State Machine Specifications
Define behavior using states and transitions between states.
[Figure: thermostat state machine with states Below setpoint, At setpoint and Above setpoint. Transitions (event / action): temp < sp / turn on heat; temp = sp / turn off heat; temp > sp / turn on AC; temp = sp / turn off AC.]
(c) Copyright Nancy Leveson, Sept. 1999
State Machine Specifications (2)
Can easily define time constraints on transitions, e.g. a telephone switch: the caller must dial 4 digits (internal call) within 10 seconds.
[Figure: telephone switch state machine. States: Idle, Await first digit, Await second digit, Await third digit, Await fourth digit, Conversing, Dial Again. Transitions (event / action): offhook / Start Timer T(10), Dialtone: Idle -> Await first digit; 1 thru 8 / -: Await first -> Await second digit; 0 thru 9 / -: Await second -> Await third digit and Await third -> Await fourth digit; 0 thru 9 / Connect: Await fourth digit -> Conversing; Alarm T / Reordertone: from each Await state -> Dial Again; depress hookswitch / -: return to Idle.]
[Figure: cruise control state machine. States: Off; Cruise Control Mode, containing Cruise Control On and in Standby, Increasing Speed and Maintaining Speed. Transitions (event / action): cruise control turned on / initialize cc: Off -> Standby; increase speed commanded / send command to throttle to increase at X rate: Standby -> Increasing Speed; set point reached / reduce throttle: Increasing Speed -> Maintaining Speed; read wheel turning rate / adjust throttle: Maintaining Speed (self-loop); brake depressed or accelerator depressed / discontinue cruise control: -> Standby; cruise control turned off: -> Off.]
SpecTRM-RL
State explosion is prevented by dividing components into parallel state machines.
[Figure: two parallel state machines. Traffic Density: Low, Average, High, Unknown. Schedule Slot [1...90]: Available, Aircraft Scheduled, Blocked, Unknown.]
The complete state space is the cross product.
SpecTRM-RL (2)
Each state can be hierarchically refined.
[Figure: the same two machines, with Schedule Slot [1...90] refined. AIRCRAFT SCHEDULED is refined into Aircraft Type (Light, Large, Heavy, Unknown), ID, ETA and STA; BLOCKED is refined into Begin Time and End Time. Traffic Density: Low, Average, High, Unknown.]
Transition Conditions are Specified Using AND/OR Tables
[Figure: AND/OR table for the transition INTRUDER.STATUS -> Other-Traffic. Columns are OR-ed alternatives; each row is a predicate: Alt-Reporting in-state Lost; Bearing-Valid; Range-Valid; Proximate-Traffic-Condition; Potential-Threat-Condition; Other-Aircraft in-state On-ground. Cells are T, F or don't-care.]
Description: A threat is reclassified as other traffic if its altitude reporting has been lost (2.13) and either the bearing or range inputs are invalid; if its altitude reporting has been lost and both the range and bearing are valid but neither the proximate nor potential threat classification criteria are satisfied; or the aircraft is on the ground (2.12).
Mapping to Level 2: 2.23, 2.29. Mapping to Level 4: 14.1, Traffic-Advisory.
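The evaluation rule for an AND/OR table (each column is a conjunction of its T/F cells, the columns are disjoined) is small enough to write down, and doing so makes the slide's prose description checkable. This is an added example, not code from the slides or from SpecTRM; OTHER_TRAFFIC_TABLE is my own encoding of the description above, and the row names are the predicates as they appear in the figure.

```python
"""AND/OR table evaluation as used for SpecTRM-RL/RSML transition conditions.
Added example, not from the slides: OTHER_TRAFFIC_TABLE is my own encoding of the
slide's prose description of the INTRUDER.STATUS -> Other-Traffic transition."""

T, F, DC = "T", "F", "."   # DC: don't care

# One row per predicate, one column per alternative; a column is the AND of its
# T/F cells and the columns are OR-ed.  Constructed from the slide's description:
#   col 1: altitude reporting lost and bearing invalid
#   col 2: altitude reporting lost and range invalid
#   col 3: reporting lost, both inputs valid, neither threat criterion satisfied
#   col 4: the other aircraft is on the ground
OTHER_TRAFFIC_TABLE = {
    "Alt-Reporting in-state Lost":       [T,  T,  T,  DC],
    "Bearing-Valid":                     [F,  DC, T,  DC],
    "Range-Valid":                       [DC, F,  T,  DC],
    "Proximate-Traffic-Condition":       [DC, DC, F,  DC],
    "Potential-Threat-Condition":        [DC, DC, F,  DC],
    "Other-Aircraft in-state On-ground": [DC, DC, DC, T],
}

def check_table(table):
    """Well-formedness: every row has the same width and only T/F/. cells."""
    widths = {len(cells) for cells in table.values()}
    return len(widths) == 1 and all(c in (T, F, DC) for r in table.values() for c in r)

def column_holds(table, col, env):
    """A column holds when every non-don't-care cell matches the predicate's value."""
    return all(cells[col] == DC or env[name] == (cells[col] == T)
               for name, cells in table.items())

def firing_columns(table, env):
    """1-based indices of the columns satisfied by env (empty list: no transition)."""
    ncols = len(next(iter(table.values())))
    return [c + 1 for c in range(ncols) if column_holds(table, c, env)]

def reclassify_as_other_traffic(env):
    """env maps each row predicate to its current truth value."""
    return bool(firing_columns(OTHER_TRAFFIC_TABLE, env))
```

Reviewing which columns fire for a given environment is also how one finds overlapping columns (two alternatives true at once), which is worth knowing when the table drives a mode change.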
[Figure: SpecTRM-RL component model. The Component holds a SUPERVISORY MODE, INFERRED SYSTEM OPERATING MODES, INFERRED SYSTEM STATE and CONTROL MODES. Inputs: Control Input from the Supervisor; Measured Variable 1 and Measured Variable 2 from the Sensor; Measured Variable (Feedback) from the Controlled Device. Outputs: Control Command to the Controlled Device; Display Output to the Supervisor.]
Altitude Switch Requirements
Note: This problem was taken from an example by Steve Miller at Rockwell Collins. I have not altered the original example, although I would have designed the switch slightly differently.
The Altitude Switch (ASW) is a reusable component that turns power on to a Device of Interest (DOI) when the aircraft descends below a threshold altitude (2,000 feet) above ground level (AGL). The ASW receives altitude information from an analog radio altimeter and from two digital radio altimeters, with the altitude taken as the lowest valid altitude seen. If the altitude cannot be determined for more than two seconds, the ASW indicates a fault by failing to strobe a watchdog timer. A fault is also indicated if internal failures are detected in the ASW. The detection of a fault turns on an indicator lamp within the cockpit.
The ASW receives a status indication from the DOI indicating whether the DOI is powered on. If the DOI does not indicate that it is powered on within two seconds after power is applied, a fault is indicated by failing to strobe the watchdog timer. The ASW does not apply power to the DOI if the DOI is already powered on. If the DOI is powered off after the aircraft descends below the altitude threshold, the ASW does not reapply power to the DOI unless the aircraft again descends below the threshold altitude.
The ASW also accepts an inhibit signal that prevents it from turning on power to the DOI or indicating a fault. All other ASW functions are unaffected by the inhibit signal. The ASW also accepts a reset signal that returns it to its initial state.
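The requirements above read as a state machine once the two timers, the re-arming rule and the inhibit rule are made explicit. The model below is an added example, not Leveson's or Rockwell Collins' specification: it treats all three altimeters as (altitude, valid) pairs as the prose does, models "descends below" as a crossing from at-or-above to below the threshold, consumes that crossing whether or not power was actually applied, and leaves internal-failure detection (which the text does not define) out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

THRESHOLD_FT = 2000   # AGL threshold from the requirements text
TIMEOUT_S = 2.0       # limit for both undetermined altitude and DOI power-up ack

@dataclass
class AswOutputs:
    doi_power_on: bool     # pulse on the DOI Power-on Signal this step
    strobe_watchdog: bool  # strobing the watchdog means "no fault indicated"
    fault_lamp: bool

@dataclass
class AltitudeSwitch:
    alt_state: str = "Unknown"   # Unknown | Below | AtOrAbove | CannotBeDetermined
    undetermined_s: float = 0.0  # how long the altitude has been undeterminable
    power_wait_s: Optional[float] = None  # seconds since power applied, until DOI acks
    fault: bool = False
    armed: bool = False          # set at/above threshold, consumed by the next descent

    def step(self, altimeters: List[Tuple[float, bool]], doi_on: bool,
             inhibit: bool, reset: bool, dt: float) -> AswOutputs:
        """altimeters: (altitude_ft, valid) per altimeter; doi_on: DOI status signal."""
        if reset:                          # reset returns the ASW to its initial state
            self.__init__()
        power, valid = False, [alt for alt, ok in altimeters if ok]
        if not valid:
            self.alt_state, self.undetermined_s = "CannotBeDetermined", self.undetermined_s + dt
            self.fault |= self.undetermined_s > TIMEOUT_S   # undetermined for > 2 s
        elif min(valid) >= THRESHOLD_FT:   # lowest valid altitude is the one used
            self.alt_state, self.armed, self.undetermined_s = "AtOrAbove", True, 0.0
        else:
            self.alt_state, self.undetermined_s = "Below", 0.0
            if self.armed:                 # a descent below the threshold just occurred
                self.armed = False         # no re-power until the aircraft descends again
                if not doi_on and not inhibit:   # don't power an already-on DOI
                    power, self.power_wait_s = True, 0.0
        if self.power_wait_s is not None:  # waiting for the DOI to report power-on
            self.power_wait_s = None if doi_on else self.power_wait_s + dt
            if self.power_wait_s is not None and self.power_wait_s > TIMEOUT_S:
                self.fault = True          # DOI did not come on within 2 s
        indicate = self.fault and not inhibit   # inhibit suppresses fault indication only
        return AswOutputs(power, not indicate, indicate)
```

Stepping the model through a descent, a DOI drop-out while still below the threshold, and a climb-and-redescend sequence is the quickest way to check that the "does not reapply power" sentence means what the implementer thinks it means.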
[Figure: Altitude Switch interface. Inputs: altitude and status from the Analog Altimeter, Digital Altimeter 1 and Digital Altimeter 2; Inhibit Signal and Reset Signal from the Pilot Interface; DOI Status Signal from the Device of Interest (DOI). Outputs: Power-on Signal to the DOI; Strobe to the Watchdog Timer.]
[Figure: SpecTRM-RL model of the Altitude Switch. SUPERVISORY MODE: Cockpit Controls. OPERATING MODES: Startup, Operational, Fault Detected; Inhibited, Not Inhibited. INFERRED SYSTEM STATE: DOI-Status {On, Off, Unknown, Fault-detected}; Aircraft Altitude {Below-threshold, At-or-above-threshold, Cannot-be-determined, Unknown}; Analog-Alt, Dig-Alt1 and Dig-Alt2 each {Valid, Invalid, Unknown}. Inputs: Analog-Alt-Signal {Below, Above} and Analog-Alt-Status {Valid, Invalid} from the Analog Altimeter; DA1-Alt-Signal and DA2-Alt-Signal INT {-50..2500} with DA1-Status-Signal and DA2-Status-Signal {Fail, NCD, Test, Norm} from Digital Altimeter 1 and Digital Altimeter 2; DOI-status-signal {On, Off} from the Device of Interest (DOI); Inhibit {On, Off} and Reset {T, F} from the Cockpit Controls. Outputs: DOI-Power-On {High} to the DOI; Watchdog-Strobe {High} to the Watchdog Timer; Cockpit Fault Indicator Lamp {On, Off}.]