From 4b70f62701f34bcb26822cde2d842583bcf4347f Mon Sep 17 00:00:00 2001 From: Fabien Chouteau Date: Mon, 16 Mar 2026 18:10:04 +0100 Subject: [PATCH] First version of the space systems software booklet --- .../chapters/abbreviations.csv | 29 + .../chapters/abbreviations.rst | 11 + .../chapters/compliance-e40c.rst | 884 +++++++++++ .../chapters/compliance-q80c.rst | 432 ++++++ .../chapters/introduction.rst | 550 +++++++ .../chapters/programming.rst | 1028 +++++++++++++ .../chapters/table-dva-cwe.csv | 18 + .../table-object-coverage-vs-criticality.csv | 2 + .../table-source-coverage-vs-criticality.csv | 4 + .../chapters/table-spark-cwe.csv | 22 + ...ble-technology-e40C-compliance-summary.csv | 10 + ...ble-technology-q80c-compliance-summary.csv | 11 + .../chapters/table-verification-support.csv | 32 + .../chapters/tools.rst | 1320 +++++++++++++++++ .../conf.ini | 5 + .../images/v-diagram.png | Bin 0 -> 30601 bytes .../images/v-diagram.pptx | Bin 0 -> 45131 bytes .../index.rst | 216 +++ .../references.bib | 265 ++++ content/global.txt | 16 + content/index.rst | 1 + 21 files changed, 4856 insertions(+) create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-dva-cwe.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-object-coverage-vs-criticality.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-source-coverage-vs-criticality.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-spark-cwe.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-e40C-compliance-summary.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-q80c-compliance-summary.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/table-verification-support.csv create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/conf.ini create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/images/v-diagram.png create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/images/v-diagram.pptx create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/index.rst create mode 100644 content/booklets/adacore-technologies-for-space-systems-software/references.bib diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.csv new file mode 100644 index 000000000..fec59f426 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.csv @@ -0,0 +1,29 @@ +Abbreviation,Expansion +API,Application Program Interface +AR,Acceptance Review +CDR,Critical Design Review +DDF,Design Definition File +DJF,Design Justification File +DRD,Document Requirements Definition +DRL,Document Requirements List +EAL,Evaluation Assurance Level +ECSS,European Cooperation for Space Standardization +ESA,European Space Agency +GCC,GNU Compiler Collection +GUI,Graphical User Interface +IDE,Integrated Development Environment +IRTAW,International Real-Time Ada Workshop +ISO,International Organization for Standardization +LSP,Liskov Substitution Principle +MF,Maintenance File +MGT,Management File +OP,Operational Plan +ORR,Operational Readiness Review +PAF,Product Assurance File +PDR,Preliminary Design Review +QR,Qualification Review +RB,Requirements Baseline +RTOS,Real-Time Operating Systems +SRR,System Requirements Review +TQL,Tool Qualification Level +TS,Technical Specification diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst new file mode 100644 index 000000000..574b84f8e --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/abbreviations.rst @@ -0,0 +1,11 @@ +.. include:: ../../../global.txt + +.. _Abbreviations: + +Abbreviations +============= + +.. csv-table:: + :file: abbreviations.csv + :header-rows: 1 + :widths: 20, 70 diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst new file mode 100644 index 000000000..b948571d0 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-e40c.rst @@ -0,0 +1,884 @@ +.. include:: ../../../global.txt + +.. _Compliance_with_ECSS-E-ST-40C: + +Compliance with ECSS-E-ST-40C +============================= + +The |E-ST-40C| standard is concerned with software engineering |mdash| +the principles and techniques underlying the production of code that is +reliable, safe, secure, readable, maintainable, portable and efficient. +These are the goals that drove the design of the Ada language (and its +SPARK subset), whose features assist in designing a modular and robust +system architecture and in preventing or detecting errors such as type +mismatches or buffer overruns that can arise in other languages. + +This chapter explains how Ada and SPARK, together with the relevant +AdaCore development and verification tools, can help a space software +supplier meet many of the requirements presented in |E-ST-40C|. The +section numbers in braces refer to the associated content in |E-ST-40C|. + +.. index:: single: ECSS-E-ST-40C compliance; §5.4 Software requirements and architecture engineering process + +Software requirements and architecture engineering process {§5.4} +----------------------------------------------------------------- + +Software architecture design {§5.4.3} ++++++++++++++++++++++++++++++++++++++ + +Transformation of software requirements into a software architecture {§5.4.3.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall transform the requirements for the software into an + architecture that describes the top-level structure; identifies the software + components, ensuring that all the requirements for the software item are + allocated to the software components and later refined to facilitate + detailed design; covers as a minimum hierarchy, dependency, interfaces and + operational usage for the software components; documents the process, data + and control aspects of the product; describes the architecture static + decomposition into software elements such as packages, classes or units; + describes the dynamic architecture, which involves the identification of + active objects such as threads, tasks and processes; describes the software + behavior." {§5.4.3.1a} + + * The Ada and SPARK languages (and thus the GNAT Pro Ada and SPARK Pro + toolsuites directly support this requirement. Relevant + features include packages, child libraries, subunits, private types, + tasking, and object-oriented programming (tagged types). The + :index:`GNATstub` utility (included with GNAT Pro Ada) is useful here; + it generates empty package bodies ("stubs") from a software design's + top-level API (package specs). + +Software design method {§5.4.3.2} +''''''''''''''''''''''''''''''''' + +* "The supplier shall use a method (e.g., object oriented or functional) to + produce the static and dynamic architecture including: software elements, + their interfaces and; software elements relationships." {§5.4.3.2a} + + * Ada and SPARK are methodology agnostic and fully support both + object-oriented and functional styles. + +Selection of a computational model for real-time software {§5.4.3.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The dynamic architecture design shall be described according to an + analytical computational model." {§5.4.3.3a} + + * The Ada and SPARK tasking facility supports a stylistic idiom + that is amenable to Rate Monotonic Analysis, allowing static + verification that real-time deadlines will be met. + +Description of software behavior {§5.4.3.4} +''''''''''''''''''''''''''''''''''''''''''' + +* "The software design shall also describe the behaviour of the software, + by means of description techniques using automata and scenarios." + {§5.4.3.4a} + + * Ada and SPARK are appropriate target languages for tools that support + such techniques. + +Development and documentation of the software interfaces {§5.4.3.5} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document a software preliminary design for + the interfaces external to the software item and between the software + components of the software item." {§5.4.3.5a} + + * The supplier can use the Ada / SPARK package facility to specify the + interfaces, both external and internal. The contract-based programming + features provide additional expressive power, allowing the specification + of pre- and postconditions for the subprograms comprising an interface. + +Definition of methods and tools for software intended for reuse {§5.4.3.6} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall define procedures, methods and tools for reuse, and + apply these to the software engineering processes to comply with the + reusability requirements for the software development." {§5.4.3.6a} + + * Ada and SPARK facilitate reuse via the separate compilation semantics + (which allows "bottom-up" development by reusing existing libraries) + and the generic facility (which, for example, allows a module to be + defined in a general and type-independent fashion and then instantiated + with specific types as needed). The semantics for these features + enforces safe reuse: + + * All checks that are performed within a single compilation unit are + also enforced across separate compilation boundaries. + + * A post-compilation pre-link check detects and prevents "version skew" + (building an executable where some compilation unit depends on an + obsolescent version of another unit). + + * Unlike the situation with C++ templates, a type mismatch in an Ada + generic instantiation is detected and prevented at compile time, + ensuring consistency between the instantiation and the generic unit. + +.. index:: single: ECSS-E-ST-40C compliance; §5.5 Software design and implementation engineering process + +Software design and implementation engineering process {§5.5} +------------------------------------------------------------- + +Design of software items {§5.5.2} ++++++++++++++++++++++++++++++++++ + +Detailed design of each software component {§5.5.2.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop a detailed design for each component of the + software and document it." {§5.5.2.1a} + + * Ada / SPARK features, including packages and child units, + and thus GNAT Pro for Ada and SPARK Pro, help meet + this requirement. The contract-based programming feature (e.g., + pre- and postconditions) allows the supplier to express low-level + requirements as part of the software architecture, facilitating + the low-level design of algorithms. + +* "Each software component shall be refined into lower levels containing + software units that can be coded, compiled, and tested." {§5.5.2.1b} + + * Relevant Ada / SPARK features include packages, child units, and + subunits. + +Development and documentation of the software interfaces detailed design {§5.5.2.2} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document a detailed design for the interfaces + external to the software items, between the software components, and between + the software units, in order to allow coding without requiring further + information." {§5.5.2.2a} + + * Ada / SPARK features, including packages and child units, + and thus SPARK Pro and GNAT Pro for Ada, help meet this + requirement. The contract-based programming feature (e.g., pre- and + postconditions) allows the supplier to express low-level requirements as + part of the interfaces, facilitating the implementation of algorithms. + +Production of the detailed design model {§5.5.2.3} +'''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall produce the detailed design model of the software + components defined during the software architectural design, including their + static, dynamic and behavioural aspects." {§5.5.2.3a} + + * Ada / SPARK features such as packages, child units, and contract-based + programming, and thus SPARK Pro and GNAT Pro for Ada, help meet this + requirement. + +Software detail design method {§5.5.2.4} +'''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall use a design method (e.g. object oriented or functional + method) to produce the detailed design including: software units, their + interfaces, and; (*sic*) software units relationships." {§5.5.2.4a} + + * Ada and SPARK are methodology agnostic and fully support both + object-oriented and functional styles. + +Detailed design of real-time software {§5.5.2.5} +'''''''''''''''''''''''''''''''''''''''''''''''' + +* "The dynamic design model shall be compatible with the computational model + selected during the software architectural design model" {§5.5.2.5a} + + * The Ada / SPARK tasking model allows a straightforward mapping from the + architectural design (where the system comprises a collection of tasks + that interact via protected shared resources) to the detailed design. + +* "The supplier shall document and justify all timing and synchronization + mechanisms" {§5.5.2.5b} + + * The Ada / SPARK tasking model supplies the necessary timing and + synchronization support. + +* "The supplier shall document and justify all the design mutual exclusion + mechanisms to manage access to the shared resources." {§5.5.2.5c} + + * The Ada / SPARK tasking model supplies the necessary mutual exclusion + mechanisms (protected types/objects, pragma Atomic). + The protected type/object facility prevents certain kinds of race + conditions: in state-based mutual exclusion, the state of an object + cannot change between the time that a task evaluates the state + condition and when it executes the code based on that state. + Other race conditions can be detected by the Defects and Vulnerability + Analyszer in the GNAT Static Analysis Suite. + +* "The supplier shall document and justify the use of dynamic allocation + of resources." {§5.5.2.5d} + + * Ada has a general and flexible mechanism for dynamic memory management, + including the ability of the programmer to specify the semantics of + allocation and deallocation within a storage pool. This can be used, + for example, to define a fragmentation-free strategy for memory + management with constant time for allocation and deallocation. The + latest version of SPARK includes a facility for safe pointers. + +* "The supplier shall ensure protection against problems that can be induced + by the use of dynamic allocation of resources, e.g. memory leaks." + {§5.5.2.5e} + + * Ada includes a variety of mechanisms that assist in preventing dynamic + memory management issues. + The :ada:`No_Standard_Allocators_After_Elaboration` argument to + pragma :ada:`Restrictions` produces a run-time check that detects + attempts to perform allocations from a standard storage pool after + elaboration (initialization). Depending on the program structure, + static analysis by the GNAT Static Analysis Suite's Defect and + vulnerability Analyzer may be able to determine that this check + will never fail. + +Utilization of description techniques for the software behaviour {§5.5.2.6} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The behavioural design of the software units shall be described by means + of techniques using automata and scenarios." {§5.5.2.6a} + + * Ada and SPARK are appropriate target languages for tools that support + such techniques. + +Coding and testing {§5.5.3} ++++++++++++++++++++++++++++ + +Development and documentation of the software units {§5.5.3.1} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document the following: the coding of each + software unit; the build procedures to compile and link software units" + {§5.5.3.1a} + + * The GNAT Pro project and gprbuild facility automate the build process + and prevent "version skew". + +Software unit testing {§5.5.3.2} +'''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document the test procedures and data + for testing each software unit" {§5.5.3.2a} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "The supplier shall test each software unit ensuring that it satisfies its + requirements and document the test results." {§5.5.3.2b} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "The unit test shall exercise: code using boundaries at *n-1*, *n*, *n+1* + including looping instructions *while*, *for* and tests that use + comparisons; all the messages and error cases defined in the design + document; the access of all global variables as specified in the design + document; out of range values for input data, including values that can + cause erroneous results in mathematical functions; the software at the + limits of its requirements (stress testing)." {§5.5.3.2c} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +Integration {§5.5.4} +++++++++++++++++++++ + +Software units and software component integration and testing {§5.5.4.2} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall integrate the software units and software components, + and test them, as the aggregates are developed, in accordance with the + integration plan, ensuring each aggregate satisfies the requirements of + the software item and that the software item is integrated at the conclusion + of the integration activity." {§5.5.4.2a} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process, supplementing the GNAT Pro for Ada compilation facilities. + +.. index:: single: ECSS-E-ST-40C compliance; §5.6 Software validation process + + +Validation activities with respect to the technical specification {§5.6.3} +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Development and documentation of a software validation specification with respect to the technical specification {§5.6.3.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document, for each requirement of the + software item in TS [Technical Specification] (including ICD [Interface + Control Document]), a set of tests, test cases (inputs, outputs, test + criteria) and test procedures ...." {§5.6.3.1a} + + * AdaCore's GNAT Pro Ada environment and GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can support + this process. + +* "Validation shall be performed by test." {§5.6.3.1b} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "If it can be justified that validation by test cannot be performed, + validation shall be performed by either analysis, inspection or review + of design" {§5.6.3.1c} + + * The Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite and/or SPARK Pro may be able to + show that a run-time check will always succeed and that no test case + will trigger a failure. + +Validation activities with respect to the requirements baseline {§5.6.4} +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Development and documentation of a software validation specification with respect to the requirements baseline {§5.6.4.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall develop and document, for each requirement of the + software item in RB [Requirements Baseline] (including IRD [Interface + Requirements Document]), a set of tests, test cases (inputs, outputs, + test criteria) and test procedures ...." {§5.6.4.1a} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "Validation shall be performed by test." {§5.6.4.1b} + + * AdaCore's GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) can assist in + this process. + +* "If it can be justified that validation by test cannot be performed, + validation shall be performed by either analysis, inspection or review + of design” {§5.6.4.1c} + + * The Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite and/or SPARK Pro may be able to + show that a run-time check will always succeed and that no test case + will trigger a failure. + +.. index:: single: ECSS-E-ST-40C compliance; §5.7 Software delivery and acceptance process + +Software delivery and acceptance process {§5.7} +----------------------------------------------- + +Software acceptance {§5.7.3} +++++++++++++++++++++++++++++ + +Executable code generation and installation {§5.7.3.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The acceptance shall include generation of the executable code from + configuration managed source code components and its installation on + the target environment." {§5.7.3.3a} + + * The GNAT Pro project and gprbuild facility can assist in the build + and installation process. + +.. index:: single: ECSS-E-ST-40C compliance; §5.8 Software verification process + +Software verification process {§5.8} +------------------------------------ + +Verification activities {§5.8.3} +++++++++++++++++++++++++++++++++ + +Verification of the software detailed design {§5.8.3.4} +''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall verify the software detailed design ensuring that: + ... 5. testing is feasible, by assessing that: (a) controllability + and observability features are identified and included in the detailed + design in order to prepare the effective testing of the performance + requirements; (b) computationally invariant properties and temporal + properties are added within the design; (c) fault injection is + possible. ... 7. the design is correct with respect to requirements + and interfaces, including safety, security, and other critical + requirements; 8. the design implements proper sequence of events, + inputs, outputs, interfaces, logic flow, allocation of timing and + sizing budgets, and error handling; ..." {§5.8.3.4a} + + * SPARK (and GNATprove) help meet criteria 5, 7, and 8. + +Verification of code {§5.8.3.5} +''''''''''''''''''''''''''''''' + +* "The supplier shall verify the software code ensuring at least that: + 1. the code is externally consistent with the requirements and design + of the software item; 2. there is internal consistency between + software units; 3. the code is traceable to design and requirements, + testable, correct, and in conformity to software requirements and coding + standards; 4. the code that is not traced to the units is justified; + 5. the code implements proper events sequences, consistent interfaces, + correct data and control flow, completeness, appropriate allocation + of timing and sizing budgets; 6. the code implements + safety, security, and other critical requirements correctly as shown by + appropriate methods; 7. the code is implemented in a way that it cannot + result in runtime errors; 8. the effects of any residual runtime errors + are controlled through error handling." {§5.8.3.5a} + + * SPARK (and GNATprove) help meet criterion 1. + * Ada's strong typing and interface checks (and thus GNAT Pro for Ada) + help meet criterion 2. + * For criterion 3, the Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite and/or SPARK Pro can help verify correctness, + and the GNATcheck utility included in the GNAT Static Analysis Suite + (see :ref:`GNATcheck`) can enforce conformance with a coding standard. + * For criterion 5, Ada's strong typing and interface checks,as well as + SPARK and GNATprove, can help show consistent interfaces and correct + data flow. + * The Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite, SPARK Pro, and the + standard semantic checks performed by the GNAT Pro compiler can help + meet criterion 6. + * The GNAT Static Analysis Suite and SPARK / GNATprove can statically + detect potential run-time errors and thereby help meet criterion 7. + * Ada's exception handling facility can help meet criterion 8. + +* "The supplier shall verify that the following code coverage is achieved: + + .. csv-table:: + :file: table-source-coverage-vs-criticality.csv + :header-rows: 1 + :widths: 50, 10, 10, 10, 10 + + Note: 'TBA' means that the value is to be agreed with the customer and + measured as per |Q-ST-80C| clause 6.3.5.2." {§5.8.3.5b} + + * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic + Analysis Suite can help meet this requirement. + +* "The supplier shall measure code coverage by analysis of the results of + the execution of tests." {§5.8.3.5c} + + * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic + Analysis Suite can help meet this requirement. + +* "If it can be justfied that the required percentage cannot be achieved + by test execution, then analysis, inspection or review of design shall be + applied to the non-covered code." {§5.8.3.5d} + + * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic + Analysis Suite can help meet this requirement. + +* "In case the traceability between source code and object code cannot be + verified, the supplier shall perform + additional code coverage analysis on object code level as follows: + + .. csv-table:: + :file: table-object-coverage-vs-criticality.csv + :header-rows: 1 + :widths: 50, 10, 10, 10, 10 + + Note: 'N/A' means not applicable. + + Note: The use of some compiler optimization options can make the + traceability between source code and object code not possible." {§5.8.3.5e} + + * The GNATcoverage tool (see :ref:`GNATcoverage`) in the GNAT Dynamic + Analysis Suite can help meet this requirement. + + * AdaCore can prepare an analysis of traceability between source and object + code; the company has provided this to customers in connection with + certification under the DO-178C/ED-12C standard for airborne software for + the commercial aviation industry. + +* "The supplier shall verify source code robustness. AIM: use static analysis + for the errors that are difficult to detect at run-time." {§5.8.3.5f} + + * Errors such as division by zero, null pointer dereferencing, array + indices out of bounds, and many others are flagged at run-time by + raising an exception. Effective practice is to keep these checks + enabled during development and then, after verifying either statically + or through sufficient testing that the run-time checks are not needed, + disable the checks in the final code for maximal efficiency. + + * The Defects and Vulnerability Analyzer + (see :ref:`Defects_and_Vulnerability_Analyzer`) in the GNAT Static + Analysis Suite will detect such errors as well as + many others, including suspicious constructs that, although legitimate + Ada, are likely logic errors. + + * SPARK Pro will enforce the SPARK subset and can be used to + demonstrate absence of run-time errors. + + * The GNATstack tool in GNAT Pro computes the potential maximum stack usage for + each task in a program. Combining the result with a separate analysis + showing the maximal depth of recursion, the developer can allocate + sufficient stack space for program execution and prevent stack overflow. + +Schedulability analysis for real-time software {§5.8.3.11} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +.. index:: Ravenscar profile + +* "As part of the verification of the software requirements and architectural + design, the supplier shall use an analytical model to + perform a schedulability analysis and prove that the design is feasible." + {§5.8.3.11a} + + * The Ada Ravenscar profile restricts the tasking model to enable precise + schedulability analysis, including Rate-Monotonic Analysis (RMA). + +.. index:: single: ECSS-E-ST-40C compliance; §5.9 Software operation process + +Software operation process {§5.9} +--------------------------------- + +Process implementation {§5.9.2} ++++++++++++++++++++++++++++++++ + +Problem handling procedures definition {§5.9.2.3} +''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The SOS [Software Operation Support] entity shall establish procedures for + receiving, recording, resolving, tracking problems, and providing feedback." + {§5.9.2.3a} + + * In the event that a product problem is due to a defect in an AdaCore tool + (e.g., a code generation bug), AdaCore has a rigorous QA process for + responding to and resolving such issues. The "sustained branch" service, + which is included with a GNAT Pro Assurance subscription, helps by + ensuring that a specific version of the toolchain is maintained over + the lifetime of the supplier's project. + +* "The SOS entity shall ensure that information regarding problems that can + have an impact on security is protected." {§5.9.2.3b} + + * AdaCore's internal processes for maintaining sensitive data help to meet + this criterion. + +Software operation support {§5.9.4} ++++++++++++++++++++++++++++++++++++ + +Problem handling {§5.9.4.2} +''''''''''''''''''''''''''' + +* "Encountered problems shall be recorded and handled in accordance with the + applicable procedures." {§5.9.4.2a} + + * As described above in connection with clause 5.9.2.3, AdaCore's QA + process, and more specifically the GNAT Pro Assurance sustained branch + service with its management of Known Problems, can help meet this + requirement when an issue arises that is due to an AdaCore tool. + +Vulnerabilities in operations {§5.9.4.3} +'''''''''''''''''''''''''''''''''''''''' + +* "During operations, security vulnerabilities, threats and exploits shall be: + 1. continuously monitored; 2. subject to further security analysis when + evaluated relevant to the security of the system; 3. maintained for auditing + purposes even when evaluated not relevant to the security of the system." + {§5.9.4.3a} + + * The ability to express security-related requirements as contracts in the + Ada source code, with run-time checks when needed, helps to meet + criterion 1. + +User support §5.9.5 ++++++++++++++++++++ + +Provisions of work-around solutions {§5.9.5.3} +'''''''''''''''''''''''''''''''''''''''''''''' + +* "If a reported problem has a temporary work-around solution before a + permanent solution can be released, the SOS entity shall give to the + originator of the problem report the option to use it." {§5.9.5.3a} + + * As part of the GNAT Pro Assurance sustained branch service, AdaCore + can supply work-arounds to critical problems prior to releasing + a permanent solution. + +.. index:: single: ECSS-E-ST-40C compliance; §5.10 Software maintenance process + +Software maintenance process {§5.10} +------------------------------------ + +Process implementation {§5.10.2} +++++++++++++++++++++++++++++++++ + +Long term maintenance for flight software {§5.10.2.2} +''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The maintainer shall propose + solutions to be able to implement and upload modifications to the spacecraft + up to its end of life." {§5.10.2.2a} + + * AdaCore's "sustained branch" service, which is included with a GNAT Pro + Assurance subscription, in effect means that the compilation environment + will receive support and not become obsolescent. + +Modification implementation {§5.10.4} ++++++++++++++++++++++++++++++++++++++ + +Invoking of software engineering processes for modification implementation {§5.10.4.