Industrial Elevator QC: Orphan Chain Repair and Verification Coverage

System

{{entity:Industrial Elevator Control System}} ({{hex:51F77A58}}), QC session against baseline BL-SEINDUSTRIALELEVATOR-003. Entry state: concept-defined, 57 requirements across 6 documents, 29 trace links. Quality gate blockers from session header: specTree 5/6 subsystems not complete, ifcCount 8 < 20, sessions 2 < 10.

Findings

Orphan requirements: 14/57 with no trace links. Breakdown: 6 architecture decisions (ARC-REQ-001–006), 2 interface requirements ({{ifc:IFC-REQ-003}}, {{ifc:IFC-REQ-004}}), 5 stakeholder requirements ({{stk:STK-REQ-004}}, {{stk:STK-REQ-005}}, {{stk:STK-REQ-007}}, {{stk:STK-REQ-009}}, {{stk:STK-REQ-012}}), and 1 system requirement ({{sys:SYS-REQ-012}}). All had derivation paths to existing requirements but the trace links were never created.

Verification coverage: 7/17 SUB+IFC requirements with VER entries (41%) — below the 50% gate. Missing: {{sub:SUB-REQ-001}} (dual-channel SIL 3 architecture), {{sub:SUB-REQ-003}} (UCMP detection), and {{sub:SUB-REQ-007}} (Safety Output Actuator brake engagement, partially covered by VER-REQ-005 but not formally linked).

Spray pattern: {{sys:SYS-REQ-003}} links to 5 SUB requirements (SUB-REQ-001, SUB-REQ-002, SUB-REQ-004, SUB-REQ-007, SUB-REQ-009). All 5 links carry individual rationale referencing IEC 61508 SIL 3 cascading requirements. Accepted — a genuine safety requirement mandating architectural controls in every Safety Controller component.

Coverage gaps (lint findings 78–94): 12 concepts in STK/SYS without lower-level requirements. Critical gap: {{stk:STK-REQ-007}} (facility manager configuration) had no SYS derivation. {{stk:STK-REQ-006}} BMS position reporting and {{stk:STK-REQ-014}} ARD mains failure behaviour have indirect SYS coverage but lack explicit sub-concept traceability.

Lint severity summary: 94 findings (9 high, 85 medium). All 7 high-severity findings are {{trait:Powered}} components without power budget requirements — {{entity:position monitor}}, {{entity:safety output actuator}}, {{entity:safety chain interface module}}, {{entity:speed and position monitor}}, {{entity:seismic and fire interface}}, {{entity:safety cpu}}, {{entity:industrial elevator control system safety controller}}. Power budget requirements belong in hardware design documents; residual finding, not a QC blocker.

Corrections

Orphan repair — STK requirements: Added trace links for all 5 orphan STK requirements. {{stk:STK-REQ-004}} (exclusive hoistway access) → {{sys:SYS-REQ-003}} (safety chain covers maintenance interlocks). {{stk:STK-REQ-005}} (inspection speed ≤0.3 m/s) → {{sys:SYS-REQ-002}} (velocity control). {{stk:STK-REQ-007}} (facility manager configuration) → {{sys:SYS-REQ-001}} (group dispatch parameters). {{stk:STK-REQ-009}} (Phase II firefighter control) → {{sys:SYS-REQ-007}} (fire recall). {{stk:STK-REQ-012}} (modular architecture) → {{sys:SYS-REQ-012}} (availability target).

Orphan repair — SYS-REQ-012: Linked {{stk:STK-REQ-001}} → {{sys:SYS-REQ-012}}: N-1 degraded operation pushes average wait time to 45–50s, so 4-car availability directly gates the ≤30s passenger experience requirement.

Orphan repair — IFC requirements: {{ifc:IFC-REQ-003}} (access control interface) linked from {{sys:SYS-REQ-003}} — building access credentials gate hoistway entry as part of the maintenance interlock chain. {{ifc:IFC-REQ-004}} (emergency intercom) linked from {{sys:SYS-REQ-006}} — EN 81-28 auto-dial on entrapment is co-triggered with ARD during mains failure.

ARC requirements: All 6 ARC requirements tagged informational. The architecture-decisions → system-requirements linkset is undefined; trace link creation was rejected by the API. Tagged to distinguish from traceable requirements per protocol.

Verification coverage additions: Created VER-008 verifying {{sub:SUB-REQ-003}} UCMP detection (200 mm/50 ms end-to-end test). Created VER-010 verifying {{sub:SUB-REQ-001}} SIL 3 dual-channel architecture via signed analysis. Added formal link {{sub:SUB-REQ-007}} → VER-REQ-005 (that test already exercises the full chain to brake engagement). Coverage: 7/17 → 10/17 = 59%.
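As an added example, not the QC tool's own code, the following Python lint reproduces the three checks behind the Findings section (orphan detection, SUB+IFC verification coverage against the 50% gate, and fan-out rationale screening that separates a spray pattern from an accepted safety cascade) and then applies the correction types from this section to a constructed mini-baseline. The requirement IDs, rationale strings, the small baseline itself and the assumption that a SUB→VER link may be stored in either direction are all constructed for the illustration; they are not the project's data or its API.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Requirements baseline: id -> document prefix, plus directed trace links."""
    reqs: dict                                        # e.g. {"SYS-REQ-003": "SYS"}
    links: list = field(default_factory=list)         # (source, target, rationale)
    informational: set = field(default_factory=set)   # ids excluded from orphan checks

    def add_link(self, src, dst, rationale):
        # Assumption: the only link-creation rule enforced here is that both ends exist.
        if src not in self.reqs or dst not in self.reqs:
            raise KeyError(f"link {src} -> {dst} references an unknown requirement")
        self.links.append((src, dst, rationale))


def orphans(b):
    """Requirements at neither end of any trace link, excluding informational ones."""
    linked = {s for s, _, _ in b.links} | {d for _, d, _ in b.links}
    return sorted(r for r in b.reqs if r not in linked and r not in b.informational)


def verification_coverage(b):
    """(covered, total) over SUB+IFC requirements that touch a VER entry at either link end."""
    subject = [r for r, doc in b.reqs.items() if doc in ("SUB", "IFC")]
    verified = set()
    for s, d, _ in b.links:
        if b.reqs[d] == "VER":
            verified.add(s)
        if b.reqs[s] == "VER":
            verified.add(d)
    return sum(1 for r in subject if r in verified), len(subject)


def spray_candidates(b, fanout=5):
    """Sources with >= fanout outgoing links; accepted only if every link has its own rationale."""
    by_src = defaultdict(list)
    for s, _, rat in b.links:
        by_src[s].append(rat)
    verdict = {}
    for s, rationales in by_src.items():
        if len(rationales) >= fanout:
            individual = all(rationales) and len(set(rationales)) == len(rationales)
            verdict[s] = "accepted" if individual else "spray"
    return verdict


def gate(b, min_coverage=0.5):
    """Quality gate: no orphans and VER coverage at or above the threshold."""
    covered, total = verification_coverage(b)
    return not orphans(b) and total > 0 and covered / total >= min_coverage


def build_entry_state():
    """Constructed mini-baseline shaped like the session's entry state (not the project's data)."""
    reqs = {
        "STK-REQ-001": "STK", "STK-REQ-004": "STK", "STK-REQ-005": "STK",
        "SYS-REQ-002": "SYS", "SYS-REQ-003": "SYS", "SYS-REQ-012": "SYS",
        "SUB-REQ-001": "SUB", "SUB-REQ-002": "SUB", "SUB-REQ-003": "SUB",
        "SUB-REQ-004": "SUB", "SUB-REQ-007": "SUB", "SUB-REQ-009": "SUB",
        "IFC-REQ-003": "IFC", "VER-REQ-005": "VER", "ARC-REQ-001": "ARC",
    }
    b = Baseline(reqs)
    b.add_link("STK-REQ-001", "SYS-REQ-002", "wait-time target bounds the velocity profile")
    # Genuine safety fan-out: each link carries its own SIL 3 rationale.
    for sub, why in [("SUB-REQ-001", "dual-channel architecture"),
                     ("SUB-REQ-002", "diagnostic coverage"),
                     ("SUB-REQ-004", "safe state on fault"),
                     ("SUB-REQ-007", "brake permit path"),
                     ("SUB-REQ-009", "interlock monitoring")]:
        b.add_link("SYS-REQ-003", sub, f"IEC 61508 SIL 3: {why}")
    # Spray pattern for contrast: one boilerplate rationale pasted onto five links.
    for sub in ["SUB-REQ-001", "SUB-REQ-002", "SUB-REQ-003", "SUB-REQ-004", "SUB-REQ-007"]:
        b.add_link("SYS-REQ-012", sub, "cascades from parent")
    b.add_link("SUB-REQ-004", "VER-REQ-005", "brake engagement test")
    b.add_link("SUB-REQ-009", "VER-REQ-005", "brake test exercises the interlock chain")
    return b


def repair(b):
    """Apply the session's correction types: parent links, informational tag, VER links."""
    b.add_link("STK-REQ-004", "SYS-REQ-003", "hoistway access is part of the interlock chain")
    b.add_link("STK-REQ-005", "SYS-REQ-002", "inspection speed limit is a velocity-control case")
    b.add_link("SYS-REQ-003", "IFC-REQ-003", "access credentials gate hoistway entry")
    b.informational.add("ARC-REQ-001")   # rationale document, not a derived requirement
    b.reqs["VER-REQ-008"] = "VER"
    b.reqs["VER-REQ-010"] = "VER"
    b.add_link("SUB-REQ-003", "VER-REQ-008", "UCMP end-to-end test")
    b.add_link("SUB-REQ-001", "VER-REQ-010", "signed dual-channel analysis")
    b.add_link("SUB-REQ-007", "VER-REQ-005", "existing test already reaches brake engagement")
    return b


if __name__ == "__main__":
    base = build_entry_state()
    print("entry:", orphans(base), verification_coverage(base), spray_candidates(base), gate(base))
    repair(base)
    print("after:", orphans(base), verification_coverage(base), gate(base))
```

The fan-out check deliberately keys on rationale, not on link count alone: the session accepted {{sys:SYS-REQ-003}}'s five links because each carried an individual IEC 61508 justification, and that is the signal a lint can test for without a human reading every link.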

flowchart TB
  n0["Industrial Elevator Control System"]
  n1["Traction Drive Subsystem"]
  n2["Safety Controller Subsystem"]
  n3["Door Operator Subsystem"]
  n4["Group Dispatch Controller"]
  n5["Power Distribution Subsystem"]
  n6["Building Integration Gateway"]
  n7["Building Management System"]
  n8["Fire Alarm Panel"]
  n2 -->|Brake permit, STO| n1
  n2 -->|Interlock status| n3
  n4 -->|Target floor| n1
  n4 -->|Door commands| n3
  n5 -->|3-phase power| n1
  n6 -->|BMS commands| n4
  n6 -->|Fire relay| n2
  n7 -->|BACnet/IP| n6
  n8 -->|Hardwired relay| n6

Residual

ARC orphans (6): ARC-REQ-001–006 remain without trace links. The architecture-decisions document has no defined linkset to system-requirements. Tagged informational — these are rationale documents, not derived requirements.

Power budget requirements (7 high-severity lint): {{entity:safety cpu}} and other {{trait:Powered}} components lack voltage range and consumption requirements. These belong in a hardware design specification. Flagged for the Power Distribution Subsystem decomposition session.

Concept coverage gaps (lint 84–94): SYS→SUB traceability for “ARD batteries”, “designated landing within 60 seconds”, “BACnet B-ASC device profile” requires decomposition of Power Distribution, Traction Drive, and Building Integration Gateway — blocked on specTree completion.

Next

DECOMPOSITION_STATUS updated to qc-reviewed, baseline QC-2026-03-21 created. Project state: 59 requirements, 40 trace links, VER coverage 59%. Decompose Traction Drive Subsystem next — highest interface count of the 4 remaining subsystems, and its components drive the power budget gap flagged by all 7 high-severity lint findings.
