Presented by David LESENS Tuesday 29 November 2011 Hi-Lite project – Case Study ASTRIUM Space Transportation

Presented by David LESENS

Tuesday 29 November 2011

Hi-Lite project – Case StudyASTRIUM Space Transportation

10/05/2011

p2

Overview

Introduction Astrium Space Transportation Case study

SCADE modelling Data handling Numerical algorithm Event driven

Feedbacks on Alfa Gnatprove Conclusion

10/05/2011

p3

Astrium case study

10/05/2011

p4

Event driven Data flow driven & algorithms

EC

S

EP

C

EA

P

EA

P

EC

S

EP

CEA

P

EA

P

EC

S

EP

CEA

P

EA

P

• Acquisition ofmeasurement

Sen

sors

• Send commandsto actuators

Actu

ators

GNC

• Compute thecommands

Control

• Where shall I go ?Guidance

• Where am I ?NavigationEn

viron

me

En

viron

me

nt

nt

En

viron

me

En

viron

me

nt

nt

Data handlingMiddleware

10/05/2011

p5

Tools

gnatpro-7.1.0w-20111122-45-i686-pc-mingw32-binhilite-0.1w-20111122-i686-pc-mingw32-bingps-5.1.0-i686-pc-mingw32aunit-3.3.1-i686-pc-mingw32

SCADE Suite version 6.3 beta (build i9)

10/05/2011

p6

Overview




10/05/2011

p7

Solar wing deployment

Thermalknives

Thermalknives

The Flight Application SoftwareThe Flight Application Softwarepowers thermal knives in orderpowers thermal knives in orderto deploy the solar wingsto deploy the solar wings

• Acyclic events• Redundancy (FDIR)• Automaton oriented

Software part modelledin SCADE

10/05/2011

p8

Software architecture in SCADE

10/05/2011

p9

Hierarchical automata

10/05/2011

p10

Mode automaton

10/05/2011

p11

Activation conditions

10/05/2011

p12

Automatic generated code

10/05/2011

p13

Overview




10/05/2011

p14

Data handling

ECSS-E-70-41A “Space engineering – Ground systems and operations – Telemetry

and telecommand packet Utilization”, 30 January 2003) Ground / board communications Vehicle management

10/05/2011

p15

Structure of telemetry / telecommand packets

10/05/2011

p16

Verification of telecommand packets

10/05/2011

p17

Definition of data bus

10/05/2011

p18

Access to the data bus

10/05/2011

p19

Monitoring list

10/05/2011

p20

Overview




10/05/2011

p21

Orientation of the ATV solar wings Optimisation of energy

From SPARK to Alfa

Algorithms

10/05/2011

p22

Mathematical library

10/05/2011

p23

Mathematical library with test cases

Is the test cases defined for Sin32 applicable

10/05/2011

p24

Mathematical library: matrix product definition

Classical “safe” way

10/05/2011

p25

Mathematical library: matrix product use

Quite complex type definition

10/05/2011

p26

Mathematical library: matrix product definition

Classical “unsafe” way / Hi-Lite “safe” way?

Simple type definition

10/05/2011

p27

Overview




10/05/2011

p28

Automata (1/2)

10/05/2011

p29

Automata (2/2)

10/05/2011

p30

Overview




10/05/2011

p31

Ambiguity to missing parenthesis detected

10/05/2011

p32

Overloading of operators possible

10/05/2011

p33

Difficulty to write a contract (precision)

10/05/2011

p34

Powerful contract

10/05/2011

p35

Extensions

Can this property be expressed as an invariant of the plan type?

10/05/2011

p36

Abstract variables

10/05/2011

p37

Abstract variables

In SPARK, an abstract global variable would be defined. The contracts will then specified than only the "Run_Time" subprogram can modify this global variable

In ALFA, such abstract global variables do not exist

++ mvm__obit__get_obit mvm-obit.ads:44-- mvm__obit__run_time mvm-obit.ads:36 (unsupported construct) [Old attribute]

++ mvm__obit__get_obit mvm-obit.ads:44-- mvm__obit__run_time mvm-obit.ads:36 (unsupported construct) [Old attribute]

10/05/2011

p38

Abstract variables: First solution

The OBIT variable should be private

++ mvm__obit__get_obit mvm-obit.ads:48++ mvm__obit__run_time mvm-obit.ads:40

++ mvm__obit__get_obit mvm-obit.ads:48++ mvm__obit__run_time mvm-obit.ads:40

10/05/2011

p39

Abstract variables: Second solution

++ mvm__obit__get mvm-obit.ads:49-- mvm__obit__run_time mvm-obit.ads:41 (unsupported construct)

