@ -15,15 +15,21 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -15,15 +15,21 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
function Start_Take_Off return Boolean with
Global => ( Input => Input_State , Proof_In => Private _ State ) ,
Pre => Missio n_State = INIT ;
Pre => O n_State = INIT ;
function Start_Landing return Boolean with
Global => ( Input => Input_State , Proof_In => Private _ State ) ,
Pre => Mission_State = FLIGHT ;
Pre => On_State = RUNNING ;
function Operating_Point return Operating_Point_Type with
Global => Input_State ;
function Operating_Mode return Navigation_Option_Type with
Global => Input_State ;
function Mission_Range return Current_Range_Type with
Global => Input_State ;
function Emergency_Landing return Boolean with
Global => Input_State ;
@ -34,6 +40,9 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -34,6 +40,9 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
function Operating_Point_Changed return Boolean with
Global => Input_State ;
function Operating_Mode_Changed return Boolean with
Global => Input_State ;
- - - - - - - - - - - - - - - - - - - - - -
- - Estimated Values - -
- - - - - - - - - - - - - - - - - - - - - -
@ -44,16 +53,19 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -44,16 +53,19 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
- - States - -
- - - - - - - - - - - -
function Mission_State return Mission_State_Type with
function On_State return On_State_Type with
Global => Private _ State ;
function Running_State return Running_State_Type with
Global => Private _ State ;
function Engine_State return Engine_State_Type with
Global => ( Input => Mutual_Exclusion_State , Proof_In => Private _ State ) ,
Pre => Mission_State in FLIGHT | LAND ING;
Pre => On_State = RUNN ING;
function Aborted_With_Propulsion_Available return Boolean with
Global => Private _ State ,
Pre => Missio n_State = ABORTED ;
Pre => O n_State = ABORTED ;
- - - - - - - - - - - - - - - -
- - Properties - -
@ -63,7 +75,7 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -63,7 +75,7 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
function Flight_Phase return Flight_Phase_Type with
Global => ( Input => Trajectory_State , Proof_In => Private _ State ) ,
Pre => Mission_State = FLIGHT ;
Pre => On_State = RUNNING ;
function In_Safety_Envelope return Boolean is
( case Flight_Phase is
@ -77,32 +89,48 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -77,32 +89,48 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
when DESCENT =>
Q_Dot in MMS . F_PT . F_FC . Data . Qdot_MinDs . . MMS . F_PT . F_FC . Data . Qdot_MaxDs
and Q < MMS . F_PT . F_FC . Data . Q_MaxDs )
with Pre => Mission_State = FLIGHT ;
with Pre => On_State = RUNNING ;
function Selected_Option return Navigation_Option_Type with
Global => ( Input => Operating_Mode_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING ;
function Already_Running return Boolean with
Global => Private _ State ,
Pre => Mission_State in FLIGHT | LANDING ;
Pre => On_State = RUNN ING;
function Time_Since_In_Safety_Escape return Time_Type with
Global => ( Input => Private _ State ,
Proof_In => ( Input_State , Trajectory_State ) ) ,
Pre => ( Mission_State = FLIGHT and then not In_Safety_Envelope )
or else Mission_State = ABORTED ;
Global => ( Input => Safety_Escape_State ,
Proof_In => ( Input_State , Trajectory_State , Private _ State ) ) ,
Pre => On_State = RUNNING and then not In_Safety_Envelope ;
function Fast_Evolving_Safety_Escape return Boolean with
Global => ( Input => Private _ State ,
Proof_In => ( Input_State , Trajectory_State ) ) ,
Pre => Mission_State = FLIGHT and then not In_Safety_Envelope ;
Pre => On_State = RUNNING and then not In_Safety_Envelope ;
function Time_Since_Stopped return Time_Type with
Global => ( Input => Mutual_Exclusion_State , Proof_In => Private _ State ) ,
Pre => Mission_State in FLIGHT | LAND ING;
Pre => On_State = RUNN ING;
