%----------------------------------------------------------------------------
Requirements Specification ??? 1.1 :
%----------------------------------------------------------------------------

Organizational Aspects:
  ProjectName : Light_32_4
  Authors     : Peper, Kronenburg
  Status      : after 1st review

Declarations:

Formalized Requirements:
% -----------------------------------------------------------------------------

U1 :
  Predicates  : roomOccupied : the room is occupied by a person
                safeLight    : light is sufficient to move safely
                lightScene   : a light scene is chosen
  Formal      : \always ( roomOccupied \and \not lightScene \imp safeLight )
  NL          : Whenever the room is occupied and no light scene is chosen,
                the light is sufficient to move safely.
  References  : PD-Sec3.1.1/U1
  PatternInst :
  Comment     : Is it desired that a light scene "Dark" is applicable to an
                occupied room, thus suppressing the safe light condition?
                It is assumed that the "dark" light scene is allowed.
                Time delay for the implication?

U2 :
  Predicates  : roomOccupied : the room is occupied by a person
                lightScene   : a light scene is chosen
  Formal      : \always ( (roomOccupied \and lightScene) \imp
                          (lightScene \waitsfor \not roomOccupied) )
  NL          : Whenever the room is occupied by a person and a light scene
                is chosen, the light scene remains chosen until the room is
                not occupied.
  References  : PD-Sec3.1.1/U2
  PatternInst : ConditionalContinuity (roomOccupied, lightScene)
  Comment     : Does this even exclude any change of the light scene during
                the room occupation?
                What is the meaning of "lightScene"? ANY light scene is
                chosen or a CERTAIN light scene is chosen? "ANY" is supposed.

U3:
  Predicates  : roomOccupied          : the room is occupied by a person
                chosenLightScene = l  : the light scene "l" is chosen by the
                                        user
                appliedLightScene = l : the light scene "l" is applied by the
                                        system
  Constants   : T1 : the time delay during which the reoccupation of a room
                     leads to reestablishing the previous light scene
  Formal      : \always ( ( [roomOccupied] \and
                            \sometimesInThePast_{(0, T1]} roomOccupied \and
                            chosenLightScene=l) \imp appliedLightScene=l)
  NL          : Whenever the room becomes occupied now and was occupied
                sometimes within the last T1 minutes and the light scene l
                was last chosen, the light scene l is applied.
  References  : PD-Sec.3.1.1/U3
  Comment     : Or is the last APPLIED light scene to be reestablished?
                What about the "normal case": if the room is occupied and
                light scene l is chosen, light scene l is indeed applied?

U4:
  Predicates  : roomOccupied                   : the room is occupied by a
                                                 person
                appliedLightScene = "standard" : the standard light scene is
                                                 applied
  Constants   : T1 : the time delay during which the reoccupation of a room
                     leads to reestablishing the previous light scene
  Formal      : \always ( [roomOccupied] \and
                          \alwaysInThePast_{(0,T1]} \not roomOccupied)
                \imp appliedLightScene="standard"
  NL          : Whenever the room becomes occupied now and was not occupied
                during the last T1 minutes, the light scene 'standard' is
                applied.
  References  : PD-Sec.3.1.1/U4

U5i:
  Predicates  : switchPushed : the switch is pushed down
                lightOn      : The corresponding light is completely on
                lightOff     : The corresponding light is completely off
  Constants   : TU5 : The maximal time between pushing the switch and
                      switching off the light.
  Formal      : \always ( [switchPushed] \and lightOn \imp
                          \eventually_{\leq TU5i} lightOff )
  NL          : Whenever the switch becomes pushed and the light is
                completely on, the light is completely off within TU5 time
                units.
  References  : PD-Sec.3.1.1/U5(i)

U5ii:
  Predicates  : switchPushed : the switch is pushed down
                lightOn      : The corresponding light is completely on
                lightOff     : The corresponding light is completely off
  Constants   : TU5 : The maximal time between pushing the switch and
                      switching off the light.
  Formal      : \always ( [switchPushed] \and \not lightOn \imp
                          \eventually_{\leq TU5} lightOn )
  NL          : Whenever the switch becomes pushed and the light is not
                completely on, the light is completely on within TU5 time
                units.
  References  : PD-Sec.3.1.1/U5(ii)

