Project

General

Profile

Download (23.8 KB) Statistics
| Branch: | Tag: | Revision:
1

    
2
node REDGE(S:bool) returns(REDGE:bool); 
3
let 
4
  REDGE= S -> S and not(pre(S)); 
5
tel
6
node sum(a_0,a_1,a_2,a_3:int) returns(sum:int); 
7
let 
8
  sum = a_0 +1- a_1 + a_2 + a_3; 
9
tel
10
node AND(a_0,a_1,a_2,a_3:bool) returns(AND:bool); 
11
let 
12
  AND = a_0 and a_1 and a_2 and a_3;
13
tel
14
node OR(a_0,a_1,a_2,a_3:bool) returns(OR:bool); 
15
let 
16
  OR = a_0 or a_1 or a_2 or a_3;
17
tel
18
node NOT(a_0,a_1,a_2,a_3:bool) returns(NOT_0,NOT_1,NOT_2,NOT_3:bool); 
19
let 
20
  NOT_0 = not a_0;
21
  NOT_1 = not a_1;
22
  NOT_2 = not a_2;
23
  NOT_3 = not a_3;
24
tel
25
node FEDGE1(S:bool) returns(FEDGE1:bool); 
26
let 
27
  FEDGE1= not(S) -> not(S) and pre(S); 
28
tel
29
node FEDGE2(S:bool) returns(FEDGE2:bool); 
30
let 
31
  FEDGE2= REDGE(not(S)); 
32
tel
33
node Verification(S1,S2:bool) returns(property_ok:bool); 
34
var property1,property2:bool; 
35
let 
36
  property1=FEDGE1(S1)=FEDGE2(S1); 
37
  property2=FEDGE1(S1)=REDGE(S2);
38
  property_ok=if (S2=not(S1)) then
39
(property1 and property2)
40
else true;
41
tel
42
node Operator(stop:bool) returns (stop_request:bool); 
43
var nb_stops:int; 
44
let 
45
  nb_stops = (if stop then 1 else 0) -> 
46
    if stop then pre(nb_stops)+1 else 0; 
47
  stop_request = (nb_stops>=3); 
48
tel
49
node Defect(statein:int; fail_cond,ack_chan,repair_chan:bool) 
50
  returns(stateout:int); 
51
let 
52
  stateout = if (statein=0) then 
53
    if fail_cond then 1 else 0 
54
    else 
55
      if (statein=1) then 
56
        if ack_chan then 2 else 1 
57
      else 
58
        if repair_chan then 0 else 2; 
59
tel
60
node level_failure_detect(level:int) returns(level_failure_detect:bool); 
61
let 
62
  level_failure_detect = ((level < 0) or (level > 1000)); 
63
tel
64
node steam_failure_detect(steam:int) returns(steam_failure_detect:bool); 
65
let 
66
  steam_failure_detect = ((steam < 0) or (steam > 25)); 
67
tel
68
node LevelDefect(level_failure_acknowledgement,level_repaired:bool; 
69
  level:int) 
70
  returns( LevelDefect:int); 
71
let 
72
  LevelDefect = 0 -> 
73
    Defect(pre(LevelDefect), level_failure_detect(level), level_failure_acknowledgement, level_repaired); 
74
tel
75
node SteamDefect(steam_failure_acknowledgement,steam_repaired:bool; 
76
  steam:int) 
77
  returns( SteamDefect:int); 
78
let 
79
  SteamDefect = 0 -> 
80
    Defect(pre(SteamDefect), steam_failure_detect(steam), steam_failure_acknowledgement, steam_repaired); 
81
tel
82
node pump_failure_detect(pump_status,pump_state:int; 
83
  pump_control_state:bool) 
84
  returns(pump_failure_detect,pump_control_failure_detect,flow:bool); 
85
let 
86
  pump_failure_detect = ((pump_status=0) and pump_state=1) 
87
    or (((pump_status=1) or (pump_status=2))and pump_state=0); 
88
  pump_control_failure_detect = (((pump_status=0) or 
89
    (pump_status=2)) and pump_state=0 and pump_control_state) 
90
    or ((pump_status=1) and pump_state=1 and not(pump_control_state)) 
91
    or ((pump_status=2) and pump_state=1 and pump_control_state); 
92
  flow = ((pump_status=0) and pump_state=1 and pump_control_state) 
93
    or ((pump_status=1) and pump_state=0 and pump_control_state) 
94
    or ((pump_status=1) and pump_state=1); 
95
tel
96
node PumpDefect( 
97
