Project

General

Profile

Download (24.2 KB) Statistics
| Branch: | Tag: | Revision:
1
-- STEAM BOILER example
2
-- from The Steam Boiler Problem in Lustre
3
-- by Thierry Cattel and Gregory Duval
4

    
5

    
6

    
7

    
8
node REDGE(S:bool) returns(REDGE:bool); 
9
let 
10
  REDGE= S -> S and not(pre(S)); 
11
tel
12

    
13
 
14

    
15
node sum(a_0,a_1,a_2,a_3:int) returns(sum:int); 
16
let 
17
  sum = a_0 + a_1 + a_2 + a_3; 
18
tel
19

    
20
 
21
node AND(a_0,a_1,a_2,a_3:bool) returns(AND:bool); 
22
let 
23
  AND = a_0 and a_1 and a_2 and a_3;
24
tel
25

    
26
node OR(a_0,a_1,a_2,a_3:bool) returns(OR:bool); 
27
let 
28
  OR = a_0 or a_1 or a_2 or a_3;
29
tel
30

    
31

    
32
node NOT(a_0,a_1,a_2,a_3:bool) returns(NOT_0,NOT_1,NOT_2,NOT_3:bool); 
33
let 
34
  NOT_0 = not a_0;
35
  NOT_1 = not a_1;
36
  NOT_2 = not a_2;
37
  NOT_3 = not a_3;
38
tel
39

    
40
 
41

    
42
node FEDGE1(S:bool) returns(FEDGE1:bool); 
43
let 
44
  FEDGE1= not(S) -> not(S) and pre(S); 
45
tel
46

    
47
 
48

    
49
node FEDGE2(S:bool) returns(FEDGE2:bool); 
50
let 
51
  FEDGE2= REDGE(not(S)); 
52
tel
53

    
54
 
55

    
56
node Verification(S1,S2:bool) returns(property_ok:bool); 
57
var property1,property2:bool; 
58
let 
59
  property1=FEDGE1(S1)=FEDGE2(S1); 
60

    
61
--  assert(S2=not(S1)); 
62
  property2=FEDGE1(S1)=REDGE(S2);
63

    
64
  property_ok=if (S2=not(S1)) then
65
(property1 and property2)
66
else true;
67
tel
68

    
69
 
70

    
71
node Operator(stop:bool) returns (stop_request:bool); 
72
var nb_stops:int; 
73
let 
74
  nb_stops = (if stop then 1 else 0) -> 
75
    if stop then pre(nb_stops)+1 else 0; 
76
  stop_request = (nb_stops>=3); 
77
tel
78

    
79
 
80

    
81
node Defect(statein:int; fail_cond,ack_chan,repair_chan:bool) 
82
  returns(stateout:int); 
83
let 
84
  stateout = if (statein=0) then 
85
    if fail_cond then 1 else 0 
86
    else 
87
      if (statein=1) then 
88
        if ack_chan then 2 else 1 
89
      else -- statein=2 
90
        if repair_chan then 0 else 2; 
91
tel
92

    
93

    
94
node level_failure_detect(level:int) returns(level_failure_detect:bool); 
95
let 
96
  level_failure_detect = ((level < 0) or (level > 1000)); 
97
tel
98

    
99
node steam_failure_detect(steam:int) returns(steam_failure_detect:bool); 
100
let 
101
  steam_failure_detect = ((steam < 0) or (steam > 25)); 
102
tel
103

    
104
node LevelDefect(level_failure_acknowledgement,level_repaired:bool; 
105
  level:int) 
106
  returns( LevelDefect:int); 
107
let 
108
  LevelDefect = 0 -> 
109
    Defect(pre(LevelDefect), level_failure_detect(level), level_failure_acknowledgement, level_repaired); 
110
tel
111

    
112

    
113
node SteamDefect(steam_failure_acknowledgement,steam_repaired:bool; 
114
  steam:int) 
115
  returns( SteamDefect:int); 
116
let 
117
  SteamDefect = 0 -> 
118
    Defect(pre(SteamDefect), steam_failure_detect(steam), steam_failure_acknowledgement, steam_repaired); 
119
tel
120

