// =====================================================================
// SensorVoting — Triple Modular Redundancy
// =====================================================================
//
// A minimal sensor system with three redundant sensors and a 2-of-3
// voting logic feeding a single actuator. The TLE is "LossOfSignal"
// — the actuator receives no valid command. Single sensor failures
// are tolerated; only pairwise failures cause a system-level fault.
//
// NOTE(review): the "only pairwise failures" statement describes the
// three sensor channels. The voter output and the Act_Out connection
// are not redundant in this model and carry their own LossOfSignal
// values (see the SF and TF entries near the end), so presumably each
// of them reaches the TLE on its own — confirm against the tool output.
//
// NOTE(review): nothing in this model represents a cause shared by
// channels A, B and C (common supply, shared wiring, one party
// tampering with two sensors). If the AND terms are evaluated as
// independent events, the result is optimistic for such cases —
// confirm how the tool treats this.
//
// Domain: Generic (applicable to any safety-critical system)
// Functions: 4 (fits Lite version, max 10)
// Complexity: Low — ideal as a first example to learn ArchDSL
//
// Copyright (c) 2026 Dr. Wolfgang Freese, Overath (Germany)
// All rights reserved. This file is provided as an example for
// use with MCSA (mcsa.appliedfusa.de).
//

// Top-level function: three sensor inputs, one actuator command output.
// Everything up to the final END FUNCTION is nested inside it.
FUNCTION SensorSystem
    INPUT Sensor_A
    INPUT Sensor_B
    INPUT Sensor_C
    OUTPUT Actuator_Cmd

    // Channel A: one raw input, one output value. Each OIM line pairs
    // an output failure mode with the input failure mode of the same
    // name (presumably "the output fails this way when the input does"
    // — confirm against the ArchDSL reference).
    FUNCTION Sensor_HW_A
        INPUT Sensor_A_Raw
        OUTPUT Sensor_A_Val
        OIM Sensor_A_Val.LossOfSignal.Sensor_A_Raw.LossOfSignal
        OIM Sensor_A_Val.ErroneousHigh.Sensor_A_Raw.ErroneousHigh
    END FUNCTION

    // Channel B: same structure as channel A.
    FUNCTION Sensor_HW_B
        INPUT Sensor_B_Raw
        OUTPUT Sensor_B_Val
        OIM Sensor_B_Val.LossOfSignal.Sensor_B_Raw.LossOfSignal
        OIM Sensor_B_Val.ErroneousHigh.Sensor_B_Raw.ErroneousHigh
    END FUNCTION

    // Channel C: same structure as channel A.
    FUNCTION Sensor_HW_C
        INPUT Sensor_C_Raw
        OUTPUT Sensor_C_Val
        OIM Sensor_C_Val.LossOfSignal.Sensor_C_Raw.LossOfSignal
        OIM Sensor_C_Val.ErroneousHigh.Sensor_C_Raw.ErroneousHigh
    END FUNCTION

    // 2-of-3 voter. Each OIM line ties one Actuator_Cmd failure mode to
    // an AND of that same mode on two channels; the three lines per mode
    // cover the pairs A/B, A/C and B/C. Presumably several OIM lines for
    // one output mode are alternatives (OR) — confirm.
    // The modes are never mixed: no line combines LossOfSignal on one
    // channel with ErroneousHigh on another.
    FUNCTION Voter_2of3
        INPUT Sensor_A_Val
        INPUT Sensor_B_Val
        INPUT Sensor_C_Val
        OUTPUT Actuator_Cmd
        OIM Actuator_Cmd.LossOfSignal.AND(Sensor_A_Val.LossOfSignal; Sensor_B_Val.LossOfSignal)
        OIM Actuator_Cmd.LossOfSignal.AND(Sensor_A_Val.LossOfSignal; Sensor_C_Val.LossOfSignal)
        OIM Actuator_Cmd.LossOfSignal.AND(Sensor_B_Val.LossOfSignal; Sensor_C_Val.LossOfSignal)
        OIM Actuator_Cmd.ErroneousHigh.AND(Sensor_A_Val.ErroneousHigh; Sensor_B_Val.ErroneousHigh)
        OIM Actuator_Cmd.ErroneousHigh.AND(Sensor_A_Val.ErroneousHigh; Sensor_C_Val.ErroneousHigh)
        OIM Actuator_Cmd.ErroneousHigh.AND(Sensor_B_Val.ErroneousHigh; Sensor_C_Val.ErroneousHigh)
    END FUNCTION