  pump_failure_acknowledgement,pump_repaired, 
98
  pump_control_failure_acknowledgement,pump_control_repaired:bool; 
99
  pump_status,pump_state:int; 
100
  pump_control_state:bool) 
101
  returns(PumpDefect,PumpControlDefect:int;Flow:bool); 
102
var 
103
  pump_failure_d, pump_control_failure_d:bool; 
104
let 
105
  (pump_failure_d, pump_control_failure_d, Flow) = pump_failure_detect(pump_status, pump_state, pump_control_state); 
106
  PumpDefect = 0 -> 
107
    Defect(pre(PumpDefect), pump_failure_d, pump_failure_acknowledgement, pump_repaired); 
108
  PumpControlDefect = 0 -> 
109
    Defect(pre(PumpControlDefect), pump_control_failure_d, pump_control_failure_acknowledgement, pump_control_repaired); 
110
tel
111
node level_failure(level_defect:int) returns(level_failure:bool); 
112
let 
113
  level_failure = (level_defect<>0); 
114
tel
115
node steam_failure(steam_defect:int) returns(steam_failure:bool); 
116
let 
117
  steam_failure = (steam_defect<>0); 
118
tel
119
node pump_failure(pump_defect:int) returns(pump_failure:bool); 
120
let 
121
  pump_failure = (pump_defect<>0); 
122
tel
123
node pump_control_failure(pump_defect:int) returns(pump_failure:bool); 
124
let 
125
  pump_failure = (pump_defect<>0); 
126
tel
127
node Dynamics(valve_state,level,steam,level_defect,steam_defect:int; 
128
  flow_0,flow_1,flow_2,flow_3:bool) 
129
  returns (q,v:int; p_0,p_1,p_2,p_3:int); 
130
let 
131
  q = level-> 
132
    if level_failure(level_defect) then 
133
      pre(q) - steam*5 + sum(p_0,p_1,p_2,p_3)*5 - (if valve_state=1 then 10*5 else 0) 
134
    else 
135
      level; 
136
  v = steam-> 
137
    if steam_failure(steam_defect) then 
138
      (pre(q) -q) div 5 + sum(p_0,p_1,p_2,p_3)*5 
139
    else 
140
      steam; 
141
  p_0 = 0-> 
142
    if (not(flow_0)) then 
143
      0 
144
    else 
145
      15; 
146
  p_1 = 0-> 
147
    if (not(flow_1)) then 
148
      0 
149
    else 
150
      15; 
151
  p_2 = 0-> 
152
    if (not(flow_2)) then 
153
      0 
154
    else 
155
      15; 
156
  p_3 = 0-> 
157
    if (not(flow_3)) then 
158
      0 
159
    else 
160
      15; 
161
tel
162
node PumpsDecision(q,v:int) returns (n_pumps:int); 
163
let 
164
  n_pumps = if q>600 then 
165
      (v div 15) 
166
    else 
167
      if q<400 then 
168
        (v div 15) +1 
169
      else 
170
        pre(n_pumps) ; 
171
tel
172
node operate_pumps(n, n_pumps_to_open:int; 
173
  pump_status_0,pump_status_1,pump_status_2,pump_status_3,
174
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3:int; 
175
  flow_0,flow_1,flow_2,flow_3:bool) 
176
  returns(operate_pumps_0,operate_pumps_1,operate_pumps_2,operate_pumps_3:int); 
177
let 
178
  operate_pumps_0 =  
179
      if ((n_pumps_to_open>0) and 
180
        not(flow_0) and 
181
        not(pump_failure(pump_defect_0)) and 
182
        (pump_status_0=0)) then 
183
        2 
184
      else 
185
        if ((n_pumps_to_open<0) and 
186
          flow_0 and 
187
          not(pump_failure(pump_defect_0)) and 
188
          (pump_status_0=1)) then 
189
          0 
190
        else 
191
          if (pump_status_0=2) then 
192
            1 
193
          else 
194
            if (pre(pump_defect_0)=2 and 
195
              pump_defect_0=0) then 
196
              if pump_status_0=1 then 
197
                0 
198
              else 
