady-state heat load at full excitation is ~13 kW at 4.5K. Two 8kW trains gives 16kW nominal with 3kW margin. IEC 61508 SIL 2 availability target for cryo cooling (mission time 8,760 h/yr) requires single-failure tolerance. ITER cryoplant uses N+1 cold box configuration on same basis. | Test | subsystem, cryogenic-plant, sil-2, session-513, idempotency:sub-hrs-capacity-513 |
| SUB-REQ-032 | The Cryogenic Plant Helium Management System SHALL capture and recover not less than 95% of the helium gas released during a superconducting magnet quench event (up to 200 m³ STP per event) within 2 hours of quench onset, purifying recovered gas to ≥ 99.999% purity before returning it to the refrigerator supply. Rationale: Helium is a limited, non-renewable resource valued at ~£30/m³ STP. A full magnet quench releases ~200m³. Failure to recover ≥95% within 2 hours forces operational deferral until helium inventory is replenished, directly threatening the ≥50% availability target of SYS-REQ-010. The 2-hour window is constrained by compressor capacity and cold trap regeneration time. | Test | subsystem, cryogenic-plant, sil-2, session-513, idempotency:sub-hms-recovery-513 |
| SUB-REQ-033 | The Cryogenic Plant Cryogenic Transfer Line Network SHALL maintain total static heat ingress to the 4.5 K helium circuit below 500 W across all transfer lines under steady-state conditions, with each individual line segment not exceeding 10 W/m. Rationale: Static heat ingress adds directly to HRS refrigeration load. Exceeding 500W would exhaust the 3kW margin in the dual-train design, risking magnet temperature excursion. The 10W/m per-segment limit is consistent with ITER vacuum-jacketed line performance specification and enables allocation to individual lines during procurement. | Test | subsystem, cryogenic-plant, sil-2, session-513, idempotency:sub-ctln-heatleak-513 |
| SUB-REQ-034 | The Cryogenic Plant Cryogenic Control System SHALL automatically execute the magnet cool-down sequence from 300 K to 4.5 K at a rate not exceeding 5 K/hour at any point on the superconducting coil winding packs, completing the sequence within 72 hours under nominal refrigerator operation. Rationale: Thermal gradients >5K/hour risk delamination of the epoxy-impregnated HTS coil winding packs due to differential thermal expansion. 72-hour window is the agreed maintenance campaign slot. Automated control is required because the 2,000+ sensor points make manual management impractical and error-prone. | Test | subsystem, cryogenic-plant, sil-2, session-513, idempotency:sub-ccs-cooldown-513 |
| SUB-REQ-035 | When the Cryogenic Control System detects an internal fault (controller failure, loss of communication to >50% of sensors, or watchdog timeout), the Cryogenic Plant SHALL transition to a safe hold state within 10 seconds: closing helium supply valves to all magnet circuits, initiating helium boil-off venting to the recovery system, and issuing a quench-interlock signal to the Superconducting Magnet System. Rationale: Loss of CCS control authority during magnet excitation risks undetected cryogenic failure leading to uncontrolled quench. SIL 2 safe state requirement per IEC 61508: de-energise (close isolation valves) and alert dependent systems (SMS quench interlock) within a time window derived from magnet stored energy dissipation rate. 10-second limit is consistent with minimum response time of SMS quench detection system. | Test | subsystem, cryogenic-plant, sil-2, safety, safe-state, session-513, idempotency:sub-ccs-safestate-513 |
| SUB-REQ-036 | The Remote Handling System SHALL position the In-Vessel Inspection and Maintenance Manipulator end-effector to within ±1 mm of target coordinates in the tokamak vessel coordinate frame, verified under thermal soak conditions at vessel wall temperature 150°C. Rationale: SYS-REQ-009 specifies ≤2 mm component positioning accuracy. The IVIMM contributes ≤1 mm to the error budget, with ≤1 mm allocated to tooling alignment, totalling ≤2 mm system accuracy. 1 mm IVIMM accuracy is achievable with laser tracker feedback per ITER RH arm specification (ITER_D_3LFATQ). | Test | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-manipulator-accuracy-514 |
| SUB-REQ-037 | The Remote Handling System SHALL complete a full blanket module exchange cycle (remove all 18 blanket modules, install replacement set) within 90 calendar days, operating on a 2-shift pattern with planned equipment maintenance windows. Rationale: SYS-REQ-009 allows 4 months (120 days) for replacement of all in-vessel components. The 90-day allocation to blanket exchange allows 30 days for divertor cassette exchange within the same campaign. 90 days was derived from ITER RAMI analysis ITER_D_FFNMWJ showing 3 modules per day achievable with 2 IVIMM arms operating in parallel. | Demonstration | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-campaign-duration-514 |
| SUB-REQ-038 | The Remote Handling System SHALL maintain full functionality after cumulative absorbed dose of 1×10^6 Gy (gamma + neutron equivalent) at any in-vessel component, with no degradation of positioning accuracy exceeding 10% of the specified ±1 mm tolerance. Rationale: STEP in-vessel components are exposed to total neutron fluence of ~3×10^22 n/m² over 10 full-power years. Remote handling equipment operating in-vessel must be qualified to the same radiation environment. 10^6 Gy is consistent with ITER radiation hardening specification for in-vessel tools and represents a conservative envelope for STEP operations. | Test | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-rad-hardening-514 |
| SUB-REQ-039 | The Remote Handling Transfer Cask SHALL provide biological shielding such that dose rate at the cask outer surface does not exceed 2 mSv/hr when loaded with a fully irradiated blanket module, measured at 0.1 m from the surface per ISO 2919. Rationale: UK Ionising Radiations Regulations 2017 classify any area exceeding 7.5 mSv/hr as a supervised radiation area. The 2 mSv/hr limit maintains dose rates in the cask transfer corridor below this threshold with margin, allowing controlled area designation (3/10 of 2 mSv/hr averaged over 40-hour working week < 6 mSv/year occupational exposure limit). | Test | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-cask-shielding-514 |
| SUB-REQ-040 | When any Remote Handling System equipment fault is detected (loss of position feedback, motor overcurrent, cable tension alarm), the Remote Handling System SHALL halt all actuators within 500 ms and lock joints in their current positions, maintaining load without drift for ≥ 30 minutes to allow manual recovery planning. Rationale: A suspended load (up to 4.6 tonne blanket module) inside the vessel under automated fault condition is the primary hazard. 500 ms halt preserves positioning before any gravity-driven drift exceeds 2 mm tolerance. 30-minute hold time is derived from minimum human response time for emergency team mobilisation plus decision cycle. | Test | subsystem, remote-handling-system, sil-1, session-514, idempotency:sub-rhs-safe-state-514 |
| SUB-REQ-041 | The Power Conversion System SHALL deliver ≥ 100 MW net electrical power to the 400 kV grid connection point during steady-state plasma burn, after deducting all plant auxiliary loads including cryogenic plant, plasma heating, and pumping. Rationale: SYS-REQ-002 mandates ≥100 MW net at 400 kV. Net output = gross turbine output (120 MW nominal) minus station auxiliary load (~20 MW for cryo plant, magnets, heating, pumping). The 100 MW net target is the commercial demonstrator mission requirement per STEP Programme Definition document. | Test | rt-resolved-session-531 |
| SUB-REQ-042 | The Power Conversion System SHALL achieve gross-to-net thermal efficiency ≥ 25%, calculated as net electrical output divided by total fusion thermal power, under steady-state conditions at rated plasma Q ≥ 5. Rationale: Gross-to-net thermal efficiency is directly verifiable by Test: measure net electrical power at 400 kV grid metering point and total fusion thermal power from calorimetric balance during first sustained full-power burn (Q≥5). VER-REQ-067 covers this. Changed from Analysis to Test in validation session 520 to meet IEC 61508 SIL-1 verification standard; analysis may predict efficiency but measured commissioning data is the acceptance criterion. | Test | rt-resolved-session-531 |
| SUB-REQ-043 | The Power Conversion System SHALL deliver electricity at 400 kV ± 5%, 50 Hz ± 0.5 Hz, with harmonic distortion < 3% THD, compliant with National Grid ESO Grid Code CC.6 and the Connection and Use of System Code (CUSC). Rationale: SYS-REQ-015 mandates Grid Code compliance. UK Grid Code CC.6 specifies voltage and frequency tolerances at the point of connection. Harmonic distortion <3% THD is the EN 61000-2-4 Class 2 limit for industrial generators. Failure to comply risks grid connection agreement revocation and prevents commercial operation. | Test | subsystem, power-conversion-system, sil-1, session-514, idempotency:sub-pcs-grid-code-514 |
| SUB-REQ-044 | The Steam Generator and Heat Transfer System SHALL transfer ≥ 500 MWth from the primary coolant circuit to the secondary steam circuit at steady-state plasma burn, maintaining primary outlet temperature ≤ 180°C to protect breeding blanket structural integrity. Rationale: STEP primary coolant enters steam generators at ~300°C and must return at ≤180°C to maintain adequate blanket module cooling margin (blanket outlet target 280°C with 20°C margin). The 500 MWth transfer duty matches fusion thermal power at Q=5 with allowance for 10% peaking. Under-cooling would elevate primary outlet temperature, reducing blanket safety margin. | Test | rt-resolved-session-531 |
| SUB-REQ-045 | When a plasma disruption is signalled by the Plasma Control System, the Power Conversion System SHALL execute a controlled turbine runback to 20% rated load within 60 seconds without turbine trip, preserving grid connection and enabling rapid restart on plasma re-ignition. Rationale: Plasma disruptions are expected at ~1/month frequency during commissioning. A full turbine trip per disruption would impose unacceptable wear on turbine blades and impose 4-hour restart penalties reducing operational availability below the 50% SYS-REQ-010 target. Runback to 20% maintains condenser vacuum and feedwater chemistry stable for <10 minute plasma restart. | Demonstration | subsystem, power-conversion-system, sil-1, session-514, idempotency:sub-pcs-turbine-runback-514 |
| SUB-REQ-049 | The Tritium Plant Isotope Separation System SHALL operate on electrical power supplied at 415 V AC (three-phase) with a maximum continuous power demand of 350 kW and a peak demand not exceeding 420 kW during column start-up, and SHALL include an uninterruptible power supply sized for 30 minutes of safe shutdown operation following loss of grid power. Rationale: 350 kW continuous and 420 kW peak derived from cryogenic distillation column heat load analysis: column reboilers 220 kW, compressors 80 kW, controls 50 kW. The 30-minute UPS duration matches estimated time to reach thermally stable safe shutdown where column inventories are below hazardous tritium levels. Derives from SYS-REQ-003 (fuel cycle closure) and SYS-REQ-005 (tritium confinement). | Test | idempotency:sub-iss-power-budget-516 |
| SUB-REQ-050 | The Tritium Plant Isotope Separation System SHALL accept an emergency isolation command from the Plant Protection System that terminates cryogenic distillation column operations and isolates all tritium-bearing process streams within 30 seconds, and SHALL maintain a passive safe state without operator input for at least 4 hours following loss of automated process control. Rationale: Derives from SYS-REQ-005 (tritium containment SIL-3). 30-second isolation window derived from atmospheric tritium dispersal rate model: at maximum process inventory, delay beyond 30 s risks exceeding 0.1 g release limit under worst-case single-pipe-rupture scenario. 4-hour passive safe state period allows operator team assembly and controlled recovery. 'Automated process control' replaces ambiguous 'normal process control' per ISO 29148; updated validation session 520. | Demonstration | idempotency:sub-iss-safety-override-516 |
| SUB-REQ-051 | The Power Conversion System SHALL be housed in a dedicated turbine hall building with a structural floor load rating of at least 15 kN/m², designed to contain steam turbine (rated 180 MWe), generator, condenser, feedwater heaters, and associated balance-of-plant equipment, with physical maintenance access clearances of at least 2 m on all major equipment faces. Rationale: The Power Conversion System is a large physical installation requiring dedicated structural housing to manage thermal, vibration, and acoustic loads from rotating machinery. The 15 kN/m² floor rating is the minimum for 100+ tonne steam turbine sets. Physical access clearance requirements ensure maintainability of the primary heat removal path. Derives from SYS-REQ-009 (electrical power export) and IFC-REQ-004 (thermal power interface). | Inspection | idempotency:sub-pcs-physical-housing-516 |
| SUB-REQ-052 | The Tritium Plant SHALL be housed in a dedicated, single-storey Category 1 confinement building constructed to nuclear-grade seismic standards, with minimum concrete wall thickness of 600 mm providing radiation shielding, and containing all tritium-bearing process systems within a secondary confinement envelope of at least 2500 m³ total enclosed volume. Rationale: The tritium plant handles tritium inventory up to 100 g (SIL-3 consequence), requiring a purpose-built Category 1 nuclear building for structural integrity, shielding, and secondary confinement. The 600 mm wall thickness is the minimum for 10 GBq/m² surface dose rate attenuation. The physical building specification flows from STK-REQ-003 (safety assessment principles) and SYS-REQ-005 (tritium confinement). | Inspection | idempotency:sub-trp-physical-housing-516 |
| SUB-REQ-053 | The Cryogenic Plant SHALL be housed in a dedicated plant building with insulated floor area of at least 800 m², minimum clear height of 8 m, and structural provisions for helium cold box support frames rated to carry 50 tonne loads, providing segregated bays for helium compressors, cold boxes, liquid helium dewars (minimum 10,000 L capacity), and control room. Rationale: The cryogenic plant requires a dedicated physical building due to the hazardous nature of cryogenic helium (oxygen displacement risk) and the large physical footprint of Collins-cycle refrigerators and cold boxes. The 800 m² floor area and 8 m clear height are the minimum dimensions for a 80 kW-at-4.5K refrigeration plant consistent with ITER cryogenic plant precedent. Derives from SYS-REQ-011 (superconducting magnet operation) and SUB-REQ-009 (cryogenic cooling). | Inspection | idempotency:sub-crp-physical-housing-516 |
| SUB-REQ-054 | The Vacuum System SHALL comprise physical vacuum equipment mounted on the tokamak support structure, including 12 turbomolecular pump assemblies each housed in bolted flange enclosures rated to 1.5 bar differential pressure, roughing pump sets located in an adjacent pump bay with concrete biological shielding for activated component handling, and vacuum manifold pipework with total metal bellow-jointed volume compatible with the 1000 m³ plasma vessel. Rationale: The vacuum system is a physical installation of pumps, valves, and pipework mounted on the tokamak that must meet structural, shielding, and maintenance requirements. The flange pressure rating, pump bay shielding, and manifold sizing specify physical constraints that ensure safe installation and maintenance of radioactive equipment. Derives from SYS-REQ-008 (vacuum integrity) and IFC-REQ-016 (vacuum system interface). | Inspection | idempotency:sub-vac-physical-housing-516 |
| SUB-REQ-055 | The Tokamak Core Assembly, Superconducting Magnet System, and Cryogenic Plant structural support systems SHALL be designed to withstand Operational Basis Earthquake (OBE) peak ground acceleration of 0.1g and Safe Shutdown Earthquake (SSE) of 0.2g without loss of structural integrity, and SHALL maintain plasma vessel vacuum boundary integrity after an OBE event to allow post-event inspection. Rationale: Derives from SYS-REQ-011 (seismic fast shutdown). ONR Safety Assessment Principles require the primary containment and safety function support structures to maintain integrity through OBE; SSE doubles the margin. Analysis via seismic qualification reports (ASCE 4-16 methodology) is appropriate for civil/structural seismic compliance. | Analysis | idempotency:sub-seismic-structural-validation-527 |
| SUB-REQ-056 | The Tokamak Core Assembly in-vessel cooling circuit SHALL include a passive decay heat removal path capable of removing 10 MW or greater after plasma termination without reliance on active pumps, powered valves, or external power supply, using natural convection or gravity-driven flow to a heat sink maintained at ambient temperature. Rationale: Derives from SYS-REQ-007 (passive decay heat removal after LOCA). 10 MW threshold is derived from neutron activation analysis of first wall and blanket materials at rated neutron fluence; peak afterheat at 1s post-shutdown is approximately 8 MW, 10 MW adds 25% margin per nuclear design convention. Passive mechanism is mandated by IEC 61513 for loss-of-power scenarios; no active system survives a LOCA+loss-of-offsite-power combined initiator. | Test | idempotency:sub-decay-heat-passive-validation-527 |
| SUB-REQ-057 | When an operator-initiated or scheduled end-of-pulse command is received, the Plasma Control System SHALL execute a controlled plasma shutdown sequence: reduce auxiliary heating power to zero within 60 s, ramp plasma current from operating to zero over 10–30 s via ohmic coil action, cease DT fuel injection no later than 30 s before plasma current zero, and confirm plasma current extinction within 35 s of command receipt. The shutdown sequence SHALL complete without triggering a disruption. Rationale: Derives from SYS-REQ-001 (6-hour pulse implies a defined end-of-pulse transition) and the Planned Shutdown operating mode (STK S-001). A controlled current ramp-down is essential to prevent triggering a disruption during shutdown — a rapid uncontrolled de-energisation at high plasma current induces halo currents that exceed TCA structural design loads. The 10-30s ramp time is derived from plasma current decay time constant constraints for the TF/OH coil system. This requirement fills the mode coverage gap: Emergency Shutdown is covered by SUB-REQ-005, but Planned Shutdown was previously implicit only. | Test | idempotency:sub-pcs-planned-shutdown-529 |
| SUB-REQ-058 | The Tritium Plant SHALL maintain tritium accountancy and confinement functions if any single active component fails, with automatic isolation of the failed component within 30 seconds and continued operation of remaining processing loops at not less than 50% of rated throughput. Rationale: Tritium Plant is System-Essential (classified as such by UHT hex 52953218); a total shutdown requires plant-level shutdown and unplanned tritium inventory mobilisation, creating a radiological hazard. Single-failure tolerance at 50% throughput is the minimum operability margin allowing the plasma to continue operation at reduced duty cycle while maintenance is performed. | Test | idempotency:sub-tp-redund-qc-512 |
| SUB-REQ-059 | The Tritium Plant Isotope Separation System SHALL provide a hardwired manual override that, when asserted, shuts down all ISS process flows and closes all feed and product valves within 10 seconds, independent of the ISS automation system, and SHALL maintain a watchdog timer that triggers automatic process shutdown if no heartbeat is received from the supervisory control system within 60 seconds. Rationale: ISS is classified as Functionally Autonomous (hex 55973219, bit 15) and handles tritium at purity levels that could cause off-specification fuel delivery. The manual override and watchdog are required to maintain human authority over the autonomous separation process in accordance with ITER-like safety categorisation. The 60-second watchdog matches the maximum permissible undetected loss of control in the tritium plant safety assessment. | Test | idempotency:sub-iss-override-qc-512 |
| SUB-REQ-060 | When any single turbomolecular pump in the Vacuum System Turbomolecular Pump Array fails, the remaining operational pumps SHALL maintain plasma vessel pressure at or below 5×10⁻⁶ Pa within 120 seconds of the failure, and SHALL trigger a control room alarm within 10 seconds of pump fault detection. Rationale: A single pump failure must not force immediate plasma termination. The 5×10⁻⁶ Pa degraded limit provides a 5x safety margin above the radiative collapse threshold while losing one pump from the N+2 redundant array. 120 s recovery time is derived from PCS tolerance: slow pressure rise is tolerated but interlock triggers at 1e-4 Pa (per SUB-REQ-030). Addresses rt-missing-failure-mode finding on SUB-REQ-029. | Test | idempotency:sub-vac-pump-failmode-v3-531 |
| SUB-REQ-061 | When the Vacuum System Pressure Monitoring System detects a sensor fault (loss of signal, out-of-range reading, or calibration validation failure on any gauge), it SHALL flag the affected channel as invalid within 5 seconds, maintain pressure monitoring continuity using remaining gauges, and issue a control room alarm; the system SHALL NOT generate false interlock signals to the Plasma Control System on sensor fault. Rationale: Pressure monitoring is safety-critical; a false interlock causes unnecessary plasma termination while a missed real interlock risks runaway. The fail-safe design requires explicit faulty-sensor detection and degraded-mode continuity. 5-second fault detection ensures PCS receives fault notification before its 200 ms control loop deadline. Addresses rt-missing-failure-mode finding on SUB-REQ-030. | Test | idempotency:sub-vac-monitor-failmode-v3-531 |
| SUB-REQ-062 | When the Power Conversion System operates at reduced plasma thermal input (Q ≥ 3 but < 5), the PCS SHALL maintain net positive export to the 400 kV grid connection at a floor of ≥ 50 MW, with station auxiliary loads below 20 MW; if net export drops below 50 MW, the PCS SHALL alert the shift supervisor within 30 seconds. Rationale: Reduced fusion gain (Q=3) is a planned operating condition during burn campaigns when impurity accumulation or density limits are encountered. At Q=3 thermal output falls to ~60% of nominal; the PCS must still provide positive net export to satisfy commercial viability criteria in the STEP business case. The 50 MW floor is the minimum commercially meaningful export. Addresses rt-missing-failure-mode finding on SUB-REQ-041. | Test | idempotency:sub-pcs-degraded-power-v3-531 |
| SUB-REQ-063 | When any single Power Conversion System component (steam generator, turbine stage, or condenser circuit) is taken out of service for maintenance, the PCS SHALL operate in degraded configuration and maintain gross-to-net thermal efficiency ≥ 18%, with a net electrical output floor of ≥ 60 MW, for up to 72 hours until the component is restored or the plasma pulse is terminated. Rationale: Single steam generator isolation (2 of 3 steam circuits) reduces thermodynamic efficiency to ~72% of rated, giving an 18% gross-to-net floor. The 72-hour degraded window matches the planned maintenance cycle for compressor rebalancing and pump seal replacement without requiring pulse termination. Addresses rt-missing-failure-mode finding on SUB-REQ-042. | Test | idempotency:sub-pcs-degraded-efficiency-v3-531 |
| SUB-REQ-064 | When a steam generator tube leak is detected by the Steam Generator and Heat Transfer System (primary-to-secondary pressure differential loss or secondary water conductivity spike above baseline), the system SHALL automatically isolate the affected steam generator within 60 seconds, and SHALL continue heat transfer at ≥ 300 MWth using remaining circuits, with primary coolant temperature maintained at ≤ 200°C. Rationale: Steam generator tube failure is an anticipated maintenance event due to neutron embrittlement and thermal cycling fatigue. Automatic isolation within 60 s prevents tritiated primary water from migrating into the steam secondary circuit — tritium transport time across a tube-leak interface is 30-90 s, so 60 s isolation limits release to below 1 mg per event, well below the 0.1 g single-event limit in SYS-REQ-005. Addresses rt-missing-failure-mode finding on SUB-REQ-044. | Test | idempotency:sub-sg-tube-leak-failmode-v3-531 |
| SUB-REQ-066 | The Vacuum System Pressure Monitoring System SHALL operate from a dedicated UPS-backed 230V AC supply, consuming no more than 2 kW total, and SHALL maintain full measurement capability within 1 second of primary supply failure during plasma burn, switching to battery backup rated for 8 hours continuous operation. Rationale: The VSPMS is classified as Powered (Substrate trait bit 4). A vacuum leak during plasma burn requires sub-second detection and response; loss of pressure monitoring capability is a precursor to uncontrolled plasma disruption. The 8-hour backup requirement covers extended maintenance or grid disturbance scenarios during which the vacuum boundary must be continuously monitored. The 2 kW consumption budget is consistent with the instrument density of the monitoring array. | Test | idempotency:sub-vspms-power-budget-qc-550 |
| SUB-REQ-067 | The Cryogenic Plant SHALL incorporate N+1 redundancy for all compressor trains and cold-box modules, such that loss of any single compressor or cold-box unit does not reduce helium refrigeration capacity below 80% of nominal, and the system SHALL restore full refrigeration capacity within 4 hours by hot-swap of the failed unit without requiring magnet warm-up. Rationale: The Cryogenic Plant is classified System-Essential (Substrate trait bit 16) — loss of helium refrigeration causes magnet warm-up, disruption of plasma operations, and a multi-week recovery cycle. N+1 redundancy is the minimum architecture to ensure a single equipment failure does not force a campaign-ending magnet quench. The 4-hour recovery time is derived from the magnet temperature budget: TF coil thermal mass allows 4 hours without active refrigeration before exceeding the critical current margin by more than 10%. | Test | idempotency:sub-cryo-redundancy-qc-550 |
| SUB-REQ-068 | The Tritium Plant SHALL implement dual independent confinement barriers on all processing and storage vessels, with automatic isolation valve actuation within 500 ms of any primary confinement breach signal, and SHALL maintain tritium accountancy and emergency isolation functions on a dedicated safety-class power supply independent of the plant normal supply. Rationale: The Tritium Plant is classified both System-Essential (bit 16) and Ethically Significant (bit 32). Tritium release is the primary radiological hazard to the public and workforce; dual independent confinement barriers are the minimum defence-in-depth required by ONR safety assessment principles. The 500 ms isolation actuation time is derived from tritium dispersion modelling: at worst-case leak rates, isolating within 500 ms limits the release to below the threshold for offsite emergency notification under IRR 2017. Derives from SYS-REQ-005. | Test | idempotency:sub-tritium-redundancy-qc-550 |
| SUB-REQ-069 | The Superconducting Magnet System SHALL implement independent quench detection channels on each coil, with a minimum of two independent vote-2-of-3 detection chains per coil group, such that a single channel failure does not prevent quench detection or initiate a spurious magnet dump, and the system SHALL dump stored coil energy into dedicated dump resistors within 10 s of a confirmed quench signal. Rationale: The Superconducting Magnet System is System-Essential (bit 16); a missed quench causes coil destruction and an unrecoverable campaign loss. Vote-2-of-3 quench detection is the established design pattern for fusion devices (JET, ITER) to balance false-positive avoidance against miss probability. The 10-second dump time is derived from the maximum energy deposited in the quench zone before conductor damage occurs at the design current margin. Derives from SYS-REQ-006. | Test | idempotency:sub-magnet-redundancy-qc-550 |
| SUB-REQ-070 | The Radiation Protection System SHALL implement engineering ALARA measures at subsystem level: remote handling replacement of all components rated >10 mSv/h contact dose, biological shielding in maintenance aisles to <0.5 mSv/h, and personnel dose tracking with automatic withdrawal notification when individual accumulated dose exceeds 80% of the annual constraint (1 mSv above background). Rationale: SYS-REQ-016 mandates ALARA under UK IRR 2017 at system level; this requirement decomposes ALARA into subsystem-actionable constraints. Remote handling above 10 mSv/h is the ONR-guidance threshold beyond which contact work is ALARA-unjustifiable. The 0.5 mSv/h maintenance aisle limit is derived from a 2-hour maximum maintenance visit budget to remain below the 1 mSv annual dose constraint. Automatic 80%-threshold notification is the standard nuclear industry practice for individual dose management. | Inspection | idempotency:sub-alara-radiation-qc-550 |
| SUB-REQ-071 | Verify REQ-SESTEPFUSIONPOWERPLANT-117: On the VSPMS integration test bench, switch off the primary 230V AC supply and measure time-to-restore measurement capability; confirm ≤1 second switchover. Run VSPMS on battery backup for 8 hours at nominal load; confirm continuous measurement within specification throughout. Measure total system power draw under nominal operating conditions; confirm ≤2 kW. Rationale: Power continuity and budget are verified by injection and measurement rather than analysis because the requirement specifies hard numeric thresholds at a subsystem level. Timing and power draw can only be confirmed empirically on the actual hardware. | Test | idempotency:ver-vspms-power-qc-550 |
| SUB-REQ-072 | Verify REQ-SESTEPFUSIONPOWERPLANT-118: During Cryogenic Plant Factory Acceptance Test, disable one compressor train and measure steady-state refrigeration capacity; confirm ≥80% of nominal. Commence replacement of disabled unit and verify that full capacity is restored within 4 hours without requiring controlled magnet warm-up cycle. Repeat for each N+1 module in sequence. Rationale: N+1 redundancy and hot-swap capability must be demonstrated by actual failure injection at FAT; analysis cannot confirm the 4-hour restoration target without testing actual maintenance procedures and thermal transient behaviour. | Test | idempotency:ver-cryo-redundancy-qc-550 |
| SUB-REQ-073 | The Remote Handling System SHALL implement a dual-path control architecture with independent main and backup control rooms, such that loss of the primary control station does not prevent completion of any in-progress maintenance task, and full Remote Handling System capability SHALL be restorable from the backup station within 15 minutes. Rationale: The Remote Handling System is classified System-Essential (UHT trait bit 16): loss of RHS during in-vessel maintenance leaves activated components in an irrecoverable mid-operation state, creating radiological and structural hazards. Dual control path is the minimum redundancy for a safety-critical human interface. The 15-minute switchover time is derived from the maximum safe hold time for suspended tooling loads inside the vacuum vessel (based on tritium permeation and structural stability limits for unsupported blanket modules). | Test | subsystem, remote-handling-system, redundancy, sil-1, session-552, idempotency:sub-rhs-redundancy-dual-path-552 |
| SUB-REQ-074 | The Superconducting Magnet System Magnet Power Supply System SHALL implement N+1 redundancy for all AC/DC converter modules, such that loss of any single converter does not reduce total available magnet current by more than 10%, and the system SHALL continue plasma-sustaining magnetic field without initiating a disruption. Rationale: The Superconducting Magnet System is classified System-Essential (UHT trait bit 16). The MPS is the only source of current for all 18 TF coils and the CS; a single-converter failure with no redundancy would require controlled current ramp-down and plasma termination, losing the plasma campaign. N+1 converter redundancy is the minimum to sustain field during a single module failure. The 10% tolerance is derived from the TF coil current regulation envelope — field variation up to 10% above/below nominal is recoverable by PCS feed-forward control without disruption. | Test | subsystem, superconducting-magnet-system, redundancy, sil-2, session-552, idempotency:sub-sms-mps-n1-redundancy-552 |
| SUB-REQ-075 | The Vacuum System SHALL implement N+1 redundancy for all primary and backing pump trains on the torus and neutral beam injection lines, such that loss of any single pump does not increase torus base pressure above 5e-6 Pa, and the standby pump SHALL achieve full pumping speed within 60 seconds of primary pump trip. Rationale: The Vacuum System is System-Essential (UHT trait bit 16). Loss of primary pumping capability causes impurity ingress that poisons plasma operations; without redundancy a single pump failure forces plasma termination and extended pump-down recovery. N+1 pump redundancy is standard practice for nuclear vacuum systems. The 5e-6 Pa threshold (5x the nominal 1e-6 Pa base) is derived from plasma sustainability modelling: impurity fraction above 0.5 percent causes effective Z > 1.5, terminating the burn. The 60-second standby activation time is derived from the torus outgassing rate at operational temperatures. | Test | subsystem, vacuum-system, redundancy, sil-2, session-552, idempotency:sub-vs-pump-n1-redundancy-552 |
| SUB-REQ-076 | The Vacuum System SHALL qualify all torus vacuum vessel seals and penetration flanges to a leak rate of less than 1e-9 Pa m3/s per seal under all operational modes including plasma burn, bake-out at 350 degrees C, and seismic loading at 0.1g OBE, with helium leak testing performed at each maintenance interval before plasma operations resume. Rationale: SYS-REQ-008 mandates total torus leak rate below 1e-9 Pa m3/s per seal during all operational modes; this SUB requirement decomposes that constraint onto the specific seal qualification programme. Three modes drive the envelope: bake-out at 350 degrees C generates maximum thermal expansion stresses on ConFlat flanges; plasma burn creates neutron fluence degradation of elastomeric components over time; OBE seismic event imposes dynamic loads on all penetrations. Helium leak testing at each maintenance interval is required because the tokamak assembly undergoes thermal cycling that can relax flange preloads. | Test | subsystem, vacuum-system, sil-2, session-552, idempotency:sub-vs-seal-qualification-552 |
| SUB-REQ-078 | When a Design Basis Accident is declared, the Tritium Plant SHALL automatically isolate all tritium process and storage vessels within 30 seconds and initiate passive Atmosphere Detritiation System activation, ensuring tritium release to the environment does not exceed 1 g total inventory escape per DBA event, consistent with the ONR Basic Safety Level dose limit of 1 mSv effective dose to any member of the public. Rationale: SYS-REQ-018 defines the DBA set with tritium release as the primary radiological pathway. The Tritium Plant holds the largest on-site tritium inventory; automatic isolation within 30 seconds is derived from atmospheric dispersion modelling showing 1 g escape limit is achievable only with immediate isolation. Failure to decompose this to the Tritium Plant would leave the most safety-critical DBA pathway without a verifiable subsystem-level requirement. | Test | subsystem, tritium-plant, sil-3, dba, session-553, idempotency:sub-tritiumplant-dba-isolation-553 |
| SUB-REQ-079 | The Tokamak Core Assembly SHALL define and implement Design Basis Accident response for in-vessel component failure and loss-of-cooling events such that effective dose to any member of the public does not exceed 1 mSv within the 48-hour post-event monitoring period, with passive decay heat removal maintaining first-wall temperature below material damage thresholds for a minimum of 72 hours without active cooling. Rationale: SYS-REQ-018(b) and (d) define in-vessel failure and loss-of-cooling as explicit DBAs. The Tokamak Core Assembly houses the activated first-wall and blanket structures that are the primary heat source during loss-of-cooling; the 72-hour passive cooling window is derived from maintenance access planning for post-accident recovery, and 1 mSv dose limit flows directly from SYS-REQ-018 Basic Safety Level specification. | Analysis | subsystem, tokamak-core-assembly, sil-3, dba, session-553, idempotency:sub-tca-dba-cooling-553 |
| SUB-REQ-080 | The Tritium Plant SHALL operate all tritium handling and storage activities under an approved Radiological Risk Assessment conforming to UK Ionising Radiations Regulations 2017 (SI 2017/1075), with routine operational whole-body dose to any worker not exceeding 1 mSv/year above background, a designated Radiation Protection Supervisor nominated for each work area, and all tritium inventories logged to ±0.1 g accuracy in the site nuclear material accountancy system. Rationale: SYS-REQ-016 specifies UK IRR 2017 compliance and ALARA dose management. The Tritium Plant is the primary tritium handling system on site and the principal location of occupational dose risk; without a subsystem-level requirement, the IRR 2017 obligation has no owner in the decomposition and cannot be verified at subsystem CDR. | Inspection | subsystem, tritium-plant, sil-3, regulatory, session-553, idempotency:sub-tritiumplant-irr2017-553 |
| SUB-REQ-081 | The Vacuum System SHALL maintain plasma vessel seal integrity during all operational modes — including steady-state plasma burn, inter-shot vessel conditioning, and remote maintenance access — with individual penetration leak rate not exceeding 1×10⁻⁹ Pa·m³/s and total vessel leak rate not exceeding 1×10⁻⁶ Pa·m³/s combined, verified by residual gas analysis following every vessel intervention. Rationale: SYS-REQ-008 specifies per-seal and total vessel leak rate limits. This subsystem requirement decomposes SYS-REQ-008 to the Vacuum System as the responsible subsystem for vessel boundary integrity. The additional requirement for RGA verification after every intervention prevents undetected seal degradation during maintenance campaigns, which is the primary failure mode for vacuum boundary loss. | Test | subsystem, vacuum-system, sil-2, session-553, idempotency:sub-vacuum-seal-modes-553 |
| SUB-REQ-082 | The Tritium Plant SHALL maintain all required environmental permits under the Environmental Permitting (England and Wales) Regulations 2016 and compliance with the Nuclear Installations Act 1965 as administered by the Office for Nuclear Regulation, with tritium atmospheric discharges logged against authorised limit conditions and annual third-party audit of the site Environmental Management System conforming to ISO 14001:2015 demonstrating continuous compliance. Rationale: SYS-REQ-019 mandates EP Regulations 2016, Nuclear Installations Act 1965, and ISO 14001 EMS compliance. The Tritium Plant is the largest tritium atmospheric discharge point on site and therefore the primary subject of environmental permitting conditions; without this subsystem decomposition, the regulatory obligations identified in SYS-REQ-019 have no verifiable owner at subsystem level. | Inspection | subsystem, tritium-plant, regulatory, session-553, idempotency:sub-tritiumplant-env-permit-553 |
| SUB-REQ-083 | The Tritium Plant SHALL implement N+1 process module redundancy for all active tritium processing stages — isotope separation, tritium purification, and storage vessel management — such that failure of any single active process module maintains tritium fuel throughput at not less than 50% of rated capacity (100 Pa·m³/s D-T equivalent), sufficient to sustain plasma operations at reduced duty cycle and prevent unplanned plasma shutdown due to fuel starvation. Rationale: UHT classifies tritium plant as System-Essential (bit 16), indicating a single failure stops the entire system. The 50% throughput floor is derived from minimum plasma Q-value operation requirements: D-T fuel delivery below 50% cannot sustain ignition at design density. N+1 redundancy at module level is preferred over N+2 due to tritium inventory minimisation constraints — excessive redundant inventory increases radiological hazard without proportional benefit. | Test | subsystem, tritium-plant, sil-3, redundancy, session-553, idempotency:sub-tritiumplant-n1-redundancy-553 |
| SUB-REQ-084 | The Superconducting Magnet System SHALL implement a passive quench energy absorption architecture such that failure of any single active quench detection channel does not result in magnet winding damage, with passive architecture verified by analysis to safely absorb 100% of total stored magnetic energy (≥10 GJ nominal) within the energy dump resistor network without requiring active triggering, and with quench protection remaining functional following any single hardware failure in the protection logic. Rationale: UHT classifies superconducting magnet system as System-Essential (bit 16); a magnet quench cascade is DBA scenario (c) in SYS-REQ-018. The existing SUB-REQ-074 addresses N+1 for the power supply converters but does not cover quench protection redundancy at the system level. The passive energy absorption requirement eliminates the need for active triggering as the primary mitigation, reducing reliance on detection latency and providing defence-in-depth against single-channel detection failure. | Analysis | subsystem, superconducting-magnet-system, sil-2, redundancy, dba, session-553, idempotency:sub-sms-passive-quench-protection-553 |
| SUB-REQ-085 | The Superconducting Magnet System TF Coil Set conductor SHALL use cable-in-conduit conductor (CICC) technology fabricated from Nb3Sn superconducting strands with critical current density not less than 700 A/mm² at 12 T and 4.5 K in the cabled configuration, and the coil winding pack SHALL withstand a minimum of 60,000 electromagnetic load cycles over the plant operational lifetime without conductor degradation exceeding 5% critical current reduction from beginning-of-life values. Rationale: UHT classifies coil set as Synthetic (bit 2) and Physical Medium (bit 7), flagging absence of material specification requirements. Nb3Sn CICC is the only commercially qualified superconductor meeting the toroidal field requirement at STEP bore dimensions. The 700 A/mm² floor at 12T/4.5K is derived from field-on-axis and coil geometry analysis; without minimum critical current density, TF coil performance cannot be verified against SUB-REQ-025. The 60,000 cycle fatigue limit corresponds to 40-year plant life at 4 plasma pulses per day. | Test | subsystem, superconducting-magnet-system, coil-set, material, session-553, idempotency:sub-sms-coilset-material-553 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between Tokamak Core Assembly and Superconducting Magnet System SHALL provide magnetic field confinement with toroidal field 3-4T at plasma centre, field ripple < 1%, and structural support for centering forces up to 100 MN, transmitted through the cryostat and gravity support structure. Rationale: Primary confinement interface: magnets surround the tokamak and generate the confining field. Forces are transmitted through structural supports that must accommodate thermal contraction from 300K to 4.5K. Field ripple affects plasma confinement quality and NTM stability. | Test | interface, tokamak, magnet, session-506, idempotency:ifc-tca-sms-506 |
| IFC-REQ-002 | The interface between Cryogenic Plant and Superconducting Magnet System SHALL deliver helium coolant at 4.5 ± 0.1 K and 80 ± 2 K (thermal shields) via cryogenic transfer lines with total heat leak < 5 W/m, supporting steady-state cooling capacity of 80 kW at 4.5 K. Rationale: Cryogenic transfer lines are the physical interface carrying liquid/supercritical helium from the cryoplant cold box to magnet cryostats. Temperature stability is critical for HTS performance; heat leak budget drives transfer line insulation design. | Test | interface, cryogenic, magnet, session-506, idempotency:ifc-cry-sms-506 |
| IFC-REQ-003 | The interface between Tritium Plant and Tokamak Core Assembly SHALL transport fuel pellets (frozen D-T ice at ~18 K) at injection velocities 100-1000 m/s and extract divertor exhaust gas (D, T, He, impurities) at 10-100 Pa through the torus exhaust pumping duct. Rationale: Fuel injection and exhaust extraction are the mass flow interface between tritium processing and the plasma. Pellet velocity determines fuelling depth profile; exhaust pressure determines pumping speed requirements. All lines must maintain double tritium containment. | Test | interface, tritium, tokamak, session-506, idempotency:ifc-trp-tca-506 |
| IFC-REQ-004 | The interface between Tokamak Core Assembly and Power Conversion System SHALL transfer thermal power via primary coolant (lithium-lead or helium at inlet/outlet temperatures of 300/500°C) through the breeding blanket and divertor cooling circuits, with total thermal capacity ≥ 500 MW. Rationale: This is the energy capture interface: neutrons and radiation deposit heat in blanket/divertor, primary coolant transports it to heat exchangers. Outlet temperature of 500°C drives Rankine cycle efficiency. Coolant choice (LiPb vs He) affects TBR and heat transfer coefficients. | Test | interface, tokamak, power, session-506, idempotency:ifc-tca-pcs-506 |
| IFC-REQ-005 | The interface between Plasma Control System and Tokamak Core Assembly SHALL provide bidirectional data exchange: diagnostic signals from ≥ 40 sensor systems (magnetic, kinetic, spectroscopic) at ≥ 1 kHz to the controller, and actuator commands (gas valves, pellet injector, disruption mitigation) with end-to-end latency ≤ 1 ms. Rationale: Real-time plasma control requires high-bandwidth, low-latency acquisition of plasma state and deterministic actuation. 1 ms latency budget is driven by vertical stability growth rate of the spherical tokamak (~100 µs growth time requires ~1 kHz control bandwidth). | Test | interface, control, tokamak, session-506, idempotency:ifc-plc-tca-506 |
| IFC-REQ-006 | The interface between Plasma Control System and Superconducting Magnet System SHALL command coil current changes via magnet power supplies with current regulation accuracy ≤ 0.1% and response time ≤ 10 ms for plasma position and shape control. Rationale: Plasma position/shape control drives coil currents via the PF/CS power supplies. 0.1% current accuracy maps to ~mm plasma position accuracy. 10 ms response time supports the 100 Hz outer control loop for shape maintenance. | Test | interface, control, magnet, session-506, idempotency:ifc-plc-sms-506 |
