Layer2_MMS_SW_SPARK: fix contracts after answers on #26

UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_el-behavior.ads

@@ -16,7 +16,7 @@ package MMS.F_EL.Behavior with SPARK_Mode is
    -- Estimated Values --
    ----------------------
 
-   function Q_Dot return Angular_Speed_Type with Global => Private_State;
+   function Q_Dot return Speed_Type with Global => Private_State;
    
    ---------------------------------------
    -- Behavioural Specification of F_EL --

UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_cm-input.ads

@@ -66,6 +66,9 @@ package MMS.F_PT.F_CM.Input is
    function Mission_Cancelled return Boolean
      renames MMS.F_PT.F_MM.Output.Mission_Cancelled;
    
+   function Ready_For_Takeoff return Boolean
+     renames MMS.F_PT.F_MM.Output.Ready_For_Takeoff;
+   
    ---------------
    -- From F_EM --
    ---------------

UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_cm-output.ads

@@ -22,7 +22,7 @@ package MMS.F_PT.F_CM.Output is
       
    function CP_Displays return CP_Displays_Type is
      (CP_Displays_Type'
-        (Ready            => True, --  This register is not loaded at increment 1 ???
+        (Ready            => MMS.F_PT.F_CM.Input.Ready_For_Takeoff,
          Cancelled        => MMS.F_PT.F_CM.Input.Mission_Cancelled,
          Complete         => MMS.F_PT.F_CM.Input.Mission_Complete,
          Aborted          => MMS.F_PT.F_CM.Input.Mission_Aborted,

UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-behavior-guarantees.ads

@@ -16,21 +16,15 @@ package MMS.F_PT.F_MM.Behavior.Guarantees with SPARK_Mode is
        and then On_State = RUNNING
        and then Running_State = TAKE_OFF);
 
-   function Initial_Energy_Check_Succeeded return Boolean is
-     (Power_State = ON
-      and then On_State = INIT
-      and then Initial_Energy_Compatible_With_Mission);
-
-   function In_Flight_Energy_Check_Failed return Boolean is
-     (Power_State = ON
-      and then On_State = RUNNING
-      and then Running_State = FLIGHT
-      and then Current_Flight_Phase = CRUISE
-      and then not In_Flight_Energy_Compatible_With_Mission);
+   function Mission_Aborted return Boolean is
+      (Power_State = On
+       and then On_State = ABORTED);
 
    function Mission_Cancelled return Boolean is
       (Power_State = On
-       and then On_State = CANCELLED);
+       and then On_State = INIT
+       and then Init_State = CANCELLED)
+   with Global => Private_State;
 
    -----------------------------------
    -- High-Level Garantees for F_MM --
@@ -43,19 +37,23 @@ package MMS.F_PT.F_MM.Behavior.Guarantees with SPARK_Mode is
       --  incompatible with mission completion.
 
       (if In_Take_Off_State and then not In_Take_Off_State'Old then
-         Initial_Energy_Check_Succeeded'Old)
+         Initial_Energy_Compatible_With_Mission)
 
       --  6.6.3.B Any mission cancellation is signaled to CP and GS.
 
+      and then
+       (if Mission_Aborted and then not Mission_Aborted'Old then
+           Mission_Aborted_Signaled)
       and then
        (if Mission_Cancelled and then not Mission_Cancelled'Old then
-           Mission_Cancellation_Signaled)
+           Mission_Cancelled_Signaled)
 
       --  6.6.3.2.A Missions cancelled for energy reasons can be proven
       --  infeasible.
 
       and then
-       (if Mission_Cancelled and then not Mission_Cancelled'Old then
-           In_Flight_Energy_Check_Failed'Old);
+       (if Mission_Aborted and then not Mission_Aborted'Old
+          and then Aborted_For_Energy_Reasons
+        then not In_Flight_Energy_Compatible_With_Mission);
 
 end MMS.F_PT.F_MM.Behavior.Guarantees;

UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-output.ads

@@ -12,6 +12,8 @@ package MMS.F_PT.F_MM.Output is
    
    function Mission_Aborted return Boolean with Global => Output_State;
    
+   function Ready_For_Takeoff return Boolean with Global => Output_State;
+   
    -------------
    -- To F_EL --
    --------------