coffee/coffee.pygments
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
This repository has been archived on 2024-06-20. You can view files and clone it, but you cannot make any changes to it's state, such as pushing and creating new issues, pull requests or comments.
coffee.pygments/tests/examplefiles/nusmv/guidance.smv
Oleh Prypin 6f43092173
Also add auto-updatable output-based tests to examplefiles (#1689) 
Co-authored-by: Georg Brandl <georg@python.org>
2021-01-20 10:48:45 +01:00

1124 lines
33 KiB
Text
Raw Permalink Blame History

--
-- Shuttle Digital Autopilot
-- by Sergey Berezin (berez@cs.cmu.edu)
--
MODULE cont_3eo_mode_select(start,smode5,vel,q_bar,apogee_alt_LT_alt_ref,
h_dot_LT_hdot_reg2,alpha_n_GRT_alpha_reg2,
delta_r_GRT_del_r_usp,v_horiz_dnrng_LT_0,
high_rate_sep,meco_confirmed)
VAR cont_3EO_start: boolean;
RTLS_abort_declared: boolean;
region_selected : boolean;
m_mode: {mm102, mm103, mm601};
r: {reg-1, reg0, reg1, reg2, reg3, reg102};
step : {1,2,3,4,5,6,7,8,9,10, exit, undef};
ASSIGN
init(cont_3EO_start) := FALSE;
init(m_mode) := {mm102, mm103};
init(region_selected) := FALSE;
init(RTLS_abort_declared) := FALSE;
init(r) := reg-1;
init(step) := undef;
next(step) :=
case
step = 1 & m_mode = mm102 : exit;
step = 1 : 2;
step = 2 & smode5 : 5;
step = 2 & vel = GRT_vi_3eo_max: exit;
step = 2 : 3;
step = 3 & vel = LEQ_vi_3eo_min : 6;
step = 3 : 4;
step = 4 & apogee_alt_LT_alt_ref: exit;
step = 4 : 6;
step = 5 : 6;
step = 6 & r = reg0 : exit;
step = 6 : 7;
step = 7 : 8;
step = 8 & q_bar = GRT_qbar_reg3 & !high_rate_sep : 10;
step = 8 : 9;
step = 9 : 10;
step = 10: exit;
next(start): 1;
step = exit : undef;
TRUE: step;
esac;
next(cont_3EO_start) :=
case
step = 1 & m_mode = mm102 : TRUE;
step = 10 & meco_confirmed : TRUE;
TRUE : cont_3EO_start;
esac;
next(r) :=
case
step = 1 & m_mode = mm102 : reg102;
step = 2 & !smode5 & vel = GRT_vi_3eo_max: reg0;
step = 4 & apogee_alt_LT_alt_ref: reg0;
step = 5 & v_horiz_dnrng_LT_0 & delta_r_GRT_del_r_usp : reg0;
step = 8 & q_bar = GRT_qbar_reg3 & !high_rate_sep : reg3;
step = 9: case
(h_dot_LT_hdot_reg2 & alpha_n_GRT_alpha_reg2 &
q_bar = GRT_qbar_reg1) | high_rate_sep : reg2;
TRUE : reg1;
esac;
next(step) = 1 : reg-1;
TRUE: r;
esac;
next(RTLS_abort_declared) :=
case
step = 10 & meco_confirmed & m_mode = mm103 : TRUE;
TRUE: RTLS_abort_declared;
esac;
next(m_mode) :=
case
step = 10 & meco_confirmed & m_mode = mm103 : mm601;
TRUE: m_mode;
esac;
next(region_selected) :=
case
next(step) = 1 : FALSE;
next(step) = exit : TRUE;
TRUE : region_selected;
esac;
MODULE cont_3eo_guide(start,cont_3EO_start, mode_select_completed, et_sep_cmd,
h_dot_LT_0, q_bar_a_GRT_qbar_max_sep, m_mode, r0,
cont_minus_z_compl, t_nav-t_et_sep_GRT_dt_min_z_102,
ABS_q_orb_GRT_q_minus_z_max, ABS_r_orb_GRT_r_minus_z_max,
excess_OMS_propellant, q_bar_a_LT_qbar_oms_dump,
entry_mnvr_couter_LE_0, rcs_all_jet_inhibit,
alt_GRT_alt_min_102_dump, t_nav-t_gmtlo_LT_t_dmp_last,
pre_sep, cond_18, q_orb_LT_0, ABS_alf_err_LT_alf_sep_err,
cond_20b, cond_21, ABS_beta_n_GRT_beta_max, cond_24, cond_26,
cond_27, cond_29, mm602_OK)
VAR
step: {1,a1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,
b20, c20, d20, 21,22,23,24,25,26,27,28,29,exit, undef};
call_RTLS_abort_task : boolean;
first3: boolean; -- indicates if it is the first pass
first8: boolean;
first27: boolean;
s_unconv : boolean;
mode_2_indicator : boolean;
et_sep_man_initiate : boolean;
emerg_sep : boolean;
cont_3eo_pr_delay : {minus_z_reg1, minus_z_reg2,
minus_z_reg3, minus_z_reg4, minus_z_reg102, 0, 5};
etsep_y_drift : {undef, minus_z_reg1, minus_z_reg2,