| IFC-REQ-007 | The interface between Vacuum System and Tokamak Core Assembly SHALL maintain base pressure < 1×10⁻⁶ Pa in the plasma vessel via cryopumps with effective pumping speed ≥ 50 m³/s for deuterium, and handle helium ash exhaust during burn. Rationale: Vacuum quality directly affects plasma purity and performance. Pumping speed must exceed gas throughput from fuel injection, wall recycling, and helium ash production (~5% of D-T burn rate). Cryopumps are regenerated cyclically between pulses. | Test | interface, vacuum, tokamak, session-506, idempotency:ifc-vac-tca-506 |
| IFC-REQ-008 | The interface between Remote Handling System and Tokamak Core Assembly SHALL provide maintenance access through horizontal (≥ 4) and vertical (≥ 2) ports with clear bore ≥ 1.5 m, supporting component transfer loads up to 10 tonnes per cassette. Rationale: Port size and number constrain the maintenance campaign duration and component design. 1.5 m bore allows divertor cassette extraction; 10 tonne limit drives manipulator and transfer cask structural design. Port locations must not compromise magnetic field quality. | Demonstration | interface, remote-handling, tokamak, session-506, idempotency:ifc-rhs-tca-506 |
| IFC-REQ-009 | The interface between Power Conversion System and National Electrical Grid SHALL export ≥ 100 MW at 400 kV, 50 Hz via the switchyard, with power factor ≥ 0.95, harmonic distortion < 3% THD, and fault ride-through capability per Grid Code CC.6.3. Rationale: External interface to National Grid ESO. Grid Code compliance is mandatory for connection. Fault ride-through prevents cascade disconnection during grid disturbances. Power factor and THD limits are standard Grid Code requirements for generation above 50 MW. | Test | interface, external, power, grid, session-506, idempotency:ifc-pcs-grid-506 |
| IFC-REQ-010 | The interface between the Tritium Plant and Cryogenic Plant SHALL supply liquid nitrogen at 77 K +/- 2 K at a flow rate of 0.5 kg/s minimum to each cryogenic distillation column, with uninterrupted supply during all tritium processing modes. Rationale: Isotope separation by cryogenic distillation requires LN2 cooling at 77 K. Interruption stalls separation and risks tritium accumulating outside controlled process volumes. 0.5 kg/s per column derived from column heat duty at rated throughput 5 g T/day. | Test | idempotency:ifc-trp-cry-508 |
| IFC-REQ-011 | The interface between the Vacuum System and Tritium Plant SHALL transfer tritiated exhaust gas at throughput up to 200 Pa.m3/s from the divertor cryopumps to the Tritium Plant permeator inlet, with all interconnecting lines double-walled with secondary confinement and helium leak-test verified to less than 1e-9 Pa.m3/s. Rationale: Tritium-loaded exhaust from divertor pumping must be routed to the Tritium Plant for isotope recovery; direct venting would violate SYS-REQ-005 tritium containment. 200 Pa.m3/s is the peak exhaust load derived from helium ash production rate plus fuelling gas throughput at Q=5 burn. | Test | idempotency:ifc-vac-trp-508 |
| IFC-REQ-012 | The interface between the Plasma Control System and Vacuum System SHALL transmit divertor neutral gas pumping speed setpoints in the range 0 to 50 m3/s at update rate of 10 Hz with response latency of 500 ms or less, with continuous helium partial pressure feedback from the divertor region. Rationale: Divertor pumping speed controls helium ash exhaust and plasma purity. 50 m3/s maximum is derived from the divertor conductance at operating pressure; 10 Hz update rate and 500 ms latency are sufficient given the helium particle confinement time in the scrape-off layer of several seconds. | Test | idempotency:ifc-pcs-vac-508 |
| IFC-REQ-013 | The interface between the Plasma Control System and Tritium Plant SHALL transmit pellet fuel injection rate commands at update rate of 100 Hz or higher with command latency of 100 ms or less, over a safety-rated control network with status feedback from the pellet injector confirming execution within 200 ms. Rationale: Real-time fuelling control is required to maintain D-T fuel mix and plasma density for Q >= 5 burn. 100 Hz update rate and 100 ms latency are derived from the plasma particle confinement time (~300 ms) requiring density corrections at least 3 times per confinement time. | Test | idempotency:ifc-pcs-trp-508 |
| IFC-REQ-014 | The interface between the Power Conversion System coil power supplies and Superconducting Magnet System SHALL deliver DC current to each TF, PF, and CS coil group at up to 80 kA with current stability of 0.01 percent peak-to-peak and current ramp rate up to 10 kA/s, with independent quench detection interlock per coil group. Rationale: TF coil current stability of 0.01% maps to field ripple stability meeting the IFC-REQ-001 limit of 0.5%. Ramp rate of 10 kA/s is set by the maximum allowable eddy-current heat deposition in the cryostat during CS pre-magnetisation, derived from the thermal budget per pulse cycle. | Test | rt-resolved-session-531 |
| IFC-REQ-015 | The interface between the Remote Handling System and Tritium Plant SHALL ensure all remote handling tools operating inside the tritium secondary containment boundary are decontaminable to a surface tritium activity of 1 Bq/cm2 or less, with all tool wetted surfaces constructed from tritium-compatible materials (stainless steel 316L or approved equivalent) rated for 10 year service life. Rationale: Tool decontaminability is required for personnel safety when tools are withdrawn from the tritium boundary. 1 Bq/cm2 is the regulatory limit for unrestricted material transfer under ONR guidance. 316L SS is the baseline tritium-compatible material per ITER material qualification programme. | Inspection | rt-resolved-session-531 |
| IFC-REQ-016 | The interface between the Cryogenic Plant and Vacuum System SHALL supply 4.5 K cold heads to up to 20 vacuum cryopump bodies at a total heat load of 5 W per cryopump, with cold head temperature stability of 0.2 K and helium boil-off gas from regenerating cryopumps returned to the Cryogenic Plant gas recovery system. Rationale: Vacuum cryopumps on the divertor and torus use helium cold heads at 4.5 K to maintain pumping speed > 50 m3/s for SYS-REQ-008. 5 W per cryopump is from the manufacturer heat load specification. Gas recovery prevents helium loss and maintains cryoplant efficiency. | Test | idempotency:ifc-cry-vac-508 |
| IFC-REQ-017 | The interface between the Plasma Control System and Remote Handling System SHALL provide hardwired interlock signals preventing plasma ignition or magnet energisation during remote maintenance operations, with interlock bypass requiring two-key authorisation and a positive confirmation from the Remote Handling System controller before restoration. Rationale: Personnel safety during maintenance campaigns requires hardware interlocks preventing inadvertent plasma or magnet activation when RHS tools are inside the machine. The two-key mechanism provides defence-in-depth per SIL-3 requirements for safety-critical interlocks; software-only interlocks are insufficient for ONR licensing. | Demonstration | idempotency:ifc-pcs-rhs-interlock-508 |
| IFC-REQ-018 | The interface between the Power Conversion System and Tokamak Core Assembly SHALL supply auxiliary AC electrical power at 33 kV, 11 kV, and 415 V plant buses to Tokamak Core Assembly services including in-vessel diagnostics, auxiliary heating bus bars, blanket coolant pump drives, and radiation monitoring, with availability of 99.9 percent or better during plasma operations. Rationale: TCA requires continuous auxiliary power for diagnostics (SYS-REQ-013), active cooling, and safety-classified loads. 99.9% availability is derived from allowable plasma interruption frequency: more than 1 unplanned outage per 1000 hours would prevent achieving SYS-REQ-010 operational availability of 50%. | Test | idempotency:ifc-pcs-tca-aux-508 |
| IFC-REQ-019 | The interface between the National Electrical Grid and Power Conversion System for station loads SHALL import auxiliary power at 33 kV from the grid to maintain station essential services during pre-ignition start-up and maintenance periods at loads up to 50 MW, with automatic transfer to on-site diesel generation within 10 seconds of grid loss. Rationale: STEP requires grid power during start-up before the plant is generating. The 50 MW station load is the total auxiliary demand including cryoplant compressors, tritium plant, and HVAC. 10 s diesel transfer time is set by the critical load hold-up time for uninterruptible supply systems. | Test | rt-resolved-session-531 |
| IFC-REQ-020 | The interface between the Tokamak Core Assembly and Cryogenic Plant for vessel bake-out SHALL supply hot nitrogen gas at 200°C ± 5°C and ≥ 5 bar gauge at a mass flow rate of ≥ 2 kg/s to the first wall in-vessel bake-out circuit to achieve 200°C wall temperature within 24 hours of bake initiation, with thermal gradient to superconducting magnet cryostats limited to ≤ 5 K/hr. Rationale: In-vessel bake-out at 200°C is required to drive out water and hydrocarbon impurities that would compromise vacuum base pressure. The 2 kg/s nitrogen flow rate is derived from in-vessel first wall surface area (~500 m²), heat capacity of tungsten-armoured steel panels, and the 24-hour thermal soak target. The 5 K/hr thermal gradient limit to magnet cryostats is the manufacturer's constraint to avoid thermal fatigue cracking of the cold-warm transition components. Original text used 'sufficient' (non-measurable); revised to 2 kg/s specific value in validation session 519. | Test | idempotency:ifc-tca-cry-bakeout-508 |
| IFC-REQ-021 | The interface between the Tritium Plant Plasma Exhaust Processing System and the Isotope Separation System SHALL transfer purified hydrogen isotopologue stream at pressures between 1 kPa and 100 kPa, with helium content below 100 ppm and water vapour below 1 ppm, via a double-wall tritium-tight transfer line. Rationale: These purity and pressure specifications are the input requirements for the ISS cryogenic distillation columns. Helium above 100 ppm would freeze out in the columns and cause blockage; water above 1 ppm poisons the Pd membrane catalysts. Double-wall transfer line is required by the tritium double-containment principle. Interface derives from IFC-REQ-011 (external vacuum-tritium plant boundary). | Test | interface, tritium-plant, sil-3, session-510, idempotency:ifc-trp-peps-iss-510 |
| IFC-REQ-022 | The interface between the Tritium Plant Isotope Separation System and the Tritium Storage and Delivery System SHALL transfer DT product at purity greater than 99.9% hydrogen isotopes via a metal hydride buffer vessel, with batch transfer latency not exceeding 15 minutes and transfer rate up to 5 g tritium equivalent per hour. Rationale: 15-minute batch transfer latency and 5 g/h transfer rate maintain the fuel cycle inventory balance without creating large transient tritium accumulations in transfer lines. The buffer vessel decouples the distillation column cycle time from the storage refill demand. Derives from IFC-REQ-013 (PCS pellet injection command interface) which requires fuel on demand within the fueling system response time. | Test | interface, tritium-plant, sil-3, session-510, idempotency:ifc-trp-iss-tsds-510 |
| IFC-REQ-023 | The interface between the Tritium Plant Blanket Tritium Extraction System and the Isotope Separation System SHALL transfer extracted tritium-in-helium at a concentration of 0.1 to 1% tritium by volume, at flow rates between 1 and 10 standard litres per minute, through a dedicated permeator and compressor stage. Rationale: Blanket purge gas arrives at ~0.1-1% tritium concentration after permeation extraction from the breeding pebbles. A dedicated feed compressor and permeator stage is required because the BTES output pressure and purity differ significantly from the PEPS exhaust stream, preventing direct commingling which would upset the ISS distillation balance. Derives from SYS-REQ-003 (TBR closure) and the blanket tritium extraction architecture decision. | Test | interface, tritium-plant, sil-2, session-510, idempotency:ifc-trp-btes-iss-510 |
| IFC-REQ-024 | The interface between the Superconducting Magnet System Quench Detection and Protection System and the Magnet Power Supply System SHALL transmit a hardwired quench interlock signal within 1 ms of quench detection, causing the Power Supply System to open all coil current loops and connect dump resistors. Rationale: 1 ms hardwired path is required because the 50 ms total dump initiation budget (from SUB-REQ-023) must accommodate 10 ms detection, signal transmission, and power electronics switching. Software-routed signals add latency that would exceed this budget. Derives from SUB-REQ-023 and the SYS-REQ-006 quench management requirement. | Test | interface, superconducting-magnet-system, sil-2, session-510, idempotency:ifc-sms-qdps-mps-510 |
| IFC-REQ-025 | The interface between the Magnet Power Supply System and the TF Coil Set SHALL provide a DC bus voltage of up to 30 kV and a peak current of 80 kA, with a current measurement accuracy of better than 0.01% full scale provided by a Rogowski coil transducer, transmitted to the Plasma Control System via IEC 61850 GOOSE messaging at 1 kHz. Rationale: 80 kA at 30 kV derived from TF coil inductance and target 2-hour ramp-up. 0.01% current accuracy is required to meet the 10 ppm field ripple in SUB-REQ-026 — coil current is the dominant field error source. IEC 61850 GOOSE selected for deterministic sub-ms latency required by plasma control. | Test | interface, superconducting-magnet-system, session-511, idempotency:ifc-mpss-tf-power-511 |
| IFC-REQ-026 | The interface between the Quench Detection and Protection System and the TF Coil Set SHALL monitor the voltage across each superconducting coil pancake via galvanically isolated voltage taps with a measurement bandwidth of at least 1 kHz and an input impedance of greater than 1 MΩ to prevent current diversion. Rationale: 1 kHz measurement bandwidth is required to detect the resistive voltage transient within the 10 ms window of SUB-REQ-023. High input impedance prevents voltage tap leads from acting as a current bypass path in the coil, which could mask the resistive signature and delay quench detection. | Test | interface, superconducting-magnet-system, session-511, idempotency:ifc-qdps-tf-voltages-511 |
| IFC-REQ-027 | The interface between the Vacuum System Pressure Monitoring System and the Plasma Control System SHALL transmit digitised vessel pressure readings from all active gauges at a rate of 10 Hz per gauge over a dedicated Ethernet link (1 Gbit/s), with end-to-end latency not exceeding 50 ms, and SHALL transmit hardwired analogue interlock signals on a dedicated 24 V DC loop for pressure threshold exceedance. Rationale: 10 Hz update rate matches the PCS plasma control bandwidth. Hardwired analogue interlock loop is required because the 200 ms SIL-2 interlock requirement in SUB-REQ-030 cannot be guaranteed over a shared digital network — dedicated hardwired signal ensures deterministic delivery independent of Ethernet congestion. | Test | interface, vacuum-system, session-511, idempotency:ifc-vs-pressure-pcs-511 |
| IFC-REQ-028 | The interface between the Helium Refrigeration System and the Cryogenic Transfer Line Network SHALL supply supercritical helium at 4.5 K ± 0.2 K and 3 bar ± 0.1 bar with a flow rate of 40 g/s per train through DN50 vacuum-jacketed bayonet couplings rated to 20 bar. Rationale: Magnet cryostat inlet conditions require 4.5K ± 0.2K to maintain HTS coil superconductivity with adequate margin to Tcs. 3 bar supply pressure is the minimum to overcome transfer line pressure drop over 200m run. DN50 bayonet couplings are the IEA standard for fusion-scale cryoplant interfaces. | Test | interface, cryogenic-plant, session-513, idempotency:ifc-hrs-ctln-513 |
| IFC-REQ-029 | The interface between the Cryogenic Control System and the Helium Refrigeration System SHALL transmit cold box setpoints, valve commands, and alarm acknowledgements over a redundant Profibus DP or equivalent fieldbus at ≤ 100 ms scan cycle, with hardwired emergency stop signals independent of the fieldbus. Rationale: 100ms scan cycle supports the cool-down rate control loop bandwidth (minimum 1Hz required for 5K/hr gradient control). Hardwired e-stop independence is an IEC 61508 SIL 2 requirement — safety functions must not depend on network communication paths that can fail silently. | Test | interface, cryogenic-plant, session-513, idempotency:ifc-ccs-hrs-513 |
| IFC-REQ-030 | The interface between the Helium Management System and the Helium Refrigeration System SHALL supply helium gas at 200 bar ± 5 bar and ≥ 99.999% purity through DN25 high-pressure connections at a maximum flow rate of ≥ 25 Nm³/hr, enabling refill of a 1,250 NL helium buffer from 50% to 100% capacity within ≤ 4 hours. Rationale: Post-quench recovery requires repressurising the 4.5 K helium circuit from residual gas recovered during venting. 1,250 NL buffer at 200 bar stores the equivalent of 5,000 L dewar capacity as specified in the original requirement; 25 Nm³/hr flow rate gives 1,250/25 = 50 hours to fill from empty, but the 50%-to-100% case is 625 NL / 25 Nm³/hr = 25 hours; to achieve the ≤4 hour target from 50%, the flow rate must be ≥ 625/4 = 156 NL/hr = 0.156 Nm³/hr. However the 200-bar compression of 1,250 L standard requires 6.25 Nm³; at ≥25 Nm³/hr, fill time is ≤15 min; value chosen to match post-quench recovery logistics. Removed 'sufficient' ambiguity; quantified as ≥25 Nm³/hr. Revised in validation session 519. | Test | interface, cryogenic-plant, session-513, idempotency:ifc-hms-hrs-513 |
| IFC-REQ-031 | The interface between the In-Vessel Inspection and Maintenance Manipulator and the Remote Handling Control Suite SHALL use a real-time motion control protocol (EtherCAT or equivalent) with command cycle time ≤ 4 ms and position feedback latency ≤ 8 ms under full-motion conditions. Rationale: Human-in-the-loop teleoperation at 1 mm positioning accuracy requires the control loop bandwidth to exceed 125 Hz (1/8ms). Below this rate, operator perception delay causes instability in fine positioning. EtherCAT is radiation-tolerant at standoff distances (electronics in remote handling control room, fibre-optic link into vessel) and is the ITER RH standard. | Test | interface, remote-handling-system, sil-1, session-514, idempotency:ifc-ivimm-rhcs-514 |
| IFC-REQ-032 | The interface between the Remote Handling Transfer Cask and the tokamak vessel port SHALL provide a contamination-free docking connection with helium leak rate < 1×10^-9 Pa·m³/s when mated, and shall not impose structural loading exceeding 5 kN vertical force on the vessel port flange. Rationale: Tritium contamination of the cask transfer corridor is the primary consequence of a failed port-cask docking. The 10^-9 Pa·m³/s leak rate is the same standard as the primary vessel boundary (SYS-REQ-008 basis). The 5 kN structural limit is derived from vessel port flange thermal stress budget, which already consumes 15 kN of the 20 kN port load allowance from magnetic forces. | Test | rt-resolved-session-531 |
| IFC-REQ-033 | The interface between the In-Vessel Viewing and Monitoring System and the Remote Handling Control Suite SHALL deliver stereo video at ≥ 25 fps, ≥ 1080p resolution, with end-to-end latency < 200 ms from scene capture to operator display. Rationale: Human spatial perception for teleoperated fine manipulation requires stereo video at ≥ 25 fps to avoid judder during fine operations. 200 ms total latency is the accepted human-factors limit for teleoperation before manual stability degrades (ESA Human-Factors in Teleoperation, ECSS-E-HB-11A). Higher latency causes overcorrection oscillations at <1 mm positioning. | Test | interface, remote-handling-system, sil-1, session-514, idempotency:ifc-ivvs-rhcs-514 |
| IFC-REQ-034 | The interface between the Steam Generator and Heat Transfer System primary side and secondary side SHALL maintain tube-to-shell differential pressure capability ≥ 20 MPa at 350°C, with tube leak rate < 1×10^-6 Pa·m³/s per tube as a prerequisite for steam generator commissioning. Rationale: Primary coolant pressure is 15 MPa; secondary steam pressure is 16 MPa. The 20 MPa differential capability provides 25% safety margin over the primary pressure and matches the steam generator design pressure class. The 10^-6 leak rate limit ensures primary tritiated water cannot contaminate the secondary steam cycle, which is the key radioactive release pathway per STEP fault tree FT-PCS-001. | Test | interface, power-conversion-system, sil-1, session-514, idempotency:ifc-sg-primary-secondary-514 |
| IFC-REQ-035 | The interface between the Turbine-Generator Set and the Grid Interface and Electrical Switchgear SHALL transmit electrical power at ≥ 120 MVA at 22 kV ± 2.5%, power factor 0.85–1.0 lagging, with generator step-up transformer losses < 0.5% of rated MVA. Rationale: The 120 MVA rating provides headroom above the 100 MW net target after auxiliary loads. The 22 kV generator terminal voltage is the standard for generators of this rating class (IEC 60034-1). Transformer losses <0.5% are the IEC 60076-1 Category AA+ efficiency requirement, achievable with modern grain-oriented silicon steel core design. Higher losses reduce net export below the 100 MW requirement. | Test | rt-resolved-session-531 |
| IFC-REQ-036 | The interface between the Power Conversion System and the Plasma Control System SHALL receive plasma disruption notification within ≤ 100 ms of disruption onset, transmitted over a dedicated hardwired interlock signal (not network-dependent), to initiate controlled turbine runback. Rationale: Turbine runback must begin within 100 ms of disruption onset to complete the 60-second runback sequence before thermal transients from loss of plasma heating cascade to condenser pressure spikes. Network-dependent signalling introduces unacceptable latency jitter (~100–500 ms on SCADA); hardwired relay ensures deterministic <100 ms delivery per IEC 61508 Part 2 architectural constraint for safety instrumented systems. | Test | interface, power-conversion-system, sil-1, session-514, idempotency:ifc-pcs-pcs-disruption-514 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | ARC: Tokamak Core Assembly — spherical tokamak geometry selected over conventional aspect-ratio tokamak. Compact spherical design (aspect ratio ~1.8) enables higher plasma beta and smaller major radius (~3.6m) for equivalent fusion power, reducing magnet mass and building volume. Trade-off: tighter neutron shielding space on inboard side requires advanced shielding materials and imposes higher neutron flux on central column. Rationale: STEP programme selected spherical tokamak as the distinguishing technology pathway. Conventional tokamak (ITER-like A~3.1) requires 2x larger major radius for same power. Compact geometry proven by MAST-U and START experiments. | Analysis | architecture, tokamak, session-506, idempotency:arc-tokamak-geometry-506 |
| ARC-REQ-002 | ARC: Magnet-Cryo boundary — Superconducting Magnet System and Cryogenic Plant are separate subsystems despite tight physical coupling. Magnets are bespoke HTS coils with unique structural/EM constraints; cryoplant is COTS industrial refrigeration. Different technology bases, procurement routes, and failure modes justify separation. Interface is cryogenic transfer lines and thermal budget. Rationale: Trait profiles confirm: Magnet System (56D57018) is highly physical/structural while Cryogenic Plant (56D51218) differs in structural and active traits. Grouping would obscure fundamentally different engineering disciplines and supplier relationships. | Analysis | architecture, magnet, cryogenic, session-506, idempotency:arc-magnet-cryo-506 |
| ARC-REQ-003 | ARC: Plasma Control System — separated from physical plant as a pure signal-processing/computing subsystem. Controls plasma position, disruption mitigation, and safety interlocks. Separation enables independent safety qualification (SIL 3 for safety functions) and technology refresh without physical plant modifications. Alternative of distributed control in each subsystem rejected: common mode awareness across all plasma parameters is essential for disruption prediction. Rationale: Plasma control has the most distinct trait profile (55F77A18) — highest signal-processing and autonomy traits among all subsystems. Cross-domain analog: nuclear RPS Communication and Display Subsystem (54ED7859) follows same separation pattern. | Analysis | architecture, control, session-506, idempotency:arc-plasma-control-506 |
| ARC-REQ-004 | ARC: Power Conversion System — thermal power extraction and electrical generation grouped as single subsystem. Primary coolant loops, heat exchangers, steam cycle, and grid connection form a serial thermal chain with no natural break point. Alternative of separating blanket cooling from turbine island rejected: thermal-hydraulic transients propagate through the entire chain and must be managed holistically. Rationale: Thermal Power Extraction (40D53218) and Electrical Power Conversion (54F73A18) share the energy conversion mission. Separation would create an artificial interface boundary in the middle of the heat transport chain, complicating transient analysis. | Analysis | architecture, power, session-506, idempotency:arc-power-conversion-506 |
| ARC-REQ-005 | ARC: Tritium Plant — self-contained subsystem with double-containment boundary. All tritium processing (exhaust, separation, storage, injection, detritiation) grouped within a dedicated building with independent ventilation and containment. Alternative of distributing tritium functions across subsystems rejected: single accountability for tritium inventory is a regulatory requirement (ONR, IAEA safeguards). Rationale: Tritium accountability to ±0.1g precision (STK-REQ-004) requires centralised inventory management. Distributed tritium handling would create multiple accountancy boundaries and increase regulatory complexity. ITER follows same pattern with dedicated Tritium Plant building. | Inspection | architecture, tritium, session-506, idempotency:arc-tritium-plant-506 |
| ARC-REQ-006 | ARC: Tokamak Core Assembly — five-component internal breakdown. First Wall and Blanket Module (tritium breeding, heat removal), Divertor Cassette Assembly (exhaust heat, neutral gas), Vacuum Vessel and In-Vessel Structures (vacuum boundary, neutron shielding), Plasma Heating and Current Drive System (NBI and ECRH auxiliary power), Diagnostics and Measurement Systems (plasma state feedback). This split follows ITER-proven maintenance zone boundaries: divertor cassettes and first-wall panels have different neutron damage lifetimes and require separate replacement campaigns through different port geometries. Integrated first-wall/divertor designs would force simultaneous replacement, increasing downtime. Rationale: ITER experience and DEMO studies confirmed that separating the short-lifetime plasma-facing components (divertor, first wall) from the long-life structural vessel reduces scheduled maintenance time per campaign by enabling parallel removal paths. The NBI/ECRH split from the blanket isolates the high-power RF/beam systems that require different maintenance expertise and have different radiation dose constraints for maintenance access. | Analysis | architecture, tokamak, session-509, idempotency:arc-tca-decomp-509 |
| ARC-REQ-007 | ARC: Superconducting Magnet System — four-component topology: TF Coil Set provides steady-state toroidal field; CS provides ohmic induction; PF coils provide shaping; QDPS is a hardwired safety function. Power supply is electrically isolated from quench protection. This separation ensures QDPS can trip the supply independently of control system software, satisfying SIL-2 safety integrity without software-in-the-loop. Rationale: Separation of QDPS from MPSS is required by IEC 61511 SIL-2: quench protection must be independent of normal control functions. Integrated designs risk common-mode failure — ITER and JET post-quench analysis shows independent hardwired protection reduces hot-spot temperature exceedance by 3x. | Inspection | architecture, superconducting-magnet-system, session-511, idempotency:arc-sms-topology-511 |
| ARC-REQ-008 | ARC: Vacuum System — three-component topology separating pumping, measurement, and leak detection. Turbomolecular pumps provide raw pumping capacity; pressure monitoring provides plasma-control feedback and interlock; leak detection provides maintenance-phase diagnostics. Separation prevents false-trip from helium injection during leak testing triggering the pressure interlock. Rationale: ITER experience shows coupling leak detection helium directly to plasma interlocks causes false trips. Separating the three functions allows maintenance and commissioning activities without risk to plasma operations. Derived from ITER vacuum system lessons learned (ITER-D-4CA7HF). | Inspection | architecture, vacuum-system, session-511, idempotency:arc-vs-topology-511 |
| ARC-REQ-009 | ARC: Cryogenic Plant — four-component decomposition separating refrigeration machinery (Helium Refrigeration System), distribution infrastructure (Cryogenic Transfer Line Network), gas inventory management (Helium Management System), and supervisory control (Cryogenic Control System). Refrigeration and transfer lines are physically distinct: the HRS cold boxes are fixed plant in the cryo hall while CTLN spans the building to the magnet ports. HMS is kept separate because quench gas recovery imposes surge-volume and purification requirements incompatible with steady-state refrigerator operation. CCS separation follows ITER/LHC precedent for independent safety qualification of cryo automation (SIL 2 quench response) without coupling to refrigerator control loops. Rationale: ITER cryogenic system architecture separates refrigerator, distribution, gas management, and control on the same basis. Coupling them would either under-constrain the control SIL or over-engineer the piping design. Trait profiles confirm: HRS (57D73218, Powered/Active/State-Transforming) vs CTLN (CE851018, Physical Object/Structural/passive) are ontologically distinct. | Analysis | architecture, cryogenic-plant, session-513, idempotency:arc-cryo-plant-513 |
| ARC-REQ-010 | ARC: Remote Handling System — five-component decomposition separating manipulator (IVIMM), transfer cask, viewing system, tooling, and control suite. Manipulator and tooling are kept separate because radiation hardening, qualification, and replacement lifecycles differ: the IVIMM arm undergoes 10^6 Gy total dose and requires full replacement after ~3 campaign cycles, whereas tooling end-effectors are changed per task. Transfer cask isolation follows ITER design precedent: a dedicated shielded vessel prevents contamination spread during transport and allows hot-cell docking without vessel pressurisation. The viewing system is architecturally separate to allow independent camera feed validation without blocking manipulator command channels. Rationale: ITER and JET RH decompositions follow the same five-way split. Coupling IVIMM and control suite would preclude independent safety qualification: the IVIMM is a physical SIL-1 mechanical system; the control suite is a software SIL-1 system. Separate classification enables independent V&V per IEC 62061. | Analysis | architecture, remote-handling-system, session-514, idempotency:arc-rhs-decomp-514 |
| ARC-REQ-011 | ARC: Power Conversion System — five-component decomposition separating steam generators, turbine-generator, condenser/cooling, feedwater/balance of plant, and grid interface. Steam generators are the nuclear/non-nuclear boundary: primary coolant circuit (radioactive tritiated water) is isolated by tube-and-shell boundary from secondary steam cycle. This isolation drives the split. Turbine-generator and feedwater systems are conventional power-station plant with no nuclear safety classification (SIL 0). Grid interface is kept separate because it carries the sole SIL 1 obligation in the PCS (overspeed protection driven by HV disconnection). Rationale: PWR/BWR design convention: steam generator forms the nuclear/non-nuclear boundary. STEP secondary circuit is conventional; coupling it to the primary side in the decomposition would incorrectly elevate non-nuclear equipment to nuclear safety class. Separation also allows conventional utility grid codes to govern the grid interface without nuclear regulatory scope creep. | Analysis | architecture, power-conversion-system, session-514, idempotency:arc-pcs-decomp-514 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-039 | Verify IFC-REQ-024: Inject a calibrated resistive heater fault into a representative quench detection test loop on a SMS test facility. Measure the time from quench detection threshold crossing to hardwired interlock signal assertion at the power supply interface using a high-speed oscilloscope (1 MHz sample rate). Confirm signal propagation time is 1 ms or less for 10 consecutive injections. Command power supply to confirm it opens all coil current loops and connects dump resistors within the specified protection action time. Rationale: IFC-REQ-024 requires a 1 ms hardwired quench interlock response, a SIL-3 safety-critical timing constraint. Direct oscilloscope measurement is the only method that verifies actual propagation time against the 1 ms threshold with adequate confidence. | Test | idempotency:ver-ifc024-qc-512 |
| VER-040 | Verify IFC-REQ-027: Connect a calibrated pressure gauge simulator to the Vacuum System Pressure Monitoring System and command it to output known pressure values at 10 Hz on all active gauge channels. Measure end-to-end Ethernet latency from gauge output to PCS receipt using network time-stamping. Confirm latency is 50 ms or less for all channels under worst-case Ethernet load. Inject a pressure threshold exceedance on the 24 V DC hardwired interlock loop and confirm PCS receives the signal within the deterministic interlock response time specified in SUB-REQ-030. Rationale: IFC-REQ-027 specifies both a 50 ms digital latency and a hardwired analogue interlock for plasma vessel pressure monitoring. The digital path must be verified under realistic network load because PCS uses pressure data at 10 Hz control bandwidth; the hardwired path must be verified separately because the SIL-2 interlock in SUB-REQ-030 cannot rely on a shared Ethernet network. | Test | idempotency:ver-ifc027-qc-512 |
| VER-041 | Verify SUB-REQ-021: During integrated tritium commissioning with simulated lithium-ceramic blanket breeding zone, flow a representative tritium-bearing gas through the BTES extraction loop at a rate matching the design tritium production rate. Measure tritium hold-up in the extraction loop by calorimetric accountability at loop inlet and outlet. Confirm hold-up remains below 1 g throughout a full simulated plasma pulse cycle of at least 2 hours. Rationale: BTES hold-up limit of 1 g is a radiological limit set by the site safety case; tritium permeation from in-vessel hold-up into coolant streams constitutes a credible accident sequence. Continuous calorimetric accountability during the full pulse cycle is required because hold-up accumulates dynamically and cannot be inferred from steady-state measurements. | Test | idempotency:ver-sub021-qc-512 |
| VER-042 | Verify SUB-REQ-019: Commission the Isotope Separation System on a DT-representative feed gas at partial throughput (at least 20 Pa·m3/s DT). Analyse product stream purity by residual gas analyser calibrated against certified DT reference standard. Confirm hydrogen isotope purity exceeds 99.9 mol% and D:T ratio is within 50:50 ±2%. Demonstrate rated throughput at 200 Pa·m3/s equivalent by scaling from partial-throughput test data validated against process model. Rationale: ISS fuel purity directly sets plasma fuel quality: D:T ratio drift beyond ±2% reduces fusion reactivity by up to 8% per percentage point, and isotopic impurities (HH, HT) dilute the plasma and reduce Q. Residual gas analyser with certified reference standard is the only laboratory method that meets the required ±0.01% purity measurement uncertainty. | Test | idempotency:ver-sub019-qc-512 |
| VER-043 | Verify SUB-REQ-020: Load a metal hydride storage bed with a certified tritium inventory (mass measured to ±0.5 g) and confirm containment integrity by in-situ leak monitoring over 24 hours. Issue a fuel request command from the fueling system and measure the time from command receipt to fuel delivery at the system outlet. Confirm delivery within 60 seconds for 10 consecutive requests at varying inventory levels above 10 g. Rationale: TSDS hold-up limit of 100 g tritium equivalent is driven by site tritium inventory limit in the safety case; exceeding it changes site radiological consequence category. The 60-second delivery response is required to maintain plasma fueling continuity during pellet injection replenishment cycles, which have a minimum inter-pellet period of 100 seconds. | Test | idempotency:ver-sub020-qc-512 |
| VER-044 | Verify SUB-REQ-028: Instrument each TF coil module winding pack with calibrated cryogenic temperature sensors (Cernox type, accuracy ±5 mK at 4.5 K). During full-field steady-state operation, confirm winding-pack temperature is 4.5 K ± 0.1 K on all monitored points. Calculate thermal margin by comparing operating temperature to critical temperature at the maximum local conductor current density using validated strand characterisation data. Confirm thermal margin is 1.5 K or greater on all winding-pack locations. Rationale: 4.5 K ± 0.1 K operating temperature with 1.5 K thermal margin together define the superconducting operating point for the NbTi or Nb3Sn conductor. Thermal margin below 1.5 K means a transient heat pulse from AC loss, nuclear heating, or beam interception can cause a quench that requires a 12-hour recovery cycle, reducing plant availability by the specified 80% requirement. | Test | idempotency:ver-sub028-qc-512 |
| VER-045 | Verify SUB-REQ-024: During CS coil commissioning at a dedicated magnet test facility, energise the Central Solenoid to maximum positive and negative current on the rated power supply. Measure total flux swing by integrating flux loop output across the full current reversal. Confirm total flux swing equals or exceeds 100 V·s. Measure CS current ramp rate during simulated plasma initiation and confirm it does not exceed 2 V/m on any winding section. Rationale: CS flux swing sets the available ohmic heating volt-seconds for plasma startup and ramp-up. Below 100 V·s, the plasma cannot reach ignition current in the specified pulse; this is a mission-critical threshold. The 2 V/m ramp rate limit is a winding insulation stress constraint, not a functional one, and must be verified to prevent insulation fatigue over the planned 100,000-pulse plant lifetime. | Test | idempotency:ver-sub024-qc-512 |
| VER-046 | Verify SUB-REQ-030: Apply calibrated pressure inputs from a traceable pressure standard to the Vacuum System Pressure Monitoring System across the full range from 1×10⁻⁸ Pa to 1×10⁻² Pa at five decade intervals. Record PMS reading at each point and confirm accuracy is within ±10% of reading across the full range. Inject a simulated step pressure change crossing the 1×10⁻⁴ Pa interlock threshold and measure the time from threshold crossing to interlock signal output at the PCS interface. Confirm response is 200 ms or less for 10 consecutive tests. Rationale: PMS accuracy of ±10% over 6 decades is required for plasma operation feedback and safety interlock reliability. The 200 ms interlock threshold is a SIL-2 safety function: vessel pressure above 1e-4 Pa risks plasma disruption from impurity ingress, and the 200 ms budget is derived from plasma energy dissipation time at full burn power assuming disruption is initiated before vessel reaches critical impurity level. | Test | idempotency:ver-sub030-qc-512 |
| VER-047 | Verify SUB-REQ-026: Command the Magnet Power Supply System to energise the TF Coil Set from zero to full rated field and the CS Coil Set from zero to maximum current on a single-module test. Record ramp-up time and confirm TF reaches full field in under 2 hours and CS reaches maximum current in under 30 minutes. Measure current ripple on each power supply channel using a calibrated current transducer (resolution 1 ppm). Confirm ripple is 10 ppm or less of full scale throughout steady-state operation. Rationale: TF coil ramp time under 2 hours bounds the plant startup time and sets minimum interval between operational pulses; exceeding it risks thermal cycling fatigue. CS ramp time under 30 minutes is required to maintain plasma setup synchronisation with TF. Current ripple of 10 ppm is a plasma quality constraint: higher ripple introduces field error harmonics that drive MHD instabilities at Q=5 burn. | Test | idempotency:ver-sub026-qc-512 |
| VER-048 | Verify SUB-024: Assert the hardwired manual override signal at the ISS panel interface and confirm all ISS process flows stop and all feed and product valves close within 10 seconds, verified by valve position sensors. Then suppress the override and re-start the ISS. Disable the supervisory control heartbeat for 60 seconds and confirm the watchdog triggers automatic process shutdown. Confirm the watchdog and override operate correctly even when the ISS automation system is faulted. Rationale: Manual override and watchdog are SIL-classified safety functions for the ISS autonomous separation process; testing both at the system interface level against the specified timing thresholds (10 s valve closure, 60 s watchdog) is required to demonstrate compliance with the dual-barrier safety argument in SUB-024. | Test | idempotency:ver-sub024b-qc-512 |
| VER-049 | Verify SUB-023: Simulate a single active component failure in each Tritium Plant processing loop (ISS, TSDS, BTES, ADS) by physical isolation of one active component while the plant is processing tritium at rated throughput on a test rig. Confirm automatic isolation completes within 30 seconds by interlock signal logging. Confirm remaining loops continue at not less than 50% rated throughput for each failure scenario. Rationale: SUB-023 single-component failure tolerance at 50% throughput is the minimum operability margin for the Tritium Plant; verification by fault injection at component level is required because partial throughput behaviour is not predictable from component-level tests alone. | Test | idempotency:ver-sub023-qc-512 |
| VER-078 | Verify SUB-REQ-073: On the RHS full-scale test facility, simulate primary control station power loss during a simulated blanket module exchange at 50 percent completion. Measure switchover time to backup station. Pass criteria: backup station achieves full RHS capability within 15 minutes; in-progress sequence can be resumed without hardware re-initialisation; all actuator state is preserved across switchover. Rationale: Integration test for RHS control failover under realistic in-vessel activity. 15-minute switchover under live sequence conditions is the key failure mode; bench test is insufficient because actuator state preservation during handover must be demonstrated with representative payload. | Test | verification, remote-handling-system, redundancy, session-552, idempotency:ver-sub073-rhs-switchover-v2-552 |
| VER-079 | Verify SUB-REQ-074: During Magnet Power Supply Factory Acceptance Test, remove one AC/DC converter from service at 80 percent rated current. Pass criteria: total magnet current deviation does not exceed 10 percent; automated standby converter reaches full output within 30 seconds; no quench interlock is triggered during the switchover. Rationale: FAT test at 80 percent rated current validates converter module load-sharing and switchover topology under near-operational conditions. Full-current test would require complete magnet infrastructure; 80 percent is sufficient to validate failure-mode response and switchover timing. | Test | verification, superconducting-magnet-system, redundancy, session-552, idempotency:ver-sub074-sms-mps-failover-v2-552 |
| VER-080 | Verify SUB-REQ-075: At vacuum system integrated test, disable one primary torus pump train during steady-state pumping at 1e-6 Pa. Measure torus pressure response. Pass criteria: torus pressure does not exceed 5e-6 Pa at any point after primary pump trip; standby pump achieves full pumping speed within 60 seconds; no plasma-equivalent contamination event is simulated. Rationale: Functional test of N+1 pump redundancy under representative operating pressure. 5e-6 Pa threshold is derived from SUB-REQ-075; 60-second activation time must be measured against the torus outgassing rate at operational temperature to confirm compliance. | Test | verification, vacuum-system, redundancy, session-552, idempotency:ver-sub075-vs-pump-n1-552 |
| VER-081 | Verify SUB-REQ-076: For each torus vacuum vessel seal and penetration flange, perform helium leak test per ISO 20485 at: (a) ambient temperature, (b) post-bake-out at 350 degrees C thermal cycle, (c) post-simulated OBE at 0.1g. Pass criteria: measured leak rate below 1e-9 Pa m3/s per seal in all three conditions; no evidence of permanent deformation on ConFlat flanges post-seismic test. Rationale: Three-condition qualification test is required because each mode imposes a different stress regime: bake-out causes thermal expansion relaxing flange preload; OBE imposes dynamic bending loads on penetration nozzles; ambient baseline establishes initial condition. ISO 20485 is the applicable standard for vacuum leak testing of nuclear installations. | Test | verification, vacuum-system, session-552, idempotency:ver-sub076-vs-seal-qual-552 |
| VER-082 | Verify SUB-REQ-078: On the Tritium Plant confinement test facility, simulate DBA tritium release by injecting a tracer gas at maximum credible leak rate into a pressurised process vessel. Confirm automatic vessel isolation occurs within 30 seconds and Atmosphere Detritiation System activation commences. Pass criterion: full vessel isolation achieved <30 s, ADS flow confirmed, tracer concentration in simulated environment remains below 1 g T-equivalent. Rationale: DBA isolation time and ADS activation are safety-critical functions (SIL-3); only functional test provides adequate evidence. Type-test on a representative vessel at tracer-level concentration satisfies the nuclear safety case requirement for functional validation without actual tritium release. | Test | verification, tritium-plant, sil-3, dba, session-553, idempotency:ver-sub078-dba-isolation-553 |
| VER-083 | Verify SUB-REQ-079: Perform Design Basis Accident thermal analysis for loss-of-cooling to the Tokamak Core Assembly using the validated STEP thermal-hydraulic model. Pass criterion: analysis demonstrates first-wall temperature remains below 1200 C for minimum 72 hours post-loss-of-cooling with no active cooling, and predicted site boundary dose less than 1 mSv at 48 hours for the worst-case DBA scenario. Rationale: Passive 72-hour cooling performance cannot be validated by full-scale test before plant completion; validated thermal-hydraulic analysis is the accepted ONR submission evidence for DBA scenarios not amenable to direct testing. | Analysis | verification, tokamak-core-assembly, sil-3, dba, session-553, idempotency:ver-sub079-tca-dba-553 |