    // Connections. Each INT line reads as: connection name, then source
    // function.direction.port, then destination function.direction.port.
    // S_x_1: system input -> sensor hardware raw input.
    INT S_A_1.SensorSystem.IN.Sensor_A.Sensor_HW_A.IN.Sensor_A_Raw
    INT S_B_1.SensorSystem.IN.Sensor_B.Sensor_HW_B.IN.Sensor_B_Raw
    INT S_C_1.SensorSystem.IN.Sensor_C.Sensor_HW_C.IN.Sensor_C_Raw
    // S_x_2: sensor hardware output -> matching voter input.
    INT S_A_2.Sensor_HW_A.OUT.Sensor_A_Val.Voter_2of3.IN.Sensor_A_Val
    INT S_B_2.Sensor_HW_B.OUT.Sensor_B_Val.Voter_2of3.IN.Sensor_B_Val
    INT S_C_2.Sensor_HW_C.OUT.Sensor_C_Val.Voter_2of3.IN.Sensor_C_Val
    // Act_Out: voter output -> system output. This is the only
    // connection after the vote, so it has no redundant counterpart.
    INT Act_Out.Voter_2of3.OUT.Actuator_Cmd.SensorSystem.OUT.Actuator_Cmd

    // Top-level event "LossOfSignal", bound to failure mode LossOfSignal
    // of Actuator_Cmd. ErroneousHigh is modelled throughout the file but
    // has no TLE line here, so it is not a top-level event of this model.
    TLE LossOfSignal.Actuator_Cmd.LossOfSignal

    // Numeric values per failure mode. Units, and whether these are
    // rates or probabilities, are not stated in this file — TODO confirm.
    // ISF entries are attached to the SensorSystem inputs.
    ISF SensorSystem.Sensor_A.LossOfSignal 1.0e-06
    ISF SensorSystem.Sensor_A.ErroneousHigh 5.0e-07
    ISF SensorSystem.Sensor_B.LossOfSignal 1.0e-06
    ISF SensorSystem.Sensor_B.ErroneousHigh 5.0e-07
    ISF SensorSystem.Sensor_C.LossOfSignal 1.0e-06
    ISF SensorSystem.Sensor_C.ErroneousHigh 5.0e-07

    // SF entries are attached to the output of each nested function.
    SF Sensor_HW_A.Sensor_A_Val.LossOfSignal 2.5e-07
    SF Sensor_HW_A.Sensor_A_Val.ErroneousHigh 1.0e-07
    SF Sensor_HW_B.Sensor_B_Val.LossOfSignal 2.5e-07
    SF Sensor_HW_B.Sensor_B_Val.ErroneousHigh 1.0e-07
    SF Sensor_HW_C.Sensor_C_Val.LossOfSignal 2.5e-07
    SF Sensor_HW_C.Sensor_C_Val.ErroneousHigh 1.0e-07
    // NOTE(review): the voter's own values apply to the single
    // Actuator_Cmd output, after the 2-of-3 vote.
    SF Voter_2of3.Actuator_Cmd.LossOfSignal 1.5e-07
    SF Voter_2of3.Actuator_Cmd.ErroneousHigh 1.5e-07

    // TF entries are attached to the INT connection names declared above.
    TF S_A_1.LossOfSignal 5.0e-08
    TF S_A_1.ErroneousHigh 3.0e-08
    TF S_A_2.LossOfSignal 5.0e-08
    TF S_A_2.ErroneousHigh 3.0e-08
    TF S_B_1.LossOfSignal 5.0e-08
    TF S_B_1.ErroneousHigh 3.0e-08
    TF S_B_2.LossOfSignal 5.0e-08
    TF S_B_2.ErroneousHigh 3.0e-08
    TF S_C_1.LossOfSignal 5.0e-08
    TF S_C_1.ErroneousHigh 3.0e-08
    TF S_C_2.LossOfSignal 5.0e-08
    TF S_C_2.ErroneousHigh 3.0e-08
    // Act_Out is the one connection between the voter and the actuator.
    TF Act_Out.LossOfSignal 5.0e-08
    TF Act_Out.ErroneousHigh 3.0e-08
END FUNCTION