From 07eb7054055302806d3431d719473ff473ec84b5 Mon Sep 17 00:00:00 2001 From: Fabien Chouteau Date: Mon, 16 Mar 2026 18:10:04 +0100 Subject: [PATCH 01/12] First version of the space systems software booklet --- .../chapters/abbreviations.csv | 29 + .../chapters/abbreviations.rst | 11 + .../chapters/compliance-e40c.rst | 884 +++++++++++ .../chapters/compliance-q80c.rst | 432 ++++++ .../chapters/introduction.rst | 550 +++++++ .../chapters/programming.rst | 1028 +++++++++++++ .../chapters/table-dva-cwe.csv | 18 + .../table-object-coverage-vs-criticality.csv | 2 + .../table-source-coverage-vs-criticality.csv | 4 + .../chapters/table-spark-cwe.csv | 22 + ...ble-technology-e40C-compliance-summary.csv | 10 + ...ble-technology-q80c-compliance-summary.csv | 11 + .../chapters/table-verification-support.csv | 32 + .../chapters/tools.rst | 1320 +++++++++++++++++ .../conf.ini | 5 + .../images/v-diagram.png | Bin 0 -> 30601 bytes .../images/v-diagram.pptx | Bin 0 -> 45131 bytes .../index.rst | 216 +++ .../references.bib | 265 ++++ content/global.txt | 16 + content/index.rst | 1 + 21 files changed, 4856 insertions(+) create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-dva-cwe.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-object-coverage-vs-criticality.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-source-coverage-vs-criticality.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-spark-cwe.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-e40C-compliance-summary.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-q80c-compliance-summary.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-verification-support.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/conf.ini create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/images/v-diagram.png create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/images/v-diagram.pptx create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/index.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/references.bib diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.csv new file mode 100644 index 000000000..fec59f426 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.csv @@ -0,0 +1,29 @@ +Abbreviation,Expansion +API,Application Program Interface +AR,Acceptance Review +CDR,Critical Design Review +DDF,Design Definition File +DJF,Design Justification File +DRD,Document Requirements Definition +DRL,Document Requirements List +EAL,Evaluation Assurance Level +ECSS,European Cooperation for Space Standardization +ESA,European Space Agency +GCC,GNU Compiler Collection +GUI,Graphical User Interface +IDE,Integrated Development Environment +IRTAW,International Real-Time Ada Workshop +ISO,International Organization for Standardization +LSP,Liskov Substitution Principle +MF,Maintenance File +MGT,Management File +OP,Operational Plan +ORR,Operational Readiness Review +PAF,Product Assurance File +PDR,Preliminary Design Review +QR,Qualification Review +RB,Requirements Baseline +RTOS,Real-Time Operating Systems +SRR,System Requirements Review +TQL,Tool Qualification Level +TS,Technical Specification diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst new file mode 100644 index 000000000..574b84f8e --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst @@ -0,0 +1,11 @@ +.. include:: ../../../global.txt + +.. _Abbreviations: + +Abbreviations +============= + +.. csv-table:: + :file: abbreviations.csv + :header-rows: 1 + :widths: 20, 70 diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst new file mode 100644 index 000000000..b948571d0 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -0,0 +1,884 @@ +.. include:: ../../../global.txt + +.. _Compliance_with_ECSS-E-ST-40C: + +Compliance with ECSS-E-ST-40C +============================= + +The |E-ST-40C| standard is concerned with software engineering |mdash| +the principles and techniques underlying the production of code that is +reliable, safe, secure, readable, maintainable, portable and efficient. +These are the goals that drove the design of the Ada language (and its +SPARK subset), whose features assist in designing a modular and robust +system architecture and in preventing or detecting errors such as type +mismatches or buffer overruns that can arise in other languages. + +This chapter explains how Ada and SPARK, together with the relevant +AdaCore development and verification tools, can help a space software +supplier meet many of the requirements presented in |E-ST-40C|. The +section numbers in braces refer to the associated content in |E-ST-40C|. + +.. index:: single: ECSS-E-ST-40C compliance; §5.4 Software requirements and architecture engineering process + +Software requirements and architecture engineering process {§5.4} +----------------------------------------------------------------- + +Software architecture design {§5.4.3} ++++++++++++++++++++++++++++++++++++++ + +Transformation of software requirements into a software architecture {§5.4.3.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall transform the requirements for the software into an + architecture that describes the top-level structure; identifies the software + components, ensuring that all the requirements for the software item are + allocated to the software components and later refined to facilitate + detailed design; covers as a minimum hierarchy, dependency, interfaces and + operational usage for the software components; documents the process, data + and control aspects of the product; describes the architecture static + decomposition into software elements such as packages, classes or units; + describes the dynamic architecture, which involves the identification of + active objects such as threads, tasks and processes; describes the software + behavior." {§5.4.3.1a} + + * The Ada and SPARK languages (and thus the GNAT Pro Ada and SPARK Pro + toolsuites directly support this requirement. Relevant + features include packages, child libraries, subunits, private types, + tasking, and object-oriented programming (tagged types). The + :index:`GNATstub` utility (included with GNAT Pro Ada) is useful here; + it generates empty package bodies ("stubs") from a software design's + top-level API (package specs). + +Software design method {§5.4.3.2} +''''''''''''''''''''''''''''''''' + +* "The supplier shall use a method (e.g., object oriented or functional) to + produce the static and dynamic architecture including: software elements, + their interfaces and; software elements relationships." {§5.4.3.2a} + + * Ada and SPARK are methodology agnostic and fully support both + object-oriented and functional styles. + +Selection of a computational model for real-time software {§5.4.3.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The dynamic architecture design shall be described according to an + analytical computational model." {§5.4.3.3a} + + * The Ada and SPARK tasking facility supports a stylistic idiom + that is amenable to Rate Monotonic Analysis, allowing static + verification that real-time deadlines will be met. + +Description of software behavior {§5.4.3.4} +''''''''''''''''''''''''''''''''''''''''''' + +* "The software design shall also describe the behaviour of the software, + by means of description techniques using automata and scenarios." + {§5.4.3.4a} + + * Ada and SPARK are appropriate target languages for tools that support + such techniques. + +Development and documentation of the software interfaces {§5.4.3.5} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document a software preliminary design for + the interfaces external to the software item and between the software + components of the software item." {§5.4.3.5a} + + * The supplier can use the Ada / SPARK package facility to specify the + interfaces, both external and internal. The contract-based programming + features provide additional expressive power, allowing the specification + of pre- and postconditions for the subprograms comprising an interface. + +Definition of methods and tools for software intended for reuse {§5.4.3.6} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall define procedures, methods and tools for reuse, and + apply these to the software engineering processes to comply with the + reusability requirements for the software development." {§5.4.3.6a} + + * Ada and SPARK facilitate reuse via the separate compilation semantics + (which allows "bottom-up" development by reusing existing libraries) + and the generic facility (which, for example, allows a module to be + defined in a general and type-independent fashion and then instantiated + with specific types as needed). The semantics for these features + enforces safe reuse: + + * All checks that are performed within a single compilation unit are + also enforced across separate compilation boundaries. + + * A post-compilation pre-link check detects and prevents "version skew" + (building an executable where some compilation unit depends on an + obsolescent version of another unit). + + * Unlike the situation with C++ templates, a type mismatch in an Ada + generic instantiation is detected and prevented at compile time, + ensuring consistency between the instantiation and the generic unit. + +.. index:: single: ECSS-E-ST-40C compliance; §5.5 Software design and implementation engineering process + +Software design and implementation engineering process {§5.5} +------------------------------------------------------------- + +Design of software items {§5.5.2} ++++++++++++++++++++++++++++++++++ + +Detailed design of each software component {§5.5.2.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop a detailed design for each component of the + software and document it." {§5.5.2.1a} + + * Ada / SPARK features, including packages and child units, + and thus GNAT Pro for Ada and SPARK Pro, help meet + this requirement. The contract-based programming feature (e.g., + pre- and postconditions) allows the supplier to express low-level + requirements as part of the software architecture, facilitating + the low-level design of algorithms. + +* "Each software component shall be refined into lower levels containing + software units that can be coded, compiled, and tested." {§5.5.2.1b} + + * Relevant Ada / SPARK features include packages, child units, and + subunits. + +Development and documentation of the software interfaces detailed design {§5.5.2.2} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document a detailed design for the interfaces + external to the software items, between the software components, and between + the software units, in order to allow coding without requiring further + information." {§5.5.2.2a} + + * Ada / SPARK features, including packages and child units, + and thus SPARK Pro and GNAT Pro for Ada, help meet this + requirement. The contract-based programming feature (e.g., pre- and + postconditions) allows the supplier to express low-level requirements as + part of the interfaces, facilitating the implementation of algorithms. + +Production of the detailed design model {§5.5.2.3} +'''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall produce the detailed design model of the software + components defined during the software architectural design, including their + static, dynamic and behavioural aspects." {§5.5.2.3a} + + * Ada / SPARK features such as packages, child units, and contract-based + programming, and thus SPARK Pro and GNAT Pro for Ada, help meet this + requirement. + +Software detail design method {§5.5.2.4} +'''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall use a design method (e.g. object oriented or functional + method) to produce the detailed design including: software units, their + interfaces, and; (*sic*) software units relationships." {§5.5.2.4a} + + * Ada and SPARK are methodology agnostic and fully support both + object-oriented and functional styles. + +Detailed design of real-time software {§5.5.2.5} +'''''''''''''''''''''''''''''''''''''''''''''''' + +* "The dynamic design model shall be compatible with the computational model + selected during the software architectural design model" {§5.5.2.5a} + + * The Ada / SPARK tasking model allows a straightforward mapping from the + architectural design (where the system comprises a collection of tasks + that interact via protected shared resources) to the detailed design. + +* "The supplier shall document and justify all timing and synchronization + mechanisms" {§5.5.2.5b} + + * The Ada / SPARK tasking model supplies the necessary timing and + synchronization support. + +* "The supplier shall document and justify all the design mutual exclusion + mechanisms to manage access to the shared resources." {§5.5.2.5c} + + * The Ada / SPARK tasking model supplies the necessary mutual exclusion + mechanisms (protected types/objects, pragma Atomic). + The protected type/object facility prevents certain kinds of race + conditions: in state-based mutual exclusion, the state of an object + cannot change between the time that a task evaluates the state + condition and when it executes the code based on that state. + Other race conditions can be detected by the Defects and Vulnerability + Analyszer in the GNAT Static Analysis Suite. + +* "The supplier shall document and justify the use of dynamic allocation + of resources." {§5.5.2.5d} + + * Ada has a general and flexible mechanism for dynamic memory management, + including the ability of the programmer to specify the semantics of + allocation and deallocation within a storage pool. This can be used, + for example, to define a fragmentation-free strategy for memory + management with constant time for allocation and deallocation. The + latest version of SPARK includes a facility for safe pointers. + +* "The supplier shall ensure protection against problems that can be induced + by the use of dynamic allocation of resources, e.g. memory leaks." + {§5.5.2.5e} + + * Ada includes a variety of mechanisms that assist in preventing dynamic + memory management issues. + The :ada:`No_Standard_Allocators_After_Elaboration` argument to + pragma :ada:`Restrictions` produces a run-time check that detects + attempts to perform allocations from a standard storage pool after + elaboration (initialization). Depending on the program structure, + static analysis by the GNAT Static Analysis Suite's Defect and + vulnerability Analyzer may be able to determine that this check + will never fail. + +Utilization of description techniques for the software behaviour {§5.5.2.6} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The behavioural design of the software units shall be described by means + of techniques using automata and scenarios." {§5.5.2.6a} + + * Ada and SPARK are appropriate target languages for tools that support + such techniques. + +Coding and testing {§5.5.3} ++++++++++++++++++++++++++++ + +Development and documentation of the software units {§5.5.3.1} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document the following: the coding of each + software unit; the build procedures to compile and link software units" + {§5.5.3.1a} + + * The GNAT Pro project and gprbuild facility automate the build process + and prevent "version skew". + +Software unit testing {§5.5.3.2} +'''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document the test procedures and data + for testing each software unit" {§5.5.3.2a} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "The supplier shall test each software unit ensuring that it satisfies its + requirements and document the test results." {§5.5.3.2b} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "The unit test shall exercise: code using boundaries at *n-1*, *n*, *n+1* + including looping instructions *while*, *for* and tests that use + comparisons; all the messages and error cases defined in the design + document; the access of all global variables as specified in the design + document; out of range values for input data, including values that can + cause erroneous results in mathematical functions; the software at the + limits of its requirements (stress testing)." {§5.5.3.2c} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +Integration {§5.5.4} +++++++++++++++++++++ + +Software units and software component integration and testing {§5.5.4.2} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall integrate the software units and software components, + and test them, as the aggregates are developed, in accordance with the + integration plan, ensuring each aggregate satisfies the requirements of + the software item and that the software item is integrated at the conclusion + of the integration activity." {§5.5.4.2a} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process, supplementing the GNAT Pro for Ada compilation facilities. + +.. index:: single: ECSS-E-ST-40C compliance; §5.6 Software validation process + + +Validation activities with respect to the technical specification {§5.6.3} +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Development and documentation of a software validation specification with respect to the technical specification {§5.6.3.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document, for each requirement of the + software item in TS [Technical Specification] (including ICD [Interface + Control Document]), a set of tests, test cases (inputs, outputs, test + criteria) and test procedures ...." {§5.6.3.1a} + + * AdaCore's GNAT Pro Ada environment and GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can support + this process. + +* "Validation shall be performed by test." {§5.6.3.1b} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "If it can be justified that validation by test cannot be performed, + validation shall be performed by either analysis, inspection or review + of design" {§5.6.3.1c} + + * The Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite and/or SPARK Pro may be able to + show that a run-time check will always succeed and that no test case + will trigger a failure. + +Validation activities with respect to the requirements baseline {§5.6.4} +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Development and documentation of a software validation specification with respect to the requirements baseline {§5.6.4.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document, for each requirement of the + software item in RB [Requirements Baseline] (including IRD [Interface + Requirements Document]), a set of tests, test cases (inputs, outputs, + test criteria) and test procedures ...." {§5.6.4.1a} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "Validation shall be performed by test." {§5.6.4.1b} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "If it can be justified that validation by test cannot be performed, + validation shall be performed by either analysis, inspection or review + of design” {§5.6.4.1c} + + * The Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite and/or SPARK Pro may be able to + show that a run-time check will always succeed and that no test case + will trigger a failure. + +.. index:: single: ECSS-E-ST-40C compliance; §5.7 Software delivery and acceptance process + +Software delivery and acceptance process {§5.7} +----------------------------------------------- + +Software acceptance {§5.7.3} +++++++++++++++++++++++++++++ + +Executable code generation and installation {§5.7.3.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The acceptance shall include generation of the executable code from + configuration managed source code components and its installation on + the target environment." {§5.7.3.3a} + + * The GNAT Pro project and gprbuild facility can assist in the build + and installation process. + +.. index:: single: ECSS-E-ST-40C compliance; §5.8 Software verification process + +Software verification process {§5.8} +------------------------------------ + +Verification activities {§5.8.3} +++++++++++++++++++++++++++++++++ + +Verification of the software detailed design {§5.8.3.4} +''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall verify the software detailed design ensuring that: + ... 5. testing is feasible, by assessing that: (a) controllability + and observability features are identified and included in the detailed + design in order to prepare the effective testing of the performance + requirements; (b) computationally invariant properties and temporal + properties are added within the design; (c) fault injection is + possible. ... 7. the design is correct with respect to requirements + and interfaces, including safety, security, and other critical + requirements; 8. the design implements proper sequence of events, + inputs, outputs, interfaces, logic flow, allocation of timing and + sizing budgets, and error handling; ..." {§5.8.3.4a} + + * SPARK (and GNATprove) help meet criteria 5, 7, and 8. + +Verification of code {§5.8.3.5} +''''''''''''''''''''''''''''''' + +* "The supplier shall verify the software code ensuring at least that: + 1. the code is externally consistent with the requirements and design + of the software item; 2. there is internal consistency between + software units; 3. the code is traceable to design and requirements, + testable, correct, and in conformity to software requirements and coding + standards; 4. the code that is not traced to the units is justified; + 5. the code implements proper events sequences, consistent interfaces, + correct data and control flow, completeness, appropriate allocation + of timing and sizing budgets; 6. the code implements + safety, security, and other critical requirements correctly as shown by + appropriate methods; 7. the code is implemented in a way that it cannot + result in runtime errors; 8. the effects of any residual runtime errors + are controlled through error handling." {§5.8.3.5a} + + * SPARK (and GNATprove) help meet criterion 1. + * Ada's strong typing and interface checks (and thus GNAT Pro for Ada) + help meet criterion 2. + * For criterion 3, the Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite and/or SPARK Pro can help verify correctness, + and the GNATcheck utility included in the GNAT Static Analysis Suite + (see :ref:`GNATcheck`) can enforce conformance with a coding standard. + * For criterion 5, Ada's strong typing and interface checks,as well as + SPARK and GNATprove, can help show consistent interfaces and correct + data flow. + * The Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite, SPARK Pro, and the + standard semantic checks performed by the GNAT Pro compiler can help + meet criterion 6. + * The GNAT Static Analysis Suite and SPARK / GNATprove can statically + detect potential run-time errors and thereby help meet criterion 7. + * Ada's exception handling facility can help meet criterion 8. + +* "The supplier shall verify that the following code coverage is achieved: + + .. csv-table:: + :file: table-source-coverage-vs-criticality.csv + :header-rows: 1 + :widths: 50, 10, 10, 10, 10 + + Note: 'TBA' means that the value is to be agreed with the customer and + measured as per |Q-ST-80C| clause 6.3.5.2." {§5.8.3.5b} + + * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic + Analysis Suite can help meet this requirement. + +* "The supplier shall measure code coverage by analysis of the results of + the execution of tests." {§5.8.3.5c} + + * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic + Analysis Suite can help meet this requirement. + +* "If it can be justfied that the required percentage cannot be achieved + by test execution, then analysis, inspection or review of design shall be + applied to the non-covered code." {§5.8.3.5d} + + * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic + Analysis Suite can help meet this requirement. + +* "In case the traceability between source code and object code cannot be + verified, the supplier shall perform + additional code coverage analysis on object code level as follows: + + .. csv-table:: + :file: table-object-coverage-vs-criticality.csv + :header-rows: 1 + :widths: 50, 10, 10, 10, 10 + + Note: 'N/A' means not applicable. + + Note: The use of some compiler optimization options can make the + traceability between source code and object code not possible." {§5.8.3.5e} + + * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic + Analysis Suite can help meet this requirement. + + * AdaCore can prepare an analysis of traceability between source and object + code; the company has provided this to customers in connection with + certification under the DO-178C/ED-12C standard for airborne software for + the commercial aviation industry. + +* "The supplier shall verify source code robustness. AIM: use static analysis + for the errors that are difficult to detect at run-time." {§5.8.3.5f} + + * Errors such as division by zero, null pointer dereferencing, array + indices out of bounds, and many others are flagged at run-time by + raising an exception. Effective practice is to keep these checks + enabled during development and then, after verifying either statically + or through sufficient testing that the run-time checks are not needed, + disable the checks in the final code for maximal efficiency. + + * The Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite will detect such errors as well as + many others, including suspicious constructs that, although legitimate + Ada, are likely logic errors. + + * SPARK Pro will enforce the SPARK subset and can be used to + demonstrate absence of run-time errors. + + * The GNATstack tool in GNAT Pro computes the potential maximum stack usage for + each task in a program. Combining the result with a separate analysis + showing the maximal depth of recursion, the developer can allocate + sufficient stack space for program execution and prevent stack overflow. + +Schedulability analysis for real-time software {§5.8.3.11} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +.. index:: Ravenscar profile + +* "As part of the verification of the software requirements and architectural + design, the supplier shall use an analytical model to + perform a schedulability analysis and prove that the design is feasible." + {§5.8.3.11a} + + * The Ada Ravenscar profile restricts the tasking model to enable precise + schedulability analysis, including Rate-Monotonic Analysis (RMA). + +.. index:: single: ECSS-E-ST-40C compliance; §5.9 Software operation process + +Software operation process {§5.9} +--------------------------------- + +Process implementation {§5.9.2} ++++++++++++++++++++++++++++++++ + +Problem handling procedures definition {§5.9.2.3} +''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The SOS [Software Operation Support] entity shall establish procedures for + receiving, recording, resolving, tracking problems, and providing feedback." + {§5.9.2.3a} + + * In the event that a product problem is due to a defect in an AdaCore tool + (e.g., a code generation bug), AdaCore has a rigorous QA process for + responding to and resolving such issues. The "sustained branch" service, + which is included with a GNAT Pro Assurance subscription, helps by + ensuring that a specific version of the toolchain is maintained over + the lifetime of the supplier's project. + +* "The SOS entity shall ensure that information regarding problems that can + have an impact on security is protected." {§5.9.2.3b} + + * AdaCore's internal processes for maintaining sensitive data help to meet + this criterion. + +Software operation support {§5.9.4} ++++++++++++++++++++++++++++++++++++ + +Problem handling {§5.9.4.2} +''''''''''''''''''''''''''' + +* "Encountered problems shall be recorded and handled in accordance with the + applicable procedures." {§5.9.4.2a} + + * As described above in connection with clause 5.9.2.3, AdaCore's QA + process, and more specifically the GNAT Pro Assurance sustained branch + service with its management of Known Problems, can help meet this + requirement when an issue arises that is due to an AdaCore tool. + +Vulnerabilities in operations {§5.9.4.3} +'''''''''''''''''''''''''''''''''''''''' + +* "During operations, security vulnerabilities, threats and exploits shall be: + 1. continuously monitored; 2. subject to further security analysis when + evaluated relevant to the security of the system; 3. maintained for auditing + purposes even when evaluated not relevant to the security of the system." + {§5.9.4.3a} + + * The ability to express security-related requirements as contracts in the + Ada source code, with run-time checks when needed, helps to meet + criterion 1. + +User support §5.9.5 ++++++++++++++++++++ + +Provisions of work-around solutions {§5.9.5.3} +'''''''''''''''''''''''''''''''''''''''''''''' + +* "If a reported problem has a temporary work-around solution before a + permanent solution can be released, the SOS entity shall give to the + originator of the problem report the option to use it." {§5.9.5.3a} + + * As part of the GNAT Pro Assurance sustained branch service, AdaCore + can supply work-arounds to critical problems prior to releasing + a permanent solution. + +.. index:: single: ECSS-E-ST-40C compliance; §5.10 Software maintenance process + +Software maintenance process {§5.10} +------------------------------------ + +Process implementation {§5.10.2} +++++++++++++++++++++++++++++++++ + +Long term maintenance for flight software {§5.10.2.2} +''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The maintainer shall propose + solutions to be able to implement and upload modifications to the spacecraft + up to its end of life." {§5.10.2.2a} + + * AdaCore's "sustained branch" service, which is included with a GNAT Pro + Assurance subscription, in effect means that the compilation environment + will receive support and not become obsolescent. + +Modification implementation {§5.10.4} ++++++++++++++++++++++++++++++++++++++ + +Invoking of software engineering processes for modification implementation {§5.10.4.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The maintainer shall apply the software engineering processes specified + in clauses 5.3 to 5.8 and 5.11 that are relevant to the scope of the + modifications, using the tailoring applied during the development of the + software." {§5.10.4.3a} + + * The Ada and SPARK languages have specific features that support the design + of modular, maintainable software with high cohesion and low coupling. + These include encapsulation (private types, separation of specification + from implementation), hierarchical child libraries, and object-oriented + programming (tagged types). By exploiting these features and utilizing + GNAT Pro for Ada and SPARK Pro, the developer + can localize the impact of maintenance changes. + + * The GNAT Static and Dynamic Analysis Suites can ensure that any modifications + meet the verification criteria applicable to the original software. + +.. index:: single: ECSS-E-ST-40C compliance; §5.11 Software security process + +Software security process {|sect| 5.11} +--------------------------------------- + +Process implementation {|sect| 5.11.2} +++++++++++++++++++++++++++++++++++++++ + +* "A software security management plan shall be produced documenting: ... + 7. the tools, methods and procedures to be used...." {|sect| 5.11.2a} + + * The Ada and SPARK languages, GNAT Pro for Ada, the GNAT Static and + Dynamic Analysis Suites, and the SPARK Pro toolset support the + software security management plan. + +.. _Software_security_analysis: + +Software security analysis {|sect| 5.11.3} +++++++++++++++++++++++++++++++++++++++++++ + +* "The methods to be used for the security analysis shall be identified + as part of the planning of the project." {|sect| 5.11.3b} + + * The Ada and SPARK languages, GNAT Pro for Ada, the GNAT Static and + Dynamic Analysis Suites, and the SPARK Pro toolset help meet this + requirement. For example: + + * Ada's compile-time checks prevent unsafe practices such as + treating an integer value as a pointer. + + * The Defects and Vulnerability Analyzer in the GNAT Static Analysis + Suite can detect a number of dangerous software errors in the + MITRE Corporation's Common Weakness Enumeration. + + * The SPARK language and SPARK Pro can enforce security-related + properties such as correct information flows and absence of + run-time errors. + + * GNATfuzz can be used to stress test the software with malformed + input values. + +Security activities in the software life cycle {|sect| 5.11.5} +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Security in the requirements baseline {|sect| 5.11.5.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The security assurance requirements shall determine the type and extent + of security verification and validation activities, including testing, + to be conducted.... Security verification and validation activities can + include, for example, fuzzing tests...." {|sect| 5.11.5.1c} + + * The Ada and SPARK languages, GNAT Pro for Ada, the GNAT Static and + Dynamic Analysis Suites, and the SPARK Pro toolset help meet this + requirement. + +Security in the detailed design and implementation engineering {|sect| 5.11.5.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The software security analysis shall be used during verification and + validation activities to evaluate iteratively residual vulnerabilities and + to reassess security risks." {|sect| 5.11.5.3b} + + * The Ada and SPARK languages, the GNAT Static and Dynamic Analysis + Suites, and the SPARK Pro toolset help meet this requirement. For + examples, see :ref:`Software_security_analysis`. + +.. index:: single: ECSS-E-ST-40C compliance; Annex U: Software code verification + +Software code verification {Annex U (informative)} +-------------------------------------------------- + +* "The following checks are expected to be performed on the software code: + + 1. the code implements numerical protection mechanisms (e.g. against + overflow and underflow, division by zero); + + 2. the code does not perform out of bounds accesses - e.g. underrun or + overrun of buffers, arrays or strings; + + 3. the code does not include any infinite loop other than the main loop of + the software and the main loops of cyclic tasks; + + 4. the code appropriately uses arithmetical and logical operators (e.g. + arithmetical OR vs. logical OR); + + 5. implicit type conversions do not lead to arithmetical errors; + + 6. the lifetime of variables is consistent with their use; + + 7. the code makes proper use of static/global functions/variables to enforce + the correct level of visibility; + + 8. the code makes proper use of volatile variables for all variables that can + be modified asynchronously (e.g. hardware access, memory-mapped + I/O); + + 9. the code does not perform invalid memory accesses (e.g. NULL + dereferences); + + 10. the code does not access uninitialized variables; + + 11. the code does not perform unused assignments, unless this is done to + trigger HW side-effects; + + 12. there are no memory leaks; + + 13. pointer arithmetic is justified and types of operands are consistent; + + 14. the code does not lead to race conditions." {|sect| U.2} + +:numref:`Verification-Support` shows how AdaCore's technologies help meet these +requirements: + +.. _Verification-Support: + +.. table:: Verification Support + :align: center + :widths: 17 65 18 + + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | Verification check # | Technology | Explanation | + +=========================+===============================================================+========================================+ + | 1 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 2 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 3 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + | +---------------------------------------------------------------+----------------------------------------+ + | | GNATcheck (in GNAT Static Analysis Suite) | User-defined rule | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 4 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + | +---------------------------------------------------------------+----------------------------------------+ + | | GNATcheck (in GNAT Static Analysis Suite) | User-defined rule | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 5 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 6 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 7 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 8 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 9 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 10 | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 11 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 12 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + | +---------------------------------------------------------------+----------------------------------------+ + | | Ada Language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`***` | + | +---------------------------------------------------------------+----------------------------------------+ + | | GNATstack (for preventing stack overflow) | Static check | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 13 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 14 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + +:superscript:`*` Depending on the source code, the GNAT Pro compiler may be +able to guarantee that the check will always succeed and can thus avoid +generating run-time code to detect violations. + +:superscript:`**` The static checks can result in false alarms +("false positives"), but the user can calibrate the tool to control the +tradeoff between soundness (no false negatives) and precision (minimization +of false positives). + +:superscript:`***` Exhausting dynamic memory raises the :ada:`Storage_Error` +exception at run time. Ada does not require a general garbage collector for +storage reclamation, but several techniques can be used to prevent storage +leaks: + +* Ensure, through analysis or testing, that dynamic allocations occur only + during startup ("elaboration time") and not thereafter. +* Reclaim storage explicitly through Ada's :ada:`Unchecked_Deallocation` + and ensure, through analysis or testing, that this does not create + dangling references. +* Define a memory pool for a pointer type ("access type") so that allocations + of objects for that type only use that storage area, and through analysis + or testing demonstrate that the pool is never exhausted. Ada's memory pool + facility can be used to implement a reference counting strategy (for + non-cyclic data structures) with automatic reclamation. + +Compliance Summary +------------------ + +:numref:`ECSS-E-ST-40C-Compliance-Support` shows how AdaCore's technologies support the +requirements in ECSS-E-ST-40C: + +.. _ECSS-E-ST-40C-Compliance-Support: + +.. table:: Technology Support for ECSS-E-ST-40C Compliance + :align: left + + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | Technology | |sect|\ 5.4 | |sect|\5.5 | |sect|\ 5.6 | |sect|\ 5.7 | |sect|\ 5.8 | |sect|\ 5.9 | |sect|\ 5.10 | |sect|\ 5.11 | Annex U | + +=============================+=============+============+=============+=============+=============+=============+==============+==============+=========+ + | Ada language | |check| | |check| | | | |check| | |check| | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | SPARK language | |check| | |check| | | | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Pro for Ada | |check| | |check| | |check| | |check| | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | SPARK Pro | |check| | |check| | |check| | | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Static Analysis Suite | | |check| | |check| | | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Dynamic Analysis Suite | | |check| | |check| | | |check| | | |check| | |check| | | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Pro Assurance | |check| | |check| | |check| | |check| | |check| | |check| | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst new file mode 100644 index 000000000..82d68efde --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst @@ -0,0 +1,432 @@ +.. include:: ../../../global.txt + +.. _Compliance_with_ECSS-Q-ST-80C: + +Compliance with ECSS-Q-ST-80C +============================== + +The |Q-ST-80C| standard defines software product assurance requirements +for the development and maintenance of space software systems. This +chapter explains how AdaCore's products can help a supplier meet many +of these requirements. The section numbers in braces refer to the +relevant content in |Q-ST-80C|. + +.. index:: single: ECSS-Q-ST-80C compliance; §5 Software product assurance programme implementation + +Software product assurance programme implementation {§5} +-------------------------------------------------------- + +Software product assurance programme management {§5.2} +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Quality requirements and quality models {§5.2.7} +'''''''''''''''''''''''''''''''''''''''''''''''' + +* "Quality models shall be used to specify the software quality + requirements" {§5.2.7.1a} + + * The GNATmetric tool (see :ref:`GNATmetric`) in the GNAT Static Analysis + Suite can show quality metrics related to the source code structure. + + * The GNATdashboard IDE tool (see :ref:`GNATdashboard`) can + display software quality data. + +Tools and supporting environment {§5.6} ++++++++++++++++++++++++++++++++++++++++ + +Methods and tools {§5.6.1} +'''''''''''''''''''''''''' + +* "Methods and tools to be used for all activities of the development cycle + ... shall be identified by the supplier and agreed by the customer" + {§5.6.1.1a} + + * The GNAT Pro for Ada environment and any supplemental tools that are + selected (e.g., GNAT Static and Dynamic Analysis Suites, SPARK Pro) + should be listed. + +* "The choice of development methods and tools shall be justified by + demonstrating through testing or documented assessment that ... the tools + and methods are appropriate for the functional and operational + characteristics of the product, and ... the tools are available (in an + appropriate hardware environment) throughout the development and + maintenance lifetime of the product, + ... the tools and methods are appropriate to the security sensitivity + of the product as determined by the security analysis and as defined + in the software security management plan" {§5.6.1.2a} + + * AdaCore can make available a variety of documentation showing + that the selected tools are "appropriate for the functional and + operational characteristics of the product", ranging from user + manuals to qualification material relative to other + high-assurance software standards such as |do-178c| + :footcite:p:`Space_SW_RTCA_EUROCAE_2011a` and |en-50128| + :footcite:p:`Space_SW_CENELEC_2020b`. + + * AdaCore's "sustained branch" service for its GNAT Pro for Ada Assurance + product (see :ref:`Sustained_Branches`) can guarantee that the toolchain + is maintained throughout the product lifetime. + + * AdaCore's SPARK Pro environment (see :ref:`Static_Verification_SPARK_Pro`) + can be used to demonstrate security properties such as correct information + flows and, for software at the highest security levels, compliance with + formally specified requirements. + +Development environment selection {§5.6.2} +'''''''''''''''''''''''''''''''''''''''''' + +* "The software development environment shall be selected according to the + following criteria: 1. availability; 2. compatibility; 3. performance; + 4. maintenance; 5. durability and technical consistency with the operational + environment; 6. the assessment of the product with respect to requirements, + including the criticality category; 7. the available support documentation; + 8. the acceptance and warranty conditions; 9. the conditions of + installation, preparation, training and use; 10. the maintenance conditions, + including the possibilities of evolutions; 11. copyright and intellectual + property rights constraints; 12. dependence on one specific supplier; + 13. the assessment of the product with respect to the security sensitivity + level of the products; 14. compliance with appropriate security requirements + due to organizational or national security regulations, policies or + directives." + {§5.6.2.1a} + + * AdaCore tools directly satisfy these criteria. The availability of + qualification material for specific tools (GNATcheck, + GNATprove, GNATstack) contributes to criterion 6, and the + "sustained branch" service for GNAT Pro for Ada Assurance supports + criteria 4, 7 and 10. AdaCore tools come with source code and + flexible licensing, mitigating the issues noted in criteria 11 and 12. + The GNAT Static Analysis Suite, SPARK, and the GNATfuzz tool in + the GNAT Dynamic Analysis Suite facilitate + demonstrating the relevant security properties (criteria 13 and 14). + +.. index:: single: ECSS-Q-ST-80C compliance; §6 Software process assurance + +Software process assurance {§6} +------------------------------- + +Requirements applicable to all software engineering processes {§6.2} +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Handling of critical software {§6.2.3} +'''''''''''''''''''''''''''''''''''''' + +* "The supplier shall define, justify and apply measures to assure the + dependability and safety of critical software.... These measures can + include: ... use of a 'safe subset' of programming language; use of + formal design language for formal proof; 100% code branch coverage + at unit testing level; ... removing deactivated code or showing through + a combination of analysis and testing that the means by which such code + can be inadvertently executed are prevented, isolated, or eliminated; + use of dynamic code verification techniques." + {§6.2.3.2a} + + * Ada's pragma :ada:`Restrictions` and pragma :ada:`Profile`, together + with the GNAT Static Analysis Suite tool GNATcheck, can enforce a coding + standard for Ada (in effect a 'safe subset'). See + :ref:`GNAT_Pro_Enterprise` and :ref:`GNATcheck`. + + * The SPARK language serves as a safe subset of full Ada, and a formal + design language for formal proof. + + * SPARK Pro uses proof technology that can demonstrate a program's + conformance with formally specified requirements. + + * GNATcoverage can report code coverage up to MC/DC at the source level. + + * The Defects and Vulnerability Analyzer in the GNAT Static Analysis Suite + can detect unreachable code, including deactivated code. + + * The Ada language and the GNAT Pro Ada development environment allow + contracts to be verified either statically or with run-time checks and + thus facilitate dynamic code verification. + +Verification {§6.2.6} +''''''''''''''''''''' +* "The completion of actions related to software problem reports generated + during verification shall be verified and recorded." {§6.2.6.4a} + + * GNAT Pro for Ada Assurance, and its Sustained Branch service, help + support compliance. + +* "Software containing deactivated code shall be verified specifically to + ensure that the deactivated code cannot be activated or that its accidental + activation cannot harm the operation of the system." {§6.2.6.5a} + + * The Defects and Vulnerability Analyzer in the GNAT Static Analysis Suite + can detect unreachable code, including deactivated code. + +Software security {§6.2.9} +'''''''''''''''''''''''''' + +* "The supplier shall identify the methods and techniques for the software + security analysis." {|sect| 6.2.9.3a} + + * The Ada and SPARK languages, GNAT Pro for Ada, the GNAT Static and Dynamic + Analysis Suites, and the SPARK Pro toolset help meet this requirement. + +* "Based on the results of the software security analysis, the supplier shall + apply engineering measures to reduce the number of security sensitive + software components and mitigate the risks associated with security + sensitive software." {|sect| 6.2.9.4a} + + * Code modularization in Ada and SPARK can be used to minimize the number + of security sensitive components, and to localize and encapsulate them + in modules (packages) with compile-time enforcement of data consistency. + Checks performed by the GNAT Pro and SPARK Pro tools help mitigate + security risks, while hybrid verification can combine formal analysis + (for high security components in SPARK) with traditional testing methods. + + +Handling of security sensitive software {|sect| 6.2.10} +''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall define and implement measures to avoid propagation + of failures, including the ones caused by deliberate action, between + software components." {|sect| 6.2.10.1a} + + * The Ada language provides features that support this requirement + for components in the same address space. + Failures can be modeled by exceptions, and software + components that need to interact synchronously or asynchronously + can be modeled by tasks. (A failure in one component may be due to a + device malfunction and is not necessarily security related, but it + needs to be handled in a way that does not compromise security or + other mission requirements.) If the failure (exception) occurs in an Ada + task, then an appropriate style is for the task to take corrective + measures by handling that exception and/or to report the failure so that + a separate component can take further actions. If the task terminates as + a result of the exception, the effect is localized; the failure that + triggered the termination does not propagate to other components. + + * The SPARK language and SPARK Pro can help by ensuring that failures + do not occur (proving the Absence of Run-Time Errors). + + +Requirements applicable to individual software engineering processes or activities {§6.3} ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Coding {§6.3.4} +''''''''''''''' + +* "Coding standards (including security, consistent naming conventions and + adequate commentary rules) shall be specified and observed." {§6.3.4.1a} + + * Ada's :ada:`Restrictions` and :ada:`Profile` pragmas, together with + AdaCore’s GNATcheck tool (see section :ref:`GNATcheck`), can define and + enforce a coding standard. + + * The SPARK language can serve as a coding standard. + +* "The tools to be used in implementing and checking conformance with coding + standards shall be identified in the product assurance plan before coding + activities start." {§6.3.4.3a} + + * GNATcheck and SPARK Pro are relevant tools for this activity. + +* "The supplier shall define measurements, criteria and tools to ensure that + the software code meets the quality and security requirements." {§6.3.4.6a} + + * The GNATmetric tool (see :ref:`GNATmetric`) can be used to report quality + data related to the source code structure. + +* "Synthesis of the code analysis results and corrective actions implemented + shall be described in the software product assurance reports." {§6.3.4.7a} + + * GNATdashboard (see :ref:`GNATdashboard`) can be used to synthesize and + summarize code quality metrics. + +Testing and validation {§6.3.5} +''''''''''''''''''''''''''''''' + +* "Testing shall be performed in accordance with a strategy for each testing + level (i.e. unit, integration, validation against the technical + specification, validation against the requirements baseline, acceptance), + ...." {§6.3.5.1a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement for unit testing. + +* "Based on the dependability and safety criticality, and the security + sensitivity of the software, test coverage goals for each + testing level shall be agreed between the customer and the supplier and + their achievement monitored by metrics ...." {§6.3.5.2a) + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement. + +* "Test coverage shall be checked with respect to the stated goals." + {§6.3.5.5a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement. + +* "The test coverage of configurable code shall be checked to ensure that the + stated requirements are met in each tested configuration." {§6.3.5.7a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement. + +* "Test tool development or acquisition ... shall be planned for in the + overall project plan." {§6.3.5.24a} + + * The tools in AdaCore's GNAT Dynamic Analysis Suite (GNATtest, + GNATcoverage, GNATfuzz) are candidates for consideration in test tool + acquisition. + +* "Software containing deactivated code shall be validated specifically to + ensure that the deactivated code cannot be activated or that its accidental + activation cannot harm the operation of the system." {§6.3.5.30a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement by detecting non-covered code that is + intended (and can be categorized) as deactivated. + +* "Software containing configurable code shall be validated specifically to + ensure that unintended configuration cannot be activated at run time or + included during code generation". {§6.3.5.31a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement by detecting configurable code that, + because of incorrect configuration settings, was unintentionally included + during code generation. + +Maintenance {§6.3.9} +'''''''''''''''''''' + +* "The maintenance plans and procedures shall include the following as a + minimum: 1. scope of maintenance; 2. identification of the first version of the + software product for which maintenance is to be done; 3. support organization; + 4. maintenance life cycle; 5. maintenance activities; 6. quality measures to be + applied during the maintenance; 7. security measures to be applied during the + maintenance. 8. maintenance records and reports." + {§6.3.9.4a} + + * The "sustained branch" service of AdaCore's GNAT Pro Assurance product + can help meet this requirement. + +* "Maintenance records shall be established for each software product ...." + {§6.3.9.7a} + + * AdaCore's ticket system, which is part of the standard support in all + product subscriptions, provides an audit trail for problem reports / + resolution. + * The "sustained branch" service includes special maintenance + accommodation for dealing with problems that relate to software safety. + +.. index:: single: ECSS-Q-ST-80C compliance; §7 Software product quality assurance + +Software product quality assurance {§7} +--------------------------------------- + +Product quality objectives and metrication {§7.1} ++++++++++++++++++++++++++++++++++++++++++++++++++ + +Assurance activities for product quality requirements {§7.1.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall define assurance activities to ensure that the product + meets the quality requirements as specified in the technical + specification" {§7.1.3a} + + * Any of AdaCore's tools could potentially contribute to meeting this + requirement, depending on the nature of the metrics that have been + defined, and the GNATdashboard tool can integrate the metrics + in a meaningful way. + + * Use of the SPARK language, and formal demonstration of absence of + runtime errors, support this requirement. + +Basic metrics {§7.1.5} +'''''''''''''''''''''' + +* "The following basic products metrics shall be used: size (code); complexity + (design, code); fault density and failure intensity; test coverage; number + of failures." {§7.1.5a} + + * The GNATmetric, GNATtest, and GNATcoverage tools in the GNAT Dynamic Analysis + Suite directly help to meet this requirement. + +Product quality requirements {§7.2} ++++++++++++++++++++++++++++++++++++ + +Design and related documentation {§7.2.2} +''''''''''''''''''''''''''''''''''''''''' + +* "The software shall be designed to facilitate testing." {§7.2.2.2a} + + * The Ada language encourages and supports the use of sound software + engineering principles such as modular design and structured programming, + which makes the code easier to test. + + * The contract facility in Ada and SPARK supports verification by both + static analysis and testing. + +* "Software with a long planned lifetime shall be designed with minimum + dependency on the operating system and the hardware in order to aid + portability." {§7.2.2.3a} + + * The Ada language has abstracted away the specifics of the underlying + operating system and hardware through standard syntax and semantics for + features such as concurrency, memory management, exception handling, + and I/O. As a result, Ada programs can often be ported across different + processor architectures and operating systems by simply recompiling, + with minimal or no source code changes needed. + +Test and validation documentation {§7.2.3} +'''''''''''''''''''''''''''''''''''''''''' + +* "Test procedures, data and expected results shall be specified." + {|sect| 7.2.3.4a} + + * The GNATtest and GNATfuzz tools in the GNAT Dynamic Analysis Suite + help meet this requirement. + +* "For any requirements not covered by testing a verification report shall be + drawn up documenting or referring to the verification activities performed." + {§7.2.3.6a} + + * In many cases where verification cannot be achieved by testing, + SPARK Pro may be able to provide convincing alternative verification + evidence (for example, a robustness demonstration by proof that an + out-of-range or otherwise non-valid input will never be passed to + the unit being verified). + + +Compliance Summary +------------------ + +:numref:`ECSS-Q-ST-80C-Compliance-Support` shows how AdaCore's technologies support the +requirements in ECSS-Q-ST-80C: + +.. _ECSS-Q-ST-80C-Compliance-Support: + +.. table:: Technology Support for ECSS-Q-ST-80C Compliance + :align: left + + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | Technology | |sect|\ 5.2 | |sect|\5.6 | |sect|\ 6.2 | |sect|\ 6.3 | |sect|\ 7.1 | |sect|\ 7.2 | + +=============================+=============+=============+=============+=============+=============+=============+ + | Ada language | |blankcell| | |blankcell| | |check| | |check| | |blankcell| | |check| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | SPARK language | |blankcell| | |check| | |check| | |blankcell| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Pro for Ada | |blankcell| | |check| | |check| | |blankcell| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | SPARK Pro | |blankcell| | |check| | |check| | |blankcell| | |check| | |check| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Static Analysis Suite | |blankcell| | |check| | |check| | |check| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Dynamic Analysis Suite | |blankcell| | |check| | |check| | |check| | |check| | |check| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Pro Assurance | |blankcell| | |check| | |check| | |check| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Pro IDEs | |check| | |blankcell| | |blankcell| | |check| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst new file mode 100644 index 000000000..66be732ff --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst @@ -0,0 +1,550 @@ +.. include:: ../../../global.txt + +Introduction +=============== +Software for space applications must meet unique and formidable requirements. +Hard real-time deadlines, a constrained target execution environment with +limited storage capacity, and distributed functionality between ground and +on-board systems are some of the challenges, with little margin for error. +The software needs to work correctly from the outset, without safety or +security defects, and the source code needs to be amenable to maintenance +over the system’s lifetime (which may extend over decades) as requirements +evolve. + +.. index:: European Cooperation for Space Standardization (ECSS) +.. index:: European Space Agency (ESA) + +To provide a common approach to addressing these challenges, the European +Cooperation for Space Standardization (ECSS) was formed in the mid-1990s +in a joint effort conducted by the European Space Agency (ESA), individual +national space organizations, and industrial partners. As stated in +:footcite:p:`Space_SW_Kriedke_ElGammal_1995`: + +.. + + *The European Cooperation for Space Standardization (ECSS) is an initiative + established to develop a coherent, single set of user-friendly standards + for use in all European space activities.