Vertical Farm Environment Controller — Validation Pass with SIL-3 VER Gap Closure
System
The {{entity:Vertical Farm Environment Controller}} ({{hex:D1F77818}}) entered this session with status qc-reviewed, at 236 requirements across 6 documents (STK ×16, SYS ×20, SUB ×94, IFC ×42, ARC ×11, VER ×53), 224 trace links. The session scope is full Flow D validation: bottom-up verification audit and top-down ConOps scenario walk.
flowchart TB
n0["Vertical Farm Environment Controller"]
n1["Climate Management Subsystem"]
n2["Horticultural Lighting Subsystem"]
n3["Nutrient Management Subsystem"]
n4["CO2 Enrichment Subsystem"]
n5["Safety Interlock Subsystem"]
n6["Supervisory Control Subsystem"]
n7["Data Acquisition and Compliance Subsystem"]
n8["Zone Controller Network"]
n0 --> n1
n0 --> n2
n0 --> n3
n0 --> n4
n0 --> n5
n0 --> n6
n0 --> n7
n0 --> n8
n8 -->|setpoints/feedback| n1
n8 -->|PWM commands| n2
n8 -->|dose/irrigate| n3
n8 -->|valve commands| n4
n6 -->|recipes/modes| n8
n8 -->|sensor data| n7
n5 -.->|CO2 trip| n4
n5 -.->|thermal trip| n2
Verification Audit
The 53 VER requirements were sampled against their SUB/IFC/SYS targets. The majority were adequate — each specifies test equipment, procedure, and pass/fail criteria quantified to the requirement threshold. Three issues found:
VER-REQ-032 (VLAN isolation) uses Inspection with active frame injection — this is correctly a hybrid and is acceptable; the SNMP config audit plus live VLAN-crossing test together constitute sufficient verification.
SYS-REQ-011 (data logging — Inspection): cryptographic integrity verification and 2-year retention cannot be confirmed by inspecting the specification. The method was upgraded to Test, with the rationale updated to require a tamper-detection exercise and a retention-policy stress test. The subsystem reqs (SUB-REQ-070, SUB-REQ-071) already specified Test, so this restores consistency.
SYS-REQ-015 (SIL-3 safety independence — Analysis): IEC 61508 SIL-3 requires physical demonstration of independence, not architecture review alone. Method upgraded to Test: the required evidence is the Safety PLC continuing to run interlock logic through a supervisory software crash and through a network path disconnection.
VER coverage gaps were significant before this session: 64/94 SUB requirements and 9/42 IFC requirements had no VER trace link. The gaps fell into three groups: (1) SIL-3/SIL-2 safety functions that had been decomposed but never given a verification procedure — the most serious; (2) climate, lighting, and ZCN performance requirements that could be covered by grouped integration tests; (3) physical installation specifications (Inspection methods) that will be verified in commissioning procedures already documented in VER-REQ-052.
Twelve new VER requirements were added to close the priority gaps. SIL-3 safety interlock gaps closed: {{entity:Safety Interlock Subsystem}} proof-test procedure ({{sub:SUB-REQ-011}}), voted-logic audit-log HIL test ({{sub:SUB-REQ-010}}), and Safety PLC network isolation inspection-plus-active-test ({{sub:SUB-REQ-009}}). SIL-2 gaps closed: emergency lighting shutdown across all 8 zones ({{sub:SUB-REQ-045}}), independent CO2 safety sensor supply isolation and fault response ({{sub:SUB-REQ-076}}), HVAC zone isolation plus thermal derating ({{sub:SUB-REQ-060}}, {{sub:SUB-REQ-043}}). Grouped functional tests cover 5 climate management performance reqs ({{sub:SUB-REQ-054}}, {{sub:SUB-REQ-056}}–{{sub:SUB-REQ-059}}) and 5 ZCN performance reqs ({{sub:SUB-REQ-066}}–{{sub:SUB-REQ-069}}, {{sub:SUB-REQ-075}}).
Scenario Validation
Scenario: CO2 emergency during harvest crew presence ({{stk:STK-REQ-007}}) — Covered. Chain: STK-REQ-007 → {{sys:SYS-REQ-003}}/{{sys:SYS-REQ-004}} → {{sub:SUB-REQ-001}}–{{sub:SUB-REQ-009}}, {{sub:SUB-REQ-022}} → VER-REQ-001/004/009/044/045/048. The 2oo3 CO2 voting (VER-REQ-044), end-to-end trip timing (VER-REQ-003), and independent SIL-2 safety sensor (new REQ-048) together provide a credible safety argument for this hazard.
Scenario: Worker-comfort mode on harvest crew zone entry ({{stk:STK-REQ-008}}) — Gap found and closed. STK-REQ-008 was incorrectly derived to SYS-REQ-016 (sanitisation), with no SYS requirement covering the actual scenario: automatic zone parameter change (22°C, 50% white light, CO2 enrichment off) when zone access reader triggers, with production-mode lockout until crew exit. A new system requirement (REQ-SEVERTICALFARMENV-051) was written to cover this, with a full-facility integration test (REQ-SEVERTICALFARMENV-052) specifying the access-reader trigger, 60-second response bound, and zone-occupied interlock verification.
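The zone-occupied interlock that REQ-SEVERTICALFARMENV-051 describes is easy to get wrong (restoring the production recipe while a second worker is still inside, or letting a supervisory recipe push override the comfort parameters). The following is an added illustration, not code from the report or the project: a minimal zone mode state machine with the scenario's parameters (22°C, 50% white light, CO2 enrichment off) and the 60-second response bound. Occupancy counting via separate entry and exit events, and the `ZoneSetpoints`/`ZoneState` names, are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ZoneMode(Enum):
    PRODUCTION = "production"
    WORKER_COMFORT = "worker_comfort"


@dataclass(frozen=True)
class ZoneSetpoints:
    temp_c: float
    white_light_pct: float
    co2_enrichment: bool


# Worker-comfort parameters as stated in the scenario: 22 C, 50 % white light, CO2 enrichment off.
WORKER_COMFORT_SETPOINTS = ZoneSetpoints(temp_c=22.0, white_light_pct=50.0, co2_enrichment=False)

# Response bound taken from the integration test description (60 s).
RESPONSE_BOUND_S = 60.0


@dataclass
class ZoneState:
    mode: ZoneMode
    occupants: int                    # assumed: access reader counts entries, exit reader counts exits
    setpoints: ZoneSetpoints          # what the zone controller is currently commanding
    production_recipe: ZoneSetpoints  # recipe to restore once the zone is empty again
    comfort_entered_at: Optional[float] = None


def new_zone_state(production_recipe: ZoneSetpoints) -> ZoneState:
    return ZoneState(ZoneMode.PRODUCTION, 0, production_recipe, production_recipe)


def on_access_reader(state: ZoneState, now: float) -> None:
    """Zone access reader triggered: switch to worker-comfort and lock out production."""
    state.occupants += 1
    if state.mode is ZoneMode.PRODUCTION:
        state.mode = ZoneMode.WORKER_COMFORT
        state.setpoints = WORKER_COMFORT_SETPOINTS
        state.comfort_entered_at = now


def on_crew_exit(state: ZoneState, now: float) -> None:
    """Exit event: the production recipe is restored only when the last occupant leaves."""
    state.occupants = max(0, state.occupants - 1)
    if state.occupants == 0 and state.mode is ZoneMode.WORKER_COMFORT:
        state.mode = ZoneMode.PRODUCTION
        state.setpoints = state.production_recipe
        state.comfort_entered_at = None


def request_production_mode(state: ZoneState, recipe: ZoneSetpoints) -> bool:
    """Supervisory request to (re)apply a production recipe.

    Refused while the zone is occupied: this is the zone-occupied interlock.
    The recipe is retained so it takes effect once the crew has left.
    """
    state.production_recipe = recipe
    if state.occupants > 0:
        return False
    state.mode = ZoneMode.PRODUCTION
    state.setpoints = recipe
    return True


def within_response_bound(trigger_t: float, applied_t: float, bound_s: float = RESPONSE_BOUND_S) -> bool:
    """Pass/fail check for the test: parameters applied within the bound after the reader trigger."""
    return 0.0 <= applied_t - trigger_t <= bound_s
```

The interlock lives in `request_production_mode`: the supervisory layer can queue a recipe but cannot apply it while `occupants > 0`, and `on_crew_exit` only restores production when the count reaches zero. An integration test for REQ-SEVERTICALFARMENV-052 would drive the reader and exit events and check `within_response_bound` against the time the setpoints were observed on the zone controller.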
Scenario: Emergency shutdown ({{sys:SYS-REQ-013}}) — Covered. Chain ends at VER-REQ-028 (full-facility E-stop, multi-channel oscilloscope timing), VER-REQ-029 (hardwired trip propagation delay), and new REQ-046 (LED de-energisation across all 8 zones within 5 s). The 3-second system-level bound in SYS-REQ-013 is validated by the subsystem-level timing tests with adequate margin.
Scenario: Demand response ({{stk:STK-REQ-011}}) — Covered. Chain: STK-REQ-011 → {{sys:SYS-REQ-012}} → {{sub:SUB-REQ-072}}, {{sub:SUB-REQ-061}} → VER-REQ-035. The OpenADR 2.0b test VTN procedure in VER-REQ-035 includes timing measurement and curtailment confirmation.
Scenario: HACCP audit compliance ({{stk:STK-REQ-009}}, {{stk:STK-REQ-010}}) — Covered. Chain: STK-REQ-009/010 → {{sys:SYS-REQ-011}} → {{sub:SUB-REQ-070}}/{{sub:SUB-REQ-071}}/{{sub:SUB-REQ-074}} → VER-REQ-034/036. Retention and crypto integrity now tested after method upgrade.
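The tamper-detection exercise required by the SYS-REQ-011 method upgrade (Verification Audit) and exercised again in this HACCP scenario needs a concrete integrity mechanism to test against. The following is an added example, not the project's own logging design: an HMAC-chained audit log in which each record's tag covers the previous record's tag, plus the check a test procedure would run after modifying, deleting and truncating records. The key, record fields, zone names and log events are constructed for the example; in a real deployment the key would come from protected storage on the Data Acquisition and Compliance Subsystem.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed demo key so the example runs stand-alone; not a production value.
HMAC_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS_TAG = "0" * 64


@dataclass(frozen=True)
class LogRecord:
    seq: int          # position in the chain
    timestamp: str    # ISO-8601, constructed
    zone: str
    event: str
    prev_tag: str     # tag of the preceding record (the chain link)
    tag: str          # HMAC-SHA256 over this record's fields including prev_tag


def _tag(seq: int, timestamp: str, zone: str, event: str, prev_tag: str) -> str:
    payload = json.dumps([seq, timestamp, zone, event, prev_tag], separators=(",", ":")).encode()
    return hmac.new(HMAC_KEY, payload, hashlib.sha256).hexdigest()


def append_record(chain: List[LogRecord], timestamp: str, zone: str, event: str) -> LogRecord:
    prev = chain[-1].tag if chain else GENESIS_TAG
    seq = len(chain)
    rec = LogRecord(seq, timestamp, zone, event, prev, _tag(seq, timestamp, zone, event, prev))
    chain.append(rec)
    return rec


def verify_chain(chain: List[LogRecord]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad record.

    Detects in-place modification and deletion or reordering of interior records.
    """
    expected_prev = GENESIS_TAG
    for i, rec in enumerate(chain):
        if rec.seq != i or rec.prev_tag != expected_prev:
            return i
        if not hmac.compare_digest(rec.tag, _tag(rec.seq, rec.timestamp, rec.zone, rec.event, rec.prev_tag)):
            return i
        expected_prev = rec.tag
    return None


def verify_against_anchor(chain: List[LogRecord], anchor_seq: int, anchor_tag: str) -> bool:
    """Truncation from the tail leaves a valid-looking chain; an externally stored
    (seq, tag) anchor, e.g. exported daily to write-once storage, closes that gap."""
    if verify_chain(chain) is not None:
        return False
    return len(chain) > anchor_seq and hmac.compare_digest(chain[anchor_seq].tag, anchor_tag)


# Tampering helpers for the tamper-detection exercise; each returns a new list
# and leaves the original chain untouched.
def tamper_modify(chain: List[LogRecord], idx: int, new_event: str) -> List[LogRecord]:
    out = list(chain)
    out[idx] = replace(out[idx], event=new_event)
    return out


def tamper_delete(chain: List[LogRecord], idx: int) -> List[LogRecord]:
    return chain[:idx] + chain[idx + 1:]


def build_demo_chain() -> List[LogRecord]:
    """Constructed sample log: three sanitisation-related events in one zone."""
    chain: List[LogRecord] = []
    append_record(chain, "2026-03-22T08:00:00Z", "zone-3", "co2_setpoint=1200ppm")
    append_record(chain, "2026-03-22T08:05:00Z", "zone-3", "sanitisation_start")
    append_record(chain, "2026-03-22T08:40:00Z", "zone-3", "sanitisation_complete")
    return chain
```

The caveat a test procedure should include: `verify_chain` alone cannot detect removal of the newest records, because a shortened chain is still internally consistent. `verify_against_anchor` is the check that catches truncation, and it only works if the anchor is stored somewhere the logging host cannot rewrite. A retention stress test would additionally confirm that records older than the 2-year window are the only ones pruned and that pruning does not break the anchor chain.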
Mode Coverage
Normal Operation: fully covered. Degraded modes — HVAC compressor trip ({{sys:SYS-REQ-008}}) covered by VER-REQ-025. Worker-comfort mode: newly covered. Sanitisation/changeover mode: covered by VER-REQ-036 and SYS-REQ-016 chain. Network-loss holdover ({{sub:SUB-REQ-075}}): covered by new REQ-050 ZCN HIL test.
Safety Argument
H-CO2-001 (CO2 toxic accumulation, SIL-3): Chain: {{sub:SUB-REQ-001}}–{{sub:SUB-REQ-009}} → VER-REQ-001/004/044/045/048. SIL-3 Architecture: 2oo3 voting (dual-channel PLC, HFT=1, DC>99%, SFF>95%) verified by VER-REQ-044/045/046. Safe state (all zone solenoid valves closed, emergency ventilation on) is reachable within 500 ms per VER-REQ-002/047. Proof test coverage now verified annually. Chain is complete.
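The 2oo3 voting in the H-CO2-001 chain is only a safety argument if the voter also handles channel diagnostics and degradation correctly: a faulted channel must not be allowed to mask a real trip, and losing a second channel must fail safe. The following is an added example, not the Safety PLC's logic or anything from the report: a voter that degrades from 2oo3 to 1oo2 on one diagnosed fault and trips on two, alongside the safe-state command set the report describes (all zone solenoid valves closed, emergency ventilation on). The trip threshold, sensor range, stuck-at window and the `diagnose`/`vote_2oo3`/`evaluate` names are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Sequence, Tuple

# Assumed values; the report states no CO2 trip threshold or sensor range.
TRIP_PPM = 5000.0
SENSOR_RANGE_PPM = (0.0, 10000.0)
STUCK_SAMPLES = 5   # this many identical consecutive samples is treated as a stuck sensor


class Vote(Enum):
    NORMAL = "normal"
    TRIP = "trip"


@dataclass(frozen=True)
class Channel:
    ppm: float
    healthy: bool   # outcome of the channel's diagnostics


def diagnose(history: Sequence[float]) -> Channel:
    """Simplified per-channel diagnostics: range check and stuck-at check on recent samples."""
    latest = history[-1]
    lo, hi = SENSOR_RANGE_PPM
    in_range = lo <= latest <= hi
    stuck = len(history) >= STUCK_SAMPLES and len(set(history[-STUCK_SAMPLES:])) == 1
    return Channel(ppm=latest, healthy=in_range and not stuck)


def vote_2oo3(channels: Sequence[Channel], trip_ppm: float = TRIP_PPM) -> Tuple[Vote, str]:
    """2oo3 voting with degradation.

    - 3 healthy channels: trip when at least two exceed the threshold (2oo3).
    - 2 healthy channels: degrade to 1oo2 so a single healthy channel can still trip.
    - fewer than 2 healthy: redundancy is below HFT=1, so fail safe and trip.
    Returns the decision and the voting configuration that produced it.
    """
    if len(channels) != 3:
        raise ValueError("2oo3 voter expects exactly three channels")
    healthy = [c for c in channels if c.healthy]
    over = [c for c in healthy if c.ppm >= trip_ppm]
    if len(healthy) == 3:
        return (Vote.TRIP if len(over) >= 2 else Vote.NORMAL, "2oo3")
    if len(healthy) == 2:
        return (Vote.TRIP if len(over) >= 1 else Vote.NORMAL, "1oo2-degraded")
    return (Vote.TRIP, "fail-safe")


def safe_state_commands(zones: int = 8) -> Dict[str, object]:
    """Safe state from the report: all zone solenoid valves closed, emergency ventilation on."""
    return {
        "zone_valves": {f"zone-{z}": "closed" for z in range(1, zones + 1)},
        "emergency_ventilation": "on",
    }


def evaluate(histories: Sequence[Sequence[float]]) -> Tuple[Vote, str, Dict[str, object]]:
    """One scan cycle: diagnose each channel, vote, and emit the safe-state commands on a trip."""
    channels = [diagnose(h) for h in histories]
    decision, config = vote_2oo3(channels)
    commands = safe_state_commands() if decision is Vote.TRIP else {}
    return decision, config, commands
```

The HIL test for VER-REQ-044/045 would inject each of these cases at the sensor inputs and check both the decision and the valve/ventilation outputs, with the 500 ms bound measured from the injected step to the last valve closing. The diagnostics here are deliberately simple; a real channel would also check supply voltage and the sensor's own status word, which is what the DC>99% figure depends on.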
H-THERMAL-001 (LED/zone overtemperature, SIL-2): Chain: {{sub:SUB-REQ-042}} → VER-REQ-015, {{sub:SUB-REQ-043}} → new REQ-047 Part B. Trip-to-safe-state (de-energise LED circuits within 5 s) covered by new REQ-046. Chain now complete.
H-DOSE-001 (nutrient overdosing, SIL-2): Chain: {{sub:SUB-REQ-027}} → VER-REQ-012, {{sys:SYS-REQ-007}} → VER-REQ-013. Dosing watchdog hardware and interlock trip both tested. Chain complete.
SYS-REQ-015 safety independence (SIL-3): Verification method upgraded from Analysis to Test, closing a SIL-3 safety argument gap.
Gaps Closed
12 VER requirements added. 22 trace links created. 2 verification method corrections (SYS-REQ-011, SYS-REQ-015). 1 missing SYS requirement added (REQ-SEVERTICALFARMENV-051, worker-comfort mode). Baseline VALIDATED-2026-03-22 created at 249 requirements, 243 trace links.
Verdict
Pass. All 5 key ConOps scenarios have complete STK → SYS → SUB/IFC → VER chains after this session. Priority SIL-3 and SIL-2 verification gaps are closed with test procedures that would, if passed, provide credible evidence of compliance. Residual: 42 SUB requirements (physical enclosure/materials specifications, Inspection methods) have no dedicated VER trace link; these will be exercised through commissioning Inspection procedures, which is the appropriate verification method for installation requirements. Status updated to validated.