Ada 2012 and SPARK
Crazyflie and Railway demos
Eric Perlade, 2015/10/01
CrazyFlie 2.0
• 27 g ready-to-fly drone
• Ideal for indoor use
• Android and iOS app (Bluetooth LE)
• Python client using a radio dongle
• Based on STM32F4 (ARM Cortex-M4) and NRF5181 (radio chip)
• Firmware entirely written in C
• 5900 lines of code (not including drivers, HAL and external libs)
• Based on FreeRTOS (tasking)
Why?
• Drone security and safety are becoming an important issue
• Stricter certification regime for drones coming in Europe
• AdaCore is partnering with Squadrone Systems to build an open-source certifiable drone in Ada/SPARK
• Will show the feasibility of this project
First Steps … towards safety
Q1) What code parts are the most critical in a drone firmware?
Answer: the parts related to the stabilization system
Action Items:
– Re-implementing the stabilization system in SPARK 2014
– Proving absence of runtime errors
Stabilization system
Issues with original source code
• The C code was not designed to be formally proved
• The stabilization system in C uses C predefined types (float, int, etc.)
• Absence of runtime errors can't be proved on calculations with general types
• Example:

    float calculateError(float measured, float desired) {
        return desired - measured;
    } // Will cause an obvious overflow if called with
      // FLT_MIN and FLT_MAX…
Solution with SPARK 2014
• Each module of the stabilization system transformed into a SPARK package
• Use of constrained types and subtypes (e.g. defining a type T_Angle instead of using the general Ada type Float)
• Genericity for sharing code
• Insert saturation when needed
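The two slides above in working form, as an added example written for this page (it is neither the slides' code nor the Crazyflie firmware): the C calculateError rewritten as a SPARK package with a constrained angle type, so that the subtraction is provably in range, plus a saturation function for clamping raw setpoints. The angle ranges, the names Attitude, T_Angle, T_Angle_Error, Calculate_Error and Saturate are assumptions.

```ada
--  Added example, not from the slides or the Crazyflie firmware.
--  With T_Angle bounded, GNATprove can discharge the range and
--  overflow checks that it cannot prove on an unconstrained Float.
package Attitude with SPARK_Mode is

   --  Assumed range: roll/pitch angles in degrees.
   subtype T_Angle is Float range -180.0 .. 180.0;

   --  The difference of two angles spans at most twice that range,
   --  so the result subtype is chosen to make the proof go through.
   subtype T_Angle_Error is Float range -360.0 .. 360.0;

   --  Same computation as the C calculateError, but every input and
   --  the result are constrained: no overflow is possible.
   function Calculate_Error
     (Measured, Desired : T_Angle) return T_Angle_Error
   is (Desired - Measured);

   --  "Insert saturation when needed": clamp an arbitrary Float
   --  (e.g. a raw setpoint from the radio link) into a legal angle.
   --  The postcondition is what callers rely on in their own proofs.
   function Saturate
     (Value : Float; Low, High : T_Angle) return T_Angle
   with
     Pre  => Low <= High,
     Post => Saturate'Result in Low .. High;

end Attitude;

package body Attitude with SPARK_Mode is

   function Saturate
     (Value : Float; Low, High : T_Angle) return T_Angle
   is
   begin
      if Value < Low then
         return Low;
      elsif Value > High then
         return High;
      else
         --  Here Low <= Value <= High, so the conversion to T_Angle
         --  cannot raise Constraint_Error; GNATprove proves the check.
         return Value;
      end if;
   end Saturate;

end Attitude;
```

Running gnatprove on a project containing this package reports the subtraction and the implicit range check on Value as proved, which is the "absence of runtime errors" result the slides describe.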
Result
• Proof of absence of runtime errors on every package
• Discovery of one bug related to overflows, corrected by the Bitcraze team later
Next Steps … towards more safety
Q2) What code parts are critical in a drone firmware?
Answer: all of them!
Action Items: Re-implementing the whole firmware in Ada 2012 and SPARK
• Replacing the OS by the Ravenscar runtime
• Rewriting the other modules and drivers
SPARK 2014 and C
[Architecture diagram: layered firmware]
SPARK 2014: Stabilization System
High-Level C code: Communication System
Low-Level C code: FreeRTOS, ST peripheral Drivers, Crazyflie Drivers (sensors, actuators)
Runtime and Drivers
• Replace FreeRTOS by a Ravenscar-based runtime targeting the STM32F4
• Replace all the FreeRTOS tasks using the Ravenscar tasking model (tasks, protected objects)
• Rewrite the Crazyflie drivers using the ST Peripheral Drivers in Ada
SPARK 2014, Ada 2012 and no C
[Architecture diagram: layered firmware]
SPARK 2014: Stabilization System
High-Level Ada 2012 code: Communication System
Low-Level Ada 2012 code: Ravenscar RT, ST peripheral Drivers, Crazyflie Drivers (sensors, actuators)
Goal achieved?
• Crazyflie with a 100% Ada and SPARK firmware in 5 months, without any previous Ada or formal methods experience
• But still not easy to pilot
One last question: what code part would be critical in a drone firmware?
Answer: A secret recovery feature
Action Item: Implementing a free fall recovery mode
Free Fall detection
[Figure: two traces, "When placed on a flat surface" and "Free-fall detected"]
Recovery and Landing
• Set desired angles to 0.0 for roll and pitch
• High thrust applied after a free fall
• Thrust slowly decreased until a minimum that lets the drone land properly
• Calculate the acceleration variance while the drone is in the descending phase
• If the variance is high, the drone has landed: recovery is over!
Real life validation
Action Item: Dropping the flie
Railway safe signaling Demo
Why?
• To prove the absence of collision using SPARK 2014
• To get closer to the customer experience
• And mainly to play with our new Raspberry Pi 2 port!
Hardware
• Electrical railway modelling kit
• On-off power relay to control trains
• Hall effect sensors to detect trains
• Turnout motors to control switches
• Raspberry Pi 2
One way track model
[Diagram: controlled section (On/Off), uncontrolled section (always on), sensor]
[Animation sequence: Slow train coming → Slow train going on → Slow train detected → Slow train still going → Slow train detected again → Slow train going away]
Turnout: the tricky part
Railway layout
Software design
[Component diagram]
with SPARK_Mode: Signaling Manager (protected object), Sensor monitoring (task)
SDL Graphical Interface (task)
Train Simulator (task)
HW interface: Raspberry Pi 2 GPIO
SPARK proof
Real life validation
Action Item: Dropping the train
Conclusion
• It works!
• Ada 2012 mixed with SPARK 2014 is ready for the industry
• Easy to access and learn technology
• Demo sources will be available on GitHub
• Have a look at AdaCore University: http://university.adacore.com/