

MODULE main

    IVAR
        cmd_to_G1 : {cmd_on, cmd_off, nop};
	cmd_to_G2 : {cmd_on, cmd_off, nop};
	cmd_to_G3 : {cmd_on, cmd_off, nop};
        cmd_to_GB1 : {cmd_closed, cmd_open, nop};
	cmd_to_GB2 : {cmd_closed, cmd_open, nop};
        cmd_to_GB3 : {cmd_closed, cmd_open, nop};
        cmd_to_BB1 : {cmd_closed, cmd_open, nop};
        cmd_to_BB2 : {cmd_closed, cmd_open, nop};
        cmd_to_BB3 : {cmd_closed, cmd_open, nop};

    VAR
        v_cmd_to_G1 : {cmd_on, cmd_off, nop};
	v_cmd_to_G2 : {cmd_on, cmd_off, nop};
	v_cmd_to_G3 : {cmd_on, cmd_off, nop};
	v_cmd_to_GB1 : {cmd_closed, cmd_open, nop};
	v_cmd_to_GB2 : {cmd_closed, cmd_open, nop};
	v_cmd_to_GB3 : {cmd_closed, cmd_open, nop};
	v_cmd_to_BB1 : {cmd_closed, cmd_open, nop};
	v_cmd_to_BB2 : {cmd_closed, cmd_open, nop};
	v_cmd_to_BB3 : {cmd_closed, cmd_open, nop};

    ASSIGN
      init(v_cmd_to_G1) := nop;
      next(v_cmd_to_G1) := cmd_to_G1;
      init(v_cmd_to_G2) := nop;
      next(v_cmd_to_G2) := cmd_to_G2;
      init(v_cmd_to_G3) := nop;
      next(v_cmd_to_G3) := cmd_to_G3;
      init(v_cmd_to_GB1) := nop;
      next(v_cmd_to_GB1) := cmd_to_GB1;
      init(v_cmd_to_GB2) := nop;
      next(v_cmd_to_GB2) := cmd_to_GB2;
      init(v_cmd_to_GB3) := nop;
      next(v_cmd_to_GB3) := cmd_to_GB3;
      init(v_cmd_to_BB1) := nop;
      next(v_cmd_to_BB1) := cmd_to_BB1;
      init(v_cmd_to_BB2) := nop;
      next(v_cmd_to_BB2) := cmd_to_BB2;
      init(v_cmd_to_BB3) := nop;
      next(v_cmd_to_BB3) := cmd_to_BB3;

    VAR
        SC : System_Configuration(cmd_to_G1, cmd_to_G2, cmd_to_G3, 
				  cmd_to_GB1, cmd_to_GB2, cmd_to_GB3, cmd_to_BB1, cmd_to_BB2, cmd_to_BB3);
        _masterCC : MasterCC#;

    -- Requirements

    -- R1. No bus will be connected to more than 1 power source at any time
    INVAR (SC.B1_poweredby_G1 -> !(SC.B1_poweredby_G2 | SC.B1_poweredby_G3));
    INVAR (SC.B1_poweredby_G2 -> !(SC.B1_poweredby_G1 | SC.B1_poweredby_G3));
    INVAR (SC.B1_poweredby_G3 -> !(SC.B1_poweredby_G1 | SC.B1_poweredby_G2));

    INVAR (SC.B2_poweredby_G1 -> !(SC.B2_poweredby_G2 | SC.B2_poweredby_G3));
    INVAR (SC.B2_poweredby_G2 -> !(SC.B2_poweredby_G1 | SC.B2_poweredby_G3));
    INVAR (SC.B2_poweredby_G3 -> !(SC.B2_poweredby_G1 | SC.B2_poweredby_G2));

    INVAR (SC.B3_poweredby_G1 -> !(SC.B3_poweredby_G2 | SC.B3_poweredby_G3));
    INVAR (SC.B3_poweredby_G2 -> !(SC.B3_poweredby_G1 | SC.B3_poweredby_G3));
    INVAR (SC.B3_poweredby_G3 -> !(SC.B3_poweredby_G1 | SC.B3_poweredby_G2));

    -- R4. If no power source is on, then all buses will be unpowered
    INVARSPEC ((SC.G1.is_off & SC.G2.is_off & SC.G3.is_off) -> (!SC.B1.is_powered & !SC.B2.is_powered & !SC.B3.is_powered));



