# Modelling a Lift Control System


```
Modelling a Lift Control System
Ken Robinson
January 29, 2009

CONTEXT Lift_ctx
SETS
DIRECTION
STATUS
CONSTANTS
MAXFLOOR
FLOOR
MAXLIFT
LIFT
UP
DOWN
STOPPED
MOVING
CHANGE
AXIOMS
axm1 :    MAXFLOOR ∈ ℕ1
axm2 :    FLOOR = 0 .. MAXFLOOR
axm3 :    MAXLIFT ∈ ℕ1
axm4 :    LIFT = 1 .. MAXLIFT
axm5 :    DIRECTION = {UP, DOWN}
axm6 :    UP ≠ DOWN
axm7 :    STATUS = {STOPPED, MOVING}
axm8 :    STOPPED ≠ MOVING
axm9 :    CHANGE ∈ DIRECTION ⤖ DIRECTION
axm10 :   CHANGE = {UP ↦ DOWN, DOWN ↦ UP}
THEOREMS
thm1 :    FLOOR ≠ ∅
END

MACHINE BasicLift
The machine models the basic lift movements.
The behaviour is all non-deterministic: there is no attempt to express any sort of lift control
or scheduling.
A discipline of lift direction is established: at level 0 the direction is UP; at level MAXFLOOR
the direction is DOWN; on other floors either direction is valid.
There are no doors.
There are no buttons.

SEES Lift_ctx

VARIABLES

liftposition
liftstatus
liftdirection

INVARIANTS

inv1 :       liftposition ∈ LIFT → FLOOR
inv2 :       liftstatus ∈ LIFT → STATUS
inv3 :       liftdirection ∈ LIFT → DIRECTION
inv4 :       ∀l·l ∈ LIFT ∧ liftposition(l) = 0 ⇒ liftdirection(l) = UP
inv5 :       ∀l·l ∈ LIFT ∧ liftposition(l) = MAXFLOOR ⇒ liftdirection(l) = DOWN
THEOREMS
thm1 :       ∀l·l ∈ LIFT ∧ liftdirection(l) = DOWN ⇒ liftposition(l) ≠ 0
thm2 :       ∀l·l ∈ LIFT ∧ liftdirection(l) = UP ⇒ liftposition(l) ≠ MAXFLOOR
thm3 :       ∀l·l ∈ LIFT ∧ liftdirection(l) = UP ⇒ liftposition(l) + 1 ≤ MAXFLOOR
EVENTS

Initialisation

begin

act1 :   liftposition, liftdirection, liftstatus :|
             liftposition' ∈ LIFT → FLOOR
           ∧ liftdirection' ∈ LIFT → DIRECTION
           ∧ liftstatus' ∈ LIFT → STATUS
           ∧ (∀l·l ∈ LIFT ∧ liftposition'(l) = 0 ⇒ liftdirection'(l) = UP)
           ∧ (∀m·m ∈ LIFT ∧ liftposition'(m) = MAXFLOOR ⇒ liftdirection'(m) = DOWN)
There seems to be a bug in Rodin. The two quantifications, in l and m, are
interfering. See PO Initialisation FIS!! Also, if the quantification over m is replaced
by quantification over l, which of course is legal, a syntax error is diagnosed!
end
Event StopLift =
Models a lift arriving at a floor and stopping
any
lift
where
grd1 :    lift ∈ LIFT
grd2 :    liftstatus(lift) = MOVING
then
act1 :    liftstatus(lift) := STOPPED
end
Event StartLift =
Models the starting of a STOPPED lift, maintaining the previous direction
any
lift
where
grd1 :    lift ∈ LIFT
grd2 :    liftstatus(lift) = STOPPED
then
act1 :    liftstatus(lift) := MOVING
end
Event ChangeDir =
Models the changing of direction of a STOPPED lift
any
lift
where
grd1 :   lift ∈ LIFT
grd2 :   liftstatus(lift) = STOPPED
grd3 :   liftposition(lift) ≠ 0
grd4 :   liftposition(lift) ≠ MAXFLOOR
then
act1 :   liftdirection(lift) := CHANGE(liftdirection(lift))
end
Event MoveUp =
Models a lift moving up to the next floor
any
lift
where
grd1   :   lift ∈ LIFT
grd2   :   liftstatus(lift) = MOVING
grd3   :   liftdirection(lift) = UP
then
act1   :   liftposition(lift) := liftposition(lift) + 1
act2   :   liftdirection :| liftdirection' ∈ LIFT → DIRECTION
             ∧ (liftposition(lift) + 1 = MAXFLOOR ⇒ liftdirection' = liftdirection <+ {lift ↦ DOWN})
             ∧ (liftposition(lift) + 1 ≠ MAXFLOOR ⇒ liftdirection' = liftdirection)
end
Event MoveDown =
Models a lift moving down to the next floor
any
lift
where
grd1   :   lift ∈ LIFT
grd2   :   liftstatus(lift) = MOVING
grd3   :   liftdirection(lift) = DOWN
then
act1   :   liftposition(lift) := liftposition(lift) − 1
act2   :   liftdirection :| liftdirection' ∈ LIFT → DIRECTION
             ∧ (liftposition(lift) = 1 ⇒ liftdirection' = liftdirection <+ {lift ↦ UP})
             ∧ (liftposition(lift) ≠ 1 ⇒ liftdirection' = liftdirection)
end
END

CONTEXT Doors_ctx

SETS

DOORS

CONSTANTS

OPEN
CLOSED

AXIOMS

axm1 :   DOORS = {OPEN, CLOSED}
axm2 :   OPEN ≠ CLOSED

END

MACHINE LiftPlusDoors
Lift doors must always be closed when the lift is moving
REFINES BasicLift
SEES Lift_ctx, Doors_ctx
VARIABLES
liftposition
liftstatus
liftdirection
liftdoorstatus
INVARIANTS
inv1 :       liftdoorstatus ∈ LIFT → DOORS
inv2 :       ∀l·l ∈ LIFT ∧ liftstatus(l) = MOVING ⇒ liftdoorstatus(l) = CLOSED
EVENTS
Initialisation
extended
begin
act2 :     liftdoorstatus := LIFT × {CLOSED}
end
Event OpenLiftDoor =
any
lift
where
grd1 :     lift ∈ LIFT
grd2 :     liftstatus(lift) = STOPPED
grd3 :     liftdoorstatus(lift) = CLOSED
then
act1 :     liftdoorstatus(lift) := OPEN
end
Event CloseLiftdoor =
any
lift
where
grd1 :   lift ∈ LIFT
grd2 :   liftstatus(lift) = STOPPED
then
act1 :   liftdoorstatus(lift) := CLOSED
end
Event StopLift =
Models a lift arriving at a floor and stopping
extends StopLift
begin
skip
end
Event StartLift =
Models the starting of a STOPPED lift, maintaining the previous direction
extends StartLift
when
grd3 :     liftdoorstatus(lift) = CLOSED
then
skip
end
Event ChangeDir =
Models the changing of direction of a STOPPED lift
extends ChangeDir
begin
skip
end
Event MoveUp =
Models a lift moving up to the next floor
extends MoveUp
begin
skip
end
Event MoveDown =
Models a lift moving down to the next floor
extends MoveDown
begin
skip
end
END

MACHINE LiftPlusFloorDoors
Floor doors may be OPEN only on the floor where a lift is stopped
The floor door opens AFTER the lift door opens
The floor door closes BEFORE the lift door closes
This ensures that floor door OPEN implies lift door OPEN
And if a lift is MOVING then the floor door for that lift is CLOSED on all floors

REFINES LiftPlusDoors

SEES Lift_ctx, Doors_ctx

VARIABLES

liftposition
liftstatus
liftdirection
liftdoorstatus
floordoorstatus

INVARIANTS

inv1 :       floordoorstatus ∈ LIFT → (FLOOR → DOORS)
inv2 :       ∀l·l ∈ LIFT ∧ liftdoorstatus(l) = CLOSED ⇒ floordoorstatus(l)(liftposition(l)) = CLOSED
The floor door opens AFTER the lift door opens
inv3 :       ∀l, f·l ∈ LIFT ∧ f ∈ FLOOR \ {liftposition(l)} ⇒ floordoorstatus(l)(f) = CLOSED
Floor doors may be OPEN only on the floor where a lift is stopped

THEOREMS
thm1 :       ∀l, f·l ∈ LIFT ∧ f ∈ FLOOR ∧ liftstatus(l) = MOVING ⇒ floordoorstatus(l)(f) = CLOSED
If a lift is MOVING then the floor door for that lift is CLOSED on all floors
thm2 :       ∀l·l ∈ LIFT ∧ floordoorstatus(l)(liftposition(l)) = OPEN ⇒ liftdoorstatus(l) = OPEN
Floor door OPEN implies lift door OPEN

EVENTS
Initialisation

begin

act1 :   liftposition, liftdirection, liftstatus :|
             liftposition' ∈ LIFT → FLOOR
           ∧ liftdirection' ∈ LIFT → DIRECTION
           ∧ liftstatus' ∈ LIFT → STATUS
           ∧ (∀l·l ∈ LIFT ∧ liftposition'(l) = 0 ⇒ liftdirection'(l) = UP)
           ∧ (∀m·m ∈ LIFT ∧ liftposition'(m) = MAXFLOOR ⇒ liftdirection'(m) = DOWN)
There seems to be a bug in Rodin. The two quantifications, in l and m, are
interfering. See PO Initialisation FIS!! Also, if the quantification over m is replaced
by quantification over l, which of course is legal, a syntax error is diagnosed!
act2 :   liftdoorstatus := LIFT × {CLOSED}
act3 :   floordoorstatus := LIFT × {FLOOR × {CLOSED}}
end

Event OpenFloorDoor =

any
lift
floor
where
grd1 :    lift ∈ LIFT
grd2 :    floor = liftposition(lift)
grd3 :    liftdoorstatus(lift) = OPEN
then
act1 :    floordoorstatus(lift) := floordoorstatus(lift) <+ {floor ↦ OPEN}
end

Event CloseFloorDoor =

any
lift
floor
where
grd1 :    lift ∈ LIFT
grd2 :    floor = liftposition(lift)
grd3 :    floordoorstatus(lift)(floor) = OPEN
then
act1 :    floordoorstatus(lift) := floordoorstatus(lift) <+ {floor ↦ CLOSED}
end

Event OpenLiftDoor =

extends OpenLiftDoor

begin
skip
end

Event CloseLiftdoor =

extends CloseLiftdoor

when
grd3 :   floordoorstatus(lift)(liftposition(lift)) = CLOSED
then
skip
end

Event StopLift =
Models a lift arriving at a floor and stopping

extends StopLift

begin
skip
end

Event StartLift =
Models the starting of a STOPPED lift, maintaining the previous direction

extends StartLift

begin
skip
end

Event ChangeDir =
Models the changing of direction of a STOPPED lift

extends ChangeDir

begin
skip
end

Event MoveUp =
Models a lift moving up to the next floor

extends MoveUp

begin
skip
end

Event MoveDown =
Models a lift moving down to the next floor

extends MoveDown

begin
skip
end

END

MACHINE LiftWithButtons
REFINES LiftPlusFloorDoors
SEES Lift_ctx, Doors_ctx
VARIABLES
liftposition
liftstatus
liftdirection
liftdoorstatus
floordoorstatus
extrequests
intrequests
INVARIANTS
inv1 :       extrequests ∈ FLOOR → ℙ(DIRECTION)
inv2 :       intrequests ∈ LIFT → ℙ(FLOOR)
EVENTS
Initialisation
extended
begin
act4 :     extrequests := FLOOR × {∅}
act5 :     intrequests := LIFT × {∅}
end
Event ChooseDirection =
any
floor
dir
where
grd2 :     floor ∈ FLOOR
grd1 :     dir ∈ DIRECTION
then
act1 :     extrequests(floor) := extrequests(floor) ∪ {dir}
end
Event ChooseFloor =
Models internal choice of floor in lift
any
lift
floor
where
grd2 :   lift ∈ LIFT
grd1 :   floor ∈ FLOOR
then
act1 :   intrequests(lift) := intrequests(lift) ∪ {floor}
end

Event StopLift =
Models a lift arriving at a ﬂoor and stopping

extends StopLift

begin
skip
end

Event StartLift =
Models the starting of a STOPPED lift, maintaining the previous direction

extends StartLift

begin
skip
end

Event ChangeDir =
Models the changing of direction of a STOPPED lift

extends ChangeDir

begin
skip
end

Event OpenFloorDoor =

extends OpenFloorDoor

begin
skip
end

Event CloseFloorDoor =

extends CloseFloorDoor

begin
skip
end

Event MoveUp =
Models a lift moving up to the next floor

extends MoveUp

begin
skip
end

Event MoveDown =
Models a lift moving down to the next floor

extends MoveDown

begin
skip
end

Event OpenLiftDoor =

extends OpenLiftDoor

begin
skip
end

Event CloseLiftdoor =

extends CloseLiftdoor

begin
skip
end

END


```
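The listing above is what Rodin prints; it does not show the proof obligations the tool discharges behind it. As an added worked example (not part of Ken Robinson's paper), here is the invariant-preservation obligation MoveUp/inv5/INV of BasicLift written out and discharged by hand, followed by the matching obligation for inv1 that explains why thm3 is stated. Primed identifiers denote Event-B after-state values, lift is the event parameter, and <+ is relational override.

```latex
\textbf{MoveUp/inv5/INV.}\quad
\text{Goal: } \forall l\cdot l\in\mathit{LIFT}\wedge \mathit{liftposition}'(l)=\mathit{MAXFLOOR}
  \Rightarrow \mathit{liftdirection}'(l)=\mathit{DOWN} \\
\text{Hypotheses: } \\
\quad \mathit{inv5}:\ \forall l\cdot l\in\mathit{LIFT}\wedge \mathit{liftposition}(l)=\mathit{MAXFLOOR}
  \Rightarrow \mathit{liftdirection}(l)=\mathit{DOWN} \\
\quad \mathit{grd3}:\ \mathit{liftdirection}(\mathit{lift})=\mathit{UP} \\
\quad \mathit{act1}:\ \mathit{liftposition}' = \mathit{liftposition} \mathbin{<\!+}
  \{\mathit{lift}\mapsto \mathit{liftposition}(\mathit{lift})+1\} \\
\quad \mathit{act2}:\ (\mathit{liftposition}(\mathit{lift})+1=\mathit{MAXFLOOR}
  \Rightarrow \mathit{liftdirection}'=\mathit{liftdirection}\mathbin{<\!+}\{\mathit{lift}\mapsto\mathit{DOWN}\}) \\
\qquad\quad \wedge\ (\mathit{liftposition}(\mathit{lift})+1\neq\mathit{MAXFLOOR}
  \Rightarrow \mathit{liftdirection}'=\mathit{liftdirection}) \\[4pt]
\text{Case } l\neq\mathit{lift}:\ \text{both overrides leave } l \text{ untouched, so }
  \mathit{liftposition}'(l)=\mathit{liftposition}(l) \text{ and }
  \mathit{liftdirection}'(l)=\mathit{liftdirection}(l);\ \mathit{inv5} \text{ gives the goal.} \\
\text{Case } l=\mathit{lift}:\ \mathit{liftposition}'(\mathit{lift})=\mathit{liftposition}(\mathit{lift})+1.
  \text{ If this equals } \mathit{MAXFLOOR}, \text{ the first conjunct of } \mathit{act2}
  \text{ gives } \mathit{liftdirection}'(\mathit{lift})=\mathit{DOWN};
  \text{ otherwise the antecedent of the goal is false.} \\[6pt]
\textbf{MoveUp/inv1/INV.}\quad
\text{Goal: } \mathit{liftposition}'\in\mathit{LIFT}\rightarrow\mathit{FLOOR},
  \text{ i.e. } \mathit{liftposition}(\mathit{lift})+1\le\mathit{MAXFLOOR}. \\
\text{From } \mathit{grd3} \text{ and the contrapositive of } \mathit{inv5},\
  \mathit{liftposition}(\mathit{lift})\neq\mathit{MAXFLOOR};
  \text{ with } \mathit{liftposition}(\mathit{lift})\in 0..\mathit{MAXFLOOR} \text{ (from } \mathit{inv1}\text{)}
  \text{ this is } \mathit{liftposition}(\mathit{lift})+1\le\mathit{MAXFLOOR}, \text{ which is thm3.}
```

The MoveDown obligations are symmetric, with liftposition(lift) = 1 playing the role of liftposition(lift) + 1 = MAXFLOOR and thm1 (DOWN ⇒ position ≠ 0) playing the role of thm2.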
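Rodin proves the invariants for every value of MAXFLOOR and MAXLIFT; a cheaper way to get a feel for what they say is to enumerate the state space for small constants and evaluate each invariant and theorem in every reachable state. The following is an added example, not part of Ken Robinson's model: a Python encoding of the LiftPlusFloorDoors machine (which, through extension, contains all events of BasicLift and LiftPlusDoors) with a breadth-first search over reachable states. The values MAXFLOOR = 2 and MAXLIFT = 1 are an assumption that keeps the state space tiny, and the flag that drops grd3 of StartLift (the lift door must be CLOSED before a STOPPED lift starts) is added here to show which properties break when that guard is missing.

```python
# Added example, not part of Ken Robinson's model: an explicit-state check of the
# LiftPlusFloorDoors machine. Each Event-B event becomes a guarded update on an
# immutable state, every reachable state is enumerated by breadth-first search, and
# the invariants and theorems of BasicLift, LiftPlusDoors and LiftPlusFloorDoors are
# evaluated in each state. MAXFLOOR and MAXLIFT are abstract constants in the model;
# the small values here are an assumption that keeps the state space tiny.
from collections import deque
from itertools import product

MAXFLOOR, MAXLIFT = 2, 1
FLOOR = range(0, MAXFLOOR + 1)        # axm2: FLOOR = 0 .. MAXFLOOR
LIFT = range(1, MAXLIFT + 1)          # axm4: LIFT = 1 .. MAXLIFT
UP, DOWN, STOPPED, MOVING, OPEN, CLOSED = "UP", "DOWN", "STOPPED", "MOVING", "OPEN", "CLOSED"
CHANGE = {UP: DOWN, DOWN: UP}         # axm10

# One lift is (position, status, direction, liftdoor, floordoors), floordoors being a
# tuple indexed by floor; the machine state is a tuple with one entry per lift.

def initial_states():
    """Initialisation: any typed values satisfying inv4/inv5 (act1), all doors CLOSED (act2, act3)."""
    one_lift = [(p, s, d, CLOSED, (CLOSED,) * len(FLOOR))
                for p, s, d in product(FLOOR, (STOPPED, MOVING), (UP, DOWN))
                if (p != 0 or d == UP) and (p != MAXFLOOR or d == DOWN)]
    return {tuple(lifts) for lifts in product(one_lift, repeat=len(LIFT))}

def successors(state, start_needs_closed_door=True):
    """All enabled events in `state`, as (event name, next state) pairs."""
    out = []
    for i, (pos, st, dr, ld, fd) in enumerate(state):
        def fire(event, **change):
            cur = {"pos": pos, "st": st, "dr": dr, "ld": ld, "fd": fd}
            cur.update(change)
            lifts = list(state)
            lifts[i] = (cur["pos"], cur["st"], cur["dr"], cur["ld"], cur["fd"])
            out.append((event, tuple(lifts)))
        def override(f, v):                     # fd <+ {f |-> v}
            return fd[:f] + (v,) + fd[f + 1:]
        if st == MOVING:
            fire("StopLift", st=STOPPED)
        if st == STOPPED and (ld == CLOSED or not start_needs_closed_door):
            fire("StartLift", st=MOVING)        # grd3 of LiftPlusDoors can be switched off
        if st == STOPPED and pos != 0 and pos != MAXFLOOR:
            fire("ChangeDir", dr=CHANGE[dr])
        if st == MOVING and dr == UP:           # act2: turn round on reaching the top
            fire("MoveUp", pos=pos + 1, dr=DOWN if pos + 1 == MAXFLOOR else dr)
        if st == MOVING and dr == DOWN:         # act2: turn round on reaching level 0
            fire("MoveDown", pos=pos - 1, dr=UP if pos == 1 else dr)
        if st == STOPPED and ld == CLOSED:
            fire("OpenLiftDoor", ld=OPEN)
        if st == STOPPED and fd[pos] == CLOSED:  # floor door closes BEFORE the lift door
            fire("CloseLiftdoor", ld=CLOSED)
        if ld == OPEN:                          # floor door opens AFTER the lift door
            fire("OpenFloorDoor", fd=override(pos, OPEN))
        if fd[pos] == OPEN:
            fire("CloseFloorDoor", fd=override(pos, CLOSED))
    return out

# Invariants and theorems of the three machines, each as a predicate on one lift.
PROPERTIES = {
    "BasicLift/inv4": lambda p, s, d, ld, fd: p != 0 or d == UP,
    "BasicLift/inv5": lambda p, s, d, ld, fd: p != MAXFLOOR or d == DOWN,
    "BasicLift/thm1": lambda p, s, d, ld, fd: d != DOWN or p != 0,
    "BasicLift/thm2": lambda p, s, d, ld, fd: d != UP or p != MAXFLOOR,
    "BasicLift/thm3": lambda p, s, d, ld, fd: d != UP or p + 1 <= MAXFLOOR,
    "LiftPlusDoors/inv2": lambda p, s, d, ld, fd: s != MOVING or ld == CLOSED,
    "LiftPlusFloorDoors/inv2": lambda p, s, d, ld, fd: ld != CLOSED or fd[p] == CLOSED,
    "LiftPlusFloorDoors/inv3": lambda p, s, d, ld, fd: all(fd[f] == CLOSED for f in FLOOR if f != p),
    "LiftPlusFloorDoors/thm1": lambda p, s, d, ld, fd: s != MOVING or all(v == CLOSED for v in fd),
    "LiftPlusFloorDoors/thm2": lambda p, s, d, ld, fd: fd[p] != OPEN or ld == OPEN,
}

def explore(start_needs_closed_door=True):
    """Breadth-first search of the reachable states; returns (state count, violations).
    Each violation is (event that produced the state, property name, offending lift)."""
    seen, queue, violations = set(), deque(), []
    for s0 in initial_states():
        seen.add(s0)
        queue.append(("Initialisation", s0))
    while queue:
        event, state = queue.popleft()
        for name, holds in PROPERTIES.items():
            for lift in state:
                if not holds(*lift):
                    violations.append((event, name, lift))
        for ev, nxt in successors(state, start_needs_closed_door):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((ev, nxt))
    return len(seen), violations

if __name__ == "__main__":
    n, bad = explore()
    print(f"refined model: {n} reachable states, {len(bad)} violations")
    n, bad = explore(start_needs_closed_door=False)
    print(f"StartLift without grd3: {n} states, first violation: {bad[0]}")
```

With the guard in place the search visits 16 states and reports no violation, matching the discharged obligations. Dropping grd3 of StartLift lets a lift start with its door OPEN, which breaks LiftPlusDoors/inv2 immediately and, one MoveUp later, LiftPlusFloorDoors/inv3 (a floor door left OPEN on a floor the lift has departed). Enumeration of this kind only covers the chosen constants; the Rodin proofs cover all of them.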
DOCUMENT INFO
Posted: 4/20/2010; language: English; pages: 14
Description: Modelling a Lift Control System