Vertical Farm Environment Controller

Rationale: Grower Technician, Daily Growing Cycle: Technician reviews dashboard at shift start to assess zone status and identify deviations requiring manual intervention. 5-second latency ensures displayed values reflect current conditions during walkthrough inspections.

Rationale: Grower Technician, Daily Growing Cycle: Technician adjusts Zone 5 lettuce PAR based on growth analytics. Recipe modifications must propagate quickly to zone controllers so the technician can verify the effect during the same visit.

Rationale: Facility Manager, HVAC Failure: Manager needs to assess production impact of thermal excursions to make degraded-mode operational decisions (e.g., accept reduced yield vs. emergency HVAC procurement).

Rationale: Facility Manager, Crop Changeover: Production scheduling requires per-zone maintenance windows that do not cascade environmental disturbances to neighbouring zones through shared HVAC or nutrient systems.

Rationale: Maintenance Technician, Sensor Drift: pH sensor drift scenario demonstrates that routine calibration is essential. Guided procedures with reference comparison reduce calibration errors. Automatic logging creates maintenance audit trail required by food safety standards.

Rationale: Maintenance Technician, Maintenance mode: Technician must safely access zone equipment (LEDs, pumps, HVAC components) without risk of automatic actuator activation. Zone isolation must not compromise adjacent zone control.

Rationale: Harvest Crew Worker, Crop Changeover and CO2 Emergency: Non-technical harvest crew cannot be expected to monitor environmental conditions. Controller must guarantee safe atmospheric conditions during occupied periods. 5000ppm is OSHA TWA limit; 35°C is heat stress threshold for moderate physical work.

Rationale: Harvest Crew Worker, Crop Changeover: Harvest crew enters Zone 1 for lettuce harvest — controller transitions to comfortable working conditions. Two-state interlock (entry/exit confirmed) prevents premature return to production conditions with high CO2 or extreme lighting.

Rationale: Food Safety Auditor: BRCGS/SQF certification requires demonstrated environmental control with auditable records. HACCP principles demand continuous monitoring logs. 2-year retention covers multiple audit cycles. 4-hour retrieval supports audit day workflow.

Rationale: Food Safety Auditor: Auditors require documentation of deviations and corrective actions per HACCP Principle 5. Automated report generation ensures consistent documentation and reduces audit preparation workload.

Rationale: Energy Utility/Grid Operator, Daily Growing Cycle: 500kW-2MW facility load incurs significant demand charges. Demand response participation requires automated load shedding within utility-specified response windows while protecting crop viability.

Rationale: Energy Utility/Grid Operator: Utility requires load predictability for grid balancing. 15-minute intervals match smart meter granularity. 1-hour forecast horizon enables utility dispatch planning. 60-second curtailment confirmation meets OpenADR fast-DR requirements.

Rationale: Controls System Integrator: Commissioning and lifecycle maintenance requires structured access to control parameters. Version-controlled configuration prevents undocumented changes that could cause environmental excursions after maintenance visits.

Rationale: Controls System Integrator: Firmware updates are necessary for bug fixes and feature additions over 15-20 year system life. Rollback prevents bricking zone controllers. Maintenance window restriction prevents updates during active crop cycles. Operator authorisation prevents unauthorised changes per IEC 62443.

Rationale: Environment as stakeholder, Electromagnetic constraint: LED drivers (50-200kHz switching) and VSD-equipped HVAC fans generate significant EMI. Controller sensors and communication buses must maintain signal integrity in this electrically noisy environment to prevent false readings or control errors.

Rationale: Environment as stakeholder, Network constraint: Cloud connectivity supports monitoring and analytics but crop safety cannot depend on internet availability. 72-hour autonomy covers typical ISP outage resolution time and ensures crop cycles are not interrupted by IT infrastructure failures.

Rationale: Derived from grower technician need for precise zone-specific climate control. ±1°C tolerance is the threshold below which leafy green growth rate variation remains within 5% of optimal. 120-second response to 2°C step prevents thermal accumulation that would trigger yield impact estimates.

Rationale: Derived from grower technician zone control need and physical environment constraint. ±5% RH is achievable with dehumidification control. 90% RH ceiling prevents condensation at the dew point difference present when zone air meets cooler electronic surfaces, avoiding H-002 electrocution hazard pathway.

Rationale: Derived from grower technician recipe management and H-001 CO2 asphyxiation hazard. ±50ppm is achievable with NDIR sensors and proportional solenoid control. 3000ppm software ceiling provides margin below the 5000ppm OSHA TWA limit, with hardware interlock at 5000ppm as independent backup per SIL 3 allocation.

Rationale: H-001 drives SIL 3: CO2 enrichment valve failure could cause lethal accumulation. Hardware interlock must operate independently of software controller to achieve SIL 3 integrity. 2-second response limits CO2 rise rate in enclosed zone volume. 5000ppm trigger is OSHA TWA limit.

