1范围 本技术报告为生产高完整性系统时使用Ada提供了指导。在生产这种 应用通常情况下，必须向独立机构证明遵守指南或标准。 这些指南或标准根据应用领域、工业部门或所涉及风险的性质而有所不同。 对于安全应用，国际通用标准是【IEC 61508】，其中第3部分涉及软件。 对于安全系统，多国通用评估指南是【ISO CD 15408】。 对于特定行业的指南和标准，有: 机载民用航空电子设备:[DO-178B] 核电厂:[IEC 880] 医疗系统:[IEC 601-4] 制药:[GAMP] 国家/地区指南和标准如下:英国国防:[DS 00-55] 欧洲铁路:[EN 50128] 欧洲安全:[ITSEC] 美核:[NRC] 英国汽车:[米斯拉] 美国医疗:[FDA] 美国太空:[NASA] 上述标准和指南在本技术报告中简称为标准。上述清单并非详尽无遗，但 指示本技术报告提供指导的标准类型。 上述具体标准没有单独讨论，但本技术报告是根据对其标准的分析综合而成的 要求和建议。 1.1范围内 本技术报告假设正在Ada中开发一个系统，以满足上述标准或类似标准之一 自然。本技术报告的主要目标是将一般需求转化为Ada特定需求。例如，一个 一般标准可能要求动态测试提供代码中所有语句执行的证据 应用。在泛型的情况下，本技术报告将其解释为泛型的所有实例化都应 被处死。 ISO/IEC TR 15942:2000(E) 2？ISO/IEC 2000-版权所有 本技术报告仅提供指导，因此没有？沙尔斯的。然而，本技术报告 确定应根据特定部门解决和记录的验证和确认问题 正在采用的标准。 以下主题属于本技术报告的范围: 选择有助于验证和遵守标准的语言特征， _需要附加验证步骤的语言特征的识别， _使用工具辅助设计和验证， _关于编译器在高完整性应用程序上使用的资格问题， _生成用户可访问的Ada源代码的工具，如图形设计工具。 生成Ada源代码的工具需要特别考虑。在生成的代码可以被修改或扩展的情况下， 如果考虑到指南，将有助于对扩展和整个系统的验证。甚至在哪里 修改不是计划的，对生成代码的检查和分析可能是不可避免的，除非生成器是可信的或 ？根据适用标准“合格”。最后，即使生成的代码既没有被修改也没有被检查，整个 如果代码偏离了旨在促进测试和 分析。这些工具的潜在用户应该根据本技术中提供的指导来评估他们的代码生成 报告。 1.2超出范围 以下主题被认为超出了本技术报告的范围: _特定领域的标准， _特定于应用程序的问题， _硬件和系统特定问题， _人为因素

1 Scope This Technical Report provides guidance on the use of Ada when producing high integrity systems. In producing such applications it is usually the case that adherence to guidelines or standards has to be demonstrated to independent bodies. These guidelines or standards vary according to the application area, industrial sector or nature of the risk involved. For safety applications, the international generic standard is [IEC 61508] of which part 3 is concerned with software. For security systems, the multi-national generic assessment guide is [ISO CD 15408]. For sector-specific guidance and standards there are: Airborne civil avionics: [DO-178B] Nuclear power plants: [IEC 880] Medical systems: [IEC 601-4] Pharmaceutical: [GAMP] For national/regional guidance and standards there are the following: UK Defence: [DS 00-55] European rail: [EN 50128] European security: [ITSEC] US nuclear: [NRC] UK automotive: [MISRA] US medical: [FDA] US space: [NASA] The above standards and guides are referred to as Standards in this Technical Report. The above list is not exhaustive but indicative of the type of Standard to which this Technical Report provides guidance. The specific Standards above are not addressed individually but this Technical Report is synthesized from an analysis of their requirements and recommendations. 1.1 Within the scope This Technical Report assumes that a system is being developed in Ada to meet a standard listed above or one of a similar nature. The primary goal of this Technical Report is to translate general requirements into Ada specific ones. For example, a general standard might require that dynamic testing provides evidence of the execution of all the statements in the code of the application. In the case of generics, this is interpreted by this Technical Report to mean all instantiations of the generic should be executed. ISO/IEC TR 15942:2000 (E) 2 ？ ISO/IEC 2000 - All rights reserved This Technical Report is intended to provide guidance only, and hence there are no?shalls'. However, this Technical Report identifies verification and validation issues which should be resolved and documented according to the sector-specific standards being employed. The following topics are within the scope of this Technical Report: _ the choice of features of the language which aid verification and compliance to the standards, _ identification of language features requiring additional verification steps, _ the use of tools to aid design and verification, _ issues concerning qualification of compilers for use on high integrity applications, _ tools, such as graphic design tools, which generate Ada source code which is accessible to users. Tools which generate Ada source code require special consideration. Where generated code may be modified or extended, verification of the extensions and overall system will be assisted if the guidelines have been taken into account. Even where modification is not planned, inspection and analysis of the generated code may be unavoidable unless the generator is trusted or ?qualified' according to an applicable standard. Finally, even if generated code is neither modified nor inspected, the overall verification process may be made more complicated if the code deviates from guidelines intended to facilitate testing and analysis. Potential users of such tools should evaluate their code generation against the guidance provided in this Technical Report. 1.2 Out of scope The following topics are considered to be out of scope with respect to this Technical Report: _ Domain-specific standards, _ Application-specific issues, _ Hardware and system-specific issues, _ Human factor