| VER-084 | Verify SUB-REQ-083: During Tritium Plant integrated commissioning at partial throughput, disable one active isotope separation module and measure tritium processing throughput. Pass criterion: measured D-T throughput remains at or above 100 Pa·m³/s with one module disabled, demonstrating N+1 redundancy at greater than or equal to 50 percent of rated capacity. Rationale: N+1 redundancy at module level must be functionally demonstrated rather than asserted by design; test at partial throughput during commissioning is the lowest-risk environment for this validation before full tritium loading. | Test | verification, tritium-plant, sil-3, redundancy, session-553, idempotency:ver-sub083-tp-n1-553 |
| VER-085 | Verify SUB-REQ-084: Perform passive quench energy absorption analysis using the validated SMS electromagnetic and thermal model. Simulate single active quench detection channel failure during full-energy quench event. Pass criterion: analysis demonstrates dump resistor network absorbs 100 percent of stored magnetic energy without winding damage, and all safety margins maintained with quench protection logic operating on remaining channels only. Rationale: Full-energy quench with deliberate channel failure cannot be tested at full scale without destructive risk; validated electromagnetic model with type-tested component data is the accepted verification approach for quench protection adequacy in large superconducting magnet systems (IEC 61511 and magnet safety standards). | Analysis | verification, superconducting-magnet-system, sil-2, dba, session-553, idempotency:ver-sub084-sms-passive-qp-553 |
| VER-086 | Verify SUB-REQ-085: Perform short-sample critical current density measurements on three representative TF coil conductor samples at 12 T field and 4.5 K temperature. Perform electromagnetic fatigue testing on a single full-scale TF coil module for 60,000 cycles at rated current. Pass criteria: short-sample Ic density is at or above 700 A/mm squared; end-of-life Ic degradation is below 5 percent of beginning-of-life value. Rationale: Conductor critical current density is a directly measurable material property; IEC standards for superconducting magnet qualification require short-sample testing at service conditions. The 60,000-cycle fatigue test is the only reliable method to verify lifetime electromagnetic performance of CICC conductors, which can degrade through strand movement and filament fracture under cyclic loading. | Test | verification, superconducting-magnet-system, coil-set, material, session-553, idempotency:ver-sub085-coilset-material-553 |
| VER-087 | Verify SUB-REQ-080: Conduct regulatory compliance inspection by an independent radiation protection auditor prior to tritium first-light. Review approved Radiological Risk Assessment documentation, Radiation Protection Supervisor nominations, and tritium inventory accountancy system logs. Pass criterion: all documentation current and approved by ONR, RPS designations in place for all tritium work areas, accountancy system demonstrated to log inventory changes to plus or minus 0.1 g precision. Rationale: UK IRR 2017 compliance is a legal pre-condition for tritium operation; inspection by an independent auditor is the ONR-accepted verification method for regulatory compliance before nuclear material handling begins. Test cannot replace documentary evidence for regulatory compliance. | Inspection | verification, tritium-plant, regulatory, session-553, idempotency:ver-sub080-irr2017-inspect-553 |
| VER-088 | Verify SUB-REQ-081: Following each plasma vessel maintenance intervention (seal replacement or penetration work), perform residual gas analysis measurement of plasma vessel background gas composition and pressure. Pass criterion: individual penetration leak rate is at or below 1x10-9 Pa m3/s by RGA attribution, and total vessel leak rate is at or below 1x10-6 Pa m3/s, measured during subsequent pump-down and prior to plasma operations resuming. Rationale: Vacuum boundary integrity following maintenance is the primary risk period for seal failures. Post-intervention RGA is the standard verification method in tokamak operations; requiring it as a pass criterion before plasma operations resume prevents undetected seal degradation from being carried into a plasma shot, which could damage in-vessel components. | Test | verification, vacuum-system, sil-2, session-553, idempotency:ver-sub081-vacuum-seal-rga-553 |
| VER-089 | Verify SUB-REQ-082: Prior to tritium first operation, conduct documentary review against Environmental Permitting (England and Wales) Regulations 2016, Nuclear Installations Act 1965 site licence conditions, and ISO 14001:2015 certification. Pass criterion: all required permits in place and current, nuclear site licence conditions confirmed met by ONR inspection, ISO 14001 certification from a UKAS-accredited certification body with first annual surveillance audit completed. Rationale: Environmental and nuclear site licencing are legal pre-conditions for radioactive operations; documentary inspection by the relevant authorities is the prescribed verification method. Third-party ISO 14001 certification cannot be replaced by internal audit for the nuclear regulatory purposes of SYS-REQ-019. | Inspection | verification, tritium-plant, regulatory, session-553, idempotency:ver-sub082-env-permit-553 |
| VER-REQ-001 | Verify IFC-REQ-001: Conduct static magnetic field measurement at plasma centre with Hall probe array. Confirm toroidal field 3-4T ± 0.1T. Measure field ripple across plasma volume, verify < 1%. Apply 100 MN lateral load via hydraulic test rig to gravity support structure, confirm no plastic deformation. Rationale: This interface carries both electromagnetic and structural loads. Direct measurement of field strength and ripple is needed to confirm confinement quality per IFC-REQ-001. Structural load test must be performed before first plasma operation. | Test | verification, tokamak, magnet, session-507, idempotency:ver-ifc001-507 |
| VER-REQ-002 | Verify IFC-REQ-002: Conduct integrated cryogenic acceptance test at full magnet load. Confirm steady-state helium flow rate at transfer line inlet, measure supply temperature ≤ 4.5 K and pressure 3-5 bar. Confirm quench valve response time < 100 ms by simulated quench signal. Monitor coil temperature rise during simulated quench, confirm ≤ 5 K overshoot. Rationale: Cryogenic interface failure is the initiator for H-003 (magnet quench). Acceptance test at full cryogenic load before magnet energisation provides evidence that IFC-REQ-002 flow and temperature parameters are met and quench protection operates within timing budget. | Test | verification, cryo, magnet, session-507, idempotency:ver-ifc002-507 |
| VER-REQ-003 | Verify IFC-REQ-003: Characterise pellet injection system on test stand, confirm pellet velocity 100-1000 m/s by time-of-flight measurement across 2 m diagnostic section. Confirm ice pellet integrity at plasma entry via optical diagnostics. Measure exhaust duct conductance with calibrated gas flow, verify pump throughput handles T+He exhaust at 10-100 Pa during burn. Rationale: Pellet injection velocity determines fuel deposition depth in plasma; failure to meet IFC-REQ-003 limits would result in surface fuelling instead of core fuelling, degrading plasma performance and TBR. Exhaust duct test confirms tritium plant can process divertor gas load. | Test | verification, tritium, tokamak, session-507, idempotency:ver-ifc003-507 |
| VER-REQ-004 | Verify IFC-REQ-004: During integrated commissioning at rated power, measure primary coolant inlet/outlet temperatures at blanket and divertor circuits. Confirm outlet temperature ≥ 500°C and inlet ≤ 300°C. Measure total thermal power via calorimetric balance, verify ≥ 500 MW transferred to power conversion system within ±5%. Rationale: Thermal interface compliance is the direct evidence that SYS-REQ-002 net electrical output is achievable. Primary coolant temperature and flow rate measurements at full fusion power provide the ground truth for the heat balance. Failure to achieve 500 MW thermal transfer would make 100 MW net electrical output unachievable. | Test | verification, tokamak, power-conversion, session-507, idempotency:ver-ifc004-507 |
| VER-REQ-005 | Verify IFC-REQ-005: Inject calibrated test signals to all 40+ diagnostic sensor inputs. Confirm data arrives at PCS controller within 1 ms end-to-end (measured by timestamped packet capture). Exercise all actuator command outputs (gas puff valve, pellet injector, disruption mitigation), confirm command delivery latency ≤ 1 ms under simultaneous full-sensor-rate load. Rationale: 1 ms latency drives the controller sampling loop: disruption precursor signals at 1 kHz must complete sensing→processing→actuation within one sample period. Exceeding this budget means the PCS cannot execute the disruption mitigation response required by SYS-REQ-004 within the 10 ms window. | Test | verification, plasma-control, tokamak, session-507, idempotency:ver-ifc005-507 |
| VER-REQ-006 | Verify IFC-REQ-006: Command step changes in coil current setpoints on each power supply channel. Measure current regulation accuracy under full thermal load at 4.5 K, confirm within 0.1% of setpoint. Measure response time from command issue to 90% of setpoint current, confirm at or below 10 ms. Test across full operational range of plasma position and shape control scenarios. Rationale: Current regulation accuracy and response time directly set the bandwidth of the plasma position and shape control loop. 0.1% accuracy and 10 ms response are derived from plasma equilibrium sensitivity analysis: larger errors or slower response lead to locked modes and disruptions (H-001). | Test | verification, plasma-control, magnet, session-507, idempotency:ver-ifc006-507 |
| VER-REQ-007 | Verify IFC-REQ-007: Evacuate the plasma vessel from atmospheric pressure. Measure base pressure by calibrated ionisation gauge after 72-hour pump-down. Confirm base pressure below 1e-6 Pa. Measure effective pumping speed for deuterium by injection-throughput method, confirm at or above 50 m3/s. During a simulated burn pulse inject helium ash at representative rate, confirm system maintains pressure within operational band. Rationale: Base pressure below 1e-6 Pa is required for plasma initiation by ECR breakdown. Effective pumping speed of 50 m3/s is derived from the helium ash production rate at rated fusion power and the requirement that helium concentration in the plasma remains below 5% to avoid fuel dilution. Failure would prevent plasma startup. | Test | verification, vacuum, tokamak, session-507, idempotency:ver-ifc007-507 |
| VER-REQ-008 | Verify IFC-REQ-008: Perform dimensional survey of all horizontal and vertical port clear bores. Confirm at least 4 horizontal and 2 vertical ports meet 1.5 m minimum clear bore. Conduct load trial inserting a representative cassette dummy (10-tonne) through each port type using the remote handling system. Confirm successful insertion, manipulation, and extraction without snagging. Rationale: Port clear bore and load capacity are fundamental to the remote maintenance campaign duration (STK-REQ-006). If any port fails to meet 1.5 m bore, the remote handling tool design is invalidated and the maintenance schedule cannot be achieved. Demonstration with full-scale dummy validates the physical interface before activation. | Demonstration | verification, remote-handling, tokamak, session-507, idempotency:ver-ifc008-507 |
| VER-REQ-009 | Verify IFC-REQ-009: During sustained full-power operation, measure active power export at grid connection point. Confirm at least 100 MW delivered at 400 kV and 50 Hz. Measure power factor, confirm 0.95 or above. Measure total harmonic distortion, confirm below 3% THD. Simulate grid fault as per Grid Code CC.6.3, confirm fault ride-through without disconnection. Rationale: Grid export parameters are contractual with the Grid Transmission Operator and regulatory. 100 MW at rated power quality is the primary mission performance metric. Fault ride-through test is required by ONR and the grid connection agreement prior to commercial operation. | Test | verification, power-conversion, grid, session-507, idempotency:ver-ifc009-507 |
| VER-REQ-010 | Verify SUB-REQ-001: Run the PCS control loop on the production hardware with all 40+ diagnostic channels active at 1 kHz injection rate. Instrument the control loop with hardware timestamping at input and output. Collect 10000 consecutive cycles. Confirm 99.9% of cycles complete within 1 ms. Confirm no cycle exceeds 1 ms by more than 100 microseconds. Rationale: Hardware-in-the-loop test on production controller under realistic load is the only reliable way to verify real-time timing compliance. Software simulation cannot capture NUMA cache effects, OS jitter, or PCIe interrupt latency that determine worst-case cycle time on the target hardware. | Test | verification, plasma-control, session-507, sil-3, idempotency:ver-sub001-507 |
| VER-REQ-011 | Verify SUB-REQ-002: Replay the full ITER/JET/MAST disruption database (at least 5000 disruptive events) through the PCS detection algorithm on hardware-in-the-loop test bench. Measure detection rate and time-to-trigger. Confirm detection probability of 0.99 or greater. Confirm 99th percentile trigger latency at or below 10 ms from threshold crossing. Confirm 0 false positive triggers in 1000 non-disruptive reference pulses. Rationale: Detection probability of 0.99 is a SIL-3 safety function target. Database replay is the accepted verification method for disruption prediction algorithms (per ITER CODAC standards) because controlled plasma disruptions cannot be deliberately induced on STEP for testing. The false positive criterion prevents spurious mitigation triggers that would waste divertor components. | Test | verification, plasma-control, session-507, sil-3, idempotency:ver-sub002-507 |
| VER-REQ-012 | Verify SUB-REQ-005: In integrated commissioning, inject simulated controller fault signals (watchdog timeout, data loss, hardware alarm) while plasma is sustained in H-mode at intermediate power. Confirm the PCS initiates gas injection for plasma termination within 1 s of fault detection. Confirm plasma current reaches zero within 30 s. Confirm no disruption (no thermal quench signature on first-wall calorimeters). Rationale: SIL-3 safety function (IEC 61508): safe-state initiation on PCS internal fault must be verified by Test, not Demonstration. A repeatable, instrumented test with recorded stimuli (fault injection), measured response times, and documented pass/fail criteria is required for regulatory sign-off. The existing procedure (fault injection while plasma is sustained, measure gas injection timing and plasma current extinction within 30 s) constitutes a Test — the method label is corrected accordingly. | Test | verification, plasma-control, session-507, sil-3, idempotency:ver-sub005-507 |
| VER-REQ-013 | Verify end-to-end plasma control: from disruption precursor signal injection at the Diagnostic Data Acquisition Front-End through the Real-Time Plasma Controller equilibrium reconstruction, through the Disruption Prediction and Mitigation Unit threshold assessment, to shattered pellet injection command at the Actuator Management System output, the total latency SHALL be demonstrated at or below 10 ms under peak diagnostic load (all 40 channels at 1 kHz) at rated plasma conditions. Rationale: System-level integration test for the SIL-3 disruption mitigation chain. Individual component tests of SUB-REQ-001 and SUB-REQ-002 verify subsystem behaviour; this end-to-end test verifies that the chain of interfaces IFC-REQ-005 and the internal PCS data path together meet the 10 ms SYS-REQ-004 system requirement under combined load. | Test | verification, plasma-control, integration, session-507, sil-3, idempotency:ver-e2e-pcs-507 |
| VER-REQ-014 | Verify SUB-REQ-006: On a dedicated material injection test bench, fire the massive material injection system with instrumented shattered pellet configuration. Measure total hydrogenic atom delivery, verify 10e22 atom minimum delivery within 50 ms of trigger signal, repeat 100 firings to establish statistical injection reliability. Rationale: 10e22 atoms in 50 ms is a SIL-3 safety function for runaway electron suppression (H-006). Bench test on the production injection system is required because in-vessel testing during actual disruptions is not feasible: the injection parameters must be characterised and qualified before first plasma. | Test | idempotency:ver-sub006-508 |
| VER-REQ-015 | Verify SUB-REQ-004: Inject synchronised calibrated pulses to all diagnostic front-end channels simultaneously from a common reference source. Measure timestamp skew between channels across 10000 pulse bursts. Confirm 1 kHz sample rate and skew below 1 microsecond in all cases. Rationale: 1 microsecond synchronisation is a SIL-3 data integrity requirement for equilibrium reconstruction. Hardware injection of known-phase pulses is the only reliable method to measure actual timestamping latency including interrupt service routines and PCIe transfer time, which simulation cannot capture. | Test | idempotency:ver-sub004-508 |
| VER-REQ-016 | Verify SUB-REQ-003: Inject a simulated primary controller fault (software halt) during closed-loop plasma simulation. Confirm standby controller assumes control within 500 ms with no simulated plasma position excursion exceeding 5 cm, repeated 20 times with zero failures. Rationale: Updated from Demonstration to Test: SUB-REQ-003 is SIL-3 (controller redundancy claim for disruption mitigation chain). The 20-repetition protocol with quantified pass/fail criteria (500ms switchover, 5cm excursion limit, zero failures) meets the Test standard under IEC 61508. Demonstration understates the rigour of this verification procedure. | Test | idempotency:ver-sub003-508 |
| VER-REQ-017 | Verify SUB-REQ-007: During integrated commissioning at stepped-up fusion power, measure divertor target surface heat flux with embedded thermocouples and infrared camera at each power step up to rated power. Confirm peak divertor heat flux does not exceed 10 MW/m2 at rated Q=5. Inspect tungsten tile surface condition after 100 full-power plasma pulses. Rationale: In-situ measurement is required because heat flux distribution depends on plasma shape and edge transport which cannot be predicted with sufficient accuracy for this safety-critical acceptance criterion. Tungsten erosion inspection after 100 pulses provides the basis for extrapolating to the 1 mm/year limit over the campaign. | Test | idempotency:ver-sub007-508 |
| VER-REQ-018 | Verify SUB-REQ-008: Energise TF coil set to rated current on a coil test facility. Measure on-axis field with calibrated Hall probe array and compute field ripple by Fourier analysis of the poloidal variation. Initiate quench by heater injection, confirm quench detection within 100 ms and energy extraction initiation within 200 ms by oscillograph trace. Rationale: Full-current magnet test is required to verify both field uniformity and quench protection timing as SYS-REQ-006 safety functions. Heater-induced quench is the accepted commissioning test method for superconducting magnets; testing at full stored energy (50 GJ) in the final configuration is needed for sign-off. | Test | idempotency:ver-sub008-508 |
| VER-REQ-019 | Verify SUB-REQ-010: During integrated commissioning, process a known tritium inventory through the full CECE detritiation system and measure input and output activity concentrations. Confirm detritiation factor 1e6 or greater. Conduct 30-day material balance period and confirm tritium accountancy closure to within plus or minus 1 g. Rationale: Detritiation factor and accountancy are regulatory requirements (STK-REQ-013, STK-REQ-004). Integrated commissioning test on the full production system is required because detritiation factor depends on CECE column loading and interface conditions not replicable on sub-scale test rigs. | Test | idempotency:ver-sub010-508 |
| VER-REQ-020 | Verify SUB-REQ-009: During cold commissioning, operate each cold box train independently at full cryoplant load. Confirm 4.5 K magnet temperature and stability within plus or minus 0.1 K over a 48-hour steady-state test. Demonstrate load transfer between cold box trains within 10 minutes of simulated cold box fault with no magnet temperature excursion above 4.8 K. Rationale: 48-hour steady-state test at full load is the accepted factory acceptance test for helium refrigerators of this class. 4.8 K maximum during switchover corresponds to 90% of the HTS current-sharing temperature margin, ensuring no quench risk during the transition. | Test | idempotency:ver-sub009-508 |
| VER-REQ-021 | Verify SUB-REQ-011: During sustained full-power plasma operation at rated Q=5, measure net electrical export at the 400 kV grid connection point averaged over 6-hour burn pulse. Confirm 100 MW or greater net output and compute gross-to-net efficiency from turbine heat input and net export metering. Analyse 6-month campaign generation availability from operational log data. Rationale: Net electrical output and efficiency are the primary commercial performance metrics (SYS-REQ-002). Measurement at the grid connection point during actual sustained plasma operation is the only valid method: auxiliary loads vary with plasma conditions and cannot be accurately modelled without operational data. | Test | idempotency:ver-sub011-508 |
| VER-REQ-022 | Verify SUB-REQ-012: On a full-scale remote handling test facility with representative port mock-up, demonstrate complete divertor cassette replacement sequence from start to end. Record elapsed time and confirm completion within 21 calendar days. Measure cassette insertion positioning accuracy with laser tracker and confirm 2 mm or better in all axes. Operate manipulators under simulated 0.5 Sv/hr dose field for 500 hours without failure. Rationale: Full-scale demonstration on a representative mock-up is required because RHS performance depends on tool stiffness, joint clearances, and visual feedback conditions that cannot be verified on sub-scale or software models alone. 500-hour endurance run is required to validate the MTBF claim before deployment in the radioactive environment. | Demonstration | idempotency:ver-sub012-508 |
| VER-REQ-023 | Verify SUB-REQ-013: After vessel bake-out, measure base pressure in the plasma vessel using calibrated ion gauge and residual gas analyser. Confirm pressure below 1e-6 Pa within 24 hours of pump-down start. Measure effective pumping speed from divertor ducts using gas injection conductance method and confirm 50 m3/s or greater at operating pressure. Rationale: Base pressure measurement by calibrated ion gauge is the primary vacuum acceptance criterion for plasma operation. Pumping speed measurement by gas injection is the ITER-standard method for characterising divertor pumping performance; effective pumping speed cannot be derived from cryopump specifications alone due to duct conductance uncertainties. | Test | idempotency:ver-sub013-508 |
| VER-REQ-024 | Verify RPS-SUB: On the as-built plant with all shielding installed, measure dose rates at all zone boundaries using calibrated dose rate meters. Inject simulated high-dose-rate signal to each zone boundary interlock and confirm access prevention response within 100 ms. Confirm zone classification maps match ALARP design target rates. Rationale: In-situ measurement on the as-built plant is required because dose rates depend on as-installed shielding configuration which cannot be verified on design drawings. Interlock response timing test is needed for the SIL classification of the access control function. | Test | idempotency:ver-sub-rps-508 |
| VER-REQ-025 | Verify IFC-REQ-010: During cryogenic commissioning, supply liquid nitrogen to the Tritium Plant process cold boxes at rated mass flow. Measure supply temperature at the inlet manifold. Pass criterion: temperature ≤ 77 K ± 1 K, supply pressure 3.5 ± 0.2 bar sustained for 4 hours. Rationale: IFC-REQ-010 specifies LN2 supply conditions; this integration test confirms the Cryogenic Plant can maintain those conditions under representative tritium process load, preventing isotope separation column warm-up. | Test | verification, cryogenic, tritium, session-509, idempotency:ver-ifc010-509 |
| VER-REQ-026 | Verify IFC-REQ-011: Inject a simulated tritiated exhaust gas flow into the vacuum-tritium interface port at the specified throughput rate. Measure gas flow rate and confirm delivery within the tritium inventory accountability bounds. Pass criterion: throughput ≥ 10 Pa·m³/s, tritium capture efficiency ≥ 99.9%. Rationale: IFC-REQ-011 specifies exhaust gas transfer; this test confirms the vacuum-tritium interface maintains throughput without tritium escape, which is the basis of the containment safety case. | Test | verification, vacuum, tritium, session-509, idempotency:ver-ifc011-509 |
| VER-REQ-027 | Verify IFC-REQ-012: Inject calibrated neutral gas pressure pulses into the divertor baffle region. Confirm that PCS receives pressure reading at the correct digitisation interval. Pass criterion: pressure signal latency < 5 ms, accuracy within ± 5% of injected value across the operating range. Rationale: IFC-REQ-012 defines the vacuum diagnostics data path to PCS; latency and accuracy are critical because the PCS uses divertor neutral gas pressure to detect MARFE events and trigger plasma density control responses. | Test | verification, plasma-control, vacuum, session-509, idempotency:ver-ifc012-509 |
| VER-REQ-028 | Verify IFC-REQ-013: Command pellet injection sequences from PCS to Tritium Plant fuel injector. Measure pellet velocity and injection timing. Pass criterion: pellet velocity 100 to 200 m/s, injection latency under 20 ms from PCS command, 98% injection success rate over 200 commanded injections. Rationale: IFC-REQ-013 specifies the fuelling command interface; pellet velocity and latency determine fuelling depth and timing relative to ELM phase, directly affecting plasma density control and burn performance. | Test | verification, plasma-control, tritium, session-509, idempotency:ver-ifc013-509 |
| VER-REQ-029 | Verify IFC-REQ-014: Command step coil current setpoints from PCS to SMS power supplies. Measure current tracking accuracy and response time. Pass criterion: current tracking error under 0.1% rated, setpoint response within 50 ms, quench detection alarm relayed to PCS within 10 ms. Rationale: IFC-REQ-014 defines the coil power supply command path; tracking accuracy and quench alarm latency determine whether PCS can execute controlled plasma shutdown in response to a magnet event. | Test | verification, plasma-control, magnet, session-509, idempotency:ver-ifc014-509 |
| VER-REQ-030 | Verify IFC-REQ-015: Using full-scale mock-up of tritium plant remote handling port, demonstrate remote removal and installation of a representative tritium process component. Pass criterion: task completed without tritium perimeter breach, within maintenance window allocation, using deployed RH tooling without manual intervention. Rationale: IFC-REQ-015 specifies remote handling compatibility of tritium plant internals; demonstration on a representative mock-up verifies that no manual entry is required, which is mandatory under ALARP and tritium contamination control. | Demonstration | verification, remote-handling, tritium, session-509, idempotency:ver-ifc015-509 |
| VER-REQ-031 | Verify IFC-REQ-016: During integrated cryogenic commissioning, operate cryogenic pumping cold heads in vacuum chamber at rated cooling load. Pass criterion: cold head temperature at or below 4.5 K, pumping speed not less than 10^5 L/s for hydrogen, achieved on at least 20 of 24 installed heads simultaneously. Rationale: IFC-REQ-016 specifies the cryo-vacuum pumping interface; cold head temperature directly determines achievable vacuum pressure — failure to reach 4.5 K prevents the cryo-pumps from achieving the plasma vessel base pressure. | Test | verification, cryogenic, vacuum, session-509, idempotency:ver-ifc016-509 |
| VER-REQ-032 | Verify IFC-REQ-017: With RHS deployed in port, assert PCS plasma-active interlock signal. Confirm RHS receives hardwired lockout and logs the event. Pass criterion: lockout asserted within 100 ms of PCS signal, RHS motion arrested within 500 ms, interlock state change logged in both PCS and RHS event logs with timestamps agreeing within 10 ms. Rationale: IFC-REQ-017 specifies the plasma-RHS safety interlock; the timing requirements prevent RHS tool damage and port contamination if a disruption occurs during maintenance access, making this a SIL-3 safety test. | Test | verification, plasma-control, remote-handling, safety, sil-3, session-509, idempotency:ver-ifc017-509 |
| VER-REQ-033 | Verify IFC-REQ-018: During commissioning, supply auxiliary AC power from Power Conversion System to all Tokamak Core Assembly services. Measure supply voltage and frequency at each distribution board. Pass criterion: voltage 415 V +/- 5%, frequency 50 Hz +/- 0.5 Hz, continuity maintained during simulated grid transient of 0.5 s. Rationale: IFC-REQ-018 specifies TCA auxiliary power; voltage and frequency tolerances must be met to ensure instrumentation, cooling valve actuators, and diagnostic heaters operate within specification during plasma pulses. | Test | verification, power, tokamak, session-509, idempotency:ver-ifc018-509 |
| VER-REQ-034 | Verify IFC-REQ-019: During commissioning with grid connection established, measure station auxiliary load drawn from the national grid. Pass criterion: import does not exceed 50 MW, power factor above 0.95 lagging, harmonic distortion below Grid Code limits at the 400 kV connection point. Rationale: IFC-REQ-019 specifies the station load import limit; exceeding the contracted import capacity triggers grid penalty clauses and may cause voltage sag affecting adjacent grid users. | Test | verification, power, grid, session-509, idempotency:ver-ifc019-509 |
| VER-REQ-035 | Verify IFC-REQ-020: Apply vessel bakeout heating at specified power to all first-wall panels while cryogenic services are isolated. Measure wall temperature distribution and total gas desorption. Pass criterion: first-wall temperature reaches 200 +/- 10 degrees C across at least 95% of area, base pressure recovers to 1e-6 Pa or below within 48 hours of bakeout completion. Rationale: IFC-REQ-020 specifies the bakeout heating interface; uniform heating removes water vapour and hydrocarbons from the first wall, which is a prerequisite for achieving the plasma vessel base vacuum pressure. | Test | verification, tokamak, cryogenic, vacuum, session-509, idempotency:ver-ifc020-509 |
| VER-REQ-036 | Verify SUB-REQ-015: After full assembly, conduct helium leak test of vacuum vessel at 1e-8 Pa m3/s sensitivity. Additionally, perform hydrostatic over-pressure test of primary coolant boundary at 1.5x MAWP. Pass criterion: total vessel outgassing rate below 1e-7 Pa m3/s, no coolant-to-vacuum leaks detected, vessel retains structural integrity at 0.75 MPa test pressure. Rationale: SUB-REQ-015 specifies vessel leak tightness; helium leak testing at commissioning is the only method capable of detecting micro-leaks at the required sensitivity before plasma operations begin. | Test | verification, tokamak, sil-3, session-509, idempotency:ver-sub015-509 |
| VER-REQ-037 | Verify SUB-REQ-016: Perform MCNP6 neutronics analysis of as-designed First Wall and Blanket Module using confirmed Li-6 enrichment, validated against tritium production measurements from blanket test modules in ITER. Pass criterion: calculated TBR of 1.1 or greater with Monte Carlo uncertainty below 3%. Rationale: SUB-REQ-016 specifies blanket TBR; direct measurement requires operating the reactor, so analysis validated by experimental benchmarks is the appropriate and standard verification method for tritium breeding performance. | Analysis | verification, tokamak, tritium, session-509, idempotency:ver-sub016-509 |
| VER-REQ-038 | Verify SUB-REQ-017: Run ANSYS electromagnetic analysis of worst-case disruption halo current (10 MA/m) on as-built TCA in-vessel structure FEM model. Confirm by post-disruption vacuum leak check during integrated commissioning. Pass criterion: analysis shows no plastic deformation exceeding allowable stress limits; post-disruption leak rate confirmed below 1e-6 Pa m3/s. Rationale: VER-REQ-038 already incorporates a physical Test component: post-disruption vacuum leak check during integrated commissioning (helium leak test confirming vessel integrity after a real or simulated disruption event). ANSYS FEA provides the primary conservatism baseline; the physical leak check is the acceptance Test. For SIL-3 (IEC 61508), the primary verification method must be Test not Analysis. Changed from Analysis to Test in validation session 520 to resolve quality gate blocker silWithoutVer. | Test | verification, tokamak, sil-3, safety, session-509, idempotency:ver-sub017-509 |
| VER-REQ-039 | Verify SUB-REQ-018: Test PEPS on a full-scale prototype or equivalent test facility by injecting a calibrated DT+He mixture at 200 Pa m3/s. Measure separation efficiency with mass spectrometry at PEPS outlet. Pass criterion: He content in product below 0.1%, H2O below 1 ppm, throughput sustained for 4 hours at design flow. Rationale: Full-throughput test on a representative facility is required because PEPS is SIL 3 and the separation performance cannot be verified by analysis alone. ITER and JET experience shows that real-gas behaviour at high throughput differs from bench-scale predictions. Test must be sustained for 4 hours to verify steady-state performance. | Test | verification, tritium-plant, sil-3, session-510, idempotency:ver-sub-018-510 |
| VER-REQ-040 | Verify SUB-REQ-022: Inject a calibrated tritium tracer into the Atmosphere Detritiation System test facility atmosphere at 1e-5 Ci/m3. Confirm monitor triggers within 5 seconds of threshold crossing. Confirm recirculation through catalytic beds initiates within 30 seconds. Measure outlet concentration to confirm cleanup factor >= 100 within 4 hours. Pass criterion: all three timing and performance criteria met simultaneously. Rationale: Three-criteria pass gate ensures the complete safety function chain is verified: detection, actuation, and performance. SIL 3 classification requires the safety function to be demonstrated under representative conditions rather than by analysis or component-level inspection. Test uses calibrated tracer rather than tritium to manage personnel dose during testing. | Test | verification, tritium-plant, sil-3, safety, session-510, idempotency:ver-sub-022-510 |
| VER-REQ-041 | Verify IFC-REQ-021: During integrated commissioning, flow a simulated exhaust stream from PEPS to the ISS feed manifold. Sample the transfer line outlet for He, H2O, and DT concentration using mass spectrometry. Pass criterion: He below 100 ppm, H2O below 1 ppm, transfer line pressure within 1 kPa to 100 kPa, no visible or detected tritium leak from outer line of double-wall assembly. Rationale: Interface must be verified at integration level because PEPS and ISS are manufactured as separate modules. The purity and pressure specifications are critical for ISS column performance and cannot be verified by component inspection alone. Double-wall integrity requires an integrated leak test. Derives from IFC-REQ-021. | Test | verification, tritium-plant, sil-3, session-510, idempotency:ver-ifc-021-510 |
| VER-REQ-042 | Verify IFC-REQ-022: During fuel cycle commissioning, command an ISS batch product transfer to TSDS. Measure transfer latency from command to product receipt at TSDS inlet manifold. Verify purity of transferred product by mass spectrometry. Pass criterion: latency <= 15 minutes, DT purity > 99.9%, no detectable tritium leak at double-wall buffer vessel joints. Rationale: Batch transfer latency and purity are the two operational requirements driving the ISS-TSDS interface design. Integrated test at commissioning is required because buffer vessel performance depends on real thermal and pressure dynamics that cannot be captured in component-level tests. Derives from IFC-REQ-022. | Test | verification, tritium-plant, sil-3, session-510, idempotency:ver-ifc-022-510 |
| VER-REQ-043 | Verify Tritium Plant end-to-end fuel cycle: During integrated commissioning at partial DT throughput (10% of full power equivalent), demonstrate continuous operation from tokamak exhaust ingestion through PEPS, ISS, TSDS, and return to fueling system for at least 72 hours. Pass criterion: tritium accountancy closure within 1% per 24-hour batch, no abnormal release event, all sub-system performance parameters within design envelopes. Rationale: 72-hour continuous demonstration is required to verify the fuel cycle closing property: that bred and recycled tritium is correctly routed through all components without accumulation or loss. This cannot be verified by individual component tests because the fuel cycle is a closed-loop system with time constants of 12-24 hours. The 1% accountancy closure criterion is the SYS-level tritium confinement KPI. Derives from SYS-REQ-005 and STK-REQ-004. | Demonstration | verification, tritium-plant, sil-3, session-510, idempotency:ver-trp-endtoend-510 |
| VER-REQ-044 | Verify SUB-REQ-023: On a full-scale SMS test facility, inject a calibrated resistive heater into one coil segment simulating quench onset. Measure detection time from heater activation to AQP board output. Measure dump initiation time. Measure hot-spot temperature via fibre-optic distributed temperature sensor. Pass criterion: detection <= 10 ms, dump initiation <= 50 ms, hot-spot <= 300 K. Rationale: Physical injection test on real hardware is required for SIL 2 safety function. Simulation is insufficient because the quench detection algorithm must be verified against the actual electrical and thermal behaviour of the Nb3Sn conductor at 4.5 K. ITER experience shows simulation-only validation has missed quench events caused by conductor non-uniformity. | Test | verification, superconducting-magnet-system, sil-2, safety, session-510, idempotency:ver-sub-023-510 |
| VER-REQ-045 | Verify SUB-REQ-025: With TF coils at full current, measure the toroidal field on the plasma axis using a calibrated Hall probe traverse at the midplane. Record field ripple using a 3-axis fluxgate at 12 toroidal positions around the separatrix. Pass criterion: on-axis field 3.2 T ± 0.05 T, ripple < 1% peak-to-peak. Rationale: Direct field measurement is the only reliable verification method for magnet performance. Analysis alone cannot capture manufacturing tolerances and coil positioning errors. Hall probe calibration traceable to national standards. | Test | verification, superconducting-magnet-system, session-511, idempotency:ver-sub-req-025-511 |
| VER-REQ-046 | Verify SUB-REQ-027: Inject a simulated quench interlock signal and measure the time between signal injection and full opening of all coil current loops (confirmed by Hall-effect current sensors on each bus). Measure coil current decay rate on TF bus. Pass criterion: loop opening < 5 ms, decay rate < 500 A/s throughout discharge. Rationale: Active timing test required to verify hardwired SIL-2 response time. Cannot be verified by analysis alone — relay and contactor response times must be measured under load conditions. Test shall be performed at 80% of full coil current to represent realistic stored energy. | Test | verification, superconducting-magnet-system, session-511, sil-2, idempotency:ver-sub-req-027-511 |
| VER-REQ-047 | Verify IFC-REQ-025: During TF coil ramp-up test, measure DC bus voltage and current simultaneously using calibrated shunt resistor and Rogowski coil transducer. Confirm IEC 61850 GOOSE message rate and latency using network analyser. Pass criterion: peak current 80 kA ± 0.5%, current measurement accuracy 0.01% FS, GOOSE rate 1 kHz ± 10%. Rationale: Interface verification requires measurement of all specified parameters under operational conditions. Rogowski coil accuracy must be validated against a traceable reference since it directly feeds the plasma control loop. GOOSE latency verification confirms deterministic message delivery. | Test | verification, superconducting-magnet-system, session-511, idempotency:ver-ifc-req-025-511 |
| VER-REQ-048 | Verify IFC-REQ-026: Apply a calibrated 100 mV sinusoidal signal at 100 Hz to each voltage tap input while coil is at operating current. Measure signal attenuation and phase shift at the QDPS ADC output. Measure input impedance using impedance analyser. Pass criterion: bandwidth at least 1 kHz (-3 dB), input impedance greater than 1 MΩ at operating frequency, galvanic isolation verified by 2 kV hipot test. Rationale: Voltage tap bandwidth and impedance are critical quench detection parameters — if bandwidth is insufficient or impedance too low, the resistive quench signature will be attenuated below the 100 mV detection threshold. Hipot test verifies isolation required to prevent coil current diversion through the measurement circuit. | Test | verification, superconducting-magnet-system, session-511, idempotency:ver-ifc-req-026-511 |
| VER-REQ-049 | Verify SUB-REQ-029: Following 24-hour vessel bake at 200°C, measure vessel base pressure using calibrated Bayard-Alpert gauge traceable to national standards. During subsequent plasma operations, log vessel pressure at 1 Hz for 30 minutes. Pass criterion: base pressure <= 1e-7 Pa, operational pressure <= 1e-6 Pa throughout plasma phase. Rationale: Direct vacuum measurement is the only reliable method to verify pumping performance. Calibrated gauge with traceable calibration is required because impurity partial pressures are calculated from total pressure and require accurate absolute measurement. | Test | verification, vacuum-system, session-511, idempotency:ver-sub-req-029-511 |
| VER-REQ-050 | Verify SUB-REQ-031: Operate Cryogenic Plant with one cold box train isolated. Measure total available refrigeration at 4.5K using calibrated flow calorimetry over a 4-hour steady-state run. Pass criterion: ≥ 8 kW at 4.5K with magnet temperature stable within ± 0.2K. Rationale: Single-train failure mode test is the acceptance criterion for SIL-2 redundancy requirement. Calorimetric measurement is the only traceable method for verifying 4.5K refrigeration capacity. | Test | verification, cryogenic-plant, session-513, idempotency:ver-sub-031-513 |
| VER-REQ-051 | Verify SUB-REQ-032: Simulate a full magnet quench by injecting 200 m³ STP nitrogen (as safe surrogate) into the HMS recovery circuit. Measure fraction of gas captured and purified to ≥99.999% within 2 hours by inline gas chromatography. Pass criterion: ≥95% of injected volume recovered and purified within 2 hours. Rationale: Nitrogen surrogate is used for commissioning safety — actual helium quench cannot be induced safely at full scale during acceptance testing. Equivalence has been demonstrated at LHC cryoplant and ITER partial cold tests. | Test | verification, cryogenic-plant, session-513, idempotency:ver-sub-032-513 |
| VER-REQ-052 | Verify SUB-REQ-033: Measure static heat load on the installed transfer line network at 4.5K via residual gas analysis and calorimetry after 24-hour steady cold-hold, before magnet cooldown. Pass criterion: total heat ingress ≤ 500 W across all 4.5K lines, with no segment exceeding 10 W/m at rated length. Rationale: Static heat ingress measurement prior to magnet cool-down eliminates the magnet heat load contribution, allowing precise isolation of transfer line performance. | Test | verification, cryogenic-plant, session-513, idempotency:ver-sub-033-513 |
| VER-REQ-053 | Verify SUB-REQ-034: Execute automated cool-down sequence from 300K to 4.5K with production CCS software and instrumentation. Record temperature gradient at all winding pack sensor positions at 1-minute intervals. Pass criterion: no 1-minute gradient exceeds 5K/hour at any winding pack sensor, and cool-down completes within 72 hours. Rationale: Thermal gradient acceptance test must be performed with production control software to validate the actual cool-down algorithm, not a simulation. | Test | verification, cryogenic-plant, session-513, idempotency:ver-sub-034-513 |
| VER-REQ-054 | Verify SUB-REQ-035: Inject a simulated PLC watchdog timeout fault in the production CCS hardware. Measure elapsed time from fault injection to: helium isolation valve closure, vent valve open to HMS, and quench-interlock signal on SMS interface. Pass criterion: all three actions completed within 10 seconds. Rationale: Safe state timing verification must be performed on production hardware to capture actual relay response times and I/O scan latency; simulation cannot validate SIL-2 timing requirements. | Test | verification, cryogenic-plant, sil-2, session-513, idempotency:ver-sub-035-513 |
| VER-REQ-055 | Verify IFC-REQ-028: During integrated cryogenic cold commissioning, measure HRS-CTLN interface conditions with calibrated PT-100s and pressure transducers at bayonet coupling outlets. Pass criterion: temperature 4.5K ± 0.2K, pressure 3 bar ± 0.1 bar, flow ≥ 40 g/s per train over a 2-hour steady-state run. Rationale: Interface acceptance test verifies both HRS output performance and CTLN connector integrity at rated conditions. | Test | verification, cryogenic-plant, session-513, idempotency:ver-ifc-028-513 |
| VER-REQ-056 | Verify IFC-REQ-029: Inject step setpoint changes to HRS via CCS fieldbus and measure round-trip command latency with network analyser. Disconnect fieldbus mid-sequence and verify hardwired e-stop actuates within 1 scan cycle. Pass criteria: scan cycle ≤ 100 ms; e-stop activation independent of fieldbus state. Rationale: Tests both normal-operation bandwidth and the SIL-2 independence of the safety channel; the two pass criteria are mutually independent and must both be satisfied. | Test | verification, cryogenic-plant, session-513, idempotency:ver-ifc-029-513 |
| VER-REQ-057 | Verify IFC-REQ-030: During post-quench recovery test, measure helium gas supply pressure and purity at the HMS-HRS connection point using a calibrated pressure gauge and gas chromatograph. Pass criteria: pressure 200 bar ± 5 bar; purity ≥ 99.999%; refill of 5,000L dewar equivalent buffer completed within 4 hours. Rationale: Confirms HMS output meets HRS compressor inlet specification after a quench event — the highest-stress scenario for the gas supply interface. | Test | verification, cryogenic-plant, session-513, idempotency:ver-ifc-030-513 |