++ mvm__obit__get mvm-obit.ads:49-- mvm__obit__run_time mvm-obit.ads:41 (unsupported construct)

10/05/2011

p40

In this case, the contract is equivalent to the implementation

10/05/2011

p41

Overview




10/05/2011

p42

**********************************Subprograms in Alfa : 68% (414/613) ... already supported : 52% (321/613) ... not yet supported : 15% ( 93/613)Subprograms not in Alfa : 32% (199/613)

Subprograms not in Alfa due to (possibly more than one reason): unchecked conversion : 32% (194/613) ambiguous expr : 1% ( 7/613)

Subprograms not yet supported due to (possibly more than one reason): generic : 39% (237/613) attribute : 5% ( 29/613) conversion : 4% ( 24/613) discriminant : 2% ( 11/613) slice : 2% ( 11/613) multi dim array : 0% ( 2/613)(...)

Units with the largest number of subprograms in Alfa: ml-bits : 51% (197/389) ml : 100% (113/113) tmtc-data_pool : 85% (41/48) sgs-main : 100% (14/14) scade-ln1 : 100% (11/11) mvm-automaton : 100% (7/7)(...)

Units with the largest number of subprograms not in Alfa: ml-bits : 49% (192/389) tmtc-data_pool : 15% (7/48)**********************************

**********************************Subprograms in Alfa : 68% (414/613) ... already supported : 52% (321/613) ... not yet supported : 15% ( 93/613)Subprograms not in Alfa : 32% (199/613)

Subprograms not in Alfa due to (possibly more than one reason): unchecked conversion : 32% (194/613) ambiguous expr : 1% ( 7/613)

Subprograms not yet supported due to (possibly more than one reason): generic : 39% (237/613) attribute : 5% ( 29/613) conversion : 4% ( 24/613) discriminant : 2% ( 11/613) slice : 2% ( 11/613) multi dim array : 0% ( 2/613)(...)

Units with the largest number of subprograms in Alfa: ml-bits : 51% (197/389) ml : 100% (113/113) tmtc-data_pool : 85% (41/48) sgs-main : 100% (14/14) scade-ln1 : 100% (11/11) mvm-automaton : 100% (7/7)(...)

Units with the largest number of subprograms not in Alfa: ml-bits : 49% (192/389) tmtc-data_pool : 15% (7/48)**********************************

10/05/2011

p43

ambiguous expr

10/05/2011

p44

Gnatprove

Number of specification not in Alfa is 0Number of body not in Alfa is 199

10/05/2011

p45

ProofProject: mlgnatprove --mode=prove -P ml.gprPhase 1 of 3: frame condition computation ...Phase 2 of 3: translation to intermediate language ...ml-bits.adb:1385:07: warning: types for unchecked conversion have different sizes…

raised CONSTRAINT_ERROR : no element available because key not in mapalfa_report C:\Users\david\Mes documents\Developpement\TMTC\ADA\src\OBJ\gnatprove\gnatprove.alfad failed.Analysis performed in 18 seconds (0 h 0 mn 18 s)(Start at 28/11/2011, 22h51mn25s and end at 28/11/2011, 22h51mn43s) gnatprove : 16 seconds (0 h 0 mn 16 s)

Project: mlgnatprove --mode=prove -P ml.gprPhase 1 of 3: frame condition computation ...Phase 2 of 3: translation to intermediate language ...ml-bits.adb:1385:07: warning: types for unchecked conversion have different sizes…

raised CONSTRAINT_ERROR : no element available because key not in mapalfa_report C:\Users\david\Mes documents\Developpement\TMTC\ADA\src\OBJ\gnatprove\gnatprove.alfad failed.Analysis performed in 18 seconds (0 h 0 mn 18 s)(Start at 28/11/2011, 22h51mn25s and end at 28/11/2011, 22h51mn43s) gnatprove : 16 seconds (0 h 0 mn 16 s)

Not yet investigated Not yet investigated

10/05/2011

p46

Overview




10/05/2011

p47

Conclusion

Alfa safer than Ada

Alfa easier to use than SPARK

Alfa misses some constructs (compared to SPARK)

10/05/2011

p48

Always a great support from AdaCore

Documents

Presented by David LESENS Tuesday 29 November 2011 Hi-Lite project – Case Study ASTRIUM Space Transportation