function Propulsion_Torque return Torque_Type with
Global => ( Input => Propulsion_State , Proof_In => Private _ State ) ;
Global => Propulsion_State ;
function Braking_Torque return Torque_Type with
Global => ( Input => Braking_State , Proof_In => Private _ State ) ;
Global => Braking_State ;
function Current_Speed return Current_Speed_Type with
Global => AV_State_Vector_State ;
function Current_Altitude return Current_Altitude_Type with
Global => AV_State_Vector_State ;
function Current_Range return Current_Range_Type with
Global => AV_State_Vector_State ;
function Estimated_Total_Mass return Estimated_Total_Mass_Type with
Global => AV_State_Vector_State ;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - Behavioural Specification of F_FC - -
@ -112,7 +140,9 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -112,7 +140,9 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
- - Read values of inputs once and for all and update the current state
Post => Operating_Point_Changed =
( Operating_Point ' Old / = Operating_Point ) ;
( Operating_Point ' Old / = Operating_Point )
and then Operating_Mode_Changed =
( Operating_Mode ' Old / = Operating_Mode ) ;
procedure Write_Outputs with
- - Compute values of outputs from the current state
@ -126,89 +156,153 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -126,89 +156,153 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
Braking_State ) ,
Output => Output_State ) ;
- - - - - - - - - - - - - - - - - - - - - - -
- - Safety Objectives - -
- - - - - - - - - - - - - - - - - - - - - - -
- - See 7.7 . 3.2 . E
procedure Check_Safety_Escape with
Global => ( Input => ( Input_State , Trajectory_State ) ,
In_Out => Safety_Escape_State ) ,
Pre => On_State in RUNNING ,
Post =>
- - Time_Since_In_Safety_Escape is the number of seconds since the first
- - occurrence of safety escapes .
( if not In_Safety_Envelope then
( if In_Safety_Envelope ' Old then Time_Since_In_Safety_Escape = 0
else Time_Since_In_Safety_Escape > Time_Since_In_Safety_Escape ' Old ) ) ;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - Choice of Operating Mode in Energy Mode - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - See 6.7 . 4 ( Propulsion Control )
procedure Choose_Operating_Mode with
- - Two systems of two equations in ( pdotA , qA ) , ( pdotS , qS ) are to be solved .
- - First :
- - g / L = ( pdotA ) * * 2 * cos ( qA )
- - Operating_Point . Altitude = L * ( 1 - cos ( qA ) )
- - Second :
- - g / L = ( pdotS ) * * 2 * cos ( qS )
- - Operating_Point . Speed = pdotS * L * sin ( qS )
- - If pdotA < pdotS , option ALTITUDE is selected otherwise SPEED is
- - selected .
Global => ( Input => Input_State ,
In_Out => Operating_Mode_State ) ,
Pre => On_State = RUNNING ,
Post => Selected_Option in SPEED | ALTITUDE
and then
( if Already_Running
and then not Operating_Mode_Changed
and then not Operating_Point_Changed
then Selected_Option = Selected_Option ' Old )
and then
( if Operating_Mode in SPEED | ALTITUDE then
Selected_Option = Operating_Mode ) ;
- - - - - - - - - - - - - - - - - - - - - - -
- - AV ' s State Vector - -
- - - - - - - - - - - - - - - - - - - - - - -
procedure AV_State_Vector with
Global => ( Input => Input_State ,
In_Out => AV_State_Vector_State ) ;
- - The AV ' s state vector is defined by :
- - Current_Speed = L * sin ( Q ) * P_Dot
- - Current_Altitude = L * ( 1 - cos ( Q ) )
- - Current_Range = Integral of Current_Speed over time
- - Estimated_Total_Mass = M0 + Payload_Mass + Micing , where Micing is an
- - unknown perturbation to be estimated .
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - Update the State Automaton - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - Same states as F_MM except On / Off is not considered here
procedure Update_State with
Global => ( Input => ( Input_State , Trajectory_State ) ,
In_Out => Private _ State ) ,
Contract_Cases =>
- - ? ? ? All these are guesses . . .
( ( Mission_State in INIT . . LANDING )
( ( On_State in INIT . . RUNNING )
and then Emergency_Landing
=>
Mission_State = ABORTED
On_State = ABORTED
and then not Aborted_With_Propulsion_Available ,
Mission_State = INIT
O n_State = INIT
and then not Emergency_Landing
and then Start_Take_Off
=>
Mission_State = FLIGHT ,
On_State = RUNNING ,
Mission_State = INIT
O n_State = INIT
and then not Emergency_Landing
and then not Start_Take_Off
=>
Mission_State = INIT ,
O n_State = INIT ,
Mission_State = FLIGHT
On_State = RUNNING
and then not Emergency_Landing
and then Start_Landing
and then
( if Running_State = LANDING then
not ( P_Dot = 0.0 and then Q_Dot = 0.0 ) )
and then not In_Safety_Envelope
and then Time_Since_In_Safety_Escape > MMS . F_PT . F_FC . Data . Escape_Time
=>
Mission_State = LANDING ,
On_State = ABORTED
and then Aborted_With_Propulsion_Available ,
Mission_State = FLIGHT
On_State = RUNNING
and then not Emergency_Landing
and then not Start_Landing
and then
( if Running_State = LANDING then
not ( P_Dot = 0.0 and then Q_Dot = 0.0 ) )
and then
( if not In_Safety_Envelope then
Time_Since_In_Safety_Escape < = MMS . F_PT . F_FC . Data . Escape_Time )
=>
( if Time_Since_In_Safety_Escape > MMS . F_PT . F_FC . Data . Escape_Time then
Mission_State = ABORTED
and then Aborted_With_Propulsion_Available
else Mission_State = FLIGHT ) ,
On_State = RUNNING ,
Mission_State = LANDING
On_State = RUNNING
and then not Emergency_Landing
and then Running_State = LANDING
and then P_Dot = 0.0 and then Q_Dot = 0.0
=>
( if P_Dot = 0.0 and then Q_Dot = 0.0 then
Mission_State = COMPLETE
else Mission_State = LANDING ) ,
On_State = COMPLETE ,
( Mission_State in COMPLETE | ABORTED )
( On_State in COMPLETE | ABORTED )
=>
Mission_State = Mission_State ' Old ) ,
On_State = O n_State' Old ) ,
Post =>
( if Mission_State in FLIGHT | LANDING then
( if On_State = RUNN ING then
Engine_State = Engine_State ' Old - - ? ? ? Needed due to current limitation in proof tool
and then Already_Running = ( Mission_State ' Old in FLIGHT | LANDING ) )
- - Time_Since_In_Safety_Escape is the number of seconds since the first
- - occurrence of safety escapes .
and then Already_Running = ( On_State ' Old = RUNNING ) ) ;
and then
( if not In_Safety_Envelope then
( if In_Safety_Envelope ' Old then Time_Since_In_Safety_Escape = 0
else Time_Since_In_Safety_Escape > Time_Since_In_Safety_Escape ' Old ) ) ;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - Propulsion / Braking Mutual Exclusion - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
function Go_To_Braking return Boolean is
( Mission_State = LANDING
or else
( not In_Safety_Envelope
and then
( Time_Since_In_Safety_Escape > MMS . F_PT . F_FC . Data . Hazard_Duration
or else Fast_Evolving_Safety_Escape ) ) )
or else Fast_Evolving_Safety_Escape ) )
with
Pre => Mission_State in FLIGHT | LAND ING;
Pre => On_State = RUNN ING;
function Go_To_Propulsion return Boolean is
( Mission_State = FLIGHT and then In_Safety_Envelope )
( In_Safety_Envelope )
with
Pre => Mission_State in FLIGHT | LAND ING;
Pre => On_State = RUNN ING;
procedure Propulsion_Braking_Mutual_Exclusion with
Global => ( Input => ( Input_State , Trajectory_State , Private _ State ) ,
In_Out => Mutual_Exclusion_State ) ,
Pre => Mission_State in FLIGHT | LAND ING,
Pre => On_State = RUNN ING,
Contract_Cases =>
( not Already_Running
=>
@ -272,17 +366,114 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -272,17 +366,114 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
else Engine_State = WAITING_BRAK
and then Time_Since_Stopped > Time_Since_Stopped ' Old ) ) ;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - Reference Trajectory Computation - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
function Set_Point_Altitude return Current_Altitude_Type with
Global => ( Input => Trajectory_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING ;
function Intermediate_Set_Point_Altitude return Current_Altitude_Type with
Global => ( Input => Trajectory_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING ;
function Close_To_Set_Point_Altitude return Boolean with
Global => ( Input => Trajectory_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING ;
- - True if we are close enough to the set point . Used to avoid Zeno effect .
function Intermediate_Set_Point_Altitude_Reached return Boolean with
Global => ( Input => Trajectory_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING and then Already_Running ;
- - True if we have reached the previous intermediate set point .