minus_z_reg3, minus_z_reg4, minus_z_reg102, 0};
fwd_rcs_dump_enable : boolean;
fcs_accept_icnct : boolean;
oms_rcs_i_c_inh_ena_cmd : boolean;
orbiter_dump_ena : boolean;
frz_3eo : boolean;
high_rate_sep: boolean;
entry_gains : boolean;
cont_sep_cplt : boolean;
pch_cmd_reg4 : boolean;
alpha_ok : boolean;
r : {reg-1, reg0, reg1, reg2, reg3, reg4, reg102};
early_sep : boolean;
--------------------------------------------
----- Additional Variables -----------------
--------------------------------------------
rtls_lo_f_d_delay : {undef, 0};
wcb2 : {undef, reg1_0, reg2_neg4, wcb2_3eo, reg4_0,
reg102_undef, post_sep_0};
q_gcb_i : {undef, quat_reg1, quat_reg2, quat_reg3, quat_reg4,
quat_reg102_undef, quat_entry_M50_to_cmdbody};
oms_nz_lim : {undef, oms_nz_lim_3eo, oms_nz_lim_iload, oms_nz_lim_std};
contingency_nz_lim : {undef, contingency_nz_lim_3eo,
contingency_nz_lim_iload, contingency_nz_lim_std};
ASSIGN
init(entry_gains) := FALSE;
init(frz_3eo) := FALSE;
init(cont_3eo_pr_delay) := 5;
init(etsep_y_drift) := undef;
init(r) := reg-1;
init(step) := undef;
init(call_RTLS_abort_task) := FALSE;
init(first3) := TRUE;
init(first8) := TRUE;
init(first27) := TRUE;
init(cont_sep_cplt) := FALSE;
init(et_sep_man_initiate) := FALSE;
init(alpha_ok) := FALSE;
init(pch_cmd_reg4) := FALSE;
-- Assumed initializations:
init(rtls_lo_f_d_delay) := undef;
init(wcb2) := undef;
init(q_gcb_i) := undef;
init(oms_nz_lim) := undef;
init(contingency_nz_lim) := undef;
init(oms_rcs_i_c_inh_ena_cmd) := FALSE;
init(orbiter_dump_ena) := FALSE;
-- init(early_sep) := FALSE;
-------------
next(step) := nextstep;
next(r) :=
case
step = a1 & (cont_3EO_start | mode_select_completed) : r0;
step = 21 & cond_21 : reg4;
step = 23 & ABS_beta_n_GRT_beta_max & !high_rate_sep : reg1;
TRUE : r;
esac;
next(first3) :=
case
step = 3 & cont_3EO_start : FALSE;
TRUE : first3;
esac;
next(first8) :=
case
step = 8 & excess_OMS_propellant & cont_3EO_start : FALSE;
TRUE : first8;
esac;
next(first27) :=
case
step = 27 : FALSE;
TRUE: first27;
esac;
next(s_unconv) :=
case
step = 3 : FALSE;
TRUE : s_unconv;
esac;
next(call_RTLS_abort_task) :=
case
step = 3 : TRUE;
TRUE : call_RTLS_abort_task;
esac;
next(mode_2_indicator) :=
case
step = 4 : TRUE;
TRUE : mode_2_indicator;
esac;
next(et_sep_man_initiate) :=
case
step = 5 & h_dot_LT_0 & q_bar_a_GRT_qbar_max_sep & m_mode != mm102 : TRUE;
step = 14 & pre_sep : TRUE;
step = 19 & q_orb_LT_0 : TRUE;
step = d20 : TRUE;
step = 26 & cond_26 : TRUE;
step = 29 & cond_29 : TRUE;
TRUE : et_sep_man_initiate;
esac;
next(emerg_sep) :=
case
next(step) = 1 : FALSE;
step = 5 & h_dot_LT_0 & q_bar_a_GRT_qbar_max_sep & m_mode != mm102: TRUE;
TRUE : emerg_sep;
esac;
next(cont_3eo_pr_delay) :=
case
next(step) = 1 : 5;
step = 5 & h_dot_LT_0 & q_bar_a_GRT_qbar_max_sep & m_mode != mm102 :
minus_z_reg3;
step = 7 & !cont_minus_z_compl & r = reg102 &
t_nav-t_et_sep_GRT_dt_min_z_102 &
(ABS_q_orb_GRT_q_minus_z_max | ABS_r_orb_GRT_r_minus_z_max) : 0;
step = 14 & pre_sep : minus_z_reg102;
step = 19 & q_orb_LT_0 : minus_z_reg4;
step = d20 : minus_z_reg3;
step = 26 & cond_26 : minus_z_reg2;
step = 27 & first27 : minus_z_reg1;
TRUE : cont_3eo_pr_delay;
esac;
next(etsep_y_drift) :=
case
step = 5 & h_dot_LT_0 & q_bar_a_GRT_qbar_max_sep & m_mode != mm102 :
minus_z_reg3;
step = 7 & !cont_minus_z_compl & r = reg102 &
t_nav-t_et_sep_GRT_dt_min_z_102 &
(ABS_q_orb_GRT_q_minus_z_max | ABS_r_orb_GRT_r_minus_z_max) : 0;
step = 14 & pre_sep : minus_z_reg102;
step = 19 & q_orb_LT_0 : minus_z_reg4;
step = d20 : minus_z_reg3;
step = 26 & cond_26 : minus_z_reg2;
