Tech Days 2015: Ada 2012 and SPARK, Crazyflie and Railway demos

Post on 12-Apr-2017


Ada 2012 and SPARK Crazyflie and Railway demos

Eric Perlade, 2015/10/01

CrazyFlie 2.0
• 27g ready-to-fly drone
• Ideal for indoor use
• Android and iOS app (Bluetooth LE)
• Python client using a radio dongle
• Based on STM32F4 (ARM Cortex M4) and NRF5181 (radio chip)
• Firmware entirely written in C
• 5900 lines of code (not including drivers, HAL and external libs)
• Based on FreeRTOS (tasking)

Why?
• Drone security and safety are becoming an important issue
• A stricter certification regime for drones is coming in Europe
• AdaCore is partnering with Squadrone Systems to build an open-source certifiable drone in Ada/SPARK
• This demo will show the feasibility of that project

First Steps … towards safety
Q1) What code parts are the most critical in a drone firmware?
Answer: the parts related to the stabilization system
Action Items:
– Re-implementing the stabilization system in SPARK 2014
– Proving absence of runtime errors

Stabilization system

Issues with the original source code
• The C code was not designed to be formally proved
• The stabilization system in C uses C predefined types (float, int, etc.)
• Absence of runtime errors can't be proved on calculations with such general types
• Example:

    float calculateError(float measured, float desired) {
        return desired - measured;
    } // Will cause an obvious overflow if called with
      // FLT_MIN and FLT_MAX…

Solution with SPARK 2014
• Each module of the stabilization system transformed into a SPARK package
• Use of constrained types and subtypes (e.g. defining a type T_Angle instead of using the general Ada type Float)
• Genericity for sharing code
• Insert saturation when needed

Result
• Proof of absence of runtime errors on every package
• Discovery of one bug related to overflows, corrected by the Bitcraze team later
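The following is an added example, not code from the slides or from the Crazyflie firmware, showing what the three solution points look like in a SPARK 2014 package: a constrained subtype replaces Float, the contract on the error calculation makes the range check provable, and a saturation function keeps a command inside its subtype. The package and subprogram names, the angle and thrust bounds, and the postconditions are assumptions chosen for illustration.

```ada
--  Added example, not from the Crazyflie firmware. Names and bounds are
--  assumptions for illustration.
package Stabilizer_Types with SPARK_Mode is

   --  Constrained subtype instead of the general type Float: an angle in
   --  degrees. A value outside this range is a run-time error, and GNATprove
   --  must show it cannot happen at any call site.
   subtype T_Angle is Float range -180.0 .. 180.0;

   --  Difference of two angles. The bounds follow from T_Angle, so the
   --  subtraction in the body is provably free of overflow and range errors,
   --  unlike the C version operating on unbounded float.
   subtype T_Angle_Error is Float range -360.0 .. 360.0;

   --  A normalized thrust command; saturation keeps raw values in range.
   subtype T_Thrust is Float range 0.0 .. 1.0;

   function Calculate_Error (Measured, Desired : T_Angle) return T_Angle_Error
     with Post => Calculate_Error'Result = Desired - Measured;

   --  Saturation: any Float is mapped into the thrust range. The contract
   --  states exactly what callers may rely on.
   function Saturate_Thrust (Raw : Float) return T_Thrust
     with Post =>
       (if Raw < T_Thrust'First then Saturate_Thrust'Result = T_Thrust'First
        elsif Raw > T_Thrust'Last then Saturate_Thrust'Result = T_Thrust'Last
        else Saturate_Thrust'Result = Raw);

end Stabilizer_Types;

package body Stabilizer_Types with SPARK_Mode is

   function Calculate_Error (Measured, Desired : T_Angle) return T_Angle_Error
   is
   begin
      --  Both operands lie in -180.0 .. 180.0, so the result lies in
      --  -360.0 .. 360.0: the range check on the return is discharged by proof.
      return Desired - Measured;
   end Calculate_Error;

   function Saturate_Thrust (Raw : Float) return T_Thrust is
   begin
      if Raw < T_Thrust'First then
         return T_Thrust'First;
      elsif Raw > T_Thrust'Last then
         return T_Thrust'Last;
      else
         return Raw;
      end if;
   end Saturate_Thrust;

end Stabilizer_Types;
```

Save the two units with gnatchop (which splits a file into one file per compilation unit) and run GNATprove on a project that includes them; the point of the example is that no run-time check in Calculate_Error or Saturate_Thrust is left unproved, whereas the same subtraction on plain Float cannot be shown overflow-free.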

Next Steps … towards more safety
Q2) What code parts are critical in a drone firmware?
Answer: the whole firmware!
Action Items: Re-implementing the whole firmware in Ada 2012 and SPARK
• Replacing the OS by the Ravenscar runtime
• Rewriting the other modules and drivers

SPARK 2014 and C (firmware layers after the first step)
• SPARK 2014: Stabilization System
• High-Level C code: Communication System
• Low-Level C code: FreeRTOS, ST peripheral Drivers, Crazyflie Drivers (sensors, actuators)

Runtime and Drivers
• Replace FreeRTOS by a Ravenscar-based runtime targeting the STM32F4
• Replace all the FreeRTOS tasks using the Ravenscar tasking model (tasks, protected objects)
• Rewrite the Crazyflie drivers using the ST Peripheral Drivers in Ada
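As an added example, not code from the slides or from the Ada Crazyflie firmware, here is the shape a FreeRTOS sampling task takes once moved to the Ravenscar tasking model: a library-level task paced with delay until, publishing its readings through a protected object instead of a queue or mutex. The package and subprogram names, the priorities, the 2 ms period and the simulated sensor source are assumptions; on the board the sensor call would be the Ada driver written over the ST peripheral drivers.

```ada
--  Added example, not from the Crazyflie firmware. Names, priorities and
--  the sampling period are assumptions.
pragma Profile (Ravenscar);

with Ada.Real_Time; use Ada.Real_Time;

package Sensor_Sampling is

   --  Shared state between tasks: a protected object replaces the FreeRTOS
   --  queue or mutex. Under Ravenscar it carries a ceiling priority, and its
   --  operations are short and never block.
   protected Latest_Reading with Priority => 12 is
      procedure Set (Value : Float);
      function Get return Float;
   private
      Reading : Float := 0.0;
   end Latest_Reading;

   --  Library-level periodic task: the Ravenscar counterpart of a FreeRTOS
   --  task created with xTaskCreate and paced with vTaskDelayUntil.
   task Sampler with Priority => 10;

   --  What the stabilization code calls to obtain the most recent sample.
   function Current_Acceleration return Float;

end Sensor_Sampling;

package body Sensor_Sampling is

   protected body Latest_Reading is
      procedure Set (Value : Float) is
      begin
         Reading := Value;
      end Set;

      function Get return Float is
      begin
         return Reading;
      end Get;
   end Latest_Reading;

   function Current_Acceleration return Float is (Latest_Reading.Get);

   --  Hypothetical stand-in for the accelerometer driver: it produces a
   --  ramp so the example runs on a host without the IMU. Only the Sampler
   --  task touches Sim_Value, so it needs no protection.
   Sim_Value : Float := 0.0;

   procedure Read_Accelerometer (Value : out Float) is
   begin
      Sim_Value := Sim_Value + 0.1;
      Value     := Sim_Value;
   end Read_Accelerometer;

   task body Sampler is
      Period : constant Time_Span := Milliseconds (2);  --  500 Hz (assumption)
      Next   : Time := Clock;
      Sample : Float;
   begin
      loop
         Read_Accelerometer (Sample);
         Latest_Reading.Set (Sample);
         Next := Next + Period;
         delay until Next;  --  the only delay statement Ravenscar permits
      end loop;
   end Sampler;

end Sensor_Sampling;
```

The restrictions that make Ravenscar analysable are visible here: the task is declared at library level and never terminates, the protected object has no entry and does no blocking work, and the only timing primitive is an absolute delay, so the worst-case schedule can be computed instead of measured.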

SPARK 2014, Ada 2012 and no C (firmware layers after the second step)
• SPARK 2014: Stabilization System
• High-Level Ada 2012 code: Communication System
• Low-Level Ada 2012 code: Ravenscar RT, ST peripheral Drivers, Crazyflie Drivers (sensors, actuators)

Goal achieved?
• Crazyflie with a 100% Ada and SPARK firmware in 5 months, without any previous Ada or formal methods experience
• But still not easy to pilot

One last question: what code part would be critical in a drone firmware?
Answer: A secret recovery feature
Action Item: Implementing free fall recovery mode

Free Fall detection
(plot: acceleration when placed on a flat surface vs. when free-fall is detected)

Recovery and Landing
• Set desired angles to 0.0 for roll and pitch
• High thrust applied after a free-fall
• Thrust slowly decreased until a minimum that permits the drone to land properly
• Calculate the acceleration variance when the drone is in the descending phase
• If the variance is high, the drone has landed and recovery is over!
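The detection and recovery steps above, written as an added SPARK example that is not the firmware's own code: a window of accelerometer samples, a free-fall predicate, the variance used during descent, and a state machine that applies the high thrust, decays it to a floor, and declares touchdown when the variance rises. The free-fall criterion (acceleration magnitude near zero over the whole window), the thresholds, the window size and the decay step are assumptions; the slides give the sequence, not the numbers.

```ada
--  Added example, not from the Crazyflie firmware. Thresholds, window size
--  and decay step are assumptions chosen for illustration.
package Free_Fall with SPARK_Mode is

   subtype T_Accel  is Float range -100.0 .. 100.0;  --  m/s^2, bounded (assumption)
   subtype T_Thrust is Float range 0.0 .. 1.0;
   subtype T_Angle  is Float range -180.0 .. 180.0;

   Window : constant := 16;
   type Sample_Index is range 1 .. Window;
   type Accel_Window is array (Sample_Index) of T_Accel;

   --  Assumption: a magnitude this close to zero over the window means falling.
   Free_Fall_Limit : constant T_Accel := 1.5;
   --  Assumption: a variance above this during descent means we touched down.
   Landed_Variance : constant Float := 4.0;

   Recovery_Thrust : constant T_Thrust := 0.9;   --  burst right after the fall
   Minimum_Thrust  : constant T_Thrust := 0.3;   --  floor that still lands softly
   Decay_Step      : constant T_Thrust := 0.01;

   --  Desired angles during recovery, as the slides state.
   Recovery_Roll  : constant T_Angle := 0.0;
   Recovery_Pitch : constant T_Angle := 0.0;

   type Phase is (Flying, Falling, Descending, Landed);

   function Is_Free_Fall (W : Accel_Window) return Boolean is
     (for all I in Sample_Index => abs W (I) < Free_Fall_Limit);

   function Mean (W : Accel_Window) return Float
     with Post => Mean'Result in T_Accel'First .. T_Accel'Last;

   function Variance (W : Accel_Window) return Float
     with Post => Variance'Result >= 0.0;

   --  One control step. The contract captures the landing rule: while
   --  descending the thrust never drops below the floor.
   procedure Step (W : Accel_Window; P : in out Phase; Thrust : in out T_Thrust)
     with Pre  => (if P in Falling | Descending then Thrust >= Minimum_Thrust),
          Post => (if P = Descending then Thrust >= Minimum_Thrust);

end Free_Fall;

package body Free_Fall with SPARK_Mode is

   function Mean (W : Accel_Window) return Float is
      Sum : Float := 0.0;
   begin
      for I in Sample_Index loop
         --  Bounds the partial sum so the additions are provably overflow-free
         pragma Loop_Invariant (abs Sum <= Float (I - 1) * T_Accel'Last);
         Sum := Sum + W (I);
      end loop;
      return Sum / Float (Window);
   end Mean;

   function Variance (W : Accel_Window) return Float is
      M   : constant Float := Mean (W);
      Sum : Float := 0.0;
   begin
      for I in Sample_Index loop
         pragma Loop_Invariant (Sum >= 0.0 and Sum <= Float (I - 1) * 40_000.0);
         Sum := Sum + (W (I) - M) ** 2;
      end loop;
      return Sum / Float (Window);
   end Variance;

   procedure Step (W : Accel_Window; P : in out Phase; Thrust : in out T_Thrust)
   is
   begin
      case P is
         when Flying =>
            if Is_Free_Fall (W) then
               P      := Falling;
               Thrust := Recovery_Thrust;   --  high thrust applied after the fall
            end if;
         when Falling =>
            P := Descending;                --  burst delivered, start the slow descent
         when Descending =>
            if Variance (W) > Landed_Variance then
               P := Landed;                 --  touchdown shakes the IMU: recovery is over
            elsif Thrust - Decay_Step >= Minimum_Thrust then
               Thrust := Thrust - Decay_Step;
            else
               Thrust := Minimum_Thrust;
            end if;
         when Landed =>
            Thrust := T_Thrust'First;
      end case;
   end Step;

end Free_Fall;
```

The precondition on Step is what makes the postcondition provable: the only way into Descending is from Falling, and a caller in that phase is obliged to hand over a thrust already at or above the floor, so GNATprove can show the floor is never undercut on the way down.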

Real life validation
Action Item: Dropping the flie

Railway safe signaling Demo

Why?
• To prove the absence of collision using SPARK 2014
• To get closer to the customer experience
• And mainly to play with our new Raspberry Pi 2 port!

Hardware
• Electrical railway modelling kit
• On/off power relay to control trains
• Hall effect sensors to detect trains
• Turnout motors to control switches
• Raspberry Pi 2

One way track model (slide animation)
• Controlled section: power On/Off
• Uncontrolled section: always on
• Sensor: detects the train
Animation steps: Slow train coming → Slow train going on → Slow train detected → Slow train still going → Slow train detected again → Slow train going away

Turnout: the tricky part

Railway layout

Software design (with SPARK_Mode)
• Signaling Manager (protected object)
• Sensor monitoring (task)
• SDL Graphical Interface (task)
• Train Simulator (task)
• HW interface: Raspberry Pi 2 GPIO

SPARK proof
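To show what "prove the absence of collision" means in practice, here is an added SPARK example, not the demo's source: the signaling rule for the controlled sections as a package whose postcondition is the no-collision property, so that GNATprove proves every granted move preserves it. The section and train counts, the names, and the relay mapping are assumptions; the demo's signaling manager is a protected object, which this plain package stands in for.

```ada
--  Added example, not from the railway demo. Section and train counts and
--  all names are assumptions for illustration.
package Signaling with SPARK_Mode is

   --  Controlled sections have a switchable power relay; uncontrolled
   --  sections are always powered and are not part of the occupancy model.
   type Section_Id is range 1 .. 4;
   type Train_Id   is range 1 .. 2;
   type Positions  is array (Train_Id) of Section_Id;

   type Relay is (Off, On);

   --  Safety property: no two trains in the same controlled section.
   function No_Collision (Pos : Positions) return Boolean is
     (for all A in Train_Id =>
        (for all B in Train_Id => (if A /= B then Pos (A) /= Pos (B))));

   --  Called when a sensor reports Train at the boundary of Target. The move
   --  is granted only if the property above still holds afterwards; if it is
   --  refused, nothing changes and the train's section stays unpowered.
   procedure Request_Move
     (Pos     : in out Positions;
      Train   : Train_Id;
      Target  : Section_Id;
      Granted : out Boolean)
     with Pre  => No_Collision (Pos),
          Post => No_Collision (Pos)
                  and then (if Granted then Pos (Train) = Target
                            else Pos = Pos'Old);

   --  Relay command the HW interface layer writes to the GPIO for Target.
   function Relay_For (Granted : Boolean) return Relay is
     (if Granted then On else Off);

end Signaling;

package body Signaling with SPARK_Mode is

   procedure Request_Move
     (Pos     : in out Positions;
      Train   : Train_Id;
      Target  : Section_Id;
      Granted : out Boolean)
   is
   begin
      --  Power stays off until the target section is free of every other
      --  train; this check is exactly what the postcondition needs.
      Granted := (for all T in Train_Id =>
                    (if T /= Train then Pos (T) /= Target));
      if Granted then
         Pos (Train) := Target;
      end if;
   end Request_Move;

end Signaling;
```

The proof is by cases on Granted: when the move is refused, Pos is unchanged and the precondition carries the property through; when it is granted, the quantified check just evaluated says no other train is at Target, so placing Train there cannot create a shared section. The turnout adds a second condition to that check in the real demo, which the slides describe as the tricky part.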

Real life validation
Action Item: Dropping the train

Conclusion
• It works!
• Ada 2012 mixed with SPARK 2014 is ready for the industry
• Easy-to-access and easy-to-learn technology
• Demo sources will be available on GitHub
• Have a look at AdaCore University: http://university.adacore.com/
