-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtarffic-lights0.smv
315 lines (285 loc) · 16.1 KB
/
tarffic-lights0.smv
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
-- SENG 5801 - Homework 7
-- Submitted by:
-- Team Identifiers
-- 1. Pranjali Trimbak Kulkarni ([email protected])
-- 2. Udhaya Kumar Dayalan ([email protected])
-- 3. Rajesh Paul ([email protected])
-- 4. Amit Nandan Periyapatna ([email protected])
-- START Scope
-- Traffic light controller system manages the intersection of cars-pedestrians, cars-cars,
-- pedistrians-pedistrians and cars-pedistrians-emergency in a two way direction.
-- Drive Signals follow the color order - Red (Stop), Yellow (About to stop) and Green (Good to go).
-- The pedestrians raise a request to walk by pressing a request button and loop sensors sense the
-- presence of vehicles.
-- System provides higher priority for emergency vehicles by switching the traffic lights to Green in
-- the direction of emergency.
-- END Scope
-- START Requirements
-- 1. The traffic lights shall not be green for both the directions at the same time.
-- 2. Pedestrian light shall be Red if the traffic light is Green on the crossing direction.
-- 3. If the traffic light is Green, it shall eventually in the future turn Yellow.
-- 4. If there is an emergency in a particular direction, then the traffic light shall of that respective direction shall immediately turn Green.
-- 5. If there is an emergency in a particular direction, then the traffic light shall eventually turn Yellow once the emergency vehicle is allowed to pass through the intersection.
-- 6. If the pedistrian light is Green, then it shall eventually in the future turn Red.
-- 7. If there is an emergency then the pedestrian lights shall immediately turn Red.
-- END Requirements
-- START Assumptions
-- 1. There are no emergency vehicles at the same time on both the roads.
-- 2. Pedestrian and Drive signal can be green at the same time in the same direction.
-- 3. Traffic and Pedestrian lights will be Green on one of the directions for 30 seconds.
-- END Assumptions
-- START Traffic Light Module
-- The traffic light module which models the traffic lights across two directions NS and EW.
-- Inputs:
-- 1. turnInProgress
-- 2. direction
-- 3. currentAllowedDirection
-- 4. light_timer - Timer which counts down the number of seconds left before the traffic signal changes state.
MODULE trafficLightModule(turnInProgress, direction, currentAllowedDirection, light_timer)
VAR
-- Traffic lights can be Red, Yellow and Green.
current_traffic_light : {Red, Yellow, Green};
ASSIGN
-- Setting initial traffic light to Red.
init(current_traffic_light) := Red;
next(current_traffic_light) :=
case
direction != currentAllowedDirection : current_traffic_light;
current_traffic_light = Red & turnInProgress & light_timer = 0 : Red;
current_traffic_light = Red & !turnInProgress & light_timer = 0 : Green;
current_traffic_light = Green & light_timer = 0 : Yellow;
current_traffic_light = Yellow : Red;
TRUE : current_traffic_light;
esac;
-- END Traffic Light Module
-- START Pedestrian Light Module
-- The pedestrian light module which models the pedistrian crossing signals across two directions, NS and EW.
-- Inputs:
-- 1. trafficLight
-- 2. light_timer
MODULE pedestrianLightModule(trafficLight, light_timer)
VAR
-- Pedestrian lights can be Dont_Walk (Red), Alert, Walk
current_walk_light : {Dont_Walk, Alert, Walk};
ASSIGN
init(current_walk_light) := Dont_Walk;
next(current_walk_light) :=
case
current_walk_light = Dont_Walk & trafficLight.current_traffic_light = Green : Walk;
-- Start alerting if the light countdown timer is less than 10s.
trafficLight.current_traffic_light = Green & light_timer < 10 & light_timer > 0 : Alert;
(light_timer = 0) | (current_walk_light = Alert & trafficLight.current_traffic_light = Red) : Dont_Walk;
TRUE : current_walk_light;
esac;
-- END Pedestrian Light Module
-- START Main Module
MODULE main
VAR
turnInProgress : boolean;
-- Direction in which the traffic lights are allowed to turn Green.
