hi-lite project - open-do...2013/05/29 · application of the on-board software handling the...
This document and its content is the property of Astrium [Ltd/SAS/GmbH] and is strictly confidential. It shall not be communicated to any third party without the written consent of Astrium [Ltd/SAS/GmbH].
Hi-Lite project
Final meeting, presented by David LESENS, Wednesday, 29 May 2013
28/05/2013 David LESENS
2
Overview
- Introduction
- Astrium Space Transportation case study
  - Numerical algorithm
  - Event driven
- Conclusion
Tools
Overview
- Introduction
- Astrium Space Transportation case study
  - Numerical algorithm
  - Event driven
- Conclusion
Architecture
Types definitions
Contracts
Contracts (continued)
Trigonometric functions
Numerical algorithms
Results (see PDF)
Overview
- Introduction
- Astrium Space Transportation case study
  - Numerical algorithm
  - Event driven
- Conclusion
On-board control procedure (OBCP): software program designed to be executed by an OBCP engine, which can easily be loaded, executed, and also replaced, on-board the spacecraft.
OBCP code: complete representation of an OBCP, in a form that can be loaded on-board for subsequent execution.
OBCP engine: application of the on-board software handling the execution of OBCPs.
OBCP language: programming language in which OBCP source code is expressed by human programmers.
Components of the case study:
- Generic (flight software)
- Debug
- Instances (for testing and formal proof)
- Tests
- User manual
Size of the case study
Size of the case study (continued)
MVM (simplified) architecture
(diagram annotations: Proved; Not in SPARK; Pointers and OO; Pointers; Too big)
Not in SPARK
Not in SPARK (continued)
Generic
Generic (continued)
Discriminant
Validity function
Private list
Private list
Validity function (continued)
Subprogram on the whole list
Subprogram on a single element
Loop invariant
Additional assertion
Additional numerical protection

Time before a tick counter incremented at 1 kHz leaves the positive range of a 32-bit or 64-bit integer:

                 32 bits          64 bits
ticks            2147483648       9.22337E+18
seconds          2147483.648      9.22337E+15
hours            596.5232356      2.56205E+12
days             24.85513481      1.06752E+11
years            0.067910204      291672107
centuries        0.000679102      2916721.07
Bigger structure
Validity function
Divide and conquer
Divide and conquer (continued)
Array of objects
Pointers
Abstract class
Abstract class (continued)
Inheritance
Inheritance (continued)
Too big subprogram

Excerpt of the OBCP engine's Run_Plans, as shown on the slide:

```ada
procedure Run_Plans (Obcpe : in out T_Obcpe) is
   Execute_Next_Command : Boolean;

   --------------------------------------------------------------------------
   procedure Step_Further (Plan_Id : T_Plan_Id);

   procedure Step_Further (Plan_Id : T_Plan_Id) is
   begin
      if Obcpe.Plans_Status (Plan_Id).Current_Step
         < Obcpe.Plans (Plan_Id).Steps_Nb
      then
         Obcpe.Plans_Status (Plan_Id).Current_Step :=
           T_Step_Range'Succ (Obcpe.Plans_Status (Plan_Id).Current_Step);
      else
         Obcpe.Plans_Status (Obcpe.Active_Plan) :=
           T_Plan_Status'(Status_Id    => Plan_Failed,
                          Plan_Failure => End_Of_Plan_Reached,
                          Failure_Step =>
                            Obcpe.Plans_Status (Obcpe.Active_Plan).Current_Step);
      end if;
      Execute_Next_Command := True;
   end Step_Further;
   --------------------------------------------------------------------------

begin
   Mvm.Obit.Run_Time (Current_Time => Obcpe.Current_Time);

   if (case Obcpe.Obcpe_Status is
          when Obcpe_On                 => True,
          when Obcpe_Off | Obcpe_Failed => False)
   then
      P_Events.Check_Monitoring (Events       => Obcpe.Events,
                                 Current_Time => Obcpe.Current_Time);

      loop
         P_Vaps.Run_Vaps (Obcpe.Vaps, Obcpe.Current_Time);
         Execute_Next_Command := False;

         case Obcpe.Plans_Status (Obcpe.Active_Plan).Status_Id is
            when Plan_Inactive =>
               pragma Assert (False, "An Inactive Plan can not be executed");
            when Plan_Ready =>
               pragma Assert (False, "A Ready Plan can not be executed");
            when Plan_Terminated =>
               pragma Assert (False, "A Terminated Plan can not be executed");

            when Plan_Failed =>
               declare
                  Alternative_Plan : T_Plan_Id;
               begin
                  Alternative_Plan :=
                    Obcpe.Plans (Obcpe.Active_Plan).Alternative_Plan;
                  if Obcpe.Plans_Status (Alternative_Plan).Status_Id = Plan_Ready then
                     Obcpe.Active_Plan := Alternative_Plan;
                     Obcpe.Plans_Status (Alternative_Plan) :=
                       T_Plan_Status'(Status_Id    => Plan_Running,
                                      Current_Step => T_Step_Range'First);
                  else
                     Obcpe.Obcpe_Status := Obcpe_Failed;
                  end if;
                  Execute_Next_Command := True;
               end;

            when Plan_Running =>
               declare
                  Current_Step : T_Step_Range;
                  Instruction  : T_Instruction;
               begin
                  Current_Step := Obcpe.Plans_Status (Obcpe.Active_Plan).Current_Step;
                  Instruction  := Obcpe.Plans (Obcpe.Active_Plan).Steps (Current_Step);

                  case Instruction.Instruction_Id is
                     --------------------------------------------------------
                     -- Status: Wait for the end of the execution
                     when Send_Cmd_To_Fu_Instruction
                        | Protected_Send_Cmd_To_Fu_Instruction =>
                        declare
                           Fu_Command : T_Fu_Command;
                        begin
                           -- A FU command call is created
                           Fu_Command := P_Fus.P_Gfu.P_Command.Create_Command
                             (Command_Id    => Instruction.Fu_Command_Call.Command_Id,
                              Parameters_Nb => Instruction.Fu_Command_Call.Parameters_Nb);

                           -- Update the referenced parameters
                           if Fu_Command.Parameters_Nb > 0 then
                              for Parameter_Id in T_Parameter_Id range
                                T_Parameter_Id'First ..
                                T_Parameter_Id'First + Fu_Command.Parameters_Nb - 1
                              loop
                                 case Instruction.Fu_Command_Call.Actuals (Parameter_Id).Actual_Type is
                                    when Numerical =>
                                       -- The numerical value shall be copied
                                       Fu_Command.Parameters (Parameter_Id) :=
                                         Instruction.Fu_Command_Call.Actuals (Parameter_Id).Value;
                                    when Reference =>
                                       -- The reference of the referenced parameter
```

(The slide cuts the listing off at this point.)
Results (see PDF)
Overview
- Introduction
- Astrium Space Transportation case study
  - Numerical algorithm
  - Event driven
- Conclusion
Conclusion

Compared to SPARK 2005:
- Great improvement
- Larger perimeter of Ada
- "Executable contracts" is a major progress
- The ROI of contract writing is positive, even without formal proof

Operationally deployable?
- The use of proof still requires a high level of expertise!
- Proof may be costly
- Proof is not 100% sound! (float versus real)
- The final version of SPARK 2014 is promising
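The soundness caveat in the last block, a prover reasoning over the reals while the compiled code computes in floating point, can be seen without a prover. The following Python is an added example, not code from the slides or from SPARK: it evaluates the same two contracts twice, once in IEEE-754 binary64 arithmetic (what the flight code executes) and once over exact rationals (what a real-number proof establishes), and searches for the first input where the two disagree. The contracts `x + 1.0 > x` and `(a + b) + c = a + (b + c)` are constructed for the illustration; both are theorems over the reals.

```python
"""Contracts that are valid over the reals and false in binary64 arithmetic.

Added example for the "float versus real" caveat; not code from the Hi-Lite
project or from SPARK.
"""
import math
from fractions import Fraction


def successor_larger_float(x: float) -> bool:
    """Contract `x + 1.0 > x` as the compiled code evaluates it (IEEE-754 binary64)."""
    return x + 1.0 > x


def successor_larger_real(x: float) -> bool:
    """The same contract over the exact rationals.  Fraction(x) is the exact
    value of the double x, so this is what a prover using real-number
    semantics establishes for that input."""
    xr = Fraction(x)
    return xr + 1 > xr


def assoc_float(a: float, b: float, c: float) -> bool:
    """Contract `(a + b) + c = a + (b + c)` in binary64 arithmetic."""
    return (a + b) + c == a + (b + c)


def assoc_real(a: float, b: float, c: float) -> bool:
    """The same contract over the exact rationals, where addition is associative."""
    ar, br, cr = Fraction(a), Fraction(b), Fraction(c)
    return (ar + br) + cr == ar + (br + cr)


def first_disagreement() -> float:
    """Smallest power of two at which `x + 1.0 > x` holds over the reals but not
    in binary64.  Doubling from 1.0 is enough: the float result can only change
    once the unit in the last place of x grows beyond 1, and the real result
    never changes."""
    x = 1.0
    while successor_larger_float(x):
        assert successor_larger_real(x)
        x *= 2.0
    assert successor_larger_real(x)
    return x


if __name__ == "__main__":
    x = first_disagreement()
    print(f"x + 1.0 > x at x = 2**{int(math.log2(x))}: "
          f"real {successor_larger_real(x)}, float {successor_larger_float(x)}")
    # Constructed triple: the rounding of 2**53 + 1.0 breaks associativity.
    a, b, c = 2.0 ** 53, 1.0, -2.0 ** 53
    print(f"(a + b) + c == a + (b + c): real {assoc_real(a, b, c)}, "
          f"float {assoc_float(a, b, c)}")
```

Both disagreements appear at 2**53, the first double whose unit in the last place is 2: adding 1.0 rounds back to the same value, so a postcondition proved over the reals is violated by the executing code. Executable contracts catch exactly this when the tests exercise large magnitudes; a proof carried out over the reals does not.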