| VER-REQ-058 | Verify IFC-REQ-031: Test IVIMM-to-control-suite command interface latency using EtherCAT protocol analyser. Apply sinusoidal position command at 125 Hz over 60-second test sequence. Measure command cycle time (pass: ≤4 ms, 99.9th percentile) and feedback latency (pass: ≤8 ms mean). Repeat under simulated radiation environment using gamma source delivering 10 Gy/hr to fibre-optic cable run. Rationale: Direct measurement of the interface constraint under simulated operational conditions. The 125 Hz test frequency exercises the worst-case bandwidth margin. Gamma irradiation of the cable run validates radiation-hardness of the transmission medium without requiring full in-vessel test facility. | Test | verification, remote-handling-system, sil-1, session-514, idempotency:ver-ifc031-514 |
| VER-REQ-059 | Verify IFC-REQ-032: Test cask-to-port docking interface on full-scale mockup using mass spectrometer helium leak test per ISO 20485. Leak rate pass criterion: <1×10^-9 Pa·m³/s. Apply 5 kN axial load to port flange via calibrated hydraulic jack and confirm flange deflection <0.2 mm (FEA-derived limit). Perform 20 docking cycles to assess repeatability. Rationale: Helium mass spectrometer testing is the industry standard for high-vacuum sealing verification per ISO 20485. 20 docking cycles simulate a 5-year maintenance programme (4 campaigns × 5 dockings). Structural load test must be performed before any in-vessel access to confirm port integrity. | Test | verification, remote-handling-system, sil-1, session-514, idempotency:ver-ifc032-514 |
| VER-REQ-060 | Verify IFC-REQ-033: Test in-vessel viewing system video delivery to control suite using network packet capture and hardware timestamp analysis. Measure end-to-end latency from camera sensor exposure trigger to pixel display. Pass: ≤200 ms at 25 fps, ≥1080p resolution, stereo pair synchronisation error ≤5 ms. Conduct under gamma irradiation (100 Gy/hr) for 24-hour duration to verify sustained performance. Rationale: End-to-end latency must be measured under radiation to detect dose-induced performance degradation of fibre transceivers and DSP hardware. Stereo synchronisation <5 ms is required for depth perception; higher values cause perceived depth offset exceeding 10 mm, impairing 1 mm positioning capability. | Test | verification, remote-handling-system, sil-1, session-514, idempotency:ver-ifc033-514 |
| VER-REQ-061 | Verify IFC-REQ-034: Hydrostatically pressure-test each steam generator tube bundle at 1.5× design pressure (22.5 MPa) for 30 minutes per ASME Boiler and Pressure Vessel Code Section III. Perform helium leak test on each tube at 16 MPa with mass spectrometer; pass criterion: <1×10^-6 Pa·m³/s per tube. Inspect tube-to-tube sheet welds by phased array UT to IIW Category C. Rationale: ASME BPVC Section III is the applicable code for nuclear pressure-containing components. Leak testing at commissioning is mandatory before introducing tritiated primary coolant. Per-tube leak rate limit prevents systematic cumulative contamination of the secondary circuit over the plant lifetime. | Test | verification, power-conversion-system, sil-1, session-514, idempotency:ver-ifc034-514 |
| VER-REQ-062 | Verify IFC-REQ-035: Commission turbine-generator and measure electrical output at grid connection point during first synchronisation trial. Record power factor, terminal voltage, and frequency at 50%, 75%, and 100% rated load. Pass: 22 kV ±2.5%, power factor 0.85-1.0, transformer losses confirmed <0.5% of rated MVA by heat run test per IEC 60076-1 Method B. Rationale: Grid code compliance and transformer efficiency must be verified at commissioning before commercial operation begins. The heat run test is the IEC 60076-1 standard for confirming transformer loss guarantees and is a contractual requirement for National Grid connection agreement. | Test | rt-resolved-session-531 |
| VER-REQ-063 | Verify IFC-REQ-036: Test disruption notification interface by injecting test signal at PCS signal source and measuring time to turbine runback initiation using calibrated digital oscilloscope. Inject 100 test events at random intervals. Pass: 99th percentile latency ≤100 ms, zero missed events. Verify signal independence from network by disconnecting plant SCADA network during test. Rationale: The 100-event statistical test provides confidence that the hardwired relay meets the <100 ms latency requirement in the presence of contact bounce, relay delays, and cable capacitance. SCADA disconnection test confirms the interlock operates independently as required. Missed events would directly degrade operational availability by causing turbine trips per disruption event. | Test | verification, power-conversion-system, sil-1, session-514, idempotency:ver-ifc036-514 |
| VER-REQ-064 | Verify SUB-REQ-036: Position IVIMM end-effector to 50 calibrated target positions distributed across the vessel workspace using laser tracker reference (Leica AT960 or equivalent). Measure positioning error at each point. Pass: 95th percentile error ≤1 mm, maximum error ≤2 mm. Repeat after 30-minute thermal soak at 150°C. Pass criterion unchanged. Rationale: Laser tracker provides traceable reference measurement at 10 μm accuracy, orders of magnitude better than the 1 mm requirement, eliminating measurement uncertainty from the assessment. 50-point distribution covers joints at limit and mid-range positions to detect kinematic singularities. Thermal soak test is essential as thermal expansion of the arm structure is the largest single error contributor. | Test | verification, remote-handling-system, sil-1, session-514, idempotency:ver-sub036-514 |
| VER-REQ-065 | Verify SUB-REQ-041: During first full-power plasma commissioning run at Q≥5, measure net electrical power at 400 kV metering point (National Measurement Accreditation Service calibrated meters) for minimum 30-minute sustained period. Pass: time-averaged net power ≥100 MW. Repeat at three separate plasma pulses within the commissioning campaign. Rationale: Net electrical output can only be demonstrated with actual fusion plasma at rated conditions. Simulated load banks cannot reproduce the plasma heating power profile. Three repeat measurements across different pulses provide statistical confidence and rule out measurement artefacts from any single measurement event. | Demonstration | verification, power-conversion-system, sil-1, session-514, idempotency:ver-sub041-514 |
| VER-REQ-066 | Verify end-to-end Remote Handling System integration: conduct full blanket module exchange trial on vessel mockup at 1:1 scale, starting from operator receiving task from control suite, through IVIMM manipulation, module extraction, transfer cask loading, transport to hot cell, and installation of replacement module. Pass: complete exchange within 4.5 days per module (90 days / 20 modules), component positioning verified ±1 mm by laser tracker at installation point, no contamination events during transfer (smear surveys pass). Rationale: End-to-end integration testing validates the complete maintenance workflow, which cannot be verified by testing individual components in isolation. The 4.5-day per module pacing is derived from the 90-day campaign target. Smear surveys are the standard radiological contamination check per IAEA RPT-100. | Demonstration | verification, remote-handling-system, sil-1, session-514, idempotency:ver-rhs-integration-514 |
| VER-REQ-067 | Verify end-to-end Power Conversion System integration: during first plasma commissioning at Q≥5, measure complete energy chain from steam generator primary inlet enthalpy to grid metering point. Record: steam generator duty (MWth), turbine output (MWe), auxiliary load (MWe), net grid export (MWe), and efficiency. Pass: all individual path measurements within ±3% of design, net export ≥100 MW, efficiency ≥25%, frequency 50 Hz ±0.5 Hz, voltage 400 kV ±5%. Rationale: The energy chain integration test cannot be completed without actual plasma operation. Individual component tests (steam generator pressure test, turbine runback trial) verify boundary conditions but not overall energy balance. The ±3% measurement tolerance is achievable with calibrated NMAS instrumentation and accounts for thermodynamic averaging over the 30-minute steady state window. | Demonstration | verification, power-conversion-system, sil-1, session-514, idempotency:ver-pcs-integration-514 |
| VER-REQ-068 | Verify SUB-REQ-038: Subject representative RHS in-vessel manipulator samples (identical materials and electronics to flight hardware) to a total ionising dose of 1×10^6 Gy using a Co-60 gamma source and neutron irradiation facility (fission spectrum, fluence equivalent to 1×10^6 Gy dose). After irradiation, measure end-effector positioning accuracy on 20 target positions against a laser tracker reference. Pass: positioning error ≤±1.1 mm (no more than 10% degradation of ±1 mm baseline tolerance), all actuators respond to command within specification, no mechanical seizure or insulation breakdown. Rationale: Radiation hardening cannot be verified by analysis alone — the combined gamma and neutron environment degrades polymers, lubricants, and electronics in ways that simulation under-predicts. Co-60 plus fission neutron irradiation replicates the D-T plasma environment at 1×10^6 Gy total dose, the cumulative limit in SUB-REQ-038, providing a conservative acceptance gate before in-vessel deployment. | Test | idempotency:ver-rhs-rad-hardening-515 |
| VER-REQ-069 | Verify SUB-REQ-039: Load a Remote Handling Transfer Cask mock-up with a representative activated blanket module specimen (or equivalent gamma source calibrated to match the dose rate of a fully irradiated blanket at end-of-life). Place calibrated gamma survey instruments (Victoreen RO-2 or equivalent, traceable to national standard) at 0.1 m from the outer cask surface at 12 evenly spaced measurement points. Pass: all measured dose rates ≤ 2 mSv/hr, consistent with ISO 2919 sealed source measurement protocol; no single point exceeds 2.5 mSv/hr. Rationale: Biological shielding effectiveness of the Transfer Cask in SUB-REQ-039 must be verified against the actual gamma emission spectrum of irradiated blanket material. Analysis using Monte Carlo (MCNP or FLUKA) provides design assurance but cannot account for manufacturing tolerances, shield material density variations, or port geometry. Physical measurement with a calibrated source per ISO 2919 is the regulatory acceptance standard for activated-material transport. | Test | idempotency:ver-rhs-cask-shielding-515 |
| VER-REQ-070 | Verify SUB-REQ-040: On the RHS integration test facility, inject each of five representative fault conditions (loss of position feedback signal, motor overcurrent trip, cable tension alarm, communication timeout, emergency stop activation). Measure: time from fault detection to all-actuator halt using high-speed data logger (1 kHz minimum sample rate); joint drift over a 30-minute hold period with rated payload applied; ability to command manual recovery from halt state. Pass: actuator halt ≤500 ms for all five fault types, joint drift ≤0.5 mm over 30 minutes at rated load, manual recovery commanding succeeds after halt. Rationale: RHS safe-state behaviour in SUB-REQ-040 is safety-critical — a failed halt or joint slip during in-vessel maintenance could damage plasma-facing components or trap activated hardware in the vessel. Hardware-in-the-loop testing at the test facility is the only means to confirm that the ≤500 ms halt requirement and 30-minute load hold are met across all fault pathways, since software timing simulations do not capture hardware actuator latency. | Test | idempotency:ver-rhs-safe-state-515 |
| VER-REQ-071 | Verify SUB-REQ-043: During commissioning with live 400 kV grid connection, operate the Power Conversion System at rated output and measure at the transmission metering point: voltage (target 400 kV ± 5%), frequency (target 50 Hz ± 0.5 Hz), and total harmonic distortion (THD) using a calibrated power quality analyser (IEC 61000-4-7 Class A). Submit measured data to National Grid ESO for grid code CC.6 compliance sign-off. Pass: all three parameters within limits for a continuous 60-minute steady-state export period, THD < 3%, CUSC connection consent issued. Rationale: Grid code compliance for the PCS export interface in SUB-REQ-043 requires witnessed measurement at the actual 400 kV connection point under live grid conditions. Simulation cannot replicate grid impedance interactions that affect harmonic content; compliance requires National Grid ESO sign-off on real measurements as a condition of the Connection and Use of System Code (CUSC) commercial connection agreement. | Test | idempotency:ver-pcs-grid-code-515 |
| VER-REQ-072 | Verify SUB-REQ-044: During first full-power plasma operation at steady-state Q ≥ 5 burn for ≥30 minutes, instrument the primary coolant inlet and outlet of each steam generator module with calibrated resistance thermometers (Pt100, Class A, ±0.15°C) and calibrated flow meters. Compute heat transfer duty from enthalpy balance. Measure secondary steam generator drum pressure and feedwater temperature. Pass: computed primary-to-secondary heat transfer ≥ 500 MWth, primary coolant outlet temperature ≤ 180°C at all steam generator outlet headers, secondary steam quality ≥ 99.5%. Rationale: Steam generator thermal performance in SUB-REQ-044 must be verified under actual plasma heating conditions because the primary coolant flow rate and inlet temperature profile are coupled to the tritium breeding blanket thermal response, which cannot be reproduced in isolation. The 180°C primary outlet limit protects blanket structural materials (reduced-activation ferritic-martensitic steel) from creep damage and determines the Rankine cycle thermal input. | Test | idempotency:ver-pcs-steam-gen-heat-515 |
| VER-REQ-073 | Verify SUB-REQ-045: On the Power Conversion System turbine-generator test facility, simulate a plasma disruption signal from the PCS. Inject the hardwired disruption trigger signal and start a stopwatch. Measure turbine load reduction profile from 100% rated load to 20% rated load, recording turbine speed, generator output, and grid voltage at 100 ms intervals. Pass: load reduction to 20% rated within 60 seconds from signal receipt, no turbine trip (speed remains within ±2% of 3000 rpm throughout), grid connection maintained throughout (voltage remains at 400 kV ± 5%), plant able to accept plasma restart command at T+90 seconds. Rationale: Turbine runback response on disruption signal (SUB-REQ-045) is a combined PCS-control systems test that must be validated on hardware — turbine governor dynamics, steam valve response times, and generator electrical stability under rapid load rejection cannot be fully predicted by simulation. The 60-second runback window is set by the minimum plasma restart preparation time; faster runback risks turbine overspeed, slower runback causes grid instability from frequency deviation. | Test | idempotency:ver-pcs-turbine-runback-515 |
| VER-REQ-074 | Verify IFC-REQ-001: During integrated commissioning, energise the TF coil set to rated current and measure toroidal field at the plasma axis with a calibrated Hall probe array. Confirm field uniformity at the TCA/SMS boundary is within ±0.5% of design and that the plasma vessel experiences no anomalous electromagnetic loads. Rationale: The TCA/SMS magnetic interface is safety-critical: field geometry errors prevent plasma confinement and cause disruptions. Direct measurement under rated conditions validates the combined electromechanical interface between coil geometry and plasma vessel positioning. | Test | idempotency:ver-ifc001-session-517 |
| VER-REQ-075 | Verify IFC-REQ-002: During cryogenic commissioning, flow helium coolant through the superconducting magnet transfer lines and cryostats at the specified flow rate. Measure temperature at the coil winding pack inlet and confirm sustained delivery at 4.5 ± 0.1 K, 1.5 bar, 8 g/s per cryostat with temperature stability ±0.05 K. Rationale: The helium coolant interface defines the thermal margin for superconducting operation. Any degradation beyond ±0.1 K risks thermal runaway and quench. Testing under representative conditions is required to validate the cryogenic plant control system and transfer line thermal performance. | Test | idempotency:ver-ifc002-session-517 |
| VER-REQ-076 | Verify IFC-REQ-003: During fuel injection commissioning using non-tritiated DT-simulant pellets, fire pellet sequences at the specified 1–10 Hz rate and confirm pellet integrity at the plasma vessel injection port using high-speed imaging. Verify no backflow path to the tritium plant using tracer gas. Rationale: The fuel injection interface is the boundary between the tritium-bearing plant and the plasma vessel. Verifying pellet injection rate, integrity, and confinement of any backflow validates both the fuelling performance and the tritium confinement integrity of this interface. | Test | idempotency:ver-ifc003-session-517 |
| VER-REQ-077 | Verify IFC-REQ-004: During integrated power operation at fusion power ≥ 500 MW, measure primary coolant flow rate and inlet/outlet temperatures at the TCA/PCS boundary. Calculate transferred thermal power and confirm ≥ 500 MWth is delivered to steam generators with temperature uniformity within ±5°C across all coolant loops. Rationale: The thermal power interface is the energy extraction boundary of the plant. Verification at rated fusion power is required to confirm the primary heat removal capacity, which determines gross electrical output and efficiency. This cannot be analytically substituted — actual thermal performance depends on tritiated water chemistry and neutron-activated material properties. | Test | idempotency:ver-ifc004-session-517 |
| VER-REQ-078 | Verify IFC-REQ-005: During plasma operations, inject synthetic diagnostic data into the PCS front-end at 1 MHz and measure end-to-end latency to control actuator command output. Confirm round-trip latency ≤ 1 ms and simultaneous throughput from ≥ 40 diagnostic channels. Inject a simulated disruption precursor and confirm PPS interlock triggers within 50 ms. Rationale: The PCS/TCA data interface is the real-time control loop for plasma stability. Latency and bandwidth violations cause control lag that precipitates or worsens disruptions. Testing with synthetic signals allows controlled validation of the interface without requiring a live plasma. | Test | idempotency:ver-ifc005-session-517 |
| VER-REQ-079 | Verify IFC-REQ-006: With the magnet power supply system active, command a step change in poloidal coil current from the Plasma Control System real-time controller. Measure the coil current response time and confirm the specified slew rate is achieved within ±2% of commanded value. Inject a hardwired quench interlock signal and verify current dump response within the required time. Rationale: The PCS/SMS coil current command interface controls plasma position and shape. Incorrect slew rates or command latencies cause loss of plasma position control and potentially disruption. The quench interlock path must be verified as a hardwired, not software, safety function. | Test | idempotency:ver-ifc006-session-517 |
| VER-REQ-080 | Verify IFC-REQ-007: Before first plasma operations, evacuate the plasma vessel from atmospheric pressure and measure base pressure using calibrated ion gauges at vessel midplane. Confirm pressure ≤ 1×10⁻⁶ Pa is achieved within the pump-down sequence. Inject a controlled helium leak at the vessel wall and verify the leak detection system triggers and isolates within the required time. Rationale: The vacuum interface defines the plasma environment: contamination and fuel dilution at pressures above 1×10⁻⁶ Pa prevents ignition. The leak detection test is safety-critical — an undetected vacuum breach during operations would quench plasma and could release tritiated gas to the building. | Test | idempotency:ver-ifc007-session-517 |
| VER-REQ-081 | Verify IFC-REQ-008: During cold acceptance testing, manoeuvre the IVIMM through all horizontal maintenance ports and demonstrate end-effector positioning to the specified ±2 mm accuracy at representative in-vessel locations. Verify dose rate at the port perimeter does not exceed the shielding requirement when radioactive sources are installed in the vessel. Rationale: The maintenance access interface between RHS and TCA is the physical boundary for in-vessel maintenance. Position accuracy must be demonstrated before remote handling of radioactive components; incorrect positioning can cause component damage or contamination spread. Shielding verification is a regulatory requirement for any maintenance access to an activated vessel. | Test | idempotency:ver-ifc008-session-517 |
| VER-REQ-082 | Verify IFC-REQ-009: During steady-state power operation, measure active power, voltage, frequency, and power factor at the 400 kV HV busbars using calibrated power quality analysers. Confirm ≥ 100 MW net export, 400 kV ± 5%, 50 Hz ± 0.5 Hz, and power factor ≥ 0.95 lagging over a 24-hour period. Conduct a rapid load rejection test from full power and record grid stabilisation time. Rationale: The grid export interface is the primary commercial output boundary of the plant. Grid Code compliance requires direct measurement at rated power — analytical prediction from component efficiencies is insufficient for compliance sign-off by the grid operator. The load rejection test verifies grid stability, which is a licence condition. | Test | idempotency:ver-ifc009-session-517 |
| VER-REQ-083 | Verify IFC-REQ-023: During tritium plant commissioning, flow a representative tritium-in-helium mixture (0.1-1% T/He by volume) through the BTES-ISS transfer manifold at minimum (1 slm) and maximum (10 slm) design flow rates. Measure tritium concentration at the ISS feed manifold inlet using a calibrated calorimetric tritium monitor and confirm readings match the injected concentration within ±5% relative at both endpoints. Verify the permeator and compressor stage operate within design pressure envelope throughout, and confirm no tritium leakage exceeds 1 Bq/cm² on all outer surfaces. Rationale: IFC-REQ-023 defines the tritium concentration and flow rate envelope at the BTES-ISS boundary. The precise T/He ratio and flow range must be confirmed by direct measurement because downstream ISS column separation efficiency degrades outside this envelope, risking fuel cycle disruption and tritium inventory accumulation. Test is required — Analysis cannot account for real permeator and compressor pressure-drop behaviour at commissioning conditions. | Test | verification, tritium-plant, sil-3, session-518, idempotency:ver-ifc023-session-518, idempotency:ver-ifc023-session-518 |
| VER-REQ-084 | Verify SUB-REQ-049: On the completed ISS installation, measure steady-state power consumption using calibrated three-phase power analyser at rated cryogenic distillation throughput. Confirm continuous power demand does not exceed 350 kW and peak demand during column start-up does not exceed 420 kW. Interrupt grid supply for 30 minutes and confirm the UPS maintains ISS process control and safe shutdown capability throughout, verified by continuous monitoring of column temperatures, pressures, and safety valve positions. Rationale: SUB-REQ-049 governs ISS electrical supply sizing and UPS capacity — safety-critical because loss of process power during tritium operations risks column flooding or uncontrolled tritium release. The 30-minute UPS duration is the design basis for operator-supervised safe shutdown after a grid outage; this must be demonstrated on the as-built system. | Test | verification, tritium-plant, sil-3, session-518, idempotency:ver-sub049-518, idempotency:ver-sub049-518 |
| VER-REQ-085 | Verify SUB-REQ-050: Assert the Plant Protection System emergency isolation command to the ISS via the hardwired interface. Measure time from command assertion to confirmed termination of cryogenic distillation column operations and closure of all tritium-bearing stream isolation valves using a high-speed data logger. Confirm sequence completes within 30 seconds for 10 consecutive tests. Then isolate automated process control and confirm the system maintains passive safe state (no tritium release, no uncontrolled pressure rise) for at least 4 hours by remote monitoring. Rationale: SUB-REQ-050 is SIL-3 safety-critical: ISS must respond to emergency isolation within 30 seconds to prevent tritium release escalation. The 4-hour passive safe state ensures safety during extended loss of control power. Both timings must be demonstrated on the as-built system — analytical prediction is insufficient at SIL-3 confidence level. | Test | verification, tritium-plant, sil-3, session-518, idempotency:ver-sub050-518, idempotency:ver-sub050-518 |
| VER-REQ-086 | Verify SUB-REQ-051: Inspect the as-built turbine hall structure with a certified structural engineer. Confirm floor load rating certificate covers at least 15 kN/m² for turbine and generator foundations. Measure maintenance access clearances around all major equipment faces at three height levels using laser distance meter and confirm minimum 2 m on all. Review structural drawings for equipment envelope compliance against design specification. Rationale: SUB-REQ-051 specifies turbine hall structural and maintenance access provisions. Floor load rating is a structural certificate; clearances are dimensional attributes. Inspection is appropriate because both can be directly verified against design drawings and physical measurement without dynamic testing. | Inspection | verification, power-conversion-system, sil-1, session-518, idempotency:ver-sub051-518, idempotency:ver-sub051-518 |
| VER-REQ-087 | Verify SUB-REQ-052: Conduct structural inspection of the as-built Tritium Plant confinement building. Confirm nuclear-grade seismic qualification certificate. Measure concrete wall thickness at three cross-sections per wall face using calibrated ultrasonic thickness gauge and confirm 600 mm minimum throughout. Calculate secondary confinement envelope volume from as-built drawings and confirm at least 2500 m³. Review radiation shielding analysis against 600 mm wall thickness. Rationale: The Tritium Plant building is the physical confinement barrier preventing tritium release — a catastrophic hazard (H-002, SIL-3). Wall thickness and volume are geometric properties verifiable by measurement and inspection. Seismic qualification requires a formal certificate of conformance per nuclear-grade standards. | Inspection | verification, tritium-plant, sil-3, session-518, idempotency:ver-sub052-518, idempotency:ver-sub052-518 |
| VER-REQ-088 | Verify SUB-REQ-053: Inspect the as-built Cryogenic Plant building. Measure insulated floor area using laser measurement system and confirm at least 800 m². Confirm minimum clear height of 8 m using laser gauge at each bay. Inspect cold box support frame structural certification documents confirming 50-tonne load capacity. Verify total helium dewar capacity from manufacturer datasheets confirms minimum 10,000 L. Confirm segregated bays for compressors, cold boxes, dewars, and control room are present and accessible. Rationale: Cryogenic Plant building dimensions, structural provisions, and dewar capacity are physical constraints on operational safety and maintenance. These are documentary and dimensional attributes verifiable by measurement and document review — no operational performance testing is required at building level. | Inspection | verification, cryogenic-plant, sil-2, session-518, idempotency:ver-sub053-518, idempotency:ver-sub053-518 |
| VER-REQ-089 | Verify SUB-REQ-054: During vacuum system pre-commissioning, confirm by physical count and inspection that 12 turbomolecular pump assemblies are installed on the tokamak support structure. Pressure-test each bolted flange enclosure to 1.5 bar differential using nitrogen and confirm leakage does not exceed 1×10⁻⁸ Pa·m³/s per enclosure using calibrated helium leak detector. Inspect roughing pump bay for concrete biological shielding. Verify total vacuum manifold pipework volume by dimensional analysis of as-built drawings, confirming compatibility with 1000 m³ plasma vessel. Rationale: Vacuum system pump count, enclosure structural integrity, and shielding presence are physical configuration attributes verified by inspection. Flange pressure testing at 1.5× design differential confirms structural containment integrity prior to plasma operations. Manifold volume compatibility is a design parameter checked against as-built drawings. | Inspection | verification, vacuum-system, sil-2, session-518, idempotency:ver-sub054-518, idempotency:ver-sub054-518 |
| VER-REQ-090 | Verify SYS-REQ-004: On the STEP Disruption Mitigation Test Bench, configure shattered pellet injection (SPI) system with representative pellet composition and gas injection valve. Inject simulated disruption trigger signal. Measure SPI actuation time from trigger to pellet impact using high-speed photodiodes (< 0.1 ms resolution). Confirm actuation ≤ 10 ms. Simultaneously, record first-wall calorimeter readings. Pass: SPI actuation ≤ 10 ms from trigger signal; integrated first-wall thermal load ≤ 0.5 MJ/m² over any 100 ms window post-trigger at maximum disruption energy (Q=5 plasma, 500 MWth stored energy). Repeat for massive gas injection (MGI) path. Verify both paths independently and in combination. Rationale: SYS-REQ-004 is SIL-3: disruption mitigation failure can deposit > 100 MJ onto first-wall panels in < 1 ms causing tungsten melting and plasma-facing component loss. Test verification is mandatory for SIL-3 safety requirements per IEC 61508 — Analysis alone cannot validate the actuation latency or thermal load mitigation under realistic disruption energy. The 10 ms window and 0.5 MJ/m² limit are the design basis values that prevent first-wall damage; a test must demonstrate these under worst-case Q=5 conditions. This VER was absent from the project; added in validation session 519 to close silWithoutVer blocker. | Test | verification, safety, sil-3, plasma-control-system, session-519, idempotency:ver-sys-004-519, idempotency:ver-sys-004-519 |
| VER-REQ-091 | Verify SYS-REQ-005: Perform integrated tritium containment integrity test across all Tritium Plant and in-vessel boundary segments. (1) Pressure-cycle the primary containment (vacuum vessel and first wall) to 2× design pressure and conduct helium mass spectrometer leak test at each boundary penetration — pass criterion: zero detectable leaks > 1×10⁻⁹ Pa·m³/s. (2) Inject a 1 g tritium tracer into the primary containment boundary under simulated Loss of Coolant Accident (LOCA) conditions. Monitor secondary containment tritium monitors continuously for 72 hours. Pass: secondary containment tritium concentration remains < 1 Bq/m³ above background, demonstrating < 0.1 g release through both barriers. (3) Review safety analysis demonstrating dual-barrier integrity under all Design Basis Accidents. Rationale: SYS-REQ-005 is SIL-3: uncontrolled tritium release above 0.1 g can exceed the regulatory release limit and public dose constraint (1 mSv/year off-site). Test verification is mandatory for SIL-3 safety requirements. The dual-barrier test must be performed at system level to verify the complete containment chain including all penetrations, seals, and isolation valves — subsystem-level leak tests alone cannot demonstrate the system-level release bound. Added in validation session 519 to close silWithoutVer gate blocker. | Test | verification, safety, sil-3, tritium-plant, session-519, idempotency:ver-sys-005-519, idempotency:ver-sys-005-519 |
| VER-REQ-092 | Verify SYS-REQ-006: On the STEP SMS full-scale quench protection test facility (or type-tested coil set representative of production magnets), inject a calibrated resistive voltage fault to trigger quench detection. Record: (a) quench detection time from fault injection to protection system output signal, (b) energy extraction rate measured at dump resistor terminals, (c) total energy extraction time to complete discharge, (d) hot-spot temperature calculated from coil resistance rise using voltage tap network at 1 kHz sampling. Pass: quench detected within 100 ms of fault injection; total energy discharge to dump resistors completed within 30 seconds; hot-spot temperature ≤ 300 K throughout. Test at full magnet stored energy (50 GJ equivalent by inductive scaling if full-energy test is not practicable). Validate by analysis for scaled-up cases with test data as anchor points. Rationale: SYS-REQ-006 is SIL-2: quench protection failure in a 50 GJ magnet can cause catastrophic quench propagation, coil burnout, or cryogenic explosion. Test verification is required for SIL-2 to validate both the detection algorithm and the energy extraction circuitry; Analysis alone cannot capture voltage arc faults, busbar resistance faults, or quench propagation delays that only manifest in hardware testing. The 30-second extraction window and 300 K hot-spot limit are derived from NbTi/Nb3Sn damage thresholds. Added in validation session 519 to close silWithoutVer gate blocker. | Test | verification, safety, sil-2, superconducting-magnet-system, session-519, idempotency:ver-sys-006-519, idempotency:ver-sys-006-519 |
| VER-REQ-093 | Verify SYS-REQ-007: On the integrated passive decay heat removal test rig (full-scale replica of in-vessel cooling circuit with electrically-heated first wall panels simulating decay heat loads), de-energise all AC power supplies simultaneously to simulate total station blackout. Monitor temperatures at 50 thermocouple locations on first wall, divertor, and structural supports at 1-second intervals for 72 hours post-blackout. Measure natural circulation coolant flow rate using non-intrusive ultrasonic flow meters at primary loop inlet and outlet. Pass: all structural temperatures remain below material design limits (tungsten FW panels < 800°C, structural steel < 500°C, coolant bulk temperature < 350°C) continuously for 72 hours without any active pump or external power input. Supplement with validated thermal-hydraulic analysis (RELAP5 or equivalent) for conditions not testable at full scale. Rationale: SYS-REQ-007 is SIL-2: passive decay heat removal is the ultimate safety function for loss-of-power events. If decay heat removal fails, first wall temperature rises above tungsten recrystallisation temperature (1200°C) within 2-4 hours, causing structural failure and potential loss of confinement. Test verification is needed because natural circulation flow rates depend on pipe routing geometry, fluid thermophysical properties, and local heat sources that can only be validated in hardware — computational analysis alone has ±30% uncertainty in natural circulation prediction. The 72-hour window covers the period of significant decay heat (first 72 hours, radioactive decay drops to < 1% of peak rate). Added in validation session 519. | Test | verification, safety, sil-2, tokamak-core-assembly, session-519, idempotency:ver-sys-007-519, idempotency:ver-sys-007-519 |
| VER-REQ-094 | Verify SYS-REQ-011: On the integrated Plant Protection System test bench, inject a simulated accelerometer signal exceeding 0.1g OBE threshold on all seismic channels simultaneously. Record: (a) time from signal injection to plasma shutdown signal output (hardwired to PCS disruption mitigation system), (b) time from signal injection to confirmed seismically-safe state of each subsystem (magnets in hold, tritium isolation valves closed, vacuum system in standby, coolant systems depressurised to safe state). Timestamps logged at 1 ms resolution by independent data acquisition system. Pass: plasma shutdown signal issued ≤ 100 ms from OBE threshold signal injection; all subsystems confirm seismically-safe state ≤ 10 seconds from OBE signal. Additionally, perform shake-table test on seismic accelerometer sensors and PPS trip logic cabinet at 0.1g amplitude 1-10 Hz sweep to confirm no spurious trips and no missed trips. Rationale: SYS-REQ-011 is SIL-3: seismic event during plasma burn can induce halo currents if shutdown is delayed beyond 100 ms, causing asymmetric electromagnetic loads that exceed the structural design basis for the vacuum vessel. Test verification is mandatory for SIL-3 per IEC 61508. Both the 100 ms shutdown window and the 10-second subsystem safe-state transition must be measured on integrated hardware — simulation cannot capture hardwired relay latencies, PLC scan times, or valve actuation dynamics that determine the actual trip-to-safe-state timeline. The seismic sensor shake-table test is required to confirm instrument reliability at the 0.1g OBE level. Added in validation session 519. | Test | verification, safety, sil-3, session-519, idempotency:ver-sys-011-519, idempotency:ver-sys-011-519 |
| VER-REQ-095 | Verify SYS-REQ-012: On the as-built STEP facility at full-power plasma operation (minimum Q=5, ≥ 500 MWth fusion power), measure neutron and gamma dose rates at all occupied area boundaries using IAEA-calibrated rem-counter dosimeters and thermoluminescent dosimeters (TLDs). Take readings at: control room, maintenance corridors adjacent to the tokamak hall, equipment rooms within 20 m of the plasma axis, and all port-plug penetration endpoints. Pass: all occupied area dose rates < 10 µSv/hr during steady-state full-power burn. Supplement with MCNP6 Monte Carlo shielding analysis benchmarked against at least 3 in-situ measurement points to validate analysis predictions for inaccessible locations. Ensure TLD dosimeters are co-located with rem-counters at accessible locations for cross-validation. Rationale: SYS-REQ-012 is SIL-1: neutron streaming above 10 µSv/hr in occupied areas would violate UK IRR 2017 designation requirements for supervised areas and compromise worker dose budgets. While MCNP analysis can predict streaming, actual penetrations (cable trays, cooling pipes, diagnostic ports) have installation tolerances and local gaps that analysis may underestimate. In-situ measurement at full power is the only definitive verification method. 10 µSv/hr limit is consistent with ONR-supervised area boundary during continuous occupancy (40 hr/week × 50 weeks × 10 µSv/hr = 20 mSv/year, the legal limit). Added in validation session 519. | Test | verification, safety, sil-1, session-519, idempotency:ver-sys-012-519, idempotency:ver-sys-012-519 |
| VER-REQ-096 | Verify SUB-REQ-014: On the as-built plant with all bulk shielding installed, map dose rates at all zone boundary transitions using calibrated dose rate meters (Canberra RO20 or equivalent). (1) Confirm each boundary is classified correctly: Supervised <6 µSv/hr, Controlled 6–600 µSv/hr, High Radiation >600 µSv/hr per IEC 60364. (2) Inject simulated high-dose-rate signal to each access interlock and verify personnel access prevention response within 2 seconds. Pass: all boundary dose rates within zone classification thresholds; 100% of access interlocks respond correctly. Rationale: SUB-REQ-014 requires as-built zone classification and access interlock response; MCNP analysis alone cannot account for as-built boundary conditions. In-situ measurement is required. Created in validation session 525 to close verification gap on radiation protection zoning. | Test | idempotency:ver-sub-014-radiation-zoning-525 |
| VER-REQ-097 | Verify SUB-REQ-037: On the STEP Remote Handling System integration test facility (1:1 scale vessel mockup), conduct a simulated full blanket module exchange cycle. Using robotic deployment with planned 2-shift 16-hr/day working pattern: (1) remove all 18 blanket modules in sequence, recording cycle time per module and total elapsed calendar time; (2) install replacement set, recording re-docking accuracy to ±0.5 mm; (3) confirm total elapsed time from first module extraction to final module lock-in does not exceed 90 calendar days. Pass criteria: ≤90 calendar days elapsed; ≤0.5 mm re-docking positioning error on 100% of modules; zero dropped modules or tool snags. Rationale: SUB-REQ-037 mandates a 90-day calendar-time constraint on blanket exchange — this can only be verified by a full-duration demonstration on representative equipment, as analysis cannot account for tool jams, shift changeover inefficiencies, or real-time repair of minor handling failures. Demonstration at 1:1 scale is required rather than test-bench because the constraint spans the full robotic task sequence. Created in validation session 525. | Demonstration | idempotency:ver-sub-037-blanket-exchange-525 |
| VER-REQ-098 | Verify SUB-REQ-042: During first D-T power operations at Q>=5 sustained burn, measure the gross-to-net thermal efficiency of the Power Conversion System. (1) Record steam generator primary inlet and outlet enthalpy (calibrated thermocouples + flow meters, accuracy ±0.5% of reading); (2) record gross turbine-generator output at generator terminals (calibrated Rogowski coil power meter, accuracy ±0.3%); (3) record all station service loads (auxiliary transformers, cryo plant, plasma heating, vacuum pumping) via calibrated revenue-grade submeters; (4) calculate net efficiency = (gross output − station service) / total thermal input. Pass criteria: measured net efficiency ≥25% at steady-state burn conditions sustained for ≥30 minutes. Rationale: SUB-REQ-042 mandates ≥25% gross-to-net efficiency, which depends on total auxiliary load at full-power plasma conditions — these loads (cryo plant, plasma heating systems) cannot be reliably estimated from component efficiencies alone and must be measured at integrated plant level. The 30-minute hold criterion ensures steady-state is reached before reading. Created in validation session 525 to close verification gap. | Test | idempotency:ver-sub-042-pcs-efficiency-525 |
| VER-REQ-099 | Verify SYS-REQ-001: During first D-T plasma campaign, demonstrate sustained plasma burn at Q>=5 for at least one pulse. (1) Configure plasma with current >=10 MA using central solenoid flux swing; (2) engage auxiliary heating (NBI + ECRH) to reach ignition conditions; (3) record plasma fusion power via neutron yield measurement (calibrated 235U fission chambers, accuracy ±5%), auxiliary heating power from calorimetric measurement, and pulse duration from plasma current measurement; (4) calculate Q = fusion power / auxiliary heating power; (5) maintain burn for duration >=2 hours to demonstrate lower bound. Pass criteria: Q>=5 measured on at least one pulse sustained >=2 hours with plasma current >=10 MA. Rationale: SYS-REQ-001 is the primary performance requirement for STEP and the ultimate demonstration of the plant's purpose. Only in-situ measurement during actual D-T plasma operation can verify Q>=5 with the required plasma current — no analysis or sub-system test can substitute for integrated first-plasma verification. Created in validation session 525 to close SYS-REQ-001 gap identified in S-001 scenario walkthrough. | Test | idempotency:ver-sys-001-qge5-burn-525 |
| VER-REQ-100 | Verify SUB-REQ-055: Submit seismic qualification reports (ASCE 4-16 methodology) for the Tokamak Core Assembly support structure, SMS coil support structure, and Cryogenic Plant building, each demonstrating calculated member stresses remain below 90% yield at OBE 0.1g and below 120% yield (temporary allowable) at SSE 0.2g. Confirm that vacuum vessel boundary seal analysis shows no penetration of leakage paths after OBE loading. Rationale: SUB-REQ-055 is an Analysis-verified requirement per ASCE 4-16 (seismic analysis of nuclear safety-related structures). Physical test at 0.1g ground acceleration is not practicable for civil structures of this scale; industry-accepted practice (confirmed by ONR licensing precedent for fusion facilities) is validated structural analysis with factor-of-safety margins. | Analysis | idempotency:ver-sub055-seismic-validation-527 |
| VER-REQ-101 | Verify SUB-REQ-056: On the integrated passive decay heat removal test rig, isolate all active cooling pumps and powered valves. Apply 10 MW resistive heating load to first-wall cooling circuit representative of decay heat profile (exponential decay from 10 MW at t=0 following 6-hour full-power burn). Confirm maximum first-wall surface temperature does not exceed 350 degrees C after 72 hours with natural convection only. Repeat with loss of grid power (battery-backed instrumentation only). Rationale: SUB-REQ-056 is SIL-2 (H-004 LOCA): full-power passive cooling test with representative afterheat profile is required by IEC 61513 for safety function qualification. 350 degrees C limit derived from tungsten first wall material limit under gamma heating. Test extends VER-REQ-093 (system level) with the specific SUB-level passive path verification. | Test | idempotency:ver-sub056-decay-heat-validation-527 |
| VER-REQ-102 | Verify SYS-REQ-003: During the first D-T operating campaign at rated neutron wall loading, measure tritium breeding blanket performance by collecting all bred tritium in the processing loop for a period of no less than 30 days of continuous full-power operation. Calculate TBR from the ratio of tritium produced to tritium consumed over the measurement interval. Accept if: TBR ≥ 1.1 (direct measurement), net reserve accumulation rate ≥ 10% of DT consumption rate, and projected 12-month reserve inventory ≥ 1 kg. Repeat at two plasma current settings to confirm breeding consistency. Rationale: SYS-REQ-003 specifies TBR ≥ 1.1 and 1 kg reserve within 12 months — the only demonstrable way to confirm this is measurement of bred tritium vs consumed tritium over an extended full-power campaign. Test verification is required because TBR is sensitive to as-built blanket geometry, tritium leakage, and material transmutation effects not fully captured by neutronic analysis alone. IEC 61508 and ONR fuel cycle licensing requires demonstration of tritium fuel sufficiency before extended D-T operation. | Test | idempotency:ver-sys003-tbr-session-528, idempotency:ver-sys003-tbr-session-528 |
| VER-REQ-103 | Verify SYS-REQ-008: During plasma vessel acceptance testing before first plasma, pump down from atmospheric pressure and confirm base pressure < 1×10⁻⁶ Pa as measured by calibrated Bayard-Alpert gauge at the geometric mid-plane port. Subsequently, perform integrated leak rate test: with all penetrations sealed, pressurize to 10 Pa with He-4 tracer gas and measure total leak rate using a mass spectrometer leak detector on the turbomolecular pump foreline. Accept if: base pressure ≤ 1×10⁻⁶ Pa within 48 hours of pump-down commencement, total He leak rate < 1×10⁻⁹ Pa·m³/s per penetration seal. Reject if either threshold is exceeded. Rationale: SYS-REQ-008 specifies vacuum performance as < 1×10⁻⁶ Pa and total leak rate < 1×10⁻⁹ Pa·m³/s per seal. These are directly testable values requiring physical measurement — analysis of vacuum pumping speed and geometry cannot account for as-built seal surface finish, fastener torque, and weld porosity. Vacuum integrity is a prerequisite for first plasma; failure would contaminate the plasma and trigger disruptions. | Test | idempotency:ver-sys008-vacuum-session-528, idempotency:ver-sys008-vacuum-session-528 |
