This is for Principles of Cyber Physical Systems, the book is Principles of cyber physical systems

In the first part of this project, you will encode the rail road controller model described in the beginning of Section 3.1.2 and in Figure 3.3 of the textbook as a set of state machines in NuSMV. For the train model, you should encode it as a nondeterministic reactive component shown in Figure 3.4. For the controller model, you should encode that shown in Figure 3.8. The complete model should be the composition of your controller model and two instances of your train models. Encode the following safety invariant in your SMV model: it is never true that both trains are on the bridge simultaneously. Using the SMV tool, verify that this safety invariant is indeed an invariant for your train model.

Encode in NuSMV the two fairness monitors, namely WestFairMonitor (shown in Figure 3.9) and EastFairMonitor. Then compose them with the rail road model you built, and verify using NuSMV if these fairness requirements are satisfied. If they fail to satisfy, describe the reason of failing and how you may modify your model to meet these requirements.

In the second part of this project, you will encode the program for multiplication described by Exercise 3.1 and Figure 3.2 of the textbook in NuSMV. This time you are required to convert this example to a corresponding symbolic transition system and then encode it in NuSMV. Verify that the following property is an invariant of this transition system: (mode = stop) (y = m n).

t The invariant verification problem is the following: given a transition syntes a property check whether p is an of the system T. If it then there must be some state s such that the is and violates the property p. In such a case, for debugging purposes, the an technique should produce an execution of T that leads to s. Such an is called a counterezample to the claim that the property p is an invariant equivalently, a toitmess to the claim that the property is reachable. Exercise 3.1: Given two natural numbers m and n, consider the program l that multiplies the input mumbers using two variables x and y, of type sat, shown in figure 3.2. Describe the transition system Mult(m,n) that captus the behavior of this program on input numbers m and n, that is, describe the states, initial states, and transitions. Argue that when the value of the variable x is 0, the value of the variable y must equal the product of the input numben m and n, that is, the following property is an invariant this transition systs (mode stop m-n) 3.1.2 Role of Requirements in System Design Ta illustrate the use of invariants as safety requirements in the design of lights for a t The invariant verification problem is the following: given a transition syntes a property check whether p is an of the system T. If it then there must be some state s such that the is and violates the property p. In such a case, for debugging purposes, the an technique should produce an execution of T that leads to s. Such an is called a counterezample to the claim that the property p is an invariant equivalently, a toitmess to the claim that the property is reachable. Exercise 3.1: Given two natural numbers m and n, consider the program l that multiplies the input mumbers using two variables x and y, of type sat, shown in figure 3.2. Describe the transition system Mult(m,n) that captus the behavior of this program on input numbers m and n, that is, describe the states, initial states, and transitions. Argue that when the value of the variable x is 0, the value of the variable y must equal the product of the input numben m and n, that is, the following property is an invariant this transition systs (mode stop m-n) 3.1.2 Role of Requirements in System Design Ta illustrate the use of invariants as safety requirements in the design of lights for a