Lift System
The Lift System
The lift system consists of the lift plant
and of the automated software controller;
and, it is a structured system.
Here we use our method to express its relevant properties,
which are mainly about how its subparts influence each other.
The produced specification may be considered as a precise definition
of the requirements on the controller, stating precisely how it
will affect and interact with the lift plant.
Lift System: Parts and Constituent Features
Lift System: Property Spreadsheet
-
CALL:CALL
-
- incompat1
- CALL(f1) incompatible with CALL(f2)
(No two calls may be received simultaneously)
- pre-cond1
- post-cond1
- if CALL(f) happen then
in any case eventually LP.cabinPosition = f and LP.motorStatus =
stop and LP.doorPosition(f) = open
(Any received call for a given floor will be eventually
satisfied in any case)
- vital1
- in any case eventually in one case CALL(f) happen
(In any case eventually will be able to receive a
call for a given floor)
- loc-glob1
- if CALL(f) happen then CN.CALL(f) happen
if CN.CALL(f) happen then CALL(f)
(The calls are received by the controller)
-
CALL:LP.CABINPOSITION
-
- loc-glob2
-
CALL:LP.DOORPOSITION
-
- loc-glob2
-
CALL:LP.MOTORSTATUS
-
- loc-glob2
-
CALL:LP.OPENDOOR
-
- loc-glob2
-
CALL:LP.CLOSEDOOR
-
- loc-glob2
-
CALL:LP.MOTORSTOP
-
- loc-glob2
-
CALL:LP.MOTORUP
-
- loc-glob2
-
CALL:LP.MOTORDOWN
-
- loc-glob2
-
CALL:LP.USERINSIDE
-
- loc-glob2
-
CALL:CN.CABINPOSITION
-
- loc-glob2
-
CALL:CN.DOORPOSITION
-
- loc-glob2
-
CALL:CN.MOTORSTATUS
-
- loc-glob2
-
CALL:CN.OPENDOOR
-
- loc-glob2
-
CALL:CN.CLOSEDOOR
-
- loc-glob2
-
CALL:CN.MOTORSTOP
-
- loc-glob2
-
CALL:CN.MOTORUP
-
- loc-glob2
-
CALL:CN.MOTORDOWN
-
- loc-glob2
-
CALL:CN.USERINSIDE
-
- loc-glob2
-
CALL:CN.CALL
-
- loc-glob2
- if CALL(f) happen then CN.CALL(f) happen
if CN.CALL(f) happen then CALL(f)
(The calls are received by the controller)
-
CALL:LP
-
- pre-cond2
- post-cond2
- vital2
-
CALL:CN
-
- pre-cond2
- post-cond2
- vital2
-
LP.CABINPOSITION:CALL
-
- loc-glob2
-
LP.CABINPOSITION:LP.CABINPOSITION
-
- synchr1
- if LP.CABINPOSITION(f) happen then CN.CABINPOSITION(f)
happen
if CN.CABINPOSITION(f) happen then LP.CABINPOSITION(f) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
LP.CABINPOSITION:CN.CABINPOSITION
-
- synchr1
- if LP.CABINPOSITION(f) happen then
CN.CABINPOSITION(f) happen
if CN.CABINPOSITION(f) happen then
LP.CABINPOSITION(f) happen
-
LP.CABINPOSITION:CN.DOORPOSITION
-
- synchr2
-
LP.CABINPOSITION:CN.MOTORSTATUS
-
- synchr2
-
LP.CABINPOSITION:CN.OPENDOOR
-
- synchr2
-
LP.CABINPOSITION:CN.CLOSEDOOR
-
- synchr2
-
LP.CABINPOSITION:CN.MOTORSTOP
-
- synchr2
-
LP.CABINPOSITION:CN.MOTORUP
-
- synchr2
-
LP.CABINPOSITION:CN.MOTORDOWN
-
- synchr2
-
