• BS ISO/IEC TR 15942:2000

    Status: Current (the latest, up-to-date edition)

    Information technology. Programming languages. Guide for the use of the Ada programming language in high integrity systems

    Available format(s):  Hardcopy, PDF

    Language(s):  English

    Published date:  15-12-2000

    Publisher:  British Standards Institution


    Table of Contents

    1 Scope
    1.1 Within the scope
    1.2 Out of scope
    2 Verification techniques
    2.1 Traceability
    2.2 Reviews
    2.3 Analysis
    2.3.1 Control flow analysis
    2.3.2 Data flow analysis
    2.3.3 Information flow analysis
    2.3.4 Symbolic execution
    2.3.5 Formal code verification
    2.3.6 Range checking
    2.3.7 Stack usage analysis
    2.3.8 Timing analysis
    2.3.9 Other memory usage analysis
    2.3.10 Object code analysis
    2.4 Testing
    2.4.1 Principles
    2.4.2 Requirements-based testing
    2.4.3 Structure-based testing
    2.5 Use of verification techniques in this technical report
    3 General language issues
    3.1 Writing verifiable programs
    3.1.1 Language rules to achieve predictability
    3.1.2 Language rules to allow modelling
    3.1.3 Language rules to facilitate testing
    3.1.4 Pragmatic considerations
    3.1.5 Language enhancements
    3.2 The choice of language
    4 Significance of language features for high integrity
    4.1 Criteria for assessment of language features
    4.2 How to use this technical report
    5 Assessment of language features
    5.1 Types with static attributes
    5.1.1 Evaluation
    5.1.2 Notes
    5.1.3 Guidance
    5.2 Declarations
    5.2.1 Evaluation
    5.2.2 Notes
    5.2.3 Guidance
    5.3 Names, including scope and visibility
    5.3.1 Evaluation
    5.3.2 Notes
    5.3.3 Guidance
    5.4 Expressions
    5.4.1 Evaluation
    5.4.2 Notes
    5.4.3 Guidance
    5.5 Statements
    5.5.1 Evaluation
    5.5.2 Notes
    5.5.3 Guidance
    5.6 Subprograms
    5.6.1 Evaluation
    5.6.2 Notes
    5.6.3 Guidance
    5.7 Packages (child and library)
    5.7.1 Evaluation
    5.7.2 Notes
    5.7.3 Guidance
    5.8 Arithmetic types
    5.8.1 Evaluation
    5.8.2 Notes
    5.8.3 Guidance
    5.9 Low level and interfacing
    5.9.1 Evaluation
    5.9.2 Notes
    5.9.3 Guidance
    5.10 Generics
    5.10.1 Evaluation
    5.10.2 Notes
    5.10.3 Guidance
    5.11 Access types and types with dynamic attributes
    5.11.1 Evaluation
    5.11.2 Notes
    5.11.3 Guidance
    5.12 Exceptions
    5.12.1 Evaluation
    5.12.2 Notes
    5.12.3 Guidance
    5.13 Tasking
    5.13.1 Evaluation
    5.13.2 Notes
    5.13.3 Guidance
    5.14 Distribution
    5.14.1 Evaluation
    5.14.2 Notes
    5.14.3 Guidance
    6 Compilers and run-time systems
    6.1 Language issues
    6.2 Compiler qualification
    6.3 Run-time system
    7 References
    7.1 Applicable documents
    7.2 Referenced documents

    Abstract

    Gives a guide on the use of Ada when producing high integrity systems. It is usually the case when producing such applications that adherence to guidelines or standards has to be demonstrated to independent bodies. These guidelines vary according to the application area, nature of the risk involved or industrial sector.

    Scope

    This Technical Report provides guidance on the use of Ada when producing high integrity systems. In producing such applications it is usually the case that adherence to guidelines or standards has to be demonstrated to independent bodies. These guidelines or standards vary according to the application area, industrial sector or nature of the risk involved.

    For safety applications, the international generic standard is [IEC61508], of which part 3 is concerned with software. For security systems, the multi-national generic assessment guide is [ISO CD 15408].

    For sector-specific guidance and standards there are:
    Airborne civil avionics: [DO-178B]
    Nuclear power plants: [IEC880]
    Medical systems: [IEC601-4]
    Pharmaceutical: [GAMP]

    For national/regional guidance and standards there are the following:
    UK Defence: [DS 00-55]
    European rail: [EN50128]
    European security: [ITSEC]
    US nuclear: [NRC]
    UK automotive: [MISRA]
    US medical: [FDA]
    US space: [NASA]

    The above standards and guides are referred to as Standards in this Technical Report. The above list is not exhaustive but indicative of the type of Standard to which this Technical Report provides guidance. The specific Standards above are not addressed individually; this Technical Report is synthesized from an analysis of their requirements and recommendations.

    1.1 Within the scope

    This Technical Report assumes that a system is being developed in Ada to meet a standard listed above or one of a similar nature. The primary goal of this Technical Report is to translate general requirements into Ada-specific ones. For example, a general standard might require that dynamic testing provides evidence of the execution of all the statements in the code of the application. In the case of generics, this is interpreted by this Technical Report to mean that all instantiations of the generic should be executed. This Technical Report is intended to provide guidance only, and hence there are no 'shalls'. However, this Technical Report identifies verification and validation issues which should be resolved and documented according to the sector-specific standards being employed.

    The following topics are within the scope of this Technical Report:
    the choice of features of the language which aid verification and compliance to the standards,
    identification of language features requiring additional verification steps,
    the use of tools to aid design and verification,
    issues concerning qualification of compilers for use on high integrity applications,
    tools, such as graphic design tools, which generate Ada source code which is accessible to users.

    Tools which generate Ada source code require special consideration. Where generated code may be modified or extended, verification of the extensions and of the overall system will be assisted if the guidelines have been taken into account. Even where modification is not planned, inspection and analysis of the generated code may be unavoidable unless the generator is trusted or 'qualified' according to an applicable standard. Finally, even if generated code is neither modified nor inspected, the overall verification process may be made more complicated if the code deviates from guidelines intended to facilitate testing and analysis. Potential users of such tools should evaluate their code generation against the guidance provided in this Technical Report.

    1.2 Out of scope

    The following topics are considered to be out of scope with respect to this Technical Report:
    Domain-specific standards,
    Application-specific issues,
    Hardware and system-specific issues,
    Human factor issues in the application (as opposed to human factors in the use of the Ada language, which are in scope).
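    The generics point in 1.1 (statement coverage must be demonstrated for every instantiation, not once for the generic's source text) in an added Ada example. This is not code from the Technical Report; the Clamping generic, the Temperature and Percent types and their bounds are illustrative, and the build command assumes GNAT. Each instantiation keeps its own Executed table, so the program records which branches of the same generic body ran in each copy.

```ada
--  Added example; not code from ISO/IEC TR 15942.  It shows why statement
--  coverage of a generic must be demonstrated per instantiation: the same
--  generic source has different reachable statements for different actuals.
--  Assumes GNAT:  gnatmake generic_coverage.adb && ./generic_coverage
with Ada.Text_IO; use Ada.Text_IO;

procedure Generic_Coverage is

   --  A clamping generic whose bounds are fixed at instantiation.  Every
   --  instantiation gets its own copy of Executed, so the record of which
   --  branches ran is kept per instantiation (illustrative design).
   generic
      type Item is range <>;
      Low, High : Item;
   package Clamping is
      type Branch is (Below_Low, Above_High, In_Range);
      Executed : array (Branch) of Boolean := (others => False);
      function Clamp (X : Item) return Item;
      procedure Report (Name : String);
   end Clamping;

   package body Clamping is
      function Clamp (X : Item) return Item is
      begin
         if X < Low then
            Executed (Below_Low) := True;
            return Low;
         elsif X > High then
            Executed (Above_High) := True;
            return High;
         else
            Executed (In_Range) := True;
            return X;
         end if;
      end Clamp;

      procedure Report (Name : String) is
      begin
         Put_Line (Name & " statement coverage:");
         for B in Branch loop
            Put_Line ("   " & Branch'Image (B) & " executed: "
                      & Boolean'Image (Executed (B)));
         end loop;
      end Report;
   end Clamping;

   --  Instantiation 1: a wide signed type; every branch is reachable.
   type Temperature is range -100 .. 200;
   package Temp_Clamp is new Clamping (Temperature, Low => -40, High => 120);

   --  Instantiation 2: Low equals Percent'First, so "X < Low" is false for
   --  every Percent and the Below_Low branch can never execute in this copy.
   --  Covering it through Temp_Clamp proves nothing about Pct_Clamp.
   type Percent is range 0 .. 100;
   package Pct_Clamp is new Clamping (Percent, Low => 0, High => 90);

begin
   --  Tests that execute every statement of the generic body via Temp_Clamp.
   Put_Line (Temperature'Image (Temp_Clamp.Clamp (-60)));
   Put_Line (Temperature'Image (Temp_Clamp.Clamp (130)));
   Put_Line (Temperature'Image (Temp_Clamp.Clamp (20)));
   Temp_Clamp.Report ("Temp_Clamp");

   --  The same test intent applied to Pct_Clamp leaves Below_Low unexecuted;
   --  that instantiation needs its own justification (or a redesign).
   Put_Line (Percent'Image (Pct_Clamp.Clamp (95)));
   Put_Line (Percent'Image (Pct_Clamp.Clamp (50)));
   Pct_Clamp.Report ("Pct_Clamp");
end Generic_Coverage;
```

    Fixing the bounds as generic formal objects rather than call parameters is what makes the dead branch a property of the instantiation itself, which is the situation a per-instantiation coverage requirement is meant to expose; with bounds passed at each call, reachability would depend on the test inputs instead.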

    General Product Information

    Committee IST/5
    Document Type Standard
    Publisher British Standards Institution
    Status Current

    Standards Referencing This Book

    Note: the catalogue lists the current editions of the standards this report references; several (for example ISO/IEC 8652:2012 and IEC 61508-1:2010) postdate the report's publication in 2000, which cites the editions current at that time.

    BS 7925-2:1998 Software testing Software component testing
    ISO/IEC 15408-2:2008 Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components
    ISO/IEC 15026:1998 Information technology System and software integrity levels
    IEEE 610.12-1990 IEEE Standard Glossary of Software Engineering Terminology
    EN 50128:2011/AC:2014 RAILWAY APPLICATIONS - COMMUNICATION, SIGNALLING AND PROCESSING SYSTEMS - SOFTWARE FOR RAILWAY CONTROL AND PROTECTION SYSTEMS
    ISO/IEC 15291:1999 Information technology Programming languages Ada Semantic Interface Specification (ASIS)
    SAE ARP 4754 : 2010 GUIDELINES FOR DEVELOPMENT OF CIVIL AIRCRAFT AND SYSTEMS
    ISO 8402:1994 Quality management and quality assurance — Vocabulary
    SAE ARP 4761 : 1996 GUIDELINES AND METHODS FOR CONDUCTING THE SAFETY ASSESSMENT PROCESS ON CIVIL AIRBORNE SYSTEMS AND EQUIPMENT
    IEC 60880:2006 Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions
    BS 7925-1:1998 Software testing Vocabulary
    ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model
    IEC 61508-1:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements (see Functional Safety and IEC 61508)
    ISO/IEC 8652:2012 Information technology — Programming languages — Ada
    IEC 60601-1-4:1996+AMD1:1999 CSV Medical electrical equipment - Part 1-4: General requirements for safety - Collateral Standard: Programmable electrical medical systems