AdaCore / RESSAC_Use_Case

A Collaborative Development Assurance Lab

Information about disabled inputs #12

Open AnthonyLeonardoGracio opened 7 years ago

AnthonyLeonardoGracio commented 7 years ago

Document: UseCaseDevelopment/Layer1_MMS/RESSAC_muXAV_SystemRQ_MMS_SW_Incr1.doc Commit: 74aa074

In general, when an input is disabled (e.g. when there is no USB_Key or no message from the GS), how do we know? The same applies when the information has not yet been provided (ModeSwitch or NavigationParameters during the init phase).

ledinot commented 7 years ago

Yes, it is not specified. The case "no key + no GS operator" was not anticipated. No mission data => no mission; F_MM has to reject this case, as for any other kind of problem (failures, boot, viability, etc.).

clairedross commented 7 years ago

Thanks. But how do we detect that an input is not there in MMS? Is there some kind of flag Usb_Key_Connected or Data_From_GS_Received that we can check? Or a default value for these inputs which means 'No_Value'?

clairedross commented 7 years ago

The cleanest way I can think of is to have some kind of option for the type of the signal, that is, have a boolean flag inside the signal to specify if it is present and have the value of the signal be available only when present (a discriminant in Ada). Does it seem suitable to you?
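An added illustration of the discriminated-record approach described in the comment above. This is not code from the RESSAC_Use_Case repository; the type and function names (Optional_Nav, Nav_Params, Decide, Mission_Decision) are assumptions made for this example, and the "no mission data => no mission" rule follows the earlier reply in this thread.

```ada
--  Added example (not code from the RESSAC_Use_Case project): an input that
--  may be absent is modelled as an Ada discriminated record, so the value
--  component exists only when Present = True. The names Optional_Nav,
--  Nav_Params, Mission_Decision and Decide are assumptions for this example.
with Ada.Text_IO; use Ada.Text_IO;

procedure Optional_Input_Demo is

   --  Placeholder for the navigation parameters supplied by the GS.
   type Nav_Params is record
      Waypoint_Count : Natural;
   end record;

   --  A signal that is either present (with a value) or absent.
   --  The discriminant is the presence flag; Value is only a component
   --  when Present is True. Reading Value on an absent signal raises
   --  Constraint_Error at run time, and SPARK rejects it statically.
   type Optional_Nav (Present : Boolean := False) is record
      case Present is
         when True  => Value : Nav_Params;
         when False => null;
      end case;
   end record;

   type Mission_Decision is (Accept_Mission, Reject_No_Data);

   --  F_MM-style decision: no mission data => no mission.
   function Decide (Nav : Optional_Nav) return Mission_Decision is
   begin
      if not Nav.Present then
         return Reject_No_Data;
      end if;
      --  Safe: the discriminant has been checked on this path.
      if Nav.Value.Waypoint_Count = 0 then
         return Reject_No_Data;
      end if;
      return Accept_Mission;
   end Decide;

   No_Input   : constant Optional_Nav := (Present => False);
   With_Input : constant Optional_Nav :=
     (Present => True, Value => (Waypoint_Count => 3));

begin
   Put_Line ("No input:   " & Mission_Decision'Image (Decide (No_Input)));
   Put_Line ("With input: " & Mission_Decision'Image (Decide (With_Input)));
end Optional_Input_Demo;
```

The point of the discriminant over a separate Usb_Key_Connected / Data_From_GS_Received flag is that the value cannot be read without first checking presence: a caller that forgets the check gets a run-time check failure in Ada and an unprovable check in SPARK, rather than silently consuming stale or default data.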

ledinot commented 7 years ago

I view it as a software design issue, not as a system specification issue. The intended functionality is clear (may or may not be available, with possibly ensuing mission cancellation).

I admit that without precise knowledge of the protocol between CP + GS and MMS, it is difficult to figure out precisely how the NAV parameters will be made available to F_MM, and so how to detect that all or part of them are not available.

This kind of question could also be coined *** for the lessons learnt.

This is why I insist on considering SYSTEM specification and SOFTWARE specification as tightly coupled. The "standard view" (first the system specification is done with allocation to software, THEN software HLRs can be written and software development can start) is an illusion. It is OK (sequential) for the first 80% of system and software specification. But then, for the remaining 20%, … system-software co-specification (concurrent, collaborative engineering).