LP.CABINPOSITION:CN.USERINSIDE
-
- synchr2
-
LP.CABINPOSITION:CN.CALL
-
- loc-glob2
-
LP.CABINPOSITION:CN
-
- pre-cond2
- post-cond2
- vital2
-
LP.DOORPOSITION:CALL
-
- loc-glob2
-
LP.DOORPOSITION:LP.DOORPOSITION
-
- synchr1
- if LP.DOORPOSITION(f,dps) happen then
CN.DOORPOSITION(f,dps) happen
happen
if CN.DOORPOSITION(f,dps) happen then
LP.DOORPOSITION(f,dps) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
LP.DOORPOSITION:CN.CABINPOSITION
-
- synchr2
-
LP.DOORPOSITION:CN.DOORPOSITION
-
- synchr2
- if LP.DOORPOSITION(f,dps) happen then
CN.DOORPOSITION(f,dps) happen
if CN.DOORPOSITION(f,dps) happen
then LP.DOORPOSITION(f,dps) happen
-
LP.DOORPOSITION:CN.MOTORSTATUS
-
- synchr2
-
LP.DOORPOSITION:CN.OPENDOOR
-
- synchr2
-
LP.DOORPOSITION:CN.CLOSEDOOR
-
- synchr2
-
LP.DOORPOSITION:CN.MOTORSTOP
-
- synchr2
-
LP.DOORPOSITION:CN.MOTORUP
-
- synchr2
-
LP.DOORPOSITION:CN.MOTORDOWN
-
- synchr2
-
LP.DOORPOSITION:CN.USERINSIDE
-
- synchr2
-
LP.DOORPOSITION:CN.CALL
-
- synchr2
-
LP.DOORPOSITION:CN
-
- pre-cond2
- post-cond2
- vital2
-
LP.MOTORSTATUS:CALL
-
- loc-glob2
-
LP.MOTORSTATUS:LP.MOTORSTATUS
-
- synchr1
- if LP.MOTORSTATUS(ms) happen then CN.MOTORSTATUS(ms)
happen
if CN.MOTORSTATUS(ms) happen then LP.MOTORSTATUS(ms) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
LP.MOTORSTATUS:CN.CABINPOSITION
-
- synchr2
-
LP.MOTORSTATUS:CN.DOORPOSITION
-
- synchr2
-
LP.MOTORSTATUS:CN.MOTORSTATUS
-
- synchr2
- if LP.MOTORSTATUS(ms) happen then
CN.MOTORSTATUS(ms) happen
if CN.MOTORSTATUS(ms) happen then
LP.MOTORSTATUS(ms) happen
-
LP.MOTORSTATUS:CN.OPENDOOR
-
- synchr2
-
LP.MOTORSTATUS:CN.CLOSEDOOR
-
- synchr2
-
LP.MOTORSTATUS:CN.MOTORSTOP
-
- synchr2
-
LP.MOTORSTATUS:CN.MOTORUP
-
- synchr2
-
LP.MOTORSTATUS:CN.MOTORDOWN
-
- synchr2
-
LP.MOTORSTATUS:CN.USERINSIDE
-
- synchr2
-
LP.MOTORSTATUS:CN.CALL
-
- synchr2
-
LP.MOTORSTATUS:CN
-
- pre-cond2
- post-cond2
- vital2
-
LP.CLOSEDOOR:CALL
-
- loc-glob2
-
LP.CLOSEDOOR:LP.CLOSEDOOR
-
- synchr2
- if LP.CLOSEDOOR(f) happen then
CN.CLOSEDOOR(f) happen
if CN.CLOSEDOOR(f) happen then
LP.CLOSEDOOR(f) happen
-
LP.CLOSEDOOR:CN.CABINPOSITION
-
- synchr2
-
LP.CLOSEDOOR:CN.DOORPOSITION
-
- synchr2
-
LP.CLOSEDOOR:CN.MOTORSTATUS
-
- synchr2
-
LP.CLOSEDOOR:LP.CLOSEDOOR
-
- synchr2
- if LP.CLOSEDOOR(f) happen then
CN.CLOSEDOOR(f) happen
if CN.CLOSEDOOR(f) happen then LP.CLOSEDOOR(f) happen
-
LP.CLOSEDOOR:CN.MOTORSTOP
-
- synchr2
-
LP.CLOSEDOOR:CN.MOTORUP
-
- synchr2
-
LP.CLOSEDOOR:CN.MOTORDOWN
-
- synchr2
-
LP.CLOSEDOOR:CN.USERINSIDE
-
- synchr2
-
LP.CLOSEDOOR:CN.CALL
-
- synchr2
-
LP.MOTORSTATUS:CN
-
- pre-cond2
- post-cond2
- vital2
-
LP.OPENDOOR:CALL
-
- loc-glob2
-
LP.OPENDOOR:LP.OPENDOOR
-
- synchr2
- if LP.OPENDOOR(f) happen then
CN.OPENDOOR(f) happen
if CN.OPENDOOR(f) happen then LP.OPENDOOR(f) happen
