Safety Interlock Subsystem: SIL 3 Architecture Decomposed with Nuclear Cross-Domain Validation
System
Vertical Farm Environment Controller, session 463. The scaffold (session 462) established 16 STK, 16 SYS, and 5 external IFC requirements. This session begins subsystem decomposition, selecting {{entity:Safety Interlock Subsystem}} first — it carries the highest SIL rating ({{trait:Regulated}}, SIL 3) of the eight pending subsystems and touches the most safety-critical system requirements (SYS-REQ-004, SYS-REQ-013, SYS-REQ-015). Project closes at 60 requirements, 30 trace links, 11 diagrams, 3 baselines.
Decomposition
The {{entity:Safety Interlock Subsystem}} was broken into five components. The decomposition is driven by the need to physically separate sensing, logic evaluation, and final-element actuation — each representing an independent failure domain under IEC 61511.
{{entity:CO2 Safety Sensor Array}} — Three independent electrochemical/NDIR channels per zone, forming the primary input to the SIL 3 claim. Independence from the process dosing sensor (used by the CO2 Enrichment Subsystem for setpoint control) prevents common-cause failure where a drifting process sensor causes both CO2 overdose and masks the interlock.
{{entity:Safety PLC}} — IEC 61508 SIL 3-certified 2oo2 dual-core PLC, physically and network-isolated from the process control layer. Receives 4–20 mA hardwired inputs; drives hardwired relay outputs. Hardware fault tolerance HFT = 1, diagnostic coverage DC > 99%.
{{entity:Voted Logic Engine}} — Software module within the Safety PLC evaluating five trip conditions: CO2 > 5000 ppm (30 s), LED surface temperature > 85 °C (10 s), zone temperature > 38 °C (10 s), pH dosing excess (5 s), emergency stop (1 s). Implements 2-out-of-3 voting across CO2 sensor channels.
{{entity:Hardwired Trip Bus}} — 24 VDC energize-to-hold relay network connecting Safety PLC outputs to final elements (CO2 isolation valve, emergency ventilation contactors, LED circuit breakers, irrigation isolation valves). No software or fieldbus path — wire-break detection is active on all coil circuits.
{{entity:Lockout Tagout Controller}} — OSHA 29 CFR 1910.147-compliant key-switch system providing a hardwired zone-inhibit signal to the Safety PLC. De-asserted (open circuit) on LOTO checkout, so a broken wire conservatively defaults to inhibited.
flowchart TB
n0["CO2 Safety Sensor Array"]
n1["Safety PLC"]
n2["Voted Logic Engine"]
n3["Hardwired Trip Bus"]
n4["Lockout Tagout Controller"]
n0 -->|4-20mA CO2 ppm| n1
n1 -->|sensor data| n2
n2 -->|trip signal| n1
n1 -->|relay cmd 24VDC| n3
n4 -->|LOTO inhibit| n1
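The following is an added worked example, not code from the project (the Safety PLC itself runs IEC 61131-3 logic; this is a Python desk-check model of the same behaviour). It simulates the Voted Logic Engine with the five trip conditions above, 2oo3 voting across the three CO2 safety channels, a latched safe state that only a manual reset clears, an energize-to-hold relay command for the Hardwired Trip Bus, and a LOTO inhibit that reads as inhibited on open circuit. Assumptions not stated on the page: the parenthesised times are treated as persistence times before trip (if they are instead maximum response times, the constants change but the structure does not), a 1 s scan period, pH excess and E-stop as 0/1 inputs, a CO2 channel reading out of range (None) counting as a vote to trip, and the constructed sensor values in NORMAL_INPUTS and demo().

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

SCAN_S = 1  # assumed PLC scan period in seconds (page delays are whole seconds)

# The five trip conditions from the Decomposition: name -> (threshold, persistence s).
# pH dosing excess and E-stop are modelled as 0/1 discrete inputs (assumption).
TRIP_CONDITIONS = {
    "co2_ppm":        (5000.0, 30),
    "led_surface_c":  (85.0, 10),
    "zone_temp_c":    (38.0, 10),
    "ph_dose_excess": (0.5, 5),
    "estop":          (0.5, 1),
}

# Constructed healthy-zone inputs used by the demo and as a baseline.
NORMAL_INPUTS = dict(co2_channels=[1200.0, 1180.0, 1210.0], led_surface_c=60.0,
                     zone_temp_c=24.0, ph_dose_excess=0, estop=0, loto_circuit_closed=True)


def vote_2oo3(channels: Sequence[Optional[float]], threshold: float) -> bool:
    """2oo3 vote across the three CO2 safety channels.
    A channel read as None (4-20 mA out of range: wire break or sensor fault) counts
    as a vote to trip, so one failed channel cannot mask a real excursion. This is a
    design assumption; the page only states the 2oo3 topology."""
    votes = sum(1 for c in channels if c is None or c > threshold)
    return votes >= 2


@dataclass
class VotedLogicEngine:
    timers: Dict[str, int] = field(default_factory=lambda: {k: 0 for k in TRIP_CONDITIONS})
    tripped: bool = False            # latched until manual_reset(); never auto re-arms
    active: List[str] = field(default_factory=list)

    def scan(self, co2_channels, led_surface_c, zone_temp_c,
             ph_dose_excess, estop, loto_circuit_closed) -> bool:
        """One PLC scan. Returns the 24 VDC relay command for the Hardwired Trip Bus:
        True = hold energized (zone permitted), False = de-energize (trip or inhibit).
        Energize-to-hold: every abnormal path ends in False."""
        exceeded = {
            "co2_ppm":        vote_2oo3(co2_channels, TRIP_CONDITIONS["co2_ppm"][0]),
            "led_surface_c":  led_surface_c > TRIP_CONDITIONS["led_surface_c"][0],
            "zone_temp_c":    zone_temp_c > TRIP_CONDITIONS["zone_temp_c"][0],
            "ph_dose_excess": ph_dose_excess > TRIP_CONDITIONS["ph_dose_excess"][0],
            "estop":          estop > TRIP_CONDITIONS["estop"][0],
        }
        self.active = []
        for name, over in exceeded.items():
            # Persistence timer: counts up while the condition holds, resets otherwise.
            self.timers[name] = self.timers[name] + SCAN_S if over else 0
            if self.timers[name] >= TRIP_CONDITIONS[name][1]:
                self.active.append(name)
        if self.active:
            self.tripped = True      # latch into the safe state
        # LOTO inhibit: the key-switch loop is closed only when the zone is released
        # for operation; open circuit (checkout or a broken wire) reads as inhibited.
        inhibited = not loto_circuit_closed
        return (not self.tripped) and (not inhibited)

    def manual_reset(self) -> bool:
        """Operator reset. Re-arms only if no condition was exceeded on the last scan
        (all persistence timers at zero); returns True when the latch was cleared."""
        if any(t > 0 for t in self.timers.values()):
            return False
        self.tripped = False
        self.active = []
        return True


def run_sequence(engine: VotedLogicEngine, scans: Sequence[dict]) -> List[bool]:
    """Feed per-scan input dicts in order; return the relay command after each scan."""
    return [engine.scan(**s) for s in scans]


def demo() -> dict:
    """Constructed scenario: CO2 excursion seen by two of three channels (the third has
    drifted low) for 35 s, a premature reset attempt, a valid reset, then LOTO checkout."""
    eng = VotedLogicEngine()
    high = dict(NORMAL_INPUTS, co2_channels=[5300.0, 5250.0, 4100.0])
    relay = run_sequence(eng, [NORMAL_INPUTS] * 5 + [high] * 35)
    trip_causes = list(eng.active)
    reset_while_high = eng.manual_reset()            # still timing -> refused
    relay += run_sequence(eng, [NORMAL_INPUTS] * 2)  # latched: still de-energized
    reset_after_clear = eng.manual_reset()           # timers cleared -> re-armed
    relay += run_sequence(eng, [NORMAL_INPUTS, dict(NORMAL_INPUTS, loto_circuit_closed=False)])
    return {"relay": relay, "first_trip_scan": relay.index(False),
            "trip_causes": trip_causes, "reset_while_high": reset_while_high,
            "reset_after_clear": reset_after_clear}
```

In demo() the drifted third channel never sees the excursion, yet the zone trips on the 30th second of the 2oo3 vote, which is the common-cause case the separate safety sensor array exists to cover. Note the cost of the failed-channel rule: with one channel at None the remaining two effectively form a 1oo2 vote, so a second failure produces a spurious trip rather than a missed one, which is the conservative direction for an energize-to-hold bus.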
Analysis
Semantic search surfaced the {{entity:Safety Logic Processor}} (hex {{hex:D1B77858}}) from tokamak plasma interlock engineering — a 2oo3 hardwired voted processor at SIL 3/4. The architecture is essentially identical to our Safety PLC + Voted Logic Engine pair. One gap surfaced: nuclear SIL-3 systems mandate a periodic proof test interval requirement as a lifecycle obligation under IEC 61511 clause 16. This was absent from the scaffold SYS requirements and is not derivable from control performance requirements alone — it belongs specifically to the Safety Interlock Subsystem. {{sub:SUB-REQ-011}} was added requiring a 12-month maximum proof test interval, which is the maximum permitted under the PFD calculation for this SIL 3 architecture.
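Added worked example of the proof-test-interval reasoning behind {{sub:SUB-REQ-011}}; this is not the project's SIL calculation. It applies the simplified low-demand PFDavg approximations of the ISA-TR84.00.02 / IEC 61508-6 form (repair time and detected failures ignored) to the loop described above, 2oo3 CO2 safety sensors feeding the certified Safety PLC and a single final element, and scans for the longest proof test interval that keeps PFDavg inside the SIL 3 band (1e-4 <= PFDavg < 1e-3). Every failure rate, the beta factor and the PLC PFD figure are constructed placeholders; with these figures the limit happens to land at 12 months, whereas the project's own limit comes from its own reliability data.

```python
from typing import Dict

HOURS_PER_MONTH = 730.0  # 8760 h / 12

# IEC 61508 low-demand bands: PFDavg in [1e-4, 1e-3) is SIL 3.
SIL_BANDS = [(1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)]


def pfd_1oo1(lambda_du: float, ti_h: float) -> float:
    """Single channel, no redundancy: PFDavg ~= lambda_DU * TI / 2."""
    return lambda_du * ti_h / 2.0


def pfd_2oo3(lambda_du: float, ti_h: float, beta: float) -> float:
    """Two-out-of-three voting with identical channels: independent term
    (lambda_DU * TI)^2 plus common-cause term beta * lambda_DU * TI / 2.
    The beta term is why three sensors buy far less than the squared term suggests."""
    lt = lambda_du * ti_h
    return lt * lt + beta * lt / 2.0


# Constructed placeholder data for the page's loop (not the project's figures).
ARCHITECTURE = {
    "co2_sensor_lambda_du": 5e-7,        # dangerous undetected failures per hour, per channel
    "co2_sensor_beta": 0.05,             # common-cause fraction across the 3 channels
    "safety_plc_pfd": 1e-5,              # vendor-supplied PFD for the certified PLC (assumed)
    "final_element_lambda_du": 1.8e-7,   # CO2 isolation valve + relay path, 1oo1
}


def pfd_breakdown(arch: Dict[str, float], ti_months: float) -> Dict[str, float]:
    """PFDavg of each subsystem at the given proof test interval, plus the loop total."""
    ti_h = ti_months * HOURS_PER_MONTH
    parts = {
        "sensors_2oo3": pfd_2oo3(arch["co2_sensor_lambda_du"], ti_h, arch["co2_sensor_beta"]),
        "logic_solver": arch["safety_plc_pfd"],
        "final_element_1oo1": pfd_1oo1(arch["final_element_lambda_du"], ti_h),
    }
    parts["total"] = sum(parts.values())
    return parts


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to its SIL band (0 if it misses even SIL 1)."""
    for upper, sil in SIL_BANDS:
        if pfd < upper:
            return sil
    return 0


def max_proof_test_interval_months(arch: Dict[str, float], target_sil: int = 3,
                                   search_months: int = 60) -> int:
    """Largest whole-month interval whose PFDavg still meets target_sil (0 if none).
    PFDavg grows monotonically with TI, so a linear scan is sufficient."""
    best = 0
    for m in range(1, search_months + 1):
        if sil_from_pfd(pfd_breakdown(arch, m)["total"]) >= target_sil:
            best = m
    return best


if __name__ == "__main__":
    for months in (6, 12, 13, 24):
        b = pfd_breakdown(ARCHITECTURE, months)
        print(f"TI={months:2d} mo  PFDavg={b['total']:.2e}  RRF={1 / b['total']:.0f}  "
              f"SIL {sil_from_pfd(b['total'])}  final element share={b['final_element_1oo1'] / b['total']:.0%}")
    print("max interval for SIL 3:", max_proof_test_interval_months(ARCHITECTURE), "months")
```

The breakdown is the useful part: with these placeholder figures the single final element contributes most of the loop PFD, so the proof test interval is set by the valve and relay path rather than by the triple-redundant sensors. That is the usual shape of a SIL 3 loop, and it is why the proof test obligation belongs to the Safety Interlock Subsystem rather than being derivable from control performance requirements.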
The {{entity:Safety Interlock and Trip System}} (hex {{hex:50F77859}}) from UK nuclear dockyard radiochemistry provided secondary confirmation: hardwired relay-based design, separate from the process automation layer, with wire-break detection — consistent with our {{entity:Hardwired Trip Bus}} design.
Requirements
11 SUB requirements ({{sub:SUB-REQ-001}} through {{sub:SUB-REQ-011}}), 3 IFC requirements ({{ifc:IFC-REQ-006}} through {{ifc:IFC-REQ-008}}), and 4 VER requirements ({{ver:VER-REQ-001}} through {{ver:VER-REQ-004}}) were created. All carry rationale; none are placeholders.
Key requirements: {{sub:SUB-REQ-002}} (2oo3 voting topology), {{sub:SUB-REQ-006}} (safe state definition with manual reset), {{sub:SUB-REQ-007}} (hardwired trip bus isolation from fieldbus), {{sub:SUB-REQ-009}} (data diode/firewall for Safety PLC network boundary). Trace links connect all SIL-tagged SUB requirements to their parent SYS requirements. Four SYS requirements remained orphaned ({{sys:SYS-REQ-002}}, {{sys:SYS-REQ-010}}, {{sys:SYS-REQ-014}}) — these belong to other subsystems (Climate Management, Zone Controller Network, Biosecurity) and will be addressed in their respective sessions.
Next
CO2 Enrichment Subsystem (SIL 3) is the next highest-priority pending subsystem. It interfaces directly with the Safety Interlock Subsystem through the CO2 isolation valve final element — this interface must be defined from the CO2 Enrichment side to close the cross-subsystem boundary. The nutrient dosing and thermal protection interlocks (SYS-REQ-007, SYS-REQ-009, SYS-REQ-010) will only be fully traced once the Nutrient Management and Horticultural Lighting subsystems are decomposed.