step = 27 & first27 : minus_z_reg1;
TRUE : etsep_y_drift;
esac;
next(fwd_rcs_dump_enable) :=
case
step = 8 & excess_OMS_propellant & first8 : FALSE;
TRUE : fwd_rcs_dump_enable;
esac;
next(fcs_accept_icnct) :=
case
step = 9 & q_bar_a_LT_qbar_oms_dump & r != reg102 : TRUE;
TRUE : fcs_accept_icnct;
esac;
next(oms_rcs_i_c_inh_ena_cmd) :=
case
-- next(step) = 1 & oms_rcs_i_c_inh_ena_cmd : {0,1};
next(step) = 1 & oms_rcs_i_c_inh_ena_cmd : FALSE; -- Assumed initialization
step = 9 & q_bar_a_LT_qbar_oms_dump & r != reg102 : TRUE;
TRUE : oms_rcs_i_c_inh_ena_cmd;
esac;
next(orbiter_dump_ena) :=
case
next(start) = TRUE : FALSE; -- Assumed initialization
step = 9 & q_bar_a_LT_qbar_oms_dump & r != reg102 : TRUE;
step = 13 & alt_GRT_alt_min_102_dump & t_nav-t_gmtlo_LT_t_dmp_last : TRUE;
TRUE : orbiter_dump_ena;
esac;
next(frz_3eo) :=
case
next(step) = 1 : FALSE;
step = 10 & entry_mnvr_couter_LE_0 & !rcs_all_jet_inhibit : FALSE;
step = 28 & !et_sep_man_initiate : TRUE;
TRUE : frz_3eo;
esac;
next(high_rate_sep) :=
case
step = 10 & entry_mnvr_couter_LE_0 & !rcs_all_jet_inhibit : FALSE;
step = 25 : TRUE;
TRUE : high_rate_sep;
esac;
next(entry_gains) :=
case
next(step) = 1 : FALSE;
step = 10 & entry_mnvr_couter_LE_0 & !rcs_all_jet_inhibit : TRUE;
TRUE : entry_gains;
esac;
next(cont_sep_cplt) :=
case
next(step) = 1 : FALSE;
step = 12 & mm602_OK : TRUE;
TRUE : cont_sep_cplt;
esac;
next(pch_cmd_reg4) :=
case
next(step) = 1 : FALSE;
step = 18 & !pch_cmd_reg4 & cond_18 : TRUE;
TRUE : pch_cmd_reg4;
esac;
next(alpha_ok) :=
case
next(step) = 1 : FALSE;
step = 20 & ABS_alf_err_LT_alf_sep_err : TRUE;
TRUE : alpha_ok;
esac;
next(early_sep) :=
case
step = 27 & first27 :
case
cond_27 : TRUE;
TRUE : FALSE;
esac;
TRUE : early_sep;
esac;
--------------------------------------------
----- Additional Variables -----------------
--------------------------------------------
next(rtls_lo_f_d_delay) :=
case
next(start) = TRUE : undef; -- Assumed initialization
step = 8 & first8 & excess_OMS_propellant : 0;
TRUE : rtls_lo_f_d_delay;
esac;
next(wcb2) :=
case
next(start) = TRUE : undef; -- Assumed initialization
step = 10 & entry_mnvr_couter_LE_0 : post_sep_0;
step = 12 : case
r = reg4 : reg4_0;
TRUE : wcb2_3eo;
esac;
step = 14 & pre_sep : reg102_undef;
step = 15 : case
r = reg4 : reg4_0;
TRUE : wcb2_3eo;
esac;
step = 25 : reg2_neg4;
TRUE : wcb2;
esac;
next(q_gcb_i) :=
case
next(start) = TRUE : undef; -- Assumed initialization
step = 11 : quat_entry_M50_to_cmdbody;
step = 14 & pre_sep : quat_reg102_undef;
step = 16 : case
r = reg4 : quat_reg4;
TRUE : quat_reg3;
esac;
step = 22 : quat_reg2;
-- Without this step the value "quat_reg2" would remain in "reg1":
-- step = 23 & ABS_beta_n_GRT_beta_max & !high_rate_sep : undef;
TRUE : q_gcb_i;
esac;
next(oms_nz_lim) :=
case
next(start) = TRUE : undef; -- Assumed initialization
step = 9 & q_bar_a_LT_qbar_oms_dump & r != reg102 : oms_nz_lim_3eo;
step = 12 & mm602_OK : oms_nz_lim_std;
TRUE : oms_nz_lim;
esac;
next(contingency_nz_lim) :=
case
next(start) = TRUE : undef; -- Assumed initialization
step = 9 & q_bar_a_LT_qbar_oms_dump & r != reg102 :
contingency_nz_lim_3eo;
step = 12 & mm602_OK : contingency_nz_lim_std;
TRUE : contingency_nz_lim;
esac;
DEFINE
finished := step = exit;
idle := step = undef;
start_cont_3eo_mode_select :=
case
step = 1 & !cont_3EO_start : TRUE;
TRUE : FALSE;
esac;
nextstep :=
case
step = 1 : a1;
step = a1 : case
(cont_3EO_start | mode_select_completed) : 2;
TRUE : step;
esac;
step = 2 : case
!cont_3EO_start : exit;
first3 : 3;
TRUE: 4;
esac;
step = 3 : 4;
step = 4 : case
et_sep_cmd : 7;