U6:
  Predicates  : appliedLightScene = l : the light scene "l" is applied
                chosenLightScene = l  : the light scene "l" was last selected
                                        at the control panel
  Constants   : T_U6 : time delay between selection and application of a
                       certain light scene
  Formal      : \always ( \forall l: chosenLightScene = l \delEquiv_{T_U6}
                          appliedLightScene = l )
  NL          : Whenever the light scene "l" was last selected at the control
                panel, the light scene "l" is applied within T_U6 time units.
  References  : PD-Sec.3.1.1/U6

U7:
  Predicates  : appliedLightLevel = l : the light level "l" is applied
                chosenLightLevel = l  : the ambient light level "l" was last
                                        selected at the control panel
  Constants   : T_U7 : time delay between selection and application of a
                       certain light scene
  Formal      : \always ( chosenLightLevel = l \delEquiv_{\leq T_U7}
                          appliedLightLevel = l )
  NL          : Whenever the light level "l" was last selected at the control
                panel, the light level "l" is applied within T_U7 time units.
  References  : PD-Sec.3.1.1/U7

U8:
  NonFormal   : For each room a default light scene can be set (not by using
                the control panel).
  References  : PD-Sec3.1.1/U8

U9:
  NonFormal   : For each room a default ambient light level can be set (not
                by using the control panel).
  References  : PD-Sec3.1.1/U9

U10:
  NonFormal   : The value T1 can be set for each room separately (not by
                using the control panel).
  References  : PD-Sec3.1.1/U10

U11:
  Predicates  : outdoorLightSensorFault : the outdoor light sensor does not
                                          work correctly
                userInformed            : the user is informed
  Formal      : \always ( outdoorLightSensorFault \delEquiv_{T_{U11}}
                          userInformed )
  NL          : Whenever the outdoor sensor does not work correctly for at
                least time T_{U11}, the user is informed within time T_{U11}
                and remains informed as long as the precondition is true.
                And conversely, whenever the outdoor light sensor works
                correctly for at least time T_{U11}, the user is no longer
                informed within time T_{U11} and is not informed as long as
                this precondition is true.
  References  : PD-Sec3.1.1/U11
  PatternInst : DelayedEquivalence (outdoorLightSensorFault, userInformed)

U12:
  Predicates  : appliedLightScene = l : the light scene "l" is applied by the
                                        control system
                chosenLightScene = l  : the light scene "l" is chosen by the
                                        user
  Constants   : T_U12 : the time delay between choosing and applying a
                        certain light scene
  Formal      : \always ( \forall l chosenLightScene=l \delImp_{T}
                          appliedLightScene=l )
  NL          : Whenever the chosen light scene is l for at least time
                T_{U12}, the applied light scene is l within time T_{U12} and
                remains l as long as the precondition is true.
  References  : PD-Sec3.1.1/U12

U13:
  NonFormal   : The control panel should be installed moveably like a
                telephone in the offices.
  References  : PD-Sec3.1.1/U13

U14_i
  Predicates  : cpTaskLight : the task light switch in the control panel is
                              "on"
                taskLight   : the task light is on
  Constants   : T_U14 : the time delay between setting and applying a certain
                        light level
  Formal      : \always ( cpTaskLight \delEquiv_{T_{U14}} taskLight )
  NL          : Whenever the task light switch in the control panel is on
                (off), the task light will be on (off) within T_U14 time
                units and stays on (off) as long as the precondition is true.
  References  : PD-Sec3.1.1/U14(i)
  PatternInst : DelayedEquivalence (cpTaskLight, taskLight, T_U14)
  Comment     : This could lead to potential conflicts with other
                requirements that also try to control taskLight. Should be
                replaced by a formulation that allows other source predicates
                to have influence on the target predicate. Last access or
                higher priority wins? -> New pattern definition!

U14_ii
  Predicates  : cpCeilingLight = l : the ceiling light switch in the control
                                     panel is "l"
                ceilingLight = l   : the ceiling light is "l"
                                     (on/off/ambient)
  Constants   : T_U14 : the time delay between setting and applying a certain
                        light level
  Formal      : \always ( \forall l: cpCeilingLight=l \delEquiv_{T_{U14}}
                          ceilingLight=l )
  NL          : Whenever the ceiling light switch in the control panel is on
                (off), the ceiling light will be on (off) within T_U14 time
                units and stays on (off) as long as the precondition is true.
  References  : PD-Sec3.1.1/U14(ii)
  PatternInst : DelayedEquivalence (cpTaskLight, taskLight, T_U14)
  Comment     : What does ceilingLight="ambient" mean ?