* + +The resulting set of standards, available from the ECSS web portal +:footcite:p:`Space_SW_ECSS_HomePage`, addresses space activities as a +whole and complement the relevant country-specific standards. + +The ECSS standards specify requirements that must be satisfied (although +project-specific tailoring is allowed) and fall into three categories: + +* *Space engineering* (the "|ndash|\ E" series), + +* *Space product assurance* (the "|ndash|\ Q" series), and + +* *Space project management* (the "|ndash|\ M" series). + +This document focuses on two specific standards: + +* |E-ST-40C| Rev.\ |nbsp|\ 1 (Space engineering / Software) + :footcite:p:`Space_SW_ECSS_2025a`, and + +* |Q-ST-80C|\ |nbsp|\ Rev.\ |nbsp|\ 2 (Space product assurance / + Software product assurance) :footcite:p:`Space_SW_ECSS_2025b` + +and shows how the Ada and SPARK languages, together with AdaCore's +product and services offerings, +can help space software suppliers comply with these standards. +Unless noted otherwise, all references to |E-ST-40C| and |Q-ST-80C| in this +document relate to these cited editions of the standards. + +AdaCore has a long and successful history supporting developers of space +software, and the company has proven experience and expertise in +qualification under |E-ST-40C| and |Q-ST-80C|. Examples include: + +.. index:: Zero Footprint (ZFP) run-time library + +* The ZFP (Zero Footprint) minimal run-time library for Ada on LEON2 ELF, + qualified at criticality category B, for the aerospace company AVIO + :footcite:p:`Space_SW_AdaCore_Web_2019a`. + +.. index:: Ravenscar Small Footprint (SFP) run-time library + +* The Ravenscar SFP (Small Footprint) QUAL run-time library for Ada on + LEON2 and LEON3 boards, pre­qualified at criticality category B, for + ESA :footcite:p:`Space_SW_AdaCore_Web_2019b`. + +.. index:: Memory safety + +An important update in the 2025 versions of |E-ST-40C| and |Q-ST-80C| +is the explicit attention paid to security issues. Memory-safe languages +like Ada and SPARK, and formal analysis tools such as SPARK Pro, help +reduce the effort in demonstrating security properties in space software. + +The remainder of this chapter summarizes the |E-ST-40C| and |Q-ST-80C| +standards, and the subsequent chapters have the following content: + +* :ref:`Programming_Languages_for_Space_Software` + describes the Ada and SPARK programming languages and relates their software + engineering support to the relevant sections / requirements in the two + standards. + +* Analogously, :ref:`Tools_for_Space_Software_Development` presents AdaCore's + various software development and verification toolsuites and relates their + functionality to the relevant sections / requirements in the two standards. + +* In the other direction, :ref:`Compliance_with_ECSS-E-ST-40C` + surveys the individual requirements in |E-ST-40C| and shows how a large + number of them can be met by a software supplier through Ada, SPARK, + and/or specific AdaCore products. + +* :ref:`Compliance_with_ECSS-Q-ST-80C` does likewise for the requirements in + |Q-ST-80C|. + +* For ease of reference, the :ref:`Abbreviations` chapter contains a table of + acronyms and initialisms used in this document, and bibliography lists + the various resources cited. + +Although this document is focused on specific ECSS standards, the +:ref:`Programming_Languages_for_Space_Software` and +:ref:`Tools_for_Space_Software_Development` chapters +explain how the Ada and SPARK languages / technologies and AdaCore's products +benefit software development in general for large-scale safety-critical +systems. These chapters may thus be applicable to software that has to comply +with regulatory standards in other domains. + +.. index:: single: ECSS-E-ST-40C; Summary + +ECSS-E-ST-40C: Space engineering / Software +------------------------------------------- + +As stated in |E-ST-40C| (:footcite:p:`Space_SW_ECSS_2025a`, p. 11): + + "This Standard covers all aspects of space software engineering including + requirements definition, design, production, verification and validation, + transfer, operations and maintenance." + + "It defines the scope of the space software engineering processes and its + interfaces with management and product assurance, which are addressed in the + Management (|ndash|\ M) and Product assurance (|ndash|\ Q) branches of the + ECSS System, and explains how they apply in the software engineering + processes." + +|E-ST-40C| defines the following space system software engineering processes: + +* Software-related systems requirements process (|sect| 4.2.2) + + This process links the system and software levels and "establishes the + functional and the performance requirements baseline (including the interface + requirement specification) (RB) of the software development" + (:footcite:p:`Space_SW_ECSS_2025a`, p. 27). + +* Software management process (|sect| 4.2.3) + + This process "tailors the M standards for software-specific issues" + and produces "a software development plan including the life cycle + description, activities description, milestones and outputs, the + techniques to be used, and the risks identification" + (:footcite:p:`Space_SW_ECSS_2025a`, pp. 27, 28). It covers the joint + review process, interface management, and technical budget and + margin management. + +* Software requirements and architecture engineering process (|sect| 4.2.4) + + This process comprises software requirements analysis (based on system + requirements) and a resulting software architecture design. Activities + associated with the latter include selection of a design method, selection + of a computational model for real-time software, description of software + behavior, development and documentation of the software interfaces, and + definition of methods and tools for software intended for reuse. + +* Software design and implementation engineering process (|sect| 4.2.5) + + This process covers the detailed design of the software items (including an + analysis of the dynamic model showing how issues such as storage leakage and + corrupted shared data are avoided), coding, testing, and integration. + +* Software validation process (|sect| 4.2.6) + + Software validation entails "software product testing against both the + technical specification and the requirements baseline" and "confirm[ing] + that the technical specification and the requirements baseline functions + and performances are correctly and completely implemented in the final + product" (:footcite:p:`Space_SW_ECSS_2025a`, p. 29). + +* Software delivery and acceptance process (|sect| 4.2.7) + + This process "prepares the software product for delivery and testing in its + operational environment" (:footcite:p:`Space_SW_ECSS_2025a`, p. 29). + +* Software verification process (|sect| 4.2.8) + + Software verification "confirm[s] that adequate specifications and inputs + exist for every activity and that the outputs of the activities are + correct and consistent with the specifications and inputs. This process + is concurrent with all the previous processes." + (:footcite:p:`Space_SW_ECSS_2025a`, p. 30) + +* Software operation process (|sect| 4.2.9) + + This process involves the activities needed to ensure that the software + remains operational for its users; these include "mainly the helpdesk and + the link between the users, the developers or maintainers, and the + customer." (:footcite:p:`Space_SW_ECSS_2025a`, p. 30) + +* Software maintenance process (|sect| 4.2.10) + + This process "covers software product modification to code or associated + documentation for correcting an error, a problem or implementing an + improvement or adaptation." (:footcite:p:`Space_SW_ECSS_2025a`, p. 31) + +* Software security process (|sect| 4.2.11) + + This process "is supported by a software security analysis that is + systematically maintained at different points in the lifecycle of the + software.... The software security analysis is used to ensure that + security risks are properly addressed.... It is also used to assess + and drive the design, implementation and operation of secure software." + (:footcite:p:`Space_SW_ECSS_2025a`, p. 32) + +The standard specifies the requirements associated with each of these +processes and defines the expected output for each requirement. The expected +output identifies three entities: + +* the relevant destination file, +* the DRL (Document Requirements List) item(s) within that file where the + requirement is addressed, and +* the review that will assess whether the requirement is met. + +The files in question are the RB (Requirements Baseline), TS (Technical +Specification), DDF (Design Definition File), DJF (Design Justification File), +MGT (Management File), MF (Maintenance File), OP (Operational Plan), and PAF +(Product Assurance File). + +The reviews are the SRR (System Requirements Review), PDR (Preliminary Design +Review), CDR (Critical Design Review), QR (Qualification Review), +AR (Acceptance Review), and ORR (Operational Readiness Review). + +The tables below, derived from Table A-1 in Annex A of |E-ST-40C|, show the +association between files, DRL items, and reviews. Cells with "E" indicate +requirements from |E-ST-40C|, and cells with "Q" are the contributions from +|Q-ST-80C|. + +.. To refer to a table by its number, use the :numref:`table-name` command, +.. and to refer to a table by its name, use the :ref:`table-name` command, +.. where table-name is as specified in the :name: option of the csv-table +.. For example: See :numref:`RB table` + +.. csv-table:: **Relationship between RB (Requirements Baseline), DRL items, and reviews** + :name: RB table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software System Specification","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Interface requirements document (IRD)","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Safety and dependability analysis results for lower level suppliers", "E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between TS (Technical Specification), DRL items, and reviews** + :name: TS table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software requirements specification (SRS)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software interface control document (ICD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| + + +.. csv-table:: **Relationship between DDF (Design Definition File), DRL items, and reviews** + :name: DDF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software design document (SDD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| + "Software configuration file (SCF)",|blankcell|,E,E,"E Q",E,"E Q" + "Software release document (SRelD)",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| + "Software user manual (SUM)",|blankcell|,|blankcell|,E,E,E,|blankcell| + "Software source code and media labels",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software product and media labels",|blankcell|,|blankcell|,|blankcell|,E,E,E + "Training material",|blankcell|,|blankcell|,|blankcell|,E,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between DJF (Design Justification File), DRL items, and reviews** + :name: DJF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software verification plan (SVerP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software validation plan (SValP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Independent software verification and validation plan","E Q",E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software integration test plan (SITP)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| + "Software unit test plan (SUTP)",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software validation specification (SVS) with respect to TS",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software validation specification (SVS) with respect to RB",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| + "Acceptance test plan",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| + "Acceptance test report",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Installation report",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software verification report (SVR)",E,E,E,E,E,"E Q" + "Independent software verification and validation report",|blankcell|,"E Q","E Q","E Q","E Q",E + "Software reuse file (SRF)","E Q",E,E,|blankcell|,|blankcell|,|blankcell| + "Software problems reports and nonconformance reports","E Q","E Q","E Q","E Q","E Q","E Q" + "Joint review reports",E,E,E,E,E,|blankcell| + "Justification of selection of operational ground equipment and support services","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between MGT (Management File), DRL items, and reviews** + :name: MGT table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software development plan (SDP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software review plan (SRP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software configuration management plan",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Training plan","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Interface management procedures",E,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Identification of NRB SW and members","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Procurement data","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between MF (Maintenance File), DRL items, and reviews** + :name: MF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Maintenance plan",|blankcell|,|blankcell|,|blankcell|,E,E,E + "Maintenance records",Q,Q,Q,"E Q","E Q","E Q" + "SPR and NCR- Modification analysis report- Problem analysis report- Modification documentation- Baseline for change - Joint review reports",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Migration plan and notification",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Retirement plan and notification",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between OP (Operational Plan), DRL items, and reviews** + :name: OP table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software operation support plan",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E + "Operational testing results",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E + "SPR and NCR- User's request record- Post operation review report",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E + +.. csv-table:: **Relationship between PAF (Product Assurance File), DRL items, and reviews** + :name: PAF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software product assurance plan (SPAP)","E Q","E Q","E Q","E Q","E Q","E Q" + "Software product assurance requirements for suppliers","E Q",Q,Q,Q,Q,Q + "Audit plan and schedule","E Q",Q,Q,Q,Q,Q + "Review and inspection plans or procedures",Q,Q,Q,Q,Q,Q + "Procedures and standards",Q,"E Q",Q,Q,Q,Q + "Modelling and design standards","E Q","E Q",Q,Q,Q,Q + "Coding standards and description of tools",Q,"E Q",Q,Q,Q,Q + "Software problem reporting procedure",Q,"E Q",Q,Q,Q,Q + "Software dependability and safety analysis report- Criticality classification of software components",Q,"E Q","E Q","E Q","E Q",Q + "Software product assurance report",Q,Q,Q,Q,Q,Q + "Software product assurance milestone report (SPAMR)","E Q","E Q","E Q","E Q","E Q","E Q" + "Statement of compliance with test plans and procedures",Q,Q,"E Q","E Q","E Q","E Q" + "Records of training and experience",Q,Q,Q,Q,Q,Q + "(Preliminary) alert information",Q,Q,Q,Q,Q,Q + "Results of preaward audits and assessments, and of procurement sources",Q,Q,Q,Q,Q,Q + "Software process assessment plan",Q,Q,Q,Q,Q,Q + "Software process assessment records",Q,Q,Q,Q,Q,Q + "Review and inspection reports",Q,Q,Q,Q,Q,Q + "Receiving inspection report","E Q","E Q","E Q","E Q",Q,Q + "Input to product assurance plan for systems operation",Q,Q,Q,Q,Q,"E Q" + +.. csv-table:: **ECSS-E-ST-40 and ECSS-Q-ST-80 Document requirements list (DRL)** + :header: File,"DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 10, 48, 7, 7, 7, 7, 7, 7 + + RB, "Software system specification (SSS)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + RB, "Interface requirements document (IRD)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + RB, "Safety and dependability analysis results for lower level suppliers", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + TS, "Software requirements specification (SRS)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + TS, "Software interface control document (ICD)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| + DDF, "Software design document (SDD)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| + DDF, "Software configuration file (SCF)", |blankcell|, E, E, "E Q", E, "E Q" + DDF, "Software release document (SRelD)", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DDF, "Software user manual (SUM)", |blankcell|, |blankcell|, E, E, E, |blankcell| + DDF, "Software source code and media labels", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DDF, "Software product and media labels", |blankcell|, |blankcell|, |blankcell|, E, E, E + DDF, "Training material", |blankcell|, |blankcell|, |blankcell|, E, |blankcell|, |blankcell| + DJF, "Software verification plan (SVerP)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation plan (SValP)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + DJF, "Independent software verification and validation plan", "E Q", E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + DJF, "Software integration test plan (SUITP)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software unit test plan (SUITP)", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation specification (SVS) with respect to TS", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation specification (SVS) with respect to RB", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DJF, "Acceptance test plan", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DJF, "Software unit test report", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software integration test report", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation report with respect to TS", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation report with respect to RB", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DJF, "Acceptance test report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, E, |blankcell| + DJF, "Installation report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, E, |blankcell| + DJF, "Software verification report (SVR)", E, E, E, E, E, "E Q" + DJF, "Independent software verification and validation report", |blankcell|, "E Q", "E Q", "E Q", "E Q", E + DJF, "Software reuse file (SRF)", "E Q", E, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software problems reports and nonconformance reports", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" + DJF, "Joint review reports", E, E, E, E , E , |blankcell| + DJF, "Justification of selection of operational ground equipment and support services", "E Q", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Software development plan (SDP)", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Software review plan (SRevP)", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Software configuration management plan", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Training plan", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Interface management procedures", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Identification of NRB SW and members", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Procurement data", "E Q", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell| + MF, "Maintenance plan", |blankcell|, , |blankcell|, E, E, E + MF, "Maintenance records", Q, Q, Q, "E Q", "E Q", "E Q" + MF, "SPR and NCR- Modification analysis report- Problem analysis report- Modification documentation- Baseline for change - Joint review reports", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MF, "Migration plan and notification", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MF, "Retirement plan and notification", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + OP, "Software operation support plan", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E + OP, "Operational testing results", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E + OP, "SPR and NCR- User’s request record- Post operation review report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E + PAF, "Software product assurance plan (SPAP)", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" + PAF, "Software product assurance requirements for suppliers", "E Q", Q, Q, Q, Q, Q + PAF, "Audit plan and schedule", "E Q", Q, Q, Q, Q, Q + PAF, "Review and inspection plans or procedures", Q, Q, Q, Q, Q, Q + PAF, "Procedures and standards", Q, "E Q", Q, Q, Q, Q + PAF, "Modelling and design standards", "E Q", "E Q", Q, Q, Q, Q + PAF, "Coding standards and description of tools", Q, "E Q", Q, Q, Q, Q + PAF, "Software problem reporting procedure", Q, "E Q", Q, Q, Q, Q + PAF, "Software dependability and safety analysis report- Criticality classification of software components", Q, "E Q", "E Q", "E Q", "E Q", Q + PAF, "Software product assurance report", Q, Q, Q, Q, Q, Q + PAF, "Software product assurance milestone report (SPAMR)", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" + PAF, "Statement of compliance with test plans and procedures", Q, Q, "E Q", "E Q", "E Q", "E Q" + PAF, "Records of training and experience", Q, Q, Q, Q, Q, Q + PAF, "(Preliminary) alert information", Q, Q, Q, Q, Q, Q + PAF, "Results of preaward audits and assessments, and of procurement sources", Q, Q, Q, Q, Q, Q + PAF, "Software process assessment plan", Q, Q, Q, Q, Q, Q + PAF, "Software process assessment records", Q, Q, Q, Q, Q, Q + PAF, "Review and inspection reports", Q, Q, Q, Q, Q, Q + PAF, "Receiving inspection report", "E Q", "E Q", "E Q", "E Q", Q, Q + PAF, "Input to product assurance plan for systems operation", Q, Q, Q, Q, Q, "E Q" + +.. index:: single: ECSS-Q-ST-80C; Summary + +ECSS-Q-ST-80C: Space product assurance / Software product assurance +------------------------------------------------------------------- + +The |Q-ST-80C| standard defines software product assurance requirements for +the development and maintenance of space software systems, including +non-deliverable software that affects the quality of the deliverable +product. As stated in :footcite:p:`Space_SW_ECSS_2025b`, p. 20: + + *The objectives of software product assurance are to provide adequate + confidence to the customer and to the supplier that the developed or + procured/reused software satisfies its requirements throughout the system's + lifetime. In particular, that the software is developed to perform properly, + securely, and safely in its operational environment, meeting the project's + agreed quality objectives.* + +The requirements apply throughout the software lifecycle and cover a range of +activities, including organizational responsibilities, process assessment, +development environment selection, and product verification. The specific set +of requirements that need to be met can be tailored based on several factors: + +* Dependability and safety aspects, as determined by the software criticality + category, +* Software development constraints, for example the type of development + (database vs. real-time), or +* Product quality / business objectives as specified by the customer + +|Q-ST-80C| defines requirements in the following areas: + +* Software product assurance programme implementation + + This set of activities includes organizational aspects, product assurance + management, risk management and critical item control, supplier selection + and control, procurement, tools and supporting environment selection, and + assessment and improvement process. + +* Software process assurance + + These activities comprise software life cycle management; requirements + applicable to all software engineering processes (e.g., documentation, + safety analysis, handling of critical software, configuration management, + metrics, verification, reuse, and automatic code generation); and + requirements applicable to individual software engineering processes or + activities (e.g., requirements analysis, architecture and design, coding, + testing and validation, delivery and acceptance, operations, and + maintenance). + +* Software product quality assurance + + These activities comprise product quality objectives and metrication; + product quality requirements; software intended for reuse; standard ground + hardware and services for operational system; and firmware. + +As with |E-ST-40C|, the expected output for each requirement identifies the +destination file, the DRL items within that file, and the review(s) that +assess compliance with the requirement. The table above includes this +information for the requirements in |Q-ST-80C|. + +.. index:: Criticality categories + +.. index:: DO-178C + +The ECSS standards recognize that software systems (and different components +of the same software system) may vary in their effects on system safety. +The standards accordingly define several criticality categories, +denoted A (most critical) to D, which correspond closely to the software +levels in the airborne standard |do-178c|. + +.. index:: ECSS Handbooks + +ECSS Handbooks +-------------- + +Supplementing the normative standards in the |ndash|\ E, |ndash|\ Q, and +|ndash|\ M series, ECSS has published a set of handbooks offering additional +support, guidance and practical discussion about the standards and their +requirements. They indicate how a customer (the organization acquiring +the space software or system) will likely interpret the standards and thus +how they will expect the supplier to comply. + +Several handbooks complement |E-ST-40C|, including: + +* |E-HB-40A| (Software engineering handbook) + :footcite:p:`Space_SW_ECSS_2013`, + + This document provides guidance, explanations, and examples on how to + satisfy the |E-ST-40C| requirements in practice. + +* |E-HB-40-01A| (Agile software development handbook) + :footcite:p:`Space_SW_ECSS_2020`. + + This handbook shows how to reconcile agile development practices + with the formal ECSS space software engineering processes. + +* |E-HB-40-02A| (Machine learning handbook) + :footcite:p:`Space_SW_ECSS_2024`. + + This handbook provides guidelines on how to create reliable machine + learning functions and perform the verification and validation considering + the specifics of machine learning development practices. + +Several handbooks complement ECSS-Q-ST-80C, including: + +* |Q-HB-80-01A| (Reuse of existing software) + :footcite:p:`Space_SW_ECSS_2011b` + + This handbook offers guidance on software reuse (including software + tools) and also presents a Tool Qualification Level (TQL) concept + based on |do-178c| :footcite:p:`Space_SW_RTCA_EUROCAE_2011a`, + |do-330| :footcite:p:`Space_SW_RTCA_EUROCAE_2011b`, and |ISO-26262| + :footcite:p:`Space_SW_ISO_2018`. + +* |Q-HB-80-03A-1| (Software dependability and safety) + :footcite:p:`Space_SW_ECSS_2017` + + This handbook focuses on analysis techniques such as Failure, + Mode and Effects Analysis (FMEA) and their application to software; + i.e., how to analyze what happens in case of failure due to software. + It covers topics such as defensive programming and prevention of failure + propagation. + +* |Q-HB-80-04A| (Software metrication program definition and implementation) + :footcite:p:`Space_SW_ECSS_2011a` + + This handbook offers recommendations on organizing and + implementing a metrication program for space software projects. + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst new file mode 100644 index 000000000..35e2414e4 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst @@ -0,0 +1,1028 @@ +.. include:: ../../../global.txt + +.. _Programming_Languages_for_Space_Software: + +Programming Languages for Space Software +======================================== + +This chapter explains how space software developers can benefit from +the Ada language and its formally analyzable SPARK subset +(:footcite:p:`Space_SW_AdaCore_Capgemini_Web`, +:footcite:p:`Space_SW_McCormick_Chapin_2015`). Unless explicitly +stated otherwise, the Ada discussion applies to the |ada-2012| version +of the language standard with Technical Corrigendum\ |nbsp|\ 1 +(:footcite:p:`Space_SW_ISO_IEC_2016`, +:footcite:p:`Space_SW_Barnes_2014`, +:footcite:p:`Space_SW_Barnes_Brosgol_2015`), and the SPARK language +discussion applies to the 2014 version of the language as amended by +:footcite:p:`Space_SW_AdaCore_Capgemini_Web`. Both Ada and SPARK +support the development and verification of software at the highest +criticality class levels. + +.. index:: single: Ada language; Summary + +Ada +--- + +The choice of programming language(s) is one of the fundamental decisions +during software design. The source code is the artifact that is developed, +verified, and maintained, and it is also the subject of much of the analysis / +inspection required for certification / qualification against domain-specific +standards. Although in principle almost any programming language can be used +for software development, in practice the life-cycle costs for the +high-assurance real-time software found in space systems are reduced when the +chosen language has been explicitly designed for reliability, safety, +security, and ease of maintenance of large, long-lived systems. + +.. index:: Memory safety + +Ada helps meet high-assurance requirements through its support for sound +software engineering principles, compile-time checks that guarantee type +safety, and run-time checks for constraints such as array index bounds and +scalar ranges. As will be explained below, the SPARK subset of Ada shares +these benefits and adds an important advantage: the dynamic constraints are +enforced through mathematics-based static analysis. This avoids run-time +overhead for checks in production code while eliminating the risk that such +a check could fail. With their standard features for preventing buffer +overruns, pointer misuses and other vulnerabilities, Ada and SPARK both +serve as memory-safe languages. + + +Ada language overview +~~~~~~~~~~~~~~~~~~~~~ + +Ada is multi-faceted. From one perspective it is a classical stack-based +general-purpose language (unlike languages like Java, it does not require +garbage collection), and it is not tied to any specific development +methodology. It offers: + + * a simple syntax designed for human readability; + * structured control statements; + * flexible data composition facilities; + * strong type checking; + * traditional features for code modularization (“sub­programs”); + * standard support for "programming in the large" and module reuse, + including packages, Object-Oriented Programming, hierarchical + package namespace ("child libraries"), and generic templates; + * a mechanism for detecting and responding to exceptional run-time + conditions ("exception handling"); and + * high-level concurrency support ("tasking") along with a deterministic + subset (the Ravenscar profile) appropriate in applications that need + to meet high-assurance certification / qualification requirements + and/or small footprint constraints. + +The language standard also includes: + + * an extensive predefined environment with support for I/O, string + handling, math functions, containers, and more; + * a standard mechanism for interfacing with other programming languages + (such as C and C++); and + * specialized needs annexes for functionality in several domains (Systems + Programming, Real-Time Systems, Distributed Systems, Numerics, + Information Systems, and High-Integrity Systems). + +Source code portability was a key goal for Ada. The challenge for a +programming language is to define the semantics in a platform-independent +manner but not sacrifice run-time efficiency. Ada achieves this in several +ways. + + * Ada provides a high-level model for concurrency (tasking), memory + management, and exception handling, with standard semantics across + all platforms. The language's dynamic semantics can be mapped to the + most efficient services provided by the target environment. + * The developer can express the logical properties of a type (such as + integer range, floating-point precision, and record fields/types) + in a machine-independent fashion, which the compiler can then map + to an efficient underlying representation. + * The physical representation of data structures (layout, alignment, + and addresses) is sometimes specified by system requirements. Ada + allows this to be defined in the program logic but separated from + target-independent properties for ease of maintenance. + * Platform-specific characteristics such as machine word size are + encapsulated in an API, so that references to these values are through + a standard syntax. Likewise, Ada defines a standard type :ada:`Address` + and associated operations, again facilitating the portability of + low-level code. + +.. index:: single: Ada language; Background + +.. Ada_language_background: + +Ada language background +~~~~~~~~~~~~~~~~~~~~~~~ + +.. index:: Ichbiah (Jean), CII-Honeywell-Bull + +Ada was designed for large, long-lived applications |mdash| and embedded +systems in particular |mdash| where reliability, maintainability, and +efficiency are essential. Under sponsorship of the U.S. Department of Defense, +the language was originally developed in the early 1980s (this version is +generally known as |ada-83|) by a team led by Jean Ichbiah at +CII-Honeywell-Bull in France. + +.. index:: Taft (Tucker), Intermetrics + +Ada was revised and enhanced in an upward-compatible fashion in the early +1990s, under the leadership of Tucker Taft from Intermetrics in the U.S. +The resulting language, |ada-95|, was the first internationally standardized +object-oriented language. + +Under the auspices of the International Organization for Standardization +(ISO), a further (minor) revision was completed as an amendment to the +standard; this version of the language is known as |ada-2005|. + +Additional features (including support for contract-based programming +in the form of subprogram pre- and postconditions and type invariants) +were added in |ada-2012|, and other enhancements to increase the +language's expressiveness were introduced in |ada-2022| +:footcite:p:`Space_SW_ISO_IEC_2022`. + +.. index:: Lovelace (Augusta Ada), Babbage (Charles), Byron (Lord George) + +The name "Ada" is not an acronym; it was chosen in honor of Augusta Ada +Lovelace (1815-1852), a mathematician who is sometimes regarded as the +world's first programmer because of her work with Charles Babbage. +She was also the daughter of the poet Lord Byron. + +The Ada language has long been a language of choice +in high-assurance / safety-critical / high-security domains, where software +failures can have catastrophic consequences. +Ada has a proven track record in space applications, +military and commercial aircraft avionics, air traffic control, and railroad +software, and it has also seen successful usage in other domains (such as +automotive systems and medical devices). + +.. index:: Ravenscar profile + +With its embodiment of modern software engineering principles, Ada is +especially appropriate for teaching in both introductory and advanced +computer science courses, and it has also been the subject of +significant research, especially in the area of real-time +technologies. Throughout much of Ada's history, a worldwide group of +experts from industry, academia, and government convened a biannual +meeting |mdash| the *International Real-Time Ada Workshop* ("IRTAW") +|mdash| to focus on Ada's support for real-time software. The 1997 +IRTAW in Ravenscar, UK, led directly to the definition of a subset of +Ada's concurrency features with deterministic semantics |mdash| the +so-called *Ravenscar Profile* :footcite:p:`Space_SW_Burns_et_al_2003`. +This work broke new ground in supporting the use of concurrent +programming in high-assurance software. + +AdaCore has a long history and close connection with the Ada programming +language. Company members worked on the original Ada 83 design and review +and played key roles in the Ada 95 project as well as the subsequent +revisions. The initial GNAT compiler was delivered at the time of the |ada-95| +language's standardization, thus guaranteeing that users would have a quality +implementation for transitioning to |ada-95| from |ada-83| or other languages. + +The following subsections provide additional detail on Ada language features. + +.. index:: single: Ada language; Scalar ranges + +Scalar ranges +~~~~~~~~~~~~~ + +Unlike languages based on C (such as C++, Java, and C#), Ada allows the +programmer to simply and explicitly specify the range of values that are +permitted for variables of scalar types (integer, floating-point, fixed-point, +and enumeration types). The attempted assignment of an out-of-range value +raises an exception, reflecting a run-time error. + +The ability to specify range constraints makes the programmer's intent +explicit and makes it easier to detect a major source of coding and user +input errors. It also provides useful information to static analysis tools +and facilitates automated proofs of program properties. + +Here's an example of an integer scalar range and an associated run-time check: + +.. code-block:: ada + + declare + My_Score : Integer range 1..100; + N : Integer; + begin + ... -- Code that assigns an integer value to N + My_Score := N; + -- A run-time check verifies that N is within the range 1 through 100, inclusive + -- If this check fails, the Constraint_Error exception is raised + end; + +The run-time check can be optimized out if the compiler can guarantee that +the value of :ada:`N` is within the range 1 through 100 when control reaches +the assignment to :ada:`My_Score`. + + +.. index:: single: Ada language; Contract-based programming +.. index:: single: Ada language; Preconditions +.. index:: single: Ada language; Postconditions + + +Contract-based programming +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +A feature introduced in Ada 2012 allows extending a subprogram specification +or a type/subtype declaration with a contract (a Boolean assertion). +Subprogram contracts take the form of preconditions and postconditions; +type contracts are used for invariants; and subtype contracts provide +generalized constraints (predicates). Through contracts the developer can +formalize the intended behavior of the application, and can +verify this behavior by testing, static analysis or formal proof. + +Here's a skeletal example that illustrates contact-based programming; a +:ada:`Table` object is a fixed-length container for distinct :ada:`Float` +values. + +.. code-block:: ada + + package Table_Pkg is + type Table is private; -- Encapsulated type + + function Is_Full (T : in Table) return Boolean; + + function Contains (T : in Table; + Item : in Float) return Boolean; + + procedure Insert (T : in out Table; Item: in Float) + with Pre => not Is_Full(T) and + not Contains(T, Item), + Post => Contains(T, Item); + + procedure Remove (T : in out Table; Item: in Float); + with Pre => Contains(T, Item), + Post => not Contains(T, Item); + ... + private + ... -- Full declaration of Table + end Table_Pkg; + + package body Table_Pkg is + ... -- Implementation of Is_Full, Contains, Insert, Remove + end Table_Pkg; + +A compiler option controls whether the pre- and postconditions are checked +at run time. If checks are enabled, any pre- or postcondition failure |mdash| +i.e., the contact's Boolean expression evaluating to :ada:`False` |mdash| +raises the :ada:`Assertion_Error` exception. + +.. index:: single: Ada language; Type invariants +.. index:: single: Ada language; Type/subtype predicates + +Ada's type invariants and type / subtype predicates specify +precisely what is and is not valid for any particular (sub)type, including +composite types such as records and arrays. For example, the code fragment +below specifies that field :ada:`Max_Angle` in the +:ada:`Launching_Pad` structure below is the maximal angle allowed, given the +distance :ada:`D` to the center of the launching pad and the height :ada:`H` +of the rocket. The compiler will insert the necessary run-time checks when a +:ada:`Launching_Pad` object is created, to verify this predicate as well as +the constraints on the individual fields: + +.. code-block:: ada + + subtype Meter is Float range 0.0 .. 200.0; + subtype Radian is Float range 0.0 .. 2.0 * Pi; + + type Launching_Pad is + record + D, H : Meter; + Max_Angle : Radian; + end record + with + Predicate => Arctan (H, D) <= Max_Angle; + +Further information about type invariants and type / subtype predicates +may be found in the *Design by contracts* chapter of the *Introduction to Ada* +course of :footcite:p:`Space_SW_AdaCore_AdaLearn`. + +.. index:: single: Ada language; Programming in the large + +Programming in the large +~~~~~~~~~~~~~~~~~~~~~~~~ + +The original |ada-83| design introduced the package construct, a feature +that supports encapsulation ("information hiding") and modularization, and +which allows the developer to control the namespace that is accessible +within a given compilation unit. |ada-95| introduced the concept of +"child units", which provides a hierarchical and extensible namespace +for library units and thus eases the design and maintenance of very large +systems. + +|ada-2005| extended the language's modularization facilities by allowing +mutual references between package specifications, thus making it easier +to interface with languages such as Java. + +.. index:: single: Ada language; Generic templates + +Generic templates +~~~~~~~~~~~~~~~~~ + +A key to reusable components is a mechanism for +parameterizing modules with respect to data types and other program entities. +A typical example is a data structure (e.g., a stack, FIFO queue, or +varying-length array) for an arbitrary element type :ada:`T`, where each element +of the data structure is of type :ada:`T`. +For safety and efficiency, compile-time checks should enforce type safety +both within the parameterized module, and at each use ("instantiation"). +Conceptually an +instantiation can be regarded as an expansion of the parameterized module, +with actual parameters replacing the formal parameters. However, the expansion +is not at the lexical/syntactic level (source text) but rather at the semantic +level (scope-resolved names). +In addition, an implementation may be able to share a single copy of the code +across multiple instantiations and thereby save code space. + +.. index:: Stroustrup (Bjarne) + +Ada supplies this functionality through a facility known as +*generics*, with type consistency enforced by the compiler both within +the generic unit and at each instantiation. Ada generics are analogous +to C++ templates but with more extensive compile-time checking: a data +object within a generic unit can only be processed using operations +that are known to be available for the object's type. (As a historical +note, at the ACM SIGPLAN Conference on History of Programming +Languages in 1993, the C++ designer Bjarne Stroustrup acknowledged the +Ada design for generics as one of the inspirations for templates in +C++ :footcite:p:`Space_SW_ACM_1993`.) + +.. index:: single: Ada language; Object-Oriented Programming (OOP) + +Object-Oriented Programming (OOP) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +|ada-83| was object-based, allowing the partitioning of a system into modules +(packages) corresponding to abstract data types or abstract objects. +Full OOP support was not provided since, first, it seemed not to be required +in the real-time domain that was Ada's primary target, and second, the +apparent need for automatic garbage collection in an Object Oriented language +would have interfered with predictable and efficient performance. + +However, large real-time systems often have components such as graphical user +interfaces (GUIs) that do not have hard real-time constraints and that can be +most effectively developed using OOP features. In part for this reason, +|ada-95| added comprehensive support for OOP, through its "tagged type" +facility: classes, polymorphism, inheritance, and dynamic binding. +These features do not require automatic garbage collection; instead, +definitional features introduced by |ada-95| allow the developer to supply +type-specific storage reclamation operations ("finalization"). + +|ada-2005| brought additional OOP features, including Java-like interfaces +and traditional :ada:`X.P(...)` notation for invoking operation :ada:`P(...)` +on object :ada:`X`. + +Ada is methodologically neutral and does not impose a distributed overhead +for OOP. If an application does not need OOP, then the OOP features do not +have to be used, and there is no run-time penalty. + +See :footcite:p:`Space_SW_Barnes_2014` or +:footcite:p:`Space_SW_AdaCore_2016` for more details. + +.. index:: single: Ada language; Concurrent programming (tasking) + +Concurrent programming +~~~~~~~~~~~~~~~~~~~~~~ + +Ada supplies a structured, high-level facility for concurrency. The unit of +concurrency is a program entity known as a "task". Tasks can communicate +implicitly via shared data or explicitly via a synchronous control +mechanism known as the rendezvous. A shared data item can be defined +abstractly as a "protected object" (a feature introduced in |ada-95|), +with operations executed under mutual exclusion when invoked from multiple +tasks. Protected objects provide the functionality of semaphores and +condition variables but more clearly and reliably (e.g., avoiding subtle +race conditions). + +Ada supports asynchronous task interactions for timeouts, software event +notifications, and task termination. Such asynchronous behavior is deferred +during certain operations, to prevent the possibility of leaving shared data +in an inconsistent state. Mechanisms designed to help take advantage +of multicore architectures were introduced in |ada-2012|. + +.. index:: single: Ada language; Systems programming + +Systems programming +~~~~~~~~~~~~~~~~~~~ + +Both in the core language and the Systems Programming Annex, Ada supplies +the necessary features for low-level / hardware-specific processing. +For example, the programmer can specify the bit layout for fields in a +record, define alignment and size properties, place data at specific machine +addresses, and express specialized code sequences in assembly language. +Interrupt handlers can also be written in Ada, using the protected object +facility. + +.. index:: single: Ada language; Real-time programming + +Real-time programming +~~~~~~~~~~~~~~~~~~~~~ + +Ada's tasking facility and the Real-Time Systems Annex support common idioms +such as periodic or event-driven tasks, with features that can help avoid +unbounded priority inversions. A protected object locking policy is defined +that uses priority ceilings; this has an especially efficient implementation +in Ada (mutexes are not required) since protected operations are not allowed +to block. |ada-95| defined a standard task dispatching policy in which a task +runs until blocked or preempted, and |ada-2005| introduced several others +including Earliest Deadline First. + +.. index:: single: Ada language; Time and space analysis + +Time and Space Analysis +~~~~~~~~~~~~~~~~~~~~~~~ + +.. rubric:: Timing verification + +Suitably subsetted, Ada (and SPARK) are amenable to the static analysis of +timing behavior. This kind of analysis is relevant for real-time systems, +where worst-case execution time (WCET) must be known in order to guarantee +that timing deadlines will always be met. Timing analysis is also of interest +for secure systems, where the issue might be to show that programs do not leak +information via so-called side-channels based on the observation of +differences in execution time. + +AdaCore does not produce its own WCET tool, but there are several such tools +on the market from partner companies, such as RapiTime from +Rapita Systems Ltd. + +.. rubric:: Memory usage verification + +Ada and SPARK can support the static analysis of worst-case memory +consumption, so that a developer can show that a program will never +run out of memory at execution time. + +In both SPARK and Ada, users can specify pragma :ada:`Restrictions` with the +standard arguments :ada:`No_Allocators` and +:ada:`No_Implicit_Heap_Allocations`. This will completely prevent heap usage, +thus reducing memory usage analysis to a worst-case computation of stack usage +for each task in a system. Stack size analysis is implemented directly in +AdaCore's GNATstack tool, as described in :ref:`GNATstack`. + +.. index:: single: Ada language; High-integrity systems +.. index:: single: Ada language; Memory safety +.. index:: Memory safety + +High-integrity systems +~~~~~~~~~~~~~~~~~~~~~~ + +With its emphasis on sound software engineering principles, Ada +supports the development of safety-critical and other high-integrity +applications, including those that need to be certified/qualified +against software standards such as |E-ST-40C| and |Q-ST-80C| for space +systems, |do-178c| for avionics +:footcite:p:`Space_SW_RTCA_EUROCAE_2011a`, and CENELEC |en-50128| for +rail systems :footcite:p:`Space_SW_CENELEC_2020b`. Similarly, Ada (and +its SPARK subset) can help developers produce high Evaluation +Assurance Level (EAL) code that meets security standards such as the +Common Criteria :footcite:p:`Space_SW_CCDB_2022`. Key to Ada's +support for high-assurance software is the language's memory safety; +this is illustrated by a number of features, including: + +* Strong typing + + Data intended for one purpose will only be accessed via operations that are + legal for that data item's type, so errors such as treating pointers as + integers (or vice versa) are prevented. (Low-level code sometimes needs to + defeat the language's type checking; e.g., by treating "raw bits" as a + value of a specific type. As a language that supports systems programming, + Ada allows such usages but requires explicit syntax that makes the intent + clear.) + +* Array bounds checking + + A run-time check guarantees that an array index is within the bounds of + the array. This prevents buffer overrun vulnerabilities that + are common in C and C++. In many cases a compiler optimization can + detect statically that the index is within bounds and thus eliminate + any run-time code for the check. + +* Prevention of null pointer dereferences + + As with array bounds, pointer dereferences are checked to make sure that + the pointer is not null. Again, such checks can often be optimized out. + +* Prevention of dangling references + + A scope accessibility check ensures that a pointer (known in Ada as an + *access value*) cannot reference an object on the stack after exit/return + from the scope (block or subprogram) in which the object is declared. + Such checks prevent dangling references to stack objects (i.e., subprogram + parameters and local variables) and are generally static, with no run-time + overhead. + (Since Ada does not require garbage collection + of inaccessible dynamically allocated objects, it provides an + :ada:`Unchecked_Deallocation` facility for programmer-supplied + deallocation. Uses of this feature require explicit syntax |mdash| + a :ada:`with` clause at the beginning of the compilation unit. + This makes clear that special attention needs to be paid to verification, + since erroneous deallocations can lead to dangling references.) + +The evolution of Ada has seen a continued increase in support for +safety-critical and high-security applications. |ada-2005| +standardized the Ravenscar Profile +:footcite:p:`Space_SW_Burns_et_al_2003`, a collection of concurrency +features that are powerful enough for real-time programming but simple +enough to make safety certification practical. |ada-2012| introduced +contract-based programming facilities, allowing the programmer to +specify preconditions and/or postconditions for subprograms, and +invariants for encapsulated (private) types. These can serve both for +run-time checking and as input to static analysis tools. + +The most recent version of the standard, Ada 2022, has added several +contract-based programming constructs inspired by SPARK +(:ada:`Contract_Cases`, :ada:`Global`, and :ada:`Depends` aspects) +and, more generally, has enhanced the language's expressiveness. +For example, Ada 2022 has introduced some new syntax in its +concurrency support and has defined the Jorvik tasking profile, +which is more inclusive than Ravenscar. + +.. index:: Coding standard enforcement + +Enforcing a coding standard +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Ada is a large language, suitable for general-purpose programming, but +the full language may be inappropriate in a safety- or security-critical +application. The generality and flexibility of some features |mdash| +especially those with complex run-time semantics |mdash| complicate +analysis and could interfere with traceability / certification +requirements or impose too large a memory footprint. A project will +then need to define and enforce a coding standard that prohibits +problematic features. Several techniques are available: + +* pragma :ada:`Restrictions` + + This standard Ada pragma allows the user to specify constructs + that the compiler will reject. Sample restrictions include dependence + on particular packages or language facilities, or usage + of features requiring unwanted implementation techniques (e.g. run-time + support that is overly complex and difficult to certify). + +* pragma :ada:`Profile` + + This standard Ada pragma provides a common name for a collection + of related :ada:`Restrictions` pragmas. The predefined pragma + :ada:`Profile(Ravenscar)` is a shorthand for the various restrictions + that comprise the Ravenscar tasking subset. + +.. index:: GNATcheck +.. index: GNAT Static Analysis Suite; GNATcheck + +* Static analysis tool (coding standard enforcer) + + Other restrictions on Ada features can be detected by AdaCore's + automated GNATcheck tool (see :ref:`GNATcheck`) that is included + with the GNAT Pro Ada Static Analysis Suite. The developer can + configure this rule-based and tailorable tool to flag violations + of the project's coding standard, such as usage of specific + prohibited types or subprograms defined in otherwise-permitted + packages. + +.. index:: single: Ada language; ECSS standards support + +.. _Ada_and_the_ECSS_Standards: + +Ada and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +|E-ST-40C| covers software engineering practice, and |Q-ST-80C| covers +software product assurance, and both of these areas are "sweet spots" +that match Ada's strengths. Please see :ref:`Compliance_with_ECSS-E-ST-40C` +and :ref:`Compliance_with_ECSS-Q-ST-80C` to learn how +specific clauses in these standards relate to individual Ada features. +In summary, the use of Ada can help the software supplier meet +the requirements in the following sections: + +* |E-ST-40C| + + * |sect|\ 5.4 Software requirements and architecture engineering process + + * |sect|\ 5.4.3 Software architecture design + + * |sect|\ 5.5 Software design and implementation engineering process + + * |sect|\ 5.5.2 Design of software items + + * |sect|\ 5.8 Software verification process + + * §5.8.3 Verification activities + + * |sect|\ 5.9 Software operation process + + * §5.9.4 Software operation support + + * |sect|\ 5.10 Software maintenance process + + * |sect|\ 5.10.4 Modification implementation + + * |sect|\ 5.11 Software security process + + * |sect| 5.11.2 Process implementation + + * |sect| 5.11.3 Software security analysis + + * |sect| 5.11.5 Security activities in the software life cycle + + * Annex U - Software code verification + +* |Q-ST-80C| + + * |sect|\ 6.2 Requirements applicable to all software engineering processes + + * |sect|\ 6.2.3 Handling of critical software + + * |sect|\ 6.2.9 Software security + + * |sect|\ 6.2.10 Handling of security sensitive software + + * |sect|\ 6.3 Requirements applicable to individual software engineering + processes or activities + + * |sect|\ 6.3.4 Coding + + * |sect|\ 7.2 Product quality requirements + + * |sect|\ 7.2.2 Design and related documentation + +In brief, Ada is an internationally standardized language combining +object-oriented programming features, well-engineered concurrency facilities, +real-time predictability and performance, and built-in reliability through +both compile-time and run-time checks. With its support for producing +software that is correct, maintainable, and efficient, the language is +especially well suited for writing space applications. + +SPARK +----- + +.. index:: single: SPARK language; Summary + +SPARK Basics +~~~~~~~~~~~~ + +SPARK (:footcite:p:`Space_SW_AdaCore_Capgemini_Web`, +:footcite:p:`Space_SW_McCormick_Chapin_2015`) is a software +development technology (programming language and verification toolset) +specifically oriented around applications demanding an ultra-low +defect level, for example where safety and/or security are key +requirements. SPARK Pro is the commercial-grade offering of the SPARK +technology developed by AdaCore, Capgemini Engineering (formerly +Altran), and Inria. As will be described in +:ref:`Static_Verification_SPARK_Pro`, the main component in the +toolset is GNATprove, which performs formal verification on SPARK +code. + +SPARK has an extensive industrial track record. Since its inception in the +late 1980s it has been used worldwide in a wide variety of applications, +including civil and military avionics, space satellite control, air traffic +management / control, railway signaling, cryptographic software, medical +devices, automotive systems, and cross-domain solutions. SPARK 2014 is the +most recent version of the technology. + +The SPARK language has been stable over the years, with periodic enhancements. +The 2014 version of SPARK represented a major revision, incorporating +contract-based programming syntax from Ada 2012, and subsequent upgrades +included support for pointers (access types) based on the Rust ownership +model. + +.. index:: single: SPARK language; Memory safety +.. index:: Memory safety + +The SPARK language is a large subset of Ada 2012 and is memory safe. +It includes as much of the Ada language as is possible / practical to +analyze formally, while eliminating sources of undefined and +implementation-dependent behavior. +SPARK includes Ada's program structure support (packages, generics, child +libraries), most data types, safe pointers, contract-based programming +(subprogram pre- and postconditions, scalar ranges, type/subtype predicates), +Object-Oriented Programming, and the Ravenscar subset of the tasking features. + +Principal exclusions are side effects in functions and expressions, +problematic aliasing of names, exception handling, pointer functionality +that may be unsafe, and most tasking features. + +.. index:: single: SPARK language; Soundness + +A legal SPARK program has unambiguous semantics: its effect is