Modularisation Plug-in Tutorial: Difference between revisions

From Event-B
Jump to navigationJump to search
imported>Alexili
mNo edit summary
imported>Alexili
mNo edit summary
Line 1: Line 1:
==Modularisation Plug-in Tutorial==
 
Go to the [[Modularisation Plug-in|plug-in description page]].
Go to the [[Modularisation Plug-in|plug-in description page]].


The tutorial illustrates the use of the modularisation plug-in in an Event-B development. The example used is rather small scale but it still demonstrates some basic principles of introducing modules during the development process.
The tutorial illustrates the use of the modularisation plug-in in an Event-B development. The example used is rather small scale but it still demonstrates some basic principles of introducing modules during the development process.


===Sluice Control Example===
==Sluice Control Example==


The example is a sluice with two doors connecting areas with dramatically different pressures. The pressure difference makes it unsafe to open a door unless the pressure is leveled between the areas connected by the door. The purpose of the system is to adjust the pressure in the sluice area and control the door locks to allow a user to get safely inside to outside. Such system can be deployed, for example, on a submarine to allow divers to get out while submerged.  
The example is a sluice with two doors connecting areas with dramatically different pressures. The pressure difference makes it unsafe to open a door unless the pressure is leveled between the areas connected by the door. The purpose of the system is to adjust the pressure in the sluice area and control the door locks to allow a user to get safely inside to outside. Such system can be deployed, for example, on a submarine to allow divers to get out while submerged.  
Line 27: Line 27:
[[Image:SluiceControllerSolution.png|500px]]
[[Image:SluiceControllerSolution.png|500px]]


The shaded rectagles denote a pressure level, high pressure area corresponds to a higher rectangle. The "u" label marks the current position of a system user. Initially, a user is inside and the sluice pressure is levelled with the outside pressure. Before the door connecting to the sluice is opened, the pressure is decreased to level it with the inside pressure. Once the door is open, the user moves in, the door is sealed again. Finally, the sluice pressure is set to match the outside pressure and the door leading may be safely opened.
The shaded rectagles denote a pressure level, high pressure area corresponds to a higher rectangle. The "u" label marks the current position of a system user. Initially, a user is inside and the sluice pressure is levelled with the outside pressure. Before the door connecting to the sluice is opened, the pressure is decreased to level it with the inside pressure. Once the door is open, the user moves in, the door is sealed again. Finally, the sluice pressure is set to match the outside pressure and the door leading may be safely opened.
 
===Initial Model===
 
The initial model contains three variables, one for each major system part.
 
variables door1 door2 pressure error
 
The typing is as follows:
 
invariants
  @inv1 door1 ∈ BOOL
  @inv2 door2 ∈ BOOL
  @inv3 pressure ∈ {0,1}
  @inv7 error ∈ BOOL
 
The requirement 6 that at most one door may be open at any given moment translates into the following model invariant
 
@inv4 error = FALSE ∧ door1 = door2 ⇒ door1 = FALSE
 
We also formally state the when it is safe to open a door
 
@inv5 error = FALSE ∧ door1 = TRUE ⇒ pressure = 0
@inv6 error = FALSE ∧ door2 = TRUE ⇒ pressure = 1
 
The two invariants above correspond to the 5th requirement.

Revision as of 13:40, 22 October 2009

Go to the plug-in description page.

The tutorial illustrates the use of the modularisation plug-in in an Event-B development. The example used is rather small scale but it still demonstrates some basic principles of introducing modules during the development process.

Sluice Control Example

The example is a sluice with two doors connecting areas with dramatically different pressures. The pressure difference makes it unsafe to open a door unless the pressure is leveled between the areas connected by the door. The purpose of the system is to adjust the pressure in the sluice area and control the door locks to allow a user to get safely inside to outside. Such system can be deployed, for example, on a submarine to allow divers to get out while submerged.

The system parts are two doors that can be operated independently of each other and a pressure controller that allows the change of pressure in the sluice area. The following is a schematic depiction of the system.

The system is summarised with the following set of requirements:

  1. the system allows a user to get inside or outside by leveling pressure between room and a destination
  2. the system has three locations - outside, sluice and inside
  3. the system has two doors - door1, connecting outside and sluice, and door2, connecting sluice and inside;
  4. there is a device to change pressure in sluice;
  5. a door may be opened only if the pressures in the locations it connects is equalised;
  6. at most one door is open at any moment;
  7. the pressure can only be switched on when the doors are closed.

Requirements 1-4 characterise the system by stating its goal and its major parts. The last three characterise the system behaviour. More precisely, they are the safety properties of the system.

The following diagram shows the stages of the system operation that let a user to get outside starting in the inside area.

The shaded rectagles denote a pressure level, high pressure area corresponds to a higher rectangle. The "u" label marks the current position of a system user. Initially, a user is inside and the sluice pressure is levelled with the outside pressure. Before the door connecting to the sluice is opened, the pressure is decreased to level it with the inside pressure. Once the door is open, the user moves in, the door is sealed again. Finally, the sluice pressure is set to match the outside pressure and the door leading may be safely opened.

Initial Model

The initial model contains three variables, one for each major system part.

variables door1 door2 pressure error

The typing is as follows:

invariants
 @inv1 door1 ∈ BOOL
 @inv2 door2 ∈ BOOL
 @inv3 pressure ∈ {0,1}
 @inv7 error ∈ BOOL 	

The requirement 6 that at most one door may be open at any given moment translates into the following model invariant

@inv4 error = FALSE ∧ door1 = door2 ⇒ door1 = FALSE

We also formally state the when it is safe to open a door

@inv5 error = FALSE ∧ door1 = TRUE ⇒ pressure = 0
@inv6 error = FALSE ∧ door2 = TRUE ⇒ pressure = 1

The two invariants above correspond to the 5th requirement.