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The maintainer shall apply the software engineering processes specified + in clauses 5.3 to 5.8 and 5.11 that are relevant to the scope of the + modifications, using the tailoring applied during the development of the + software." {§5.10.4.3a} + + * The Ada and SPARK languages have specific features that support the design + of modular, maintainable software with high cohesion and low coupling. + These include encapsulation (private types, separation of specification + from implementation), hierarchical child libraries, and object-oriented + programming (tagged types). By exploiting these features and utilizing + GNAT Pro for Ada and SPARK Pro, the developer + can localize the impact of maintenance changes. + + * The GNAT Static and Dynamic Analysis Suites can ensure that any modifications + meet the verification criteria applicable to the original software. + +.. index:: single: ECSS-E-ST-40C compliance; §5.11 Software security process + +Software security process {|sect| 5.11} +--------------------------------------- + +Process implementation {|sect| 5.11.2} +++++++++++++++++++++++++++++++++++++++ + +* "A software security management plan shall be produced documenting: ... + 7. the tools, methods and procedures to be used...." {|sect| 5.11.2a} + + * The Ada and SPARK languages, GNAT Pro for Ada, the GNAT Static and + Dynamic Analysis Suites, and the SPARK Pro toolset support the + software security management plan. + +.. _Software_security_analysis: + +Software security analysis {|sect| 5.11.3} +++++++++++++++++++++++++++++++++++++++++++ + +* "The methods to be used for the security analysis shall be identified + as part of the planning of the project." {|sect| 5.11.3b} + + * The Ada and SPARK languages, GNAT Pro for Ada, the GNAT Static and + Dynamic Analysis Suites, and the SPARK Pro toolset help meet this + requirement. For example: + + * Ada's compile-time checks prevent unsafe practices such as + treating an integer value as a pointer. + + * The Defects and Vulnerability Analyzer in the GNAT Static Analysis + Suite can detect a number of dangerous software errors in the + MITRE Corporation's Common Weakness Enumeration. + + * The SPARK language and SPARK Pro can enforce security-related + properties such as correct information flows and absence of + run-time errors. + + * GNATfuzz can be used to stress test the software with malformed + input values. + +Security activities in the software life cycle {|sect| 5.11.5} +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Security in the requirements baseline {|sect| 5.11.5.1} +''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The security assurance requirements shall determine the type and extent + of security verification and validation activities, including testing, + to be conducted.... Security verification and validation activities can + include, for example, fuzzing tests...." {|sect| 5.11.5.1c} + + * The Ada and SPARK languages, GNAT Pro for Ada, the GNAT Static and + Dynamic Analysis Suites, and the SPARK Pro toolset help meet this + requirement. + +Security in the detailed design and implementation engineering {|sect| 5.11.5.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The software security analysis shall be used during verification and + validation activities to evaluate iteratively residual vulnerabilities and + to reassess security risks." {|sect| 5.11.5.3b} + + * The Ada and SPARK languages, the GNAT Static and Dynamic Analysis + Suites, and the SPARK Pro toolset help meet this requirement. For + examples, see :ref:`Software_security_analysis`. + +.. index:: single: ECSS-E-ST-40C compliance; Annex U: Software code verification + +Software code verification {Annex U (informative)} +-------------------------------------------------- + +* "The following checks are expected to be performed on the software code: + + 1. the code implements numerical protection mechanisms (e.g. against + overflow and underflow, division by zero); + + 2. the code does not perform out of bounds accesses - e.g. underrun or + overrun of buffers, arrays or strings; + + 3. the code does not include any infinite loop other than the main loop of + the software and the main loops of cyclic tasks; + + 4. the code appropriately uses arithmetical and logical operators (e.g. + arithmetical OR vs. logical OR); + + 5. implicit type conversions do not lead to arithmetical errors; + + 6. the lifetime of variables is consistent with their use; + + 7. the code makes proper use of static/global functions/variables to enforce + the correct level of visibility; + + 8. the code makes proper use of volatile variables for all variables that can + be modified asynchronously (e.g. hardware access, memory-mapped + I/O); + + 9. the code does not perform invalid memory accesses (e.g. NULL + dereferences); + + 10. the code does not access uninitialized variables; + + 11. the code does not perform unused assignments, unless this is done to + trigger HW side-effects; + + 12. there are no memory leaks; + + 13. pointer arithmetic is justified and types of operands are consistent; + + 14. the code does not lead to race conditions." {|sect| U.2} + +:numref:`Verification-Support` shows how AdaCore's technologies help meet these +requirements: + +.. _Verification-Support: + +.. table:: Verification Support + :align: center + :widths: 17 65 18 + + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | Verification check # | Technology | Explanation | + +=========================+===============================================================+========================================+ + | 1 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 2 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 3 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + | +---------------------------------------------------------------+----------------------------------------+ + | | GNATcheck (in GNAT Static Analysis Suite) | User-defined rule | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 4 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + | +---------------------------------------------------------------+----------------------------------------+ + | | GNATcheck (in GNAT Static Analysis Suite) | User-defined rule | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 5 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 6 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 7 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 8 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 9 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`*` | + | +---------------------------------------------------------------+----------------------------------------+ + | | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 10 | SPARK language, SPARK Pro | Static check | + | +---------------------------------------------------------------+----------------------------------------+ + | | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 11 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 12 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + | +---------------------------------------------------------------+----------------------------------------+ + | | Ada Language, GNAT Pro for Ada, GNAT Pro Assurance | Run-time check\ :superscript:`***` | + | +---------------------------------------------------------------+----------------------------------------+ + | | GNATstack (for preventing stack overflow) | Static check | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 13 | Ada language, GNAT Pro for Ada, GNAT Pro Assurance | Static check | + | | SPARK language, SPARK Pro | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + | 14 | Defects and Vulnerability Analyzer | Static check\ :superscript:`**` | + | | (in GNAT Static Analysis Suite) | | + +-------------------------+---------------------------------------------------------------+----------------------------------------+ + +:superscript:`*` Depending on the source code, the GNAT Pro compiler may be +able to guarantee that the check will always succeed and can thus avoid +generating run-time code to detect violations. + +:superscript:`**` The static checks can result in false alarms +("false positives"), but the user can calibrate the tool to control the +tradeoff between soundness (no false negatives) and precision (minimization +of false positives). + +:superscript:`***` Exhausting dynamic memory raises the :ada:`Storage_Error` +exception at run time. Ada does not require a general garbage collector for +storage reclamation, but several techniques can be used to prevent storage +leaks: + +* Ensure, through analysis or testing, that dynamic allocations occur only + during startup ("elaboration time") and not thereafter. +* Reclaim storage explicitly through Ada's :ada:`Unchecked_Deallocation` + and ensure, through analysis or testing, that this does not create + dangling references. +* Define a memory pool for a pointer type ("access type") so that allocations + of objects for that type only use that storage area, and through analysis + or testing demonstrate that the pool is never exhausted. Ada's memory pool + facility can be used to implement a reference counting strategy (for + non-cyclic data structures) with automatic reclamation. + +Compliance Summary +------------------ + +:numref:`ECSS-E-ST-40C-Compliance-Support` shows how AdaCore's technologies support the +requirements in ECSS-E-ST-40C: + +.. _ECSS-E-ST-40C-Compliance-Support: + +.. table:: Technology Support for ECSS-E-ST-40C Compliance + :align: left + + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | Technology | |sect|\ 5.4 | |sect|\5.5 | |sect|\ 5.6 | |sect|\ 5.7 | |sect|\ 5.8 | |sect|\ 5.9 | |sect|\ 5.10 | |sect|\ 5.11 | Annex U | + +=============================+=============+============+=============+=============+=============+=============+==============+==============+=========+ + | Ada language | |check| | |check| | | | |check| | |check| | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | SPARK language | |check| | |check| | | | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Pro for Ada | |check| | |check| | |check| | |check| | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | SPARK Pro | |check| | |check| | |check| | | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Static Analysis Suite | | |check| | |check| | | |check| | | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Dynamic Analysis Suite | | |check| | |check| | | |check| | | |check| | |check| | | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ + | GNAT Pro Assurance | |check| | |check| | |check| | |check| | |check| | |check| | |check| | |check| | |check| | + +-----------------------------+-------------+------------+-------------+-------------+-------------+-------------+--------------+--------------+---------+ diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst new file mode 100644 index 000000000..82d68efde --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/compliance-q80c.rst @@ -0,0 +1,432 @@ +.. include:: ../../../global.txt + +.. _Compliance_with_ECSS-Q-ST-80C: + +Compliance with ECSS-Q-ST-80C +============================== + +The |Q-ST-80C| standard defines software product assurance requirements +for the development and maintenance of space software systems. This +chapter explains how AdaCore's products can help a supplier meet many +of these requirements. The section numbers in braces refer to the +relevant content in |Q-ST-80C|. + +.. index:: single: ECSS-Q-ST-80C compliance; §5 Software product assurance programme implementation + +Software product assurance programme implementation {§5} +-------------------------------------------------------- + +Software product assurance programme management {§5.2} +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Quality requirements and quality models {§5.2.7} +'''''''''''''''''''''''''''''''''''''''''''''''' + +* "Quality models shall be used to specify the software quality + requirements" {§5.2.7.1a} + + * The GNATmetric tool (see :ref:`GNATmetric`) in the GNAT Static Analysis + Suite can show quality metrics related to the source code structure. + + * The GNATdashboard IDE tool (see :ref:`GNATdashboard`) can + display software quality data. + +Tools and supporting environment {§5.6} ++++++++++++++++++++++++++++++++++++++++ + +Methods and tools {§5.6.1} +'''''''''''''''''''''''''' + +* "Methods and tools to be used for all activities of the development cycle + ... shall be identified by the supplier and agreed by the customer" + {§5.6.1.1a} + + * The GNAT Pro for Ada environment and any supplemental tools that are + selected (e.g., GNAT Static and Dynamic Analysis Suites, SPARK Pro) + should be listed. + +* "The choice of development methods and tools shall be justified by + demonstrating through testing or documented assessment that ... the tools + and methods are appropriate for the functional and operational + characteristics of the product, and ... the tools are available (in an + appropriate hardware environment) throughout the development and + maintenance lifetime of the product, + ... the tools and methods are appropriate to the security sensitivity + of the product as determined by the security analysis and as defined + in the software security management plan" {§5.6.1.2a} + + * AdaCore can make available a variety of documentation showing + that the selected tools are "appropriate for the functional and + operational characteristics of the product", ranging from user + manuals to qualification material relative to other + high-assurance software standards such as |do-178c| + :footcite:p:`Space_SW_RTCA_EUROCAE_2011a` and |en-50128| + :footcite:p:`Space_SW_CENELEC_2020b`. + + * AdaCore's "sustained branch" service for its GNAT Pro for Ada Assurance + product (see :ref:`Sustained_Branches`) can guarantee that the toolchain + is maintained throughout the product lifetime. + + * AdaCore's SPARK Pro environment (see :ref:`Static_Verification_SPARK_Pro`) + can be used to demonstrate security properties such as correct information + flows and, for software at the highest security levels, compliance with + formally specified requirements. + +Development environment selection {§5.6.2} +'''''''''''''''''''''''''''''''''''''''''' + +* "The software development environment shall be selected according to the + following criteria: 1. availability; 2. compatibility; 3. performance; + 4. maintenance; 5. durability and technical consistency with the operational + environment; 6. the assessment of the product with respect to requirements, + including the criticality category; 7. the available support documentation; + 8. the acceptance and warranty conditions; 9. the conditions of + installation, preparation, training and use; 10. the maintenance conditions, + including the possibilities of evolutions; 11. copyright and intellectual + property rights constraints; 12. dependence on one specific supplier; + 13. the assessment of the product with respect to the security sensitivity + level of the products; 14. compliance with appropriate security requirements + due to organizational or national security regulations, policies or + directives." + {§5.6.2.1a} + + * AdaCore tools directly satisfy these criteria. The availability of + qualification material for specific tools (GNATcheck, + GNATprove, GNATstack) contributes to criterion 6, and the + "sustained branch" service for GNAT Pro for Ada Assurance supports + criteria 4, 7 and 10. AdaCore tools come with source code and + flexible licensing, mitigating the issues noted in criteria 11 and 12. + The GNAT Static Analysis Suite, SPARK, and the GNATfuzz tool in + the GNAT Dynamic Analysis Suite facilitate + demonstrating the relevant security properties (criteria 13 and 14). + +.. index:: single: ECSS-Q-ST-80C compliance; §6 Software process assurance + +Software process assurance {§6} +------------------------------- + +Requirements applicable to all software engineering processes {§6.2} +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Handling of critical software {§6.2.3} +'''''''''''''''''''''''''''''''''''''' + +* "The supplier shall define, justify and apply measures to assure the + dependability and safety of critical software.... These measures can + include: ... use of a 'safe subset' of programming language; use of + formal design language for formal proof; 100% code branch coverage + at unit testing level; ... removing deactivated code or showing through + a combination of analysis and testing that the means by which such code + can be inadvertently executed are prevented, isolated, or eliminated; + use of dynamic code verification techniques." + {§6.2.3.2a} + + * Ada's pragma :ada:`Restrictions` and pragma :ada:`Profile`, together + with the GNAT Static Analysis Suite tool GNATcheck, can enforce a coding + standard for Ada (in effect a 'safe subset'). See + :ref:`GNAT_Pro_Enterprise` and :ref:`GNATcheck`. + + * The SPARK language serves as a safe subset of full Ada, and a formal + design language for formal proof. + + * SPARK Pro uses proof technology that can demonstrate a program's + conformance with formally specified requirements. + + * GNATcoverage can report code coverage up to MC/DC at the source level. + + * The Defects and Vulnerability Analyzer in the GNAT Static Analysis Suite + can detect unreachable code, including deactivated code. + + * The Ada language and the GNAT Pro Ada development environment allow + contracts to be verified either statically or with run-time checks and + thus facilitate dynamic code verification. + +Verification {§6.2.6} +''''''''''''''''''''' +* "The completion of actions related to software problem reports generated + during verification shall be verified and recorded." {§6.2.6.4a} + + * GNAT Pro for Ada Assurance, and its Sustained Branch service, help + support compliance. + +* "Software containing deactivated code shall be verified specifically to + ensure that the deactivated code cannot be activated or that its accidental + activation cannot harm the operation of the system." {§6.2.6.5a} + + * The Defects and Vulnerability Analyzer in the GNAT Static Analysis Suite + can detect unreachable code, including deactivated code. + +Software security {§6.2.9} +'''''''''''''''''''''''''' + +* "The supplier shall identify the methods and techniques for the software + security analysis." {|sect| 6.2.9.3a} + + * The Ada and SPARK languages, GNAT Pro for Ada, the GNAT Static and Dynamic + Analysis Suites, and the SPARK Pro toolset help meet this requirement. + +* "Based on the results of the software security analysis, the supplier shall + apply engineering measures to reduce the number of security sensitive + software components and mitigate the risks associated with security + sensitive software." {|sect| 6.2.9.4a} + + * Code modularization in Ada and SPARK can be used to minimize the number + of security sensitive components, and to localize and encapsulate them + in modules (packages) with compile-time enforcement of data consistency. + Checks performed by the GNAT Pro and SPARK Pro tools help mitigate + security risks, while hybrid verification can combine formal analysis + (for high security components in SPARK) with traditional testing methods. + + +Handling of security sensitive software {|sect| 6.2.10} +''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall define and implement measures to avoid propagation + of failures, including the ones caused by deliberate action, between + software components." {|sect| 6.2.10.1a} + + * The Ada language provides features that support this requirement + for components in the same address space. + Failures can be modeled by exceptions, and software + components that need to interact synchronously or asynchronously + can be modeled by tasks. (A failure in one component may be due to a + device malfunction and is not necessarily security related, but it + needs to be handled in a way that does not compromise security or + other mission requirements.) If the failure (exception) occurs in an Ada + task, then an appropriate style is for the task to take corrective + measures by handling that exception and/or to report the failure so that + a separate component can take further actions. If the task terminates as + a result of the exception, the effect is localized; the failure that + triggered the termination does not propagate to other components. + + * The SPARK language and SPARK Pro can help by ensuring that failures + do not occur (proving the Absence of Run-Time Errors). + + +Requirements applicable to individual software engineering processes or activities {§6.3} ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +Coding {§6.3.4} +''''''''''''''' + +* "Coding standards (including security, consistent naming conventions and + adequate commentary rules) shall be specified and observed." {§6.3.4.1a} + + * Ada's :ada:`Restrictions` and :ada:`Profile` pragmas, together with + AdaCore’s GNATcheck tool (see section :ref:`GNATcheck`), can define and + enforce a coding standard. + + * The SPARK language can serve as a coding standard. + +* "The tools to be used in implementing and checking conformance with coding + standards shall be identified in the product assurance plan before coding + activities start." {§6.3.4.3a} + + * GNATcheck and SPARK Pro are relevant tools for this activity. + +* "The supplier shall define measurements, criteria and tools to ensure that + the software code meets the quality and security requirements." {§6.3.4.6a} + + * The GNATmetric tool (see :ref:`GNATmetric`) can be used to report quality + data related to the source code structure. + +* "Synthesis of the code analysis results and corrective actions implemented + shall be described in the software product assurance reports." {§6.3.4.7a} + + * GNATdashboard (see :ref:`GNATdashboard`) can be used to synthesize and + summarize code quality metrics. + +Testing and validation {§6.3.5} +''''''''''''''''''''''''''''''' + +* "Testing shall be performed in accordance with a strategy for each testing + level (i.e. unit, integration, validation against the technical + specification, validation against the requirements baseline, acceptance), + ...." {§6.3.5.1a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement for unit testing. + +* "Based on the dependability and safety criticality, and the security + sensitivity of the software, test coverage goals for each + testing level shall be agreed between the customer and the supplier and + their achievement monitored by metrics ...." {§6.3.5.2a) + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement. + +* "Test coverage shall be checked with respect to the stated goals." + {§6.3.5.5a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement. + +* "The test coverage of configurable code shall be checked to ensure that the + stated requirements are met in each tested configuration." {§6.3.5.7a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement. + +* "Test tool development or acquisition ... shall be planned for in the + overall project plan." {§6.3.5.24a} + + * The tools in AdaCore's GNAT Dynamic Analysis Suite (GNATtest, + GNATcoverage, GNATfuzz) are candidates for consideration in test tool + acquisition. + +* "Software containing deactivated code shall be validated specifically to + ensure that the deactivated code cannot be activated or that its accidental + activation cannot harm the operation of the system." {§6.3.5.30a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement by detecting non-covered code that is + intended (and can be categorized) as deactivated. + +* "Software containing configurable code shall be validated specifically to + ensure that unintended configuration cannot be activated at run time or + included during code generation". {§6.3.5.31a} + + * AdaCore's GNAT Dynamic Analysis Suite (GNATtest, GNATcoverage, GNATfuzz) + can help meet this requirement by detecting configurable code that, + because of incorrect configuration settings, was unintentionally included + during code generation. + +Maintenance {§6.3.9} +'''''''''''''''''''' + +* "The maintenance plans and procedures shall include the following as a + minimum: 1. scope of maintenance; 2. identification of the first version of the + software product for which maintenance is to be done; 3. support organization; + 4. maintenance life cycle; 5. maintenance activities; 6. quality measures to be + applied during the maintenance; 7. security measures to be applied during the + maintenance. 