System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
flowchart TB n0["system<br>Vertical Farm Environment Controller"] n1["subsystem<br>Climate Management Subsystem"] n2["subsystem<br>Horticultural Lighting Subsystem"] n3["subsystem<br>Nutrient Management Subsystem"] n4["subsystem<br>CO2 Enrichment Subsystem"] n5["subsystem<br>Safety Interlock Subsystem"] n6["subsystem<br>Supervisory Control Subsystem"] n7["subsystem<br>Data Acquisition and Compliance Subsystem"] n8["subsystem<br>Zone Controller Network"] n0 --> n1 n0 --> n2 n0 --> n3 n0 --> n4 n0 --> n5 n0 --> n6 n0 --> n7 n0 --> n8 n8 -->|setpoints/feedback| n1 n8 -->|PWM commands| n2 n8 -->|dose/irrigate| n3 n8 -->|valve commands| n4 n6 -->|recipes/modes| n8 n8 -->|sensor data| n7 n5 -.->|CO2 trip| n4 n5 -.->|thermal trip| n2
Vertical Farm Environment Controller — Decomposition
| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Climate Management Subsystem | Climate Management Subsystem — Internal | — | complete |
| Horticultural Lighting Subsystem | Horticultural Lighting Subsystem — Internal | SIL 2 | complete |
| Nutrient Management Subsystem | Nutrient Management Subsystem — Internal | SIL 2 | complete |
| CO2 Enrichment Subsystem | CO2 Enrichment Subsystem — Internal | SIL 3 | complete |
| Safety Interlock Subsystem | Safety Interlock Subsystem — Internal | SIL 3 | complete |
| Supervisory Control Subsystem | Supervisory Control Subsystem — Internal | — | complete |
| Data Acquisition and Compliance Subsystem | Data Acquisition and Compliance Subsystem — Internal | — | complete |
| Zone Controller Network | Zone Controller Network — Internal | — | complete |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The CO2 Safety Sensor Array SHALL provide an independent CO2 measurement for each zone, achieving accuracy of ±50 ppm across the 0–10,000 ppm range at a sample rate of 1 Hz, using electrochemical or NDIR sensor technology rated to IEC 61508 SIL 3. Rationale: SYS-REQ-004 mandates an independent safety-rated CO2 sensor separate from the process dosing sensor. Independence prevents common-cause failure: if the process sensor drifts and causes CO2 overdose, the safety sensor provides the credible measurement to trigger the interlock. ±50 ppm accuracy is the specification minimum to discriminate the 5000 ppm trip threshold from normal 1000–2000 ppm operating range. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-co2-sensor-accuracy-463 |
| SUB-REQ-002 | The CO2 Safety Sensor Array SHALL implement 2-out-of-3 (2oo3) voting across three independently powered sensor channels per zone, such that a single sensor failure does not suppress the CO2 interlock nor generate a spurious trip. Rationale: IEC 61511 SIL 3 requires voted redundancy to achieve the required probability of failure on demand (PFD < 10^-3). 2oo3 provides both high availability (tolerates one sensor fail-safe) and high reliability (requires two sensors to agree before triggering, preventing spurious shutdown). This balances crop protection against nuisance trips. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-co2-sensor-voting-463 |
| SUB-REQ-003 | The Safety PLC SHALL be certified to IEC 61508 SIL 3 using a 2oo2 dual-core architecture with cross-checking, achieving a hardware fault tolerance HFT=1 and diagnostic coverage DC > 99%, with a safe failure fraction SFF > 99%. Rationale: IEC 61508 SIL-3 certification requires physical demonstration of the hardware fault tolerance (HFT=1) and diagnostic coverage (DC>99%) claims, not architectural analysis alone. Verification method changed from Analysis to Inspection: confirm the third-party IEC 61508 SIL-3 certification certificate issued by a Notified Body (TÜV, Bureau Veritas, or equivalent) is present in the project safety case dossier. The certificate must explicitly state SIL-3 capability, the 2oo2 dual-core architecture, HFT=1, DC>99%, and SFF>99%. Certificate inspection satisfies IEC 61511 Clause 11.6.3 which accepts SIL-certified equipment via documented prior use or third-party certification. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-safety-plc-sil3-463 |
| SUB-REQ-004 | The Safety PLC SHALL complete each execution scan within 50 ms, with a hardware watchdog that forces a safe-state transition if scan completion is not confirmed within 100 ms. Rationale: SYS-REQ-004 requires CO2 interlock action within 30 seconds. The 50ms scan cycle provides 600 evaluation cycles within the 30s window, ensuring the interlock logic responds promptly to sensor threshold crossings. The 100ms watchdog ensures software freeze cannot prevent actuator de-energisation, meeting IEC 61511 requirements for safe-state enforcement. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-safety-plc-scan-463 |
| SUB-REQ-005 | The Voted Logic Engine SHALL evaluate the following trip conditions on every scan and assert the corresponding interlock within the specified response time: CO2 > 5000 ppm (30s), LED surface temperature > 85°C (10s), zone temperature > 38°C (10s), pH dosing excess injection > 5% tank volume in 10 min (5s), emergency stop button pressed (1s). Rationale: These thresholds and response times are derived directly from SYS-REQ-004, SYS-REQ-007, SYS-REQ-009, and SYS-REQ-013. Grouping all interlock conditions in a single voted logic engine ensures prioritisation conflicts are resolved deterministically. Response times are set to prevent physiological CO2 harm (>30s exposure at >5000 ppm), thermal fixture damage, and crop contamination from excess pH dosing. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-voted-logic-trips-463 |
| SUB-REQ-006 | When any interlock trip condition is asserted, the Safety Interlock Subsystem SHALL transition all affected zone outputs to the safe state within the condition-specific response time: CO2 isolation valve CLOSED, emergency ventilation OPEN, LED array circuit breakers OPEN, irrigation isolation valves CLOSED. The safe state SHALL be maintained until an authorised operator manually resets the interlock at the Safety PLC HMI. Rationale: IEC 61511 requires each SIF to have a defined safe state and a means of demanding that state. De-energised final elements (NC valves closed, NO contactors open) implement fail-safe design: loss of power, wiring break, or PLC failure automatically demands the safe state without active intervention. Manual reset prevents automatic restart into a hazardous condition before root cause is identified. | Demonstration | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-safe-state-def-463 |
| SUB-REQ-007 | The Hardwired Trip Bus SHALL operate entirely via discrete 24VDC relay circuits independent of any fieldbus (MODBUS, Ethernet, CAN), such that failure, disconnection, or compromise of any digital communication network cannot inhibit or delay interlock actuation. Rationale: SYS-REQ-015 mandates that safety-critical control functions operate independently of the process control network. A cyber event, network flood, or switch failure that disables MODBUS must not prevent CO2 interlock actuation. Hardwired relay independence is the fundamental SIL 3 isolation mechanism required by IEC 61511 clause 11.6 (independence of safety-critical systems). | Inspection | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-trip-bus-isolation-463 |
| SUB-REQ-008 | The Lockout Tagout Controller SHALL prevent energisation of any zone equipment when a LOTO key for that zone is checked out, and SHALL generate an audible and visual alarm (amber beacon and buzzer) if re-energisation is attempted while a key remains outstanding. Rationale: STK-REQ-006 requires lockout/tagout capability for maintenance. OSHA 29 CFR 1910.147 mandates that LOTO devices prevent equipment re-energisation. Hardware enforcement (key-switch interlocked with Safety PLC) is required because software-only LOTO cannot achieve the required reliability — a software bug or reboot could re-enable outputs, endangering maintenance personnel working inside the zone. | Demonstration | subsystem, safety-interlock, sil-1, session-463, idempotency:sub-loto-enforcement-463 |
| SUB-REQ-009 | The Safety PLC SHALL be connected to the process control network via a unidirectional data diode or certified firewall only, such that no inbound network command can modify interlock logic, trip thresholds, or safe-state outputs at runtime. Rationale: SYS-REQ-015 requires safety functions to operate independently from the process network. A bidirectionally connected Safety PLC is vulnerable to command injection via MODBUS write coils — an attacker or software bug could disable the CO2 interlock remotely. The data diode or certified gateway enforces one-way diagnostic export while preventing any inbound control path, as required by IEC 62443 for safety-instrumented systems. | Inspection | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-plc-network-isolation-463 |
| SUB-REQ-010 | The Voted Logic Engine SHALL log every interlock state transition — including timestamp (UTC, ±1s accuracy), trigger condition, sensor readings at time of trip, and operator reset identity — to non-volatile memory with capacity for a minimum of 10,000 events, retained through power loss. Rationale: STK-REQ-009 requires tamper-evident environmental records and SYS-REQ-011 requires event logging. Interlock event logs are primary evidence for regulatory investigations (OSHA incident reports, HACCP deviations, insurance claims). Non-volatile storage ensures logs survive a power trip caused by the interlock itself. 10,000 events covers >27 years at one event per day, or >2 years at 15 events per day. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-voted-logic-audit-463 |
| SUB-REQ-011 | The Safety Interlock Subsystem SHALL support a periodic proof test sequence at intervals not exceeding 12 months, exercising all CO2 sensor channels, voted logic trip conditions, relay outputs, and final element positions, with test results automatically logged and accessible for regulatory review. Rationale: IEC 61511 clause 16 requires a proof test interval to detect dangerous undetected failures and maintain the SIL 3 PFD target. Cross-domain analog with nuclear SIL-3 safety logic processors (hex D1B77858) confirms proof test scheduling as a mandatory lifecycle requirement. Without periodic proof testing, latent failures in the hardwired trip bus or sensor channels will accumulate until the SIL 3 PFD target is exceeded. 12-month interval is the maximum permitted under the PFD calculation for this SIL 3 SIF with the selected architecture. | Demonstration | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-proof-test-463 |
| SUB-REQ-012 | The CO2 Injection Controller SHALL execute a per-zone PID control loop with update period ≤100 ms, adjusting Zone Solenoid Valve duty cycle to maintain CO2 concentration within ±50 ppm of the zone setpoint during steady-state enrichment. Rationale: SYS-REQ-003 requires ±50 ppm regulation. The 100ms scan rate is derived from the CO2 injection dynamics: at maximum flow rate the concentration in a 40m³ zone can rise at ~150 ppm/min, so a 100ms control cycle provides >100 samples per ppm rise, giving the PID loop adequate resolution to prevent overshoot. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-013 | The CO2 Injection Controller SHALL accept zone CO2 concentration setpoints in the range 400–2000 ppm at ±1 ppm resolution via Modbus TCP/IP from the Supervisory Control Subsystem, with any setpoint command rejected and alarmed if it falls outside the crop-safe range defined in the active zone recipe. Rationale: SYS-REQ-003 bounds software-controlled CO2 to ≤3000 ppm. Clamping setpoint acceptance at 2000 ppm provides a 1000 ppm margin below the software limit, preventing operator or recipe error from approaching the safety threshold. 400 ppm floor represents atmospheric baseline. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ctrl-setpoint-465 |
| SUB-REQ-014 | The CO2 Injection Controller SHALL command all Zone Solenoid Valves to close when any zone CO2 concentration measurement from the Zone NDIR CO2 Sensor Array exceeds 2800 ppm, and SHALL NOT reopen valves until concentration falls below 2500 ppm, implementing an independent software-level concentration ceiling. Rationale: SYS-REQ-003 prohibits software-controlled CO2 exceeding 3000 ppm. The 2800 ppm trip and 2500 ppm reset provide 200 ppm and 500 ppm margins respectively, with hysteresis to prevent valve chatter. This software ceiling is complementary to — and does not replace — the SIL-3 hardware trip at 5000 ppm. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ctrl-ceiling-465 |
| SUB-REQ-015 | The Zone NDIR CO2 Sensor Array SHALL provide CO2 concentration measurements in the range 300–3000 ppm with accuracy ±100 ppm (or ±3% of reading, whichever is greater) at 1 Hz sample rate per zone, maintaining accuracy within the specified limits across the temperature range 18–35°C and 40–90% relative humidity. Rationale: ±100 ppm accuracy aligns with the PID controller's ±50 ppm regulation target (2× margin), accounting for sensor drift between calibrations. Temperature and humidity ranges reflect vertical farm grow-room conditions. NDIR technology is preferred over electrochemical for process sensing due to superior stability and lower maintenance than the safety sensors. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-016 | The Zone NDIR CO2 Sensor Array SHALL perform automatic single-point calibration against atmospheric CO2 (nominally 420 ppm) when the grow zone has been unoccupied and ventilated to ambient for ≥30 minutes, with calibration logged including timestamp and pre/post calibration readings. Rationale: NDIR sensors drift over time due to LED aging; automatic recalibration during scheduled zone transitions (harvest, replanting) maintains measurement accuracy without manual intervention. Logging enables drift trend analysis and maintenance scheduling. | Demonstration | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ndir-cal-465 |
| SUB-REQ-017 | The Zone Solenoid Valve Array SHALL achieve a de-energised (closed) state within 500 ms of removal of 24VDC supply, with a spring-return mechanism that maintains the closed position against manifold pressure up to 3 bar without energisation. Rationale: 500 ms valve closure time is driven by the SIL-3 safety loop response budget: SYS-REQ-004 requires full system response (sense + trip + valve close) within 2 seconds; the safety PLC scan budget is ≤50 ms (SUB-REQ-004), leaving 1450 ms for hardwired relay actuation plus valve stroke. Fail-closed on de-energisation is mandatory for CO2 systems to prevent uncontrolled enrichment on power loss. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-3, idempotency:sub-co2-valve-closure-465 |
| SUB-REQ-018 | While de-energised, the Zone Solenoid Valve Array SHALL exhibit a seat leakage rate of ≤0.001 cm³/min at 1.5 bar differential pressure, tested per ISO 15848 Class AH, to prevent CO2 seepage into occupied zones during valve-closed conditions. Rationale: CO2 leakage through closed valves can cause slow concentration creep; at 0.001 cm³/min per valve across 12 zones the total leakage is negligible relative to zone volume (40m³), preventing any measureable rise over an 8-hour unoccupied period. Class AH per ISO 15848 provides an industry-standard leakage acceptance criterion for gas service. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-valve-leak-465 |
| SUB-REQ-019 | The CO2 Distribution Manifold SHALL maintain zone injection pressure at 1.5 bar ±0.1 bar via a pressure-reducing valve, with a relief valve set to open at 2.5 bar, for all CO2 flow conditions between zero and maximum simultaneous injection to all zones. Rationale: 1.5 bar injection pressure is the design operating point for the solenoid valves' Cv 0.5 rating; ±0.1 bar variance limits flow variation across zones to <7%. Relief valve at 2.5 bar protects valve seals and fittings rated to 3 bar, providing 0.5 bar margin. These values are derived from the valve manufacturers' pressure ratings. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-manifold-pressure-465 |
| SUB-REQ-020 | The CO2 Distribution Manifold wetted surfaces SHALL be constructed from SS316 stainless steel or PTFE, with all joints using face-seal fittings (Swagelok or equivalent), and SHALL be pressure-tested to 1.5× maximum operating pressure (2.25 bar) before first use. Rationale: SS316 and PTFE are compatible with high-purity CO2 gas and resist moisture condensation in humid grow-room environments. Face-seal fittings eliminate threaded connections that can work loose from vibration. Pressure test at 1.5× is the standard hydrostatic test factor for piping systems per EN 13480. | Inspection | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-manifold-material-465 |
| SUB-REQ-021 | When a Zone NDIR CO2 Sensor Array fault is detected for a specific zone (output out of range, diagnostic alarm, or communication failure), the CO2 Injection Controller SHALL close that zone's solenoid valve and raise an alarm within 5 seconds, maintaining CO2 injection to all other zones at their setpoints unaffected. Rationale: Sensor fault must trigger valve closure for the affected zone to prevent uncontrolled CO2 accumulation — without a process measurement the PID loop cannot maintain safe bounds. Isolation to one zone preserves production in other zones; 5-second alarm response is derived from the 1Hz sensor scan rate plus two missed scans as a dead-band. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ctrl-degraded-sensor-465 |
| SUB-REQ-022 | When the CO2 Enrichment Subsystem receives a safety interlock trip signal via the hardwired de-energise-to-trip relay, all Zone Solenoid Valves SHALL be driven to the closed state within 500 ms regardless of CO2 Injection Controller command state, and the CO2 Injection Controller SHALL lock out all valve open commands until an operator-authorised reset is performed. Rationale: SYS-REQ-004 and SIL-3 allocation require that the safety function (CO2 valve closure on over-concentration) is not defeatable by the process controller. Hardwired override ensures the safety trip action is independent of software state. Operator-authorised reset prevents automatic restart after a SIL-3 trip event, which could re-introduce the hazard before the cause is investigated. This is the safe state for IEC 61508 SIL 3 CO2 injection hazard. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-3, idempotency:sub-co2-safe-state-465 |
| SUB-REQ-023 | The CO2 Injection Controller SHALL operate from a 24VDC ±10% supply at maximum 15W continuous draw, with the supply provided via an uninterruptable power supply (UPS) rated for ≥30 minutes runtime at full load, ensuring CO2 injection control is maintained during mains power interruptions. Rationale: Power supply budget is required to size the UPS and cable/fuse ratings. 15W is the maximum for a typical mid-range PLC with full I/O populated. 30 minutes UPS runtime allows for orderly shutdown of grow zones without crop damage from uncontrolled CO2 enrichment during power events. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ctrl-power-465 |
| SUB-REQ-024 | The EC/pH Sensor Array SHALL measure electrical conductivity in the range 0.1–10.0 mS/cm with accuracy ±0.1 mS/cm and pH in the range 3.0–9.0 with accuracy ±0.05 pH units, both temperature-compensated to 20°C reference via PT1000 probe, at a measurement rate of 0.1 Hz per zone. Rationale: SYS-REQ-006 mandates EC control within ±0.1 mS/cm of setpoint. A sensor accuracy of ±0.1 mS/cm consumes the full allowable error budget, leaving zero margin for dosing lag and system drift. This accuracy therefore sets the tightest single-sensor limit achievable without disproportionate cost; any looser sensor spec would make the ±0.1 mS/cm system requirement unachievable. The pH ±0.05 accuracy similarly supports the ±0.2 pH system requirement (SYS-REQ-006) with margin. | Test | subsystem, nutrient-management-subsystem, sil-2, session-466, idempotency:sub-ecph-accuracy-466 |
| SUB-REQ-025 | The EC/pH Sensor Array SHALL detect sensor drift or fault conditions — including open-circuit, short-circuit, and out-of-range output — and transmit a fault flag to the Irrigation Controller within 5 seconds of fault onset. Rationale: SYS-REQ-007 specifies that repeated dosing without pH equilibration must be treated as potential sensor drift. If the EC/pH Sensor Array cannot self-report a fault, the Irrigation Controller will continue commanding the Dosing Pump Array based on a stale or stuck reading, leading to cumulative overdosing and safety interlock activation. The 5-second detection window allows at most one additional 0.1Hz measurement before the fault is visible to the controller. | Test | subsystem, nutrient-management-subsystem, sil-2, session-466, idempotency:sub-ecph-fault-466 |
| SUB-REQ-026 | The Dosing Pump Array SHALL deliver each individual pump injection with a stroke volume accuracy of ±1% of commanded volume, with maximum single-stroke volume not exceeding 2% of working solution tank volume, verified by encoder-counted revolutions. Rationale: SYS-REQ-006 explicitly limits dosing pump stroke volume to 2% of tank volume per injection to prevent overshoot. A ±1% stroke accuracy ensures the commanded 2% limit is not inadvertently exceeded by pump calibration error alone. Without this accuracy requirement, a pump running 10% high on stroke volume could exceed the watchdog threshold (5% cumulative over 10 minutes) within 3 injections at nominal setpoints. | Test | subsystem, nutrient-management-subsystem, sil-2, session-466, idempotency:sub-dpa-stroke-accuracy-466 |
| SUB-REQ-027 | The Dosing Pump Array SHALL implement a hardwired cumulative injection counter that monitors total acid and base pump volume delivered within any rolling 10-minute window, and SHALL assert a 24VDC normally-open fault contact to the Safety PLC within 200 ms when cumulative injection exceeds 5% of the working solution tank volume within that window. Rationale: SYS-REQ-007 and SYS-REQ-015 require the dosing-excess protection function to meet SIL-2. Implementing this watchdog as a hardwired counter in the pump drive firmware rather than as a software function in the Irrigation Controller is consistent with ARC-REQ-001 and ARC-REQ-006 — safety-critical shutdown functions must not rely on general-purpose software. The 200ms propagation time matches IFC-REQ-019 and ensures the Safety PLC trip logic executes before a second injection cycle can begin (minimum pump cycle time is >500ms). | Test | subsystem, nutrient-management-subsystem, sil-2, safety, session-466, idempotency:sub-dpa-watchdog-466 |
