TCS THERMAL CONTROL SYSTEMS
· LIVE BENCH UNIT 7 · ThermoLogic v1.15.2

Precision thermal control,
at firmware speed.

Thermal Control Systems builds ThermoLogic — the firmware platform that holds temperature to spec across medical, aerospace, industrial process, composites, energy, residential HVAC, consumer goods, and motorsport. The SmartControl capacitive-touch interface ports it onto any controller hardware.

ThermoLogic COMPOSITE CURE · 178°C ACTIVE · STAGE 3/5
PROCESS TEMPERATURE
177.8°C
Target 178.0 °C
Δ −0.2
Hold 47:12
T−00:00 · T−45:00 · NOW · 03:14:22
S01 · UPPER 178.1
S02 · MID 177.6
S03 · LOWER 177.9
S04 · TOOL 62.4
PACK 04 · MODULE B7 · LIVE SOC 64% · 220 kW DISCHARGE · COOLANT 6.2 L/min @ 24°C → 31°C
PACK AVG 38.4°C
MAX CELL 41.2°C · 087
MIN CELL 36.4°C · 012
SPREAD 4.8°C
HEALTH NOMINAL
CYCLE 14082 · GRAVITY DISPLACEMENT OPERATOR rn.kowalski · 21 CFR Part 11 ✓ · LOAD LP-2026-0142
01 Purge
02 Heat-Up
03 EXPOSURE
04 Exhaust
05 Dry
TEMPERATURE
121.0°C
PROBE T1 121.0 · T2 120.9 · T3 121.1
PRESSURE
15.1 PSI
DWELL 11:42 / 15:00
F₀ LETHALITY
9.6 / 12.0 min
LIVING ROOM · HEAT PUMP OUTDOOR −4°C · SNOW · COMPRESSOR 38% · COP 2.8
CURRENT 21.2° TARGET 22.0°C
TODAY · COMFORT SCHEDULE
06:00 WAKE 20.0°
08:00 HOME 22.0°
18:00 AWAY 19.5°
22:00 SLEEP 19.5°
RH 38%
RUNTIME TODAY 4h 12m
kWh TODAY 9.4
NEXT CHANGE SLEEP · 22:00 → 19.5°C
CAR 88 LAP 24 / 52 · S2 26.412 · GAP +0.842 · FUEL 18.4 kg STINT 2 · GREEN
TYRES AVG 96°C
BRAKES 612°C
WATER 108°C
OIL 121°C
GEARBOX 94°C
AIRBOX 32°C
DRUM 02 · ETHIOPIA YIRGACHEFFE · BATCH 142 GREEN 22.4 kg · MOISTURE 11.4% · ROASTER l.ostrowski · BEND, OR
CHARGE · 198°C · RoR 8.4°C/min · T = 9:34
BEAN TEMPERATURE
204°C
Δ from DTR target · −0.4°C
DEVELOPMENT TIME RATIO
22.4%
2:08 of 9:34 · target 21–24%
CHARGE TEMP 198°C
FIRST CRACK 198.6°C · 7:26
CURRENT RoR 8.4°C/min
EST. DROP 9:46 · 207°C
PROFILE YIRG-LIGHT-V4
FURNACE 07 · 4340 SHAFT LOAD · NIGHT SHIFT AUSTENITIZING · LOAD 1,847 kg · CARBON POT −15 mV · OPERATOR f.delaney
▲ TC DRIFT FLAGGED · FURNACE 7 · 18-MO CORPUS +2.1°C bias · hold extended +90s · pass
ZONE 1 844.2°C
ZONE 2 845.0°C
ZONE 3 847.1°C
ZONE 4 844.8°C
ZONE 5 843.9°C
QUENCH 62°C
SOAK ELAPSED 2:14:38
SOAK FLOOR 2:00:00
CORPUS QUERY 2,184 prior loads
NADCAP REV AMS 2759/1G
QUEUE 3 loads · 11h
TVAC BAY 02 · PAYLOAD KA-TXN-09 · QUAL CYCLE DAY 9 / 14 · 87 TC ACTIVE · OPERATOR a.chen · EL SEGUNDO, CA
ARTICLE · NORTH PANEL ZONE MAP: +62 · +71 · +58 · +64 · +59 · +68 · +55 · +61 · −42 · −38 · −45 · −40
CHAMBER VACUUM
1.4×10⁻⁶ Torr
PUMP STACK NOMINAL · OUTGAS 0.08 mTorr/hr
RAMP-RATE LAG · NORTH PANEL
1.4°C/min
CYCLE PAUSED <1s · HOLD ISOTHERMAL · CONSOLE FLAGGED
CYCLE PROGRESS 9.0 / 14 d
SOAK FIDELITY σ 0.42°C
DEVIATIONS 1 · OPEN
PROGRAM QUAL-TVAC-R4
LAUNCH SLIP 0 d
// The difference is firmware · scroll to compare
BEFORE · TYPICAL PID
A standard controller fights itself.
Overshoot +12.4°C · Settle time 14:22 · Soak band ±3.1°C · Energy +28%
AFTER · ThermoLogic
ThermoLogic holds the line.
Overshoot +0.4°C · Settle time 3:08 · Soak band ±0.18°C · Energy −22%
SOAK ACCURACY
±0.3°C
POWER VS PID BASELINE
−22%
CYCLE REPEATABILITY
σ 0.18°C
VERIFIED CYCLES
10,000+
// Eight industries · one firmware platform
Same ThermoLogic core. Same SmartControl interface. Different program library. Different setpoint envelope. Different certification path.
// 01 Residential
HVAC
Multi-zone heat/cool, heat-pump staging, comfort-curve learning.
// 02 Consumer
Goods
Brewing, cooking, fermentation, dehumidification, niche climate.
// 03 Industrial
Process
Reactors, ovens, dryers, extrusion lines, jacketed vessels.
// 04 Medical
Autoclaves, incubators, cold chain, sample warmers — audit logs.
// 05 Aerospace
Component cure, thermal vacuum, ground support, hangar climate.
// 06 Energy
Battery thermal management, hydrogen handling, transformer cooling.
// 07 Composites
Prepreg cure, post-cure, autoclave + oven, infusion preheat.
// 08 Motorsport
Tire warming, ECU/airbox conditioning, fuel cell, paddock systems.
// The Platform

One firmware platform. One interface. Any controller hardware.

// 01
FIRMWARE
ThermoLogic
The control logic — ramps, soaks, fault handling, learning. ThermoLogic Lite for less complex products; full tier for safety-critical and multi-zone.
// 02
INTERFACE
SmartControl
Capacitive-touch UI/UX layer. Runs on TCS reference hardware or ports onto your existing controller platform via the HAL.
// 03
HAL · INTEGRATION
thermologic.hal
Hardware abstraction layer. Adapts ThermoLogic to your controller, your sensors, your actuators. OEM integration without rebuilding firmware.
// Eight industries · eight stories

Where the work happens. Where the platform earns its place.

// 01 · Residential HVAC EDINA, MINNESOTA · 06:40
It is six-forty on a Tuesday morning in a split-level in Edina, Minnesota. Margaret Voss is making coffee in a kitchen that is sixty-six degrees and falling. The heat pump has been running since four. Outside it is nine below. Don — her husband, home from cardiac rehab in November — is still asleep upstairs, where the bedroom is the warmest room in the house by design.

Two years ago this morning would have ended with the gas furnace cycling on backup and a four-hundred-dollar utility bill she would discover three weeks later. This morning the installer who commissioned the unit — Devin, out of a three-truck shop in St. Louis Park — receives a notification on his phone over breakfast. The cold-climate profile he pushed to her controller in October has just executed its third defrost cycle of the night without dropping setpoint in the master bedroom by so much as half a degree. He sees the curve. He sees what he needs to see. The corpus logged every minute of the run and made it defensible if the utility ever asks. The type-enforced language refused, at compile time, any profile that would have let Don's room drift below the line the cardiologist drew. Devin's three-truck shop runs a thousand homes from one console — the profile keeping Don warm was pushed by Mitsubishi to every cold-climate unit in the region last Tuesday, in the time it took to drink a coffee.

Margaret pours hers. The kitchen is climbing back. Don is asleep. The furnace, which two years ago would have been the loudest thing in the house at six-forty in the morning, is silent because it has not been asked to run. She does not think about her furnace, which is the entire point.
// 02 · Consumer Goods BEND, OREGON · 14:15
It is two-fifteen on a Saturday afternoon at a roastery in Bend, Oregon, and Lena Ostrowski is on the platform of her Probat, listening. The Ethiopian Yirgacheffe she is bringing to first crack is from a lot she will not see again — fourteen bags, single-farm, gone by August. The drum is at one-ninety-six Celsius and climbing.

Two years ago she would have written the curve on a clipboard taped to the side of the roaster and prayed her opening barista could read her handwriting on Monday. This afternoon the development-time-ratio she is shaping in real time — the four-minute window between first crack and drop — is being logged by the controller against a profile her head roaster wrote in Portland and pushed to her drum on Thursday. The type-enforced language refused, at compile, any curve where development time would have outrun the drum-temperature ramp; that class of error, the one that bricks a batch, can no longer reach her bean. The corpus underneath the profile is twenty years of her own palate, queryable now by every barista at every one of her three new locations. She watches first crack roll across the trier. She listens for the pop to settle into a rhythm. She drops the batch at four minutes and twelve seconds, which is what the bean asked for.

On Tuesday morning, in a café in Brooklyn, a customer will lift the cup and taste bergamot at the front of the palate and stone fruit behind it, and will set the cup down and order a second one without quite knowing why. He will not know Lena Ostrowski exists. He will not know there is a roastery in Bend or a controller on a Probat or a profile pushed on a Thursday. And that is also the entire point.
// 03 · Industrial Process CLEVELAND, OHIO · 03:10
It is three-ten on a Wednesday morning in a heat-treat shop in Cleveland, and Frank Delaney — second-shift metallurgist, thirty-one years on the floor, the kind of man who reads a chart recorder the way a doctor reads an EKG — is watching a load of 4340 aerospace shafts come down off an austenitizing soak. Furnace 7's pyrometer has been reading two degrees high for a week and he has known it for a week.

Two years ago he would have lived with it and written a non-conformance after the Rockwell came back soft three days later. Tonight the controller has cross-referenced the thermocouple drift against the corpus of every load that came off Furnace 7 in the last eighteen months, isolated the bias to a single junction, flagged it at 0300 to the morning-shift engineer's console in the office upstairs, and held the soak an extra ninety seconds to compensate. The program enforced AMS 2750 at the type-system level; it could not have been argued into letting the load drop cold. Frank reads the alert, reads the correction, reads the temperature trace, and signs off on the load.

The shafts go into the quench on spec. Rockwell will come back where it needs to come back. They will be ground, shot-peened, magnafluxed, certified, crated, and shipped. They will end up in the landing gear of an aircraft that will roll out of a paint shop in Renton in February. In nine months that aircraft will touch down at Changi at four in the afternoon local time, two hundred and forty souls aboard, after thirteen hours over the Pacific. The pilot will not know the airplane's gear was ever a billet in a furnace in Cleveland. He will not think about Frank Delaney, which is the way Frank prefers it.
// 04 · Medical REGIONAL TRANSPLANT CENTER · THE CALL · 03:42
The day finally arrived. Two and a half years on the list. Almost ten years since the first cardiac issue was diagnosed; three years later it was confirmed. The heart was failing, and each year that passed would cause continued degradation. Small at first, and then the pace would pick up. Which it did. They got on the transplant list as early as they could, and they just got the call. There was a match. It would be a bit of a tight fit into a twelve-year-old's chest; they'd have to spread the ribs a bit more, and the boy would be uncomfortable for the first thirty days or so, and then things would work around it. But… it was happening. Finally. The parents had pre-packed everything, and mom repacked it every three months just to be ready. They were in the car, trying to hold back tears of joy, pain, excitement, anxiety, fear, relief — the emotions were racing faster than they were driving.

The doctor was on her way too. Only not in her car — she had already donned her surgical gear and worked through procedures. She was focused. These transplant surgeries were never routine, and always unexpected. The heart was en route. The clock was ticking. The organ had to remain at a certain temperature, and even with that, time was not a friend. Officially it was called cold ischemia, and it was its own clock without forgiveness.

The cold storage container that was previously used had a digital thermometer; the transit tech would call as often as possible with updates. They only knew what the thermostat was reading, not what was actually happening inside the container, next to and inside the organ. That had all changed fairly recently. It was still taking some getting used to. The container that held the organ was feeding her live data, to her phone, updating every two seconds. Four readings from the container. Top, bottom, next to the heart and — shockingly — inside the organ itself. All live, right to her device. Her colleagues were logged in, watching it as well, live in the operating room while they prepped.

So far, the only significant temperature event had been moving from the ambulance to the plane. It took a few minutes longer, and the controller logged the anomaly. A 0.3-degree change for three minutes was logged by the sensor near the top of the container. All the rest held temp. And the controller made adjustments to the cooling mechanism on the container to remain within the right tolerance. No calls, no texts, no I think so's. Live, confirmed hard data.

Before, she wouldn't be able to confidently spin up the rest of her team until the organ was thirty minutes away and they could confirm it was still in the safety window. This live data changed the game. Three hours of prep time. Felt like a lifetime compared to the past. The patient could arrive, prep, be sedated, and the pre-procedures could begin. The organ could arrive at almost the same time the team was ready to place it in the patient. While there were still plenty of risks, controlling the environment and knowing the status in real time, on the ground or in the air, reduced the risk of a compromised organ by nearly ninety-five percent. They'd been using this for the past eighteen months. They had yet to lose an organ in transit. Who knew that simple programming and data capture could turn into exactly the knowledge she needed? The heart would arrive in near perfect condition. And the boy would walk out a week later with a sore chest, and dreams to chase.
// 05 · Aerospace EL SEGUNDO, CALIFORNIA · 11:20
It is eleven-twenty on a Friday morning at a thermal-vacuum chamber in El Segundo, California, and Aaron Chen — test engineer, eight years out of Cal Poly — is running a satellite payload through its qualification cycle. The article is a Ka-band transponder, mass-simulator-flanked, instrumented with eighty-seven thermocouples. The cycle is fourteen days long. They are on day nine.

At eleven-twenty-two a heater string on the north panel begins to lag its commanded ramp by 1.4 degrees per minute. Two years ago this would have been a scribbled note in a logbook and a phone call to a thermal analyst in Denver who would not pick up until Monday morning, after the article had drifted out of spec and the test had to be re-run. This morning the controller has cross-referenced the lag against the program's declared ramp tolerance, paused the cycle inside one second, held the article isothermal at the last good setpoint, and logged the deviation to the program manager's console before Aaron's coffee is cool enough to drink. The corpus tells him which heater string is failing and which spare is on the shelf. The type-enforced program will not let the cycle resume until the substitution is verified — MIL-STD-1540 isn't a checklist anymore, it's a property of the source code. He swaps the string. He re-arms the cycle. Total time from anomaly to recovery: thirty-eight minutes.

The launch slips by zero days. In November an Atlas V will lift the transponder out of Cape Canaveral and put it on a geostationary transfer orbit. Three weeks later it will reach station-keeping at thirty-five thousand seven hundred and eighty-six kilometers above the equator. It will stay there, talking to the ground, for fifteen years.
// 06 · Energy LUBBOCK, TEXAS · 14:50
It is two-fifty on a Thursday afternoon at a 400-megawatt-hour battery storage site outside Lubbock, Texas, and Marisol Reyes — operations engineer for the IPP that owns the asset — is at a desk in Houston watching the ambient climb past forty-one Celsius on the ground. Rack 14 in Container 7 has been pulling its cold-plate coolant supply two degrees warmer than its neighbors for forty minutes. The cells are LFP, three years old, two thousand cycles deep.

Two years ago this would have been a maintenance ticket logged on Monday and a thermal runaway investigation on Wednesday. This afternoon the controller has correlated the divergence against the corpus of every charge cycle Container 7 has logged since commissioning, identified the failing pump on the secondary loop, derated Rack 14 by twelve percent to hold cell temperature below the program's declared ceiling, and flagged the work order to the O&M contractor's phone before Marisol has finished the sentence she was speaking. The type-enforced thermal program will not, at any setpoint, let a cell exceed CATL's published envelope. The derate is automatic. The grid does not notice it. Marisol does not have to call anyone.

At four o'clock ERCOT calls a four-hour discharge into the West Texas heat. The site delivers full contracted power for the full four hours, Rack 14 included. Forty miles north, at University Medical Center in Lubbock, the NICU charge nurse never sees the lights flicker. Three premature infants stay on their isolettes, on their monitors, on their ventilators, on warmers calibrated to the half-degree. None of their parents will know how close the grid came to a shed event at four-eighteen. None of them will hear the name Marisol Reyes. The site delivers. The grid holds. The babies stay warm.
// 07 · Composites WICHITA, KANSAS · 07:05
It is seven-oh-five on a Monday morning at an autoclave bay in Wichita, and Tom Berglund — cure technician, twenty-six years on the floor, the kind of man who can hear a thermocouple lie — is loading a wing skin for a regional jet. The part is forty-one feet long, IM7/8552 prepreg, sixty-eight thermocouples bonded to tool and bag. The cure is six hours.

Two years ago he would have watched the cure on a chart recorder and trusted his eyes and a stopwatch and the smell coming off the door seal. This morning the program declares its dwell at one-seventy-seven Celsius for one hundred and twenty minutes minimum — a hard floor, type-enforced, the controller cannot be argued out of it — and the corpus shows him every cure this autoclave has run on this tool in the last four years, ramp by ramp, deviation by deviation. He sees three prior tools that ran cold on the leading edge. He sees how the program corrected each one. At hour three the bag bleeds and a leading-edge thermocouple lags by four degrees in a span of ninety seconds. The program does not panic. It does not abort. It extends the dwell by eleven minutes on the affected zone alone, restoring the cure profile for that square footage of laminate without re-cooking the rest of the part. Hexcel's resin chemists wrote the kinetics. The program enforces them. The certification engineer downstairs will defend the part to the FAA with cure data at a resolution the FAA has never been handed before.

The part comes out on spec. It will be trimmed, drilled, ultrasonically inspected, certified, mated to its spar, painted, and installed on an airframe in Mirabel in October. It will fly six hundred and forty thousand cycles before it retires, carrying somebody's mother home from Toronto on a Tuesday night, every Tuesday night, for thirty years.
// 08 · Motorsport TOKYO HOTEL ROOM → LE MANS · 23:00
It is eleven o'clock on a Thursday night in a hotel room in Tokyo. Race weekend. The crew chief has been watching his flights and the weather in Le Mans for six hours. He should get there just in time if he can catch this flight. He's seeing the overnight ambient temperatures have dropped faster than anyone expected — eight degrees in three hours. The compound strategy briefed that afternoon was built for different conditions. He picks up his phone. Opens the Operator Console. Four sets of tires on the warmers. Thirty-two thermocouples between them, three different compounds with individual race strategies, each one reporting its position on the tire's thermal map in real time. He watches the ramp curves for a moment, sees what he needs to see, and makes the change. New profiles pushed to all four controllers simultaneously. Confirmed. Fifteen seconds, including the time it took to decide. The driver will go out on Saturday morning into a cold pit lane with rubber that is exactly where it needs to be, and will never know how close it came to being otherwise.
// Engineering · the geek meat

The control language is the product. Everything else is plumbing.

A type-enforced thermal-program DSL · corpus-grounded adaptive control · multi-protocol HAL · audit-ready by construction. The compile-time rejections referenced in the stories are not metaphors — the program will not compile.
// 01 · The Language
A typed DSL for thermal programs — not a recipe builder, not a ladder, not a script.

Every value carries a unit. Temp · Dur · Pct · RampRate · Setpoint · Envelope. Pass a percentage where a ramp-rate belongs and the program does not compile. Declare a soak floor of 0°C on a composite cure and the program does not compile. The class of error that bricks a batch cannot reach the bench.

Safety envelopes are declared once and enforced by the type system. setpoint_ceiling, ramp_max, fault classes, and the fail-to state are properties of the source code, not setpoints on a screen a tired operator can dial past. AMS 2750G, 21 CFR Part 11, MIL-STD-1540, IEC 61508 — the standards stop being checklists and start being compiler rules.

The corpus is queryable. Every cure, every cycle, every defrost — timestamped, version-tagged, cryptographically signed. publish corpus { every: 100ms, retain: 10y } ships with every program. The fleet learns. New sites auto-tune from sibling-asset histories at commissioning.

Temp
temperature literal · °C / °F / K · enforced unit conversion
Dur
duration literal · ms / s / min / hr / d · arithmetic-aware
Pct
percentage 0.0–100.0 · rejects where physical units expected
RampRate
rate of change · Temp/Dur · slope-typed
Setpoint
declared target with bound enforcement
Envelope
multi-axis declared safety region · immutable at runtime
Stage
phase in a multi-stage program · Ramp / Soak / Dwell / Cool
FaultState
declared system response per fault class · fail-to target
composite_cure_im7_8552.tlp COMPILED · SIGNED · DEPLOYED
program CompositeCure_IM7_8552 : ThermalProgram {
  manufacturer: Hexcel
  envelope:     CureEnvelope.IM7_8552   // from supplier corpus

  stage 01 "Ramp"       : { kind: Ramp,  to: Temp(82°C),  rate: RampRate(2.5°C/min) }
  stage 02 "Soak A"     : { kind: Soak,  at: Temp(82°C),  for: Dur(30 min) }
  stage 03 "Ramp"       : { kind: Ramp,  to: Temp(177°C), rate: RampRate(2.5°C/min) }
  stage 04 "Cure Dwell" : { kind: Dwell, at: Temp(177°C), for: Dur(120 min),
                            floor:  Temp(176°C),    // type-enforced hard floor
                            on_lag: ExtendZone(Dur(11 min)) }
  stage 05 "Cool"       : { kind: Cool,  to: Temp(60°C),  rate: RampRate(3°C/min, max) }

  // safety envelope — declared, type-enforced, immutable at runtime
  declare safety {
    setpoint_ceiling: Temp(185°C)               // cannot be exceeded under any condition
    setpoint_floor:   Temp(0°C)
    ramp_max:         RampRate(3.0°C/min)
    fault_on:         [tc_open, tc_short, comms_loss > Dur(5s)]
    fail_to:          State.Cool
  }

  publish corpus { every: Dur(100ms), retain: Dur(10y) }
}
// Compile-time rejections · the program will not compile
COMPILE ERROR · TL.E0042 · type mismatch
stage 03: rate: 12%
^^^ expected RampRate, found Pct
percentage values reject for RampRate; specify °C/min or °F/min explicitly.
COMPILE ERROR · TL.E0017 · safety envelope violated
stage 04: at: Temp(187°C)
^^^^
setpoint exceeds safety.setpoint_ceiling (185°C). hint: raise the ceiling explicitly or split the dwell.
COMPILE ERROR · TL.E0211 · missing fault handler
declare safety { ... fault_on: [tc_open] }
^^^^^^^
declared fault class tc_open has no fail_to target on stage 04. hint: State.Cool is the default safe state for composite cure.
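The unit typing and sealed envelope described above, sketched in Rust as an added example that is not ThermoLogic source: distinct newtypes make a `Pct` unusable where a `RampRate` is expected, and a `Program` can only be obtained by passing every stage through an `Envelope` that has no setters. All type and function names are hypothetical; the limits are the ones in the cure program on this page.

```rust
// Added illustration; every name here is hypothetical, not ThermoLogic's API.
#[allow(dead_code)]
mod thermal {
    // One newtype per physical quantity, so the compiler refuses to mix them.
    #[derive(Debug, Clone, Copy, PartialEq, PartialOrd)]
    pub struct Temp(pub f64); // degrees Celsius
    #[derive(Debug, Clone, Copy, PartialEq, PartialOrd)]
    pub struct RampRate(pub f64); // degrees Celsius per minute
    #[derive(Debug, Clone, Copy, PartialEq, PartialOrd)]
    pub struct Pct(pub f64); // percent
    #[derive(Debug, Clone, Copy, PartialEq)]
    pub struct Minutes(pub u32);

    #[derive(Debug, Clone, Copy, PartialEq)]
    pub enum Stage {
        Ramp { to: Temp, rate: RampRate },
        Soak { at: Temp, hold: Minutes },
        Dwell { at: Temp, hold: Minutes, floor: Temp },
        Cool { to: Temp, rate: RampRate },
    }

    #[derive(Debug, PartialEq)]
    pub enum Reject {
        BadEnvelope,
        SetpointAboveCeiling { stage: usize, setpoint: Temp, ceiling: Temp },
        SetpointBelowFloor { stage: usize, setpoint: Temp, floor: Temp },
        RampOutOfBounds { stage: usize, rate: RampRate, max: RampRate },
        DwellFloorAboveSetpoint { stage: usize },
    }

    // Private fields and no setters: once built, the limits cannot be changed
    // by code outside this module.
    #[derive(Debug, Clone, Copy)]
    pub struct Envelope { floor: Temp, ceiling: Temp, ramp_max: RampRate }

    impl Envelope {
        pub fn new(floor: Temp, ceiling: Temp, ramp_max: RampRate) -> Result<Self, Reject> {
            let finite = floor.0.is_finite() && ceiling.0.is_finite() && ramp_max.0.is_finite();
            if finite && floor < ceiling && ramp_max.0 > 0.0 {
                Ok(Envelope { floor, ceiling, ramp_max })
            } else {
                Err(Reject::BadEnvelope)
            }
        }
        fn check_temp(&self, stage: usize, t: Temp) -> Result<(), Reject> {
            // Negated comparisons so that NaN is rejected rather than passed.
            if !(t <= self.ceiling) {
                return Err(Reject::SetpointAboveCeiling { stage, setpoint: t, ceiling: self.ceiling });
            }
            if !(t >= self.floor) {
                return Err(Reject::SetpointBelowFloor { stage, setpoint: t, floor: self.floor });
            }
            Ok(())
        }
        fn check_rate(&self, stage: usize, r: RampRate) -> Result<(), Reject> {
            if !(r.0 > 0.0 && r <= self.ramp_max) {
                return Err(Reject::RampOutOfBounds { stage, rate: r, max: self.ramp_max });
            }
            Ok(())
        }
    }

    // A Program can only be obtained from compile(), so holding one is proof
    // that every stage was checked against the envelope.
    #[derive(Debug)]
    pub struct Program { envelope: Envelope, stages: Vec<Stage> }

    impl Program {
        pub fn compile(envelope: Envelope, stages: Vec<Stage>) -> Result<Self, Reject> {
            for (i, s) in stages.iter().enumerate() {
                let n = i + 1; // 1-based, like "stage 04" in the errors above
                match *s {
                    Stage::Ramp { to, rate } | Stage::Cool { to, rate } => {
                        envelope.check_temp(n, to)?;
                        envelope.check_rate(n, rate)?;
                    }
                    Stage::Soak { at, .. } => envelope.check_temp(n, at)?,
                    Stage::Dwell { at, floor, .. } => {
                        envelope.check_temp(n, at)?;
                        envelope.check_temp(n, floor)?;
                        if !(floor <= at) {
                            return Err(Reject::DwellFloorAboveSetpoint { stage: n });
                        }
                    }
                }
            }
            Ok(Program { envelope, stages })
        }
        pub fn stages(&self) -> &[Stage] { &self.stages }
        pub fn ceiling(&self) -> Temp { self.envelope.ceiling }
    }
}
use thermal::*;

// The cure program from this page, restated with the hypothetical types above.
fn page_program(dwell_at: f64) -> Result<Program, Reject> {
    let env = Envelope::new(Temp(0.0), Temp(185.0), RampRate(3.0))?;
    Program::compile(env, vec![
        Stage::Ramp { to: Temp(82.0), rate: RampRate(2.5) },
        Stage::Soak { at: Temp(82.0), hold: Minutes(30) },
        Stage::Ramp { to: Temp(177.0), rate: RampRate(2.5) },
        // Writing `rate: Pct(12.0)` in a Ramp is a mismatched-types build error.
        Stage::Dwell { at: Temp(dwell_at), hold: Minutes(120), floor: Temp(176.0) },
        Stage::Cool { to: Temp(60.0), rate: RampRate(3.0) },
    ])
}

fn main() {
    println!("{:?}", page_program(177.0).map(|p| p.stages().len()));
    println!("{:?}", page_program(187.0).err());
}
```

The type mismatch is caught by the Rust compiler itself, while the ceiling violation surfaces as an `Err` at construction time; a DSL compiler could report both before flashing.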
// 02 · Control Architecture
A control stack that respects what the physics is doing.

PID is the floor, not the ceiling. The loop engine composes cascade, feedforward, gain-scheduled, and predictive topologies into the program the user actually declared. A heater with a tool mass under it does not need the same loop as a battery cell next to a coolant plate; both are spelled in the same language and resolve to whatever topology fits the physics.

The adaptive tuner is corpus-grounded. The loop does not auto-tune by injecting steps and watching what happens — it tunes against the history of every prior cycle on this asset, on this tool, on this cell, weighted by similarity. The result is a starting set of gains that already knows how this thing behaves on a Tuesday morning in February, before the first sample is taken.

Anti-windup, bumpless transfer, manual takeover, and synchronized multi-zone coordination are not configuration switches — they are properties of the loop the program declares. When an operator takes a zone manual mid-cure, the program does not lose the integral. When a thermocouple opens, the affected zone fails to its declared safe state in milliseconds. When a multi-zone article needs every zone to ramp in lock-step, the controller synchronizes them at the language level, not the wiring level.

Topologies
PID · cascade · feedforward · gain-scheduled · Smith predictor · multi-zone synchronized · model-predictive (where the physics warrants)
Adaptive
corpus-weighted gain estimation · per-asset learned response · drift-aware over thousands of cycles
Saturation
anti-windup at the integrator · bumpless transfer on auto/manual switch · ramp limiter at language level
Coordination
multi-zone lock-step ramps · master/follower hierarchies · cross-loop fault propagation
Fault response
declared per fault class · sub-millisecond decision · fail-to target compile-checked against safe-state envelope
Determinism
deterministic loop period · the same input on the same firmware produces the same output, every time
control_stack · architecture overview RUNTIME · DETERMINISTIC LOOP
// Sensor Layer: TC (K · T · J · R · S · B · N · E) · RTD (Pt100 / Pt1000 · 2/3/4-wire) · CT clamp · pressure · position
// Sensor Fusion + Drift Comp: NIST ITS-90 linearization · CJC · fleet-corpus drift detection · open / short / OOR / lag classification
// State Estimator: multi-sensor reconciliation · redundant-channel voting · soft sensors where physics permits
// Loop Engine: PID · cascade · feedforward · gain-scheduled · Smith predictor · multi-zone synchronized · model-predictive
// Adaptive Tuner: corpus-weighted gain estimation · per-asset learned response · NOT Ziegler-Nichols step response
// Safety Envelope: compile-enforced · runtime-sealed · setpoint ceiling / floor · ramp_max · fault classes · fail-to state
// HAL / Actuator Layer: SSR · PWM · DAC · relay banks · fan drivers · valve actuators · IO-Link / Modbus / OPC UA / CAN passthrough
// Determinism · capability matrix
Loop rate: 1 kHz typical · 10 kHz capable on dedicated channels
Soak hold: ±0.1 °C
Soak σ: 0.18 °C across the cycle, 10k-cycle median
Fault → safe: < 1 ms decision · declared per fault class
Multi-zone: synchronized ramps across N zones · phase-locked at compile
Manual takeover: bumpless transfer · integral preserved · audit-logged
Cold-start to commission: < 30 min · corpus-seeded gains
// 03 · Sensor Stack
Every channel is a first-class citizen.

Sensor diversity is the entry point. A composite cure shop runs Type T below 250°C and Type K above. An aerospace TVAC chamber runs Type B for the high zones and platinum RTDs for the cold side. A battery container runs hundreds of cell-level thermistors in parallel. The HAL accepts every standard TC type and RTD configuration without firmware-side conditional logic — the channel declares its type, the program reads the value.

Fault detection is sub-millisecond and corpus-aware. Open, short, out-of-range, drift, and lag are five distinct fault classes — each with its own detection method, its own confidence interval, and its own declared fail-to response. A thermocouple two degrees out of agreement with its three sibling channels is flagged before the affected zone moves a single degree past the envelope.

Drift compensation is the second-order intelligence — it is what makes the fleet learn. The corpus knows what every TC on this asset has read at every setpoint, in every season, across every cycle. A two-degree-high pyrometer that has read two degrees high for a week is detected, isolated to a single junction, and compensated at the loop level long before the QA engineer asks about the soft Rockwell on the witness coupon.

TC types
K (-200 → 1372°C) · T (-200 → 400°C) · J (-210 → 1200°C) · R / S / B (high temp · platinum) · N (drift-resistant) · E (cryogenic)
RTD
Pt100 · Pt1000 · 2/3/4-wire · lead-resistance compensation per wire count
ADC depth
24-bit on TC + RTD channels · sufficient resolution to read sub-0.05°C deltas
Linearization
NIST ITS-90 polynomial tables, every TC type, every range
CJC
cold-junction compensation per terminal block · isothermal-block-aware
Fault classes
open · short · out-of-range · drift · lag · each with declared detection + response
Voting
redundant-channel reconciliation · majority-rule · disagreement triggers fault
Drift
corpus-grounded · per-junction signature · isolates to the single TC at fault
sensor_stack · fault classification matrix SUB-MS DECISION · CORPUS-AWARE
// TC channel inventory · all standard types supported
Type K: -200 → 1372°C · general purpose · most common in heat-treat + composites
Type T: -200 → 400°C · cold-chain · medical · low-temp process
Type J: -210 → 1200°C · legacy + reducing atmospheres
Type R · S · B: platinum · 0 → 1820°C · vacuum furnace · sapphire growth · precious-metal precision
Type N: -200 → 1300°C · drift-resistant for long-duration cures
Type E: -200 → 1000°C · highest EMF/°C · cryogenic + low-noise
RTD Pt100 / Pt1000: 2 / 3 / 4-wire · lead-resistance compensation per wire count
// Fault classification · 5 classes · declared response
OPEN: infinite resistance · detected sub-ms · fail-to declared safe state immediately
SHORT: zero resistance · CJC reads anomaly · same response as OPEN
OUT-OF-RANGE: reading outside type-physical bounds · channel disabled · fault-on per declared response
DRIFT: corpus-detected · slow bias against sibling channels · isolated to single junction · compensated at loop level
LAG: commanded ramp vs measured rate · zone-affected hold extended OR cycle paused per program
// Performance envelope
Channel count: up to 256 per controller · expandable via HAL bus passthrough
Sample rate: 100 ms standard · 10 ms high-rate · 1 ms on dedicated channels
Voting latency: < 1 ms across redundant channel groups
Drift detection: corpus query window per channel · per-asset signature persists across reboots
Corpus retention: 10 years default · per-channel timestamped & signed · audit-grade
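One way the open / short / out-of-range classes and majority-rule voting from this section could fit together, as an added Rust example that is not ThermoLogic code. The `Raw` front-end interface, the median-based vote and the 2 °C tolerance are assumptions; the type ranges are the ones in the channel inventory above, and the readings are constructed.

```rust
// Added illustration; names and thresholds are hypothetical, not ThermoLogic's.
#[allow(dead_code)]
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum TcType { K, T, J, N, E }

impl TcType {
    // Physical range in degrees Celsius, as listed in the channel inventory.
    fn bounds(self) -> (f64, f64) {
        match self {
            TcType::K => (-200.0, 1372.0),
            TcType::T => (-200.0, 400.0),
            TcType::J => (-210.0, 1200.0),
            TcType::N => (-200.0, 1300.0),
            TcType::E => (-200.0, 1000.0),
        }
    }
}

// What the analog front end reports for one channel (assumed interface).
#[allow(dead_code)]
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Raw { Open, Short, Celsius(f64) }

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Fault { Open, Short, OutOfRange, Disagree }

#[derive(Debug, PartialEq)]
pub struct Verdict {
    pub value: Option<f64>,          // voted temperature, None when failing safe
    pub faults: Vec<(usize, Fault)>, // (channel index, fault class)
    pub fail_safe: bool,
}

pub fn vote(tc: TcType, group: &[Raw], tol_c: f64) -> Verdict {
    let (lo, hi) = tc.bounds();
    let mut faults = Vec::new();
    let mut healthy: Vec<(usize, f64)> = Vec::new();
    let mut hard_fault = false;
    for (i, r) in group.iter().enumerate() {
        match *r {
            // Open and short go straight to the safe state, as the matrix says.
            Raw::Open => { faults.push((i, Fault::Open)); hard_fault = true; }
            Raw::Short => { faults.push((i, Fault::Short)); hard_fault = true; }
            // Out-of-range channels are disabled; the negated test also catches NaN.
            Raw::Celsius(v) if !(lo <= v && v <= hi) => faults.push((i, Fault::OutOfRange)),
            Raw::Celsius(v) => healthy.push((i, v)),
        }
    }
    // Compare each remaining channel with the group median.
    let mut agreeing: Vec<f64> = Vec::new();
    if !healthy.is_empty() {
        let mut sorted: Vec<f64> = healthy.iter().map(|&(_, v)| v).collect();
        sorted.sort_by(|a, b| a.total_cmp(b));
        let n = sorted.len();
        let median = if n % 2 == 1 { sorted[n / 2] } else { (sorted[n / 2 - 1] + sorted[n / 2]) / 2.0 };
        for &(i, v) in &healthy {
            if (v - median).abs() > tol_c {
                faults.push((i, Fault::Disagree));
            } else {
                agreeing.push(v);
            }
        }
    }
    faults.sort_by_key(|&(i, _)| i);
    // A strict majority of the whole group must agree; two channels that
    // disagree cannot tell us which one is wrong, so that case fails safe.
    let majority = agreeing.len() * 2 > group.len();
    let fail_safe = hard_fault || !majority;
    let value = if fail_safe {
        None
    } else {
        Some(agreeing.iter().sum::<f64>() / agreeing.len() as f64)
    };
    Verdict { value, faults, fail_safe }
}

fn main() {
    // Constructed readings: three siblings agree, channel 3 reads about 2.5 °C high.
    let group = [Raw::Celsius(177.8), Raw::Celsius(177.6), Raw::Celsius(177.9), Raw::Celsius(180.3)];
    println!("{:?}", vote(TcType::K, &group, 2.0));
}
```

Drift and lag need history (the corpus, or the commanded ramp) and are outside what a single sample can classify, so they are not modelled here.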
// 04 · Safety
Safety is declared, not procedural — it is in the source code, not on a screen.

An envelope is not a setpoint. setpoint_ceiling, setpoint_floor, ramp_max, dwell_max, and the fault classes that bound them are properties of the program source. They are sealed at compile and remain sealed for the life of the flash. No menu, no admin password, no operator combination dials past them — the controller does not know how to violate the envelope, because the firmware that would do so does not exist on the device.

Fail-to is physics, not a callback. Every envelope declares the state the system enters when control is lost — cold_vented for a composite oven, hold_isolated for a battery rack, dark for a clean-room lamp, flooded for a cryogenic transfer. The state is reached by the physical hardware — relays normally-open, SSRs opto-isolated, solenoids spring-return — not by a routine that may or may not run.

Functional-safety targets are compile-time gates. A program targeted at a SIL 3 medical or aerospace asset will not compile against a SIL 2 controller binary. AMS 2750G, 21 CFR Part 11, ISO 13485, DO-178C, IEC 61508 — each declared as a program-level constraint, each verified before flash, each cryptographically signed into the audit corpus alongside every cycle the program runs. Certification is not a sticker; it is a property of the file.

envelope
declared safety region · ceiling · floor · ramp_max · dwell_max · sealed at flash · immutable at runtime
fail_to
physics-defined safe state · reached by hardware bias, not by code path
watchdog
independent silicon · hardware reset on missed heartbeat · cannot be masked by firmware
interlock
external chain · breaks the heat path before the loop knows · door / over-temp / cooling-loss
voting
redundant-sensor reconciliation · disagreement triggers fault before motion past envelope
SIL
IEC 61508 target · runtime-mapped to declared envelope strictness · per-industry
traceability
21 CFR Part 11 + AMS 2750G · every event time-locked and cryptographically signed
audit
immutable corpus · per-controller hw-id signature · exportable, queryable, court-grade
safety_envelope · declaration + fail-to decision COMPILE-ENFORCED · RUNTIME-SEALED
safety_envelope CompositeCure_IM7_8552 : Envelope {
  setpoint_ceiling:  Temp(185°C)               // sealed · cannot be raised at runtime
  setpoint_floor:    Temp(0°C)
  ramp_max:          RampRate(3.0°C/min)
  dwell_max:         Dur(240 min)

  fault_on: [
    tc_open, tc_short, tc_out_of_range,
    drift_exceeds(Temp(2°C)),
    voting_disagreement > Pct(5),
    comms_loss > Dur(5s),
    watchdog_miss
  ]
  fail_to:  State.ColdVented             // physics · relays NO · SSR opto-iso · solenoid spring

  certification: [
    "AMS_2750G", "NADCAP_AC7118",
    "IEC_61508_SIL2", "AS9100D"
  ]
  audit:    { every: Dur(100ms), sign: hw_id, retain: Dur(10y) }
}
// Runtime-rejection · what the device will not do
RUNTIME REJECTED · TL.R0103 · envelope ceiling raise blocked
PUT /api/envelope { setpoint_ceiling: 200°C }
^^^^^
envelope is sealed at flash. raising the ceiling requires a re-signed, re-certified binary. no API path exists on the running device.
RUNTIME REJECTED · TL.R0214 · fail_to override blocked
operator: DISMISS tc_open fault on zone 04
^^^^^^^
fail_to state for tc_open is ColdVented. operator dismissal does not exist as a command. service the channel; restart the cycle from a checkpoint.
RUNTIME REJECTED · TL.R0301 · unsigned binary refused at boot
boot: load firmware-modified.bin
^^^^^^^^^^^^^^^^^^^^^^
signature chain does not verify against the controller's certification root. the device will not boot the image. the unaltered prior image stays resident.
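An added example (not ThermoLogic source and not TCS code): C showing how one loop tick could evaluate limits from the CompositeCure_IM7_8552 declaration and refuse a setpoint above the sealed ceiling, as in the TL.R0103 case above. The function names, the three-channel median vote, the percent base for voting disagreement and the ramp check against measured rate are assumptions; the sample readings are constructed.

```c
#include <math.h>
#include <stddef.h>

/* Limits copied from the CompositeCure_IM7_8552 declaration on this page.
   const: placed in read-only flash, so no runtime path can rewrite them. */
typedef struct {
    double ceiling_c, floor_c, ramp_max_c_per_min, vote_pct, comms_loss_s;
} envelope_t;
static const envelope_t ENV = { 185.0, 0.0, 3.0, 5.0, 5.0 };

typedef enum { V_OK, V_SENSOR, V_VOTING, V_ENVELOPE, V_COMMS, V_RAMP, V_SETPOINT } verdict_t;

/* Median of three redundant channels: one bad junction cannot move it. */
static double median3(double a, double b, double c) {
    if ((a >= b && a <= c) || (a <= b && a >= c)) return a;
    if ((b >= a && b <= c) || (b <= a && b >= c)) return b;
    return c;
}

/* Worst channel deviation from the voted value, in percent of that value
   (assumption: the page does not define the base of Pct(5)). */
double vote_spread_pct(const double ch[3]) {
    double m = median3(ch[0], ch[1], ch[2]), worst = 0.0;
    for (size_t i = 0; i < 3; i++)
        if (fabs(ch[i] - m) > worst) worst = fabs(ch[i] - m);
    return 100.0 * worst / fabs(m);   /* m == 0 gives inf or NaN: a fault */
}

/* One loop tick. Tests are written as !(x <= limit) so NaN and infinity fail
   closed. Any verdict other than V_OK means: stop commanding heat. */
verdict_t evaluate(const double ch[3], double prev_c, double dt_s,
                   double comms_age_s, double setpoint_c) {
    for (size_t i = 0; i < 3; i++)
        if (!isfinite(ch[i])) return V_SENSOR;      /* stands in for tc_open */
    double t = median3(ch[0], ch[1], ch[2]);
    if (!(vote_spread_pct(ch) <= ENV.vote_pct)) return V_VOTING;
    if (!(t >= ENV.floor_c && t <= ENV.ceiling_c)) return V_ENVELOPE;
    if (!(comms_age_s <= ENV.comms_loss_s)) return V_COMMS;
    double rate = fabs((t - prev_c) / (dt_s / 60.0));   /* degC per minute */
    if (!(rate <= ENV.ramp_max_c_per_min)) return V_RAMP;
    if (!(setpoint_c >= ENV.floor_c && setpoint_c <= ENV.ceiling_c))
        return V_SETPOINT;            /* refused outright, never clamped */
    return V_OK;
}

int main(void) {
    const double ch[3] = { 178.1, 177.6, 177.9 };   /* constructed sample */
    return evaluate(ch, 177.8, 60.0, 0.2, 200.0) == V_SETPOINT ? 0 : 1;
}
```

The out-of-envelope setpoint is rejected rather than clamped, so a caller cannot learn the ceiling by probing and the stored setpoint never changes on a refused request.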
// Fail-to decision matrix · response is declared, not derived
tc_open · short: heat path cut at SSR · relays drop · vent opens · declared safe state reached < 20 ms
out_of_range: channel disabled · zone failed · sibling zones continue or pause per program
drift_exceeds: corpus-isolated to single junction · compensated at loop · flagged for next-cycle service
voting_disagree: zone held in place · operator notified · cycle paused before motion past envelope
comms_loss: local controller autonomous · fail_to enters after 5 s no-heartbeat · corpus catches up on reconnect
watchdog_miss: independent silicon resets the MCU · power-stage hardware-biased to safe state during reset
power_loss: physical fail-safe · NO relays open · NC valves close · SSR opto-iso defaults dark · no firmware involvement
// Functional-safety targets · per-industry · compile-time verified
Medical: SIL 3 · 21 CFR Part 11 · ISO 13485 · IEC 60601 · GxP / GAMP 5
Aerospace: SIL 3 · DO-178C DAL B · MIL-STD-1540 · AMS 2750G · NADCAP AC7102
Industrial HT: SIL 2 · AMS 2750G · NADCAP AC7102 · ISO 17025
Composites: SIL 2 · AMS 2750G · NADCAP AC7118 · AS9100D
Energy: SIL 2 · UL 9540A · IEC 61508 · NFPA 855 · IEC 62619
Consumer: non-SIL · UL / CE / FCC · NSF where wetted
Motorsport: non-SIL · series tech regulations · insurance underwriter envelope
// Defense in depth · 7 independent layers · each survives the failure of the one above
L1 · Type system: unit mismatch · out-of-envelope · missing fail_to → does not compile
L2 · Signed binary: flash refuses unsigned firmware · certification chain verified at boot · supply-chain attested
L3 · Sealed envelope: runtime-immutable · no menu / API / debug path raises ceiling · no admin override exists
L4 · Sensor voting: redundant-channel disagreement triggers fault before motion past envelope
L5 · Software WDT: per-task heartbeat · firmware self-check · controlled shutdown on stall
L6 · Silicon WDT: external IC · separate clock domain · hardware reset on miss · cannot be masked by firmware
L7 · Physical fail-safe: NO relays · NC valves · SSR opto-iso · springs · no firmware involvement at all
// 05 · HAL
A hardware abstraction layer that respects the plant floor. The bus is the bus.

The HAL is declared, not stitched. A channel says what it is — a Type K thermocouple on a 24-bit isolated front end, a 4–20 mA actuator on RS-485, a contactor on a CAN-Open node — and the language resolves the path. The control program does not know what bus an actuator sits on; the safety envelope does not care whether voting reconciles between two channels on the same isolated front end or across a Modbus segment. Replace the back end and the program continues to compile.

Industrial protocols are first-class. Modbus RTU + TCP, EtherCAT, PROFINET, EtherNet/IP, OPC UA, BACnet, CAN-Open, MQTT — each ships as a transport that the language consumes, not a sidecar with its own configuration tool and its own failure modes. A point on the EtherCAT ring and a register on a Modbus slave both publish as a typed channel; the program declares which one it wants and the HAL holds the rope.

Isolation is non-negotiable. Every signal that enters the controller crosses an isolation barrier — galvanic on TC and RTD front ends, reinforced opto on SSR and contactor outputs, transformer-coupled on industrial Ethernet, transceiver-isolated on RS-485 and CAN. The plant floor is electrically loud; the controller treats every line as hostile until proven otherwise.

bus
physical layer · UART · SPI · I²C · CAN · RS-485 · Ethernet · USB · 802.11 · LoRa · BLE
protocol
Modbus RTU/TCP · EtherCAT · PROFINET · EtherNet/IP · OPC UA · BACnet · CAN-Open · MQTT · DNP3
driver
channel-typed binding · TC · RTD · CT · pressure · position · SSR · contactor · valve · VFD · gateway
transceiver
isolated line driver · reinforced opto · CAN xcvr · RS-485 xcvr · industrial PHY
isolation
galvanic · opto · transformer · 5kV reinforced on safety-critical paths · per IEC 60601-1 / IEC 61010
gateway
protocol-bridge driver · Modbus ↔ MQTT · OPC UA ↔ CAN-Open · declared at HAL, transparent to program
namespace
flat channel name space across buses · `front.tc.04` resolves identically over EtherCAT or Modbus
timing
per-bus deterministic budget · EtherCAT cycle 1ms · CAN 5ms · Modbus 50ms · enforced by the loop scheduler
hal · channel + bus + protocol declaration DECLARED · TYPE-CHECKED · ISOLATED
hal CompositeCellHAL : HAL {

  // internal front end · 24-bit isolated TC + RTD
  bus local : SPI(10 MHz, isolated: true) {
    driver tc[16] : TC_AD7124 { types: [K, T, J, N], cjc: per_block }
    driver rtd[4]  : RTD_MAX31865 { wiring: FourWire, ref: 4.02 kΩ }
  }

  // power stage · opto-isolated SSR + contactor
  bus power : GPIO(isolated: true, opto: Reinforced_5kV) {
    driver ssr[8]      : SSR_ZeroCross      { fail_to: open }
    driver contactor[4] : Contactor_NO      { fail_to: open, aux_feedback: true }
  }

  // field bus · industrial Ethernet ring
  bus field : EtherCAT(cycle: Dur(1ms), redundancy: RingDual) {
    node vfd_blower   : CIA402_VFD     { fail_to: coast }
    node vfd_chiller  : CIA402_VFD     { fail_to: coast }
    node vacuum_valve : Valve_SpringRtn { fail_to: vented }
  }

  // process bus · Modbus to legacy plant SCADA
  bus scada : RS485(115200, isolated: true) {
    protocol: Modbus_RTU(slave_id: 17, cycle: Dur(50ms))
    map: corpus.expose("holding[0..127]")
  }

  // north bus · OPC UA + MQTT to fleet corpus
  bus north : Ethernet(1 GbE, isolated: TransformerCoupled) {
    protocol: OPC_UA(security: Basic256Sha256, role: server)
    protocol: MQTT(broker: fleet.tcs.io, tls: mTLS, qos: 1)
  }
}
// Buses supported · physical layer
UART · SPI · I²C: on-board sensor + actuator front ends · 24-bit ADC TC/RTD · GPIO expanders
CAN · CAN-FD: distributed actuator + sensor nodes · CAN-Open · J1939 · 500k–5M
RS-485 · RS-422: Modbus RTU · DMX · DNP3 · isolated transceiver default · up to 1.2 km
Industrial Ethernet: EtherCAT · PROFINET · EtherNet/IP · ring + line topologies · sub-ms cycle
Standard Ethernet: OPC UA · MQTT · HTTPS · 100 Mbps / 1 GbE · transformer-coupled · mTLS
USB: CDC console · MSC log export · firmware load (signed only) · diagnostic-port only on cert builds
Wireless: 802.11ax · BLE 5.3 · LoRa for remote pendant · disabled by default on cert builds
// Industrial protocols · first-class language transports
Modbus RTU/TCP: slave + master · 127-register window · channel↔register map declared at HAL
EtherCAT: main + sub-device · CiA 402 motion · CoE · FoE for firmware push · ring redundancy
PROFINET: IO device class B · IRT-aware · conformance-class B certified
EtherNet/IP: CIP scanner + adapter · implicit + explicit messaging · ODVA conformance
OPC UA: server + client · pub-sub · Basic256Sha256 security · companion specs for thermal
BACnet · CAN-Open: BACnet/IP + MS/TP for building HVAC · CAN-Open + J1939 for mobile + distributed
MQTT · HTTPS: fleet corpus uplink · mTLS pinned · QoS 1 default · store-and-forward on link loss
// Driver classes · channel-typed bindings · what the HAL knows how to talk to
TC · RTD: 24-bit · NIST ITS-90 linearized · CJC per terminal · 2/3/4-wire RTD
CT · pressure · flow: 4–20 mA · 0–10 V · pulse · per-channel isolation · calibration declared
SSR · contactor: zero-cross + phase-angle · aux-contact feedback · fail-to declared per envelope
Valve · solenoid: spring-return · proportional · fail-to vented / closed / open · current monitored
VFD: CiA 402 motion profile · torque + speed + position · braking declared · fail-to coast
HMI · pendant: local touch · remote LoRa pendant · authority declared per role · operator vs supervisor
Gateway: Modbus ↔ MQTT · OPC UA ↔ CAN-Open · protocol bridging at HAL, not at program
// Isolation requirements · per signal class · cert-grade
TC / RTD input: galvanic · 2.5 kV channel-to-channel · 5 kV channel-to-ground
SSR / contactor: reinforced opto · 5 kV · per IEC 61010-1 + IEC 60601-1 (medical)
Industrial Ethernet: transformer-coupled · 1.5 kV · cable-shield bonded per PROFINET / EtherCAT spec
RS-485 / CAN: isolated transceiver · 5 kV · failsafe biasing · ESD protected
USB / pendant: isolated USB · 2.5 kV · disabled on cert builds unless required by service profile
// Shipped · firmware cadence
One bench-verified feature, one cut. No silent updates. The version history is a public record.
2026-05-13 v1.15.2.10 Display Tier System Six runtime-switchable display tiers — Basic through Emperor — owned by the firmware, not compiled in.
2026-04-29 v1.15.0 Skin dispatch · v4 brand SmartControl picker UI, 13-product brand lockup library, LVGL asset pipeline.
2026-03-18 v1.14.0 Dual-channel control Independent front/rear control loops with a shared safety envelope and synchronized fault paths.
2026-02-04 v1.13.11 PSRAM heap · 12-slot LVGL heap relocated to PSRAM. Memory headroom for the full product line and richer display surfaces.
2026-01-09 v1.13.0 NTP-ready clock Async WiFi state machine, NVS-backed settings store, manual clock with NTP fall-in.