Beginning of development of F_MM

UseCaseData/Layer2_MMS_SW_SPARK/default.gpr

+project Default is
+
+   package Compiler is
+      for Switches ("Ada") use ("-g", "-O2");
+   end Compiler;
+
+end Default;

UseCaseData/Layer2_MMS_SW_SPARK/mms-f_pt-f_em-behavior.ads

-with MMS.F_PT.F_EM.Data;
+private with MMS.F_PT.F_EM.Data;
 
 package MMS.F_PT.F_EM.Behavior with SPARK_Mode is
       

UseCaseData/Layer2_MMS_SW_SPARK/mms-f_pt-f_em-data.ads

 with Types; use Types;
 
-package MMS.F_PT.F_EM.Data is
+private
+package MMS.F_PT.F_EM.Data with SPARK_Mode is
 
    ---------------
    -- Constants --
@@ -8,7 +9,9 @@ package MMS.F_PT.F_EM.Data is
    
    --  From 6.8.4
    
-   Primary_Initial_Capacity   : Energy_Level_Type;
-   Secondary_Initial_Capacity : Energy_Level_Type;
+   Primary_Initial_Capacity   : Energy_Level_Type 
+     with Part_Of => Private_State;
+   Secondary_Initial_Capacity : Energy_Level_Type
+     with Part_Of => Private_State; 
 
 end MMS.F_PT.F_EM.Data;

UseCaseData/Layer2_MMS_SW_SPARK/mms-f_pt-f_em.ads

 with Types; use Types;
 
-package MMS.F_PT.F_EM with Abstract_State => (Private_State, Output_State) is
+package MMS.F_PT.F_EM with 
+  SPARK_Mode,
+  Abstract_State => 
+  (Private_State,
+   Output_State) 
+is
    pragma Elaborate_Body (MMS.F_PT.F_EM);
-   
 end MMS.F_PT.F_EM;

UseCaseData/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-behavior.ads

@@ -10,7 +10,7 @@
 
 with Types; use Types;
 with External;
-with MMS.F_PT.F_MM.Data;
+private with MMS.F_PT.F_MM.Data;
 private with MMS.F_PT.F_MM.State;
 with MMS.F_PT.Data;
 
@@ -148,7 +148,7 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
    function Mission_Range_From_Navigation_Parameters
      return Current_Range_Type
    with Global =>
-       (Input => Operating_Point_State, Proof_In => Input_State),
+       (Input => Navigation_Parameter_State, Proof_In => Input_State),
      Pre => Power_On
      and then Mission_Parameters_Defined;
    --  Fetch distance from Navigation_Parameters and do the appropriate
@@ -157,7 +157,7 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
    function Operating_Point_From_Navigation_Parameters
      return Operating_Point_Type
    with Global =>
-       (Input => Operating_Point_State, Proof_In => Input_State),
+       (Input => Navigation_Parameter_State, Proof_In => Input_State),
      Pre => Power_On
      and then Mission_Parameters_Defined;
    --  Fetch altitude and speed from Navigation_Parameters and do the
@@ -191,11 +191,11 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
      and then Current_Flight_Phase = CRUISE;
 
    function Current_Altitude_Close_Enough_To_ref_TakeOff return Boolean with
-     Global => Input_State;
+     Global => (Input => (Input_State, Viability_Logic_State));
    --  Return True if Current_Altitude is close enough to Altitude_ref_TakeOff
 
    function Current_Speed_Close_Enough_To_ref_TakeOff return Boolean with
-     Global => Input_State;
+     Global => (Input => (Input_State, Viability_Logic_State));
    --  Return True if Current_Altitude is close enough to Speed_ref_TakeOff
 
    function Take_Off_Over return Boolean is
@@ -233,6 +233,8 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
    function Mission_Cancelled_Signaled return Boolean with
      Global => Output_State;
 
+private
+
    ---------------------------------------
    -- Behavioural Specification of F_MM --
    ---------------------------------------
@@ -292,8 +294,10 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
    procedure Management_Of_Navigation_Modes_Options_Parameters with
    --  Compute the value of Navigation_Mode / Options / Parameters (see 6.9.4)
 
-     Global => (Input  => (Input_State, Private_State),
-                Output => Navigation_Parameter_State),
+     Global => (Input  => (Input_State,
+                           Private_State,
+                           Data.Energy_Mode_Ref_TakeOff),
+                In_Out => Navigation_Parameter_State),
      Pre    => Power_On,
      Post   => Navigation_Mode =
 
