Vertical farm concept: CO2 safety drives SIL 3 allocation and independent hardware interlocks
System
The {{entity:Vertical Farm Environment Controller}} ({{hex:51F73A18}}) is a new concept-phase system in the Agriculture domain — the twentieth system in the decomposition programme and the first in controlled-environment agriculture. The controller manages environmental parameters (temperature, humidity, CO2, lighting, nutrients, irrigation) across multiple growing zones in a commercial multi-storey indoor farm. It was classified with strong {{trait:Functionally Autonomous}}, {{trait:Processes Signals/Logic}}, and {{trait:System-Essential}} traits, consistent with a closed-loop industrial control system.
ConOps
Six operating modes are defined: Startup/Initialisation, Normal Operation, Degraded Operation, Emergency Shutdown, Maintenance, and Harvest/Crop Changeover. The Normal Operation mode runs independent control loops per zone with crop-specific recipes varying setpoints by growth stage. The Emergency Shutdown mode is the most architecturally significant: triggered by CO2 exceeding 5000ppm (the OSHA 8-hour TWA limit), by water detected near electrical equipment, or by a fire alarm, it must independently de-energise CO2 injection and activate emergency ventilation regardless of the software controller's state, including a controller that has been compromised or has hung.
Five ConOps scenarios capture the operational reality: daily growing cycle management (the happy path through photoperiod transitions), HVAC failure and zone isolation (degraded operation with crop impact estimation), CO2 leak emergency (the critical safety scenario with two-person reset), nutrient sensor drift causing crop stress (the slow-failure case that evades rate-of-change alarms because the control loop keeps dosing against the biased reading), and crop changeover with sanitisation (the maintenance/lifecycle scenario). The sensor drift scenario surfaced an important cross-domain analog: water treatment plants face identical analyser drift challenges and routinely deploy redundant sensors with deviation alarms between them, which this system should consider.
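To make the sensor drift scenario concrete, the following added example (not part of the page's design or any vendor's code; the alarm thresholds, drift rate, sample length and readings are constructed assumptions) models a pH sensor that gains a slow offset while the controller keeps dosing against it, and compares a rate-of-change alarm on that sensor with a deviation alarm against a second, healthy sensor:

```python
"""Added example: why slow sensor drift evades a rate-of-change alarm on the
sensor the controller trusts, but is caught by a deviation alarm between
redundant sensors. All thresholds and readings below are constructed."""

RATE_LIMIT_PH = 0.2        # assumed rate-of-change alarm: max |delta| between hourly samples
DEVIATION_LIMIT_PH = 0.3   # assumed redundant-sensor disagreement alarm
SETPOINT_PH = 6.0


def rate_of_change_alarms(series, limit=RATE_LIMIT_PH):
    """Indices where the change since the previous sample exceeds the limit.
    This is the single-sensor alarm the scenario says drift evades."""
    return [i for i in range(1, len(series)) if abs(series[i] - series[i - 1]) > limit]


def deviation_alarms(primary, redundant, limit=DEVIATION_LIMIT_PH):
    """Indices where two independent sensors disagree by more than the limit."""
    return [i for i, (a, b) in enumerate(zip(primary, redundant)) if abs(a - b) > limit]


def simulate_closed_loop_drift(setpoint=SETPOINT_PH, hours=96, drift_per_hour=0.01):
    """Constructed scenario. The primary pH sensor gains an upward offset of
    drift_per_hour every hour. The controller trusts it and doses acid until
    the *reported* pH is back at setpoint (modelled as perfect control), so the
    true pH falls while the reported trace looks perfectly stable. A second,
    healthy sensor reports the true value.
    Returns (reported, redundant, true_ph) as hourly lists."""
    reported, redundant, true_ph = [], [], []
    for h in range(hours):
        offset = drift_per_hour * h
        actual = setpoint - offset                  # what the crop actually sees
        reported.append(round(actual + offset, 4))  # drifting sensor: always reads ~setpoint
        redundant.append(round(actual, 4))          # independent healthy sensor
        true_ph.append(round(actual, 4))
    return reported, redundant, true_ph


def simulate_step_fault(setpoint=SETPOINT_PH, hours=24, at_hour=10, step=0.5):
    """Constructed comparison: a sudden sensor step, the failure mode a
    rate-of-change alarm is actually good at catching."""
    return [setpoint + (step if h >= at_hour else 0.0) for h in range(hours)]


def summarise(hours=96, drift_per_hour=0.01):
    """Run both scenarios and report what each alarm type would have seen."""
    reported, redundant, true_ph = simulate_closed_loop_drift(
        hours=hours, drift_per_hour=drift_per_hour)
    dev = deviation_alarms(reported, redundant)
    return {
        "roc_alarms_on_drifting_sensor": len(rate_of_change_alarms(reported)),
        "first_deviation_alarm_hour": dev[0] if dev else None,
        "true_ph_at_end": true_ph[-1],
        "roc_alarms_on_step_fault": rate_of_change_alarms(simulate_step_fault()),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

Over four days the drifting sensor never changes by more than the rate limit between samples (the controller keeps it pinned at setpoint), yet the true pH falls from 6.0 to about 5.05; the redundant-sensor deviation alarm fires in the second day, once the disagreement passes 0.3 pH. The step fault shows the opposite case, where the rate-of-change alarm fires immediately. The two alarm types are complementary, which is the argument for redundant pH/EC sensing rather than a tighter rate limit.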
Hazard Register
| ID | Description | Severity | Freq | SIL | Safe State |
|---|---|---|---|---|---|
| H-001 | CO2 valve failure causing lethal accumulation >40,000ppm | Catastrophic | Low | 3 | CO2 valves de-energised closed, emergency ventilation max |
| H-002 | Water leak near 400V electrical — electrocution | Catastrophic | Low | 3 | Earth leakage trips in 30ms, zone electrical isolation |
| H-003 | pH dosing pump failure — chemical burns from concentrated acid/alkali | Critical | Medium | 2 | Dosing pumps de-energised, nutrient circulation stopped |
| H-004 | HVAC failure + LED thermal runaway — fire risk | Critical | Low | 2 | LEDs de-energised, emergency ventilation |
| H-005 | Irrigation valve fails open — multi-floor flooding | Critical | Medium | 2 | Supply valve closed, drain pumps active |
| H-006 | Pathogen spread via shared HVAC or nutrient recirculation | Major | Medium | 1 | Zone HVAC dampers closed, recirculation stopped |
| H-007 | Cyber compromise modifying setpoints to lethal CO2 | Catastrophic | Rare | 2 | As H-001, enforced by hardware interlocks independent of software |
H-001 and H-002 at SIL 3 drive the most significant architectural constraint: the safety interlock for CO2 and electrical isolation must be implemented in hardware, with its own sensors and its own de-energise-to-trip actuation path, independent of the software controller. The software controller is the common-cause failure path for H-007, so it may request a trip but must not be able to inhibit one, raise the trip threshold, or clear the latch; reset remains a local, two-person action as in the CO2 leak scenario. SIL 3 under IEC 61508 also normally implies hardware fault tolerance, so the interlock should be planned as redundant (1oo2 or 2oo3) sensing and trip channels with periodic proof testing rather than a single hardware channel.
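The independence argument is easier to check as logic. The following added example (an illustrative model, not the page's or any vendor's interlock design; the 2oo3 voting, the 1500 ppm reset hysteresis, the operator key identifiers and the shape of the controller command are assumptions) models the interlock as a latched, de-energise-to-trip function fed only by its own sensors, and walks the H-007 case in which a compromised controller demands a 40,000 ppm setpoint with the valve open:

```python
"""Added example: an independent CO2 safety interlock modelled as logic.
Assumed: three CO2 sensors voted 2oo3, the page's 5000 ppm trip point,
de-energise-to-trip valve control, a latched trip, and a two-person local
reset. The software controller can request a trip but has no way to inhibit
one, change the threshold, or release the latch."""
from dataclasses import dataclass, field

TRIP_PPM = 5000    # trip point used on the page (OSHA 8-hour TWA)
RESET_PPM = 1500   # assumed: every sensor must be below this before a reset is accepted


@dataclass
class ControllerCommand:
    """What the software controller asks for. A compromised controller (H-007)
    can write anything here; the interlock must stay safe regardless."""
    co2_setpoint_ppm: int
    valve_open: bool


@dataclass
class InterlockOutputs:
    co2_valve_energised: bool   # energised = open; de-energised = closed (safe state)
    emergency_vent_max: bool


@dataclass
class CO2Interlock:
    """Latched, de-energise-to-trip interlock fed only by its own sensors."""
    tripped: bool = False
    reset_keys: set = field(default_factory=set)

    @staticmethod
    def vote_2oo3(readings_ppm):
        """Trip when at least two of three independent sensors exceed TRIP_PPM.
        One sensor stuck low cannot mask a leak; one stuck high cannot cause a
        spurious trip."""
        if len(readings_ppm) != 3:
            raise ValueError("2oo3 voting needs exactly three readings")
        return sum(r >= TRIP_PPM for r in readings_ppm) >= 2

    def evaluate(self, readings_ppm, cmd):
        """Outputs depend on the interlock's own sensors and latch state only.
        cmd.co2_setpoint_ppm is never read: the trip threshold is not a setpoint."""
        if self.vote_2oo3(readings_ppm):
            self.tripped = True
            self.reset_keys.clear()
        if self.tripped:
            return InterlockOutputs(co2_valve_energised=False, emergency_vent_max=True)
        # Not tripped: the controller's valve request is passed through.
        return InterlockOutputs(co2_valve_energised=cmd.valve_open, emergency_vent_max=False)

    def request_trip(self):
        """Software may request a trip (for example on a cloud anomaly alert);
        there is deliberately no method that inhibits one or releases the latch."""
        self.tripped = True
        self.reset_keys.clear()

    def reset(self, readings_ppm, operator_key):
        """Two-person reset at the local panel: two distinct keys while every
        sensor reads below RESET_PPM. Returns True once the latch is cleared."""
        if not self.tripped:
            return True
        if any(r >= RESET_PPM for r in readings_ppm):
            return False
        self.reset_keys.add(operator_key)
        if len(self.reset_keys) >= 2:
            self.tripped = False
            self.reset_keys.clear()
            return True
        return False


def h007_scenario():
    """Walk the H-007 attack: a compromised controller demands lethal CO2."""
    ilk = CO2Interlock()
    hostile = ControllerCommand(co2_setpoint_ppm=40000, valve_open=True)
    trace = {}
    trace["normal"] = ilk.evaluate([900, 950, 920], hostile).co2_valve_energised
    out = ilk.evaluate([5100, 4900, 5200], hostile)            # two of three over trip
    trace["tripped_valve_closed"] = not out.co2_valve_energised
    trace["vent_max"] = out.emergency_vent_max
    trace["latched_after_clear"] = not ilk.evaluate([800, 850, 820], hostile).co2_valve_energised
    trace["one_person_reset"] = ilk.reset([800, 850, 820], "tech-A")
    trace["two_person_reset"] = ilk.reset([800, 850, 820], "tech-B")
    trace["restored"] = ilk.evaluate([800, 850, 820], hostile).co2_valve_energised
    return trace


if __name__ == "__main__":
    print(h007_scenario())
```

Two things are worth noticing in the trace. The hostile setpoint never influences the outcome because the interlock has no input for it; the only controller signal it consumes is the valve request, and only while untripped. After the two-person reset the still-compromised controller reopens the valve and the interlock will simply trip again when gas rises, which is the point: the hardware interlock bounds the consequence of H-007 but does not remove the compromise, so the IEC 62443 controls on the controller itself remain necessary.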
Stakeholders
| Role | Relationship | Hex | Cross-Domain Analog |
|---|---|---|---|
| {{entity:Grower Technician}} | Primary operator — recipe management, crop monitoring | {{hex:008502A8}} | Process operator in water treatment |
| {{entity:Vertical Farm Facility Manager}} | Operations oversight, production scheduling | {{hex:00045AF9}} | Plant manager in manufacturing |
| {{entity:Vertical Farm Maintenance Technician}} | Preventive/corrective maintenance, calibration | {{hex:000400F8}} | Instrument technician in process industry |
| {{entity:Vertical Farm Harvest Crew Worker}} | Manual harvest, zone cleaning — safety-dependent | {{hex:02040039}} | Clean-room operator in pharma |
| Food Safety Auditor | External certification — BRCGS/SQF compliance | {{hex:00842AF8}} | Regulatory inspector |
| Energy Utility/Grid Operator | Demand charges, demand-response | {{hex:00B57ADD}} | Grid operator for any large load |
| Controls System Integrator | Commissioning, configuration, firmware | {{hex:40A53A18}} | SCADA integrator |
Operating Environment
Key constraints: 18-28°C / 60-85% RH in growing zones (condensation risk on electronics; IP65 required for zone sensors); LED drivers generate EMI at 50-200kHz, requiring EN 61326-1 EMC compliance for measurement and control equipment; 500kW-2MW facility load with UPS (30-min ride-through) and generator backup for safety systems. The regulatory environment includes OSHA CO2 exposure limits (5000ppm 8-hour TWA), IEC 60204-1 electrical safety, HACCP food safety, and IEC 62443 industrial cybersecurity. Operational tempo is 24/7/365 with 21-42 day crop cycles.
External Interfaces
| External System | Interface | Hex |
|---|---|---|
| Building Management System | BACnet/IP — fire alarms, weather, energy metrics | {{hex:51F77B58}} |
| Crop Planning/ERP | REST API — recipes in, logs/harvest data out | {{hex:50BD7B08}} |
| Energy Management/Grid | OpenADR 2.0 + Modbus TCP — pricing, DR, load forecasts | {{hex:40B57B59}} |
| Cloud Monitoring Platform | MQTT/TLS — telemetry out, anomaly alerts in | {{hex:40E57319}} |
| CO2 Bulk Supply System | 4-20mA + digital I/O — tank level, valve control (safety-critical) | {{hex:56B53018}} |
```mermaid
flowchart TB
n0["Vertical Farm Environment Controller"]
n1(["Grower Technician"])
n2(["Facility Manager"])
n3(["Maintenance Technician"])
n4["Building Management System"]
n5["Crop Planning / ERP"]
n6["Energy Management / Grid"]
n7["Cloud Monitoring Platform"]
n8["CO2 Bulk Supply System"]
n9(["Harvest Crew"])
n1 -->|Recipe adjustments, commands| n0
n0 -->|Dashboard, alarms, analytics| n1
n2 -->|Scheduling, overrides| n0
n0 -->|KPI reports, fault alerts| n2
n3 -->|Calibration, lockout, actuator test| n0
n4 -->|Fire alarm, weather data| n0
n0 -->|Energy consumption| n4
n5 -->|Crop recipes, zone schedule| n0
n0 -->|Environmental logs, harvest data| n5
n6 -->|Pricing, DR requests| n0
n0 -->|Load forecasts| n6
n0 -->|Telemetry, sensor data| n7
n7 -->|Anomaly alerts, predictions| n0
n8 -->|Tank level, pressure| n0
n0 -->|Valve control signals| n8
n9 -->|Zone entry/exit| n0
n0 -->|Zone status, safety conditions| n9
```
The diagram shows the normal-operation control and data paths only. The SIL 3 hardware interlock for H-001/H-002 sits between the controller's valve control signals and the CO2 Bulk Supply System's valves (and the zone electrical isolation) and is not a software interface of the controller, so it does not appear here.
Next
The scaffold session should focus on deriving STK requirements from the five ConOps scenarios, prioritising the CO2 safety chain (H-001/H-007 → SIL 3 hardware interlock architecture) and the nutrient control loop (the sensor drift scenario exposed the need for redundant pH/EC sensing). The energy optimisation interface is architecturally interesting — the controller must balance demand-response curtailment against crop tolerance windows, which constrains how aggressively it can shed load. System requirements should quantify environmental tolerances per crop type and define the degraded-mode performance floors that were identified as gaps during hazard analysis.