Vertical Farm Environment Controller

Rationale: Integration test to verify interface compliance at system boundaries.

Rationale: Integration test to verify interface compliance at system boundaries.

Rationale: End-to-end test covering the complete signal path from sensor through Safety PLC, Voted Logic Engine, and Hardwired Trip Bus to final elements. Tests the composite requirement that each interlock acts within the hazard-specific time window. This is the primary safety case evidence for SIL 3 functional verification of the CO2 and thermal interlocks.

Rationale: Accuracy verification at multiple concentration points spanning the operational range (1000-2000 ppm normal, 5000 ppm trip threshold). NIST-traceable calibration gas provides metrological traceability for the safety case.

Rationale: Three hardwired interface requirements specify independent safety input channels. Testing them in a combined injection scenario verifies that no channel interferes with another and that the voted logic engine correctly processes simultaneous multi-hazard inputs, matching the SIL 3 diagnostic requirement.

Rationale: Process network interfaces between supervisory control, climate, nutrient, and lighting subsystems share the same Modbus TCP/IP backbone. FAT in integrated configuration verifies that simultaneous traffic from all subsystems does not degrade the latency of any individual interface below its specified bound.

Rationale: Interface test verifying 4-20mA signal calibration scaling and open-circuit fault detection, both required for correct PID operation and sensor fault safety behaviour.

Rationale: Valve command/feedback interface test covering both normal operation timing and fault detection, which is the primary mechanism for detecting valve seizure in process operation.

Rationale: End-to-end integration test exercising the complete chain from supervisory setpoint through injection control to physical valve actuation, and the complete safety trip path from sensor reading through hardwired trip to valve closure. This is the primary evidence for SYS-REQ-003 and SYS-REQ-004 system-level verification.

Rationale: Integration test verifying the Modbus RTU communication accuracy and fault reporting path required by IFC-REQ-025 and SUB-REQ-025, to confirm that sensor faults propagate before dosing can proceed on stale data.

Rationale: Interface test verifying both the 24VAC actuation path and position feedback confirmation, and the stuck-valve detection behaviour specified in SUB-REQ-030 and IFC-REQ-027. This test provides evidence that flood prevention response meets the 30-second detection window in SYS-REQ-010.

Rationale: SIL-2 functional safety test for the dosing-excess watchdog required by SUB-REQ-027 and SYS-REQ-007. The 200ms signal propagation time is the primary safety timing requirement for this function. Testing both below-threshold (no spurious trip) and above-threshold (confirmed trip) scenarios validates the correct implementation boundary. Manual reset requirement is evidence of SIL-2 latched-trip behaviour.

Rationale: End-to-end integration test exercising the complete NMS signal chain from EC/pH feedback through dosing control to solution delivery, and the three primary fault responses: flood detection (SYS-REQ-010), sensor degraded mode (SUB-REQ-037), and power-loss fail-safe (SUB-REQ-032). This provides the primary evidence for SYS-REQ-006 and SYS-REQ-010 system-level verification.

Rationale: Multi-point canopy measurement with an independently calibrated reference sensor verifies both LCU closed-loop accuracy and spatial uniformity — the two failure modes that would cause recipe non-compliance.

Rationale: SIL-2 functions require demonstrated probabilistic reliability — 10 consecutive trigger tests with zero failures provides minimum evidence for the diagnostic coverage claim. Hardware-only test path (no software intervention) directly verifies the SIL-2 architectural requirement.

Rationale: Bus analyser verification of DALI-2 timing and addressing confirms IEC 62386 compliance and the 22ms response budget; 100-command sequence provides statistical confidence in error rate.

Rationale: Three-fault-mode test verifies the fail-safe (normally-closed) behaviour of the SIL-2 interface — the key property that ensures wiring faults result in safe trips rather than missed trips.

Rationale: Functional test of PID control performance under realistic multi-zone load, measuring both response time and steady-state accuracy against the ±50 ppm specification.