-
LP.OPENDOOR:CN.CABINPOSITION
-
- synchr2
-
LP.OPENDOOR:CN.DOORPOSITION
-
- synchr2
-
LP.OPENDOOR:CN.MOTORSTATUS
-
- synchr2
-
LP.OPENDOOR:LP.CLOSEDOOR
-
- synchr2
-
LP.OPENDOOR:CN.MOTORSTOP
-
- synchr2
-
LP.OPENDOOR:CN.MOTORUP
-
- synchr2
-
LP.OPENDOOR:CN.MOTORDOWN
-
- synchr2
-
LP.OPENDOOR:CN.USERINSIDE
-
- synchr2
-
LP.OPENDOOR:CN.CALL
-
- synchr2
-
LP.MOTORSTATUS:CN
-
- pre-cond2
- post-cond2
- vital2
-
LP.MOTORSTOP:CALL
-
- loc-glob2
-
LP.MOTORSTOP:LP.MOTORSTOP
-
- synchr1
- if LP.MOTORSTOP happen then CN.MOTORSTOP
happen
if CN.MOTORSTOP happen then
LP.MOTORSTOP happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
LP.MOTORSTOP:CN.CABINPOSITION
-
- synchr2
-
LP.MOTORSTOP:CN.DOORPOSITION
-
- synchr2
-
LP.MOTORSTOP:CN.MOTORSTATUS
-
- synchr2
-
LP.MOTORSTOP:CN.OPENDOOR
-
- synchr2
-
LP.MOTORSDTOP:CN.CLOSEDOOR
-
- synchr2
-
LP.MOTORSTOP:CN.MOTORSTOP
-
- synchr2
- if LP.MOTORSTOP happen then CN.MOTORSTOP happen
if CN.MOTORSTOP happen then LP.MOTORSTOP happen
-
LP.MOTORSTOP:CN.MOTORUP
-
- synchr2
-
LP.MOTORSTOP:CN.MOTORDOWN
-
- synchr2
-
LP.MOTORSTOP:CN.USERINSIDE
-
- synchr2
-
LP.MOTORSTOP:CN.CALL
-
- synchr2
-
LP.MOTORSTOP:CN
-
- pre-cond2
- post-cond2
- vital2
-
LP.MOTORUP:CALL
-
- loc-glob2
-
LP.MOTORUP:LP.MOTORUP
-
- synchr1
- if LP.MOTORUP happen then CN.MOTORUP
happen
if CN.MOTORUP happen then LP.MOTORUP happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
LP.MOTORUP:CN.CABINPOSITION
-
- synchr2
-
LP.MOTORUP:CN.DOORPOSITION
-
- synchr2
-
LP.MOTORUP:CN.MOTORSTATUS
-
- synchr2
-
LP.MOTORUP:CN.OPENDOOR
-
- synchr2
-
LP.MOTORUP:CN.CLOSEDOOR
-
- synchr2
-
LP.MOTORUP:CN.MOTORSTOP
-
- synchr2
-
LP.MOTORUP:CN.MOTORUP
-
- synchr2
- if LP.MOTORUP happen then
CN.MOTORUP happen
if CN.MOTORUP happen then LP.MOTORUP happen
-
LP.MOTORUP:CN.MOTORDOWN
-
- synchr2
-
LP.MOTORUP:CN.USERINSIDE
-
- synchr2
-
LP.MOTORUP:CN.CALL
-
- synchr2
-
LP.MOTORUP:CN
-
- pre-cond2
- post-cond2
- vital2
-
LP.MOTORDOWN:CALL
-
- loc-glob2
-
LP.MOTORDOWN:LP.MOTORDOWN
-
- synchr1
- if LP.MOTORDOWN happen then CN.MOTORDOWN
happen
if CN.MOTORDOWN(f) happen then LP.MOTORDOWN happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
LP.MOTORDOWN:CN.CABINPOSITION
-
- synchr2
-
LP.MOTORDOWN:CN.DOORPOSITION
-
- synchr2
-
LP.MOTORDOWN:CN.MOTORSTATUS
-
- synchr2
-
LP.MOTORDOWN:CN.CLOSEDOOR
-
- synchr2
-
LP.MOTORDOWN:CN.MOTORSTOP
-
- synchr2
-
LP.MOTORDOWN:CN.MOTORSTOP
-
- synchr2
-
LP.MOTORDOWN:CN.MOTORUP
-
- synchr2
-
LP.MOTORDOWN:CN.MOTORDOWN
-
- synchr2
- if LP.MOTORDOWN happen then CN.MOTORDOWN happen
if CN.MOTORDOWN happen then LP.MOTORDOWN happen
-
LP.MOTORDOWN:CN.USERINSIDE
-
- synchr2
-
LP.MOTORDOWN:CN.CALL
-
- synchr2
-
LP.MOTORDOWN:CN
-
- pre-cond2
- post-cond2
- vital2
-
LP.USERINSIDE:CALL
-
