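--- Equational specification of a RailCab and a gate controller that exchange
--- messages over two channels, written as Full Maude functional modules.
---
--- Layout note: a Maude line comment runs from --- to the end of the physical
--- line, so every comment below sits on its own line and each statement starts
--- on a fresh line. With several statements sharing one physical line, any
--- declaration that follows a --- on that line is read as comment text.
---
--- Assurance note: every data module contains equations of the form
--- "ceq true = false if a = b", so any pair of equations that assigns two
--- different values to the same observer under the same condition makes
--- true = false derivable. A property proved from an inconsistent theory
--- carries no assurance, so the NOTE(review) markers below should be resolved
--- before relying on proofs over this specification.

--- Positions of the RailCab, with an equality predicate _~_ .
(fmod LOCATION is
  sort Location .
  ops endOfTS lastBrake leBrake noReturn opposite : -> Location .
  op appCross : -> Location .

  --- Distinct constants compare as false under _~_ . The operator is
  --- commutative, so one orientation per pair is enough.
  eq (endOfTS ~ lastBrake) = false .
  eq endOfTS ~ leBrake = false .
  eq endOfTS ~ noReturn = false .
  eq endOfTS ~ opposite = false .
  eq leBrake ~ lastBrake = false .
  eq lastBrake ~ opposite = false .
  eq lastBrake ~ noReturn = false .
  eq noReturn ~ leBrake = false .
  eq opposite ~ noReturn = false .
  eq leBrake ~ opposite = false .
  eq appCross ~ endOfTS = false .
  eq appCross ~ lastBrake = false .
  eq appCross ~ leBrake = false .
  eq appCross ~ noReturn = false .
  eq appCross ~ opposite = false .

  --- Identifying two distinct constants collapses Bool to true = false .
  ceq true = false if endOfTS = lastBrake .
  ceq true = false if endOfTS = leBrake .
  ceq true = false if endOfTS = noReturn .
  ceq true = false if endOfTS = opposite .
  ceq true = false if leBrake = lastBrake .
  ceq true = false if lastBrake = opposite .
  ceq true = false if lastBrake = noReturn .
  ceq true = false if noReturn = leBrake .
  ceq true = false if opposite = noReturn .
  ceq true = false if leBrake = opposite .
  ceq true = false if appCross = endOfTS .
  ceq true = false if appCross = lastBrake .
  ceq true = false if appCross = leBrake .
  ceq true = false if appCross = noReturn .
  ceq true = false if appCross = opposite .

  op _~_ : Location Location -> Bool [comm] .
  vars L1 L2 : Location .
  eq (L1 ~ L1) = true .
  --- Not used for rewriting: the right-hand side has a variable that the
  --- left-hand side does not bind.
  ceq L1 = L2 if L1 ~ L2 [nonexec] .
endfm)

--- Running state of the RailCab.
--- Unlike LOCATION, this module has no equations that reduce _~_ on two
--- distinct constants to false, so a term such as braked ~ running is not
--- simplified by rewriting alone.
--- NOTE(review): conditions of the form (rStatus(S) ~ running) = false in
--- RAILCAB-NEW depend on that; confirm the prover supplies the missing cases.
(fmod STATUS is
  sort Status .
  op _~_ : Status Status -> Bool [comm] .
  ops running braked eBraked : -> Status .
  ceq true = false if running = braked .
  ceq true = false if braked = eBraked .
  ceq true = false if running = eBraked .
  vars S1 S2 : Status .
  eq (S1 ~ S1) = true .
  ceq S1 = S2 if (S1 ~ S2) = true [nonexec] .
endfm)

--- Answer carried by a response: grant, reject, or unknown.
--- As in STATUS, no equation reduces _~_ on two distinct constants to false.
(fmod SIGNAL is
  sort Signal .
  ops grant reject unknown : -> Signal [ctor] .
  op _~_ : Signal Signal -> Bool [comm] .
  vars G1 G2 : Signal .
  eq (G1 ~ G1) = true .
  ceq true = false if grant = reject .
  ceq true = false if grant = unknown .
  ceq true = false if reject = unknown .
  ceq G1 = G2 if (G1 ~ G2) [nonexec] .
endfm)

--- Messages and message sequences. Juxtaposition is associative with identity
--- empty, so a single message is also a sequence.
(fmod MSGSET is
  inc SIGNAL .
  sorts Msg MsgSeq .
  subsort Msg < MsgSeq .
  op empty : -> MsgSeq [ctor] .
  op __ : MsgSeq MsgSeq -> MsgSeq [assoc id: empty] .
  op respMsg : Signal -> Msg .
  op passed : -> Msg .
  op reqMsg : -> Msg .
  op chkMsg : -> Msg .
  op gateMsg : Signal -> Msg .
  var M : Msg .
  var MS : MsgSeq .
  var B : Bool .

  --- Message equality. The inequalities below cover respMsg and gateMsg with
  --- grant and reject only; the unknown signal is not listed.
  op _~_ : Msg Msg -> Bool [comm] .
  eq (M ~ M) = true .
  eq respMsg(grant) ~ passed = false .
  eq respMsg(reject) ~ passed = false .
  eq respMsg(grant) ~ reqMsg = false .
  eq respMsg(reject) ~ reqMsg = false .
  eq respMsg(grant) ~ chkMsg = false .
  eq respMsg(reject) ~ chkMsg = false .
  eq respMsg(grant) ~ gateMsg(grant) = false .
  eq respMsg(grant) ~ gateMsg(reject) = false .
  eq respMsg(reject) ~ gateMsg(grant) = false .
  eq respMsg(reject) ~ gateMsg(reject) = false .
  eq passed ~ reqMsg = false .
  eq passed ~ chkMsg = false .
  eq passed ~ gateMsg(grant) = false .
  eq passed ~ gateMsg(reject) = false .
  eq chkMsg ~ reqMsg = false .
  eq gateMsg(grant) ~ reqMsg = false .
  eq gateMsg(reject) ~ reqMsg = false .
  eq chkMsg ~ gateMsg(grant) = false .
  eq chkMsg ~ gateMsg(reject) = false .
  var M' : Msg .
  var MS' : MsgSeq .
  ceq M = M' if M ~ M' [nonexec] .

  --- Sequence equality, compared from the right-hand end.
  op _~~_ : MsgSeq MsgSeq -> Bool [comm] .
  eq (MS ~~ MS) = true .
  eq (MS M ~~ MS' M') = (M ~ M') and (MS ~~ MS') .
  eq (empty ~~ M MS) = false .
endfm)

--- Bool extended with a constant undef and an equality predicate.
(fmod BOOL-EXT is
  extending BOOL .
  op undef : -> Bool .
  op _~_ : Bool Bool -> Bool [comm] .
  eq (B:Bool ~ B:Bool) = true .
  ceq true = false if true ~ false [nonexec] .
endfm )

--- Control states s1 to s5 of the controller.
--- As in STATUS, no equation reduces _~_ on two distinct labels to false.
(fmod LABEL is
  sort Label .
  ops s1 s2 s3 s4 s5 : -> Label .
  op _~_ : Label Label -> Bool [comm] .
  vars L1 L2 : Label .
  eq (L1 ~ L1) = true .
  ceq true = false if s1 = s2 .
  ceq true = false if s1 = s3 .
  ceq true = false if s1 = s4 .
  ceq true = false if s2 = s3 .
  ceq true = false if s2 = s4 .
  ceq true = false if s3 = s4 .
  ceq true = false if s5 = s4 .
  ceq true = false if s3 = s5 .
  ceq true = false if s2 = s5 .
  ceq true = false if s1 = s5 .
  ceq L1 = L2 if L1 ~ L2 [nonexec] .
endfm )

--- The system: a state of sort Sys is a term built from init by applying
--- transition constructors, and eight observers give the value of each state
--- component. For every transition there is one group of equations per
--- observer it can change, followed by frame equations for the observers it
--- leaves untouched.
(fmod RAILCAB-NEW is
  protecting LOCATION .
  protecting STATUS .
  protecting MSGSET .
  protecting BOOL-EXT .
  protecting LABEL .
  sort Sys .

  --- 18 constructors
  op init : -> Sys [ctor] .
  --- behavior of RailCab
  op sendReq : Sys -> Sys [ctor] .
  op recResp : Sys Signal -> Sys [ctor] .
  op brake : Sys -> Sys [ctor] .
  op move2leb : Sys -> Sys [ctor] .
  op eBrake : Sys Signal -> Sys [ctor] .
  op move2nr : Sys -> Sys [ctor] .
  op cross : Sys -> Sys [ctor] .
  op sendPass : Sys -> Sys [ctor] .
  op sendAppReq : Sys -> Sys [ctor] .
  op recAppResp : Sys Signal -> Sys [ctor] .
  --- behavior of controller
  op recReq : Sys -> Sys [ctor] .
  op sendResp : Sys -> Sys [ctor] .
  op closeGate : Sys -> Sys [ctor] .
  op openGate : Sys -> Sys [ctor] .
  op recAppReq : Sys -> Sys [ctor] .
  op sendAppResp : Sys -> Sys [ctor] .
  op getPass : Sys -> Sys [ctor] .

  --- 8 observers
  op loc : Sys -> Location .
  op channel1 : Sys -> MsgSeq .
  op channel2 : Sys -> MsgSeq .
  op rStatus : Sys -> Status .
  op gate : Sys -> Bool .
  op pass : Sys -> Signal .
  op conLoc : Sys -> Label .
  op appResult : Sys -> Signal .

  var S : Sys .
  var B : Bool .
  var G : Signal .
  var Q : MsgSeq .

  --- Initial state: RailCab running at endOfTS, both channels empty,
  --- controller in s1, gate false, pass and appResult set to unknown.
  eq loc(init) = endOfTS .
  eq channel2(init) = empty .
  eq channel1(init) = empty .
  eq rStatus(init) = running .
  eq conLoc(init) = s1 .
  eq gate(init) = false .
  eq pass(init) = unknown .
  eq appResult(init) = unknown .

  --- sendReq
  --- At endOfTS the RailCab moves to appCross and puts reqMsg at the left
  --- end of channel1; at any other location nothing changes.
  ceq loc(sendReq(S)) = appCross
    if (loc(S) = endOfTS) [metadata "CA-"] .
  ceq loc(sendReq(S)) = loc(S)
    if (loc(S) ~ endOfTS) = false [metadata "CA-"] .
  ceq channel1(sendReq(S)) = (reqMsg channel1(S))
    if loc(S) = endOfTS [metadata "CA-"] .
  ceq channel1(sendReq(S)) = channel1(S)
    if (loc(S) ~ endOfTS) = false [metadata "CA-"] .
  eq channel2(sendReq(S)) = channel2(S) .
  eq rStatus(sendReq(S)) = rStatus(S) .
  eq gate(sendReq(S)) = gate(S) .
  eq pass(sendReq(S)) = pass(S) .
  eq conLoc(sendReq(S)) = conLoc(S) .
  eq appResult(sendReq(S)) = appResult(S) .

  --- sendAppReq
  --- At appCross the RailCab moves to lastBrake and puts chkMsg at the left
  --- end of channel1.
  ceq loc(sendAppReq(S)) = lastBrake
    if loc(S) = appCross [metadata "CA-"] .
  ceq loc(sendAppReq(S)) = loc(S)
    if (loc(S) ~ appCross) = false [metadata "CA-"] .
  ceq channel1(sendAppReq(S)) = (chkMsg channel1(S))
    if loc(S) = appCross [metadata "CA-"] .
  ceq channel1(sendAppReq(S)) = channel1(S)
    if (loc(S) ~ appCross) = false [metadata "CA-"] .
  eq channel2(sendAppReq(S)) = channel2(S) .
  eq rStatus(sendAppReq(S)) = rStatus(S) .
  eq gate(sendAppReq(S)) = gate(S) .
  eq pass(sendAppReq(S)) = pass(S) .
  eq conLoc(sendAppReq(S)) = conLoc(S) .
  eq appResult(sendAppReq(S)) = appResult(S) .

  --- recResp
  --- Senders add messages on the left and receivers match the rightmost
  --- message. When the rightmost message of channel2 is respMsg(G), it is
  --- removed and pass becomes G; for the other listed messages channel2 and
  --- pass are unchanged. No equation covers an empty channel2.
  ceq channel2(recResp(S,G)) = Q
    if (Q respMsg(G)) := channel2(S) [metadata "CA-"] .
  ceq channel2(recResp(S,G)) = channel2(S)
    if (Q passed) := channel2(S) [metadata "CA-"] .
  ceq channel2(recResp(S,G)) = channel2(S)
    if (Q reqMsg) := channel2(S) [metadata "CA-"] .
  ceq channel2(recResp(S,G)) = channel2(S)
    if (Q chkMsg) := channel2(S) [metadata "CA-"] .
  ceq channel2(recResp(S,G)) = channel2(S)
    if (Q gateMsg(G)) := channel2(S) [metadata "CA-"] .
  ceq pass(recResp(S,G)) = G
    if (Q respMsg(G)) := channel2(S) [metadata "CA-"] .
  ceq pass(recResp(S,G)) = pass(S)
    if (Q passed) := channel2(S) [metadata "CA-"] .
  ceq pass(recResp(S,G)) = pass(S)
    if (Q reqMsg) := channel2(S) [metadata "CA-"] .
  ceq pass(recResp(S,G)) = pass(S)
    if (Q chkMsg) := channel2(S) [metadata "CA-"] .
  ceq pass(recResp(S,G)) = pass(S)
    if (Q gateMsg(G)) := channel2(S) [metadata "CA-"] .
  eq rStatus(recResp(S,G)) = rStatus(S) .
  eq loc(recResp(S,G)) = loc(S) .
  eq gate(recResp(S,G)) = gate(S) .
  eq conLoc(recResp(S,G)) = conLoc(S) .
  eq channel1(recResp(S,G)) = channel1(S) .
  eq appResult(recResp(S,G)) = appResult(S) .

  --- recAppResp
  --- When the rightmost message of channel2 is gateMsg(G), it is removed and
  --- appResult becomes G; for the other listed messages nothing changes.
  ceq channel2(recAppResp(S,G)) = Q
    if (Q gateMsg(G)) := channel2(S) [metadata "CA-"] .
  ceq channel2(recAppResp(S,G)) = channel2(S)
    if (Q passed) := channel2(S) [metadata "CA-"] .
  ceq channel2(recAppResp(S,G)) = channel2(S)
    if (Q reqMsg) := channel2(S) [metadata "CA-"] .
  ceq channel2(recAppResp(S,G)) = channel2(S)
    if (Q chkMsg) := channel2(S) [metadata "CA-"] .
  ceq channel2(recAppResp(S,G)) = channel2(S)
    if (Q respMsg(G)) := channel2(S) [metadata "CA-"] .
  ceq appResult(recAppResp(S,G)) = G
    if (Q gateMsg(G)) := channel2(S) [metadata "CA-"] .
  ceq appResult(recAppResp(S,G)) = appResult(S)
    if (Q passed) := channel2(S) [metadata "CA-"] .
  ceq appResult(recAppResp(S,G)) = appResult(S)
    if (Q reqMsg) := channel2(S) [metadata "CA-"] .
  ceq appResult(recAppResp(S,G)) = appResult(S)
    if (Q chkMsg) := channel2(S) [metadata "CA-"] .
  ceq appResult(recAppResp(S,G)) = appResult(S)
    if (Q respMsg(G)) := channel2(S) [metadata "CA-"] .
  eq rStatus(recAppResp(S,G)) = rStatus(S) .
  eq loc(recAppResp(S,G)) = loc(S) .
  eq gate(recAppResp(S,G)) = gate(S) .
  eq conLoc(recAppResp(S,G)) = conLoc(S) .
  eq channel1(recAppResp(S,G)) = channel1(S) .
  eq pass(recAppResp(S,G)) = pass(S) .

  --- brake
  --- A running RailCab at lastBrake becomes braked when pass is reject or
  --- appResult is reject.
  ceq rStatus(brake(S)) = braked
    if rStatus(S) = running /\ loc(S) = lastBrake /\ pass(S) = reject
    [metadata "CA-"] .
  ceq rStatus(brake(S)) = braked
    if rStatus(S) = running /\ loc(S) = lastBrake /\ appResult(S) = reject
    [metadata "CA-"] .
  ceq rStatus(brake(S)) = rStatus(S)
    if (rStatus(S) ~ running) = false [metadata "CA-"] .
  ceq rStatus(brake(S)) = rStatus(S)
    if (loc(S) ~ lastBrake) = false [metadata "CA-"] .
  ceq rStatus(brake(S)) = rStatus(S)
    if (pass(S) ~ reject) = false /\ (appResult(S) ~ reject) = false
    [metadata "CA-"] .
  eq channel1(brake(S)) = channel1(S) .
  eq channel2(brake(S)) = channel2(S) .
  eq gate(brake(S)) = gate(S) .
  eq pass(brake(S)) = pass(S) .
  eq conLoc(brake(S)) = conLoc(S) .
  eq loc(brake(S)) = loc(S) .
  eq appResult(brake(S)) = appResult(S) .

  --- move2leb
  --- A running RailCab moves from lastBrake to leBrake when neither pass nor
  --- appResult is reject.
  ceq loc(move2leb(S)) = leBrake
    if rStatus(S) = running /\ loc(S) = lastBrake
       /\ (pass(S) ~ reject) = false /\ (appResult(S) ~ reject) = false
    [metadata "CA-"] .
  ceq loc(move2leb(S)) = loc(S)
    if (rStatus(S) ~ running) = false [metadata "CA-"] .
  ceq loc(move2leb(S)) = loc(S)
    if (loc(S) ~ lastBrake) = false [metadata "CA-"] .
  ceq loc(move2leb(S)) = loc(S)
    if pass(S) = reject [metadata "CA-"] .
  ceq loc(move2leb(S)) = loc(S)
    if appResult(S) = reject [metadata "CA-"] .
  eq channel1(move2leb(S)) = channel1(S) .
  eq channel2(move2leb(S)) = channel2(S) .
  eq gate(move2leb(S)) = gate(S) .
  eq pass(move2leb(S)) = pass(S) .
  eq conLoc(move2leb(S)) = conLoc(S) .
  eq rStatus(move2leb(S)) = rStatus(S) .
  eq appResult(move2leb(S)) = appResult(S) .

  --- eBrake
  --- A running RailCab at leBrake becomes eBraked when pass is not grant and
  --- the rightmost message of channel2 is not a respMsg, or when appResult is
  --- not grant and the rightmost message is not a gateMsg.
  --- NOTE(review): the two unchanged-status equations further down that match
  --- respMsg(G) and gateMsg(G) carry no other condition, so they overlap with
  --- the eBraked equations that match the same rightmost message. In such a
  --- state rStatus is equated both to eBraked and to rStatus(S), which is
  --- running. Confirm the intended guards.
  ceq rStatus(eBrake(S,G)) = eBraked
    if loc(S) = leBrake /\ (pass(S) ~ grant) = false /\ rStatus(S) = running
       /\ (Q passed) := channel2(S) [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = eBraked
    if loc(S) = leBrake /\ (pass(S) ~ grant) = false /\ rStatus(S) = running
       /\ (Q reqMsg) := channel2(S) [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = eBraked
    if loc(S) = leBrake /\ (pass(S) ~ grant) = false /\ rStatus(S) = running
       /\ (Q chkMsg) := channel2(S) [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = eBraked
    if loc(S) = leBrake /\ (pass(S) ~ grant) = false /\ rStatus(S) = running
       /\ (Q gateMsg(G)) := channel2(S) [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = eBraked
    if loc(S) = leBrake /\ (appResult(S) ~ grant) = false
       /\ rStatus(S) = running
       /\ (Q respMsg(G)) := channel2(S) [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = eBraked
    if loc(S) = leBrake /\ (appResult(S) ~ grant) = false
       /\ rStatus(S) = running
       /\ (Q passed) := channel2(S) [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = eBraked
    if loc(S) = leBrake /\ (appResult(S) ~ grant) = false
       /\ rStatus(S) = running
       /\ (Q reqMsg) := channel2(S) [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = eBraked
    if loc(S) = leBrake /\ (appResult(S) ~ grant) = false
       /\ rStatus(S) = running
       /\ (Q chkMsg) := channel2(S) [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = rStatus(S)
    if (loc(S) ~ leBrake) = false [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = rStatus(S)
    if (rStatus(S) ~ running) = false [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = rStatus(S)
    if pass(S) = grant /\ appResult(S) = grant [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = rStatus(S)
    if (Q respMsg(G)) := channel2(S) [metadata "CA-"] .
  ceq rStatus(eBrake(S,G)) = rStatus(S)
    if (Q gateMsg(G)) := channel2(S) [metadata "CA-"] .
  eq channel1(eBrake(S,G)) = channel1(S) .
  eq channel2(eBrake(S,G)) = channel2(S) .
  eq gate(eBrake(S,G)) = gate(S) .
  eq pass(eBrake(S,G)) = pass(S) .
  eq conLoc(eBrake(S,G)) = conLoc(S) .
  eq loc(eBrake(S,G)) = loc(S) .
  eq appResult(eBrake(S,G)) = appResult(S) .

  --- move2nr
  --- A running RailCab moves from leBrake to noReturn only when both pass and
  --- appResult are grant.
  ceq loc(move2nr(S)) = noReturn
    if rStatus(S) = running /\ loc(S) = leBrake
       /\ pass(S) = grant /\ appResult(S) = grant [metadata "CA-"] .
  ceq loc(move2nr(S)) = loc(S)
    if (rStatus(S) ~ running) = false [metadata "CA-"] .
  ceq loc(move2nr(S)) = loc(S)
    if (loc(S) ~ leBrake) = false [metadata "CA-"] .
  ceq loc(move2nr(S)) = loc(S)
    if (pass(S) ~ grant) = false [metadata "CA-"] .
  ceq loc(move2nr(S)) = loc(S)
    if (appResult(S) ~ grant) = false [metadata "CA-"] .
  eq channel1(move2nr(S)) = channel1(S) .
  eq channel2(move2nr(S)) = channel2(S) .
  eq gate(move2nr(S)) = gate(S) .
  eq pass(move2nr(S)) = pass(S) .
  eq conLoc(move2nr(S)) = conLoc(S) .
  eq rStatus(move2nr(S)) = rStatus(S) .
  eq appResult(move2nr(S)) = appResult(S) .

  --- cross
  --- From noReturn the RailCab moves to opposite.
  ceq loc(cross(S)) = opposite
    if loc(S) = noReturn [metadata "CA-"] .
  ceq loc(cross(S)) = loc(S)
    if (loc(S) ~ noReturn) = false [metadata "CA-"] .
  eq channel1(cross(S)) = channel1(S) .
  eq channel2(cross(S)) = channel2(S) .
  eq gate(cross(S)) = gate(S) .
  eq pass(cross(S)) = pass(S) .
  eq conLoc(cross(S)) = conLoc(S) .
  eq rStatus(cross(S)) = rStatus(S) .
  eq appResult(cross(S)) = appResult(S) .

  --- sendPass
  --- At opposite the RailCab returns to endOfTS and puts passed on channel2.
  --- NOTE(review): getPass matches passed on channel1, while this transition
  --- writes it to channel2, the channel the RailCab itself reads in recResp
  --- and recAppResp. Confirm which channel is intended.
  ceq loc(sendPass(S)) = endOfTS
    if loc(S) = opposite [metadata "CA-"] .
  ceq loc(sendPass(S)) = loc(S)
    if (loc(S) ~ opposite) = false [metadata "CA-"] .
  ceq channel2(sendPass(S)) = (passed channel2(S))
    if loc(S) = opposite [metadata "CA-"] .
  ceq channel2(sendPass(S)) = channel2(S)
    if (loc(S) ~ opposite) = false [metadata "CA-"] .
  eq channel1(sendPass(S)) = channel1(S) .
  eq gate(sendPass(S)) = gate(S) .
  eq pass(sendPass(S)) = pass(S) .
  eq conLoc(sendPass(S)) = conLoc(S) .
  eq rStatus(sendPass(S)) = rStatus(S) .
  eq appResult(sendPass(S)) = appResult(S) .

  --- The following equations define the controller's behavior.

  --- recReq
  --- In s1, when the rightmost message of channel1 is reqMsg, the controller
  --- removes it and moves to s2.
  --- NOTE(review): the unchanged-case equations for conLoc and channel1 that
  --- match reqMsg have no guard on conLoc, so in s1 they overlap with the
  --- equations that move to s2 and consume the message. getPass and recAppReq
  --- do not list their own trigger message among the unchanged cases.
  ceq conLoc(recReq(S)) = s2
    if conLoc(S) = s1 /\ (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recReq(S)) = conLoc(S)
    if (conLoc(S) ~ s1) = false [metadata "CA-"] .
  ceq conLoc(recReq(S)) = conLoc(S)
    if (Q respMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recReq(S)) = conLoc(S)
    if (Q respMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recReq(S)) = conLoc(S)
    if (Q passed) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recReq(S)) = conLoc(S)
    if (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recReq(S)) = conLoc(S)
    if (Q chkMsg) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recReq(S)) = conLoc(S)
    if (Q gateMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recReq(S)) = conLoc(S)
    if (Q gateMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq channel1(recReq(S)) = Q
    if conLoc(S) = s1 /\ (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq channel1(recReq(S)) = channel1(S)
    if (conLoc(S) ~ s1) = false [metadata "CA-"] .
  ceq channel1(recReq(S)) = channel1(S)
    if (Q respMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq channel1(recReq(S)) = channel1(S)
    if (Q respMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq channel1(recReq(S)) = channel1(S)
    if (Q passed) := channel1(S) [metadata "CA-"] .
  ceq channel1(recReq(S)) = channel1(S)
    if (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq channel1(recReq(S)) = channel1(S)
    if (Q chkMsg) := channel1(S) [metadata "CA-"] .
  ceq channel1(recReq(S)) = channel1(S)
    if (Q gateMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq channel1(recReq(S)) = channel1(S)
    if (Q gateMsg(reject)) := channel1(S) [metadata "CA-"] .
  eq channel2(recReq(S)) = channel2(S) .
  eq gate(recReq(S)) = gate(S) .
  eq pass(recReq(S)) = pass(S) .
  eq loc(recReq(S)) = loc(S) .
  eq rStatus(recReq(S)) = rStatus(S) .
  eq appResult(recReq(S)) = appResult(S) .

  --- sendResp
  --- In s2 the controller answers on channel2: respMsg(grant) and back to s1
  --- when gate is true, respMsg(reject) and on to s3 when gate is false.
  ceq conLoc(sendResp(S)) = s1
    if conLoc(S) = s2 /\ gate(S) = true [metadata "CA-"] .
  ceq conLoc(sendResp(S)) = s3
    if conLoc(S) = s2 /\ gate(S) = false [metadata "CA-"] .
  ceq conLoc(sendResp(S)) = conLoc(S)
    if (conLoc(S) ~ s2) = false [metadata "CA-"] .
  ceq channel2(sendResp(S)) = (respMsg(grant) channel2(S))
    if conLoc(S) = s2 /\ gate(S) = true [metadata "CA-"] .
  ceq channel2(sendResp(S)) = (respMsg(reject) channel2(S))
    if conLoc(S) = s2 /\ gate(S) = false [metadata "CA-"] .
  ceq channel2(sendResp(S)) = channel2(S)
    if (conLoc(S) ~ s2) = false [metadata "CA-"] .
  eq channel1(sendResp(S)) = channel1(S) .
  eq gate(sendResp(S)) = gate(S) .
  eq pass(sendResp(S)) = pass(S) .
  eq loc(sendResp(S)) = loc(S) .
  eq rStatus(sendResp(S)) = rStatus(S) .
  eq appResult(sendResp(S)) = appResult(S) .

  --- closeGate
  --- In s3 the controller sets gate to true and returns to s1.
  ceq conLoc(closeGate(S)) = s1
    if conLoc(S) = s3 [metadata "CA-"] .
  ceq conLoc(closeGate(S)) = conLoc(S)
    if (conLoc(S) ~ s3) = false [metadata "CA-"] .
  ceq gate(closeGate(S)) = true
    if conLoc(S) = s3 [metadata "CA-"] .
  ceq gate(closeGate(S)) = gate(S)
    if (conLoc(S) ~ s3) = false [metadata "CA-"] .
  eq channel1(closeGate(S)) = channel1(S) .
  eq channel2(closeGate(S)) = channel2(S) .
  eq pass(closeGate(S)) = pass(S) .
  eq loc(closeGate(S)) = loc(S) .
  eq rStatus(closeGate(S)) = rStatus(S) .
  eq appResult(closeGate(S)) = appResult(S) .

  --- getPass
  --- In s1, when the rightmost message of channel1 is passed, the controller
  --- removes it and moves to s4.
  ceq conLoc(getPass(S)) = s4
    if conLoc(S) = s1 /\ (Q passed) := channel1(S) [metadata "CA-"] .
  ceq conLoc(getPass(S)) = conLoc(S)
    if (conLoc(S) ~ s1) = false [metadata "CA-"] .
  ceq conLoc(getPass(S)) = conLoc(S)
    if (Q respMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq conLoc(getPass(S)) = conLoc(S)
    if (Q respMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq conLoc(getPass(S)) = conLoc(S)
    if (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq conLoc(getPass(S)) = conLoc(S)
    if (Q gateMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq conLoc(getPass(S)) = conLoc(S)
    if (Q chkMsg) := channel1(S) [metadata "CA-"] .
  ceq conLoc(getPass(S)) = conLoc(S)
    if (Q gateMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq channel1(getPass(S)) = Q
    if conLoc(S) = s1 /\ (Q passed) := channel1(S) [metadata "CA-"] .
  ceq channel1(getPass(S)) = channel1(S)
    if (conLoc(S) ~ s1) = false [metadata "CA-"] .
  ceq channel1(getPass(S)) = channel1(S)
    if (Q respMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq channel1(getPass(S)) = channel1(S)
    if (Q respMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq channel1(getPass(S)) = channel1(S)
    if (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq channel1(getPass(S)) = channel1(S)
    if (Q gateMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq channel1(getPass(S)) = channel1(S)
    if (Q chkMsg) := channel1(S) [metadata "CA-"] .
  ceq channel1(getPass(S)) = channel1(S)
    if (Q gateMsg(grant)) := channel1(S) [metadata "CA-"] .
  eq channel2(getPass(S)) = channel2(S) .
  eq gate(getPass(S)) = gate(S) .
  eq pass(getPass(S)) = pass(S) .
  eq loc(getPass(S)) = loc(S) .
  eq rStatus(getPass(S)) = rStatus(S) .
  eq appResult(getPass(S)) = appResult(S) .

  --- openGate
  --- In s4 the controller sets gate to false and returns to s1.
  ceq conLoc(openGate(S)) = s1
    if conLoc(S) = s4 [metadata "CA-"] .
  ceq conLoc(openGate(S)) = conLoc(S)
    if (conLoc(S) ~ s4) = false [metadata "CA-"] .
  ceq gate(openGate(S)) = false
    if conLoc(S) = s4 [metadata "CA-"] .
  ceq gate(openGate(S)) = gate(S)
    if (conLoc(S) ~ s4) = false [metadata "CA-"] .
  eq channel1(openGate(S)) = channel1(S) .
  eq channel2(openGate(S)) = channel2(S) .
  eq pass(openGate(S)) = pass(S) .
  eq loc(openGate(S)) = loc(S) .
  eq rStatus(openGate(S)) = rStatus(S) .
  eq appResult(openGate(S)) = appResult(S) .

  --- sendAppResp
  --- In s5 the controller answers on channel2 with gateMsg(grant) when gate is
  --- true and gateMsg(reject) when gate is false, then returns to s1.
  --- NOTE(review): the reject equation was previously guarded by
  --- gate(S) = true, the same condition as the grant equation. That equated
  --- gateMsg(grant) channel2(S) with gateMsg(reject) channel2(S) in one state
  --- and left the gate-false case without any equation. The guard now mirrors
  --- sendResp; confirm against the intended protocol.
  ceq conLoc(sendAppResp(S)) = s1
    if conLoc(S) = s5 [metadata "CA-"] .
  ceq conLoc(sendAppResp(S)) = conLoc(S)
    if (conLoc(S) ~ s5) = false [metadata "CA-"] .
  ceq channel2(sendAppResp(S)) = (gateMsg(grant) channel2(S))
    if conLoc(S) = s5 /\ gate(S) = true [metadata "CA-"] .
  ceq channel2(sendAppResp(S)) = (gateMsg(reject) channel2(S))
    if conLoc(S) = s5 /\ gate(S) = false [metadata "CA-"] .
  ceq channel2(sendAppResp(S)) = channel2(S)
    if (conLoc(S) ~ s5) = false [metadata "CA-"] .
  eq channel1(sendAppResp(S)) = channel1(S) .
  eq gate(sendAppResp(S)) = gate(S) .
  eq pass(sendAppResp(S)) = pass(S) .
  eq loc(sendAppResp(S)) = loc(S) .
  eq rStatus(sendAppResp(S)) = rStatus(S) .
  eq appResult(sendAppResp(S)) = appResult(S) .

  --- recAppReq
  --- In s1, when the rightmost message of channel1 is chkMsg, the controller
  --- removes it and moves to s5.
  --- NOTE(review): the reqMsg case appears twice in each group below; the
  --- repetition is redundant and is kept as written.
  ceq conLoc(recAppReq(S)) = s5
    if conLoc(S) = s1 /\ (Q chkMsg) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recAppReq(S)) = conLoc(S)
    if (conLoc(S) ~ s1) = false [metadata "CA-"] .
  ceq conLoc(recAppReq(S)) = conLoc(S)
    if (Q respMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recAppReq(S)) = conLoc(S)
    if (Q respMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recAppReq(S)) = conLoc(S)
    if (Q passed) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recAppReq(S)) = conLoc(S)
    if (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recAppReq(S)) = conLoc(S)
    if (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recAppReq(S)) = conLoc(S)
    if (Q gateMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq conLoc(recAppReq(S)) = conLoc(S)
    if (Q gateMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq channel1(recAppReq(S)) = Q
    if conLoc(S) = s1 /\ (Q chkMsg) := channel1(S) [metadata "CA-"] .
  ceq channel1(recAppReq(S)) = channel1(S)
    if (conLoc(S) ~ s1) = false [metadata "CA-"] .
  ceq channel1(recAppReq(S)) = channel1(S)
    if (Q respMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq channel1(recAppReq(S)) = channel1(S)
    if (Q respMsg(reject)) := channel1(S) [metadata "CA-"] .
  ceq channel1(recAppReq(S)) = channel1(S)
    if (Q passed) := channel1(S) [metadata "CA-"] .
  ceq channel1(recAppReq(S)) = channel1(S)
    if (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq channel1(recAppReq(S)) = channel1(S)
    if (Q reqMsg) := channel1(S) [metadata "CA-"] .
  ceq channel1(recAppReq(S)) = channel1(S)
    if (Q gateMsg(grant)) := channel1(S) [metadata "CA-"] .
  ceq channel1(recAppReq(S)) = channel1(S)
    if (Q gateMsg(reject)) := channel1(S) [metadata "CA-"] .
  eq channel2(recAppReq(S)) = channel2(S) .
  eq gate(recAppReq(S)) = gate(S) .
  eq pass(recAppReq(S)) = pass(S) .
  eq loc(recAppReq(S)) = loc(S) .
  eq rStatus(recAppReq(S)) = rStatus(S) .
  eq appResult(recAppReq(S)) = appResult(S) .
endfm)

eof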