199
                1 
200
            else 
201
              pump_status_0; 
202
  operate_pumps_1 =  
203
      if ((n_pumps_to_open>0) and 
204
        not(flow_1) and 
205
        not(pump_failure(pump_defect_1)) and 
206
        (pump_status_1=0)) then 
207
        2 
208
      else 
209
        if ((n_pumps_to_open<0) and 
210
          flow_1 and 
211
          not(pump_failure(pump_defect_1)) and 
212
          (pump_status_1=1)) then 
213
          0 
214
        else 
215
          if (pump_status_1=2) then 
216
            1 
217
          else 
218
            if (pre(pump_defect_1)=2 and 
219
              pump_defect_1=0) then 
220
              if pump_status_1=1 then 
221
                0 
222
              else 
223
                1 
224
            else 
225
              pump_status_1; 
226
  operate_pumps_2 =  
227
      if ((n_pumps_to_open>0) and 
228
        not(flow_2) and 
229
        not(pump_failure(pump_defect_2)) and 
230
        (pump_status_2=0)) then 
231
        2 
232
      else 
233
        if ((n_pumps_to_open<0) and 
234
          flow_2 and 
235
          not(pump_failure(pump_defect_2)) and 
236
          (pump_status_2=1)) then 
237
          0 
238
        else 
239
          if (pump_status_2=2) then 
240
            1 
241
          else 
242
            if (pre(pump_defect_2)=2 and 
243
              pump_defect_2=0) then 
244
              if pump_status_2=1 then 
245
                0 
246
              else 
247
                1 
248
            else 
249
              pump_status_2; 
250
  operate_pumps_3 =  
251
      if ((n_pumps_to_open>0) and 
252
        not(flow_3) and 
253
        not(pump_failure(pump_defect_3)) and 
254
        (pump_status_3=0)) then 
255
        2 
256
      else 
257
        if ((n_pumps_to_open<0) and 
258
          flow_3 and 
259
          not(pump_failure(pump_defect_3)) and 
260
          (pump_status_3=1)) then 
261
          0 
262
        else 
263
          if (pump_status_3=2) then 
264
            1 
265
          else 
266
            if (pre(pump_defect_3)=2 and 
267
              pump_defect_3=0) then 
268
              if pump_status_3=1 then 
269
                0 
270
              else 
271
                1 
272
            else 
273
              pump_status_3; 
274
tel
275
node PumpsStatus( 
276
  n_pumps:int; 
277
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3:int; 
278
  flow_0,flow_1,flow_2,flow_3:bool) 
279
  returns(pump_status_0,pump_status_1,pump_status_2,pump_status_3:int); 
280
var 
281
  n_pumps_flow,n_pumps_to_open:int; 
282
  t0,t1,t2,t3:int;
283
let 
284
  n_pumps_flow = (if flow_0 then 1 else 0) + (if flow_1 then 1 else 0) + 
285
    (if flow_2 then 1 else 0) + (if flow_3 then 1 else 0); 
286
  n_pumps_to_open = n_pumps-n_pumps_flow; 
287
  pump_status_0 = 0 ->t0;
288
  pump_status_1 = 0 ->t1;
289
  pump_status_2 = 0 ->t2;
290
  pump_status_3 = 0 ->t3;
291
  (t0,t1,t2,t3) =
292
    operate_pumps(4, n_pumps_to_open, 
293
      pre(pump_status_0),pre(pump_status_1),pre(pump_status_2),pre(pump_status_3), 
294
      pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3, 
295
      flow_0,flow_1,flow_2,flow_3); 
296
tel
297
node transmission_failure(pump_state_0,pump_state_1,pump_state_2,pump_state_3:int) 
298
  returns(transmission_failure:bool); 
