Safety Model
Statements of principle
- The LLM does not directly control equipment — under any configuration, in any release.
- All AI recommendations pass through EMS safety gates before any action.
- Deterministic controls override AI suggestions, always and automatically.
- Operator approval may be required for critical actions, enforced by role-based authorization.
- Protection devices remain independent: relay trip paths are hardwired and function with the EMS offline.
- Fail-safe behavior is mandatory: loss of intelligence, communication, or power resolves to a safe state.
- Audit logs are required for every recommendation and every command — who, what, when, on what evidence.
The Trip / Close asymmetry
Trip = relay-led, hardwired, fast, EMS-independent.
Operational close = EMS-led, slow, interlocked, logged, user-authorized.
After any trip, the EMS enters trip lockout. Even when every permissive in the
chain recovers to true, close remains disabled until an authorized user clears the
lockout — at which point the EMS re-evaluates the complete permissive chain before
enabling close. AI may explain the trip and recommend recovery steps; it cannot
clear lockouts or close breakers.
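The trip lockout sequence above, together with the safety-gate and audit-log principles, as an added Python illustration (not code from the EMS described on this page; the BreakerGate class, the "operator" and "ai" role strings, and the permissive names are assumptions made for the example):

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class BreakerGate:
    """EMS close authority for one breaker (hypothetical). Relay trip cannot be vetoed."""
    permissives: Dict[str, Callable[[], bool]]  # name -> deterministic check
    closed: bool = False
    trip_lockout: bool = False
    audit: List[str] = field(default_factory=list)  # who, what, on what evidence

    def _log(self, who: str, what: str, evidence: str) -> None:
        self.audit.append(f"who={who} what={what} evidence={evidence}")

    def relay_trip(self, reason: str) -> None:
        """Hardwired relay trip: opens the breaker and latches lockout unconditionally."""
        self.closed = False
        self.trip_lockout = True
        self._log("relay", "trip", reason)

    def failed_permissives(self) -> List[str]:
        """Re-evaluate the complete chain on every call; never cache results."""
        return [name for name, check in self.permissives.items() if not check()]

    def ai_recommend(self, text: str) -> None:
        self._log("ai", "recommend", text)  # advisory only: logged, never executed

    def clear_lockout(self, who: str, role: str) -> bool:
        if role != "operator":  # role-based authorization; the AI holds no such role
            self._log(who, "clear_lockout DENIED", f"role={role}")
            return False
        self.trip_lockout = False
        self._log(who, "clear_lockout", "authorized")
        return True

    def request_close(self, who: str, role: str) -> bool:
        """Deterministic gate: every condition is re-checked on every request."""
        if role != "operator":
            self._log(who, "close DENIED", f"role={role}")
            return False
        if self.trip_lockout:
            self._log(who, "close DENIED", "trip lockout active")
            return False
        failed = self.failed_permissives()
        if failed:
            self._log(who, "close DENIED", f"permissives false: {failed}")
            return False
        self.closed = True
        self._log(who, "close", "all permissives true, no lockout")
        return True
```

Clearing the lockout never closes the breaker by itself; the next close request walks the full permissive chain again, so a permissive that dropped while the lockout was active still blocks the close.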
Validation
Interlock chains, trip lockout behavior, comm-loss responses, and limit
enforcement are validated through structured FAT/SAT procedures with witnessed
test evidence — the same evidence chain required for utility interconnection
approval.