function Set_Point_Speed return Current_Speed_Type with
Global => ( Input => Trajectory_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING ;
function Intermediate_Set_Point_Speed return Current_Speed_Type with
Global => ( Input => Trajectory_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING ;
function Close_To_Set_Point_Speed return Boolean with
Global => ( Input => Trajectory_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING ;
- - True if we are close enough to the set point . Used to avoid Zeno effect .
function Intermediate_Set_Point_Speed_Reached return Boolean with
Global => ( Input => Trajectory_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING and then Already_Running ;
- - True if we have reached the previous intermediate set point .
function Set_Point_Distance return Current_Range_Type with
Global => ( Input => Trajectory_State ,
Proof_In => Private _ State ) ,
Pre => On_State = RUNNING and then Running_State = LANDING ;
procedure Reference_Trajectory_Computation with
- - Computed at each cycle . Slower rates are possible but not too slow .
Global => ( Input => ( Input_State , Private _ State ) ,
In_Out => Trajectory_State ) ,
Pre => Mission_State in FLIGHT . . LANDING ,
Pre => On_State = RUNN ING,
Post =>
- - For landing , a distance objective is added to the zero - altitude
- - objective . Landing must occur at range completion .
- - ? ? ? How is it used by the PID ?
( if Running_State = FLIGHT then
Set_Point_Altitude = Operating_Point . Altitude
and then Set_Point_Speed = Operating_Point . Speed
else
Set_Point_Altitude = 0
and then Set_Point_Speed = 0
and then Set_Point_Distance = Mission_Range )
- - Instead of giving the true set - point to propulsion control , it gives
- - half of the change amplitude . When current intermediate set - point is
- - reached , a new one is computed ( zeno like aspects to be addressed for
- - convergence .
- - Module is reset by any operating point change .
and then
( if not Already_Running
or else ( Running_State = FLIGHT and then Operating_Point_Changed )
or else ( Intermediate_Set_Point_Speed_Reached
and then not Close_To_Set_Point_Speed ) then
Intermediate_Set_Point_Speed =
( Set_Point_Speed + Current_Speed ) / 2
elsif Close_To_Set_Point_Speed then
Intermediate_Set_Point_Speed = Set_Point_Speed
else Intermediate_Set_Point_Speed = Intermediate_Set_Point_Speed ' Old )
and then
( if not Already_Running
or else ( Running_State = FLIGHT and then Operating_Point_Changed )
or else ( Intermediate_Set_Point_Altitude_Reached
and then not Close_To_Set_Point_Altitude ) then
Intermediate_Set_Point_Altitude =
( Set_Point_Altitude + Current_Altitude ) / 2
elsif Close_To_Set_Point_Altitude then
Intermediate_Set_Point_Altitude = Set_Point_Altitude
else Intermediate_Set_Point_Altitude = Intermediate_Set_Point_Altitude ' Old )
- - Changes in the operating point provoque termination of the current
- - cruise phase and activate a transient climb or descent phase to
- - capture the new operating point ( see 6.6 . 4 4. Cruise ) .
- - ? ? ? How is the current Flight_Phase computed ?
( if Mission_State = FLIGHT and then Operating_Point_Changed then
and then
( if Running_State = FLIGHT and then Operating_Point_Changed then
Flight_Phase in CLIMB | DESCENT ) ;
procedure Gain_Scheduling with
@ -291,7 +482,7 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -291,7 +482,7 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
Private _ State ,
Mutual_Exclusion_State ) ,
In_Out => Gain_Scheduling_State ) ,
Pre => Mission_State in FLIGHT . . LAND ING;
Pre => On_State = RUNN ING;
procedure Propulsion_Control with
Global => ( Input => ( Input_State ,
@ -300,7 +491,8 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -300,7 +491,8 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
Gain_Scheduling_State ,
Mutual_Exclusion_State ) ,
In_Out => Propulsion_State ) ,
Pre => Mission_State = FLIGHT and then Engine_State = PROPULSION ;
Pre => On_State = RUNNING
and then Engine_State = PROPULSION ;
procedure Braking_Control with
Global => ( Input => ( Input_State ,
@ -309,7 +501,7 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
@@ -309,7 +501,7 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
Gain_Scheduling_State ,
Mutual_Exclusion_State ) ,
In_Out => Braking_State ) ,
Pre => Mission_State in FLIGHT . . LAND ING
Pre => On_State = RUNN ING
and then Engine_State = BRAKING ;
end MMS.F_PT.F_FC.Behavior ;