299
let 
300
  transmission_failure = pump_state_0=3 or pump_state_1=3 or pump_state_2=3 or pump_state_3=3; 
301
tel
302
node dangerous_level(q:int) returns(dangerous_level:bool); 
303
let 
304
  dangerous_level = (q <= 150) or (q >= 850); 
305
tel
306
node steam_failure_startup(steam:int) returns(steam_failure_startup:bool); 
307
let 
308
  steam_failure_startup=(steam<>0); 
309
tel
310
node critical_failure( 
311
  op_mode,steam,level_defect,steam_defect:int; 
312
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3:int; 
313
  q:int; 
314
  pump_state_0,pump_state_1,pump_state_2,pump_state_3:int) 
315
  returns(critical_failure:bool); 
316
let 
317
  critical_failure = transmission_failure(pump_state_0,pump_state_1,pump_state_2,pump_state_3) or 
318
    (op_mode=1 and steam_failure_startup(steam)) or 
319
    (op_mode=2 and (level_failure(level_defect) or steam_failure(steam_defect))) or 
320
    (op_mode=3 and dangerous_level(q)) or 
321
    (op_mode=4 and dangerous_level(q)) or 
322
    (op_mode=5 and (dangerous_level(q) or steam_failure(steam_defect) or AND(pump_failure(pump_defect_0),pump_failure(pump_defect_1),pump_failure(pump_defect_2),pump_failure(pump_defect_3)))); 
323
tel
324
node failure( 
325
  level_defect,steam_defect:int; 
326
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3:int) 
327
  returns(failure:bool); 
328
let 
329
  failure = level_failure(level_defect) or 
330
    steam_failure(steam_defect) or 
331
    OR(pump_failure(pump_defect_0),pump_failure(pump_defect_1),pump_failure(pump_defect_2),pump_failure(pump_defect_3)) or 
332
    OR(pump_control_failure(pump_control_defect_0),pump_control_failure(pump_control_defect_1),pump_control_failure(pump_control_defect_2),pump_control_failure(pump_control_defect_3)); 
333
tel
334
node ControlMode( 
335
  steam_boiler_waiting,physical_units_ready,stop_request:bool; 
336
  steam,level_defect,steam_defect:int; 
337
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3:int; 
338
  q:int; 
339
  pump_state_0,pump_state_1,pump_state_2,pump_state_3:int) 
340
  returns(op_mode :int); 
341
let 
342
  op_mode= 1-> 
343
    if (critical_failure(pre(op_mode), 
344
      steam, level_defect, steam_defect, pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3, q, pump_state_0,pump_state_1,pump_state_2,pump_state_3) or 
345
      stop_request or pre(op_mode)=6) then 
346
      6 
347
    else 
348
      if (pre(op_mode)=1) then 
349
        if steam_boiler_waiting then 2 else 1 
350
      else 
351
        if (pre(op_mode)=2 and not physical_units_ready) then 
352
          2 
353
        else 
354
          if level_failure(level_defect) then 
355
            5 
356
          else 
357
            if failure(level_defect, steam_defect, pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3, pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3) then 
358
              4 
359
            else 
360
              3; 
361
tel
362
node Valve(op_mode:int;q:int) returns (valve:bool;valve_state:int); 
363
let 
364
  valve_state=0-> 
365
    if (op_mode=2) then 
366
      if (q>600) then 
367
        1 
368
      else 
369
        if (q<=600) then 0 else pre(valve_state) 
370
    else 
371
      pre(valve_state); 
372
  valve =false-> 
373
    (valve_state<>pre(valve_state)); 
374
tel
375
node initialization_complete(op_mode,level:int;valve:bool) 
376
  returns(initialization_complete:bool); 
377
let 
378
  initialization_complete =(op_mode=2) and 
379
    ((400<=level) and (level<=600))and 
380
    not(valve); 
381
tel
382
node ControlOutput(op_mode,level:int;valve:bool) 
383
  returns(program_ready:bool;mode:int); 
384
let 
385
  program_ready=initialization_complete(op_mode,level,valve); 
386
  mode =op_mode; 
387
tel
388
node LevelOutput(op_mode,level_defect:int; level_repaired:bool) 
389
  returns (level_outcome_failure_detection, 
390
level_outcome_repaired_acknowledgement : bool); 
391
let 
392
  level_outcome_failure_detection= 
393
    not ((op_mode=6) or (op_mode=1)) and 
394
    (level_defect=1); 
395
  level_outcome_repaired_acknowledgement = 
396
    not ((op_mode=6) or (op_mode=1)) and 
397
    level_repaired; 
398
tel
399
node SteamOutput(op_mode,steam_defect:int; steam_repaired:bool) 
400
  returns (steam_outcome_failure_detection, 
401
steam_outcome_repaired_acknowledgement : bool); 
402
let 
403
  steam_outcome_failure_detection= 
404
    not ((op_mode=6) or (op_mode=1)) and 
405
    (steam_defect=1); 
406
  steam_outcome_repaired_acknowledgement = 
407
    not ((op_mode=6) or (op_mode=1)) and 
408
    steam_repaired; 
409
tel
410
node PumpsOutput(op_mode:int; 
411
  pump_status_0,pump_status_1,pump_status_2,pump_status_3,
412
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,
413
  pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3:int; 
414
  pump_repaired_0,pump_repaired_1,pump_repaired_2,pump_repaired_3,
415
  pump_control_repaired_0,pump_control_repaired_1,pump_control_repaired_2,pump_control_repaired_3:bool) 
416
  returns (open_pump_0,open_pump_1,open_pump_2,open_pump_3,
417
  close_pump_0,close_pump_1,close_pump_2,close_pump_3,
418
  pump_failure_detection_0,pump_failure_detection_1,pump_failure_detection_2,pump_failure_detection_3, 
419
  pump_repaired_acknowledgement_0,pump_repaired_acknowledgement_1,pump_repaired_acknowledgement_2,pump_repaired_acknowledgement_3,
420
  pump_control_failure_detection_0,pump_control_failure_detection_1,pump_control_failure_detection_2,pump_control_failure_detection_3, 
421
  pump_control_repaired_acknowledgement_0,pump_control_repaired_acknowledgement_1,pump_control_repaired_acknowledgement_2,pump_control_repaired_acknowledgement_3 : bool); 
422
let 
423
  open_pump_0 = 
424
     op_mode<>6 and op_mode<>1 and pump_status_0=2;
425
  open_pump_1 = 
426
     op_mode<>6 and op_mode<>1 and pump_status_1=2;
427
  open_pump_2 = 
428
     op_mode<>6 and op_mode<>1 and pump_status_2=2;
429
  open_pump_3 = 
430
     op_mode<>6 and op_mode<>1 and pump_status_3=2; 
431
    
432
  close_pump_0 = 
433
     op_mode<>6 and op_mode<>1 and pump_status_0=0 and pre(pump_status_0)<>0 and pump_defect_0=0 and pre(pump_defect_0)=0;
434
  close_pump_1 = 
435
     op_mode<>6 and op_mode<>1 and pump_status_0=0 and pre(pump_status_1)<>0 and pump_defect_0=0 and pre(pump_defect_1)=0;
436
  close_pump_2 = 
437
     op_mode<>6 and op_mode<>1 and pump_status_0=0 and pre(pump_status_2)<>0 and pump_defect_0=0 and pre(pump_defect_2)=0;
438
  close_pump_3 = 
439
     op_mode<>6 and op_mode<>1 and pump_status_0=0 and pre(pump_status_3)<>0 and pump_defect_0=0 and pre(pump_defect_3)=0;
440
    
441
