This part of my site contains partly baked ideas (PBI). It has drafts for publications, essays, plus illustrations and visual aids for presentations and seminars.

Disclaimer. CSUSB and the CS Dept have no responsibility for the content of this page.

Copyright. Richard J. Botting ( Fri May 12 15:34:05 PDT 2006 ). Permission is granted to quote and use this document as long as the source is acknowledged.

An Example of Formal Analysis: The Lift Problem

Status: Working Paper

There are archival copies at [ rjb9Xa.lift.html ] [ rjb9Xa.lift.mth ] (raw) and [ rjb92a.lift ]

Notation This document was prepared using my [ MATHS in research ] notation. This notation can be converted into other text formats including HTML. So far there is a prototype mth2html program.

In the raw form (a *.mth file) the document starts out as a list of "bulleted" headlines. Headers have a '.' in the first column. Sections start with .Open and end with .Close.

Introduction

Notes on notation and the process of formal analysis will be prefixed by 'Note: topic'.

The sample problem is called the "Lift Problem" in the literature. I first met it in a prototype Jackson System Development(JSD) course in England when the British Civil Service College was in the process of selecting a standard method of analysis and design in 1979-81. I started it afresh in the summer of 1985 using Telos's "Filevision"( visual data base. I demonstrated the result at the international workshop on software specification and design in September 1985. In the summer of 1987 I reworked the model and transcribed it into regular expressions. I published the result as part of the papers for the 1987 workshop. In 1989, on sabbatical, I removed some complications and presented it at EXPOSIM'89 at the Monterey Institute of Technology in Mexico(ITESM), Torreon, Coah., Mexico.. This presentation developed from a chapter in a monograph on a notation for organizing documentation that has mathematics in it. This was revised in April 1993. The notation was modernized in 1998. This latest revision started in December 2004.

My goal is to show how to develop a mathematical model of a situation as a basis for formal requirements, specifications, designs, and implementations. The key idea is not solving non-problems, and not assuming things that are false. My approach is to establish a semi-formal language for talking about the domain and its problems. Once this in place we can discuss ways of solving any problems and so ways to implement the solutions.

The Lift Problem

Description

down

Facts

There are two elevators, call them elevators a and b.
There are five floors numbered 1, 2, 3, 4, and 5.
Each elevator has buttons inside it. Five of these are labeled with the numbers of the floors.
The top floor (number 5) has one "Down" button.
The ground floor (number 1) has a single "Up" button.
Floors 2,3, and 4 have both "Up" and "Down" buttons.
You push one of the numbered buttons in an elevator if you want to the elevator to go to the floor and stop.
You push one of the buttons on the floors if you want a a lift to come to your floor, stop, and then continue in the direction indicated.

meta-data

But at any time a number of facts are true. But these change every now an then. For example, at one time:

Elevator a is at Floor 1.
Elevator b is moving up between Floor 3 and Floor 4.

Elevator a is moving up between Floor 1 and Floor 2.
Elevator b is at Floor 4.

Elevator a is moving up between Floor 2 and Floor 3.
Elevator b is moving down between Floor 4 and Floor 3.

There are also "facts" relating to what people want:

You push one of the numbered buttons in an elevator if you want to the elevator to go to the floor and stop.
You push one of the buttons on the floors if you want a a lift to come to your floor, stop, and then continue in the direction indicated.

Expressing Facts Mathematically

People

We have a finite sets of elevators, floors and buttons. Let the set of floors be called F. Let n be the number of floors. Let E represent the set of elevators. Let m be the number of elevators. Let B represent the set of buttons.

In MATHS the above paragraph is documented like this:

Elevators::Finite_Sets,
Floors::Finite_Sets,
Buttons::Finite_Sets,
B::=Buttons,
E::=Elevators,
F::=Floors,
m::=|E|,
n::=|F|.
-- the number of elements in set E is |E|=Card(E).
Note: Declarations and Definitions The above statements have declarations (with a two colons ) and definitions (with the BNF two colons and an equals sign). A declaration defines a symbol as a member of a set without giving it any particular value. A definition makes a symbol stand for something else. Mathematical variables are introduced as abbreviations for words taken from the problem. B, E, F represent sets and may ultimately be implemented as entity types, abstract data types, or classes of objects.
Note: Abbreviations Much of the power of mathematics comes from the use of short symbols in place of complex words and ideas. This lets them be written, read, and thought quickly. Add some rules to manipulated them and you get the power of algebra. However, the symbology of mathematics introduces an initial bump in the road for people who have not used the notation before. It is wise to say things in both long and short form, and then add a diagram.
We also record all assumptions (axioms) that we make. If we think about buildings and elevators we can be certain that there is at least one elevator, and at least two floors. In symbols we have axiom or assumption e1:
|- (e1): n >= 2 and m>= 1.
Axioms The sign in front of the above formula is short for "It is asserted that". It is placed in front of formulas that are taken to be true in the remainder the current context. In the above case e1 is assumed throughout this document. The assertion symbol comes from [WhiteheadRussell66]. It is also used in Ina Jo [WingNixon89]. In Maths it is also used to indicate proved results or theorems as well as formula that are assumed.