- loc-glob2
-
LP.USERINSIDE:LP.USERINSIDE
-
- synchr1
- if LP.USERINSIDE(b) happen then CN.USERINSIDE(b)
happen
if CN.USERINSIDE(b) happen then LP.USERINSIDE(b) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
LP.USERINSIDE:CN.CABINPOSITION
-
- synchr2
-
LP.USERINSIDE:CN.DOORPOSITION
-
- synchr2
-
LP.USERINSIDE:CN.MOTORSTATUS
-
- synchr2
-
LP.USERINSIDE:CN.CLOSEDOOR
-
- synchr2
-
LP.USERINSIDE:CN.OPENDOOR
-
- synchr2
-
LP.USERINSIDE:CN.MOTORSTOP
-
- synchr2
-
LP.USERINSIDE:CN.MOTORUP
-
- synchr2
-
LP.USERINSIDE:CN.MOTORDOWN
-
- synchr2
-
LP.USERINSIDE:CN.USERINSIDE
-
- synchr2
- if LP.USERINSIDE(b) happen then CN.USERINSIDE(b) happen
if CN.USERINSIDE(b) happen then LP.USERINSIDE(b) happen
-
LP.USERINSIDE:CN.CALL
-
- synchr2
-
LP.USERINSIDE:CN
-
- pre-cond2
- post-cond2
- vital2
-
CN.CABINPOSITION:CALL
-
- loc-glob2
-
CN.CABINPOSITION:LP.CABINPOSITION
-
- synchr1
- if CN.CABINPOSITION(f) happen then
LP.CABINPOSITION(f) happen
if LP.CABINPOSITION(f) happen then CN.CABINPOSITION(f) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
CN.CABINPOSITION:LP.DOORPOSITION
-
- synchr2
-
CN.CABINPOSITION:LP.MOTORSTATUS
-
- synchr2
-
CN.CABINPOSITION:LP.CLOSEDOOR
-
- synchr2
-
CN.CABINPOSITION:LP.OPENDOOR
-
- synchr2
-
CN.CABINPOSITION:LP.MOTORSTOP
-
- synchr2
-
CN.CABINPOSITION:LP.MOTORUP
-
- synchr2
-
CN.CABINPOSITION:LP.MOTORDOWN
-
- synchr2
-
CN.CABINPOSITION:LP.USERINSIDE
-
- synchr2
-
CN.CABINPOSITION:CN.CABINPOSITION
-
- synchr1
- if CN.CABINPOSITION(f) happen then LP.CABINPOSITION(f) happen
if LP.CABINPOSITION(f) happen then CN.CABINPOSITION(f) happen
-
CN.CABINPOSITION:LP
-
- pre-cond2
- post-cond2
- vital2
-
CN.DOORPOSITION:CALL
-
- loc-glob2
DT>
CN.DOORPOSITION:LP.CABINPOSITION
-
- synchr2
-
CN.DOORPOSITION:LP.DOORPOSITION
-
- synchr1
- if CN.DOORPOSITION(f,dps) happen then
LP.DOORPOSITION(f,dps) happen
if LP.DOORPOSITION(f,dps) happen then CN.DOORPOSITION(f,dps) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
<
-
CN.DOORPOSITION:LP.MOTORSTATUS
-
- synchr2
-
CN.DOORPOSITION:LP.CLOSEDOOR
-
- synchr2
-
CN.DOORPOSITION:LP.OPENDOOR
-
- synchr2
-
CN.DOORPOSITION:LP.MOTORSTOP
-
- synchr2
-
CN.DOORPOSITION:LP.MOTORUP
-
- synchr2
-
CN.DOORPOSITION:LP.MOTORDOWN
-
- synchr2
-
CN.DOORPOSITION:LP.USERINSIDE
-
- synchr2
-
CN.DOORPOSITION:CN.DOORPOSITION
-
- synchr1
- if CN.DOORPOSITION(f,dps) happen then LP.DOORPOSITION(f,dps) happen
if LP.DOORPOSITION(f,dps) happen then CN.DOORPOSITION(f,dps) happen
-
CN.DOORPOSITION:LP
-
- pre-cond2
- post-cond2
- vital2
-
CN.MOTORSTATUS:CALL
-
- loc-glob2
-
CN.MOTORSTATUS:LP.CABINPOSITION
-
- synchr2
-
CN.MOTORSTATUS:LP.DOORPOSITION
-
- synchr2
-
CN.MOTORSTATUS:LP.MOTORSTATUS
-
- synchr1
- if CN.MOTORSTATUS(ms) happen then
LP.MOTORSTATUS(ms) happen