-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE System_Configuration(cmd_to_G1, cmd_to_G2, cmd_to_G3,
			    cmd_to_GB1, cmd_to_GB2, cmd_to_GB3, cmd_to_BB1, cmd_to_BB2, cmd_to_BB3)
    VAR
        G1 : Generator_#Extended(cmd_to_G1, init_state_G1);
        G2 : Generator_#Extended(cmd_to_G2, init_state_G2);
        G3 : Generator_#Extended(cmd_to_G3, init_state_G3);
        GB1 : Switch_#Extended(cmd_to_GB1, init_state_GB1);
        GB2 : Switch_#Extended(cmd_to_GB2, init_state_GB2);
        GB3 : Switch_#Extended(cmd_to_GB3, init_state_GB3);
        BB1 : Switch_#Extended(cmd_to_BB1, init_state_BB1);
        BB2 : Switch_#Extended(cmd_to_BB2, init_state_BB2);
        BB3 : Switch_#Extended(cmd_to_BB3, init_state_BB3);
        B1 : Bus(B1_poweredby_G1, B1_poweredby_G2, B1_poweredby_G3);
        B2 : Bus(B2_poweredby_G1, B2_poweredby_G2, B2_poweredby_G3);
        B3 : Bus(B3_poweredby_G1, B3_poweredby_G2, B3_poweredby_G3);
    DEFINE
        init_state_BB3 := open;
        init_state_BB2 := closed;
        init_state_BB1 := open;
        init_state_GB3 := open;
        init_state_GB2 := closed;
        init_state_GB1 := closed;
        init_state_G3 := off;
        init_state_G2 := on;
        init_state_G1 := on;
        B1_poweredby_G3_R := (B2_poweredby_G3_R & BB1.is_closed);
        B1_poweredby_G3_L := (B3_poweredby_G3_U & BB3.is_closed);
        B1_poweredby_G2_R := (B2_poweredby_G2_U & BB1.is_closed);
        B1_poweredby_G2_L := (B3_poweredby_G2_L & BB3.is_closed);
        B1_poweredby_G1_U := (G1.is_on & GB1.is_closed);
        B2_poweredby_G3_R := (B3_poweredby_G3_U & BB2.is_closed);
        B2_poweredby_G3_L := (B1_poweredby_G3_L & BB1.is_closed);
        B2_poweredby_G2_U := (G2.is_on & GB2.is_closed);
        B2_poweredby_G1_R := (B3_poweredby_G1_R & BB2.is_closed);
        B2_poweredby_G1_L := (B1_poweredby_G1_U & BB1.is_closed);
        B3_poweredby_G3_U := (G3.is_on & GB3.is_closed);
        B3_poweredby_G2_R := (B1_poweredby_G2_R & BB3.is_closed);
        B3_poweredby_G2_L := (B2_poweredby_G2_U & BB2.is_closed);
        B3_poweredby_G1_R := (B1_poweredby_G1_U & BB3.is_closed);
        B3_poweredby_G1_L := (B2_poweredby_G1_L & BB2.is_closed);
        B1_poweredby_G3 := (B1_poweredby_G3_R | B1_poweredby_G3_L);
        B1_poweredby_G2 := (B1_poweredby_G2_R | B1_poweredby_G2_L);
        B1_poweredby_G1 := B1_poweredby_G1_U;
        B2_poweredby_G3 := (B2_poweredby_G3_R | B2_poweredby_G3_L);
        B2_poweredby_G2 := B2_poweredby_G2_U;
        B2_poweredby_G1 := (B2_poweredby_G1_R | B2_poweredby_G1_L);
        B3_poweredby_G3 := B3_poweredby_G3_U;
        B3_poweredby_G2 := (B3_poweredby_G2_R | B3_poweredby_G2_L);
        B3_poweredby_G1 := (B3_poweredby_G1_R | B3_poweredby_G1_L);


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE Generator_#Extended(cmd, init_state)
    VAR
        Gen_StuckOff : Gen_StuckOff_FM_Mod(state_#nominal, off, fault_event_stuck_at_off);
    VAR
        state_#nominal : {on, off};

    IVAR
        fault_event_stuck_at_off : boolean;
        nominal_event : boolean;

    DEFINE
        is_on := state = on;
        is_off := state = off;
        state := Gen_StuckOff.state_#fault;

    -- Synthesis does not accept DEFINEs as observables
    VAR v_state : {on, off};
    ASSIGN v_state := state;

    ASSIGN
        init(state_#nominal) := init_state;
        next(state_#nominal) := case
cmd = cmd_on : on;
cmd = cmd_off : off;
TRUE : state;
esac;