Special Kinds of Button
There are two distinct types of button - floor selection buttons inside elevators and the call elevator buttons on the floors outside the elevators.
G::@B=Buttons inside elevators that select floors.
H::@B=Buttons on floors for calling lifts to floor.
Note: Subsets The "@" means "set of" (\power-set ). The above states that G and H are special kinds of buttons (B). This is close to the idea of inheritance or generalization used by object-oriented people.
Note: Verbalizations It is helpful to associate a name with a phrase. The above descriptions show one way of doing it. In raw MATHS I use reversed quotes:
```
 		`...`
```
to indicate statements in other languages than mathematics. This gives a natural language translation of the term. These strings allow us to write designations relating our symbols to the things that they symbolize. They help people understand what the mathematics means.
Now a button is either inside an elevator, or outside. Of course, a button can not be both inside (G) and outside(H) an elevator. So buttons(B) are partitioned into those inside(G) and those outside elevators (H). I show that B is partitioned into G and H like this:
|- (e2): B >== { G, H }. Note: Partitions A partition is a set of subsets whenever two or more subsets do not overlap. Their is no standard mathematical notation to indicate this. I've been using ">==" for nearly 30 years.

Buttons outside elevators have up and down on them.
The buttons outside the elevator ( H ) are labeled with one of two directions. Here is the mathematical definition:
Directions::Finite_Sets.
|- (e2a): |Directions| = 2.
D::=Directions.
Up::Directions.
Down::Directions.
(e2b): Up <> Down.
The above properties and definitions let use prove
(above) |- (e2c): Directions={Up, Down}.
Note: Notation for reasoning In the above line you are shown the reasons for the truth of the statement:
```
 		(list of reasons)|-(label): consequence.
```
It states that the formula can be derived from listed formulas. The proof may be included in a document, (click the assertion symbol to see if a proof is attached) or be omitted depending on the audience and the risks of errors. It can be as formal as we like, and can be at any level of abstraction. The formal rules are documented elsewhere.

Up and Down Buttons
Up and Down are not floors, and so are not in F:
|- (e3): Up and Down not_in F.

Labels on buttons
When we look at a button outside an elevator we see a label reading either Up or Down. Inside an elevator the labels on the buttons identify floors.
Labels::= F | D.
L::=Labels.
Each Button has its own label, so there is a function l that takes each button b in B into a unique label in L. We write the label on b as l(b). We call l a function, map, or mapping:
l::B->L=the label on button (_).
Here are some properties we can derive from the definition of l:
(l) |- (e4): For all b:B, l(b)=the label on button b.
(l) |- (e5): for all b:B, l(b) =b.l.
Note: Many to one functions The set of all maps from A to B is shown as A->B. A is called the domain (dom) and B the co-domain (cod). Both l(b) and b.l show the result of applying the function l to element b. I think of the application process as filling in the holes in an expression. I indicate a "hole" like this: "(_)". There is also a version of the lambda notation:
(l) |-l = fun[b](the label on button b).
Note: Maps Functions like l are also called maps and mappings. They are total many-to-one relations. They describe the structure of the problem domain and are used to document requirements and specifications. Functions are often implemented as the operations in abstract data types and/or methods of objects. Functions can also become navigation paths through a data base or set of data structures. Thus maps and sets define the structure shared by the solution and the problem's environment.
Note: Overloading I also overload maps so that they also to apply to sets, so:
(STANDARD) |-for all f:A->B, X:@A, f(X) = X.f = {b:B || for some x:X (b=a.f )}.

