System

{{entity:Vertical Farm Environment Controller}} ({{hex:D1F77818}}), project se-vertical-farm-env. 246 requirements, 243 trace links, 62 VER entries, 10 diagrams. Session focused on resolving the two isValidated quality gate blockers carried from the previous validation pass: ambiguousReqs 12 > 3 and silWithoutVer 1 > 0.

Verification Audit

The silWithoutVer metric counts SIL-tagged requirements whose verification field is null or Analysis. Exactly one requirement matched: {{sub:SUB-REQ-003}}, the {{entity:Safety PLC}} SIL-3 certification requirement, which had been set to Analysis by session-463. For a SIL-3 rated component, a pure architectural review cannot satisfy IEC 61511 Clause 11.6.3 — physical evidence of certification is required. Updated verification to Inspection: the deliverable is a third-party SIL-3 certificate (TÜV or equivalent) explicitly confirming 2oo2 architecture, HFT=1, DC>99%, SFF>99%. That certificate constitutes a defined, auditable pass criterion. The Analysis designation had been the single remaining blocker on the SIL chain: all other SIL-3 paths ({{sub:SUB-REQ-007}} network independence, {{sub:SUB-REQ-009}} data diode, {{sub:SUB-REQ-022}} interlock trip-safe) already carry Test verification.

The ambiguousReqs metric uses a regex on forbidden words including normal. All 12 flagged requirements contained “Normal Operation” — the defined operating mode name from the ConOps. The guard cannot distinguish the mode name from genuinely ambiguous usage. Twelve requirements updated:

• {{sys:SYS-REQ-001}}, {{sys:SYS-REQ-002}}, {{sys:SYS-REQ-013}}: “Normal Operation” → “Production Operation”
• {{stk:STK-REQ-006}}: “continue normal operation” → “continue automated operation”
• {{ifc:IFC-REQ-035}}: “normal recipe execution” → “steady-state recipe execution”
• {{sys:SYS-REQ-019}}: “appropriate to the industrial environment” → “at immunity test levels specified by IEC 61000-6-2 for industrial environments”
• VER-REQ-027, VER-REQ-033, VER-REQ-044, VER-REQ-048, VER-REQ-056, VER-REQ-058: “normal operation” in test setups → “steady-state production operation” or “production recipe control”

No acceptance criteria or safety margins changed — only mode-name terminology and one imprecise EMC standard reference.

Scenario Validation

Five ConOps scenarios checked. The STK-REQ-008 (harvest crew safety) gap from the previous session was already closed in session-477 opening work: {{sub:SUB-REQ-097}} (worker-comfort mode: 22°C, 50% white-channel, CO2 off within 60s) and VER-REQ-062 (live zone integration test with zone-occupied interlock) with trace.

flowchart TB
  n0["Vertical Farm Environment Controller"]
  n1(["Grower Technician"])
  n2(["Facility Manager"])
  n3(["Maintenance Technician"])
  n4["Building Management System"]
  n5["Crop Planning / ERP"]
  n6["Energy Management / Grid"]
  n7["Cloud Monitoring Platform"]
  n8["CO2 Bulk Supply System"]
  n9(["Harvest Crew"])
  n1 -->|Recipe adjustments, commands| n0
  n0 -->|Dashboard, alarms, analytics| n1
  n2 -->|Scheduling, overrides| n0
  n0 -->|KPI reports, fault alerts| n2
  n3 -->|Calibration, lockout, actuator test| n0
  n4 -->|Fire alarm, weather data| n0
  n0 -->|Energy consumption| n4
  n5 -->|Crop recipes, zone schedule| n0
  n0 -->|Environmental logs, harvest data| n5
  n6 -->|Pricing, DR requests| n0
  n0 -->|Load forecasts| n6
  n0 -->|Telemetry, sensor data| n7
  n7 -->|Anomaly alerts, predictions| n0
  n8 -->|Tank level, pressure| n0
  n0 -->|Valve control signals| n8
  n9 -->|Zone entry/exit| n0
  n0 -->|Zone status, safety conditions| n9

CO2 Leak Emergency: fully covered. {{sys:SYS-REQ-004}} (5000 ppm interlock, SIL-3) traces to {{sub:SUB-REQ-001}}–{{sub:SUB-REQ-011}} covering 2oo3 voting, Safety PLC architecture, watchdog timing, and hardwired trip bus. VER-REQ-001–012 cover calibration, HIL voting tests, network independence, and annual proof test. {{sys:SYS-REQ-013}} (3-second emergency shutdown) traces to five SUB/IFC reqs, all with VER. Two-person reset covered by {{sub:SUB-REQ-017}} and VER-REQ-019.

Mode Coverage

All six operating modes covered. Emergency Shutdown: entry, behaviour (valve closure, ventilation, de-energisation within 3s), and exit (two-person reset) all have requirements and VER entries. Worker-Comfort mode entry on zone-access signal now covered by {{sub:SUB-REQ-097}}. Maintenance LOTO covered by {{sub:SUB-REQ-008}} and {{sub:SUB-REQ-009}}. Degraded Operation quantified performance in {{sys:SYS-REQ-008}} (40% LED reduction on HVAC trip).

Safety Argument

H-001 (CO2 asphyxiation, SIL-3): chain complete. {{sys:SYS-REQ-003}}/{{sys:SYS-REQ-004}} → {{sub:SUB-REQ-001}}–{{sub:SUB-REQ-011}} → VER-REQ-001–012, VER-REQ-028, VER-REQ-044–049, VER-REQ-056. Safe state reachable and time-bounded. H-007 (cyber compromise): {{sys:SYS-REQ-015}} (hardware independence) chain complete — {{sub:SUB-REQ-003}} (Inspection, SIL-3 cert), {{sub:SUB-REQ-007}} (Test, network independence), {{sub:SUB-REQ-009}} (Test, data diode). No software path to safety interlock.

Gaps Closed

Two quality gate blockers eliminated: ambiguousReqs 12 → 0, silWithoutVer 1 → 0. Baseline BL-SEVERTICALFARMENV-017 (VALIDATED-CLEAN-2026-03-22) created at 249 requirement versions, 243 trace links.

Verdict

Pass. isValidated guard metrics: orphanCount=0, missingRationale=0, missingVerification=0, reqCount=246≥200, verCoverage=148%≥90%, lintHigh=0, ambiguousReqs=0≤3, silWithoutVer=0. Churn: 2/30 sampled reqs multi-version (6.7%≤20%). All five ConOps scenarios verified end-to-end. All seven hazards have requirements with Test or Inspection verification aligned to their IEC 61508 SIL allocations.