8. maintenance records and reports." + {§6.3.9.4a} + + * The "sustained branch" service of AdaCore's GNAT Pro Assurance product + can help meet this requirement. + +* "Maintenance records shall be established for each software product ...." + {§6.3.9.7a} + + * AdaCore's ticket system, which is part of the standard support in all + product subscriptions, provides an audit trail for problem reports / + resolution. + * The "sustained branch" service includes special maintenance + accommodation for dealing with problems that relate to software safety. + +.. index:: single: ECSS-Q-ST-80C compliance; §7 Software product quality assurance + +Software product quality assurance {§7} +--------------------------------------- + +Product quality objectives and metrication {§7.1} ++++++++++++++++++++++++++++++++++++++++++++++++++ + +Assurance activities for product quality requirements {§7.1.3} +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +* "The supplier shall define assurance activities to ensure that the product + meets the quality requirements as specified in the technical + specification" {§7.1.3a} + + * Any of AdaCore's tools could potentially contribute to meeting this + requirement, depending on the nature of the metrics that have been + defined, and the GNATdashboard tool can integrate the metrics + in a meaningful way. + + * Use of the SPARK language, and formal demonstration of absence of + runtime errors, support this requirement. + +Basic metrics {§7.1.5} +'''''''''''''''''''''' + +* "The following basic products metrics shall be used: size (code); complexity + (design, code); fault density and failure intensity; test coverage; number + of failures." {§7.1.5a} + + * The GNATmetric, GNATtest, and GNATcoverage tools in the GNAT Dynamic Analysis + Suite directly help to meet this requirement. + +Product quality requirements {§7.2} ++++++++++++++++++++++++++++++++++++ + +Design and related documentation {§7.2.2} +''''''''''''''''''''''''''''''''''''''''' + +* "The software shall be designed to facilitate testing." {§7.2.2.2a} + + * The Ada language encourages and supports the use of sound software + engineering principles such as modular design and structured programming, + which makes the code easier to test. + + * The contract facility in Ada and SPARK supports verification by both + static analysis and testing. + +* "Software with a long planned lifetime shall be designed with minimum + dependency on the operating system and the hardware in order to aid + portability." {§7.2.2.3a} + + * The Ada language has abstracted away the specifics of the underlying + operating system and hardware through standard syntax and semantics for + features such as concurrency, memory management, exception handling, + and I/O. As a result, Ada programs can often be ported across different + processor architectures and operating systems by simply recompiling, + with minimal or no source code changes needed. + +Test and validation documentation {§7.2.3} +'''''''''''''''''''''''''''''''''''''''''' + +* "Test procedures, data and expected results shall be specified." + {|sect| 7.2.3.4a} + + * The GNATtest and GNATfuzz tools in the GNAT Dynamic Analysis Suite + help meet this requirement. + +* "For any requirements not covered by testing a verification report shall be + drawn up documenting or referring to the verification activities performed." + {§7.2.3.6a} + + * In many cases where verification cannot be achieved by testing, + SPARK Pro may be able to provide convincing alternative verification + evidence (for example, a robustness demonstration by proof that an + out-of-range or otherwise non-valid input will never be passed to + the unit being verified). + + +Compliance Summary +------------------ + +:numref:`ECSS-Q-ST-80C-Compliance-Support` shows how AdaCore's technologies support the +requirements in ECSS-Q-ST-80C: + +.. _ECSS-Q-ST-80C-Compliance-Support: + +.. table:: Technology Support for ECSS-Q-ST-80C Compliance + :align: left + + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | Technology | |sect|\ 5.2 | |sect|\5.6 | |sect|\ 6.2 | |sect|\ 6.3 | |sect|\ 7.1 | |sect|\ 7.2 | + +=============================+=============+=============+=============+=============+=============+=============+ + | Ada language | |blankcell| | |blankcell| | |check| | |check| | |blankcell| | |check| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | SPARK language | |blankcell| | |check| | |check| | |blankcell| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Pro for Ada | |blankcell| | |check| | |check| | |blankcell| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | SPARK Pro | |blankcell| | |check| | |check| | |blankcell| | |check| | |check| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Static Analysis Suite | |blankcell| | |check| | |check| | |check| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Dynamic Analysis Suite | |blankcell| | |check| | |check| | |check| | |check| | |check| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Pro Assurance | |blankcell| | |check| | |check| | |check| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + | GNAT Pro IDEs | |check| | |blankcell| | |blankcell| | |check| | |check| | |blankcell| | + +-----------------------------+-------------+-------------+-------------+-------------+-------------+-------------+ + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst new file mode 100644 index 000000000..66be732ff --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/introduction.rst @@ -0,0 +1,550 @@ +.. include:: ../../../global.txt + +Introduction +=============== +Software for space applications must meet unique and formidable requirements. +Hard real-time deadlines, a constrained target execution environment with +limited storage capacity, and distributed functionality between ground and +on-board systems are some of the challenges, with little margin for error. +The software needs to work correctly from the outset, without safety or +security defects, and the source code needs to be amenable to maintenance +over the system’s lifetime (which may extend over decades) as requirements +evolve. + +.. index:: European Cooperation for Space Standardization (ECSS) +.. index:: European Space Agency (ESA) + +To provide a common approach to addressing these challenges, the European +Cooperation for Space Standardization (ECSS) was formed in the mid-1990s +in a joint effort conducted by the European Space Agency (ESA), individual +national space organizations, and industrial partners. As stated in +:footcite:p:`Space_SW_Kriedke_ElGammal_1995`: + +.. + + *The European Cooperation for Space Standardization (ECSS) is an initiative + established to develop a coherent, single set of user-friendly standards + for use in all European space activities.* + +The resulting set of standards, available from the ECSS web portal +:footcite:p:`Space_SW_ECSS_HomePage`, addresses space activities as a +whole and complement the relevant country-specific standards. + +The ECSS standards specify requirements that must be satisfied (although +project-specific tailoring is allowed) and fall into three categories: + +* *Space engineering* (the "|ndash|\ E" series), + +* *Space product assurance* (the "|ndash|\ Q" series), and + +* *Space project management* (the "|ndash|\ M" series). + +This document focuses on two specific standards: + +* |E-ST-40C| Rev.\ |nbsp|\ 1 (Space engineering / Software) + :footcite:p:`Space_SW_ECSS_2025a`, and + +* |Q-ST-80C|\ |nbsp|\ Rev.\ |nbsp|\ 2 (Space product assurance / + Software product assurance) :footcite:p:`Space_SW_ECSS_2025b` + +and shows how the Ada and SPARK languages, together with AdaCore's +product and services offerings, +can help space software suppliers comply with these standards. +Unless noted otherwise, all references to |E-ST-40C| and |Q-ST-80C| in this +document relate to these cited editions of the standards. + +AdaCore has a long and successful history supporting developers of space +software, and the company has proven experience and expertise in +qualification under |E-ST-40C| and |Q-ST-80C|. Examples include: + +.. index:: Zero Footprint (ZFP) run-time library + +* The ZFP (Zero Footprint) minimal run-time library for Ada on LEON2 ELF, + qualified at criticality category B, for the aerospace company AVIO + :footcite:p:`Space_SW_AdaCore_Web_2019a`. + +.. index:: Ravenscar Small Footprint (SFP) run-time library + +* The Ravenscar SFP (Small Footprint) QUAL run-time library for Ada on + LEON2 and LEON3 boards, pre­qualified at criticality category B, for + ESA :footcite:p:`Space_SW_AdaCore_Web_2019b`. + +.. index:: Memory safety + +An important update in the 2025 versions of |E-ST-40C| and |Q-ST-80C| +is the explicit attention paid to security issues. Memory-safe languages +like Ada and SPARK, and formal analysis tools such as SPARK Pro, help +reduce the effort in demonstrating security properties in space software. + +The remainder of this chapter summarizes the |E-ST-40C| and |Q-ST-80C| +standards, and the subsequent chapters have the following content: + +* :ref:`Programming_Languages_for_Space_Software` + describes the Ada and SPARK programming languages and relates their software + engineering support to the relevant sections / requirements in the two + standards. + +* Analogously, :ref:`Tools_for_Space_Software_Development` presents AdaCore's + various software development and verification toolsuites and relates their + functionality to the relevant sections / requirements in the two standards. + +* In the other direction, :ref:`Compliance_with_ECSS-E-ST-40C` + surveys the individual requirements in |E-ST-40C| and shows how a large + number of them can be met by a software supplier through Ada, SPARK, + and/or specific AdaCore products. + +* :ref:`Compliance_with_ECSS-Q-ST-80C` does likewise for the requirements in + |Q-ST-80C|. + +* For ease of reference, the :ref:`Abbreviations` chapter contains a table of + acronyms and initialisms used in this document, and bibliography lists + the various resources cited. + +Although this document is focused on specific ECSS standards, the +:ref:`Programming_Languages_for_Space_Software` and +:ref:`Tools_for_Space_Software_Development` chapters +explain how the Ada and SPARK languages / technologies and AdaCore's products +benefit software development in general for large-scale safety-critical +systems. These chapters may thus be applicable to software that has to comply +with regulatory standards in other domains. + +.. index:: single: ECSS-E-ST-40C; Summary + +ECSS-E-ST-40C: Space engineering / Software +------------------------------------------- + +As stated in |E-ST-40C| (:footcite:p:`Space_SW_ECSS_2025a`, p. 11): + + "This Standard covers all aspects of space software engineering including + requirements definition, design, production, verification and validation, + transfer, operations and maintenance." + + "It defines the scope of the space software engineering processes and its + interfaces with management and product assurance, which are addressed in the + Management (|ndash|\ M) and Product assurance (|ndash|\ Q) branches of the + ECSS System, and explains how they apply in the software engineering + processes." + +|E-ST-40C| defines the following space system software engineering processes: + +* Software-related systems requirements process (|sect| 4.2.2) + + This process links the system and software levels and "establishes the + functional and the performance requirements baseline (including the interface + requirement specification) (RB) of the software development" + (:footcite:p:`Space_SW_ECSS_2025a`, p. 27). + +* Software management process (|sect| 4.2.3) + + This process "tailors the M standards for software-specific issues" + and produces "a software development plan including the life cycle + description, activities description, milestones and outputs, the + techniques to be used, and the risks identification" + (:footcite:p:`Space_SW_ECSS_2025a`, pp. 27, 28). It covers the joint + review process, interface management, and technical budget and + margin management. + +* Software requirements and architecture engineering process (|sect| 4.2.4) + + This process comprises software requirements analysis (based on system + requirements) and a resulting software architecture design. Activities + associated with the latter include selection of a design method, selection + of a computational model for real-time software, description of software + behavior, development and documentation of the software interfaces, and + definition of methods and tools for software intended for reuse. + +* Software design and implementation engineering process (|sect| 4.2.5) + + This process covers the detailed design of the software items (including an + analysis of the dynamic model showing how issues such as storage leakage and + corrupted shared data are avoided), coding, testing, and integration. + +* Software validation process (|sect| 4.2.6) + + Software validation entails "software product testing against both the + technical specification and the requirements baseline" and "confirm[ing] + that the technical specification and the requirements baseline functions + and performances are correctly and completely implemented in the final + product" (:footcite:p:`Space_SW_ECSS_2025a`, p. 29). + +* Software delivery and acceptance process (|sect| 4.2.7) + + This process "prepares the software product for delivery and testing in its + operational environment" (:footcite:p:`Space_SW_ECSS_2025a`, p. 29). + +* Software verification process (|sect| 4.2.8) + + Software verification "confirm[s] that adequate specifications and inputs + exist for every activity and that the outputs of the activities are + correct and consistent with the specifications and inputs. This process + is concurrent with all the previous processes." + (:footcite:p:`Space_SW_ECSS_2025a`, p. 30) + +* Software operation process (|sect| 4.2.9) + + This process involves the activities needed to ensure that the software + remains operational for its users; these include "mainly the helpdesk and + the link between the users, the developers or maintainers, and the + customer." (:footcite:p:`Space_SW_ECSS_2025a`, p. 30) + +* Software maintenance process (|sect| 4.2.10) + + This process "covers software product modification to code or associated + documentation for correcting an error, a problem or implementing an + improvement or adaptation." (:footcite:p:`Space_SW_ECSS_2025a`, p. 31) + +* Software security process (|sect| 4.2.11) + + This process "is supported by a software security analysis that is + systematically maintained at different points in the lifecycle of the + software.... The software security analysis is used to ensure that + security risks are properly addressed.... It is also used to assess + and drive the design, implementation and operation of secure software." + (:footcite:p:`Space_SW_ECSS_2025a`, p. 32) + +The standard specifies the requirements associated with each of these +processes and defines the expected output for each requirement. The expected +output identifies three entities: + +* the relevant destination file, +* the DRL (Document Requirements List) item(s) within that file where the + requirement is addressed, and +* the review that will assess whether the requirement is met. + +The files in question are the RB (Requirements Baseline), TS (Technical +Specification), DDF (Design Definition File), DJF (Design Justification File), +MGT (Management File), MF (Maintenance File), OP (Operational Plan), and PAF +(Product Assurance File). + +The reviews are the SRR (System Requirements Review), PDR (Preliminary Design +Review), CDR (Critical Design Review), QR (Qualification Review), +AR (Acceptance Review), and ORR (Operational Readiness Review). + +The tables below, derived from Table A-1 in Annex A of |E-ST-40C|, show the +association between files, DRL items, and reviews. Cells with "E" indicate +requirements from |E-ST-40C|, and cells with "Q" are the contributions from +|Q-ST-80C|. + +.. To refer to a table by its number, use the :numref:`table-name` command, +.. and to refer to a table by its name, use the :ref:`table-name` command, +.. where table-name is as specified in the :name: option of the csv-table +.. For example: See :numref:`RB table` + +.. csv-table:: **Relationship between RB (Requirements Baseline), DRL items, and reviews** + :name: RB table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software System Specification","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Interface requirements document (IRD)","E",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Safety and dependability analysis results for lower level suppliers", "E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between TS (Technical Specification), DRL items, and reviews** + :name: TS table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software requirements specification (SRS)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software interface control document (ICD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| + + +.. csv-table:: **Relationship between DDF (Design Definition File), DRL items, and reviews** + :name: DDF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software design document (SDD)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| + "Software configuration file (SCF)",|blankcell|,E,E,"E Q",E,"E Q" + "Software release document (SRelD)",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| + "Software user manual (SUM)",|blankcell|,|blankcell|,E,E,E,|blankcell| + "Software source code and media labels",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software product and media labels",|blankcell|,|blankcell|,|blankcell|,E,E,E + "Training material",|blankcell|,|blankcell|,|blankcell|,E,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between DJF (Design Justification File), DRL items, and reviews** + :name: DJF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software verification plan (SVerP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software validation plan (SValP)",|blankcell|,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Independent software verification and validation plan","E Q",E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software integration test plan (SITP)",|blankcell|,E,E,|blankcell|,|blankcell|,|blankcell| + "Software unit test plan (SUTP)",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software validation specification (SVS) with respect to TS",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software validation specification (SVS) with respect to RB",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| + "Acceptance test plan",|blankcell|,|blankcell|,|blankcell|,E,E,|blankcell| + "Acceptance test report",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Installation report",|blankcell|,|blankcell|,E,|blankcell|,|blankcell|,|blankcell| + "Software verification report (SVR)",E,E,E,E,E,"E Q" + "Independent software verification and validation report",|blankcell|,"E Q","E Q","E Q","E Q",E + "Software reuse file (SRF)","E Q",E,E,|blankcell|,|blankcell|,|blankcell| + "Software problems reports and nonconformance reports","E Q","E Q","E Q","E Q","E Q","E Q" + "Joint review reports",E,E,E,E,E,|blankcell| + "Justification of selection of operational ground equipment and support services","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between MGT (Management File), DRL items, and reviews** + :name: MGT table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software development plan (SDP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software review plan (SRP)",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Software configuration management plan",E,E,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Training plan","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Interface management procedures",E,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Identification of NRB SW and members","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Procurement data","E Q","E Q",|blankcell|,|blankcell|,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between MF (Maintenance File), DRL items, and reviews** + :name: MF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Maintenance plan",|blankcell|,|blankcell|,|blankcell|,E,E,E + "Maintenance records",Q,Q,Q,"E Q","E Q","E Q" + "SPR and NCR- Modification analysis report- Problem analysis report- Modification documentation- Baseline for change - Joint review reports",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Migration plan and notification",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + "Retirement plan and notification",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell| + +.. csv-table:: **Relationship between OP (Operational Plan), DRL items, and reviews** + :name: OP table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software operation support plan",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E + "Operational testing results",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E + "SPR and NCR- User's request record- Post operation review report",|blankcell|,|blankcell|,|blankcell|,|blankcell|,|blankcell|,E + +.. csv-table:: **Relationship between PAF (Product Assurance File), DRL items, and reviews** + :name: PAF table + :header: "DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 58, 7, 7, 7, 7, 7, 7 + + "Software product assurance plan (SPAP)","E Q","E Q","E Q","E Q","E Q","E Q" + "Software product assurance requirements for suppliers","E Q",Q,Q,Q,Q,Q + "Audit plan and schedule","E Q",Q,Q,Q,Q,Q + "Review and inspection plans or procedures",Q,Q,Q,Q,Q,Q + "Procedures and standards",Q,"E Q",Q,Q,Q,Q + "Modelling and design standards","E Q","E Q",Q,Q,Q,Q + "Coding standards and description of tools",Q,"E Q",Q,Q,Q,Q + "Software problem reporting procedure",Q,"E Q",Q,Q,Q,Q + "Software dependability and safety analysis report- Criticality classification of software components",Q,"E Q","E Q","E Q","E Q",Q + "Software product assurance report",Q,Q,Q,Q,Q,Q + "Software product assurance milestone report (SPAMR)","E Q","E Q","E Q","E Q","E Q","E Q" + "Statement of compliance with test plans and procedures",Q,Q,"E Q","E Q","E Q","E Q" + "Records of training and experience",Q,Q,Q,Q,Q,Q + "(Preliminary) alert information",Q,Q,Q,Q,Q,Q + "Results of preaward audits and assessments, and of procurement sources",Q,Q,Q,Q,Q,Q + "Software process assessment plan",Q,Q,Q,Q,Q,Q + "Software process assessment records",Q,Q,Q,Q,Q,Q + "Review and inspection reports",Q,Q,Q,Q,Q,Q + "Receiving inspection report","E Q","E Q","E Q","E Q",Q,Q + "Input to product assurance plan for systems operation",Q,Q,Q,Q,Q,"E Q" + +.. csv-table:: **ECSS-E-ST-40 and ECSS-Q-ST-80 Document requirements list (DRL)** + :header: File,"DRL Item",SRR,PDR,CDR,QR,AR,ORR + :widths: 10, 48, 7, 7, 7, 7, 7, 7 + + RB, "Software system specification (SSS)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + RB, "Interface requirements document (IRD)", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + RB, "Safety and dependability analysis results for lower level suppliers", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + TS, "Software requirements specification (SRS)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + TS, "Software interface control document (ICD)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| + DDF, "Software design document (SDD)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| + DDF, "Software configuration file (SCF)", |blankcell|, E, E, "E Q", E, "E Q" + DDF, "Software release document (SRelD)", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DDF, "Software user manual (SUM)", |blankcell|, |blankcell|, E, E, E, |blankcell| + DDF, "Software source code and media labels", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DDF, "Software product and media labels", |blankcell|, |blankcell|, |blankcell|, E, E, E + DDF, "Training material", |blankcell|, |blankcell|, |blankcell|, E, |blankcell|, |blankcell| + DJF, "Software verification plan (SVerP)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation plan (SValP)", |blankcell|, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + DJF, "Independent software verification and validation plan", "E Q", E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + DJF, "Software integration test plan (SUITP)", |blankcell|, E, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software unit test plan (SUITP)", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation specification (SVS) with respect to TS", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation specification (SVS) with respect to RB", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DJF, "Acceptance test plan", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DJF, "Software unit test report", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software integration test report", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation report with respect to TS", |blankcell|, |blankcell|, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software validation report with respect to RB", |blankcell|, |blankcell|, |blankcell|, E, E, |blankcell| + DJF, "Acceptance test report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, E, |blankcell| + DJF, "Installation report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, E, |blankcell| + DJF, "Software verification report (SVR)", E, E, E, E, E, "E Q" + DJF, "Independent software verification and validation report", |blankcell|, "E Q", "E Q", "E Q", "E Q", E + DJF, "Software reuse file (SRF)", "E Q", E, E, |blankcell|, |blankcell|, |blankcell| + DJF, "Software problems reports and nonconformance reports", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" + DJF, "Joint review reports", E, E, E, E , E , |blankcell| + DJF, "Justification of selection of operational ground equipment and support services", "E Q", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Software development plan (SDP)", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Software review plan (SRevP)", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Software configuration management plan", E, E, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Training plan", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Interface management procedures", E, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Identification of NRB SW and members", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MGT, "Procurement data", "E Q", "E Q", |blankcell|, |blankcell|, |blankcell|, |blankcell| + MF, "Maintenance plan", |blankcell|, , |blankcell|, E, E, E + MF, "Maintenance records", Q, Q, Q, "E Q", "E Q", "E Q" + MF, "SPR and NCR- Modification analysis report- Problem analysis report- Modification documentation- Baseline for change - Joint review reports", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MF, "Migration plan and notification", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + MF, "Retirement plan and notification", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell| + OP, "Software operation support plan", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E + OP, "Operational testing results", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E + OP, "SPR and NCR- User’s request record- Post operation review report", |blankcell|, |blankcell|, |blankcell|, |blankcell|, |blankcell|, E + PAF, "Software product assurance plan (SPAP)", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" + PAF, "Software product assurance requirements for suppliers", "E Q", Q, Q, Q, Q, Q + PAF, "Audit plan and schedule", "E Q", Q, Q, Q, Q, Q + PAF, "Review and inspection plans or procedures", Q, Q, Q, Q, Q, Q + PAF, "Procedures and standards", Q, "E Q", Q, Q, Q, Q + PAF, "Modelling and design standards", "E Q", "E Q", Q, Q, Q, Q + PAF, "Coding standards and description of tools", Q, "E Q", Q, Q, Q, Q + PAF, "Software problem reporting procedure", Q, "E Q", Q, Q, Q, Q + PAF, "Software dependability and safety analysis report- Criticality classification of software components", Q, "E Q", "E Q", "E Q", "E Q", Q + PAF, "Software product assurance report", Q, Q, Q, Q, Q, Q + PAF, "Software product assurance milestone report (SPAMR)", "E Q", "E Q", "E Q", "E Q", "E Q", "E Q" + PAF, "Statement of compliance with test plans and procedures", Q, Q, "E Q", "E Q", "E Q", "E Q" + PAF, "Records of training and experience", Q, Q, Q, Q, Q, Q + PAF, "(Preliminary) alert information", Q, Q, Q, Q, Q, Q + PAF, "Results of preaward audits and assessments, and of procurement sources", Q, Q, Q, Q, Q, Q + PAF, "Software process assessment plan", Q, Q, Q, Q, Q, Q + PAF, "Software process assessment records", Q, Q, Q, Q, Q, Q + PAF, "Review and inspection reports", Q, Q, Q, Q, Q, Q + PAF, "Receiving inspection report", "E Q", "E Q", "E Q", "E Q", Q, Q + PAF, "Input to product assurance plan for systems operation", Q, Q, Q, Q, Q, "E Q" + +.. index:: single: ECSS-Q-ST-80C; Summary + +ECSS-Q-ST-80C: Space product assurance / Software product assurance +------------------------------------------------------------------- + +The |Q-ST-80C| standard defines software product assurance requirements for +the development and maintenance of space software systems, including +non-deliverable software that affects the quality of the deliverable +product. As stated in :footcite:p:`Space_SW_ECSS_2025b`, p. 20: + + *The objectives of software product assurance are to provide adequate + confidence to the customer and to the supplier that the developed or + procured/reused software satisfies its requirements throughout the system's + lifetime. In particular, that the software is developed to perform properly, + securely, and safely in its operational environment, meeting the project's + agreed quality objectives.