| SUB-REQ-028 | When the Dosing Pump Array receives a hardwired interlock trip signal from the Safety PLC (IFC-REQ-019 signal path), the Dosing Pump Array SHALL inhibit all pump outputs and de-energise all pump drive signals within 500 ms, and SHALL not resume dosing until the interlock is manually reset. Rationale: IEC 61508 SIL-2 requires a safe state for every safety-critical function. The safe state for overdosing hazard (SYS-REQ-007) is cessation of all dosing. The 500ms response time allows for one PLC scan cycle (50ms) plus drive inhibit propagation. Manual reset prevents autonomous restart after a dosing-excess event, which must be investigated before resuming operation. | Test | subsystem, nutrient-management-subsystem, sil-2, safety, session-466, idempotency:sub-dpa-safe-state-466 |
| SUB-REQ-029 | The Irrigation Controller SHALL execute configurable zone irrigation schedules with on-time resolution of ±1 minute over a 24-hour period, supporting drip and flood-drain (NFT) modes, and SHALL enforce a minimum 5-minute inter-zone delay to prevent simultaneous multi-zone demand exceeding recirculation pump rated flow. Rationale: Simultaneous activation of more than approximately 60% of zone valves at peak flow exceeds the recirculation pump rated capacity (300 L/min), causing pressure drop across the furthest zones and uneven nutrient distribution. The 5-minute inter-zone delay ensures sequential activation scheduling that keeps total demand within pump capacity. | Test | subsystem, nutrient-management-subsystem, session-466, idempotency:sub-ic-scheduling-466 |
| SUB-REQ-030 | The Irrigation Controller SHALL detect a stuck-open zone irrigation valve condition within 30 seconds by comparing commanded valve state (closed) against flow meter measurement exceeding 2 L/min on the corresponding zone header, and SHALL command the zone isolation valve closed and activate floor drain pumps within 60 seconds of detection. Rationale: SYS-REQ-010 mandates 30-second stuck-valve detection and 60-second drain pump activation. The 2 L/min threshold is set above instrument noise (flow meter accuracy ±2% at 100 L/min full scale = ±2 L/min) while remaining sensitive enough to detect a single failed-open 15mm solenoid valve (minimum flow ~8 L/min at 1.2 bar). Without this requirement cascaded to the Irrigation Controller, SYS-REQ-010 lacks a component responsible for the detection logic. | Test | subsystem, nutrient-management-subsystem, sil-2, safety, session-466, idempotency:sub-ic-stuck-valve-466 |
| SUB-REQ-031 | The Irrigation Controller SHALL execute zone sanitisation sequences on command, including: circulating peracetic acid solution at ≥80 ppm concentration for ≥20 minutes contact time, flushing until EC/pH Sensor Array confirms rinse water EC <0.3 mS/cm and pH 6.5–7.0, and confirming drain completion via sump level sensor, before setting the zone-ready flag that permits new crop recipe activation. Rationale: SYS-REQ-016 blocks crop recipe activation until sanitisation criteria pass. The specific parameters (≥80 ppm peracetic acid, ≥20 minutes contact time) are derived from food-safety CIP (clean-in-place) protocols for hydroponic systems per GLOBALG.A.P. and UK food safety guidance — lower concentrations or shorter contact times do not reliably achieve the 5-log pathogen reduction required for fresh produce food safety. | Demonstration | subsystem, nutrient-management-subsystem, compliance, session-466, idempotency:sub-ic-sanitisation-466 |
| SUB-REQ-032 | The Zone Irrigation Valve Array SHALL use normally-closed solenoid valves that achieve full seat closure within 2 seconds of de-energisation, with EPDM seat leakage not exceeding 0.5 mL/min at 2.5 bar differential, maintaining fail-safe closed state on loss of 24VAC supply. Rationale: Fail-safe closure on power loss prevents irrigation from continuing during an electrical fault or emergency shutdown. The 2-second closure time ensures that stuck-valve detection response (SYS-REQ-010, 30s) has no ambiguity about valve state. Seat leakage ≤0.5 mL/min is necessary to prevent slow flooding accumulation in the grow bed during extended power-off periods; a failed valve leaking at higher rates would accumulate water over hours even in shutdown state. | Test | subsystem, nutrient-management-subsystem, sil-2, safety, session-466, idempotency:sub-ziva-failsafe-466 |
| SUB-REQ-033 | Each solenoid valve in the Zone Irrigation Valve Array SHALL provide a reed-switch position feedback signal (24VDC open-collector) confirming open or closed state within 2 seconds of the commanded transition, detectable by the Irrigation Controller as a discrete digital input. Rationale: Position feedback is required by the stuck-valve detection logic (SUB-REQ-030) to distinguish between a genuinely stuck valve and a valve that has been commanded closed but not yet physically settled. Without confirmed position feedback, the Irrigation Controller cannot determine whether continued flow is caused by valve failure or normal settling delay, leading to premature false alarms or missed detections. | Test | subsystem, nutrient-management-subsystem, session-466, idempotency:sub-ziva-feedback-466 |
| SUB-REQ-034 | The Recirculation Pump System SHALL operate in duty/standby configuration with automatic changeover to the standby pump within 30 seconds of detecting duty pump failure (loss of flow confirmation >10 L/min below setpoint for 15 seconds), maintaining nutrient solution circulation without operator intervention. Rationale: A single recirculation pump failure interrupting nutrient flow for more than approximately 15 minutes causes crop stress in nutrient-film technique (NFT) channels where root zone drying begins rapidly. Duty/standby with 30-second changeover limits maximum interruption to under 1 minute, well within the 15-minute crop stress threshold. This justification also underpins the ARC-REQ-006 decision to use dual pumps rather than a single high-reliability unit. | Demonstration | subsystem, nutrient-management-subsystem, session-466, idempotency:sub-rps-standby-466 |
| SUB-REQ-035 | The Recirculation Pump System SHALL detect dry-run conditions within 10 seconds using a flow switch confirming <5 L/min on the pump outlet with the pump energised, and SHALL de-energise the pump motor and inhibit restart for a minimum 60-second cool-down period to prevent seal and impeller damage. Rationale: Peristaltic seal failure due to dry running can release pump materials into the nutrient solution, contaminating the food crop. The 10-second detection window (100 pump revolutions at minimum speed) is fast enough to stop seal damage before contamination risk. The 60-second inhibit prevents repeated auto-restart cycling that accelerates bearing wear and could mask an empty reservoir alarm. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-036 | The Nutrient Reservoir and Mixing System SHALL trigger a low-level alarm on the Supervisory Control Subsystem when the working solution reservoir volume falls below 20% of rated capacity, and SHALL trigger an emergency shutdown request to the Irrigation Controller when volume falls below 5% of rated capacity to prevent pump dry-run. Rationale: A 20% low-level alarm gives operators approximately 30 minutes at maximum flow (300 L/min pump rate) to respond before the 5% emergency threshold is reached, providing adequate warning without frequent nuisance alarming. The 5% emergency level is set above the physical minimum needed to keep pump inlet submerged under all orientation conditions, preventing dry-run before the level sensor detects the state. | Test | subsystem, nutrient-management-subsystem, session-466, idempotency:sub-nrm-low-level-466 |
| SUB-REQ-037 | When one EC/pH Sensor Array probe reports a fault in a zone, the Nutrient Management Subsystem SHALL continue closed-loop control of the unaffected measurement parameter (EC or pH) and SHALL operate the affected parameter in open-loop time-based dosing at the last valid recipe setpoint, maintaining dosing frequency not exceeding 50% of the nominal closed-loop rate, until the probe fault is cleared or manually acknowledged. Rationale: A complete suspension of dosing on any sensor fault would halt crop nutrition for the entire zone, causing crop loss disproportionate to the fault severity. Continued unaffected-parameter control and reduced-rate open-loop dosing on the faulted parameter limits crop risk while preventing the unconstrained dosing that a full open-loop mode without rate reduction would allow. The 50% rate reduction provides sufficient safety margin against overdosing while maintaining minimum nutrient delivery. | Test | subsystem, nutrient-management-subsystem, sil-2, session-466, idempotency:sub-nm-degraded-mode-466 |
| SUB-REQ-039 | The Horticultural Lighting Subsystem SHALL maintain zone PPFD within ±5% of the crop recipe PAR setpoint across the 100-600 µmol/m²/s operating range under steady-state conditions. Rationale: SYS-REQ-005 allocates ±5% PAR accuracy to this subsystem. ±5% is the agronomic boundary within which the LCU's PAR PID loop can hold steady state; exceeding this boundary causes measurable yield loss and recipe non-compliance. Derived from crop science DLI (Daily Light Integral) tolerance data. | Test | subsystem, horticultural-lighting, sil-2, session-467, idempotency:sub-hls-par-accuracy-467 |
| SUB-REQ-040 | The Lighting Control Unit SHALL control each of the four spectrum channels (red 660nm, blue 450nm, white 4000K, far-red 730nm) independently with 12-bit or greater PWM dimming resolution over a 0-100% intensity range. Rationale: Twelve-bit resolution (4096 steps) provides 0.024% per step, which keeps spectral accuracy within the 0.5% per-step ramp requirement of SUB-HVAC-004 and supports the recipe spectrum ratio requirements of the crop science protocol. Lower resolution (10-bit) causes visible stepping artefacts on long ramps. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-spectral-resolution-467 |
| SUB-REQ-041 | The Lighting Control Unit SHALL execute linear intensity ramp transitions between setpoints over operator-configurable periods of 5, 10, 15, 20, or 30 minutes with ramp step size not exceeding 0.5% of full scale per step. Rationale: Abrupt light transitions cause photoinhibition stress in leafy crops by overwhelming the photosystems before protective down-regulation activates. Stepwise ramps over 5-30 minutes are the agronomically recommended range for vertical farms with sensitive leafy crops. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-intensity-ramp-467 |
| SUB-REQ-042 | When any LED fixture heatsink temperature exceeds 85 degrees C as detected by the Fixture Thermal Monitoring Array hardwired comparator circuit, the Horticultural Lighting Subsystem SHALL de-energise all LED Driver Modules in the affected zone within 2 seconds, independently of the Lighting Control Unit software. Rationale: SYS-REQ-009 allocates the 85 degree C thermal shutdown to this subsystem at SIL 2 (H-002: LED fixture fire hazard). The 2-second maximum is derived from thermal runaway propagation modelling — heat sink temperatures above 85 degree C indicate junction temperatures approaching LED derating limits. The software-independent path is required because SIL 2 prohibits the safety function from relying on general-purpose software per IEC 61508 clause 7.4.2.3. | Test | subsystem, horticultural-lighting, sil-2, session-467, idempotency:sub-hls-thermal-trip-467 |
| SUB-REQ-043 | When any LED fixture heatsink temperature exceeds 75 degrees C, the Lighting Control Unit SHALL reduce LED power in the affected zone by 5% of current output per minute until heatsink temperature falls below 70 degrees C or all driver outputs reach zero. Rationale: A 75 degree C software derating threshold (below the 85 degree C hardware trip) provides a 10-degree C guard band for graceful power reduction before the SIL-2 trip activates, avoiding unnecessary safety shutdowns during moderate load events while still protecting fixtures from thermal damage. | Test | subsystem, horticultural-lighting, sil-2, session-467, idempotency:sub-hls-thermal-derating-467 |
| SUB-REQ-044 | When the zone HVAC compressor trip signal is received from the Zone Controller Network, the Lighting Control Unit SHALL reduce LED power in the affected zone to 50% of the current recipe setpoint within 30 seconds. Rationale: SYS-REQ-008 allocates the 50% LED power reduction upon HVAC trip to this subsystem. LED fixtures contribute 30-40% of zone heat load; reducing output by 50% lowers zone air temperature rise rate by 15-20 degrees C/hour, buying time for the HVAC fault to be resolved before reaching the 38 degree C thermal protection threshold. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-hvac-loadshed-467 |
| SUB-REQ-045 | When the emergency shutdown signal is asserted on the Safety Interlock hardwired trip bus, the Horticultural Lighting Subsystem SHALL de-energise all LED Driver Modules across all 8 zones within 5 seconds. Rationale: SYS-REQ-013 specifies a 10-second emergency shutdown sequence for the full system. LED de-energisation is the first step — removing 400kW+ of electrical load reduces fire risk and allows safe human entry. The 5-second sub-budget allows the remaining 5 seconds for CO2 valve closure and ventilation activation. | Test | subsystem, horticultural-lighting, sil-2, session-467, idempotency:sub-hls-emergency-shutdown-467 |
| SUB-REQ-046 | When a PAR Sensor Array signal is lost or out-of-range in a zone, the Lighting Control Unit SHALL continue closed-loop operation at the last valid setpoint PWM value for up to 4 hours, generate a sensor fault alarm, and transition to full manual override after the 4-hour timeout. Rationale: PAR sensor failure should not immediately force operator intervention in a 24/7 automated facility. A 4-hour hold at last-known PWM is safe because short-term DLI deviation from single-zone sensor loss is within crop tolerance windows. Beyond 4 hours the risk of undetected environmental change justifies requiring operator confirmation. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-par-degraded-467 |
| SUB-REQ-047 | The PAR Sensor Array SHALL have NIST or PTB-traceable calibration per ASTM E948 with a maximum measurement uncertainty of 3% (k=2) at recalibration intervals not exceeding 12 months. Rationale: ASTM E948 is the primary standard for PAR sensor calibration in horticultural applications. 3% calibration uncertainty is the maximum consistent with maintaining overall PAR accuracy of ±5% (SYS-REQ-005) when combined with installation and measurement losses. Twelve-month recalibration intervals are standard in controlled horticulture environments per EN ISO 9001 measurement system requirements. | Inspection | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-par-calibration-467 |
| SUB-REQ-048 | The LED Driver Module Array SHALL achieve a minimum power conversion efficiency of 93% at rated load and maintain output current regulation within 2% of the commanded setpoint under steady-state conditions across all channels. Rationale: 93% driver efficiency is the industry minimum for horticultural LED drivers at this power density (>50W per channel). Below 93% the waste heat per zone exceeds the HVAC cooling budget, requiring oversized cooling infrastructure. 2% current regulation translates to 2% PAR variation at constant flux, which must be accounted for in the ±5% overall PAR budget. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-driver-efficiency-467 |
| SUB-REQ-049 | The Zone Controller Network SHALL provide a supervisory override channel that, when asserted by the Supervisory Control Subsystem within 500 ms, suspends autonomous zone regulation and transfers zone actuator control to the supervisory setpoint within that response window. Rationale: UHT classifies zone controller network (51F77808) as Functionally Autonomous (bit 15), requiring an explicit human-in-the-loop override per IEC 62443-3-3 SR 2.12. Without this, the operator cannot regain control during runaway CO2 or thermal excursion scenarios. | Test | idempotency:qc-468-zone-ctrl-net-override |
| SUB-REQ-050 | The Irrigation Controller SHALL operate from a 24 VDC ±10% supply with a maximum steady-state power consumption of 15 W and a peak inrush current not exceeding 2 A for more than 50 ms at power-on. Rationale: UHT classifies the irrigation controller (D1F77A08) as Powered (bit 4) and System-Essential (bit 16). Without a defined power envelope, the electrical panel and UPS sizing cannot be verified, and inrush from multiple controllers starting simultaneously could trip circuit protection. | Test | idempotency:qc-468-irrig-ctrl-power |
| SUB-REQ-051 | The Dosing Pump Array SHALL operate from a 24 VDC ±10% supply with a maximum steady-state power consumption of 30 W per pump and food-contact-compliant wetted materials certified to FDA 21 CFR 177 for nutrient solution compatibility. Rationale: UHT classifies the dosing pump array (D7F73218) as Powered (bit 4), Physical Medium (bit 7), and Regulated (bit 28). Dosing pumps in a food-production environment require both a defined power budget for UPS autonomy and material certification to prevent nutrient contamination from pump wetted surfaces. | Test | idempotency:qc-468-dosing-pump-power |
| SUB-REQ-052 | The Supervisory Control Subsystem SHALL authenticate all remote HMI sessions using multi-factor credentials (username/password plus time-based OTP) and SHALL encrypt all management communications using TLS 1.3 or later. Rationale: UHT classifies the supervisory control subsystem (51BD7908) as Digital/Virtual (bit 24) and Human-Interactive (bit 13). Unauthenticated access to the supervisory HMI would allow an adversary to disable safety interlocks or alter crop recipes; TLS 1.3 prevents credential interception on uncontrolled network segments. | Test | idempotency:qc-468-supervisory-cybersec |
| SUB-REQ-053 | The Climate Management Subsystem SHALL maintain grow zone air temperature within ±1.0°C of the crop-specific temperature setpoint across the full 18–28°C operating range under steady-state conditions. Rationale: Derived from SYS-REQ-001. Temperature deviations beyond ±1.0°C reduce crop growth rate and quality; validated against industry benchmarks for lettuce (20±1°C), strawberry (18±1°C), and basil (22±1°C). The ±1.0°C band is the tightest achievable with DX HVAC at the specified zone volumes. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-054 | The Climate Management Subsystem SHALL maintain grow zone relative humidity within ±5% RH of the crop-specific humidity setpoint across the 60–85% RH operating range under steady-state conditions. Rationale: Derived from SYS-REQ-002. RH deviations beyond ±5% promote fungal pathogens (Botrytis cinerea) at high end and cause crop tip-burn through reduced transpiration at low end. The ±5% band is the IEC 61511 functional accuracy class for capacitive RH sensors in the 0–40°C temperature compensation range. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-rh-regulation-469 |
| SUB-REQ-055 | When the HVAC Actuator Interface reports a compressor trip condition, the Zone Climate Controller SHALL send a lighting load-reduction command to the Supervisory Control Subsystem within 500 ms and engage the economiser damper to maintain zone temperature below 30 degC. Rationale: Derived from SYS-REQ-008. Compressor trip causes loss of cooling capacity; LED fixtures contribute up to 40 percent of zone heat load, so reducing lighting is the fastest mechanical intervention available. The 500 ms response window was derived from the thermal time constant analysis for a 20 m2 zone under peak summer ambient conditions. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-compressor-trip-469 |
| SUB-REQ-056 | The Temperature Sensor Network SHALL sample all zone temperature sensors at a minimum rate of 1 Hz and deliver readings to the Zone Climate Controller with a maximum end-to-end latency of 2 s from measurement to controller input. Rationale: 1 Hz sampling is the minimum required for PID loop stability given the thermal time constant of the grow zone air volume (estimated 60-90 s). The 2 s maximum latency bound ensures the PID derivative term is not corrupted by stale data during transient events such as door opening. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-temp-sampling-469 |
| SUB-REQ-057 | When the Temperature Sensor Network detects a sensor reading outside the valid range of 0 to 50 degC or reports a wire-break fault, the Zone Climate Controller SHALL switch control inputs to the next available redundant sensor and generate a maintenance alarm within 30 s. Rationale: Dual-sensor redundancy per zone (top and bottom canopy positions) ensures continued closed-loop control on single sensor failure. The 30 s alarm latency allows operator awareness before the next crop inspection round while not imposing real-time alarm fatigue. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-sensor-fault-469 |
| SUB-REQ-058 | The Fresh Air Ventilation Controller SHALL coordinate fresh air fraction with the CO2 Enrichment Subsystem via Modbus TCP, maintaining a fresh air fraction between 5 and 30 percent of zone supply volume to balance CO2 setpoint, O2 replenishment, and ethylene dilution requirements. Rationale: Derived from the need to manage competing gas concentrations without independent control of each. The 5-30 percent range is the mechanical limit of the HRV unit specified; below 5 percent O2 depletion risk rises; above 30 percent the CO2 enrichment system cannot maintain setpoint economically. Modbus TCP interface selected because CO2 Enrichment Subsystem already uses this bus. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-fresh-air-469 |
| SUB-REQ-059 | The HVAC Actuator Interface SHALL execute Zone Climate Controller setpoint commands within 500 ms of receipt and confirm execution status to the controller within 1 s, for all actuator types (VFD, contactor, modulating valve, damper). Rationale: 500 ms command execution latency is the maximum allowed to maintain PID loop stability. Confirmation within 1 s allows the Zone Climate Controller to detect actuator stuck-open/closed conditions and escalate to the Safety Interlock Subsystem if needed. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-actuator-latency-469 |
| SUB-REQ-060 | When a zone isolation command is received from the Safety Interlock Subsystem, the HVAC Actuator Interface SHALL close zone supply and return HVAC dampers within 2 s of command receipt and hold the closed state until an explicit release command is received. Rationale: Derived from SYS-REQ-014. Zone airflow isolation prevents spread of pathogens or chemical contamination from an affected zone to adjacent zones via the shared duct network. The 2 s damper closure time is the maximum achievable with the specified 24V spring-return actuators at operating temperature range. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-zone-isolation-469 |
| SUB-REQ-061 | When the Demand Response Handler receives an OpenADR 2.0b demand-response signal from the utility VTN, the Supervisory Control Subsystem SHALL compute and execute a load-reduction plan within 60 s of signal receipt, reducing facility electrical load by the requested amount while maintaining crop-safe minimum environmental parameters. Rationale: Derived from SYS-REQ-012. The 60 s execution window is the maximum allowed under OpenADR 2.0b SIMPLE event type baseline specification. Crop-safe minimum parameters (minimum temperature floor, minimum CO2 level) are required to prevent crop loss during DR events that may last up to 4 hours. | Test | subsystem, supervisory-control, session-469, idempotency:sub-scs-dr-response-469 |
| SUB-REQ-062 | When an emergency shutdown trigger is received by the Emergency Shutdown Sequencer (fire alarm relay, manual E-stop, or critical sensor fault), the Supervisory Control Subsystem SHALL complete the full shutdown sequence (CO2 valve closure, nutrient pump off, lighting off, HVAC dampers to purge) within 10 s of trigger receipt. Rationale: Derived from SYS-REQ-013. The 10 s total sequence time is driven by the CO2 concentration rise rate in a sealed zone: at maximum CO2 enrichment flow rate, CO2 can rise from 1500 ppm to 5000 ppm (safety limit) in approximately 45 s, giving the sequence a 35 s safety margin. Steps are serialised with the CO2 valve first to maximise margin for that hazard. | Test | subsystem, supervisory-control, session-469, idempotency:sub-scs-emergency-shutdown-469 |
| SUB-REQ-063 | The Supervisory Control Subsystem SHALL execute and verify the zone sanitisation sequence (pH 2.0 flush, UV-C exposure, dry-out dwell) per the registered crop transition protocol before authorising zone reactivation for a new crop cycle, with a verification record written to the compliance audit log. Rationale: Derived from SYS-REQ-016. Sanitisation verification is a regulatory and food-safety requirement (GFSI/SQF for leafy greens). Automated verification and audit logging prevents manual bypass and provides the evidence trail required for food safety audits. | Test | subsystem, supervisory-control, session-469, idempotency:sub-scs-sanitisation-469 |
| SUB-REQ-064 | The Crop Recipe Engine SHALL continue executing the active crop recipe and issuing environmental setpoints during Plant Management Server software updates, with setpoint output interruption not exceeding 30 s during the update window. Rationale: Crop recipes running 7-120 day cycles cannot tolerate unplanned setpoint loss during routine server maintenance. A 30 s setpoint interruption is within the thermal and CO2 time constants of all grow zones (minimum 60 s), meaning the environment will not deviate beyond crop-safe limits during the gap. | Test | subsystem, supervisory-control, session-469, idempotency:sub-scs-recipe-continuity-469 |
| SUB-REQ-065 | The Zone Controller Unit SHALL maintain closed-loop control of all zone environmental parameters (temperature, humidity, CO2, PAR, pH, EC) within crop recipe setpoints using locally stored setpoint data for a minimum of 30 minutes when the OPC-UA connection to the Zone Edge Gateway is interrupted. Rationale: SYS-REQ-017 requires restoration of zone regulation within 30s of primary node failure. The ZCU must operate autonomously during any switchover period to prevent crop damage, using NOR flash-stored setpoints as the last-valid recipe. 30 minutes exceeds the expected switchover time plus manual response window. | Test | subsystem, zone-controller-network, session-470, idempotency:sub-zcn-zcu-autonomous-470 |
| SUB-REQ-066 | The Zone Controller Unit SHALL execute PID control loop iterations for all regulated environmental parameters at a minimum cycle rate of 10 Hz, with loop execution jitter not exceeding ±5 ms. Rationale: SYS-REQ-001 requires ±1.0°C temperature regulation and SYS-REQ-002 requires ±5% RH. Analysis of zone thermal mass and HVAC actuator response times shows that a 10Hz loop rate is the minimum to achieve these tolerances without oscillation. Jitter constraint prevents control loop aliasing against the 10s temperature sensor averaging window. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-067 | The Zone Controller Unit SHALL persist the current active recipe setpoints to non-volatile NOR flash memory within 5 seconds of any setpoint update, and SHALL retrieve stored setpoints within 10 seconds of power restoration. Rationale: Required to support the 30-minute autonomous operation window (SUB-REQ-065): setpoints must survive power cycling and network outage. 5s write window is bounded by the PID loop update frequency; 10s retrieval ensures zone control resumes within the SYS-REQ-017 30s failover window. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-068 | The Zone I/O Expansion Module SHALL sample all connected 4-20mA analog inputs at a minimum rate of 1 Hz with ±0.1% full-scale measurement accuracy, and SHALL detect and report open-circuit loop faults on any 4-20mA channel to the Zone Controller Unit within 1 second of fault occurrence. Rationale: SYS-REQ-011 requires 1-second resolution data logging; the I/O Module must sample at least as fast. ±0.1% FSR accuracy corresponds to ±0.16mA on a 20mA span, which resolves to ±0.16°C for a PT100 transmitter — within the sensor measurement error budget. Open-circuit detection within 1s prevents undetected sensor loss from causing uncontrolled dosing. | Test | subsystem, zone-controller-network, session-470, idempotency:sub-zcn-iom-sampling-470 |
| SUB-REQ-069 | The Zone Edge Gateway SHALL aggregate OPC-UA data from all Zone Controller Units and publish an updated node namespace to the Supervisory Control Subsystem at a maximum end-to-end latency of 500 ms from sensor sampling to supervisory data availability. Rationale: SYS-REQ-018 requires real-time zone status display for operator HMI; 500ms end-to-end latency is the human-perceptible update threshold for operational dashboards. This budget is allocated as: 100ms ZCU scan, 100ms RS-485 transfer, 100ms ZCU OPC-UA publish, 100ms network transit, 100ms Gateway aggregation, leaving 100ms margin. | Test | subsystem, zone-controller-network, session-470, idempotency:sub-zcn-gateway-latency-470 |
| SUB-REQ-070 | The Time-Series Database Engine SHALL ingest environmental sensor data at a minimum rate of 1 sample per second per channel across all zones without data loss, and SHALL retain raw 1-second resolution data for a minimum of 90 days and 1-minute resolution aggregates for a minimum of 10 years. Rationale: SYS-REQ-011 requires 1-second resolution logging with 10-year retention. The 90-day raw tier covers the regulatory inspection window for fresh produce (most jurisdictions require 90-day post-harvest environmental records); the 10-year aggregate tier covers long-term trend analysis and facility-level regulatory audits. Loss-free ingestion is required because data gaps invalidate compliance records. | Test | subsystem, data-acquisition, session-470, idempotency:sub-dac-tsdb-ingest-470 |
| SUB-REQ-071 | The Time-Series Database Engine SHALL export any requested date range of environmental data for a specified zone as a CSV file within 30 seconds for queries spanning up to 90 days of 1-second resolution data. Rationale: SYS-REQ-011 specifies CSV export within 30 seconds; this requirement constrains the TSDB query engine and storage performance to support that SLA. 90-day scope covers the maximum raw-resolution retention window and defines the worst-case query performance target. | Test | subsystem, data-acquisition, session-470, idempotency:sub-dac-tsdb-export-470 |
| SUB-REQ-072 | The OpenADR Virtual End Node SHALL receive and acknowledge OpenADR 2.0b DR event signals from the utility Virtual Top Node within 30 seconds of event distribution, and SHALL translate the event payload into an energy curtailment command dispatched to the Supervisory Control Subsystem within 5 seconds of acknowledgement. Rationale: SYS-REQ-012 requires response to OpenADR 2.0 demand-response events. Utility OpenADR 2.0b contracts typically specify 30-second acknowledgement SLA; the 5-second internal dispatch ensures the Supervisory has adequate time to pre-condition zones before the event start time. | Test | subsystem, data-acquisition, session-470, idempotency:sub-dac-oadr-dispatch-470 |
| SUB-REQ-073 | The Crop Recipe Database SHALL store a minimum of 200 crop recipes with complete version history, and SHALL maintain an immutable audit trail of all recipe create, update, and supersede operations with timestamp, user identity, and change summary, ensuring no recipe version is ever deleted. Rationale: SYS-REQ-020 requires 200 crop recipes. Immutable version history with audit trail is required for GMP compliance (21 CFR Part 11 equivalent for food production): regulators require proof that a specific recipe version was active during a specific crop production run, and that recipe changes were authorised. | Inspection | subsystem, data-acquisition, session-470, idempotency:sub-dac-recipe-db-capacity-470 |
| SUB-REQ-074 | The Compliance Report Generator SHALL produce a zone sanitisation verification report including sensor evidence of peracetic acid contact time, temperature, and concentration, cryptographically signed with a SHA-256 hash of the source TSDB data, within 60 seconds of a sanitisation cycle completion event. Rationale: SYS-REQ-016 requires sanitisation sequence verification including peracetic acid contact time records. The cryptographic hash links the report to immutable TSDB source data, satisfying tamper-evidence requirements for food safety audits (GFSI, SQF). 60-second generation time allows the report to be available before the operator logs off the cleaning shift. | Test | subsystem, data-acquisition, session-470, idempotency:sub-dac-compliance-report-470 |
| SUB-REQ-075 | When the Zone Climate Controller loses communication with the Zone Controller Unit for more than 5 seconds, the Zone Controller Unit SHALL revert to its last valid setpoint cache and maintain that environmental state for at least 15 minutes before declaring a zone fault. Rationale: UHT classifies the Zone Climate Controller (hex D1F77008) as System-Essential (bit 16). Lint finding: zone controller lacks redundancy/failover requirements. The 5-second timeout and 15-minute holdover are derived from the crop thermal time constant — a vertical farm growing zone can tolerate 15 minutes of fixed-setpoint control before temperature drifts outside acceptable bounds, giving maintenance personnel time to respond without triggering a full zone shutdown. | Test | subsystem, zone-controller-network, redundancy, session-471, idempotency:sub-zcn-zcu-holdover-471 |
| SUB-REQ-076 | The CO2 Enrichment Subsystem SHALL incorporate an independent safety-rated CO2 sensor, certified to IEC 61508 SIL-2, operating on a separate power supply and signal path from the process-control CO2 sensors, with a response time not exceeding 30 seconds for a step change from 0 to 5000 ppm. Rationale: SYS-REQ-004 requires the safety interlock to act within 2 seconds on CO2 exceeding 5000 ppm using an independent safety-rated sensor — explicitly separate from the software-controlled process sensor. This SUB requirement derives that sensor's SIL-2 certification, independent power path, and 30-second response time. The 30-second response budget is the 2-second interlock latency padded for sensor settling; IEC 61508 SIL-2 certification is required because CO2 asphyxiation meets the hazard frequency and severity threshold for SIL-2 per the hazard register. | Test | subsystem, co2-enrichment, safety, sil-2, session-471, idempotency:sub-co2-safety-sensor-sil2-471 |
| SUB-REQ-077 | The Zone Controller Network SHALL enforce network segmentation using VLAN isolation between OT zone control traffic and corporate IT networks, with all OPC-UA communications authenticated using X.509 certificates and all Modbus RTU segments accessible only via physically secured electrical enclosures. Rationale: UHT classifies the zone and associated digital control systems with the Digital/Virtual trait (bit 24), triggering a cybersecurity gap finding in lint. Vertical farm control systems are OT environments with ICS/SCADA attack surfaces: an attacker gaining access to the zone Modbus segments could manipulate CO2 injection solenoids, nutrient dosing pumps, or LED circuits, creating both crop loss and personnel safety risks. VLAN segmentation with X.509 OPC-UA authentication and physical enclosure access control aligns with IEC 62443-3-3 SR 1.1 (identification and authentication) at Security Level 2. | Inspection | subsystem, zone-controller-network, cybersecurity, session-471, idempotency:sub-zcn-cybersecurity-vlan-471 |
| SUB-REQ-078 | All physical materials and surfaces within growing zones that contact nutrient solution, irrigation water, or air recirculation streams SHALL comply with FDA 21 CFR Part 174-186 (food contact materials) and SHALL be verified clean-in-place (CIP) compatible with 2% peracetic acid sanitisation solution at ambient temperature. Rationale: UHT classifies growing zones with the Biological/Biomimetic trait (bit 3) because zones contain live plant matter and microbiomes. Lint finding 7 flags the absence of biocompatibility or sterilisation requirements. Under FSMA (21 CFR Part 112), indoor growing facilities producing leafy greens for direct human consumption must demonstrate that materials contacting edible plant matter are food-safe. Peracetic acid is the standard sanitisant for hydroponic systems; CIP compatibility ensures the zone can be sanitised in place without disassembly, which is also required by SYS-REQ-016 (sanitisation sequence verification before new crop activation). | Inspection | subsystem, zone-controller-network, food-safety, compliance, session-471, idempotency:sub-zone-biocompat-fda-471 |
| SUB-REQ-079 | The Zone Climate Controller SHALL accept a supervisory override command from the Supervisory Control Subsystem within 2 seconds to either SUSPEND autonomous setpoint control (holding last actuator state) or SAFE-MODE (de-energise all HVAC actuators), and SHALL NOT resume autonomous operation until the Supervisory Control explicitly releases the override. Rationale: Lint finding: zone climate controller classified as Functionally Autonomous (bit 15) but had no supervisory override requirement. Autonomous control must yield to supervisory authority to prevent crop loss during fault conditions, prevent runaway control during sensor failure, and support orderly shutdown sequences. | Test | idempotency:sub-zcc-override-qc472 |
| SUB-REQ-080 | The Zone Controller Unit SHALL respond to a SUSPEND or SAFE-MODE override command from the Zone Edge Gateway within 500 ms by either freezing all setpoint outputs at current values or de-energising all zone actuator outputs, and SHALL transmit an acknowledgement back via OPC UA confirming the override state. Rationale: Lint finding: zone controller unit classified as Functionally Autonomous (bit 15) but lacked override constraints. The 500ms response time is required to coordinate with the safety interlock subsystem response chain; supervisory override is essential for controlled zone shutdowns without triggering interlock trips. | Test | idempotency:sub-zcu-override-qc472 |
| SUB-REQ-081 | The Zone Climate Controller SHALL operate from the zone control panel 24VDC supply rail with a maximum steady-state power draw not exceeding 15W per unit, and SHALL incorporate a local hold-up capacitor providing ≥200ms of brownout ride-through to prevent uncontrolled actuator state changes during supply voltage transients. Rationale: Lint finding: zone climate controller classified as Powered (bit 4) but had no power budget or supply requirement. The 15W limit constrains panel heat load for a standard 8-zone panel; 200ms ride-through aligns with UPS switchover time to prevent spurious actuator state changes. | Test | idempotency:sub-zcc-power-qc472 |
| SUB-REQ-082 | The Supervisory Control Subsystem SHALL be housed in an IEC 60529 IP54-rated 19-inch 4U rack-mount enclosure with front-panel LED indicators for system health, alarm, and communication status, suitable for installation in a climate-controlled control room at operating temperatures of +5 degC to +45 degC. Rationale: The Supervisory Control Subsystem contains industrial compute hardware subject to dust and humidity ingress in a farm environment; IP54 rack-mount packaging ensures hardware longevity and maintainability. UHT classification confirms the component carries physical embodiment traits requiring explicit enclosure constraints. | Inspection | idempotency:qc-phys-scs-enclosure-v1 |
| SUB-REQ-083 | The Zone Controller SHALL be packaged as a DIN-rail-mounted embedded controller rated to IEC 60529 IP54, operating across -5 degC to +55 degC ambient, with dimensions not exceeding 140 mm W x 100 mm H x 60 mm D to fit within the zone control panel. Rationale: Zone controllers are mounted inside wet, humid growing zones; IP54 DIN-rail packaging is the minimum protection level for continuous operation in this environment. Dimensional constraints are derived from the zone control panel enclosure design to ensure physical fitment. | Inspection | idempotency:qc-phys-zc-enclosure-v1 |
| SUB-REQ-084 | The Zone Controller Network cabling SHALL use shielded twisted-pair industrial Ethernet cable rated for continuous exposure to water splash and nutrient solution mist, with IP67-rated field junction boxes at each zone entry point, supporting network segments up to 100 m at 100 Mbps without active repeaters. Rationale: Network cabling traversing the growing zone is exposed to condensation and nutrient spray; specifying shielded cable and IP67 junction boxes prevents corrosion-induced network faults that would disrupt closed-loop zone control. The 100 m segment limit is the Cat6A maximum for 100BASE-TX. | Inspection | idempotency:qc-phys-zcn-cabling-v1 |
| SUB-REQ-085 | The CO2 Enrichment Subsystem SHALL be housed in a ventilated, wall-mounted IEC 60529 IP54-rated steel enclosure located within 2 m of the CO2 supply manifold, incorporating integrated solenoid valve driver circuits and a 24 VDC power supply rated to supply all zone injection solenoids simultaneously at a maximum combined load of 20 A. Rationale: Proximity mounting minimises CO2 supply piping runs and pressure drop; combined solenoid load rating prevents nuisance trips during simultaneous zone injection during peak crop growth periods. Ventilation prevents heat buildup from solenoid drivers. | Inspection | idempotency:qc-phys-enrich-enclosure-v1 |
| SUB-REQ-086 | The Zone Climate Controller SHALL be packaged in an IEC 60529 IP54 DIN-rail-mount enclosure with dedicated RS-485 Modbus RTU termination ports, an integral galvanically isolated 24 VDC power rail, and shall withstand sinusoidal vibration levels of 0.5 g RMS over 10-150 Hz for continuous operation in a fan-cooled equipment cabinet. Rationale: Zone Climate Controllers are installed in equipment cabinets adjacent to HVAC plant; vibration from fan motors and compressors requires 0.5g RMS rating derived from ASHRAE guidelines for fan vibration in air handling units. Galvanic isolation on the 24V rail protects against ground-loop noise from large HVAC motors. | Test | idempotency:qc-phys-zcc-enclosure-v1 |
| SUB-REQ-087 | The CO2 Injection Controller SHALL be housed in a glass-reinforced polyester (GRP) enclosure rated to IEC 60529 IP65, mounted external to the growing zone, and SHALL incorporate a manual isolation valve interface and solenoid position indicator to support safe maintenance under lockout/tagout (LOTO) procedures per IEC 60204-1. Rationale: GRP enclosures are preferred for CO2 equipment because they resist the HNO3-based condensation from nutrient misting without the galvanic corrosion risk of steel. External mounting enables LOTO access without entering the CO2-enriched zone, addressing a COSHH control requirement for CO2 service operations. | Inspection | idempotency:qc-phys-co2ic-enclosure-v1 |
| SUB-REQ-088 | All surfaces within a growing zone that are directly exposed to nutrient solution or crop root mass SHALL be constructed from food-safe, non-porous materials — specifically stainless steel grade 316L or HDPE — complying with FDA 21 CFR Part 177 to prevent pathogen harbouring and ensure biocompatibility with edible crops. Rationale: Vertical farm zones grow edible produce; pathogen contamination from surface materials (e.g., biofilm formation on porous substrates) presents a direct food safety hazard. FDA 21 CFR Part 177 sets the material standard for food-contact surfaces, and 316L SS/HDPE are proven choices for nutrient solution contact in hydroponics, matching industry certification expectations for GAP compliance. | Inspection | idempotency:qc-bio-zone-materials-v1 |
| SUB-REQ-089 | While a growing zone is undergoing sanitation, the Zone Controller SHALL enforce a zone isolation interlock that prevents nutrient delivery and CO2 injection until a minimum 30-minute hypochlorous acid fog or UV-C irradiation sterilisation cycle has completed, confirmed by sensor-based cycle completion verification. Rationale: Inadequate sanitisation between crop cycles is the primary route for Fusarium and E. coli O157 entry into a hydroponic system; a mandatory 30-minute chemical or UV-C cycle is the minimum effective contact time per UK HSE hydroponics guidance. Zone isolation during sanitisation prevents nutrient contamination of cleaning agents and protects next-crop food safety. | Test | idempotency:qc-bio-zone-sterilisation-v1 |