    
121

    
122
node pump_failure_detect(pump_status,pump_state:int; 
123
  pump_control_state:bool) 
124
  returns(pump_failure_detect,pump_control_failure_detect,flow:bool); 
125
let 
126
  pump_failure_detect = ((pump_status=0) and pump_state=1) 
127
    or (((pump_status=1) or (pump_status=2))and pump_state=0); 
128
  pump_control_failure_detect = (((pump_status=0) or 
129
    (pump_status=2)) and pump_state=0 and pump_control_state) 
130
    or ((pump_status=1) and pump_state=1 and not(pump_control_state)) 
131
    or ((pump_status=2) and pump_state=1 and pump_control_state); 
132
  flow = ((pump_status=0) and pump_state=1 and pump_control_state) 
133
    or ((pump_status=1) and pump_state=0 and pump_control_state) 
134
    or ((pump_status=1) and pump_state=1); 
135
tel
136

    
137
 
138

    
139

    
140
node PumpDefect( 
141
  pump_failure_acknowledgement,pump_repaired, 
142
  pump_control_failure_acknowledgement,pump_control_repaired:bool; 
143
  pump_status,pump_state:int; 
144
  pump_control_state:bool) 
145
  returns(PumpDefect,PumpControlDefect:int;Flow:bool); 
146
var 
147
  pump_failure_d, pump_control_failure_d:bool; 
148
let 
149
  (pump_failure_d, pump_control_failure_d, Flow) = pump_failure_detect(pump_status, pump_state, pump_control_state); 
150
  PumpDefect = 0 -> 
151
    Defect(pre(PumpDefect), pump_failure_d, pump_failure_acknowledgement, pump_repaired); 
152
  PumpControlDefect = 0 -> 
153
    Defect(pre(PumpControlDefect), pump_control_failure_d, pump_control_failure_acknowledgement, pump_control_repaired); 
154
tel
155

    
156
 
157

    
158
node level_failure(level_defect:int) returns(level_failure:bool); 
159
let 
160
  level_failure = (level_defect<>0); 
161
tel
162

    
163
node steam_failure(steam_defect:int) returns(steam_failure:bool); 
164
let 
165
  steam_failure = (steam_defect<>0); 
166
tel
167
 
168
node pump_failure(pump_defect:int) returns(pump_failure:bool); 
169
let 
170
  pump_failure = (pump_defect<>0); 
171
tel
172
 
173
node pump_control_failure(pump_defect:int) returns(pump_failure:bool); 
174
let 
175
  pump_failure = (pump_defect<>0); 
176
tel
177

    
178

    
179
node Dynamics(valve_state,level,steam,level_defect,steam_defect:int; 
180
  flow_0,flow_1,flow_2,flow_3:bool) 
181
  returns (q,v:int; p_0,p_1,p_2,p_3:int); 
182
let 
183
  q = level-> 
184
    if level_failure(level_defect) then 
185
      pre(q) - steam*5 + sum(p_0,p_1,p_2,p_3)*5 - (if valve_state=1 then 10*5 else 0) 
186
    else 
187
      level; 
188
  v = steam-> 
189
    if steam_failure(steam_defect) then 
190
      (pre(q) -q) div 5 + sum(p_0,p_1,p_2,p_3)*5 
191
    else 
192
      steam; 
193
  p_0 = 0-> 
194
    if (not(flow_0)) then 
195
      0 
196
    else 
197
      15; 
198
  p_1 = 0-> 
199
    if (not(flow_1)) then 
200
      0 
201
    else 
202
      15; 
203
  p_2 = 0-> 
204
    if (not(flow_2)) then 
205
      0 
206
    else 
207
      15; 
208
  p_3 = 0-> 
209
    if (not(flow_3)) then 
210
      0 
211
    else 
212
      15; 
213
      
214
tel
215

    
216
 
217

    
218
node PumpsDecision(q,v:int) returns (n_pumps:int); 
219
let 
220
  n_pumps = if q>600 then 
221
      (v div 15) 
222
    else 
223
      if q<400 then 
224
        (v div 15) +1 
225
      else 
226
        pre(n_pumps) ; 
227
tel
228