    TRANS nominal_event = FALSE;


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE Gen_StuckOff_FM_Mod(state__#read, term_#1, fault_event_stuck_at_off#event)
    VAR
        stuckAt_Off : stuckAt_Off_fm_Mod(mode = NOMINAL, mode_is_stuckAt_Off, term_#1, state__#read, state__#write, event = stuckAt_Off#failure, event = _#NoEvent);
    VAR
        mode : {NOMINAL, stuckAt_Off#FAULT};
        state__#write : {on, off};

    IVAR
        event : {_#NoEvent, stuckAt_Off#failure};

    DEFINE
        NoEvent := event = _#NoEvent;
        cando_stuckAt_Off#FAULT := ((mode = NOMINAL & stuckAt_Off.trans_trig_guard_#0) | (mode = stuckAt_Off#FAULT & stuckAt_Off.trans_trig_guard_#1));
        state_#fault := case
mode = NOMINAL : state__#read;
mode_is_stuckAt_Off : state__#write;
TRUE : state__#read;
esac;
        mode_is_stuckAt_Off := mode = stuckAt_Off#FAULT;

    INIT mode = NOMINAL;

    TRANS (event in stuckAt_Off#failure <-> fault_event_stuck_at_off#event);

    TRANS case
((mode = stuckAt_Off#FAULT & stuckAt_Off.trans_trig_guard_#1) | (mode = NOMINAL & stuckAt_Off.trans_trig_guard_#0)) : next(mode) = stuckAt_Off#FAULT;
TRUE : (next(mode) = mode & NoEvent);
esac;


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE stuckAt_Off_fm_Mod(is_nominal, is_fault, term, input, varout, _failure, ev_#NoEvent)
    VAR
        stuckAt_OffEM : stuckAt_Off_fm_EM_Mod(is_nominal, is_fault, term, input, varout);
    DEFINE
        failure := _failure;
        NoEvent := ev_#NoEvent;
        trans_trig_guard_#0 := failure;
        trans_trig_guard_#1 := NoEvent;


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE stuckAt_Off_fm_EM_Mod(is_nominal, is_fault, term, input, varout)
    TRANS (!(!is_fault & next(is_fault)) | next(varout) = term);

    TRANS (!(is_fault & next(is_fault)) | next(varout) = varout);

    TRANS (!(is_nominal & next(is_nominal)) | next(varout) = varout);


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE Switch_#Extended(cmd, init_state)
    VAR
        Switch_StuckClosed_StuckOpen : Switch_StuckClosed_StuckOpen_FM_Mod(state_#nominal, closed, open, fault_event_stuck_at_closed, nominal_event, fault_event_stuck_at_open);
    VAR
        state_#nominal : {open, closed};

    IVAR
        fault_event_stuck_at_closed : boolean;
        fault_event_stuck_at_open : boolean;
        nominal_event : boolean;

    DEFINE
        is_closed := state = closed;
        is_open := state = open;
        state := Switch_StuckClosed_StuckOpen.state_#fault;

    VAR v_state : {open, closed};
    ASSIGN v_state := state;

    ASSIGN
        init(state_#nominal) := init_state;
        next(state_#nominal) := case
cmd = cmd_open : open;
cmd = cmd_closed : closed;
TRUE : state;
esac;


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE Switch_StuckClosed_StuckOpen_FM_Mod(state__#read, term_#1, term_#2, fault_event_stuck_at_closed#event, nominal_event#event, fault_event_stuck_at_open#event)
    VAR
        stuckAt_Closed : stuckAt_Closed_fm_Mod(mode = NOMINAL, mode_is_stuckAt_Closed, term_#1, state__#read, state__#write, event = stuckAt_Closed#failure, event = stuckAt_Closed#self_fixed, event = _#NoEvent);
        stuckAt_Open : stuckAt_Open_fm_Mod(mode = NOMINAL, mode_is_stuckAt_Open, term_#2, state__#read, state__#write, event = stuckAt_Open#failure, event = stuckAt_Open#self_fixed, event = _#NoEvent);
    VAR
        mode : {NOMINAL, stuckAt_Closed#FAULT, stuckAt_Open#FAULT};
        state__#write : {open, closed};

    IVAR
        event : {_#NoEvent, stuckAt_Closed#failure, stuckAt_Closed#self_fixed, stuckAt_Open#failure, stuckAt_Open#self_fixed};