TRUE : 5;
esac;
step = 5 : case
h_dot_LT_0 & q_bar_a_GRT_qbar_max_sep &
m_mode != mm102 : exit;
TRUE : 6;
esac;
step = 6 :
case
r = reg102 : 13;
r in {reg3, reg4} : 15;
r = reg2 : 22;
r = reg1 : 27;
TRUE : exit;
esac;
step = 7 : case
cont_minus_z_compl : 8;
TRUE : exit;
esac;
step = 8 : case
excess_OMS_propellant & first8 : 9;
TRUE : 10;
esac;
step = 9 : exit;
step = 10 : case
!entry_mnvr_couter_LE_0 | rcs_all_jet_inhibit : exit;
TRUE : 11;
esac;
step = 11 : 12;
step = 12 : exit;
step = 13 : 14;
step = 14 : exit;
step = 15 : 16;
step = 16 : 17;
step = 17 : case
r = reg4 : 18;
TRUE : 20;
esac;
step = 18 : case
pch_cmd_reg4 | cond_18 : 19;
TRUE : exit;
esac;
step = 19 : exit;
step = 20 : case
ABS_alf_err_LT_alf_sep_err : b20;
TRUE : c20;
esac;
step = b20 : case
cond_20b : d20;
TRUE : exit;
esac;
step = c20 : case
alpha_ok : d20;
TRUE : 21;
esac;
step = d20 : exit;
TRUE : nextstep21;
esac;
nextstep21 :=
case
step = 21 : case
cond_21 : 15;
TRUE : exit;
esac;
step = 22 : 23;
step = 23 : case
ABS_beta_n_GRT_beta_max & !high_rate_sep : 27;
TRUE : 24;
esac;
step = 24 : case
cond_24 | high_rate_sep : 25;
TRUE : exit;
esac;
step = 25 : 26;
step = 26 : exit;
step = 27 : 28;
step = 28 : case
!et_sep_man_initiate : 29;
TRUE : exit;
esac;
step = 29 : exit;
start : 1;
step = exit : undef;
TRUE : step;
esac;
post_sep_mode := step in {7,8,9,10,11,12};
------------------------------------------------------------------
------------------------------------------------------------------
MODULE main
VAR
smode5: boolean;
vel : {GRT_vi_3eo_max, GRT_vi_3eo_min, LEQ_vi_3eo_min};
q_bar: {GRT_qbar_reg3, GRT_qbar_reg1, LEQ_qbar_reg1};
q_bar_a_GRT_qbar_max_sep : boolean;
q_bar_a_LT_qbar_oms_dump : boolean;
apogee_alt_LT_alt_ref : boolean;
h_dot_LT_hdot_reg2 : boolean;
h_dot_LT_0 : boolean;
alpha_n_GRT_alpha_reg2 : boolean;
delta_r_GRT_del_r_usp : boolean;
v_horiz_dnrng_LT_0: boolean;
meco_confirmed: boolean;
et_sep_cmd : boolean;
cont_minus_z_compl : boolean;
t_nav-t_et_sep_GRT_dt_min_z_102 : boolean;
ABS_q_orb_GRT_q_minus_z_max : boolean;
ABS_r_orb_GRT_r_minus_z_max : boolean;
excess_OMS_propellant : boolean;
entry_mnvr_couter_LE_0 : boolean;
rcs_all_jet_inhibit : boolean;
alt_GRT_alt_min_102_dump : boolean;
t_nav-t_gmtlo_LT_t_dmp_last : boolean;
pre_sep : boolean;
cond_18 : boolean;
q_orb_LT_0 : boolean;
ABS_alf_err_LT_alf_sep_err : boolean;
cond_20b : boolean;
cond_21 : boolean;
ABS_beta_n_GRT_beta_max : boolean;
cond_24 : boolean;
cond_26 : boolean;
cond_27 : boolean;
cond_29 : boolean;
mm602_OK : boolean;
start_guide : boolean;
mated_coast_mnvr : boolean;
cs: cont_3eo_mode_select(cg.start_cont_3eo_mode_select,
smode5,vel,q_bar,apogee_alt_LT_alt_ref,
h_dot_LT_hdot_reg2,alpha_n_GRT_alpha_reg2,
delta_r_GRT_del_r_usp,v_horiz_dnrng_LT_0,
cg.high_rate_sep,meco_confirmed);
cg: cont_3eo_guide(start_guide,
cs.cont_3EO_start, cs.region_selected, et_sep_cmd,
h_dot_LT_0, q_bar_a_GRT_qbar_max_sep, cs.m_mode, cs.r,
cont_minus_z_compl, t_nav-t_et_sep_GRT_dt_min_z_102,
ABS_q_orb_GRT_q_minus_z_max, ABS_r_orb_GRT_r_minus_z_max,
excess_OMS_propellant, q_bar_a_LT_qbar_oms_dump,
entry_mnvr_couter_LE_0, rcs_all_jet_inhibit,
alt_GRT_alt_min_102_dump, t_nav-t_gmtlo_LT_t_dmp_last,
pre_sep, cond_18, q_orb_LT_0, ABS_alf_err_LT_alf_sep_err,
cond_20b, cond_21, ABS_beta_n_GRT_beta_max, cond_24, cond_26,
cond_27, cond_29, mm602_OK);
ASSIGN
init(start_guide) := FALSE;
init(mated_coast_mnvr) := FALSE;
next(entry_mnvr_couter_LE_0) :=
case
!entry_mnvr_couter_LE_0 : {FALSE, TRUE};
TRUE : TRUE;
esac;
---------------------------------------------------------------------