if LP.MOTORSTATUS(ms) happen then CN.MOTORSTATUS(ms) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
CN.MOTORSTATUS::LP.CLOSEDOOR
-
- synchr2
-
CN.MOTORSTATUS::LP.OPENDOOR
-
- synchr2
-
CN.MOTORSTATUS:LP.MOTORSTOP
-
- synchr2
-
CN.MOTORSTATUS:LP.MOTORUP
-
- synchr2
-
CN.MOTORSTATUS:LP.MOTORDOWN
-
- synchr2
-
CN.MOTORSTATUS:LP.USERINSIDE
-
- synchr2
-
CN.MOTORSTATUS:CN.MOTORSTATUS
-
- synchr1
- if CN.MOTORSTATUS(ms) happen then LP.MOTORSTATUS(ms) happen
if LP.MOTORSTATUS(ms) happen then CN.MOTORSTATUS(ms) happen
-
CN.MOTORSTATUS:LP
-
- pre-cond2
- post-cond2
- vital2
-
CN.OPENDOOR:CALL
-
- loc-glob2
-
CN.OPENDOOR:LP.CABINPOSITION
-
- synchr2
-
CN.OPENDOOR:LP.DOORPOSITION
-
- synchr2
-
CN.OPENDOOR:LP.MOTORSTATUS
-
- synchr2
-
CN.OPENDOOR:LP.OPENDOOR
-
- synchr1
- if CN.OPENDOOR(f) happen then LP.OPENDOOR(f) happen
if LP.OPENDOOR(f) happen then CN.OPENDOOR(f) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
CN.OPENDOOR:LP.CLOSEDOOR
-
- synchr2
-
CN.OPENDOOR:LP.MOTORSTOP
-
- synchr2
-
CN.OPENDOOR:LP.MOTORUP
-
- synchr2
-
CN.OPENDOOR:LP.MOTORDOWN
-
- synchr2
-
CN.OPENDOOR:LP.USERINSIDE
-
- synchr2
-
CN.OPENDOOR:CN.OPENDOOR
-
- synchr1
- if CN.OPENDOOR(f) happen then LP.OPENDOOR(f) happen happen
if LP.OPENDOOR(f) happen then CN.OPENDOOR(f) happen
-
CN.OPENDOOR:LP
-
- pre-cond2
- post-cond2
- vital2
-
CN.CLOSEDOOR:CALL
-
- loc-glob2
-
CN.CLOSEDOOR:LP.CABINPOSITION
-
- synchr2
-
CN.CLOSEDOOR:LP.DOORPOSITION
-
- synchr2
-
CN.CLOSEDOOR:LP.MOTORSTATUS
-
- synchr2
-
CN.CLOSEDOOR:LP.OPENDOOR
-
- synchr2
-
CN.CLOSEDOOR:LP.CLOSEDOOR
-
- synchr1
- if CN.CLOSEDOOR(f) happen then LP.CLOSEDOOR(f) happen
if LP.CLOSEDOOR(f) happen then CN.CLOSEDOOR(f) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
CN.CLOSEDOOR:LP.MOTORSTOP
-
- synchr2
-
CN.CLOSEDOOR:LP.MOTORUP
-
- synchr2
-
CN.CLOSEDOOR:LP.MOTORDOWN
-
- synchr2
-
CN.CLOSEDOOR:LP.USERINSIDE
-
- synchr2
-
CN.CLOSEDOOR:CN.CLOSEDOOR
-
- synchr1
- if CN.CLOSEDOOR(f) happen then LP.CLOSEDOOR(f) happen
if LP.CLOSEDOOR(f) happen then CN.CLOSEDOOR(f) happen
-
CN.CLOSEDOOR:LP
-
- pre-cond2
- post-cond2
- vital2
-
CN.MOTORSTOP:CALL
-
- loc-glob2
-
CN.MOTORSTOP:LP.CABINPOSITION
-
- synchr2
-
CN.MOTORSTOP:LP.DOORPOSITION
-
- synchr2
-
CN.MOTORSTOP:LP.MOTORSTATUS
-
- synchr2
-
CN.MOTORSTOP:LP.OPENDOOR
-
- synchr2
-
CN.MOTORSTOP:LP.CLOSEDOOR
-
- synchr2
-
CN.MOTORSTOP:LP.MOTORSTOP
-
- synchr1
- if CN.MOTORSTOP happen then LP.MOTORSTOP happen
if LP.MOTORSTOP happen then CN.MOTORSTOP happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
CN.MOTORSTOP:LP.MOTORUP
-
- synchr2
-
CN.MOTORSTOP:LP.MOTORDOWN
-
- synchr2
-
CN.MOTORSTOP:LP.USERINSIDE
-
- synchr2
-
CN.MOTORSTOP:CN.MOTORSTOP
-
- synchr1
- if CN.MOTORSTOP happen then LP.MOTORSTOP happen
if LP.MOTORSTOP happen then CN.MOTORSTOP happen
