|
1
|
|
|
2
|
--==================
|
|
3
|
-- Simple Elevator
|
|
4
|
--==================
|
|
5
|
|
|
6
|
(*
|
|
7
|
Acknowledgements: This example is inspired by a similar one first made
|
|
8
|
by Prover Technology AB, then adapted at Chalmers University
|
|
9
|
by Carl Johan Lillieroth, K.V.S. Prasad, Mary Sheeran, Angela Wallenburg,
|
|
10
|
and Jan-Willem Roorda.
|
|
11
|
|
|
12
|
-------
|
|
13
|
Setting
|
|
14
|
-------
|
|
15
|
|
|
16
|
It models a simple elevator, moving people between two floors.
|
|
17
|
In the elevator, there are three buttons:
|
|
18
|
- a button 1 to go to the first floor,
|
|
19
|
- a button 2 to go to the first floor, and
|
|
20
|
- a stop switch to stop the elevator.
|
|
21
|
On each floor, there is a button to call the elevator.
|
|
22
|
|
|
23
|
The elevator has three sensors,
|
|
24
|
- the first indicating if the elevator is on the first floor or not,
|
|
25
|
- the second doing the same for the second floor, and
|
|
26
|
- the third indicating if the elevator's door is closed or not.
|
|
27
|
|
|
28
|
The stop switch is located within the elevator and can be pressed to
|
|
29
|
block the elevator. While the switch is on the elevator stops immediately
|
|
30
|
if it was moving and ignores any other input. Turning the switch back off
|
|
31
|
makes the elevator to be responsive again to other inputs.
|
|
32
|
|
|
33
|
The elevator is moved up and down by a motor that is on the roof of the
|
|
34
|
building. The motor is controlled by two signals,
|
|
35
|
- one for moving the elevator up and
|
|
36
|
- one for moving it down.
|
|
37
|
|
|
38
|
The control system looks at the buttons that are being pressed and the sensors
|
|
39
|
that say where the elevator is and if the door is open, and then decides if
|
|
40
|
the motor should move the elevator up or down, or do nothing.
|
|
41
|
|
|
42
|
For simplicity, we do not distinguish between the case of someone on floor 1
|
|
43
|
(resp., 2) pressing the call button and someone in the elevator pressing
|
|
44
|
the button 1 (resp., 2).
|
|
45
|
|
|
46
|
-------------------
|
|
47
|
Safety Requirements
|
|
48
|
-------------------
|
|
49
|
|
|
50
|
The controller is supposed to satisfy the following safety requirements:
|
|
51
|
|
|
52
|
R1 The elevator moves only when the door is closed and the stop switch
|
|
53
|
is not on.
|
|
54
|
R2 The elevator may not pass the end positions, that is, go through
|
|
55
|
the roof or the floor.
|
|
56
|
R3 A moving elevator halts only if the stop switch is on, or the door
|
|
57
|
is opened, or the elevator has arrived at the destination floor.
|
|
58
|
R4 The elevator halts before changing direction.
|
|
59
|
R5 The signals sent to the motor are not contradictory.
|
|
60
|
R6 The elevator starts moving when it should.