---------------------------------------------------------------------
next(start_guide) :=
case
start_guide : FALSE;
!cg.idle : FALSE;
TRUE : {FALSE, TRUE};
esac;
next(smode5) :=
case
fixed_values : smode5;
cg.idle : { FALSE, TRUE };
TRUE : smode5;
esac;
next(vel) :=
case
fixed_values : vel;
cg.idle : {GRT_vi_3eo_max, GRT_vi_3eo_min, LEQ_vi_3eo_min};
TRUE : vel;
esac;
next(q_bar) :=
case
fixed_values : q_bar;
cg.idle : {GRT_qbar_reg3, GRT_qbar_reg1, LEQ_qbar_reg1};
TRUE : q_bar;
esac;
next(q_bar_a_GRT_qbar_max_sep) :=
case
fixed_values : q_bar_a_GRT_qbar_max_sep;
cg.idle : { FALSE, TRUE };
TRUE : q_bar_a_GRT_qbar_max_sep;
esac;
next(apogee_alt_LT_alt_ref) :=
case
fixed_values : apogee_alt_LT_alt_ref;
cg.idle : { FALSE, TRUE };
TRUE : apogee_alt_LT_alt_ref;
esac;
next(h_dot_LT_hdot_reg2) :=
case
fixed_values : h_dot_LT_hdot_reg2;
cg.idle : { FALSE, TRUE };
TRUE : h_dot_LT_hdot_reg2;
esac;
next(h_dot_LT_0) :=
case
fixed_values : h_dot_LT_0;
cg.idle : { FALSE, TRUE };
TRUE : h_dot_LT_0;
esac;
next(alpha_n_GRT_alpha_reg2) :=
case
fixed_values : alpha_n_GRT_alpha_reg2;
cg.idle : { FALSE, TRUE };
TRUE : alpha_n_GRT_alpha_reg2;
esac;
next(delta_r_GRT_del_r_usp) :=
case
fixed_values : delta_r_GRT_del_r_usp;
cg.idle : { FALSE, TRUE };
TRUE : delta_r_GRT_del_r_usp;
esac;
next(v_horiz_dnrng_LT_0) :=
case
fixed_values : v_horiz_dnrng_LT_0;
cg.idle : { FALSE, TRUE };
TRUE : v_horiz_dnrng_LT_0;
esac;
next(meco_confirmed) :=
case
fixed_values : meco_confirmed;
meco_confirmed : TRUE;
cg.idle : { FALSE, TRUE };
TRUE : meco_confirmed;
esac;
next(et_sep_cmd) :=
case
fixed_values : et_sep_cmd;
et_sep_cmd : TRUE;
cg.idle : { FALSE, TRUE };
TRUE : et_sep_cmd;
esac;
next(cont_minus_z_compl) :=
case
fixed_values : cont_minus_z_compl;
cg.idle : { FALSE, TRUE };
TRUE : cont_minus_z_compl;
esac;
next(t_nav-t_et_sep_GRT_dt_min_z_102) :=
case
fixed_values : t_nav-t_et_sep_GRT_dt_min_z_102;
cg.idle : { FALSE, TRUE };
TRUE : t_nav-t_et_sep_GRT_dt_min_z_102;
esac;
next(ABS_q_orb_GRT_q_minus_z_max) :=
case
fixed_values : ABS_q_orb_GRT_q_minus_z_max;
cg.idle : { FALSE, TRUE };
TRUE : ABS_q_orb_GRT_q_minus_z_max;
esac;
next(ABS_r_orb_GRT_r_minus_z_max) :=
case
fixed_values : ABS_r_orb_GRT_r_minus_z_max;
cg.idle : { FALSE, TRUE };
TRUE : ABS_r_orb_GRT_r_minus_z_max;
esac;
next(excess_OMS_propellant) :=
case
fixed_values : excess_OMS_propellant;
cg.idle & excess_OMS_propellant : { FALSE, TRUE };
TRUE : excess_OMS_propellant;
esac;
next(q_bar_a_LT_qbar_oms_dump) :=
case
fixed_values : q_bar_a_LT_qbar_oms_dump;
cg.idle : { FALSE, TRUE };
TRUE : q_bar_a_LT_qbar_oms_dump;
esac;
next(rcs_all_jet_inhibit) :=
case
fixed_values : rcs_all_jet_inhibit;
cg.idle : { FALSE, TRUE };
TRUE : rcs_all_jet_inhibit;
esac;
next(alt_GRT_alt_min_102_dump) :=
case
fixed_values : alt_GRT_alt_min_102_dump;
cg.idle : { FALSE, TRUE };
TRUE : alt_GRT_alt_min_102_dump;
esac;
next(t_nav-t_gmtlo_LT_t_dmp_last) :=
case
fixed_values : t_nav-t_gmtlo_LT_t_dmp_last;
cg.idle : { FALSE, TRUE };
TRUE : t_nav-t_gmtlo_LT_t_dmp_last;
esac;
next(pre_sep) :=
case
fixed_values : pre_sep;
cg.idle : { FALSE, TRUE };
TRUE : pre_sep;
esac;
next(cond_18) :=
case
fixed_values : cond_18;
cg.idle : { FALSE, TRUE };
TRUE : cond_18;
esac;
next(q_orb_LT_0) :=
case
fixed_values : q_orb_LT_0;
cg.idle : { FALSE, TRUE };
TRUE : q_orb_LT_0;
esac;
next(ABS_alf_err_LT_alf_sep_err) :=
case
fixed_values : ABS_alf_err_LT_alf_sep_err;
cg.idle : { FALSE, TRUE };
TRUE : ABS_alf_err_LT_alf_sep_err;
esac;
next(cond_20b) :=
case
fixed_values : cond_20b;
cg.idle : { FALSE, TRUE };
TRUE : cond_20b;
esac;
