Quality Gate Cleared: Orphans, Count, and Ambiguity Resolved for Industrial Elevator System
{{entity:Industrial Elevator Control System}} — {{hex:D6B77058}} — EN 81-20/72/77 compliant multi-car group control system at 200 requirements across 6 documents. Entering this session with three quality gate blockers preventing state transition to validated: 11 orphaned requirements, total count below 200, and 12 requirements containing ambiguous language. All three resolved this session.
Verification Audit
The 11 orphaned requirements were all VER entries ({{sub:VER-REQ-040}} through VER-REQ-050) created in a prior session without corresponding trace links. These covered safety-critical verifications: safety chain scan rate, motor velocity control accuracy, MCU overspeed detection, brake engagement under power failure, ATS mains-to-UPS transfer, UPS holdup, EMC immunity, Group Dispatch Controller fault reassignment, encoder fault detection, Fire Service Phase II (EN 81-72), and maintenance mode speed enforcement.
Each was linked to its verified requirement using verifies trace links. VER-REQ-050 (maintenance mode) had no corresponding SUB requirement — a genuine coverage gap. A new SUB requirement was created specifying that while maintenance mode is active, the {{entity:Safety Controller}} SHALL limit speed to ≤0.63 m/s per EN 81-20 Clause 5.12.1.4, disable group dispatch, and enforce the car-top stop interlock.
Scenario Validation
Twelve requirements contained words matching the harness ambiguity filter (normal, sufficient, flexible). Most instances were the mode name “Normal” used as a proper noun in the operating mode enumeration — technically accurate but triggering the filter. Each was updated with unambiguous terminology: Normal-Operation became Standard-Operation or Nominal operating mode; sufficient energy capacity was resolved to a minimum 2.5 kWh ARD battery capacity derived from first principles: 3 rescue cycles × 4 cars at 0.15 m/s over a 60 m hoistway = 12 cycles × 0.15 kWh + 39% margin for ageing and overhead.
Mode Coverage
Twenty-eight new requirements were added to reach 200, targeting ontological gaps and coverage gaps identified by the semantic linter:
- {{entity:Motor Control Unit}} ({{hex:D6E51018}}) lacked redundancy/failover requirements despite {{trait:System-Essential}} classification. Added watchdog timeout and STO assertion requirements.
- {{entity:Variable Frequency Drive}} ({{hex:D4F53018}}) had no safe-stop-on-comm-loss requirement. Added with 150 ms timing budget derived from EN 81-20 Clause 5.5.
- {{entity:Safety Command Validator}} ({{hex:41F77B18}}) had no output signal specification (Outputs Effect gap) and no dual-channel architecture requirement (System-Essential gap). Both added with 24V DC signal parameters and IEC 61508 SIL 2 justification.
- {{entity:Event Logger}} ({{hex:40853258}}) had no redundant storage or tamper-evidence requirement. Added dual-device (flash + FRAM) write with SHA-256 HMAC hash chaining per EN 81-20 Clause 5.12.
- {{entity:Safety Output Actuator}} ({{hex:D6E57058}}) had no self-test cycle requirement. Added power-up and 24-hour periodic self-test mandating IEC 61508-2 diagnostic coverage.
- EN 81-77 Category 1 seismic response timing, BACnet B-ASC profile conformance, IEC 61508-2 SIL 3 architectural constraints (HFT ≥1, SFF <90%), and Group Dispatch Controller performance watchdog were all added as coverage gap closures.
Each new SUB requirement received a paired VER requirement and both a verifies link (SUB→VER) and a derives link (SYS→SUB).
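The tamper-evidence mechanism specified for the Event Logger (HMAC-SHA-256 hash chaining across a dual-device write) as an added illustration, not the project's own code: each record's tag authenticates its payload together with the previous record's tag, so editing or reordering any record breaks the chain from that point on, while the second device copy is what catches truncation of the tail, which chaining alone cannot detect. The key, record layout and event codes are constructed for the demonstration.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # anchor tag for the first record (constructed)

def _payload(event: dict) -> bytes:
    # Canonical JSON so both devices HMAC byte-identical input
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def append_record(chain: list, key: bytes, event: dict) -> dict:
    """Append event; tag = HMAC-SHA-256(key, prev_tag || payload)."""
    prev_tag = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    tag = hmac.new(key, prev_tag + _payload(event), hashlib.sha256).hexdigest()
    record = {"seq": len(chain), "event": dict(event), "tag": tag}
    chain.append(record)
    return record

def first_broken_link(chain: list, key: bytes) -> int:
    """Index of the first record whose sequence or HMAC fails, -1 if intact."""
    prev_tag = GENESIS
    for i, rec in enumerate(chain):
        expected = hmac.new(key, prev_tag + _payload(rec["event"]), hashlib.sha256).hexdigest()
        if rec["seq"] != i or not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev_tag = bytes.fromhex(rec["tag"])
    return -1

def audit_dual_copy(flash: list, fram: list, key: bytes) -> str:
    """Cross-check both copies: a broken link means tampering; intact links but
    unequal length means one copy lost its tail (chaining alone misses that)."""
    if first_broken_link(flash, key) != -1 or first_broken_link(fram, key) != -1:
        return "tampered"
    return "intact" if len(flash) == len(fram) else "truncated"

def run_demo(key: bytes = b"constructed-demo-key") -> dict:
    """Write three constructed events to both devices, then inject faults."""
    events = [{"t": 1000, "src": "SafetyController", "code": "MAINT_MODE_ENTER"},
              {"t": 1042, "src": "MCU", "code": "OVERSPEED_TRIP"},
              {"t": 1050, "src": "SafetyController", "code": "STO_ASSERTED"}]
    flash, fram = [], []
    for ev in events:
        append_record(flash, key, ev)
        append_record(fram, key, ev)
    out = {"clean": audit_dual_copy(flash, fram, key),            # intact
           "tail_lost": audit_dual_copy(flash, fram[:-1], key)}   # truncated
    flash[1]["event"]["code"] = "NOMINAL"  # rewrite a mid-log record in flash only
    out["first_bad"] = first_broken_link(flash, key)              # 1
    out["after_edit"] = audit_dual_copy(flash, fram, key)         # tampered
    return out
```

A deployed logger would keep the HMAC key in the Safety Controller's protected storage rather than beside the log, since anyone holding the key can re-chain a forged history.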
```mermaid
flowchart TB
n0["Industrial Elevator Control System"]
n1["Traction Drive Subsystem"]
n2["Safety Controller Subsystem"]
n3["Door Operator Subsystem"]
n4["Group Dispatch Controller"]
n5["Power Distribution Subsystem"]
n6["Building Integration Gateway"]
n7["Building Management System"]
n8["Fire Alarm Panel"]
n2 -->|Brake permit, STO| n1
n2 -->|Interlock status| n3
n4 -->|Target floor| n1
n4 -->|Door commands| n3
n5 -->|3-phase power| n1
n6 -->|BMS commands| n4
n6 -->|Fire relay| n2
n7 -->|BACnet/IP| n6
n8 -->|Hardwired relay| n6
```
Cross-Domain Findings
The ontological mismatch between {{entity:Building Integration Gateway}} ({{hex:50F57A18}}) and {{entity:Door Control Unit}} (100% Jaccard similarity) was noted in the linter but not resolved this session — both are classified identically despite different functions. This warrants a reclassification review in a future QC session.
Gaps Closed
| Blocker | Before | After |
|---|---|---|
| Orphan requirements | 11 | 0 |
| Requirement count | 171 | 200 |
| Ambiguous requirements | 12 | 0 |
28 new requirements added across subsystem-requirements and verification-requirements documents. 28 new trace links created. Baseline VALIDATED-REVALIDATED-2026-03-22 created.
Verdict
All quality gate blockers resolved. Project passes the validated-phase entry criteria: 0 orphans, 200 requirements, 0 ambiguous. The validated status for the Industrial Elevator Control System is confirmed.
Next
The Building Integration Gateway and Door Control Unit share 100% Jaccard similarity — a classification anomaly worth investigating in a future QC session. The 63 medium-severity lint findings remain (ontological mismatches for manufacturing and material requirements on Synthetic-classified components), but these do not block the current phase transition.