@@ -342,7 +346,10 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
 
 
      Global => (Input  =>
-                  (Input_State, Private_State, Navigation_Parameter_State),
+                  (Private_State,
+                   Navigation_Parameter_State,
+                   Data.Altitude_Ref_TakeOff,
+                   Data.Speed_Ref_TakeOff),
                 In_Out => Operating_Point_State),
      Pre    => Power_On
        and then Mission_Parameters_Defined
@@ -389,7 +396,9 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
 
    function Appropriate_Tabulating_Function return Viability_Domain_Mesh_Type
    with
-     Global => Viability_Logic_State;
+       Global => (Input => (Private_State,
+                            Viability_Logic_State,
+                            Navigation_Parameter_State));
 
    function Distance_With_Neighbour
      (Neighbour : Mission_Profile_Type) return Mission_Profile_Distance_Type
@@ -398,9 +407,12 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
    --  Compute the distance between Mission_Profile and its Neighbour.
 
    function Nearest_Neighbours return Neighbour_Mission_Profiles with
-    Global => Viability_Logic_State;
+     Global => (Input => (Private_State,
+                          Viability_Logic_State,
+                          Navigation_Parameter_State));
 
-   function Extract_Energy_Level_For_Neighbours return Energy_Levels
+   function Extract_Energy_Level_For_Neighbours
+     (Neighbours : Neighbour_Mission_Profiles) return Energy_Levels
    with
     Global => Viability_Logic_State;
 
@@ -414,7 +426,8 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
                   (Input_State,
                    Private_State,
                    Navigation_Parameter_State,
-                   Operating_Point_State),
+                   Operating_Point_State,
+                   MMS.F_PT.Data.Payload_Mass_Grid),
                  In_Out => Viability_Logic_State),
      Pre    => Power_State = ON,
      Post   =>
@@ -476,11 +489,13 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
 
    --  4. Extracting energy level for the neighbours.
 
-   and then Extract_Energy_Level_For_Neighbours.Size =
+   and then Extract_Energy_Level_For_Neighbours (Nearest_Neighbours).Size =
        Nearest_Neighbours.Size
    and then
-       (for all I in 1 .. Extract_Energy_Level_For_Neighbours.Size =>
-          Extract_Energy_Level_For_Neighbours.Neighbours (I) =
+       (for all I In
+          1 .. Extract_Energy_Level_For_Neighbours (Nearest_Neighbours).Size =>
+              Extract_Energy_Level_For_Neighbours
+          (Nearest_Neighbours).Neighbours (I) =
          (if On_State = INIT and then Navigation_Mode = A
           then Data.Viability_Amode_Initial
             (M => Nearest_Neighbours.Neighbours (I).Mission_Profile.M,
@@ -538,7 +553,7 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
    --  Compute the value of In_Flight_Energy_Compatible_With_Mission. It should
    --  be repeated at a periodic rate of F_Viability.
    --  Set In_Flight_Energy_Compatible_With_Mission to True if Energy_Level is
-   --  at least the Interpolated_Energy_Level plus an enery margin. When
+   --  at least the Interpolated_Energy_Level plus an energy margin. When
    --  EstimatedTotalMass increases, and even more so if it increases quickly,
    --  F_MM applies greater safety margins (see #17).
 
@@ -589,6 +604,7 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
    procedure Update_States with
      Global => (Input  =>
                   (Input_State,
+                   Output_State,
                    Navigation_Parameter_State,
                    Operating_Point_State,
                    Viability_Logic_State,
@@ -753,8 +769,6 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
           Power_State = ON
         and then On_State = On_State'Old);
 
-private
-
    ----------------------------
    --  Definitions of Inputs --
    ----------------------------

UseCaseData/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-data.ads

@@ -2,6 +2,7 @@ with MMS.F_PT.Data;
 
 with Types; use Types;
 
+private
 package MMS.F_PT.F_MM.Data is
 
    --------------------------
@@ -11,7 +12,8 @@ package MMS.F_PT.F_MM.Data is
    --  From 6.6.2.3
 
    Amode_Initial_Domain_Mesh : Viability_Domain_Mesh_Type
-     (1 .. 100, 1 .. 100, 1 .. 100); -- ??? bounds
+     (1 .. 100, 1 .. 100, 1 .. 100)
+     with Part_Of => Viability_Logic_State; -- ??? bounds
 
    function Viability_Amode_Initial
      (M : Payload_Mass_Center;
@@ -24,7 +26,8 @@ package MMS.F_PT.F_MM.Data is
      and then S in Amode_Initial_Domain_Mesh'Range (3);
 
    Amode_Cruise_Domain_Mesh : Viability_Domain_Mesh_Type
-     (1 .. 100, 1 .. 100, 1 .. 100); -- ??? bounds
+     (1 .. 100, 1 .. 100, 1 .. 100)
+     with Part_Of => Viability_Logic_State; -- ??? bounds
 
    function Viability_Amode_Cruise
      (M : Payload_Mass_Center;
@@ -37,7 +40,8 @@ package MMS.F_PT.F_MM.Data is
      and then S in Amode_Cruise_Domain_Mesh'Range (3);
 
    RPmode_Initial_Domain_Mesh : Viability_Domain_Mesh_Type
-     (1 .. 100, 1 .. 100, 1 .. 100); -- ??? bounds
+     (1 .. 100, 1 .. 100, 1 .. 100)
+     with Part_Of => Viability_Logic_State; -- ??? bounds
 
    function Viability_RPmode_Initial
      (M : Payload_Mass_Center;
@@ -50,7 +54,8 @@ package MMS.F_PT.F_MM.Data is
      and then S in RPmode_Initial_Domain_Mesh'Range (3);
 
    RPmode_Cruise_Domain_Mesh : Viability_Domain_Mesh_Type
-     (1 .. 100, 1 .. 100, 1 .. 100); -- ??? bounds
+     (1 .. 100, 1 .. 100, 1 .. 100)
+     with Part_Of => Viability_Logic_State; -- ??? bounds
 
    function Viability_RPmode_Cruise
      (M : Payload_Mass_Center;
@@ -64,7 +69,8 @@ package MMS.F_PT.F_MM.Data is
 
    --  From 6.6.4 Mission termination control
 
-   Glide_Distance_Domain_Mesh : Glide_Domain_Mesh_Type (1 .. 100); -- ??? bounds
+   Glide_Distance_Domain_Mesh : Glide_Domain_Mesh_Type (1 .. 100)
+     with Part_Of => Mission_Termination_State; -- ??? bounds
 
    function Glide_Distance
      (AI : Glide_Altitude_Center) return Current_Range_Type
@@ -72,8 +78,8 @@ package MMS.F_PT.F_MM.Data is
 
    --  Issue #28
 
-   Altitude_ref_TakeOff    : Current_Altitude_Type;
-   Speed_ref_TakeOff       : Current_Speed_Type;
-   Energy_Mode_ref_TakeOff : Speed_Or_Altitude;
+   Altitude_Ref_TakeOff    : Current_Altitude_Type;
+   Speed_Ref_TakeOff       : Current_Speed_Type;
+   Energy_Mode_Ref_TakeOff : Speed_Or_Altitude;
 
 end MMS.F_PT.F_MM.Data;

UseCaseData/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-state.ads

@@ -93,6 +93,9 @@ package MMS.F_PT.F_MM.State is
    In_Flight_Energy_Compatible_With_Mission : Boolean with
      Part_Of => Viability_Logic_State;
 
+   Mission_Profile : Mission_Profile_Type with
+     Part_Of => Viability_Logic_State;
+
    -------------------------------
    -- Mission_Termination_State --
    -------------------------------

UseCaseData/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm.adb

@@ -45,7 +45,8 @@ SPARK_Mode,
                        Operating_Point),
                     Viability_Logic_State =>
                       (Initial_Energy_Compatible_With_Mission,
-                       In_Flight_Energy_Compatible_With_Mission),
+                       In_Flight_Energy_Compatible_With_Mission,
+                       Mission_Profile),
                     Mission_Termination_State =>
                       (Descent_Over))
 is

UseCaseData/Layer2_MMS_SW_SPARK/mms-output.ads

@@ -40,8 +40,10 @@ package MMS.Output is
    -- Physical Parameters --
    -------------------------
    
-   function Propulsion_Torque return Torque_Type;
+   function Propulsion_Torque return Torque_Type
+     renames MMS.F_PT.Output.Propulsion_Torque;
    
-   function Braking_Torque return Torque_Type;
+   function Braking_Torque return Torque_Type
+     renames MMS.F_PT.Output.Braking_Torque;
    
 end MMS.Output;

UseCaseData/Layer2_MMS_SW_SPARK/types.ads

@@ -8,7 +8,7 @@ package Types with SPARK_Mode is
 
    type Speed_Input_Type is range 1 .. 250; -- in k.t
 
-   type Altitude_Input_Type is range -500 .. 3000; -- in ft
+   type Altitude_Input_Type is range -500 .. 3_000; -- in ft
 
    type Navigation_Parameters_Type is record
       Distance : Distance_Input_Type;