Introduction

ADC is used to simplify adjusting:
- Mirror
- Window
- Door Lock

Motivation
- Convenience
- Enhancement of features

Features

Window Controller
- Move window up or down
- Lock passenger's window controls
- Driver's window express down

Door Lock Controller
- Lock or unlock all the vehicle doors

Mirror Controller
- Move the external mirrors of the vehicle
- Store and load the mirror positions from memory
- Tilt the passenger's mirror to full down
Problems with analysis

Defining actors
- Included motors as actors
- Manual locks: did not include them in the system

Defining the classes
- Defined each controller as a class

Problems with analysis (continued)

Relationships between classes
- Inheritance between passenger controllers

Organization of the layout of the classes
- Rearranged the layout to avoid overlapping lines
Critical Properties

Safety properties
- High torque stops window movement
- Window lock inhibits passenger's window controls

Liveness properties
- Holding the driver's window button down for 1 sec causes express down to occur
- If the passenger's mirror is selected and the gear is in reverse, then the passenger's mirror tilts to full down
Promela and XSpin: Verify window process behaviors

High torque eventually stops window movement

    #define p (vdrWinTorqueHigh == 1)
    #define q (cur_drWin_state == stop)

    Formula: [] (p -> <> q)

Window lock inhibits passenger's window controls

    #define p (vwinLock_on == 1)
    #define q (cur_passgWin_moveUpBy == passenger)
    #define s (cur_passgWin_moveDownBy == passenger)

    Formula: [] (p -> <> (!q || !s))

Promela and XSpin (continued): Passenger's window conflict will stop window

    #define p (passgWinConflict == 1)
    #define q (cur_passgWin_state == moveUp)
    #define s (cur_passgWin_state == moveDown)
    #define r (cur_passgWin_state == stop)

    Formula: [] (((q || s) && p) -> <> r)
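The two window properties above (torque stops the window; a passenger-window conflict stops the window) both have the shape [] (p -> <> q), and they can be checked mechanically. The following is an added example, not code from the slides or from the project: a small explicit-state checker in Python over a constructed toy model of the window process. Spin itself would take a Promela model plus the #define and ltl lines instead; this block only reproduces what the verification establishes. The state variables, the three interleaved processes, the `latched` switch and the initial state are assumptions made for the example; the slides' driver and passenger windows are collapsed into one window; the mirror property on the next slide is not modelled.

```python
"""Constructed toy model of the window process and an explicit-state check of
the slides' two window liveness properties. Not Spin: Spin uses a Buchi never
claim, but for the shape [] (p -> <> q) the check reduces to "from every
reachable p-state, every path reaches a q-state", i.e. the sub-graph of
not-q states has no cycle and no dead end reachable from a p-state."""
from collections import deque

STOP, MOVE_UP, MOVE_DOWN = "stop", "moveUp", "moveDown"
INITIAL = (STOP, False, False)  # (cur_drWin_state, vdrWinTorqueHigh, passgWinConflict)


def window_model(latched=True):
    """Successor function of three interleaved processes (window controller,
    torque sensor, conflict detector); driver and passenger windows are
    collapsed into one. latched=True: an inhibit flag stays raised until the
    window has stopped. latched=False: deliberately buggy, a flag may drop
    at any time. Everything here is an assumption made for the example."""
    def successors(state):
        win, torque, conflict = state
        out = []
        if torque or conflict:            # any inhibit input forces stop
            out.append((STOP, torque, conflict))
        else:                             # driver presses up/down or releases
            out += [(w, torque, conflict) for w in (MOVE_UP, MOVE_DOWN, STOP)]
        if not torque:                    # an obstacle raises the torque flag
            out.append((win, True, conflict))
        elif not latched or win == STOP:  # flag is cleared once stopped
            out.append((win, False, conflict))
        if not conflict:                  # opposing button presses
            out.append((win, torque, True))
        elif not latched or win == STOP:
            out.append((win, torque, False))
        return out
    return successors


def explore(initial, successors):
    """Breadth-first enumeration of the reachable states, in a fixed order."""
    seen, order, queue = {initial}, [], deque([initial])
    while queue:
        s = queue.popleft()
        order.append(s)
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return order


def find_escape(start, successors, q):
    """DFS inside the not-q sub-graph for a run from `start` that never
    reaches q: a cycle (repeated state appended to the path) or a dead end
    (Spin would report that one as an invalid end state). None if no run."""
    path, done = [], set()

    def dfs(s):
        path.append(s)
        succ = successors(s)
        if not succ:                      # dead end: q can never be reached
            return True
        for t in succ:
            if q(t) or t in done:
                continue
            if t in path:                 # cycle that avoids q forever
                path.append(t)
                return True
            if dfs(t):
                return True
        path.pop()
        done.add(s)
        return False

    return path if dfs(start) else None


def check_inevitable(initial, successors, p, q):
    """Check [] (p -> <> q); returns (True, None) or (False, counterexample)."""
    for s in explore(initial, successors):
        if p(s) and not q(s):
            escape = find_escape(s, successors, q)
            if escape is not None:
                return False, escape
    return True, None


# Propositions mirroring the slides' #define lines.
torque_high = lambda s: s[1]                            # vdrWinTorqueHigh == 1
window_stopped = lambda s: s[0] == STOP                 # cur_..._state == stop
moving_with_conflict = lambda s: s[2] and s[0] != STOP  # (q || s) && p


def verify(latched=True):
    """Both window properties against the latched or the buggy model."""
    succ = window_model(latched)
    return {
        "torque_stops_window": check_inevitable(INITIAL, succ, torque_high, window_stopped),
        "conflict_stops_window": check_inevitable(INITIAL, succ, moving_with_conflict, window_stopped),
    }


if __name__ == "__main__":
    for latched in (True, False):
        for name, (ok, cex) in verify(latched).items():
            print(f"latched={latched} {name}: {'holds' if ok else 'FAILS ' + str(cex)}")
```

With `latched=True` both properties hold under every interleaving, because a raised inhibit flag blocks the sensor processes until the window controller has stopped. With `latched=False` the torque property fails with a run in which the flag drops and the window keeps moving, and the conflict property fails with a run in which the sensors keep toggling while the window process is never scheduled; Spin without weak fairness (`-f`) reports such unfair runs as counterexamples too, so latching the flags is what makes the liveness claim schedule-independent.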
Verify mirror process behaviors: Passenger's mirror full down

    #define p (event??[pass_select])
    #define q (event??[switch_reversed])
    #define r (gear_state == PULLING_DOWN)

    Formula: [] ((p && q) -> <> r)