Example for Project 1, Part A

Initial Conditions

• A passenger in the front hallway makes a front hall call when the elevator is at another floor.
• No front door reversal ocurs when the passenger enters.
• The car isn't overweight after the passenger gets on.
• The passenger pushes a front car call button after entering.

Step 1: Scenario

• S1.1. The elevator arrives at the passenger's floor with the front doors shut.
• S1.2. The front doors open.
• S1.3. The passenger gets in.
• S1.4. The front doors close when the passenger pushes a front car call button.

Step 2: Write requirements using precise words

• R-FDC1. When the elevator arrives at the passenger's floor, both front doors shall be commanded to open.
• R-FDC2. The front doors shall remain open while the passenger boards.
• R-FDC3. The front doors should be commanded to close when a front car call button is pushed.

Step 3: Write requirements using consistent terms

• R-FDC1. When AtFrontFloor[f] and FrontHallCall[f, d] are true for the same f, both FrontDoorMotor[j] shall be commanded to Open.
• R-FDC2. After being commanded to Open, both FrontDoorMotor[j] shall not be commanded to Close for at least 5 seconds.
• R-FDC3. Both FrontDoorMotor[j] should be commanded to Close if a FrontCarCall[f] is true.

Step 4: Number requirements

Hey, they're already numbered! How about that.

Step 5: Write test cases

• R-FDC1. When AtFrontFloor[f] and FrontHallCall[f, d] are true for the same f, both FrontDoorMotor[j] shall be commanded to Open.

• Test: Set AtFrontFloor[f] and FrontHallCall[f, d] to true for some f. Observe both FrontDoorMotor[j] being commanded to Open.

• R-FDC2. After being commanded to Open, both FrontDoorMotor[j] shall not be commanded to Close for at least 5 seconds.

• Test: Run the test for R-FDC1. Observe that both FrontDoorMotor[j] are commanded to something other than Close for at least 5 seconds.

• R-FDC3. Both FrontDoorMotor[j] should be commanded to Close if a FrontCarCall[f] is true.

• Test: In a situation that would not conflict with R-FDC2 where the elevator front doors are open (all FrontDoorOpen[j] are true), and all FrontCarCall[f]s are false, set a FrontCarCall[f] to true. Observe that both FrontDoorMotor[j] are commanded to Close.

Step 6: Traceability

• R-FDC1. When AtFrontFloor[f] and FrontHallCall[f, d] are true for the same f, both FrontDoorMotor[j] shall be commanded to Open.

• R-T1: Passengers are able to board.
• R-T3: Passengers are able to board
• R-S1: The FrontDoorMotor[j] are only commanded to Open if AtFrontFloor[f] is true.
• R-S2: The FrontDoorMotor[j] are only commanded to Open if FrontHallCall[f, d] is true for the AtFrontFloor[f] which is also true.
• R-S3: All FrontDoorReversal[j] are false for this scenario (Initial conditions). This requirement doesn't command the front doors to close.
• R-S4: CarWeight is less than MaxCarCapacity for this scenario (Initial conditions). This requirement doesn't command the front doors to close.

• R-FDC2. After being commanded to Open, both FrontDoorMotor[j] shall not be commanded to Close for at least 5 seconds.

• R-T1: This allows passengers to board the elevator so they may use the elevator.
• R-T3: By placing a limit on the time the front doors are open, performance may be improved.
• R-Sl: This requirement doesn't command the front doors to open.
• R-S2: This requirement doesn't command the front doors to open.
• R-S3: All FrontDoorReversal[j] are false for this scenario (Initial Conditions). This requirement doesn't command the front doors to close.
• R-S4: CarWeight is less than MaxCarCapacity for this scenario (Initial Conditions). This requirement doesn't command the front doors to close.

• R-FDC3. Both FrontDoorMotor[j] should be commanded to Close if a FrontCarCall[f] is true.

• R-T1: Closes the front doors once a passenger is inside, so the elevator may move.
• R-T3: Helps performance as the front doors will close when someone picks a floor instead of waiting a fixed time.
• R-Sl: This requirement doesn't command the front doors to open.
• R-S2: This requirement doesn't command the front doors to open.
• R-S3: All FrontDoorReversal[j] are false for this scenario (Initial Conditions). BUT for the final requirements, a FrontDoorReversal[j] true should take precedence over this requirement.
• R-S4: CarWeight is less than MaxCarCapacity for this scenario (Initial Conditions). BUT the front doors would have to reopen/remain open if the CarWeight was greater than MaxCarCapacity; that would take precedence over this requirement.

Step 7: Process audit (the checklist)

Step 1: Is there a scenario? Yes
Step 2: Do the requirements use only shall and should, or the words from lecture on 9/4? Yes
Step 3: Do the requirements use the terms given in the Interface section to describe sensors, actuators and controllers on the elevator? Yes
Step 4: Are the requirements numbered? Yes
Step 5: Is there a test given for each of the requirements? Yes
Step 6: Traceability - Does *each* requirement either support or not contradict *each* of the high-level requirements? Yes
Name: Xavier Q. Student (xqid@andrew.cmu.edu)