
Frankfurt University of Applied Sciences
30th April 2015

High Integrity Systems
Prof. Dr. Ruth Schorr

Formal Specification and Verification
Summer Term 2015
Exercise Sheet 2

Question 1:
Provide a transition system modeling a machine with the following behaviour:

The machine delivers coffee, espresso or cappuccino depending on how many times
the button of the machine is pressed.

If the button is pressed only once and the system was in its initial state, the machine
may decide to deliver espresso or coffee. When the button is pressed again and
neither coffee nor espresso was delivered, it may decide to produce espresso, coffee
or cappuccino. When the button is pressed more than twice (and no output was
delivered), the machine delivers coffee, espresso or cappuccino, eventually.

A graphical representation of the machine is sufficient as solution.

The machine has to use the following set of actions:
Act = {button, coffee, espresso, cappuccino}

Question 2:
Consider the following street junction with the specification of a traffic light as outlined
on the right:

[Figure: street junction with the traffic lights A1, A2 and A3; transition system Ai with the states red, yellow, red/yellow and green]

a) Choose appropriate actions and label the transitions of the traffic light
transition system accordingly.
b) Give the transition system representation of a reasonable controller C that
switches the green signal lamps in the following order: A1, A2, A3, A1, A2, A3,...
(Hint: Choose an appropriate communication mechanism.)
c) Outline the transition system A1 || A2 || A3 || C.

Question 3:
Provide a PROMELA program simulating the following program graphs:

PG1: noncrit1 --[b1 := true, x := 2]--> wait1 --[b2 == false or x == 1]--> crit1 --[b1 := false]--> noncrit1
PG2: noncrit2 --[b2 := true, x := 1]--> wait2 --[b1 == false or x == 2]--> crit --[b2 := false]--> noncrit2

The scheduling strategy is realized using x as follows: If both processes want to enter
the critical section, the value of variable x decides which of the two processes may
enter its critical section: if x == 1, then P1 may enter its critical section. On entering
the waiting phase, process P1 performs x := 2, thus giving privilege to process P2 to
enter the critical section. The value of x thus indicates which process has its turn to
enter the critical section. Symmetrically, P2 sets x to 1 when starting to wait.
The variables b1 and b2 provide information about the current location of P1 and P2,
i.e. b1 is set (to true) when P1 starts to wait and the value remains unchanged till P1
leaves the critical section.
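The program graphs PG1 and PG2 of Question 3 can also be checked by explicit state exploration. The Python code below is an added example, not part of the exercise sheet and not a PROMELA solution: it enumerates every interleaving of the two processes and checks mutual exclusion and deadlock freedom. The initial value x = 1, the location names used as strings, and the use_x switch (a variant that drops x from both guards to show what the scheduling variable contributes) are assumptions.

```python
from collections import deque

# State = (loc1, loc2, b1, b2, x). The pair of assignments on the
# noncrit -> wait edge is one atomic action, as it labels a single edge.
INIT = ("noncrit", "noncrit", False, False, 1)  # assumption: x starts at 1

def successors(state, use_x=True):
    """Enabled edges of PG1 ||| PG2 from `state`, as (action, next_state).
    use_x=False drops the 'or x == ...' disjunct from both guards (variant)."""
    l1, l2, b1, b2, x = state
    out = []
    if l1 == "noncrit":
        out.append(("P1: b1:=true, x:=2", ("wait", l2, True, b2, 2)))
    elif l1 == "wait" and (not b2 or (use_x and x == 1)):
        out.append(("P1: enter crit", ("crit", l2, b1, b2, x)))
    elif l1 == "crit":
        out.append(("P1: b1:=false", ("noncrit", l2, False, b2, x)))
    if l2 == "noncrit":
        out.append(("P2: b2:=true, x:=1", (l1, "wait", b1, True, 1)))
    elif l2 == "wait" and (not b1 or (use_x and x == 2)):
        out.append(("P2: enter crit", (l1, "crit", b1, b2, x)))
    elif l2 == "crit":
        out.append(("P2: b2:=false", (l1, "noncrit", b1, False, x)))
    return out

def reachable(use_x=True):
    """Breadth-first exploration of every interleaving from INIT."""
    seen, queue = {INIT}, deque([INIT])
    while queue:
        for _, nxt in successors(queue.popleft(), use_x):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def violations(states):
    """States in which both processes are in their critical section."""
    return [s for s in states if s[0] == "crit" and s[1] == "crit"]

def deadlocks(states, use_x=True):
    """Reachable states with no enabled edge at all."""
    return [s for s in states if not successors(s, use_x)]

if __name__ == "__main__":
    full = reachable()
    print(len(full), "reachable states; violations:", violations(full),
          "deadlocks:", deadlocks(full))
    no_x = reachable(use_x=False)
    print("guards without x -> deadlocks:", deadlocks(no_x, use_x=False))
```

With the guards from the sheet, the exploration finds no state with both processes in the critical section and no deadlock; with x removed from the guards, both processes block each other once they are both waiting.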