Rationale: Valve closure time is safety-critical (SIL-3 trip budget allocation); tests must span the full operating temperature range since spring force and coil impedance vary with temperature. 10-cycle repeat confirms repeatability, not just one-off performance.

Rationale: SIL-3 safe state test must verify both the hardware trip mechanism (hardwired relay) and the software lockout behaviour, and must confirm that unauthorised reset is rejected. This is a mandatory SIL-3 functional safety test per IEC 61508-2.

Rationale: Tests the quantified 500 ms override response window for the zone controller network autonomy override requirement. Ten-trial pass rate confirms repeatability under varied network load conditions.

Rationale: Directly tests the 30-second failover criterion and single-missed-cycle constraint. Power removal is chosen over software kill to test hardware-level failure detection.

Rationale: Two-part test covers both authentication factor enforcement and transport encryption. Protocol analyser confirmation is required because browser UI success does not prove TLS version negotiated.

Rationale: Zone-level steady-state test with reference thermometer provides independent calibration-traceable verification of the ±1.0 degC requirement; 4-hour window captures natural HVAC on/off cycling behaviour.

Rationale: Timing test with logic analyser provides objective, repeatable measurement of the 500 ms response requirement. Ten trials is the minimum statistical sample for a pass/fail safety function test per IEC 61511-1 clause 8.2.

Rationale: Protocol-level verification confirms the timing and fault-detection requirements of the interface. 1000 frames provides statistical confidence in 1 Hz compliance; fault injection test directly exercises the safety-relevant bus fault detection path.

Rationale: Integration test captures the real-time exchange behaviour under operational conditions. 30-minute window spans multiple HRV damper adjustment cycles to verify steady-state interface compliance.

Rationale: End-to-end timing test with data logger provides objective evidence of the 10 s sequence requirement. Three trials at full-operation state are the minimum required to detect sequencing failures due to bus congestion or lock contention.

Rationale: Oscilloscope measurement is the only method that can resolve sub-millisecond timing on the hardwired safety interface; functional test alone cannot verify the 20 ms latency bound specified in IFC-REQ-036.

Rationale: Integration test at the OPC-UA stack level verifies both functional (latency) and security (encryption) requirements simultaneously. 1000-cycle sample provides statistical confidence in the 99th-percentile measurement.

Rationale: 24-hour continuous test catches intermittent timing violations under temperature cycling. The open-circuit injection directly tests the fault detection path of SUB-REQ-068.

Rationale: Configuration audit and active probe test verifies both the intended VLAN design and that the switch is enforcing it. A negative test (attempting to inject cross-VLAN traffic) is more rigorous than a positive-only test for a security isolation requirement.

Rationale: Hardware-in-the-loop test with actual ZCU hardware and simulated zone loads verifies autonomous operation in conditions representative of deployment. 35-minute test exceeds the 30-minute requirement to demonstrate margin.

Rationale: Combined test exercises both ingestion fidelity (SUB-REQ-070) and query performance (SUB-REQ-071) in a single dataset, confirming that the TSDB can sustain high-frequency writes without index degradation that would slow exports.

Rationale: End-to-end timing test using a certified test VTN verifies real protocol behaviour including HTTPS handshake overhead. Testing 10 events over 4 hours captures variation in network load conditions.

Rationale: Synthetic dataset allows deterministic verification of report content and hash validity. The hash verification step confirms cryptographic linkage between report and source data, which is the key tamper-evidence property.

Rationale: IFC-REQ-001 specifies BACnet/IP with 500ms fire alarm latency and 5-minute energy polling. Protocol-level testing against a BMS simulator is the only means to confirm BACnet service compliance and timing.

Rationale: IFC-REQ-002 requires mTLS authentication and ≤5s response time. Functional API testing with a valid and invalid certificate is necessary to confirm both authentication and performance acceptance criteria.

Rationale: IFC-REQ-003 specifies dual protocols (OpenADR VEN and Modbus TCP) with precise timing constraints. Independent protocol testing against a certified OpenADR VTN test instance and a Modbus master is required to validate both interfaces.