allowedDirection : {NS, EW};
NSDriving : trafficLightModule(turnInProgress, NS, allowedDirection, light_timer);
EWDriving : trafficLightModule(turnInProgress, EW, allowedDirection, light_timer);
NSPedestrian : pedestrianLightModule(NSDriving, light_timer);
EWPedestrian : pedestrianLightModule(EWDriving, light_timer);
light_timer : 0..30;
emergency : {NS,EW,none};
ASSIGN
init(turnInProgress) := FALSE;
init(allowedDirection) := NS;
init(light_timer) := 0;
init(emergency) := none;
next(turnInProgress) :=
case
(NSDriving.current_traffic_light = Red) &
(EWDriving.current_traffic_light = Red) : FALSE;
(NSDriving.current_traffic_light = Green) |
(EWDriving.current_traffic_light = Green) : TRUE;
(NSDriving.current_traffic_light = Yellow) |
(EWDriving.current_traffic_light = Yellow) : TRUE;
TRUE : turnInProgress;
esac;
next(allowedDirection) :=
case
(allowedDirection = NS & !turnInProgress) : EW;
(allowedDirection = EW & !turnInProgress) : NS;
TRUE : allowedDirection;
esac;
next(light_timer) :=
case
(EWDriving.current_traffic_light = Green & emergency=NS)|(NSDriving.current_traffic_light = Green & emergency=EW) : 0;
(light_timer > 0) : light_timer - 1;
(light_timer = 0 & (next(NSDriving.current_traffic_light = Yellow) |
next(EWDriving.current_traffic_light = Yellow))) : 3;
(light_timer = 0 & (next(NSDriving.current_traffic_light = Green) |
next(EWDriving.current_traffic_light = Green))) : 27;
(light_timer = 0 & (next(NSDriving.current_traffic_light = Red) |
next(EWDriving.current_traffic_light = Red))) : 30;
TRUE : light_timer;
esac;
-- END Main Module
-- START CTL Specificaitons
-- Sanity checks: To make sure all the traffic and pedestrian lights shall turn Green eventually.
SPEC EF (NSDriving.current_traffic_light = Green)
SPEC EF (EWDriving.current_traffic_light = Green)
SPEC EF (NSPedestrian.current_walk_light = Walk)
SPEC EF (EWPedestrian.current_walk_light = Walk)
SPEC EF (emergency = NS | emergency = EW | emergency = none)
-- Another sanity check stated differently: Negative property we expect to
-- be false. We can never get into the critical state.
-- SPEC AG !(NSDriving.current_traffic_light = Green)
-- SPEC AG !(EWDriving.current_traffic_light = Green)
-- SPEC AG !(NSPedestrian.current_walk_light = Walk)
-- SPEC AG !(EWPedestrian.current_walk_light = Walk)
-- Safety Properties.
-- REQ 1: If traffic light on NS direction is Green then traffic light on EW shall not be Green.
SPEC AG !(NSDriving.current_traffic_light = Green & EWDriving.current_traffic_light = Green)
-- REQ 1: If traffic light on NS direction is Green then traffic light on EW shall not be Yellow.
SPEC AG !(NSDriving.current_traffic_light = Green & EWDriving.current_traffic_light = Yellow)
-- REQ 2: If traffic light on NS direction is Green then the Pedestrian signal on EW direction shall not be Walk (Green).
SPEC AG !(NSDriving.current_traffic_light = Green & EWPedestrian.current_walk_light = Walk)
-- REQ 2: If traffic light on EW direction is Green then the Pedestrian signal on NS direction shall not be Walk (Green).
SPEC AG !(EWDriving.current_traffic_light = Green & NSPedestrian.current_walk_light = Walk)
-- Liveness Properties.
-- REQ 3: If traffic light on NS direction is Green then it will switch to Yellow in the future.
SPEC AG (NSDriving.current_traffic_light = Green -> AF NSDriving.current_traffic_light = Yellow)
-- REQ 3: If traffic light on EW direction is Green then it will switch to Yellow in the future.
SPEC AG (EWDriving.current_traffic_light = Green -> AF EWDriving.current_traffic_light = Yellow)
-- REQ 4: If traffic light on NS (or EW) direction is Red and there is an emergency in NS (or EW) direction then the traffic light on NS (or EW) direction will switch to Green.
