1
|
--Historically
|
2
|
node H(X:bool) returns (Y:bool);
|
3
|
let
|
4
|
Y = X -> (X and (pre Y));
|
5
|
tel
|
6
|
|
7
|
--Y since inclusive X
|
8
|
node SI(X,Y: bool) returns (Z:bool);
|
9
|
let
|
10
|
Z = Y and (X or (false -> pre Z));
|
11
|
tel
|
12
|
|
13
|
--Y since X
|
14
|
node S(X,Y: bool) returns (Z:bool);
|
15
|
let
|
16
|
Z = X or (Y and (false -> pre Z));
|
17
|
tel
|
18
|
|
19
|
--Once
|
20
|
node O(X:bool) returns (Y:bool);
|
21
|
let
|
22
|
Y = X or (false -> pre Y);
|
23
|
tel
|
24
|
|
25
|
node First( X : bool ) returns ( Y : bool );
|
26
|
let
|
27
|
Y = X -> pre Y;
|
28
|
tel
|
29
|
|
30
|
--Timed Once: less than or equal to N
|
31
|
node OTlore(const N: int; X: bool; ) returns (Y: bool);
|
32
|
var C:int;
|
33
|
let
|
34
|
C = if X then 0
|
35
|
else (-1 -> pre C + (if pre C <0 then 0 else 1));
|
36
|
|
37
|
Y = First(X)
|
38
|
->
|
39
|
(if pre C < 0 then false
|
40
|
else C <= N
|
41
|
);
|
42
|
tel
|
43
|
|
44
|
-- Timed Historically: less than or equal to N
|
45
|
node HTlore(const N: int; X: bool) returns (Y: bool);
|
46
|
let
|
47
|
Y = not OTlore(N, not X);
|
48
|
tel
|
49
|
|
50
|
-- Timed Since: less than or equal to N
|
51
|
node STlore(const N: int; X: bool; Y: bool; ) returns (Z: bool);
|
52
|
let
|
53
|
Z = S(X, Y) and OTlore(N, X);
|
54
|
tel
|
55
|
|
56
|
-- Timed Since Inclusive: less than or equal to N
|
57
|
node SITlore(const N: int; X: bool; Y: bool; ) returns (Z: bool);
|
58
|
let
|
59
|
Z = SI(X,Y) and OTlore(N, X);
|
60
|
tel
|
61
|
|
62
|
(*@
|
63
|
contract FSMSpec(apfail:bool; limits:bool; standby:bool; supported:bool; ) returns (pullup: bool; );
|
64
|
|
65
|
--Block Path: fsm_12B
|
66
|
|
67
|
let
|
68
|
|
69
|
var FTP:bool = true -> false;
|
70
|
|
71
|
--guarantee "FSM001" S( (((limits and not standby and not apfail and supported) => (pullup)) and FTP), ((limits and not standby and not apfail and supported) => (pullup)) );
|
72
|
guarantee "FSM001V2" limits and not standby and not apfail and supported => pullup;
|
73
|
|
74
|
tel
|
75
|
*)
|
76
|
|
77
|
|
78
|
(*@ contract FSM_AutopilotSpec(apfail:bool; good:bool; prevState:real; standby:bool; supported:bool; ) returns (pullup:bool; state_1:real; );
|
79
|
|
80
|
--Block Path: fsm_12B/FiniteStateMachine/Manager
|
81
|
|
82
|
let
|
83
|
var FTP:bool = true -> false;
|
84
|
|
85
|
|
86
|
|
87
|
--valid
|
88
|
guarantee "FSM002" S( (((standby and prevState = 0.0) => (state_1 = 3.0)) and FTP), ((standby and prevState = 0.0) => (state_1 = 3.0)) );
|
89
|
|
90
|
|
91
|
--guarantee "FSM003" S( (((prevState = 0.0 and good and supported) => (state_1 = 1.0)) and FTP), ((prevState = 0.0 and good and supported) => (state_1 = 1.0)) );
|
92
|
--the reuirement is not correct as they didn't clearly mentionned the pilot is not in control (not standby).
|
93
|
-- the correct version should be
|
94
|
-- "3. The autopilot shall change states from TRANSITION to NOMINAL when the pilot is not in control and the system is supported and sensor data is good.