    
229
 
230

    
231

    
232

    
233
node operate_pumps(n, n_pumps_to_open:int; 
234
  pump_status_0,pump_status_1,pump_status_2,pump_status_3,
235
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3:int; 
236
  flow_0,flow_1,flow_2,flow_3:bool) 
237
  returns(operate_pumps_0,operate_pumps_1,operate_pumps_2,operate_pumps_3:int); 
238
let 
239
  operate_pumps_0 =  
240
      if ((n_pumps_to_open>0) and 
241
        not(flow_0) and 
242
        not(pump_failure(pump_defect_0)) and 
243
        (pump_status_0=0)) then 
244
        2 
245
      else 
246
        if ((n_pumps_to_open<0) and 
247
          flow_0 and 
248
          not(pump_failure(pump_defect_0)) and 
249
          (pump_status_0=1)) then 
250
          0 
251
        else 
252
          if (pump_status_0=2) then 
253
            1 
254
          else 
255
            if (pre(pump_defect_0)=2 and 
256
              pump_defect_0=0) then 
257
              if pump_status_0=1 then 
258
                0 
259
              else --necessarily 0 
260
                1 
261
            else 
262
              pump_status_0; 
263

    
264
  operate_pumps_1 =  
265
      if ((n_pumps_to_open>0) and 
266
        not(flow_1) and 
267
        not(pump_failure(pump_defect_1)) and 
268
        (pump_status_1=0)) then 
269
        2 
270
      else 
271
        if ((n_pumps_to_open<0) and 
272
          flow_1 and 
273
          not(pump_failure(pump_defect_1)) and 
274
          (pump_status_1=1)) then 
275
          0 
276
        else 
277
          if (pump_status_1=2) then 
278
            1 
279
          else 
280
            if (pre(pump_defect_1)=2 and 
281
              pump_defect_1=0) then 
282
              if pump_status_1=1 then 
283
                0 
284
              else --necessarily 0 
285
                1 
286
            else 
287
              pump_status_1; 
288

    
289
  operate_pumps_2 =  
290
      if ((n_pumps_to_open>0) and 
291
        not(flow_2) and 
292
        not(pump_failure(pump_defect_2)) and 
293
        (pump_status_2=0)) then 
294
        2 
295
      else 
296
        if ((n_pumps_to_open<0) and 
297
          flow_2 and 
298
          not(pump_failure(pump_defect_2)) and 
299
          (pump_status_2=1)) then 
300
          0 
301
        else 
302
          if (pump_status_2=2) then 
303
            1 
304
          else 
305
            if (pre(pump_defect_2)=2 and 
306
              pump_defect_2=0) then 
307
              if pump_status_2=1 then 
308
                0 
309
              else --necessarily 0 
310
                1 
311
            else 
312
              pump_status_2; 
313

    
314
  operate_pumps_3 =  
315
      if ((n_pumps_to_open>0) and 
316
        not(flow_3) and 
317
        not(pump_failure(pump_defect_3)) and 
318
        (pump_status_3=0)) then 
319
        2 
320
      else 
321
        if ((n_pumps_to_open<0) and 
322
          flow_3 and 
323
          not(pump_failure(pump_defect_3)) and 
324
          (pump_status_3=1)) then 
325
          0 
326
        else 
327
          if (pump_status_3=2) then 
328
            1 
329
          else 
330
            if (pre(pump_defect_3)=2 and 
331
              pump_defect_3=0) then 
332
              if pump_status_3=1 then 
333
                0 
334
              else --necessarily 0 
335
                1 
336
            else 
337
              pump_status_3; 
338

    
339
tel
340

    
341
node PumpsStatus( 
342
  n_pumps:int; 
343
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3:int; 
344
  flow_0,flow_1,flow_2,flow_3:bool) 
345
  returns(pump_status_0,pump_status_1,pump_status_2,pump_status_3:int); 
346
var 
347
  n_pumps_flow,n_pumps_to_open:int; 
348
  t0,t1,t2,t3:int;
349
let 
350
  n_pumps_flow = (if flow_0 then 1 else 0) + (if flow_1 then 1 else 0) + 
351
    (if flow_2 then 1 else 0) + (if flow_3 then 1 else 0); 
352
  n_pumps_to_open = n_pumps-n_pumps_flow; 
353
  
354
  pump_status_0 = 0 ->t0;
355
  pump_status_1 = 0 ->t1;
356
  pump_status_2 = 0 ->t2;
357
  pump_status_3 = 0 ->t3;
358
  
