Event-B Course
3. A Mechanical Press Controller
Jean-Raymond Abrial
September-October-November 2011

Outline
1. Informal presentation of the example
2. Presentation of some design patterns
3. Writing the requirement document
4. Proposing a refinement strategy
5. Development of the model using refinements and design patterns

1. Informal Presentation of the Example

Presentation of the Example
- A mechanical press controller
- Adapted from a real system
- The real system comes from INRST: Institut National de la Recherche sur la Sécurité du Travail

Mechanical Press Schema
[Figure: schema of the press with labels BUTTONS (B1, B2, B3, B4), MOTOR, ROD, SLIDE, TOOL, PART]

Basic Equipment
- A Vertical Slide with a tool at its lower extremity
- An electrical Rotating Motor
- A Rod connecting the motor to the slide
- A Clutch engaging or disengaging the motor on the rod
- When the clutch is disengaged, the slide stops “immediately”

Basic Commands
- Button B1: start motor
- Button B2: stop motor
- Button B3: engage clutch
- Button B4: disengage clutch

Basic User Actions
- Action 1: Change the tool at the lower extremity of the slide
- Action 2: Put a part to be treated under the slide
- Action 3: Remove the part

First Schematic View
[Figure: COMMANDS and EQUIPMENT]

A Typical User Session
1. start the motor (button B1)
2. change the tool (action 1)
3. put a part (action 2)
4. engage the clutch (button B3): the press now works
5. disengage the clutch (button B4): the press does not work
6. remove the part (action 3)
7. repeat zero or more times steps 3 to 6
8. repeat zero or more times steps 2 to 7
9. stop the motor (button B2)

Danger: Necessity of a Controller
- step 2 (change the tool),
- step 3 (put a part),
- step 6 (remove the part)
are all DANGEROUS

Second Schematic View
[Figure: COMMANDS, CONTROLLER and EQUIPMENT]

More Elaborate Commands for Protecting the User
- Controlling the way the clutch is engaged or disengaged
- Protection by means of a Front Door

The Front Door
[Figure: the front door, open and closed]

The Front Door: Behavior
- Initially, the door is open
- When the user presses button B3 to engage the clutch, the door is first closed BEFORE engaging the clutch
- When the user presses button B4 to disengage the clutch, the door is opened AFTER disengaging the clutch
- Notice: The door has no button.

Summary of Connections
[Figure labels: buttons B1, B2, B3, B4; CONTROLLER; MR, CL, DR]

[Animated figures of a user session, not reproduced. Slide titles in order, with consecutive repeats merged:]
- Initial Situation
- Starting the Motor: Pressing Button B1
- The Motor Works
- Adding a Tool
- The Motor Works
- Putting a Part
- The Motor Works
- Engaging the Clutch: Pressing Button B3
- The Press Works
- Disengaging the Clutch: Pressing Button B4
- The Motor Works
- Removing the Part
- The Motor Works
- Putting a Part
- Engaging the Clutch: Pressing Button B3
- The Press Works
- Disengaging the Clutch: Pressing Button B4
- The Motor Works
- Removing the Part
- The Motor Works
- Removing the Tool
- Stopping Motor: Pressing Button B2
- Final Situation

Overview
[Figure labels: Start/Stop Motor, Start/Stop Clutch; CONTROLLER; MOTOR (motor_actuator, motor_sensor); CLUTCH (clutch_actuator, clutch_sensor); DOOR (door_actuator, door_sensor)]

2. Presentation of some Design Patterns

Motivations
- A number of similar behaviors
- Some complex situations to handle

Similar Behavior (1)
- A specific action results eventually in having a specific reaction:
  - Pushing button B1 results eventually in starting the motor
  - Pushing button B4 results eventually in disengaging the clutch
  - ...

Similar Behavior (2)
- Correlating two pieces of equipment:
  - When the clutch is engaged then the motor must work
  - When the clutch is engaged then the door must be closed

Similar Behavior (3)
- Making an action dependent on another one:
  - Engaging the clutch implies closing the door first
  - Disengaging the clutch means opening the door afterwards

Motivation: Example of Some Complex Situation
- Here is a sequence of events:
  (1) User pushes button B1 (start motor)
  (1’) User does not remove his finger from button B1
  (2) Controller sends the starting command to the motor
  (3) Motor starts and sends feedback to the controller
  (4) Controller is aware that the motor works
  (5) User pushes button B2 (stop motor)
  (6) Controller sends the stop command to the motor
  (7) Motor stops and sends feedback to the controller
  (8) Controller is aware that the motor does not work
  (9) Controller must not send the starting command to the motor

Motivation: Example of Some Complex Situation
- Here is a sequence of events:
  (1) User pushes button B1 (start motor)
  (2) Controller sends the starting command to the motor
  (3.1) Motor starts and sends feedback to the controller
  (3.2) User pushes button B2 (stop motor)
- (3.1) and (3.2) may occur simultaneously
- If controller treats (3.1) before (3.2): motor is stopped
- If controller treats (3.2) before (3.1): motor is not stopped

Design Patterns in Formal Developments
- We want to build systems which are correct by construction
- We want to have more methods for doing so
- "Design pattern" is an Object Oriented concept
- We would like to borrow this concept for doing formal developments
- A preliminary attempt with reactive system developments
- Advantage: systematic developments and also refinement of proofs

A Personal View on Design Patterns
- This is an engineering concept
- It can be used outside OO
- The goal of each DP is to solve a certain category of problems
- But the design pattern has to be adapted to the problem at hand
- Is it compatible with formal developments?
- Let’s apply this approach to the design of reactive systems

A Wikipedia View on Design Patterns (1)
- A design pattern isn’t a finished design that can be transformed into code
- It is a template for how to solve a problem that can be used in many different situations
- Patterns originated as an architectural concept by Christopher Alexander
- "Design Patterns: Elements of Reusable Object-Oriented Software" published in 1994 (Gamma et al)

A Wikipedia View on Design Patterns (2)
- Design patterns can speed up the development process by providing tested and proven development paradigms
- The documentation for a design pattern should contain enough information about the problem that the pattern addresses, the context in which it is used, and the suggested solution.
- Some feel that the need for patterns results from using computer languages or techniques with insufficient abstraction

An Action Pattern
[Figure: Action]

Action and Reaction Patterns
[Figure: Action, Reaction]

Action and Weak Reaction Patterns
- Sometimes, the reaction does not have enough time to react
- Because the action moves too quickly

Action and Strong Reaction Patterns
- Sometimes, the reaction always follows the action
- They are both synchronized

Constructing Models of Actions and Reactions
- We first build a model of a weak reaction
- The strong reaction will be a refinement of the weak one

Model for weak action and reaction: the State

    variables: a, r

    pat0_1: a ∈ {0, 1}
    pat0_2: r ∈ {0, 1}

- a denotes the action
- r denotes the reaction

Model for weak action and reaction: the State

    variables: a, r, ca, cr

    pat0_1: a ∈ {0, 1}
    pat0_2: r ∈ {0, 1}
    pat0_3: ca ∈ ℕ
    pat0_4: cr ∈ ℕ
    pat0_5: cr ≤ ca

- ca and cr denote how many times a and r are set to 1
- pat0_5 formalizes the weak reaction

Model for weak action and reaction: the Events (1)

    a_on
      when  a = 0
      then  a := 1
            ca := ca + 1
      end

    a_off
      when  a = 1
      then  a := 0
      end

[Figure: timing diagram with levels a = 0, a = 1, a = 0]

Model for weak action and reaction: the Events (2)

    r_on
      when  r = 0
            a = 1
      then  r := 1
            cr := cr + 1
      end

    r_off
      when  r = 1
            a = 0
      then  r := 0
      end

[Figure: timing diagram with levels r = 0, r = 1, r = 0 and a = 0, a = 1]

Summary of Events

    a_on
      when  a = 0
      then  a := 1
            ca := ca + 1
      end

    a_off
      when  a = 1
      then  a := 0
      end

    r_on
      when  r = 0
            a = 1
      then  r := 1
            cr := cr + 1
      end

    r_off
      when  r = 1
            a = 0
      then  r := 0
      end

[Figure: diagram relating a_on, a_off, r_on and r_off]

Summary of Weak Synchronization

    variables: a, r, ca, cr

    pat0_1: a ∈ {0, 1}
    pat0_2: r ∈ {0, 1}
    pat0_3: ca ∈ ℕ
    pat0_4: cr ∈ ℕ
    pat0_5: cr ≤ ca

    init
      a := 0
      r := 0
      ca := 0
      cr := 0

    a_on
      when  a = 0
      then  a := 1
            ca := ca + 1
      end

    a_off
      when  a = 1
      then  a := 0
      end

    r_on
      when  r = 0
            a = 1
      then  r := 1
            cr := cr + 1
      end

    r_off
      when  r = 1
            a = 0
      then  r := 0
      end

Nothing guarantees that the invariants are preserved

DEMO (Showing a Problem and Finding a Solution)

Intuition Behind the new Invariant

    pat0_6: r = 0 ∧ a = 1 ⇒ cr < ca

[Figure: timing diagram with labels a = 1, r = 0, cr < ca and "ca is incremented"]

Summary of the State of the weak Reaction

    pat0_1: a ∈ {0, 1}
    pat0_2: r ∈ {0, 1}
    pat0_3: ca ∈ ℕ
    pat0_4: cr ∈ ℕ
    pat0_5: cr ≤ ca
    pat0_6: r = 0 ∧ a = 1 ⇒ cr < ca

Summary of the Events of the weak Reaction

The counters have been removed

    init
      a := 0
      r := 0

    a_on
      when  a = 0
      then  a := 1
      end

    r_on
      when  r = 0
            a = 1
      then  r := 1
      end

    a_off
      when  a = 1
      then  a := 0
      end

    r_off
      when  r = 1
            a = 0
      then  r := 0
      end

Weak Synchronization of Events
[Figure: weak synchronization diagram of a_on, a_off, r_on and r_off]

Refinement: Strong action and reaction
- We add the following invariant

    pat1_1: ca ≤ cr + 1

- Remember invariant pat0_5

    pat0_5: cr ≤ ca

We have thus: ca = cr ∨ ca = cr + 1

Summary (so far) of the Strong Synchronization

    pat1_1: ca ≤ cr + 1

    a_on
      when  a = 0
      then  a := 1
            ca := ca + 1
      end

    a_off
      when  a = 1
      then  a := 0
      end

    r_on
      when  r = 0
            a = 1
      then  r := 1
            cr := cr + 1
      end

    r_off
      when  r = 1
            a = 0
      then  r := 0
      end

Nothing guarantees that the invariant is preserved

DEMO (Showing Problems and Finding Solutions)
Merging the two invariants 118
- Putting together these two invariants
pat1 2: a = 0 ⇒ ca = cr
pat1 3: a = 1 ∧ r = 1 ⇒ ca = cr
- leads to the following
pat1 4: a = 0 ∨ r = 1 ⇒ ca = cr
122
![Page 124: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/124.jpg)
Simplifying the Invariants 119
pat0_5: cr ≤ ca
pat0_6: a = 1 ∧ r = 0 ⇒ cr < ca
pat1_1: ca ≤ cr + 1
pat1_4: a = 0 ∨ r = 1 ⇒ ca = cr
This can be simplified to
pat2_1: a = 1 ∧ r = 0 ⇒ ca = cr + 1
pat2_2: a = 0 ∨ r = 1 ⇒ ca = cr
123
![Page 125: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/125.jpg)
Summary of the State for the Strong Reaction 120
pat0_1: a ∈ {0, 1}
pat0_2: r ∈ {0, 1}
pat0_3: ca ∈ ℕ
pat0_4: cr ∈ ℕ
pat2_1: a = 1 ∧ r = 0 ⇒ ca = cr + 1
pat2_2: a = 0 ∨ r = 1 ⇒ ca = cr
124
![Page 126: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/126.jpg)
Intuition Behind the two Invariants 121
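pat2_1: a = 1 ∧ r = 0 ⇒ ca = cr + 1
pat2_2: a = 0 ∨ r = 1 ⇒ ca = cr
[Figure: timeline of a and r over one action/reaction cycle. ca = cr (pat2_2) while a = 0 or r = 1; ca is incremented when a becomes 1, giving ca = cr + 1 (pat2_1) until cr is incremented when r becomes 1.]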
125
![Page 127: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/127.jpg)
Summary of the Events for the Strong Reaction 122
The counters have been removed

init
  a := 0
  r := 0

a_on
  when a = 0
       r = 0
  then a := 1
  end

r_on
  when r = 0
       a = 1
  then r := 1
  end

a_off
  when a = 1
       r = 1
  then a := 0
  end

r_off
  when r = 1
       a = 0
  then r := 0
  end
126
![Page 128: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/128.jpg)
Strong Synchronization of Events 123
[Figure: strong synchronization diagram relating the events a_on, a_off, r_on and r_off]
127
![Page 129: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/129.jpg)
What we Have Learned 124
- Proof failures helped us improve our models
- When an invariant preservation proof fails on an event, there are two solutions:
  - adding a new invariant
  - strengthening the guard
- Modelling considerations helped us choose one or the other
- At the end, we reached a stable situation (fixpoint)
128
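The invariant-preservation failures described on these slides can be reproduced mechanically. The Python sketch below is an added example, not part of the course material: it checks every event of the action/reaction pattern against the stated invariants over a bounded counter range (BOUND and all function names are assumptions), which is a finite check and not the proof the slides refer to.

```python
from itertools import product

BOUND = 3  # assumption: counters ca, cr are explored over 0..BOUND only


def pattern_events(strong):
    """Action/reaction pattern with counters kept, as {name: (guard, action)}.

    strong=False gives the weak guards; strong=True adds r = 0 to a_on
    and r = 1 to a_off, as in the strong-reaction summary.
    """
    return {
        "a_on": (lambda a, r, ca, cr: a == 0 and (r == 0 or not strong),
                 lambda a, r, ca, cr: (1, r, ca + 1, cr)),
        "a_off": (lambda a, r, ca, cr: a == 1 and (r == 1 or not strong),
                  lambda a, r, ca, cr: (0, r, ca, cr)),
        "r_on": (lambda a, r, ca, cr: r == 0 and a == 1,
                 lambda a, r, ca, cr: (a, 1, ca, cr + 1)),
        "r_off": (lambda a, r, ca, cr: r == 1 and a == 0,
                  lambda a, r, ca, cr: (a, 0, ca, cr)),
    }


def inv_pat1(a, r, ca, cr):
    """pat0_5, pat0_6 and pat1_1 taken together."""
    return (cr <= ca
            and (not (a == 1 and r == 0) or cr < ca)
            and ca <= cr + 1)


def inv_pat2(a, r, ca, cr):
    """pat2_1 and pat2_2 taken together."""
    return ((not (a == 1 and r == 0) or ca == cr + 1)
            and (not (a == 0 or r == 1) or ca == cr))


def preservation_failures(events, inv):
    """Return {event: (before, after)} for events that can break inv.

    For every state satisfying inv and the event guard, the state after
    the action must satisfy inv again (invariant preservation).
    """
    failures = {}
    for before in product((0, 1), (0, 1), range(BOUND + 1), range(BOUND + 1)):
        if not inv(*before):
            continue
        for name, (guard, action) in events.items():
            if guard(*before):
                after = action(*before)
                if not inv(*after):
                    failures.setdefault(name, (before, after))
    return failures


if __name__ == "__main__":
    cases = (("weak guards, pat0_5/pat0_6/pat1_1", False, inv_pat1),
             ("weak guards, pat2_1/pat2_2", False, inv_pat2),
             ("strong guards, pat2_1/pat2_2", True, inv_pat2))
    for label, strong, inv in cases:
        failures = preservation_failures(pattern_events(strong), inv)
        print(label, "->", failures or "all events preserve the invariants")
```

The events reported as failing under the weak guards are the ones whose guards the strong pattern strengthens; each counterexample is a (before, after) pair of states (a, r, ca, cr).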
![Page 130: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/130.jpg)
3. Writing the Requirement Document
129
![Page 131: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/131.jpg)
Requirements: Describing Equipment 125
The system has got the following pieces of equipment: a Motor, a Clutch, and a Door EQP 1
Four Buttons are used to start and stop the motor, and engage and disengage the clutch EQP 2
A Controller is supposed to manage this equipment EQP 3
130
![Page 132: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/132.jpg)
Requirements: Connection Constraints 126
Buttons and Controller are weakly synchronized FUN 1
Controller and Equipment are strongly synchronized FUN 2
131
![Page 133: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/133.jpg)
Requirements: Relationship Between Motor and Clutch 127
When the clutch is engaged, the motor must work SAF 1
When the clutch is engaged, the door must be closed SAF 2
132
![Page 134: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/134.jpg)
Requirements: Relationship Between Door and Clutch 128
When the clutch is engaged, the door cannot be closed several times, ONLY ONCE FUN 3
When the door is closed, the clutch cannot be disengaged several times, ONLY ONCE FUN 4
Opening and closing the door are not independent. It must be synchronized with disengaging and engaging the clutch FUN 5
133
![Page 135: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/135.jpg)
Overview 129
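[Figure: system overview. Start and Stop buttons for the Motor and for the Clutch feed the CONTROLLER, which is connected to the MOTOR (motor_actuator, motor_sensor), the CLUTCH (clutch_actuator, clutch_sensor) and the DOOR (door_actuator, door_sensor).]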
134
![Page 136: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/136.jpg)
4. Proposing a Refinement Strategy
135
![Page 137: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/137.jpg)
Refinement Strategy 130
- Initial model: Connecting the controller to the motor
- 1st refinement: Connecting the motor buttons to the controller
- 2nd refinement: Connecting the controller to the clutch
- 3rd refinement: Constraining the clutch and the motor
136
![Page 138: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/138.jpg)
Refinement Strategy (cont’d) 131
- 4th refinement: Connecting the controller to the door
- 5th refinement: Constraining the clutch and the door
- 6th refinement: More constraints between clutch and door
- 7th refinement: Connecting the clutch buttons to the controller
137
![Page 139: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/139.jpg)
5. Development of the Model using Refinements and Design Patterns
138
![Page 140: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/140.jpg)
Initial Model: Connecting the Controller to the Motor 132
[Figure: the Controller connected to the Motor by a Strong Reaction]
Controller and Equipment are strongly synchronized FUN 2
139
![Page 141: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/141.jpg)
Model for strong action and reaction: the Final Events 133
The counters have been removed

init
  a := 0
  r := 0

a_on
  when a = 0
       r = 0
  then a := 1
  end

r_on
  when r = 0
       a = 1
  then r := 1
  end

a_off
  when a = 1
       r = 1
  then a := 0
  end

r_off
  when r = 1
       a = 0
  then r := 0
  end
140
![Page 142: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/142.jpg)
Initial Model: the Context 134
set: STATUS
constants: stopped, working
axm0_1: STATUS = {stopped, working}
axm0_2: stopped ≠ working
141
![Page 143: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/143.jpg)
Initial Model: the State 135
variables: motor_actuator, motor_sensor
inv0_1: motor_sensor ∈ STATUS
inv0_2: motor_actuator ∈ STATUS
142
![Page 144: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/144.jpg)
Initial Model: the Synchronization 136
[Figure: the Controller acts on the Motor through motor_actuator (Action); the Motor answers through motor_sensor (Strong Reaction)]
143
![Page 145: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/145.jpg)
Pattern Instantiation 137
- We instantiate the strong pattern as follows:
a ⇝ motor_actuator
r ⇝ motor_sensor
0 ⇝ stopped
1 ⇝ working
a_on ⇝ treat_start_motor
a_off ⇝ treat_stop_motor
r_on ⇝ Motor_start
r_off ⇝ Motor_stop
- Convention: Controller events start with "treat_"
144
![Page 146: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/146.jpg)
Initial Model: Initialization 138
init
  a := 0
  r := 0

init
  motor_actuator := stopped
  motor_sensor := stopped
145
![Page 147: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/147.jpg)
Initial Model: Controller Events (1) 139
a_on
  when a = 0
       r = 0
  then a := 1
  end

treat_start_motor
  when motor_actuator = stopped
       motor_sensor = stopped
  then motor_actuator := working
  end
146
![Page 148: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/148.jpg)
Initial Model: Environment Event (1) 140
r_on
  when r = 0
       a = 1
  then r := 1
  end

Motor_start
  when motor_sensor = stopped
       motor_actuator = working
  then motor_sensor := working
  end
147
![Page 149: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/149.jpg)
Initial Model: Controller Events (2) 141
a_off
  when a = 1
       r = 1
  then a := 0
  end

treat_stop_motor
  when motor_actuator = working
       motor_sensor = working
  then motor_actuator := stopped
  end
148
![Page 150: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/150.jpg)
Initial Model: Environment Event (2) 142
r_off
  when r = 1
       a = 0
  then r := 0
  end

Motor_stop
  when motor_sensor = working
       motor_actuator = stopped
  then motor_sensor := stopped
  end
149
![Page 151: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/151.jpg)
Synchronization 143
[Figure: synchronization diagram of a_on, a_off, r_on, r_off next to its instance with treat_start_motor, treat_stop_motor, Motor_start, Motor_stop]
150
![Page 152: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/152.jpg)
Initial Model: Summary of the Events 144
- Environment
  - motor_start
  - motor_stop
- Controller
  - treat_start_motor
  - treat_stop_motor
151
![Page 153: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/153.jpg)
1st Reft.: Connecting the Motor Buttons to the Controller 145
[Figure: buttons B1 and B2 connected to the Controller by a Weak Reaction; the Controller connected to the Motor by a Strong Reaction]
Buttons and Controller are weakly synchronized FUN 1
152
![Page 154: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/154.jpg)
Model for weak action and reaction: the Final Events 146
The counters have been removed

init
  a := 0
  r := 0

a_on
  when a = 0
  then a := 1
  end

r_on
  when r = 0
       a = 1
  then r := 1
  end

a_off
  when a = 1
  then a := 0
  end

r_off
  when r = 1
       a = 0
  then r := 0
  end
153
![Page 155: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/155.jpg)
First Refinement: the State 147
variables: ...
           start_motor_button
           stop_motor_button
           start_motor_impulse
           stop_motor_impulse
inv1_1: stop_motor_button ∈ BOOL
inv1_2: start_motor_button ∈ BOOL
inv1_3: stop_motor_impulse ∈ BOOL
inv1_4: start_motor_impulse ∈ BOOL
154
![Page 156: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/156.jpg)
First Refinement: the State 148
[Figure: the Start button (start_motor_button) and the Stop button (stop_motor_button) each act on the CONTROLLER, which answers with a weak reaction through start_motor_impulse and stop_motor_impulse]
155
![Page 157: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/157.jpg)
Pattern Instantiation 149
- We instantiate the pattern as follows:
a ⇝ start_motor_button
r ⇝ start_motor_impulse
0 ⇝ FALSE
1 ⇝ TRUE
a_on ⇝ push_start_motor_button
a_off ⇝ release_stop_motor_button
r_on ⇝ treat_push_start_motor_button
r_off ⇝ treat_release_start_motor_button
- We rename treat_start_motor as treat_push_start_motor_button
156
![Page 158: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/158.jpg)
1st Refinement: Refinement of Initialization 150
init
  a := 0
  r := 0

init
  motor_actuator := stopped
  motor_sensor := stopped
  start_motor_button := FALSE
  start_motor_impulse := FALSE
157
![Page 159: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/159.jpg)
First Refinement: New Environment Events (1) 151
a_on
  when a = 0
  then a := 1
  end

push_start_motor_button
  when start_motor_button = FALSE
  then start_motor_button := TRUE
  end

a_off
  when a = 1
  then a := 0
  end

release_start_motor_button
  when start_motor_button = TRUE
  then start_motor_button := FALSE
  end
158
![Page 160: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/160.jpg)
First Refinement: Refining Controller Events (1) 152
r_on
  when r = 0
       a = 1
  then r := 1
  end

treat_push_start_motor_button
  refines treat_start_motor
  when start_motor_impulse = FALSE
       start_motor_button = TRUE
       motor_actuator = stopped
       motor_sensor = stopped
  then start_motor_impulse := TRUE
       motor_actuator := working
  end
- This is the most important slide of the talk
- We can see how patterns can be superposed
159
![Page 161: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/161.jpg)
a_on
  when a = 0
       r = 0
  then a := 1
  end

treat_start_motor
  when motor_actuator = stopped
       motor_sensor = stopped
  then motor_actuator := working
  end

r_on
  when r = 0
       a = 1
  then r := 1
  end

treat_push_start_motor_button
  when start_motor_impulse = FALSE
       start_motor_button = TRUE
       motor_actuator = stopped
       motor_sensor = stopped
  then start_motor_impulse := TRUE
       motor_actuator := working
  end
160
![Page 162: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/162.jpg)
Design Pattern Integration within a Development 153
[Figure: chain Initial Model, Refinement 1, ..., Refinement n, each linked to the previous one by "refines"; the Instantiated Pattern is also linked into the chain by "refines"]
161
![Page 163: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/163.jpg)
First Refinement: New Controller Events (1) 154
r_off
  when r = 1
       a = 0
  then r := 0
  end

treat_release_start_motor_button
  when start_motor_impulse = TRUE
       start_motor_button = FALSE
  then start_motor_impulse := FALSE
  end
162
![Page 164: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/164.jpg)
Pattern Instantiation 155
- We instantiate the pattern as follows:
a ⇝ stop_motor_button
r ⇝ stop_motor_impulse
0 ⇝ FALSE
1 ⇝ TRUE
a_on ⇝ push_stop_motor_button
a_off ⇝ release_stop_motor_button
r_on ⇝ treat_push_stop_motor_button
r_off ⇝ treat_release_stop_motor_button
163
![Page 165: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/165.jpg)
1st Refinement: More Refinement of Initialization 156
init
  a := 0
  r := 0

init
  motor_actuator := stopped
  motor_sensor := stopped
  start_motor_button := FALSE
  start_motor_impulse := FALSE
  stop_motor_button := FALSE
  stop_motor_impulse := FALSE
164
![Page 166: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/166.jpg)
First Refinement: New Environment Events 157
a_on
  when a = 0
  then a := 1
  end

push_stop_motor_button
  when stop_motor_button = FALSE
  then stop_motor_button := TRUE
  end

a_off
  when a = 1
  then a := 0
  end

release_stop_motor_button
  when stop_motor_button = TRUE
  then stop_motor_button := FALSE
  end
165
![Page 167: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/167.jpg)
First Refinement: Refining Controller Events (2) 158
r_on
  when r = 0
       a = 1
  then r := 1
  end

treat_push_stop_motor_button
  refines treat_stop_motor
  when stop_motor_impulse = FALSE
       stop_motor_button = TRUE
       motor_sensor = working
       motor_actuator = working
  then stop_motor_impulse := TRUE
       motor_actuator := stopped
  end
166
![Page 168: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/168.jpg)
First Refinement: New Controller Events (2) 159
r_off
  when r = 1
       a = 0
  then r := 0
  end

treat_release_stop_motor_button
  when stop_motor_impulse = TRUE
       stop_motor_button = FALSE
  then stop_motor_impulse := FALSE
  end
167
![Page 169: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/169.jpg)
Independent Synchronizations 160
[Figure: synchronization diagram for the start button: push_start_motor_button, release_start_motor_button, treat_push_start_motor_button, treat_release_start_motor_button]
168
![Page 170: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/170.jpg)
Independent Synchronizations 161
[Figure: two independent synchronization diagrams. Start button: push_start_motor_button, release_start_motor_button, treat_push_start_motor_button, treat_release_start_motor_button. Stop button: push_stop_motor_button, release_stop_motor_button, treat_push_stop_motor_button, treat_release_stop_motor_button.]
169
![Page 171: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/171.jpg)
Independent Synchronizations 162
[Figure: three independent synchronization diagrams. Start button: push_start_motor_button, release_start_motor_button, treat_push_start_motor_button, treat_release_start_motor_button. Stop button: push_stop_motor_button, release_stop_motor_button, treat_push_stop_motor_button, treat_release_stop_motor_button. Motor: treat_push_start_motor_button, treat_push_stop_motor_button, Motor_start, Motor_stop.]
170
![Page 172: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/172.jpg)
Weak and Strong Reactions Together 163
[Figure: the Start and Stop buttons (start_motor_button, stop_motor_button) act on the CONTROLLER, which answers with weak reactions (start_motor_impulse, stop_motor_impulse); the CONTROLLER acts on the MOTOR through motor_actuator, and the MOTOR answers with a strong reaction through motor_sensor]
171
![Page 173: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/173.jpg)
Combined Synchronizations 164
[Figure: combined synchronization diagram of push_start_motor_button, release_start_motor_button, treat_push_start_motor_button, treat_release_start_motor_button, push_stop_motor_button, release_stop_motor_button, treat_push_stop_motor_button, treat_release_stop_motor_button, Motor_start and Motor_stop]
172
![Page 174: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/174.jpg)
Problems with treat_push_start_motor_button 165

treat_push_start_motor_button
  refines treat_start_motor
  when start_motor_impulse = FALSE
       start_motor_button = TRUE
       motor_actuator = stopped
       motor_sensor = stopped
  then start_motor_impulse := TRUE
       motor_actuator := working
  end

- What happens when the following holds
¬ (motor_actuator = stopped ∧ motor_sensor = stopped)
- We need another event
173
![Page 175: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/175.jpg)
Problems with treat_push_start_motor_button 166

treat_push_start_motor_button
  refines treat_start_motor
  when start_motor_impulse = FALSE
       start_motor_button = TRUE
       motor_actuator = stopped
       motor_sensor = stopped
  then start_motor_impulse := TRUE
       motor_actuator := working
  end

treat_push_start_motor_button_false
  when start_motor_impulse = FALSE
       start_motor_button = TRUE
       ¬ (motor_actuator = stopped ∧ motor_sensor = stopped)
  then start_motor_impulse := TRUE
  end

- In the second case, the button has been pushed but the internal conditions are not met
- However, we need to record that the button has been pushed:
start_motor_impulse := TRUE
174
![Page 176: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/176.jpg)
Problems with treat_push_stop_motor_button 167

treat_push_stop_motor_button
  refines treat_stop_motor
  when stop_motor_impulse = FALSE
       stop_motor_button = TRUE
       motor_sensor = working
       motor_actuator = working
  then stop_motor_impulse := TRUE
       motor_actuator := stopped
  end

treat_push_stop_motor_button_false
  when stop_motor_impulse = FALSE
       stop_motor_button = TRUE
       ¬ (motor_sensor = working ∧ motor_actuator = working)
  then stop_motor_impulse := TRUE
  end

- In the second case, the button has been pushed but the internal conditions are not met
- However, we need to record that the button has been pushed:
stop_motor_impulse := TRUE
175
![Page 177: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/177.jpg)
First Refinement: Summary of the Events (1) 168
- Environment
  - motor_start
  - motor_stop
  - push_start_motor_button
  - release_start_motor_button
  - push_stop_motor_button
  - release_stop_motor_button
176
![Page 178: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/178.jpg)
First Refinement: Summary of the Events (2) 169
- Controller
  - treat_push_start_motor_button
  - treat_push_start_motor_button_false
  - treat_push_stop_motor_button
  - treat_push_stop_motor_button_false
  - treat_release_start_motor_button
  - treat_release_stop_motor_button
177
![Page 179: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/179.jpg)
2nd Refinement: Connecting the Controller to the Clutch 170
[Figure: the Start and Stop buttons (start_motor_button, stop_motor_button) with start_motor_impulse and stop_motor_impulse in the CONTROLLER, which is connected to the MOTOR (motor_actuator, motor_sensor) and now also to the CLUTCH (clutch_actuator, clutch_sensor)]
178
![Page 180: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/180.jpg)
2nd Refinement: Connecting the Controller to the Clutch 171
- We introduce the set in a new context:
CLUTCH = {engaged, disengaged}
- We copy the initial model where we instantiate:
motor ⇝ clutch
STATUS ⇝ CLUTCH
working ⇝ engaged
stopped ⇝ disengaged
179
![Page 181: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/181.jpg)
Second Refinement: Summary of the Events (1) 172
- Environment
  - motor_start
  - motor_stop
  - clutch_start
  - clutch_stop
  - push_start_motor_button
  - release_start_motor_button
  - push_stop_motor_button
  - release_stop_motor_button
180
![Page 182: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/182.jpg)
Second Refinement: Summary of the Events (2) 173
- Controller
  - treat_push_start_motor_button
  - treat_push_start_motor_button_false
  - treat_push_stop_motor_button
  - treat_push_stop_motor_button_false
  - treat_release_start_motor_button
  - treat_release_stop_motor_button
  - treat_start_clutch
  - treat_stop_clutch
181
![Page 183: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/183.jpg)
Third Refinement: Constraining the Clutch and the Motor 174
- An additional safety constraint
When the clutch is engaged, the motor must work SAF 1
- For this we develop ANOTHER DESIGN PATTERN
- It is called: Weak synchronization of two Strong Reactions
182
![Page 184: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/184.jpg)
Pattern: Weak Synchronization of Strong Reactions 175
[Figure: timing diagram with the intervals "motor works" and "clutch engaged"]
When the clutch is engaged, then the motor must work
183
![Page 185: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/185.jpg)
Pattern: Weak Synchronization of Strong Reactions 176
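[Figure: timing diagram of the two reactions a/r and b/s; the interval s = 1 lies inside the interval r = 1, i.e. s = 1 ⇒ r = 1]
When the clutch is engaged, then the motor must work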
184
![Page 186: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/186.jpg)
The Synchronization is Weak (1) 177
[Figure: timing diagram of the clutch and the motor while the clutch is disengaged]
When the clutch is disengaged, then the motor can be started and stopped several times
185
![Page 187: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/187.jpg)
The Synchronization is Weak (2) 178
[Figure: timing diagram of the motor and the clutch while the motor works]
When the motor works, then the clutch can be engaged and disengaged several times
186
![Page 188: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/188.jpg)
Putting the Two Together 179
187
![Page 189: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/189.jpg)
Synchronizing the Reactions Without Touching them 180
[Figure: two synchronization diagrams side by side: a_on, a_off, r_on, r_off and b_on, b_off, s_on, s_off]
188
![Page 190: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/190.jpg)
The Initial State Situation 181
dbl0_1: a ∈ {0, 1}
dbl0_2: r ∈ {0, 1}
dbl0_3: ca ∈ ℕ
dbl0_4: cr ∈ ℕ
dbl0_5: a = 1 ∧ r = 0 ⇒ ca = cr + 1
dbl0_6: a = 0 ∨ r = 1 ⇒ ca = cr

dbl0_7: b ∈ {0, 1}
dbl0_8: s ∈ {0, 1}
dbl0_9: cb ∈ ℕ
dbl0_10: cs ∈ ℕ
dbl0_11: b = 1 ∧ s = 0 ⇒ cb = cs + 1
dbl0_12: b = 0 ∨ s = 1 ⇒ cb = cs
189
![Page 191: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/191.jpg)
The Initial Event Situation (1) 182
a_on
  when a = 0
       r = 0
  then a := 1
       ca := ca + 1
  end

a_off
  when a = 1
       r = 1
  then a := 0
  end

r_on
  when r = 0
       a = 1
  then r := 1
       cr := cr + 1
  end

r_off
  when r = 1
       a = 0
  then r := 0
  end
190
![Page 192: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/192.jpg)
The Initial Event Situation (2) 183
b_on
  when b = 0
       s = 0
  then b := 1
       cb := cb + 1
  end

b_off
  when b = 1
       s = 1
  then b := 0
  end

s_on
  when s = 0
       b = 1
  then s := 1
       cs := cs + 1
  end

s_off
  when s = 1
       b = 0
  then s := 0
  end
191
![Page 193: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/193.jpg)
The Synchronizing Invariant 184
dbl1_1: s = 1 ⇒ r = 1
- It seems sufficient to add the following guards

s_on
  when s = 0
       b = 1
       r = 1
  then s := 1
       cs := cs + 1
  end

r_off
  when r = 1
       a = 0
       s = 0
  then r := 0
  end

- But we do not want to touch these events
192
![Page 194: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/194.jpg)
Introducing Additional Invariants to Remove the red guards 185
s_on
  when s = 0
       b = 1
       r = 1      (red guard)
  then s := 1
       cs := cs + 1
  end

r_off
  when r = 1
       a = 0
       s = 0      (red guard)
  then r := 0
  end

- We introduce the following additional invariants
dbl1_2: b = 1 ⇒ r = 1
dbl1_3: a = 0 ⇒ s = 0
193
![Page 195: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/195.jpg)
Maintaining Invariant dbl1_2 (1) 186
dbl1_2: b = 1 ⇒ r = 1
In order to maintain this invariant, we have to refine b_on

b_on
  when b = 0
       s = 0
  then b := 1
       cb := cb + 1
  end

⇝

b_on
  when b = 0
       s = 0
       r = 1
  then b := 1
       cb := cb + 1
  end
194
![Page 196: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/196.jpg)
Maintaining (Contraposition of) Invariant dbl1_2 (2) 187
dbl1_2: b = 1 ⇒ r = 1 (r = 0 ⇒ b = 0)
In order to maintain this invariant, we have to refine r_off

r_off
  when r = 1
       a = 0
  then r := 0
  end

⇝

r_off
  when r = 1
       a = 0
       b = 0
  then r := 0
  end

- But, again, we do not want to touch this event
195
![Page 197: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/197.jpg)
Introducing a new invariant to Remove the Red Guard 188
r_off
  when r = 1
       a = 0
       b = 0      (red guard)
  then r := 0
  end

- We introduce the following invariant
dbl1_4: a = 0 ⇒ b = 0
196
![Page 198: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/198.jpg)
Maintaining Invariant dbl1_3 (1) 189
dbl1_3: a = 0 ⇒ s = 0
In order to maintain this invariant, we have to refine a_off

a_off
  when a = 1
       r = 1
  then a := 0
  end

⇝

a_off
  when a = 1
       r = 1
       s = 0
  then a := 0
  end
197
![Page 199: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/199.jpg)
Maintaining (Contraposition of) Invariant dbl1_3 (2) 190
dbl1_3: a = 0 ⇒ s = 0 (s = 1 ⇒ a = 1)
In order to maintain this invariant, we have to refine s_on

s_on
  when s = 0
       b = 1
  then s := 1
       cs := cs + 1
  end

⇝

s_on
  when s = 0
       b = 1
       a = 1
  then s := 1
       cs := cs + 1
  end

- But, again, we do not want to touch this event
198
![Page 200: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/200.jpg)
Introducing a new invariant to Remove the Red Guard 191
s_on
  when s = 0
       b = 1
       a = 1      (red guard)
  then s := 1
       cs := cs + 1
  end

- We have to introduce the following invariant
b = 1 ⇒ a = 1
- Fortunately, this is dbl1_4 (a = 0 ⇒ b = 0) contraposed
199
![Page 201: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/201.jpg)
Maintaining Invariant dbl1_4 (1) 192
dbl1_4: a = 0 ⇒ b = 0
In order to maintain this invariant, we have to refine a_off again

a_off
  when a = 1
       r = 1
       s = 0
  then a := 0
  end

⇝

a_off
  when a = 1
       r = 1
       s = 0
       b = 0
  then a := 0
  end
200
![Page 202: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/202.jpg)
Maintaining (Contraposition of) Invariant dbl1_4 (2) 193
dbl1_4: a = 0 ⇒ b = 0 (b = 1 ⇒ a = 1)
In order to maintain this invariant, we have to refine b_on again

b_on
  when b = 0
       s = 0
       r = 1
  then b, cb := 1, cb + 1
  end

⇝

b_on
  when b = 0
       s = 0
       r = 1
       a = 1
  then b, cb := 1, cb + 1
  end
201
![Page 203: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/203.jpg)
Summary of Refinement: Reactions have not been Touched 194
dbl1_1: s = 1 ⇒ r = 1
dbl1_2: b = 1 ⇒ r = 1
dbl1_3: a = 0 ⇒ s = 0
dbl1_4: a = 0 ⇒ b = 0

b_on
  when b = 0
       s = 0
       r = 1
       a = 1
  then b, cb := 1, cb + 1
  end

a_off
  when a = 1
       r = 1
       s = 0
       b = 0
  then a := 0
  end
202
![Page 204: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/204.jpg)
Intuition about the Invariants 195
dbl1_1: s = 1 ⇒ r = 1
dbl1_2: b = 1 ⇒ r = 1
dbl1_3: a = 0 ⇒ s = 0 (s = 1 ⇒ a = 1)
dbl1_4: a = 0 ⇒ b = 0 (b = 1 ⇒ a = 1)
This can be put into a single invariant
dbl1_5: b = 1 ∨ s = 1 ⇒ a = 1 ∧ r = 1
with the following contraposed form
dbl1_6: a = 0 ∨ r = 0 ⇒ b = 0 ∧ s = 0
203
![Page 205: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/205.jpg)
Intuition about the Invariants 196
[Figure: the motor and clutch lines, drawn in two line styles, with regions labelled "a=0 or r=0" and "b=1 or s=1"]
dbl1 5: b = 1 ∨ s = 1 ⇒ a = 1 ∧ r = 1
dbl1 6: a = 0 ∨ r = 0 ⇒ b = 0 ∧ s = 0
204
![Page 206: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/206.jpg)
Looking at the Result 197
a_on
  when
    a = 0
    r = 0
  then
    a := 1
  end
a_off
  when
    a = 1
    r = 1
    s = 0
    b = 0
  then
    a := 0
  end
r_on
  when
    r = 0
    a = 1
  then
    r := 1
  end
r_off
  when
    r = 1
    a = 0
  then
    r := 0
  end
b_on
  when
    b = 0
    s = 0
    r = 1
    a = 1
  then
    b := 1
  end
b_off
  when
    b = 1
    s = 1
  then
    b := 0
  end
s_on
  when
    s = 0
    b = 1
  then
    s := 1
  end
s_off
  when
    s = 1
    b = 0
  then
    s := 0
  end
dbl1 1: s = 1 ⇒ r = 1 (r = 0 ⇒ s = 0)
dbl1 2: b = 1 ⇒ r = 1 (r = 0 ⇒ b = 0)
dbl1 3: a = 0 ⇒ s = 0 (s = 1 ⇒ a = 1)
dbl1 4: a = 0 ⇒ b = 0 (b = 1 ⇒ a = 1)
205
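Added example (not part of the original slides): an explicit-state check of the eight pattern events from "Looking at the Result" against dbl1 1 to dbl1 4, which also re-runs the search with the earlier a_off and b_on guards (before b = 0 and a = 1 were added) to show the event trace that breaks dbl1 4. The all-zero initial state is an assumption, and the helper names (explore, with_guard, OLD_A_OFF, OLD_B_ON) belong to this example only.

```python
"""Explicit-state check of the weak-synchronisation pattern (added example).

A state is the tuple (a, r, b, s): a and r are the actuator and sensor of the
first device (the motor), b and s those of the second (the clutch). Guards
and actions are copied from the slides, counters left out; the all-zero
initial state is an assumption.
"""
from collections import deque

VARS = ("a", "r", "b", "s")
INIT = (0, 0, 0, 0)  # assumed initialisation, not shown on the slides

# name -> (guard, action), as on the slide "Looking at the Result".
EVENTS = {
    "a_on":  ({"a": 0, "r": 0}, {"a": 1}),
    "a_off": ({"a": 1, "r": 1, "s": 0, "b": 0}, {"a": 0}),
    "r_on":  ({"r": 0, "a": 1}, {"r": 1}),
    "r_off": ({"r": 1, "a": 0}, {"r": 0}),
    "b_on":  ({"b": 0, "s": 0, "r": 1, "a": 1}, {"b": 1}),
    "b_off": ({"b": 1, "s": 1}, {"b": 0}),
    "s_on":  ({"s": 0, "b": 1}, {"s": 1}),  # no a = 1 guard: dbl1 4 covers it
    "s_off": ({"s": 1, "b": 0}, {"s": 0}),
}

INVARIANTS = {
    "dbl1 1": lambda v: v["s"] != 1 or v["r"] == 1,  # s = 1 => r = 1
    "dbl1 2": lambda v: v["b"] != 1 or v["r"] == 1,  # b = 1 => r = 1
    "dbl1 3": lambda v: v["a"] != 0 or v["s"] == 0,  # a = 0 => s = 0
    "dbl1 4": lambda v: v["a"] != 0 or v["b"] == 0,  # a = 0 => b = 0
}


def broken_invariants(state):
    """Names of the invariants that do not hold in `state`."""
    v = dict(zip(VARS, state))
    return [name for name, holds in INVARIANTS.items() if not holds(v)]


def successors(state, events):
    """Yield (event_name, next_state) for every event enabled in `state`."""
    v = dict(zip(VARS, state))
    for name, (guard, action) in events.items():
        if all(v[k] == want for k, want in guard.items()):
            nxt = {**v, **action}
            yield name, tuple(nxt[k] for k in VARS)


def trace_to(parent, state):
    """Rebuild the event sequence leading from the initial state to `state`."""
    names = []
    while parent[state] is not None:
        state, name = parent[state]
        names.append(name)
    return names[::-1]


def explore(events, init=INIT):
    """Breadth-first search over reachable states.

    Returns (reachable_states, violation); violation is None, or the tuple
    (trace, state, broken_invariant_names) for the first bad state reached.
    """
    parent = {init: None}
    if broken_invariants(init):
        return set(parent), ([], init, broken_invariants(init))
    queue = deque([init])
    while queue:
        state = queue.popleft()
        for name, nxt in successors(state, events):
            if nxt in parent:
                continue
            parent[nxt] = (state, name)
            broken = broken_invariants(nxt)
            if broken:
                return set(parent), (trace_to(parent, nxt), nxt, broken)
            queue.append(nxt)
    return set(parent), None


def with_guard(events, name, guard):
    """Copy of the event table with the guard of one event replaced."""
    changed = dict(events)
    changed[name] = (guard, events[name][1])
    return changed


# Guards as they stood before b = 0 and a = 1 were added on the slides.
OLD_A_OFF = with_guard(EVENTS, "a_off", {"a": 1, "r": 1, "s": 0})
OLD_B_ON = with_guard(EVENTS, "b_on", {"b": 0, "s": 0, "r": 1})

if __name__ == "__main__":
    for label, table in (("final", EVENTS), ("old a_off", OLD_A_OFF),
                         ("old b_on", OLD_B_ON)):
        states, bad = explore(table)
        print(label, len(states), "states;", bad or "all invariants hold")
```

In both weakened variants the bad state is a = 0, r = 1, b = 1, s = 0: the second actuator has been switched on while the first is already off, which is exactly what dbl1 4 forbids.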
![Page 207: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/207.jpg)
Weak Synchronization of Strong Reactions: the Problem 198
[Figure: the events a_on, a_off, r_on, r_off, b_on, b_off, s_on and s_off]
dbl1 1: s = 1 ⇒ r = 1 (r = 0 ⇒ s = 0)
206
![Page 208: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/208.jpg)
Weak Synchronization of Strong Reactions: the Solution 199
b_on
  when
    b = 0
    s = 0
    r = 1
    a = 1
  then
    b := 1
  end
[Figure: the events a_on, a_off, r_on, r_off, b_on, b_off, s_on and s_off]
a_off
  when
    a = 1
    r = 1
    s = 0
    b = 0
  then
    a := 0
  end
207
![Page 209: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/209.jpg)
Back to 3rd Reft.: Constraining the Clutch and the Motor 200
When the clutch is engaged, the motor must work SAF 1
inv3 1: clutch_sensor = engaged ⇒ motor_sensor = working
- This is an instance of the previous design pattern
208
![Page 210: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/210.jpg)
Pattern Instantiation 201
- We instantiate the pattern as follows:
a ⇝ motor_actuator
r ⇝ motor_sensor
0 ⇝ stopped
1 ⇝ working
a_on ⇝ treat_push_start_motor_button
a_off ⇝ treat_push_stop_motor_button
r_on ⇝ Motor_start
r_off ⇝ Motor_stop
b ⇝ clutch_actuator
s ⇝ clutch_sensor
0 ⇝ disengaged
1 ⇝ engaged
b_on ⇝ treat_start_clutch
b_off ⇝ treat_stop_clutch
s_on ⇝ Clutch_start
s_off ⇝ Clutch_stop
209
![Page 211: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/211.jpg)
Translating the pattern invariants (1) 202
dbl1 1: s = 1 ⇒ r = 1
dbl1 2: b = 1 ⇒ r = 1
inv3 1: clutch_sensor = engaged ⇒ motor_sensor = working
inv3 2: clutch_actuator = engaged ⇒ motor_sensor = working
210
![Page 212: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/212.jpg)
Translating the pattern invariants (2) 203
dbl1 3: a = 0 ⇒ s = 0
dbl1 4: a = 0 ⇒ b = 0
inv3 3: motor_actuator = stopped ⇒ clutch_sensor = disengaged
inv3 4: motor_actuator = stopped ⇒ clutch_actuator = disengaged
211
![Page 213: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/213.jpg)
Adapting the Events of the Pattern (1) 204
b_on
  when
    b = 0
    s = 0
    r = 1
    a = 1
  then
    b := 1
  end
treat_start_clutch
  when
    clutch_actuator = disengaged
    clutch_sensor = disengaged
    motor_sensor = working
    motor_actuator = working
  then
    clutch_actuator := engaged
  end
212
![Page 214: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/214.jpg)
Adapting the events of the pattern (2) 205
a_off
  when
    a = 1
    r = 1
    s = 0
    b = 0
  then
    a := 0
  end
treat_push_stop_motor_button
  when
    stop_motor_impulse = FALSE
    stop_motor_button = TRUE
    motor_actuator = working
    motor_sensor = working
    clutch_sensor = disengaged
    clutch_actuator = disengaged
  then
    motor_actuator := stopped
    stop_motor_impulse := TRUE
  end
213
![Page 215: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/215.jpg)
Third Refinement: Summary of the Events (1) 206
- Environment (no new events)
- motor start
- motor stop
- clutch start
- clutch stop
- push start motor button
- release start motor button
- push stop motor button
- release stop motor button
214
![Page 216: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/216.jpg)
Third Refinement: Summary of the Events (2) 207
- Controller (no new events)
- treat push start motor button
- treat push start motor button false
- treat push stop motor button
- treat push stop motor button false
- treat release start motor button
- treat release stop motor button
- treat start clutch
- treat stop clutch
215
![Page 217: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/217.jpg)
Fourth Refinement: Connecting the Controller to the Door 208
[Figure: block diagram of the CONTROLLER (start_motor_impulse, stop_motor_impulse) with the Start and Stop buttons (start_motor_button, stop_motor_button), the MOTOR (motor_actuator, motor_sensor), the CLUTCH (clutch_actuator, clutch_sensor) and the DOOR (door_actuator, door_sensor)]
- We copy (after renaming "motor" to "door") what has been done in the initial model
216
![Page 218: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/218.jpg)
Fourth Refinement: Connecting the Controller to the Door 209
- We introduce the set in a new context:
DOOR = {open, closed}
- We copy the initial model where we instantiate:
motor ⇝ door
STATUS ⇝ DOOR
working ⇝ closed
stopped ⇝ open
217
![Page 219: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/219.jpg)
Fourth Refinement: Summary of the Events (1) 210
- Environment
- motor start
- motor stop
- clutch start
- clutch stop
- door close
- door open
- push start motor button
- release start motor button
- push stop motor button
- release stop motor button
218
![Page 220: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/220.jpg)
Fourth Refinement: Summary of the Events (2) 211
- Controller
- treat push start motor button
- treat push start motor button false
- treat push stop motor button
- treat push stop motor button false
- treat release start motor button
- treat release stop motor button
- treat start clutch
- treat stop clutch
- treat close door
- treat open door
219
![Page 221: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/221.jpg)
Fifth Refinement: Constraining the Clutch and the Door 212
- An additional safety constraint
When the clutch is engaged, the door must be closed SAF 2
- We copy (after renaming "motor" to "door") what has been done
in the third model:
When the clutch is engaged, the motor must work SAF 1
220
![Page 222: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/222.jpg)
Fifth Reft.: Something was forgotten Concerning the Door 213
221
![Page 223: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/223.jpg)
Fifth Reft.: Something was forgotten Concerning the Door 214
- Can you guess it?
222
![Page 224: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/224.jpg)
Fifth Reft.: Something was forgotten Concerning the Door 215
- Can you guess it?
- When the motor is not working, we must allow users:
- to change the tool
- to replace the part to be treated
223
![Page 225: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/225.jpg)
Fifth Reft.: Something was forgotten Concerning the Door 216
- Can you guess it?
- When the motor is not working, we must allow users:
- to change the tool
- to replace the part to be treated
- Hence the following additional requirement (which was forgotten)
When the motor is stopped, the door must be open SAF 3
224
![Page 226: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/226.jpg)
Fifth Reft.: Something was forgotten Concerning the Door 217
- Can you guess it?
- When the motor is not working, we must allow users:
- to change the tool
- to replace the part to be treated
- Hence the following additional requirement (which was forgotten)
When the door is closed, the motor must work SAF 3’
- SAF 3’ is the contraposed form of SAF 3
225
![Page 227: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/227.jpg)
Fifth Refinement: Taking Care of the New Constraint 218
- Additional safety constraint
When the door is closed, the motor must work SAF 3’
- We copy (after renaming "clutch" to "door") what has been done
in the third model:
When the clutch is engaged, the motor must work SAF 1
226
![Page 228: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/228.jpg)
Fifth Reft.: Summary of the Safety Requirements 219
When the clutch is engaged, the motor must work SAF 1
When the clutch is engaged, the door must be closed SAF 2
When the door is closed, the motor must work SAF 3’
- Requirement SAF 1 is now redundant: SAF 2 ∧ SAF 3’ ⇒ SAF 1
227
![Page 229: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/229.jpg)
Possible New Refinement Strategy 220
- Initial model: Connecting the controller to the motor
- 1st refinement: Connecting the motor button to the controller
- 2nd refinement: Connecting the controller to the clutch
- 3rd (4th) refinement: Connecting the controller to the door
228
![Page 230: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/230.jpg)
Possible New Refinement Strategy (cont’d) 221
- 4th (5th) refinement: Constraining the clutch and the door
Constraining the motor and the door
- 5th (6th) refinement: More constraints between clutch and door
- 6th (7th) refinement: Connecting the clutch button to the controller
229
![Page 231: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/231.jpg)
Fifth Refinement: Summary of the Events (1) 222
- Environment (no new events)
- motor start
- motor stop
- clutch start
- clutch stop
- door close
- door open
- push start motor button
- release start motor button
- push stop motor button
- release stop motor button
230
![Page 232: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/232.jpg)
Fifth Refinement: Summary of the Events (2) 223
- Controller (no new events)
- treat push start motor button
- treat push start motor button false
- treat push stop motor button
- treat push stop motor button false
- treat release start motor button
- treat release stop motor button
- treat start clutch
- treat stop clutch
- treat close door
- treat open door
231
![Page 233: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/233.jpg)
Sixth Reft.: More Constraints between Clutch and Door 224
- Adding two functional constraints
When the clutch is disengaged, the door cannot be closed several times, ONLY ONCE FUN 3
When the door is closed, the clutch cannot be disengaged several times, ONLY ONCE FUN 4
232
![Page 234: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/234.jpg)
Problem with the Weak Synchronization of Strong Reactions 225
[Figure: labels "clutch disengaged" and "door closed"]
- When the clutch is disengaged, the door cannot be closed
several times
233
![Page 235: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/235.jpg)
Problem with the Weak Synchronization of Strong Reactions 226
[Figure: labels "door closed" and "clutch disengaged"]
- When the door is closed, the clutch cannot be disengaged
several times
234
![Page 236: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/236.jpg)
The Full Picture 227
[Figure: labels "door is closed", "clutch is engaged", "door is open" and "clutch is disengaged"]
235
![Page 237: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/237.jpg)
Strong Synchronization of two Strong Reactions 228
[Figure: labels "counter ca", "counter cr", "counter cb" and "counter cs"]
What we want:
ca = cb ∨ ca = cb + 1
cr = cs ∨ cr = cs + 1
236
![Page 238: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/238.jpg)
How about counters ca and cb? 229
[Figure: regions labelled ca=cb and ca=cb+1]
237
![Page 239: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/239.jpg)
In Search of a Solution 230
[Figure: regions labelled ca=cb and ca=cb+1, with the labels "a=1", "b=0" and "a=1 and b=0"]
238
![Page 240: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/240.jpg)
In Search of a Solution 231
[Figure: regions labelled ca=cb and ca=cb+1, with the labels "a=1", "b=0" and "a=1 and b=0"]
a = 1 ∧ b = 0 ⇒ ca = cb + 1 ?
239
![Page 241: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/241.jpg)
This Solution Does not Work 232
[Figure: regions labelled ca=cb and ca=cb+1, with "a=1 and b=0" marked in two places]
240
![Page 242: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/242.jpg)
The Solution: an Additional Variable m 233
[Figure: regions labelled ca=cb and ca=cb+1, with the labels m = 0, m = 1, m = 0]
m = 1 ⇒ ca = cb + 1
m = 0 ⇒ ca = cb
241
![Page 243: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/243.jpg)
The Events 234
[Figure: regions labelled m = 0, m = 1, m = 0, with the events a_on, b_on and a_off]
242
![Page 244: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/244.jpg)
The Modified Events 235
a_on
  when
    a = 0
    r = 0
  then
    a := 1
    ca := ca + 1
    m := 1
  end
b_on
  when
    r = 1
    a = 1
    b = 0
    s = 0
    m = 1
  then
    b := 1
    cb := cb + 1
    m := 0
  end
243
![Page 245: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/245.jpg)
How about counters cr and cs 236
[Figure: regions labelled m = 0, m = 1, m = 0 and cr=cs, cr=cs+1, cr=cs]
244
![Page 246: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/246.jpg)
In Search of a Solution 237
[Figure: regions labelled m = 0, m = 1, m = 0 and cr=cs, cr=cs+1, cr=cs, with the labels "r=1", "s=0" and "r=1 and s=0"]
245
![Page 247: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/247.jpg)
In Search of a Solution 238
[Figure: regions labelled m = 0, m = 1, m = 0 and cr=cs, cr=cs+1, cr=cs, with the labels "r=1", "s=0" and "r=1 and s=0"]
r = 1 ∧ s = 0 ⇒ cr = cs + 1 ?
246
![Page 248: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/248.jpg)
This Solution Does not Work 239
[Figure: regions labelled m = 0, m = 1, m = 0 and cr=cs, cr=cs+1, cr=cs, with "r=1 and s=0" marked in two places]
247
![Page 249: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/249.jpg)
The Solution 240
[Figure: regions labelled cr=cs, cr=cs+1, cr=cs, with "r=1 and s=0" marked in two places and the labels m = 0, m = 1, b=1 and b=0]
248
![Page 250: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/250.jpg)
The Solution 241
[Figure: regions labelled cr=cs, cr=cs+1, cr=cs, with "r=1 and s=0" marked in two places and the labels m = 0, m = 1, b=1 and b=0]
r = 1 ∧ s = 0 ∧ (m = 1 ∨ b = 1) ⇒ cr = cs + 1
r = 0 ∨ s = 1 ∨ (m = 0 ∧ b = 0) ⇒ cr = cs
249
![Page 251: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/251.jpg)
Summary of Refinement: the state 242
dbl2 1: m ∈ {0, 1}
dbl2 2: m = 1 ⇒ ca = cb + 1
dbl2 3: m = 0 ⇒ ca = cb
dbl2 4: r = 1 ∧ s = 0 ∧ (m = 1 ∨ b = 1) ⇒ cr = cs + 1
dbl2 5: r = 0 ∨ s = 1 ∨ (m = 0 ∧ b = 0) ⇒ cr = cs
250
![Page 252: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/252.jpg)
Summary of Refinement: the state 243
dbl2 1: m ∈ {0, 1}
dbl2 2: m = 1 ⇒ ca = cb + 1
dbl2 3: m = 0 ⇒ ca = cb
dbl2 4: r = 1 ∧ s = 0 ∧ (m = 1 ∨ b = 1) ⇒ cr = cs + 1
dbl2 5: r = 0 ∨ s = 1 ∨ (m = 0 ∧ b = 0) ⇒ cr = cs
- The following theorems are easy to prove
thm2 1: ca = cb ∨ ca = cb + 1
thm2 2: cr = cs ∨ cr = cs + 1
251
![Page 253: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/253.jpg)
More Invariant 244
dbl2 1: m ∈ {0, 1}
dbl2 2: m = 1 ⇒ ca = cb + 1
dbl2 3: m = 0 ⇒ ca = cb
dbl2 4: r = 1 ∧ s = 0 ∧ (m = 1 ∨ b = 1) ⇒ cr = cs + 1
dbl2 5: r = 0 ∨ s = 1 ∨ (m = 0 ∧ b = 0) ⇒ cr = cs
dbl2 6: a = 0 ⇒ m = 0
- The last new invariant was discovered while doing the proof
- It requires adding the guard m = 0 in event a_off
- The proofs are now (almost) completely automatic
252
![Page 254: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/254.jpg)
The Final Modified Events 245
a_on
  when
    a = 0
    r = 0
  then
    a := 1
    ca := ca + 1
    m := 1
  end
b_on
  when
    r = 1
    a = 1
    b = 0
    s = 0
    m = 1
  then
    b := 1
    cb := cb + 1
    m := 0
  end
a_off
  when
    a = 1
    r = 1
    b = 0
    s = 0
    m = 0
  then
    a := 0
  end
253
![Page 255: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/255.jpg)
Instantiation 246
[Figure: labels "door closed" and "clutch engaged", with the events treat_close_door (a_on), treat_start_clutch (b_on) and treat_open_door (a_off)]
254
![Page 256: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/256.jpg)
Pattern Instantiation for the 6th Refinement 247
- We instantiate the pattern as follows:
a ⇝ door_actuator
r ⇝ door_sensor
0 ⇝ open
1 ⇝ closed
b ⇝ clutch_actuator
s ⇝ clutch_sensor
0 ⇝ disengaged
1 ⇝ engaged
a_on ⇝ treat_close_door
a_off ⇝ treat_open_door
b_on ⇝ treat_start_clutch
255
![Page 257: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/257.jpg)
6th Refinement: Adapting the events of the pattern (2) 248
a_on
  when
    a = 0
    r = 0
  then
    a := 1
    m := 1
  end
treat_close_door
  when
    door_actuator = open
    door_sensor = open
    motor_actuator = working
    motor_sensor = working
  then
    door_actuator := closed
    m := 1
  end
256
![Page 258: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/258.jpg)
6th Refinement: Adapting the events of the pattern (2) 249
b_on
  when
    b = 0
    s = 0
    r = 1
    a = 1
    m = 1
  then
    b := 1
    m := 0
  end
treat_start_clutch
  when
    motor_actuator = working
    motor_sensor = working
    clutch_actuator = disengaged
    clutch_sensor = disengaged
    door_sensor = closed
    door_actuator = closed
    m = 1
  then
    clutch_actuator := engaged
    m := 0
  end
257
![Page 259: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/259.jpg)
6th Refinement: Adapting the events of the pattern (3) 250
a_off
  when
    a = 1
    r = 1
    s = 0
    b = 0
    m = 0
  then
    a := 0
  end
treat_open_door
  when
    door_actuator = closed
    door_sensor = closed
    clutch_sensor = disengaged
    clutch_actuator = disengaged
    m = 0
  then
    door_actuator := open
  end
258
![Page 260: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/260.jpg)
The Complete Synchronization of Door and Clutch 251
[Figure: the events push_start_clutch_button (B3), treat_close_door, door_close, treat_start_clutch, clutch_start, push_stop_clutch_button (B4), treat_stop_clutch, clutch_stop, treat_open_door and door_open]
- treat_close_door is the result of depressing button B3
- treat_stop_clutch is the result of depressing button B4
- treat_start_clutch and treat_open_door are automatic
259
![Page 261: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/261.jpg)
Sixth Refinement: Summary of the Events (1) 252
- Environment (no new events)
- motor start
- motor stop
- clutch start
- clutch stop
- door close
- door open
- push start motor button
- release start motor button
- push stop motor button
- release stop motor button
260
![Page 262: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/262.jpg)
Sixth Refinement: Summary of the Events (2) 253
- Controller (no new events)
- treat push start motor button
- treat push start motor button false
- treat push stop motor button
- treat push stop motor button false
- treat release start motor button
- treat release stop motor button
- treat start clutch
- treat stop clutch
- treat close door
- treat open door
261
![Page 263: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/263.jpg)
7th Reft.: Connecting the Controller to the Clutch Buttons 254
[Figure: block diagram of the CONTROLLER (start_motor_impulse, stop_motor_impulse, start_clutch_impulse, stop_clutch_impulse, m) with the Motor and Clutch Start and Stop buttons, the MOTOR (motor_actuator, motor_sensor), the CLUTCH (clutch_actuator, clutch_sensor) and the DOOR (door_actuator, door_sensor)]
262
![Page 264: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/264.jpg)
Reminder: Synchronizing Door and Clutch 255
- There are no door buttons
- The door must be closed before engaging the clutch
- The door must be opened after disengaging the clutch
- It is sufficient to connect:
- button B3 to the door (closing the door)
- button B4 to the clutch (disengaging the clutch)
263
![Page 265: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/265.jpg)
Seventh Refinement: Summary of the Events (Environment) 256
- motor start
- motor stop
- clutch start
- clutch stop
- door close
- door open
- push start motor button
- release start motor button
- push stop motor button
- release stop motor button
- push start clutch button
- release start clutch button
- push stop clutch button
- release stop clutch button
264
![Page 266: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/266.jpg)
Seventh Refinement: Summary of the Events (Controller) 257
- treat push start motor button
- treat push start motor button false
- treat push stop motor button
- treat push stop motor button false
- treat release start motor button
- treat release stop motor button
- treat start clutch
- treat stop clutch
- treat close door
- treat open door
- treat close door false
- treat stop clutch false
- treat release start clutch button
- treat release stop clutch button
265
![Page 267: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/267.jpg)
Decomposing the Final Model: Environment 258
- The environment events
- The environment variables modified by environment events
- The sensor variables modified by environment events
- The actuator variables read by environment events
- The controller variables not seen by environment events
- No environment variables in this model
266
![Page 268: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/268.jpg)
Decomposing the Final Model: Controller 259
- The controller events
- The controller variables modified by controller events
- The sensor variables read by controller events
- The actuator variables modified by controller events
- The environment variables not seen by controller events
- No environment variables in this model
267
![Page 269: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/269.jpg)
Summary: Variables of the Last Refinement (1) 260
- 7 sensor variables:
- motor sensor
- clutch sensor
- door sensor
- start motor button
- stop motor button
- start clutch button
- stop clutch button
268
![Page 270: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/270.jpg)
Summary: Variables of the Last Refinement (2) 261
- 3 actuator variables:
- motor actuator
- clutch actuator
- door actuator
- 5 controller variables (without the counter variables):
- start motor impulse
- stop motor impulse
- start clutch impulse
- stop clutch impulse
- m
269
![Page 271: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/271.jpg)
Summary: Events of the Last Refinement 262
- 14 environment events,
- 14 controller events,
- 130 lines for environment events,
- 180 lines for controller events.
270
![Page 272: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/272.jpg)
Summary: Usage of the Design Patterns 263
- 4 weak reactions: 4 buttons (B1, B2, B3, B4)
- 3 strong reactions: 3 devices (motor, clutch, door)
- 3 strong-weak reactions: motor-clutch, clutch-door, motor-door
- 1 strong-strong reaction: clutch-door
271
![Page 273: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/273.jpg)
Summary: Number of Invariants 264
- Weak reaction: 6
- Strong reaction: 3
- Strong-weak reaction: 16
- Strong-strong reaction: 6
- Total: 31
- Press (typing): 15
- Total: 15
272
![Page 274: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/274.jpg)
Summary: Number of Proof Obligations 265
- Weak reaction: 18
- Strong reaction: 12
- Strong-weak reaction: 60
- Strong-strong reaction: 29
- Total: 119
- Press: 0
- PO saving: 4x18 + 3x12 + 3x60 + 29 = 317
273
![Page 275: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/275.jpg)
Summary: Proofs 266
- Design patterns: 119 (all automatic)
- Press: 0
274
![Page 276: Event-B Course 3. A Mechanical Press Controller](https://reader030.vdocuments.mx/reader030/viewer/2022012608/619be36022182725a37c07bc/html5/thumbnails/276.jpg)
Conclusion 267
- This design pattern approach is very fruitful
- It results in a very systematic formal development
- Many other patterns have to be developed
- More automation has to be provided (plug-in)
275