Question
The composed system RailRoadSystem1 (Page 73) has four state variables: east and west, each of which can take two values, and modeW and modeE, each of which can take three values. Thus, RailRoadSystem1 has 36 states. How many of these 36 states are reachable?
is an invariant of RailRoadSystem. Here, the state variables modeW and modeE are the state variables of the two instances of the train component.

A First Attempt at the Design of the Railroad Controller

Figure 3.6 shows a first attempt at designing the railroad controller. The controller Controller1 maintains two state variables west and east for the states of the two output signals signalW and signalE, respectively, and in each round, the output variable is set to the value of the corresponding state variable. Initially, both signals are green. A signal is set to red whenever a train approaches the opposite entrance to the bridge, and it is set back to green whenever that train exits from the bridge. If both trains approach the bridge in the same round, then only the west signal turns red, giving priority to the train approaching from the east. The update is split into three tasks: the tasks A1 and A2 output the values of the respective signals without waiting for any input, and the task A3 then updates the state variables based on the input events.

Figure 3.6: A First Attempt at Design of the Railroad Controller (Controller1, as recovered from the figure text)
  inputs:  event({arrive, leave}) outW, event({arrive, leave}) outE
  outputs: {green, red} signalW, {green, red} signalE
  state:   {green, red} west := green; east := green
  A1: west -> signalW
  A2: east -> signalE
  A3: west, east, outE, outW -> east, west
        if outE? leave then west := green;
        if outW? leave then east := green;
        if outE? arrive then west := red
        else if outW? arrive then east := red

Unfortunately, the resulting railroad system RailRoadSystem1 = Controller1 || TrainW || TrainE does not satisfy the desired invariant TrainSafety. This is evidenced by the counterexample shown in figure 3.7, which leads to a state with both trains on the bridge. If both trains approach the bridge simultaneously, then the east train is admitted to the bridge with the west signal red and the east signal green. When the east train exits from the bridge, the west signal turns green, allowing the west train to proceed to the bridge. However, the east signal is still green. So if the east train returns before the west train has left the bridge, the west signal will turn red while admitting the east train onto the bridge, leading to a violation of the safety requirement.

Figure 3.7: An Execution of RailRoadSystem1 That Violates TrainSafety (rows recovered from the figure; each row is the state at the start of a round, the signals and events of that round, and the train modes; ⊥ denotes an absent event)
  west   east   signalW  signalE  outW    outE    modeW   modeE
  green  green  green    green    arrive  arrive  away    away
  red    green  red      green    ⊥       ⊥       wait    wait
  red    green  red      green    ⊥       leave   wait    bridge
  green  green  green    green    ⊥       arrive  wait    away
  red    green  red      green    ⊥       ⊥       bridge  wait
  red    green                                     bridge  bridge
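The exercise asks for the number of reachable states, which is exactly the question an explicit-state reachability search answers. The following is an added example, not code from the textbook or from this page: it encodes Controller1 from figure 3.6 and the three-mode train (away, wait, bridge) and explores the composition RailRoadSystem1 by breadth-first search from the initial state (green, green, away, away). Two modelling points are assumptions of this example rather than statements on the page: trains read the signals emitted by A1/A2 in the same round and A3 then consumes their events, and a train may decline an enabled mode switch (linger in a mode with no output), which is what the figure 3.7 execution shows when the west train stays on the bridge while the east train enters. The `must_enter` flag, also mine, switches to the stricter reading in which a waiting train enters as soon as its signal is green, because the count depends on that choice.

```python
"""Reachability of RailRoadSystem1 = Controller1 || TrainW || TrainE.

Added example (not from the textbook or the page).  Assumptions:
  * mode switches are optional: a train may stay in its mode with no
    event (must_enter=True forces entry to the bridge on a green signal);
  * signalW/signalE seen by the trains in a round equal the controller's
    stored west/east, and A3 then updates west/east from the events.
"""
from collections import deque
from itertools import product

GREEN, RED = "green", "red"
AWAY, WAIT, BRIDGE = "away", "wait", "bridge"
ARRIVE, LEAVE, ABSENT = "arrive", "leave", None

# A state is (west, east, modeW, modeE); 2 * 2 * 3 * 3 = 36 candidates.
INITIAL = (GREEN, GREEN, AWAY, AWAY)


def train_steps(mode, signal, must_enter=False):
    """All (next_mode, out) choices of one train in a round."""
    if mode == AWAY:
        return [(AWAY, ABSENT), (WAIT, ARRIVE)]
    if mode == WAIT:
        if signal == GREEN:
            return [(BRIDGE, ABSENT)] if must_enter else [(WAIT, ABSENT), (BRIDGE, ABSENT)]
        return [(WAIT, ABSENT)]          # red signal: keep waiting
    return [(BRIDGE, ABSENT), (AWAY, LEAVE)]


def controller_update(west, east, out_w, out_e):
    """Task A3 of Controller1, transcribed from figure 3.6."""
    if out_e == LEAVE:
        west = GREEN
    if out_w == LEAVE:
        east = GREEN
    if out_e == ARRIVE:
        west = RED                        # east train has priority
    elif out_w == ARRIVE:
        east = RED
    return west, east


def successors(state, must_enter=False):
    """Set of states reachable from `state` in one round of the composition."""
    west, east, mode_w, mode_e = state
    nxt = set()
    # A1/A2 output the stored colours, so signalW = west and signalE = east.
    for (mw, ow), (me, oe) in product(train_steps(mode_w, west, must_enter),
                                     train_steps(mode_e, east, must_enter)):
        w2, e2 = controller_update(west, east, ow, oe)
        nxt.add((w2, e2, mw, me))
    return nxt


def reachable_states(must_enter=False):
    """Breadth-first exploration from INITIAL; returns the reachable set."""
    seen = {INITIAL}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for t in successors(s, must_enter):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def is_safe(state):
    """TrainSafety: the two trains are never on the bridge at the same time."""
    return not (state[2] == BRIDGE and state[3] == BRIDGE)


def unsafe_reachable(must_enter=False):
    return {s for s in reachable_states(must_enter) if not is_safe(s)}


def shortest_violation(must_enter=False):
    """Shortest execution from INITIAL to an unsafe state, as a list of
    states (empty if TrainSafety holds).  BFS with parent pointers."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        if not is_safe(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in sorted(successors(s, must_enter)):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return []


if __name__ == "__main__":
    for flag in (False, True):
        reach = reachable_states(flag)
        print(f"must_enter={flag}: {len(reach)} of 36 states reachable, "
              f"unsafe: {sorted(unsafe_reachable(flag))}")
    for s in shortest_violation():
        print(s)
```

With optional switches the search finds 14 reachable states; with forced entry it finds 13, the difference being (red, red, wait, wait), a state in which both trains wait at red signals that can never turn green (the west train arrives first while the east train is still away, lingers at its green signal, and the east train then arrives). Under either reading the only unsafe reachable state is (red, green, bridge, bridge), and shortest_violation() returns the six-state execution of figure 3.7 verbatim. So the answer to the exercise hinges on which semantics the book assigns to a mode switch whose guard is enabled; check that definition before settling on 13 or 14.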