next(cond_21) :=
case
fixed_values : cond_21;
cg.idle : { FALSE, TRUE };
TRUE : cond_21;
esac;
next(ABS_beta_n_GRT_beta_max) :=
case
fixed_values : ABS_beta_n_GRT_beta_max;
cg.idle : { FALSE, TRUE };
TRUE : ABS_beta_n_GRT_beta_max;
esac;
next(cond_24) :=
case
fixed_values : cond_24;
cg.idle : { FALSE, TRUE };
TRUE : cond_24;
esac;
next(cond_26) :=
case
fixed_values : cond_26;
cg.idle : { FALSE, TRUE };
TRUE : cond_26;
esac;
next(cond_27) :=
case
fixed_values : cond_27;
cg.idle : { FALSE, TRUE };
TRUE : cond_27;
esac;
next(cond_29) :=
case
fixed_values : cond_29;
cg.idle : { FALSE, TRUE };
TRUE : cond_29;
esac;
next(mm602_OK) :=
case
fixed_values : mm602_OK;
cg.idle : { FALSE, TRUE };
TRUE : mm602_OK;
esac;
next(mated_coast_mnvr) :=
case
next(cg.step) = 1 : FALSE;
cg.step = 6 & cg.r in {reg1, reg2, reg3, reg4, reg102} : TRUE;
TRUE : mated_coast_mnvr;
esac;
---------------------------------------------------------------------
---------------------------------------------------------------------
DEFINE
fixed_values := FALSE;
output_ok :=
case
cg.q_gcb_i = undef | cg.wcb2 = undef |
cg.cont_3eo_pr_delay = 5 |
cg.etsep_y_drift = undef :
case
!mated_coast_mnvr: 1;
TRUE : undef;
esac;
!mated_coast_mnvr: toint(cg.q_gcb_i = quat_entry_M50_to_cmdbody &
cg.wcb2 = post_sep_0);
-- reg1 never happens?
-- cg.r = reg1 : (cg.q_gcb_i = quat_reg1 & cg.wcb2 = reg1_0 &
-- cg.cont_3eo_pr_delay = minus_z_reg1 &
-- cg.etsep_y_drift = minus_z_reg1) | cg.emerg_sep;
cg.r = reg2 : toint((cg.q_gcb_i = quat_reg2 & cg.wcb2 = reg2_neg4 &
cg.cont_3eo_pr_delay = minus_z_reg2 &
cg.etsep_y_drift = minus_z_reg2) | cg.emerg_sep);
cg.r = reg3 : toint((cg.q_gcb_i = quat_reg3 & cg.wcb2 = wcb2_3eo &
cg.cont_3eo_pr_delay = minus_z_reg3 &
cg.etsep_y_drift = minus_z_reg3) | cg.emerg_sep);
cg.r = reg4 : toint((cg.q_gcb_i = quat_reg4 & cg.wcb2 = reg4_0 &
cg.cont_3eo_pr_delay = minus_z_reg4 &
cg.etsep_y_drift = minus_z_reg4) | cg.emerg_sep);
cg.r = reg102 : toint((cg.q_gcb_i = quat_reg102_undef &
cg.wcb2 = reg102_undef &
cg.cont_3eo_pr_delay = minus_z_reg102 &
cg.etsep_y_drift = minus_z_reg102) | cg.emerg_sep);
TRUE : 0;
esac;
---------------------------------------------------------------------
-------- Specifications ---------------------------------------------
---------------------------------------------------------------------
-- Contingency Guide terminates
SPEC AG(!cg.idle -> AF(cg.finished))
-- Contingency guide can be executed infinitely often
SPEC AG( (cg.idle | cg.finished) ->
EF(!(cg.idle | cg.finished) & EF(cg.finished)))
-- Contingency mode select task works fine
SPEC AG(cs.cont_3EO_start & cs.region_selected ->
((cs.m_mode = mm102 | meco_confirmed) &
cs.r != reg-1 & cs.r != reg0))
-- Bad (initial) value never happens again once region is computed
-- unless we restart the task
--SPEC AG(cs.r != reg-1 -> !E[!cg.start_cont_3eo_mode_select U
-- cs.r = reg-1 & !cg.start_cont_3eo_mode_select])
-- Comment out each of the regions and see if this is still true
-- (Check, if ALL of the regions can happen)
--SPEC AG(cs.r in {reg-1
-- ,reg0
-- ,reg1
-- ,reg2
-- ,reg3
-- ,reg102
-- })
-- Comment out each of the regions and see if this is still true
-- (Check, if ALL of the regions can happen)
--SPEC AG(cg.r in {reg-1
-- ,reg0
-- ,reg1
-- ,reg2
-- ,reg3
-- ,reg4
-- ,reg102
-- })
-- Mode_select starts at the next step after its "start" bit is set:
--SPEC AG(!cg.start_cont_3eo_mode_select ->
-- AX(cg.start_cont_3eo_mode_select & cs.step in {exit, undef} ->
-- AX(cs.step = 1 & !cs.region_selected)))
-- During major mode 103, the inertial velocity is monitored.