precisely +defined and does not depend on the implementation. This property helps +ensure the soundness of static verification; i.e., the +absence of "false negatives". If the SPARK tools report that a program does +not have a specific vulnerability, such as a reference to an uninitialized +variable, then that conclusion can be trusted with mathematical certainty. +Soundness builds confidence in the tools, provides evidence-based assurance, +completely removes many classes of dangerous defects, and significantly +simplifies subsequent verification effort (e.g., testing), owing to less +rework. Moreover, the SPARK tools achieve soundness while keeping +"false positives" manageable. + +SPARK offers the flexibility of configuring the language on a per-project +basis. Restrictions can be fine-tuned based on the relevant coding standards +or run-time environments. + +SPARK code can easily be combined with full Ada code or with C, so that new +systems can be built on and reuse legacy codebases. Moreover, the same code +base can have some sections in SPARK and others excluded from SPARK analysis +(SPARK and non-SPARK code can also be mixed in the same package or +subprogram). + +.. index:: single: SPARK language; Formal methods + +Software verification typically involves extensive testing, including unit +tests and integration tests. Traditional testing methodologies are a major +contributor to the high delivery costs for safety-critical software. +Furthermore, testing can never be complete and thus may fail to detect errors. +SPARK addresses this issue by using automated proof (embodying +mathematics-based formal methods) to demonstrate program +integrity properties up to functional correctness at the subprogram level, +either in combination with or as a replacement for unit testing. In the +high proportion of cases where proofs can be discharged automatically, +the cost of writing unit tests may be completely avoided. Moreover, +verification by proofs covers all execution conditions and not just a sample. + +Here is an example of SPARK code: + +.. code-block:: ada + + package Example is + N : Positive := 100; -- N constrained to 1 .. Integer'Last + + procedure Decrement (X in out Integer) + with Global => (Input => N), + Depends => (X => (X, N)), + Pre => X >= Integer'First + N, + Post => X = X'Old - N; + end Example; + + package body Example is + procedure Decrement (X in out Integer) is + begin + X := X - N; + end Decrement; + end Example; + +The :ada:`with` constructs, known as "aspects", here define the +:ada:`Decrement` procedure's contracts: + +* :ada:`Global`: the only access to non-local data is to read the value of + :ada:`N` + +* :ada:`Depends`: the value of :ada:`X` on return depends only on :ada:`N` + and the value of :ada:`X` on entry + +* :ada:`Pre`: a Boolean condition that the procedure assumes on entry + +* :ada:`Post`: a Boolean condition that the subprogram guarantees on return + +In this example the SPARK tool can verify the :ada:`Global` and :ada:`Depends` +contracts and can also prove several dynamic properties: no run-time errors +will occur during execution of the :ada:`Decrement` procedure, and, if the +:ada:`Pre` contract is met when the procedure is invoked then the :ada:`Post` +contract will be satisfied on return. + +SPARK (and the SPARK proof tools) work with Ada 2012 syntax, but a SPARK +program can also be expressed in Ada 95, with contracts captured as pragmas. + +Ease of Adoption +~~~~~~~~~~~~~~~~ + +User experience has shown that the language and the SPARK Pro toolset +do not require a steep learning curve. Training material such as +AdaCore's online AdaLearn course for SPARK +:footcite:p:`Space_SW_AdaCore_AdaLearn` can quickly bring developers +up to speed; users are assumed to be experts in their own application +domain such as space technology and do not need to be familiar with +formal methods or the proof approaches implemented by the toolset. In +effect, SPARK Pro is an advanced static analysis tool that will detect +many logic errors and security vulnerabilities very early in the +software life cycle. It can be smoothly integrated into an +organization's existing development and verification methodology and +infrastructure. + +SPARK uses the standard Ada 2012 contract syntax, which both simplifies the +learning process and also allows new paradigms of software verification. +Programmers familiar with writing executable contracts for run-time assertion +checking can use the same approach but with additional flexibility: the +contracts can be verified either dynamically through classical run-time +testing methods or statically (i.e., pre-compilation and pre-test) using +automated tools. + +.. index:: single: SPARK language; Levels of adoption + +.. _Levels_of_Adoption_of_Formal_Methods: + +Levels of Adoption of Formal Methods +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Formal methods are not an "all or nothing" technique. It is possible and +in fact advisable for an organization to introduce the methodology in a +stepwise manner, with the ultimate level depending on the assurance +requirements for the software. This approach is documented in +:footcite:p:`Space_SW_AdaCore_Thales_2020`, +which details the levels of adoption, including the benefits and costs at +each level, based on the practical experience of a major aerospace company +in adopting formal methods incrementally; the development team did not have +previous knowledge of formal methods. The levels are additive; all the +checks at one level are also performed at the next higher level. + +Stone level: Valid SPARK +^^^^^^^^^^^^^^^^^^^^^^^^ + +As the first step, a project can implement as much of the code as is possible +in the SPARK subset, run the SPARK analyzer on the codebase (or new code), +and look at violations. For each violation, the developer can decide whether +to convert the code to valid SPARK or exclude it from analysis. The benefits +include easier maintenance for the SPARK modules (no aliasing, no side effects +in functions) and project experience with the basic usage of formal methods. +The costs include the effort that may be required to convert the code to SPARK +(especially if there is heavy use of pointers). + +Bronze level: Initialization and correct data flow +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This level entails performing flow analysis on the SPARK code to verify +intended data usage. The benefits include assurance of no reads of +uninitialized variables, no interference between parameters and global +objects, no unintended access to global variables, and no race conditions +on accesses to shared data. The costs include a conservative analysis of +arrays (since indices may be computed at run time) and potential +"false alarms" that need to be inspected. + +.. index:: single: SPARK language; Absence of run-time errors (AORTE) + +Silver level: Absence of run-time errors (AORTE) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +At the Silver level, the SPARK proof tool performs flow analysis, locates all +potential run-time checks (e.g., array indexing), and then attempts to prove +that none will fail. If the proof succeeds, this brings all the benefits of +the Bronze level plus the ability to safely compile the final executable +without exception checks. Critical software should aim for at least this +level. The cost is the additional effort needed to obtain provability. +In some cases (if the programmer knows that an unprovable check will always +succeed, for example because of hardware properties) it may be necessary to +augment the code with pragmas to help the prover. + +Gold level: Proof of key integrity properties +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +At the Gold level, the proof tool will verify properties such as correctness +of critical data invariants or safe transitions between program states. +Subprogram pre- and postconditions and subtype predicates are especially +useful here, as is "ghost" code that serves only for verification and is not +part of the executable. A benefit is that the proofs can be used for safety +case rationale, to replace certain kinds of testing. The cost is increased +time for tool execution, and the possibility that some properties may be +beyond the abilities of current provers. + +Platinum level: Full functional correctness +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +At the Platinum level, the algorithmic code is proved to satisfy its formally +specified functional requirements. This is still a challenge in practice for +realistic programs but may be appropriate for small critical modules, +especially for security-critical systems at high Evaluation Assurance Levels +where formal methods can provide the needed confidence. + +.. index:: single: SPARK language; Hybrid verification + +.. _Hybrid_Verification: + +Hybrid Verification +~~~~~~~~~~~~~~~~~~~ + +Hybrid verification combines formal methods with traditional testing. +A typical scenario is an in-progress project that is based on testing but +which has high-assurance requirements that can best be demonstrated +through formal methods. The new code will be in SPARK; and the adoption +level depends on the experience of the project team (typically Stone at +the start, then progressing to Bronze or Silver). The existing codebase +may be in Ada or other languages. To maximize the precision of the SPARK +analysis, the subprograms that the SPARK code will be invoking should +have relevant pre- and postconditions expressing the subprograms' low-level +requirements. If the non-SPARK code is not in Ada, then the pre- and +postconditions should be included on the Ada subprogram specification +corresponding to the imported function; here is an example. + +.. code-block:: ada + + function getascii return Interfaces.C.unsigned_char + with Post => getascii'Result in 0..127; + + pragma Import (C, getascii); + -- Interfaces.C.unsigned_char is a modular (unsigned) + -- integer type, typically ranging from 0 through 255 + + procedure Example is + N : Interfaces.C.unsigned_char range 0 .. 127; + begin + N := getascii; + -- SPARK can prove that no range check is needed + end Example; + +The verification activity depends on whether the formally verified code +invokes the tested code or vice versa. + +* The SPARK code calls a tested subprogram + + If the tested subprogram has a precondition, the SPARK code is checked + at each call site to see if the precondition is met. Any call that the + proof tool cannot verify for compliance with the precondition needs to be + inspected to see why the precondition cannot be proved. It could be a + problem with the precondition, a problem at the call site, or a limitation + of the prover. + + The postcondition of the called subprogram can be assumed to be valid at + the point following the return, although the validity needs to be + established by testing. In the example above, testing would + need to establish that the :ada:`getascii` function only returns a result + in the range 0 through 127. + +* The SPARK code is invoked from tested code + + Testing would need to establish that, at each call, the precondition of the + SPARK subprogram is met. Since the SPARK subprogram has been formally + verified, at the point of return the subprogram’s postcondition is known + to be satisfied. Testing of the non-SPARK code can take advantage of this + fact, thereby reducing the testing effort. + +Hybrid verification can be performed within a single module; e.g., a package +can specify different sections where SPARK analysis is or is not to be +performed. + +.. index:: single: SPARK language; ECSS standards support + +.. _SPARK_and_the_ECSS_Standards: + +SPARK and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In summary, the qualities that make Ada an appropriate choice for space +software also apply to SPARK (see :ref:`Ada_and_the_ECSS_Standards`). +And specific to SPARK, the static determination that the code is free +from run-time errors ("Silver" level of SPARK adoption) can significantly +reduce the effort in showing that the application is sufficiently safe +and secure. + +The use of SPARK can help the software supplier meet the requirements in the +following sections of |E-ST-40C| and |Q-ST-80C|: + +* |E-ST-40C| + + * |sect|\ 5.4 Software requirements and architecture engineering process + + * |sect|\ 5.4.3 Software architecture design + + * |sect|\ 5.5 Software design and implementation engineering process + + * |sect|\ 5.5.2 Design of software items + + * |sect|\ 5.8 Software verification process + + * §5.8.3 Verification activities + + * |sect|\ 5.10 Software maintenance process + + * |sect|\ 5.10.4 Modification implementation + + * |sect|\ 5.11 Software security process + + * |sect| 5.11.2 Process implementation + + * |sect| 5.11.3 Software security analysis + + * |sect| 5.11.5 Security activities in the software life cycle + + * Annex U Software code verification + +* |Q-ST-80C| + + * |sect|\ 6.2 Requirements applicable to all software engineering processes + + * |sect|\ 6.2.3 Handling of critical software + + * |sect|\ 6.2.9 Software security + + * |sect|\ 6.2.10 Handling of security sensitive software + + * |sect|\ 6.3 Requirements applicable to individual software engineering + processes or activities + + * |sect|\ 6.3.4 Coding + + * |sect|\ 7.2 Product quality requirements + + * |sect|\ 7.2.2 Design and related documentation + +Note in particular that the SPARK language directly addresses several criteria +in |Q-ST-80C| requirement 6.2.3.2a: + +* "use of a 'safe subset' of programming language" +* "use of formal design language for formal proof" + +Further details on how SPARK and SPARK Pro can contribute to compliance +with the ECSS standards are presented in :ref:`Compliance_with_ECSS-E-ST-40C` +and :ref:`Compliance_with_ECSS-Q-ST-80C`. + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-dva-cwe.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-dva-cwe.csv new file mode 100644 index 000000000..bfc6cb76e --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-dva-cwe.csv @@ -0,0 +1,18 @@ +CWE weakness,Description +"CWE 120, 124, 125, 126, 127, 129, 130, 131",Buffer overflow/underflow +"CWE 136, 137","Variant record field violation, Use of incorrect type in inheritance hierarchy" +"CWE 190, 191",Numeric overflow/underflow +"CWE 362, 366",Race condition +CWE 369,Division by zero +CWE 457,Use of uninitialized variable +CWE 476,Null pointer dereference +CWE 561,Dead (unreachable) code +CWE 563,Unused or redundant assignment +CWE 570,Expression is always false +CWE 571,Expression is always true +CWE 628,Incorrect arguments in call +CWE 667,Improper locking +CWE 682,Incorrect calculation +CWE 820,Missing synchronization +CWE 821,Incorrect synchronization +CWE 835,Infinite loop diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-object-coverage-vs-criticality.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-object-coverage-vs-criticality.csv new file mode 100644 index 000000000..8e8a807cf --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-object-coverage-vs-criticality.csv @@ -0,0 +1,2 @@ +Code coverage versus criticality category,A,B,C,D +Object code coverage,100.00%,N/A,N/A,N/A diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-source-coverage-vs-criticality.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-source-coverage-vs-criticality.csv new file mode 100644 index 000000000..938e1600a --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-source-coverage-vs-criticality.csv @@ -0,0 +1,4 @@ +Code coverage versus criticality category,A,B,C,D +Source code statement coverage,100.00%,100.00%,TBA,TBA +Source code decision coverage,100.00%,100.00%,TBA,TBA +Source code modified condition and decision coverage,100.00%,TBA,TBA,TBA diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-spark-cwe.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-spark-cwe.csv new file mode 100644 index 000000000..e10e492ce --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-spark-cwe.csv @@ -0,0 +1,22 @@ +CWE Weakness,Description +"CWE 119, 120, 123, 124, 125, 126, 127, 129, 130, 131",Buffer overflow/underflow +"CWE 136, 137","Variant record field violation, Use of incorrect type in inheritance hierarchy" +CWE 188,Reliance on data layout +"CWE 190, 191",Numeric overflow/underflow +CWE 193,Off-by-one error +CWE 194,Unexpected sign extension +CWE 197,Numeric truncation error +"CWE 252, 253",Unchecked or incorrectly checked return value +CWE 366,Race Condition +CWE 369,Division by zero +"CWE 456, 457",Use of uninitialized variable +"CWE 466, 468, 469",Pointer errors +CWE 476,Null pointer dereference +CWE 562,Return of stack variable address +CWE 563,Unused or redundant assignment +CWE 682,Range constraint violation +"CWE 786, 787, 788, 805",Buffer access errors +CWE 820,Missing synchronization +CWE 821,Incorrect synchronization +"CWE 822, 823, 824, 825",Pointer errors +CWE 835,Infinite loop diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-e40C-compliance-summary.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-e40C-compliance-summary.csv new file mode 100644 index 000000000..f2816aff2 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-e40C-compliance-summary.csv @@ -0,0 +1,10 @@ +.. csv-table:: Technology Support for ECSS-E-ST-40C Compliance + + Technology, |sect|\ 5.4, |sect|\5.5, |sect|\ 5.6, |sect|\ 5.7, |sect|\ 5.8, |sect|\ 5.9, |sect|\ 5.10, |sect|\ 5.11, Annex U + Ada language, |check| , |check| , |blankcell|, |blankcell|, |check| , |blankcell|, |check| , |check| , |check| + SPARK language, |check| , |check| , |blankcell|, |blankcell|, |check| , |blankcell|, |check| , |check| , |check| + GNAT Pro for Ada, |check| , |check| , |check| , |check| , |check| , |blankcell|, |check| , |check| , |check| + SPARK Pro, |check| , |check| , |check| , |blankcell|, |check| , |blankcell|, |check| , |check| , |check| + GNAT SAS, |blankcell|, |check| , |check| , |blankcell|, |check| , |blankcell|, |check| , |check| , |check| + GNAT DAS, |blankcell|, |check| , |check| , |blankcell|, |check| , |blankcell|, |check| , |check| , |blankcell| + GNAT Pro Assurance, |check| , |check| , |check| , |check| , |check| , |check| , |check| , |check| , |check| \ No newline at end of file diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-q80c-compliance-summary.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-q80c-compliance-summary.csv new file mode 100644 index 000000000..ad84ef269 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-q80c-compliance-summary.csv @@ -0,0 +1,11 @@ +.. csv-table:: Technology Support for ECSS-Q-ST-80C Compliance + + Technology, |sect|\ 5 , |sect|\6 , |sect|\ 7 + Ada language, |blankcell|, |check| , |check| + SPARK language, |blankcell|, |check| , |check| + GNAT Pro for Ada, |check| , |check| , |check| + SPARK Pro, |check| , |check| , |check| + GNAT SAS, |check| , |check| , |check| + GNAT DAS, |check| , |check| , |check| + GNAT Pro Assurance, |check| , |check| , |check| + IDE, |check| , |check| , |check| \ No newline at end of file diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-verification-support.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-verification-support.csv new file mode 100644 index 000000000..6aa50db14 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-verification-support.csv @@ -0,0 +1,32 @@ +.. Not needed, it was converted to a grid table + +.. csv-table:: + :header-rows: 1 + :widths: 23, 37, 40 + + Verification check #,Technology,Explanation + 1,Ada language,Run-time check\ :superscript:`*` + 1,SPARK language,Static check + 1,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 2,Ada language,Run-time check\ :superscript:`*` + 2,SPARK language,Static check + 2,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 3,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 3,GNATcheck (in GNAT Static Analysis Suite),User-defined rule + 4,Ada and SPARK languages, Static check + 5,Ada and SPARK languages, Static check + 5,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 6,Ada and SPARK languages, Static check + 7,Ada and SPARK languages, Static check + 8,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 9,Ada language,Run-time check\ :superscript:`*` + 9,SPARK language,Static check + 9,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 10,SPARK language,Static check + 10,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 11,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 12,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 12,Ada Language,Run-time check\ :superscript:`***` + 13,Ada and SPARK languages, Static check + 14,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst new file mode 100644 index 000000000..5cc5a712c --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst @@ -0,0 +1,1320 @@ +.. include:: ../../../global.txt + +.. _Tools_for_Space_Software_Development: + +Tools for Space Software Development +==================================== + +This chapter explains how suppliers of space software can benefit from +AdaCore's products. The advantages stem in general from reduced life cycle +costs for developing and verifying high-assurance software. More +specifically, in connection with space software qualification, several +tools can help to show that an application complies with the requirements +in |E-ST-40C| and |Q-ST-80C|. + +.. index:: Software life cycle, "V" diagram (software life cycle) + +AdaCore Tools and the Software Life Cycle +----------------------------------------- + +The software life cycle is often depicted as a "V" diagram, and the figure below +shows how AdaCore's major products fit into the various stages. Although the +stages are rarely performed as a single sequential process |mdash| the phases +typically involve feedback / iteration, and requirements often evolve as a +project unfolds |mdash| the "V" chart is useful in characterizing the various +kinds of activities that occur. + +.. figure:: ../images/v-diagram.png + :align: center + +As can be seen in the figure, AdaCore's toolsuites apply towards the bottom +of the "V". In summary: + +.. index:: single: SPARK Pro; Software life cycle +.. index:: single: Software life cycle; SPARK Pro + +* The SPARK Pro static analysis toolsuite + (see :ref:`Static_Verification_SPARK_Pro`) applies during Detailed Design and + Software Development. It includes a proof tool that verifies properties + ranging from correct information flows to functional correctness. + +.. index:: single: GNAT Pro for Ada; Software life cycle +.. index:: single: Software life cycle; GNAT Pro + +* The GNAT Pro development environment + (see :ref:`GNAT_Pro_Development_Environment`) applies during + Detailed Design, Software Development, and Unit Testing. It consists of + gcc-based program build tools, an integrated and tailorable graphical user + interface, accompanying tools, and a variety + of supplemental libraries (including some for which qualification material + is available for |E-ST-40C| and |Q-ST-80C|.) + +.. index:: single: GNAT Static Analysis Suite (GNAT SAS); Software life cycle +.. index:: single: Software life cycle; GNAT Static Analysis Suite (GNAT SAS) + +* The GNAT Static Analysis Suite + (see :ref:`Static_Verification_GNAT_Static_Analysis_Suite_GNAT_SAS`) + applies during Software Development. It contains a variety of tools for Ada, + including a vulnerability detector that can be used retrospectively to + detect issues in existing codebases and/or during new projects to prevent + errors from being introduced. + +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); Software life cycle +.. index:: single: Software life cycle; GNAT Dynamic Analysis Suite (GNAT DAS) + +* The GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) applies during Software + Development and Unit Testing. One of these tools, GNATcoverage, supports + code coverage and reporting at various levels of granularity for both Ada + and C. It can be used during unit and integration testing. + +The following sections describe the tools in more detail and show how they can +assist in developing and verifying space system software. + +.. index:: single: SPARK Pro; Static verification + +.. _Static_Verification_SPARK_Pro: + +Static Verification: SPARK Pro +------------------------------ + +SPARK Pro is an advanced static analysis toolsuite for the SPARK subset of +Ada, bringing mathematics-based confidence to the verification of critical +code. Built around the GNATprove formal analysis and proof tool, SPARK Pro +combines speed, flexibility, depth and soundness, while minimizing the +generation of "false alarms". It can be used for new high-assurance code +(including enhancements to or hardening of existing codebases at lower +assurance levels, written in full Ada or other languages such as C) or +projects where the existing high-assurance coding standard is sufficiently +close to SPARK to ease transition. + +Powerful Static Verification +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The SPARK language supports a wide range of static verification techniques. +At one end of the spectrum is basic data- and control-flow analysis; i.e., +exhaustive detection of errors such as attempted reads of uninitialized +variables, and ineffective assignments (where a variable is assigned a +value that is never read). For more critical applications, dependency +contracts can constrain the information flow allowed in an application. +Violations of these contracts |mdash| potentially representing violations +of safety or security policies |mdash| can then be detected even before +the code is compiled. + +In addition, SPARK supports mathematical proof and can thus provide high +confidence that the software meets a range of assurance requirements: +from the absence of run-time exceptions, to the enforcement of safety or +security properties, to compliance with a formal specification of the +program's required behavior. + +As described earlier (see :ref:`Levels_of_Adoption_of_Formal_Methods`), +the SPARK technology can be introduced +incrementally into a project, based on the assurance requirements. Each +level, from Bronze to Platinum, comes with associated benefits and costs. + +.. index:: single: SPARK Pro; Minimal run-time footprint + +Minimal Run-Time Footprint +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Developers of systems with security requirements are generally advised to +"minimize the trusted computing base", making it as small as possible so that +high-assurance verification is feasible. However, adhering to this principle +may be difficult if a Commercial Off-the-Shelf (COTS) library or operating +system is used: how are these to be evaluated or verified without the close +(and probably expensive) cooperation of the COTS vendor? + +For the most critical embedded systems, SPARK supports the so-called +"Bare-Metal" development style, where SPARK code is running directly on a +target processor with little or no COTS libraries or operating system at all. +SPARK is also designed to be compatible with GNAT Pro's Light run-time +library. In a Bare-Metal / light run-time development, every byte of object +code can be traced to the application’s source code and accounted for. +This can be particularly useful for systems that must undergo evaluation by +a national technical authority or regulator. + +SPARK code can also run with a specialized run-time library on top of a +real-time operating system (RTOS), or with a full Ada run-time library and +a commercial desktop operating system. The choice is left to the system +designer, not imposed by the language. + +.. index:: single: SPARK Pro; CWE compatibility +.. index:: single: Common Weakness Enumeration (CWE) compatibility; SPARK Pro +.. index:: MITRE Corporation + +CWE Compatibility +~~~~~~~~~~~~~~~~~ + +SPARK Pro detects a number of dangerous software errors in The MITRE +Corporation's Common Weakness Enumeration (CWE), and the tool has been +certified by the MITRE Corporation as a "CWE-Compatible" product +:footcite:p:`Space_SW_MITRE_Web`. + +The table below lists the CWE weaknesses detected by SPARK Pro: + +.. csv-table:: SPARK Pro and the CWE + :file: table-spark-cwe.csv + :widths: 20, 70 + :header-rows: 1 + +.. index:: single: SPARK Pro; ECSS standards support + +SPARK Pro and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +SPARK Pro can help a space software supplier in various ways. At a general +level, the technology supports the development of analyzable and portable +code: + +* The tool enforces a number of Ada restrictions that are appropriate for + high-assurance software. For example, the use of tasking constructs outside + the Ravenscar subset will be flagged. + +* The full Ada language has several implementation dependencies that can + result in the same source program yielding different results when compiled + by different compilers. For example, the evaluation order in expressions is + not specified, and different orderings may produce different values if one + of the terms has a side effect. (A detailed discussion of this issue and its + mitigation may be found in :footcite:p:`Space_SW_Brosgol_2021`.) + Such implementation dependencies are either prohibited in SPARK and thus + detected by SPARK Pro, or else they do not affect the computed result. + In either case the use of SPARK Pro eases the effort in porting the code + from one environment to another. + +More specifically, using the SPARK Pro technology can help the supplier meet +|E-ST-40C| and |Q-ST-80C| requirements in a number of areas. These comprise +the ones mentioned earlier (see :ref:`SPARK_and_the_ECSS_Standards`) that +relate to the SPARK language, together with the following: + +* |E-ST-40C| + + * §5.4 Software requirements and architecture engineering process + + * §5.4.3 Software architecture design + + * §5.5 Software design and implementation engineering process + + * §5.5.2 Design of software items + + * §5.6 Software validation process + + * §5.6.3 Validation activities with respect to the technical + specification + * §5.6.4 Validation activities with respect to the requirements + baseline + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + + * §5.11.3 Software security analysis + + * §5.11.5 Security activities in the software life cycle + + * Annex U - Software code verification + +* ECSS-Q-ST-80C + + * §5.6 Tools and supporting environment + + * §5.6.1 Methods and tools + + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + + * §6.2.9 Software security + + * §6.2.10 Handling of security sensitive software + + * §6.3 Requirements applicable to individual software engineering processes or activities + + * §6.3.4 Coding + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + + * §7.2 Product quality requirements + + * §7.2.3 Test and validation documentation + +Details are provided in chapters :ref:`Compliance_with_ECSS-E-ST-40C` and +:ref:`Compliance_with_ECSS-Q-ST-80C`. + +.. _GNAT_Pro_Development_Environment: + +GNAT Pro Development Environment +-------------------------------- + +.. index:: GNAT Pro for C, GNAT Pro for C++, GNAT Pro for Rust + +This section summarizes the main features of the two editions of AdaCore's +|gnatpro| language toolsuite, *Enterprise* and *Assurance*. +These editions correspond to different levels of customer requirements and +are available for Ada, C, C++, and Rust. + +.. index:: single: GNAT Pro for Ada; Summary + +Based on the GNU GCC technology, |gnatpro| for Ada supports the |ada-83|, +|ada-95|, |ada-2005|, and |ada-2012| standards, as well as selected features +of |ada-2022|. It includes: + +* several Integrated Development Environments + (See :ref:`Integrated_Development_Environments_IDEs`); +* a comprehensive toolsuite including a stack analysis tool + (see :ref:`GNATstack`) and a visual debugger; +* a library that enables customers to develop their own + source analysis tools for project-specific needs + (see :ref:`Libadalang`); and +* other useful libraries and bindings. + +For details on the tools and libraries supplied with |gnatpro| for +Ada, see :footcite:p:`Space_SW_AdaCore_Web_UG_Native` and +:footcite:p:`Space_SW_AdaCore_Web_UG_Cross`. + +Other |gnatpro| products handle multiple versions of C (from C89 +through C18), C++ (from C++98 through C++17), and Rust. + +.. index:: GNAT Pro Enterprise + +.. _GNAT_Pro_Enterprise: + +GNAT Pro Enterprise +~~~~~~~~~~~~~~~~~~~ + +*GNAT Pro Enterprise* is a development environment for producing critical +software systems where reliability, efficiency, and maintainability are +essential. +Several features of |gnatpro| for Ada are noteworthy: + +.. rubric:: Run-Time Library Options + +The product allows a variety of choices for the run-time +library, based on the target platform. In addition to the Standard run-time, +which is available for platforms that can support the full language +capabilities, the product on some bare-metal or RTOS targets also includes +restricted libraries that reduce the footprint and/or help simplify safety +certification: + +.. index:: single: GNAT Pro Enterprise; Light run-time library +.. index:: Light run-time library + +* The *Light Run-Time* library offers a minimal application footprint while + retaining compatibility with the SPARK subset and verification tools. + It supports a non-tasking Ada subset suitable for certification / + qualification and/or storage-constrained embedded applications. + It supersedes the ZFP (Zero FootPrint) and Cert run-time libraries from + previous |gnatpro| releases. + +.. index:: single: GNAT Pro Enterprise; Light-tasking run-time library +.. index:: Light-tasking run-time library +.. index:: Ravenscar profile +.. index:: Jorvik profile + +* The *Light-Tasking Run-Time* library augments the Light run-time library + with support for the Ravenscar and Jorvik tasking profiles. It supersedes the + Ravenscar-Cert and Ravenscar-SFP libraries from previous |gnatpro| releases. + +.. index:: single: GNAT Pro Enterprise; Embedded run-time library +.. index:: Embedded run-time library + +* The *Embedded Run-Time* library provides a subset of the Standard + Ada run-time library suitable for target platforms lacking file I/O and + networking support. It supersedes the Ravenscar-Full library from previous + |gnatpro| releases. + +Although limited in terms of dynamic Ada semantics, these predefined libraries +fully support static Ada constructs such as private types, generic templates, +and child units. Some dynamic semantics are also supported. For example, +tagged types (at library level) and other Object-Oriented Programming features +are supported, as is dynamic dispatching. +The general use of dynamic dispatching at the application level can be +prevented through pragma :ada:`Restrictions`. + +Details on these libraries may be found in the "Predefined GNAT Pro +Run-Times" chapter of :footcite:p:`Space_SW_AdaCore_Web_UG_Cross`. + +.. index:: single: Run-time libraries; Qualification at criticality category B +.. index:: single: Run-time libraries; Configurability + +Adapted versions of the earlier ZFP and Ravenscar-Cert libraries have been +qualified under |E-ST-40C| and |Q-ST-80C| at criticality category B. + +.. rubric:: Run-Time Library Configurability + +A traditional problem with predefined profiles is their inflexibility: +if a feature outside a given profile is needed, then it is the developer's +responsibility to address the certification issues deriving from its use. +|gnatpro| for Ada accommodates this need by allowing the developer to define +a profile for the specific set of features that are used. Typically this will +be for features with run-time libraries that require associated certification +materials. Thus the program will have a tailored run-time library supporting +only those features that have been specified. + +More generally, the configurable run-time capability allows specifying support +for Ada's dynamic features in an à la carte fashion ranging from none +at all to full Ada. +The units included in the executable may be either a subset of +the standard libraries provided with |gnatpro|, or specially tailored to the +application. This latter capability is useful, for example, if one of the +predefined profiles implements almost all the dynamic functionality needed +in an existing system that has to meet new safety-critical requirements, +and where the costs of adapting the application without the additional +run-time support are considered prohibitive. + +.. index:: single: GNAT Pro for Ada; Enhanced data validity checking + +.. rubric:: Enhanced Data Validity Checking + +Improper or missing data validity checking is a notorious source of security +vulnerabilities in software systems. Ada has always offered range checks for +scalar subtypes, but |gnatpro| goes further, offering enhanced validity +checking that can protect a program against malicious or accidental memory +corruption, failed I/O devices, and so on. This feature is particularly useful +in combination with automatic Fuzz testing, since it offers strong defense +for invalid data at the software boundary of a system. + +.. index:: GNAT Pro Assurance + +GNAT Pro Assurance +~~~~~~~~~~~~~~~~~~ + +*GNAT Pro Assurance* extends GNAT Pro Enterprise with specialized support, +including bug fixes and "known problems" analyses, on a specific version of +the toolchain. This product edition is especially suitable for applications +with long-lived maintenance cycles or assurance requirements, since critical +updates to the compiler or other product components may become necessary +years after the initial release. + +.. index:: single: GNAT Pro Assurance; Sustained branches +.. index:: Sustained branches + +.. _Sustained_Branches: + +Sustained Branches +^^^^^^^^^^^^^^^^^^ + +Unique to GNAT Pro Assurance is a service known as a "sustained branch": +customized support and maintenance for a specific version of the product. +A project on a sustained branch can monitor relevant known problems, +analyze their impact and, if needed, update to a newer version of the +product on the same development branch (i.e., not incorporating changes +introduced in later versions of the product). + +Sustained branches are a practical solution to the problem of ensuring +toolchain stability while allowing flexibility in case an upgrade is +needed to correct a critical problem. + +.. index:: single: GNAT Pro Assurance; Source to object traceability + +Source to Object Traceability +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Source-to-object traceability is required in standards such as |do-178c|, +and a |gnatpro| compiler option can limit the use of language constructs +that generate object code that is not directly traceable to the source +code. As an add-on service, AdaCore can perform an analysis that +demonstrates this traceability and justifies any remaining cases of +non-traceable code. + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Supplementing the support provided by GNAT Pro for Ada +(see :ref:`GNAT_Pro_and_the_ECSS_Standards`), GNAT Pro Assurance +helps compliance with the following requirements from |E-ST-40C| +and |Q-ST-80C|: + +* |E-ST-40C| + + * §5.9 Software operation process + + * §5.9.2 Process implementation + * §5.9.4 Software operation support + * §5.9.5 User support + +* |Q-ST-80C| + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.6 Verification + + * §6.3 Requirements applicable to individual software engineering processes or activities + + * §6.3.9 Maintenance + +.. index:: single: GNAT Pro for Ada; Libadalang +.. index:: Libadalang + +.. _Libadalang: + +Libadalang +~~~~~~~~~~ + +Libadalang is a library included with GNAT Pro that gives applications access +to the complete syntactic and semantic structure of an Ada compilation unit. +This library is typically used by tools that need to perform some sort of +static analysis on an Ada program. + +AdaCore can assist customers in developing libadalang-based tools to meet +their specific needs, as well as develop such tools upon request. + +Typical libadalang applications include: + +* Static analysis (property verification) +* Code instrumentation +* Design and document generation tools +* Metric testing or timing tools +* Dependency tree analysis tools +* Type dictionary generators +* Coding standard enforcement tools +* Language translators (e.g., to CORBA IDL) +* Quality assessment tools +* Source browsers and formatters +* Syntax directed editors + +.. index:: GNATstack +.. index:: single: GNAT Pro for Ada; GNATstack + +.. _GNATstack: + +GNATstack +~~~~~~~~~ + +GNATstack is a static analysis tool included with |gnatpro| that enables an +Ada/C software developer to accurately predict the maximum size of the memory +stack required for program execution. + +GNATstack statically predicts the maximum stack space required by each task +in an application. The computed bounds can be used to ensure that sufficient +space is reserved, thus guaranteeing safe execution with respect to stack +usage. The tool uses a conservative analysis to deal with complexities such +as subprogram recursion, while avoiding unnecessarily pessimistic estimates. + +This static stack analysis tool exploits data generated by the compiler to +compute worst-case stack requirements. It performs per-subprogram stack usage +computation combined with control flow analysis. + +GNATstack can analyze object-oriented applications, automatically determining +maximum stack usage on code that uses dynamic dispatching in Ada. +A dispatching call challenges static analysis because the identity of the +subprogram being invoked is not known until run time. GNATstack solves this +problem by statically determining the subset of potential targets (primitive +operations) for every dispatching call. This significantly reduces the +analysis effort and yields precise stack usage bounds on complex Ada code. + +GNATstack's analysis is based on information known at compile time. When the +tool indicates that the result is accurate, the computed bound can never be +exceeded. + +On the other hand, there may be cases in which the results will not be +accurate (the tool will report such situations) because of some missing +information (such as the maximum depth of subprogram recursion, indirect +calls, etc.). The user can assist the tool by specifying missing call graph +and stack usage information. + +GNATstack's main output is the worst-case stack usage for every entry point, +together with the paths that result in these stack sizes. +The list of entry points can be automatically computed (all the tasks, +including the environment task) or can be specified by the user (a list of +entry points or all the subprograms matching a given regular expression). + +GNATstack can also detect and display a list of potential problems when +computing stack requirements: + +* Indirect (including dispatching) calls. The tool will indicate the number + of indirect calls made from any subprogram. +* External calls. The tool displays all the subprograms that are reachable + from any entry point for which there is no stack or call graph information. +* Unbounded frames. The tool displays all the subprograms that are reachable + from any entry point with an unbounded stack requirement. + The required stack size depends on the arguments passed to the subprogram. + For example: + + .. code-block:: ada + + procedure P(N : Integer) is + S : String (1..N); + begin + ... + end P; + +* Cycles. The tool can detect all the cycles (i.e., potential recursion) in + the call graph. + +GNATstack allows the user to supply a text file with the missing information, +such as the potential targets for indirect calls, the stack requirements for +external calls, and the maximal size for unbounded frames. + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The GNATstack tool can help meet several requirements +in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* ECSS-E-ST-40C + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.8.3.5f Verification of code / source code robustness + + * Annex U - Software code verification + + * Verification check 12 (memory leaks) + +* ECSS-Q-ST-80C + + * §5.6 Tools and supporting environment + + * §5.6.2 Development environment selection + + +.. index:: GNAT Pro for Rust +.. index:: Rust language support + +GNAT Pro for Rust +~~~~~~~~~~~~~~~~~ + +The Rust language was designed for software that needs to meet stringent +requirements for both assurance and performance: Rust is a memory-safe +systems-programming language with software integrity guarantees (in both +concurrent and sequential code) enforced by compile-time checks. The language +is seeing growing use in domains such as automotive systems and is a viable +choice for other high-assurance software. + +AdaCore's GNAT Pro for Rust is a complete development environment for the +Rust programming language, supporting both native builds and cross compilation +to embedded targets. The product is not a fork of the Rust programming +language or the Rust tools. Instead, GNAT Pro for Rust is a professionally +supported build of a selected version of rustc and other core Rust development +tools that offers stability for professional and high-integrity Rust projects. +Critical fixes to GNAT Pro for Rust are upstreamed to the Rust community, +and critical fixes made by the community to upstream Rust tools are backported +as needed to the GNAT Pro for Rust code base. +Additionally, the Assurance edition of GNAT Pro for Rust includes the +"sustained branch" service (see :ref:`Sustained_Branches`) that strikes the +balance between tool stability and project flexibility. + +.. index:: Integrated Development Environments (IDEs) + +.. _Integrated_Development_Environments_IDEs: + +Integrated Development Environments (IDEs) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. index:: single: Integrated Development Environments (IDEs); GNAT Studio +.. index:: GNAT Studio IDE + +GNAT Pro includes several graphical IDEs for invoking the build tools +and accompanying utilities and monitoring their outputs. + +GNAT Studio +^^^^^^^^^^^ + +GNAT Studio is a powerful and simple-to-use IDE that streamlines software +development from the initial coding stage through testing, debugging, system +integration, and maintenance. It is designed to allow programmers to get the +most out of GNAT Pro technology. + +.. rubric:: Functionality + +GNAT Studio's extensive navigation and analysis tools can generate a variety +of useful information including call graphs, source dependencies, +project organization, and complexity metrics, giving a thorough understanding +of a program at multiple levels. The IDE allows interfacing with third-party +version control systems, easing both development and maintenance. + +.. rubric:: Robustness, Flexibility and Extensibility + +Especially suited for large, complex systems, GNAT Studio can import existing +projects from other Ada implementations while adhering to their +file naming conventions and retaining the existing directory organization. +Through the multi-language capabilities of GNAT Studio, components +written in C and C++ can also be handled. The IDE is highly extensible; +additional tools can be plugged in through a simple scripting +approach. It is also tailorable, allowing various aspects of the program's +appearance to be customized in the editor. + +.. rubric:: Ease of Learning and Use + +GNAT Studio is intuitive to new users thanks to its menu-driven interface +with extensive online help (including documentation on all the +menu selections) and "tool tips". The Project Wizard makes it simple to get +started, supplying default values for almost all of the project properties. +For experienced users, it offers the necessary level of control for +advanced purposes; e.g., the ability to run command scripts. Anything that +can be done on the command line is achievable through the menu interface. + +.. rubric:: Support for Remote Programming + +Integrated into GNAT Studio, Remote Programming provides a secure and +efficient way for programmers to access any number of remote servers +on a wide variety of platforms while taking advantage of the power and +familiarity of their local PC workstations. + +.. index:: single: Integrated Development Environments (IDEs); VS Code support +.. index:: VS Code support + +VS Code Extensions for Ada and SPARK +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +AdaCore's extensions to Visual Studio Code (VS Code) enable Ada and SPARK +development with a lightweight editor, as an alternative to the full +GNAT Studio IDE. Functionality includes: + +* Syntax highlighting for Ada and SPARK files +* Code navigation +* Error diagnostics (errors reported in the Problems pane) +* Build integration (execution of GNAT-based toolchains from within VS Code) +* Display of SPARK proof results (green/red annotations from GNATprove) +* Basic IntelliSense (completion and hover information for known symbols) + +.. index:: single: Integrated Development Environments (IDEs); GNATbench +.. index:: single: Integrated Development Environments (IDEs); Workbench +.. index:: single: Integrated Development Environments (IDEs); Eclipse +.. index:: Workbench IDE (Wind River) +.. index:: Eclipse IDE +.. index:: GNATbench IDE + +Eclipse Support |ndash| GNATbench +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +GNATbench is an Ada development plug-in for Eclipse and Wind River's Workbench +environment. The Workbench integration supports Ada development on a variety +of VxWorks real-time operating systems. The Eclipse version is primarily +for native applications, with some support for cross development. In both +cases the Ada tools are tightly integrated. + +.. index:: single: Integrated Development Environments (IDEs); GNATdashboard +.. index:: GNATdashboard IDE + +.. _GNATdashboard: + +GNATdashboard +^^^^^^^^^^^^^ + +GNATdashboard serves as a one-stop control panel for monitoring and improving +the quality of Ada software. It integrates and aggregates the results of +AdaCore's various static and dynamic analysis tools (GNATmetric, GNATcheck, +GNATcoverage, SPARK Pro, among others) within a common interface, helping +quality assurance managers and project leaders understand or reduce +their software's technical debt, and eliminating the need for manual input. + +GNATdashboard fits naturally into a continuous integration environment, +providing users with metrics on code complexity, code coverage, +conformance to coding standards, and more. + +.. index:: single: GNAT Pro for Ada; ECSS standards support + +.. _GNAT_Pro_and_the_ECSS_Standards: + +GNAT Pro and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +GNAT Pro can help meet a number of requirements in |E-ST-40C| and |Q-ST-80C|; +details are provided in chapters :ref:`Compliance_with_ECSS-E-ST-40C` and +:ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* |E-ST-40C| + + * §5.4 Software requirements and architecture engineering process + + * §5.4.3 Software architecture design + + * §5.5 Software design and implementation engineering process + + * §5.5.2 Design of software items + * §5.5.3 Coding and testing + * §5.5.4 Integration + + * §5.7 Software delivery and acceptance process + + * §5.7.3 Software acceptance + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.9 Software operation process + + * §5.9.2 Process implementation + + * §5.10 Software maintenance process + + * §5.10.2 Process implementation + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + + * §5.11.3 Software security analysis + + * §5.11.5 Security analysis in the software lifecycle + + * Annex U - Source code verification + + * Verification check 12 (memory leaks) + +* |Q-ST-80C| + + * §5.2 Software product assurance programme management + + * §5.2.7 Quality requirements and quality models + + * §5.6 Tools and supporting environments + + * §5.6.1 Methods and tools + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + * §6.2.6 Verification + * §6.2.9 Software security + + * §6.3 Requirements applicable to individual processes or activities + + * §6.3.4 Coding + * §6.3.9 Maintenance + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance objectives for product quality requirements + * §7.1.5 Basic metrics + +AdaCore's ZFP (Zero Footprint) minimal run-time library (superseded by +the Light run-time in current |gnatpro| releases) on LEON2 ELF has +been qualified at criticality category B, and the Ravenscar SFP (Small +Footprint) QUAL run-time library (superseded by the Light-Tasking +run-time) on LEON2 and LEON3 boards have been qualified at criticality +category B (see :footcite:p:`Space_SW_AdaCore_Web_2019b`). + +.. index:: GNAT Static Analysis Suite (GNAT SAS) + +.. _Static_Verification_GNAT_Static_Analysis_Suite_GNAT_SAS: + +Static Verification: GNAT Static Analysis Suite (GNAT SAS) +---------------------------------------------------------- + +GNAT SAS is a set of Ada static analysis tools that complement |gnatpro| +for Ada. These tools can save time and effort in general during software +development and verification, and they are useful in particular in +supporting compliance with ECSS standards. + +.. index:: single: GNAT Static Analysis Suite (GNAT SAS); Defects and Vulnerability Analyzer + +.. _Defects_and_Vulnerability_Analyzer: + +Defects and Vulnerability Analyzer +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +One of the main tools in GNAT SAS is an Ada source code analyzer that detects +run-time and logic errors that can cause safety or security vulnerabilities +in a codebase. +This tool inspects the code for potential bugs before program execution, +serving as an automated peer reviewer. +It can be used on existing codebases, thereby +helping vulnerability analysis during a security assessment or system +modernization, and when performing impact analysis during updates. +It can also be used on new projects, helping to find errors +early in the development life-cycle when they are +least costly to repair. Using control-flow, +data-flow, and other advanced static analysis techniques, this analysis tool +detects errors that would otherwise only be found through labor-intensive +debugging. + +The defects and vulnerability analyzer can be used from within the |gnatpro| +development environment, +or as part of a continuous integration regime. As a stand-alone tool, +it can also be used with projects that do not use |gnatpro| for +compilation. + +.. index:: single: Defects and Vulnerability Analyzer; CWE compatibility +.. index:: single: Common Weakness Enumeration (CWE) compatibility; Defects and Vulnerability Analyzer + +CWE Compatibility +^^^^^^^^^^^^^^^^^ + +The tool can detect a number of "Dangerous Software Errors" in the +MITRE Corporation's Common Weakness Enumeration, and the tool has been +certified (under its previous name, CodePeer) by The MITRE Corporation +as a "CWE-Compatible" product :footcite:p:`Space_SW_MITRE_Web`. + +Here are the weaknesses that are detected: + +.. csv-table:: Defects and Vulnerability Analyzer and the CWE + :header-rows: 1 + :widths: 20, 70 + :file: table-dva-cwe.csv + +.. index:: single: Defects and Vulnerability Analyzer; ECSS standards support + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The defects and vulnerability analyzer can help meet a number of requirements +in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* ECSS-E-ST-40C + + * §5.5 Software design and implementation engineering process + + * §5.5.2 Design of software items + + * §5.6 Software validation process + + * §5.6.3 Validation activities with respect to the technical specification + * §5.6.4 Validation activities with respect to the requirements baseline + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + * §5.11.3 Software security analysis + * §5.11.5 Software analysis in the software life cycle + + * Annex U - Software code verification + +* ECSS-Q-ST-80C + + * §5.6. Tools and supporting environment + + * §5.6.1 Methods and tools + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + * §6.2.6 Verification + * §6.2.9 Software security + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + +.. index:: single: GNAT Static Analysis Suite (GNAT SAS); GNATmetric +.. index:: GNATmetric + +.. _GNATmetric: + +GNATmetric +~~~~~~~~~~ + +GNATmetric is a static analysis tool that calculates a set of commonly used +industry metrics, thus allowing developers to estimate code complexity and +better understand the structure of the source program. This information also +facilitates satisfying the requirements of certain software development +frameworks and is useful in conjunction with GNATcheck (for example, in +reporting and limiting the maximum subprogram nesting depth). + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The GNATmetric tool can help meet a number of requirements +in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and +:ref:`Compliance_with_ECSS-Q-ST-80C`. +Here is a summary: + +* ECSS-E-ST-40C + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + +* ECSS-Q-ST-80C + + * §5.2 Software product assurance programme management + + * §5.2.7 Quality requirements and quality models + + * §6.3 Requirements applicable to individual software engineering processes or activities + + * §6.3.4 Coding + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + + * §7.1.5 Basic metrics + +.. index:: GNATcheck +.. index:: single: GNAT Static Analysis Suite (GNAT SAS); GNATcheck + +.. _GNATcheck: + +GNATcheck +~~~~~~~~~ + +GNATcheck is a coding standard verification tool that is extensible and +rule-based. It allows developers to completely define a project-specific +coding standard as a set of rules, for example a subset of permitted +language features and/or code formatting and style conventions. +It verifies a program's conformance with the resulting rules and thereby +facilitates demonstration of a system's compliance with a certification +standard's requirements on language subsetting. + +GNATcheck provides: + +* An integrated "Ada Restrictions" mechanism for banning specific features + from an application. This can be used to restrict features + such as tasking, exceptions, dynamic allocation, fixed- or floating point, + input/output, and unchecked conversions. + +* Restrictions specific to GNAT Pro, such as banning features that result + in the generation of implicit loops or conditionals + in the object code, or in the generation of elaboration code. + +* Additional Ada semantic rules resulting from customer input, such as + ordering of parameters, normalized naming of entities, and + subprograms with multiple returns. + +* An easy-to-use interface for creating and using a complete coding standard. + +* Generation of project-wide reports, including evidence of the level of + compliance with a given coding standard. + +* Over 30 compile-time warnings from GNAT Pro that detect typical error + situations, such as local variables being used before being + initialized, incorrect assumptions about array lower bounds, certain cases + of infinite recursion, incorrect data alignment, and accidental hiding of + names. + +* Style checks that allow developers to control indentation, casing, + comment style, and nesting level. + +AdaCore's :index:`GNATformat` tool +:footcite:p:`Space_SW_AdaCore_Web_GNATformat`, which formats Ada +source code according to the GNAT coding style +:footcite:p:`Space_SW_AdaCore_Coding_Style`, can help avoid having +code that violates GNATcheck rules. GNATformat is included in the GNAT +Pro for Ada toolchain. + +GNATcheck comes with a query language (LKQL, for Language Kit Query Language) +that lets developers