-
CN.MOTORSTOP:LP
-
- pre-cond2
- post-cond2
- vital2
-
CN.MOTORUP:CALL
-
- loc-glob2
-
CN.MOTORUP:LP.CABINPOSITION
-
- synchr2
-
CN.MOTORUP:LP.DOORPOSITION
-
- synchr2
-
CN.MOTORUP:LP.MOTORSTATUS
-
- synchr2
-
CN.MOTORUP:LP.OPENDOOR
-
- synchr2
-
CN.MOTORUP:LP.CLOSEDOOR
-
- synchr2
-
CN.MOTORUP:LP.MOTORSTOP
-
- synchr2
-
CN.MOTORUP:LP.MOTORUP
-
- synchr1
- if CN.MOTORUP happen then LP.MOTORUP happen
if LP.MOTORUP happen then CN.MOTORUP happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
CN.MOTORUP:LP.MOTORDOWN
-
- synchr2
-
CN.MOTORUP:LP.USERINSIDE
-
- synchr2
-
CN.MOTORUP:CN.MOTORUP
-
- synchr1
- if CN.MOTORUP happen then LP.MOTORUP happen
if LP.MOTORUP happen then CN.MOTORUP happen
-
CN.MOTORUP:LP
-
- pre-cond2
- post-cond2
- vital2
-
CN.MOTORDOWN:CALL
-
- loc-glob2
-
CN.MOTORDOWN:LP.CABINPOSITION
-
- synchr2
-
CN.MOTORDOWN:LP.DOORPOSITION
-
- synchr2
-
CN.MOTORDOWN:LP.MOTORSTATUS
-
- synchr2
-
CN.MOTORDOWN:LP.OPENDOOR
-
- synchr2
-
CN.MOTORDOWN:LP.CLOSEDOOR
-
- synchr2
-
CN.MOTORDOWN:LP.MOTORSTOP
-
- synchr2
-
CN.MOTORDOWN:LP.MOTORUP
-
- synchr2
-
CN.MOTORDOWN:LP.MOTORDOWN
-
- synchr1
- if CN.MOTORDOWN happen then LP.MOTORDOWN happen
if LP.MOTORDOWN happen then CN.MOTORDOWN happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
CN.MOTORDOWN:LP.USERINSIDE
-
- synchr2
-
CN.MOTORDOWN:CN.MOTORDOWN
-
- synchr1
- if CN.MOTORDOWN happen then LP.MOTORDOWN happen
if LP.MOTORDOWN happen then CN.MOTORDOWN happen
-
CN.MOTORDOWN:LP
-
- pre-cond2
- post-cond2
- vital2
-
CN.USERINSIDE:CALL
-
- loc-glob2
-
CN.USERINSIDE:LP.CABINPOSITION
-
- synchr2
-
CN.USERINSIDE:LP.DOORPOSITION
-
- synchr2
-
CN.USERINSIDE:LP.MOTORSTATUS
-
- synchr2
-
CN.USERINSIDE:LP.OPENDOOR
-
- synchr2
-
CN.USERINSIDE:LP.CLOSEDOOR
-
- synchr2
-
CN.USERINSIDE:LP.MOTORSTOP
-
- synchr2
-
CN.USERINSIDE:LP.MOTORUP
-
- synchr2
-
CN.USERINSIDE:LP.MOTORDOWN
-
- synchr2
-
CN.USERINSIDE:LP.USERINSIDE
-
- synchr1
- if CN.USERINSIDE(b) happen then LP.USERINSIDE(b) happen
if LP.USERINSIDE(b) happen then CN.USERINSIDE(b) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
CN.USERINSIDE:CN.USERINSIDE
-
- synchr1
- if CN.USERINSIDE(b) happen then LP.USERINSIDE(b) happen
if LP.USERINSIDE(b) happen then CN.USERINSIDE(b) happen
-
CN.USERINSIDE:LP
-
- pre-cond2
- post-cond2
- vital2
-
CN.CALL:CALL
-
- loc-glob2
-
CN.CALL:LP.CABINPOSITION
-
- synchr2
-
CN.CALL:LP.DOORPOSITION
-
- synchr2
-
CN.CALL:LP.MOTORSTATUS
-
- synchr2
-
CN.CALL:LP.OPENDOOR
-
- synchr2
-
CN.CALL:LP.CLOSEDOOR
-
- synchr2
-
CN.CALL:LP.MOTORSTOP
-
- synchr2
-
CN.CALL:LP.MOTORUP
-
- synchr2
-
CN.CALL:LP.MOTORDOWN
-
- synchr2
-
CN.CALL:LP.USERINSIDE
-
- synchr1
- if CN.CALL(f) happen then LP.CALL(f) happen
if LP.CALL(f) happen then CN.CALL(f) happen
- loc-glob3
- pre-cond3
- post-cond3
- vital3
-
CN.CALL:CN.CALL
-
- synchr1
- if CN.CALL(f) happen then LP.CALL(f) happen
if LP.CALL(f) happen then CN.CALL(f) happen
-
CN.CALL:LP
-
- pre-cond2
- post-cond2
- vital2
-
LP:CALL
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.CABINPOSITION
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.DOORPOSITION
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.MOTORSTATUS
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.OPENDOOR
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.CLOSEDOOR
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.MOTORSTOP
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.MOTORUP
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.MOTORDOWN
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.USERINSIDE
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN.CALL
-
- pre-cond2
- post-cond2
- vital2
-
LP:CN
-
- value2
-
CN:CALL
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.CABINPOSITION
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.DOORPOSITION
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.MOTORSTATUS
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.OPENDOOR
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.CLOSEDOOR
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.MOTORSTOP
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.MOTORUP
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.MOTORDOWN
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.USERINSIDE
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP.CALL
-
- pre-cond2
- post-cond2
- vital2
-
CN:LP
-
- value2
Lift System: Properties
CALL(f1) incompatible with CALL(f2)
No two calls may be received simultaneously
if CALL(f) happen then
in any case eventually LP.cabinPosition = f and
LP.motorStatus = stop and
LP.doorPosition(f) = open
Any received call for a given floor will be eventually satisfied in any case
in any case eventually in one case CALL(f) happen
In any case eventually the lisft system will be able to receive a call for a given floor
if CALL(f) happen then CN.CALL(f) happen
if CN.CALL(f) happen then CALL(f)
The calls are received by the controller
if LP.CABINPOSITION(f) happen then CN.CABINPOSITION(f) happen
if CN.CABINPOSITION(f) happen then LP.CABINPOSITION(f) happen
if LP.DOORPOSITION(f,dps) happen then CN.DOORPOSITION(f,dps) happen
if CN.DOORPOSITION(f,dps) happen then LP.DOORPOSITION(f,dps) happen
if LP.MOTORSTATUS(ms) happen then CN.MOTORSTATUS(ms) happen
if CN.MOTORSTATUS(ms) happen then LP.MOTORSTATUS(ms) happen
if LP.CLOSEDOOR(f) happen then CN.CLOSEDOOR(f) happen
if CN.CLOSEDOOR(f) happen then LP.CLOSEDOOR(f) happen
if LP.OPENDOOR(f) happen then CN.OPENDOOR(f) happen
if CN.OPENDOOR(f) happen then LP.OPENDOOR(f) happen
if LP.MOTORSTOP happen then CN.MOTORSTOP happen
if CN.MOTORSTOP happen then LP.MOTORSTOP happen
if LP.MOTORUP happen then CN.MOTORUP happen
if CN.MOTORUP happen then LP.MOTORUP happen
if LP.MOTORDOWN happen then CN.MOTORDOWN happen
if CN.MOTORDOWN(f) happen then LP.MOTORDOWN happen
if LP.USERINSIDE(b) happen then CN.USERINSIDE(b) happen
if CN.USERINSIDE(b) happen then LP.USERINSIDE(b) happen
Lift Plant: CASL_LTL Specification
spec ELEMINTER =
free type elemInter ::=
CABINPOSITION(Floor) |
OPENDOOR(Floor) |
CLOSEDOOR(Floor) |
DOORPOSITION(Floor,DoorPosition) |
MOTORUP |
MOTORDOWN |
MOTORSTOP |
MOTORSTATUS(MotorStatus) |
USERINSIDE(Int)
spec LiftPlant =
FINITESET[ ELEMINTER] and Floor and MotorStatus and DoorPosition then
dsort St label FiniteSet[elemInter]
ops cabinPosition: St -> Floor
doorPosition: St x Floor -> DoorPosition
motorStatus: St -> MotorStatus
usersInside:St -> Int
axioms
S -- L --> S' and CABINPOSITION(f) in L =>
cabinPosition(S) = f
cabinPosition(S) = f =>
in_one_case(S, next =< L' • CABINPOSITION(f) in L' =>)
S -- L --> S' and OPENDOOR(f) in L =>
cabinPosition(S) = f
S -- L --> S' and CLOSEDOOR(f) in L =>
cabinPosition(S) = f
S -- L --> S' and MOTORSTOP in L =>
cabinPosition(S') = cabinPosition(S)
S -- L --> S' and cabinPosition(S) =/= cabinPosition(S') =>
(cabinPosition(S') = next(cabinPosition(S)) and motorStatus(S) = up) or
(cabinPosition(S') = previous(cabinPosition(S)) and motorStatus(S) = down)
motorStatus(S) = up => in_any_case(S, next [ S' • cabinPositionS') = next(cabinPosition(S)])
motorStatus(S) = down => in_any_case(S, next [ S' • cabinPositionS') = previous(cabinPosition(S)])
doorPosition(S,f) = open => cabinPosition(S) = f
S -- L --> S' and DOORPOSITION(f,dps) in L =>
doorPosition(S,f) = dps
doorPosition(S,f) = dps =>
in_one_case(S,next < L' •DOORPOSITION(f,dps) in L'>)
S -- L --> S' and OPENDOOR(f) in L =>
doorPosition(S,f) = open
S -- L --> S' and CLOSEDOOR(f) in L =>
doorPosition(S,f) = closed
S -- L --> S' and doorPosition(S,f) = open and doorPosition(S',f) = closed =>
CLOSEDOOR(f) in L
S -- L --> S' and doorPosition(S,f) = closed and doorPosition(S',f) = open =>
OPENDOOR(f) in L and cabinPosition(S) = f
S -- L --> S' and MOTORSTATUS = ms in L =>
motorStatus(S) = ms
S -- L --> S' and motorStatus(S) = ms =>
MOTORSTATUS(ms) in L
motorStatus(S) =/= stop =>
forall f • doorPosition(S,f) = closed
S -- L --> S' and motorStatus(S) = stop and motorStatus(S') = up =>
MOTORUP in L
S -- L --> S' and motorStatus(S) = stop and motorStatus(S') = down =>
MOTORDOWN in L
S -- L --> S' and motorStatus(S) =/= stop and motorStatus(S') = stop =>
MOTORSTOP in L
userInside(S) >= 0 and userInside(S) =< 5
userInside(S) =/= 0 =>
in_any_case(S, eventually [ S' • userInside(S') = 0])