Industrial Elevator Review — Verification Traceability Gap Blocks Acceptance

System

{{entity:Industrial Elevator Control System}} ({{hex:D6B77058}}), a SIL 3 safety-critical elevator group control system governed by EN 81-20, EN 81-72, and EN 81-77. The specification has accumulated 203 requirements across 6 documents, 196 trace links, 8 block diagrams, and 11 architecture decisions over 16 sessions. This review assesses whether the specification is ready for acceptance as a basis for detailed design and procurement.

Coherence

The decomposition partitions the system into six subsystems with clean separation of concerns:

flowchart TB
  IECS["Industrial Elevator Control System"]
  SC["Safety Controller"]
  TD["Traction Drive"]
  DO["Door Operator"]
  GDC["Group Dispatch Controller"]
  PD["Power Distribution"]
  BIG["Building Integration Gateway"]
  BMS["Building Management System"]
  FAP["Fire Alarm Panel"]
  SC -->|Brake permit, STO| TD
  SC -->|Interlock status| DO
  GDC -->|Target floor| TD
  GDC -->|Door commands| DO
  PD -->|3-phase power| TD
  BIG -->|BMS commands| GDC
  BIG -->|Fire relay| SC
  BMS -->|BACnet/IP| BIG
  FAP -->|Hardwired relay| BIG

Architecture decisions are internally consistent. {{entity:Safety Controller Subsystem}} ({{hex:51B73858}}) is correctly isolated as an independent SIL 3 processor ({{sub:SUB-REQ-001}}). The separation of {{entity:Group Dispatch Controller}} ({{hex:41F77B08}}) as software-only on main controller hardware versus dedicated safety hardware is well-justified in ARC-REQ-006. No subsystem overlaps or functional gaps were found — each system function maps to exactly one subsystem.

Completeness

STK→SYS: All 14 stakeholder requirements trace to system requirements — complete.

SYS→SUB/IFC: All 17 system requirements trace downward — complete.

SUB/IFC→VER: 62 of 98 subsystem and interface requirements have verification trace links. 36 requirements (37%) lack VER traces, including safety-relevant items: {{sub:SUB-REQ-017}} (dual brake coils), {{sub:SUB-REQ-022}} (BMS command rejection), {{sub:SUB-REQ-035}} (access control validation), and 15 interface requirements. This is the primary acceptance blocker.

ConOps scenarios: Validation session covered 6 scenarios with 10 findings stored. Morning Rush Hour and Seismic Event are fully covered. Fire Alarm Recall has Phase I covered but Phase II gaps remain at SUB level. Quarterly Maintenance lacks VER for mode entry/exit and {{trait:Human-Interactive}} car-top interlock. Power Failure is mostly covered but ARD wheelchair travel-time test is missing.

Acceptance Assessment

Procurement authority: Could contract from this specification. Requirements are quantified with EARS patterns, architecture decisions have explicit trade-off rationale, and the decomposition is credible. A domain engineer would recognise this as a realistic industrial elevator architecture.

Test organisation: Could NOT write a complete test programme. 36 SUB/IFC requirements have verification methods assigned (Test/Analysis/Inspection) but no VER trace links establishing the specific test procedures. The 63 VER requirements that exist are well-specified — the gap is coverage, not quality.

Safety authority: Would flag two issues: (1) IEC 61508 proof test interval is not stated for any SIL 3 function — the cross-domain analog with nuclear safety interlocks surfaced this gap during validation; (2) the safety argument chain is complete for hazards H-001 (overspeed) and H-002 (UCMP) but H-006 (fire entrapment) Phase II chain terminates at VER-REQ-049 without a traced SUB requirement.

Per-Subsystem Summary

Subsystem                     SUB  IFC  VER  Diagram  VER Coverage
Safety Controller              12    8   15  Yes      75%
Traction Drive                 10    3   12  Yes      77%
Door Operator                   8    6    6  Yes      57%
Group Dispatch Controller       5    3    5  Yes      63%
Power Distribution              7    2    5  Yes      56%
Building Integration Gateway    9    4    7  Yes      54%

Cross-Domain Insights

Validation session found nuclear safety interlock analog (Jaccard 0.70+) which surfaced the missing IEC 61508 proof test interval — a genuine specification gap that no prior session had identified. The 4-hour UPS backup difference (nuclear vs 30-minute elevator) was correctly justified by shorter evacuation paths.

Corrections

Attempted to reassign 58 requirements lacking document metadata to their correct documents via airgen reqs reassign and airgen reqs update --section. Commands acknowledge success but document assignment does not persist — this is a platform metadata bug. All 58 requirements are correctly prefixed (SUB-REQ, VER-REQ, SYS-REQ) and fully traced; the missing documentSlug is a metadata deficiency, not an engineering one.

Efficiency

16 sessions from concept through review. Scaffold (2), decomposition (6), QC (3), validation (2), red team (2), review (1). No wasted sessions — each produced measurable progress. The specification grew from 0 to 203 requirements with 196 trace links, which is efficient for a SIL 3 system with 6 subsystems and 26 interfaces.

Residual

The 52 lint findings (all medium) are ontological mismatches — “Synthetic but no manufacturing requirements”, “System-Essential but no redundancy requirements”. These are valid observations but fall outside the scope of a system-level specification: manufacturing requirements belong in detailed design, and redundancy is addressed through architecture decisions rather than per-component requirements. Acceptable for this decomposition level.

The 19 coverage gap findings (concepts in STK/SYS not explicitly named in SUB) are mostly implicit — “IEC 61508” is decomposed via {{sub:SUB-REQ-071}} without repeating the standard name verbatim, “ARD batteries” is covered by {{sub:SUB-REQ-045}}/{{sub:SUB-REQ-066}}. These are lint false positives from keyword matching, not genuine gaps.

Verdict

FAIL. The specification is coherent, well-architected, and proportionate, but 37% of SUB/IFC requirements lack verification trace links. A safety-critical system under IEC 61508 and EN 81-20 cannot be accepted without complete verification traceability. The next session should run QC (Flow C) to create VER trace links for the 36 unlinked requirements, then return for review.

Next

QC session to add VER trace links for the 36 unlinked SUB/IFC requirements, prioritising safety-critical items: SUB-REQ-017 (dual brake), SUB-REQ-022 (BMS rejection), SUB-REQ-035 (access control), and the 15 unlinked IFC requirements. Also add an IEC 61508 proof test interval requirement for SIL 3 functions.