U14_iii
  Predicates  : cpLightLevel =l : the ambient light level set by the control
                                  panel is "l"
                lightLevel =l   : the ceiling light level "l"
  Constants   : T_U14 : the time delay between setting and applying a certain
                        light level
  Formal      : \always ( cpLightLevel \delEquiv_{T_{U14}} lightLevel )
  NL          : Whenever the light level in the control panel is set to "l"
                the light level will be "l" within T_U14 time units and stays
                "l" as long as the precondition is true.
  References  : PD-Sec3.1.1/U14(ii)
  PatternInst : DelayedEquivalence (cpLightLevel, lightLevel, T_U14)

U15:
  NonFormal   : In all other rooms the control panel should be installed near
                a door to the hallway.
  References  : PD-Sec3.1.1/U15

U16_i
  Predicates  : cpCeilingLight = l : the ceiling light switch in the control
                                     panel is "l"
                ceilingLight = l   : the ceiling light is "l"
                                     (on/off/ambient)
  Constants   : T_U16 : the time delay between setting and applying a certain
                        light level
  Formal      : \always ( \forall l: cpCeilingLight=l \delEquiv_{T_{U16}}
                          ceilingLight=l )
  NL          : Whenever the ceiling light switch in the control panel is on
                (off), the ceiling light will be on (off) within T_U16 time
                units and stays on (off) as long as the precondition is true.
  References  : PD-Sec3.1.1/U16(i)
  PatternInst : DelayedEquivalence (cpTaskLight, taskLight, T_U16)
  Comment     : What does ceilingLight="ambient" mean ?

U16_ii
  Predicates  : cpLightLevel =l : the ambient light level set by the control
                                  panel is "l"
                lightLevel =l   : the ceiling light level "l"
  Constants   : T_U16 : the time delay between setting and applying a certain
                        light level
  Formal      : \always ( cpLightLevel \delEquiv_{T_{U16}} lightLevel )
  NL          : Whenever the light level in the control panel is set to "l"
                the light level will be "l" within T_U16 time units and stays
                "l" as long as the precondition is true.
  References  : PD-Sec3.1.1/U16(ii)
  PatternInst : DelayedEquivalence (cpLightLevel, lightLevel, T_U16)

U17:
  Predicates  : hallwayOccupied : the hallway is occupied by a person
                safeLight       : the hallway light is sufficient to move
                                  safely
  Constants   : T_U17 : the time delay between a hallway occupation and the
                        safe light status
  Formal      : \always ( hallwayOccupied \delImp_{T_U17} safeLight )
  NL          : Whenever the hallway is occupied for at least time T_{U17},
                the light is sufficient to move safely within time T_{U12}
                and remains sufficient to move safely as long as the
                precondition is true.
  References  : PD-Sec3.1.1/U17
  Comment     : Analogous to U1 -> pattern definition or "derivation" from a
                common requirement type?

U18:
  Predicates  : nearNextHallway(i,j) : a person is in hallway i near the door
                                       to hallway j
                lightOn(j)           : the light in hallway j is on
  Formal      : \always ( nearNextHallway (i,j) \delImp_{T_{U18}} lightOn(j) )
  NL          : Whenever a person is continuously in hallway i near the door
                to hallway j for at least T_U18 time units, then the light in
                hallway j will be on within this time span, and remains on at
                least as long as the person is near the next hallway.
  References  : PD-Sec3.1.1/U18
  PatternInst : DelayedImplication (nearNextHallway(i,j), lightOn(j))
  Comment     : "before" is here interpreted geographically and not
                temporally. The time T_U18 should be set to a value
                reasonable for typical pedestrian speeds.

U19i:
  Predicates  : switchPushed : the wall switch is pushed down
                lightOn      : The corresponding light is on
                lightOff     : The corresponding light is off
  Constants   : TU19 : The maximal time between pushing the switch and
                       switching off the light.
  Formal      : \always ( [switchPushed] \and lightOn \imp
                          \eventually_{\leq TU19} lightOff )
  NL          : Whenever the switch becomes pushed and the light is
                completely on, the light is completely off within TU19 time
                units.
  References  : PD-Sec.3.1.1/U19(i)

U19ii:
  Predicates  : switchPushed : the wall switch is pushed down
                lightOn      : The corresponding light is on
                lightOff     : The corresponding light is off
  Constants   : TU19 : The maximal time between pushing the switch and
                       switching off the light.
  Formal      : \always ( [switchPushed] \and \not lightOn \imp
                          \eventually_{\leq TU19} lightOn )
  NL          : Whenever the switch becomes pushed and the light is not
                completely on, the light is completely on within TU19 time
                units.
  References  : PD-Sec.3.1.1/U19(ii)

% -----------------------------------------------------------------------------

FM1:
  Predicates  : lightOff : the light is off
  Formal      : \always ( lightOff )
  NL          : the light is always off
  References  : PD-Sec3.1.2/FM1
  Comment     : Waiting for conflicts ...
                This requirement is expected to have lowest priority in case
                of potential conflicts.