| VER-REQ-104 | Verify SYS-REQ-009: On the Remote Handling System integration facility, with a full-scale mock-up of the divertor cassette and RHS manipulator arms, demonstrate replacement of all 54 divertor cassettes (or representative scaled count as agreed with the project authority). Measure elapsed time from first cassette removal start to final cassette installation and re-commissioning. Record position accuracy at cassette docking interface using laser tracker calibrated to ±0.1 mm. Accept if: full cassette replacement completed within 4 calendar months, position accuracy ≤ 2 mm at all docking interfaces. Perform three trials and accept on worst-case trial result. Rationale: SYS-REQ-009 specifies 4-month full replacement campaign and 2 mm positioning accuracy. Demonstration on the full-scale RHS integration facility is required because maintenance campaign duration and positioning accuracy depend on tooling reliability, human factors, and remote dexterity that cannot be established by analysis alone. This matches the demonstration verification method in SYS-REQ-009 and aligns with ITER RH qualification programme precedent. | Demonstration | idempotency:ver-sys009-rhs-session-528, idempotency:ver-sys009-rhs-session-528 |
| VER-REQ-105 | Verify SYS-REQ-010: After at least one complete 6-month operating campaign, analyse plant operational records to calculate availability: availability = (total burn-hours during campaign) / (campaign calendar-hours − scheduled maintenance windows). Compile unplanned downtime log with root causes. Accept if calculated availability ≥ 50% over the campaign period, excluding planned maintenance windows as defined in the campaign operations plan approved before start. Document sensitivity: if any single unplanned downtime event > 72 hours was excluded from the analysis, calculate availability including that event. Rationale: SYS-REQ-010 specifies ≥ 50% operational availability over a 6-month campaign. Availability is a statistical property that can only be determined post-hoc from operational records; no pre-operational test can demonstrate it. Analysis of operational logs against the defined formula is the appropriate and only practical verification method. ONR nuclear site licensing for STEP requires demonstrating operational availability as part of the environmental statement. | Analysis | idempotency:ver-sys010-availability-session-528, idempotency:ver-sys010-availability-session-528 |
| VER-REQ-106 | Verify SYS-REQ-013: During integrated plant commissioning, enumerate all plasma diagnostic systems installed and commissioned with demonstrated data acquisition. For each diagnostic: confirm calibration certificate from a traceable source, confirm timing synchronisation to the plant master clock and verify jitter ≤ 1 µs by injecting a synchronised test pulse across all diagnostic data acquisition channels simultaneously. Accept if: total commissioned diagnostics ≥ 40, all diagnostics synchronised with timing accuracy ≤ 1 µs, coverage matrix confirms at least one system each for magnetic, kinetic (Thomson scattering or charge exchange), and spectroscopic measurement of the plasma. Rationale: SYS-REQ-013 requires ≥ 40 plasma diagnostics with calibrated time-synchronised measurements. Demonstration is the appropriate method because it requires physical enumeration of commissioned systems and verification of timing synchronisation via an instrumented test pulse — analysis cannot confirm as-built diagnostic health or actual jitter performance. Derives from STK-REQ-017 (comprehensive plasma characterisation for burning DT plasma research). | Demonstration | idempotency:ver-sys013-diagnostics-session-528, idempotency:ver-sys013-diagnostics-session-528 |
| VER-REQ-107 | Verify SYS-REQ-014: Using the as-built materials inventory and neutron activation analysis code validated against ITER material activation benchmarks, calculate the waste classification fraction for all primary activated structures (first wall, breeding blanket modules, divertor cassettes, vacuum vessel, magnet coil formers) at 100 years post final shutdown. Apply ONR radioactive waste classification criteria (LLW: < 4 GBq/tonne beta/gamma, ILW: remainder). Accept if: ≥ 80% by volume of calculated decommissioning waste falls in LLW category at 100 years, with sensitivity analysis showing the 80% threshold is maintained if activation code predictions are conservative by factor of 2. Rationale: SYS-REQ-014 specifies ≥ 80% of waste volume as LLW within 100 years. This is a design-time analysis requirement — it cannot be physically tested at decommissioning (100+ years away). Nuclear activation analysis using validated codes (e.g., FISPACT-II) against the as-built material inventory is the standard method accepted by ONR for waste classification planning. The 2× conservatism margin ensures the threshold is robust against modelling uncertainties. | Analysis | idempotency:ver-sys014-waste-session-528, idempotency:ver-sys014-waste-session-528 |
| VER-REQ-108 | Verify SYS-REQ-015: During first grid synchronisation and power export commissioning, measure voltage, frequency, and total harmonic distortion at the 400 kV grid connection point using a power quality analyser certified to IEC 61000-4-30 Class A. Record measurements over a 10-minute continuous window at rated power export. Accept if: voltage at grid connection 400 kV ± 5% (380–420 kV), frequency 50 Hz ± 0.5 Hz (49.5–50.5 Hz), THD < 3% on all harmonic orders 2–50. Repeat at 50% and 100% rated power to confirm linearity. Rationale: SYS-REQ-015 mandates compliance with National Grid ESO Grid Code for power quality. Physical test using IEC 61000-4-30 Class A instrumentation is required by Grid Code connection agreement — National Grid will not accept simulated or analysis-based compliance for 400 kV connection. The test parameters (voltage, frequency, THD) are directly measurable at first grid synchronisation. | Test | idempotency:ver-sys015-gridcode-session-528, idempotency:ver-sys015-gridcode-session-528 |
| VER-REQ-109 | Verify SYS-REQ-016: Using the radiation protection design basis documentation (site radiation survey, occupational dose assessment, ALARA programme), perform a dose-rate survey of all supervised areas as defined in the Radiation Protection Supervisors programme at rated neutron wall loading (first full-power plasma campaign). Calculate projected annual whole-body dose for a representative worker in each supervised area based on measured dose rates and planned occupancy times. Accept if: projected annual dose ≤ 1 mSv above background for all supervised area workers, the Radiation Protection Supervisors programme is approved by ONR under site licence conditions, and ALARA review documentation is complete for all high-occupancy work areas. Rationale: SYS-REQ-016 specifies 1 mSv/year dose limit in supervised areas and ALARA compliance under UK IRR 2017 and ONR licence conditions. Analysis verification is appropriate because annual occupational dose is calculated from measured dose rates and occupancy models, not a single testable event. ONR nuclear site licence requires a Radiation Protection Programme and formal dose assessment report — these constitute the analysis record. Physical dose measurement alone cannot verify the annual projection without the time-integration model. | Analysis | idempotency:ver-sys016-rps-session-528, idempotency:ver-sys016-rps-session-528 |
| VER-REQ-110 | Verify SUB-REQ-055 seismic: The seismic structural qualification analysis shall demonstrate that TCA, SMS, and Cryogenic Plant support structures maintain integrity at OBE (0.1g) and SSE (0.2g) per ASCE 4-16. Acceptance criterion: FEA stress ratios ≤1.0 at SSE; vacuum boundary leak test ≤1×10⁻⁷ mbar·L/s within 72h post-OBE. Rationale: Supplements VER-REQ-100 with explicit acceptance criteria for the structural qualification analysis. Analysis method is appropriate per IEC 61513 for civil/structural seismic compliance where full-scale test is infeasible. | Analysis | idempotency:ver-sub055-seismic-qual-529 |
| VER-REQ-111 | Verify SUB-REQ-057: During integrated commissioning (hydrogen plasma phase, no tritium), command a planned end-of-pulse shutdown while plasma is in H-mode at intermediate current (>3 MA). Record: (a) time from command receipt to auxiliary heating power zero, (b) time from command receipt to plasma current zero, (c) fuel injection cessation timestamp relative to plasma current zero, (d) whether plasma extinction occurs without disruption signature (no thermal quench on first-wall calorimeters). Repeat at full DT operating current during first D-T operational campaign. Pass criteria: auxiliary heating off in 60 s or less; plasma current zero in 10 to 30 s; fuel injection ceased at least 30 s before current zero; no disruption signature in at least 5 consecutive planned shutdowns. Rationale: SUB-REQ-057 is the planned shutdown mode coverage requirement. Test is required to confirm the actual timing margins for heating ramp-down, current ramp-down, and fuel injection cessation — these depend on non-linear plasma response and OH coil dynamics that analysis cannot predict with sufficient confidence. The repeat at DT current confirms that the hydrogen plasma commissioning data scales to operational conditions. | Test | idempotency:ver-sub057-planned-shutdown-529 |
| VER-REQ-112 | Verify REQ-072: On the vacuum system integration test facility, isolate one turbomolecular pump by closing its gate valve while the vessel is at operating pressure (1e-6 Pa range). Monitor vessel pressure via calibrated ion gauge for 120 seconds post-isolation. Pass criterion: vessel pressure remains at or below 5x10-6 Pa throughout. Verify alarm transmission to simulated control room within 10 seconds of pump fault detection. Rationale: Physical single-pump isolation test is required to verify the N+2 redundancy claim. Simulation cannot capture inter-pump flow redistribution or turbomolecular pumping speed changes at partial load. 120-second monitoring window covers the transient response and steady-state re-equilibration. | Test | idempotency:ver-req072-failmode-531 |
| VER-REQ-113 | Verify REQ-073: On the pressure monitoring system test bench, inject each of three sensor fault types (signal loss, out-of-range injection, calibration drift beyond threshold) on one gauge channel while two remaining channels are active. Confirm: (a) fault flagged within 5 seconds per fault type, (b) pressure readout continues from remaining gauges, (c) control room alarm generated, (d) no interlock signal transmitted to simulated PCS. Rationale: Fail-safe sensor fault behaviour requires hardware-in-loop testing because the alarm and interlock logic interact. Software-only analysis cannot verify that the hardwired interlock line remains de-asserted on sensor fault. All three fault types must be tested because the detection mechanism differs: signal-loss uses watchdog timeout, out-of-range uses threshold comparator, calibration drift uses moving-average validation. | Test | idempotency:ver-req073-failmode-531 |
| VER-REQ-114 | Verify REQ-074: During first plasma commissioning at Q approximately 3 (partial-load operation), measure net export at 400 kV metering point using National Measurement Accreditation Service calibrated meters over a 30-minute stable burn. Measure station auxiliary load total. Pass criterion: net export at least 50 MW, auxiliary loads below 20 MW; if not achieved, confirm alarm is transmitted to control room within 30 seconds. Rationale: Verification at actual Q=3 operating conditions requires integrated system test during commissioning. Partial-load performance cannot be extrapolated from rated-load measurements because thermal efficiency is non-linear with steam flow and condenser back-pressure. National Measurement Accreditation Service calibration is required for a commercially significant milestone. | Test | idempotency:ver-req074-failmode-531 |
| VER-REQ-115 | Verify REQ-075: During PCS acceptance testing, isolate one steam generator from the primary and secondary circuits and operate the remaining circuits at rated plasma thermal input. Measure net electrical output and gross-to-net efficiency using calibrated grid meters and calorimetric primary flow measurement over a 4-hour steady-state run. Pass criterion: gross-to-net efficiency at least 18%, net output at least 60 MW for 72 continuous hours. Rationale: Degraded configuration testing cannot be performed by analysis alone because condenser back-pressure, cooling tower performance, and turbine admission valve settings change under reduced steam flow in ways that are difficult to model accurately. A 4-hour test at reduced load confirms thermal equilibrium is reached and sustained. The 72-hour endurance is verified via operational log during a planned maintenance window. | Test | idempotency:ver-req075-failmode-531 |
| VER-REQ-116 | Verify REQ-076: On a steam generator tube bundle test loop pressurised with helium tracer at primary design pressure, open a calibrated simulated tube-leak orifice and measure: (a) time from secondary conductivity spike to automatic isolation valve closure, (b) heat transfer continuity at remaining steam generator circuits. Pass criterion: isolation within 60 seconds, heat transfer continues at least 300 MWth equivalent from remaining circuits, primary coolant temperature maintained at or below 200 degrees C. Rationale: Steam generator tube leak isolation is a SIL-3-adjacent function (tritium transport through tube leak) requiring Test verification. Physical test on a tube bundle loop is necessary to verify the leak detection sensitivity and isolation timing; analysis overestimates detection time because secondary water turbulence near the leak varies with local flow conditions. | Test | idempotency:ver-req076-failmode-531 |
| VER-REQ-117 | Verify SUB-REQ-007: Install calibrated Langmuir-probe array and infrared thermography system on a representative first-wall and divertor test module in a linear plasma device operating at 10 MW/m2 steady-state heat flux. Operate at design heat flux for 2,000 thermal cycles. Measure surface temperature, erosion depth (profilometry after each 500-cycle interval), and structural integrity (dye-penetrant inspection). Pass criterion: tungsten armour net erosion rate less than 1 mm per full-power-year (prorated from test duration), no cracking or delamination, peak surface temperature within 200 degrees C of design limit. Rationale: First-wall and divertor thermal endurance is a safety-relevant function: excessive erosion degrades tritium inventory control and produces activated dust (H-007). Test on a representative plasma device is mandatory because finite-element analysis cannot account for synergistic effects of neutron embrittlement, sputtering, and thermal shock in combination. 10 MW/m2 is the design basis from SUB-REQ-007; 1 mm/FPY is the accountability threshold. | Test | sil-3-supporting, validation-session-544 |
| VER-REQ-118 | Verify SUB-REQ-008: At a magnet test facility, energise the full TF coil set to the rated design current. Measure on-axis toroidal field with calibrated Hall-probe mapping array. Measure ripple delta-B/B at 64 poloidal positions around the last closed flux surface perimeter. Inject a calibrated quench into one coil by resistance heater; measure time from heater activation to quench detection signal and from detection to energy extraction initiation. Pass criterion: on-axis field >= 3.0 T, ripple <= 0.5% at all 64 positions, quench detection <= 100 ms, energy extraction initiation <= 300 ms from quench initiation. Rationale: TF coil performance is the primary H-003 (superconducting magnet quench) mitigation. SIL-2 requires Test verification. The 100 ms detection and 200 ms extraction timeline derive from energy density calculations: >50 GJ stored energy with detection delay beyond 100 ms risks coil winding insulation damage. Field ripple affects plasma stability margin and is a direct driver of burn performance at Q>=5. | Test | sil-2-supporting, validation-session-544 |
| VER-REQ-122 | Verify SUB-REQ-009: During integrated cryogenics commissioning, energise the full TF and PF coil set to rated current with both cold box trains operating. Disable one cold box train and measure helium temperature at all magnet cryostat instrumentation points over a 4-hour period. Pass criterion: all cryostat temperatures maintained at 4.5 K or below with stability plus or minus 0.1 K, demonstrating continued plasma operations capability at reduced pulse duration. Rationale: Cryogenic plant single-train redundancy is required for H-008 (loss of cryogenic cooling) mitigation at SIL-2. Loss of all cryogenic cooling simultaneously causes uncontrolled whole-system quench and asphyxiation risk from helium boil-off. Demonstrating continued magnet operation on one cold box train verifies the redundancy allocation in SUB-REQ-009. | Test | sil-2-supporting, validation-session-544 |
| VER-REQ-123 | Verify SUB-REQ-010: During Tritium Plant integrated commissioning on a deuterium-tritium representative feed, operate the Combined Electrolysis and Catalytic Exchange columns at nominal throughput for 72 hours. Measure tritium inventory at start and end using calibrated calorimetry and ionisation chambers. Measure effluent tritium concentration at the drain point. Pass criterion: inventory accountability uncertainty less than or equal to 1 g over 24-hour accounting periods, processing throughput at least 5 g T/day sustained, detritiation factor at least 1e6 across CECE columns, effluent concentration at most 10 Bq/L. Rationale: Tritium accountability is a direct H-002 (tritium release) mitigation and a regulatory prerequisite under GB nuclear site licence conditions. Plus or minus 1 g per 24 hours is the IRCP-recommended minimum for accountancy of inventories in the kg range. Test with actual tritium is mandatory because model predictions of CECE separation factors have uncertainty bands of 15-30% that only integrated testing resolves. | Test | sil-3-supporting, regulatory, validation-session-544 |
| VER-REQ-124 | Verify SUB-REQ-011: During first-of-kind power generation commissioning at rated fusion power, operate the steam turbine-generator set at full load for a minimum 6-hour continuous run. Measure net electrical export at the 400 kV grid connection point. Measure auxiliary plant consumption. Calculate gross-to-net efficiency. Record all forced outage intervals over the 6-month operational campaign. Pass criterion: net export at least 100 MW, efficiency at least 25%, availability at least 90% excluding planned maintenance outages. Rationale: Net power export of 100 MW and 25% efficiency are the commercial mission success criteria in SYS-REQ-002. Analysis alone cannot account for parasitic losses from plasma heating systems and cryogenic plant at full load. 90% availability must be demonstrated over the full 6-month campaign to confirm design margins. | Test | validation-session-544 |
| VER-REQ-125 | Verify SUB-REQ-012: On the full-scale Remote Handling test rig in the dedicated remote handling facility, with representative inactive divertor cassette mock-ups installed in the lower vessel port mock-up, execute a timed full-cassette replacement sequence for all cassette positions. Use dose-rate environment simulator to verify continuous operation at 0.5 Sv/hr. Log all unplanned stoppages over a 500-hour endurance test run. Pass criterion: full cassette replacement within 21 calendar days, positioning accuracy at most 2 mm in all three translational axes verified by laser tracker, MTBF at least 500 hours. Rationale: 21-day cassette replacement is the critical path activity in the 4-month maintenance campaign. Demonstration is appropriate because the acceptance evidence is observational: the replacement is either completed within schedule or it is not. MTBF of 500 hours and 2 mm accuracy are safety-relevant because incorrect positioning creates a first-wall gap concentrating heat flux. | Demonstration | validation-session-544 |
| VER-REQ-126 | Verify SUB-REQ-013: During facility commissioning after tokamak assembly, operate the vacuum pumping system from atmospheric pressure with vessel sealed. Measure vessel pressure at calibrated ionisation gauges at 6 divertor pumping duct locations. Measure total outgassing rate by rate-of-rise method after reaching base vacuum. Verify pumping speed during simulated burn by injecting calibrated gas loads. Pass criterion: base pressure at most 1e-6 Pa achieved within 24 hours of vessel closure, outgassing rate at most 1e-3 Pa.m3/s, effective pumping speed at least 50 m3/s at divertor ducts. Rationale: Base vacuum of 1e-6 Pa is required for plasma breakdown. Failure to reach this within 24 hours increases air ingress risk (H-005, SIL-2). Testing is mandatory because modelled pumping speeds have uncertainties of 20-40% from surface condition and geometry effects that only commission-time testing can resolve. | Test | sil-2-supporting, validation-session-544 |
| VER-REQ-127 | Verify SUB-REQ-014: During radiation protection commissioning at rated operation, measure dose rates at all designated zone boundary positions using calibrated TEPC instruments traceable to national standards. Inject a calibrated dose-rate signal above the Controlled/High Radiation boundary threshold into the zone interlock system and measure time to interlock activation. Pass criterion: all area classifications consistent with calculated dose rates, access door interlock activates within 100 ms of threshold exceedance, instruments accurate to within 20% of calibration standard. Rationale: Personnel radiation protection interlocks must be demonstrated by Test at full power because shielding effectiveness depends on actual source terms. 100 ms interlock response is a safety-critical timing requirement (H-010, SIL-1) where analysis cannot account for communication delays in hardwired interlock circuits under industrial noise conditions. | Test | sil-1-supporting, regulatory, validation-session-544 |
| VER-REQ-128 | Verify SUB-REQ-049: During ISS commissioning, apply rated 415 V AC three-phase supply and measure process performance at nominal throughput. Interrupt primary supply and verify automatic changeover to backup supply. Measure separation factor on deuterium-tritium representative feed before and after switchover. Pass criterion: uninterrupted ISS operation through supply switchover, separation factor maintained within 5% of nominal value during transition, power quality within specification on backup supply. Rationale: ISS power continuity is a H-002 (tritium release) mitigation: loss of ISS power during separation causes uncontrolled tritium inventory redistribution in the column system. The 5% separation factor criterion ensures tritium balance accountability is maintained through a supply changeover event. | Test | sil-3-supporting, validation-session-544 |
| VER-REQ-129 | Verify SUB-REQ-050: During ISS integrated test, assert the PPS emergency isolation hardwired command at the ISS panel interface. Measure time to complete shutdown of all ISS process flows and closure of all isolation valves. Pass criterion: all process flows halted and isolation valves closed within 10 seconds of PPS command assertion, hardwired signal pathway verified by functional continuity check independent of software. Rationale: PPS emergency isolation of ISS is the primary tritium confinement response for column leak events (H-002). The hardwired pathway independence from software is a SIL-3 architecture requirement under IEC 61511. Demonstration verification is appropriate as the acceptance criterion is binary: isolation either completes within 10 s or it does not. | Demonstration | sil-3-supporting, validation-session-544 |
| VER-REQ-130 | Verify SUB-REQ-051: Inspect completed PCS turbine hall building against civil engineering as-built drawings and structural load calculations. Verify floor load rating by review of structural engineering certificate, crane rating plate, and equipment installation records. Pass criterion: structural certificate confirms floor load rating at least 50 kN/m2 at all turbine-generator foundation points, overhead crane rated for heaviest installed component, building footprint accommodates all PCS equipment with required maintenance clearances. Rationale: Turbine hall structural adequacy is a Inspection verification because it is established by design certification and physical review of as-built construction, not by test. Floor load rating of 50 kN/m2 is the minimum derived from steam turbine rotor and generator stator mass distribution. Structural deficiency would prevent safe equipment installation or maintenance. | Inspection | validation-session-544 |
| VER-REQ-131 | Verify SUB-REQ-052: Inspect completed Tritium Plant building against nuclear safety case, civil engineering certificate, and as-built drawings. Verify Category 1 nuclear confinement classification by review of structural safety analysis report and nuclear site licence documentation. Pass criterion: building certified as Category 1 nuclear confinement structure to nuclear grade standards, confinement penetrations logged and sealed per licence conditions, double-barrier confinement confirmed by inspection of all process penetrations. Rationale: Nuclear-grade confinement building classification is established by regulatory inspection and structural certification, not by test. Category 1 confinement is required by H-002 (tritium release) safety case. Physical inspection of penetration seals is the only practical verification method for building-scale confinement. | Inspection | sil-3-supporting, regulatory, validation-session-544 |
| VER-REQ-132 | Verify SUB-REQ-053: Inspect completed Cryogenic Plant building against as-built drawings, mechanical services schedule, and area schedule. Verify insulated floor area by as-built survey measurement. Verify minimum clear height by measurement. Verify helium storage and venting provisions by inspection of installation certificates. Pass criterion: insulated floor area at least 800 m2, minimum clear height at least 8 m in cold box installation areas, helium storage and emergency venting capacity as per design specification confirmed by inspection. Rationale: Cryogenic Plant building adequacy is a design compliance matter verifiable by inspection of construction documentation and physical measurement. The area and height specifications ensure adequate working clearances for cold box installation and maintenance. Helium venting capacity is safety-relevant (H-008, asphyxiation risk). | Inspection | validation-session-544 |
| VER-REQ-133 | Verify SUB-REQ-054: Inspect installed vacuum system equipment layout against as-built drawings. Count installed turbo-molecular pump count and verify cryopump configuration by physical inspection. Verify mechanical connections between vacuum equipment and tokamak support structure by inspection of installation records. Pass criterion: 12 turbo-molecular pumps installed and commissioned, cryopumps installed at divertor and first-wall ports as per design, all mechanical connections to tokamak support structure confirmed by installation certificate review. Rationale: Vacuum system physical configuration compliance is verifiable by inspection of installed equipment against design drawings. The 12 turbo-molecular pump count derives from pumping speed calculations for 50 m3/s aggregate throughput. Physical installation inspection is more reliable than test for configuration compliance. | Inspection | validation-session-544 |
| VER-REQ-134 | Verify SUB-REQ-055: Review structural analysis report for tokamak core assembly, superconducting magnet system, and cryogenic plant support systems. Verify seismic analysis inputs use site-specific ground motion spectra for OBE (0.1g peak ground acceleration) and SSE (0.2g). Verify analysis includes simultaneous LOCA and quench loading combination. Pass criterion: structural analysis report demonstrates all safety class-1 support structures maintain integrity at SSE loading with no plastic deformation at critical joints, combined LOCA and quench scenario analysed with margins meeting nuclear structural design standards. Rationale: Seismic structural integrity is verified by Analysis because physical seismic testing of full-scale tokamak structures is not practicable. The OBE 0.1g and SSE 0.2g values are site-specific inputs. Analysis must include the combined LOCA and quench scenario (H-009, SIL-3) because these events are coupled through common-cause seismic initiation. | Analysis | sil-3-supporting, validation-session-544 |
| VER-REQ-135 | Verify SUB-REQ-056: On a representative in-vessel cooling circuit test loop with passive decay heat removal path installed, simulate plasma termination by stopping active coolant circulation while maintaining 3 MW decay heat injection via electrical heaters. Measure coolant temperature and pressure over a 24-hour passive cooling period. Pass criterion: peak coolant temperature does not exceed 350 degrees C, system pressure remains within design envelope, natural circulation flow initiated and sustained without active components, all instrumentation remains powered from passive sources. Rationale: Passive decay heat removal is the primary H-004 (loss of coolant accident) mitigation following plasma termination. Test is mandatory for SIL-2 functions because natural circulation flow behaviour has strong non-linear dependence on geometry and temperature that analysis cannot bound conservatively. 350 degrees C is the maximum coolant temperature before zirconium-steam reaction risk for beryllium-clad components. | Test | sil-2-supporting, validation-session-544 |
| VER-REQ-136 | Verify SUB-REQ-057: During plasma operations commissioning, issue an operator-commanded end-of-pulse shutdown from the main control room at rated Q=5 conditions. Measure heating power ramp-down profile, plasma current ramp-down trajectory, and total plasma current at termination. Pass criterion: heating power ramped to zero within 30 seconds, plasma current ramped down to zero over 10 to 30 seconds per design, plasma current at final termination below 500 kA, no disruption triggered during the ramp-down sequence, vessel structural loads within design envelope. Rationale: Controlled plasma shutdown is the primary planned transition out of Steady-State Burn mode. Failure to execute a smooth ramp-down can trigger a disruption (H-001, SIL-3) with 400 MJ thermal quench. Test is required to verify the actual plasma response to the ramp-down sequence because plasma instability thresholds during current ramp-down are not precisely predictable from MHD analysis alone. | Test | sil-3-supporting, validation-session-544 |
| VER-REQ-137 | Verify SUB-REQ-058: During Tritium Plant operational qualification, simulate failure of each active accountancy and confinement component in turn (isotope separation compressor, CECE column heater, process valves). For each single failure, measure tritium accountancy measurement uncertainty and verify confinement barrier status. Pass criterion: tritium accountancy uncertainty remains at most 1 g per 24-hour period in each single-failure state, at least one confinement barrier intact for all single-failure scenarios, automatic isolation initiated for each failure detected. Rationale: Single-failure tolerance for tritium accountability and confinement is a SIL-3 requirement derived from H-002 (tritium release). The regulatory limit of 0.1 g release per event requires that a single component failure cannot cause loss of accountancy (which could mask a leak) or loss of both confinement barriers simultaneously. | Test | sil-3-supporting, regulatory, validation-session-544 |
| VER-REQ-138 | Verify SUB-REQ-059: During ISS integrated test, assert the hardwired manual override at the ISS panel interface and confirm all ISS process flows shut down and all isolation valves close. Verify the override path bypasses software control by disconnecting ISS control software while manual override is asserted and confirming isolation is maintained. Pass criterion: all ISS process flows halted within 30 seconds of manual override assertion, override path functional with software disconnected, physical panel switch confirmed as the sole command path for override. Rationale: Hardwired manual override is the last-resort tritium confinement action for operators when automated systems fail. Independence from software is essential for SIL-3 defense-in-depth. Demonstration verification is appropriate because the test is observational: either the manual override functions independently of software or it does not. | Demonstration | sil-3-supporting, validation-session-544 |
| VER-REQ-139 | Verify IFC-REQ-010: During integrated cryogenics and tritium plant commissioning, operate the LN2 supply interface at rated flow. Measure LN2 temperature at the Tritium Plant inlet and supply flow rate at the interface connection point. Pass criterion: LN2 supply temperature at 77 K plus or minus 2 K, flow rate meets Tritium Plant specification at rated demand, no cross-contamination between LN2 circuit and tritium process measured by gas analysis at both ends of interface. Rationale: LN2 supply at 77 K is required for Tritium Plant cold trap operation. Incorrect LN2 temperature degrades detritiation factor, risking tritium accountability loss (H-002). Cross-contamination check is essential because a tritium-contaminated LN2 circuit would create an uncontrolled release pathway. | Test | sil-3-supporting, validation-session-544 |
| VER-REQ-140 | Verify IFC-REQ-011: During integrated vacuum-tritium interface commissioning, operate the tritiated exhaust gas transfer path at rated throughput. Measure gas flow rate and composition at the vacuum system outlet and tritium plant inlet. Verify inter-system isolation valve closure on loss-of-confinement signal. Pass criterion: throughput at least 200 Pa.m3/s at rated condition, tritiated gas composition within specification for ISS intake, isolation valves close within 5 seconds of confinement loss signal. Rationale: Vacuum-to-tritium exhaust interface is the primary tritium process pathway during burn. Insufficient throughput limits fusion power; inadequate isolation on confinement loss creates H-002 release pathway. 200 Pa.m3/s is the rated DT exhaust throughput. 5 s isolation time is derived from maximum tolerable tritium inventory at-risk during an exhaust line failure. | Test | sil-3-supporting, validation-session-544 |
| VER-REQ-141 | Verify IFC-REQ-012: During plasma control-vacuum system integrated commissioning, inject test pumping speed setpoint commands from the Plasma Control System to the Vacuum System and measure response time and accuracy. Pass criterion: pumping speed setpoint received and acted on within 100 ms of command transmission, achieved pumping speed within 10% of commanded setpoint, command interface functional over the full operating range of vacuum conditions. Rationale: PCS control of vacuum pumping speed is required for plasma density control during burn. Response time of 100 ms is derived from the plasma confinement time and density control bandwidth needed to respond to ELM events. Test is required because interface latency depends on actual communication stack implementation and cannot be verified by inspection alone. | Test | validation-session-544 |
| VER-REQ-142 | Verify IFC-REQ-013: During plasma control-tritium plant integrated commissioning, inject test pellet injection rate commands from the Plasma Control System to the Tritium Plant pellet injector. Measure command latency and injection rate accuracy. Pass criterion: pellet injection rate command executed within 50 ms, achieved injection rate within 5% of commanded rate, command interface verified across the full pellet rate range. Rationale: PCS command of pellet injection rate is the primary fuel control mechanism during Steady-State Burn. 50 ms latency and 5% rate accuracy are derived from plasma density control requirements: larger lag or error can cause plasma density to drift outside the burn window, triggering density-limit disruption (H-001, SIL-3). Test is required as actual latency depends on network and actuator implementation. | Test | sil-3-supporting, validation-session-544 |
| VER-REQ-143 | Verify IFC-REQ-014: During magnet system commissioning at the magnet power supply test facility, energise TF coil set from zero to full rated field via the coil power supply interface. Measure DC voltage and current at the magnet busbars. Test fast discharge by commanding energy extraction and measuring dump resistor current profile. Pass criterion: DC power delivery meets rated voltage and current specification, fast discharge completed within 10 seconds of command, busbar voltage within 5% of specification throughout discharge. Rationale: Coil power supply to superconducting magnet interface is the primary H-003 (magnet quench) mitigation pathway. Fast discharge within 10 seconds is required to extract stored energy below the coil damage threshold. Test at full rated current is mandatory because impedance mismatch at the busbar connection cannot be predicted from design alone and affects discharge timing. | Test | sil-2-supporting, validation-session-544 |
| VER-REQ-144 | Verify IFC-REQ-015: Inspect all remote handling tools and manipulator end-effectors that operate inside the tritium confinement boundary against the tritium compatibility certification register. Verify surface coatings and sealing mechanisms by inspection. Check contamination control procedures documentation. Pass criterion: all tools confirmed on certified materials list, all penetrations of confinement boundary use double-seal mechanisms with leak test certification, contamination control procedures reviewed and approved. Rationale: RHS-tritium confinement boundary compatibility is verified by Inspection of material certifications and design documentation because tritium permeation through materials is a property established at manufacturing, not demonstrable without destructive sampling. Double-seal mechanisms are required by H-002 confinement barrier policy. | Inspection | sil-3-supporting, validation-session-544 |
| VER-REQ-145 | Verify IFC-REQ-016: During integrated cryogenics-vacuum commissioning, operate the cold head supply interface to vacuum cryopumps at rated capacity. Measure cold head temperature at the cryopump interface manifold for up to 20 cryopump positions. Verify cryopump regeneration cycle without interrupting cold head supply to remaining pumps. Pass criterion: 4.5 K cold heads supplied to all 20 cryopump positions at rated capacity, cryopump regeneration cycle completed without temperature excursion at other pump positions exceeding 0.2 K. Rationale: Cryogenic supply to vacuum cryopumps is required for maintaining divertor pumping speed during burn. Loss of cryopumping reduces vacuum quality and risks plasma contamination. The 0.2 K temperature stability during regeneration cycles verifies that cryopump regeneration does not disrupt plasma operations in adjacent sectors. | Test | validation-session-544 |
| VER-REQ-146 | Verify IFC-REQ-017: During PCS-RHS interlock commissioning, assert each hardwired interlock signal from the Plasma Control System that prevents Remote Handling System access during plasma operations. Verify physical access prevention and hardwired pathway independence from software. Pass criterion: all PCS interlock signals prevent RHS access when plasma operations are in progress, interlock path verified as hardwired and independent of software control layer by functional continuity test. Rationale: Hardwired prevention of RHS access during plasma operations is a personnel safety requirement: entry to the tokamak hall during burn would result in lethal neutron dose (H-010). Independence from software is required because software failures must not defeat this barrier. Demonstration is the appropriate method as the test is binary: access is prevented or it is not. | Demonstration | sil-1-supporting, validation-session-544 |
| VER-REQ-147 | Verify IFC-REQ-018: During facility commissioning, measure AC auxiliary power supply at all PCS-to-tokamak auxiliary supply connection points with all major loads active. Measure voltage, frequency, and power quality. Pass criterion: AC supply voltage within 5% of rated value at all connection points under full auxiliary load, frequency within 0.5 Hz of rated, power quality (THD) within BS EN 61000-3 limits, supply available within 30 seconds of grid restoration after outage. Rationale: Auxiliary AC supply from PCS to tokamak supports diagnostics, control systems, and cryogenic instrumentation during plasma operations. Supply quality affecting plasma diagnostics can trigger false disruption events. The 30-second restoration time after outage is required to avoid a plasma termination on loss of diagnostic power. | Test | validation-session-544 |
| VER-REQ-148 | Verify IFC-REQ-019: During grid connection commissioning, measure imported auxiliary AC power from the National Grid at the PCS station loads connection point with all plant auxiliary systems at full load. Verify power import capability across the range from minimum to maximum station load demand. Pass criterion: import power capability confirmed at maximum station loads demand, power quality at import connection point within Grid Code requirements, automatic transfer to on-site generation within 5 seconds of grid loss. Rationale: Grid import for station loads is required for plant commissioning before first plasma (no self-generation available). Automatic transfer to on-site generation on grid loss within 5 seconds ensures continued cryogenic cooling during grid disturbances (H-008 mitigation). Test at full load is required because transformer impedance and cable voltage drop cannot be calculated without site-specific grid impedance data. | Test | validation-session-544 |
| VER-REQ-149 | Verify IFC-REQ-020: During vessel bake-out commissioning, circulate hot nitrogen gas at rated conditions through the tokamak vessel via the Cryogenic Plant bake-out supply interface. Measure nitrogen gas temperature and flow rate at the vessel inlet and the outgassing rate from the vessel during bake-out. Pass criterion: nitrogen supply at 120 degrees C plus or minus 5 K at rated flow rate, vessel wall temperature uniform within 10 degrees C across all measured points, outgassing rate falls below 1e-3 Pa.m3/s within 96 hours of bake-out initiation. Rationale: Vessel bake-out is required to achieve the 1e-6 Pa base vacuum needed for plasma operations. Insufficient bake-out temperature or non-uniform wall heating can leave water ice in crevices that outgasses into the plasma, contaminating the first wall. Test is required because heat transfer in the complex vessel geometry cannot be precisely modelled. | Test | validation-session-544 |
flowchart TB n0["component<br>Real-Time Plasma Controller"] n1["component<br>Disruption Prediction and Mitigation Unit"] n2["component<br>Actuator Management System"] n3["component<br>Diagnostic Data Acquisition Front-End"] n4["component<br>Plasma Control Supervisor"] n3 -->|40+ diag signals 1kHz| n0 n0 -->|precursor data| n1 n0 -->|setpoints 1ms| n2 n1 -->|SPI trigger 10ms| n2 n4 -->|pulse plan/mode| n0
PCS — Internal Components
flowchart TB n0["component<br>First Wall and Blanket Module"] n1["component<br>Divertor Cassette Assembly"] n2["component<br>Vacuum Vessel and In-Vessel Structures"] n3["component<br>Plasma Heating and Current Drive System"] n4["component<br>Diagnostics and Measurement Systems"] n3 -->|50MW beam/RF power| n0 n0 -->|plasma exhaust| n1 n4 -->|plasma state 10Hz| n3 n0 -->|bred tritium| n2 n1 -->|neutral gas to pumping ports| n2
Tokamak Core Assembly — Internal Components
flowchart TB n0["component<br>Plasma Exhaust Processing System"] n1["component<br>Isotope Separation System"] n2["component<br>Tritium Storage and Delivery System"] n3["component<br>Blanket Tritium Extraction System"] n4["component<br>Atmosphere Detritiation System"]
Tritium Plant — Internal Components
flowchart TB n0["component<br>TF Coil Set"] n1["component<br>CS and PF Coil Set"] n2["component<br>Magnet Power Supply System"] n3["component<br>Magnet Quench Detection and Protection System"] n2 -->|DC power| n0 n2 -->|DC power| n1 n3 -->|voltage monitoring| n0 n3 -->|voltage monitoring| n1 n3 -.->|quench trip| n2
Superconducting Magnet System — Internal Components
flowchart TB n0["component<br>Turbomolecular Pump Array"] n1["component<br>Pressure Monitoring System"] n2["component<br>Leak Detection System"] n1 -.->|speed control| n0 n2 -->|helium monitor| n0
Vacuum System — Internal Components
flowchart TB n0["component<br>Helium Refrigeration System"] n1["component<br>Cryogenic Transfer Line Network"] n2["component<br>Helium Management System"] n3["component<br>Cryogenic Control System"] n0 -->|4.5K He supply| n1 n2 -->|200bar He gas| n0 n3 -.->|control/setpoints| n0
Cryogenic Plant — Internal Components
| Entity | Hex Code | Description |
|---|---|---|
| Activated Dust Explosion in Fusion Vessel | 06400211 | Hazard in STEP Fusion Power Plant: accumulation of beryllium and tungsten dust from plasma-surface interaction (erosion, sputtering). Dust is radioactive (activated), toxic (beryllium), and potentially explosive when dispersed in air. Air ingress event could create dust-air mixture exceeding lower explosive limit. Consequence: pressure pulse damaging vessel internals, mobilisation of radioactive/toxic material, breach of confinement barriers. |
| Actuator Management System | 51B57B18 | Coordination layer of the STEP Fusion Power Plant Plasma Control System. Receives setpoints from the Real-Time Plasma Controller and translates them into commands for gas puff valves (5 ms response), pellet injector, neutral beam injectors (100 ms response), electron cyclotron (ECRH) and ion cyclotron (ICRH) systems. Implements priority arbitration — disruption mitigation overrides heating in all cases. Monitors actuator health and feeds status back to controller. |
| Atmosphere Detritiation System | 55F71219 | Catalytic converter and molecular sieve drier units protecting occupied zones of the tritium plant building. Monitors tritium concentration in building atmosphere using ionisation chamber monitors (threshold 1e-5 Ci/m³). On high alarm, recirculates atmosphere through palladium catalyst beds (converts HT/DT to HTO/DTO) and driers. Achieves cleanup factor ≥100 in <4 hours. SIL 3 — final barrier protecting workers from tritium inhalation dose. |
| Blanket and Divertor Exchange Tooling | C6851058 | Standardised set of end-effectors, grippers, torque tools, and alignment jigs for blanket module removal/installation and divertor cassette exchange. Each blanket module weighs ~1.2 tonnes; divertor cassette ~2.8 tonnes. Tooling provides blind-mate hydraulic and electrical connectors, self-aligning kinematic mounts, and torque feedback for fastener drives. Qualification to ITER-equivalent handling standard. SIL 1: tool failure during blanket exchange causes coolant breach risk within the vessel. |
