-- S18-WBS-R-0321 p 58
-- Loss of all wheel braking (annunciated or unannunciated)
-- during landing or RTO
-- shall be extremely remote
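-- Guarantee: with both pedals pressed and the aircraft moving, it is never the
-- case that all eight wheels fail to produce a braking force while their
-- braking command condition holds (total loss of wheel braking).
-- Assumption: both power sources, both pump power sources and both hydraulic
-- supplies (=10) are nominal, so only the nominal case is checked here.
-- NOTE(review): 'not control_system_validity' restores the operator/identifier
-- boundary of the fused token 'notcontrol_system_validity' (the property
-- description reads "or the control system is invalid"); confirm the port name.
CONTRACT never_loss_of_all_wheel_braking assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never
  ((mechanical_pedal_pos_L and mechanical_pedal_pos_R)
   and ground_speed>0
   and (
     not ((mechanical_pedal_pos_L
           and (((wheel_status_1=rolling or ground_speed=0)
                 and green_pressure_in_selector_valve>0)
                or (((wheel_status_1=rolling and wheel_status_5=rolling)
                     or ground_speed=0
                     or not control_system_validity)
                    and green_pressure_in_selector_valve=0)))
          implies wheel_braking_force_1>0)
     and
     not ((mechanical_pedal_pos_L
           and (((wheel_status_2=rolling or ground_speed=0)
                 and green_pressure_in_selector_valve>0)
                or (((wheel_status_2=rolling and wheel_status_6=rolling)
                     or ground_speed=0
                     or not control_system_validity)
                    and green_pressure_in_selector_valve=0)))
          implies wheel_braking_force_2>0)
     and
     not ((mechanical_pedal_pos_L
           and (((wheel_status_5=rolling or ground_speed=0)
                 and green_pressure_in_selector_valve>0)
                or (((wheel_status_5=rolling and wheel_status_1=rolling)
                     or ground_speed=0
                     or not control_system_validity)
                    and green_pressure_in_selector_valve=0)))
          implies wheel_braking_force_5>0)
     and
     not ((mechanical_pedal_pos_L
           and (((wheel_status_6=rolling or ground_speed=0)
                 and green_pressure_in_selector_valve>0)
                or (((wheel_status_6=rolling and wheel_status_2=rolling)
                     or ground_speed=0
                     or not control_system_validity)
                    and green_pressure_in_selector_valve=0)))
          implies wheel_braking_force_6>0)
     and
     not ((mechanical_pedal_pos_R
           and (((wheel_status_3=rolling or ground_speed=0)
                 and green_pressure_in_selector_valve>0)
                or (((wheel_status_3=rolling and wheel_status_7=rolling)
                     or ground_speed=0
                     or not control_system_validity)
                    and green_pressure_in_selector_valve=0)))
          implies wheel_braking_force_3>0)
     and
     not ((mechanical_pedal_pos_R
           and (((wheel_status_4=rolling or ground_speed=0)
                 and green_pressure_in_selector_valve>0)
                or (((wheel_status_4=rolling and wheel_status_8=rolling)
                     or ground_speed=0
                     or not control_system_validity)
                    and green_pressure_in_selector_valve=0)))
          implies wheel_braking_force_4>0)
     and
     not ((mechanical_pedal_pos_R
           and (((wheel_status_7=rolling or ground_speed=0)
                 and green_pressure_in_selector_valve>0)
                or (((wheel_status_7=rolling and wheel_status_3=rolling)
                     or ground_speed=0
                     or not control_system_validity)
                    and green_pressure_in_selector_valve=0)))
          implies wheel_braking_force_7>0)
     and
     not ((mechanical_pedal_pos_R
           and (((wheel_status_8=rolling or ground_speed=0)
                 and green_pressure_in_selector_valve>0)
                or (((wheel_status_8=rolling and wheel_status_4=rolling)
                     or ground_speed=0
                     or not control_system_validity)
                    and green_pressure_in_selector_valve=0)))
          implies wheel_braking_force_8>0))) ;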
-- S18-WBS-R-0322 p 58
-- Asymmetrical loss of wheel braking
-- coupled with loss of rudder or nose wheel steering
-- during landing or RTO
-- shall be extremely remote
-- loss of the right side
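-- Guarantee: with both pedals pressed and the aircraft moving, it is never the
-- case that all four left-gear wheels (1,2,5,6) brake as commanded (count=4)
-- while none of the four right-gear wheels (3,4,7,8) does (count=0).
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): only the extreme split (4 vs 0) is excluded; partial
-- asymmetries such as 4 vs 1 or 3 vs 0 are not covered by this contract -
-- confirm this matches the intent of S18-WBS-R-0322.
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT never_asymmetric_loss_of_wheel_braking_right assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never
  (mechanical_pedal_pos_L
   and mechanical_pedal_pos_R
   and ground_speed>0
   and (
     count (((mechanical_pedal_pos_L
              and (((wheel_status_1=rolling or ground_speed=0)
                    and green_pressure_in_selector_valve>0)
                   or (((wheel_status_1=rolling and wheel_status_5=rolling)
                        or ground_speed=0
                        or not control_system_validity)
                       and green_pressure_in_selector_valve=0)))
             implies wheel_braking_force_1>0) ,
            ((mechanical_pedal_pos_L
              and (((wheel_status_2=rolling or ground_speed=0)
                    and green_pressure_in_selector_valve>0)
                   or (((wheel_status_2=rolling and wheel_status_6=rolling)
                        or ground_speed=0
                        or not control_system_validity)
                       and green_pressure_in_selector_valve=0)))
             implies wheel_braking_force_2>0) ,
            ((mechanical_pedal_pos_L
              and (((wheel_status_5=rolling or ground_speed=0)
                    and green_pressure_in_selector_valve>0)
                   or (((wheel_status_5=rolling and wheel_status_1=rolling)
                        or ground_speed=0
                        or not control_system_validity)
                       and green_pressure_in_selector_valve=0)))
             implies wheel_braking_force_5>0) ,
            ((mechanical_pedal_pos_L
              and (((wheel_status_6=rolling or ground_speed=0)
                    and green_pressure_in_selector_valve>0)
                   or (((wheel_status_6=rolling and wheel_status_2=rolling)
                        or ground_speed=0
                        or not control_system_validity)
                       and green_pressure_in_selector_valve=0)))
             implies wheel_braking_force_6>0))=4
     and count (((mechanical_pedal_pos_R
                  and (((wheel_status_3=rolling or ground_speed=0)
                        and green_pressure_in_selector_valve>0)
                       or (((wheel_status_3=rolling and wheel_status_7=rolling)
                            or ground_speed=0
                            or not control_system_validity)
                           and green_pressure_in_selector_valve=0)))
                 implies wheel_braking_force_3>0) ,
                ((mechanical_pedal_pos_R
                  and (((wheel_status_4=rolling or ground_speed=0)
                        and green_pressure_in_selector_valve>0)
                       or (((wheel_status_4=rolling and wheel_status_8=rolling)
                            or ground_speed=0
                            or not control_system_validity)
                           and green_pressure_in_selector_valve=0)))
                 implies wheel_braking_force_4>0) ,
                ((mechanical_pedal_pos_R
                  and (((wheel_status_7=rolling or ground_speed=0)
                        and green_pressure_in_selector_valve>0)
                       or (((wheel_status_7=rolling and wheel_status_3=rolling)
                            or ground_speed=0
                            or not control_system_validity)
                           and green_pressure_in_selector_valve=0)))
                 implies wheel_braking_force_7>0) ,
                ((mechanical_pedal_pos_R
                  and (((wheel_status_8=rolling or ground_speed=0)
                        and green_pressure_in_selector_valve>0)
                       or (((wheel_status_8=rolling and wheel_status_4=rolling)
                            or ground_speed=0
                            or not control_system_validity)
                           and green_pressure_in_selector_valve=0)))
                 implies wheel_braking_force_8>0)) =0
   )) ;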
-- S18-WBS-R-0322 p 58
-- Asymmetrical loss of wheel braking
-- coupled with loss of rudder or nose wheel steering
-- during landing or RTO
-- shall be extremely remote
-- loss of the left side
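-- Guarantee: with both pedals pressed and the aircraft moving, it is never the
-- case that none of the four left-gear wheels (1,2,5,6) brakes as commanded
-- (count=0) while all four right-gear wheels (3,4,7,8) do (count=4).
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): only the extreme split (0 vs 4) is excluded; partial
-- asymmetries such as 1 vs 4 or 0 vs 3 are not covered by this contract -
-- confirm this matches the intent of S18-WBS-R-0322.
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT never_asymmetric_loss_of_wheel_braking_left assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never
  (mechanical_pedal_pos_L
   and mechanical_pedal_pos_R
   and ground_speed>0
   and (
     count (((mechanical_pedal_pos_L
              and (((wheel_status_1=rolling or ground_speed=0)
                    and green_pressure_in_selector_valve>0)
                   or (((wheel_status_1=rolling and wheel_status_5=rolling)
                        or ground_speed=0
                        or not control_system_validity)
                       and green_pressure_in_selector_valve=0)))
             implies wheel_braking_force_1>0) ,
            ((mechanical_pedal_pos_L
              and (((wheel_status_2=rolling or ground_speed=0)
                    and green_pressure_in_selector_valve>0)
                   or (((wheel_status_2=rolling and wheel_status_6=rolling)
                        or ground_speed=0
                        or not control_system_validity)
                       and green_pressure_in_selector_valve=0)))
             implies wheel_braking_force_2>0) ,
            ((mechanical_pedal_pos_L
              and (((wheel_status_5=rolling or ground_speed=0)
                    and green_pressure_in_selector_valve>0)
                   or (((wheel_status_5=rolling and wheel_status_1=rolling)
                        or ground_speed=0
                        or not control_system_validity)
                       and green_pressure_in_selector_valve=0)))
             implies wheel_braking_force_5>0) ,
            ((mechanical_pedal_pos_L
              and (((wheel_status_6=rolling or ground_speed=0)
                    and green_pressure_in_selector_valve>0)
                   or (((wheel_status_6=rolling and wheel_status_2=rolling)
                        or ground_speed=0
                        or not control_system_validity)
                       and green_pressure_in_selector_valve=0)))
             implies wheel_braking_force_6>0))=0
     and count (((mechanical_pedal_pos_R
                  and (((wheel_status_3=rolling or ground_speed=0)
                        and green_pressure_in_selector_valve>0)
                       or (((wheel_status_3=rolling and wheel_status_7=rolling)
                            or ground_speed=0
                            or not control_system_validity)
                           and green_pressure_in_selector_valve=0)))
                 implies wheel_braking_force_3>0) ,
                ((mechanical_pedal_pos_R
                  and (((wheel_status_4=rolling or ground_speed=0)
                        and green_pressure_in_selector_valve>0)
                       or (((wheel_status_4=rolling and wheel_status_8=rolling)
                            or ground_speed=0
                            or not control_system_validity)
                           and green_pressure_in_selector_valve=0)))
                 implies wheel_braking_force_4>0) ,
                ((mechanical_pedal_pos_R
                  and (((wheel_status_7=rolling or ground_speed=0)
                        and green_pressure_in_selector_valve>0)
                       or (((wheel_status_7=rolling and wheel_status_3=rolling)
                            or ground_speed=0
                            or not control_system_validity)
                           and green_pressure_in_selector_valve=0)))
                 implies wheel_braking_force_7>0) ,
                ((mechanical_pedal_pos_R
                  and (((wheel_status_8=rolling or ground_speed=0)
                        and green_pressure_in_selector_valve>0)
                       or (((wheel_status_8=rolling and wheel_status_4=rolling)
                            or ground_speed=0
                            or not control_system_validity)
                           and green_pressure_in_selector_valve=0)))
                 implies wheel_braking_force_8>0))=4
   )) ;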
-- S18-WBS-0323 p 59
-- Inadvertent wheel braking with all wheels locked during
-- take off roll before V1
-- shall be extremely remote
-- Guarantee: with both pedals released and the aircraft moving, it is never the
-- case that all eight brakes apply a force while all eight wheels are stopped
-- (inadvertent braking with every wheel locked).
-- Assumption: nominal power, pump power and both hydraulic supplies (=10), so
-- only the nominal case is checked by this contract.
CONTRACT never_inadvertent_braking_with_all_wheels_locked assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never (((not mechanical_pedal_pos_L) and (not mechanical_pedal_pos_R))
and (wheel_braking_force_1>0 and
wheel_braking_force_2>0 and
wheel_braking_force_3>0 and
wheel_braking_force_4>0 and
wheel_braking_force_5>0 and
wheel_braking_force_6>0 and
wheel_braking_force_7>0 and
wheel_braking_force_8>0
) and (wheel_status_1=stopped and
wheel_status_2=stopped and
wheel_status_3=stopped and
wheel_status_4=stopped and
wheel_status_5=stopped and
wheel_status_6=stopped and
wheel_status_7=stopped and
wheel_status_8=stopped
) and (ground_speed > 0 )) ;
-- S18-WBS-0324 p 59
-- Inadvertent wheel braking of all wheels during
-- take off roll after V1
-- shall be extremely improbable
-- Guarantee: with both pedals released and the aircraft moving, it is never the
-- case that all eight brakes apply a force (inadvertent braking of all wheels,
-- locked or not - this is the weaker condition compared with the
-- all-wheels-locked contract above, which also requires every wheel stopped).
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
CONTRACT never_inadvertent_braking_of_all_wheels assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never
(((not mechanical_pedal_pos_L) and (not mechanical_pedal_pos_R))
and (wheel_braking_force_1>0 and
wheel_braking_force_2>0 and
wheel_braking_force_3>0 and
wheel_braking_force_4>0 and
wheel_braking_force_5>0 and
wheel_braking_force_6>0 and
wheel_braking_force_7>0 and
wheel_braking_force_8>0
) and (ground_speed > 0 )) ;
-- S18-WBS-0325 p 59
-- Undetected inadvertent wheel braking on one wheel
-- w/o locking during takeoff
-- shall be extremely improbable
-- Duplicate the property for each wheel
-- Wheel 1 (left pedal): no braking force on a rolling wheel 1 while the aircraft moves and the left pedal is released.
CONTRACT never_inadvertent_braking_of_wheel_1 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never ((not mechanical_pedal_pos_L) and ground_speed>0 and wheel_braking_force_1>0 and wheel_status_1=rolling) ;
-- Wheel 2 (left pedal): no braking force on a rolling wheel 2 while the aircraft moves and the left pedal is released.
CONTRACT never_inadvertent_braking_of_wheel_2 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never ((not mechanical_pedal_pos_L) and ground_speed>0 and wheel_braking_force_2>0 and wheel_status_2=rolling) ;
-- Wheel 3 (right pedal): no braking force on a rolling wheel 3 while the aircraft moves and the right pedal is released.
CONTRACT never_inadvertent_braking_of_wheel_3 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never ((not mechanical_pedal_pos_R) and ground_speed>0 and wheel_braking_force_3>0 and wheel_status_3=rolling) ;
-- Wheel 4 (right pedal): no braking force on a rolling wheel 4 while the aircraft moves and the right pedal is released.
CONTRACT never_inadvertent_braking_of_wheel_4 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never ((not mechanical_pedal_pos_R) and ground_speed>0 and wheel_braking_force_4>0 and wheel_status_4=rolling) ;
-- Wheel 5 (left pedal): no braking force on a rolling wheel 5 while the aircraft moves and the left pedal is released.
CONTRACT never_inadvertent_braking_of_wheel_5 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never ((not mechanical_pedal_pos_L) and ground_speed>0 and wheel_braking_force_5>0 and wheel_status_5=rolling) ;
-- Wheel 6 (left pedal): no braking force on a rolling wheel 6 while the aircraft moves and the left pedal is released.
CONTRACT never_inadvertent_braking_of_wheel_6 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never ((not mechanical_pedal_pos_L) and ground_speed>0 and wheel_braking_force_6>0 and wheel_status_6=rolling) ;
-- Wheel 7 (right pedal): no braking force on a rolling wheel 7 while the aircraft moves and the right pedal is released.
CONTRACT never_inadvertent_braking_of_wheel_7 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never ((not mechanical_pedal_pos_R) and ground_speed>0 and wheel_braking_force_7>0 and wheel_status_7=rolling) ;
-- Wheel 8 (right pedal): no braking force on a rolling wheel 8 while the aircraft moves and the right pedal is released.
CONTRACT never_inadvertent_braking_of_wheel_8 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : never ((not mechanical_pedal_pos_R) and ground_speed>0 and wheel_braking_force_8>0 and wheel_status_8=rolling) ;
-- The capacity to brake the four wheels in left landing gear is always available in the nominal case
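-- Guarantee: each left-gear wheel (1,2,5,6) produces a braking force whenever
-- its braking command condition holds: left pedal pressed and either green
-- pressure present with the wheel rolling or the aircraft stopped, or no green
-- pressure with the wheel pair rolling, the aircraft stopped, or the control
-- system invalid.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT asymmetrical_left_braking assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (((mechanical_pedal_pos_L
     and (((wheel_status_1=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_1=rolling and wheel_status_5=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))
    implies wheel_braking_force_1>0)
   and ((mechanical_pedal_pos_L
         and (((wheel_status_2=rolling or ground_speed=0)
               and green_pressure_in_selector_valve>0)
              or (((wheel_status_2=rolling and wheel_status_6=rolling)
                   or ground_speed=0
                   or not control_system_validity)
                  and green_pressure_in_selector_valve=0)))
        implies wheel_braking_force_2>0)
   and ((mechanical_pedal_pos_L
         and (((wheel_status_5=rolling or ground_speed=0)
               and green_pressure_in_selector_valve>0)
              or (((wheel_status_5=rolling and wheel_status_1=rolling)
                   or ground_speed=0
                   or not control_system_validity)
                  and green_pressure_in_selector_valve=0)))
        implies wheel_braking_force_5>0)
   and ((mechanical_pedal_pos_L
         and (((wheel_status_6=rolling or ground_speed=0)
               and green_pressure_in_selector_valve>0)
              or (((wheel_status_6=rolling and wheel_status_2=rolling)
                   or ground_speed=0
                   or not control_system_validity)
                  and green_pressure_in_selector_valve=0)))
        implies wheel_braking_force_6>0)) ;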
-- The capacity to brake the four wheels in the right landing gear is always available in the nominal case
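-- Guarantee: each right-gear wheel (3,4,7,8) produces a braking force whenever
-- its braking command condition holds: right pedal pressed and either green
-- pressure present with the wheel rolling or the aircraft stopped, or no green
-- pressure with the wheel pair rolling, the aircraft stopped, or the control
-- system invalid.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT asymmetrical_right_braking assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (((mechanical_pedal_pos_R
     and (((wheel_status_3=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_3=rolling and wheel_status_7=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))
    implies wheel_braking_force_3>0)
   and ((mechanical_pedal_pos_R
         and (((wheel_status_4=rolling or ground_speed=0)
               and green_pressure_in_selector_valve>0)
              or (((wheel_status_4=rolling and wheel_status_8=rolling)
                   or ground_speed=0
                   or not control_system_validity)
                  and green_pressure_in_selector_valve=0)))
        implies wheel_braking_force_4>0)
   and ((mechanical_pedal_pos_R
         and (((wheel_status_7=rolling or ground_speed=0)
               and green_pressure_in_selector_valve>0)
              or (((wheel_status_7=rolling and wheel_status_3=rolling)
                   or ground_speed=0
                   or not control_system_validity)
                  and green_pressure_in_selector_valve=0)))
        implies wheel_braking_force_7>0)
   and ((mechanical_pedal_pos_R
         and (((wheel_status_8=rolling or ground_speed=0)
               and green_pressure_in_selector_valve>0)
              or (((wheel_status_8=rolling and wheel_status_4=rolling)
                   or ground_speed=0
                   or not control_system_validity)
                  and green_pressure_in_selector_valve=0)))
        implies wheel_braking_force_8>0)) ;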
-- The model represents the behavior of the WBS on the ground
-- A wheel is skidding when it is stopped while the aircraft is moving
--FIRST PROPERTY: CMD implies braking force
--GUARANTEE:
-- For each wheel, if:
-- the assigned mechanical pedal position signal is available
-- and:
-- the wheel is not skidding or the ground speed equals 0
-- and the WBS is in the normal mode
-- or
-- no wheel of the pair is skidding
-- or ground speed equals 0
-- or the control system is invalid
-- and the WBS is in the alternate or the emergency mode,
-- Then there is a braking force
--
--SECOND PROPERTY: braking force implies CMD
--GUARANTEE:
-- For each wheel, if there is a braking force then:
-- the assigned mechanical pedal position signal is available
-- and:
-- the wheel is not skidding or the ground speed equals 0
-- and the WBS is in the normal mode
-- or
-- no wheel of the pair is skidding
-- or ground speed equals 0
-- or the control system is invalid
-- and the WBS is in the alternate or emergency mode
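-- First property, wheel 1 (left pedal, paired with wheel 5): when the braking
-- command condition holds, wheel 1 produces a braking force.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT cmd_implies_braking_wheel_1 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  ((mechanical_pedal_pos_L
    and (((wheel_status_1=rolling or ground_speed=0)
          and green_pressure_in_selector_valve>0)
         or (((wheel_status_1=rolling and wheel_status_5=rolling)
              or ground_speed=0
              or not control_system_validity)
             and green_pressure_in_selector_valve=0)))
   implies wheel_braking_force_1>0
  ) ;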
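-- Second property, wheel 1 (left pedal, paired with wheel 5): a braking force
-- on wheel 1 is only produced when its braking command condition holds.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT braking_wheel_1_implies_cmd assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (wheel_braking_force_1>0 implies
    (mechanical_pedal_pos_L
     and (((wheel_status_1=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_1=rolling and wheel_status_5=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))) ;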
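-- First property, wheel 2 (left pedal, paired with wheel 6): when the braking
-- command condition holds, wheel 2 produces a braking force.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT cmd_implies_braking_wheel_2 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  ((mechanical_pedal_pos_L
    and (((wheel_status_2=rolling or ground_speed=0)
          and green_pressure_in_selector_valve>0)
         or (((wheel_status_2=rolling and wheel_status_6=rolling)
              or ground_speed=0
              or not control_system_validity)
             and green_pressure_in_selector_valve=0)))
   implies wheel_braking_force_2>0
  ) ;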
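-- Second property, wheel 2 (left pedal, paired with wheel 6): a braking force
-- on wheel 2 is only produced when its braking command condition holds.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT braking_wheel_2_implies_cmd assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (wheel_braking_force_2>0 implies
    (mechanical_pedal_pos_L
     and (((wheel_status_2=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_2=rolling and wheel_status_6=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))) ;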
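-- First property, wheel 3 (right pedal, paired with wheel 7): when the braking
-- command condition holds, wheel 3 produces a braking force.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT cmd_implies_braking_wheel_3 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  ((mechanical_pedal_pos_R
    and (((wheel_status_3=rolling or ground_speed=0)
          and green_pressure_in_selector_valve>0)
         or (((wheel_status_3=rolling and wheel_status_7=rolling)
              or ground_speed=0
              or not control_system_validity)
             and green_pressure_in_selector_valve=0)))
   implies wheel_braking_force_3>0
  ) ;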
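-- Second property, wheel 3 (right pedal, paired with wheel 7): a braking force
-- on wheel 3 is only produced when its braking command condition holds.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT braking_wheel_3_implies_cmd assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (wheel_braking_force_3>0 implies
    (mechanical_pedal_pos_R
     and (((wheel_status_3=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_3=rolling and wheel_status_7=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))) ;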
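-- First property, wheel 4 (right pedal, paired with wheel 8): when the braking
-- command condition holds, wheel 4 produces a braking force.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT cmd_implies_braking_wheel_4 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  ((mechanical_pedal_pos_R
    and (((wheel_status_4=rolling or ground_speed=0)
          and green_pressure_in_selector_valve>0)
         or (((wheel_status_4=rolling and wheel_status_8=rolling)
              or ground_speed=0
              or not control_system_validity)
             and green_pressure_in_selector_valve=0)))
   implies wheel_braking_force_4>0
  ) ;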
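-- Second property, wheel 4 (right pedal, paired with wheel 8): a braking force
-- on wheel 4 is only produced when its braking command condition holds.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT braking_wheel_4_implies_cmd assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (wheel_braking_force_4>0 implies
    (mechanical_pedal_pos_R
     and (((wheel_status_4=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_4=rolling and wheel_status_8=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))) ;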
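-- First property, wheel 5 (left pedal, paired with wheel 1): when the braking
-- command condition holds, wheel 5 produces a braking force.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT cmd_implies_braking_wheel_5 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  ((mechanical_pedal_pos_L
    and (((wheel_status_5=rolling or ground_speed=0)
          and green_pressure_in_selector_valve>0)
         or (((wheel_status_5=rolling and wheel_status_1=rolling)
              or ground_speed=0
              or not control_system_validity)
             and green_pressure_in_selector_valve=0)))
   implies wheel_braking_force_5>0
  ) ;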
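-- Second property, wheel 5 (left pedal, paired with wheel 1): a braking force
-- on wheel 5 is only produced when its braking command condition holds.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT braking_wheel_5_implies_cmd assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (wheel_braking_force_5>0 implies
    (mechanical_pedal_pos_L
     and (((wheel_status_5=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_5=rolling and wheel_status_1=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))) ;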
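-- First property, wheel 6 (left pedal, paired with wheel 2): when the braking
-- command condition holds, wheel 6 produces a braking force.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT cmd_implies_braking_wheel_6 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  ((mechanical_pedal_pos_L
    and (((wheel_status_6=rolling or ground_speed=0)
          and green_pressure_in_selector_valve>0)
         or (((wheel_status_6=rolling and wheel_status_2=rolling)
              or ground_speed=0
              or not control_system_validity)
             and green_pressure_in_selector_valve=0)))
   implies wheel_braking_force_6>0
  ) ;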
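-- Second property, wheel 6 (left pedal, paired with wheel 2): a braking force
-- on wheel 6 is only produced when its braking command condition holds.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT braking_wheel_6_implies_cmd assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (wheel_braking_force_6>0 implies
    (mechanical_pedal_pos_L
     and (((wheel_status_6=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_6=rolling and wheel_status_2=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))) ;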
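-- First property, wheel 7 (right pedal, paired with wheel 3): when the braking
-- command condition holds, wheel 7 produces a braking force.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT cmd_implies_braking_wheel_7 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  ((mechanical_pedal_pos_R
    and (((wheel_status_7=rolling or ground_speed=0)
          and green_pressure_in_selector_valve>0)
         or (((wheel_status_7=rolling and wheel_status_3=rolling)
              or ground_speed=0
              or not control_system_validity)
             and green_pressure_in_selector_valve=0)))
   implies wheel_braking_force_7>0
  ) ;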
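-- Second property, wheel 7 (right pedal, paired with wheel 3): a braking force
-- on wheel 7 is only produced when its braking command condition holds.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT braking_wheel_7_implies_cmd assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (wheel_braking_force_7>0 implies
    (mechanical_pedal_pos_R
     and (((wheel_status_7=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_7=rolling and wheel_status_3=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))) ;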
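-- First property, wheel 8 (right pedal, paired with wheel 4): when the braking
-- command condition holds, wheel 8 produces a braking force.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT cmd_implies_braking_wheel_8 assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  ((mechanical_pedal_pos_R
    and (((wheel_status_8=rolling or ground_speed=0)
          and green_pressure_in_selector_valve>0)
         or (((wheel_status_8=rolling and wheel_status_4=rolling)
              or ground_speed=0
              or not control_system_validity)
             and green_pressure_in_selector_valve=0)))
   implies wheel_braking_force_8>0
  ) ;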
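-- Second property, wheel 8 (right pedal, paired with wheel 4): a braking force
-- on wheel 8 is only produced when its braking command condition holds.
-- Assumption: nominal power, pump power and both hydraulic supplies (=10).
-- NOTE(review): 'not control_system_validity' un-fuses the extracted token
-- 'notcontrol_system_validity'; confirm the port name.
CONTRACT braking_wheel_8_implies_cmd assume : always (power_1 and power_2 and pump_power_1 and pump_power_2 and hydraulic_supply_1=10 and hydraulic_supply_2=10) ; guarantee : always
  (wheel_braking_force_8>0 implies
    (mechanical_pedal_pos_R
     and (((wheel_status_8=rolling or ground_speed=0)
           and green_pressure_in_selector_valve>0)
          or (((wheel_status_8=rolling and wheel_status_4=rolling)
               or ground_speed=0
               or not control_system_validity)
              and green_pressure_in_selector_valve=0)))) ;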
ctrl_sys
Component description:
Name
Type
Notes
ctrl_sys
ControlSystem
Input ports:
Name
Type
Range
electrical_pedal_pos_L
boolean
electrical_pedal_pos_R
boolean
ground_speed
int
[0, 10]
power_1
boolean
power_2
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
wheel_rolling_3
boolean
wheel_rolling_4
boolean
wheel_rolling_5
boolean
wheel_rolling_6
boolean
wheel_rolling_7
boolean
wheel_rolling_8
boolean
Output ports:
Name
Type
Range
brake_as_cmd_1
boolean
brake_as_cmd_2
boolean
brake_as_cmd_3
boolean
brake_as_cmd_4
boolean
brake_as_cmd_5
boolean
brake_as_cmd_6
boolean
brake_as_cmd_7
boolean
brake_as_cmd_8
boolean
as_cmd_pair_1_5
boolean
as_cmd_pair_2_6
boolean
as_cmd_pair_3_7
boolean
as_cmd_pair_4_8
boolean
system_validity
boolean
Contracts:
-- For each pair of wheels, if there is a brake as command for each wheel and the system is valid,
-- there is no anti-skid command for the pair
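-- For each wheel pair (1/5, 2/6, 3/7, 4/8): when both wheels of the pair carry
-- a brake/anti-skid command and the system is valid, no anti-skid command is
-- raised for that pair. No assumption (assume : true).
-- Fix: 'not as_cmd_pair_i_j' restores the operator boundary of the fused
-- tokens 'notas_cmd_pair_i_j' (as_cmd_pair_* are declared output ports).
CONTRACT brake_as_cmd_excludes_as_cmd assume : true ; guarantee :
  always ((brake_as_cmd_1 and brake_as_cmd_5 and system_validity) implies not as_cmd_pair_1_5)
  and always ((brake_as_cmd_2 and brake_as_cmd_6 and system_validity) implies not as_cmd_pair_2_6)
  and always ((brake_as_cmd_3 and brake_as_cmd_7 and system_validity) implies not as_cmd_pair_3_7)
  and always ((brake_as_cmd_4 and brake_as_cmd_8 and system_validity) implies not as_cmd_pair_4_8) ;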
-- For each pair of wheels, if there is an anti-skid command for the pair and the system is valid,
-- there is no brake as command for at least one wheel of the pair
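-- For each wheel pair (1/5, 2/6, 3/7, 4/8): when an anti-skid command is raised
-- for the pair and the system is valid, at least one wheel of the pair has no
-- brake/anti-skid command. No assumption (assume : true).
-- Fix: 'not brake_as_cmd_i or not brake_as_cmd_j' restores the operator
-- boundaries of the fused tokens 'notbrake_as_cmd_ior notbrake_as_cmd_j'.
CONTRACT as_cmd_excludes_brake_as_cmd assume : true ; guarantee :
  always ((as_cmd_pair_1_5 and system_validity) implies (not brake_as_cmd_1 or not brake_as_cmd_5))
  and always ((as_cmd_pair_2_6 and system_validity) implies (not brake_as_cmd_2 or not brake_as_cmd_6))
  and always ((as_cmd_pair_3_7 and system_validity) implies (not brake_as_cmd_3 or not brake_as_cmd_7))
  and always ((as_cmd_pair_4_8 and system_validity) implies (not brake_as_cmd_4 or not brake_as_cmd_8)) ;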
-- the validity of the system is true if and only if there is a power source and all the created commands are valid
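-- system_validity holds exactly when at least one power source is present and
-- every command output matches its expected value: brake/anti-skid commands
-- (pedal assigned to the wheel, and wheel rolling while moving or aircraft
-- stopped) and anti-skid pair commands (moving and one wheel of the pair not
-- rolling). Wheels 1,2,5,6 use the left pedal; 3,4,7,8 the right pedal.
-- Fix: 'system_validity iff' and 'not wheel_rolling_i or not wheel_rolling_j'
-- restore the operator boundaries of the fused extracted tokens.
-- NOTE(review): the contract shares its name with the output port
-- system_validity; confirm the tool accepts this.
CONTRACT system_validity assume : true ; guarantee : always (system_validity iff ((power_1 or power_2)
  and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_1) or ground_speed=0)) iff brake_as_cmd_1)
  and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_2) or ground_speed=0)) iff brake_as_cmd_2)
  and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_3) or ground_speed=0)) iff brake_as_cmd_3)
  and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_4) or ground_speed=0)) iff brake_as_cmd_4)
  and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_5) or ground_speed=0)) iff brake_as_cmd_5)
  and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_6) or ground_speed=0)) iff brake_as_cmd_6)
  and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_7) or ground_speed=0)) iff brake_as_cmd_7)
  and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_8) or ground_speed=0)) iff brake_as_cmd_8)
  and ((ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_5)) iff as_cmd_pair_1_5)
  and ((ground_speed>0 and (not wheel_rolling_2 or not wheel_rolling_6)) iff as_cmd_pair_2_6)
  and ((ground_speed>0 and (not wheel_rolling_3 or not wheel_rolling_7)) iff as_cmd_pair_3_7)
  and ((ground_speed>0 and (not wheel_rolling_4 or not wheel_rolling_8)) iff as_cmd_pair_4_8))) ;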
-- If the antiskid command is created for a pair of wheels then:
-- the system is valid
-- and the aircraft is moving
-- and one of the wheels of the pair is not rolling
-- if:
-- the system is valid
-- and the aircraft is moving
-- and one of the wheels of the pair is not rolling
-- then:
-- the antiskid command is created for a pair of wheels
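-- Pair 1/5: the anti-skid command is raised exactly when the system is valid,
-- the aircraft is moving and at least one wheel of the pair is not rolling
-- (both directions of the implication). No assumption (assume : true).
-- Fix: 'not wheel_rolling_1 or not wheel_rolling_5' and 'system_validity and'
-- restore the operator boundaries of the fused extracted tokens.
CONTRACT expected_behavior_as_cmd_pair_1_5 assume : true ; guarantee :
  always ((system_validity
           and ground_speed>0
           and (not wheel_rolling_1 or not wheel_rolling_5))
          implies as_cmd_pair_1_5)
  and
  always (as_cmd_pair_1_5 implies (system_validity and ground_speed>0
                                   and (not wheel_rolling_1 or not wheel_rolling_5))) ;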
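-- Pair 2/6: the anti-skid command is raised exactly when the system is valid,
-- the aircraft is moving and at least one wheel of the pair is not rolling
-- (both directions of the implication). No assumption (assume : true).
-- Fix: 'not wheel_rolling_2 or not wheel_rolling_6' and 'system_validity and'
-- restore the operator boundaries of the fused extracted tokens.
CONTRACT expected_behavior_as_cmd_pair_2_6 assume : true ; guarantee :
  always ((system_validity
           and ground_speed>0
           and (not wheel_rolling_2 or not wheel_rolling_6))
          implies as_cmd_pair_2_6)
  and
  always (as_cmd_pair_2_6 implies (system_validity and ground_speed>0
                                   and (not wheel_rolling_2 or not wheel_rolling_6))) ;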
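-- Pair 3/7: the anti-skid command is raised exactly when the system is valid,
-- the aircraft is moving and at least one wheel of the pair is not rolling
-- (both directions of the implication). No assumption (assume : true).
-- Fix: 'not wheel_rolling_3 or not wheel_rolling_7' and 'system_validity and'
-- restore the operator boundaries of the fused extracted tokens.
CONTRACT expected_behavior_as_cmd_pair_3_7 assume : true ; guarantee :
  always ((system_validity
           and ground_speed>0
           and (not wheel_rolling_3 or not wheel_rolling_7))
          implies as_cmd_pair_3_7)
  and
  always (as_cmd_pair_3_7 implies (system_validity and ground_speed>0
                                   and (not wheel_rolling_3 or not wheel_rolling_7))) ;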
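-- Pair 4/8: the anti-skid command is raised exactly when the system is valid,
-- the aircraft is moving and at least one wheel of the pair is not rolling
-- (both directions of the implication). No assumption (assume : true).
-- Fix: 'not wheel_rolling_4 or not wheel_rolling_8' and 'system_validity and'
-- restore the operator boundaries of the fused extracted tokens.
CONTRACT expected_behavior_as_cmd_pair_4_8 assume : true ; guarantee :
  always ((system_validity
           and ground_speed>0
           and (not wheel_rolling_4 or not wheel_rolling_8))
          implies as_cmd_pair_4_8)
  and
  always (as_cmd_pair_4_8 implies (system_validity and ground_speed>0
                                   and (not wheel_rolling_4 or not wheel_rolling_8))) ;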
-- If the brake/AntiSkid command is created for a wheel then:
-- the system is valid
-- and the assigned electrical pedal position signal is available
-- and the wheel is rolling or the aircraft is stopped
-- If:
-- the system is valid
-- and the assigned electrical pedal position signal is available
-- and the wheel is rolling or the aircraft is stopped
-- then:
-- the brake/AntiSkid command is created for a wheel
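-- Wheel 1 (left pedal): the brake/anti-skid command is raised exactly when the
-- system is valid, the left pedal signal is present, and the wheel is rolling
-- while moving or the aircraft is stopped. No assumption (assume : true).
-- Fix: 'system_validity and' restores the operator boundary of the fused
-- extracted token 'system_validityand'.
CONTRACT expected_behavior_brake_as_cmd_1 assume : true ; guarantee :
  always ((system_validity
           and electrical_pedal_pos_L
           and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0)))
          implies brake_as_cmd_1)
  and
  always (brake_as_cmd_1 implies (system_validity and electrical_pedal_pos_L
                                  and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0)))) ;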
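-- Wheel 2 (left pedal): the brake/anti-skid command is raised exactly when the
-- system is valid, the left pedal signal is present, and the wheel is rolling
-- while moving or the aircraft is stopped. No assumption (assume : true).
-- Fix: 'system_validity and' restores the operator boundary of the fused
-- extracted token 'system_validityand'.
CONTRACT expected_behavior_brake_as_cmd_2 assume : true ; guarantee :
  always ((system_validity
           and electrical_pedal_pos_L
           and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0)))
          implies brake_as_cmd_2)
  and
  always (brake_as_cmd_2 implies (system_validity and electrical_pedal_pos_L
                                  and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0)))) ;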
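-- Wheel 3 (right pedal): the brake/anti-skid command is raised exactly when the
-- system is valid, the right pedal signal is present, and the wheel is rolling
-- while moving or the aircraft is stopped. No assumption (assume : true).
-- Fix: 'system_validity and' restores the operator boundary of the fused
-- extracted token 'system_validityand'.
CONTRACT expected_behavior_brake_as_cmd_3 assume : true ; guarantee :
  always ((system_validity
           and electrical_pedal_pos_R
           and ((ground_speed>0 and wheel_rolling_3) or (ground_speed=0)))
          implies brake_as_cmd_3)
  and
  always (brake_as_cmd_3 implies (system_validity and electrical_pedal_pos_R
                                  and ((ground_speed>0 and wheel_rolling_3) or (ground_speed=0)))) ;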
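-- Wheel 4 (right pedal): the brake/anti-skid command is raised exactly when the
-- system is valid, the right pedal signal is present, and the wheel is rolling
-- while moving or the aircraft is stopped. No assumption (assume : true).
-- Fix: 'system_validity and' restores the operator boundary of the fused
-- extracted token 'system_validityand'.
CONTRACT expected_behavior_brake_as_cmd_4 assume : true ; guarantee :
  always ((system_validity
           and electrical_pedal_pos_R
           and ((ground_speed>0 and wheel_rolling_4) or (ground_speed=0)))
          implies brake_as_cmd_4)
  and
  always (brake_as_cmd_4 implies (system_validity and electrical_pedal_pos_R
                                  and ((ground_speed>0 and wheel_rolling_4) or (ground_speed=0)))) ;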
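-- Wheel 5 (left pedal): the brake/anti-skid command is raised exactly when the
-- system is valid, the left pedal signal is present, and the wheel is rolling
-- while moving or the aircraft is stopped. No assumption (assume : true).
-- Fix: 'system_validity and' restores the operator boundary of the fused
-- extracted token 'system_validityand'.
CONTRACT expected_behavior_brake_as_cmd_5 assume : true ; guarantee :
  always ((system_validity
           and electrical_pedal_pos_L
           and ((ground_speed>0 and wheel_rolling_5) or (ground_speed=0)))
          implies brake_as_cmd_5)
  and
  always (brake_as_cmd_5 implies (system_validity and electrical_pedal_pos_L
                                  and ((ground_speed>0 and wheel_rolling_5) or (ground_speed=0)))) ;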
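-- Wheel 6 (left pedal): the brake/anti-skid command is raised exactly when the
-- system is valid, the left pedal signal is present, and the wheel is rolling
-- while moving or the aircraft is stopped. No assumption (assume : true).
-- Fix: 'system_validity and' restores the operator boundary of the fused
-- extracted token 'system_validityand'.
CONTRACT expected_behavior_brake_as_cmd_6 assume : true ; guarantee :
  always ((system_validity
           and electrical_pedal_pos_L
           and ((ground_speed>0 and wheel_rolling_6) or (ground_speed=0)))
          implies brake_as_cmd_6)
  and
  always (brake_as_cmd_6 implies (system_validity and electrical_pedal_pos_L
                                  and ((ground_speed>0 and wheel_rolling_6) or (ground_speed=0)))) ;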
CONTRACT expected_behavior_brake_as_cmd_7 assume : true ; guarantee : always ((system_validity
and electrical_pedal_pos_R
and ((ground_speed>0 and wheel_rolling_7) or (ground_speed=0)))
implies brake_as_cmd_7)
and
always (brake_as_cmd_7 implies (system_validity and electrical_pedal_pos_R
and ((ground_speed>0 and wheel_rolling_7) or (ground_speed=0)))) ;
CONTRACT expected_behavior_brake_as_cmd_8 assume : true ; guarantee : always ((system_validity
and electrical_pedal_pos_R
and ((ground_speed>0 and wheel_rolling_8) or (ground_speed=0)))
implies brake_as_cmd_8)
and
always (brake_as_cmd_8 implies (system_validity and electrical_pedal_pos_R
and ((ground_speed>0 and wheel_rolling_8) or (ground_speed=0)))) ;
bscu_1
Component description:
Name
Type
Notes
bscu_1
BSCU
Input ports:
Name
Type
Range
electrical_pedal_pos_L
boolean
electrical_pedal_pos_R
boolean
ground_speed
int
[0, 10]
power
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
wheel_rolling_3
boolean
wheel_rolling_4
boolean
wheel_rolling_5
boolean
wheel_rolling_6
boolean
wheel_rolling_7
boolean
wheel_rolling_8
boolean
Output ports:
Name
Type
Range
brake_as_cmd_1
boolean
brake_as_cmd_2
boolean
brake_as_cmd_3
boolean
brake_as_cmd_4
boolean
brake_as_cmd_5
boolean
brake_as_cmd_6
boolean
brake_as_cmd_7
boolean
brake_as_cmd_8
boolean
as_cmd_pair_1_5
boolean
as_cmd_pair_2_6
boolean
as_cmd_pair_3_7
boolean
as_cmd_pair_4_8
boolean
system_validity
boolean
Contracts:
-- the validity of the system is true if and only if there is a power source and all the commands are created correctly
-- The AntiSkid commands are created for each pair of wheels if and only if:
-- there is power
-- and the aircraft is moving
-- and one of the wheels of the pair is not rolling
-- The brake/AntiSkid commands are created for wheels if and only if:
-- there is power
-- and the assigned electrical pedal position signal is available
-- and the wheel is rolling or the aircraft is stopped
CONTRACT system_validity assume : true ; guarantee : always (system_validity iff (power
and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_1) or ground_speed=0)) iff brake_as_cmd_1)
and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_2) or ground_speed=0)) iff brake_as_cmd_2)
and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_3) or ground_speed=0)) iff brake_as_cmd_3)
and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_4) or ground_speed=0)) iff brake_as_cmd_4)
and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_5) or ground_speed=0)) iff brake_as_cmd_5)
and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_6) or ground_speed=0)) iff brake_as_cmd_6)
and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_7) or ground_speed=0)) iff brake_as_cmd_7)
and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_8) or ground_speed=0)) iff brake_as_cmd_8)
and ((ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_5)) iff as_cmd_pair_1_5)
and ((ground_speed>0 and (not wheel_rolling_2 or not wheel_rolling_6)) iff as_cmd_pair_2_6)
and ((ground_speed>0 and (not wheel_rolling_3 or not wheel_rolling_7)) iff as_cmd_pair_3_7)
and ((ground_speed>0 and (not wheel_rolling_4 or not wheel_rolling_8)) iff as_cmd_pair_4_8))) ;
CONTRACT command_creation_alternate_1 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_5)) iff as_cmd_pair_1_5)) ;
CONTRACT command_creation_alternate_2 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_2 or not wheel_rolling_6)) iff as_cmd_pair_2_6)) ;
CONTRACT command_creation_alternate_3 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_3 or not wheel_rolling_7)) iff as_cmd_pair_3_7)) ;
CONTRACT command_creation_alternate_4 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_4 or not wheel_rolling_8)) iff as_cmd_pair_4_8)) ;
CONTRACT command_creation_normal_1 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_1)) ;
CONTRACT command_creation_normal_2 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_2)) ;
CONTRACT command_creation_normal_3 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_3) or (ground_speed=0))) iff brake_as_cmd_3)) ;
CONTRACT command_creation_normal_4 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_4) or (ground_speed=0))) iff brake_as_cmd_4)) ;
CONTRACT command_creation_normal_5 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_5) or (ground_speed=0))) iff brake_as_cmd_5)) ;
CONTRACT command_creation_normal_6 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_6) or (ground_speed=0))) iff brake_as_cmd_6)) ;
CONTRACT command_creation_normal_7 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_7) or (ground_speed=0))) iff brake_as_cmd_7)) ;
CONTRACT command_creation_normal_8 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_8) or (ground_speed=0))) iff brake_as_cmd_8)) ;
command_sys
Component description:
Name
Type
Notes
command_sys
CommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos_L
boolean
electrical_pedal_pos_R
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
wheel_rolling_3
boolean
wheel_rolling_4
boolean
wheel_rolling_5
boolean
wheel_rolling_6
boolean
wheel_rolling_7
boolean
wheel_rolling_8
boolean
Output ports:
Name
Type
Range
brake_as_cmd_1
boolean
brake_as_cmd_2
boolean
brake_as_cmd_3
boolean
brake_as_cmd_4
boolean
brake_as_cmd_5
boolean
brake_as_cmd_6
boolean
brake_as_cmd_7
boolean
brake_as_cmd_8
boolean
as_cmd_pair_1_5
boolean
as_cmd_pair_2_6
boolean
as_cmd_pair_3_7
boolean
as_cmd_pair_4_8
boolean
Contracts:
-- The AntiSkid commands are created for each pair of wheels if and only if:
-- there is a source of power
-- and the aircraft is moving
-- and one of the wheels of the pair is not rolling
-- The brake/AntiSkid commands are created for each wheel if and only if:
-- there is a source of power
-- and the assigned electrical pedal position signal is available
-- and the wheel is rolling or the aircraft is stopped
CONTRACT command_creation_alternate_1 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_5)) iff as_cmd_pair_1_5)) ;
CONTRACT command_creation_alternate_2 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_2 or not wheel_rolling_6)) iff as_cmd_pair_2_6)) ;
CONTRACT command_creation_alternate_3 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_3 or not wheel_rolling_7)) iff as_cmd_pair_3_7)) ;
CONTRACT command_creation_alternate_4 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_4 or not wheel_rolling_8)) iff as_cmd_pair_4_8)) ;
CONTRACT command_creation_normal_1 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_1)) ;
CONTRACT command_creation_normal_2 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_2)) ;
CONTRACT command_creation_normal_3 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_3) or (ground_speed=0))) iff brake_as_cmd_3)) ;
CONTRACT command_creation_normal_4 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_4) or (ground_speed=0))) iff brake_as_cmd_4)) ;
CONTRACT command_creation_normal_5 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_5) or (ground_speed=0))) iff brake_as_cmd_5)) ;
CONTRACT command_creation_normal_6 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_6) or (ground_speed=0))) iff brake_as_cmd_6)) ;
CONTRACT command_creation_normal_7 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_7) or (ground_speed=0))) iff brake_as_cmd_7)) ;
CONTRACT command_creation_normal_8 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_8) or (ground_speed=0))) iff brake_as_cmd_8)) ;
w1_w5_cmd_sys
Component description:
Name
Type
Notes
w1_w5_cmd_sys
WheelPairCommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
Output ports:
Name
Type
Range
as_cmd_out
boolean
brake_as_cmd_out_1
boolean
brake_as_cmd_out_2
boolean
Contracts:
--The anti-skid command for the wheel pair is available if and only if:
-- at least one wheel is skidding
-- and the aircraft is moving
-- and power is available
--and the brake/anti-skid command of each wheel is available if and only if:
-- a brake command is available
-- and the wheel is not skidding or the aircraft is stopped
-- and power is available
CONTRACT commands_creation assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_2)) iff as_cmd_out)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_out_1)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_out_2)) ;
w2_w6_cmd_sys
Component description:
Name
Type
Notes
w2_w6_cmd_sys
WheelPairCommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
Output ports:
Name
Type
Range
as_cmd_out
boolean
brake_as_cmd_out_1
boolean
brake_as_cmd_out_2
boolean
Contracts:
--The anti-skid command for the wheel pair is available if and only if:
-- at least one wheel is skidding
-- and the aircraft is moving
-- and power is available
--and the brake/anti-skid command of each wheel is available if and only if:
-- a brake command is available
-- and the wheel is not skidding or the aircraft is stopped
-- and power is available
CONTRACT commands_creation assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_2)) iff as_cmd_out)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_out_1)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_out_2)) ;
w3_w7_cmd_sys
Component description:
Name
Type
Notes
w3_w7_cmd_sys
WheelPairCommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
Output ports:
Name
Type
Range
as_cmd_out
boolean
brake_as_cmd_out_1
boolean
brake_as_cmd_out_2
boolean
Contracts:
--The anti-skid command for the wheel pair is available if and only if:
-- at least one wheel is skidding
-- and the aircraft is moving
-- and power is available
--and the brake/anti-skid command of each wheel is available if and only if:
-- a brake command is available
-- and the wheel is not skidding or the aircraft is stopped
-- and power is available
CONTRACT commands_creation assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_2)) iff as_cmd_out)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_out_1)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_out_2)) ;
w4_w8_cmd_sys
Component description:
Name
Type
Notes
w4_w8_cmd_sys
WheelPairCommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
Output ports:
Name
Type
Range
as_cmd_out
boolean
brake_as_cmd_out_1
boolean
brake_as_cmd_out_2
boolean
Contracts:
--The anti-skid command for the wheel pair is available if and only if:
-- at least one wheel is skidding
-- and the aircraft is moving
-- and power is available
--and the brake/anti-skid command of each wheel is available if and only if:
-- a brake command is available
-- and the wheel is not skidding or the aircraft is stopped
-- and power is available
CONTRACT commands_creation assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_2)) iff as_cmd_out)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_out_1)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_out_2)) ;
bscu_2
Component description:
Name
Type
Notes
bscu_2
BSCU
Input ports:
Name
Type
Range
electrical_pedal_pos_L
boolean
electrical_pedal_pos_R
boolean
ground_speed
int
[0, 10]
power
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
wheel_rolling_3
boolean
wheel_rolling_4
boolean
wheel_rolling_5
boolean
wheel_rolling_6
boolean
wheel_rolling_7
boolean
wheel_rolling_8
boolean
Output ports:
Name
Type
Range
brake_as_cmd_1
boolean
brake_as_cmd_2
boolean
brake_as_cmd_3
boolean
brake_as_cmd_4
boolean
brake_as_cmd_5
boolean
brake_as_cmd_6
boolean
brake_as_cmd_7
boolean
brake_as_cmd_8
boolean
as_cmd_pair_1_5
boolean
as_cmd_pair_2_6
boolean
as_cmd_pair_3_7
boolean
as_cmd_pair_4_8
boolean
system_validity
boolean
Contracts:
-- the validity of the system is true if and only if there is a power source and all the commands are created correctly
-- The AntiSkid commands are created for each pair of wheels if and only if:
-- there is power
-- and the aircraft is moving
-- and one of the wheels of the pair is not rolling
-- The brake/AntiSkid commands are created for wheels if and only if:
-- there is power
-- and the assigned electrical pedal position signal is available
-- and the wheel is rolling or the aircraft is stopped
CONTRACT system_validity assume : true ; guarantee : always (system_validity iff (power
and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_1) or ground_speed=0)) iff brake_as_cmd_1)
and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_2) or ground_speed=0)) iff brake_as_cmd_2)
and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_3) or ground_speed=0)) iff brake_as_cmd_3)
and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_4) or ground_speed=0)) iff brake_as_cmd_4)
and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_5) or ground_speed=0)) iff brake_as_cmd_5)
and ((electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_6) or ground_speed=0)) iff brake_as_cmd_6)
and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_7) or ground_speed=0)) iff brake_as_cmd_7)
and ((electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_8) or ground_speed=0)) iff brake_as_cmd_8)
and ((ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_5)) iff as_cmd_pair_1_5)
and ((ground_speed>0 and (not wheel_rolling_2 or not wheel_rolling_6)) iff as_cmd_pair_2_6)
and ((ground_speed>0 and (not wheel_rolling_3 or not wheel_rolling_7)) iff as_cmd_pair_3_7)
and ((ground_speed>0 and (not wheel_rolling_4 or not wheel_rolling_8)) iff as_cmd_pair_4_8))) ;
CONTRACT command_creation_alternate_1 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_5)) iff as_cmd_pair_1_5)) ;
CONTRACT command_creation_alternate_2 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_2 or not wheel_rolling_6)) iff as_cmd_pair_2_6)) ;
CONTRACT command_creation_alternate_3 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_3 or not wheel_rolling_7)) iff as_cmd_pair_3_7)) ;
CONTRACT command_creation_alternate_4 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_4 or not wheel_rolling_8)) iff as_cmd_pair_4_8)) ;
CONTRACT command_creation_normal_1 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_1)) ;
CONTRACT command_creation_normal_2 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_2)) ;
CONTRACT command_creation_normal_3 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_3) or (ground_speed=0))) iff brake_as_cmd_3)) ;
CONTRACT command_creation_normal_4 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_4) or (ground_speed=0))) iff brake_as_cmd_4)) ;
CONTRACT command_creation_normal_5 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_5) or (ground_speed=0))) iff brake_as_cmd_5)) ;
CONTRACT command_creation_normal_6 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_6) or (ground_speed=0))) iff brake_as_cmd_6)) ;
CONTRACT command_creation_normal_7 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_7) or (ground_speed=0))) iff brake_as_cmd_7)) ;
CONTRACT command_creation_normal_8 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_8) or (ground_speed=0))) iff brake_as_cmd_8)) ;
command_sys
Component description:
Name
Type
Notes
command_sys
CommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos_L
boolean
electrical_pedal_pos_R
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
wheel_rolling_3
boolean
wheel_rolling_4
boolean
wheel_rolling_5
boolean
wheel_rolling_6
boolean
wheel_rolling_7
boolean
wheel_rolling_8
boolean
Output ports:
Name
Type
Range
brake_as_cmd_1
boolean
brake_as_cmd_2
boolean
brake_as_cmd_3
boolean
brake_as_cmd_4
boolean
brake_as_cmd_5
boolean
brake_as_cmd_6
boolean
brake_as_cmd_7
boolean
brake_as_cmd_8
boolean
as_cmd_pair_1_5
boolean
as_cmd_pair_2_6
boolean
as_cmd_pair_3_7
boolean
as_cmd_pair_4_8
boolean
Contracts:
-- The AntiSkid commands are created for each pair of wheels if and only if:
-- there is a source of power
-- and the aircraft is moving
-- and one of the wheels of the pair is not rolling
-- The brake/AntiSkid commands are created for each wheel if and only if:
-- there is a source of power
-- and the assigned electrical pedal position signal is available
-- and the wheel is rolling or the aircraft is stopped
CONTRACT command_creation_alternate_1 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_5)) iff as_cmd_pair_1_5)) ;
CONTRACT command_creation_alternate_2 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_2 or not wheel_rolling_6)) iff as_cmd_pair_2_6)) ;
CONTRACT command_creation_alternate_3 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_3 or not wheel_rolling_7)) iff as_cmd_pair_3_7)) ;
CONTRACT command_creation_alternate_4 assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_4 or not wheel_rolling_8)) iff as_cmd_pair_4_8)) ;
CONTRACT command_creation_normal_1 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_1)) ;
CONTRACT command_creation_normal_2 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_2)) ;
CONTRACT command_creation_normal_3 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_3) or (ground_speed=0))) iff brake_as_cmd_3)) ;
CONTRACT command_creation_normal_4 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_4) or (ground_speed=0))) iff brake_as_cmd_4)) ;
CONTRACT command_creation_normal_5 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_5) or (ground_speed=0))) iff brake_as_cmd_5)) ;
CONTRACT command_creation_normal_6 assume : true ; guarantee : always (((power and electrical_pedal_pos_L and ((ground_speed>0 and wheel_rolling_6) or (ground_speed=0))) iff brake_as_cmd_6)) ;
CONTRACT command_creation_normal_7 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_7) or (ground_speed=0))) iff brake_as_cmd_7)) ;
CONTRACT command_creation_normal_8 assume : true ; guarantee : always (((power and electrical_pedal_pos_R and ((ground_speed>0 and wheel_rolling_8) or (ground_speed=0))) iff brake_as_cmd_8)) ;
w1_w5_cmd_sys
Component description:
Name
Type
Notes
w1_w5_cmd_sys
WheelPairCommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
Output ports:
Name
Type
Range
as_cmd_out
boolean
brake_as_cmd_out_1
boolean
brake_as_cmd_out_2
boolean
Contracts:
--The anti-skid command for the wheel pair is available if and only if:
-- at least one wheel is skidding
-- and the aircraft is moving
-- and power is available
--and the brake/anti-skid command of each wheel is available if and only if:
-- a brake command is available
-- and the wheel is not skidding or the aircraft is stopped
-- and power is available
CONTRACT commands_creation assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_2)) iff as_cmd_out)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_out_1)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_out_2)) ;
w2_w6_cmd_sys
Component description:
Name
Type
Notes
w2_w6_cmd_sys
WheelPairCommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
Output ports:
Name
Type
Range
as_cmd_out
boolean
brake_as_cmd_out_1
boolean
brake_as_cmd_out_2
boolean
Contracts:
--The anti-skid command for the wheel pair is available if and only if:
-- at least one wheel is skidding
-- and the aircraft is moving
-- and power is available
--and the brake/anti-skid command of each wheel is available if and only if:
-- a brake command is available
-- and the wheel is not skidding or the aircraft is stopped
-- and power is available
CONTRACT commands_creation assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_2)) iff as_cmd_out)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_out_1)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_out_2)) ;
w3_w7_cmd_sys
Component description:
Name
Type
Notes
w3_w7_cmd_sys
WheelPairCommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
Output ports:
Name
Type
Range
as_cmd_out
boolean
brake_as_cmd_out_1
boolean
brake_as_cmd_out_2
boolean
Contracts:
--The anti-skid command for the wheel pair is available if and only if:
-- at least one wheel is skidding
-- and the aircraft is moving
-- and power is available
--and the brake/anti-skid command of each wheel is available if and only if:
-- a brake command is available
-- and the wheel is not skidding or the aircraft is stopped
-- and power is available
CONTRACT commands_creation assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_2)) iff as_cmd_out)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_out_1)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_out_2)) ;
w4_w8_cmd_sys
Component description:
Name
Type
Notes
w4_w8_cmd_sys
WheelPairCommandSystem
Input ports:
Name
Type
Range
power
boolean
ground_speed
int
[0, 10]
electrical_pedal_pos
boolean
wheel_rolling_1
boolean
wheel_rolling_2
boolean
Output ports:
Name
Type
Range
as_cmd_out
boolean
brake_as_cmd_out_1
boolean
brake_as_cmd_out_2
boolean
Contracts:
--The anti-skid command for the wheel pair is available if and only if:
-- at least one wheel is skidding
-- and the aircraft is moving
-- and power is available
--and the brake/anti-skid command of each wheel is available if and only if:
-- a brake command is available
-- and the wheel is not skidding or the aircraft is stopped
-- and power is available
CONTRACT commands_creation assume : true ; guarantee : always (((power and ground_speed>0 and (not wheel_rolling_1 or not wheel_rolling_2)) iff as_cmd_out)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_1) or (ground_speed=0))) iff brake_as_cmd_out_1)
and ((power and electrical_pedal_pos and ((ground_speed>0 and wheel_rolling_2) or (ground_speed=0))) iff brake_as_cmd_out_2)) ;
phys_sys
Component description:
Name
Type
Notes
phys_sys
PhysicalSystem
Input ports:
Name
Type
Range
hydraulic_supply_1
int
[0, 10]
hydraulic_supply_2
int
[0, 10]
pump_power_1
boolean
pump_power_2
boolean
system_validity
boolean
brake_as_cmd_1
boolean
brake_as_cmd_2
boolean
brake_as_cmd_3
boolean
brake_as_cmd_4
boolean
brake_as_cmd_5
boolean
brake_as_cmd_6
boolean
brake_as_cmd_7
boolean
brake_as_cmd_8
boolean
as_cmd_pair_1_5
boolean
as_cmd_pair_2_6
boolean
as_cmd_pair_3_7
boolean
as_cmd_pair_4_8
boolean
ground_speed
int
[0, 10]
mechanical_pedal_pos_L
boolean
mechanical_pedal_pos_R
boolean
Output ports:
Name
Type
Range
accumulator_pressure_display
int
[0, 10]
wheel_status_1
ENUM_1
[rolling, stopped]
wheel_status_2
ENUM_1
[rolling, stopped]
wheel_status_3
ENUM_1
[rolling, stopped]
wheel_status_4
ENUM_1
[rolling, stopped]
wheel_status_5
ENUM_1
[rolling, stopped]
wheel_status_6
ENUM_1
[rolling, stopped]
wheel_status_7
ENUM_1
[rolling, stopped]
wheel_status_8
ENUM_1
[rolling, stopped]
wheel_braking_force_1
int
[0, 10]
wheel_braking_force_2
int
[0, 10]
wheel_braking_force_3
int
[0, 10]
wheel_braking_force_4
int
[0, 10]
wheel_braking_force_5
int
[0, 10]
wheel_braking_force_6
int
[0, 10]
wheel_braking_force_7
int
[0, 10]
wheel_braking_force_8
int
[0, 10]
green_pressure_in_selector_valve
int
[0, 10]
Contracts:
-- S18-WBS-R-0321 p 58
-- Loss of all wheel braking (annunciated or unannunciated)
-- during landing or RTO
-- shall be extremely remote
CONTRACT never_loss_of_all_wheel_braking assume : true ; guarantee : never (mechanical_pedal_pos_L and
mechanical_pedal_pos_R and (ground_speed > 0 )
and
not (((brake_as_cmd_1
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_1>0
) and
not (((brake_as_cmd_2
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_2>0
) and
not (((brake_as_cmd_5
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_5>0
) and
not (((brake_as_cmd_6
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_6>0
) and
not (((brake_as_cmd_3
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_3>0
) and
not (((brake_as_cmd_4
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_4>0
) and
not (((brake_as_cmd_7
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_7>0
) and
not (((brake_as_cmd_8
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_8>0
)) ;
-- S18-WBS-R-0322 p 58
-- Asymmetrical loss of wheel braking
-- coupled with loss of rudder or nose wheel steering
-- during landing or RTO
-- shall be extremely remote
-- loss of the right side
CONTRACT never_asymmetric_loss_of_wheel_braking_right assume : true ; guarantee : never (mechanical_pedal_pos_L and
mechanical_pedal_pos_R and (ground_speed > 0 )
and (count ((((brake_as_cmd_1
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_1>0
) , (((brake_as_cmd_2
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_2>0
) , (((brake_as_cmd_5
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_5>0
) , (((brake_as_cmd_6
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_6>0
))=4
and
count ((((brake_as_cmd_3
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_3>0
) , (((brake_as_cmd_4
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_4>0
) , (((brake_as_cmd_7
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_7>0
) , (((brake_as_cmd_8
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_8>0
))=0)) ;
-- S18-WBS-R-0322 p 58
-- Asymmetrical loss of wheel braking
-- coupled with loss of rudder or nose wheel steering
-- during landing or RTO
-- shall be extremely remote
-- loss of the left side
CONTRACT never_asymmetric_loss_of_wheel_braking_left assume : true ; guarantee : never (mechanical_pedal_pos_L and
mechanical_pedal_pos_R and (ground_speed > 0 )
and count ((((brake_as_cmd_1
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_1>0
) , (((brake_as_cmd_2
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_2>0
) , (((brake_as_cmd_5
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_5>0
) , (((brake_as_cmd_6
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_6>0
))=0
and
count ((((brake_as_cmd_3
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_3>0
) , (((brake_as_cmd_4
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_4>0
) , (((brake_as_cmd_7
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_7>0
) , (((brake_as_cmd_8
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_8>0
))=4
) ;
-- S18-WBS-0323 p 59
-- Inadvertent wheel braking with all wheels locked during
-- take off roll before V1
-- shall be extremely remote
-- No braking command of any kind (neither pedal, no electrical command on any wheel),
-- yet every wheel carries a positive braking force, every wheel is stopped, and the
-- aircraft is still moving (ground_speed > 0): all wheels locked without a command.
-- NOTE(review): V1 is not modelled; the guarantee applies at any positive ground speed.
CONTRACT never_inadvertent_braking_with_all_wheels_locked assume : true ; guarantee : never (((not mechanical_pedal_pos_L) and (not mechanical_pedal_pos_R) and (not brake_as_cmd_1) and (not brake_as_cmd_2) and (not brake_as_cmd_3) and (not brake_as_cmd_4) and (not brake_as_cmd_5) and (not brake_as_cmd_6) and (not brake_as_cmd_7) and (not brake_as_cmd_8))
and (wheel_braking_force_1>0 and
wheel_braking_force_2>0 and
wheel_braking_force_3>0 and
wheel_braking_force_4>0 and
wheel_braking_force_5>0 and
wheel_braking_force_6>0 and
wheel_braking_force_7>0 and
wheel_braking_force_8>0
) and (wheel_status_1=stopped and
wheel_status_2=stopped and
wheel_status_3=stopped and
wheel_status_4=stopped and
wheel_status_5=stopped and
wheel_status_6=stopped and
wheel_status_7=stopped and
wheel_status_8=stopped
)
and ground_speed>0
) ;
-- S18-WBS-0324 p 59
-- Inadvertent wheel braking of all wheels during
-- take off roll after V1
-- shall be extremely improbable
-- No braking command of any kind, yet every wheel carries a positive braking force
-- while the aircraft is moving. This is the locked-wheels case above without the
-- wheel_status conjunct, so its forbidden condition is weaker: this contract subsumes
-- never_inadvertent_braking_with_all_wheels_locked.
-- NOTE(review): V1 is not modelled; the guarantee applies at any positive ground speed.
CONTRACT never_inadvertent_braking_of_all_wheels assume : true ; guarantee : never (((not mechanical_pedal_pos_L) and (not mechanical_pedal_pos_R) and (not brake_as_cmd_1) and (not brake_as_cmd_2) and (not brake_as_cmd_3) and (not brake_as_cmd_4) and (not brake_as_cmd_5) and (not brake_as_cmd_6) and (not brake_as_cmd_7) and (not brake_as_cmd_8))
and (wheel_braking_force_1>0 and
wheel_braking_force_2>0 and
wheel_braking_force_3>0 and
wheel_braking_force_4>0 and
wheel_braking_force_5>0 and
wheel_braking_force_6>0 and
wheel_braking_force_7>0 and
wheel_braking_force_8>0
) and (ground_speed > 0 )) ;
-- Sanity check to evaluate the new behavior of the wheels
-- This contract is only used for debugging and is commented out in this release pending its refinement.
-- ASSUMPTIONS
-- If there is a braking force on every wheel and the ground speed is greater than 1, then the ground speed is decreased by 1 at the next step
-- If at least one wheel has no braking force and the ground speed is greater than 1, then the ground speed remains the same at the next step
-- If the ground speed is lower than or equal to 1, then the ground speed equals 0 at the next step
-- Initially, if the ground speed is greater than zero, all the wheels are rolling
-- Initially, if the ground speed is equal to zero, all the wheels are stopped
-- GUARANTEE
-- The ground speed being equal to zero implies that all the wheels are stopped
-- and ground speed is equal to zero implies that all the wheels are stopped at the next step
/--CONTRACT sanity_check
assume: always( (wheel_braking_force_1>0
and wheel_braking_force_2>0
and wheel_braking_force_3>0
and wheel_braking_force_4>0
and wheel_braking_force_5>0
and wheel_braking_force_6>0
and wheel_braking_force_7>0
and wheel_braking_force_8>0
and ground_speed>1)
implies next(ground_speed)=ground_speed - 1
)
and always( ((wheel_braking_force_1=0
or wheel_braking_force_2=0
or wheel_braking_force_3=0
or wheel_braking_force_4=0
or wheel_braking_force_5=0
or wheel_braking_force_6=0
or wheel_braking_force_7=0
or wheel_braking_force_8=0)
and ground_speed>1)
implies next(ground_speed)=ground_speed
)
and always(ground_speed<2 implies next(ground_speed)=0)
and (ground_speed>0 implies
(wheel_status_1=rolling
and wheel_status_2=rolling
and wheel_status_3=rolling
and wheel_status_4=rolling
and wheel_status_5=rolling
and wheel_status_6=rolling
and wheel_status_7=rolling
and wheel_status_8=rolling
))
and (ground_speed=0 implies
(wheel_status_1=stopped
and wheel_status_2=stopped
and wheel_status_3=stopped
and wheel_status_4=stopped
and wheel_status_5=stopped
and wheel_status_6=stopped
and wheel_status_7=stopped
and wheel_status_8=stopped
))
;
guarantee: always( ground_speed=0 implies
( wheel_status_1=stopped and
wheel_status_2=stopped and
wheel_status_3=stopped and
wheel_status_4=stopped and
wheel_status_5=stopped and
wheel_status_6=stopped and
wheel_status_7=stopped and
wheel_status_8=stopped
))
and always( ground_speed=0 implies
(next(wheel_status_1)=stopped and
next(wheel_status_2)=stopped and
next(wheel_status_3)=stopped and
next(wheel_status_4)=stopped and
next(wheel_status_5)=stopped and
next(wheel_status_6)=stopped and
next(wheel_status_7)=stopped and
next(wheel_status_8)=stopped
)
);--/
-- The capacity to brake the four wheels in the left landing gear is always available in the nominal case
-- Conjunction of the per-wheel command->force guarantees for the four left-gear
-- wheels (1, 2, 5, 6): normal path (brake_as_cmd_N with green pressure) or alternate
-- path (left pedal, no anti-skid command on the wheel's pair, no green pressure)
-- must yield a positive braking force on that wheel.
CONTRACT asymmetrical_left_braking assume : true ; guarantee : always ((((brake_as_cmd_1
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_1>0
) and (((brake_as_cmd_2
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_2>0
) and (((brake_as_cmd_5
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_5>0
) and (((brake_as_cmd_6
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_6>0
)) ;
-- The capacity to brake the four wheels in the right landing gear is always available in the nominal case
-- Conjunction of the per-wheel command->force guarantees for the four right-gear
-- wheels (3, 4, 7, 8): normal path (brake_as_cmd_N with green pressure) or alternate
-- path (right pedal, no anti-skid command on the wheel's pair, no green pressure)
-- must yield a positive braking force on that wheel.
CONTRACT asymmetrical_right_braking assume : true ; guarantee : always ((((brake_as_cmd_3
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_3>0
) and (((brake_as_cmd_4
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_4>0
) and (((brake_as_cmd_7
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_7>0
) and (((brake_as_cmd_8
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_8>0
)) ;
-- FIRST CONTRACT: CMD implies braking force
-- GUARANTEE:
-- For each wheel, if:
-- a brake/anti-skid command is applied
-- and the WBS is in the normal mode
-- or a mechanical command
-- and no anti-skid command is applied
-- and the WBS is in the alternate or emergency mode
-- then:
-- a braking force is applied
--
-- SECOND CONTRACT: braking force implies CMD
-- ASSUMPTION:
-- for each wheel, if there is:
-- a mechanical command
-- and the control system is valid
-- and there is no braking/AS command,
-- then there is an anti-skid command for the pair containing the wheel
-- GUARANTEE:
-- For each wheel, if there is braking force then:
-- a brake/anti-skid command is applied
-- and the WBS is in the normal mode
-- or a mechanical command
-- and no anti-skid command is applied
-- and the WBS is in the alternate or emergency mode
-- Wheel 1 (left gear, pair 1_5): normal path = brake_as_cmd_1 with green pressure in
-- the selector valve; alternate path = left pedal, no anti-skid command on pair 1_5,
-- no green pressure. Either path must produce a positive braking force.
CONTRACT cmd_implies_braking_wheel_1 assume : true ; guarantee : always (((brake_as_cmd_1
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_1>0
) ;
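-- Wheel 1 braking force only arises from a command: the normal path (brake_as_cmd_1
-- with green pressure) or the alternate path (left pedal, no anti-skid command on
-- pair 1_5, no green pressure).
-- Assumption: left pedal pressed, system valid and no brake/anti-skid command on
-- wheel 1 implies an anti-skid command on pair 1_5 (presumably excludes pedal braking
-- without any command while the system is valid -- confirm against the refinement).
CONTRACT braking_wheel_1_implies_cmd assume : always ((mechanical_pedal_pos_L
and system_validity
and not brake_as_cmd_1)
implies as_cmd_pair_1_5
) ; guarantee : always (wheel_braking_force_1>0 implies ((brake_as_cmd_1
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))) ;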
-- Wheel 2 (left gear, pair 2_6): normal path = brake_as_cmd_2 with green pressure in
-- the selector valve; alternate path = left pedal, no anti-skid command on pair 2_6,
-- no green pressure. Either path must produce a positive braking force.
CONTRACT cmd_implies_braking_wheel_2 assume : true ; guarantee : always (((brake_as_cmd_2
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_2>0
) ;
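-- Wheel 2 braking force only arises from a command: the normal path (brake_as_cmd_2
-- with green pressure) or the alternate path (left pedal, no anti-skid command on
-- pair 2_6, no green pressure).
-- Assumption: left pedal pressed, system valid and no brake/anti-skid command on
-- wheel 2 implies an anti-skid command on pair 2_6 (presumably excludes pedal braking
-- without any command while the system is valid -- confirm against the refinement).
CONTRACT braking_wheel_2_implies_cmd assume : always ((mechanical_pedal_pos_L
and system_validity
and not brake_as_cmd_2)
implies as_cmd_pair_2_6
) ; guarantee : always (wheel_braking_force_2>0 implies ((brake_as_cmd_2
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))) ;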
-- Wheel 3 (right gear, pair 3_7): normal path = brake_as_cmd_3 with green pressure in
-- the selector valve; alternate path = right pedal, no anti-skid command on pair 3_7,
-- no green pressure. Either path must produce a positive braking force.
CONTRACT cmd_implies_braking_wheel_3 assume : true ; guarantee : always (((brake_as_cmd_3
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_3>0
) ;
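-- Wheel 3 braking force only arises from a command: the normal path (brake_as_cmd_3
-- with green pressure) or the alternate path (right pedal, no anti-skid command on
-- pair 3_7, no green pressure).
-- Assumption: right pedal pressed, system valid and no brake/anti-skid command on
-- wheel 3 implies an anti-skid command on pair 3_7 (presumably excludes pedal braking
-- without any command while the system is valid -- confirm against the refinement).
CONTRACT braking_wheel_3_implies_cmd assume : always ((mechanical_pedal_pos_R
and system_validity
and not brake_as_cmd_3)
implies as_cmd_pair_3_7
) ; guarantee : always (wheel_braking_force_3>0 implies ((brake_as_cmd_3
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))) ;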
-- Wheel 4 (right gear, pair 4_8): normal path = brake_as_cmd_4 with green pressure in
-- the selector valve; alternate path = right pedal, no anti-skid command on pair 4_8,
-- no green pressure. Either path must produce a positive braking force.
CONTRACT cmd_implies_braking_wheel_4 assume : true ; guarantee : always (((brake_as_cmd_4
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_4>0
) ;
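-- Wheel 4 braking force only arises from a command: the normal path (brake_as_cmd_4
-- with green pressure) or the alternate path (right pedal, no anti-skid command on
-- pair 4_8, no green pressure).
-- Assumption: right pedal pressed, system valid and no brake/anti-skid command on
-- wheel 4 implies an anti-skid command on pair 4_8 (presumably excludes pedal braking
-- without any command while the system is valid -- confirm against the refinement).
CONTRACT braking_wheel_4_implies_cmd assume : always ((mechanical_pedal_pos_R
and system_validity
and not brake_as_cmd_4)
implies as_cmd_pair_4_8
) ; guarantee : always (wheel_braking_force_4>0 implies ((brake_as_cmd_4
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))) ;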
-- Wheel 5 (left gear, pair 1_5): normal path = brake_as_cmd_5 with green pressure in
-- the selector valve; alternate path = left pedal, no anti-skid command on pair 1_5,
-- no green pressure. Either path must produce a positive braking force.
CONTRACT cmd_implies_braking_wheel_5 assume : true ; guarantee : always (((brake_as_cmd_5
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_5>0
) ;
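-- Wheel 5 braking force only arises from a command: the normal path (brake_as_cmd_5
-- with green pressure) or the alternate path (left pedal, no anti-skid command on
-- pair 1_5, no green pressure).
-- Assumption: left pedal pressed, system valid and no brake/anti-skid command on
-- wheel 5 implies an anti-skid command on pair 1_5 (presumably excludes pedal braking
-- without any command while the system is valid -- confirm against the refinement).
CONTRACT braking_wheel_5_implies_cmd assume : always ((mechanical_pedal_pos_L
and system_validity
and not brake_as_cmd_5)
implies as_cmd_pair_1_5
) ; guarantee : always (wheel_braking_force_5>0 implies ((brake_as_cmd_5
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_1_5
and green_pressure_in_selector_valve=0))) ;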
-- Wheel 6 (left gear, pair 2_6): normal path = brake_as_cmd_6 with green pressure in
-- the selector valve; alternate path = left pedal, no anti-skid command on pair 2_6,
-- no green pressure. Either path must produce a positive braking force.
CONTRACT cmd_implies_braking_wheel_6 assume : true ; guarantee : always (((brake_as_cmd_6
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_6>0
) ;
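-- Wheel 6 braking force only arises from a command: the normal path (brake_as_cmd_6
-- with green pressure) or the alternate path (left pedal, no anti-skid command on
-- pair 2_6, no green pressure).
-- Assumption: left pedal pressed, system valid and no brake/anti-skid command on
-- wheel 6 implies an anti-skid command on pair 2_6 (presumably excludes pedal braking
-- without any command while the system is valid -- confirm against the refinement).
CONTRACT braking_wheel_6_implies_cmd assume : always ((mechanical_pedal_pos_L
and system_validity
and not brake_as_cmd_6)
implies as_cmd_pair_2_6
) ; guarantee : always (wheel_braking_force_6>0 implies ((brake_as_cmd_6
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_L
and not as_cmd_pair_2_6
and green_pressure_in_selector_valve=0))) ;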
-- Wheel 7 (right gear, pair 3_7): normal path = brake_as_cmd_7 with green pressure in
-- the selector valve; alternate path = right pedal, no anti-skid command on pair 3_7,
-- no green pressure. Either path must produce a positive braking force.
CONTRACT cmd_implies_braking_wheel_7 assume : true ; guarantee : always (((brake_as_cmd_7
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_7>0
) ;
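-- Wheel 7 braking force only arises from a command: the normal path (brake_as_cmd_7
-- with green pressure) or the alternate path (right pedal, no anti-skid command on
-- pair 3_7, no green pressure).
-- Assumption: right pedal pressed, system valid and no brake/anti-skid command on
-- wheel 7 implies an anti-skid command on pair 3_7 (presumably excludes pedal braking
-- without any command while the system is valid -- confirm against the refinement).
CONTRACT braking_wheel_7_implies_cmd assume : always ((mechanical_pedal_pos_R
and system_validity
and not brake_as_cmd_7)
implies as_cmd_pair_3_7
) ; guarantee : always (wheel_braking_force_7>0 implies ((brake_as_cmd_7
and green_pressure_in_selector_valve>0 )
or (mechanical_pedal_pos_R
and not as_cmd_pair_3_7
and green_pressure_in_selector_valve=0))) ;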
-- Wheel 8 (right gear, pair 4_8): normal path = brake_as_cmd_8 with green pressure in
-- the selector valve; alternate path = right pedal, no anti-skid command on pair 4_8,
-- no green pressure. Either path must produce a positive braking force.
CONTRACT cmd_implies_braking_wheel_8 assume : true ; guarantee : always (((brake_as_cmd_8
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))
implies wheel_braking_force_8>0
) ;
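-- Wheel 8 braking force only arises from a command: the normal path (brake_as_cmd_8
-- with green pressure) or the alternate path (right pedal, no anti-skid command on
-- pair 4_8, no green pressure).
-- Assumption: right pedal pressed, system valid and no brake/anti-skid command on
-- wheel 8 implies an anti-skid command on pair 4_8 (presumably excludes pedal braking
-- without any command while the system is valid -- confirm against the refinement).
CONTRACT braking_wheel_8_implies_cmd assume : always ((mechanical_pedal_pos_R
and system_validity
and not brake_as_cmd_8)
implies as_cmd_pair_4_8
) ; guarantee : always (wheel_braking_force_8>0 implies ((brake_as_cmd_8
and green_pressure_in_selector_valve>0)
or (mechanical_pedal_pos_R
and not as_cmd_pair_4_8
and green_pressure_in_selector_valve=0))) ;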
--Contract to ensure the value of the output green_pressure_in_selector_valve, used for mode recognition
-- Mode discriminator used by the per-wheel contracts above: green pressure is present
-- in the selector valve iff the system is valid, pump 1 is powered and hydraulic
-- supply 1 is positive. Only the sign of the output is fixed, not its magnitude.
-- NOTE(review): only pump_power_1 / hydraulic_supply_1 enter this guarantee; the
-- second pump and supply do not affect this output -- confirm this is intended.
CONTRACT getting_green_pressure_in_selector_valve assume : true ; guarantee : always (green_pressure_in_selector_valve>0 iff (system_validity and pump_power_1 and hydraulic_supply_1>0)) ;
normal_sys
Component description:
Name
Type
Notes
normal_sys
NormalBrakeSystem
Input ports:
Name
Type
Range
brake_as_cmd_1
boolean
brake_as_cmd_2
boolean
brake_as_cmd_3
boolean
brake_as_cmd_4
boolean
brake_as_cmd_5
boolean
brake_as_cmd_6
boolean
brake_as_cmd_7
boolean
brake_as_cmd_8
boolean
hyd_pressure_in
int
[0, 10]
Output ports:
Name
Type
Range
hyd_pressure_out_1
int
[0, 10]
hyd_pressure_out_2
int
[0, 10]
hyd_pressure_out_3
int
[0, 10]
hyd_pressure_out_4
int
[0, 10]
hyd_pressure_out_5
int
[0, 10]
hyd_pressure_out_6
int
[0, 10]
hyd_pressure_out_7
int
[0, 10]
hyd_pressure_out_8
int
[0, 10]
Contracts:
--The pressure outgoing from each port of the system is greater than zero if and only if:
-- a hydraulic pressure is present at the input
-- and the corresponding electrical brake command is received
-- Output 1 is pressurised iff input pressure is present and brake_as_cmd_1 is set;
-- only positivity of hyd_pressure_out_1 is constrained, not its magnitude.
CONTRACT apply_command_1 assume : true ; guarantee : always (((brake_as_cmd_1 and hyd_pressure_in>0) iff (hyd_pressure_out_1>0))) ;
-- Output 2 is pressurised iff input pressure is present and brake_as_cmd_2 is set;
-- only positivity of hyd_pressure_out_2 is constrained, not its magnitude.
CONTRACT apply_command_2 assume : true ; guarantee : always (((brake_as_cmd_2 and hyd_pressure_in>0) iff (hyd_pressure_out_2>0))) ;
-- Output 3 is pressurised iff input pressure is present and brake_as_cmd_3 is set;
-- only positivity of hyd_pressure_out_3 is constrained, not its magnitude.
CONTRACT apply_command_3 assume : true ; guarantee : always (((brake_as_cmd_3 and hyd_pressure_in>0) iff (hyd_pressure_out_3>0))) ;
-- Output 4 is pressurised iff input pressure is present and brake_as_cmd_4 is set;
-- only positivity of hyd_pressure_out_4 is constrained, not its magnitude.
CONTRACT apply_command_4 assume : true ; guarantee : always (((brake_as_cmd_4 and hyd_pressure_in>0) iff (hyd_pressure_out_4>0))) ;
-- Output 5 is pressurised iff input pressure is present and brake_as_cmd_5 is set;
-- only positivity of hyd_pressure_out_5 is constrained, not its magnitude.
CONTRACT apply_command_5 assume : true ; guarantee : always (((brake_as_cmd_5 and hyd_pressure_in>0) iff (hyd_pressure_out_5>0))) ;
-- Output 6 is pressurised iff input pressure is present and brake_as_cmd_6 is set;
-- only positivity of hyd_pressure_out_6 is constrained, not its magnitude.
CONTRACT apply_command_6 assume : true ; guarantee : always (((brake_as_cmd_6 and hyd_pressure_in>0) iff (hyd_pressure_out_6>0))) ;
-- Output 7 is pressurised iff input pressure is present and brake_as_cmd_7 is set;
-- only positivity of hyd_pressure_out_7 is constrained, not its magnitude.
CONTRACT apply_command_7 assume : true ; guarantee : always (((brake_as_cmd_7 and hyd_pressure_in>0) iff (hyd_pressure_out_7>0))) ;
-- Output 8 is pressurised iff input pressure is present and brake_as_cmd_8 is set;
-- only positivity of hyd_pressure_out_8 is constrained, not its magnitude.
CONTRACT apply_command_8 assume : true ; guarantee : always (((brake_as_cmd_8 and hyd_pressure_in>0) iff (hyd_pressure_out_8>0))) ;
alternate_sys
Component description:
Name
Type
Notes
alternate_sys
AlternateBrakeSystem
Input ports:
Name
Type
Range
hyd_pressure_in
int
[0, 10]
mechanical_pedal_pos_L
boolean
mechanical_pedal_pos_R
boolean
as_cmd_pair_1_5
boolean
as_cmd_pair_2_6
boolean
as_cmd_pair_3_7
boolean
as_cmd_pair_4_8
boolean
Output ports:
Name
Type
Range
hyd_pressure_out_1
int
[0, 10]
hyd_pressure_out_2
int
[0, 10]
hyd_pressure_out_3
int
[0, 10]
hyd_pressure_out_4
int
[0, 10]
Contracts:
--The pressure outgoing from each port of the system is greater than zero if and only if:
-- a hydraulic pressure is present at the input
-- and the assigned mechanical pedal is pressed
-- and there is no anti skid command for the pairs of wheels
-- Pair 1_5 output: pressurised iff the left pedal is pressed, no anti-skid command is
-- present on pair 1_5 and input pressure is present; only positivity is constrained.
CONTRACT apply_command_1 assume : true ; guarantee : always (((mechanical_pedal_pos_L and not as_cmd_pair_1_5 and hyd_pressure_in>0) iff (hyd_pressure_out_1>0))) ;
-- Pair 2_6 output: pressurised iff the left pedal is pressed, no anti-skid command is
-- present on pair 2_6 and input pressure is present; only positivity is constrained.
CONTRACT apply_command_2 assume : true ; guarantee : always (((mechanical_pedal_pos_L and not as_cmd_pair_2_6 and hyd_pressure_in>0) iff (hyd_pressure_out_2>0))) ;
-- Pair 3_7 output: pressurised iff the right pedal is pressed, no anti-skid command is
-- present on pair 3_7 and input pressure is present; only positivity is constrained.
CONTRACT apply_command_3 assume : true ; guarantee : always (((mechanical_pedal_pos_R and not as_cmd_pair_3_7 and hyd_pressure_in>0) iff (hyd_pressure_out_3>0))) ;
-- Pair 4_8 output: pressurised iff the right pedal is pressed, no anti-skid command is
-- present on pair 4_8 and input pressure is present; only positivity is constrained.
CONTRACT apply_command_4 assume : true ; guarantee : always (((mechanical_pedal_pos_R and not as_cmd_pair_4_8 and hyd_pressure_in>0) iff (hyd_pressure_out_4>0))) ;
wheel_brake_1
Component description:
Name
Type
Notes
wheel_brake_1
WheelBrake
Input ports:
Name
Type
Range
normal_hyd_pressure_in
int
[0, 10]
alternate_hyd_pressure_in
int
[0, 10]
Output ports:
Name
Type
Range
braking_force
int
[0, 10]
Contracts:
-- The outgoing braking force is greater than zero if and only if there is a hydraulic pressure incoming in the brake
-- NOTE: if the behavior of the fuse is defined as a cutoff pipe, the property in the guarantee must be an implication
-- Only the sign of braking_force is constrained: positive pressure on either the normal
-- or the alternate line yields braking_force>0, no pressure on both yields 0; the
-- magnitude within [0, 10] is left open.
CONTRACT supply_braking_force assume : true ; guarantee : always ((braking_force>0) iff (normal_hyd_pressure_in>0 or alternate_hyd_pressure_in>0)) ;
wheel_brake_2
Component description:
Name
Type
Notes
wheel_brake_2
WheelBrake
Input ports:
Name
Type
Range
normal_hyd_pressure_in
int
[0, 10]
alternate_hyd_pressure_in
int
[0, 10]
Output ports:
Name
Type
Range
braking_force
int
[0, 10]
Contracts:
-- The outgoing braking force is greater than zero if and only if there is a hydraulic pressure incoming in the brake
-- NOTE: if the behavior of the fuse is defined as a cutoff pipe, the property in the guarantee must be an implication
-- Only the sign of braking_force is constrained: positive pressure on either the normal
-- or the alternate line yields braking_force>0, no pressure on both yields 0; the
-- magnitude within [0, 10] is left open.
CONTRACT supply_braking_force assume : true ; guarantee : always ((braking_force>0) iff (normal_hyd_pressure_in>0 or alternate_hyd_pressure_in>0)) ;
wheel_brake_3
Component description:
Name
Type
Notes
wheel_brake_3
WheelBrake
Input ports:
Name
Type
Range
normal_hyd_pressure_in
int
[0, 10]
alternate_hyd_pressure_in
int
[0, 10]
Output ports:
Name
Type
Range
braking_force
int
[0, 10]
Contracts:
-- The outgoing braking force is greater than zero if and only if there is a hydraulic pressure incoming in the brake
-- NOTE: if the behavior of the fuse is defined as a cutoff pipe, the property in the guarantee must be an implication
-- Only the sign of braking_force is constrained: positive pressure on either the normal
-- or the alternate line yields braking_force>0, no pressure on both yields 0; the
-- magnitude within [0, 10] is left open.
CONTRACT supply_braking_force assume : true ; guarantee : always ((braking_force>0) iff (normal_hyd_pressure_in>0 or alternate_hyd_pressure_in>0)) ;
wheel_brake_4
Component description:
Name
Type
Notes
wheel_brake_4
WheelBrake
Input ports:
Name
Type
Range
normal_hyd_pressure_in
int
[0, 10]
alternate_hyd_pressure_in
int
[0, 10]
Output ports:
Name
Type
Range
braking_force
int
[0, 10]
Contracts:
-- The outgoing braking force is greater than zero if and only if there is a hydraulic pressure incoming in the brake
-- NOTE: if the behavior of the fuse is defined as a cutoff pipe, the property in the guarantee must be an implication
-- Only the sign of braking_force is constrained: positive pressure on either the normal
-- or the alternate line yields braking_force>0, no pressure on both yields 0; the
-- magnitude within [0, 10] is left open.
CONTRACT supply_braking_force assume : true ; guarantee : always ((braking_force>0) iff (normal_hyd_pressure_in>0 or alternate_hyd_pressure_in>0)) ;
wheel_brake_5
Component description:
Name
Type
Notes
wheel_brake_5
WheelBrake
Input ports:
Name
Type
Range
normal_hyd_pressure_in
int
[0, 10]
alternate_hyd_pressure_in
int
[0, 10]
Output ports:
Name
Type
Range
braking_force
int
[0, 10]
Contracts:
-- The outgoing braking force is greater than zero if and only if there is a hydraulic pressure incoming in the brake
-- NOTE: if the behavior of the fuse is defined as a cutoff pipe, the property in the guarantee must be an implication
-- Only the sign of braking_force is constrained: positive pressure on either the normal
-- or the alternate line yields braking_force>0, no pressure on both yields 0; the
-- magnitude within [0, 10] is left open.
CONTRACT supply_braking_force assume : true ; guarantee : always ((braking_force>0) iff (normal_hyd_pressure_in>0 or alternate_hyd_pressure_in>0)) ;
wheel_brake_6
Component description:
Name
Type
Notes
wheel_brake_6
WheelBrake
Input ports:
Name
Type
Range
normal_hyd_pressure_in
int
[0, 10]
alternate_hyd_pressure_in
int
[0, 10]
Output ports:
Name
Type
Range
braking_force
int
[0, 10]
Contracts:
-- The outgoing braking force is greater than zero if and only if there is a hydraulic pressure incoming in the brake
-- NOTE: if the behavior of the fuse is defined as a cutoff pipe, the property in the guarantee must be an implication
-- Only the sign of braking_force is constrained: positive pressure on either the normal
-- or the alternate line yields braking_force>0, no pressure on both yields 0; the
-- magnitude within [0, 10] is left open.
CONTRACT supply_braking_force assume : true ; guarantee : always ((braking_force>0) iff (normal_hyd_pressure_in>0 or alternate_hyd_pressure_in>0)) ;
wheel_brake_7
Component description:
Name
Type
Notes
wheel_brake_7
WheelBrake
Input ports:
Name
Type
Range
normal_hyd_pressure_in
int
[0, 10]
alternate_hyd_pressure_in
int
[0, 10]
Output ports:
Name
Type
Range
braking_force
int
[0, 10]
Contracts:
-- The outgoing braking force is greater than zero if and only if there is a hydraulic pressure incoming in the brake
-- NOTE: if the behavior of the fuse is defined as a cutoff pipe, the property in the guarantee must be an implication
-- Only the sign of braking_force is constrained: positive pressure on either the normal
-- or the alternate line yields braking_force>0, no pressure on both yields 0; the
-- magnitude within [0, 10] is left open.
CONTRACT supply_braking_force assume : true ; guarantee : always ((braking_force>0) iff (normal_hyd_pressure_in>0 or alternate_hyd_pressure_in>0)) ;
wheel_brake_8
Component description:
Name
Type
Notes
wheel_brake_8
WheelBrake
Input ports:
Name
Type
Range
normal_hyd_pressure_in
int
[0, 10]
alternate_hyd_pressure_in
int
[0, 10]
Output ports:
Name
Type
Range
braking_force
int
[0, 10]
Contracts:
-- The outgoing braking force is greater than zero if and only if there is a hydraulic pressure incoming in the brake
-- NOTE: if the behavior of the fuse is defined as a cutoff pipe, the property in the guarantee must be an implication
-- Only the sign of braking_force is constrained: positive pressure on either the normal
-- or the alternate line yields braking_force>0, no pressure on both yields 0; the
-- magnitude within [0, 10] is left open.
CONTRACT supply_braking_force assume : true ; guarantee : always ((braking_force>0) iff (normal_hyd_pressure_in>0 or alternate_hyd_pressure_in>0)) ;