Properties of labels on buttons
We can state the following axioms:
|- (e6): l(G) = F -- buttons in elevators are assumed to have floors as labels.
|- (e7): l(H) = D -- labels of buttons outside the lift are assumed to be directions.
Note: inverse functions I use the '/' symbol to reverse the direction of a map or relation. If a function f maps from A->B then /f maps subsets and elements in B into subsets of A. In general:
(STANDARD) |-for f:A->B, b:B, b./f= /f(b)={a:A || a.f = b},
(STANDARD) |-for f:A->B, Y:B, Y./f=/f(Y)={a:A || a.f in Y}.

"Labeled"
For example:
(above) |-for all y:Buttons, /l(y)=y./l =buttons labeled y.
We can prove properties of buttons - for example a button outside a lift has either an Up or a Down on it, not a floor's name:
(e7) |- (e8): H=D./l.
(e6) |- (e9): G=F./l.

Relationships
The map l is equivalent to a relation between buttons and labels. If we decompose l into a relation between H and D, plus a relation between G and F then we discoverer that there are n-1 Up buttons and n-1 Down buttons. Further each floor appears as a label on exactly m buttons (one per elevator):
|- (e10): l in H(n-1)-(1)D,
|- (e11): l in G(m)-(1)F.

Systems Analysis by Stating the Obvious
Formal analysis proceeds primarily by stating the obvious. For example, each floor button is on one floor and each button in an elevator is in one elevator. This is an example of a common type of relationship - `is a part of`. Here is the formal documentation of 'P', the relation between an object and the object to which it is attached:
P:: @(B, F|E) = (1st) is part of the (2nd).
For b:B, u:F|E, b P u=b is a part of u.
For b:B, b.P=the elevator b is in or the floor b is on.
For x:F|E, x./P=the buttons that are parts of x.
F./P=the buttons placed on floors,
E./P=the buttons placed inside an elevator.
We assume that each part is in (or on) one other object:
|- (e12): P in B->F|E.
After examining some elevators we add the following properties of 'parts of` (/P) and 'labeled'(/l) as assumed (or defining) properties:
|- (e13): G = E./P = F./l,
|- (e14): H = F./P = D./l,
|- (e15): P in H(1..2)-(1)F | G(n)-(1)E,
Note: (n)-(m) Relations Expressions like A(n)-(m)B represent sets of relations - those that link 1 A with m Bs and 1 B to n As. Bachman designed a diagram for documenting collections of sets and relations [Bachman69]. There are several varieties [Chen80], [MartinMcClure85], [Wiederhold77], [WardMellor85]. The UML notation unifies these concepts with object-oriented modelling. For systems and requirements analysis I use only the simplest form - a Conceptual Model [SSADM circa 1980] or Conceptual Structure [Carasiketal90]. Boxes represent sets and lines show mappings (=attributes). The boxes are placed so that the mappings run from lower boxes to higher ones - this makes the diagrams easier to read [MartinMcClure85]. Symbols at the bottom of a line show the range of sizes of inverse images under the map - this is used to validate the model[SSADM]. .UML Net{f:A(n..m)-(1)B}. .UML Net{f:A(n)-(1)B}.
A binary relation R is equivalent to a set of pairs X (in @(A><B)) and an n-ary one to a set of n-tuples. Many-many relations are shown as sets of objects plus maps - a restriction that starts to 'normalize' the model [Codd70] and [Codd82]. Now a relation is in A(n)-(m)B iff there is a set X in @(A><B) such that A(1)-(m)X(n)-(1)B. .UML Net{A(1)-(m)R(n)-(1)B}
Even complex systems of relationships can be modeled using sets and functions. For the elevators we have: .UML Net{Elevator, Button, Floor, Direction, Button_in_elevator, Button_on_floor}
Abstracting a formal model of a system proceeds by stating the obvious. Boring truths are certain truths. Simple facts, sets, and maps determine the set of logically correct data structures or data bases.