* + +The requirements apply throughout the software lifecycle and cover a range of +activities, including organizational responsibilities, process assessment, +development environment selection, and product verification. The specific set +of requirements that need to be met can be tailored based on several factors: + +* Dependability and safety aspects, as determined by the software criticality + category, +* Software development constraints, for example the type of development + (database vs. real-time), or +* Product quality / business objectives as specified by the customer + +|Q-ST-80C| defines requirements in the following areas: + +* Software product assurance programme implementation + + This set of activities includes organizational aspects, product assurance + management, risk management and critical item control, supplier selection + and control, procurement, tools and supporting environment selection, and + assessment and improvement process. + +* Software process assurance + + These activities comprise software life cycle management; requirements + applicable to all software engineering processes (e.g., documentation, + safety analysis, handling of critical software, configuration management, + metrics, verification, reuse, and automatic code generation); and + requirements applicable to individual software engineering processes or + activities (e.g., requirements analysis, architecture and design, coding, + testing and validation, delivery and acceptance, operations, and + maintenance). + +* Software product quality assurance + + These activities comprise product quality objectives and metrication; + product quality requirements; software intended for reuse; standard ground + hardware and services for operational system; and firmware. + +As with |E-ST-40C|, the expected output for each requirement identifies the +destination file, the DRL items within that file, and the review(s) that +assess compliance with the requirement. The table above includes this +information for the requirements in |Q-ST-80C|. + +.. index:: Criticality categories + +.. index:: DO-178C + +The ECSS standards recognize that software systems (and different components +of the same software system) may vary in their effects on system safety. +The standards accordingly define several criticality categories, +denoted A (most critical) to D, which correspond closely to the software +levels in the airborne standard |do-178c|. + +.. index:: ECSS Handbooks + +ECSS Handbooks +-------------- + +Supplementing the normative standards in the |ndash|\ E, |ndash|\ Q, and +|ndash|\ M series, ECSS has published a set of handbooks offering additional +support, guidance and practical discussion about the standards and their +requirements. They indicate how a customer (the organization acquiring +the space software or system) will likely interpret the standards and thus +how they will expect the supplier to comply. + +Several handbooks complement |E-ST-40C|, including: + +* |E-HB-40A| (Software engineering handbook) + :footcite:p:`Space_SW_ECSS_2013`, + + This document provides guidance, explanations, and examples on how to + satisfy the |E-ST-40C| requirements in practice. + +* |E-HB-40-01A| (Agile software development handbook) + :footcite:p:`Space_SW_ECSS_2020`. + + This handbook shows how to reconcile agile development practices + with the formal ECSS space software engineering processes. + +* |E-HB-40-02A| (Machine learning handbook) + :footcite:p:`Space_SW_ECSS_2024`. + + This handbook provides guidelines on how to create reliable machine + learning functions and perform the verification and validation considering + the specifics of machine learning development practices. + +Several handbooks complement ECSS-Q-ST-80C, including: + +* |Q-HB-80-01A| (Reuse of existing software) + :footcite:p:`Space_SW_ECSS_2011b` + + This handbook offers guidance on software reuse (including software + tools) and also presents a Tool Qualification Level (TQL) concept + based on |do-178c| :footcite:p:`Space_SW_RTCA_EUROCAE_2011a`, + |do-330| :footcite:p:`Space_SW_RTCA_EUROCAE_2011b`, and |ISO-26262| + :footcite:p:`Space_SW_ISO_2018`. + +* |Q-HB-80-03A-1| (Software dependability and safety) + :footcite:p:`Space_SW_ECSS_2017` + + This handbook focuses on analysis techniques such as Failure, + Mode and Effects Analysis (FMEA) and their application to software; + i.e., how to analyze what happens in case of failure due to software. + It covers topics such as defensive programming and prevention of failure + propagation. + +* |Q-HB-80-04A| (Software metrication program definition and implementation) + :footcite:p:`Space_SW_ECSS_2011a` + + This handbook offers recommendations on organizing and + implementing a metrication program for space software projects. + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst new file mode 100644 index 000000000..35e2414e4 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/programming.rst @@ -0,0 +1,1028 @@ +.. include:: ../../../global.txt + +.. _Programming_Languages_for_Space_Software: + +Programming Languages for Space Software +======================================== + +This chapter explains how space software developers can benefit from +the Ada language and its formally analyzable SPARK subset +(:footcite:p:`Space_SW_AdaCore_Capgemini_Web`, +:footcite:p:`Space_SW_McCormick_Chapin_2015`). Unless explicitly +stated otherwise, the Ada discussion applies to the |ada-2012| version +of the language standard with Technical Corrigendum\ |nbsp|\ 1 +(:footcite:p:`Space_SW_ISO_IEC_2016`, +:footcite:p:`Space_SW_Barnes_2014`, +:footcite:p:`Space_SW_Barnes_Brosgol_2015`), and the SPARK language +discussion applies to the 2014 version of the language as amended by +:footcite:p:`Space_SW_AdaCore_Capgemini_Web`. Both Ada and SPARK +support the development and verification of software at the highest +criticality class levels. + +.. index:: single: Ada language; Summary + +Ada +--- + +The choice of programming language(s) is one of the fundamental decisions +during software design. The source code is the artifact that is developed, +verified, and maintained, and it is also the subject of much of the analysis / +inspection required for certification / qualification against domain-specific +standards. Although in principle almost any programming language can be used +for software development, in practice the life-cycle costs for the +high-assurance real-time software found in space systems are reduced when the +chosen language has been explicitly designed for reliability, safety, +security, and ease of maintenance of large, long-lived systems. + +.. index:: Memory safety + +Ada helps meet high-assurance requirements through its support for sound +software engineering principles, compile-time checks that guarantee type +safety, and run-time checks for constraints such as array index bounds and +scalar ranges. As will be explained below, the SPARK subset of Ada shares +these benefits and adds an important advantage: the dynamic constraints are +enforced through mathematics-based static analysis. This avoids run-time +overhead for checks in production code while eliminating the risk that such +a check could fail. With their standard features for preventing buffer +overruns, pointer misuses and other vulnerabilities, Ada and SPARK both +serve as memory-safe languages. + + +Ada language overview +~~~~~~~~~~~~~~~~~~~~~ + +Ada is multi-faceted. From one perspective it is a classical stack-based +general-purpose language (unlike languages like Java, it does not require +garbage collection), and it is not tied to any specific development +methodology. It offers: + + * a simple syntax designed for human readability; + * structured control statements; + * flexible data composition facilities; + * strong type checking; + * traditional features for code modularization (“sub­programs”); + * standard support for "programming in the large" and module reuse, + including packages, Object-Oriented Programming, hierarchical + package namespace ("child libraries"), and generic templates; + * a mechanism for detecting and responding to exceptional run-time + conditions ("exception handling"); and + * high-level concurrency support ("tasking") along with a deterministic + subset (the Ravenscar profile) appropriate in applications that need + to meet high-assurance certification / qualification requirements + and/or small footprint constraints. + +The language standard also includes: + + * an extensive predefined environment with support for I/O, string + handling, math functions, containers, and more; + * a standard mechanism for interfacing with other programming languages + (such as C and C++); and + * specialized needs annexes for functionality in several domains (Systems + Programming, Real-Time Systems, Distributed Systems, Numerics, + Information Systems, and High-Integrity Systems). + +Source code portability was a key goal for Ada. The challenge for a +programming language is to define the semantics in a platform-independent +manner but not sacrifice run-time efficiency. Ada achieves this in several +ways. + + * Ada provides a high-level model for concurrency (tasking), memory + management, and exception handling, with standard semantics across + all platforms. The language's dynamic semantics can be mapped to the + most efficient services provided by the target environment. + * The developer can express the logical properties of a type (such as + integer range, floating-point precision, and record fields/types) + in a machine-independent fashion, which the compiler can then map + to an efficient underlying representation. + * The physical representation of data structures (layout, alignment, + and addresses) is sometimes specified by system requirements. Ada + allows this to be defined in the program logic but separated from + target-independent properties for ease of maintenance. + * Platform-specific characteristics such as machine word size are + encapsulated in an API, so that references to these values are through + a standard syntax. Likewise, Ada defines a standard type :ada:`Address` + and associated operations, again facilitating the portability of + low-level code. + +.. index:: single: Ada language; Background + +.. Ada_language_background: + +Ada language background +~~~~~~~~~~~~~~~~~~~~~~~ + +.. index:: Ichbiah (Jean), CII-Honeywell-Bull + +Ada was designed for large, long-lived applications |mdash| and embedded +systems in particular |mdash| where reliability, maintainability, and +efficiency are essential. Under sponsorship of the U.S. Department of Defense, +the language was originally developed in the early 1980s (this version is +generally known as |ada-83|) by a team led by Jean Ichbiah at +CII-Honeywell-Bull in France. + +.. index:: Taft (Tucker), Intermetrics + +Ada was revised and enhanced in an upward-compatible fashion in the early +1990s, under the leadership of Tucker Taft from Intermetrics in the U.S. +The resulting language, |ada-95|, was the first internationally standardized +object-oriented language. + +Under the auspices of the International Organization for Standardization +(ISO), a further (minor) revision was completed as an amendment to the +standard; this version of the language is known as |ada-2005|. + +Additional features (including support for contract-based programming +in the form of subprogram pre- and postconditions and type invariants) +were added in |ada-2012|, and other enhancements to increase the +language's expressiveness were introduced in |ada-2022| +:footcite:p:`Space_SW_ISO_IEC_2022`. + +.. index:: Lovelace (Augusta Ada), Babbage (Charles), Byron (Lord George) + +The name "Ada" is not an acronym; it was chosen in honor of Augusta Ada +Lovelace (1815-1852), a mathematician who is sometimes regarded as the +world's first programmer because of her work with Charles Babbage. +She was also the daughter of the poet Lord Byron. + +The Ada language has long been a language of choice +in high-assurance / safety-critical / high-security domains, where software +failures can have catastrophic consequences. +Ada has a proven track record in space applications, +military and commercial aircraft avionics, air traffic control, and railroad +software, and it has also seen successful usage in other domains (such as +automotive systems and medical devices). + +.. index:: Ravenscar profile + +With its embodiment of modern software engineering principles, Ada is +especially appropriate for teaching in both introductory and advanced +computer science courses, and it has also been the subject of +significant research, especially in the area of real-time +technologies. Throughout much of Ada's history, a worldwide group of +experts from industry, academia, and government convened a biannual +meeting |mdash| the *International Real-Time Ada Workshop* ("IRTAW") +|mdash| to focus on Ada's support for real-time software. The 1997 +IRTAW in Ravenscar, UK, led directly to the definition of a subset of +Ada's concurrency features with deterministic semantics |mdash| the +so-called *Ravenscar Profile* :footcite:p:`Space_SW_Burns_et_al_2003`. +This work broke new ground in supporting the use of concurrent +programming in high-assurance software. + +AdaCore has a long history and close connection with the Ada programming +language. Company members worked on the original Ada 83 design and review +and played key roles in the Ada 95 project as well as the subsequent +revisions. The initial GNAT compiler was delivered at the time of the |ada-95| +language's standardization, thus guaranteeing that users would have a quality +implementation for transitioning to |ada-95| from |ada-83| or other languages. + +The following subsections provide additional detail on Ada language features. + +.. index:: single: Ada language; Scalar ranges + +Scalar ranges +~~~~~~~~~~~~~ + +Unlike languages based on C (such as C++, Java, and C#), Ada allows the +programmer to simply and explicitly specify the range of values that are +permitted for variables of scalar types (integer, floating-point, fixed-point, +and enumeration types). The attempted assignment of an out-of-range value +raises an exception, reflecting a run-time error. + +The ability to specify range constraints makes the programmer's intent +explicit and makes it easier to detect a major source of coding and user +input errors. It also provides useful information to static analysis tools +and facilitates automated proofs of program properties. + +Here's an example of an integer scalar range and an associated run-time check: + +.. code-block:: ada + + declare + My_Score : Integer range 1..100; + N : Integer; + begin + ... -- Code that assigns an integer value to N + My_Score := N; + -- A run-time check verifies that N is within the range 1 through 100, inclusive + -- If this check fails, the Constraint_Error exception is raised + end; + +The run-time check can be optimized out if the compiler can guarantee that +the value of :ada:`N` is within the range 1 through 100 when control reaches +the assignment to :ada:`My_Score`. + + +.. index:: single: Ada language; Contract-based programming +.. index:: single: Ada language; Preconditions +.. index:: single: Ada language; Postconditions + + +Contract-based programming +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +A feature introduced in Ada 2012 allows extending a subprogram specification +or a type/subtype declaration with a contract (a Boolean assertion). +Subprogram contracts take the form of preconditions and postconditions; +type contracts are used for invariants; and subtype contracts provide +generalized constraints (predicates). Through contracts the developer can +formalize the intended behavior of the application, and can +verify this behavior by testing, static analysis or formal proof. + +Here's a skeletal example that illustrates contact-based programming; a +:ada:`Table` object is a fixed-length container for distinct :ada:`Float` +values. + +.. code-block:: ada + + package Table_Pkg is + type Table is private; -- Encapsulated type + + function Is_Full (T : in Table) return Boolean; + + function Contains (T : in Table; + Item : in Float) return Boolean; + + procedure Insert (T : in out Table; Item: in Float) + with Pre => not Is_Full(T) and + not Contains(T, Item), + Post => Contains(T, Item); + + procedure Remove (T : in out Table; Item: in Float); + with Pre => Contains(T, Item), + Post => not Contains(T, Item); + ... + private + ... -- Full declaration of Table + end Table_Pkg; + + package body Table_Pkg is + ... -- Implementation of Is_Full, Contains, Insert, Remove + end Table_Pkg; + +A compiler option controls whether the pre- and postconditions are checked +at run time. If checks are enabled, any pre- or postcondition failure |mdash| +i.e., the contact's Boolean expression evaluating to :ada:`False` |mdash| +raises the :ada:`Assertion_Error` exception. + +.. index:: single: Ada language; Type invariants +.. index:: single: Ada language; Type/subtype predicates + +Ada's type invariants and type / subtype predicates specify +precisely what is and is not valid for any particular (sub)type, including +composite types such as records and arrays. For example, the code fragment +below specifies that field :ada:`Max_Angle` in the +:ada:`Launching_Pad` structure below is the maximal angle allowed, given the +distance :ada:`D` to the center of the launching pad and the height :ada:`H` +of the rocket. The compiler will insert the necessary run-time checks when a +:ada:`Launching_Pad` object is created, to verify this predicate as well as +the constraints on the individual fields: + +.. code-block:: ada + + subtype Meter is Float range 0.0 .. 200.0; + subtype Radian is Float range 0.0 .. 2.0 * Pi; + + type Launching_Pad is + record + D, H : Meter; + Max_Angle : Radian; + end record + with + Predicate => Arctan (H, D) <= Max_Angle; + +Further information about type invariants and type / subtype predicates +may be found in the *Design by contracts* chapter of the *Introduction to Ada* +course of :footcite:p:`Space_SW_AdaCore_AdaLearn`. + +.. index:: single: Ada language; Programming in the large + +Programming in the large +~~~~~~~~~~~~~~~~~~~~~~~~ + +The original |ada-83| design introduced the package construct, a feature +that supports encapsulation ("information hiding") and modularization, and +which allows the developer to control the namespace that is accessible +within a given compilation unit. |ada-95| introduced the concept of +"child units", which provides a hierarchical and extensible namespace +for library units and thus eases the design and maintenance of very large +systems. + +|ada-2005| extended the language's modularization facilities by allowing +mutual references between package specifications, thus making it easier +to interface with languages such as Java. + +.. index:: single: Ada language; Generic templates + +Generic templates +~~~~~~~~~~~~~~~~~ + +A key to reusable components is a mechanism for +parameterizing modules with respect to data types and other program entities. +A typical example is a data structure (e.g., a stack, FIFO queue, or +varying-length array) for an arbitrary element type :ada:`T`, where each element +of the data structure is of type :ada:`T`. +For safety and efficiency, compile-time checks should enforce type safety +both within the parameterized module, and at each use ("instantiation"). +Conceptually an +instantiation can be regarded as an expansion of the parameterized module, +with actual parameters replacing the formal parameters. However, the expansion +is not at the lexical/syntactic level (source text) but rather at the semantic +level (scope-resolved names). +In addition, an implementation may be able to share a single copy of the code +across multiple instantiations and thereby save code space. + +.. index:: Stroustrup (Bjarne) + +Ada supplies this functionality through a facility known as +*generics*, with type consistency enforced by the compiler both within +the generic unit and at each instantiation. Ada generics are analogous +to C++ templates but with more extensive compile-time checking: a data +object within a generic unit can only be processed using operations +that are known to be available for the object's type. (As a historical +note, at the ACM SIGPLAN Conference on History of Programming +Languages in 1993, the C++ designer Bjarne Stroustrup acknowledged the +Ada design for generics as one of the inspirations for templates in +C++ :footcite:p:`Space_SW_ACM_1993`.) + +.. index:: single: Ada language; Object-Oriented Programming (OOP) + +Object-Oriented Programming (OOP) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +|ada-83| was object-based, allowing the partitioning of a system into modules +(packages) corresponding to abstract data types or abstract objects. +Full OOP support was not provided since, first, it seemed not to be required +in the real-time domain that was Ada's primary target, and second, the +apparent need for automatic garbage collection in an Object Oriented language +would have interfered with predictable and efficient performance. + +However, large real-time systems often have components such as graphical user +interfaces (GUIs) that do not have hard real-time constraints and that can be +most effectively developed using OOP features. In part for this reason, +|ada-95| added comprehensive support for OOP, through its "tagged type" +facility: classes, polymorphism, inheritance, and dynamic binding. +These features do not require automatic garbage collection; instead, +definitional features introduced by |ada-95| allow the developer to supply +type-specific storage reclamation operations ("finalization"). + +|ada-2005| brought additional OOP features, including Java-like interfaces +and traditional :ada:`X.P(...)` notation for invoking operation :ada:`P(...)` +on object :ada:`X`. + +Ada is methodologically neutral and does not impose a distributed overhead +for OOP. If an application does not need OOP, then the OOP features do not +have to be used, and there is no run-time penalty. + +See :footcite:p:`Space_SW_Barnes_2014` or +:footcite:p:`Space_SW_AdaCore_2016` for more details. + +.. index:: single: Ada language; Concurrent programming (tasking) + +Concurrent programming +~~~~~~~~~~~~~~~~~~~~~~ + +Ada supplies a structured, high-level facility for concurrency. The unit of +concurrency is a program entity known as a "task". Tasks can communicate +implicitly via shared data or explicitly via a synchronous control +mechanism known as the rendezvous. A shared data item can be defined +abstractly as a "protected object" (a feature introduced in |ada-95|), +with operations executed under mutual exclusion when invoked from multiple +tasks. Protected objects provide the functionality of semaphores and +condition variables but more clearly and reliably (e.g., avoiding subtle +race conditions). + +Ada supports asynchronous task interactions for timeouts, software event +notifications, and task termination. Such asynchronous behavior is deferred +during certain operations, to prevent the possibility of leaving shared data +in an inconsistent state. Mechanisms designed to help take advantage +of multicore architectures were introduced in |ada-2012|. + +.. index:: single: Ada language; Systems programming + +Systems programming +~~~~~~~~~~~~~~~~~~~ + +Both in the core language and the Systems Programming Annex, Ada supplies +the necessary features for low-level / hardware-specific processing. +For example, the programmer can specify the bit layout for fields in a +record, define alignment and size properties, place data at specific machine +addresses, and express specialized code sequences in assembly language. +Interrupt handlers can also be written in Ada, using the protected object +facility. + +.. index:: single: Ada language; Real-time programming + +Real-time programming +~~~~~~~~~~~~~~~~~~~~~ + +Ada's tasking facility and the Real-Time Systems Annex support common idioms +such as periodic or event-driven tasks, with features that can help avoid +unbounded priority inversions. A protected object locking policy is defined +that uses priority ceilings; this has an especially efficient implementation +in Ada (mutexes are not required) since protected operations are not allowed +to block. |ada-95| defined a standard task dispatching policy in which a task +runs until blocked or preempted, and |ada-2005| introduced several others +including Earliest Deadline First. + +.. index:: single: Ada language; Time and space analysis + +Time and Space Analysis +~~~~~~~~~~~~~~~~~~~~~~~ + +.. rubric:: Timing verification + +Suitably subsetted, Ada (and SPARK) are amenable to the static analysis of +timing behavior. This kind of analysis is relevant for real-time systems, +where worst-case execution time (WCET) must be known in order to guarantee +that timing deadlines will always be met. Timing analysis is also of interest +for secure systems, where the issue might be to show that programs do not leak +information via so-called side-channels based on the observation of +differences in execution time. + +AdaCore does not produce its own WCET tool, but there are several such tools +on the market from partner companies, such as RapiTime from +Rapita Systems Ltd. + +.. rubric:: Memory usage verification + +Ada and SPARK can support the static analysis of worst-case memory +consumption, so that a developer can show that a program will never +run out of memory at execution time. + +In both SPARK and Ada, users can specify pragma :ada:`Restrictions` with the +standard arguments :ada:`No_Allocators` and +:ada:`No_Implicit_Heap_Allocations`. This will completely prevent heap usage, +thus reducing memory usage analysis to a worst-case computation of stack usage +for each task in a system. Stack size analysis is implemented directly in +AdaCore's GNATstack tool, as described in :ref:`GNATstack`. + +.. index:: single: Ada language; High-integrity systems +.. index:: single: Ada language; Memory safety +.. index:: Memory safety + +High-integrity systems +~~~~~~~~~~~~~~~~~~~~~~ + +With its emphasis on sound software engineering principles, Ada +supports the development of safety-critical and other high-integrity +applications, including those that need to be certified/qualified +against software standards such as |E-ST-40C| and |Q-ST-80C| for space +systems, |do-178c| for avionics +:footcite:p:`Space_SW_RTCA_EUROCAE_2011a`, and CENELEC |en-50128| for +rail systems :footcite:p:`Space_SW_CENELEC_2020b`. Similarly, Ada (and +its SPARK subset) can help developers produce high Evaluation +Assurance Level (EAL) code that meets security standards such as the +Common Criteria :footcite:p:`Space_SW_CCDB_2022`. Key to Ada's +support for high-assurance software is the language's memory safety; +this is illustrated by a number of features, including: + +* Strong typing + + Data intended for one purpose will only be accessed via operations that are + legal for that data item's type, so errors such as treating pointers as + integers (or vice versa) are prevented. (Low-level code sometimes needs to + defeat the language's type checking; e.g., by treating "raw bits" as a + value of a specific type. As a language that supports systems programming, + Ada allows such usages but requires explicit syntax that makes the intent + clear.) + +* Array bounds checking + + A run-time check guarantees that an array index is within the bounds of + the array. This prevents buffer overrun vulnerabilities that + are common in C and C++. In many cases a compiler optimization can + detect statically that the index is within bounds and thus eliminate + any run-time code for the check. + +* Prevention of null pointer dereferences + + As with array bounds, pointer dereferences are checked to make sure that + the pointer is not null. Again, such checks can often be optimized out. + +* Prevention of dangling references + + A scope accessibility check ensures that a pointer (known in Ada as an + *access value*) cannot reference an object on the stack after exit/return + from the scope (block or subprogram) in which the object is declared. + Such checks prevent dangling references to stack objects (i.e., subprogram + parameters and local variables) and are generally static, with no run-time + overhead. + (Since Ada does not require garbage collection + of inaccessible dynamically allocated objects, it provides an + :ada:`Unchecked_Deallocation` facility for programmer-supplied + deallocation. Uses of this feature require explicit syntax |mdash| + a :ada:`with` clause at the beginning of the compilation unit. + This makes clear that special attention needs to be paid to verification, + since erroneous deallocations can lead to dangling references.) + +The evolution of Ada