-- SMV-style model of a single state variable that moves between
-- nonbusy, busy and error, with a safety property stating that error is
-- never reached.
-- NOTE(review): the exact dialect is not identifiable from this file
-- (undeclared `oracle`, `name[2]` declarations); confirm that `--` comments
-- are accepted by the target tool.
VAR
  
  -- presumably `[2]` is a bit width (2 bits, values 0..3) -- TODO confirm
  -- NOTE(review): busy, nonbusy and error are declared here and also given
  -- constant values under DEFINE; stricter SMV dialects reject a name that
  -- is both a VAR and a DEFINE -- verify this is intended for the target tool.
  busy[2]
  nonbusy[2]
  error[2]

  state[2]

DEFINE
  
  -- Symbolic names for the three state encodings used below.
  -- The value 3 is representable in state (if it is 2 bits wide) but unnamed.
  nonbusy := 0;
  busy := 1;
  error := 2;

ASSIGN
  
  -- The machine starts in nonbusy.
  init(state) := nonbusy;
  -- `oracle` is not declared in this file; presumably it is a free
  -- (nondeterministic) boolean supplied by the tool -- TODO confirm.
  next(state) :=
    case
      -- From nonbusy: go to busy when oracle holds, otherwise stay nonbusy.
      state = nonbusy :
        case
	  oracle : busy;
	  1 : nonbusy;
	esac;
      -- From busy: go to error when oracle holds, otherwise return to nonbusy.
      state = busy :
        case
	  oracle : error;
	  1 : nonbusy;
	esac;
      -- Any other value (error, or the unnamed encoding) is held unchanged,
      -- so error has no outgoing transition once entered.
      1 : state;
    esac;

SPEC
  
  -- Safety invariant: on every path, in every reachable state, state is
  -- not error.
  -- NOTE(review): nonbusy -> busy -> error is possible whenever oracle holds
  -- on two consecutive steps, so this property can only hold if oracle is
  -- constrained elsewhere; if oracle is unconstrained the checker should
  -- report a counterexample. Confirm which outcome is the expected one.
  AG state != error