FM2:
  Predicates  : hallwayOccupied : the hallway is occupied by a person
                lightOff        : the light is off
  Formal      : \always ( \not hallwayOccupied \delImp_{T2 min} lightOff )
  NL          : Whenever the hallway is continuously not occupied for at
                least T2 minutes, then the light is off within this time span
                and remains off at least as long as the hallway is not
                occupied.
  References  : PD-Sec3.1.2/FM2
  PatternInst : DelayedImplication (hallwayOccupied, lightOff, T2)

FM3:
  Predicates  : roomOccupied : the room is occupied by a person
                lightOff     : all lights are off
  Formal      : \always ( \not roomOccupied \delImp_{T2 min} lightOff )
  NL          : Whenever the room is continuously not occupied for at least
                T2 minutes, then the light is off within this time span and
                remains off at least as long as the room is not occupied.
  References  : PD-Sec3.1.2/FM2
  PatternInst : DelayedImplication (roomOccupied, lightOff, T2)

FM4:
  NonFormal   : The value T2 can be set for each hallway section separately.
  References  : PD-Sec3.1.2/FM4

FM5:
  NonFormal   : The value T3 can be set for each room separately.
  References  : PD-Sec3.1.2/FM5

FM6:
  Predicates  : fmLightOff : the facility manager has turned the light off
                occupied   : the room or hallway is occupied
                lightOff   : the light is off
  Formal      : \always ( fmLightOff \and \not occupied
                          \delImp_{\leq T_{FM6}} lightOff )
  NL          : Whenever the facility manager has turned the light off and
                the hallway/room is not occupied for at least T_FM6 time
                units, then eventually within this time span, the light is
                off and remains so at least as long as the facility manager
                has turned the light off and the hallway/room is not
                occupied.
  References  : PD-Sec3.1.2/FM6
  PatternInst : DelayedImplication (fmLightOff \and \not occupied, lightOff,
                T_FM6)

FM7:
  Predicates  : malfunction : a malfunction occurs
                fmInformed  : the facility manager is informed
  Formal      : \always ( malfunction \delEquiv_{T_{U11}} fmInformed )
  NL          : Whenever a malfunction occurs for at least time T_{U11}, the
                f.m. is informed within time T_{U11} and remains informed as
                long as the precondition is true. And conversely, whenever no
                malfunction occurs for at least time T_{U11}, the f.m. is no
                longer informed within time T_{U11} and is not informed as
                long as this precondition is true.
  References  : PD-Sec3.1.2/FM7
  PatternInst : DelayedEquivalence (malfunction, fmInformed, T_U11)
  Comment     : What is a "malfunction"? (copied from U11)

FM8:
  NonFormal   : If a malfunction occurs, the control system supports the
                facility manager by finding the reason.
  Comment     : I suppose that "finding the reason" means locating the fault
                in the future control system architecture. But architecture
                is something unknown to this specification level.
  References  : PD-Sec3.1.2/FM8

FM9:
  NonFormal   : The system provides reports on current and past energy
                consumption.
  References  : PD-Sec3.1.2/FM9

FM10:
  NonFormal   : All malfunctions and unusual conditions are stored and
                reported on request
  References  : PD-Sec3.1.2/FM10

FM11:
  NonFormal   : Malfunctions that the system cannot detect can be entered
                manually.
  References  : PD-Sec3.1.2/FM11

% -----------------------------------------------------------------------------

NF1a:
  Predicates  : sensorFault       : the outdoor light sensor does not work
                                    correctly
                outdoorLight      : the outdoor light value returned by the
                                    sensor
                outdoorLightValue : the outdoor light value used by the
                                    system
  Formal      : \always ( (\not sensorFault \delImp_{T_NF1a}
                           (\forall v : outdoorLightValue=v \delImp_{T_2}
                                        outdoorLight=v)) )
  NL          : Whenever the outdoor light sensor does not work correctly for
                at least T_NF2 time units, then eventually within this time
                span, the standard light scene is "all ceiling lights on" and
                remains so at least as long as the outdoor light sensor does
                not work correctly.
  NL          : Whenever the outdoor light sensor does work correctly, the
                outdoor light value used by the system is equal to the
                outdoor light value returned by the sensor.
  References  : PD-Sec3.1.3/NF1
  Comment     : Times ? Additional requirement covering the "normal case".
                New operator is currently developed.