Rationale: Derived from grower technician recipe adjustment need. ±5% PAR accuracy ensures consistent daily light integral (DLI) for crop quality. 5-30 minute ramp prevents thermal shock to LED drivers and avoids instantaneous 200kW load steps that would trigger demand charges.

Rationale: Derived from grower technician nutrient management and H-003 chemical burn hazard. ±0.2 pH keeps nutrient availability within crop tolerance band. 2% stroke volume limit prevents pH overshoot that could drive tank below pH 2 from a single dose event, supporting the SIL 2 safe state requirement.

Rationale: H-003 drives SIL 2: Runaway dosing from drifted sensor could produce dangerous acid/alkali concentrations. Cumulative volume limit detects sensor drift scenario from Nutrient Sensor Drift ConOps scenario. Suspension prevents tank reaching corrosive pH before operator intervention.

Rationale: Derived from HVAC Failure scenario and H-004 thermal hazard. LED heat is the dominant internal load in growing zones; 40% LED reduction cuts thermal input by approximately 40kW per zone, buying 2-4 hours before temperature exceeds crop damage threshold. Adjacent zone compensation prevents cascading degradation.

Rationale: H-004 drives SIL 2: HVAC failure combined with high-power LED operation creates thermal runaway risk. 85°C fixture temperature is 15°C below typical LED driver thermal shutdown. 38°C zone temperature provides margin below 45°C crop destruction and fire risk threshold.

Rationale: H-005 drives SIL 2: Uncontrolled water release in a multi-storey structure risks structural overload and electrical shorts on lower floors. 30-second detection window limits water volume to approximately 50 litres at typical irrigation flow rates, within floor drain capacity.

Rationale: Derived from STK-REQ-009 (auditor log integrity) and STK-REQ-010 (HACCP-compliant deviation reports). Cryptographic signing (tamper-evident) requires Test: the signing mechanism must be exercised and a tampered log entry must be rejected. The 2-year retention requirement requires Test: sustained logging at 1-minute intervals per zone must be verified under realistic data volume to confirm retention policy enforcement. Inspection of code or specification alone cannot confirm correct crypto verification behaviour or that old records are not silently dropped when storage fills.

Rationale: Derived from energy utility demand response need. 30% curtailment from 1MW baseline saves approximately £150/event in avoided demand charges at UK industrial tariffs. 4°C temperature relaxation is the maximum short-duration excursion that does not trigger yield impact for leafy greens.

Rationale: Derived from CO2 Leak Emergency scenario and harvest crew safety need. 3-second total sequence time limits CO2 accumulation. Two-person reset prevents premature restart before hazard is verified cleared, aligning with IEC 62061 requirements for safety function reset.

Rationale: H-006 drives SIL 1: Uncontrolled pathogen spread between zones via shared air or nutrient systems causes multi-zone crop loss and food safety risk. Airflow isolation prevents aerosol transmission. Nutrient isolation prevents waterborne pathogen spread. UV treatment inactivates common hydroponic pathogens (Pythium, Fusarium).

Rationale: IEC 61508 SIL-3 requires that hardware independence of the safety system be demonstrated, not merely analysed. The independence claim — that supervisory software failure cannot affect the safety PLC — must be demonstrated by: (1) crashing the supervisory software while the Safety PLC is executing interlock logic, and confirming no interlock state change occurs; (2) disconnecting the data-diode network path and confirming the Safety PLC continues normal operation. Analysis of the architecture alone cannot confirm there are no undocumented shared resources (power rails, communication buses, or firmware update paths) between the supervisory system and the SIL-3 Safety PLC.

Rationale: Derived from Crop Changeover scenario: Sanitisation chemical residue on new crop is a food safety risk. EC/pH sensors verify rinse completeness. Blocking germination phase prevents planting into contaminated media, which would result in crop loss and potential food safety violation.

Rationale: UHT classifies the vertical farm environment controller (D1F77818) as System-Essential (bit 16). A single point of failure at the top-level controller results in simultaneous loss of all environmental regulation across all zones, risking crop loss within hours for temperature-sensitive cultivars.

Rationale: STK-REQ-002 identifies farm operators as needing a system that allows easy monitoring and adjustment. The 3-interaction acknowledgement limit and browser-native access derive from operator usability research for industrial HMI: operators wearing gloves or using shared terminals need minimal click-through paths.

Rationale: Vertical farm controllers operate in an electrically noisy industrial environment with variable-speed drives, switching power supplies, and CO2 solenoid valves generating conducted and radiated emissions. IEC 61000-6-2 sets the industrial immunity benchmark; compliance ensures the controller does not misread sensor data or fail to execute safety shutdowns during EMC disturbances.

Rationale: STK-REQ-016 requires locally stored crop recipes and control parameters. The 200-recipe minimum covers expected commercial cultivar variety. The 72-hour autonomous operation target derives from worst-case ISP outage duration at rural agricultural sites where fibre restoration typically takes 24-48 hours.