-- in railcab-trans-new.cafe
--
-- Assumptions of an update:
--   1. the current state should be preserved
--   2. new functionalities should be initialized
--
-- Criteria for a correct update:
--   1. the system should finally reach an updatable state; otherwise, it must be braked
--   2. after being updated, the system should satisfy the desired properties
--
-- In this example, the problem is:
--   a. when the railcab is crossing the intersection, the gate must be closed.
--   b. when the railcab can cross the intersection (when the gate is closed and the
--      railcab is granted permission to cross), it must cross.

mod! RAILCAB-UPDATE-1 {
  inc(RAILCAB-NEW)
  inc(RAILCAB-OLD)
  [OldState NewState < ONState]
  -- one possible update:
  -- from any old state to the new initial state;
  -- this corresponds to an offline update
  trans [update-1] :
    (loc-o: LOC:Location) (rStatus-o: T:Status) (pass-o: S:Signal)
    (channel1-o: CH1:QMsg) (channel2-o: CH2:QMsg) (conLoc-O: L:Label)
    (gate-o: B:Bool)
    => (loc-n: endOfTS), (rStatus-n: running), (pass-n: unknown),
       (channel1-n: empty), (channel2-n: empty), (conLoc-N: s1),
       (gate-n: false), (appResult: unknown) .
}

mod! RAILCAB-UPDATE-2 {
  inc(RAILCAB-NEW)
  inc(RAILCAB-OLD)
  [OldState NewState < ONState]
  -- this is a bad update:
  -- after updating, it is possible that
  -- the railcab is at the noReturn location
  -- but the gate is still open
  ctrans [update-2] :
    (loc-o: LOC:Location) (rStatus-o: T:Status) (pass-o: S:Signal)
    (channel1-o: CH1:QMsg) (channel2-o: CH2:QMsg) (conLoc-O: L:Label)
    (gate-o: B:Bool)
    => (loc-n: LOC), (rStatus-n: T), (pass-n: S), (conLoc-N: L),
       (channel1-n: CH1:QMsg), (channel2-n: CH2:QMsg), (gate-n: B),
       (appResult: (if B then grant else unknown fi))
    if not (LOC = noReturn) .
  -- Question: when should we update?
  -- if the system is already in a bad state, we should do an offline update;
  -- if the system is running correctly, the updated system should also run correctly.
}

-- a correct update
mod!
RAILCAB-UPDATE-3 {
  inc(RAILCAB-NEW)
  inc(RAILCAB-OLD)
  [OldState NewState < ONState]
  -- intended as a correct update (compare update-2):
  -- the update is only taken when channel1 is empty and the
  -- controller is at s1, so that the new system does not start
  -- from a state in which the railcab is at noReturn
  -- while the gate is still open
  ctrans [update-3] :
    (loc-o: LOC:Location) (rStatus-o: T:Status) (pass-o: S:Signal)
    (channel1-o: empty) (channel2-o: CH2:QMsg) (conLoc-O: s1)
    (gate-o: B:Bool)
    => (loc-n: LOC), (rStatus-n: T), (pass-n: S), (conLoc-N: s1),
       (channel1-n: empty), (channel2-n: CH2:QMsg), (gate-n: B),
       (appResult: (if B then grant else unknown fi))
    if not (LOC = noReturn) .
}

eof

-- check whether, after being updated, the system will
-- reach a state where the railcab is at noReturn
-- but the gate is still open
-- (note: no module named RAILCAB-UPDATE is defined above; this check
--  is meant to be run against one of RAILCAB-UPDATE-1/2/3)
open RAILCAB-UPDATE .
  red init-o =(*,*)=>+ (gate-n: false), (loc-n: noReturn), S:NewState .
close