Layer2_MMS_SW_SPARK behavioural specification of F_EM

parent e82c73fa
ACTIVITIES: ACTIVITIES:
1 - Identification and validation of inputs / outputs: 1 - Identification and validation of inputs / outputs:
* Design: * Design:
The specification is structured into a component based architecture. Each component and sub-component has identified inputs and outputs, which may have types, bounds... Information flows through these signals between components. The specification is structured into a component based architecture. Each component and sub-component has identified inputs and outputs, which may have types, bounds... Information flows through these signals between components.
Each sub-component is a child package of its container. Inputs and outputs of components are translated as functions without parameters stored in specific child packages named Comp.Input and Comp.Output. Types for signals are stored at the root of the architecture, namely in mms.ads. They are as precise as we could make them, based on the specifications available. Each sub-component is a child package of its container. Inputs and outputs of components are translated as functions without parameters stored in specific child packages named Comp.Input and Comp.Output. Types for signals are stored at the root of the architecture, namely in mms.ads. They are as precise as we could make them, based on the specifications available.
Links between inputs and outputs of various components are made through renamings, or through expression functions when the mapping is more complex. Inputs and outputs are grouped together depending on where they are coming from/where they are going to. Links between inputs and outputs of various components are made through renamings, or through expression functions when the mapping is more complex. Inputs and outputs are grouped together depending on where they are coming from/where they are going to.
* Verifications: * Verifications:
We have checked by review that: We have checked by review that:
- Inputs and outputs of components are consistent, namely, if a component A has an output to another component B, then B must have an input from A and conversely. - Inputs and outputs of components are consistent, namely, if a component A has an output to another component B, then B must have an input from A and conversely.
+ Method: If a function F is in a group of inputs (resp. outputs) of a component Comp1 labelled 'From Comp2' (resp. 'To Comp2'), where Comp2 is inside the same container as Comp1, check that Comp2.Output (resp. Comp2.Input) has a section 'To Comp1' (resp. 'From Comp1') containing a matching output (resp. input). + Method: If a function F is in a group of inputs (resp. outputs) of a component Comp1 labelled 'From Comp2' (resp. 'To Comp2'), where Comp2 is inside the same container as Comp1, check that Comp2.Output (resp. Comp2.Input) has a section 'To Comp1' (resp. 'From Comp1') containing a matching output (resp. input).
+ Result: Inconsistencies have been reported. + Result: Inconsistencies have been reported.
- Types (as well as bounds and units) are consistent between sources and destinations. - Types (as well as bounds and units) are consistent between sources and destinations.
+ Method: This is enforced through static typing by turning the destination of a signal as a renaming of its origin. + Method: This is enforced through static typing by turning the destination of a signal as a renaming of its origin.
+ Assumptions: When no information was supplied, we have made the following choices: + Assumptions: When no information was supplied, we have made the following choices:
* Payload_Mass_Type is in kg with a precision of 0.1 and bounds of 1.0 and 5.0. * Payload_Mass_Type is in kg with a precision of 0.1 and bounds of 1.0 and 5.0.
* [...] * [...]
- The component structure is well-formed, namely, information does not flow through the edge of components. - The component structure is well-formed, namely, information does not flow through the edge of components.
+ Method: This can be verified by reviewing use clauses inserted at the beginning of inputs or outputs packages. More precisely + Method: This can be verified by reviewing use clauses inserted at the beginning of inputs or outputs packages. More precisely
* An input package Comp.Subcomp.Input can only reference outputs of siblings Comp.*.Output or inputs of parent Comp.Input. * An input package Comp.Subcomp.Input can only reference outputs of siblings Comp.*.Output or inputs of parent Comp.Input.
* An output package Comp.Output can only reference its own inputs Comp.Input or outputs of its children Comp.Subcomp.Output. * An output package Comp.Output can only reference its own inputs Comp.Input or outputs of its children Comp.Subcomp.Output.
+ Result: No inconsistency found. + Result: No inconsistency found.
2 - Review of the specification for translatability in Ada contracts: 2 - Review of the specification for translatability in Ada contracts:
* Design: * Design:
...@@ -43,9 +43,15 @@ ACTIVITIES: ...@@ -43,9 +43,15 @@ ACTIVITIES:
6.6.3.1 6.6.3.1
A. Additional guarantee: Translated as a postcondition. A. Additional guarantee: Translated as a postcondition.
- MMS.F_PT.F_EM:
6.8.3.1
Assumptions A, B: Not translated (linked with AV, mechanical body behavior)
6.8.3.2
Guarantee A: Not translated (linked with weather conditions)
Guarantees B, C: Not translated (linked with actual embedded energy which is not measurable)
* Verifications: * Verifications:
The SPARK toolset can be used to check that: The SPARK toolset can be used to check that:
- Ada contracts are consistent. If it is a case by case contract, SPARK can check that all cases are covered and that no two cases can apply to the same inputs. If some properties or some information can only be checked in some cases, these cases can be expressed as preconditions on property or information functions and SPARK will check that they are always used in valid context. - Ada contracts are consistent. If it is a case by case contract, SPARK can check that all cases are covered and that no two cases can apply to the same inputs. If some properties or some information can only be checked in some cases, these cases can be expressed as preconditions on property or information functions and SPARK will check that they are always used in valid context.
