CSC2108F : Automated Verification
Assignment 2, Part 1: SMV
Due: Wednesday, October 17, class time.
You can work on this part of the assignment with a partner.
You are to specify and verify the behavior of a simple elevator system.
The system consists of one elevator that services a building
with three floors.
Each floor has a request button that a
user presses to get the elevator to come to that floor and open its
doors. Inside the elevator, there is one request button for
each of the three floors; passengers press these buttons to get the
elevator to go to a particular floor and open its doors. If the
elevator moves between floors, it should do so within one time unit
(e.g., the elevator should not move for two consecutive states between
floors $i$ and $i+1$). However, the elevator cannot move between
floors 1 and 3 in one time unit.
There is an OpenDoor button, in addition to the call and destination
buttons of the elevator. If the OpenDoor
button is pressed when the elevator is not moving,
then the door should open (remain open) for an extra time
unit, i.e., for an extra state. However, a user
should not be able to keep the door open indefinitely if the elevator has
other requests to service.
Specify the behavior of your elevator system in the SMV
input language. The following properties need to be re-written as
CTL formulae.
- Calls to use the elevator are eventually serviced
(even if the OpenDoor button is being pressed).
- Destination requests from inside the elevator are eventually
serviced (even if the OpenDoor button is being pressed).
- The elevator never moves with its doors open.
- The elevator should keep its door open until there is a request
to use it.
Think of and add at least one more CTL property (not equivalent to
the ones presented above) that is vital to the correct operation
of your elevator system.
Using the NuSMV model checker, verify that your specification
satisfies all of these properties.
See the end of this document for specific
requirements for the model and for the documentation.
Hint: It is easier to create an elevator that does not
have an OpenDoor capability first, and then add it into
the model.
Instructions:
- Ensure that the model of the environment is given correctly,
that is, there are no unnecessary constraints placed on the environment.
For example, users should be able to press buttons at any point. In the
accompanying document (see below),
describe the assumptions you made about the environment
and discuss why they are justifiable.
- Use FAIRNESS correctly. For each FAIRNESS statement, add a short
statement describing why this fairness assumption is meaningful.
- Document your controller carefully, the way you would document good software.
- For each CTL formula, describe its meaning in English in addition
to giving the formalization. In addition, determine under what circumstances
this formula can hold vacuously, and specify an additional
formula which guarantees that it does not happen. Using the VaqUoT tool,
check each of your CTL formalizations to guarantee that it does
not hold vacuously in your model.
- Submit a short
report on your model, with assumptions about
the environment (and why they make sense), some modeling decisions
(including discussion of FAIRNESS, if appropriate), the properties
you verified, and the time it took for verification.
Include the additional properties that you added to the elevator
specification.
Include the size of your model, as returned by NuSMV.
Finally, include results of vacuity analysis done by VaqUoT.
- E-mail Shiva the tar file
containing your .smv files and names of your group members.
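As an added illustration of the structure such a model can take (this is not the course's reference solution and makes no attempt to be one), here is a minimal NuSMV model of the elevator described above, without the OpenDoor button as the hint suggests, together with CTL formulae for the listed properties and one vacuity witness of the kind the instructions ask for. Every name in it (floor, door, dir, req1..req3, press1..press3) is this example's own choice; it assumes a press for the floor the cab is currently on counts as already serviced.

```smv
-- Added example (not the assignment's or the course's code): a minimal
-- elevator without the OpenDoor button, following the hint above.
-- All names (floor, door, dir, reqN, pressN) are this example's own choices.
MODULE main
VAR
  floor : 1..3;                       -- cab position
  door  : {open, closed};
  dir   : {up, down};                 -- current sweep direction (SCAN-style)
  req1 : boolean; req2 : boolean; req3 : boolean;  -- latched request per floor
IVAR
  -- environment: any button may be pressed in any state (no constraints)
  press1 : boolean; press2 : boolean; press3 : boolean;
DEFINE
  pending := req1 | req2 | req3;
  here    := (floor = 1 & req1) | (floor = 2 & req2) | (floor = 3 & req3);
  above   := (floor = 1 & (req2 | req3)) | (floor = 2 & req3);
  below   := (floor = 3 & (req1 | req2)) | (floor = 2 & req1);
  -- keep sweeping in the current direction while requests lie ahead
  go_up   := door = closed & !here & above & (dir = up   | !below);
  go_down := door = closed & !here & below & (dir = down | !above);
ASSIGN
  init(floor) := 1; init(door) := open; init(dir) := up;
  init(req1) := FALSE; init(req2) := FALSE; init(req3) := FALSE;
  -- a press latches until the cab reaches that floor; a press for the
  -- floor the cab is already on is treated as serviced (modelling assumption)
  next(req1) := (press1 | req1) & floor != 1;
  next(req2) := (press2 | req2) & floor != 2;
  next(req3) := (press3 | req3) & floor != 3;
  next(door) := case
    pending & !here : closed;         -- close to travel, stay closed en route
    TRUE            : open;           -- serve this floor, or idle with door open
  esac;
  next(floor) := case
    go_up   & floor = 1 : 2;  go_up   & floor = 2 : 3;
    go_down & floor = 3 : 2;  go_down & floor = 2 : 1;
    TRUE : floor;                     -- go_up/go_down require door = closed
  esac;
  next(dir) := case go_up : up; go_down : down; TRUE : dir; esac;
-- every request is eventually serviced (the sweep is bounded, so no FAIRNESS needed)
CTLSPEC AG (req1 -> AF (floor = 1 & door = open))
CTLSPEC AG (req2 -> AF (floor = 2 & door = open))
CTLSPEC AG (req3 -> AF (floor = 3 & door = open))
-- the cab never moves with its door open
CTLSPEC AG (door = open -> ((floor = 1 -> AX floor = 1) & (floor = 2 -> AX floor = 2) & (floor = 3 -> AX floor = 3)))
-- the door stays open until there is a request
CTLSPEC AG ((door = open & !pending) -> AX door = open)
-- vacuity witness for the first liveness formula: req1 is actually reachable
CTLSPEC EF req1
```

Pressing a button here is an unconstrained input (IVAR), so the liveness formulae quantify over every press sequence, including a user who presses continuously; the OpenDoor button, separate call and destination buttons, and the remaining vacuity witnesses are left as the assignment asks.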
Presentation
You may work by yourself or in groups of two.
Warning: It may take you longer if you work on your own.
You must complete the assignment before class time on October 18
because we will discuss the assignment in class. We will need two
groups to volunteer to present their models of the elevator on October
18. If you are interested in presenting, let me know. I am looking
for a 10-12-minute presentation from each presenting group.