Rationale: IFC-REQ-004 requires MQTT v5/TLS 1.3 with 30s fallback and backfill. Disconnection testing is the only way to validate the fallback and reconnection backfill behaviours.

Rationale: IFC-REQ-005 specifies 4-20mA analogue inputs and fail-closed solenoid behaviour. Signal injection testing is required to verify analogue scaling and the fail-safe de-energise behaviour.

Rationale: IFC-REQ-015 requires read-only OPC UA status at ≤1s poll; IFC-REQ-016 requires 1-minute zone data with ≤1s timestamp accuracy. Combined OPC UA testing against live controllers confirms both interfaces in one test session.

Rationale: IFC-REQ-017 requires report generation within 5 minutes for up to 90-day ranges. Performance testing with maximum-range data confirms the worst-case compliance report response time.

Rationale: SUB-REQ-002 defines SIL 3 2oo3 voting logic. Hardware channel failure injection on the HIL bench is the only method to verify that the voting architecture correctly distinguishes 1-of-3 sensor failure from actual CO2 exceedance.

Rationale: SUB-REQ-003 requires third-party SIL 3 certification per IEC 61508. Certification is a hardware supplier deliverable verified by document inspection — functional testing cannot substitute for the PFD calculations underlying SIL 3 classification.

Rationale: SUB-REQ-004 specifies 50ms scan and 100ms watchdog response. Oscilloscope timing measurement under load is the only direct evidence of compliance; a software fault injection test is required to verify watchdog independence from normal scan completion.

Rationale: SUB-REQ-006 specifies condition-specific response times for each safe-state output. HIL timing measurements are required for each actuator class; the requirement cannot be verified by inspection because relay propagation delays vary by circuit load.

Rationale: SUB-REQ-007 requires network-independent trip bus operation. Physical network disconnection testing is the definitive test of independence; inspection of wiring drawings supplements but does not replace live testing.

Rationale: SUB-REQ-008 requires personnel safety demonstration to confirm LOTO enforcement. A functional demonstration is the appropriate verification method for a safety-critical personnel protection function.

Rationale: SUB-REQ-013 specifies setpoint range 400–2000 ppm at ±1 ppm resolution and rejection of out-of-range commands. SUB-REQ-014 specifies independent 2800/2500 ppm software ceiling. Both must be tested in the same controller test session.

Rationale: SUB-REQ-015 specifies multi-point accuracy across environmental range; SUB-REQ-016 specifies autocalibration with logged output. Multi-point calibration gas injection across the environmental envelope is the only method to verify the ±100 ppm accuracy requirement over operating conditions.

Rationale: Physical infrastructure inspection is the appropriate verification method for cable type, IP ratings, and installation compliance. Network segment length can be verified by cable run measurement. IP67 rating is verified by visual inspection of gasket condition and box seal integrity per IEC 60529 assessment criteria.

Rationale: Chemical resistance and bioburden testing are the only objective methods to confirm material compatibility with the sanitisation chemistry and food safety cleanliness thresholds. Inspection alone cannot detect subsurface degradation or invisible microbial contamination. Testing against specific concentrations and the 100 CFU/cm2 limit provides quantitative acceptance criteria for material qualification.

Rationale: SIL-3 rated Safety PLC network isolation is a safety-critical cybersecurity control. Any successful inbound write to the Safety PLC could override interlock logic or trip thresholds, defeating the safety function. IEC 61508 SIL-3 requires architectural isolation of the safety system; unidirectional enforcement cannot be verified by analysis alone — active penetration-style inspection and certificate audit are required. Inspection is appropriate here because the isolation is implemented in network hardware (data diode) that can be physically verified, not in software that requires runtime testing.

Rationale: IEC 61508 SIL-3 mandates complete auditability of all safety system state transitions. The audit log is the primary forensic record for incident investigation and proof-test evidence. Testing with 20 synthetic events exercises the log write path, timestamp accuracy, and operator identity capture. Capacity verification prevents a log-overflow vulnerability that could silently lose safety-critical trip records. Inspection of the log format specification alone cannot confirm correct runtime behaviour of the logging mechanism.