-- Below an I-loaded velocity, a MECO would constitute a contingency
-- abort. (Must NOT be in SMODE=5 (??))
SPEC AG(cg.start_cont_3eo_mode_select & cs.m_mode = mm103 &
vel = LEQ_vi_3eo_min & meco_confirmed & !smode5 ->
A[!cs.region_selected U cs.region_selected & cs.cont_3EO_start])
-- Above a certain inertial velocity (in mode 103), the 3E/O field
-- is blanked, indicating that a MECO at this point would not require
-- an OPS 6 contingency abort.
SPEC AG(cs.region_selected ->
(cs.m_mode = mm103 & vel = GRT_vi_3eo_max -> !cs.cont_3EO_start))
-- Between the two velocities, an apogee altitude - velocity curve is
-- constructed based on the current inertial velocity. If the apogee
-- altitude is above this curve, a contingency abort capability is
-- still required and a 3E/O region index will be calculated.
-- Otherwise, the 3E/O field is blanked out and no further contingency
-- abort calculations will be performed. (Must NOT be in SMODE=5 (??))
SPEC AG(cg.start_cont_3eo_mode_select & cs.m_mode = mm103 &
vel = GRT_vi_3eo_min & meco_confirmed & !smode5 ->
A[!cs.region_selected U cs.region_selected &
apogee_alt_LT_alt_ref = !cs.cont_3EO_start])
-- For an RTLS trajectory (SMODE=5), a check is made on the downrange
-- velocity to see if the vehicle is heading away from the landing site.
-- If this is the case, a 3E/O region index is calculated. If the vehicle
-- is heading back to the landing site, and the current range to the MECO
-- R-V line is greater than an I-loaded value, a 3E/O region index is
-- calculated. Otherwise, an intact abort is possible and the 3E/O field
-- is blanked.
SPEC AG(cg.start_cont_3eo_mode_select & smode5 & meco_confirmed &
(!v_horiz_dnrng_LT_0 | !delta_r_GRT_del_r_usp) ->
A[!cs.region_selected U cs.region_selected & cs.cont_3EO_start])
-- If this task is called prior to SRB separation [mm102], the 3E/O region
-- index is set to 102 and the 3E/O contingency flag is set.
SPEC AG(cs.m_mode = mm102 & cg.start_cont_3eo_mode_select ->
AX (A [ !cs.region_selected U cs.region_selected &
cs.r = reg102 & cs.cont_3EO_start]))
-- After SRB separation, on every pass that the 3E/O region index is
-- calculated, a check is made to see if MECO confirmed has occured. If
-- so, a check is made to see if the major mode is 103. If so, an RTLS is
-- automatically invoked to transition to major mode 601.
SPEC AG(!cs.region_selected & cs.m_mode = mm103 & meco_confirmed ->
A[!cs.region_selected U cs.region_selected & cs.r != reg0 ->
cs.m_mode = mm601 & cs.RTLS_abort_declared])
-- Once the 3E/O contingency flag has been set, this task is no longer
-- executed.
SPEC AG(cs.cont_3EO_start -> AG(!cg.start_cont_3eo_mode_select))
-- If MECO confirmed occurs in MM103 and an OPS 6 contingency abort
-- procedure is still required, contingency 3E/O guidance sets the
-- CONT_3EO_START flag ON. Contingency 3E/O guidance then switches
-- from its display support function into an actual auto guidance
-- steering process. [...] Contingency 3E/O guidance sets the RTLS abort
-- declared flag and the MSC performs the transition from from major mode
-- 103 to 601.
SPEC AG(!cg.idle & !cg.finished & !cs.region_selected & cs.m_mode = mm103 ->
A[ !cg.finished U cg.finished & cs.region_selected &
(cs.cont_3EO_start -> cs.m_mode = mm601 & cs.RTLS_abort_declared) ])
-- If MECO confirmed occurs in a major mode 601 and a contingency abort
-- procedure is still required, contingency 3E/O guidance sets the
-- CONT_3EO_START flag ON. [...] Contingency 3E/O guidance then commands
-- 3E/O auto maneuvers in major mode 601. [What are these maneuvers??]
