System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.
| Standard | Title |
|---|---|
| EN 1186 | — |
| EN 13480 | — |
| EN 61326-1 | — |
| IEC 60204-1 | — |
| IEC 60529 | — |
| IEC 60598-2 | — |
| IEC 60715 | — |
| IEC 61000-4 | — |
| IEC 61000-6-2 | — |
| IEC 61439 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-2 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61511 | Functional safety — Safety instrumented systems for the process industry sector |
| IEC 61511-1 | Functional safety — Safety instrumented systems for the process industry sector |
| IEC 62061 | — |
| IEC 62386 | — |
| IEC 62386-certified | — |
| IEC 62443 | Industrial communication networks — Network and system security |
| IEC 62443-3-3 | System security requirements and security levels |
| IEEE 802.1Q | — |
| ISO 15848 | — |
| ISO 22000 | — |
| ISO 9001 | — |
| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| CCCS | Completeness, Consistency, Correctness, Stability |
| DLI | Daily Light Integral |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |
| Stakeholder | Relationship | Hex Code |
|---|---|---|
| Grower Technician | Primary operator — monitors crops, adjusts recipes, responds to alarms, daily inspections. Derived from Daily Growing Cycle and Sensor Drift scenarios. | 008502A8 |
| Facility Manager | Operations oversight — production scheduling, maintenance planning, energy cost decisions, food safety compliance, worker safety accountability. Derived from HVAC Failure and Crop Changeover scenarios. | — |
| Maintenance Technician | Preventive/corrective maintenance — HVAC, LEDs, sensors, pumps, CO2 system. Sensor calibration, actuator testing, lockout/tagout. Derived from Maintenance mode and Sensor Drift scenario. | — |
| Harvest Crew Worker | Manual harvesting and zone cleaning — non-technical, enters controlled zones, safety depends on controller maintaining safe conditions (CO2, temperature). Derived from Crop Changeover and Emergency scenarios. | — |
| Food Safety Auditor | External certification auditor — requires environmental data logs, HACCP records, sanitisation records, tamper-evident audit trails. 1-2 audits/year. Derived from regulatory compliance requirements. | — |
| Energy Utility/Grid Operator | Electricity provider — imposes demand charges, time-of-use tariffs, demand-response requests. Farm is 500kW-2MW load. Controller must manage peak demand coordination. | — |
| Controls System Integrator | Commissions, configures, maintains control system — PID tuning, alarm config, firmware updates, network architecture. Engineering-level access. Lifecycle stakeholder. | — |
| Category | Constraint |
|---|---|
| Physical | Operating temperature 18-28°C in growing zones, control cabinets in technical rooms at 15-35°C. Humidity 60-85% RH in zones (condensation risk on electronics). Zone-mounted sensors require IP65 minimum. Vibration from HVAC compressors up to 0.5g at mounting points. |
| Electromagnetic | LED drivers generate significant EMI at switching frequencies (50-200kHz). Variable-speed drives on HVAC fans and pumps produce conducted and radiated emissions. Controller must comply with EN 61326-1 (industrial EMC) and maintain immunity to ESD, EFT, and surge per IEC 61000-4 series. |
| Power | Three-phase 400V supply for HVAC and pumps, single-phase 230V for control systems. Total facility load 500kW-2MW. UPS required for control system (minimum 30-minute ride-through for graceful shutdown). Generator backup for critical safety systems. |
| Network | Ethernet backbone between zone controllers and central server (1Gbps). Field-level bus for sensors/actuators (Modbus RTU/TCP or BACnet). Cloud connectivity for remote monitoring (encrypted VPN). Cybersecurity per IEC 62443 for industrial control systems. |
| Regulatory | Food safety — HACCP principles, BRCGS/SQF certification for data logging and traceability. Worker safety — OSHA/HSE CO2 limits (5000ppm TWA, 30000ppm STEL), electrical safety per IEC 60204-1. Environmental — waste nutrient discharge regulations, chemical storage for pH adjustment chemicals. |
| Operational tempo | 24/7 continuous operation, 365 days/year. Crop cycles 21-42 days. Maintenance windows scheduled around crop cycles. Peak electrical demand during 16-18hr photoperiod. Harvest changeover every 3-6 weeks per zone on staggered schedule. |
| System | Interface | Hex Code |
|---|---|---|
| Building Management System | BACnet/IP, bidirectional — receives fire alarm status and weather data, provides energy consumption metrics. Owned by building operator. Update rate: event-driven for alarms, 5-minute polling for energy data. | 51F77B58 |
| Crop Planning/ERP Software | REST API (JSON), bidirectional — receives crop recipes and zone scheduling, provides environmental logs and harvest data. Owned by farm operator. Cloud-hosted, requires internet connectivity. | — |
| Energy Management/Smart Grid | OpenADR 2.0 for demand-response signals, Modbus TCP for local metering — receives pricing signals, DR requests, renewable availability; provides load forecasts and curtailment confirmation. Owned by utility/aggregator. | — |
| Cloud Monitoring Platform | MQTT/TLS or HTTPS — pushes 1-minute telemetry (sensors, actuators, alarms); receives anomaly alerts, growth predictions, configuration updates. Owned by controller vendor or farm IT. Requires internet, operates degraded-local if connectivity lost. | — |
| CO2 Bulk Supply System | 4-20mA for tank level and pressure, digital output for zone solenoid valves — monitors tank level for reorder trigger, controls enrichment delivery. Owned by gas supplier. Safety-critical: regulator failure drives H-001 hazard. | — |
| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: CO2 enrichment valve failure or sticking causes lethal CO2 accumulation (>40,000ppm) in enclosed growing zone — worker asphyxiation | catastrophic | low | SIL 3 | CO2 injection valves de-energised closed, emergency ventilation at maximum extraction rate, zone entry interlocked with CO2 level below 5000ppm |
| H-002: Nutrient solution leak or irrigation failure causes water accumulation near 400V electrical panels, LED drivers, or pump connections in high-humidity environment — worker electrocution | catastrophic | low | SIL 3 | earth leakage protection trips affected circuit within 30ms, water leak sensors de-energise zone electrical supply, maintenance lockout enforced |
| H-003: pH dosing pump failure causes over-concentrated acid/alkali in nutrient tank (pH <2 or >12); worker skin/eye contact during maintenance or from pressurised line rupture — chemical burns, eye damage | critical | medium | SIL 2 | dosing pumps de-energised, nutrient circulation stopped, tank drain to containment sump, chemical spill alarm activated |
| H-004: HVAC cooling failure combined with high-power LED operation causes zone temperature >45°C; LED driver thermal runaway risk — worker heat stress, crop destruction, potential fire | critical | low | SIL 2 | LED fixtures de-energised, emergency ventilation activated, zone temperature alarm at 35°C with automatic LED power reduction at 38°C |
| H-005: Irrigation valve fails open or tank overflow sensor failure causes uncontrolled water release across multi-storey structure — structural overload on growing racks, electrical shorts on lower floors, slip hazard | critical | medium | SIL 2 | irrigation supply valve closed, zone drain pumps activated, water leak sensors trigger floor-level electrical isolation |
| H-006: Airflow control failure or nutrient recirculation without sterilisation spreads pathogens (Botrytis, Fusarium, Pythium) between zones — multi-zone crop loss, food safety risk | major | medium | SIL 1 | affected zone HVAC dampers closed to isolate airflow, nutrient recirculation stopped for affected zones, UV sterilisation bypass alarm |
| H-007: Remote compromise of network-connected controller modifies environmental setpoints to lethal CO2 levels or destructive conditions — worker safety risk, total crop destruction, business disruption | catastrophic | rare | SIL 2 | hardware safety interlocks on CO2 and temperature operate independently of software controller, network segmentation isolates safety-critical controls from IT network |
```mermaid
flowchart TB
    n0["system<br>Vertical Farm Environment Controller"]
    n1["actor<br>Grower Technician"]
    n2["actor<br>Facility Manager"]
    n3["actor<br>Maintenance Technician"]
    n4["external<br>Building Management System"]
    n5["external<br>Crop Planning / ERP"]
    n6["external<br>Energy Management / Grid"]
    n7["external<br>Cloud Monitoring Platform"]
    n8["external<br>CO2 Bulk Supply System"]
    n9["actor<br>Harvest Crew"]
    n1 -->|Recipe adjustments, commands| n0
    n0 -->|Dashboard, alarms, analytics| n1
    n2 -->|Scheduling, overrides| n0
    n0 -->|KPI reports, fault alerts| n2
    n3 -->|Calibration, lockout, actuator test| n0
    n4 -->|Fire alarm, weather data| n0
    n0 -->|Energy consumption| n4
    n5 -->|Crop recipes, zone schedule| n0
    n0 -->|Environmental logs, harvest data| n5
    n6 -->|Pricing, DR requests| n0
    n0 -->|Load forecasts| n6
    n0 -->|Telemetry, sensor data| n7
    n7 -->|Anomaly alerts, predictions| n0
    n8 -->|Tank level, pressure| n0
    n0 -->|Valve control signals| n8
    n9 -->|Zone entry/exit| n0
    n0 -->|Zone status, safety conditions| n9
```
Vertical Farm Environment Controller — Context
```mermaid
flowchart TB
    n0["system<br>Vertical Farm Environment Controller"]
    n1["subsystem<br>Climate Management Subsystem"]
    n2["subsystem<br>Horticultural Lighting Subsystem"]
    n3["subsystem<br>Nutrient Management Subsystem"]
    n4["subsystem<br>CO2 Enrichment Subsystem"]
    n5["subsystem<br>Safety Interlock Subsystem"]
    n6["subsystem<br>Supervisory Control Subsystem"]
    n7["subsystem<br>Data Acquisition and Compliance Subsystem"]
    n8["subsystem<br>Zone Controller Network"]
    n0 --> n1
    n0 --> n2
    n0 --> n3
    n0 --> n4
    n0 --> n5
    n0 --> n6
    n0 --> n7
    n0 --> n8
    n8 -->|setpoints/feedback| n1
    n8 -->|PWM commands| n2
    n8 -->|dose/irrigate| n3
    n8 -->|valve commands| n4
    n6 -->|recipes/modes| n8
    n8 -->|sensor data| n7
    n5 -.->|CO2 trip| n4
    n5 -.->|thermal trip| n2
```
Vertical Farm Environment Controller — Decomposition
| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Climate Management Subsystem | Climate Management Subsystem — Internal | — | complete |
| Horticultural Lighting Subsystem | Horticultural Lighting Subsystem — Internal | SIL 2 | complete |
| Nutrient Management Subsystem | Nutrient Management Subsystem — Internal | SIL 2 | complete |
| CO2 Enrichment Subsystem | CO2 Enrichment Subsystem — Internal | SIL 3 | complete |
| Safety Interlock Subsystem | Safety Interlock Subsystem — Internal | SIL 3 | complete |
| Supervisory Control Subsystem | Supervisory Control Subsystem — Internal | — | complete |
| Data Acquisition and Compliance Subsystem | Data Acquisition and Compliance Subsystem — Internal | — | complete |
| Zone Controller Network | Zone Controller Network — Internal | — | complete |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The Vertical Farm Environment Controller SHALL provide zone-specific environmental dashboards displaying real-time temperature, humidity, CO2, PAR level, and nutrient status with update latency not exceeding 5 seconds. Rationale: Grower Technician, Daily Growing Cycle: Technician reviews dashboard at shift start to assess zone status and identify deviations requiring manual intervention. 5-second latency ensures displayed values reflect current conditions during walkthrough inspections. | Demonstration | stakeholder, stk-grower, session-462, idempotency:stk-grower-dashboard-462 |
| STK-REQ-002 | The Vertical Farm Environment Controller SHALL allow grower technicians to modify zone-specific crop recipe parameters (PAR intensity, photoperiod timing, temperature setpoints, nutrient EC/pH targets) from the HMI with changes taking effect within 60 seconds. Rationale: Grower Technician, Daily Growing Cycle: Technician adjusts Zone 5 lettuce PAR based on growth analytics. Recipe modifications must propagate quickly to zone controllers so the technician can verify the effect during the same visit. | Test | stakeholder, stk-grower, session-462, idempotency:stk-grower-recipe-462 |
| STK-REQ-003 | The Vertical Farm Environment Controller SHALL provide the facility manager with estimated crop yield impact within 10 minutes of any environmental excursion exceeding zone setpoint tolerances. Rationale: Facility Manager, HVAC Failure: Manager needs to assess production impact of thermal excursions to make degraded-mode operational decisions (e.g., accept reduced yield vs. emergency HVAC procurement). | Test | stakeholder, stk-manager, session-462, idempotency:stk-manager-yield-impact-462 |
| STK-REQ-004 | The Vertical Farm Environment Controller SHALL enable the facility manager to schedule maintenance windows per zone without disrupting active crop cycles in adjacent zones. Rationale: Facility Manager, Crop Changeover: Production scheduling requires per-zone maintenance windows that do not cascade environmental disturbances to neighbouring zones through shared HVAC or nutrient systems. | Demonstration | stakeholder, stk-manager, session-462, idempotency:stk-manager-scheduling-462 |
| STK-REQ-005 | The Vertical Farm Environment Controller SHALL support sensor calibration routines with guided procedures, automatic logging of calibration events, and comparison against reference standards for the maintenance technician. Rationale: Maintenance Technician, Sensor Drift: pH sensor drift scenario demonstrates that routine calibration is essential. Guided procedures with reference comparison reduce calibration errors. Automatic logging creates maintenance audit trail required by food safety standards. | Demonstration | stakeholder, stk-maintenance, session-462, idempotency:stk-maint-calibration-462 |
| STK-REQ-006 | The Vertical Farm Environment Controller SHALL provide maintenance lockout/tagout capability per zone, preventing automatic actuator operation in isolated zones while allowing adjacent zones to continue automated operation. Rationale: Maintenance Technician, Maintenance mode: Technician must safely access zone equipment (LEDs, pumps, HVAC components) without risk of automatic actuator activation. Zone isolation must not compromise adjacent zone control. | Test | stakeholder, stk-maintenance, session-462, idempotency:stk-maint-lockout-462 |
| STK-REQ-007 | The Vertical Farm Environment Controller SHALL maintain zone CO2 concentration below 5000 ppm TWA and temperature below 35°C whenever harvest crew personnel are present in a growing zone. Rationale: Harvest Crew Worker, Crop Changeover and CO2 Emergency: Non-technical harvest crew cannot be expected to monitor environmental conditions. Controller must guarantee safe atmospheric conditions during occupied periods. 5000ppm is OSHA TWA limit; 35°C is heat stress threshold for moderate physical work. | Test | stakeholder, stk-harvest-crew, session-462, idempotency:stk-harvest-safety-462 |
| STK-REQ-008 | The Vertical Farm Environment Controller SHALL switch zones to worker-comfort mode (22°C, 50% white light, CO2 enrichment off) when harvest crew zone entry is confirmed, and prevent return to production mode until crew exit is confirmed. Rationale: Harvest Crew Worker, Crop Changeover: Harvest crew enters Zone 1 for lettuce harvest — controller transitions to comfortable working conditions. Two-state interlock (entry/exit confirmed) prevents premature return to production conditions with high CO2 or extreme lighting. | Demonstration | stakeholder, stk-harvest-crew, session-462, idempotency:stk-harvest-comfort-462 |
| STK-REQ-009 | The Vertical Farm Environment Controller SHALL maintain tamper-evident, time-stamped environmental data logs with minimum 2-year retention covering temperature, humidity, CO2, pH, EC, and irrigation events for all zones, accessible for food safety audit within 4 hours of request. Rationale: Food Safety Auditor: BRCGS/SQF certification requires demonstrated environmental control with auditable records. HACCP principles demand continuous monitoring logs. 2-year retention covers multiple audit cycles. 4-hour retrieval supports audit day workflow. | Inspection | stakeholder, stk-auditor, session-462, idempotency:stk-auditor-logs-462 |
| STK-REQ-010 | The Vertical Farm Environment Controller SHALL generate HACCP-compliant deviation reports identifying any period where environmental parameters exceeded food-safety-critical thresholds, including corrective actions taken. Rationale: Food Safety Auditor: Auditors require documentation of deviations and corrective actions per HACCP Principle 5. Automated report generation ensures consistent documentation and reduces audit preparation workload. | Inspection | stakeholder, stk-auditor, session-462, idempotency:stk-auditor-haccp-462 |
| STK-REQ-011 | The Vertical Farm Environment Controller SHALL respond to OpenADR 2.0 demand-response signals by curtailing non-critical electrical loads (lighting dimming, HVAC setpoint relaxation) within 5 minutes while maintaining crop-safe environmental boundaries. Rationale: Energy Utility/Grid Operator, Daily Growing Cycle: 500kW-2MW facility load incurs significant demand charges. Demand response participation requires automated load shedding within utility-specified response windows while protecting crop viability. | Test | stakeholder, stk-utility, session-462, idempotency:stk-utility-dr-462 |
| STK-REQ-012 | The Vertical Farm Environment Controller SHALL provide the energy utility with 15-minute-interval load forecasts at least 1 hour ahead and confirm curtailment actions within 60 seconds of demand-response event acknowledgement. Rationale: Energy Utility/Grid Operator: Utility requires load predictability for grid balancing. 15-minute intervals match smart meter granularity. 1-hour forecast horizon enables utility dispatch planning. 60-second curtailment confirmation meets OpenADR fast-DR requirements. | Test | stakeholder, stk-utility, session-462, idempotency:stk-utility-forecast-462 |
| STK-REQ-013 | The Vertical Farm Environment Controller SHALL provide the controls system integrator with documented configuration interfaces for PID tuning parameters, alarm thresholds, network topology, and zone-to-controller mapping, with all configuration changes version-controlled and auditable. Rationale: Controls System Integrator: Commissioning and lifecycle maintenance requires structured access to control parameters. Version-controlled configuration prevents undocumented changes that could cause environmental excursions after maintenance visits. | Inspection | stakeholder, stk-integrator, session-462, idempotency:stk-integrator-config-462 |
| STK-REQ-014 | The Vertical Farm Environment Controller SHALL support remote firmware updates for zone controllers with rollback capability, executing updates only during scheduled maintenance windows and requiring operator authorisation. Rationale: Controls System Integrator: Firmware updates are necessary for bug fixes and feature additions over 15-20 year system life. Rollback prevents bricking zone controllers. Maintenance window restriction prevents updates during active crop cycles. Operator authorisation prevents unauthorised changes per IEC 62443. | Test | stakeholder, stk-integrator, session-462, idempotency:stk-integrator-firmware-462 |
| STK-REQ-015 | The Vertical Farm Environment Controller SHALL operate within electromagnetic emission limits per EN 61326-1 and maintain control accuracy within specified tolerances when exposed to ESD, EFT, and surge transients per IEC 61000-4 series in the presence of LED drivers and variable-speed drives. Rationale: Environment as stakeholder, Electromagnetic constraint: LED drivers (50-200kHz switching) and VSD-equipped HVAC fans generate significant EMI. Controller sensors and communication buses must maintain signal integrity in this electrically noisy environment to prevent false readings or control errors. | Test | stakeholder, stk-environment, session-462, idempotency:stk-env-emc-462 |
| STK-REQ-016 | The Vertical Farm Environment Controller SHALL maintain safe environmental conditions in all zones during and after loss of external network connectivity for a minimum of 72 hours using locally stored crop recipes and control parameters. Rationale: Environment as stakeholder, Network constraint: Cloud connectivity supports monitoring and analytics but crop safety cannot depend on internet availability. 72-hour autonomy covers typical ISP outage resolution time and ensures crop cycles are not interrupted by IT infrastructure failures. | Test | stakeholder, stk-environment, session-462, idempotency:stk-env-network-resilience-462 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The Vertical Farm Environment Controller SHALL maintain zone temperature within ±1.0°C of crop recipe setpoint during Production Operation, with control loop response time not exceeding 120 seconds for a 2°C step disturbance. Rationale: Derived from grower technician need for precise zone-specific climate control. ±1°C tolerance is the threshold below which leafy green growth rate variation remains within 5% of optimal. 120-second response to 2°C step prevents thermal accumulation that would trigger yield impact estimates. | Test | rt-mechanical-trace, red-team-session-480 |
| SYS-REQ-002 | The Vertical Farm Environment Controller SHALL maintain zone relative humidity within ±5% RH of crop recipe setpoint during Production Operation, and shall not permit humidity to exceed 90% RH in any zone to prevent condensation on LED fixtures and electronics. Rationale: Derived from grower technician zone control need and physical environment constraint. ±5% RH is achievable with dehumidification control. 90% RH ceiling prevents condensation at the dew point difference present when zone air meets cooler electronic surfaces, avoiding H-002 electrocution hazard pathway. | Test | system, climate, session-462, idempotency:sys-humidity-control-462 |
| SYS-REQ-003 | The Vertical Farm Environment Controller SHALL regulate zone CO2 concentration within ±50 ppm of crop recipe setpoint during enrichment periods, and SHALL NOT permit CO2 concentration to exceed 3000 ppm under software control in any zone. Rationale: Derived from grower technician recipe management and H-001 CO2 asphyxiation hazard. ±50ppm is achievable with NDIR sensors and proportional solenoid control. 3000ppm software ceiling provides margin below the 5000ppm OSHA TWA limit, with hardware interlock at 5000ppm as independent backup per SIL 3 allocation. | Test | rt-mechanical-trace, red-team-session-480 |
| SYS-REQ-004 | When zone CO2 concentration exceeds 5000 ppm as measured by the independent safety-rated CO2 sensor, the safety interlock subsystem SHALL de-energise all CO2 injection solenoid valves and activate emergency ventilation within 2 seconds, independent of the software controller. Rationale: H-001 drives SIL 3: CO2 enrichment valve failure could cause lethal accumulation. Hardware interlock must operate independently of software controller to achieve SIL 3 integrity. 2-second response limits CO2 rise rate in enclosed zone volume. 5000ppm trigger is OSHA TWA limit. | Test | rt-mechanical-trace, red-team-session-480 |
| SYS-REQ-005 | The Vertical Farm Environment Controller SHALL control zone LED lighting intensity within ±5% of crop recipe PAR setpoint (range 100-600 µmol/m²/s) and execute photoperiod transitions (on/off ramps) over a configurable 5-30 minute ramp period. Rationale: Derived from grower technician recipe adjustment need. ±5% PAR accuracy ensures consistent daily light integral (DLI) for crop quality. 5-30 minute ramp prevents thermal shock to LED drivers and avoids instantaneous 200kW load steps that would trigger demand charges. | Test | system, lighting, session-462, idempotency:sys-lighting-control-462 |
| SYS-REQ-006 | The Vertical Farm Environment Controller SHALL regulate nutrient solution pH within ±0.2 of crop recipe setpoint and EC within ±0.1 mS/cm of setpoint, with dosing pump stroke volume not exceeding 2% of tank volume per injection to prevent overshoot. Rationale: Derived from grower technician nutrient management and H-003 chemical burn hazard. ±0.2 pH keeps nutrient availability within crop tolerance band. 2% stroke volume limit prevents pH overshoot that could drive tank below pH 2 from a single dose event, supporting the SIL 2 safe state requirement. | Test | rt-mechanical-trace, red-team-session-480 |
| SYS-REQ-007 | When pH dosing pump cumulative injection exceeds 5% of tank volume within any 10-minute window without pH reaching the target band, the Vertical Farm Environment Controller SHALL suspend dosing, alarm the operator, and log the event as a potential sensor drift condition. Rationale: H-003 drives SIL 2: Runaway dosing from drifted sensor could produce dangerous acid/alkali concentrations. Cumulative volume limit detects sensor drift scenario from Nutrient Sensor Drift ConOps scenario. Suspension prevents tank reaching corrosive pH before operator intervention. | Test | system, sil-2, safety, nutrient, session-462, idempotency:sys-dosing-protection-462 |
| SYS-REQ-008 | When a zone HVAC compressor trips, the Vertical Farm Environment Controller SHALL automatically reduce LED power in the affected zone by at least 40% within 60 seconds and increase extraction fan speed to maximum, while compensating adjacent zone HVAC loads to maintain their setpoints. Rationale: Derived from HVAC Failure scenario and H-004 thermal hazard. LED heat is the dominant internal load in growing zones; 40% LED reduction cuts thermal input by approximately 40kW per zone, buying 2-4 hours before temperature exceeds crop damage threshold. Adjacent zone compensation prevents cascading degradation. | Test | system, sil-2, degraded, session-462, idempotency:sys-hvac-degraded-462 |
| SYS-REQ-009 | When LED fixture surface temperature exceeds 85°C or zone temperature exceeds 38°C, the Vertical Farm Environment Controller SHALL de-energise affected LED circuits within 5 seconds to prevent thermal runaway. Rationale: H-004 drives SIL 2: HVAC failure combined with high-power LED operation creates thermal runaway risk. 85°C fixture temperature is 15°C below typical LED driver thermal shutdown. 38°C zone temperature provides margin below 45°C crop destruction and fire risk threshold. | Test | system, sil-2, safety, session-462, idempotency:sys-thermal-protection-462 |
| SYS-REQ-010 | The Vertical Farm Environment Controller SHALL detect irrigation valve stuck-open conditions within 30 seconds using flow meter feedback and close the upstream zone isolation valve, activating floor-level drain pumps within 60 seconds. Rationale: H-005 drives SIL 2: Uncontrolled water release in a multi-storey structure risks structural overload and electrical shorts on lower floors. 30-second detection window limits water volume to approximately 50 litres at typical irrigation flow rates, within floor drain capacity. | Test | system, sil-2, safety, session-462, idempotency:sys-water-leak-462 |
| SYS-REQ-011 | The Vertical Farm Environment Controller SHALL log all environmental parameters (temperature, humidity, CO2, PAR, pH, EC, flow rates) at minimum 1-minute intervals per zone with UTC timestamps, cryptographic integrity verification, and local storage capacity for minimum 90 days of full-resolution data. Rationale: Derived from STK-REQ-009 (auditor log integrity) and STK-REQ-010 (HACCP-compliant deviation reports). Cryptographic signing (tamper-evident) requires Test: the signing mechanism must be exercised and a tampered log entry must be rejected. The 2-year retention requirement requires Test: sustained logging at 1-minute intervals per zone must be verified under realistic data volume to confirm retention policy enforcement. Inspection of code or specification alone cannot confirm correct crypto verification behaviour or that old records are not silently dropped when storage fills. | Test | rt-mechanical-trace, red-team-session-480 |
| SYS-REQ-012 | The Vertical Farm Environment Controller SHALL respond to OpenADR 2.0 demand-response events by executing a pre-configured load curtailment profile within 5 minutes, reducing facility electrical demand by at least 30% while maintaining zone temperatures within 4°C of setpoint and CO2 within safe limits. Rationale: Derived from energy utility demand response need. 30% curtailment from 1MW baseline saves approximately £150/event in avoided demand charges at UK industrial tariffs. 4°C temperature relaxation is the maximum short-duration excursion that does not trigger yield impact for leafy greens. | Test | system, energy, session-462, idempotency:sys-demand-response-462 |
| SYS-REQ-013 | The Vertical Farm Environment Controller SHALL execute the emergency shutdown sequence (CO2 valve closure, emergency ventilation, non-essential load de-energisation) within 3 seconds of any safety interlock trigger, and SHALL require two-person reset (physical key plus software acknowledgement) before returning to Production Operation. Rationale: Derived from CO2 Leak Emergency scenario and harvest crew safety need. 3-second total sequence time limits CO2 accumulation. Two-person reset prevents premature restart before hazard is verified cleared, aligning with IEC 62061 requirements for safety function reset. | Test | system, sil-3, safety, session-462, idempotency:sys-emergency-shutdown-462 |
| SYS-REQ-014 | The Vertical Farm Environment Controller SHALL isolate zone airflow (HVAC dampers closed) and nutrient recirculation when pathogen contamination is detected or suspected, and SHALL activate UV sterilisation on affected nutrient lines within 5 minutes. Rationale: H-006 drives SIL 1: Uncontrolled pathogen spread between zones via shared air or nutrient systems causes multi-zone crop loss and food safety risk. Airflow isolation prevents aerosol transmission. Nutrient isolation prevents waterborne pathogen spread. UV treatment inactivates common hydroponic pathogens (Pythium, Fusarium). | Test | system, sil-1, biosecurity, session-462, idempotency:sys-pathogen-isolation-462 |
| SYS-REQ-015 | The Vertical Farm Environment Controller safety-critical control functions (CO2 interlock, thermal protection, water leak detection) SHALL be implemented on hardware independent of the supervisory software controller, with a mean time to dangerous failure (MTTFd) of at least 150 years per safety function. Rationale: IEC 61508 SIL-3 requires that hardware independence of the safety system be demonstrated, not merely analysed. The independence claim — that supervisory software failure cannot affect the safety PLC — must be demonstrated by: (1) crashing the supervisory software while the Safety PLC is executing interlock logic, and confirming no interlock state change occurs; (2) disconnecting the data-diode network path and confirming the Safety PLC continues normal operation. Analysis of the architecture alone cannot confirm there are no undocumented shared resources (power rails, communication buses, or firmware update paths) between the supervisory system and the SIL-3 Safety PLC. | Test | rt-mechanical-trace, red-team-session-480 |
| SYS-REQ-016 | The Vertical Farm Environment Controller SHALL complete zone sanitisation sequence verification (peracetic acid contact time, rinse water pH/EC confirmation, drain completion) before permitting new crop recipe activation, blocking germination phase until all verification criteria pass. Rationale: Derived from Crop Changeover scenario: Sanitisation chemical residue on new crop is a food safety risk. EC/pH sensors verify rinse completeness. Blocking germination phase prevents planting into contaminated media, which would result in crop loss and potential food safety violation. | Demonstration | system, compliance, changeover, session-462, idempotency:sys-sanitation-verify-462 |
| SYS-REQ-017 | When the primary Vertical Farm Environment Controller processing node fails, the system SHALL restore zone regulation functions (temperature, CO2, pH, and lighting) from a warm-standby node within 30 seconds, with no more than one missed control cycle per zone. Rationale: UHT classifies the vertical farm environment controller (D1F77818) as System-Essential (bit 16). A single point of failure at the top-level controller results in simultaneous loss of all environmental regulation across all zones, risking crop loss within hours for temperature-sensitive cultivars. | Test | idempotency:qc-468-vfec-redundancy |
| SYS-REQ-018 | The Vertical Farm Environment Controller SHALL provide a supervisory HMI displaying real-time zone status (temperature, humidity, CO2, pH, lighting intensity) with alert acknowledgement within 3 user interactions, accessible from any network-connected browser without additional software installation. Rationale: STK-REQ-002 identifies farm operators as needing a system that allows easy monitoring and adjustment. The 3-interaction acknowledgement limit and browser-native access derive from operator usability research for industrial HMI: operators wearing gloves or using shared terminals need minimal click-through paths. | Demonstration | idempotency:qc-468-hmi-sys-req |
| SYS-REQ-019 | The Vertical Farm Environment Controller SHALL comply with IEC 61000-4 series immunity standards (surge, EFT, ESD, conducted, and radiated) at immunity test levels specified by IEC 61000-6-2 for industrial environments. Rationale: Vertical farm controllers operate in an electrically noisy industrial environment with variable-speed drives, switching power supplies, and CO2 solenoid valves generating conducted and radiated emissions. IEC 61000-6-2 sets the industrial immunity benchmark; compliance ensures the controller does not misread sensor data or fail to execute safety shutdowns during EMC disturbances. | Test | idempotency:qc-468-emc-sys-req |
| SYS-REQ-020 | The Vertical Farm Environment Controller SHALL store a minimum of 200 crop recipes and their associated control parameters in local non-volatile storage and SHALL continue autonomous zone regulation from stored recipes for a minimum of 72 hours following loss of network connectivity to external systems. Rationale: STK-REQ-016 requires locally stored crop recipes and control parameters. The 200-recipe minimum covers expected commercial cultivar variety. The 72-hour autonomous operation target derives from worst-case ISP outage duration at rural agricultural sites where fibre restoration typically takes 24-48 hours. | Test | idempotency:qc-468-local-storage-sys-req |
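The emergency shutdown and two-person reset behaviour required by SYS-REQ-013, as an added illustration that is not part of the generated report: a small Python state machine that demands the three shutdown actions on any interlock trigger, holds the safe state while any trigger remains active, and returns to Production Operation only when both the physical key reset and the software acknowledgement have been given. Class, method and signal names are assumptions, not identifiers from the report.

```python
"""Emergency shutdown state machine with two-person reset (SYS-REQ-013).

Added example, not the report's own design. Models: any interlock trigger
executes the full shutdown sequence (CO2 valve closure, emergency ventilation,
non-essential load de-energisation); the safe state is held until the hazard
has cleared AND a physical key reset AND a software acknowledgement are given.
Names of classes, methods and signals are illustrative assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Mode(Enum):
    PRODUCTION = "Production Operation"
    EMERGENCY_SHUTDOWN = "Emergency Shutdown"   # trigger condition still present
    RESET_PENDING = "Reset Pending"             # hazard cleared; awaiting two-person reset


# Ordered shutdown actions from SYS-REQ-013; every trip demands all three.
SHUTDOWN_SEQUENCE = (
    "co2_valve_close",
    "emergency_ventilation_on",
    "non_essential_loads_off",
)


@dataclass
class EmergencyShutdownController:
    mode: Mode = Mode.PRODUCTION
    active_triggers: Set[str] = field(default_factory=set)
    key_reset: bool = False                       # physical key turned at the panel
    software_ack_by: Optional[str] = None         # operator identity of the HMI acknowledgement
    outputs: dict = field(default_factory=lambda: {a: False for a in SHUTDOWN_SEQUENCE})
    log: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    def interlock_trigger(self, source: str) -> tuple:
        """Any interlock trigger demands the full sequence, even if already tripped."""
        self.active_triggers.add(source)
        # A fresh trigger discards any half-completed reset: both halves must be
        # given again after the new hazard is verified cleared.
        self.key_reset = False
        self.software_ack_by = None
        for action in SHUTDOWN_SEQUENCE:
            self.outputs[action] = True
        self.mode = Mode.EMERGENCY_SHUTDOWN
        self.log.append(("trip", source))
        return SHUTDOWN_SEQUENCE

    def interlock_cleared(self, source: str) -> None:
        """Field condition no longer present; the safe state is still held."""
        self.active_triggers.discard(source)
        if not self.active_triggers and self.mode is Mode.EMERGENCY_SHUTDOWN:
            self.mode = Mode.RESET_PENDING
        self.log.append(("cleared", source))

    def physical_key_reset(self) -> Mode:
        """Key turn is only accepted once every trigger has cleared."""
        if self.mode is Mode.RESET_PENDING:
            self.key_reset = True
            self.log.append(("key_reset", None))
        return self._try_restore()

    def software_acknowledge(self, operator: str) -> Mode:
        """HMI acknowledgement; on its own it never restores production."""
        if self.mode is Mode.RESET_PENDING:
            self.software_ack_by = operator
            self.log.append(("sw_ack", operator))
        return self._try_restore()

    def _try_restore(self) -> Mode:
        """Return to Production only with both reset halves and no active trigger."""
        if (self.mode is Mode.RESET_PENDING and self.key_reset
                and self.software_ack_by and not self.active_triggers):
            for action in SHUTDOWN_SEQUENCE:
                self.outputs[action] = False
            self.key_reset = False
            self.software_ack_by = None
            self.mode = Mode.PRODUCTION
            self.log.append(("restore", None))
        return self.mode
```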
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The CO2 Safety Sensor Array SHALL provide an independent CO2 measurement for each zone, achieving accuracy of ±50 ppm across the 0–10,000 ppm range at a sample rate of 1 Hz, using electrochemical or NDIR sensor technology rated to IEC 61508 SIL 3. Rationale: SYS-REQ-004 mandates an independent safety-rated CO2 sensor separate from the process dosing sensor. Independence prevents common-cause failure: if the process sensor drifts and causes CO2 overdose, the safety sensor provides the credible measurement to trigger the interlock. ±50 ppm accuracy is the specification minimum to discriminate the 5000 ppm trip threshold from normal 1000–2000 ppm operating range. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-co2-sensor-accuracy-463 |
| SUB-REQ-002 | The CO2 Safety Sensor Array SHALL implement 2-out-of-3 (2oo3) voting across three independently powered sensor channels per zone, such that a single sensor failure does not suppress the CO2 interlock nor generate a spurious trip. Rationale: IEC 61511 SIL 3 requires voted redundancy to achieve the required probability of failure on demand (PFD < 10^-3). 2oo3 provides both high availability (tolerates one sensor fail-safe) and high reliability (requires two sensors to agree before triggering, preventing spurious shutdown). This balances crop protection against nuisance trips. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-co2-sensor-voting-463 |
| SUB-REQ-003 | The Safety PLC SHALL be certified to IEC 61508 SIL 3 using a 2oo2 dual-core architecture with cross-checking, achieving a hardware fault tolerance HFT=1 and diagnostic coverage DC > 99%, with a safe failure fraction SFF > 99%. Rationale: IEC 61508 SIL-3 certification requires physical demonstration of the hardware fault tolerance (HFT=1) and diagnostic coverage (DC>99%) claims, not architectural analysis alone. Verification method changed from Analysis to Inspection: confirm the third-party IEC 61508 SIL-3 certification certificate issued by a Notified Body (TÜV, Bureau Veritas, or equivalent) is present in the project safety case dossier. The certificate must explicitly state SIL-3 capability, the 2oo2 dual-core architecture, HFT=1, DC>99%, and SFF>99%. Certificate inspection satisfies IEC 61511 Clause 11.6.3 which accepts SIL-certified equipment via documented prior use or third-party certification. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-safety-plc-sil3-463 |
| SUB-REQ-004 | The Safety PLC SHALL complete each execution scan within 50 ms, with a hardware watchdog that forces a safe-state transition if scan completion is not confirmed within 100 ms. Rationale: SYS-REQ-004 requires CO2 interlock action within 30 seconds. The 50ms scan cycle provides 600 evaluation cycles within the 30s window, ensuring the interlock logic responds promptly to sensor threshold crossings. The 100ms watchdog ensures software freeze cannot prevent actuator de-energisation, meeting IEC 61511 requirements for safe-state enforcement. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-safety-plc-scan-463 |
| SUB-REQ-005 | The Voted Logic Engine SHALL evaluate the following trip conditions on every scan and assert the corresponding interlock within the specified response time: CO2 > 5000 ppm (30s), LED surface temperature > 85°C (10s), zone temperature > 38°C (10s), pH dosing excess injection > 5% tank volume in 10 min (5s), emergency stop button pressed (1s). Rationale: These thresholds and response times are derived directly from SYS-REQ-004, SYS-REQ-007, SYS-REQ-009, and SYS-REQ-013. Grouping all interlock conditions in a single voted logic engine ensures prioritisation conflicts are resolved deterministically. Response times are set to prevent physiological CO2 harm (>30s exposure at >5000 ppm), thermal fixture damage, and crop contamination from excess pH dosing. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-voted-logic-trips-463 |
| SUB-REQ-006 | When any interlock trip condition is asserted, the Safety Interlock Subsystem SHALL transition all affected zone outputs to the safe state within the condition-specific response time: CO2 isolation valve CLOSED, emergency ventilation OPEN, LED array circuit breakers OPEN, irrigation isolation valves CLOSED. The safe state SHALL be maintained until an authorised operator manually resets the interlock at the Safety PLC HMI. Rationale: IEC 61511 requires each SIF to have a defined safe state and a means of demanding that state. De-energised final elements (NC valves closed, NO contactors open) implement fail-safe design: loss of power, wiring break, or PLC failure automatically demands the safe state without active intervention. Manual reset prevents automatic restart into a hazardous condition before root cause is identified. | Demonstration | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-safe-state-def-463 |
| SUB-REQ-007 | The Hardwired Trip Bus SHALL operate entirely via discrete 24VDC relay circuits independent of any fieldbus (MODBUS, Ethernet, CAN), such that failure, disconnection, or compromise of any digital communication network cannot inhibit or delay interlock actuation. Rationale: SYS-REQ-015 mandates that safety-critical control functions operate independently of the process control network. A cyber event, network flood, or switch failure that disables MODBUS must not prevent CO2 interlock actuation. Hardwired relay independence is the fundamental SIL 3 isolation mechanism required by IEC 61511 clause 11.6 (independence of safety-critical systems). | Inspection | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-trip-bus-isolation-463 |
| SUB-REQ-008 | The Lockout Tagout Controller SHALL prevent energisation of any zone equipment when a LOTO key for that zone is checked out, and SHALL generate an audible and visual alarm (amber beacon and buzzer) if re-energisation is attempted while a key remains outstanding. Rationale: STK-REQ-006 requires lockout/tagout capability for maintenance. OSHA 29 CFR 1910.147 mandates that LOTO devices prevent equipment re-energisation. Hardware enforcement (key-switch interlocked with Safety PLC) is required because software-only LOTO cannot achieve the required reliability — a software bug or reboot could re-enable outputs, endangering maintenance personnel working inside the zone. | Demonstration | subsystem, safety-interlock, sil-1, session-463, idempotency:sub-loto-enforcement-463 |
| SUB-REQ-009 | The Safety PLC SHALL be connected to the process control network via a unidirectional data diode or certified firewall only, such that no inbound network command can modify interlock logic, trip thresholds, or safe-state outputs at runtime. Rationale: SYS-REQ-015 requires safety functions to operate independently from the process network. A bidirectionally connected Safety PLC is vulnerable to command injection via MODBUS write coils — an attacker or software bug could disable the CO2 interlock remotely. The data diode or certified gateway enforces one-way diagnostic export while preventing any inbound control path, as required by IEC 62443 for safety-instrumented systems. | Inspection | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-plc-network-isolation-463 |
| SUB-REQ-010 | The Voted Logic Engine SHALL log every interlock state transition — including timestamp (UTC, ±1s accuracy), trigger condition, sensor readings at time of trip, and operator reset identity — to non-volatile memory with capacity for a minimum of 10,000 events, retained through power loss. Rationale: STK-REQ-009 requires tamper-evident environmental records and SYS-REQ-011 requires event logging. Interlock event logs are primary evidence for regulatory investigations (OSHA incident reports, HACCP deviations, insurance claims). Non-volatile storage ensures logs survive a power trip caused by the interlock itself. 10,000 events covers >27 years at one event per day, or >2 years at 15 events per day. | Test | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-voted-logic-audit-463 |
| SUB-REQ-011 | The Safety Interlock Subsystem SHALL support a periodic proof test sequence at intervals not exceeding 12 months, exercising all CO2 sensor channels, voted logic trip conditions, relay outputs, and final element positions, with test results automatically logged and accessible for regulatory review. Rationale: IEC 61511 clause 16 requires a proof test interval to detect dangerous undetected failures and maintain the SIL 3 PFD target. Cross-domain analog with nuclear SIL-3 safety logic processors (hex D1B77858) confirms proof test scheduling as a mandatory lifecycle requirement. Without periodic proof testing, latent failures in the hardwired trip bus or sensor channels will accumulate until the SIL 3 PFD target is exceeded. 12-month interval is the maximum permitted under the PFD calculation for this SIL 3 SIF with the selected architecture. | Demonstration | subsystem, safety-interlock, sil-3, session-463, idempotency:sub-proof-test-463 |
| SUB-REQ-012 | The CO2 Injection Controller SHALL execute a per-zone PID control loop with update period ≤100 ms, adjusting Zone Solenoid Valve duty cycle to maintain CO2 concentration within ±50 ppm of the zone setpoint during steady-state enrichment. Rationale: SYS-REQ-003 requires ±50 ppm regulation. The 100ms scan rate is derived from the CO2 injection dynamics: at maximum flow rate the concentration in a 40m³ zone can rise at ~150 ppm/min, so a 100ms control cycle provides >100 samples per ppm rise, giving the PID loop adequate resolution to prevent overshoot. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-013 | The CO2 Injection Controller SHALL accept zone CO2 concentration setpoints in the range 400–2000 ppm at ±1 ppm resolution via Modbus TCP/IP from the Supervisory Control Subsystem, with any setpoint command rejected and alarmed if it falls outside the crop-safe range defined in the active zone recipe. Rationale: SYS-REQ-003 bounds software-controlled CO2 to ≤3000 ppm. Clamping setpoint acceptance at 2000 ppm provides a 1000 ppm margin below the software limit, preventing operator or recipe error from approaching the safety threshold. 400 ppm floor represents atmospheric baseline. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ctrl-setpoint-465 |
| SUB-REQ-014 | The CO2 Injection Controller SHALL command all Zone Solenoid Valves to close when any zone CO2 concentration measurement from the Zone NDIR CO2 Sensor Array exceeds 2800 ppm, and SHALL NOT reopen valves until concentration falls below 2500 ppm, implementing an independent software-level concentration ceiling. Rationale: SYS-REQ-003 prohibits software-controlled CO2 exceeding 3000 ppm. The 2800 ppm trip and 2500 ppm reset provide 200 ppm and 500 ppm margins respectively, with hysteresis to prevent valve chatter. This software ceiling is complementary to — and does not replace — the SIL-3 hardware trip at 5000 ppm. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ctrl-ceiling-465 |
| SUB-REQ-015 | The Zone NDIR CO2 Sensor Array SHALL provide CO2 concentration measurements in the range 300–3000 ppm with accuracy ±100 ppm (or ±3% of reading, whichever is greater) at 1 Hz sample rate per zone, maintaining accuracy within the specified limits across the temperature range 18–35°C and 40–90% relative humidity. Rationale: ±100 ppm accuracy aligns with the PID controller's ±50 ppm regulation target (2× margin), accounting for sensor drift between calibrations. Temperature and humidity ranges reflect vertical farm grow-room conditions. NDIR technology is preferred over electrochemical for process sensing due to superior stability and lower maintenance than the safety sensors. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-016 | The Zone NDIR CO2 Sensor Array SHALL perform automatic single-point calibration against atmospheric CO2 (nominally 420 ppm) when the grow zone has been unoccupied and ventilated to ambient for ≥30 minutes, with calibration logged including timestamp and pre/post calibration readings. Rationale: NDIR sensors drift over time due to LED aging; automatic recalibration during scheduled zone transitions (harvest, replanting) maintains measurement accuracy without manual intervention. Logging enables drift trend analysis and maintenance scheduling. | Demonstration | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ndir-cal-465 |
| SUB-REQ-017 | The Zone Solenoid Valve Array SHALL achieve a de-energised (closed) state within 500 ms of removal of 24VDC supply, with a spring-return mechanism that maintains the closed position against manifold pressure up to 3 bar without energisation. Rationale: 500 ms valve closure time is driven by the SIL-3 safety loop response budget: SYS-REQ-004 requires full system response (sense + trip + valve close) within 2 seconds; the safety PLC scan budget is ≤50 ms (SUB-REQ-004), leaving 1450 ms for hardwired relay actuation plus valve stroke. Fail-closed on de-energisation is mandatory for CO2 systems to prevent uncontrolled enrichment on power loss. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-3, idempotency:sub-co2-valve-closure-465 |
| SUB-REQ-018 | While de-energised, the Zone Solenoid Valve Array SHALL exhibit a seat leakage rate of ≤0.001 cm³/min at 1.5 bar differential pressure, tested per ISO 15848 Class AH, to prevent CO2 seepage into occupied zones during valve-closed conditions. Rationale: CO2 leakage through closed valves can cause slow concentration creep; at 0.001 cm³/min per valve across 12 zones the total leakage is negligible relative to zone volume (40m³), preventing any measurable rise over an 8-hour unoccupied period. Class AH per ISO 15848 provides an industry-standard leakage acceptance criterion for gas service. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-valve-leak-465 |
| SUB-REQ-019 | The CO2 Distribution Manifold SHALL maintain zone injection pressure at 1.5 bar ±0.1 bar via a pressure-reducing valve, with a relief valve set to open at 2.5 bar, for all CO2 flow conditions between zero and maximum simultaneous injection to all zones. Rationale: 1.5 bar injection pressure is the design operating point for the solenoid valves' Cv 0.5 rating; ±0.1 bar variance limits flow variation across zones to <7%. Relief valve at 2.5 bar protects valve seals and fittings rated to 3 bar, providing 0.5 bar margin. These values are derived from the valve manufacturers' pressure ratings. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-manifold-pressure-465 |
| SUB-REQ-020 | The CO2 Distribution Manifold wetted surfaces SHALL be constructed from SS316 stainless steel or PTFE, with all joints using face-seal fittings (Swagelok or equivalent), and SHALL be pressure-tested to 1.5× maximum operating pressure (2.25 bar) before first use. Rationale: SS316 and PTFE are compatible with high-purity CO2 gas and resist moisture condensation in humid grow-room environments. Face-seal fittings eliminate threaded connections that can work loose from vibration. Pressure test at 1.5× is the standard hydrostatic test factor for piping systems per EN 13480. | Inspection | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-manifold-material-465 |
| SUB-REQ-021 | When a Zone NDIR CO2 Sensor Array fault is detected for a specific zone (output out of range, diagnostic alarm, or communication failure), the CO2 Injection Controller SHALL close that zone's solenoid valve and raise an alarm within 5 seconds, maintaining CO2 injection to all other zones at their setpoints unaffected. Rationale: Sensor fault must trigger valve closure for the affected zone to prevent uncontrolled CO2 accumulation — without a process measurement the PID loop cannot maintain safe bounds. Isolation to one zone preserves production in other zones; 5-second alarm response is derived from the 1Hz sensor scan rate plus two missed scans as a dead-band. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ctrl-degraded-sensor-465 |
| SUB-REQ-022 | When the CO2 Enrichment Subsystem receives a safety interlock trip signal via the hardwired de-energise-to-trip relay, all Zone Solenoid Valves SHALL be driven to the closed state within 500 ms regardless of CO2 Injection Controller command state, and the CO2 Injection Controller SHALL lock out all valve open commands until an operator-authorised reset is performed. Rationale: SYS-REQ-004 and SIL-3 allocation require that the safety function (CO2 valve closure on over-concentration) is not defeatable by the process controller. Hardwired override ensures the safety trip action is independent of software state. Operator-authorised reset prevents automatic restart after a SIL-3 trip event, which could re-introduce the hazard before the cause is investigated. This is the safe state for IEC 61508 SIL 3 CO2 injection hazard. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-3, idempotency:sub-co2-safe-state-465 |
| SUB-REQ-023 | The CO2 Injection Controller SHALL operate from a 24VDC ±10% supply at maximum 15W continuous draw, with the supply provided via an uninterruptible power supply (UPS) rated for ≥30 minutes runtime at full load, ensuring CO2 injection control is maintained during mains power interruptions. Rationale: Power supply budget is required to size the UPS and cable/fuse ratings. 15W is the maximum for a typical mid-range PLC with full I/O populated. 30 minutes UPS runtime allows for orderly shutdown of grow zones without crop damage from uncontrolled CO2 enrichment during power events. | Test | subsystem, co2-enrichment-subsystem, session-465, sil-0, idempotency:sub-co2-ctrl-power-465 |
| SUB-REQ-024 | The EC/pH Sensor Array SHALL measure electrical conductivity in the range 0.1–10.0 mS/cm with accuracy ±0.1 mS/cm and pH in the range 3.0–9.0 with accuracy ±0.05 pH units, both temperature-compensated to 20°C reference via PT1000 probe, at a measurement rate of 0.1 Hz per zone. Rationale: SYS-REQ-006 mandates EC control within ±0.1 mS/cm of setpoint. A sensor accuracy of ±0.1 mS/cm consumes the full allowable error budget, leaving zero margin for dosing lag and system drift. This accuracy therefore sets the tightest single-sensor limit achievable without disproportionate cost; any looser sensor spec would make the ±0.1 mS/cm system requirement unachievable. The pH ±0.05 accuracy similarly supports the ±0.2 pH system requirement (SYS-REQ-006) with margin. | Test | subsystem, nutrient-management-subsystem, sil-2, session-466, idempotency:sub-ecph-accuracy-466 |
| SUB-REQ-025 | The EC/pH Sensor Array SHALL detect sensor drift or fault conditions — including open-circuit, short-circuit, and out-of-range output — and transmit a fault flag to the Irrigation Controller within 5 seconds of fault onset. Rationale: SYS-REQ-007 specifies that repeated dosing without pH equilibration must be treated as potential sensor drift. If the EC/pH Sensor Array cannot self-report a fault, the Irrigation Controller will continue commanding the Dosing Pump Array based on a stale or stuck reading, leading to cumulative overdosing and safety interlock activation. The 5-second detection window allows at most one additional 0.1Hz measurement before the fault is visible to the controller. | Test | subsystem, nutrient-management-subsystem, sil-2, session-466, idempotency:sub-ecph-fault-466 |
| SUB-REQ-026 | The Dosing Pump Array SHALL deliver each individual pump injection with a stroke volume accuracy of ±1% of commanded volume, with maximum single-stroke volume not exceeding 2% of working solution tank volume, verified by encoder-counted revolutions. Rationale: SYS-REQ-006 explicitly limits dosing pump stroke volume to 2% of tank volume per injection to prevent overshoot. A ±1% stroke accuracy ensures the commanded 2% limit is not inadvertently exceeded by pump calibration error alone. Without this accuracy requirement, a pump running 10% high on stroke volume could exceed the watchdog threshold (5% cumulative over 10 minutes) within 3 injections at nominal setpoints. | Test | subsystem, nutrient-management-subsystem, sil-2, session-466, idempotency:sub-dpa-stroke-accuracy-466 |
| SUB-REQ-027 | The Dosing Pump Array SHALL implement a hardwired cumulative injection counter that monitors total acid and base pump volume delivered within any rolling 10-minute window, and SHALL assert a 24VDC normally-open fault contact to the Safety PLC within 200 ms when cumulative injection exceeds 5% of the working solution tank volume within that window. Rationale: SYS-REQ-007 and SYS-REQ-015 require the dosing-excess protection function to meet SIL-2. Implementing this watchdog as a hardwired counter in the pump drive firmware rather than as a software function in the Irrigation Controller is consistent with ARC-REQ-001 and ARC-REQ-006 — safety-critical shutdown functions must not rely on general-purpose software. The 200ms propagation time matches IFC-REQ-019 and ensures the Safety PLC trip logic executes before a second injection cycle can begin (minimum pump cycle time is >500ms). | Test | subsystem, nutrient-management-subsystem, sil-2, safety, session-466, idempotency:sub-dpa-watchdog-466 |
| SUB-REQ-028 | When the Dosing Pump Array receives a hardwired interlock trip signal from the Safety PLC (IFC-REQ-019 signal path), the Dosing Pump Array SHALL inhibit all pump outputs and de-energise all pump drive signals within 500 ms, and SHALL not resume dosing until the interlock is manually reset. Rationale: IEC 61508 SIL-2 requires a safe state for every safety-critical function. The safe state for overdosing hazard (SYS-REQ-007) is cessation of all dosing. The 500ms response time allows for one PLC scan cycle (50ms) plus drive inhibit propagation. Manual reset prevents autonomous restart after a dosing-excess event, which must be investigated before resuming operation. | Test | subsystem, nutrient-management-subsystem, sil-2, safety, session-466, idempotency:sub-dpa-safe-state-466 |
| SUB-REQ-029 | The Irrigation Controller SHALL execute configurable zone irrigation schedules with on-time resolution of ±1 minute over a 24-hour period, supporting drip and flood-drain (NFT) modes, and SHALL enforce a minimum 5-minute inter-zone delay to prevent simultaneous multi-zone demand exceeding recirculation pump rated flow. Rationale: Simultaneous activation of more than approximately 60% of zone valves at peak flow exceeds the recirculation pump rated capacity (300 L/min), causing pressure drop across the furthest zones and uneven nutrient distribution. The 5-minute inter-zone delay ensures sequential activation scheduling that keeps total demand within pump capacity. | Test | subsystem, nutrient-management-subsystem, session-466, idempotency:sub-ic-scheduling-466 |
| SUB-REQ-030 | The Irrigation Controller SHALL detect a stuck-open zone irrigation valve condition within 30 seconds by comparing commanded valve state (closed) against flow meter measurement exceeding 2 L/min on the corresponding zone header, and SHALL command the zone isolation valve closed and activate floor drain pumps within 60 seconds of detection. Rationale: SYS-REQ-010 mandates 30-second stuck-valve detection and 60-second drain pump activation. The 2 L/min threshold is set above instrument noise (flow meter accuracy ±2% at 100 L/min full scale = ±2 L/min) while remaining sensitive enough to detect a single failed-open 15mm solenoid valve (minimum flow ~8 L/min at 1.2 bar). Without this requirement cascaded to the Irrigation Controller, SYS-REQ-010 lacks a component responsible for the detection logic. | Test | subsystem, nutrient-management-subsystem, sil-2, safety, session-466, idempotency:sub-ic-stuck-valve-466 |
| SUB-REQ-031 | The Irrigation Controller SHALL execute zone sanitisation sequences on command, including: circulating peracetic acid solution at ≥80 ppm concentration for ≥20 minutes contact time, flushing until EC/pH Sensor Array confirms rinse water EC <0.3 mS/cm and pH 6.5–7.0, and confirming drain completion via sump level sensor, before setting the zone-ready flag that permits new crop recipe activation. Rationale: SYS-REQ-016 blocks crop recipe activation until sanitisation criteria pass. The specific parameters (≥80 ppm peracetic acid, ≥20 minutes contact time) are derived from food-safety CIP (clean-in-place) protocols for hydroponic systems per GLOBALG.A.P. and UK food safety guidance — lower concentrations or shorter contact times do not reliably achieve the 5-log pathogen reduction required for fresh produce food safety. | Demonstration | subsystem, nutrient-management-subsystem, compliance, session-466, idempotency:sub-ic-sanitisation-466 |
| SUB-REQ-032 | The Zone Irrigation Valve Array SHALL use normally-closed solenoid valves that achieve full seat closure within 2 seconds of de-energisation, with EPDM seat leakage not exceeding 0.5 mL/min at 2.5 bar differential, maintaining fail-safe closed state on loss of 24VAC supply. Rationale: Fail-safe closure on power loss prevents irrigation from continuing during an electrical fault or emergency shutdown. The 2-second closure time ensures that stuck-valve detection response (SYS-REQ-010, 30s) has no ambiguity about valve state. Seat leakage ≤0.5 mL/min is necessary to prevent slow flooding accumulation in the grow bed during extended power-off periods; a failed valve leaking at higher rates would accumulate water over hours even in shutdown state. | Test | subsystem, nutrient-management-subsystem, sil-2, safety, session-466, idempotency:sub-ziva-failsafe-466 |
| SUB-REQ-033 | Each solenoid valve in the Zone Irrigation Valve Array SHALL provide a reed-switch position feedback signal (24VDC open-collector) confirming open or closed state within 2 seconds of the commanded transition, detectable by the Irrigation Controller as a discrete digital input. Rationale: Position feedback is required by the stuck-valve detection logic (SUB-REQ-030) to distinguish between a genuinely stuck valve and a valve that has been commanded closed but not yet physically settled. Without confirmed position feedback, the Irrigation Controller cannot determine whether continued flow is caused by valve failure or normal settling delay, leading to premature false alarms or missed detections. | Test | subsystem, nutrient-management-subsystem, session-466, idempotency:sub-ziva-feedback-466 |
| SUB-REQ-034 | The Recirculation Pump System SHALL operate in duty/standby configuration with automatic changeover to the standby pump within 30 seconds of detecting duty pump failure (loss of flow confirmation >10 L/min below setpoint for 15 seconds), maintaining nutrient solution circulation without operator intervention. Rationale: A single recirculation pump failure interrupting nutrient flow for more than approximately 15 minutes causes crop stress in nutrient-film technique (NFT) channels where root zone drying begins rapidly. Duty/standby with 30-second changeover limits maximum interruption to under 1 minute, well within the 15-minute crop stress threshold. This justification also underpins the ARC-REQ-006 decision to use dual pumps rather than a single high-reliability unit. | Demonstration | subsystem, nutrient-management-subsystem, session-466, idempotency:sub-rps-standby-466 |
| SUB-REQ-035 | The Recirculation Pump System SHALL detect dry-run conditions within 10 seconds using a flow switch confirming <5 L/min on the pump outlet with the pump energised, and SHALL de-energise the pump motor and inhibit restart for a minimum 60-second cool-down period to prevent seal and impeller damage. Rationale: Peristaltic seal failure due to dry running can release pump materials into the nutrient solution, contaminating the food crop. The 10-second detection window (100 pump revolutions at minimum speed) is fast enough to stop seal damage before contamination risk. The 60-second inhibit prevents repeated auto-restart cycling that accelerates bearing wear and could mask an empty reservoir alarm. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-036 | The Nutrient Reservoir and Mixing System SHALL trigger a low-level alarm on the Supervisory Control Subsystem when the working solution reservoir volume falls below 20% of rated capacity, and SHALL trigger an emergency shutdown request to the Irrigation Controller when volume falls below 5% of rated capacity to prevent pump dry-run. Rationale: A 20% low-level alarm gives operators approximately 30 minutes at maximum flow (300 L/min pump rate) to respond before the 5% emergency threshold is reached, providing adequate warning without frequent nuisance alarming. The 5% emergency level is set above the physical minimum needed to keep pump inlet submerged under all orientation conditions, preventing dry-run before the level sensor detects the state. | Test | subsystem, nutrient-management-subsystem, session-466, idempotency:sub-nrm-low-level-466 |
| SUB-REQ-037 | When one EC/pH Sensor Array probe reports a fault in a zone, the Nutrient Management Subsystem SHALL continue closed-loop control of the unaffected measurement parameter (EC or pH) and SHALL operate the affected parameter in open-loop time-based dosing at the last valid recipe setpoint, maintaining dosing frequency not exceeding 50% of the nominal closed-loop rate, until the probe fault is cleared or manually acknowledged. Rationale: A complete suspension of dosing on any sensor fault would halt crop nutrition for the entire zone, causing crop loss disproportionate to the fault severity. Continued unaffected-parameter control and reduced-rate open-loop dosing on the faulted parameter limits crop risk while preventing the unconstrained dosing that a full open-loop mode without rate reduction would allow. The 50% rate reduction provides sufficient safety margin against overdosing while maintaining minimum nutrient delivery. | Test | subsystem, nutrient-management-subsystem, sil-2, session-466, idempotency:sub-nm-degraded-mode-466 |
| SUB-REQ-039 | The Horticultural Lighting Subsystem SHALL maintain zone PPFD within ±5% of the crop recipe PAR setpoint across the 100-600 µmol/m²/s operating range under steady-state conditions. Rationale: SYS-REQ-005 allocates ±5% PAR accuracy to this subsystem. ±5% is the agronomic boundary within which the LCU's PAR PID loop can hold steady state; exceeding this boundary causes measurable yield loss and recipe non-compliance. Derived from crop science DLI (Daily Light Integral) tolerance data. | Test | subsystem, horticultural-lighting, sil-2, session-467, idempotency:sub-hls-par-accuracy-467 |
| SUB-REQ-040 | The Lighting Control Unit SHALL control each of the four spectrum channels (red 660nm, blue 450nm, white 4000K, far-red 730nm) independently with 12-bit or greater PWM dimming resolution over a 0-100% intensity range. Rationale: Twelve-bit resolution (4096 steps) provides 0.024% per step, which keeps spectral accuracy within the 0.5% per-step ramp requirement of SUB-HVAC-004 and supports the recipe spectrum ratio requirements of the crop science protocol. Lower resolution (10-bit) causes visible stepping artefacts on long ramps. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-spectral-resolution-467 |
| SUB-REQ-041 | The Lighting Control Unit SHALL execute linear intensity ramp transitions between setpoints over operator-configurable periods of 5, 10, 15, 20, or 30 minutes with ramp step size not exceeding 0.5% of full scale per step. Rationale: Abrupt light transitions cause photoinhibition stress in leafy crops by overwhelming the photosystems before protective down-regulation activates. Stepwise ramps over 5-30 minutes are the agronomically recommended range for vertical farms with sensitive leafy crops. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-intensity-ramp-467 |
| SUB-REQ-042 | When any LED fixture heatsink temperature exceeds 85 degrees C as detected by the Fixture Thermal Monitoring Array hardwired comparator circuit, the Horticultural Lighting Subsystem SHALL de-energise all LED Driver Modules in the affected zone within 2 seconds, independently of the Lighting Control Unit software. Rationale: SYS-REQ-009 allocates the 85 degrees C thermal shutdown to this subsystem at SIL 2 (H-002: LED fixture fire hazard). The 2-second maximum is derived from thermal runaway propagation modelling — heatsink temperatures above 85 degrees C indicate junction temperatures approaching LED derating limits. The software-independent path is required because SIL 2 prohibits the safety function from relying on general-purpose software per IEC 61508 clause 7.4.2.3. | Test | subsystem, horticultural-lighting, sil-2, session-467, idempotency:sub-hls-thermal-trip-467 |
| SUB-REQ-043 | When any LED fixture heatsink temperature exceeds 75 degrees C, the Lighting Control Unit SHALL reduce LED power in the affected zone by 5% of current output per minute until heatsink temperature falls below 70 degrees C or all driver outputs reach zero. Rationale: A 75 degree C software derating threshold (below the 85 degree C hardware trip) provides a 10-degree C guard band for graceful power reduction before the SIL-2 trip activates, avoiding unnecessary safety shutdowns during moderate load events while still protecting fixtures from thermal damage. | Test | subsystem, horticultural-lighting, sil-2, session-467, idempotency:sub-hls-thermal-derating-467 |
| SUB-REQ-044 | When the zone HVAC compressor trip signal is received from the Zone Controller Network, the Lighting Control Unit SHALL reduce LED power in the affected zone to 50% of the current recipe setpoint within 30 seconds. Rationale: SYS-REQ-008 allocates the 50% LED power reduction upon HVAC trip to this subsystem. LED fixtures contribute 30-40% of zone heat load; reducing output by 50% lowers zone air temperature rise rate by 15-20 degrees C/hour, buying time for the HVAC fault to be resolved before reaching the 38 degree C thermal protection threshold. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-hvac-loadshed-467 |
| SUB-REQ-045 | When the emergency shutdown signal is asserted on the Safety Interlock hardwired trip bus, the Horticultural Lighting Subsystem SHALL de-energise all LED Driver Modules across all 8 zones within 5 seconds. Rationale: SYS-REQ-013 specifies a 10-second emergency shutdown sequence for the full system. LED de-energisation is the first step — removing 400kW+ of electrical load reduces fire risk and allows safe human entry. The 5-second sub-budget allows the remaining 5 seconds for CO2 valve closure and ventilation activation. | Test | subsystem, horticultural-lighting, sil-2, session-467, idempotency:sub-hls-emergency-shutdown-467 |
| SUB-REQ-046 | When a PAR Sensor Array signal is lost or out of range in a zone, the Lighting Control Unit SHALL continue closed-loop operation at the last valid setpoint PWM value for up to 4 hours, generate a sensor fault alarm, and transition to full manual override after the 4-hour timeout. Rationale: PAR sensor failure should not immediately force operator intervention in a 24/7 automated facility. A 4-hour hold at the last-known PWM value is safe because the short-term DLI deviation caused by a single-zone sensor loss is within crop tolerance windows. Beyond 4 hours the risk of undetected environmental change justifies requiring operator confirmation. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-par-degraded-467 |
| SUB-REQ-047 | The PAR Sensor Array SHALL have NIST- or PTB-traceable calibration per ASTM E948 with a maximum measurement uncertainty of 3% (k=2) at recalibration intervals not exceeding 12 months. Rationale: ASTM E948 is the primary standard for PAR sensor calibration in horticultural applications. 3% calibration uncertainty is the maximum consistent with maintaining overall PAR accuracy of ±5% (SYS-REQ-005) when combined with installation and measurement losses. Twelve-month recalibration intervals are standard in controlled horticulture environments per EN ISO 9001 measurement system requirements. | Inspection | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-par-calibration-467 |
| SUB-REQ-048 | The LED Driver Module Array SHALL achieve a minimum power conversion efficiency of 93% at rated load and maintain output current regulation within 2% of the commanded setpoint under steady-state conditions across all channels. Rationale: 93% driver efficiency is the industry minimum for horticultural LED drivers at this power density (>50W per channel). Below 93% the waste heat per zone exceeds the HVAC cooling budget, requiring oversized cooling infrastructure. 2% current regulation translates to 2% PAR variation at constant flux, which must be accounted for in the ±5% overall PAR budget. | Test | subsystem, horticultural-lighting, session-467, idempotency:sub-hls-driver-efficiency-467 |
| SUB-REQ-049 | The Zone Controller Network SHALL provide a supervisory override channel that, when asserted by the Supervisory Control Subsystem, suspends autonomous zone regulation and transfers zone actuator control to the supervisory setpoint within 500 ms of assertion. Rationale: UHT classifies the zone controller network (51F77808) as Functionally Autonomous (bit 15), requiring an explicit human-in-the-loop override per IEC 62443-3-3 SR 2.12. Without this, the operator cannot regain control during runaway CO2 or thermal excursion scenarios. | Test | idempotency:qc-468-zone-ctrl-net-override |
| SUB-REQ-050 | The Irrigation Controller SHALL operate from a 24 VDC ±10% supply with a maximum steady-state power consumption of 15 W and a peak inrush current not exceeding 2 A for more than 50 ms at power-on. Rationale: UHT classifies the irrigation controller (D1F77A08) as Powered (bit 4) and System-Essential (bit 16). Without a defined power envelope, the electrical panel and UPS sizing cannot be verified, and inrush from multiple controllers starting simultaneously could trip circuit protection. | Test | idempotency:qc-468-irrig-ctrl-power |
| SUB-REQ-051 | The Dosing Pump Array SHALL operate from a 24 VDC ±10% supply with a maximum steady-state power consumption of 30 W per pump and food-contact-compliant wetted materials certified to FDA 21 CFR 177 for nutrient solution compatibility. Rationale: UHT classifies the dosing pump array (D7F73218) as Powered (bit 4), Physical Medium (bit 7), and Regulated (bit 28). Dosing pumps in a food-production environment require both a defined power budget for UPS autonomy and material certification to prevent nutrient contamination from pump wetted surfaces. | Test | idempotency:qc-468-dosing-pump-power |
| SUB-REQ-052 | The Supervisory Control Subsystem SHALL authenticate all remote HMI sessions using multi-factor credentials (username/password plus time-based OTP) and SHALL encrypt all management communications using TLS 1.3 or later. Rationale: UHT classifies the supervisory control subsystem (51BD7908) as Digital/Virtual (bit 24) and Human-Interactive (bit 13). Unauthenticated access to the supervisory HMI would allow an adversary to disable safety interlocks or alter crop recipes; TLS 1.3 prevents credential interception on uncontrolled network segments. | Test | idempotency:qc-468-supervisory-cybersec |
| SUB-REQ-053 | The Climate Management Subsystem SHALL maintain grow zone air temperature within ±1.0°C of the crop-specific temperature setpoint across the full 18–28°C operating range under steady-state conditions. Rationale: Derived from SYS-REQ-001. Temperature deviations beyond ±1.0°C reduce crop growth rate and quality; validated against industry benchmarks for lettuce (20±1°C), strawberry (18±1°C), and basil (22±1°C). The ±1.0°C band is the tightest achievable with DX HVAC at the specified zone volumes. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-054 | The Climate Management Subsystem SHALL maintain grow zone relative humidity within ±5% RH of the crop-specific humidity setpoint across the 60–85% RH operating range under steady-state conditions. Rationale: Derived from SYS-REQ-002. RH deviations beyond ±5% promote fungal pathogens (Botrytis cinerea) at the high end and cause crop tip-burn through reduced transpiration at the low end. The ±5% band is the IEC 61511 functional accuracy class for capacitive RH sensors in the 0–40°C temperature compensation range. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-rh-regulation-469 |
| SUB-REQ-055 | When the HVAC Actuator Interface reports a compressor trip condition, the Zone Climate Controller SHALL send a lighting load-reduction command to the Supervisory Control Subsystem within 500 ms and engage the economiser damper to maintain zone temperature below 30 degC. Rationale: Derived from SYS-REQ-008. Compressor trip causes loss of cooling capacity; LED fixtures contribute up to 40 percent of zone heat load, so reducing lighting is the fastest mechanical intervention available. The 500 ms response window was derived from the thermal time constant analysis for a 20 m2 zone under peak summer ambient conditions. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-compressor-trip-469 |
| SUB-REQ-056 | The Temperature Sensor Network SHALL sample all zone temperature sensors at a minimum rate of 1 Hz and deliver readings to the Zone Climate Controller with a maximum end-to-end latency of 2 s from measurement to controller input. Rationale: 1 Hz sampling is the minimum required for PID loop stability given the thermal time constant of the grow zone air volume (estimated 60-90 s). The 2 s maximum latency bound ensures the PID derivative term is not corrupted by stale data during transient events such as door opening. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-temp-sampling-469 |
| SUB-REQ-057 | When the Temperature Sensor Network detects a sensor reading outside the valid range of 0 to 50 degC or reports a wire-break fault, the Zone Climate Controller SHALL switch control inputs to the next available redundant sensor and generate a maintenance alarm within 30 s. Rationale: Dual-sensor redundancy per zone (top and bottom canopy positions) ensures continued closed-loop control on single sensor failure. The 30 s alarm latency allows operator awareness before the next crop inspection round while not imposing real-time alarm fatigue. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-sensor-fault-469 |
| SUB-REQ-058 | The Fresh Air Ventilation Controller SHALL coordinate fresh air fraction with the CO2 Enrichment Subsystem via Modbus TCP, maintaining a fresh air fraction between 5 and 30 percent of zone supply volume to balance CO2 setpoint, O2 replenishment, and ethylene dilution requirements. Rationale: Derived from the need to manage competing gas concentrations without independent control of each. The 5-30 percent range is the mechanical limit of the HRV unit specified; below 5 percent O2 depletion risk rises; above 30 percent the CO2 enrichment system cannot maintain setpoint economically. Modbus TCP interface selected because CO2 Enrichment Subsystem already uses this bus. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-fresh-air-469 |
| SUB-REQ-059 | The HVAC Actuator Interface SHALL execute Zone Climate Controller setpoint commands within 500 ms of receipt and confirm execution status to the controller within 1 s, for all actuator types (VFD, contactor, modulating valve, damper). Rationale: 500 ms command execution latency is the maximum allowed to maintain PID loop stability. Confirmation within 1 s allows the Zone Climate Controller to detect actuator stuck-open/closed conditions and escalate to the Safety Interlock Subsystem if needed. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-actuator-latency-469 |
| SUB-REQ-060 | When a zone isolation command is received from the Safety Interlock Subsystem, the HVAC Actuator Interface SHALL close zone supply and return HVAC dampers within 2 s of command receipt and hold the closed state until an explicit release command is received. Rationale: Derived from SYS-REQ-014. Zone airflow isolation prevents spread of pathogens or chemical contamination from an affected zone to adjacent zones via the shared duct network. The 2 s damper closure time is the maximum achievable with the specified 24V spring-return actuators at operating temperature range. | Test | subsystem, climate-management, session-469, idempotency:sub-cms-zone-isolation-469 |
| SUB-REQ-061 | When the Demand Response Handler receives an OpenADR 2.0b demand-response signal from the utility VTN, the Supervisory Control Subsystem SHALL compute and execute a load-reduction plan within 60 s of signal receipt, reducing facility electrical load by the requested amount while maintaining crop-safe minimum environmental parameters. Rationale: Derived from SYS-REQ-012. The 60 s execution window is the maximum allowed under OpenADR 2.0b SIMPLE event type baseline specification. Crop-safe minimum parameters (minimum temperature floor, minimum CO2 level) are required to prevent crop loss during DR events that may last up to 4 hours. | Test | subsystem, supervisory-control, session-469, idempotency:sub-scs-dr-response-469 |
| SUB-REQ-062 | When an emergency shutdown trigger is received by the Emergency Shutdown Sequencer (fire alarm relay, manual E-stop, or critical sensor fault), the Supervisory Control Subsystem SHALL complete the full shutdown sequence (CO2 valve closure, nutrient pump off, lighting off, HVAC dampers to purge) within 10 s of trigger receipt. Rationale: Derived from SYS-REQ-013. The 10 s total sequence time is driven by the CO2 concentration rise rate in a sealed zone: at maximum CO2 enrichment flow rate, CO2 can rise from 1500 ppm to 5000 ppm (safety limit) in approximately 45 s, giving the sequence a 35 s safety margin. Steps are serialised with the CO2 valve first to maximise margin for that hazard. | Test | subsystem, supervisory-control, session-469, idempotency:sub-scs-emergency-shutdown-469 |
| SUB-REQ-063 | The Supervisory Control Subsystem SHALL execute and verify the zone sanitisation sequence (pH 2.0 flush, UV-C exposure, dry-out dwell) per the registered crop transition protocol before authorising zone reactivation for a new crop cycle, with a verification record written to the compliance audit log. Rationale: Derived from SYS-REQ-016. Sanitisation verification is a regulatory and food-safety requirement (GFSI/SQF for leafy greens). Automated verification and audit logging prevents manual bypass and provides the evidence trail required for food safety audits. | Test | subsystem, supervisory-control, session-469, idempotency:sub-scs-sanitisation-469 |
| SUB-REQ-064 | The Crop Recipe Engine SHALL continue executing the active crop recipe and issuing environmental setpoints during Plant Management Server software updates, with setpoint output interruption not exceeding 30 s during the update window. Rationale: Crop recipes running 7-120 day cycles cannot tolerate unplanned setpoint loss during routine server maintenance. A 30 s setpoint interruption is within the thermal and CO2 time constants of all grow zones (minimum 60 s), meaning the environment will not deviate beyond crop-safe limits during the gap. | Test | subsystem, supervisory-control, session-469, idempotency:sub-scs-recipe-continuity-469 |
| SUB-REQ-065 | The Zone Controller Unit SHALL maintain closed-loop control of all zone environmental parameters (temperature, humidity, CO2, PAR, pH, EC) within crop recipe setpoints using locally stored setpoint data for a minimum of 30 minutes when the OPC-UA connection to the Zone Edge Gateway is interrupted. Rationale: SYS-REQ-017 requires restoration of zone regulation within 30s of primary node failure. The ZCU must operate autonomously during any switchover period to prevent crop damage, using NOR flash-stored setpoints as the last-valid recipe. 30 minutes exceeds the expected switchover time plus manual response window. | Test | subsystem, zone-controller-network, session-470, idempotency:sub-zcn-zcu-autonomous-470 |
| SUB-REQ-066 | The Zone Controller Unit SHALL execute PID control loop iterations for all regulated environmental parameters at a minimum cycle rate of 10 Hz, with loop execution jitter not exceeding ±5 ms. Rationale: SYS-REQ-001 requires ±1.0°C temperature regulation and SYS-REQ-002 requires ±5% RH. Analysis of zone thermal mass and HVAC actuator response times shows that a 10Hz loop rate is the minimum to achieve these tolerances without oscillation. Jitter constraint prevents control loop aliasing against the 10s temperature sensor averaging window. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-067 | The Zone Controller Unit SHALL persist the current active recipe setpoints to non-volatile NOR flash memory within 5 seconds of any setpoint update, and SHALL retrieve stored setpoints within 10 seconds of power restoration. Rationale: Required to support the 30-minute autonomous operation window (SUB-REQ-065): setpoints must survive power cycling and network outage. 5s write window is bounded by the PID loop update frequency; 10s retrieval ensures zone control resumes within the SYS-REQ-017 30s failover window. | Test | rt-implausible-value, red-team-session-480 |
| SUB-REQ-068 | The Zone I/O Expansion Module SHALL sample all connected 4-20mA analog inputs at a minimum rate of 1 Hz with ±0.1% full-scale measurement accuracy, and SHALL detect and report open-circuit loop faults on any 4-20mA channel to the Zone Controller Unit within 1 second of fault occurrence. Rationale: SYS-REQ-011 requires 1-second resolution data logging; the I/O Module must sample at least as fast. ±0.1% FSR accuracy corresponds to ±0.16mA on a 20mA span, which resolves to ±0.16°C for a PT100 transmitter — within the sensor measurement error budget. Open-circuit detection within 1s prevents undetected sensor loss from causing uncontrolled dosing. | Test | subsystem, zone-controller-network, session-470, idempotency:sub-zcn-iom-sampling-470 |
| SUB-REQ-069 | The Zone Edge Gateway SHALL aggregate OPC-UA data from all Zone Controller Units and publish an updated node namespace to the Supervisory Control Subsystem at a maximum end-to-end latency of 500 ms from sensor sampling to supervisory data availability. Rationale: SYS-REQ-018 requires real-time zone status display for operator HMI; 500ms end-to-end latency is the human-perceptible update threshold for operational dashboards. This budget is allocated as: 100ms ZCU scan, 100ms RS-485 transfer, 100ms ZCU OPC-UA publish, 100ms network transit, 100ms Gateway aggregation, leaving 100ms margin. | Test | subsystem, zone-controller-network, session-470, idempotency:sub-zcn-gateway-latency-470 |
| SUB-REQ-070 | The Time-Series Database Engine SHALL ingest environmental sensor data at a minimum rate of 1 sample per second per channel across all zones without data loss, and SHALL retain raw 1-second resolution data for a minimum of 90 days and 1-minute resolution aggregates for a minimum of 10 years. Rationale: SYS-REQ-011 requires 1-second resolution logging with 10-year retention. The 90-day raw tier covers the regulatory inspection window for fresh produce (most jurisdictions require 90-day post-harvest environmental records); the 10-year aggregate tier covers long-term trend analysis and facility-level regulatory audits. Loss-free ingestion is required because data gaps invalidate compliance records. | Test | subsystem, data-acquisition, session-470, idempotency:sub-dac-tsdb-ingest-470 |
| SUB-REQ-071 | The Time-Series Database Engine SHALL export any requested date range of environmental data for a specified zone as a CSV file within 30 seconds for queries spanning up to 90 days of 1-second resolution data. Rationale: SYS-REQ-011 specifies CSV export within 30 seconds; this requirement constrains the TSDB query engine and storage performance to support that SLA. 90-day scope covers the maximum raw-resolution retention window and defines the worst-case query performance target. | Test | subsystem, data-acquisition, session-470, idempotency:sub-dac-tsdb-export-470 |
| SUB-REQ-072 | The OpenADR Virtual End Node SHALL receive and acknowledge OpenADR 2.0b DR event signals from the utility Virtual Top Node within 30 seconds of event distribution, and SHALL translate the event payload into an energy curtailment command dispatched to the Supervisory Control Subsystem within 5 seconds of acknowledgement. Rationale: SYS-REQ-012 requires response to OpenADR 2.0 demand-response events. Utility OpenADR 2.0b contracts typically specify a 30-second acknowledgement SLA; the 5-second internal dispatch ensures the Supervisory Control Subsystem has adequate time to pre-condition zones before the event start time. | Test | subsystem, data-acquisition, session-470, idempotency:sub-dac-oadr-dispatch-470 |
| SUB-REQ-073 | The Crop Recipe Database SHALL store a minimum of 200 crop recipes with complete version history, and SHALL maintain an immutable audit trail of all recipe create, update, and supersede operations with timestamp, user identity, and change summary, ensuring no recipe version is ever deleted. Rationale: SYS-REQ-020 requires 200 crop recipes. Immutable version history with audit trail is required for GMP compliance (21 CFR Part 11 equivalent for food production): regulators require proof that a specific recipe version was active during a specific crop production run, and that recipe changes were authorised. | Inspection | subsystem, data-acquisition, session-470, idempotency:sub-dac-recipe-db-capacity-470 |
| SUB-REQ-074 | The Compliance Report Generator SHALL produce a zone sanitisation verification report including sensor evidence of peracetic acid contact time, temperature, and concentration, cryptographically signed with a SHA-256 hash of the source TSDB data, within 60 seconds of a sanitisation cycle completion event. Rationale: SYS-REQ-016 requires sanitisation sequence verification including peracetic acid contact time records. The cryptographic hash links the report to immutable TSDB source data, satisfying tamper-evidence requirements for food safety audits (GFSI, SQF). 60-second generation time allows the report to be available before the operator logs off the cleaning shift. | Test | subsystem, data-acquisition, session-470, idempotency:sub-dac-compliance-report-470 |
| SUB-REQ-075 | When the Zone Climate Controller loses communication with the Zone Controller Unit for more than 5 seconds, the Zone Controller Unit SHALL revert to its last valid setpoint cache and maintain that environmental state for at least 15 minutes before declaring a zone fault. Rationale: UHT classifies the Zone Climate Controller (hex D1F77008) as System-Essential (bit 16). Lint finding: zone controller lacks redundancy/failover requirements. The 5-second timeout and 15-minute holdover are derived from the crop thermal time constant — a vertical farm growing zone can tolerate 15 minutes of fixed-setpoint control before temperature drifts outside acceptable bounds, giving maintenance personnel time to respond without triggering a full zone shutdown. | Test | subsystem, zone-controller-network, redundancy, session-471, idempotency:sub-zcn-zcu-holdover-471 |
| SUB-REQ-076 | The CO2 Enrichment Subsystem SHALL incorporate an independent safety-rated CO2 sensor, certified to IEC 61508 SIL-2, operating on a separate power supply and signal path from the process-control CO2 sensors, with a response time not exceeding 30 seconds for a step change from 0 to 5000 ppm. Rationale: SYS-REQ-004 requires the safety interlock to act within 2 seconds on CO2 exceeding 5000 ppm using an independent safety-rated sensor — explicitly separate from the software-controlled process sensor. This SUB requirement derives that sensor's SIL-2 certification, independent power path, and 30-second response time. The 30-second response budget is the 2-second interlock latency padded for sensor settling; IEC 61508 SIL-2 certification is required because CO2 asphyxiation meets the hazard frequency and severity threshold for SIL-2 per the hazard register. | Test | subsystem, co2-enrichment, safety, sil-2, session-471, idempotency:sub-co2-safety-sensor-sil2-471 |
| SUB-REQ-077 | The Zone Controller Network SHALL enforce network segmentation using VLAN isolation between OT zone control traffic and corporate IT networks, with all OPC-UA communications authenticated using X.509 certificates and all Modbus RTU segments accessible only via physically secured electrical enclosures. Rationale: UHT classifies the zone and associated digital control systems with the Digital/Virtual trait (bit 24), triggering a cybersecurity gap finding in lint. Vertical farm control systems are OT environments with ICS/SCADA attack surfaces: an attacker gaining access to the zone Modbus segments could manipulate CO2 injection solenoids, nutrient dosing pumps, or LED circuits, creating both crop loss and personnel safety risks. VLAN segmentation with X.509 OPC-UA authentication and physical enclosure access control aligns with IEC 62443-3-3 SR 1.1 (identification and authentication) at Security Level 2. | Inspection | subsystem, zone-controller-network, cybersecurity, session-471, idempotency:sub-zcn-cybersecurity-vlan-471 |
| SUB-REQ-078 | All physical materials and surfaces within growing zones that contact nutrient solution, irrigation water, or air recirculation streams SHALL comply with FDA 21 CFR Part 174-186 (food contact materials) and SHALL be verified clean-in-place (CIP) compatible with 2% peracetic acid sanitisation solution at ambient temperature. Rationale: UHT classifies growing zones with the Biological/Biomimetic trait (bit 3) because zones contain live plant matter and microbiomes. Lint finding 7 flags the absence of biocompatibility or sterilisation requirements. Under FSMA (21 CFR Part 112), indoor growing facilities producing leafy greens for direct human consumption must demonstrate that materials contacting edible plant matter are food-safe. Peracetic acid is the standard sanitisant for hydroponic systems; CIP compatibility ensures the zone can be sanitised in place without disassembly, which is also required by SYS-REQ-016 (sanitisation sequence verification before new crop activation). | Inspection | subsystem, zone-controller-network, food-safety, compliance, session-471, idempotency:sub-zone-biocompat-fda-471 |
| SUB-REQ-079 | The Zone Climate Controller SHALL accept a supervisory override command from the Supervisory Control Subsystem within 2 seconds to either SUSPEND autonomous setpoint control (holding last actuator state) or SAFE-MODE (de-energise all HVAC actuators), and SHALL NOT resume autonomous operation until the Supervisory Control explicitly releases the override. Rationale: Lint finding: zone climate controller classified as Functionally Autonomous (bit 15) but had no supervisory override requirement. Autonomous control must yield to supervisory authority to prevent crop loss during fault conditions, prevent runaway control during sensor failure, and support orderly shutdown sequences. | Test | idempotency:sub-zcc-override-qc472 |
| SUB-REQ-080 | The Zone Controller Unit SHALL respond to a SUSPEND or SAFE-MODE override command from the Zone Edge Gateway within 500 ms by either freezing all setpoint outputs at current values or de-energising all zone actuator outputs, and SHALL transmit an acknowledgement back via OPC UA confirming the override state. Rationale: Lint finding: zone controller unit classified as Functionally Autonomous (bit 15) but lacked override constraints. The 500ms response time is required to coordinate with the safety interlock subsystem response chain; supervisory override is essential for controlled zone shutdowns without triggering interlock trips. | Test | idempotency:sub-zcu-override-qc472 |
| SUB-REQ-081 | The Zone Climate Controller SHALL operate from the zone control panel 24VDC supply rail with a maximum steady-state power draw not exceeding 15W per unit, and SHALL incorporate a local hold-up capacitor providing ≥200ms of brownout ride-through to prevent uncontrolled actuator state changes during supply voltage transients. Rationale: Lint finding: zone climate controller classified as Powered (bit 4) but had no power budget or supply requirement. The 15W limit constrains panel heat load for a standard 8-zone panel; 200ms ride-through aligns with UPS switchover time to prevent spurious actuator state changes. | Test | idempotency:sub-zcc-power-qc472 |
| SUB-REQ-082 | The Supervisory Control Subsystem SHALL be housed in an IEC 60529 IP54-rated 19-inch 4U rack-mount enclosure with front-panel LED indicators for system health, alarm, and communication status, suitable for installation in a climate-controlled control room at operating temperatures of +5 degC to +45 degC. Rationale: The Supervisory Control Subsystem contains industrial compute hardware subject to dust and humidity ingress in a farm environment; IP54 rack-mount packaging ensures hardware longevity and maintainability. UHT classification confirms the component carries physical embodiment traits requiring explicit enclosure constraints. | Inspection | idempotency:qc-phys-scs-enclosure-v1 |
| SUB-REQ-083 | The Zone Controller SHALL be packaged as a DIN-rail-mounted embedded controller rated to IEC 60529 IP54, operating across -5 degC to +55 degC ambient, with dimensions not exceeding 140 mm W x 100 mm H x 60 mm D to fit within the zone control panel. Rationale: Zone controllers are mounted inside wet, humid growing zones; IP54 DIN-rail packaging is the minimum protection level for continuous operation in this environment. Dimensional constraints are derived from the zone control panel enclosure design to ensure physical fitment. | Inspection | idempotency:qc-phys-zc-enclosure-v1 |
| SUB-REQ-084 | The Zone Controller Network cabling SHALL use shielded twisted-pair industrial Ethernet cable rated for continuous exposure to water splash and nutrient solution mist, with IP67-rated field junction boxes at each zone entry point, supporting network segments up to 100 m at 100 Mbps without active repeaters. Rationale: Network cabling traversing the growing zone is exposed to condensation and nutrient spray; specifying shielded cable and IP67 junction boxes prevents corrosion-induced network faults that would disrupt closed-loop zone control. The 100 m segment limit is the Cat6A maximum for 100BASE-TX. | Inspection | idempotency:qc-phys-zcn-cabling-v1 |
| SUB-REQ-085 | The CO2 Enrichment Subsystem SHALL be housed in a ventilated, wall-mounted IEC 60529 IP54-rated steel enclosure located within 2 m of the CO2 supply manifold, incorporating integrated solenoid valve driver circuits and a 24 VDC power supply rated to supply all zone injection solenoids simultaneously at a maximum combined load of 20 A. Rationale: Proximity mounting minimises CO2 supply piping runs and pressure drop; combined solenoid load rating prevents nuisance trips during simultaneous zone injection during peak crop growth periods. Ventilation prevents heat buildup from solenoid drivers. | Inspection | idempotency:qc-phys-enrich-enclosure-v1 |
| SUB-REQ-086 | The Zone Climate Controller SHALL be packaged in an IEC 60529 IP54 DIN-rail-mount enclosure with dedicated RS-485 Modbus RTU termination ports, an integral galvanically isolated 24 VDC power rail, and shall withstand sinusoidal vibration levels of 0.5 g RMS over 10-150 Hz for continuous operation in a fan-cooled equipment cabinet. Rationale: Zone Climate Controllers are installed in equipment cabinets adjacent to HVAC plant; vibration from fan motors and compressors requires 0.5g RMS rating derived from ASHRAE guidelines for fan vibration in air handling units. Galvanic isolation on the 24V rail protects against ground-loop noise from large HVAC motors. | Test | idempotency:qc-phys-zcc-enclosure-v1 |
| SUB-REQ-087 | The CO2 Injection Controller SHALL be housed in a glass-reinforced polyester (GRP) enclosure rated to IEC 60529 IP65, mounted external to the growing zone, and SHALL incorporate a manual isolation valve interface and solenoid position indicator to support safe maintenance under lockout/tagout (LOTO) procedures per IEC 60204-1. Rationale: GRP enclosures are preferred for CO2 equipment because they resist the HNO3-based condensation from nutrient misting without the galvanic corrosion risk of steel. External mounting enables LOTO access without entering the CO2-enriched zone, addressing a COSHH control requirement for CO2 service operations. | Inspection | idempotency:qc-phys-co2ic-enclosure-v1 |
| SUB-REQ-088 | All surfaces within a growing zone that are directly exposed to nutrient solution or crop root mass SHALL be constructed from food-safe, non-porous materials — specifically stainless steel grade 316L or HDPE — complying with FDA 21 CFR Part 177 to prevent pathogen harbouring and ensure biocompatibility with edible crops. Rationale: Vertical farm zones grow edible produce; pathogen contamination from surface materials (e.g., biofilm formation on porous substrates) presents a direct food safety hazard. FDA 21 CFR Part 177 sets the material standard for food-contact surfaces, and 316L SS/HDPE are proven choices for nutrient solution contact in hydroponics, matching industry certification expectations for GAP compliance. | Inspection | idempotency:qc-bio-zone-materials-v1 |
| SUB-REQ-089 | While a growing zone is undergoing sanitation, the Zone Controller SHALL enforce a zone isolation interlock that prevents nutrient delivery and CO2 injection until a minimum 30-minute hypochlorous acid fog or UV-C irradiation sterilisation cycle has completed, confirmed by sensor-based cycle completion verification. Rationale: Inadequate sanitisation between crop cycles is the primary route for Fusarium and E. coli O157 entry into a hydroponic system; a mandatory 30-minute chemical or UV-C cycle is the minimum effective contact time per UK HSE hydroponics guidance. Zone isolation during sanitisation prevents nutrient contamination of cleaning agents and protects next-crop food safety. | Test | idempotency:qc-bio-zone-sterilisation-v1 |
| SUB-REQ-090 | The Zone Climate Controller SHALL be a physically-housed DIN-rail-mounted controller unit installed in zone electrical enclosures, with a housing conforming to IEC 60715 and rated to IEC 60529 IP20, operating at 24 VDC supply, within ambient temperature range -10 to +55 degC. Rationale: Zone Climate Controller executes PID loops for HVAC actuators and must be co-located with zone I/O in electrical enclosures. Physical housing specification ensures the unit is procurable as a mountable hardware LRU and integrates with the DIN-rail ecosystem. Without this, the controller is treated as a pure software module. | Inspection | idempotency:sub-zone-climate-ctrl-housing-474 |
| SUB-REQ-091 | The CO2 Injection Controller SHALL be a physically-housed controller unit installed in a GRP or 304 stainless steel enclosure rated to IEC 60529 IP54, DIN-rail or panel-mounted in plant-room equipment corridors outside growing zones, with analogue 4-20 mA I/O terminals and RS-485 Modbus RTU communications port, operating at 24 VDC supply within -10 to +50 degC ambient. Rationale: CO2 Injection Controller is a process control device handling pressurised gas at up to 10 bar and must be installed in a location accessible for maintenance without disturbing active crop cycles. IP54 protection is required for the agricultural plant-room environment with cleaning spray and humidity. Physical housing specification enables procurement as a hardware LRU and defines installation zone, which is a safety requirement given CO2 asphyxiation hazard. | Inspection | idempotency:sub-co2-inject-ctrl-housing-474 |
| SUB-REQ-092 | The Vertical Farm Environment Controller SHALL ensure that all sensors, actuators, and hardware installed within growing zones are constructed from food-safe, non-toxic, corrosion-resistant materials (stainless steel 304/316, food-grade ABS, or equivalent) and comply with biocompatibility requirements of EN 1186 or equivalent applicable food-contact material standard, to prevent contamination of crops or nutrient solution. Rationale: Vertical farm growing zones contain live crops intended for human consumption. All hardware co-located in zones with plants can leach trace materials into nutrient solution or onto crop surfaces. Stainless steel 304/316 and food-grade ABS are established food-safe materials. Biocompatibility certification prevents regulatory non-compliance with food safety legislation (e.g., EU Regulation 10/2011 on plastic materials in food contact) and protects consumer health. | Inspection | idempotency:sub-zone-biocompat-474 |
| SUB-REQ-094 | The Zone Controller SHALL be a physically-housed embedded controller unit with a DIN-rail-mounted enclosure rated to IEC 60529 IP20, installed in zone electrical enclosures adjacent to each growing zone, with RS-485 serial ports, 24 VDC power input, and digital I/O terminals, operating within ambient temperature -10 to +55 degC and humidity 20-95% RH non-condensing. Rationale: Zone Controllers are the local automation nodes executing real-time PID control. Physical housing in zone electrical enclosures is necessary for cable management, maintenance access, and compliance with IEC 61439 (low-voltage switchgear). The IP20 rating and temperature/humidity specification ensure suitability for the agricultural electrical enclosure environment. Without a physical housing requirement, zone controllers cannot be selected or installed as real hardware units. | Inspection | idempotency:sub-zone-ctrl-housing-474 |
| SUB-REQ-095 | The Zone Controller Network physical infrastructure SHALL comprise shielded twisted-pair industrial Ethernet cabling (minimum Cat5e, foil/braid shield) rated for continuous exposure to humidity and nutrient mist, IP67-rated GRP field junction boxes at each zone entry point, and 19-inch 1U managed industrial Ethernet switches installed in the Supervisory Control Subsystem enclosure, supporting network segments up to 100 m at 100 Mbps. Rationale: Zone Controller Network must specify its physical cabling infrastructure to ensure reliable communications in the high-humidity, nutrient-mist environment of the growing facility. Shielded cabling and IP67 junction boxes protect network hardware from corrosion and condensation. Without explicit physical infrastructure requirements, the network cannot be procured or installed as a real hardware system. Derived from ARC-REQ-002 distributed architecture decision and IFC-REQ-013, IFC-REQ-016 which impose physical routing and termination constraints. | Inspection | idempotency:zcn-physical-infrastructure-v1 |
| SUB-REQ-096 | All materials in direct contact with growing zone air, water, or growing media SHALL be food-safe, non-toxic, and resistant to degradation by peracetic acid (PAA) at concentrations up to 2000 ppm, sodium hypochlorite at 200 ppm, and pH ranges 2.0-10.0. Zone surfaces SHALL be cleanable to a surface bioburden below 100 CFU/cm2 after the standard sanitisation cycle. Rationale: Growing zones contain crops for human consumption; material biocompatibility and cleanability prevent contamination of produce with chemicals, heavy metals, or pathogens. Peracetic acid and hypochlorite concentrations reflect the standard sanitisation protocol used between crop cycles. The 100 CFU/cm2 bioburden limit is based on ISO 22000 food safety standard guidance for food-contact surfaces. Without these requirements, there is no baseline for material selection or sanitisation effectiveness qualification. | Test | idempotency:zone-biocompatibility-v1 |
| SUB-REQ-097 | When a harvest crew zone entry signal is received from a zone access control reader, the Vertical Farm Environment Controller SHALL within 60 seconds switch the zone to worker-comfort mode: set temperature setpoint to 22 degC, set white-channel LED intensity to 50% of current output, disable CO2 enrichment injection for the zone, and prevent automatic return to production recipe setpoints until a zone-clear signal is received from the same access control reader. Rationale: Derived from STK-REQ-008: harvest crew working in a zone face risks from elevated CO2 (>1000 ppm causes cognitive impairment, >5000 ppm is life-threatening), high-intensity grow lighting (>600 µmol/m2/s causes eye and skin damage), and sub-optimal temperature. Without an automatic worker-comfort mode, operators must manually reconfigure zone parameters before entry, increasing the risk of a crew member entering a zone with hazardous conditions. The 60-second response time is derived from the expected transit time from access control reader to the growing zone. This is a safety-critical operational mode: the system must not return to production conditions while crew are present. | Test | idempotency:sys-worker-comfort-mode-477 |
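The latched override behaviour required by SUB-REQ-079, SUB-REQ-080 and SUB-REQ-097 above (SUSPEND / SAFE-MODE that only a supervisory release lifts, and a worker-comfort mode that only the same access reader can clear), as an added Python example that is not code from the report or any project it describes; class, method and reader names and the recipe values are assumptions.

```python
"""Zone controller override and worker-comfort latches (added example).

Models SUB-REQ-079/080: a SUSPEND or SAFE-MODE override is acknowledged and
autonomous setpoint control does not resume until explicitly released, and
SUB-REQ-097: crew entry switches the zone to worker-comfort mode and recipe
setpoints are not restored until a zone-clear from the same reader.
All identifiers and sample recipe values are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    AUTONOMOUS = "autonomous"
    SUSPENDED = "suspended"    # setpoint outputs frozen at last values
    SAFE_MODE = "safe-mode"    # all HVAC actuators de-energised


@dataclass
class Actuators:
    # Constructed sample production recipe, not values from the report.
    temp_setpoint_c: float = 24.0
    white_led_pct: float = 100.0
    co2_enable: bool = True
    hvac_energised: bool = True


@dataclass
class ZoneController:
    zone_id: str
    actuators: Actuators = field(default_factory=Actuators)
    recipe: Actuators = field(default_factory=Actuators)
    mode: Mode = Mode.AUTONOMOUS
    crew_reader_id: Optional[str] = None   # reader that latched worker-comfort mode
    events: list = field(default_factory=list)  # audit trail of mode changes

    # ---- SUB-REQ-079 / SUB-REQ-080: supervisory override -------------------
    def apply_override(self, command: str) -> dict:
        """Apply SUSPEND or SAFE-MODE; return the acknowledgement payload."""
        if command == "SUSPEND":
            self.mode = Mode.SUSPENDED          # hold last actuator state as-is
        elif command == "SAFE-MODE":
            self.mode = Mode.SAFE_MODE
            self.actuators.hvac_energised = False
            self.actuators.co2_enable = False
        else:
            raise ValueError(f"unknown override command {command!r}")
        self.events.append(f"{self.zone_id}: override {self.mode.value}")
        return {"zone": self.zone_id, "override_state": self.mode.value, "ack": True}

    def release_override(self) -> None:
        """Only an explicit supervisory release returns the zone to autonomy."""
        self.mode = Mode.AUTONOMOUS
        self.actuators.hvac_energised = True
        self.events.append(f"{self.zone_id}: override released")

    def autonomous_update(self, recipe_temp_c: float) -> bool:
        """Recipe-driven setpoint change; returns False when the latch refuses it."""
        if self.mode is not Mode.AUTONOMOUS:
            return False        # the control loop never lifts an override itself
        if self.crew_reader_id is not None:
            return False        # crew present: no automatic return to recipe
        self.actuators.temp_setpoint_c = recipe_temp_c
        self.recipe.temp_setpoint_c = recipe_temp_c
        return True

    # ---- SUB-REQ-097: worker-comfort mode ----------------------------------
    def crew_entry(self, reader_id: str) -> None:
        """Zone-entry signal: 22 degC, white LEDs at 50%, CO2 injection off."""
        self.crew_reader_id = reader_id
        self.actuators.temp_setpoint_c = 22.0
        self.actuators.white_led_pct = self.actuators.white_led_pct * 0.5
        self.actuators.co2_enable = False
        self.events.append(f"{self.zone_id}: worker-comfort latched by {reader_id}")

    def zone_clear(self, reader_id: str) -> bool:
        """Zone-clear restores the recipe only if it comes from the same reader."""
        if reader_id != self.crew_reader_id:
            return False        # a different reader cannot release the latch
        self.crew_reader_id = None
        self.actuators.temp_setpoint_c = self.recipe.temp_setpoint_c
        self.actuators.white_led_pct = self.recipe.white_led_pct
        # CO2 injection resumes only when no SAFE-MODE override is active.
        self.actuators.co2_enable = self.mode is not Mode.SAFE_MODE
        self.events.append(f"{self.zone_id}: zone clear from {reader_id}")
        return True
```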
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between the Vertical Farm Environment Controller and the Building Management System SHALL use BACnet/IP with event-driven alarm exchange (fire alarm status within 500ms) and 5-minute polled energy consumption metrics, supporting BACnet Alarm and Event services (clause 13) and Read Property services. Rationale: External interface: BMS provides fire alarm status that feeds safety interlock chain and weather data for HVAC anticipatory control. 500ms alarm latency ensures fire alarm reaches safety interlock subsystem before flashover conditions develop in adjacent building spaces. | Test | interface, external, session-462, idempotency:ifc-ext-bms-462 |
| IFC-REQ-002 | The interface between the Vertical Farm Environment Controller and the Crop Planning/ERP Software SHALL use REST API (JSON over HTTPS) with mutual TLS authentication, supporting crop recipe download, zone scheduling commands, and environmental log/harvest data upload with maximum API response time of 5 seconds. Rationale: External interface: ERP provides crop recipes that drive zone setpoints and schedules. Mutual TLS prevents recipe tampering (wrong recipe loaded is a ConOps failure mode). 5-second API timeout prevents cloud latency from blocking operational control loops. | Test | interface, external, session-462, idempotency:ifc-ext-erp-462 |
| IFC-REQ-003 | The interface between the Vertical Farm Environment Controller and the Energy Management/Smart Grid SHALL support OpenADR 2.0b VEN profile for demand-response signal reception and Modbus TCP (Function Code 3/4) for local energy metering at 15-second scan rate, with DR event acknowledgement within 60 seconds. Rationale: External interface: Utility sends DR signals that trigger load curtailment. OpenADR 2.0b VEN profile is the standard for demand-response loads >100kW. 15-second Modbus metering provides granularity for real-time load tracking used by the energy optimisation function. | Test | interface, external, session-462, idempotency:ifc-ext-grid-462 |
| IFC-REQ-004 | The interface between the Vertical Farm Environment Controller and the Cloud Monitoring Platform SHALL use MQTT v5 over TLS 1.3 for 1-minute telemetry push (all zone sensors, actuator states, active alarms) and configuration update pull, with automatic local-only fallback within 30 seconds of connectivity loss and data backfill upon reconnection. Rationale: External interface: Cloud platform provides analytics, anomaly detection, and remote monitoring. MQTT v5 session expiry and message retention support reconnection backfill. 30-second fallback ensures control loops are not affected by internet outages. | Test | interface, external, session-462, idempotency:ifc-ext-cloud-462 |
| IFC-REQ-005 | The interface between the Vertical Farm Environment Controller and the CO2 Bulk Supply System SHALL use 4-20mA analogue inputs for tank level (0-100%) and tank pressure (0-25 bar), and 24VDC digital outputs for zone CO2 solenoid valves (fail-closed on loss of signal), with the controller monitoring tank level for automatic reorder trigger at 20% remaining. Rationale: External interface: CO2 supply system is safety-critical — regulator failure drives H-001 asphyxiation hazard. 4-20mA is industry standard for hazardous area analogue instruments. Fail-closed solenoid on loss of signal ensures CO2 injection stops on any communication or power failure. | Test | interface, external, safety, session-462, idempotency:ifc-ext-co2-supply-462 |
| IFC-REQ-006 | The interface between the CO2 Safety Sensor Array and the Safety PLC SHALL use hardwired 4–20mA analog signals (one per sensor channel), with channel-open and channel-short detection, at a scan rate of ≤1s per channel, providing CO2 concentration readings in the range 0–10,000 ppm. Rationale: A hardwired 4-20mA interface is intrinsically fail-safe: a broken wire drives the current to 0mA (below the 4mA live-zero), which the Safety PLC detects as a fault rather than a valid zero-CO2 reading. This prevents a wiring fault from masking a CO2 hazard. Digital fieldbus alternatives are excluded because they could be compromised by a network fault or cyber event at precisely the moment CO2 is rising. | Test | interface, safety-interlock, sil-3, session-463, idempotency:ifc-co2-sensor-plc-463 |
| IFC-REQ-007 | The interface between the Safety PLC and the Hardwired Trip Bus SHALL consist of 24VDC relay coil outputs (energize-to-hold topology), with each output driving a safety relay module that controls one final element; wire-break detection SHALL be active on all relay coil circuits. Rationale: Energize-to-hold (de-energize-to-trip) ensures that any relay coil circuit failure — broken wire, power loss, PLC output card failure — results in the relay de-energising and the final element moving to the safe state. This is the foundation of the fail-safe architecture required by IEC 61511 for SIL 3 final elements. Wire-break detection catches open circuits before they become undetected latent faults. | Inspection | rt-vague-interface, red-team-session-480 |
| IFC-REQ-008 | The interface between the Lockout Tagout Controller and the Safety PLC SHALL provide a hardwired zone-inhibit signal (24VDC discrete, normally-open) for each zone; when a LOTO key is checked out, the signal SHALL be de-asserted, preventing the Safety PLC from enabling any output in that zone. Rationale: OSHA 29 CFR 1910.147 requires energy isolation. Implementing LOTO as a hardwired inhibit to the Safety PLC ensures that software running on the supervisory layer cannot override LOTO state. The de-asserted signal (open circuit) maps to inhibit, so a broken LOTO wire conservatively defaults to inhibited — preventing inadvertent re-energisation while the fault is investigated. | Demonstration | rt-vague-interface, red-team-session-480 |
| IFC-REQ-009 | The interface between the Supervisory Control Subsystem and the Zone Controller Network SHALL use Modbus TCP/IP or OPC UA to distribute crop recipe parameters and zone setpoints with latency not exceeding 500ms per zone update. Rationale: STK-REQ-002 requires setpoint propagation within 60 seconds. The 500ms per-zone latency ensures that for up to 100 zones, all zones receive updated recipe parameters within the 60-second window. Modbus TCP/IP and OPC UA are the de facto standards for industrial HVAC and process control integration. | Test | idempotency:ifc-sc-zcn-recipe-464b |
| IFC-REQ-010 | The interface between the CO2 Enrichment Subsystem and the Zone Controller Network SHALL exchange CO2 concentration measurements at 1Hz per zone via Modbus TCP/IP, with each zone's current ppm reading and valve position feedback available to the supervisory layer within 2 seconds. Rationale: SYS-REQ-003 requires CO2 regulation within ±50 ppm. 1Hz feedback matches the sensor reporting rate and allows the supervisory layer to detect concentration drift and adjust injection in time to maintain the ±50 ppm band. The 2-second delivery window provides headroom for Modbus TCP poll cycles on a 100-zone network. | Test | idempotency:ifc-co2-zcn-feedback-464 |
| IFC-REQ-011 | The interface between the Climate Management Subsystem and the Zone Controller Network SHALL provide per-zone HVAC actuator commands (damper position 0-100%, compressor enable/disable, fan speed setpoint) with command execution acknowledgement within 1 second. Rationale: SYS-REQ-001 (temperature ±1°C) and SYS-REQ-002 (humidity ±5% RH) require closed-loop HVAC control. The 1-second acknowledgement window allows the Climate Management Subsystem to detect actuator faults and invoke the SYS-REQ-008 degraded-mode response before zone temperature deviates beyond 2°C. | Test | rt-vague-interface, red-team-session-480 |
| IFC-REQ-012 | The interface between the Nutrient Management Subsystem and the Zone Controller Network SHALL relay zone-level dosing commands (acid/base pump enable, irrigation valve open/close, flow rate setpoint) via Modbus TCP/IP and SHALL report per-zone EC and pH measurements at 0.1Hz with accuracy of ±0.1 mS/cm EC and ±0.05 pH. Rationale: SYS-REQ-006 requires pH regulation within ±0.2. Zone-level feedback accuracy of ±0.05 pH must be tighter than the system-level tolerance to accommodate sensor aging and calibration drift. Irrigation valve state reporting is needed to detect the stuck-open condition in SYS-REQ-010. | Test | idempotency:ifc-nm-zcn-nutrient-464 |
| IFC-REQ-013 | The interface between the Horticultural Lighting Subsystem and the Zone Controller Network SHALL distribute per-zone LED intensity and spectrum commands (PWM duty cycle 0-100% per channel) via DALI-2 or DMX512 protocol with LED fixture surface temperature telemetry returned at 0.2Hz. Rationale: SYS-REQ-005 requires LED intensity within ±5% of recipe setpoints. DALI-2 is IEC 62386-certified for digital LED control with per-fixture dimming accuracy of ±1%. Surface temperature telemetry at 0.2Hz satisfies SYS-REQ-009, which requires trip response within 10 seconds of exceeding 85°C. | Test | idempotency:ifc-hl-zcn-lighting-464 |
| IFC-REQ-014 | The interface between the Safety Interlock Subsystem and the CO2 Enrichment Subsystem SHALL consist of a hardwired de-energize-to-trip 24VDC relay signal that forces the CO2 bulk supply solenoid valve to the closed state within 500ms of an interlock trip, independent of any software controller. Rationale: SYS-REQ-004 requires CO2 shutoff within 10 seconds of the 5000 ppm threshold. A hardwired relay directly controlling the supply solenoid is the only architecture guaranteeing trip times independent of network latency or software availability. The 500ms margin leaves 9.5 seconds for actuator stroke time. | Inspection | idempotency:ifc-sis-co2-trip-464 |
| IFC-REQ-015 | The interface between the Safety Interlock Subsystem and the Supervisory Control Subsystem SHALL provide a unidirectional read-only OPC UA status bus reporting interlock state, trip cause code, and last-trip timestamp with polling interval not exceeding 1 second. Rationale: STK-REQ-001 requires HMI display of zone status and SYS-REQ-011 requires audit logging. The Supervisory Control Subsystem must not be able to acknowledge or reset trips via software to preserve SIL 3 integrity. A unidirectional OPC UA server/client topology enforces isolation while enabling state visibility. | Test | idempotency:ifc-sis-sc-status-464 |
| IFC-REQ-016 | The interface between the Data Acquisition and Compliance Subsystem and the Zone Controller Network SHALL collect 1-minute-resolution readings of all environmental parameters (temperature, humidity, CO2, PAR, EC, pH, irrigation flow) from each zone controller via OPC UA subscription, timestamped to UTC ±1 second accuracy. Rationale: STK-REQ-005 requires data retention compliant with food safety reference standards. 1-minute resolution is the minimum for post-harvest environmental correlation required by FSMA traceability frameworks. UTC ±1 second synchronisation is needed for multi-zone event correlation in compliance audits. | Test | idempotency:ifc-dac-zcn-logging-464 |
| IFC-REQ-017 | The interface between the Supervisory Control Subsystem and the Data Acquisition and Compliance Subsystem SHALL allow on-demand compliance report generation via REST API, returning the complete dataset within 5 minutes for any date range up to 90 days. Rationale: STK-REQ-012 requires energy-use reporting and STK-REQ-005 requires compliance data access. A REST API allows the HMI and cloud platform to pull historical datasets without direct database access, isolating the compliance data store from operational control traffic. | Test | idempotency:ifc-sc-dac-reports-464 |
| IFC-REQ-018 | The interface between the Climate Management Subsystem and the Safety Interlock Subsystem SHALL provide a hardwired zone-temperature out-of-range contact closure (24VDC) to the Safety PLC input card when any zone exceeds 38°C, with signal propagation time not exceeding 100ms. Rationale: SYS-REQ-009 requires trip of LED fixtures when zone temperature exceeds 38°C. A hardwired input to the Safety PLC ensures the thermal trip condition is evaluated by the SIL 3 Voted Logic Engine independently of process network health. The 100ms propagation budget fits within the 10-second trip response window in SYS-REQ-009. | Test | idempotency:ifc-cm-sis-thermal-464 |
| IFC-REQ-019 | The interface between the Nutrient Management Subsystem and the Safety Interlock Subsystem SHALL provide a hardwired dosing-excess fault contact closure (24VDC) to the Safety PLC input card when cumulative acid/base injection exceeds 5% of tank volume within any 10-minute window, with signal propagation time not exceeding 200ms. Rationale: SYS-REQ-007 defines the pH dosing excess condition as a safety trip requiring valve closure within 5 seconds. A hardwired signal path ensures the dosing-excess condition feeds directly into the SIL 3 Voted Logic Engine without relying on Modbus network availability, satisfying the independence requirement of SYS-REQ-015. | Test | idempotency:ifc-nm-sis-dosing-464 |
| IFC-REQ-020 | The interface between the Supervisory Control Subsystem and the CO2 Enrichment Subsystem SHALL provide zone-level CO2 concentration setpoints (400-2000 ppm range, ±1 ppm resolution) and injection enable/disable commands via Modbus TCP/IP with command acknowledgement within 2 seconds. Rationale: SYS-REQ-003 requires CO2 regulation within ±50 ppm of crop recipe setpoints. The Supervisory Control Subsystem holds the crop recipe (STK-REQ-002) and must transmit updated CO2 setpoints to the CO2 Enrichment Subsystem. The 400-2000 ppm range covers ambient to the maximum enrichment for fruiting crops. | Test | idempotency:ifc-sc-co2-setpoint-464 |
| IFC-REQ-021 | The interface between the Zone Controller Network and the Supervisory Control Subsystem SHALL publish zone fault events (sensor out-of-range, actuator fault, communication timeout) as OPC UA events with severity classification and zone identifier, delivered within 3 seconds of fault detection. Rationale: STK-REQ-003 requires crop yield impact assessment within 10 minutes of environmental excursions. STK-REQ-001 requires HMI status display with 5-second update latency. The 3-second event delivery window provides the required headroom for HMI rendering while giving the supervisory layer time to initiate yield impact calculations. | Test | idempotency:ifc-zcn-sc-faults-464 |
| IFC-REQ-022 | The interface between the CO2 Injection Controller and the Zone NDIR CO2 Sensor Array SHALL use 4-20mA analogue signals (one per zone), corresponding to 300–3000 ppm full-scale, with the CO2 Injection Controller detecting sensor fault conditions (open circuit <3.6mA, saturation >20.5mA) and raising a zone fault alarm within 5 seconds. Rationale: 4-20mA is the industry standard for process sensor interfaces due to its noise immunity in electrically noisy grow-room environments (motor drives, lighting ballasts). The live-zero (4mA) enables open-circuit fault detection, which is essential for a process control loop — loss of feedback must be detectable. | Test | interface, co2-enrichment-subsystem, session-465, idempotency:ifc-ctrl-ndir-465 |
| IFC-REQ-023 | The interface between the CO2 Injection Controller and the Zone Solenoid Valve Array SHALL use 24VDC discrete output signals (one per zone) energise-to-open, with valve position feedback returned as 24VDC discrete input (one per zone), and the CO2 Injection Controller SHALL detect valve-open command-feedback discrepancy within 2 seconds and raise a valve fault alarm. Rationale: 24VDC discrete I/O is the standard interface for solenoid valve control, providing clean on/off switching without analogue noise concerns. Position feedback detection of command/state discrepancy within 2s is required to detect valve seizure or coil failure before it causes out-of-specification CO2 enrichment or dangerous valve-open-on-trip conditions. | Test | rt-vague-interface, red-team-session-480 |
| IFC-REQ-024 | The interface between the CO2 Distribution Manifold and the CO2 Injection Controller SHALL transmit manifold inlet pressure (0–10 bar, 4-20mA) and manifold temperature (−10 to 40°C, 4-20mA) to the CO2 Injection Controller at 1Hz, with the controller raising a low-pressure alarm at <1.3 bar and shutting all zone valves at <0.5 bar to prevent CO2 reverse-flow. Rationale: Manifold pressure monitoring is needed to detect bulk CO2 supply exhaustion and vaporiser faults before they cause control failures. 1.3 bar low-pressure alarm gives operators time to top up supply before injection is lost; 0.5 bar shutdown prevents CO2 reverse-flow through valves, which could damage equipment and corrupt sensor readings. | Test | interface, co2-enrichment-subsystem, session-465, idempotency:ifc-manifold-ctrl-465 |
| IFC-REQ-025 | The interface between the EC/pH Sensor Array and the Irrigation Controller SHALL transmit EC (mS/cm) and pH measurements per zone via Modbus RTU RS-485 at 9600 baud with 16-bit register encoding, including a fault status register, at a polling rate of 0.1 Hz per zone, with maximum measurement-to-register latency of 500 ms. Rationale: Modbus RTU RS-485 is selected over 4-20mA because it allows single-cable multi-drop wiring across all zones, simplifying installation in large vertical farms with many grow zones. A fault status register is mandatory to support SUB-REQ-025 (fault detection) — analogue 4-20mA cannot carry fault state without a separate discrete signal. The 0.1Hz polling rate matches the measurement rate and ensures dosing corrections respond to the most current reading without excessive bus load. | Test | interface, nutrient-management-subsystem, session-466, idempotency:ifc-ecph-ic-466 |
| IFC-REQ-026 | The interface between the Irrigation Controller and the Dosing Pump Array SHALL transmit pump enable commands (per pump: on/off, target volume in mL) via Modbus TCP at 100 Mbit/s, with command round-trip confirmation within 1 second, and SHALL receive cumulative injection counters (per pump, in mL) for watchdog monitoring at 1 Hz. Rationale: Modbus TCP is used (over Modbus RTU) for the Irrigation Controller to Dosing Pump Array interface because the Irrigation Controller already uses Ethernet for Zone Controller Network communication (IFC-REQ-012), and maintaining a single network avoids separate RS-485 field cabling to the pump cabinet. Cumulative injection counters are returned at 1Hz to enable the Irrigation Controller to mirror the watchdog counter state for alarming before the hardwired SIL-2 trip is reached. | Test | interface, nutrient-management-subsystem, session-466, idempotency:ifc-ic-dpa-466 |
| IFC-REQ-027 | The interface between the Irrigation Controller and the Zone Irrigation Valve Array SHALL use 24VAC energise-to-open discrete outputs, one per zone valve, with Irrigation Controller reading reed-switch position feedback (24VDC open-collector, one per valve) within 2 seconds of each commanded state change; any position confirmation timeout SHALL be reported as a stuck-valve fault to the Zone Controller Network. Rationale: 24VAC discrete control is standard for solenoid valve actuation in hydroponic systems, providing galvanic isolation between control and power circuits and compatibility with off-the-shelf irrigation valve hardware. Position feedback integration at the Irrigation Controller (rather than at the Zone Controller Network) localises the stuck-valve detection logic (SUB-REQ-030) to the component responsible for valve commands, enabling sub-30-second detection without polling latency through a higher-level network. | Test | rt-vague-interface, red-team-session-480 |
| IFC-REQ-028 | The interface between the Recirculation Pump System and the Nutrient Reservoir and Mixing System SHALL consist of a DN50 suction connection from the reservoir outlet to the pump inlet, with a float-type dry-run protection switch on the reservoir monitoring fluid level at the pump inlet centerline, transmitting a 24VDC discrete signal to the pump VFD safety input; loss of the signal SHALL inhibit pump start. Rationale: A physical float switch on the reservoir at pump inlet centerline provides faster dry-run detection than an ultrasonic level sensor alarm threshold (SUB-REQ-036 low-level alarm is at 20% capacity, which may still leave fluid above the inlet). The hardwired 24VDC signal to the VFD safety input ensures dry-run inhibit is enforced even if the Irrigation Controller communication is lost, preventing pump damage independent of software. | Inspection | rt-vague-interface, red-team-session-480 |
| IFC-REQ-029 | The interface between the Lighting Control Unit and the LED Driver Module Array SHALL use DALI-2 (IEC 62386 Part 209) at 1200 baud, supporting per-channel dimming commands with 16-bit address and 8-bit level resolution, and SHALL receive driver status responses including fault codes within 22 ms. Rationale: DALI-2 is selected over 0-10V analog for its bidirectional fault reporting capability — essential in a 400kW+ facility where silent driver failure would degrade PAR accuracy without indication. 22ms response time derives from DALI-2 bus timing specification and allows within-scan fault detection at the LCU 100ms control cycle. | Test | interface, horticultural-lighting, session-467, idempotency:ifc-lcu-driverarray-dali-467 |
| IFC-REQ-030 | The interface between the PAR Sensor Array and the Lighting Control Unit SHALL transmit calibrated PPFD measurements in the range 0-2000 µmol/m²/s at a minimum rate of 1 Hz via 4-20 mA analog loop or RS-485 Modbus RTU, with loss-of-signal detection within 3 seconds. Rationale: 1 Hz sampling matches the LCU PAR PID control cycle and provides sufficient response bandwidth for closed-loop regulation. 3-second loss-of-signal detection is required to trigger the degraded-mode fallback (SUB-REQ-046) promptly enough to avoid a control gap exceeding one photoperiod scheduling step. | Test | interface, horticultural-lighting, session-467, idempotency:ifc-par-lcu-measurement-467 |
| IFC-REQ-031 | The interface between the Fixture Thermal Monitoring Array and the Safety Interlock Subsystem SHALL be a normally-closed 24 V DC hardwired signal on the trip bus: signal opens when any fixture heatsink exceeds 85 degrees C, using a dedicated comparator circuit with no programmable components in the trip path. Rationale: SIL 2 classification of the thermal trip function (SUB-REQ-042) requires that no software is in the trip path per IEC 61508 clause 7.4.2.3. Normally-closed configuration ensures that wiring faults (open circuit, short to ground) result in a spurious trip rather than a missed trip, which is the correct safe-fail direction for a fire-prevention function. | Test | interface, horticultural-lighting, sil-2, session-467, idempotency:ifc-thermal-safetyinterlock-hardwired-467 |
| IFC-REQ-032 | The interface between the Temperature Sensor Network and the Zone Climate Controller SHALL transmit 16-bit RTD resistance readings for all zone sensors at 1 Hz via 4-wire PT100 multiplexer bus, with bus fault detection (open-circuit and short-circuit conditions) reported within 1 measurement cycle. Rationale: 1 Hz transmission matches the PID sampling period; 16-bit resolution provides 0.01 degC step size sufficient for ±1.0 degC zone control. Bus fault detection in one cycle (1 s) ensures sensor loss is detected before the next PID iteration could produce a runaway output. | Test | interface, climate-management, session-469, idempotency:ifc-tsn-zcc-469 |
| IFC-REQ-033 | The interface between the Zone Climate Controller and the HVAC Actuator Interface SHALL use Modbus RTU over RS-485 at 19200 baud, with the Zone Climate Controller as master issuing setpoint write registers and reading status registers at 2 Hz, and the HVAC Actuator Interface responding within 100 ms per Modbus specification. Rationale: Modbus RTU at 19200 baud is the established HVAC industry standard for this scale of installation, supported by all candidate VFD and actuator vendors. 2 Hz polling is sufficient to detect actuator faults within the 1 s confirmation latency in SUB-REQ-059 while keeping bus utilisation below 20 percent. | Test | interface, climate-management, session-469, idempotency:ifc-zcc-hvac-actuator-469 |
| IFC-REQ-034 | The interface between the Fresh Air Ventilation Controller and the CO2 Enrichment Subsystem SHALL use Modbus TCP over Ethernet at 100 Mbit/s, exchanging zone CO2 concentration (ppm, 16-bit) and fresh-air fraction setpoint (percent, 8-bit) at 0.5 Hz with a maximum round-trip latency of 200 ms. Rationale: Modbus TCP reuses the existing plant Ethernet network already used by the CO2 subsystem, avoiding a separate serial bus. 0.5 Hz exchange rate is sufficient for fresh-air fraction coordination since the HRV damper actuator response time is 10-20 s. The 200 ms latency bound is 10x less than the HRV actuator response time, ensuring coordination data does not become stale. | Test | interface, climate-management, session-469, idempotency:ifc-favc-co2-469 |
| IFC-REQ-035 | The interface between the Crop Recipe Engine and the environmental subsystems (Climate Management, Lighting, Nutrient, CO2 Enrichment) SHALL use OPC-UA over Ethernet at 1 Gbit/s, with setpoint publish intervals of 60 s during steady-state recipe execution and 5 s during rapid-ramp recipe transitions, with a maximum delivery latency of 500 ms per setpoint write. Rationale: OPC-UA provides a vendor-neutral, standardised SCADA interface supported by all major PLC and controller vendors. 60 s normal publish interval matches the slowest setpoint change rate in any registered crop recipe; 5 s rapid-ramp interval is needed for lighting pre-dawn simulation ramps. 500 ms delivery latency is 10x less than any subsystem's actuator response time. | Test | interface, supervisory-control, session-469, idempotency:ifc-cre-subsystems-469 |
| IFC-REQ-036 | The interface between the Emergency Shutdown Sequencer and the Safety Interlock Subsystem SHALL use a hardwired 24V DC discrete signal bus with dedicated signal lines for each shutdown phase (CO2 valve trip, nutrient pump stop, lighting kill, HVAC purge), with signal propagation latency not exceeding 20 ms end-to-end. Rationale: Hardwired interface is mandatory for safety-critical shutdown paths per IEC 61511. Network-based commands are insufficient for CO2 and thermal hazard mitigation because network failure must not prevent emergency shutdown. 20 ms propagation latency is negligible relative to the 10 s total sequence time budget. | Test | interface, supervisory-control, session-469, idempotency:ifc-ess-safety-interlock-469 |
| IFC-REQ-037 | The interface between the Zone Controller Unit and the Zone Edge Gateway SHALL use OPC-UA over 100Mbps Ethernet with security mode SignAndEncrypt (Basic256Sha256 security policy), transferring zone telemetry and setpoint commands at a publish interval of 100 ms and a maximum message size of 4096 bytes. Rationale: OPC-UA is the standard industrial interoperability protocol for this application; SignAndEncrypt prevents man-in-the-middle attacks on control commands. 100ms publish interval meets the 500ms end-to-end latency budget (SUB-REQ-069). 4096-byte message limit is sized for 24 data nodes (12 parameters × 2 zones per controller) with OPC-UA encoding overhead. | Test | interface, zone-controller-network, session-470, idempotency:ifc-zcn-zcu-gateway-opcua-470 |
| IFC-REQ-038 | The interface between the Zone Controller Unit and Zone I/O Expansion Module SHALL use RS-485 Modbus RTU at 115200 baud, with the ZCU as master polling all connected I/O modules at a cycle time not exceeding 250 ms per scan across up to 4 modules on a single RS-485 segment. Rationale: RS-485 Modbus RTU provides electrically isolated, deterministic field bus communications suitable for the wet, chemical-laden growing zone environment. 115200 baud and 250ms scan time ensures analog samples reach the ZCU PID loop within the 10 Hz control cycle. Supporting up to 4 modules per segment covers the maximum I/O count for a single zone without additional repeaters. | Test | interface, zone-controller-network, session-470, idempotency:ifc-zcn-zcu-iom-rs485-470 |
| IFC-REQ-039 | The interface between the Industrial Ethernet Switch and all connected OT devices SHALL enforce IEEE 802.1Q VLAN segmentation such that zone-controller operational traffic (VLAN 100) is physically isolated at Layer 2 from safety-interlock traffic (VLAN 200), with zero cross-VLAN unicast forwarding permitted without explicit inter-VLAN routing policy. Rationale: SYS-REQ-015 requires SIL-3 independence for safety-critical functions; VLAN segregation at the switch layer prevents broadcast storms or misconfigured zone controller software from disrupting the Safety Interlock Subsystem network. Inspection verification via switch configuration audit is more reliable than runtime test for negative-traffic requirements. | Inspection | interface, zone-controller-network, session-470, idempotency:ifc-zcn-switch-vlan-470 |
| IFC-REQ-040 | The interface between the Zone Edge Gateway and the Time-Series Database Engine SHALL use MQTT over TLS 1.2 (topic: farm/<zone-id>/<parameter>/raw, QoS level 1) for real-time sensor data ingestion at 1Hz per channel, with the TSDB MQTT broker acknowledging each message within 500 ms and persisting data within 2 seconds of receipt. Rationale: MQTT QoS 1 guarantees at-least-once delivery without the head-of-line blocking that QoS 2 introduces, which is appropriate for sensor telemetry where duplicate samples are preferable to data gaps. TLS 1.2 protects OT network data from eavesdropping. The 2-second persistence deadline ensures data is written to durable storage before any TSDB process failure could cause loss. | Test | interface, data-acquisition, session-470, idempotency:ifc-dac-gateway-tsdb-mqtt-470 |
| IFC-REQ-041 | The interface between the Supervisory Control Subsystem and the Crop Recipe Database SHALL use a REST API over HTTPS (TLS 1.2, mutual authentication with X.509 client certificates), with recipe read operations responding within 500 ms and recipe write operations (create/update) completing within 2 seconds under a load of 10 concurrent requests. Rationale: The Supervisory HMI must load and switch crop recipes during active growth operations; the 500ms read latency ensures operator-initiated recipe activation does not disrupt crop monitoring workflows. Mutual TLS authentication prevents unauthorised recipe modification from misconfigured HMI client software. | Test | interface, data-acquisition, session-470, idempotency:ifc-dac-supervisory-recipedb-470 |
| IFC-REQ-042 | The interface between the OpenADR Virtual End Node and the Supervisory Control Subsystem SHALL use an internal message queue (AMQP or equivalent) with message routing key 'dr.event.curtailment', carrying structured curtailment payloads (JSON: event_id, start_time, duration_s, load_reduction_kw, affected_zones[]) with end-to-end delivery latency not exceeding 5 seconds. Rationale: Internal message queue decouples the OpenADR VEN (utility-protocol-facing) from the Supervisory (farm-protocol-facing), allowing each to evolve independently and preventing a utility communication fault from blocking supervisory operations. 5s delivery is derived from the 30s acknowledgement window minus 25s buffer for Supervisory pre-conditioning. | Test | rt-vague-interface, red-team-session-480 |
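IFC-REQ-026 has the Irrigation Controller mirror the Dosing Pump Array's 1 Hz cumulative injection counters so it can alarm before the hardwired SIL-2 dosing-excess trip (the window and volumes VER-REQ-012 exercises: 4.5 % of tank volume in 8 minutes without a trip, 5.1 % in the 10-minute window with one). The sliding-window mirror below is an added example, not code from this report or any vendor; the 5 % trip level, the 4 % software pre-alarm, the 1000 L tank, the three-poll communication timeout and the counter-reset handling are assumptions not stated in the report.

```python
"""Software mirror of the dosing-excess watchdog counter (added example).

Replays the per-pump cumulative injection counters (mL, 1 Hz over Modbus TCP,
IFC-REQ-026) and reports when the volume injected over a sliding 10-minute
window approaches the hardwired trip level (SUB-REQ-027 / VER-REQ-012).
The mirror only alarms; the hardwired watchdog in the pump drive firmware
remains the trip authority (ARC-REQ-006).
"""
from collections import deque
from typing import Deque, Dict, Optional, Tuple

WINDOW_S = 600.0          # 10-minute watchdog window (VER-REQ-012)
TRIP_FRACTION = 0.05      # assumed hardwired trip: 5 % of tank volume per window
ALARM_FRACTION = 0.04     # assumed software pre-alarm, below the trip level
COMM_TIMEOUT_POLLS = 3    # assumed: three missed 1 Hz polls = interface fault


class DosingWatchdogMirror:
    """Tracks one pump's cumulative counter and the volume injected per window."""

    def __init__(self, pump_id: str, tank_volume_ml: float) -> None:
        self.pump_id = pump_id
        self.tank_volume_ml = tank_volume_ml
        self._deltas: Deque[Tuple[float, float]] = deque()  # (t_s, injected mL)
        self._last_counter: Optional[float] = None
        self._missed_polls = 0

    def windowed_ml(self, now_s: float) -> float:
        """Volume injected in the last WINDOW_S seconds (older samples expire)."""
        while self._deltas and self._deltas[0][0] <= now_s - WINDOW_S:
            self._deltas.popleft()
        return sum(ml for _, ml in self._deltas)

    def update(self, now_s: float, counter_ml: Optional[float]) -> str:
        """Feed one poll; returns 'ok', 'pre-alarm', 'trip-level' or 'comm-fault'.

        counter_ml is None when the Modbus read failed (constructed convention).
        """
        if counter_ml is None:
            self._missed_polls += 1
            if self._missed_polls >= COMM_TIMEOUT_POLLS:
                return "comm-fault"   # counters can no longer be mirrored
        else:
            self._missed_polls = 0
            if self._last_counter is None:
                delta = 0.0           # first sample: no baseline yet
            elif counter_ml < self._last_counter:
                # Counter went backwards: the pump drive restarted and reset
                # its counter. Count everything since the reset as injected
                # rather than silently dropping it (the conservative choice).
                delta = counter_ml
            else:
                delta = counter_ml - self._last_counter
            self._last_counter = counter_ml
            if delta > 0:
                self._deltas.append((now_s, delta))

        fraction = self.windowed_ml(now_s) / self.tank_volume_ml
        if fraction >= TRIP_FRACTION:
            return "trip-level"       # hardwired watchdog should be tripping now
        if fraction >= ALARM_FRACTION:
            return "pre-alarm"        # operator warning before the SIL-2 trip
        return "ok"


def replay_ver_req_012() -> Dict[str, int]:
    """Replay the VER-REQ-012 injection profile (constructed numbers).

    1000 L tank: 45 000 mL (4.5 %) by 480 s, then 51 000 mL (5.1 %) by 600 s.
    Returns the first second at which the mirror reported each state.
    """
    tank_ml = 1_000_000.0
    mirror = DosingWatchdogMirror("pH-down-1", tank_ml)  # hypothetical pump id
    first_seen: Dict[str, int] = {}
    for t in range(0, 601):
        if t <= 480:
            counter = 93.75 * t                     # 4.5 % of tank by 8 min
        else:
            counter = 45_000.0 + 50.0 * (t - 480)   # 5.1 % of tank by 10 min
        first_seen.setdefault(mirror.update(float(t), counter), t)
    return first_seen


if __name__ == "__main__":
    print(replay_ver_req_012())  # → {'ok': 0, 'pre-alarm': 427, 'trip-level': 580}
```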

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | ARC: Safety Interlock Subsystem — Implemented as hardware-independent relay/safety-PLC chain, not as software functions within the supervisory controller. Alternatives considered: (1) software-only interlocks in supervisory controller — rejected because SIL 3 requires hardware independence per IEC 61508 clause 7.4.2.2 and H-007 cyber compromise scenario makes software-only unacceptable; (2) safety PLC with software-only voting — rejected because dual-NDIR sensor voting at hardware level provides better diagnostic coverage. Constraint: IEC 62443 defence-in-depth and IEC 61508 SIL 3 architectural constraints require physically separate safety channel. Rationale: H-001 (CO2 asphyxiation, SIL 3) and H-007 (cyber compromise) together mandate that the safety function cannot share hardware or software with the operational controller. The 150-year MTTFd target drives the choice of proven relay technology over complex programmable safety systems. | Analysis | architecture, safety-interlock, session-462, idempotency:arc-safety-interlock-462 |
| ARC-REQ-002 | ARC: Zone Controller Network — Distributed architecture with one dedicated controller per zone rather than centralised I/O. Each zone controller executes local PID loops and stores crop recipes for autonomous operation. Alternatives considered: (1) centralised controller with remote I/O racks — rejected because single point of failure would lose all zones simultaneously, and 72-hour network resilience requirement demands local recipe storage; (2) redundant centralised pair — rejected because cost exceeds distributed approach for 8 zones while providing worse zone isolation during faults. Rationale: The HVAC Failure and network resilience scenarios demonstrate that zone independence is critical — a fault in one zone must not cascade to others. Distributed architecture provides natural fault isolation boundaries aligned with the physical growing zone boundaries. | Analysis | architecture, zone-controller, session-462, idempotency:arc-zone-controllers-462 |
| ARC-REQ-003 | ARC: CO2 Enrichment Subsystem — Separated from Climate Management despite both controlling atmospheric composition. CO2 enrichment has a distinct safety boundary (SIL 3), distinct supply chain (bulk liquid CO2 from external supplier), fail-closed solenoid valve architecture, and distinct regulatory certification path. Grouping with HVAC would dilute the safety boundary and complicate SIL allocation. The interface between CO2 enrichment and climate (ventilation coordination) is managed through the zone controller. Rationale: H-001 drives SIL 3 allocation on CO2 functions. Mixing SIL 3 and non-safety-rated HVAC functions in one subsystem would force the entire climate subsystem to SIL 3, increasing cost and certification effort with no safety benefit. Clean subsystem boundaries enable independent safety certification. | Inspection | architecture, co2-enrichment, session-462, idempotency:arc-co2-separation-462 |
| ARC-REQ-004 | ARC: Supervisory Control Subsystem — Energy optimisation function grouped with supervisory control rather than as a separate subsystem. Energy decisions (demand response, load curtailment, photoperiod scheduling) require crop priority context, facility-wide load visibility, and inter-zone coordination that only the supervisory controller possesses. A separate energy subsystem would duplicate the facility-wide state model. The OpenADR 2.0 interface is a protocol adapter within the supervisory platform. Rationale: Energy optimisation is decision-layer logic that coordinates across zones using the same data model as recipe management and mode transitions. Separating it would create a tight coupling between two subsystems sharing the same state, which is worse than consolidation. | Analysis | architecture, supervisory, energy, session-462, idempotency:arc-supervisory-energy-462 |
| ARC-REQ-005 | ARC: Data Acquisition and Compliance Subsystem — Separated from supervisory control despite data flowing through the same network. Compliance data requires cryptographic integrity chains, tamper-evident storage, and regulatory retention policies (2-year BRCGS) that impose different design constraints from operational data. A combined system would risk compliance requirements inflating the complexity of the real-time control path, or operational priorities compromising audit trail integrity. Rationale: Food Safety Auditor stakeholder requires independently verifiable records. If the operational controller can modify historical records, the audit trail is not tamper-evident. Physical and logical separation of the compliance data path from the control path provides defence-in-depth for data integrity. | Inspection | architecture, compliance, session-462, idempotency:arc-data-compliance-462 |
| ARC-REQ-006 | ARC: Nutrient Management Subsystem — Separated dosing control (Dosing Pump Array + EC/pH Sensor Array) from fluid distribution (Irrigation Controller + Zone Irrigation Valve Array + Recirculation Pump System) to isolate the SIL-2 chemical dosing chain from the lower-risk irrigation timing functions. Dosing-excess watchdog is implemented as a hardwired cumulative counter in the Dosing Pump Array drive firmware rather than as a software function in the Irrigation Controller, consistent with ARC-REQ-001 (safety-critical functions must not rely on software alone). Bulk chemical storage (Nutrient Reservoir and Mixing System) is passive and requires no safety integrity — its concentrate tanks are physical inventory only. The Recirculation Pump System uses a duty/standby configuration rather than a single high-capacity pump to eliminate single-point failure of nutrient delivery, recognising that pump failure for >15 minutes causes crop stress across all zones. Rationale: IEC 61508 SIL-2 allocation on the dosing chain (SYS-REQ-006, SYS-REQ-007) requires architectural separation between the safety-relevant dosing watchdog hardware and the non-safety irrigation scheduler. Mixing these in a single controller would require the entire irrigation controller to be SIL-2 qualified, disproportionate to the risk of timing functions alone. | Inspection | architecture, nutrient-management-subsystem, session-466, idempotency:arc-nutrient-management-subsystem-466 |
| ARC-REQ-007 | ARC: Horticultural Lighting Subsystem — Four-component architecture separating control intelligence (Lighting Control Unit) from power conversion (LED Driver Module Array), photon delivery (LED Fixture Array), and feedback sensing (PAR Sensor Array + Fixture Thermal Monitoring Array). Thermal protection is split: software thermal derating via LCU for gradual ramp-down above 75°C, and a hardwired comparator circuit in the Fixture Thermal Monitoring Array for SIL-2 hard trip at 85°C independent of any software path. This split avoids routing safety-critical shutdown through the control software, ensuring the thermal trip meets IEC 61508 SIL 2 without requiring the full LCU to be SIL-certified. DALI-2 chosen over 0-10V for dimming because it supports per-fixture status feedback, individual addressing, and fault reporting — essential for 400kW+ arrays where undetected driver failure would degrade PAR accuracy without indication. Rationale: Documents the architectural trade-off that separates thermal protection into two independent paths: LCU software for graceful derating and hardwired comparator for safety trip. This ensures SIL 2 compliance for the thermal interlock without raising the SIL requirement of the entire software control stack. The DALI-2 selection over 0-10V is justified by operational observability requirements in a large facility. | Inspection | architecture, horticultural-lighting, session-467, idempotency:arc-horticultural-lighting-467 |
| ARC-REQ-008 | ARC: Climate Management Subsystem — Five-component decomposition separating sensing, control logic, actuation, and ventilation. Zone Climate Controller issues setpoints via Modbus RTU to the HVAC Actuator Interface rather than directly commanding hardware: this isolates the PID control algorithm from HVAC variant differences (DX vs chilled water vs VRF) and allows controller replacement without rewiring. Temperature Sensor Network and Relative Humidity Sensor Array are kept as separate components because their calibration cycles, failure modes, and Safety Interlock connections differ. Fresh Air Ventilation Controller is decoupled from the main HVAC loop because it coordinates with CO2 Enrichment Subsystem and must remain operable when the compressor circuit is tripped. Rationale: Separation of Zone Climate Controller from HVAC Actuator Interface enables swapping HVAC plant type without controller modification. Separate Temperature Sensor Network and RH Sensor Array components reflect different IEC 61511 proof-test intervals and independent safety trip channels to Safety Interlock Subsystem. Fresh Air Ventilation Controller decoupled from main HVAC loop allows it to continue operating when the compressor circuit is tripped. | Inspection | architecture, climate-management, session-469, idempotency:arc-climate-management-469 |
| ARC-REQ-009 | ARC: Supervisory Control Subsystem — Five-component decomposition separating server infrastructure, recipe execution, operator interaction, demand response, and emergency sequencing. The Crop Recipe Engine is a separate component from the Plant Management Server because recipes must continue executing during server maintenance windows via a hot-standby recipe executor. The Emergency Shutdown Sequencer is isolated from the main supervisory bus with its own hardwired interface to the Safety Interlock Subsystem, ensuring shutdown can complete even if the network bus fails. The Demand Response Handler is decoupled from the Crop Recipe Engine to allow load-shed commands to override recipe setpoints without modifying the recipe state machine. Rationale: Separation of Emergency Shutdown Sequencer preserves shutdown capability during network failures. Crop Recipe Engine decoupled from Plant Management Server allows recipe execution to survive server updates. DR Handler separation prevents demand-response events from corrupting crop recipe state. | Inspection | architecture, supervisory-control, session-469, idempotency:arc-supervisory-control-469 |
| ARC-REQ-010 | ARC: Zone Controller Network — distributed embedded controllers with OPC-UA aggregation gateway. Zone Controller Units are selected as standalone embedded Linux nodes (not PLCs) to enable recipe-driven Python control loops without proprietary programming environments; the Edge Gateway pattern decouples the OPC-UA server from per-zone hardware, allowing supervisory software upgrades without touching field devices. Industrial Ethernet with VLAN segregation was chosen over a dedicated fieldbus (PROFIBUS, CANopen) to leverage standard IT network management tooling and support future bandwidth growth for video-based crop monitoring. Rationale: Architecture decision for Zone Controller Network subsystem: embedded Linux ZCU nodes selected over PLCs for recipe-driven Python control; Edge Gateway decouples OPC-UA server from field hardware; industrial Ethernet with VLAN segregation preferred over fieldbus for standard IT tooling and future bandwidth growth. | Analysis | architecture, zone-controller-network, session-470, idempotency:arc-zone-controller-network-470 |
| ARC-REQ-011 | ARC: Data Acquisition and Compliance Subsystem — TSDB-centred data store with separate recipe database and automated report generation. A time-series database (InfluxDB) was selected over a relational database for environmental telemetry because sensor data ingestion at 1Hz per channel per zone produces high-cardinality sequential writes that relational engines handle poorly at 10-year retention scale. The recipe and compliance subsystems use a relational database (PostgreSQL) because their data is structured, low-volume, and requires referential integrity for audit chains. The OpenADR VEN is deployed as a co-located service to share the TSDB's energy telemetry without requiring a separate data bus. Rationale: Architecture decision for Data Acquisition and Compliance Subsystem: InfluxDB selected for high-cardinality sequential sensor writes; PostgreSQL for recipe and compliance data requiring referential integrity; OpenADR VEN co-located with TSDB to share energy telemetry without additional data bus. | Analysis | architecture, data-acquisition, session-470, idempotency:arc-data-acquisition-470 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-REQ-001 | Verify IFC-REQ-006: With three CO2 sensor channels connected to the Safety PLC, inject calibrated CO2 concentration levels at 0 ppm, 2500 ppm, 5000 ppm, and 9900 ppm on each channel independently; confirm PLC analog input readings match injected values within ±50 ppm. Simulate wire-open on each channel individually; confirm PLC raises sensor-fault alarm within 1s and does not interpret the failure as 0 ppm CO2. PASS: all readings within tolerance, all wire-break faults detected. Rationale: Integration test to verify interface compliance at system boundaries. | Test | verification, safety-interlock, sil-3, session-463, idempotency:ver-ifc006-463 |
| VER-REQ-002 | Verify IFC-REQ-007: With the Safety PLC in test mode, de-energise each relay coil output in sequence; confirm the corresponding final element moves to its safe state within 500 ms. Open-circuit each relay coil wire in turn; confirm wire-break fault is raised by the PLC within 1s and the relay de-energises. PASS: all final elements reach safe state on demand, all wire-break faults detected. Rationale: Integration test to verify interface compliance at system boundaries. | Test | verification, safety-interlock, sil-3, session-463, idempotency:ver-ifc007-463 |
| VER-REQ-003 | Verify SUB-REQ-005 (end-to-end integration): In a commissioned zone with live sensors, inject CO2 test gas at 5100 ppm to safety sensor channels; measure time from injection stabilisation to CO2 isolation valve fully-closed position; confirm ≤30s. Repeat for LED thermal (heat gun to >85°C, confirm LED circuit breaker OPEN ≤10s) and emergency-stop button (confirm all zone outputs de-energised ≤1s). PASS: all measured response times within specified limits with audit log entry created. Rationale: End-to-end test covering the complete signal path from sensor through Safety PLC, Voted Logic Engine, and Hardwired Trip Bus to final elements. Tests the composite requirement that each interlock acts within the hazard-specific time window. This is the primary safety case evidence for SIL 3 functional verification of the CO2 and thermal interlocks. | Test | verification, safety-interlock, sil-3, session-463, idempotency:ver-sub005-e2e-463 |
| VER-REQ-004 | Verify SUB-REQ-001: Expose three CO2 Safety Sensor Array channels to NIST-traceable calibration gas at 0, 1000, 2500, 5000, and 9000 ppm; record each channel reading; confirm deviation ≤50 ppm at each point. Verify SIL 3 certification documentation for sensor type. PASS: all readings within ±50 ppm, SIL 3 certificate present. Rationale: Accuracy verification at multiple concentration points spanning the operational range (1000-2000 ppm normal, 5000 ppm trip threshold). NIST-traceable calibration gas provides metrological traceability for the safety case. | Test | verification, safety-interlock, sil-3, session-463, idempotency:ver-sub001-accuracy-463 |
| VER-REQ-005 | Verify IFC-REQ-014, IFC-REQ-018, IFC-REQ-019: With the Safety PLC in test mode, inject CO2 over-threshold, zone temperature over-threshold (38°C), and dosing-excess signals simultaneously via the hardwired input channels. Confirm that each signal propagates to the PLC input register within the specified latency (500ms, 100ms, 200ms respectively) using a calibrated signal logger, and that each triggers the correct safe-state actuation. Rationale: Three hardwired interface requirements specify independent safety input channels. Testing them in a combined injection scenario verifies that no channel interferes with another and that the voted logic engine correctly processes simultaneous multi-hazard inputs, matching the SIL 3 diagnostic requirement. | Test | idempotency:ver-hardwired-inputs-464 |
| VER-REQ-006 | Verify IFC-REQ-009, IFC-REQ-010, IFC-REQ-011, IFC-REQ-012, IFC-REQ-013: In a factory acceptance test environment with all subsystem controllers connected to a test zone controller network, inject recipe parameter changes and confirm propagation latency for each interface is within specification. Verify EC/pH feedback accuracy (±0.1 mS/cm, ±0.05 pH) using calibrated reference instruments. Rationale: Process network interfaces between supervisory control, climate, nutrient, and lighting subsystems share the same Modbus TCP/IP backbone. FAT in integrated configuration verifies that simultaneous traffic from all subsystems does not degrade the latency of any individual interface below its specified bound. | Test | idempotency:ver-process-network-ifc-464 |
| VER-REQ-007 | Verify IFC-REQ-022: connect Zone NDIR CO2 Sensor Array analogue output (4-20mA) to CO2 Injection Controller input; inject calibrated current at 4mA (sensor fail), 8mA (600 ppm), 12mA (1200 ppm), 16mA (1800 ppm), 20mA (2400 ppm); confirm controller readings within ±50 ppm of expected; simulate open-circuit (<3.6mA) and confirm fault alarm within 5 seconds; PASS: all readings within tolerance, open-circuit detected. Rationale: Interface test verifying 4-20mA signal calibration scaling and open-circuit fault detection, both required for correct PID operation and sensor fault safety behaviour. | Test | verification, co2-enrichment-subsystem, session-465, idempotency:ver-ifc022-465 |
| VER-REQ-008 | Verify IFC-REQ-023: command zone solenoid valve to open via CO2 Injection Controller 24VDC output; confirm position feedback indicates open within 2 seconds; command valve to close; confirm position feedback indicates closed within 500 ms; force open/close command mismatch by mechanically jamming valve and verify CO2 Injection Controller raises valve-fault alarm within 2 seconds; PASS: all timings within specification, fault alarm raised. Rationale: Valve command/feedback interface test covering both normal operation timing and fault detection, which is the primary mechanism for detecting valve seizure in process operation. | Test | verification, co2-enrichment-subsystem, session-465, idempotency:ver-ifc023-465 |
| VER-REQ-009 | Verify CO2 Enrichment Subsystem end-to-end (system integration test): with all subsystems connected in a live test environment, command a zone CO2 setpoint from 400 ppm to 1000 ppm via Supervisory Control; measure time to achieve 1000 ppm ±50 ppm; inject simulated 5000 ppm safety sensor reading and verify all zone solenoid valves close within 2 seconds and CO2 Injection Controller enters lockout; PASS: setpoint achieved within 5 minutes, trip response ≤2 seconds under nominal load. Rationale: End-to-end integration test exercising the complete chain from supervisory setpoint through injection control to physical valve actuation, and the complete safety trip path from sensor reading through hardwired trip to valve closure. This is the primary evidence for SYS-REQ-003 and SYS-REQ-004 system-level verification. | Test | verification, co2-enrichment-subsystem, session-465, sil-3, idempotency:ver-co2-e2e-465 |
| VER-REQ-010 | Verify IFC-REQ-025: Configure Modbus RTU RS-485 at 9600 baud between EC/pH Sensor Array and Irrigation Controller. Confirm EC register value within ±0.1 mS/cm of reference meter at three setpoints (0.5, 3.0, 8.0 mS/cm). Confirm pH register value within ±0.05 of reference calibration buffer (pH 4.0, 7.0, 9.0). Set sensor to fault mode; confirm fault status register is set and Irrigation Controller logs fault within 5 seconds. Pass: all values within tolerance, fault detected within 5s. Rationale: Integration test verifying the Modbus RTU communication accuracy and fault reporting path required by IFC-REQ-025 and SUB-REQ-025, to confirm that sensor faults propagate before dosing can proceed on stale data. | Test | verification, nutrient-management-subsystem, session-466, idempotency:ver-ifc025-466 |
| VER-REQ-011 | Verify IFC-REQ-027: Command zone irrigation valve to open via Irrigation Controller 24VAC output; confirm reed-switch position feedback indicates open within 2 seconds. Command valve to close; confirm position feedback closed within 2 seconds. Mechanically restrain valve in open position, command close, and confirm Irrigation Controller reports stuck-valve fault to Zone Controller Network within 30 seconds. Pass: all timings within specification, stuck-valve fault detected and reported. Rationale: Interface test verifying both the 24VAC actuation path and position feedback confirmation, and the stuck-valve detection behaviour specified in SUB-REQ-030 and IFC-REQ-027. This test provides evidence that flood prevention response meets the 30-second detection window in SYS-REQ-010. | Test | verification, nutrient-management-subsystem, sil-2, session-466, idempotency:ver-ifc027-466 |
| VER-REQ-012 | Verify SUB-REQ-027 (Dosing Pump Array hardwired watchdog): Command a series of pH-down pump injections totalling 4.5% of tank volume in 8 minutes; confirm no fault contact assertion. Continue to 5.1% in the 10-minute window; confirm 24VDC fault contact asserts to Safety PLC within 200 ms of threshold crossing (measured with calibrated signal logger). Command pump operation while fault contact is asserted and confirm pumps are inhibited. Perform manual interlock reset and confirm pumps can resume. Pass: threshold detection within 200 ms, pump inhibit enforced, manual reset required. Rationale: SIL-2 functional safety test for the dosing-excess watchdog required by SUB-REQ-027 and SYS-REQ-007. The 200 ms signal propagation time is the primary safety timing requirement for this function. Testing both below-threshold (no spurious trip) and above-threshold (confirmed trip) scenarios validates the correct implementation boundary. Manual reset requirement is evidence of SIL-2 latched-trip behaviour. | Test | verification, nutrient-management-subsystem, sil-2, safety, session-466, idempotency:ver-sub027-watchdog-466 |
| VER-REQ-013 | Verify Nutrient Management Subsystem end-to-end (system integration test): with all NMS components connected in a live test environment, set zone recipe to pH 6.0/EC 2.5 mS/cm; confirm closed-loop dosing achieves setpoint within ±0.2 pH and ±0.1 mS/cm within 30 minutes; simulate stuck-open irrigation valve and confirm floor drain pump activates within 60 seconds; simulate sensor fault and confirm degraded-mode (SUB-REQ-037) operation at 50% dosing rate; simulate loss of mains power and confirm all zone valves close within 2 seconds. Pass: all system-level requirements met under combined conditions. Rationale: End-to-end integration test exercising the complete NMS signal chain from EC/pH feedback through dosing control to solution delivery, and the three primary fault responses: flood detection (SYS-REQ-010), sensor degraded mode (SUB-REQ-037), and power-loss fail-safe (SUB-REQ-032). This provides the primary evidence for SYS-REQ-006 and SYS-REQ-010 system-level verification. | Test | verification, nutrient-management-subsystem, sil-2, session-466, idempotency:ver-nms-e2e-466 |
| VER-REQ-014 | Verify SUB-REQ-039: In a commissioned zone with the PAR Sensor Array and LED Fixture Array installed at operating height, command the LCU to four PAR setpoints (100, 250, 400, 600 µmol/m²/s). At each setpoint under steady state (30s settled), measure PPFD with a calibrated reference quantum sensor at 9 canopy-level positions. Pass criterion: all 9 readings within ±5% of the commanded setpoint. Rationale: Multi-point canopy measurement with an independently calibrated reference sensor verifies both LCU closed-loop accuracy and spatial uniformity — the two failure modes that would cause recipe non-compliance. | Test | verification, horticultural-lighting, session-467, idempotency:ver-sub039-par-accuracy-467 |
| VER-REQ-015 | Verify SUB-REQ-042: In a test rig with a zone LED Driver Module Array energised and the Fixture Thermal Monitoring Array comparator circuit connected, inject a calibrated voltage equivalent to the 85°C threshold into the comparator input while monitoring Driver Module output current. Pass criterion: all Driver Module outputs de-energise within 2 seconds of threshold crossing, with no software intervention. Repeat 10 times. All 10 must pass. Rationale: SIL-2 functions require demonstrated probabilistic reliability — 10 consecutive trigger tests with zero failures provides minimum evidence for the diagnostic coverage claim. Hardware-only test path (no software intervention) directly verifies the SIL-2 architectural requirement. | Test | verification, horticultural-lighting, sil-2, session-467, idempotency:ver-sub042-thermal-trip-467 |
| VER-REQ-016 | Verify IFC-REQ-029: Using a DALI-2 bus analyser, command all four channel addresses to 10%, 50%, and 100% level. Measure round-trip command latency and verify driver status response received. Pass criterion: all responses received within 22 ms, all channels achieve commanded level within ±1 count, and no bus fault messages observed during 100-command test sequence. Rationale: Bus analyser verification of DALI-2 timing and addressing confirms IEC 62386 compliance and the 22ms response budget; 100-command sequence provides statistical confidence in error rate. | Test | verification, horticultural-lighting, session-467, idempotency:ver-ifc029-dali-interface-467 |
| VER-REQ-017 | Verify IFC-REQ-031: With the Fixture Thermal Monitoring Array trip bus connected to the Safety Interlock hardwired trip input, simulate open-circuit, short-to-ground, and threshold-crossing failure modes on the 24VDC line. Pass criterion: (a) open circuit triggers safety trip within 2s; (b) short to ground triggers safety trip within 2s; (c) threshold-crossing triggers safety trip within 2s. All three fault modes must activate the normally-closed trip correctly. Rationale: Three-fault-mode test verifies the fail-safe (normally-closed) behaviour of the SIL-2 interface — the key property that ensures wiring faults result in safe trips rather than missed trips. | Test | verification, horticultural-lighting, sil-2, session-467, idempotency:ver-ifc031-thermal-hardwired-467 |
| VER-REQ-018 | Verify SUB-REQ-012: inject test CO2 setpoint steps of 200 ppm across all zones simultaneously; measure controller response time and steady-state error over 30-minute test window; pass criterion: all zones achieve ±50 ppm of setpoint within 5 minutes of step and maintain within ±50 ppm for remainder. Rationale: Functional test of PID control performance under realistic multi-zone load, measuring both response time and steady-state accuracy against the ±50 ppm specification. | Test | verification, co2-enrichment-subsystem, session-465, idempotency:ver-sub012-465 |
| VER-REQ-019 | Verify SUB-REQ-017: de-energise zone solenoid valve from fully-open state and measure time to full closure via position feedback; test at 0°C, 20°C, and 40°C ambient; pass criterion: closure ≤500 ms at all temperatures with zero spring-return failures across 10 cycles per zone. Rationale: Valve closure time is safety-critical (SIL-3 trip budget allocation); tests must span the full operating temperature range since spring force and coil impedance vary with temperature. 10-cycle repeat confirms repeatability, not just one-off performance. | Test | verification, co2-enrichment-subsystem, session-465, sil-3, idempotency:ver-sub017-465 |
| VER-REQ-020 | Verify SUB-REQ-022: simulate safety interlock trip by removing 24VDC trip relay signal; verify all zone valves close within 500 ms via position feedback; verify CO2 Injection Controller enters lockout (refuses valve-open commands); attempt operator reset without authorised credential and verify lockout maintained; perform authorised reset and verify valves can re-open; pass criterion: all closure and lockout behaviours as specified, with valve closure time measured ≤500 ms. Rationale: SIL-3 safe state test must verify both the hardware trip mechanism (hardwired relay) and the software lockout behaviour, and must confirm that unauthorised reset is rejected. This is a mandatory SIL-3 functional safety test per IEC 61508-2. | Test | verification, co2-enrichment-subsystem, session-465, sil-3, idempotency:ver-sub022-465 |
| VER-REQ-021 | Verify REQ-SEVERTICALFARMENV-007: assert supervisory override command from simulated Supervisory Control Subsystem and measure elapsed time from command issuance to full actuator handover; pass criterion ≤500 ms in 10/10 trials. Rationale: Tests the quantified 500 ms override response window for the zone controller network autonomy override requirement. Ten-trial pass rate confirms repeatability under varied network load conditions. | Test | idempotency:qc-468-ver-zone-ctrl-override |
| VER-REQ-022 | Verify REQ-SEVERTICALFARMENV-008: kill primary VFEC processing node (power removal) while all zones active; measure time from node loss to full zone regulation resume from warm-standby; pass criterion ≤30 s with no more than 1 missed control cycle per zone. Rationale: Directly tests the 30-second failover criterion and single-missed-cycle constraint. Power removal is chosen over software kill to test hardware-level failure detection. | Test | idempotency:qc-468-ver-vfec-redundancy |
| VER-REQ-023 | Verify REQ-SEVERTICALFARMENV-011: attempt HMI login with valid username/password only (no OTP) and verify access is denied; verify TLS connection using protocol analyser to confirm TLS 1.3 negotiation and absence of plaintext credential transmission. Rationale: Two-part test covers both authentication factor enforcement and transport encryption. Protocol analyser confirmation is required because browser UI success does not prove TLS version negotiated. | Test | idempotency:qc-468-ver-cybersec |
| VER-REQ-024 | Verify SUB-REQ-053: In a commissioned grow zone with temperature setpoint 22°C and full crop canopy, record zone air temperature at both PT100 sensor positions over a 4-hour steady-state period using a calibrated reference thermometer. Pass criterion: all readings within 22 ±1.0°C with no outliers exceeding ±1.5°C. Rationale: Zone-level steady-state test with reference thermometer provides independent calibration-traceable verification of the ±1.0°C requirement; 4-hour window captures natural HVAC on/off cycling behaviour. | Test | verification, climate-management, session-469, idempotency:ver-sub053-469 |
| VER-REQ-025 | Verify SUB-REQ-055: Inject a simulated compressor trip signal at the HVAC Actuator Interface test port while the zone is at steady-state cooling. Measure time from trip signal injection to lighting load-reduction command on the Supervisory Control Subsystem interface using a logic analyser. Pass criterion: command issued within 500 ms on 10 consecutive trials with no failures. Rationale: Timing test with logic analyser provides objective, repeatable measurement of the 500 ms response requirement. Ten trials are the minimum statistical sample for a pass/fail safety function test per IEC 61511-1 clause 8.2. | Test | verification, climate-management, session-469, idempotency:ver-sub055-469 |
| VER-REQ-026 | Verify IFC-REQ-032: Connect a Modbus RTU bus analyser to the PT100 multiplexer bus and capture 1000 consecutive measurement frames. Pass criterion: all frames arrive within 1000 ±50 ms intervals; bus fault injection (open-circuit on one sensor) is detected and reported within one measurement cycle. Rationale: Protocol-level verification confirms the timing and fault-detection requirements of the interface. 1000 frames provides statistical confidence in 1 Hz compliance; fault injection test directly exercises the safety-relevant bus fault detection path. | Test | verification, climate-management, session-469, idempotency:ver-ifc032-469 |
| VER-REQ-027 | Verify IFC-REQ-034: Using a Modbus TCP test client, monitor the exchange between Fresh Air Ventilation Controller and CO2 Enrichment Subsystem for 30 minutes during steady-state production operation. Measure message interval and round-trip latency for all CO2 concentration and fresh-air fraction exchanges. Pass criterion: all message intervals within 2000 ±200 ms; all round-trip latencies below 200 ms. Rationale: Integration test captures the real-time exchange behaviour under operational conditions. 30-minute window spans multiple HRV damper adjustment cycles to verify steady-state interface compliance. | Test | verification, climate-management, session-469, idempotency:ver-ifc034-469 |
| VER-REQ-028 | Verify SUB-REQ-062: Trigger emergency shutdown by asserting the manual E-stop input while the facility is in full operation (all zones active, CO2 enrichment running). Use a multi-channel data logger to timestamp CO2 valve closure, nutrient pump stop, lighting kill, and HVAC damper purge signals. Pass criterion: complete sequence logged within 10 s from E-stop assertion on 3 consecutive trials. Rationale: End-to-end timing test with data logger provides objective evidence of the 10 s sequence requirement. Three trials at full-operation state are the minimum required to detect sequencing failures due to bus congestion or lock contention. | Test | verification, supervisory-control, session-469, idempotency:ver-sub062-469 |
| VER-REQ-029 | Verify IFC-REQ-036: Using an oscilloscope, measure propagation delay from Emergency Shutdown Sequencer 24V output assertion to Safety Interlock Subsystem input detection for each of the four shutdown signal lines. Pass criterion: all four lines show propagation delay less than 20 ms across 10 trials per line. Rationale: Oscilloscope measurement is the only method that can resolve sub-millisecond timing on the hardwired safety interface; functional test alone cannot verify the 20 ms latency bound specified in IFC-REQ-036. | Test | verification, supervisory-control, session-469, idempotency:ver-ifc036-469 |
| VER-REQ-030 | Verify IFC-REQ-037: Configure a test ZCU and Zone Edge Gateway on an isolated network, inject a known-value data set, and measure OPC-UA message round-trip latency over 1000 cycles under 100% data-change rate. Pass criteria: all messages use SignAndEncrypt, mean latency ≤100ms, 99th-percentile latency ≤150ms, no plaintext sessions accepted. Rationale: Integration test at the OPC-UA stack level verifies both functional (latency) and security (encryption) requirements simultaneously. 1000-cycle sample provides statistical confidence in the 99th-percentile measurement. | Test | verification, zone-controller-network, session-470, idempotency:ver-ifc037-zcn-470 |
| VER-REQ-031 | Verify IFC-REQ-038: Connect a ZCU to 4 I/O Expansion Modules on a single RS-485 segment and run a 24-hour polling cycle test at the specified baud rate. Inject an open-circuit fault on one analog channel. Pass criteria: complete scan cycle ≤250ms for all 4 modules, open-circuit fault detected and reported to ZCU within 1s, no scan cycle exceeds 500ms over 24 hours. Rationale: 24-hour continuous test catches intermittent timing violations under temperature cycling. The open-circuit injection directly tests the fault detection path of SUB-REQ-068. | Test | verification, zone-controller-network, session-470, idempotency:ver-ifc038-zcn-470 |
| VER-REQ-032 | Verify IFC-REQ-039: Audit the Ethernet switch configuration via SNMP MIB and running-config export. Verify VLAN 100 and VLAN 200 membership assignments. Attempt to send a unicast frame from VLAN 100 to a VLAN 200 host and confirm the frame is dropped at the switch. Pass criteria: VLAN membership matches design, zero VLAN 100 frames appear on VLAN 200 network monitor after 1000 test frames sent. Rationale: Configuration audit and active probe test verifies both the intended VLAN design and that the switch is enforcing it. A negative test (attempting to inject cross-VLAN traffic) is more rigorous than a positive-only test for a security isolation requirement. | Inspection | verification, zone-controller-network, session-470, idempotency:ver-ifc039-zcn-470 |
| VER-REQ-033 | Verify SUB-REQ-065: In a hardware-in-the-loop test, establish steady-state ZCU operation with known setpoints, then physically disconnect the OPC-UA network interface. Monitor zone parameter control over 35 minutes. Pass criteria: zone parameters remain within crop recipe tolerances for the full 35-minute test period, ZCU generates network-loss alarm within 60s of disconnect, control resumes on the stored local recipe when network is restored. Rationale: Hardware-in-the-loop test with actual ZCU hardware and simulated zone loads verifies autonomous operation in conditions representative of deployment. 35-minute test exceeds the 30-minute requirement to demonstrate margin. | Test | verification, zone-controller-network, session-470, idempotency:ver-sub065-zcn-470 |
| VER-REQ-034 | Verify SUB-REQ-070 and SUB-REQ-071: Inject 100,000 sensor data points at 1 Hz into the TSDB from a simulated Zone Edge Gateway across 12 channels. Verify zero data loss in the raw store. Then execute a CSV export query for a 90-day range. Pass criteria: all 100,000 records present in TSDB, CSV export completes in ≤30 seconds, CSV row count matches injected count within 0.001% tolerance. Rationale: Combined test exercises both ingestion fidelity (SUB-REQ-070) and query performance (SUB-REQ-071) in a single dataset, confirming that the TSDB can sustain high-frequency writes without index degradation that would slow exports. | Test | verification, data-acquisition, session-470, idempotency:ver-dac-tsdb-ingest-export-470 |
| VER-REQ-035 | Verify SUB-REQ-072 and IFC-REQ-042: Connect the OpenADR VEN to a certified OpenADR 2.0b test VTN. Distribute 10 DR events at random intervals over 4 hours. Timestamp acknowledgements at VTN and curtailment commands at Supervisory message queue. Pass criteria: all 10 events acknowledged within 30 seconds, all 10 curtailment commands delivered to Supervisory queue within 35 seconds of event distribution. Rationale: End-to-end timing test using a certified test VTN verifies real protocol behaviour including HTTPS handshake overhead. Testing 10 events over 4 hours captures variation in network load conditions. | Test | verification, data-acquisition, session-470, idempotency:ver-dac-oadr-timing-470 |
| VER-REQ-036 | Verify SUB-REQ-074: Pre-populate the TSDB with a synthetic 4-hour sanitisation cycle dataset including peracetic acid concentration, temperature, and contact time telemetry. Trigger a compliance report generation event. Measure report generation time and verify SHA-256 hash. Pass criteria: PDF report generated within 60 seconds, report includes correct sanitisation parameters, SHA-256 hash of report matches hash of source TSDB records, hash is embedded in report metadata. Rationale: Synthetic dataset allows deterministic verification of report content and hash validity. The hash verification step confirms cryptographic linkage between report and source data, which is the key tamper-evidence property. | Test | verification, data-acquisition, session-470, idempotency:ver-dac-compliance-report-470 |
| VER-REQ-037 | Verify IFC-REQ-001 (BACnet/IP BMS interface): Connect the Vertical Farm Environment Controller to a BACnet/IP protocol analyser and a BMS simulator. Trigger a fire alarm condition; confirm alarm receipt at the VFEC within 500 ms. Enable 5-minute polling cycle; confirm energy metrics read via BACnet Read Property service. Verify BACnet Alarm and Event services (clause 13) are enumerated in the device object. Rationale: IFC-REQ-001 specifies BACnet/IP with 500ms fire alarm latency and 5-minute energy polling. Protocol-level testing against a BMS simulator is the only means to confirm BACnet service compliance and timing. | Test | idempotency:ver-ifc001-bacnet-qc472 |
| VER-REQ-038 | Verify IFC-REQ-002 (REST API crop planning interface): Using an API test client (Postman or equivalent), exercise the VFEC REST endpoints with valid mTLS credentials. Issue crop recipe download, zone scheduling, and log upload requests; measure response time for each (must be ≤5 s under nominal load). Verify 401 rejection when mTLS certificate is absent or expired. Rationale: IFC-REQ-002 requires mTLS authentication and ≤5s response time. Functional API testing with a valid and invalid certificate is necessary to confirm both authentication and performance acceptance criteria. | Test | idempotency:ver-ifc002-rest-qc472 |
| VER-REQ-039 | Verify IFC-REQ-003 (OpenADR 2.0b and Modbus energy metering): Connect VEN to a certified OpenADR 2.0b VTN test server. Issue a SIMPLE DR event; confirm acknowledgement within 60 seconds. Verify Modbus TCP function codes FC3/FC4 poll energy registers at 15-second interval using a Modbus master test tool; confirm all expected registers respond correctly. Rationale: IFC-REQ-003 specifies dual protocols (OpenADR VEN and Modbus TCP) with precise timing constraints. Independent protocol testing against a certified OpenADR VTN test instance and a Modbus master is required to validate both interfaces. | Test | idempotency:ver-ifc003-openadr-qc472 |
| VER-REQ-040 | Verify IFC-REQ-004 (MQTT v5 cloud monitoring): Confirm MQTT v5 over TLS 1.3 connection to a cloud broker with all zone sensor, actuator, and alarm topics publishing at 1-minute intervals. Disconnect broker connection; confirm local-only fallback activates within 30 seconds. Restore connection; verify data backfill of buffered telemetry. Rationale: IFC-REQ-004 requires MQTT v5/TLS 1.3 with 30s fallback and backfill. Disconnection testing is the only way to validate the fallback and reconnection backfill behaviours. | Test | idempotency:ver-ifc004-mqtt-qc472 |
| VER-REQ-041 | Verify IFC-REQ-005 (CO2 bulk supply analogue interface): Inject calibrated 4-20mA signals representing 0%, 20%, 50%, and 100% tank level and 0, 5, 12.5, and 25 bar tank pressure; confirm displayed values at VFEC within ±1% full scale. Set tank level to 20% signal; confirm automatic reorder trigger is generated. Remove 24VDC signal from a zone solenoid output; confirm valve returns to fail-closed state. Rationale: IFC-REQ-005 specifies 4-20mA analogue inputs and fail-closed solenoid behaviour. Signal injection testing is required to verify analogue scaling and the fail-safe de-energise behaviour. | Test | idempotency:ver-ifc005-co2supply-qc472 |
| VER-REQ-042 | Verify IFC-REQ-015 and IFC-REQ-016 (Safety OPC UA status bus and zone data collection): Configure OPC UA client on Supervisory Control and trigger an interlock trip; confirm interlock state, trip cause code, and last-trip timestamp appear within 1-second poll cycle. Separately, subscribe to Zone Controller Network OPC UA nodes; confirm 1-minute environmental parameter data arrives with UTC timestamp offset ≤1 second. Rationale: IFC-REQ-015 requires read-only OPC UA status at ≤1s poll; IFC-REQ-016 requires 1-minute zone data with ≤1s timestamp accuracy. Combined OPC UA testing against live controllers confirms both interfaces in one test session. | Test | idempotency:ver-ifc015-016-opcua-qc472 |
| VER-REQ-043 | Verify IFC-REQ-017 (compliance report REST API): Pre-populate TSDB with 90 days of synthetic zone data. Issue an on-demand compliance report request via REST API for a 90-day date range; confirm complete dataset returned within 5 minutes. Issue a partial-range request (7 days); confirm response time proportionally shorter. Verify data integrity by spot-checking 10 random records against TSDB source. Rationale: IFC-REQ-017 requires report generation within 5 minutes for up to 90-day ranges. Performance testing with maximum-range data confirms the worst-case compliance report response time. | Test | idempotency:ver-ifc017-report-qc472 |
| VER-REQ-044 | Verify SUB-REQ-002 (2oo3 CO2 sensor voting): In a Hardware-in-the-Loop test bench with three CO2 sensor channels wired to the Safety PLC, fail one sensor channel (open circuit); confirm interlock trip is not suppressed and no spurious trip is generated. Fail a second channel while the first remains failed; confirm interlock trip is generated within the required response time. Confirm that with all three sensors present the expected 2oo3 voted output is produced with no spurious trip. Pass criteria: single-channel failure: no spurious trip, 2oo3 voting active; dual-channel failure: interlock trip within 500 ms; all channels healthy: no trip, correct CO2 reading. Rationale: SUB-REQ-002 defines SIL 3 2oo3 voting logic. Hardware channel failure injection on the HIL bench is the only method to verify that the voting architecture correctly distinguishes 1-of-3 sensor failure from actual CO2 exceedance. | Test | idempotency:ver-sub002-2oo3-qc472 |
| VER-REQ-045 | Verify SUB-REQ-003 (Safety PLC IEC 61508 SIL 3 certification): Inspect Safety PLC IEC 61508 third-party certificate confirming SIL 3 capability, 2oo2 dual-core architecture, HFT=1, DC > 99%, and SFF > 99%. Confirm certificate covers the firmware version deployed. Inspect FMEA/FMECA report from the Safety PLC manufacturer. Rationale: SUB-REQ-003 requires third-party SIL 3 certification per IEC 61508. Certification is a hardware supplier deliverable verified by document inspection — functional testing cannot substitute for the PFD calculations underlying SIL 3 classification. | Inspection | idempotency:ver-sub003-sil3-qc472 |
| VER-REQ-046 | Verify SUB-REQ-004 (Safety PLC scan time and watchdog): Connect an oscilloscope to the Safety PLC scan-complete output pin. Under maximum configured I/O load, measure 100 consecutive scan cycles; confirm all complete within 50 ms. Inhibit the scan-complete signal by injecting a software fault; confirm hardware watchdog asserts safe-state transition within 100 ms. Rationale: SUB-REQ-004 specifies 50ms scan and 100ms watchdog response. Oscilloscope timing measurement under load is the only direct evidence of compliance; a software fault injection test is required to verify watchdog independence from normal scan completion. | Test | idempotency:ver-sub004-scantime-qc472 |
| VER-REQ-047 | Verify SUB-REQ-006 (interlock trip safe-state response time): In a HIL test environment with live Safety PLC and relay outputs connected to simulated zone loads, assert each interlock trip condition in sequence (CO2 over-threshold, temperature exceedance, manual E-stop). Measure time from condition assertion to output de-energisation for each actuator type (CO2 isolation valve, emergency ventilation, LED circuit breakers, irrigation valves). Confirm safe state is maintained until manual Safety PLC HMI reset. Rationale: SUB-REQ-006 specifies condition-specific response times for each safe-state output. HIL timing measurements are required for each actuator class; the requirement cannot be verified by inspection because relay propagation delays vary by circuit load. | Test | idempotency:ver-sub006-trip-response-qc472 |
| VER-REQ-048 | Verify SUB-REQ-007 (hardwired trip bus network independence): Disconnect all Modbus, Ethernet, and CAN network cabling from the Safety Interlock Subsystem while a zone is under production recipe control. Assert a CO2 over-threshold condition; confirm the interlock trip actuates correctly via relay chain without any fieldbus communication. Inspect wiring drawings to confirm discrete 24VDC relay circuit topology with no fieldbus dependency. Pass criteria: interlock trip occurs within 500ms of threshold assertion; wiring drawings confirm relay-only topology with zero fieldbus components in trip chain. Rationale: SUB-REQ-007 requires network-independent trip bus operation. Physical network disconnection testing is the definitive test of independence; inspection of wiring drawings supplements but does not replace live testing. | Test | idempotency:ver-sub007-trip-bus-qc472 |
| VER-REQ-049 | Verify SUB-REQ-008 (LOTO controller energisation prevention): Check out a LOTO key for Zone A; attempt to energise any Zone A equipment via the Supervisory Control HMI and directly via the zone breaker panel; confirm energisation is prevented in both paths. Attempt to energise Zone A equipment again; confirm amber beacon and buzzer activate. Return LOTO key; confirm equipment can be energised normally. Rationale: SUB-REQ-008 requires personnel safety demonstration to confirm LOTO enforcement. A functional demonstration is the appropriate verification method for a safety-critical personnel protection function. | Demonstration | idempotency:ver-sub008-loto-qc472 |
| VER-REQ-050 | Verify SUB-REQ-013 and SUB-REQ-014 (CO2 Injection Controller setpoint acceptance and software concentration ceiling): Issue Modbus TCP setpoint commands for 400, 1000, and 2000 ppm; confirm acceptance and display at ±1 ppm resolution. Issue out-of-range setpoint (2001 ppm); confirm rejection and alarm. Simulate zone CO2 sensor readings at 2800 ppm; confirm all zone solenoid valves commanded closed. Reduce the simulated reading; confirm valves remain closed until the concentration drops below the 2500 ppm threshold. Rationale: SUB-REQ-013 specifies setpoint range 400–2000 ppm at ±1 ppm resolution and rejection of out-of-range commands. SUB-REQ-014 specifies an independent 2800/2500 ppm software ceiling (trip at 2800 ppm, release below 2500 ppm). Both must be tested in the same controller test session. | Test | idempotency:ver-sub013-014-co2-setpoint-qc472 |
| VER-REQ-051 | Verify SUB-REQ-015 and SUB-REQ-016 (Zone NDIR CO2 Sensor Array accuracy and autocalibration): Expose sensors to NIST-traceable CO2 calibration gas at 300, 500, 1000, 2000, and 3000 ppm across temperature range 18–35°C and humidity range 40–90% RH; confirm readings within ±100 ppm or ±3% of reading. In a conditioned test chamber, ventilate to ambient CO2 (~420 ppm) for 30+ minutes and trigger autocalibration; confirm calibration log entry with timestamp, pre- and post-calibration readings. Rationale: SUB-REQ-015 specifies multi-point accuracy across environmental range; SUB-REQ-016 specifies autocalibration with logged output. Multi-point calibration gas injection across the environmental envelope is the only method to verify the ±100 ppm accuracy requirement over operating conditions. | Test | idempotency:ver-sub015-016-ndir-qc472 |
| VER-REQ-052 | Inspect Zone Controller Network installation: verify shielded Cat5e or higher cabling with foil/braid shield markings, IP67-rated junction boxes at each zone entry point, and managed industrial Ethernet switches in Supervisory Control Subsystem enclosure. Verify segment lengths ≤100 m with cable run measurement. Confirm IP67 gasket integrity via visual inspection and pull-test. Rationale: Physical infrastructure inspection is the appropriate verification method for cable type, IP ratings, and installation compliance. Network segment length can be verified by cable run measurement. IP67 rating is verified by visual inspection of gasket condition and box seal integrity per IEC 60529 assessment criteria. | Inspection | idempotency:ver-sub-req-095-v1 |
| VER-REQ-053 | Test zone surface material biocompatibility: expose material samples to PAA at 2000 ppm, sodium hypochlorite at 200 ppm, and pH 2.0 and 10.0 solutions for 30 minutes each; inspect for visible degradation, delamination, or surface alteration. After standard sanitisation cycle, swab 10 cm² samples from 5 random zone surface locations and culture on TSA plates for 48 h at 37°C; confirm bioburden below 100 CFU/cm² in all samples. Rationale: Chemical resistance and bioburden testing are the only objective methods to confirm material compatibility with the sanitisation chemistry and food safety cleanliness thresholds. Inspection alone cannot detect subsurface degradation or invisible microbial contamination. Testing against specific concentrations and the 100 CFU/cm² limit provides quantitative acceptance criteria for material qualification. | Test | idempotency:ver-sub-req-096-v1 |
| VER-REQ-054 | Verify SUB-REQ-009 (Safety PLC network isolation): Audit the network architecture documentation and SCADA/firewall configuration to confirm the Safety PLC connects to the process network exclusively via a certified unidirectional data diode or IEC 62443 SL-2 firewall. Attempt inbound write commands (Modbus FC16 and function block downloads) to Safety PLC I/O addresses from an engineer workstation; confirm all inbound write attempts are blocked. Review firewall access-control lists and data-diode installation records for compliance with the unidirectional communications requirement. Pass criteria: zero successful inbound write transactions; data diode or firewall certificate on file. Rationale: SIL-3 rated Safety PLC network isolation is a safety-critical cybersecurity control. Any successful inbound write to the Safety PLC could override interlock logic or trip thresholds, defeating the safety function. IEC 61508 SIL-3 requires architectural isolation of the safety system; unidirectional enforcement cannot be verified by analysis alone — active penetration-style inspection and certificate audit are required. Inspection is appropriate here because the isolation is implemented in network hardware (data diode) that can be physically verified, not in software that requires runtime testing. | Inspection | idempotency:ver-sub009-plc-isolation-477 |
| VER-REQ-055 | Verify SUB-REQ-010 (Voted Logic Engine interlock audit log): In a Hardware-in-the-Loop test environment, trigger 20 synthetic interlock events (CO2 over-threshold, temperature over-threshold, and watchdog failures) in sequence. After each event, query the Safety PLC non-volatile log; confirm each entry contains UTC timestamp (±1s accuracy vs NTP reference), trigger condition identity, all sensor readings at time of trip, and operator reset identity. Continue logging until storage fills above 10,000 events; verify no log entry is overwritten and the oldest entries are preserved. Pass criteria: all 20 triggered events logged with complete fields; capacity ≥10,000 events without loss. Rationale: IEC 61508 SIL-3 mandates complete auditability of all safety system state transitions. The audit log is the primary forensic record for incident investigation and proof-test evidence. Testing with 20 synthetic events exercises the log write path, timestamp accuracy, and operator identity capture. Capacity verification prevents a log-overflow vulnerability that could silently lose safety-critical trip records. Inspection of the log format specification alone cannot confirm correct runtime behaviour of the logging mechanism. | Test | idempotency:ver-sub010-audit-log-477 |
| VER-REQ-056 | Verify SUB-REQ-011 (Safety Interlock Subsystem annual proof test): Execute the full SIL-3 proof test procedure: (1) Inject calibrated CO2 at each of the three sensor channels in turn at 5100 ppm; confirm voted-logic trip on 2oo3 pattern; reset and verify return to active interlock monitoring. (2) Actuate each relay output by simulating a trip; confirm the corresponding final element reaches safe state within the specified time bound. (3) Inject a simulated sensor-fail diagnostic on each CO2 channel; verify alarm and continued operation from remaining channels. (4) Record all test results with technician identity, instrument calibration certificates, test date, and outcome in the Safety PLC non-volatile test log. Pass criteria: all exercises pass; test record persisted in Safety PLC log within 60 s of test completion. Rationale: IEC 61508 SIL-3 requires periodic proof testing to detect dangerous undetected failures accumulated between online diagnostic cycles. The 12-month proof test interval is consistent with SIL-3 PFD targets and the IEC 61511 proof-test coverage requirements for this type of safety instrumented function. Demonstration (witnessed procedure) is appropriate because proof tests require qualified safety personnel performing the procedure in situ on the commissioned system — it cannot be fully replicated in a factory test or by analysis. Automatic test-log persistence is verified during this procedure. | Demonstration | idempotency:ver-sub011-proof-test-477 |
| VER-REQ-057 | Verify SUB-REQ-045 (Horticultural Lighting emergency shutdown on Safety Interlock trip): In a full-facility integration test with all 8 zone LED Driver Module Arrays energised at recipe setpoints, assert the Safety Interlock hardwired trip bus signal (24V removed). Record de-energisation timestamps per zone using a multi-channel oscilloscope at 1 kHz sample rate. Pass criteria: all LED Driver Modules across all 8 zones de-energised within 5 seconds of trip signal assertion; no zone exceeds the 5-second bound under any combination of fault conditions. Repeat test from three initial lighting states: 100%, 50%, and 10% output level. Rationale: Lighting load shedding on safety interlock trip is a SIL-2 safety function — it reduces zone heat load during emergency shutdown when HVAC may also have stopped. The 5-second response time is set by SYS-REQ-009 (thermal protection). Testing across all 8 zones simultaneously is necessary because the hardwired trip bus drives all zones in parallel; a zone-by-zone test would not detect contention or current-limiting failures on the trip bus. Testing at multiple lighting levels verifies the DALI-2 command is acted upon regardless of current output state. | Test | idempotency:ver-sub045-estop-lighting-477 |
| VER-REQ-058 | Verify SUB-REQ-060 (HVAC zone isolation on safety interlock) and SUB-REQ-043 (LCU thermal derating): Part A — Zone isolation: With Zone A HVAC supply and return dampers in energised-open position, assert a zone isolation command from the Safety Interlock Subsystem test port; measure time from command to both dampers fully closed via end-switch feedback; pass criterion: full closure within 2 s. Confirm dampers remain closed when command is maintained; verify damper-open command from Zone Climate Controller is rejected while isolation is held. Part B — Thermal derating: In a test rig with the Lighting Control Unit and Fixture Thermal Monitoring Array, inject simulated heatsink temperature rising at 2°C/min from 65°C to 80°C; confirm 5%/min power reduction begins at 75°C threshold; verify reduction continues until heatsink falls below 70°C; pass criteria: derating starts at correct threshold and maintains ≥0.5%/step resolution. Rationale: Both requirements protect against thermal runaway pathways. Zone isolation (SUB-REQ-060, SIL-2) prevents heat buildup when the safety system trips other loads; without confirmed damper closure, an isolated zone can overheat within 20 minutes at full lighting. Thermal derating (SUB-REQ-043, SIL-2) prevents LED fixture overtemperature that could lead to fire or early failure; the 75°C threshold and 5%/min rate are derived from LED manufacturer MTBF curves and IEC 60598-2 luminaire thermal requirements. Both require integration tests because the response paths traverse multiple hardware interfaces that cannot be confirmed by component test alone. | Test | idempotency:ver-sub060-043-hvac-thermal-477 |
| VER-REQ-059 | Verify SUB-REQ-076 (CO2 Enrichment Subsystem independent SIL-2 safety sensor): Inspect the CO2 Enrichment Subsystem installation to confirm a physically separate CO2 sensor, on an independent 24V supply from a dedicated UPS circuit (not shared with the process CO2 sensor supply), with the signal cable routed separately from the process sensor cables. Review the sensor IEC 61508 SIL-2 certificate. Power off the process CO2 sensor supply while the facility is running; confirm the independent safety sensor remains powered and reporting; confirm the process-control CO2 injection controller raises a fault alarm within 5 s. Power off the independent safety sensor supply; confirm a SIL-2 sensor fault alarm is raised within 5 s and CO2 injection is disabled in the affected zone. Pass criteria: independent sensor power and signal path verified by inspection; both fault scenarios produce correct alarm and response within 5 s. Rationale: SIL-2 classification of the independent CO2 safety sensor (SUB-REQ-076) requires verified separation from the process-control sensor path — common-cause failure of a shared power rail or signal cable would defeat the independence. Physical inspection alone cannot confirm correct fault response behaviour; power-removal tests verify both the independence of the supply and the correct alarm/disable response of the CO2 injection controller. This is the defence-in-depth layer between a process sensor failure and uncontrolled CO2 accumulation. | Test | idempotency:ver-sub076-co2-safety-sensor-477 |
| VER-REQ-060 | Verify Climate Management Subsystem functional performance (SUB-REQ-054, SUB-REQ-056, SUB-REQ-057, SUB-REQ-058, SUB-REQ-059): In a commissioned grow zone operating at 22°C / 70% RH setpoints with full crop canopy load: (1) Record zone humidity over 4 hours steady-state; pass criterion: maintained within ±5% RH. (2) Insert a data logger on the Modbus RTU bus and confirm PT100 readings arrive at 1 Hz with ≤2 s end-to-end latency for 1000 consecutive samples. (3) Disconnect one PT100 sensor and confirm Zone Climate Controller switches to the redundant sensor within 10 s and raises a sensor-fault alarm. (4) Monitor Fresh Air Ventilation Controller Modbus TCP messages and confirm fresh air fraction held in 5-30% band during active CO2 enrichment; verify message timing at ≤2 s intervals. (5) Issue a VFD setpoint change command and measure actuator execution confirmation round-trip; pass criterion: ≤500 ms command receipt, ≤1 s status confirmation. Rationale: Climate management accuracy (±5% RH, SUB-REQ-054), sensor sampling rate (1 Hz, SUB-REQ-056), sensor failover (SUB-REQ-057), fresh air coordination (5-30%, SUB-REQ-058), and actuator latency (500 ms, SUB-REQ-059) are all performance requirements derived from crop physiology needs. Each must be demonstrated on a commissioned zone under realistic thermal load because the interactions between HVAC actuators, temperature sensor networks, and CO2 enrichment create coupled control loops that cannot be validated by component tests alone. The crop canopy load is specified because it represents the primary thermal disturbance in a vertical farm grow zone. | Test | idempotency:ver-cms-functional-group-477 |
| VER-REQ-061 | Verify Zone Controller Network performance (SUB-REQ-066, SUB-REQ-067, SUB-REQ-068, SUB-REQ-069, SUB-REQ-075): Using a HIL test bench with a Zone Controller Unit, four I/O Expansion Modules, and a Zone Edge Gateway: (1) Measure PID loop execution cycle time over 10,000 iterations using a hardware performance counter; pass criterion: all iterations ≥10 Hz with jitter ≤±5 ms. (2) Issue 10 setpoint updates via OPC-UA; confirm each persisted to non-volatile NOR flash within 5 s via power-cycle recovery test; confirm all setpoints recovered within 10 s of restart. (3) Command all 16 analog inputs on the I/O Expansion Modules to sweep from 4 mA to 20 mA; verify ±0.1% accuracy at 1 Hz; disconnect one 4-20mA loop and confirm open-circuit fault flagged within 60 s. (4) Measure OPC-UA round-trip from sensor acquisition at ZCU to namespace publication at Zone Edge Gateway; pass criterion: ≤500 ms end-to-end. (5) Disconnect OPC-UA network cable from ZCU while zone is active; confirm last-valid setpoint holdover maintained for ≥35 minutes with zone in regulation. Rationale: ZCU loop rate (SUB-REQ-066, 10 Hz) determines control bandwidth for all regulated environmental parameters — insufficient loop rate causes steady-state error and overshoot. NOR flash persistence (SUB-REQ-067, 5 s) is the recovery mechanism for power-loss events. I/O sampling accuracy (SUB-REQ-068) underpins all closed-loop control accuracy. Gateway latency (SUB-REQ-069, 500 ms) sets the supervisory loop response time. ZCU holdover (SUB-REQ-075, 35 min) is the primary availability mechanism when supervisory communications fail; testing requires actual power removal to confirm the holdover cache is populated before the outage. | Test | idempotency:ver-zcn-performance-group-477 |
| VER-REQ-062 | Verify REQ-SEVERTICALFARMENV-051 (worker-comfort mode on harvest crew zone entry): In a live test with a zone at full production recipe setpoints (temperature >22°C, PAR setpoint ≥300 µmol/m²/s, CO2 enrichment active), trigger a zone entry event from the access control reader; confirm within 60 s: temperature setpoint changes to 22°C, LED white-channel intensity drops to 50% of the previous output, CO2 injection solenoid valve closes and injection control disables for the zone. Attempt to issue a production recipe setpoint restore command while the zone-occupied flag is set; confirm command is rejected. Trigger zone-clear from the access control reader; confirm the system accepts recipe restore commands. Pass criteria: all mode changes within 60 s; zone-occupied interlock prevents production restore; clear signal re-enables recipe commands. Rationale: Worker-comfort mode is a safety-critical operational mode protecting harvest crew from CO2 toxicity, photo-biological hazards, and thermal stress. The test uses a live zone because comfort mode parameters interact with the running PID control loops — simulation cannot confirm that CO2 injection shutoff propagates correctly through the closed-loop control or that the zone-occupied flag correctly blocks the supervisory recipe engine. Testing the zone-occupied interlock is mandatory because re-entry to production conditions while crew are present is the primary safety hazard this requirement prevents. | Test | idempotency:ver-worker-comfort-mode-477 |
```mermaid
flowchart TB
  n0["component<br>Zone Climate Controller"]
  n1["component<br>Temperature Sensor Network"]
  n2["component<br>Relative Humidity Sensor Array"]
  n3["component<br>HVAC Actuator Interface"]
  n4["component<br>Fresh Air Ventilation Controller"]
```

Climate Management Subsystem — Internal
```mermaid
flowchart TB
  n0["component<br>Lighting Control Unit"]
  n1["component<br>LED Driver Module Array"]
  n2["component<br>LED Fixture Array"]
  n3["component<br>PAR Sensor Array"]
  n4["component<br>Fixture Thermal Monitoring Array"]
  n0 -->|DALI-2 dimming commands| n1
  n1 -->|constant current 48VDC| n2
  n3 -->|PPFD feedback 1Hz| n0
  n4 -->|heatsink temperature| n0
```

Horticultural Lighting Subsystem — Internal
```mermaid
flowchart TB
  n0["component<br>EC/pH Sensor Array"]
  n1["component<br>Dosing Pump Array"]
  n2["component<br>Nutrient Reservoir and Mixing System"]
  n3["component<br>Irrigation Controller"]
  n4["component<br>Zone Irrigation Valve Array"]
  n5["component<br>Recirculation Pump System"]
  n0 -->|EC/pH measurement 0.1Hz| n1
  n1 -->|nutrient/acid/base dosing| n2
  n2 -->|bulk solution supply| n5
  n5 -->|flow rate feedback| n3
  n3 -->|24VAC valve commands| n4
```

Nutrient Management Subsystem — Internal
```mermaid
flowchart TB
  n0["subsystem<br>CO2 Enrichment Subsystem"]
  n1["component<br>CO2 Injection Controller"]
  n2["component<br>Zone NDIR CO2 Sensor Array"]
  n3["component<br>Zone Solenoid Valve Array"]
  n4["component<br>CO2 Distribution Manifold"]
  n1 -->|CO2 ppm feedback| n2
  n1 -->|valve open/close cmd| n3
  n4 -->|CO2 vapour| n3
  n0 --> n1
```

CO2 Enrichment Subsystem — Internal
```mermaid
flowchart TB
  n0["component<br>CO2 Safety Sensor Array"]
  n1["component<br>Safety PLC"]
  n2["component<br>Voted Logic Engine"]
  n3["component<br>Hardwired Trip Bus"]
  n4["component<br>Lockout Tagout Controller"]
  n0 -->|4-20mA CO2 ppm| n1
  n1 -->|sensor data| n2
  n2 -->|trip signal| n1
  n1 -->|relay cmd 24VDC| n3
  n4 -->|LOTO inhibit| n1
```

Safety Interlock Subsystem — Internal
```mermaid
flowchart TB
  n0["component<br>Plant Management Server"]
  n1["component<br>Crop Recipe Engine"]
  n2["component<br>Operator Interface Terminal"]
  n3["component<br>Demand Response Handler"]
  n4["component<br>Emergency Shutdown Sequencer"]
```

Supervisory Control Subsystem — Internal
```mermaid
flowchart TB
  n0["component<br>Time-Series Database Engine"]
  n1["component<br>OpenADR Virtual End Node"]
  n2["component<br>Crop Recipe Database"]
  n3["component<br>Compliance Report Generator"]
  n0 -->|time-series query| n3
  n3 -->|recipe context| n2
```

Data Acquisition and Compliance Subsystem — Internal
```mermaid
flowchart TB
  n0["component<br>Zone Controller Unit"]
  n1["component<br>Industrial Ethernet Switch"]
  n2["component<br>Zone I/O Expansion Module"]
  n3["component<br>Zone Edge Gateway"]
  n2 -->|RS-485 Modbus RTU| n0
  n0 -->|OPC-UA / 100Mbps Ethernet| n1
  n1 -->|VLAN 100 Ethernet| n3
```

Zone Controller Network — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Building Management System | 51F77B58 | |
| Chemical exposure hazard from nutrient solution in vertical farm | 42000011 | Hazard in Vertical Farm Environment Controller during Maintenance or Harvest: pH adjustment chemicals (phosphoric acid, potassium hydroxide) are concentrated stock solutions (pH <1 or >13). Dosing pump failure causes over-concentration in nutrient tank. Worker skin/eye contact during tank maintenance or splashing from pressurised line failure. Additionally, peracetic acid used in sanitisation cycles is a strong oxidiser. Consequence: chemical burns, eye damage, respiratory irritation. |
| Climate Management Subsystem | 55F77208 | HVAC control subsystem of vertical farm environment controller. Manages compressors, condenser units, air handling units with variable-speed fans, motorised dampers, and dehumidification coils across 8 growing zones on 5 floors. Closed-loop PID control at zone level. Key interfaces: zone temperature/humidity sensors (field bus inputs), compressor contactors and VSD commands (outputs), safety interlock subsystem (trip signals), supervisory controller (setpoint commands). Operating envelope: cooling capacity 50kW per zone, 18-28°C control range, 60-85% RH. |
| Climate Regulation Function | 51F73A00 | System function of Vertical Farm Environment Controller: Closed-loop control of temperature and humidity across multiple independent growing zones. Inputs: zone temperature sensors (±0.1°C NTC), humidity sensors (±2% RH capacitive), HVAC compressor status, damper positions. Outputs: HVAC compressor commands, fan speed setpoints, damper position commands, dehumidifier enable. Constraints: ±1°C temperature tolerance, ±5% RH tolerance, 120-second response to 2°C step disturbance, must compensate adjacent zones when one HVAC unit fails. |
| Cloud Monitoring and Analytics Platform | 40E57319 | External cloud platform providing remote access dashboards, historical analytics, alerting/notification services (SMS, email, push), and machine learning crop growth prediction models. Controller pushes telemetry data (sensor readings, actuator states, alarms) at 1-minute intervals. Cloud platform provides trend analysis, yield predictions, and anomaly detection. Encrypted MQTT or HTTPS. Owned by controller vendor or farm operator's IT team. |
| CO2 asphyxiation hazard in vertical farm | 02010211 | Hazard in Vertical Farm Environment Controller during Normal Operation or Degraded Operation: CO2 enrichment system fails to shut off or valve sticks open, causing CO2 concentration to exceed 40,000ppm (4%) in enclosed growing zone. Workers entering the zone without warning could suffer rapid loss of consciousness and death within minutes. Vertical farms are enclosed spaces with limited natural ventilation, making CO2 accumulation rapid. Consequence: worker fatality or serious injury from oxygen displacement. |
| CO2 Bulk Supply and Delivery System | 56B53018 | External CO2 supply infrastructure: bulk liquid CO2 tank with vaporiser, pressure regulator, and distribution manifold supplying CO2 enrichment to growing zones. Controller interfaces with tank level sensor (4-20mA), supply pressure transducer, and controls zone solenoid valves. CO2 supplier (e.g., BOC, Air Liquide) owns the bulk tank and manages refill logistics. Controller provides consumption data for automatic reorder. Safety-critical interface: regulator failure causes H-001 hazard. |
| CO2 Distribution Manifold | CE851018 | High-pressure CO2 distribution header receiving CO2 vapour from bulk vaporiser at 5-10 bar, stepping down to 1.5 bar zone injection pressure via pressure-reducing valve (PRV). SS316 manifold with individual zone outlet headers, manual isolation valves per zone, inline pressure gauge, and pressure relief valve set at 2.5 bar. ATEX-rated fittings. Provides the physical distribution network connecting bulk CO2 supply interface to each zone solenoid valve. Monitoring inputs: manifold inlet pressure (4-20mA) and temperature to CO2 Injection Controller. |
| CO2 Enrichment Function | 51F73A18 | System function of Vertical Farm Environment Controller: Controls CO2 injection from bulk liquid CO2 supply to maintain enrichment setpoints during photoperiod. Inputs: zone NDIR CO2 sensors (0-5000ppm), bulk tank pressure and level, photoperiod status. Outputs: zone CO2 solenoid valve commands (proportional), tank reorder signals. Constraints: ±50ppm setpoint accuracy, 3000ppm software ceiling, fail-closed solenoid valves. Safety-critical: feeds into H-001 CO2 asphyxiation hazard with SIL 3 hardware interlock as independent backup. |
| CO2 Enrichment Subsystem | 54F53019 | CO2 injection subsystem for vertical farm. Manages bulk liquid CO2 supply (external tank with pressure regulator), distribution manifold, per-zone proportional solenoid valves (fail-closed, de-energise to close), NDIR CO2 sensors per zone. Safety-critical: SIL 3 boundary — CO2 valve failure drives H-001 asphyxiation hazard. Interfaces: zone CO2 sensors (field bus), solenoid valve commands, bulk tank level/pressure (4-20mA from external supply system), safety interlock subsystem (hardwired CO2 trip at 5000ppm), supervisory controller (enrichment setpoints, photoperiod sync). |
| co2 injection controller | D6A51018 | Physical controller unit for CO2 injection in vertical farm growing zones. Housed in glass-reinforced polyester (GRP) enclosure rated IEC 60529 IP65, mounted external to growing zone. Contains solenoid valve drivers, analogue 4-20 mA I/O for pressure and flow sensors, and RS-485 Modbus RTU communications. Incorporates manual isolation valve interface and solenoid position indicators for LOTO maintenance. Physical hardware in plant-room equipment corridors. |
| CO2 Injection Controller | D5A57018 | Physical GRP-enclosure-mounted PLC controller for CO2 injection in a vertical farm. Mounted outside growing zones in equipment corridors. Physical unit with 4-20mA analogue I/O for pressure and temperature sensors, digital outputs to zone solenoid valves, and RS-485 Modbus RTU communications. IP54-rated enclosure, operating range 0-50°C. Manages CO2 concentration PID control per zone with safety interlock hardwiring. |
| CO2 Leak Emergency scenario | 14F57A51 | Emergency scenario: At 02:00, night shift operator is remotely monitoring from control room on ground floor. CO2 bulk tank regulator fails, causing uncontrolled high-pressure CO2 release into Zone 2 supply manifold. Zone 2 CO2 sensor reads 8000ppm and rising rapidly. Controller triggers emergency shutdown: CO2 supply solenoid valve closes (fail-closed design), emergency ventilation fans activate at maximum rate, zone entry doors lock with illuminated warning signs, audible alarm sounds throughout facility. Independent hardwired CO2 safety interlock also triggers at 5000ppm threshold as backup. Night operator receives critical alarm on phone, calls emergency coordinator. Building remains in emergency mode until CO2 drops below 1000ppm in all zones (approximately 45 minutes with full ventilation). Two-person reset required. |
| CO2 Safety Sensor Array | D4C55058 | Redundant SIL 3-certified electrochemical or NDIR CO2 sensors (minimum 2oo3 voting configuration), independent from the process CO2 sensors used for dosing control. Continuously monitors each zone at 1Hz sample rate, 4–20mA output per sensor to Safety PLC analog inputs. Range 0–10,000 ppm, accuracy ±50 ppm. Calibration checked quarterly. Provides the independent measurement mandated by SYS-REQ-004 for the CO2 emergency interlock. |
| Compliance Report Generator | 51E67B58 | Automated report generation service that queries the Time-Series Database for environmental parameter data and generates compliance documentation including: temperature excursion reports (GMP/GFSI), CO2 exposure records, sanitisation cycle verification records (SYS-REQ-016), and regulatory audit trails. Outputs PDF/CSV reports with cryptographic hash signatures for tamper evidence. Scheduled daily and triggered on-demand. Interfaces with TSDB query API and exports to shared network drive and email distribution list. |
| Controls System Integrator for vertical farm | 40A53A18 | Engineering firm that commissions, configures, and maintains the environment control system. Designs control strategies, PID tuning, alarm setpoints, communication network architecture. Responsible for system updates, firmware management, and integration with third-party equipment. Needs engineering-level access to controller configuration, network diagnostics, and system logs. Visits site for commissioning and major system changes. |
| Crop Changeover and System Sanitisation scenario | 51B77A18 | Maintenance scenario: Zone 1 butter lettuce crop reaches harvest maturity at day 35. Facility manager schedules harvest for Tuesday 06:00-14:00. Controller begins pre-harvest sequence Monday evening: reduces photoperiod, lowers nutrient EC to flush residual salts, drops temperature to 16°C to firm leaves. Tuesday morning: harvest crew enters Zone 1, controller switches to worker-comfort mode (22°C, lights at 50% white, CO2 enrichment disabled for worker safety). After harvest, maintenance team runs sanitisation: controller activates peracetic acid flush through irrigation lines (30-minute contact time), then rinses. Growing medium is replaced. Controller loads new crop recipe (baby spinach, 28-day cycle), reconfigures photoperiod from 18/6 to 14/10, adjusts nutrient formulation. Zone startup sequence runs: sensor check, actuator test, germination parameters activated. |
| Crop Planning and ERP Software | 50BD7B08 | External cloud-based or on-premise software system that manages crop production scheduling, inventory, customer orders, and financial tracking for the vertical farm. Sends crop recipes and zone assignments to the environment controller. Receives actual environmental data, growth metrics, and harvest dates from the controller. API-based integration (REST/JSON). Owned by farm operating company. |
| Crop Recipe Database | 40853B08 | PostgreSQL relational database storing crop cultivation recipes for vertical farm operations. Each recipe contains setpoints for all controlled parameters (temperature, humidity, CO2, PAR daily integral, irrigation schedule, pH, EC) across all crop growth stages, plus associated alarm thresholds and sanitisation protocols. Implements versioned schema with immutable audit trail — recipes are never deleted, only superseded. Stores minimum 200 recipes as required by SYS-REQ-020. Backed up daily to off-site storage. REST API interface for recipe CRUD operations by the Supervisory HMI. |
| Crop Recipe Engine | 51B57B08 | Software module executing parameterised crop growth recipes that schedule time-varying setpoint profiles for temperature, humidity, CO2, light intensity, and nutrient EC/pH over the full crop cycle (7-120 days depending on crop). Recipes stored in JSON schema, version-controlled, and validated against crop constraint tables before activation. Interfaces with all five environmental subsystems via the supervisory messaging bus. Supports manual override and recipe hold modes. |
| Cross-contamination hazard in vertical farm environment | 00040219 | Hazard in Vertical Farm Environment Controller during Normal Operation: airflow control failure allows pathogen-laden air (Botrytis, Pythium, powdery mildew) to spread between zones via shared HVAC ductwork. Alternatively, nutrient solution recirculation without adequate UV sterilisation or filtration spreads root-zone pathogens (Fusarium, Phytophthora) across zones sharing a common nutrient reservoir. Consequence: multi-zone crop loss (potentially entire facility), food safety risk if pathogens affect edible portions. |
| Cybersecurity hazard in vertical farm control system | 40040319 | Hazard in Vertical Farm Environment Controller during Normal Operation: network-connected controller is compromised via remote access interface, BMS integration, or supply chain attack on firmware update. Attacker modifies environmental setpoints to destroy crops (e.g., sets CO2 to lethal levels, disables cooling, overdoses nutrients) or uses system as pivot point for wider network attack. Connected to building network and potentially cloud services. Consequence: crop destruction, worker safety risk from modified CO2 levels, business disruption, data theft. |
| Daily Growing Cycle Management scenario | 50FF7208 | Normal operations scenario: A grower technician arrives at 06:00 for the day shift at a 5-floor, 8-zone vertical farm growing leafy greens and herbs. The controller has been running overnight in dark-period mode (lights off, temperature lowered to 18°C, CO2 at ambient). At 06:00 the photoperiod timer triggers: lights ramp up zone-by-zone over 15 minutes to avoid power surge, temperature setpoints increase to 24°C, CO2 enrichment activates to 1200ppm. The technician checks the dashboard — all zones green, nutrient EC readings stable at 1.8 mS/cm. Zone 3 (basil, day 22) shows slightly elevated humidity at 82% — the controller has already increased airflow fan speed by 15%. The technician reviews growth analytics and adjusts Zone 5 (lettuce, day 8) lighting intensity from 350 to 400 µmol/m²/s based on observed growth rate. |
| Data Acquisition and Compliance Subsystem | 50A57B58 | Environmental data logging and regulatory compliance subsystem for vertical farm. Captures 1-minute-resolution data from all zone sensors (temperature, humidity, CO2, PAR, pH, EC, flow rates) with UTC timestamps and cryptographic hash chains for tamper evidence. Generates HACCP deviation reports, BRCGS/SQF audit packages. Local storage: 90 days full resolution on redundant SSDs. Cloud sync: 2-year retention via MQTT/TLS. Interfaces: all zone controllers (data bus), supervisory controller (report requests), cloud platform (MQTT), auditor access terminal (read-only web interface). |
| Degraded Operation mode of Vertical Farm Environment Controller | 51F67A08 | One or more sensors or actuators have failed but the system continues operating with reduced capability. Examples: a zone's CO2 sensor fails — controller holds last-known-good setpoint and alerts operator; an HVAC unit trips — remaining units increase capacity for affected zones; LED driver fails — adjacent fixtures increase intensity to partially compensate. Controller switches affected zones to conservative setpoints (wider deadbands, reduced CO2 enrichment) to avoid crop damage. Operator is notified with specific fault codes and estimated crop impact. Automatic recovery attempted on intermittent faults with exponential backoff. Entry: sensor/actuator fault detected. Exit: fault cleared and sensor recalibrated, or operator escalates to maintenance mode. |
| Demand Response Handler | 51F77B59 | OpenADR 2.0b VEN (Virtual End Node) client that receives demand-response signals from the utility ADR server, calculates maximum allowable load reduction preserving crop safety constraints, and issues load-shed commands to lighting and HVAC subsystems. Maintains a priority table of sheddable loads per zone with minimum crop-safe operating parameters. Logs all DR events and compliance data for utility settlement. |
| Dosing Pump Array | D7F73218 | Array of six peristaltic dosing pumps for nutrient solution management in a hydroponic vertical farm: Nutrient A concentrate, Nutrient B concentrate, pH-down (phosphoric acid), pH-up (potassium hydroxide), supplemental calcium, supplemental magnesium. Each pump is 4–500 mL/min with ±1% stroke volume accuracy and revolution encoder for cumulative injection counting. Implements dosing-excess watchdog: asserts hardwired 24VDC fault contact to Safety PLC when cumulative acid/base volume exceeds 5% of tank volume in any 10-minute window. SIL-2 relevant component. |
| EC/pH Sensor Array | D5F57008 | Inline electrochemical measurement assembly installed in each zone's recirculation return line in a vertical farm. Dual-probe assembly: 4-electrode conductivity cell (EC range 0.1–10 mS/cm, ±0.1 mS/cm accuracy) and glass/ISFET pH electrode (pH 3–9, ±0.05 accuracy). Temperature-compensated to 20°C reference via PT1000. Provides continuous 0.1Hz closed-loop feedback to Dosing Pump Array for pH/EC correction. Output: 4–20mA analogue and Modbus RTU RS-485. |
| Electrical shock hazard from water proximity in vertical farm | 10000011 | Hazard in Vertical Farm Environment Controller during Normal Operation or Maintenance: nutrient solution leaks or irrigation system failure causes water accumulation near electrical panels, LED drivers, or pump motor connections. High-humidity environment (60-85% RH) accelerates insulation degradation. Workers contacting energised wet surfaces risk electrocution. 400V three-phase supply to HVAC and pump systems. Consequence: worker electrocution or serious electrical burns. |
| Emergency Shutdown mode of Vertical Farm Environment Controller | 55F77A51 | Safety-critical mode triggered by hazardous conditions: CO2 concentration exceeds 5000ppm (OSHA IDLH threshold) in any occupied area, water leak detected near electrical panels, fire/smoke alarm activation, or manual emergency stop pressed. Controller immediately: closes CO2 injection valves, activates emergency ventilation fans to maximum, de-energises non-essential electrical loads (lighting, nutrient pumps), opens emergency dampers, triggers audible/visual alarms. Maintains only emergency lighting and ventilation. Worker safety takes absolute priority over crop preservation. Entry: safety interlock trigger or E-stop. Exit: operator reset after hazard investigation and clearance — requires physical key switch and software acknowledgement (two-person rule). |
| emergency shutdown sequencer | D7E73019 | |
| Energy Management System and Smart Grid Interface | 40B57B59 | External system providing real-time energy pricing signals, demand-response requests, and renewable energy availability data to the vertical farm controller. Controller uses this data to optimise scheduling of energy-intensive operations (lighting start times, HVAC pre-cooling). May include on-site solar/battery storage management. Protocol: OpenADR 2.0 for demand response, Modbus TCP for local energy metering. Owned by energy utility and/or third-party energy aggregator. |
| Energy Optimisation Function | 41F77B18 | Load management and demand response function for 500kW-2MW vertical farm facility. Inputs: OpenADR 2.0 signals, time-of-use tariff data, zone energy consumption, crop priority schedules. Outputs: load curtailment commands, lighting dim profiles, HVAC setpoint relaxation commands, 15-minute load forecasts. Responds to DR events within 5 minutes, targets 30% load reduction. |
| Energy Utility and Grid Operator | 00B57ADD | Electricity provider and grid operator serving the vertical farm facility. Vertical farms are significant electricity consumers (500kW-2MW for a commercial facility) with potential for demand response participation. Grid operator imposes peak demand charges, time-of-use tariffs, and may request load shedding during grid stress events. Controller must coordinate energy-intensive operations (lighting, HVAC) to minimise peak demand and potentially participate in demand-response programmes. |
| enrichment subsystem | D6F71018 | Physical CO2 enrichment system for vertical farm growing zones. Housed in a ventilated wall-mounted IEC 60529 IP54-rated steel enclosure located within 2 m of the CO2 supply manifold. Contains CO2 injection controller hardware, solenoid valve driver circuits, zone valve manifold, and 24 VDC power supply. Physical components include CO2 supply cylinder, pressure regulator, distribution manifold, zone solenoid valves, and CO2 concentration sensors. |
| Environmental Data Logging Function | 40A73358 | Continuous data acquisition and compliance recording for vertical farm. Captures 1-minute-resolution environmental data (temperature, humidity, CO2, PAR, pH, EC, flow rates) across all zones with UTC timestamps and cryptographic integrity. Generates HACCP deviation reports and audit trails for BRCGS/SQF certification. 90-day local, 2-year cloud retention. |
| Fixture Thermal Monitoring Array | D4D57A18 | NTC thermistor or PT100 RTD temperature sensors integrated into each LED fixture heatsink in a vertical farm horticultural lighting system. One sensor per fixture, read via multiplexed analog input to the Lighting Control Unit. Measurement range 0-120°C, accuracy ±1°C at 85°C threshold. Sampled at 1Hz minimum. Provides two outputs: (1) analog temperature value to LCU for gradual thermal derating ramp when T > 75°C; (2) hardwired 24V DC digital output to Safety Interlock Subsystem hardwired trip bus when any fixture exceeds 85°C. The hardwired interlock output is independent of LCU processing — it is a direct comparator circuit with no software in the path, supporting SIL 2 classification. |
| Flooding hazard from irrigation system failure in vertical farm | 40040209 | Hazard in Vertical Farm Environment Controller during Normal Operation: irrigation valve fails open or nutrient tank overflow sensor fails, causing uncontrolled water release across growing levels. Multi-storey structure means water cascades to lower floors. Water weight on growing racks exceeds structural capacity (>50 litres per rack). Electrical equipment on lower floors exposed. Consequence: structural damage to growing racks, electrical short circuits on lower floors, crop loss, slip hazard for workers. |
| Food Safety Auditor for vertical farm | 00842AF8 | External auditor from certification body (e.g., BRCGS, SQF, FSSC 22000) who inspects facility compliance with food safety standards. Requires access to environmental data logs, HACCP records, cleaning/sanitisation records, pest monitoring data. Audits occur 1-2 times per year. Needs evidence that environmental conditions were maintained within specification throughout crop growth cycles. Controller must provide tamper-evident audit trails. |
| Fresh Air Ventilation Controller | 51B77A08 | Controls the fresh air intake damper and heat recovery ventilator (HRV) to manage zone O2 replenishment and controlled dilution of accumulated ethylene gas from ripening crops. Modulates fresh air fraction (5–30% of supply volume) based on CO2 set point deviation and ethylene sensor input, using Modbus TCP to communicate with CO2 Enrichment Subsystem for coordinated CO2/fresh-air balance. Operates independently of main HVAC compressor. |
| Grower Technician | 008502A8 | Primary daily operator of vertical farm environment controller. Responsible for monitoring crop health, adjusting growth recipes, responding to environmental alarms, performing daily inspections across all growing zones. Horticultural expertise with basic technical skills. Interacts with controller HMI touchscreen and mobile dashboard 8-12 hours per shift. Makes real-time crop management decisions based on controller data and visual plant assessment. |
| Hardwired Trip Bus | 52A53010 | Dedicated hardwired relay network connecting Safety PLC outputs to final control elements: CO2 bulk supply isolation valve (NC relay, 24VDC), zone emergency ventilation contactors (NO relay, 120VAC), LED array circuit breakers (shunt-trip, 230VAC), and irrigation isolation valves (NC relay, 24VDC). Operates independently of fieldbus networks — failure of Modbus or Ethernet cannot prevent interlock action. Energize-to-trip topology with wire-break detection. Cable runs are segregated from process I/O wiring per IEC 61511 physical separation requirements. |
| Harvest and Crop Changeover mode of Vertical Farm Environment Controller | 51F73A08 | Zone transitions between crop cycles. Controller executes end-of-cycle sequence: ramps down lighting over 24 hours, drains and flushes nutrient system, runs sanitisation cycle on irrigation lines (peracetic acid or ozone flush), adjusts temperature for worker comfort during manual harvest. After harvest, loads new crop recipe: different photoperiod, temperature range, humidity target, nutrient formulation. Reconfigures zone setpoints and verifies all actuators respond correctly before starting germination phase. Entry: crop maturity reached (days-after-planting timer or operator judgement). Exit: new crop recipe loaded, zone sanitised, germination parameters active. |
| Horticultural Lighting Function | 51F73A08 | System function of Vertical Farm Environment Controller: Manages LED array intensity, spectrum composition, and photoperiod scheduling per zone crop recipe. Inputs: PAR sensor readings (µmol/m²/s), crop recipe parameters, photoperiod timer, LED fixture temperature sensors. Outputs: LED driver PWM commands per channel (red, blue, white, far-red), dimming ramp profiles. Constraints: ±5% PAR accuracy, 5-30 minute ramp transitions, 100-600 µmol/m²/s range, instant de-energise on thermal protection trigger at 85°C fixture or 38°C zone. |
| Horticultural Lighting Subsystem | 55F77218 | LED lighting control subsystem for vertical farm. Manages multi-channel LED fixtures (red 660nm, blue 450nm, white 4000K, far-red 730nm) with PWM dimming drivers per zone across 8 zones. Controls photoperiod scheduling, spectrum recipes, intensity ramps. Total lighting load 400kW+ across facility. Interfaces: LED driver PWM outputs, PAR sensors (field bus inputs), fixture temperature sensors, thermal protection relay (to safety interlock), supervisory controller (recipe commands), energy management (curtailment commands). |
| HVAC Actuator Interface | D6E55018 | Physical DIN-rail-mounted interface module installed in zone electrical enclosures of a vertical farm. Translates digital setpoints from Zone Climate Controller to hardware command signals: 0–10V analog outputs for VFD speed control, relay contacts for compressor/condenser contactors, and Modbus RTU commands for motorized dampers. Physical Object with embedded electronics, terminal blocks, and field wiring connections. Regulated for industrial EMC (IEC 61000-6-2). |
| HVAC Failure and Zone Isolation scenario | 01F67A09 | Degraded operation scenario: During peak summer at 14:00, outside temperature reaches 35°C. Zone 4 HVAC compressor trips on high-head-pressure fault. Zone 4 temperature begins rising — 26°C and climbing. Controller detects HVAC fault, reduces Zone 4 LED intensity by 40% to reduce heat load, increases extraction fan speed, and alerts the facility manager via SMS and dashboard alarm. Adjacent zones 3 and 5 see 1°C temperature increase from thermal bleed-through; controller increases their HVAC output by 10%. Facility manager assesses: spare compressor part not available until tomorrow. Decides to keep Zone 4 in degraded mode with reduced lighting rather than losing the crop entirely. Controller maintains Zone 4 at 30°C with reduced photoperiod. |
| Indoor commercial agricultural building environment | 44841018 | Operating environment for vertical farm controller: enclosed multi-storey commercial building, typically converted warehouse or purpose-built facility. Internal conditions: growing zones at 18-28°C, 60-85% RH, elevated CO2 up to 1500ppm. Condensation risk on control equipment from high humidity. Nutrient solution mist and chemical vapour exposure for electronics. IP65 minimum for zone-mounted sensors, IP20 for control cabinet internals. Vibration from HVAC compressors and pumps. |
| Industrial Ethernet Switch | D6A57018 | Managed Layer 2/3 DIN-rail switch forming the zone-level OT network backbone. 24 x 100/1000Base-T copper ports plus 4 SFP uplinks. Implements IEEE 802.1Q VLANs to segregate operational-technology traffic (VLAN 100) from safety-interlock traffic (VLAN 200). Provides IEEE 1588 PTPv2 grandmaster for sub-millisecond time synchronisation across all zone controllers. 24VDC redundant power supply, -40 to +70 °C operating range, SNMP-managed. |
| Irrigation Controller | D1F77A08 | Embedded PLC managing drip irrigation and NFT recirculation cycles in a vertical farm. Controls irrigation schedules (on/off timing per zone, 1-minute to 24-hour cycles), manages zone sequencing to avoid simultaneous multi-zone demand, monitors ultrasonic flow meters (±2% accuracy) for stuck-valve detection (30s timeout), and executes sanitisation sequences for zone changeover. Interfaces: Zone Controller Network (Modbus TCP), EC/pH Sensor Array (4-20mA inputs), Zone Irrigation Valve Array (24VAC digital outputs), flow meter pulse inputs. SIL-2 relevant for flood detection and valve override functions. |
| LED Driver Module Array | D4F57018 | Per-zone, per-channel constant-current LED power supply units for horticultural vertical farm. Accepts DALI-2 digital dimming commands from Lighting Control Unit. Outputs regulated constant current to LED strings across four channels: red 660nm, blue 450nm, white 4000K, far-red 730nm. Each driver module rated 0-100% dimming range with ≥12-bit resolution. Includes over-temperature, over-current, short-circuit protection. Fail-safe: outputs de-energise on loss of DALI bus or LCU heartbeat. Mounted in zone control panel adjacent to LED fixture distribution board. Efficiency ≥93% at rated load. 48V DC output per channel. |
| LED Fixture Array | D6C51018 | Multi-channel horticulture LED luminaires installed in each grow zone of a vertical farm. Each fixture provides independently driven spectral channels: red 660nm, blue 450nm, broad-spectrum white 4000K, and far-red 730nm. Fixtures are rated for IP54 minimum (high humidity environment). Total installed load 400kW+ across 8 zones. Each fixture includes a heatsink and integral temperature sensor port. Driven by external LED Driver Modules via constant-current wiring. Fixtures are physically mounted on zone racking above crop canopy at fixed height per zone design. Output: photon flux at canopy (100-600 µmol/m²/s PPFD adjustable per channel). Fixtures fail off (safe state) when driver power is removed. |
| Lighting Control Unit | D1F77A18 | Zone-level embedded controller executing photoperiod scheduling, spectrum recipe management, and PAR intensity PID loops for horticultural LED lighting in a vertical farm. Receives crop recipe setpoints (target PAR, spectrum ratios, photoperiod) from Zone Controller Network via Modbus TCP/IP. Outputs: per-channel PWM duty cycle commands to LED Driver Module Array via DALI-2 or 0-10V analog. Inputs: PAR sensor readings at 1Hz, fixture thermal sensor readings at 1Hz, recipe commands, emergency shutdown signal. Implements 5-30 minute linear intensity ramp profiles. Operates 8 zones simultaneously at 10ms control cycle. Fails safe by de-energising all drivers. |
| Lockout Tagout Controller | 50F57A58 | Supervisory module managing maintenance LOTO state for the vertical farm zone controllers. Accepts key-switch inputs from physical LOTO stations at each zone access point, enforces a permission model preventing equipment re-energization while any LOTO key is checked out, communicates LOTO status to supervisory SCADA via OPC-UA, and drives local status beacons (flashing amber = LOTO active). Provides audit trail of LOTO events compliant with OSHA 29 CFR 1910.147. Runs on non-safety-rated hardware since LOTO is a procedural control layer, not a SIL-rated interlock. |
| Maintenance mode of Vertical Farm Environment Controller | 40BC3A00 | Scheduled or unscheduled maintenance window where individual zones or subsystems are taken offline while the rest of the facility continues operating. Controller isolates the maintenance zone: locks out affected actuators, maintains safe environmental defaults in adjacent zones to prevent cross-contamination, enables sensor calibration routines (zero/span checks on CO2 analysers, pH probe recalibration, PAR sensor verification against reference). Maintenance technician has local HMI access with override capability for individual actuators. All overrides logged with timestamp and operator ID. Entry: operator schedules maintenance window via HMI or responds to degraded-mode escalation. Exit: maintenance complete, sensors recalibrated, actuators tested, operator signs off → returns to startup sequence for affected zone. |
| Normal Operation mode of Vertical Farm Environment Controller | 55F73A08 | Steady-state closed-loop control across all growing zones. Each zone runs an independent control loop for temperature (18-28°C ±0.5°C), humidity (60-85% RH ±3%), CO2 (800-1500ppm ±50ppm), lighting (photoperiod and spectrum per crop recipe, 100-600 µmol/m²/s PAR), nutrient solution (pH 5.5-6.5 ±0.1, EC 1.0-3.0 mS/cm ±0.1), and irrigation (timed flood-drain or drip cycles). Controller executes crop-specific growth recipes that vary setpoints by growth stage (germination, vegetative, flowering, harvest). Energy optimisation layer coordinates HVAC and lighting to minimise peak demand. Data logging at 1-minute intervals. Entry: operator acknowledgement after startup. Exit: fault detection, operator command, or scheduled maintenance window. |
| Nutrient Delivery Function | 55F73A08 | System function of Vertical Farm Environment Controller: Manages hydroponic nutrient solution mixing, pH/EC regulation, and irrigation scheduling for recirculating deep-water-culture and NFT systems. Inputs: pH sensor (glass electrode), EC sensor (toroidal), flow meters, tank level sensors, water temperature. Outputs: acid/base dosing pump commands, fertiliser A/B pump commands, irrigation valve commands, UV steriliser enable. Constraints: ±0.2 pH, ±0.1 mS/cm EC, 2% max tank volume per dose stroke, runaway detection at 5% cumulative in 10 minutes. |
| Nutrient Management Subsystem | 55F77218 | Hydroponic nutrient delivery subsystem for vertical farm. Manages central mixing tanks with acid/base dosing pumps (peristaltic), A/B fertiliser concentrate pumps, pH glass electrodes, toroidal EC sensors, flow meters, and per-zone irrigation valves for recirculating deep-water-culture systems. UV sterilisation on return lines. Interfaces: analytical sensors (pH, EC, temperature, flow — field bus), dosing pump commands, irrigation valve commands, UV steriliser enable, safety interlock (runaway detection), supervisory controller (nutrient recipe parameters). |
| Nutrient Reservoir and Mixing System | DE951018 | Bulk storage and mixing infrastructure for hydroponic nutrient solutions in a vertical farm. Comprises: two 200L concentrate tanks (A and B), one 1000L working solution reservoir, one 50L acid tank (pH-down), one 50L base tank (pH-up). Includes ultrasonic level sensors (±5mm), PT100 temperature sensors, low-level alarms, motorised agitator for homogenisation, and gravity-fed drain valves. All wetted surfaces SS316 stainless or food-grade HDPE. Provides bulk storage to Dosing Pump Array and recirculation supply to Irrigation Controller. |
| Nutrient Sensor Drift and Crop Stress scenario | 04353209 | Degraded operation scenario: Over two weeks, Zone 6 pH sensor drifts 0.3 units high due to fouling from mineral deposits. Controller adjusts acid dosing based on faulty reading, actual pH drops to 5.0 (sensor reads 5.3, target 5.8). Crop shows iron/manganese toxicity symptoms — technician notices leaf chlorosis during daily inspection. Technician checks sensor against portable reference meter, discovers drift. Enters maintenance mode for Zone 6 nutrient system: controller stops dosing, flushes lines, technician cleans and recalibrates probe. Controller logs calibration event and adjusts drift compensation algorithm. Nutrient solution is dumped and remixed. Zone returns to normal operation after 4-hour maintenance window. |
| OpenADR Virtual End Node | 51B57B58 | Software client implementing OpenADR 2.0b protocol (OADR 2.0b schema, HTTPS/TLS 1.2+ transport) connecting to utility Virtual Top Node. Receives DR event signals (SIMPLE, PRICE, LOAD_DISPATCH) and translates them into demand-curtailment commands for the Supervisory Control Subsystem. Maintains certified OpenADR 2.0b VEN status per IEC 62746-10-3. Reports energy baseline and actual consumption telemetry to the VTN. Runs on the same server node as the TSDB, connected to the facility energy management system via Modbus TCP. |
| Operator Interface Terminal | 50AC7B28 | Web-based HMI served by Plant Management Server, providing real-time zone dashboards, alarm management, recipe selection and editing, trend visualisation for environmental parameters, and audit log viewer. Accessible from operator workstations and mobile tablets on the farm LAN. Role-based access control (operator, supervisor, administrator, read-only). All actions logged to immutable audit trail. |
| PAR Sensor Array | D4F77008 | Calibrated quantum (PAR) sensors installed at canopy level in each grow zone of a vertical farm, measuring photosynthetically active radiation (400-700nm) in µmol/m²/s (PPFD). One sensor per zone minimum, optional multi-point arrays for zones with non-uniform canopy geometry. Measurement range 0-2000 µmol/m²/s, accuracy ±3% traceable to ASTM E948, response time <100ms. Output: 4-20mA analog or RS-485 Modbus to Lighting Control Unit at 1Hz sampling. IP65 rated for humid grow environment. Recalibration interval 12 months. Provides closed-loop feedback for PAR PID control. Failure mode: signal loss triggers LCU degraded-mode operation at last valid setpoint. |
| Plant Management Server | 50A55008 | Industrial PC running the supervisory SCADA/HMI software stack for the vertical farm environment controller. Aggregates setpoints, schedules, and alarms from all grow zone controllers. Hosts the recipe management database (150+ crop profiles), demand-response scheduler, and OPC-UA server for external integrations. 1GHz redundant power supply, runs on Ubuntu 22.04 LTS with watchdog daemon. Provides operator web dashboard over HTTPS on LAN. |
| Recirculation Pump System | 57F71208 | Variable-speed centrifugal pump array circulating nutrient solution from the Nutrient Reservoir through grow zones and back in a closed-loop hydroponic system. Typically 2 pumps (duty/standby) with variable-frequency drives (VFDs) for 50–300 L/min flow range. Maintains 1.2–2.5 bar distribution pressure. Includes dry-run protection via flow switch, pump health monitoring (current draw, bearing vibration), and automatic standby changeover on duty pump fault. All wetted surfaces SS316 or HDPE. |
| Relative Humidity Sensor Array | D4D55008 | Capacitive thin-film RH sensors with ±2% RH accuracy over 20–90% RH range, deployed at 1 per zone in the return air stream. Provide 4–20mA analog output to Zone Climate Controller at 0.5Hz sample rate. Used for closed-loop humidity control via dehumidifier and humidification spray setpoint adjustment. Cross-referenced against intake air humidity for fresh-air enthalpy calculation. |
| Safety Interlock Function | 44F73858 | Hardware-independent safety function in vertical farm environment controller. Monitors CO2 concentration, zone temperature, water leaks, and fire alarm inputs via hardwired circuits independent of software controller. Triggers: CO2 >5000ppm, temperature >38°C, water on electrical panels, fire alarm. Outputs: fail-safe valve closure, emergency ventilation, electrical isolation. SIL 2-3 per IEC 61508, MTTFd >150 years. |
| Safety Interlock Subsystem | D4E77818 | Hardware safety interlock subsystem for vertical farm, independent of software controller per IEC 61508 SIL 3 architecture. Hardwired relay logic and safety-rated PLCs monitoring: CO2 concentration (dual NDIR sensors per zone with voting), zone temperature (RTD with comparator), water leak sensors (conductive probes near electrical panels), fire alarm relay input. Outputs: CO2 solenoid de-energise relays, emergency ventilation contactor, zone electrical isolation contactors, audible/visual alarms, E-stop chain. MTTFd >150 years per function. Two-person reset: physical key switch + software acknowledgement. |
| Safety PLC | D5F53058 | IEC 61511 SIL 3-certified programmable logic controller isolated from process control networks. Runs redundant interlock logic across dual execution cores with cross-checking. Receives hardwired digital inputs from CO2 safety sensors, thermal sensors, and emergency stops; drives hardwired relay outputs to CO2 isolation valve, ventilation actuators, and LED circuit breakers. Achieves SIL 3 via 2oo2 architecture with diagnostic coverage >99%. Scan cycle <50ms with hardware watchdog. Operates in -10°C to 55°C, humidity 10–95%. |
| Startup/Initialisation mode of Vertical Farm Environment Controller | 54B53A00 | System boot sequence: controllers power up, sensor arrays self-test and calibrate (temperature probes, RH sensors, CO2 analysers, pH/EC probes, PAR sensors), communication buses establish links to all zone controllers, actuators move to safe default positions (ventilation open, lights off, pumps stopped, CO2 injection closed). Entry: facility power-on or controller restart after maintenance. Exit: all sensors reporting within valid ranges, all zone controllers online, watchdog timers armed. Duration: 2-5 minutes. Operator must acknowledge readiness before transitioning to normal operation. |
| Supervisory Control Function | 41FD7B08 | Central coordination and operator interface for vertical farm environment controller. Manages crop recipes, zone assignments, operating mode transitions, alarm management, and inter-zone coordination. Inputs: all zone controller status, operator commands from HMI touchscreens. Outputs: zone setpoint commands, mode transition commands, alarm notifications. Coordinates 8 zones across 5 floors. |
| supervisory control subsystem | D6ED7018 | Physical industrial computing platform for vertical farm supervisory control. Housed in IEC 60529 IP54-rated 19-inch 4U rack-mount enclosure with front-panel LED indicators, installed in climate-controlled control room. Runs HMI, SCADA, recipe management, alarm handling, and OPC-UA server. Physical hardware includes industrial server chassis, touch-screen HMI panel, network switches, and UPS module. Operating temperature +5 to +45 °C. |
| Supervisory Control Subsystem | 51BD7908 | Central supervisory control and HMI subsystem for vertical farm environment controller. Server-based platform coordinating 8 zone controllers, managing crop recipes, zone assignments, operating mode state machine, alarm management, and energy optimisation. Includes: industrial HMI touchscreens, web dashboard for remote monitoring, OpenADR 2.0 client for demand response, recipe database, inter-zone coordination logic. Interfaces: zone controllers (Ethernet), BMS (BACnet/IP), ERP (REST API), cloud monitoring (MQTT/TLS), energy utility (OpenADR), operator (HMI). Manages 500kW-2MW facility load optimisation. |
| Temperature Sensor Network | 54C57208 | Distributed array of Class-B PT100 RTD sensors deployed at 2 per grow zone rack (top and bottom canopy positions), providing temperature measurements at ±0.5°C accuracy over 0–50°C range. Sensors connect via 4-wire Pt100 circuit to zone-level multiplexer boards. Sampling rate 1Hz per sensor, 16-bit ADC resolution. Provides redundant temperature inputs to Zone Climate Controller and independent verification channel to Safety Interlock Subsystem. |
| Thermal runaway hazard in vertical farm LED and HVAC system | 10040209 | Hazard in Vertical Farm Environment Controller during Normal Operation: HVAC cooling failure combined with high-power LED operation (200-600W per fixture, dozens per zone) causes zone temperature to exceed 45°C. LED thermal protection may fail if driver firmware is corrupted. Heat accumulation in enclosed multi-storey structure with limited thermal mass. Consequence: worker heat stress if present, crop destruction (total loss of zone), potential LED fixture fire from thermal runaway of driver electronics. |
| Time-Series Database Engine | 50A53308 | InfluxDB OSS or compatible TSDB deployed on a dedicated server node within the on-premises OT network. Ingests environmental sensor data (temperature, humidity, CO2, PAR, pH, EC, valve state) from the Zone Edge Gateway via MQTT or HTTP line protocol at 1Hz per channel per zone. Maintains a high-resolution tier (1-second samples, 90-day retention) and a downsampled tier (1-minute aggregates, 10-year retention) in accordance with SYS-REQ-011. Provides InfluxDB query API and Grafana-compatible data source interface. RAID-1 mirrored NVMe storage, 64GB minimum capacity for 10-year archive. |
| Vertical Farm Environment Controller | 51F73A18 | Integrated control system for indoor vertical farming facilities. Manages environmental parameters including lighting (LED spectrum and intensity), temperature, humidity, CO2 concentration, nutrient solution composition (pH, EC, individual ion concentrations), irrigation scheduling, and airflow across multiple growing zones within a multi-storey indoor farm. Operates 24/7 in a commercial agricultural building, typically 2000-10000 sq ft per floor, 3-8 floors. Controls actuators (HVAC, LED drivers, pumps, valves, CO2 injectors) based on sensor feedback and crop-specific growth recipes. Must maintain precise environmental setpoints (±0.5°C temperature, ±3% RH, ±50ppm CO2) to optimise crop yield and quality. Interfaces with building management systems, energy management, crop planning software, and remote monitoring dashboards. Safety-critical for worker exposure to CO2 enrichment and electrical/water proximity hazards. |
| Vertical Farm Facility Manager | 00045AF9 | Oversees overall farm operations including production scheduling, maintenance planning, energy cost management, and staff coordination. Makes resource allocation decisions during equipment failures (repair vs. replace, degraded operation vs. shutdown). Reviews analytics dashboards for yield trends and energy efficiency. Responsible for food safety compliance and worker safety. Reports to company management on production KPIs. |
| Vertical Farm Harvest Crew Worker | 02040039 | Manual labourers who enter growing zones to harvest mature crops, replace growing media, and clean equipment. Non-technical role — interact with controller only through zone entry/exit protocols (badge access, zone status display). Exposed to environmental conditions controlled by the system: temperature, humidity, CO2 levels, lighting. Worker safety directly depends on controller maintaining safe conditions during occupied-zone operations. |
| Vertical Farm Maintenance Technician | 000400F8 | Responsible for preventive and corrective maintenance of all controlled environment systems: HVAC units, LED fixtures, pumps, valves, sensors, nutrient dosing equipment, CO2 delivery system. Performs sensor calibration, actuator testing, electrical safety checks. Works under maintenance lockout/tagout procedures. Needs local HMI override capability for individual actuator testing. Electrical and mechanical trade qualifications required. |
| Voted Logic Engine | 41B73B58 | Software module executing inside the Safety PLC that performs 2-out-of-3 sensor voting for CO2 readings, evaluates all interlock conditions against configurable trip thresholds, manages the interlock state machine (normal/alarm/shutdown/reset), and arbitrates priority conflicts when multiple interlock conditions activate simultaneously. Implements IEC 61511 requirements for software safety lifecycle. Maximum execution time per scan: 20ms. Logs all state transitions with timestamp to non-volatile memory. |
| zone | CE851008 | A discrete physical growing room or rack section in a controlled environment vertical farm. Physical-spatial entity with fixed structural boundaries: reinforced walls, sealed floor/ceiling, air curtains at entry points, and installed mechanical hardware including HVAC ducts, irrigation lines, CO2 distribution manifold, and LED grow-light arrays. Occupies a defined volume (typical 20-100 m³). Has physical access points, physical sensor mounting locations, and physical actuator installations. The growing zone is a physical room that can be entered, cleaned, and inspected. |
| zone climate controller | D7F73018 | Physical DIN-rail-mounted embedded controller unit for zone climate management in a vertical farm. Packaged in IEC 60529 IP54 enclosure with RS-485 Modbus RTU ports and galvanically isolated 24 VDC power rail. Controls HVAC actuators via Modbus, runs PID loops for temperature and humidity control, processes PT100 temperature sensor inputs. Physical hardware installed in zone electrical enclosures, withstands 0.5 g RMS vibration over 10-150 Hz. |
| Zone Climate Controller | D7F73008 | Physical DIN-rail-mounted PLC-based controller unit installed in zone electrical enclosures of a vertical farm. Executes PID and feedforward algorithms for temperature and humidity control. Physical aluminium-rail-mounted hardware with 24VDC supply, Modbus RTU ports for HVAC actuators, and RS-485 bus to zone sensors. Operating temperature -10 to +60°C, IP20 protection. |
| zone controller | D7F73008 | Physical DIN-rail-mounted embedded controller unit installed in zone electrical enclosures of a vertical farm. Houses local PID control logic, recipe storage, and I/O interfaces. Physical hardware includes a DIN-rail case rated IEC 60529 IP20, RS-485 ports, 24 VDC power input, digital I/O terminals. Operating within -10 to +55 °C, humidity 20-95% RH. Executes zone temperature, humidity, CO2, and lighting PID loops. |
| zone controller network | D6851008 | Physical distributed automation network hardware deployed in a vertical farm facility. Physical installation comprising: DIN-rail-mounted industrial Ethernet switches in equipment enclosures, shielded Cat5e cables in conduit, IP67-rated GRP junction boxes at zone entry points, and zone controller units in zone electrical enclosures. Has physical cable routing, hardware nodes, termination panels, and IP-rated enclosures. Can be physically traced, inspected, and measured. The physical hardware backbone connects 8+ zone controller units to the supervisory system. |
| Zone Controller Network | D6855008 | Physical industrial Ethernet network infrastructure deployed through growing zones of a vertical farm. Comprises shielded Cat6A cabling, managed DIN-rail Ethernet switches, and RS-485 bus segments connecting zone controllers to zone-level I/O modules. Physical cable plant rated IP54, with physical termination panels and patch bays in zone electrical enclosures. Carries OPC-UA, Modbus RTU, and DALI-2 traffic. |
| Zone Controller Unit | D1F77008 | ARM Cortex-A53 embedded Linux controller, one per growing zone. Executes local PID control loops for temperature, humidity, CO2, PAR, pH and EC at 10Hz cycle rate. Interfaces with zone sensors via RS-485 Modbus RTU and with actuators via 24VDC discrete I/O and 4-20mA analog outputs. Communicates with Supervisory via OPC-UA over 100Mbps Ethernet. Stores current recipe setpoints in 16MB NOR flash for autonomous operation during network outage. 12 units in standard 3-tier 4-aisle facility. |
| Zone Edge Gateway | D0E57018 | OPC-UA server and protocol aggregator running on dedicated x86 embedded PC. Aggregates real-time data from all Zone Controller Units via OPC-UA at 500ms publication intervals and re-publishes aggregated node space to the Supervisory Control Subsystem. Provides protocol translation between zone-level Modbus RTU and OPC-UA, implements OPC-UA security mode SignAndEncrypt with X.509 certificates, and routes zone control commands from Supervisory to individual ZCUs. 10/100/1000Base-T dual-NIC, 24VDC supply. |
| Zone I/O Expansion Module | D6E55008 | RS-485-connected modular I/O expander attached to each Zone Controller Unit. Provides 16 digital inputs, 8 relay digital outputs (24VDC/2A), 8 analog inputs (4-20mA/0-10V, 12-bit resolution), and 4 analog outputs (4-20mA). Hot-swappable. Detects open-circuit faults on 4-20mA sensor loops within 1s and reports fault code to host ZCU. Extends ZCU I/O capacity to accommodate full sensor and actuator suite in zones with high device density. |
| Zone Irrigation Valve Array | D6F57018 | Array of normally-closed 24VAC solenoid valves mounted on distribution manifold, one per grow zone in a vertical farm. Fail-safe closed on power loss. DN15/DN20 food-grade EPDM seals rated for pH 4–9 at 5–35°C. Each valve includes reed switch position feedback (open/closed confirmation within 2s). Flow detection via common-header ultrasonic flow meter. Controlled by Irrigation Controller digital outputs. Stuck-open detection drives zone isolation valve closure and floor drain pump activation (per SYS-REQ-010). |
| Zone NDIR CO2 Sensor Array | D4F45008 | Non-dispersive infrared (NDIR) CO2 sensors installed in each grow zone for process control feedback. One dual-beam NDIR sensor per zone providing ±100 ppm accuracy across 300-3000 ppm range at 1Hz. Not safety-rated — used exclusively for PID loop feedback in CO2 Injection Controller. Temperature-compensated, auto-calibration against 400 ppm reference. 4-20mA output per zone, IP54 enclosure for humid grow-room environments. Distinct from the SIL-3 electrochemical safety sensor array owned by Safety Interlock Subsystem. |
| Zone Solenoid Valve Array | D6D55008 | Array of 2/2-way normally-closed solenoid valves, one per grow zone, installed in the CO2 distribution manifold outlet headers. 24VDC energise-to-open, spring-return to closed on de-energisation or power loss (fail-closed). CO2 service rated, PTFE/SS316 wetted parts, Cv 0.5 for precision flow control. Valve position feedback via 24VDC discrete output to CO2 Injection Controller. Override forced-closed by hardwired Safety Interlock trip relay — valve cannot open when interlock is tripped regardless of controller command. |

| Component | Belongs To |
|---|---|
| Climate Management Subsystem | Vertical Farm Environment Controller |
| Horticultural Lighting Subsystem | Vertical Farm Environment Controller |
| Nutrient Management Subsystem | Vertical Farm Environment Controller |
| CO2 Enrichment Subsystem | Vertical Farm Environment Controller |
| Safety Interlock Subsystem | Vertical Farm Environment Controller |
| Supervisory Control Subsystem | Vertical Farm Environment Controller |
| Data Acquisition and Compliance Subsystem | Vertical Farm Environment Controller |
| Zone Controller Network | Vertical Farm Environment Controller |
| Safety PLC | Safety Interlock Subsystem |
| CO2 Safety Sensor Array | Safety Interlock Subsystem |
| Voted Logic Engine | Safety Interlock Subsystem |
| Hardwired Trip Bus | Safety Interlock Subsystem |
| Lockout Tagout Controller | Safety Interlock Subsystem |
| CO2 Injection Controller | CO2 Enrichment Subsystem |
| Zone NDIR CO2 Sensor Array | CO2 Enrichment Subsystem |
| Zone Solenoid Valve Array | CO2 Enrichment Subsystem |
| CO2 Distribution Manifold | CO2 Enrichment Subsystem |
| Lighting Control Unit | Horticultural Lighting Subsystem |
| LED Fixture Array | Horticultural Lighting Subsystem |
| LED Driver Module Array | Horticultural Lighting Subsystem |
| PAR Sensor Array | Horticultural Lighting Subsystem |
| Fixture Thermal Monitoring Array | Horticultural Lighting Subsystem |
| Zone Climate Controller | Climate Management Subsystem |
| Temperature Sensor Network | Climate Management Subsystem |
| Relative Humidity Sensor Array | Climate Management Subsystem |
| HVAC Actuator Interface | Climate Management Subsystem |
| Fresh Air Ventilation Controller | Climate Management Subsystem |
| Plant Management Server | Supervisory Control Subsystem |
| Crop Recipe Engine | Supervisory Control Subsystem |
| Operator Interface Terminal | Supervisory Control Subsystem |
| Demand Response Handler | Supervisory Control Subsystem |
| Emergency Shutdown Sequencer | Supervisory Control Subsystem |
| Zone Controller Unit | Zone Controller Network |
| Industrial Ethernet Switch | Zone Controller Network |
| Zone I/O Expansion Module | Zone Controller Network |
| Zone Edge Gateway | Zone Controller Network |
| Time-Series Database Engine | Data Acquisition and Compliance Subsystem |
| OpenADR Virtual End Node | Data Acquisition and Compliance Subsystem |
| Crop Recipe Database | Data Acquisition and Compliance Subsystem |
| Compliance Report Generator | Data Acquisition and Compliance Subsystem |

| From | To |
|---|---|
| CO2 Safety Sensor Array | Safety PLC |
| Safety PLC | Voted Logic Engine |
| Safety PLC | Hardwired Trip Bus |
| Lockout Tagout Controller | Safety PLC |
| CO2 Injection Controller | Zone NDIR CO2 Sensor Array |
| CO2 Injection Controller | Zone Solenoid Valve Array |
| CO2 Distribution Manifold | Zone Solenoid Valve Array |
| Fixture Thermal Monitoring Array | Safety Interlock Subsystem |
| Lighting Control Unit | LED Driver Module Array |
| PAR Sensor Array | Lighting Control Unit |
| Fixture Thermal Monitoring Array | Lighting Control Unit |
| Zone Controller Unit | Zone Edge Gateway |
| Zone Controller Unit | Zone I/O Expansion Module |
| Industrial Ethernet Switch | Zone Controller Unit |
| Zone Edge Gateway | Time-Series Database Engine |
| Crop Recipe Database | Supervisory Control Subsystem |
| OpenADR Virtual End Node | Supervisory Control Subsystem |

| Component | Output |
|---|---|
| CO2 Safety Sensor Array | CO2 ppm measurement |
| Voted Logic Engine | interlock trip signal |
| Safety PLC | hardwired relay command |
| Hardwired Trip Bus | actuator de-energisation |
| Lockout Tagout Controller | LOTO status signal |
| CO2 Injection Controller | zone solenoid valve commands |
| Zone NDIR CO2 Sensor Array | zone CO2 ppm measurement for PID control |
| Zone Solenoid Valve Array | CO2 zone injection flow |
| Lighting Control Unit | LED driver PWM commands |
| LED Fixture Array | photosynthetically active radiation |
| PAR Sensor Array | PPFD measurement |
| Zone Climate Controller | HVAC setpoints |
| Temperature Sensor Network | zone temperature readings |
| Relative Humidity Sensor Array | zone relative humidity readings |
| HVAC Actuator Interface | HVAC hardware commands |
| Fresh Air Ventilation Controller | fresh air fraction commands |
| Plant Management Server | zone setpoints and schedules |
| Crop Recipe Engine | time-varying environmental setpoints |
| Demand Response Handler | load-shed commands |
| Emergency Shutdown Sequencer | shutdown sequence commands |
| Zone Controller Unit | zone control signals (4-20mA, 24VDC) |
| Zone Controller Unit | OPC-UA data nodes |
| Industrial Ethernet Switch | network packet forwarding |
| Zone I/O Expansion Module | scaled sensor values and actuator drive signals |
| Zone Edge Gateway | aggregated OPC-UA namespace |
| Time-Series Database Engine | time-series environmental data archive |
| OpenADR Virtual End Node | demand-response curtailment commands |
| Crop Recipe Database | crop cultivation recipe records |
| Compliance Report Generator | signed compliance reports (PDF/CSV) |

| Source | Target | Type | Description |
|---|---|---|---|
| REQ-SEVERTICALFARMENV-008 | ARC-REQ-010 | derives | Distributed zone controller architecture derived from failover/warm-standby requirement |
| SYS-REQ-011 | ARC-REQ-011 | derives | Data Acquisition architecture decision derived from environmental logging requirement |
| REQ-SEVERTICALFARMENV-012 | ARC-REQ-009 | derives | Supervisory Control architecture decision derived from HMI and autonomous recipe requirements |
| SYS-REQ-001 | ARC-REQ-008 | derives | Climate Management architecture decision derived from temperature regulation requirement |
| ARC-REQ-007 | SYS-REQ-005 | derives | Lighting subsystem architecture enables intensity precision compliance |
| ARC-REQ-006 | SYS-REQ-006 | derives | Nutrient subsystem architecture enables pH regulatory compliance |
| SYS-REQ-011 | ARC-REQ-005 | derives | Data acquisition separation enables independent compliance data management |
| SYS-REQ-012 | ARC-REQ-004 | derives | Energy optimisation co-location enables demand-response capability |
| SYS-REQ-004 | ARC-REQ-003 | derives | CO2 subsystem separation maintains SIL 3 boundary |
| SYS-REQ-008 | ARC-REQ-002 | derives | Distributed zone architecture enables per-zone degraded-mode |
| SYS-REQ-015 | ARC-REQ-001 | derives | Safety interlock architecture implements software independence |
| SUB-REQ-037 | VER-REQ-013 | derives | SUB-REQ-037 sensor fault fallback verified by Nutrient Management integration test |
| SYS-REQ-005 | SUB-REQ-041 | derives | Ramp profile control is the mechanism for transitioning between PAR setpoints |
| REQ-SEVERTICALFARMENV-014 | SUB-REQ-064 | derives | Autonomous operation derives recipe engine continuity |
| REQ-SEVERTICALFARMENV-014 | SUB-REQ-073 | derives | Recipe storage system requirement derives crop recipe database |
| REQ-SEVERTICALFARMENV-012 | REQ-SEVERTICALFARMENV-011 | derives | System HMI requirement derives supervisory HMI authentication |
| REQ-SEVERTICALFARMENV-008 | SUB-REQ-067 | derives | Failover requirement derives non-volatile recipe persistence |
| REQ-SEVERTICALFARMENV-008 | SUB-REQ-065 | derives | Failover system requirement derives zone controller closed-loop resilience |
| SYS-REQ-016 | REQ-SEVERTICALFARMENV-040 | derives | Zone material biocompatibility derived from sanitisation sequence system requirement |
| REQ-SEVERTICALFARMENV-008 | REQ-SEVERTICALFARMENV-039 | derives | Physical cabling spec derived from zone network failover requirement |
| REQ-SEVERTICALFARMENV-008 | REQ-SEVERTICALFARMENV-038 | derives | Zone Controller housing enables system-level failover |
| SYS-REQ-016 | REQ-SEVERTICALFARMENV-036 | derives | Zone hardware biocompatibility derives from system sanitisation |
| SYS-REQ-003 | REQ-SEVERTICALFARMENV-035 | derives | CO2 Injection Controller housing derives from system CO2 regulation |
| SYS-REQ-001 | REQ-SEVERTICALFARMENV-034 | derives | Zone Climate Controller housing derives from system temperature control |
| SYS-REQ-008 | SUB-REQ-081 | derives | ZCC power ride-through derived from HVAC trip controlled response requirement |
| SYS-REQ-016 | REQ-SEVERTICALFARMENV-033 | derives | Zone isolation interlock derived from sanitisation sequence verification requirement |
| SYS-REQ-016 | REQ-SEVERTICALFARMENV-032 | derives | Zone material specification derived from sanitisation and food safety requirement |
| SYS-REQ-004 | REQ-SEVERTICALFARMENV-031 | derives | CO2 injection controller enclosure derived from CO2 safety interlock requirement |
| SYS-REQ-008 | REQ-SEVERTICALFARMENV-030 | derives | ZCC enclosure vibration rating derived from HVAC colocation requirement |
| SYS-REQ-011 | REQ-SEVERTICALFARMENV-028 | derives | Network cabling IP67 spec derived from continuous zone telemetry requirement |
| SYS-REQ-003 | REQ-SEVERTICALFARMENV-029 | derives | Enrichment subsystem enclosure derived from CO2 regulation requirement |
| SYS-REQ-001 | REQ-SEVERTICALFARMENV-027 | derives | Zone controller IP54 rating derived from continuous operation in humid growing zone |
| SYS-REQ-015 | REQ-SEVERTICALFARMENV-026 | derives | SCS enclosure requirement derived from SIL 2 platform durability constraint |
| SYS-REQ-003 | SUB-REQ-080 | derives | ZCU override enables coordinated zone shutdown |
| SYS-REQ-003 | SUB-REQ-079 | derives | ZCC override enables supervisory environmental regulation |
| SYS-REQ-011 | SUB-REQ-077 | derives | Zone OT network security derived from data integrity and cryptographic logging requirement |
| SYS-REQ-016 | SUB-REQ-078 | derives | Zone material biocompatibility derived from sanitisation sequence and food safety requirement |
| SYS-REQ-004 | SUB-REQ-076 | derives | Independent SIL-2 CO2 sensor in subsystem derived from SIL-3 safety interlock requirement |
| REQ-SEVERTICALFARMENV-008 | SUB-REQ-075 | derives | Zone Controller Unit holdover mode derived from system-level failover requirement |
| REQ-SEVERTICALFARMENV-014 | SUB-REQ-064 | derives | Recipe engine continuity during override derived from autonomous operation requirement |
| SYS-REQ-001 | SUB-REQ-059 | derives | HVAC actuator interface response time derived from zone temperature regulation response |
| SYS-REQ-003 | SUB-REQ-058 | derives | Fresh air ventilation coordination with CO2 derived from CO2 regulation requirement |
| SYS-REQ-014 | SUB-REQ-057 | derives | Sensor fault detection requirement derived from zone isolation and contamination response |
| SYS-REQ-006 | REQ-SEVERTICALFARMENV-010 | derives | Power envelope for Dosing Pump Array derived from nutrient regulation requirement |
| SYS-REQ-006 | REQ-SEVERTICALFARMENV-009 | derives | Power envelope for Irrigation Controller derived from nutrient regulation requirement |
| SYS-REQ-001 | SUB-REQ-056 | derives | Temperature sensor sampling rate derived from temperature regulation response time requirement |
| REQ-SEVERTICALFARMENV-008 | SUB-REQ-067 | derives | ZCU setpoint persistence derives from failover recovery requirement |
| REQ-SEVERTICALFARMENV-014 | SUB-REQ-073 | derives | Recipe database 200-recipe capacity with audit trail derives from system recipe storage requirement |
| SYS-REQ-016 | SUB-REQ-074 | derives | Sanitisation verification report derives from sanitisation sequence verification requirement |
| SYS-REQ-012 | SUB-REQ-072 | derives | OpenADR VEN acknowledgement timing derives from DR event response requirement |
| SYS-REQ-011 | SUB-REQ-071 | derives | 30s CSV export derives from system export SLA requirement |
| SYS-REQ-011 | SUB-REQ-070 | derives | TSDB 1Hz ingestion and 10-year retention derive from system logging requirement |
| REQ-SEVERTICALFARMENV-012 | SUB-REQ-069 | derives | 500ms gateway latency derives from real-time HMI display requirement |
| REQ-SEVERTICALFARMENV-008 | SUB-REQ-065 | derives | ZCU autonomous operation derives from system failover requirement |
| SYS-REQ-011 | SUB-REQ-068 | derives | 1Hz I/O sampling derives from 1-second resolution logging requirement |
| SYS-REQ-001 | SUB-REQ-066 | derives | ZCU 10Hz PID rate derives from temperature regulation accuracy requirement |
| SYS-REQ-016 | SUB-REQ-063 | derives | Supervisory Control verifies sanitisation sequence completion |
| SYS-REQ-013 | SUB-REQ-062 | derives | Supervisory Control executes emergency shutdown sequence |
| SYS-REQ-012 | SUB-REQ-061 | derives | Supervisory Control implements OpenADR demand response |
| SYS-REQ-014 | SUB-REQ-060 | derives | Climate Management provides damper-based zone isolation |
| SYS-REQ-008 | SUB-REQ-055 | derives | Climate Management handles compressor trip lighting reduction |
| SYS-REQ-002 | SUB-REQ-054 | derives | Climate Management implements zone humidity control |
| SYS-REQ-001 | SUB-REQ-053 | derives | Climate Management implements zone temperature control |
| SYS-REQ-012 | SUB-REQ-048 | derives | LED driver efficiency constrains the energy curtailment depth achievable during demand response |
| SYS-REQ-005 | SUB-REQ-047 | derives | PAR sensor calibration accuracy is prerequisite for achieving ±5% PAR control accuracy |
| SYS-REQ-005 | SUB-REQ-046 | derives | Degraded-mode PAR hold is the resilience mechanism for sustaining PAR control accuracy on sensor failure |
| SYS-REQ-004 | SUB-REQ-001 | derives | CO2 independent sensor requirement from CO2 interlock SYS req |
| SYS-REQ-004 | SUB-REQ-002 | derives | 2oo3 voting architecture derives from CO2 SIL 3 requirement |
| SYS-REQ-015 | SUB-REQ-003 | derives | SIL 3 hardware certification prerequisite for safety layer |
| SYS-REQ-015 | SUB-REQ-004 | derives | SIL 3 scan time and watchdog requirements |
| SYS-REQ-013 | SUB-REQ-005 | derives | Voted Logic Engine trip conditions derive from emergency shutdown SYS req |
| SYS-REQ-004 | SUB-REQ-006 | derives | Safe state definition derives from CO2 interlock action specification |
| SYS-REQ-015 | SUB-REQ-007 | derives | Hardwired trip bus enforces physical independence from process software |
| SYS-REQ-015 | SUB-REQ-009 | derives | Data diode/firewall implements network-level safety independence |
| SYS-REQ-011 | SUB-REQ-010 | derives | Interlock audit log derives from system-level data logging requirement |
| SYS-REQ-007 | SUB-REQ-005 | derives | pH dosing excess interlock derives from SYS dosing protection requirement |
| SYS-REQ-009 | SUB-REQ-005 | derives | LED thermal interlock derives from SYS thermal protection requirement |
| SYS-REQ-015 | SUB-REQ-011 | derives | Proof test interval maintains SIL 3 PFD over operational lifetime |
| SYS-REQ-013 | SUB-REQ-008 | derives | LOTO controller implements energy isolation component of emergency shutdown |
| SYS-REQ-003 | SUB-REQ-012 | derives | CO2 concentration regulation derives to CO2 Enrichment Subsystem component |
| SYS-REQ-003 | SUB-REQ-013 | derives | CO2 concentration regulation derives to CO2 Enrichment Subsystem component |
| SYS-REQ-003 | SUB-REQ-014 | derives | CO2 concentration regulation derives to CO2 Enrichment Subsystem component |
| SYS-REQ-003 | SUB-REQ-015 | derives | CO2 concentration regulation derives to CO2 Enrichment Subsystem component |
| SYS-REQ-003 | SUB-REQ-016 | derives | CO2 concentration regulation derives to CO2 Enrichment Subsystem component |
| SYS-REQ-004 | SUB-REQ-017 | derives | 5000 ppm trip response drives valve closure time budget |
| SYS-REQ-004 | SUB-REQ-022 | derives | CO2 over-concentration interlock drives CO2 subsystem safe state |
| SYS-REQ-015 | SUB-REQ-022 | derives | SIL-3 allocation for CO2 interlock cascades to subsystem safe state requirement |
| SYS-REQ-003 | SUB-REQ-018 | derives | Valve leakage requirement to prevent uncontrolled CO2 enrichment |
| SYS-REQ-003 | SUB-REQ-019 | derives | Manifold pressure regulation enables consistent zone injection |
| SYS-REQ-003 | SUB-REQ-020 | derives | Manifold material requirement ensures CO2 service integrity |
| SYS-REQ-003 | SUB-REQ-021 | derives | Degraded mode for sensor fault to maintain regulation in other zones |
| SYS-REQ-003 | SUB-REQ-023 | derives | UPS requirement to maintain CO2 regulation during power interruptions |
| SYS-REQ-006 | SUB-REQ-024 | derives | EC/pH sensor accuracy derives from nutrient control setpoint tolerances |
| SYS-REQ-006 | SUB-REQ-026 | derives | Pump stroke volume limit derives from overshoot prevention requirement |
| SYS-REQ-007 | SUB-REQ-027 | derives | Hardwired dosing-excess watchdog derives from SIL-2 overdose protection |
| SYS-REQ-010 | SUB-REQ-030 | derives | Irrigation Controller stuck-valve detection derives from flood prevention system req |
| SYS-REQ-016 | SUB-REQ-031 | derives | Sanitisation sequence execution derives from zone changeover compliance |
| SYS-REQ-007 | SUB-REQ-025 | derives | Sensor fault detection enables dosing suspension decision in overdose protection |
| SYS-REQ-007 | SUB-REQ-028 | derives | Dosing pump safe state derives from overdose protection trip response |
| SYS-REQ-006 | SUB-REQ-029 | derives | Irrigation scheduling enables controlled nutrient solution delivery for pH/EC control |
| SYS-REQ-010 | SUB-REQ-032 | derives | Normally-closed fail-safe valve closure supports stuck-valve flood prevention |
| SYS-REQ-010 | SUB-REQ-033 | derives | Valve position feedback is required for the 30-second stuck-valve detection |
| SYS-REQ-006 | SUB-REQ-034 | derives | Pump duty/standby availability supports continuous pH/EC dosing and delivery |
| SYS-REQ-006 | SUB-REQ-035 | derives | Dry-run protection preserves pump integrity for sustained nutrient delivery |
| SYS-REQ-006 | SUB-REQ-036 | derives | Reservoir low-level alarm supports operator intervention before dosing loss |
| SYS-REQ-007 | SUB-REQ-037 | derives | Degraded-mode dosing rate limit balances crop continuity against sensor-drift overdose risk |
| SYS-REQ-005 | SUB-REQ-039 | derives | PAR control accuracy requirement allocates to HLS |
| SYS-REQ-009 | SUB-REQ-042 | derives | 85 °C fixture thermal trip allocated to HLS thermal monitoring |
| SYS-REQ-009 | SUB-REQ-043 | derives | Software thermal derating at 75 °C is the graceful pre-trip action |
| SYS-REQ-008 | SUB-REQ-044 | derives | 50% LED power reduction on HVAC compressor trip |
| SYS-REQ-013 | SUB-REQ-045 | derives | LED de-energisation step in emergency shutdown sequence |
| SYS-REQ-005 | SUB-REQ-040 | derives | 12-bit spectral channel resolution derives from PAR accuracy requirement |
| REQ-SEVERTICALFARMENV-014 | IFC-REQ-035 | derives | Recipe Engine to control setpoints interface derives from recipe management requirement |
| SYS-REQ-001 | IFC-REQ-033 | derives | Zone climate controller HVAC interface supports temperature regulation |
| REQ-SEVERTICALFARMENV-014 | IFC-REQ-041 | derives | Supervisory-to-RecipeDB API derives from recipe storage and access requirement |
| SYS-REQ-005 | IFC-REQ-030 | derives | PAR sensor interface enables the closed-loop PPFD feedback required for ±5% accuracy |
| SYS-REQ-005 | IFC-REQ-013 | derives | PAR setpoint distribution interface derives from system-level PAR accuracy requirement |
| SYS-REQ-006 | IFC-REQ-028 | derives | Pump suction interface defines physical connection for nutrient solution circulation |
| SYS-REQ-006 | IFC-REQ-026 | derives | IC to DPA Modbus TCP interface enables closed-loop dosing command chain |
| SYS-REQ-003 | IFC-REQ-024 | derives | CO2 regulation requires manifold pressure monitoring interface |
| SYS-REQ-001 | IFC-REQ-021 | derives | Zone fault event interface supports real-time zone status monitoring |
| SYS-REQ-003 | IFC-REQ-020 | derives | CO2 setpoint distribution interface derived from CO2 regulation requirement |
| SYS-REQ-007 | IFC-REQ-019 | derives | Hardwired dosing-excess signal derives from pH safety trip requirement |
| SYS-REQ-009 | IFC-REQ-018 | derives | Hardwired thermal trip signal derives from zone temperature exceedance requirement |
| SYS-REQ-011 | IFC-REQ-017 | derives | Compliance report generation interface supports SYS logging requirement |
| SYS-REQ-011 | IFC-REQ-016 | derives | Zone data collection interface implements compliance logging requirement |
| SYS-REQ-015 | IFC-REQ-015 | derives | Unidirectional safety status interface enforces SIL 3 independence |
| SYS-REQ-004 | IFC-REQ-014 | derives | Hardwired CO2 shutoff interface implements software-independent interlock |
| SYS-REQ-005 | IFC-REQ-013 | derives | LED control interface derived from lighting accuracy and thermal protection requirements |
| SYS-REQ-006 | IFC-REQ-012 | derives | Nutrient dosing interface derived from pH regulation requirement |
| SYS-REQ-008 | IFC-REQ-011 | derives | HVAC actuator command interface enables degraded-mode fault detection |
| SYS-REQ-003 | IFC-REQ-010 | derives | CO2 feedback interface derived from 50ppm regulation requirement |
| SYS-REQ-001 | IFC-REQ-009 | derives | Zone setpoint distribution interface derived from temperature control requirement |
| SYS-REQ-004 | IFC-REQ-005 | derives | CO2 bulk supply shutoff interface for safety interlock |
| SYS-REQ-011 | IFC-REQ-004 | derives | Remote monitoring event forwarding interface |
| SYS-REQ-012 | IFC-REQ-003 | derives | OpenADR demand-response input interface |
| SYS-REQ-005 | IFC-REQ-002 | derives | Crop recipe data from ERP drives lighting setpoints |
| SYS-REQ-013 | IFC-REQ-001 | derives | Emergency shutdown trigger via BMS interface |
| SYS-REQ-015 | IFC-REQ-008 | derives | LOTO-to-PLC interface derives from safety independence mandate |
| STK-REQ-008 | REQ-SEVERTICALFARMENV-051 | derives | Worker-comfort mode SYS requirement derives from harvest crew safety STK need |
| STK-REQ-001 | REQ-SEVERTICALFARMENV-008 | derives | Reliability stakeholder need motivates VFEC warm-standby redundancy |
| STK-REQ-016 | REQ-SEVERTICALFARMENV-014 | derives | Local recipe storage stakeholder need flows to system specification |
| STK-REQ-015 | REQ-SEVERTICALFARMENV-013 | derives | EMC stakeholder mandate flows to system compliance requirement |
| STK-REQ-002 | REQ-SEVERTICALFARMENV-012 | derives | HMI stakeholder need flows down to system-level HMI specification |
| STK-REQ-004 | SYS-REQ-014 | derives | Zone isolation for maintenance directly implements STK-REQ-004 |
| STK-REQ-001 | SYS-REQ-010 | derives | Irrigation fault detection is part of zone environmental monitoring |
| STK-REQ-001 | SYS-REQ-002 | derives | Zone humidity control derives from grower technician operational needs |
| STK-REQ-015 | SYS-REQ-015 | derives | EMC compliance is prerequisite for SIL 3 hardware certification |
| STK-REQ-014 | SYS-REQ-011 | derives | Remote firmware update requires update event logging |
| STK-REQ-013 | SYS-REQ-015 | derives | Controls access requirements drive safety/process separation |
| STK-REQ-012 | SYS-REQ-012 | derives | Energy reporting stakeholder need drives demand-response system requirement |
| STK-REQ-004 | SYS-REQ-016 | derives | Zone isolation for maintenance derives from stakeholder maintenance need |
| STK-REQ-010 | SYS-REQ-011 | derives | HACCP deviation reports require comprehensive environmental logging |
| STK-REQ-016 | SYS-REQ-015 | derives | Network resilience requires hardware-independent safety |
| STK-REQ-008 | SYS-REQ-016 | derives | Harvest crew safety extends to post-sanitation verification |
| STK-REQ-006 | SYS-REQ-013 | derives | Maintenance lockout requirement extends to emergency reset |
| STK-REQ-011 | SYS-REQ-012 | derives | Utility DR signals drive load curtailment requirement |
| STK-REQ-009 | SYS-REQ-011 | derives | Audit-ready logging requires comprehensive data recording |
| STK-REQ-005 | SYS-REQ-006 | derives | Sensor calibration supports nutrient control accuracy |
| STK-REQ-007 | SYS-REQ-003 | derives | Worker CO2 safety requires software concentration ceiling |
| STK-REQ-007 | SYS-REQ-004 | derives | Worker CO2 safety requires hardware interlock |
| STK-REQ-003 | SYS-REQ-008 | derives | HVAC failure response enables yield impact estimation |
| STK-REQ-002 | SYS-REQ-005 | derives | Recipe PAR adjustment requires lighting control precision |
| STK-REQ-001 | SYS-REQ-001 | derives | Zone dashboard accuracy requires precise temperature control |

| Requirement | Verified By | Type | Description |
|---|---|---|---|
| SUB-REQ-075 | REQ-SEVERTICALFARMENV-050 | verifies | SUB-REQ-075 covered by Zone Controller Network HIL performance test |
| SUB-REQ-032 | VER-REQ-013 | verifies | Valve fail-safe closure verified by NMS power-loss test |
| SUB-REQ-030 | VER-REQ-013 | verifies | Stuck-open valve detection verified by NMS integration test |
| SUB-REQ-028 | REQ-SEVERTICALFARMENV-006 | verifies | Dosing pump safety interlock verified by interlock trip test |
| SUB-REQ-026 | VER-REQ-012 | verifies | Dosing pump accuracy verified by pump watchdog test |
| SUB-REQ-025 | VER-REQ-013 | verifies | Sensor fault detection verified by NMS integration test |
| SUB-REQ-024 | VER-REQ-013 | verifies | EC/pH sensor accuracy verified by NMS integration test |
| SUB-REQ-005 | VER-REQ-003 | verifies | End-to-end integration test for interlock response times |
| SUB-REQ-001 | VER-REQ-004 | verifies | Calibration test for CO2 sensor accuracy specification |
| SUB-REQ-012 | REQ-SEVERTICALFARMENV-004 | verifies | PID performance test for CO2 injection controller |
| SUB-REQ-017 | REQ-SEVERTICALFARMENV-005 | verifies | Valve closure time test across temperature range |
| SUB-REQ-022 | REQ-SEVERTICALFARMENV-006 | verifies | SIL-3 safe state functional test for CO2 subsystem |
| SUB-REQ-027 | VER-REQ-012 | verifies | SIL-2 functional test for Dosing Pump Array hardwired watchdog |
| SUB-REQ-039 | VER-REQ-014 | verifies | PAR accuracy test verifies SUB-REQ-039 |
| SUB-REQ-042 | VER-REQ-015 | verifies | SIL-2 thermal trip hardware test verifies SUB-REQ-042 |
| REQ-SEVERTICALFARMENV-015 | REQ-SEVERTICALFARMENV-007 | verifies | Override response time test verifies zone controller autonomy constraint |
| REQ-SEVERTICALFARMENV-017 | REQ-SEVERTICALFARMENV-011 | verifies | Authentication and TLS test verifies supervisory control cybersecurity requirement |
| SUB-REQ-053 | REQ-SEVERTICALFARMENV-018 | verifies | Temperature regulation acceptance test |
| SUB-REQ-055 | REQ-SEVERTICALFARMENV-019 | verifies | Compressor trip 500ms timing test |
| SUB-REQ-062 | VER-REQ-028 | verifies | Emergency shutdown end-to-end timing test |
| SUB-REQ-065 | REQ-SEVERTICALFARMENV-025 | verifies | Verification test for SUB-REQ-065 |
| SUB-REQ-070 | VER-REQ-034 | verifies | TSDB ingestion fidelity verified by 100k-record injection test |
| SUB-REQ-071 | VER-REQ-034 | verifies | TSDB CSV export performance verified by 100k-record query test |
| SUB-REQ-072 | VER-REQ-035 | verifies | OpenADR VEN response timing verified by 10-event test harness |
| SUB-REQ-074 | VER-REQ-036 | verifies | Compliance report hash and generation time verified by synthetic cycle test |
| SUB-REQ-002 | VER-REQ-044 | verifies | 2oo3 CO2 sensor voting HIL test |
| SUB-REQ-003 | VER-REQ-045 | verifies | Safety PLC SIL 3 certificate inspection |
| SUB-REQ-004 | VER-REQ-046 | verifies | Safety PLC scan time and watchdog |
| SUB-REQ-006 | VER-REQ-047 | verifies | Interlock trip safe-state response time |
| SUB-REQ-007 | VER-REQ-048 | verifies | Hardwired trip bus network independence |
| SUB-REQ-008 | VER-REQ-049 | verifies | LOTO controller demonstration |
| SUB-REQ-013 | VER-REQ-050 | verifies | CO2 setpoint acceptance and rejection |
| SUB-REQ-014 | VER-REQ-050 | verifies | CO2 software concentration ceiling |
| SUB-REQ-015 | VER-REQ-051 | verifies | NDIR sensor accuracy across environment |
| SUB-REQ-016 | VER-REQ-051 | verifies | NDIR autocalibration log |
| REQ-SEVERTICALFARMENV-039 | REQ-SEVERTICALFARMENV-041 | verifies | Verification inspection procedure for ZCN physical infrastructure requirement |
| REQ-SEVERTICALFARMENV-040 | REQ-SEVERTICALFARMENV-042 | verifies | Verification test procedure for zone biocompatibility requirement |
| SUB-REQ-009 | REQ-SEVERTICALFARMENV-043 | verifies | Safety PLC network isolation verified by inspection and active inbound-write test |
| SUB-REQ-010 | REQ-SEVERTICALFARMENV-044 | verifies | Voted Logic Engine audit log verified by HIL test with 20 synthetic interlock events |
| SUB-REQ-011 | REQ-SEVERTICALFARMENV-045 | verifies | Safety Interlock proof test procedure verified by witnessed annual demonstration |
| SUB-REQ-045 | REQ-SEVERTICALFARMENV-046 | verifies | Emergency lighting shutdown on Safety Interlock trip verified across all 8 zones |
| SUB-REQ-060 | REQ-SEVERTICALFARMENV-047 | verifies | HVAC zone isolation on safety interlock verified by damper timing test |
| SUB-REQ-043 | REQ-SEVERTICALFARMENV-047 | verifies | Lighting Control Unit thermal derating verified by heatsink temperature injection test |
| SUB-REQ-076 | REQ-SEVERTICALFARMENV-048 | verifies | Independent SIL-2 CO2 safety sensor power separation and fault response verified |
| SUB-REQ-054 | REQ-SEVERTICALFARMENV-049 | verifies | SUB-REQ-054 covered by Climate Management functional performance integration test |
| SUB-REQ-056 | REQ-SEVERTICALFARMENV-049 | verifies | SUB-REQ-056 covered by Climate Management functional performance integration test |
| SUB-REQ-057 | REQ-SEVERTICALFARMENV-049 | verifies | SUB-REQ-057 covered by Climate Management functional performance integration test |
| SUB-REQ-058 | REQ-SEVERTICALFARMENV-049 | verifies | SUB-REQ-058 covered by Climate Management functional performance integration test |
| SUB-REQ-059 | REQ-SEVERTICALFARMENV-049 | verifies | SUB-REQ-059 covered by Climate Management functional performance integration test |
| SUB-REQ-066 | REQ-SEVERTICALFARMENV-050 | verifies | SUB-REQ-066 covered by Zone Controller Network HIL performance test |
| SUB-REQ-067 | REQ-SEVERTICALFARMENV-050 | verifies | SUB-REQ-067 covered by Zone Controller Network HIL performance test |
| SUB-REQ-068 | REQ-SEVERTICALFARMENV-050 | verifies | SUB-REQ-068 covered by Zone Controller Network HIL performance test |
| SUB-REQ-069 | REQ-SEVERTICALFARMENV-050 | verifies | SUB-REQ-069 covered by Zone Controller Network HIL performance test |
| IFC-REQ-017 | VER-REQ-043 | verifies | Compliance report REST API performance |
| IFC-REQ-016 | VER-REQ-042 | verifies | Zone data collection OPC UA subscription |
| IFC-REQ-015 | VER-REQ-042 | verifies | Safety OPC UA status bus timing |
| IFC-REQ-005 | VER-REQ-041 | verifies | CO2 supply 4-20mA analogue and fail-closed solenoid |
| IFC-REQ-004 | VER-REQ-040 | verifies | MQTT v5 cloud interface with fallback |
| IFC-REQ-003 | VER-REQ-039 | verifies | OpenADR VEN and Modbus energy metering |
| IFC-REQ-002 | VER-REQ-038 | verifies | REST API mTLS and response time |
| IFC-REQ-001 | VER-REQ-037 | verifies | BACnet/IP interface verified by protocol test |
| IFC-REQ-042 | VER-REQ-035 | verifies | OpenADR-to-Supervisory queue latency verified by end-to-end timing test |
| IFC-REQ-040 | VER-REQ-034 | verifies | MQTT ingestion interface verified by combined ingest/export test |
| IFC-REQ-039 | REQ-SEVERTICALFARMENV-024 | verifies | Verification test for IFC-REQ-039 |
| IFC-REQ-038 | REQ-SEVERTICALFARMENV-023 | verifies | Verification test for IFC-REQ-038 |
| IFC-REQ-037 | REQ-SEVERTICALFARMENV-022 | verifies | Verification test for IFC-REQ-037 |
| IFC-REQ-036 | VER-REQ-029 | verifies | Hardwired shutdown interface propagation delay test |
| IFC-REQ-034 | REQ-SEVERTICALFARMENV-021 | verifies | Fresh air/CO2 Modbus TCP integration test |
| IFC-REQ-032 | REQ-SEVERTICALFARMENV-020 | verifies | PT100 bus timing and fault detection test |
| IFC-REQ-031 | VER-REQ-017 | verifies | Fail-safe wiring test verifies IFC-REQ-031 SIL-2 hardwired interface |
| IFC-REQ-029 | VER-REQ-016 | verifies | DALI-2 bus timing and addressing test verifies IFC-REQ-029 |
| IFC-REQ-027 | VER-REQ-011 | verifies | Integration test for Irrigation Controller to Zone Irrigation Valve Array interface |
| IFC-REQ-025 | VER-REQ-010 | verifies | Integration test for EC/pH Sensor Array to Irrigation Controller Modbus interface |
| IFC-REQ-023 | VER-REQ-008 | verifies | Valve command/feedback interface test |
| IFC-REQ-022 | VER-REQ-007 | verifies | Interface test for NDIR sensor 4-20mA analogue signal |
| IFC-REQ-013 | VER-REQ-006 | verifies | Process network interface latency/accuracy verification |
| IFC-REQ-012 | VER-REQ-006 | verifies | Process network interface latency/accuracy verification |
| IFC-REQ-011 | VER-REQ-006 | verifies | Process network interface latency/accuracy verification |
| IFC-REQ-010 | VER-REQ-006 | verifies | Process network interface latency/accuracy verification |
| IFC-REQ-009 | VER-REQ-006 | verifies | Process network interface latency/accuracy verification |
| IFC-REQ-019 | VER-REQ-005 | verifies | Hardwired dosing-excess signal latency verification |
| IFC-REQ-018 | VER-REQ-005 | verifies | Hardwired thermal trip signal latency verification |
| IFC-REQ-014 | VER-REQ-005 | verifies | Hardwired CO2 trip signal latency verification |
| IFC-REQ-008 | VER-REQ-003 | verifies | End-to-end test covers LOTO inhibit verification |
| IFC-REQ-007 | REQ-SEVERTICALFARMENV-002 | verifies | Integration test for Safety PLC to Trip Bus relay interface |
| IFC-REQ-006 | REQ-SEVERTICALFARMENV-001 | verifies | Integration test for CO2 sensor-to-PLC interface |
| REQ-SEVERTICALFARMENV-051 | REQ-SEVERTICALFARMENV-052 | verifies | Worker-comfort mode SYS requirement verified by live zone integration test |
| REQ-SEVERTICALFARMENV-016 | REQ-SEVERTICALFARMENV-008 | verifies | Failover test verifies VFEC warm-standby redundancy requirement |
| VER-REQ-013 | SYS-REQ-006 | verifies | NMS end-to-end test verifies system-level pH/EC control and flood prevention |
| SYS-REQ-004 | VER-REQ-009 | verifies | System-level CO2 over-concentration trip verification |
| SYS-REQ-003 | VER-REQ-009 | verifies | System-level CO2 regulation verification |

| Ref | Document | Requirement |
|---|---|---|
| SUB-REQ-049 | subsystem-requirements | The Zone Controller Network SHALL provide a supervisory override channel that, when asserted by the Supervisory Control ... |
| SUB-REQ-050 | subsystem-requirements | The Irrigation Controller SHALL operate from a 24 VDC ±10% supply with a maximum steady-state power consumption of 15 W ... |
| SUB-REQ-051 | subsystem-requirements | The Dosing Pump Array SHALL operate from a 24 VDC ±10% supply with a maximum steady-state power consumption of 30 W per ... |
| SUB-REQ-052 | subsystem-requirements | The Supervisory Control Subsystem SHALL authenticate all remote HMI sessions using multi-factor credentials (username/pa... |
| SUB-REQ-082 | subsystem-requirements | The Supervisory Control Subsystem SHALL be housed in an IEC 60529 IP54-rated 19-inch 4U rack-mount enclosure with front-... |
| SUB-REQ-083 | subsystem-requirements | The Zone Controller SHALL be packaged as a DIN-rail-mounted embedded controller rated to IEC 60529 IP54, operating acros... |
| SUB-REQ-084 | subsystem-requirements | The Zone Controller Network cabling SHALL use shielded twisted-pair industrial Ethernet cable rated for continuous expos... |
| SUB-REQ-085 | subsystem-requirements | The CO2 Enrichment Subsystem SHALL be housed in a ventilated, wall-mounted IEC 60529 IP54-rated steel enclosure located ... |
| SUB-REQ-086 | subsystem-requirements | The Zone Climate Controller SHALL be packaged in an IEC 60529 IP54 DIN-rail-mount enclosure with dedicated RS-485 Modbus... |
| SUB-REQ-087 | subsystem-requirements | The CO2 Injection Controller SHALL be housed in a glass-reinforced polyester (GRP) enclosure rated to IEC 60529 IP65, mo... |
| SUB-REQ-088 | subsystem-requirements | All surfaces within a growing zone that are directly exposed to nutrient solution or crop root mass SHALL be constructed... |
| SUB-REQ-089 | subsystem-requirements | While a growing zone is undergoing sanitation, the Zone Controller SHALL enforce a zone isolation interlock that prevent... |
| SUB-REQ-090 | subsystem-requirements | The Zone Climate Controller SHALL be a physically-housed DIN-rail-mounted controller unit installed in zone electrical e... |
| SUB-REQ-091 | subsystem-requirements | The CO2 Injection Controller SHALL be a physically-housed controller unit installed in a GRP or 304 stainless steel encl... |
| SUB-REQ-092 | subsystem-requirements | The Vertical Farm Environment Controller SHALL ensure that all sensors, actuators, and hardware installed within growing... |
| SUB-REQ-094 | subsystem-requirements | The Zone Controller SHALL be a physically-housed embedded controller unit with a DIN-rail-mounted enclosure rated to IEC... |
| SUB-REQ-095 | subsystem-requirements | The Zone Controller Network physical infrastructure SHALL comprise shielded twisted-pair industrial Ethernet cabling (mi... |
| SUB-REQ-096 | subsystem-requirements | All materials in direct contact with growing zone air, water, or growing media SHALL be food-safe, non-toxic, and resist... |
| SUB-REQ-097 | subsystem-requirements | When a harvest crew zone entry signal is received from a zone access control reader, the Vertical Farm Environment Contr... |
| SYS-REQ-017 | system-requirements | When the primary Vertical Farm Environment Controller processing node fails, the system SHALL restore zone regulation fu... |
| SYS-REQ-018 | system-requirements | The Vertical Farm Environment Controller SHALL provide a supervisory HMI displaying real-time zone status (temperature, ... |
| SYS-REQ-019 | system-requirements | The Vertical Farm Environment Controller SHALL comply with IEC 61000-4 series immunity standards (surge, EFT, ESD, condu... |
| SYS-REQ-020 | system-requirements | The Vertical Farm Environment Controller SHALL store a minimum of 200 crop recipes and their associated control paramete... |
| VER-REQ-001 | verification-plan | Verify IFC-REQ-006: With three CO2 sensor channels connected to the Safety PLC, inject calibrated CO2 concentration leve... |
| VER-REQ-002 | verification-plan | Verify IFC-REQ-007: With the Safety PLC in test mode, de-energise each relay coil output in sequence; confirm the corres... |
| VER-REQ-018 | verification-plan | Verify SUB-REQ-012: inject test CO2 setpoint steps of 200 ppm across all zones simultaneously; measure controller respon... |
| VER-REQ-019 | verification-plan | Verify SUB-REQ-017: de-energise zone solenoid valve from fully-open state and measure time to full closure via position ... |
| VER-REQ-020 | verification-plan | Verify SUB-REQ-022: simulate safety interlock trip by removing 24VDC trip relay signal; verify all zone valves close wit... |
| VER-REQ-021 | verification-plan | Verify REQ-SEVERTICALFARMENV-007: assert supervisory override command from simulated Supervisory Control Subsystem and m... |
| VER-REQ-022 | verification-plan | Verify REQ-SEVERTICALFARMENV-008: kill primary VFEC processing node (power removal) while all zones active; measure time... |
| VER-REQ-023 | verification-plan | Verify REQ-SEVERTICALFARMENV-011: attempt HMI login with valid username/password only (no OTP) and verify access is deni... |
| VER-REQ-024 | verification-plan | Verify SUB-REQ-053: In a commissioned grow zone with temperature setpoint 22 degC and full crop canopy, record zone air ... |
| VER-REQ-025 | verification-plan | Verify SUB-REQ-055: Inject a simulated compressor trip signal at the HVAC Actuator Interface test port while the zone is... |
| VER-REQ-026 | verification-plan | Verify IFC-REQ-032: Connect a Modbus RTU bus analyser to the PT100 multiplexer bus and capture 1000 consecutive measurem... |
| VER-REQ-027 | verification-plan | Verify IFC-REQ-034: Using a Modbus TCP test client, monitor the exchange between Fresh Air Ventilation Controller and CO... |
| VER-REQ-030 | verification-plan | Verify IFC-REQ-037: Configure a test ZCU and Zone Edge Gateway on an isolated network, inject a known-value data set, an... |
| VER-REQ-031 | verification-plan | Verify IFC-REQ-038: Connect a ZCU to 4 I/O Expansion Modules on a single RS-485 segment and run a 24-hour polling cycle ... |
| VER-REQ-032 | verification-plan | Verify IFC-REQ-039: Audit the Ethernet switch configuration via SNMP MIB and running-config export. Verify VLAN 100 and ... |
| VER-REQ-033 | verification-plan | Verify SUB-REQ-065: In a hardware-in-the-loop test, establish steady-state ZCU operation with known setpoints, then phys... |
| VER-REQ-052 | verification-plan | Inspect Zone Controller Network installation: verify shielded Cat5e or higher cabling with foil/braid shield markings, I... |
| VER-REQ-053 | verification-plan | Test zone surface material biocompatibility: expose material samples to PAA at 2000 ppm, sodium hypochlorite at 200 ppm,... |
| VER-REQ-054 | verification-plan | Verify SUB-REQ-009 (Safety PLC network isolation): Audit the network architecture documentation and SCADA/firewall confi... |
| VER-REQ-055 | verification-plan | Verify SUB-REQ-010 (Voted Logic Engine interlock audit log): In a Hardware-in-the-Loop test environment, trigger 20 synt... |
| VER-REQ-056 | verification-plan | Verify SUB-REQ-011 (Safety Interlock Subsystem annual proof test): Execute the full SIL-3 proof test procedure: (1) Inje... |
| VER-REQ-057 | verification-plan | Verify SUB-REQ-045 (Horticultural Lighting emergency shutdown on Safety Interlock trip): In a full-facility integration ... |
| VER-REQ-058 | verification-plan | Verify SUB-REQ-060 (HVAC zone isolation on safety interlock) and SUB-REQ-043 (LCU thermal derating): Part A — Zone isola... |
| VER-REQ-059 | verification-plan | Verify SUB-REQ-076 (CO2 Enrichment Subsystem independent SIL-2 safety sensor): Inspect the CO2 Enrichment Subsystem inst... |
| VER-REQ-060 | verification-plan | Verify Climate Management Subsystem functional performance (SUB-REQ-054, SUB-REQ-056, SUB-REQ-057, SUB-REQ-058, SUB-REQ-... |
| VER-REQ-061 | verification-plan | Verify Zone Controller Network performance (SUB-REQ-066, SUB-REQ-067, SUB-REQ-068, SUB-REQ-069, SUB-REQ-075): Using a HI... |
| VER-REQ-062 | verification-plan | Verify REQ-SEVERTICALFARMENV-051 (worker-comfort mode on harvest crew zone entry): In a live test with a zone at full pr... |