359
  (t0,t1,t2,t3) =
360
    operate_pumps(4, n_pumps_to_open, 
361
      pre(pump_status_0),pre(pump_status_1),pre(pump_status_2),pre(pump_status_3), 
362
      pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3, 
363
      flow_0,flow_1,flow_2,flow_3); 
364
tel
365

    
366
node transmission_failure(pump_state_0,pump_state_1,pump_state_2,pump_state_3:int) 
367
  returns(transmission_failure:bool); 
368
let 
369
  transmission_failure = pump_state_0=3 or pump_state_1=3 or pump_state_2=3 or pump_state_3=3; 
370
tel
371

    
372

    
373
node dangerous_level(q:int) returns(dangerous_level:bool); 
374
let 
375
  dangerous_level = (q <= 150) or (q >= 850); 
376
tel
377

    
378
node steam_failure_startup(steam:int) returns(steam_failure_startup:bool); 
379
let 
380
  steam_failure_startup=(steam<>0); 
381
tel
382

    
383

    
384
node critical_failure( 
385
  op_mode,steam,level_defect,steam_defect:int; 
386
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3:int; 
387
  q:int; 
388
  pump_state_0,pump_state_1,pump_state_2,pump_state_3:int) 
389
  returns(critical_failure:bool); 
390
let 
391
  critical_failure = transmission_failure(pump_state_0,pump_state_1,pump_state_2,pump_state_3) or 
392
    (op_mode=1 and steam_failure_startup(steam)) or 
393
    (op_mode=2 and (level_failure(level_defect) or steam_failure(steam_defect))) or 
394
    (op_mode=3 and dangerous_level(q)) or 
395
    (op_mode=4 and dangerous_level(q)) or 
396
    (op_mode=5 and (dangerous_level(q) or steam_failure(steam_defect) or AND(pump_failure(pump_defect_0),pump_failure(pump_defect_1),pump_failure(pump_defect_2),pump_failure(pump_defect_3)))); 
397
tel
398
  
399
node failure( 
400
  level_defect,steam_defect:int; 
401
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3:int) 
402
  returns(failure:bool); 
403
let 
404
  failure = level_failure(level_defect) or 
405
    steam_failure(steam_defect) or 
406
    OR(pump_failure(pump_defect_0),pump_failure(pump_defect_1),pump_failure(pump_defect_2),pump_failure(pump_defect_3)) or 
407
    OR(pump_control_failure(pump_control_defect_0),pump_control_failure(pump_control_defect_1),pump_control_failure(pump_control_defect_2),pump_control_failure(pump_control_defect_3)); 
408
tel
409

    
410
node ControlMode( 
411
  steam_boiler_waiting,physical_units_ready,stop_request:bool; 
412
  steam,level_defect,steam_defect:int; 
413
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3:int; 
414
  q:int; 
415
  pump_state_0,pump_state_1,pump_state_2,pump_state_3:int) 
416
  returns(op_mode :int); 
417
let 
418
  op_mode= 1-> 
419
    if (critical_failure(pre(op_mode), 
420
      steam, level_defect, steam_defect, pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3, q, pump_state_0,pump_state_1,pump_state_2,pump_state_3) or 
421
      stop_request or pre(op_mode)=6) then 
422
      6 
423
    else 
424
      if (pre(op_mode)=1) then 
425
        if steam_boiler_waiting then 2 else 1 
426
      else 
427
        if (pre(op_mode)=2 and not physical_units_ready) then 
428
          2 
429
        else 
430
          if level_failure(level_defect) then 
431
            5 
432
          else 
433
            if failure(level_defect, steam_defect, pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3, pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3) then 
434
              4 
435
            else 
436
              3; 
437
tel
438

    
439
 
440

    
441
 
442

    
443
 
444
 
445

    
446

    
447
node Valve(op_mode:int;q:int) returns (valve:bool;valve_state:int); 
448
let 
449
  valve_state=0-> 
450
    if (op_mode=2) then 
451
      if (q>600) then 
452
        1 
453
      else 
454
        if (q<=600) then 0 else pre(valve_state) 
455
    else 
456
      pre(valve_state); 
457
  valve =false-> 
458
    (valve_state<>pre(valve_state)); 
459
tel
460