NF1b:
  Predicates  : sensorFault       : the outdoor light sensor does not work
                                    correctly
                lastCorrectLight  : the last correct outdoor light value
                                    returned by the sensor
                outdoorLightValue : the outdoor light value used by the
                                    system
  Formal      : \always ( (sensorFault \imp
                           outdoorLightValue=lastCorrectLight ) )
  NL          : Whenever the outdoor light sensor does not work correctly,
                the outdoor light value used by the system is equal to the
                last correct light value returned by the sensor.
  References  : PD-Sec3.1.3/NF1

NF2:
  Predicates  : sensorFault : the outdoor light sensor does not work
                              correctly
                standardLightScene = "all ceiling lights on" : the standard
                              light scene is set to ...
  Formal      : \always ( sensorFault \delImp_{T_NF2}
                          standardLightScene = "all ceiling lights on" )
  NL          : Whenever the outdoor light sensor does not work correctly for
                at least T_NF2 time units, then eventually within this time
                span, the standard light scene is "all ceiling lights on" and
                remains so at least as long as the outdoor light sensor does
                not work correctly.
  References  : PD-Sec3.1.3/NF2
  PatternInst : DelayedImplication (sensorFault,
                standardLightScene = "all ceiling lights on", T_NF2)
  Comment     : Is the standard light scene in this case to be applied? "No"
                is supposed.

NF3:
  Predicates  : sensorFault         : the outdoor light sensor does not work
                                      correctly
                hallwayOccupied (i) : hallway i is occupied
                hallwayLightsOn (i) : the light in hallway i is on
  Formal      : \always ( sensorFault \and hallwayOccupied(i)
                          \delImp_{T_NF3} hallwayLightsOn (i) )
  NL          : Whenever the outdoor light sensor does not work correctly and
                hallway i is occupied for at least T_NF3 time units, then
                eventually within this time span, the light in hallway i is
                on and remains on at least as long as the outdoor light
                sensor does not work correctly and hallway i is occupied.
  References  : PD-Sec3.1.3/NF3
  PatternInst : DelayedImplication (sensorFault \and hallwayOccupied (i),
                hallwayLightsOn (i), T_NF3)

NF4a:
  Predicates  : sensorFault : the motion detector does not work correctly
                motion      : the motion detector value returned by the
                              sensor
                motionValue : the motion detector value used by the system
  Formal      : \always ( (\not sensorFault \imp (motionValue=motion)) )
  NL          : Whenever the motion detector does work correctly, the motion
                detector value used by the system is equal to the motion
                detector value returned by the sensor.
  References  : PD-Sec3.1.3/NF4
  Comment     : Times ? Copied and adapted from NF1 -> Pattern ?
                -> DelayedCopy as in NF1a

NF4b:
  Predicates  : sensorFault : the motion detector does not work correctly
                motionValue : the motion detector value used by the system
  Formal      : \always ( (sensorFault \imp motionValue='occupied' ) )
  NL          : Whenever the motion detector does not work correctly, the
                motion detector value used by the system is 'occupied'.
  References  : PD-Sec3.1.3/NF4

NF5:
  Predicates  : uncontrollableLight : the lights are neither controllable
                                      automatically nor manually
                lightOn             : the light is on
  Constants   : T_NF5 : the time delay between the loss of light control and
                        switching on the lights.
  Formal      : \always ( uncontrollableLight \delImp lightOn )
  NL          : Whenever the lights are neither controllable automatically
                for at least T_NF5 time units, then eventually within this
                time span, the light is on and remains so at least as long as
                the lights are neither controllable automatically.
  References  : PD-Sec3.1.3/NF5

NF6:
  NonFormal   : All hardware connections have to be made according to DIN
                standards.
  References  : PD-Sec3.1.3/NF6

NF7:
  NonFormal   : No hazardous conditions for persons, inventory or building
                are allowed.
  References  : PD-Sec3.1.3/NF7
  Comment     : Formalize?

NF8:
  NonFormal   : The control panel should be easy and intuitive to use.
  References  : PD-Sec3.1.3/NF8

NF9:
  NonFormal   : The system warns about unreasonable inputs.
  References  : PD-Sec3.1.3/NF9
  Comment     : Formalize?