define their own checks for any in-house rules that need +to be followed. +GNATcheck can thus be customized to meet an organization's specific +requirements, processes and procedures. + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The GNATcheck tool can help meet a number of requirements +in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* ECSS-E-ST-40C + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.8.3.4 Verification of the software detailed design + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + * §5.11.3 Software security analysis + * §5.11.5 Software analysis in the software life cycle + + * Annex U - Software code verification + + * Verification check 3 (infinite loops) + * Verification check 4 (misuse of arithmetic and logical operators) + +* ECSS-Q-ST-80C + + * §5.6 Tools and supporting environment + + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + + + * §6.3 Requirements applicable to individual software engineering processes or activities + + * §6.3.4 Coding + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + + +.. index:: GNAT Dynamic Analysis Suite (GNAT DAS) + +.. _GNAT_Dynamic_Analysis_Suite_GNAT_DAS: + +GNAT Dynamic Analysis Suite (GNAT DAS) +-------------------------------------- + +.. index:: GNATtest +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATtest + +.. _GNATtest: + +GNATtest +~~~~~~~~ + +The GNATtest tool helps create and maintain a complete unit testing +infrastructure for complex projects. It captures +the simple idea that each public subprogram (these are known as +"visible" subprograms in Ada) should have at least one corresponding +unit test. GNATtest takes a project file as input, and produces two outputs: + +* The complete harnessing code for executing all the unit tests under + consideration. This code is generated completely automatically. + +* A set of separate test stubs for each subprogram to be tested. + These test stubs are to be completed by the user. + +.. index:: Liskov Substitution Principle (LSP) + +GNATtest handles Ada's Object-Oriented Programming features and can be used +to help verify tagged type substitutability (the Liskov Substitution +Principle) that can be used to demonstrate consistency of class hierarchies. + +Testing a private subprogram is outside the scope of GNATtest but can be +implemented by defining the relevant testing code in a private child of the +package that declares the private subprogram. +Additionally, hybrid verification can help (see :ref:`Hybrid_Verification`): +augmenting testing with the use of SPARK to formally prove relevant properties +of the private subprogram. + +.. index:: GNATemulator +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATemulator + +GNATemulator +~~~~~~~~~~~~ + +GNATemulator is an efficient and flexible tool that provides integrated, +lightweight target emulation. + +Based on the :index:`QEMU` technology, a generic and open-source machine +emulator and virtualizer, GNATemulator allows software developers to +compile code directly for their target architecture and run it on their +host platform, through an approach that translates from the +target object code to native instructions on the host. This avoids the +inconvenience and cost of managing an actual board, while offering an +efficient testing environment compatible with the final hardware. + +There are two basic types of emulators. The first can serve as a surrogate +for the final hardware during development for a wide range of verification +activities, particularly those that require time accuracy. However, they +tend to be extremely costly, and are often very slow. The second, which +includes GNATemulator, does not attempt to be a complete time-accurate +target board simulator, and thus it cannot be used for all aspects of +testing. But it does provide a very efficient and cost-effective way to +execute the target code very early in the development and verification +processes. GNATemulator thus offers a practical compromise between a native +environment that lacks target emulation capability, and a cross configuration +where the final target hardware might not be available soon enough or in +sufficient quantity. + +.. index:: GNATcoverage +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATcoverage + +.. _GNATcoverage: + +GNATcoverage +~~~~~~~~~~~~ + +GNATcoverage is a code coverage analysis tool. Its results are computed from +trace files that show which program constructs have been exercised by a given +test campaign. With source code instrumentation, the tool produces these files +by executing an alternative version of the program, built from source code +instrumented to populate coverage-related data structures. +Through an option to GNATcoverage, the user can specify the granularity of +the analysis: statement coverage, decision coverage, or Modified Condition / +Decision Coverage (MC/DC). + +Source-based instrumentation brings several major benefits: efficiency of tool +execution (much faster than alternative coverage strategies using binary +traces and target emulation, especially on native platforms), compact-size +source trace files independent of execution duration, and support for coverage +of shared libraries. + +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATfuzz +.. index:: GNATfuzz +.. index:: Fuzz testing + +.. _GNATfuzz: + +GNATfuzz +~~~~~~~~ + +GNATfuzz is a fuzzing tool; i.e., a tool that automatically +and repeatedly executes tests and generates new test cases at a very high +frequency to detect faulty behavior of the system under test. Such anomalous +behavior is captured by monitoring the system for triggered exceptions, +failing built-in assertions, and signals such as SIGSEGV. + +Fuzz testing has proven to be an effective mechanism for finding corner-case +vulnerabilities that traditional human-driven verification mechanisms, +such as unit and integration testing, can miss. +Since such vulnerabilities can often lead to malicious exploitations, +fuzzing technology can help meet security verification +requirements. + +However, fuzz-testing campaigns are complex and time-consuming to construct, +execute and monitor. GNATfuzz simplifies the process by analyzing a code base +and identifying subprograms that can act as fuzz-test entry points. GNATfuzz +then automates the creation of test harnesses suitable for fuzzing. +In addition, GNATfuzz will automate the building, executing and analyzing +of fuzz-testing campaigns. + +GNATfuzz can serve a useful role as part of the software development +and verification life cycle processes. For example, by detecting +anomalous behavior such as data corruption due to +task or interrupt conflicts, GNATfuzz can help prevent defects from being +introduced into the source code. + +.. index:: TGen library +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); TGen library + +TGen +~~~~ + +TGen is an experimental run-time library / marshalling technology that can be +used by :index:`GNATtest` and/or :index:`GNATfuzz` to automate the production +of test cases for Ada code. It performs type-specific low-level processing to +generate test vectors for subprogram parameters, such as uniform value +distribution for scalar types and analogous strategies for unconstrained +arrays and record discriminants. A command-line argument specifies the number +of test values to be generated, and these can then be used as input to test +cases created by GNATtest. + +TGen can also be used with GNATfuzz, to help start a fuzz-testing campaign +when the user supplies an initial set of test cases where some may contain +invalid data. GNATfuzz will utilize coverage-driven fuzzer mutations coupled +with TGen to convert invalid test cases into valid ones. TGen represents test +data values compactly, removing a large amount of memory padding that would +otherwise be present for alignment of data components. With its +space-efficient representation, TGen significantly increases the probability +of a successful mutation that results in a new valid test case. + +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); ECSS standards support + +GNAT Dynamic Analysis Suite and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The GNAT Dynamic Analysis Suite can help meet a number of requirements in +|E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* ECSS-E-ST-40C + + * §5.5 Software design and implementation engineering process + + * §5.5.3 Coding and testing + * §5.5.4 Integration + + * §5.6 Software validation process + + * §5.6.3 Validation activities with respect to the technical + specification + * §5.6.4 Validation activities with respect to the requirements + baseline + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + * §5.11.3 Software security analysis + * §5.11.5 Security analysis in the software lifecycle + +* ECSS-Q-ST-80C + + * §5.6 Tools and supporting environment + + * §5.6.1 Methods and tools + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + * §6.2.9 Software security + + * §6.3 Requirements applicable to individual software engineering processes + or activities + + * §6.3.5 Testing and validation + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + * §7.1.5 Basic metrics + + * §7.2 Product quality requirements + + * §7.2.3 Test and validation documents + +.. index:: single: AdaCore; Support and expertise + +Support and Expertise +--------------------- + +Every AdaCore product subscription comes with front-line support provided +directly by the product developers themselves, who have deep expertise in +the Ada language, domain-specific software certification / qualification +standards, compilation technologies, embedded system technology, and static +and dynamic verification. AdaCore's development engineers have extensive +experience supporting customers in critical areas including space, commercial +and military avionics, air traffic management/control, railway, and +automotive. Customers' questions (requests for guidance on feature usage, +suggestions for technology enhancements, or defect reports) are handled +efficiently and effectively. + +.. index:: single: AdaCore; Training and consulting services + +Beyond this bundled support, AdaCore also provides Ada language and tool +training, on-site consulting on topics such as how to best deploy the +technology, and mentoring assistance on start-up issues. On-demand tool +development or ports to new platforms are also available. + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/conf.ini b/content/booklets/adacore-technologies-for-space-systems-software/conf.ini new file mode 100644 index 000000000..24a3d481f --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/conf.ini @@ -0,0 +1,5 @@ +[DEFAULT] +title=AdaCore Technologies for Space Systems Software +author=Benjamin M. Brosgol \\and Jean-Paul Blanquart +version=2.1 +bibtex_file=references.bib diff --git a/content/booklets/adacore-technologies-for-space-systems-software/images/v-diagram.png b/content/booklets/adacore-technologies-for-space-systems-software/images/v-diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..92209789e46efb21cae88459b229e2240ad15b82 GIT binary patch literal 30601 zcmdSBcT`kgwv4?v(#v4m%4fGK211Frq>^70ak zMeygsBBg+=pqhST=XVxawf@nGt(`waoMMMZ#}*#Qxa{}kwGHxy*14q>T6S)(!O^ec zP~X0NQ&Lg_VA$7Li($mvr zWo0oK%*@Qp&6_t54-Xj`83hCcT3T8N2?>XXhnJR?yu7>w1qA~F0>s6|Q&LhgGc()T z+M=SO-oAaixVRV}A3rrUwYIiqZf-t1JNxC!myaJm`uOV57k;j>_X{1Lp6%=# zMCF%AXq$2>YSD`+;_*Mk6I3FS)gzKKy!ph5Sm7BChd6-&9j0Gs~!v zs@ajMT3UMtQX2VTvx(xuguXPjQRsW(a!EZhcNBVTDD%{Un@=FOqympk7>t7lA)z3L z@zMy&dW648dG|p+ApPL@O zhV)D?9-W->yT$27y_fb)9bZ_x=kVI-O=0Kc{KCf0ZJV(5Kl?MQ8*^)0=$`S(rQa)C zyYs)d2suQ9i@zmRcbFu6Fpe*(ANr9~{~d=-)GepdDWjr)cBy@Q4pocsdRLv-)EiJ( z8(-CClTxM{oF(p+?3`KgrEh{xO!0A8?$?2-(9(JZWP0Y;ZjU@P_B}yDPBC0giJs|& zitf>_sb4kylO)^{FuBLHA_@);4sbX;C@AR7n>Xw0>oztv%gf7pdV1B>)g2ujrlzJe zG&E#nWVW`pE-o%iOiX=!ePLl?o}Qk{%F5Z<*?4$(TU%SPv9Y3}q74lVe0+TGA@4na zeTna)tnUT_k+l5%1MYAx1a1g-85M;G+MdQ6-;T4Xl)N`lU`h$>#KdrNY)Fj)m0UDi zW4i$vH<^=R{n!E18$E6Dwt7_rWHbChkm&)j-K2fB<*=g)_eAAznuAC6uv7I^a@|ME z*pFMnf*zaSZNZgqcm$-Btp)sSLmd%EI4m7sT;fnaqDXO5 z=qX^K-Eh)06r3^5ES&`wCK4CueY|J>dWFRK?nCOGKPtA?0$#wd52?@@1%kE3p~%&@ ztY0H2rCPgLb5WRu+*{};t!l!5f56|$jdq$}Oz8h^`G<^nN^c%UxBq9g)pH&?)rw!) zUBHxv8NNd+y!Ov!EJI|7?EQoy`TL0Be}?0uL4>btVOn9f(PKIPhM4X}LbUg>`z!9oK&Es|?t zKm=?k6md<25Fmmz0naC%z9vEn5Fw~V!D(x+i7*00DBT57_ua3FNC8CHR;&f=R<4P7 z14N$m_gD^+kz5l&ayK?JWndET&|eb)0TFp1n!qkEdQAij5D9XDX@$C66S)Bp!I^{S z6D?j5iIoN};4Z>pz=ih$6J>QX=#5(<--(=gV`k_aeRMsU-+b_eL;i~q--K+&oBD~l z>WV=Ln_jg!N7*eS2}O`rVysFqcjJ6c1|~R{9!&|GlAPMC^XmP$KlO5!d+ty`Ab`nW z35R;TT5*i`zZ&0RKqted1(yz;H~d7iD)1a`02o0y239-iaW&(^s&qHVZ3QmR`XRrNVG zcy%DBtBr)*9jnWhvy>fUlN*y4Eyz`z!M(RNbi>YSnZw=qCLgd8zIh273UMDdKq0=l z1#z3a*JZQlM)>ewfR}!nHuzd3`%Wxx4zV8IBEZk_c&h+L=t#p*d(fYfQ}z4#5?jhH z;^Z7_H3R=aQx`V%6LN~K^9|tryixa*tCrz6emA1d`8c!t{mUjgLF!y1p3ly8Z55jj z%!2)N<<=VY&u%TqJdv}m;<%jvw zP+JJ-F0Wwn;Txvg#a+KsIKZu6VaZRB_e1G@5^oTMRkf=GdNs}F>Vp>@nHuKdCNolx z5L5Ms4)p}SjdLzWZ*<0{4(#toe$Gk4R+db_$Vni$;ld^qo&%YjvKty7mb@V264dd{ zUh?+&%@mDRW?-TWHWiQ|u+%Kyu<=ad9B03hoA9=NBy7+hC(2~5{sN(K7fmE|&CZLN z=_KxzeCp0dYJEa>HwxFz?9T!v3+}GF zaN+*yuRqQgx>F}gY@m;96-04Wwv2XJ?ve&I#YDMKj8n;)P|z5Y7&k090pDD74`De0 z3lT94Wh%!@Lks)!Zj#aupKd;5=Y09c;kAqC@JG~HQg^T}lxYVJBit#k5|{|Qk(=^L zYuG1j4QmIB>}8$L(%roim)l2AUnG`PZpLLYnNrWx$YqTNyk!9+^rc~009iFAXtNtv|2ayF?Th9rP>LE4HI>(R6OXA^nL$WJS$at+UocGXej*|U?CUnyDzfT_>p}0v^=+X z&1Yp>HJh3~DyL;28MI~v*6g$Vph0R_1T#E^=s6un!4j}nqzPDyS9TK}!HhUjScxs> zzK=KA!txlv!`~q+*%*afMzp3H8iG|m{O6V$4k4NNtK5U-m&bBjGBL=M8@U6`8YGJS zbGGszq0b?&bvW30g^U~n+zcK1UO!Z-e~ zp7oh->wcdx9v~-gWX#Tc`#VKae2Q2!g}#&#zM@ z?3laJzP}eT%#@%aC-e7Ksp6|mYriK^>|fXOa0Iw5B7h9|Ha8o?l6xDikkI4xhyAp9 zr5B4CzZ?FJ`I9f42*{(v=WtjAj@cuDi3ML|LxP2wyG?wG56;g|122_1Zc`8gDLn51 zOiLlC{9Y>J;#RI8NwiwVA_oQjqJ_Dw9awI}c=Y=sJ(5xMwtHiZ%aWu6thymL8@o{c zUt>1Yn1Tq06Zy3?Xe*@=g`H??+g+Di*Jxg?Th<&INn3=EO3ip6-b zas)X64xd5j4d)db@Y)*; zt~(|~W>U%bI8_vY>7_56tIAFSon%H@gAr4+{e6((I|=M><;Ts{giTzJsE^-pW`>R7 z*3J2o)lJL^z0m;u($zlXm4H4*07NwPkiD^n2|9PM`yYP=Ej^Sc)QE(`!b!{`g(mJ| zktN`K2)g+@NWXaLhs@C0w>%XPb8>>)Q*DpsoJdwQ5LRw(*^k6rPu<+U5h{T)o%a-{ zjQtWQ8}DBzcK!^P|F39o(;9o_8UV1O2SF7Ne^WP(V~32uTL-nG?)?QS<(4fV<_buZ z+`7w#+)UwGZgt*p#v+ca>a+}8Awzp6l-5wR@*<5nJBx3X)tmK3-@@vzUe}Y{ zS+sa-=Li;WaQfr$$A{V&kO+0>;qFBiM;A&f#Hvb-$~F=xhC)?d>z z8NT1NaGN`=Q5EFZ9dnP&P#P9b3C$Tg(&0AE_L!rPUDYbQ)I6q}$$YaHy=Dtui^J^o z-vt)O(8bJs1pn?+@mQnV@UrZcGw|;miKO68s*&@*I407t*Y}}0+Whwn{r^rS$8D{H zBf8<{nOCH|5}`&cJUe3ijOMjLJm|q&qZcEl`Ph zZ0i}<=Z(d3P%Wi=H3ds%L!2t8suCoGv2gPH(}-aDAP6r-C0%ICg)1;C}Y22SD*{z_EM* z92Ts8HOAx|sFNARtpx746I`v!S{QfZpMLfP{9K(YKTkyv;N);!6dbqoYC-C2%?QgC zD!VMjZKlY`tX-1IQI0vE|LHjSAdKDC^!~y(YKjuzO9&Q-mS@2iYhAf|8#NG>L1IY z2froh?&lc7C?3?6-^_l2^4zfxK639j=))nlO~Ksn=RveS69!Cg0#SWf2hV@?(u{et z;wG#d3Ihv#>s$bZMH?FZrCaf3is z#L#j@#Q>n;%syYq6f9tR@%@Qp9fl+;@3+fs zLaG;;m3E>+xf==k1rr>UhRUs8PIxa*R!`r1;qvlG>LHMnzj-PG9H?y5Ffa1##s%sC z@#1*;TX1@eEwnpF*t3s(3cYnsyJmh5cU8ikn(d#@@0&l9*pU(dd(IZ~ZbeI*V5SAaDo+kh_ zk>jBXdvFl+*U~Bd3%Jt3JnFA#QOzE0AtKZmgO|~%wIokl{r>iBX>^*C%fSVF|K&32 zxcoP_jS-JI&T9Ox-|IJ^-L<$vt|-St?(4eW?bk*N-$bO1KoNH%ho1qdAeZbj!5Sxb zVndP?$D8*Z9TDffK>@kgMEmtVPrF`c!g6L zXxA>S4jdaobfO-5^j4PqcFCK<3f%}A;4`Rr!fcHr(=Zj9LEJ} z5gJ~4=h0%1sJnR-5i1`~X5dGMy2o3YoJ_g((i9gA_VRx{ngSkWlcY;qDG4=Z;bqj0 zEy*KRZeeAnvVMX!#+Af| z)<7(WFMfPzmDBGjPi%^**V>96WC~_D-PFbL>0RhDlC%KyvF`eiD*O{@zh}XFKp5dz ziy-`Tpuy+}?PL18O-}ywS7mNMixE&%ji@bsnE|nP3WV;(2;G$)5G(T{VdF&<<1KzhRFnOh|K^Mqw8|hmE~%zs?p9Ez3dj+CPWVEWv9Tm=|xKU*F3&^|=~B zI!Bc-eWbXJYo;yzRbJ3hfD!gTrjjmIf#&q0j96*IuJRJqKq$5z_LAN|#w-6amh&ep zCnu@^RrM~=4v1YRtl%F|Qz05luze;*=&jp0gl9@lDD+@vSkS!e#4$tT^ZjuwL<^(@ zCx}b7RIoo%LIN{Ns>NmWoSDk(udlWIA85h z{~-u^tXZWrPfLY>RAB2d7}&V_*)j+>bfYz-AIJpAN=fSwM?gAZOu(+oeE}N_8#UXl zL#Tpqsg=QdrD>nnvZoH#(p~J;#Cpop^cAEPYJq!9#JSR@+Q6FikE3%OqsKI(346=?Yi-!AhRMCHqaVMtYAVz0WFv@#kQh zW-x&BJ*eiFZcj9|Y~5DqsUi30p|b;5o0*rkkkhe^2p(glcuTPO=WKDE1K7KVoDCl= z8+85fBTf~}60r-tU}K>(X1g^AbzVNSo?r1&A(7_gLwu&QDS**R_4KXRJAO9gthY0r zAixa1*@LSUsH+yIl+*m)@^wLmB@-Ovx5|%=ggt18BxTnOg_KrPjf`1!L55tPDR$6x z#-vMG&eM#4hXa8zrqe6?1ufTm&rWEj%hRmFNOWsKM}(yF7Wmn1xlQH*0;0OA zI2tRkeHNxF*JIq5Cw&j(vpg42uj8gknDaCuoU(Cy>H)AMQ@`?t)Ecn}`|WOYFG>YM zInyd`LhyWwZr?dmN#p;S&MhPV!8ai^ zJ7`MTD&^RK>8zFc7k7bMWaudRvmP^+#yJ6|EMLcMGuv)|=H^VtaZ&tbjfv%oLtLsA zcr6R_BG+qNGDQtPhn&6O4$G-^Q{`7D=770QdSQo51Ch6M8F<#b6NsCWm!7D*l+#4SJoj0KloZt+bsbc3;Hw({f zE{JV1cA*b!EM(K{(eH{js|T2O+*uJUhRBKv|7@)W62p=K$cpf*q+X#7iV>`s<2B;X zpsK!ww00Q%p#EIBH2%7aA;se(pmZ0PZbXB+^T@&jo83D@m_Xs_HvHRb^2cTDbFqX2S-vm+Q@2Bx@1(F9Oj;hhV#eE){Y-D?y;iWGN*!^;?% zuTjVW6z{0cg*E8E-pD@}Sr7``M(ijfq5NQ=BLgc?Tuw#)YDrNiX6BZ) z5U4T#zn3Zh(lJE%bjPd@#OI%o{fR}U9utMP{-vn}=oOVWB%YMPXUt5Y(l_q%-%H?Z zPb`0u?HuBL{2F=0#h0&sBaiR@eAONGkF7#~XfM`=sVeMg6u()X^s2!ApDNOwh#a*{ z{K=+Ncp22!gh^93OH)dftQg7{fi5*S*(e=7C89-4U=mn>i~%P-|g?Be;sT&J!Mhd+ z`2P(Pjw>$Rq=v{U3vJlbuqW4g*nb>S!jLCWBOZ0FhyMU-V1p(JGh(KFrH51g2CAbF zUPkiy+VfXHV#!!rxmu-Cp|$_^Uj8;yaM$&dtx8We=&Vm>O{@>6=P#!MlxdeHs;8-D z@|AU@iGk4hfA3o8;^RaV!O`WQ-p?Bo7l)518?_gQ$biXpl)%e~J~toTj_tRCLKSBqO&&m=JtMYZfA4U5)9XpJ`b+~QBT*8 zqfedc*}qE7i{!(_n;`eO6N;PvaR!|{SUW|^luLnwqXYO%0r_%)rk+AB6P;kWl+U71 z5p)Mep>=z`RnD2KQ)z5SyRL%U&!Iohz)==%`(lxxgI?4SOU|uT;1OO4FC%DaPHwj} zEUX}R!7BIQ`I;dEdX4^$K24sjf!D7x&M#~WoT3f6elzw<>j!D~SbI3U1?976`?u;N zcM+$f>6>3$oZ{=aAma#a%X|th*&$%!a6&_Z1n$2z9I_b`VD*xOr*SRAC!D--rUw1( zue9-GQ_URg>mL=>OnfXc&n4TzjOX$BDL0bA3{0DXp)xZV*Gxq`VKgnrSs}<7?wXJW z(;NL9>J90QdsP|%Nqy@(dD8~m+}Audef#Du=y4rH`1i(*m$RGi~VMaGaEoHFh=-tk&_VW#*FoB~WuWiqO#E zDyW_+lpEl#m|uoWhxIYHh?W~^-%5s6zd$+ihDF8Zzc_XWd|*Kzd>&C;B@}vf=Z7tc z9P{B!5{>ET>qLb8U*TmqznYW#EYoF7ucGpS7^TT`xm4y1CdcZ+Rfn`Mg{c+!p$-s zWq4C1tJvj$^1dNhL;ju6kSBrIpi!{V%$fh~Taar~EFV5J=aemDd96pU1gpP_a+{Q9 z5BKA;*kdMdx&h;FRJXq=Hd^=GMKYL!X;U#t0GmH3M6pxwSz-&K`<}`13b_MVP9AC> zpzg6Lbp!2pxK;GTzxsSB8vV_H0U#`y z z9sz>|m==YhGBqC;NJp$anY|^#+FNqVSXN2|)vc5Y;cnDip&{(=gqMLRT9PL$cVU>v z-ehH7)`uCEJh#opA@2esP)1W`O~jQ$!dbWsb2wgUhBDoX z`o8doUjU)6CTv3z?2|Ue8wptq=0a(^Tb;+C^e6colD`27*^&lG$V>}x+J6i#19d4qk?-E>r1GH$ z!;K$EG3a+IrLYicaMO`FXLW5HopqFqXOan3+0RSIxyNAJTEkLeQD)t?701ir$!8@a0tMtlnNRuxE&<%)osel#d6ZR=X%o>3fJr+A2~j|{bTT}{1( zj)EDMpidw zHR5F`unj)G9G0%`)#l++C!#UFBNb0l0V3{M7~~g3+)_iEvMQS%GdMrbVk71I2(kv~ z$8-H{F;Va0oqX_%d_b9wO?IH!AbBKl-vShaho2)T1iaWrUr&UH*ibluTa*Y^ex`2P z#;DwoPc^)YXWIVf$-M!H`($IqF|G0FS?Foz(ec<)&LWU=q>$N8*CY$CBZ_9rnHvB(>C6Tcr||+0J|M z>rhAM$6Y}5?R82Q{1?&Z7k`P-YMm(0v;?Q6VXQ1{$16~XT&20d?yWDJ2coOEN4gq) z_mC4^N=cT48f(e+U=dyi#yiLdyAQlc=lqPqAY-@GF9^gjko!Uj-R=G5R)Q1F33sq` z#XP8&pYM)fx);_Tu^1i~#v{O829sNFjURG3%&3BvCl1!=mVVI8uttJj#$(&s!&0J) z%s9I(Iqk9cE4rTEuoX3ZNxz;WQ{Qupy-~3czz+odlUk@G{@NBnB!d% zHXEnEeYo*Z#nKZk~s`X`@in zZ|=$1wob5=$WPZr;T0y8Ci0|kJJQvU@M$SrG-nvQvI zetm=}g~$-u$|su8-TL#YFV1@l4T>;xfu%$=U84f8y~$gC!g(lyu5+s8ID{p%31tL> zUH9l!fU1u;L9j*vetnh+(1LGhVK%N2sn=(j?lnP~gy6jk>yr z($9i5_rG5gnFok4THCnVr7~RgirN4oQr~+Q2Kgkeh(rc)%X+6~V&0p1UK0VjNm%@n z3Ej=x*F0f z)R~)&FDmVezpx@p*nb4)!T*;G`@a`*zgpV+0x5}QaOKE<3D(emC#91i)Z{v&$5Z>> zx1h-8STYEiOr4Uv|s;c%X;-fPeFz}@i3 z#?p1pUGZvVmm8r>&%~J%2nz(Sq?0tD;#LQ5p^QW`Z(eN=F@SAKZ|6eu>YFPnkAa7) znK(;AWImwh|2a~KZ-@+DeFNu7Be`xRvjDpxUtXZbR-EOETLJ)*N`hHe}W3Y$V&AP2CxGUpsi3D(;sZ$pFpN686h5G6@%C;qdlXs`1sJUo0OHLCh00O0s zSqKCmfW(>znnX)c`WJijW~9rdFHIb*zr^M1aqhVM}2U@Oz8qB zGS14?tXCr*Rh&Q)e@cn~YvyYS)R>CH5GXi0MD=L%(?-2vpz}k#oOe>-@4EFs*X_-H zh6GI8Air6+WrY|7uhh_Uz~>a{*!RT@R(K1LMr-Y0pvw2jx8jyh(uS;T5-j}$inNn_ zcSvfHZxs+-J8@V-+eWQ?U7wo5MY{+lY@qLus=mE4JPc0$G`Tk>wcRxAdWA6^l>n*dCbnpgSB!{b)Iu zI}!t>lr22?=eXP`4g=UoX!!!AyTxz^ytgI(rLhP%|7Ih6u^4E1+YO1KjMy?M&|H6u zgLPr6bBOIT4=E=C;JnOO6ZRLIF7-G6jU|NwJF4|&qZcsIP%#lMeujcdT}6L z!kGz}kU=rCZu1J@px9n-(m5T_6PluueeYE0*90rCE4Dw)r)uQ-Fa8-Q(L}IxT0G)t zBeG_z{&esqiOQp`UMkh;B~nkwm+$D5k9g~8MHDQ+Jdxb8^X?ijY8BiN?jQ`*n^K+F z|I^$nQeVH{a19ZkM&osSCVIE2XBW?wNgIpn+t{)B_q;b5#YFK>uL_1C!XY=cMmU*f$XY|Yvmf}t~qX- zj;QSJfHJ)hXHOt}2fXu`vdnu{uSckHaF`=Pnly}o@9Si?k zGUR&zT9k~K!FpYat+ByL`dy*J5Xq2)!5&mG%X6$4;4vw|PGv&6W+}{`nO#m~h&{qx zADK-RWVOzBtokU)_gaV_w*q_o3Cf6xfl9awMkibCy8|^11gQp6uysw`n-9-KJOR$6 zmaTO{O>L}PpSx?1v!x?I(|_6wkY->b>%;StL2%uc$gqV#JwD}4CD8d0Z02(-dc&t- zNe#Uc#dWA2^4R#0d-L=>>7wrdc$xEAphi@j1CgjEjC48%6qhx)k~%M{N1amkvNEC@ zA=zI2@zgfj=R*jvF-XZdViDk%x-e=brI6?f3{F2cFd>>dNWbnaqZo>1Wrj!uK9y=^c)Tw&|sx6>3%3*BbX@~gc5bBNHfRo}D zqV~W1(w1Cl+OFx$QGsa%y&Pv;o9zEw?~|w8le($$W_E5@v|ng~Wh3$9ir#TVH7E~T zqZdiRi=4X!or_yt9Dsxu*z4Rt*nwlVfKQLCuA)Y#zp>MYt|K;qU%)>HM}#=e#DwG| zfTO1O5u|FXs9~w5x@F+=DUAN_25h4gD&7y+5|NUUo;nRi4|$Ki5E>x>6v&)SU>=6w zNhGvnQC{_*IrURDHeuVVAQK@gQ=^>A$&OACp91?iu%aQ7;uDNM*URt@sAY<_G1&!~ zHW4GS*%e47I9D} zyjhk*+y{7{+&sSwj7tl+viLTI{5k5}RJ54dezN5z;&J=K13Y%C3Pm#fsU!9w9r?wT z7z^gpW)Xekm?(ry8Lf{6s~SVngykbWCaKV)PqjtLTJ;~y7vq2ftsV)H8D9}zcn%IX?bK; z&6HkO@Yv}>h@J2*s)P=!S=hg8kKeOJ(%00-PzWVTlI5wO>(Z`%!V9R4PlWGIL$}0H zYjnkQG|lM|x-iqEPk$8nnjn>24g(u}Mq9>W3N`<5xwk26J6jnc5byc*N3{y*SrYL% zQS{biIoiif_DDVSW1)8pRba+nbPN_JzR6^3ZA6wl(trR*9spg-!`MSEGF@@UDe*$2FT`=VxtIOi#7L zk*vi+(e}gPK1`fN>=&rR;a(B@bacjWCMHeOVO+hmBedHkFR=?Q$ni<(wn0jT8F_4^QM94bgRXlr@~S-qI610?XL+N{&tV~)2TRpRS8mt1h} zn1m5(^Y=rtz^^WyFASAV)twzQY&Y|*7sg3O9uG=Mt&~F*{7@xALLnPX`#*nVNE^Ev z@}x<1{M5~GDSTll>h;Rq=EzBbxZmxg0J#~2JbWY|<*x4g3gA(H+HiUMqT^EK(Z;Te zj>~Q?=HXLphc3(MB4z|B0%`m`(~y8BJ}Jd->Na+)gJWd&d@%N)UyBE`WaAGAjWBpW zLZ>Jy-52jvJj+-6>BcUN*Z~b~P+lKB&!9mma{_VBNqMvcR%y*IA?r%ZS*Y!7CW@RV zJNpXc{mgOu8X8cW6dDD3N$oeZ3e224Mmu5{h^XOD4>HE@I5r6;MAGu=`N8NOjF_bl zatC{snDcVRbdXB2x8@hk33#{izS+E8Uo0u>9Ihw}n(aP3A6y##mbQpxY+i6zYqz#t`t=vWl0s zB-~LTolWvyrYoL`0dY`hH0V)%Z+$UTKJD`}!Zq8nIQ!Kw1xbRQ4#~_OSZM~|cVV3gq7$^Sry+=z$7X5uJ`K1mPU#(uC z5R^J0jz-mF5)tG2JyG;j=2||`0GARcIym{|=haX4Occ*r0^^IG{+LG-7&XGyZoXyLUcp8~o?dKUzE0fF5 z5A1%Uw$X{}E&M6zV@scJ6k{xZ6|x`-gd?93+xzQ=Gk0WBQoPM-Rwj%Zd10g4*;jN~ zb;F#hyKtYP@v!^HpYx^L(vJFl{=Z|lV?RGO9IakFSpMWGGjTq;=16`U^G@@sKoJS@h`rTf+ z+WBl{;h^$?6i4gcHkGy#YlnT8-W~O2+QSeLZrU=t>e2r<8sS%C0WiJt{l7 zk*Ep8THj3aFiNxkL~N&=ERWRY19oy2##-~`_$a{uUO-*qMExUpxBD!WGH%COuG5{E zO_BgvaoMeR<*z8~=kb{A(>RgK#^v?9)Q^k3&7wf_2R043Hch*8#xj*9PkW_yE3M9z z8Bcm-D!G2+9)(?&I@eq3e{5FqU(uE}@g?R+mPuB!THbM#i|QGiFn$T6Q>`&e7gbrm zE0)2X6(`b`8WkODzVcH~%0)T6wC3aV*v9s}q4T){!6cn#m=Rd=v~s_zhT2z-njP7n zdVxOObYltzJU1jlnVo{lC_&N#htOe$_eo9FbB-0h=$J1V#xA8Z20M>;RRcDT*G{5?_d35`3rOu+PdVz<}iIfSimzaSvA z;@;)yoy6^efc^NyYMFDv-xJvzemmHbafiuP=RZH@HnWNZg5;5-(sSXKK?#$?^2Gu7PgdSM zkUzEI=Q5Bgzr^p#R|#0#r@W7yb`QBkfX1~LC3{NpF>8wb@Fu0 zmEgr4``%S)*rFRcs}XD2ANwFiDJ9d<{Qj7CEZr_$C&Zpy9`w!>IIkRUEDx?@19 zZLU*|+*lf$8(mCnCyY28_RkT z7X66q$AxIKAbnyb?<#oE=2f-Ag;9T+g&(eWNxw_N!<~g2;Z?YZ3+evqpzPoI`7a%!(X;f2x@C63>)QR2^i+8eVdi=|^jVqeFsdcp7j#n*Ed&n12j{Do<-KBrye} zsAVwTe#!Ys>P%;?#h?F9o77XvOxofdi`L$Q4k_;zQ*CT@{2cEk`J&Vts?Rb&s=qW2 zZprYP;Ar>SIn^^IFg^ zidGz4xnDF?Vq~;B9du+HFL5{*BcZbN%F$CzT)y(U&>I}MnT=UU7+%gUzEkxhLwYZ5 zgww=?u>mYyP2bE%dENf9`kNxae6i2FV5MJ=>RmuwY%|85nq=}6P5=)K^f43nqS66Mylac_*Rf~Ie>K@Cu zOd~&7x4Y;yJd<3$sJf}NQ} z55ceQv>YxC>|l5CO{28lxP*zJb4no5I*9*V|&D9d35S=S)Li@*_}IJ{?+O)<;CEQL{Zv{ z3v(C71*BE`+mJ4#o+@bSC9tR=v6-F95Vlo(Y>S19p%9XQ2bVQnh93?xC%DTW z@#5T;x5GWRCbnwmq|!7`d99cyp1(IyJMFGFq$e`67;;H6gknqrCL-##Z4;w@IB;+N)4h014@(PYmu+wb_mGRr+zq!yu1< z(9wxvQ7NTK|C$ar66bE^6TLf*eZc%Zi;u3bf$e{e)*W zI@z#`1r7&B;RoJ0OWVjpZC1Rcs*g()l4d{Y`7Cfr(x1rR85Rw{zfO_fGNyxb%Y4yo zdG|j+*PxC)$o>fWn|Uoy_O#StbdSZ%rV`u6!Z7aO5yBFX6w&v&x%x1QEmiQ@EVJTs ztiHJ@RhM=S&#HH$>*U;_##D0odNq*L0AS6YKZ&=D9?^U9gCjDZGc2>mn-QNrCgOLOWc38{X8e2^(q{}LgYy9O4Z_-OD(G^X< z#XO#YiNA}34VJ6Dqzg{y3Qm-mfDP*KGR>%LyXkO}ay&G+a{_Xy`*HY_c-5~)NUp(*DrHjt>4zEKix;9+ z-FIJH=f;0fIee)SVInN?g|+*JvtS_kGM zwx1SK`xr?27}GNV&#Lscybuni14va_L={=1Xy7jT;oQsIln3%~Pd@r4rh8TutBF)- z;#)SyEFCVz_-v7R@)kl)?w_QZUa>dMW7v^RUQ=(`v_N!k7ZX2QSyjv>LebF*YMY4} zWa*!!Ci_VMC(rZRVzz7kP^3bL7;z+VDSXbA(NA}tA0&@|vTE{ep_gNCz3-r&t*+z! z%OY%_#ehD;(FVU;S)bggPqv-oI-f7~es#PFIUT5Vx0TvGkl<~r4Ve%<)}uY= zyU~PoE3p0wVA7IU5FpaMDKB^m~>_eyvOT8$_vVweau)z^&!cx3yeEOswds z^9cT9ap@VIZ6gyG%y))h60bm-?6ZL3_n3=}^X%2VI8yRv8WMvt^&@_ni$1!HBvg+zemKlvF;css;lm7~La` znU86dr@)YJ_KV$N^-ssS+dA6vxE=Oqd-&#KJ1;pJbJ-h#xAyQ@ifz!7f|)ly-$EnX zAI&v0-!OdB|J8Brtl>@4*A?|QZkHElza8=BKCy;{_+QyGW*5?aZI%A8)QL zwx*lIL(|Lj#Km;;Nbo=XmfbWk^&}|Ir~S$4+_0Or2g(gP>X3PkgZtKAI?Q@j5lXDlJ!n4%Y!enIE+zcZ@=?Pz7(~s- zMP1M5RW|+C#|1@KV4Ivh2ma*b@b_b zC39rqdDcQ9OV1j_yZuD;GRR%ubNy$pBj%BomN2#3Ig><9d*q8_<*rt|VK%r7~3Dm{+} zgS%(R=nKL->N1+OH@6Re{#-m*=`x%BlqnakMmI=&M)*VxMyK=;ctbHAZnMUD7fJ!l1m^q*G?38@0vtY3By-hbRPXQpmeEAJOLq;hWFr$j6jAIzBiI+TLl+n{qoOs9qA=*XAWY$n->{kj-nf$B@b-Sykw3 z)1bp@Lp*mqBM#lA)tkeEE}6Z)g>>c87k|=ewV$uG+YavR{Uufx@?!pHa@d@Kh?8xx z*0*N3aD-}$F!os{!#l2vf|xDx`Af>YmWQPbA3jZLyU#jvks?xs!K3PvFW>%XcPY*I z@$JUbVF^Jor3NLWs^A1Y2g%eI6}j-dsffzWnDrT)!x?sm61KW0DL3AJ`jDtKB=Sm< zUg`oXj*k)(cTQY#;%F>$?`gHto7aL9lpLf}HyoN~yh@PAGLwrtHy#u4n~{GPy04Nr zQZxZ&vCt99vwWzrE?J(Qaqmrb!ee@+9SS;9>b)sLFIf5mVnAS18F(0yCQ1+9iSRRA z2){9rE~Wz~Oo_+Ave3CfQRiLz1ncqExUmDv>$#$7T&5g3gptI1?kQebViW?hAMB`2 z8s#qP_jOw3jcdj7_!Ii)KQ9hq{zr9R{TEf#y*o27baxL(iwL3;(kVzIA=06=45)Mr zB@H6dEeaA+A|W+&DIwi6gdjOIlJ_{g-}~PC7u?UC&-^rV&OU3ez1G_2tY@v~+^~l{ z(1|uMlX~UFG#cJnhJNVbR1&N$J$petu`<=SM-SK?AwCpQ20t~<=@+lu^)bj~N>ZN)?KtPaj^XCJ(uI%Qsn&nk#uiBc z3EM8D|L(HQim#-0)}$MgjML_6M7Bm1PcHe*%Hj;RVH?fO2c_%53M4!BG4I(D{5F}V z+)dRi(x$^lGkd@51x~7HX5l6=SH3o}`B+*>#@TJF5T7k7@x4fW3im+%hT-cG!S}wR zl}?Jz$uj8pSo&J1kZ2vrYl*;#{vBaTD6s^lSpjKs;sSLifpcW3;% zlP^^1HH2%0mrus}I|!+R<7_9sXW!Lw(Q#&-AD%R`Xm~;dBXhy)@+hAhGDrxK<4pV( zqBW`V#YCX{LByB#?%J4Y>E9d6Jx5&?EHBta%NB-izwwdXYyfyKJ_9*1280xo7s`K`Mg7G1{OB0c99GDdU&kXqY47@JJ$o*~`6BiQ1I) zakRCyRnOn;!Bmvq75Io5`(>wfEAe%Z^&}g}wYwqQleE3u+vZGlbLVdY@S%=XvGJO8 z%dGr+=K^lDj(_X^9dO2HPQ$~+r-XLRZ9YJea-PJ5j9Go4TzC{E_A)a+-?J)n_hw;7|oJ z*|Rj7KxYH$mGf3*3plVCgU}S9*Eh{MjK(fMy2Ig$yXiE)G&*P_! ztoy4~<~)|Sk~)gDtZyMlV>a5pTWM<#`Vi%7k4Hi z)kMZ|O+hv-vBXY~*Bl`pO#Fh#feQj4PjI?0c13jS>wL1-_&^%U{D?O$(j z22KXz0nl^Gg6$lZs380d^qY3IV*et}Kpa>R3)5kFqf94pKLSM&mDhvlMHANjKK+NH z9~WReP}!X|(gKZl$oKJ`KkoeQ8H}_smWNre10!8uM4gofwWXH^)EcLuYvlsvf_z*} zt86_^nw-TU_Wufd!xmx+Nx;tgj+2m>Fs#_|>zc^08UVB3Y3{6XArD*F$a0$bx}6z$ zRm;H$B0$A(tD|f-XSRu2nAQ0qljCC*PzG{r8#LQk24Y`-%+)+pSVC_&+m;Fc01${h}H-wGnVu!`FMJdc}M$o2fv|M=n|MVoT1qS+SSr^rcM!>ff;-$xS3YF{?9 zqOSmGeUxM84GvJUU1}g^t?51%i&N9&^XcqP9B6TPFR3BAMD@|OUpLSYB|sNILf`eFc_5IWt^TYYA9Q4;VB$z||R(xM=tRle+-Wx+`d$ z0fd2%EfbBm^97v=<2fGu5jq5u7-UZD+@ zqnMSdE+`dF@ZE+f8~`{b3U+tj&~VB=RWxXSj&AYS>Zc8TNK|nC9s%l0&u@q}I?SMb zU`S|L@k9s27pJdxGGwys`}O&QcZ|0XuJj8AE5U-uYYMY{-6lf&yq9<+-qXV5P_A2u z3h$b4KbjB80D2>z)d%b2zN=Y!9(2XY&vb+nDnNLi3E@jq`SS#{{eKz$ww(4);a`!^ zve&7bKmf4)zd|cj@aFH(88HX9ExqWP53N5MQkcn>4wO6cKqknkf@p^!;sVvg;8nDNujyS}lYqehVc8S}4`7U98ZWn&K7t7|6Dj8kx!?OfcqJ z^n2%Ob#y{sOi>4vwVu8664Gu7oF7h9gHUu`c7=own7;*8K~r(DZV+%&6r3mXTffjY zmiRL24{idj%%q|;XLuGe_g-sp+6eye*#!ZqaV+0T(4hewUwBPlQjh1ijAEt+e3 zOhPn*|Cub%5S)QHab^m>UyY2gF#=^p!Cttjyw8OffxFd%A#2%PUmSbUZ}vvrd#vE} zH1~~74qAe2$nvt7nFyp6FG<@oIibQ{N59QxgP(^8B9*XG6YEqG+8aArVk(-HWS;ZD zI35pXddDg=@Gsrd$zsZQPmwC@blCS7M;`pX@K3{3)=4L&+`_9TL1wcBUTdUYq%#+t z!SO+TtZ}9>I$~1sS6q2!jU~NACWuJvI??4?Q|l=DJutcB4CcW`I}=2)rrgD6ZNL*X zLb20g2c~tZoAGaLNU&=oe^U(nI$!jky)a^ydJML zxBmRuo~KC`u5@CU90sX8btmzVj0<-r%~5lH!?b8?{S>f#;%ha@|HAdlbut?~*xnuv zNPF-=N@~{rUQK*V%;wAt&qEaz6%R3{SQmh=^YVYn1SUSiy@A>uB;B)#cnuZc~+3P_4TyTt@Xh_ zXdEmIPi%mN;l;Nfx7``>DHx>!3MfsmJCaH2cTKsL18IrIFO~kwMHROU2AdP+fE$a# zjYRqX9>k=HEbA>h*z&8cYJ8Qo zpFg?_hM7huGO*0K3zsrIuUwtXhiBPL(0>a0?=gLMz_3YBh?$49M;pb6P#R~0C-UCi z3^IC=1c1Kc%e93DFa8s%An#O~l8z|R`y81lEcM)RhPB-pT!5vMtRaX36qt@nZ7l86 zravQ;&C52!-4Uwjazy+UntE-dH~7YJO=~If&R9nZR(!9)*z-&&Fl&28LCxbZ8)D&W zBT?4LB@_?Xd%}_JXRG~$zH0xctlxB1_Qg014YSLsDRu4N8muorl5sU2hwT8E5_D(3 zW#8;@UefDiBk;qe2FiOuH>_f3(t$&z{HLr4z*|9cZL!L_JgCoq^25ZNnh<}~E&O^V zR%^`-Atyk>omCs8dtx3*hqTKiT?lUg9{N1Mb$QS0JJPwX<6o_}qB>D}bjuSm;9dzWulcS(UjZ$;$_GWUs!{AYo6F z4?{c`{M+A2hA4>=TaI?MiPtF-xczR0$NU1eQ6{WkMt>lnhA*Or6*l>vcfjmNzFtw8 zpVvFDd>B_l@8e>;`ycE$PVVdR(+=|2`)Q36a(=t*ZWFZWyR61hu)0R|oLHC?Ymdsh z2tx5^r4%zn6_*r4l0}-idgbB(hGuC58f>!kUlqzWJZyUo?r0fkKHCt-_6f_iV^sWr(%G=6E#1vgn%bApDFe~_cL^kC6v~eLR3ys{`v~mDQ>x0wrh0ZqD z)xJyUW2v2W%LD^t699%LQh$C9#K8YpRPSdv*>jtXOZa$g7$;(qKE_4wJ@@4KMG8=H zVW3e1pq6!>J7P(=Z+wFWn=Wc*#rP219+8`^f2>7-6(_>3xIlV4U_uw8;f|1STndw- z1rJ<|1Pd=ty9H*D2i#FPTD;m}P)lz`tn&%9EnTG;p_rE5s-b>;ZYmo`O(=DciixXUm8bynUaxA9#2sFp5>i5*H>9oK0ve6nm+u(Veu}C6dnTPcU!&}k{nFMye zXI=nu`Amn9{quXrvEXF>3Q`sdxnr-fRKxY(_rByy$*l@G2+|F-iV-t7_MTu_WWVV2 z4a@3tvJk{B83MF`@3~#&s%IEW-wUxLbfi0c^7Irwy%-|gjC=;%xlq?N-GsixXx`yx zkuD&;7W-ZM%9_P;KD^5O4bI=@EeFQ+6i3#xbY$I(_CiSEV$SAA29it zHwow(v1~M^CwhK$yHbWlmPZzA4QE&wA>zbR+C~)qVtYhj5x)>-lEQkRqx-@#$oR&lXka#&>yNd zlJfIGtJ9_X10gQLe810xb}l-ZlMmMiQH)fsHfy@#&fY0)9+hd53PjjvuA0Tv8#Qzi z=Tm-fW_;)0?6&`VoHB8Xq3mwsAK-F(TY~7k-p{OJsI}dp!psk+ptne{ZbYmO8V`8?>5WT=Qqmbe><)Ylia`QpWuiP8|^ z?MQ>uq-9=P1B02hop@`Stw#hYnomUHdN&g0dGT8mE_$?;j*HwJmvWxY>*^rr) zo_ylNugxnpgo`^7S~=yH~L{w7->{{&Qitj!=!AII1+wkJ`Kst1aI=^{<__NQ8sU$+r}{r)GAM$R6l)h>ARj|=|j zS-Mh*`AvqhzSf6*mo}AkcQ3qeRqj#R*V{YfW-E^&pT^zx*8@JMI3}8MpUk%S9(M}~ zfDc@CGYtfOqQ5@`NIdKfL-uIDslXK@Vx=J8uQL?_*+u!C1CTfEs{Ajfk$t`Uhw7O? z%#vH0NRp}NEBHU*ilApGP%RUqAb?mj(Y<4Tz&U?F(KqHXcm#p@I|{72~(nr z#;0jgTnHfr7y*iqeVk#i3AK$U#~aD}e1J}NGHq}3_$g8D2Y;~CQNiT-TVI(1zH5I9 ziF68^9J6-ZQe?F>bgw5vXJ!*BKHYU7Ts6_Ql}$jv{t6Ou11cpqS|qk? zUY-?r(GUkmCjAe4;Aezfv&V`yeSlaB;R@Uds{c>p@VNw%T%&5bM}|Hto+j zJhFSHC_L_wb*@P+xRimL_l_jX)yOFxLx12J~OwCsQ#7dVQrZf%T5D?lsQ9 zlQ=EXrR9iW?-MyeEB`mp&@167f-A1_*Kgs9JOJDg-%39)EFp;GoY5w}V)$N;wzW^@~c>U2ex?K|Em+{&> zjzkLo5*3f$CD#VIWs)=_AEM96e?3DNEx8ii@erA~?7MyrtMaygN3r-Szk)ZE8uJfK zaFM+kDt?!ng}&g)wH4&x`-l>Au+3+e@MmVX;NuImJTxMD=;2DO5MzF2DbAxYe7#JB zg*=)R3eGcGUmtSOihF{Kh)|cT4WSexm}bY=81{26m9EP?WEuy**Zt^BXDC>|OWLN*9JRuOOh3 zzX1MF2;e0Lw%Gjs&t*l@;oq%z7#|YU-e+nkNoe~|&bn`vT0vtid;D&FG|YvQ7`rA1 zj1%|kS7VGgI=Xf-yDCeQJw2*HiUc`KjEqyi?4?9DMPDVv&H)MG*`M-kSV<1hL1ksV z(jyK2uN9Vifns}fHxo#8QFY_yqS~yBEZZ+ce#pDD}Uz5+^hAie~1w+9_PZV9$*%MLEp(Iz^*E>Jt8eb)&f&D4dVQ3InE2K zHE0|4n_gJB3h>Hb4!OL%9BgB@d9pjada}?BGZ}ZT8@<16k^{VVB+$xuJmn%qmZ`cl z>Fefk`AOV4eC;COEb%gLDssYiWql}YG_1GXS7%MTsioXcYUzS}tp8q)^vMeSMU8a+ z)!hY&rDu(r47d-OXRpek-*VPbmsE%gB6 zwN)j(gwy}@Wp8ucuc}hUGA~t^>Mio+sZHWNZ86Ibi@!?@CagZ%0d6`B7Fxt9(KFXT-VR+`Cqe^VBA} zw8KUY2;nXwh(A!w2Y<>(Gp-h0Dl)b;zF+78_V;_A9T664E;(ox0udXFbr@4yxe^;| zt6jy!m=or;Z>Ka;03S2e^3jXp8#A1>CL1Um{E4D=1w~&?>~@*@;!$+X^qR zANkHed?QWl&)Qd^j|-q_xI=kr*+hkZsNDhCYNXXgJ{wBEuIvWd| zt;`enP4cc0SVMlDtq0k{*M?z+O7MTW?alG>c zGC~xS_DhtOhpT3zo&V{dnZeGl>#~OpM`W7(Uq2KjqZX*BkhDdPgqnM{UkHmlX1($9 z-%0ea(*UwOB}OG-9tK++^)g9~Df^L^8X5?`i5-F@uZB=t?0X~19`p$fEHJE*I?HV8{hrMC6@?fQUh0}cUuQJHr^G2}0fmFFk_JNyq zeva+W>bqCr_nN=&CHeo6?q@o0n@|ef>u0h=XbT|l7he}zBEq7-2R{dg+MHhG#F}u%E1Qgrsa6-ZbS&79{R)315ga@w`I+7aa`I_rWtWfucfNmK`>%7YFIv%I7D*~VO>J%- zG#V;v_Zy%n!3MZveOzUj8cB15 z^`QkXoSW3M2VmTNbep7$kUao5fb&E$1RUIE7Tpl=wusox=&csWCQfqxK!vblfhC9~}?i=4psV6Ph z5ph!`G5=-o=iSd5p|c0RyXsY2(e&r}py6Bt(+Fz0a{_UW08-1_)^fR3jNTV5!NO({ z4Z*J<3@>k;C)dqAxUECi0>esWdSDtXPDj1> zH>8a{kqvC~Vbv!z^9>(<-JCVlr;Ugwo}#U;1X@ll_aN5LoW5(t{+2 z*cPuizaG6{P-_tVV)<3#V7N?7Q!oSgz~AG1tUWfQMHOu6+US0g*DTH#_^74MV+H5r zd&S5sEwb)E3c4Rk`hvS65Q+CrjIE}%q6sY4L?d@%)@6#*RL8^I8x-{pw}g)`Kb41F z33Fv6qM3)sp2ag3yodfoGP~$bkzw;!%yrk6EGm$Zs6kJi&E8|VSbuj)JR6*6!KjA^W4>Nn zK4-*?FHb(mv=WDf>=GXx`qc?#l{8q+tm9KI<1kGPPYC&@+LW_D1>xkddfsAT+!dxU zWmprQ&4l&l?;0u;g682+;q8twJw=`jIZ~?-lAsyJZ7zxT&>B_#j`7shJK%LPm2xQz z9^^IceS3N?YG?U6c>^)F%##Zz(D|c=5MN56XDGUq>CnDC-BG%nA69*X-`5SN8$I9Q zQfN)ZE7#*0#6|3fwnEy7#nN=U(6nn`OQqVAal!AyTeV|fPCmK?!R2uX70q1Xw5Z~( zplZNFlwU-W#3GJFO`u&2{TYXbuTE@OGsyRcSh~VWU(_eqaf$q(#m$Tg zZ!d`ci_tY=apLoLzQG?=>K@=8j;J%%B^m_FGdIdQM(>n9QHRdy&IQd&szKH~yOxsx zH{C@K(O1Fl-9o^d13sziiTmfUM^echu1D?c=O@lXx%NMtmrt<~zg$uO6r|JNL7tHQ zhwiQ(h@-+NZ_d{Nj>keI6LHF8Q!aZ+^px0gvl8=6`JO2{CZ}iSkoxs2Ol=<}auP7N z!!&2yv2absRiegy6pulOy&2ea=@7a|=Zvow%~pq(^}0B?VA}qzE?luK?vWmc!)j!m_ry5k3I?3sH; z=DHXJ%A4l%frbCQSEO0GcIuRnh~lGq6I^b!VWfl1LxJl0@vSOIy8rt9@gZ4*XNlb; zZT(NcxWp)t1CU^6be-r&l^Jfcz;oJaI^?8{Zo^zj2enm$QhK0{wne_^!wHa$wyEHl zT@|H1o2bT3m`*F^n++>C)Gs|qVtck#JfNe#b0Ngz9t-5S@ZHVA?~pV8qF_(XbC(Wv z#)VuXieY12fN6jrrIIRameMqhDFMP4PPxRNamIA9s*6m@`)C73D<^`!_fc^o_U_d1 zfDe+Yxu5Jp2~{1z`AS9QN@7CFUSr{PPqQJ+?9B% zG8bF-%Cm@*h1l%GA0NJI#@iz} z7U&6Pf&V692zmdCO%j>M=_RW`)|XAgVn<(^fNrSTSR(SvUa&s?L=p!_N}do^HUo`37vn;B?CT)3a8&sYCJHm zA@#pep}qLetcd=ZRp3(tby$ny*cDVZ2R@N!sd#I7kj50k*Ce^debkYp_pion#VVws z)B8D%9%%b%=}nZ}eHL}1V}aRcCncMtG4jI=UWe1D@UJUhT`MTVDFW_%zDGGiI{z3F zv9tIkcCev1KIudc?*JEn0I~TYQ`9x+RzkdzIREA{!^bY89pfGU$S`t(+;VlAT6CCV z_`yo+?|s!FJ^W8e3K#UaD|VaNF+B0 zt`zQ=ov~OHAERnQ9VB()+!iyYl3zpni3)>uD8uKwv+MM34%*)R{J_~O|9iG97sY3y zOT56tX7?6!K=t5Z&e0swX6qxg6WIEQ`|LYTzk z-HgQh9yuVN&X=cQI-8BL*g5Z!kO};o@FeCLa)tkj@XcD?0rU!zkKY}5n=8-O1~`uKAAZdnRtbA@6r8<$r&hGm8zR?)Ix#7NmAEL-@_pU}wF6gPnV)Ndi9&eaFx_wo*=P&VXi_X(K z+4;txv5}D!BL!)Z$?8CIUxN?Op$vPJ5n)yXRlQxw>5oUWJb`Ovejfvu2@8 z(Rn>-i3%Mw+`G(_zIV_{3p~YcP2W!vohT#ouTY5lhWUkQFG1~|sKkPD%vqV9uFw0x zwE~}!^ThrAwHhygXCjI{0Qc=e;4Bv?)Ta7V0PAASn0dM#Fe0J7{4ETQDuhqE?f0lDfzHg3p zQ)HMhL@}gbiZ~e>kDg&ZSTdWYdYVzt?+EC3KAw4|mK(Zl*J;t>C%I09nR&%{5Jwo` zv0T|hdw#nN4@wfS@5g#zluXtuG~FrfeI8lzVO>KM7hqoMKxo1DwRttKb33VgWn^Xu zx)&I*dmAUst;RS>MyJ+5GL!Vs^XGweD{h}Z>Wi6#L1Dxh=882l=NR)h|6`<*EEqUC01^NV004*q#RjQz^&kMi2s{9Q27m_D7PYr?F|~8i z|L*Bv>a5G)VQWKF2o6e>4*>nT{{J5T2S0&{v{Ac0CgiZIlo!N=S`6ly)Vau>g7I=V zl@qYvqX0Yn^?HQRmMaqwpy0vZV*OUK;k}n9)R`7HU!qOQWrZ5hC&!c;0v-4x6S+rZ}k6i=+93ufYSfu>K0Ef z1z=y6-7imu`*L-CCsP||Muvad|Lfxa2mAH^F!ZX#br~?`FBgZ{CZ6!+T&E$Kv#}RD z&KY?D7_+qFZsJLm%yo4Z>=+u-2X#(N2oi3SY1%*7p5 z{fn}-;tV&#k0n2YX>f^3O4}KtkYDVDP@BhyZG_5IsxhKmj|$l zs+=yq3dC!yo}!0;iwvXlB%E$pvyi?X!~gCxG^_$EXkR`91P1^J0ni{04la!U;WrLW zrp{mMq@jzYz1=^n=Y!|8PT^LEug^_av ziJDt%ndC+6vLCi_Ip{aB2E%vvxJUV)xnMMFx_Bm=kEJz9iDXp_EM&B)=b=3|`E)iw zi-_dOo7k!HC4+#De$74-^rCo$YTQQ5gYf|z;O@iRDfDiMsAn?+DQhnZVN|~TIdt2m z!F-DI5RZHCRER9AZKylTi{!uLudW$an`?kS9-H5eXF|{<9p);f!G{SgsobF*Q*L-2YsV;DAV&M7*J*&KDF}&4S{ksKac~Q_046ZAkKV zPWNi z&%AQBu{1Gt{*M#$KU3;lXWeOi1jSbo_yIEbs5$jssO1R% zHzk=iN|*Z?|4kb5k;0QZiuOrM4}RG64ddt39PywAqWKLQuFLzl?#ofqs7rFl^RZQ` z36S=u+}!V=jA_QwK_BAk6>%+P3TNc`zj|47xE}Shnmjdece@>Oi7#~Re%hGkgW>h9 z@8kF3b6K&%`e2Mv=J~0;zuITnt-H*YCr2HMUI%yC1X?qa8(yHN4>z+Bg`QjPkA8Kf zZhYS=>*Q){=V|llF1|QsS)23vjb-qg#lrn%M3lM9qoT#s59kq%(DvMsr5=@`n=(J& zTRWvpOER1g%sNnaFe0%*B$*Lg<^*DT+tS9FKv~3M+4%lgyo~HQtaUXgA!Kq~6mVQCs_n*eQ5Aw;w;ilEzOM|E zufz;{Z1Qt&h0*4E_SJNtraua)zONN9Av5u~K|*YBb{V0_iJV&;R8w@RuBh$FRB@S} zc9~)>k;@oZ%&rY0Pu=i5?IsmwtJ^2}94=Cp1{(n{V&?X&({0zyXPdjS59~5aF8J10 zd+XZdlU~d+edQ?f3)Wb1h+~|Ri0C`dxcKo0icmVXrM%Br2q-U1Nv@sz#t9}{Bn&pa zK!X`f-9ekj?FL;gaC77+M$5F^hPE#|&S#^u&E0d%=jj+*V5F`j?ABXgtuR!xzjJaB zZZExe^`Q84Rm~A8W~m!z$1pfYa1>S8#H3GEHnbVv6soJfvHn@;xim=1;djHeGU@i~EH_9O4Fly*KX0~ma9Nx$y5Sx&TnuTDLCH@6qLolH zotp=F1w%Fw&Y&BVbID&S9}&MX=U?+DUd0-gI$x==)|6g5Hjkx!~Xa%yIf;Qfv*93lkfOAPS*= z!dZ>)&p?iZsctIzL(JTrXyqu9L3AGROnQhE{H(azcsrHk2_dusa}q`7S1N+APPNeJ zH!nDVCLwMDBhg0_R`m;HPDUCX);fnmix#z0q9DvF%u-jxvrGxh27rF6Q4pqLm0l2s zX+;o!JK=)mGOpNBc2l2^9 z>rX3lt`(!L<<9T*xHz)Hl=n12-0Kn%;f9KG>hmNM(ZHsX`1FdnwMCYLnfI;WEL2S( z>_$)?OR?S&Au}#3(C6s-{lLiksSE9mPevh){K5HJB5T{Dv3Ai_62B<$`^c>n>1nvo zc=1kzDm9VOYkEX!ykqT>%3iKw@j)`!z0oEtbn#pS!(WCQxh7({Mvqh-k@^p=Tv>;m z(!QtMBtQDSU6=R+O%@Hum7z4)&k9hKoc-o^IO^j$=PZuJETU-%X=Tr6lNi1}i|tGO z>2lkqd8MnUpEk=XkJGAY;^ncuf17Z~@mLcu1a|!Zgz@2^o+u#o*NZr`7_k$TOzC05 z^^|D^>ev&aBoEUD`)-h=FPYJ0@mMmaQjWV=h6>EXdf_e5#8j5nu*odqAuB?4 zGd*f;zTDd|_LgbQh*O#Z6rUZLsnVT<=YT3xP4%k^Yv1ZpNqDF*El8yRCJ7&+J1xyf z5hK_9jC$fNc5;7gYh?}ARhFkxx{~Vp)Nrx$yr!~?D)EPf5xM~_nEnK18WA}jD8fKd zWs7V=7*g!C+J3EE%L7tt?j>EsDgD%Zz1y^|U2fzJo+5f90h5fd7f_TvZ4;LPvc+hX z`()i1#vR7%(|oZ;j~Z3f*%6KEc899d$R+my{SS`L-(pvZXJq_b;V?q8aH5haUfQLS6Baz%VW7ehbha(fj9Ldvn*P1vjJ}=v|O| zpPX^nhEX?ZV43v46jxiQk|HILscDLf$cw(woI{L2lXg@WIMF2Uc!5o)TY)4WdK)ns zstnGvVLv9dSJkJ7_bM^|tqu;nca;^xlKSREqGXXHmJEq!c}Ba>G#>;_+~{3Q{+*ba zv;-tLfGuY{M&+l`3ezG4C&LdL+&961KY!@G8xd!>(hi5yWufj9>(9Sy@Rkb326xDD z0B*!Ga_Fv1RXEJta*s~lthC6_ASTQe8K#ExTr)iU-#)IUzZ$|T`0OWZ9g3~?6SAA2 zb>+62&?E2)uavIAL&E#!Uys8B;j&BK`)#>!dO`3;=dkg?qOGc4@D}?E!A^DoVJWYLQrOxVcN>D8q~xE z(@PWo$fiWvyMV4IxZK|+z}^1X&GRN4dpo$XM~L#>bg7Mo3y#n>`H2z%ZSa$;4<{kQ z`ZOy5{Dat^Q}HbHCbJB$&SPNr9RZZ^El%(XBAUHLD<;|(Atr%BU=Isb4BwCpOjday zRGe6i1APj>zTpky0udXjBF{t6h7r5KRMW`achim#^M`)Ng6H;)PQm_YzSUjrsQB#U zvH`h`fKgf>jAB_!i-ZcbfK}?%ud|54hzizPuRMdXk%!Eayh_v7LM8)NRhkpiC=U94 z3&l(AQ-Adiu!e{EY1Vwbc39P)+axh3q-_G@9uY1Tj^qFR z8}}jd%~}QXx$zl{Gl=(z{WLs11O`}mcWP!AwTEiFN!SoGcT4Da^U*d-1g}PJI-^5l zWzZsjmANpD`2GR+@3s<@%#F!rumC`v+P_CWmj6ON2~^+higzgVZOZIdaSZOzR?ij= z+;%$3D<&A}Do_wQ=us7w^0Dyq51lR(sBbDH@~c0|Xrv~-0l>|?AUAzWrvJh}UAS}J z(X}a54pxmQN*?2KMb7!C$eBM6o*WN95{xJ}mL>UQnuzD-#@fvf9=EIef3CM2jFMzY z6u5P9Nh?UEx$5Rd4@Zrf@+e|%qnl=in;(g@E1q6Av|%Y$?iW_$(~f zx|Qo^=S@?T(^IJ5vDNYt12f58kDqs))EH9d#&mzC0NbFA*4C_by)d?HoKoep?h1YM zi!Gf~^t)@u8g6YD1wQ_~*kVkU230lgaw`TR zsRxM22fBR+iTmNA;Smh;*;F3$H2PC!{o~EKSbadyGws<%1tV&=Hx6;}^z zRq%eHUjQSUuNuykXe`xwfpN_V%Q4PVF%ThRxKuJyWnf@0f?Q zygJMRS?A80$VwIxlYBF@KHiJpU^6O69Z7!-vH>K2dkv6M)F0@ zFbCjSX)MjL3#ouAwi-!>#qm4U(BK$q>2_KV#MDR{p0im`s;@N@uN>uxbg~V*g))b; zO4aZ=n2|;hA@k7b`Q(65VF0gDhFV>M)Wv_{pc54p#jff&U3CoDD(9)PeQe~lzVM1X)q7OQ!z#Xn7$Ysv zN+*Jqvj8+7uu;xq$5J@NN#IRETa*=r6had|&IcT+CCJ1!;Tv+Z5ryTEH_1+I48+=^>o zJ@M@?x{Ztnis-?}rySxy<7w~cRDqZm5P}b;I{gH9eh7#+PgD|azriDwLf(QNl^h`? z_Qx72U8E!0^Aw8Paa*ViEX>6^EGNP8IOTR=4iRE50O6>+XHLj=c9L3PrIDK6g%$}R z@)LVUxrY*eUko244(QIbuLUD?)g{<@TQ|fI?F*O>T%o0Bhwj)4#NtIS6YQTF6(#xH z+K(cU!y=K~Crt2{+W$w9%_>Q)5}w;^-jxxyy6q&5#3iU*4<2j8Ft z-DT=VBn`lr^CqC3(jy5BP6+zVd?yN%-2)#aB9PY8i$z;_ZH~r;B;{$6iP+#u8x9GT zS)z(isme@*u59poSBUgDz(v4KO9fSGD@x-ZA~a0jo*vVW#Ar7=QCrfD`y3&7^7Zp|rn>~P-EMPYtFz_oS!eFm>6>M6$sCbG0 zk^Cr~CNkvoI+|I%3aOKp&luh`soMH_f(#?bmtY#`u;Xj^_9Mx!D)H7O`I{$C+tIIT z#*`Z%zS!Ty_SVMbb>D*>oFPOd8A^Yjf zUO8tLya}Q)MdQ6~eifG4gmmX?&Yni(77J?F0lFp%ACIh1mTtJx_yI~MDJ1QY*0pW^ z=Tcz&i>>Y&@al37t^;vaEsJuF@PtIL4broikl;DYd;2mSg?&2CmPRP+vn92jN1S3k zbAs=3Fv`?@%*#9uM`SD!z?6ic*^-czj39&*SV|#W!Y+c3D6jF0)1mQ72c20%4RNCw zr~sMs1k?J|+t0)2yQn^SdZnv`Q=T?$>AL65oQ90e!JI1!oHGbWTsS14C}IF@d_;Np zV64}>1uJtJ~#A!EVtK$$JHu_ybC_E-RITVjVZSQr8Jt(qQE{G0Jc$&Fmb?O zCRjBeJeicmol2!fT;pxR1>WjZ@9LBl=X2x*yep|EUBaMzmeL5olnlXOBm569{Gk{L zBh$mz??V&o-1Ev&Ar6F(x$@Ee*m1HSQI~PE(V}di%lY6gpYol%V{#j@(jG?TH7Voe z$!5lasRU_^2Vj$e8%1*|vABf|D`|@AgY!xmK)y2mN;k@GKsbj6#X#|;`-vBd>W_KN zcb@&3zqda6>aLYq>DlwFq&vfCsj_c| zMEB>zcAnqoh5xLk!)}~(ip2Kx)cnYXLcJ?JA4N^VV#Q$l4q<_}CQd>@jW+Ul$hSEV z$q-1r9xNsaHlk?ZpCM`^mu;@M%-SUoXxVO~ToWi;I+aT4b7mk#;$*{#26LBvUV2gl znkNPtmiE6oyTAWlN5+tt|9fP_5i_IIBE~G+(KJa2?m;2s;Dvx*#2he#W(!XO;>pOu zO@^h~*G3{y657ud`7I=&uz*Dc&6<=iNC*cL zj8GLO`3PKy5xX&)n{*?JNhK0&pXwAqY7Ny2HJ_%JqAhO$d zmW(3=Cl^j4YLpqQYsis0?DVlMkdI%>F5j`tA$ee6fOnoQ(+b%m8-fZkiPE@LnXLpd zL9{OcDy012vcT4XPhz|lKlXuR=NRzEDQ5~XWs*jbdM_C?Fa$DC!K;VN>h@y+WtRi-TpLU}(A=2s)64MHLF;FX?F?PRR5H&X3A{+8H&+MV4KrVgea;V>8h~tVC$(TT=D6?D6RI+ zOTDer0t*+jXlc5pZ5q5+bF7yFHM^ATJ^)n$uU3bp7Be$s6vo;oMOsT+z$&vd8i1MtH)RVb5MQnHB*dEW^ zbou$$@CsrwUM8;&<`<+OK*LgKeWO4ST&_)XN7iA|_{$t07K1hQey92A00iG`)Z6AJO< z7-kS9*$L=55n?S-wfcwmRhVL^CBK5oF-MrV`>EHcfzx=BhrB9=p8eK+JAasAeyet3 zeHKjX^9_uXH$CT%yQ1Zj?J0!B_R~3iZ3fnNs*#0caxTNrEHx1}n>@icnQg)j4>Ti~ zSLI%0l1<8#GMLU)!%Nn)%>+w*g&Ks|ednbyqh`kW85aN*?A}eHfGRWNa-8CX7v#kQ zJsiC?;~4t;bHb*n?DXS>^uD><4!tOEU|ueN=kyz$OPc%T{$;ISX?uYm$md2H1V};+ zi9C z@uI3Hs;h|}#38>xKnXp#Fw(tWBp~1Qvlx!-7 z*`v>U^3nJ+pX}35IW<|m2sNomX9}TDvjkvFsv5tz7Vr*opsdvWJ5TUEd739pZNu5a ztGWPZ{a?%~lXYmW6(#9IWj$Q$)VPUNb`~h}D=2(t&O{{6Mc`!XmtahIc3R(7wumcG z!)O%`Ln2>fAp5HpJ)eSy!&SR#(ZJ#A#+u)xf8Db)S)C~k1P3(I{nnev@=Xm(T2`)k z!Q^I~v}4rh1^Q8_+hE4KTnAXW(SKmjnO!NjzwvuSv+tW}ZcuGwDp<}GZb6gw;_Ap7 zX{@7EDRZ3>mgWHB4-5rqgTa-X(v>LE^WS*~^CS2a?CSZxQcZWnk03kabmikE*-`G& zt>=7_yhH{uQb&F&dxCudPbSeuaPrV~6gBcy(A*2K=ay0y5%{|+dA!B}Q!f>2%*RVx z*uuec-;Ye4=CQf8A=)!#k=6c7`;n4=*cJ^e*kj^Ofv(*TtF1O!=wiiQ9=6LtH_toD z9ZcJU)C!)fpL|a_KO%@eIRcMNd~H`?2Yt`9vGAU;Iu$)q#G?K&90|T3Jt4LrlLkuS z-hq0+cgAL=PhEN|p%dAjUFoWRE1O`gL}kvBa?|&6QO_R56?IG3$}DDi&4wnCHjsQm zyc~#5-7c;Hnh%cHEDNj@JpY^;`Xq<+eH@lN{g@4rn_0P|cSmhoB6Fw{AI`Of*wI|U zZQl#XPjmN&Df=$PbMc7^F*3Zsj|VwWFyi>OhZJn??MI&DSDgzSIFbx%Oot6QOpyBh zi3zdrr$y)XC!GrEk#(-1Fv&;rK&7~vpl-g5TR6nfK?PD{CAjB^=2;;S~1xKvxWElu-4A?G3;Z`a>G(7-b?DTLdV?F>IRhMBGu_AIzG1_ z;z1_^x9>#1K;iAAI;llgo^7o10+3Nx6NgvtD-OG>w5Tqj>SpQ0lbzLU=E}I>Ab0kZ z5KlOAkDQ_aHA+9fRhi8RJhJrW{cx)&;%AV}h@k9t)~hLC(7}Z*#Oy|L`>8?XtpnfZ!L7c(Ug{cAfY2G5qum zo?Ps8gK2Zv+q2?s|K{{pN)&Mm#WMk4W1uJ&!wXuQAR`2m*aL4(;W)nh^OksdpL*rI zu1uAG?vAE9>O5Ha@lf`nZfK)qAvQtQ=2W42rgZ04A%tEqGYr#-LYYmRfWX*W)e09| z1;S%kmG*p@@$+N-t9eGe2kQPU$a?T%KQ-cnH;lu5F2Eo`)iy!(SmJUk$50KAr}{gb zz?xF0O?=Db7WmY-Qa!fqshg6)Qz7Q|tqYdK2x_6uccb;!oV-3K^BTS|h37kKW%Me0 zkewXSuPgfKIb5vCn!2Bc(*22$q^V>b$UUDOxz}spfXx?)Z=GhOPr@WIs_lz zHtFT)iG+n(J2WtU#NWv{Ick#I2FfxdGDt!`a7aF2i+H+pkGDw|XRWTD8f!L&Gj!T) z(tKgdv-X%Ot2<@ebaCp>#ACdd_=M-j1HmdCm!|m5teq;}cKb_tGI`3^S-NiPcbUab zC?z^gUqs}+X6z|gsUw5$vS_hT)U%CMW$KS!27~0^hpJtNT!)0tA~8(CS~!|TE%=~y z?x9GU#>DC)R$0bP8$d!#dQZcmHox^v3 z@s<&9iCn&Xr~ZT`Djg1aiXsoViufJUD!Q>sf{3dnx%LMB%u1{-!Rs_aK83&k6NG+XgTlkAw^DwLL;ZBFZqwdq%>Ag)>qGv?aM#?2Nj^U>2XIIc za;>|2_7jW?+hW=du)t4#BHGy?+o_tkb;0&JS^Ody`ccsQj^Fa`{CYw}hr2&+YjRvn{Sxi6nwZEWHs$BaTTu&h zG}O|nHB#Ip<;Sf&ZC9^pFm5Tk8=Z3fQdfYMhS24}VsTr<*JtAg&T-R(y0XzFj7o8& zKFti+6aN;PH9IkD!r&#RC26eA*BSCUThqouWO7yn+aXRTkc?rLTN}MYi5xYjKO&k~ zcl9F~T?V>^e5aZS5MCg)@?AhjcsF~G`zzr%Dj#)!-9t$Uc}1YECdyJ zn7tYg2N&KF$+#SLLjuI60D&MN!g4tni$yj zZD!Q5^(8ni%ww`FKSp|f-rmAdFxN|C1%bDshlGRxxCy{n33rKLBf`xu@8ba{cU-4b zRm5Aw*9j3d{Fe2KIm(=gRD;&j>oMYrB{=JgM5S^LIVHV~-8Gc$V%y^^PE3Knj*y7y zR80w4E=lKbsVGb(bYZWqSB+cH95L9Q)h_f#lyB3QRx1+Rw+n~qc$vSgC!Rc)h*h&t zGg@DCA99+H3mzCfJ}&$`UHHiFZO*$gY&?~f96Tst0j7j5?(B64D&U2iCit?58UN}) z9tv+ni^hFfN-CBNqUy;_BuQIGxYO_=3yq{5TMy4|=-EPB7EN7J zpk-5+ICaap9_TYn;OiRDl3j%7^^T6H6;o>LrT=m}IZL#X%NH$lFml~WKuDsk2ZP7} z?ukGhD6}>A`;f(i#n1$W$RhnkzO^SGNYGx^x{jHiO3c11W?iGtb}}sfEqPb1wH!KW z)7l`}@GJ@;U6ywcAwibe0&y{bH#nvw5`(5-9rfCu@Dt(HIAk$@blT#yt<|Y!%JDQryL;&1Nqd3~9--|qT&gmbQLF@#K@UnuC-Rd&QmVu!Tr!wXTa>89`SeAbE&SdgtoHM4JHRj!Nk|HS)*`gdEg z_w;XZieJ@|N?!$)|I=3N-^9;jg)(S#KblL zGC>#NEyLD=zIYAKGbQN!D>pW`W}Uyv@JtR}H!aUY|?V-%n<~9}UuPOUa%bhs_%q))t>D z;+s<~SJ8)|Z8a$PYCFzis&q!;mZA!QBbw-VJ}!Q+*@sEDrvQv9Dw6t znl!v>W4z^T*ntJzsL>~yE$_g;;~y&NzVS)P^yXaF$V8ynmp`@jsmXP*FLuNW>M)92FQxgWG5LvslgH zR4vh2RRAws7Dr>l6iSYTQB(HtAz|07}!+ z^Yk#wU4$whpCj;syQv9;x?O3g5b

%ibC3I6J zJN5Q#0nv&J?L)YcoP~U#2 z*VX4~LH>*Bu(pm7`?i?I1*{8)RL1kBj?w-tT0jWJHlz7#wb)>2y(5)BgiAodiK6@A=p{ITGQ;RcTdCU; z^;yJ@rs!>LHBWFOYovwB-P~E z$oiBKndH z>3!FQ6wbBxm^NC}yJih{tM^W9sA{OzWKMR@3)>h9DRTYyg6QyW%;rqX)Uhd{79>1x zUuHiM?#0$EB@Z|~#$oP#PaX9^ZCN)=Mp{e$X{gaq)A}MeJoX3z2Qovv4o>EY6?rcG zwBq)p;;A{)oNqpxi&hC*PhuF6N;qEBrbI$@NcHKSfFX1caNVH|rg05Cz7CNlDmEhe z$}1F_8x0|!M{5yrf{+M&`US@Fc`GMJLyo!%`o*xCtRd?=ksPg|Gog<3o}2rbMPLTd z)s}$Gkgq1RY0|n$u6Ec~POTcx8*3}d&zw)-V%YI8!>$%#e!%UJ0zCw$K3Sw|m0g0)4FZf>NbWzT-W@pSH)j{jH&*dzTRVW-tJ!%Sdz}6Elphkc z@NUJ|E$TEcVyvNK*PAJ@8MG;6X>V%9ySWy{y9soopkEOOkxGh576c|9Zb3NVCv$(f zh;4PoS_eAD_Ej=aJpn^_% zM(2bxb{EOKPf5Eix|XW5#$+T2Nrh&%2g`tZ zYKg)3*3nRzO}e(vvZQWt7r|63{}Qiq4r#m26*l`zL^MhivmZ#%2q*@6`(RRz zph0AT(&#D@zAx7yNUr5hZj47yARL*<&){Buuq5{oND;WkJ-ck6Bl5dk;^^U6mmHbG zs%tbZ!lB_9%*h9bHAVswiQrN#UY4=VJCK+0-JAx z2=m@ewTBd{79z|ED;CBzRW)^ID+1@??8rNk#$qyXUQ~P2FI_9Q#Rbn4Lo{#PTuG|h z<_LyTnpqX1zap=8My#{-^Ya4z1LINQVs%A`tLN7as^)KP(eO%fnVNVfU5P zsB=VX^R=F5E7hDup5GTPJIPa)^tfgxFX>#dklf;p==Xu|%+th!nwP;k_W@TbgfkOy zLWs)gy+n#cBzb?W;?C28u;o6=DC|5<;HH}yAPApyE>k-2e=y(33ZFcaCi9HNVU=JN z#|II)!3Z%;3X53+^3$HVBUzFQj^{N171LjZD99@5G&uS2M4TZ2wEbbv%n&jpe=>wHB$|)Hj57xY&Y|s{K71!6 zTiDF3M6GtY6V8Ol#xi*(F-+;n)nlIECE*3Rbii8LbzN&V7s&;sw+G|Og z0qxL5GY4S6m3K{v;Pu!70CYCUv5}KaH!CUsOL{y-dB5rPZ~*$Qsn&O9wO% zNdcmNAiYt^0>_lWNwC^L5Lu>!Y1XN!LJO+2QstQu1`y(&4hHsgi zz9$sG-GnL8fP;Cf=b#rpIcG&~i*mBe(jVy%LhGX;b}RLTI!3~Xb6+zN2M|F(!s@_N zmCR6D5-5LS+r2tdFGat4YeECtez+iQyby@Cm3}d1elGhzj5+>rj=8g644PYl0%HvC zlh`f<10S>zBf0}&nJtl!>5JGCUZTR@j&=uS2e<7yGeB^oE5{-vS|t;^0D?<_4M8B2 zM5dY+gVnYSHJML*@!h38mr-Bf^KLzD`ct6y#3=Kma^$<~JZ`I~rI-P#iV(jblphWR z(G(0Mw?tRo43mOVN$b4#2Z#H@j@`z|GXxrc?W8&BH2z5g&EF<+=(m8Kh;;Q(~jGj|$r_#1z!S{ug3?aWa~-Z5#7!tK#-3;=eDSXxE}Thl2zFKnVZ)P{;nSP^WqJ zg_v0Hf(BPa9^INz?lcxE$2{;-Sq2J(LJ7wjS$0V#l$y%3vW*Xw2BNOg+MS{2PB<#h~yok_-bOSRk!MS)x~A-SsNsByNbN|j4R z22);7_v<@F`?F3CMWnrPt5r?dBAdtE_tC<$)6SDddCdBVbxt6??EQL&Rpf6~{j3Jd zwSgnp_L0(&=GDfC1}BzidpB(T$sZ%#`g5;%i9^TIUHfmEo3R%63>L1W+7QMP z`bg#NRf|^bcc=Ti`yD(y@5V+MQK@pH*{P9#c~Lg(Av9_UeSI*Tq<+vqIqa`nd3(lR`a1TIv=7+OXkz3<`ag zjsGomWV~d5M1WKippGB3Bc6*$L?a|ZQlRg=fdFAuZ%(Rz-2SADam3D1%S2kWX|cmQ z>H8p2tg>;Wf)pf=YjPeQmU1)}7{@&cGIO7h7&a6KJSgt!1`^XVpG`odXGbPbF8m%5 zj_`-YSwGElL(`ZHO0nmKXZz`FQhDvY(L(Z8QGxzvk!6*;C+#38uMTuSz8N}+SB{N^ zs#FI5FKFh%R|A?tg$M#RPs8H4@f0dRuM{mn>!U*~w5oOmN`E`vAy4nIdrrKJ(8k{r`_vQXWcjA{#2700 zfDQTIDi}t7SMH00m~W^O5^rM~ySW}e+Y49wJ&u{jf=BT?e z_F{X?IYRCA3#(r7@%y!?f;wlwpMFom(tBjD ztIP1n1SH;K$WJ5G(a^(vFTN5I| z+G=9T&)Nlr9PVmX)u#LH`DlG3j=LBar=;%brd2F`H84v#p}#TS+eR6$gCODckW2+Q z=pZqD6E$#7OOjfJH|xDa+d3>?YpBll-!q&jiXIA$UiqF;PFc3*bWTe2HUowX)kRog z)Gz*!GTWFrry|}`+3oXwJI$!y{q~B#F{m??mb_P!wUm!P?TmFB3dJY&JrNQS%5H!v zf{J3`G30Dd$+|Rbzu9eJa zyg6g3vACAh=@IGMvicojy3J_$OR7)+ug&-Z=Jg6fGy8Ydj{6{_v6#9KbE(^vN*hyh zYrokg$#s?rquP)ez4G%YS6wZ7>*O67YfTCHEBN=69i8d5_p3tv$Fx4Ij%|I|N}8tN z(HXar80ks6_09~g$BEh_YHd7@!r7vVP*;sL*!rRm9<3pyIT{H=$3)EaC`p$n+mDE5 zR>GYP?(gR8kdI9G_6p`z!3=Rf_I%=<#dwwJFYJ@O$VR9^zfS_3U_i+vne%fA4+u)i zkHR_EaKfTQ9D>IP4<;C}1cVyPVP_FGC2}!zS(S~=(m~M*VdU@+THq=D-gy36QvfM;#CL38#Ohrz?(Q5f zleXVrOHxgt#2f)T87mUlPr`|br#}_0IjB1{n>~wz5v3xsDq*Cv?;XB}uF)xW1^P6b znBUYVF7a|mG0-`8wat!2DLBZfN*dzvlm_Qu-}*ys2;d_8IWM7NTP>z zj5p2(WrRTya?A~+iZn*{PKW}_7CnCEbgrbu2&=c^s;+Sl(m($hcrDOWRghpgsp-8g zwol{sJ%N82P9a2v7;9zyHWB9G53%4U+~$lN=bCHgm^;i-_fkpH43h*gxF(J$fIkyN zE*RcqK$1xjEbVar0H!6u$Ydjrm*V@0+1zCFv{2j8zhum1;Ar(@`{6u)&nztjo;MXG znUs(M6$Dp=uMkxqQ7kKtq$ke*!`@p*$JOlkqHT^LW@d(%nPX;VikX>Wro_z57&F^3 zGcz+YGc&)=H+1IAx$Dk-|Gc;EnR1uyYFF>ICGV0{(od?K@OGZfWAg%wd&>QFSe8`q zz`@VmxY3mIWDiOR!sfDo+ZvWJqI=|tHft8Yz*?0l-nx$0$M*$WzV?qdxV1jGn;ol) z<`kJ#B2xG^7UCcLcTD^m;Xj)@L4N&=l9$XOowEfu2AdK(r`(!poN>`@1p3EXb+fsr zOeZYvr24YIV8G{^`I_$zQfYpE)jX)|*K9R>>syb`W9)dC4R)6qRk+K`am*q(EzSCe zn`w_<_=W*Mxo`_C81TQ73+#W%g+y&&NCk0V1NIi)_gPvhuc%UF{%3DOD5#Cq_c$Q7 zZGl=?H@^|b77VOO)gwJUPe`(MW)b3556lgzcnXe_`6G+6&CO$_Zd_ro80)z%Y{GK^ z$%}PX#;3-aua#b5n=5YHYiuPO!}5WY{NW7f#B9S-Q_|ACoUxOKFPoC1Zg+l=jG&%K zD``7?{LU7h6J**V;QXzty!Farh_7o|`vhqtsx^|mt)+M5pckP*9QC91-3br%V4kvC|#)LM(1_o6cz2f;eM z|3UE+?@3h0usyeq#LmmPD_KUte3exA2`vITyWlXuOMvtN*%0Z z#_ik;n|*1z1)D0uyoJw`zil0T=H>k<rvMox+KBDn!G?k2=nBF!27a-mG76H&eDFJ< zhRCZLla`b6tQnMPX@00lP{yS3gshjJDSjSK1<~%VQO(1wZ`9r2A5Wb*uT>F7yAg0GAE28exh?;L6P(~q# ztIKW`QH>DFRWCr<6z)o|W*(4&G6+p%&Zf6^3&d>&KkF<1;(^ZI10kW*7m2j{ ztzXv3I27#TGbyb(jbH6?{&amevhkOShfSw5`MqJb;>4`AICR58O!G4dbq0A#20OPb zTu?a>Bp+^F1sydt18HX9^v9LkX?PC>(Lgq%5B;Ls zwZ7Hfg=Z@dwx}NcWHQ!FQB%4$!ME>6_qJ#M3x`L zh=1QD5)c>vlF%QTW&lPa$h-g|IfmBNc@otpWt5W(%lL(I)l!nuxC0RxwO!W(&4~yI z^lp*oXm8JB?g|{#bG2?N_)(YCF1tlc<<+gNT=-s%!7;d;)=BXiipu$1_}Zn;xBI&X zSvm`1)-f663v<0Ud9tSM6{o5mIb;u4P?#&ne2@0wo;aDWo(uXt7h&yK;rM_3_Pf z8Kclf`8YPk1j`&hBQ^pb9K%iBw-mir*4N>{p(*!ynp-sIUJZgM{zl6;&iRMgX2&eQMC35HQ4#C>vBI{_wQ#i)g9M;@vQ`JLJVp-eC;5w+x zs6zh9I1H%5qhgHNOvJ?S(0f^TW}{KlqFC16BV_{&9fc>va%m;yCTpd&nsAU+U%@08 zaY*MhystgGAmUJEmi)8Dn~8{VW3w}4XZ*8HA4^e}_M;@L%bpbT^^jI~VvIFpJ z;mYoUuogOh5l@kcBpmj*@rk)0qq{v9&ZtBVUyr+`)n-`W*09Sv{t!mFN50*y)9@Qx zqdCx5QnZwONzO!*DA`wu=@Q-z&}1=)`{8ivM`4Jdz=XtLPZ$H2(yPwIx7p>W$ucqD z5Z$wOq%U!$C#MS|+S+oztB!bvWhh4uvB$fO=;0kiAtQcn7_!={3Gn|8m1u213lOXa zJF)rm)0SW!lyLXuH##7DF{lpkY42+p1pnbh&;1YW3D0tZ2NnAn1AJYuT61Y=Gnd&P zXBy#Z1etr^@>Nne12l`b0ixAeR|c8vK`7I2{`PfNn|RyuqRs%ruO2@x?GxhHYF%i@ zOtA9lYs0%&iTjB}K%04B1ks83QoCWTdpXFfF3DqFUNdwSDr4MS_azu-ip!xqc9V|iG|%-VP=UQZWX+*Lo= zQxNR&lJfeAH2hm+Pw@e-kM&ryM*`Zzu}@8HYR#P=#H1%9eo7Znhb}FK4k>s#Dn&XG zq&B$3(aUe6BN#bhOqA!PcjM@vf!giz_TF_?voFS`q^tFbGjz?rhR6~lr9PR#i{2sa>J67^zJg1Okl=(X&-y^|y#@2BUz4FY-X(Z2UKbC)$?KNsK51JZa97=|#Uv}aHm z19$`X_$r3zxM1u{EUX}(6>rs4n*eS~fAJ43Ryph|w`yJu~6!tLx4PnpuFT!36 zh#^FMBhb4iG;7xgLr_qj%=>L-&cMG68TTEegmggg4m-p-10ABdJZ0}YnWKb+_wH14 zvDR)6I;}4L+K8j8`0-PilZJX}+1Yh7SKSr!Kz;R>;+fXwuXP*WM8p?W3%9>Sgf$P# zo~4!5=%&BDuiWhCQBU7I7U+C|Whgl({aS}1$x0C?kwjC?be=gUquS+j(@bj!!MAcE zvD|+F(n3StYyX%Relv{!+z@nId2qusWa3m!QzLmtXsy}{bA5sCHWOhsMr0qDH!* zWG>6vap_xa!Aa?yh~-{!AU5IY(B%N4iMJ~CO!DfnH!s^x++8c}9hzvbX4W$QYQ%fy zp~sTuAAjJ|x(s^dMTiXg7VlKt6-Zo0&~eH0?s=k6ze9zCicumyW!!*UVSjj{wYP;& zI5Bdgey=<@ZEyOIY(k^2p`Xx*u81WlKk_^by<=-rw)QK(&tmSoxYFL_mAAN8WRf{? zelnWHk`G~54qXC3Wq;5C^lmU2=uDroz187-eW_7S*w z4#s00)($;+mJu28&h(~vsNB1(SPj$GbefetZWKdtL8GFjkxG4HyjomVH@f)a01ym$ zN_E(Uqtuh!LUnMGlb1_5VD7HaD^Xt*hKetoSt6W!G@GkVEUk^8Zz~$}9WR>FNEpv_ z-yiwIGsO4q$a8+>uqWWyK;Y_^vaV}*9CrR?o*G;5RdxFbP`;7>Xzd0>jKP{%4w)^xHn`SQA z0=G7hPn6EF3|tdYqtk-+_4SOP>?U8@B@`Y*)2un zi8UQhhdv?uvc9&gLb-Zy+aj0WXT^u=PocI+6h2)$$GQ8^7gMYThVQwD?e>dL_)~aE7PfiM)q^vm z?sYU9>%{4ND%}#OoIJaOal*uEkhl_CGDucC#Qj3Qa6Ul0TZjV~Tas>UPq*-mS(HXo zcCHa2x&w#`V+o0R0OPmJR6-mdvLQ8$sj^C%0?t9tBfwbB`_TE^k<#Y-7ItsE+Ny&U6K~>{w6B^QuoPq?^!;py`?Tf*M}#t)^=W^uzh^9kqjPXX16f>arGh!WPC&lQ+v; ztU=hKqcNDauB??3-&wACrF+NX;0&@Y)vhUr#A8?mUb&ihcVL~WRW`_2TO}V-uVt?+HBiAh@mmZOi=S;~Ehv)Fe9b-I zDJe2JyFlt?R6ecWAwMI*D6NR55Ijk~x6#UaPRf*N{ z3i_q%J0&=)*E7_kqYnn&z=Mm%Z(kvt@}7|9d+DWt zm#jcjQ<5XdUxV$z`tW{o2QM8Fwf{#j4wOVHr<~F6XGj|Ac*mb-W-FDCShX(qr z4-en-oS>sn7Gv!R(epfWTs`D`N~cy_w;K*&3HX7#RTti3im;Y@cABYTRA6`7R+oCCh*E_Sl|ZX)7MK zbc}L98|%ZGk^(1`iiDfmU>K&lrZGRJyxeel-pG>2!ZN+O++bQY-U>sh{w1Mm=|;=@ zAF6^D!E(P$peis${BNj&f6oR2x?a8LCw&lSO+|@CB;sS7ep&uOvscWxh-|wD9IA%4 zXs~~Z-mu`K&;_OxFI_EHEd*#k8cQfJ_oQ%|2F|v7*H~H@j`YbpoptwCTFq=)PbH{$ zR55I1nFgoy6W-L1o>c6?-ozs8r|o3c5;i=b;dFO5#h`+jIpmd{61J6XfT%M z={k4U8sJhY%hKd8X0M+>`~hB{woF`qrXizKx1UE3KXsv6TCypjW`(^zJQcj@MA!A9 zuYK2JRnFI|N&g5islAs;+BHU)5;WL#BeTS>-+LNoscl{C#<9W|f(bR&#?R=8 zM02w?a|2^CNx#XMH4yTl<4~({eknandP|vHzNk0tE|N61t~St|36qfKtJmVKx}T-r zH}|g93K5Nn#xrbS0O^&wvn*z{>!$4Q+jg&0&srzaDx2ZXD|Z7sX^~M;&UI|)A#&vK zkWi4AfzN<*aJD8X33%ch5#KGq62TfptRo4{iHD>lftL!&>g&B~r?fuBL-V!l^rkl5 z*1teslu-$`IaIw?nPNq;G`R*DPnPANcHwK0?KV3O2zFZ(GanV)WilZNw?C~OtglJ- zPGJK1I*}XMoeG-8#6ZGyOQC&b&#(-Ss04@t=tzVYl~n1<8O41OE0_v_q2zS1oyHcq z+vR$4A)Wy4%{_W&uf9pIrjZij>p!=FE*N7n2b~G=q@G9Z(j5;=<-dW5{!n$RWpJyI z#~Ygm!r(_zPl9yb%nHFjEi@eywu)RN<(Bb8o|HVA4UTUblSMQ<5jHV=pPe-5481mx zt_W4dsjXO>%v_t`K4800-ZXX6xpYzkY7e(;)bP0YfYEvd)Mz*|==&exG=ij#IfO&$ zq&@dHO7b9W1N?TjF6FPE$hpE-g@iX;if+<{Ptl+n?o=#2co-8(QY#(N-ZY)E#W^}=oeVROg$eo@r6TuCmmQr@{G85o*# z&f(1TK%C})cd*@N)2A6yA)Rz&1o(^}NC!`)&Hi8T-+jfe-B}lITz`N3{&m-8*m3SH zZ%*9^c4St3&{BLc5bTdH!Xl2+tB&~V2g8cX8>%7N*(s_XWoe-4T%YLWOhhx)nn?^J z3sZ&Ly3Sk`4?K-HQ&otE%)jUk)22b64w=3WL3Wn{t$C*sB2PJvXF+JOO;qSMLLvA| zc#sY&)MkzFSJL0SkZA+@udn`E5{yje6Ebv!PRvL693p=qmzLAAb>>xuB3#n;d+;~U zrP|mRy`!h&`GZ1uj40TIW&^P7vv=|`g@o?;zGFV3`lqjjG=1&QY@G66%&kAkr!=6; zTMdCWu*W7kCACjC$nx)Pw_x$}t%bONKcfex>Aa0JRDSRXxJ>oD9YJL45RZ|! zH}zUQ%{TV1LP@01_`>U4(;f=7WMV~iV-4D7sSP4?7Kp#xKOy+;{9|zZ+*IsUD^O|t zDg5%El*hjrx__fQ{wCq^-^!rC01tzJy41eJ>pmkd_X}omLh9-gxdn;bU4~pC-OV{% zNt^QZ+wppP|5oE8lk2KzfYBPLsY*DQrk8QSx>_+XhYoIfi$1U^(UXRGf95dt&8+uZ zq^n(whysr#rb8rm{vsR;(Fo#Dk_5)Ie^Y$18qye^hvG@ea?!0dKR0vVkcBvfmS1B# z$(vzNg<~Lm7Z3UMlbHWDu&gwRsboOktkOK;o{LYt@(40WiS_L1+WkK)fAfFNh5u9x z=AV`ef2B+O(?1J;ftUa3x$qaR@t>Xxe_?X|>ACP10^y&Y3xCCM|LM8#S8(J1VlL4B z?Uwt0Z8iPnB>W#X{HGFv|CiWJS_zp|SU~3s3eZ#hZw2(en;Bah)BpATUyF^6Md7fb zc92~0sXNLsGe1?N=6EVDuQ}JX&~6_ZrDL&YUJW`svkNB3bJ`0Cg7!j$;6VBFgF^QP z@D(7V5%_@Dn=)Zh;7cB%f2qPTH}vqncsh8<%+gI?b=@H*--Kg~G@o{9wX6V>XDS4d z?QVDc_^x@v^#e8;JbDuRE`xP@9EV-k=M1uyju@4Ma1X^B?><93_}0B`{J;V8+LA>i z#IybvO`xE&hB^W!Pm;T#;)8aBb`+5;Zgi)5Nn3;ZCMRg2WWJ+guBYH`hp-(h1I4Lu zv1p)wKctjg+Z8JT6684H5w}C;kIbwb*ew8PQ#8VJWa&rx^BB&ZU~n+ZQtYbo$DTtI z|L@y6Tv*e9U))zMGL@5+Ai}3R17A@L*1Bv_^GdV2_SJ>q3 zc^y@i9Siu+GGLVg8Z}KF{pPkzHdwBohf~XWUpw!D+5&$r{3=^o?_sC#i{xXx#70F* zr+Jt}wK&|vN{KTxTHq#FJgEnfOdN0*PKQ(-+~!xMzaYe8 z8b1>NxX@$pU$lr-;$hA)r~VE*FimfXBXDHf!xn_l8I7Fw%*e$Y<6z5gpcE3U-_O1! z*||83*`F8A^MklLh6nf$(zm0_D-;r@Oa>2jOdI8`XFFW~$z-ds<}E&76=DQRZ#@Vm zZjQxSFromyGdqk$p@8**t~-nvuo(7E>HnT-p?RrBOSJB9)27 z%(BGlPE}RAWVsj;OSj}*6R*y~=;g-7lA+@M7GJc$1T6{5%SQbe6=^^C$`8%}Ox(rk za#Y6E4m5=oiLmlA2Uy1$n>G0jDtCi)o?Osp+b>y3syE-f>y#4Yoh{S9tlAhe=g@Rk zdh0U>mhOHUs@W~6XezOMk8+Zk^KLIOsVGS)wb<7!HK~UPZ--p|c5g;&zc)4kisC># z4~}Q2{cP9t;8%=0i$|;cjU_+EYJUc+F5<)TwT38PJt36Ck|L3# zPc*dz_tno|XDR>pp@#bRgl9?gXWEBQo^*in!gjeyzj$C8+!6m1RosT_!!)n9v9#k- zyRjQ@-<<=Gbu?u_nnVt2U}1NaeXI~$P(`2OpZb04xE-Rk1TA( z(W8S=gGx@w@v!X6@JzT6*`fY*h95v0q34|!U*iV3aONv(j+c6LUNY+4o~%)ne%n28 zUK8M4ZPEvw6Di{X>gHDH88XLqg;Q3&+Lm_eo@S)xB;EQLBA-*AG5V_jQ>#b?4?jsA zDZYSOu;w_r@pMOz-C_>9ii*a`_F~1F%Y%}{hh}6BZAes{*dx`!y_e+y>+`%@+@)2L zk>zq8NGxtHL}yokbPC(ft}X$F#3@G_Kb}s&uep)}y~qvnOhFFV%MMgJQZ`l(qOuW( zG*Ekm(ey3mAT$k)=PtHg-ofY3)w9!1Wgr7?VZH)fpEJM1Uk_6O=<*PEYv%jx}2C44fo zb-&-yfW?qMU<5Tqrmrb05g;oW z1v-ob0Ql2^z!`v%t)aYwt(_xKlR8-&*yx*E(OK9Tn|>^QYyuD^MI}T5ARr(BJ>VDM zV+9}t00Ra6^8z+-;0xjt1OzxZ1Pl}u^7I5=1sSlG|-$cUfek>Fur5z!HmP*Bm( z(BKd-Fws#lkx|i5|6BwF4EPyv2xtfhXw=WJpHcsh+eaq==@TFt1ONs?3;;y}0Yd`$ z=mj1f2mpZq-tC_o{?`Tq3cN>1s87%^u)qm*hyYL!FfdSXus?SVob3htI{+LB0-1mFZ_p_9qg-sxCCesY_C30|#Gd7<3FwENn7z3QDRkEUawo9GqN2!Xlz# z;u4Zd$||aA>KdAcM#d(lX66=--<_OYT;1IL`~w1mf*^aCo0_|Odi(kZ28V{HXJ+T-7Z#V6x3+h7_x2ACkB+adZ*K4IA0D5c|Iqb^ z&VOtFLfGHYg#@Gv6dW839O@5UAfPV54u%8{LBt4&ET90TZ;wLE^z##{U`%#Z7c>d8 z;w74a!xRiUDa#hw)gRLSqU^s%nD759%Kn|O|DbCb00%rL6%+{!3BU(l{0_k~`k31_;ufwWg5D7S8ZeoBa0K_xJ!b+P=>f`1gJQ{Nv<50NHA4 zAApW}pVt_%SJKp=H<;#*x3`)Pz;5V9PFO%V!lMK$!ZVta&&!MH2Ve-*r(2@PXR@^P z1F*5e_by)kOxdX3`9GKX|AJS8Q?L9^QZFr3wJU9G`^%ICM$L?PgL~c4hAw!9HjQVR zcR!6k03`cW9{{}-`ZpXGty=~G5mZG?1rbz$D#Gi8&%@^rz;a!iI^PZN2Vj-`17I;D zXmW?DAg=#yyd>#ChcM{lHFNk?YT7$e zo6vh;x$gU$#s}b<*X{#=xX^uV;U3P_cV232>qvusGiHt~o@KFIj!i#!eZly1(#@6P zF{Hxg^_5Xd>m}goYXNO%DAnf@?ucQB7Ii@f?HmI;yR!)jbBOMN3ZHJyB2$9PgyW?T zK!vK$Yn1%q0|uMsV|AKJnp$0J4LjTPXqBFe$VybJ^@Q zxu1c9?y?G#z_Ab&`p~&nL4?>hl=2s7c1ufO_q1hN2)Mjp1Zgb0h&+?TGl-HZRKy2h znuYIlYsA8_&p_U5KVlKO>YVsSi?@D16=e#I#fw05mL-h3bOZ4?(Iu`kcFY==EnDAN zUIX$_qLVaIg2zEd3%KrV|19CsKTG%zovNNv+fur)=H2&q#tc~KxV^tJ&bsMI9VY6a zO1UDRD&eMCgclBn<@77{cmlUvXHYAT;MVyG>!t#_fDYKU+f3}~ zEG1KGk#Yme*yECQeR(Y+ez5dgv|JPwFgHwn4-;HHL zfV0H)MNs8I{^rS^ztj5wj6Qq->^9y?WuVh$6-0;vOkC5XaERgI`1b zW{k4}hkCGFd-w~1ZuZq_OU5d3t`=6~9EQ|^c5XlU9JJBSKP{8r2?~#iN_QX=A->8B zzHdb0fbFD>X7A}~;#q9{DJ`=#OY_td=RHE-tsoOewl#5;@}(H-tI-!;e??*5s>r#t z9fVLWv7dKoynIR;NoR~$s_H*H^)gG~&j(@|kJ8zeXR2V{Mu~Pl0H6FAvB{#D0i=AE z)9-eiI33fRuNJgE+p;lUTOMmn!^_+*Y-4yu+ETJA0p0JXKj>VSyTk{iVHyYqCg3Ev z1d(69hmj1tM7#LY;rv*_%_d;Ln)qeFO#thfInlQ)>>d$29Ni(3;@mh0$He4bO7-g2 zH3(|?`}8Fh9YgTBe|?W%C6zTAaQrwpv92g^GK=_L((cKh@Qm>sre$_dL(& zDZ1z$Ndob{pIh~foCWm{bM1Awu28w4f<5`jRxQc$1h+R0&X*xkAk=3<@?|>nYP?oA zf2P}K&i`i7y`4aH^}YEO+*MeF8~7RRg|+L)tAF`m%u4*+ao z*MByc~~nXpN04 zpn%CDE?JmOyQQ8eeU)U=CgsA9FDXS4q8@7ey2;Z=G6s$|bdbF?u>Pb)S9e9#*HiGb zps#uho#S6&uy2KEW#m6i3C>kvD? zS!4a!{ks~|O7}{P4KX)4=g>PAZRhSTeVtR?!F|U{v}>A3)BNjf*jVg3C&_jF-i~42 z;DI@18(%P)I|Lk}0#G`9c2S?LK`hB7jr#%N2*h|D+ky?S)|A)1XQMVurKk~OnVQ6d zatAPhoTKMm%@$aHzD?dv)VK>s?B*j&kVFp@rBB=mP(5|)GXUAK1AqaX-}+Q4LfZ4W z$Jn>w3vHoO5#YrfVxexZuoZLt0%#cf59IALgBF~^l6l;13AL>GdhAy`3rua99rYT9 zIX1o4-8VBq_-H!*g^5v*%G`0B^W!CDnVzDLV+~6kHh(R0$jPGW$*D>?QrKs||yoERPrD+fgPK1)!RdHNz zqVpwc;JjV?_cQz>e+LK%6==+p7MsbHG}yxrKuyqD({@(ib9+jTYyG>7Pgh^;+WP5v z({EW+E{TT}We0_t&L{En5@SbshrA10YR2jDqvlYw+!62MHP4Aw9&X1g{Fh$-^{*-D zDdz3a3zR2zFOUn0K@NzUzGYD0_>U4|uQUhsbuT>4pJKVyx6{r-PmMAJkR_U#0N^*Z zl$`^zBD52oYxu|S_ov6ry^7jxJzOgjxRN{v35%Xp;hSTGa7$LW$Rf;wk5slfkG|R> zcW<)KjHHTPsHZKtMs^2uP(+cN{9r*O?Up@Xlc$^OuK<^_rF8X|+7@h;cz4yBVs*Mh z>iNplLlAipKX>2G5%{^q^Ch+=NStEXK@w(n8F)Xj?se1_4oLX`O|7l6c0x;$Syt+h z`4PEV2SEvLY6dznZZw7DoeIF&JR&V~zS2jV$c6yETwJ&a6U7=b< zb2YaVtc7q_tG(5I#3MLxrP<&}ry}0MJ(oRO&Az5rqpDw(pi<|sOncRTCX)syyMPp8 z!uobGwtW89cHctZJ%PmU3AJr4IxfDg#Cx9MtzsOHjDrJe3=cKDw0Vn1GQ1EyrCNfid8tn!*GxWnNG|U8OfF(>EyJtm|-@)$9Y|fmQ z_4duXC*yUsAA<35z4z+YiRNCh_hJ|Nzv_%QZd3ceIMtT~7vCpD zvWP}Z@q_qQTq*;+y+H`rryqQvZ(+wo&#!ixH0biojf5NZS{4II;Wrr81{~z{qp;hs zwvIhG&%MxbkmS%LRPxSK1V6hBG*pWdPT%^FNuf1Kj0W#K{Gh}MBFq7%PO`w!&6nH4 zu0J+ktLM*`v$S}qfl--~aKn}2b%k_c!7xS&neyoE>AvD!HXruSJKEb8bf*|GZ=r$y zCXD^MkNMiP%(-b}z47@~>aBizx>a!KvPbG#uhvxDX-q%W+!(?+F%tL3uRBPY-H2ZS z%Owp#Ju1B;iK!%L;kkZMtmc|8E~bZ69{`!F<;bu?^CiM-tim|J3mW>^2f&Bg!92Gi ze2BWtjH@OcAKzOw5m5D)d<}0K6!aBG-KW z2cRb^=(#p}%bzDzQfVH;p1UrJ@E)MF^q3|#t4>=`ZuouRSKuCQ*5JafXv`)7 zgk=M}^X193xqlkR*}6w^0nr|?!0J!bL3BZqC&q?E9($mA>n^yA@8<{ZXl^HolLcSS zf=C>UXCAVcwnEN^V>F&sD|nmNHBmF zyPEC#yX+Ty1%=X?SnmeW(y#gG3F@qeGkjWRmFavY2rDGgj}M;j1hcmrr}Suj&>031 zBP-fDJNDt3DuE922a!T-@L!`UvCFBZ;sQiWygp;!ULmSbaTn-m_zXUk`7E-Hd;mn( z=HLE)Y%=!W&>qTn8N>^^Qx~-@hyM5Mza^}Bgm*k`^3}ZwQ=3GHvf@7gI3ECm3H(>8 zIl98>?<1AyuBP^8^tXrMHKG~*QkFno$(81|J9Gz9~MgQdQ4%+!YA z5i{dOB(%kwmT2`>`8@)t>4AG*p)0=ri?{8?17I8sj94q4w zhS|~6g{+EYO|9id4hT1M)K7w3jqS6zM3J2;l*96#M-MnEwdQvF9 z8o5`VYX9Pjb?eHiGE=8d**IhB!7Uy)p=_Jbnyj!Si2)93|M1&+yMz6m)D!kuZ&ADtqA2>ps@^RC|#d$~K-XNE~u8LktHh#W53 z(M)qrT+l6kg3SkR5xNn6nPWQ_ZjNwoR0$40TneO8}4$cx;N4E!21wbf1lrj5rDHi>kPo4G&N8OWt=}prfk6-Gr(|7Hh zxR-O!>=!EUUiT>9ytqDm&IFpf6az+0bKt2hd?u{G33^cqNw1{xA|$z| zy~hR{Vi$j5nk;KMw2QAago9e%Dip zKXP~e#4Gmdq1L~F%eR@a(2gIZu)qUR*5{J1)%$>Ku32i8Nv1;6&B?#~#sP-`@Y-j+ zmu}!g)~{~Mux6nSi-()k%oPX!fso*Wj%gsk$piQEoRu}imi04i&%CC;lx>j(JKKmO z_KpD)LalTC(erZaX#c$G%w7BR*1?l z@m+k+MD+e6P}BY1DqDd8LD?_sO*;fZVMRLa*_Y=BQjN)wkx1@WZi?1=J+{LwF4lw) zmR717B!@-Alv$9@R?UDmk?>`5euz@C9Vql@D^y%p1+QPefAJVk~CaTo#|ezV|Ca0cr<0EBAQ)k9CI8J*QdEB5u#SPAPcw+*Ol zv=ukYE7=5jo$kik-hynil8=yNp@ zL3H6;DUMbQPy@)lhP?M=T%2LN13E@uL)y9cqC9!(+c6&Pi-#&s#kZShkj>{h+)sP^ zQ&uI>bTV2DGbSLs`w1{wt!cb<1IVVVlQ-8aV_`+)O4u)aNLim(M1;nU^X52K=1-@L zP>p6v+1`-F#tCYmPHhW3!P|WhE!>mtFGBbHJF9^*t{kbVQ51n@0F%ys07Q*~Pi#uW zbE_nGay;pFdzY*s)oS02M(&S!$B%n!gh zP>R=Cy8o@GdF+@nC%XHOGpw3NP5*0l_Go?a{#p;IntWe$yHSjIb&1g>J1T7EQn@=N zSVoq1Yg0&0S~pi-RfDoi4dFYa`&CpZUp-%sTo6}4e@vzMLc?Hy1=J*s-=eODd(7i4So8nNaqAwL4XH+EXZJr&_QfTBQlJiG%nUI!ISk3LS0$09iWk8H zxN53M;lB8~M<$$Oy99c=fN3uFToH&y$=1X#A&_4p2Mcy(wD3n`W{A2VstBGx@mIRL z;?m-fq4{uU(aSOQZ`19u+ftKE>fTqqhhj7t;{-Lcmaa+sxasRq9f!L zq;QA3-E2nj*>Bd4zy zu&S=1jKv(+4U?2Pq5IsRe^$`Hb~sr2Cj!=}7sw@_!mg&3SXp1SOllg(N{@5 zL05t|YDV0WfL_hsB_3YKVg$d2ZgJv}v8L1=kD6APF2ofmTl%pimyyI5P9wNTOn?`x z#`8tc_exar3;nXAMEAC^w->FG@2TX^rJ$c(2O_+v)J=QG+2bwxIyv{Son&_NbLmmb`@!}5WrrPmzPmA3ZaDTvkU0AG1Be& z|4eMC_quutdykLVu>SFek$QE3BbN)K&H^8!DpF!SUVDB;3zZ&UdxYQr+lgtr+`JjZ0RJ6RIPn} zr>cxd{s0(n#=Rpm+|oZ%G<4&U&8{sSKW`HBcokKH-CYYioqqlFNV_Q)cv|gh+3l_x zXO~N08Mq|Vg&(LolGVGA`Y5*}*N0H|s4KnDj;YO)^dJFoUJ52zrPbfP`V^TdH`p_t z94$L_@6dAHgY%Vg?w!`vLuZOsFHCOU>MlZjsrK0`?rcV%NsA-ZV5}3d;1}~`ix$12 z#6gC8oi``@4L8-6nY>SnuTBX5n24)Sq^H1@ZWrR?7s}5KAvScjz3w$fsVrm3H85Mw ziOS<921aJHaNd`wEA$*2Sno`h7@E9iNj=#)N5@@Guv&*UrqO=(1=KOYF*Ud@YCU_3 zxJxzJ-vMkm85Gms)y5sXr*u)uZ&S_-9?43>l8wdR$55-qjYb`Ii`Ap>ty_!J^=RrR zJ^-|Ak-0q^=&v57uFZG^@{jh8d5aT;6VA<*X*4nY$2VU@JG%h}#Ni1v2p54&7^Fvb zCx%Oum8leub61)k^a#2~_)xP>mHy$W9J#R@fc(L|Oquh8fu>{E zbDr-M2N)U_- zL2Sr^xBt1^|4(?A{db}4yR^JV_Ysj)xAK6VF|Hg5+OgRNcoi2kteE51O-9PvMAN&f}n`BNsLY+Au~ zg%A<2`5^IvfPMkaz!q7~k${J5K8;^c@&+>451q>RNqnXF*oVMz`pX(iaq9hd!tVnv zc4=u8ykrQ|ZpQoA(P)q%=^o5QPx5{*Exh0SdZ8E*447)lx)6@K#_n$lBg)I-bjAhz zlb^@PswPjV75of8)e88 zE4S?y@Ev{Pz_54FBz-R`^C>ssQ#@;qa>=u{Qv4cF`SqLX&`>cpj|;?#lkq%%;1RqD zsg(Zz)84s9L%H>Fd|bi^xhAI*Q;|zZ5k?BRM3W+fL?f5T7?;r~N^eujluNJUev28? zjSLx7vlDZm$h5qR$pE+H@5&EKorEjXLTVP+D zd(%ck*Y`z*XN7*d(JvlaDdvqFMwj2<_s+NW?Ws2|*4|2;A_w+ABYqFhNOwV&);0Hw zrp>O@sk#*J_Xeri7aO54I(z`=nP2nBnbgj2c%bhjIQkCn>lOO5@1hUZVlQZkR2}Fx zGApOnbQGt*svI0VbR`i85EAxhka8$LXaASSmJ8O-EwU+s}QcV9YOcvOW zdAC~EV+A5+Nb6z`u4< z*Gx=YKG1!ozzela}pzMocJ_b$zOSDSWx9w>Se~^@6{8{;ndvGv(EfG3ir!pu9vJ=foVkB8?>~3 z3zOS#%QSo$FKc0XNsQT=!RVuqNOex9N^bBD$&_Vp_1$Bhm~(eRroM})kHe2P2sm(mPJ)qDQA$!^HOF-`-r>@)MaC-j6OMXC+BHLBleBNa@ z-2V2)shyA1o<*lsQHD#wpTPUTw!4%=Rg zcHAuf+NQ#CExrY7$decAPuFyv8q3rdx0Ee8hHFeuP1Yk166rI3lt%e8Hl6#5O{mu; zv?3FmFgNL&j`qfAOOmt>`uL&K)*(D6rUwK|$2-r*3GK2zhj7WSbUpqDpP4fGOuOYZUbUcxu~rvNP;OaTr1k$xGO&I z*81MoW2dUjh2!I*D#i3Pi@|g{>rN)3ngqL)YC+)ij zOx90C<{nnypke*yVj6%A@xq22wLcx`g>z-alnrVjz-KZf2RMccdkw@P@HphShJZ!N zoHPMDrw(eUroF363NUm4&QY_x11|+2QH!-Ioik>wO#v6&Lwp0UEC&{a9e9+XSOe&8 zf7%a&0W}0Uu2A5wEEo>s>*+OL7Mh*z1@%XHD=onrIObk-2#PoXJjJ01wzvQkp)DrQ zUjzJamQn+P!v`3QPksS{L$QJF%cA$RG>uimhQlEa8mM^y_3imZ>Gz31AK8h{Wx#>% z&Cb)H4Gkr9X&X>QfOiOO-8pS!knnf|hd)0gjo1y&A!Y={K`VHJIEl?1xF6}7Y#fKY z1r!G@Xba+OwU);%+Lh3XlpwB8XL%f3Z~^Kaw9p!eb2L~U$5t+Y;-JNhK-_Ml<#B8Y z04NSx(E`Lpn=g-J=h8!QP$7H}mus~=j-8Ya#X&W>L7b2E@;G*OHxvg|eFbq2cFW_~ zY0^*}RE7}5NjWc%n-e93@}N>-Ag|h$gZCrKIAWh8))t*lpek7)S^g*od9i?7bi#xx zvVgp4k41PKo^pioqMj~I=Jn!