| SUB-REQ-090 | The Zone Climate Controller SHALL be a physically-housed DIN-rail-mounted controller unit installed in zone electrical enclosures, with a housing conforming to IEC 60715 and rated to IEC 60529 IP20, operating at 24 VDC supply, within ambient temperature range -10 to +55 degC. Rationale: Zone Climate Controller executes PID loops for HVAC actuators and must be co-located with zone I/O in electrical enclosures. Physical housing specification ensures the unit is procurable as a mountable hardware LRU and integrates with the DIN-rail ecosystem. Without this, the controller is treated as a pure software module. | Inspection | idempotency:sub-zone-climate-ctrl-housing-474 |
| SUB-REQ-091 | The CO2 Injection Controller SHALL be a physically-housed controller unit installed in a GRP or 304 stainless steel enclosure rated to IEC 60529 IP54, DIN-rail or panel-mounted in plant-room equipment corridors outside growing zones, with analogue 4-20 mA I/O terminals and RS-485 Modbus RTU communications port, operating at 24 VDC supply within -10 to +50 degC ambient. Rationale: CO2 Injection Controller is a process control device handling pressurised gas at up to 10 bar and must be installed in a location accessible for maintenance without disturbing active crop cycles. IP54 protection is required for the agricultural plant-room environment with cleaning spray and humidity. Physical housing specification enables procurement as a hardware LRU and defines installation zone, which is a safety requirement given CO2 asphyxiation hazard. | Inspection | idempotency:sub-co2-inject-ctrl-housing-474 |
| SUB-REQ-092 | The Vertical Farm Environment Controller SHALL ensure that all sensors, actuators, and hardware installed within growing zones are constructed from food-safe, non-toxic, corrosion-resistant materials (stainless steel 304/316, food-grade ABS, or equivalent) and comply with biocompatibility requirements of EN 1186 or equivalent applicable food-contact material standard, to prevent contamination of crops or nutrient solution. Rationale: Vertical farm growing zones contain live crops intended for human consumption. All hardware co-located in zones with plants can leach trace materials into nutrient solution or onto crop surfaces. Stainless steel 304/316 and food-grade ABS are established food-safe materials. Biocompatibility certification prevents regulatory non-compliance with food safety legislation (e.g., EU Regulation 10/2011 on plastic materials in food contact) and protects consumer health. | Inspection | idempotency:sub-zone-biocompat-474 |
| SUB-REQ-094 | The Zone Controller SHALL be a physically-housed embedded controller unit with a DIN-rail-mounted enclosure rated to IEC 60529 IP20, installed in zone electrical enclosures adjacent to each growing zone, with RS-485 serial ports, 24 VDC power input, and digital I/O terminals, operating within ambient temperature -10 to +55 degC and humidity 20-95% RH non-condensing. Rationale: Zone Controllers are the local automation nodes executing real-time PID control. Physical housing in zone electrical enclosures is necessary for cable management, maintenance access, and compliance with IEC 61439 (low-voltage switchgear). The IP20 rating and temperature/humidity specification ensure suitability for the agricultural electrical enclosure environment. Without a physical housing requirement, zone controllers cannot be selected or installed as real hardware units. | Inspection | idempotency:sub-zone-ctrl-housing-474 |
| SUB-REQ-095 | The Zone Controller Network physical infrastructure SHALL comprise shielded twisted-pair industrial Ethernet cabling (minimum Cat5e, foil/braid shield) rated for continuous exposure to humidity and nutrient mist, IP67-rated GRP field junction boxes at each zone entry point, and 19-inch 1U managed industrial Ethernet switches installed in the Supervisory Control Subsystem enclosure, supporting network segments up to 100 m at 100 Mbps. Rationale: Zone Controller Network must specify its physical cabling infrastructure to ensure reliable communications in the high-humidity, nutrient-mist environment of the growing facility. Shielded cabling and IP67 junction boxes protect network hardware from corrosion and condensation. Without explicit physical infrastructure requirements, the network cannot be procured or installed as a real hardware system. Derived from ARC-REQ-002 distributed architecture decision and IFC-REQ-013, IFC-REQ-016 which impose physical routing and termination constraints. | Inspection | idempotency:zcn-physical-infrastructure-v1 |
| SUB-REQ-096 | All materials in direct contact with growing zone air, water, or growing media SHALL be food-safe, non-toxic, and resistant to degradation by peracetic acid (PAA) at concentrations up to 2000 ppm, sodium hypochlorite at 200 ppm, and pH ranges 2.0-10.0. Zone surfaces SHALL be cleanable to a surface bioburden below 100 CFU/cm2 after the standard sanitisation cycle. Rationale: Growing zones contain crops for human consumption; material biocompatibility and cleanability prevent contamination of produce with chemicals, heavy metals, or pathogens. Peracetic acid and hypochlorite concentrations reflect the standard sanitisation protocol used between crop cycles. The 100 CFU/cm2 bioburden limit is based on ISO 22000 food safety standard guidance for food-contact surfaces. Without these requirements, there is no baseline for material selection or sanitisation effectiveness qualification. | Test | idempotency:zone-biocompatibility-v1 |
| SUB-REQ-097 | When a harvest crew zone entry signal is received from a zone access control reader, the Vertical Farm Environment Controller SHALL within 60 seconds switch the zone to worker-comfort mode: set temperature setpoint to 22 degC, set white-channel LED intensity to 50% of current output, disable CO2 enrichment injection for the zone, and prevent automatic return to production recipe setpoints until a zone-clear signal is received from the same access control reader. Rationale: Derived from STK-REQ-008: harvest crew working in a zone face risks from elevated CO2 (>1000 ppm causes cognitive impairment, >5000 ppm is life-threatening), high-intensity grow lighting (>600 µmol/m2/s causes eye and skin damage), and sub-optimal temperature. Without an automatic worker-comfort mode, operators must manually reconfigure zone parameters before entry, increasing the risk of a crew member entering a zone with hazardous conditions. The 60-second response time is derived from the expected transit time from access control reader to the growing zone. This is a safety-critical operational mode: the system must not return to production conditions while crew are present. | Test | idempotency:sys-worker-comfort-mode-477 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between the Vertical Farm Environment Controller and the Building Management System SHALL use BACnet/IP with event-driven alarm exchange (fire alarm status within 500ms) and 5-minute polled energy consumption metrics, supporting BACnet Alarm and Event services (clause 13) and Read Property services. Rationale: External interface: BMS provides fire alarm status that feeds safety interlock chain and weather data for HVAC anticipatory control. 500ms alarm latency ensures fire alarm reaches safety interlock subsystem before flashover conditions develop in adjacent building spaces. | Test | interface, external, session-462, idempotency:ifc-ext-bms-462 |
| IFC-REQ-002 | The interface between the Vertical Farm Environment Controller and the Crop Planning/ERP Software SHALL use REST API (JSON over HTTPS) with mutual TLS authentication, supporting crop recipe download, zone scheduling commands, and environmental log/harvest data upload with maximum API response time of 5 seconds. Rationale: External interface: ERP provides crop recipes that drive zone setpoints and schedules. Mutual TLS prevents recipe tampering (wrong recipe loaded is a ConOps failure mode). 5-second API timeout prevents cloud latency from blocking operational control loops. | Test | interface, external, session-462, idempotency:ifc-ext-erp-462 |
| IFC-REQ-003 | The interface between the Vertical Farm Environment Controller and the Energy Management/Smart Grid SHALL support OpenADR 2.0b VEN profile for demand-response signal reception and Modbus TCP (Function Code 3/4) for local energy metering at 15-second scan rate, with DR event acknowledgement within 60 seconds. Rationale: External interface: Utility sends DR signals that trigger load curtailment. OpenADR 2.0b VEN profile is the standard for demand-response loads >100kW. 15-second Modbus metering provides granularity for real-time load tracking used by the energy optimisation function. | Test | interface, external, session-462, idempotency:ifc-ext-grid-462 |
| IFC-REQ-004 | The interface between the Vertical Farm Environment Controller and the Cloud Monitoring Platform SHALL use MQTT v5 over TLS 1.3 for 1-minute telemetry push (all zone sensors, actuator states, active alarms) and configuration update pull, with automatic local-only fallback within 30 seconds of connectivity loss and data backfill upon reconnection. Rationale: External interface: Cloud platform provides analytics, anomaly detection, and remote monitoring. MQTT v5 session expiry and message retention support reconnection backfill. 30-second fallback ensures control loops are not affected by internet outages. | Test | interface, external, session-462, idempotency:ifc-ext-cloud-462 |
| IFC-REQ-005 | The interface between the Vertical Farm Environment Controller and the CO2 Bulk Supply System SHALL use 4-20mA analogue inputs for tank level (0-100%) and tank pressure (0-25 bar), and 24VDC digital outputs for zone CO2 solenoid valves (fail-closed on loss of signal), with the controller monitoring tank level for automatic reorder trigger at 20% remaining. Rationale: External interface: CO2 supply system is safety-critical — regulator failure drives H-001 asphyxiation hazard. 4-20mA is industry standard for hazardous area analogue instruments. Fail-closed solenoid on loss of signal ensures CO2 injection stops on any communication or power failure. | Test | interface, external, safety, session-462, idempotency:ifc-ext-co2-supply-462 |
| IFC-REQ-006 | The interface between the CO2 Safety Sensor Array and the Safety PLC SHALL use hardwired 4–20mA analog signals (one per sensor channel), with channel-open and channel-short detection, at a scan rate of ≤1s per channel, providing CO2 concentration readings in the range 0–10,000 ppm. Rationale: A hardwired 4-20mA interface is intrinsically fail-safe: a broken wire drives the current to 0mA (below the 4mA live-zero), which the Safety PLC detects as a fault rather than a valid zero-CO2 reading. This prevents a wiring fault from masking a CO2 hazard. Digital fieldbus alternatives are excluded because they could be compromised by a network fault or cyber event at precisely the moment CO2 is rising. | Test | interface, safety-interlock, sil-3, session-463, idempotency:ifc-co2-sensor-plc-463 |
| IFC-REQ-007 | The interface between the Safety PLC and the Hardwired Trip Bus SHALL consist of 24VDC relay coil outputs (energize-to-hold topology), with each output driving a safety relay module that controls one final element; wire-break detection SHALL be active on all relay coil circuits. Rationale: Energize-to-hold (de-energize-to-trip) ensures that any relay coil circuit failure — broken wire, power loss, PLC output card failure — results in the relay de-energising and the final element moving to the safe state. This is the foundation of the fail-safe architecture required by IEC 61511 for SIL 3 final elements. Wire-break detection catches open circuits before they become undetected latent faults. | Inspection | rt-vague-interface, red-team-session-480 |
| IFC-REQ-008 | The interface between the Lockout Tagout Controller and the Safety PLC SHALL provide a hardwired zone-inhibit signal (24VDC discrete, normally-open) for each zone; when a LOTO key is checked out, the signal SHALL be de-asserted, preventing Safety PLC from enabling any output in that zone. Rationale: OSHA 29 CFR 1910.147 requires energy isolation. Implementing LOTO as a hardwired inhibit to the Safety PLC ensures that software running on the supervisory layer cannot override LOTO state. The de-asserted signal (open circuit) maps to inhibit, so a broken LOTO wire conservatively defaults to inhibited — preventing inadvertent re-energisation while fault is investigated. | Demonstration | rt-vague-interface, red-team-session-480 |
| IFC-REQ-009 | The interface between the Supervisory Control Subsystem and the Zone Controller Network SHALL use Modbus TCP/IP or OPC UA to distribute crop recipe parameters and zone setpoints with latency not exceeding 500ms per zone update. Rationale: STK-REQ-002 requires setpoint propagation within 60 seconds. The 500ms per-zone latency ensures that for up to 100 zones, all zones receive updated recipe parameters within the 60-second window. Modbus TCP/IP and OPC UA are the de facto standards for industrial HVAC and process control integration. | Test | idempotency:ifc-sc-zcn-recipe-464b |
| IFC-REQ-010 | The interface between the CO2 Enrichment Subsystem and the Zone Controller Network SHALL exchange CO2 concentration measurements at 1Hz per zone via Modbus TCP/IP, with each zone's current ppm reading and valve position feedback available to the supervisory layer within 2 seconds. Rationale: SYS-REQ-003 requires CO2 regulation within ±50 ppm. 1Hz feedback matches the sensor reporting rate and allows the supervisory layer to detect concentration drift and adjust injection in time to maintain the ±50 ppm band. The 2-second delivery window provides headroom for Modbus TCP poll cycles on a 100-zone network. | Test | idempotency:ifc-co2-zcn-feedback-464 |
| IFC-REQ-011 | The interface between the Climate Management Subsystem and the Zone Controller Network SHALL provide per-zone HVAC actuator commands (damper position 0-100%, compressor enable/disable, fan speed setpoint) with command execution acknowledgement within 1 second. Rationale: SYS-REQ-001 (temperature ±1°C) and SYS-REQ-002 (humidity ±5% RH) require closed-loop HVAC control. The 1-second acknowledgement window allows the Climate Management Subsystem to detect actuator faults and invoke the SYS-REQ-008 degraded-mode response before zone temperature deviates beyond 2°C. | Test | rt-vague-interface, red-team-session-480 |
| IFC-REQ-012 | The interface between the Nutrient Management Subsystem and the Zone Controller Network SHALL relay zone-level dosing commands (acid/base pump enable, irrigation valve open/close, flow rate setpoint) via Modbus TCP/IP and SHALL report per-zone EC and pH measurements at 0.1Hz with accuracy of ±0.1 mS/cm EC and ±0.05 pH. Rationale: SYS-REQ-006 requires pH regulation within ±0.2. Zone-level feedback accuracy of ±0.05 pH must be tighter than the system-level tolerance to accommodate sensor aging and calibration drift. Irrigation valve state reporting is needed to detect the stuck-open condition in SYS-REQ-010. | Test | idempotency:ifc-nm-zcn-nutrient-464 |
| IFC-REQ-013 | The interface between the Horticultural Lighting Subsystem and the Zone Controller Network SHALL distribute per-zone LED intensity and spectrum commands (PWM duty cycle 0-100% per channel) via DALI-2 or DMX512 protocol with LED fixture surface temperature telemetry returned at 0.2Hz. Rationale: SYS-REQ-005 requires LED intensity within ±5% of recipe setpoints. DALI-2 is IEC 62386-certified for digital LED control with per-fixture dimming accuracy of ±1%. Surface temperature telemetry at 0.2Hz satisfies SYS-REQ-009, which requires trip response within 10 seconds of exceeding 85°C. | Test | idempotency:ifc-hl-zcn-lighting-464 |
| IFC-REQ-014 | The interface between the Safety Interlock Subsystem and the CO2 Enrichment Subsystem SHALL consist of a hardwired de-energize-to-trip 24VDC relay signal that forces the CO2 bulk supply solenoid valve to the closed state within 500ms of an interlock trip, independent of any software controller. Rationale: SYS-REQ-004 requires CO2 shutoff within 10 seconds of the 5000 ppm threshold. A hardwired relay directly controlling the supply solenoid is the only architecture guaranteeing trip times independent of network latency or software availability. The 500ms margin leaves 9.5 seconds for actuator stroke time. | Inspection | idempotency:ifc-sis-co2-trip-464 |
| IFC-REQ-015 | The interface between the Safety Interlock Subsystem and the Supervisory Control Subsystem SHALL provide a unidirectional read-only OPC UA status bus reporting interlock state, trip cause code, and last-trip timestamp with polling interval not exceeding 1 second. Rationale: STK-REQ-001 requires HMI display of zone status and SYS-REQ-011 requires audit logging. The Supervisory Control Subsystem must not be able to acknowledge or reset trips via software to preserve SIL 3 integrity. A unidirectional OPC UA server/client topology enforces isolation while enabling state visibility. | Test | idempotency:ifc-sis-sc-status-464 |
| IFC-REQ-016 | The interface between the Data Acquisition and Compliance Subsystem and the Zone Controller Network SHALL collect 1-minute-resolution readings of all environmental parameters (temperature, humidity, CO2, PAR, EC, pH, irrigation flow) from each zone controller via OPC UA subscription, timestamped to UTC ±1 second accuracy. Rationale: STK-REQ-005 requires data retention compliant with food safety reference standards. 1-minute resolution is the minimum for post-harvest environmental correlation required by FSMA traceability frameworks. UTC ±1 second synchronisation is needed for multi-zone event correlation in compliance audits. | Test | idempotency:ifc-dac-zcn-logging-464 |
| IFC-REQ-017 | The interface between the Supervisory Control Subsystem and the Data Acquisition and Compliance Subsystem SHALL allow on-demand compliance report generation via REST API, returning the complete dataset within 5 minutes for any date range up to 90 days. Rationale: STK-REQ-012 requires energy-use reporting and STK-REQ-005 requires compliance data access. A REST API allows the HMI and cloud platform to pull historical datasets without direct database access, isolating the compliance data store from operational control traffic. | Test | idempotency:ifc-sc-dac-reports-464 |
| IFC-REQ-018 | The interface between the Climate Management Subsystem and the Safety Interlock Subsystem SHALL provide a hardwired zone-temperature out-of-range contact closure (24VDC) to the Safety PLC input card when any zone exceeds 38°C, with signal propagation time not exceeding 100ms. Rationale: SYS-REQ-009 requires trip of LED fixtures when zone temperature exceeds 38°C. A hardwired input to the Safety PLC ensures the thermal trip condition is evaluated by the SIL 3 Voted Logic Engine independently of process network health. The 100ms propagation budget fits within the 10-second trip response window in SYS-REQ-009. | Test | idempotency:ifc-cm-sis-thermal-464 |
| IFC-REQ-019 | The interface between the Nutrient Management Subsystem and the Safety Interlock Subsystem SHALL provide a hardwired dosing-excess fault contact closure (24VDC) to the Safety PLC input card when cumulative acid/base injection exceeds 5% of tank volume within any 10-minute window, with signal propagation time not exceeding 200ms. Rationale: SYS-REQ-007 defines the pH dosing excess condition as a safety trip requiring valve closure within 5 seconds. A hardwired signal path ensures the dosing-excess condition feeds directly into the SIL 3 Voted Logic Engine without relying on Modbus network availability, satisfying the independence requirement of SYS-REQ-015. | Test | idempotency:ifc-nm-sis-dosing-464 |
| IFC-REQ-020 | The interface between the Supervisory Control Subsystem and the CO2 Enrichment Subsystem SHALL provide zone-level CO2 concentration setpoints (400-2000 ppm range, ±1 ppm resolution) and injection enable/disable commands via Modbus TCP/IP with command acknowledgement within 2 seconds. Rationale: SYS-REQ-003 requires CO2 regulation within ±50 ppm of crop recipe setpoints. The Supervisory Control Subsystem holds the crop recipe (STK-REQ-002) and must transmit updated CO2 setpoints to the CO2 Enrichment Subsystem. The 400-2000 ppm range covers ambient to the maximum enrichment for fruiting crops. | Test | idempotency:ifc-sc-co2-setpoint-464 |
| IFC-REQ-021 | The interface between the Zone Controller Network and the Supervisory Control Subsystem SHALL publish zone fault events (sensor out-of-range, actuator fault, communication timeout) as OPC UA events with severity classification and zone identifier, delivered within 3 seconds of fault detection. Rationale: STK-REQ-003 requires crop yield impact assessment within 10 minutes of environmental excursions. STK-REQ-001 requires HMI status display with 5-second update latency. The 3-second event delivery window provides the required headroom for HMI rendering while giving the supervisory layer time to initiate yield impact calculations. | Test | idempotency:ifc-zcn-sc-faults-464 |
| IFC-REQ-022 | The interface between the CO2 Injection Controller and the Zone NDIR CO2 Sensor Array SHALL use 4-20mA analogue signals (one per zone), corresponding to 300–3000 ppm full-scale, with the CO2 Injection Controller detecting sensor fault conditions (open circuit <3.6mA, saturation >20.5mA) and raising a zone fault alarm within 5 seconds. Rationale: 4-20mA is the industry standard for process sensor interfaces due to its noise immunity in electrically noisy grow-room environments (motor drives, lighting ballasts). The live-zero (4mA) enables open-circuit fault detection, which is essential for a process control loop — loss of feedback must be detectable. | Test | interface, co2-enrichment-subsystem, session-465, idempotency:ifc-ctrl-ndir-465 |
| IFC-REQ-023 | The interface between the CO2 Injection Controller and the Zone Solenoid Valve Array SHALL use 24VDC discrete output signals (one per zone) energise-to-open, with valve position feedback returned as 24VDC discrete input (one per zone), and the CO2 Injection Controller SHALL detect valve-open command-feedback discrepancy within 2 seconds and raise a valve fault alarm. Rationale: 24VDC discrete I/O is the standard interface for solenoid valve control, providing clean on/off switching without analogue noise concerns. Position feedback detection of command/state discrepancy within 2s is required to detect valve seizure or coil failure before it causes out-of-specification CO2 enrichment or dangerous valve-open-on-trip conditions. | Test | rt-vague-interface, red-team-session-480 |