|
|
61
|
R7 The elevator stays on a floor indefinitely as long as
|
|
62
|
there is no call the other floor
|
|
63
|
*)
|
|
64
|
|
|
65
|
-------------------------
|
|
66
|
-- Auxiliary operators --
|
|
67
|
-------------------------
|
|
68
|
|
|
69
|
node Happened(X : bool) returns (Y : bool);
|
|
70
|
let
|
|
71
|
Y = X or (false -> pre Y) ;
|
|
72
|
tel
|
|
73
|
|
|
74
|
node Since( X, Y : bool ) returns ( Z : bool );
|
|
75
|
let
|
|
76
|
Z = X or (Y and (false -> pre Z));
|
|
77
|
tel
|
|
78
|
|
|
79
|
node SinceIncl( X, Y : bool ) returns ( Z : bool );
|
|
80
|
let
|
|
81
|
Z = Y and (X or (false -> pre Z));
|
|
82
|
tel
|
|
83
|
|
|
84
|
node ToInt(X: bool) returns (N: int);
|
|
85
|
let
|
|
86
|
N = if X then 1 else 0;
|
|
87
|
tel
|
|
88
|
|
|
89
|
node MutuallyExcl_4(X1, X2, X3, X4: bool) returns (Y: bool);
|
|
90
|
let
|
|
91
|
Y = ToInt(X1) + ToInt(X2) + ToInt(X3) + ToInt(X4) < 2 ;
|
|
92
|
tel
|
|
93
|
|
|
94
|
|
|
95
|
---------------------------------
|
|
96
|
-- Controller high-level specs --
|
|
97
|
---------------------------------
|
|
98
|
|
|
99
|
(*@
|
|
100
|
contract ControlReq( Floor_1, Floor_2, DoorOpen, Call_1, Call_2, Stop : bool )
|
|
101
|
returns ( MotorUp, MotorDown : bool);
|
|
102
|
let
|
|
103
|
|
|
104
|
-------------------------------
|
|
105
|
-- Environmental assumptions --
|
|
106
|
-------------------------------
|
|
107
|
-- the elevator starts on the first floor
|
|
108
|
assume Floor_1 -> true;
|
|
109
|
|
|
110
|
-- if the elevator was on the first (second) floor and did not move up (down)
|
|
111
|
-- then it is still on that floor
|
|
112
|
assume true -> pre (Floor_1 and not MotorUp and not MotorDown) => Floor_1 ;
|
|
113
|
assume true -> pre (Floor_2 and not MotorUp and not MotorDown) => Floor_2 ;
|
|
114
|
(*
|
|
115
|
-- if the elevator was on the first (second) floor and moved up (down)
|
|
116
|
-- then it has left that floor
|
|
117
|
assume true -> pre (Floor_1 and MotorUp) => not Floor_1 ;
|
|
118
|
assume true -> pre (Floor_2 and MotorDown) => not Floor_2 ;
|
|
119
|
*)
|
|
120
|
|
|
121
|
-----------
|
|
122
|
-- Modes --
|
|
123
|
-----------
|
|
124
|
mode blocked (
|
|
125
|
require Stop or DoorOpen ;
|
|
126
|
ensure not MotorUp ;
|
|
127
|
ensure not MotorDown ;
|
|
128
|
);
|
|
129
|
|
|
130
|
mode servicing1 (
|
|
131
|
require SinceIncl(Call_1, not (Stop or DoorOpen) and not Floor_1
|
|
132
|
and not (false -> pre MotorUp)
|
|
133
|
) ;
|
|
134
|
ensure MotorDown ;
|
|
135
|
ensure not MotorUp ;
|
|
136
|
) ;
|
|
137
|
|
|
138
|
mode servicing2 (
|
|
139
|
require SinceIncl(Call_2, not (SinceIncl(Call_1, not (Stop or DoorOpen) and not Floor_1
|
|
140
|
and not (false -> pre MotorUp)))
|
|
141
|
and not (Stop or DoorOpen) and not Floor_2
|
|
142
|
and not (false -> pre MotorDown)
|
|
143
|
) ;
|
|
144