+y!0%%G+D@-8#1V-0`0e@$zsR3A%hAf+>@n!xFLh8 zAKa6F^W}yNDrs;}Mx5Y=460LbPu}Fm4H;B?;GV3G;f4&VC@e>2X%T?eHh*r&b2G(% z4V8sxB$g}m((4as&OGR~aljlJnn6Ez-%F)j1sI a^Dn$Ms1-noLl{gM_`CvE`_ + + .. image:: ../../images/ccheart_black.png + :width: 108pt + +.. only:: builder_html + + .. container:: ebook-download + + .. raw:: html + + + Download PDF + + + + Download EPUB + + +.. only:: builder_latex or builder_epub + + .. raw:: latex + + \clearpage + +.. rubric:: **About the Authors** + +Benjamin M. Brosgol + +Dr. Brosgol is a senior member of the technical staff at AdaCore. He has been +involved with programming language design and implementation throughout his +career, concentrating on languages and technologies for high-assurance +systems. He was a Distinguished Reviewer during the original Ada development, +a member of the language design team in the |ada-95| revision, and a member of +the Expert Group for the Real-Time Specification for Java under the Java +Community Process. He has published dozens of journal articles and delivered +conference presentations on topics including the avionics software standard +|do-178c|, the Ada and SPARK languages, real-time software technologies, +object-oriented methodologies, and the FACE\ |reg| (Future Airborne +Capabilities Environment) approach to software portability. + +Jean-Paul Blanquart + +Dr. Blanquart is a recognized authority on computer-based systems safety and +dependability, with a decades-long career that spans academic research +(LAAS-CNRS, Toulouse, France) and the space industry (Airbus Defence and +Space). He was a member of the ECSS Working Groups in charge of revision 1 +of ECSS-Q-ST-80C and ECSS-Q-HB-80-03A (and also the dependability and safety +standards ECSS-Q-ST-30C and ECSS-Q-ST-40C). He has been an active member of a +French cross-domain Working Group on safety and safety standards since its +creation in 2010. This Working Group gathers industrial safety experts and +related tool providers from domains that include automotive, aviation, +defense, nuclear, industrial processes, railway and space. + +.. rubric:: **Foreword** + +| **"Failure is not an option"** +| Gene Kranz (NASA) in the film *Apollo 13* + +Software development presents daunting challenges when the resulting system +needs to operate reliably, safely, and securely while meeting hard real-time +deadlines on a memory-limited target platform. Correct program execution can +literally be a matter of life and death, but such is the reality facing +developers of space software systems. A project's ability to produce +high-assurance software in a cost-effective manner depends on two factors: + +* Effective processes for managing the software and system life cycles, + with well-defined activities for planning, controlling, and monitoring + the work; and + +* Effective technologies (programming languages, development and verification + tools, version control systems, etc.) to support the software life-cycle + processes. + +For safety-critical application domains, the first factor is typically +anticipated by a regulatory authority in the form of certification / +qualification standards such as are found in the civil aviation and +nuclear industries. In the space domain the ECSS software-related standards +play a similar role, with the current set of documents based on decades of +experience with space system development. In particular, the software +engineering standard |E-ST-40C| and the software product assurance standard +|Q-ST-80C| provide a framework in which software suppliers and customers +can interact, with a clear statement and understanding of processes and +responsibilities. + +Technologies, and more specifically the choice of programming language(s) +and supporting toolsuites, directly affect the ease or difficulty of +developing, verifying, and maintaining quality software. The state of +the art in software engineering has made large strides over the years, +with programming language / methodology advances in areas such as +modularization and encapsulation. Nevertheless, the key messages have +stayed constant: + +* The programming language should help prevent errors from being + introduced in the first place; and + +* If errors are present, the language rules should detect them early in + the software life cycle, when defects are easiest and least expensive + to correct. + +These messages come through clearly in the Ada programming language, +which was designed from the start to enforce sound software engineering +principles, catching errors early and avoiding pitfalls such as buffer +overrun that arise in other languages. Ada has evolved considerably +since it first emerged in the mid-1980s, for example adding +Object-Oriented Programming support in Ada 95, but each new version +has kept true to the original design philosophy. + +AdaCore's Ada-based tools have been helping developers design, develop +and maintain high-assurance software since the mid 1990s, in domains +that include space systems, commercial and military avionics, air +traffic control, train systems, automotive, and medical devices. +This document summarizes AdaCore's language and tool technologies +and shows how they can help space software suppliers meet the requirements +in |E-ST-40C| and |Q-ST-80C|. With effective processes as established by +these standards, and effective technologies as supplied by AdaCore, +software suppliers will be well equipped to meet the challenges of +space software development. + +| Benjamin M. Brosgol +| AdaCore +| Bedford, Massachusetts USA +| November 2021 + +| Jean-Paul Blanquart +| Airbus Defence and Space +| Toulouse, France +| November 2021 + +.. rubric:: Foreword to V2.1 + +In the years since the initial version of this document was published, +both |E-ST-40C| and |Q-ST-80C| have been revised, and AdaCore's products +have evolved to meet the growing demands for, and challenges to, high +assurance in mission-critical real-time software. This new edition +reflects the current (2025) versions of |E-ST-40C|, |Q-ST-80C|, and AdaCore's +offerings. +Among other updates and enhancements to the company's products, the static +analysis tools supplementing the |gnatpro| development environment have been +integrated into a cohesive toolset (the *GNAT Static Analysis Suite*). +The dynamic analysis tools have likewise been consolidated, and the resulting +*GNAT Dynamic Analysis Suite* has introduced a fuzzing tool |mdash| *GNATfuzz* +|mdash| which exercises the software with invalid input and checks for +failsafe behavior. + +As editor of this revised edition, I would like to thank my AdaCore colleagues +Olivier Appéré and Vasiliy Fofanov, as well as co-author Jean-Paul Blanquart, +for their detailed and helpful reviews and suggestions. + +For up-to-date information on AdaCore support for developing space +software, please visit :footcite:p:`Space_SW_AdaCore_Web_Space`. + +| Benjamin M. Brosgol, AdaCore +| Bedford, Massachusetts USA +| December 2025 + +.. toctree:: + :maxdepth: 4 + :numbered: + + Introduction + Programming Languages for Space Software + Tools for Space Software Development + Compliance with ECSS-E-ST-40C + Compliance with ECSS-Q-ST-80C + Abbreviations + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/references.bib b/content/booklets/adacore-technologies-for-space-systems-software/references.bib new file mode 100644 index 000000000..6b8d7ec39 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/references.bib @@ -0,0 +1,265 @@ +@online{Space_SW_AdaCore_Web_Space, + author = {AdaCore}, + title = {{AdaCore + Space}}, + url = {https://www.adacore.com/industries/space} +} + +@article{Space_SW_Kriedke_ElGammal_1995, + author = {{W. Kriedte and Y. El Gammal}}, + title = {{A New Approach to European Space Standards}}, + journal = {ESA Bulletin 81}, + month = feb, + year = {1995}, + url = {https://www.esa.int/esapub/bulletin/bullet81/krie81.htm} +} + +@online{Space_SW_ECSS_HomePage, + author = {{European Cooperation for Space Standardization}}, + title = {{ECSS Web Portal}}, + url = {https://www.ecss.nl} +} + +@manual{Space_SW_ECSS_2025a, + title = {{ECSS-E-ST-40C Rev.1 - Software}}, + organization = {ECSS}, + month = apr, + year = {2025}, + url = {https://ecss.nl/standard/ecss-e-st-40c-rev-1-software-30-april-2025/} +} + +@manual{Space_SW_ECSS_2025b, + title = {{ECSS-Q-ST-80C Rev.2 - Software product assurance}}, + organization = {ECSS}, + month = apr, + year = {2025}, + url = {https://ecss.nl/standard/ecss-q-st-80c-rev-2-software-product-assurance-30-april-2025/} +} + +@online{Space_SW_AdaCore_Web_2019a, + author = {AdaCore}, + title = {{Press Release: AVIO Selects AdaCore's GNAT Pro Assurance Toolsuite for European Space Agency Program}}, + note = {January 8, 2019}, + url = {https://www.adacore.com/press/avio-selects-adacores-gnat-pro-assurance-toolsuite-for-european-space-agency-program} +} + +@online{Space_SW_AdaCore_Web_2019b, + author = {AdaCore}, + title = {{Press Release: European Space Agency Selects AdaCore's Qualified-Multitasking Solution for Spacecraft Software Development}}, + note = {September 24, 2019}, + url = {https://www.adacore.com/press/european-space-agency-selects-adacores-qualified-multitasking-solution-for-spacecraft-software-development} +} + +@manual{Space_SW_ECSS_2013, + title = {{ECSS-E-HB-40A: Space engineering / Software engineering handbook}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 11 December 2013}} +} + +@manual{Space_SW_ECSS_2020, + title = {{ECSS-E-HB-40-01A: Space engineering / Agile software development handbook}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 7 April 2020}} +} + +@manual{Space_SW_ECSS_2024, + title = {{ECSS-E-HB-40-02A: Space engineering / Machine learning handbook}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 15 November 2024}} +} + +@manual{Space_SW_RTCA_EUROCAE_2011a, + title = {{DO-178C/ED-12C: Software Considerations in Airborne Systems and Equipment Certification}}, + organization = {RTCA and EUROCAE}, + month = dec, + year = {2011} +} + +@manual{Space_SW_RTCA_EUROCAE_2011b, + title = {{DO-330/ED-215: Software Tool Qualification Considerations}}, + organization = {RTCA and EUROCAE}, + month = dec, + year = {2011} +} + +@manual{Space_SW_ISO_2018, + title = {{ISO 26262:2018 Road vehicles – Functional safety}}, + organization = {{International Organization for Standardization}}, + year = {2018} +} + +% Space booklet +@manual{Space_SW_ECSS_2017, + title = {{ECSS-Q-HB-80-03A Rev.1: Space Product Assurance / Software dependability and safety}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 30 November 2017}} +} + +@manual{Space_SW_ECSS_2011a, + title = {{ECSS-Q-HB-80-04A: Space product assurance / Software metrication programme definition and implementation}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 30 March 2011}} +} + +@online{Space_SW_MITRE_Web, + author = {{The MITRE Corp.}}, + title = {{CWE-Compatible Products and Services}}, + url = {https://cwe.mitre.org/compatible/compatible.html} +} + +@online{Space_SW_AdaCore_Web_UG_Cross, + author = {AdaCore}, + title = {{GNAT User's Guide Supplement for Cross Platforms}}, + url = {https://docs.adacore.com/live/wave/gnat_ugx/html/gnat_ugx/gnat_ugx.html} +} + +@online{Space_SW_AdaCore_Web_UG_Native, + author = {AdaCore}, + title = {{GNAT User's Guide for Native Platforms}}, + url = {https://docs.adacore.com/live/wave/gnat_ugn/html/gnat_ugn/gnat_ugn.html} +} + +@online{Space_SW_AdaCore_Web_GNATformat, + author = {AdaCore}, + title = {{GNATformat Documentation}}, + url = {https://docs.adacore.com/live/wave/gnatformat/html/user-guide/} +} + +@manual{Space_SW_CENELEC_2020b, + title = {{EN 50128/A2: Railway applications – Communications, signalling and + processing systems – Software for railway control and + protection systems}}, + organization = {CENELEC}, + month = jul, + year = {2020}, +} + +@manual{Space_SW_AdaCore_Capgemini_Web, + author = {{AdaCore and Capgemini Engineering}}, + title = {{SPARK Reference Manual}}, + url = {https://docs.adacore.com/live/wave/spark2014/html/spark2014_rm/index.html} +} + +@book{Space_SW_McCormick_Chapin_2015, + author = {John W. McCormick and Peter C. Chapin}, + title = {{Building High Integrity Applications with SPARK}}, + publisher = {Cambridge University Press}, + year = 2015 +} + +@manual{Space_SW_ISO_IEC_2016, + title = {{Ada Reference Manual, Language and Standard Libraries}}, + organization = {International Organization for Standardization}, + author = {{ISO/IEC JTC1/SC22}}, + year = {2016}, + note = {{ISO/IEC 8652:2012(E) with Technical Corrigendum 1}}, + url = {https://www.adacore.com/documentation/ada-2012-reference-manual} +} + +@book{Space_SW_Barnes_2014, + author = {John Barnes}, + title = {{Programming in Ada 2012}}, + publisher = {Cambridge University Press}, + year = 2014 +} + +@manual{Space_SW_Barnes_Brosgol_2015, + author = {John Barnes and Ben Brosgol}, + title = {{Safe and Secure Software, an invitation to Ada 2012}}, + year = {2015}, + url = {https://www.adacore.com/books/safe-and-secure-software} +} + +@manual{Space_SW_ISO_IEC_2022, + title = {{Ada Reference Manual, 2022 Edition, Language and Standard Libraries}}, + organization = {International Organization for Standardization}, + author = {{ISO/IEC JTC1/SC22}}, + year = {2022}, + url = {https://www.adacore.com/documentation/ada-2022-reference-manual} +} + +@techreport{Space_SW_Burns_et_al_2003, + title = {{Guide for the use of the Ada Ravenscar Profile in + high integrity systems}}, + institution = {University of York}, + author = {{Alan Burns, Brian Dobbing and Tullio Vardanega}}, + month = jan, + year = {2003}, + type = {{Technical Report}}, + number = {YCS-2003-348}, + url = {https://www.open-std.org/jtc1/sc22/wg9/n424.pdf} +} + +@online{Space_SW_AdaCore_AdaLearn, + author = {AdaCore}, + title = {{Online training for Ada and SPARK}}, + url = {https://learn.adacore.com/} +} + +@proceedings{Space_SW_ACM_1993, + organization = {{Association for Computing Machinery (ACM)}}, + title = {{HOPL-II: The Second ACM SIGPLAN Conference on History of Programming Languages}}, + year = {1993}, + url = {https://dl.acm.org/doi/proceedings/10.1145/154766} +} + +@manual{Space_SW_AdaCore_2016, + organization = {AdaCore}, + title = {{High-Integrity Object-Oriented Programming in Ada, Version 1.4}}, + year = {2016}, + month = oct, + url = {https://www.adacore.com/knowledge/technical-papers/high-integrity-oop-in-ada/} +} + +@manual{Space_SW_AdaCore_Coding_Style, + organization = {AdaCore}, + title = {{GNAT Coding Style: A Guide for GNAT Developers}}, + year = {2025}, + url = {https://gcc.gnu.org/onlinedocs/gnat-style.pdf} +} + +@manual{Space_SW_AdaCore_Thales_2020, + organization = {{AdaCore and Thales}}, + title = {{Implementation Guidance for the Adoption of SPARK, Release 1.2}}, + note = {July 24, 2020}, + url = {https://www.adacore.com/books/implementation-guidance-spark} +} + +@article{Space_SW_Brosgol_2021, + author = {{Benjamin M. Brosgol}}, + title = {{Making Software FACE™ Conformant and Fully Portable: Coding Guidance for Ada}}, + journal = {{Military Embedded Systems}}, + month = mar, + year = {2021} +} + +@article{Space_SW_Burns_et_al_2004, + author = {{Alan Burns, Brian Dobbing and Tullio Vardanega}}, + title = {{Guide for the use of the Ada Ravenscar Profile in + high integrity systems}}, + journal = {Ada Letters}, + month = jun, + year = {2004} +} + +@manual{Space_SW_CCDB_2022, + organization = {Common Criteria Development Board}, + title = {{Common Criteria for Information Technology + Security Evaluation (ISO/IEC 15408)}}, + year = {2022}, + url = {https://www.commoncriteriaportal.org/} +} + +@manual{Space_SW_CENELEC_2020a, + title = {{EN 50128/A1: Railway applications – Communications, signalling and + processing systems – Software for railway control and + protection systems}}, + organization = {CENELEC}, + month = feb, + year = {2020}, +} + +@manual{Space_SW_ECSS_2011b, + title = {{ECSS-Q-HB-80-01A: Space Product assurance / Reuse of existing software}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 5 December 2011}} +} diff --git a/content/global.txt b/content/global.txt index f72eaf999..e034f9b98 100644 --- a/content/global.txt +++ b/content/global.txt @@ -66,3 +66,19 @@ .. |ssil0| replace:: SSIL\ |nbsp|\ 0 .. |ssil4| replace:: SSIL\ |nbsp|\ 4 +.. |ISO-26262| replace:: ISO\ |nbsp|\ 26262 + +.. |E-ST-40C| replace:: ECSS\ |nbhyphen|\ E\ |nbhyphen|\ ST\ |nbhyphen|\ 40C +.. |Q-ST-80C| replace:: ECSS\ |nbhyphen|\ Q\ |nbhyphen|\ ST\ |nbhyphen|\ 80C +.. |E-HB-40A| replace:: ECSS\ |nbhyphen|\ E\ |nbhyphen|\ HB\ |nbhyphen|\ 40A +.. |E-HB-40-01A| replace:: ECSS\ |nbhyphen|\ E\ |nbhyphen|\ HB\ |nbhyphen|\ 40\ |nbhyphen|\ 01A +.. |E-HB-40-02A| replace:: ECSS\ |nbhyphen|\ E\ |nbhyphen|\ HB\ |nbhyphen|\ 40\ |nbhyphen|\ 02A +.. |Q-HB-80-01A| replace:: ECSS\ |nbhyphen|\ Q\ |nbhyphen|\ HB\ |nbhyphen|\ 80\ |nbhyphen|\ 01A +.. |Q-HB-80-03A-1| replace:: ECSS\ |nbhyphen|\ Q\ |nbhyphen|\ HB\ |nbhyphen|\ 80\ |nbhyphen|\ 03A\ |nbsp|\ Rev.\ |nbsp|\ 1 +.. |Q-HB-80-04A| replace:: ECSS\ |nbhyphen|\ Q\ |nbhyphen|\ HB\ |nbhyphen|\ 80\ |nbhyphen|\ 04A + +.. |ada-83| replace:: Ada\ |nbsp|\ 83 +.. |ada-95| replace:: Ada\ |nbsp|\ 95 +.. |ada-2005| replace:: Ada\ |nbsp|\ 2005 +.. |ada-2012| replace:: Ada\ |nbsp|\ 2012 +.. |ada-2022| replace:: Ada\ |nbsp|\ 2022 diff --git a/content/index.rst b/content/index.rst index 19b1bf8eb..c5a157d3e 100644 --- a/content/index.rst +++ b/content/index.rst @@ -134,6 +134,7 @@ AdaCore Technologies For Airborne Software AdaCore Technologies For Railway Software + AdaCore Technologies For Space Systems Software .. only:: builder_html From 3aa805f5129931440f01cd372662339956b56b15 Mon Sep 17 00:00:00 2001 From: Fabien Chouteau Date: Wed, 25 Mar 2026 14:34:56 +0100 Subject: [PATCH 02/12] Add Space_Systems_SW_ prefix to references --- .../chapters/abbreviations.rst | 2 +- .../chapters/compliance-e40c.rst | 139 ++++++----- .../chapters/compliance-q80c.rst | 59 +++-- .../chapters/introduction.rst | 42 ++-- .../chapters/programming.rst | 59 ++--- .../chapters/tools.rst | 225 +++++++++--------- 6 files changed, 280 insertions(+), 246 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst index 574b84f8e..34d194010 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst @@ -1,6 +1,6 @@ .. include:: ../../../global.txt -.. _Abbreviations: +.. _Space_Systems_SW_Abbreviations: Abbreviations ============= diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst index b948571d0..84772c7c8 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -1,6 +1,6 @@ .. include:: ../../../global.txt -.. _Compliance_with_ECSS-E-ST-40C: +.. _Space_Systems_SW_Compliance_with_ECSS-E-ST-40C: Compliance with ECSS-E-ST-40C ============================= @@ -258,16 +258,16 @@ Software unit testing {§5.5.3.2} * "The supplier shall develop and document the test procedures and data for testing each software unit" {§5.5.3.2a} - * AdaCore's GNAT Dynamic Analysis Suite - (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in - this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "The supplier shall test each software unit ensuring that it satisfies its requirements and document the test results." {§5.5.3.2b} - * AdaCore's GNAT Dynamic Analysis Suite - (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in - this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "The unit test shall exercise: code using boundaries at *n-1*, *n*, *n+1* including looping instructions *while*, *for* and tests that use @@ -277,9 +277,9 @@ Software unit testing {§5.5.3.2} cause erroneous results in mathematical functions; the software at the limits of its requirements (stress testing)." {§5.5.3.2c} - * AdaCore's GNAT Dynamic Analysis Suite - (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in - this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. Integration {§5.5.4} ++++++++++++++++++++ @@ -293,9 +293,10 @@ Software units and software component integration and testing {§5.5.4.2} the software item and that the software item is integrated at the conclusion of the integration activity." {§5.5.4.2a} - * AdaCore's GNAT Dynamic Analysis Suite - (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in - this process, supplementing the GNAT Pro for Ada compilation facilities. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process, supplementing the GNAT Pro for Ada + compilation facilities. .. index:: single: ECSS-E-ST-40C compliance; §5.6 Software validation process @@ -311,25 +312,26 @@ Development and documentation of a software validation specification with respec Control Document]), a set of tests, test cases (inputs, outputs, test criteria) and test procedures ...." {§5.6.3.1a} - * AdaCore's GNAT Pro Ada environment and GNAT Dynamic Analysis Suite - (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can support - this process. + * AdaCore's GNAT Pro Ada environment and GNAT Dynamic Analysis + Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + support this process. * "Validation shall be performed by test." {§5.6.3.1b} - * AdaCore's GNAT Dynamic Analysis Suite - (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in - this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "If it can be justified that validation by test cannot be performed, validation shall be performed by either analysis, inspection or review of design" {§5.6.3.1c} - * The Defects and Vulnerability Analyzer - (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static - Analysis Suite and/or SPARK Pro may be able to - show that a run-time check will always succeed and that no test case - will trigger a failure. + * The Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite and/or SPARK Pro may be able to + show that a run-time check will always succeed and that no test + case will trigger a failure. Validation activities with respect to the requirements baseline {§5.6.4} ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -342,25 +344,25 @@ Development and documentation of a software validation specification with respec Requirements Document]), a set of tests, test cases (inputs, outputs, test criteria) and test procedures ...." {§5.6.4.1a} - * AdaCore's GNAT Dynamic Analysis Suite - (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in - this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "Validation shall be performed by test." {§5.6.4.1b} - * AdaCore's GNAT Dynamic Analysis Suite - (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in - this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "If it can be justified that validation by test cannot be performed, validation shall be performed by either analysis, inspection or review of design” {§5.6.4.1c} - * The Defects and Vulnerability Analyzer - (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static - Analysis Suite and/or SPARK Pro may be able to - show that a run-time check will always succeed and that no test case - will trigger a failure. + * The Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite and/or SPARK Pro may be able to + show that a run-time check will always succeed and that no test + case will trigger a failure. .. index:: single: ECSS-E-ST-40C compliance; §5.7 Software delivery and acceptance process @@ -425,19 +427,20 @@ Verification of code {§5.8.3.5} * SPARK (and GNATprove) help meet criterion 1. * Ada's strong typing and interface checks (and thus GNAT Pro for Ada) help meet criterion 2. - * For criterion 3, the Defects and Vulnerability Analyzer - (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static - Analysis Suite and/or SPARK Pro can help verify correctness, - and the GNATcheck utility included in the GNAT Static Analysis Suite - (see :ref:`GNATcheck`) can enforce conformance with a coding standard. + * For criterion 3, the Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite and/or SPARK Pro can help verify + correctness, and the GNATcheck utility included in the GNAT + Static Analysis Suite (see :ref:`Space_Systems_SW_GNATcheck`) + can enforce conformance with a coding standard. * For criterion 5, Ada's strong typing and interface checks,as well as SPARK and GNATprove, can help show consistent interfaces and correct data flow. - * The Defects and Vulnerability Analyzer - (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static - Analysis Suite, SPARK Pro, and the - standard semantic checks performed by the GNAT Pro compiler can help - meet criterion 6. + * The Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite, SPARK Pro, and the standard + semantic checks performed by the GNAT Pro compiler can help meet + criterion 6. * The GNAT Static Analysis Suite and SPARK / GNATprove can statically detect potential run-time errors and thereby help meet criterion 7. * Ada's exception handling facility can help meet criterion 8. @@ -452,21 +455,24 @@ Verification of code {§5.8.3.5} Note: 'TBA' means that the value is to be agreed with the customer and measured as per |Q-ST-80C| clause 6.3.5.2." {§5.8.3.5b} - * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic - Analysis Suite can help meet this requirement. + * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) + in the GNAT Dynamic Analysis Suite can help meet this + requirement. * "The supplier shall measure code coverage by analysis of the results of the execution of tests." {§5.8.3.5c} - * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic - Analysis Suite can help meet this requirement. + * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) + in the GNAT Dynamic Analysis Suite can help meet this + requirement. * "If it can be justfied that the required percentage cannot be achieved by test execution, then analysis, inspection or review of design shall be applied to the non-covered code." {§5.8.3.5d} - * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic - Analysis Suite can help meet this requirement. + * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) + in the GNAT Dynamic Analysis Suite can help meet this + requirement. * "In case the traceability between source code and object code cannot be verified, the supplier shall perform @@ -482,8 +488,9 @@ Verification of code {§5.8.3.5} Note: The use of some compiler optimization options can make the traceability between source code and object code not possible." {§5.8.3.5e} - * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic - Analysis Suite can help meet this requirement. + * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) + in the GNAT Dynamic Analysis Suite can help meet this + requirement. * AdaCore can prepare an analysis of traceability between source and object code; the company has provided this to customers in connection with @@ -500,11 +507,11 @@ Verification of code {§5.8.3.5} or through sufficient testing that the run-time checks are not needed, disable the checks in the final code for maximal efficiency. - * The Defects and Vulnerability Analyzer - (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static - Analysis Suite will detect such errors as well as - many others, including suspicious constructs that, although legitimate - Ada, are likely logic errors. + * The Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite will detect such errors as well as + many others, including suspicious constructs that, although + legitimate Ada, are likely logic errors. * SPARK Pro will enforce the SPARK subset and can be used to demonstrate absence of run-time errors. @@ -651,7 +658,7 @@ Process implementation {|sect| 5.11.2} Dynamic Analysis Suites, and the SPARK Pro toolset support the software security management plan. -.. _Software_security_analysis: +.. _Space_Systems_SW_Software_security_analysis: Software security analysis {|sect| 5.11.3} ++++++++++++++++++++++++++++++++++++++++++ @@ -701,7 +708,7 @@ Security in the detailed design and implementation engineering {|sect| 5.11.5.3} * The Ada and SPARK languages, the GNAT Static and Dynamic Analysis Suites, and the SPARK Pro toolset help meet this requirement. For - examples, see :ref:`Software_security_analysis`. + examples, see :ref:`Space_Systems_SW_Software_security_analysis`. .. index:: single: ECSS-E-ST-40C compliance; Annex U: Software code verification @@ -747,10 +754,10 @@ Software code verification {Annex U (informative)} 14. the code does not lead to race conditions." {|sect| U.2} -:numref:`Verification-Support` shows how AdaCore's technologies help meet these -requirements: +:numref:`Space_Systems_SW_Verification-Support` shows how AdaCore's +technologies help meet these requirements: -.. _Verification-Support: +.. _Space_Systems_SW_Verification-Support: .. table:: Verification Support :align: center @@ -857,10 +864,10 @@ leaks: Compliance Summary ------------------ -:numref:`ECSS-E-ST-40C-Compliance-Support` shows how AdaCore's technologies support the -requirements in ECSS-E-ST-40C: +:numref:`Space_Systems_SW_ECSS-E-ST-40C-Compliance-Support` shows how +AdaCore's technologies support the requirements in ECSS-E-ST-40C: -.. _ECSS-E-ST-40C-Compliance-Support: +.. _Space_Systems_SW_ECSS-E-ST-40C-Compliance-Support: .. table:: Technology Support for ECSS-E-ST-40C Compliance :align: left diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst index 82d68efde..04159eb99 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst @@ -1,6 +1,6 @@ .. include:: ../../../global.txt -.. _Compliance_with_ECSS-Q-ST-80C: +.. _Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C: Compliance with ECSS-Q-ST-80C ============================== @@ -25,11 +25,13 @@ Quality requirements and quality models {§5.2.7} * "Quality models shall be used to specify the software quality requirements" {§5.2.7.1a} - * The GNATmetric tool (see :ref:`GNATmetric`) in the GNAT Static Analysis - Suite can show quality metrics related to the source code structure. + * The GNATmetric tool (see :ref:`Space_Systems_SW_GNATmetric`) in + the GNAT Static Analysis Suite can show quality metrics related + to the source code structure. - * The GNATdashboard IDE tool (see :ref:`GNATdashboard`) can - display software quality data. + * The GNATdashboard IDE tool (see + :ref:`Space_Systems_SW_GNATdashboard`) can display software + quality data. Tools and supporting environment {§5.6} +++++++++++++++++++++++++++++++++++++++ @@ -63,14 +65,16 @@ Methods and tools {§5.6.1} :footcite:p:`Space_SW_RTCA_EUROCAE_2011a` and |en-50128| :footcite:p:`Space_SW_CENELEC_2020b`. - * AdaCore's "sustained branch" service for its GNAT Pro for Ada Assurance - product (see :ref:`Sustained_Branches`) can guarantee that the toolchain - is maintained throughout the product lifetime. + * AdaCore's "sustained branch" service for its GNAT Pro for Ada + Assurance product (see + :ref:`Space_Systems_SW_Sustained_Branches`) can guarantee that + the toolchain is maintained throughout the product lifetime. - * AdaCore's SPARK Pro environment (see :ref:`Static_Verification_SPARK_Pro`) - can be used to demonstrate security properties such as correct information - flows and, for software at the highest security levels, compliance with - formally specified requirements. + * AdaCore's SPARK Pro environment (see + :ref:`Space_Systems_SW_Static_Verification_SPARK_Pro`) can be + used to demonstrate security properties such as correct + information flows and, for software at the highest security + levels, compliance with formally specified requirements. Development environment selection {§5.6.2} '''''''''''''''''''''''''''''''''''''''''' @@ -121,10 +125,11 @@ Handling of critical software {§6.2.3} use of dynamic code verification techniques." {§6.2.3.2a} - * Ada's pragma :ada:`Restrictions` and pragma :ada:`Profile`, together - with the GNAT Static Analysis Suite tool GNATcheck, can enforce a coding - standard for Ada (in effect a 'safe subset'). See - :ref:`GNAT_Pro_Enterprise` and :ref:`GNATcheck`. + * Ada's pragma :ada:`Restrictions` and pragma :ada:`Profile`, + together with the GNAT Static Analysis Suite tool GNATcheck, can + enforce a coding standard for Ada (in effect a 'safe + subset'). See :ref:`Space_Systems_SW_GNAT_Pro_Enterprise` and + :ref:`Space_Systems_SW_GNATcheck`. * The SPARK language serves as a safe subset of full Ada, and a formal design language for formal proof. @@ -212,9 +217,10 @@ Coding {§6.3.4} * "Coding standards (including security, consistent naming conventions and adequate commentary rules) shall be specified and observed." {§6.3.4.1a} - * Ada's :ada:`Restrictions` and :ada:`Profile` pragmas, together with - AdaCore’s GNATcheck tool (see section :ref:`GNATcheck`), can define and - enforce a coding standard. + * Ada's :ada:`Restrictions` and :ada:`Profile` pragmas, together + with AdaCore’s GNATcheck tool (see section + :ref:`Space_Systems_SW_GNATcheck`), can define and enforce a + coding standard. * The SPARK language can serve as a coding standard. @@ -227,14 +233,15 @@ Coding {§6.3.4} * "The supplier shall define measurements, criteria and tools to ensure that the software code meets the quality and security requirements." {§6.3.4.6a} - * The GNATmetric tool (see :ref:`GNATmetric`) can be used to report quality - data related to the source code structure. + * The GNATmetric tool (see :ref:`Space_Systems_SW_GNATmetric`) can + be used to report quality data related to the source code + structure. * "Synthesis of the code analysis results and corrective actions implemented shall be described in the software product assurance reports." {§6.3.4.7a} - * GNATdashboard (see :ref:`GNATdashboard`) can be used to synthesize and - summarize code quality metrics. + * GNATdashboard (see :ref:`Space_Systems_SW_GNATdashboard`) can be + used to synthesize and summarize code quality metrics. Testing and validation {§6.3.5} ''''''''''''''''''''''''''''''' @@ -396,10 +403,10 @@ Test and validation documentation {§7.2.3} Compliance Summary ------------------ -:numref:`ECSS-Q-ST-80C-Compliance-Support` shows how AdaCore's technologies support the -requirements in ECSS-Q-ST-80C: +:numref:`Space_Systems_SW_ECSS-Q-ST-80C-Compliance-Support` shows how +AdaCore's technologies support the requirements in ECSS-Q-ST-80C: -.. _ECSS-Q-ST-80C-Compliance-Support: +.. _Space_Systems_SW_ECSS-Q-ST-80C-Compliance-Support: .. table:: Technology Support for ECSS-Q-ST-80C Compliance :align: left diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst index 66be732ff..7dea11c78 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst @@ -79,34 +79,38 @@ reduce the effort in demonstrating security properties in space software. The remainder of this chapter summarizes the |E-ST-40C| and |Q-ST-80C| standards, and the subsequent chapters have the following content: -* :ref:`Programming_Languages_for_Space_Software` +* :ref:`Space_Systems_SW_Programming_Languages_for_Space_Software` describes the Ada and SPARK programming languages and relates their software engineering support to the relevant sections / requirements in the two standards. -* Analogously, :ref:`Tools_for_Space_Software_Development` presents AdaCore's - various software development and verification toolsuites and relates their - functionality to the relevant sections / requirements in the two standards. +* Analogously, + :ref:`Space_Systems_SW_Tools_for_Space_Software_Development` + presents AdaCore's various software development and verification + toolsuites and relates their functionality to the relevant sections + / requirements in the two standards. -* In the other direction, :ref:`Compliance_with_ECSS-E-ST-40C` - surveys the individual requirements in |E-ST-40C| and shows how a large - number of them can be met by a software supplier through Ada, SPARK, - and/or specific AdaCore products. +* In the other direction, + :ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` surveys the + individual requirements in |E-ST-40C| and shows how a large number + of them can be met by a software supplier through Ada, SPARK, and/or + specific AdaCore products. -* :ref:`Compliance_with_ECSS-Q-ST-80C` does likewise for the requirements in - |Q-ST-80C|. +* :ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C` does likewise + for the requirements in |Q-ST-80C|. -* For ease of reference, the :ref:`Abbreviations` chapter contains a table of - acronyms and initialisms used in this document, and bibliography lists - the various resources cited. +* For ease of reference, the :ref:`Space_Systems_SW_Abbreviations` + chapter contains a table of acronyms and initialisms used in this + document, and bibliography lists the various resources cited. Although this document is focused on specific ECSS standards, the -:ref:`Programming_Languages_for_Space_Software` and -:ref:`Tools_for_Space_Software_Development` chapters -explain how the Ada and SPARK languages / technologies and AdaCore's products -benefit software development in general for large-scale safety-critical -systems. These chapters may thus be applicable to software that has to comply -with regulatory standards in other domains. +:ref:`Space_Systems_SW_Programming_Languages_for_Space_Software` and +:ref:`Space_Systems_SW_Tools_for_Space_Software_Development` chapters +explain how the Ada and SPARK languages / technologies and AdaCore's +products benefit software development in general for large-scale +safety-critical systems. These chapters may thus be applicable to +software that has to comply with regulatory standards in other +domains. .. index:: single: ECSS-E-ST-40C; Summary diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst index 35e2414e4..30b3c6b5d 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst @@ -1,6 +1,6 @@ .. include:: ../../../global.txt -.. _Programming_Languages_for_Space_Software: +.. _Space_Systems_SW_Programming_Languages_for_Space_Software: Programming Languages for Space Software ======================================== @@ -454,7 +454,7 @@ standard arguments :ada:`No_Allocators` and :ada:`No_Implicit_Heap_Allocations`. This will completely prevent heap usage, thus reducing memory usage analysis to a worst-case computation of stack usage for each task in a system. Stack size analysis is implemented directly in -AdaCore's GNATstack tool, as described in :ref:`GNATstack`. +AdaCore's GNATstack tool, as described in :ref:`Space_Systems_SW_GNATstack`. .. index:: single: Ada language; High-integrity systems .. index:: single: Ada language; Memory safety @@ -569,27 +569,28 @@ problematic features. Several techniques are available: * Static analysis tool (coding standard enforcer) Other restrictions on Ada features can be detected by AdaCore's - automated GNATcheck tool (see :ref:`GNATcheck`) that is included - with the GNAT Pro Ada Static Analysis Suite. The developer can - configure this rule-based and tailorable tool to flag violations - of the project's coding standard, such as usage of specific - prohibited types or subprograms defined in otherwise-permitted - packages. + automated GNATcheck tool (see :ref:`Space_Systems_SW_GNATcheck`) + that is included with the GNAT Pro Ada Static Analysis Suite. The + developer can configure this rule-based and tailorable tool to flag + violations of the project's coding standard, such as usage of + specific prohibited types or subprograms defined in + otherwise-permitted packages. .. index:: single: Ada language; ECSS standards support -.. _Ada_and_the_ECSS_Standards: +.. _Space_Systems_SW_Ada_and_the_ECSS_Standards: Ada and the ECSS Standards ~~~~~~~~~~~~~~~~~~~~~~~~~~ |E-ST-40C| covers software engineering practice, and |Q-ST-80C| covers software product assurance, and both of these areas are "sweet spots" -that match Ada's strengths. Please see :ref:`Compliance_with_ECSS-E-ST-40C` -and :ref:`Compliance_with_ECSS-Q-ST-80C` to learn how +that match Ada's strengths. Please see +:ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and +:ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C` to learn how specific clauses in these standards relate to individual Ada features. -In summary, the use of Ada can help the software supplier meet -the requirements in the following sections: +In summary, the use of Ada can help the software supplier meet the +requirements in the following sections: * |E-ST-40C| @@ -665,9 +666,9 @@ defect level, for example where safety and/or security are key requirements. SPARK Pro is the commercial-grade offering of the SPARK technology developed by AdaCore, Capgemini Engineering (formerly Altran), and Inria. As will be described in -:ref:`Static_Verification_SPARK_Pro`, the main component in the -toolset is GNATprove, which performs formal verification on SPARK -code. +:ref:`Space_Systems_SW_Static_Verification_SPARK_Pro`, the main +component in the toolset is GNATprove, which performs formal +verification on SPARK code. SPARK has an extensive industrial track record. Since its inception in the late 1980s it has been used worldwide in a wide variety of applications, @@ -805,7 +806,7 @@ automated tools. .. index:: single: SPARK language; Levels of adoption -.. _Levels_of_Adoption_of_Formal_Methods: +.. _Space_Systems_SW_Levels_of_Adoption_of_Formal_Methods: Levels of Adoption of Formal Methods ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -882,7 +883,7 @@ where formal methods can provide the needed confidence. .. index:: single: SPARK language; Hybrid verification -.. _Hybrid_Verification: +.. _Space_Systems_SW_Hybrid_Verification: Hybrid Verification ~~~~~~~~~~~~~~~~~~~ @@ -948,17 +949,18 @@ performed. .. index:: single: SPARK language; ECSS standards support -.. _SPARK_and_the_ECSS_Standards: +.. _Space_Systems_SW_SPARK_and_the_ECSS_Standards: SPARK and the ECSS Standards ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -In summary, the qualities that make Ada an appropriate choice for space -software also apply to SPARK (see :ref:`Ada_and_the_ECSS_Standards`). -And specific to SPARK, the static determination that the code is free -from run-time errors ("Silver" level of SPARK adoption) can significantly -reduce the effort in showing that the application is sufficiently safe -and secure. +In summary, the qualities that make Ada an appropriate choice for +space software also apply to SPARK (see +:ref:`Space_Systems_SW_Ada_and_the_ECSS_Standards`). And specific to +SPARK, the static determination that the code is free from run-time +errors ("Silver" level of SPARK adoption) can significantly reduce the +effort in showing that the application is sufficiently safe and +secure. The use of SPARK can help the software supplier meet the requirements in the following sections of |E-ST-40C| and |Q-ST-80C|: @@ -1016,9 +1018,10 @@ in |Q-ST-80C| requirement 6.2.3.2a: * "use of a 'safe subset' of programming language" * "use of formal design language for formal proof" -Further details on how SPARK and SPARK Pro can contribute to compliance -with the ECSS standards are presented in :ref:`Compliance_with_ECSS-E-ST-40C` -and :ref:`Compliance_with_ECSS-Q-ST-80C`. +Further details on how SPARK and SPARK Pro can contribute to +compliance with the ECSS standards are presented in +:ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and +:ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C`. .. only:: builder_html diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst index 5cc5a712c..abc6d15e2 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst @@ -1,6 +1,6 @@ .. include:: ../../../global.txt -.. _Tools_for_Space_Software_Development: +.. _Space_Systems_SW_Tools_for_Space_Software_Development: Tools for Space Software Development ==================================== @@ -33,47 +33,49 @@ of the "V". In summary: .. index:: single: SPARK Pro; Software life cycle .. index:: single: Software life cycle; SPARK Pro -* The SPARK Pro static analysis toolsuite - (see :ref:`Static_Verification_SPARK_Pro`) applies during Detailed Design and - Software Development. It includes a proof tool that verifies properties - ranging from correct information flows to functional correctness. +* The SPARK Pro static analysis toolsuite (see + :ref:`Space_Systems_SW_Static_Verification_SPARK_Pro`) applies + during Detailed Design and Software Development. It includes a proof + tool that verifies properties ranging from correct information flows + to functional correctness. .. index:: single: GNAT Pro for Ada; Software life cycle .. index:: single: Software life cycle; GNAT Pro -* The GNAT Pro development environment - (see :ref:`GNAT_Pro_Development_Environment`) applies during - Detailed Design, Software Development, and Unit Testing. It consists of - gcc-based program build tools, an integrated and tailorable graphical user - interface, accompanying tools, and a variety - of supplemental libraries (including some for which qualification material - is available for |E-ST-40C| and |Q-ST-80C|.) +* The GNAT Pro development environment (see + :ref:`Space_Systems_SW_GNAT_Pro_Development_Environment`) applies + during Detailed Design, Software Development, and Unit Testing. It + consists of gcc-based program build tools, an integrated and + tailorable graphical user interface, accompanying tools, and a + variety of supplemental libraries (including some for which + qualification material is available for |E-ST-40C| and |Q-ST-80C|.) .. index:: single: GNAT Static Analysis Suite (GNAT SAS); Software life cycle .. index:: single: Software life cycle; GNAT Static Analysis Suite (GNAT SAS) -* The GNAT Static Analysis Suite - (see :ref:`Static_Verification_GNAT_Static_Analysis_Suite_GNAT_SAS`) - applies during Software Development. It contains a variety of tools for Ada, - including a vulnerability detector that can be used retrospectively to - detect issues in existing codebases and/or during new projects to prevent - errors from being introduced. +* The GNAT Static Analysis Suite (see + :ref:`Space_Systems_SW_Static_Verification_GNAT_Static_Analysis_Suite_GNAT_SAS`) + applies during Software Development. It contains a variety of tools + for Ada, including a vulnerability detector that can be used + retrospectively to detect issues in existing codebases and/or during + new projects to prevent errors from being introduced. .. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); Software life cycle .. index:: single: Software life cycle; GNAT Dynamic Analysis Suite (GNAT DAS) -* The GNAT Dynamic Analysis Suite - (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) applies during Software - Development and Unit Testing. One of these tools, GNATcoverage, supports - code coverage and reporting at various levels of granularity for both Ada - and C. It can be used during unit and integration testing. +* The GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) + applies during Software Development and Unit Testing. One of these + tools, GNATcoverage, supports code coverage and reporting at various + levels of granularity for both Ada and C. It can be used during unit + and integration testing. The following sections describe the tools in more detail and show how they can assist in developing and verifying space system software. .. index:: single: SPARK Pro; Static verification -.. _Static_Verification_SPARK_Pro: +.. _Space_Systems_SW_Static_Verification_SPARK_Pro: Static Verification: SPARK Pro ------------------------------ @@ -107,10 +109,11 @@ from the absence of run-time exceptions, to the enforcement of safety or security properties, to compliance with a formal specification of the program's required behavior. -As described earlier (see :ref:`Levels_of_Adoption_of_Formal_Methods`), -the SPARK technology can be introduced -incrementally into a project, based on the assurance requirements. Each -level, from Bronze to Platinum, comes with associated benefits and costs. +As described earlier (see +:ref:`Space_Systems_SW_Levels_of_Adoption_of_Formal_Methods`), the +SPARK technology can be introduced incrementally into a project, based +on the assurance requirements. Each level, from Bronze to Platinum, +comes with associated benefits and costs. .. index:: single: SPARK Pro; Minimal run-time footprint @@ -181,10 +184,11 @@ code: In either case the use of SPARK Pro eases the effort in porting the code from one environment to another. -More specifically, using the SPARK Pro technology can help the supplier meet -|E-ST-40C| and |Q-ST-80C| requirements in a number of areas. These comprise -the ones mentioned earlier (see :ref:`SPARK_and_the_ECSS_Standards`) that -relate to the SPARK language, together with the following: +More specifically, using the SPARK Pro technology can help the +supplier meet |E-ST-40C| and |Q-ST-80C| requirements in a number of +areas. These comprise the ones mentioned earlier (see +:ref:`Space_Systems_SW_SPARK_and_the_ECSS_Standards`) that relate to +the SPARK language, together with the following: * |E-ST-40C| @@ -249,10 +253,11 @@ relate to the SPARK language, together with the following: * §7.2.3 Test and validation documentation -Details are provided in chapters :ref:`Compliance_with_ECSS-E-ST-40C` and -:ref:`Compliance_with_ECSS-Q-ST-80C`. +Details are provided in chapters +:ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and +:ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C`. -.. _GNAT_Pro_Development_Environment: +.. _Space_Systems_SW_GNAT_Pro_Development_Environment: GNAT Pro Development Environment -------------------------------- @@ -271,12 +276,12 @@ Based on the GNU GCC technology, |gnatpro| for Ada supports the |ada-83|, of |ada-2022|. It includes: * several Integrated Development Environments - (See :ref:`Integrated_Development_Environments_IDEs`); + (See :ref:`Space_Systems_SW_Integrated_Development_Environments_IDEs`); * a comprehensive toolsuite including a stack analysis tool - (see :ref:`GNATstack`) and a visual debugger; + (see :ref:`Space_Systems_SW_GNATstack`) and a visual debugger; * a library that enables customers to develop their own source analysis tools for project-specific needs - (see :ref:`Libadalang`); and + (see :ref:`Space_Systems_SW_Libadalang`); and * other useful libraries and bindings. For details on the tools and libraries supplied with |gnatpro| for @@ -288,7 +293,7 @@ through C18), C++ (from C++98 through C++17), and Rust. .. index:: GNAT Pro Enterprise -.. _GNAT_Pro_Enterprise: +.. _Space_Systems_SW_GNAT_Pro_Enterprise: GNAT Pro Enterprise ~~~~~~~~~~~~~~~~~~~ @@ -400,7 +405,7 @@ years after the initial release. .. index:: single: GNAT Pro Assurance; Sustained branches .. index:: Sustained branches -.. _Sustained_Branches: +.. _Space_Systems_SW_Sustained_Branches: Sustained Branches ^^^^^^^^^^^^^^^^^^ @@ -431,10 +436,10 @@ non-traceable code. Compliance with the ECSS Standards ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Supplementing the support provided by GNAT Pro for Ada -(see :ref:`GNAT_Pro_and_the_ECSS_Standards`), GNAT Pro Assurance -helps compliance with the following requirements from |E-ST-40C| -and |Q-ST-80C|: +Supplementing the support provided by GNAT Pro for Ada (see +:ref:`Space_Systems_SW_GNAT_Pro_and_the_ECSS_Standards`), GNAT Pro +Assurance helps compliance with the following requirements from +|E-ST-40C| and |Q-ST-80C|: * |E-ST-40C| @@ -457,7 +462,7 @@ and |Q-ST-80C|: .. index:: single: GNAT Pro for Ada; Libadalang .. index:: Libadalang -.. _Libadalang: +.. _Space_Systems_SW_Libadalang: Libadalang ~~~~~~~~~~ @@ -487,7 +492,7 @@ Typical libadalang applications include: .. index:: GNATstack .. index:: single: GNAT Pro for Ada; GNATstack -.. _GNATstack: +.. _Space_Systems_SW_GNATstack: GNATstack ~~~~~~~~~ @@ -560,10 +565,11 @@ external calls, and the maximal size for unbounded frames. Compliance with the ECSS Standards ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The GNATstack tool can help meet several requirements -in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters -:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. -In summary, these are the relevant sections of the two standards: +The GNATstack tool can help meet several requirements in |E-ST-40C| +and |Q-ST-80C|; details are provided in chapters +:ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and +:ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C`. In summary, +these are the relevant sections of the two standards: * ECSS-E-ST-40C @@ -597,22 +603,23 @@ concurrent and sequential code) enforced by compile-time checks. The language is seeing growing use in domains such as automotive systems and is a viable choice for other high-assurance software. -AdaCore's GNAT Pro for Rust is a complete development environment for the -Rust programming language, supporting both native builds and cross compilation -to embedded targets. The product is not a fork of the Rust programming -language or the Rust tools. Instead, GNAT Pro for Rust is a professionally -supported build of a selected version of rustc and other core Rust development -tools that offers stability for professional and high-integrity Rust projects. -Critical fixes to GNAT Pro for Rust are upstreamed to the Rust community, -and critical fixes made by the community to upstream Rust tools are backported -as needed to the GNAT Pro for Rust code base. -Additionally, the Assurance edition of GNAT Pro for Rust includes the -"sustained branch" service (see :ref:`Sustained_Branches`) that strikes the +AdaCore's GNAT Pro for Rust is a complete development environment for +the Rust programming language, supporting both native builds and cross +compilation to embedded targets. The product is not a fork of the Rust +programming language or the Rust tools. Instead, GNAT Pro for Rust is +a professionally supported build of a selected version of rustc and +other core Rust development tools that offers stability for +professional and high-integrity Rust projects. Critical fixes to GNAT +Pro for Rust are upstreamed to the Rust community, and critical fixes +made by the community to upstream Rust tools are backported as needed +to the GNAT Pro for Rust code base. Additionally, the Assurance +edition of GNAT Pro for Rust includes the "sustained branch" service +(see :ref:`Space_Systems_SW_Sustained_Branches`) that strikes the balance between tool stability and project flexibility. .. index:: Integrated Development Environments (IDEs) -.. _Integrated_Development_Environments_IDEs: +.. _Space_Systems_SW_Integrated_Development_Environments_IDEs: Integrated Development Environments (IDEs) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -703,7 +710,7 @@ cases the Ada tools are tightly integrated. .. index:: single: Integrated Development Environments (IDEs); GNATdashboard .. index:: GNATdashboard IDE -.. _GNATdashboard: +.. _Space_Systems_SW_GNATdashboard: GNATdashboard ^^^^^^^^^^^^^ @@ -721,15 +728,16 @@ conformance to coding standards, and more. .. index:: single: GNAT Pro for Ada; ECSS standards support -.. _GNAT_Pro_and_the_ECSS_Standards: +.. _Space_Systems_SW_GNAT_Pro_and_the_ECSS_Standards: GNAT Pro and the ECSS Standards ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -GNAT Pro can help meet a number of requirements in |E-ST-40C| and |Q-ST-80C|; -details are provided in chapters :ref:`Compliance_with_ECSS-E-ST-40C` and -:ref:`Compliance_with_ECSS-Q-ST-80C`. -In summary, these are the relevant sections of the two standards: +GNAT Pro can help meet a number of requirements in |E-ST-40C| and +|Q-ST-80C|; details are provided in chapters +:ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and +:ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C`. In summary, +these are the relevant sections of the two standards: * |E-ST-40C| @@ -808,7 +816,7 @@ category B (see :footcite:p:`Space_SW_AdaCore_Web_2019b`). .. index:: GNAT Static Analysis Suite (GNAT SAS) -.. _Static_Verification_GNAT_Static_Analysis_Suite_GNAT_SAS: +.. _Space_Systems_SW_Static_Verification_GNAT_Static_Analysis_Suite_GNAT_SAS: Static Verification: GNAT Static Analysis Suite (GNAT SAS) ---------------------------------------------------------- @@ -820,7 +828,7 @@ supporting compliance with ECSS standards. .. index:: single: GNAT Static Analysis Suite (GNAT SAS); Defects and Vulnerability Analyzer -.. _Defects_and_Vulnerability_Analyzer: +.. _Space_Systems_SW_Defects_and_Vulnerability_Analyzer: Defects and Vulnerability Analyzer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -869,10 +877,11 @@ Here are the weaknesses that are detected: Compliance with the ECSS Standards ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The defects and vulnerability analyzer can help meet a number of requirements -in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters -:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. -In summary, these are the relevant sections of the two standards: +The defects and vulnerability analyzer can help meet a number of +requirements in |E-ST-40C| and |Q-ST-80C|; details are provided in +chapters :ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and +:ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C`. In summary, +these are the relevant sections of the two standards: * ECSS-E-ST-40C @@ -921,7 +930,7 @@ In summary, these are the relevant sections of the two standards: .. index:: single: GNAT Static Analysis Suite (GNAT SAS); GNATmetric .. index:: GNATmetric -.. _GNATmetric: +.. _Space_Systems_SW_GNATmetric: GNATmetric ~~~~~~~~~~ @@ -936,11 +945,11 @@ reporting and limiting the maximum subprogram nesting depth). Compliance with the ECSS Standards ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The GNATmetric tool can help meet a number of requirements -in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters -:ref:`Compliance_with_ECSS-E-ST-40C` and -:ref:`Compliance_with_ECSS-Q-ST-80C`. -Here is a summary: +The GNATmetric tool can help meet a number of requirements in +|E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and +:ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C`. Here is a +summary: * ECSS-E-ST-40C @@ -967,7 +976,7 @@ Here is a summary: .. index:: GNATcheck .. index:: single: GNAT Static Analysis Suite (GNAT SAS); GNATcheck -.. _GNATcheck: +.. _Space_Systems_SW_GNATcheck: GNATcheck ~~~~~~~~~ @@ -1025,10 +1034,11 @@ requirements, processes and procedures. Compliance with the ECSS Standards ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The GNATcheck tool can help meet a number of requirements -in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters -:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. -In summary, these are the relevant sections of the two standards: +The GNATcheck tool can help meet a number of requirements in +|E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and +:ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C`. In summary, +these are the relevant sections of the two standards: * ECSS-E-ST-40C @@ -1075,7 +1085,7 @@ In summary, these are the relevant sections of the two standards: .. index:: GNAT Dynamic Analysis Suite (GNAT DAS) -.. _GNAT_Dynamic_Analysis_Suite_GNAT_DAS: +.. _Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS: GNAT Dynamic Analysis Suite (GNAT DAS) -------------------------------------- @@ -1083,7 +1093,7 @@ GNAT Dynamic Analysis Suite (GNAT DAS) .. index:: GNATtest .. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATtest -.. _GNATtest: +.. _Space_Systems_SW_GNATtest: GNATtest ~~~~~~~~ @@ -1106,12 +1116,13 @@ GNATtest handles Ada's Object-Oriented Programming features and can be used to help verify tagged type substitutability (the Liskov Substitution Principle) that can be used to demonstrate consistency of class hierarchies. -Testing a private subprogram is outside the scope of GNATtest but can be -implemented by defining the relevant testing code in a private child of the -package that declares the private subprogram. -Additionally, hybrid verification can help (see :ref:`Hybrid_Verification`): -augmenting testing with the use of SPARK to formally prove relevant properties -of the private subprogram. +Testing a private subprogram is outside the scope of GNATtest but can +be implemented by defining the relevant testing code in a private +child of the package that declares the private subprogram. +Additionally, hybrid verification can help (see +:ref:`Space_Systems_SW_Hybrid_Verification`): augmenting testing with +the use of SPARK to formally prove relevant properties of the private +subprogram. .. index:: GNATemulator .. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATemulator @@ -1146,7 +1157,7 @@ sufficient quantity. .. index:: GNATcoverage .. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATcoverage -.. _GNATcoverage: +.. _Space_Systems_SW_GNATcoverage: GNATcoverage ~~~~~~~~~~~~ @@ -1170,7 +1181,7 @@ of shared libraries. .. index:: GNATfuzz .. index:: Fuzz testing -.. _GNATfuzz: +.. _Space_Systems_SW_GNATfuzz: GNATfuzz ~~~~~~~~ @@ -1207,14 +1218,15 @@ introduced into the source code. TGen ~~~~ -TGen is an experimental run-time library / marshalling technology that can be -used by :index:`GNATtest` and/or :index:`GNATfuzz` to automate the production -of test cases for Ada code. It performs type-specific low-level processing to +TGen is an experimental run-time library / marshalling technology that +can be used by :index:`Space_Systems_SW_GNATtest` and/or +:index:`Space_Systems_SW_GNATfuzz` to automate the production of test +cases for Ada code. It performs type-specific low-level processing to generate test vectors for subprogram parameters, such as uniform value -distribution for scalar types and analogous strategies for unconstrained -arrays and record discriminants. A command-line argument specifies the number -of test values to be generated, and these can then be used as input to test -cases created by GNATtest. +distribution for scalar types and analogous strategies for +unconstrained arrays and record discriminants. A command-line argument +specifies the number of test values to be generated, and these can +then be used as input to test cases created by GNATtest. TGen can also be used with GNATfuzz, to help start a fuzz-testing campaign when the user supplies an initial set of test cases where some may contain @@ -1230,10 +1242,11 @@ of a successful mutation that results in a new valid test case. GNAT Dynamic Analysis Suite and the ECSS Standards ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The GNAT Dynamic Analysis Suite can help meet a number of requirements in -|E-ST-40C| and |Q-ST-80C|; details are provided in chapters -:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. -In summary, these are the relevant sections of the two standards: +The GNAT Dynamic Analysis Suite can help meet a number of requirements +in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and +:ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C`. In summary, +these are the relevant sections of the two standards: * ECSS-E-ST-40C From 2747cf5ee342a655a20a8246de0f8f82bc182da0 Mon Sep 17 00:00:00 2001 From: Fabien Chouteau Date: Wed, 25 Mar 2026 15:43:21 +0100 Subject: [PATCH 03/12] Fix sections headers format --- .../chapters/compliance-e40c.rst | 91 ++++++++++--------- .../chapters/compliance-q80c.rst | 41 +++++---- .../chapters/introduction.rst | 19 ++-- 3 files changed, 77 insertions(+), 74 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst index 84772c7c8..e907a16e1 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -24,10 +24,10 @@ Software requirements and architecture engineering process {§5.4} ----------------------------------------------------------------- Software architecture design {§5.4.3} -+++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Transformation of software requirements into a software architecture {§5.4.3.1} -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall transform the requirements for the software into an architecture that describes the top-level structure; identifies the software @@ -50,7 +50,7 @@ Transformation of software requirements into a software architecture {§5.4.3.1} top-level API (package specs). Software design method {§5.4.3.2} -''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall use a method (e.g., object oriented or functional) to produce the static and dynamic architecture including: software elements, @@ -60,7 +60,7 @@ Software design method {§5.4.3.2} object-oriented and functional styles. Selection of a computational model for real-time software {§5.4.3.3} -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The dynamic architecture design shall be described according to an analytical computational model." {§5.4.3.3a} @@ -70,7 +70,7 @@ Selection of a computational model for real-time software {§5.4.3.3} verification that real-time deadlines will be met. Description of software behavior {§5.4.3.4} -''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The software design shall also describe the behaviour of the software, by means of description techniques using automata and scenarios." @@ -80,7 +80,7 @@ Description of software behavior {§5.4.3.4} such techniques. Development and documentation of the software interfaces {§5.4.3.5} -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall develop and document a software preliminary design for the interfaces external to the software item and between the software @@ -92,7 +92,7 @@ Development and documentation of the software interfaces {§5.4.3.5} of pre- and postconditions for the subprograms comprising an interface. Definition of methods and tools for software intended for reuse {§5.4.3.6} -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall define procedures, methods and tools for reuse, and apply these to the software engineering processes to comply with the @@ -122,10 +122,10 @@ Software design and implementation engineering process {§5.5} ------------------------------------------------------------- Design of software items {§5.5.2} -+++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Detailed design of each software component {§5.5.2.1} -''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall develop a detailed design for each component of the software and document it." {§5.5.2.1a} @@ -144,7 +144,7 @@ Detailed design of each software component {§5.5.2.1} subunits. Development and documentation of the software interfaces detailed design {§5.5.2.2} -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall develop and document a detailed design for the interfaces external to the software items, between the software components, and between @@ -158,7 +158,7 @@ Development and documentation of the software interfaces detailed design {§5.5. part of the interfaces, facilitating the implementation of algorithms. Production of the detailed design model {§5.5.2.3} -'''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall produce the detailed design model of the software components defined during the software architectural design, including their @@ -169,7 +169,7 @@ Production of the detailed design model {§5.5.2.3} requirement. Software detail design method {§5.5.2.4} -'''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall use a design method (e.g. object oriented or functional method) to produce the detailed design including: software units, their @@ -179,7 +179,7 @@ Software detail design method {§5.5.2.4} object-oriented and functional styles. Detailed design of real-time software {§5.5.2.5} -'''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The dynamic design model shall be compatible with the computational model selected during the software architectural design model" {§5.5.2.5a} @@ -231,7 +231,7 @@ Detailed design of real-time software {§5.5.2.5} will never fail. Utilization of description techniques for the software behaviour {§5.5.2.6} -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The behavioural design of the software units shall be described by means of techniques using automata and scenarios." {§5.5.2.6a} @@ -240,10 +240,10 @@ Utilization of description techniques for the software behaviour {§5.5.2.6} such techniques. Coding and testing {§5.5.3} -+++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ Development and documentation of the software units {§5.5.3.1} -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall develop and document the following: the coding of each software unit; the build procedures to compile and link software units" @@ -253,7 +253,7 @@ Development and documentation of the software units {§5.5.3.1} and prevent "version skew". Software unit testing {§5.5.3.2} -'''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall develop and document the test procedures and data for testing each software unit" {§5.5.3.2a} @@ -282,10 +282,10 @@ Software unit testing {§5.5.3.2} assist in this process. Integration {§5.5.4} -++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~ Software units and software component integration and testing {§5.5.4.2} -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall integrate the software units and software components, and test them, as the aggregates are developed, in accordance with the @@ -302,10 +302,10 @@ Software units and software component integration and testing {§5.5.4.2} Validation activities with respect to the technical specification {§5.6.3} -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Development and documentation of a software validation specification with respect to the technical specification {§5.6.3.1} -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall develop and document, for each requirement of the software item in TS [Technical Specification] (including ICD [Interface @@ -334,10 +334,10 @@ Development and documentation of a software validation specification with respec case will trigger a failure. Validation activities with respect to the requirements baseline {§5.6.4} -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Development and documentation of a software validation specification with respect to the requirements baseline {§5.6.4.1} -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall develop and document, for each requirement of the software item in RB [Requirements Baseline] (including IRD [Interface @@ -370,10 +370,10 @@ Software delivery and acceptance process {§5.7} ----------------------------------------------- Software acceptance {§5.7.3} -++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Executable code generation and installation {§5.7.3.3} -'''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The acceptance shall include generation of the executable code from configuration managed source code components and its installation on @@ -388,10 +388,10 @@ Software verification process {§5.8} ------------------------------------ Verification activities {§5.8.3} -++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Verification of the software detailed design {§5.8.3.4} -''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall verify the software detailed design ensuring that: ... 5. testing is feasible, by assessing that: (a) controllability @@ -408,7 +408,7 @@ Verification of the software detailed design {§5.8.3.4} * SPARK (and GNATprove) help meet criteria 5, 7, and 8. Verification of code {§5.8.3.5} -''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall verify the software code ensuring at least that: 1. the code is externally consistent with the requirements and design @@ -522,7 +522,8 @@ Verification of code {§5.8.3.5} sufficient stack space for program execution and prevent stack overflow. Schedulability analysis for real-time software {§5.8.3.11} -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + .. index:: Ravenscar profile * "As part of the verification of the software requirements and architectural @@ -539,10 +540,10 @@ Software operation process {§5.9} --------------------------------- Process implementation {§5.9.2} -+++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Problem handling procedures definition {§5.9.2.3} -''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The SOS [Software Operation Support] entity shall establish procedures for receiving, recording, resolving, tracking problems, and providing feedback." @@ -562,10 +563,10 @@ Problem handling procedures definition {§5.9.2.3} this criterion. Software operation support {§5.9.4} -+++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Problem handling {§5.9.4.2} -''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "Encountered problems shall be recorded and handled in accordance with the applicable procedures." {§5.9.4.2a} @@ -576,7 +577,7 @@ Problem handling {§5.9.4.2} requirement when an issue arises that is due to an AdaCore tool. Vulnerabilities in operations {§5.9.4.3} -'''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "During operations, security vulnerabilities, threats and exploits shall be: 1. continuously monitored; 2. subject to further security analysis when @@ -589,10 +590,10 @@ Vulnerabilities in operations {§5.9.4.3} criterion 1. User support §5.9.5 -+++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~ Provisions of work-around solutions {§5.9.5.3} -'''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "If a reported problem has a temporary work-around solution before a permanent solution can be released, the SOS entity shall give to the @@ -608,10 +609,10 @@ Software maintenance process {§5.10} ------------------------------------ Process implementation {§5.10.2} -++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Long term maintenance for flight software {§5.10.2.2} -''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The maintainer shall propose solutions to be able to implement and upload modifications to the spacecraft @@ -622,10 +623,10 @@ Long term maintenance for flight software {§5.10.2.2} will receive support and not become obsolescent. Modification implementation {§5.10.4} -+++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Invoking of software engineering processes for modification implementation {§5.10.4.3} -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The maintainer shall apply the software engineering processes specified in clauses 5.3 to 5.8 and 5.11 that are relevant to the scope of the @@ -649,7 +650,7 @@ Software security process {|sect| 5.11} --------------------------------------- Process implementation {|sect| 5.11.2} -++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * "A software security management plan shall be produced documenting: ... 7. the tools, methods and procedures to be used...." {|sect| 5.11.2a} @@ -661,7 +662,7 @@ Process implementation {|sect| 5.11.2} .. _Space_Systems_SW_Software_security_analysis: Software security analysis {|sect| 5.11.3} -++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * "The methods to be used for the security analysis shall be identified as part of the planning of the project." {|sect| 5.11.3b} @@ -685,10 +686,10 @@ Software security analysis {|sect| 5.11.3} input values. Security activities in the software life cycle {|sect| 5.11.5} -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Security in the requirements baseline {|sect| 5.11.5.1} -''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The security assurance requirements shall determine the type and extent of security verification and validation activities, including testing, @@ -700,7 +701,7 @@ Security in the requirements baseline {|sect| 5.11.5.1} requirement. Security in the detailed design and implementation engineering {|sect| 5.11.5.3} -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The software security analysis shall be used during verification and validation activities to evaluate iteratively residual vulnerabilities and diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst index 04159eb99..4c2bba0d3 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst @@ -17,10 +17,10 @@ Software product assurance programme implementation {§5} -------------------------------------------------------- Software product assurance programme management {§5.2} -++++++++++++++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Quality requirements and quality models {§5.2.7} -'''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "Quality models shall be used to specify the software quality requirements" {§5.2.7.1a} @@ -34,10 +34,10 @@ Quality requirements and quality models {§5.2.7} quality data. Tools and supporting environment {§5.6} -+++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Methods and tools {§5.6.1} -'''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^ * "Methods and tools to be used for all activities of the development cycle ... shall be identified by the supplier and agreed by the customer" @@ -77,7 +77,7 @@ Methods and tools {§5.6.1} levels, compliance with formally specified requirements. Development environment selection {§5.6.2} -'''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The software development environment shall be selected according to the following criteria: 1. availability; 2. compatibility; 3. performance; @@ -110,10 +110,10 @@ Software process assurance {§6} ------------------------------- Requirements applicable to all software engineering processes {§6.2} -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Handling of critical software {§6.2.3} -'''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall define, justify and apply measures to assure the dependability and safety of critical software.... These measures can @@ -147,7 +147,8 @@ Handling of critical software {§6.2.3} thus facilitate dynamic code verification. Verification {§6.2.6} -''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^ + * "The completion of actions related to software problem reports generated during verification shall be verified and recorded." {§6.2.6.4a} @@ -162,7 +163,7 @@ Verification {§6.2.6} can detect unreachable code, including deactivated code. Software security {§6.2.9} -'''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall identify the methods and techniques for the software security analysis." {|sect| 6.2.9.3a} @@ -184,7 +185,7 @@ Software security {§6.2.9} Handling of security sensitive software {|sect| 6.2.10} -''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall define and implement measures to avoid propagation of failures, including the ones caused by deliberate action, between @@ -209,10 +210,10 @@ Handling of security sensitive software {|sect| 6.2.10} Requirements applicable to individual software engineering processes or activities {§6.3} -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Coding {§6.3.4} -''''''''''''''' +^^^^^^^^^^^^^^^ * "Coding standards (including security, consistent naming conventions and adequate commentary rules) shall be specified and observed." {§6.3.4.1a} @@ -244,7 +245,7 @@ Coding {§6.3.4} used to synthesize and summarize code quality metrics. Testing and validation {§6.3.5} -''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "Testing shall be performed in accordance with a strategy for each testing level (i.e. unit, integration, validation against the technical @@ -299,7 +300,7 @@ Testing and validation {§6.3.5} during code generation. Maintenance {§6.3.9} -'''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^ * "The maintenance plans and procedures shall include the following as a minimum: 1. scope of maintenance; 2. identification of the first version of the @@ -327,10 +328,10 @@ Software product quality assurance {§7} --------------------------------------- Product quality objectives and metrication {§7.1} -+++++++++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Assurance activities for product quality requirements {§7.1.3} -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The supplier shall define assurance activities to ensure that the product meets the quality requirements as specified in the technical @@ -345,7 +346,7 @@ Assurance activities for product quality requirements {§7.1.3} runtime errors, support this requirement. Basic metrics {§7.1.5} -'''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^ * "The following basic products metrics shall be used: size (code); complexity (design, code); fault density and failure intensity; test coverage; number @@ -355,10 +356,10 @@ Basic metrics {§7.1.5} Suite directly help to meet this requirement. Product quality requirements {§7.2} -+++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Design and related documentation {§7.2.2} -''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "The software shall be designed to facilitate testing." {§7.2.2.2a} @@ -381,7 +382,7 @@ Design and related documentation {§7.2.2} with minimal or no source code changes needed. Test and validation documentation {§7.2.3} -'''''''''''''''''''''''''''''''''''''''''' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * "Test procedures, data and expected results shall be specified." {|sect| 7.2.3.4a} diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst index 7dea11c78..eb5397c3c 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst @@ -1,15 +1,16 @@ .. include:: ../../../global.txt Introduction -=============== -Software for space applications must meet unique and formidable requirements. -Hard real-time deadlines, a constrained target execution environment with -limited storage capacity, and distributed functionality between ground and -on-board systems are some of the challenges, with little margin for error. -The software needs to work correctly from the outset, without safety or -security defects, and the source code needs to be amenable to maintenance -over the system’s lifetime (which may extend over decades) as requirements -evolve. +============ + +Software for space applications must meet unique and formidable +requirements. Hard real-time deadlines, a constrained target +execution environment with limited storage capacity, and distributed +functionality between ground and on-board systems are some of the +challenges, with little margin for error. The software needs to work +correctly from the outset, without safety or security defects, and the +source code needs to be amenable to maintenance over the system’s +lifetime (which may extend over decades) as requirements evolve. .. index:: European Cooperation for Space Standardization (ECSS) .. index:: European Space Agency (ESA) From c73e05630400f5374ce96c6aff44456792361ed5 Mon Sep 17 00:00:00 2001 From: gusthoff Date: Fri, 27 Mar 2026 20:10:08 +0100 Subject: [PATCH 04/12] Fix directive option indentation in space systems booklet Per CONTRIBUTING.md guidelines, directive options must use 4-space indentation. Fix all toctree, csv-table, and table options that were using 3-space indentation across index.rst, introduction.rst, tools.rst, compliance-e40c.rst, and compliance-q80c.rst. Co-Authored-By: Claude Sonnet 4.6 --- .../chapters/compliance-e40c.rst | 6 +-- .../chapters/compliance-q80c.rst | 2 +- .../chapters/introduction.rst | 52 +++++++++---------- .../chapters/tools.rst | 12 ++--- .../index.rst | 4 +- 5 files changed, 38 insertions(+), 38 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst index e907a16e1..25b90900c 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -761,8 +761,8 @@ technologies help meet these requirements: .. _Space_Systems_SW_Verification-Support: .. table:: Verification Support - :align: center - :widths: 17 65 18 + :align: center + :widths: 17 65 18 +-------------------------+---------------------------------------------------------------+----------------------------------------+ | Verification check # | Technology | Explanation | @@ -871,7 +871,7 @@ AdaCore's technologies support the requirements in ECSS-E-ST-40C: .. _Space_Systems_SW_ECSS-E-ST-40C-Compliance-Support: .. table:: Technology Support for ECSS-E-ST-40C Compliance - :align: left + :align: left +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ | Technology | |sect|\ 5.4 | |sect|\5.5 | |sect|\ 5.6 | |sect|\ 5.7 | |sect|\ 5.8 | |sect|\ 5.9 | |sect|\ 5.10 | |sect|\ 5.11 | Annex U | diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst index 4c2bba0d3..ca03436a2 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst @@ -410,7 +410,7 @@ AdaCore's technologies support the requirements in ECSS-Q-ST-80C: .. _Space_Systems_SW_ECSS-Q-ST-80C-Compliance-Support: .. table:: Technology Support for ECSS-Q-ST-80C Compliance - :align: left + :align: left +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ | Technology | |sect|\ 5.2 | |sect|\5.6 | |sect|\ 6.2 | |sect|\ 6.3 | |sect|\ 7.1 | |sect|\ 7.2 | diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst index eb5397c3c..c33f3e200 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst @@ -236,27 +236,27 @@ requirements from |E-ST-40C|, and cells with "Q" are the contributions from .. For example: See :numref:`RB table` .. csv-table:: **Relationship between RB (Requirements Baseline), DRL items, and reviews** - :name: RB table - :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR - :widths: 58, 7, 7, 7, 7, 7, 7 + :name: RB table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 "Software System Specification","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| "Interface requirements document (IRD)","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| "Safety and dependability analysis results for lower level suppliers", "E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between TS (Technical Specification), DRL items, and reviews** - :name: TS table - :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR - :widths: 58, 7, 7, 7, 7, 7, 7 + :name: TS table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 "Software requirements specification (SRS)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| "Software interface control document (ICD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between DDF (Design Definition File), DRL items, and reviews** - :name: DDF table - :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR - :widths: 58, 7, 7, 7, 7, 7, 7 + :name: DDF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 "Software design document (SDD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| "Software configuration file (SCF)",|blankcell|,E,E,"E Q",E,"E Q" @@ -267,9 +267,9 @@ requirements from |E-ST-40C|, and cells with "Q" are the contributions from "Training material",|blankcell|,|blankcell|,|blankcell|,E,|blankcell|,|blankcell| .. csv-table:: **Relationship between DJF (Design Justification File), DRL items, and reviews** - :name: DJF table - :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR - :widths: 58, 7, 7, 7, 7, 7, 7 + :name: DJF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 "Software verification plan (SVerP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| "Software validation plan (SValP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| @@ -289,9 +289,9 @@ requirements from |E-ST-40C|, and cells with "Q" are the contributions from "Justification of selection of operational ground equipment and support services","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between MGT (Management File), DRL items, and reviews** - :name: MGT table - :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR - :widths: 58, 7, 7, 7, 7, 7, 7 + :name: MGT table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 "Software development plan (SDP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| "Software review plan (SRP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| @@ -302,9 +302,9 @@ requirements from |E-ST-40C|, and cells with "Q" are the contributions from "Procurement data","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between MF (Maintenance File), DRL items, and reviews** - :name: MF table - :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR - :widths: 58, 7, 7, 7, 7, 7, 7 + :name: MF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 "Maintenance plan",|blankcell|,|blankcell|,|blankcell|,E,E,E "Maintenance records",Q,Q,Q,"E Q","E Q","E Q" @@ -313,18 +313,18 @@ requirements from |E-ST-40C|, and cells with "Q" are the contributions from "Retirement plan and notification",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between OP (Operational Plan), DRL items, and reviews** - :name: OP table - :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR - :widths: 58, 7, 7, 7, 7, 7, 7 + :name: OP table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 "Software operation support plan",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E "Operational testing results",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E "SPR and NCR- User's request record- Post operation review report",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E .. csv-table:: **Relationship between PAF (Product Assurance File), DRL items, and reviews** - :name: PAF table - :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR - :widths: 58, 7, 7, 7, 7, 7, 7 + :name: PAF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 "Software product assurance plan (SPAP)","E Q","E Q","E Q","E Q","E Q","E Q" "Software product assurance requirements for suppliers","E Q",Q,Q,Q,Q,Q @@ -348,8 +348,8 @@ requirements from |E-ST-40C|, and cells with "Q" are the contributions from "Input to product assurance plan for systems operation",Q,Q,Q,Q,Q,"E Q" .. csv-table:: **ECSS-E-ST-40 and ECSS-Q-ST-80 Document requirements list (DRL)** - :header: File,"DRL Item",SRR,PDR,CDR,QR,AR,ORR - :widths: 10, 48, 7, 7, 7, 7, 7, 7 + :header: File,"DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 10, 48, 7, 7, 7, 7, 7, 7 RB, "Software system specification (SSS)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| RB, "Interface requirements document (IRD)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst index abc6d15e2..4afd07c05 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst @@ -156,9 +156,9 @@ certified by the MITRE Corporation as a "CWE-Compatible" product The table below lists the CWE weaknesses detected by SPARK Pro: .. csv-table:: SPARK Pro and the CWE - :file: table-spark-cwe.csv - :widths: 20, 70 - :header-rows: 1 + :file: table-spark-cwe.csv + :widths: 20, 70 + :header-rows: 1 .. index:: single: SPARK Pro; ECSS standards support @@ -868,9 +868,9 @@ as a "CWE-Compatible" product :footcite:p:`Space_SW_MITRE_Web`. Here are the weaknesses that are detected: .. csv-table:: Defects and Vulnerability Analyzer and the CWE - :header-rows: 1 - :widths: 20, 70 - :file: table-dva-cwe.csv + :header-rows: 1 + :widths: 20, 70 + :file: table-dva-cwe.csv .. index:: single: Defects and Vulnerability Analyzer; ECSS standards support diff --git a/content/booklets/adacore-technologies-for-space-systems-software/index.rst b/content/booklets/adacore-technologies-for-space-systems-software/index.rst index 33ec547f1..91bc3edd5 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/index.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/index.rst @@ -198,8 +198,8 @@ software, please visit :footcite:p:`Space_SW_AdaCore_Web_Space`. | December 2025 .. toctree:: - :maxdepth: 4 - :numbered: + :maxdepth: 4 + :numbered: Introduction Programming Languages for Space Software From f9f61f6cc0ad717bc13b4a922ba32a32bd8bbf7b Mon Sep 17 00:00:00 2001 From: gusthoff Date: Fri, 27 Mar 2026 20:10:21 +0100 Subject: [PATCH 05/12] Fix code-block content indentation in space systems booklet Per CONTRIBUTING.md guidelines, directive content must use 4-space indentation. Normalize all code-block content in programming.rst to a 4-space minimum indent (some blocks had 2-space, others 3-space). Co-Authored-By: Claude Sonnet 4.6 --- .../chapters/programming.rst | 124 +++++++++--------- 1 file changed, 62 insertions(+), 62 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst index 30b3c6b5d..790b5f5ce 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst @@ -197,15 +197,15 @@ Here's an example of an integer scalar range and an associated run-time check: .. code-block:: ada - declare - My_Score : Integer range 1..100; - N : Integer; - begin - ... -- Code that assigns an integer value to N - My_Score := N; - -- A run-time check verifies that N is within the range 1 through 100, inclusive - -- If this check fails, the Constraint_Error exception is raised - end; + declare + My_Score : Integer range 1..100; + N : Integer; + begin + ... -- Code that assigns an integer value to N + My_Score := N; + -- A run-time check verifies that N is within the range 1 through 100, inclusive + -- If this check fails, the Constraint_Error exception is raised + end; The run-time check can be optimized out if the compiler can guarantee that the value of :ada:`N` is within the range 1 through 100 when control reaches @@ -234,30 +234,30 @@ values. .. code-block:: ada - package Table_Pkg is - type Table is private; -- Encapsulated type + package Table_Pkg is + type Table is private; -- Encapsulated type - function Is_Full (T : in Table) return Boolean; + function Is_Full (T : in Table) return Boolean; - function Contains (T : in Table; - Item : in Float) return Boolean; + function Contains (T : in Table; + Item : in Float) return Boolean; - procedure Insert (T : in out Table; Item: in Float) - with Pre => not Is_Full(T) and - not Contains(T, Item), - Post => Contains(T, Item); + procedure Insert (T : in out Table; Item: in Float) + with Pre => not Is_Full(T) and + not Contains(T, Item), + Post => Contains(T, Item); - procedure Remove (T : in out Table; Item: in Float); - with Pre => Contains(T, Item), - Post => not Contains(T, Item); - ... - private - ... -- Full declaration of Table - end Table_Pkg; + procedure Remove (T : in out Table; Item: in Float); + with Pre => Contains(T, Item), + Post => not Contains(T, Item); + ... + private + ... -- Full declaration of Table + end Table_Pkg; - package body Table_Pkg is - ... -- Implementation of Is_Full, Contains, Insert, Remove - end Table_Pkg; + package body Table_Pkg is + ... -- Implementation of Is_Full, Contains, Insert, Remove + end Table_Pkg; A compiler option controls whether the pre- and postconditions are checked at run time. If checks are enabled, any pre- or postcondition failure |mdash| @@ -279,16 +279,16 @@ the constraints on the individual fields: .. code-block:: ada - subtype Meter is Float range 0.0 .. 200.0; - subtype Radian is Float range 0.0 .. 2.0 * Pi; + subtype Meter is Float range 0.0 .. 200.0; + subtype Radian is Float range 0.0 .. 2.0 * Pi; - type Launching_Pad is - record - D, H : Meter; - Max_Angle : Radian; - end record - with - Predicate => Arctan (H, D) <= Max_Angle; + type Launching_Pad is + record + D, H : Meter; + Max_Angle : Radian; + end record + with + Predicate => Arctan (H, D) <= Max_Angle; Further information about type invariants and type / subtype predicates may be found in the *Design by contracts* chapter of the *Introduction to Ada* @@ -741,22 +741,22 @@ Here is an example of SPARK code: .. code-block:: ada - package Example is - N : Positive := 100; -- N constrained to 1 .. Integer'Last + package Example is + N : Positive := 100; -- N constrained to 1 .. Integer'Last - procedure Decrement (X in out Integer) - with Global => (Input => N), - Depends => (X => (X, N)), - Pre => X >= Integer'First + N, - Post => X = X'Old - N; - end Example; + procedure Decrement (X in out Integer) + with Global => (Input => N), + Depends => (X => (X, N)), + Pre => X >= Integer'First + N, + Post => X = X'Old - N; + end Example; - package body Example is - procedure Decrement (X in out Integer) is - begin - X := X - N; - end Decrement; - end Example; + package body Example is + procedure Decrement (X in out Integer) is + begin + X := X - N; + end Decrement; + end Example; The :ada:`with` constructs, known as "aspects", here define the :ada:`Decrement` procedure's contracts: @@ -903,19 +903,19 @@ corresponding to the imported function; here is an example. .. code-block:: ada - function getascii return Interfaces.C.unsigned_char - with Post => getascii'Result in 0..127; + function getascii return Interfaces.C.unsigned_char + with Post => getascii'Result in 0..127; - pragma Import (C, getascii); - -- Interfaces.C.unsigned_char is a modular (unsigned) - -- integer type, typically ranging from 0 through 255 + pragma Import (C, getascii); + -- Interfaces.C.unsigned_char is a modular (unsigned) + -- integer type, typically ranging from 0 through 255 - procedure Example is - N : Interfaces.C.unsigned_char range 0 .. 127; - begin - N := getascii; - -- SPARK can prove that no range check is needed - end Example; + procedure Example is + N : Interfaces.C.unsigned_char range 0 .. 127; + begin + N := getascii; + -- SPARK can prove that no range check is needed + end Example; The verification activity depends on whether the formally verified code invokes the tested code or vice versa. From 40d716762626d32e0fe92f0ef22bbfd45d420cd7 Mon Sep 17 00:00:00 2001 From: gusthoff Date: Fri, 27 Mar 2026 20:14:41 +0100 Subject: [PATCH 06/12] Fix typos and punctuation in space systems booklet compliance-e40c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - "Analyszer" → "Analyzer" - "justfied" → "justified" - "checks,as" → "checks, as" (missing space after comma) Co-Authored-By: Claude Sonnet 4.6 --- .../chapters/compliance-e40c.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst index 25b90900c..9feffa917 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -204,7 +204,7 @@ Detailed design of real-time software {§5.5.2.5} cannot change between the time that a task evaluates the state condition and when it executes the code based on that state. Other race conditions can be detected by the Defects and Vulnerability - Analyszer in the GNAT Static Analysis Suite. + Analyzer in the GNAT Static Analysis Suite. * "The supplier shall document and justify the use of dynamic allocation of resources." {§5.5.2.5d} @@ -433,7 +433,7 @@ Verification of code {§5.8.3.5} correctness, and the GNATcheck utility included in the GNAT Static Analysis Suite (see :ref:`Space_Systems_SW_GNATcheck`) can enforce conformance with a coding standard. - * For criterion 5, Ada's strong typing and interface checks,as well as + * For criterion 5, Ada's strong typing and interface checks, as well as SPARK and GNATprove, can help show consistent interfaces and correct data flow. * The Defects and Vulnerability Analyzer (see @@ -466,7 +466,7 @@ Verification of code {§5.8.3.5} in the GNAT Dynamic Analysis Suite can help meet this requirement. -* "If it can be justfied that the required percentage cannot be achieved +* "If it can be justified that the required percentage cannot be achieved by test execution, then analysis, inspection or review of design shall be applied to the non-covered code." {§5.8.3.5d} From 85a2eb7133c233d196e4cc77217af33742db593a Mon Sep 17 00:00:00 2001 From: gusthoff Date: Fri, 27 Mar 2026 20:15:01 +0100 Subject: [PATCH 07/12] =?UTF-8?q?Fix=20"contact"=20=E2=86=92=20"contract"?= =?UTF-8?q?=20typo=20in=20space=20systems=20booklet=20programming?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two occurrences of "contact" used where "contract" was intended, in the section on contract-based programming. Co-Authored-By: Claude Sonnet 4.6 --- .../chapters/programming.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst index 790b5f5ce..4f17f6cbc 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst @@ -228,7 +228,7 @@ generalized constraints (predicates). Through contracts the developer can formalize the intended behavior of the application, and can verify this behavior by testing, static analysis or formal proof. -Here's a skeletal example that illustrates contact-based programming; a +Here's a skeletal example that illustrates contract-based programming; a :ada:`Table` object is a fixed-length container for distinct :ada:`Float` values. @@ -261,7 +261,7 @@ values. A compiler option controls whether the pre- and postconditions are checked at run time. If checks are enabled, any pre- or postcondition failure |mdash| -i.e., the contact's Boolean expression evaluating to :ada:`False` |mdash| +i.e., the contract's Boolean expression evaluating to :ada:`False` |mdash| raises the :ada:`Assertion_Error` exception. .. index:: single: Ada language; Type invariants From 0a7d99e84d07baedbc32cc0d21bf183fee8947e2 Mon Sep 17 00:00:00 2001 From: gusthoff Date: Fri, 27 Mar 2026 21:34:38 +0100 Subject: [PATCH 08/12] Fix directive content indentation in space systems booklet Per CONTRIBUTING.md, directive content must use 4-character indentation. Fix toctree entries (index.rst) and table/csv-table bodies (introduction.rst, compliance-e40c.rst, compliance-q80c.rst) that were indented with 3 spaces instead of 4. Co-Authored-By: Claude Sonnet 4.6 --- .../chapters/compliance-e40c.rst | 178 ++++++------ .../chapters/compliance-q80c.rst | 38 +-- .../chapters/introduction.rst | 260 +++++++++--------- .../index.rst | 12 +- 4 files changed, 244 insertions(+), 244 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst index 9feffa917..e0ce7b601 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -764,78 +764,78 @@ technologies help meet these requirements: :align: center :widths: 17 65 18 - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | Verification check # | Technology | Explanation | - +=========================+===============================================================+========================================+ - | 1 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | - | +---------------------------------------------------------------+----------------------------------------+ - | | SPARK language, SPARK Pro | Static check | - | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 2 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | - | +---------------------------------------------------------------+----------------------------------------+ - | | SPARK language, SPARK Pro | Static check | - | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 3 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - | +---------------------------------------------------------------+----------------------------------------+ - | | GNATcheck (in GNAT Static Analysis Suite) | User-defined rule | - | +---------------------------------------------------------------+----------------------------------------+ - | | SPARK language, SPARK Pro | Static check | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 4 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | - | | SPARK language, SPARK Pro | | - | +---------------------------------------------------------------+----------------------------------------+ - | | GNATcheck (in GNAT Static Analysis Suite) | User-defined rule | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 5 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | - | | SPARK language, SPARK Pro | | - | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 6 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | - | | SPARK language, SPARK Pro | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 7 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | - | | SPARK language, SPARK Pro | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 8 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 9 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | - | +---------------------------------------------------------------+----------------------------------------+ - | | SPARK language, SPARK Pro | Static check | - | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 10 | SPARK language, SPARK Pro | Static check | - | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 11 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 12 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - | +---------------------------------------------------------------+----------------------------------------+ - | | Ada Language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`***` | - | +---------------------------------------------------------------+----------------------------------------+ - | | GNATstack (for preventing stack overflow) | Static check | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 13 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | - | | SPARK language, SPARK Pro | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 14 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | - | | (in GNAT Static Analysis Suite) | | - +-------------------------+---------------------------------------------------------------+----------------------------------------+ + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | Verification check # | Technology | Explanation | + +=========================+===============================================================+========================================+ + | 1 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 2 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 3 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + | +---------------------------------------------------------------+----------------------------------------+ + | | GNATcheck (in GNAT Static Analysis Suite) | User-defined rule | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 4 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + | +---------------------------------------------------------------+----------------------------------------+ + | | GNATcheck (in GNAT Static Analysis Suite) | User-defined rule | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 5 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 6 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 7 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 8 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 9 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 10 | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 11 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 12 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + | +---------------------------------------------------------------+----------------------------------------+ + | | Ada Language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`***` | + | +---------------------------------------------------------------+----------------------------------------+ + | | GNATstack (for preventing stack overflow) | Static check | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 13 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 14 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ :superscript:`*` Depending on the source code, the GNAT Pro compiler may be able to guarantee that the check will always succeed and can thus avoid @@ -873,20 +873,20 @@ AdaCore's technologies support the requirements in ECSS-E-ST-40C: .. table:: Technology Support for ECSS-E-ST-40C Compliance :align: left - +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ - | Technology | |sect|\ 5.4 | |sect|\5.5 | |sect|\ 5.6 | |sect|\ 5.7 | |sect|\ 5.8 | |sect|\ 5.9 | |sect|\ 5.10 | |sect|\ 5.11 | Annex U | - +=============================+=============+============+=============+=============+=============+=============+==============+==============+=========+ - | Ada language | |check| | |check| | | | |check| | |check| | |check| | |check| | |check| | - +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ - | SPARK language | |check| | |check| | | | |check| | | |check| | |check| | |check| | - +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ - | GNAT Pro for Ada | |check| | |check| | |check| | |check| | |check| | | |check| | |check| | |check| | - +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ - | SPARK Pro | |check| | |check| | |check| | | |check| | | |check| | |check| | |check| | - +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ - | GNAT Static Analysis Suite | | |check| | |check| | | |check| | | |check| | |check| | |check| | - +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ - | GNAT Dynamic Analysis Suite | | |check| | |check| | | |check| | | |check| | |check| | | - +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ - | GNAT Pro Assurance | |check| | |check| | |check| | |check| | |check| | |check| | |check| | |check| | |check| | - +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | Technology | |sect|\ 5.4 | |sect|\5.5 | |sect|\ 5.6 | |sect|\ 5.7 | |sect|\ 5.8 | |sect|\ 5.9 | |sect|\ 5.10 | |sect|\ 5.11 | Annex U | + +=============================+=============+============+=============+=============+=============+=============+==============+==============+=========+ + | Ada language | |check| | |check| | | | |check| | |check| | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | SPARK language | |check| | |check| | | | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Pro for Ada | |check| | |check| | |check| | |check| | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | SPARK Pro | |check| | |check| | |check| | | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Static Analysis Suite | | |check| | |check| | | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Dynamic Analysis Suite | | |check| | |check| | | |check| | | |check| | |check| | | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Pro Assurance | |check| | |check| | |check| | |check| | |check| | |check| | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst index ca03436a2..45f732bae 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst @@ -412,25 +412,25 @@ AdaCore's technologies support the requirements in ECSS-Q-ST-80C: .. table:: Technology Support for ECSS-Q-ST-80C Compliance :align: left - +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ - | Technology | |sect|\ 5.2 | |sect|\5.6 | |sect|\ 6.2 | |sect|\ 6.3 | |sect|\ 7.1 | |sect|\ 7.2 | - +=============================+=============+=============+=============+=============+=============+=============+ - | Ada language | |blankcell| | |blankcell| | |check| | |check| | |blankcell| | |check| | - +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ - | SPARK language | |blankcell| | |check| | |check| | |blankcell| | |check| | |blankcell| | - +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ - | GNAT Pro for Ada | |blankcell| | |check| | |check| | |blankcell| | |check| | |blankcell| | - +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ - | SPARK Pro | |blankcell| | |check| | |check| | |blankcell| | |check| | |check| | - +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ - | GNAT Static Analysis Suite | |blankcell| | |check| | |check| | |check| | |check| | |blankcell| | - +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ - | GNAT Dynamic Analysis Suite | |blankcell| | |check| | |check| | |check| | |check| | |check| | - +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ - | GNAT Pro Assurance | |blankcell| | |check| | |check| | |check| | |check| | |blankcell| | - +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ - | GNAT Pro IDEs | |check| | |blankcell| | |blankcell| | |check| | |check| | |blankcell| | - +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | Technology | |sect|\ 5.2 | |sect|\5.6 | |sect|\ 6.2 | |sect|\ 6.3 | |sect|\ 7.1 | |sect|\ 7.2 | + +=============================+=============+=============+=============+=============+=============+=============+ + | Ada language | |blankcell| | |blankcell| | |check| | |check| | |blankcell| | |check| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | SPARK language | |blankcell| | |check| | |check| | |blankcell| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Pro for Ada | |blankcell| | |check| | |check| | |blankcell| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | SPARK Pro | |blankcell| | |check| | |check| | |blankcell| | |check| | |check| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Static Analysis Suite | |blankcell| | |check| | |check| | |check| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Dynamic Analysis Suite | |blankcell| | |check| | |check| | |check| | |check| | |check| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Pro Assurance | |blankcell| | |check| | |check| | |check| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Pro IDEs | |check| | |blankcell| | |blankcell| | |check| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ .. only:: builder_html diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst index c33f3e200..a3c1925eb 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst @@ -240,17 +240,17 @@ requirements from |E-ST-40C|, and cells with "Q" are the contributions from :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR :widths: 58, 7, 7, 7, 7, 7, 7 - "Software System Specification","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Interface requirements document (IRD)","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Safety and dependability analysis results for lower level suppliers", "E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software System Specification","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Interface requirements document (IRD)","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Safety and dependability analysis results for lower level suppliers", "E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between TS (Technical Specification), DRL items, and reviews** :name: TS table :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR :widths: 58, 7, 7, 7, 7, 7, 7 - "Software requirements specification (SRS)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Software interface control document (ICD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| + "Software requirements specification (SRS)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software interface control document (ICD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between DDF (Design Definition File), DRL items, and reviews** @@ -258,166 +258,166 @@ requirements from |E-ST-40C|, and cells with "Q" are the contributions from :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR :widths: 58, 7, 7, 7, 7, 7, 7 - "Software design document (SDD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| - "Software configuration file (SCF)",|blankcell|,E,E,"E Q",E,"E Q" - "Software release document (SRelD)",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| - "Software user manual (SUM)",|blankcell|,|blankcell|,E,E,E,|blankcell| - "Software source code and media labels",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| - "Software product and media labels",|blankcell|,|blankcell|,|blankcell|,E,E,E - "Training material",|blankcell|,|blankcell|,|blankcell|,E,|blankcell|,|blankcell| + "Software design document (SDD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| + "Software configuration file (SCF)",|blankcell|,E,E,"E Q",E,"E Q" + "Software release document (SRelD)",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| + "Software user manual (SUM)",|blankcell|,|blankcell|,E,E,E,|blankcell| + "Software source code and media labels",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software product and media labels",|blankcell|,|blankcell|,|blankcell|,E,E,E + "Training material",|blankcell|,|blankcell|,|blankcell|,E,|blankcell|,|blankcell| .. csv-table:: **Relationship between DJF (Design Justification File), DRL items, and reviews** :name: DJF table :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR :widths: 58, 7, 7, 7, 7, 7, 7 - "Software verification plan (SVerP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Software validation plan (SValP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Independent software verification and validation plan","E Q",E,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Software integration test plan (SITP)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| - "Software unit test plan (SUTP)",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| - "Software validation specification (SVS) with respect to TS",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| - "Software validation specification (SVS) with respect to RB",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| - "Acceptance test plan",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| - "Acceptance test report",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| - "Installation report",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| - "Software verification report (SVR)",E,E,E,E,E,"E Q" - "Independent software verification and validation report",|blankcell|,"E Q","E Q","E Q","E Q",E - "Software reuse file (SRF)","E Q",E,E,|blankcell|,|blankcell|,|blankcell| - "Software problems reports and nonconformance reports","E Q","E Q","E Q","E Q","E Q","E Q" - "Joint review reports",E,E,E,E,E,|blankcell| - "Justification of selection of operational ground equipment and support services","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software verification plan (SVerP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software validation plan (SValP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Independent software verification and validation plan","E Q",E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software integration test plan (SITP)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| + "Software unit test plan (SUTP)",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software validation specification (SVS) with respect to TS",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software validation specification (SVS) with respect to RB",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| + "Acceptance test plan",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| + "Acceptance test report",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Installation report",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software verification report (SVR)",E,E,E,E,E,"E Q" + "Independent software verification and validation report",|blankcell|,"E Q","E Q","E Q","E Q",E + "Software reuse file (SRF)","E Q",E,E,|blankcell|,|blankcell|,|blankcell| + "Software problems reports and nonconformance reports","E Q","E Q","E Q","E Q","E Q","E Q" + "Joint review reports",E,E,E,E,E,|blankcell| + "Justification of selection of operational ground equipment and support services","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between MGT (Management File), DRL items, and reviews** :name: MGT table :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR :widths: 58, 7, 7, 7, 7, 7, 7 - "Software development plan (SDP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Software review plan (SRP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Software configuration management plan",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Training plan","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Interface management procedures",E,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Identification of NRB SW and members","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Procurement data","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software development plan (SDP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software review plan (SRP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software configuration management plan",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Training plan","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Interface management procedures",E,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Identification of NRB SW and members","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Procurement data","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between MF (Maintenance File), DRL items, and reviews** :name: MF table :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR :widths: 58, 7, 7, 7, 7, 7, 7 - "Maintenance plan",|blankcell|,|blankcell|,|blankcell|,E,E,E - "Maintenance records",Q,Q,Q,"E Q","E Q","E Q" - "SPR and NCR- Modification analysis report- Problem analysis report- Modification documentation- Baseline for change - Joint review reports",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Migration plan and notification",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| - "Retirement plan and notification",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Maintenance plan",|blankcell|,|blankcell|,|blankcell|,E,E,E + "Maintenance records",Q,Q,Q,"E Q","E Q","E Q" + "SPR and NCR- Modification analysis report- Problem analysis report- Modification documentation- Baseline for change - Joint review reports",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Migration plan and notification",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Retirement plan and notification",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| .. csv-table:: **Relationship between OP (Operational Plan), DRL items, and reviews** :name: OP table :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR :widths: 58, 7, 7, 7, 7, 7, 7 - "Software operation support plan",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E - "Operational testing results",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E - "SPR and NCR- User's request record- Post operation review report",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E + "Software operation support plan",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E + "Operational testing results",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E + "SPR and NCR- User's request record- Post operation review report",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E .. csv-table:: **Relationship between PAF (Product Assurance File), DRL items, and reviews** :name: PAF table :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR :widths: 58, 7, 7, 7, 7, 7, 7 - "Software product assurance plan (SPAP)","E Q","E Q","E Q","E Q","E Q","E Q" - "Software product assurance requirements for suppliers","E Q",Q,Q,Q,Q,Q - "Audit plan and schedule","E Q",Q,Q,Q,Q,Q - "Review and inspection plans or procedures",Q,Q,Q,Q,Q,Q - "Procedures and standards",Q,"E Q",Q,Q,Q,Q - "Modelling and design standards","E Q","E Q",Q,Q,Q,Q - "Coding standards and description of tools",Q,"E Q",Q,Q,Q,Q - "Software problem reporting procedure",Q,"E Q",Q,Q,Q,Q - "Software dependability and safety analysis report- Criticality classification of software components",Q,"E Q","E Q","E Q","E Q",Q - "Software product assurance report",Q,Q,Q,Q,Q,Q - "Software product assurance milestone report (SPAMR)","E Q","E Q","E Q","E Q","E Q","E Q" - "Statement of compliance with test plans and procedures",Q,Q,"E Q","E Q","E Q","E Q" - "Records of training and experience",Q,Q,Q,Q,Q,Q - "(Preliminary) alert information",Q,Q,Q,Q,Q,Q - "Results of preaward audits and assessments, and of procurement sources",Q,Q,Q,Q,Q,Q - "Software process assessment plan",Q,Q,Q,Q,Q,Q - "Software process assessment records",Q,Q,Q,Q,Q,Q - "Review and inspection reports",Q,Q,Q,Q,Q,Q - "Receiving inspection report","E Q","E Q","E Q","E Q",Q,Q - "Input to product assurance plan for systems operation",Q,Q,Q,Q,Q,"E Q" + "Software product assurance plan (SPAP)","E Q","E Q","E Q","E Q","E Q","E Q" + "Software product assurance requirements for suppliers","E Q",Q,Q,Q,Q,Q + "Audit plan and schedule","E Q",Q,Q,Q,Q,Q + "Review and inspection plans or procedures",Q,Q,Q,Q,Q,Q + "Procedures and standards",Q,"E Q",Q,Q,Q,Q + "Modelling and design standards","E Q","E Q",Q,Q,Q,Q + "Coding standards and description of tools",Q,"E Q",Q,Q,Q,Q + "Software problem reporting procedure",Q,"E Q",Q,Q,Q,Q + "Software dependability and safety analysis report- Criticality classification of software components",Q,"E Q","E Q","E Q","E Q",Q + "Software product assurance report",Q,Q,Q,Q,Q,Q + "Software product assurance milestone report (SPAMR)","E Q","E Q","E Q","E Q","E Q","E Q" + "Statement of compliance with test plans and procedures",Q,Q,"E Q","E Q","E Q","E Q" + "Records of training and experience",Q,Q,Q,Q,Q,Q + "(Preliminary) alert information",Q,Q,Q,Q,Q,Q + "Results of preaward audits and assessments, and of procurement sources",Q,Q,Q,Q,Q,Q + "Software process assessment plan",Q,Q,Q,Q,Q,Q + "Software process assessment records",Q,Q,Q,Q,Q,Q + "Review and inspection reports",Q,Q,Q,Q,Q,Q + "Receiving inspection report","E Q","E Q","E Q","E Q",Q,Q + "Input to product assurance plan for systems operation",Q,Q,Q,Q,Q,"E Q" .. csv-table:: **ECSS-E-ST-40 and ECSS-Q-ST-80 Document requirements list (DRL)** :header: File,"DRL Item",SRR,PDR,CDR,QR,AR,ORR :widths: 10, 48, 7, 7, 7, 7, 7, 7 - RB, "Software system specification (SSS)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| - RB, "Interface requirements document (IRD)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| - RB, "Safety and dependability analysis results for lower level suppliers", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| - TS, "Software requirements specification (SRS)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| - TS, "Software interface control document (ICD)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| - DDF, "Software design document (SDD)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| - DDF, "Software configuration file (SCF)", |blankcell|, E, E, "E Q", E, "E Q" - DDF, "Software release document (SRelD)", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| - DDF, "Software user manual (SUM)", |blankcell|, |blankcell|, E, E, E, |blankcell| - DDF, "Software source code and media labels", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| - DDF, "Software product and media labels", |blankcell|, |blankcell|, |blankcell|, E, E, E - DDF, "Training material", |blankcell|, |blankcell|, |blankcell|, E, |blankcell|, |blankcell| - DJF, "Software verification plan (SVerP)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| - DJF, "Software validation plan (SValP)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| - DJF, "Independent software verification and validation plan", "E Q", E, |blankcell|, |blankcell|, |blankcell|, |blankcell| - DJF, "Software integration test plan (SUITP)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| - DJF, "Software unit test plan (SUITP)", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| - DJF, "Software validation specification (SVS) with respect to TS", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| - DJF, "Software validation specification (SVS) with respect to RB", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| - DJF, "Acceptance test plan", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| - DJF, "Software unit test report", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| - DJF, "Software integration test report", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| - DJF, "Software validation report with respect to TS", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| - DJF, "Software validation report with respect to RB", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| - DJF, "Acceptance test report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, E, |blankcell| - DJF, "Installation report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, E, |blankcell| - DJF, "Software verification report (SVR)", E, E, E, E, E, "E Q" - DJF, "Independent software verification and validation report", |blankcell|, "E Q", "E Q", "E Q", "E Q", E - DJF, "Software reuse file (SRF)", "E Q", E, E, |blankcell|, |blankcell|, |blankcell| - DJF, "Software problems reports and nonconformance reports", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" - DJF, "Joint review reports", E, E, E, E , E , |blankcell| - DJF, "Justification of selection of operational ground equipment and support services", "E Q", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell| - MGT, "Software development plan (SDP)", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| - MGT, "Software review plan (SRevP)", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| - MGT, "Software configuration management plan", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| - MGT, "Training plan", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| - MGT, "Interface management procedures", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| - MGT, "Identification of NRB SW and members", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| - MGT, "Procurement data", "E Q", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell| - MF, "Maintenance plan", |blankcell|, , |blankcell|, E, E, E - MF, "Maintenance records", Q, Q, Q, "E Q", "E Q", "E Q" - MF, "SPR and NCR- Modification analysis report- Problem analysis report- Modification documentation- Baseline for change - Joint review reports", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| - MF, "Migration plan and notification", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| - MF, "Retirement plan and notification", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| - OP, "Software operation support plan", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E - OP, "Operational testing results", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E - OP, "SPR and NCR- User’s request record- Post operation review report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E - PAF, "Software product assurance plan (SPAP)", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" - PAF, "Software product assurance requirements for suppliers", "E Q", Q, Q, Q, Q, Q - PAF, "Audit plan and schedule", "E Q", Q, Q, Q, Q, Q - PAF, "Review and inspection plans or procedures", Q, Q, Q, Q, Q, Q - PAF, "Procedures and standards", Q, "E Q", Q, Q, Q, Q - PAF, "Modelling and design standards", "E Q", "E Q", Q, Q, Q, Q - PAF, "Coding standards and description of tools", Q, "E Q", Q, Q, Q, Q - PAF, "Software problem reporting procedure", Q, "E Q", Q, Q, Q, Q - PAF, "Software dependability and safety analysis report- Criticality classification of software components", Q, "E Q", "E Q", "E Q", "E Q", Q - PAF, "Software product assurance report", Q, Q, Q, Q, Q, Q - PAF, "Software product assurance milestone report (SPAMR)", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" - PAF, "Statement of compliance with test plans and procedures", Q, Q, "E Q", "E Q", "E Q", "E Q" - PAF, "Records of training and experience", Q, Q, Q, Q, Q, Q - PAF, "(Preliminary) alert information", Q, Q, Q, Q, Q, Q - PAF, "Results of preaward audits and assessments, and of procurement sources", Q, Q, Q, Q, Q, Q - PAF, "Software process assessment plan", Q, Q, Q, Q, Q, Q - PAF, "Software process assessment records", Q, Q, Q, Q, Q, Q - PAF, "Review and inspection reports", Q, Q, Q, Q, Q, Q - PAF, "Receiving inspection report", "E Q", "E Q", "E Q", "E Q", Q, Q - PAF, "Input to product assurance plan for systems operation", Q, Q, Q, Q, Q, "E Q" + RB, "Software system specification (SSS)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + RB, "Interface requirements document (IRD)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + RB, "Safety and dependability analysis results for lower level suppliers", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + TS, "Software requirements specification (SRS)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + TS, "Software interface control document (ICD)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| + DDF, "Software design document (SDD)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| + DDF, "Software configuration file (SCF)", |blankcell|, E, E, "E Q", E, "E Q" + DDF, "Software release document (SRelD)", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DDF, "Software user manual (SUM)", |blankcell|, |blankcell|, E, E, E, |blankcell| + DDF, "Software source code and media labels", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DDF, "Software product and media labels", |blankcell|, |blankcell|, |blankcell|, E, E, E + DDF, "Training material", |blankcell|, |blankcell|, |blankcell|, E, |blankcell|, |blankcell| + DJF, "Software verification plan (SVerP)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation plan (SValP)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + DJF, "Independent software verification and validation plan", "E Q", E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + DJF, "Software integration test plan (SUITP)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software unit test plan (SUITP)", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation specification (SVS) with respect to TS", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation specification (SVS) with respect to RB", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DJF, "Acceptance test plan", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DJF, "Software unit test report", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software integration test report", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation report with respect to TS", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation report with respect to RB", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DJF, "Acceptance test report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, E, |blankcell| + DJF, "Installation report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, E, |blankcell| + DJF, "Software verification report (SVR)", E, E, E, E, E, "E Q" + DJF, "Independent software verification and validation report", |blankcell|, "E Q", "E Q", "E Q", "E Q", E + DJF, "Software reuse file (SRF)", "E Q", E, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software problems reports and nonconformance reports", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" + DJF, "Joint review reports", E, E, E, E , E , |blankcell| + DJF, "Justification of selection of operational ground equipment and support services", "E Q", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Software development plan (SDP)", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Software review plan (SRevP)", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Software configuration management plan", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Training plan", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Interface management procedures", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Identification of NRB SW and members", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Procurement data", "E Q", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell| + MF, "Maintenance plan", |blankcell|, , |blankcell|, E, E, E + MF, "Maintenance records", Q, Q, Q, "E Q", "E Q", "E Q" + MF, "SPR and NCR- Modification analysis report- Problem analysis report- Modification documentation- Baseline for change - Joint review reports", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MF, "Migration plan and notification", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MF, "Retirement plan and notification", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + OP, "Software operation support plan", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E + OP, "Operational testing results", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E + OP, "SPR and NCR- User’s request record- Post operation review report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E + PAF, "Software product assurance plan (SPAP)", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" + PAF, "Software product assurance requirements for suppliers", "E Q", Q, Q, Q, Q, Q + PAF, "Audit plan and schedule", "E Q", Q, Q, Q, Q, Q + PAF, "Review and inspection plans or procedures", Q, Q, Q, Q, Q, Q + PAF, "Procedures and standards", Q, "E Q", Q, Q, Q, Q + PAF, "Modelling and design standards", "E Q", "E Q", Q, Q, Q, Q + PAF, "Coding standards and description of tools", Q, "E Q", Q, Q, Q, Q + PAF, "Software problem reporting procedure", Q, "E Q", Q, Q, Q, Q + PAF, "Software dependability and safety analysis report- Criticality classification of software components", Q, "E Q", "E Q", "E Q", "E Q", Q + PAF, "Software product assurance report", Q, Q, Q, Q, Q, Q + PAF, "Software product assurance milestone report (SPAMR)", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" + PAF, "Statement of compliance with test plans and procedures", Q, Q, "E Q", "E Q", "E Q", "E Q" + PAF, "Records of training and experience", Q, Q, Q, Q, Q, Q + PAF, "(Preliminary) alert information", Q, Q, Q, Q, Q, Q + PAF, "Results of preaward audits and assessments, and of procurement sources", Q, Q, Q, Q, Q, Q + PAF, "Software process assessment plan", Q, Q, Q, Q, Q, Q + PAF, "Software process assessment records", Q, Q, Q, Q, Q, Q + PAF, "Review and inspection reports", Q, Q, Q, Q, Q, Q + PAF, "Receiving inspection report", "E Q", "E Q", "E Q", "E Q", Q, Q + PAF, "Input to product assurance plan for systems operation", Q, Q, Q, Q, Q, "E Q" .. index:: single: ECSS-Q-ST-80C; Summary diff --git a/content/booklets/adacore-technologies-for-space-systems-software/index.rst b/content/booklets/adacore-technologies-for-space-systems-software/index.rst index 91bc3edd5..bbba2de37 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/index.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/index.rst @@ -201,12 +201,12 @@ software, please visit :footcite:p:`Space_SW_AdaCore_Web_Space`. :maxdepth: 4 :numbered: - Introduction - Programming Languages for Space Software - Tools for Space Software Development - Compliance with ECSS-E-ST-40C - Compliance with ECSS-Q-ST-80C - Abbreviations + Introduction + Programming Languages for Space Software + Tools for Space Software Development + Compliance with ECSS-E-ST-40C + Compliance with ECSS-Q-ST-80C + Abbreviations .. only:: builder_html From 37472e36820501dd91936d9f8b40be4a6f2700d3 Mon Sep 17 00:00:00 2001 From: gusthoff Date: Fri, 27 Mar 2026 23:14:46 +0100 Subject: [PATCH 09/12] Fix sub-bullet indentation causing blockquote rendering in space booklet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In RST, a bullet item `* text` places the body text at column 2. Nested bullets must align exactly with that column-2 body start. Indenting sub-bullets to column 3 or beyond causes Sphinx to parse them as block quotes rather than as nested list items, producing visually distinct "quote" boxes in the HTML and PDF output instead of the intended bullet hierarchy. This commit normalises the indentation across all four chapters: - compliance-e40c.rst: 3-space sub-bullets corrected to 2-space; 5-space continuation lines corrected to 4-space; a 3-space directive (.. note::) corrected to 2-space. - compliance-q80c.rst: 36 × 3-space sub-bullets corrected to 2-space; 75 × 5-space continuation lines corrected to 4-space; one 3-space directive corrected to 2-space. - programming.rst: 40 × 4-space bullets that appeared directly under section paragraphs (not inside a parent list item) corrected to 0-space (top-level bullets); their 6-space continuation lines corrected to 2-space accordingly. - tools.rst: mixed correct (2→4→6) and incorrect (2→3→6) chains normalised; 3-space sub-bullets corrected to 2-space; 5-space continuation lines corrected to 4-space; 6-space sub-sub-bullets that were under 3-space parents moved to 4-space; a 9-space bullet (line 781) corrected to 6-space. Co-Authored-By: Claude Sonnet 4.6 --- .../chapters/compliance-e40c.rst | 424 +++++++++--------- .../chapters/compliance-q80c.rst | 226 +++++----- .../chapters/programming.rst | 76 ++-- .../chapters/tools.rst | 292 ++++++------ 4 files changed, 509 insertions(+), 509 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst index e0ce7b601..60b448d86 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -41,13 +41,13 @@ Transformation of software requirements into a software architecture {§5.4.3.1} active objects such as threads, tasks and processes; describes the software behavior." {§5.4.3.1a} - * The Ada and SPARK languages (and thus the GNAT Pro Ada and SPARK Pro - toolsuites directly support this requirement. Relevant - features include packages, child libraries, subunits, private types, - tasking, and object-oriented programming (tagged types). The - :index:`GNATstub` utility (included with GNAT Pro Ada) is useful here; - it generates empty package bodies ("stubs") from a software design's - top-level API (package specs). + * The Ada and SPARK languages (and thus the GNAT Pro Ada and SPARK Pro + toolsuites directly support this requirement. Relevant + features include packages, child libraries, subunits, private types, + tasking, and object-oriented programming (tagged types). The + :index:`GNATstub` utility (included with GNAT Pro Ada) is useful here; + it generates empty package bodies ("stubs") from a software design's + top-level API (package specs). Software design method {§5.4.3.2} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -56,8 +56,8 @@ Software design method {§5.4.3.2} produce the static and dynamic architecture including: software elements, their interfaces and; software elements relationships." {§5.4.3.2a} - * Ada and SPARK are methodology agnostic and fully support both - object-oriented and functional styles. + * Ada and SPARK are methodology agnostic and fully support both + object-oriented and functional styles. Selection of a computational model for real-time software {§5.4.3.3} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -65,9 +65,9 @@ Selection of a computational model for real-time software {§5.4.3.3} * "The dynamic architecture design shall be described according to an analytical computational model." {§5.4.3.3a} - * The Ada and SPARK tasking facility supports a stylistic idiom - that is amenable to Rate Monotonic Analysis, allowing static - verification that real-time deadlines will be met. + * The Ada and SPARK tasking facility supports a stylistic idiom + that is amenable to Rate Monotonic Analysis, allowing static + verification that real-time deadlines will be met. Description of software behavior {§5.4.3.4} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -76,8 +76,8 @@ Description of software behavior {§5.4.3.4} by means of description techniques using automata and scenarios." {§5.4.3.4a} - * Ada and SPARK are appropriate target languages for tools that support - such techniques. + * Ada and SPARK are appropriate target languages for tools that support + such techniques. Development and documentation of the software interfaces {§5.4.3.5} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -86,10 +86,10 @@ Development and documentation of the software interfaces {§5.4.3.5} the interfaces external to the software item and between the software components of the software item." {§5.4.3.5a} - * The supplier can use the Ada / SPARK package facility to specify the - interfaces, both external and internal. The contract-based programming - features provide additional expressive power, allowing the specification - of pre- and postconditions for the subprograms comprising an interface. + * The supplier can use the Ada / SPARK package facility to specify the + interfaces, both external and internal. The contract-based programming + features provide additional expressive power, allowing the specification + of pre- and postconditions for the subprograms comprising an interface. Definition of methods and tools for software intended for reuse {§5.4.3.6} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -98,23 +98,23 @@ Definition of methods and tools for software intended for reuse {§5.4.3.6} apply these to the software engineering processes to comply with the reusability requirements for the software development." {§5.4.3.6a} - * Ada and SPARK facilitate reuse via the separate compilation semantics - (which allows "bottom-up" development by reusing existing libraries) - and the generic facility (which, for example, allows a module to be - defined in a general and type-independent fashion and then instantiated - with specific types as needed). The semantics for these features - enforces safe reuse: + * Ada and SPARK facilitate reuse via the separate compilation semantics + (which allows "bottom-up" development by reusing existing libraries) + and the generic facility (which, for example, allows a module to be + defined in a general and type-independent fashion and then instantiated + with specific types as needed). The semantics for these features + enforces safe reuse: - * All checks that are performed within a single compilation unit are - also enforced across separate compilation boundaries. + * All checks that are performed within a single compilation unit are + also enforced across separate compilation boundaries. - * A post-compilation pre-link check detects and prevents "version skew" - (building an executable where some compilation unit depends on an - obsolescent version of another unit). + * A post-compilation pre-link check detects and prevents "version skew" + (building an executable where some compilation unit depends on an + obsolescent version of another unit). - * Unlike the situation with C++ templates, a type mismatch in an Ada - generic instantiation is detected and prevented at compile time, - ensuring consistency between the instantiation and the generic unit. + * Unlike the situation with C++ templates, a type mismatch in an Ada + generic instantiation is detected and prevented at compile time, + ensuring consistency between the instantiation and the generic unit. .. index:: single: ECSS-E-ST-40C compliance; §5.5 Software design and implementation engineering process @@ -130,18 +130,18 @@ Detailed design of each software component {§5.5.2.1} * "The supplier shall develop a detailed design for each component of the software and document it." {§5.5.2.1a} - * Ada / SPARK features, including packages and child units, - and thus GNAT Pro for Ada and SPARK Pro, help meet - this requirement. The contract-based programming feature (e.g., - pre- and postconditions) allows the supplier to express low-level - requirements as part of the software architecture, facilitating - the low-level design of algorithms. + * Ada / SPARK features, including packages and child units, + and thus GNAT Pro for Ada and SPARK Pro, help meet + this requirement. The contract-based programming feature (e.g., + pre- and postconditions) allows the supplier to express low-level + requirements as part of the software architecture, facilitating + the low-level design of algorithms. * "Each software component shall be refined into lower levels containing software units that can be coded, compiled, and tested." {§5.5.2.1b} - * Relevant Ada / SPARK features include packages, child units, and - subunits. + * Relevant Ada / SPARK features include packages, child units, and + subunits. Development and documentation of the software interfaces detailed design {§5.5.2.2} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -151,11 +151,11 @@ Development and documentation of the software interfaces detailed design {§5.5. the software units, in order to allow coding without requiring further information." {§5.5.2.2a} - * Ada / SPARK features, including packages and child units, - and thus SPARK Pro and GNAT Pro for Ada, help meet this - requirement. The contract-based programming feature (e.g., pre- and - postconditions) allows the supplier to express low-level requirements as - part of the interfaces, facilitating the implementation of algorithms. + * Ada / SPARK features, including packages and child units, + and thus SPARK Pro and GNAT Pro for Ada, help meet this + requirement. The contract-based programming feature (e.g., pre- and + postconditions) allows the supplier to express low-level requirements as + part of the interfaces, facilitating the implementation of algorithms. Production of the detailed design model {§5.5.2.3} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -164,9 +164,9 @@ Production of the detailed design model {§5.5.2.3} components defined during the software architectural design, including their static, dynamic and behavioural aspects." {§5.5.2.3a} - * Ada / SPARK features such as packages, child units, and contract-based - programming, and thus SPARK Pro and GNAT Pro for Ada, help meet this - requirement. + * Ada / SPARK features such as packages, child units, and contract-based + programming, and thus SPARK Pro and GNAT Pro for Ada, help meet this + requirement. Software detail design method {§5.5.2.4} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -175,8 +175,8 @@ Software detail design method {§5.5.2.4} method) to produce the detailed design including: software units, their interfaces, and; (*sic*) software units relationships." {§5.5.2.4a} - * Ada and SPARK are methodology agnostic and fully support both - object-oriented and functional styles. + * Ada and SPARK are methodology agnostic and fully support both + object-oriented and functional styles. Detailed design of real-time software {§5.5.2.5} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -184,51 +184,51 @@ Detailed design of real-time software {§5.5.2.5} * "The dynamic design model shall be compatible with the computational model selected during the software architectural design model" {§5.5.2.5a} - * The Ada / SPARK tasking model allows a straightforward mapping from the - architectural design (where the system comprises a collection of tasks - that interact via protected shared resources) to the detailed design. + * The Ada / SPARK tasking model allows a straightforward mapping from the + architectural design (where the system comprises a collection of tasks + that interact via protected shared resources) to the detailed design. * "The supplier shall document and justify all timing and synchronization mechanisms" {§5.5.2.5b} - * The Ada / SPARK tasking model supplies the necessary timing and - synchronization support. + * The Ada / SPARK tasking model supplies the necessary timing and + synchronization support. * "The supplier shall document and justify all the design mutual exclusion mechanisms to manage access to the shared resources." {§5.5.2.5c} - * The Ada / SPARK tasking model supplies the necessary mutual exclusion - mechanisms (protected types/objects, pragma Atomic). - The protected type/object facility prevents certain kinds of race - conditions: in state-based mutual exclusion, the state of an object - cannot change between the time that a task evaluates the state - condition and when it executes the code based on that state. - Other race conditions can be detected by the Defects and Vulnerability - Analyzer in the GNAT Static Analysis Suite. + * The Ada / SPARK tasking model supplies the necessary mutual exclusion + mechanisms (protected types/objects, pragma Atomic). + The protected type/object facility prevents certain kinds of race + conditions: in state-based mutual exclusion, the state of an object + cannot change between the time that a task evaluates the state + condition and when it executes the code based on that state. + Other race conditions can be detected by the Defects and Vulnerability + Analyzer in the GNAT Static Analysis Suite. * "The supplier shall document and justify the use of dynamic allocation of resources." {§5.5.2.5d} - * Ada has a general and flexible mechanism for dynamic memory management, - including the ability of the programmer to specify the semantics of - allocation and deallocation within a storage pool. This can be used, - for example, to define a fragmentation-free strategy for memory - management with constant time for allocation and deallocation. The - latest version of SPARK includes a facility for safe pointers. + * Ada has a general and flexible mechanism for dynamic memory management, + including the ability of the programmer to specify the semantics of + allocation and deallocation within a storage pool. This can be used, + for example, to define a fragmentation-free strategy for memory + management with constant time for allocation and deallocation. The + latest version of SPARK includes a facility for safe pointers. * "The supplier shall ensure protection against problems that can be induced by the use of dynamic allocation of resources, e.g. memory leaks." {§5.5.2.5e} - * Ada includes a variety of mechanisms that assist in preventing dynamic - memory management issues. - The :ada:`No_Standard_Allocators_After_Elaboration` argument to - pragma :ada:`Restrictions` produces a run-time check that detects - attempts to perform allocations from a standard storage pool after - elaboration (initialization). Depending on the program structure, - static analysis by the GNAT Static Analysis Suite's Defect and - vulnerability Analyzer may be able to determine that this check - will never fail. + * Ada includes a variety of mechanisms that assist in preventing dynamic + memory management issues. + The :ada:`No_Standard_Allocators_After_Elaboration` argument to + pragma :ada:`Restrictions` produces a run-time check that detects + attempts to perform allocations from a standard storage pool after + elaboration (initialization). Depending on the program structure, + static analysis by the GNAT Static Analysis Suite's Defect and + vulnerability Analyzer may be able to determine that this check + will never fail. Utilization of description techniques for the software behaviour {§5.5.2.6} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -236,8 +236,8 @@ Utilization of description techniques for the software behaviour {§5.5.2.6} * "The behavioural design of the software units shall be described by means of techniques using automata and scenarios." {§5.5.2.6a} - * Ada and SPARK are appropriate target languages for tools that support - such techniques. + * Ada and SPARK are appropriate target languages for tools that support + such techniques. Coding and testing {§5.5.3} ~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -249,8 +249,8 @@ Development and documentation of the software units {§5.5.3.1} software unit; the build procedures to compile and link software units" {§5.5.3.1a} - * The GNAT Pro project and gprbuild facility automate the build process - and prevent "version skew". + * The GNAT Pro project and gprbuild facility automate the build process + and prevent "version skew". Software unit testing {§5.5.3.2} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -258,16 +258,16 @@ Software unit testing {§5.5.3.2} * "The supplier shall develop and document the test procedures and data for testing each software unit" {§5.5.3.2a} - * AdaCore's GNAT Dynamic Analysis Suite (see - :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can - assist in this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "The supplier shall test each software unit ensuring that it satisfies its requirements and document the test results." {§5.5.3.2b} - * AdaCore's GNAT Dynamic Analysis Suite (see - :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can - assist in this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "The unit test shall exercise: code using boundaries at *n-1*, *n*, *n+1* including looping instructions *while*, *for* and tests that use @@ -277,9 +277,9 @@ Software unit testing {§5.5.3.2} cause erroneous results in mathematical functions; the software at the limits of its requirements (stress testing)." {§5.5.3.2c} - * AdaCore's GNAT Dynamic Analysis Suite (see - :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can - assist in this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. Integration {§5.5.4} ~~~~~~~~~~~~~~~~~~~~ @@ -293,10 +293,10 @@ Software units and software component integration and testing {§5.5.4.2} the software item and that the software item is integrated at the conclusion of the integration activity." {§5.5.4.2a} - * AdaCore's GNAT Dynamic Analysis Suite (see - :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can - assist in this process, supplementing the GNAT Pro for Ada - compilation facilities. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process, supplementing the GNAT Pro for Ada + compilation facilities. .. index:: single: ECSS-E-ST-40C compliance; §5.6 Software validation process @@ -312,26 +312,26 @@ Development and documentation of a software validation specification with respec Control Document]), a set of tests, test cases (inputs, outputs, test criteria) and test procedures ...." {§5.6.3.1a} - * AdaCore's GNAT Pro Ada environment and GNAT Dynamic Analysis - Suite (see - :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can - support this process. + * AdaCore's GNAT Pro Ada environment and GNAT Dynamic Analysis + Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + support this process. * "Validation shall be performed by test." {§5.6.3.1b} - * AdaCore's GNAT Dynamic Analysis Suite (see - :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can - assist in this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "If it can be justified that validation by test cannot be performed, validation shall be performed by either analysis, inspection or review of design" {§5.6.3.1c} - * The Defects and Vulnerability Analyzer (see - :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in - the GNAT Static Analysis Suite and/or SPARK Pro may be able to - show that a run-time check will always succeed and that no test - case will trigger a failure. + * The Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite and/or SPARK Pro may be able to + show that a run-time check will always succeed and that no test + case will trigger a failure. Validation activities with respect to the requirements baseline {§5.6.4} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -344,25 +344,25 @@ Development and documentation of a software validation specification with respec Requirements Document]), a set of tests, test cases (inputs, outputs, test criteria) and test procedures ...." {§5.6.4.1a} - * AdaCore's GNAT Dynamic Analysis Suite (see - :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can - assist in this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "Validation shall be performed by test." {§5.6.4.1b} - * AdaCore's GNAT Dynamic Analysis Suite (see - :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can - assist in this process. + * AdaCore's GNAT Dynamic Analysis Suite (see + :ref:`Space_Systems_SW_GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can + assist in this process. * "If it can be justified that validation by test cannot be performed, validation shall be performed by either analysis, inspection or review of design” {§5.6.4.1c} - * The Defects and Vulnerability Analyzer (see - :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in - the GNAT Static Analysis Suite and/or SPARK Pro may be able to - show that a run-time check will always succeed and that no test - case will trigger a failure. + * The Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite and/or SPARK Pro may be able to + show that a run-time check will always succeed and that no test + case will trigger a failure. .. index:: single: ECSS-E-ST-40C compliance; §5.7 Software delivery and acceptance process @@ -379,8 +379,8 @@ Executable code generation and installation {§5.7.3.3} configuration managed source code components and its installation on the target environment." {§5.7.3.3a} - * The GNAT Pro project and gprbuild facility can assist in the build - and installation process. + * The GNAT Pro project and gprbuild facility can assist in the build + and installation process. .. index:: single: ECSS-E-ST-40C compliance; §5.8 Software verification process @@ -424,102 +424,102 @@ Verification of code {§5.8.3.5} result in runtime errors; 8. the effects of any residual runtime errors are controlled through error handling." {§5.8.3.5a} - * SPARK (and GNATprove) help meet criterion 1. - * Ada's strong typing and interface checks (and thus GNAT Pro for Ada) - help meet criterion 2. - * For criterion 3, the Defects and Vulnerability Analyzer (see - :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in - the GNAT Static Analysis Suite and/or SPARK Pro can help verify - correctness, and the GNATcheck utility included in the GNAT - Static Analysis Suite (see :ref:`Space_Systems_SW_GNATcheck`) - can enforce conformance with a coding standard. - * For criterion 5, Ada's strong typing and interface checks, as well as - SPARK and GNATprove, can help show consistent interfaces and correct - data flow. - * The Defects and Vulnerability Analyzer (see - :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in - the GNAT Static Analysis Suite, SPARK Pro, and the standard - semantic checks performed by the GNAT Pro compiler can help meet - criterion 6. - * The GNAT Static Analysis Suite and SPARK / GNATprove can statically - detect potential run-time errors and thereby help meet criterion 7. - * Ada's exception handling facility can help meet criterion 8. + * SPARK (and GNATprove) help meet criterion 1. + * Ada's strong typing and interface checks (and thus GNAT Pro for Ada) + help meet criterion 2. + * For criterion 3, the Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite and/or SPARK Pro can help verify + correctness, and the GNATcheck utility included in the GNAT + Static Analysis Suite (see :ref:`Space_Systems_SW_GNATcheck`) + can enforce conformance with a coding standard. + * For criterion 5, Ada's strong typing and interface checks, as well as + SPARK and GNATprove, can help show consistent interfaces and correct + data flow. + * The Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite, SPARK Pro, and the standard + semantic checks performed by the GNAT Pro compiler can help meet + criterion 6. + * The GNAT Static Analysis Suite and SPARK / GNATprove can statically + detect potential run-time errors and thereby help meet criterion 7. + * Ada's exception handling facility can help meet criterion 8. * "The supplier shall verify that the following code coverage is achieved: - .. csv-table:: + .. csv-table:: :file: table-source-coverage-vs-criticality.csv :header-rows: 1 :widths: 50, 10, 10, 10, 10 - Note: 'TBA' means that the value is to be agreed with the customer and - measured as per |Q-ST-80C| clause 6.3.5.2." {§5.8.3.5b} + Note: 'TBA' means that the value is to be agreed with the customer and + measured as per |Q-ST-80C| clause 6.3.5.2." {§5.8.3.5b} - * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) - in the GNAT Dynamic Analysis Suite can help meet this - requirement. + * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) + in the GNAT Dynamic Analysis Suite can help meet this + requirement. * "The supplier shall measure code coverage by analysis of the results of the execution of tests." {§5.8.3.5c} - * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) - in the GNAT Dynamic Analysis Suite can help meet this - requirement. + * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) + in the GNAT Dynamic Analysis Suite can help meet this + requirement. * "If it can be justified that the required percentage cannot be achieved by test execution, then analysis, inspection or review of design shall be applied to the non-covered code." {§5.8.3.5d} - * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) - in the GNAT Dynamic Analysis Suite can help meet this - requirement. + * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) + in the GNAT Dynamic Analysis Suite can help meet this + requirement. * "In case the traceability between source code and object code cannot be verified, the supplier shall perform additional code coverage analysis on object code level as follows: - .. csv-table:: + .. csv-table:: :file: table-object-coverage-vs-criticality.csv :header-rows: 1 :widths: 50, 10, 10, 10, 10 - Note: 'N/A' means not applicable. + Note: 'N/A' means not applicable. - Note: The use of some compiler optimization options can make the - traceability between source code and object code not possible." {§5.8.3.5e} + Note: The use of some compiler optimization options can make the + traceability between source code and object code not possible." {§5.8.3.5e} - * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) - in the GNAT Dynamic Analysis Suite can help meet this - requirement. + * The GNATcoverage tool (see :ref:`Space_Systems_SW_GNATcoverage`) + in the GNAT Dynamic Analysis Suite can help meet this + requirement. - * AdaCore can prepare an analysis of traceability between source and object - code; the company has provided this to customers in connection with - certification under the DO-178C/ED-12C standard for airborne software for - the commercial aviation industry. + * AdaCore can prepare an analysis of traceability between source and object + code; the company has provided this to customers in connection with + certification under the DO-178C/ED-12C standard for airborne software for + the commercial aviation industry. * "The supplier shall verify source code robustness. AIM: use static analysis for the errors that are difficult to detect at run-time." {§5.8.3.5f} - * Errors such as division by zero, null pointer dereferencing, array - indices out of bounds, and many others are flagged at run-time by - raising an exception. Effective practice is to keep these checks - enabled during development and then, after verifying either statically - or through sufficient testing that the run-time checks are not needed, - disable the checks in the final code for maximal efficiency. + * Errors such as division by zero, null pointer dereferencing, array + indices out of bounds, and many others are flagged at run-time by + raising an exception. Effective practice is to keep these checks + enabled during development and then, after verifying either statically + or through sufficient testing that the run-time checks are not needed, + disable the checks in the final code for maximal efficiency. - * The Defects and Vulnerability Analyzer (see - :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in - the GNAT Static Analysis Suite will detect such errors as well as - many others, including suspicious constructs that, although - legitimate Ada, are likely logic errors. + * The Defects and Vulnerability Analyzer (see + :ref:`Space_Systems_SW_Defects_and_Vulnerability_Analyzer`) in + the GNAT Static Analysis Suite will detect such errors as well as + many others, including suspicious constructs that, although + legitimate Ada, are likely logic errors. - * SPARK Pro will enforce the SPARK subset and can be used to - demonstrate absence of run-time errors. + * SPARK Pro will enforce the SPARK subset and can be used to + demonstrate absence of run-time errors. - * The GNATstack tool in GNAT Pro computes the potential maximum stack usage for - each task in a program. Combining the result with a separate analysis - showing the maximal depth of recursion, the developer can allocate - sufficient stack space for program execution and prevent stack overflow. + * The GNATstack tool in GNAT Pro computes the potential maximum stack usage for + each task in a program. Combining the result with a separate analysis + showing the maximal depth of recursion, the developer can allocate + sufficient stack space for program execution and prevent stack overflow. Schedulability analysis for real-time software {§5.8.3.11} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -531,8 +531,8 @@ Schedulability analysis for real-time software {§5.8.3.11} perform a schedulability analysis and prove that the design is feasible." {§5.8.3.11a} - * The Ada Ravenscar profile restricts the tasking model to enable precise - schedulability analysis, including Rate-Monotonic Analysis (RMA). + * The Ada Ravenscar profile restricts the tasking model to enable precise + schedulability analysis, including Rate-Monotonic Analysis (RMA). .. index:: single: ECSS-E-ST-40C compliance; §5.9 Software operation process @@ -549,18 +549,18 @@ Problem handling procedures definition {§5.9.2.3} receiving, recording, resolving, tracking problems, and providing feedback." {§5.9.2.3a} - * In the event that a product problem is due to a defect in an AdaCore tool - (e.g., a code generation bug), AdaCore has a rigorous QA process for - responding to and resolving such issues. The "sustained branch" service, - which is included with a GNAT Pro Assurance subscription, helps by - ensuring that a specific version of the toolchain is maintained over - the lifetime of the supplier's project. + * In the event that a product problem is due to a defect in an AdaCore tool + (e.g., a code generation bug), AdaCore has a rigorous QA process for + responding to and resolving such issues. The "sustained branch" service, + which is included with a GNAT Pro Assurance subscription, helps by + ensuring that a specific version of the toolchain is maintained over + the lifetime of the supplier's project. * "The SOS entity shall ensure that information regarding problems that can have an impact on security is protected." {§5.9.2.3b} - * AdaCore's internal processes for maintaining sensitive data help to meet - this criterion. + * AdaCore's internal processes for maintaining sensitive data help to meet + this criterion. Software operation support {§5.9.4} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -571,10 +571,10 @@ Problem handling {§5.9.4.2} * "Encountered problems shall be recorded and handled in accordance with the applicable procedures." {§5.9.4.2a} - * As described above in connection with clause 5.9.2.3, AdaCore's QA - process, and more specifically the GNAT Pro Assurance sustained branch - service with its management of Known Problems, can help meet this - requirement when an issue arises that is due to an AdaCore tool. + * As described above in connection with clause 5.9.2.3, AdaCore's QA + process, and more specifically the GNAT Pro Assurance sustained branch + service with its management of Known Problems, can help meet this + requirement when an issue arises that is due to an AdaCore tool. Vulnerabilities in operations {§5.9.4.3} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -585,9 +585,9 @@ Vulnerabilities in operations {§5.9.4.3} purposes even when evaluated not relevant to the security of the system." {§5.9.4.3a} - * The ability to express security-related requirements as contracts in the - Ada source code, with run-time checks when needed, helps to meet - criterion 1. + * The ability to express security-related requirements as contracts in the + Ada source code, with run-time checks when needed, helps to meet + criterion 1. User support §5.9.5 ~~~~~~~~~~~~~~~~~~~ @@ -599,9 +599,9 @@ Provisions of work-around solutions {§5.9.5.3} permanent solution can be released, the SOS entity shall give to the originator of the problem report the option to use it." {§5.9.5.3a} - * As part of the GNAT Pro Assurance sustained branch service, AdaCore - can supply work-arounds to critical problems prior to releasing - a permanent solution. + * As part of the GNAT Pro Assurance sustained branch service, AdaCore + can supply work-arounds to critical problems prior to releasing + a permanent solution. .. index:: single: ECSS-E-ST-40C compliance; §5.10 Software maintenance process @@ -618,9 +618,9 @@ Long term maintenance for flight software {§5.10.2.2} solutions to be able to implement and upload modifications to the spacecraft up to its end of life." {§5.10.2.2a} - * AdaCore's "sustained branch" service, which is included with a GNAT Pro - Assurance subscription, in effect means that the compilation environment - will receive support and not become obsolescent. + * AdaCore's "sustained branch" service, which is included with a GNAT Pro + Assurance subscription, in effect means that the compilation environment + will receive support and not become obsolescent. Modification implementation {§5.10.4} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -633,16 +633,16 @@ Invoking of software engineering processes for modification implementation {§5. modifications, using the tailoring applied during the development of the software." {§5.10.4.3a} - * The Ada and SPARK languages have specific features that support the design - of modular, maintainable software with high cohesion and low coupling. - These include encapsulation (private types, separation of specification - from implementation), hierarchical child libraries, and object-oriented - programming (tagged types). By exploiting these features and utilizing - GNAT Pro for Ada and SPARK Pro, the developer - can localize the impact of maintenance changes. + * The Ada and SPARK languages have specific features that support the design + of modular, maintainable software with high cohesion and low coupling. + These include encapsulation (private types, separation of specification + from implementation), hierarchical child libraries, and object-oriented + programming (tagged types). By exploiting these features and utilizing + GNAT Pro for Ada and SPARK Pro, the developer + can localize the impact of maintenance changes. - * The GNAT Static and Dynamic Analysis Suites can ensure that any modifications - meet the verification criteria applicable to the original software. + * The GNAT Static and Dynamic Analysis Suites can ensure that any modifications + meet the verification criteria applicable to the original software. .. index:: single: ECSS-E-ST-40C compliance; §5.11 Software security process diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst index 45f732bae..3def5d018 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst @@ -25,13 +25,13 @@ Quality requirements and quality models {§5.2.7} * "Quality models shall be used to specify the software quality requirements" {§5.2.7.1a} - * The GNATmetric tool (see :ref:`Space_Systems_SW_GNATmetric`) in - the GNAT Static Analysis Suite can show quality metrics related - to the source code structure. + * The GNATmetric tool (see :ref:`Space_Systems_SW_GNATmetric`) in + the GNAT Static Analysis Suite can show quality metrics related + to the source code structure. - * The GNATdashboard IDE tool (see - :ref:`Space_Systems_SW_GNATdashboard`) can display software - quality data. + * The GNATdashboard IDE tool (see + :ref:`Space_Systems_SW_GNATdashboard`) can display software + quality data. Tools and supporting environment {§5.6} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -43,9 +43,9 @@ Methods and tools {§5.6.1} ... shall be identified by the supplier and agreed by the customer" {§5.6.1.1a} - * The GNAT Pro for Ada environment and any supplemental tools that are - selected (e.g., GNAT Static and Dynamic Analysis Suites, SPARK Pro) - should be listed. + * The GNAT Pro for Ada environment and any supplemental tools that are + selected (e.g., GNAT Static and Dynamic Analysis Suites, SPARK Pro) + should be listed. * "The choice of development methods and tools shall be justified by demonstrating through testing or documented assessment that ... the tools @@ -57,24 +57,24 @@ Methods and tools {§5.6.1} of the product as determined by the security analysis and as defined in the software security management plan" {§5.6.1.2a} - * AdaCore can make available a variety of documentation showing - that the selected tools are "appropriate for the functional and - operational characteristics of the product", ranging from user - manuals to qualification material relative to other - high-assurance software standards such as |do-178c| - :footcite:p:`Space_SW_RTCA_EUROCAE_2011a` and |en-50128| - :footcite:p:`Space_SW_CENELEC_2020b`. - - * AdaCore's "sustained branch" service for its GNAT Pro for Ada - Assurance product (see - :ref:`Space_Systems_SW_Sustained_Branches`) can guarantee that - the toolchain is maintained throughout the product lifetime. - - * AdaCore's SPARK Pro environment (see - :ref:`Space_Systems_SW_Static_Verification_SPARK_Pro`) can be - used to demonstrate security properties such as correct - information flows and, for software at the highest security - levels, compliance with formally specified requirements. + * AdaCore can make available a variety of documentation showing + that the selected tools are "appropriate for the functional and + operational characteristics of the product", ranging from user + manuals to qualification material relative to other + high-assurance software standards such as |do-178c| + :footcite:p:`Space_SW_RTCA_EUROCAE_2011a` and |en-50128| + :footcite:p:`Space_SW_CENELEC_2020b`. + + * AdaCore's "sustained branch" service for its GNAT Pro for Ada + Assurance product (see + :ref:`Space_Systems_SW_Sustained_Branches`) can guarantee that + the toolchain is maintained throughout the product lifetime. + + * AdaCore's SPARK Pro environment (see + :ref:`Space_Systems_SW_Static_Verification_SPARK_Pro`) can be + used to demonstrate security properties such as correct + information flows and, for software at the highest security + levels, compliance with formally specified requirements. Development environment selection {§5.6.2} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -94,15 +94,15 @@ Development environment selection {§5.6.2} directives." {§5.6.2.1a} - * AdaCore tools directly satisfy these criteria. The availability of - qualification material for specific tools (GNATcheck, - GNATprove, GNATstack) contributes to criterion 6, and the - "sustained branch" service for GNAT Pro for Ada Assurance supports - criteria 4, 7 and 10. AdaCore tools come with source code and - flexible licensing, mitigating the issues noted in criteria 11 and 12. - The GNAT Static Analysis Suite, SPARK, and the GNATfuzz tool in - the GNAT Dynamic Analysis Suite facilitate - demonstrating the relevant security properties (criteria 13 and 14). + * AdaCore tools directly satisfy these criteria. The availability of + qualification material for specific tools (GNATcheck, + GNATprove, GNATstack) contributes to criterion 6, and the + "sustained branch" service for GNAT Pro for Ada Assurance supports + criteria 4, 7 and 10. AdaCore tools come with source code and + flexible licensing, mitigating the issues noted in criteria 11 and 12. + The GNAT Static Analysis Suite, SPARK, and the GNATfuzz tool in + the GNAT Dynamic Analysis Suite facilitate + demonstrating the relevant security properties (criteria 13 and 14). .. index:: single: ECSS-Q-ST-80C compliance; §6 Software process assurance @@ -125,26 +125,26 @@ Handling of critical software {§6.2.3} use of dynamic code verification techniques." {§6.2.3.2a} - * Ada's pragma :ada:`Restrictions` and pragma :ada:`Profile`, - together with the GNAT Static Analysis Suite tool GNATcheck, can - enforce a coding standard for Ada (in effect a 'safe - subset'). See :ref:`Space_Systems_SW_GNAT_Pro_Enterprise` and - :ref:`Space_Systems_SW_GNATcheck`. + * Ada's pragma :ada:`Restrictions` and pragma :ada:`Profile`, + together with the GNAT Static Analysis Suite tool GNATcheck, can + enforce a coding standard for Ada (in effect a 'safe + subset'). See :ref:`Space_Systems_SW_GNAT_Pro_Enterprise` and + :ref:`Space_Systems_SW_GNATcheck`. - * The SPARK language serves as a safe subset of full Ada, and a formal - design language for formal proof. + * The SPARK language serves as a safe subset of full Ada, and a formal + design language for formal proof. - * SPARK Pro uses proof technology that can demonstrate a program's - conformance with formally specified requirements. + * SPARK Pro uses proof technology that can demonstrate a program's + conformance with formally specified requirements. - * GNATcoverage can report code coverage up to MC/DC at the source level. + * GNATcoverage can report code coverage up to MC/DC at the source level. - * The Defects and Vulnerability Analyzer in the GNAT Static Analysis Suite - can detect unreachable code, including deactivated code. + * The Defects and Vulnerability Analyzer in the GNAT Static Analysis Suite + can detect unreachable code, including deactivated code. - * The Ada language and the GNAT Pro Ada development environment allow - contracts to be verified either statically or with run-time checks and - thus facilitate dynamic code verification. + * The Ada language and the GNAT Pro Ada development environment allow + contracts to be verified either statically or with run-time checks and + thus facilitate dynamic code verification. Verification {§6.2.6} ^^^^^^^^^^^^^^^^^^^^^ @@ -159,8 +159,8 @@ Verification {§6.2.6} ensure that the deactivated code cannot be activated or that its accidental activation cannot harm the operation of the system." {§6.2.6.5a} - * The Defects and Vulnerability Analyzer in the GNAT Static Analysis Suite - can detect unreachable code, including deactivated code. + * The Defects and Vulnerability Analyzer in the GNAT Static Analysis Suite + can detect unreachable code, including deactivated code. Software security {§6.2.9} ^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -218,31 +218,31 @@ Coding {§6.3.4} * "Coding standards (including security, consistent naming conventions and adequate commentary rules) shall be specified and observed." {§6.3.4.1a} - * Ada's :ada:`Restrictions` and :ada:`Profile` pragmas, together - with AdaCore’s GNATcheck tool (see section - :ref:`Space_Systems_SW_GNATcheck`), can define and enforce a - coding standard. + * Ada's :ada:`Restrictions` and :ada:`Profile` pragmas, together + with AdaCore’s GNATcheck tool (see section + :ref:`Space_Systems_SW_GNATcheck`), can define and enforce a + coding standard. - * The SPARK language can serve as a coding standard. + * The SPARK language can serve as a coding standard. * "The tools to be used in implementing and checking conformance with coding standards shall be identified in the product assurance plan before coding activities start." {§6.3.4.3a} - * GNATcheck and SPARK Pro are relevant tools for this activity. + * GNATcheck and SPARK Pro are relevant tools for this activity. * "The supplier shall define measurements, criteria and tools to ensure that the software code meets the quality and security requirements." {§6.3.4.6a} - * The GNATmetric tool (see :ref:`Space_Systems_SW_GNATmetric`) can - be used to report quality data related to the source code - structure. + * The GNATmetric tool (see :ref:`Space_Systems_SW_GNATmetric`) can + be used to report quality data related to the source code + structure. * "Synthesis of the code analysis results and corrective actions implemented shall be described in the software product assurance reports." {§6.3.4.7a} - * GNATdashboard (see :ref:`Space_Systems_SW_GNATdashboard`) can be - used to synthesize and summarize code quality metrics. + * GNATdashboard (see :ref:`Space_Systems_SW_GNATdashboard`) can be + used to synthesize and summarize code quality metrics. Testing and validation {§6.3.5} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -252,52 +252,52 @@ Testing and validation {§6.3.5} specification, validation against the requirements baseline, acceptance), ...." {§6.3.5.1a} - * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) - can help meet this requirement for unit testing. + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement for unit testing. * "Based on the dependability and safety criticality, and the security sensitivity of the software, test coverage goals for each testing level shall be agreed between the customer and the supplier and their achievement monitored by metrics ...." {§6.3.5.2a) - * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) - can help meet this requirement. + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement. * "Test coverage shall be checked with respect to the stated goals." {§6.3.5.5a} - * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) - can help meet this requirement. + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement. * "The test coverage of configurable code shall be checked to ensure that the stated requirements are met in each tested configuration." {§6.3.5.7a} - * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) - can help meet this requirement. + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement. * "Test tool development or acquisition ... shall be planned for in the overall project plan." {§6.3.5.24a} - * The tools in AdaCore's GNAT Dynamic Analysis Suite (GNATtest, - GNATcoverage, GNATfuzz) are candidates for consideration in test tool - acquisition. + * The tools in AdaCore's GNAT Dynamic Analysis Suite (GNATtest, + GNATcoverage, GNATfuzz) are candidates for consideration in test tool + acquisition. * "Software containing deactivated code shall be validated specifically to ensure that the deactivated code cannot be activated or that its accidental activation cannot harm the operation of the system." {§6.3.5.30a} - * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) - can help meet this requirement by detecting non-covered code that is - intended (and can be categorized) as deactivated. + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement by detecting non-covered code that is + intended (and can be categorized) as deactivated. * "Software containing configurable code shall be validated specifically to ensure that unintended configuration cannot be activated at run time or included during code generation". {§6.3.5.31a} - * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) - can help meet this requirement by detecting configurable code that, - because of incorrect configuration settings, was unintentionally included - during code generation. + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement by detecting configurable code that, + because of incorrect configuration settings, was unintentionally included + during code generation. Maintenance {§6.3.9} ^^^^^^^^^^^^^^^^^^^^ @@ -310,17 +310,17 @@ Maintenance {§6.3.9} maintenance. 