Rationale: IEC 61508 SIL-3 requires periodic proof testing to detect dangerous undetected failures accumulated between online diagnostic cycles. The 12-month proof test interval is consistent with SIL-3 PFD targets and the IEC 61511 proof-test coverage requirements for this type of safety instrumented function. Demonstration (witnessed procedure) is appropriate because proof tests require qualified safety personnel performing the procedure in situ on the commissioned system — it cannot be fully replicated in a factory test or by analysis. Automatic test-log persistence is verified during this procedure.

Rationale: Lighting load shedding on safety interlock trip is a SIL-2 safety function — it reduces zone heat load during emergency shutdown when HVAC may also have stopped. The 5-second response time is set by SYS-REQ-009 (thermal protection). Testing across all 8 zones simultaneously is necessary because the hardwired trip bus drives all zones in parallel; a zone-by-zone test would not detect contention or current-limiting failures on the trip bus. Testing at multiple lighting levels verifies the DALI-2 command is acted upon regardless of current output state.

Rationale: Both requirements protect against thermal runaway pathways. Zone isolation (SUB-REQ-060, SIL-2) prevents heat buildup when the safety system trips other loads; without confirmed damper closure, an isolated zone can overheat within 20 minutes at full lighting. Thermal derating (SUB-REQ-043, SIL-2) prevents LED fixture overtemperature that could lead to fire or early failure; the 75 degC threshold and 5%/min rate are derived from LED manufacturer MTBF curves and IEC 60598-2 luminaire thermal requirements. Both require integration tests because the response paths traverse multiple hardware interfaces that cannot be confirmed by component test alone.

Rationale: SIL-2 classification of the independent CO2 safety sensor (SUB-REQ-076) requires verified separation from the process-control sensor path — common-cause failure of a shared power rail or signal cable would defeat the independence. Physical inspection alone cannot confirm correct fault response behaviour; power-removal tests verify both the independence of the supply and the correct alarm/disable response of the CO2 injection controller. This is the defence-in-depth layer between a process sensor failure and uncontrolled CO2 accumulation.

Rationale: Climate management accuracy (±5% RH, SUB-REQ-054), sensor sampling rate (1 Hz, SUB-REQ-056), sensor failover (SUB-REQ-057), fresh air coordination (5-30%, SUB-REQ-058), and actuator latency (500 ms, SUB-REQ-059) are all performance requirements derived from crop physiology needs. Each must be demonstrated on a commissioned zone under realistic thermal load because the interactions between HVAC actuators, temperature sensor networks, and CO2 enrichment create coupled control loops that cannot be validated by component tests alone. The crop canopy load is specified because it represents the primary thermal disturbance in a vertical farm grow zone.

Rationale: ZCU loop rate (SUB-REQ-066, 10 Hz) determines control bandwidth for all regulated environmental parameters — insufficient loop rate causes steady-state error and overshoot. NOR flash persistence (SUB-REQ-067, 5 s) is the recovery mechanism for power-loss events. I/O sampling accuracy (SUB-REQ-068) underpins all closed-loop control accuracy. Gateway latency (SUB-REQ-069, 500 ms) sets the supervisory loop response time. ZCU holdover (SUB-REQ-075, 35 min) is the primary availability mechanism when supervisory communications fail; testing requires actual power removal to confirm the holdover cache is populated before the outage.

Rationale: Worker-comfort mode is a safety-critical operational mode protecting harvest crew from CO2 toxicity, photo-biological hazards, and thermal stress. The test uses a live zone because comfort mode parameters interact with the running PID control loops — simulation cannot confirm that CO2 injection shutoff propagates correctly through the closed-loop control or that the zone-occupied flag correctly blocks the supervisory recipe engine. Testing the zone-occupied interlock is mandatory because re-entry to production conditions while crew are present is the primary safety hazard this requirement prevents.