| IFC-REQ-024 | The interface between the CO2 Distribution Manifold and the CO2 Injection Controller SHALL transmit manifold inlet pressure (0–10 bar, 4-20mA) and manifold temperature (−10 to 40°C, 4-20mA) to the CO2 Injection Controller at 1Hz, with the controller raising a low-pressure alarm at <1.3 bar and shutting all zone valves at <0.5 bar to prevent CO2 reverse-flow. Rationale: Manifold pressure monitoring is needed to detect bulk CO2 supply exhaustion and vaporiser faults before they cause control failures. 1.3 bar low-pressure alarm gives operators time to top up supply before injection is lost; 0.5 bar shutdown prevents CO2 reverse-flow through valves, which could damage equipment and corrupt sensor readings. | Test | interface, co2-enrichment-subsystem, session-465, idempotency:ifc-manifold-ctrl-465 |
| IFC-REQ-025 | The interface between the EC/pH Sensor Array and the Irrigation Controller SHALL transmit EC (mS/cm) and pH measurements per zone via Modbus RTU RS-485 at 9600 baud with 16-bit register encoding, including a fault status register, at a polling rate of 0.1 Hz per zone, with maximum measurement-to-register latency of 500 ms. Rationale: Modbus RTU RS-485 is selected over 4-20mA because it allows single-cable multi-drop wiring across all zones, simplifying installation in large vertical farms with many grow zones. A fault status register is mandatory to support SUB-REQ-025 (fault detection) — analogue 4-20mA cannot carry fault state without a separate discrete signal. The 0.1Hz polling rate matches the measurement rate and ensures dosing corrections respond to the most current reading without excessive bus load. | Test | interface, nutrient-management-subsystem, session-466, idempotency:ifc-ecph-ic-466 |
| IFC-REQ-026 | The interface between the Irrigation Controller and the Dosing Pump Array SHALL transmit pump enable commands (per pump: on/off, target volume in mL) via Modbus TCP at 100 Mbit/s, with command round-trip confirmation within 1 second, and SHALL receive cumulative injection counters (per pump, in mL) for watchdog monitoring at 1 Hz. Rationale: Modbus TCP is used (over Modbus RTU) for the Irrigation Controller to Dosing Pump Array interface because the Irrigation Controller already uses Ethernet for Zone Controller Network communication (IFC-REQ-012), and maintaining a single network avoids separate RS-485 field cabling to the pump cabinet. Cumulative injection counters are returned at 1Hz to enable the Irrigation Controller to mirror the watchdog counter state for alarming before the hardwired SIL-2 trip is reached. | Test | interface, nutrient-management-subsystem, session-466, idempotency:ifc-ic-dpa-466 |
| IFC-REQ-027 | The interface between the Irrigation Controller and the Zone Irrigation Valve Array SHALL use 24VAC energise-to-open discrete outputs, one per zone valve, with Irrigation Controller reading reed-switch position feedback (24VDC open-collector, one per valve) within 2 seconds of each commanded state change; any position confirmation timeout SHALL be reported as a stuck-valve fault to the Zone Controller Network. Rationale: 24VAC discrete control is standard for solenoid valve actuation in hydroponic systems, providing galvanic isolation between control and power circuits and compatibility with off-the-shelf irrigation valve hardware. Position feedback integration at the Irrigation Controller (rather than at the Zone Controller Network) localises the stuck-valve detection logic (SUB-REQ-030) to the component responsible for valve commands, enabling sub-30-second detection without polling latency through a higher-level network. | Test | rt-vague-interface, red-team-session-480 |
| IFC-REQ-028 | The interface between the Recirculation Pump System and the Nutrient Reservoir and Mixing System SHALL consist of a DN50 suction connection from the reservoir outlet to the pump inlet, with a float-type dry-run protection switch on the reservoir monitoring fluid level at the pump inlet centerline, transmitting a 24VDC discrete signal to the pump VFD safety input; loss of the signal SHALL inhibit pump start. Rationale: A physical float switch on the reservoir at pump inlet centerline provides faster dry-run detection than an ultrasonic level sensor alarm threshold (SUB-REQ-036 low-level alarm is at 20% capacity, which may still leave fluid above the inlet). The hardwired 24VDC signal to the VFD safety input ensures dry-run inhibit is enforced even if the Irrigation Controller communication is lost, preventing pump damage independent of software. | Inspection | rt-vague-interface, red-team-session-480 |
| IFC-REQ-029 | The interface between the Lighting Control Unit and the LED Driver Module Array SHALL use DALI-2 (IEC 62386 Part 209) at 1200 baud, supporting per-channel dimming commands with 16-bit address and 8-bit level resolution, and SHALL receive driver status responses including fault codes within 22 ms. Rationale: DALI-2 is selected over 0-10V analog for its bidirectional fault reporting capability — essential in a 400kW+ facility where silent driver failure would degrade PAR accuracy without indication. 22ms response time derives from DALI-2 bus timing specification and allows within-scan fault detection at the LCU 100ms control cycle. | Test | interface, horticultural-lighting, session-467, idempotency:ifc-lcu-driverarray-dali-467 |
| IFC-REQ-030 | The interface between the PAR Sensor Array and the Lighting Control Unit SHALL transmit calibrated PPFD measurements in the range 0-2000 µmol/m²/s at a minimum rate of 1 Hz via 4-20 mA analog loop or RS-485 Modbus RTU, with loss-of-signal detection within 3 seconds. Rationale: 1 Hz sampling matches the LCU PAR PID control cycle and provides sufficient response bandwidth for closed-loop regulation. 3-second loss-of-signal detection is required to trigger the degraded-mode fallback (SUB-REQ-046) promptly enough to avoid a control gap exceeding one photoperiod scheduling step. | Test | interface, horticultural-lighting, session-467, idempotency:ifc-par-lcu-measurement-467 |
| IFC-REQ-031 | The interface between the Fixture Thermal Monitoring Array and the Safety Interlock Subsystem SHALL be a normally-closed 24 V DC hardwired signal on the trip bus: signal opens when any fixture heatsink exceeds 85 degrees C, using a dedicated comparator circuit with no programmable components in the trip path. Rationale: SIL 2 classification of the thermal trip function (SUB-REQ-042) requires that no software is in the trip path per IEC 61508 clause 7.4.2.3. Normally-closed configuration ensures that wiring faults (open circuit, short to ground) result in a spurious trip rather than a missed trip, which is the correct safe-fail direction for a fire-prevention function. | Test | interface, horticultural-lighting, sil-2, session-467, idempotency:ifc-thermal-safetyinterlock-hardwired-467 |
| IFC-REQ-032 | The interface between the Temperature Sensor Network and the Zone Climate Controller SHALL transmit 16-bit RTD resistance readings for all zone sensors at 1 Hz via 4-wire PT100 multiplexer bus, with bus fault detection (open-circuit and short-circuit conditions) reported within 1 measurement cycle. Rationale: 1 Hz transmission matches the PID sampling period; 16-bit resolution provides 0.01 degC step size sufficient for ±1.0 degC zone control. Bus fault detection in one cycle (1 s) ensures sensor loss is detected before the next PID iteration could produce a runaway output. | Test | interface, climate-management, session-469, idempotency:ifc-tsn-zcc-469 |
| IFC-REQ-033 | The interface between the Zone Climate Controller and the HVAC Actuator Interface SHALL use Modbus RTU over RS-485 at 19200 baud, with the Zone Climate Controller as master issuing setpoint write registers and reading status registers at 2 Hz, and the HVAC Actuator Interface responding within 100 ms per Modbus specification. Rationale: Modbus RTU at 19200 baud is the established HVAC industry standard for this scale of installation, supported by all candidate VFD and actuator vendors. 2 Hz polling is sufficient to detect actuator faults within the 1 s confirmation latency in SUB-REQ-059 while keeping bus utilisation below 20 percent. | Test | interface, climate-management, session-469, idempotency:ifc-zcc-hvac-actuator-469 |
| IFC-REQ-034 | The interface between the Fresh Air Ventilation Controller and the CO2 Enrichment Subsystem SHALL use Modbus TCP over Ethernet at 100 Mbit/s, exchanging zone CO2 concentration (ppm, 16-bit) and fresh-air fraction setpoint (percent, 8-bit) at 0.5 Hz with a maximum round-trip latency of 200 ms. Rationale: Modbus TCP reuses the existing plant Ethernet network already used by the CO2 subsystem, avoiding a separate serial bus. 0.5 Hz exchange rate is sufficient for fresh-air fraction coordination since the HRV damper actuator response time is 10-20 s. The 200 ms latency bound is 10x less than the HRV actuator response time, ensuring coordination data does not become stale. | Test | interface, climate-management, session-469, idempotency:ifc-favc-co2-469 |
| IFC-REQ-035 | The interface between the Crop Recipe Engine and the environmental subsystems (Climate Management, Lighting, Nutrient, CO2 Enrichment) SHALL use OPC-UA over Ethernet at 1 Gbit/s, with setpoint publish intervals of 60 s during steady-state recipe execution and 5 s during rapid-ramp recipe transitions, with a maximum delivery latency of 500 ms per setpoint write. Rationale: OPC-UA provides a vendor-neutral, standardised SCADA interface supported by all major PLC and controller vendors. 60 s normal publish interval matches the slowest setpoint change rate in any registered crop recipe; 5 s rapid-ramp interval is needed for lighting pre-dawn simulation ramps. 500 ms delivery latency is 10x less than any subsystem's actuator response time. | Test | interface, supervisory-control, session-469, idempotency:ifc-cre-subsystems-469 |
| IFC-REQ-036 | The interface between the Emergency Shutdown Sequencer and the Safety Interlock Subsystem SHALL use a hardwired 24V DC discrete signal bus with dedicated signal lines for each shutdown phase (CO2 valve trip, nutrient pump stop, lighting kill, HVAC purge), with signal propagation latency not exceeding 20 ms end-to-end. Rationale: Hardwired interface is mandatory for safety-critical shutdown paths per IEC 61511. Network-based commands are insufficient for CO2 and thermal hazard mitigation because network failure must not prevent emergency shutdown. 20 ms propagation latency is negligible relative to the 10 s total sequence time budget. | Test | interface, supervisory-control, session-469, idempotency:ifc-ess-safety-interlock-469 |
| IFC-REQ-037 | The interface between the Zone Controller Unit and the Zone Edge Gateway SHALL use OPC-UA over 100Mbps Ethernet with security mode SignAndEncrypt (Basic256Sha256 security policy), transferring zone telemetry and setpoint commands at a publish interval of 100 ms and a maximum message size of 4096 bytes. Rationale: OPC-UA is the standard industrial interoperability protocol for this application; SignAndEncrypt prevents man-in-the-middle attacks on control commands. 100ms publish interval meets the 500ms end-to-end latency budget (SUB-REQ-069). 4096-byte message limit is sized for 24 data nodes (12 parameters × 2 zones per controller) with OPC-UA encoding overhead. | Test | interface, zone-controller-network, session-470, idempotency:ifc-zcn-zcu-gateway-opcua-470 |
| IFC-REQ-038 | The interface between the Zone Controller Unit and Zone I/O Expansion Module SHALL use RS-485 Modbus RTU at 115200 baud, with the ZCU as master polling all connected I/O modules at a cycle time not exceeding 250 ms per scan across up to 4 modules on a single RS-485 segment. Rationale: RS-485 Modbus RTU provides electrically isolated, deterministic field bus communications suitable for the wet, chemical-laden growing zone environment. 115200 baud and 250ms scan time ensures analog samples reach the ZCU PID loop within the 10 Hz control cycle. Supporting up to 4 modules per segment covers the maximum I/O count for a single zone without additional repeaters. | Test | interface, zone-controller-network, session-470, idempotency:ifc-zcn-zcu-iom-rs485-470 |
| IFC-REQ-039 | The interface between the Industrial Ethernet Switch and all connected OT devices SHALL enforce IEEE 802.1Q VLAN segmentation such that zone-controller operational traffic (VLAN 100) is physically isolated at Layer 2 from safety-interlock traffic (VLAN 200), with zero cross-VLAN unicast forwarding permitted without explicit inter-VLAN routing policy. Rationale: SYS-REQ-015 requires SIL-3 independence for safety-critical functions; VLAN segregation at the switch layer prevents broadcast storms or misconfigured zone controller software from disrupting the Safety Interlock Subsystem network. Inspection verification via switch configuration audit is more reliable than runtime test for negative-traffic requirements. | Inspection | interface, zone-controller-network, session-470, idempotency:ifc-zcn-switch-vlan-470 |
| IFC-REQ-040 | The interface between the Zone Edge Gateway and the Time-Series Database Engine SHALL use MQTT over TLS 1.2 (topic: farm/<zone-id>/<parameter>/raw, QoS level 1) for real-time sensor data ingestion at 1Hz per channel, with the TSDB MQTT broker acknowledging each message within 500 ms and persisting data within 2 seconds of receipt. Rationale: MQTT QoS 1 guarantees at-least-once delivery without the head-of-line blocking that QoS 2 introduces, which is appropriate for sensor telemetry where duplicate samples are preferable to data gaps. TLS 1.2 protects OT network data from eavesdropping. The 2-second persistence deadline ensures data is written to durable storage before any TSDB process failure could cause loss. | Test | interface, data-acquisition, session-470, idempotency:ifc-dac-gateway-tsdb-mqtt-470 |
| IFC-REQ-041 | The interface between the Supervisory Control Subsystem and the Crop Recipe Database SHALL use a REST API over HTTPS (TLS 1.2, mutual authentication with X.509 client certificates), with recipe read operations responding within 500 ms and recipe write operations (create/update) completing within 2 seconds under a load of 10 concurrent requests. Rationale: The Supervisory HMI must load and switch crop recipes during active growth operations; the 500ms read latency ensures operator-initiated recipe activation does not disrupt crop monitoring workflows. Mutual TLS authentication prevents unauthorised recipe modification from misconfigured HMI client software. | Test | interface, data-acquisition, session-470, idempotency:ifc-dac-supervisory-recipedb-470 |
| IFC-REQ-042 | The interface between the OpenADR Virtual End Node and the Supervisory Control Subsystem SHALL use an internal message queue (AMQP or equivalent) with message routing key 'dr.event.curtailment', carrying structured curtailment payloads (JSON: event_id, start_time, duration_s, load_reduction_kw, affected_zones[]) with end-to-end delivery latency not exceeding 5 seconds. Rationale: Internal message queue decouples the OpenADR VEN (utility-protocol-facing) from the Supervisory (farm-protocol-facing), allowing each to evolve independently and preventing a utility communication fault from blocking supervisory operations. 5s delivery is derived from the 30s acknowledgement window minus 25s buffer for Supervisory pre-conditioning. | Test | rt-vague-interface, red-team-session-480 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | ARC: Safety Interlock Subsystem — Implemented as hardware-independent relay/safety-PLC chain, not as software functions within the supervisory controller. Alternatives considered: (1) software-only interlocks in supervisory controller — rejected because SIL 3 requires hardware independence per IEC 61508 clause 7.4.2.2 and H-007 cyber compromise scenario makes software-only unacceptable; (2) safety PLC with software-only voting — rejected because dual-NDIR sensor voting at hardware level provides better diagnostic coverage. Constraint: IEC 62443 defence-in-depth and IEC 61508 SIL 3 architectural constraints require physically separate safety channel. Rationale: H-001 (CO2 asphyxiation, SIL 3) and H-007 (cyber compromise) together mandate that the safety function cannot share hardware or software with the operational controller. The 150-year MTTFd target drives the choice of proven relay technology over complex programmable safety systems. | Analysis | architecture, safety-interlock, session-462, idempotency:arc-safety-interlock-462 |
| ARC-REQ-002 | ARC: Zone Controller Network — Distributed architecture with one dedicated controller per zone rather than centralised I/O. Each zone controller executes local PID loops and stores crop recipes for autonomous operation. Alternatives considered: (1) centralised controller with remote I/O racks — rejected because single point of failure would lose all zones simultaneously, and 72-hour network resilience requirement demands local recipe storage; (2) redundant centralised pair — rejected because cost exceeds distributed approach for 8 zones while providing worse zone isolation during faults. Rationale: The HVAC Failure and network resilience scenarios demonstrate that zone independence is critical — a fault in one zone must not cascade to others. Distributed architecture provides natural fault isolation boundaries aligned with the physical growing zone boundaries. | Analysis | architecture, zone-controller, session-462, idempotency:arc-zone-controllers-462 |
| ARC-REQ-003 | ARC: CO2 Enrichment Subsystem — Separated from Climate Management despite both controlling atmospheric composition. CO2 enrichment has a distinct safety boundary (SIL 3), distinct supply chain (bulk liquid CO2 from external supplier), fail-closed solenoid valve architecture, and distinct regulatory certification path. Grouping with HVAC would dilute the safety boundary and complicate SIL allocation. The interface between CO2 enrichment and climate (ventilation coordination) is managed through the zone controller. Rationale: H-001 drives SIL 3 allocation on CO2 functions. Mixing SIL 3 and non-safety-rated HVAC functions in one subsystem would force the entire climate subsystem to SIL 3, increasing cost and certification effort with no safety benefit. Clean subsystem boundaries enable independent safety certification. | Inspection | architecture, co2-enrichment, session-462, idempotency:arc-co2-separation-462 |
| ARC-REQ-004 | ARC: Supervisory Control Subsystem — Energy optimisation function grouped with supervisory control rather than as a separate subsystem. Energy decisions (demand response, load curtailment, photoperiod scheduling) require crop priority context, facility-wide load visibility, and inter-zone coordination that only the supervisory controller possesses. A separate energy subsystem would duplicate the facility-wide state model. The OpenADR 2.0 interface is a protocol adapter within the supervisory platform. Rationale: Energy optimisation is decision-layer logic that coordinates across zones using the same data model as recipe management and mode transitions. Separating it would create a tight coupling between two subsystems sharing the same state, which is worse than consolidation. | Analysis | architecture, supervisory, energy, session-462, idempotency:arc-supervisory-energy-462 |
| ARC-REQ-005 | ARC: Data Acquisition and Compliance Subsystem — Separated from supervisory control despite data flowing through the same network. Compliance data requires cryptographic integrity chains, tamper-evident storage, and regulatory retention policies (2-year BRCGS) that impose different design constraints from operational data. A combined system would risk compliance requirements inflating the complexity of the real-time control path, or operational priorities compromising audit trail integrity. Rationale: Food Safety Auditor stakeholder requires independently verifiable records. If the operational controller can modify historical records, the audit trail is not tamper-evident. Physical and logical separation of the compliance data path from the control path provides defence-in-depth for data integrity. | Inspection | architecture, compliance, session-462, idempotency:arc-data-compliance-462 |
| ARC-REQ-006 | ARC: Nutrient Management Subsystem — Separated dosing control (Dosing Pump Array + EC/pH Sensor Array) from fluid distribution (Irrigation Controller + Zone Irrigation Valve Array + Recirculation Pump System) to isolate the SIL-2 chemical dosing chain from the lower-risk irrigation timing functions. Dosing-excess watchdog is implemented as a hardwired cumulative counter in the Dosing Pump Array drive firmware rather than as a software function in the Irrigation Controller, consistent with ARC-REQ-001 (safety-critical functions must not rely on software alone). Bulk chemical storage (Nutrient Reservoir and Mixing System) is passive and requires no safety integrity — its concentrate tanks are physical inventory only. The Recirculation Pump System uses a duty/standby configuration rather than a single high-capacity pump to eliminate single-point failure of nutrient delivery, recognising that pump failure for >15 minutes causes crop stress across all zones. Rationale: IEC 61508 SIL-2 allocation on the dosing chain (SYS-REQ-006, SYS-REQ-007) requires architectural separation between the safety-relevant dosing watchdog hardware and the non-safety irrigation scheduler. Mixing these in a single controller would require the entire irrigation controller to be SIL-2 qualified, disproportionate to the risk of timing functions alone. | Inspection | architecture, nutrient-management-subsystem, session-466, idempotency:arc-nutrient-management-subsystem-466 |