  pump_failure_detection_0 = 
442
    op_mode<>6 and op_mode<>1 and pump_defect_0=1;
443
  pump_failure_detection_1 = 
444
     op_mode<>6 and op_mode<>1 and pump_defect_1=1;
445
  pump_failure_detection_2 = 
446
     op_mode<>6 and op_mode<>1 and pump_defect_2=1;
447
  pump_failure_detection_3 = 
448
     op_mode<>6 and op_mode<>1 and pump_defect_3=1;
449
    
450
  pump_repaired_acknowledgement_0 = 
451
    op_mode<>6 and op_mode<>1 and pump_repaired_0;
452
  pump_repaired_acknowledgement_1 = 
453
     op_mode<>6 and op_mode<>1 and pump_repaired_1;
454
  pump_repaired_acknowledgement_2 = 
455
     op_mode<>6 and op_mode<>1 and pump_repaired_2;
456
  pump_repaired_acknowledgement_3 = 
457
     op_mode<>6 and op_mode<>1 and pump_repaired_3;
458
    
459
  pump_control_failure_detection_0 = 
460
    op_mode<>6 and op_mode<>1 and pump_control_defect_0=1;
461
  pump_control_failure_detection_1 = 
462
    op_mode<>6 and op_mode<>1 and pump_control_defect_1=1;
463
  pump_control_failure_detection_2 = 
464
    op_mode<>6 and op_mode<>1 and pump_control_defect_2=1;
465
  pump_control_failure_detection_3 = 
466
    op_mode<>6 and op_mode<>1 and pump_control_defect_3=1;
467
    
468
  pump_control_repaired_acknowledgement_0 = 
469
    op_mode<>6 and op_mode<>1 and pump_control_repaired_0;
470
  pump_control_repaired_acknowledgement_1 = 
471
    op_mode<>6 and op_mode<>1 and pump_control_repaired_1;
472
  pump_control_repaired_acknowledgement_2 = 
473
    op_mode<>6 and op_mode<>1 and pump_control_repaired_2;
474
  pump_control_repaired_acknowledgement_3 = 
475
    op_mode<>6 and op_mode<>1 and pump_control_repaired_3;
476
tel
477
node BoilerController( 
478
  stop, 
479
  steam_boiler_waiting, 
480
  physical_units_ready : bool; 
481
  level : int; 
482
  steam : int; 
483
  pump_state_0,pump_state_1,pump_state_2,pump_state_3 : int; 
484
  pump_control_state_0,pump_control_state_1,pump_control_state_2,pump_control_state_3 : bool; 
485
  pump_repaired_0,pump_repaired_1,pump_repaired_2,pump_repaired_3 : bool; 
486
  pump_control_repaired_0,pump_control_repaired_1,pump_control_repaired_2,pump_control_repaired_3 : bool; 
487
  level_repaired : bool; 
488
  steam_repaired : bool; 
489
  pump_failure_acknowledgement_0,pump_failure_acknowledgement_1,pump_failure_acknowledgement_2,pump_failure_acknowledgement_3 : bool; 
490
  pump_control_failure_acknowledgement_0,pump_control_failure_acknowledgement_1,pump_control_failure_acknowledgement_2,pump_control_failure_acknowledgement_3 : bool; 
491
  level_failure_acknowledgement : bool; 
492
  steam_failure_acknowledgement : bool) 
493
  returns(
494
  program_ready : bool; 
495
  mode : int; 
496
  valve : bool; 
497
  open_pump_0,open_pump_1,open_pump_2,open_pump_3 : bool; 
498
  close_pump_0,close_pump_1,close_pump_2,close_pump_3 : bool; 
499
  pump_failure_detection_0,pump_failure_detection_1,pump_failure_detection_2,pump_failure_detection_3 : bool; 
500
  pump_control_failure_detection_0,pump_control_failure_detection_1,pump_control_failure_detection_2,pump_control_failure_detection_3 : bool; 
501
  level_failure_detection : bool; 
502
  steam_outcome_failure_detection : bool; 
503
  pump_repaired_acknowledgement_0,pump_repaired_acknowledgement_1,pump_repaired_acknowledgement_2,pump_repaired_acknowledgement_3 : bool; 
504