has seen a continued increase in support for +safety-critical and high-security applications. |ada-2005| +standardized the Ravenscar Profile +:footcite:p:`Space_SW_Burns_et_al_2003`, a collection of concurrency +features that are powerful enough for real-time programming but simple +enough to make safety certification practical. |ada-2012| introduced +contract-based programming facilities, allowing the programmer to +specify preconditions and/or postconditions for subprograms, and +invariants for encapsulated (private) types. These can serve both for +run-time checking and as input to static analysis tools. + +The most recent version of the standard, Ada 2022, has added several +contract-based programming constructs inspired by SPARK +(:ada:`Contract_Cases`, :ada:`Global`, and :ada:`Depends` aspects) +and, more generally, has enhanced the language's expressiveness. +For example, Ada 2022 has introduced some new syntax in its +concurrency support and has defined the Jorvik tasking profile, +which is more inclusive than Ravenscar. + +.. index:: Coding standard enforcement + +Enforcing a coding standard +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Ada is a large language, suitable for general-purpose programming, but +the full language may be inappropriate in a safety- or security-critical +application. The generality and flexibility of some features |mdash| +especially those with complex run-time semantics |mdash| complicate +analysis and could interfere with traceability / certification +requirements or impose too large a memory footprint. A project will +then need to define and enforce a coding standard that prohibits +problematic features. Several techniques are available: + +* pragma :ada:`Restrictions` + + This standard Ada pragma allows the user to specify constructs + that the compiler will reject. Sample restrictions include dependence + on particular packages or language facilities, or usage + of features requiring unwanted implementation techniques (e.g. run-time + support that is overly complex and difficult to certify). + +* pragma :ada:`Profile` + + This standard Ada pragma provides a common name for a collection + of related :ada:`Restrictions` pragmas. The predefined pragma + :ada:`Profile(Ravenscar)` is a shorthand for the various restrictions + that comprise the Ravenscar tasking subset. + +.. index:: GNATcheck +.. index: GNAT Static Analysis Suite; GNATcheck + +* Static analysis tool (coding standard enforcer) + + Other restrictions on Ada features can be detected by AdaCore's + automated GNATcheck tool (see :ref:`GNATcheck`) that is included + with the GNAT Pro Ada Static Analysis Suite. The developer can + configure this rule-based and tailorable tool to flag violations + of the project's coding standard, such as usage of specific + prohibited types or subprograms defined in otherwise-permitted + packages. + +.. index:: single: Ada language; ECSS standards support + +.. _Ada_and_the_ECSS_Standards: + +Ada and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +|E-ST-40C| covers software engineering practice, and |Q-ST-80C| covers +software product assurance, and both of these areas are "sweet spots" +that match Ada's strengths. Please see :ref:`Compliance_with_ECSS-E-ST-40C` +and :ref:`Compliance_with_ECSS-Q-ST-80C` to learn how +specific clauses in these standards relate to individual Ada features. +In summary, the use of Ada can help the software supplier meet +the requirements in the following sections: + +* |E-ST-40C| + + * |sect|\ 5.4 Software requirements and architecture engineering process + + * |sect|\ 5.4.3 Software architecture design + + * |sect|\ 5.5 Software design and implementation engineering process + + * |sect|\ 5.5.2 Design of software items + + * |sect|\ 5.8 Software verification process + + * §5.8.3 Verification activities + + * |sect|\ 5.9 Software operation process + + * §5.9.4 Software operation support + + * |sect|\ 5.10 Software maintenance process + + * |sect|\ 5.10.4 Modification implementation + + * |sect|\ 5.11 Software security process + + * |sect| 5.11.2 Process implementation + + * |sect| 5.11.3 Software security analysis + + * |sect| 5.11.5 Security activities in the software life cycle + + * Annex U - Software code verification + +* |Q-ST-80C| + + * |sect|\ 6.2 Requirements applicable to all software engineering processes + + * |sect|\ 6.2.3 Handling of critical software + + * |sect|\ 6.2.9 Software security + + * |sect|\ 6.2.10 Handling of security sensitive software + + * |sect|\ 6.3 Requirements applicable to individual software engineering + processes or activities + + * |sect|\ 6.3.4 Coding + + * |sect|\ 7.2 Product quality requirements + + * |sect|\ 7.2.2 Design and related documentation + +In brief, Ada is an internationally standardized language combining +object-oriented programming features, well-engineered concurrency facilities, +real-time predictability and performance, and built-in reliability through +both compile-time and run-time checks. With its support for producing +software that is correct, maintainable, and efficient, the language is +especially well suited for writing space applications. + +SPARK +----- + +.. index:: single: SPARK language; Summary + +SPARK Basics +~~~~~~~~~~~~ + +SPARK (:footcite:p:`Space_SW_AdaCore_Capgemini_Web`, +:footcite:p:`Space_SW_McCormick_Chapin_2015`) is a software +development technology (programming language and verification toolset) +specifically oriented around applications demanding an ultra-low +defect level, for example where safety and/or security are key +requirements. SPARK Pro is the commercial-grade offering of the SPARK +technology developed by AdaCore, Capgemini Engineering (formerly +Altran), and Inria. As will be described in +:ref:`Static_Verification_SPARK_Pro`, the main component in the +toolset is GNATprove, which performs formal verification on SPARK +code. + +SPARK has an extensive industrial track record. Since its inception in the +late 1980s it has been used worldwide in a wide variety of applications, +including civil and military avionics, space satellite control, air traffic +management / control, railway signaling, cryptographic software, medical +devices, automotive systems, and cross-domain solutions. SPARK 2014 is the +most recent version of the technology. + +The SPARK language has been stable over the years, with periodic enhancements. +The 2014 version of SPARK represented a major revision, incorporating +contract-based programming syntax from Ada 2012, and subsequent upgrades +included support for pointers (access types) based on the Rust ownership +model. + +.. index:: single: SPARK language; Memory safety +.. index:: Memory safety + +The SPARK language is a large subset of Ada 2012 and is memory safe. +It includes as much of the Ada language as is possible / practical to +analyze formally, while eliminating sources of undefined and +implementation-dependent behavior. +SPARK includes Ada's program structure support (packages, generics, child +libraries), most data types, safe pointers, contract-based programming +(subprogram pre- and postconditions, scalar ranges, type/subtype predicates), +Object-Oriented Programming, and the Ravenscar subset of the tasking features. + +Principal exclusions are side effects in functions and expressions, +problematic aliasing of names, exception handling, pointer functionality +that may be unsafe, and most tasking features. + +.. index:: single: SPARK language; Soundness + +A legal SPARK program has unambiguous semantics: its effect is precisely +defined and does not depend on the implementation. This property helps +ensure the soundness of static verification; i.e., the +absence of "false negatives". If the SPARK tools report that a program does +not have a specific vulnerability, such as a reference to an uninitialized +variable, then that conclusion can be trusted with mathematical certainty. +Soundness builds confidence in the tools, provides evidence-based assurance, +completely removes many classes of dangerous defects, and significantly +simplifies subsequent verification effort (e.g., testing), owing to less +rework. Moreover, the SPARK tools achieve soundness while keeping +"false positives" manageable. + +SPARK offers the flexibility of configuring the language on a per-project +basis. Restrictions can be fine-tuned based on the relevant coding standards +or run-time environments. + +SPARK code can easily be combined with full Ada code or with C, so that new +systems can be built on and reuse legacy codebases. Moreover, the same code +base can have some sections in SPARK and others excluded from SPARK analysis +(SPARK and non-SPARK code can also be mixed in the same package or +subprogram). + +.. index:: single: SPARK language; Formal methods + +Software verification typically involves extensive testing, including unit +tests and integration tests. Traditional testing methodologies are a major +contributor to the high delivery costs for safety-critical software. +Furthermore, testing can never be complete and thus may fail to detect errors. +SPARK addresses this issue by using automated proof (embodying +mathematics-based formal methods) to demonstrate program +integrity properties up to functional correctness at the subprogram level, +either in combination with or as a replacement for unit testing. In the +high proportion of cases where proofs can be discharged automatically, +the cost of writing unit tests may be completely avoided. Moreover, +verification by proofs covers all execution conditions and not just a sample. + +Here is an example of SPARK code: + +.. code-block:: ada + + package Example is + N : Positive := 100; -- N constrained to 1 .. Integer'Last + + procedure Decrement (X in out Integer) + with Global => (Input => N), + Depends => (X => (X, N)), + Pre => X >= Integer'First + N, + Post => X = X'Old - N; + end Example; + + package body Example is + procedure Decrement (X in out Integer) is + begin + X := X - N; + end Decrement; + end Example; + +The :ada:`with` constructs, known as "aspects", here define the +:ada:`Decrement` procedure's contracts: + +* :ada:`Global`: the only access to non-local data is to read the value of + :ada:`N` + +* :ada:`Depends`: the value of :ada:`X` on return depends only on :ada:`N` + and the value of :ada:`X` on entry + +* :ada:`Pre`: a Boolean condition that the procedure assumes on entry + +* :ada:`Post`: a Boolean condition that the subprogram guarantees on return + +In this example the SPARK tool can verify the :ada:`Global` and :ada:`Depends` +contracts and can also prove several dynamic properties: no run-time errors +will occur during execution of the :ada:`Decrement` procedure, and, if the +:ada:`Pre` contract is met when the procedure is invoked then the :ada:`Post` +contract will be satisfied on return. + +SPARK (and the SPARK proof tools) work with Ada 2012 syntax, but a SPARK +program can also be expressed in Ada 95, with contracts captured as pragmas. + +Ease of Adoption +~~~~~~~~~~~~~~~~ + +User experience has shown that the language and the SPARK Pro toolset +do not require a steep learning curve. Training material such as +AdaCore's online AdaLearn course for SPARK +:footcite:p:`Space_SW_AdaCore_AdaLearn` can quickly bring developers +up to speed; users are assumed to be experts in their own application +domain such as space technology and do not need to be familiar with +formal methods or the proof approaches implemented by the toolset. In +effect, SPARK Pro is an advanced static analysis tool that will detect +many logic errors and security vulnerabilities very early in the +software life cycle. It can be smoothly integrated into an +organization's existing development and verification methodology and +infrastructure. + +SPARK uses the standard Ada 2012 contract syntax, which both simplifies the +learning process and also allows new paradigms of software verification. +Programmers familiar with writing executable contracts for run-time assertion +checking can use the same approach but with additional flexibility: the +contracts can be verified either dynamically through classical run-time +testing methods or statically (i.e., pre-compilation and pre-test) using +automated tools. + +.. index:: single: SPARK language; Levels of adoption + +.. _Levels_of_Adoption_of_Formal_Methods: + +Levels of Adoption of Formal Methods +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Formal methods are not an "all or nothing" technique. It is possible and +in fact advisable for an organization to introduce the methodology in a +stepwise manner, with the ultimate level depending on the assurance +requirements for the software. This approach is documented in +:footcite:p:`Space_SW_AdaCore_Thales_2020`, +which details the levels of adoption, including the benefits and costs at +each level, based on the practical experience of a major aerospace company +in adopting formal methods incrementally; the development team did not have +previous knowledge of formal methods. The levels are additive; all the +checks at one level are also performed at the next higher level. + +Stone level: Valid SPARK +^^^^^^^^^^^^^^^^^^^^^^^^ + +As the first step, a project can implement as much of the code as is possible +in the SPARK subset, run the SPARK analyzer on the codebase (or new code), +and look at violations. For each violation, the developer can decide whether +to convert the code to valid SPARK or exclude it from analysis. The benefits +include easier maintenance for the SPARK modules (no aliasing, no side effects +in functions) and project experience with the basic usage of formal methods. +The costs include the effort that may be required to convert the code to SPARK +(especially if there is heavy use of pointers). + +Bronze level: Initialization and correct data flow +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This level entails performing flow analysis on the SPARK code to verify +intended data usage. The benefits include assurance of no reads of +uninitialized variables, no interference between parameters and global +objects, no unintended access to global variables, and no race conditions +on accesses to shared data. The costs include a conservative analysis of +arrays (since indices may be computed at run time) and potential +"false alarms" that need to be inspected. + +.. index:: single: SPARK language; Absence of run-time errors (AORTE) + +Silver level: Absence of run-time errors (AORTE) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +At the Silver level, the SPARK proof tool performs flow analysis, locates all +potential run-time checks (e.g., array indexing), and then attempts to prove +that none will fail. If the proof succeeds, this brings all the benefits of +the Bronze level plus the ability to safely compile the final executable +without exception checks. Critical software should aim for at least this +level. The cost is the additional effort needed to obtain provability. +In some cases (if the programmer knows that an unprovable check will always +succeed, for example because of hardware properties) it may be necessary to +augment the code with pragmas to help the prover. + +Gold level: Proof of key integrity properties +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +At the Gold level, the proof tool will verify properties such as correctness +of critical data invariants or safe transitions between program states. +Subprogram pre- and postconditions and subtype predicates are especially +useful here, as is "ghost" code that serves only for verification and is not +part of the executable. A benefit is that the proofs can be used for safety +case rationale, to replace certain kinds of testing. The cost is increased +time for tool execution, and the possibility that some properties may be +beyond the abilities of current provers. + +Platinum level: Full functional correctness +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +At the Platinum level, the algorithmic code is proved to satisfy its formally +specified functional requirements. This is still a challenge in practice for +realistic programs but may be appropriate for small critical modules, +especially for security-critical systems at high Evaluation Assurance Levels +where formal methods can provide the needed confidence. + +.. index:: single: SPARK language; Hybrid verification + +.. _Hybrid_Verification: + +Hybrid Verification +~~~~~~~~~~~~~~~~~~~ + +Hybrid verification combines formal methods with traditional testing. +A typical scenario is an in-progress project that is based on testing but +which has high-assurance requirements that can best be demonstrated +through formal methods. The new code will be in SPARK; and the adoption +level depends on the experience of the project team (typically Stone at +the start, then progressing to Bronze or Silver). The existing codebase +may be in Ada or other languages. To maximize the precision of the SPARK +analysis, the subprograms that the SPARK code will be invoking should +have relevant pre- and postconditions expressing the subprograms' low-level +requirements. If the non-SPARK code is not in Ada, then the pre- and +postconditions should be included on the Ada subprogram specification +corresponding to the imported function; here is an example. + +.. code-block:: ada + + function getascii return Interfaces.C.unsigned_char + with Post => getascii'Result in 0..127; + + pragma Import (C, getascii); + -- Interfaces.C.unsigned_char is a modular (unsigned) + -- integer type, typically ranging from 0 through 255 + + procedure Example is + N : Interfaces.C.unsigned_char range 0 .. 127; + begin + N := getascii; + -- SPARK can prove that no range check is needed + end Example; + +The verification activity depends on whether the formally verified code +invokes the tested code or vice versa. + +* The SPARK code calls a tested subprogram + + If the tested subprogram has a precondition, the SPARK code is checked + at each call site to see if the precondition is met. Any call that the + proof tool cannot verify for compliance with the precondition needs to be + inspected to see why the precondition cannot be proved. It could be a + problem with the precondition, a problem at the call site, or a limitation + of the prover. + + The postcondition of the called subprogram can be assumed to be valid at + the point following the return, although the validity needs to be + established by testing. In the example above, testing would + need to establish that the :ada:`getascii` function only returns a result + in the range 0 through 127. + +* The SPARK code is invoked from tested code + + Testing would need to establish that, at each call, the precondition of the + SPARK subprogram is met. Since the SPARK subprogram has been formally + verified, at the point of return the subprogram’s postcondition is known + to be satisfied. Testing of the non-SPARK code can take advantage of this + fact, thereby reducing the testing effort. + +Hybrid verification can be performed within a single module; e.g., a package +can specify different sections where SPARK analysis is or is not to be +performed. + +.. index:: single: SPARK language; ECSS standards support + +.. _SPARK_and_the_ECSS_Standards: + +SPARK and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In summary, the qualities that make Ada an appropriate choice for space +software also apply to SPARK (see :ref:`Ada_and_the_ECSS_Standards`). +And specific to SPARK, the static determination that the code is free +from run-time errors ("Silver" level of SPARK adoption) can significantly +reduce the effort in showing that the application is sufficiently safe +and secure. + +The use of SPARK can help the software supplier meet the requirements in the +following sections of |E-ST-40C| and |Q-ST-80C|: + +* |E-ST-40C| + + * |sect|\ 5.4 Software requirements and architecture engineering process + + * |sect|\ 5.4.3 Software architecture design + + * |sect|\ 5.5 Software design and implementation engineering process + + * |sect|\ 5.5.2 Design of software items + + * |sect|\ 5.8 Software verification process + + * §5.8.3 Verification activities + + * |sect|\ 5.10 Software maintenance process + + * |sect|\ 5.10.4 Modification implementation + + * |sect|\ 5.11 Software security process + + * |sect| 5.11.2 Process implementation + + * |sect| 5.11.3 Software security analysis + + * |sect| 5.11.5 Security activities in the software life cycle + + * Annex U Software code verification + +* |Q-ST-80C| + + * |sect|\ 6.2 Requirements applicable to all software engineering processes + + * |sect|\ 6.2.3 Handling of critical software + + * |sect|\ 6.2.9 Software security + + * |sect|\ 6.2.10 Handling of security sensitive software + + * |sect|\ 6.3 Requirements applicable to individual software engineering + processes or activities + + * |sect|\ 6.3.4 Coding + + * |sect|\ 7.2 Product quality requirements + + * |sect|\ 7.2.2 Design and related documentation + +Note in particular that the SPARK language directly addresses several criteria +in |Q-ST-80C| requirement 6.2.3.2a: + +* "use of a 'safe subset' of programming language" +* "use of formal design language for formal proof" + +Further details on how SPARK and SPARK Pro can contribute to compliance +with the ECSS standards are presented in :ref:`Compliance_with_ECSS-E-ST-40C` +and :ref:`Compliance_with_ECSS-Q-ST-80C`. + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-dva-cwe.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-dva-cwe.csv new file mode 100644 index 000000000..bfc6cb76e --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-dva-cwe.csv @@ -0,0 +1,18 @@ +CWE weakness,Description +"CWE 120, 124, 125, 126, 127, 129, 130, 131",Buffer overflow/underflow +"CWE 136, 137","Variant record field violation, Use of incorrect type in inheritance hierarchy" +"CWE 190, 191",Numeric overflow/underflow +"CWE 362, 366",Race condition +CWE 369,Division by zero +CWE 457,Use of uninitialized variable +CWE 476,Null pointer dereference +CWE 561,Dead (unreachable) code +CWE 563,Unused or redundant assignment +CWE 570,Expression is always false +CWE 571,Expression is always true +CWE 628,Incorrect arguments in call +CWE 667,Improper locking +CWE 682,Incorrect calculation +CWE 820,Missing synchronization +CWE 821,Incorrect synchronization +CWE 835,Infinite loop diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-object-coverage-vs-criticality.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-object-coverage-vs-criticality.csv new file mode 100644 index 000000000..8e8a807cf --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-object-coverage-vs-criticality.csv @@ -0,0 +1,2 @@ +Code coverage versus criticality category,A,B,C,D +Object code coverage,100.00%,N/A,N/A,N/A diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-source-coverage-vs-criticality.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-source-coverage-vs-criticality.csv new file mode 100644 index 000000000..938e1600a --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-source-coverage-vs-criticality.csv @@ -0,0 +1,4 @@ +Code coverage versus criticality category,A,B,C,D +Source code statement coverage,100.00%,100.00%,TBA,TBA +Source code decision coverage,100.00%,100.00%,TBA,TBA +Source code modified condition and decision coverage,100.00%,TBA,TBA,TBA diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-spark-cwe.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-spark-cwe.csv new file mode 100644 index 000000000..e10e492ce --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-spark-cwe.csv @@ -0,0 +1,22 @@ +CWE Weakness,Description +"CWE 119, 120, 123, 124, 125, 126, 127, 129, 130, 131",Buffer overflow/underflow +"CWE 136, 137","Variant record field violation, Use of incorrect type in inheritance hierarchy" +CWE 188,Reliance on data layout +"CWE 190, 191",Numeric overflow/underflow +CWE 193,Off-by-one error +CWE 194,Unexpected sign extension +CWE 197,Numeric truncation error +"CWE 252, 253",Unchecked or incorrectly checked return value +CWE 366,Race Condition +CWE 369,Division by zero +"CWE 456, 457",Use of uninitialized variable +"CWE 466, 468, 469",Pointer errors +CWE 476,Null pointer dereference +CWE 562,Return of stack variable address +CWE 563,Unused or redundant assignment +CWE 682,Range constraint violation +"CWE 786, 787, 788, 805",Buffer access errors +CWE 820,Missing synchronization +CWE 821,Incorrect synchronization +"CWE 822, 823, 824, 825",Pointer errors +CWE 835,Infinite loop diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-e40C-compliance-summary.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-e40C-compliance-summary.csv new file mode 100644 index 000000000..f2816aff2 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-e40C-compliance-summary.csv @@ -0,0 +1,10 @@ +.. csv-table:: Technology Support for ECSS-E-ST-40C Compliance + + Technology, |sect|\ 5.4, |sect|\5.5, |sect|\ 5.6, |sect|\ 5.7, |sect|\ 5.8, |sect|\ 5.9, |sect|\ 5.10, |sect|\ 5.11, Annex U + Ada language, |check| , |check| , |blankcell|, |blankcell|, |check| , |blankcell|, |check| , |check| , |check| + SPARK language, |check| , |check| , |blankcell|, |blankcell|, |check| , |blankcell|, |check| , |check| , |check| + GNAT Pro for Ada, |check| , |check| , |check| , |check| , |check| , |blankcell|, |check| , |check| , |check| + SPARK Pro, |check| , |check| , |check| , |blankcell|, |check| , |blankcell|, |check| , |check| , |check| + GNAT SAS, |blankcell|, |check| , |check| , |blankcell|, |check| , |blankcell|, |check| , |check| , |check| + GNAT DAS, |blankcell|, |check| , |check| , |blankcell|, |check| , |blankcell|, |check| , |check| , |blankcell| + GNAT Pro Assurance, |check| , |check| , |check| , |check| , |check| , |check| , |check| , |check| , |check| \ No newline at end of file diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-q80c-compliance-summary.