SPEC AG(cg.finished & cs.m_mode = mm601 & !et_sep_cmd &
meco_confirmed & cs.cont_3EO_start ->
cg.q_gcb_i in {quat_reg1, quat_reg2, quat_reg3, quat_reg4, undef}
| cg.emerg_sep)
-- If MECO confirmed occurs in a first stage (MM102) [...], contingency
-- 3E/O guidance will command a fast ET separation during SRB tailoff in
-- major mode 102. CONT 3E/O GUID will then command maneuver post-sep in
-- MM601 (???). [ I'm not sure what indicates fast ET sep.: emerg_sep or
-- early_sep, or what? ]
SPEC AG(cg.finished & cs.m_mode = mm102 & meco_confirmed & pre_sep ->
cg.emerg_sep | et_sep_cmd
| cg.et_sep_man_initiate
| cg.early_sep
)
---------------------------------------------
-- Invariants from Murphi code --------------
---------------------------------------------
--SPEC AG(cg.finished -> (output_ok != 0 | (output_ok = undef &
-- (cg.emerg_sep | !cg.cont_sep_cplt))))
--SPEC AG(!cg.finished & !cg.idle -> !mated_coast_mnvr | !et_sep_cmd)
-- Stronger version !!!
SPEC AG(cg.finished -> output_ok != 0)
-- Contingency Guidance shall command an ET separation
-- [under certain conditions :-].
SPEC AG(cs.cont_3EO_start & cg.finished &
(cg.r = reg1 -> cond_29) &
(cg.r = reg2 -> cond_24 & cond_26) &
(cg.r = reg3 -> cg.alpha_ok &
(ABS_alf_err_LT_alf_sep_err -> cond_20b)) &
(cg.r = reg4 -> cond_18 & q_orb_LT_0) &
(cg.r = reg102 -> pre_sep) ->
et_sep_cmd | cg.et_sep_man_initiate
| cg.early_sep
| cg.emerg_sep
)
-- Contingency Guidance shall command at most one interconnected OMS dump.
SPEC AG(cg.finished & cg.oms_rcs_i_c_inh_ena_cmd ->
AG(!cg.oms_rcs_i_c_inh_ena_cmd -> AG(!cg.oms_rcs_i_c_inh_ena_cmd)))
-- Contingency Guidance shall command a transition to glide RTLS
-- (flight mode 602)
SPEC AG(cg.finished & cs.m_mode = mm601 ->
--cg.cont_sep_cplt | cg.emerg_sep |
cg.call_RTLS_abort_task)
-- Paper, p. 28, unstated assumption 2: at step 6 the region is
-- among 102, 1-4.
SPEC AG(cg.step = 6 -> cg.r in {reg102, reg1, reg2, reg3, reg4})
-- The transition to mode 602 shall not occur until the entry maneuver
-- has been calculated
SPEC !E[cg.q_gcb_i = undef U cg.cont_sep_cplt & cg.q_gcb_i = undef]
-- The entry maneuver calculations shall not commence until the OMS/RCS
-- interconnect, if any, is complete (??? What does it exactly mean???)
-- !!!
--SPEC AG(cg.oms_rcs_i_c_inh_ena_cmd ->
-- !E[cg.oms_rcs_i_c_inh_ena_cmd U
-- cg.q_gcb_i != undef & cg.oms_rcs_i_c_inh_ena_cmd])
SPEC AG(cg.oms_rcs_i_c_inh_ena_cmd ->
!E[rcs_all_jet_inhibit U
cg.q_gcb_i != undef & rcs_all_jet_inhibit])
-- The OMS dump shall not be considered until the -Z translation is complete.
SPEC !E[!cont_minus_z_compl & cg.r != reg102 U cg.orbiter_dump_ena]
-- Completion of -Z translation shall not be checked until ET separation
-- has been commanded
SPEC !E[!et_sep_cmd U cg.step = 7]
-- ET separation shall be commanded if and only if an abort maneuver
-- region is assigned [and again there are *certain conditions*].
SPEC AG(cg.finished & cs.cont_3EO_start &
(cg.r = reg1 -> cond_29) &
(cg.r = reg2 -> cond_24 & cond_26) &
(cg.r = reg3 -> cg.alpha_ok &
(ABS_alf_err_LT_alf_sep_err -> cond_20b)) &
(cg.r = reg4 -> cond_18 & q_orb_LT_0) &
(cg.r = reg102 -> pre_sep) ->
(cg.et_sep_man_initiate | et_sep_cmd
<-> cg.r in {reg1, reg2, reg3, reg4, reg102}))
-- The assigned region can not change arbitrarily.
-- Regions 1 and 2 may interchange, but will not switch to any other region:
SPEC AG(cg.finished & cs.cont_3EO_start & cg.r in {reg1,reg2} ->
AG(cg.finished -> cg.r in {reg1,reg2}))
-- Regions 3 and 4 may interchange, but will not switch to any other region:
SPEC AG(cg.finished & cs.cont_3EO_start & cg.r in {reg3,reg4} ->
AG(cg.finished -> cg.r in {reg3,reg4}))
-- Region 102 never changes:
SPEC AG(cg.finished & cg.r = reg102 -> AG(cg.finished -> cg.r = reg102))
Reference in a new issue View git blame Copy permalink