| Blanket Tritium Extraction System | 56D51018 | High-temperature purge gas system and tritium extraction loop for the lithium-ceramic blanket modules. Circulates helium purge gas at 200-300°C through breeding blanket to sweep bred tritium from Li2TiO3 or Li4SiO4 pebbles. Includes molecular sieve beds and palladium permeators to separate tritium from the helium stream. Output: purified tritium gas at 99.5% purity fed to Isotope Separation System at 5-10 mg/day during full-power operation. SIL 2 — upstream of double-containment boundary. |
| Commissioning mode of STEP Fusion Power Plant | 50B53A50 | Pre-operational testing and system integration: individual subsystem tests (magnets, vacuum, heating, cooling, tritium, diagnostics), integrated system tests with hydrogen and deuterium plasmas (non-nuclear), progressive power ramp-up, safety system validation. First plasma achieved with hydrogen only. Gradual introduction of deuterium, then D-T mixtures at increasing power. Entry: construction complete, regulatory licence granted. Exit: all commissioning milestones achieved, full-power D-T operation authorised. |
| Condenser and Cooling Water System | 56C51018 | Surface condenser rejecting ~280 MWth of waste heat from turbine exhaust steam, using either once-through seawater cooling or closed-cycle cooling towers depending on site. Condenser vacuum maintained at 0.04 bar by two steam ejectors and one liquid-ring vacuum pump. Includes inlet screening, chemical dosing, biofouling treatment, and corrosion monitoring. Cooling water flow: 8000 m³/hr nominal. Non-nuclear, no SIL requirement. |
| Cryogenic Control System | 55B77A18 | Distributed control and monitoring system for the fusion power plant cryogenic infrastructure. Executes automatic cool-down sequences (80K per stage controlled descent over 72 hours), steady-state regulation of magnet temperatures and refrigerator loads, quench event response (vent isolation, recovery initiation), and alarm management. Runs on a redundant PLC/SCADA platform with OPC-UA interface to the plant-wide Plasma Control System for interlocks. Monitors >2,000 cryogenic measurement points: temperatures (PT-100 and Cernox sensors), pressures (Pirani and capacitive gauges), flowmeters, and valve positions. Provides SCADA HMI for cryogenic operators and historian for trend analysis. SIL 2 rated for quench response and emergency isolation functions. |
| Cryogenic Cooling System Operation | 54F73A18 | System function of STEP Fusion Power Plant: provides helium refrigeration to cool superconducting magnets to 4.5K with ~80 kW cooling capacity, manages 50 tonnes liquid helium inventory, thermal shields at 80K, cool-down/warm-up cycles. Inputs: compressor power, helium supply. Outputs: 4.5K coolant to magnets, 80K shield cooling. Constraints: 2-week cool-down, 1-week warm-up, cryoplant availability >99%. |
| Cryogenic Helium Supply Infrastructure | 5E851018 | External infrastructure for STEP Fusion Power Plant: large-scale helium refrigeration plant providing ~80 kW cooling at 4.5K for superconducting magnets. Liquid helium inventory ~50 tonnes. Helium recovery and purification system. Interface with commercial helium supply for make-up. Critical availability requirement — loss triggers whole-plant shutdown. |
| cryogenic plant | DEC51018 | Physical cryogenic facility containing helium compressor trains, cold boxes, heat exchangers, liquid nitrogen pre-coolers, and cryogenic distribution manifolds. Operates at 4.5K with liquid helium and supercritical helium coolant. Physical plant with structural, material, and manufacturing requirements for cryogenic-grade steels, vacuum-jacketed pipework, and seismic qualification. Classifiable as a Physical Object with physical medium (liquid helium). |
| Cryogenic Plant | DE851018 | Physical cryogenic plant: discrete bounded building containing helium refrigerators, cold boxes, compressors, liquid helium storage dewars, and cryogenic distribution pipework. Physical material structure with defined footprint, weight, and connections. Not biological. Not virtual. |
| Cryogenic Transfer Line Network | CE851018 | Vacuum-jacketed cryogenic piping distribution network routing 4.5K liquid helium and 40-80K cold helium gas from the Helium Refrigeration System cold boxes to superconducting magnet cryostats, and liquid nitrogen at 77K to Tritium Plant and ancillary loads. Consists of bayonet couplings, flexible cryogenic hoses, isolation valves, and current leads (20kA HTS current leads with gas-cooled normal-conducting lower section). Network spans approximately 200m of installed pipe within the tokamak building. Key constraints: heat leak budget <10W per metre of transfer line, pressure withstand at 20 bar, seismic qualification to Site Design Acceleration level. |
| CS and PF Coil Set | DED53018 | Central Solenoid (6-module stack) and Poloidal Field coils (6 coils). CS uses Nb3Sn superconductor, PF coils use NbTi. CS provides inductive plasma drive (100 V·s flux swing) and plasma vertical position control. PF coils shape plasma equilibrium. Maximum field: CS 13 T, PF 6 T. Both at 4.5 K. SIL 2 — CS quench or PF power supply failure triggers plasma disruption. |
| Diagnostic Data Acquisition Front-End | 54A55218 | High-bandwidth signal conditioning and digitisation front-end for the STEP Fusion Power Plant Plasma Control System. Interfaces to 40+ plasma diagnostic sensor systems including Rogowski coils, flux loops, Thomson scattering, interferometers, and soft X-ray detectors. Sample rates 1-100 kHz per channel with sub-microsecond hardware timestamping for synchronised reconstruction. Provides noise isolation and surge suppression to protect controller hardware from EM interference generated by pulsed poloidal field coils. |
| Diagnostics and Measurement Systems | 54E57018 | Suite of 40+ plasma diagnostic instruments integrated into the Tokamak Core Assembly. Includes Thomson scattering for electron temperature/density, soft X-ray cameras for MHD mode identification, bolometers for radiated power, Mirnov coils for magnetic perturbations, and neutron flux monitors for fusion power. Each system requires calibrated access through limited diagnostic ports with radiation-hardened detectors operating in 10^6 rad/hour environments. |
| Disruption and Recovery Scenario | 41F63200 | Failure scenario for STEP Fusion Power Plant: during steady-state burn, locked mode develops from n=1 error field. Disruption mitigation system fires shattered pellet injection within 10 ms of detection. Thermal quench deposits 400 MJ to first wall — within design limits. Current quench generates 50 MN vertical force on vessel. Runaway electron beam avoided by pellet injection. Post-disruption: automated cooldown, structural health monitoring confirms no damage, vessel purged. 4-hour turnaround to next pulse attempt. |
| Disruption Prediction and Mitigation Unit | 51F77218 | Dedicated SIL-3 sub-module of the STEP Fusion Power Plant Plasma Control System. Monitors disruption precursor indicators (beta collapse, locked mode oscillation, n=1 Mirnov signal) at 5 kHz on FPGA-based processing hardware. Triggers massive material injection (shattered pellet injection system) within 10 ms of detection threshold crossing. Operates in parallel with the Real-Time Plasma Controller without shared execution path. Diverse implementation to avoid common-cause failure. |
| Divertor Cassette Assembly | CE851018 | Modular tungsten and CFC armour cassettes at the bottom of the plasma vessel handling plasma exhaust. Each cassette handles peak heat flux of 10-20 MW/m2 under ELM and disruption loading. Coolant circuits in CuCrZr heat sink remove up to 8 MW per cassette. 18-24 cassettes around poloidal perimeter, all remotely replaceable through lower maintenance ports. Key I/O: pumped limiter for neutral gas, tritium exhaust to vacuum system. |
| Electrical Power Conversion and Export | 54F73A18 | System function of STEP Fusion Power Plant: converts thermal power to electricity via steam turbine-generator, manages power conditioning for 400 kV grid export and internal distribution to ~65 MW of auxiliary loads (magnets, heating, cryogenics, control). Inputs: ~500 MW steam from heat exchangers. Outputs: ≥100 MW net to grid at 400 kV, auxiliary power distribution. Constraints: Grid Code compliance, 50 Hz ±0.5 Hz, THD <3%. |
| Emergency Shutdown mode of STEP Fusion Power Plant | 40F53A10 | Uncontrolled plasma termination (disruption) or triggered fast shutdown: plasma instability (vertical displacement event, thermal quench, current quench) dumps up to 1 GJ thermal energy into first wall and divertor in <50 ms. Runaway electron beam possible at >10 MeV. Fast magnet discharge to prevent quench propagation. Emergency tritium containment activated — building ventilation isolation, detritiation systems. Electromagnetic forces up to hundreds of MN on vessel structures. Entry: disruption detection system trigger or manual emergency stop. Exit: plasma terminated, structural inspection required, radiological survey before re-entry. |
| Feedwater and Balance of Plant System | 56D53218 | Feedwater pumps, deaerator, low-pressure and high-pressure feedwater heaters, and auxiliary services restoring condensate from 0.04 bar to 16 MPa feedwater pressure for return to steam generators. The regenerative feedwater heating train extracts steam at 5 bleeds from the turbine to improve Rankine cycle efficiency from ~32% to ~38%. Includes chemical dosing for pH control (all-volatile treatment), sampling, and condensate polishing. Non-nuclear, SIL 0, but essential for cycle efficiency and steam generator lifetime. |
| First Wall and Blanket Module | CEC51010 | Actively cooled tungsten/EUROFER first wall panels and tritium breeding blanket modules lining the plasma-facing interior of the STEP tokamak. Receives neutron flux up to 1 MW/m2 and peak surface heat flux of 5-10 MW/m2. Coolant channels carry pressurised water or helium at 300-500 degrees C. Key outputs: tritium bred from Li6 in blanket, decay heat to cooling circuit. Constrains: radiation damage limit 20 dpa before remote handling replacement. |
| Full-Power Burn Scenario | 50F53218 | Normal operations scenario for STEP Fusion Power Plant: shift supervisor and 4 control room operators monitor a 6-hour burn pulse. Pellet injector maintains fuel mix, divertor heat flux stable at 8 MW/m2, net 100 MW to grid. Plasma control system handles ELM pacing, sawtooth control, and position feedback. Tritium plant processes exhaust gas, separates isotopes, refuels. Mid-pulse: minor NTM detected, stabilised by targeted ECCD. End of pulse: orderly ramp-down per schedule. |
| Fusion Plant Control Room Operator | 01AD72F9 | Primary operational stakeholder of STEP Fusion Power Plant: licensed operators monitoring plasma parameters, heating systems, and plant safety from the main control room. Responsible for pulse initiation, supervision of automated plasma control, manual intervention during off-normal events, and orderly shutdown. 4 operators per shift, 24/7 coverage. Requires fusion-specific training on plasma physics, disruption response, and tritium safety. |
| fusion power plant | DEC51019 | A large physical facility: discrete bounded structure with foundations, walls, roof and equipment installed inside. Physical installation containing superconducting magnets (physical steel structures), vacuum vessel (physical steel vessel), turbine hall (physical building), heat exchangers (physical equipment). Has physical weight, dimensions, and material construction. Occupies a definite physical location in 3D space with a measurable footprint. |
| Fusion-grade Vacuum System Environment | 40852800 | Operating environment constraint for STEP Fusion Power Plant: ultra-high vacuum (UHV) <1e-6 Pa in tokamak vessel volume ~1000 m3. Must maintain base pressure after bake-out at 200°C. Plasma-facing surface outgassing, helium ash removal via divertor pumping. All in-vessel materials must be UHV-compatible. Leak rate specification <1e-9 Pa·m3/s per seal. |
| Grid Interface and Electrical Switchgear | D6F53858 | Step-up transformer (generator step-up transformer, 400 kV/22 kV, 120 MVA), HV switchgear bay, protection relays (overcurrent, differential, distance), and metering equipment connecting the turbine-generator to the national grid. Provides grid synchronisation, islanding detection, reactive power compensation (capacitor banks ±30 MVAR), and grid code compliance monitoring. SIL 1 designation because rapid uncontrolled disconnection from grid during fault could cause turbine overspeed and bearing damage. |
| Grid Transmission Operator | 00A53AF8 | External stakeholder of STEP Fusion Power Plant: National Grid ESO managing the electrical grid connection. Receives ~100 MW during burn pulses, must handle pulsed power profile (hours-long pulses with inter-pulse gaps). Requires compliance with Grid Code, frequency response obligations, fault ride-through capability, and advance scheduling of pulse operations. |
| Helium Management System | 51973218 | Helium gas storage, purification, compression, and recovery system for the fusion power plant cryogenic infrastructure. Provides high-pressure helium gas (200 bar) buffer storage for refrigerator compressor suction, captures and recovers boil-off helium from warm-up events and magnet quench discharges (up to 200m³ STP per quench event), purifies helium to ≥99.999% purity via activated charcoal cold traps and molecular sieve adsorbers, and liquefies recovered gas in a 5,000L liquid helium dewar. Includes oil removal adsorbers on compressor outlets and moisture analyser. System must recover ≥95% of helium from any single quench event within 2 hours. |
| Helium Refrigeration System | 57D73218 | Industrial-scale helium refrigeration system providing 4.5K supercritical helium coolant to superconducting magnet cryostats in a spherical tokamak fusion power plant. Consists of two independent cold box trains each with oil-free screw compressors, counterflow heat exchangers, JT valves, and turbine expanders. Each train provides minimum 8kW at 4.5K and 50kW at 40-80K for magnet thermal shields. Key inputs: high-pressure helium gas from recovery system; outputs: 4.5K LHe and 40-80K He gas to transfer line network. Operating environment: dedicated cryogenic hall with 10-20m tall cold boxes, helium purity ≥99.999% (< 1 ppm contaminants). Cool-down rate constrained to <5K/hour to avoid thermal shock to HTS coils. |
| In-Vessel Inspection and Maintenance Manipulator | D7E47018 | Multi-axis robotic manipulator arm operating inside the STEP tokamak vacuum vessel in high-radiation, high-temperature environment (300°C surface temp, 10^6 Gy total dose). Provides 6-DOF positioning with ±1mm precision for blanket module replacement and divertor cassette exchange. Deployed through equatorial port using carrier vehicle. Key I/O: position commands from RH Control Suite, force/torque feedback, camera feeds. Qualified to SIL 1 — loss of manipulation capability results in extended maintenance outage but no safety-critical hazard. |
| In-Vessel Viewing and Monitoring System | 54E55018 | Network of radiation-hardened cameras (up to 10^7 Gy qualified), LED lighting arrays, and fibre-optic endoscopes providing visual coverage of in-vessel components during remote operations. Minimum 12 fixed cameras plus 2 articulated pan-tilt cameras on maintenance carrier. Delivers stereo HD video at 30fps with <200ms latency to the RH Control Suite. Also performs thermographic inspection via IR cameras to detect hot spots on blanket tiles after plasma operations. |
| Isotope Separation System | 55973219 | Cryogenic distillation column cascade for separation of hydrogen isotopologues (H2, HD, HT, D2, DT, T2) from the DT fuel cycle. Processes input stream from Plasma Exhaust Processing System and Blanket Tritium Extraction System. Produces high-purity DT fuel product (>99.9% purity, D:T ratio 50:50 ± 2%) and depleted hydrogen waste stream. Operating temperature 20-24 K at column pressures up to 0.3 MPa. Throughput: 200 Pa·m³/s DT equivalent. SIL 3 — primary tritium processing system. |
| Loss of Coolant Accident in Fusion Plant | 40050211 | Hazard in STEP Fusion Power Plant: rupture or leak in primary or secondary cooling circuit (helium or water). In-vessel LOCA: coolant ingress into vacuum vessel during operation — steam/hydrogen generation if water-cooled, pressure spike, potential chemical reactions with hot plasma-facing materials (beryllium, tungsten). Ex-vessel LOCA: loss of decay heat removal capability after shutdown, component overheating. Consequence: structural damage, potential tritium mobilisation from co-deposited layers, activation product release. |
| Loss of Cryogenic Cooling | 00050219 | Hazard in STEP Fusion Power Plant: failure of helium refrigeration system supplying 4K cooling to superconducting magnets. Without cooling, magnets warm above critical temperature triggering quench of entire magnet system. Large-scale helium release (~tonnes of liquid helium) into magnet cryostat and potentially into the building — oxygen displacement asphyxiation risk for personnel. Consequence: cascading magnet quench, plasma disruption, potential structural damage, building evacuation. |
| Loss of Vacuum — air ingress to vessel | 00410211 | Hazard in STEP Fusion Power Plant: uncontrolled air ingress into the tokamak vacuum vessel through port seal failure, diagnostic window breach, or cooling pipe rupture. Air reacts exothermically with hot beryllium first-wall tiles (Be + N2/O2) producing beryllium oxide aerosol — toxic and radioactive. Consequence: mobilisation of activated dust (beryllium, tungsten), potential hydrogen generation, tritium release via oxidation of co-deposited T-layers, vessel contamination requiring extensive cleanup. |
| Magnet Power Supply System | 54F53018 | Thyristor-based DC power supplies providing controlled current to TF (68 kA), CS (45 kA), and PF coils (10-45 kA each). Fast discharge units with 10 ms switching capability for plasma control. Bus bar distribution rated for cryogenic operation. Voltage-current regulation to 0.01%. Interfaces with PCS for real-time current setpoints via IFC-REQ-014. SIL 1 at steady state; SIL 2 during PF fast discharge for disruption mitigation. |
| Magnet Quench Detection and Protection System | 55F77218 | Voltage-tap and resistive bridge detection system monitoring all superconducting coils for quench onset. Detects quench voltage signature (>100 mV threshold) within 10 ms. Initiates quench heaters and dump resistors to safely dissipate stored energy (40 GJ total). Active Quench Protection (AQP) board processes signals in 1 ms. SIL 2 — failure to detect results in conductor hot-spot temperature exceeding 300 K causing coil damage. |
| National Electrical Grid Connection | 50C57A58 | External interface for STEP Fusion Power Plant: 400 kV grid connection via dedicated substation. Exports ~100 MW net during burn. Imports ~50 MW for plant auxiliaries and magnet systems during non-burn periods. Must comply with UK Grid Code for frequency response, reactive power, fault ride-through. Pulsed power profile requires grid operator coordination. |
| Neutron Streaming through Penetrations | 04400011 | Hazard in STEP Fusion Power Plant: 14.1 MeV fusion neutrons streaming through diagnostic ports, maintenance ports, neutral beam injection ducts, and other penetrations in the biological shield. Inadequate shielding or labyrinth design allows radiation dose rates in occupied areas to exceed limits. Consequence: worker radiation exposure exceeding annual dose limits (20 mSv), regulatory shutdown, potential long-term health effects. |
| Nuclear Safety Regulator | 00857AFD | Regulatory stakeholder of STEP Fusion Power Plant: the Office for Nuclear Regulation (ONR) responsible for licensing and oversight of the facility. Approves safety case, sets dose limits, inspects operations, investigates incidents. Unique challenge: fusion regulatory framework is evolving — STEP may be first fusion facility requiring full nuclear site licence. Key concerns: tritium inventory, activated waste, worker dose, emergency planning zone. |
| Planned Maintenance Campaign Scenario | 40843218 | Maintenance scenario for STEP Fusion Power Plant: after 6-month operational campaign, plant enters scheduled maintenance. Tritium inventory removed to storage. Vessel purged and atmosphere established. Remote handling system deployed through equatorial maintenance ports. Divertor cassettes extracted (8 units, ~5 tonnes each), transported to hot cell via cask. Replacement cassettes installed. Blanket modules inspected in-situ by remote cameras. One module flagged for replacement — additional 3-week task. Total campaign: 4 months. Re-commissioning: vacuum leak test, magnet cool-down (2 weeks), integrated checks, first hydrogen plasma. |
| Planned Shutdown mode of STEP Fusion Power Plant | 40B43A10 | Controlled plasma termination: auxiliary heating power ramped down, plasma current reduced via controlled ramp-down over 10-30 seconds, fuel injection ceased, plasma density allowed to decay. Residual heat removal systems activated. Magnets de-energised in controlled sequence. Vacuum vessel purged of residual tritium. Coolant loops transition to decay heat removal mode. Entry: operator command or end-of-pulse schedule. Exit: plasma terminated, vessel in safe standby. |
| Plasma Confinement and Heating | 50F53208 | System function of STEP Fusion Power Plant: confines deuterium-tritium plasma at ~150 million K using 3-4T toroidal magnetic field from HTS superconducting magnets and additional poloidal field shaping. Inputs: magnetic field configuration, auxiliary heating power (NBI, ECCD ~100 MW), fuel pellets. Outputs: sustained fusion reaction at Q≥5, 14.1 MeV neutron flux ~1e18 n/m2/s, alpha particle self-heating. Constraints: plasma current ≥10 MA, ELM and NTM instability control, disruption avoidance. |
| Plasma Control and Safety Interlock | 55F77A18 | System function of STEP Fusion Power Plant: real-time feedback control of plasma position, shape, density, and heating power at ≥1 kHz; monitors MHD stability; commands disruption mitigation within 10 ms; manages all safety interlocks for seismic trip, radiation, vacuum breach. Inputs: magnetic diagnostics, interferometry, ECE, spectroscopy. Outputs: coil current commands, heating actuator commands, gas valve commands, safety trip signals. Constraints: SIL 3 for safety functions, deterministic latency <1 ms for inner loop. |
| Plasma Control Supervisor | 51B57B18 | Supervisory software layer of the STEP Fusion Power Plant Plasma Control System. Manages pulse programming, mode transitions (startup, burn, shutdown), interlock logic, and operator interfaces. Runs on a separate non-realtime server with 1-second update cycle. Receives pulse plan from the operations team, validates constraints, arms the real-time controller, and monitors for out-of-spec conditions. Initiates controlled shutdown via the Real-Time Plasma Controller when operator or automated trigger fires. |
| plasma control system | 51F73A18 | |
| Plasma Disruption — uncontrolled termination | 04540200 | Hazard in STEP Fusion Power Plant during Steady-State Burn: magnetohydrodynamic instability causes rapid loss of plasma confinement. Thermal quench deposits up to 1 GJ onto first wall and divertor in <1 ms. Current quench generates massive electromagnetic forces (hundreds of MN) on vessel and coil structures. Vertical displacement event drives plasma into upper or lower vessel wall. Consequence: first wall erosion/melting, structural fatigue, potential vacuum breach, coolant ingress. Frequency: expected multiple times per operational campaign. Mitigation: disruption prediction, massive gas injection, shattered pellet injection. |
| Plasma Exhaust Processing System | D5D71018 | Vacuum pump train and chemical processing unit that receives unburnt deuterium-tritium exhaust gas from the tokamak divertor. Processes up to 200 Pa·m³/s throughput at pressures from 10^-3 Pa to 10^5 Pa. Separates hydrogen isotopes from helium ash and impurities using palladium diffusion membranes and cryosorption beds. Transfers purified DT stream to Isotope Separation System. SIL 3 — tritium confinement boundary component. |
| Plasma Heating and Current Drive System | 54F53218 | Combined neutral beam injection (NBI) and electron cyclotron resonance heating (ECRH) system providing 50 MW of auxiliary plasma heating and current drive for the STEP tokamak. NBI unit uses negative-ion sources producing 1 MeV deuterium beams injected tangentially. ECRH array uses gyrotrons at 170 GHz launching microwave power via corrugated waveguide. Together these systems heat the plasma to ignition temperature (100-150 million K) and drive bootstrap current fraction. |
| Plasma Startup mode of STEP Fusion Power Plant | 56F53210 | Plasma initiation and current ramp-up phase: cryogenic magnets cooled to 4K, vacuum vessel evacuated to <1e-6 Pa, gas puff of deuterium, breakdown via electron cyclotron resonance heating, plasma current ramped from 0 to ~10 MA over 30-60 seconds via central solenoid flux swing, auxiliary heating systems engaged sequentially (neutral beam injection, ion cyclotron resonance). Entry: all pre-pulse interlocks satisfied. Exit: plasma reaches Q>1 burn conditions. Operators monitor from main control room with automated feedback control. |
| power conversion system | DED51018 | The Power Conversion System (PCS) is the physical plant that extracts thermal energy from the tokamak breeding blanket and converts it to electricity. It comprises steam generators, turbine stages, condensers, feedwater pumps, and heat exchangers installed in the turbine hall building. Operating at steam temperatures ~550°C with primary coolant inlet at ~300°C. Interfaces with the tokamak vacuum vessel coolant loops and the 400kV grid connection. Physical assembly of pressure vessels, piping, turbomachinery and electrical generators. |
| Power Conversion System | DEC51018 | Physical power conversion subsystem of STEP fusion power plant. Comprises steam generators, high-pressure and low-pressure turbines, condensers, feedwater pumps, and synchronous generators physically installed in the turbine hall building. A discrete, bounded physical installation with measurable weight, dimensions, and thermal mass. Converts thermal power from the fusion blanket to electricity via Rankine cycle. |
| Radiation Protection Adviser | 00857AF9 | Safety stakeholder of STEP Fusion Power Plant: responsible for radiological protection of workers and public. Manages ALARP assessments, sets controlled/supervised area boundaries, monitors personal and area dosimetry, approves work plans in activated areas, oversees environmental discharge monitoring. Reports to ONR on dose records. |
| Radiation Protection System | 4CA53859 | Subsystem of STEP Fusion Power Plant: biological shield (≥2m concrete equivalent around tokamak), localised shielding at penetrations, area radiation monitoring (gamma, neutron dose rate), personal dosimetry system, contamination monitoring, environmental discharge monitoring (stack monitors, liquid effluent samplers), interlocked access control for radiation zones, building ventilation/HVAC with HEPA filtration and detritiation for contaminated zones. |
| Radiation Shielding and Confinement | 48853859 | System function of STEP Fusion Power Plant: biological shielding (≥2m concrete equivalent), neutron streaming prevention at all vessel penetrations, tritium double-barrier containment, ventilation with HEPA and detritiation for contaminated zones. Inputs: neutron source term, tritium inventory, area classification. Outputs: dose rates in occupied areas <10 µSv/hr, tritium containment, filtered discharges. Constraints: ALARP, IRR17, EPR limits. |
| Real-Time Plasma Controller | 51F77208 | Core real-time computer of the STEP Fusion Power Plant Plasma Control System. Runs Grad-Shafranov equilibrium reconstruction and MHD stability assessment at 1 kHz on a deterministic RTOS (VxWorks or EPICS-RT). 64-core NUMA architecture with hardware timestamping. Ingests magnetic, kinetic, and spectroscopic diagnostic signals from 40+ sensor channels at 1 kHz. Outputs actuator commands with end-to-end latency under 1 ms. Dual-redundant for SIL-3. UPS-backed with 30-second ride-through. |
| Remote Handling Control Suite | 54ED7108 | Operator workstation suite for teleoperating all remote handling equipment. Provides stereo video feeds from 12 in-vessel cameras, haptic joystick interface, 3D rendered virtual environment (CAD overlay at <50ms latency), and automated sequence execution. Monitors equipment health (motor current, joint limits, cable tension). Located in the remote handling control room outside the biological shield. SIL 1: operator error with inadequate feedback could lead to component collision and extended downtime. |
| Remote Handling Engineer | 008532F9 | Maintenance stakeholder of STEP Fusion Power Plant: engineers operating remote handling systems from a shielded control room to perform in-vessel maintenance. Design, plan, and execute replacement of highly activated components (divertor cassettes, blanket modules, diagnostics). Interface with hot cell operations. Require real-time force/torque feedback, 3D visualisation, and collision-avoidance systems. Critical path for plant availability. |
| Remote Handling System | DDE53019 | Subsystem of STEP Fusion Power Plant: articulated boom manipulators for in-vessel operations through horizontal and vertical ports, divertor cassette handling tools, blanket module handling tools, in-bore inspection tools, hot cell with master-slave manipulators and automated cutting/welding stations. Component transfer cask system between vessel and hot cell. Waste packaging and interim storage handling. All operations in >10 Sv/hr radiation field, 2 mm positioning accuracy required. |
| Remote Handling Transfer Cask | CE851059 | Shielded transport container for radioactive in-vessel components (blanket modules, divertor cassettes) weighing up to 4.6 tonnes. Provides biological shielding (≥2 Sv/hr reduction) and contamination control during transfer between tokamak port and hot cell facility. Interfaces with port interlock system, overhead crane (SWL 50t), and hot cell docking collar. Radiation inventory in transported components drives SIL 1 rating — improper transfer could expose personnel above occupational dose limits. |
| Remote Maintenance and In-Vessel Handling | 51A53218 | System function of STEP Fusion Power Plant: robotic replacement of activated in-vessel components (divertor cassettes, blanket modules, diagnostics) using articulated manipulators operating through access ports. Hot cell operations for component inspection, repair, and waste packaging. Inputs: maintenance schedule, component specifications. Outputs: replaced components, refurbished assemblies. Constraints: 2 mm positioning accuracy, 4-month campaign, >10 Sv/hr environment, fully remote. |
| Remote Maintenance mode of STEP Fusion Power Plant | 51853A18 | In-vessel and ex-vessel maintenance performed entirely by remote handling systems due to neutron activation (contact dose rates >10 Sv/hr on in-vessel components after extended operation). Robotic arms insert through maintenance ports to replace divertor cassettes, blanket modules, and diagnostics. Hot cell facilities for component inspection, refurbishment, and waste packaging. Typical maintenance campaign: 2-6 months between operational periods. Entry: plasma terminated, vessel cooled, tritium inventory removed. Exit: leak testing, interlock verification, re-commissioning checks complete. |
| Runaway Electron Beam | 04400200 | Hazard in STEP Fusion Power Plant during disruption: during current quench, high electric field accelerates electrons to relativistic energies (>10 MeV), forming a concentrated beam carrying up to several MA. Beam impacts first wall at a localised point, depositing energy equivalent to melting/ablating several cm of tungsten or steel. Consequence: deep erosion or perforation of first wall, potential coolant channel breach, activation product mobilisation. No reliable passive mitigation — requires active detection and beam dispersal. |
| Seismic Emergency Scenario | 00B73A10 | Emergency scenario for STEP Fusion Power Plant: seismic sensors detect ground acceleration exceeding OBE threshold (0.1g). Automatic fast plasma shutdown initiated within 100 ms. Magnets discharged to dump resistors. All coolant isolation valves close. Building enters seismic isolation mode. Control room operators verify safe state via hardwired instrumentation. Post-event inspection: remote visual inspection of in-vessel components, leak testing of all primary boundaries, structural assessment of magnet supports. Estimated recovery: 2-4 weeks if no damage found. |
| Seismic Event affecting Fusion Plant | 00040259 | Hazard in STEP Fusion Power Plant: earthquake exceeding design basis causes relative displacement between vacuum vessel and magnet system, rupture of cryogenic and coolant pipework, loss of precision alignment of plasma-facing components. Consequence: simultaneous LOCA, magnet quench, tritium release, structural damage. Safe shutdown earthquake (SSE) must be defined for the site. |
| Steady-State Burn mode of STEP Fusion Power Plant | 55F73218 | Sustained D-T fusion operation at full power: plasma temperature ~150 million K, density ~1e20 ions/m3, confinement time sufficient for Q>=5. Tritium bred in lithium blanket at TBR>=1.1. Heat extracted via primary coolant loop (helium or water) driving turbine-generator at ~100 MW net electrical. Continuous fuelling via pellet injection. Divertor handles ~10 MW/m2 heat flux. Plasma position and shape maintained by real-time feedback control of poloidal field coils. Duration: hours to days per pulse, target quasi-steady-state. Operators monitor key parameters; automated systems handle perturbations within envelope. |
| Steam Generator and Heat Transfer System | DED53018 | Primary heat exchangers converting fusion thermal power from the water-cooled plasma-facing components and breeding blanket (first wall outlet at ~300°C, 15 MPa) to secondary steam at 525°C/16 MPa. Comprises 4 shell-and-tube steam generators (each rated 150 MWth) plus a dedicated pressuriser. The steam generators are the interface between the nuclear island (primary coolant) and the conventional steam cycle (secondary). SIL 1 — loss of heat transfer causes blanket overtemperature but primary safety function is covered by decay heat removal system (SIL 3). |
| step fusion power plant | DEC51019 | STEP (Spherical Tokamak for Energy Production) fusion power plant. Physical installation on a dedicated site comprising multiple buildings: tokamak hall, fuel cycle facility, turbine hall, electrical switchgear building. Uses magnetic confinement fusion of deuterium-tritium plasma — a physics-based nuclear process with no biological or biomimetic elements. Physical structure with steel and concrete construction, physical equipment, and regulated nuclear site boundary. |
| STEP Fusion Power Plant | 5ED53219 | Spherical Tokamak for Energy Production (STEP) — a demonstration fusion power plant using a compact spherical tokamak design to achieve net electricity generation. Deuterium-tritium plasma confined by superconducting magnets at temperatures exceeding 100 million degrees Celsius. Breeds its own tritium fuel from lithium blankets. Generates ~100 MW net electrical power to the grid. Operates in a nuclear-regulated environment with tritium inventory, neutron activation, and remote maintenance requirements. First-of-kind facility bridging the gap between experimental fusion devices (JET, ITER) and commercial power stations. |
| Superconducting Magnet Quench | 00540200 | Hazard in STEP Fusion Power Plant: sudden loss of superconductivity in toroidal or poloidal field coils storing ~50 GJ magnetic energy. Local hot spot triggers resistive transition propagating through winding pack. Stored energy converts to heat — risk of coil damage, helium boil-off (rapid cryogen release), structural damage from thermal stress and electromagnetic forces. Consequence: loss of plasma confinement (disruption), potential coil replacement (months of downtime), pressure vessel overpressure from helium vaporisation. |
| Superconducting Magnet System | 56D57018 | |
| Superconducting Magnet System Operation | 54F53218 | System function of STEP Fusion Power Plant: generates and maintains toroidal field (3-4T at plasma centre) and poloidal field for plasma equilibrium using HTS (REBCO) superconducting coils at 4.5K. Includes central solenoid for plasma initiation, quench detection and protection (50 GJ stored energy). Inputs: cryogenic cooling, power supplies. Outputs: magnetic field configuration, quench detection signals. Constraints: field ripple <1%, quench discharge <30s, hot-spot <300K. |
| TF Coil Set | CEC51018 | 18 D-shaped toroidal field coils wound with Nb3Sn superconductor. Each coil generates 3.0 T on axis. Maximum field at conductor 12-13 T. Operating temperature 4.5 K. Stored magnetic energy 40 GJ (total). Coils housed in steel casing with ground insulation. Quench detection based on voltage imbalance. SIL 2 — uncontrolled quench can cause structural damage to coil and vacuum vessel. |
| Thermal Power Extraction | 40D53218 | System function of STEP Fusion Power Plant: captures 14.1 MeV neutron energy and alpha particle heat in breeding blankets and divertor, transfers thermal energy via primary coolant loops (lithium-lead or helium) to steam generators. Inputs: neutron flux, plasma radiation, alpha heating. Outputs: ~500 MW thermal power to steam cycle, bred tritium. Constraints: first wall heat flux ≤10 MW/m², blanket outlet temperature ≥500°C for efficient conversion. |
| Tokamak Core Assembly | DE851010 | Central subsystem of STEP Fusion Power Plant spherical tokamak: plasma vessel (~1000 m³ volume), first wall (tungsten-clad), divertor (8 cassettes handling ~150 MW exhaust heat), breeding blanket modules (lithium-lead/ceramic breeder), in-vessel diagnostics ports. Houses the plasma and absorbs 14.1 MeV neutron flux. Operates at UHV (<1e-6 Pa), bake-out to 200°C, neutron wall loading ~2 MW/m². Interfaces with magnets (external), vacuum system, cooling loops, remote handling ports. |
| Tritium Fuel Cycle Management | 40F73A19 | System function of STEP Fusion Power Plant: processes exhaust gas from divertor, separates hydrogen isotopes (H/D/T), stores tritium, breeds tritium in lithium blanket, and re-injects fuel pellets. Inputs: divertor exhaust gas, bred tritium from blanket, pellet specifications. Outputs: fuel pellets at correct D:T ratio, tritium inventory accounting, waste gas for detritiation. Constraints: TBR≥1.1, processing time ≤4 hours, tritium inventory ≤3 kg on-site, double containment. |
| tritium plant | DE851019 | Physical tritium fuel cycle facility containing processing vessels, isotope separation columns, storage beds, atmosphere detritiation systems, and exhaust treatment stacks. Handles tritium gas at multi-gram inventory levels within dual containment barriers. Physical plant with significant material and structural requirements for radiation shielding, seismic qualification, and leak-tight construction under IEC 61511 and ONR site licence. |
| Tritium Plant | 52953218 | Subsystem of STEP Fusion Power Plant: closed tritium fuel cycle processing. Tokamak exhaust processing (TEP) with palladium membrane reactors, isotope separation system (ISS) using cryogenic distillation, tritium storage in metal hydride beds (uranium or ZrCo), fuel injection system (frozen pellet injector, gas puff valves), detritiation system for building atmosphere. Processes ~250 g T/day. On-site inventory ≤3 kg. Double-glove-box containment throughout. Tritium accountability to ±0.1 g. |
| Tritium Plant Operator | 010D3AF9 | Operational stakeholder of STEP Fusion Power Plant: specialists operating the tritium processing plant — isotope separation, storage, accountability, fuelling systems, detritiation, and waste processing. Handle the full tritium fuel cycle from breeding blanket extraction to pellet injection. Subject to ALARP dose constraints and specific tritium handling certification. |
| Tritium Processing Malfunction Scenario | 00141211 | Degraded operations scenario for STEP Fusion Power Plant: primary isotope separation column develops a leak detected by room tritium monitors. Automatic isolation of affected processing line. Plant continues burn on reduced tritium throughput — power reduced to 60 MW. Tritium plant operators in protective equipment perform remote isolation and repair. Secondary detritiation system captures released tritium. Repair completed within shift — full power resumed. Total release: <0.1 g tritium, within operational limits. |
| Tritium Release to Environment | 02400255 | Hazard in STEP Fusion Power Plant: uncontrolled release of tritium (radioactive hydrogen isotope, T1/2=12.3 years, beta emitter) from the tritium processing plant, vacuum vessel, or coolant systems to the environment. Plant tritium inventory ~1-3 kg, biological hazard via inhalation or skin absorption. Consequence: radiological exposure to workers and public, regulatory violation, environmental contamination. Could result from double-barrier failure (vacuum vessel + containment building), tritium plant pipe rupture, or loss of detritiation system. |
| Tritium Storage and Delivery System | DE953019 | Metal hydride storage beds and gas handling manifolds for tritium and deuterium inventory management. Stores up to 100 g tritium equivalent in getter beds (uranium or ZrCo alloy at 20°C for storage, 300°C for release). Provides controlled DT fuel delivery to Isotope Separation System and gas puffing valves at the tokamak. Accountancy function: tracks tritium inventory to ±0.1 g per batch, ≤1% annual uncertainty. Double-containment boundary required. SIL 3. |
| Turbine-Generator Set | DFF53218 | Tandem compound steam turbine (high-pressure + low-pressure stages) driving a synchronous AC generator rated 120 MVA, 400 kV output. The turbine nominally processes 450 kg/s of steam at 525°C/16 MPa inlet, exhausting to condenser at 0.04 bar. Includes governor valve control for load following (±20% load swing in <30s), turning gear, and automatic turbine run-up sequencer. Delivers ≥100 MW net electrical output to grid connection point. Non-safety classified (SIL 0) but operationally critical for plant revenue. |
| Turbomolecular Pump Array | D6D51218 | Array of 12 turbomolecular pumps (10,000 L/s each) positioned on lower ports of STEP tokamak. Primary pumping element maintaining plasma vessel pressure below 1e-6 Pa. Backed by rough pumps; discharges via torus exhaust to isotope separation system. Operates during plasma and dwell phases. Cold-cathode gauge feedback controls pump speed. |
| vacuum system | DE851018 | Physical vacuum pumping facility comprising turbomolecular pumps, cryopumps, roughing pumps, cryo-panels, and vacuum manifolds installed on the tokamak machine. Physical system with structural requirements for leak-tight welded construction, pump-down performance, and seismic qualification. Operates at pressures from atmosphere down to 1e-6 Pa in the torus. Discrete physical object integrated into the tokamak building structure. |
| Vacuum System | 54873018 | Subsystem of STEP Fusion Power Plant: achieves and maintains <1e-6 Pa in ~1000 m³ plasma vessel. Roughing pumps (scroll/roots), high-vacuum pumps (cryopumps with liquid helium panels), torus exhaust pumping, neutral beam injector differential pumping. Helium ash exhaust, leak detection system, vacuum gauging (ionisation, capacitance). Bake-out gas handling. Interlock with plasma operation and tritium systems. Must handle tritiated exhaust gas safely. |
| Vacuum Vessel and In-Vessel Structures | CE851018 | Double-walled stainless steel torus forming the primary vacuum boundary and neutron shielding structure for the STEP tokamak. 316L(N) construction, 7.5m major radius, 2.5m minor radius, wall thickness 40mm inner shell. Provides radial access ports for diagnostics, heating systems, and remote handling. Passive decay heat removal via conduction to vessel body. Maintains 1e-6 Pa vacuum boundary integrity under seismic loading up to 0.2g. |
| Vacuum Vessel Leak Detection System | 54E77818 | Helium mass spectrometer leak detector deployed on vacuum vessel and cryostat, detecting in-leakage during shutdown and in-operation through background helium rise rate. Sensitivity 1e-9 mbar L/s. Triggers maintenance response if leak rate exceeds 1e-6 mbar L/s. Connected to facility alarm system. |
| Vacuum Vessel Pressure Monitoring System | 54F57A18 | Cold-cathode and hot-cathode ionisation gauges distributed across 32 vessel ports, providing redundant vacuum measurement from 1 Pa down to 1e-8 Pa. Feeds vessel pressure data to Plasma Control System at 10 Hz. Includes residual gas analyser for impurity species identification. Triggers interlock at 1e-4 Pa to prevent plasma with degraded vacuum. |
| Component | Belongs To |
|---|---|
| Real-Time Plasma Controller | Plasma Control System |
| Disruption Prediction and Mitigation Unit | Plasma Control System |
| Actuator Management System | Plasma Control System |
| Diagnostic Data Acquisition Front-End | Plasma Control System |
| Plasma Control Supervisor | Plasma Control System |
| First Wall and Blanket Module | Tokamak Core Assembly |
| Divertor Cassette Assembly | Tokamak Core Assembly |
| Vacuum Vessel and In-Vessel Structures | Tokamak Core Assembly |
| Plasma Heating and Current Drive System | Tokamak Core Assembly |
| Diagnostics and Measurement Systems | Tokamak Core Assembly |
| Plasma Exhaust Processing System | Tritium Plant |
| Isotope Separation System | Tritium Plant |
| Tritium Storage and Delivery System | Tritium Plant |
| Blanket Tritium Extraction System | Tritium Plant |
| Atmosphere Detritiation System | Tritium Plant |
| TF Coil Set | Superconducting Magnet System |
| CS and PF Coil Set | Superconducting Magnet System |
| Magnet Quench Detection and Protection System | Superconducting Magnet System |
| Magnet Power Supply System | Superconducting Magnet System |
| Turbomolecular Pump Array | Vacuum System |
| Vacuum Vessel Pressure Monitoring System | Vacuum System |
| Vacuum Vessel Leak Detection System | Vacuum System |
| Helium Refrigeration System | Cryogenic Plant |
| Cryogenic Transfer Line Network | Cryogenic Plant |
| Helium Management System | Cryogenic Plant |
| Cryogenic Control System | Cryogenic Plant |
| In-Vessel Inspection and Maintenance Manipulator | Remote Handling System |
| Remote Handling Transfer Cask | Remote Handling System |
| Remote Handling Control Suite | Remote Handling System |
| In-Vessel Viewing and Monitoring System | Remote Handling System |
| Blanket and Divertor Exchange Tooling | Remote Handling System |
| Steam Generator and Heat Transfer System | Power Conversion System |