    
461
 
462

    
463
node initialization_complete(op_mode,level:int;valve:bool) 
464
  returns(initialization_complete:bool); 
465
let 
466
  initialization_complete =(op_mode=2) and 
467
    ((400<=level) and (level<=600))and 
468
    not(valve); 
469
tel
470

    
471
 
472
node ControlOutput(op_mode,level:int;valve:bool) 
473
  returns(program_ready:bool;mode:int); 
474
let 
475
  program_ready=initialization_complete(op_mode,level,valve); 
476
  mode =op_mode; 
477
tel
478

    
479
 
480
node LevelOutput(op_mode,level_defect:int; level_repaired:bool) 
481
  returns (level_outcome_failure_detection, 
482
level_outcome_repaired_acknowledgement : bool); 
483
let 
484
  level_outcome_failure_detection= 
485
    not ((op_mode=6) or (op_mode=1)) and 
486
    (level_defect=1); 
487
  level_outcome_repaired_acknowledgement = 
488
    not ((op_mode=6) or (op_mode=1)) and 
489
    level_repaired; 
490
tel
491

    
492

    
493
node SteamOutput(op_mode,steam_defect:int; steam_repaired:bool) 
494
  returns (steam_outcome_failure_detection, 
495
steam_outcome_repaired_acknowledgement : bool); 
496
let 
497
  steam_outcome_failure_detection= 
498
    not ((op_mode=6) or (op_mode=1)) and 
499
    (steam_defect=1); 
500
  steam_outcome_repaired_acknowledgement = 
501
    not ((op_mode=6) or (op_mode=1)) and 
502
    steam_repaired; 
503
tel
504

    
505
 
506

    
507
node PumpsOutput(op_mode:int; 
508
  pump_status_0,pump_status_1,pump_status_2,pump_status_3,
509
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,
510
  pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3:int; 
511
  pump_repaired_0,pump_repaired_1,pump_repaired_2,pump_repaired_3,
512
  pump_control_repaired_0,pump_control_repaired_1,pump_control_repaired_2,pump_control_repaired_3:bool) 
513
  returns (open_pump_0,open_pump_1,open_pump_2,open_pump_3,
514
  close_pump_0,close_pump_1,close_pump_2,close_pump_3,
515
  pump_failure_detection_0,pump_failure_detection_1,pump_failure_detection_2,pump_failure_detection_3, 
516
  pump_repaired_acknowledgement_0,pump_repaired_acknowledgement_1,pump_repaired_acknowledgement_2,pump_repaired_acknowledgement_3,
517
  pump_control_failure_detection_0,pump_control_failure_detection_1,pump_control_failure_detection_2,pump_control_failure_detection_3, 
518
  pump_control_repaired_acknowledgement_0,pump_control_repaired_acknowledgement_1,pump_control_repaired_acknowledgement_2,pump_control_repaired_acknowledgement_3 : bool); 
519
let 
520
  open_pump_0 = 
521
     op_mode<>6 and op_mode<>1 and pump_status_0=2;
522
  open_pump_1 = 
523
     op_mode<>6 and op_mode<>1 and pump_status_1=2;
524
  open_pump_2 = 
525
     op_mode<>6 and op_mode<>1 and pump_status_2=2;
526
  open_pump_3 = 
527
     op_mode<>6 and op_mode<>1 and pump_status_3=2; 
528
    
529
  close_pump_0 = 
530
     op_mode<>6 and op_mode<>1 and pump_status_0=0 and pre(pump_status_0)<>0 and pump_defect_0=0 and pre(pump_defect_0)=0;
531
  close_pump_1 = 
532
     op_mode<>6 and op_mode<>1 and pump_status_0=0 and pre(pump_status_1)<>0 and pump_defect_0=0 and pre(pump_defect_1)=0;
533
  close_pump_2 = 
534
     op_mode<>6 and op_mode<>1 and pump_status_0=0 and pre(pump_status_2)<>0 and pump_defect_0=0 and pre(pump_defect_2)=0;
535
  close_pump_3 = 
536
     op_mode<>6 and op_mode<>1 and pump_status_0=0 and pre(pump_status_3)<>0 and pump_defect_0=0 and pre(pump_defect_3)=0;
537
    