8. maintenance records and reports." {§6.3.9.4a} - * The "sustained branch" service of AdaCore's GNAT Pro Assurance product - can help meet this requirement. + * The "sustained branch" service of AdaCore's GNAT Pro Assurance product + can help meet this requirement. * "Maintenance records shall be established for each software product ...." {§6.3.9.7a} - * AdaCore's ticket system, which is part of the standard support in all - product subscriptions, provides an audit trail for problem reports / - resolution. - * The "sustained branch" service includes special maintenance - accommodation for dealing with problems that relate to software safety. + * AdaCore's ticket system, which is part of the standard support in all + product subscriptions, provides an audit trail for problem reports / + resolution. + * The "sustained branch" service includes special maintenance + accommodation for dealing with problems that relate to software safety. .. index:: single: ECSS-Q-ST-80C compliance; §7 Software product quality assurance @@ -337,13 +337,13 @@ Assurance activities for product quality requirements {§7.1.3} meets the quality requirements as specified in the technical specification" {§7.1.3a} - * Any of AdaCore's tools could potentially contribute to meeting this - requirement, depending on the nature of the metrics that have been - defined, and the GNATdashboard tool can integrate the metrics - in a meaningful way. + * Any of AdaCore's tools could potentially contribute to meeting this + requirement, depending on the nature of the metrics that have been + defined, and the GNATdashboard tool can integrate the metrics + in a meaningful way. - * Use of the SPARK language, and formal demonstration of absence of - runtime errors, support this requirement. + * Use of the SPARK language, and formal demonstration of absence of + runtime errors, support this requirement. Basic metrics {§7.1.5} ^^^^^^^^^^^^^^^^^^^^^^ @@ -352,8 +352,8 @@ Basic metrics {§7.1.5} (design, code); fault density and failure intensity; test coverage; number of failures." {§7.1.5a} - * The GNATmetric, GNATtest, and GNATcoverage tools in the GNAT Dynamic Analysis - Suite directly help to meet this requirement. + * The GNATmetric, GNATtest, and GNATcoverage tools in the GNAT Dynamic Analysis + Suite directly help to meet this requirement. Product quality requirements {§7.2} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -363,23 +363,23 @@ Design and related documentation {§7.2.2} * "The software shall be designed to facilitate testing." {§7.2.2.2a} - * The Ada language encourages and supports the use of sound software - engineering principles such as modular design and structured programming, - which makes the code easier to test. + * The Ada language encourages and supports the use of sound software + engineering principles such as modular design and structured programming, + which makes the code easier to test. - * The contract facility in Ada and SPARK supports verification by both - static analysis and testing. + * The contract facility in Ada and SPARK supports verification by both + static analysis and testing. * "Software with a long planned lifetime shall be designed with minimum dependency on the operating system and the hardware in order to aid portability." {§7.2.2.3a} - * The Ada language has abstracted away the specifics of the underlying - operating system and hardware through standard syntax and semantics for - features such as concurrency, memory management, exception handling, - and I/O. As a result, Ada programs can often be ported across different - processor architectures and operating systems by simply recompiling, - with minimal or no source code changes needed. + * The Ada language has abstracted away the specifics of the underlying + operating system and hardware through standard syntax and semantics for + features such as concurrency, memory management, exception handling, + and I/O. As a result, Ada programs can often be ported across different + processor architectures and operating systems by simply recompiling, + with minimal or no source code changes needed. Test and validation documentation {§7.2.3} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -394,11 +394,11 @@ Test and validation documentation {§7.2.3} drawn up documenting or referring to the verification activities performed." {§7.2.3.6a} - * In many cases where verification cannot be achieved by testing, - SPARK Pro may be able to provide convincing alternative verification - evidence (for example, a robustness demonstration by proof that an - out-of-range or otherwise non-valid input will never be passed to - the unit being verified). + * In many cases where verification cannot be achieved by testing, + SPARK Pro may be able to provide convincing alternative verification + evidence (for example, a robustness demonstration by proof that an + out-of-range or otherwise non-valid input will never be passed to + the unit being verified). Compliance Summary diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst index 4f17f6cbc..6e6356196 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst @@ -56,53 +56,53 @@ general-purpose language (unlike languages like Java, it does not require garbage collection), and it is not tied to any specific development methodology. It offers: - * a simple syntax designed for human readability; - * structured control statements; - * flexible data composition facilities; - * strong type checking; - * traditional features for code modularization (“sub­programs”); - * standard support for "programming in the large" and module reuse, - including packages, Object-Oriented Programming, hierarchical - package namespace ("child libraries"), and generic templates; - * a mechanism for detecting and responding to exceptional run-time - conditions ("exception handling"); and - * high-level concurrency support ("tasking") along with a deterministic - subset (the Ravenscar profile) appropriate in applications that need - to meet high-assurance certification / qualification requirements - and/or small footprint constraints. +* a simple syntax designed for human readability; +* structured control statements; +* flexible data composition facilities; +* strong type checking; +* traditional features for code modularization (“sub­programs”); +* standard support for "programming in the large" and module reuse, + including packages, Object-Oriented Programming, hierarchical + package namespace ("child libraries"), and generic templates; +* a mechanism for detecting and responding to exceptional run-time + conditions ("exception handling"); and +* high-level concurrency support ("tasking") along with a deterministic + subset (the Ravenscar profile) appropriate in applications that need + to meet high-assurance certification / qualification requirements + and/or small footprint constraints. The language standard also includes: - * an extensive predefined environment with support for I/O, string - handling, math functions, containers, and more; - * a standard mechanism for interfacing with other programming languages - (such as C and C++); and - * specialized needs annexes for functionality in several domains (Systems - Programming, Real-Time Systems, Distributed Systems, Numerics, - Information Systems, and High-Integrity Systems). +* an extensive predefined environment with support for I/O, string + handling, math functions, containers, and more; +* a standard mechanism for interfacing with other programming languages + (such as C and C++); and +* specialized needs annexes for functionality in several domains (Systems + Programming, Real-Time Systems, Distributed Systems, Numerics, + Information Systems, and High-Integrity Systems). Source code portability was a key goal for Ada. The challenge for a programming language is to define the semantics in a platform-independent manner but not sacrifice run-time efficiency. Ada achieves this in several ways. - * Ada provides a high-level model for concurrency (tasking), memory - management, and exception handling, with standard semantics across - all platforms. The language's dynamic semantics can be mapped to the - most efficient services provided by the target environment. - * The developer can express the logical properties of a type (such as - integer range, floating-point precision, and record fields/types) - in a machine-independent fashion, which the compiler can then map - to an efficient underlying representation. - * The physical representation of data structures (layout, alignment, - and addresses) is sometimes specified by system requirements. Ada - allows this to be defined in the program logic but separated from - target-independent properties for ease of maintenance. - * Platform-specific characteristics such as machine word size are - encapsulated in an API, so that references to these values are through - a standard syntax. Likewise, Ada defines a standard type :ada:`Address` - and associated operations, again facilitating the portability of - low-level code. +* Ada provides a high-level model for concurrency (tasking), memory + management, and exception handling, with standard semantics across + all platforms. The language's dynamic semantics can be mapped to the + most efficient services provided by the target environment. +* The developer can express the logical properties of a type (such as + integer range, floating-point precision, and record fields/types) + in a machine-independent fashion, which the compiler can then map + to an efficient underlying representation. +* The physical representation of data structures (layout, alignment, + and addresses) is sometimes specified by system requirements. Ada + allows this to be defined in the program logic but separated from + target-independent properties for ease of maintenance. +* Platform-specific characteristics such as machine word size are + encapsulated in an API, so that references to these values are through + a standard syntax. Likewise, Ada defines a standard type :ada:`Address` + and associated operations, again facilitating the portability of + low-level code. .. index:: single: Ada language; Background diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst index 4afd07c05..63c0d61b8 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst @@ -192,66 +192,66 @@ the SPARK language, together with the following: * |E-ST-40C| - * §5.4 Software requirements and architecture engineering process + * §5.4 Software requirements and architecture engineering process - * §5.4.3 Software architecture design + * §5.4.3 Software architecture design - * §5.5 Software design and implementation engineering process + * §5.5 Software design and implementation engineering process - * §5.5.2 Design of software items + * §5.5.2 Design of software items - * §5.6 Software validation process + * §5.6 Software validation process - * §5.6.3 Validation activities with respect to the technical - specification - * §5.6.4 Validation activities with respect to the requirements - baseline + * §5.6.3 Validation activities with respect to the technical + specification + * §5.6.4 Validation activities with respect to the requirements + baseline - * §5.8 Software verification process + * §5.8 Software verification process - * §5.8.3 Verification activities + * §5.8.3 Verification activities - * §5.10 Software maintenance process + * §5.10 Software maintenance process - * §5.10.4 Modification implementation + * §5.10.4 Modification implementation - * §5.11 Software security process + * §5.11 Software security process - * §5.11.2 Process implementation + * §5.11.2 Process implementation - * §5.11.3 Software security analysis + * §5.11.3 Software security analysis - * §5.11.5 Security activities in the software life cycle + * §5.11.5 Security activities in the software life cycle * Annex U - Software code verification * ECSS-Q-ST-80C - * §5.6 Tools and supporting environment + * §5.6 Tools and supporting environment - * §5.6.1 Methods and tools + * §5.6.1 Methods and tools - * §5.6.2 Development environment selection + * §5.6.2 Development environment selection - * §6.2 Requirements applicable to all software engineering processes + * §6.2 Requirements applicable to all software engineering processes - * §6.2.3 Handling of critical software + * §6.2.3 Handling of critical software - * §6.2.9 Software security + * §6.2.9 Software security - * §6.2.10 Handling of security sensitive software + * §6.2.10 Handling of security sensitive software - * §6.3 Requirements applicable to individual software engineering processes or activities + * §6.3 Requirements applicable to individual software engineering processes or activities - * §6.3.4 Coding + * §6.3.4 Coding - * §7.1 Product quality objectives and metrication + * §7.1 Product quality objectives and metrication - * §7.1.3 Assurance activities for product quality requirements + * §7.1.3 Assurance activities for product quality requirements - * §7.2 Product quality requirements + * §7.2 Product quality requirements - * §7.2.3 Test and validation documentation + * §7.2.3 Test and validation documentation Details are provided in chapters :ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and @@ -585,9 +585,9 @@ these are the relevant sections of the two standards: * ECSS-Q-ST-80C - * §5.6 Tools and supporting environment + * §5.6 Tools and supporting environment - * §5.6.2 Development environment selection + * §5.6.2 Development environment selection .. index:: GNAT Pro for Rust @@ -741,71 +741,71 @@ these are the relevant sections of the two standards: * |E-ST-40C| - * §5.4 Software requirements and architecture engineering process + * §5.4 Software requirements and architecture engineering process - * §5.4.3 Software architecture design + * §5.4.3 Software architecture design - * §5.5 Software design and implementation engineering process + * §5.5 Software design and implementation engineering process - * §5.5.2 Design of software items - * §5.5.3 Coding and testing - * §5.5.4 Integration + * §5.5.2 Design of software items + * §5.5.3 Coding and testing + * §5.5.4 Integration - * §5.7 Software delivery and acceptance process + * §5.7 Software delivery and acceptance process - * §5.7.3 Software acceptance + * §5.7.3 Software acceptance - * §5.8 Software verification process + * §5.8 Software verification process - * §5.8.3 Verification activities + * §5.8.3 Verification activities - * §5.9 Software operation process + * §5.9 Software operation process - * §5.9.2 Process implementation + * §5.9.2 Process implementation - * §5.10 Software maintenance process + * §5.10 Software maintenance process - * §5.10.2 Process implementation - * §5.10.4 Modification implementation + * §5.10.2 Process implementation + * §5.10.4 Modification implementation - * §5.11 Software security process + * §5.11 Software security process - * §5.11.2 Process implementation + * §5.11.2 Process implementation - * §5.11.3 Software security analysis + * §5.11.3 Software security analysis - * §5.11.5 Security analysis in the software lifecycle + * §5.11.5 Security analysis in the software lifecycle - * Annex U - Source code verification + * Annex U - Source code verification - * Verification check 12 (memory leaks) + * Verification check 12 (memory leaks) * |Q-ST-80C| - * §5.2 Software product assurance programme management + * §5.2 Software product assurance programme management - * §5.2.7 Quality requirements and quality models + * §5.2.7 Quality requirements and quality models - * §5.6 Tools and supporting environments + * §5.6 Tools and supporting environments - * §5.6.1 Methods and tools - * §5.6.2 Development environment selection + * §5.6.1 Methods and tools + * §5.6.2 Development environment selection - * §6.2 Requirements applicable to all software engineering processes + * §6.2 Requirements applicable to all software engineering processes - * §6.2.3 Handling of critical software - * §6.2.6 Verification - * §6.2.9 Software security + * §6.2.3 Handling of critical software + * §6.2.6 Verification + * §6.2.9 Software security - * §6.3 Requirements applicable to individual processes or activities + * §6.3 Requirements applicable to individual processes or activities - * §6.3.4 Coding - * §6.3.9 Maintenance + * §6.3.4 Coding + * §6.3.9 Maintenance - * §7.1 Product quality objectives and metrication + * §7.1 Product quality objectives and metrication - * §7.1.3 Assurance objectives for product quality requirements - * §7.1.5 Basic metrics + * §7.1.3 Assurance objectives for product quality requirements + * §7.1.5 Basic metrics AdaCore's ZFP (Zero Footprint) minimal run-time library (superseded by the Light run-time in current |gnatpro| releases) on LEON2 ELF has @@ -885,47 +885,47 @@ these are the relevant sections of the two standards: * ECSS-E-ST-40C - * §5.5 Software design and implementation engineering process + * §5.5 Software design and implementation engineering process - * §5.5.2 Design of software items + * §5.5.2 Design of software items - * §5.6 Software validation process + * §5.6 Software validation process - * §5.6.3 Validation activities with respect to the technical specification - * §5.6.4 Validation activities with respect to the requirements baseline + * §5.6.3 Validation activities with respect to the technical specification + * §5.6.4 Validation activities with respect to the requirements baseline - * §5.8 Software verification process + * §5.8 Software verification process - * §5.8.3 Verification activities + * §5.8.3 Verification activities - * §5.10 Software maintenance process + * §5.10 Software maintenance process - * §5.10.4 Modification implementation + * §5.10.4 Modification implementation - * §5.11 Software security process + * §5.11 Software security process - * §5.11.2 Process implementation - * §5.11.3 Software security analysis - * §5.11.5 Software analysis in the software life cycle + * §5.11.2 Process implementation + * §5.11.3 Software security analysis + * §5.11.5 Software analysis in the software life cycle - * Annex U - Software code verification + * Annex U - Software code verification * ECSS-Q-ST-80C - * §5.6. Tools and supporting environment + * §5.6. Tools and supporting environment - * §5.6.1 Methods and tools - * §5.6.2 Development environment selection + * §5.6.1 Methods and tools + * §5.6.2 Development environment selection - * §6.2 Requirements applicable to all software engineering processes + * §6.2 Requirements applicable to all software engineering processes - * §6.2.3 Handling of critical software - * §6.2.6 Verification - * §6.2.9 Software security + * §6.2.3 Handling of critical software + * §6.2.6 Verification + * §6.2.9 Software security - * §7.1 Product quality objectives and metrication + * §7.1 Product quality objectives and metrication - * §7.1.3 Assurance activities for product quality requirements + * §7.1.3 Assurance activities for product quality requirements .. index:: single: GNAT Static Analysis Suite (GNAT SAS); GNATmetric .. index:: GNATmetric @@ -953,25 +953,25 @@ summary: * ECSS-E-ST-40C - * §5.10 Software maintenance process + * §5.10 Software maintenance process - * §5.10.4 Modification implementation + * §5.10.4 Modification implementation * ECSS-Q-ST-80C - * §5.2 Software product assurance programme management + * §5.2 Software product assurance programme management - * §5.2.7 Quality requirements and quality models + * §5.2.7 Quality requirements and quality models - * §6.3 Requirements applicable to individual software engineering processes or activities + * §6.3 Requirements applicable to individual software engineering processes or activities - * §6.3.4 Coding + * §6.3.4 Coding - * §7.1 Product quality objectives and metrication + * §7.1 Product quality objectives and metrication - * §7.1.3 Assurance activities for product quality requirements + * §7.1.3 Assurance activities for product quality requirements - * §7.1.5 Basic metrics + * §7.1.5 Basic metrics .. index:: GNATcheck .. index:: single: GNAT Static Analysis Suite (GNAT SAS); GNATcheck @@ -1048,39 +1048,39 @@ these are the relevant sections of the two standards: * §5.8.3.4 Verification of the software detailed design - * §5.10 Software maintenance process + * §5.10 Software maintenance process - * §5.10.4 Modification implementation + * §5.10.4 Modification implementation - * §5.11 Software security process + * §5.11 Software security process - * §5.11.2 Process implementation - * §5.11.3 Software security analysis - * §5.11.5 Software analysis in the software life cycle + * §5.11.2 Process implementation + * §5.11.3 Software security analysis + * §5.11.5 Software analysis in the software life cycle * Annex U - Software code verification - * Verification check 3 (infinite loops) - * Verification check 4 (misuse of arithmetic and logical operators) + * Verification check 3 (infinite loops) + * Verification check 4 (misuse of arithmetic and logical operators) * ECSS-Q-ST-80C - * §5.6 Tools and supporting environment + * §5.6 Tools and supporting environment - * §5.6.2 Development environment selection + * §5.6.2 Development environment selection - * §6.2 Requirements applicable to all software engineering processes + * §6.2 Requirements applicable to all software engineering processes - * §6.2.3 Handling of critical software + * §6.2.3 Handling of critical software - * §6.3 Requirements applicable to individual software engineering processes or activities + * §6.3 Requirements applicable to individual software engineering processes or activities - * §6.3.4 Coding + * §6.3.4 Coding - * §7.1 Product quality objectives and metrication + * §7.1 Product quality objectives and metrication - * §7.1.3 Assurance activities for product quality requirements + * §7.1.3 Assurance activities for product quality requirements .. index:: GNAT Dynamic Analysis Suite (GNAT DAS) @@ -1250,57 +1250,57 @@ these are the relevant sections of the two standards: * ECSS-E-ST-40C - * §5.5 Software design and implementation engineering process + * §5.5 Software design and implementation engineering process - * §5.5.3 Coding and testing - * §5.5.4 Integration + * §5.5.3 Coding and testing + * §5.5.4 Integration - * §5.6 Software validation process + * §5.6 Software validation process - * §5.6.3 Validation activities with respect to the technical - specification - * §5.6.4 Validation activities with respect to the requirements - baseline + * §5.6.3 Validation activities with respect to the technical + specification + * §5.6.4 Validation activities with respect to the requirements + baseline - * §5.8 Software verification process + * §5.8 Software verification process - * §5.8.3 Verification activities + * §5.8.3 Verification activities - * §5.10 Software maintenance process + * §5.10 Software maintenance process - * §5.10.4 Modification implementation + * §5.10.4 Modification implementation - * §5.11 Software security process + * §5.11 Software security process - * §5.11.2 Process implementation - * §5.11.3 Software security analysis - * §5.11.5 Security analysis in the software lifecycle + * §5.11.2 Process implementation + * §5.11.3 Software security analysis + * §5.11.5 Security analysis in the software lifecycle * ECSS-Q-ST-80C - * §5.6 Tools and supporting environment + * §5.6 Tools and supporting environment - * §5.6.1 Methods and tools - * §5.6.2 Development environment selection + * §5.6.1 Methods and tools + * §5.6.2 Development environment selection - * §6.2 Requirements applicable to all software engineering processes + * §6.2 Requirements applicable to all software engineering processes - * §6.2.3 Handling of critical software - * §6.2.9 Software security + * §6.2.3 Handling of critical software + * §6.2.9 Software security - * §6.3 Requirements applicable to individual software engineering processes - or activities + * §6.3 Requirements applicable to individual software engineering processes + or activities - * §6.3.5 Testing and validation + * §6.3.5 Testing and validation - * §7.1 Product quality objectives and metrication + * §7.1 Product quality objectives and metrication - * §7.1.3 Assurance activities for product quality requirements - * §7.1.5 Basic metrics + * §7.1.3 Assurance activities for product quality requirements + * §7.1.5 Basic metrics - * §7.2 Product quality requirements + * §7.2 Product quality requirements - * §7.2.3 Test and validation documents + * §7.2.3 Test and validation documents .. index:: single: AdaCore; Support and expertise From 606647b539e1b96aa3659101919a33e0b085ba7e Mon Sep 17 00:00:00 2001 From: gusthoff Date: Fri, 27 Mar 2026 23:26:49 +0100 Subject: [PATCH 10/12] Replace superscript markers with RST footnotes in verification table The "Verification Support" table in the Software code verification section used inline :superscript:`*`, :superscript:`**`, and :superscript:`***` roles as ad-hoc footnote markers, with matching :superscript: paragraphs below the table acting as footnote text. This is replaced with proper RST/docutils footnote syntax: - Table cells now use [#rtcheck]_, [#stcheck]_, and [#memleak]_ footnote references. - The footnote text is defined with .. [#rtcheck], .. [#stcheck], and .. [#memleak] directives immediately below the table. Docutils renders these as linked superscript numbers: clicking a marker in the table jumps to the footnote definition, and a backlink returns to the reference site. Co-Authored-By: Claude Sonnet 4.6 --- .../chapters/compliance-e40c.rst | 76 +++++++++---------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst index 60b448d86..b451c120f 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -767,21 +767,21 @@ technologies help meet these requirements: +-------------------------+---------------------------------------------------------------+----------------------------------------+ | Verification check # | Technology | Explanation | +=========================+===============================================================+========================================+ - | 1 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | 1 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check [#rtcheck]_ | | +---------------------------------------------------------------+----------------------------------------+ | | SPARK language, SPARK Pro | Static check | | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 2 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | 2 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check [#rtcheck]_ | | +---------------------------------------------------------------+----------------------------------------+ | | SPARK language, SPARK Pro | Static check | | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 3 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | 3 | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | | +---------------------------------------------------------------+----------------------------------------+ | | GNATcheck (in GNAT Static Analysis Suite) | User-defined rule | @@ -796,7 +796,7 @@ technologies help meet these requirements: | 5 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | | | SPARK language, SPARK Pro | | | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ | 6 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | @@ -805,62 +805,62 @@ technologies help meet these requirements: | 7 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | | | SPARK language, SPARK Pro | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 8 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | 8 | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 9 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | 9 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check [#rtcheck]_ | | +---------------------------------------------------------------+----------------------------------------+ | | SPARK language, SPARK Pro | Static check | | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ | 10 | SPARK language, SPARK Pro | Static check | | +---------------------------------------------------------------+----------------------------------------+ - | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 11 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | 11 | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 12 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | 12 | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | | +---------------------------------------------------------------+----------------------------------------+ - | | Ada Language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`***` | + | | Ada Language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check [#memleak]_ | | +---------------------------------------------------------------+----------------------------------------+ | | GNATstack (for preventing stack overflow) | Static check | +-------------------------+---------------------------------------------------------------+----------------------------------------+ | 13 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | | | SPARK language, SPARK Pro | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ - | 14 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | 14 | Defects and Vulnerability Analyzer | Static check [#stcheck]_ | | | (in GNAT Static Analysis Suite) | | +-------------------------+---------------------------------------------------------------+----------------------------------------+ -:superscript:`*` Depending on the source code, the GNAT Pro compiler may be -able to guarantee that the check will always succeed and can thus avoid -generating run-time code to detect violations. - -:superscript:`**` The static checks can result in false alarms -("false positives"), but the user can calibrate the tool to control the -tradeoff between soundness (no false negatives) and precision (minimization -of false positives). - -:superscript:`***` Exhausting dynamic memory raises the :ada:`Storage_Error` -exception at run time. Ada does not require a general garbage collector for -storage reclamation, but several techniques can be used to prevent storage -leaks: - -* Ensure, through analysis or testing, that dynamic allocations occur only - during startup ("elaboration time") and not thereafter. -* Reclaim storage explicitly through Ada's :ada:`Unchecked_Deallocation` - and ensure, through analysis or testing, that this does not create - dangling references. -* Define a memory pool for a pointer type ("access type") so that allocations - of objects for that type only use that storage area, and through analysis - or testing demonstrate that the pool is never exhausted. Ada's memory pool - facility can be used to implement a reference counting strategy (for - non-cyclic data structures) with automatic reclamation. +.. [#rtcheck] Depending on the source code, the GNAT Pro compiler may be + able to guarantee that the check will always succeed and can thus avoid + generating run-time code to detect violations. + +.. [#stcheck] The static checks can result in false alarms + ("false positives"), but the user can calibrate the tool to control the + tradeoff between soundness (no false negatives) and precision (minimization + of false positives). + +.. [#memleak] Exhausting dynamic memory raises the :ada:`Storage_Error` + exception at run time. Ada does not require a general garbage collector for + storage reclamation, but several techniques can be used to prevent storage + leaks: + + * Ensure, through analysis or testing, that dynamic allocations occur only + during startup ("elaboration time") and not thereafter. + * Reclaim storage explicitly through Ada's :ada:`Unchecked_Deallocation` + and ensure, through analysis or testing, that this does not create + dangling references. + * Define a memory pool for a pointer type ("access type") so that allocations + of objects for that type only use that storage area, and through analysis + or testing demonstrate that the pool is never exhausted. Ada's memory pool + facility can be used to implement a reference counting strategy (for + non-cyclic data structures) with automatic reclamation. Compliance Summary ------------------ From e535e20efcd0b73353d930e952048b96c6619d48 Mon Sep 17 00:00:00 2001 From: gusthoff Date: Fri, 27 Mar 2026 23:42:47 +0100 Subject: [PATCH 11/12] Replace quoted terms with italics in space systems booklet Quotes should only be used when a term is referred to in the bibliography. Introduced technical terms, Ada/SPARK language concepts, and domain vocabulary should use italic markup instead. The following terms were converted from "term" to *term* across all four chapters: compliance-e40c.rst: stubs, bottom-up, version skew, sustained branch, false positives, elaboration time, access type. compliance-q80c.rst: sustained branch. tools.rst: V (diagram/chart), false alarms, Bare-Metal, known problems, sustained branch, tool tips, visible. programming.rst: programming in the large, child libraries, exception handling, tasking, IRTAW, information hiding, child units, instantiation, tagged type, finalization, task, protected object, raw bits, aspects, false negatives, false positives, false alarms, ghost, sweet spots, all or nothing. The following quoted terms were intentionally left unchanged: "Ada Restrictions", "Dangerous Software Errors", "CWE-Compatible", "Silver", "minimize the trusted computing base", the proper noun "Ada" in its historical naming sentence, and verbatim quotations from ECSS standards. Co-Authored-By: Claude Sonnet 4.6 --- .../chapters/compliance-e40c.rst | 18 ++++----- .../chapters/compliance-q80c.rst | 8 ++-- .../chapters/programming.rst | 40 +++++++++---------- .../chapters/tools.rst | 20 +++++----- 4 files changed, 43 insertions(+), 43 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst index b451c120f..7e1b370ee 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -46,7 +46,7 @@ Transformation of software requirements into a software architecture {§5.4.3.1} features include packages, child libraries, subunits, private types, tasking, and object-oriented programming (tagged types). The :index:`GNATstub` utility (included with GNAT Pro Ada) is useful here; - it generates empty package bodies ("stubs") from a software design's + it generates empty package bodies (*stubs*) from a software design's top-level API (package specs). Software design method {§5.4.3.2} @@ -99,7 +99,7 @@ Definition of methods and tools for software intended for reuse {§5.4.3.6} reusability requirements for the software development." {§5.4.3.6a} * Ada and SPARK facilitate reuse via the separate compilation semantics - (which allows "bottom-up" development by reusing existing libraries) + (which allows *bottom-up* development by reusing existing libraries) and the generic facility (which, for example, allows a module to be defined in a general and type-independent fashion and then instantiated with specific types as needed). The semantics for these features @@ -108,7 +108,7 @@ Definition of methods and tools for software intended for reuse {§5.4.3.6} * All checks that are performed within a single compilation unit are also enforced across separate compilation boundaries. - * A post-compilation pre-link check detects and prevents "version skew" + * A post-compilation pre-link check detects and prevents *version skew* (building an executable where some compilation unit depends on an obsolescent version of another unit). @@ -250,7 +250,7 @@ Development and documentation of the software units {§5.5.3.1} {§5.5.3.1a} * The GNAT Pro project and gprbuild facility automate the build process - and prevent "version skew". + and prevent *version skew*. Software unit testing {§5.5.3.2} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -551,7 +551,7 @@ Problem handling procedures definition {§5.9.2.3} * In the event that a product problem is due to a defect in an AdaCore tool (e.g., a code generation bug), AdaCore has a rigorous QA process for - responding to and resolving such issues. The "sustained branch" service, + responding to and resolving such issues. The *sustained branch* service, which is included with a GNAT Pro Assurance subscription, helps by ensuring that a specific version of the toolchain is maintained over the lifetime of the supplier's project. @@ -618,7 +618,7 @@ Long term maintenance for flight software {§5.10.2.2} solutions to be able to implement and upload modifications to the spacecraft up to its end of life." {§5.10.2.2a} - * AdaCore's "sustained branch" service, which is included with a GNAT Pro + * AdaCore's *sustained branch* service, which is included with a GNAT Pro Assurance subscription, in effect means that the compilation environment will receive support and not become obsolescent. @@ -842,7 +842,7 @@ technologies help meet these requirements: generating run-time code to detect violations. .. [#stcheck] The static checks can result in false alarms - ("false positives"), but the user can calibrate the tool to control the + (*false positives*), but the user can calibrate the tool to control the tradeoff between soundness (no false negatives) and precision (minimization of false positives). @@ -852,11 +852,11 @@ technologies help meet these requirements: leaks: * Ensure, through analysis or testing, that dynamic allocations occur only - during startup ("elaboration time") and not thereafter. + during startup (*elaboration time*) and not thereafter. * Reclaim storage explicitly through Ada's :ada:`Unchecked_Deallocation` and ensure, through analysis or testing, that this does not create dangling references. - * Define a memory pool for a pointer type ("access type") so that allocations + * Define a memory pool for a pointer type (*access type*) so that allocations of objects for that type only use that storage area, and through analysis or testing demonstrate that the pool is never exhausted. Ada's memory pool facility can be used to implement a reference counting strategy (for diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst index 3def5d018..6cdbcd766 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst @@ -65,7 +65,7 @@ Methods and tools {§5.6.1} :footcite:p:`Space_SW_RTCA_EUROCAE_2011a` and |en-50128| :footcite:p:`Space_SW_CENELEC_2020b`. - * AdaCore's "sustained branch" service for its GNAT Pro for Ada + * AdaCore's *sustained branch* service for its GNAT Pro for Ada Assurance product (see :ref:`Space_Systems_SW_Sustained_Branches`) can guarantee that the toolchain is maintained throughout the product lifetime. @@ -97,7 +97,7 @@ Development environment selection {§5.6.2} * AdaCore tools directly satisfy these criteria. The availability of qualification material for specific tools (GNATcheck, GNATprove, GNATstack) contributes to criterion 6, and the - "sustained branch" service for GNAT Pro for Ada Assurance supports + *sustained branch* service for GNAT Pro for Ada Assurance supports criteria 4, 7 and 10. AdaCore tools come with source code and flexible licensing, mitigating the issues noted in criteria 11 and 12. The GNAT Static Analysis Suite, SPARK, and the GNATfuzz tool in @@ -310,7 +310,7 @@ Maintenance {§6.3.9} maintenance. 8. maintenance records and reports." {§6.3.9.4a} - * The "sustained branch" service of AdaCore's GNAT Pro Assurance product + * The *sustained branch* service of AdaCore's GNAT Pro Assurance product can help meet this requirement. * "Maintenance records shall be established for each software product ...." @@ -319,7 +319,7 @@ Maintenance {§6.3.9} * AdaCore's ticket system, which is part of the standard support in all product subscriptions, provides an audit trail for problem reports / resolution. - * The "sustained branch" service includes special maintenance + * The *sustained branch* service includes special maintenance accommodation for dealing with problems that relate to software safety. .. index:: single: ECSS-Q-ST-80C compliance; §7 Software product quality assurance diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst index 6e6356196..b481e7465 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst @@ -61,12 +61,12 @@ methodology. It offers: * flexible data composition facilities; * strong type checking; * traditional features for code modularization (“sub­programs”); -* standard support for "programming in the large" and module reuse, +* standard support for *programming in the large* and module reuse, including packages, Object-Oriented Programming, hierarchical - package namespace ("child libraries"), and generic templates; + package namespace (*child libraries*), and generic templates; * a mechanism for detecting and responding to exceptional run-time - conditions ("exception handling"); and -* high-level concurrency support ("tasking") along with a deterministic + conditions (*exception handling*); and +* high-level concurrency support (*tasking*) along with a deterministic subset (the Ravenscar profile) appropriate in applications that need to meet high-assurance certification / qualification requirements and/or small footprint constraints. @@ -160,7 +160,7 @@ computer science courses, and it has also been the subject of significant research, especially in the area of real-time technologies. Throughout much of Ada's history, a worldwide group of experts from industry, academia, and government convened a biannual -meeting |mdash| the *International Real-Time Ada Workshop* ("IRTAW") +meeting |mdash| the *International Real-Time Ada Workshop* (*IRTAW*) |mdash| to focus on Ada's support for real-time software. The 1997 IRTAW in Ravenscar, UK, led directly to the definition of a subset of Ada's concurrency features with deterministic semantics |mdash| the @@ -300,10 +300,10 @@ Programming in the large ~~~~~~~~~~~~~~~~~~~~~~~~ The original |ada-83| design introduced the package construct, a feature -that supports encapsulation ("information hiding") and modularization, and +that supports encapsulation (*information hiding*) and modularization, and which allows the developer to control the namespace that is accessible within a given compilation unit. |ada-95| introduced the concept of -"child units", which provides a hierarchical and extensible namespace +*child units*, which provides a hierarchical and extensible namespace for library units and thus eases the design and maintenance of very large systems. @@ -322,7 +322,7 @@ A typical example is a data structure (e.g., a stack, FIFO queue, or varying-length array) for an arbitrary element type :ada:`T`, where each element of the data structure is of type :ada:`T`. For safety and efficiency, compile-time checks should enforce type safety -both within the parameterized module, and at each use ("instantiation"). +both within the parameterized module, and at each use (*instantiation*). Conceptually an instantiation can be regarded as an expansion of the parameterized module, with actual parameters replacing the formal parameters. However, the expansion @@ -359,11 +359,11 @@ would have interfered with predictable and efficient performance. However, large real-time systems often have components such as graphical user interfaces (GUIs) that do not have hard real-time constraints and that can be most effectively developed using OOP features. In part for this reason, -|ada-95| added comprehensive support for OOP, through its "tagged type" +|ada-95| added comprehensive support for OOP, through its *tagged type* facility: classes, polymorphism, inheritance, and dynamic binding. These features do not require automatic garbage collection; instead, definitional features introduced by |ada-95| allow the developer to supply -type-specific storage reclamation operations ("finalization"). +type-specific storage reclamation operations (*finalization*). |ada-2005| brought additional OOP features, including Java-like interfaces and traditional :ada:`X.P(...)` notation for invoking operation :ada:`P(...)` @@ -382,10 +382,10 @@ Concurrent programming ~~~~~~~~~~~~~~~~~~~~~~ Ada supplies a structured, high-level facility for concurrency. The unit of -concurrency is a program entity known as a "task". Tasks can communicate +concurrency is a program entity known as a *task*. Tasks can communicate implicitly via shared data or explicitly via a synchronous control mechanism known as the rendezvous. A shared data item can be defined -abstractly as a "protected object" (a feature introduced in |ada-95|), +abstractly as a *protected object* (a feature introduced in |ada-95|), with operations executed under mutual exclusion when invoked from multiple tasks. Protected objects provide the functionality of semaphores and condition variables but more clearly and reliably (e.g., avoiding subtle @@ -481,7 +481,7 @@ this is illustrated by a number of features, including: Data intended for one purpose will only be accessed via operations that are legal for that data item's type, so errors such as treating pointers as integers (or vice versa) are prevented. (Low-level code sometimes needs to - defeat the language's type checking; e.g., by treating "raw bits" as a + defeat the language's type checking; e.g., by treating *raw bits* as a value of a specific type. As a language that supports systems programming, Ada allows such usages but requires explicit syntax that makes the intent clear.) @@ -584,7 +584,7 @@ Ada and the ECSS Standards ~~~~~~~~~~~~~~~~~~~~~~~~~~ |E-ST-40C| covers software engineering practice, and |Q-ST-80C| covers -software product assurance, and both of these areas are "sweet spots" +software product assurance, and both of these areas are *sweet spots* that match Ada's strengths. Please see :ref:`Space_Systems_SW_Compliance_with_ECSS-E-ST-40C` and :ref:`Space_Systems_SW_Compliance_with_ECSS-Q-ST-80C` to learn how @@ -704,14 +704,14 @@ that may be unsafe, and most tasking features. A legal SPARK program has unambiguous semantics: its effect is precisely defined and does not depend on the implementation. This property helps ensure the soundness of static verification; i.e., the -absence of "false negatives". If the SPARK tools report that a program does +absence of *false negatives*. If the SPARK tools report that a program does not have a specific vulnerability, such as a reference to an uninitialized variable, then that conclusion can be trusted with mathematical certainty. Soundness builds confidence in the tools, provides evidence-based assurance, completely removes many classes of dangerous defects, and significantly simplifies subsequent verification effort (e.g., testing), owing to less rework. Moreover, the SPARK tools achieve soundness while keeping -"false positives" manageable. +*false positives* manageable. SPARK offers the flexibility of configuring the language on a per-project basis. Restrictions can be fine-tuned based on the relevant coding standards @@ -758,7 +758,7 @@ Here is an example of SPARK code: end Decrement; end Example; -The :ada:`with` constructs, known as "aspects", here define the +The :ada:`with` constructs, known as *aspects*, here define the :ada:`Decrement` procedure's contracts: * :ada:`Global`: the only access to non-local data is to read the value of @@ -811,7 +811,7 @@ automated tools. Levels of Adoption of Formal Methods ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Formal methods are not an "all or nothing" technique. It is possible and +Formal methods are not an *all or nothing* technique. It is possible and in fact advisable for an organization to introduce the methodology in a stepwise manner, with the ultimate level depending on the assurance requirements for the software. This approach is documented in @@ -843,7 +843,7 @@ uninitialized variables, no interference between parameters and global objects, no unintended access to global variables, and no race conditions on accesses to shared data. The costs include a conservative analysis of arrays (since indices may be computed at run time) and potential -"false alarms" that need to be inspected. +*false alarms* that need to be inspected. .. index:: single: SPARK language; Absence of run-time errors (AORTE) @@ -866,7 +866,7 @@ Gold level: Proof of key integrity properties At the Gold level, the proof tool will verify properties such as correctness of critical data invariants or safe transitions between program states. Subprogram pre- and postconditions and subtype predicates are especially -useful here, as is "ghost" code that serves only for verification and is not +useful here, as is *ghost* code that serves only for verification and is not part of the executable. A benefit is that the proofs can be used for safety case rationale, to replace certain kinds of testing. The cost is increased time for tool execution, and the possibility that some properties may be diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst index 63c0d61b8..036b9c006 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst @@ -17,18 +17,18 @@ in |E-ST-40C| and |Q-ST-80C|. AdaCore Tools and the Software Life Cycle ----------------------------------------- -The software life cycle is often depicted as a "V" diagram, and the figure below +The software life cycle is often depicted as a *V* diagram, and the figure below shows how AdaCore's major products fit into the various stages. Although the stages are rarely performed as a single sequential process |mdash| the phases typically involve feedback / iteration, and requirements often evolve as a -project unfolds |mdash| the "V" chart is useful in characterizing the various +project unfolds |mdash| the *V* chart is useful in characterizing the various kinds of activities that occur. .. figure:: ../images/v-diagram.png :align: center As can be seen in the figure, AdaCore's toolsuites apply towards the bottom -of the "V". In summary: +of the *V*. In summary: .. index:: single: SPARK Pro; Software life cycle .. index:: single: Software life cycle; SPARK Pro @@ -84,7 +84,7 @@ SPARK Pro is an advanced static analysis toolsuite for the SPARK subset of Ada, bringing mathematics-based confidence to the verification of critical code. Built around the GNATprove formal analysis and proof tool, SPARK Pro combines speed, flexibility, depth and soundness, while minimizing the -generation of "false alarms". It can be used for new high-assurance code +generation of *false alarms*. It can be used for new high-assurance code (including enhancements to or hardening of existing codebases at lower assurance levels, written in full Ada or other languages such as C) or projects where the existing high-assurance coding standard is sufficiently @@ -128,7 +128,7 @@ system is used: how are these to be evaluated or verified without the close (and probably expensive) cooperation of the COTS vendor? For the most critical embedded systems, SPARK supports the so-called -"Bare-Metal" development style, where SPARK code is running directly on a +*Bare-Metal* development style, where SPARK code is running directly on a target processor with little or no COTS libraries or operating system at all. SPARK is also designed to be compatible with GNAT Pro's Light run-time library. In a Bare-Metal / light run-time development, every byte of object @@ -396,7 +396,7 @@ GNAT Pro Assurance ~~~~~~~~~~~~~~~~~~ *GNAT Pro Assurance* extends GNAT Pro Enterprise with specialized support, -including bug fixes and "known problems" analyses, on a specific version of +including bug fixes and *known problems* analyses, on a specific version of the toolchain. This product edition is especially suitable for applications with long-lived maintenance cycles or assurance requirements, since critical updates to the compiler or other product components may become necessary @@ -410,7 +410,7 @@ years after the initial release. Sustained Branches ^^^^^^^^^^^^^^^^^^ -Unique to GNAT Pro Assurance is a service known as a "sustained branch": +Unique to GNAT Pro Assurance is a service known as a *sustained branch*: customized support and maintenance for a specific version of the product. A project on a sustained branch can monitor relevant known problems, analyze their impact and, if needed, update to a newer version of the @@ -613,7 +613,7 @@ professional and high-integrity Rust projects. Critical fixes to GNAT Pro for Rust are upstreamed to the Rust community, and critical fixes made by the community to upstream Rust tools are backported as needed to the GNAT Pro for Rust code base. Additionally, the Assurance -edition of GNAT Pro for Rust includes the "sustained branch" service +edition of GNAT Pro for Rust includes the *sustained branch* service (see :ref:`Space_Systems_SW_Sustained_Branches`) that strikes the balance between tool stability and project flexibility. @@ -661,7 +661,7 @@ appearance to be customized in the editor. GNAT Studio is intuitive to new users thanks to its menu-driven interface with extensive online help (including documentation on all the -menu selections) and "tool tips". The Project Wizard makes it simple to get +menu selections) and *tool tips*. The Project Wizard makes it simple to get started, supplying default values for almost all of the project properties. For experienced users, it offers the necessary level of control for advanced purposes; e.g., the ability to run command scripts. Anything that @@ -1101,7 +1101,7 @@ GNATtest The GNATtest tool helps create and maintain a complete unit testing infrastructure for complex projects. It captures the simple idea that each public subprogram (these are known as -"visible" subprograms in Ada) should have at least one corresponding +*visible* subprograms in Ada) should have at least one corresponding unit test. GNATtest takes a project file as input, and produces two outputs: * The complete harnessing code for executing all the unit tests under From d1f1ecab8d092d3cdb3d317185992fde4316b3c6 Mon Sep 17 00:00:00 2001 From: gusthoff Date: Fri, 27 Mar 2026 23:50:44 +0100 Subject: [PATCH 12/12] Fix broken cross-references to GNATtest and GNATfuzz in tools chapter Two occurrences of :index:`Space_Systems_SW_GNATtest` and :index:`Space_Systems_SW_GNATfuzz` in the TGen section were using the index role instead of the ref role, causing the raw label names to appear as visible text in the generated HTML. Replaced with :ref:`GNATtest ` and :ref:`GNATfuzz ` respectively, which render as proper hyperlinks to the corresponding sections. Co-Authored-By: Claude Sonnet 4.6 --- .../chapters/tools.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst index 036b9c006..448a037c8 100644 --- a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst @@ -1219,8 +1219,8 @@ TGen ~~~~ TGen is an experimental run-time library / marshalling technology that -can be used by :index:`Space_Systems_SW_GNATtest` and/or -:index:`Space_Systems_SW_GNATfuzz` to automate the production of test +can be used by :ref:`GNATtest ` and/or +:ref:`GNATfuzz ` to automate the production of test cases for Ada code. It performs type-specific low-level processing to generate test vectors for subprogram parameters, such as uniform value distribution for scalar types and analogous strategies for