  pump_control_repaired_acknowledgement_0,pump_control_repaired_acknowledgement_1,pump_control_repaired_acknowledgement_2,pump_control_repaired_acknowledgement_3 : bool; 
505
  level_repaired_acknowledgement : bool; 
506
  steam_outcome_repaired_acknowledgement: bool); 
507
var 
508
  stop_request : bool; 
509
  op_mode : int; 
510
  q : int; 
511
  v : int; 
512
  p_0,p_1,p_2,p_3 : int; 
513
  valve_state : int; 
514
  n_pumps : int; 
515
  pump_status_0,pump_status_1,pump_status_2,pump_status_3 : int; 
516
  level_defect : int; 
517
  steam_defect : int; 
518
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3 : int; 
519
  pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3 : int; 
520
  flow_0,flow_1,flow_2,flow_3 : bool; 
521
  t00,t01,t10,t20,t30,t11,t21,t31:int;
522
  t02,t12,t22,t32,u4,u6:bool;
523
  t4,t5,t6,t7,t8,t9,u0,u1,u2,u3,u5,u7:int;
524
  a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a20,a21,a22,a23,a24:bool;
525
  b0,b1,b2,b3:bool;
526
let 
527
  stop_request = Operator(stop); 
528
  level_defect = 0-> 
529
    LevelDefect(level_failure_acknowledgement, level_repaired, level); 
530
  steam_defect = 0-> 
531
    SteamDefect(steam_failure_acknowledgement, steam_repaired, steam); 
532
  pump_defect_0 = 0 -> t00;
533
  pump_control_defect_0 = 0 -> t01;
534
  flow_0 = false -> t02;
535
  (t00,t01,t02) =
536
       PumpDefect(pump_failure_acknowledgement_0, pump_repaired_0, 
537
         pump_control_failure_acknowledgement_0, pump_control_repaired_0,
538
         pre(pump_status_0), pump_state_0, pump_control_state_0); 
539
  pump_defect_1 = 0 -> t10;
540
  pump_control_defect_1 = 0 -> t11;
541
  flow_1 = false -> t12;
542
  (t10,t11,t12) =
543
       PumpDefect(pump_failure_acknowledgement_1, pump_repaired_1, 
544
         pump_control_failure_acknowledgement_1, pump_control_repaired_1,
545
         pre(pump_status_1), pump_state_1, pump_control_state_1); 
546
  pump_defect_2 = 0 -> t20;
547
  pump_control_defect_2 = 0 -> t21;
548
  flow_2 = false -> t22;
549
  (t20,t21,t22) =
550
       PumpDefect(pump_failure_acknowledgement_2, pump_repaired_2, 
551
         pump_control_failure_acknowledgement_2, pump_control_repaired_2,
552
         pre(pump_status_2), pump_state_2, pump_control_state_2); 
553
  pump_defect_3 = 0 -> t30;
554
  pump_control_defect_3 = 0 -> t31;
555
  flow_3 = false -> t32;
556
  (t30,t31,t32) =
557
       PumpDefect(pump_failure_acknowledgement_3, pump_repaired_3, 
558
         pump_control_failure_acknowledgement_3, pump_control_repaired_3,
559
         pre(pump_status_3), pump_state_3, pump_control_state_3); 
560
  q = level -> t4;
561
  v = steam -> t5;
562
  p_0 = 0 -> t6;
563
  p_1 = 0 -> t7;
564
  p_2 = 0 -> t8;
565
  p_3 = 0 -> t9;
566
  (t4,t5,t6,t7,t8,t9) =
567
    Dynamics(pre(valve_state), level, steam, level_defect, steam_defect, flow_0,flow_1,flow_2,flow_3); 
568
  n_pumps = 0-> PumpsDecision(q,v); 
569
  pump_status_0 = 0 -> u0;
570
  pump_status_1 = 0 -> u1;
571
  pump_status_2 = 0 -> u2;
572
  pump_status_3 = 0 -> u3;
573
  (u0,u1,u2,u3) =
574
    PumpsStatus(n_pumps, pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,
575
      flow_0,flow_1,flow_2,flow_3); 
576
  op_mode = 1-> 
577
