\documentclass[letterpaper,11pt]{article}

% Set up geometry package to make a little greater use of the formatted
% page, by reducing margins.
\usepackage[hmargin=0.5in,vmargin=1.0in,headheight=18pt]
           {geometry}

% Use the Z/EVES style file for Z notation
\usepackage{z-eves}

\begin{document}
\title{Elevator Control System (Version 0.1)}
\author{SE-381 Class \and Mark J. Sebern}
\maketitle
\section{Introduction}
The purpose of the elevator control system is to manage movement of an elevator in
response to user requests.

\subsection{Basic elements}
The elevator system has the following basic elements and parameters.

\subsubsection{Number of elevators}
Number of elevators in the system.

\begin{axdef}
numElevators : \nat_1
\end{axdef}

\subsubsection{Floors}
Floors are the building levels serviced by the elevator system.
Internally, floors are numbered starting at one, with floor ``1''
being the lowest floor in the elevator system.
All elevators in the system are assumed to service the same range of
floors.

$Floors$ is modeled as a finite set, since we may need to
apply the cardinality operator, which does not work with infinite sets.

\begin{axdef}
nFloors : \nat \\
Floors : \finset \num
\where
\Label{grule TopFloorGE2}
nFloors \geq 2 \\
\Label{rule FloorsDef}
Floors = 1 \upto nFloors
\end{axdef}

\begin{quote}
Proof note:

The $TopFloorGE2$ label marks the $nFloors \geq 2$ predicate
as a theorem that the Z/EVES prover can assume to be true.

The $FloorsDef$ label marks the $Floors = 1 \upto nFloors$
equality predicate so it can be used as a substitution rule.
In other words, when the prover sees $Floors$, this rule means
that it can rewrite that part of the expression to be
$1 \upto nFloors$ instead.

These proof rules are needed for use in later proofs.
\end{quote}

In some circumstances, floors are labeled with numbers or other
designators (e.g., ``B'' or ``G'') that do not correspond to the internal
floor numbers.
(Have you noticed that many hotels and other buildings don't have a
floor that is labeled ``13'', for example?)

To model these externally visible floor labels, we introduce a new type,
which is a string (sequence) of characters.

\begin{zed}
[CHAR] 
\end{zed}

\begin{zed}
STRING == \seq CHAR 
\end{zed}

\begin{zed}
FLOOR\_LABEL\_LENGTH\_MAX == 4
\end{zed}

\begin{axdef}
FLOOR\_LABEL : \finset STRING
\where
\forall fl : FLOOR\_LABEL @ \# fl \geq 1 \land \#fl \leq FLOOR\_LABEL\_LENGTH\_MAX
\end{axdef}

\begin{quote}
Proof note:

The following proof steps demonstrate how the domain check
for the above axiomatic declaration can be proved.
\begin{zproof}
reduce;
\end{zproof}
\end{quote}

Now, we would like to associate floor labels with internal floor numbers.

\centerline{\rule[-1em]{5in}{1pt}}
\begin{quote}
\sffamily
One way to do this would be to use the Z ``abbreviation notation'' 
to define a set of all possible floor-to-label mappings,
and then define a global set of floor mappings for a specific
elevator system.

\begin{zed}
FLOOR\_LABEL\_MAPPING == Floors \cross FLOOR\_LABEL
\end{zed}

\begin{axdef}
FloorLabelMap1 : \finset FLOOR\_LABEL\_MAPPING
\end{axdef}

This would define a set ($FloorLabelMap1$) of floor-to-label pairs,
but we still have the problem of specifying that there must be
exactly one pair for each floor, with the first member of the ordered
pair equal to the floor number.
Also, we want to make sure that one floor number can't map to more
than one label, and that one label cannot be associated with more than
one floor.

Another way to define the floor-label association would be to use a
Z relation, which is a shorthand way of defining a set of ordered
pairs.

\begin{axdef}
FloorLabelMap2 : Floors \rel FLOOR\_LABEL
\end{axdef}

But, since this is only a shorthand for the abbreviation definition and
set definition above, we still have the same problem.

What we really need is a function, as shown below. In defining the function,
we have a number of alternatives:

\begin{axdef}
FloorLabelMapPartialFunction : Floors \pfun FLOOR\_LABEL \\
FloorLabelMapTotalFunction : Floors \fun FLOOR\_LABEL \\
FloorLabelMapPartialInjection : Floors \pinj FLOOR\_LABEL \\
FloorLabelMapTotalInjection : Floors \inj FLOOR\_LABEL \\
FloorLabelMapPartialSurjection : Floors \psurj FLOOR\_LABEL \\
FloorLabelMapTotalSurjection : Floors \surj FLOOR\_LABEL \\
FloorLabelMapBijection : Floors \bij FLOOR\_LABEL \\
FloorLabelMapFinitePartialFunction : Floors \ffun FLOOR\_LABEL \\
FloorLabelMapFinitePartialInjection : Floors \finj FLOOR\_LABEL 
\end{axdef}

\end{quote}
\centerline{\rule[1em]{5in}{1pt}}

We model the association between floor numbers and floor labels
with a global function.

\begin{axdef}
FloorLabels : Floors \inj FLOOR\_LABEL
\end{axdef}

\centerline{\rule[-1em]{5in}{1pt}}
\begin{quote}
\sffamily
Note that the function $FloorLabels$ is defined as a total injection.
Because $FloorLabels$ is total, its domain is equal to the
set of floors in the elevator system.
Because $FloorLabels$ is injective, its inverse is also a function.
This allows us to map unambiguously from floor numbers to floor labels
or from floor labels to floor numbers.
%Later, in proving theorems, we may wish we had defined the function
%as a finite injection (\nat \finj FLOOR\_LABEL), with an additional
%predicate to specify the function domain.

If we want to know the label for a specified floor number,
we can write an expression that applies the function.
\begin{displaymath}
floorlabel=FloorLabels~floornum
\end{displaymath}
Similarly, we can apply the function's inverse to get the floor number
for a specified label.
\begin{displaymath}
floornum=FloorLabels\inv~floorlabel
\end{displaymath}
\end{quote}
\centerline{\rule[1em]{5in}{1pt}}
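The two boxed discussions above (the ``set of pairs'' formulations $FloorLabelMap1$/$FloorLabelMap2$ versus the total injection $FloorLabels$, and the application of $FloorLabels$ and its inverse) can be animated on a concrete building. The following Python program is an added example, not part of the original specification or of Z/EVES: it turns the axiomatic constraints on $Floors$, $FLOOR\_LABEL$ and $FloorLabels$ into runnable checks, applies the function and its inverse, and shows that the weaker relation check accepts an ambiguous mapping that the injection check rejects. The building, its labels and every function name are constructed for this example.

```python
"""Executable animation of the floor-labelling part of the Z specification.

Added example, not part of the original specification: it turns the
axiomatic constraints on Floors, FLOOR_LABEL and FloorLabels into checks
that can be run on a concrete (constructed) building, and contrasts the
weak "set of pairs" formulation with the total injection the spec adopts.
"""
from typing import Set, Tuple

FLOOR_LABEL_LENGTH_MAX = 4          # as in the spec
Pair = Tuple[int, str]              # one (floor number, label) pair


def floors(n_floors: int) -> Set[int]:
    """Floors = 1 .. nFloors, guarded by the TopFloorGE2 rule (nFloors >= 2)."""
    if n_floors < 2:
        raise ValueError("nFloors must be at least 2 (TopFloorGE2)")
    return set(range(1, n_floors + 1))


def is_floor_label(label: str) -> bool:
    """FLOOR_LABEL: a string with 1 <= #fl <= FLOOR_LABEL_LENGTH_MAX."""
    return 1 <= len(label) <= FLOOR_LABEL_LENGTH_MAX


def is_floor_label_relation(pairs: Set[Pair], domain: Set[int]) -> bool:
    """The FloorLabelMap1 / FloorLabelMap2 constraint: any set of
    (floor, label) pairs.  It accepts a floor with two labels or a label
    shared by two floors, which is exactly the gap the text points out."""
    return all(f in domain and is_floor_label(lab) for f, lab in pairs)


def is_total_injection(pairs: Set[Pair], domain: Set[int]) -> bool:
    """The FloorLabels constraint, Floors >-> FLOOR_LABEL.

    Functional: no floor appears in two pairs.
    Total:      every floor appears in some pair (dom = Floors).
    Injective:  no label appears in two pairs.
    """
    if not is_floor_label_relation(pairs, domain):
        return False
    floors_used = [f for f, _ in pairs]
    labels_used = [lab for _, lab in pairs]
    if len(set(floors_used)) != len(floors_used) or set(floors_used) != domain:
        return False
    return len(set(labels_used)) == len(labels_used)


def label_of(floor_labels: Set[Pair], floor: int) -> str:
    """floorlabel = FloorLabels floornum (function application)."""
    return dict(floor_labels)[floor]


def floor_of(floor_labels: Set[Pair], label: str) -> int:
    """floornum = FloorLabels~ floorlabel; the inverse is a function only
    because FloorLabels is injective."""
    return {lab: f for f, lab in floor_labels}[label]


def hotel_labels(n_floors: int) -> Set[Pair]:
    """Constructed labelling: floor 1 is "B", floor 2 is "G", and the floors
    above are numbered from 2 upward with "13" left out, as many hotels do."""
    pairs = {(1, "B"), (2, "G")}
    next_label = 2
    for floor in range(3, n_floors + 1):
        if next_label == 13:
            next_label += 1
        pairs.add((floor, str(next_label)))
        next_label += 1
    return pairs


if __name__ == "__main__":
    building = hotel_labels(15)
    assert is_total_injection(building, floors(15))
    print("floor 14 is labelled", label_of(building, 14))           # "14"
    print("label 12 is internal floor", floor_of(building, "12"))  # 13
    # One floor with two labels: passes the relation check, fails the injection check.
    ambiguous = {(1, "B"), (1, "G"), (2, "2")}
    print(is_floor_label_relation(ambiguous, floors(2)),
          is_total_injection(ambiguous, floors(2)))                # True False
```

The point of the last two lines is the one the boxed text makes: a set of pairs (or a relation) is satisfied by a mapping in which floor 1 carries both ``B'' and ``G'', so the inverse lookup would be ambiguous; only the total-injection check rules it out.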

\subsubsection{Elevator direction}
An elevator may be stopped, or it may be moving up or down.
\begin{zed}
Direction::= DirUp | DirDown | DirHalt
\end{zed}

\begin{quote}
Proof note:

The following theorem is defined to specify the enumerated
directions, so the theorem prover can know that these are
the only possible direction values.

\begin{theorem}{frule DirectionDef}
\forall d:Direction @ d = DirUp \lor d = DirDown \lor d = DirHalt
\end{theorem}

The following proof steps demonstrate how the 
$DirectionDef$ theorem can be proved.
\begin{zproof}
apply Direction\$member to predicate d \in Direction;
reduce;
\end{zproof}

\end{quote}

\subsubsection{Valid elevator calls}

An elevator call is a summons from a specific floor, 
which indicates that a user has signaled a desire to travel
in a specified direction (up or down) from that floor.

The requested direction uses the same type as that used for
an elevator's direction of travel, but the ``halt'' direction
is excluded.

\begin{zed}
CallDirection == \{ DirUp, DirDown \}
\end{zed}

\begin{quote}
The following theorem allows the Z/EVES prover to assume the correct type of 
$CallDirection$; it is needed for later proofs.

\begin{theorem}{grule CallDirectionType}
CallDirection \in \finset Direction
\end{theorem}

All that is necessary to prove this theorem is to expand
the definition of $CallDirection$.
\begin{zproof}
invoke CallDirection;
prove;
\end{zproof}

\end{quote}

A call is represented by a pair that contains the originating floor
and the desired direction of travel. The bottom floor has no 
``down'' button and the top floor has no ``up'' button.

\begin{axdef}
ValidCalls : \finset (Floors \cross CallDirection)
\where
\Label{rule ValidCallsDef}
ValidCalls = (Floors \cross CallDirection)
  \setminus \{ (nFloors,DirUp), (1, DirDown) \}
\end{axdef}

\begin{quote}
Proof note:

The following theorem states the type of the domain of any finite subset
of $ValidCalls$, so that the Z/EVES theorem prover can assume this fact.
\begin{theorem}{grule ValidCallsDomType}
\forall c : \finset ValidCalls @ \dom c \in \finset (1 \upto nFloors)
\end{theorem}

\end{quote}

\subsubsection{Elevator status}
An elevator may be in service or out of service.
\begin{zed}
ServiceStatus::= InSvc | OutSvc
\end{zed}

\begin{quote}
Proof note:

The following theorem is defined so that Z/EVES knows
that the service status is binary; an elevator is either 
in service or out of service. This permits the theorem
prover to infer, for example, that if an elevator is not
in service it must be out of service.
The theorem might seem obvious from the type definition,
but Z/EVES doesn't automatically know this fact about
free types.

\begin{theorem}{frule ServiceStatusDef}
\forall s:ServiceStatus @ s = InSvc \lor s = OutSvc
\end{theorem}

The following proof steps demonstrate how the 
$ServiceStatusDef$ theorem can be proved.
\begin{zproof}
apply ServiceStatus\$member to predicate s \in ServiceStatus;
reduce;
\end{zproof}

\end{quote}

\subsection{Elevator calls}
A schema is used to model the set of pending elevator calls, to make it
easier to define operations.

\begin{schema}{Calls}
calls : \finset ValidCalls
%\where
%No predicates needed at this time.
\end{schema}

The following schema describes the initial state of the 
elevator calls.

\begin{schema}{InitCalls}
Calls \\
\where
calls = \emptyset
\end{schema}

The following theorem asserts that the elevator calls
can be successfully initialized.
\begin{theorem}{InitCallsOK}
\exists Calls @ InitCalls
\end{theorem}

\begin{quote}
Proof note:

The following proof steps demonstrate how the 
$InitCallsOK$ theorem can be proved.
A single step of \emph{prove by reduce} would
also work.
\begin{zproof}
reduce;
invoke Calls;
prove;
\end{zproof}
\end{quote}

\subsection{Elevator}

An elevator has a current location (floor) and direction of movement.
It also has a set of floor requests that correspond to the
floor buttons currently selected inside the elevator.

A finite set is used to model $requests$.

\begin{schema}{Elevator}
curFloor : Floors \\
status : ServiceStatus \\
curDir : Direction \\
requests : \finset Floors \\
%\where
% No predicates needed at the current stage of the model.
\end{schema}

The following schema describes the initial state of an elevator.

\begin{schema}{InitElevator}
Elevator \\
\where
curFloor = 1 \\
status = InSvc \\
curDir = DirHalt \\
requests = \emptyset
\end{schema}

The following theorem asserts that an elevator can be 
successfully initialized.
\begin{theorem}{InitElevatorOK}
\exists Elevator @ InitElevator
\end{theorem}

\begin{quote}
Proof note:

The following proof steps demonstrate how the 
$InitElevatorOK$ theorem can
be proved. A faster alternative would be to
use a single step of \emph{prove by reduce}, 
which in effect combines all the steps into one operation.
\begin{zproof}
reduce;
invoke Elevator;
apply FloorsDef to expression Floors;
prove;
\end{zproof}
\end{quote}

\section{Elevator system operations}

A number of operations are specified for the elevator system.
Some apply to a single elevator, with or without information
on elevator calls, and others apply to the elevator system
as a whole.

\subsection{Operation status}

Operations return a status code to indicate their success
or failure. The following set of status codes represents
the values defined so far.

\begin{zed}
OpStatusCode ::= StatusOK | \\
  StatusOutOfService | \\
  StatusInvalidMovement
\end{zed}

\subsection{Handling calls}

Calls from waiting passengers are associated with the elevator system
as a whole, rather than with a particular elevator.

The $HandleCalls$ schema describes the operation that adjusts the system state to
reflect new calls originated by waiting passengers.

\begin{schema}{HandleCalls}
\Delta Calls \\
newCalls? : \finset ValidCalls
\where
calls' = calls \cup newCalls?
\end{schema}

The following theorem asserts that the $HandleCalls$ operation covers all possible
cases of system state and input.

\begin{theorem}{HandleCallsIsTotal}
\forall Calls; newCalls? : \finset ValidCalls @ \pre HandleCalls
\end{theorem}

\begin{quote}
Proof note:

The theorem is proved by simple reduction.
\begin{zproof}
reduce;
\end{zproof}
\end{quote}
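The definition of $ValidCalls$ in the ``Valid elevator calls'' section and the $HandleCalls$ operation above can both be animated in one executable model. The following Python program is an added example, not part of the original specification or of Z/EVES: it computes $ValidCalls$ from the $ValidCallsDef$ rule, implements $HandleCalls$ as the set union of the schema, and checks $HandleCallsIsTotal$ exhaustively for a small building by running the operation on every pair of state and input. The class, function and variable names are constructed for this example.

```python
"""Executable animation of ValidCalls, the Calls state and HandleCalls.

Added example, not part of the original specification.  Direction mirrors
the Z free type, ValidCalls is computed from the ValidCallsDef rule, and
HandleCalls is the set-union operation of the schema.  The totality check
at the end animates HandleCallsIsTotal exhaustively for a small building.
"""
import itertools
from enum import Enum
from typing import FrozenSet, Set, Tuple


class Direction(Enum):
    UP = "DirUp"
    DOWN = "DirDown"
    HALT = "DirHalt"


CALL_DIRECTION = {Direction.UP, Direction.DOWN}   # CallDirection: DirHalt excluded
Call = Tuple[int, Direction]                       # one (floor, direction) pair


def floors(n_floors: int) -> Set[int]:
    """Floors = 1 .. nFloors (nFloors >= 2)."""
    if n_floors < 2:
        raise ValueError("nFloors must be at least 2 (TopFloorGE2)")
    return set(range(1, n_floors + 1))


def valid_calls(n_floors: int) -> Set[Call]:
    """ValidCallsDef: (Floors x CallDirection) \\ {(nFloors, DirUp), (1, DirDown)}.

    The top floor has no "up" button and the bottom floor no "down" button.
    """
    every_call = {(f, d) for f in floors(n_floors) for d in CALL_DIRECTION}
    return every_call - {(n_floors, Direction.UP), (1, Direction.DOWN)}


def is_valid_call_set(new_calls: Set[Call], n_floors: int) -> bool:
    """Type check for the input newCalls? : finset ValidCalls."""
    return set(new_calls) <= valid_calls(n_floors)


def init_calls() -> FrozenSet[Call]:
    """InitCalls: calls = {}."""
    return frozenset()


def handle_calls(calls: FrozenSet[Call], new_calls: Set[Call],
                 n_floors: int) -> FrozenSet[Call]:
    """HandleCalls: calls' = calls U newCalls?.

    In Z the input's declared type already guarantees that newCalls? is a
    subset of ValidCalls.  An implementation that receives call messages
    from button panels has to enforce that type itself, so the check is
    made explicit here and an out-of-type input is rejected before it
    reaches the state.
    """
    if not is_valid_call_set(new_calls, n_floors):
        raise ValueError("newCalls? is not a subset of ValidCalls")
    return calls | frozenset(new_calls)


def handle_calls_is_total(n_floors: int) -> bool:
    """Animate HandleCallsIsTotal for every Calls state and every input drawn
    from finset ValidCalls: the operation always yields a result, and that
    result satisfies the Calls invariant (calls' in finset ValidCalls), so by
    ValidCallsDomType its domain stays within 1 .. nFloors."""
    valid = valid_calls(n_floors)
    ordered = sorted(valid, key=lambda c: (c[0], c[1].value))
    subsets = [frozenset(s) for r in range(len(ordered) + 1)
               for s in itertools.combinations(ordered, r)]
    for state in subsets:
        for new in subsets:
            after = handle_calls(state, set(new), n_floors)
            if not (after <= valid and {f for f, _ in after} <= floors(n_floors)):
                return False
    return True


if __name__ == "__main__":
    print(sorted(valid_calls(3), key=lambda c: (c[0], c[1].value)))
    state = handle_calls(init_calls(), {(2, Direction.UP)}, 3)
    state = handle_calls(state, {(2, Direction.UP), (3, Direction.DOWN)}, 3)
    print(len(state))                # 2: the repeated call is absorbed by set union
    print(handle_calls_is_total(3))  # True
```

Because the state is a set, a call that is already pending is absorbed by the union rather than counted twice, which is the behaviour the schema's single predicate $calls' = calls \cup newCalls?$ specifies. The exhaustive loop is only feasible for a handful of floors (the number of state/input pairs grows as $4^{|ValidCalls|}$); for larger instances the Z/EVES proof by reduction is the appropriate tool, and the animation serves as a sanity check on the model.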

\subsection{Elevator movement}

In this model, elevator movement is broken down into the following
components:

\begin{itemize}

\item
Movement up or down by one floor.

\item
When at a floor, performing a ``visit'' (opening doors, exchanging passengers,
closing doors) or deciding not to do so, and accepting new floor requests from
passengers.

\item
Choosing (calculating) an updated direction of movement,
taking into account the pending requests and calls.

\end{itemize}

To be continued \dots

\end{document}

