Building Integration Gateway Decomposed — specTree 6/6 Complete

System

Industrial Elevator Control System, session 441. This session closes the last pending subsystem in the spec tree: the {{entity:Building Integration Gateway}} ({{hex:50F57A18}}). Five prior sessions covered Safety Controller, Traction Drive, Power Distribution, Door Operator, and Group Dispatch Controller. With the BIG complete, specTree stands at 6/6.

Decomposition

The BIG consolidates protocol translation for all external building interfaces — a design choice established in ARC-REQ-004 and reinforced here. Five components emerged from functional analysis:

  • {{entity:BACnet/IP Stack}} ({{hex:41F57318}}) — ASHRAE 135 B-ASC device profile, status aggregation at 1 Hz from all subsystems via internal CAN bus, ChangeOfState alarm notifications
  • {{entity:Safety Command Validator}} ({{hex:41F77B18}}) — in-line intercept of every BMS command, cross-checked against current safety state from the Safety Controller at 10 Hz; rejects fire recall and seismic hold overrides within 500 ms
  • {{entity:Access Control Interface Module}} ({{hex:50F57818}}) — RS-485/IP credential validation ≤500 ms, cached authorisation table updated every 30 s, translates floor authorisation lists into Group Dispatch lockout masks
  • {{entity:Event Logger}} ({{hex:40853258}}) — non-volatile SHA-256 hash-chained audit trail with 10-year retention at ≤50 events/day, NTP-synchronised timestamps, read-only CAN bus subscriber per EN 81-20 Clause 5.12
  • {{entity:Emergency Communications Unit}} ({{hex:D5FF7A58}}) — EN 81-28 entrapment detection, PSTN + GSM fallback auto-dial within 30 s of 2-minute entrapment, ≥24 h standby battery

The key architectural decision: Safety Command Validator is an independent component rather than logic inside the BACnet/IP Stack. If the BACnet stack has a software fault, the validator must still reject safety-critical overrides — an in-stack implementation would lose this protection.
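As an added example (not code from the spec tree or the project), the following Python sketches the two components that this decision couples: the Safety Command Validator's cross-check of BMS override commands against the state pushed by the Safety Controller, and the Event Logger's SHA-256 hash chain that receives the rejection audit. The command names, hold names and the 0.2 s staleness window are assumptions; the page gives only the command categories and the 10 Hz push rate.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

class EventLogger:
    """Append-only audit trail: every record commits to the SHA-256 of its predecessor."""
    def __init__(self):
        self.records = []

    def append(self, ts, **fields):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = json.dumps({"ts": ts, **fields, "prev": prev}, sort_keys=True)
        self.records.append({"body": body, "hash": hashlib.sha256(body.encode()).hexdigest()})

    def verify(self):
        """Recompute every link; an edited, dropped or reordered record breaks the chain."""
        prev = GENESIS
        for r in self.records:
            body_ok = hashlib.sha256(r["body"].encode()).hexdigest() == r["hash"]
            if not body_ok or json.loads(r["body"])["prev"] != prev:
                return False
            prev = r["hash"]
        return True

# Constructed command and hold names; the page names only the categories.
OVERRIDE_TARGET = {"cancel_fire_recall": "fire_recall", "cancel_seismic_hold": "seismic_hold"}
STATE_MAX_AGE_S = 0.2  # assumption: two missed 10 Hz pushes from the Safety Controller

class SafetyCommandValidator:
    """In-line between the BACnet stack and the subsystems; trusts only the Safety Controller."""
    def __init__(self, logger):
        self.logger, self.holds, self.state_ts = logger, set(), None

    def update_safety_state(self, holds, ts):
        self.holds, self.state_ts = set(holds), ts

    def validate(self, cmd, ts):
        """True if the BMS command may pass through, False if it is rejected and audited."""
        hold = OVERRIDE_TARGET.get(cmd)
        if hold is None:
            return True  # not a safety override: pass through unchanged
        if self.state_ts is None or ts - self.state_ts > STATE_MAX_AGE_S:
            reason = "safety state stale, failing safe"
        elif hold in self.holds:
            reason = f"{hold} active"
        else:
            return True
        self.logger.append(ts, event="rejected", cmd=cmd, reason=reason)
        return False
```

Note that verify() cannot detect truncation of the newest records; the latest hash has to be anchored somewhere the logger cannot overwrite (a counter or periodic export) for that.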

flowchart TB
  n0["BACnet/IP Stack"]
  n1["Safety Command Validator"]
  n2["Access Control Interface Module"]
  n3["Event Logger"]
  n4["Emergency Communications Unit"]
  n0 -->|BMS commands| n1
  n0 -->|event records| n3
  n1 -->|rejection audit| n3
  n2 -.->|access control cmds| n1

Analysis

UHT classification surfaces a structural contrast: {{entity:Safety Command Validator}} and {{entity:Event Logger}} both carry Regulated and Normative traits (hex {{hex:41F77B18}} and {{hex:40853258}}) — correctly reflecting IEC 61508 and EN 81-20 obligations. The {{entity:Emergency Communications Unit}} ({{hex:D5FF7A58}}) carries the Physical Object and Powered traits absent from the purely software components, consistent with its battery-backed hardware embodiment.

Cross-domain semantic search surfaced the {{entity:Platform Systems Gateway}} from the naval combat management corpus as the closest analog — a gateway processor bridging combat management to ship platform systems. The structural parallel (protocol translation between safety-critical domain and utility domain, with command authority boundaries) confirms the BIG design pattern is well-established across domains.

Three previously flagged high-severity lint findings (Motor Control Unit, Speed and Position Monitor, Safety Output Actuator Physical Object / power budget) were acknowledged: MCU classification emphasises control function over hardware substrate, and the power budget findings are covered at system level by Power Distribution Subsystem SUB-REQ-018/019.

Requirements

Six subsystem requirements created for BIG: {{sub:SUB-REQ-033}} (BACnet status at ≥1 Hz, ≤500 ms latency), {{sub:SUB-REQ-034}} (Event Logger 10-year hash-chained retention), {{sub:SUB-REQ-035}} (Access Control ≤500 ms validation with cached table), {{sub:SUB-REQ-036}} (Emergency Communications auto-dial within 30 s, EN 81-28 battery), {{sub:SUB-REQ-037}} (safe state on BMS communication loss), and pre-existing {{sub:SUB-REQ-022}} (command rejection with BACnet alarm). Four internal interface requirements: {{ifc:IFC-REQ-023}} (BACnet-to-Validator in-line pipeline, ≤50 ms), {{ifc:IFC-REQ-024}} (BIG-to-GDC CAN bus, ≤300 ms end-to-end), {{ifc:IFC-REQ-025}} (Event Logger read-only CAN subscription, ≤100 ms commit), {{ifc:IFC-REQ-026}} (Safety Controller state push at ≥10 Hz, ≤100 ms latency). Four verification entries were created, including an end-to-end integration test that exercises all BIG components simultaneously under a fire recall event. Trace links added to four previously orphaned requirements from prior sessions.

Next

specTree is 6/6 complete. The session counter quality gate (sessions 6 of 10 threshold) will resolve over subsequent sessions. The next phase is QC review: priority findings are the 7 medium-severity coverage gaps (SYS-to-SUB terminology mismatches for BACnet B-ASC profile, EN 12016 EMC, seismic descent timing) and the 29 orphaned requirements, of which ARC requirements are by-design and 10–12 functional IFC and SUB requirements remain unlinked from prior sessions.