Dynamics
So far we have documented the unchanging or static properties of the elevators. We now look at varying properties - the dynamics of elevators. A dynamic system is imagined to have a state that varies with time. A set of possible states is often called a state-space . If a dynamic has one or more parts then each has its own a state. The state-space of the whole has components (or dimensions) for each of its parts. When a system has many similar parts, the state of the whole is an n-tuple. Often a systems state is also constrained to lie within a subset of the product space of its components. Now a system needs an internal model of the any system it controls and this implies a homomorphism connecting them [Beer74] [RossAshby57]. So the abstract model of a system to be controlled or monitored reveals the structure of the software that controls or monitors it [Jackson78].
To describe the state of the whole "Lift System" we define the state of each elevator and button. At any time a button has either been pushed to request a service, or it has not been pushed or if pushed then the request has been serviced since the last push. Therefore we define R::@B=buttons with outstanding requests for service,
(above) |- (e16): R&G= requests for a lift to come to a floor.
(above) |- (e17): R&H= requests for lifts to go to a floor.
S::@B=buttons with no outstanding requests for service
(above) |- (e18): B>=={R,S}, -- some buttons have requests, others don't.
(above) |- (e19): S&G=serviced elevator call buttons.
(above) |- (e20): S&H=serviced go to floor buttons.
Hence we can formulate concepts like:
The buttons on floors with requests to go up = R & Up./l.
The buttons on floors without requests to go up = S & Up./l.
The buttons in lifts with requests to go to floor = R & Up./l.
The floors with up requests = (R & Up./l).P.
We can also prove that
(above) |- (e21): R&H & Up./l= R & Up./l

Universe of Discourse
We will need to make a model of the positions of the elevators and other objects. Let U be the universe of discourse - the set of all objects we are discussing:
U::Sets=The universe of discourse.
|- (e22): U>=={E,F,B}.

Heights
In the elevator problem we will need to reason about the relative heights of objects:
For u1,u2:U, u1>u2::@= u1 is above u2.
One of the main benefits of using mathematics in analysis and design is using known results. Thus we look at elevators and talk to our clients and users and verify the following axioms :
|- (h1): u1<u2 iff u2>u1.
|- (h2): if u1>u2>u3 then u1>u3.
|- (h3): Exactly one of u1<u2, u1=u2, or u1>u2 is true. .Higraph Net{U, U><U>=={(<), (=), (>)}.}
This means that < is a linear order on U. From the theory of linear orders we know that we can model the relation by associating a number with each object. We can assume that the floors are vertically above each other and inside a finite building. We can model height as a set of real numbers called 'X':
X::@Real=Heights of Objects,
x0::=min X,
x0 is the minimum height - just above the height of the bottom of the building.
x1::=max X,
x1 is the maximum height - just below the height of the top of the building.
Assume that there are no holes in the lift shaft:
|- (e23): X={x:Real | x0<=x<=x1}.
Assign a height x(u):X to all objects u:U that are in the problem,
x::U->X=the height assigned to (_).
This is not the "real" height, but an assigned height - for example buttons are assigned the same height as the object to which they are attached,
|- (e24): for all s:E | F, Button b where b P s (b.x = s.x).
Notice that we can always use a map to 'pull back' properties from its co-domain into its domain. Define ' above/equal/below' relations in U (the dom(x)) as the inverse image of 'less than/equal/greater than' in the X dimension(cod(x)):
|-for u1,u2:dom(x) ( u1>u2 iff x(u1)>x(u2) ),
This last is written (>)::@(U><U)=(>/x),
(above) |- (e24): x in (>) U->X.
Therefore for all heights h between x0 and x1 we can define the next floor above and next floor below a height,
next_above::X->F=(min{f:F || x(f)>(_)}),
next_below::X->F=(max{f:F || x(f)<(_)}),
(above) |- (e25): next_above and next_below in X (some)-(0..1) F.

Times
Now, the position of moving objects (like elevators and the buttons in them) depend on the time. We can symbolize the set of times by T and we will assume the following properties for it:
Times::linear_ordered_set(<),
T::=Times, for t1,t2:T, t1 < t2::@= time t1 is before t2.