|
ensure MotorUp ;
|
|
145
|
ensure not MotorDown ;
|
|
146
|
) ;
|
|
147
|
|
|
148
|
mode waiting (
|
|
149
|
require not (Stop or DoorOpen) ;
|
|
150
|
require not (SinceIncl(Call_1, not (Stop or DoorOpen) and not Floor_1
|
|
151
|
and not (false -> pre MotorUp))) ;
|
|
152
|
require not (SinceIncl(Call_2, not (SinceIncl(Call_1, not (Stop or DoorOpen) and not Floor_1
|
|
153
|
and not (false -> pre MotorUp)))
|
|
154
|
and not (Stop or DoorOpen) and not Floor_2
|
|
155
|
and not (false -> pre MotorDown)
|
|
156
|
)) ;
|
|
157
|
ensure not MotorUp ;
|
|
158
|
ensure not MotorDown ;
|
|
159
|
) ;
|
|
160
|
|
|
161
|
|
|
162
|
-------------------------
|
|
163
|
-- Auxiliary variables --
|
|
164
|
-------------------------
|
|
165
|
|
|
166
|
-- Moving is true iff the elevator is moving now
|
|
167
|
var Moving: bool = MotorUp or MotorDown ;
|
|
168
|
|
|
169
|
-- Halts is true iff the elevator has come to a stop
|
|
170
|
var Halts: bool = not Moving and (false -> pre Moving);
|
|
171
|
|
|
172
|
-- The elevator can move now iff
|
|
173
|
-- the Stop button is not pressed and
|
|
174
|
-- the door is not closed
|
|
175
|
var CanMove: bool = not Stop and not DoorOpen;
|
|
176
|
|
|
177
|
-- The elevator should start moving iff
|
|
178
|
-- it was not moving before
|
|
179
|
-- it can move,
|
|
180
|
-- there is a call to go to a floor, and
|
|
181
|
-- the elevator is not a that floor
|
|
182
|
var ShouldMove: bool = (true -> not pre Moving)
|
|
183
|
and CanMove
|
|
184
|
and ((Call_1 and not Floor_1) or
|
|
185
|
(Call_2 and not Floor_2)) ;
|
|
186
|
|
|
187
|
----------------
|
|
188
|
-- Guarantees --
|
|
189
|
----------------
|
|
190
|
-- the execution modes are mutually exclusive
|
|
191
|
guarantee MutuallyExcl_4((Stop or DoorOpen), (SinceIncl(Call_1, not (Stop or DoorOpen) and not Floor_1
|
|
192
|
and not (false -> pre MotorUp))), (SinceIncl(Call_2, not (SinceIncl(Call_1, not (Stop or DoorOpen) and not Floor_1
|
|
193
|
and not (false -> pre MotorUp)))
|
|
194
|
and not (Stop or DoorOpen) and not Floor_2
|
|
195
|
and not (false -> pre MotorDown)
|
|
196
|
)), (not (Stop or DoorOpen) and
|
|
197
|
not (SinceIncl(Call_1, not (Stop or DoorOpen) and not Floor_1
|
|
198
|
and not (false -> pre MotorUp))) and
|
|
199
|
not (SinceIncl(Call_2, not (SinceIncl(Call_1, not (Stop or DoorOpen) and not Floor_1
|
|
200
|
and not (false -> pre MotorUp)))
|
|
201
|
and not (Stop or DoorOpen) and not Floor_2
|
|
202
|
and not (false -> pre MotorDown)
|
|
203
|
)))) ;
|
|
204
|
|
|
205
|
-- R1: The elevator moves only when the door is closed and
|
|
206
|
-- the Stop button is not pressed
|
|
207
|
guarantee Moving => not DoorOpen and not Stop;
|
|
208
|
|
|
209
|
-- R2: The elevator will not pass the end positions, that is,
|
|
210
|
-- go through the roof or the floor.