    DEFINE
        NoEvent := event = _#NoEvent;
        cando_stuckAt_Closed#FAULT := ((mode = NOMINAL & stuckAt_Closed.trans_trig_guard_#0) | (mode = stuckAt_Closed#FAULT & stuckAt_Closed.trans_trig_guard_#1));
        cando_stuckAt_Open#FAULT := ((mode = NOMINAL & stuckAt_Open.trans_trig_guard_#0) | (mode = stuckAt_Open#FAULT & stuckAt_Open.trans_trig_guard_#1));
        state_#fault := case
mode = NOMINAL : state__#read;
(mode_is_stuckAt_Open | mode_is_stuckAt_Closed) : state__#write;
TRUE : state__#read;
esac;
        mode_is_stuckAt_Closed := mode = stuckAt_Closed#FAULT;
        mode_is_stuckAt_Open := mode = stuckAt_Open#FAULT;

    INIT mode = NOMINAL;

    TRANS (event in stuckAt_Closed#failure <-> fault_event_stuck_at_closed#event);

    TRANS (event in stuckAt_Open#self_fixed union stuckAt_Closed#self_fixed <-> nominal_event#event);

    TRANS (event in stuckAt_Open#failure <-> fault_event_stuck_at_open#event);

    TRANS case
(mode = stuckAt_Open#FAULT & stuckAt_Open.trans_trig_guard_#2) : next(mode) = NOMINAL;
((mode = stuckAt_Open#FAULT & stuckAt_Open.trans_trig_guard_#1) | (mode = NOMINAL & stuckAt_Open.trans_trig_guard_#0)) : next(mode) = stuckAt_Open#FAULT;
(mode = stuckAt_Closed#FAULT & stuckAt_Closed.trans_trig_guard_#2) : next(mode) = NOMINAL;
((mode = stuckAt_Closed#FAULT & stuckAt_Closed.trans_trig_guard_#1) | (mode = NOMINAL & stuckAt_Closed.trans_trig_guard_#0)) : next(mode) = stuckAt_Closed#FAULT;
TRUE : (next(mode) = mode & NoEvent);
esac;


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE stuckAt_Closed_fm_Mod(is_nominal, is_fault, term, input, varout, _failure, _self_fixed, ev_#NoEvent)
    VAR
        stuckAt_ClosedEM : stuckAt_Closed_fm_EM_Mod(is_nominal, is_fault, term, input, varout);
    DEFINE
        failure := _failure;
        self_fixed := _self_fixed;
        NoEvent := ev_#NoEvent;
        trans_trig_guard_#0 := failure;
        trans_trig_guard_#1 := (NoEvent & !self_fixed);
        trans_trig_guard_#2 := self_fixed;


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE stuckAt_Closed_fm_EM_Mod(is_nominal, is_fault, term, input, varout)
    TRANS (!(!is_fault & next(is_fault)) | next(varout) = term);

    TRANS (!(is_fault & next(is_fault)) | next(varout) = varout);

    TRANS (!(is_nominal & next(is_nominal)) | next(varout) = varout);


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE stuckAt_Open_fm_Mod(is_nominal, is_fault, term, input, varout, _failure, _self_fixed, ev_#NoEvent)
    VAR
        stuckAt_OpenEM : stuckAt_Open_fm_EM_Mod(is_nominal, is_fault, term, input, varout);
    DEFINE
        failure := _failure;
        self_fixed := _self_fixed;
        NoEvent := ev_#NoEvent;
        trans_trig_guard_#0 := failure;
        trans_trig_guard_#1 := (NoEvent & !self_fixed);
        trans_trig_guard_#2 := self_fixed;


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE stuckAt_Open_fm_EM_Mod(is_nominal, is_fault, term, input, varout)
    TRANS (!(!is_fault & next(is_fault)) | next(varout) = term);

    TRANS (!(is_fault & next(is_fault)) | next(varout) = varout);

    TRANS (!(is_nominal & next(is_nominal)) | next(varout) = varout);


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE Bus(in1, in2, in3)
    VAR
        state : {working, broken};

    DEFINE
        is_broken := state = broken;
        is_powered := (state = working & count(in1, in2, in3) = 1);

    ASSIGN
        init(state) := case
count(in1, in2, in3) > 1 : broken;
TRUE : working;
esac;
        next(state) := case
next(count(in1, in2, in3) > 1) : broken;
TRUE : state;
esac;


-- ===============================================================================
--                               End of module
-- ===============================================================================

-- ===============================================================================
MODULE MasterCC#

-- ===============================================================================
--                               End of module
-- ===============================================================================