Layer2_MMS_SW_SPARK: Reorganize F_FC behavior

0c53c4fd · Claire Dross · d821e7d5 · 0c53c4fd · 0c53c4fd · 0c53c4fd
Commit 0c53c4fd authored Jul 06, 2017 by Claire Dross
9 changed files
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/DESIGN.txt
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/DESIGN.txt
@@ -42,6 +42,8 @@ ACTIVITIES:
      A. Additional assumption: Translated into types (validity of inputs).
      6.6.3.1
      A. Additional guarantee: Translated as a postcondition.
+      6.6.4
+      Behavioural Specification: Mostly translated as contracts. Parts involving calculations or update frequencies have been kept as comments. Notably missing, external and internal disturbances (linked to weather conditions and AV behavior).
    - MMS.F_PT.F_EM:
      6.8.3.1
@@ -61,6 +63,15 @@ ACTIVITIES:
      7.3.2:
      Guarantees A, B: Not tranlated (linked to weather conditions)
+    - MMS.F_FC:
+      6.7.3.1:
+      Assumption A: Not tranlated (linked to measurements)
+      Assumption B: Input safety assumptions are automatic
+      Assumption C: Not translated, F_FC does not have the necessary inputs.
+      6.7.3.2:
+      Guarantees A, B, C: Not translated (linked to weather conditions and mechanical body behavior)
+      Guarantees D, E: Translated as postconditions.
  * Verifications:
    The SPARK toolset can be used to check that:
    - Ada contracts are consistent. If it is a case by case contract, SPARK can check that all cases are covered and that no two cases can apply to the same inputs. If some properties or some information can only be accessed in some cases, these cases can be expressed as preconditions on property or information functions and SPARK will check that they are always used in valid context.

--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-behavior-guarantees.adb
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-behavior-guarantees.adb
+with MMS.F_PT.F_FC.State;
 package body MMS.F_PT.F_FC.Behavior.Guarantees with SPARK_Mode is
   procedure Run is
   begin
-      MMS.F_PT.F_FC.Behavior.Run;
+      Update_State;
+      if Mission_State in FLIGHT | LANDING then
+         Propulsion_Braking_Mutual_Exclusion;
+         Reference_Trajectory_Computation;
+         Gain_Scheduling;
+         if Engine_State = PROPULSION then
+            Propulsion_Control;
+            State.Braking_Torque := 0.0;
+         elsif Engine_State = BRAKING then
+            Braking_Control;
+            State.Propulsion_Torque := 0.0;
+         else
+            State.Braking_Torque := 0.0;
+            State.Propulsion_Torque := 0.0;
+         end if;
+      end if;
   end Run;
 end MMS.F_PT.F_FC.Behavior.Guarantees;
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-behavior-guarantees.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-behavior-guarantees.ads
@@ -15,10 +15,12 @@ package MMS.F_PT.F_FC.Behavior.Guarantees with SPARK_Mode is
   range BRAKING .. WAITING_PROP;
   function Engine_State_In_Braking return Boolean is
-     (Mission_State = FLIGHT and then Engine_State in Braking_State_Type);
+     (Mission_State in FLIGHT | LANDING
+      and then Engine_State in Braking_State_Type);
   function Engine_State_In_Propulsion return Boolean is
-     (Mission_State = FLIGHT and then Engine_State in Propulsion_State_Type);
+     (Mission_State in FLIGHT | LANDING
+      and then Engine_State in Propulsion_State_Type);
   -----------------------------------
   -- High-Level Garantees for F_FC --
@@ -27,7 +29,7 @@ package MMS.F_PT.F_FC.Behavior.Guarantees with SPARK_Mode is
   procedure Run with
     Post =>
-     --  6.7.3.2.D Propulsion and  braking torque actions are in mutual
+     --  6.7.3.2.D Propulsion and braking torque actions are in mutual
     --  exclusion.
     (if (Engine_State_In_Propulsion'Old and then Engine_State_In_Braking)
@@ -40,6 +42,7 @@ package MMS.F_PT.F_FC.Behavior.Guarantees with SPARK_Mode is
     and then
       (if Mission_State = ABORTED and then Mission_State'Old /= ABORTED
+           and then Aborted_With_Propulsion_Available
        then Time_Since_In_Safety_Escape > MMS.F_PT.F_FC.Data.Escape_Time);
 end MMS.F_PT.F_FC.Behavior.Guarantees;
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-behavior.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-behavior.ads
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-input.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-input.ads
@@ -39,5 +39,8 @@ package MMS.F_PT.F_FC.Input is
   function Mission_Range return Current_Range_Type
     renames MMS.F_PT.F_MM.Output.Mission_Range; 
+   function Emergency_Landing return Boolean 
+     renames MMS.F_PT.F_MM.Output.Emergency_Landing;
 end MMS.F_PT.F_FC.Input;
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-state.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-state.ads
+private
+package MMS.F_PT.F_FC.State is
+   Propulsion_Torque : Torque_Type with Part_Of => Propulsion_State;
+   Braking_Torque : Torque_Type with Part_Of => Braking_State;
+end MMS.F_PT.F_FC.State;
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc.ads
 with Types; use Types;
-package MMS.F_PT.F_FC with Abstract_State => (Private_State, Output_State) is
+package MMS.F_PT.F_FC with
+  Abstract_State => (Input_State,
+                     Trajectory_State,
+                     Private_State,
+                     Mutual_Exclusion_State,
+                     Gain_Scheduling_State,
+                     Propulsion_State,
+                     Braking_State,
+                     Output_State)
+is
   pragma Elaborate_Body (MMS.F_PT.F_FC);
   type Flight_Cell_Center_Type is record
@@ -25,4 +34,9 @@ package MMS.F_PT.F_FC with Abstract_State => (Private_State, Output_State) is
   type Time_Type is new Integer; --  in s ??? some bounds
+   type Mission_State_Type is (INIT, FLIGHT, LANDING, ABORTED, COMPLETE);
+   type Engine_State_Type is
+     (PROPULSION, WAITING_BRAK, BRAKING, WAITING_PROP);
 end MMS.F_PT.F_FC;
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-behavior-guarantees.adb
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-behavior-guarantees.adb
@@ -41,12 +41,14 @@ package body MMS.F_PT.F_MM.Behavior.Guarantees with SPARK_Mode is
               if On_State = RUNNING then
                  In_Flight_Mission_Viability_Logic;
                  In_Flight_Energy_Test_Done := True;
                  Energy_Test_Succeded :=
                    In_Flight_Energy_Compatible_With_Mission;
               else
                  Initial_Mission_Viability_Logic;
                  Initial_Energy_Test_Done := True;
                  Energy_Test_Succeded :=
                    Initial_Energy_Compatible_With_Mission;

--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-output.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-output.ads
@@ -14,9 +14,9 @@ package MMS.F_PT.F_MM.Output is
   function Ready_For_Takeoff return Boolean with Global => Output_State;
-   -------------
+   ----------------------
-   -- To F_EL --
+   -- To F_EL and F_CM --
-   --------------
+   ----------------------
   function Emergency_Landing return Boolean with Global => Output_State;