538
  pump_failure_detection_0 = 
539
    op_mode<>6 and op_mode<>1 and pump_defect_0=1;
540
  pump_failure_detection_1 = 
541
     op_mode<>6 and op_mode<>1 and pump_defect_1=1;
542
  pump_failure_detection_2 = 
543
     op_mode<>6 and op_mode<>1 and pump_defect_2=1;
544
  pump_failure_detection_3 = 
545
     op_mode<>6 and op_mode<>1 and pump_defect_3=1;
546
    
547
  pump_repaired_acknowledgement_0 = 
548
    op_mode<>6 and op_mode<>1 and pump_repaired_0;
549
  pump_repaired_acknowledgement_1 = 
550
     op_mode<>6 and op_mode<>1 and pump_repaired_1;
551
  pump_repaired_acknowledgement_2 = 
552
     op_mode<>6 and op_mode<>1 and pump_repaired_2;
553
  pump_repaired_acknowledgement_3 = 
554
     op_mode<>6 and op_mode<>1 and pump_repaired_3;
555
    
556
  pump_control_failure_detection_0 = 
557
    op_mode<>6 and op_mode<>1 and pump_control_defect_0=1;
558
  pump_control_failure_detection_1 = 
559
    op_mode<>6 and op_mode<>1 and pump_control_defect_1=1;
560
  pump_control_failure_detection_2 = 
561
    op_mode<>6 and op_mode<>1 and pump_control_defect_2=1;
562
  pump_control_failure_detection_3 = 
563
    op_mode<>6 and op_mode<>1 and pump_control_defect_3=1;
564
    
565
  pump_control_repaired_acknowledgement_0 = 
566
    op_mode<>6 and op_mode<>1 and pump_control_repaired_0;
567
  pump_control_repaired_acknowledgement_1 = 
568
    op_mode<>6 and op_mode<>1 and pump_control_repaired_1;
569
  pump_control_repaired_acknowledgement_2 = 
570
    op_mode<>6 and op_mode<>1 and pump_control_repaired_2;
571
  pump_control_repaired_acknowledgement_3 = 
572
    op_mode<>6 and op_mode<>1 and pump_control_repaired_3;
573
tel
574

    
575
 
576

    
577
node BoilerController( 
578
  stop, 
579
  steam_boiler_waiting, 
580
  physical_units_ready : bool; 
581
  level : int; 
582
  steam : int; 
583
  pump_state_0,pump_state_1,pump_state_2,pump_state_3 : int; 
584
  pump_control_state_0,pump_control_state_1,pump_control_state_2,pump_control_state_3 : bool; 
585
  pump_repaired_0,pump_repaired_1,pump_repaired_2,pump_repaired_3 : bool; 
586
  pump_control_repaired_0,pump_control_repaired_1,pump_control_repaired_2,pump_control_repaired_3 : bool; 
587
  level_repaired : bool; 
588
  steam_repaired : bool; 
589
  pump_failure_acknowledgement_0,pump_failure_acknowledgement_1,pump_failure_acknowledgement_2,pump_failure_acknowledgement_3 : bool; 
590
  pump_control_failure_acknowledgement_0,pump_control_failure_acknowledgement_1,pump_control_failure_acknowledgement_2,pump_control_failure_acknowledgement_3 : bool; 
591
  level_failure_acknowledgement : bool; 
592
  steam_failure_acknowledgement : bool) 
593
  