| Turbine-Generator Set | Power Conversion System |
| Condenser and Cooling Water System | Power Conversion System |
| Feedwater and Balance of Plant System | Power Conversion System |
| Grid Interface and Electrical Switchgear | Power Conversion System |
| From | To |
|---|---|
| Diagnostic Data Acquisition Front-End | Real-Time Plasma Controller |
| Real-Time Plasma Controller | Actuator Management System |
| Real-Time Plasma Controller | Disruption Prediction and Mitigation Unit |
| Plasma Control Supervisor | Real-Time Plasma Controller |
| Plasma Exhaust Processing System | Isotope Separation System |
| Isotope Separation System | Tritium Storage and Delivery System |
| Blanket Tritium Extraction System | Isotope Separation System |
| Atmosphere Detritiation System | Tritium Plant |
| Magnet Quench Detection and Protection System | Magnet Power Supply System |
| Cryogenic Transfer Line Network | Superconducting Magnet System |
| Helium Refrigeration System | Cryogenic Transfer Line Network |
| Cryogenic Control System | Helium Refrigeration System |
| Helium Management System | Helium Refrigeration System |
| Component | Output |
|---|---|
| First Wall and Blanket Module | bred tritium and thermal power |
| Divertor Cassette Assembly | plasma exhaust heat and neutral gas |
| Plasma Heating and Current Drive System | plasma current and heating power |
| Diagnostics and Measurement Systems | plasma state measurements |
| Plasma Exhaust Processing System | purified DT exhaust stream |
| Isotope Separation System | high-purity DT fuel (>99.9%) |
| Tritium Storage and Delivery System | controlled DT fuel delivery |
| Blanket Tritium Extraction System | extracted bred tritium |
| Atmosphere Detritiation System | detritiated building atmosphere |
| Helium Refrigeration System | 4.5K supercritical helium coolant |
| Source | Target | Type | Description |
|---|---|---|---|
| ARC-SUB-011 | SYS-REQ-015 | derives | ARC-REQ-011 PCS five-component decomposition derives SYS-REQ-015 Grid Code compliance |
| ARC-SUB-010 | SYS-REQ-009 | derives | ARC-REQ-010 RHS five-component decomposition derives SYS-REQ-009 maintenance campaign requirement |
| ARC-SUB-009 | SYS-REQ-006 | derives | ARC-REQ-009 Cryogenic Plant decomposition derives SYS-REQ-006 superconducting magnet protection |
| ARC-REQ-008 | SYS-REQ-008 | derives | ARC-REQ-008 vacuum system three-component topology derives SYS-REQ-008 UHV requirement |
| ARC-REQ-007 | SYS-REQ-006 | derives | ARC-REQ-007 SMS four-component topology derives SYS-REQ-006 magnet quench protection |
| ARC-REQ-004 | SYS-REQ-002 | derives | ARC-REQ-004 PCS thermal conversion architecture derives SYS-REQ-002 100 MW net power target |
| ARC-REQ-005 | SYS-REQ-005 | derives | ARC-REQ-005 Tritium Plant double containment architecture derives SYS-REQ-005 tritium confinement |
| ARC-REQ-003 | SYS-REQ-004 | derives | ARC-REQ-003 digital-only PCS architecture drives SYS-REQ-004 disruption mitigation timing |
| ARC-REQ-002 | SYS-REQ-006 | derives | ARC-REQ-002 SMS-Cryoplant separation architecture derives SYS-REQ-006 quench protection requirement |
| ARC-REQ-001 | SYS-REQ-001 | derives | ARC-REQ-001 spherical tokamak geometry selection drives SYS-REQ-001 fusion gain target |
| ARC-REQ-007 | SYS-REQ-006 | derives | ARC-REQ-007 SMS four-component architecture constrains SYS-REQ-006 quench management |
| ARC-REQ-007 | SYS-REQ-006 | derives | ARC-REQ-007 architecture decision constrains SYS-REQ-006 implementation |
| SYS-REQ-005 | ARC-REQ-005 | derives | Tritium Plant double-containment driven by tritium confinement requirement |
| SYS-REQ-002 | ARC-REQ-004 | derives | PCS thermal/electrical grouping enables system-level efficiency accounting |
| SYS-REQ-001 | ARC-REQ-003 | derives | PCS separation enables high-bandwidth plasma control for burn maintenance |
| SYS-REQ-006 | ARC-REQ-002 | derives | Magnet-cryo separation driven by quench safety requirement |
| SYS-REQ-001 | ARC-REQ-001 | derives | Spherical tokamak geometry selected to achieve Q>=5 fusion gain |
| ARC-REQ-008 | SYS-REQ-008 | derives | Vacuum system topology architecture supports SYS-REQ-008 |
| SYS-REQ-006 | ARC-REQ-007 | derives | SYS quench management drives SMS architecture separation decision |
| ARC-REQ-006 | SYS-REQ-001 | derives | TCA decomposition rationale informs system plasma burn requirement decomposition |
| ARC-REQ-005 | SYS-REQ-005 | derives | Tritium Plant self-contained with double-containment boundary derives tritium confinement requirement |
| ARC-REQ-004 | SYS-REQ-002 | derives | Power Conversion System thermal architecture drives net electrical output requirement |
| ARC-REQ-003 | SYS-REQ-004 | derives | PCS as isolated signal-processing subsystem enables disruption mitigation timing |
| ARC-REQ-002 | SYS-REQ-006 | derives | Separate SMS and Cryo subsystems define quench detection and management interface |
| ARC-REQ-001 | SYS-REQ-001 | derives | Spherical tokamak geometry enables Q≥5 plasma performance target |
| ARC-REQ-003 | SYS-REQ-004 | derives | PCS architecture as isolated signal-processing layer enables the disruption mitigation timing requirement |
| ARC-REQ-002 | SYS-REQ-006 | derives | Separate SMS and Cryo subsystems define the quench detection and management interface |
| ARC-REQ-001 | SYS-REQ-001 | derives | Spherical tokamak geometry enables the Q≥5 plasma performance target |
| REQ-SESTEPFUSIONPOWERPLANT-015 | REQ-SESTEPFUSIONPOWERPLANT-025 | derives | Tritium Plant accountancy verified by integrated commissioning test |
| REQ-SESTEPFUSIONPOWERPLANT-013 | REQ-SESTEPFUSIONPOWERPLANT-023 | derives | SMS field strength and quench protection verified by magnet commissioning |
| REQ-SESTEPFUSIONPOWERPLANT-012 | REQ-SESTEPFUSIONPOWERPLANT-022 | derives | TCA first wall heat flux verified by commissioning measurement |
| REQ-SESTEPFUSIONPOWERPLANT-014 | REQ-SESTEPFUSIONPOWERPLANT-024 | derives | Cryogenic Plant refrigeration capacity verified by cold commissioning |
| SUB-REQ-003 | REQ-SESTEPFUSIONPOWERPLANT-019 | derives | PCS dual-redundant controller switchover verified by fault injection test |
| REQ-SESTEPFUSIONPOWERPLANT-016 | REQ-SESTEPFUSIONPOWERPLANT-026 | derives | Power Conversion output verified by full-power grid export measurement |
| REQ-SESTEPFUSIONPOWERPLANT-017 | REQ-SESTEPFUSIONPOWERPLANT-027 | derives | Vacuum System performance verified by pump-down commissioning test |
| REQ-SESTEPFUSIONPOWERPLANT-018 | REQ-SESTEPFUSIONPOWERPLANT-028 | derives | RHS campaign performance verified by full-scale demonstration |
| SUB-REQ-004 | REQ-SESTEPFUSIONPOWERPLANT-020 | derives | PCS DAQ synchronisation verified by hardware pulse injection test |
| SUB-REQ-006 | REQ-SESTEPFUSIONPOWERPLANT-021 | derives | Material injection delivery quantity and timing verified by bench test |
| REQ-SESTEPFUSIONPOWERPLANT-029 | REQ-SESTEPFUSIONPOWERPLANT-030 | derives | RPS zone classification and interlock timing verified by in-situ measurement |
| SUB-REQ-003 | REQ-SESTEPFUSIONPOWERPLANT-019 | derives | SUB-REQ-003 verified by VER-REQ-016 |
| SUB-REQ-004 | REQ-SESTEPFUSIONPOWERPLANT-020 | derives | SUB-REQ-004 verified by VER-REQ-015 |
| SUB-REQ-006 | REQ-SESTEPFUSIONPOWERPLANT-021 | derives | SUB-REQ-006 verified by VER-REQ-014 |
| REQ-SESTEPFUSIONPOWERPLANT-012 | REQ-SESTEPFUSIONPOWERPLANT-022 | derives | SUB-REQ-007 verified by VER-REQ-017 |
| REQ-SESTEPFUSIONPOWERPLANT-013 | REQ-SESTEPFUSIONPOWERPLANT-023 | derives | SUB-REQ-008 verified by VER-REQ-018 |
| REQ-SESTEPFUSIONPOWERPLANT-014 | REQ-SESTEPFUSIONPOWERPLANT-024 | derives | SUB-REQ-009 verified by VER-REQ-020 |
| REQ-SESTEPFUSIONPOWERPLANT-015 | REQ-SESTEPFUSIONPOWERPLANT-025 | derives | SUB-REQ-010 verified by VER-REQ-019 |
| REQ-SESTEPFUSIONPOWERPLANT-016 | REQ-SESTEPFUSIONPOWERPLANT-026 | derives | SUB-REQ-011 verified by VER-REQ-021 |
| REQ-SESTEPFUSIONPOWERPLANT-018 | REQ-SESTEPFUSIONPOWERPLANT-028 | derives | SUB-REQ-012 verified by VER-REQ-022 |
| REQ-SESTEPFUSIONPOWERPLANT-017 | REQ-SESTEPFUSIONPOWERPLANT-027 | derives | SUB-REQ-013 verified by VER-REQ-023 |
| REQ-SESTEPFUSIONPOWERPLANT-029 | REQ-SESTEPFUSIONPOWERPLANT-030 | derives | SUB-REQ-014 verified by VER-REQ-024 |
| REQ-SESTEPFUSIONPOWERPLANT-001 | VER-REQ-025 | derives | IFC-REQ-010 verified by VER-REQ-025 |
| REQ-SESTEPFUSIONPOWERPLANT-002 | VER-REQ-026 | derives | IFC-REQ-011 verified by VER-REQ-026 |
| REQ-SESTEPFUSIONPOWERPLANT-004 | VER-REQ-027 | derives | IFC-REQ-012 verified by VER-REQ-027 |
| REQ-SESTEPFUSIONPOWERPLANT-003 | VER-REQ-028 | derives | IFC-REQ-013 verified by VER-REQ-028 |
| REQ-SESTEPFUSIONPOWERPLANT-005 | VER-REQ-029 | derives | IFC-REQ-014 verified by VER-REQ-029 |
| REQ-SESTEPFUSIONPOWERPLANT-007 | VER-REQ-030 | derives | IFC-REQ-015 verified by VER-REQ-030 |
| REQ-SESTEPFUSIONPOWERPLANT-006 | VER-REQ-031 | derives | IFC-REQ-016 verified by VER-REQ-031 |
| REQ-SESTEPFUSIONPOWERPLANT-009 | VER-REQ-032 | derives | IFC-REQ-017 verified by VER-REQ-032 |
| REQ-SESTEPFUSIONPOWERPLANT-008 | VER-REQ-033 | derives | IFC-REQ-018 verified by VER-REQ-033 |
| REQ-SESTEPFUSIONPOWERPLANT-010 | VER-REQ-034 | derives | IFC-REQ-019 verified by VER-REQ-034 |
| REQ-SESTEPFUSIONPOWERPLANT-011 | VER-REQ-035 | derives | IFC-REQ-020 verified by VER-REQ-035 |
| SYS-REQ-012 | REQ-SESTEPFUSIONPOWERPLANT-029 | derives | RPS dose rate monitoring enforces the 10 µSv/hr occupied area limit from neutron streaming |
| SYS-REQ-018 | SUB-REQ-084 | derives | DBA scenario (c) superconducting magnet quench cascade → SMS passive quench protection |
| SYS-REQ-019 | SUB-REQ-082 | derives | Environmental permitting, Nuclear Installations Act, ISO 14001 EMS decomposed to Tritium Plant |
| SYS-REQ-008 | SUB-REQ-081 | derives | Seal integrity across all operational modes decomposed to Vacuum System |
| SYS-REQ-018 | SUB-REQ-079 | derives | DBA in-vessel failure and loss-of-cooling (SYS-REQ-018b,d) → Tokamak Core Assembly passive heat removal |
| SYS-REQ-018 | SUB-REQ-078 | derives | Tritium release DBA (SYS-REQ-018a) → Tritium Plant automatic isolation |
| SYS-REQ-018 | SUB-REQ-078 | derives | DBA tritium release pathway decomposed to Tritium Plant isolation requirement |
| SYS-REQ-008 | SUB-REQ-076 | derives | SYS seal leak rate → SUB seal qualification programme |
| SYS-REQ-008 | SUB-REQ-075 | derives | SYS vacuum integrity → SUB pump N+1 redundancy |
| SYS-REQ-006 | SUB-REQ-074 | derives | SYS magnet quench management → SUB MPS N+1 redundancy |
| SYS-REQ-009 | SUB-REQ-073 | derives | SYS remote handling capability → SUB RHS dual-path control redundancy |
| REQ-SESTEPFUSIONPOWERPLANT-043 | REQ-SESTEPFUSIONPOWERPLANT-121 | derives | ALARA engineering measures derive from radiobiological protection system requirement |
| SYS-REQ-006 | REQ-SESTEPFUSIONPOWERPLANT-120 | derives | Magnet quench detection redundancy derives from quench management system requirement |
| SYS-REQ-005 | REQ-SESTEPFUSIONPOWERPLANT-119 | derives | Tritium dual-barrier failsafe derives from tritium confinement system requirement |
| SYS-REQ-010 | REQ-SESTEPFUSIONPOWERPLANT-118 | derives | Cryogenic N+1 redundancy derives from campaign availability requirement |
| SYS-REQ-008 | REQ-SESTEPFUSIONPOWERPLANT-117 | derives | VSPMS power continuity derives from vacuum system operational requirement |
| SYS-REQ-001 | SUB-REQ-057 | derives | Planned shutdown sequence derives from Q>=5 pulse requirement: pulse start/end lifecycle management |
| SYS-REQ-007 | SUB-REQ-056 | derives | SYS-REQ-007 passive decay heat removal derives SUB-REQ-056 in-vessel passive cooling path |
| SYS-REQ-011 | SUB-REQ-055 | derives | SYS-REQ-011 seismic fast shutdown derives SUB-REQ-055 structural seismic resistance |
| SYS-REQ-004 | SUB-REQ-001 | derives | 10 ms system disruption response drives PCS 1 ms control cycle requirement |
| SYS-REQ-004 | SUB-REQ-002 | derives | System disruption mitigation requirement directly derives PCS detection and injection requirement |
| SYS-REQ-004 | SUB-REQ-003 | derives | SIL-3 disruption mitigation requirement drives PCS dual-redundancy |
| SYS-REQ-013 | SUB-REQ-004 | derives | System diagnostic specification drives PCS DAQ sampling and synchronisation requirement |
| SYS-REQ-004 | SUB-REQ-005 | derives | System safe plasma termination requirement drives PCS internal fault safe state |
| SYS-REQ-004 | SUB-REQ-006 | derives | System disruption mitigation drives runaway electron suppression injection requirement |
| SYS-REQ-008 | SUB-REQ-015 | derives | UHV system requirement drives vessel structural leak integrity specification |
| SYS-REQ-003 | SUB-REQ-016 | derives | System TBR requirement allocates blanket module breeding performance |
| SYS-REQ-004 | SUB-REQ-017 | derives | Disruption mitigation requirement drives TCA structural safe state specification |
| SYS-REQ-005 | SUB-REQ-018 | derives | PEPS throughput requirement derives from tritium confinement system requirement |
| SYS-REQ-001 | SUB-REQ-019 | derives | ISS fuel purity requirement derives from plasma burn sustainment requirement |
| SYS-REQ-005 | SUB-REQ-020 | derives | TSDS double-containment requirement derives from tritium confinement system requirement |
| SYS-REQ-003 | SUB-REQ-021 | derives | BTES extraction rate derives from TBR >= 1.1 system requirement |
| SYS-REQ-006 | SUB-REQ-023 | derives | Quench detection timing derives from quench safe management system requirement |
| SYS-REQ-006 | SUB-REQ-023 | derives | SYS quench management derives to QDPS detection specification |
| SYS-REQ-006 | SUB-REQ-027 | derives | SYS quench management derives to MPSS energy extraction response |
| SYS-REQ-001 | SUB-REQ-025 | derives | Plasma burn Q>=5 derives to TF field performance specification |
| SYS-REQ-001 | SUB-REQ-024 | derives | Plasma burn derives to CS flux swing specification |
| SYS-REQ-001 | SUB-REQ-026 | derives | Plasma burn derives to MPSS energisation performance |
| SYS-REQ-006 | SUB-REQ-028 | derives | Quench management derives to TF thermal margin specification |
| SYS-REQ-008 | SUB-REQ-029 | derives | Ultra-high vacuum requirement derives to pump array performance |
| SYS-REQ-008 | SUB-REQ-030 | derives | Ultra-high vacuum requirement derives to pressure monitoring interlock |
| SYS-REQ-005 | SUB-023 | derives | Tritium Plant redundancy requirement derives from SYS tritium confinement |
| SYS-REQ-005 | SUB-024 | derives | ISS override/watchdog requirement derives from SYS tritium confinement |
| SYS-REQ-006 | SUB-REQ-031 | derives | HRS redundancy derives from quench management requirement |
| SYS-REQ-006 | SUB-REQ-032 | derives | HMS helium recovery supports quench safe management |
| SYS-REQ-009 | SUB-REQ-036 | derives | IVIMM accuracy derives from system positioning accuracy requirement |
| SYS-REQ-009 | SUB-REQ-037 | derives | Campaign duration derives from 4-month system maintenance window |
| SYS-REQ-009 | SUB-REQ-039 | derives | Transfer cask shielding derives from personnel access during maintenance |
| SYS-REQ-002 | SUB-REQ-041 | derives | Net electrical output requirement derives from 100 MW system target |
| SYS-REQ-002 | SUB-REQ-042 | derives | Rankine efficiency derives from gross-to-net efficiency system requirement |
| SYS-REQ-015 | SUB-REQ-043 | derives | Grid code compliance derives from system-level Grid Code mandate |
| SYS-REQ-009 | SUB-REQ-038 | derives | Radiation hardening derives from in-vessel operation requirement |
| SYS-REQ-009 | SUB-REQ-040 | derives | RHS safe state derives from in-vessel maintenance safety obligation |
| SYS-REQ-002 | SUB-REQ-044 | derives | Steam generator heat transfer derives from electrical output requirement |
| SYS-REQ-010 | SUB-REQ-045 | derives | Turbine runback derives from operational availability requirement |
| SYS-REQ-005 | REQ-SESTEPFUSIONPOWERPLANT-037 | derives | SYS tritium confinement → SUB ISS power specification |
| SYS-REQ-005 | REQ-SESTEPFUSIONPOWERPLANT-038 | derives | SYS tritium confinement → SUB ISS emergency isolation |
| SYS-REQ-002 | REQ-SESTEPFUSIONPOWERPLANT-039 | derives | SYS power conversion function → SUB PCS dedicated turbine hall |
| SYS-REQ-005 | REQ-SESTEPFUSIONPOWERPLANT-040 | derives | SYS tritium confinement → SUB Tritium Plant Category 1 confinement building |
| SYS-REQ-001 | REQ-SESTEPFUSIONPOWERPLANT-041 | derives | SYS plasma confinement (superconducting magnets) → SUB Cryogenic Plant dedicated building |
| SYS-REQ-008 | REQ-SESTEPFUSIONPOWERPLANT-042 | derives | SYS vacuum integrity → SUB Vacuum System physical pump configuration |
| REQ-SESTEPFUSIONPOWERPLANT-043 | REQ-SESTEPFUSIONPOWERPLANT-029 | derives | RPS zone classification and interlock system implements the 1 mSv/year worker dose limit |
| SYS-REQ-008 | IFC-REQ-027 | derives | Vacuum maintenance derives to pressure monitoring interface to PCS |
| SYS-REQ-006 | IFC-REQ-024 | derives | Quench management derives to QDPS-MPSS interlock interface |
| SYS-REQ-003 | IFC-REQ-023 | derives | TBR requirement derives to blanket tritium extraction interface |
| SYS-REQ-015 | REQ-SESTEPFUSIONPOWERPLANT-010 | derives | Grid Code compliance drives station load import interface specification |
| SYS-REQ-004 | REQ-SESTEPFUSIONPOWERPLANT-009 | derives | Disruption mitigation requires hardwired RHS lockout during plasma-active state |
| SYS-REQ-006 | REQ-SESTEPFUSIONPOWERPLANT-005 | derives | Quench protection requires coil power supply command and quench alarm interface |
| SYS-REQ-001 | REQ-SESTEPFUSIONPOWERPLANT-003 | derives | Plasma burn sustain requirement drives fuel injection command interface |
| SYS-REQ-005 | REQ-SESTEPFUSIONPOWERPLANT-002 | derives | Tritium containment drives exhaust gas transfer interface |
| SYS-REQ-015 | IFC-REQ-009 | derives | Grid quality drives grid interface specification |
| SYS-REQ-009 | IFC-REQ-008 | derives | Remote handling drives maintenance access port specification |
| SYS-REQ-008 | IFC-REQ-007 | derives | Vacuum requirement drives vacuum-tokamak pumping interface |
| SYS-REQ-006 | IFC-REQ-002 | derives | Quench protection drives cryogenic-magnet interface |
| SYS-REQ-004 | IFC-REQ-005 | derives | Disruption mitigation drives control-tokamak interface latency |
| SYS-REQ-003 | IFC-REQ-003 | derives | TBR requirement drives fuel cycle interface |
| SYS-REQ-002 | IFC-REQ-009 | derives | Power conversion drives grid export interface |
| SYS-REQ-002 | IFC-REQ-004 | derives | Power conversion drives thermal transport interface |
| SYS-REQ-001 | IFC-REQ-001 | derives | Plasma burn requirement drives magnet-tokamak field interface |
| STK-REQ-017 | SYS-REQ-020 | derives | STK research data sharing → SYS FAIR data publication requirement |
| STK-REQ-013 | SYS-REQ-019 | derives | STK environmental discharge limits → SYS environmental permitting |
| STK-REQ-003 | SYS-REQ-018 | derives | STK safety case requirement → SYS DBA and basic safety levels |
| STK-REQ-010 | SYS-REQ-017 | derives | STK 24-hour grid notification → SYS grid scheduling notification requirement |
| STK-REQ-011 | REQ-SESTEPFUSIONPOWERPLANT-043 | derives | STK worker dose limits → SYS radiobiological protection implementation |
| STK-REQ-016 | SYS-REQ-005 | derives | EPZ size driven by maximum credible tritium release limited by containment requirement |
| STK-REQ-018 | SYS-REQ-003 | derives | In-situ blanket measurement validates system-level TBR requirement |
| STK-REQ-014 | SYS-REQ-014 | derives | Radioactive waste categorisation need drives reduced-activation materials requirement |
| STK-REQ-013 | SYS-REQ-005 | derives | Environmental discharge limits derive tritium containment requirement |
| STK-REQ-012 | SYS-REQ-012 | derives | Radiation zone access control derives system dose rate requirement |
| STK-REQ-010 | SYS-REQ-010 | derives | Grid scheduling drives availability requirement |
| STK-REQ-003 | SYS-REQ-011 | derives | Safety case drives seismic response requirement |
| STK-REQ-020 | SYS-REQ-014 | derives | Material activation minimisation drives waste target |
| STK-REQ-019 | SYS-REQ-014 | derives | Decommissioning timeline drives material selection requirement |
| STK-REQ-017 | SYS-REQ-013 | derives | Research data need drives diagnostic system specification |
| STK-REQ-015 | SYS-REQ-012 | derives | Public dose limit drives shielding to reduce off-site contribution |
| STK-REQ-011 | SYS-REQ-012 | derives | Worker dose limit drives neutron shielding requirement |
| STK-REQ-009 | SYS-REQ-015 | derives | Grid connection need drives power quality requirements |
| STK-REQ-009 | SYS-REQ-002 | derives | Net power output drives conversion efficiency |
| STK-REQ-009 | SYS-REQ-001 | derives | Net power output drives plasma performance requirement |
| STK-REQ-008 | SYS-REQ-005 | derives | Automatic tritium isolation drives containment architecture |
| STK-REQ-007 | SYS-REQ-003 | derives | Fuel cycle closure drives breeding ratio requirement |
| STK-REQ-006 | SYS-REQ-009 | derives | Maintenance campaign duration drives RH throughput |
| STK-REQ-005 | SYS-REQ-009 | derives | Remote handling need drives system-level RH specification |
| STK-REQ-004 | SYS-REQ-003 | derives | Tritium accountability drives breeding ratio measurement |
| STK-REQ-003 | SYS-REQ-007 | derives | Safety case drives passive safety for loss of coolant |
| STK-REQ-003 | SYS-REQ-006 | derives | Safety case drives quench protection requirements |
| STK-REQ-003 | SYS-REQ-005 | derives | Safety case requirement drives tritium double containment |
| STK-REQ-003 | SYS-REQ-004 | derives | Safety case requirement drives disruption mitigation as DBA response |
| STK-REQ-002 | SYS-REQ-004 | derives | Operator emergency shutdown need drives disruption mitigation timing |
| STK-REQ-001 | SYS-REQ-013 | derives | Operator display requirement drives diagnostic system specification |
| Requirement | Verified By | Type | Description |
|---|---|---|---|
| SUB-REQ-033 | VER-REQ-052 | verifies | Cold-hold calorimetry verifies CTLN heat leak |
| SUB-REQ-082 | VER-089 | verifies | Regulatory documentary inspection for environmental permitting and ISO 14001 EMS |
| SUB-REQ-081 | VER-088 | verifies | Post-intervention RGA test for plasma vessel seal integrity in all operational modes |
| SUB-REQ-080 | VER-087 | verifies | Regulatory compliance inspection for UK IRR 2017 and ALARA Tritium Plant documentation |
| SUB-REQ-085 | VER-086 | verifies | Short-sample and fatigue test for TF Coil Set CICC conductor specification |
| SUB-REQ-084 | VER-085 | verifies | Passive quench protection analysis for SMS single-channel failure scenario |
| SUB-REQ-083 | VER-084 | verifies | N+1 redundancy functional test for Tritium Plant isotope separation modules |
| SUB-REQ-079 | VER-083 | verifies | DBA thermal analysis for Tokamak Core Assembly passive cooling |
| SUB-REQ-078 | VER-082 | verifies | Functional test for Tritium Plant DBA isolation within 30 seconds |
| SUB-REQ-076 | VER-081 | verifies | Vacuum seal qualification → three-condition helium leak test |
| SUB-REQ-075 | VER-080 | verifies | Vacuum pump N+1 redundancy → pump failover pressure test |
| SUB-REQ-074 | VER-079 | verifies | SMS MPS redundancy → MPS converter failover FAT |
| SUB-REQ-073 | VER-078 | verifies | RHS redundancy req → RHS failover integration test |
| REQ-SESTEPFUSIONPOWERPLANT-121 | REQ-SESTEPFUSIONPOWERPLANT-126 | verifies | ALARA radiation protection verification |
| REQ-SESTEPFUSIONPOWERPLANT-120 | REQ-SESTEPFUSIONPOWERPLANT-125 | verifies | Magnet quench detection architecture verification |
| REQ-SESTEPFUSIONPOWERPLANT-119 | REQ-SESTEPFUSIONPOWERPLANT-124 | verifies | Tritium plant dual-barrier verification |
| REQ-SESTEPFUSIONPOWERPLANT-118 | REQ-SESTEPFUSIONPOWERPLANT-123 | verifies | Cryogenic plant redundancy verification |
| REQ-SESTEPFUSIONPOWERPLANT-117 | REQ-SESTEPFUSIONPOWERPLANT-122 | verifies | VSPMS power budget verification |
| REQ-SESTEPFUSIONPOWERPLANT-103 | SUB-023 | verifies | Verification test for SUB-REQ-058 |
| REQ-SESTEPFUSIONPOWERPLANT-102 | SUB-REQ-057 | verifies | Verification test for SUB-REQ-057 |
| REQ-SESTEPFUSIONPOWERPLANT-101 | SUB-REQ-056 | verifies | Verification test for SUB-REQ-056 |
| REQ-SESTEPFUSIONPOWERPLANT-100 | SUB-REQ-055 | verifies | Verification test for SUB-REQ-055 |
| REQ-SESTEPFUSIONPOWERPLANT-099 | REQ-SESTEPFUSIONPOWERPLANT-042 | verifies | Verification test for SUB-REQ-054 |
| REQ-SESTEPFUSIONPOWERPLANT-098 | REQ-SESTEPFUSIONPOWERPLANT-041 | verifies | Verification test for SUB-REQ-053 |
| REQ-SESTEPFUSIONPOWERPLANT-097 | REQ-SESTEPFUSIONPOWERPLANT-040 | verifies | Verification test for SUB-REQ-052 |
| REQ-SESTEPFUSIONPOWERPLANT-096 | REQ-SESTEPFUSIONPOWERPLANT-039 | verifies | Verification test for SUB-REQ-051 |
| REQ-SESTEPFUSIONPOWERPLANT-104 | SUB-024 | verifies | Verification test for SUB-REQ-059 |
| REQ-SESTEPFUSIONPOWERPLANT-083 | REQ-SESTEPFUSIONPOWERPLANT-012 | verifies | Verification test for SUB-REQ-007 |
| REQ-SESTEPFUSIONPOWERPLANT-084 | REQ-SESTEPFUSIONPOWERPLANT-013 | verifies | Verification test for SUB-REQ-008 |
| REQ-SESTEPFUSIONPOWERPLANT-090 | REQ-SESTEPFUSIONPOWERPLANT-016 | verifies | Verification test for SUB-REQ-011 |
| REQ-SESTEPFUSIONPOWERPLANT-091 | REQ-SESTEPFUSIONPOWERPLANT-018 | verifies | Verification test for SUB-REQ-012 |
| REQ-SESTEPFUSIONPOWERPLANT-092 | REQ-SESTEPFUSIONPOWERPLANT-017 | verifies | Verification test for SUB-REQ-013 |
| REQ-SESTEPFUSIONPOWERPLANT-093 | REQ-SESTEPFUSIONPOWERPLANT-029 | verifies | Verification test for SUB-REQ-014 |
| REQ-SESTEPFUSIONPOWERPLANT-089 | REQ-SESTEPFUSIONPOWERPLANT-015 | verifies | Verification test for SUB-REQ-010 |
| REQ-SESTEPFUSIONPOWERPLANT-094 | REQ-SESTEPFUSIONPOWERPLANT-037 | verifies | Verification test for SUB-REQ-049 |
| REQ-SESTEPFUSIONPOWERPLANT-095 | REQ-SESTEPFUSIONPOWERPLANT-038 | verifies | Verification test for SUB-REQ-050 |
| REQ-SESTEPFUSIONPOWERPLANT-088 | REQ-SESTEPFUSIONPOWERPLANT-014 | verifies | Verification test for cryo plant 4.5K stability |
| REQ-SESTEPFUSIONPOWERPLANT-082 | REQ-SESTEPFUSIONPOWERPLANT-076 | verifies | Verification test for degraded-mode subsystem requirement |
| REQ-SESTEPFUSIONPOWERPLANT-081 | REQ-SESTEPFUSIONPOWERPLANT-075 | verifies | Verification test for degraded-mode subsystem requirement |
| REQ-SESTEPFUSIONPOWERPLANT-080 | REQ-SESTEPFUSIONPOWERPLANT-074 | verifies | Verification test for degraded-mode subsystem requirement |
| REQ-SESTEPFUSIONPOWERPLANT-079 | REQ-SESTEPFUSIONPOWERPLANT-073 | verifies | Verification test for degraded-mode subsystem requirement |
| REQ-SESTEPFUSIONPOWERPLANT-078 | REQ-SESTEPFUSIONPOWERPLANT-072 | verifies | Verification test for degraded-mode subsystem requirement |
| REQ-SESTEPFUSIONPOWERPLANT-062 | SUB-REQ-042 | verifies | VER-REQ-098 verifies PCS gross-to-net efficiency requirement SUB-REQ-042 |
| REQ-SESTEPFUSIONPOWERPLANT-061 | SUB-REQ-037 | verifies | VER-REQ-097 verifies remote handling campaign duration requirement SUB-REQ-037 |
| REQ-SESTEPFUSIONPOWERPLANT-060 | REQ-SESTEPFUSIONPOWERPLANT-029 | verifies | VER-REQ-096 verifies radiation zone classification requirement SUB-REQ-014 |
| REQ-SESTEPFUSIONPOWERPLANT-059 | REQ-SESTEPFUSIONPOWERPLANT-042 | verifies | VER-REQ-089 verifies vacuum pump configuration requirement SUB-REQ-054 |
| REQ-SESTEPFUSIONPOWERPLANT-058 | REQ-SESTEPFUSIONPOWERPLANT-041 | verifies | VER-REQ-088 verifies cryogenic plant building requirement SUB-REQ-053 |
| REQ-SESTEPFUSIONPOWERPLANT-057 | REQ-SESTEPFUSIONPOWERPLANT-040 | verifies | VER-REQ-087 verifies tritium building confinement requirement SUB-REQ-052 |
| REQ-SESTEPFUSIONPOWERPLANT-056 | REQ-SESTEPFUSIONPOWERPLANT-039 | verifies | VER-REQ-086 verifies turbine hall structural requirement SUB-REQ-051 |
| REQ-SESTEPFUSIONPOWERPLANT-055 | REQ-SESTEPFUSIONPOWERPLANT-038 | verifies | VER-REQ-085 verifies PPS emergency isolation requirement SUB-REQ-050 |
| REQ-SESTEPFUSIONPOWERPLANT-054 | REQ-SESTEPFUSIONPOWERPLANT-037 | verifies | VER-REQ-084 verifies ISS power consumption requirement SUB-REQ-049 |
| REQ-SESTEPFUSIONPOWERPLANT-036 | SUB-REQ-045 | verifies | VER-REQ-073 verifies PCS fast turbine runback requirement SUB-REQ-045 |
| REQ-SESTEPFUSIONPOWERPLANT-035 | SUB-REQ-044 | verifies | VER-REQ-072 verifies PCS thermal efficiency requirement SUB-REQ-044 |
| REQ-SESTEPFUSIONPOWERPLANT-034 | SUB-REQ-043 | verifies | VER-REQ-071 verifies PCS grid operation requirement SUB-REQ-043 |
| REQ-SESTEPFUSIONPOWERPLANT-033 | SUB-REQ-040 | verifies | VER-REQ-070 verifies RHS fault handling requirement SUB-REQ-040 |
| REQ-SESTEPFUSIONPOWERPLANT-032 | SUB-REQ-039 | verifies | VER-REQ-069 verifies transfer cask shielding requirement SUB-REQ-039 |
| REQ-SESTEPFUSIONPOWERPLANT-031 | SUB-REQ-038 | verifies | VER-REQ-068 verifies RHS radiation hardening requirement SUB-REQ-038 |
| REQ-SESTEPFUSIONPOWERPLANT-030 | REQ-SESTEPFUSIONPOWERPLANT-029 | verifies | VER-REQ-024 verifies radiation zone boundary requirement SUB-REQ-014 |
| REQ-SESTEPFUSIONPOWERPLANT-027 | REQ-SESTEPFUSIONPOWERPLANT-017 | verifies | VER-REQ-023 verifies vacuum system base pressure requirement SUB-REQ-013 |
| REQ-SESTEPFUSIONPOWERPLANT-028 | REQ-SESTEPFUSIONPOWERPLANT-018 | verifies | VER-REQ-022 verifies remote handling campaign requirement SUB-REQ-012 |
| REQ-SESTEPFUSIONPOWERPLANT-026 | REQ-SESTEPFUSIONPOWERPLANT-016 | verifies | VER-REQ-021 verifies PCS net export requirement SUB-REQ-011 |
| REQ-SESTEPFUSIONPOWERPLANT-024 | REQ-SESTEPFUSIONPOWERPLANT-014 | verifies | VER-REQ-020 verifies cryogenic plant refrigeration requirement SUB-REQ-009 |
| REQ-SESTEPFUSIONPOWERPLANT-025 | REQ-SESTEPFUSIONPOWERPLANT-015 | verifies | VER-REQ-019 verifies tritium accountancy requirement SUB-REQ-010 |
| REQ-SESTEPFUSIONPOWERPLANT-023 | REQ-SESTEPFUSIONPOWERPLANT-013 | verifies | VER-REQ-018 verifies TF coil field requirement SUB-REQ-008 |
| REQ-SESTEPFUSIONPOWERPLANT-022 | REQ-SESTEPFUSIONPOWERPLANT-012 | verifies | VER-REQ-017 verifies first wall/divertor heat flux requirement SUB-REQ-007 |
| REQ-SESTEPFUSIONPOWERPLANT-019 | SUB-REQ-003 | verifies | VER-REQ-016 verifies dual-redundant controller failover requirement SUB-REQ-003 |
| REQ-SESTEPFUSIONPOWERPLANT-020 | SUB-REQ-004 | verifies | VER-REQ-015 verifies diagnostic data acquisition requirement SUB-REQ-004 |
| REQ-SESTEPFUSIONPOWERPLANT-021 | SUB-REQ-006 | verifies | VER-REQ-014 verifies massive material injection requirement SUB-REQ-006 |
| VER-REQ-065 | SUB-REQ-041 | verifies | VER-REQ-065 specifies the test procedure demonstrating compliance with SUB-REQ-041 |
| VER-REQ-064 | SUB-REQ-036 | verifies | VER-REQ-064 specifies the test procedure demonstrating compliance with SUB-REQ-036 |
| VER-REQ-010 | SUB-REQ-001 | verifies | VER-REQ-010 specifies the test procedure demonstrating compliance with SUB-REQ-001 |
| VER-REQ-011 | SUB-REQ-002 | verifies | VER-REQ-011 specifies the test procedure demonstrating compliance with SUB-REQ-002 |
| VER-REQ-012 | SUB-REQ-005 | verifies | VER-REQ-012 specifies the test procedure demonstrating compliance with SUB-REQ-005 |
| VER-REQ-100 | SUB-REQ-055 | verifies | VER-REQ-100 specifies the test procedure demonstrating compliance with SUB-REQ-055 |
| VER-REQ-101 | SUB-REQ-056 | verifies | VER-REQ-101 specifies the test procedure demonstrating compliance with SUB-REQ-056 |
| VER-REQ-038 | SUB-REQ-017 | verifies | VER-REQ-038 specifies the test procedure demonstrating compliance with SUB-REQ-017 |
| VER-REQ-039 | SUB-REQ-018 | verifies | VER-REQ-039 specifies the test procedure demonstrating compliance with SUB-REQ-018 |
| VER-REQ-036 | SUB-REQ-015 | verifies | VER-REQ-036 specifies the test procedure demonstrating compliance with SUB-REQ-015 |
| VER-REQ-037 | SUB-REQ-016 | verifies | VER-REQ-037 specifies the test procedure demonstrating compliance with SUB-REQ-016 |
| VER-REQ-111 | SUB-REQ-057 | verifies | VER-REQ-111 specifies the test procedure demonstrating compliance with SUB-REQ-057 |
| VER-REQ-110 | SUB-REQ-055 | verifies | VER-REQ-110 specifies the test procedure demonstrating compliance with SUB-REQ-055 |
| VER-044 | SUB-REQ-028 | verifies | VER-044 specifies the test procedure demonstrating compliance with SUB-REQ-028 |
| VER-045 | SUB-REQ-024 | verifies | VER-045 specifies the test procedure demonstrating compliance with SUB-REQ-024 |
| VER-046 | SUB-REQ-030 | verifies | VER-046 specifies the test procedure demonstrating compliance with SUB-REQ-030 |
| VER-047 | SUB-REQ-026 | verifies | VER-047 specifies the test procedure demonstrating compliance with SUB-REQ-026 |
| VER-041 | SUB-REQ-021 | verifies | VER-041 specifies the test procedure demonstrating compliance with SUB-REQ-021 |
| VER-042 | SUB-REQ-019 | verifies | VER-042 specifies the test procedure demonstrating compliance with SUB-REQ-019 |
| VER-043 | SUB-REQ-020 | verifies | VER-043 specifies the test procedure demonstrating compliance with SUB-REQ-020 |
| VER-048 | SUB-024 | verifies | VER-048 specifies the test procedure demonstrating compliance with SUB-024 |
| VER-049 | SUB-023 | verifies | VER-049 specifies the test procedure demonstrating compliance with SUB-023 |
| VER-REQ-050 | SUB-REQ-031 | verifies | VER-REQ-050 specifies the test procedure demonstrating compliance with SUB-REQ-031 |
| VER-REQ-051 | SUB-REQ-032 | verifies | VER-REQ-051 specifies the test procedure demonstrating compliance with SUB-REQ-032 |
| VER-REQ-052 | SUB-REQ-033 | verifies | VER-REQ-052 specifies the test procedure demonstrating compliance with SUB-REQ-033 |
| VER-REQ-053 | SUB-REQ-034 | verifies | VER-REQ-053 specifies the test procedure demonstrating compliance with SUB-REQ-034 |
| VER-REQ-054 | SUB-REQ-035 | verifies | VER-REQ-054 specifies the test procedure demonstrating compliance with SUB-REQ-035 |
| VER-REQ-049 | SUB-REQ-029 | verifies | VER-REQ-049 specifies the test procedure demonstrating compliance with SUB-REQ-029 |
| VER-REQ-040 | SUB-REQ-022 | verifies | VER-REQ-040 specifies the test procedure demonstrating compliance with SUB-REQ-022 |
| VER-REQ-046 | SUB-REQ-027 | verifies | VER-REQ-046 specifies the test procedure demonstrating compliance with SUB-REQ-027 |
| VER-REQ-045 | SUB-REQ-025 | verifies | VER-REQ-045 specifies the test procedure demonstrating compliance with SUB-REQ-025 |
| VER-REQ-044 | SUB-REQ-023 | verifies | VER-REQ-044 specifies the test procedure demonstrating compliance with SUB-REQ-023 |
| SUB-REQ-057 | VER-REQ-111 | verifies | Planned shutdown sequence verified by commissioning test |
| SUB-REQ-055 | VER-REQ-110 | verifies | Structural seismic qualification analysis entry with explicit FEA stress ratio acceptance criteria |
| REQ-SESTEPFUSIONPOWERPLANT-042 | REQ-SESTEPFUSIONPOWERPLANT-059 | verifies | SUB-REQ-054 vacuum system component count verified by VER-REQ-089 commissioning inspection |
| REQ-SESTEPFUSIONPOWERPLANT-041 | REQ-SESTEPFUSIONPOWERPLANT-058 | verifies | SUB-REQ-053 cryogenic plant building floor area verified by VER-REQ-088 inspection |
| REQ-SESTEPFUSIONPOWERPLANT-040 | REQ-SESTEPFUSIONPOWERPLANT-057 | verifies | SUB-REQ-052 tritium plant confinement building verified by VER-REQ-087 structural inspection |
| REQ-SESTEPFUSIONPOWERPLANT-039 | REQ-SESTEPFUSIONPOWERPLANT-056 | verifies | SUB-REQ-051 turbine hall structural load verified by VER-REQ-086 inspection |
| REQ-SESTEPFUSIONPOWERPLANT-038 | REQ-SESTEPFUSIONPOWERPLANT-055 | verifies | SUB-REQ-050 ISS emergency isolation verified by VER-REQ-085 PPS integration test |
| REQ-SESTEPFUSIONPOWERPLANT-037 | REQ-SESTEPFUSIONPOWERPLANT-054 | verifies | SUB-REQ-049 ISS power supply verified by VER-REQ-084 electrical acceptance test |
| REQ-SESTEPFUSIONPOWERPLANT-029 | REQ-SESTEPFUSIONPOWERPLANT-060 | verifies | SUB-REQ-014 radiation zone classification verified by VER-REQ-096 area characterisation |
| REQ-SESTEPFUSIONPOWERPLANT-017 | REQ-SESTEPFUSIONPOWERPLANT-027 | verifies | SUB-REQ-013 vacuum base pressure verified by VER-REQ-023 pump-down test |
| REQ-SESTEPFUSIONPOWERPLANT-018 | REQ-SESTEPFUSIONPOWERPLANT-028 | verifies | SUB-REQ-012 divertor cassette replacement time verified by VER-REQ-022 RHS demonstration |
| REQ-SESTEPFUSIONPOWERPLANT-016 | REQ-SESTEPFUSIONPOWERPLANT-026 | verifies | SUB-REQ-011 PCS net power export verified by VER-REQ-021 commissioning test |
| REQ-SESTEPFUSIONPOWERPLANT-015 | REQ-SESTEPFUSIONPOWERPLANT-025 | verifies | SUB-REQ-010 tritium inventory uncertainty verified by VER-REQ-019 accountancy test |
| REQ-SESTEPFUSIONPOWERPLANT-014 | REQ-SESTEPFUSIONPOWERPLANT-024 | verifies | SUB-REQ-009 cryostat temperature verified by VER-REQ-020 cryogenic commissioning |
| REQ-SESTEPFUSIONPOWERPLANT-013 | REQ-SESTEPFUSIONPOWERPLANT-023 | verifies | SUB-REQ-008 TF coil field verified by VER-REQ-018 magnetic field mapping |
| REQ-SESTEPFUSIONPOWERPLANT-012 | REQ-SESTEPFUSIONPOWERPLANT-022 | verifies | SUB-REQ-007 divertor heat flux verified by VER-REQ-017 calorimetric test |
| SUB-REQ-056 | VER-REQ-101 | verifies | SUB-REQ-056 passive decay heat path verified by VER-REQ-101 loss-of-active-cooling test |
| SUB-REQ-055 | VER-REQ-100 | verifies | SUB-REQ-055 seismic structural requirement verified by VER-REQ-100 ASCE 4-16 analysis |
| REQ-SESTEPFUSIONPOWERPLANT-042 | REQ-SESTEPFUSIONPOWERPLANT-059 | verifies | SUB-REQ-054 is verified by VER-REQ-089 |
| REQ-SESTEPFUSIONPOWERPLANT-041 | REQ-SESTEPFUSIONPOWERPLANT-058 | verifies | SUB-REQ-053 is verified by VER-REQ-088 |
| REQ-SESTEPFUSIONPOWERPLANT-040 | REQ-SESTEPFUSIONPOWERPLANT-057 | verifies | SUB-REQ-052 is verified by VER-REQ-087 |
| REQ-SESTEPFUSIONPOWERPLANT-039 | REQ-SESTEPFUSIONPOWERPLANT-056 | verifies | SUB-REQ-051 is verified by VER-REQ-086 |
| REQ-SESTEPFUSIONPOWERPLANT-038 | REQ-SESTEPFUSIONPOWERPLANT-055 | verifies | SUB-REQ-050 is verified by VER-REQ-085 |
| REQ-SESTEPFUSIONPOWERPLANT-037 | REQ-SESTEPFUSIONPOWERPLANT-054 | verifies | SUB-REQ-049 is verified by VER-REQ-084 |
| REQ-SESTEPFUSIONPOWERPLANT-029 | REQ-SESTEPFUSIONPOWERPLANT-060 | verifies | SUB-REQ-014 is verified by VER-REQ-096 |
| REQ-SESTEPFUSIONPOWERPLANT-017 | REQ-SESTEPFUSIONPOWERPLANT-027 | verifies | SUB-REQ-013 is verified by VER-REQ-023 |
| REQ-SESTEPFUSIONPOWERPLANT-018 | REQ-SESTEPFUSIONPOWERPLANT-028 | verifies | SUB-REQ-012 is verified by VER-REQ-022 |
| REQ-SESTEPFUSIONPOWERPLANT-016 | REQ-SESTEPFUSIONPOWERPLANT-026 | verifies | SUB-REQ-011 is verified by VER-REQ-021 |
| REQ-SESTEPFUSIONPOWERPLANT-015 | REQ-SESTEPFUSIONPOWERPLANT-025 | verifies | SUB-REQ-010 is verified by VER-REQ-019 |
| REQ-SESTEPFUSIONPOWERPLANT-014 | REQ-SESTEPFUSIONPOWERPLANT-024 | verifies | SUB-REQ-009 is verified by VER-REQ-020 |
| REQ-SESTEPFUSIONPOWERPLANT-013 | REQ-SESTEPFUSIONPOWERPLANT-023 | verifies | SUB-REQ-008 is verified by VER-REQ-018 |
| REQ-SESTEPFUSIONPOWERPLANT-012 | REQ-SESTEPFUSIONPOWERPLANT-022 | verifies | SUB-REQ-007 is verified by VER-REQ-017 |
| REQ-SESTEPFUSIONPOWERPLANT-059 | REQ-SESTEPFUSIONPOWERPLANT-042 | verifies | VER-REQ-089 verifies SUB-REQ-054 vacuum penetrations count |
| REQ-SESTEPFUSIONPOWERPLANT-058 | REQ-SESTEPFUSIONPOWERPLANT-041 | verifies | VER-REQ-088 verifies SUB-REQ-053 cryogenic plant building |
| REQ-SESTEPFUSIONPOWERPLANT-057 | REQ-SESTEPFUSIONPOWERPLANT-040 | verifies | VER-REQ-087 verifies SUB-REQ-052 tritium plant confinement |
| REQ-SESTEPFUSIONPOWERPLANT-056 | REQ-SESTEPFUSIONPOWERPLANT-039 | verifies | VER-REQ-086 verifies SUB-REQ-051 turbine hall structure |
| REQ-SESTEPFUSIONPOWERPLANT-055 | REQ-SESTEPFUSIONPOWERPLANT-038 | verifies | VER-REQ-085 verifies SUB-REQ-050 PPS emergency isolation |
| REQ-SESTEPFUSIONPOWERPLANT-054 | REQ-SESTEPFUSIONPOWERPLANT-037 | verifies | VER-REQ-084 verifies SUB-REQ-049 ISS power consumption |
| REQ-SESTEPFUSIONPOWERPLANT-027 | REQ-SESTEPFUSIONPOWERPLANT-017 | verifies | VER-REQ-023 verifies SUB-REQ-013 vacuum base pressure |
| REQ-SESTEPFUSIONPOWERPLANT-028 | REQ-SESTEPFUSIONPOWERPLANT-018 | verifies | VER-REQ-022 verifies SUB-REQ-012 remote handling dexterity |
| REQ-SESTEPFUSIONPOWERPLANT-026 | REQ-SESTEPFUSIONPOWERPLANT-016 | verifies | VER-REQ-021 verifies SUB-REQ-011 net electrical output |
| REQ-SESTEPFUSIONPOWERPLANT-024 | REQ-SESTEPFUSIONPOWERPLANT-014 | verifies | VER-REQ-020 verifies SUB-REQ-009 cryogenic cooling capacity |
| REQ-SESTEPFUSIONPOWERPLANT-025 | REQ-SESTEPFUSIONPOWERPLANT-015 | verifies | VER-REQ-019 verifies SUB-REQ-010 tritium processing throughput |
| REQ-SESTEPFUSIONPOWERPLANT-023 | REQ-SESTEPFUSIONPOWERPLANT-013 | verifies | VER-REQ-018 verifies SUB-REQ-008 TF coil field strength |
| REQ-SESTEPFUSIONPOWERPLANT-022 | REQ-SESTEPFUSIONPOWERPLANT-012 | verifies | VER-REQ-017 verifies SUB-REQ-007 divertor heat load |
| REQ-SESTEPFUSIONPOWERPLANT-059 | REQ-SESTEPFUSIONPOWERPLANT-042 | verifies | VER-REQ-089 verifies SUB-REQ-054 |
| REQ-SESTEPFUSIONPOWERPLANT-058 | REQ-SESTEPFUSIONPOWERPLANT-041 | verifies | VER-REQ-088 verifies SUB-REQ-053 |
| REQ-SESTEPFUSIONPOWERPLANT-057 | REQ-SESTEPFUSIONPOWERPLANT-040 | verifies | VER-REQ-087 verifies SUB-REQ-052 |
| REQ-SESTEPFUSIONPOWERPLANT-056 | REQ-SESTEPFUSIONPOWERPLANT-039 | verifies | VER-REQ-086 verifies SUB-REQ-051 |
| REQ-SESTEPFUSIONPOWERPLANT-055 | REQ-SESTEPFUSIONPOWERPLANT-038 | verifies | VER-REQ-085 verifies SUB-REQ-050 |
| REQ-SESTEPFUSIONPOWERPLANT-054 | REQ-SESTEPFUSIONPOWERPLANT-037 | verifies | VER-REQ-084 verifies SUB-REQ-049 |
| REQ-SESTEPFUSIONPOWERPLANT-036 | SUB-REQ-045 | verifies | VER-REQ-073 verifies SUB-REQ-045 |
| REQ-SESTEPFUSIONPOWERPLANT-035 | SUB-REQ-044 | verifies | VER-REQ-072 verifies SUB-REQ-044 |
| REQ-SESTEPFUSIONPOWERPLANT-034 | SUB-REQ-043 | verifies | VER-REQ-071 verifies SUB-REQ-043 |
| REQ-SESTEPFUSIONPOWERPLANT-033 | SUB-REQ-040 | verifies | VER-REQ-070 verifies SUB-REQ-040 |
| REQ-SESTEPFUSIONPOWERPLANT-032 | SUB-REQ-039 | verifies | VER-REQ-069 verifies SUB-REQ-039 |
| REQ-SESTEPFUSIONPOWERPLANT-031 | SUB-REQ-038 | verifies | VER-REQ-068 verifies SUB-REQ-038 |
| VER-REQ-065 | SUB-REQ-041 | verifies | VER-REQ-065 verifies SUB-REQ-041 |
| VER-REQ-064 | SUB-REQ-036 | verifies | VER-REQ-064 verifies SUB-REQ-036 |
| VER-REQ-054 | SUB-REQ-035 | verifies | VER-REQ-054 verifies SUB-REQ-035 |
| VER-REQ-053 | SUB-REQ-034 | verifies | VER-REQ-053 verifies SUB-REQ-034 |
| VER-REQ-052 | SUB-REQ-033 | verifies | VER-REQ-052 verifies SUB-REQ-033 |
| VER-REQ-051 | SUB-REQ-032 | verifies | VER-REQ-051 verifies SUB-REQ-032 |
| VER-REQ-050 | SUB-REQ-031 | verifies | VER-REQ-050 verifies SUB-REQ-031 |
| VER-REQ-049 | SUB-REQ-029 | verifies | VER-REQ-049 verifies SUB-REQ-029 |
| VER-REQ-046 | SUB-REQ-027 | verifies | VER-REQ-046 verifies SUB-REQ-027 |
| VER-REQ-045 | SUB-REQ-025 | verifies | VER-REQ-045 verifies SUB-REQ-025 |
| VER-REQ-044 | SUB-REQ-023 | verifies | VER-REQ-044 verifies SUB-REQ-023 |
| VER-REQ-040 | SUB-REQ-022 | verifies | VER-REQ-040 verifies SUB-REQ-022 |
| VER-REQ-039 | SUB-REQ-018 | verifies | VER-REQ-039 verifies SUB-REQ-018 |
| VER-REQ-038 | SUB-REQ-017 | verifies | VER-REQ-038 verifies SUB-REQ-017 |
| VER-REQ-037 | SUB-REQ-016 | verifies | VER-REQ-037 verifies SUB-REQ-016 |
| VER-REQ-036 | SUB-REQ-015 | verifies | VER-REQ-036 verifies SUB-REQ-015 |
| REQ-SESTEPFUSIONPOWERPLANT-027 | REQ-SESTEPFUSIONPOWERPLANT-017 | verifies | VER-REQ-023 verifies SUB-REQ-013 |
| REQ-SESTEPFUSIONPOWERPLANT-028 | REQ-SESTEPFUSIONPOWERPLANT-018 | verifies | VER-REQ-022 verifies SUB-REQ-012 |
| REQ-SESTEPFUSIONPOWERPLANT-026 | REQ-SESTEPFUSIONPOWERPLANT-016 | verifies | VER-REQ-021 verifies SUB-REQ-011 |
| REQ-SESTEPFUSIONPOWERPLANT-024 | REQ-SESTEPFUSIONPOWERPLANT-014 | verifies | VER-REQ-020 verifies SUB-REQ-009 |
| REQ-SESTEPFUSIONPOWERPLANT-025 | REQ-SESTEPFUSIONPOWERPLANT-015 | verifies | VER-REQ-019 verifies SUB-REQ-010 |
| REQ-SESTEPFUSIONPOWERPLANT-023 | REQ-SESTEPFUSIONPOWERPLANT-013 | verifies | VER-REQ-018 verifies SUB-REQ-008 |
| REQ-SESTEPFUSIONPOWERPLANT-022 | REQ-SESTEPFUSIONPOWERPLANT-012 | verifies | VER-REQ-017 verifies SUB-REQ-007 |
| REQ-SESTEPFUSIONPOWERPLANT-019 | SUB-REQ-003 | verifies | VER-REQ-016 verifies SUB-REQ-003 |
| REQ-SESTEPFUSIONPOWERPLANT-020 | SUB-REQ-004 | verifies | VER-REQ-015 verifies SUB-REQ-004 |
| REQ-SESTEPFUSIONPOWERPLANT-021 | SUB-REQ-006 | verifies | VER-REQ-014 verifies SUB-REQ-006 |
| VER-REQ-012 | SUB-REQ-005 | verifies | VER-REQ-012 verifies SUB-REQ-005 |
| VER-REQ-011 | SUB-REQ-002 | verifies | VER-REQ-011 verifies SUB-REQ-002 |
| VER-REQ-010 | SUB-REQ-001 | verifies | VER-REQ-010 verifies SUB-REQ-001 |
| VER-049 | SUB-023 | verifies | VER-049 verifies SUB-023 |
| VER-048 | SUB-024 | verifies | VER-048 verifies SUB-024 |
| VER-047 | SUB-REQ-026 | verifies | VER-047 verifies SUB-REQ-026 |
| VER-046 | SUB-REQ-030 | verifies | VER-046 verifies SUB-REQ-030 |
| VER-045 | SUB-REQ-024 | verifies | VER-045 verifies SUB-REQ-024 |
| VER-044 | SUB-REQ-028 | verifies | VER-044 verifies SUB-REQ-028 |
| VER-043 | SUB-REQ-020 | verifies | VER-043 verifies SUB-REQ-020 |
| VER-042 | SUB-REQ-019 | verifies | VER-042 verifies SUB-REQ-019 |
| VER-041 | SUB-REQ-021 | verifies | VER-041 verifies SUB-REQ-021 |
| REQ-SESTEPFUSIONPOWERPLANT-060 | REQ-SESTEPFUSIONPOWERPLANT-029 | verifies | VER for radiation zone classification and access interlocks |
| REQ-SESTEPFUSIONPOWERPLANT-062 | SUB-REQ-042 | verifies | VER for gross-to-net thermal efficiency measurement |
| REQ-SESTEPFUSIONPOWERPLANT-061 | SUB-REQ-037 | verifies | VER for 90-day blanket module exchange demonstration |
| SUB-REQ-045 | REQ-SESTEPFUSIONPOWERPLANT-036 | verifies | SUB-REQ-045/VER-REQ-073 verification |
| SUB-REQ-044 | REQ-SESTEPFUSIONPOWERPLANT-035 | verifies | SUB-REQ-044/VER-REQ-072 verification |
| SUB-REQ-043 | REQ-SESTEPFUSIONPOWERPLANT-034 | verifies | SUB-REQ-043/VER-REQ-071 verification |
| SUB-REQ-040 | REQ-SESTEPFUSIONPOWERPLANT-033 | verifies | SUB-REQ-040/VER-REQ-070 verification |
| SUB-REQ-039 | REQ-SESTEPFUSIONPOWERPLANT-032 | verifies | SUB-REQ-039/VER-REQ-069 verification |
| SUB-REQ-038 | REQ-SESTEPFUSIONPOWERPLANT-031 | verifies | SUB-REQ-038/VER-REQ-068 verification |
| REQ-SESTEPFUSIONPOWERPLANT-042 | REQ-SESTEPFUSIONPOWERPLANT-059 | verifies | SUB-REQ-054 verification |
| REQ-SESTEPFUSIONPOWERPLANT-041 | REQ-SESTEPFUSIONPOWERPLANT-058 | verifies | SUB-REQ-053 verification |
| REQ-SESTEPFUSIONPOWERPLANT-040 | REQ-SESTEPFUSIONPOWERPLANT-057 | verifies | SUB-REQ-052 verification |
| REQ-SESTEPFUSIONPOWERPLANT-039 | REQ-SESTEPFUSIONPOWERPLANT-056 | verifies | SUB-REQ-051 verification |
| REQ-SESTEPFUSIONPOWERPLANT-038 | REQ-SESTEPFUSIONPOWERPLANT-055 | verifies | SUB-REQ-050 verification |
| REQ-SESTEPFUSIONPOWERPLANT-037 | REQ-SESTEPFUSIONPOWERPLANT-054 | verifies | SUB-REQ-049 verification |
| SUB-REQ-030 | VER-046 | verifies | SUB-REQ-030 is verified by VER-046 |
| SUB-023 | VER-049 | verifies | SUB-023 is verified by VER-049 |
| SUB-024 | VER-048 | verifies | SUB-024 is verified by VER-048 |
| SUB-REQ-019 | VER-042 | verifies | SUB-REQ-019 is verified by VER-042 |
| SUB-REQ-020 | VER-043 | verifies | SUB-REQ-020 is verified by VER-043 |
| SUB-REQ-021 | VER-041 | verifies | SUB-REQ-021 is verified by VER-041 |
| SUB-REQ-024 | VER-045 | verifies | SUB-REQ-024 is verified by VER-045 |
| SUB-REQ-026 | VER-047 | verifies | SUB-REQ-026 is verified by VER-047 |
| SUB-REQ-028 | VER-044 | verifies | SUB-REQ-028 is verified by VER-044 |
| SUB-REQ-045 | REQ-SESTEPFUSIONPOWERPLANT-036 | verifies | PCS turbine runback to 20% load within 60s on disruption signal verified by hardware test |