| ARC-REQ-007 | ARC: Horticultural Lighting Subsystem — Four-component architecture separating control intelligence (Lighting Control Unit) from power conversion (LED Driver Module Array), photon delivery (LED Fixture Array), and feedback sensing (PAR Sensor Array + Fixture Thermal Monitoring Array). Thermal protection is split: software thermal derating via LCU for gradual ramp-down above 75°C, and a hardwired comparator circuit in the Fixture Thermal Monitoring Array for SIL-2 hard trip at 85°C independent of any software path. This split avoids routing safety-critical shutdown through the control software, ensuring the thermal trip meets IEC 61508 SIL 2 without requiring the full LCU to be SIL-certified. DALI-2 chosen over 0-10V for dimming because it supports per-fixture status feedback, individual addressing, and fault reporting — essential for 400kW+ arrays where undetected driver failure would degrade PAR accuracy without indication. Rationale: Documents the architectural trade-off that separates thermal protection into two independent paths: LCU software for graceful derating and hardwired comparator for safety trip. This ensures SIL 2 compliance for the thermal interlock without raising the SIL requirement of the entire software control stack. The DALI-2 selection over 0-10V is justified by operational observability requirements in a large facility. | Inspection | architecture, horticultural-lighting, session-467, idempotency:arc-horticultural-lighting-467 |
| ARC-REQ-008 | ARC: Climate Management Subsystem — Five-component decomposition separating sensing, control logic, actuation, and ventilation. Zone Climate Controller issues setpoints via Modbus RTU to the HVAC Actuator Interface rather than directly commanding hardware: this isolates the PID control algorithm from HVAC variant differences (DX vs chilled water vs VRF) and allows controller replacement without rewiring. Temperature Sensor Network and Relative Humidity Sensor Array are kept as separate components because their calibration cycles, failure modes, and Safety Interlock connections differ. Fresh Air Ventilation Controller is decoupled from the main HVAC loop because it coordinates with CO2 Enrichment Subsystem and must remain operable when the compressor circuit is tripped. Rationale: Separation of Zone Climate Controller from HVAC Actuator Interface enables swapping HVAC plant type without controller modification. Separate Temperature Sensor Network and RH Sensor Array components reflect different IEC 61511 proof-test intervals and independent safety trip channels to Safety Interlock Subsystem. Fresh Air Ventilation Controller decoupled from main HVAC loop allows it to continue operating when the compressor circuit is tripped. | Inspection | architecture, climate-management, session-469, idempotency:arc-climate-management-469 |
| ARC-REQ-009 | ARC: Supervisory Control Subsystem — Five-component decomposition separating server infrastructure, recipe execution, operator interaction, demand response, and emergency sequencing. The Crop Recipe Engine is a separate component from the Plant Management Server because recipes must continue executing during server maintenance windows via a hot-standby recipe executor. The Emergency Shutdown Sequencer is isolated from the main supervisory bus with its own hardwired interface to the Safety Interlock Subsystem, ensuring shutdown can complete even if the network bus fails. The Demand Response Handler is decoupled from the Crop Recipe Engine to allow load-shed commands to override recipe setpoints without modifying the recipe state machine. Rationale: Separation of Emergency Shutdown Sequencer preserves shutdown capability during network failures. Crop Recipe Engine decoupled from Plant Management Server allows recipe execution to survive server updates. DR Handler separation prevents demand-response events from corrupting crop recipe state. | Inspection | architecture, supervisory-control, session-469, idempotency:arc-supervisory-control-469 |
| ARC-REQ-010 | ARC: Zone Controller Network — distributed embedded controllers with OPC-UA aggregation gateway. Zone Controller Units are selected as standalone embedded Linux nodes (not PLCs) to enable recipe-driven Python control loops without proprietary programming environments; the Edge Gateway pattern decouples the OPC-UA server from per-zone hardware, allowing supervisory software upgrades without touching field devices. Industrial Ethernet with VLAN segregation was chosen over a dedicated fieldbus (PROFIBUS, CANopen) to leverage standard IT network management tooling and support future bandwidth growth for video-based crop monitoring. Rationale: Architecture decision for Zone Controller Network subsystem: embedded Linux ZCU nodes selected over PLCs for recipe-driven Python control; Edge Gateway decouples OPC-UA server from field hardware; industrial Ethernet with VLAN segregation preferred over fieldbus for standard IT tooling and future bandwidth growth. | Analysis | architecture, zone-controller-network, session-470, idempotency:arc-zone-controller-network-470 |
| ARC-REQ-011 | ARC: Data Acquisition and Compliance Subsystem — TSDB-centred data store with separate recipe database and automated report generation. A time-series database (InfluxDB) was selected over a relational database for environmental telemetry because sensor data ingestion at 1Hz per channel per zone produces high-cardinality sequential writes that relational engines handle poorly at 10-year retention scale. The recipe and compliance subsystems use a relational database (PostgreSQL) because their data is structured, low-volume, and requires referential integrity for audit chains. The OpenADR VEN is deployed as a co-located service to share the TSDB's energy telemetry without requiring a separate data bus. Rationale: Architecture decision for Data Acquisition and Compliance Subsystem: InfluxDB selected for high-cardinality sequential sensor writes; PostgreSQL for recipe and compliance data requiring referential integrity; OpenADR VEN co-located with TSDB to share energy telemetry without additional data bus. | Analysis | architecture, data-acquisition, session-470, idempotency:arc-data-acquisition-470 |
flowchart TB n0["component<br>Zone Climate Controller"] n1["component<br>Temperature Sensor Network"] n2["component<br>Relative Humidity Sensor Array"] n3["component<br>HVAC Actuator Interface"] n4["component<br>Fresh Air Ventilation Controller"]
Climate Management Subsystem — Internal
flowchart TB n0["component<br>Lighting Control Unit"] n1["component<br>LED Driver Module Array"] n2["component<br>LED Fixture Array"] n3["component<br>PAR Sensor Array"] n4["component<br>Fixture Thermal Monitoring Array"] n0 -->|DALI-2 dimming commands| n1 n1 -->|constant current 48VDC| n2 n3 -->|PPFD feedback 1Hz| n0 n4 -->|heatsink temperature| n0
Horticultural Lighting Subsystem — Internal
flowchart TB n0["component<br>EC/pH Sensor Array"] n1["component<br>Dosing Pump Array"] n2["component<br>Nutrient Reservoir and Mixing System"] n3["component<br>Irrigation Controller"] n4["component<br>Zone Irrigation Valve Array"] n5["component<br>Recirculation Pump System"] n0 -->|EC/pH measurement 0.1Hz| n1 n1 -->|nutrient/acid/base dosing| n2 n2 -->|bulk solution supply| n5 n5 -->|flow rate feedback| n3 n3 -->|24VAC valve commands| n4
Nutrient Management Subsystem — Internal
flowchart TB n0["subsystem<br>CO2 Enrichment Subsystem"] n1["component<br>CO2 Injection Controller"] n2["component<br>Zone NDIR CO2 Sensor Array"] n3["component<br>Zone Solenoid Valve Array"] n4["component<br>CO2 Distribution Manifold"] n1 -->|CO2 ppm feedback| n2 n1 -->|valve open/close cmd| n3 n4 -->|CO2 vapour| n3 n0 --> n1
CO2 Enrichment Subsystem — Internal
flowchart TB n0["component<br>CO2 Safety Sensor Array"] n1["component<br>Safety PLC"] n2["component<br>Voted Logic Engine"] n3["component<br>Hardwired Trip Bus"] n4["component<br>Lockout Tagout Controller"] n0 -->|4-20mA CO2 ppm| n1 n1 -->|sensor data| n2 n2 -->|trip signal| n1 n1 -->|relay cmd 24VDC| n3 n4 -->|LOTO inhibit| n1
Safety Interlock Subsystem — Internal
flowchart TB n0["component<br>Plant Management Server"] n1["component<br>Crop Recipe Engine"] n2["component<br>Operator Interface Terminal"] n3["component<br>Demand Response Handler"] n4["component<br>Emergency Shutdown Sequencer"]
Supervisory Control Subsystem — Internal
flowchart TB n0["component<br>Time-Series Database Engine"] n1["component<br>OpenADR Virtual End Node"] n2["component<br>Crop Recipe Database"] n3["component<br>Compliance Report Generator"] n0 -->|time-series query| n3 n3 -->|recipe context| n2
Data Acquisition and Compliance Subsystem — Internal
flowchart TB n0["component<br>Zone Controller Unit"] n1["component<br>Industrial Ethernet Switch"] n2["component<br>Zone I/O Expansion Module"] n3["component<br>Zone Edge Gateway"] n2 -->|RS-485 Modbus RTU| n0 n0 -->|OPC-UA / 100Mbps Ethernet| n1 n1 -->|VLAN 100 Ethernet| n3
Zone Controller Network — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Building Management System | 51F77B58 | |
| Chemical exposure hazard from nutrient solution in vertical farm | 42000011 | Hazard in Vertical Farm Environment Controller during Maintenance or Harvest: pH adjustment chemicals (phosphoric acid, potassium hydroxide) are concentrated stock solutions (pH <1 or >13). Dosing pump failure causes over-concentration in nutrient tank. Worker skin/eye contact during tank maintenance or splashing from pressurised line failure. Additionally, peracetic acid used in sanitisation cycles is a strong oxidiser. Consequence: chemical burns, eye damage, respiratory irritation. |
| Climate Management Subsystem | 55F77208 | HVAC control subsystem of vertical farm environment controller. Manages compressors, condenser units, air handling units with variable-speed fans, motorised dampers, and dehumidification coils across 8 growing zones on 5 floors. Closed-loop PID control at zone level. Key interfaces: zone temperature/humidity sensors (field bus inputs), compressor contactors and VSD commands (outputs), safety interlock subsystem (trip signals), supervisory controller (setpoint commands). Operating envelope: cooling capacity 50kW per zone, 18-28°C control range, 60-85% RH. |
| Climate Regulation Function | 51F73A00 | System function of Vertical Farm Environment Controller: Closed-loop control of temperature and humidity across multiple independent growing zones. Inputs: zone temperature sensors (±0.1°C NTC), humidity sensors (±2% RH capacitive), HVAC compressor status, damper positions. Outputs: HVAC compressor commands, fan speed setpoints, damper position commands, dehumidifier enable. Constraints: ±1°C temperature tolerance, ±5% RH tolerance, 120-second response to 2°C step disturbance, must compensate adjacent zones when one HVAC unit fails. |
| Cloud Monitoring and Analytics Platform | 40E57319 | External cloud platform providing remote access dashboards, historical analytics, alerting/notification services (SMS, email, push), and machine learning crop growth prediction models. Controller pushes telemetry data (sensor readings, actuator states, alarms) at 1-minute intervals. Cloud platform provides trend analysis, yield predictions, and anomaly detection. Encrypted MQTT or HTTPS. Owned by controller vendor or farm operator's IT team. |
| CO2 asphyxiation hazard in vertical farm | 02010211 | Hazard in Vertical Farm Environment Controller during Normal Operation or Degraded Operation: CO2 enrichment system fails to shut off or valve sticks open, causing CO2 concentration to exceed 40,000ppm (4%) in enclosed growing zone. Workers entering the zone without warning could suffer rapid loss of consciousness and death within minutes. Vertical farms are enclosed spaces with limited natural ventilation, making CO2 accumulation rapid. Consequence: worker fatality or serious injury from oxygen displacement. |
| CO2 Bulk Supply and Delivery System | 56B53018 | External CO2 supply infrastructure: bulk liquid CO2 tank with vaporiser, pressure regulator, and distribution manifold supplying CO2 enrichment to growing zones. Controller interfaces with tank level sensor (4-20mA), supply pressure transducer, and controls zone solenoid valves. CO2 supplier (e.g., BOC, Air Liquide) owns the bulk tank and manages refill logistics. Controller provides consumption data for automatic reorder. Safety-critical interface: regulator failure causes H-001 hazard. |
| CO2 Distribution Manifold | CE851018 | High-pressure CO2 distribution header receiving CO2 vapour from bulk vaporiser at 5-10 bar, stepping down to 1.5 bar zone injection pressure via pressure-reducing valve (PRV). SS316 manifold with individual zone outlet headers, manual isolation valves per zone, inline pressure gauge, and pressure relief valve set at 2.5 bar. ATEX-rated fittings. Provides the physical distribution network connecting bulk CO2 supply interface to each zone solenoid valve. Monitoring inputs: manifold inlet pressure (4-20mA) and temperature to CO2 Injection Controller. |
| CO2 Enrichment Function | 51F73A18 | System function of Vertical Farm Environment Controller: Controls CO2 injection from bulk liquid CO2 supply to maintain enrichment setpoints during photoperiod. Inputs: zone NDIR CO2 sensors (0-5000ppm), bulk tank pressure and level, photoperiod status. Outputs: zone CO2 solenoid valve commands (proportional), tank reorder signals. Constraints: ±50ppm setpoint accuracy, 3000ppm software ceiling, fail-closed solenoid valves. Safety-critical: feeds into H-001 CO2 asphyxiation hazard with SIL 3 hardware interlock as independent backup. |
| CO2 Enrichment Subsystem | 54F53019 | CO2 injection subsystem for vertical farm. Manages bulk liquid CO2 supply (external tank with pressure regulator), distribution manifold, per-zone proportional solenoid valves (fail-closed, de-energise to close), NDIR CO2 sensors per zone. Safety-critical: SIL 3 boundary — CO2 valve failure drives H-001 asphyxiation hazard. Interfaces: zone CO2 sensors (field bus), solenoid valve commands, bulk tank level/pressure (4-20mA from external supply system), safety interlock subsystem (hardwired CO2 trip at 5000ppm), supervisory controller (enrichment setpoints, photoperiod sync). |
| co2 injection controller | D6A51018 | Physical controller unit for CO2 injection in vertical farm growing zones. Housed in glass-reinforced polyester (GRP) enclosure rated IEC 60529 IP65, mounted external to growing zone. Contains solenoid valve drivers, analogue 4-20 mA I/O for pressure and flow sensors, and RS-485 Modbus RTU communications. Incorporates manual isolation valve interface and solenoid position indicators for LOTO maintenance. Physical hardware in plant-room equipment corridors. |
| CO2 Injection Controller | D5A57018 | Physical GRP-enclosure-mounted PLC controller for CO2 injection in a vertical farm. Mounted outside growing zones in equipment corridors. Physical unit with 4-20mA analogue I/O for pressure and temperature sensors, digital outputs to zone solenoid valves, and RS-485 Modbus RTU communications. IP54-rated enclosure, operating range 0-50°C. Manages CO2 concentration PID control per zone with safety interlock hardwiring. |
| CO2 Leak Emergency scenario | 14F57A51 | Emergency scenario: At 02:00, night shift operator is remotely monitoring from control room on ground floor. CO2 bulk tank regulator fails, causing uncontrolled high-pressure CO2 release into Zone 2 supply manifold. Zone 2 CO2 sensor reads 8000ppm and rising rapidly. Controller triggers emergency shutdown: CO2 supply solenoid valve closes (fails-closed design), emergency ventilation fans activate at maximum rate, zone entry doors lock with illuminated warning signs, audible alarm sounds throughout facility. Independent hardwired CO2 safety interlock also triggers at 5000ppm threshold as backup. Night operator receives critical alarm on phone, calls emergency coordinator. Building remains in emergency mode until CO2 drops below 1000ppm in all zones (approximately 45 minutes with full ventilation). Two-person reset required. |
| CO2 Safety Sensor Array | D4C55058 | Redundant SIL 3-certified electrochemical or NDIR CO2 sensors (minimum 2oo3 voting configuration), independent from the process CO2 sensors used for dosing control. Continuously monitors each zone at 1Hz sample rate, 4–20mA output per sensor to Safety PLC analog inputs. Range 0–10,000 ppm, accuracy ±50 ppm. Calibration checked quarterly. Provides the independent measurement mandated by SYS-REQ-004 for the CO2 emergency interlock. |
| Compliance Report Generator | 51E67B58 | Automated report generation service that queries the Time-Series Database for environmental parameter data and generates compliance documentation including: temperature excursion reports (GMP/GFSI), CO2 exposure records, sanitisation cycle verification records (SYS-REQ-016), and regulatory audit trails. Outputs PDF/CSV reports with cryptographic hash signatures for tamper evidence. Scheduled daily and triggered on-demand. Interfaces with TSDB query API and exports to shared network drive and email distribution list. |
| Controls System Integrator for vertical farm | 40A53A18 | Engineering firm that commissions, configures, and maintains the environment control system. Designs control strategies, PID tuning, alarm setpoints, communication network architecture. Responsible for system updates, firmware management, and integration with third-party equipment. Needs engineering-level access to controller configuration, network diagnostics, and system logs. Visits site for commissioning and major system changes. |
| Crop Changeover and System Sanitisation scenario | 51B77A18 | Maintenance scenario: Zone 1 butter lettuce crop reaches harvest maturity at day 35. Facility manager schedules harvest for Tuesday 06:00-14:00. Controller begins pre-harvest sequence Monday evening: reduces photoperiod, lowers nutrient EC to flush residual salts, drops temperature to 16°C to firm leaves. Tuesday morning: harvest crew enters Zone 1, controller switches to worker-comfort mode (22°C, lights at 50% white, CO2 enrichment disabled for worker safety). After harvest, maintenance team runs sanitisation: controller activates peracetic acid flush through irrigation lines (30-minute contact time), then rinses. Growing medium is replaced. Controller loads new crop recipe (baby spinach, 28-day cycle), reconfigures photoperiod from 18/6 to 14/10, adjusts nutrient formulation. Zone startup sequence runs: sensor check, actuator test, germination parameters activated. |
| Crop Planning and ERP Software | 50BD7B08 | External cloud-based or on-premise software system that manages crop production scheduling, inventory, customer orders, and financial tracking for the vertical farm. Sends crop recipes and zone assignments to the environment controller. Receives actual environmental data, growth metrics, and harvest dates from the controller. API-based integration (REST/JSON). Owned by farm operating company. |
| Crop Recipe Database | 40853B08 | PostgreSQL relational database storing crop cultivation recipes for vertical farm operations. Each recipe contains setpoints for all controlled parameters (temperature, humidity, CO2, PAR daily integral, irrigation schedule, pH, EC) across all crop growth stages, plus associated alarm thresholds and sanitisation protocols. Implements versioned schema with immutable audit trail — recipes are never deleted, only superseded. Stores minimum 200 recipes as required by SYS-REQ-020. Backed up daily to off-site storage. REST API interface for recipe CRUD operations by the Supervisory HMI. |
| Crop Recipe Engine | 51B57B08 | Software module executing parameterised crop growth recipes that schedule time-varying setpoint profiles for temperature, humidity, CO2, light intensity, and nutrient EC/pH over the full crop cycle (7-120 days depending on crop). Recipes stored in JSON schema, version-controlled, and validated against crop constraint tables before activation. Interfaces with all five environmental subsystems via the supervisory messaging bus. Supports manual override and recipe hold modes. |
| Cross-contamination hazard in vertical farm environment | 00040219 | Hazard in Vertical Farm Environment Controller during Normal Operation: airflow control failure allows pathogen-laden air (Botrytis, Pythium, powdery mildew) to spread between zones via shared HVAC ductwork. Alternatively, nutrient solution recirculation without adequate UV sterilisation or filtration spreads root-zone pathogens (Fusarium, Phytophthora) across zones sharing a common nutrient reservoir. Consequence: multi-zone crop loss (potentially entire facility), food safety risk if pathogens affect edible portions. |
| Cybersecurity hazard in vertical farm control system | 40040319 | Hazard in Vertical Farm Environment Controller during Normal Operation: network-connected controller is compromised via remote access interface, BMS integration, or supply chain attack on firmware update. Attacker modifies environmental setpoints to destroy crops (e.g., sets CO2 to lethal levels, disables cooling, overdoses nutrients) or uses system as pivot point for wider network attack. Connected to building network and potentially cloud services. Consequence: crop destruction, worker safety risk from modified CO2 levels, business disruption, data theft. |
| Daily Growing Cycle Management scenario | 50FF7208 | Normal operations scenario: A grower technician arrives at 06:00 for the day shift at a 5-floor, 8-zone vertical farm growing leafy greens and herbs. The controller has been running overnight in dark-period mode (lights off, temperature lowered to 18°C, CO2 at ambient). At 06:00 the photoperiod timer triggers: lights ramp up zone-by-zone over 15 minutes to avoid power surge, temperature setpoints increase to 24°C, CO2 enrichment activates to 1200ppm. The technician checks the dashboard — all zones green, nutrient EC readings stable at 1.8 mS/cm. Zone 3 (basil, day 22) shows slightly elevated humidity at 82% — the controller has already increased airflow fan speed by 15%. The technician reviews growth analytics and adjusts Zone 5 (lettuce, day 8) lighting intensity from 350 to 400 µmol/m²/s based on observed growth rate. |
| Data Acquisition and Compliance Subsystem | 50A57B58 | Environmental data logging and regulatory compliance subsystem for vertical farm. Captures 1-minute-resolution data from all zone sensors (temperature, humidity, CO2, PAR, pH, EC, flow rates) with UTC timestamps and cryptographic hash chains for tamper evidence. Generates HACCP deviation reports, BRCGS/SQF audit packages. Local storage: 90 days full resolution on redundant SSDs. Cloud sync: 2-year retention via MQTT/TLS. Interfaces: all zone controllers (data bus), supervisory controller (report requests), cloud platform (MQTT), auditor access terminal (read-only web interface). |