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-q80c-compliance-summary.csv new file mode 100644 index 000000000..ad84ef269 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-technology-q80c-compliance-summary.csv @@ -0,0 +1,11 @@ +.. csv-table:: Technology Support for ECSS-Q-ST-80C Compliance + + Technology, |sect|\ 5 , |sect|\6 , |sect|\ 7 + Ada language, |blankcell|, |check| , |check| + SPARK language, |blankcell|, |check| , |check| + GNAT Pro for Ada, |check| , |check| , |check| + SPARK Pro, |check| , |check| , |check| + GNAT SAS, |check| , |check| , |check| + GNAT DAS, |check| , |check| , |check| + GNAT Pro Assurance, |check| , |check| , |check| + IDE, |check| , |check| , |check| \ No newline at end of file diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-verification-support.csv b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-verification-support.csv new file mode 100644 index 000000000..6aa50db14 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/table-verification-support.csv @@ -0,0 +1,32 @@ +.. Not needed, it was converted to a grid table + +.. csv-table:: + :header-rows: 1 + :widths: 23, 37, 40 + + Verification check #,Technology,Explanation + 1,Ada language,Run-time check\ :superscript:`*` + 1,SPARK language,Static check + 1,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 2,Ada language,Run-time check\ :superscript:`*` + 2,SPARK language,Static check + 2,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 3,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 3,GNATcheck (in GNAT Static Analysis Suite),User-defined rule + 4,Ada and SPARK languages, Static check + 5,Ada and SPARK languages, Static check + 5,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 6,Ada and SPARK languages, Static check + 7,Ada and SPARK languages, Static check + 8,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 9,Ada language,Run-time check\ :superscript:`*` + 9,SPARK language,Static check + 9,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 10,SPARK language,Static check + 10,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 11,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 12,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + 12,Ada Language,Run-time check\ :superscript:`***` + 13,Ada and SPARK languages, Static check + 14,Defects and Vulnerability Analyzer (in GNAT Static Analysis Suite),Static check\ :superscript:`**` + diff --git a/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst new file mode 100644 index 000000000..5cc5a712c --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/chapters/tools.rst @@ -0,0 +1,1320 @@ +.. include:: ../../../global.txt + +.. _Tools_for_Space_Software_Development: + +Tools for Space Software Development +==================================== + +This chapter explains how suppliers of space software can benefit from +AdaCore's products. The advantages stem in general from reduced life cycle +costs for developing and verifying high-assurance software. More +specifically, in connection with space software qualification, several +tools can help to show that an application complies with the requirements +in |E-ST-40C| and |Q-ST-80C|. + +.. index:: Software life cycle, "V" diagram (software life cycle) + +AdaCore Tools and the Software Life Cycle +----------------------------------------- + +The software life cycle is often depicted as a "V" diagram, and the figure below +shows how AdaCore's major products fit into the various stages. Although the +stages are rarely performed as a single sequential process |mdash| the phases +typically involve feedback / iteration, and requirements often evolve as a +project unfolds |mdash| the "V" chart is useful in characterizing the various +kinds of activities that occur. + +.. figure:: ../images/v-diagram.png + :align: center + +As can be seen in the figure, AdaCore's toolsuites apply towards the bottom +of the "V". In summary: + +.. index:: single: SPARK Pro; Software life cycle +.. index:: single: Software life cycle; SPARK Pro + +* The SPARK Pro static analysis toolsuite + (see :ref:`Static_Verification_SPARK_Pro`) applies during Detailed Design and + Software Development. It includes a proof tool that verifies properties + ranging from correct information flows to functional correctness. + +.. index:: single: GNAT Pro for Ada; Software life cycle +.. index:: single: Software life cycle; GNAT Pro + +* The GNAT Pro development environment + (see :ref:`GNAT_Pro_Development_Environment`) applies during + Detailed Design, Software Development, and Unit Testing. It consists of + gcc-based program build tools, an integrated and tailorable graphical user + interface, accompanying tools, and a variety + of supplemental libraries (including some for which qualification material + is available for |E-ST-40C| and |Q-ST-80C|.) + +.. index:: single: GNAT Static Analysis Suite (GNAT SAS); Software life cycle +.. index:: single: Software life cycle; GNAT Static Analysis Suite (GNAT SAS) + +* The GNAT Static Analysis Suite + (see :ref:`Static_Verification_GNAT_Static_Analysis_Suite_GNAT_SAS`) + applies during Software Development. It contains a variety of tools for Ada, + including a vulnerability detector that can be used retrospectively to + detect issues in existing codebases and/or during new projects to prevent + errors from being introduced. + +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); Software life cycle +.. index:: single: Software life cycle; GNAT Dynamic Analysis Suite (GNAT DAS) + +* The GNAT Dynamic Analysis Suite + (see :ref:`GNAT_Dynamic_Analysis_Suite_GNAT_DAS`) applies during Software + Development and Unit Testing. One of these tools, GNATcoverage, supports + code coverage and reporting at various levels of granularity for both Ada + and C. It can be used during unit and integration testing. + +The following sections describe the tools in more detail and show how they can +assist in developing and verifying space system software. + +.. index:: single: SPARK Pro; Static verification + +.. _Static_Verification_SPARK_Pro: + +Static Verification: SPARK Pro +------------------------------ + +SPARK Pro is an advanced static analysis toolsuite for the SPARK subset of +Ada, bringing mathematics-based confidence to the verification of critical +code. Built around the GNATprove formal analysis and proof tool, SPARK Pro +combines speed, flexibility, depth and soundness, while minimizing the +generation of "false alarms". It can be used for new high-assurance code +(including enhancements to or hardening of existing codebases at lower +assurance levels, written in full Ada or other languages such as C) or +projects where the existing high-assurance coding standard is sufficiently +close to SPARK to ease transition. + +Powerful Static Verification +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The SPARK language supports a wide range of static verification techniques. +At one end of the spectrum is basic data- and control-flow analysis; i.e., +exhaustive detection of errors such as attempted reads of uninitialized +variables, and ineffective assignments (where a variable is assigned a +value that is never read). For more critical applications, dependency +contracts can constrain the information flow allowed in an application. +Violations of these contracts |mdash| potentially representing violations +of safety or security policies |mdash| can then be detected even before +the code is compiled. + +In addition, SPARK supports mathematical proof and can thus provide high +confidence that the software meets a range of assurance requirements: +from the absence of run-time exceptions, to the enforcement of safety or +security properties, to compliance with a formal specification of the +program's required behavior. + +As described earlier (see :ref:`Levels_of_Adoption_of_Formal_Methods`), +the SPARK technology can be introduced +incrementally into a project, based on the assurance requirements. Each +level, from Bronze to Platinum, comes with associated benefits and costs. + +.. index:: single: SPARK Pro; Minimal run-time footprint + +Minimal Run-Time Footprint +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Developers of systems with security requirements are generally advised to +"minimize the trusted computing base", making it as small as possible so that +high-assurance verification is feasible. However, adhering to this principle +may be difficult if a Commercial Off-the-Shelf (COTS) library or operating +system is used: how are these to be evaluated or verified without the close +(and probably expensive) cooperation of the COTS vendor? + +For the most critical embedded systems, SPARK supports the so-called +"Bare-Metal" development style, where SPARK code is running directly on a +target processor with little or no COTS libraries or operating system at all. +SPARK is also designed to be compatible with GNAT Pro's Light run-time +library. In a Bare-Metal / light run-time development, every byte of object +code can be traced to the application’s source code and accounted for. +This can be particularly useful for systems that must undergo evaluation by +a national technical authority or regulator. + +SPARK code can also run with a specialized run-time library on top of a +real-time operating system (RTOS), or with a full Ada run-time library and +a commercial desktop operating system. The choice is left to the system +designer, not imposed by the language. + +.. index:: single: SPARK Pro; CWE compatibility +.. index:: single: Common Weakness Enumeration (CWE) compatibility; SPARK Pro +.. index:: MITRE Corporation + +CWE Compatibility +~~~~~~~~~~~~~~~~~ + +SPARK Pro detects a number of dangerous software errors in The MITRE +Corporation's Common Weakness Enumeration (CWE), and the tool has been +certified by the MITRE Corporation as a "CWE-Compatible" product +:footcite:p:`Space_SW_MITRE_Web`. + +The table below lists the CWE weaknesses detected by SPARK Pro: + +.. csv-table:: SPARK Pro and the CWE + :file: table-spark-cwe.csv + :widths: 20, 70 + :header-rows: 1 + +.. index:: single: SPARK Pro; ECSS standards support + +SPARK Pro and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +SPARK Pro can help a space software supplier in various ways. At a general +level, the technology supports the development of analyzable and portable +code: + +* The tool enforces a number of Ada restrictions that are appropriate for + high-assurance software. For example, the use of tasking constructs outside + the Ravenscar subset will be flagged. + +* The full Ada language has several implementation dependencies that can + result in the same source program yielding different results when compiled + by different compilers. For example, the evaluation order in expressions is + not specified, and different orderings may produce different values if one + of the terms has a side effect. (A detailed discussion of this issue and its + mitigation may be found in :footcite:p:`Space_SW_Brosgol_2021`.) + Such implementation dependencies are either prohibited in SPARK and thus + detected by SPARK Pro, or else they do not affect the computed result. + In either case the use of SPARK Pro eases the effort in porting the code + from one environment to another. + +More specifically, using the SPARK Pro technology can help the supplier meet +|E-ST-40C| and |Q-ST-80C| requirements in a number of areas. These comprise +the ones mentioned earlier (see :ref:`SPARK_and_the_ECSS_Standards`) that +relate to the SPARK language, together with the following: + +* |E-ST-40C| + + * §5.4 Software requirements and architecture engineering process + + * §5.4.3 Software architecture design + + * §5.5 Software design and implementation engineering process + + * §5.5.2 Design of software items + + * §5.6 Software validation process + + * §5.6.3 Validation activities with respect to the technical + specification + * §5.6.4 Validation activities with respect to the requirements + baseline + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + + * §5.11.3 Software security analysis + + * §5.11.5 Security activities in the software life cycle + + * Annex U - Software code verification + +* ECSS-Q-ST-80C + + * §5.6 Tools and supporting environment + + * §5.6.1 Methods and tools + + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + + * §6.2.9 Software security + + * §6.2.10 Handling of security sensitive software + + * §6.3 Requirements applicable to individual software engineering processes or activities + + * §6.3.4 Coding + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + + * §7.2 Product quality requirements + + * §7.2.3 Test and validation documentation + +Details are provided in chapters :ref:`Compliance_with_ECSS-E-ST-40C` and +:ref:`Compliance_with_ECSS-Q-ST-80C`. + +.. _GNAT_Pro_Development_Environment: + +GNAT Pro Development Environment +-------------------------------- + +.. index:: GNAT Pro for C, GNAT Pro for C++, GNAT Pro for Rust + +This section summarizes the main features of the two editions of AdaCore's +|gnatpro| language toolsuite, *Enterprise* and *Assurance*. +These editions correspond to different levels of customer requirements and +are available for Ada, C, C++, and Rust. + +.. index:: single: GNAT Pro for Ada; Summary + +Based on the GNU GCC technology, |gnatpro| for Ada supports the |ada-83|, +|ada-95|, |ada-2005|, and |ada-2012| standards, as well as selected features +of |ada-2022|. It includes: + +* several Integrated Development Environments + (See :ref:`Integrated_Development_Environments_IDEs`); +* a comprehensive toolsuite including a stack analysis tool + (see :ref:`GNATstack`) and a visual debugger; +* a library that enables customers to develop their own + source analysis tools for project-specific needs + (see :ref:`Libadalang`); and +* other useful libraries and bindings. + +For details on the tools and libraries supplied with |gnatpro| for +Ada, see :footcite:p:`Space_SW_AdaCore_Web_UG_Native` and +:footcite:p:`Space_SW_AdaCore_Web_UG_Cross`. + +Other |gnatpro| products handle multiple versions of C (from C89 +through C18), C++ (from C++98 through C++17), and Rust. + +.. index:: GNAT Pro Enterprise + +.. _GNAT_Pro_Enterprise: + +GNAT Pro Enterprise +~~~~~~~~~~~~~~~~~~~ + +*GNAT Pro Enterprise* is a development environment for producing critical +software systems where reliability, efficiency, and maintainability are +essential. +Several features of |gnatpro| for Ada are noteworthy: + +.. rubric:: Run-Time Library Options + +The product allows a variety of choices for the run-time +library, based on the target platform. In addition to the Standard run-time, +which is available for platforms that can support the full language +capabilities, the product on some bare-metal or RTOS targets also includes +restricted libraries that reduce the footprint and/or help simplify safety +certification: + +.. index:: single: GNAT Pro Enterprise; Light run-time library +.. index:: Light run-time library + +* The *Light Run-Time* library offers a minimal application footprint while + retaining compatibility with the SPARK subset and verification tools. + It supports a non-tasking Ada subset suitable for certification / + qualification and/or storage-constrained embedded applications. + It supersedes the ZFP (Zero FootPrint) and Cert run-time libraries from + previous |gnatpro| releases. + +.. index:: single: GNAT Pro Enterprise; Light-tasking run-time library +.. index:: Light-tasking run-time library +.. index:: Ravenscar profile +.. index:: Jorvik profile + +* The *Light-Tasking Run-Time* library augments the Light run-time library + with support for the Ravenscar and Jorvik tasking profiles. It supersedes the + Ravenscar-Cert and Ravenscar-SFP libraries from previous |gnatpro| releases. + +.. index:: single: GNAT Pro Enterprise; Embedded run-time library +.. index:: Embedded run-time library + +* The *Embedded Run-Time* library provides a subset of the Standard + Ada run-time library suitable for target platforms lacking file I/O and + networking support. It supersedes the Ravenscar-Full library from previous + |gnatpro| releases. + +Although limited in terms of dynamic Ada semantics, these predefined libraries +fully support static Ada constructs such as private types, generic templates, +and child units. Some dynamic semantics are also supported. For example, +tagged types (at library level) and other Object-Oriented Programming features +are supported, as is dynamic dispatching. +The general use of dynamic dispatching at the application level can be +prevented through pragma :ada:`Restrictions`. + +Details on these libraries may be found in the "Predefined GNAT Pro +Run-Times" chapter of :footcite:p:`Space_SW_AdaCore_Web_UG_Cross`. + +.. index:: single: Run-time libraries; Qualification at criticality category B +.. index:: single: Run-time libraries; Configurability + +Adapted versions of the earlier ZFP and Ravenscar-Cert libraries have been +qualified under |E-ST-40C| and |Q-ST-80C| at criticality category B. + +.. rubric:: Run-Time Library Configurability + +A traditional problem with predefined profiles is their inflexibility: +if a feature outside a given profile is needed, then it is the developer's +responsibility to address the certification issues deriving from its use. +|gnatpro| for Ada accommodates this need by allowing the developer to define +a profile for the specific set of features that are used. Typically this will +be for features with run-time libraries that require associated certification +materials. Thus the program will have a tailored run-time library supporting +only those features that have been specified. + +More generally, the configurable run-time capability allows specifying support +for Ada's dynamic features in an à la carte fashion ranging from none +at all to full Ada. +The units included in the executable may be either a subset of +the standard libraries provided with |gnatpro|, or specially tailored to the +application. This latter capability is useful, for example, if one of the +predefined profiles implements almost all the dynamic functionality needed +in an existing system that has to meet new safety-critical requirements, +and where the costs of adapting the application without the additional +run-time support are considered prohibitive. + +.. index:: single: GNAT Pro for Ada; Enhanced data validity checking + +.. rubric:: Enhanced Data Validity Checking + +Improper or missing data validity checking is a notorious source of security +vulnerabilities in software systems. Ada has always offered range checks for +scalar subtypes, but |gnatpro| goes further, offering enhanced validity +checking that can protect a program against malicious or accidental memory +corruption, failed I/O devices, and so on. This feature is particularly useful +in combination with automatic Fuzz testing, since it offers strong defense +for invalid data at the software boundary of a system. + +.. index:: GNAT Pro Assurance + +GNAT Pro Assurance +~~~~~~~~~~~~~~~~~~ + +*GNAT Pro Assurance* extends GNAT Pro Enterprise with specialized support, +including bug fixes and "known problems" analyses, on a specific version of +the toolchain. This product edition is especially suitable for applications +with long-lived maintenance cycles or assurance requirements, since critical +updates to the compiler or other product components may become necessary +years after the initial release. + +.. index:: single: GNAT Pro Assurance; Sustained branches +.. index:: Sustained branches + +.. _Sustained_Branches: + +Sustained Branches +^^^^^^^^^^^^^^^^^^ + +Unique to GNAT Pro Assurance is a service known as a "sustained branch": +customized support and maintenance for a specific version of the product. +A project on a sustained branch can monitor relevant known problems, +analyze their impact and, if needed, update to a newer version of the +product on the same development branch (i.e., not incorporating changes +introduced in later versions of the product). + +Sustained branches are a practical solution to the problem of ensuring +toolchain stability while allowing flexibility in case an upgrade is +needed to correct a critical problem. + +.. index:: single: GNAT Pro Assurance; Source to object traceability + +Source to Object Traceability +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Source-to-object traceability is required in standards such as |do-178c|, +and a |gnatpro| compiler option can limit the use of language constructs +that generate object code that is not directly traceable to the source +code. As an add-on service, AdaCore can perform an analysis that +demonstrates this traceability and justifies any remaining cases of +non-traceable code. + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Supplementing the support provided by GNAT Pro for Ada +(see :ref:`GNAT_Pro_and_the_ECSS_Standards`), GNAT Pro Assurance +helps compliance with the following requirements from |E-ST-40C| +and |Q-ST-80C|: + +* |E-ST-40C| + + * §5.9 Software operation process + + * §5.9.2 Process implementation + * §5.9.4 Software operation support + * §5.9.5 User support + +* |Q-ST-80C| + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.6 Verification + + * §6.3 Requirements applicable to individual software engineering processes or activities + + * §6.3.9 Maintenance + +.. index:: single: GNAT Pro for Ada; Libadalang +.. index:: Libadalang + +.. _Libadalang: + +Libadalang +~~~~~~~~~~ + +Libadalang is a library included with GNAT Pro that gives applications access +to the complete syntactic and semantic structure of an Ada compilation unit. +This library is typically used by tools that need to perform some sort of +static analysis on an Ada program. + +AdaCore can assist customers in developing libadalang-based tools to meet +their specific needs, as well as develop such tools upon request. + +Typical libadalang applications include: + +* Static analysis (property verification) +* Code instrumentation +* Design and document generation tools +* Metric testing or timing tools +* Dependency tree analysis tools +* Type dictionary generators +* Coding standard enforcement tools +* Language translators (e.g., to CORBA IDL) +* Quality assessment tools +* Source browsers and formatters +* Syntax directed editors + +.. index:: GNATstack +.. index:: single: GNAT Pro for Ada; GNATstack + +.. _GNATstack: + +GNATstack +~~~~~~~~~ + +GNATstack is a static analysis tool included with |gnatpro| that enables an +Ada/C software developer to accurately predict the maximum size of the memory +stack required for program execution. + +GNATstack statically predicts the maximum stack space required by each task +in an application. The computed bounds can be used to ensure that sufficient +space is reserved, thus guaranteeing safe execution with respect to stack +usage. The tool uses a conservative analysis to deal with complexities such +as subprogram recursion, while avoiding unnecessarily pessimistic estimates. + +This static stack analysis tool exploits data generated by the compiler to +compute worst-case stack requirements. It performs per-subprogram stack usage +computation combined with control flow analysis. + +GNATstack can analyze object-oriented applications, automatically determining +maximum stack usage on code that uses dynamic dispatching in Ada. +A dispatching call challenges static analysis because the identity of the +subprogram being invoked is not known until run time. GNATstack solves this +problem by statically determining the subset of potential targets (primitive +operations) for every dispatching call. This significantly reduces the +analysis effort and yields precise stack usage bounds on complex Ada code. + +GNATstack's analysis is based on information known at compile time. When the +tool indicates that the result is accurate, the computed bound can never be +exceeded. + +On the other hand, there may be cases in which the results will not be +accurate (the tool will report such situations) because of some missing +information (such as the maximum depth of subprogram recursion, indirect +calls, etc.). The user can assist the tool by specifying missing call graph +and stack usage information. + +GNATstack's main output is the worst-case stack usage for every entry point, +together with the paths that result in these stack sizes. +The list of entry points can be automatically computed (all the tasks, +including the environment task) or can be specified by the user (a list of +entry points or all the subprograms matching a given regular expression). + +GNATstack can also detect and display a list of potential problems when +computing stack requirements: + +* Indirect (including dispatching) calls. The tool will indicate the number + of indirect calls made from any subprogram. +* External calls. The tool displays all the subprograms that are reachable + from any entry point for which there is no stack or call graph information. +* Unbounded frames. The tool displays all the subprograms that are reachable + from any entry point with an unbounded stack requirement. + The required stack size depends on the arguments passed to the subprogram. + For example: + + .. code-block:: ada + + procedure P(N : Integer) is + S : String (1..N); + begin + ... + end P; + +* Cycles. The tool can detect all the cycles (i.e., potential recursion) in + the call graph. + +GNATstack allows the user to supply a text file with the missing information, +such as the potential targets for indirect calls, the stack requirements for +external calls, and the maximal size for unbounded frames. + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The GNATstack tool can help meet several requirements +in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* ECSS-E-ST-40C + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.8.3.5f Verification of code / source code robustness + + * Annex U - Software code verification + + * Verification check 12 (memory leaks) + +* ECSS-Q-ST-80C + + * §5.6 Tools and supporting environment + + * §5.6.2 Development environment selection + + +.. index:: GNAT Pro for Rust +.. index:: Rust language support + +GNAT Pro for Rust +~~~~~~~~~~~~~~~~~ + +The Rust language was designed for software that needs to meet stringent +requirements for both assurance and performance: Rust is a memory-safe +systems-programming language with software integrity guarantees (in both +concurrent and sequential code) enforced by compile-time checks. The language +is seeing growing use in domains such as automotive systems and is a viable +choice for other high-assurance software. + +AdaCore's GNAT Pro for Rust is a complete development environment for the +Rust programming language, supporting both native builds and cross compilation +to embedded targets. The product is not a fork of the Rust programming +language or the Rust tools. Instead, GNAT Pro for Rust is a professionally +supported build of a selected version of rustc and other core Rust development +tools that offers stability for professional and high-integrity Rust projects. +Critical fixes to GNAT Pro for Rust are upstreamed to the Rust community, +and critical fixes made by the community to upstream Rust tools are backported +as needed to the GNAT Pro for Rust code base. +Additionally, the Assurance edition of GNAT Pro for Rust includes the +"sustained branch" service (see :ref:`Sustained_Branches`) that strikes the +balance between tool stability and project flexibility. + +.. index:: Integrated Development Environments (IDEs) + +.. _Integrated_Development_Environments_IDEs: + +Integrated Development Environments (IDEs) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. index:: single: Integrated Development Environments (IDEs); GNAT Studio +.. index:: GNAT Studio IDE + +GNAT Pro includes several graphical IDEs for invoking the build tools +and accompanying utilities and monitoring their outputs. + +GNAT Studio +^^^^^^^^^^^ + +GNAT Studio is a powerful and simple-to-use IDE that streamlines software +development from the initial coding stage through testing, debugging, system +integration, and maintenance. It is designed to allow programmers to get the +most out of GNAT Pro technology. + +.. rubric:: Functionality + +GNAT Studio's extensive navigation and analysis tools can generate a variety +of useful information including call graphs, source dependencies, +project organization, and complexity metrics, giving a thorough understanding +of a program at multiple levels. The IDE allows interfacing with third-party +version control systems, easing both development and maintenance. + +.. rubric:: Robustness, Flexibility and Extensibility + +Especially suited for large, complex systems, GNAT Studio can import existing +projects from other Ada implementations while adhering to their +file naming conventions and retaining the existing directory organization. +Through the multi-language capabilities of GNAT Studio, components +written in C and C++ can also be handled. The IDE is highly extensible; +additional tools can be plugged in through a simple scripting +approach. It is also tailorable, allowing various aspects of the program's +appearance to be customized in the editor. + +.. rubric:: Ease of Learning and Use + +GNAT Studio is intuitive to new users thanks to its menu-driven interface +with extensive online help (including documentation on all the +menu selections) and "tool tips". The Project Wizard makes it simple to get +started, supplying default values for almost all of the project properties. +For experienced users, it offers the necessary level of control for +advanced purposes; e.g., the ability to run command scripts. Anything that +can be done on the command line is achievable through the menu interface. + +.. rubric:: Support for Remote Programming + +Integrated into GNAT Studio, Remote Programming provides a secure and +efficient way for programmers to access any number of remote servers +on a wide variety of platforms while taking advantage of the power and +familiarity of their local PC workstations. + +.. index:: single: Integrated Development Environments (IDEs); VS Code support +.. index:: VS Code support + +VS Code Extensions for Ada and SPARK +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +AdaCore's extensions to Visual Studio Code (VS Code) enable Ada and SPARK +development with a lightweight editor, as an alternative to the full +GNAT Studio IDE. Functionality includes: + +* Syntax highlighting for Ada and SPARK files +* Code navigation +* Error diagnostics (errors reported in the Problems pane) +* Build integration (execution of GNAT-based toolchains from within VS Code) +* Display of SPARK proof results (green/red annotations from GNATprove) +* Basic IntelliSense (completion and hover information for