ISO/IEC TR 15942:2000

1 Scope

This Technical Report provides guidance on the use of Ada when producing high integrity systems. In producing such

applications it is usually the case that adherence to guidelines or standards has to be demonstrated to independent bodies.

These guidelines or standards vary according to the application area, industrial sector or nature of the risk involved.

For safety applications, the international generic standard is [IEC 61508] of which part 3 is concerned with software.

For security systems, the multi-national generic assessment guide is [ISO CD 15408].

For sector-specific guidance and standards there are:

Airborne civil avionics: [DO-178B]

Nuclear power plants: [IEC 880]

Medical systems: [IEC 601-4]

Pharmaceutical: [GAMP]

For national/regional guidance and standards there are the following:

UK Defence: [DS 00-55]

European rail: [EN 50128]

European security: [ITSEC]

US nuclear: [NRC]

UK automotive: [MISRA]

US medical: [FDA]

US space: [NASA]

The above standards and guides are referred to as Standards in this Technical Report. The above list is not exhaustive but

indicative of the type of Standard to which this Technical Report provides guidance.

The specific Standards above are not addressed individually but this Technical Report is synthesized from an analysis of their

requirements and recommendations.

1.1 Within the scope

This Technical Report assumes that a system is being developed in Ada to meet a standard listed above or one of a similar

nature. The primary goal of this Technical Report is to translate general requirements into Ada specific ones. For example, a

general standard might require that dynamic testing provides evidence of the execution of all the statements in the code of the

application. In the case of generics, this is interpreted by this Technical Report to mean all instantiations of the generic should

be executed.

ISO/IEC TR 15942:2000 (E)

2 © ISO/IEC 2000 - All rights reserved

This Technical Report is intended to provide guidance only, and hence there are no ?shalls'. However, this Technical Report

identifies verification and validation issues which should be resolved and documented according to the sector-specific

standards being employed.

The following topics are within the scope of this Technical Report:

_ the choice of features of the language which aid verification and compliance to the standards,

_ identification of language features requiring additional verification steps,

_ the use of tools to aid design and verification,

_ issues concerning qualification of compilers for use on high integrity applications,

_ tools, such as graphic design tools, which generate Ada source code which is accessible to users.

Tools which generate Ada source code require special consideration. Where generated code may be modified or extended,

verification of the extensions and overall system will be assisted if the guidelines have been taken into account. Even where

modification is not planned, inspection and analysis of the generated code may be unavoidable unless the generator is trusted or

?qualified' according to an applicable standard. Finally, even if generated code is neither modified nor inspected, the overall

verification process may be made more complicated if the code deviates from guidelines intended to facilitate testing and

analysis. Potential users of such tools should evaluate their code generation against the guidance provided in this Technical

Report.

1.2 Out of scope

The following topics are considered to be out of scope with respect to this Technical Report:

_ Domain-specific standards,

_ Application-specific issues,

_ Hardware and system-specific issues,

_ Human factor