- Guarantees are implied by the behavioral specification. If both can be expressed as Ada contracts, SPARK can check that, if the behavioural specification of a component is respected by its implementation, then the implementation will also respect the guarantees as stated in the specification contracts. - Guarantees are implied by the behavioral specification. If both can be expressed as Ada contracts, SPARK can check that, if the behavioural specification of a component is respected by its implementation, then the implementation will also respect the guarantees as stated in the specification contracts.
with MMS.F_PT.F_EM.Data;
package MMS.F_PT.F_EM.Behavior with SPARK_Mode is
------------
-- Inputs --
------------
function Propulsion_Torque return Torque_Type with Global => Private_State;
function Braking_Torque return Torque_Type with Global => Private_State;
function P_Dot return Speed_Type with Global => Private_State;
---------------------------------------
-- Behavioural Specification of F_EM --
---------------------------------------
procedure Read_Inputs with
-- Read values of inputs once and for all and update the current state
Global => (In_Out => Private_State);
procedure Write_Outputs with
-- Compute values of outputs from the current state
Global => (Input => Private_State,
Output => Output_State);
procedure Run with
Global => (In_Out => Private_State);
private
function Primary_Initial_Capacity return Energy_Level_Type
is
(Data.Primary_Initial_Capacity + Data.Secondary_Initial_CapacitY)
with Global => Private_State;
function Propulsion_Energy return Energy_Level_Type
with Global => Private_State;
-- Integral [0-t] Propulsion_Torque(u) * P_Dot(u) * du
function Braking_Energy return Energy_Level_Type
with Global => Private_State;
-- Integral [0-t] Braking_Torque(u) * P_Dot(u) * du
function Dispended_Energy return Energy_Level_Type
is
(Propulsion_Energy + Braking_Energy)
with Global => Private_State;
function Primary_Energy_Left return Energy_Level_Type
is
(Data.Primary_Initial_Capacity - Dispended_Energy)
with Global => Private_State;
function Primary_Source return Source_Type
is
(Source_Type (100 *
(Data.Primary_Initial_Capacity - Dispended_Energy /
Data.Primary_Initial_Capacity)))
with Global => Private_State;
function Secondary_Energy_Left return Energy_Level_Type
is
(if Primary_Source > 0 then
Data.Secondary_Initial_Capacity
else
Data.Secondary_Initial_Capacity - Dispended_Energy)
with Global => Private_State;
function Secondary_Source return Source_Type
is
(if Primary_Source > 0 then
100
else
Source_Type (100 *
(Data.Secondary_Initial_Capacity - Dispended_Energy /
Data.Secondary_Initial_Capacity)))
with Global => Private_State;
end MMS.F_PT.F_EM.Behavior;
...@@ -9,6 +9,6 @@ package MMS.F_PT.F_EM.Data is ...@@ -9,6 +9,6 @@ package MMS.F_PT.F_EM.Data is
-- From 6.8.4 -- From 6.8.4
Primary_Initial_Capacity : Energy_Level_Type; Primary_Initial_Capacity : Energy_Level_Type;
Secondary_Initial_CapacitY : Energy_Level_Type; Secondary_Initial_Capacity : Energy_Level_Type;
end MMS.F_PT.F_EM.Data; end MMS.F_PT.F_EM.Data;
...@@ -6,14 +6,14 @@ package MMS.F_PT.F_EM.Output is ...@@ -6,14 +6,14 @@ package MMS.F_PT.F_EM.Output is
-- To F_CM -- -- To F_CM --
------------- -------------
function Primary_Source return Source_Type; function Primary_Source return Source_Type with Global => Output_State;
function Secondary_Source return Source_Type; function Secondary_Source return Source_Type with Global => Output_State;
------------- -------------
-- To F_MM -- -- To F_MM --
------------- -------------
function Energy_Level return Energy_Level_Type; function Energy_Level return Energy_Level_Type with Global => Output_State;
end MMS.F_PT.F_EM.Output; end MMS.F_PT.F_EM.Output;
private
package MMS.F_PT.F_EM.State is
end MMS.F_PT.F_EM.State;
with Types; use Types; with Types; use Types;
package MMS.F_PT.F_EM is package MMS.F_PT.F_EM with Abstract_State => (Private_State, Output_State) is
pragma Elaborate_Body (MMS.F_PT.F_EM);
end MMS.F_PT.F_EM;
end MMS.F_PT.F_EM;
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment