Layer2_MMS_SW_SPARK: take into account answers for #22

2025-11-30 20:57:58 +01:00 · 2017-06-28 15:51:57 +02:00
parent a069f7a017
commit e82c73fadd
7 changed files with 126 additions and 94 deletions
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-behavior.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-behavior.ads
@@ -21,6 +21,16 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
     Global => Private_State,
     Pre    => Mission_State = RUNNING;

+   function Operating_Point return Operating_Point_Type with
+     Global => Private_State;
+
+   --------------------------
+   -- Properties on Inputs --
+   --------------------------
+
+   function Operating_Point_Changed return Boolean with
+     Global => Private_State;
+
   ----------------------
   -- Estimated Values --
   ----------------------
@@ -36,9 +46,7 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
   function Mission_State return Mission_State_Type with
     Global => Private_State;

-   type Phase_State_Type is (CLIMB, CRUISE, DESCENT);
-
-   function Phase_State return Phase_State_Type with
+   function Flight_Phase_State return Flight_Phase_Type with
     Global => Private_State,
     Pre    => Mission_State = RUNNING;

@@ -56,7 +64,7 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
   --  From 6.7.3.2

   function In_Safety_Envelope return Boolean is
-     (case Phase_State is
+     (case Flight_Phase_State is
         when CLIMB   =>
            Q_Dot in MMS.F_PT.F_FC.Data.Qdot_MinCl .. MMS.F_PT.F_FC.Data.Qdot_MaxCl
              and Q < MMS.F_PT.F_FC.Data.Q_MaxCl,
@@ -70,10 +78,13 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
   with Pre => Mission_State = RUNNING;

   function Time_Since_In_Safety_Escape return Time_Type with
-     Global => Private_State;
+     Global => Private_State,
+     Pre    => (Mission_State = RUNNING and then not In_Safety_Envelope)
+     or else Mission_State = ABORTED;

   function Fast_Evolving_Safety_Escape return Boolean with
-     Global => Private_State;
+     Global => Private_State,
+     Pre    => Mission_State = RUNNING and then not In_Safety_Envelope;

   function Time_Since_Stopped return Time_Type with
     Global => Private_State,
@@ -86,7 +97,9 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
   procedure Read_Inputs with
   --  Read values of inputs once and for all and update the current state
     Global => (In_Out => Private_State,
-                Input  => External.State);
+                Input  => External.State),
+     Post   => Operating_Point_Changed =
+       (Operating_Point'Old /= Operating_Point);

   procedure Write_Outputs with
   --  Compute values of outputs from the current state
@@ -96,6 +109,9 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
   procedure Run with
     Global         => (In_Out => Private_State),
     Contract_Cases =>
+
+       --  ??? All these are guesses...
+
       (Mission_State = INIT
        and then Start_Take_Off
        =>
@@ -124,8 +140,20 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
          Mission_State = Mission_State'Old),

     Post           =>
-       (if In_Safety_Envelope'Old then Time_Since_In_Safety_Escape = 0
-        else Time_Since_In_Safety_Escape > Time_Since_In_Safety_Escape'Old)
+
+       --  Changes in the operating point provoque termination of the current
+       --  cruise phase and activate a transient climb or descent phase to
+       --  capture the new operating point (see 6.6.4 4. Cruise).
+
+       (if Operating_Point_Changed then Flight_Phase_State in CLIMB | DESCENT)
+
+       --  Time_Since_In_Safety_Escape is the number of seconds since the first
+       --  occurrence of safety escapes.
+
+       and then
+       (if not In_Safety_Envelope then
+          (if In_Safety_Envelope'Old then Time_Since_In_Safety_Escape = 0
+           else Time_Since_In_Safety_Escape > Time_Since_In_Safety_Escape'Old))

        --  6.7.4 Propulsion braking mutual exclusion

@@ -133,8 +161,10 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
       (if Mission_State = RUNNING and then Mission_State'Old = RUNNING then
          (case Engine_State'Old is
           when PROPULSION   =>
-             (if Time_Since_In_Safety_Escape > MMS.F_PT.F_FC.Data.Hazard_Duration
-                or else Fast_Evolving_Safety_Escape
+             (if not In_Safety_Envelope
+              and then
+                (Time_Since_In_Safety_Escape > MMS.F_PT.F_FC.Data.Hazard_Duration
+                 or else Fast_Evolving_Safety_Escape)
              then Engine_State = WAITING_BRAK
                and then Time_Since_Stopped = 0
              else Engine_State = PROPULSION),
@@ -146,8 +176,9 @@ package MMS.F_PT.F_FC.Behavior with SPARK_Mode is
              else Engine_State = BRAKING),

           when WAITING_PROP =>
-             (if Time_Since_In_Safety_Escape > MMS.F_PT.F_FC.Data.Hazard_Duration
-                or else Fast_Evolving_Safety_Escape
+             (if not In_Safety_Envelope
+              and then (Time_Since_In_Safety_Escape > MMS.F_PT.F_FC.Data.Hazard_Duration
+                        or else Fast_Evolving_Safety_Escape)
              then Engine_State = BRAKING
              elsif Time_Since_Stopped > MMS.F_PT.F_FC.Data.Commutation_Duration
              then Engine_State = PROPULSION
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-data.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-data.ads
@@ -2,7 +2,7 @@ with MMS.F_PT.Data;

 with Types; use Types;

-package MMS.F_PT.F_FC.Data is
+package MMS.F_PT.F_FC.Data with SPARK_Mode is

   --  ??? Types need to be precisely defined.

@@ -12,7 +12,7 @@ package MMS.F_PT.F_FC.Data is

   --  From 6.7.2.3

-   Flight_Domain_Mesh : Flight_Domain_Mesh_Type (1 .. 100, 1 .. 100); -- ??? bounds
+   Flight_Domain_Mesh : constant Flight_Domain_Mesh_Type (1 .. 100, 1 .. 100); -- ??? bounds

   function Climb_Gains
     (S : Flight_Speed_Center;
@@ -47,28 +47,58 @@ package MMS.F_PT.F_FC.Data is

   --  From 6.7.3.2

-   Qdot_MinCl : Angular_Speed_Type; --  in angle.s-1
-   Qdot_MaxCl : Angular_Speed_Type; --  in angle.s-1
-   Q_MaxCl    : Angle_Type; --  in angle
-   Qdot_MinCr : Angular_Speed_Type; --  in angle.s-1
-   Qdot_MaxCr : Angular_Speed_Type; --  in angle.s-1
-   Q_MinCr    : Angle_Type; --  in angle
-   Pdot_MaxCr : Speed_Type; --  in km/h
-   Qdot_MinDs : Angular_Speed_Type; --  in angle.s-1
-   Qdot_MaxDs : Angular_Speed_Type; --  in angle.s-1
-   Q_MaxDs    : Angle_Type; --  in angle
+   Qdot_MinCl : constant Angular_Speed_Type; --  in angle.s-1
+   Qdot_MaxCl : constant Angular_Speed_Type; --  in angle.s-1
+   Q_MaxCl    : constant Angle_Type; --  in angle
+   Qdot_MinCr : constant Angular_Speed_Type; --  in angle.s-1
+   Qdot_MaxCr : constant Angular_Speed_Type; --  in angle.s-1
+   Q_MinCr    : constant Angle_Type; --  in angle
+   Pdot_MaxCr : constant Speed_Type; --  in km/h
+   Qdot_MinDs : constant Angular_Speed_Type; --  in angle.s-1
+   Qdot_MaxDs : constant Angular_Speed_Type; --  in angle.s-1
+   Q_MaxDs    : constant Angle_Type; --  in angle

-   Escape_Time : Time_Type; --  in s
+   Escape_Time : constant Time_Type; --  in s

   --  From 6.7.4

-   Commutation_Duration : Time_Type; --  in s
-   Hazard_Duration      : Time_Type; --  in s
+   Commutation_Duration : constant Time_Type; --  in s
+   Hazard_Duration      : constant Time_Type; --  in s

-   Recovery_Speed : Integer; --  in m.s
+   Recovery_Speed : constant Integer; --  in m.s

-   J0 : Integer; --  in kg.m2
-   L  : Integer; --  in m
-   M0 : Integer; --  in kg
+   J0 : constant Integer; --  in kg.m2
+   L  : constant Integer; --  in m
+   M0 : constant Integer; --  in kg
+
+private
+   pragma SPARK_Mode (Off);
+
+   Flight_Domain_Mesh : constant Flight_Domain_Mesh_Type (1 .. 100, 1 .. 100) :=
+     (others => (others => <>));
+
+   Qdot_MinCl : constant Angular_Speed_Type := 0.0; --  in angle.s-1
+   Qdot_MaxCl : constant Angular_Speed_Type := 0.0; --  in angle.s-1
+   Q_MaxCl    : constant Angle_Type := 0.0; --  in angle
+   Qdot_MinCr : constant Angular_Speed_Type := 0.0; --  in angle.s-1
+   Qdot_MaxCr : constant Angular_Speed_Type := 0.0; --  in angle.s-1
+   Q_MinCr    : constant Angle_Type := 0.0; --  in angle
+   Pdot_MaxCr : constant Speed_Type := 0.0; --  in km/h
+   Qdot_MinDs : constant Angular_Speed_Type := 0.0; --  in angle.s-1
+   Qdot_MaxDs : constant Angular_Speed_Type := 0.0; --  in angle.s-1
+   Q_MaxDs    : constant Angle_Type := 0.0; --  in angle
+
+   Escape_Time : constant Time_Type := 0; --  in s
+
+   --  From 6.7.4
+
+   Commutation_Duration : constant Time_Type := 0; --  in s
+   Hazard_Duration      : constant Time_Type := 0; --  in s
+
+   Recovery_Speed : constant Integer := 0; --  in m.s
+
+   J0 : constant Integer := 0; --  in kg.m2
+   L  : constant Integer := 0; --  in m
+   M0 : constant Integer := 0; --  in kg

 end MMS.F_PT.F_FC.Data;
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-output.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_fc-output.ads
@@ -24,4 +24,6 @@ package MMS.F_PT.F_FC.Output is
   
   function Current_Altitude return Current_Altitude_Type with Global => Output_State;
   
+   function Current_Flight_Phase return Flight_Phase_Type with Global => Output_State;
+   
 end MMS.F_PT.F_FC.Output;
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-behavior-guarantees.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-behavior-guarantees.ads
@@ -16,15 +16,16 @@ package MMS.F_PT.F_MM.Behavior.Guarantees with SPARK_Mode is
       and then On_State = RUNNING
       and then Running_State = TAKE_OFF);

-   function Energy_Check_Succeed return Boolean is
+   function Initial_Energy_Check_Succeeded return Boolean is
     (Power_State = ON
      and then On_State = INIT
      and then Energy_Compatible_With_Mission);

-   function Energy_Check_Fail return Boolean is
+   function In_Flight_Energy_Check_Failed return Boolean is
     (Power_State = ON
      and then On_State = RUNNING
-      and then Running_State = CRUISE
+      and then Running_State = FLIGHT
+      and then Current_Flight_Phase = CRUISE
      and then not Energy_Compatible_With_Mission);

   function Mission_Cancelled return Boolean is
@@ -42,7 +43,7 @@ package MMS.F_PT.F_MM.Behavior.Guarantees with SPARK_Mode is
      --  incompatible with mission completion.

      (if In_Take_Off_State and then not In_Take_Off_State'Old then
-         Energy_Check_Succeed'Old)
+         Initial_Energy_Check_Succeeded'Old)

      --  6.6.3.B Any mission cancellation is signaled to CP and GS.

@@ -55,6 +56,6 @@ package MMS.F_PT.F_MM.Behavior.Guarantees with SPARK_Mode is

      and then
       (if Mission_Cancelled and then not Mission_Cancelled'Old then
-           Energy_Check_Fail'Old);
+           In_Flight_Energy_Check_Failed'Old);

 end MMS.F_PT.F_MM.Behavior.Guarantees;
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-behavior.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-behavior.ads
@@ -45,6 +45,12 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
   function Current_Altitude return Current_Altitude_Type with
     Global => Private_State;

+   function Current_Flight_Phase return Flight_Phase_Type with
+     Global => Private_State,
+     Pre    => Power_State = ON
+     and then On_State = RUNNING
+     and then Running_State = FLIGHT;
+
   -----------------------------------------
   -- States of the automaton in Figure 3 --
   -----------------------------------------
@@ -60,7 +66,7 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
     Global => Private_State,
     Pre    => Power_State = ON;

-   type Running_State_Type is (TAKE_OFF, CLIMB, CRUISE, DESCENT, LANDING);
+   type Running_State_Type is (TAKE_OFF, FLIGHT, LANDING);

   function Running_State return Running_State_Type with
     Global => Private_State,
@@ -111,7 +117,8 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
     Global => Private_State,
     Pre => Power_State = ON
     and then On_State = RUNNING
-     and then Running_State = DESCENT;
+     and then Running_State = FLIGHT
+     and then Current_Flight_Phase = DESCENT;

   function Landed return Boolean is
     (Current_Speed = 0 and Current_Altitude = 0)
@@ -121,19 +128,6 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
     and then On_State = RUNNING
     and then Running_State = LANDING;

-   function Operating_Point_Changed return Boolean with
-     Global => Private_State,
-     Pre => Power_State = ON
-     and then On_State = RUNNING
-     and then (Running_State in CLIMB | CRUISE | DESCENT)
-     and then Navigation_Mode = RP;
-
-   function Cruise_Altitude_Reached return Boolean with
-     Global => Private_State,
-     Pre => Power_State = ON
-     and then On_State = RUNNING
-     and then (Running_State in CLIMB | DESCENT);
-
   ----------------
   -- Properties --
   ----------------
@@ -142,7 +136,8 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
     Global => Private_State,
     Pre => Power_State = ON
     and then On_State in INIT | RUNNING
-     and then (if On_State = RUNNING then Running_State = CRUISE);
+     and then (if On_State = RUNNING then
+                 Running_State = FLIGHT and then Current_Flight_Phase = CRUISE);

   function Mission_Parameters_Defined return Boolean is
     (USB_Key_Present
@@ -205,11 +200,9 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is

     Global         => (In_Out => Private_State),
     Post           =>
-       Operating_Point_Changed = (Operating_Point /= Operating_Point'Old)

       --  RP mode enables modification of range parameter before take-off.

-     and then
       (if not (Power_State'Old = ON
                and then On_State'Old = INIT
                and then Navigation_Mode'Old = RP)
@@ -296,7 +289,7 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is
        =>
          Power_State = ON
        and then On_State = RUNNING
-        and then Running_State = CLIMB,
+        and then Running_State = FLIGHT,

        Power_State = ON
        and then On_State = RUNNING
@@ -311,7 +304,8 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is

        Power_State = ON
        and then On_State = RUNNING
-        and then Running_State = CRUISE
+        and then Running_State = FLIGHT
+        and then Current_Flight_Phase = CRUISE
        and then Power_On
        and then not Mission_Abort_Received
        and then not Energy_Compatible_With_Mission
@@ -323,7 +317,8 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is

        Power_State = ON
        and then On_State = RUNNING
-        and then Running_State = DESCENT
+        and then Running_State = FLIGHT
+        and then Current_Flight_Phase = DESCENT
        and then Power_On
        and then not Mission_Abort_Received
        and then Descent_Over
@@ -334,49 +329,17 @@ package MMS.F_PT.F_MM.Behavior with SPARK_Mode is

        Power_State = ON
        and then On_State = RUNNING
-        and then (Running_State in CLIMB | CRUISE | DESCENT)
-        and then Power_On
-        and then not Mission_Abort_Received
-        and then Navigation_Mode = RP
-        and then
-          (if Running_State = CRUISE then Energy_Compatible_With_Mission)
-        and then
-          (if Running_State = DESCENT then not Descent_Over)
-        and then Operating_Point_Changed
-        =>
-          Power_State = ON
-        and then On_State = RUNNING
-        and then (Running_State in CLIMB | DESCENT),
-
-        Power_State = ON
-        and then On_State = RUNNING
-        and then (Running_State in CLIMB | DESCENT)
-        and then Power_On
-        and then not Mission_Abort_Received
-        and then (if Navigation_Mode = RP then not Operating_Point_Changed)
-        and then (if Running_State = DESCENT then not Descent_Over)
-        and then Cruise_Altitude_Reached
-        =>
-          Power_State = ON
-        and then On_State = RUNNING
-        and then Running_State = CRUISE,
-
-        Power_State = ON
-        and then On_State = RUNNING
-        and then (Running_State in CLIMB | DESCENT | CRUISE)
+        and then Running_State = FLIGHT
        and then Power_On
        and then not Mission_Abort_Received
        and then
-          (if Running_State = CRUISE then Energy_Compatible_With_Mission)
-        and then (if Navigation_Mode = RP then not Operating_Point_Changed)
+          (if Current_Flight_Phase = CRUISE then Energy_Compatible_With_Mission)
        and then
-          (if Running_State in CLIMB | DESCENT then
-                 not Cruise_Altitude_Reached)
-        and then (if Running_State = DESCENT then not Descent_Over)
+          (if Current_Flight_Phase = DESCENT then not Descent_Over)
        =>
          Power_State = ON
        and then On_State = RUNNING
-        and then Running_State = Running_State'Old,
+        and then Running_State = FLIGHT,

        Power_State = ON
        and then On_State = RUNNING
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-input.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt-f_mm-input.ads
@@ -64,6 +64,9 @@ package MMS.F_PT.F_MM.Input is
   function Current_Altitude return Current_Altitude_Type
     renames MMS.F_PT.F_FC.Output.Current_Altitude;
   
+   function Current_Flight_Phase return Flight_Phase_Type
+     renames MMS.F_PT.F_FC.Output.Current_Flight_Phase;
+   
   ---------------
   -- From F_EM --
   ---------------
--- a/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt.ads
+++ b/UseCaseDevelopment/Layer2_MMS_SW_SPARK/mms-f_pt.ads
@@ -22,4 +22,6 @@ package MMS.F_PT is
   type Payload_Mass_Grid_Type is array (Payload_Mass_Center range <>)
     of Payload_Mass_Type;

+   type Flight_Phase_Type is (CLIMB, CRUISE, DESCENT);
+
 end MMS.F_PT;