SPEC AG (NSDriving.current_traffic_light = Red & emergency=NS -> AF NSDriving.current_traffic_light = Green)
SPEC AG (EWDriving.current_traffic_light = Red & emergency=EW -> AF EWDriving.current_traffic_light = Green)
-- REQ 5: If traffic light on NS direction is Green and there in an emergency on EW direction then the traffic light on NS direction will turn Yellow.
SPEC AG (NSDriving.current_traffic_light = Green & emergency=EW -> AF NSDriving.current_traffic_light = Yellow)
SPEC AG (EWDriving.current_traffic_light = Green & emergency=NS -> AF EWDriving.current_traffic_light = Yellow)
-- REQ 6: If the pedistrian light is Green, then it shall eventually in the future turn Red.
SPEC AG (NSPedestrian.current_walk_light = Walk -> AF NSPedestrian.current_walk_light = Dont_Walk)
SPEC AG (EWPedestrian.current_walk_light = Walk -> AF EWPedestrian.current_walk_light = Dont_Walk)
-- REQ 7: If there is an emergency then the pedestrian lights shall immediately turn Red.
SPEC AG (emergency=NS -> AF(EWPedestrian.current_walk_light = Dont_Walk & NSPedestrian.current_walk_light = Dont_Walk))
-- Anti Properties
-- AP 1: If there is an emergency in the NS direction then the next state of the opposite direction shall be green.
-- Counter Example:
-- -> State: 1.1 <-
-- turnInProgress = FALSE
-- allowedDirection = NS
-- NSDriving.current_traffic_light = Red
-- EWDriving.current_traffic_light = Red
-- NSPedestrian.current_walk_light = Dont_Walk
-- EWPedestrian.current_walk_light = Dont_Walk
-- light_timer = 0
-- emergency = none
-- -> State: 1.2 <-
-- allowedDirection = EW
-- NSDriving.current_traffic_light = Green
-- light_timer = 27
-- emergency = NS
-- -> State: 1.3 <-
-- turnInProgress = TRUE
-- allowedDirection = NS
-- NSPedestrian.current_walk_light = Walk
-- light_timer = 26
-- Explanation:
-- The above counter example shows that if there is an emergency on the NS direction, then in the next state (State 1.3), EW Traffic Light will remain Red.
-- Since our model makes sure that if there is an emergency in one direction, then the Traffic Light in that direction will be switched to Green.
SPEC AG (emergency=NS -> AX(EWDriving.current_traffic_light = Green))
-- AP 2: If there is an emergency in the EW direction then the next state for the Pedestrian light shall be Walk (Green)
-- Counter Example:
-- -> State: 2.1 <-
-- turnInProgress = FALSE
-- allowedDirection = NS
-- NSDriving.current_traffic_light = Red
-- EWDriving.current_traffic_light = Red
-- NSPedestrian.current_walk_light = Dont_Walk
-- EWPedestrian.current_walk_light = Dont_Walk
-- light_timer = 0
-- emergency = none
-- -> State: 2.2 <-
-- allowedDirection = EW
-- NSDriving.current_traffic_light = Green
-- light_timer = 27
-- emergency = EW
-- -> State: 2.3 <-
-- turnInProgress = TRUE
-- allowedDirection = NS
-- NSPedestrian.current_walk_light = Walk
-- light_timer = 0
-- -> State: 2.4 <-
-- NSDriving.current_traffic_light = Yellow
-- NSPedestrian.current_walk_light = Alert
-- emergency = NS
-- Explanation:
-- The above counter example shows that when there is an emergency in the EW direction, the timer if first reset to zero and then the pedestrian light
-- switches from Walk (Green) to Dont_Walk (Red). Since our model makes sure that the Pedestrian walk signal will be set to Dont_Walk (Red) if there is
-- an emergency in the opposite direction.