594
  returns(
595
  program_ready : bool; 
596
  mode : int; 
597
  valve : bool; 
598
  open_pump_0,open_pump_1,open_pump_2,open_pump_3 : bool; 
599
  close_pump_0,close_pump_1,close_pump_2,close_pump_3 : bool; 
600
  pump_failure_detection_0,pump_failure_detection_1,pump_failure_detection_2,pump_failure_detection_3 : bool; 
601
  pump_control_failure_detection_0,pump_control_failure_detection_1,pump_control_failure_detection_2,pump_control_failure_detection_3 : bool; 
602
  level_failure_detection : bool; 
603
  steam_outcome_failure_detection : bool; 
604
  pump_repaired_acknowledgement_0,pump_repaired_acknowledgement_1,pump_repaired_acknowledgement_2,pump_repaired_acknowledgement_3 : bool; 
605
  pump_control_repaired_acknowledgement_0,pump_control_repaired_acknowledgement_1,pump_control_repaired_acknowledgement_2,pump_control_repaired_acknowledgement_3 : bool; 
606
  level_repaired_acknowledgement : bool; 
607
  steam_outcome_repaired_acknowledgement: bool); 
608
var 
609
  stop_request : bool; 
610
  op_mode : int; 
611
  q : int; 
612
  v : int; 
613
  p_0,p_1,p_2,p_3 : int; 
614
  valve_state : int; 
615
  n_pumps : int; 
616
  pump_status_0,pump_status_1,pump_status_2,pump_status_3 : int; 
617
  level_defect : int; 
618
  steam_defect : int; 
619
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3 : int; 
620
  pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3 : int; 
621
  flow_0,flow_1,flow_2,flow_3 : bool; 
622
  t00,t01,t10,t20,t30,t11,t21,t31:int;
623
  t02,t12,t22,t32,u4,u6:bool;
624
  t4,t5,t6,t7,t8,t9,u0,u1,u2,u3,u5,u7:int;
625
  a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a20,a21,a22,a23,a24:bool;
626
  b0,b1,b2,b3:bool;
627
let 
628
  stop_request = Operator(stop); 
629

    
630
  level_defect = 0-> 
631
    LevelDefect(level_failure_acknowledgement, level_repaired, level); 
632

    
633
  steam_defect = 0-> 
634
    SteamDefect(steam_failure_acknowledgement, steam_repaired, steam); 
635

    
636
  pump_defect_0 = 0 -> t00;
637
  pump_control_defect_0 = 0 -> t01;
638
  flow_0 = false -> t02;
639

    
640
  (t00,t01,t02) =
641
       PumpDefect(pump_failure_acknowledgement_0, pump_repaired_0, 
642
         pump_control_failure_acknowledgement_0, pump_control_repaired_0,
643
         pre(pump_status_0), pump_state_0, pump_control_state_0); 
644
         
645
  pump_defect_1 = 0 -> t10;
646
  pump_control_defect_1 = 0 -> t11;
647
  flow_1 = false -> t12;
648

    
649
  (t10,t11,t12) =
650
       PumpDefect(pump_failure_acknowledgement_1, pump_repaired_1, 
651
         pump_control_failure_acknowledgement_1, pump_control_repaired_1,
652
         pre(pump_status_1), pump_state_1, pump_control_state_1); 
653
         
654
  pump_defect_2 = 0 -> t20;
655
  pump_control_defect_2 = 0 -> t21;
656
  flow_2 = false -> t22;
657

    
658
  (t20,t21,t22) =
659
       PumpDefect(pump_failure_acknowledgement_2, pump_repaired_2, 
660
         pump_control_failure_acknowledgement_2, pump_control_repaired_2,
661
         pre(pump_status_2), pump_state_2, pump_control_state_2); 
662
         
663
  pump_defect_3 = 0 -> t30;
664
  pump_control_defect_3 = 0 -> t31;
665
  flow_3 = false -> t32;
666

    
667
  (t30,t31,t32) =
668
       PumpDefect(pump_failure_acknowledgement_3, pump_repaired_3, 
669
         pump_control_failure_acknowledgement_3, pump_control_repaired_3,
670
         pre(pump_status_3), pump_state_3, pump_control_state_3); 
671

    
672
  q = level -> t4;
673
  v = steam -> t5;
674
  p_0 = 0 -> t6;
675
  p_1 = 0 -> t7;
676
  p_2 = 0 -> t8;
677
  p_3 = 0 -> t9;
678

    
679
  (t4,t5,t6,t7,t8,t9) =
680
    Dynamics(pre(valve_state), level, steam, level_defect, steam_defect, flow_0,flow_1,flow_2,flow_3); 
681

    
682
  n_pumps = 0-> PumpsDecision(q,v); 
683

    
684
  pump_status_0 = 0 -> u0;
685
  pump_status_1 = 0 -> u1;
686
  pump_status_2 = 0 -> u2;
687
  pump_status_3 = 0 -> u3;
688
  