| Degraded Operation mode of Vertical Farm Environment Controller | 51F67A08 | One or more sensors or actuators have failed but the system continues operating with reduced capability. Examples: a zone's CO2 sensor fails — controller holds last-known-good setpoint and alerts operator; an HVAC unit trips — remaining units increase capacity for affected zones; LED driver fails — adjacent fixtures increase intensity to partially compensate. Controller switches affected zones to conservative setpoints (wider deadbands, reduced CO2 enrichment) to avoid crop damage. Operator is notified with specific fault codes and estimated crop impact. Automatic recovery attempted on intermittent faults with exponential backoff. Entry: sensor/actuator fault detected. Exit: fault cleared and sensor recalibrated, or operator escalates to maintenance mode. |
| Demand Response Handler | 51F77B59 | OpenADR 2.0b VEN (Virtual End Node) client that receives demand-response signals from the utility ADR server, calculates maximum allowable load reduction preserving crop safety constraints, and issues load-shed commands to lighting and HVAC subsystems. Maintains a priority table of sheddable loads per zone with minimum crop-safe operating parameters. Logs all DR events and compliance data for utility settlement. |
| Dosing Pump Array | D7F73218 | Array of six peristaltic dosing pumps for nutrient solution management in a hydroponic vertical farm: Nutrient A concentrate, Nutrient B concentrate, pH-down (phosphoric acid), pH-up (potassium hydroxide), supplemental calcium, supplemental magnesium. Each pump is 4–500 mL/min with ±1% stroke volume accuracy and revolution encoder for cumulative injection counting. Implements dosing-excess watchdog: asserts hardwired 24VDC fault contact to Safety PLC when cumulative acid/base volume exceeds 5% of tank volume in any 10-minute window. SIL-2 relevant component. |
| EC/pH Sensor Array | D5F57008 | Inline electrochemical measurement assembly installed in each zone's recirculation return line in a vertical farm. Dual-probe assembly: 4-electrode conductivity cell (EC range 0.1–10 mS/cm, ±0.1 mS/cm accuracy) and glass/ISFET pH electrode (pH 3–9, ±0.05 accuracy). Temperature-compensated to 20°C reference via PT1000. Provides continuous 0.1Hz closed-loop feedback to Dosing Pump Array for pH/EC correction. Output: 4–20mA analogue and Modbus RTU RS-485. |
| Electrical shock hazard from water proximity in vertical farm | 10000011 | Hazard in Vertical Farm Environment Controller during Normal Operation or Maintenance: nutrient solution leaks or irrigation system failure causes water accumulation near electrical panels, LED drivers, or pump motor connections. High-humidity environment (60-85% RH) accelerates insulation degradation. Workers contacting energised wet surfaces risk electrocution. 400V three-phase supply to HVAC and pump systems. Consequence: worker electrocution or serious electrical burns. |
| Emergency Shutdown mode of Vertical Farm Environment Controller | 55F77A51 | Safety-critical mode triggered by hazardous conditions: CO2 concentration exceeds 5000ppm (OSHA IDLH threshold) in any occupied area, water leak detected near electrical panels, fire/smoke alarm activation, or manual emergency stop pressed. Controller immediately: closes CO2 injection valves, activates emergency ventilation fans to maximum, de-energises non-essential electrical loads (lighting, nutrient pumps), opens emergency dampers, triggers audible/visual alarms. Maintains only emergency lighting and ventilation. Worker safety takes absolute priority over crop preservation. Entry: safety interlock trigger or E-stop. Exit: operator reset after hazard investigation and clearance — requires physical key switch and software acknowledgement (two-person rule). |
| emergency shutdown sequencer | D7E73019 | |
| Energy Management System and Smart Grid Interface | 40B57B59 | External system providing real-time energy pricing signals, demand-response requests, and renewable energy availability data to the vertical farm controller. Controller uses this data to optimise scheduling of energy-intensive operations (lighting start times, HVAC pre-cooling). May include on-site solar/battery storage management. Protocol: OpenADR 2.0 for demand response, Modbus TCP for local energy metering. Owned by energy utility and/or third-party energy aggregator. |
| Energy Optimisation Function | 41F77B18 | Load management and demand response function for 500kW-2MW vertical farm facility. Inputs: OpenADR 2.0 signals, time-of-use tariff data, zone energy consumption, crop priority schedules. Outputs: load curtailment commands, lighting dim profiles, HVAC setpoint relaxation commands, 15-minute load forecasts. Responds to DR events within 5 minutes, targets 30% load reduction. |
| Energy Utility and Grid Operator | 00B57ADD | Electricity provider and grid operator serving the vertical farm facility. Vertical farms are significant electricity consumers (500kW-2MW for a commercial facility) with potential for demand response participation. Grid operator imposes peak demand charges, time-of-use tariffs, and may request load shedding during grid stress events. Controller must coordinate energy-intensive operations (lighting, HVAC) to minimise peak demand and potentially participate in demand-response programmes. |
| enrichment subsystem | D6F71018 | Physical CO2 enrichment system for vertical farm growing zones. Housed in a ventilated wall-mounted IEC 60529 IP54-rated steel enclosure located within 2 m of the CO2 supply manifold. Contains CO2 injection controller hardware, solenoid valve driver circuits, zone valve manifold, and 24 VDC power supply. Physical components include CO2 supply cylinder, pressure regulator, distribution manifold, zone solenoid valves, and CO2 concentration sensors. |
| Environmental Data Logging Function | 40A73358 | Continuous data acquisition and compliance recording for vertical farm. Captures 1-minute-resolution environmental data (temperature, humidity, CO2, PAR, pH, EC, flow rates) across all zones with UTC timestamps and cryptographic integrity. Generates HACCP deviation reports and audit trails for BRCGS/SQF certification. 90-day local, 2-year cloud retention. |
| Fixture Thermal Monitoring Array | D4D57A18 | NTC thermistor or PT100 RTD temperature sensors integrated into each LED fixture heatsink in a vertical farm horticultural lighting system. One sensor per fixture, read via multiplexed analog input to the Lighting Control Unit. Measurement range 0-120°C, accuracy ±1°C at 85°C threshold. Sampled at 1Hz minimum. Provides two outputs: (1) analog temperature value to LCU for gradual thermal derating ramp when T > 75°C; (2) hardwired 24V DC digital output to Safety Interlock Subsystem hardwired trip bus when any fixture exceeds 85°C. The hardwired interlock output is independent of LCU processing — it is a direct comparator circuit with no software in the path, supporting SIL 2 classification. |
| Flooding hazard from irrigation system failure in vertical farm | 40040209 | Hazard in Vertical Farm Environment Controller during Normal Operation: irrigation valve fails open or nutrient tank overflow sensor fails, causing uncontrolled water release across growing levels. Multi-storey structure means water cascades to lower floors. Water weight on growing racks exceeds structural capacity (>50 litres per rack). Electrical equipment on lower floors exposed. Consequence: structural damage to growing racks, electrical short circuits on lower floors, crop loss, slip hazard for workers. |
| Food Safety Auditor for vertical farm | 00842AF8 | External auditor from certification body (e.g., BRCGS, SQF, FSSC 22000) who inspects facility compliance with food safety standards. Requires access to environmental data logs, HACCP records, cleaning/sanitisation records, pest monitoring data. Audits occur 1-2 times per year. Needs evidence that environmental conditions were maintained within specification throughout crop growth cycles. Controller must provide tamper-evident audit trails. |
| Fresh Air Ventilation Controller | 51B77A08 | Controls the fresh air intake damper and heat recovery ventilator (HRV) to manage zone O2 replenishment and controlled dilution of accumulated ethylene gas from ripening crops. Modulates fresh air fraction (5–30% of supply volume) based on CO2 set point deviation and ethylene sensor input, using Modbus TCP to communicate with CO2 Enrichment Subsystem for coordinated CO2/fresh-air balance. Operates independently of main HVAC compressor. |
| Grower Technician | 008502A8 | Primary daily operator of vertical farm environment controller. Responsible for monitoring crop health, adjusting growth recipes, responding to environmental alarms, performing daily inspections across all growing zones. Horticultural expertise with basic technical skills. Interacts with controller HMI touchscreen and mobile dashboard 8-12 hours per shift. Makes real-time crop management decisions based on controller data and visual plant assessment. |
| Hardwired Trip Bus | 52A53010 | Dedicated hardwired relay network connecting Safety PLC outputs to final control elements: CO2 bulk supply isolation valve (NC relay, 24VDC), zone emergency ventilation contactors (NO relay, 120VAC), LED array circuit breakers (shunt-trip, 230VAC), and irrigation isolation valves (NC relay, 24VDC). Operates independently of fieldbus networks — failure of MODBUS or Ethernet cannot prevent interlock action. Energize-to-trip topology with wire-break detection. Cable runs are segregated from process I/O wiring per IEC 61511 physical separation requirements. |
| Harvest and Crop Changeover mode of Vertical Farm Environment Controller | 51F73A08 | Zone transitions between crop cycles. Controller executes end-of-cycle sequence: ramps down lighting over 24 hours, drains and flushes nutrient system, runs sanitisation cycle on irrigation lines (peracetic acid or ozone flush), adjusts temperature for worker comfort during manual harvest. After harvest, loads new crop recipe: different photoperiod, temperature range, humidity target, nutrient formulation. Reconfigures zone setpoints and verifies all actuators respond correctly before starting germination phase. Entry: crop maturity reached (days-after-planting timer or operator judgement). Exit: new crop recipe loaded, zone sanitised, germination parameters active. |
| Horticultural Lighting Function | 51F73A08 | System function of Vertical Farm Environment Controller: Manages LED array intensity, spectrum composition, and photoperiod scheduling per zone crop recipe. Inputs: PAR sensor readings (µmol/m²/s), crop recipe parameters, photoperiod timer, LED fixture temperature sensors. Outputs: LED driver PWM commands per channel (red, blue, white, far-red), dimming ramp profiles. Constraints: ±5% PAR accuracy, 5-30 minute ramp transitions, 100-600 µmol/m²/s range, instant de-energise on thermal protection trigger at 85°C fixture or 38°C zone. |
| Horticultural Lighting Subsystem | 55F77218 | LED lighting control subsystem for vertical farm. Manages multi-channel LED fixtures (red 660nm, blue 450nm, white 4000K, far-red 730nm) with PWM dimming drivers per zone across 8 zones. Controls photoperiod scheduling, spectrum recipes, intensity ramps. Total lighting load 400kW+ across facility. Interfaces: LED driver PWM outputs, PAR sensors (field bus inputs), fixture temperature sensors, thermal protection relay (to safety interlock), supervisory controller (recipe commands), energy management (curtailment commands). |
| HVAC Actuator Interface | D6E55018 | Physical DIN-rail-mounted interface module installed in zone electrical enclosures of a vertical farm. Translates digital setpoints from Zone Climate Controller to hardware command signals: 0–10V analog outputs for VFD speed control, relay contacts for compressor/condenser contactors, and Modbus RTU commands for motorized dampers. Physical Object with embedded electronics, terminal blocks, and field wiring connections. Regulated for industrial EMC (IEC 61000-6-2). |
| HVAC Failure and Zone Isolation scenario | 01F67A09 | Degraded operation scenario: During peak summer at 14:00, outside temperature reaches 35°C. Zone 4 HVAC compressor trips on high-head-pressure fault. Zone 4 temperature begins rising — 26°C and climbing. Controller detects HVAC fault, reduces Zone 4 LED intensity by 40% to reduce heat load, increases extraction fan speed, and alerts the facility manager via SMS and dashboard alarm. Adjacent zones 3 and 5 see 1°C temperature increase from thermal bleed-through; controller increases their HVAC output by 10%. Facility manager assesses: spare compressor part not available until tomorrow. Decides to keep Zone 4 in degraded mode with reduced lighting rather than losing the crop entirely. Controller maintains Zone 4 at 30°C with reduced photoperiod. |
| Indoor commercial agricultural building environment | 44841018 | Operating environment for vertical farm controller: enclosed multi-storey commercial building, typically converted warehouse or purpose-built facility. Internal conditions: growing zones at 18-28°C, 60-85% RH, elevated CO2 up to 1500ppm. Condensation risk on control equipment from high humidity. Nutrient solution mist and chemical vapour exposure for electronics. IP65 minimum for zone-mounted sensors, IP20 for control cabinet internals. Vibration from HVAC compressors and pumps. |
| Industrial Ethernet Switch | D6A57018 | Managed Layer 2/3 DIN-rail switch forming the zone-level OT network backbone. 24 x 100/1000Base-T copper ports plus 4 SFP uplinks. Implements IEEE 802.1Q VLANs to segregate operational-technology traffic (VLAN 100) from safety-interlock traffic (VLAN 200). Provides IEEE 1588 PTPv2 grandmaster for sub-millisecond time synchronisation across all zone controllers. 24VDC redundant power supply, -40 to +70 deg C operating range, SNMP-managed. |
| Irrigation Controller | D1F77A08 | Embedded PLC managing drip irrigation and NFT recirculation cycles in a vertical farm. Controls irrigation schedules (on/off timing per zone, 1-minute to 24-hour cycles), manages zone sequencing to avoid simultaneous multi-zone demand, monitors ultrasonic flow meters (±2% accuracy) for stuck-valve detection (30s timeout), and executes sanitisation sequences for zone changeover. Interfaces: Zone Controller Network (Modbus TCP), EC/pH Sensor Array (4-20mA inputs), Zone Irrigation Valve Array (24VAC digital outputs), flow meter pulse inputs. SIL-2 relevant for flood detection and valve override functions. |
| LED Driver Module Array | D4F57018 | Per-zone, per-channel constant-current LED power supply units for horticultural vertical farm. Accepts DALI-2 digital dimming commands from Lighting Control Unit. Outputs regulated constant current to LED strings across four channels: red 660nm, blue 450nm, white 4000K, far-red 730nm. Each driver module rated 0-100% dimming range with ≥12-bit resolution. Includes over-temperature, over-current, short-circuit protection. Fail-safe: outputs de-energise on loss of DALI bus or LCU heartbeat. Mounted in zone control panel adjacent to LED fixture distribution board. Efficiency ≥93% at rated load. 48V DC output per channel. |
| LED Fixture Array | D6C51018 | Multi-channel horticulture LED luminaires installed in each grow zone of a vertical farm. Each fixture provides independently driven spectral channels: red 660nm, blue 450nm, broadspectrum white 4000K, and far-red 730nm. Fixtures are rated for IP54 minimum (high humidity environment). Total installed load 400kW+ across 8 zones. Each fixture includes a heatsink and integral temperature sensor port. Driven by external LED Driver Modules via constant-current wiring. Fixtures are physically mounted on zone racking above crop canopy at fixed height per zone design. Output: photon flux at canopy (100-600 µmol/m²/s PPFD adjustable per channel). Fixtures fail off (safe state) when driver power is removed. |
| Lighting Control Unit | D1F77A18 | Zone-level embedded controller executing photoperiod scheduling, spectrum recipe management, and PAR intensity PID loops for horticultural LED lighting in a vertical farm. Receives crop recipe setpoints (target PAR, spectrum ratios, photoperiod) from Zone Controller Network via Modbus TCP/IP. Outputs: per-channel PWM duty cycle commands to LED Driver Module Array via DALI-2 or 0-10V analog. Inputs: PAR sensor readings at 1Hz, fixture thermal sensor readings at 1Hz, recipe commands, emergency shutdown signal. Implements 5-30 minute linear intensity ramp profiles. Operates 8 zones simultaneously at 10ms control cycle. Fails safe by de-energising all drivers. |
| Lockout Tagout Controller | 50F57A58 | Supervisory module managing maintenance LOTO state for the vertical farm zone controllers. Accepts key-switch inputs from physical LOTO stations at each zone access point, enforces a permission model preventing equipment re-energization while any LOTO key is checked out, communicates LOTO status to supervisory SCADA via OPC-UA, and drives local status beacons (flashing amber = LOTO active). Provides audit trail of LOTO events compliant with OSHA 29 CFR 1910.147. Runs on non-safety-rated hardware since LOTO is a procedural control layer, not a SIL-rated interlock. |
| Maintenance mode of Vertical Farm Environment Controller | 40BC3A00 | Scheduled or unscheduled maintenance window where individual zones or subsystems are taken offline while the rest of the facility continues operating. Controller isolates the maintenance zone: locks out affected actuators, maintains safe environmental defaults in adjacent zones to prevent cross-contamination, enables sensor calibration routines (zero/span checks on CO2 analysers, pH probe recalibration, PAR sensor verification against reference). Maintenance technician has local HMI access with override capability for individual actuators. All overrides logged with timestamp and operator ID. Entry: operator schedules maintenance window via HMI or responds to degraded-mode escalation. Exit: maintenance complete, sensors recalibrated, actuators tested, operator signs off → returns to startup sequence for affected zone. |
| Normal Operation mode of Vertical Farm Environment Controller | 55F73A08 | Steady-state closed-loop control across all growing zones. Each zone runs an independent control loop for temperature (18-28°C ±0.5°C), humidity (60-85% RH ±3%), CO2 (800-1500ppm ±50ppm), lighting (photoperiod and spectrum per crop recipe, 100-600 µmol/m²/s PAR), nutrient solution (pH 5.5-6.5 ±0.1, EC 1.0-3.0 mS/cm ±0.1), and irrigation (timed flood-drain or drip cycles). Controller executes crop-specific growth recipes that vary setpoints by growth stage (germination, vegetative, flowering, harvest). Energy optimisation layer coordinates HVAC and lighting to minimise peak demand. Data logging at 1-minute intervals. Entry: operator acknowledgement after startup. Exit: fault detection, operator command, or scheduled maintenance window. |
| Nutrient Delivery Function | 55F73A08 | System function of Vertical Farm Environment Controller: Manages hydroponic nutrient solution mixing, pH/EC regulation, and irrigation scheduling for recirculating deep-water-culture and NFT systems. Inputs: pH sensor (glass electrode), EC sensor (toroidal), flow meters, tank level sensors, water temperature. Outputs: acid/base dosing pump commands, fertiliser A/B pump commands, irrigation valve commands, UV steriliser enable. Constraints: ±0.2 pH, ±0.1 mS/cm EC, 2% max tank volume per dose stroke, runaway detection at 5% cumulative in 10 minutes. |
| Nutrient Management Subsystem | 55F77218 | Hydroponic nutrient delivery subsystem for vertical farm. Manages central mixing tanks with acid/base dosing pumps (peristaltic), A/B fertiliser concentrate pumps, pH glass electrodes, toroidal EC sensors, flow meters, and per-zone irrigation valves for recirculating deep-water-culture systems. UV sterilisation on return lines. Interfaces: analytical sensors (pH, EC, temperature, flow — field bus), dosing pump commands, irrigation valve commands, UV steriliser enable, safety interlock (runaway detection), supervisory controller (nutrient recipe parameters). |
| Nutrient Reservoir and Mixing System | DE951018 | Bulk storage and mixing infrastructure for hydroponic nutrient solutions in a vertical farm. Comprises: two 200L concentrate tanks (A and B), one 1000L working solution reservoir, one 50L acid tank (pH-down), one 50L base tank (pH-up). Includes ultrasonic level sensors (±5mm), PT100 temperature sensors, low-level alarms, motorised agitator for homogenisation, and gravity-fed drain valves. All wetted surfaces SS316 stainless or food-grade HDPE. Provides bulk storage to Dosing Pump Array and recirculation supply to Irrigation Controller. |
| Nutrient Sensor Drift and Crop Stress scenario | 04353209 | Degraded operation scenario: Over two weeks, Zone 6 pH sensor drifts 0.3 units high due to fouling from mineral deposits. Controller adjusts acid dosing based on faulty reading, actual pH drops to 5.0 (sensor reads 5.3, target 5.8). Crop shows iron/manganese toxicity symptoms — technician notices leaf chlorosis during daily inspection. Technician checks sensor against portable reference meter, discovers drift. Enters maintenance mode for Zone 6 nutrient system: controller stops dosing, flushes lines, technician cleans and recalibrates probe. Controller logs calibration event and adjusts drift compensation algorithm. Nutrient solution is dumped and remixed. Zone returns to normal operation after 4-hour maintenance window. |
| OpenADR Virtual End Node | 51B57B58 | Software client implementing OpenADR 2.0b protocol (OADR 2.0b schema, HTTPS/TLS 1.2+ transport) connecting to utility Virtual Top Node. Receives DR event signals (SIMPLE, PRICE, LOAD_DISPATCH) and translates them into demand-curtailment commands for the Supervisory Control Subsystem. Maintains certified OpenADR 2.0b VEN status per IEC 62746-10-3. Reports energy baseline and actual consumption telemetry to the VTN. Runs on the same server node as the TSDB, connected to the facility energy management system via Modbus TCP. |