known symbols) + +.. index:: single: Integrated Development Environments (IDEs); GNATbench +.. index:: single: Integrated Development Environments (IDEs); Workbench +.. index:: single: Integrated Development Environments (IDEs); Eclipse +.. index:: Workbench IDE (Wind River) +.. index:: Eclipse IDE +.. index:: GNATbench IDE + +Eclipse Support |ndash| GNATbench +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +GNATbench is an Ada development plug-in for Eclipse and Wind River's Workbench +environment. The Workbench integration supports Ada development on a variety +of VxWorks real-time operating systems. The Eclipse version is primarily +for native applications, with some support for cross development. In both +cases the Ada tools are tightly integrated. + +.. index:: single: Integrated Development Environments (IDEs); GNATdashboard +.. index:: GNATdashboard IDE + +.. _GNATdashboard: + +GNATdashboard +^^^^^^^^^^^^^ + +GNATdashboard serves as a one-stop control panel for monitoring and improving +the quality of Ada software. It integrates and aggregates the results of +AdaCore's various static and dynamic analysis tools (GNATmetric, GNATcheck, +GNATcoverage, SPARK Pro, among others) within a common interface, helping +quality assurance managers and project leaders understand or reduce +their software's technical debt, and eliminating the need for manual input. + +GNATdashboard fits naturally into a continuous integration environment, +providing users with metrics on code complexity, code coverage, +conformance to coding standards, and more. + +.. index:: single: GNAT Pro for Ada; ECSS standards support + +.. _GNAT_Pro_and_the_ECSS_Standards: + +GNAT Pro and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +GNAT Pro can help meet a number of requirements in |E-ST-40C| and |Q-ST-80C|; +details are provided in chapters :ref:`Compliance_with_ECSS-E-ST-40C` and +:ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* |E-ST-40C| + + * §5.4 Software requirements and architecture engineering process + + * §5.4.3 Software architecture design + + * §5.5 Software design and implementation engineering process + + * §5.5.2 Design of software items + * §5.5.3 Coding and testing + * §5.5.4 Integration + + * §5.7 Software delivery and acceptance process + + * §5.7.3 Software acceptance + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.9 Software operation process + + * §5.9.2 Process implementation + + * §5.10 Software maintenance process + + * §5.10.2 Process implementation + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + + * §5.11.3 Software security analysis + + * §5.11.5 Security analysis in the software lifecycle + + * Annex U - Source code verification + + * Verification check 12 (memory leaks) + +* |Q-ST-80C| + + * §5.2 Software product assurance programme management + + * §5.2.7 Quality requirements and quality models + + * §5.6 Tools and supporting environments + + * §5.6.1 Methods and tools + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + * §6.2.6 Verification + * §6.2.9 Software security + + * §6.3 Requirements applicable to individual processes or activities + + * §6.3.4 Coding + * §6.3.9 Maintenance + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance objectives for product quality requirements + * §7.1.5 Basic metrics + +AdaCore's ZFP (Zero Footprint) minimal run-time library (superseded by +the Light run-time in current |gnatpro| releases) on LEON2 ELF has +been qualified at criticality category B, and the Ravenscar SFP (Small +Footprint) QUAL run-time library (superseded by the Light-Tasking +run-time) on LEON2 and LEON3 boards have been qualified at criticality +category B (see :footcite:p:`Space_SW_AdaCore_Web_2019b`). + +.. index:: GNAT Static Analysis Suite (GNAT SAS) + +.. _Static_Verification_GNAT_Static_Analysis_Suite_GNAT_SAS: + +Static Verification: GNAT Static Analysis Suite (GNAT SAS) +---------------------------------------------------------- + +GNAT SAS is a set of Ada static analysis tools that complement |gnatpro| +for Ada. These tools can save time and effort in general during software +development and verification, and they are useful in particular in +supporting compliance with ECSS standards. + +.. index:: single: GNAT Static Analysis Suite (GNAT SAS); Defects and Vulnerability Analyzer + +.. _Defects_and_Vulnerability_Analyzer: + +Defects and Vulnerability Analyzer +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +One of the main tools in GNAT SAS is an Ada source code analyzer that detects +run-time and logic errors that can cause safety or security vulnerabilities +in a codebase. +This tool inspects the code for potential bugs before program execution, +serving as an automated peer reviewer. +It can be used on existing codebases, thereby +helping vulnerability analysis during a security assessment or system +modernization, and when performing impact analysis during updates. +It can also be used on new projects, helping to find errors +early in the development life-cycle when they are +least costly to repair. Using control-flow, +data-flow, and other advanced static analysis techniques, this analysis tool +detects errors that would otherwise only be found through labor-intensive +debugging. + +The defects and vulnerability analyzer can be used from within the |gnatpro| +development environment, +or as part of a continuous integration regime. As a stand-alone tool, +it can also be used with projects that do not use |gnatpro| for +compilation. + +.. index:: single: Defects and Vulnerability Analyzer; CWE compatibility +.. index:: single: Common Weakness Enumeration (CWE) compatibility; Defects and Vulnerability Analyzer + +CWE Compatibility +^^^^^^^^^^^^^^^^^ + +The tool can detect a number of "Dangerous Software Errors" in the +MITRE Corporation's Common Weakness Enumeration, and the tool has been +certified (under its previous name, CodePeer) by The MITRE Corporation +as a "CWE-Compatible" product :footcite:p:`Space_SW_MITRE_Web`. + +Here are the weaknesses that are detected: + +.. csv-table:: Defects and Vulnerability Analyzer and the CWE + :header-rows: 1 + :widths: 20, 70 + :file: table-dva-cwe.csv + +.. index:: single: Defects and Vulnerability Analyzer; ECSS standards support + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The defects and vulnerability analyzer can help meet a number of requirements +in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* ECSS-E-ST-40C + + * §5.5 Software design and implementation engineering process + + * §5.5.2 Design of software items + + * §5.6 Software validation process + + * §5.6.3 Validation activities with respect to the technical specification + * §5.6.4 Validation activities with respect to the requirements baseline + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + * §5.11.3 Software security analysis + * §5.11.5 Software analysis in the software life cycle + + * Annex U - Software code verification + +* ECSS-Q-ST-80C + + * §5.6. Tools and supporting environment + + * §5.6.1 Methods and tools + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + * §6.2.6 Verification + * §6.2.9 Software security + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + +.. index:: single: GNAT Static Analysis Suite (GNAT SAS); GNATmetric +.. index:: GNATmetric + +.. _GNATmetric: + +GNATmetric +~~~~~~~~~~ + +GNATmetric is a static analysis tool that calculates a set of commonly used +industry metrics, thus allowing developers to estimate code complexity and +better understand the structure of the source program. This information also +facilitates satisfying the requirements of certain software development +frameworks and is useful in conjunction with GNATcheck (for example, in +reporting and limiting the maximum subprogram nesting depth). + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The GNATmetric tool can help meet a number of requirements +in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and +:ref:`Compliance_with_ECSS-Q-ST-80C`. +Here is a summary: + +* ECSS-E-ST-40C + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + +* ECSS-Q-ST-80C + + * §5.2 Software product assurance programme management + + * §5.2.7 Quality requirements and quality models + + * §6.3 Requirements applicable to individual software engineering processes or activities + + * §6.3.4 Coding + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + + * §7.1.5 Basic metrics + +.. index:: GNATcheck +.. index:: single: GNAT Static Analysis Suite (GNAT SAS); GNATcheck + +.. _GNATcheck: + +GNATcheck +~~~~~~~~~ + +GNATcheck is a coding standard verification tool that is extensible and +rule-based. It allows developers to completely define a project-specific +coding standard as a set of rules, for example a subset of permitted +language features and/or code formatting and style conventions. +It verifies a program's conformance with the resulting rules and thereby +facilitates demonstration of a system's compliance with a certification +standard's requirements on language subsetting. + +GNATcheck provides: + +* An integrated "Ada Restrictions" mechanism for banning specific features + from an application. This can be used to restrict features + such as tasking, exceptions, dynamic allocation, fixed- or floating point, + input/output, and unchecked conversions. + +* Restrictions specific to GNAT Pro, such as banning features that result + in the generation of implicit loops or conditionals + in the object code, or in the generation of elaboration code. + +* Additional Ada semantic rules resulting from customer input, such as + ordering of parameters, normalized naming of entities, and + subprograms with multiple returns. + +* An easy-to-use interface for creating and using a complete coding standard. + +* Generation of project-wide reports, including evidence of the level of + compliance with a given coding standard. + +* Over 30 compile-time warnings from GNAT Pro that detect typical error + situations, such as local variables being used before being + initialized, incorrect assumptions about array lower bounds, certain cases + of infinite recursion, incorrect data alignment, and accidental hiding of + names. + +* Style checks that allow developers to control indentation, casing, + comment style, and nesting level. + +AdaCore's :index:`GNATformat` tool +:footcite:p:`Space_SW_AdaCore_Web_GNATformat`, which formats Ada +source code according to the GNAT coding style +:footcite:p:`Space_SW_AdaCore_Coding_Style`, can help avoid having +code that violates GNATcheck rules. GNATformat is included in the GNAT +Pro for Ada toolchain. + +GNATcheck comes with a query language (LKQL, for Language Kit Query Language) +that lets developers define their own checks for any in-house rules that need +to be followed. +GNATcheck can thus be customized to meet an organization's specific +requirements, processes and procedures. + +Compliance with the ECSS Standards +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The GNATcheck tool can help meet a number of requirements +in |E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* ECSS-E-ST-40C + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.8.3.4 Verification of the software detailed design + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + * §5.11.3 Software security analysis + * §5.11.5 Software analysis in the software life cycle + + * Annex U - Software code verification + + * Verification check 3 (infinite loops) + * Verification check 4 (misuse of arithmetic and logical operators) + +* ECSS-Q-ST-80C + + * §5.6 Tools and supporting environment + + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + + + * §6.3 Requirements applicable to individual software engineering processes or activities + + * §6.3.4 Coding + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + + +.. index:: GNAT Dynamic Analysis Suite (GNAT DAS) + +.. _GNAT_Dynamic_Analysis_Suite_GNAT_DAS: + +GNAT Dynamic Analysis Suite (GNAT DAS) +-------------------------------------- + +.. index:: GNATtest +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATtest + +.. _GNATtest: + +GNATtest +~~~~~~~~ + +The GNATtest tool helps create and maintain a complete unit testing +infrastructure for complex projects. It captures +the simple idea that each public subprogram (these are known as +"visible" subprograms in Ada) should have at least one corresponding +unit test. GNATtest takes a project file as input, and produces two outputs: + +* The complete harnessing code for executing all the unit tests under + consideration. This code is generated completely automatically. + +* A set of separate test stubs for each subprogram to be tested. + These test stubs are to be completed by the user. + +.. index:: Liskov Substitution Principle (LSP) + +GNATtest handles Ada's Object-Oriented Programming features and can be used +to help verify tagged type substitutability (the Liskov Substitution +Principle) that can be used to demonstrate consistency of class hierarchies. + +Testing a private subprogram is outside the scope of GNATtest but can be +implemented by defining the relevant testing code in a private child of the +package that declares the private subprogram. +Additionally, hybrid verification can help (see :ref:`Hybrid_Verification`): +augmenting testing with the use of SPARK to formally prove relevant properties +of the private subprogram. + +.. index:: GNATemulator +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATemulator + +GNATemulator +~~~~~~~~~~~~ + +GNATemulator is an efficient and flexible tool that provides integrated, +lightweight target emulation. + +Based on the :index:`QEMU` technology, a generic and open-source machine +emulator and virtualizer, GNATemulator allows software developers to +compile code directly for their target architecture and run it on their +host platform, through an approach that translates from the +target object code to native instructions on the host. This avoids the +inconvenience and cost of managing an actual board, while offering an +efficient testing environment compatible with the final hardware. + +There are two basic types of emulators. The first can serve as a surrogate +for the final hardware during development for a wide range of verification +activities, particularly those that require time accuracy. However, they +tend to be extremely costly, and are often very slow. The second, which +includes GNATemulator, does not attempt to be a complete time-accurate +target board simulator, and thus it cannot be used for all aspects of +testing. But it does provide a very efficient and cost-effective way to +execute the target code very early in the development and verification +processes. GNATemulator thus offers a practical compromise between a native +environment that lacks target emulation capability, and a cross configuration +where the final target hardware might not be available soon enough or in +sufficient quantity. + +.. index:: GNATcoverage +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATcoverage + +.. _GNATcoverage: + +GNATcoverage +~~~~~~~~~~~~ + +GNATcoverage is a code coverage analysis tool. Its results are computed from +trace files that show which program constructs have been exercised by a given +test campaign. With source code instrumentation, the tool produces these files +by executing an alternative version of the program, built from source code +instrumented to populate coverage-related data structures. +Through an option to GNATcoverage, the user can specify the granularity of +the analysis: statement coverage, decision coverage, or Modified Condition / +Decision Coverage (MC/DC). + +Source-based instrumentation brings several major benefits: efficiency of tool +execution (much faster than alternative coverage strategies using binary +traces and target emulation, especially on native platforms), compact-size +source trace files independent of execution duration, and support for coverage +of shared libraries. + +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); GNATfuzz +.. index:: GNATfuzz +.. index:: Fuzz testing + +.. _GNATfuzz: + +GNATfuzz +~~~~~~~~ + +GNATfuzz is a fuzzing tool; i.e., a tool that automatically +and repeatedly executes tests and generates new test cases at a very high +frequency to detect faulty behavior of the system under test. Such anomalous +behavior is captured by monitoring the system for triggered exceptions, +failing built-in assertions, and signals such as SIGSEGV. + +Fuzz testing has proven to be an effective mechanism for finding corner-case +vulnerabilities that traditional human-driven verification mechanisms, +such as unit and integration testing, can miss. +Since such vulnerabilities can often lead to malicious exploitations, +fuzzing technology can help meet security verification +requirements. + +However, fuzz-testing campaigns are complex and time-consuming to construct, +execute and monitor. GNATfuzz simplifies the process by analyzing a code base +and identifying subprograms that can act as fuzz-test entry points. GNATfuzz +then automates the creation of test harnesses suitable for fuzzing. +In addition, GNATfuzz will automate the building, executing and analyzing +of fuzz-testing campaigns. + +GNATfuzz can serve a useful role as part of the software development +and verification life cycle processes. For example, by detecting +anomalous behavior such as data corruption due to +task or interrupt conflicts, GNATfuzz can help prevent defects from being +introduced into the source code. + +.. index:: TGen library +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); TGen library + +TGen +~~~~ + +TGen is an experimental run-time library / marshalling technology that can be +used by :index:`GNATtest` and/or :index:`GNATfuzz` to automate the production +of test cases for Ada code. It performs type-specific low-level processing to +generate test vectors for subprogram parameters, such as uniform value +distribution for scalar types and analogous strategies for unconstrained +arrays and record discriminants. A command-line argument specifies the number +of test values to be generated, and these can then be used as input to test +cases created by GNATtest. + +TGen can also be used with GNATfuzz, to help start a fuzz-testing campaign +when the user supplies an initial set of test cases where some may contain +invalid data. GNATfuzz will utilize coverage-driven fuzzer mutations coupled +with TGen to convert invalid test cases into valid ones. TGen represents test +data values compactly, removing a large amount of memory padding that would +otherwise be present for alignment of data components. With its +space-efficient representation, TGen significantly increases the probability +of a successful mutation that results in a new valid test case. + +.. index:: single: GNAT Dynamic Analysis Suite (GNAT DAS); ECSS standards support + +GNAT Dynamic Analysis Suite and the ECSS Standards +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The GNAT Dynamic Analysis Suite can help meet a number of requirements in +|E-ST-40C| and |Q-ST-80C|; details are provided in chapters +:ref:`Compliance_with_ECSS-E-ST-40C` and :ref:`Compliance_with_ECSS-Q-ST-80C`. +In summary, these are the relevant sections of the two standards: + +* ECSS-E-ST-40C + + * §5.5 Software design and implementation engineering process + + * §5.5.3 Coding and testing + * §5.5.4 Integration + + * §5.6 Software validation process + + * §5.6.3 Validation activities with respect to the technical + specification + * §5.6.4 Validation activities with respect to the requirements + baseline + + * §5.8 Software verification process + + * §5.8.3 Verification activities + + * §5.10 Software maintenance process + + * §5.10.4 Modification implementation + + * §5.11 Software security process + + * §5.11.2 Process implementation + * §5.11.3 Software security analysis + * §5.11.5 Security analysis in the software lifecycle + +* ECSS-Q-ST-80C + + * §5.6 Tools and supporting environment + + * §5.6.1 Methods and tools + * §5.6.2 Development environment selection + + * §6.2 Requirements applicable to all software engineering processes + + * §6.2.3 Handling of critical software + * §6.2.9 Software security + + * §6.3 Requirements applicable to individual software engineering processes + or activities + + * §6.3.5 Testing and validation + + * §7.1 Product quality objectives and metrication + + * §7.1.3 Assurance activities for product quality requirements + * §7.1.5 Basic metrics + + * §7.2 Product quality requirements + + * §7.2.3 Test and validation documents + +.. index:: single: AdaCore; Support and expertise + +Support and Expertise +--------------------- + +Every AdaCore product subscription comes with front-line support provided +directly by the product developers themselves, who have deep expertise in +the Ada language, domain-specific software certification / qualification +standards, compilation technologies, embedded system technology, and static +and dynamic verification. AdaCore's development engineers have extensive +experience supporting customers in critical areas including space, commercial +and military avionics, air traffic management/control, railway, and +automotive. Customers' questions (requests for guidance on feature usage, +suggestions for technology enhancements, or defect reports) are handled +efficiently and effectively. + +.. index:: single: AdaCore; Training and consulting services + +Beyond this bundled support, AdaCore also provides Ada language and tool +training, on-site consulting on topics such as how to best deploy the +technology, and mentoring assistance on start-up issues. On-demand tool +development or ports to new platforms are also available. + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/conf.ini b/content/booklets/adacore-technologies-for-space-systems-software/conf.ini new file mode 100644 index 000000000..24a3d481f --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/conf.ini @@ -0,0 +1,5 @@ +[DEFAULT] +title=AdaCore Technologies for Space Systems Software +author=Benjamin M. Brosgol \\and Jean-Paul Blanquart +version=2.1 +bibtex_file=references.bib diff --git a/content/booklets/adacore-technologies-for-space-systems-software/images/v-diagram.png b/content/booklets/adacore-technologies-for-space-systems-software/images/v-diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..92209789e46efb21cae88459b229e2240ad15b82 GIT binary patch literal 30601 zcmdSBcT`kgwv4?v(#v4m%4fGK211Frq>^70ak zMeygsBBg+=pqhST=XVxawf@nGt(`waoMMMZ#}*#Qxa{}kwGHxy*14q>T6S)(!O^ec zP~X0NQ&Lg_VA$7Li($mvr zWo0oK%*@Qp&6_t54-Xj`83hCcT3T8N2?>XXhnJR?yu7>w1qA~F0>s6|Q&LhgGc()T z+M=SO-oAaixVRV}A3rrUwYIiqZf-t1JNxC!myaJm`uOV57k;j>_X{1Lp6%=# zMCF%AXq$2>YSD`+;_*Mk6I3FS)gzKKy!ph5Sm7BChd6-&9j0Gs~!v zs@ajMT3UMtQX2VTvx(xuguXPjQRsW(a!EZhcNBVTDD%{Un@=FOqympk7>t7lA)z3L z@zMy&dW648dG|p+ApPL@O zhV)D?9-W->yT$27y_fb)9bZ_x=kVI-O=0Kc{KCf0ZJV(5Kl?MQ8*^)0=$`S(rQa)C zyYs)d2suQ9i@zmRcbFu6Fpe*(ANr9~{~d=-)GepdDWjr)cBy@Q4pocsdRLv-)EiJ( z8(-CClTxM{oF(p+?3`KgrEh{xO!0A8?$?2-(9(JZWP0Y;ZjU@P_B}yDPBC0giJs|& zitf>_sb4kylO)^{FuBLHA_@);4sbX;C@AR7n>Xw0>oztv%gf7pdV1B>)g2ujrlzJe zG&E#nWVW`pE-o%iOiX=!ePLl?o}Qk{%F5Z<*?4$(TU%SPv9Y3}q74lVe0+TGA@4na zeTna)tnUT_k+l5%1MYAx1a1g-85M;G+MdQ6-;T4Xl)N`lU`h$>#KdrNY)Fj)m0UDi zW4i$vH<^=R{n!E18$E6Dwt7_rWHbChkm&)j-K2fB<*=g)_eAAznuAC6uv7I^a@|ME z*pFMnf*zaSZNZgqcm$-Btp)sSLmd%EI4m7sT;fnaqDXO5 z=qX^K-Eh)06r3^5ES&`wCK4CueY|J>dWFRK?nCOGKPtA?0$#wd52?@@1%kE3p~%&@ ztY0H2rCPgLb5WRu+*{};t!l!5f56|$jdq$}Oz8h^`G<^nN^c%UxBq9g)pH&?)rw!) zUBHxv8NNd+y!Ov!EJI|7?EQoy`TL0Be}?0uL4>btVOn9f(PKIPhM4X}LbUg>`z!9oK&Es|?t zKm=?k6md<25Fmmz0naC%z9vEn5Fw~V!D(x+i7*00DBT57_ua3FNC8CHR;&f=R<4P7 z14N$m_gD^+kz5l&ayK?JWndET&|eb)0TFp1n!qkEdQAij5D9XDX@$C66S)Bp!I^{S z6D?j5iIoN};4Z>pz=ih$6J>QX=#5(<--(=gV`k_aeRMsU-+b_eL;i~q--K+&oBD~l z>WV=Ln_jg!N7*eS2}O`rVysFqcjJ6c1|~R{9!&|GlAPMC^XmP$KlO5!d+ty`Ab`nW z35R;TT5*i`zZ&0RKqted1(yz;H~d7iD)1a`02o0y239-iaW&(^s&qHVZ3QmR`XRrNVG zcy%DBtBr)*9jnWhvy>fUlN*y4Eyz`z!M(RNbi>YSnZw=qCLgd8zIh273UMDdKq0=l z1#z3a*JZQlM)>ewfR}!nHuzd3`%Wxx4zV8IBEZk_c&h+L=t#p*d(fYfQ}z4#5?jhH z;^Z7_H3R=aQx`V%6LN~K^9|tryixa*tCrz6emA1d`8c!t{mUjgLF!y1p3ly8Z55jj z%!2)N<<=VY&u%TqJdv}m;<%jvw zP+JJ-F0Wwn;Txvg#a+KsIKZu6VaZRB_e1G@5^oTMRkf=GdNs}F>Vp>@nHuKdCNolx z5L5Ms4)p}SjdLzWZ*<0{4(#toe$Gk4R+db_$Vni$;ld^qo&%YjvKty7mb@V264dd{ zUh?+&%@mDRW?-TWHWiQ|u+%Kyu<=ad9B03hoA9=NBy7+hC(2~5{sN(K7fmE|&CZLN z=_KxzeCp0dYJEa>HwxFz?9T!v3+}GF zaN+*yuRqQgx>F}gY@m;96-04Wwv2XJ?ve&I#YDMKj8n;)P|z5Y7&k090pDD74`De0 z3lT94Wh%!@Lks)!Zj#aupKd;5=Y09c;kAqC@JG~HQg^T}lxYVJBit#k5|{|Qk(=^L zYuG1j4QmIB>}8$L(%roim)l2AUnG`PZpLLYnNrWx$YqTNyk!9+^rc~009iFAXtNtv|2ayF?Th9rP>LE4HI>(R6OXA^nL$WJS$at+UocGXej*|U?CUnyDzfT_>p}0v^=+X z&1Yp>HJh3~DyL;28MI~v*6g$Vph0R_1T#E^=s6un!4j}nqzPDyS9TK}!HhUjScxs> zzK=KA!txlv!`~q+*%*afMzp3H8iG|m{O6V$4k4NNtK5U-m&bBjGBL=M8@U6`8YGJS zbGGszq0b?&bvW30g^U~n+zcK1UO!Z-e~ zp7oh->wcdx9v~-gWX#Tc`#VKae2Q2!g}#&#zM@ z?3laJzP}eT%#@%aC-e7Ksp6|mYriK^>|fXOa0Iw5B7h9|Ha8o?l6xDikkI4xhyAp9 zr5B4CzZ?FJ`I9f42*{(v=WtjAj@cuDi3ML|LxP2wyG?wG56;g|122_1Zc`8gDLn51 zOiLlC{9Y>J;#RI8NwiwVA_oQjqJ_Dw9awI}c=Y=sJ(5xMwtHiZ%aWu6thymL8@o{c zUt>1Yn1Tq06Zy3?Xe*@=g`H??+g+Di*Jxg?Th<&INn3=EO3ip6-b zas)X64xd5j4d)db@Y)*; zt~(|~W>U%bI8_vY>7_56tIAFSon%H@gAr4+{e6((I|=M><;Ts{giTzJsE^-pW`>R7 z*3J2o)lJL^z0m;u($zlXm4H4*07NwPkiD^n2|9PM`yYP=Ej^Sc)QE(`!b!{`g(mJ| zktN`K2)g+@NWXaLhs@C0w>%XPb8>>)Q*DpsoJdwQ5LRw(*^k6rPu<+U5h{T)o%a-{ zjQtWQ8}DBzcK!^P|F39o(;9o_8UV1O2SF7Ne^WP(V~32uTL-nG?)?QS<(4fV<_buZ z+`7w#+)UwGZgt*p#v+ca>a+}8Awzp6l-5wR@*<5nJBx3X)tmK3-@@vzUe}Y{ zS+sa-=Li;WaQfr$$A{V&kO+0>;qFBiM;A&f#Hvb-$~F=xhC)?d>z z8NT1NaGN`=Q5EFZ9dnP&P#P9b3C$Tg(&0AE_L!rPUDYbQ)I6q}$$YaHy=Dtui^J^o z-vt)O(8bJs1pn?+@mQnV@UrZcGw|;miKO68s*&@*I407t*Y}}0+Whwn{r^rS$8D{H zBf8<{nOCH|5}`&cJUe3ijOMjLJm|q&qZcEl`Ph zZ0i}<=Z(d3P%Wi=H3ds%L!2t8suCoGv2gPH(}-aDAP6r-C0%ICg)1;C}Y22SD*{z_EM* z92Ts8HOAx|sFNARtpx746I`v!S{QfZpMLfP{9K(YKTkyv;N);!6dbqoYC-C2%?QgC zD!VMjZKlY`tX-1IQI0vE|LHjSAdKDC^!~y(YKjuzO9&Q-mS@2iYhAf|8#NG>L1IY z2froh?&lc7C?3?6-^_l2^4zfxK639j=))nlO~Ksn=RveS69!Cg0#SWf2hV@?(u{et z;wG#d3Ihv#>s$bZMH?FZrCaf3is z#L#j@#Q>n;%syYq6f9tR@%@Qp9fl+;@3+fs zLaG;;m3E>+xf==k1rr>UhRUs8PIxa*R!`r1;qvlG>LHMnzj-PG9H?y5Ffa1##s%sC z@#1*;TX1@eEwnpF*t3s(3cYnsyJmh5cU8ikn(d#@@0&l9*pU(dd(IZ~ZbeI*V5SAaDo+kh_ zk>jBXdvFl+*U~Bd3%Jt3JnFA#QOzE0AtKZmgO|~%wIokl{r>iBX>^*C%fSVF|K&32 zxcoP_jS-JI&T9Ox-|IJ^-L<$vt|-St?(4eW?bk*N-$bO1KoNH%ho1qdAeZbj!5Sxb zVndP?$D8*Z9TDffK>@kgMEmtVPrF`c!g6L zXxA>S4jdaobfO-5^j4PqcFCK<3f%}A;4`Rr!fcHr(=Zj9LEJ} z5gJ~4=h0%1sJnR-5i1`~X5dGMy2o3YoJ_g((i9gA_VRx{ngSkWlcY;qDG4=Z;bqj0 zEy*KRZeeAnvVMX!#+Af| z)<7(WFMfPzmDBGjPi%^**V>96WC~_D-PFbL>0RhDlC%KyvF`eiD*O{@zh}XFKp5dz ziy-`Tpuy+}?PL18O-}ywS7mNMixE&%ji@bsnE|nP3WV;(2;G$)5G(T{VdF&<<1KzhRFnOh|K^Mqw8|hmE~%zs?p9Ez3dj+CPWVEWv9Tm=|xKU*F3&^|=~B zI!Bc-eWbXJYo;yzRbJ3hfD!gTrjjmIf#&q0j96*IuJRJqKq$5z_LAN|#w-6amh&ep zCnu@^RrM~=4v1YRtl%F|Qz05luze;*=&jp0gl9@lDD+@vSkS!e#4$tT^ZjuwL<^(@ zCx}b7RIoo%LIN{Ns>NmWoSDk(udlWIA85h z{~-u^tXZWrPfLY>RAB2d7}&V_*)j+>bfYz-AIJpAN=fSwM?gAZOu(+oeE}N_8#UXl zL#Tpqsg=QdrD>nnvZoH#(p~J;#Cpop^cAEPYJq!9#JSR@+Q6FikE3%OqsKI(346=?Yi-!AhRMCHqaVMtYAVz0WFv@#kQh zW-x&BJ*eiFZcj9|Y~5DqsUi30p|b;5o0*rkkkhe^2p(glcuTPO=WKDE1K7KVoDCl= z8+85fBTf~}60r-tU}K>(X1g^AbzVNSo?r1&A(7_gLwu&QDS**R_4KXRJAO9gthY0r zAixa1*@LSUsH+yIl+*m)@^wLmB@-Ovx5|%=ggt18BxTnOg_KrPjf`1!L55tPDR$6x z#-vMG&eM#4hXa8zrqe6?1ufTm&rWEj%hRmFNOWsKM}(yF7Wmn1xlQH*0;0OA zI2tRkeHNxF*JIq5Cw&j(vpg42uj8gknDaCuoU(Cy>H)AMQ@`?t)Ecn}`|WOYFG>YM zInyd`LhyWwZr?dmN#p;S&MhPV!8ai^ zJ7`MTD&^RK>8zFc7k7bMWaudRvmP^+#yJ6|EMLcMGuv)|=H^VtaZ&tbjfv%oLtLsA zcr6R_BG+qNGDQtPhn&6O4$G-^Q{`7D=770QdSQo51Ch6M8F<#b6NsCWm!7D*l+#4SJoj0KloZt+bsbc3;Hw({f zE{JV1cA*b!EM(K{(eH{js|T2O+*uJUhRBKv|7@)W62p=K$cpf*q+X#7iV>`s<2B;X zpsK!ww00Q%p#EIBH2%7aA;se(pmZ0PZbXB+^T@&jo83D@m_Xs_HvHRb^2cTDbFqX2S-vm+Q@2Bx@1(F9Oj;hhV#eE){Y-D?y;iWGN*!^;?% zuTjVW6z{0cg*E8E-pD@}Sr7``M(ijfq5NQ=BLgc?Tuw#)YDrNiX6BZ) z5U4T#zn3Zh(lJE%bjPd@#OI%o{fR}U9utMP{-vn}=oOVWB%YMPXUt5Y(l_q%-%H?Z zPb`0u?HuBL{2F=0#h0&sBaiR@eAONGkF7#~XfM`=sVeMg6u()X^s2!ApDNOwh#a*{ z{K=+Ncp22!gh^93OH)dftQg7{fi5*S*(e=7C89-4U=mn>i~%P-|g?Be;sT&J!Mhd+ z`2P(Pjw>$Rq=v{U3vJlbuqW4g*nb>S!jLCWBOZ0FhyMU-V1p(JGh(KFrH51g2CAbF zUPkiy+VfXHV#!!rxmu-Cp|$_^Uj8;yaM$&dtx8We=&Vm>O{@>6=P#!MlxdeHs;8-D z@|AU@iGk4hfA3o8;^RaV!O`WQ-p?Bo7l)518?_gQ$biXpl)%e~J~toTj_tRCLKSBqO&&m=JtMYZfA4U5)9XpJ`b+~QBT*8 zqfedc*}qE7i{!(_n;`eO6N;PvaR!