689
  (u0,u1,u2,u3) =
690
    PumpsStatus(n_pumps, pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,
691
      flow_0,flow_1,flow_2,flow_3); 
692

    
693
  op_mode = 1-> 
694
    ControlMode( steam_boiler_waiting, physical_units_ready, stop_request, steam, level_defect, steam_defect, pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3, pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3, q, pump_state_0,pump_state_1,pump_state_2,pump_state_3); 
695

    
696

    
697
  valve = false -> u4;
698
  valve_state = 0 -> u5;
699
  (u4,u5) =
700
    Valve(op_mode,q); 
701

    
702

    
703
  program_ready = false -> u6;
704
  mode = 1-> u7;
705
  
706
  (u6,u7) =
707
    ControlOutput(op_mode,level,valve); 
708

    
709
  open_pump_0=a1;
710
  open_pump_1=a2;
711
  open_pump_2=a3;
712
  open_pump_3=a4;
713
  close_pump_0=a5;
714
  close_pump_1=a6;
715
  close_pump_2=a7;
716
  close_pump_3=a8;
717
  pump_failure_detection_0=a9;
718
  pump_failure_detection_1=a10;
719
  pump_failure_detection_2=a11;
720
  pump_failure_detection_3=a12;
721
  pump_repaired_acknowledgement_0=a13;
722
  pump_repaired_acknowledgement_1=a14;
723
  pump_repaired_acknowledgement_2=a15;
724
  pump_repaired_acknowledgement_3=a16;
725
  pump_control_failure_detection_0=a17;
726
  pump_control_failure_detection_1=a18;
727
  pump_control_failure_detection_2=a19;
728
  pump_control_failure_detection_3=a20;
729
  pump_control_repaired_acknowledgement_0=a21;
730
  pump_control_repaired_acknowledgement_1=a22;
731
  pump_control_repaired_acknowledgement_2=a23;
732
  pump_control_repaired_acknowledgement_3=a24;
733
  
734
   (a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a20,a21,a22,a23,a24)=
735
      PumpsOutput(op_mode, pump_status_0,pump_status_1,pump_status_2,pump_status_3,
736
        pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,
737
        pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3,
738
        pump_repaired_0,pump_repaired_1,pump_repaired_2,pump_repaired_3,
739
        pump_control_repaired_0,pump_control_repaired_1,pump_control_repaired_2,pump_control_repaired_3); 
740

    
741
  level_failure_detection = false -> b0;
742
  level_repaired_acknowledgement = false -> b1;
743

    
744
  (b0,b1)=
745
    LevelOutput(op_mode,level_defect,level_repaired); 
746

    
747
  steam_outcome_failure_detection = false -> b2;
748
  steam_outcome_repaired_acknowledgement = false -> b3;
749
  (b2,b3)=
750
    SteamOutput(op_mode,steam_defect,steam_repaired); 
751
tel
752

    
753

    
754
--@ ensures OK;
755
node top(
756
  steam_boiler_waiting,physical_units_ready,stop_request:bool; 
757
  steam,level_defect,steam_defect:int; 
758
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3:int; 
759
  q:int; 
760
  pump_state_0,pump_state_1,pump_state_2,pump_state_3:int) 
761
  returns(OK:bool); 
762
var 
763
  op_mode :int; 
764
  mode_normal_then_water_level_ok, 
765
  mode_normal_then_no_stop_request:bool; 
766
let 
767
  op_mode= 
768
    ControlMode(
769
      steam_boiler_waiting,physical_units_ready,stop_request,
770
      steam,level_defect,steam_defect,
771
      pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3,
772
      q, pump_state_0,pump_state_1,pump_state_2,pump_state_3); 
773

    
774
  OK = 
775
    mode_normal_then_water_level_ok and 
776
    mode_normal_then_no_stop_request; 
777

    
778
  mode_normal_then_no_stop_request = 
779
    (op_mode=3 => not(stop_request)); 
780

    
781
  mode_normal_then_water_level_ok = 
782
    true ->
783
    (op_mode=3 and pre(op_mode)=3 =>
784
    not(dangerous_level(q))); 
785
--!k:2;
786
--!PROPERTY: OK=true;
787
  --%MAIN;
788
tel
789

    
790
 
791

    
(18-18/23)