|
95
|
guarantee "FSM003V2" prevState = 0.0 and not standby and good and supported => state_1 = 1.0;
|
96
|
|
97
|
|
98
|
--guarantee "FSM008" S( (((prevState = 3.0 and not standby) => (state_1 = 0.0)) and FTP), ((prevState = 3.0 and not standby) => (state_1 = 0.0)) );
|
99
|
-- the requirement is not correct, they forgot to mention "a failure does not occur (not apfail)"
|
100
|
guarantee "FSM008V2" prevState = 3.0 and not standby and not apfail => state_1 = 0.0;
|
101
|
|
102
|
--valid
|
103
|
guarantee "FSM009" S( (((prevState = 3.0 and apfail) => (state_1 = 2.0)) and FTP), ((prevState = 3.0 and apfail) => (state_1 = 2.0)) );
|
104
|
|
105
|
|
106
|
--valid
|
107
|
guarantee "FSM005" S( (((prevState = 1.0 and standby) => (state_1 = 3.0)) and FTP), ((prevState = 1.0 and standby) => (state_1 = 3.0)) );
|
108
|
|
109
|
--guarantee "FSM007" S( (((pullup and supported and good) => (state_1 = 0.0)) and FTP), ((pullup and supported and good) => (state_1 = 0.0)) );
|
110
|
-- the formalization is not correct. In the table in definition of pullup: "True when the autopilot is in the MANEUVER state"
|
111
|
-- the requirement is also not correct as it did not mentioned "not standby".
|
112
|
guarantee "FSM007V2" prevState = 2.0 and supported and good and not standby => (state_1 = 0.0) ;
|
113
|
|
114
|
|
115
|
--guarantee "FSM004" S( (((not good and prevState = 1.0) => (state_1 = 2.0)) and FTP), ((not good and prevState = 1.0) => (state_1 = 2.0)) );
|
116
|
-- the requirement is also not correct as it did not mentioned "not standby".
|
117
|
guarantee "FSM004V2" not good and prevState = 1.0 and not standby => state_1 = 2.0;
|
118
|
|
119
|
--valid
|
120
|
guarantee "FSM006" S( (((prevState = 2.0 and standby and good) => (state_1 = 3.0)) and FTP), ((prevState = 2.0 and standby and good) => (state_1 = 3.0)) );
|
121
|
|
122
|
|
123
|
|
124
|
|
125
|
|
126
|
tel
|
127
|
*)
|
128
|
|
129
|
(*@contract FSM_SensorSpec(MODE:bool; limits:bool; prevSensState:real; request:bool; ) returns (sensState: real; );
|
130
|
|
131
|
--Block Path: fsm_12B/FiniteStateMachine/Sen
|
132
|
|
133
|
let
|
134
|
var FTP:bool = true -> false;
|
135
|
|
136
|
|
137
|
--guarantee "FSM011" S( (((prevSensState = 0.0 and not request) => (sensState = 1.0)) and FTP), ((prevSensState = 0.0 and not request) => (sensState = 1.0)) );
|
138
|
-- This requirement is not correct as they did not mention "when limits are not exceeded" which is implicitly implicated from "FSM010" requirement.
|
139
|
-- To rewrtie it: "11. The sensor shall change states from NOMINAL to TRANSITION when the autopilot is not requesting support and limits are not exceeded."
|
140
|
guarantee "FSM011V2" (prevSensState = 0.0 and not request and not limits) => (sensState = 1.0);
|
141
|
|
142
|
|
143
|
--valid
|
144
|
guarantee "FSM012" S( (((prevSensState = 2.0 and not request and not limits) => (sensState = 1.0)) and FTP), ((prevSensState = 2.0 and not request and not limits) => (sensState = 1.0)) );
|
145
|
|
146
|
|
147
|
--valid
|
148
|
guarantee "FSM010" S( (((prevSensState = 0.0 and limits) => (sensState = 2.0)) and FTP), ((prevSensState = 0.0 and limits) => (sensState = 2.0)) );
|
149
|
|
150
|
|
151
|
--valid
|
152
|
guarantee "FSM013" S( (((prevSensState = 1.0 and request and MODE) => (sensState = 0.0)) and FTP), ((prevSensState = 1.0 and request and MODE) => (sensState = 0.0)) );
|
153
|
|
154
|
|
155
|
tel
|
156
|
*)
|