%----------------------------------------------------------------------------
Requirements Specification ??? 1.2 :
%----------------------------------------------------------------------------

Organizational Aspects:
  ProjectName : Light_32_4
  Authors     : Peper, Kronenburg
  Status      : after 2nd review

Declarations:

Formalized Requirements:
% -----------------------------------------------------------------------------

U1 :
  Predicates  : roomOccupied : the room is occupied by a person
                safeLight    : light is sufficient to move safely
                lightScene   : a light scene is chosen
  Constants   : T_U1 : The time delay between occupation of a room, when no
                       light scene is chosen, and the establishment of a safe
                       light scene
  Formal      : \always ( roomOccupied \and \not lightScene \delImp_{T_U1} safeLight )
  NL          : Whenever the room is occupied and no light scene is chosen
                for at least time T_{U1}, the light becomes sufficient to
                move safely within this time span, and remains sufficient to
                move safely at least as long as the precondition is true.
  References  : PD-Sec3.1.1/U1
  PatternInst : DelayedImplication (roomOccupied \and \not lightScene, safeLight, T_U1)
  CustomerReq : Is it desired that a light scene "Dark" is applicable to an
                occupied room, thus suppressing the safe light condition?
                It is assumed that the "dark" light scene is allowed.

U2 :
  Predicates  : roomOccupied : the room is occupied by a person
  Domains     : LS : the possible light scenes
  Functions   : chosenLightScene: LS   the chosen light scene
                appliedLightScene: LS  the applied light scene
  Formal      : \always ( \forall l: (roomOccupied \and chosenLightScene=l) \delImp_{T_U2} appliedLightScene=l)
  NL          : Whenever the room is occupied and light scene l is chosen
                for at least time T_{U1}, this light scene l is applied
                within this time span, and remains applied at least as long
                as the precondition is true.
  References  : PD-Sec3.1.1/U2
  PatternInst : ConditionalContinuity (roomOccupied, lightScene)
  CustomerReq : Does this even exclude any change of the light scene during
                the room occupation? What is the meaning of "lightScene"?
                ANY light scene is chosen or a CERTAIN light scene is chosen?
                "ANY" is supposed.

U3:
  Predicates  : roomOccupied : the room is occupied by a person
  Domains     : LS : the possible light scenes
  Functions   : chosenLightScene: LS   the light scene chosen by the user
                appliedLightScene: LS  the light scene applied by the system
  Constants   : T_U3a : the time delay during which the reoccupation of a
                        room leads to reestablishing the previous light scene
                T_U3b : the time delay between a sufficiently often
                        occupation and the application of the chosen light
                        scene
  Formal      : \always ( ( [roomOccupied] \and \sometimesInThePast_{(0, T_U3a]} roomOccupied \and chosenLightScene=l) \imp \eventually_{T_U3b} appliedLightScene=l)
  NL          : Whenever the room becomes occupied now and was occupied
                sometimes within the last T_U3a minutes and the light scene l
                was last chosen, the light scene l is applied within T_U3b
                time units.
  References  : PD-Sec.3.1.1/U3
  CustomerReq : Or is the last APPLIED light scene to be reestablished?
                Is it possible that another light scene is chosen between
                the last occupation and the reoccupation?

U4:
  Predicates  : roomOccupied : the room is occupied by a person
  Domains     : LS : the possible light scenes
  Functions   : appliedLightScene: LS  the light scene applied by the system
  Constants   : T_U4a : the time delay during which the reoccupation of a
                        room leads to reestablishing the previous light scene
                T_U4b : the time delay between a sufficiently long
                        non-occupation and the application of the standard
                        light scene
  Formal      : \always ( ( [roomOccupied] \and \alwaysInThePast_{(0,TU4a]} \not roomOccupied) \imp \eventually_{T_U4b} appliedLightScene="standard")
  NL          : Whenever the room becomes occupied now and was not occupied
                during the last T_U4a minutes, the light scene 'standard' is
                applied within T_U4b time units.
  References  : PD-Sec.3.1.1/U4

U5i:
  Predicates  : switchPushed : the switch is pushed down
                lightOn      : The corresponding light is completely on
                lightOff     : The corresponding light is completely off
  Constants   : TU5 : The maximal time between pushing the switch and
                      switching off the light.
  Formal      : \always ( [switchPushed] \and lightOn \imp \eventually_{\leq TU5i} lightOff )
  NL          : Whenever the switch becomes pushed and the light is
                completely on, the light is completely off within TU5 time
                units.
  References  : PD-Sec.3.1.1/U5(i)
  CustomerReq : How long should the light be switched off? Is this defined
                by U2?

U5ii:
  Predicates  : switchPushed : the switch is pushed down
                lightOn      : The corresponding light is completely on
  Constants   : TU5 : The maximal time between pushing the switch and
                      switching on the light.
  Formal      : \always ( [switchPushed] \and \not lightOn \imp \eventually_{\leq TU5} lightOn )
  NL          : Whenever the switch becomes pushed and the light is not
                completely on, the light is completely on within TU5 time
                units.
  References  : PD-Sec.3.1.1/U5(ii)
  CustomerReq : How long should the light be switched on? Is this defined
                by U2?

U6:
  Domains     : LS : the possible light scenes
  Functions   : appliedLightScene: LS  the light scene "l" is applied
                chosenLightScene: LS   the light scene "l" was last selected
                                       at the control panel
  Constants   : T_U6 : time delay between selection and application of a
                       certain light scene
  Formal      : \always ( \forall l: chosenLightScene = l \delEquiv_{T_U6} appliedLightScene = l )
  NL          : Whenever the light scene "l" was last selected at the
                control panel, the light scene "l" is applied within T_U6
                time units.
  NonFormal   : by using the control panel.
  References  : PD-Sec.3.1.1/U6

U7:
  Domains     : LS : the possible light scenes
  Functions   : appliedLightScene: LS  the light scene "l" is applied
                chosenLightScene: LS   the light scene "l" was last selected
                                       at the control panel
  Constants   : T_U7 : time delay between selection and application of a
                       certain light scene
  Formal      : \always ( chosenLightLevel = l \delEquiv_{\leq T_U7} appliedLightLevel = l )
  NL          : Whenever the light level "l" was last selected at the
                control panel, the light level "l" is applied within T_U7
                time units.
  NonFormal   : by using the control panel.
  References  : PD-Sec.3.1.1/U7

U8:
  NonFormal   : For each room a default light scene can be set (not by
                using the control panel).
  References  : PD-Sec3.1.1/U8

U9:
  NonFormal   : For each room a default ambient light level can be set (not
                by using the control panel).
  References  : PD-Sec3.1.1/U9

U10:
  NonFormal   : The value T1 can be set for each room separately (not by
                using the control panel).
  References  : PD-Sec3.1.1/U10

U11:
  Predicates  : outdoorLightSensorFault : the outdoor light sensor does not
                                          work correctly
                userInformed            : the user is informed
  Formal      : \always ( outdoorLightSensorFault \delEquiv_{T_{U11}} userInformed )
  NL          : Whenever the outdoor sensor does not work correctly for at
                least time T_{U11}, the user is informed within time T_{U11}
                and remains informed as long as the precondition is true.
                And conversely, whenever the outdoor light sensor works
                correctly for at least time T_{U11}, the user is no longer
                informed within time T_{U11} and is not informed as long as
                this precondition is true.
  References  : PD-Sec3.1.1/U11
  PatternInst : DelayedEquivalence (outdoorLightSensorFault, userInformed)
  CustomerReq : What is the meaning of 'the user is informed'?

U12:
  Domains     : LS : the possible light scenes
  Functions   : appliedLightScene: LS  the light scene "l" is applied
                chosenLightScene: LS   the light scene "l" was last selected
                                       at the control panel
  Constants   : T_U12 : the time delay between choosing and applying a
                        certain light scene
  Formal      : \always ( \forall l: chosenLightScene=l \delImp_{T} appliedLightScene=l )
  NL          : Whenever the chosen light scene is l for at least time
                T_{U12}, the applied light scene is l within time T_{U12}
                and remains l as long as the precondition is true.
  References  : PD-Sec3.1.1/U12
  CustomerReq : Is this depending on the occupation of the office? See U2.

U13:
  NonFormal   : The control panel should be installed movably like a
                telephone in the offices.
  References  : PD-Sec3.1.1/U13

U14_i
  Predicates  : cpTaskLight : the task light switch in the control panel is
                              "on"
                taskLight   : the task light is on
  Constants   : T_U14 : the time delay between setting and applying a
                        certain light level
  Formal      : \always ( cpTaskLight \delEquiv_{T_{U14}} taskLight )
  NL          : Whenever the task light switch in the control panel is on
                (off), the task light will be on (off) within T_U14 time
                units and stays on (off) as long as the precondition is true.
  NonFormal   : The task light switch is contained in the control panel.
  References  : PD-Sec3.1.1/U14(i)
  PatternInst : DelayedEquivalence (cpTaskLight, taskLight, T_U14)
  Comment     : This could lead to potential conflicts with other
                requirements that also try to control taskLight. Should be
                replaced by a formulation that allows other source
                predicates to have influence on the target predicate.
                Last access or higher priority wins?
                -> New pattern definition!

U14_ii
  Predicates  : cpCeilingLight = l : the ceiling light switch in the control
                                     panel is "l"
                ceilingLight = l   : the ceiling light is "l"
                                     (on/off/ambient)
  Constants   : T_U14 : the time delay between setting and applying a
                        certain light level
  Formal      : \always ( \forall l: cpCeilingLight=l \delEquiv_{T_{U14}} ceilingLight=l )
  NL          : Whenever the ceiling light switch in the control panel is
                on (off), the ceiling light will be on (off) within T_U14
                time units and stays on (off) as long as the precondition is
                true.
  NonFormal   : The ceiling light switch is contained in the control panel.
  References  : PD-Sec3.1.1/U14(ii)
  PatternInst : DelayedEquivalence (cpTaskLight, taskLight, T_U14)
  CustomerReq : What does ceilingLight="ambient" mean ?

U14_iii
  Predicates  : cpLightLevel =l : the ambient light level set by the control
                                  panel is "l"
                lightLevel =l   : the ceiling light level "l"
  Constants   : T_U14 : the time delay between setting and applying a
                        certain light level
  Formal      : \always ( cpLightLevel \delEquiv_{T_{U14}} lightLevel )
  NL          : Whenever the light level in the control panel is set to "l"
                the light level will be "l" within T_U14 time units and
                stays "l" as long as the precondition is true.
  NonFormal   : The ambient light level setting is contained in the control
                panel.
  References  : PD-Sec3.1.1/U14(ii)
  PatternInst : DelayedEquivalence (cpLightLevel, lightLevel, T_U14)

U15:
  NonFormal   : In all other rooms the control panel should be installed
                near a door to the hallway.
  References  : PD-Sec3.1.1/U15

U16_i
  Domains     : LS : the light scenes on/off/ambient
  Functions   : cpCeilingLight: LS  the ceiling light switch in the control
                                    panel is "l"
                ceilingLight: LS    the ceiling light is "l"
                                    (on/off/ambient)
  Constants   : T_U16 : the time delay between setting and applying a
                        certain light level
  Formal      : \always ( \forall l: cpCeilingLight=l \delEquiv_{T_{U16}} ceilingLight=l )
  NL          : Whenever the ceiling light switch in the control panel is l
                the ceiling light will be l within T_U16 time units and
                stays l as long as the precondition is true.
  NonFormal   : The ceiling light switch is contained in the control panel.
  References  : PD-Sec3.1.1/U16(i)
  PatternInst : DelayedEquivalence (cpTaskLight, taskLight, T_U16)
  CustomerReq : What does ceilingLight="ambient" mean ?

U16_ii
  Domains     : LS : the light scenes
  Functions   : cpLightLevel: LS  the ambient light level set by the control
                                  panel is "l"
                lightLevel : LS   the ceiling light level "l"
  Constants   : T_U16 : the time delay between setting and applying a
                        certain light level
  Formal      : \always ( cpLightLevel \delEquiv_{T_{U16}} lightLevel )
  NL          : Whenever the light level in the control panel is set to "l"
                the light level will be "l" within T_U16 time units and
                stays "l" as long as the precondition is true.
  NonFormal   : The ambient light level setting is contained in the control
                panel.
  References  : PD-Sec3.1.1/U16(ii)
  PatternInst : DelayedEquivalence (cpLightLevel, lightLevel, T_U16)

U17:
  Predicates  : hallwayOccupied : the hallway is occupied by a person
                safeLight       : the hallway light is sufficient to move
                                  safely
  Constants   : T_U17 : the time delay between a hallway occupation and the
                        safe light status
  Formal      : \always ( hallwayOccupied \delImp_{T_U17} safeLight )
  NL          : Whenever the hallway is occupied for at least time T_{U17},
                the light is sufficient to move safely within time T_{U17}
                and remains sufficient to move safely as long as the
                precondition is true.
  References  : PD-Sec3.1.1/U17
  Comment     : Analogous to U1 -> pattern definition or "derivation" from
                a common requirement type?

U18:
  Predicates  : nearNextHallway(i,j) : a person is in hallway i near the
                                       door to hallway j
                lightOn(j)           : the light in hallway j is on
  Constants   : T_U18 : the time delay between a sufficiently long
                        occupation of an adjacent hallway and switching on
                        the lights
  Formal      : \always ( nearNextHallway (i,j) \delImp_{T_{U18}} lightOn(j) )
  NL          : Whenever a person is continuously in hallway i near the
                door to hallway j for at least T_U18 time units, then the
                light in hallway j will be on within this time span, and
                remains on at least as long as the person is near the next
                hallway.
  References  : PD-Sec3.1.1/U18
  PatternInst : DelayedImplication (nearNextHallway(i,j), lightOn(j))
  Comment     : "before" is here interpreted geographically and not
                temporally. The time T_U18 should be set to a value
                reasonable for typical pedestrian speeds.

U19i:
  Predicates  : switchPushed : the wall switch is pushed down
                lightOn      : The corresponding light is on
                lightOff     : The corresponding light is off
  Constants   : TU19 : The maximal time between pushing the switch and
                       switching off the light.
  Formal      : \always ( [switchPushed] \and lightOn \imp \eventually_{\leq TU19} lightOff )
  NL          : Whenever the switch becomes pushed and the light is on, the
                light is off within TU19 time units.
  References  : PD-Sec.3.1.1/U19(i)

U19ii:
  Predicates  : switchPushed : the wall switch is pushed down
                lightOn      : The corresponding light is on
                lightOff     : The corresponding light is off
  Constants   : TU19 : The maximal time between pushing the switch and
                       switching off the light.
  Formal      : \always ( [switchPushed] \and \not lightOn \imp \eventually_{\leq TU19} lightOn )
  NL          : Whenever the switch becomes pushed and the light is not on,
                the light is on within TU19 time units.
  References  : PD-Sec.3.1.1/U19(ii)

% -----------------------------------------------------------------------------

FM1:
  Predicates  : lightOff : the light is off
  Formal      : \always ( lightOff )
  NL          : the light is always off
  References  : PD-Sec3.1.2/FM1
  Comment     : Waiting for conflicts ...
  CustomerReq : This requirement is expected to have lowest priority in
                case of potential conflicts. Was this your intention?

FM2:
  Predicates  : hallwayOccupied : the hallway is occupied by a person
                lightOff        : the light is off
  Constants   : T2 : the time delay between a sufficiently long occupation
                     of the hallway and switching off the light
  Formal      : \always ( \not hallwayOccupied \delImp_{T2 min} lightOff )
  NL          : Whenever the hallway is continuously not occupied for at
                least T2 minutes, then the light is off within this time
                span and remains off at least as long as the hallway is not
                occupied.
  References  : PD-Sec3.1.2/FM2
  PatternInst : DelayedImplication (hallwayOccupied, lightOff, T2)

FM3:
  Predicates  : roomOccupied : the room is occupied by a person
                lightOff     : all lights are off
  Constants   : T3 : the time delay between a sufficiently long
                     non-occupation of the room and switching off the light
  Formal      : \always ( \not roomOccupied \delImp_{T3 min} lightOff )
  NL          : Whenever the room is continuously not occupied for at least
                T3 minutes, then the light is off within this time span and
                remains off at least as long as the room is not occupied.
  References  : PD-Sec3.1.2/FM2
  PatternInst : DelayedImplication (roomOccupied, lightOff, T2)

FM4:
  NonFormal   : The value T2 can be set for each hallway section separately.
  References  : PD-Sec3.1.2/FM4

FM5:
  NonFormal   : The value T3 can be set for each room separately.
  References  : PD-Sec3.1.2/FM5

FM6:
  Predicates  : fmLightOff : the facility manager has turned the light off
                occupied   : the room or hallway is occupied
                lightOff   : the light is off
  Constants   : T_FM6 : the time delay between a sufficiently long
                        non-occupation of the room or hallway, if the f.m.
                        has turned the light off and actually switching off
                        the light.
  Formal      : \always ( fmLightOff \and \not occupied \delImp_{\leq T_{FM6}} lightOff )
  NL          : Whenever the facility manager has turned the light off and
                the hallway/room is not occupied for at least T_FM6 time
                units, then eventually within this time span, the light is
                off and remains so at least as long as the facility manager
                has turned the light off and the hallway/room is not
                occupied.
  References  : PD-Sec3.1.2/FM6
  PatternInst : DelayedImplication (fmLightOff \and \not occupied, lightOff, T_FM6)

FM7:
  Predicates  : malfunction : a malfunction occurs
                fmInformed  : the facility manager is informed
  Constants   : T : the time delay between a malfunction and the
                    information of the facility manager.
  Formal      : \always ( malfunction \delEquiv_{T} fmInformed )
  NL          : Whenever a malfunction occurs for at least time T, the f.m.
                is informed within time T and remains informed as long as
                the precondition is true.
                And conversely, whenever no malfunction occurs for at least
                time T, the f.m. is no longer informed within time T and is
                not informed as long as this precondition is true.
  References  : PD-Sec3.1.2/FM7
  PatternInst : DelayedEquivalence (malfunction, fmInformed, T)
  CustomerReq : What is a "malfunction"? What means 'the facility manager
                has to be informed'?
  Comments    : (copied from U11)

FM8:
  NonFormal   : If a malfunction occurs, the control system supports the
                facility manager by finding the reason.
  Comment     : I suppose that "finding the reason" means locating the
                fault in the future control system architecture. But
                architecture is something unknown to this specification
                level.
  References  : PD-Sec3.1.2/FM8

FM9:
  NonFormal   : The system provides reports on current and past energy
                consumption.
  References  : PD-Sec3.1.2/FM9

FM10:
  NonFormal   : All malfunctions and unusual conditions are stored and
                reported on request.
  References  : PD-Sec3.1.2/FM10

FM11:
  NonFormal   : Malfunctions that the system cannot detect can be entered
                manually.
  References  : PD-Sec3.1.2/FM11

% -----------------------------------------------------------------------------

NF1a:
  Predicates  : sensorFault : the outdoor light sensor does not work
                              correctly
  Domains     : OL : outdoor light values
  Functions   : outdoorLight: OL       the outdoor light value returned by
                                       the sensor
                outdoorLightValue: OL  the outdoor light value used by the
                                       system
  Constants   : T_NF1a : the time delay between a correct sensor operation
                         and the corresponding system behaviour
                T_2    : the time delay between outdoorLightValue and
                         outdoorLight
  Formal      : \always ( (\not sensorFault \delImp_{T_NF1a} (\forall v : outdoorLightValue=v \delCopy_{T_2} outdoorLight=v)) )
  NL          : Whenever the outdoor light sensor does work correctly for
                at least T_NF1a time units, then eventually within this time
                span, the outdoor light value used by the system is equal to
                the outdoor light value returned by the sensor with a
                maximal delay of T_2 time units.
  References  : PD-Sec3.1.3/NF1
  Comment     : Additional requirement covering the "normal case". New
                operator is currently developed.

NF1b:
  Predicates  : sensorFault : the outdoor light sensor does not work
                              correctly
  Domains     : OL : outdoor light values
  Functions   : lastCorrectLight: OL   the last correct outdoor light value
                                       returned by the sensor
                outdoorLightValue: OL  the outdoor light value used by the
                                       system
  Constants   : T_NF1b : the time delay between a sensor fault and the
                         corresponding system behaviour
  Formal      : \always ( (sensorFault \delImp_{T_NF_1b} outdoorLightValue=lastCorrectLight ) )
  NL          : Whenever the outdoor light sensor does not work correctly
                for at least T_NF1b time units, the outdoor light value used
                by the system is equal to the last correct light value
                returned by the sensor, and this remains so at least as long
                as the precondition is true.
  References  : PD-Sec3.1.3/NF1

NF2:
  Predicates  : sensorFault               : the outdoor light sensor does
                                            not work correctly
                standardIsCeilingLightsOn : the standard light scene is
                                            "all ceiling lights on".
  Formal      : \always ( sensorFault \delImp_{T_NF2} standardIsCeilingLightsOn )
  NL          : Whenever the outdoor light sensor does not work correctly
                for at least T_NF2 time units, then eventually within this
                time span, the standard light scene is "all ceiling lights
                on" and remains so at least as long as the outdoor light
                sensor does not work correctly.
  References  : PD-Sec3.1.3/NF2
  PatternInst : DelayedImplication (sensorFault, standardLightScene = "all ceiling lights on", T_NF2)
  CustomerReq : Is the standard light scene in this case to be applied?
                "No" is supposed.

NF3:
  Predicates  : sensorFault         : the outdoor light sensor does not
                                      work correctly
                hallwayOccupied (i) : hallway i is occupied
                hallwayLightsOn (i) : the light in hallway i is on
  Formal      : \always ( \forall i: sensorFault \and hallwayOccupied(i) \delImp_{T_NF3} hallwayLightsOn (i) )
  NL          : Whenever the outdoor light sensor does not work correctly
                and hallway i is occupied for at least T_NF3 time units,
                then eventually within this time span, the light in hallway
                i is on and remains on at least as long as the outdoor light
                sensor does not work correctly and hallway i is occupied.
  References  : PD-Sec3.1.3/NF3
  PatternInst : DelayedImplication (sensorFault \and hallwayOccupied (i), hallwayLightsOn (i), T_NF3)

NF4a:
  Predicates  : sensorFault : the motion detector does not work correctly
  Domains     : MV : the motion detector values
  Functions   : motion : MV       the motion detector value returned by the
                                  sensor
                motionValue : MV  the motion detector value used by the
                                  system
  Constants   : T_NF4a : the time delay between a correct sensor operation
                         and the corresponding system behaviour
                T_2    : the time delay between motion and motionValue
  Formal      : \always ( (\not sensorFault \delImp_{T_NF4a} (\forall v : motion=v \delCopy_{T_2} motionValue=v)) )
  NL          : Whenever the motion detector does work correctly, the
                motion detector value used by the system is equal to the
                motion detector value returned by the sensor.
  References  : PD-Sec3.1.3/NF4
  Comment     : Times ? Copied and adapted from NF1 -> Pattern ?
                -> DelayedCopy as in NF1a

NF4b:
  Predicates  : sensorFault : the motion detector does not work correctly
  Domains     : MV : the motion values, at least 'occupied'
  Functions   : motionValue : MV  the motion detector value used by the
                                  system
  Formal      : \always ( (sensorFault \delImp_{T_NF4b} motionValue='occupied' ) )
  NL          : Whenever the motion sensor does not work correctly for at
                least T_NF4b time units, the motion value used by the system
                is 'occupied' and this remains so at least as long as the
                precondition is true.
  PatternInst : DelayedImplication (sensorFault, motionValue='occupied', T_NF4b)
  References  : PD-Sec3.1.3/NF4

NF5:
  Predicates  : uncontrollableLight : the lights are neither controllable
                                      automatically nor manually
                lightOn             : the light is on
  Constants   : T_NF5 : the time delay between the loss of light control
                        and switching on the lights.
  Formal      : \always ( uncontrollableLight \delImp_{T_NF5} lightOn )
  NL          : Whenever the lights are neither controllable automatically
                nor manually for at least T_NF5 time units, then eventually
                within this time span, the light is on and remains so at
                least as long as the lights are neither controllable
                automatically nor manually.
  PatternInst : DelayedImplication (uncontrollableLight, lightOn, T_NF5)
  References  : PD-Sec3.1.3/NF5

NF6:
  NonFormal   : All hardware connections have to be made according to DIN
                standards.
  References  : PD-Sec3.1.3/NF6

NF7:
  NonFormal   : No hazardous conditions for persons, inventory or building
                are allowed.
  References  : PD-Sec3.1.3/NF7
  Comment     : Formalize?

NF8:
  NonFormal   : The control panel should be easy and intuitive to use.
  References  : PD-Sec3.1.3/NF8

NF9:
  NonFormal   : The system warns about unreasonable inputs.
  References  : PD-Sec3.1.3/NF9
  Comment     : Formalize?
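
% Added example, not part of the original specification or the authors'
% tooling: a trace monitor for the DelayedImplication and DelayedEquivalence
% patterns, applied to FM2 and FM7. Assumptions: the semantics is the reading
% taken from the NL texts above (once the precondition has held unbroken for
% the delay, the target must hold while the precondition stays true), traces
% are sampled once per time unit, and the delays and traces are constructed.

```python
"""Trace monitors for the DelayedImplication / DelayedEquivalence patterns."""
from typing import Callable, Dict, List, Tuple

State = Dict[str, bool]
Trace = List[Tuple[float, State]]   # (timestamp, valuation), timestamps ascending
Pred = Callable[[State], bool]


def del_imp(trace: Trace, p: Pred, q: Pred, delay: float) -> List[float]:
    """Timestamps at which DelayedImplication(p, q, delay) is violated.

    Assumed reading of the NL texts: once p has held without interruption
    for `delay` time units, q must hold, and keep holding while p stays true.
    """
    violations: List[float] = []
    p_since = None                  # start of the current unbroken p-interval
    for t, state in trace:
        if not p(state):
            p_since = None          # precondition interrupted: obligation lapses
            continue
        if p_since is None:
            p_since = t
        if t - p_since >= delay and not q(state):
            violations.append(t)
    return violations


def del_equiv(trace: Trace, p: Pred, q: Pred, delay: float) -> List[float]:
    """DelayedEquivalence: DelayedImplication(p, q) plus its converse on (not p, not q)."""
    forward = del_imp(trace, p, q, delay)
    converse = del_imp(trace, lambda s: not p(s), lambda s: not q(s), delay)
    return sorted(set(forward + converse))


def samples(name_a: str, name_b: str, rows: List[Tuple[bool, bool]]) -> Trace:
    """Build a trace sampled once per time unit from (a, b) rows."""
    return [(float(t), {name_a: a, name_b: b}) for t, (a, b) in enumerate(rows)]


# Constructed traces; the delays T2 = 3 and T = 2 are sample values,
# not values from the specification.
T, F = True, False
FM2_OK = samples("hallwayOccupied", "lightOff",
                 [(T, F), (F, F), (F, F), (F, F), (F, T), (F, T), (T, F)])
FM2_LATE = samples("hallwayOccupied", "lightOff",
                   [(T, F), (F, F), (F, F), (F, F), (F, F), (F, F), (F, T)])
FM7_STUCK = samples("malfunction", "fmInformed",
                    [(F, F), (T, F), (T, F), (T, T), (F, T), (F, T), (F, T)])


def check_fm2(trace: Trace, t2: float = 3) -> List[float]:
    # FM2: \always ( \not hallwayOccupied \delImp_{T2 min} lightOff )
    return del_imp(trace, lambda s: not s["hallwayOccupied"],
                   lambda s: s["lightOff"], t2)


def check_fm7(trace: Trace, t: float = 2) -> List[float]:
    # FM7: \always ( malfunction \delEquiv_{T} fmInformed )
    return del_equiv(trace, lambda s: s["malfunction"],
                     lambda s: s["fmInformed"], t)


if __name__ == "__main__":
    print("FM2 ok   :", check_fm2(FM2_OK))
    print("FM2 late :", check_fm2(FM2_LATE))
    print("FM7 stuck:", check_fm7(FM7_STUCK))
```

% In FM7_STUCK the forward direction is met, and the only violation comes from
% the converse half of the equivalence: fmInformed stays set after the
% malfunction has been absent for T.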