| Operator Interface Terminal | 50AC7B28 | Web-based HMI served by Plant Management Server, providing real-time zone dashboards, alarm management, recipe selection and editing, trend visualisation for environmental parameters, and audit log viewer. Accessible from operator workstations and mobile tablets on the farm LAN. Role-based access control (operator, supervisor, administrator, read-only). All actions logged to immutable audit trail. |
| PAR Sensor Array | D4F77008 | Calibrated quantum (PAR) sensors installed at canopy level in each grow zone of a vertical farm, measuring photosynthetically active radiation (400-700nm) in µmol/m²/s (PPFD). One sensor per zone minimum, optional multi-point arrays for zones with non-uniform canopy geometry. Measurement range 0-2000 µmol/m²/s, accuracy ±3% traceable to ASTM E948, response time <100ms. Output: 4-20mA analog or RS-485 Modbus to Lighting Control Unit at 1Hz sampling. IP65 rated for humid grow environment. Recalibration interval 12 months. Provides closed-loop feedback for PAR PID control. Failure mode: signal loss triggers LCU degraded-mode operation at last valid setpoint. |
| Plant Management Server | 50A55008 | Industrial PC running the supervisory SCADA/HMI software stack for the vertical farm environment controller. Aggregates setpoints, schedules, and alarms from all grow zone controllers. Hosts the recipe management database (150+ crop profiles), demand-response scheduler, and OPC-UA server for external integrations. 1GHz redundant power supply, runs on Ubuntu 22.04 LTS with watchdog daemon. Provides operator web dashboard over HTTPS on LAN. |
| Recirculation Pump System | 57F71208 | Variable-speed centrifugal pump array circulating nutrient solution from the Nutrient Reservoir through grow zones and back in a closed-loop hydroponic system. Typically 2 pumps (duty/standby) with variable-frequency drives (VFDs) for 50–300 L/min flow range. Maintains 1.2–2.5 bar distribution pressure. Includes dry-run protection via flow switch, pump health monitoring (current draw, bearing vibration), and automatic standby changeover on duty pump fault. All wetted surfaces SS316 or HDPE. |
| Relative Humidity Sensor Array | D4D55008 | Capacitive thin-film RH sensors with ±2% RH accuracy over 20–90% RH range, deployed at 1 per zone in the return air stream. Provide 4–20mA analog output to Zone Climate Controller at 0.5Hz sample rate. Used for closed-loop humidity control via dehumidifier and humidification spray setpoint adjustment. Cross-referenced against intake air humidity for fresh-air enthalpy calculation. |
| Safety Interlock Function | 44F73858 | Hardware-independent safety function in vertical farm environment controller. Monitors CO2 concentration, zone temperature, water leaks, and fire alarm inputs via hardwired circuits independent of software controller. Triggers: CO2 >5000ppm, temperature >38°C, water on electrical panels, fire alarm. Outputs: fail-safe valve closure, emergency ventilation, electrical isolation. SIL 2-3 per IEC 61508, MTTFd >150 years. |
| Safety Interlock Subsystem | D4E77818 | Hardware safety interlock subsystem for vertical farm, independent of software controller per IEC 61508 SIL 3 architecture. Hardwired relay logic and safety-rated PLCs monitoring: CO2 concentration (dual NDIR sensors per zone with voting), zone temperature (RTD with comparator), water leak sensors (conductive probes near electrical panels), fire alarm relay input. Outputs: CO2 solenoid de-energise relays, emergency ventilation contactor, zone electrical isolation contactors, audible/visual alarms, E-stop chain. MTTFd >150 years per function. Two-person reset: physical key switch + software acknowledgement. |
| Safety PLC | D5F53058 | IEC 61511 SIL 3-certified programmable logic controller isolated from process control networks. Runs redundant interlock logic across dual execution cores with cross-checking. Receives hardwired digital inputs from CO2 safety sensors, thermal sensors, and emergency stops; drives hardwired relay outputs to CO2 isolation valve, ventilation actuators, and LED circuit breakers. Achieves SIL 3 via 2oo2 architecture with diagnostics coverage >99%. Scan cycle <50ms with hardware watchdog. Operates in -10°C to 55°C, humidity 10–95%. |
| Startup/Initialisation mode of Vertical Farm Environment Controller | 54B53A00 | System boot sequence: controllers power up, sensor arrays self-test and calibrate (temperature probes, RH sensors, CO2 analysers, pH/EC probes, PAR sensors), communication buses establish links to all zone controllers, actuators move to safe default positions (ventilation open, lights off, pumps stopped, CO2 injection closed). Entry: facility power-on or controller restart after maintenance. Exit: all sensors reporting within valid ranges, all zone controllers online, watchdog timers armed. Duration: 2-5 minutes. Operator must acknowledge readiness before transitioning to normal operation. |
| Supervisory Control Function | 41FD7B08 | Central coordination and operator interface for vertical farm environment controller. Manages crop recipes, zone assignments, operating mode transitions, alarm management, and inter-zone coordination. Inputs: all zone controller status, operator commands from HMI touchscreens. Outputs: zone setpoint commands, mode transition commands, alarm notifications. Coordinates 8 zones across 5 floors. |
| supervisory control subsystem | D6ED7018 | Physical industrial computing platform for vertical farm supervisory control. Housed in IEC 60529 IP54-rated 19-inch 4U rack-mount enclosure with front-panel LED indicators, installed in climate-controlled control room. Runs HMI, SCADA, recipe management, alarm handling, and OPC-UA server. Physical hardware includes industrial server chassis, touch-screen HMI panel, network switches, and UPS module. Operating temperature +5 to +45 degC. |
| Supervisory Control Subsystem | 51BD7908 | Central supervisory control and HMI subsystem for vertical farm environment controller. Server-based platform coordinating 8 zone controllers, managing crop recipes, zone assignments, operating mode state machine, alarm management, and energy optimisation. Includes: industrial HMI touchscreens, web dashboard for remote monitoring, OpenADR 2.0 client for demand response, recipe database, inter-zone coordination logic. Interfaces: zone controllers (Ethernet), BMS (BACnet/IP), ERP (REST API), cloud monitoring (MQTT/TLS), energy utility (OpenADR), operator (HMI). Manages 500kW-2MW facility load optimisation. |
| Temperature Sensor Network | 54C57208 | Distributed array of Class-B PT100 RTD sensors deployed at 2 per grow zone rack (top and bottom canopy positions), providing temperature measurements at ±0.5°C accuracy over 0–50°C range. Sensors connect via 4-wire Pt100 circuit to zone-level multiplexer boards. Sampling rate 1Hz per sensor, 16-bit ADC resolution. Provides redundant temperature inputs to Zone Climate Controller and independent verification channel to Safety Interlock Subsystem. |
| Thermal runaway hazard in vertical farm LED and HVAC system | 10040209 | Hazard in Vertical Farm Environment Controller during Normal Operation: HVAC cooling failure combined with high-power LED operation (200-600W per fixture, dozens per zone) causes zone temperature to exceed 45°C. LED thermal protection may fail if driver firmware is corrupted. Heat accumulation in enclosed multi-storey structure with limited thermal mass. Consequence: worker heat stress if present, crop destruction (total loss of zone), potential LED fixture fire from thermal runaway of driver electronics. |
| Time-Series Database Engine | 50A53308 | InfluxDB OSS or compatible TSDB deployed on a dedicated server node within the on-premises OT network. Ingests environmental sensor data (temperature, humidity, CO2, PAR, pH, EC, valve state) from the Zone Edge Gateway via MQTT or HTTP line protocol at 1Hz per channel per zone. Maintains a high-resolution tier (1-second samples, 90-day retention) and a downsampled tier (1-minute aggregates, 10-year retention) in accordance with SYS-REQ-011. Provides InfluxDB query API and Grafana-compatible data source interface. RAID-1 mirrored NVMe storage, 64GB minimum capacity for 10-year archive. |
| Vertical Farm Environment Controller | 51F73A18 | Integrated control system for indoor vertical farming facilities. Manages environmental parameters including lighting (LED spectrum and intensity), temperature, humidity, CO2 concentration, nutrient solution composition (pH, EC, individual ion concentrations), irrigation scheduling, and airflow across multiple growing zones within a multi-storey indoor farm. Operates 24/7 in a commercial agricultural building, typically 2000-10000 sq ft per floor, 3-8 floors. Controls actuators (HVAC, LED drivers, pumps, valves, CO2 injectors) based on sensor feedback and crop-specific growth recipes. Must maintain precise environmental setpoints (±0.5°C temperature, ±3% RH, ±50ppm CO2) to optimise crop yield and quality. Interfaces with building management systems, energy management, crop planning software, and remote monitoring dashboards. Safety-critical for worker exposure to CO2 enrichment and electrical/water proximity hazards. |
| Vertical Farm Facility Manager | 00045AF9 | Oversees overall farm operations including production scheduling, maintenance planning, energy cost management, and staff coordination. Makes resource allocation decisions during equipment failures (repair vs. replace, degraded operation vs. shutdown). Reviews analytics dashboards for yield trends and energy efficiency. Responsible for food safety compliance and worker safety. Reports to company management on production KPIs. |
| Vertical Farm Harvest Crew Worker | 02040039 | Manual labourers who enter growing zones to harvest mature crops, replace growing media, and clean equipment. Non-technical role — interact with controller only through zone entry/exit protocols (badge access, zone status display). Exposed to environmental conditions controlled by the system: temperature, humidity, CO2 levels, lighting. Worker safety directly depends on controller maintaining safe conditions during occupied-zone operations. |
| Vertical Farm Maintenance Technician | 000400F8 | Responsible for preventive and corrective maintenance of all controlled environment systems: HVAC units, LED fixtures, pumps, valves, sensors, nutrient dosing equipment, CO2 delivery system. Performs sensor calibration, actuator testing, electrical safety checks. Works under maintenance lockout/tagout procedures. Needs local HMI override capability for individual actuator testing. Electrical and mechanical trade qualifications required. |
| Voted Logic Engine | 41B73B58 | Software module executing inside the Safety PLC that performs 2-out-of-3 sensor voting for CO2 readings, evaluates all interlock conditions against configurable trip thresholds, manages the interlock state machine (normal/alarm/shutdown/reset), and arbitrates priority conflicts when multiple interlock conditions activate simultaneously. Implements IEC 61511 requirements for software safety lifecycle. Maximum execution time per scan: 20ms. Logs all state transitions with timestamp to non-volatile memory. |
| zone | CE851008 | A discrete physical growing room or rack section in a controlled environment vertical farm. Physical-spatial entity with fixed structural boundaries: reinforced walls, sealed floor/ceiling, air curtains at entry points, and installed mechanical hardware including HVAC ducts, irrigation lines, CO2 distribution manifold, and LED grow-light arrays. Occupies a defined volume (typical 20-100 m3). Has physical access points, physical sensor mounting locations, and physical actuator installations. The growing zone is a physical room that can be entered, cleaned, and inspected. |
| zone climate controller | D7F73018 | Physical DIN-rail-mounted embedded controller unit for zone climate management in a vertical farm. Packaged in IEC 60529 IP54 enclosure with RS-485 Modbus RTU ports and galvanically isolated 24 VDC power rail. Controls HVAC actuators via Modbus, runs PID loops for temperature and humidity control, processes PT100 temperature sensor inputs. Physical hardware installed in zone electrical enclosures, withstands 0.5 g RMS vibration over 10-150 Hz. |
| Zone Climate Controller | D7F73008 | Physical DIN-rail-mounted PLC-based controller unit installed in zone electrical enclosures of a vertical farm. Executes PID and feedforward algorithms for temperature and humidity control. Physical aluminium-rail-mounted hardware with 24VDC supply, Modbus RTU ports for HVAC actuators, and RS-485 bus to zone sensors. Operating temperature -10 to +60°C, IP20 protection. |
| zone controller | D7F73008 | Physical DIN-rail-mounted embedded controller unit installed in zone electrical enclosures of a vertical farm. Houses local PID control logic, recipe storage, and I/O interfaces. Physical hardware includes a DIN-rail case rated IEC 60529 IP20, RS-485 ports, 24 VDC power input, digital I/O terminals. Operating within -10 to +55 degC, humidity 20-95% RH. Executes zone temperature, humidity, CO2, and lighting PID loops. |
| zone controller network | D6851008 | Physical distributed automation network hardware deployed in a vertical farm facility. Physical installation comprising: DIN-rail-mounted industrial Ethernet switches in equipment enclosures, shielded Cat5e cables in conduit, IP67-rated GRP junction boxes at zone entry points, and zone controller units in zone electrical enclosures. Has physical cable routing, hardware nodes, termination panels, and IP-rated enclosures. Can be physically traced, inspected, and measured. The physical hardware backbone connects 8+ zone controller units to the supervisory system. |
| Zone Controller Network | D6855008 | Physical industrial Ethernet network infrastructure deployed through growing zones of a vertical farm. Comprises shielded Cat6A cabling, managed DIN-rail Ethernet switches, and RS-485 bus segments connecting zone controllers to zone-level I/O modules. Physical cable plant rated IP54, with physical termination panels and patch bays in zone electrical enclosures. Carries OPC-UA, Modbus RTU, and DALI-2 traffic. |
| Zone Controller Unit | D1F77008 | ARM Cortex-A53 embedded Linux controller, one per growing zone. Executes local PID control loops for temperature, humidity, CO2, PAR, pH and EC at 10Hz cycle rate. Interfaces with zone sensors via RS-485 Modbus RTU and with actuators via 24VDC discrete I/O and 4-20mA analog outputs. Communicates with Supervisory via OPC-UA over 100Mbps Ethernet. Stores current recipe setpoints in 16MB NOR flash for autonomous operation during network outage. 12 units in standard 3-tier 4-aisle facility. |
| Zone Edge Gateway | D0E57018 | OPC-UA server and protocol aggregator running on dedicated x86 embedded PC. Aggregates real-time data from all Zone Controller Units via OPC-UA at 500ms publication intervals and re-publishes aggregated node space to the Supervisory Control Subsystem. Provides protocol translation between zone-level Modbus RTU and OPC-UA, implements OPC-UA security mode SignAndEncrypt with X.509 certificates, and routes zone control commands from Supervisory to individual ZCUs. 10/100/1000Base-T dual-NIC, 24VDC supply. |
| Zone I/O Expansion Module | D6E55008 | RS-485-connected modular I/O expander attached to each Zone Controller Unit. Provides 16 digital inputs, 8 relay digital outputs (24VDC/2A), 8 analog inputs (4-20mA/0-10V, 12-bit resolution), and 4 analog outputs (4-20mA). Hot-swappable. Detects open-circuit faults on 4-20mA sensor loops within 1s and reports fault code to host ZCU. Extends ZCU I/O capacity to accommodate full sensor and actuator suite in zones with high device density. |
| Zone Irrigation Valve Array | D6F57018 | Array of normally-closed 24VAC solenoid valves mounted on distribution manifold, one per grow zone in a vertical farm. Fail-safe closed on power loss. DN15/DN20 food-grade EPDM seals rated for pH 4–9 at 5–35°C. Each valve includes reed switch position feedback (open/closed confirmation within 2s). Flow detection via common-header ultrasonic flow meter. Controlled by Irrigation Controller digital outputs. Stuck-open detection drives zone isolation valve closure and floor drain pump activation (per SYS-REQ-010). |
| Zone NDIR CO2 Sensor Array | D4F45008 | Non-dispersive infrared (NDIR) CO2 sensors installed in each grow zone for process control feedback. One dual-beam NDIR sensor per zone providing ±100 ppm accuracy across 300-3000 ppm range at 1Hz. Not safety-rated — used exclusively for PID loop feedback in CO2 Injection Controller. Temperature-compensated, auto-calibration against 400 ppm reference. 4-20mA output per zone, IP54 enclosure for humid grow-room environments. Distinct from the SIL-3 electrochemical safety sensor array owned by Safety Interlock Subsystem. |
| Zone Solenoid Valve Array | D6D55008 | Array of 2/2-way normally-closed solenoid valves, one per grow zone, installed in the CO2 distribution manifold outlet headers. 24VDC energise-to-open, spring-return to closed on de-energisation or power loss (fail-closed). CO2 service rated, PTFE/SS316 wetted parts, Cv 0.5 for precision flow control. Valve position feedback via 24VDC discrete output to CO2 Injection Controller. Override forced-closed by hardwired Safety Interlock trip relay — valve cannot open when interlock is tripped regardless of controller command. |
| Component | Belongs To |
|---|---|
| Climate Management Subsystem | Vertical Farm Environment Controller |
| Horticultural Lighting Subsystem | Vertical Farm Environment Controller |
| Nutrient Management Subsystem | Vertical Farm Environment Controller |
| CO2 Enrichment Subsystem | Vertical Farm Environment Controller |
| Safety Interlock Subsystem | Vertical Farm Environment Controller |
| Supervisory Control Subsystem | Vertical Farm Environment Controller |
| Data Acquisition and Compliance Subsystem | Vertical Farm Environment Controller |
| Zone Controller Network | Vertical Farm Environment Controller |
| Safety PLC | Safety Interlock Subsystem |
| CO2 Safety Sensor Array | Safety Interlock Subsystem |
| Voted Logic Engine | Safety Interlock Subsystem |
| Hardwired Trip Bus | Safety Interlock Subsystem |
| Lockout Tagout Controller | Safety Interlock Subsystem |
| CO2 Injection Controller | CO2 Enrichment Subsystem |
| Zone NDIR CO2 Sensor Array | CO2 Enrichment Subsystem |
| Zone Solenoid Valve Array | CO2 Enrichment Subsystem |
| CO2 Distribution Manifold | CO2 Enrichment Subsystem |
| Lighting Control Unit | Horticultural Lighting Subsystem |
| LED Fixture Array | Horticultural Lighting Subsystem |
| LED Driver Module Array | Horticultural Lighting Subsystem |
| PAR Sensor Array | Horticultural Lighting Subsystem |
| Fixture Thermal Monitoring Array | Horticultural Lighting Subsystem |
| Zone Climate Controller | Climate Management Subsystem |
| Temperature Sensor Network | Climate Management Subsystem |
| Relative Humidity Sensor Array | Climate Management Subsystem |
| HVAC Actuator Interface | Climate Management Subsystem |
| Fresh Air Ventilation Controller | Climate Management Subsystem |
| Plant Management Server | Supervisory Control Subsystem |
| Crop Recipe Engine | Supervisory Control Subsystem |
| Operator Interface Terminal | Supervisory Control Subsystem |
| Demand Response Handler | Supervisory Control Subsystem |
| Emergency Shutdown Sequencer | Supervisory Control Subsystem |
| Zone Controller Unit | Zone Controller Network |
| Industrial Ethernet Switch | Zone Controller Network |
| Zone I/O Expansion Module | Zone Controller Network |
| Zone Edge Gateway | Zone Controller Network |
| Time-Series Database Engine | Data Acquisition and Compliance Subsystem |
| OpenADR Virtual End Node | Data Acquisition and Compliance Subsystem |
| Crop Recipe Database | Data Acquisition and Compliance Subsystem |
| Compliance Report Generator | Data Acquisition and Compliance Subsystem |
| From | To |
|---|---|
| CO2 Safety Sensor Array | Safety PLC |
| Safety PLC | Voted Logic Engine |
| Safety PLC | Hardwired Trip Bus |
| Lockout Tagout Controller | Safety PLC |
| CO2 Injection Controller | Zone NDIR CO2 Sensor Array |
| CO2 Injection Controller | Zone Solenoid Valve Array |
| CO2 Distribution Manifold | Zone Solenoid Valve Array |
| Fixture Thermal Monitoring Array | Safety Interlock Subsystem |
| Lighting Control Unit | LED Driver Module Array |
| PAR Sensor Array | Lighting Control Unit |
| Fixture Thermal Monitoring Array | Lighting Control Unit |
| Zone Controller Unit | Zone Edge Gateway |
| Zone Controller Unit | Zone I/O Expansion Module |
| Industrial Ethernet Switch | Zone Controller Unit |
| Zone Edge Gateway | Time-Series Database Engine |
| Crop Recipe Database | Supervisory Control Subsystem |
| OpenADR Virtual End Node | Supervisory Control Subsystem |
| Component | Output |
|---|---|
| CO2 Safety Sensor Array | CO2 ppm measurement |
| Voted Logic Engine | interlock trip signal |
| Safety PLC | hardwired relay command |
| Hardwired Trip Bus | actuator de-energisation |
| Lockout Tagout Controller | LOTO status signal |
| CO2 Injection Controller | zone solenoid valve commands |
| Zone NDIR CO2 Sensor Array | zone CO2 ppm measurement for PID control |
| Zone Solenoid Valve Array | CO2 zone injection flow |
| Lighting Control Unit | LED driver PWM commands |
| LED Fixture Array | photosynthetically active radiation |
| PAR Sensor Array | PPFD measurement |
| Zone Climate Controller | HVAC setpoints |
| Temperature Sensor Network | zone temperature readings |
| Relative Humidity Sensor Array | zone relative humidity readings |
| HVAC Actuator Interface | HVAC hardware commands |
| Fresh Air Ventilation Controller | fresh air fraction commands |
| Plant Management Server | zone setpoints and schedules |
| Crop Recipe Engine | time-varying environmental setpoints |
| Demand Response Handler | load-shed commands |
| Emergency Shutdown Sequencer | shutdown sequence commands |
| Zone Controller Unit | zone control signals (4-20mA, 24VDC) |
| Zone Controller Unit | OPC-UA data nodes |
| Industrial Ethernet Switch | network packet forwarding |
| Zone I/O Expansion Module | scaled sensor values and actuator drive signals |
| Zone Edge Gateway | aggregated OPC-UA namespace |
| Time-Series Database Engine | time-series environmental data archive |
| OpenADR Virtual End Node | demand-response curtailment commands |
| Crop Recipe Database | crop cultivation recipe records |
| Compliance Report Generator | signed compliance reports (PDF/CSV) |