|
|
211
|
guarantee (Floor_1 => not MotorDown) ;
|
|
212
|
guarantee (Floor_2 => not MotorUp) ;
|
|
213
|
|
|
214
|
-- R3: A moving elevator halts only if
|
|
215
|
-- the Stop button is pressed, or the door is open, or
|
|
216
|
-- the elevator has arrived at the destination floor
|
|
217
|
guarantee Halts => ( Stop
|
|
218
|
or DoorOpen
|
|
219
|
or ((true -> pre MotorDown) and Floor_1)
|
|
220
|
or ((true -> pre MotorUp) and Floor_2)
|
|
221
|
) ;
|
|
222
|
|
|
223
|
-- R4: he elevator halts before changing direction
|
|
224
|
guarantee true -> ( not (pre MotorDown and MotorUp)
|
|
225
|
and not (pre MotorUp and MotorDown)
|
|
226
|
) ;
|
|
227
|
|
|
228
|
-- R5: The signals sent to the motor are not contradictory
|
|
229
|
guarantee not (MotorUp and MotorDown) ;
|
|
230
|
|
|
231
|
-- R6: The elevator starts moving when it should
|
|
232
|
guarantee ShouldMove => Moving ;
|
|
233
|
|
|
234
|
-- R7: The elevator stays on a floor indefinitely as long as
|
|
235
|
-- there is no call the other floor
|
|
236
|
guarantee Since(Floor_1, not Happened(Call_2)) => Floor_1 ;
|
|
237
|
guarantee Since(Floor_2, not Happened(Call_1)) => Floor_2 ;
|
|
238
|
|
|
239
|
tel
|
|
240
|
*)
|
|
241
|
|
|
242
|
--------------------------------
|
|
243
|
-- Controller low-level specs --
|
|
244
|
--------------------------------
|
|
245
|
|
|
246
|
node Control( Floor_1, Floor_2, DoorOpen, Call_1, Call_2, Stop : bool )
|
|
247
|
returns ( MotorUp, MotorDown : bool) ;
|
|
248
|
(*@ contract import
|
|
249
|
ControlReq( Floor_1, Floor_2, DoorOpen, Call_1, Call_2, Stop )
|
|
250
|
returns ( MotorUp, MotorDown ) ;
|
|
251
|
*)
|
|
252
|
var CanMove : bool ;
|
|
253
|
let
|
|
254
|
CanMove = not Stop and not DoorOpen ;
|
|
255
|
|
|
256
|
(*
|
|
257
|
The elevator goes down iff all the following hold:
|
|
258
|
1) there is a call to the first floor or it was already going down
|
|
259
|
2) it can move
|
|
260
|
3) it is not on the first floor already
|
|
261
|
4) it was not going up
|
|
262
|
*)
|
|
263
|
MotorDown = (Call_1 or (false -> pre MotorDown))
|
|
264
|
and CanMove
|
|
265
|
and not Floor_1
|
|
266
|
and not (false -> pre MotorUp) ;
|
|
267
|
|
|
268
|
(*
|
|
269
|
The elevator goes up iff all the following hold:
|
|
270
|
0) it is not going down (i.e., going down takes precedence over going up)
|
|
271
|
1) there is a call to the second floor or it was already going up
|
|
272
|
2) it can move
|
|
273
|
3) it is not on the second floor already
|
|
274
|
4) it was not going down
|
|
275
|
*)
|
|
276
|
MotorUp = not MotorDown
|
|
277
|
and (Call_2 or (false -> pre MotorUp))
|
|
278
|
and CanMove
|
|
279
|
and not Floor_2
|
|
280
|
and not (false -> pre MotorDown) ;
|
|
281
|
|
|
282
|
--%MAIN;
|
|
283
|
tel
|
|
284
|
|
|
285
|
|
|
286
|
|
|
287
|
-- To simulate the elevator system make this the main file first
|
|
288
|
|
|
289
|
-- The simulator assumes (for brevity) that it takes 5 execution steps
|
|
290
|
-- to go from one floor to the other, each corresponding to an intermediate
|
|
291
|
-- "level". Level 0 corresponds to the first floor, level 4 to the second
|
|
292
|
node Simulator( Call_1, Call_2, Stop, DoorOpen : bool )
|
|
293
|
returns ( Floor_1, Floor_2 : bool ) ;
|
|
294
|
var MotorUp, MotorDown: bool ;
|
|
295
|
L: int ;
|
|
296
|
let
|
|
297
|
L = 0 -> if pre MotorUp then pre L + 1
|
|
298
|
else if pre MotorDown then pre L - 1
|
|
299
|
else pre L ;
|
|
300
|
Floor_1 = L = 0 ;
|
|
301
|
Floor_2 = L = 4 ;
|
|
302
|
|
|
303
|
(MotorUp, MotorDown) = Control(Floor_1, Floor_2, DoorOpen, Call_1, Call_2, Stop) ;
|
|
304
|
-- %MAIN;
|
|
305
|
tel
|
|
306
|
|
|
307
|
|
|
308
|
|
|
309
|
|