diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d8249f7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*/#*#
+*/.*
diff --git a/.project b/.project
new file mode 100644
index 0000000..fda0554
--- /dev/null
+++ b/.project
@@ -0,0 +1,18 @@
+
+
+ hardens
+
+
+ sysml.library
+
+
+
+ org.eclipse.xtext.ui.shared.xtextBuilder
+
+
+
+
+
+ org.eclipse.xtext.ui.shared.xtextNature
+
+
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a3cfd69
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,86 @@
+FROM ubuntu:21.04
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get upgrade
+RUN apt-get install -y wget git vim python pip\
+ python3-dev software-properties-common \
+ iproute2 usbutils srecord
+
+# Yosys
+RUN apt-get install -y build-essential clang bison flex \
+ libreadline-dev gawk tcl-dev libffi-dev git \
+ graphviz xdot pkg-config python3 libboost-system-dev \
+ libboost-python-dev libboost-filesystem-dev zlib1g-dev
+RUN git clone https://github.com/YosysHQ/yosys.git /tools/yosys
+WORKDIR /tools/yosys
+RUN make -j$(nproc)
+RUN make install PREFIX=/opt
+
+# Trellis
+RUN apt-get install -y libboost-all-dev python3 python3-pip \
+ cmake openocd
+RUN git clone --recursive https://github.com/SymbiFlow/prjtrellis /tools/prjtrellis
+WORKDIR /tools/prjtrellis/libtrellis
+RUN cmake -DCMAKE_INSTALL_PREFIX=/opt .
+RUN make -j$(nproc)
+RUN make install
+ENV TRELLIS="/opt/share/trellis"
+
+# nextpnr
+RUN apt-get install -y python3-dev libboost-all-dev \
+ libeigen3-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools
+RUN git clone https://github.com/YosysHQ/nextpnr.git /tools/nextpnr
+WORKDIR /tools/nextpnr
+RUN cmake . -DARCH=ecp5 -DTRELLIS_INSTALL_PREFIX=/opt
+RUN make -j$(nproc)
+RUN make install
+
+# RISCV toolchain
+RUN apt-get install -y autoconf automake autotools-dev curl libmpc-dev \
+ libmpfr-dev libgmp-dev gawk build-essential bison flex texinfo gperf \
+ libtool patchutils bc zlib1g-dev libexpat-dev
+RUN git clone --recursive https://github.com/riscv/riscv-gnu-toolchain /tools/riscv-gnu-toolchain
+WORKDIR /tools/riscv-gnu-toolchain
+RUN ./configure --prefix=/opt/riscv --enable-multilib
+RUN export MAKEFLAGS="-j$(nproc)"
+RUN make
+RUN make linux
+ENV PATH="/opt/riscv/bin:/opt/bin:${PATH}"
+
+# ecpprog
+RUN apt-get install -y libftdi-dev
+RUN git clone https://github.com/gregdavill/ecpprog /tools/ecpprog
+WORKDIR /tools/ecpprog/ecpprog
+RUN make -j$(nproc)
+RUN make install
+
+# Iverilog
+RUN apt-get install -y iverilog
+
+# Bluespec compiler
+RUN apt-get install -y libffi7
+WORKDIR /tmp
+RUN wget https://github.com/B-Lang-org/bsc/releases/download/2021.07/bsc-2021.07-ubuntu-20.04.tar.gz
+RUN tar xvzf bsc-2021.07-ubuntu-20.04.tar.gz
+RUN mv bsc-2021.07-ubuntu-20.04 /tools/bsc-2021.07-ubuntu-20.04
+ENV PATH="/tools/bsc-2021.07-ubuntu-20.04/bin:${PATH}"
+
+# Verilator
+RUN apt-get install -y verilator
+
+# OpenFPGAloader
+RUN apt-get install -y libftdi1-2 libftdi1-dev libhidapi-libusb0 libhidapi-dev libudev-dev cmake pkg-config make g++
+RUN git clone https://github.com/trabucayre/openFPGALoader.git /tools/openFPGALoader
+WORKDIR /tools/openFPGALoader
+RUN mkdir build
+WORKDIR /tools/openFPGALoader/build
+RUN cmake ../
+RUN cmake --build .
+RUN make install
+#WORKDIR /tools/openFPGALoader
+#RUN cp 99-openfpgaloader.rules /etc/udev/rules.d/
+#RUN udevadm control --reload-rules && sudo udevadm trigger # force udev to take new rule
+#RUN usermod -a $USER -G plugdev # add user to plugdev group
+
+WORKDIR /
\ No newline at end of file
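Review bot: Every toolchain in this image is built from whatever the upstream default branch holds at build time (the six `git clone` lines for yosys, prjtrellis, nextpnr, riscv-gnu-toolchain, ecpprog and openFPGALoader), and the Bluespec tarball is unpacked without a checksum check, so the image is neither reproducible nor tied to reviewed sources. That matters more here because the image has no `USER` line and the README in this same commit runs it with `--privileged` and host networking, so anything pulled in at build time runs as root with host device access. I would pin each clone to a reviewed commit and verify the tarball digest before `tar`, as sketched below with placeholder values; the recursive clones also need their submodules updated after the checkout. Two smaller defects in the same hunk: `RUN export MAKEFLAGS="-j$(nproc)"` has no effect on the following `RUN make` lines because each `RUN` starts a new shell, and `apt-get upgrade` lacks `-y`, so it will likely abort the build whenever upgrades are pending.

```dockerfile
# Pin the upstream to a reviewed commit (placeholder value, to be filled in)
ARG YOSYS_REF=REPLACE_WITH_REVIEWED_COMMIT
RUN git clone https://github.com/YosysHQ/yosys.git /tools/yosys \
 && git -C /tools/yosys checkout --detach "${YOSYS_REF}"
# … unchanged: yosys build and install; same pinning for the other five clones …

# Verify the Bluespec release tarball before unpacking (placeholder digest)
ARG BSC_SHA256=REPLACE_WITH_REVIEWED_SHA256
WORKDIR /tmp
RUN wget https://github.com/B-Lang-org/bsc/releases/download/2021.07/bsc-2021.07-ubuntu-20.04.tar.gz \
 && echo "${BSC_SHA256}  bsc-2021.07-ubuntu-20.04.tar.gz" | sha256sum -c - \
 && tar xzf bsc-2021.07-ubuntu-20.04.tar.gz \
 && mv bsc-2021.07-ubuntu-20.04 /tools/bsc-2021.07-ubuntu-20.04 \
 && rm bsc-2021.07-ubuntu-20.04.tar.gz
```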
diff --git a/README.md b/README.md
index bd6d675..5bf9d68 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,174 @@
# HARDENS
+## Copyright (C) Galois 2021
+## Principal Investigator: Joe Kiniry
+## Project Lead: Andrew Bivin
+## Research Engineers: Alexander Bakst and Michal Podhradsky
+
Repository for the HARDENS project for the [Nuclear Regulatory Commission](https://www.nrc.gov/about-nrc.html).
+
+## Overview
+
+The goal of HARDENS is to provide to the NRC expert technical services
+in order to (1) develop a better understanding of how Model-Based
+Systems Engineering (MBSE) methods and tools can support regulatory
+reviews of adequate design and design assurance, and (2) identify any
+barriers or gaps associated with MBSE in a regulatory review of
+Digital Instrumentation and Control Systems for existing Nuclear Power
+Plants (NPPs).
+
+In the HARDENS project Galois will demonstrate to the Nuclear
+Regulatory Commission (NRC) cutting- edge capabilities in the
+model-based design, validation, and verification of safety-critical,
+mission-critical, high-assurance systems. Our demonstrator includes
+high-assurance software and hardware, includes open source RISC-V
+Central Processing Units (CPUs), and lays the groundwork for a
+high-assurance reusable product for safety critical Digital
+Instrumentation and Control Systems systems in NPPs.
+
+Details about the HARDENS project are found in our
+[original proposal](docs/HARDENS.pdf), which was written in response
+to the [original NRC RFP](docs/RFP.pdf).
+
+This document summarizes the current state of affairs of the project
+and demonstrator.
+
+## Task 1: Implementation
+
+As described in our proposal and the project Statement of Work, in
+Task 1 (Implementation), the first task of the HARDENS project, Galois
+will implement the system described above using both (1) highly
+integrated computer-based engineering development processes and (2)
+model-based systems engineering. All the modules of the simple
+protection system will be modeled functionally, and one FPGA-based
+circuit card will be modeled/designed in detail. The deliverable will
+be the model-based design itself. We will use Galois’s RDE process and
+methodology to achieve this goal, as well as the V&V in Task 2.
+
+All project models---the SysMLv2 model, the executable, rigorously
+validated and formally verified Cryptol model, and the semi-formal and
+formal requirements model---are included in this release and are found
+in the `develop` branch of the repository.
+
+Also, the initial implementation of the system which runs as an
+application on a POSIX host (e.g., a Linux or macOS development
+machine or in the HARDENS Docker image) is found in the
+as-of-yet-unmerged `c-impl` branch in the HARDENS repository. That
+implementation includes both hand-written C code conforming to the
+model-based specifications discussed above, as well as automatically
+synthesized formally verified sub-components, as described in the
+HARDENS proposal, for a small handful of critical sub-components.
+These synthesized components are generated in formally verified C
+source code and in the System Verilog HDL. The POSIX-based simulation
+can execute both the generated C components and the generated System Verilog
+components by means of a shim library wrapping the Verilated components.
+
+Finally, we have a formally verified RISC-V CPU, called the `nerv`
+CPU, built and tested on the ECP5-5G board. We have sketched out
+an initial three core SoC design using Bluespec SystemVerilog, but
+have not yet built that SoC for emulation or put it on the FGPA. We
+will accomplish such early in Task 2, and cross-compile our POSIX C
+implementation to that SoC. That ongoing work is found in the `nerv`
+branch of the repository.
+
+## Repository Structure
+
+The repository is structured as follows:
+
+- [specs](./specs) contains a domain model (`*.lando`, `*.lobot`), requirements
+ (exported from `FRET` to `RTS_requirements.json`), and a specification of the RTS architecture
+ (`*.sysml`).
+- [models](./models) contains the executable Cryptol model
+- [assets](./assets) and [docs](./docs) contain project and device documentation
+
+## Submodules
+
+This repository does not currently use any submodules. If/when it
+does, initialize with:
+
+```
+$ git submodule init
+$ git submodule update --recursive
+```
+
+## Docker
+
+A Docker container has been built to make for easier use, evaluation,
+reusability, and repeatibility of project results. We are adding
+tools to this container as necessary during project execution.
+
+### HARDENS Container
+
+To build and run the core HARDENS Docker image, use the `build` and
+`run` commands.
+
+```
+$ docker build -t hardens:latest .
+$ docker run --network host --privileged -v $PWD:/HARDENS -it hardens:latest
+```
+
+In order to run a long-lived Docker container for reuse, use a `docker
+run` command like the following, ensuring that you are in the right
+directory in order to bind your sandbox properly into the container.
+
+```
+$ docker run -d -it --name HARDENS --network host --privileged -v $PWD:/HARDENS hardens:latest
+```
+
+After running such a detacted container, attach to it for interactive
+use by running a command like:
+```
+$ docker exec -it HARDENS bash -l
+```
+
+### SysMLv2 Container
+
+To pull and use the pre-build SysMLv2 container, use the following
+`pull` command to pull the container from DockerHub. See
+https://hub.docker.com/r/gorenje/sysmlv2-jupyter for details.
+
+```
+$ docker pull gorenje/sysmlv2-jupyter:latest
+$ docker run -d -it --name SysMLv2 --network host -v $PWD:/HARDENS gorenje/sysmlv2-jupyter:latest
+```
+
+## Lattice ECP5 evaluation board
+
+We are using an ECP5-5G FPGA board for the RTS demonstrator.
+
+Details [here](https://www.latticesemi.com/products/developmentboardsandkits/ecp5evaluationboard#_C694C444BC684AD48A3ED64C227B6455). The board uses ECP5-5G FPGA ([LFE5UM5G-85F-8BG381](https://www.latticesemi.com/en/Products/FPGAandCPLD/ECP5)) which has:
+
+- 84k LUTs
+- On-board Boot Flash – 128 Mbit Serial Peripheral Interface (SPI) Flash, with Quad read featu
+- 8 input DIP switches, 3 push buttons and 8 LEDs for demo purposes
+
+![ECP_board](assets/ecp5_top.png)
+
+### GPIO headers
+
+Headers are: J5, J8, J32, J33 and Max I_OUT for 3V3 is 1.35A
+
+J5 Pinout:
+
+* 1, 2 - VCCIO2 (Sensor 1 VIN, Sensor 2 VIN)
+* 3, 4 - H20, G19 (Sensor 1 I2C)
+* 5, 6 - GND (Sensor 1 GND, Sensor 2 GND)
+* 7, 8 - K18, J18 (Sensor 2 I2C)
+
+### LEDs:
+
+![ECP_LED](assets/ecp5_leds.png)
+
+### Switches
+
+![ECP_DIP](assets/ecp5_dip.png)
+
+### Buttons
+
+General purpose button `SW4` is connected to `P4`
+
+## Sensors/Actuators
+
+* MOSFET power control kit: https://www.sparkfun.com/products/12959
+* 12 V Latch solenoid: https://www.sparkfun.com/products/15324
+* Pressure sensor: https://www.sparkfun.com/products/11084
diff --git a/Toolchain.md b/Toolchain.md
new file mode 100644
index 0000000..17bd5e9
--- /dev/null
+++ b/Toolchain.md
@@ -0,0 +1,79 @@
+# Toolchain
+
+Internal documentation explaining different pieces of the toolchain.
+
+Note that [this page](https://craigjb.com/2020/01/22/ecp5/#appendix---installing-the-symbiflow-tools) was very helpful for setting up the toolchains.
+
+## Symbiflow
+
+- https://symbiflow.readthedocs.io/en/latest/
+- https://github.com/SymbiFlow/symbiflow-arch-defs
+
+Symbiflow claims to be an umbrella tool encapsulating all the elements of Electronic Design Automation ([EDA](https://en.wikipedia.org/wiki/Electronic_design_automation)) workflow:
+
+![eda](assets/symbiflow_eda.svg)
+
+Specifically we are talking about the following tools:
+
+![tools](assets/symbiflow_parts.svg)
+
+Interestingly, Symbiflow claims to support Lattice ECP5 board, but doesn't provide any examples so the usability of Symbiflow proper is questionable.
+A brief google search also indicates that for ECP5 a combination of Yosys+Prjtrellis is used, not Symbiflow.
+
+## Yosys
+
+- https://github.com/YosysHQ/yosys
+
+Yosys is tool suite that contains a Verilog synthesis tool. The way I understand it is that it reads multiple Verilog files, does some optimizations, and returns a single Verilog file that can be then used to generate a bitstream.
+
+## Project Trellis
+
+- https://github.com/YosysHQ/prjtrellis
+
+Project Trellis enables a fully open-source flow for ECP5 FPGAs using *Yosys* for Verilog synthesis and *nextpnr* for place and route. Project Trellis itself provides the device database and tools for bitstream creation.
+
+## nextpnr
+
+- https://github.com/YosysHQ/nextpnr
+
+nextpnr portable FPGA place and route tool.
+
+## ecpprog
+
+- https://github.com/gregdavill/ecpprog
+
+For programming the flash memory of ECP5.
+
+## Icarus Verilog
+
+- http://iverilog.icarus.com/
+
+Stricter Verilog parser than Yosys, used by the *icicle* project for validation.
+
+## Other tools
+
+### Migen, Litex
+
+- https://github.com/m-labs/migen
+- https://github.com/litex-hub
+
+High level tools for designing hardware. *Migen* lets you create hardware in Python.
+
+### Older prebuilt ECP5 toolchain
+
+- https://github.com/xobs/ecp5-toolchain
+
+For reference only.
+
+### icicle
+
+- https://github.com/grahamedgecombe/icicle
+
+32-bit RISC-V system on chip for iCE40 and ECP5 FPGAs, has instructions for a build using Symbiflow/Yosys.
+
+```
+$ git clone https://github.com/grahamedgecombe/icicle
+$ cd icicle
+$ make BOARD=ecp5-evn syntax
+$ make BOARD=ecp5-evn
+```
diff --git a/assets/ecp5_dip.png b/assets/ecp5_dip.png
new file mode 100644
index 0000000..481ef9c
Binary files /dev/null and b/assets/ecp5_dip.png differ
diff --git a/assets/ecp5_leds.png b/assets/ecp5_leds.png
new file mode 100644
index 0000000..b728dda
Binary files /dev/null and b/assets/ecp5_leds.png differ
diff --git a/assets/ecp5_top.png b/assets/ecp5_top.png
new file mode 100644
index 0000000..a0a77c8
Binary files /dev/null and b/assets/ecp5_top.png differ
diff --git a/assets/symbiflow_eda.svg b/assets/symbiflow_eda.svg
new file mode 100644
index 0000000..f278a9c
--- /dev/null
+++ b/assets/symbiflow_eda.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/assets/symbiflow_parts.svg b/assets/symbiflow_parts.svg
new file mode 100644
index 0000000..97296de
--- /dev/null
+++ b/assets/symbiflow_parts.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/docs/ECP-5/board_photos/LFE5UM5G-85F-EVN-revB-bottom.png b/docs/ECP-5/board_photos/LFE5UM5G-85F-EVN-revB-bottom.png
new file mode 100644
index 0000000..f35f304
Binary files /dev/null and b/docs/ECP-5/board_photos/LFE5UM5G-85F-EVN-revB-bottom.png differ
diff --git a/docs/ECP-5/board_photos/LFE5UM5G-85F-EVN-revB-side.png b/docs/ECP-5/board_photos/LFE5UM5G-85F-EVN-revB-side.png
new file mode 100644
index 0000000..6330d6e
Binary files /dev/null and b/docs/ECP-5/board_photos/LFE5UM5G-85F-EVN-revB-side.png differ
diff --git a/docs/ECP-5/board_photos/LFE5UM5G-85F-EVN-revB-top.png b/docs/ECP-5/board_photos/LFE5UM5G-85F-EVN-revB-top.png
new file mode 100644
index 0000000..43d9952
Binary files /dev/null and b/docs/ECP-5/board_photos/LFE5UM5G-85F-EVN-revB-top.png differ
diff --git a/docs/ECP-5/design_files/ecp5-5g_evaluation _brd_revb_18-0375_pcb_0524.zip b/docs/ECP-5/design_files/ecp5-5g_evaluation _brd_revb_18-0375_pcb_0524.zip
new file mode 100644
index 0000000..237fc1d
Binary files /dev/null and b/docs/ECP-5/design_files/ecp5-5g_evaluation _brd_revb_18-0375_pcb_0524.zip differ
diff --git a/docs/ECP-5/design_files/ecp5_evaluation_board_default_demo.zip b/docs/ECP-5/design_files/ecp5_evaluation_board_default_demo.zip
new file mode 100644
index 0000000..4138d4a
Binary files /dev/null and b/docs/ECP-5/design_files/ecp5_evaluation_board_default_demo.zip differ
diff --git a/docs/ECP-5/design_files/ecp5_evaluation_board_rev-b_05242018.zip b/docs/ECP-5/design_files/ecp5_evaluation_board_rev-b_05242018.zip
new file mode 100644
index 0000000..0f66cae
Binary files /dev/null and b/docs/ECP-5/design_files/ecp5_evaluation_board_rev-b_05242018.zip differ
diff --git a/docs/ECP-5/docs/107439.pdf b/docs/ECP-5/docs/107439.pdf
new file mode 100644
index 0000000..ec0e38d
Binary files /dev/null and b/docs/ECP-5/docs/107439.pdf differ
diff --git a/docs/ECP-5/docs/ECP5ProductBrochure.pdf b/docs/ECP-5/docs/ECP5ProductBrochure.pdf
new file mode 100644
index 0000000..112233b
Binary files /dev/null and b/docs/ECP-5/docs/ECP5ProductBrochure.pdf differ
diff --git a/docs/ECP-5/docs/ECP5UM85Pinout.csv b/docs/ECP-5/docs/ECP5UM85Pinout.csv
new file mode 100644
index 0000000..90e5694
--- /dev/null
+++ b/docs/ECP-5/docs/ECP5UM85Pinout.csv
@@ -0,0 +1,1119 @@
+# Pin Out For ECP5UM-85,,,,,,,,,,
+# Revision 1.0,,,,,,,,,,
+"# Revised Nov. 2, 2015",,,,,,,,,,
+,,,,,,,,,,
+PAD,Pin/Ball Function,Bank,Dual Function,Differential,High Speed,DQS,CABGA756,CABGA554,CABGA381,CSFBGA285
+1,NC,-,-,-,-,-,-,-,-,-
+2,NC,-,-,-,-,-,-,-,-,-
+3,NC,-,-,-,-,-,-,-,-,-
+4,NC,-,-,-,-,-,-,-,-,-
+5,NC,-,-,-,-,-,-,-,-,-
+6,PL11A,7,ULC_GPLL0T_IN,True_OF_PL11B,TRUE,LDQ17,C5,C2,A4,C12
+7,PL11B,7,ULC_GPLL0C_IN,Comp_OF_PL11A,TRUE,LDQ17,D5,C1,A5,B12
+8,VSSIO7,-,-,-,-,-,-,-,-,-
+9,PL11C,7,-,True_OF_PL11D,-,LDQ17,C4,C4,B5,-
+10,VCCIO7,-,-,-,-,-,-,-,-,-
+11,PL11D,7,-,Comp_OF_PL11C,-,LDQ17,C3,C3,C5,-
+12,PL14A,7,-,True_OF_PL14B,TRUE,LDQ17,D4,D4,C4,A12
+13,VCCAUX,-,-,-,-,-,-,-,-,-
+14,PL14C,7,-,True_OF_PL14D,-,LDQ17,F4,B1,A3,-
+15,PL14B,7,-,Comp_OF_PL14A,TRUE,LDQ17,E4,D3,B4,-
+16,VSS,-,-,-,-,-,-,-,-,-
+17,PL14D,7,-,Comp_OF_PL14C,-,LDQ17,F5,B3,B3,-
+18,PL17A,7,-,True_OF_PL17B,TRUE,LDQS17,B1,D2,E4,D13
+19,VCC,-,-,-,-,-,-,-,-,-
+20,PL17C,7,-,True_OF_PL17D,-,LDQ17,D3,E3,C3,-
+21,PL17B,7,-,Comp_OF_PL17A,TRUE,LDQSN17,C2,E1,D5,C13
+22,VSS,-,-,-,-,-,-,-,-,-
+23,PL17D,7,-,Comp_OF_PL17C,-,LDQ17,D2,D1,D3,-
+24,PL20A,7,-,True_OF_PL20B,TRUE,LDQ17,F3,F2,F4,-
+25,VSSIO7,-,-,-,-,-,-,-,-,-
+26,PL20C,7,-,True_OF_PL20D,-,LDQ17,C1,E4,E5,-
+27,PL20B,7,-,Comp_OF_PL20A,TRUE,LDQ17,E3,F1,E3,-
+28,VCCIO7,-,-,-,-,-,-,-,-,-
+29,PL20D,7,-,Comp_OF_PL20C,-,LDQ17,D1,F3,F5,-
+30,PL23A,7,-,True_OF_PL23B,TRUE,LDQ29,F2,-,-,-
+31,VSSIO7,-,-,-,-,-,-,-,-,-
+32,PL23C,7,-,True_OF_PL23D,-,LDQ29,F1,-,-,-
+33,PL23B,7,-,Comp_OF_PL23A,TRUE,LDQ29,E1,-,-,-
+34,VCCIO7,-,-,-,-,-,-,-,-,-
+35,PL23D,7,-,Comp_OF_PL23C,-,LDQ29,H1,-,-,-
+36,PL26A,7,-,True_OF_PL26B,TRUE,LDQ29,H2,-,-,-
+37,VCCAUX,-,-,-,-,-,-,-,-,-
+38,PL26C,7,-,True_OF_PL26D,-,LDQ29,J3,-,-,-
+39,PL26B,7,-,Comp_OF_PL26A,TRUE,LDQ29,H3,-,-,-
+40,VSS,-,-,-,-,-,-,-,-,-
+41,PL26D,7,-,Comp_OF_PL26C,-,LDQ29,K3,-,-,-
+42,PL29A,7,-,True_OF_PL29B,TRUE,LDQS29,K2,-,-,-
+43,VCC,-,-,-,-,-,-,-,-,-
+44,PL29C,7,-,True_OF_PL29D,-,LDQ29,K1,-,-,-
+45,PL29B,7,-,Comp_OF_PL29A,TRUE,LDQSN29,J1,-,-,-
+46,VSS,-,-,-,-,-,-,-,-,-
+47,PL29D,7,-,Comp_OF_PL29C,-,LDQ29,L1,-,-,-
+48,PL32A,7,-,True_OF_PL32B,TRUE,LDQ29,L2,-,-,-
+49,VSSIO7,-,-,-,-,-,-,-,-,-
+50,PL32C,7,-,True_OF_PL32D,-,LDQ29,J4,-,-,-
+51,PL32B,7,-,Comp_OF_PL32A,TRUE,LDQ29,L3,-,-,-
+52,VCCIO7,-,-,-,-,-,-,-,-,-
+53,PL32D,7,-,Comp_OF_PL32C,-,LDQ29,K4,-,-,-
+54,PL35A,7,-,True_OF_PL35B,TRUE,LDQ41,H6,F5,A2,B13
+55,VSSIO7,-,-,-,-,-,-,-,-,-
+56,PL35C,7,VREF1_7,True_OF_PL35D,-,LDQ41,J7,H5,B2,C15
+57,PL35B,7,-,Comp_OF_PL35A,TRUE,LDQ41,H5,F4,B1,A13
+58,VCCIO7,-,-,-,-,-,-,-,-,-
+59,PL35D,7,-,Comp_OF_PL35C,-,LDQ41,J6,H6,C2,A15
+60,PL38A,7,-,True_OF_PL38B,TRUE,LDQ41,K6,J6,C1,D15
+61,VCCAUX,-,-,-,-,-,-,-,-,-
+62,PL38C,7,-,True_OF_PL38D,-,LDQ41,K5,H4,D2,-
+63,PL38B,7,-,Comp_OF_PL38A,TRUE,LDQ41,K7,K6,D1,D16
+64,VSS,-,-,-,-,-,-,-,-,-
+65,PL38D,7,-,Comp_OF_PL38C,-,LDQ41,L4,L5,E1,-
+66,PL41A,7,GR_PCLK7_1,True_OF_PL41B,TRUE,LDQS41,N3,K5,H4,B15
+67,VCC,-,-,-,-,-,-,-,-,-
+68,PL41C,7,GR_PCLK7_0,True_OF_PL41D,-,LDQ41,L7,M6,H5,C16
+69,PL41B,7,-,Comp_OF_PL41A,TRUE,LDQSN41,N4,J4,G5,A16
+70,VSS,-,-,-,-,-,-,-,-,-
+71,PL41D,7,-,Comp_OF_PL41C,-,LDQ41,L6,M4,H3,-
+72,PL44A,7,PCLKT7_1,True_OF_PL44B,TRUE,LDQ41,N6,K4,G3,A17
+73,VSSIO7,-,-,-,-,-,-,-,-,-
+74,PL44C,7,PCLKT7_0,True_OF_PL44D,-,LDQ41,P6,N6,F2,B18
+75,PL44B,7,PCLKC7_1,Comp_OF_PL44A,TRUE,LDQ41,N7,L4,F3,B17
+76,VCCIO7,-,-,-,-,-,-,-,-,-
+77,PL44D,7,PCLKC7_0,Comp_OF_PL44C,-,LDQ41,P7,N5,E2,C17
+78,PL47A,6,PCLKT6_1,True_OF_PL47B,TRUE,LDQ53,P5,H3,G2,D17
+79,VSSIO6,-,-,-,-,-,-,-,-,-
+80,PL47C,6,PCLKT6_0,True_OF_PL47D,-,LDQ53,R7,H2,H2,D18
+81,PL47B,6,PCLKC6_1,Comp_OF_PL47A,TRUE,LDQ53,P4,J3,F1,C18
+82,VCCIO6,-,-,-,-,-,-,-,-,-
+83,PL47D,6,PCLKC6_0,Comp_OF_PL47C,-,LDQ53,T7,H1,G1,F18
+84,PL50A,6,GR_PCLK6_0,True_OF_PL50B,TRUE,LDQ53,R6,K2,J4,F17
+85,VCCAUX,-,-,-,-,-,-,-,-,-
+86,PL50C,6,GR_PCLK6_1,True_OF_PL50D,-,LDQ53,U6,K3,J3,F15
+87,PL50B,6,-,Comp_OF_PL50A,TRUE,LDQ53,T6,J1,J5,F16
+88,VSS,-,-,-,-,-,-,-,-,-
+89,PL50D,6,-,Comp_OF_PL50C,-,LDQ53,U7,L3,K3,G16
+90,PL53A,6,-,True_OF_PL53B,TRUE,LDQS53,R4,L2,K2,G18
+91,VCC,-,-,-,-,-,-,-,-,-
+92,PL53C,6,-,True_OF_PL53D,-,LDQ53,T4,K1,H1,-
+93,PL53B,6,-,Comp_OF_PL53A,TRUE,LDQSN53,T5,M1,J1,H17
+94,VSS,-,-,-,-,-,-,-,-,-
+95,PL53D,6,-,Comp_OF_PL53C,-,LDQ53,U5,L1,K1,-
+96,PL56A,6,-,True_OF_PL56B,TRUE,LDQ53,U4,N1,K4,G15
+97,VSSIO6,-,-,-,-,-,-,-,-,-
+98,PL56C,6,-,True_OF_PL56D,-,LDQ53,V6,N3,L4,H16
+99,PL56B,6,VREF1_6,Comp_OF_PL56A,TRUE,LDQ53,V4,N2,K5,H15
+100,VCCIO6,-,-,-,-,-,-,-,-,-
+101,PL56D,6,-,Comp_OF_PL56C,-,LDQ53,V7,M3,L5,J16
+102,PL59A,6,-,True_OF_PL59B,TRUE,LDQ65,P2,-,-,-
+103,VSSIO6,-,-,-,-,-,-,-,-,-
+104,PL59C,6,-,True_OF_PL59D,-,LDQ65,R3,-,-,-
+105,PL59B,6,-,Comp_OF_PL59A,TRUE,LDQ65,P3,-,-,-
+106,VCCIO6,-,-,-,-,-,-,-,-,-
+107,PL59D,6,-,Comp_OF_PL59C,-,LDQ65,T3,-,-,-
+108,PL62A,6,-,True_OF_PL62B,TRUE,LDQ65,N1,-,-,-
+109,VCCAUX,-,-,-,-,-,-,-,-,-
+110,PL62C,6,-,True_OF_PL62D,-,LDQ65,U2,-,-,-
+111,PL62B,6,-,Comp_OF_PL62A,TRUE,LDQ65,P1,-,-,-
+112,VSS,-,-,-,-,-,-,-,-,-
+113,PL62D,6,-,Comp_OF_PL62C,-,LDQ65,U3,-,-,-
+114,PL65A,6,-,True_OF_PL65B,TRUE,LDQS65,R1,-,-,-
+115,VCC,-,-,-,-,-,-,-,-,-
+116,PL65C,6,-,True_OF_PL65D,-,LDQ65,W3,-,-,-
+117,PL65B,6,-,Comp_OF_PL65A,TRUE,LDQSN65,T2,-,-,-
+118,VSS,-,-,-,-,-,-,-,-,-
+119,PL65D,6,-,Comp_OF_PL65C,-,LDQ65,Y3,-,-,-
+120,PL68A,6,-,True_OF_PL68B,TRUE,LDQ65,T1,-,-,-
+121,VSSIO6,-,-,-,-,-,-,-,-,-
+122,PL68C,6,-,True_OF_PL68D,-,LDQ65,V1,-,-,-
+123,PL68B,6,-,Comp_OF_PL68A,TRUE,LDQ65,U1,-,-,-
+124,VCCIO6,-,-,-,-,-,-,-,-,-
+125,PL68D,6,-,Comp_OF_PL68C,-,LDQ65,W1,-,-,-
+126,PL71A,6,-,True_OF_PL71B,TRUE,LDQ77,Y7,P4,-,-
+127,VSSIO6,-,-,-,-,-,-,-,-,-
+128,PL71C,6,-,True_OF_PL71D,-,LDQ77,Y5,P6,-,-
+129,PL71B,6,-,Comp_OF_PL71A,TRUE,LDQ77,Y6,P5,-,-
+130,VCCIO6,-,-,-,-,-,-,-,-,-
+131,PL71D,6,-,Comp_OF_PL71C,-,LDQ77,W5,N4,-,-
+132,PL74A,6,-,True_OF_PL74B,TRUE,LDQ77,Y4,R4,-,-
+133,VCCAUX,-,-,-,-,-,-,-,-,-
+134,PL74C,6,-,True_OF_PL74D,-,LDQ77,AB7,R6,-,-
+135,PL74B,6,-,Comp_OF_PL74A,TRUE,LDQ77,W4,T5,-,-
+136,VSS,-,-,-,-,-,-,-,-,-
+137,PL74D,6,-,Comp_OF_PL74C,-,LDQ77,AC6,T4,-,-
+138,PL77A,6,-,True_OF_PL77B,TRUE,LDQS77,AB5,V4,M5,-
+139,VCC,-,-,-,-,-,-,-,-,-
+140,PL77C,6,-,True_OF_PL77D,-,LDQ77,AC7,U6,-,-
+141,PL77B,6,-,Comp_OF_PL77A,TRUE,LDQSN77,AB6,U5,-,-
+142,VSS,-,-,-,-,-,-,-,-,-
+143,PL77D,6,-,Comp_OF_PL77C,-,LDQ77,AD7,U4,-,-
+144,PL80A,6,-,True_OF_PL80B,TRUE,LDQ77,AD6,W4,-,-
+145,VSSIO6,-,-,-,-,-,-,-,-,-
+146,PL80C,6,-,True_OF_PL80D,-,LDQ77,AE5,W5,-,-
+147,PL80B,6,-,Comp_OF_PL80A,TRUE,LDQ77,AE6,V6,-,-
+148,VCCIO6,-,-,-,-,-,-,-,-,-
+149,PL80D,6,-,Comp_OF_PL80C,-,LDQ77,AE4,W6,-,-
+150,PL83A,6,-,True_OF_PL83B,TRUE,LDQ89,AB3,T3,M4,-
+151,VSSIO6,-,-,-,-,-,-,-,-,-
+152,PL83C,6,-,True_OF_PL83D,-,LDQ89,AC5,R3,N4,J17
+153,PL83B,6,-,Comp_OF_PL83A,TRUE,LDQ89,AB4,U3,N5,-
+154,VCCIO6,-,-,-,-,-,-,-,-,-
+155,PL83D,6,-,Comp_OF_PL83C,-,LDQ89,AD4,P3,P5,H18
+156,PL86A,6,-,True_OF_PL86B,TRUE,LDQ89,W2,P2,N3,J18
+157,VCCAUX,-,-,-,-,-,-,-,-,-
+158,PL86C,6,-,True_OF_PL86D,-,LDQ89,AD3,T2,L3,K16
+159,PL86B,6,-,Comp_OF_PL86A,TRUE,LDQ89,Y1,P1,M3,K18
+160,VSS,-,-,-,-,-,-,-,-,-
+161,PL86D,6,-,Comp_OF_PL86C,-,LDQ89,AE3,R1,L2,K15
+162,PL89A,6,-,True_OF_PL89B,TRUE,LDQS89,AC3,V1,N2,K17
+163,VCC,-,-,-,-,-,-,-,-,-
+164,PL89C,6,-,True_OF_PL89D,-,LDQ89,AC2,U1,L1,L15
+165,PL89B,6,-,Comp_OF_PL89A,TRUE,LDQSN89,AB2,U2,M1,L18
+166,VSS,-,-,-,-,-,-,-,-,-
+167,PL89D,6,-,Comp_OF_PL89C,-,LDQ89,AE2,T1,N1,L16
+168,PL92A,6,-,True_OF_PL92B,TRUE,LDQ89,AB1,V3,P1,-
+169,VSSIO6,-,-,-,-,-,-,-,-,-
+170,PL92B,6,-,Comp_OF_PL92A,TRUE,LDQ89,AC1,W1,P2,-
+171,VCCIO6,-,-,-,-,-,-,-,-,-
+172,PL92C,6,LLC_GPLL0T_IN,True_OF_PL92D,-,LDQ89,AD1,W2,P3,M16
+173,PL92D,6,LLC_GPLL0C_IN,Comp_OF_PL92C,-,LDQ89,AE1,W3,P4,M17
+174,NC,-,-,-,-,-,-,-,-,-
+175,NC,-,-,-,-,-,-,-,-,-
+176,GND,-,-,-,-,-,-,-,-,-
+177,VCC,-,-,-,-,-,-,-,-,-
+178,VCC,-,-,-,-,-,-,-,-,-
+179,VSS,-,-,-,-,-,-,-,-,-
+180,PB4A,8,D7/IO7,True_OF_PB4B,-,-,AG1,AA1,R1,N15
+181,PB6A,8,D5/MISO2/IO5,True_OF_PB6B,-,-,AJ1,AC1,U1,N17
+182,VCC,-,-,-,-,-,-,-,-,-
+183,PB4B,8,D6/IO6,Comp_OF_PB4A,-,-,AH1,AB1,T1,N16
+184,PB6B,8,D4/MOSI2/IO4,Comp_OF_PB6A,-,-,AK1,AD1,V1,M18
+185,VSS,-,-,-,-,-,-,-,-,-
+186,PB9A,8,D3/IO3,True_OF_PB9B,-,-,AL1,AE1,W1,N18
+187,PB11A,8,D1/MISO/IO1,True_OF_PB11B,-,-,AJ2,AD2,V2,T18
+188,VSSIO8,-,-,-,-,-,-,-,-,-
+189,PB9B,8,D2/IO2,Comp_OF_PB9A,-,-,AM2,AF2,Y2,R18
+190,PB11B,8,D0/MOSI/IO0,Comp_OF_PB11A,-,-,AK2,AE2,W2,U18
+191,VCCIO8,-,-,-,-,-,-,-,-,-
+192,PB13A,8,SN/CSN,True_OF_PB13B,-,-,AG3,AB2,T2,R17
+193,PB15A,8,HOLDN/DI/BUSY/CSSPIN/CEN,True_OF_PB15B,-,-,AJ3,AA2,R2,U17
+194,VSSIO8,-,-,-,-,-,-,-,-,-
+195,PB13B,8,CS1N,Comp_OF_PB13A,-,-,AH3,AC2,U2,T17
+196,PB15B,8,DOUT/CSON,Comp_OF_PB15A,-,-,AK3,AB3,R3,V17
+197,VCCIO8,-,-,-,-,-,-,-,-,-
+198,PB18A,8,WRITEN,-,-,-,AL3,AD3,T3,R16
+199,INITN,8,-,-,-,-,AG4,AF3,V3,V16
+200,VCCAUX,-,-,-,-,-,-,-,-,-
+201,CCLK,8,MCLK/SCK,-,-,-,AM3,AE3,U3,U16
+202,PROGRAMN,8,-,-,-,-,AH4,AB4,W3,T15
+203,VSS,-,-,-,-,-,-,-,-,-
+204,DONE,8,-,-,-,-,AJ4,AC4,Y3,U15
+205,CFG_1,8,-,-,-,-,AL4,AE4,T4,T14
+206,VCC,-,-,-,-,-,-,-,-,-
+207,CFG_2,8,-,-,-,-,AK4,AD4,R4,V15
+208,CFG_0,8,-,-,-,-,AM4,AF4,U4,U14
+209,VSS,-,-,-,-,-,-,-,-,-
+210,TDO,40,-,-,-,-,AG5,AB5,V4,V14
+211,TCK,40,-,-,-,-,AK5,AD5,T5,U13
+212,VSSIO8,-,-,-,-,-,-,-,-,-
+213,TDI,40,-,-,-,-,AJ5,AC5,R5,T13
+214,TMS,40,-,-,-,-,AM5,AE5,U5,V13
+215,VCCIO8,-,-,-,-,-,-,-,-,-
+216,VCC,-,-,-,-,-,-,-,-,-
+217,VCC,-,-,-,-,-,-,-,-,-
+218,VSS,-,-,-,-,-,-,-,-,-
+219,VSS,-,-,-,-,-,-,-,-,-
+220,VCC,-,-,-,-,-,-,-,-,-
+221,VCC,-,-,-,-,-,-,-,-,-
+222,VSSA0_D0CH0,-,-,-,-,-,-,-,-,-
+223,VCCATX0_D0CH0,-,-,-,-,-,-,-,-,-
+224,HDTXP0_D0CH0,50,-,True_OF_HDTXN0_D0CH0,-,-,AK9,AD7,W4,V12
+225,VCCHTX0_D0CH0,-,-,-,-,-,AC13,W10,T7,U12
+226,HDTXN0_D0CH0,50,-,Comp_OF_HDTXP0_D0CH0,-,-,AK10,AD8,W5,V11
+227,VSSA0_D0CH0,-,-,-,-,-,-,-,-,-
+228,VCCARX0_D0CH0,-,-,-,-,-,-,-,-,-
+229,HDRXP0_D0CH0,50,-,True_OF_HDRXN0_D0CH0,-,-,AM8,AF6,Y5,V9
+230,VCCARX0_D0CH0,-,-,-,-,-,-,-,-,-
+231,VCCHRX0_D0CH0,-,-,-,-,-,AC14,W11,T8,U8
+232,HDRXN0_D0CH0,50,-,Comp_OF_HDRXP0_D0CH0,-,-,AM9,AF7,Y6,V8
+233,VSSA0_D0CH0,-,-,-,-,-,-,-,-,-
+234,VSSA1_D0CH1,-,-,-,-,-,-,-,-,-
+235,HDRXP0_D0CH1,50,-,True_OF_HDRXN0_D0CH1,-,-,AM11,AF9,Y7,V6
+236,VCCARX1_D0CH1,-,-,-,-,-,-,-,-,-
+237,VCCHRX1_D0CH1,-,-,-,-,-,AC15,W12,T9,U6
+238,HDRXN0_D0CH1,50,-,Comp_OF_HDRXP0_D0CH1,-,-,AM12,AF10,Y8,V5
+239,VCCARX1_D0CH1,-,-,-,-,-,-,-,-,-
+240,VSSA1_D0CH1,-,-,-,-,-,-,-,-,-
+241,HDTXP0_D0CH1,50,-,True_OF_HDTXN0_D0CH1,-,-,AK12,AD10,W8,V3
+242,VCCHTX1_D0CH1,-,-,-,-,-,AC16,W13,T10,T5
+243,HDTXN0_D0CH1,50,-,Comp_OF_HDTXP0_D0CH1,-,-,AK13,AD11,W9,V2
+244,VCCATX1_D0CH1,-,-,-,-,-,-,-,-,-
+245,VSSA1_D0CH1,-,-,-,-,-,-,-,-,-
+246,RESERVED,-,-,True_OF_ATSTN_D0,-,-,AK15,AD13,W10,-
+247,VCCA_D0,-,-,-,-,-,-,-,-,-
+248,RESERVED,-,-,Comp_OF_ATSTP_D0,-,-,AK16,AD14,W11,-
+249,VSSA_D0,-,-,-,-,-,-,-,-,-
+250,VSSA_D0,-,-,-,-,-,-,-,-,-
+251,REFCLKP_D0,50,-,True_OF_REFCLKN_D0,-,-,AM14,AF12,Y11,U1
+252,VCCA25_D0,-,-,-,-,-,-,-,-,-
+253,REFCLKN_D0,50,-,Comp_OF_REFCLKP_D0,-,-,AM15,AF13,Y12,T1
+254,VSSA0_D1CH0,-,-,-,-,-,-,-,-,-
+255,VCCATX0_D1CH0,-,-,-,-,-,-,-,-,-
+256,HDTXP0_D1CH0,51,-,True_OF_HDTXN0_D1CH0,-,-,AK18,AD16,W13,-
+257,VCCHTX0_D1CH0,-,-,-,-,-,AC17,W14,T11,-
+258,HDTXN0_D1CH0,51,-,Comp_OF_HDTXP0_D1CH0,-,-,AK19,AD17,W14,-
+259,VSSA0_D1CH0,-,-,-,-,-,-,-,-,-
+260,VCCARX0_D1CH0,-,-,-,-,-,-,-,-,-
+261,HDRXP0_D1CH0,51,-,True_OF_HDRXN0_D1CH0,-,-,AM17,AF15,Y14,-
+262,VCCARX0_D1CH0,-,-,-,-,-,-,-,-,-
+263,VCCHRX0_D1CH0,-,-,-,-,-,AC18,W15,T12,-
+264,HDRXN0_D1CH0,51,-,Comp_OF_HDRXP0_D1CH0,-,-,AM18,AF16,Y15,-
+265,VSSA0_D1CH0,-,-,-,-,-,-,-,-,-
+266,VSSA1_D1CH1,-,-,-,-,-,-,-,-,-
+267,HDRXP0_D1CH1,51,-,True_OF_HDRXN0_D1CH1,-,-,AM20,AF18,Y16,-
+268,VCCARX1_D1CH1,-,-,-,-,-,-,-,-,-
+269,VCCHRX1_D1CH1,-,-,-,-,-,AC19,W16,T13,-
+270,HDRXN0_D1CH1,51,-,Comp_OF_HDRXP0_D1CH1,-,-,AM21,AF19,Y17,-
+271,VCCARX1_D1CH1,-,-,-,-,-,-,-,-,-
+272,VSSA1_D1CH1,-,-,-,-,-,-,-,-,-
+273,HDTXP0_D1CH1,51,-,True_OF_HDTXN0_D1CH1,-,-,AK21,AD19,W17,-
+274,VCCHTX1_D1CH1,-,-,-,-,-,AC20,W17,T14,-
+275,HDTXN0_D1CH1,51,-,Comp_OF_HDTXP0_D1CH1,-,-,AK22,AD20,W18,-
+276,VCCATX1_D1CH1,-,-,-,-,-,-,-,-,-
+277,VSSA1_D1CH1,-,-,-,-,-,-,-,-,-
+278,RESERVED,-,-,True_OF_ATSTN_D1,-,-,AK24,AD22,-,-
+279,VCCA_D1,-,-,-,-,-,-,-,-,-
+280,RESERVED,-,-,Comp_OF_ATSTP_D1,-,-,AK25,AD23,-,-
+281,VSSA_D1,-,-,-,-,-,-,-,-,-
+282,VSSA_D1,-,-,-,-,-,-,-,-,-
+283,REFCLKP_D1,51,-,True_OF_REFCLKN_D1,-,-,AM23,AF21,Y19,-
+284,VCCA25_D1,-,-,-,-,-,-,-,-,-
+285,REFCLKN_D1,51,-,Comp_OF_REFCLKP_D1,-,-,AM24,AF22,W20,-
+286,VCC,-,-,-,-,-,-,-,-,-
+287,VCC,-,-,-,-,-,-,-,-,-
+288,VSS,-,-,-,-,-,-,-,-,-
+289,VSS,-,-,-,-,-,-,-,-,-
+290,PB96A,4,-,True_OF_PB96B,-,-,AM28,-,-,-
+291,PB98A,4,-,True_OF_PB98B,-,-,AL28,-,-,-
+292,VCC,-,-,-,-,-,-,-,-,-
+293,PB96B,4,-,Comp_OF_PB96A,-,-,AM29,-,-,-
+294,PB98B,4,-,Comp_OF_PB98A,-,-,AK28,-,-,-
+295,VSS,-,-,-,-,-,-,-,-,-
+296,PB101A,4,-,True_OF_PB101B,-,-,AK32,-,-,-
+297,PB103A,4,-,True_OF_PB103B,-,-,AM30,-,-,-
+298,VSSIO4,-,-,-,-,-,-,-,-,-
+299,PB101B,4,-,Comp_OF_PB101A,-,-,AJ32,-,-,-
+300,PB103B,4,-,Comp_OF_PB103A,-,-,AL30,-,-,-
+301,VCCIO4,-,-,-,-,-,-,-,-,-
+302,PB105A,4,-,True_OF_PB105B,-,-,AK31,-,-,-
+303,PB107A,4,-,True_OF_PB107B,-,-,AM31,AA22,-,-
+304,VSSIO4,-,-,-,-,-,-,-,-,-
+305,PB105B,4,-,Comp_OF_PB105A,-,-,AJ31,-,-,-
+306,PB107B,4,-,Comp_OF_PB107A,-,-,AL32,AA23,-,-
+307,VCCIO4,-,-,-,-,-,-,-,-,-
+308,PB110A,4,-,True_OF_PB110B,-,-,AG28,AB24,-,-
+309,PB112A,4,-,True_OF_PB112B,-,-,AJ28,AB25,-,-
+310,VCCAUX,-,-,-,-,-,-,-,-,-
+311,PB110B,4,-,Comp_OF_PB110A,-,-,AG29,AA24,-,-
+312,PB112B,4,-,Comp_OF_PB112A,-,-,AH28,AA25,-,-
+313,VSS,-,-,-,-,-,-,-,-,-
+314,PB114A,4,-,True_OF_PB114B,-,-,AH30,AE25,-,-
+315,PB116A,4,-,True_OF_PB116B,-,-,AK29,AF25,-,-
+316,VCC,-,-,-,-,-,-,-,-,-
+317,PB114B,4,-,Comp_OF_PB114A,-,-,AG30,AD25,-,-
+318,PB116B,4,-,Comp_OF_PB116A,-,-,AK30,AE26,-,-
+319,VSS,-,-,-,-,-,-,-,-,-
+320,PB119A,4,-,True_OF_PB119B,-,-,AH32,AD26,-,-
+321,PB121A,4,-,True_OF_PB121B,-,-,AJ29,AB26,-,-
+322,VSSIO4,-,-,-,-,-,-,-,-,-
+323,PB119B,4,-,Comp_OF_PB119A,-,-,AG32,AC26,-,-
+324,PB121B,4,-,Comp_OF_PB121A,-,-,AJ30,AA26,-,-
+325,VCCIO4,-,-,-,-,-,-,-,-,-
+326,VCC,-,-,-,-,-,-,-,-,-
+327,VCC,-,-,-,-,-,-,-,-,-
+328,VSS,-,-,-,-,-,-,-,-,-
+329,GND,-,-,-,-,-,-,-,-,-
+330,NC,-,-,-,-,-,-,-,-,-
+331,NC,-,-,-,-,-,-,-,-,-
+332,PR92D,3,LRC_GPLL0C_IN,Comp_OF_PR92C,-,RDQ89,AE32,W24,T17,N1
+333,PR92C,3,LRC_GPLL0T_IN,True_OF_PR92D,-,RDQ89,AD32,W25,U16,M1
+334,VCCIO3,-,-,-,-,-,-,-,-,-
+335,PR92B,3,-,Comp_OF_PR92A,TRUE,RDQ89,AC32,W26,U17,-
+336,VSSIO3,-,-,-,-,-,-,-,-,-
+337,PR92A,3,-,True_OF_PR92B,TRUE,RDQ89,AB32,V24,U18,-
+338,PR89D,3,-,Comp_OF_PR89C,-,RDQ89,AE31,T26,T18,N2
+339,VSS,-,-,-,-,-,-,-,-,-
+340,PR89B,3,-,Comp_OF_PR89A,TRUE,RDQSN89,AB31,U25,R18,L1
+341,PR89C,3,-,True_OF_PR89D,-,RDQ89,AC31,U26,U19,M2
+342,VCC,-,-,-,-,-,-,-,-,-
+343,PR89A,3,-,True_OF_PR89B,TRUE,RDQS89,AC30,V26,T19,K2
+344,PR86D,3,-,Comp_OF_PR86C,-,RDQ89,AE30,R26,U20,K1
+345,VSS,-,-,-,-,-,-,-,-,-
+346,PR86B,3,-,Comp_OF_PR86A,TRUE,RDQ89,Y32,P26,R20,L3
+347,PR86C,3,-,True_OF_PR86D,-,RDQ89,AD30,T25,T20,K3
+348,VCCAUX,-,-,-,-,-,-,-,-,-
+349,PR86A,3,-,True_OF_PR86B,TRUE,RDQ89,W31,P25,P20,M3
+350,PR83D,3,-,Comp_OF_PR83C,-,RDQ89,AD29,P24,P18,N3
+351,VCCIO3,-,-,-,-,-,-,-,-,-
+352,PR83B,3,-,Comp_OF_PR83A,TRUE,RDQ89,AB29,U24,N20,L4
+353,PR83C,3,-,True_OF_PR83D,-,RDQ89,AC28,R24,P19,N4
+354,VSSIO3,-,-,-,-,-,-,-,-,-
+355,PR83A,3,-,True_OF_PR83B,TRUE,RDQ89,AB30,T24,N19,K4
+356,PR80D,3,-,Comp_OF_PR80C,-,RDQ77,AE29,W21,-,-
+357,VCCIO3,-,-,-,-,-,-,-,-,-
+358,PR80B,3,-,Comp_OF_PR80A,TRUE,RDQ77,AE27,V21,-,-
+359,PR80C,3,-,True_OF_PR80D,-,RDQ77,AE28,W22,-,-
+360,VSSIO3,-,-,-,-,-,-,-,-,-
+361,PR80A,3,-,True_OF_PR80B,TRUE,RDQ77,AD27,W23,-,-
+362,PR77D,3,-,Comp_OF_PR77C,-,RDQ77,AD26,U23,-,-
+363,VSS,-,-,-,-,-,-,-,-,-
+364,PR77B,3,-,Comp_OF_PR77A,TRUE,RDQSN77,AB27,U22,-,-
+365,PR77C,3,-,True_OF_PR77D,-,RDQ77,AC26,U21,-,-
+366,VCC,-,-,-,-,-,-,-,-,-
+367,PR77A,3,-,True_OF_PR77B,TRUE,RDQS77,AB28,V23,T16,-
+368,PR74D,3,-,Comp_OF_PR74C,-,RDQ77,AC27,T23,-,-
+369,VSS,-,-,-,-,-,-,-,-,-
+370,PR74B,3,-,Comp_OF_PR74A,TRUE,RDQ77,W29,T22,-,-
+371,PR74C,3,-,True_OF_PR74D,-,RDQ77,AB26,R21,-,-
+372,VCCAUX,-,-,-,-,-,-,-,-,-
+373,PR74A,3,-,True_OF_PR74B,TRUE,RDQ77,Y29,R23,-,-
+374,PR71D,3,-,Comp_OF_PR71C,-,RDQ77,W28,N23,-,-
+375,VCCIO3,-,-,-,-,-,-,-,-,-
+376,PR71B,3,-,Comp_OF_PR71A,TRUE,RDQ77,Y27,P22,-,-
+377,PR71C,3,-,True_OF_PR71D,-,RDQ77,Y28,P21,-,-
+378,VSSIO3,-,-,-,-,-,-,-,-,-
+379,PR71A,3,-,True_OF_PR71B,TRUE,RDQ77,Y26,P23,-,-
+380,PR68D,3,-,Comp_OF_PR68C,-,RDQ65,W32,-,-,-
+381,VCCIO3,-,-,-,-,-,-,-,-,-
+382,PR68B,3,-,Comp_OF_PR68A,TRUE,RDQ65,U32,-,-,-
+383,PR68C,3,-,True_OF_PR68D,-,RDQ65,V32,-,-,-
+384,VSSIO3,-,-,-,-,-,-,-,-,-
+385,PR68A,3,-,True_OF_PR68B,TRUE,RDQ65,T32,-,-,-
+386,PR65D,3,-,Comp_OF_PR65C,-,RDQ65,Y30,-,-,-
+387,VSS,-,-,-,-,-,-,-,-,-
+388,PR65B,3,-,Comp_OF_PR65A,TRUE,RDQSN65,T31,-,-,-
+389,PR65C,3,-,True_OF_PR65D,-,RDQ65,W30,-,-,-
+390,VCC,-,-,-,-,-,-,-,-,-
+391,PR65A,3,-,True_OF_PR65B,TRUE,RDQS65,R32,-,-,-
+392,PR62D,3,-,Comp_OF_PR62C,-,RDQ65,U30,-,-,-
+393,VSS,-,-,-,-,-,-,-,-,-
+394,PR62B,3,-,Comp_OF_PR62A,TRUE,RDQ65,P32,-,-,-
+395,PR62C,3,-,True_OF_PR62D,-,RDQ65,U31,-,-,-
+396,VCCAUX,-,-,-,-,-,-,-,-,-
+397,PR62A,3,-,True_OF_PR62B,TRUE,RDQ65,N32,-,-,-
+398,PR59D,3,-,Comp_OF_PR59C,-,RDQ65,T30,-,-,-
+399,VCCIO3,-,-,-,-,-,-,-,-,-
+400,PR59B,3,-,Comp_OF_PR59A,TRUE,RDQ65,P30,-,-,-
+401,PR59C,3,-,True_OF_PR59D,-,RDQ65,R30,-,-,-
+402,VSSIO3,-,-,-,-,-,-,-,-,-
+403,PR59A,3,-,True_OF_PR59B,TRUE,RDQ65,P31,-,-,-
+404,PR56D,3,-,Comp_OF_PR56C,-,RDQ53,V26,M24,R17,H1
+405,VCCIO3,-,-,-,-,-,-,-,-,-
+406,PR56B,3,VREF1_3,Comp_OF_PR56A,TRUE,RDQ53,V29,N25,P16,J1
+407,PR56C,3,-,True_OF_PR56D,-,RDQ53,V27,N24,R16,F1
+408,VSSIO3,-,-,-,-,-,-,-,-,-
+409,PR56A,3,-,True_OF_PR56B,TRUE,RDQ53,U29,N26,N17,J2
+410,PR53D,3,-,Comp_OF_PR53C,-,RDQ53,U28,L26,P17,-
+411,VSS,-,-,-,-,-,-,-,-,-
+412,PR53B,3,-,Comp_OF_PR53A,TRUE,RDQSN53,T28,M26,M17,G1
+413,PR53C,3,-,True_OF_PR53D,-,RDQ53,T29,K26,N18,-
+414,VCC,-,-,-,-,-,-,-,-,-
+415,PR53A,3,-,True_OF_PR53B,TRUE,RDQS53,R29,L25,N16,F2
+416,PR50D,3,-,Comp_OF_PR50C,-,RDQ53,U26,L24,M18,H2
+417,VSS,-,-,-,-,-,-,-,-,-
+418,PR50B,3,-,Comp_OF_PR50A,TRUE,RDQ53,T27,J26,L17,G3
+419,PR50C,3,GR_PCLK3_1,True_OF_PR50D,-,RDQ53,U27,K24,L18,J3
+420,VCCAUX,-,-,-,-,-,-,-,-,-
+421,PR50A,3,GR_PCLK3_0,True_OF_PR50B,TRUE,RDQ53,R27,K25,L16,H3
+422,PR47D,3,PCLKC3_0,Comp_OF_PR47C,-,RDQ53,T26,H26,M19,F3
+423,VCCIO3,-,-,-,-,-,-,-,-,-
+424,PR47B,3,PCLKC3_1,Comp_OF_PR47A,TRUE,RDQ53,P29,J24,M20,G4
+425,PR47C,3,PCLKT3_0,True_OF_PR47D,-,RDQ53,R26,H25,L19,F4
+426,VSSIO3,-,-,-,-,-,-,-,-,-
+427,PR47A,3,PCLKT3_1,True_OF_PR47B,TRUE,RDQ53,P28,H24,L20,H4
+428,PR44D,2,PCLKC2_0,Comp_OF_PR44C,-,RDQ41,P26,N22,K20,D1
+429,VCCIO2,-,-,-,-,-,-,-,-,-
+430,PR44B,2,PCLKC2_1,Comp_OF_PR44A,TRUE,RDQ41,N26,L23,K19,B1
+431,PR44C,2,PCLKT2_0,True_OF_PR44D,-,RDQ41,P27,N21,J20,C1
+432,VSSIO2,-,-,-,-,-,-,-,-,-
+433,PR44A,2,PCLKT2_1,True_OF_PR44B,TRUE,RDQ41,N27,K23,J19,D2
+434,PR41D,2,-,Comp_OF_PR41C,-,RDQ41,L27,M23,K18,-
+435,VSS,-,-,-,-,-,-,-,-,-
+436,PR41B,2,-,Comp_OF_PR41A,TRUE,RDQSN41,N29,J23,H20,B2
+437,PR41C,2,GR_PCLK2_0,True_OF_PR41D,-,RDQ41,L26,M21,J18,A2
+438,VCC,-,-,-,-,-,-,-,-,-
+439,PR41A,2,GR_PCLK2_1,True_OF_PR41B,TRUE,RDQS41,N30,K22,G19,A3
+440,PR38D,2,-,Comp_OF_PR38C,-,RDQ41,L29,L22,G20,-
+441,VSS,-,-,-,-,-,-,-,-,-
+442,PR38B,2,-,Comp_OF_PR38A,TRUE,RDQ41,K26,K21,F19,C2
+443,PR38C,2,-,True_OF_PR38D,-,RDQ41,K28,H23,F20,-
+444,VCCAUX,-,-,-,-,-,-,-,-,-
+445,PR38A,2,-,True_OF_PR38B,TRUE,RDQ41,K27,J21,E20,D3
+446,PR35D,2,-,Comp_OF_PR35C,-,RDQ41,J27,H21,E19,C3
+447,VCCIO2,-,-,-,-,-,-,-,-,-
+448,PR35B,2,-,Comp_OF_PR35A,TRUE,RDQ41,H28,F23,D19,C4
+449,PR35C,2,VREF1_2,True_OF_PR35D,-,RDQ41,J26,H22,D20,B4
+450,VSSIO2,-,-,-,-,-,-,-,-,-
+451,PR35A,2,-,True_OF_PR35B,TRUE,RDQ41,H27,F22,C20,D4
+452,PR32D,2,-,Comp_OF_PR32C,-,RDQ29,K29,-,-,-
+453,VCCIO2,-,-,-,-,-,-,-,-,-
+454,PR32B,2,-,Comp_OF_PR32A,TRUE,RDQ29,L30,-,-,-
+455,PR32C,2,-,True_OF_PR32D,-,RDQ29,J29,-,-,-
+456,VSSIO2,-,-,-,-,-,-,-,-,-
+457,PR32A,2,-,True_OF_PR32B,TRUE,RDQ29,L31,-,-,-
+458,PR29D,2,-,Comp_OF_PR29C,-,RDQ29,L32,-,-,-
+459,VSS,-,-,-,-,-,-,-,-,-
+460,PR29B,2,-,Comp_OF_PR29A,TRUE,RDQSN29,J32,-,K17,-
+461,PR29C,2,-,True_OF_PR29D,-,RDQ29,K32,-,-,-
+462,VCC,-,-,-,-,-,-,-,-,-
+463,PR29A,2,-,True_OF_PR29B,TRUE,RDQS29,K31,-,K16,-
+464,PR26D,2,-,Comp_OF_PR26C,-,RDQ29,K30,-,-,-
+465,VSS,-,-,-,-,-,-,-,-,-
+466,PR26B,2,-,Comp_OF_PR26A,TRUE,RDQ29,H30,-,-,-
+467,PR26C,2,-,True_OF_PR26D,-,RDQ29,J30,-,-,-
+468,VCCAUX,-,-,-,-,-,-,-,-,-
+469,PR26A,2,-,True_OF_PR26B,TRUE,RDQ29,H31,-,-,-
+470,PR23D,2,-,Comp_OF_PR23C,-,RDQ29,H32,-,-,-
+471,VCCIO2,-,-,-,-,-,-,-,-,-
+472,PR23B,2,-,Comp_OF_PR23A,TRUE,RDQ29,E32,-,-,-
+473,PR23C,2,-,True_OF_PR23D,-,RDQ29,F32,-,-,-
+474,VSSIO2,-,-,-,-,-,-,-,-,-
+475,PR23A,2,-,True_OF_PR23B,TRUE,RDQ29,F31,-,-,-
+476,PR20D,2,-,Comp_OF_PR20C,-,RDQ17,D32,F24,J16,-
+477,VCCIO2,-,-,-,-,-,-,-,-,-
+478,PR20B,2,-,Comp_OF_PR20A,TRUE,RDQ17,E30,F26,H17,A4
+479,PR20C,2,-,True_OF_PR20D,-,RDQ17,C32,E23,J17,-
+480,VSSIO2,-,-,-,-,-,-,-,-,-
+481,PR20A,2,-,True_OF_PR20B,TRUE,RDQ17,F30,F25,H18,A6
+482,PR17D,2,-,Comp_OF_PR17C,-,RDQ17,D31,D26,H16,-
+483,VSS,-,-,-,-,-,-,-,-,-
+484,PR17B,2,-,Comp_OF_PR17A,TRUE,RDQSN17,C31,E26,G18,A7
+485,PR17C,2,-,True_OF_PR17D,-,RDQ17,D30,E24,G16,-
+486,VCC,-,-,-,-,-,-,-,-,-
+487,PR17A,2,-,True_OF_PR17B,TRUE,RDQS17,B32,D25,F17,B6
+488,PR14D,2,-,Comp_OF_PR14C,-,RDQ17,F28,B24,F18,-
+489,VSS,-,-,-,-,-,-,-,-,-
+490,PR14B,2,-,Comp_OF_PR14A,TRUE,RDQ17,E29,D24,E17,C6
+491,PR14C,2,-,True_OF_PR14D,-,RDQ17,F29,B26,E18,-
+492,VCCAUX,-,-,-,-,-,-,-,-,-
+493,PR14A,2,-,True_OF_PR14B,TRUE,RDQ17,D29,D23,D18,D6
+494,PR11D,2,-,Comp_OF_PR11C,-,RDQ17,C30,C24,F16,-
+495,VCCIO2,-,-,-,-,-,-,-,-,-
+496,PR11C,2,-,True_OF_PR11D,-,RDQ17,C29,C23,E16,-
+497,VSSIO2,-,-,-,-,-,-,-,-,-
+498,PR11B,2,URC_GPLL0C_IN,Comp_OF_PR11A,TRUE,RDQ17,D28,C26,D17,B7
+499,PR11A,2,URC_GPLL0T_IN,True_OF_PR11B,TRUE,RDQ17,C28,C25,C18,C7
+500,NC,-,-,-,-,-,-,-,-,-
+501,NC,-,-,-,-,-,-,-,-,-
+502,NC,-,-,-,-,-,-,-,-,-
+503,NC,-,-,-,-,-,-,-,-,-
+504,NC,-,-,-,-,-,-,-,-,-
+505,GND,-,-,-,-,-,-,-,-,-
+506,VCC,-,-,-,-,-,-,-,-,-
+507,VSS,-,-,-,-,-,-,-,-,-
+508,VCC,-,-,-,-,-,-,-,-,-
+509,PT121B,1,URC_GPLL1C_IN,Comp_OF_PT121A,-,-,B30,A25,B20,C8
+510,VCCIO1,-,-,-,-,-,-,-,-,-
+511,PT119B,1,-,Comp_OF_PT119A,-,-,A31,B23,B19,-
+512,PT121A,1,URC_GPLL1T_IN,True_OF_PT121B,-,-,B29,A24,A19,B8
+513,VSSIO1,-,-,-,-,-,-,-,-,-
+514,PT119A,1,-,True_OF_PT119B,-,-,A30,A23,A18,-
+515,PT116B,1,-,Comp_OF_PT116A,-,-,A29,D22,B18,-
+516,VSS,-,-,-,-,-,-,-,-,-
+517,PT114B,1,-,Comp_OF_PT114A,-,-,D26,E21,C17,-
+518,PT116A,1,-,True_OF_PT116B,-,-,A28,C22,A17,-
+519,VCC,-,-,-,-,-,-,-,-,-
+520,PT114A,1,-,True_OF_PT114B,-,-,C26,D21,B17,-
+521,PT112B,1,-,Comp_OF_PT112A,-,-,B26,C21,D16,-
+522,VSS,-,-,-,-,-,-,-,-,-
+523,PT110B,1,-,Comp_OF_PT110A,-,-,F25,A22,B16,-
+524,PT112A,1,-,True_OF_PT112B,-,-,A26,B21,C16,-
+525,VCCAUX,-,-,-,-,-,-,-,-,-
+526,PT110A,1,-,True_OF_PT110B,-,-,E25,A21,A16,-
+527,PT107B,1,-,Comp_OF_PT107A,-,-,D25,A19,E15,-
+528,VCCIO1,-,-,-,-,-,-,-,-,-
+529,PT105B,1,-,Comp_OF_PT105A,-,-,B25,B19,C15,-
+530,PT107A,1,-,True_OF_PT107B,-,-,C25,A18,D15,-
+531,VSSIO1,-,-,-,-,-,-,-,-,-
+532,PT105A,1,-,True_OF_PT105B,-,-,A25,C19,B15,-
+533,PT103B,1,-,Comp_OF_PT103A,-,-,F24,D19,-,-
+534,VCCIO1,-,-,-,-,-,-,-,-,-
+535,PT101B,1,-,Comp_OF_PT101A,-,-,C24,D18,-,-
+536,PT103A,1,-,True_OF_PT103B,-,-,D24,E19,A15,-
+537,VSSIO1,-,-,-,-,-,-,-,-,-
+538,PT101A,1,-,True_OF_PT101B,-,-,A24,C18,-,-
+539,PT98B,1,-,Comp_OF_PT98A,-,-,F23,E17,-,-
+540,VSS,-,-,-,-,-,-,-,-,-
+541,PT96B,1,-,Comp_OF_PT96A,-,-,D23,C17,-,-
+542,PT98A,1,-,True_OF_PT98B,-,-,E23,D17,-,-
+543,VCC,-,-,-,-,-,-,-,-,-
+544,PT96A,1,-,True_OF_PT96B,-,-,C23,B17,-,-
+545,PT94B,1,-,Comp_OF_PT94A,-,-,B23,-,-,-
+546,VSS,-,-,-,-,-,-,-,-,-
+547,PT92B,1,-,Comp_OF_PT92A,-,-,F22,-,-,-
+548,PT94A,1,-,True_OF_PT94B,-,-,A23,-,-,-
+549,VCCAUX,-,-,-,-,-,-,-,-,-
+550,PT92A,1,-,True_OF_PT92B,-,-,E22,-,-,-
+551,PT89B,1,-,Comp_OF_PT89A,-,-,D22,-,-,-
+552,VCCIO1,-,-,-,-,-,-,-,-,-
+553,PT87B,1,-,Comp_OF_PT87A,-,-,B22,-,-,-
+554,PT89A,1,-,True_OF_PT89B,-,-,C22,-,-,-
+555,VSSIO1,-,-,-,-,-,-,-,-,-
+556,PT87A,1,-,True_OF_PT87B,-,-,A22,-,-,-
+557,PT85B,1,-,Comp_OF_PT85A,-,-,F20,A17,E14,-
+558,VCCIO1,-,-,-,-,-,-,-,-,-
+559,PT83B,1,-,Comp_OF_PT83A,-,-,C20,C16,C14,-
+560,PT85A,1,-,True_OF_PT85B,-,-,D20,A16,D14,-
+561,VSSIO1,-,-,-,-,-,-,-,-,-
+562,PT83A,1,-,True_OF_PT83B,-,-,A20,B16,A14,-
+563,PT80B,1,-,Comp_OF_PT80A,-,-,F19,E16,E13,-
+564,VSS,-,-,-,-,-,-,-,-,-
+565,PT78B,1,-,Comp_OF_PT78A,-,-,D19,A15,C13,-
+566,PT80A,1,-,True_OF_PT80B,-,-,E19,D16,D13,-
+567,VCC,-,-,-,-,-,-,-,-,-
+568,PT78A,1,-,True_OF_PT78B,-,-,C19,A14,B13,-
+569,PT76B,1,-,Comp_OF_PT76A,-,-,B19,B14,A13,-
+570,VCCIO1,-,-,-,-,-,-,-,-,-
+571,PT74B,1,GR_PCLK1_1,Comp_OF_PT74A,-,-,F18,C14,E12,-
+572,PT76A,1,-,True_OF_PT76B,-,-,A19,B13,A12,-
+573,VSSIO1,-,-,-,-,-,-,-,-,-
+574,PT74A,1,GR_PCLK1_0,True_OF_PT74B,-,-,D18,C13,D12,-
+575,PT71B,1,PCLKC1_0,Comp_OF_PT71A,-,-,C18,D14,C12,A8
+576,VSS,-,-,-,-,-,-,-,-,-
+577,PT69B,1,PCLKC1_1,Comp_OF_PT69A,-,-,F17,E14,E11,C9
+578,PT71A,1,PCLKT1_0,True_OF_PT71B,-,-,A18,D13,B12,A9
+579,VCC,-,-,-,-,-,-,-,-,-
+580,PT69A,1,PCLKT1_1,True_OF_PT69B,-,-,E17,E13,D11,B9
+581,VSS,-,-,-,-,-,-,-,-,-
+582,VCC,-,-,-,-,-,-,-,-,-
+583,PT65B,0,PCLKC0_0,Comp_OF_PT65A,-,-,D17,A13,C11,C10
+584,VCCIO0,-,-,-,-,-,-,-,-,-
+585,PT63B,0,PCLKC0_1,Comp_OF_PT63A,-,-,B17,D11,A11,A10
+586,PT65A,0,PCLKT0_0,True_OF_PT65B,-,-,C17,A12,B11,B10
+587,VSSIO0,-,-,-,-,-,-,-,-,-
+588,PT63A,0,PCLKT0_1,True_OF_PT63B,-,-,A17,E11,A10,A11
+589,PT60B,0,GR_PCLK0_0,Comp_OF_PT60A,-,-,A16,B11,B10,-
+590,VSS,-,-,-,-,-,-,-,-,-
+591,PT58B,0,-,Comp_OF_PT58A,-,-,C16,A11,C10,-
+592,PT60A,0,GR_PCLK0_1,True_OF_PT60B,-,-,B16,C11,A9,-
+593,VCC,-,-,-,-,-,-,-,-,-
+594,PT58A,0,-,True_OF_PT58B,-,-,D16,A10,B9,-
+595,PT56B,0,-,Comp_OF_PT56A,-,-,E16,B10,E10,-
+596,VSS,-,-,-,-,-,-,-,-,-
+597,PT54B,0,-,Comp_OF_PT54A,-,-,A15,D10,-,-
+598,PT56A,0,-,True_OF_PT56B,-,-,F16,C10,D10,-
+599,VCCAUX,-,-,-,-,-,-,-,-,-
+600,PT54A,0,-,True_OF_PT54B,-,-,C15,E10,C9,-
+601,PT51B,0,-,Comp_OF_PT51A,-,-,D15,C9,-,-
+602,VCCIO0,-,-,-,-,-,-,-,-,-
+603,PT49B,0,-,Comp_OF_PT49A,-,-,A14,D8,-,-
+604,PT51A,0,-,True_OF_PT51B,-,-,F15,D9,-,-
+605,VSSIO0,-,-,-,-,-,-,-,-,-
+606,PT49A,0,-,True_OF_PT49B,-,-,B14,E8,-,-
+607,PT47B,0,-,Comp_OF_PT47A,-,-,C14,-,-,-
+608,VCCIO0,-,-,-,-,-,-,-,-,-
+609,PT45B,0,-,Comp_OF_PT45A,-,-,E14,-,-,-
+610,PT47A,0,-,True_OF_PT47B,-,-,D14,-,-,-
+611,VSSIO0,-,-,-,-,-,-,-,-,-
+612,PT45A,0,-,True_OF_PT45B,-,-,F14,-,-,-
+613,PT42B,0,-,Comp_OF_PT42A,-,-,A13,-,-,-
+614,VSS,-,-,-,-,-,-,-,-,-
+615,PT40B,0,-,Comp_OF_PT40A,-,-,D13,-,-,-
+616,PT42A,0,-,True_OF_PT42B,-,-,C13,-,-,-
+617,VCC,-,-,-,-,-,-,-,-,-
+618,PT40A,0,-,True_OF_PT40B,-,-,F13,-,-,-
+619,PT38B,0,-,Comp_OF_PT38A,-,-,A11,-,-,-
+620,VSS,-,-,-,-,-,-,-,-,-
+621,PT36B,0,-,Comp_OF_PT36A,-,-,C11,-,-,-
+622,PT38A,0,-,True_OF_PT38B,-,-,B11,-,-,-
+623,VCCAUX,-,-,-,-,-,-,-,-,-
+624,PT36A,0,-,True_OF_PT36B,-,-,D11,-,-,-
+625,PT33B,0,-,Comp_OF_PT33A,-,-,E11,-,-,-
+626,VCCIO0,-,-,-,-,-,-,-,-,-
+627,PT31B,0,-,Comp_OF_PT31A,-,-,A10,-,-,-
+628,PT33A,0,-,True_OF_PT33B,-,-,F11,-,-,-
+629,VSSIO0,-,-,-,-,-,-,-,-,-
+630,PT31A,0,-,True_OF_PT31B,-,-,B10,-,-,-
+631,PT29B,0,-,Comp_OF_PT29A,-,-,C10,-,-,-
+632,VCCIO0,-,-,-,-,-,-,-,-,-
+633,PT27B,0,-,Comp_OF_PT27A,-,-,E10,-,-,-
+634,PT29A,0,-,True_OF_PT29B,-,-,D10,-,-,-
+635,VSSIO0,-,-,-,-,-,-,-,-,-
+636,PT27A,0,-,True_OF_PT27B,-,-,F10,-,-,-
+637,PT24B,0,-,Comp_OF_PT24A,-,-,A9,-,-,-
+638,VSS,-,-,-,-,-,-,-,-,-
+639,PT22B,0,-,Comp_OF_PT22A,-,-,D9,-,-,-
+640,PT24A,0,-,True_OF_PT24B,-,-,C9,-,-,-
+641,VCC,-,-,-,-,-,-,-,-,-
+642,PT22A,0,-,True_OF_PT22B,-,-,F9,-,-,-
+643,PT20B,0,-,Comp_OF_PT20A,-,-,A8,C8,E9,-
+644,VSS,-,-,-,-,-,-,-,-,-
+645,PT18B,0,-,Comp_OF_PT18A,-,-,C8,A9,A8,-
+646,PT20A,0,-,True_OF_PT20B,-,-,B8,B8,D9,-
+647,VCCAUX,-,-,-,-,-,-,-,-,-
+648,PT18A,0,-,True_OF_PT18B,-,-,D8,A8,A7,-
+649,PT15B,0,-,Comp_OF_PT15A,-,-,E8,A6,B8,-
+650,VCCIO0,-,-,-,-,-,-,-,-,-
+651,PT13B,0,-,Comp_OF_PT13A,-,-,A7,B6,D8,-
+652,PT15A,0,-,True_OF_PT15B,-,-,F8,A5,C8,-
+653,VSSIO0,-,-,-,-,-,-,-,-,-
+654,PT13A,0,-,True_OF_PT13B,-,-,B7,C6,E8,-
+655,PT11B,0,-,Comp_OF_PT11A,-,-,C7,D6,C7,-
+656,VCCIO0,-,-,-,-,-,-,-,-,-
+657,PT9B,0,-,Comp_OF_PT9A,-,-,A5,C5,D7,-
+658,PT11A,0,-,True_OF_PT11B,-,-,D7,E6,C6,-
+659,VSSIO0,-,-,-,-,-,-,-,-,-
+660,PT9A,0,-,True_OF_PT9B,-,-,A4,D5,E7,-
+661,PT6B,0,-,Comp_OF_PT6A,-,-,A3,A4,D6,-
+662,VSS,-,-,-,-,-,-,-,-,-
+663,PT4B,0,ULC_GPLL1C_IN,Comp_OF_PT4A,-,-,B4,A3,B6,C11
+664,PT6A,0,-,True_OF_PT6B,-,-,A2,B4,E6,-
+665,VCC,-,-,-,-,-,-,-,-,-
+666,PT4A,0,ULC_GPLL1T_IN,True_OF_PT4B,-,-,B3,A2,A6,B11
+667,VSS,-,-,-,-,-,-,-,-,-
+668,VCC,-,-,-,-,-,-,-,-,-
+669,VCC,-,-,-,-,-,-,-,-,-
+670,GND,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,F19,-,-
+0,GND,-,-,-,-,-,B31,B25,C19,G2
+0,GND,-,-,-,-,-,E31,E25,H19,L2
+0,GND,-,-,-,-,-,J31,J25,R19,B3
+0,GND,-,-,-,-,-,N31,M25,G17,E5
+0,GND,-,-,-,-,-,R31,R25,M16,F5
+0,GND,-,-,-,-,-,V31,V25,G15,K5
+0,GND,-,-,-,-,-,Y31,AC25,K15,L5
+0,GND,-,-,-,-,-,AD31,B22,N15,F6
+0,GND,-,-,-,-,-,AH31,E22,B14,G6
+0,GND,-,-,-,-,-,AL31,J22,F14,H6
+0,GND,-,-,-,-,-,AH29,M22,G14,J6
+0,GND,-,-,-,-,-,AL29,R22,J14,K6
+0,GND,-,-,-,-,-,B28,V22,K14,L6
+0,GND,-,-,-,-,-,E28,H19,M14,M6
+0,GND,-,-,-,-,-,J28,B18,N14,E7
+0,GND,-,-,-,-,-,N28,E18,P14,F7
+0,GND,-,-,-,-,-,R28,J18,F13,G7
+0,GND,-,-,-,-,-,V28,K18,G13,H7
+0,GND,-,-,-,-,-,AD28,L18,P13,J7
+0,GND,-,-,-,-,-,B24,M18,G12,K7
+0,GND,-,-,-,-,-,E24,N18,J12,L7
+0,GND,-,-,-,-,-,K23,P18,K12,M7
+0,GND,-,-,-,-,-,L23,R18,L12,N7
+0,GND,-,-,-,-,-,K22,T18,M12,E8
+0,GND,-,-,-,-,-,L22,U18,P12,F8
+0,GND,-,-,-,-,-,M22,W18,G11,G8
+0,GND,-,-,-,-,-,N22,J17,J11,H8
+0,GND,-,-,-,-,-,P22,K17,K11,J8
+0,GND,-,-,-,-,-,R22,U17,L11,K8
+0,GND,-,-,-,-,-,T22,V17,M11,L8
+0,GND,-,-,-,-,-,U22,J16,P11,M8
+0,GND,-,-,-,-,-,V22,L16,G10,N8
+0,GND,-,-,-,-,-,W22,M16,J10,E9
+0,GND,-,-,-,-,-,Y22,N16,K10,F9
+0,GND,-,-,-,-,-,AA22,P16,L10,G9
+0,GND,-,-,-,-,-,AB22,R16,M10,H9
+0,GND,-,-,-,-,-,L21,U16,G9,J9
+0,GND,-,-,-,-,-,AB21,V16,J9,K9
+0,GND,-,-,-,-,-,AC21,B15,K9,L9
+0,GND,-,-,-,-,-,B20,E15,L9,M9
+0,GND,-,-,-,-,-,E20,J15,M9,N9
+0,GND,-,-,-,-,-,L20,L15,F8,E10
+0,GND,-,-,-,-,-,N20,M15,G8,F10
+0,GND,-,-,-,-,-,P20,N15,P8,G10
+0,GND,-,-,-,-,-,R20,P15,B7,H10
+0,GND,-,-,-,-,-,T20,R15,F7,J10
+0,GND,-,-,-,-,-,U20,U15,G7,K10
+0,GND,-,-,-,-,-,V20,V15,J7,L10
+0,GND,-,-,-,-,-,W20,J14,K7,M10
+0,GND,-,-,-,-,-,Y20,L14,M7,N10
+0,GND,-,-,-,-,-,AB20,M14,N7,E11
+0,GND,-,-,-,-,-,L19,N14,P7,F11
+0,GND,-,-,-,-,-,N19,P14,G6,G11
+0,GND,-,-,-,-,-,P19,R14,K6,H11
+0,GND,-,-,-,-,-,R19,U14,N6,J11
+0,GND,-,-,-,-,-,T19,V14,D4,K11
+0,GND,-,-,-,-,-,U19,J13,G4,L11
+0,GND,-,-,-,-,-,V19,L13,J2,M11
+0,GND,-,-,-,-,-,W19,M13,M2,N11
+0,GND,-,-,-,-,-,Y19,N13,-,E12
+0,GND,-,-,-,-,-,AB19,P13,-,F12
+0,GND,-,-,-,-,-,B18,R13,-,G12
+0,GND,-,-,-,-,-,E18,U13,-,H12
+0,GND,-,-,-,-,-,L18,V13,-,J12
+0,GND,-,-,-,-,-,N18,B12,-,K12
+0,GND,-,-,-,-,-,P18,E12,-,L12
+0,GND,-,-,-,-,-,R18,J12,-,M12
+0,GND,-,-,-,-,-,T18,L12,-,N12
+0,GND,-,-,-,-,-,U18,M12,-,F13
+0,GND,-,-,-,-,-,V18,N12,-,G13
+0,GND,-,-,-,-,-,W18,P12,-,H13
+0,GND,-,-,-,-,-,Y18,R12,-,J13
+0,GND,-,-,-,-,-,AB18,U12,-,K13
+0,GND,-,-,-,-,-,L17,V12,-,L13
+0,GND,-,-,-,-,-,N17,J11,-,M13
+0,GND,-,-,-,-,-,P17,L11,-,E14
+0,GND,-,-,-,-,-,R17,M11,-,F14
+0,GND,-,-,-,-,-,T17,N11,-,K14
+0,GND,-,-,-,-,-,U17,P11,-,L14
+0,GND,-,-,-,-,-,V17,R11,-,B16
+0,GND,-,-,-,-,-,W17,U11,-,T16
+0,GND,-,-,-,-,-,Y17,J10,-,G17
+0,GND,-,-,-,-,-,AB17,K10,-,L17
+0,GND,-,-,-,-,-,L16,U10,-,-
+0,GND,-,-,-,-,-,N16,B9,-,-
+0,GND,-,-,-,-,-,P16,E9,-,-
+0,GND,-,-,-,-,-,R16,H9,-,-
+0,GND,-,-,-,-,-,T16,J9,-,-
+0,GND,-,-,-,-,-,U16,K9,-,-
+0,GND,-,-,-,-,-,V16,L9,-,-
+0,GND,-,-,-,-,-,W16,M9,-,-
+0,GND,-,-,-,-,-,Y16,N9,-,-
+0,GND,-,-,-,-,-,AB16,P9,-,-
+0,GND,-,-,-,-,-,B15,R9,-,-
+0,GND,-,-,-,-,-,E15,T9,-,-
+0,GND,-,-,-,-,-,L15,U9,-,-
+0,GND,-,-,-,-,-,N15,V9,-,-
+0,GND,-,-,-,-,-,P15,W9,-,-
+0,GND,-,-,-,-,-,R15,H8,-,-
+0,GND,-,-,-,-,-,T15,J8,-,-
+0,GND,-,-,-,-,-,U15,B5,-,-
+0,GND,-,-,-,-,-,V15,E5,-,-
+0,GND,-,-,-,-,-,W15,J5,-,-
+0,GND,-,-,-,-,-,Y15,M5,-,-
+0,GND,-,-,-,-,-,AB15,R5,-,-
+0,GND,-,-,-,-,-,L14,V5,-,-
+0,GND,-,-,-,-,-,N14,AC3,-,-
+0,GND,-,-,-,-,-,P14,B2,-,-
+0,GND,-,-,-,-,-,R14,E2,-,-
+0,GND,-,-,-,-,-,T14,J2,-,-
+0,GND,-,-,-,-,-,U14,M2,-,-
+0,GND,-,-,-,-,-,V14,R2,-,-
+0,GND,-,-,-,-,-,W14,V2,-,-
+0,GND,-,-,-,-,-,Y14,-,-,-
+0,GND,-,-,-,-,-,AB14,-,-,-
+0,GND,-,-,-,-,-,B13,-,-,-
+0,GND,-,-,-,-,-,E13,-,-,-
+0,GND,-,-,-,-,-,L13,-,-,-
+0,GND,-,-,-,-,-,N13,-,-,-
+0,GND,-,-,-,-,-,P13,-,-,-
+0,GND,-,-,-,-,-,R13,-,-,-
+0,GND,-,-,-,-,-,T13,-,-,-
+0,GND,-,-,-,-,-,U13,-,-,-
+0,GND,-,-,-,-,-,V13,-,-,-
+0,GND,-,-,-,-,-,W13,-,-,-
+0,GND,-,-,-,-,-,Y13,-,-,-
+0,GND,-,-,-,-,-,AB11,-,-,-
+0,GND,-,-,-,-,-,L12,-,-,-
+0,GND,-,-,-,-,-,AB12,-,-,-
+0,GND,-,-,-,-,-,AC12,-,-,-
+0,GND,-,-,-,-,-,K11,-,-,-
+0,GND,-,-,-,-,-,L11,-,-,-
+0,GND,-,-,-,-,-,M11,-,-,-
+0,GND,-,-,-,-,-,N11,-,-,-
+0,GND,-,-,-,-,-,P11,-,-,-
+0,GND,-,-,-,-,-,R11,-,-,-
+0,GND,-,-,-,-,-,T11,-,-,-
+0,GND,-,-,-,-,-,U11,-,-,-
+0,GND,-,-,-,-,-,V11,-,-,-
+0,GND,-,-,-,-,-,W11,-,-,-
+0,GND,-,-,-,-,-,Y11,-,-,-
+0,GND,-,-,-,-,-,AA11,-,-,-
+0,GND,-,-,-,-,-,AB13,-,-,-
+0,GND,-,-,-,-,-,K10,-,-,-
+0,GND,-,-,-,-,-,L10,-,-,-
+0,GND,-,-,-,-,-,B9,-,-,-
+0,GND,-,-,-,-,-,E9,-,-,-
+0,GND,-,-,-,-,-,B5,-,-,-
+0,GND,-,-,-,-,-,E5,-,-,-
+0,GND,-,-,-,-,-,J5,-,-,-
+0,GND,-,-,-,-,-,N5,-,-,-
+0,GND,-,-,-,-,-,R5,-,-,-
+0,GND,-,-,-,-,-,V5,-,-,-
+0,GND,-,-,-,-,-,AD5,-,-,-
+0,GND,-,-,-,-,-,AH5,-,-,-
+0,GND,-,-,-,-,-,AL5,-,-,-
+0,GND,-,-,-,-,-,B2,-,-,-
+0,GND,-,-,-,-,-,E2,-,-,-
+0,GND,-,-,-,-,-,J2,-,-,-
+0,GND,-,-,-,-,-,N2,-,-,-
+0,GND,-,-,-,-,-,R2,-,-,-
+0,GND,-,-,-,-,-,V2,-,-,-
+0,GND,-,-,-,-,-,Y2,-,-,-
+0,GND,-,-,-,-,-,AD2,-,-,-
+0,GND,-,-,-,-,-,AH2,-,-,-
+0,GND,-,-,-,-,-,AL2,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,GND,-,-,-,-,-,-,-,-,-
+0,VCC,-,-,-,-,-,M21,L17,H13,J4
+0,VCC,-,-,-,-,-,N21,M17,J13,M4
+0,VCC,-,-,-,-,-,P21,N17,K13,J5
+0,VCC,-,-,-,-,-,R21,P17,L13,P7
+0,VCC,-,-,-,-,-,T21,R17,M13,D8
+0,VCC,-,-,-,-,-,U21,T17,N13,D9
+0,VCC,-,-,-,-,-,V21,K16,H12,P9
+0,VCC,-,-,-,-,-,W21,T16,N12,D10
+0,VCC,-,-,-,-,-,Y21,K15,H11,D11
+0,VCC,-,-,-,-,-,AA21,T15,N11,P11
+0,VCC,-,-,-,-,-,M20,K14,H10,J14
+0,VCC,-,-,-,-,-,AA20,T14,N10,J15
+0,VCC,-,-,-,-,-,M19,K13,H9,M15
+0,VCC,-,-,-,-,-,AA19,T13,N9,-
+0,VCC,-,-,-,-,-,M18,K12,H8,-
+0,VCC,-,-,-,-,-,AA18,T12,J8,-
+0,VCC,-,-,-,-,-,M17,K11,K8,-
+0,VCC,-,-,-,-,-,AA17,T11,L8,-
+0,VCC,-,-,-,-,-,M16,L10,M8,-
+0,VCC,-,-,-,-,-,AA16,M10,N8,-
+0,VCC,-,-,-,-,-,M15,N10,-,-
+0,VCC,-,-,-,-,-,AA15,P10,-,-
+0,VCC,-,-,-,-,-,M14,R10,-,-
+0,VCC,-,-,-,-,-,AA14,T10,-,-
+0,VCC,-,-,-,-,-,M13,-,-,-
+0,VCC,-,-,-,-,-,AA13,-,-,-
+0,VCC,-,-,-,-,-,M12,-,-,-
+0,VCC,-,-,-,-,-,N12,-,-,-
+0,VCC,-,-,-,-,-,P12,-,-,-
+0,VCC,-,-,-,-,-,R12,-,-,-
+0,VCC,-,-,-,-,-,T12,-,-,-
+0,VCC,-,-,-,-,-,U12,-,-,-
+0,VCC,-,-,-,-,-,V12,-,-,-
+0,VCC,-,-,-,-,-,W12,-,-,-
+0,VCC,-,-,-,-,-,Y12,-,-,-
+0,VCC,-,-,-,-,-,AA12,-,-,-
+0,VCC,-,-,-,-,-,-,-,-,-
+0,VCC,-,-,-,-,-,-,-,-,-
+0,VCC,-,-,-,-,-,-,-,-,-
+0,VCC,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,N23,K19,F15,E6
+0,VCCAUX,-,-,-,-,-,Y23,T19,P15,N6
+0,VCCAUX,-,-,-,-,-,AC22,W19,F6,E13
+0,VCCAUX,-,-,-,-,-,K20,H17,P6,P13
+0,VCCAUX,-,-,-,-,-,K13,H14,-,-
+0,VCCAUX,-,-,-,-,-,AC11,H11,-,-
+0,VCCAUX,-,-,-,-,-,N10,L8,-,-
+0,VCCAUX,-,-,-,-,-,Y10,T8,-,-
+0,VCCAUX,-,-,-,-,-,-,W8,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCAUX,-,-,-,-,-,-,-,-,-
+0,VCCIO0,0,-,-,-,-,K16,H13,F10,D12
+0,VCCIO0,0,-,-,-,-,K15,H12,F9,-
+0,VCCIO0,0,-,-,-,-,K14,H10,-,-
+0,VCCIO0,0,-,-,-,-,K12,-,-,-
+0,VCCIO0,0,-,-,-,-,-,-,-,-
+0,VCCIO0,0,-,-,-,-,-,-,-,-
+0,VCCIO1,1,-,-,-,-,K21,H18,F12,D7
+0,VCCIO1,1,-,-,-,-,K19,H16,F11,-
+0,VCCIO1,1,-,-,-,-,K18,H15,-,-
+0,VCCIO1,1,-,-,-,-,K17,-,-,-
+0,VCCIO1,1,-,-,-,-,-,-,-,-
+0,VCCIO1,1,-,-,-,-,-,-,-,-
+0,VCCIO2,2,-,-,-,-,M23,J19,H15,G5
+0,VCCIO2,2,-,-,-,-,P23,L19,J15,H5
+0,VCCIO2,2,-,-,-,-,R23,M19,H14,-
+0,VCCIO2,2,-,-,-,-,T23,N19,-,-
+0,VCCIO2,2,-,-,-,-,-,-,-,-
+0,VCCIO2,2,-,-,-,-,-,-,-,-
+0,VCCIO2,2,-,-,-,-,-,-,-,-
+0,VCCIO2,2,-,-,-,-,-,-,-,-
+0,VCCIO3,3,-,-,-,-,U23,P19,L15,M5
+0,VCCIO3,3,-,-,-,-,V23,R19,M15,N5
+0,VCCIO3,3,-,-,-,-,W23,U19,L14,-
+0,VCCIO3,3,-,-,-,-,AA23,-,-,-
+0,VCCIO3,3,-,-,-,-,-,-,-,-
+0,VCCIO3,3,-,-,-,-,-,-,-,-
+0,VCCIO3,3,-,-,-,-,-,-,-,-
+0,VCCIO3,3,-,-,-,-,-,-,-,-
+0,VCCIO4,4,-,-,-,-,AB23,V19,-,-
+0,VCCIO4,4,-,-,-,-,AC23,V18,-,-
+0,VCCIO4,4,-,-,-,-,-,-,-,-
+0,VCCIO4,4,-,-,-,-,-,-,-,-
+0,VCCIO4,4,-,-,-,-,-,-,-,-
+0,GND,-,GND,-,-,-,AH26,AC24,V20,R1
+0,GND,-,GND,-,-,-,AJ26,AD24,V19,R2
+0,GND,-,GND,-,-,-,AK26,AE24,W19,T2
+0,GND,-,GND,-,-,-,AL26,AF24,V16,U2
+0,GND,-,GND,-,-,-,AM26,AB23,W16,T3
+0,GND,-,GND,-,-,-,AH25,AB22,V15,U3
+0,GND,-,GND,-,-,-,AH24,AE22,W15,T4
+0,GND,-,GND,-,-,-,AL24,AB21,U14,U4
+0,GND,-,GND,-,-,-,AF23,AC21,V14,V4
+0,GND,-,GND,-,-,-,AG23,AD21,U13,U5
+0,GND,-,GND,-,-,-,AH23,AE21,V13,P6
+0,GND,-,GND,-,-,-,AJ23,AA20,U12,T6
+0,GND,-,GND,-,-,-,AK23,AE19,V12,T7
+0,GND,-,GND,-,-,-,AL23,AA18,W12,U7
+0,GND,-,GND,-,-,-,AL21,AB18,U11,V7
+0,GND,-,GND,-,-,-,AF20,AC18,U10,P8
+0,GND,-,GND,-,-,-,AG20,AD18,U9,T8
+0,GND,-,GND,-,-,-,AH20,AE18,V9,T9
+0,GND,-,GND,-,-,-,AJ20,AA17,U8,U9
+0,GND,-,GND,-,-,-,AK20,AE16,V8,T10
+0,GND,-,GND,-,-,-,AL20,AA15,U7,U10
+0,GND,-,GND,-,-,-,AF19,AB15,V7,V10
+0,GND,-,GND,-,-,-,AL18,AC15,W7,T11
+0,GND,-,GND,-,-,-,AF17,AD15,V6,U11
+0,GND,-,GND,-,-,-,AG17,AE15,W6,P12
+0,GND,-,GND,-,-,-,AH17,AA14,V5,T12
+0,GND,-,GND,-,-,-,AJ17,AB14,-,-
+0,GND,-,GND,-,-,-,AK17,AA13,-,-
+0,GND,-,GND,-,-,-,AL17,AB13,-,-
+0,GND,-,GND,-,-,-,AF16,AE13,-,-
+0,GND,-,GND,-,-,-,AG16,AA12,-,-
+0,GND,-,GND,-,-,-,AH16,AB12,-,-
+0,GND,-,GND,-,-,-,AF15,AC12,-,-
+0,GND,-,GND,-,-,-,AG15,AD12,-,-
+0,GND,-,GND,-,-,-,AH15,AE12,-,-
+0,GND,-,GND,-,-,-,AL15,AA10,-,-
+0,GND,-,GND,-,-,-,AF14,AE10,-,-
+0,GND,-,GND,-,-,-,AG14,AA9,-,-
+0,GND,-,GND,-,-,-,AH14,AB9,-,-
+0,GND,-,GND,-,-,-,AJ14,AC9,-,-
+0,GND,-,GND,-,-,-,AK14,AD9,-,-
+0,GND,-,GND,-,-,-,AL14,AE9,-,-
+0,GND,-,GND,-,-,-,AF12,AA7,-,-
+0,GND,-,GND,-,-,-,AL12,AE7,-,-
+0,GND,-,GND,-,-,-,AF11,AB6,-,-
+0,GND,-,GND,-,-,-,AG11,AC6,-,-
+0,GND,-,GND,-,-,-,AH11,AD6,-,-
+0,GND,-,GND,-,-,-,AJ11,AE6,-,-
+0,GND,-,GND,-,-,-,AK11,AF5,-,-
+0,GND,-,GND,-,-,-,AL11,-,-,-
+0,GND,-,GND,-,-,-,AL9,-,-,-
+0,GND,-,GND,-,-,-,AH8,-,-,-
+0,GND,-,GND,-,-,-,AJ8,-,-,-
+0,GND,-,GND,-,-,-,AK8,-,-,-
+0,GND,-,GND,-,-,-,AL8,-,-,-
+0,GND,-,GND,-,-,-,AH7,-,-,-
+0,GND,-,GND,-,-,-,AJ7,-,-,-
+0,GND,-,GND,-,-,-,AK7,-,-,-
+0,GND,-,GND,-,-,-,AL7,-,-,-
+0,GND,-,GND,-,-,-,AM7,-,-,-
+0,GND,-,GND,-,-,-,-,-,-,-
+0,GND,-,GND,-,-,-,-,-,-,-
+0,GND,-,GND,-,-,-,-,-,-,-
+0,GND,-,GND,-,-,-,-,-,-,-
+0,VCCA0,-,-,-,-,-,AJ13,AC11,T6,P10
+0,VCCA0,-,-,-,-,-,AG12,AB10,U6,R10
+0,VCCA0,-,-,-,-,-,AH12,AC10,-,-
+0,VCCA0,-,-,-,-,-,AJ12,AC8,-,-
+0,VCCA0,-,-,-,-,-,AJ10,AB7,-,-
+0,VCCA0,-,-,-,-,-,AG9,AC7,-,-
+0,VCCA0,-,-,-,-,-,AH9,-,-,-
+0,VCCA0,-,-,-,-,-,AJ9,-,-,-
+0,VCCA0,-,-,-,-,-,-,-,-,-
+0,VCCA0,-,-,-,-,-,-,-,-,-
+0,VCCA0,-,-,-,-,-,-,-,-,-
+0,VCCA1,-,-,-,-,-,AF22,AB20,T15,-
+0,VCCA1,-,-,-,-,-,AG22,AC20,U15,-
+0,VCCA1,-,-,-,-,-,AH22,AC19,-,-
+0,VCCA1,-,-,-,-,-,AJ22,AB17,-,-
+0,VCCA1,-,-,-,-,-,AJ21,AC17,-,-
+0,VCCA1,-,-,-,-,-,AG19,AC16,-,-
+0,VCCA1,-,-,-,-,-,AH19,-,-,-
+0,VCCA1,-,-,-,-,-,AJ19,-,-,-
+0,VCCA1,-,-,-,-,-,AJ18,-,-,-
+0,VCCA1,-,-,-,-,-,-,-,-,-
+0,VCCA1,-,-,-,-,-,-,-,-,-
+0,VCCAUXA0,-,-,-,-,-,AJ16,AC14,V11,R3
+0,VCCAUXA0,-,-,-,-,-,AJ15,AC13,V10,P5
+0,VCCAUXA0,-,-,-,-,-,-,-,-,-
+0,VCCAUXA0,-,-,-,-,-,-,-,-,-
+0,VCCAUXA0,-,-,-,-,-,-,-,-,-
+0,VCCAUXA0,-,-,-,-,-,-,-,-,-
+0,VCCAUXA1,-,-,-,-,-,AJ25,AC23,V18,-
+0,VCCAUXA1,-,-,-,-,-,AJ24,AC22,V17,-
+0,VCCAUXA1,-,-,-,-,-,-,-,-,-
+0,VCCAUXA1,-,-,-,-,-,-,-,-,-
+0,VCCAUXA1,-,-,-,-,-,-,-,-,-
+0,VCCAUXA1,-,-,-,-,-,-,-,-,-
+0,VCCIO8,8,-,-,-,-,AB10,V11,P10,N13
+0,VCCIO8,8,-,-,-,-,AC10,V10,P9,P14
+0,VCCIO8,8,-,-,-,-,-,-,-,-
+0,VCCIO8,8,-,-,-,-,-,-,-,-
+0,VCCIO8,8,-,-,-,-,-,-,-,-
+0,VCCIO6,6,-,-,-,-,U10,P8,L7,M14
+0,VCCIO6,6,-,-,-,-,V10,R8,L6,N14
+0,VCCIO6,6,-,-,-,-,W10,U8,M6,-
+0,VCCIO6,6,-,-,-,-,AA10,V8,-,-
+0,VCCIO6,6,-,-,-,-,-,-,-,-
+0,VCCIO6,6,-,-,-,-,-,-,-,-
+0,VCCIO6,6,-,-,-,-,-,-,-,-
+0,VCCIO6,6,-,-,-,-,-,-,-,-
+0,VCCIO7,7,-,-,-,-,M10,K8,H7,G14
+0,VCCIO7,7,-,-,-,-,P10,M8,H6,H14
+0,VCCIO7,7,-,-,-,-,R10,N8,J6,-
+0,VCCIO7,7,-,-,-,-,T10,-,-,-
+0,VCCIO7,7,-,-,-,-,-,-,-,-
+0,VCCIO7,7,-,-,-,-,-,-,-,-
+0,VCCIO7,7,-,-,-,-,-,-,-,-
+0,VCCIO7,7,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,AG31,F18,-,-
+0,NC,-,-,-,-,-,V30,F17,-,-
+0,NC,-,-,-,-,-,H29,C15,-,-
+0,NC,-,-,-,-,-,AC29,D15,-,-
+0,NC,-,-,-,-,-,L28,F15,-,-
+0,NC,-,-,-,-,-,W27,F14,-,-
+0,NC,-,-,-,-,-,E26,F13,-,-
+0,NC,-,-,-,-,-,AE26,C12,-,-
+0,NC,-,-,-,-,-,G24,D12,-,-
+0,NC,-,-,-,-,-,AG24,F12,-,-
+0,NC,-,-,-,-,-,G23,F10,-,-
+0,NC,-,-,-,-,-,G22,F9,-,-
+0,NC,-,-,-,-,-,G19,F8,-,-
+0,NC,-,-,-,-,-,G18,AA5,-,-
+0,NC,-,-,-,-,-,G17,AA4,-,-
+0,NC,-,-,-,-,-,G16,AA3,-,-
+0,NC,-,-,-,-,-,G15,-,-,-
+0,NC,-,-,-,-,-,G14,-,-,-
+0,NC,-,-,-,-,-,G11,-,-,-
+0,NC,-,-,-,-,-,G10,-,-,-
+0,NC,-,-,-,-,-,G9,-,-,-
+0,NC,-,-,-,-,-,E7,-,-,-
+0,NC,-,-,-,-,-,AE7,-,-,-
+0,NC,-,-,-,-,-,W6,-,-,-
+0,NC,-,-,-,-,-,L5,-,-,-
+0,NC,-,-,-,-,-,H4,-,-,-
+0,NC,-,-,-,-,-,AC4,-,-,-
+0,NC,-,-,-,-,-,V3,-,-,-
+0,NC,-,-,-,-,-,AG2,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
+0,NC,-,-,-,-,-,-,-,-,-
diff --git a/docs/ECP-5/docs/EnablingProgrammableConnectivitySolutionsforCompactHighVolumeApplications.pdf b/docs/ECP-5/docs/EnablingProgrammableConnectivitySolutionsforCompactHighVolumeApplications.pdf
new file mode 100644
index 0000000..20a2eaf
Binary files /dev/null and b/docs/ECP-5/docs/EnablingProgrammableConnectivitySolutionsforCompactHighVolumeApplications.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-DS-02012-2-6-ECP5-ECP5G-Family-Data-Sheet.pdf b/docs/ECP-5/docs/FPGA-DS-02012-2-6-ECP5-ECP5G-Family-Data-Sheet.pdf
new file mode 100644
index 0000000..4d51eb3
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-DS-02012-2-6-ECP5-ECP5G-Family-Data-Sheet.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02032-1-3-ECP5-ECP5G-sysIO-Usage-Guide.pdf b/docs/ECP-5/docs/FPGA-TN-02032-1-3-ECP5-ECP5G-sysIO-Usage-Guide.pdf
new file mode 100644
index 0000000..e5094b6
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02032-1-3-ECP5-ECP5G-sysIO-Usage-Guide.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02035-1-3-ECP5-ECP5-5G-HighSpeed-IO-Interface.pdf b/docs/ECP-5/docs/FPGA-TN-02035-1-3-ECP5-ECP5-5G-HighSpeed-IO-Interface.pdf
new file mode 100644
index 0000000..efd6937
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02035-1-3-ECP5-ECP5-5G-HighSpeed-IO-Interface.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02038-1-6-ECP5-and-ECP5-5G-Hardware-Checklist.pdf b/docs/ECP-5/docs/FPGA-TN-02038-1-6-ECP5-and-ECP5-5G-Hardware-Checklist.pdf
new file mode 100644
index 0000000..6ace525
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02038-1-6-ECP5-and-ECP5-5G-Hardware-Checklist.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02039-2-0-ECP5-and-ECP5-5G-sysCONFIG.pdf b/docs/ECP-5/docs/FPGA-TN-02039-2-0-ECP5-and-ECP5-5G-sysCONFIG.pdf
new file mode 100644
index 0000000..bf922cf
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02039-2-0-ECP5-and-ECP5-5G-sysCONFIG.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02084-2-2-Using-TraceID.pdf b/docs/ECP-5/docs/FPGA-TN-02084-2-2-Using-TraceID.pdf
new file mode 100644
index 0000000..3247b11
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02084-2-2-Using-TraceID.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02200-1-2-ECP5-and-ECP5-5G-sysCLOCK-PLL-DLL-Design-and-Usage-Guide.pdf b/docs/ECP-5/docs/FPGA-TN-02200-1-2-ECP5-and-ECP5-5G-sysCLOCK-PLL-DLL-Design-and-Usage-Guide.pdf
new file mode 100644
index 0000000..66989e3
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02200-1-2-ECP5-and-ECP5-5G-sysCLOCK-PLL-DLL-Design-and-Usage-Guide.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02203-1-7-LatticeECP3-LatticeECP2-M-ECP5-and-ECP5-5G-Dual-Boot-and-Multiple-Boot-Feature.pdf b/docs/ECP-5/docs/FPGA-TN-02203-1-7-LatticeECP3-LatticeECP2-M-ECP5-and-ECP5-5G-Dual-Boot-and-Multiple-Boot-Feature.pdf
new file mode 100644
index 0000000..7d37b7d
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02203-1-7-LatticeECP3-LatticeECP2-M-ECP5-and-ECP5-5G-Dual-Boot-and-Multiple-Boot-Feature.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02204-1-4-ECP5-and-ECP5-5G-Memory-Usage-Guide.pdf b/docs/ECP-5/docs/FPGA-TN-02204-1-4-ECP5-and-ECP5-5G-Memory-Usage-Guide.pdf
new file mode 100644
index 0000000..db63c69
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02204-1-4-ECP5-and-ECP5-5G-Memory-Usage-Guide.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02205-1-2-ECP5-and-ECP5-5G-sysDSP-Usage-Guide.pdf b/docs/ECP-5/docs/FPGA-TN-02205-1-2-ECP5-and-ECP5-5G-sysDSP-Usage-Guide.pdf
new file mode 100644
index 0000000..a6b6dd4
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02205-1-2-ECP5-and-ECP5-5G-sysDSP-Usage-Guide.pdf differ
diff --git a/docs/ECP-5/docs/FPGA-TN-02206-1-3-ECP5-and-ECP5-5G-SerDes-PCS-Usage-Guide.pdf b/docs/ECP-5/docs/FPGA-TN-02206-1-3-ECP5-and-ECP5-5G-SerDes-PCS-Usage-Guide.pdf
new file mode 100644
index 0000000..0f49a1a
Binary files /dev/null and b/docs/ECP-5/docs/FPGA-TN-02206-1-3-ECP5-and-ECP5-5G-SerDes-PCS-Usage-Guide.pdf differ
diff --git a/docs/ECP-5/docs/FPGATN02050ProgrammingExtSPIFlashJTAGECP55G.pdf b/docs/ECP-5/docs/FPGATN02050ProgrammingExtSPIFlashJTAGECP55G.pdf
new file mode 100644
index 0000000..8187479
Binary files /dev/null and b/docs/ECP-5/docs/FPGATN02050ProgrammingExtSPIFlashJTAGECP55G.pdf differ
diff --git a/docs/ECP-5/docs/HB1012.pdf b/docs/ECP-5/docs/HB1012.pdf
new file mode 100644
index 0000000..d0d0cb5
Binary files /dev/null and b/docs/ECP-5/docs/HB1012.pdf differ
diff --git a/docs/ECP-5/docs/PB1384_ECP5_Errata-SED_wDistiRAM.pdf b/docs/ECP-5/docs/PB1384_ECP5_Errata-SED_wDistiRAM.pdf
new file mode 100644
index 0000000..276d438
Binary files /dev/null and b/docs/ECP-5/docs/PB1384_ECP5_Errata-SED_wDistiRAM.pdf differ
diff --git a/docs/ECP-5/docs/PCN04A-17ECP5andECP5-5GDataSheetUpdate.pdf b/docs/ECP-5/docs/PCN04A-17ECP5andECP5-5GDataSheetUpdate.pdf
new file mode 100644
index 0000000..b55644f
Binary files /dev/null and b/docs/ECP-5/docs/PCN04A-17ECP5andECP5-5GDataSheetUpdate.pdf differ
diff --git a/docs/ECP-5/docs/PCN_02A16_ECP5_updates_on_D3_7.pdf b/docs/ECP-5/docs/PCN_02A16_ECP5_updates_on_D3_7.pdf
new file mode 100644
index 0000000..c2ea91c
Binary files /dev/null and b/docs/ECP-5/docs/PCN_02A16_ECP5_updates_on_D3_7.pdf differ
diff --git a/docs/ECP-5/docs/TN1266.pdf b/docs/ECP-5/docs/TN1266.pdf
new file mode 100644
index 0000000..059598a
Binary files /dev/null and b/docs/ECP-5/docs/TN1266.pdf differ
diff --git a/docs/ECP-5/docs/ecp5_eval_flash_instructions.pdf b/docs/ECP-5/docs/ecp5_eval_flash_instructions.pdf
new file mode 100644
index 0000000..e979725
Binary files /dev/null and b/docs/ECP-5/docs/ecp5_eval_flash_instructions.pdf differ
diff --git a/docs/ECP-5/docs/fpga-eb-02017-1-2-ecp5-evaluation-board.pdf b/docs/ECP-5/docs/fpga-eb-02017-1-2-ecp5-evaluation-board.pdf
new file mode 100644
index 0000000..73b53cb
Binary files /dev/null and b/docs/ECP-5/docs/fpga-eb-02017-1-2-ecp5-evaluation-board.pdf differ
diff --git a/docs/ECP-5/docs/fpga-ug-02042-26-4-programming_cables.pdf b/docs/ECP-5/docs/fpga-ug-02042-26-4-programming_cables.pdf
new file mode 100644
index 0000000..ea2cd01
Binary files /dev/null and b/docs/ECP-5/docs/fpga-ug-02042-26-4-programming_cables.pdf differ
diff --git a/docs/ECP-5/docs/qs045_ecp5_evalboard.pdf b/docs/ECP-5/docs/qs045_ecp5_evalboard.pdf
new file mode 100644
index 0000000..d5af645
Binary files /dev/null and b/docs/ECP-5/docs/qs045_ecp5_evalboard.pdf differ
diff --git a/docs/ECP-5/white_papers/EnablingProgrammableConnectivitySolutionsforCompactHighVolumeApplications.pdf b/docs/ECP-5/white_papers/EnablingProgrammableConnectivitySolutionsforCompactHighVolumeApplications.pdf
new file mode 100644
index 0000000..20a2eaf
Binary files /dev/null and b/docs/ECP-5/white_papers/EnablingProgrammableConnectivitySolutionsforCompactHighVolumeApplications.pdf differ
diff --git a/docs/HARDENS.pdf b/docs/HARDENS.pdf
new file mode 100644
index 0000000..03a1e4c
Binary files /dev/null and b/docs/HARDENS.pdf differ
diff --git a/docs/RFP.pdf b/docs/RFP.pdf
new file mode 100755
index 0000000..d4d231e
Binary files /dev/null and b/docs/RFP.pdf differ
diff --git a/hardware/receipts-invoices/MOUSER_Receipt_63393420.pdf b/hardware/receipts-invoices/MOUSER_Receipt_63393420.pdf
new file mode 100644
index 0000000..1280149
Binary files /dev/null and b/hardware/receipts-invoices/MOUSER_Receipt_63393420.pdf differ
diff --git a/lando.el b/lando.el
new file mode 100644
index 0000000..e95b367
--- /dev/null
+++ b/lando.el
@@ -0,0 +1,40 @@
+;; ===== lando mode
+(defvar lando-mode-hook nil)
+(defvar lando-mode-map
+ (let ((lando-mode-map (make-keymap)))
+ (define-key lando-mode-map "\C-j" 'newline-and-indent)
+ lando-mode-map)
+ "Keymap for LANDO major mode")
+
+(add-to-list 'auto-mode-alist '("\\.lando\\'" . lando-mode))
+
+(defconst lando-font-lock-keywords-1
+ (list
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ '("\\" . font-lock-builtin-face)
+ )
+ "Minimal highlighting expressions for LANDO mode.")
+
+(defvar lando-font-lock-keywords lando-font-lock-keywords-1 "Default highlighting expressions for LANDO mode.")
+
+(defun lando-mode ()
+ (interactive)
+ (kill-all-local-variables)
+ (use-local-map lando-mode-map)
+ ;; Set up font-lock
+ (set (make-local-variable 'font-lock-defaults) '(lando-font-lock-keywords))
+ (setq major-mode 'lando-mode)
+ (setq mode-name "LANDO")
+ (run-hooks 'lando-mode-hook))
+
+(provide 'lando-mode)
+;; ===== end of lando-mode
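Review bot: The file is `lando.el` but it ends with `(provide 'lando-mode)`, so `(require 'lando-mode)` will not find it on the load path; either rename the file to `lando-mode.el` or change the last form to `(provide 'lando)`. `lando-mode` is also written by hand (`kill-all-local-variables`, `setq major-mode`, `run-hooks`) and has no docstring. `(define-derived-mode lando-mode prog-mode "LANDO" "Major mode for editing LANDO specifications." (setq-local font-lock-defaults '(lando-font-lock-keywords)))` gives the same setup with the standard hook and keymap handling. The keyword patterns in `lando-font-lock-keywords-1` all display here as `"\\"`, which looks like extraction damage; confirm they are intact in the repository.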
diff --git a/models/Makefile b/models/Makefile
new file mode 100644
index 0000000..9000b8f
--- /dev/null
+++ b/models/Makefile
@@ -0,0 +1,6 @@
+.PHONY: all check
+
+all: check
+
+check:
+ cryptol -b check_model.icry
diff --git a/models/Overview.md b/models/Overview.md
new file mode 100644
index 0000000..3fdc4d1
--- /dev/null
+++ b/models/Overview.md
@@ -0,0 +1,78 @@
+# Executable Behavioral Specification
+
+This directory contains the executable behavioral model, implemented in Cryptol,
+which refines the formal specification given by the domain model, requirements,
+and architecture in the [specs](../specs) directory.
+
+## Methodology
+
+The Cryptol model provides implementations of the components given in the
+SysMLv2 architecture. Generally, the components are modeled either as (1) pure
+functions, as in the case of `CoincidenceLogic`; or (2) as a record of component
+state together with functions that manipulate such records, as in the case of
+`Actuator`s. In either case, the model is designed to give an unambiguous
+specification behaviors of the different components.
+
+## Relationship to SysMLv2 model
+
+The model is designed such that its connection to the architecture specification
+is apparent, which is to say that given a component in the architecture, it
+should be straightforward to identify the corresponding implementation in the
+model. The following is a brief overview of this relationship.
+
+In general, attributes in the architecture diagram are modeled as bitvectors in
+Cryptol: `Boolean`s become `Bit`s, `enum`s with `n` values become `[lg2 n]`
+(bitvectors of length `log_2(n)`), etc.
+
+Sometimes there is tension between straightforward translation to `Cryptol` and
+ease of synthesizing implementations (such as `C` code): in such cases, we may
+use `[8]` (bytes) to model `Boolean` values.
+
+### RTS/Actuator.cry
+
+This module models the `Actuator` part, with two operations to set automatic and
+manual actuation.
+
+### RTS/InstrumentationUnit.cry
+
+The `InstrumentationUnit` part is modeled by a record of the same name that
+capture the important attributes. The `Step` function in this module models the
+simultaneous response of an `InstrumentationUnit` to the different sensor inputs
+and commands.
+
+### RTS/ActuationUnit.cry
+
+This module models the `ActuationUnit` part. The actuation output ports are
+captured by the `ActuationUnit` `output` field, while the named logic parts
+`TemperatureLogic`, `SaturationLogic`, and the like, are modeled by functions
+with the same name.
+
+### RTS.cry
+
+The Cryptol `RTS` type models the composition of the types exposed by the
+previous modules in accordance with the architecture: one `Instrumentation`
+component comprising 4 `InstrumentationUnit`s, one `Actuation` component
+comprising 2 `ActuationUnit`s and 2 `Actuator`.
+
+`Sense_Actuate` models the flow of the connections between the different
+components (i.e., from sensor to actuator) as indicated by the architecture.
+
+`Event_Control` models the `EventControl` package and `ControlUnit`
+behavior.
+
+## Implementation Status
+
+- Each component in the architecture has a representation as Cryptol
+ type and/or functions.
+
+- Each Cryptol module has a set of _properties_ that are true of the
+ model. These properties are either derived from the formal
+ requirements (and indicated as such), or are further refinements of
+ the system behavior. These properties are all provable by `SMT`
+ except where indicated.
+
+- The `InstrumentationUnit` module currently uses a strawman
+ implementation for calculating the saturation margin given a
+ temperature and pressure. The model is agnostic to its actual
+ implementation, but this will be replaced by a lookup table derived
+ from standard steam tables.
diff --git a/models/RTS.cry b/models/RTS.cry
new file mode 100644
index 0000000..df3ce77
--- /dev/null
+++ b/models/RTS.cry
@@ -0,0 +1,283 @@
+// HARDENS Reactor Trip System (RTS)
+// A formal model of RTS behavior written in the Cryptol DSL.
+//
+// @author Alex Bakst
+// @created November, 2021
+// @refines HARDENS.sysml
+// @refines RTS.lando
+// @refines
+
+module RTS where
+
+import RTS::Utils
+import RTS::InstrumentationUnit
+import RTS::InstrumentationUnit as I
+import RTS::ActuationUnit
+import RTS::ActuationUnit as AU
+import RTS::Actuator
+import RTS::Actuator as A
+
+type Device = [1]
+type Division = [2]
+type Logic = [1]
+
+D0, D1: Device
+D0 = 0
+D1 = 1
+
+type EventType = [2]
+// Event Type Values
+EVENT_MAINTENANCE, EVENT_TRIP_MODE, EVENT_SETPOINT, EVENT_ACTUATE : EventType
+EVENT_MAINTENANCE = 0
+EVENT_TRIP_MODE = 1
+EVENT_SETPOINT = 2
+EVENT_ACTUATE = 3
+
+type RTS =
+ { control: Control
+ , instrumentation: Instrumentation
+ , actuation: Actuation
+ , ui: UI
+ }
+
+type UI =
+ { instrumentation_values: [4][NChannels][32]
+ , instrumentation_bypass: [4][NChannels]
+ , instrumentation_trip: [4][NChannels]
+ }
+
+type Control =
+ { self_test: Bit // Are we running an end-to-end test?
+ , self_test_instrs: [2]Division // Which instrumentation units are we poking?
+ , self_test_channel: Channel // Which channel are we poking?
+ , self_test_logic: Logic // Which actuation logic unit are we observing?
+ , self_test_dev: Device // Which actuator are we observing?
+ , self_test_expect: Bit
+ , self_test_timer: [32]
+ , self_test_fail: Bit
+ }
+
+type Actuation =
+ { units: [2]ActuationUnit
+ , actuators: [2]Actuator
+ }
+
+type Instrumentation =
+ { units: [4]InstrumentationUnit }
+
+type Event =
+ { event: EventType // The event tag
+ , ch: Channel // Which channel
+ , dev: Device // Which device
+ , unit: Division // Which Instrumentation unit
+ , setpoint: [32]
+ , mode: I::Mode
+ , on_off: Bit
+ }
+
+// @refines ControlUnit
+Event_Control: Event -> RTS -> RTS
+Event_Control e rts =
+ if e.event == EVENT_MAINTENANCE then
+ on_instr_units rts (\units -> update units (e.unit) (Set_Maintenance e.on_off (units @ e.unit)))
+ else if (e.event == EVENT_TRIP_MODE) && (ch < `NChannels) && (e.mode < `NModes) then
+ on_instr_units rts (\units -> update units (e.unit) (Set_Mode ch e.mode (units @ e.unit)))
+ else if (e.event == EVENT_SETPOINT) && (ch < `NChannels) then
+ on_instr_units rts (\units -> update units (e.unit) (Set_Setpoint ch e.setpoint (units @ e.unit)))
+ else if (e.event == EVENT_ACTUATE) then
+ {rts| actuation =
+ {rts.actuation | actuators = update rts.actuation.actuators dev (SetManual e.on_off (rts.actuation.actuators @ dev))} }
+ else rts
+ where
+ ch : Channel
+ ch = e.ch
+ dev : Device
+ dev = e.dev
+
+ on_instr_units r f = {r|instrumentation = {units = f r.instrumentation.units }}
+
+
+Sense_Actuate:
+ [4]I::Input ->
+ [4]I::Command ->
+ RTS ->
+ RTS
+Sense_Actuate inputs icmds rts =
+ { rts | control = { rts.control | self_test_fail = test_fail }
+ , instrumentation = { units = instrumentation' }
+ , actuation = { units = actuation_logic', actuators = actuators' }
+ }
+ where
+ // The two instrumentation units under test
+ i0 = rts.control.self_test_instrs @ 0
+ i1 = rts.control.self_test_instrs @ 1
+ test_ch = rts.control.self_test_channel
+ test_dev = rts.control.self_test_dev
+ test_logic = rts.control.self_test_logic
+
+ // Each instrumentation unit runs
+ instrumentation' = [ I::Step input cmd i | i <- rts.instrumentation.units | input <- inputs | cmd <- icmds ]
+ output_trips: [3][4]TripPort
+ output_trips = [[ instr.output_trip @ ch | instr <- instrumentation' ] | ch <- [0..2]]
+
+ // Mask trips from the instrs under test at the channel under test. This is passed
+ // to the voting components _not_ under test (so that we do not count any test-generated trips)
+ output_trips_masked, output_trips_test: [3][4]TripPort
+ output_trips_masked = MaskTripFrom (\i ch -> elem i [i0, i1] && (ch == test_ch)) output_trips
+ output_trips_test = MaskTripFrom (\i ch -> ~ (elem i [i0, i1] && (ch == test_ch))) output_trips
+
+ // Now run the voting logic
+ actuation_logic' : [2]ActuationUnit
+ actuation_logic' = [ AU::TripInput (Select_trips l) logic | logic <- rts.actuation.units | l <- [0..1] ]
+
+ // Mask out the output of the voting unit we are *not* testing, and then use *this* value
+ // for testing device actuation
+ test_actuation_logic : [2]ActuationUnit
+ test_actuation_logic = [ { output = [ if (test_logic == l) && (test_dev == d) then logic.output @ d else 0 | d <- [0..1] ]}
+ | logic <- actuation_logic' | l <- [0..1]
+ ]
+
+ Select_trips l = if rts.control.self_test then
+ (if l == test_logic then output_trips_test else output_trips_masked)
+ else
+ output_trips
+
+ // This is the output to the devices
+ actuators' : [2]Actuator
+ actuators' = [ A::SetInput (or [ logic.output @ d | logic <- actuation_logic' ]) a | a <- rts.actuation.actuators | d <- [0...] ]
+
+ actuators_test : [2]Actuator
+ actuators_test = [ A::SetInput (or [ logic.output @ d | logic <- test_actuation_logic ]) a | a <- rts.actuation.actuators | d <- [0...] ]
+
+ test_fail = rts.control.self_test_expect != (actuators_test @ test_dev).input
+
+MaskTripFrom: {idx} (Integral idx, Literal 0 idx) =>
+ (idx -> Channel -> Bit) -> [3][4][8] -> [3][4][8]
+MaskTripFrom p trips =
+ [ [ if p j ch then 0 else ch_trip | ch_trip <- trip | j <- [0...] ]
+ | trip <- trips
+ | ch <- [0..2]
+ ]
+
+Test_Instrumentation : {n} (fin n) =>
+ [n]([8], [2][32], Channel) -> [2] -> RTS -> RTS
+Test_Instrumentation tests i rts = {rts | control = {rts.control|self_test_fail = ~ (all Run_test tests)}}
+ where
+ Run_test: ([8],[2][32],Channel) -> Bit
+ Run_test (trip,vals,ch) = (rts.instrumentation.units @ i)
+ >>>> Set_Maintenance True
+ >>>> Set_Mode ch Operate
+ >>>> Set_Maintenance False
+ >>>> (\in -> I::Step vals I::NoCommand in)
+ >>>> (\in -> trip == (in.output_trip @ ch))
+
+Test_Voting: {n} (fin n) => [n](Bit, [1], AU::Input) -> [1] -> RTS -> RTS
+Test_Voting tests l rts = {rts | control = {rts.control|self_test_fail = ~ (all Run_test tests)}}
+ where
+ Run_test (on,d,trips) = (rts.actuation.units @ l)
+ >>>> AU::TripInput trips
+ >>>> \a -> (a.output @ d) == on
+
+private
+ property sense_to_actuate_0 rts (sensors : [4][2][32]) cmds =
+ ~rts.control.self_test ==> (
+ sum [ if Is_Tripped T i then 1 else 0 | i <- rts'.instrumentation.units ] >= 2
+ \/ sum [ if Is_Tripped P i then 1 else 0 | i <- rts'.instrumentation.units ] >= 2
+ \/ or [ a.output @ D0 | a <- rts.actuation.units ]
+ /* --------------------- */ ==
+ (rts'.actuation.actuators @ D0).input
+ )
+ where
+ rts' = rts >>>> Sense_Actuate sensors cmds
+
+ property sense_to_actuate_1 rts (sensors : [4][2][32]) cmds =
+ ~rts.control.self_test ==> (
+ sum [ if Is_Tripped S i then 1 else 0 | i <- rts'.instrumentation.units ] >= 2
+ \/ or [ a.output @ D1 | a <- rts.actuation.units ]
+ /* --------------------- */ ==
+ (rts'.actuation.actuators @ D1).input
+ )
+ where
+ rts' = rts >>>> Sense_Actuate sensors cmds
+
+ property end_to_end_test (ch : [2]) rts i1 i2 vote sensors =
+ ( ~rts.control.self_test_fail
+ /\ (i1 != i2)
+ /\ and [ (a.output == 0) | a <- rts.actuation.units ]
+ /\ (ch < 3 /* not provable if ch == S */))// /\ (ch != S) // Add this to make it provable
+ /* ------------------------------------------*/ ==>
+ ~rts'.control.self_test_fail
+ where
+ rts' = RunEndToEnd rts i1 i2 ch vote (repeat sensors)
+
+ property end_to_end_test_non_interference (ch : [2]) rts (sensors: [4][2][32]) =
+ (~ rts.control.self_test_fail
+ // Start in a state where we haven't actuated
+ /\ and [ (a.output == 0) | a <- rts.actuation.units ]
+ /\ ch < 3
+ // Check if enough of the non-tested instrumentation (which may be all of them!) thinks we should
+ // actuate
+ /\ sum [ if (~rts.control.self_test || ~elem i [i1,i2]) && ChShouldTrip ch vs instr then 1 else 0
+ | vs <- sensors
+ | instr <- rts.instrumentation.units
+ | i <- [0...]
+ ] >= 2
+ ) /* ------------------------------------------------------------- */ ==>
+ (rts'.actuation.actuators @ (if ch == S then D1 else D0)).input
+ where
+ i1 = rts.control.self_test_instrs@0
+ i2 = rts.control.self_test_instrs@1
+ rts' = rts >>>> Sense_Actuate sensors (repeat I::NoCommand)
+
+ property test_instrumentation_ok i rts vs (ch : Channel) =
+ ~ (rts.control.self_test_fail) ==> (
+ (ch < 3) ==>
+ (~(Test_Instrumentation [(pass, vs, ch)] i rts).control.self_test_fail)
+ )
+ where
+ pass: [8]
+ pass = if ChShouldTrip ch vs {(rts.instrumentation.units @ i) | mode = repeat Operate} then 1 else 0
+
+ property test_voting_ok d ts l rts =
+ (~rts.control.self_test_fail && and [ a.output == 0 | a <- rts.actuation.units ]) ==>
+ ~ ((Test_Voting [(expect, d, ts)] l rts).control.self_test_fail)
+ where
+ expect =
+ if d == D0 then
+ (sum [ if (t != 0) then 1 else 0 | t <- ts @ T ] >= 2)
+ || (sum [ if (t != 0) then 1 else 0 | t <- ts @ P ] >= 2)
+ else
+ sum [ if (t != 0) then 1 else 0 | t <- ts @ S ] >= 2
+
+ I : ([4]InstrumentationUnit -> [4]InstrumentationUnit) -> RTS -> RTS
+ I f rts = {rts|instrumentation = { units = f rts.instrumentation.units }}
+
+ RunEndToEnd rts i1 i2 ch vote sensors = rts'
+ where
+ mkTestCore : [4]InstrumentationUnit -> Control
+ mkTestCore instrs = {rts.control| self_test = True,
+ self_test_instrs = [i1, i2],
+ self_test_channel = ch,
+ self_test_logic = vote,
+ self_test_dev = dev,
+ self_test_expect = ShouldTrip ch sensors instrs [i1,i2] }
+ dev = if (ch == T) || (ch == P) then D0 else D1
+ rts' = rts
+ >>>> I (\instrs -> [ if (i == i1) || (i == i2) then Set_Maintenance True instr else instr | instr <- instrs | i <- [0..3] ])
+ >>>> I (\instrs -> [ if (i == i1) || (i == i2) then Set_Mode ch Operate instr else instr | instr <- instrs | i <- [0..3] ])
+ >>>> (\r -> {r | control = (mkTestCore r.instrumentation.units) })
+ >>>> Sense_Actuate sensors cmds
+ cmds = repeat I::NoCommand
+
+ ShouldTrip: Channel -> [4][2][32] -> [4]InstrumentationUnit -> [2][2] -> Bit
+ ShouldTrip ch sensors instrumentation test_instrs =
+ numBits [ ChShouldTrip ch vs instr
+ | vs <- sensors @@ test_instrs | instr <- instrumentation @@ test_instrs ] >= 2
+
+ ChShouldTrip ch vs instr =
+ if In_Mode ch Operate instr then
+ if (ch == T) || (ch == P)
+ then (instr.setpoints @ ch) < (vs @ ch)
+ else (instr.setpoints @ ch) >$ Saturation (vs @ T) (vs @ P)
+ else
+ In_Mode ch Manual instr
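Review bot: In `sense_to_actuate_0` and `sense_to_actuate_1` the rule-style layout reads as `(A \/ B \/ C) == actuator.input`, but as I read the Cryptol prelude fixities (`==` is infix 20, `\/` is infixr 10) the body parses as `A \/ B \/ (C == actuator.input)`. Parsed that way, the property holds trivially whenever two or more instrumentation units report a trip, so it never requires the actuator input to be set in exactly the case the requirement is about. Put the premise in its own parentheses, e.g. `( sum [...] >= 2 \/ sum [...] >= 2 \/ or [...] ) == (rts'.actuation.actuators @ D0).input`, and re-run `:prove`. The same unparenthesised `... \/ ... ==` layout appears in `actuation_logic_device_0`/`_1` in models/RTS/ActuationUnit.cry and in the `instrumentation_trip_*` properties in models/RTS/InstrumentationUnit.cry, and should be fixed in the same way.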
diff --git a/models/RTS/ActuationUnit.cry b/models/RTS/ActuationUnit.cry
new file mode 100644
index 0000000..c121759
--- /dev/null
+++ b/models/RTS/ActuationUnit.cry
@@ -0,0 +1,88 @@
+module RTS::ActuationUnit where
+
+import RTS::Utils
+import RTS::InstrumentationUnit
+
+type Input = [3][4]TripPort
+type ActuationPort = Bit
+type ActuationUnit = { output: [2]ActuationPort }
+type CoincidenceLogic = [4]TripPort -> Bit
+type OrLogic = [2]Bit -> Bit
+
+TripInput: [3][4]TripPort -> ActuationUnit -> ActuationUnit
+TripInput trips actuationUnit =
+ { output = [ d0, d1 ] }
+ where
+ d0 = (actuationUnit.output @ 0)
+ || TempPressureTripOut [TemperatureLogic temperatureTrips,
+ PressureLogic pressureTrips]
+
+ d1 = (actuationUnit.output @ 1)
+ || (SaturationLogic saturationTrips)
+
+ temperatureTrips = trips @ T
+ pressureTrips = trips @ P
+ saturationTrips = trips @ S
+
+TemperatureLogic: CoincidenceLogic
+TemperatureLogic = Coincidence_2_4
+
+PressureLogic: CoincidenceLogic
+PressureLogic = Coincidence_2_4
+
+SaturationLogic: CoincidenceLogic
+SaturationLogic = Coincidence_2_4
+
+TempPressureTripOut: OrLogic
+TempPressureTripOut = or
+
+private
+ Coincidence_2_4 : [4][8] -> Bit
+ Coincidence_2_4 x = (bits != 0) && (bits != 1) && (bits != 2) && (bits != 4) && (bits != 8)
+ where
+ bits = [ b != 0 | b <- x ]
+
+ count : {n} (fin n) => [n] -> Integer
+ count bs = sum [ if b then 1 else 0 | b <- bs ]
+
+ /** @requirements
+ ACTUATION_LOGIC_VOTE_TEMPERATURE
+ */
+ property actuation_logic_vote_temperature (inp: Input) =
+ (count [i != 0 | i <- (inp @ T)] >= 2) == TemperatureLogic (inp @ T)
+
+ /** @requirements
+ ACTUATION_LOGIC_VOTE_PRESSURE
+ */
+ property actuation_logic_vote_pressure (inp: Input) =
+ (count [i != 0 | i <- (inp @ P)] >= 2) == PressureLogic (inp @ P)
+
+ /** @requirements
+ ACTUATION_LOGIC_VOTE_SATURATION
+ */
+ property actuation_logic_vote_saturation (inp: Input) =
+ (count [i != 0 | i <- (inp @ S)] >= 2) == SaturationLogic (inp @ S)
+
+ /** @requirements
+ ACTUATION_LOGIC_DEVICE_0
+ ACTUATION_LOGIC_VOTE_DEVICE_0
+ ACTUATION_LOGIC_VOTE_MANUAL_DEVICE_0
+ */
+ property actuation_logic_device_0 (inp: Input) (act: ActuationUnit) =
+ act.output @ 0
+ \/ TempPressureTripOut [TemperatureLogic (inp @ T), PressureLogic (inp @ P)]
+ == /* ---------------- */
+ act'.output @ 0
+ where act' = TripInput inp act
+
+ /** @requirements
+ ACTUATION_LOGIC_DEVICE_1
+ ACTUATION_LOGIC_VOTE_DEVICE_1
+ ACTUATION_LOGIC_VOTE_MANUAL_DEVICE_1
+ */
+ property actuation_logic_device_1 (inp: Input) (act: ActuationUnit) =
+ act.output @ 1
+ \/ SaturationLogic (inp @ S)
+ == /* ---------------- */
+ act'.output @ 1
+ where act' = TripInput inp act
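Review bot: The private helper `count` duplicates `numBits` from models/RTS/Utils.cry, which this module already imports; using `numBits` in the three `actuation_logic_vote_*` properties removes the second copy. Separately, `TripInput` ORs the previous `output` into the new value, so an output stays set once tripped and nothing in this module clears it. That latching behaviour is worth stating on the definition, e.g. `// Outputs latch: once an output is set, TripInput never clears it`, with a pointer to whichever component performs the reset.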
diff --git a/models/RTS/Actuator.cry b/models/RTS/Actuator.cry
new file mode 100644
index 0000000..b66af5e
--- /dev/null
+++ b/models/RTS/Actuator.cry
@@ -0,0 +1,18 @@
+module RTS::Actuator where
+
+type Actuation = Bit
+type Mode = Bit
+
+/** @requirements
+ ACTUATION_LOGIC_MANUAL_DEVICE_{0,1} satisfied by definition
+*/
+type Actuator =
+ { input: Actuation
+ , manualActuatorInput: Actuation
+ }
+
+SetInput: Actuation -> Actuator -> Actuator
+SetInput on actuator = {actuator| input = on}
+
+SetManual: Actuation -> Actuator -> Actuator
+SetManual on actuator = {actuator | manualActuatorInput = on}
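Review bot: The doc comment says ACTUATION_LOGIC_MANUAL_DEVICE_{0,1} is "satisfied by definition", but no definition in this module relates `manualActuatorInput` to `input` or to an effective device state; `SetInput` and `SetManual` only write two independent fields. A reader cannot tell from here whether the automatic input can override a manual actuation, or the reverse. State the combination rule in the comment, or add an accessor with a property over it; if the intended state is the OR of both fields, that could be `Is_Actuated a = a.input || a.manualActuatorInput`. `type Mode = Bit` is not used anywhere in the hunk and could be dropped.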
diff --git a/models/RTS/InstrumentationUnit.cry b/models/RTS/InstrumentationUnit.cry
new file mode 100644
index 0000000..27bf992
--- /dev/null
+++ b/models/RTS/InstrumentationUnit.cry
@@ -0,0 +1,308 @@
+module RTS::InstrumentationUnit where
+
+import RTS::Utils
+
+type Input = [2][32]
+type NChannels = 3
+type Channel = [lg2 NChannels]
+type TripPort = [8]
+type NModes = 3
+type Mode = [lg2 NModes]
+type CommandType = [lg2 NCommands]
+type NCommands = 4
+type Command =
+ { command: CommandType
+ , channel: Channel
+ , mode: Mode
+ , setpoint: [32]
+ , on_off: Bit
+ }
+
+Set_Mode_Cmd, Set_Maintenance_Cmd, Set_Setpoint_Cmd, Null_Cmd : CommandType
+Set_Mode_Cmd = 0
+Set_Maintenance_Cmd = 1
+Set_Setpoint_Cmd = 2
+Null_Cmd = 3
+
+T,P,S : Channel
+T = 0 // Temperature
+P = 1 // Pressure
+S = 2 // Saturation
+
+Bypass,Operate,Manual: Mode
+Bypass = 0 // Do not generate a "trip"
+Operate = 1 // generate "trip" on setpoint violation
+Manual = 2 // Force "trip" generation
+
+type InstrumentationUnit =
+ { setpoints: [NChannels][32]
+ , reading: [NChannels][32]
+ , mode: [NChannels]Mode
+ , sensor_trip: [NChannels]
+ , output_trip: [NChannels][8]
+ , maintenance: Bit
+ }
+
+NoCommand: Command
+NoCommand = { command= Null_Cmd, channel= zero, mode= zero, setpoint= zero, on_off= zero }
+
+Initial: InstrumentationUnit
+Initial =
+ { setpoints = zero
+ , reading = zero
+ , mode = zero
+ , sensor_trip = zero
+ , output_trip = repeat zero
+ , maintenance = ~zero
+ }
+
+Step: Input -> Command -> InstrumentationUnit -> InstrumentationUnit
+Step inp cmd instr =
+ Handle_Input inp instr
+ >>>> Handle_Command cmd
+ >>>> Step_Trip_Signals
+ >>>> OutputTrips
+ where
+ OutputTrips state =
+ { state | output_trip = [ zero # [Is_Ch_Tripped (state.mode @ ch) (state.sensor_trip @ ch)] | ch <- [0..2] ] }
+
+// @refines sensor input ports
+Handle_Input: Input -> InstrumentationUnit -> InstrumentationUnit
+Handle_Input sensors instr = { instr | reading = vals }
+ where
+ vals: [3][32]
+ // 0 and 1 should be T and P, but this causes problems for crymp
+ vals = [ sensors @ 0
+ , sensors @ 1
+ , Saturation (sensors @ 0) (sensors @ 1)
+ ]
+
+// @refines mode, tripmode, setpoint input port attributes
+Handle_Command: Command -> InstrumentationUnit -> InstrumentationUnit
+Handle_Command cmd instr =
+ if (cmd.command == Set_Mode_Cmd) && (cmd.channel < `NChannels) then
+ Set_Mode cmd.channel cmd.mode instr
+ else if cmd.command == Set_Maintenance_Cmd then
+ Set_Maintenance cmd.on_off instr
+ else if (cmd.command == Set_Setpoint_Cmd) && (cmd.channel < `NChannels) then
+ Set_Setpoint cmd.channel cmd.setpoint instr
+ else
+ instr
+
+////////////////////////////////////////
+// Queries, "Setters", "Getters", etc
+////////////////////////////////////////
+
+Get_Reading: InstrumentationUnit -> [NChannels][32]
+Get_Reading instr = instr.reading
+
+In_Maintenance: InstrumentationUnit -> Bit
+In_Maintenance instr = instr.maintenance
+
+Set_Maintenance: Bit -> InstrumentationUnit -> InstrumentationUnit
+Set_Maintenance on instr = { instr | maintenance = on }
+
+Set_Mode: Channel -> Mode -> InstrumentationUnit -> InstrumentationUnit
+Set_Mode ch mode i =
+ if In_Maintenance i && (mode <= 2) then
+ {i | mode = update i.mode ch mode}
+ else
+ i
+
+In_Mode: Channel -> Mode -> InstrumentationUnit -> Bit
+In_Mode ch mode instr = (instr.mode @ ch) == mode
+
+Get_Setpoint: Channel -> InstrumentationUnit -> [32]
+Get_Setpoint ch instr = instr.setpoints @ ch
+
+Set_Setpoint: Channel -> [32] -> InstrumentationUnit -> InstrumentationUnit
+Set_Setpoint ch val instr = { instr | setpoints = update instr.setpoints ch val }
+
+Get_Tripped: InstrumentationUnit -> [NChannels][8]
+Get_Tripped instr = [zero # [Is_Tripped T instr], zero # [Is_Tripped P instr], zero # [Is_Tripped S instr]]
+
+Is_Tripped: Channel -> InstrumentationUnit -> Bit
+Is_Tripped ch instr = In_Mode ch Manual instr
+ || (In_Mode ch Operate instr && (instr.sensor_trip @ ch))
+
+Is_Ch_Tripped : Mode -> Bit -> Bit
+Is_Ch_Tripped mode sensor_tripped =
+ // Constants should be replaced, but this causes problems for crymp
+ // 2 = Manual, 1 = Operate
+ (mode == 2) || ((mode == 1) && sensor_tripped)
+
+Step_Trip_Signals:
+ InstrumentationUnit ->
+ InstrumentationUnit
+Step_Trip_Signals state =
+ { state | sensor_trip = sensor_trips }
+ where
+ sensor_trips = Generate_Sensor_Trips state.reading state.setpoints
+
+Saturation : [32] -> [32] -> [32]
+Saturation t p = p - sat_pressure
+ where sat_pressure = PressureTable t
+
+PressureTable : [32] -> [32]
+PressureTable temp = sat_pressure
+ where
+ idx = if 35 <=$ temp then (temp-35)/5 else 0
+ sat_pressure =
+ if idx < 52 then Table @ idx else Table ! 0
+
+// Table in 10^-5 lb/in^2
+// https://mfathi.iut.ac.ir/sites/mfathi.iut.ac.ir/files/files_course/table_of_saturation_vapor_0.pdf
+Table: [52][32]
+Table = [0009998,
+ 0012163,
+ 0014753,
+ 0017796,
+ 0021404,
+ 0025611,
+ 0030562,
+ 0036292,
+ 0042985,
+ 0050683,
+ 0059610,
+ 0069813,
+ 0081567,
+ 0094924,
+ 0110218,
+ 0127500,
+ 0147160,
+ 0169270,
+ 0194350,
+ 0222300,
+ 0253820,
+ 0288920,
+ 0328250,
+ 0371840,
+ 0420470,
+ 0474140,
+ 0533740,
+ 0599260,
+ 0671730,
+ 0751100,
+ 0838550,
+ 0934000,
+ 1038600,
+ 1152600,
+ 1277600,
+ 1413200,
+ 1469600,
+ 1718600,
+ 1892100,
+ 2079100,
+ 2280400,
+ 2496800,
+ 2731900,
+ 2984000,
+ 3253900,
+ 3542700,
+ 3854600,
+ 4187500,
+ 4542300,
+ 4920000,
+ 5325900,
+ 5775200
+ ]
+
+private
+
+ Generate_Sensor_Trips : [NChannels][32] -> [NChannels][32] -> [NChannels]
+ Generate_Sensor_Trips vals setpoints =
+ [ trp ch | ch <- [0..NChannels-1] : [3][2] ]
+ where
+ // 2 should be S, but this causes problems for crymp
+ trp ch = if ch == 2 then v <$ sp else sp < v
+ where v = vals @ ch
+ sp = setpoints @ ch
+
+ /** @requirements
+ INSTRUMENTATION_RESET
+ */
+ property instrumentation_reset =
+ In_Maintenance Initial
+ /\ In_Mode P Bypass Initial
+ /\ In_Mode T Bypass Initial
+ /\ In_Mode S Bypass Initial
+
+ /** @requirements
+ INSTRUMENTATION_TRIP_PRESSURE
+ */
+ property instrumentation_trip_pressure (inp: Input) (instr: InstrumentationUnit) =
+ In_Mode P Manual instr
+ \/ (In_Mode P Operate instr /\ inp @ P > Get_Setpoint P instr')
+ /* ------------------------------------------------------------------- */ ==
+ (Is_Tripped P instr')
+ where instr' = Handle_Input inp instr >>>> Step_Trip_Signals
+
+ /** @requirements
+ INSTRUMENTATION_TRIP_TEMPERATURE
+ */
+ property instrumentation_trip_temperature (inp: Input) (instr: InstrumentationUnit) =
+ In_Mode T Manual instr
+ \/ (In_Mode T Operate instr /\ inp @ T > Get_Setpoint T instr')
+ /* ------------------------------------------------------------------- */ ==
+ (Is_Tripped T instr')
+ where instr' = Handle_Input inp instr >>>> Step_Trip_Signals
+
+ /** @requirements
+ INSTRUMENTATION_TRIP_SATURATION
+ */
+ property instrumentation_trip_saturation (inp: Input) (instr: InstrumentationUnit) =
+ In_Mode S Manual instr
+ \/ (In_Mode S Operate instr /\ Saturation (inp @ T) (inp @ P) <$ Get_Setpoint S instr')
+ /* ------------------------------------------------------------------- */ ==
+ (Is_Tripped S instr')
+ where instr' = Handle_Input inp instr >>>> Step_Trip_Signals
+
+ /** @requirements
+ INSTRUMENTATION_SET_MANUAL_TRIP_TEMPERATURE
+ INSTRUMENTATION_SET_MANUAL_TRIP_PRESSURE
+ INSTRUMENTATION_SET_MANUAL_TRIP_SATURATION
+ */
+ property instrumentation_set_manual_trip (instr: InstrumentationUnit) =
+ In_Maintenance instr ==> (
+ (Is_Tripped T trippedT \/ ~ (instr.sensor_trip @ T))
+ /\ (Is_Tripped P trippedP \/ ~ (instr.sensor_trip @ P))
+ /\ (Is_Tripped S trippedS \/ ~ (instr.sensor_trip @ S))
+ )
+ where
+ trippedT = Set_Mode T Manual instr
+ trippedP = Set_Mode P Manual instr
+ trippedS = Set_Mode S Manual instr
+
+ /** @requirements
+ INSTRUMENTATION_SET_SETPOINT_TEMPERATURE
+ INSTRUMENTATION_SET_SETPOINT_PRESSURE
+ INSTRUMENTATION_SET_SETPOINT_SATURATION
+ */
+ property get_set_setpoint_correct (instr: InstrumentationUnit) (val: [32]) =
+ Get_Setpoint T (Set_Setpoint T val instr) == val
+ /\ Get_Setpoint P (Set_Setpoint P val instr) == val
+ /\ Get_Setpoint S (Set_Setpoint S val instr) == val
+
+ /** @requirements
+ INSTRUMENTATION_SET_BYPASS_TEMPERATURE
+ INSTRUMENTATION_SET_BYPASS_PRESSURE
+ INSTRUMENTATION_SET_BYPASS_SATURATION
+ */
+ property set_bypass_correct (instr: InstrumentationUnit) =
+ In_Maintenance instr ==> (
+ ~ Is_Tripped T (Set_Mode T Bypass instr)
+ /\ ~ Is_Tripped P (Set_Mode P Bypass instr)
+ /\ ~ Is_Tripped S (Set_Mode S Bypass instr)
+ )
+
+ property step_state_const (inp: Input) (instr: InstrumentationUnit) =
+ instr.mode == instr'.mode
+ /\ instr.setpoints == instr'.setpoints
+ /\ instr.maintenance == instr'.maintenance
+ where instr' = Handle_Input inp instr >>>> Step_Trip_Signals
+
+ // Not connected to a high level requirement
+ property is_ch_trip_correct instr =
+ Is_Tripped T instr == Is_Ch_Tripped (instr.mode @ T) (instr.sensor_trip @ T)
+ /\ Is_Tripped P instr == Is_Ch_Tripped (instr.mode @ P) (instr.sensor_trip @ P)
+ /\ Is_Tripped S instr == Is_Ch_Tripped (instr.mode @ S) (instr.sensor_trip @ S)
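Review bot: The `Table` entry `1469600` (index 36, between `1413200` and `1718600`) breaks the otherwise smooth growth of the table and looks like the wrong row. `PressureTable` indexes by `(temp-35)/5`, so index 36 should be the 215 °F value, whereas 14.696 lb/in^2 is standard atmospheric pressure, i.e. the 212 °F saturation point. The cited source table probably lists 212 °F as an extra row that was copied in place of 215 °F. Since `Saturation` feeds the S-channel trip decision, check this row against the cited steam table and replace it with the 215 °F value. A comment on `Table` giving the first temperature and the step, e.g. `// Row i is the saturation pressure at (35 + 5*i) degrees F`, would make this kind of slip easier to spot.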
diff --git a/models/RTS/Utils.cry b/models/RTS/Utils.cry
new file mode 100644
index 0000000..9660c48
--- /dev/null
+++ b/models/RTS/Utils.cry
@@ -0,0 +1,7 @@
+module RTS::Utils where
+
+infixl 5 >>>>
+(>>>>) x f = f x
+
+numBits: {n} (fin n) => [n] -> Integer
+numBits lst = sum [ if b then 1 else 0 | b <- lst ]
diff --git a/models/check_model.icry b/models/check_model.icry
new file mode 100644
index 0000000..9e7503d
--- /dev/null
+++ b/models/check_model.icry
@@ -0,0 +1,18 @@
+:m RTS::InstrumentationUnit
+:prove
+
+:m RTS::ActuationUnit
+:prove
+
+:m RTS
+:prove sense_to_actuate_0
+:prove sense_to_actuate_1
+
+:prove end_to_end_test T
+:prove end_to_end_test P
+:prove end_to_end_test_non_interference
+:prove test_instrumentation_ok
+:prove test_voting_ok
+
+:set tests = 100000
+:check end_to_end_test S
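Review bot: `end_to_end_test` is proved for `T` and `P` but only randomly tested for `S` (`:check` with 100000 tests), and the script does not say why. The only explanation is the inline `/* not provable if ch == S */` comment in models/RTS.cry, while models/Overview.md claims the properties are provable by SMT "except where indicated". Record the exception next to the `:check` line or in Overview.md, so a passing `make check` is not read as a proof of the saturation channel's self-test. It is also worth confirming that the Cryptol version pinned for this project makes `cryptol -b` exit non-zero when a `:prove` or `:check` fails. If it does not, the `check` target in models/Makefile succeeds even with a falsified property.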
diff --git a/specs/Glossary.sysml b/specs/Glossary.sysml
new file mode 100644
index 0000000..3c67992
--- /dev/null
+++ b/specs/Glossary.sysml
@@ -0,0 +1,277 @@
+package id Glossary 'Project Glossary' {
+ // @design Eliminate all redundancy with concepts in KerML or SysML domain
+ // libraries.
+ private import ScalarValues::*;
+ private import KerML::*;
+
+ part def BlueCheck;
+ /** A formal, state-based specification language that focuses on the
+ specification of the interfaces of discrete modules in a system, and
+ often times includes model-based specification constructs to improve
+ usability and expressivity. */
+ abstract item id BISL 'Behavioral Interface Specification Language';
+ abstract part def Computer;
+ abstract part def Coq;
+ abstract part def Cryptol;
+ abstract item def DevSecOps;
+ abstract item def id DIANC 'Digital Instrumentation and Control Systems';
+ /** The NASA Formal Requirements Elicitation Tool is used to make writing,
+ understanding, and debugging formal requirements natural and
+ intuitive. */
+ part def id FRET 'Formal Requirements Elicitation Tool';
+ /** An Instruction Set Architecture, or ISA for short, is the set of
+ instructions that a given kind of CPU can understand. Example ISAs
+ include x86, x64, MIPS, RISC, RISC-V, AVR, etc. */
+ attribute def id ISA 'Instruction Set Architecture';
+ /** A specification language integrated with support tools and an
+ automated theorem prover, developed at the Computer Science Laboratory
+ of SRI International. PVS is based on a kernel consisting of an
+ extension of Church's theory of types with dependent types, and is
+ fundamentally a classical typed higher-order logic. */
+ part def PVS;
+ /** RISC-V (pronounced ``risk-five'') is an open standard instruction set
+ architecture (ISA) based on established reduced instruction set
+ computer (RISC) principles. Unlike most other ISA designs, the RISC-V
+ ISA is provided under open source licenses that do not require fees to
+ use. A number of companies are offering or have announced RISC-V
+ hardware, open source operating systems with RISC-V support are
+ available and the instruction set is supported in several popular
+ software toolchains. */
+ attribute def RISC_V_ISA :> ISA;
+ /** A formal specification language that uses hierarchical finite state
+ machines to specify system requirements. */
+ part def id RSML 'Requirements State Modeling Language';
+ /** The Boolean satisfiability problem (sometimes called propositional
+ satisfiability problem and abbreviated SAT) is the problem of
+ determining if there exists an interpretation that satisfies a given
+ Boolean formula. */
+ abstract item def SAT;
+ /** The proof script language is used to specify the assumptions and proof
+ goals of formal verifications to the SAW tool. */
+ part def SAWscript;
+ /** A CPU or SoC that is implemented in an HDL and synthesized to a
+ bitstream and loaded onto an FPGA. */
+ abstract item def 'Soft Core' {
+ // size: estimated number of gates
+ // complexity: measured complexity metric
+ // hdls: which HDLs are used in the design
+ }
+ /** A formally defined computer programming language based on the Ada
+ programming language, intended for the development of high integrity
+ software used in systems where predictable and highly reliable
+ operation is essential. It facilitates the development of applications
+ that demand safety, security, or business integrity. */
+ part def SPARK;
+ /** An integrated development environment for formally specifying and
+ rigorously analyzing requirements. */
+ part def SpeAR;
+ /** VCC is a program verification tool that proves correctness of
+ annotated concurrent C programs or finds problems in them. VCC extends
+ C with design by contract features, like pre- and postcondition as
+ well as type invariants. Annotated programs are translated to logical
+ formulas using the Boogie tool, which passes them to an automated SMT
+ solver Z3 to check their validity. */
+ part def id VCC 'Verifier for Concurrent C';
+ /** A software toolchain that includes static analyzers to check
+ assertions about a C program; optimizing compilers to translate a C
+ program to machine language; and operating systems and libraries to
+ supply context for the C program. The Verified Software Toolchain
+ project assures with machine-checked proofs that the assertions
+ claimed at the top of the toolchain really hold in the
+ machine-language program, running in the operating-system context. */
+ part def id VST 'Verified Software Toolchain';
+
+ // Mathematical modeling concepts in RDE.
+ abstract item def Refinement:> Relationship;
+ abstract item def Property:> BooleanExpression;
+ abstract item def 'Safety Property' :> Property;
+ abstract item def 'Correctness Property' :> Property;
+ abstract item def 'Security Property' :> Property;
+ abstract item def Model;
+ abstract item def 'Semi-Formal Model' :> Model;
+ abstract item def 'Formal Model' :> Model;
+ abstract item def Consistent:> Property;
+ abstract item def Complete:> Property;
+ abstract item def 'Consistent Model' :> Consistent, Model;
+ abstract item def 'Complete Model' :> Complete, Model;
+ abstract item def 'Consistent and Complete Model' :> 'Consistent Model', 'Complete Model';
+ abstract item def Denotational;
+ abstract item def Operational;
+ abstract item def Semantics;
+ /** A specification that has a precise, unambiguous, formal semantics
+ grounded in real world formal foundations and systems engineering
+ artifacts, such as source code and hardware designs. */
+ abstract item def Rigorous;
+ abstract item def Deterministic;
+ abstract item def 'Non-deterministic';
+ abstract part def id FM 'Formal Method';
+
+ // Systems modeling concepts in RDE.
+ // @design Probably in KerML or SysML domain libraries.
+ abstract item def Requirement;
+ abstract item def Scenario;
+ abstract item def Product;
+ abstract item def 'Product Line';
+ abstract item def Configure;
+ part def DOORS;
+ part def Clafer;
+ part def Lobot;
+ abstract item def id FSM 'Finite State Machine';
+ abstract item def id DFSM 'Deterministic Finite State Machine'
+ :> FSM, Deterministic;
+ abstract item def id NFSM 'Non-deterministic Finite State Machine'
+ :> FSM, 'Non-deterministic';
+ abstract item def id ASM 'Abstract State Machine';
+ abstract part def Design;
+ abstract part def Architecture;
+ abstract part def Specification;
+ abstract part def 'Architecture Specification' :> Specification;
+ abstract part def System;
+ abstract part def 'Distributed System' :> System;
+ abstract part def 'Concurrent System' :> System;
+ abstract part def Algorithm;
+ abstract part def Program;
+
+ // Concepts related to measurable abstractions of systems.
+ abstract item def Risk;
+ abstract item def Power;
+ abstract item def Resource;
+ abstract item def Reliability;
+
+ // Assurance concepts and techonlogies.
+ abstract item def id CDE 'Collaborative Development Environment';
+ abstract item def id CI 'Continuous Integration';
+ abstract item def id CV 'Continuous Verification';
+ abstract item def Analyzer;
+ abstract item def 'Static Analyzer' :> Analyzer;
+ abstract item def 'Dynamic Analyzer' :> Analyzer;
+ abstract part def Solver;
+ abstract part def id LF 'Logical Framework';
+ abstract item def 'High-Assurance';
+
+ // Concepts relevant to languages and protocols.
+ abstract part def Language;
+ abstract part def 'Specification Language' :> Language;
+ abstract part def Protocol;
+ abstract part def 'System Specification' :> Specification;
+ abstract item def 'Hand-written';
+ abstract item def 'Machine-generated';
+ abstract part def 'Source-level Specification Language'
+ :> 'Specification Language';
+ abstract part def 'Model-based Specification Language'
+ :> 'Specification Language';
+ abstract item def Cryptological;
+ abstract item def 'Cryptographic Protocol' :> Protocol, Cryptological;
+ abstract item def 'Cryptographic Algorithm' :> Algorithm, Cryptological;
+
+ // Software engineering.
+ abstract item def id PL 'Programming Language' :> Language;
+ abstract item def 'Source Code';
+ abstract part def C :> 'Programming Language';
+ abstract part def C_Source :> C, 'Source Code';
+ abstract item def 'Object Code';
+ abstract item def id IR 'Intermediate Representation';
+ abstract item def id LLVM 'Low-Level Virtual Machine' :> IR;
+ abstract item def Compiler {
+ item input: Language[1..*];
+ item output: Language[1..*];
+ }
+
+ // Hardware design.
+ abstract item def Hardware;
+ abstract item def SWaP {
+ // attribute size:
+ // attribute weight:
+ // attribute power:
+ }
+ abstract item def Hard :> SWaP;
+ abstract item def 'Soft Core Hardware' :> Hardware, 'Soft Core';
+ abstract item def 'Physical Hardware' :> Hardware, Hard;
+ abstract part def Synthesizer :> Compiler;
+ abstract item def id HDL 'Hardware Design Language';
+ abstract part def BluespecSystemVerilog :> HDL;
+ abstract part def SystemVerilog :> HDL;
+ abstract part def Verilog :> SystemVerilog;
+ abstract part def Chisel :> HDL;
+ abstract part def id CPU 'Central Processing Unit';
+
+ // Hardware engineering concepts.
+ abstract part def Component;
+ abstract part def Switch :> Component;
+ abstract part def Button :> Component;
+ abstract part def Header :> Component;
+ abstract part def Interface :> Component;
+ abstract part def Connector :> Component;
+ abstract part def Memory :> Component;
+ abstract part def ASIC :> Component;
+ abstract item def id IO 'I/O';
+ abstract part def id GPIO 'General Purpose I/O';
+ abstract part def Sensor;
+ abstract part def 'Temperature Sensor';
+ abstract part def 'Pressure Sensor';
+ abstract part def Actuator;
+ abstract part def Solenoid :> Actuator;
+ abstract item def Bus;
+ abstract part def id USB 'Universal Serial Bus' :> Bus;
+ abstract part def LED;
+ abstract part def Cable;
+ abstract part def id FPGA 'Field-Programmable Gate Array' :> ASIC;
+ abstract part def 'ECP-5' :> FPGA;
+ abstract part def id PCB 'Printed Circuit Board' {
+ part components: Component[*];
+ }
+ abstract part def 'USB Connector' :> USB, Connector;
+ abstract part def id USB_Mini 'USB Mini Connector' :> 'USB Connector';
+ abstract part def PMOD;
+ abstract part def JTAG:> Protocol;
+ abstract part def Driver;
+ port def USB_In {
+ in item 'USB Connector';
+ }
+ port def USB_Out {
+ out item 'USB Connector';
+ }
+ /** A normal USB cable. */
+ abstract part def 'USB Cable' :> USB, Cable {
+ /** What kind of USB connector is on the start of the cable? */
+ port start_connector: USB_In;
+ /** What kind of USB connector is on the end of the cable? */
+ port end_connector: USB_Out;
+ }
+ port def 'Output LED' :> LED;
+
+ // Safety-critical concepts.
+ abstract item def Voting;
+
+ // Artifacts specific to RDE.
+ abstract part def id CryptolSpec 'Cryptol System Specification'
+ :> Cryptol, 'System Specification' {
+ attribute literate: Boolean;
+ }
+ attribute def Languages {
+ attribute languages: String[*];
+ }
+ abstract part def id Impl 'Implementation' {
+ attribute languages: Languages[*];
+ }
+ abstract part def id Software 'Software Implementation'
+ :> Implementation;
+ abstract part def id SWImpl 'Hand-written Software Implementation'
+ :> Software, 'Hand-written';
+ abstract part def id SynthSW 'Synthesized Software Implementation'
+ :> Software, 'Machine-generated';
+ abstract part def 'Hardware Implementation';
+ abstract part def id HWImpl 'Hand-written Hardware Implementation';
+ abstract part def id SynthHW 'Synthesized Hardware Implementation';
+ abstract part def id Binary 'Software Binaries' {
+ attribute verified_compilation: Boolean;
+ attribute secure_compilation: Boolean;
+ attribute isa: ISA;
+ }
+ part def RISCV_Binary :> Binary {
+ // :>> isa = RISC_V_ISA;
+ }
+ abstract part def id Bitstream 'FPGA Bitstream' {
+ attribute proprietary_flow: Boolean;
+ }
+}
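Review bot: In the "Artifacts specific to RDE" block the hardware implementation definitions do not specialize anything, while their software counterparts do (`Software :> Implementation`, `SWImpl :> Software, 'Hand-written'`, `SynthSW :> Software, 'Machine-generated'`). As written, `'Hardware Implementation'`, `HWImpl` and `SynthHW` are unrelated roots, so they neither inherit the `languages` attribute nor carry the hand-written/machine-generated distinction. If the parallel is intended, the lines would read `abstract part def 'Hardware Implementation' :> Implementation;`, `abstract part def id HWImpl 'Hand-written Hardware Implementation' :> 'Hardware Implementation', 'Hand-written';` and `abstract part def id SynthHW 'Synthesized Hardware Implementation' :> 'Hardware Implementation', 'Machine-generated';`. Separately, the section comment "Assurance concepts and techonlogies" has a typo ("technologies").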
diff --git a/specs/HARDENS.sysml b/specs/HARDENS.sysml
new file mode 100644
index 0000000..8eb7697
--- /dev/null
+++ b/specs/HARDENS.sysml
@@ -0,0 +1,697 @@
+/*
+ # Reactor Trip System (RTS) High-assurance Demonstrator
+ ## project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
+ ### copyright (C) 2021 Galois
+ ### author: Joe Kiniry
+*/
+
+/**
+ * The overall shape of the Reactor Trip System (RTS) is an archetypal
+ * *sense-compute-actuate* architecture. Sensors are in the `Sensors`
+ * subsystem. They are read by the `Instrumentation` subsystem, which
+ * contains four separate and independent `Instrumentation`
+ * components. The "Compute" part of the architecture is spread across
+ * the `Actuation Logic` subsystem—which contains the two `Voting`
+ * components which perform the actuation logic itself—and the `Root`
+ * subsystem which contains the core computation and I/O components, and
+ * the two separate and independent devices that drive actuators.
+ */
+package id RTS 'Reactor Trip System' {
+ private import 'Semantic Properties'::*;
+
+ package id Architecture 'RTS Architecture';
+ alias Arch for Architecture;
+ package id Hardware 'RTS Hardware Artifacts';
+ alias HW for Hardware;
+ package id Artifacts 'RTS Implementation Artifacts';
+ package id Requirements 'RTS Requirements';
+ package id Properties 'RTS Properties';
+ alias Props for Properties;
+ package id Characteristics 'IEEE Std 603-2018 Characteristics';
+ comment TopLevelPackages about Architecture, Hardware, Properties, Characteristics
+ /* These are the core top-level subsystems characterizing HARDEN work. */
+}
+
+package id Architecture 'RTS Architecture' {
+ //import RTS::*;
+ //import 'Project Glossary'::*;
+ //import Artifacts::*;
+ //import 'RTS Hardware Artifacts'::*;
+
+ /** Note that this is the *systems* architecture, which is different
+ than our software, hardware, or data architectures. */
+ package id RTS_System_Arch 'RTS System Architecture' {
+
+ package Sensor {
+ private import Quantities::*;
+
+ /** Generic sensor port */
+ port def SensorOutPort {
+ out value : ScalarQuantityValue;
+ }
+
+ /** Generic sensor */
+ part def GenericSensor {
+ attribute currentValue : ScalarQuantityValue;
+ port output: SensorOutPort;
+ }
+
+ part def Demux {
+ port input: ~SensorOutPort;
+ // Using vector notation doesn't seem to work in connections
+ port output1: SensorOutPort;
+ port output2: SensorOutPort;
+ }
+ }
+
+ package TempSensor {
+ import Sensor::*;
+ import ISQThermodynamics::TemperatureValue;
+
+ /** Temperature port */
+ port def TemperatureOutPort :> SensorOutPort {
+ redefines value: TemperatureValue;
+ }
+
+ /** A sensor that is capable of measuring the temperature of its environment. */
+ part def 'Temperature Sensor' :> GenericSensor {
+ /** What is your temperature reading in Celsius (C)? */
+ redefines currentValue: TemperatureValue;
+ redefines output: TemperatureOutPort;
+ }
+
+ part def TempDemux :> Demux {
+ redefines input: ~TemperatureOutPort;
+ redefines output1: TemperatureOutPort;
+ redefines output2: TemperatureOutPort;
+ }
+ }
+
+ package PressureSensor {
+ import Sensor::*;
+ import ISQMechanics::PressureValue;
+
+ /** Pressure port */
+ port def PressureOutPort :> SensorOutPort {
+ redefines value: PressureValue;
+ }
+
+ /** A sensor that is capable of measuring the air pressure of its environment. */
+ part def 'Pressure Sensor' :> GenericSensor {
+ /** What is your pressure reading in Pascal (P)? */
+ redefines currentValue: PressureValue;
+ redefines output: PressureOutPort;
+ }
+
+ part def PressureDemux :> Demux {
+ redefines input: ~PressureOutPort;
+ redefines output1: PressureOutPort;
+ redefines output2: PressureOutPort;
+ }
+ }
+
+ package Instrumentation {
+ import ScalarValues::Real;
+ import ScalarValues::Boolean;
+ import TempSensor::*;
+ import PressureSensor::*;
+
+ port def TripPort {
+ out trip : Boolean;
+ }
+
+ port def BypassPort {
+ out trip : Boolean;
+ }
+
+ enum def TripMode {
+ enum Bypass;
+ enum Operate;
+ enum Manual;
+ }
+
+ enum def Channel {
+ enum Temperature;
+ enum Pressure;
+ enum Saturation;
+ }
+
+ attribute def TripModeCommand {
+ attribute mode: TripMode;
+ attribute channel: Channel;
+ }
+
+ port def TripModePort {
+ out mode: TripModeCommand;
+ }
+
+ part def InstrumentationUnit {
+ // setpoints
+ attribute tempSetpoint : TemperatureValue;
+ attribute pressureSetpoint : PressureValue;
+ attribute saturationLimit : Real;
+
+ // mode selectors
+ attribute maintenanceMode : Boolean;
+ attribute temperatureTripMode: TripMode;
+ attribute pressureTripMode: TripMode;
+ attribute saturationTripMode: TripMode;
+
+
+ // Inputs
+ port temperatureInput: ~TemperatureOutPort;
+ port pressureInput: ~PressureOutPort;
+ port tripMode: ~TripModePort;
+
+ // Outputs
+ port pressureTripOut:TripPort;
+ port temperatureTripOut:TripPort;
+ port saturationTripOut:TripPort;
+
+ port setMaintenanceMode: ~EventControl::MaintenancePort;
+
+ port newTemperatureSetpoint: ~TemperatureOutPort;
+ port newPressureSetpoint: ~PressureOutPort;
+ port newSaturationSetpoint : ~SensorOutPort;
+ }
+ }
+
+ package Actuation {
+ import Instrumentation::*;
+
+ port def ActuationPort {
+ out actuate: Boolean;
+ }
+
+ part def CoincidenceLogic {
+ port channel1: ~TripPort;
+ port channel2: ~TripPort;
+ port channel3: ~TripPort;
+ port channel4: ~TripPort;
+ port actuate: ActuationPort;
+ }
+ part def OrLogic {
+ port channel1: ~TripPort;
+ port channel2: ~TripPort;
+ port actuate: ActuationPort;
+ }
+
+ part def ActuationUnit {
+ part temperatureLogic : CoincidenceLogic;
+ part pressureLogic : CoincidenceLogic;
+ part saturationLogic : CoincidenceLogic;
+
+ part tempPressureTripOut: OrLogic;
+
+ connect temperatureLogic.actuate to tempPressureTripOut.channel1;
+ connect pressureLogic.actuate to tempPressureTripOut.channel2;
+ }
+ part def Actuator {
+ // Actuate if either of these are true
+ port input: ActuationPort;
+ port manualActuatorInput: ~ActuationPort;
+ }
+ }
+
+ package EventControl {
+ import ScalarValues::Boolean;
+
+ port def MaintenancePort {
+ out maintenance: Boolean;
+ }
+
+ part def ControlUnit {
+ // Maintenance mode select x 4 instrumentation units
+ port maintenanceMode: MaintenancePort[4];
+ // Trip mode select x 4 instrumentation units
+ port tripMode: Instrumentation::TripModePort[4];
+ // New setpoints x 4 instrumentation units
+ port newPressureSetpoint: PressureSensor::PressureOutPort[4];
+ port newTemperatureSetpoint: TempSensor::TemperatureOutPort[4];
+ port newSaturationSetpoint: PressureSensor::PressureOutPort[4];
+ // Toggle actuator x2 actuators
+ port manualActuatorInput: Actuation::ActuationPort[2];
+ }
+ }
+
+ part RTS {
+ part eventControl : EventControl::ControlUnit;
+
+ import Instrumentation::*;
+ part instrumentationAndSensing {
+ part pressureSensor1 : PressureSensor::'Pressure Sensor';
+ part pressureSensor2 : PressureSensor::'Pressure Sensor';
+
+ part tempSensor1 : TempSensor::'Temperature Sensor';
+ part tempSensor2 : TempSensor::'Temperature Sensor';
+
+ part instrumentationUnit1 : InstrumentationUnit;
+ part instrumentationUnit2 : InstrumentationUnit;
+ part instrumentationUnit3 : InstrumentationUnit;
+ part instrumentationUnit4 : InstrumentationUnit;
+
+ part tempDemux1 : TempSensor::Demux;
+ part tempDemux2 : TempSensor::Demux;
+
+ part pressureDemux1 : PressureSensor::Demux;
+ part pressureDemux2 : PressureSensor::Demux;
+
+ // Temp sensor 1
+ connect tempSensor1.output to tempDemux1.input;
+ connect tempDemux1.output1 to instrumentationUnit1.temperatureInput;
+ connect tempDemux1.output2 to instrumentationUnit2.temperatureInput;
+
+ // Temp sensor 2
+ connect tempSensor2.output to tempDemux2.input;
+ connect tempDemux2.output1 to instrumentationUnit3.temperatureInput;
+ connect tempDemux2.output2 to instrumentationUnit4.temperatureInput;
+
+ // Pressure sensor 1
+ connect pressureSensor1.output to pressureDemux1.input;
+ connect pressureDemux1.output1 to instrumentationUnit1.pressureInput;
+ connect pressureDemux1.output2 to instrumentationUnit2.pressureInput;
+
+ // Pressure sensor 2
+ connect pressureSensor2.output to pressureDemux2.input;
+ connect pressureDemux1.output1 to instrumentationUnit3.pressureInput;
+ connect pressureDemux1.output2 to instrumentationUnit4.pressureInput;
+ }
+
+
+ import Actuation::*;
+ part actuation {
+ part actuationUnit1: ActuationUnit;
+ part actuationUnit2: ActuationUnit;
+
+ part actuator1 : Actuator;
+ part actuator2 : Actuator;
+
+ part actuateActuator1: OrLogic;
+ part actuateActuator2: OrLogic;
+
+ // connect actuators
+ // Actuator 1 - temp or pressure trip
+ connect actuationUnit1.tempPressureTripOut.actuate to actuateActuator1.channel1;
+ connect actuationUnit2.tempPressureTripOut.actuate to actuateActuator1.channel2;
+ connect actuateActuator1.actuate to actuator1.input;
+
+ // Actuator 2 - Saturation
+ connect actuationUnit1.saturationLogic.actuate to actuateActuator2.channel1;
+ connect actuationUnit2.saturationLogic.actuate to actuateActuator2.channel2;
+ connect actuateActuator2.actuate to actuator2.input;
+ }
+
+ // connect Control units
+ // Actuators manual override
+ connect eventControl.manualActuatorInput[1] to actuation.actuator1.manualActuatorInput;
+ connect eventControl.manualActuatorInput[2] to actuation.actuator2.manualActuatorInput;
+
+ // Instrumentation mode select
+ connect eventControl.maintenanceMode[1] to instrumentationAndSensing.instrumentationUnit1.setMaintenanceMode;
+ connect eventControl.maintenanceMode[2] to instrumentationAndSensing.instrumentationUnit2.setMaintenanceMode;
+ connect eventControl.maintenanceMode[3] to instrumentationAndSensing.instrumentationUnit3.setMaintenanceMode;
+ connect eventControl.maintenanceMode[4] to instrumentationAndSensing.instrumentationUnit4.setMaintenanceMode;
+
+
+ // Instrumentation pressure setpoint
+ connect eventControl.newPressureSetpoint[1] to instrumentationAndSensing.instrumentationUnit1.newPressureSetpoint;
+ connect eventControl.newPressureSetpoint[2] to instrumentationAndSensing.instrumentationUnit2.newPressureSetpoint;
+ connect eventControl.newPressureSetpoint[3] to instrumentationAndSensing.instrumentationUnit3.newPressureSetpoint;
+ connect eventControl.newPressureSetpoint[4] to instrumentationAndSensing.instrumentationUnit4.newPressureSetpoint;
+
+ // Instrumentation temperature setpoint
+ connect eventControl.newTemperatureSetpoint[1] to instrumentationAndSensing.instrumentationUnit1.newTemperatureSetpoint;
+ connect eventControl.newTemperatureSetpoint[2] to instrumentationAndSensing.instrumentationUnit2.newTemperatureSetpoint;
+ connect eventControl.newTemperatureSetpoint[3] to instrumentationAndSensing.instrumentationUnit3.newTemperatureSetpoint;
+ connect eventControl.newTemperatureSetpoint[4] to instrumentationAndSensing.instrumentationUnit4.newTemperatureSetpoint;
+
+ // Instrumentation saturation setpoint
+ connect eventControl.newSaturationSetpoint[1] to instrumentationAndSensing.instrumentationUnit1.newSaturationSetpoint;
+ connect eventControl.newSaturationSetpoint[2] to instrumentationAndSensing.instrumentationUnit2.newSaturationSetpoint;
+ connect eventControl.newSaturationSetpoint[3] to instrumentationAndSensing.instrumentationUnit3.newSaturationSetpoint;
+ connect eventControl.newSaturationSetpoint[4] to instrumentationAndSensing.instrumentationUnit4.newSaturationSetpoint;
+
+ // Instrumentation trip mode
+ // Bypass temperature
+ connect eventControl.tripMode[1] to instrumentationAndSensing.instrumentationUnit1.tripMode;
+ connect eventControl.tripMode[2] to instrumentationAndSensing.instrumentationUnit2.tripMode;
+ connect eventControl.tripMode[3] to instrumentationAndSensing.instrumentationUnit3.tripMode;
+ connect eventControl.tripMode[4] to instrumentationAndSensing.instrumentationUnit4.tripMode;
+
+ // Trip on pressure above the setpoint
+ // Actuation unit 1
+ connect instrumentationAndSensing.instrumentationUnit1.pressureTripOut to actuation.actuationUnit1.pressureLogic.channel1;
+ connect instrumentationAndSensing.instrumentationUnit2.pressureTripOut to actuation.actuationUnit1.pressureLogic.channel2;
+ connect instrumentationAndSensing.instrumentationUnit3.pressureTripOut to actuation.actuationUnit1.pressureLogic.channel3;
+ connect instrumentationAndSensing.instrumentationUnit4.pressureTripOut to actuation.actuationUnit1.pressureLogic.channel4;
+ // Actuation unit 2
+ connect instrumentationAndSensing.instrumentationUnit1.pressureTripOut to actuation.actuationUnit2.pressureLogic.channel1;
+ connect instrumentationAndSensing.instrumentationUnit2.pressureTripOut to actuation.actuationUnit2.pressureLogic.channel2;
+ connect instrumentationAndSensing.instrumentationUnit3.pressureTripOut to actuation.actuationUnit2.pressureLogic.channel3;
+ connect instrumentationAndSensing.instrumentationUnit4.pressureTripOut to actuation.actuationUnit2.pressureLogic.channel4;
+
+ // Trip on temperature above the setpoint
+ // Actuation unit 1
+ connect instrumentationAndSensing.instrumentationUnit1.temperatureTripOut to actuation.actuationUnit1.temperatureLogic.channel1;
+ connect instrumentationAndSensing.instrumentationUnit2.temperatureTripOut to actuation.actuationUnit1.temperatureLogic.channel2;
+ connect instrumentationAndSensing.instrumentationUnit3.temperatureTripOut to actuation.actuationUnit1.temperatureLogic.channel3;
+ connect instrumentationAndSensing.instrumentationUnit4.temperatureTripOut to actuation.actuationUnit1.temperatureLogic.channel4;
+ // Actuation unit 2
+ connect instrumentationAndSensing.instrumentationUnit1.temperatureTripOut to actuation.actuationUnit2.temperatureLogic.channel1;
+ connect instrumentationAndSensing.instrumentationUnit2.temperatureTripOut to actuation.actuationUnit2.temperatureLogic.channel2;
+ connect instrumentationAndSensing.instrumentationUnit3.temperatureTripOut to actuation.actuationUnit2.temperatureLogic.channel3;
+ connect instrumentationAndSensing.instrumentationUnit4.temperatureTripOut to actuation.actuationUnit2.temperatureLogic.channel4;
+
+ // Trip on saturation above the setpoint
+ // Actuation unit 1
+ connect instrumentationAndSensing.instrumentationUnit1.saturationTripOut to actuation.actuationUnit1.saturationLogic.channel1;
+ connect instrumentationAndSensing.instrumentationUnit2.saturationTripOut to actuation.actuationUnit1.saturationLogic.channel2;
+ connect instrumentationAndSensing.instrumentationUnit3.saturationTripOut to actuation.actuationUnit1.saturationLogic.channel3;
+ connect instrumentationAndSensing.instrumentationUnit4.saturationTripOut to actuation.actuationUnit1.saturationLogic.channel4;
+ // Actuation unit 2
+ connect instrumentationAndSensing.instrumentationUnit1.saturationTripOut to actuation.actuationUnit2.saturationLogic.channel1;
+ connect instrumentationAndSensing.instrumentationUnit2.saturationTripOut to actuation.actuationUnit2.saturationLogic.channel2;
+ connect instrumentationAndSensing.instrumentationUnit3.saturationTripOut to actuation.actuationUnit2.saturationLogic.channel3;
+ connect instrumentationAndSensing.instrumentationUnit4.saturationTripOut to actuation.actuationUnit2.saturationLogic.channel4;
+
+
+ }
+ } // package id RTS_System_Arch 'RTS System Architecture'
+} // package id Architecture 'RTS Architecture'
+
+/**
+ * This RTS architecture specification includes all of the core
+ * concepts inherent to NPP Instrumentation and Control systems.
+ * A system architecture specification often includes a software,
+ * hardware, network, and data architecture specifications.
+ */
+package id Architecture 'RTS Architecture' {
+ private import 'Project Glossary'::*;
+
+ /**
+ * Note that this is the *systems* architecture, which is different
+ * than our software, hardware, or data architectures.
+ */
+ package id RTS_System_Arch 'RTS System Architecture' {
+
+ package Sensor {
+ private import Quantities::*;
+
+ /** Generic sensor port */
+ port def SensorOutPort {
+ out value : ScalarQuantityValue;
+ }
+
+ /** Generic sensor */
+ part def GenericSensor :> Sensor {
+ attribute currentValue : ScalarQuantityValue;
+ port output: SensorOutPort;
+ }
+
+ /**
+ * A demultiplexer for sending one sensor signal to multiple
+ * outputs.
+ */
+ part def Demux {
+ port input: ~SensorOutPort;
+ // Using vector notation doesn't seem to work in connections
+ port output1: SensorOutPort;
+ port output2: SensorOutPort;
+ }
+ }
+
+ /** A generic temperature sensor. */
+ package TempSensor {
+ private import Sensor::*;
+ private import ISQThermodynamics::TemperatureValue;
+
+ /** Temperature port */
+ port def TemperatureOutPort :> SensorOutPort {
+ redefines value: TemperatureValue;
+ }
+
+ /** A sensor that is capable of measuring the temperature of its environment. */
+ part def 'Temperature Sensor' :> GenericSensor {
+ /** What is your temperature reading in Celsius (C)? */
+ redefines currentValue: TemperatureValue;
+ redefines output: TemperatureOutPort;
+ }
+
+ part def TempDemux :> Demux {
+ redefines input: ~TemperatureOutPort;
+ redefines output1: TemperatureOutPort;
+ redefines output2: TemperatureOutPort;
+ }
+ }
+
+ /** A generic pressure sensor. */
+ package PressureSensor {
+ private import Sensor::*;
+ private import ISQMechanics::PressureValue;
+
+ /** Pressure port */
+ port def PressureOutPort :> SensorOutPort {
+ redefines value: PressureValue;
+ }
+
+ /** A sensor that is capable of measuring the air pressure of its environment. */
+ part def 'Pressure Sensor' :> GenericSensor {
+ /** What is your pressure reading in Pascal (P)? */
+ redefines currentValue: PressureValue;
+ redefines output: PressureOutPort;
+ }
+
+ part def PressureDemux :> Demux {
+ redefines input: ~PressureOutPort;
+ redefines output1: PressureOutPort;
+ redefines output2: PressureOutPort;
+ }
+ }
+
+ /**
+ * The Instrumentation subsystem contains all of the sensors for an
+ * NPP I&C system.
+ */
+ package Instrumentation {
+ private import ScalarValues::Real;
+ private import ScalarValues::Boolean;
+ private import TempSensor::*;
+ private import PressureSensor::*;
+
+ port def TripPort {
+ out trip : Boolean;
+ }
+ package Actuators {
+ part 'Actuator'[2];
+ }
+ package Sensors {
+ part TS: 'Temperature Sensor'[2];
+ part PS: 'Pressure Sensor'[2];
+ }
+ }
+ }
+}
+
+package id Artifacts 'RTS Implementation Artifacts' {
+ private import ScalarValues::*;
+ private import 'Project Glossary'::*;
+
+ // @design Remove concepts in general Glossary that duplicate or
+ // overlap with these concepts. Move abstract items to Glossary.
+ part def id CryptolToC 'Cryptol Software Compiler':> Compiler {
+ ref item input: CryptolSpec redefines input;
+ ref item output: C_Source redefines output;
+ }
+ part def id CryptolToSystemVerilog 'Cryptol Hardware Compiler':> Compiler {
+ ref item input: CryptolSpec redefines input;
+ ref item output: SystemVerilog redefines output;
+ }
+ part def id CPU 'COTS High-Assurance RV32I RISC-V CPU':> CPU, RISC_V_ISA;
+ part def id CompCert 'CompCert Compiler':> Compiler {
+ ref item input: C_Source redefines input;
+ ref item output: RISCV_Binary redefines output;
+ }
+ part def id BSC 'Bluespec Compiler':> Compiler {
+ ref item input: BluespecSystemVerilog redefines input;
+ ref item output: SystemVerilog redefines output;
+ }
+ part def id SymbiFlow 'SymbiFlow Synthesizer' :> Synthesizer {
+ ref item input: SystemVerilog redefines input;
+ ref item output: Bitstream redefines output;
+ }
+ part def id RTL 'Demonstrator Verilog';
+ part def 'Demonstrator Bitstream':> Bitstream;
+ package id Dataflow 'Dataflow of RTS Implementation Artifacts' {
+ private import 'RTS Implementation Artifacts'::*;
+
+ part def 'HARDENS Cryptol System Specification':> CryptolSpec {
+ // :>> literate = true;
+ }
+ // bind 'HARDENS Cryptol System Specification'.output = CryptolToC.input;
+ }
+}
+
+/**
+ * The physical hardware components that are a part of the HARDENS RTS
+ * demonstrator.
+ */
+package 'RTS Hardware Artifacts' {
+ private import 'Project Glossary'::*;
+ //import Architecture::RTS_System_Arch::Hardware::*;
+ private import ScalarValues::*;
+
+ part def 'SERDES Test SMA Connector' :> Connector;
+ part def 'Parallel Config Header' :> Header;
+ part def 'Versa Expansion Connector' :> Connector;
+ part def 'SPI Flag Configuration Memory' :> Memory;
+ part def 'CFG Switch' :> Switch;
+ part def 'Input Switch' :> Switch;
+ part def 'Output LED' :> LED;
+ part def 'Input Push Button' :> Button;
+ part def '12 V DC Power Input' :> Power;
+ part def 'GPIO Headers' :> Header, GPIO;
+ part def 'PMOD/GPIO Header' :> Header, PMOD, GPIO;
+ part def 'Microphone Board/GPIO Header' :> Header;
+ part def 'ECP5-5G Device' :> FPGA;
+ // @todo Ensure that JTAG is, in fact, USB.
+ part def 'JTAG Interface' :> JTAG, USB;
+ part def 'Mini USB Programming' :> USB;
+ part def id DevBoard 'Lattice ECP-5 FPGA Development Board' :> PCB {
+ part J9_J26 : 'SERDES Test SMA Connector'[16] subsets components;
+ part J38 : 'Parallel Config Header' subsets components;
+ part J39_J40 : 'Versa Expansion Connector'[2] subsets components;
+ part U4 : 'SPI Flag Configuration Memory' subsets components;
+ part SW1 : 'CFG Switch' subsets components;
+ part SW5 : 'Input Switch' subsets components;
+ part D5_D12 : 'Output LED'[8] subsets components;
+ part SW2_SW4 : 'Input Push Button'[3] subsets components;
+ part J37 : '12 V DC Power Input' subsets components;
+ part J5_J8_J32_J33 : 'GPIO Headers'[4] subsets components;
+ part J31 : 'PMOD/GPIO Header' subsets components;
+ part J30 : 'Microphone Board/GPIO Header' subsets components;
+ part 'Prototype Area';
+ part U3 : 'ECP5-5G Device' subsets components;
+ part J1 : 'JTAG Interface' subsets components;
+ part J2 : 'Mini USB Programming' subsets components;
+ }
+
+ enum def SolenoidState {
+ OPEN;
+ CLOSED;
+ }
+ /** A solenoid actuator capable of being in an open or closed state. */
+ part def 'Solenoid Actuator':> Actuator {
+ item actuator_state;
+ /** Open! */
+ port open;
+ /** Close! */
+ port close;
+ }
+}
+
+///** The physical architecture of the HARDENS RTS demonstrator. */
+//package 'Physical Architecture' {
+// import 'Project Glossary'::*;
+// import 'RTS Hardware Artifacts'::*;
+//
+// /** A PCB developer board used to prototype hardware. */
+// part 'HARDENS Demonstrator Board' : DevBoard;
+// /** The USB cable used to communicate the ASCII UI to/from the board. */
+// part id UI_C 'USB UI Cable' : 'USB Cable';
+// /** The USB cable used to program the board with a bitstream. */
+// part id Prog_C 'USB Programming Cable' : 'USB Cable';
+// /** The USB cable used to interact with the board in a debugger. */
+// part id Debug_C 'USB Debugging I/O Cable' : 'USB Cable';
+// // @trace #11 https://github.com/GaloisInc/HARDENS/issues/11
+// // @todo Add attributes for URL traceability.
+// part def id MPL3115A2 'SparkFun Altitude/Pressure Sensor Breakout' :>
+// PCB, 'Pressure Sensor';
+// // 4x https://www.sparkfun.com/products/11084
+// part def 'SparkFun MOSFET Power Control Kit' :> PCB, Power;
+// // 4x https://www.sparkfun.com/products/12959
+// part def id TMP102 'SparkFun Digital Temperature Sensor Breakout' :>
+// PCB, 'Temperature Sensor';
+// // 4x https://www.sparkfun.com/products/13314
+// part def 'Small Push-Pull Solenoid - 12VDC' :> 'Solenoid Actuator';
+// // 4x https://www.adafruit.com/product/412
+// part def '1N4001 Diode';
+// // 1x https://www.adafruit.com/product/755
+// /** The first of two redundant temperature sensors. */
+// part id TS1 'Temperature Sensor 1' : TMP102;
+// /** The second of two redundant temperature sensors. */
+// part id TS2 'Temperature Sensor 2' : TMP102;
+// /** The first of two redundant pressure sensors. */
+// part id PS1 'Pressure Sensor 1' : MPL3115A2;
+// /** The second of two redundant pressure sensors. */
+// part id PS2 'Pressure Sensor 2' : MPL3115A2;
+// /** The first of two redundant solenoid actuators. */
+// part id SA1 'Solenoid Actuator 1' : 'Small Push-Pull Solenoid - 12VDC';
+// /** The second of two redundant solenoid actuators. */
+// part id SA2 'Solenoid Actuator 2' : 'Small Push-Pull Solenoid - 12VDC';
+// // @todo kiniry Add ports for external connectors.
+//
+// /** The computer used by a developer to interface with the demonstrator,
+// typically for driving the demonstrator's UI and programming and
+// debugging the board. */
+// part def 'Developer Machine':> Computer;
+//
+// /** The fully assembled HARDENS demonstrator hardware with all component present. */
+// part id Demonstrator 'HARDENS Demonstrator';
+//
+// connection def DevMachineToDevBoard {
+// end: Computer;
+// end: PCB;
+// }
+// connection: DevMachineToDevBoard connect 'Developer Machine' to Board;
+}
+
+/**
+ * All requirements that the RTS system must fulfill, as driven by the
+ * IEEE 603-2018 standards and the NRC RFP.
+ */
+package id Requirements 'RTS Requirements' {
+ // Note that we do not specify documentation comments here as they
+ // are specified in the Lando specification. If we do not include
+ // additional specifications here on the refinement from the higher-level
+ // specification (in this case, SysML refines Lando), then the higher-level
+ // specification's comments/specifications refine too (an hence are
+ // just copied verbatim).
+ package id Requirements 'HARDENS Project High-level Requirements' {
+ requirement def 'NRC Understanding';
+ requirement def 'Identify Regulatory Gaps';
+ requirement def Demonstrate;
+ requirement def 'Demonstrator Parts';
+ requirement 'Demonstrator Groundwork';
+ }
+ package id Characteristics 'NRC Characteristics' {
+ requirement def 'Requirements Consistency';
+ requirement def 'Requirements Colloquial Completeness';
+ requirement def 'Requirements Formal Completeness';
+ requirement def 'Instrumentation Independence';
+ requirement def 'Channel Independence';
+ requirement def 'Actuation Independence';
+ requirement def 'Actuation Correctness';
+ requirement def 'Self-Test/Trip Independence';
+ }
+}
+
+/**
+ * All correctness and security properties of the RTS system are
+ * specified in this subsystem.
+ */
+package id Properties 'RTS Properties' {
+}
+
+/**
+ * The IEEE 603-2018 requirements (known as "characteristics" in
+ * the standard) which the RTS demonstrator system must fulfill.
+ */
+package id Characteristics 'IEEE Std 603-2018 Characteristics' {
+}
+
+/**
+ * The IEEE 603-2018 requirements (known as "characteristics" in
+ * the standard) which the RTS demonstrator system must fulfill.
+ */
+package id Characteristics 'IEEE Std 603-2018 Characteristics' {
+}
diff --git a/specs/Makefile b/specs/Makefile
new file mode 100644
index 0000000..5d70a0f
--- /dev/null
+++ b/specs/Makefile
@@ -0,0 +1,22 @@
+.PHONY: all validate
+
+all: validate
+
+validate: validate_lando validate_lobot
+
+validate_lando:
+ lando validate RTS.lando
+ lando validate acronyms.lando
+ lando validate architecture.lando
+ lando validate dataflow.lando
+ lando validate events.lando
+ lando validate glossary.lando
+ lando validate hardware.lando
+ lando validate instrumentation.lando
+ lando validate project_requirements.lando
+ lando validate requirements.lando
+ lando validate test_scenarios.lando
+ lando validate tool_scenarios.lando
+
+validate_lobot:
+ lobot RTS.lobot
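Review bot: The `.PHONY` line declares only `all` and `validate`, so `validate_lando` and `validate_lobot` are still treated as file targets. If a file with either name ever appears in `specs/`, make will consider that target up to date and skip the validation without reporting anything. Declaring them as well closes that gap: `.PHONY: all validate validate_lando validate_lobot`.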
diff --git a/specs/README.md b/specs/README.md
new file mode 100644
index 0000000..ab4947f
--- /dev/null
+++ b/specs/README.md
@@ -0,0 +1,17 @@
+# HARDENS specifications
+
+This directory contains the specifications for the HARDENS Reactor Trip System:
+
+- The high level project requirements and domain model specified in Lando (`*.lando` files), validated
+ by `lando validate`; see [](./Makefile)
+- The project feature model [](./RTS.lobot) specified as a Lobot file (see [](./Makefile))
+- The system architecture in SysMLv2 (`*.sysml` files); see [](../README.md) for
+ information on setting up an environment for viewing SysMLv2 files.
+
+- The system requriements specified in FRET
+ [](./RTS_Requirements.json).
+
+ To view the requirements, install FRET
+ and import the [requirements](./RTS_Requirements.json). At the moment, to
+ realizability checking requires the user to indicate the type of each variable
+ and whether it is an input or output.
diff --git a/specs/RTS.lando b/specs/RTS.lando
new file mode 100644
index 0000000..497d1d6
--- /dev/null
+++ b/specs/RTS.lando
@@ -0,0 +1,48 @@
+// title: Reactor Trip System high-assurance demonstrator.
+// project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
+// copyright (C) 2021 Galois
+// author: Joe Kiniry
+
+system Reactor Trip System (RTS)
+The overall shape of the Reactor Trip System (RTS) is an archetypal
+*sense-compute-actuate* architecture. Sensors are in the `Sensors`
+subsystem. They are read by the `Instrumentation` subsystem, which
+contains four separate and independent `Instrumentation`
+components. The "Compute" part of the architecture is spread across
+the `Actuation Logic` subsystem—which contains the two `Voting`
+components which perform the actuation logic itself—and the `Root`
+subsystem which contains the core computation and I/O components, and
+the two separate and independent devices that drive actuators.
+
+subsystem RTS Architecture (Architecture)
+This RTS architecture specification includes all of the core
+concepts inherent to NPP Instrumentation and Control systems.
+A system architecture specification often includes a software,
+hardware, network, and data architecture specifications.
+
+subsystem RTS Hardware Artifacts (Hardware)
+The physical hardware components that are a part of the HARDENS RTS
+demonstrator.
+
+subsystem RTS Implementation Artifacts (Implementation)
+A summary of the tools, technologies, specifications, and implementations
+relevant to this high-assurance demonstrator's development and assurance.
+
+subsystem RTS Requirements (Requirements)
+All requirements that the RTS system must fulfill, as driven by the
+IEEE 603-2018 standards and the NRC RFP.
+
+subsystem RTS Properties (Properties)
+All correctness and security properties of the RTS system are
+specified in this subsystem.
+
+subsystem IEEE Std 603-2018 Characteristics (Characteristics)
+The IEEE 603-2018 requirements (known as "characteristics" in
+the standard) which the RTS demonstrator system must fulfill.
+
+relation RTS contains Architecture
+relation RTS contains Hardware
+relation RTS contains Properties
+relation RTS contains Characteristics
+
+// Properties
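Review bot: The `relation RTS contains …` list at the end covers Architecture, Hardware, Properties and Characteristics, but not the `Implementation` and `Requirements` subsystems declared above it. Unless that omission is deliberate, the containment model leaves the requirements subsystem detached from the system it constrains. Adding `relation RTS contains Implementation` and `relation RTS contains Requirements` would match the declarations. The trailing `// Properties` comment introduces nothing; either fill it in or drop it.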
diff --git a/specs/RTS.lobot b/specs/RTS.lobot
new file mode 100644
index 0000000..61eddce
--- /dev/null
+++ b/specs/RTS.lobot
@@ -0,0 +1,151 @@
+-- title: Reactor Trip System high-assurance demonstrator.
+-- project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
+-- copyright (C) 2021 Galois
+-- author: Joe Kiniry
+
+nat : kind of int where self >= 0
+
+-- Our development platforms for running the RTS demonstrator in a
+-- fully virtualized (Twin) mode. If we choose to target a real RV32,
+-- then we will be running on the bare metal.
+
+type virtualized_platform_runtime =
+ { MacOS, Linux, RV32_bare_metal, None }
+
+-- The developer boards we have to choose from. We are using the
+-- ECP-5 5G 85F variant of the Lattice Semiconductor dev board, and if
+-- we choose to put the demonstrator on a real RV32, we will likely
+-- use the Vega board.
+
+type dev_board =
+ { LFE5UM5G_85F_EVN, RV32M1_VEGA, None }
+
+-- The ECP-5 FPGA comes in several flavors. We are using the 5G
+-- variant for this project. Other variants should be able to use the
+-- exact same build chain.
+
+type fpga =
+ { ECP5, ECP5_5G }
+
+-- We can assign an assurance level of every sub-component of the
+-- system. This definition is made here to provide an enumeration of
+-- assurance levels which we will assign/update later as assurance
+-- work goes on.
+
+type assurance_level =
+ { None, Low, Medium, High }
+
+-- Every subsystem and the system overall is realized either by a
+-- physical component (e.g., a real sensor, actuator, or FPGA) or a
+-- "Digital Twin", which is a simulation/emulation of the component in
+-- question.
+
+type twin_or_physical =
+ { Twin, Physical }
+
+-- Twins come in different fidelity levels.
+
+-- "Perfect" fidelity means that our simulator/emulation is capable of
+-- executing the actual software/hardware of the system, subsystem, or
+-- component in such detail that all requirements can be validated or
+-- verified in the twin as accurately as in the physical realization.
+
+-- "High" fidelity means that we are executing the actual
+-- software/hardware in question in a simulator or emulator that
+-- replicates most, but not all, of the underlying functionality and
+-- behavior of the device in question. For example, a cycle-accurate
+-- Verilog simulator is high-fidelity, but is not "Perfect" fidelity
+-- if we are concerned about EM side-channels.
+
+-- A "Medium" fidelity twin also executes the actual
+-- software/hardware, but elides non-behavioral properties that are
+-- critical to fulfilling all system requirements. A hardware virtual
+-- platform (VP) or an event-based Verilog simulator or emulator are
+-- two examples of medium-fidelity digital twin environments.
+
+-- A "Low" fidelity twin is an executable model that is usually fully
+-- decoupled from the implementation. In order for the model to be
+-- refinement-consistent with regards to more concrete models or the
+-- software/hardware implementation, all measurable properties of the
+-- model which relate to system requirements must hold through the
+-- refinement.
+
+type twin_fidelity =
+ { Low, Medium, High, Perfect }
+
+-- The feature model of the RTS demonstrator itself.
+
+-- The cost of a demonstrator is expressed in U.S. dollars and is
+-- based upon the value of the board plus all physical devices that
+-- are attached. A purely virtualized RTS demonstrator has zero
+-- hardware cost.
+-- @todo Refine the definition of cost to be precise with regards
+-- to components chosen by the team.
+
+rts : kind of struct
+ with -- Which development board is being used?
+ board : dev_board
+ -- How much does the hardware for this demonstrator cost in USD?
+ cost : nat
+ -- What level of assurance does the demonstrator have overall?
+ assurance : assurance_level
+ -- Is the FPGA being twinned via a Verilog simulator/emulator?
+ soc : twin_or_physical
+ -- Is the first tempurature sensor a twin or physically present?
+ ts1 : twin_or_physical
+ -- Is the second tempurature sensor a twin or physically present?
+ ts2 : twin_or_physical
+ -- Is the first pressure sensor a twin or physically present?
+ ps1 : twin_or_physical
+ -- Is the second pressure sensor a twin or physically present?
+ ps2 : twin_or_physical
+ -- Is the first actuator a twin or physically present?
+ sa1 : twin_or_physical
+ -- Is the second actuator a twin or physically present?
+ sa2 : twin_or_physical
+ -- Are all devices twins?
+ all_devices_twins : bool
+ -- Is this instance of the RTS fully virtualized and running only in software?
+ virtualized_platform_rt : bool
+ -- What development platform is being used to run this fully virtualized twin?
+ rt : virtualized_platform_runtime
+ where
+ cost = 0 | cost = 100 | cost = 200
+ all_devices_twins <=> ((ts1 = Twin) & (ts2 = Twin) & (ps1 = Twin) & (ps2 = Twin) & (sa1 = Twin) & (sa2 = Twin))
+ (soc = Twin) => all_devices_twins
+ virtualized_platform_rt <=> ((soc = Twin) & (board = RV32M1_VEGA) & (rt = None)) ^ ((soc = Twin) & (board = None))
+
+-- @design kiniry This feature model needs to be further enriched to
+-- capture the design, nature, and assuance of the RTS architecture's
+-- primary subsystems and components. We will perform that
+-- refinement after writing the RTS SysML system architecture.
+
+-- @issue Refine feature model to reflect system architecture.
+
+-- @design kiniry There are likely additional constraints to add to
+-- this feature model. Some things to think about include: whether or
+-- not we want to support twins for arbitrary subset of devices, do we
+-- want to support the use of an RV32 development board attached to
+-- the physical devices, and what is the assurance of the RTS given
+-- the assurance of its constituant parts?
+
+-- @issue Refine feature model constraints after RTS models are
+-- written.
+
+-- There are 16 configurations of virtualized configurations.
+
+-- @issue Ensure that all build configurations are supported by RTS
+-- build system.
+
+virtualized_rts_configs : kind of rts
+ where all_devices_twins = true & cost = 0 & board = None & virtualized_platform_rt = true
+
+-- @todo Feature model checks go below. An example check is included.
+
+-- @issue Refine feature model checks to reflect final architecture,
+-- requirements, and RTS demonstrator assurance.
+
+-- Virtualized builds do not need a development board.
+check_twin_build_configs : check
+ on c : virtualized_rts_configs
+ that c.board = None
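Review bot: `check_twin_build_configs` can never fail, because `virtualized_rts_configs` already fixes `board = None` in its own `where` clause and the check asserts the same thing. A check that exercises the `rts` constraints would assert something the kind does not state directly, for example `that c.soc = Twin`, which should follow from the `virtualized_platform_rt` equivalence. Separately, the header comment says a real RV32 target runs on bare metal, yet the `virtualized_platform_rt` constraint pairs `board = RV32M1_VEGA` with `rt = None` rather than `RV32_bare_metal`. That looks unintended and is worth confirming.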
diff --git a/specs/RTS.png b/specs/RTS.png
new file mode 100644
index 0000000..f657268
Binary files /dev/null and b/specs/RTS.png differ
diff --git a/specs/RTSArchitectureDraft.sysml b/specs/RTSArchitectureDraft.sysml
new file mode 100644
index 0000000..a67404f
--- /dev/null
+++ b/specs/RTSArchitectureDraft.sysml
@@ -0,0 +1,230 @@
+/** The physical hardware components that are a part of the HARDENS RTS
+ demonstrator. */
+package 'RTS Hardware Artifacts' {
+
+ package TempSensor {
+ import ISQThermodynamics::TemperatureValue;
+
+ /** Generic temperature port */
+ port def TemperatureOutPort {
+ out temp : TemperatureValue;
+ }
+
+ /** Temperature interface */
+ interface def TemperatureInterface {
+ // each sensor is connected to two instrumentation units
+ end supplierPort : TemperatureOutPort;
+ end consumerPort1 : ~TemperatureOutPort;
+ end consumerPort2 : ~TemperatureOutPort;
+ }
+
+ /** A sensor that is capable of measuring the temperature of its environment. */
+ part def 'Temperature Sensor' {
+ /** What is your temperature reading in Celcius (C)? */
+ attribute currentTemp: TemperatureValue;
+ port tempOut: TemperatureOutPort;
+ }
+ }
+
+ package PressureSensor {
+ import ISQMechanics::PressureValue;
+
+ /** Generic pressure port */
+ port def PressureOutPort {
+ out pressure : PressureValue;
+ }
+
+ /** Pressure sensor interface */
+ interface def PressureInterface {
+ // each sensor is connected to two instrumentation units
+ end supplierPort : PressureOutPort;
+ end consumerPort1 : ~PressureOutPort;
+ end consumerPort2 : ~PressureOutPort;
+ }
+
+ /** A sensor that is capable of measuring the air pressure of its environment. */
+ part def 'Pressure Sensor' {
+ /** What is your pressure reading in Pascal (P)? */
+ attribute currentPressure: PressureValue;
+ port pressureOut: PressureOutPort;
+ }
+ }
+
+ package Instrumentation {
+ import ScalarValues::Real;
+ import ScalarValues::Boolean;
+ import TempSensor::*;
+ import PressureSensor::*;
+
+ port def TripPort {
+ out trip : Boolean;
+ }
+
+ interface def TripInterface {
+ // Each trip interface has 1 trip sources, and 1 consumer
+ end supplierPort : TripPort;
+ end consumerPort : ~TripPort;
+ }
+
+
+ part def InstrumentationUnit {
+ // setpoints
+ attribute tempSetpoint : TemperatureValue;
+ attribute pressureSetpoint : PressureValue;
+ attribute saturationLimit : Real;
+
+ // mode selectors
+ attribute maintenanceMode : Boolean;
+
+ // Inputs
+ port temperatureInput: ~TemperatureOutPort;
+ port pressureInput: ~PressureOutPort;
+
+ // Outputs
+ port pressureTripOut:TripPort;
+ port temperatureTripOut:TripPort;
+ port saturationTripOut:TripPort;
+ }
+ }
+
+ package Actuation {
+ import Instrumentation::*;
+
+ port def ActuationPort {
+ out actuate: Boolean;
+ }
+
+ part def CoincidenceLogic {
+ port channel1: ~TripPort;
+ port channel2: ~TripPort;
+ port actuate: ActuationPort;
+ }
+ part def OrLogic {
+ port channel1: ~TripPort;
+ port channel2: ~TripPort;
+ port actuate: ActuationPort;
+ }
+
+ part def ActuationUnit {
+ part tempLogic : CoincidenceLogic;
+ part pressureLogic : CoincidenceLogic;
+ part saturationLogic : OrLogic;
+ }
+ part def Actuator {
+ port input: ActuationPort;
+ }
+ interface def OrGate {
+ end inputA: ActuationPort;
+ end inputB: ActuationPort;
+ end output: ~ActuationPort;
+ }
+ }
+
+ part RTS {
+ import TempSensor::*;
+ part tempSensor1 : 'Temperature Sensor';
+ part tempSensor2 : 'Temperature Sensor';
+
+ import PressureSensor::*;
+ part pressureSensor1 : 'Pressure Sensor';
+ part pressureSensor2 : 'Pressure Sensor';
+
+ import Instrumentation::*;
+ part InstrumentationUnit1 : InstrumentationUnit;
+ part InstrumentationUnit2 : InstrumentationUnit;
+ part InstrumentationUnit3 : InstrumentationUnit;
+ part InstrumentationUnit4 : InstrumentationUnit;
+
+ import Actuation::*;
+ part ActuationUnit1: ActuationUnit;
+ part ActuationUnit2: ActuationUnit;
+ part Actuator1 : Actuator;
+ part Actuator2 : Actuator;
+
+ // connect sensors
+ interface T1 : TemperatureInterface
+ connect tempSensor1.tempOut to InstrumentationUnit1.temperatureInput;
+ connect tempSensor1.tempOut to InstrumentationUnit2.temperatureInput;
+
+ interface T2 : TemperatureInterface
+ connect tempSensor2.tempOut to InstrumentationUnit3.temperatureInput;
+ connect tempSensor2.tempOut to InstrumentationUnit4.temperatureInput;
+
+ interface P1 : PressureInterface
+ connect pressureSensor1.pressureOut to InstrumentationUnit1.pressureInput;
+ connect pressureSensor1.pressureOut to InstrumentationUnit2.pressureInput;
+
+ interface P2 : PressureInterface
+ connect pressureSensor2.pressureOut to InstrumentationUnit3.pressureInput;
+ connect pressureSensor2.pressureOut to InstrumentationUnit4.pressureInput;
+
+ // connect actuation logic
+ // Temperature channels
+ interface TripTemp1 : TripInterface
+ connect InstrumentationUnit1.temperatureTripOut to ActuationUnit1.tempLogic.channel1;
+ interface TripTemp2 : TripInterface
+ connect InstrumentationUnit2.temperatureTripOut to ActuationUnit1.tempLogic.channel2;
+ interface TripTemp3 : TripInterface
+ connect InstrumentationUnit3.temperatureTripOut to ActuationUnit2.tempLogic.channel1;
+ interface TripTemp4 : TripInterface
+ connect InstrumentationUnit4.temperatureTripOut to ActuationUnit2.tempLogic.channel2;
+ // Pressure channels
+ interface TripPressure1 : TripInterface
+ connect InstrumentationUnit1.pressureTripOut to ActuationUnit1.pressureLogic.channel1;
+ interface TripPressure2 : TripInterface
+ connect InstrumentationUnit2.pressureTripOut to ActuationUnit1.pressureLogic.channel2;
+ interface TripPressure3 : TripInterface
+ connect InstrumentationUnit3.pressureTripOut to ActuationUnit2.pressureLogic.channel1;
+ interface TripPressure4 : TripInterface
+ connect InstrumentationUnit4.pressureTripOut to ActuationUnit2.pressureLogic.channel2;
+ // Saturation channels
+ interface TripSaturation1 : TripInterface
+ connect InstrumentationUnit1.saturationTripOut to ActuationUnit1.saturationLogic.channel1;
+ interface TripSaturation2 : TripInterface
+ connect InstrumentationUnit2.saturationTripOut to ActuationUnit1.saturationLogic.channel2;
+ interface TripSaturation3 : TripInterface
+ connect InstrumentationUnit3.saturationTripOut to ActuationUnit2.saturationLogic.channel1;
+ interface TripSaturation4 : TripInterface
+ connect InstrumentationUnit4.saturationTripOut to ActuationUnit2.saturationLogic.channel2;
+ // Connect outputs to actuators
+ interface SaturationOut : OrGate
+ connect ActuationUnit1.saturationLogic.actuate to Actuator2.input;
+ connect ActuationUnit2.saturationLogic.actuate to Actuator2.input;
+ }
+ // TODO : connect the remaining logic
+}
+
+
+package InternetModel_v1 {
+ part def Data;
+ part def Device {
+ attribute connType: Connection[1.. * ];
+ attribute voltageIn: Electricity[1];
+ }
+ part def WiFiRouter :> Device {
+ attribute wirelessConnection : WirelessConnection[1..2];
+ attribute ethernetConnection : CableConnection[1..*];
+ }
+ part def DSLRouter :> Device {
+ attribute dslConnection : CableConnection[1];
+ attribute ethernetConnection : CableConnection[1..*];
+ }
+ part def MobileDevice :> Device {
+ doc /** Bluetooth, WiFi, 5G/4G ... so at least 3 wireless connections **/
+ attribute wirelessConnection : WirelessConnection[1..3];
+ }
+ attribute def Connection {
+ in item inData: Data;
+ out item outData: Data;
+ }
+ attribute def WirelessConnection :> Connection {
+ attribute frequency: SI::FrequencyUnit;
+ }
+ attribute def CableConnection :> Connection {
+ attribute wireCount: ScalarValues::Integer;
+ }
+ attribute def Electricity {
+ attribute voltage: ISQElectromagnetism::ElectricPotentialUnit;
+ attribute ampere: ISQElectromagnetism::ElectricChargeUnit;
+ }
+}
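Review bot: In `part RTS`, both `connect` lines under `interface SaturationOut : OrGate` end at `Actuator2.input`, and `Actuator1` is never connected anywhere in this file. That reads like a copy-paste slip, since as drafted the model gives no path to the first of the two redundant actuators. If each actuator is meant to be driven by both actuation units, a second `OrGate` interface targeting `Actuator1.input` is needed. The `tempLogic` and `pressureLogic` `actuate` ports are also left dangling, which the `// TODO : connect the remaining logic` comment may already cover. The `InternetModel_v1` package at the end appears unrelated to the RTS and looks like leftover sample content; consider removing it from this spec.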
diff --git a/specs/RTS_Requirements.json b/specs/RTS_Requirements.json
new file mode 100644
index 0000000..1373f46
--- /dev/null
+++ b/specs/RTS_Requirements.json
@@ -0,0 +1,1403 @@
+[
+ {
+ "reqid": "INSTRUMENTATION_SET_MANUAL_TRIP_TEMPERATURE",
+ "parent_reqid": "INSTRUMENTATION_TRIP_TEMPERATURE",
+ "project": "HARDENS",
+ "rationale": "RFP [10]",
+ "comments": "",
+ "fulltext": "Upon MAINTENANCE & TEMPERATURE_MODE = 2 Instrumentation shall, until MAINTENANCE & !(TEMPERATURE_MODE = 2), satisfy TRIP_TEMPERATURE",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "TEMPERATURE_MODE",
+ "TRIP_TEMPERATURE"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(MAINTENANCE & TEMPERATURE_MODE = 2)",
+ "regular_condition": "(MAINTENANCE & TEMPERATURE_MODE = 2)",
+ "conditionTextRange": [
+ 0,
+ 38
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 40,
+ 54
+ ],
+ "stop_condition": "(MAINTENANCE & ! ( TEMPERATURE_MODE = 2 ))",
+ "timingTextRange": [
+ 61,
+ 106
+ ],
+ "post_condition": "(TRIP_TEMPERATURE)",
+ "responseTextRange": [
+ 108,
+ 131
+ ],
+ "ft": "((LAST V (((! (MAINTENANCE & TEMPERATURE_MODE = 2)) & ((! LAST) & (X (MAINTENANCE & TEMPERATURE_MODE = 2)))) -> (X (((MAINTENANCE & ! ( TEMPERATURE_MODE = 2 )) V ((TRIP_TEMPERATURE) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 2 )))) | (LAST V (TRIP_TEMPERATURE)))))) & ((MAINTENANCE & TEMPERATURE_MODE = 2) -> (((MAINTENANCE & ! ( TEMPERATURE_MODE = 2 )) V ((TRIP_TEMPERATURE) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 2 )))) | (LAST V (TRIP_TEMPERATURE)))))",
+ "pt": "(H ((H (! (MAINTENANCE & TEMPERATURE_MODE = 2))) | (((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 2 ))) S ((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 2 ))) & ((MAINTENANCE & TEMPERATURE_MODE = 2) & ((Y (! (MAINTENANCE & TEMPERATURE_MODE = 2))) | FTP)))) -> (TRIP_TEMPERATURE))))",
+ "ftExpanded": "((LAST V (((! (MAINTENANCE & TEMPERATURE_MODE = 2)) & ((! LAST) & (X (MAINTENANCE & TEMPERATURE_MODE = 2)))) -> (X (((MAINTENANCE & ! ( TEMPERATURE_MODE = 2 )) V ((TRIP_TEMPERATURE) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 2 )))) | (LAST V (TRIP_TEMPERATURE)))))) & ((MAINTENANCE & TEMPERATURE_MODE = 2) -> (((MAINTENANCE & ! ( TEMPERATURE_MODE = 2 )) V ((TRIP_TEMPERATURE) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 2 )))) | (LAST V (TRIP_TEMPERATURE)))))",
+ "ptExpanded": "(H ((H (! (MAINTENANCE & TEMPERATURE_MODE = 2))) | (((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 2 ))) S ((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 2 ))) & ((MAINTENANCE & TEMPERATURE_MODE = 2) & ((Y (! (MAINTENANCE & TEMPERATURE_MODE = 2))) | (! (Y TRUE)))))) -> (TRIP_TEMPERATURE))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (MAINTENANCE and TEMPERATURE_MODE = 2))) or ((SI( ((MAINTENANCE and TEMPERATURE_MODE = 2) and ((pre ( not (MAINTENANCE and TEMPERATURE_MODE = 2))) or FTP)), ( not (MAINTENANCE and not ( TEMPERATURE_MODE = 2 ))) )) => (TRIP_TEMPERATURE))))",
+ "diagramVariables": "TC = (MAINTENANCE & TEMPERATURE_MODE = 2), SC = (MAINTENANCE & ! ( TEMPERATURE_MODE = 2 )), Response = (TRIP_TEMPERATURE).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (MAINTENANCE & TEMPERATURE_MODE = 2) is true and any point in the interval where (MAINTENANCE & TEMPERATURE_MODE = 2) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8cdcf310-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SENSOR_TRIP_PRESSURE",
+ "parent_reqid": "INSTRUMENTATION_TRIP_PRESSURE",
+ "project": "HARDENS",
+ "rationale": "RFP [1]",
+ "comments": "",
+ "fulltext": "Upon MAINTENANCE & PRESSURE_MODE = 1 Instrumentation shall, until MAINTENANCE & !(PRESSURE_MODE = 1), satisfy (if SENSOR_PRESSURE > SETPOINT_PRESSURE then TRIP_PRESSURE) & (if TRIP_PRESSURE then SENSOR_PRESSURE > SETPOINT_PRESSURE)",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "PRESSURE_MODE",
+ "SENSOR_PRESSURE",
+ "SETPOINT_PRESSURE",
+ "TRIP_PRESSURE"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(MAINTENANCE & PRESSURE_MODE = 1)",
+ "regular_condition": "(MAINTENANCE & PRESSURE_MODE = 1)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 37,
+ 51
+ ],
+ "stop_condition": "(MAINTENANCE & ! ( PRESSURE_MODE = 1 ))",
+ "timingTextRange": [
+ 58,
+ 100
+ ],
+ "post_condition": "(( SENSOR_PRESSURE > SETPOINT_PRESSURE => TRIP_PRESSURE ) & ( TRIP_PRESSURE => SENSOR_PRESSURE > SETPOINT_PRESSURE ))",
+ "responseTextRange": [
+ 102,
+ 230
+ ],
+ "ft": "((LAST V (((! (MAINTENANCE & PRESSURE_MODE = 1)) & ((! LAST) & (X (MAINTENANCE & PRESSURE_MODE = 1)))) -> (X (((MAINTENANCE & ! ( PRESSURE_MODE = 1 )) V ((( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE )) | (MAINTENANCE & ! ( PRESSURE_MODE = 1 )))) | (LAST V (( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE ))))))) & ((MAINTENANCE & PRESSURE_MODE = 1) -> (((MAINTENANCE & ! ( PRESSURE_MODE = 1 )) V ((( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE )) | (MAINTENANCE & ! ( PRESSURE_MODE = 1 )))) | (LAST V (( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE ))))))",
+ "pt": "(H ((H (! (MAINTENANCE & PRESSURE_MODE = 1))) | (((! (MAINTENANCE & ! ( PRESSURE_MODE = 1 ))) S ((! (MAINTENANCE & ! ( PRESSURE_MODE = 1 ))) & ((MAINTENANCE & PRESSURE_MODE = 1) & ((Y (! (MAINTENANCE & PRESSURE_MODE = 1))) | FTP)))) -> (( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE )))))",
+ "ftExpanded": "((LAST V (((! (MAINTENANCE & PRESSURE_MODE = 1)) & ((! LAST) & (X (MAINTENANCE & PRESSURE_MODE = 1)))) -> (X (((MAINTENANCE & ! ( PRESSURE_MODE = 1 )) V ((( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE )) | (MAINTENANCE & ! ( PRESSURE_MODE = 1 )))) | (LAST V (( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE ))))))) & ((MAINTENANCE & PRESSURE_MODE = 1) -> (((MAINTENANCE & ! ( PRESSURE_MODE = 1 )) V ((( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE )) | (MAINTENANCE & ! ( PRESSURE_MODE = 1 )))) | (LAST V (( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE ))))))",
+ "ptExpanded": "(H ((H (! (MAINTENANCE & PRESSURE_MODE = 1))) | (((! (MAINTENANCE & ! ( PRESSURE_MODE = 1 ))) S ((! (MAINTENANCE & ! ( PRESSURE_MODE = 1 ))) & ((MAINTENANCE & PRESSURE_MODE = 1) & ((Y (! (MAINTENANCE & PRESSURE_MODE = 1))) | (! (Y TRUE)))))) -> (( SENSOR_PRESSURE > SETPOINT_PRESSURE -> TRIP_PRESSURE ) & ( TRIP_PRESSURE -> SENSOR_PRESSURE > SETPOINT_PRESSURE )))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (MAINTENANCE and PRESSURE_MODE = 1))) or ((SI( ((MAINTENANCE and PRESSURE_MODE = 1) and ((pre ( not (MAINTENANCE and PRESSURE_MODE = 1))) or FTP)), ( not (MAINTENANCE and not ( PRESSURE_MODE = 1 ))) )) => (( SENSOR_PRESSURE > SETPOINT_PRESSURE => TRIP_PRESSURE ) and ( TRIP_PRESSURE => SENSOR_PRESSURE > SETPOINT_PRESSURE )))))",
+ "diagramVariables": "TC = (MAINTENANCE & PRESSURE_MODE = 1), SC = (MAINTENANCE & ! ( PRESSURE_MODE = 1 )), Response = (( SENSOR_PRESSURE > SETPOINT_PRESSURE => TRIP_PRESSURE ) & ( TRIP_PRESSURE => SENSOR_PRESSURE > SETPOINT_PRESSURE )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (MAINTENANCE & PRESSURE_MODE = 1) is true and any point in the interval where (MAINTENANCE & PRESSURE_MODE = 1) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8cdd1a20-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SET_SETPOINT_PRESSURE",
+ "parent_reqid": "INSTRUMENTATION_TRIP_PRESSURE",
+ "project": "HARDENS",
+ "rationale": "RFP [8]",
+ "comments": "",
+ "fulltext": "Upon (MAINTENANCE & SET_SETPOINT_PRESSURE) Instrumentation shall, until MAINTENANCE & SET_SETPOINT_PRESSURE, satisfy SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "SET_SETPOINT_PRESSURE",
+ "SETPOINT_PRESSURE",
+ "INPUT_SETPOINT_PRESSURE"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(( MAINTENANCE & SET_SETPOINT_PRESSURE ))",
+ "regular_condition": "(( MAINTENANCE & SET_SETPOINT_PRESSURE ))",
+ "conditionTextRange": [
+ 0,
+ 41
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 43,
+ 57
+ ],
+ "stop_condition": "(MAINTENANCE & SET_SETPOINT_PRESSURE)",
+ "timingTextRange": [
+ 64,
+ 107
+ ],
+ "post_condition": "(SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE)",
+ "responseTextRange": [
+ 109,
+ 159
+ ],
+ "ft": "((LAST V (((! (( MAINTENANCE & SET_SETPOINT_PRESSURE ))) & ((! LAST) & (X (( MAINTENANCE & SET_SETPOINT_PRESSURE ))))) -> (X (((MAINTENANCE & SET_SETPOINT_PRESSURE) V ((SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE) | (MAINTENANCE & SET_SETPOINT_PRESSURE))) | (LAST V (SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE)))))) & ((( MAINTENANCE & SET_SETPOINT_PRESSURE )) -> (((MAINTENANCE & SET_SETPOINT_PRESSURE) V ((SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE) | (MAINTENANCE & SET_SETPOINT_PRESSURE))) | (LAST V (SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE)))))",
+ "pt": "(H ((H (! (( MAINTENANCE & SET_SETPOINT_PRESSURE )))) | (((! (MAINTENANCE & SET_SETPOINT_PRESSURE)) S ((! (MAINTENANCE & SET_SETPOINT_PRESSURE)) & ((( MAINTENANCE & SET_SETPOINT_PRESSURE )) & ((Y (! (( MAINTENANCE & SET_SETPOINT_PRESSURE )))) | FTP)))) -> (SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE))))",
+ "ftExpanded": "((LAST V (((! (( MAINTENANCE & SET_SETPOINT_PRESSURE ))) & ((! LAST) & (X (( MAINTENANCE & SET_SETPOINT_PRESSURE ))))) -> (X (((MAINTENANCE & SET_SETPOINT_PRESSURE) V ((SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE) | (MAINTENANCE & SET_SETPOINT_PRESSURE))) | (LAST V (SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE)))))) & ((( MAINTENANCE & SET_SETPOINT_PRESSURE )) -> (((MAINTENANCE & SET_SETPOINT_PRESSURE) V ((SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE) | (MAINTENANCE & SET_SETPOINT_PRESSURE))) | (LAST V (SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE)))))",
+ "ptExpanded": "(H ((H (! (( MAINTENANCE & SET_SETPOINT_PRESSURE )))) | (((! (MAINTENANCE & SET_SETPOINT_PRESSURE)) S ((! (MAINTENANCE & SET_SETPOINT_PRESSURE)) & ((( MAINTENANCE & SET_SETPOINT_PRESSURE )) & ((Y (! (( MAINTENANCE & SET_SETPOINT_PRESSURE )))) | (! (Y TRUE)))))) -> (SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (( MAINTENANCE and SET_SETPOINT_PRESSURE )))) or ((SI( ((( MAINTENANCE and SET_SETPOINT_PRESSURE )) and ((pre ( not (( MAINTENANCE and SET_SETPOINT_PRESSURE )))) or FTP)), ( not (MAINTENANCE and SET_SETPOINT_PRESSURE)) )) => (SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE))))",
+ "diagramVariables": "TC = (( MAINTENANCE & SET_SETPOINT_PRESSURE )), SC = (MAINTENANCE & SET_SETPOINT_PRESSURE), Response = (SETPOINT_PRESSURE = INPUT_SETPOINT_PRESSURE).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( MAINTENANCE & SET_SETPOINT_PRESSURE )) is true and any point in the interval where (( MAINTENANCE & SET_SETPOINT_PRESSURE )) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce111c0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SENSOR_TRIP_SATURATION",
+ "parent_reqid": "INSTRUMENTATION_TRIP_SATURATION",
+ "project": "HARDENS",
+ "rationale": "RFP [3]",
+ "comments": "",
+ "fulltext": "Upon MAINTENANCE & SATURATION_MODE = 1 Instrumentation shall, until MAINTENANCE & !(SATURATION_MODE = 1) satisfy (if SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION then TRIP_SATURATION) & (if TRIP_SATURATION then SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION)",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "SATURATION_MODE",
+ "SATURATION_FUNCTION_VALUE",
+ "SETPOINT_SATURATION",
+ "TRIP_SATURATION"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(MAINTENANCE & SATURATION_MODE = 1)",
+ "regular_condition": "(MAINTENANCE & SATURATION_MODE = 1)",
+ "conditionTextRange": [
+ 0,
+ 37
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 39,
+ 53
+ ],
+ "stop_condition": "(MAINTENANCE & ! ( SATURATION_MODE = 1 ))",
+ "timingTextRange": [
+ 60,
+ 103
+ ],
+ "post_condition": "(( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION => TRIP_SATURATION ) & ( TRIP_SATURATION => SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION ))",
+ "responseTextRange": [
+ 105,
+ 261
+ ],
+ "ft": "((LAST V (((! (MAINTENANCE & SATURATION_MODE = 1)) & ((! LAST) & (X (MAINTENANCE & SATURATION_MODE = 1)))) -> (X (((MAINTENANCE & ! ( SATURATION_MODE = 1 )) V ((( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION )) | (MAINTENANCE & ! ( SATURATION_MODE = 1 )))) | (LAST V (( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION ))))))) & ((MAINTENANCE & SATURATION_MODE = 1) -> (((MAINTENANCE & ! ( SATURATION_MODE = 1 )) V ((( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION )) | (MAINTENANCE & ! ( SATURATION_MODE = 1 )))) | (LAST V (( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION ))))))",
+ "pt": "(H ((H (! (MAINTENANCE & SATURATION_MODE = 1))) | (((! (MAINTENANCE & ! ( SATURATION_MODE = 1 ))) S ((! (MAINTENANCE & ! ( SATURATION_MODE = 1 ))) & ((MAINTENANCE & SATURATION_MODE = 1) & ((Y (! (MAINTENANCE & SATURATION_MODE = 1))) | FTP)))) -> (( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION )))))",
+ "ftExpanded": "((LAST V (((! (MAINTENANCE & SATURATION_MODE = 1)) & ((! LAST) & (X (MAINTENANCE & SATURATION_MODE = 1)))) -> (X (((MAINTENANCE & ! ( SATURATION_MODE = 1 )) V ((( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION )) | (MAINTENANCE & ! ( SATURATION_MODE = 1 )))) | (LAST V (( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION ))))))) & ((MAINTENANCE & SATURATION_MODE = 1) -> (((MAINTENANCE & ! ( SATURATION_MODE = 1 )) V ((( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION )) | (MAINTENANCE & ! ( SATURATION_MODE = 1 )))) | (LAST V (( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION ))))))",
+ "ptExpanded": "(H ((H (! (MAINTENANCE & SATURATION_MODE = 1))) | (((! (MAINTENANCE & ! ( SATURATION_MODE = 1 ))) S ((! (MAINTENANCE & ! ( SATURATION_MODE = 1 ))) & ((MAINTENANCE & SATURATION_MODE = 1) & ((Y (! (MAINTENANCE & SATURATION_MODE = 1))) | (! (Y TRUE)))))) -> (( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION -> TRIP_SATURATION ) & ( TRIP_SATURATION -> SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION )))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (MAINTENANCE and SATURATION_MODE = 1))) or ((SI( ((MAINTENANCE and SATURATION_MODE = 1) and ((pre ( not (MAINTENANCE and SATURATION_MODE = 1))) or FTP)), ( not (MAINTENANCE and not ( SATURATION_MODE = 1 ))) )) => (( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION => TRIP_SATURATION ) and ( TRIP_SATURATION => SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION )))))",
+ "diagramVariables": "TC = (MAINTENANCE & SATURATION_MODE = 1), SC = (MAINTENANCE & ! ( SATURATION_MODE = 1 )), Response = (( SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION => TRIP_SATURATION ) & ( TRIP_SATURATION => SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (MAINTENANCE & SATURATION_MODE = 1) is true and any point in the interval where (MAINTENANCE & SATURATION_MODE = 1) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce15fe0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SET_MANUAL_TRIP_PRESSURE",
+ "parent_reqid": "INSTRUMENTATION_TRIP_PRESSURE",
+ "project": "HARDENS",
+ "rationale": "RFP [10]",
+ "comments": "",
+ "fulltext": "Upon MAINTENANCE & PRESSURE_MODE = 2 Instrumentation shall, until MAINTENANCE & !(PRESSURE_MODE = 2), satisfy TRIP_PRESSURE",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "PRESSURE_MODE",
+ "TRIP_PRESSURE"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(MAINTENANCE & PRESSURE_MODE = 2)",
+ "regular_condition": "(MAINTENANCE & PRESSURE_MODE = 2)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 37,
+ 51
+ ],
+ "stop_condition": "(MAINTENANCE & ! ( PRESSURE_MODE = 2 ))",
+ "timingTextRange": [
+ 58,
+ 100
+ ],
+ "post_condition": "(TRIP_PRESSURE)",
+ "responseTextRange": [
+ 102,
+ 122
+ ],
+ "ft": "((LAST V (((! (MAINTENANCE & PRESSURE_MODE = 2)) & ((! LAST) & (X (MAINTENANCE & PRESSURE_MODE = 2)))) -> (X (((MAINTENANCE & ! ( PRESSURE_MODE = 2 )) V ((TRIP_PRESSURE) | (MAINTENANCE & ! ( PRESSURE_MODE = 2 )))) | (LAST V (TRIP_PRESSURE)))))) & ((MAINTENANCE & PRESSURE_MODE = 2) -> (((MAINTENANCE & ! ( PRESSURE_MODE = 2 )) V ((TRIP_PRESSURE) | (MAINTENANCE & ! ( PRESSURE_MODE = 2 )))) | (LAST V (TRIP_PRESSURE)))))",
+ "pt": "(H ((H (! (MAINTENANCE & PRESSURE_MODE = 2))) | (((! (MAINTENANCE & ! ( PRESSURE_MODE = 2 ))) S ((! (MAINTENANCE & ! ( PRESSURE_MODE = 2 ))) & ((MAINTENANCE & PRESSURE_MODE = 2) & ((Y (! (MAINTENANCE & PRESSURE_MODE = 2))) | FTP)))) -> (TRIP_PRESSURE))))",
+ "ftExpanded": "((LAST V (((! (MAINTENANCE & PRESSURE_MODE = 2)) & ((! LAST) & (X (MAINTENANCE & PRESSURE_MODE = 2)))) -> (X (((MAINTENANCE & ! ( PRESSURE_MODE = 2 )) V ((TRIP_PRESSURE) | (MAINTENANCE & ! ( PRESSURE_MODE = 2 )))) | (LAST V (TRIP_PRESSURE)))))) & ((MAINTENANCE & PRESSURE_MODE = 2) -> (((MAINTENANCE & ! ( PRESSURE_MODE = 2 )) V ((TRIP_PRESSURE) | (MAINTENANCE & ! ( PRESSURE_MODE = 2 )))) | (LAST V (TRIP_PRESSURE)))))",
+ "ptExpanded": "(H ((H (! (MAINTENANCE & PRESSURE_MODE = 2))) | (((! (MAINTENANCE & ! ( PRESSURE_MODE = 2 ))) S ((! (MAINTENANCE & ! ( PRESSURE_MODE = 2 ))) & ((MAINTENANCE & PRESSURE_MODE = 2) & ((Y (! (MAINTENANCE & PRESSURE_MODE = 2))) | (! (Y TRUE)))))) -> (TRIP_PRESSURE))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (MAINTENANCE and PRESSURE_MODE = 2))) or ((SI( ((MAINTENANCE and PRESSURE_MODE = 2) and ((pre ( not (MAINTENANCE and PRESSURE_MODE = 2))) or FTP)), ( not (MAINTENANCE and not ( PRESSURE_MODE = 2 ))) )) => (TRIP_PRESSURE))))",
+ "diagramVariables": "TC = (MAINTENANCE & PRESSURE_MODE = 2), SC = (MAINTENANCE & ! ( PRESSURE_MODE = 2 )), Response = (TRIP_PRESSURE).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (MAINTENANCE & PRESSURE_MODE = 2) is true and any point in the interval where (MAINTENANCE & PRESSURE_MODE = 2) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce1ae00-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SET_BYPASS_SATURATION",
+ "parent_reqid": "INSTRUMENTATION_TRIP_SATURATION",
+ "project": "HARDENS",
+ "rationale": "",
+ "comments": "",
+ "fulltext": "Upon MAINTENANCE & SATURATION_MODE = 0 Instrumentation shall, until MAINTENANCE & !(SATURATION_MODE = 0), satisfy !TRIP_SATURATION",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "SATURATION_MODE",
+ "TRIP_SATURATION"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(MAINTENANCE & SATURATION_MODE = 0)",
+ "regular_condition": "(MAINTENANCE & SATURATION_MODE = 0)",
+ "conditionTextRange": [
+ 0,
+ 37
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 39,
+ 53
+ ],
+ "stop_condition": "(MAINTENANCE & ! ( SATURATION_MODE = 0 ))",
+ "timingTextRange": [
+ 60,
+ 104
+ ],
+ "post_condition": "(! TRIP_SATURATION)",
+ "responseTextRange": [
+ 106,
+ 129
+ ],
+ "ft": "((LAST V (((! (MAINTENANCE & SATURATION_MODE = 0)) & ((! LAST) & (X (MAINTENANCE & SATURATION_MODE = 0)))) -> (X (((MAINTENANCE & ! ( SATURATION_MODE = 0 )) V ((! TRIP_SATURATION) | (MAINTENANCE & ! ( SATURATION_MODE = 0 )))) | (LAST V (! TRIP_SATURATION)))))) & ((MAINTENANCE & SATURATION_MODE = 0) -> (((MAINTENANCE & ! ( SATURATION_MODE = 0 )) V ((! TRIP_SATURATION) | (MAINTENANCE & ! ( SATURATION_MODE = 0 )))) | (LAST V (! TRIP_SATURATION)))))",
+ "pt": "(H ((H (! (MAINTENANCE & SATURATION_MODE = 0))) | (((! (MAINTENANCE & ! ( SATURATION_MODE = 0 ))) S ((! (MAINTENANCE & ! ( SATURATION_MODE = 0 ))) & ((MAINTENANCE & SATURATION_MODE = 0) & ((Y (! (MAINTENANCE & SATURATION_MODE = 0))) | FTP)))) -> (! TRIP_SATURATION))))",
+ "ftExpanded": "((LAST V (((! (MAINTENANCE & SATURATION_MODE = 0)) & ((! LAST) & (X (MAINTENANCE & SATURATION_MODE = 0)))) -> (X (((MAINTENANCE & ! ( SATURATION_MODE = 0 )) V ((! TRIP_SATURATION) | (MAINTENANCE & ! ( SATURATION_MODE = 0 )))) | (LAST V (! TRIP_SATURATION)))))) & ((MAINTENANCE & SATURATION_MODE = 0) -> (((MAINTENANCE & ! ( SATURATION_MODE = 0 )) V ((! TRIP_SATURATION) | (MAINTENANCE & ! ( SATURATION_MODE = 0 )))) | (LAST V (! TRIP_SATURATION)))))",
+ "ptExpanded": "(H ((H (! (MAINTENANCE & SATURATION_MODE = 0))) | (((! (MAINTENANCE & ! ( SATURATION_MODE = 0 ))) S ((! (MAINTENANCE & ! ( SATURATION_MODE = 0 ))) & ((MAINTENANCE & SATURATION_MODE = 0) & ((Y (! (MAINTENANCE & SATURATION_MODE = 0))) | (! (Y TRUE)))))) -> (! TRIP_SATURATION))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (MAINTENANCE and SATURATION_MODE = 0))) or ((SI( ((MAINTENANCE and SATURATION_MODE = 0) and ((pre ( not (MAINTENANCE and SATURATION_MODE = 0))) or FTP)), ( not (MAINTENANCE and not ( SATURATION_MODE = 0 ))) )) => (not TRIP_SATURATION))))",
+ "diagramVariables": "TC = (MAINTENANCE & SATURATION_MODE = 0), SC = (MAINTENANCE & ! ( SATURATION_MODE = 0 )), Response = (! TRIP_SATURATION).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (MAINTENANCE & SATURATION_MODE = 0) is true and any point in the interval where (MAINTENANCE & SATURATION_MODE = 0) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce1fc20-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "ACTUATION_LOGIC_DEVICE_0",
+ "parent_reqid": "",
+ "project": "HARDENS",
+ "rationale": "RFP [5, 6]",
+ "comments": "",
+ "fulltext": "Actuation_Logic shall always satisfy ((VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0) => ACTUATE_DEVICE_0) & (ACTUATE_DEVICE_0 => (VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0))",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "VOTE_ACTUATE_DEVICE_0",
+ "MANUAL_ACTUATE_DEVICE_0",
+ "ACTUATE_DEVICE_0"
+ ],
+ "component_name": "Actuation_Logic",
+ "componentTextRange": [
+ 0,
+ 14
+ ],
+ "timingTextRange": [
+ 22,
+ 27
+ ],
+ "post_condition": "(( ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) => ACTUATE_DEVICE_0 ) & ( ACTUATE_DEVICE_0 => ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) ))",
+ "responseTextRange": [
+ 29,
+ 181
+ ],
+ "ft": "(LAST V (( ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) -> ACTUATE_DEVICE_0 ) & ( ACTUATE_DEVICE_0 -> ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) )))",
+ "pt": "(H (( ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) -> ACTUATE_DEVICE_0 ) & ( ACTUATE_DEVICE_0 -> ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) )))",
+ "ftExpanded": "(LAST V (( ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) -> ACTUATE_DEVICE_0 ) & ( ACTUATE_DEVICE_0 -> ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) )))",
+ "ptExpanded": "(H (( ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) -> ACTUATE_DEVICE_0 ) & ( ACTUATE_DEVICE_0 -> ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) )))",
+ "component": "Actuation_Logic",
+ "CoCoSpecCode": "(H((( ( VOTE_ACTUATE_DEVICE_0 or MANUAL_ACTUATE_DEVICE_0 ) => ACTUATE_DEVICE_0 ) and ( ACTUATE_DEVICE_0 => ( VOTE_ACTUATE_DEVICE_0 or MANUAL_ACTUATE_DEVICE_0 ) ))))",
+ "diagramVariables": "Response = (( ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) => ACTUATE_DEVICE_0 ) & ( ACTUATE_DEVICE_0 => ( VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0 ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ },
+ "_id": "8ce24a40-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SET_SETPOINT_SATURATION",
+ "parent_reqid": "INSTRUMENTATION_TRIP_SATURATION",
+ "project": "HARDENS",
+ "rationale": "RFP [8]",
+ "comments": "",
+ "fulltext": "Upon (MAINTENANCE & SET_SETPOINT_SATURATION) Instrumentation shall, until MAINTENANCE & SET_SETPOINT_SATURATION, satisfy SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "SET_SETPOINT_SATURATION",
+ "SETPOINT_SATURATION",
+ "INPUT_SETPOINT_SATURATION"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(( MAINTENANCE & SET_SETPOINT_SATURATION ))",
+ "regular_condition": "(( MAINTENANCE & SET_SETPOINT_SATURATION ))",
+ "conditionTextRange": [
+ 0,
+ 43
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 45,
+ 59
+ ],
+ "stop_condition": "(MAINTENANCE & SET_SETPOINT_SATURATION)",
+ "timingTextRange": [
+ 66,
+ 111
+ ],
+ "post_condition": "(SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION)",
+ "responseTextRange": [
+ 113,
+ 167
+ ],
+ "ft": "((LAST V (((! (( MAINTENANCE & SET_SETPOINT_SATURATION ))) & ((! LAST) & (X (( MAINTENANCE & SET_SETPOINT_SATURATION ))))) -> (X (((MAINTENANCE & SET_SETPOINT_SATURATION) V ((SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION) | (MAINTENANCE & SET_SETPOINT_SATURATION))) | (LAST V (SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION)))))) & ((( MAINTENANCE & SET_SETPOINT_SATURATION )) -> (((MAINTENANCE & SET_SETPOINT_SATURATION) V ((SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION) | (MAINTENANCE & SET_SETPOINT_SATURATION))) | (LAST V (SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION)))))",
+ "pt": "(H ((H (! (( MAINTENANCE & SET_SETPOINT_SATURATION )))) | (((! (MAINTENANCE & SET_SETPOINT_SATURATION)) S ((! (MAINTENANCE & SET_SETPOINT_SATURATION)) & ((( MAINTENANCE & SET_SETPOINT_SATURATION )) & ((Y (! (( MAINTENANCE & SET_SETPOINT_SATURATION )))) | FTP)))) -> (SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION))))",
+ "ftExpanded": "((LAST V (((! (( MAINTENANCE & SET_SETPOINT_SATURATION ))) & ((! LAST) & (X (( MAINTENANCE & SET_SETPOINT_SATURATION ))))) -> (X (((MAINTENANCE & SET_SETPOINT_SATURATION) V ((SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION) | (MAINTENANCE & SET_SETPOINT_SATURATION))) | (LAST V (SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION)))))) & ((( MAINTENANCE & SET_SETPOINT_SATURATION )) -> (((MAINTENANCE & SET_SETPOINT_SATURATION) V ((SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION) | (MAINTENANCE & SET_SETPOINT_SATURATION))) | (LAST V (SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION)))))",
+ "ptExpanded": "(H ((H (! (( MAINTENANCE & SET_SETPOINT_SATURATION )))) | (((! (MAINTENANCE & SET_SETPOINT_SATURATION)) S ((! (MAINTENANCE & SET_SETPOINT_SATURATION)) & ((( MAINTENANCE & SET_SETPOINT_SATURATION )) & ((Y (! (( MAINTENANCE & SET_SETPOINT_SATURATION )))) | (! (Y TRUE)))))) -> (SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (( MAINTENANCE and SET_SETPOINT_SATURATION )))) or ((SI( ((( MAINTENANCE and SET_SETPOINT_SATURATION )) and ((pre ( not (( MAINTENANCE and SET_SETPOINT_SATURATION )))) or FTP)), ( not (MAINTENANCE and SET_SETPOINT_SATURATION)) )) => (SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION))))",
+ "diagramVariables": "TC = (( MAINTENANCE & SET_SETPOINT_SATURATION )), SC = (MAINTENANCE & SET_SETPOINT_SATURATION), Response = (SETPOINT_SATURATION = INPUT_SETPOINT_SATURATION).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( MAINTENANCE & SET_SETPOINT_SATURATION )) is true and any point in the interval where (( MAINTENANCE & SET_SETPOINT_SATURATION )) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce29860-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SET_BYPASS_PRESSURE",
+ "parent_reqid": "INSTRUMENTATION_TRIP_PRESSURE",
+ "project": "HARDENS",
+ "rationale": "RFP [9]",
+ "comments": "",
+ "fulltext": "Upon MAINTENANCE & PRESSURE_MODE = 0 Instrumentation shall, until MAINTENANCE & !(PRESSURE_MODE = 0), satisfy !TRIP_PRESSURE",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "PRESSURE_MODE",
+ "TRIP_PRESSURE"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(MAINTENANCE & PRESSURE_MODE = 0)",
+ "regular_condition": "(MAINTENANCE & PRESSURE_MODE = 0)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 37,
+ 51
+ ],
+ "stop_condition": "(MAINTENANCE & ! ( PRESSURE_MODE = 0 ))",
+ "timingTextRange": [
+ 58,
+ 100
+ ],
+ "post_condition": "(! TRIP_PRESSURE)",
+ "responseTextRange": [
+ 102,
+ 123
+ ],
+ "ft": "((LAST V (((! (MAINTENANCE & PRESSURE_MODE = 0)) & ((! LAST) & (X (MAINTENANCE & PRESSURE_MODE = 0)))) -> (X (((MAINTENANCE & ! ( PRESSURE_MODE = 0 )) V ((! TRIP_PRESSURE) | (MAINTENANCE & ! ( PRESSURE_MODE = 0 )))) | (LAST V (! TRIP_PRESSURE)))))) & ((MAINTENANCE & PRESSURE_MODE = 0) -> (((MAINTENANCE & ! ( PRESSURE_MODE = 0 )) V ((! TRIP_PRESSURE) | (MAINTENANCE & ! ( PRESSURE_MODE = 0 )))) | (LAST V (! TRIP_PRESSURE)))))",
+ "pt": "(H ((H (! (MAINTENANCE & PRESSURE_MODE = 0))) | (((! (MAINTENANCE & ! ( PRESSURE_MODE = 0 ))) S ((! (MAINTENANCE & ! ( PRESSURE_MODE = 0 ))) & ((MAINTENANCE & PRESSURE_MODE = 0) & ((Y (! (MAINTENANCE & PRESSURE_MODE = 0))) | FTP)))) -> (! TRIP_PRESSURE))))",
+ "ftExpanded": "((LAST V (((! (MAINTENANCE & PRESSURE_MODE = 0)) & ((! LAST) & (X (MAINTENANCE & PRESSURE_MODE = 0)))) -> (X (((MAINTENANCE & ! ( PRESSURE_MODE = 0 )) V ((! TRIP_PRESSURE) | (MAINTENANCE & ! ( PRESSURE_MODE = 0 )))) | (LAST V (! TRIP_PRESSURE)))))) & ((MAINTENANCE & PRESSURE_MODE = 0) -> (((MAINTENANCE & ! ( PRESSURE_MODE = 0 )) V ((! TRIP_PRESSURE) | (MAINTENANCE & ! ( PRESSURE_MODE = 0 )))) | (LAST V (! TRIP_PRESSURE)))))",
+ "ptExpanded": "(H ((H (! (MAINTENANCE & PRESSURE_MODE = 0))) | (((! (MAINTENANCE & ! ( PRESSURE_MODE = 0 ))) S ((! (MAINTENANCE & ! ( PRESSURE_MODE = 0 ))) & ((MAINTENANCE & PRESSURE_MODE = 0) & ((Y (! (MAINTENANCE & PRESSURE_MODE = 0))) | (! (Y TRUE)))))) -> (! TRIP_PRESSURE))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (MAINTENANCE and PRESSURE_MODE = 0))) or ((SI( ((MAINTENANCE and PRESSURE_MODE = 0) and ((pre ( not (MAINTENANCE and PRESSURE_MODE = 0))) or FTP)), ( not (MAINTENANCE and not ( PRESSURE_MODE = 0 ))) )) => (not TRIP_PRESSURE))))",
+ "diagramVariables": "TC = (MAINTENANCE & PRESSURE_MODE = 0), SC = (MAINTENANCE & ! ( PRESSURE_MODE = 0 )), Response = (! TRIP_PRESSURE).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (MAINTENANCE & PRESSURE_MODE = 0) is true and any point in the interval where (MAINTENANCE & PRESSURE_MODE = 0) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce2e680-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SET_MANUAL_TRIP_SATURATION",
+ "parent_reqid": "INSTRUMENTATION_TRIP_SATURATION",
+ "project": "HARDENS",
+ "rationale": "RFP [10]",
+ "comments": "",
+ "fulltext": "Upon MAINTENANCE & SATURATION_MODE = 2 Instrumentation shall, until MAINTENANCE & !(SATURATION_MODE = 2), satisfy TRIP_SATURATION",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "SATURATION_MODE",
+ "TRIP_SATURATION"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(MAINTENANCE & SATURATION_MODE = 2)",
+ "regular_condition": "(MAINTENANCE & SATURATION_MODE = 2)",
+ "conditionTextRange": [
+ 0,
+ 37
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 39,
+ 53
+ ],
+ "stop_condition": "(MAINTENANCE & ! ( SATURATION_MODE = 2 ))",
+ "timingTextRange": [
+ 60,
+ 104
+ ],
+ "post_condition": "(TRIP_SATURATION)",
+ "responseTextRange": [
+ 106,
+ 128
+ ],
+ "ft": "((LAST V (((! (MAINTENANCE & SATURATION_MODE = 2)) & ((! LAST) & (X (MAINTENANCE & SATURATION_MODE = 2)))) -> (X (((MAINTENANCE & ! ( SATURATION_MODE = 2 )) V ((TRIP_SATURATION) | (MAINTENANCE & ! ( SATURATION_MODE = 2 )))) | (LAST V (TRIP_SATURATION)))))) & ((MAINTENANCE & SATURATION_MODE = 2) -> (((MAINTENANCE & ! ( SATURATION_MODE = 2 )) V ((TRIP_SATURATION) | (MAINTENANCE & ! ( SATURATION_MODE = 2 )))) | (LAST V (TRIP_SATURATION)))))",
+ "pt": "(H ((H (! (MAINTENANCE & SATURATION_MODE = 2))) | (((! (MAINTENANCE & ! ( SATURATION_MODE = 2 ))) S ((! (MAINTENANCE & ! ( SATURATION_MODE = 2 ))) & ((MAINTENANCE & SATURATION_MODE = 2) & ((Y (! (MAINTENANCE & SATURATION_MODE = 2))) | FTP)))) -> (TRIP_SATURATION))))",
+ "ftExpanded": "((LAST V (((! (MAINTENANCE & SATURATION_MODE = 2)) & ((! LAST) & (X (MAINTENANCE & SATURATION_MODE = 2)))) -> (X (((MAINTENANCE & ! ( SATURATION_MODE = 2 )) V ((TRIP_SATURATION) | (MAINTENANCE & ! ( SATURATION_MODE = 2 )))) | (LAST V (TRIP_SATURATION)))))) & ((MAINTENANCE & SATURATION_MODE = 2) -> (((MAINTENANCE & ! ( SATURATION_MODE = 2 )) V ((TRIP_SATURATION) | (MAINTENANCE & ! ( SATURATION_MODE = 2 )))) | (LAST V (TRIP_SATURATION)))))",
+ "ptExpanded": "(H ((H (! (MAINTENANCE & SATURATION_MODE = 2))) | (((! (MAINTENANCE & ! ( SATURATION_MODE = 2 ))) S ((! (MAINTENANCE & ! ( SATURATION_MODE = 2 ))) & ((MAINTENANCE & SATURATION_MODE = 2) & ((Y (! (MAINTENANCE & SATURATION_MODE = 2))) | (! (Y TRUE)))))) -> (TRIP_SATURATION))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (MAINTENANCE and SATURATION_MODE = 2))) or ((SI( ((MAINTENANCE and SATURATION_MODE = 2) and ((pre ( not (MAINTENANCE and SATURATION_MODE = 2))) or FTP)), ( not (MAINTENANCE and not ( SATURATION_MODE = 2 ))) )) => (TRIP_SATURATION))))",
+ "diagramVariables": "TC = (MAINTENANCE & SATURATION_MODE = 2), SC = (MAINTENANCE & ! ( SATURATION_MODE = 2 )), Response = (TRIP_SATURATION).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (MAINTENANCE & SATURATION_MODE = 2) is true and any point in the interval where (MAINTENANCE & SATURATION_MODE = 2) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce334a0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "ACTUATION_LOGIC_VOTE_TEMPERATURE",
+ "parent_reqid": "ACTUATION_LOGIC_VOTE_DEVICE_0",
+ "project": "HARDENS",
+ "rationale": "RFP Actuation Logic Architecture, [2,4]",
+ "comments": "",
+ "fulltext": "Actuation_Logic shall always satisfy (((TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1) | ((TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1) & (TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3)) | (TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3)) => VOTE_TRIP_TEMPERATURE) & (VOTE_TRIP_TEMPERATURE => ((TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1) | ((TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1) & (TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3)) | (TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3)))",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "TRIP_TEMPERATURE_0",
+ "TRIP_TEMPERATURE_1",
+ "TRIP_TEMPERATURE_2",
+ "TRIP_TEMPERATURE_3",
+ "VOTE_TRIP_TEMPERATURE"
+ ],
+ "component_name": "Actuation_Logic",
+ "componentTextRange": [
+ 0,
+ 14
+ ],
+ "timingTextRange": [
+ 22,
+ 27
+ ],
+ "post_condition": "(( ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) => VOTE_TRIP_TEMPERATURE ) & ( VOTE_TRIP_TEMPERATURE => ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) ))",
+ "responseTextRange": [
+ 29,
+ 447
+ ],
+ "ft": "(LAST V (( ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) -> VOTE_TRIP_TEMPERATURE ) & ( VOTE_TRIP_TEMPERATURE -> ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) )))",
+ "pt": "(H (( ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) -> VOTE_TRIP_TEMPERATURE ) & ( VOTE_TRIP_TEMPERATURE -> ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) )))",
+ "ftExpanded": "(LAST V (( ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) -> VOTE_TRIP_TEMPERATURE ) & ( VOTE_TRIP_TEMPERATURE -> ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) )))",
+ "ptExpanded": "(H (( ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) -> VOTE_TRIP_TEMPERATURE ) & ( VOTE_TRIP_TEMPERATURE -> ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) )))",
+ "component": "Actuation_Logic",
+ "CoCoSpecCode": "(H((( ( ( TRIP_TEMPERATURE_0 and TRIP_TEMPERATURE_1 ) or ( ( TRIP_TEMPERATURE_0 or TRIP_TEMPERATURE_1 ) and ( TRIP_TEMPERATURE_2 or TRIP_TEMPERATURE_3 ) ) or ( TRIP_TEMPERATURE_2 and TRIP_TEMPERATURE_3 ) ) => VOTE_TRIP_TEMPERATURE ) and ( VOTE_TRIP_TEMPERATURE => ( ( TRIP_TEMPERATURE_0 and TRIP_TEMPERATURE_1 ) or ( ( TRIP_TEMPERATURE_0 or TRIP_TEMPERATURE_1 ) and ( TRIP_TEMPERATURE_2 or TRIP_TEMPERATURE_3 ) ) or ( TRIP_TEMPERATURE_2 and TRIP_TEMPERATURE_3 ) ) ))))",
+ "diagramVariables": "Response = (( ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) => VOTE_TRIP_TEMPERATURE ) & ( VOTE_TRIP_TEMPERATURE => ( ( TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1 ) | ( ( TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1 ) & ( TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3 ) ) | ( TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3 ) ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ },
+ "_id": "8ce35bb0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "ACTUATION_LOGIC_DEVICE_1",
+ "parent_reqid": "",
+ "project": "HARDENS",
+ "rationale": "RFP [5, 6]",
+ "comments": "",
+ "fulltext": "Actuation_Logic shall always satisfy (VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 => ACTUATE_DEVICE_1) & (ACTUATE_DEVICE_1 => VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1)",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "VOTE_ACTUATE_DEVICE_1",
+ "MANUAL_ACTUATE_DEVICE_1",
+ "ACTUATE_DEVICE_1"
+ ],
+ "component_name": "Actuation_Logic",
+ "componentTextRange": [
+ 0,
+ 14
+ ],
+ "timingTextRange": [
+ 22,
+ 27
+ ],
+ "post_condition": "(( VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 => ACTUATE_DEVICE_1 ) & ( ACTUATE_DEVICE_1 => VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 ))",
+ "responseTextRange": [
+ 29,
+ 177
+ ],
+ "ft": "(LAST V (( VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 -> ACTUATE_DEVICE_1 ) & ( ACTUATE_DEVICE_1 -> VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 )))",
+ "pt": "(H (( VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 -> ACTUATE_DEVICE_1 ) & ( ACTUATE_DEVICE_1 -> VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 )))",
+ "ftExpanded": "(LAST V (( VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 -> ACTUATE_DEVICE_1 ) & ( ACTUATE_DEVICE_1 -> VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 )))",
+ "ptExpanded": "(H (( VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 -> ACTUATE_DEVICE_1 ) & ( ACTUATE_DEVICE_1 -> VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 )))",
+ "component": "Actuation_Logic",
+ "CoCoSpecCode": "(H((( VOTE_ACTUATE_DEVICE_1 or MANUAL_ACTUATE_DEVICE_1 => ACTUATE_DEVICE_1 ) and ( ACTUATE_DEVICE_1 => VOTE_ACTUATE_DEVICE_1 or MANUAL_ACTUATE_DEVICE_1 ))))",
+ "diagramVariables": "Response = (( VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 => ACTUATE_DEVICE_1 ) & ( ACTUATE_DEVICE_1 => VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ },
+ "_id": "8ce3a9d0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "ACTUATION_LOGIC_VOTE_PRESSURE",
+ "parent_reqid": "ACTUATION_LOGIC_VOTE_DEVICE_0",
+ "project": "HARDENS",
+ "rationale": "RFP Actuation Logic Architecture, [1,4]",
+ "comments": "",
+ "fulltext": "Actuation_Logic shall always satisfy (IF ((TRIP_PRESSURE_0 & TRIP_PRESSURE_1) | (( TRIP_PRESSURE_0 | TRIP_PRESSURE_1) & (TRIP_PRESSURE_2 | TRIP_PRESSURE_3)) | (TRIP_PRESSURE_2 & TRIP_PRESSURE_3)) THEN VOTE_TRIP_PRESSURE) & (IF VOTE_TRIP_PRESSURE THEN ((TRIP_PRESSURE_0 & TRIP_PRESSURE_1) | (( TRIP_PRESSURE_0 | TRIP_PRESSURE_1) & (TRIP_PRESSURE_2 | TRIP_PRESSURE_3)) | (TRIP_PRESSURE_2 & TRIP_PRESSURE_3)))",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "TRIP_PRESSURE_0",
+ "TRIP_PRESSURE_1",
+ "TRIP_PRESSURE_2",
+ "TRIP_PRESSURE_3",
+ "VOTE_TRIP_PRESSURE"
+ ],
+ "component_name": "Actuation_Logic",
+ "componentTextRange": [
+ 0,
+ 14
+ ],
+ "timingTextRange": [
+ 22,
+ 27
+ ],
+ "post_condition": "(( ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) => VOTE_TRIP_PRESSURE ) & ( VOTE_TRIP_PRESSURE => ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) ))",
+ "responseTextRange": [
+ 29,
+ 405
+ ],
+ "ft": "(LAST V (( ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) -> VOTE_TRIP_PRESSURE ) & ( VOTE_TRIP_PRESSURE -> ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) )))",
+ "pt": "(H (( ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) -> VOTE_TRIP_PRESSURE ) & ( VOTE_TRIP_PRESSURE -> ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) )))",
+ "ftExpanded": "(LAST V (( ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) -> VOTE_TRIP_PRESSURE ) & ( VOTE_TRIP_PRESSURE -> ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) )))",
+ "ptExpanded": "(H (( ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) -> VOTE_TRIP_PRESSURE ) & ( VOTE_TRIP_PRESSURE -> ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) )))",
+ "component": "Actuation_Logic",
+ "CoCoSpecCode": "(H((( ( ( TRIP_PRESSURE_0 and TRIP_PRESSURE_1 ) or ( ( TRIP_PRESSURE_0 or TRIP_PRESSURE_1 ) and ( TRIP_PRESSURE_2 or TRIP_PRESSURE_3 ) ) or ( TRIP_PRESSURE_2 and TRIP_PRESSURE_3 ) ) => VOTE_TRIP_PRESSURE ) and ( VOTE_TRIP_PRESSURE => ( ( TRIP_PRESSURE_0 and TRIP_PRESSURE_1 ) or ( ( TRIP_PRESSURE_0 or TRIP_PRESSURE_1 ) and ( TRIP_PRESSURE_2 or TRIP_PRESSURE_3 ) ) or ( TRIP_PRESSURE_2 and TRIP_PRESSURE_3 ) ) ))))",
+ "diagramVariables": "Response = (( ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) => VOTE_TRIP_PRESSURE ) & ( VOTE_TRIP_PRESSURE => ( ( TRIP_PRESSURE_0 & TRIP_PRESSURE_1 ) | ( ( TRIP_PRESSURE_0 | TRIP_PRESSURE_1 ) & ( TRIP_PRESSURE_2 | TRIP_PRESSURE_3 ) ) | ( TRIP_PRESSURE_2 & TRIP_PRESSURE_3 ) ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ },
+ "_id": "8ce3f7f0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_TRIP_TEMPERATURE",
+ "parent_reqid": "",
+ "project": "HARDENS",
+ "rationale": "RFP [3,10]",
+ "comments": "",
+ "fulltext": "Instrumentation shall always satisfy true",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 0,
+ 14
+ ],
+ "timingTextRange": [
+ 22,
+ 27
+ ],
+ "post_condition": "(true)",
+ "responseTextRange": [
+ 29,
+ 40
+ ],
+ "ft": "(LAST V (true))",
+ "pt": "(H (true))",
+ "ftExpanded": "(LAST V (true))",
+ "ptExpanded": "(H (true))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((true)))",
+ "diagramVariables": "Response = (true).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ },
+ "_id": "8ce44610-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_RESET",
+ "parent_reqid": "",
+ "project": "HARDENS",
+ "rationale": "",
+ "comments": "",
+ "fulltext": "AFTER RESET Instrumentation shall immediately satisfy (MAINTENANCE & PRESSURE_TRIP_MODE = 0 & TEMPERATURE_TRIP_MODE = 0 & SATURATION_TRIP_MODE = 0)",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "after",
+ "exclusive": false,
+ "required": false
+ },
+ "condition": "null",
+ "timing": "immediately",
+ "response": "satisfaction",
+ "variables": [
+ "RESET",
+ "MAINTENANCE",
+ "PRESSURE_TRIP_MODE",
+ "TEMPERATURE_TRIP_MODE",
+ "SATURATION_TRIP_MODE"
+ ],
+ "scope_mode": "RESET",
+ "scopeTextRange": [
+ 0,
+ 10
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 12,
+ 26
+ ],
+ "timingTextRange": [
+ 34,
+ 44
+ ],
+ "post_condition": "(( MAINTENANCE & PRESSURE_TRIP_MODE = 0 & TEMPERATURE_TRIP_MODE = 0 & SATURATION_TRIP_MODE = 0 ))",
+ "responseTextRange": [
+ 46,
+ 146
+ ],
+ "ft": "(((! FLin_RESET) U (FLin_RESET & (X (( MAINTENANCE & PRESSURE_TRIP_MODE = 0 & TEMPERATURE_TRIP_MODE = 0 & SATURATION_TRIP_MODE = 0 ))))) | (LAST V (! FLin_RESET)))",
+ "pt": "((O FLin_RESET) -> ((FLin_RESET -> (( MAINTENANCE & PRESSURE_TRIP_MODE = 0 & TEMPERATURE_TRIP_MODE = 0 & SATURATION_TRIP_MODE = 0 ))) S ((FLin_RESET -> (( MAINTENANCE & PRESSURE_TRIP_MODE = 0 & TEMPERATURE_TRIP_MODE = 0 & SATURATION_TRIP_MODE = 0 ))) & FLin_RESET)))",
+ "ftExpanded": "(((! ((RESET & (! LAST)) & (X (! RESET)))) U (((RESET & (! LAST)) & (X (! RESET))) & (X (( MAINTENANCE & PRESSURE_TRIP_MODE = 0 & TEMPERATURE_TRIP_MODE = 0 & SATURATION_TRIP_MODE = 0 ))))) | (LAST V (! ((RESET & (! LAST)) & (X (! RESET))))))",
+ "ptExpanded": "((O (((! RESET) & (Y RESET)) & (Y (H (! ((! RESET) & (Y RESET))))))) -> (((((! RESET) & (Y RESET)) & (Y (H (! ((! RESET) & (Y RESET)))))) -> (( MAINTENANCE & PRESSURE_TRIP_MODE = 0 & TEMPERATURE_TRIP_MODE = 0 & SATURATION_TRIP_MODE = 0 ))) S (((((! RESET) & (Y RESET)) & (Y (H (! ((! RESET) & (Y RESET)))))) -> (( MAINTENANCE & PRESSURE_TRIP_MODE = 0 & TEMPERATURE_TRIP_MODE = 0 & SATURATION_TRIP_MODE = 0 ))) & (((! RESET) & (Y RESET)) & (Y (H (! ((! RESET) & (Y RESET)))))))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "((O((( not RESET) and (pre (RESET))) and pre (H( not (( not RESET) and (pre (RESET))))))) => (SI( ((( not RESET) and (pre (RESET))) and pre (H( not (( not RESET) and (pre (RESET)))))), (((( not RESET) and (pre (RESET))) and pre (H( not (( not RESET) and (pre (RESET)))))) => (( MAINTENANCE and PRESSURE_TRIP_MODE = 0 and TEMPERATURE_TRIP_MODE = 0 and SATURATION_TRIP_MODE = 0 ))) )))",
+ "diagramVariables": "M = RESET, Response = (( MAINTENANCE & PRESSURE_TRIP_MODE = 0 & TEMPERATURE_TRIP_MODE = 0 & SATURATION_TRIP_MODE = 0 )).",
+ "description": "ENFORCED: in the interval (if defined) starting strictly after the first RESET interval and spanning to the end of the execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, if trigger holds then RES also holds at the same time point.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/after_null_immediately_satisfaction.svg"
+ },
+ "_id": "8ce46d20-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_TRIP_SATURATION",
+ "parent_reqid": "",
+ "project": "HARDENS",
+ "rationale": "RFP [2,10]",
+ "comments": "",
+ "fulltext": "Instrumentation shall always satisfy true",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 0,
+ 14
+ ],
+ "timingTextRange": [
+ 22,
+ 27
+ ],
+ "post_condition": "(true)",
+ "responseTextRange": [
+ 29,
+ 40
+ ],
+ "ft": "(LAST V (true))",
+ "pt": "(H (true))",
+ "ftExpanded": "(LAST V (true))",
+ "ptExpanded": "(H (true))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((true)))",
+ "diagramVariables": "Response = (true).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ },
+ "_id": "8ce49430-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "CORE_UI_INSTRUMENTATION",
+ "parent_reqid": "",
+ "project": "HARDENS",
+ "rationale": "RFP [11,12,13]",
+ "comments": "c.f. \"Integrating Formal Verification and Assurance:\nAn Inspection Rover Case Study\" for quantifier modeling",
+ "fulltext": "Core shall always satisfy forAll_instr_i & INSTRUMENTATION_i_PRESSURE = UI_i_PRESSURE & INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE & INSTRUMENTATION_i_SATURATION = UI_i_SATURATION & INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE & INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE & INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE & INSTRUMENTATION_i_TRIP_TEMPERATURE = UI_i_TRIP_TEMPERATURE & INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "forAll_instr_i",
+ "INSTRUMENTATION_i_PRESSURE",
+ "UI_i_PRESSURE",
+ "INSTRUMENTATION_i_TEMPERATURE",
+ "UI_i_TEMPERATURE",
+ "INSTRUMENTATION_i_SATURATION",
+ "UI_i_SATURATION",
+ "INSTRUMENTATION_i_BYPASS_PRESSURE",
+ "UI_i_BYPASS_PRESSURE",
+ "INSTRUMENTATION_i_BYPASS_TEMPERATURE",
+ "UI_i_BYPASS_TEMPERATURE",
+ "INSTRUMENTATION_i_TRIP_PRESSURE",
+ "UI_i_TRIP_PRESSURE",
+ "INSTRUMENTATION_i_TRIP_TEMPERATURE",
+ "UI_i_TRIP_TEMPERATURE",
+ "INSTRUMENTATION_i_TRIP_SATURATION",
+ "UI_i_TRIP_SATURATION"
+ ],
+ "component_name": "Core",
+ "componentTextRange": [
+ 0,
+ 3
+ ],
+ "timingTextRange": [
+ 11,
+ 16
+ ],
+ "post_condition": "(forAll_instr_i & INSTRUMENTATION_i_PRESSURE = UI_i_PRESSURE & INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE & INSTRUMENTATION_i_SATURATION = UI_i_SATURATION & INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE & INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE & INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE & INSTRUMENTATION_i_TRIP_TEMPERATURE = UI_i_TRIP_TEMPERATURE & INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION)",
+ "responseTextRange": [
+ 18,
+ 483
+ ],
+ "ft": "(LAST V (forAll_instr_i & INSTRUMENTATION_i_PRESSURE = UI_i_PRESSURE & INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE & INSTRUMENTATION_i_SATURATION = UI_i_SATURATION & INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE & INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE & INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE & INSTRUMENTATION_i_TRIP_TEMPERATURE = UI_i_TRIP_TEMPERATURE & INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION))",
+ "pt": "(H (forAll_instr_i & INSTRUMENTATION_i_PRESSURE = UI_i_PRESSURE & INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE & INSTRUMENTATION_i_SATURATION = UI_i_SATURATION & INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE & INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE & INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE & INSTRUMENTATION_i_TRIP_TEMPERATURE = UI_i_TRIP_TEMPERATURE & INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION))",
+ "ftExpanded": "(LAST V (forAll_instr_i & INSTRUMENTATION_i_PRESSURE = UI_i_PRESSURE & INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE & INSTRUMENTATION_i_SATURATION = UI_i_SATURATION & INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE & INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE & INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE & INSTRUMENTATION_i_TRIP_TEMPERATURE = UI_i_TRIP_TEMPERATURE & INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION))",
+ "ptExpanded": "(H (forAll_instr_i & INSTRUMENTATION_i_PRESSURE = UI_i_PRESSURE & INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE & INSTRUMENTATION_i_SATURATION = UI_i_SATURATION & INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE & INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE & INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE & INSTRUMENTATION_i_TRIP_TEMPERATURE = UI_i_TRIP_TEMPERATURE & INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION))",
+ "component": "Core",
+ "CoCoSpecCode": "(H((forAll_instr_i and INSTRUMENTATION_i_PRESSURE = UI_i_PRESSURE and INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE and INSTRUMENTATION_i_SATURATION = UI_i_SATURATION and INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE and INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE and INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE and INSTRUMENTATION_i_TRIP_TEMPERATURE = UI_i_TRIP_TEMPERATURE and INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION)))",
+ "diagramVariables": "Response = (forAll_instr_i & INSTRUMENTATION_i_PRESSURE = UI_i_PRESSURE & INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE & INSTRUMENTATION_i_SATURATION = UI_i_SATURATION & INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE & INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE & INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE & INSTRUMENTATION_i_TRIP_TEMPERATURE = UI_i_TRIP_TEMPERATURE & INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ },
+ "_id": "8ce4e250-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SET_MAINTENANCE",
+ "parent_reqid": "",
+ "project": "HARDENS",
+ "rationale": "RFP [7]",
+ "comments": "Mutually exclusive by virtue of tracking state via a single boolean",
+ "fulltext": "Upon SET_MAINTENANCE Instrumentation shall, until UNSET_MAINTENANCE, satisfy MAINTENANCE",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "SET_MAINTENANCE",
+ "UNSET_MAINTENANCE",
+ "MAINTENANCE"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(SET_MAINTENANCE)",
+ "regular_condition": "(SET_MAINTENANCE)",
+ "conditionTextRange": [
+ 0,
+ 19
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 21,
+ 35
+ ],
+ "stop_condition": "(UNSET_MAINTENANCE)",
+ "timingTextRange": [
+ 42,
+ 67
+ ],
+ "post_condition": "(MAINTENANCE)",
+ "responseTextRange": [
+ 69,
+ 87
+ ],
+ "ft": "((LAST V (((! (SET_MAINTENANCE)) & ((! LAST) & (X (SET_MAINTENANCE)))) -> (X (((UNSET_MAINTENANCE) V ((MAINTENANCE) | (UNSET_MAINTENANCE))) | (LAST V (MAINTENANCE)))))) & ((SET_MAINTENANCE) -> (((UNSET_MAINTENANCE) V ((MAINTENANCE) | (UNSET_MAINTENANCE))) | (LAST V (MAINTENANCE)))))",
+ "pt": "(H ((H (! (SET_MAINTENANCE))) | (((! (UNSET_MAINTENANCE)) S ((! (UNSET_MAINTENANCE)) & ((SET_MAINTENANCE) & ((Y (! (SET_MAINTENANCE))) | FTP)))) -> (MAINTENANCE))))",
+ "ftExpanded": "((LAST V (((! (SET_MAINTENANCE)) & ((! LAST) & (X (SET_MAINTENANCE)))) -> (X (((UNSET_MAINTENANCE) V ((MAINTENANCE) | (UNSET_MAINTENANCE))) | (LAST V (MAINTENANCE)))))) & ((SET_MAINTENANCE) -> (((UNSET_MAINTENANCE) V ((MAINTENANCE) | (UNSET_MAINTENANCE))) | (LAST V (MAINTENANCE)))))",
+ "ptExpanded": "(H ((H (! (SET_MAINTENANCE))) | (((! (UNSET_MAINTENANCE)) S ((! (UNSET_MAINTENANCE)) & ((SET_MAINTENANCE) & ((Y (! (SET_MAINTENANCE))) | (! (Y TRUE)))))) -> (MAINTENANCE))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (SET_MAINTENANCE))) or ((SI( ((SET_MAINTENANCE) and ((pre ( not (SET_MAINTENANCE))) or FTP)), ( not (UNSET_MAINTENANCE)) )) => (MAINTENANCE))))",
+ "diagramVariables": "TC = (SET_MAINTENANCE), SC = (UNSET_MAINTENANCE), Response = (MAINTENANCE).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (SET_MAINTENANCE) is true and any point in the interval where (SET_MAINTENANCE) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce53070-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "ACTUATION_LOGIC_MANUAL_DEVICE_0",
+ "parent_reqid": "ACTUATION_LOGIC_DEVICE_0",
+ "project": "HARDENS",
+ "rationale": "RFP 6",
+ "comments": "",
+ "fulltext": "Upon SET_MANUAL_ACTUATE_DEVICE_0 Actuation_Logic shall, until UNSET_MANUAL_ACTUATE_DEVICE_0, satisfy MANUAL_ACTUATE_DEVICE_0",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "SET_MANUAL_ACTUATE_DEVICE_0",
+ "UNSET_MANUAL_ACTUATE_DEVICE_0",
+ "MANUAL_ACTUATE_DEVICE_0"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(SET_MANUAL_ACTUATE_DEVICE_0)",
+ "regular_condition": "(SET_MANUAL_ACTUATE_DEVICE_0)",
+ "conditionTextRange": [
+ 0,
+ 31
+ ],
+ "component_name": "Actuation_Logic",
+ "componentTextRange": [
+ 33,
+ 47
+ ],
+ "stop_condition": "(UNSET_MANUAL_ACTUATE_DEVICE_0)",
+ "timingTextRange": [
+ 54,
+ 91
+ ],
+ "post_condition": "(MANUAL_ACTUATE_DEVICE_0)",
+ "responseTextRange": [
+ 93,
+ 123
+ ],
+ "ft": "((LAST V (((! (SET_MANUAL_ACTUATE_DEVICE_0)) & ((! LAST) & (X (SET_MANUAL_ACTUATE_DEVICE_0)))) -> (X (((UNSET_MANUAL_ACTUATE_DEVICE_0) V ((MANUAL_ACTUATE_DEVICE_0) | (UNSET_MANUAL_ACTUATE_DEVICE_0))) | (LAST V (MANUAL_ACTUATE_DEVICE_0)))))) & ((SET_MANUAL_ACTUATE_DEVICE_0) -> (((UNSET_MANUAL_ACTUATE_DEVICE_0) V ((MANUAL_ACTUATE_DEVICE_0) | (UNSET_MANUAL_ACTUATE_DEVICE_0))) | (LAST V (MANUAL_ACTUATE_DEVICE_0)))))",
+ "pt": "(H ((H (! (SET_MANUAL_ACTUATE_DEVICE_0))) | (((! (UNSET_MANUAL_ACTUATE_DEVICE_0)) S ((! (UNSET_MANUAL_ACTUATE_DEVICE_0)) & ((SET_MANUAL_ACTUATE_DEVICE_0) & ((Y (! (SET_MANUAL_ACTUATE_DEVICE_0))) | FTP)))) -> (MANUAL_ACTUATE_DEVICE_0))))",
+ "ftExpanded": "((LAST V (((! (SET_MANUAL_ACTUATE_DEVICE_0)) & ((! LAST) & (X (SET_MANUAL_ACTUATE_DEVICE_0)))) -> (X (((UNSET_MANUAL_ACTUATE_DEVICE_0) V ((MANUAL_ACTUATE_DEVICE_0) | (UNSET_MANUAL_ACTUATE_DEVICE_0))) | (LAST V (MANUAL_ACTUATE_DEVICE_0)))))) & ((SET_MANUAL_ACTUATE_DEVICE_0) -> (((UNSET_MANUAL_ACTUATE_DEVICE_0) V ((MANUAL_ACTUATE_DEVICE_0) | (UNSET_MANUAL_ACTUATE_DEVICE_0))) | (LAST V (MANUAL_ACTUATE_DEVICE_0)))))",
+ "ptExpanded": "(H ((H (! (SET_MANUAL_ACTUATE_DEVICE_0))) | (((! (UNSET_MANUAL_ACTUATE_DEVICE_0)) S ((! (UNSET_MANUAL_ACTUATE_DEVICE_0)) & ((SET_MANUAL_ACTUATE_DEVICE_0) & ((Y (! (SET_MANUAL_ACTUATE_DEVICE_0))) | (! (Y TRUE)))))) -> (MANUAL_ACTUATE_DEVICE_0))))",
+ "component": "Actuation_Logic",
+ "CoCoSpecCode": "(H((H( not (SET_MANUAL_ACTUATE_DEVICE_0))) or ((SI( ((SET_MANUAL_ACTUATE_DEVICE_0) and ((pre ( not (SET_MANUAL_ACTUATE_DEVICE_0))) or FTP)), ( not (UNSET_MANUAL_ACTUATE_DEVICE_0)) )) => (MANUAL_ACTUATE_DEVICE_0))))",
+ "diagramVariables": "TC = (SET_MANUAL_ACTUATE_DEVICE_0), SC = (UNSET_MANUAL_ACTUATE_DEVICE_0), Response = (MANUAL_ACTUATE_DEVICE_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (SET_MANUAL_ACTUATE_DEVICE_0) is true and any point in the interval where (SET_MANUAL_ACTUATE_DEVICE_0) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce57e90-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "ACTUATION_LOGIC_VOTE_SATURATION",
+ "parent_reqid": "ACTUATION_LOGIC_VOTE_DEVICE_1",
+ "project": "HARDENS",
+ "rationale": "RFP Actuation Logic Architecture, [3,4]",
+ "comments": "",
+ "fulltext": "Actuation_Logic shall always satisfy (((TRIP_SATURATION_0 & TRIP_SATURATION_1) | (( TRIP_SATURATION_0 | TRIP_SATURATION_1) & (TRIP_SATURATION_2 | TRIP_SATURATION_3)) | (TRIP_SATURATION_2 & TRIP_SATURATION_3)) => VOTE_TRIP_SATURATION) & (VOTE_TRIP_SATURATION => ((TRIP_SATURATION_0 & TRIP_SATURATION_1) | (( TRIP_SATURATION_0 | TRIP_SATURATION_1) & (TRIP_SATURATION_2 | TRIP_SATURATION_3)) | (TRIP_SATURATION_2 & TRIP_SATURATION_3)))",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "TRIP_SATURATION_0",
+ "TRIP_SATURATION_1",
+ "TRIP_SATURATION_2",
+ "TRIP_SATURATION_3",
+ "VOTE_TRIP_SATURATION"
+ ],
+ "component_name": "Actuation_Logic",
+ "componentTextRange": [
+ 0,
+ 14
+ ],
+ "timingTextRange": [
+ 22,
+ 27
+ ],
+ "post_condition": "(( ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) => VOTE_TRIP_SATURATION ) & ( VOTE_TRIP_SATURATION => ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) ))",
+ "responseTextRange": [
+ 29,
+ 431
+ ],
+ "ft": "(LAST V (( ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) -> VOTE_TRIP_SATURATION ) & ( VOTE_TRIP_SATURATION -> ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) )))",
+ "pt": "(H (( ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) -> VOTE_TRIP_SATURATION ) & ( VOTE_TRIP_SATURATION -> ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) )))",
+ "ftExpanded": "(LAST V (( ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) -> VOTE_TRIP_SATURATION ) & ( VOTE_TRIP_SATURATION -> ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) )))",
+ "ptExpanded": "(H (( ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) -> VOTE_TRIP_SATURATION ) & ( VOTE_TRIP_SATURATION -> ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) )))",
+ "component": "Actuation_Logic",
+ "CoCoSpecCode": "(H((( ( ( TRIP_SATURATION_0 and TRIP_SATURATION_1 ) or ( ( TRIP_SATURATION_0 or TRIP_SATURATION_1 ) and ( TRIP_SATURATION_2 or TRIP_SATURATION_3 ) ) or ( TRIP_SATURATION_2 and TRIP_SATURATION_3 ) ) => VOTE_TRIP_SATURATION ) and ( VOTE_TRIP_SATURATION => ( ( TRIP_SATURATION_0 and TRIP_SATURATION_1 ) or ( ( TRIP_SATURATION_0 or TRIP_SATURATION_1 ) and ( TRIP_SATURATION_2 or TRIP_SATURATION_3 ) ) or ( TRIP_SATURATION_2 and TRIP_SATURATION_3 ) ) ))))",
+ "diagramVariables": "Response = (( ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) => VOTE_TRIP_SATURATION ) & ( VOTE_TRIP_SATURATION => ( ( TRIP_SATURATION_0 & TRIP_SATURATION_1 ) | ( ( TRIP_SATURATION_0 | TRIP_SATURATION_1 ) & ( TRIP_SATURATION_2 | TRIP_SATURATION_3 ) ) | ( TRIP_SATURATION_2 & TRIP_SATURATION_3 ) ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ },
+ "_id": "8ce5a5a0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "ACTUATION_LOGIC_MANUAL_DEVICE_1",
+ "parent_reqid": "ACTUATION_LOGIC_DEVICE_1",
+ "project": "HARDENS",
+ "rationale": "RFP 6",
+ "comments": "",
+ "fulltext": "Upon SET_MANUAL_ACTUATE_DEVICE_1 Actuation_Logic shall, until UNSET_MANUAL_ACTUATE_DEVICE_1, satisfy MANUAL_ACTUATE_DEVICE_1",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "SET_MANUAL_ACTUATE_DEVICE_1",
+ "UNSET_MANUAL_ACTUATE_DEVICE_1",
+ "MANUAL_ACTUATE_DEVICE_1"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(SET_MANUAL_ACTUATE_DEVICE_1)",
+ "regular_condition": "(SET_MANUAL_ACTUATE_DEVICE_1)",
+ "conditionTextRange": [
+ 0,
+ 31
+ ],
+ "component_name": "Actuation_Logic",
+ "componentTextRange": [
+ 33,
+ 47
+ ],
+ "stop_condition": "(UNSET_MANUAL_ACTUATE_DEVICE_1)",
+ "timingTextRange": [
+ 54,
+ 91
+ ],
+ "post_condition": "(MANUAL_ACTUATE_DEVICE_1)",
+ "responseTextRange": [
+ 93,
+ 123
+ ],
+ "ft": "((LAST V (((! (SET_MANUAL_ACTUATE_DEVICE_1)) & ((! LAST) & (X (SET_MANUAL_ACTUATE_DEVICE_1)))) -> (X (((UNSET_MANUAL_ACTUATE_DEVICE_1) V ((MANUAL_ACTUATE_DEVICE_1) | (UNSET_MANUAL_ACTUATE_DEVICE_1))) | (LAST V (MANUAL_ACTUATE_DEVICE_1)))))) & ((SET_MANUAL_ACTUATE_DEVICE_1) -> (((UNSET_MANUAL_ACTUATE_DEVICE_1) V ((MANUAL_ACTUATE_DEVICE_1) | (UNSET_MANUAL_ACTUATE_DEVICE_1))) | (LAST V (MANUAL_ACTUATE_DEVICE_1)))))",
+ "pt": "(H ((H (! (SET_MANUAL_ACTUATE_DEVICE_1))) | (((! (UNSET_MANUAL_ACTUATE_DEVICE_1)) S ((! (UNSET_MANUAL_ACTUATE_DEVICE_1)) & ((SET_MANUAL_ACTUATE_DEVICE_1) & ((Y (! (SET_MANUAL_ACTUATE_DEVICE_1))) | FTP)))) -> (MANUAL_ACTUATE_DEVICE_1))))",
+ "ftExpanded": "((LAST V (((! (SET_MANUAL_ACTUATE_DEVICE_1)) & ((! LAST) & (X (SET_MANUAL_ACTUATE_DEVICE_1)))) -> (X (((UNSET_MANUAL_ACTUATE_DEVICE_1) V ((MANUAL_ACTUATE_DEVICE_1) | (UNSET_MANUAL_ACTUATE_DEVICE_1))) | (LAST V (MANUAL_ACTUATE_DEVICE_1)))))) & ((SET_MANUAL_ACTUATE_DEVICE_1) -> (((UNSET_MANUAL_ACTUATE_DEVICE_1) V ((MANUAL_ACTUATE_DEVICE_1) | (UNSET_MANUAL_ACTUATE_DEVICE_1))) | (LAST V (MANUAL_ACTUATE_DEVICE_1)))))",
+ "ptExpanded": "(H ((H (! (SET_MANUAL_ACTUATE_DEVICE_1))) | (((! (UNSET_MANUAL_ACTUATE_DEVICE_1)) S ((! (UNSET_MANUAL_ACTUATE_DEVICE_1)) & ((SET_MANUAL_ACTUATE_DEVICE_1) & ((Y (! (SET_MANUAL_ACTUATE_DEVICE_1))) | (! (Y TRUE)))))) -> (MANUAL_ACTUATE_DEVICE_1))))",
+ "component": "Actuation_Logic",
+ "CoCoSpecCode": "(H((H( not (SET_MANUAL_ACTUATE_DEVICE_1))) or ((SI( ((SET_MANUAL_ACTUATE_DEVICE_1) and ((pre ( not (SET_MANUAL_ACTUATE_DEVICE_1))) or FTP)), ( not (UNSET_MANUAL_ACTUATE_DEVICE_1)) )) => (MANUAL_ACTUATE_DEVICE_1))))",
+ "diagramVariables": "TC = (SET_MANUAL_ACTUATE_DEVICE_1), SC = (UNSET_MANUAL_ACTUATE_DEVICE_1), Response = (MANUAL_ACTUATE_DEVICE_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (SET_MANUAL_ACTUATE_DEVICE_1) is true and any point in the interval where (SET_MANUAL_ACTUATE_DEVICE_1) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce5f3c0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "ACTUATION_LOGIC_VOTE_DEVICE_1",
+ "parent_reqid": "ACTUATION_LOGIC_DEVICE_1",
+ "project": "HARDENS",
+ "rationale": "RFP 5",
+ "comments": "",
+ "fulltext": "Upon VOTE_TRIP_SATURATION Actuation_Logic shall always satisfy VOTE_ACTUATE_DEVICE_1",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "VOTE_TRIP_SATURATION",
+ "VOTE_ACTUATE_DEVICE_1"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(VOTE_TRIP_SATURATION)",
+ "regular_condition": "(VOTE_TRIP_SATURATION)",
+ "conditionTextRange": [
+ 0,
+ 24
+ ],
+ "component_name": "Actuation_Logic",
+ "componentTextRange": [
+ 26,
+ 40
+ ],
+ "timingTextRange": [
+ 48,
+ 53
+ ],
+ "post_condition": "(VOTE_ACTUATE_DEVICE_1)",
+ "responseTextRange": [
+ 55,
+ 83
+ ],
+ "ft": "((LAST V (((! (VOTE_TRIP_SATURATION)) & ((! LAST) & (X (VOTE_TRIP_SATURATION)))) -> (X (LAST V (VOTE_ACTUATE_DEVICE_1))))) & ((VOTE_TRIP_SATURATION) -> (LAST V (VOTE_ACTUATE_DEVICE_1))))",
+ "pt": "(H ((H (! (VOTE_TRIP_SATURATION))) | (VOTE_ACTUATE_DEVICE_1)))",
+ "ftExpanded": "((LAST V (((! (VOTE_TRIP_SATURATION)) & ((! LAST) & (X (VOTE_TRIP_SATURATION)))) -> (X (LAST V (VOTE_ACTUATE_DEVICE_1))))) & ((VOTE_TRIP_SATURATION) -> (LAST V (VOTE_ACTUATE_DEVICE_1))))",
+ "ptExpanded": "(H ((H (! (VOTE_TRIP_SATURATION))) | (VOTE_ACTUATE_DEVICE_1)))",
+ "component": "Actuation_Logic",
+ "CoCoSpecCode": "(H((H( not (VOTE_TRIP_SATURATION))) or (VOTE_ACTUATE_DEVICE_1)))",
+ "diagramVariables": "TC = (VOTE_TRIP_SATURATION), Response = (VOTE_ACTUATE_DEVICE_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (VOTE_TRIP_SATURATION) is true and any point in the interval where (VOTE_TRIP_SATURATION) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ },
+ "_id": "8ce61ad0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SET_BYPASS_TEMPERATURE",
+ "parent_reqid": "INSTRUMENTATION_TRIP_TEMPERATURE",
+ "project": "HARDENS",
+ "rationale": "RFP [9]",
+ "comments": "",
+ "fulltext": "Upon MAINTENANCE & TEMPERATURE_MODE = 0 Instrumentation shall, until MAINTENANCE & !(TEMPERATURE_MODE = 0), satisfy !TRIP_TEMPERATURE",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "TEMPERATURE_MODE",
+ "TRIP_TEMPERATURE"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(MAINTENANCE & TEMPERATURE_MODE = 0)",
+ "regular_condition": "(MAINTENANCE & TEMPERATURE_MODE = 0)",
+ "conditionTextRange": [
+ 0,
+ 38
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 40,
+ 54
+ ],
+ "stop_condition": "(MAINTENANCE & ! ( TEMPERATURE_MODE = 0 ))",
+ "timingTextRange": [
+ 61,
+ 106
+ ],
+ "post_condition": "(! TRIP_TEMPERATURE)",
+ "responseTextRange": [
+ 108,
+ 132
+ ],
+ "ft": "((LAST V (((! (MAINTENANCE & TEMPERATURE_MODE = 0)) & ((! LAST) & (X (MAINTENANCE & TEMPERATURE_MODE = 0)))) -> (X (((MAINTENANCE & ! ( TEMPERATURE_MODE = 0 )) V ((! TRIP_TEMPERATURE) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 0 )))) | (LAST V (! TRIP_TEMPERATURE)))))) & ((MAINTENANCE & TEMPERATURE_MODE = 0) -> (((MAINTENANCE & ! ( TEMPERATURE_MODE = 0 )) V ((! TRIP_TEMPERATURE) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 0 )))) | (LAST V (! TRIP_TEMPERATURE)))))",
+ "pt": "(H ((H (! (MAINTENANCE & TEMPERATURE_MODE = 0))) | (((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 0 ))) S ((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 0 ))) & ((MAINTENANCE & TEMPERATURE_MODE = 0) & ((Y (! (MAINTENANCE & TEMPERATURE_MODE = 0))) | FTP)))) -> (! TRIP_TEMPERATURE))))",
+ "ftExpanded": "((LAST V (((! (MAINTENANCE & TEMPERATURE_MODE = 0)) & ((! LAST) & (X (MAINTENANCE & TEMPERATURE_MODE = 0)))) -> (X (((MAINTENANCE & ! ( TEMPERATURE_MODE = 0 )) V ((! TRIP_TEMPERATURE) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 0 )))) | (LAST V (! TRIP_TEMPERATURE)))))) & ((MAINTENANCE & TEMPERATURE_MODE = 0) -> (((MAINTENANCE & ! ( TEMPERATURE_MODE = 0 )) V ((! TRIP_TEMPERATURE) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 0 )))) | (LAST V (! TRIP_TEMPERATURE)))))",
+ "ptExpanded": "(H ((H (! (MAINTENANCE & TEMPERATURE_MODE = 0))) | (((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 0 ))) S ((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 0 ))) & ((MAINTENANCE & TEMPERATURE_MODE = 0) & ((Y (! (MAINTENANCE & TEMPERATURE_MODE = 0))) | (! (Y TRUE)))))) -> (! TRIP_TEMPERATURE))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (MAINTENANCE and TEMPERATURE_MODE = 0))) or ((SI( ((MAINTENANCE and TEMPERATURE_MODE = 0) and ((pre ( not (MAINTENANCE and TEMPERATURE_MODE = 0))) or FTP)), ( not (MAINTENANCE and not ( TEMPERATURE_MODE = 0 ))) )) => (not TRIP_TEMPERATURE))))",
+ "diagramVariables": "TC = (MAINTENANCE & TEMPERATURE_MODE = 0), SC = (MAINTENANCE & ! ( TEMPERATURE_MODE = 0 )), Response = (! TRIP_TEMPERATURE).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (MAINTENANCE & TEMPERATURE_MODE = 0) is true and any point in the interval where (MAINTENANCE & TEMPERATURE_MODE = 0) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce641e0-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_TRIP_PRESSURE",
+ "parent_reqid": "",
+ "project": "HARDENS",
+ "rationale": "RFP [1,10]",
+ "comments": "",
+ "fulltext": "Instrumentation shall always satisfy true",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 0,
+ 14
+ ],
+ "timingTextRange": [
+ 22,
+ 27
+ ],
+ "post_condition": "(true)",
+ "responseTextRange": [
+ 29,
+ 40
+ ],
+ "ft": "(LAST V (true))",
+ "pt": "(H (true))",
+ "ftExpanded": "(LAST V (true))",
+ "ptExpanded": "(H (true))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((true)))",
+ "diagramVariables": "Response = (true).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ },
+ "_id": "8ce69000-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "ACTUATION_LOGIC_VOTE_DEVICE_0",
+ "parent_reqid": "ACTUATION_LOGIC_DEVICE_0",
+ "project": "HARDENS",
+ "rationale": "RFP 5",
+ "comments": "",
+ "fulltext": "Upon VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION Actuation_Logic shall always satisfy VOTE_ACTUATE_DEVICE_0",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "VOTE_TRIP_TEMPERATURE",
+ "VOTE_TRIP_SATURATION",
+ "VOTE_ACTUATE_DEVICE_0"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION)",
+ "regular_condition": "(VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION)",
+ "conditionTextRange": [
+ 0,
+ 48
+ ],
+ "component_name": "Actuation_Logic",
+ "componentTextRange": [
+ 50,
+ 64
+ ],
+ "timingTextRange": [
+ 72,
+ 77
+ ],
+ "post_condition": "(VOTE_ACTUATE_DEVICE_0)",
+ "responseTextRange": [
+ 79,
+ 107
+ ],
+ "ft": "((LAST V (((! (VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION)) & ((! LAST) & (X (VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION)))) -> (X (LAST V (VOTE_ACTUATE_DEVICE_0))))) & ((VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION) -> (LAST V (VOTE_ACTUATE_DEVICE_0))))",
+ "pt": "(H ((H (! (VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION))) | (VOTE_ACTUATE_DEVICE_0)))",
+ "ftExpanded": "((LAST V (((! (VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION)) & ((! LAST) & (X (VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION)))) -> (X (LAST V (VOTE_ACTUATE_DEVICE_0))))) & ((VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION) -> (LAST V (VOTE_ACTUATE_DEVICE_0))))",
+ "ptExpanded": "(H ((H (! (VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION))) | (VOTE_ACTUATE_DEVICE_0)))",
+ "component": "Actuation_Logic",
+ "CoCoSpecCode": "(H((H( not (VOTE_TRIP_TEMPERATURE or VOTE_TRIP_SATURATION))) or (VOTE_ACTUATE_DEVICE_0)))",
+ "diagramVariables": "TC = (VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION), Response = (VOTE_ACTUATE_DEVICE_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION) is true and any point in the interval where (VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ },
+ "_id": "8ce6b710-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SENSOR_TRIP_TEMPERATURE",
+ "parent_reqid": "INSTRUMENTATION_TRIP_TEMPERATURE",
+ "project": "HARDENS",
+ "rationale": "RFP [2]",
+ "comments": "",
+ "fulltext": "Upon MAINTENANCE & TEMPERATURE_MODE = 1 Instrumentation shall, until MAINTENANCE & !(TEMPERATURE_MODE = 1), satisfy (if SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE then TRIP_TEMPERATURE) & (if TRIP_TEMPERATURE then SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE)",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "TEMPERATURE_MODE",
+ "SENSOR_TEMPERATURE",
+ "SETPOINT_TEMPERATURE",
+ "TRIP_TEMPERATURE"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(MAINTENANCE & TEMPERATURE_MODE = 1)",
+ "regular_condition": "(MAINTENANCE & TEMPERATURE_MODE = 1)",
+ "conditionTextRange": [
+ 0,
+ 38
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 40,
+ 54
+ ],
+ "stop_condition": "(MAINTENANCE & ! ( TEMPERATURE_MODE = 1 ))",
+ "timingTextRange": [
+ 61,
+ 106
+ ],
+ "post_condition": "(( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE => TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE => SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE ))",
+ "responseTextRange": [
+ 108,
+ 254
+ ],
+ "ft": "((LAST V (((! (MAINTENANCE & TEMPERATURE_MODE = 1)) & ((! LAST) & (X (MAINTENANCE & TEMPERATURE_MODE = 1)))) -> (X (((MAINTENANCE & ! ( TEMPERATURE_MODE = 1 )) V ((( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE )) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 1 )))) | (LAST V (( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE ))))))) & ((MAINTENANCE & TEMPERATURE_MODE = 1) -> (((MAINTENANCE & ! ( TEMPERATURE_MODE = 1 )) V ((( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE )) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 1 )))) | (LAST V (( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE ))))))",
+ "pt": "(H ((H (! (MAINTENANCE & TEMPERATURE_MODE = 1))) | (((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 1 ))) S ((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 1 ))) & ((MAINTENANCE & TEMPERATURE_MODE = 1) & ((Y (! (MAINTENANCE & TEMPERATURE_MODE = 1))) | FTP)))) -> (( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE )))))",
+ "ftExpanded": "((LAST V (((! (MAINTENANCE & TEMPERATURE_MODE = 1)) & ((! LAST) & (X (MAINTENANCE & TEMPERATURE_MODE = 1)))) -> (X (((MAINTENANCE & ! ( TEMPERATURE_MODE = 1 )) V ((( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE )) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 1 )))) | (LAST V (( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE ))))))) & ((MAINTENANCE & TEMPERATURE_MODE = 1) -> (((MAINTENANCE & ! ( TEMPERATURE_MODE = 1 )) V ((( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE )) | (MAINTENANCE & ! ( TEMPERATURE_MODE = 1 )))) | (LAST V (( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE ))))))",
+ "ptExpanded": "(H ((H (! (MAINTENANCE & TEMPERATURE_MODE = 1))) | (((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 1 ))) S ((! (MAINTENANCE & ! ( TEMPERATURE_MODE = 1 ))) & ((MAINTENANCE & TEMPERATURE_MODE = 1) & ((Y (! (MAINTENANCE & TEMPERATURE_MODE = 1))) | (! (Y TRUE)))))) -> (( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE -> TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE -> SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE )))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (MAINTENANCE and TEMPERATURE_MODE = 1))) or ((SI( ((MAINTENANCE and TEMPERATURE_MODE = 1) and ((pre ( not (MAINTENANCE and TEMPERATURE_MODE = 1))) or FTP)), ( not (MAINTENANCE and not ( TEMPERATURE_MODE = 1 ))) )) => (( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE => TRIP_TEMPERATURE ) and ( TRIP_TEMPERATURE => SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE )))))",
+ "diagramVariables": "TC = (MAINTENANCE & TEMPERATURE_MODE = 1), SC = (MAINTENANCE & ! ( TEMPERATURE_MODE = 1 )), Response = (( SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE => TRIP_TEMPERATURE ) & ( TRIP_TEMPERATURE => SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (MAINTENANCE & TEMPERATURE_MODE = 1) is true and any point in the interval where (MAINTENANCE & TEMPERATURE_MODE = 1) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce70530-5932-11ec-96a3-f79b5f3617de"
+ },
+ {
+ "reqid": "INSTRUMENTATION_SET_SETPOINT_TEMPERATURE",
+ "parent_reqid": "INSTRUMENTATION_TRIP_TEMPERATURE",
+ "project": "HARDENS",
+ "rationale": "RFP [8]",
+ "comments": "",
+ "fulltext": "Upon (MAINTENANCE & SET_SETPOINT_TEMPERATURE) Instrumentation shall, until MAINTENANCE & SET_SETPOINT_TEMPERATURE, satisfy SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "MAINTENANCE",
+ "SET_SETPOINT_TEMPERATURE",
+ "SETPOINT_TEMPERATURE",
+ "INPUT_SETPOINT_TEMPERATURE"
+ ],
+ "qualifier_word": "upon",
+ "pre_condition": "(( MAINTENANCE & SET_SETPOINT_TEMPERATURE ))",
+ "regular_condition": "(( MAINTENANCE & SET_SETPOINT_TEMPERATURE ))",
+ "conditionTextRange": [
+ 0,
+ 44
+ ],
+ "component_name": "Instrumentation",
+ "componentTextRange": [
+ 46,
+ 60
+ ],
+ "stop_condition": "(MAINTENANCE & SET_SETPOINT_TEMPERATURE)",
+ "timingTextRange": [
+ 67,
+ 113
+ ],
+ "post_condition": "(SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE)",
+ "responseTextRange": [
+ 115,
+ 171
+ ],
+ "ft": "((LAST V (((! (( MAINTENANCE & SET_SETPOINT_TEMPERATURE ))) & ((! LAST) & (X (( MAINTENANCE & SET_SETPOINT_TEMPERATURE ))))) -> (X (((MAINTENANCE & SET_SETPOINT_TEMPERATURE) V ((SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE) | (MAINTENANCE & SET_SETPOINT_TEMPERATURE))) | (LAST V (SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE)))))) & ((( MAINTENANCE & SET_SETPOINT_TEMPERATURE )) -> (((MAINTENANCE & SET_SETPOINT_TEMPERATURE) V ((SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE) | (MAINTENANCE & SET_SETPOINT_TEMPERATURE))) | (LAST V (SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE)))))",
+ "pt": "(H ((H (! (( MAINTENANCE & SET_SETPOINT_TEMPERATURE )))) | (((! (MAINTENANCE & SET_SETPOINT_TEMPERATURE)) S ((! (MAINTENANCE & SET_SETPOINT_TEMPERATURE)) & ((( MAINTENANCE & SET_SETPOINT_TEMPERATURE )) & ((Y (! (( MAINTENANCE & SET_SETPOINT_TEMPERATURE )))) | FTP)))) -> (SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE))))",
+ "ftExpanded": "((LAST V (((! (( MAINTENANCE & SET_SETPOINT_TEMPERATURE ))) & ((! LAST) & (X (( MAINTENANCE & SET_SETPOINT_TEMPERATURE ))))) -> (X (((MAINTENANCE & SET_SETPOINT_TEMPERATURE) V ((SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE) | (MAINTENANCE & SET_SETPOINT_TEMPERATURE))) | (LAST V (SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE)))))) & ((( MAINTENANCE & SET_SETPOINT_TEMPERATURE )) -> (((MAINTENANCE & SET_SETPOINT_TEMPERATURE) V ((SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE) | (MAINTENANCE & SET_SETPOINT_TEMPERATURE))) | (LAST V (SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE)))))",
+ "ptExpanded": "(H ((H (! (( MAINTENANCE & SET_SETPOINT_TEMPERATURE )))) | (((! (MAINTENANCE & SET_SETPOINT_TEMPERATURE)) S ((! (MAINTENANCE & SET_SETPOINT_TEMPERATURE)) & ((( MAINTENANCE & SET_SETPOINT_TEMPERATURE )) & ((Y (! (( MAINTENANCE & SET_SETPOINT_TEMPERATURE )))) | (! (Y TRUE)))))) -> (SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE))))",
+ "component": "Instrumentation",
+ "CoCoSpecCode": "(H((H( not (( MAINTENANCE and SET_SETPOINT_TEMPERATURE )))) or ((SI( ((( MAINTENANCE and SET_SETPOINT_TEMPERATURE )) and ((pre ( not (( MAINTENANCE and SET_SETPOINT_TEMPERATURE )))) or FTP)), ( not (MAINTENANCE and SET_SETPOINT_TEMPERATURE)) )) => (SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE))))",
+ "diagramVariables": "TC = (( MAINTENANCE & SET_SETPOINT_TEMPERATURE )), SC = (MAINTENANCE & SET_SETPOINT_TEMPERATURE), Response = (SETPOINT_TEMPERATURE = INPUT_SETPOINT_TEMPERATURE).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( MAINTENANCE & SET_SETPOINT_TEMPERATURE )) is true and any point in the interval where (( MAINTENANCE & SET_SETPOINT_TEMPERATURE )) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ },
+ "_id": "8ce75350-5932-11ec-96a3-f79b5f3617de"
+ }
+]
\ No newline at end of file
diff --git a/specs/SemanticProperties.sysml b/specs/SemanticProperties.sysml
new file mode 100644
index 0000000..6da68f5
--- /dev/null
+++ b/specs/SemanticProperties.sysml
@@ -0,0 +1,153 @@
+ /** Semantic properties are annotation to model and system artifacts
+ used to semantically markup those artifacts for documentation,
+ traceability, and more. */
+package 'Semantic Properties' {
+ doc /* Semantic Properties are used to document arbitrary
+ constructs in our specifications and implementations.
+ @see https://www.kindsoftware.com/documents/whitepapers/code_standards/properties.html
+ */
+ import ScalarValues::*;
+
+ /* @todo kiniry The scope of every attribute needs to be tightened. */
+
+ attribute def id SP 'Semantic Property';
+ attribute def id SPD 'Semantic Property with Description' :>
+ 'Semantic Property' {
+ attribute description: String;
+ }
+ attribute def Exception :> String;
+
+ package 'Meta-Information' {
+ attribute def Author :> SP {
+ author: String;
+ }
+ attribute def Lando :> SP {
+ summary: String;
+ }
+ attribute def Bug :> SPD;
+ attribute def Copyright :> SP {
+ copyright: String;
+ }
+ attribute def Description :> SPD;
+ attribute def History :> SPD;
+ attribute def License :> SP {
+ license: String;
+ }
+ attribute def Title :> SP {
+ title: String;
+ }
+ }
+
+ attribute def 'Author Description Scope Triple' :> SPD {
+ import 'Meta-Information'::*;
+ attribute author: Author;
+ attribute scope: Boolean;
+ }
+ package 'Pending Work' {
+ attribute def Idea :> 'Author Description Scope Triple' {
+ classifier: String;
+ }
+ attribute def Review :> 'Author Description Scope Triple';
+ attribute def Todo :> 'Author Description Scope Triple';
+ }
+
+ attribute def 'Rich Assertion' :> SPD {
+ attribute label: String;
+ attribute expression: Boolean;
+ attribute exception : Exception;
+ }
+
+ attribute def 'Expression Description Pair' :> SPD {
+ attribute expression: Boolean;
+ }
+
+ package 'Formal Specifications' {
+ import Collections::*;
+ enum def 'Modifies Frame' {
+ SINGLE_ASSIGNMENT;
+ QUERY;
+ EXPRESSION;
+ }
+ attribute def Ensures :> 'Rich Assertion';
+ attribute def Generate :> 'Expression Description Pair';
+ attribute def Invariant :> 'Expression Description Pair' {
+ exception: Exception;
+ }
+ attribute def Modify :> 'Expression Description Pair' {
+ enum kind: 'Modifies Frame';
+ }
+ attribute def requires :> 'Rich Assertion';
+ }
+
+ package 'Concurrency Control' {
+ import Collections::*;
+ attribute def Locks :> Set;
+ attribute def Timeout {
+ attribute timeout: Natural;
+ attribute exception: String;
+ }
+ attribute def 'Concurrency Semantic Property' :> 'Semantic Property' {
+ attribute locks: Locks;
+ attribute failure: Exception;
+ attribute atomic: Boolean;
+ attribute special: String;
+ attribute timeout: Timeout;
+ }
+ attribute def Concurrent :> 'Concurrency Semantic Property' {
+ attribute threadcountlimit: Positive;
+ attribute broken: Boolean;
+ }
+ attribute def Sequential :> 'Concurrency Semantic Property';
+ attribute def Guarded :> 'Concurrency Semantic Property' {
+ attribute semaphore_count: Positive;
+ }
+ }
+
+ package 'Usage Information' {
+ attribute def 'Parameter Spec' {
+ parameter_name: String;
+ precondition: Boolean;
+ description: String;
+ }
+ attribute def Return :> String;
+ attribute def Exception :> 'Expression Description Pair' {
+ exception: Exception;
+ }
+ }
+
+ package Versioning {
+ attribute def Version :> String;
+ attribute def Deprecated :> String;
+ attribute def Since :> String;
+ }
+
+ attribute def 'Feature Name Description Pair' {
+ feature_name: String;
+ description: String;
+ }
+ package Inheritance {
+ attribute def Hides :> 'Feature Name Description Pair';
+ attribute def Overrides :> 'Feature Name Description Pair';
+ }
+
+ package Documentation {
+ attribute def Design :> 'Author Description Scope Triple';
+ attribute def Equivalent :> String;
+ attribute def Example :> String;
+ attribute def See :> String;
+ }
+
+ package Dependencies {
+ import Collections::*;
+ attribute def References :> 'Expression Description Pair';
+ // Note that we rename 'use' to 'uses' to avoid SysML keyword conflict.
+ attribute def Uses :> 'Expression Description Pair';
+ }
+
+ package Miscellaneous {
+ attribute def Guard :> 'Expression Description Pair';
+ attribute def Values :> 'Expression Description Pair';
+ attribute def 'Time Complexity' :> 'Expression Description Pair';
+ attribute def 'Space Complexity' :> 'Expression Description Pair';
+ }
+}
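Review bot: In package 'Usage Information', `attribute def Exception :> 'Expression Description Pair'` reuses the name of the top-level `attribute def Exception :> String`, so the nested feature `exception: Exception;` appears to resolve to the definition that contains it rather than to the String-based one. If the outer type is meant, qualify the reference or rename the inner definition, for example `attribute def 'Exception Spec' :> 'Expression Description Pair' { exception: 'Semantic Properties'::Exception; }`. Separately, `attribute def requires` in 'Formal Specifications' is the only lower-case definition name beside `Ensures`, `Invariant` and `Modify`; `Requires` would match the rest of the package.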
diff --git a/specs/acronyms.lando b/specs/acronyms.lando
new file mode 100644
index 0000000..7ec332d
--- /dev/null
+++ b/specs/acronyms.lando
@@ -0,0 +1,234 @@
+subsystem Proposal Acronyms (Acronyms)
+@todo kiniry Add an explanation.
+
+component 21st Century Cryptography (21CC)
+@todo kiniry Add an explanation.
+
+component Architecture Analysis and Design Language (AADL)
+@todo kiniry Add an explanation.
+
+component ISO ANSI C Specification Language (ACSL)
+@todo kiniry Add an explanation.
+
+component Advanced Encryption Standard (AES)
+@todo kiniry Add an explanation.
+
+component Application Programming Interface (API)
+@todo kiniry Add an explanation.
+
+component Application-Specific Integrated Circuit (ASIC)
+@todo kiniry Add an explanation.
+
+component Abstract State Machine (ASM)
+@todo kiniry Add an explanation.
+
+component Amazon Web Services (AWS)
+@todo kiniry Add an explanation.
+
+component Balancing the Evaluation of System Security Properties Against Industrial Needs (BESSPIN)
+@todo kiniry Add an explanation.
+
+component Behavioral Language for Embedded Systems with Software (BLESS)
+@todo kiniry Add an explanation.
+
+component Business Object Notation (BON)
+@todo kiniry Add an explanation.
+
+component Bluespec SystemVerilog (BSV)
+@todo kiniry Add an explanation.
+
+component BESSPIN Tool Suite (BTS)
+@todo kiniry Add an explanation.
+
+component Continuous Deployment (CD)
+@todo kiniry Add an explanation.
+
+component Continuous Integration (CI)
+@todo kiniry Add an explanation.
+
+component Commercial Off The Shelf (COTS)
+@todo kiniry Add an explanation.
+
+component Central Processing Unit (CPU)
+@todo kiniry Add an explanation.
+
+component Continuous Verification (CV)
+@todo kiniry Add an explanation.
+
+component Communicating Sequential Processes (CSP)
+@todo kiniry Add an explanation.
+
+component Digital Engineering (DE)
+@todo kiniry Add an explanation.
+
+component Digital Instrumentation \& Control (diandc)
+@todo kiniry Add an explanation.
+
+component Defense Industrial Base (DIB)
+@todo kiniry Add an explanation.
+
+component Department of Defense (DoD)
+@todo kiniry Add an explanation.
+
+component Domain Specific Language (DSL)
+@todo kiniry Add an explanation.
+
+component Electronic Design Automation (EDA)
+@todo kiniry Add an explanation.
+
+component Field Programmable Gate Array (FPGA)
+@todo kiniry Add an explanation.
+
+component Gnu Compiler Collection (GCC)
+@todo kiniry Add an explanation.
+
+component Government Furnished Equipment (GFE)
+@todo kiniry Add an explanation.
+
+component Galois Low-energy Asynchronous Secure SoC for Computer Vision (GLASS-CV)
+@todo kiniry Add an explanation.
+
+component General Purpose I/O (GPIO)
+@todo kiniry Add an explanation.
+
+component High-Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
+@todo kiniry Add an explanation.
+
+component Hardware Description Language (HDL)
+@todo kiniry Add an explanation.
+
+component Hash-based Message Authentication Code (HMAC)
+@todo kiniry Add an explanation.
+
+component Higher-Order Logic (HOL)
+@todo kiniry Add an explanation.
+
+component Hardware Security Module (HSM)
+@todo kiniry Add an explanation.
+
+component Intelligence Community (IC)
+@todo kiniry Add an explanation.
+
+component Integrated Development Environment (IDE)
+@todo kiniry Add an explanation.
+
+component Intellectual Property (IP)
+@todo kiniry Add an explanation.
+
+component Instruction Set Architecture (ISA)
+@todo kiniry Add an explanation.
+
+component Intermediate Representation (IR)
+@todo kiniry Add an explanation.
+
+component Java Modeling Language (JML)
+@todo kiniry Add an explanation.
+
+component Low Level Virtual Machine (LLVM)
+@todo kiniry Add an explanation.
+
+component Model-Based Engineering (MBE)
+@todo kiniry Add an explanation.
+
+component Model-Based Systems Engineering (MBSE)
+@todo kiniry Add an explanation.
+
+component Natural Language Processing (NLP)
+@todo kiniry Add an explanation.
+
+component Nuclear Regulatory Commission (NRC)
+@todo kiniry Add an explanation.
+
+component National Security Agency (NSA)
+@todo kiniry Add an explanation.
+
+component Nuclear Power Plant (NPP)
+@todo kiniry Add an explanation.
+
+component Object Constraint Language (OCL)
+@todo kiniry Add an explanation.
+
+component Open Systems Architecture (OSA)
+@todo kiniry Add an explanation.
+
+component Power, Performance, Area, and Security (PPAS)
+@todo kiniry Add an explanation.
+
+component Rigorous Digital Engineering (RDE)
+@todo kiniry Add an explanation.
+
+component Register Transfer Level (RTL)
+@todo kiniry Add an explanation.
+
+component Reactor Trip System (RTS)
+@todo kiniry Add an explanation.
+
+component Software Analysis Workbench (SAW)
+@todo kiniry Add an explanation.
+
+component Safety Critical Application Development Environment (SCADE)
+@todo kiniry Add an explanation.
+
+component Secure Hash Algorithm (SHA)
+@todo kiniry Add an explanation.
+
+component Satisfiability Modulo Theories (SMT)
+@todo kiniry Add an explanation.
+
+component Secret Ninja Formal Methods (SNFM)
+@todo kiniry Add an explanation.
+
+component Statement of Work (SoW)
+@todo kiniry Add an explanation.
+
+component SystemVerilog (SV)
+@todo kiniry Add an explanation.
+
+component SystemVerilog Assertions (SVA)
+@todo kiniry Add an explanation.
+
+component Size, Weight, and Power (SWaP)
+@todo kiniry Add an explanation.
+
+component System Modeling Language (SysML)
+@todo kiniry Add an explanation.
+
+component System-on-Chip (SoC)
+@todo kiniry Add an explanation.
+
+component System Security Integration Through Hardware and Firmware (SSITH)
+@todo kiniry Add an explanation.
+
+component User Interface (UI)
+@todo kiniry Add an explanation.
+
+component Unified Modeling Language (UML)
+@todo kiniry Add an explanation.
+
+component Universal Serial Bus (USB)
+@todo kiniry Add an explanation.
+
+component United States Government (USG)
+@todo kiniry Add an explanation.
+
+component Unified Theories of Programming (UTP)
+@todo kiniry Add an explanation.
+
+component Universal Verification Methodology (UVM)
+@todo kiniry Add an explanation.
+
+component User eXperience (UX)
+@todo kiniry Add an explanation.
+
+component Verilog
+@todo kiniry Add an explanation.
+
+component Vienna Development Method (VDM)
+@todo kiniry Add an explanation.
+
+component Very High Speed Integrated Circuit (VHSIC)
+@todo kiniry Add an explanation.
+
+component VHSIC Hardware Description Language (VHDL)
+@todo kiniry Add an explanation.
+
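Review bot: The entry `component Digital Instrumentation \& Control (diandc)` carries a LaTeX escape and a lower-case abbreviation, while every other entry in this file uses a plain name with an upper-case acronym. specs/glossary.lando in the same commit names the term `Digital Instrumentation and Control Systems (DIANDC)`. Unless the Lando tooling gives `\&` a meaning, `component Digital Instrumentation and Control (DIANDC)` would keep the abbreviation consistent between the two files. CI, CV, ASM, GPIO and USB are declared again in the glossary; whether duplicate component names across subsystems are accepted cannot be seen from this diff, so a `//` comment stating which file is authoritative would help.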
diff --git a/specs/architecture.lando b/specs/architecture.lando
new file mode 100644
index 0000000..d3ad62d
--- /dev/null
+++ b/specs/architecture.lando
@@ -0,0 +1,122 @@
+// Architecture
+
+subsystem RTS System Architecture (RTS_System_Arch)
+@todo kiniry Add an explanation.
+
+subsystem Root
+@todo kiniry Add an explanation.
+
+component Core Finite State Machine (CFSM)
+inherit FSM
+@todo kiniry Add an explanation.
+
+component Programming I/O (Programming_IO)
+inherit IO
+@todo kiniry Add an explanation.
+
+component UI I/O (UI_IO)
+inherit IO
+@todo kiniry Add an explanation.
+
+component Debugging I/O (Debugging_IO)
+inherit IO
+@todo kiniry Add an explanation.
+
+subsystem Actuation Logic
+@todo kiniry Add an explanation.
+
+component Voting 1
+@todo kiniry Add an explanation.
+
+component Voting 2
+@todo kiniry Add an explanation.
+
+component Actuator 1
+@todo kiniry Add an explanation.
+
+component Actuator 2
+@todo kiniry Add an explanation.
+
+subsystem Computation
+@todo kiniry Add an explanation.
+
+component RISC-V CPU 1
+@todo kiniry Add an explanation.
+
+component RISC-V CPU 2
+@todo kiniry Add an explanation.
+
+component RISC-V CPU 3
+@todo kiniry Add an explanation.
+
+subsystem Hardware
+@todo kiniry Add an explanation.
+
+subsystem FPGA
+@todo kiniry Add an explanation.
+
+component Lattice ECP-5 FGPA Development Board
+@todo kiniry Add an explanation.
+
+subsystem Actuators
+@todo kiniry Add an explanation.
+
+component Actuator 1
+@todo kiniry Add an explanation.
+
+component Actuator 2
+@todo kiniry Add an explanation.
+
+subsystem Sensors
+@todo kiniry Add an explanation.
+
+component Temperature Sensor 1
+@todo kiniry Add an explanation.
+
+component Temperature Sensor 2
+@todo kiniry Add an explanation.
+
+component Pressure Sensor 1
+@todo kiniry Add an explanation.
+
+component Pressure Sensor 2
+@todo kiniry Add an explanation.
+
+subsystem Instrumentation
+@todo kiniry Add an explanation.
+
+component Instrumentation 1
+@todo kiniry Add an explanation.
+
+component Instrumentation 2
+@todo kiniry Add an explanation.
+
+component Instrumentation 3
+@todo kiniry Add an explanation.
+
+component Instrumentation 4
+@todo kiniry Add an explanation.
+
+// Top-level subsystems.
+
+relation RTS_System_Arch contains Root
+relation RTS_System_Arch contains Actuation Logic
+relation RTS_System_Arch contains Computation
+relation RTS_System_Arch contains Hardware
+relation RTS_System_Arch contains Instrumentation
+
+// Nested subsystems.
+relation Hardware contains FPGA
+relation Hardware contains Actuators
+relation Hardware contains Sensors
+
+// Client-supplier relations.
+relation Root client Actuation Logic
+relation Root client Computation
+
+relation Computation client Hardware
+relation Actuation Logic client Hardware
+relation Instrumentation client Hardware
+relation Instrumentation client Actuation Logic
+relation Actuation Logic client Instrumentation
+
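Review bot: `component Lattice ECP-5 FGPA Development Board` misspells FPGA, so it does not match `Lattice ECP-5 FPGA Development Board (Board)` declared in specs/hardware.lando; it should read `component Lattice ECP-5 FPGA Development Board`. `Actuator 1` and `Actuator 2` are each declared twice, once after `subsystem Actuation Logic` and once after `subsystem Actuators`, which leaves any later relation naming them ambiguous; distinct names for the logic-side and hardware-side components would remove the clash. The pair `relation Instrumentation client Actuation Logic` and `relation Actuation Logic client Instrumentation` is a mutual dependency; if it is intended, a `//` comment saying so would help anyone reviewing the separation between the instrumentation and actuation channels.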
diff --git a/specs/dataflow.lando b/specs/dataflow.lando
new file mode 100644
index 0000000..a76aec5
--- /dev/null
+++ b/specs/dataflow.lando
@@ -0,0 +1,97 @@
+subsystem RTS Implementation Artifacts (Artifacts)
+
+component Cryptol System Specification (CryptolSpec)
+A specification of a model written in the Cryptol domain-specific
+language (DSL), either as Literate Cryptol, which can be Cryptol
+embedded in Markdown or LaTeX, or plain Cryptol. Cryptol is a strongly
+typed, functional DSL for specifying and reasoning about bit-level
+algorithms and their correctness properties and is mainly used to
+specify cryptographic algorithms. See https://crypto.net/ for more
+information.
+
+component Cryptol Software Compiler (CryptolToC)
+Multiple versions of a Cryptol software compiler exist which can
+compile different subsets of the Cryptol language into implementations
+and test benches written in the C, Java, and LLVM languages.
+
+component Cryptol Hardware Compiler (CryptolToSystemVerilog)
+Multiple versions of a Cryptol hardware compiler exist which can
+compile different subsets of the Cryptol language into implementations
+and test benches written in the VHDL, Verilog, and SystemVerilog.
+
+component Software Implementation (Software)
+@todo kiniry Add an explanation.
+
+component Hand-written Software Implementation (SWImpl)
+inherit Hand-written Software
+@todo kiniry Add an explanation.
+
+component Synthesized Software Implementation (SynthSW)
+inherit Machine-generated Software
+@todo kiniry Add an explanation.
+
+component Hardware Implementation (Hardware)
+@todo kiniry Add an explanation.
+
+component Hand-written Hardware Implementation (HWImpl)
+inherit Hand-written Hardware
+@todo kiniry Add an explanation.
+
+component Synthesized Hardware Implementation (SynthHW)
+inherit Machine-generated Hardware
+@todo kiniry Add an explanation.
+
+component COTS High-Assurance RV32I RISC-V CPU (CPU)
+@todo kiniry Add an explanation.
+
+component CompCert Compiler (CompCert)
+@todo kiniry Add an explanation.
+
+component Bluespec Compiler (BSC)
+@todo kiniry Add an explanation.
+
+component SymbiFlow Synthesizer (SymbiFlow)
+@todo kiniry Add an explanation.
+
+component Software Binaries (Binaries)
+@todo kiniry Add an explanation.
+
+component Demonstrator Verilog (RTL)
+@todo kiniry Add an explanation.
+
+component FPGA Bitstream (Bitstream)
+@todo kiniry Add an explanation.
+
+subsystem Dataflow of RTS Implementation Artifacts (Dataflow)
+This specification, which comes from the Galois HARDENS proposal,
+describes the relationships between various levels of specifications,
+implementations, and assurance artifacts for the HARDENS demonstrator.
+indexing
+ proposal_figure: 3
+ figure_name: Dataflow of RTS Implementation Artifacts.
+
+relation CryptolToC client CryptolSpec
+relation CryptolToSystemVerilog client CryptolSpec
+
+relation SynthSW client CryptolToC
+
+relation SynthHW client CryptolToSystemVerilog
+relation SynthHW client BSC
+
+relation CompCert client SynthSoftImpl
+relation CompCert client SoftImpl
+
+relation BSC inherit Compiler
+relation BSC client HWImpl
+
+relation SymbiFlow client SynthHW
+relation SymbiFlow client CPU
+
+relation Binaries client CompCert
+
+relation RTL client SymbiFLow
+relation RTL contains Soft-core RISC-V CPU
+
+relation Bitstream contains SynthHW
+relation Bitstream contains CPU
+relation BitStream client SymbiFlow
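Review bot: Several relations at the end of this file name components that are not declared under those names, so the dataflow graph will not link up as written. `SynthSoftImpl` and `SoftImpl` are declared as `SynthSW` and `SWImpl`, `SymbiFLow` and `BitStream` differ in case from `SymbiFlow` and `Bitstream`, and `Soft-core RISC-V CPU` has no declaration (the declared CPU is abbreviated `CPU`). Using the declared abbreviations, e.g. `relation CompCert client SynthSW`, `relation RTL client SymbiFlow` and `relation Bitstream client SymbiFlow`, fixes the first four. The CryptolSpec description also points readers to `https://crypto.net/`, which looks like a typo for the Cryptol project site (cryptol.net) and should be checked, since it currently sends readers to a different domain.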
diff --git a/specs/events.lando b/specs/events.lando
new file mode 100644
index 0000000..b088718
--- /dev/null
+++ b/specs/events.lando
@@ -0,0 +1,65 @@
+// Events are (seemingly-atomic, from the point of view of an external
+// observer) interactions/state-transitions of the system. The full
+// set of specified events characterizes every potential externally
+// visible state change that the system can perform.
+
+
+// External input actions are those that are triggered by external input on UI.
+events Demonstrator External Input Actions
+
+Manually Actuate Device
+@todo TBD.
+
+Select Operating Mode
+@todo TBD.
+
+Perform Setpoint Adjustment
+@todo TBD.
+
+Configure Bypass of an Instrument Channel
+@todo TBD.
+
+Configure Active Trip Output State of an Instrument Channel
+@todo TBD.
+
+
+// External output actions are those that are triggered by internal
+// state change, which is, in turn, sometimes prompted by external input
+// actions.
+events Demonstrator External Output Actions
+
+Display Pressure
+@todo TBD.
+
+Display Temperature
+@todo TBD.
+
+Display Saturation Margin
+@todo TBD.
+
+Display Trip Output Signal State
+@todo TBD.
+
+Display Indication of Channel in Bypass
+@todo TBD.
+
+// Internal actions are those that are not triggered by external input on UI.
+events Demonstrator Internal Actions
+
+Trip on High Pressure
+@todo TBD.
+
+Trip on High Temperature
+@todo TBD.
+
+Trip on Low Saturation Margin
+@todo TBD.
+
+Vote on Like Trips using Two-out-of-four Coincidence
+@todo TBD.
+
+Automatically Actuate Device
+@todo TBD.
+
+Self-test of Safety Signal Path
+@todo TBD.
diff --git a/specs/glossary.lando b/specs/glossary.lando
new file mode 100644
index 0000000..4ecda6f
--- /dev/null
+++ b/specs/glossary.lando
@@ -0,0 +1,409 @@
+subsystem Proposal Glossary (Glossary)
+
+component Behavioral Interface Specification Language (BISL)
+A formal, state-based specification language that focuses on the
+specification of the interfaces of discrete modules in a system, and
+often times includes model-based specification constructs to improve
+usability and expressivity.
+
+component BlueCheck
+A property-based testing framework for components written in Bluespec
+SystemVerilog that uses some of the design patterns and ideas from the
+QuickCheck.
+
+component Coq
+Coq is an interactive theorem prover first released in 1989. It allows
+for expressing mathematical assertions, mechanically checks proofs of
+these assertions, helps find formal proofs, and extracts a certified
+program from the constructive proof of its formal specification. Coq
+works within the theory of the calculus of inductive constructions, a
+derivative of the calculus of constructions. Coq is not an automated
+theorem prover but includes automatic theorem proving tactics
+(procedures) and various decision procedures.
+
+component Cryptol
+Cryptol is a domain specific programming language for cryptography
+developed by Galois. The language was originally developed for use by
+the United States National Security Agency. The language is also used
+by private firms that provide information technology systems, such as
+Amazon and defense contractors in the United States. The programming
+language is used for all aspects of developing and using cryptography,
+such as the design and implementation of new ciphers and the
+verification of existing cryptographic algorithms.
+
+component DevSecOps
+The use of tools in a user's local and remote design, development,
+validation, verification, maintenance, and evolution environments that
+facilitate the automatic and continuous evaluation by static and
+dynamic means of a system/subsystem/component's behavioral (e.g.,
+safety and correctness) and non-behavioral (e.g., well-formedness and
+security) properties.
+
+component Digital Instrumentation and Control Systems (DIANDC)
+One of several types of control systems and associated instrumentation
+used for industrial process control. Such systems can range in size
+from a few modular panel-mounted controllers to large interconnected
+and interactive distributed control systems with many thousands of
+field connections. Systems receive data from remote sensors measuring
+process variables (PVs), compare the collected data with desired
+setpoints (SPs), and derive command functions which are used to
+control a process through the final control elements (FCEs), such as
+control valves.
+
+component Formal Requirements Elicitation Tool (FRET)
+The NASA Formal Requirements Elicitation Tool is used to make writing,
+understanding, and debugging formal requirements natural and
+intuitive.
+
+component PVS
+A specification language integrated with support tools and an
+automated theorem prover, developed at the Computer Science Laboratory
+of SRI International. PVS is based on a kernel consisting of an
+extension of Church's theory of types with dependent types, and is
+fundamentally a classical typed higher-order logic.
+
+component RISC-V
+RISC-V (pronounced ``risk-five'') is an open standard instruction set
+architecture (ISA) based on established reduced instruction set
+computer (RISC) principles. Unlike most other ISA designs, the RISC-V
+ISA is provided under open source licenses that do not require fees to
+use. A number of companies are offering or have announced RISC-V
+hardware, open source operating systems with RISC-V support are
+available and the instruction set is supported in several popular
+software toolchains.
+
+component Requirements State Modeling Language (RSML)
+A formal specification language that uses hierarchical finite state
+machines to specify system requirements.
+
+component SAT
+The Boolean satisfiability problem (sometimes called propositional
+satisfiability problem and abbreviated SAT) is the problem of
+determining if there exists an interpretation that satisfies a given
+Boolean formula.
+
+component SAWscript
+The proof script language is used to specify the assumptions and proof
+goals of formal verifications to the SAW tool.
+
+component soft-core
+A CPU or SoC that is implemented in an HDL and synthesized to a
+bitstream and loaded onto an FPGA.
+
+component SPARK
+A formally defined computer programming language based on the Ada
+programming language, intended for the development of high integrity
+software used in systems where predictable and highly reliable
+operation is essential. It facilitates the development of applications
+that demand safety, security, or business integrity.
+
+component SpeAR
+An integrated development environment for formally specifying and
+rigorously analyzing requirements.
+
+component Verifier for Concurrent C (VCC)
+VCC is a program verification tool that proves correctness of
+annotated concurrent C programs or finds problems in them. VCC extends
+C with design by contract features, like pre- and postcondition as
+well as type invariants. Annotated programs are translated to logical
+formulas using the Boogie tool, which passes them to an automated SMT
+solver Z3 to check their validity.
+
+component Verified Software Toolchain (VST)
+A software toolchain that includes static analyzers to check
+assertions about a C program; optimizing compilers to translate a C
+program to machine language; and operating systems and libraries to
+supply context for the C program. The Verified Software Toolchain
+project assures with machine-checked proofs that the assertions
+claimed at the top of the toolchain really hold in the
+machine-language program, running in the operating-system context.
+
+component Refinement
+@todo kiniry Add an explanation.
+
+component Property
+@todo kiniry Add an explanation.
+
+component Safety Property
+inherit Property
+@todo kiniry Add an explanation.
+
+component Correctness Property
+inherit Property
+@todo kiniry Add an explanation.
+
+component Security Property
+inherit Property
+@todo kiniry Add an explanation.
+
+component Model
+@todo kiniry Add an explanation.
+
+component Semi-Formal Model
+inherit Model
+@todo kiniry Add an explanation.
+
+component Formal Model
+inherit Model
+@todo kiniry Add an explanation.
+
+component Consistent
+inherit Property
+@todo kiniry Add an explanation.
+
+component Complete
+inherit Property
+@todo kiniry Add an explanation.
+
+component Consistent Model
+inherit Model Consistent
+@todo kiniry Add an explanation.
+
+component Complete Model
+inherit Model Complete
+@todo kiniry Add an explanation.
+
+component Requirement
+@todo kiniry Add an explanation.
+
+component Scenario
+@todo kiniry Add an explanation.
+
+component Product
+@todo kiniry Add an explanation.
+
+component Product Line
+@todo kiniry Add an explanation.
+
+component Configure
+@todo kiniry Add an explanation.
+
+component DOORS
+@todo kiniry Add an explanation.
+
+component Clafer
+@todo kiniry Add an explanation.
+
+component Lobot
+@todo kiniry Add an explanation.
+
+component Lando
+@todo kiniry Add an explanation.
+
+component Denotational
+@todo kiniry Add an explanation.
+
+component Operational
+@todo kiniry Add an explanation.
+
+component Semantics
+@todo kiniry Add an explanation.
+
+component Risk
+@todo kiniry Add an explanation.
+
+component Power
+@todo kiniry Add an explanation.
+
+component Resource
+@todo kiniry Add an explanation.
+
+component Reliability
+@todo kiniry Add an explanation.
+
+component Rigorous
+A specification that has a precise, unambiguous, formal semantics
+grounded in real world formal foundations and systems engineering
+artifacts, such as source code and hardware designs.
+
+component Collaborative Development Environment (CDE)
+@todo kiniry Add an explanation.
+
+component Continuous Integration (CI)
+@todo kiniry Add an explanation.
+
+component Continuous Verification (CV)
+@todo kiniry Add an explanation.
+
+component Analyzer
+@todo kiniry Add an explanation.
+
+component Static Analyzer
+inherit Analyzer
+@todo kiniry Add an explanation.
+
+component Dynamic Analyzer
+inherit Analyzer
+@todo kiniry Add an explanation.
+
+component Finite State Machine (FSM)
+@todo kiniry Add an explanation.
+
+component Deterministic
+@todo kiniry Add an explanation.
+
+component Non-deterministic
+@todo kiniry Add an explanation.
+
+component Deterministic Finite State Machine (DFSM)
+inherit FSM Deterministic
+@todo kiniry Add an explanation.
+
+component Non-deterministic Finite State Machine (NFSM)
+inherit FSM Non-deterministic
+@todo kiniry Add an explanation.
+
+component Abstract State Machine (ASM)
+inherit FSM
+@todo kiniry Add an explanation.
+
+component Design
+@todo kiniry Add an explanation.
+
+component Architecture
+@todo kiniry Add an explanation.
+
+component Specification
+@todo kiniry Add an explanation.
+
+component Architecture Specification
+inherit Specification
+@todo kiniry Add an explanation.
+
+component Solver
+@todo kiniry Add an explanation.
+
+component Formal Method (FM)
+@todo kiniry Add an explanation.
+
+component Logical Framework (LF)
+@todo kiniry Add an explanation.
+
+component Programming Language (PL)
+@todo kiniry Add an explanation.
+
+component Specification Language
+@todo kiniry Add an explanation.
+
+component Protocol
+@todo kiniry Add an explanation.
+
+component System Specification
+inherit Specification
+@todo kiniry Add an explanation.
+
+component Hand-written
+@todo kiniry Add an explanation.
+
+component Machine-generated
+@todo kiniry Add an explanation.
+
+component Source-level Specification Language
+inherit Specification Language
+@todo kiniry Add an explanation.
+
+component Model-based Specification Language
+inherit Specification Language
+@todo kiniry Add an explanation.
+
+component System
+@todo kiniry Add an explanation.
+
+component Distributed System
+inherit System
+@todo kiniry Add an explanation.
+
+component Concurrent System
+inherit System
+@todo kiniry Add an explanation.
+
+component Cryptographic Protocol
+inherit Protocol
+@todo kiniry Add an explanation.
+
+component Cryptographic Algorithm
+@todo kiniry Add an explanation.
+
+component I/O (IO)
+@todo kiniry Add an explanation.
+
+component General Purpose I/O (GPIO)
+inherit IO
+@todo kiniry Add an explanation.
+
+component Sensor
+@todo kiniry Add an explanation.
+
+component Actuator
+@todo kiniry Add an explanation.
+
+component Solenoid
+inherit Actuator
+@todo kiniry Add an explanation.
+
+component Compiler
+@todo kiniry Add an explanation.
+
+component Synthesizer
+@todo kiniry Add an explanation.
+
+component Universal Serial Bus (USB)
+@todo kiniry Add an explanation.
+
+component LED
+@todo kiniry Add an explanation.
+
+component Cable
+@todo kiniry Add an explanation.
+
+component Program
+@todo kiniry Add an explanation.
+
+component Bitstream
+@todo kiniry Add an explanation.
+
+component Field-Programmable Gate Array (FPGA)
+@todo kiniry Add an explanation.
+
+component ECP-5
+inherit FPGA
+@todo kiniry Add an explanation.
+
+component Printed Component Board (PCB)
+@todo kiniry Add an explanation.
+
+component Connector
+@todo kiniry Add an explanation.
+
+component USB Connector
+@todo kiniry Add an explanation.
+
+component USB Mini Connector (USB-Mini)
+inherit USB Connector
+@todo kiniry Add an explanation.
+
+component High-Assurance
+@todo kiniry Add an explanation.
+
+component C
+@todo kiniry Add an explanation.
+
+component PMOD
+@todo kiniry Add an explanation.
+
+component JTAG
+@todo kiniry Add an explanation.
+
+component Driver
+@todo kiniry Add an explanation.
+
+component Voting
+@todo kiniry Add an explanation.
+
+component UCB Cable
+inherit USB Cable
+@todo kiniry Add an explanation.
+
+component Output LED
+inherit LED
+@todo kiniry Add an explanation.
\ No newline at end of file
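Review bot: The multi-parent entries `inherit Model Consistent`, `inherit Model Complete`, `inherit FSM Deterministic` and `inherit FSM Non-deterministic` separate parents with a space, which is ambiguous in a file that also has multi-word names such as `inherit Specification Language` and `inherit USB Connector`. specs/hardware.lando in the same commit writes `relation USB Cable inherit USB, Cable`, so `inherit Model, Consistent` would be the consistent form here. `component UCB Cable` with `inherit USB Cable` looks like a typo for USB and may be redundant with the `USB Cable` component declared in hardware.lando. `Printed Component Board (PCB)` is presumably meant to be Printed Circuit Board. The file also ends without a trailing newline.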
diff --git a/specs/hardware.lando b/specs/hardware.lando
new file mode 100644
index 0000000..bb987d7
--- /dev/null
+++ b/specs/hardware.lando
@@ -0,0 +1,158 @@
+subsystem RTS Hardware Artifacts
+The physical hardware components that are a part of the HARDENS RTS
+demonstrator.
+
+component USB Cable
+A normal USB cable.
+What kind of USB connector is on the start of the cable?
+What kind of USB connector is on the end of the cable?
+
+relation USB Cable inherit USB, Cable
+
+component SERDES Test SMA Connectors (J9-J26)
+@todo To be copied from board documentation.
+
+component Parallel Config Header (J38)
+@todo To be copied from board documentation.
+
+component Versa Expansion Connectors (J39-J40)
+@todo To be copied from board documentation.
+
+component SPI Flag Configuration Memory (U4)
+@todo To be copied from board documentation.
+
+component CFG Switches (SW1)
+@todo To be copied from board documentation.
+
+component Input Switches (SW5)
+@todo To be copied from board documentation.
+
+component Output LEDs (D5-D12)
+@todo To be copied from board documentation.
+
+component Input Push Buttons (SW2-SW4)
+@todo To be copied from board documentation.
+
+component 12 V DC Power Input (J37)
+@todo To be copied from board documentation.
+
+component GPIO Headers (J32-J33)
+@todo To be copied from board documentation.
+
+component PMOD/GPIO Header (J31)
+@todo To be copied from board documentation.
+
+component Microphone Board/GPIO Header (J30)
+@todo To be copied from board documentation.
+
+component Prototype Area
+@todo To be copied from board documentation.
+
+component GPIO Headers (J5_and_J8)
+@todo To be copied from board documentation.
+
+component ECP5-5G Device (U3)
+@todo To be copied from board documentation.
+
+component JTAG Interface (J1)
+@todo To be copied from board documentation.
+
+component Mini USB Programming (J2)
+@todo To be copied from board documentation.
+
+component Lattice ECP-5 FPGA Development Board (Board)
+@todo To be copied from board documentation.
+
+relation ECP5-5G Device inherit FPGA
+relation Board contains ECP5-5G
+relation Board inherit PCB
+
+// @todo Add all board I/O and devices listed above.
+
+relation FPGA Dev Board contains J2
+
+// relation FPGA Dev Board contains etc.
+
+component Temperature Sensor
+A sensor that is capable of measuring the temperature of its environment.
+What is your temperature reading in Celcius (C)?
+
+component Pressure Sensor
+A sensor that is capable of measuring the air pressure of its environment.
+What is your pressure reading in Pascal (P)?
+
+component Solenoid Actuator
+A solenoid actuator capable of being in an open or closed state.
+Close!
+Open!
+
+relation Temperature Sensor inherit Sensor
+relation Pressure Sensor inherit Sensor
+relation Solenoid Actuator inherit Actuator
+
+subsystem Physical Architecture
+The physical architecture of the HARDENS RTS demonstrator.
+
+component USB UI Cable (UI-C)
+The USB cable used to communicate the ASCII UI to/from the board.
+
+component USB Programming Cable (Prog-C)
+The USB cable used to program the board with a bitstream.
+
+component USB Debugging I/O Cable (Debug-C)
+The USB cable used to interact with the board in a debugger.
+
+component Dev Board (Board)
+A PCB developer board used to prototype hardware.
+
+// * MOSFET power control kit: https://www.sparkfun.com/products/12959
+
+// * 12 V Latch solenoid: https://www.sparkfun.com/products/15324
+
+// * Pressure sensor: https://www.sparkfun.com/products/11084
+
+component Temperature Sensor 1 (TS1)
+The first of two redundant temperature sensors.
+
+component Temperature Sensor 2 (TS2)
+The second of two redundant temperature sensors.
+
+component Pressure Sensor 1 (PS1)
+The first of two redundatnt pressure sensors.
+
+component Pressure Sensor 2 (PS2)
+The second of two redundant pressure sensors.
+
+component Solenoid Actuator 1 (SA1)
+The first of two redundant solenoid actuators.
+
+component Solenoid Actuator 2 (SA2)
+The second of two redundant solenoid actuators.
+
+component HARDENS Demonstrator (Demonstrator)
+The fully assembled HARDENS demonstrator hardware with all component
+present.
+
+relation Demonstrator client Board
+relation Board client UI
+relation Board client UI-C
+relation Board client Prog-C
+relation Board client Debug-C
+relation Board client TS1
+relation Board client TS2
+relation Board client PS1
+relation Board client PS2
+relation Board client SA1
+relation Board client SA2
+
+component Developer Machine
+The computer used by a developer to interface with the demonstrator,
+typically for driving the demonstrator's UI and programming and
+debugging the board.
+
+relation UI-C client Developer Machine
+relation Prog-C client Developer Machine
+relation Debug-C client Developer Machine
+
+
+
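Review bot: Two relations near the end of `RTS Hardware Artifacts` use names that no component in this hunk declares: `relation Board contains ECP5-5G` matches neither the full name `ECP5-5G Device` nor its abbreviation `U3`, and `relation FPGA Dev Board contains J2` matches neither `Lattice ECP-5 FPGA Development Board` nor `Board`. I would write them as `relation Board contains U3` and `relation Board contains J2`. The abbreviation `Board` is also declared twice, for the Lattice board and again for `Dev Board` under `Physical Architecture`, so every `relation Board client …` line is ambiguous unless abbreviations are scoped per subsystem, which this hunk does not show; a distinct abbreviation such as `(DevBoard)` would remove the doubt. `relation Board client UI` refers to a `UI` that is not declared in this file, so confirm it is defined in another spec. Wording fixes in the same hunk: `Celcius` should be `Celsius`, `redundatnt` should be `redundant`, and the unit symbol in `Pascal (P)` should be `Pa`.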
diff --git a/specs/instrumentation.lando b/specs/instrumentation.lando
new file mode 100644
index 0000000..065cddc
--- /dev/null
+++ b/specs/instrumentation.lando
@@ -0,0 +1,89 @@
+subsystem RTS Instrumentation Architecture
+The architecture for the instrumentation (sensors and actuators)
+subsystem of the RTS demonstrator.
+
+subsystem RTS Instrumentation Systems Architecture
+The systems architecture for the instrumentation subsystem of the RTS
+demonstrator. Some of the architecture is implemented in hardware,
+and some is implementated in software.
+
+component Instrumentation Implementation (InstImpl)
+inherit Driver
+A software or hardware driver that interfaces with a sensor. In the
+RTS demonstrator there are two kinds of sensors: pressure and
+temperature.
+
+component Actuator Implementation (ActImpl)
+inherit Driver
+A software or hardware driver that interfaces with an actuator. In
+the RTS demonstrator there is one kind of actuator: a solenoid.
+
+component Voting Implementation (VoteImpl)
+inherit Voting
+A software or hardware implemenation of our voting algorithm that
+provides fault tolerance for decision-making based upon the attached
+components' inputs.
+
+subsystem Instrumentation Software Stack (SWStack)
+inherit Software
+The software stack associated with the instrumentation subsystem.
+
+component Instrumentation Implementation 1 (InstImpl1)
+inherit InstImpl
+The first of four sensor drivers for the instrumentation subsystem.
+
+relation InstImpl1 inherit SWImpl
+relation InstImpl1 inherit High-Assurance
+relation InstImpl1 inherit C
+
+component Instrumentation Implementation 2 (InstImpl2)
+inherit InstImpl
+The second of four sensor drivers for the instrumentation subsystem.
+There are multiple sensors in the architecture to provide fault
+tolerance.
+
+component Actuator Implementation 1 (ActImpl1)
+inherit ActImpl
+The first of two actuator drivers for the instrumentation subsystem.
+There are multiple actuators in the architecture to provide fault
+tolerance.
+
+component Voting Implementation 1 (VoteImpl1)
+inherit VoteImpl
+The first of two implementations of the voting component. Voting is
+used to implement redundancy of instrumentation and control in the RTS
+demonstrator.
+
+relation SWStack client Binaries
+relation Binaries client SWStack
+
+subsystem Instrumentation, Actuation, and Voting Hardware Stack (HWStack)
+The hardware implementations driving a redundant subset of sensors,
+actuators, and voting components.
+
+component Instrumentation Implementation 3 (InstImpl3)
+inherit InstImpl
+The third of four sensor drivers for the instrumentation subsystem.
+There are multiple sensors in the architecture to provide fault
+tolerance.
+
+component Instrumentation Implementation 4 (InstImpl4)
+inherit InstImpl
+The fourth of four sensor drivers for the instrumentation subsystem.
+There are multiple sensors in the architecture to provide fault
+tolerance.
+
+component Actuator Implementation 2 (ActImpl2)
+inherit ActImpl
+The second of two actuator drivers for the instrumentation subsystem.
+There are multiple actuators in the architecture to provide fault
+tolerance.
+
+component Voting Implementation 2 (VoteImpl2)
+inherit VoteImpl
+The second of two implementations of the voting component. Voting is
+used to implement redundancy of instrumentation and control in the RTS
+demonstrator.
+
+relation HWStack client Bitstream
+relation Bitstream client HWStack
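Review bot: In `Instrumentation Software Stack` only `InstImpl1` gets `inherit SWImpl`, `inherit High-Assurance` and `inherit C`; `InstImpl2`, `ActImpl1` and `VoteImpl1` sit in the same stack without them, and the four `HWStack` components carry no implementation-kind relation at all. The fault-tolerance argument in these descriptions depends on which redundant units are software and which are hardware, so each component should state it, e.g. `relation InstImpl2 inherit SWImpl` and `relation VoteImpl1 inherit High-Assurance`. `SWImpl` and `Binaries` are not declared in the visible part of the diff, so confirm they exist in another spec file. The pairs `relation SWStack client Binaries` / `relation Binaries client SWStack` and `relation HWStack client Bitstream` / `relation Bitstream client HWStack` make the client relation circular; if only one direction is meant, drop the other. Typos: `implementated` and `implemenation`.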
diff --git a/specs/project_requirements.lando b/specs/project_requirements.lando
new file mode 100644
index 0000000..e7bbc2d
--- /dev/null
+++ b/specs/project_requirements.lando
@@ -0,0 +1,92 @@
+// All requirements that the RTS system must fulfill, as driven by the
+// IEEE 603-2018 standards and the NRC RFP.
+
+requirements HARDENS Project High-level Requirements
+// The high-level requirements for the project stipulated by the NRC RFP.
+
+NRC Understanding
+Provide to the NRC expert technical services in order to develop a
+better understanding of how Model-Based Systems Engineering (MBSE)
+methods and tools can support regulatory reviews of adequate design
+and design assurance.
+
+Identify Regulatory Gaps
+Identify any barriers or gaps associated with MBSE in a regulatory
+review of Digital Instrumentation and Control Systems for existing
+Nuclear Power Plants.
+
+Demonstrate
+Galois will demonstrate to the Nuclear Regulatory Commission (NRC)
+cutting-edge capabilities in the model-based design, validation, and
+verification of safety-critical, mission-critical, high-assurance
+systems.
+
+Demonstrator Parts
+Our demonstrator includes high-assurance software and hardware,
+includes open source RISC-V Central Processing Units.
+
+Demonstrator Groundwork
+Our demonstrator lays the groundwork for a high-assurance reusable
+product for safety critical Digital Instrumentation and Control
+Systems systems in Nuclear Power Plants.
+
+requirements NRC Characteristics
+// The requirements driven by the IEEE 603-2018 standard for NPP I&C
+// systems.
+
+// Both formal and rigorous consistency checks of the requirements
+// will be accomplished by using false theorem checks and proofs in
+// the Cryptol model and in software and hardware source code;
+Requirements Consistency
+Requirements must be shown to be consistent.
+
+// A rigorous completeness validation of the requirements will be
+// accomplished by demonstrating traceability from the project
+// specification (including the RFP text describing the reactor trip
+// system) to the formal models of the system and its properties.
+Requirements Colloquial Completeness
+The system must be shown to fulfill all requirements.
+
+// A formal verification of completeness of the requirements will be
+// accomplished by using the chosen requirements checking tool
+Requirements Formal Completeness
+Requirements must be shown to be formally complete.
+
+// This characteristic will be demonstrated architecturally via the
+// decoupling of computation across the two RISC-V instrumentation
+// cores and two instrumentation units running on the FPGA.
+Instrumentation Independence
+Independence among the four divisions of instrumentation (inability
+for the behavior of one division to interfere or adversely affect the
+performance of another).
+
+// This characteristic will be demonstrated architecturally by
+// decoupling the compute and I/O channels of the units from one
+// another.
+Channel Independence
+Independence among the two instrumentation channels within a division
+(inability for the behavior of one channel to interfere or adversely
+affect the performance of another).
+
+// This characteristic will be demonstrated architecturally by
+// partitioning the actuation logic across software and hardware
+// units.
+Actuation Independence
+Independence among the two trains of actuation logic (inability for
+the behavior of one train to interfere or adversely affect the
+performance of another).
+
+// This characteristic will be demonstrated by rigorous validation via
+// runtime verification and formal verification of the model and its
+// implementation, as discussed in detail below.
+Actuation Correctness
+Completion of actuation whenever coincidence logic is satisfied or
+manual actuation is initiated.
+
+// This characteristic will be demonstrated architecturally by
+// partitioning the actuation logic across software and hardware
+// units.
+Self-Test/Trip Independence
+Independence between periodic self-test functions and trip functions
+(inability for the behavior of the self-testing to interfere or
+adversely affect the trip functions).
\ No newline at end of file
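Review bot: The comment above `Self-Test/Trip Independence` repeats the `Actuation Independence` rationale word for word (partitioning the actuation logic across software and hardware units), which does not say how self-test is kept from interfering with the trip functions. It should get its own rationale, or at least a marker such as `// @todo State how periodic self-test is isolated from the trip path.` The comment above `Instrumentation Independence` speaks of two RISC-V cores and two FPGA units while the requirement speaks of four divisions; if those are the four divisions, as I infer, a sentence saying so would make the requirement traceable to the architecture. Wording in the same hunk: `Systems systems` in `Demonstrator Groundwork`, the doubled `includes` in `Demonstrator Parts`, the trailing `;` in the `Requirements Consistency` comment, and the `Requirements Formal Completeness` comment ends without a period.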
diff --git a/specs/requirements.json b/specs/requirements.json
new file mode 100644
index 0000000..1fe9bc0
--- /dev/null
+++ b/specs/requirements.json
@@ -0,0 +1,4774 @@
+[
+ {
+ "reqid": "ACTUATION_ACTUATOR_0",
+ "rationale": "RFP function 5,6\n",
+ "fulltext": "RTS shall always satisfy\n (Auto_Actuate_0_Actuator_0 | Auto_Actuate_1_Actuator_0 | UI_Manual_Actuate_Actuator_0)\n = Actuate_Actuator_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Auto_Actuate_0_Actuator_0",
+ "Auto_Actuate_1_Actuator_0",
+ "UI_Manual_Actuate_Actuator_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( Auto_Actuate_0_Actuator_0 | Auto_Actuate_1_Actuator_0 | UI_Manual_Actuate_Actuator_0 ))",
+ "responseTextRange": [
+ 17,
+ 112
+ ],
+ "ft": "(LAST V (( Auto_Actuate_0_Actuator_0 | Auto_Actuate_1_Actuator_0 | UI_Manual_Actuate_Actuator_0 )))",
+ "pt": "(H (( Auto_Actuate_0_Actuator_0 | Auto_Actuate_1_Actuator_0 | UI_Manual_Actuate_Actuator_0 )))",
+ "ftExpanded": "(LAST V (( Auto_Actuate_0_Actuator_0 | Auto_Actuate_1_Actuator_0 | UI_Manual_Actuate_Actuator_0 )))",
+ "ptExpanded": "(H (( Auto_Actuate_0_Actuator_0 | Auto_Actuate_1_Actuator_0 | UI_Manual_Actuate_Actuator_0 )))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( Auto_Actuate_0_Actuator_0 or Auto_Actuate_1_Actuator_0 or UI_Manual_Actuate_Actuator_0 ))))",
+ "diagramVariables": "Response = (( Auto_Actuate_0_Actuator_0 | Auto_Actuate_1_Actuator_0 | UI_Manual_Actuate_Actuator_0 )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "ACTUATION_ACTUATOR_1",
+ "rationale": "RFP function 5,6\n",
+ "fulltext": "RTS shall always satisfy\n (Auto_Actuate_0_Actuator_1 | Auto_Actuate_1_Actuator_1 | UI_Manual_Actuate_Actuator_1)\n = Actuate_Actuator_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Auto_Actuate_0_Actuator_1",
+ "Auto_Actuate_1_Actuator_1",
+ "UI_Manual_Actuate_Actuator_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( Auto_Actuate_0_Actuator_1 | Auto_Actuate_1_Actuator_1 | UI_Manual_Actuate_Actuator_1 ))",
+ "responseTextRange": [
+ 17,
+ 112
+ ],
+ "ft": "(LAST V (( Auto_Actuate_0_Actuator_1 | Auto_Actuate_1_Actuator_1 | UI_Manual_Actuate_Actuator_1 )))",
+ "pt": "(H (( Auto_Actuate_0_Actuator_1 | Auto_Actuate_1_Actuator_1 | UI_Manual_Actuate_Actuator_1 )))",
+ "ftExpanded": "(LAST V (( Auto_Actuate_0_Actuator_1 | Auto_Actuate_1_Actuator_1 | UI_Manual_Actuate_Actuator_1 )))",
+ "ptExpanded": "(H (( Auto_Actuate_0_Actuator_1 | Auto_Actuate_1_Actuator_1 | UI_Manual_Actuate_Actuator_1 )))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( Auto_Actuate_0_Actuator_1 or Auto_Actuate_1_Actuator_1 or UI_Manual_Actuate_Actuator_1 ))))",
+ "diagramVariables": "Response = (( Auto_Actuate_0_Actuator_1 | Auto_Actuate_1_Actuator_1 | UI_Manual_Actuate_Actuator_1 )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "ACTUATION_AUTO_LOGIC_0_ACTUATOR_0",
+ "parent_reqid": "ACTUATION_ACTUATOR_0",
+ "rationale": "RFP function 4,5, RFP actuation logic architecture\n",
+ "fulltext": "RTS shall always satisfy if (Coincidence_0_T | Coincidence_0_P) then Auto_Actuate_0_Actuator_0\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Coincidence_0_T",
+ "Coincidence_0_P",
+ "Auto_Actuate_0_Actuator_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( Coincidence_0_T | Coincidence_0_P ) => Auto_Actuate_0_Actuator_0)",
+ "responseTextRange": [
+ 17,
+ 93
+ ],
+ "ft": "(LAST V (( Coincidence_0_T | Coincidence_0_P ) -> Auto_Actuate_0_Actuator_0))",
+ "pt": "(H (( Coincidence_0_T | Coincidence_0_P ) -> Auto_Actuate_0_Actuator_0))",
+ "ftExpanded": "(LAST V (( Coincidence_0_T | Coincidence_0_P ) -> Auto_Actuate_0_Actuator_0))",
+ "ptExpanded": "(H (( Coincidence_0_T | Coincidence_0_P ) -> Auto_Actuate_0_Actuator_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( Coincidence_0_T or Coincidence_0_P ) => Auto_Actuate_0_Actuator_0)))",
+ "diagramVariables": "Response = (( Coincidence_0_T | Coincidence_0_P ) => Auto_Actuate_0_Actuator_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "ACTUATION_AUTO_LOGIC_0_ACTUATOR_1",
+ "parent_reqid": "ACTUATION_ACTUATOR_1",
+ "rationale": "RFP function 4,5, RFP actuation logic architecture\n",
+ "fulltext": "RTS shall always satisfy if Coincidence_0_S then Auto_Actuate_0_Actuator_1",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Coincidence_0_S",
+ "Auto_Actuate_0_Actuator_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(Coincidence_0_S => Auto_Actuate_0_Actuator_1)",
+ "responseTextRange": [
+ 17,
+ 73
+ ],
+ "ft": "(LAST V (Coincidence_0_S -> Auto_Actuate_0_Actuator_1))",
+ "pt": "(H (Coincidence_0_S -> Auto_Actuate_0_Actuator_1))",
+ "ftExpanded": "(LAST V (Coincidence_0_S -> Auto_Actuate_0_Actuator_1))",
+ "ptExpanded": "(H (Coincidence_0_S -> Auto_Actuate_0_Actuator_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((Coincidence_0_S => Auto_Actuate_0_Actuator_1)))",
+ "diagramVariables": "Response = (Coincidence_0_S => Auto_Actuate_0_Actuator_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "COINCIDENCE_LOGIC_0_T",
+ "rationale": "RFP function 4",
+ "parent_reqid": "ACTUATION_AUTO_LOGIC_0_ACTUATOR_0",
+ "fulltext": "RTS shall always satisfy\n ((Trip_T_0 & Trip_T_1)\n | ((Trip_T_0 | Trip_T_1) & (Trip_T_2 | Trip_T_3))\n | (Trip_T_2 & Trip_T_3))\n = Coincidence_0_T\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Trip_T_0",
+ "Trip_T_1",
+ "Trip_T_2",
+ "Trip_T_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) ))",
+ "responseTextRange": [
+ 17,
+ 124
+ ],
+ "ft": "(LAST V (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )))",
+ "pt": "(H (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )))",
+ "ftExpanded": "(LAST V (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )))",
+ "ptExpanded": "(H (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( ( Trip_T_0 and Trip_T_1 ) or ( ( Trip_T_0 or Trip_T_1 ) and ( Trip_T_2 or Trip_T_3 ) ) or ( Trip_T_2 and Trip_T_3 ) ))))",
+ "diagramVariables": "Response = (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "COINCIDENCE_LOGIC_0_P",
+ "rationale": "RFP function 4",
+ "parent_reqid": "ACTUATION_AUTO_LOGIC_0_ACTUATOR_0",
+ "fulltext": "RTS shall always satisfy\n ((Trip_P_0 & Trip_P_1)\n | ((Trip_P_0 | Trip_P_1) & (Trip_P_2 | Trip_P_3))\n | (Trip_P_2 & Trip_P_3))\n = Coincidence_0_P\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Trip_P_0",
+ "Trip_P_1",
+ "Trip_P_2",
+ "Trip_P_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) ))",
+ "responseTextRange": [
+ 17,
+ 124
+ ],
+ "ft": "(LAST V (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )))",
+ "pt": "(H (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )))",
+ "ftExpanded": "(LAST V (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )))",
+ "ptExpanded": "(H (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( ( Trip_P_0 and Trip_P_1 ) or ( ( Trip_P_0 or Trip_P_1 ) and ( Trip_P_2 or Trip_P_3 ) ) or ( Trip_P_2 and Trip_P_3 ) ))))",
+ "diagramVariables": "Response = (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "COINCIDENCE_LOGIC_0_S",
+ "rationale": "RFP function 4",
+ "parent_reqid": "ACTUATION_AUTO_LOGIC_0_ACTUATOR_1",
+ "fulltext": "RTS shall always satisfy\n ((Trip_S_0 & Trip_S_1)\n | ((Trip_S_0 | Trip_S_1) & (Trip_S_2 | Trip_S_3))\n | (Trip_S_2 & Trip_S_3))\n = Coincidence_0_S\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Trip_S_0",
+ "Trip_S_1",
+ "Trip_S_2",
+ "Trip_S_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) ))",
+ "responseTextRange": [
+ 17,
+ 124
+ ],
+ "ft": "(LAST V (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )))",
+ "pt": "(H (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )))",
+ "ftExpanded": "(LAST V (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )))",
+ "ptExpanded": "(H (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( ( Trip_S_0 and Trip_S_1 ) or ( ( Trip_S_0 or Trip_S_1 ) and ( Trip_S_2 or Trip_S_3 ) ) or ( Trip_S_2 and Trip_S_3 ) ))))",
+ "diagramVariables": "Response = (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "ACTUATION_AUTO_LOGIC_1_ACTUATOR_0",
+ "parent_reqid": "ACTUATION_ACTUATOR_0",
+ "rationale": "RFP function 4,5, RFP actuation logic architecture\n",
+ "fulltext": "RTS shall always satisfy if (Coincidence_1_T | Coincidence_1_P) then Auto_Actuate_1_Actuator_0\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Coincidence_1_T",
+ "Coincidence_1_P",
+ "Auto_Actuate_1_Actuator_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( Coincidence_1_T | Coincidence_1_P ) => Auto_Actuate_1_Actuator_0)",
+ "responseTextRange": [
+ 17,
+ 93
+ ],
+ "ft": "(LAST V (( Coincidence_1_T | Coincidence_1_P ) -> Auto_Actuate_1_Actuator_0))",
+ "pt": "(H (( Coincidence_1_T | Coincidence_1_P ) -> Auto_Actuate_1_Actuator_0))",
+ "ftExpanded": "(LAST V (( Coincidence_1_T | Coincidence_1_P ) -> Auto_Actuate_1_Actuator_0))",
+ "ptExpanded": "(H (( Coincidence_1_T | Coincidence_1_P ) -> Auto_Actuate_1_Actuator_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( Coincidence_1_T or Coincidence_1_P ) => Auto_Actuate_1_Actuator_0)))",
+ "diagramVariables": "Response = (( Coincidence_1_T | Coincidence_1_P ) => Auto_Actuate_1_Actuator_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "ACTUATION_AUTO_LOGIC_1_ACTUATOR_1",
+ "parent_reqid": "ACTUATION_ACTUATOR_1",
+ "rationale": "RFP function 4,5, RFP actuation logic architecture\n",
+ "fulltext": "RTS shall always satisfy if Coincidence_1_S then Auto_Actuate_1_Actuator_1",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Coincidence_1_S",
+ "Auto_Actuate_1_Actuator_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(Coincidence_1_S => Auto_Actuate_1_Actuator_1)",
+ "responseTextRange": [
+ 17,
+ 73
+ ],
+ "ft": "(LAST V (Coincidence_1_S -> Auto_Actuate_1_Actuator_1))",
+ "pt": "(H (Coincidence_1_S -> Auto_Actuate_1_Actuator_1))",
+ "ftExpanded": "(LAST V (Coincidence_1_S -> Auto_Actuate_1_Actuator_1))",
+ "ptExpanded": "(H (Coincidence_1_S -> Auto_Actuate_1_Actuator_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((Coincidence_1_S => Auto_Actuate_1_Actuator_1)))",
+ "diagramVariables": "Response = (Coincidence_1_S => Auto_Actuate_1_Actuator_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "COINCIDENCE_LOGIC_1_T",
+ "rationale": "RFP function 4",
+ "parent_reqid": "ACTUATION_AUTO_LOGIC_1_ACTUATOR_0",
+ "fulltext": "RTS shall always satisfy\n ((Trip_T_0 & Trip_T_1)\n | ((Trip_T_0 | Trip_T_1) & (Trip_T_2 | Trip_T_3))\n | (Trip_T_2 & Trip_T_3))\n = Coincidence_1_T\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Trip_T_0",
+ "Trip_T_1",
+ "Trip_T_2",
+ "Trip_T_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) ))",
+ "responseTextRange": [
+ 17,
+ 124
+ ],
+ "ft": "(LAST V (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )))",
+ "pt": "(H (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )))",
+ "ftExpanded": "(LAST V (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )))",
+ "ptExpanded": "(H (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( ( Trip_T_0 and Trip_T_1 ) or ( ( Trip_T_0 or Trip_T_1 ) and ( Trip_T_2 or Trip_T_3 ) ) or ( Trip_T_2 and Trip_T_3 ) ))))",
+ "diagramVariables": "Response = (( ( Trip_T_0 & Trip_T_1 ) | ( ( Trip_T_0 | Trip_T_1 ) & ( Trip_T_2 | Trip_T_3 ) ) | ( Trip_T_2 & Trip_T_3 ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "COINCIDENCE_LOGIC_1_P",
+ "rationale": "RFP function 4",
+ "parent_reqid": "ACTUATION_AUTO_LOGIC_1_ACTUATOR_0",
+ "fulltext": "RTS shall always satisfy\n ((Trip_P_0 & Trip_P_1)\n | ((Trip_P_0 | Trip_P_1) & (Trip_P_2 | Trip_P_3))\n | (Trip_P_2 & Trip_P_3))\n = Coincidence_1_P\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Trip_P_0",
+ "Trip_P_1",
+ "Trip_P_2",
+ "Trip_P_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) ))",
+ "responseTextRange": [
+ 17,
+ 124
+ ],
+ "ft": "(LAST V (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )))",
+ "pt": "(H (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )))",
+ "ftExpanded": "(LAST V (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )))",
+ "ptExpanded": "(H (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( ( Trip_P_0 and Trip_P_1 ) or ( ( Trip_P_0 or Trip_P_1 ) and ( Trip_P_2 or Trip_P_3 ) ) or ( Trip_P_2 and Trip_P_3 ) ))))",
+ "diagramVariables": "Response = (( ( Trip_P_0 & Trip_P_1 ) | ( ( Trip_P_0 | Trip_P_1 ) & ( Trip_P_2 | Trip_P_3 ) ) | ( Trip_P_2 & Trip_P_3 ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "COINCIDENCE_LOGIC_1_S",
+ "rationale": "RFP function 4",
+ "parent_reqid": "ACTUATION_AUTO_LOGIC_1_ACTUATOR_1",
+ "fulltext": "RTS shall always satisfy\n ((Trip_S_0 & Trip_S_1)\n | ((Trip_S_0 | Trip_S_1) & (Trip_S_2 | Trip_S_3))\n | (Trip_S_2 & Trip_S_3))\n = Coincidence_1_S\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Trip_S_0",
+ "Trip_S_1",
+ "Trip_S_2",
+ "Trip_S_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) ))",
+ "responseTextRange": [
+ 17,
+ 124
+ ],
+ "ft": "(LAST V (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )))",
+ "pt": "(H (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )))",
+ "ftExpanded": "(LAST V (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )))",
+ "ptExpanded": "(H (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((( ( Trip_S_0 and Trip_S_1 ) or ( ( Trip_S_0 or Trip_S_1 ) and ( Trip_S_2 or Trip_S_3 ) ) or ( Trip_S_2 and Trip_S_3 ) ))))",
+ "diagramVariables": "Response = (( ( Trip_S_0 & Trip_S_1 ) | ( ( Trip_S_0 | Trip_S_1 ) & ( Trip_S_2 | Trip_S_3 ) ) | ( Trip_S_2 & Trip_S_3 ) )).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_T_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_T_0 & (T_0 > Setpoint_T_0))\nRTS shall always satisfy Trip_T_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_T_0",
+ "T_0",
+ "Setpoint_T_0",
+ "Trip_T_0"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) ))",
+ "regular_condition": "(( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_T_0)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) ))) & ((! LAST) & (X (( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) ))))) -> (X (LAST V (Trip_T_0))))) & ((( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) )) -> (LAST V (Trip_T_0))))",
+ "pt": "(H ((H (! (( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) )))) | (Trip_T_0)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) ))) & ((! LAST) & (X (( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) ))))) -> (X (LAST V (Trip_T_0))))) & ((( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) )) -> (LAST V (Trip_T_0))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) )))) | (Trip_T_0)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_T_0 and ( T_0 > Setpoint_T_0 ) )))) or (Trip_T_0)))",
+ "diagramVariables": "TC = (( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) )), Response = (Trip_T_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) )) is true and any point in the interval where (( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_T_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_T_0_Display = Trip_T_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_T_0_Display",
+ "Trip_T_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_T_0_Display = Trip_T_0)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_T_0_Display = Trip_T_0))",
+ "pt": "(H (UI_Trip_T_0_Display = Trip_T_0))",
+ "ftExpanded": "(LAST V (UI_Trip_T_0_Display = Trip_T_0))",
+ "ptExpanded": "(H (UI_Trip_T_0_Display = Trip_T_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_T_0_Display = Trip_T_0)))",
+ "diagramVariables": "Response = (UI_Trip_T_0_Display = Trip_T_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_P_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_P_0 & (P_0 > Setpoint_P_0))\nRTS shall always satisfy Trip_P_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_P_0",
+ "P_0",
+ "Setpoint_P_0",
+ "Trip_P_0"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) ))",
+ "regular_condition": "(( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_P_0)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) ))) & ((! LAST) & (X (( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) ))))) -> (X (LAST V (Trip_P_0))))) & ((( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) )) -> (LAST V (Trip_P_0))))",
+ "pt": "(H ((H (! (( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) )))) | (Trip_P_0)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) ))) & ((! LAST) & (X (( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) ))))) -> (X (LAST V (Trip_P_0))))) & ((( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) )) -> (LAST V (Trip_P_0))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) )))) | (Trip_P_0)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_P_0 and ( P_0 > Setpoint_P_0 ) )))) or (Trip_P_0)))",
+ "diagramVariables": "TC = (( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) )), Response = (Trip_P_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) )) is true and any point in the interval where (( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_P_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_P_0_Display = Trip_P_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_P_0_Display",
+ "Trip_P_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_P_0_Display = Trip_P_0)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_P_0_Display = Trip_P_0))",
+ "pt": "(H (UI_Trip_P_0_Display = Trip_P_0))",
+ "ftExpanded": "(LAST V (UI_Trip_P_0_Display = Trip_P_0))",
+ "ptExpanded": "(H (UI_Trip_P_0_Display = Trip_P_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_P_0_Display = Trip_P_0)))",
+ "diagramVariables": "Response = (UI_Trip_P_0_Display = Trip_P_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_S_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_S_0 & (S_0 < Setpoint_S_0))\nRTS shall always satisfy Trip_S_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_S_0",
+ "S_0",
+ "Setpoint_S_0",
+ "Trip_S_0"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) ))",
+ "regular_condition": "(( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_S_0)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) ))) & ((! LAST) & (X (( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) ))))) -> (X (LAST V (Trip_S_0))))) & ((( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) )) -> (LAST V (Trip_S_0))))",
+ "pt": "(H ((H (! (( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) )))) | (Trip_S_0)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) ))) & ((! LAST) & (X (( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) ))))) -> (X (LAST V (Trip_S_0))))) & ((( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) )) -> (LAST V (Trip_S_0))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) )))) | (Trip_S_0)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_S_0 and ( S_0 < Setpoint_S_0 ) )))) or (Trip_S_0)))",
+ "diagramVariables": "TC = (( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) )), Response = (Trip_S_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) )) is true and any point in the interval where (( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_S_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_S_0_Display = Trip_S_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_S_0_Display",
+ "Trip_S_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_S_0_Display = Trip_S_0)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_S_0_Display = Trip_S_0))",
+ "pt": "(H (UI_Trip_S_0_Display = Trip_S_0))",
+ "ftExpanded": "(LAST V (UI_Trip_S_0_Display = Trip_S_0))",
+ "ptExpanded": "(H (UI_Trip_S_0_Display = Trip_S_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_S_0_Display = Trip_S_0)))",
+ "diagramVariables": "Response = (UI_Trip_S_0_Display = Trip_S_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_T_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_T_1 & (T_1 > Setpoint_T_1))\nRTS shall always satisfy Trip_T_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_T_1",
+ "T_1",
+ "Setpoint_T_1",
+ "Trip_T_1"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) ))",
+ "regular_condition": "(( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_T_1)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) ))) & ((! LAST) & (X (( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) ))))) -> (X (LAST V (Trip_T_1))))) & ((( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) )) -> (LAST V (Trip_T_1))))",
+ "pt": "(H ((H (! (( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) )))) | (Trip_T_1)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) ))) & ((! LAST) & (X (( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) ))))) -> (X (LAST V (Trip_T_1))))) & ((( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) )) -> (LAST V (Trip_T_1))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) )))) | (Trip_T_1)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_T_1 and ( T_1 > Setpoint_T_1 ) )))) or (Trip_T_1)))",
+ "diagramVariables": "TC = (( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) )), Response = (Trip_T_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) )) is true and any point in the interval where (( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_T_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_T_1_Display = Trip_T_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_T_1_Display",
+ "Trip_T_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_T_1_Display = Trip_T_1)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_T_1_Display = Trip_T_1))",
+ "pt": "(H (UI_Trip_T_1_Display = Trip_T_1))",
+ "ftExpanded": "(LAST V (UI_Trip_T_1_Display = Trip_T_1))",
+ "ptExpanded": "(H (UI_Trip_T_1_Display = Trip_T_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_T_1_Display = Trip_T_1)))",
+ "diagramVariables": "Response = (UI_Trip_T_1_Display = Trip_T_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_P_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_P_1 & (P_1 > Setpoint_P_1))\nRTS shall always satisfy Trip_P_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_P_1",
+ "P_1",
+ "Setpoint_P_1",
+ "Trip_P_1"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) ))",
+ "regular_condition": "(( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_P_1)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) ))) & ((! LAST) & (X (( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) ))))) -> (X (LAST V (Trip_P_1))))) & ((( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) )) -> (LAST V (Trip_P_1))))",
+ "pt": "(H ((H (! (( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) )))) | (Trip_P_1)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) ))) & ((! LAST) & (X (( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) ))))) -> (X (LAST V (Trip_P_1))))) & ((( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) )) -> (LAST V (Trip_P_1))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) )))) | (Trip_P_1)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_P_1 and ( P_1 > Setpoint_P_1 ) )))) or (Trip_P_1)))",
+ "diagramVariables": "TC = (( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) )), Response = (Trip_P_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) )) is true and any point in the interval where (( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_P_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_P_1_Display = Trip_P_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_P_1_Display",
+ "Trip_P_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_P_1_Display = Trip_P_1)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_P_1_Display = Trip_P_1))",
+ "pt": "(H (UI_Trip_P_1_Display = Trip_P_1))",
+ "ftExpanded": "(LAST V (UI_Trip_P_1_Display = Trip_P_1))",
+ "ptExpanded": "(H (UI_Trip_P_1_Display = Trip_P_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_P_1_Display = Trip_P_1)))",
+ "diagramVariables": "Response = (UI_Trip_P_1_Display = Trip_P_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_S_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_S_1 & (S_1 < Setpoint_S_1))\nRTS shall always satisfy Trip_S_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_S_1",
+ "S_1",
+ "Setpoint_S_1",
+ "Trip_S_1"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) ))",
+ "regular_condition": "(( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_S_1)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) ))) & ((! LAST) & (X (( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) ))))) -> (X (LAST V (Trip_S_1))))) & ((( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) )) -> (LAST V (Trip_S_1))))",
+ "pt": "(H ((H (! (( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) )))) | (Trip_S_1)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) ))) & ((! LAST) & (X (( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) ))))) -> (X (LAST V (Trip_S_1))))) & ((( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) )) -> (LAST V (Trip_S_1))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) )))) | (Trip_S_1)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_S_1 and ( S_1 < Setpoint_S_1 ) )))) or (Trip_S_1)))",
+ "diagramVariables": "TC = (( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) )), Response = (Trip_S_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) )) is true and any point in the interval where (( ! Bypass_S_1 & ( S_1 < Setpoint_S_1 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_S_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_S_1_Display = Trip_S_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_S_1_Display",
+ "Trip_S_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_S_1_Display = Trip_S_1)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_S_1_Display = Trip_S_1))",
+ "pt": "(H (UI_Trip_S_1_Display = Trip_S_1))",
+ "ftExpanded": "(LAST V (UI_Trip_S_1_Display = Trip_S_1))",
+ "ptExpanded": "(H (UI_Trip_S_1_Display = Trip_S_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_S_1_Display = Trip_S_1)))",
+ "diagramVariables": "Response = (UI_Trip_S_1_Display = Trip_S_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_T_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_T_2 & (T_2 > Setpoint_T_2))\nRTS shall always satisfy Trip_T_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_T_2",
+ "T_2",
+ "Setpoint_T_2",
+ "Trip_T_2"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) ))",
+ "regular_condition": "(( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_T_2)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) ))) & ((! LAST) & (X (( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) ))))) -> (X (LAST V (Trip_T_2))))) & ((( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) )) -> (LAST V (Trip_T_2))))",
+ "pt": "(H ((H (! (( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) )))) | (Trip_T_2)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) ))) & ((! LAST) & (X (( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) ))))) -> (X (LAST V (Trip_T_2))))) & ((( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) )) -> (LAST V (Trip_T_2))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) )))) | (Trip_T_2)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_T_2 and ( T_2 > Setpoint_T_2 ) )))) or (Trip_T_2)))",
+ "diagramVariables": "TC = (( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) )), Response = (Trip_T_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) )) is true and any point in the interval where (( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_T_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_T_2_Display = Trip_T_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_T_2_Display",
+ "Trip_T_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_T_2_Display = Trip_T_2)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_T_2_Display = Trip_T_2))",
+ "pt": "(H (UI_Trip_T_2_Display = Trip_T_2))",
+ "ftExpanded": "(LAST V (UI_Trip_T_2_Display = Trip_T_2))",
+ "ptExpanded": "(H (UI_Trip_T_2_Display = Trip_T_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_T_2_Display = Trip_T_2)))",
+ "diagramVariables": "Response = (UI_Trip_T_2_Display = Trip_T_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_P_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_P_2 & (P_2 > Setpoint_P_2))\nRTS shall always satisfy Trip_P_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_P_2",
+ "P_2",
+ "Setpoint_P_2",
+ "Trip_P_2"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) ))",
+ "regular_condition": "(( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_P_2)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) ))) & ((! LAST) & (X (( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) ))))) -> (X (LAST V (Trip_P_2))))) & ((( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) )) -> (LAST V (Trip_P_2))))",
+ "pt": "(H ((H (! (( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) )))) | (Trip_P_2)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) ))) & ((! LAST) & (X (( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) ))))) -> (X (LAST V (Trip_P_2))))) & ((( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) )) -> (LAST V (Trip_P_2))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) )))) | (Trip_P_2)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_P_2 and ( P_2 > Setpoint_P_2 ) )))) or (Trip_P_2)))",
+ "diagramVariables": "TC = (( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) )), Response = (Trip_P_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) )) is true and any point in the interval where (( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_P_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_P_2_Display = Trip_P_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_P_2_Display",
+ "Trip_P_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_P_2_Display = Trip_P_2)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_P_2_Display = Trip_P_2))",
+ "pt": "(H (UI_Trip_P_2_Display = Trip_P_2))",
+ "ftExpanded": "(LAST V (UI_Trip_P_2_Display = Trip_P_2))",
+ "ptExpanded": "(H (UI_Trip_P_2_Display = Trip_P_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_P_2_Display = Trip_P_2)))",
+ "diagramVariables": "Response = (UI_Trip_P_2_Display = Trip_P_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_S_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_S_2 & (S_2 < Setpoint_S_2))\nRTS shall always satisfy Trip_S_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_S_2",
+ "S_2",
+ "Setpoint_S_2",
+ "Trip_S_2"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) ))",
+ "regular_condition": "(( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_S_2)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) ))) & ((! LAST) & (X (( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) ))))) -> (X (LAST V (Trip_S_2))))) & ((( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) )) -> (LAST V (Trip_S_2))))",
+ "pt": "(H ((H (! (( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) )))) | (Trip_S_2)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) ))) & ((! LAST) & (X (( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) ))))) -> (X (LAST V (Trip_S_2))))) & ((( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) )) -> (LAST V (Trip_S_2))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) )))) | (Trip_S_2)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_S_2 and ( S_2 < Setpoint_S_2 ) )))) or (Trip_S_2)))",
+ "diagramVariables": "TC = (( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) )), Response = (Trip_S_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) )) is true and any point in the interval where (( ! Bypass_S_2 & ( S_2 < Setpoint_S_2 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_S_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_S_2_Display = Trip_S_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_S_2_Display",
+ "Trip_S_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_S_2_Display = Trip_S_2)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_S_2_Display = Trip_S_2))",
+ "pt": "(H (UI_Trip_S_2_Display = Trip_S_2))",
+ "ftExpanded": "(LAST V (UI_Trip_S_2_Display = Trip_S_2))",
+ "ptExpanded": "(H (UI_Trip_S_2_Display = Trip_S_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_S_2_Display = Trip_S_2)))",
+ "diagramVariables": "Response = (UI_Trip_S_2_Display = Trip_S_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_T_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_T_3 & (T_3 > Setpoint_T_3))\nRTS shall always satisfy Trip_T_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_T_3",
+ "T_3",
+ "Setpoint_T_3",
+ "Trip_T_3"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) ))",
+ "regular_condition": "(( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_T_3)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) ))) & ((! LAST) & (X (( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) ))))) -> (X (LAST V (Trip_T_3))))) & ((( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) )) -> (LAST V (Trip_T_3))))",
+ "pt": "(H ((H (! (( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) )))) | (Trip_T_3)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) ))) & ((! LAST) & (X (( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) ))))) -> (X (LAST V (Trip_T_3))))) & ((( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) )) -> (LAST V (Trip_T_3))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) )))) | (Trip_T_3)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_T_3 and ( T_3 > Setpoint_T_3 ) )))) or (Trip_T_3)))",
+ "diagramVariables": "TC = (( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) )), Response = (Trip_T_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) )) is true and any point in the interval where (( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_T_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_T_3_Display = Trip_T_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_T_3_Display",
+ "Trip_T_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_T_3_Display = Trip_T_3)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_T_3_Display = Trip_T_3))",
+ "pt": "(H (UI_Trip_T_3_Display = Trip_T_3))",
+ "ftExpanded": "(LAST V (UI_Trip_T_3_Display = Trip_T_3))",
+ "ptExpanded": "(H (UI_Trip_T_3_Display = Trip_T_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_T_3_Display = Trip_T_3)))",
+ "diagramVariables": "Response = (UI_Trip_T_3_Display = Trip_T_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_P_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_P_3 & (P_3 > Setpoint_P_3))\nRTS shall always satisfy Trip_P_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_P_3",
+ "P_3",
+ "Setpoint_P_3",
+ "Trip_P_3"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) ))",
+ "regular_condition": "(( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_P_3)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) ))) & ((! LAST) & (X (( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) ))))) -> (X (LAST V (Trip_P_3))))) & ((( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) )) -> (LAST V (Trip_P_3))))",
+ "pt": "(H ((H (! (( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) )))) | (Trip_P_3)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) ))) & ((! LAST) & (X (( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) ))))) -> (X (LAST V (Trip_P_3))))) & ((( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) )) -> (LAST V (Trip_P_3))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) )))) | (Trip_P_3)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_P_3 and ( P_3 > Setpoint_P_3 ) )))) or (Trip_P_3)))",
+ "diagramVariables": "TC = (( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) )), Response = (Trip_P_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) )) is true and any point in the interval where (( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_P_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_P_3_Display = Trip_P_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_P_3_Display",
+ "Trip_P_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_P_3_Display = Trip_P_3)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_P_3_Display = Trip_P_3))",
+ "pt": "(H (UI_Trip_P_3_Display = Trip_P_3))",
+ "ftExpanded": "(LAST V (UI_Trip_P_3_Display = Trip_P_3))",
+ "ptExpanded": "(H (UI_Trip_P_3_Display = Trip_P_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_P_3_Display = Trip_P_3)))",
+ "diagramVariables": "Response = (UI_Trip_P_3_Display = Trip_P_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_S_TRIP",
+ "rationale": "RFP function 1,2,3,9\n",
+ "fulltext": "When\n (!Bypass_S_3 & (S_3 < Setpoint_S_3))\nRTS shall always satisfy Trip_S_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "Bypass_S_3",
+ "S_3",
+ "Setpoint_S_3",
+ "Trip_S_3"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) ))",
+ "regular_condition": "(( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) ))",
+ "conditionTextRange": [
+ 0,
+ 42
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 44,
+ 46
+ ],
+ "timingTextRange": [
+ 54,
+ 59
+ ],
+ "post_condition": "(Trip_S_3)",
+ "responseTextRange": [
+ 61,
+ 76
+ ],
+ "ft": "((LAST V (((! (( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) ))) & ((! LAST) & (X (( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) ))))) -> (X (LAST V (Trip_S_3))))) & ((( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) )) -> (LAST V (Trip_S_3))))",
+ "pt": "(H ((H (! (( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) )))) | (Trip_S_3)))",
+ "ftExpanded": "((LAST V (((! (( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) ))) & ((! LAST) & (X (( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) ))))) -> (X (LAST V (Trip_S_3))))) & ((( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) )) -> (LAST V (Trip_S_3))))",
+ "ptExpanded": "(H ((H (! (( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) )))) | (Trip_S_3)))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (( not Bypass_S_3 and ( S_3 < Setpoint_S_3 ) )))) or (Trip_S_3)))",
+ "diagramVariables": "TC = (( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) )), Response = (Trip_S_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) )) is true and any point in the interval where (( ! Bypass_S_3 & ( S_3 < Setpoint_S_3 ) )) becomes true (from false).\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_S_TRIP_UI",
+ "rationale": "RFP function 12",
+ "fulltext": "RTS shall always satisfy UI_Trip_S_3_Display = Trip_S_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Trip_S_3_Display",
+ "Trip_S_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Trip_S_3_Display = Trip_S_3)",
+ "responseTextRange": [
+ 17,
+ 54
+ ],
+ "ft": "(LAST V (UI_Trip_S_3_Display = Trip_S_3))",
+ "pt": "(H (UI_Trip_S_3_Display = Trip_S_3))",
+ "ftExpanded": "(LAST V (UI_Trip_S_3_Display = Trip_S_3))",
+ "ptExpanded": "(H (UI_Trip_S_3_Display = Trip_S_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Trip_S_3_Display = Trip_S_3)))",
+ "diagramVariables": "Response = (UI_Trip_S_3_Display = Trip_S_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_BYPASS_T_Display",
+ "rationale": "RFP function 13",
+ "fulltext": "RTS shall always satisfy UI_Bypass_T_0_Display = Bypass_T_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Bypass_T_0_Display",
+ "Bypass_T_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Bypass_T_0_Display = Bypass_T_0)",
+ "responseTextRange": [
+ 17,
+ 58
+ ],
+ "ft": "(LAST V (UI_Bypass_T_0_Display = Bypass_T_0))",
+ "pt": "(H (UI_Bypass_T_0_Display = Bypass_T_0))",
+ "ftExpanded": "(LAST V (UI_Bypass_T_0_Display = Bypass_T_0))",
+ "ptExpanded": "(H (UI_Bypass_T_0_Display = Bypass_T_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Bypass_T_0_Display = Bypass_T_0)))",
+ "diagramVariables": "Response = (UI_Bypass_T_0_Display = Bypass_T_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement sets the system value from the UI)\n",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_0\n then (UI_Bypass_T_0) = Bypass_T_0)\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "UI_Bypass_T_0",
+ "Bypass_T_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_0 => ( UI_Bypass_T_0 ) = Bypass_T_0)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_0 -> ( UI_Bypass_T_0 ) = Bypass_T_0))",
+ "pt": "(H (UI_Maintenance_0 -> ( UI_Bypass_T_0 ) = Bypass_T_0))",
+ "ftExpanded": "(LAST V (UI_Maintenance_0 -> ( UI_Bypass_T_0 ) = Bypass_T_0))",
+ "ptExpanded": "(H (UI_Maintenance_0 -> ( UI_Bypass_T_0 ) = Bypass_T_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_0 => ( UI_Bypass_T_0 ) = Bypass_T_0)))",
+ "diagramVariables": "Response = (UI_Maintenance_0 => ( UI_Bypass_T_0 ) = Bypass_T_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_0_NO_BYPASS_T",
+ "parent_reqid": "INSTRUMENTATION_0_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn on during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_0 & !Bypass_T_0 RTS shall, until UI_Maintenance_0 & UI_Bypass_T_0, satisfy\n !Bypass_T_0\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "Bypass_T_0",
+ "UI_Bypass_T_0"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_0 & ! Bypass_T_0)",
+ "regular_condition": "(! UI_Maintenance_0 & ! Bypass_T_0)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 37,
+ 39
+ ],
+ "stop_condition": "(UI_Maintenance_0 & UI_Bypass_T_0)",
+ "timingTextRange": [
+ 46,
+ 86
+ ],
+ "post_condition": "(! Bypass_T_0)",
+ "responseTextRange": [
+ 88,
+ 108
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_0 & ! Bypass_T_0)) & ((! LAST) & (X (! UI_Maintenance_0 & ! Bypass_T_0)))) -> (X (((UI_Maintenance_0 & UI_Bypass_T_0) V ((! Bypass_T_0) | (UI_Maintenance_0 & UI_Bypass_T_0))) | (LAST V (! Bypass_T_0)))))) & ((! UI_Maintenance_0 & ! Bypass_T_0) -> (((UI_Maintenance_0 & UI_Bypass_T_0) V ((! Bypass_T_0) | (UI_Maintenance_0 & UI_Bypass_T_0))) | (LAST V (! Bypass_T_0)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_0 & ! Bypass_T_0))) | (((! (UI_Maintenance_0 & UI_Bypass_T_0)) S ((! (UI_Maintenance_0 & UI_Bypass_T_0)) & ((! UI_Maintenance_0 & ! Bypass_T_0) & ((Y (! (! UI_Maintenance_0 & ! Bypass_T_0))) | FTP)))) -> (! Bypass_T_0))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_0 & ! Bypass_T_0)) & ((! LAST) & (X (! UI_Maintenance_0 & ! Bypass_T_0)))) -> (X (((UI_Maintenance_0 & UI_Bypass_T_0) V ((! Bypass_T_0) | (UI_Maintenance_0 & UI_Bypass_T_0))) | (LAST V (! Bypass_T_0)))))) & ((! UI_Maintenance_0 & ! Bypass_T_0) -> (((UI_Maintenance_0 & UI_Bypass_T_0) V ((! Bypass_T_0) | (UI_Maintenance_0 & UI_Bypass_T_0))) | (LAST V (! Bypass_T_0)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_0 & ! Bypass_T_0))) | (((! (UI_Maintenance_0 & UI_Bypass_T_0)) S ((! (UI_Maintenance_0 & UI_Bypass_T_0)) & ((! UI_Maintenance_0 & ! Bypass_T_0) & ((Y (! (! UI_Maintenance_0 & ! Bypass_T_0))) | (! (Y TRUE)))))) -> (! Bypass_T_0))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_0 and not Bypass_T_0))) or ((SI( ((not UI_Maintenance_0 and not Bypass_T_0) and ((pre ( not (not UI_Maintenance_0 and not Bypass_T_0))) or FTP)), ( not (UI_Maintenance_0 and UI_Bypass_T_0)) )) => (not Bypass_T_0))))",
+ "diagramVariables": "TC = (! UI_Maintenance_0 & ! Bypass_T_0), SC = (UI_Maintenance_0 & UI_Bypass_T_0), Response = (! Bypass_T_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_0 & ! Bypass_T_0) is true and any point in the interval where (! UI_Maintenance_0 & ! Bypass_T_0) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_0_BYPASS_T",
+ "parent_reqid": "INSTRUMENTATION_0_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn off during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_0 & Bypass_T_0 RTS shall, until UI_Maintenance_0 & !UI_Bypass_T_0, satisfy\n Bypass_T_0\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "Bypass_T_0",
+ "UI_Bypass_T_0"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_0 & Bypass_T_0)",
+ "regular_condition": "(! UI_Maintenance_0 & Bypass_T_0)",
+ "conditionTextRange": [
+ 0,
+ 34
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 36,
+ 38
+ ],
+ "stop_condition": "(UI_Maintenance_0 & ! UI_Bypass_T_0)",
+ "timingTextRange": [
+ 45,
+ 86
+ ],
+ "post_condition": "(Bypass_T_0)",
+ "responseTextRange": [
+ 88,
+ 107
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_0 & Bypass_T_0)) & ((! LAST) & (X (! UI_Maintenance_0 & Bypass_T_0)))) -> (X (((UI_Maintenance_0 & ! UI_Bypass_T_0) V ((Bypass_T_0) | (UI_Maintenance_0 & ! UI_Bypass_T_0))) | (LAST V (Bypass_T_0)))))) & ((! UI_Maintenance_0 & Bypass_T_0) -> (((UI_Maintenance_0 & ! UI_Bypass_T_0) V ((Bypass_T_0) | (UI_Maintenance_0 & ! UI_Bypass_T_0))) | (LAST V (Bypass_T_0)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_0 & Bypass_T_0))) | (((! (UI_Maintenance_0 & ! UI_Bypass_T_0)) S ((! (UI_Maintenance_0 & ! UI_Bypass_T_0)) & ((! UI_Maintenance_0 & Bypass_T_0) & ((Y (! (! UI_Maintenance_0 & Bypass_T_0))) | FTP)))) -> (Bypass_T_0))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_0 & Bypass_T_0)) & ((! LAST) & (X (! UI_Maintenance_0 & Bypass_T_0)))) -> (X (((UI_Maintenance_0 & ! UI_Bypass_T_0) V ((Bypass_T_0) | (UI_Maintenance_0 & ! UI_Bypass_T_0))) | (LAST V (Bypass_T_0)))))) & ((! UI_Maintenance_0 & Bypass_T_0) -> (((UI_Maintenance_0 & ! UI_Bypass_T_0) V ((Bypass_T_0) | (UI_Maintenance_0 & ! UI_Bypass_T_0))) | (LAST V (Bypass_T_0)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_0 & Bypass_T_0))) | (((! (UI_Maintenance_0 & ! UI_Bypass_T_0)) S ((! (UI_Maintenance_0 & ! UI_Bypass_T_0)) & ((! UI_Maintenance_0 & Bypass_T_0) & ((Y (! (! UI_Maintenance_0 & Bypass_T_0))) | (! (Y TRUE)))))) -> (Bypass_T_0))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_0 and Bypass_T_0))) or ((SI( ((not UI_Maintenance_0 and Bypass_T_0) and ((pre ( not (not UI_Maintenance_0 and Bypass_T_0))) or FTP)), ( not (UI_Maintenance_0 and not UI_Bypass_T_0)) )) => (Bypass_T_0))))",
+ "diagramVariables": "TC = (! UI_Maintenance_0 & Bypass_T_0), SC = (UI_Maintenance_0 & ! UI_Bypass_T_0), Response = (Bypass_T_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_0 & Bypass_T_0) is true and any point in the interval where (! UI_Maintenance_0 & Bypass_T_0) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_BYPASS_P_Display",
+ "rationale": "RFP function 13",
+ "fulltext": "RTS shall always satisfy UI_Bypass_P_0_Display = Bypass_P_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Bypass_P_0_Display",
+ "Bypass_P_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Bypass_P_0_Display = Bypass_P_0)",
+ "responseTextRange": [
+ 17,
+ 58
+ ],
+ "ft": "(LAST V (UI_Bypass_P_0_Display = Bypass_P_0))",
+ "pt": "(H (UI_Bypass_P_0_Display = Bypass_P_0))",
+ "ftExpanded": "(LAST V (UI_Bypass_P_0_Display = Bypass_P_0))",
+ "ptExpanded": "(H (UI_Bypass_P_0_Display = Bypass_P_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Bypass_P_0_Display = Bypass_P_0)))",
+ "diagramVariables": "Response = (UI_Bypass_P_0_Display = Bypass_P_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement sets the system value from the UI)\n",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_0\n then (UI_Bypass_P_0) = Bypass_P_0)\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "UI_Bypass_P_0",
+ "Bypass_P_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_0 => ( UI_Bypass_P_0 ) = Bypass_P_0)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_0 -> ( UI_Bypass_P_0 ) = Bypass_P_0))",
+ "pt": "(H (UI_Maintenance_0 -> ( UI_Bypass_P_0 ) = Bypass_P_0))",
+ "ftExpanded": "(LAST V (UI_Maintenance_0 -> ( UI_Bypass_P_0 ) = Bypass_P_0))",
+ "ptExpanded": "(H (UI_Maintenance_0 -> ( UI_Bypass_P_0 ) = Bypass_P_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_0 => ( UI_Bypass_P_0 ) = Bypass_P_0)))",
+ "diagramVariables": "Response = (UI_Maintenance_0 => ( UI_Bypass_P_0 ) = Bypass_P_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_0_NO_BYPASS_P",
+ "parent_reqid": "INSTRUMENTATION_0_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn on during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_0 & !Bypass_P_0 RTS shall, until UI_Maintenance_0 & UI_Bypass_P_0, satisfy\n !Bypass_P_0\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "Bypass_P_0",
+ "UI_Bypass_P_0"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_0 & ! Bypass_P_0)",
+ "regular_condition": "(! UI_Maintenance_0 & ! Bypass_P_0)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 37,
+ 39
+ ],
+ "stop_condition": "(UI_Maintenance_0 & UI_Bypass_P_0)",
+ "timingTextRange": [
+ 46,
+ 86
+ ],
+ "post_condition": "(! Bypass_P_0)",
+ "responseTextRange": [
+ 88,
+ 108
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_0 & ! Bypass_P_0)) & ((! LAST) & (X (! UI_Maintenance_0 & ! Bypass_P_0)))) -> (X (((UI_Maintenance_0 & UI_Bypass_P_0) V ((! Bypass_P_0) | (UI_Maintenance_0 & UI_Bypass_P_0))) | (LAST V (! Bypass_P_0)))))) & ((! UI_Maintenance_0 & ! Bypass_P_0) -> (((UI_Maintenance_0 & UI_Bypass_P_0) V ((! Bypass_P_0) | (UI_Maintenance_0 & UI_Bypass_P_0))) | (LAST V (! Bypass_P_0)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_0 & ! Bypass_P_0))) | (((! (UI_Maintenance_0 & UI_Bypass_P_0)) S ((! (UI_Maintenance_0 & UI_Bypass_P_0)) & ((! UI_Maintenance_0 & ! Bypass_P_0) & ((Y (! (! UI_Maintenance_0 & ! Bypass_P_0))) | FTP)))) -> (! Bypass_P_0))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_0 & ! Bypass_P_0)) & ((! LAST) & (X (! UI_Maintenance_0 & ! Bypass_P_0)))) -> (X (((UI_Maintenance_0 & UI_Bypass_P_0) V ((! Bypass_P_0) | (UI_Maintenance_0 & UI_Bypass_P_0))) | (LAST V (! Bypass_P_0)))))) & ((! UI_Maintenance_0 & ! Bypass_P_0) -> (((UI_Maintenance_0 & UI_Bypass_P_0) V ((! Bypass_P_0) | (UI_Maintenance_0 & UI_Bypass_P_0))) | (LAST V (! Bypass_P_0)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_0 & ! Bypass_P_0))) | (((! (UI_Maintenance_0 & UI_Bypass_P_0)) S ((! (UI_Maintenance_0 & UI_Bypass_P_0)) & ((! UI_Maintenance_0 & ! Bypass_P_0) & ((Y (! (! UI_Maintenance_0 & ! Bypass_P_0))) | (! (Y TRUE)))))) -> (! Bypass_P_0))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_0 and not Bypass_P_0))) or ((SI( ((not UI_Maintenance_0 and not Bypass_P_0) and ((pre ( not (not UI_Maintenance_0 and not Bypass_P_0))) or FTP)), ( not (UI_Maintenance_0 and UI_Bypass_P_0)) )) => (not Bypass_P_0))))",
+ "diagramVariables": "TC = (! UI_Maintenance_0 & ! Bypass_P_0), SC = (UI_Maintenance_0 & UI_Bypass_P_0), Response = (! Bypass_P_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_0 & ! Bypass_P_0) is true and any point in the interval where (! UI_Maintenance_0 & ! Bypass_P_0) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_0_BYPASS_P",
+ "parent_reqid": "INSTRUMENTATION_0_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn off during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_0 & Bypass_P_0 RTS shall, until UI_Maintenance_0 & !UI_Bypass_P_0, satisfy\n Bypass_P_0\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "Bypass_P_0",
+ "UI_Bypass_P_0"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_0 & Bypass_P_0)",
+ "regular_condition": "(! UI_Maintenance_0 & Bypass_P_0)",
+ "conditionTextRange": [
+ 0,
+ 34
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 36,
+ 38
+ ],
+ "stop_condition": "(UI_Maintenance_0 & ! UI_Bypass_P_0)",
+ "timingTextRange": [
+ 45,
+ 86
+ ],
+ "post_condition": "(Bypass_P_0)",
+ "responseTextRange": [
+ 88,
+ 107
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_0 & Bypass_P_0)) & ((! LAST) & (X (! UI_Maintenance_0 & Bypass_P_0)))) -> (X (((UI_Maintenance_0 & ! UI_Bypass_P_0) V ((Bypass_P_0) | (UI_Maintenance_0 & ! UI_Bypass_P_0))) | (LAST V (Bypass_P_0)))))) & ((! UI_Maintenance_0 & Bypass_P_0) -> (((UI_Maintenance_0 & ! UI_Bypass_P_0) V ((Bypass_P_0) | (UI_Maintenance_0 & ! UI_Bypass_P_0))) | (LAST V (Bypass_P_0)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_0 & Bypass_P_0))) | (((! (UI_Maintenance_0 & ! UI_Bypass_P_0)) S ((! (UI_Maintenance_0 & ! UI_Bypass_P_0)) & ((! UI_Maintenance_0 & Bypass_P_0) & ((Y (! (! UI_Maintenance_0 & Bypass_P_0))) | FTP)))) -> (Bypass_P_0))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_0 & Bypass_P_0)) & ((! LAST) & (X (! UI_Maintenance_0 & Bypass_P_0)))) -> (X (((UI_Maintenance_0 & ! UI_Bypass_P_0) V ((Bypass_P_0) | (UI_Maintenance_0 & ! UI_Bypass_P_0))) | (LAST V (Bypass_P_0)))))) & ((! UI_Maintenance_0 & Bypass_P_0) -> (((UI_Maintenance_0 & ! UI_Bypass_P_0) V ((Bypass_P_0) | (UI_Maintenance_0 & ! UI_Bypass_P_0))) | (LAST V (Bypass_P_0)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_0 & Bypass_P_0))) | (((! (UI_Maintenance_0 & ! UI_Bypass_P_0)) S ((! (UI_Maintenance_0 & ! UI_Bypass_P_0)) & ((! UI_Maintenance_0 & Bypass_P_0) & ((Y (! (! UI_Maintenance_0 & Bypass_P_0))) | (! (Y TRUE)))))) -> (Bypass_P_0))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_0 and Bypass_P_0))) or ((SI( ((not UI_Maintenance_0 and Bypass_P_0) and ((pre ( not (not UI_Maintenance_0 and Bypass_P_0))) or FTP)), ( not (UI_Maintenance_0 and not UI_Bypass_P_0)) )) => (Bypass_P_0))))",
+ "diagramVariables": "TC = (! UI_Maintenance_0 & Bypass_P_0), SC = (UI_Maintenance_0 & ! UI_Bypass_P_0), Response = (Bypass_P_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_0 & Bypass_P_0) is true and any point in the interval where (! UI_Maintenance_0 & Bypass_P_0) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_T_0",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy T_0 = UI_T_0_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "T_0",
+ "UI_T_0_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(T_0 = UI_T_0_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (T_0 = UI_T_0_Display))",
+ "pt": "(H (T_0 = UI_T_0_Display))",
+ "ftExpanded": "(LAST V (T_0 = UI_T_0_Display))",
+ "ptExpanded": "(H (T_0 = UI_T_0_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((T_0 = UI_T_0_Display)))",
+ "diagramVariables": "Response = (T_0 = UI_T_0_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_SETPOINT_T",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_0 then Setpoint_T_0 = UI_Setpoint_T_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "Setpoint_T_0",
+ "UI_Setpoint_T_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_0 => Setpoint_T_0 = UI_Setpoint_T_0)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_0 -> Setpoint_T_0 = UI_Setpoint_T_0))",
+ "pt": "(H (UI_Maintenance_0 -> Setpoint_T_0 = UI_Setpoint_T_0))",
+ "ftExpanded": "(LAST V (UI_Maintenance_0 -> Setpoint_T_0 = UI_Setpoint_T_0))",
+ "ptExpanded": "(H (UI_Maintenance_0 -> Setpoint_T_0 = UI_Setpoint_T_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_0 => Setpoint_T_0 = UI_Setpoint_T_0)))",
+ "diagramVariables": "Response = (UI_Maintenance_0 => Setpoint_T_0 = UI_Setpoint_T_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_MANUAL_TRIP_T",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_0 & UI_Manual_Trip_T_0 then Trip_T_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "UI_Manual_Trip_T_0",
+ "Trip_T_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_0 & UI_Manual_Trip_T_0 => Trip_T_0)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_0 & UI_Manual_Trip_T_0 -> Trip_T_0))",
+ "pt": "(H (UI_Maintenance_0 & UI_Manual_Trip_T_0 -> Trip_T_0))",
+ "ftExpanded": "(LAST V (UI_Maintenance_0 & UI_Manual_Trip_T_0 -> Trip_T_0))",
+ "ptExpanded": "(H (UI_Maintenance_0 & UI_Manual_Trip_T_0 -> Trip_T_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_0 and UI_Manual_Trip_T_0 => Trip_T_0)))",
+ "diagramVariables": "Response = (UI_Maintenance_0 & UI_Manual_Trip_T_0 => Trip_T_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_P_0",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy P_0 = UI_P_0_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "P_0",
+ "UI_P_0_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(P_0 = UI_P_0_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (P_0 = UI_P_0_Display))",
+ "pt": "(H (P_0 = UI_P_0_Display))",
+ "ftExpanded": "(LAST V (P_0 = UI_P_0_Display))",
+ "ptExpanded": "(H (P_0 = UI_P_0_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((P_0 = UI_P_0_Display)))",
+ "diagramVariables": "Response = (P_0 = UI_P_0_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_SETPOINT_P",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_0 then Setpoint_P_0 = UI_Setpoint_P_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "Setpoint_P_0",
+ "UI_Setpoint_P_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_0 => Setpoint_P_0 = UI_Setpoint_P_0)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_0 -> Setpoint_P_0 = UI_Setpoint_P_0))",
+ "pt": "(H (UI_Maintenance_0 -> Setpoint_P_0 = UI_Setpoint_P_0))",
+ "ftExpanded": "(LAST V (UI_Maintenance_0 -> Setpoint_P_0 = UI_Setpoint_P_0))",
+ "ptExpanded": "(H (UI_Maintenance_0 -> Setpoint_P_0 = UI_Setpoint_P_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_0 => Setpoint_P_0 = UI_Setpoint_P_0)))",
+ "diagramVariables": "Response = (UI_Maintenance_0 => Setpoint_P_0 = UI_Setpoint_P_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_MANUAL_TRIP_P",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_0 & UI_Manual_Trip_P_0 then Trip_P_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "UI_Manual_Trip_P_0",
+ "Trip_P_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_0 & UI_Manual_Trip_P_0 => Trip_P_0)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_0 & UI_Manual_Trip_P_0 -> Trip_P_0))",
+ "pt": "(H (UI_Maintenance_0 & UI_Manual_Trip_P_0 -> Trip_P_0))",
+ "ftExpanded": "(LAST V (UI_Maintenance_0 & UI_Manual_Trip_P_0 -> Trip_P_0))",
+ "ptExpanded": "(H (UI_Maintenance_0 & UI_Manual_Trip_P_0 -> Trip_P_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_0 and UI_Manual_Trip_P_0 => Trip_P_0)))",
+ "diagramVariables": "Response = (UI_Maintenance_0 & UI_Manual_Trip_P_0 => Trip_P_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_S_0",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy S_0 = UI_S_0_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "S_0",
+ "UI_S_0_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(S_0 = UI_S_0_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (S_0 = UI_S_0_Display))",
+ "pt": "(H (S_0 = UI_S_0_Display))",
+ "ftExpanded": "(LAST V (S_0 = UI_S_0_Display))",
+ "ptExpanded": "(H (S_0 = UI_S_0_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((S_0 = UI_S_0_Display)))",
+ "diagramVariables": "Response = (S_0 = UI_S_0_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_SETPOINT_S",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_0 then Setpoint_S_0 = UI_Setpoint_S_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "Setpoint_S_0",
+ "UI_Setpoint_S_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_0 => Setpoint_S_0 = UI_Setpoint_S_0)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_0 -> Setpoint_S_0 = UI_Setpoint_S_0))",
+ "pt": "(H (UI_Maintenance_0 -> Setpoint_S_0 = UI_Setpoint_S_0))",
+ "ftExpanded": "(LAST V (UI_Maintenance_0 -> Setpoint_S_0 = UI_Setpoint_S_0))",
+ "ptExpanded": "(H (UI_Maintenance_0 -> Setpoint_S_0 = UI_Setpoint_S_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_0 => Setpoint_S_0 = UI_Setpoint_S_0)))",
+ "diagramVariables": "Response = (UI_Maintenance_0 => Setpoint_S_0 = UI_Setpoint_S_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_0_MANUAL_TRIP_S",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_0 & UI_Manual_Trip_S_0 then Trip_S_0\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_0",
+ "UI_Manual_Trip_S_0",
+ "Trip_S_0"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_0 & UI_Manual_Trip_S_0 => Trip_S_0)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_0 & UI_Manual_Trip_S_0 -> Trip_S_0))",
+ "pt": "(H (UI_Maintenance_0 & UI_Manual_Trip_S_0 -> Trip_S_0))",
+ "ftExpanded": "(LAST V (UI_Maintenance_0 & UI_Manual_Trip_S_0 -> Trip_S_0))",
+ "ptExpanded": "(H (UI_Maintenance_0 & UI_Manual_Trip_S_0 -> Trip_S_0))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_0 and UI_Manual_Trip_S_0 => Trip_S_0)))",
+ "diagramVariables": "Response = (UI_Maintenance_0 & UI_Manual_Trip_S_0 => Trip_S_0).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_BYPASS_T_Display",
+ "rationale": "RFP function 13",
+ "fulltext": "RTS shall always satisfy UI_Bypass_T_1_Display = Bypass_T_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Bypass_T_1_Display",
+ "Bypass_T_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Bypass_T_1_Display = Bypass_T_1)",
+ "responseTextRange": [
+ 17,
+ 58
+ ],
+ "ft": "(LAST V (UI_Bypass_T_1_Display = Bypass_T_1))",
+ "pt": "(H (UI_Bypass_T_1_Display = Bypass_T_1))",
+ "ftExpanded": "(LAST V (UI_Bypass_T_1_Display = Bypass_T_1))",
+ "ptExpanded": "(H (UI_Bypass_T_1_Display = Bypass_T_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Bypass_T_1_Display = Bypass_T_1)))",
+ "diagramVariables": "Response = (UI_Bypass_T_1_Display = Bypass_T_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement sets the system value from the UI)\n",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_1\n then (UI_Bypass_T_1) = Bypass_T_1)\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "UI_Bypass_T_1",
+ "Bypass_T_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_1 => ( UI_Bypass_T_1 ) = Bypass_T_1)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_1 -> ( UI_Bypass_T_1 ) = Bypass_T_1))",
+ "pt": "(H (UI_Maintenance_1 -> ( UI_Bypass_T_1 ) = Bypass_T_1))",
+ "ftExpanded": "(LAST V (UI_Maintenance_1 -> ( UI_Bypass_T_1 ) = Bypass_T_1))",
+ "ptExpanded": "(H (UI_Maintenance_1 -> ( UI_Bypass_T_1 ) = Bypass_T_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_1 => ( UI_Bypass_T_1 ) = Bypass_T_1)))",
+ "diagramVariables": "Response = (UI_Maintenance_1 => ( UI_Bypass_T_1 ) = Bypass_T_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_1_NO_BYPASS_T",
+ "parent_reqid": "INSTRUMENTATION_1_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn on during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_1 & !Bypass_T_1 RTS shall, until UI_Maintenance_1 & UI_Bypass_T_1, satisfy\n !Bypass_T_1\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "Bypass_T_1",
+ "UI_Bypass_T_1"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_1 & ! Bypass_T_1)",
+ "regular_condition": "(! UI_Maintenance_1 & ! Bypass_T_1)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 37,
+ 39
+ ],
+ "stop_condition": "(UI_Maintenance_1 & UI_Bypass_T_1)",
+ "timingTextRange": [
+ 46,
+ 86
+ ],
+ "post_condition": "(! Bypass_T_1)",
+ "responseTextRange": [
+ 88,
+ 108
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_1 & ! Bypass_T_1)) & ((! LAST) & (X (! UI_Maintenance_1 & ! Bypass_T_1)))) -> (X (((UI_Maintenance_1 & UI_Bypass_T_1) V ((! Bypass_T_1) | (UI_Maintenance_1 & UI_Bypass_T_1))) | (LAST V (! Bypass_T_1)))))) & ((! UI_Maintenance_1 & ! Bypass_T_1) -> (((UI_Maintenance_1 & UI_Bypass_T_1) V ((! Bypass_T_1) | (UI_Maintenance_1 & UI_Bypass_T_1))) | (LAST V (! Bypass_T_1)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_1 & ! Bypass_T_1))) | (((! (UI_Maintenance_1 & UI_Bypass_T_1)) S ((! (UI_Maintenance_1 & UI_Bypass_T_1)) & ((! UI_Maintenance_1 & ! Bypass_T_1) & ((Y (! (! UI_Maintenance_1 & ! Bypass_T_1))) | FTP)))) -> (! Bypass_T_1))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_1 & ! Bypass_T_1)) & ((! LAST) & (X (! UI_Maintenance_1 & ! Bypass_T_1)))) -> (X (((UI_Maintenance_1 & UI_Bypass_T_1) V ((! Bypass_T_1) | (UI_Maintenance_1 & UI_Bypass_T_1))) | (LAST V (! Bypass_T_1)))))) & ((! UI_Maintenance_1 & ! Bypass_T_1) -> (((UI_Maintenance_1 & UI_Bypass_T_1) V ((! Bypass_T_1) | (UI_Maintenance_1 & UI_Bypass_T_1))) | (LAST V (! Bypass_T_1)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_1 & ! Bypass_T_1))) | (((! (UI_Maintenance_1 & UI_Bypass_T_1)) S ((! (UI_Maintenance_1 & UI_Bypass_T_1)) & ((! UI_Maintenance_1 & ! Bypass_T_1) & ((Y (! (! UI_Maintenance_1 & ! Bypass_T_1))) | (! (Y TRUE)))))) -> (! Bypass_T_1))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_1 and not Bypass_T_1))) or ((SI( ((not UI_Maintenance_1 and not Bypass_T_1) and ((pre ( not (not UI_Maintenance_1 and not Bypass_T_1))) or FTP)), ( not (UI_Maintenance_1 and UI_Bypass_T_1)) )) => (not Bypass_T_1))))",
+ "diagramVariables": "TC = (! UI_Maintenance_1 & ! Bypass_T_1), SC = (UI_Maintenance_1 & UI_Bypass_T_1), Response = (! Bypass_T_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_1 & ! Bypass_T_1) is true and any point in the interval where (! UI_Maintenance_1 & ! Bypass_T_1) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_1_BYPASS_T",
+ "parent_reqid": "INSTRUMENTATION_1_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn off during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_1 & Bypass_T_1 RTS shall, until UI_Maintenance_1 & !UI_Bypass_T_1, satisfy\n Bypass_T_1\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "Bypass_T_1",
+ "UI_Bypass_T_1"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_1 & Bypass_T_1)",
+ "regular_condition": "(! UI_Maintenance_1 & Bypass_T_1)",
+ "conditionTextRange": [
+ 0,
+ 34
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 36,
+ 38
+ ],
+ "stop_condition": "(UI_Maintenance_1 & ! UI_Bypass_T_1)",
+ "timingTextRange": [
+ 45,
+ 86
+ ],
+ "post_condition": "(Bypass_T_1)",
+ "responseTextRange": [
+ 88,
+ 107
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_1 & Bypass_T_1)) & ((! LAST) & (X (! UI_Maintenance_1 & Bypass_T_1)))) -> (X (((UI_Maintenance_1 & ! UI_Bypass_T_1) V ((Bypass_T_1) | (UI_Maintenance_1 & ! UI_Bypass_T_1))) | (LAST V (Bypass_T_1)))))) & ((! UI_Maintenance_1 & Bypass_T_1) -> (((UI_Maintenance_1 & ! UI_Bypass_T_1) V ((Bypass_T_1) | (UI_Maintenance_1 & ! UI_Bypass_T_1))) | (LAST V (Bypass_T_1)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_1 & Bypass_T_1))) | (((! (UI_Maintenance_1 & ! UI_Bypass_T_1)) S ((! (UI_Maintenance_1 & ! UI_Bypass_T_1)) & ((! UI_Maintenance_1 & Bypass_T_1) & ((Y (! (! UI_Maintenance_1 & Bypass_T_1))) | FTP)))) -> (Bypass_T_1))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_1 & Bypass_T_1)) & ((! LAST) & (X (! UI_Maintenance_1 & Bypass_T_1)))) -> (X (((UI_Maintenance_1 & ! UI_Bypass_T_1) V ((Bypass_T_1) | (UI_Maintenance_1 & ! UI_Bypass_T_1))) | (LAST V (Bypass_T_1)))))) & ((! UI_Maintenance_1 & Bypass_T_1) -> (((UI_Maintenance_1 & ! UI_Bypass_T_1) V ((Bypass_T_1) | (UI_Maintenance_1 & ! UI_Bypass_T_1))) | (LAST V (Bypass_T_1)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_1 & Bypass_T_1))) | (((! (UI_Maintenance_1 & ! UI_Bypass_T_1)) S ((! (UI_Maintenance_1 & ! UI_Bypass_T_1)) & ((! UI_Maintenance_1 & Bypass_T_1) & ((Y (! (! UI_Maintenance_1 & Bypass_T_1))) | (! (Y TRUE)))))) -> (Bypass_T_1))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_1 and Bypass_T_1))) or ((SI( ((not UI_Maintenance_1 and Bypass_T_1) and ((pre ( not (not UI_Maintenance_1 and Bypass_T_1))) or FTP)), ( not (UI_Maintenance_1 and not UI_Bypass_T_1)) )) => (Bypass_T_1))))",
+ "diagramVariables": "TC = (! UI_Maintenance_1 & Bypass_T_1), SC = (UI_Maintenance_1 & ! UI_Bypass_T_1), Response = (Bypass_T_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_1 & Bypass_T_1) is true and any point in the interval where (! UI_Maintenance_1 & Bypass_T_1) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_BYPASS_P_Display",
+ "rationale": "RFP function 13",
+ "fulltext": "RTS shall always satisfy UI_Bypass_P_1_Display = Bypass_P_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Bypass_P_1_Display",
+ "Bypass_P_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Bypass_P_1_Display = Bypass_P_1)",
+ "responseTextRange": [
+ 17,
+ 58
+ ],
+ "ft": "(LAST V (UI_Bypass_P_1_Display = Bypass_P_1))",
+ "pt": "(H (UI_Bypass_P_1_Display = Bypass_P_1))",
+ "ftExpanded": "(LAST V (UI_Bypass_P_1_Display = Bypass_P_1))",
+ "ptExpanded": "(H (UI_Bypass_P_1_Display = Bypass_P_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Bypass_P_1_Display = Bypass_P_1)))",
+ "diagramVariables": "Response = (UI_Bypass_P_1_Display = Bypass_P_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement sets the system value from the UI)\n",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_1\n then (UI_Bypass_P_1) = Bypass_P_1)\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "UI_Bypass_P_1",
+ "Bypass_P_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_1 => ( UI_Bypass_P_1 ) = Bypass_P_1)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_1 -> ( UI_Bypass_P_1 ) = Bypass_P_1))",
+ "pt": "(H (UI_Maintenance_1 -> ( UI_Bypass_P_1 ) = Bypass_P_1))",
+ "ftExpanded": "(LAST V (UI_Maintenance_1 -> ( UI_Bypass_P_1 ) = Bypass_P_1))",
+ "ptExpanded": "(H (UI_Maintenance_1 -> ( UI_Bypass_P_1 ) = Bypass_P_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_1 => ( UI_Bypass_P_1 ) = Bypass_P_1)))",
+ "diagramVariables": "Response = (UI_Maintenance_1 => ( UI_Bypass_P_1 ) = Bypass_P_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_1_NO_BYPASS_P",
+ "parent_reqid": "INSTRUMENTATION_1_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn on during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_1 & !Bypass_P_1 RTS shall, until UI_Maintenance_1 & UI_Bypass_P_1, satisfy\n !Bypass_P_1\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "Bypass_P_1",
+ "UI_Bypass_P_1"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_1 & ! Bypass_P_1)",
+ "regular_condition": "(! UI_Maintenance_1 & ! Bypass_P_1)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 37,
+ 39
+ ],
+ "stop_condition": "(UI_Maintenance_1 & UI_Bypass_P_1)",
+ "timingTextRange": [
+ 46,
+ 86
+ ],
+ "post_condition": "(! Bypass_P_1)",
+ "responseTextRange": [
+ 88,
+ 108
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_1 & ! Bypass_P_1)) & ((! LAST) & (X (! UI_Maintenance_1 & ! Bypass_P_1)))) -> (X (((UI_Maintenance_1 & UI_Bypass_P_1) V ((! Bypass_P_1) | (UI_Maintenance_1 & UI_Bypass_P_1))) | (LAST V (! Bypass_P_1)))))) & ((! UI_Maintenance_1 & ! Bypass_P_1) -> (((UI_Maintenance_1 & UI_Bypass_P_1) V ((! Bypass_P_1) | (UI_Maintenance_1 & UI_Bypass_P_1))) | (LAST V (! Bypass_P_1)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_1 & ! Bypass_P_1))) | (((! (UI_Maintenance_1 & UI_Bypass_P_1)) S ((! (UI_Maintenance_1 & UI_Bypass_P_1)) & ((! UI_Maintenance_1 & ! Bypass_P_1) & ((Y (! (! UI_Maintenance_1 & ! Bypass_P_1))) | FTP)))) -> (! Bypass_P_1))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_1 & ! Bypass_P_1)) & ((! LAST) & (X (! UI_Maintenance_1 & ! Bypass_P_1)))) -> (X (((UI_Maintenance_1 & UI_Bypass_P_1) V ((! Bypass_P_1) | (UI_Maintenance_1 & UI_Bypass_P_1))) | (LAST V (! Bypass_P_1)))))) & ((! UI_Maintenance_1 & ! Bypass_P_1) -> (((UI_Maintenance_1 & UI_Bypass_P_1) V ((! Bypass_P_1) | (UI_Maintenance_1 & UI_Bypass_P_1))) | (LAST V (! Bypass_P_1)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_1 & ! Bypass_P_1))) | (((! (UI_Maintenance_1 & UI_Bypass_P_1)) S ((! (UI_Maintenance_1 & UI_Bypass_P_1)) & ((! UI_Maintenance_1 & ! Bypass_P_1) & ((Y (! (! UI_Maintenance_1 & ! Bypass_P_1))) | (! (Y TRUE)))))) -> (! Bypass_P_1))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_1 and not Bypass_P_1))) or ((SI( ((not UI_Maintenance_1 and not Bypass_P_1) and ((pre ( not (not UI_Maintenance_1 and not Bypass_P_1))) or FTP)), ( not (UI_Maintenance_1 and UI_Bypass_P_1)) )) => (not Bypass_P_1))))",
+ "diagramVariables": "TC = (! UI_Maintenance_1 & ! Bypass_P_1), SC = (UI_Maintenance_1 & UI_Bypass_P_1), Response = (! Bypass_P_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_1 & ! Bypass_P_1) is true and any point in the interval where (! UI_Maintenance_1 & ! Bypass_P_1) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_1_BYPASS_P",
+ "parent_reqid": "INSTRUMENTATION_1_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn off during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_1 & Bypass_P_1 RTS shall, until UI_Maintenance_1 & !UI_Bypass_P_1, satisfy\n Bypass_P_1\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "Bypass_P_1",
+ "UI_Bypass_P_1"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_1 & Bypass_P_1)",
+ "regular_condition": "(! UI_Maintenance_1 & Bypass_P_1)",
+ "conditionTextRange": [
+ 0,
+ 34
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 36,
+ 38
+ ],
+ "stop_condition": "(UI_Maintenance_1 & ! UI_Bypass_P_1)",
+ "timingTextRange": [
+ 45,
+ 86
+ ],
+ "post_condition": "(Bypass_P_1)",
+ "responseTextRange": [
+ 88,
+ 107
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_1 & Bypass_P_1)) & ((! LAST) & (X (! UI_Maintenance_1 & Bypass_P_1)))) -> (X (((UI_Maintenance_1 & ! UI_Bypass_P_1) V ((Bypass_P_1) | (UI_Maintenance_1 & ! UI_Bypass_P_1))) | (LAST V (Bypass_P_1)))))) & ((! UI_Maintenance_1 & Bypass_P_1) -> (((UI_Maintenance_1 & ! UI_Bypass_P_1) V ((Bypass_P_1) | (UI_Maintenance_1 & ! UI_Bypass_P_1))) | (LAST V (Bypass_P_1)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_1 & Bypass_P_1))) | (((! (UI_Maintenance_1 & ! UI_Bypass_P_1)) S ((! (UI_Maintenance_1 & ! UI_Bypass_P_1)) & ((! UI_Maintenance_1 & Bypass_P_1) & ((Y (! (! UI_Maintenance_1 & Bypass_P_1))) | FTP)))) -> (Bypass_P_1))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_1 & Bypass_P_1)) & ((! LAST) & (X (! UI_Maintenance_1 & Bypass_P_1)))) -> (X (((UI_Maintenance_1 & ! UI_Bypass_P_1) V ((Bypass_P_1) | (UI_Maintenance_1 & ! UI_Bypass_P_1))) | (LAST V (Bypass_P_1)))))) & ((! UI_Maintenance_1 & Bypass_P_1) -> (((UI_Maintenance_1 & ! UI_Bypass_P_1) V ((Bypass_P_1) | (UI_Maintenance_1 & ! UI_Bypass_P_1))) | (LAST V (Bypass_P_1)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_1 & Bypass_P_1))) | (((! (UI_Maintenance_1 & ! UI_Bypass_P_1)) S ((! (UI_Maintenance_1 & ! UI_Bypass_P_1)) & ((! UI_Maintenance_1 & Bypass_P_1) & ((Y (! (! UI_Maintenance_1 & Bypass_P_1))) | (! (Y TRUE)))))) -> (Bypass_P_1))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_1 and Bypass_P_1))) or ((SI( ((not UI_Maintenance_1 and Bypass_P_1) and ((pre ( not (not UI_Maintenance_1 and Bypass_P_1))) or FTP)), ( not (UI_Maintenance_1 and not UI_Bypass_P_1)) )) => (Bypass_P_1))))",
+ "diagramVariables": "TC = (! UI_Maintenance_1 & Bypass_P_1), SC = (UI_Maintenance_1 & ! UI_Bypass_P_1), Response = (Bypass_P_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_1 & Bypass_P_1) is true and any point in the interval where (! UI_Maintenance_1 & Bypass_P_1) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_T_1",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy T_1 = UI_T_1_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "T_1",
+ "UI_T_1_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(T_1 = UI_T_1_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (T_1 = UI_T_1_Display))",
+ "pt": "(H (T_1 = UI_T_1_Display))",
+ "ftExpanded": "(LAST V (T_1 = UI_T_1_Display))",
+ "ptExpanded": "(H (T_1 = UI_T_1_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((T_1 = UI_T_1_Display)))",
+ "diagramVariables": "Response = (T_1 = UI_T_1_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_SETPOINT_T",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_1 then Setpoint_T_1 = UI_Setpoint_T_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "Setpoint_T_1",
+ "UI_Setpoint_T_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_1 => Setpoint_T_1 = UI_Setpoint_T_1)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_1 -> Setpoint_T_1 = UI_Setpoint_T_1))",
+ "pt": "(H (UI_Maintenance_1 -> Setpoint_T_1 = UI_Setpoint_T_1))",
+ "ftExpanded": "(LAST V (UI_Maintenance_1 -> Setpoint_T_1 = UI_Setpoint_T_1))",
+ "ptExpanded": "(H (UI_Maintenance_1 -> Setpoint_T_1 = UI_Setpoint_T_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_1 => Setpoint_T_1 = UI_Setpoint_T_1)))",
+ "diagramVariables": "Response = (UI_Maintenance_1 => Setpoint_T_1 = UI_Setpoint_T_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_MANUAL_TRIP_T",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_1 & UI_Manual_Trip_T_1 then Trip_T_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "UI_Manual_Trip_T_1",
+ "Trip_T_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_1 & UI_Manual_Trip_T_1 => Trip_T_1)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_1 & UI_Manual_Trip_T_1 -> Trip_T_1))",
+ "pt": "(H (UI_Maintenance_1 & UI_Manual_Trip_T_1 -> Trip_T_1))",
+ "ftExpanded": "(LAST V (UI_Maintenance_1 & UI_Manual_Trip_T_1 -> Trip_T_1))",
+ "ptExpanded": "(H (UI_Maintenance_1 & UI_Manual_Trip_T_1 -> Trip_T_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_1 and UI_Manual_Trip_T_1 => Trip_T_1)))",
+ "diagramVariables": "Response = (UI_Maintenance_1 & UI_Manual_Trip_T_1 => Trip_T_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_P_1",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy P_1 = UI_P_1_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "P_1",
+ "UI_P_1_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(P_1 = UI_P_1_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (P_1 = UI_P_1_Display))",
+ "pt": "(H (P_1 = UI_P_1_Display))",
+ "ftExpanded": "(LAST V (P_1 = UI_P_1_Display))",
+ "ptExpanded": "(H (P_1 = UI_P_1_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((P_1 = UI_P_1_Display)))",
+ "diagramVariables": "Response = (P_1 = UI_P_1_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_SETPOINT_P",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_1 then Setpoint_P_1 = UI_Setpoint_P_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "Setpoint_P_1",
+ "UI_Setpoint_P_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_1 => Setpoint_P_1 = UI_Setpoint_P_1)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_1 -> Setpoint_P_1 = UI_Setpoint_P_1))",
+ "pt": "(H (UI_Maintenance_1 -> Setpoint_P_1 = UI_Setpoint_P_1))",
+ "ftExpanded": "(LAST V (UI_Maintenance_1 -> Setpoint_P_1 = UI_Setpoint_P_1))",
+ "ptExpanded": "(H (UI_Maintenance_1 -> Setpoint_P_1 = UI_Setpoint_P_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_1 => Setpoint_P_1 = UI_Setpoint_P_1)))",
+ "diagramVariables": "Response = (UI_Maintenance_1 => Setpoint_P_1 = UI_Setpoint_P_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_MANUAL_TRIP_P",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_1 & UI_Manual_Trip_P_1 then Trip_P_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "UI_Manual_Trip_P_1",
+ "Trip_P_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_1 & UI_Manual_Trip_P_1 => Trip_P_1)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_1 & UI_Manual_Trip_P_1 -> Trip_P_1))",
+ "pt": "(H (UI_Maintenance_1 & UI_Manual_Trip_P_1 -> Trip_P_1))",
+ "ftExpanded": "(LAST V (UI_Maintenance_1 & UI_Manual_Trip_P_1 -> Trip_P_1))",
+ "ptExpanded": "(H (UI_Maintenance_1 & UI_Manual_Trip_P_1 -> Trip_P_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_1 and UI_Manual_Trip_P_1 => Trip_P_1)))",
+ "diagramVariables": "Response = (UI_Maintenance_1 & UI_Manual_Trip_P_1 => Trip_P_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_S_1",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy S_1 = UI_S_1_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "S_1",
+ "UI_S_1_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(S_1 = UI_S_1_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (S_1 = UI_S_1_Display))",
+ "pt": "(H (S_1 = UI_S_1_Display))",
+ "ftExpanded": "(LAST V (S_1 = UI_S_1_Display))",
+ "ptExpanded": "(H (S_1 = UI_S_1_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((S_1 = UI_S_1_Display)))",
+ "diagramVariables": "Response = (S_1 = UI_S_1_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_SETPOINT_S",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_1 then Setpoint_S_1 = UI_Setpoint_S_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "Setpoint_S_1",
+ "UI_Setpoint_S_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_1 => Setpoint_S_1 = UI_Setpoint_S_1)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_1 -> Setpoint_S_1 = UI_Setpoint_S_1))",
+ "pt": "(H (UI_Maintenance_1 -> Setpoint_S_1 = UI_Setpoint_S_1))",
+ "ftExpanded": "(LAST V (UI_Maintenance_1 -> Setpoint_S_1 = UI_Setpoint_S_1))",
+ "ptExpanded": "(H (UI_Maintenance_1 -> Setpoint_S_1 = UI_Setpoint_S_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_1 => Setpoint_S_1 = UI_Setpoint_S_1)))",
+ "diagramVariables": "Response = (UI_Maintenance_1 => Setpoint_S_1 = UI_Setpoint_S_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_1_MANUAL_TRIP_S",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_1 & UI_Manual_Trip_S_1 then Trip_S_1\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_1",
+ "UI_Manual_Trip_S_1",
+ "Trip_S_1"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_1 & UI_Manual_Trip_S_1 => Trip_S_1)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_1 & UI_Manual_Trip_S_1 -> Trip_S_1))",
+ "pt": "(H (UI_Maintenance_1 & UI_Manual_Trip_S_1 -> Trip_S_1))",
+ "ftExpanded": "(LAST V (UI_Maintenance_1 & UI_Manual_Trip_S_1 -> Trip_S_1))",
+ "ptExpanded": "(H (UI_Maintenance_1 & UI_Manual_Trip_S_1 -> Trip_S_1))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_1 and UI_Manual_Trip_S_1 => Trip_S_1)))",
+ "diagramVariables": "Response = (UI_Maintenance_1 & UI_Manual_Trip_S_1 => Trip_S_1).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_BYPASS_T_Display",
+ "rationale": "RFP function 13",
+ "fulltext": "RTS shall always satisfy UI_Bypass_T_2_Display = Bypass_T_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Bypass_T_2_Display",
+ "Bypass_T_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Bypass_T_2_Display = Bypass_T_2)",
+ "responseTextRange": [
+ 17,
+ 58
+ ],
+ "ft": "(LAST V (UI_Bypass_T_2_Display = Bypass_T_2))",
+ "pt": "(H (UI_Bypass_T_2_Display = Bypass_T_2))",
+ "ftExpanded": "(LAST V (UI_Bypass_T_2_Display = Bypass_T_2))",
+ "ptExpanded": "(H (UI_Bypass_T_2_Display = Bypass_T_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Bypass_T_2_Display = Bypass_T_2)))",
+ "diagramVariables": "Response = (UI_Bypass_T_2_Display = Bypass_T_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement sets the system value from the UI)\n",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_2\n then (UI_Bypass_T_2) = Bypass_T_2)\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "UI_Bypass_T_2",
+ "Bypass_T_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_2 => ( UI_Bypass_T_2 ) = Bypass_T_2)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_2 -> ( UI_Bypass_T_2 ) = Bypass_T_2))",
+ "pt": "(H (UI_Maintenance_2 -> ( UI_Bypass_T_2 ) = Bypass_T_2))",
+ "ftExpanded": "(LAST V (UI_Maintenance_2 -> ( UI_Bypass_T_2 ) = Bypass_T_2))",
+ "ptExpanded": "(H (UI_Maintenance_2 -> ( UI_Bypass_T_2 ) = Bypass_T_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_2 => ( UI_Bypass_T_2 ) = Bypass_T_2)))",
+ "diagramVariables": "Response = (UI_Maintenance_2 => ( UI_Bypass_T_2 ) = Bypass_T_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_2_NO_BYPASS_T",
+ "parent_reqid": "INSTRUMENTATION_2_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn on during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_2 & !Bypass_T_2 RTS shall, until UI_Maintenance_2 & UI_Bypass_T_2, satisfy\n !Bypass_T_2\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "Bypass_T_2",
+ "UI_Bypass_T_2"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_2 & ! Bypass_T_2)",
+ "regular_condition": "(! UI_Maintenance_2 & ! Bypass_T_2)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 37,
+ 39
+ ],
+ "stop_condition": "(UI_Maintenance_2 & UI_Bypass_T_2)",
+ "timingTextRange": [
+ 46,
+ 86
+ ],
+ "post_condition": "(! Bypass_T_2)",
+ "responseTextRange": [
+ 88,
+ 108
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_2 & ! Bypass_T_2)) & ((! LAST) & (X (! UI_Maintenance_2 & ! Bypass_T_2)))) -> (X (((UI_Maintenance_2 & UI_Bypass_T_2) V ((! Bypass_T_2) | (UI_Maintenance_2 & UI_Bypass_T_2))) | (LAST V (! Bypass_T_2)))))) & ((! UI_Maintenance_2 & ! Bypass_T_2) -> (((UI_Maintenance_2 & UI_Bypass_T_2) V ((! Bypass_T_2) | (UI_Maintenance_2 & UI_Bypass_T_2))) | (LAST V (! Bypass_T_2)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_2 & ! Bypass_T_2))) | (((! (UI_Maintenance_2 & UI_Bypass_T_2)) S ((! (UI_Maintenance_2 & UI_Bypass_T_2)) & ((! UI_Maintenance_2 & ! Bypass_T_2) & ((Y (! (! UI_Maintenance_2 & ! Bypass_T_2))) | FTP)))) -> (! Bypass_T_2))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_2 & ! Bypass_T_2)) & ((! LAST) & (X (! UI_Maintenance_2 & ! Bypass_T_2)))) -> (X (((UI_Maintenance_2 & UI_Bypass_T_2) V ((! Bypass_T_2) | (UI_Maintenance_2 & UI_Bypass_T_2))) | (LAST V (! Bypass_T_2)))))) & ((! UI_Maintenance_2 & ! Bypass_T_2) -> (((UI_Maintenance_2 & UI_Bypass_T_2) V ((! Bypass_T_2) | (UI_Maintenance_2 & UI_Bypass_T_2))) | (LAST V (! Bypass_T_2)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_2 & ! Bypass_T_2))) | (((! (UI_Maintenance_2 & UI_Bypass_T_2)) S ((! (UI_Maintenance_2 & UI_Bypass_T_2)) & ((! UI_Maintenance_2 & ! Bypass_T_2) & ((Y (! (! UI_Maintenance_2 & ! Bypass_T_2))) | (! (Y TRUE)))))) -> (! Bypass_T_2))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_2 and not Bypass_T_2))) or ((SI( ((not UI_Maintenance_2 and not Bypass_T_2) and ((pre ( not (not UI_Maintenance_2 and not Bypass_T_2))) or FTP)), ( not (UI_Maintenance_2 and UI_Bypass_T_2)) )) => (not Bypass_T_2))))",
+ "diagramVariables": "TC = (! UI_Maintenance_2 & ! Bypass_T_2), SC = (UI_Maintenance_2 & UI_Bypass_T_2), Response = (! Bypass_T_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_2 & ! Bypass_T_2) is true and any point in the interval where (! UI_Maintenance_2 & ! Bypass_T_2) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_2_BYPASS_T",
+ "parent_reqid": "INSTRUMENTATION_2_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn off during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_2 & Bypass_T_2 RTS shall, until UI_Maintenance_2 & !UI_Bypass_T_2, satisfy\n Bypass_T_2\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "Bypass_T_2",
+ "UI_Bypass_T_2"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_2 & Bypass_T_2)",
+ "regular_condition": "(! UI_Maintenance_2 & Bypass_T_2)",
+ "conditionTextRange": [
+ 0,
+ 34
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 36,
+ 38
+ ],
+ "stop_condition": "(UI_Maintenance_2 & ! UI_Bypass_T_2)",
+ "timingTextRange": [
+ 45,
+ 86
+ ],
+ "post_condition": "(Bypass_T_2)",
+ "responseTextRange": [
+ 88,
+ 107
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_2 & Bypass_T_2)) & ((! LAST) & (X (! UI_Maintenance_2 & Bypass_T_2)))) -> (X (((UI_Maintenance_2 & ! UI_Bypass_T_2) V ((Bypass_T_2) | (UI_Maintenance_2 & ! UI_Bypass_T_2))) | (LAST V (Bypass_T_2)))))) & ((! UI_Maintenance_2 & Bypass_T_2) -> (((UI_Maintenance_2 & ! UI_Bypass_T_2) V ((Bypass_T_2) | (UI_Maintenance_2 & ! UI_Bypass_T_2))) | (LAST V (Bypass_T_2)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_2 & Bypass_T_2))) | (((! (UI_Maintenance_2 & ! UI_Bypass_T_2)) S ((! (UI_Maintenance_2 & ! UI_Bypass_T_2)) & ((! UI_Maintenance_2 & Bypass_T_2) & ((Y (! (! UI_Maintenance_2 & Bypass_T_2))) | FTP)))) -> (Bypass_T_2))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_2 & Bypass_T_2)) & ((! LAST) & (X (! UI_Maintenance_2 & Bypass_T_2)))) -> (X (((UI_Maintenance_2 & ! UI_Bypass_T_2) V ((Bypass_T_2) | (UI_Maintenance_2 & ! UI_Bypass_T_2))) | (LAST V (Bypass_T_2)))))) & ((! UI_Maintenance_2 & Bypass_T_2) -> (((UI_Maintenance_2 & ! UI_Bypass_T_2) V ((Bypass_T_2) | (UI_Maintenance_2 & ! UI_Bypass_T_2))) | (LAST V (Bypass_T_2)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_2 & Bypass_T_2))) | (((! (UI_Maintenance_2 & ! UI_Bypass_T_2)) S ((! (UI_Maintenance_2 & ! UI_Bypass_T_2)) & ((! UI_Maintenance_2 & Bypass_T_2) & ((Y (! (! UI_Maintenance_2 & Bypass_T_2))) | (! (Y TRUE)))))) -> (Bypass_T_2))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_2 and Bypass_T_2))) or ((SI( ((not UI_Maintenance_2 and Bypass_T_2) and ((pre ( not (not UI_Maintenance_2 and Bypass_T_2))) or FTP)), ( not (UI_Maintenance_2 and not UI_Bypass_T_2)) )) => (Bypass_T_2))))",
+ "diagramVariables": "TC = (! UI_Maintenance_2 & Bypass_T_2), SC = (UI_Maintenance_2 & ! UI_Bypass_T_2), Response = (Bypass_T_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_2 & Bypass_T_2) is true and any point in the interval where (! UI_Maintenance_2 & Bypass_T_2) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_BYPASS_P_Display",
+ "rationale": "RFP function 13",
+ "fulltext": "RTS shall always satisfy UI_Bypass_P_2_Display = Bypass_P_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Bypass_P_2_Display",
+ "Bypass_P_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Bypass_P_2_Display = Bypass_P_2)",
+ "responseTextRange": [
+ 17,
+ 58
+ ],
+ "ft": "(LAST V (UI_Bypass_P_2_Display = Bypass_P_2))",
+ "pt": "(H (UI_Bypass_P_2_Display = Bypass_P_2))",
+ "ftExpanded": "(LAST V (UI_Bypass_P_2_Display = Bypass_P_2))",
+ "ptExpanded": "(H (UI_Bypass_P_2_Display = Bypass_P_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Bypass_P_2_Display = Bypass_P_2)))",
+ "diagramVariables": "Response = (UI_Bypass_P_2_Display = Bypass_P_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement sets the system value from the UI)\n",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_2\n then (UI_Bypass_P_2) = Bypass_P_2)\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "UI_Bypass_P_2",
+ "Bypass_P_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_2 => ( UI_Bypass_P_2 ) = Bypass_P_2)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_2 -> ( UI_Bypass_P_2 ) = Bypass_P_2))",
+ "pt": "(H (UI_Maintenance_2 -> ( UI_Bypass_P_2 ) = Bypass_P_2))",
+ "ftExpanded": "(LAST V (UI_Maintenance_2 -> ( UI_Bypass_P_2 ) = Bypass_P_2))",
+ "ptExpanded": "(H (UI_Maintenance_2 -> ( UI_Bypass_P_2 ) = Bypass_P_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_2 => ( UI_Bypass_P_2 ) = Bypass_P_2)))",
+ "diagramVariables": "Response = (UI_Maintenance_2 => ( UI_Bypass_P_2 ) = Bypass_P_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_2_NO_BYPASS_P",
+ "parent_reqid": "INSTRUMENTATION_2_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn on during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_2 & !Bypass_P_2 RTS shall, until UI_Maintenance_2 & UI_Bypass_P_2, satisfy\n !Bypass_P_2\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "Bypass_P_2",
+ "UI_Bypass_P_2"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_2 & ! Bypass_P_2)",
+ "regular_condition": "(! UI_Maintenance_2 & ! Bypass_P_2)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 37,
+ 39
+ ],
+ "stop_condition": "(UI_Maintenance_2 & UI_Bypass_P_2)",
+ "timingTextRange": [
+ 46,
+ 86
+ ],
+ "post_condition": "(! Bypass_P_2)",
+ "responseTextRange": [
+ 88,
+ 108
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_2 & ! Bypass_P_2)) & ((! LAST) & (X (! UI_Maintenance_2 & ! Bypass_P_2)))) -> (X (((UI_Maintenance_2 & UI_Bypass_P_2) V ((! Bypass_P_2) | (UI_Maintenance_2 & UI_Bypass_P_2))) | (LAST V (! Bypass_P_2)))))) & ((! UI_Maintenance_2 & ! Bypass_P_2) -> (((UI_Maintenance_2 & UI_Bypass_P_2) V ((! Bypass_P_2) | (UI_Maintenance_2 & UI_Bypass_P_2))) | (LAST V (! Bypass_P_2)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_2 & ! Bypass_P_2))) | (((! (UI_Maintenance_2 & UI_Bypass_P_2)) S ((! (UI_Maintenance_2 & UI_Bypass_P_2)) & ((! UI_Maintenance_2 & ! Bypass_P_2) & ((Y (! (! UI_Maintenance_2 & ! Bypass_P_2))) | FTP)))) -> (! Bypass_P_2))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_2 & ! Bypass_P_2)) & ((! LAST) & (X (! UI_Maintenance_2 & ! Bypass_P_2)))) -> (X (((UI_Maintenance_2 & UI_Bypass_P_2) V ((! Bypass_P_2) | (UI_Maintenance_2 & UI_Bypass_P_2))) | (LAST V (! Bypass_P_2)))))) & ((! UI_Maintenance_2 & ! Bypass_P_2) -> (((UI_Maintenance_2 & UI_Bypass_P_2) V ((! Bypass_P_2) | (UI_Maintenance_2 & UI_Bypass_P_2))) | (LAST V (! Bypass_P_2)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_2 & ! Bypass_P_2))) | (((! (UI_Maintenance_2 & UI_Bypass_P_2)) S ((! (UI_Maintenance_2 & UI_Bypass_P_2)) & ((! UI_Maintenance_2 & ! Bypass_P_2) & ((Y (! (! UI_Maintenance_2 & ! Bypass_P_2))) | (! (Y TRUE)))))) -> (! Bypass_P_2))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_2 and not Bypass_P_2))) or ((SI( ((not UI_Maintenance_2 and not Bypass_P_2) and ((pre ( not (not UI_Maintenance_2 and not Bypass_P_2))) or FTP)), ( not (UI_Maintenance_2 and UI_Bypass_P_2)) )) => (not Bypass_P_2))))",
+ "diagramVariables": "TC = (! UI_Maintenance_2 & ! Bypass_P_2), SC = (UI_Maintenance_2 & UI_Bypass_P_2), Response = (! Bypass_P_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_2 & ! Bypass_P_2) is true and any point in the interval where (! UI_Maintenance_2 & ! Bypass_P_2) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_2_BYPASS_P",
+ "parent_reqid": "INSTRUMENTATION_2_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn off during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_2 & Bypass_P_2 RTS shall, until UI_Maintenance_2 & !UI_Bypass_P_2, satisfy\n Bypass_P_2\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "Bypass_P_2",
+ "UI_Bypass_P_2"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_2 & Bypass_P_2)",
+ "regular_condition": "(! UI_Maintenance_2 & Bypass_P_2)",
+ "conditionTextRange": [
+ 0,
+ 34
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 36,
+ 38
+ ],
+ "stop_condition": "(UI_Maintenance_2 & ! UI_Bypass_P_2)",
+ "timingTextRange": [
+ 45,
+ 86
+ ],
+ "post_condition": "(Bypass_P_2)",
+ "responseTextRange": [
+ 88,
+ 107
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_2 & Bypass_P_2)) & ((! LAST) & (X (! UI_Maintenance_2 & Bypass_P_2)))) -> (X (((UI_Maintenance_2 & ! UI_Bypass_P_2) V ((Bypass_P_2) | (UI_Maintenance_2 & ! UI_Bypass_P_2))) | (LAST V (Bypass_P_2)))))) & ((! UI_Maintenance_2 & Bypass_P_2) -> (((UI_Maintenance_2 & ! UI_Bypass_P_2) V ((Bypass_P_2) | (UI_Maintenance_2 & ! UI_Bypass_P_2))) | (LAST V (Bypass_P_2)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_2 & Bypass_P_2))) | (((! (UI_Maintenance_2 & ! UI_Bypass_P_2)) S ((! (UI_Maintenance_2 & ! UI_Bypass_P_2)) & ((! UI_Maintenance_2 & Bypass_P_2) & ((Y (! (! UI_Maintenance_2 & Bypass_P_2))) | FTP)))) -> (Bypass_P_2))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_2 & Bypass_P_2)) & ((! LAST) & (X (! UI_Maintenance_2 & Bypass_P_2)))) -> (X (((UI_Maintenance_2 & ! UI_Bypass_P_2) V ((Bypass_P_2) | (UI_Maintenance_2 & ! UI_Bypass_P_2))) | (LAST V (Bypass_P_2)))))) & ((! UI_Maintenance_2 & Bypass_P_2) -> (((UI_Maintenance_2 & ! UI_Bypass_P_2) V ((Bypass_P_2) | (UI_Maintenance_2 & ! UI_Bypass_P_2))) | (LAST V (Bypass_P_2)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_2 & Bypass_P_2))) | (((! (UI_Maintenance_2 & ! UI_Bypass_P_2)) S ((! (UI_Maintenance_2 & ! UI_Bypass_P_2)) & ((! UI_Maintenance_2 & Bypass_P_2) & ((Y (! (! UI_Maintenance_2 & Bypass_P_2))) | (! (Y TRUE)))))) -> (Bypass_P_2))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_2 and Bypass_P_2))) or ((SI( ((not UI_Maintenance_2 and Bypass_P_2) and ((pre ( not (not UI_Maintenance_2 and Bypass_P_2))) or FTP)), ( not (UI_Maintenance_2 and not UI_Bypass_P_2)) )) => (Bypass_P_2))))",
+ "diagramVariables": "TC = (! UI_Maintenance_2 & Bypass_P_2), SC = (UI_Maintenance_2 & ! UI_Bypass_P_2), Response = (Bypass_P_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_2 & Bypass_P_2) is true and any point in the interval where (! UI_Maintenance_2 & Bypass_P_2) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_T_2",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy T_2 = UI_T_2_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "T_2",
+ "UI_T_2_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(T_2 = UI_T_2_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (T_2 = UI_T_2_Display))",
+ "pt": "(H (T_2 = UI_T_2_Display))",
+ "ftExpanded": "(LAST V (T_2 = UI_T_2_Display))",
+ "ptExpanded": "(H (T_2 = UI_T_2_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((T_2 = UI_T_2_Display)))",
+ "diagramVariables": "Response = (T_2 = UI_T_2_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_SETPOINT_T",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_2 then Setpoint_T_2 = UI_Setpoint_T_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "Setpoint_T_2",
+ "UI_Setpoint_T_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_2 => Setpoint_T_2 = UI_Setpoint_T_2)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_2 -> Setpoint_T_2 = UI_Setpoint_T_2))",
+ "pt": "(H (UI_Maintenance_2 -> Setpoint_T_2 = UI_Setpoint_T_2))",
+ "ftExpanded": "(LAST V (UI_Maintenance_2 -> Setpoint_T_2 = UI_Setpoint_T_2))",
+ "ptExpanded": "(H (UI_Maintenance_2 -> Setpoint_T_2 = UI_Setpoint_T_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_2 => Setpoint_T_2 = UI_Setpoint_T_2)))",
+ "diagramVariables": "Response = (UI_Maintenance_2 => Setpoint_T_2 = UI_Setpoint_T_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_MANUAL_TRIP_T",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_2 & UI_Manual_Trip_T_2 then Trip_T_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "UI_Manual_Trip_T_2",
+ "Trip_T_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_2 & UI_Manual_Trip_T_2 => Trip_T_2)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_2 & UI_Manual_Trip_T_2 -> Trip_T_2))",
+ "pt": "(H (UI_Maintenance_2 & UI_Manual_Trip_T_2 -> Trip_T_2))",
+ "ftExpanded": "(LAST V (UI_Maintenance_2 & UI_Manual_Trip_T_2 -> Trip_T_2))",
+ "ptExpanded": "(H (UI_Maintenance_2 & UI_Manual_Trip_T_2 -> Trip_T_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_2 and UI_Manual_Trip_T_2 => Trip_T_2)))",
+ "diagramVariables": "Response = (UI_Maintenance_2 & UI_Manual_Trip_T_2 => Trip_T_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_P_2",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy P_2 = UI_P_2_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "P_2",
+ "UI_P_2_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(P_2 = UI_P_2_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (P_2 = UI_P_2_Display))",
+ "pt": "(H (P_2 = UI_P_2_Display))",
+ "ftExpanded": "(LAST V (P_2 = UI_P_2_Display))",
+ "ptExpanded": "(H (P_2 = UI_P_2_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((P_2 = UI_P_2_Display)))",
+ "diagramVariables": "Response = (P_2 = UI_P_2_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_SETPOINT_P",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_2 then Setpoint_P_2 = UI_Setpoint_P_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "Setpoint_P_2",
+ "UI_Setpoint_P_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_2 => Setpoint_P_2 = UI_Setpoint_P_2)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_2 -> Setpoint_P_2 = UI_Setpoint_P_2))",
+ "pt": "(H (UI_Maintenance_2 -> Setpoint_P_2 = UI_Setpoint_P_2))",
+ "ftExpanded": "(LAST V (UI_Maintenance_2 -> Setpoint_P_2 = UI_Setpoint_P_2))",
+ "ptExpanded": "(H (UI_Maintenance_2 -> Setpoint_P_2 = UI_Setpoint_P_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_2 => Setpoint_P_2 = UI_Setpoint_P_2)))",
+ "diagramVariables": "Response = (UI_Maintenance_2 => Setpoint_P_2 = UI_Setpoint_P_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_MANUAL_TRIP_P",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_2 & UI_Manual_Trip_P_2 then Trip_P_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "UI_Manual_Trip_P_2",
+ "Trip_P_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_2 & UI_Manual_Trip_P_2 => Trip_P_2)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_2 & UI_Manual_Trip_P_2 -> Trip_P_2))",
+ "pt": "(H (UI_Maintenance_2 & UI_Manual_Trip_P_2 -> Trip_P_2))",
+ "ftExpanded": "(LAST V (UI_Maintenance_2 & UI_Manual_Trip_P_2 -> Trip_P_2))",
+ "ptExpanded": "(H (UI_Maintenance_2 & UI_Manual_Trip_P_2 -> Trip_P_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_2 and UI_Manual_Trip_P_2 => Trip_P_2)))",
+ "diagramVariables": "Response = (UI_Maintenance_2 & UI_Manual_Trip_P_2 => Trip_P_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_S_2",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy S_2 = UI_S_2_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "S_2",
+ "UI_S_2_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(S_2 = UI_S_2_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (S_2 = UI_S_2_Display))",
+ "pt": "(H (S_2 = UI_S_2_Display))",
+ "ftExpanded": "(LAST V (S_2 = UI_S_2_Display))",
+ "ptExpanded": "(H (S_2 = UI_S_2_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((S_2 = UI_S_2_Display)))",
+ "diagramVariables": "Response = (S_2 = UI_S_2_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_SETPOINT_S",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_2 then Setpoint_S_2 = UI_Setpoint_S_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "Setpoint_S_2",
+ "UI_Setpoint_S_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_2 => Setpoint_S_2 = UI_Setpoint_S_2)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_2 -> Setpoint_S_2 = UI_Setpoint_S_2))",
+ "pt": "(H (UI_Maintenance_2 -> Setpoint_S_2 = UI_Setpoint_S_2))",
+ "ftExpanded": "(LAST V (UI_Maintenance_2 -> Setpoint_S_2 = UI_Setpoint_S_2))",
+ "ptExpanded": "(H (UI_Maintenance_2 -> Setpoint_S_2 = UI_Setpoint_S_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_2 => Setpoint_S_2 = UI_Setpoint_S_2)))",
+ "diagramVariables": "Response = (UI_Maintenance_2 => Setpoint_S_2 = UI_Setpoint_S_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_2_MANUAL_TRIP_S",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_2 & UI_Manual_Trip_S_2 then Trip_S_2\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_2",
+ "UI_Manual_Trip_S_2",
+ "Trip_S_2"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_2 & UI_Manual_Trip_S_2 => Trip_S_2)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_2 & UI_Manual_Trip_S_2 -> Trip_S_2))",
+ "pt": "(H (UI_Maintenance_2 & UI_Manual_Trip_S_2 -> Trip_S_2))",
+ "ftExpanded": "(LAST V (UI_Maintenance_2 & UI_Manual_Trip_S_2 -> Trip_S_2))",
+ "ptExpanded": "(H (UI_Maintenance_2 & UI_Manual_Trip_S_2 -> Trip_S_2))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_2 and UI_Manual_Trip_S_2 => Trip_S_2)))",
+ "diagramVariables": "Response = (UI_Maintenance_2 & UI_Manual_Trip_S_2 => Trip_S_2).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_BYPASS_T_Display",
+ "rationale": "RFP function 13",
+ "fulltext": "RTS shall always satisfy UI_Bypass_T_3_Display = Bypass_T_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Bypass_T_3_Display",
+ "Bypass_T_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Bypass_T_3_Display = Bypass_T_3)",
+ "responseTextRange": [
+ 17,
+ 58
+ ],
+ "ft": "(LAST V (UI_Bypass_T_3_Display = Bypass_T_3))",
+ "pt": "(H (UI_Bypass_T_3_Display = Bypass_T_3))",
+ "ftExpanded": "(LAST V (UI_Bypass_T_3_Display = Bypass_T_3))",
+ "ptExpanded": "(H (UI_Bypass_T_3_Display = Bypass_T_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Bypass_T_3_Display = Bypass_T_3)))",
+ "diagramVariables": "Response = (UI_Bypass_T_3_Display = Bypass_T_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement sets the system value from the UI)\n",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_3\n then (UI_Bypass_T_3) = Bypass_T_3)\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "UI_Bypass_T_3",
+ "Bypass_T_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_3 => ( UI_Bypass_T_3 ) = Bypass_T_3)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_3 -> ( UI_Bypass_T_3 ) = Bypass_T_3))",
+ "pt": "(H (UI_Maintenance_3 -> ( UI_Bypass_T_3 ) = Bypass_T_3))",
+ "ftExpanded": "(LAST V (UI_Maintenance_3 -> ( UI_Bypass_T_3 ) = Bypass_T_3))",
+ "ptExpanded": "(H (UI_Maintenance_3 -> ( UI_Bypass_T_3 ) = Bypass_T_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_3 => ( UI_Bypass_T_3 ) = Bypass_T_3)))",
+ "diagramVariables": "Response = (UI_Maintenance_3 => ( UI_Bypass_T_3 ) = Bypass_T_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_3_NO_BYPASS_T",
+ "parent_reqid": "INSTRUMENTATION_3_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn on during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_3 & !Bypass_T_3 RTS shall, until UI_Maintenance_3 & UI_Bypass_T_3, satisfy\n !Bypass_T_3\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "Bypass_T_3",
+ "UI_Bypass_T_3"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_3 & ! Bypass_T_3)",
+ "regular_condition": "(! UI_Maintenance_3 & ! Bypass_T_3)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 37,
+ 39
+ ],
+ "stop_condition": "(UI_Maintenance_3 & UI_Bypass_T_3)",
+ "timingTextRange": [
+ 46,
+ 86
+ ],
+ "post_condition": "(! Bypass_T_3)",
+ "responseTextRange": [
+ 88,
+ 108
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_3 & ! Bypass_T_3)) & ((! LAST) & (X (! UI_Maintenance_3 & ! Bypass_T_3)))) -> (X (((UI_Maintenance_3 & UI_Bypass_T_3) V ((! Bypass_T_3) | (UI_Maintenance_3 & UI_Bypass_T_3))) | (LAST V (! Bypass_T_3)))))) & ((! UI_Maintenance_3 & ! Bypass_T_3) -> (((UI_Maintenance_3 & UI_Bypass_T_3) V ((! Bypass_T_3) | (UI_Maintenance_3 & UI_Bypass_T_3))) | (LAST V (! Bypass_T_3)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_3 & ! Bypass_T_3))) | (((! (UI_Maintenance_3 & UI_Bypass_T_3)) S ((! (UI_Maintenance_3 & UI_Bypass_T_3)) & ((! UI_Maintenance_3 & ! Bypass_T_3) & ((Y (! (! UI_Maintenance_3 & ! Bypass_T_3))) | FTP)))) -> (! Bypass_T_3))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_3 & ! Bypass_T_3)) & ((! LAST) & (X (! UI_Maintenance_3 & ! Bypass_T_3)))) -> (X (((UI_Maintenance_3 & UI_Bypass_T_3) V ((! Bypass_T_3) | (UI_Maintenance_3 & UI_Bypass_T_3))) | (LAST V (! Bypass_T_3)))))) & ((! UI_Maintenance_3 & ! Bypass_T_3) -> (((UI_Maintenance_3 & UI_Bypass_T_3) V ((! Bypass_T_3) | (UI_Maintenance_3 & UI_Bypass_T_3))) | (LAST V (! Bypass_T_3)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_3 & ! Bypass_T_3))) | (((! (UI_Maintenance_3 & UI_Bypass_T_3)) S ((! (UI_Maintenance_3 & UI_Bypass_T_3)) & ((! UI_Maintenance_3 & ! Bypass_T_3) & ((Y (! (! UI_Maintenance_3 & ! Bypass_T_3))) | (! (Y TRUE)))))) -> (! Bypass_T_3))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_3 and not Bypass_T_3))) or ((SI( ((not UI_Maintenance_3 and not Bypass_T_3) and ((pre ( not (not UI_Maintenance_3 and not Bypass_T_3))) or FTP)), ( not (UI_Maintenance_3 and UI_Bypass_T_3)) )) => (not Bypass_T_3))))",
+ "diagramVariables": "TC = (! UI_Maintenance_3 & ! Bypass_T_3), SC = (UI_Maintenance_3 & UI_Bypass_T_3), Response = (! Bypass_T_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_3 & ! Bypass_T_3) is true and any point in the interval where (! UI_Maintenance_3 & ! Bypass_T_3) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_3_BYPASS_T",
+ "parent_reqid": "INSTRUMENTATION_3_BYPASS_T",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn off during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_3 & Bypass_T_3 RTS shall, until UI_Maintenance_3 & !UI_Bypass_T_3, satisfy\n Bypass_T_3\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "Bypass_T_3",
+ "UI_Bypass_T_3"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_3 & Bypass_T_3)",
+ "regular_condition": "(! UI_Maintenance_3 & Bypass_T_3)",
+ "conditionTextRange": [
+ 0,
+ 34
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 36,
+ 38
+ ],
+ "stop_condition": "(UI_Maintenance_3 & ! UI_Bypass_T_3)",
+ "timingTextRange": [
+ 45,
+ 86
+ ],
+ "post_condition": "(Bypass_T_3)",
+ "responseTextRange": [
+ 88,
+ 107
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_3 & Bypass_T_3)) & ((! LAST) & (X (! UI_Maintenance_3 & Bypass_T_3)))) -> (X (((UI_Maintenance_3 & ! UI_Bypass_T_3) V ((Bypass_T_3) | (UI_Maintenance_3 & ! UI_Bypass_T_3))) | (LAST V (Bypass_T_3)))))) & ((! UI_Maintenance_3 & Bypass_T_3) -> (((UI_Maintenance_3 & ! UI_Bypass_T_3) V ((Bypass_T_3) | (UI_Maintenance_3 & ! UI_Bypass_T_3))) | (LAST V (Bypass_T_3)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_3 & Bypass_T_3))) | (((! (UI_Maintenance_3 & ! UI_Bypass_T_3)) S ((! (UI_Maintenance_3 & ! UI_Bypass_T_3)) & ((! UI_Maintenance_3 & Bypass_T_3) & ((Y (! (! UI_Maintenance_3 & Bypass_T_3))) | FTP)))) -> (Bypass_T_3))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_3 & Bypass_T_3)) & ((! LAST) & (X (! UI_Maintenance_3 & Bypass_T_3)))) -> (X (((UI_Maintenance_3 & ! UI_Bypass_T_3) V ((Bypass_T_3) | (UI_Maintenance_3 & ! UI_Bypass_T_3))) | (LAST V (Bypass_T_3)))))) & ((! UI_Maintenance_3 & Bypass_T_3) -> (((UI_Maintenance_3 & ! UI_Bypass_T_3) V ((Bypass_T_3) | (UI_Maintenance_3 & ! UI_Bypass_T_3))) | (LAST V (Bypass_T_3)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_3 & Bypass_T_3))) | (((! (UI_Maintenance_3 & ! UI_Bypass_T_3)) S ((! (UI_Maintenance_3 & ! UI_Bypass_T_3)) & ((! UI_Maintenance_3 & Bypass_T_3) & ((Y (! (! UI_Maintenance_3 & Bypass_T_3))) | (! (Y TRUE)))))) -> (Bypass_T_3))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_3 and Bypass_T_3))) or ((SI( ((not UI_Maintenance_3 and Bypass_T_3) and ((pre ( not (not UI_Maintenance_3 and Bypass_T_3))) or FTP)), ( not (UI_Maintenance_3 and not UI_Bypass_T_3)) )) => (Bypass_T_3))))",
+ "diagramVariables": "TC = (! UI_Maintenance_3 & Bypass_T_3), SC = (UI_Maintenance_3 & ! UI_Bypass_T_3), Response = (Bypass_T_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_3 & Bypass_T_3) is true and any point in the interval where (! UI_Maintenance_3 & Bypass_T_3) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_BYPASS_P_Display",
+ "rationale": "RFP function 13",
+ "fulltext": "RTS shall always satisfy UI_Bypass_P_3_Display = Bypass_P_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Bypass_P_3_Display",
+ "Bypass_P_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Bypass_P_3_Display = Bypass_P_3)",
+ "responseTextRange": [
+ 17,
+ 58
+ ],
+ "ft": "(LAST V (UI_Bypass_P_3_Display = Bypass_P_3))",
+ "pt": "(H (UI_Bypass_P_3_Display = Bypass_P_3))",
+ "ftExpanded": "(LAST V (UI_Bypass_P_3_Display = Bypass_P_3))",
+ "ptExpanded": "(H (UI_Bypass_P_3_Display = Bypass_P_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Bypass_P_3_Display = Bypass_P_3)))",
+ "diagramVariables": "Response = (UI_Bypass_P_3_Display = Bypass_P_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement sets the system value from the UI)\n",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_3\n then (UI_Bypass_P_3) = Bypass_P_3)\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "UI_Bypass_P_3",
+ "Bypass_P_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_3 => ( UI_Bypass_P_3 ) = Bypass_P_3)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_3 -> ( UI_Bypass_P_3 ) = Bypass_P_3))",
+ "pt": "(H (UI_Maintenance_3 -> ( UI_Bypass_P_3 ) = Bypass_P_3))",
+ "ftExpanded": "(LAST V (UI_Maintenance_3 -> ( UI_Bypass_P_3 ) = Bypass_P_3))",
+ "ptExpanded": "(H (UI_Maintenance_3 -> ( UI_Bypass_P_3 ) = Bypass_P_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_3 => ( UI_Bypass_P_3 ) = Bypass_P_3)))",
+ "diagramVariables": "Response = (UI_Maintenance_3 => ( UI_Bypass_P_3 ) = Bypass_P_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_3_NO_BYPASS_P",
+ "parent_reqid": "INSTRUMENTATION_3_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn on during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_3 & !Bypass_P_3 RTS shall, until UI_Maintenance_3 & UI_Bypass_P_3, satisfy\n !Bypass_P_3\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "Bypass_P_3",
+ "UI_Bypass_P_3"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_3 & ! Bypass_P_3)",
+ "regular_condition": "(! UI_Maintenance_3 & ! Bypass_P_3)",
+ "conditionTextRange": [
+ 0,
+ 35
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 37,
+ 39
+ ],
+ "stop_condition": "(UI_Maintenance_3 & UI_Bypass_P_3)",
+ "timingTextRange": [
+ 46,
+ 86
+ ],
+ "post_condition": "(! Bypass_P_3)",
+ "responseTextRange": [
+ 88,
+ 108
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_3 & ! Bypass_P_3)) & ((! LAST) & (X (! UI_Maintenance_3 & ! Bypass_P_3)))) -> (X (((UI_Maintenance_3 & UI_Bypass_P_3) V ((! Bypass_P_3) | (UI_Maintenance_3 & UI_Bypass_P_3))) | (LAST V (! Bypass_P_3)))))) & ((! UI_Maintenance_3 & ! Bypass_P_3) -> (((UI_Maintenance_3 & UI_Bypass_P_3) V ((! Bypass_P_3) | (UI_Maintenance_3 & UI_Bypass_P_3))) | (LAST V (! Bypass_P_3)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_3 & ! Bypass_P_3))) | (((! (UI_Maintenance_3 & UI_Bypass_P_3)) S ((! (UI_Maintenance_3 & UI_Bypass_P_3)) & ((! UI_Maintenance_3 & ! Bypass_P_3) & ((Y (! (! UI_Maintenance_3 & ! Bypass_P_3))) | FTP)))) -> (! Bypass_P_3))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_3 & ! Bypass_P_3)) & ((! LAST) & (X (! UI_Maintenance_3 & ! Bypass_P_3)))) -> (X (((UI_Maintenance_3 & UI_Bypass_P_3) V ((! Bypass_P_3) | (UI_Maintenance_3 & UI_Bypass_P_3))) | (LAST V (! Bypass_P_3)))))) & ((! UI_Maintenance_3 & ! Bypass_P_3) -> (((UI_Maintenance_3 & UI_Bypass_P_3) V ((! Bypass_P_3) | (UI_Maintenance_3 & UI_Bypass_P_3))) | (LAST V (! Bypass_P_3)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_3 & ! Bypass_P_3))) | (((! (UI_Maintenance_3 & UI_Bypass_P_3)) S ((! (UI_Maintenance_3 & UI_Bypass_P_3)) & ((! UI_Maintenance_3 & ! Bypass_P_3) & ((Y (! (! UI_Maintenance_3 & ! Bypass_P_3))) | (! (Y TRUE)))))) -> (! Bypass_P_3))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_3 and not Bypass_P_3))) or ((SI( ((not UI_Maintenance_3 and not Bypass_P_3) and ((pre ( not (not UI_Maintenance_3 and not Bypass_P_3))) or FTP)), ( not (UI_Maintenance_3 and UI_Bypass_P_3)) )) => (not Bypass_P_3))))",
+ "diagramVariables": "TC = (! UI_Maintenance_3 & ! Bypass_P_3), SC = (UI_Maintenance_3 & UI_Bypass_P_3), Response = (! Bypass_P_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_3 & ! Bypass_P_3) is true and any point in the interval where (! UI_Maintenance_3 & ! Bypass_P_3) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "CONST_INSTRUMENTATION_3_BYPASS_P",
+ "parent_reqid": "INSTRUMENTATION_3_BYPASS_P",
+ "rationale": "RFP function 9: configure in maintenance mode to bypass an instrument channel (this requirement does not allow bypass to turn off during normal operation)\n",
+ "fulltext": "When !UI_Maintenance_3 & Bypass_P_3 RTS shall, until UI_Maintenance_3 & !UI_Bypass_P_3, satisfy\n Bypass_P_3\n",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "regular",
+ "timing": "until",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "Bypass_P_3",
+ "UI_Bypass_P_3"
+ ],
+ "qualifier_word": "when",
+ "pre_condition": "(! UI_Maintenance_3 & Bypass_P_3)",
+ "regular_condition": "(! UI_Maintenance_3 & Bypass_P_3)",
+ "conditionTextRange": [
+ 0,
+ 34
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 36,
+ 38
+ ],
+ "stop_condition": "(UI_Maintenance_3 & ! UI_Bypass_P_3)",
+ "timingTextRange": [
+ 45,
+ 86
+ ],
+ "post_condition": "(Bypass_P_3)",
+ "responseTextRange": [
+ 88,
+ 107
+ ],
+ "ft": "((LAST V (((! (! UI_Maintenance_3 & Bypass_P_3)) & ((! LAST) & (X (! UI_Maintenance_3 & Bypass_P_3)))) -> (X (((UI_Maintenance_3 & ! UI_Bypass_P_3) V ((Bypass_P_3) | (UI_Maintenance_3 & ! UI_Bypass_P_3))) | (LAST V (Bypass_P_3)))))) & ((! UI_Maintenance_3 & Bypass_P_3) -> (((UI_Maintenance_3 & ! UI_Bypass_P_3) V ((Bypass_P_3) | (UI_Maintenance_3 & ! UI_Bypass_P_3))) | (LAST V (Bypass_P_3)))))",
+ "pt": "(H ((H (! (! UI_Maintenance_3 & Bypass_P_3))) | (((! (UI_Maintenance_3 & ! UI_Bypass_P_3)) S ((! (UI_Maintenance_3 & ! UI_Bypass_P_3)) & ((! UI_Maintenance_3 & Bypass_P_3) & ((Y (! (! UI_Maintenance_3 & Bypass_P_3))) | FTP)))) -> (Bypass_P_3))))",
+ "ftExpanded": "((LAST V (((! (! UI_Maintenance_3 & Bypass_P_3)) & ((! LAST) & (X (! UI_Maintenance_3 & Bypass_P_3)))) -> (X (((UI_Maintenance_3 & ! UI_Bypass_P_3) V ((Bypass_P_3) | (UI_Maintenance_3 & ! UI_Bypass_P_3))) | (LAST V (Bypass_P_3)))))) & ((! UI_Maintenance_3 & Bypass_P_3) -> (((UI_Maintenance_3 & ! UI_Bypass_P_3) V ((Bypass_P_3) | (UI_Maintenance_3 & ! UI_Bypass_P_3))) | (LAST V (Bypass_P_3)))))",
+ "ptExpanded": "(H ((H (! (! UI_Maintenance_3 & Bypass_P_3))) | (((! (UI_Maintenance_3 & ! UI_Bypass_P_3)) S ((! (UI_Maintenance_3 & ! UI_Bypass_P_3)) & ((! UI_Maintenance_3 & Bypass_P_3) & ((Y (! (! UI_Maintenance_3 & Bypass_P_3))) | (! (Y TRUE)))))) -> (Bypass_P_3))))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((H( not (not UI_Maintenance_3 and Bypass_P_3))) or ((SI( ((not UI_Maintenance_3 and Bypass_P_3) and ((pre ( not (not UI_Maintenance_3 and Bypass_P_3))) or FTP)), ( not (UI_Maintenance_3 and not UI_Bypass_P_3)) )) => (Bypass_P_3))))",
+ "diagramVariables": "TC = (! UI_Maintenance_3 & Bypass_P_3), SC = (UI_Maintenance_3 & ! UI_Bypass_P_3), Response = (Bypass_P_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval if (! UI_Maintenance_3 & Bypass_P_3) is true and any point in the interval where (! UI_Maintenance_3 & Bypass_P_3) becomes true (from false).\nREQUIRES: for every trigger, RES must remain true until (but not necessarily including) the point where the stop condition holds, or to the end of the interval. If the stop condition never occurs, RES must hold until the end of the scope, or forever. If the stop condition holds at the trigger, the requirement is satisfied.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_regular_until_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_T_3",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy T_3 = UI_T_3_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "T_3",
+ "UI_T_3_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(T_3 = UI_T_3_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (T_3 = UI_T_3_Display))",
+ "pt": "(H (T_3 = UI_T_3_Display))",
+ "ftExpanded": "(LAST V (T_3 = UI_T_3_Display))",
+ "ptExpanded": "(H (T_3 = UI_T_3_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((T_3 = UI_T_3_Display)))",
+ "diagramVariables": "Response = (T_3 = UI_T_3_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_SETPOINT_T",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_3 then Setpoint_T_3 = UI_Setpoint_T_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "Setpoint_T_3",
+ "UI_Setpoint_T_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_3 => Setpoint_T_3 = UI_Setpoint_T_3)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_3 -> Setpoint_T_3 = UI_Setpoint_T_3))",
+ "pt": "(H (UI_Maintenance_3 -> Setpoint_T_3 = UI_Setpoint_T_3))",
+ "ftExpanded": "(LAST V (UI_Maintenance_3 -> Setpoint_T_3 = UI_Setpoint_T_3))",
+ "ptExpanded": "(H (UI_Maintenance_3 -> Setpoint_T_3 = UI_Setpoint_T_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_3 => Setpoint_T_3 = UI_Setpoint_T_3)))",
+ "diagramVariables": "Response = (UI_Maintenance_3 => Setpoint_T_3 = UI_Setpoint_T_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_MANUAL_TRIP_T",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_3 & UI_Manual_Trip_T_3 then Trip_T_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "UI_Manual_Trip_T_3",
+ "Trip_T_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_3 & UI_Manual_Trip_T_3 => Trip_T_3)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_3 & UI_Manual_Trip_T_3 -> Trip_T_3))",
+ "pt": "(H (UI_Maintenance_3 & UI_Manual_Trip_T_3 -> Trip_T_3))",
+ "ftExpanded": "(LAST V (UI_Maintenance_3 & UI_Manual_Trip_T_3 -> Trip_T_3))",
+ "ptExpanded": "(H (UI_Maintenance_3 & UI_Manual_Trip_T_3 -> Trip_T_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_3 and UI_Manual_Trip_T_3 => Trip_T_3)))",
+ "diagramVariables": "Response = (UI_Maintenance_3 & UI_Manual_Trip_T_3 => Trip_T_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_P_3",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy P_3 = UI_P_3_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "P_3",
+ "UI_P_3_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(P_3 = UI_P_3_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (P_3 = UI_P_3_Display))",
+ "pt": "(H (P_3 = UI_P_3_Display))",
+ "ftExpanded": "(LAST V (P_3 = UI_P_3_Display))",
+ "ptExpanded": "(H (P_3 = UI_P_3_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((P_3 = UI_P_3_Display)))",
+ "diagramVariables": "Response = (P_3 = UI_P_3_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_SETPOINT_P",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_3 then Setpoint_P_3 = UI_Setpoint_P_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "Setpoint_P_3",
+ "UI_Setpoint_P_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_3 => Setpoint_P_3 = UI_Setpoint_P_3)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_3 -> Setpoint_P_3 = UI_Setpoint_P_3))",
+ "pt": "(H (UI_Maintenance_3 -> Setpoint_P_3 = UI_Setpoint_P_3))",
+ "ftExpanded": "(LAST V (UI_Maintenance_3 -> Setpoint_P_3 = UI_Setpoint_P_3))",
+ "ptExpanded": "(H (UI_Maintenance_3 -> Setpoint_P_3 = UI_Setpoint_P_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_3 => Setpoint_P_3 = UI_Setpoint_P_3)))",
+ "diagramVariables": "Response = (UI_Maintenance_3 => Setpoint_P_3 = UI_Setpoint_P_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_MANUAL_TRIP_P",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_3 & UI_Manual_Trip_P_3 then Trip_P_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "UI_Manual_Trip_P_3",
+ "Trip_P_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_3 & UI_Manual_Trip_P_3 => Trip_P_3)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_3 & UI_Manual_Trip_P_3 -> Trip_P_3))",
+ "pt": "(H (UI_Maintenance_3 & UI_Manual_Trip_P_3 -> Trip_P_3))",
+ "ftExpanded": "(LAST V (UI_Maintenance_3 & UI_Manual_Trip_P_3 -> Trip_P_3))",
+ "ptExpanded": "(H (UI_Maintenance_3 & UI_Manual_Trip_P_3 -> Trip_P_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_3 and UI_Manual_Trip_P_3 => Trip_P_3)))",
+ "diagramVariables": "Response = (UI_Maintenance_3 & UI_Manual_Trip_P_3 => Trip_P_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_UI_S_3",
+ "rationale": "RFP function 11",
+ "fulltext": "RTS shall always satisfy S_3 = UI_S_3_Display",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "S_3",
+ "UI_S_3_Display"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(S_3 = UI_S_3_Display)",
+ "responseTextRange": [
+ 17,
+ 44
+ ],
+ "ft": "(LAST V (S_3 = UI_S_3_Display))",
+ "pt": "(H (S_3 = UI_S_3_Display))",
+ "ftExpanded": "(LAST V (S_3 = UI_S_3_Display))",
+ "ptExpanded": "(H (S_3 = UI_S_3_Display))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((S_3 = UI_S_3_Display)))",
+ "diagramVariables": "Response = (S_3 = UI_S_3_Display).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_SETPOINT_S",
+ "rationale": "RFP function 8",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_3 then Setpoint_S_3 = UI_Setpoint_S_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "Setpoint_S_3",
+ "UI_Setpoint_S_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_3 => Setpoint_S_3 = UI_Setpoint_S_3)",
+ "responseTextRange": [
+ 17,
+ 81
+ ],
+ "ft": "(LAST V (UI_Maintenance_3 -> Setpoint_S_3 = UI_Setpoint_S_3))",
+ "pt": "(H (UI_Maintenance_3 -> Setpoint_S_3 = UI_Setpoint_S_3))",
+ "ftExpanded": "(LAST V (UI_Maintenance_3 -> Setpoint_S_3 = UI_Setpoint_S_3))",
+ "ptExpanded": "(H (UI_Maintenance_3 -> Setpoint_S_3 = UI_Setpoint_S_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_3 => Setpoint_S_3 = UI_Setpoint_S_3)))",
+ "diagramVariables": "Response = (UI_Maintenance_3 => Setpoint_S_3 = UI_Setpoint_S_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ },
+ {
+ "reqid": "INSTRUMENTATION_3_MANUAL_TRIP_S",
+ "rationale": "RFP function 10",
+ "fulltext": "RTS shall always satisfy\n if UI_Maintenance_3 & UI_Manual_Trip_S_3 then Trip_S_3\n",
+ "parent_reqid": "",
+ "project": "HARDENS_RTS",
+ "semantics": {
+ "type": "nasa",
+ "scope": {
+ "type": "null"
+ },
+ "condition": "null",
+ "timing": "always",
+ "response": "satisfaction",
+ "variables": [
+ "UI_Maintenance_3",
+ "UI_Manual_Trip_S_3",
+ "Trip_S_3"
+ ],
+ "component_name": "RTS",
+ "componentTextRange": [
+ 0,
+ 2
+ ],
+ "timingTextRange": [
+ 10,
+ 15
+ ],
+ "post_condition": "(UI_Maintenance_3 & UI_Manual_Trip_S_3 => Trip_S_3)",
+ "responseTextRange": [
+ 17,
+ 80
+ ],
+ "ft": "(LAST V (UI_Maintenance_3 & UI_Manual_Trip_S_3 -> Trip_S_3))",
+ "pt": "(H (UI_Maintenance_3 & UI_Manual_Trip_S_3 -> Trip_S_3))",
+ "ftExpanded": "(LAST V (UI_Maintenance_3 & UI_Manual_Trip_S_3 -> Trip_S_3))",
+ "ptExpanded": "(H (UI_Maintenance_3 & UI_Manual_Trip_S_3 -> Trip_S_3))",
+ "component": "RTS",
+ "CoCoSpecCode": "(H((UI_Maintenance_3 and UI_Manual_Trip_S_3 => Trip_S_3)))",
+ "diagramVariables": "Response = (UI_Maintenance_3 & UI_Manual_Trip_S_3 => Trip_S_3).",
+ "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER: first point in the interval.\nREQUIRES: for every trigger, RES must hold at all time points between (and including) the trigger and the end of the interval.",
+ "diagram": "_media/user-interface/examples/svgDiagrams/null_null_always_satisfaction.svg"
+ }
+ }
+]
\ No newline at end of file
diff --git a/specs/requirements.lando b/specs/requirements.lando
new file mode 100644
index 0000000..ef18312
--- /dev/null
+++ b/specs/requirements.lando
@@ -0,0 +1,11 @@
+subsystem Requirements
+The requirements for the RTS system are specified in the following
+requirements specifications:
+ HARDENS Project High-level Requirements
+ NRC Characteristics.
+
+// At the moment all system requirements are written in FRET. See the
+// top-level [](../README.md) for more information.
+
+// During Task 2 we will reify those same requirements into our Lando
+// and SysML specifications as well.
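Review bot: The comment near the end of this new file points readers to `[](../README.md)`, a Markdown link with empty link text, so it reads as "the top-level  for more information" wherever it is shown. I would spell the target out, e.g. `// top-level README (../README.md) for more information.`. Since the comment says all system requirements currently live in FRET, it would also help traceability to name the FRET export files this subsystem depends on; `specs/requirements_vars.json`, added in the same commit, appears to be one of them.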
diff --git a/specs/requirements_vars.json b/specs/requirements_vars.json
new file mode 100644
index 0000000..42116f5
--- /dev/null
+++ b/specs/requirements_vars.json
@@ -0,0 +1,954 @@
+[
+ {
+ "variable_name": "UI_Manual_Actuate_Actuator_0",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Auto_Actuate_0_Actuator_0",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Auto_Actuate_1_Actuator_0",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Actuate_Actuator_1",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Auto_Actuate_0_Actuator_1",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Auto_Actuate_1_Actuator_1",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Coincidence_0_T",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Coincidence_0_P",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Coincidence_0_S",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Coincidence_1_T",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Coincidence_1_P",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Coincidence_1_S",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Maintenance_0",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_T_0",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_T_0",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_T_0",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_T_0_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_T_0_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_T_0_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "T_0",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_T_0",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_T_0",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_T_0",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_P_0",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_P_0",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_P_0",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_P_0_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_P_0_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_P_0_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "P_0",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_P_0",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_P_0",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_P_0",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_S_0",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_S_0",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_S_0",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_S_0_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_S_0_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_S_0_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "S_0",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_S_0",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_S_0",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_S_0",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Maintenance_1",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_T_1",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_T_1",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_T_1",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_T_1_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_T_1_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_T_1_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "T_1",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_T_1",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_T_1",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_T_1",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_P_1",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_P_1",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_P_1",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_P_1_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_P_1_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_P_1_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "P_1",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_P_1",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_P_1",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_P_1",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_S_1",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_S_1",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_S_1",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_S_1_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_S_1_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_S_1_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "S_1",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_S_1",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_S_1",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_S_1",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Maintenance_2",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_T_2",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_T_2",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_T_2",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_T_2_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_T_2_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_T_2_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "T_2",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_T_2",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_T_2",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_T_2",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_P_2",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_P_2",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_P_2",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_P_2_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_P_2_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_P_2_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "P_2",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_P_2",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_P_2",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_P_2",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_S_2",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_S_2",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_S_2",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_S_2_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_S_2_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_S_2_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "S_2",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_S_2",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_S_2",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_S_2",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Maintenance_3",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_T_3",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_T_3",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_T_3",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_T_3_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_T_3_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_T_3_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "T_3",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_T_3",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_T_3",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_T_3",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_P_3",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_P_3",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_P_3",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_P_3_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_P_3_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_P_3_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "P_3",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_P_3",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_P_3",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_P_3",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Setpoint_S_3",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_S_3",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Manual_Trip_S_3",
+ "dataType": "boolean",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Bypass_S_3_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_S_3_Display",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "UI_Trip_S_3_Display",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "S_3",
+ "dataType": "integer",
+ "idType": "Input",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Bypass_S_3",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Trip_S_3",
+ "dataType": "boolean",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ },
+ {
+ "variable_name": "Setpoint_S_3",
+ "dataType": "integer",
+ "idType": "Output",
+ "completed": true,
+ "modeldoc": false
+ }
+]
\ No newline at end of file
diff --git a/specs/test_scenarios.lando b/specs/test_scenarios.lando
new file mode 100644
index 0000000..328a4bb
--- /dev/null
+++ b/specs/test_scenarios.lando
@@ -0,0 +1,71 @@
+// Scenarios are sequences of events. Scenarios document normal and abnormal
+// traces of system execution.
+
+// Test scenarios are scenarios that validate a system conforms to its
+// requirements through runtime verification (testing). Each scenario
+// is refined to a (possibly parametrized) runtime verification
+// property. If a testbench is complete, then every path of a
+// system's state machine should be covered by the its set of scenarios.
+
+requirements Test Scenarios
+
+Normal Behavior 1a - Trip on Mock High Pressure Reading from that Pressure Sensor
+@todo TBD.
+
+Normal Behavior 1b - Trip on Environmental High Pressure Reading from that Pressure Sensor
+@todo TBD.
+
+Normal Behavior 2a - Trip on Mock High Temperature Reading from that Temperature Sensor
+@todo TBD.
+
+Normal Behavior 2a - Trip on Environmental High Temperature Reading from that Temperature Sensor
+@todo TBD.
+
+Normal Behavior 3a - Trip on Mock Low Saturation Margin
+@todo TBD.
+
+Normal Behavior 3a - Trip on Environmental Low Saturation Margin
+@todo TBD.
+
+Normal Behavior 4 - Vote on Every Possible Like Trip
+@todo TBD.
+
+Normal Behavior 5a - Automatically Actuate All Mock Devices in Sequence
+@todo TBD.
+
+Normal Behavior 5b - Automatically Actuate All Mock Devices in Sequence
+@todo TBD.
+
+Normal Behavior 6 - Manually Actuate Each Device in Sequence
+@todo TBD.
+
+Normal Behavior 7a - Select Maintenance Operating Mode for each Division
+@todo TBD.
+
+Normal Behavior 7b - Select Normal Operating Mode for each Division
+@todo TBD.
+
+Normal Behavior 8 - Perform Each Kind of Setpoint Adjustment
+@todo TBD.
+
+Normal Behavior 9 - Configure Bypass of Each Instrument Channel in Sequence
+@todo TBD.
+
+Normal Behavior 10 - Configure Active Trip Output State of Each Instrument Channel in Sequence
+@todo TBD.
+
+Normal Behavior 11 - Display Pressure, Temperature, and Saturation Margin
+@todo TBD.
+
+Normal Behavior 12 - Display Every Trip Output Signal State in Sequence
+@todo TBD.
+
+Normal Behavior 13 - Display Indication of Every Channel in Bypass in Sequence
+@todo TBD.
+
+Normal Behavior 14 - Demonstrate Periodic Continual Self-test of Safety Signal Path
+@todo TBD.
+
+Normal Behavior Full Self-Test
+@todo TBD.
+
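Review bot: Two scenario labels are reused, so the entries cannot be referenced unambiguously: `Normal Behavior 2a` heads both the mock and the environmental temperature scenarios, and `Normal Behavior 3a` heads both saturation-margin scenarios. Following the 1a/1b pattern, the second of each pair presumably should be `Normal Behavior 2b` and `Normal Behavior 3b`. `5a` and `5b` also carry the identical title `Automatically Actuate All Mock Devices in Sequence`, so one of them has probably lost its distinguishing word (the 1a/1b pairing suggests mock versus environmental, but that needs confirming). Since the header comment says each scenario is refined to a runtime verification property, duplicate labels break traceability from scenario to test for the trip logic. The file also opens with `requirements Test Scenarios` while the sibling `specs/tool_scenarios.lando` opens with `scenarios Tool Scenarios`; confirm which keyword is intended here.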
diff --git a/specs/tool_scenarios.lando b/specs/tool_scenarios.lando
new file mode 100644
index 0000000..2b57d4b
--- /dev/null
+++ b/specs/tool_scenarios.lando
@@ -0,0 +1,80 @@
+scenarios Tool Scenarios
+
+Verify Software
+Formally verify that software or firmware programs fulfill their
+specifications.
+
+Verify Hardware
+Formally verify that a hardware design fulfills its specifications.
+
+Formal Equivalence Checking
+Formally verify that programs written in different languages (even
+across the hardware/software boundary) are equivalent.
+
+Symbolic Testing
+Improve the assurance of software using symbolic testing.
+
+Backend Solver Libraries
+Provide libraries for symbolic formula representation and solver
+interaction.
+
+Binary Analysis
+Analyze binaries in a variety of formats and for a host of different
+Instruction Set Architectures.
+
+Binary Rewriting
+Perform binary analysis and rewriting for a variety of purposes.
+
+Model-Based Test Generation
+Automatically generate model-based tests for a software, firmware, or
+hardware system.
+
+Specify Semi-Formal Architecture using Natural Language Processing
+Specify a systems architectures at a high level leveraging Natural
+Language Processing technology.
+
+Concretize Model
+Create or generate a new model or an implementation from a semi-formal or formal
+model or implementation by adding extra information, typically turning
+a denotational property into an operational computation, and guarantee
+that the new, refined model behaves identically to the previous,
+abstract model.
+
+Abstract Model
+Extract formal models---including behavioral and architectural
+models---from source code and binaries, and guarantee that all
+properties of the abstract model hold for the more concrete model or
+implementation.
+
+Define Refinement Relation
+Define a pair of functions, an abstraction function L: I->M and
+concretization function C: M->I, such that they form a refinement
+relation over some property P (roughly, P(c(l(i)))=P(i)) between their
+pair of types M and I.
+
+Formally Refine a Semi-formal Architecture
+Specify and formally refine a semi-formal architecture.
+
+Product Line Engineering
+Specify and reason about product lines of hardware, firmware, and/or
+software systems.
+
+Reason about Products
+Reason about products derived from product lines, particularly
+automatically generated CPUs and SoCs.
+
+Reason about Non-Behavioral Properties
+Reason about non-behavioral properties of models or implementations,
+such as security proofs of cryptographic algorithms and protocols,
+safety and progress properties of concurrent or distributed systems,
+information leakage properties of embedded systems and hardware
+designs.
+
+Configure Product Line
+Make feature selections in a feature model in order to specify the
+subset of products from a product line that are of interest.
+
+Fully Configure Product Line
+Configure a feature model until no open choices exist, thereby
+creating a fully configured feature model that specifies a single
+product.
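Review bot: In `Define Refinement Relation` the two functions are introduced as `L: I->M` and `C: M->I`, but the property then refers to them in lowercase as `c(l(i))`, which reads as two different, undefined functions. Use one spelling throughout, e.g. `(roughly, P(C(L(i)))=P(i))`, and consider stating that `i` ranges over `I`. Separately, `Specify a systems architectures at a high level` in the Natural Language Processing scenario looks like it should read `Specify a system's architecture at a high level`.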