Reusable Specifications on the Net
Now a linear order is a standard part of mathematics. A library of standard mathematics is vital resource. Software Engineers need a library of documentation for fundamental ideas like order, time, number, arithmetic, calculus, sequence, tree, list, space, group, and so on. Manuals and source code are already shared by Electronic Mail or anonymous FTP. Ideas also need to be shared. In this case much of the formal theory of orderings is already online: [ math_21_Order.html ] We need a much larger Internet library of formal systems like this!
In my work a set of declarations, assertions, theorems, comments and definitions is reusable if it is named. For example a linear ordered set is documented as a "net" of variables and properties like this:
LOSET::=following
Net
1. T::Sets, A Linearly Ordered set. (<)::infix(T,@,@).
2. |- (L0): Strict_partial_order(T,<).
3. ...
4. (above) |- (Ln): For some m:T->Real, m in (T,<)->(Real,<).
(End of Net)
The ellipsis (...) above hides unwanted details.
Given a set of documentation called N then $ N is a set of objects that satisfy the documentation. For example:
(T, Times) |- (e26): (T, <) in $ LOSET.
This declares a set T with relations(<,>,<=,>=) and imports its axioms from the library. Similar ideas are used in most formal documentation systems - Z, Lotos, Ina Joe, ....
Returning to the dynamics of elevators, a common convention omits the ts (Times) from definitions and assertions that hold at all possible times. I will do this from now on. We might assume that an elevator is always at a unique floor, but there exist times when it is between floors. When a lift is between floors it should be moving in a particular direction, and when moving it should not be 'at' a floor. If a lift ceases to move between floors then something is wrong with it. In other words a particular lift is either moving in a direction, stopped at a floor, or out of service. It would be incorrect to document movement as a map from Elevators into Directions, because stationary Elevators are not moving in a Direction.
is_moving:: E (0..*)-( 0..1) D,
at:: E ( 0..m)-(0..1) F.
|- (e27): For all e:E ( for some d:D( e is_moving d ) or for some f:F ( e at f ) ).

Note: optative mode The above is a nice example of what Michael Jackson calls a statement that is in the optative mood. The term comes from Alonzo Church's terminology for the logic of wishes. Statements in this mode are statements that we want to be true of our system when our designed machine or improvement is correctly installed in the system. We can not expect randomly moving elevators to avoid stopping between floors and trapping their passengers, so we must require our controller to enforce this unnatural rule. In the SCR method NAT is the set of statements describing the behavior of the natural world and REQ are the statements describing the required world. Jackson notes that if SPEC describes the software system and we have written it correctly then we expect to be able to prove the following:
if SPEC and NAT then REQ.

Velocities
The elevator's movement should be smooth to keep the passengers happy. Therefore we can talk about the velocity of the lift - the rate of change of the height with respect to time. Model velocities by another variable (y). We can assign the velocity of zero to floors - since they do not move. Thus for all objects u, we have a velocity y(u),
velocities::=Real,
Y::=velocities,
y::U->Y.
|- (e28): For all u:E, u.y=d(u.x)/dt.
|- (e29): For all u:F, u.y=0, -- floors don't move.
|- (e30): For all u1, u2:U, if u2 P u1 then u2.y=u1.y,
--parts have same velocity as the whole.
Using x and y we can define what it means to service a request for a floor:
|- (e31): If elevator e services floor f at time t then f.x=(e(t)).x and (e(t)).y = 0.

Events in the Life of an Elevator
In this problem, we are only interested button pushes and buttons being serviced. Thus each significant event has two components - the button and the type of event (pushed or serviced).
events::Sets,
V::=events,
|- (e32): V=B><W. -- Events involve pushing or servicing buttons, where W::Finite_Sets=Types of events occurring to buttons,
pushed::W,
serviced::W,
p::=pushed,
s::=serviced,
|- (e33): W={p,s}.
Let v::T->V,
|- (e34): for all t:T, b:B, v(t)=(b,p) iff b is pushed at time t,
|- (e35): for all t:T, b:B, v(t)=(b,s) iff b is serviced at time t.
The significant patterns of events in the life of an button are defined by this grammar [Botting87a], [Botting87b]:
For b:B.
Button_life_history(b) ::= #Request(b),
Request(b) ::= Push(b) #Push(b) Service(b),
Push(b) ::={(b,p)},
Service(b) ::={(b,s)},
(STANDARD) |-For all A, #A= ( {""} | A #A), ... .
Jackson has shown that detailed code can be derived from grammars like this [Jackson75], [Jackson83], [Cameron84], [Cameron86], and [Cameron89].
Requirements::=following,
Net
1. |- (R1): All requests are ultimately serviced:
2. for all t1:T, b1:B, if v(t1)=(b1, p) then for some t2:T(t1<t2 and v(t2)=(b1, s) ).
3. |- (R2): No request is serviced more than once:
4. for all t1, t2:T, b:B, if t1<t2 and v(t1)=v(t2)=(b,p) then for 0..1 t:t1..t2( v(t)=(b, s)).
5. |- (R3): ...
(End of Net Requirements)
The three dots (elision) show that part of the set of requirements has been hidden (elided).