    ControlMode( steam_boiler_waiting, physical_units_ready, stop_request, steam, level_defect, steam_defect, pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3, pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3, q, pump_state_0,pump_state_1,pump_state_2,pump_state_3); 
578
  valve = false -> u4;
579
  valve_state = 0 -> u5;
580
  (u4,u5) =
581
    Valve(op_mode,q); 
582
  program_ready = false -> u6;
583
  mode = 1-> u7;
584
  (u6,u7) =
585
    ControlOutput(op_mode,level,valve); 
586
  open_pump_0=a1;
587
  open_pump_1=a2;
588
  open_pump_2=a3;
589
  open_pump_3=a4;
590
  close_pump_0=a5;
591
  close_pump_1=a6;
592
  close_pump_2=a7;
593
  close_pump_3=a8;
594
  pump_failure_detection_0=a9;
595
  pump_failure_detection_1=a10;
596
  pump_failure_detection_2=a11;
597
  pump_failure_detection_3=a12;
598
  pump_repaired_acknowledgement_0=a13;
599
  pump_repaired_acknowledgement_1=a14;
600
  pump_repaired_acknowledgement_2=a15;
601
  pump_repaired_acknowledgement_3=a16;
602
  pump_control_failure_detection_0=a17;
603
  pump_control_failure_detection_1=a18;
604
  pump_control_failure_detection_2=a19;
605
  pump_control_failure_detection_3=a20;
606
  pump_control_repaired_acknowledgement_0=a21;
607
  pump_control_repaired_acknowledgement_1=a22;
608
  pump_control_repaired_acknowledgement_2=a23;
609
  pump_control_repaired_acknowledgement_3=a24;
610
   (a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a20,a21,a22,a23,a24)=
611
      PumpsOutput(op_mode, pump_status_0,pump_status_1,pump_status_2,pump_status_3,
612
        pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,
613
        pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3,
614
        pump_repaired_0,pump_repaired_1,pump_repaired_2,pump_repaired_3,
615
        pump_control_repaired_0,pump_control_repaired_1,pump_control_repaired_2,pump_control_repaired_3); 
616
  level_failure_detection = false -> b0;
617
  level_repaired_acknowledgement = false -> b1;
618
  (b0,b1)=
619
    LevelOutput(op_mode,level_defect,level_repaired); 
620
  steam_outcome_failure_detection = false -> b2;
621
  steam_outcome_repaired_acknowledgement = false -> b3;
622
  (b2,b3)=
623
    SteamOutput(op_mode,steam_defect,steam_repaired); 
624
tel
625
--@ ensures OK;
626
node top(
627
  steam_boiler_waiting,physical_units_ready,stop_request:bool; 
628
  steam,level_defect,steam_defect:int; 
629
  pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3:int; 
630
  q:int; 
631
  pump_state_0,pump_state_1,pump_state_2,pump_state_3:int) 
632
  returns(OK:bool); 
633
var 
634
  op_mode :int; 
635
  mode_normal_then_water_level_ok, 
636
  mode_normal_then_no_stop_request:bool; 
637
let 
638
  op_mode= 
639
    ControlMode(
640
      steam_boiler_waiting,physical_units_ready,stop_request,
641
      steam,level_defect,steam_defect,
642
      pump_defect_0,pump_defect_1,pump_defect_2,pump_defect_3,pump_control_defect_0,pump_control_defect_1,pump_control_defect_2,pump_control_defect_3,
643
      q, pump_state_0,pump_state_1,pump_state_2,pump_state_3); 
644
  OK = 
645
    mode_normal_then_water_level_ok and 
646
    mode_normal_then_no_stop_request; 
647
  mode_normal_then_no_stop_request = 
648
    (op_mode=3 => not(stop_request)); 
649
  mode_normal_then_water_level_ok = 
650
    true ->
651
    (op_mode=3 and pre(op_mode)=3 =>
652
    not(dangerous_level(q))); 
653
  --%MAIN;
654
--!k:2;
655
--!PROPERTY:  OK=true;
656
tel
(20-20/23)