SPEC AG (emergency=EW -> AX(NSPedestrian.current_walk_light = Walk))
-- END CTL Specifications
-- START NuSMV Session Transcript
-- -- specification EF NSDriving.current_traffic_light = Green is true
-- -- specification EF EWDriving.current_traffic_light = Green is true
-- -- specification EF NSPedestrian.current_walk_light = Walk is true
-- -- specification EF EWPedestrian.current_walk_light = Walk is true
-- -- specification EF ((emergency = NS | emergency = EW) | emergency = none) is true
-- -- specification AG !(NSDriving.current_traffic_light = Green & EWDriving.current_traffic_light = Green) is true
-- -- specification AG !(NSDriving.current_traffic_light = Green & EWDriving.current_traffic_light = Yellow) is true
-- -- specification AG !(NSDriving.current_traffic_light = Green & EWPedestrian.current_walk_light = Walk) is true
-- -- specification AG !(EWDriving.current_traffic_light = Green & NSPedestrian.current_walk_light = Walk) is true
-- -- specification AG (NSDriving.current_traffic_light = Green -> AF NSDriving.current_traffic_light = Yellow) is true
-- -- specification AG (EWDriving.current_traffic_light = Green -> AF EWDriving.current_traffic_light = Yellow) is true
-- -- specification AG ((NSDriving.current_traffic_light = Red & emergency = NS) -> AF NSDriving.current_traffic_light = Green) is true
-- -- specification AG ((EWDriving.current_traffic_light = Red & emergency = EW) -> AF EWDriving.current_traffic_light = Green) is true
-- -- specification AG ((NSDriving.current_traffic_light = Green & emergency = EW) -> AF NSDriving.current_traffic_light = Yellow) is true
-- -- specification AG ((EWDriving.current_traffic_light = Green & emergency = NS) -> AF EWDriving.current_traffic_light = Yellow) is true
-- -- specification AG (NSPedestrian.current_walk_light = Walk -> AF NSPedestrian.current_walk_light = Dont_Walk) is true
-- -- specification AG (EWPedestrian.current_walk_light = Walk -> AF EWPedestrian.current_walk_light = Dont_Walk) is true
-- -- specification AG (emergency = NS -> AF (EWPedestrian.current_walk_light = Dont_Walk & NSPedestrian.current_walk_light = Dont_Walk)) is true
-- -- specification AG (emergency = NS -> AX EWDriving.current_traffic_light = Green) is false
-- -- as demonstrated by the following execution sequence
-- Trace Description: CTL Counterexample
-- Trace Type: Counterexample
-- -> State: 1.1 <-
-- turnInProgress = FALSE
-- allowedDirection = NS
-- NSDriving.current_traffic_light = Red
-- EWDriving.current_traffic_light = Red
-- NSPedestrian.current_walk_light = Dont_Walk
-- EWPedestrian.current_walk_light = Dont_Walk
-- light_timer = 0
-- emergency = none
-- -> State: 1.2 <-
-- allowedDirection = EW
-- NSDriving.current_traffic_light = Green
-- light_timer = 27
-- emergency = NS
-- -> State: 1.3 <-
-- turnInProgress = TRUE
-- allowedDirection = NS
-- NSPedestrian.current_walk_light = Walk
-- light_timer = 26
-- -- specification AG (emergency = EW -> AX NSPedestrian.current_walk_light = Walk) is false
-- -- as demonstrated by the following execution sequence
-- Trace Description: CTL Counterexample
-- Trace Type: Counterexample
-- -> State: 2.1 <-
-- turnInProgress = FALSE
-- allowedDirection = NS
-- NSDriving.current_traffic_light = Red
-- EWDriving.current_traffic_light = Red
-- NSPedestrian.current_walk_light = Dont_Walk
-- EWPedestrian.current_walk_light = Dont_Walk
-- light_timer = 0
-- emergency = none
-- -> State: 2.2 <-
-- allowedDirection = EW
-- NSDriving.current_traffic_light = Green
-- light_timer = 27
-- emergency = EW
-- -> State: 2.3 <-
-- turnInProgress = TRUE
-- allowedDirection = NS
-- NSPedestrian.current_walk_light = Walk
-- light_timer = 0
-- -> State: 2.4 <-
-- NSDriving.current_traffic_light = Yellow
-- NSPedestrian.current_walk_light = Dont_Walk
-- emergency = NS
-- END NuSMV Transcript Session