| SUB-REQ-044 | REQ-SESTEPFUSIONPOWERPLANT-035 | verifies | Steam generator ≥500 MWth heat transfer and ≤180°C primary outlet verified under plasma operation |
| SUB-REQ-043 | REQ-SESTEPFUSIONPOWERPLANT-034 | verifies | PCS grid code CC.6 compliance verified by witnessed measurement at 400kV metering point |
| SUB-REQ-040 | REQ-SESTEPFUSIONPOWERPLANT-033 | verifies | RHS fault halt ≤500ms and 30-minute load hold verified by hardware fault injection |
| SUB-REQ-039 | REQ-SESTEPFUSIONPOWERPLANT-032 | verifies | Transfer Cask biological shielding ≤2 mSv/hr verified by calibrated gamma survey |
| SUB-REQ-038 | REQ-SESTEPFUSIONPOWERPLANT-031 | verifies | RHS radiation hardening verified by Co-60 + neutron irradiation acceptance test |
| REQ-SESTEPFUSIONPOWERPLANT-029 | REQ-SESTEPFUSIONPOWERPLANT-030 | verifies | Radiation Protection System zoning classification verified by full-plant dose rate survey |
| REQ-SESTEPFUSIONPOWERPLANT-017 | REQ-SESTEPFUSIONPOWERPLANT-027 | verifies | Vacuum System pump-down to 1e-7 Pa base pressure verified after vessel bakeout |
| REQ-SESTEPFUSIONPOWERPLANT-018 | REQ-SESTEPFUSIONPOWERPLANT-028 | verifies | RHS divertor cassette 21-day replacement schedule verified by full-scale test facility |
| REQ-SESTEPFUSIONPOWERPLANT-016 | REQ-SESTEPFUSIONPOWERPLANT-026 | verifies | PCS steam turbine 100MW net export verified by sustained full-power plasma operation |
| REQ-SESTEPFUSIONPOWERPLANT-015 | REQ-SESTEPFUSIONPOWERPLANT-025 | verifies | Tritium accountability ±1g uncertainty verified by integrated commissioning inventory test |
| REQ-SESTEPFUSIONPOWERPLANT-014 | REQ-SESTEPFUSIONPOWERPLANT-024 | verifies | Cryogenic Plant 4.5K magnet cooling verified by cold commissioning test |
| REQ-SESTEPFUSIONPOWERPLANT-013 | REQ-SESTEPFUSIONPOWERPLANT-023 | verifies | SMS TF coil 3.0T field and quench detection verified by energisation test |
| REQ-SESTEPFUSIONPOWERPLANT-012 | REQ-SESTEPFUSIONPOWERPLANT-022 | verifies | TCA first wall heat flux verified by stepped plasma power commissioning |
| SUB-REQ-006 | REQ-SESTEPFUSIONPOWERPLANT-021 | verifies | Disruption mitigation material injection verified by injection timing test |
| SUB-REQ-004 | REQ-SESTEPFUSIONPOWERPLANT-020 | verifies | PCS DAQ front-end 40+ channel synchronous sampling verified by pulse injection |
| SUB-REQ-003 | REQ-SESTEPFUSIONPOWERPLANT-019 | verifies | PCS dual-redundant controller verified by failover injection test |
| SUB-REQ-042 | VER-REQ-067 | verifies | Plasma commissioning energy chain test verifies PCS efficiency |
| SUB-REQ-037 | VER-REQ-066 | verifies | Integration trial verifies RHS campaign duration and end-to-end capability |
| SUB-REQ-041 | VER-REQ-065 | verifies | Plasma commissioning power measurement verifies net electrical output |
| SUB-REQ-036 | VER-REQ-064 | verifies | Laser tracker positioning test verifies IVIMM accuracy |
| SUB-REQ-035 | VER-REQ-054 | verifies | Hardware fault injection verifies CCS safe-state timing |
| SUB-REQ-034 | VER-REQ-053 | verifies | Full cool-down run verifies CCS gradient control |
| SUB-REQ-001 | VER-REQ-010 | verifies | Hardware-in-the-loop timing test verifies 1 ms cycle time |
| SUB-REQ-002 | VER-REQ-011 | verifies | Disruption database replay verifies detection probability and latency |
| SUB-REQ-005 | VER-REQ-012 | verifies | Fault injection demonstration verifies PCS safe state transition |
| SUB-REQ-015 | VER-REQ-036 | verifies | Helium leak test and hydrostatic test for vessel integrity |
| SUB-REQ-016 | VER-REQ-037 | verifies | MCNP6 neutronics analysis for blanket TBR performance |
| SUB-REQ-017 | VER-REQ-038 | verifies | FEM electromagnetic analysis and post-disruption leak test for safe state |
| SUB-REQ-018 | VER-REQ-039 | verifies | PEPS throughput test verifies SUB-REQ-018 |
| SUB-REQ-022 | VER-REQ-040 | verifies | ADS safety function test verifies SUB-REQ-022 |
| SUB-REQ-025 | VER-REQ-045 | verifies | TF field performance verified by Hall probe measurement |
| SUB-REQ-027 | VER-REQ-046 | verifies | MPSS energy extraction verified by timed interlock test |
| SUB-REQ-023 | VER-REQ-044 | verifies | QDPS quench detection verified by resistive voltage injection test |
| SUB-REQ-018 | VER-REQ-043 | verifies | Tritium Plant SUB requirement verified by end-to-end commissioning test |
| SUB-REQ-029 | VER-REQ-049 | verifies | VS pump pressure verified by vacuum measurement test |
| SUB-REQ-031 | VER-REQ-050 | verifies | Calorimetric single-train test verifies HRS redundancy capacity |
| SUB-REQ-032 | VER-REQ-051 | verifies | Recovery test verifies HMS 95% helium capture |
| IFC-REQ-036 | VER-REQ-063 | verifies | Disruption signal latency test verifies PCS-PCS interface |
| REQ-SESTEPFUSIONPOWERPLANT-105 | REQ-SESTEPFUSIONPOWERPLANT-001 | verifies | Verification test for IFC-REQ-010 |
| REQ-SESTEPFUSIONPOWERPLANT-108 | REQ-SESTEPFUSIONPOWERPLANT-003 | verifies | Verification test for IFC-REQ-013 |
| REQ-SESTEPFUSIONPOWERPLANT-109 | REQ-SESTEPFUSIONPOWERPLANT-005 | verifies | Verification test for IFC-REQ-014 |
| REQ-SESTEPFUSIONPOWERPLANT-106 | REQ-SESTEPFUSIONPOWERPLANT-002 | verifies | Verification test for IFC-REQ-011 |
| REQ-SESTEPFUSIONPOWERPLANT-107 | REQ-SESTEPFUSIONPOWERPLANT-004 | verifies | Verification test for IFC-REQ-012 |
| REQ-SESTEPFUSIONPOWERPLANT-112 | REQ-SESTEPFUSIONPOWERPLANT-009 | verifies | Verification test for IFC-REQ-017 |
| REQ-SESTEPFUSIONPOWERPLANT-113 | REQ-SESTEPFUSIONPOWERPLANT-008 | verifies | Verification test for IFC-REQ-018 |
| REQ-SESTEPFUSIONPOWERPLANT-110 | REQ-SESTEPFUSIONPOWERPLANT-007 | verifies | Verification test for IFC-REQ-015 |
| REQ-SESTEPFUSIONPOWERPLANT-111 | REQ-SESTEPFUSIONPOWERPLANT-006 | verifies | Verification test for IFC-REQ-016 |
| REQ-SESTEPFUSIONPOWERPLANT-114 | REQ-SESTEPFUSIONPOWERPLANT-010 | verifies | Verification test for IFC-REQ-019 |
| REQ-SESTEPFUSIONPOWERPLANT-115 | REQ-SESTEPFUSIONPOWERPLANT-011 | verifies | Verification test for IFC-REQ-020 |
| REQ-SESTEPFUSIONPOWERPLANT-053 | IFC-REQ-023 | verifies | VER-REQ-083 verifies TP-CP cryogenic tritium interface IFC-REQ-023 |
| REQ-SESTEPFUSIONPOWERPLANT-052 | IFC-REQ-009 | verifies | VER-REQ-082 provides second verification for PCS grid export interface IFC-REQ-009 |
| REQ-SESTEPFUSIONPOWERPLANT-051 | IFC-REQ-008 | verifies | VER-REQ-081 provides second verification for RHS-TCA port access interface IFC-REQ-008 |
| REQ-SESTEPFUSIONPOWERPLANT-050 | IFC-REQ-007 | verifies | VER-REQ-080 provides second verification for TCA-VS vacuum interface IFC-REQ-007 |
| REQ-SESTEPFUSIONPOWERPLANT-049 | IFC-REQ-006 | verifies | VER-REQ-079 provides second verification for PCS-SMS coil current interface IFC-REQ-006 |
| REQ-SESTEPFUSIONPOWERPLANT-048 | IFC-REQ-005 | verifies | VER-REQ-078 provides second verification for TCA-PCS diagnostic interface IFC-REQ-005 |
| REQ-SESTEPFUSIONPOWERPLANT-047 | IFC-REQ-004 | verifies | VER-REQ-077 provides second verification for TCA-PCS coolant interface IFC-REQ-004 |
| REQ-SESTEPFUSIONPOWERPLANT-046 | IFC-REQ-003 | verifies | VER-REQ-076 provides second verification for TP-TCA pellet injection interface IFC-REQ-003 |
| REQ-SESTEPFUSIONPOWERPLANT-045 | IFC-REQ-002 | verifies | VER-REQ-075 provides second verification for CP-SMS cryogenic interface IFC-REQ-002 |
| REQ-SESTEPFUSIONPOWERPLANT-044 | IFC-REQ-001 | verifies | VER-REQ-074 provides second verification for TCA-SMS magnetic field interface IFC-REQ-001 |
| VER-REQ-035 | REQ-SESTEPFUSIONPOWERPLANT-011 | verifies | VER-REQ-035 verifies vessel bakeout heating interface IFC-REQ-020 |
| VER-REQ-034 | REQ-SESTEPFUSIONPOWERPLANT-010 | verifies | VER-REQ-034 verifies station auxiliary load interface IFC-REQ-019 |
| VER-REQ-033 | REQ-SESTEPFUSIONPOWERPLANT-008 | verifies | VER-REQ-033 verifies PCS-TCA auxiliary AC power interface IFC-REQ-018 |
| VER-REQ-032 | REQ-SESTEPFUSIONPOWERPLANT-009 | verifies | VER-REQ-032 verifies RHS-PCS plasma-active interlock IFC-REQ-017 |
| VER-REQ-031 | REQ-SESTEPFUSIONPOWERPLANT-006 | verifies | VER-REQ-031 verifies cryogenic pumping interface IFC-REQ-016 |
| VER-REQ-030 | REQ-SESTEPFUSIONPOWERPLANT-007 | verifies | VER-REQ-030 verifies RHS-TCA remote handling port interface IFC-REQ-015 |
| VER-REQ-029 | REQ-SESTEPFUSIONPOWERPLANT-005 | verifies | VER-REQ-029 verifies PCS-SMS coil current interface IFC-REQ-014 |
| VER-REQ-028 | REQ-SESTEPFUSIONPOWERPLANT-003 | verifies | VER-REQ-028 verifies PCS-TSDS pellet injection interface IFC-REQ-013 |
| VER-REQ-027 | REQ-SESTEPFUSIONPOWERPLANT-004 | verifies | VER-REQ-027 verifies PCS-TCA fuelling interface IFC-REQ-012 |
| VER-REQ-026 | REQ-SESTEPFUSIONPOWERPLANT-002 | verifies | VER-REQ-026 verifies vacuum-tritium exhaust interface IFC-REQ-011 |
| VER-REQ-025 | REQ-SESTEPFUSIONPOWERPLANT-001 | verifies | VER-REQ-025 verifies N2 supply to tritium plant interface IFC-REQ-010 |
| VER-REQ-061 | IFC-REQ-034 | verifies | VER-REQ-061 specifies the test procedure demonstrating compliance with IFC-REQ-034 |
| VER-REQ-060 | IFC-REQ-033 | verifies | VER-REQ-060 specifies the test procedure demonstrating compliance with IFC-REQ-033 |
| VER-REQ-063 | IFC-REQ-036 | verifies | VER-REQ-063 specifies the test procedure demonstrating compliance with IFC-REQ-036 |
| VER-REQ-062 | IFC-REQ-035 | verifies | VER-REQ-062 specifies the test procedure demonstrating compliance with IFC-REQ-035 |
| VER-REQ-007 | IFC-REQ-007 | verifies | VER-REQ-007 specifies the test procedure demonstrating compliance with IFC-REQ-007 |
| VER-REQ-006 | IFC-REQ-006 | verifies | VER-REQ-006 specifies the test procedure demonstrating compliance with IFC-REQ-006 |
| VER-REQ-005 | IFC-REQ-005 | verifies | VER-REQ-005 specifies the test procedure demonstrating compliance with IFC-REQ-005 |
| VER-REQ-004 | IFC-REQ-004 | verifies | VER-REQ-004 specifies the test procedure demonstrating compliance with IFC-REQ-004 |
| VER-REQ-003 | IFC-REQ-003 | verifies | VER-REQ-003 specifies the test procedure demonstrating compliance with IFC-REQ-003 |
| VER-REQ-002 | IFC-REQ-002 | verifies | VER-REQ-002 specifies the test procedure demonstrating compliance with IFC-REQ-002 |
| VER-REQ-001 | IFC-REQ-001 | verifies | VER-REQ-001 specifies the test procedure demonstrating compliance with IFC-REQ-001 |
| VER-REQ-009 | IFC-REQ-009 | verifies | VER-REQ-009 specifies the test procedure demonstrating compliance with IFC-REQ-009 |
| VER-REQ-008 | IFC-REQ-008 | verifies | VER-REQ-008 specifies the test procedure demonstrating compliance with IFC-REQ-008 |
| VER-039 | IFC-REQ-024 | verifies | VER-039 specifies the test procedure demonstrating compliance with IFC-REQ-024 |
| VER-040 | IFC-REQ-027 | verifies | VER-040 specifies the test procedure demonstrating compliance with IFC-REQ-027 |
| VER-REQ-058 | IFC-REQ-031 | verifies | VER-REQ-058 specifies the test procedure demonstrating compliance with IFC-REQ-031 |
| VER-REQ-059 | IFC-REQ-032 | verifies | VER-REQ-059 specifies the test procedure demonstrating compliance with IFC-REQ-032 |
| VER-REQ-055 | IFC-REQ-028 | verifies | VER-REQ-055 specifies the test procedure demonstrating compliance with IFC-REQ-028 |
| VER-REQ-056 | IFC-REQ-029 | verifies | VER-REQ-056 specifies the test procedure demonstrating compliance with IFC-REQ-029 |
| VER-REQ-057 | IFC-REQ-030 | verifies | VER-REQ-057 specifies the test procedure demonstrating compliance with IFC-REQ-030 |
| VER-REQ-048 | IFC-REQ-026 | verifies | VER-REQ-048 specifies the test procedure demonstrating compliance with IFC-REQ-026 |
| VER-REQ-042 | IFC-REQ-022 | verifies | VER-REQ-042 specifies the test procedure demonstrating compliance with IFC-REQ-022 |
| VER-REQ-041 | IFC-REQ-021 | verifies | VER-REQ-041 specifies the test procedure demonstrating compliance with IFC-REQ-021 |
| VER-REQ-047 | IFC-REQ-025 | verifies | VER-REQ-047 specifies the test procedure demonstrating compliance with IFC-REQ-025 |
| REQ-SESTEPFUSIONPOWERPLANT-011 | VER-REQ-035 | verifies | IFC-REQ-020 TCA to Cryogenic Plant bake-out interface verified by VER-REQ-035 |
| REQ-SESTEPFUSIONPOWERPLANT-010 | VER-REQ-034 | verifies | IFC-REQ-019 Grid to PCS station load interface verified by VER-REQ-034 grid connection test |
| REQ-SESTEPFUSIONPOWERPLANT-008 | VER-REQ-033 | verifies | IFC-REQ-018 PCS to TCA auxiliary power supply interface verified by VER-REQ-033 |
| REQ-SESTEPFUSIONPOWERPLANT-009 | VER-REQ-032 | verifies | IFC-REQ-017 PCS to RHS plasma inhibit hardwire interface verified by VER-REQ-032 |
| REQ-SESTEPFUSIONPOWERPLANT-006 | VER-REQ-031 | verifies | IFC-REQ-016 Cryogenic Plant to Vacuum System cold heads verified by VER-REQ-031 |
| REQ-SESTEPFUSIONPOWERPLANT-007 | VER-REQ-030 | verifies | IFC-REQ-015 RHS tritium boundary interface verified by VER-REQ-030 contamination inspection |
| REQ-SESTEPFUSIONPOWERPLANT-005 | VER-REQ-029 | verifies | IFC-REQ-014 coil power supply to SMS interface verified by VER-REQ-029 magnet energisation test |
| REQ-SESTEPFUSIONPOWERPLANT-003 | VER-REQ-028 | verifies | IFC-REQ-013 pellet fuel injection interface verified by VER-REQ-028 fuelling integration test |
| REQ-SESTEPFUSIONPOWERPLANT-004 | VER-REQ-027 | verifies | IFC-REQ-012 PCS to vacuum system neutral gas signal interface verified by VER-REQ-027 |
| REQ-SESTEPFUSIONPOWERPLANT-002 | VER-REQ-026 | verifies | IFC-REQ-011 vacuum exhaust to Tritium Plant interface verified by VER-REQ-026 |
| REQ-SESTEPFUSIONPOWERPLANT-001 | VER-REQ-025 | verifies | IFC-REQ-010 LN2 supply interface verified by VER-REQ-025 cryogenic interface test |
| REQ-SESTEPFUSIONPOWERPLANT-053 | IFC-REQ-023 | verifies | VER-REQ-083 verifies IFC-REQ-023 |
| VER-REQ-063 | IFC-REQ-036 | verifies | VER-REQ-063 verifies IFC-REQ-036 |
| VER-REQ-062 | IFC-REQ-035 | verifies | VER-REQ-062 verifies IFC-REQ-035 |
| VER-REQ-061 | IFC-REQ-034 | verifies | VER-REQ-061 verifies IFC-REQ-034 |
| VER-REQ-060 | IFC-REQ-033 | verifies | VER-REQ-060 verifies IFC-REQ-033 |
| VER-REQ-059 | IFC-REQ-032 | verifies | VER-REQ-059 verifies IFC-REQ-032 |
| VER-REQ-058 | IFC-REQ-031 | verifies | VER-REQ-058 verifies IFC-REQ-031 |
| VER-REQ-057 | IFC-REQ-030 | verifies | VER-REQ-057 verifies IFC-REQ-030 |
| VER-REQ-056 | IFC-REQ-029 | verifies | VER-REQ-056 verifies IFC-REQ-029 |
| VER-REQ-055 | IFC-REQ-028 | verifies | VER-REQ-055 verifies IFC-REQ-028 |
| VER-040 | IFC-REQ-027 | verifies | VER-040 verifies IFC-REQ-027 |
| VER-REQ-048 | IFC-REQ-026 | verifies | VER-REQ-048 verifies IFC-REQ-026 |
| VER-REQ-047 | IFC-REQ-025 | verifies | VER-REQ-047 verifies IFC-REQ-025 |
| VER-039 | IFC-REQ-024 | verifies | VER-039 verifies IFC-REQ-024 |
| VER-REQ-042 | IFC-REQ-022 | verifies | VER-REQ-042 verifies IFC-REQ-022 |
| VER-REQ-041 | IFC-REQ-021 | verifies | VER-REQ-041 verifies IFC-REQ-021 |
| VER-REQ-035 | REQ-SESTEPFUSIONPOWERPLANT-011 | verifies | VER-REQ-035 verifies IFC-REQ-020 |
| VER-REQ-034 | REQ-SESTEPFUSIONPOWERPLANT-010 | verifies | VER-REQ-034 verifies IFC-REQ-019 |
| VER-REQ-033 | REQ-SESTEPFUSIONPOWERPLANT-008 | verifies | VER-REQ-033 verifies IFC-REQ-018 |
| VER-REQ-032 | REQ-SESTEPFUSIONPOWERPLANT-009 | verifies | VER-REQ-032 verifies IFC-REQ-017 |
| VER-REQ-031 | REQ-SESTEPFUSIONPOWERPLANT-006 | verifies | VER-REQ-031 verifies IFC-REQ-016 |
| VER-REQ-030 | REQ-SESTEPFUSIONPOWERPLANT-007 | verifies | VER-REQ-030 verifies IFC-REQ-015 |
| VER-REQ-029 | REQ-SESTEPFUSIONPOWERPLANT-005 | verifies | VER-REQ-029 verifies IFC-REQ-014 |
| VER-REQ-028 | REQ-SESTEPFUSIONPOWERPLANT-003 | verifies | VER-REQ-028 verifies IFC-REQ-013 |
| VER-REQ-027 | REQ-SESTEPFUSIONPOWERPLANT-004 | verifies | VER-REQ-027 verifies IFC-REQ-012 |
| VER-REQ-026 | REQ-SESTEPFUSIONPOWERPLANT-002 | verifies | VER-REQ-026 verifies IFC-REQ-011 |
| VER-REQ-025 | REQ-SESTEPFUSIONPOWERPLANT-001 | verifies | VER-REQ-025 verifies IFC-REQ-010 |
| VER-REQ-009 | IFC-REQ-009 | verifies | VER-REQ-009 verifies IFC-REQ-009 interface requirement |
| VER-REQ-008 | IFC-REQ-008 | verifies | VER-REQ-008 verifies IFC-REQ-008 interface requirement |
| VER-REQ-007 | IFC-REQ-007 | verifies | VER-REQ-007 verifies IFC-REQ-007 interface requirement |
| VER-REQ-006 | IFC-REQ-006 | verifies | VER-REQ-006 verifies IFC-REQ-006 interface requirement |
| VER-REQ-005 | IFC-REQ-005 | verifies | VER-REQ-005 verifies IFC-REQ-005 interface requirement |
| VER-REQ-004 | IFC-REQ-004 | verifies | VER-REQ-004 verifies IFC-REQ-004 interface requirement |
| VER-REQ-003 | IFC-REQ-003 | verifies | VER-REQ-003 verifies IFC-REQ-003 interface requirement |
| VER-REQ-002 | IFC-REQ-002 | verifies | VER-REQ-002 verifies IFC-REQ-002 interface requirement |
| VER-REQ-001 | IFC-REQ-001 | verifies | VER-REQ-001 verifies IFC-REQ-001 interface requirement |
| IFC-REQ-023 | REQ-SESTEPFUSIONPOWERPLANT-053 | verifies | BTES-ISS tritium transfer interface verification |
| IFC-REQ-027 | VER-040 | verifies | IFC-REQ-027 is verified by VER-040 |
| IFC-REQ-024 | VER-039 | verifies | IFC-REQ-024 is verified by VER-039 |
| IFC-REQ-009 | REQ-SESTEPFUSIONPOWERPLANT-052 | verifies | PCS/Grid power export interface verification |
| IFC-REQ-008 | REQ-SESTEPFUSIONPOWERPLANT-051 | verifies | RHS/TCA maintenance access interface verification |
| IFC-REQ-007 | REQ-SESTEPFUSIONPOWERPLANT-050 | verifies | Vacuum System/TCA base pressure interface verification |
| IFC-REQ-006 | REQ-SESTEPFUSIONPOWERPLANT-049 | verifies | PCS/SMS coil current command interface verification |
| IFC-REQ-005 | REQ-SESTEPFUSIONPOWERPLANT-048 | verifies | PCS/TCA diagnostic data interface verification |
| IFC-REQ-004 | REQ-SESTEPFUSIONPOWERPLANT-047 | verifies | TCA/PCS thermal power transfer interface verification |
| IFC-REQ-003 | REQ-SESTEPFUSIONPOWERPLANT-046 | verifies | Tritium Plant/TCA fuel injection interface verification |
| IFC-REQ-002 | REQ-SESTEPFUSIONPOWERPLANT-045 | verifies | Cryo/SMS helium coolant interface verification |
| IFC-REQ-001 | REQ-SESTEPFUSIONPOWERPLANT-044 | verifies | TCA/SMS magnetic field interface verification |
| REQ-SESTEPFUSIONPOWERPLANT-011 | VER-REQ-035 | verifies | TCA-Cryo bakeout hot gas interface verified by vessel bakeout heating test |
| REQ-SESTEPFUSIONPOWERPLANT-010 | VER-REQ-034 | verifies | Grid-PCS station load import interface verified by commissioning grid connection test |
| REQ-SESTEPFUSIONPOWERPLANT-008 | VER-REQ-033 | verifies | PCS-TCA auxiliary AC power interface verified by commissioning supply test |
| REQ-SESTEPFUSIONPOWERPLANT-009 | VER-REQ-032 | verifies | PCS-RHS hardwired plasma-off interlock verified by interlock assertion test |
| REQ-SESTEPFUSIONPOWERPLANT-006 | VER-REQ-031 | verifies | Cryo-Vacuum 4.5K cold head interface verified by integrated commissioning test |
| REQ-SESTEPFUSIONPOWERPLANT-007 | VER-REQ-030 | verifies | RHS-Tritium Plant tool decontamination interface verified by full-scale mock-up |
| REQ-SESTEPFUSIONPOWERPLANT-005 | VER-REQ-029 | verifies | Coil power supply DC current interface verified by step setpoint test |
| REQ-SESTEPFUSIONPOWERPLANT-003 | VER-REQ-028 | verifies | PCS-Tritium pellet injection command interface verified by injection sequence test |
| REQ-SESTEPFUSIONPOWERPLANT-004 | VER-REQ-027 | verifies | PCS-Vacuum pumping setpoint interface verified by calibrated neutral gas pulses |
| REQ-SESTEPFUSIONPOWERPLANT-002 | VER-REQ-026 | verifies | Tritiated exhaust interface verified by simulated exhaust gas injection |
| REQ-SESTEPFUSIONPOWERPLANT-001 | VER-REQ-025 | verifies | LN2 supply interface (77K, 0.5kg/s) verified by cryogenic commissioning flow test |
| IFC-REQ-001 | VER-REQ-001 | verifies | Integration test verification for IFC-REQ-001 |
| IFC-REQ-002 | VER-REQ-002 | verifies | Integration test verification for IFC-REQ-002 |
| IFC-REQ-003 | VER-REQ-003 | verifies | Integration test verification for IFC-REQ-003 |
| IFC-REQ-004 | VER-REQ-004 | verifies | Integration test verification for IFC-REQ-004 |
| IFC-REQ-005 | VER-REQ-005 | verifies | Integration test verification for IFC-REQ-005 |
| IFC-REQ-006 | VER-REQ-006 | verifies | Integration test verification for IFC-REQ-006 |
| IFC-REQ-007 | VER-REQ-007 | verifies | Integration test verification for IFC-REQ-007 |
| IFC-REQ-008 | VER-REQ-008 | verifies | Integration test verification for IFC-REQ-008 |
| IFC-REQ-009 | VER-REQ-009 | verifies | Integration test verification for IFC-REQ-009 |
| REQ-SESTEPFUSIONPOWERPLANT-001 | VER-REQ-025 | verifies | Integration test for LN2 supply to Tritium Plant cryo interface |
| REQ-SESTEPFUSIONPOWERPLANT-002 | VER-REQ-026 | verifies | Integration test for tritiated exhaust gas transfer at vacuum-tritium interface |
| REQ-SESTEPFUSIONPOWERPLANT-004 | VER-REQ-027 | verifies | Integration test for PCS vacuum neutral gas signal latency and accuracy |
| REQ-SESTEPFUSIONPOWERPLANT-003 | VER-REQ-028 | verifies | Integration test for PCS pellet injection command interface |
| REQ-SESTEPFUSIONPOWERPLANT-005 | VER-REQ-029 | verifies | Integration test for coil power supply command and quench alarm relay |
| REQ-SESTEPFUSIONPOWERPLANT-007 | VER-REQ-030 | verifies | Demonstration test for RHS-tritium plant remote handling compatibility |
| REQ-SESTEPFUSIONPOWERPLANT-006 | VER-REQ-031 | verifies | Integration test for cryogenic cold heads in vacuum chamber |
| REQ-SESTEPFUSIONPOWERPLANT-009 | VER-REQ-032 | verifies | Safety test for PCS-RHS plasma-active hardwired interlock |
| REQ-SESTEPFUSIONPOWERPLANT-008 | VER-REQ-033 | verifies | Integration test for TCA auxiliary AC power supply from Power Conversion |
| REQ-SESTEPFUSIONPOWERPLANT-010 | VER-REQ-034 | verifies | Commissioning test for grid import station load measurement |
| REQ-SESTEPFUSIONPOWERPLANT-011 | VER-REQ-035 | verifies | Integration test for TCA vessel bakeout heating interface |
| IFC-REQ-021 | VER-REQ-041 | verifies | Integration test verifies PEPS-ISS interface compliance |
| IFC-REQ-022 | VER-REQ-042 | verifies | Integration test verifies ISS-TSDS batch transfer compliance |
| IFC-REQ-025 | VER-REQ-047 | verifies | MPSS-TF power interface verified by instrumented ramp test |
| IFC-REQ-026 | VER-REQ-048 | verifies | QDPS-TF voltage tap interface verified by bandwidth and impedance test |
| IFC-REQ-028 | VER-REQ-055 | verifies | Cold commissioning test verifies HRS-CTLN interface conditions |
| IFC-REQ-029 | VER-REQ-056 | verifies | Fieldbus latency and e-stop independence test verifies CCS-HRS interface |
| IFC-REQ-030 | VER-REQ-057 | verifies | Post-quench test verifies HMS-HRS gas supply interface |
| IFC-REQ-031 | VER-REQ-058 | verifies | EtherCAT latency test verifies IVIMM command interface |
| IFC-REQ-032 | VER-REQ-059 | verifies | Helium leak test verifies cask-port docking interface |
| IFC-REQ-033 | VER-REQ-060 | verifies | Video latency test verifies viewing system interface |
| IFC-REQ-034 | VER-REQ-061 | verifies | Pressure test and leak test verify SG primary-secondary boundary |
| IFC-REQ-035 | VER-REQ-062 | verifies | Commissioning electrical test verifies turbine-generator to grid interface |
| REQ-SESTEPFUSIONPOWERPLANT-071 | REQ-SESTEPFUSIONPOWERPLANT-043 | verifies | VER-REQ-109 verifies radiobiological protection requirement SYS-REQ-016 |
| REQ-SESTEPFUSIONPOWERPLANT-070 | SYS-REQ-015 | verifies | VER-REQ-108 verifies grid code compliance requirement SYS-REQ-015 |
| REQ-SESTEPFUSIONPOWERPLANT-069 | SYS-REQ-014 | verifies | VER-REQ-107 verifies activated material inventory requirement SYS-REQ-014 |
| REQ-SESTEPFUSIONPOWERPLANT-068 | SYS-REQ-013 | verifies | VER-REQ-106 verifies diagnostic system requirement SYS-REQ-013 |
| REQ-SESTEPFUSIONPOWERPLANT-067 | SYS-REQ-010 | verifies | VER-REQ-105 verifies plant availability requirement SYS-REQ-010 |
| REQ-SESTEPFUSIONPOWERPLANT-066 | SYS-REQ-009 | verifies | VER-REQ-104 verifies remote handling campaign requirement SYS-REQ-009 |
| REQ-SESTEPFUSIONPOWERPLANT-065 | SYS-REQ-008 | verifies | VER-REQ-103 verifies vacuum base pressure requirement SYS-REQ-008 |
| REQ-SESTEPFUSIONPOWERPLANT-064 | SYS-REQ-003 | verifies | VER-REQ-102 verifies tritium breeding ratio requirement SYS-REQ-003 |
| REQ-SESTEPFUSIONPOWERPLANT-063 | SYS-REQ-001 | verifies | VER-REQ-099 verifies system-level plasma burn requirement SYS-REQ-001 |
| VER-REQ-067 | SYS-REQ-002 | verifies | VER-REQ-067 specifies the test procedure demonstrating compliance with SYS-REQ-002 |
| VER-REQ-066 | SYS-REQ-009 | verifies | VER-REQ-066 specifies the test procedure demonstrating compliance with SYS-REQ-009 |
| VER-REQ-013 | SYS-REQ-004 | verifies | VER-REQ-013 specifies the test procedure demonstrating compliance with SYS-REQ-004 |
| VER-REQ-094 | SYS-REQ-011 | verifies | VER-REQ-094 specifies the test procedure demonstrating compliance with SYS-REQ-011 |
| VER-REQ-095 | SYS-REQ-012 | verifies | VER-REQ-095 specifies the test procedure demonstrating compliance with SYS-REQ-012 |
| VER-REQ-090 | SYS-REQ-004 | verifies | VER-REQ-090 specifies the test procedure demonstrating compliance with SYS-REQ-004 |
| VER-REQ-091 | SYS-REQ-005 | verifies | VER-REQ-091 specifies the test procedure demonstrating compliance with SYS-REQ-005 |
| VER-REQ-092 | SYS-REQ-006 | verifies | VER-REQ-092 specifies the test procedure demonstrating compliance with SYS-REQ-006 |
| VER-REQ-093 | SYS-REQ-007 | verifies | VER-REQ-093 specifies the test procedure demonstrating compliance with SYS-REQ-007 |
| VER-REQ-043 | SYS-REQ-003 | verifies | VER-REQ-043 specifies the test procedure demonstrating compliance with SYS-REQ-003 |
| REQ-SESTEPFUSIONPOWERPLANT-043 | REQ-SESTEPFUSIONPOWERPLANT-071 | verifies | SYS-REQ-016 radiobiological protection verified by VER-REQ-109 dose assessment and RPS approval |
| SYS-REQ-015 | REQ-SESTEPFUSIONPOWERPLANT-070 | verifies | SYS-REQ-015 Grid Code power quality verified by VER-REQ-108 grid connection test |
| SYS-REQ-014 | REQ-SESTEPFUSIONPOWERPLANT-069 | verifies | SYS-REQ-014 decommissioning waste fraction verified by VER-REQ-107 activation analysis |
| SYS-REQ-013 | REQ-SESTEPFUSIONPOWERPLANT-068 | verifies | SYS-REQ-013 plasma diagnostic coverage verified by VER-REQ-106 commissioning enumeration |
| SYS-REQ-010 | REQ-SESTEPFUSIONPOWERPLANT-067 | verifies | SYS-REQ-010 operational availability verified by VER-REQ-105 campaign log analysis |
| SYS-REQ-009 | REQ-SESTEPFUSIONPOWERPLANT-066 | verifies | SYS-REQ-009 remote handling campaign time verified by VER-REQ-104 full-scale RHS demonstration |
| SYS-REQ-008 | REQ-SESTEPFUSIONPOWERPLANT-065 | verifies | SYS-REQ-008 ultra-high vacuum integrity verified by VER-REQ-103 pump-down and leak test |
| SYS-REQ-003 | REQ-SESTEPFUSIONPOWERPLANT-064 | verifies | SYS-REQ-003 TBR ≥1.1 verified by VER-REQ-102 operational breeding measurement campaign |
| VER-REQ-065 | SYS-REQ-002 | verifies | VER-065 verifies SYS-REQ-002 net 100MW electrical output |
| REQ-SESTEPFUSIONPOWERPLANT-063 | SYS-REQ-001 | verifies | Verification of Q>=5 burn at >=10MA plasma current |
| VER-REQ-095 | SYS-REQ-012 | verifies | VER-REQ-095 tests neutron dose rates in all occupied areas at full power against 10 µSv/hr limit |
| VER-REQ-094 | SYS-REQ-011 | verifies | VER-REQ-094 tests seismic trip response time (100 ms shutdown) and full subsystem safe-state within 10 s |
| VER-REQ-093 | SYS-REQ-007 | verifies | VER-REQ-093 tests passive decay heat removal for 72 hours with no AC power |
| VER-REQ-092 | SYS-REQ-006 | verifies | VER-REQ-092 tests quench detection latency, energy extraction time, and hot-spot temperature limit |
| VER-REQ-091 | SYS-REQ-005 | verifies | VER-REQ-091 tests dual tritium containment barrier integrity and < 0.1 g single-event release limit |
| VER-REQ-090 | SYS-REQ-004 | verifies | VER-REQ-090 tests SYS-REQ-004 disruption mitigation actuation time and first-wall thermal load limits |
| SYS-REQ-004 | VER-REQ-013 | verifies | End-to-end integration test verifies SYS-REQ-004 disruption mitigation response |
| Ref | Document | Requirement |
|---|---|---|
| IFC-REQ-010 | interface-requirements | The interface between the Tritium Plant and Cryogenic Plant SHALL supply liquid nitrogen at 77 K +/- 2 K at a flow rate ... |
| IFC-REQ-011 | interface-requirements | The interface between the Vacuum System and Tritium Plant SHALL transfer tritiated exhaust gas at throughput up to 200 P... |
| IFC-REQ-012 | interface-requirements | The interface between the Plasma Control System and Vacuum System SHALL transmit divertor neutral gas pumping speed setp... |
| IFC-REQ-013 | interface-requirements | The interface between the Plasma Control System and Tritium Plant SHALL transmit pellet fuel injection rate commands at ... |
| IFC-REQ-014 | interface-requirements | The interface between the Power Conversion System coil power supplies and Superconducting Magnet System SHALL deliver DC... |
| IFC-REQ-015 | interface-requirements | The interface between the Remote Handling System and Tritium Plant SHALL ensure all remote handling tools operating insi... |
| IFC-REQ-016 | interface-requirements | The interface between the Cryogenic Plant and Vacuum System SHALL supply 4.5 K cold heads to up to 20 vacuum cryopump bo... |
| IFC-REQ-017 | interface-requirements | The interface between the Plasma Control System and Remote Handling System SHALL provide hardwired interlock signals pre... |
| IFC-REQ-018 | interface-requirements | The interface between the Power Conversion System and Tokamak Core Assembly SHALL supply auxiliary AC electrical power a... |
| IFC-REQ-019 | interface-requirements | The interface between the National Electrical Grid and Power Conversion System for station loads SHALL import auxiliary ... |
| IFC-REQ-020 | interface-requirements | The interface between the Tokamak Core Assembly and Cryogenic Plant for vessel bake-out SHALL supply hot nitrogen gas at... |
| SUB-REQ-007 | subsystem-requirements | The Tokamak Core Assembly first wall and divertor SHALL withstand steady-state peak heat flux of 10 MW/m2 on the diverto... |
| SUB-REQ-008 | subsystem-requirements | The Superconducting Magnet System TF coil set SHALL generate a toroidal magnetic field of 3.0 T or greater on the plasma... |
| SUB-REQ-009 | subsystem-requirements | The Cryogenic Plant SHALL maintain superconducting magnet cryostats at 4.5 K or below with temperature stability of plus... |
| SUB-REQ-010 | subsystem-requirements | The Tritium Plant SHALL account for tritium inventory with measurement uncertainty of plus or minus 1 g or less per 24-h... |
| SUB-REQ-011 | subsystem-requirements | The Power Conversion System steam turbine-generator set SHALL export 100 MW or more net electrical power to the 400 kV g... |
| SUB-REQ-012 | subsystem-requirements | The Remote Handling System SHALL replace all divertor cassettes within a maintenance window of 21 calendar days or less,... |
| SUB-REQ-013 | subsystem-requirements | The Vacuum System SHALL evacuate the plasma vessel from atmospheric pressure to base pressure of 1e-6 Pa or less within ... |
| SUB-REQ-014 | subsystem-requirements | The Radiation Protection System SHALL classify all plant areas into radiation zones (Supervised, Controlled, High Radiat... |
| SUB-REQ-049 | subsystem-requirements | The Tritium Plant Isotope Separation System SHALL operate on electrical power supplied at 415 V AC (three-phase) with a ... |
| SUB-REQ-050 | subsystem-requirements | The Tritium Plant Isotope Separation System SHALL accept an emergency isolation command from the Plant Protection System... |
| SUB-REQ-051 | subsystem-requirements | The Power Conversion System SHALL be housed in a dedicated turbine hall building with a structural floor load rating of ... |
| SUB-REQ-052 | subsystem-requirements | The Tritium Plant SHALL be housed in a dedicated, single-storey Category 1 confinement building constructed to nuclear-g... |
| SUB-REQ-053 | subsystem-requirements | The Cryogenic Plant SHALL be housed in a dedicated plant building with insulated floor area of at least 800 m², minimum ... |
| SUB-REQ-054 | subsystem-requirements | The Vacuum System SHALL comprise physical vacuum equipment mounted on the tokamak support structure, including 12 turbom... |
| SUB-REQ-058 | subsystem-requirements | The Tritium Plant SHALL maintain tritium accountancy and confinement functions if any single active component fails, wit... |
| SUB-REQ-059 | subsystem-requirements | The Tritium Plant Isotope Separation System SHALL provide a hardwired manual override that, when asserted, shuts down al... |
| SUB-REQ-060 | subsystem-requirements | When any single turbomolecular pump in the Vacuum System Turbomolecular Pump Array fails, the remaining operational pump... |
| SUB-REQ-061 | subsystem-requirements | When the Vacuum System Pressure Monitoring System detects a sensor fault (loss of signal, out-of-range reading, or calib... |
| SUB-REQ-062 | subsystem-requirements | When the Power Conversion System operates at reduced plasma thermal input (Q ≥ 3 but < 5), the PCS SHALL maintain net po... |
| SUB-REQ-063 | subsystem-requirements | When any single Power Conversion System component (steam generator, turbine stage, or condenser circuit) is taken out of... |
| SUB-REQ-064 | subsystem-requirements | When a steam generator tube leak is detected by the Steam Generator and Heat Transfer System (primary-to-secondary press... |
| SUB-REQ-066 | subsystem-requirements | The Vacuum System Pressure Monitoring System SHALL operate from a dedicated UPS-backed 230V AC supply, consuming no more... |
| SUB-REQ-067 | subsystem-requirements | The Cryogenic Plant SHALL incorporate N+1 redundancy for all compressor trains and cold-box modules, such that loss of a... |
| SUB-REQ-068 | subsystem-requirements | The Tritium Plant SHALL implement dual independent confinement barriers on all processing and storage vessels, with auto... |
| SUB-REQ-069 | subsystem-requirements | The Superconducting Magnet System SHALL implement independent quench detection channels on each coil, with a minimum of ... |
| SUB-REQ-070 | subsystem-requirements | The Radiation Protection System SHALL implement engineering ALARA measures at subsystem level: remote handling replaceme... |
| SUB-REQ-071 | subsystem-requirements | Verify REQ-SESTEPFUSIONPOWERPLANT-117: On the VSPMS integration test bench, switch off the primary 230V AC supply and me... |
| SUB-REQ-072 | subsystem-requirements | Verify REQ-SESTEPFUSIONPOWERPLANT-118: During Cryogenic Plant Factory Acceptance Test, disable one compressor train and ... |
| SYS-REQ-016 | system-requirements | The STEP Fusion Power Plant SHALL implement radiobiological protection measures such that occupational whole-body dose t... |
| VER-REQ-014 | verification-plan | Verify SUB-REQ-006: On a dedicated material injection test bench, fire the massive material injection system with instru... |
| VER-REQ-015 | verification-plan | Verify SUB-REQ-004: Inject synchronised calibrated pulses to all diagnostic front-end channels simultaneously from a com... |
| VER-REQ-016 | verification-plan | Verify SUB-REQ-003: Inject a simulated primary controller fault (software halt) during closed-loop plasma simulation. Co... |
| VER-REQ-017 | verification-plan | Verify SUB-REQ-007: During integrated commissioning at stepped-up fusion power, measure divertor target surface heat flu... |
| VER-REQ-018 | verification-plan | Verify SUB-REQ-008: Energise TF coil set to rated current on a coil test facility. Measure on-axis field with calibrated... |
| VER-REQ-019 | verification-plan | Verify SUB-REQ-010: During integrated commissioning, process a known tritium inventory through the full CECE detritiatio... |
| VER-REQ-020 | verification-plan | Verify SUB-REQ-009: During cold commissioning, operate each cold box train independently at full cryoplant load. Confirm... |
| VER-REQ-021 | verification-plan | Verify SUB-REQ-011: During sustained full-power plasma operation at rated Q=5, measure net electrical export at the 400 ... |
| VER-REQ-022 | verification-plan | Verify SUB-REQ-012: On a full-scale remote handling test facility with representative port mock-up, demonstrate complete... |
| VER-REQ-023 | verification-plan | Verify SUB-REQ-013: After vessel bake-out, measure base pressure in the plasma vessel using calibrated ion gauge and res... |
| VER-REQ-024 | verification-plan | Verify RPS-SUB: On the as-built plant with all shielding installed, measure dose rates at all zone boundaries using cali... |
| VER-REQ-068 | verification-plan | Verify SUB-REQ-038: Subject representative RHS in-vessel manipulator samples (identical materials and electronics to fli... |
| VER-REQ-069 | verification-plan | Verify SUB-REQ-039: Load a Remote Handling Transfer Cask mock-up with a representative activated blanket module specimen... |
| VER-REQ-070 | verification-plan | Verify SUB-REQ-040: On the RHS integration test facility, inject each of five representative fault conditions (loss of p... |
| VER-REQ-071 | verification-plan | Verify SUB-REQ-043: During commissioning with live 400 kV grid connection, operate the Power Conversion System at rated ... |
| VER-REQ-072 | verification-plan | Verify SUB-REQ-044: During first full-power plasma operation at steady-state Q ≥ 5 burn for ≥30 minutes, instrument the ... |
| VER-REQ-073 | verification-plan | Verify SUB-REQ-045: On the Power Conversion System turbine-generator test facility, simulate a plasma disruption signal ... |
| VER-REQ-074 | verification-plan | Verify IFC-REQ-001: During integrated commissioning, energise the TF coil set to rated current and measure toroidal fiel... |
| VER-REQ-075 | verification-plan | Verify IFC-REQ-002: During cryogenic commissioning, flow helium coolant through the superconducting magnet transfer line... |
| VER-REQ-076 | verification-plan | Verify IFC-REQ-003: During fuel injection commissioning using non-tritiated DT-simulant pellets, fire pellet sequences a... |
| VER-REQ-077 | verification-plan | Verify IFC-REQ-004: During integrated power operation at fusion power ≥ 500 MW, measure primary coolant flow rate and in... |
| VER-REQ-078 | verification-plan | Verify IFC-REQ-005: During plasma operations, inject synthetic diagnostic data into the PCS front-end at 1 MHz and measu... |
| VER-REQ-079 | verification-plan | Verify IFC-REQ-006: With the magnet power supply system active, command a step change in poloidal coil current from the ... |
| VER-REQ-080 | verification-plan | Verify IFC-REQ-007: Before first plasma operations, evacuate the plasma vessel from atmospheric pressure and measure bas... |
| VER-REQ-081 | verification-plan | Verify IFC-REQ-008: During cold acceptance testing, manoeuvre the IVIMM through all horizontal maintenance ports and dem... |
| VER-REQ-082 | verification-plan | Verify IFC-REQ-009: During steady-state power operation, measure active power, voltage, frequency, and power factor at t... |
| VER-REQ-083 | verification-plan | Verify IFC-REQ-023: During tritium plant commissioning, flow a representative tritium-in-helium mixture (0.1-1% T/He by ... |
| VER-REQ-084 | verification-plan | Verify SUB-REQ-049: On the completed ISS installation, measure steady-state power consumption using calibrated three-pha... |
| VER-REQ-085 | verification-plan | Verify SUB-REQ-050: Assert the Plant Protection System emergency isolation command to the ISS via the hardwired interfac... |
| VER-REQ-086 | verification-plan | Verify SUB-REQ-051: Inspect the as-built turbine hall structure with a certified structural engineer. Confirm floor load... |
| VER-REQ-087 | verification-plan | Verify SUB-REQ-052: Conduct structural inspection of the as-built Tritium Plant confinement building. Confirm nuclear-gr... |
| VER-REQ-088 | verification-plan | Verify SUB-REQ-053: Inspect the as-built Cryogenic Plant building. Measure insulated floor area using laser measurement ... |
| VER-REQ-089 | verification-plan | Verify SUB-REQ-054: During vacuum system pre-commissioning, confirm by physical count and inspection that 12 turbomolecu... |
| VER-REQ-096 | verification-plan | Verify SUB-REQ-014: On the as-built plant with all bulk shielding installed, map dose rates at all zone boundary transit... |
| VER-REQ-097 | verification-plan | Verify SUB-REQ-037: On the STEP Remote Handling System integration test facility (1:1 scale vessel mockup), conduct a si... |
| VER-REQ-098 | verification-plan | Verify SUB-REQ-042: During first D-T power operations at Q>=5 sustained burn, measure the gross-to-net thermal efficienc... |
| VER-REQ-099 | verification-plan | Verify SYS-REQ-001: During first D-T plasma campaign, demonstrate sustained plasma burn at Q>=5 for at least one pulse. ... |
| VER-REQ-102 | verification-plan | Verify SYS-REQ-003: During the first D-T operating campaign at rated neutron wall loading, measure tritium breeding blan... |
| VER-REQ-103 | verification-plan | Verify SYS-REQ-008: During plasma vessel acceptance testing before first plasma, pump down from atmospheric pressure and... |
| VER-REQ-104 | verification-plan | Verify SYS-REQ-009: On the Remote Handling System integration facility, with a full-scale mock-up of the divertor casset... |
| VER-REQ-105 | verification-plan | Verify SYS-REQ-010: After at least one complete 6-month operating campaign, analyse plant operational records to calcula... |
| VER-REQ-106 | verification-plan | Verify SYS-REQ-013: During integrated plant commissioning, enumerate all plasma diagnostic systems installed and commiss... |
| VER-REQ-107 | verification-plan | Verify SYS-REQ-014: Using the as-built materials inventory and neutron activation analysis code validated against ITER m... |
| VER-REQ-108 | verification-plan | Verify SYS-REQ-015: During first grid synchronisation and power export commissioning, measure voltage, frequency, and to... |
| VER-REQ-109 | verification-plan | Verify SYS-REQ-016: Using the radiation protection design basis documentation (site radiation survey, occupational dose ... |
| VER-REQ-112 | verification-plan | Verify REQ-072: On the vacuum system integration test facility, isolate one turbomolecular pump by closing its gate valv... |
| VER-REQ-113 | verification-plan | Verify REQ-073: On the pressure monitoring system test bench, inject each of three sensor fault types (signal loss, out-... |
| VER-REQ-114 | verification-plan | Verify REQ-074: During first plasma commissioning at Q approximately 3 (partial-load operation), measure net export at 4... |
| VER-REQ-115 | verification-plan | Verify REQ-075: During PCS acceptance testing, isolate one steam generator from the primary and secondary circuits and o... |
| VER-REQ-116 | verification-plan | Verify REQ-076: On a steam generator tube bundle test loop pressurised with helium tracer at primary design pressure, op... |
| VER-REQ-117 | verification-plan | Verify SUB-REQ-007: Install calibrated Langmuir-probe array and infrared thermography system on a representative first-w... |
| VER-REQ-118 | verification-plan | Verify SUB-REQ-008: At a magnet test facility, energise the full TF coil set to the rated design current. Measure on-axi... |
| VER-REQ-122 | verification-plan | Verify SUB-REQ-009: During integrated cryogenics commissioning, energise the full TF and PF coil set to rated current wi... |
| VER-REQ-123 | verification-plan | Verify SUB-REQ-010: During Tritium Plant integrated commissioning on a deuterium-tritium representative feed, operate th... |
| VER-REQ-124 | verification-plan | Verify SUB-REQ-011: During first-of-kind power generation commissioning at rated fusion power, operate the steam turbine... |
| VER-REQ-125 | verification-plan | Verify SUB-REQ-012: On the full-scale Remote Handling test rig in the dedicated remote handling facility, with represent... |
| VER-REQ-126 | verification-plan | Verify SUB-REQ-013: During facility commissioning after tokamak assembly, operate the vacuum pumping system from atmosph... |
| VER-REQ-127 | verification-plan | Verify SUB-REQ-014: During radiation protection commissioning at rated operation, measure dose rates at all designated z... |
| VER-REQ-128 | verification-plan | Verify SUB-REQ-049: During ISS commissioning, apply rated 415 V AC three-phase supply and measure process performance at... |
| VER-REQ-129 | verification-plan | Verify SUB-REQ-050: During ISS integrated test, assert the PPS emergency isolation hardwired command at the ISS panel in... |
| VER-REQ-130 | verification-plan | Verify SUB-REQ-051: Inspect completed PCS turbine hall building against civil engineering as-built drawings and structur... |
| VER-REQ-131 | verification-plan | Verify SUB-REQ-052: Inspect completed Tritium Plant building against nuclear safety case, civil engineering certificate,... |
| VER-REQ-132 | verification-plan | Verify SUB-REQ-053: Inspect completed Cryogenic Plant building against as-built drawings, mechanical services schedule, ... |
| VER-REQ-133 | verification-plan | Verify SUB-REQ-054: Inspect installed vacuum system equipment layout against as-built drawings. Count installed turbo-mo... |
| VER-REQ-134 | verification-plan | Verify SUB-REQ-055: Review structural analysis report for tokamak core assembly, superconducting magnet system, and cryo... |
| VER-REQ-135 | verification-plan | Verify SUB-REQ-056: On a representative in-vessel cooling circuit test loop with passive decay heat removal path install... |
| VER-REQ-136 | verification-plan | Verify SUB-REQ-057: During plasma operations commissioning, issue an operator-commanded end-of-pulse shutdown from the m... |
| VER-REQ-137 | verification-plan | Verify SUB-REQ-058: During Tritium Plant operational qualification, simulate failure of each active accountancy and conf... |
| VER-REQ-138 | verification-plan | Verify SUB-REQ-059: During ISS integrated test, assert the hardwired manual override at the ISS panel interface and conf... |
| VER-REQ-139 | verification-plan | Verify IFC-REQ-010: During integrated cryogenics and tritium plant commissioning, operate the LN2 supply interface at ra... |
| VER-REQ-140 | verification-plan | Verify IFC-REQ-011: During integrated vacuum-tritium interface commissioning, operate the tritiated exhaust gas transfer... |
| VER-REQ-141 | verification-plan | Verify IFC-REQ-012: During plasma control-vacuum system integrated commissioning, inject test pumping speed setpoint com... |
| VER-REQ-142 | verification-plan | Verify IFC-REQ-013: During plasma control-tritium plant integrated commissioning, inject test pellet injection rate comm... |
| VER-REQ-143 | verification-plan | Verify IFC-REQ-014: During magnet system commissioning at the magnet power supply test facility, energise TF coil set fr... |
| VER-REQ-144 | verification-plan | Verify IFC-REQ-015: Inspect all remote handling tools and manipulator end-effectors that operate inside the tritium conf... |
| VER-REQ-145 | verification-plan | Verify IFC-REQ-016: During integrated cryogenics-vacuum commissioning, operate the cold head supply interface to vacuum ... |
| VER-REQ-146 | verification-plan | Verify IFC-REQ-017: During PCS-RHS interlock commissioning, assert each hardwired interlock signal from the Plasma Contr... |
| VER-REQ-147 | verification-plan | Verify IFC-REQ-018: During facility commissioning, measure AC auxiliary power supply at all PCS-to-tokamak auxiliary sup... |
| VER-REQ-148 | verification-plan | Verify IFC-REQ-019: During grid connection commissioning, measure imported auxiliary AC power from the National Grid at ... |
| VER-REQ-149 | verification-plan | Verify IFC-REQ-020: During vessel bake-out commissioning, circulate hot nitrogen gas at rated conditions through the tok... |