Why Buttons are labeled Up and Down
We have abstracted a model of 'Up' and 'Down', but we have not explained why there are up and down labels on the buttons on the floors of the building. Now if we talk to some users we find that they prefer to get on an elevator that is going in the right direction even though the elevator is stationary at the time. Or perhaps we look at some elevators and we see that they have lights indicating a direction - even when they are stationary. We therefore add a third dimension to our state space - Z={Up, Down, 0} and assign a value ( z(u)) in Z to each the object u:U.
Z::=D|{0}, z:U->Z,
z::E->Z=current direction of elevator (_),
z::F->Z= (0),
z::B->Z= (if (_) in H then (_).l else 0).

State Space
Every object in U has 3 co-ordinate values (x,y,z) in a 3 dimensional space - call it XYZ:
XYZ::=X><Y><Z,
xyz::U->XYZ=fun[r](r.x, r.y, r.z).
|- (e36): For all u:U, u.x=u.xyz.1st and u.y=u.xyz.2nd and u.z=u.xyz.3rd.
|- (e37): For all f:F, xyz(f)=(f.x, 0, 0), - floors don't move!
|- (e38): For all u:U~H, r: u./P ( xyz(u)=xyz(r) ).
We can now state a desirable property of elevators: When elevators are moving then they should be moving in the desirable direction:
|- (e39): For all e:Up./z (y(e)>=0) and for all e:Down./z(y(e)<=0), or equivalently:
|- (e40): For all e:E, if z(e)=Up then y(e)>=0 else if z(e)=Down then y(e)<=0.
The next step is to derive the sequence in which each lift/elevator can service buttons in terms of xyz coordinates from the physical limits on how fast elevators can stop and start. From here it is easy to describe how the sequence changes as events occur and use it to define a strategy for deciding which elevator is allocated to serve buttons. Implementation of these relations is discussed elsewhere [Botting85].

. . . . . . . . . ( end of section The Lift Problem) <<Contents | End>>

Conclusions

In general Formal Analysis proceeds by stating the obvious. Simple facts determine the set of logically correct structures. In my monograph I argue that grammars, dictionaries and sets of sequences are useful for documenting the data (data dictionaries). The same theory helps define the dynamics (entities, events and patterns) in a situation. Sets and functions describe the structure of the problem domain and are used to document requirements and specifications. These sets and functions define entity types, abstract data types, classes of objects, and/or paths through the data structures and data base. Thus maps and sets define the structure shared by the solution and the problem's environment.

Projects that use mathematics and logic can "zero-in" on the best software. First: Define things that appear in the description of the problem and (1) are outside the software, (2) interact with the software, and (3) are individually identifiable by the software. Second: Define events, entities, identifiers, relationships, attributes, facts, and patterns. .Figure Zeroing In

These initial steps are an exercise in stating the obvious. Facts are recorded and verified by experts and from observation. When the obvious facts are not enough then hypotheses need to be introduced and theories constructed. The Scientific Method is an effective way to develop a mathematical theory or model of the situation. If a system interacts with another system then it will have an internal model of the other system. Abstracting a formal model of the external system reveals a natural internal structure and so a structure for a design. Computer Science already teaches the techniques to implement the designs plus the calculus of sets, maps, and relations used for this purpose.

Because the model is abstract it is more reusable than computer oriented documentation. Further it can refer to abstract models developed by mathematicians: ordering, topology, algebra, geometry, etc. These are highly reusable. Because the syntax is formal it also possible to extract information from the document using comparatively stupid tools. These tools can produce variously rendered forms of the same ideas (diagrams, HTML, SGML, \Tex, ...). Questions can be answered by simply searching the raw documents as well.

The models are used to validate requirements, specifications, designs, algorithms, data structures, and data bases.

Links

STANDARD::= See http://www.csci.csusb.edu/dick/maths/math_11_STANDARD.html.
mth2html::= See http://www.csci.csusb.edu/dick/tools/mth2html.
Proof of e2c

Let
1. Directions in Finite_Sets.
2. |-|Directions| = 2.
3. Up in Directions.
4. Down in Directions.
5. |-Up <> Down.
  We have two Directions, and Up and Down are two different elements in that set. So
6. (above) |-Directions = { Up, Down}.
(Close Let )

. . . . . . . . . ( end of section An Example of Formal Analysis) <<Contents | End>>

Contents

An Example of Formal Analysis: The Lift Problem

Status: Working Paper

Description

Facts

Proof of e2c

End