|{SUW|^luLnwqXYO%0r_%)rk+AB6P;kWl+U71 z5p)Mep>=z`RnD2KQ)z5SyRL%U&!Iohz)==%`(lxxgI?4SOU|uT;1OO4FC%DaPHwj} zEUX}R!7BIQ`I;dEdX4^$K24sjf!D7x&M#~WoT3f6elzw<>j!D~SbI3U1?976`?u;N zcM+$f>6>3$oZ{=aAma#a%X|th*&$%!a6&_Z1n$2z9I_b`VD*xOr*SRAC!D--rUw1( zue9-GQ_URg>mL=>OnfXc&n4TzjOX$BDL0bA3{0DXp)xZV*Gxq`VKgnrSs}<7?wXJW z(;NL9>J90QdsP|%Nqy@(dD8~m+}Audef#Du=y4rH`1i(*m$RGi~VMaGaEoHFh=-tk&_VW#*FoB~WuWiqO#E zDyW_+lpEl#m|uoWhxIYHh?W~^-%5s6zd$+ihDF8Zzc_XWd|*Kzd>&C;B@}vf=Z7tc z9P{B!5{>ET>qLb8U*TmqznYW#EYoF7ucGpS7^TT`xm4y1CdcZ+Rfn`Mg{c+!p$-s zWq4C1tJvj$^1dNhL;ju6kSBrIpi!{V%$fh~Taar~EFV5J=aemDd96pU1gpP_a+{Q9 z5BKA;*kdMdx&h;FRJXq=Hd^=GMKYL!X;U#t0GmH3M6pxwSz-&K`<}`13b_MVP9AC> zpzg6Lbp!2pxK;GTzxsSB8vV_H0U#`y z z9sz>|m==YhGBqC;NJp$anY|^#+FNqVSXN2|)vc5Y;cnDip&{(=gqMLRT9PL$cVU>v z-ehH7)`uCEJh#opA@2esP)1W`O~jQ$!dbWsb2wgUhBDoX z`o8doUjU)6CTv3z?2|Ue8wptq=0a(^Tb;+C^e6colD`27*^&lG$V>}x+J6i#19d4qk?-E>r1GH$ z!;K$EG3a+IrLYicaMO`FXLW5HopqFqXOan3+0RSIxyNAJTEkLeQD)t?701ir$!8@a0tMtlnNRuxE&<%)osel#d6ZR=X%o>3fJr+A2~j|{bTT}{1( zj)EDMpidw zHR5F`unj)G9G0%`)#l++C!#UFBNb0l0V3{M7~~g3+)_iEvMQS%GdMrbVk71I2(kv~ z$8-H{F;Va0oqX_%d_b9wO?IH!AbBKl-vShaho2)T1iaWrUr&UH*ibluTa*Y^ex`2P z#;DwoPc^)YXWIVf$-M!H`($IqF|G0FS?Foz(ec<)&LWU=q>$N8*CY$CBZ_9rnHvB(>C6Tcr||+0J|M z>rhAM$6Y}5?R82Q{1?&Z7k`P-YMm(0v;?Q6VXQ1{$16~XT&20d?yWDJ2coOEN4gq) z_mC4^N=cT48f(e+U=dyi#yiLdyAQlc=lqPqAY-@GF9^gjko!Uj-R=G5R)Q1F33sq` z#XP8&pYM)fx);_Tu^1i~#v{O829sNFjURG3%&3BvCl1!=mVVI8uttJj#$(&s!&0J) z%s9I(Iqk9cE4rTEuoX3ZNxz;WQ{Qupy-~3czz+odlUk@G{@NBnB!d% zHXEnEeYo*Z#nKZk~s`X`@in zZ|=$1wob5=$WPZr;T0y8Ci0|kJJQvU@M$SrG-nvQvI zetm=}g~$-u$|su8-TL#YFV1@l4T>;xfu%$=U84f8y~$gC!g(lyu5+s8ID{p%31tL> zUH9l!fU1u;L9j*vetnh+(1LGhVK%N2sn=(j?lnP~gy6jk>yr z($9i5_rG5gnFok4THCnVr7~RgirN4oQr~+Q2Kgkeh(rc)%X+6~V&0p1UK0VjNm%@n z3Ej=x*F0f z)R~)&FDmVezpx@p*nb4)!T*;G`@a`*zgpV+0x5}QaOKE<3D(emC#91i)Z{v&$5Z>> zx1h-8STYEiOr4Uv|s;c%X;-fPeFz}@i3 z#?p1pUGZvVmm8r>&%~J%2nz(Sq?0tD;#LQ5p^QW`Z(eN=F@SAKZ|6eu>YFPnkAa7) znK(;AWImwh|2a~KZ-@+DeFNu7Be`xRvjDpxUtXZbR-EOETLJ)*N`hHe}W3Y$V&AP2CxGUpsi3D(;sZ$pFpN686h5G6@%C;qdlXs`1sJUo0OHLCh00O0s zSqKCmfW(>znnX)c`WJijW~9rdFHIb*zr^M1aqhVM}2U@Oz8qB zGS14?tXCr*Rh&Q)e@cn~YvyYS)R>CH5GXi0MD=L%(?-2vpz}k#oOe>-@4EFs*X_-H zh6GI8Air6+WrY|7uhh_Uz~>a{*!RT@R(K1LMr-Y0pvw2jx8jyh(uS;T5-j}$inNn_ zcSvfHZxs+-J8@V-+eWQ?U7wo5MY{+lY@qLus=mE4JPc0$G`Tk>wcRxAdWA6^l>n*dCbnpgSB!{b)Iu zI}!t>lr22?=eXP`4g=UoX!!!AyTxz^ytgI(rLhP%|7Ih6u^4E1+YO1KjMy?M&|H6u zgLPr6bBOIT4=E=C;JnOO6ZRLIF7-G6jU|NwJF4|&qZcsIP%#lMeujcdT}6L z!kGz}kU=rCZu1J@px9n-(m5T_6PluueeYE0*90rCE4Dw)r)uQ-Fa8-Q(L}IxT0G)t zBeG_z{&esqiOQp`UMkh;B~nkwm+$D5k9g~8MHDQ+Jdxb8^X?ijY8BiN?jQ`*n^K+F z|I^$nQeVH{a19ZkM&osSCVIE2XBW?wNgIpn+t{)B_q;b5#YFK>uL_1C!XY=cMmU*f$XY|Yvmf}t~qX- zj;QSJfHJ)hXHOt}2fXu`vdnu{uSckHaF`=Pnly}o@9Si?k zGUR&zT9k~K!FpYat+ByL`dy*J5Xq2)!5&mG%X6$4;4vw|PGv&6W+}{`nO#m~h&{qx zADK-RWVOzBtokU)_gaV_w*q_o3Cf6xfl9awMkibCy8|^11gQp6uysw`n-9-KJOR$6 zmaTO{O>L}PpSx?1v!x?I(|_6wkY->b>%;StL2%uc$gqV#JwD}4CD8d0Z02(-dc&t- zNe#Uc#dWA2^4R#0d-L=>>7wrdc$xEAphi@j1CgjEjC48%6qhx)k~%M{N1amkvNEC@ zA=zI2@zgfj=R*jvF-XZdViDk%x-e=brI6?f3{F2cFd>>dNWbnaqZo>1Wrj!uK9y=^c)Tw&|sx6>3%3*BbX@~gc5bBNHfRo}D zqV~W1(w1Cl+OFx$QGsa%y&Pv;o9zEw?~|w8le($$W_E5@v|ng~Wh3$9ir#TVH7E~T zqZdiRi=4X!or_yt9Dsxu*z4Rt*nwlVfKQLCuA)Y#zp>MYt|K;qU%)>HM}#=e#DwG| zfTO1O5u|FXs9~w5x@F+=DUAN_25h4gD&7y+5|NUUo;nRi4|$Ki5E>x>6v&)SU>=6w zNhGvnQC{_*IrURDHeuVVAQK@gQ=^>A$&OACp91?iu%aQ7;uDNM*URt@sAY<_G1&!~ zHW4GS*%e47I9D} zyjhk*+y{7{+&sSwj7tl+viLTI{5k5}RJ54dezN5z;&J=K13Y%C3Pm#fsU!9w9r?wT z7z^gpW)Xekm?(ry8Lf{6s~SVngykbWCaKV)PqjtLTJ;~y7vq2ftsV)H8D9}zcn%IX?bK; z&6HkO@Yv}>h@J2*s)P=!S=hg8kKeOJ(%00-PzWVTlI5wO>(Z`%!V9R4PlWGIL$}0H zYjnkQG|lM|x-iqEPk$8nnjn>24g(u}Mq9>W3N`<5xwk26J6jnc5byc*N3{y*SrYL% zQS{biIoiif_DDVSW1)8pRba+nbPN_JzR6^3ZA6wl(trR*9spg-!`MSEGF@@UDe*$2FT`=VxtIOi#7L zk*vi+(e}gPK1`fN>=&rR;a(B@bacjWCMHeOVO+hmBedHkFR=?Q$ni<(wn0jT8F_4^QM94bgRXlr@~S-qI610?XL+N{&tV~)2TRpRS8mt1h} zn1m5(^Y=rtz^^WyFASAV)twzQY&Y|*7sg3O9uG=Mt&~F*{7@xALLnPX`#*nVNE^Ev z@}x<1{M5~GDSTll>h;Rq=EzBbxZmxg0J#~2JbWY|<*x4g3gA(H+HiUMqT^EK(Z;Te zj>~Q?=HXLphc3(MB4z|B0%`m`(~y8BJ}Jd->Na+)gJWd&d@%N)UyBE`WaAGAjWBpW zLZ>Jy-52jvJj+-6>BcUN*Z~b~P+lKB&!9mma{_VBNqMvcR%y*IA?r%ZS*Y!7CW@RV zJNpXc{mgOu8X8cW6dDD3N$oeZ3e224Mmu5{h^XOD4>HE@I5r6;MAGu=`N8NOjF_bl zatC{snDcVRbdXB2x8@hk33#{izS+E8Uo0u>9Ihw}n(aP3A6y##mbQpxY+i6zYqz#t`t=vWl0s zB-~LTolWvyrYoL`0dY`hH0V)%Z+$UTKJD`}!Zq8nIQ!Kw1xbRQ4#~_OSZM~|cVV3gq7$^Sry+=z$7X5uJ`K1mPU#(uC z5R^J0jz-mF5)tG2JyG;j=2||`0GARcIym{|=haX4Occ*r0^^IG{+LG-7&XGyZoXyLUcp8~o?dKUzE0fF5 z5A1%Uw$X{}E&M6zV@scJ6k{xZ6|x`-gd?93+xzQ=Gk0WBQoPM-Rwj%Zd10g4*;jN~ zb;F#hyKtYP@v!^HpYx^L(vJFl{=Z|lV?RGO9IakFSpMWGGjTq;=16`U^G@@sKoJS@h`rTf+ z+WBl{;h^$?6i4gcHkGy#YlnT8-W~O2+QSeLZrU=t>e2r<8sS%C0WiJt{l7 zk*Ep8THj3aFiNxkL~N&=ERWRY19oy2##-~`_$a{uUO-*qMExUpxBD!WGH%COuG5{E zO_BgvaoMeR<*z8~=kb{A(>RgK#^v?9)Q^k3&7wf_2R043Hch*8#xj*9PkW_yE3M9z z8Bcm-D!G2+9)(?&I@eq3e{5FqU(uE}@g?R+mPuB!THbM#i|QGiFn$T6Q>`&e7gbrm zE0)2X6(`b`8WkODzVcH~%0)T6wC3aV*v9s}q4T){!6cn#m=Rd=v~s_zhT2z-njP7n zdVxOObYltzJU1jlnVo{lC_&N#htOe$_eo9FbB-0h=$J1V#xA8Z20M>;RRcDT*G{5?_d35`3rOu+PdVz<}iIfSimzaSvA z;@;)yoy6^efc^NyYMFDv-xJvzemmHbafiuP=RZH@HnWNZg5;5-(sSXKK?#$?^2Gu7PgdSM zkUzEI=Q5Bgzr^p#R|#0#r@W7yb`QBkfX1~LC3{NpF>8wb@Fu0 zmEgr4``%S)*rFRcs}XD2ANwFiDJ9d<{Qj7CEZr_$C&Zpy9`w!>IIkRUEDx?@19 zZLU*|+*lf$8(mCnCyY28_RkT z7X66q$AxIKAbnyb?<#oE=2f-Ag;9T+g&(eWNxw_N!<~g2;Z?YZ3+evqpzPoI`7a%!(X;f2x@C63>)QR2^i+8eVdi=|^jVqeFsdcp7j#n*Ed&n12j{Do<-KBrye} zsAVwTe#!Ys>P%;?#h?F9o77XvOxofdi`L$Q4k_;zQ*CT@{2cEk`J&Vts?Rb&s=qW2 zZprYP;Ar>SIn^^IFg^ zidGz4xnDF?Vq~;B9du+HFL5{*BcZbN%F$CzT)y(U&>I}MnT=UU7+%gUzEkxhLwYZ5 zgww=?u>mYyP2bE%dENf9`kNxae6i2FV5MJ=>RmuwY%|85nq=}6P5=)K^f43nqS66Mylac_*Rf~Ie>K@Cu zOd~&7x4Y;yJd<3$sJf}NQ} z55ceQv>YxC>|l5CO{28lxP*zJb4no5I*9*V|&D9d35S=S)Li@*_}IJ{?+O)<;CEQL{Zv{ z3v(C71*BE`+mJ4#o+@bSC9tR=v6-F95Vlo(Y>S19p%9XQ2bVQnh93?xC%DTW z@#5T;x5GWRCbnwmq|!7`d99cyp1(IyJMFGFq$e`67;;H6gknqrCL-##Z4;w@IB;+N)4h014@(PYmu+wb_mGRr+zq!yu1< z(9wxvQ7NTK|C$ar66bE^6TLf*eZc%Zi;u3bf$e{e)*W zI@z#`1r7&B;RoJ0OWVjpZC1Rcs*g()l4d{Y`7Cfr(x1rR85Rw{zfO_fGNyxb%Y4yo zdG|j+*PxC)$o>fWn|Uoy_O#StbdSZ%rV`u6!Z7aO5yBFX6w&v&x%x1QEmiQ@EVJTs ztiHJ@RhM=S&#HH$>*U;_##D0odNq*L0AS6YKZ&=D9?^U9gCjDZGc2>mn-QNrCgOLOWc38{X8e2^(q{}LgYy9O4Z_-OD(G^X< z#XO#YiNA}34VJ6Dqzg{y3Qm-mfDP*KGR>%LyXkO}ay&G+a{_Xy`*HY_c-5~)NUp(*DrHjt>4zEKix;9+ z-FIJH=f;0fIee)SVInN?g|+*JvtS_kGM zwx1SK`xr?27}GNV&#Lscybuni14va_L={=1Xy7jT;oQsIln3%~Pd@r4rh8TutBF)- z;#)SyEFCVz_-v7R@)kl)?w_QZUa>dMW7v^RUQ=(`v_N!k7ZX2QSyjv>LebF*YMY4} zWa*!!Ci_VMC(rZRVzz7kP^3bL7;z+VDSXbA(NA}tA0&@|vTE{ep_gNCz3-r&t*+z! z%OY%_#ehD;(FVU;S)bggPqv-oI-f7~es#PFIUT5Vx0TvGkl<~r4Ve%<)}uY= zyU~PoE3p0wVA7IU5FpaMDKB^m~>_eyvOT8$_vVweau)z^&!cx3yeEOswds z^9cT9ap@VIZ6gyG%y))h60bm-?6ZL3_n3=}^X%2VI8yRv8WMvt^&@_ni$1!HBvg+zemKlvF;css;lm7~La` znU86dr@)YJ_KV$N^-ssS+dA6vxE=Oqd-&#KJ1;pJbJ-h#xAyQ@ifz!7f|)ly-$EnX zAI&v0-!OdB|J8Brtl>@4*A?|QZkHElza8=BKCy;{_+QyGW*5?aZI%A8)QL zwx*lIL(|Lj#Km;;Nbo=XmfbWk^&}|Ir~S$4+_0Or2g(gP>X3PkgZtKAI?Q@j5lXDlJ!n4%Y!enIE+zcZ@=?Pz7(~s- zMP1M5RW|+C#|1@KV4Ivh2ma*b@b_b zC39rqdDcQ9OV1j_yZuD;GRR%ubNy$pBj%BomN2#3Ig><9d*q8_<*rt|VK%r7~3Dm{+} zgS%(R=nKL->N1+OH@6Re{#-m*=`x%BlqnakMmI=&M)*VxMyK=;ctbHAZnMUD7fJ!l1m^q*G?38@0vtY3By-hbRPXQpmeEAJOLq;hWFr$j6jAIzBiI+TLl+n{qoOs9qA=*XAWY$n->{kj-nf$B@b-Sykw3 z)1bp@Lp*mqBM#lA)tkeEE}6Z)g>>c87k|=ewV$uG+YavR{Uufx@?!pHa@d@Kh?8xx z*0*N3aD-}$F!os{!#l2vf|xDx`Af>YmWQPbA3jZLyU#jvks?xs!K3PvFW>%XcPY*I z@$JUbVF^Jor3NLWs^A1Y2g%eI6}j-dsffzWnDrT)!x?sm61KW0DL3AJ`jDtKB=Sm< zUg`oXj*k)(cTQY#;%F>$?`gHto7aL9lpLf}HyoN~yh@PAGLwrtHy#u4n~{GPy04Nr zQZxZ&vCt99vwWzrE?J(Qaqmrb!ee@+9SS;9>b)sLFIf5mVnAS18F(0yCQ1+9iSRRA z2){9rE~Wz~Oo_+Ave3CfQRiLz1ncqExUmDv>$#$7T&5g3gptI1?kQebViW?hAMB`2 z8s#qP_jOw3jcdj7_!Ii)KQ9hq{zr9R{TEf#y*o27baxL(iwL3;(kVzIA=06=45)Mr zB@H6dEeaA+A|W+&DIwi6gdjOIlJ_{g-}~PC7u?UC&-^rV&OU3ez1G_2tY@v~+^~l{ z(1|uMlX~UFG#cJnhJNVbR1&N$J$petu`<=SM-SK?AwCpQ20t~<=@+lu^)bj~N>ZN)?KtPaj^XCJ(uI%Qsn&nk#uiBc z3EM8D|L(HQim#-0)}$MgjML_6M7Bm1PcHe*%Hj;RVH?fO2c_%53M4!BG4I(D{5F}V z+)dRi(x$^lGkd@51x~7HX5l6=SH3o}`B+*>#@TJF5T7k7@x4fW3im+%hT-cG!S}wR zl}?Jz$uj8pSo&J1kZ2vrYl*;#{vBaTD6s^lSpjKs;sSLifpcW3;% zlP^^1HH2%0mrus}I|!+R<7_9sXW!Lw(Q#&-AD%R`Xm~;dBXhy)@+hAhGDrxK<4pV( zqBW`V#YCX{LByB#?%J4Y>E9d6Jx5&?EHBta%NB-izwwdXYyfyKJ_9*1280xo7s`K`Mg7G1{OB0c99GDdU&kXqY47@JJ$o*~`6BiQ1I) zakRCyRnOn;!Bmvq75Io5`(>wfEAe%Z^&}g}wYwqQleE3u+vZGlbLVdY@S%=XvGJO8 z%dGr+=K^lDj(_X^9dO2HPQ$~+r-XLRZ9YJea-PJ5j9Go4TzC{E_A)a+-?J)n_hw;7|oJ z*|Rj7KxYH$mGf3*3plVCgU}S9*Eh{MjK(fMy2Ig$yXiE)G&*P_! ztoy4~<~)|Sk~)gDtZyMlV>a5pTWM<#`Vi%7k4Hi z)kMZ|O+hv-vBXY~*Bl`pO#Fh#feQj4PjI?0c13jS>wL1-_&^%U{D?O$(j z22KXz0nl^Gg6$lZs380d^qY3IV*et}Kpa>R3)5kFqf94pKLSM&mDhvlMHANjKK+NH z9~WReP}!X|(gKZl$oKJ`KkoeQ8H}_smWNre10!8uM4gofwWXH^)EcLuYvlsvf_z*} zt86_^nw-TU_Wufd!xmx+Nx;tgj+2m>Fs#_|>zc^08UVB3Y3{6XArD*F$a0$bx}6z$ zRm;H$B0$A(tD|f-XSRu2nAQ0qljCC*PzG{r8#LQk24Y`-%+)+pSVC_&+m;Fc01${h}H-wGnVu!`FMJdc}M$o2fv|M=n|MVoT1qS+SSr^rcM!>ff;-$xS3YF{?9 zqOSmGeUxM84GvJUU1}g^t?51%i&N9&^XcqP9B6TPFR3BAMD@|OUpLSYB|sNILf`eFc_5IWt^TYYA9Q4;VB$z||R(xM=tRle+-Wx+`d$ z0fd2%EfbBm^97v=<2fGu5jq5u7-UZD+@ zqnMSdE+`dF@ZE+f8~`{b3U+tj&~VB=RWxXSj&AYS>Zc8TNK|nC9s%l0&u@q}I?SMb zU`S|L@k9s27pJdxGGwys`}O&QcZ|0XuJj8AE5U-uYYMY{-6lf&yq9<+-qXV5P_A2u z3h$b4KbjB80D2>z)d%b2zN=Y!9(2XY&vb+nDnNLi3E@jq`SS#{{eKz$ww(4);a`!^ zve&7bKmf4)zd|cj@aFH(88HX9ExqWP53N5MQkcn>4wO6cKqknkf@p^!;sVvg;8nDNujyS}lYqehVc8S}4`7U98ZWn&K7t7|6Dj8kx!?OfcqJ z^n2%Ob#y{sOi>4vwVu8664Gu7oF7h9gHUu`c7=own7;*8K~r(DZV+%&6r3mXTffjY zmiRL24{idj%%q|;XLuGe_g-sp+6eye*#!ZqaV+0T(4hewUwBPlQjh1ijAEt+e3 zOhPn*|Cub%5S)QHab^m>UyY2gF#=^p!Cttjyw8OffxFd%A#2%PUmSbUZ}vvrd#vE} zH1~~74qAe2$nvt7nFyp6FG<@oIibQ{N59QxgP(^8B9*XG6YEqG+8aArVk(-HWS;ZD zI35pXddDg=@Gsrd$zsZQPmwC@blCS7M;`pX@K3{3)=4L&+`_9TL1wcBUTdUYq%#+t z!SO+TtZ}9>I$~1sS6q2!jU~NACWuJvI??4?Q|l=DJutcB4CcW`I}=2)rrgD6ZNL*X zLb20g2c~tZoAGaLNU&=oe^U(nI$!jky)a^ydJML zxBmRuo~KC`u5@CU90sX8btmzVj0<-r%~5lH!?b8?{S>f#;%ha@|HAdlbut?~*xnuv zNPF-=N@~{rUQK*V%;wAt&qEaz6%R3{SQmh=^YVYn1SUSiy@A>uB;B)#cnuZc~+3P_4TyTt@Xh_ zXdEmIPi%mN;l;Nfx7``>DHx>!3MfsmJCaH2cTKsL18IrIFO~kwMHROU2AdP+fE$a# zjYRqX9>k=HEbA>h*z&8cYJ8Qo zpFg?_hM7huGO*0K3zsrIuUwtXhiBPL(0>a0?=gLMz_3YBh?$49M;pb6P#R~0C-UCi z3^IC=1c1Kc%e93DFa8s%An#O~l8z|R`y81lEcM)RhPB-pT!5vMtRaX36qt@nZ7l86 zravQ;&C52!-4Uwjazy+UntE-dH~7YJO=~If&R9nZR(!9)*z-&&Fl&28LCxbZ8)D&W zBT?4LB@_?Xd%}_JXRG~$zH0xctlxB1_Qg014YSLsDRu4N8muorl5sU2hwT8E5_D(3 zW#8;@UefDiBk;qe2FiOuH>_f3(t$&z{HLr4z*|9cZL!L_JgCoq^25ZNnh<}~E&O^V zR%^`-Atyk>omCs8dtx3*hqTKiT?lUg9{N1Mb$QS0JJPwX<6o_}qB>D}bjuSm;9dzWulcS(UjZ$;$_GWUs!{AYo6F z4?{c`{M+A2hA4>=TaI?MiPtF-xczR0$NU1eQ6{WkMt>lnhA*Or6*l>vcfjmNzFtw8 zpVvFDd>B_l@8e>;`ycE$PVVdR(+=|2`)Q36a(=t*ZWFZWyR61hu)0R|oLHC?Ymdsh z2tx5^r4%zn6_*r4l0}-idgbB(hGuC58f>!kUlqzWJZyUo?r0fkKHCt-_6f_iV^sWr(%G=6E#1vgn%bApDFe~_cL^kC6v~eLR3ys{`v~mDQ>x0wrh0ZqD z)xJyUW2v2W%LD^t699%LQh$C9#K8YpRPSdv*>jtXOZa$g7$;(qKE_4wJ@@4KMG8=H zVW3e1pq6!>J7P(=Z+wFWn=Wc*#rP219+8`^f2>7-6(_>3xIlV4U_uw8;f|1STndw- z1rJ<|1Pd=ty9H*D2i#FPTD;m}P)lz`tn&%9EnTG;p_rE5s-b>;ZYmo`O(=DciixXUm8bynUaxA9#2sFp5>i5*H>9oK0ve6nm+u(Veu}C6dnTPcU!&}k{nFMye zXI=nu`Amn9{quXrvEXF>3Q`sdxnr-fRKxY(_rByy$*l@G2+|F-iV-t7_MTu_WWVV2 z4a@3tvJk{B83MF`@3~#&s%IEW-wUxLbfi0c^7Irwy%-|gjC=;%xlq?N-GsixXx`yx zkuD&;7W-ZM%9_P;KD^5O4bI=@EeFQ+6i3#xbY$I(_CiSEV$SAA29it zHwow(v1~M^CwhK$yHbWlmPZzA4QE&wA>zbR+C~)qVtYhj5x)>-lEQkRqx-@#$oR&lXka#&>yNd zlJfIGtJ9_X10gQLe810xb}l-ZlMmMiQH)fsHfy@#&fY0)9+hd53PjjvuA0Tv8#Qzi z=Tm-fW_;)0?6&`VoHB8Xq3mwsAK-F(TY~7k-p{OJsI}dp!psk+ptne{ZbYmO8V`8?>5WT=Qqmbe><)Ylia`QpWuiP8|^ z?MQ>uq-9=P1B02hop@`Stw#hYnomUHdN&g0dGT8mE_$?;j*HwJmvWxY>*^rr) zo_ylNugxnpgo`^7S~=yH~L{w7->{{&Qitj!=!AII1+wkJ`Kst1aI=^{<__NQ8sU$+r}{r)GAM$R6l)h>ARj|=|j zS-Mh*`AvqhzSf6*mo}AkcQ3qeRqj#R*V{YfW-E^&pT^zx*8@JMI3}8MpUk%S9(M}~ zfDc@CGYtfOqQ5@`NIdKfL-uIDslXK@Vx=J8uQL?_*+u!C1CTfEs{Ajfk$t`Uhw7O? z%#vH0NRp}NEBHU*ilApGP%RUqAb?mj(Y<4Tz&U?F(KqHXcm#p@I|{72~(nr z#;0jgTnHfr7y*iqeVk#i3AK$U#~aD}e1J}NGHq}3_$g8D2Y;~CQNiT-TVI(1zH5I9 ziF68^9J6-ZQe?F>bgw5vXJ!*BKHYU7Ts6_Ql}$jv{t6Ou11cpqS|qk? zUY-?r(GUkmCjAe4;Aezfv&V`yeSlaB;R@Uds{c>p@VNw%T%&5bM}|Hto+j zJhFSHC_L_wb*@P+xRimL_l_jX)yOFxLx12J~OwCsQ#7dVQrZf%T5D?lsQ9 zlQ=EXrR9iW?-MyeEB`mp&@167f-A1_*Kgs9JOJDg-%39)EFp;GoY5w}V)$N;wzW^@~c>U2ex?K|Em+{&> zjzkLo5*3f$CD#VIWs)=_AEM96e?3DNEx8ii@erA~?7MyrtMaygN3r-Szk)ZE8uJfK zaFM+kDt?!ng}&g)wH4&x`-l>Au+3+e@MmVX;NuImJTxMD=;2DO5MzF2DbAxYe7#JB zg*=)R3eGcGUmtSOihF{Kh)|cT4WSexm}bY=81{26m9EP?WEuy**Zt^BXDC>|OWLN*9JRuOOh3 zzX1MF2;e0Lw%Gjs&t*l@;oq%z7#|YU-e+nkNoe~|&bn`vT0vtid;D&FG|YvQ7`rA1 zj1%|kS7VGgI=Xf-yDCeQJw2*HiUc`KjEqyi?4?9DMPDVv&H)MG*`M-kSV<1hL1ksV z(jyK2uN9Vifns}fHxo#8QFY_yqS~yBEZZ+ce#pDD}Uz5+^hAie~1w+9_PZV9$*%MLEp(Iz^*E>Jt8eb)&f&D4dVQ3InE2K zHE0|4n_gJB3h>Hb4!OL%9BgB@d9pjada}?BGZ}ZT8@<16k^{VVB+$xuJmn%qmZ`cl z>Fefk`AOV4eC;COEb%gLDssYiWql}YG_1GXS7%MTsioXcYUzS}tp8q)^vMeSMU8a+ z)!hY&rDu(r47d-OXRpek-*VPbmsE%gB6 zwN)j(gwy}@Wp8ucuc}hUGA~t^>Mio+sZHWNZ86Ibi@!?@CagZ%0d6`B7Fxt9(KFXT-VR+`Cqe^VBA} zw8KUY2;nXwh(A!w2Y<>(Gp-h0Dl)b;zF+78_V;_A9T664E;(ox0udXFbr@4yxe^;| zt6jy!m=or;Z>Ka;03S2e^3jXp8#A1>CL1Um{E4D=1w~&?>~@*@;!$+X^qR zANkHed?QWl&)Qd^j|-q_xI=kr*+hkZsNDhCYNXXgJ{wBEuIvWd| zt;`enP4cc0SVMlDtq0k{*M?z+O7MTW?alG>c zGC~xS_DhtOhpT3zo&V{dnZeGl>#~OpM`W7(Uq2KjqZX*BkhDdPgqnM{UkHmlX1($9 z-%0ea(*UwOB}OG-9tK++^)g9~Df^L^8X5?`i5-F@uZB=t?0X~19`p$fEHJE*I?HV8{hrMC6@?fQUh0}cUuQJHr^G2}0fmFFk_JNyq zeva+W>bqCr_nN=&CHeo6?q@o0n@|ef>u0h=XbT|l7he}zBEq7-2R{dg+MHhG#F}u%E1Qgrsa6-ZbS&79{R)315ga@w`I+7aa`I_rWtWfucfNmK`>%7YFIv%I7D*~VO>J%- zG#V;v_Zy%n!3MZveOzUj8cB15 z^`QkXoSW3M2VmTNbep7$kUao5fb&E$1RUIE7Tpl=wusox=&csWCQfqxK!vblfhC9~}?i=4psV6Ph z5ph!`G5=-o=iSd5p|c0RyXsY2(e&r}py6Bt(+Fz0a{_UW08-1_)^fR3jNTV5!NO({ z4Z*J<3@>k;C)dqAxUECi0>esWdSDtXPDj1> zH>8a{kqvC~Vbv!z^9>(<-JCVlr;Ugwo}#U;1X@ll_aN5LoW5(t{+2 z*cPuizaG6{P-_tVV)<3#V7N?7Q!oSgz~AG1tUWfQMHOu6+US0g*DTH#_^74MV+H5r zd&S5sEwb)E3c4Rk`hvS65Q+CrjIE}%q6sY4L?d@%)@6#*RL8^I8x-{pw}g)`Kb41F z33Fv6qM3)sp2ag3yodfoGP~$bkzw;!%yrk6EGm$Zs6kJi&E8|VSbuj)JR6*6!KjA^W4>Nn zK4-*?FHb(mv=WDf>=GXx`qc?#l{8q+tm9KI<1kGPPYC&@+LW_D1>xkddfsAT+!dxU zWmprQ&4l&l?;0u;g682+;q8twJw=`jIZ~?-lAsyJZ7zxT&>B_#j`7shJK%LPm2xQz z9^^IceS3N?YG?U6c>^)F%##Zz(D|c=5MN56XDGUq>CnDC-BG%nA69*X-`5SN8$I9Q zQfN)ZE7#*0#6|3fwnEy7#nN=U(6nn`OQqVAal!AyTeV|fPCmK?!R2uX70q1Xw5Z~( zplZNFlwU-W#3GJFO`u&2{TYXbuTE@OGsyRcSh~VWU(_eqaf$q(#m$Tg zZ!d`ci_tY=apLoLzQG?=>K@=8j;J%%B^m_FGdIdQM(>n9QHRdy&IQd&szKH~yOxsx zH{C@K(O1Fl-9o^d13sziiTmfUM^echu1D?c=O@lXx%NMtmrt<~zg$uO6r|JNL7tHQ zhwiQ(h@-+NZ_d{Nj>keI6LHF8Q!aZ+^px0gvl8=6`JO2{CZ}iSkoxs2Ol=<}auP7N z!!&2yv2absRiegy6pulOy&2ea=@7a|=Zvow%~pq(^}0B?VA}qzE?luK?vWmc!)j!m_ry5k3I?3sH; z=DHXJ%A4l%frbCQSEO0GcIuRnh~lGq6I^b!VWfl1LxJl0@vSOIy8rt9@gZ4*XNlb; zZT(NcxWp)t1CU^6be-r&l^Jfcz;oJaI^?8{Zo^zj2enm$QhK0{wne_^!wHa$wyEHl zT@|H1o2bT3m`*F^n++>C)Gs|qVtck#JfNe#b0Ngz9t-5S@ZHVA?~pV8qF_(XbC(Wv z#)VuXieY12fN6jrrIIRameMqhDFMP4PPxRNamIA9s*6m@`)C73D<^`!_fc^o_U_d1 zfDe+Yxu5Jp2~{1z`AS9QN@7CFUSr{PPqQJ+?9B% zG8bF-%Cm@*h1l%GA0NJI#@iz} z7U&6Pf&V692zmdCO%j>M=_RW`)|XAgVn<(^fNrSTSR(SvUa&s?L=p!_N}do^HUo`37vn;B?CT)3a8&sYCJHm zA@#pep}qLetcd=ZRp3(tby$ny*cDVZ2R@N!sd#I7kj50k*Ce^debkYp_pion#VVws z)B8D%9%%b%=}nZ}eHL}1V}aRcCncMtG4jI=UWe1D@UJUhT`MTVDFW_%zDGGiI{z3F zv9tIkcCev1KIudc?*JEn0I~TYQ`9x+RzkdzIREA{!^bY89pfGU$S`t(+;VlAT6CCV z_`yo+?|s!FJ^W8e3K#UaD|VaNF+B0 zt`zQ=ov~OHAERnQ9VB()+!iyYl3zpni3)>uD8uKwv+MM34%*)R{J_~O|9iG97sY3y zOT56tX7?6!K=t5Z&e0swX6qxg6WIEQ`|LYTzk z-HgQh9yuVN&X=cQI-8BL*g5Z!kO};o@FeCLa)tkj@XcD?0rU!zkKY}5n=8-O1~`uKAAZdnRtbA@6r8<$r&hGm8zR?)Ix#7NmAEL-@_pU}wF6gPnV)Ndi9&eaFx_wo*=P&VXi_X(K z+4;txv5}D!BL!)Z$?8CIUxN?Op$vPJ5n)yXRlQxw>5oUWJb`Ovejfvu2@8 z(Rn>-i3%Mw+`G(_zIV_{3p~YcP2W!vohT#ouTY5lhWUkQFG1~|sKkPD%vqV9uFw0x zwE~}!^ThrAwHhygXCjI{0Qc=e;4Bv?)Ta7V0PAASn0dM#Fe0J7{4ETQDuhqE?f0lDfzHg3p zQ)HMhL@}gbiZ~e>kDg&ZSTdWYdYVzt?+EC3KAw4|mK(Zl*J;t>C%I09nR&%{5Jwo` zv0T|hdw#nN4@wfS@5g#zluXtuG~FrfeI8lzVO>KM7hqoMKxo1DwRttKb33VgWn^Xu zx)&I*dmAUst;RS>MyJ+5GL!Vs^XGweD{h}Z>Wi6#L1Dxh=882l=NR)h|6`<*EEqUC01^NV004*q#RjQz^&kMi2s{9Q27m_D7PYr?F|~8i z|L*Bv>a5G)VQWKF2o6e>4*>nT{{J5T2S0&{v{Ac0CgiZIlo!N=S`6ly)Vau>g7I=V zl@qYvqX0Yn^?HQRmMaqwpy0vZV*OUK;k}n9)R`7HU!qOQWrZ5hC&!c;0v-4x6S+rZ}k6i=+93ufYSfu>K0Ef z1z=y6-7imu`*L-CCsP||Muvad|Lfxa2mAH^F!ZX#br~?`FBgZ{CZ6!+T&E$Kv#}RD z&KY?D7_+qFZsJLm%yo4Z>=+u-2X#(N2oi3SY1%*7p5 z{fn}-;tV&#k0n2YX>f^3O4}KtkYDVDP@BhyZG_5IsxhKmj|$l zs+=yq3dC!yo}!0;iwvXlB%E$pvyi?X!~gCxG^_$EXkR`91P1^J0ni{04la!U;WrLW zrp{mMq@jzYz1=^n=Y!|8PT^LEug^_av ziJDt%ndC+6vLCi_Ip{aB2E%vvxJUV)xnMMFx_Bm=kEJz9iDXp_EM&B)=b=3|`E)iw zi-_dOo7k!HC4+#De$74-^rCo$YTQQ5gYf|z;O@iRDfDiMsAn?+DQhnZVN|~TIdt2m z!F-DI5RZHCRER9AZKylTi{!uLudW$an`?kS9-H5eXF|{<9p);f!G{SgsobF*Q*L-2YsV;DAV&M7*J*&KDF}&4S{ksKac~Q_046ZAkKV zPWNi z&%AQBu{1Gt{*M#$KU3;lXWeOi1jSbo_yIEbs5$jssO1R% zHzk=iN|*Z?|4kb5k;0QZiuOrM4}RG64ddt39PywAqWKLQuFLzl?#ofqs7rFl^RZQ` z36S=u+}!V=jA_QwK_BAk6>%+P3TNc`zj|47xE}Shnmjdece@>Oi7#~Re%hGkgW>h9 z@8kF3b6K&%`e2Mv=J~0;zuITnt-H*YCr2HMUI%yC1X?qa8(yHN4>z+Bg`QjPkA8Kf zZhYS=>*Q){=V|llF1|QsS)23vjb-qg#lrn%M3lM9qoT#s59kq%(DvMsr5=@`n=(J& zTRWvpOER1g%sNnaFe0%*B$*Lg<^*DT+tS9FKv~3M+4%lgyo~HQtaUXgA!Kq~6mVQCs_n*eQ5Aw;w;ilEzOM|E zufz;{Z1Qt&h0*4E_SJNtraua)zONN9Av5u~K|*YBb{V0_iJV&;R8w@RuBh$FRB@S} zc9~)>k;@oZ%&rY0Pu=i5?IsmwtJ^2}94=Cp1{(n{V&?X&({0zyXPdjS59~5aF8J10 zd+XZdlU~d+edQ?f3)Wb1h+~|Ri0C`dxcKo0icmVXrM%Br2q-U1Nv@sz#t9}{Bn&pa zK!X`f-9ekj?FL;gaC77+M$5F^hPE#|&S#^u&E0d%=jj+*V5F`j?ABXgtuR!xzjJaB zZZExe^`Q84Rm~A8W~m!z$1pfYa1>S8#H3GEHnbVv6soJfvHn@;xim=1;djHeGU@i~EH_9O4Fly*KX0~ma9Nx$y5Sx&TnuTDLCH@6qLolH zotp=F1w%Fw&Y&BVbID&S9}&MX=U?+DUd0-gI$x==)|6g5Hjkx!~Xa%yIf;Qfv*93lkfOAPS*= z!dZ>)&p?iZsctIzL(JTrXyqu9L3AGROnQhE{H(azcsrHk2_dusa}q`7S1N+APPNeJ zH!nDVCLwMDBhg0_R`m;HPDUCX);fnmix#z0q9DvF%u-jxvrGxh27rF6Q4pqLm0l2s zX+;o!JK=)mGOpNBc2l2^9 z>rX3lt`(!L<<9T*xHz)Hl=n12-0Kn%;f9KG>hmNM(ZHsX`1FdnwMCYLnfI;WEL2S( z>_$)?OR?S&Au}#3(C6s-{lLiksSE9mPevh){K5HJB5T{Dv3Ai_62B<$`^c>n>1nvo zc=1kzDm9VOYkEX!ykqT>%3iKw@j)`!z0oEtbn#pS!(WCQxh7({Mvqh-k@^p=Tv>;m z(!QtMBtQDSU6=R+O%@Hum7z4)&k9hKoc-o^IO^j$=PZuJETU-%X=Tr6lNi1}i|tGO z>2lkqd8MnUpEk=XkJGAY;^ncuf17Z~@mLcu1a|!Zgz@2^o+u#o*NZr`7_k$TOzC05 z^^|D^>ev&aBoEUD`)-h=FPYJ0@mMmaQjWV=h6>EXdf_e5#8j5nu*odqAuB?4 zGd*f;zTDd|_LgbQh*O#Z6rUZLsnVT<=YT3xP4%k^Yv1ZpNqDF*El8yRCJ7&+J1xyf z5hK_9jC$fNc5;7gYh?}ARhFkxx{~Vp)Nrx$yr!~?D)EPf5xM~_nEnK18WA}jD8fKd zWs7V=7*g!C+J3EE%L7tt?j>EsDgD%Zz1y^|U2fzJo+5f90h5fd7f_TvZ4;LPvc+hX z`()i1#vR7%(|oZ;j~Z3f*%6KEc899d$R+my{SS`L-(pvZXJq_b;V?q8aH5haUfQLS6Baz%VW7ehbha(fj9Ldvn*P1vjJ}=v|O| zpPX^nhEX?ZV43v46jxiQk|HILscDLf$cw(woI{L2lXg@WIMF2Uc!5o)TY)4WdK)ns zstnGvVLv9dSJkJ7_bM^|tqu;nca;^xlKSREqGXXHmJEq!c}Ba>G#>;_+~{3Q{+*ba zv;-tLfGuY{M&+l`3ezG4C&LdL+&961KY!@G8xd!>(hi5yWufj9>(9Sy@Rkb326xDD z0B*!Ga_Fv1RXEJta*s~lthC6_ASTQe8K#ExTr)iU-#)IUzZ$|T`0OWZ9g3~?6SAA2 zb>+62&?E2)uavIAL&E#!Uys8B;j&BK`)#>!dO`3;=dkg?qOGc4@D}?E!A^DoVJWYLQrOxVcN>D8q~xE z(@PWo$fiWvyMV4IxZK|+z}^1X&GRN4dpo$XM~L#>bg7Mo3y#n>`H2z%ZSa$;4<{kQ z`ZOy5{Dat^Q}HbHCbJB$&SPNr9RZZ^El%(XBAUHLD<;|(Atr%BU=Isb4BwCpOjday zRGe6i1APj>zTpky0udXjBF{t6h7r5KRMW`achim#^M`)Ng6H;)PQm_YzSUjrsQB#U zvH`h`fKgf>jAB_!i-ZcbfK}?%ud|54hzizPuRMdXk%!Eayh_v7LM8)NRhkpiC=U94 z3&l(AQ-Adiu!e{EY1Vwbc39P)+axh3q-_G@9uY1Tj^qFR z8}}jd%~}QXx$zl{Gl=(z{WLs11O`}mcWP!AwTEiFN!SoGcT4Da^U*d-1g}PJI-^5l zWzZsjmANpD`2GR+@3s<@%#F!rumC`v+P_CWmj6ON2~^+higzgVZOZIdaSZOzR?ij= z+;%$3D<&A}Do_wQ=us7w^0Dyq51lR(sBbDH@~c0|Xrv~-0l>|?AUAzWrvJh}UAS}J z(X}a54pxmQN*?2KMb7!C$eBM6o*WN95{xJ}mL>UQnuzD-#@fvf9=EIef3CM2jFMzY z6u5P9Nh?UEx$5Rd4@Zrf@+e|%qnl=in;(g@E1q6Av|%Y$?iW_$(~f zx|Qo^=S@?T(^IJ5vDNYt12f58kDqs))EH9d#&mzC0NbFA*4C_by)d?HoKoep?h1YM zi!Gf~^t)@u8g6YD1wQ_~*kVkU230lgaw`TR zsRxM22fBR+iTmNA;Smh;*;F3$H2PC!{o~EKSbadyGws<%1tV&=Hx6;}^z zRq%eHUjQSUuNuykXe`xwfpN_V%Q4PVF%ThRxKuJyWnf@0f?Q zygJMRS?A80$VwIxlYBF@KHiJpU^6O69Z7!-vH>K2dkv6M)F0@ zFbCjSX)MjL3#ouAwi-!>#qm4U(BK$q>2_KV#MDR{p0im`s;@N@uN>uxbg~V*g))b; zO4aZ=n2|;hA@k7b`Q(65VF0gDhFV>M)Wv_{pc54p#jff&U3CoDD(9)PeQe~lzVM1X)q7OQ!z#Xn7$Ysv zN+*Jqvj8+7uu;xq$5J@NN#IRETa*=r6had|&IcT+CCJ1!;Tv+Z5ryTEH_1+I48+=^>o zJ@M@?x{Ztnis-?}rySxy<7w~cRDqZm5P}b;I{gH9eh7#+PgD|azriDwLf(QNl^h`? z_Qx72U8E!0^Aw8Paa*ViEX>6^EGNP8IOTR=4iRE50O6>+XHLj=c9L3PrIDK6g%$}R z@)LVUxrY*eUko244(QIbuLUD?)g{<@TQ|fI?F*O>T%o0Bhwj)4#NtIS6YQTF6(#xH z+K(cU!y=K~Crt2{+W$w9%_>Q)5}w;^-jxxyy6q&5#3iU*4<2j8Ft z-DT=VBn`lr^CqC3(jy5BP6+zVd?yN%-2)#aB9PY8i$z;_ZH~r;B;{$6iP+#u8x9GT zS)z(isme@*u59poSBUgDz(v4KO9fSGD@x-ZA~a0jo*vVW#Ar7=QCrfD`y3&7^7Zp|rn>~P-EMPYtFz_oS!eFm>6>M6$sCbG0 zk^Cr~CNkvoI+|I%3aOKp&luh`soMH_f(#?bmtY#`u;Xj^_9Mx!D)H7O`I{$C+tIIT z#*`Z%zS!Ty_SVMbb>D*>oFPOd8A^Yjf zUO8tLya}Q)MdQ6~eifG4gmmX?&Yni(77J?F0lFp%ACIh1mTtJx_yI~MDJ1QY*0pW^ z=Tcz&i>>Y&@al37t^;vaEsJuF@PtIL4broikl;DYd;2mSg?&2CmPRP+vn92jN1S3k zbAs=3Fv`?@%*#9uM`SD!z?6ic*^-czj39&*SV|#W!Y+c3D6jF0)1mQ72c20%4RNCw zr~sMs1k?J|+t0)2yQn^SdZnv`Q=T?$>AL65oQ90e!JI1!oHGbWTsS14C}IF@d_;Np zV64}>1uJtJ~#A!EVtK$$JHu_ybC_E-RITVjVZSQr8Jt(qQE{G0Jc$&Fmb?O zCRjBeJeicmol2!fT;pxR1>WjZ@9LBl=X2x*yep|EUBaMzmeL5olnlXOBm569{Gk{L zBh$mz??V&o-1Ev&Ar6F(x$@Ee*m1HSQI~PE(V}di%lY6gpYol%V{#j@(jG?TH7Voe z$!5lasRU_^2Vj$e8%1*|vABf|D`|@AgY!xmK)y2mN;k@GKsbj6#X#|;`-vBd>W_KN zcb@&3zqda6>aLYq>DlwFq&vfCsj_c| zMEB>zcAnqoh5xLk!)}~(ip2Kx)cnYXLcJ?JA4N^VV#Q$l4q<_}CQd>@jW+Ul$hSEV z$q-1r9xNsaHlk?ZpCM`^mu;@M%-SUoXxVO~ToWi;I+aT4b7mk#;$*{#26LBvUV2gl znkNPtmiE6oyTAWlN5+tt|9fP_5i_IIBE~G+(KJa2?m;2s;Dvx*#2he#W(!XO;>pOu zO@^h~*G3{y657ud`7I=&uz*Dc&6<=iNC*cL zj8GLO`3PKy5xX&)n{*?JNhK0&pXwAqY7Ny2HJ_%JqAhO$d zmW(3=Cl^j4YLpqQYsis0?DVlMkdI%>F5j`tA$ee6fOnoQ(+b%m8-fZkiPE@LnXLpd zL9{OcDy012vcT4XPhz|lKlXuR=NRzEDQ5~XWs*jbdM_C?Fa$DC!K;VN>h@y+WtRi-TpLU}(A=2s)64MHLF;FX?F?PRR5H&X3A{+8H&+MV4KrVgea;V>8h~tVC$(TT=D6?D6RI+ zOTDer0t*+jXlc5pZ5q5+bF7yFHM^ATJ^)n$uU3bp7Be$s6vo;oMOsT+z$&vd8i1MtH)RVb5MQnHB*dEW^ zbou$$@CsrwUM8;&<`<+OK*LgKeWO4ST&_)XN7iA|_{$t07K1hQey92A00iG`)Z6AJO< z7-kS9*$L=55n?S-wfcwmRhVL^CBK5oF-MrV`>EHcfzx=BhrB9=p8eK+JAasAeyet3 zeHKjX^9_uXH$CT%yQ1Zj?J0!B_R~3iZ3fnNs*#0caxTNrEHx1}n>@icnQg)j4>Ti~ zSLI%0l1<8#GMLU)!%Nn)%>+w*g&Ks|ednbyqh`kW85aN*?A}eHfGRWNa-8CX7v#kQ zJsiC?;~4t;bHb*n?DXS>^uD><4!tOEU|ueN=kyz$OPc%T{$;ISX?uYm$md2H1V};+ zi9C z@uI3Hs;h|}#38>xKnXp#Fw(tWBp~1Qvlx!-7 z*`v>U^3nJ+pX}35IW<|m2sNomX9}TDvjkvFsv5tz7Vr*opsdvWJ5TUEd739pZNu5a ztGWPZ{a?%~lXYmW6(#9IWj$Q$)VPUNb`~h}D=2(t&O{{6Mc`!XmtahIc3R(7wumcG z!)O%`Ln2>fAp5HpJ)eSy!&SR#(ZJ#A#+u)xf8Db)S)C~k1P3(I{nnev@=Xm(T2`)k z!Q^I~v}4rh1^Q8_+hE4KTnAXW(SKmjnO!NjzwvuSv+tW}ZcuGwDp<}GZb6gw;_Ap7 zX{@7EDRZ3>mgWHB4-5rqgTa-X(v>LE^WS*~^CS2a?CSZxQcZWnk03kabmikE*-`G& zt>=7_yhH{uQb&F&dxCudPbSeuaPrV~6gBcy(A*2K=ay0y5%{|+dA!B}Q!f>2%*RVx z*uuec-;Ye4=CQf8A=)!#k=6c7`;n4=*cJ^e*kj^Ofv(*TtF1O!=wiiQ9=6LtH_toD z9ZcJU)C!)fpL|a_KO%@eIRcMNd~H`?2Yt`9vGAU;Iu$)q#G?K&90|T3Jt4LrlLkuS z-hq0+cgAL=PhEN|p%dAjUFoWRE1O`gL}kvBa?|&6QO_R56?IG3$}DDi&4wnCHjsQm zyc~#5-7c;Hnh%cHEDNj@JpY^;`Xq<+eH@lN{g@4rn_0P|cSmhoB6Fw{AI`Of*wI|U zZQl#XPjmN&Df=$PbMc7^F*3Zsj|VwWFyi>OhZJn??MI&DSDgzSIFbx%Oot6QOpyBh zi3zdrr$y)XC!GrEk#(-1Fv&;rK&7~vpl-g5TR6nfK?PD{CAjB^=2;;S~1xKvxWElu-4A?G3;Z`a>G(7-b?DTLdV?F>IRhMBGu_AIzG1_ z;z1_^x9>#1K;iAAI;llgo^7o10+3Nx6NgvtD-OG>w5Tqj>SpQ0lbzLU=E}I>Ab0kZ z5KlOAkDQ_aHA+9fRhi8RJhJrW{cx)&;%AV}h@k9t)~hLC(7}Z*#Oy|L`>8?XtpnfZ!L7c(Ug{cAfY2G5qum zo?Ps8gK2Zv+q2?s|K{{pN)&Mm#WMk4W1uJ&!wXuQAR`2m*aL4(;W)nh^OksdpL*rI zu1uAG?vAE9>O5Ha@lf`nZfK)qAvQtQ=2W42rgZ04A%tEqGYr#-LYYmRfWX*W)e09| z1;S%kmG*p@@$+N-t9eGe2kQPU$a?T%KQ-cnH;lu5F2Eo`)iy!(SmJUk$50KAr}{gb zz?xF0O?=Db7WmY-Qa!fqshg6)Qz7Q|tqYdK2x_6uccb;!oV-3K^BTS|h37kKW%Me0 zkewXSuPgfKIb5vCn!2Bc(*22$q^V>b$UUDOxz}spfXx?)Z=GhOPr@WIs_lz zHtFT)iG+n(J2WtU#NWv{Ick#I2FfxdGDt!`a7aF2i+H+pkGDw|XRWTD8f!L&Gj!T) z(tKgdv-X%Ot2<@ebaCp>#ACdd_=M-j1HmdCm!|m5teq;}cKb_tGI`3^S-NiPcbUab zC?z^gUqs}+X6z|gsUw5$vS_hT)U%CMW$KS!27~0^hpJtNT!)0tA~8(CS~!|TE%=~y z?x9GU#>DC)R$0bP8$d!#dQZcmHox^v3 z@s<&9iCn&Xr~ZT`Djg1aiXsoViufJUD!Q>sf{3dnx%LMB%u1{-!Rs_aK83&k6NG+XgTlkAw^DwLL;ZBFZqwdq%>Ag)>qGv?aM#?2Nj^U>2XIIc za;>|2_7jW?+hW=du)t4#BHGy?+o_tkb;0&JS^Ody`ccsQj^Fa`{CYw}hr2&+YjRvn{Sxi6nwZEWHs$BaTTu&h zG}O|nHB#Ip<;Sf&ZC9^pFm5Tk8=Z3fQdfYMhS24}VsTr<*JtAg&T-R(y0XzFj7o8& zKFti+6aN;PH9IkD!r&#RC26eA*BSCUThqouWO7yn+aXRTkc?rLTN}MYi5xYjKO&k~ zcl9F~T?V>^e5aZS5MCg)@?AhjcsF~G`zzr%Dj#)!-9t$Uc}1YECdyJ zn7tYg2N&KF$+#SLLjuI60D&MN!g4tni$yj zZD!Q5^(8ni%ww`FKSp|f-rmAdFxN|C1%bDshlGRxxCy{n33rKLBf`xu@8ba{cU-4b zRm5Aw*9j3d{Fe2KIm(=gRD;&j>oMYrB{=JgM5S^LIVHV~-8Gc$V%y^^PE3Knj*y7y zR80w4E=lKbsVGb(bYZWqSB+cH95L9Q)h_f#lyB3QRx1+Rw+n~qc$vSgC!Rc)h*h&t zGg@DCA99+H3mzCfJ}&$`UHHiFZO*$gY&?~f96Tst0j7j5?(B64D&U2iCit?58UN}) z9tv+ni^hFfN-CBNqUy;_BuQIGxYO_=3yq{5TMy4|=-EPB7EN7J zpk-5+ICaap9_TYn;OiRDl3j%7^^T6H6;o>LrT=m}IZL#X%NH$lFml~WKuDsk2ZP7} z?ukGhD6}>A`;f(i#n1$W$RhnkzO^SGNYGx^x{jHiO3c11W?iGtb}}sfEqPb1wH!KW z)7l`}@GJ@;U6ywcAwibe0&y{bH#nvw5`(5-9rfCu@Dt(HIAk$@blT#yt<|Y!%JDQryL;&1Nqd3~9--|qT&gmbQLF@#K@UnuC-Rd&QmVu!Tr!wXTa>89`SeAbE&SdgtoHM4JHRj!Nk|HS)*`gdEg z_w;XZieJ@|N?!$)|I=3N-^9;jg)(S#KblL zGC>#NEyLD=zIYAKGbQN!D>pW`W}Uyv@JtR}H!aUY|?V-%n<~9}UuPOUa%bhs_%q))t>D z;+s<~SJ8)|Z8a$PYCFzis&q!;mZA!QBbw-VJ}!Q+*@sEDrvQv9Dw6t znl!v>W4z^T*ntJzsL>~yE$_g;;~y&NzVS)P^yXaF$V8ynmp`@jsmXP*FLuNW>M)92FQxgWG5LvslgH zR4vh2RRAws7Dr>l6iSYTQB(HtAz|07}!+ z^Yk#wU4$whpCj;syQv9;x?O3g5b

%ibC3I6J zJN5Q#0nv&J?L)YcoP~U#2 z*VX4~LH>*Bu(pm7`?i?I1*{8)RL1kBj?w-tT0jWJHlz7#wb)>2y(5)BgiAodiK6@A=p{ITGQ;RcTdCU; z^;yJ@rs!>LHBWFOYovwB-P~E z$oiBKndH z>3!FQ6wbBxm^NC}yJih{tM^W9sA{OzWKMR@3)>h9DRTYyg6QyW%;rqX)Uhd{79>1x zUuHiM?#0$EB@Z|~#$oP#PaX9^ZCN)=Mp{e$X{gaq)A}MeJoX3z2Qovv4o>EY6?rcG zwBq)p;;A{)oNqpxi&hC*PhuF6N;qEBrbI$@NcHKSfFX1caNVH|rg05Cz7CNlDmEhe z$}1F_8x0|!M{5yrf{+M&`US@Fc`GMJLyo!%`o*xCtRd?=ksPg|Gog<3o}2rbMPLTd z)s}$Gkgq1RY0|n$u6Ec~POTcx8*3}d&zw)-V%YI8!>$%#e!%UJ0zCw$K3Sw|m0g0)4FZf>NbWzT-W@pSH)j{jH&*dzTRVW-tJ!%Sdz}6Elphkc z@NUJ|E$TEcVyvNK*PAJ@8MG;6X>V%9ySWy{y9soopkEOOkxGh576c|9Zb3NVCv$(f zh;4PoS_eAD_Ej=aJpn^_% zM(2bxb{EOKPf5Eix|XW5#$+T2Nrh&%2g`tZ zYKg)3*3nRzO}e(vvZQWt7r|63{}Qiq4r#m26*l`zL^MhivmZ#%2q*@6`(RRz zph0AT(&#D@zAx7yNUr5hZj47yARL*<&){Buuq5{oND;WkJ-ck6Bl5dk;^^U6mmHbG zs%tbZ!lB_9%*h9bHAVswiQrN#UY4=VJCK+0-JAx z2=m@ewTBd{79z|ED;CBzRW)^ID+1@??8rNk#$qyXUQ~P2FI_9Q#Rbn4Lo{#PTuG|h z<_LyTnpqX1zap=8My#{-^Ya4z1LINQVs%A`tLN7as^)KP(eO%fnVNVfU5P zsB=VX^R=F5E7hDup5GTPJIPa)^tfgxFX>#dklf;p==Xu|%+th!nwP;k_W@TbgfkOy zLWs)gy+n#cBzb?W;?C28u;o6=DC|5<;HH}yAPApyE>k-2e=y(33ZFcaCi9HNVU=JN z#|II)!3Z%;3X53+^3$HVBUzFQj^{N171LjZD99@5G&uS2M4TZ2wEbbv%n&jpe=>wHB$|)Hj57xY&Y|s{K71!6 zTiDF3M6GtY6V8Ol#xi*(F-+;n)nlIECE*3Rbii8LbzN&V7s&;sw+G|Og z0qxL5GY4S6m3K{v;Pu!70CYCUv5}KaH!CUsOL{y-dB5rPZ~*$Qsn&O9wO% zNdcmNAiYt^0>_lWNwC^L5Lu>!Y1XN!LJO+2QstQu1`y(&4hHsgi zz9$sG-GnL8fP;Cf=b#rpIcG&~i*mBe(jVy%LhGX;b}RLTI!3~Xb6+zN2M|F(!s@_N zmCR6D5-5LS+r2tdFGat4YeECtez+iQyby@Cm3}d1elGhzj5+>rj=8g644PYl0%HvC zlh`f<10S>zBf0}&nJtl!>5JGCUZTR@j&=uS2e<7yGeB^oE5{-vS|t;^0D?<_4M8B2 zM5dY+gVnYSHJML*@!h38mr-Bf^KLzD`ct6y#3=Kma^$<~JZ`I~rI-P#iV(jblphWR z(G(0Mw?tRo43mOVN$b4#2Z#H@j@`z|GXxrc?W8&BH2z5g&EF<+=(m8Kh;;Q(~jGj|$r_#1z!S{ug3?aWa~-Z5#7!tK#-3;=eDSXxE}Thl2zFKnVZ)P{;nSP^WqJ zg_v0Hf(BPa9^INz?lcxE$2{;-Sq2J(LJ7wjS$0V#l$y%3vW*Xw2BNOg+MS{2PB<#h~yok_-bOSRk!MS)x~A-SsNsByNbN|j4R z22);7_v<@F`?F3CMWnrPt5r?dBAdtE_tC<$)6SDddCdBVbxt6??EQL&Rpf6~{j3Jd zwSgnp_L0(&=GDfC1}BzidpB(T$sZ%#`g5;%i9^TIUHfmEo3R%63>L1W+7QMP z`bg#NRf|^bcc=Ti`yD(y@5V+MQK@pH*{P9#c~Lg(Av9_UeSI*Tq<+vqIqa`nd3(lR`a1TIv=7+OXkz3<`ag zjsGomWV~d5M1WKippGB3Bc6*$L?a|ZQlRg=fdFAuZ%(Rz-2SADam3D1%S2kWX|cmQ z>H8p2tg>;Wf)pf=YjPeQmU1)}7{@&cGIO7h7&a6KJSgt!1`^XVpG`odXGbPbF8m%5 zj_`-YSwGElL(`ZHO0nmKXZz`FQhDvY(L(Z8QGxzvk!6*;C+#38uMTuSz8N}+SB{N^ zs#FI5FKFh%R|A?tg$M#RPs8H4@f0dRuM{mn>!U*~w5oOmN`E`vAy4nIdrrKJ(8k{r`_vQXWcjA{#2700 zfDQTIDi}t7SMH00m~W^O5^rM~ySW}e+Y49wJ&u{jf=BT?e z_F{X?IYRCA3#(r7@%y!?f;wlwpMFom(tBjD ztIP1n1SH;K$WJ5G(a^(vFTN5I| z+G=9T&)Nlr9PVmX)u#LH`DlG3j=LBar=;%brd2F`H84v#p}#TS+eR6$gCODckW2+Q z=pZqD6E$#7OOjfJH|xDa+d3>?YpBll-!q&jiXIA$UiqF;PFc3*bWTe2HUowX)kRog z)Gz*!GTWFrry|}`+3oXwJI$!y{q~B#F{m??mb_P!wUm!P?TmFB3dJY&JrNQS%5H!v zf{J3`G30Dd$+|Rbzu9eJa zyg6g3vACAh=@IGMvicojy3J_$OR7)+ug&-Z=Jg6fGy8Ydj{6{_v6#9KbE(^vN*hyh zYrokg$#s?rquP)ez4G%YS6wZ7>*O67YfTCHEBN=69i8d5_p3tv$Fx4Ij%|I|N}8tN z(HXar80ks6_09~g$BEh_YHd7@!r7vVP*;sL*!rRm9<3pyIT{H=$3)EaC`p$n+mDE5 zR>GYP?(gR8kdI9G_6p`z!3=Rf_I%=<#dwwJFYJ@O$VR9^zfS_3U_i+vne%fA4+u)i zkHR_EaKfTQ9D>IP4<;C}1cVyPVP_FGC2}!zS(S~=(m~M*VdU@+THq=D-gy36QvfM;#CL38#Ohrz?(Q5f zleXVrOHxgt#2f)T87mUlPr`|br#}_0IjB1{n>~wz5v3xsDq*Cv?;XB}uF)xW1^P6b znBUYVF7a|mG0-`8wat!2DLBZfN*dzvlm_Qu-}*ys2;d_8IWM7NTP>z zj5p2(WrRTya?A~+iZn*{PKW}_7CnCEbgrbu2&=c^s;+Sl(m($hcrDOWRghpgsp-8g zwol{sJ%N82P9a2v7;9zyHWB9G53%4U+~$lN=bCHgm^;i-_fkpH43h*gxF(J$fIkyN zE*RcqK$1xjEbVar0H!6u$Ydjrm*V@0+1zCFv{2j8zhum1;Ar(@`{6u)&nztjo;MXG znUs(M6$Dp=uMkxqQ7kKtq$ke*!`@p*$JOlkqHT^LW@d(%nPX;VikX>Wro_z57&F^3 zGcz+YGc&)=H+1IAx$Dk-|Gc;EnR1uyYFF>ICGV0{(od?K@OGZfWAg%wd&>QFSe8`q zz`@VmxY3mIWDiOR!sfDo+ZvWJqI=|tHft8Yz*?0l-nx$0$M*$WzV?qdxV1jGn;ol) z<`kJ#B2xG^7UCcLcTD^m;Xj)@L4N&=l9$XOowEfu2AdK(r`(!poN>`@1p3EXb+fsr zOeZYvr24YIV8G{^`I_$zQfYpE)jX)|*K9R>>syb`W9)dC4R)6qRk+K`am*q(EzSCe zn`w_<_=W*Mxo`_C81TQ73+#W%g+y&&NCk0V1NIi)_gPvhuc%UF{%3DOD5#Cq_c$Q7 zZGl=?H@^|b77VOO)gwJUPe`(MW)b3556lgzcnXe_`6G+6&CO$_Zd_ro80)z%Y{GK^ z$%}PX#;3-aua#b5n=5YHYiuPO!}5WY{NW7f#B9S-Q_|ACoUxOKFPoC1Zg+l=jG&%K zD``7?{LU7h6J**V;QXzty!Farh_7o|`vhqtsx^|mt)+M5pckP*9QC91-3br%V4kvC|#)LM(1_o6cz2f;eM z|3UE+?@3h0usyeq#LmmPD_KUte3exA2`vITyWlXuOMvtN*%0Z z#_ik;n|*1z1)D0uyoJw`zil0T=H>k<rvMox+KBDn!G?k2=nBF!27a-mG76H&eDFJ< zhRCZLla`b6tQnMPX@00lP{yS3gshjJDSjSK1<~%VQO(1wZ`9r2A5Wb*uT>F7yAg0GAE28exh?;L6P(~q# ztIKW`QH>DFRWCr<6z)o|W*(4&G6+p%&Zf6^3&d>&KkF<1;(^ZI10kW*7m2j{ ztzXv3I27#TGbyb(jbH6?{&amevhkOShfSw5`MqJb;>4`AICR58O!G4dbq0A#20OPb zTu?a>Bp+^F1sydt18HX9^v9LkX?PC>(Lgq%5B;Ls zwZ7Hfg=Z@dwx}NcWHQ!FQB%4$!ME>6_qJ#M3x`L zh=1QD5)c>vlF%QTW&lPa$h-g|IfmBNc@otpWt5W(%lL(I)l!nuxC0RxwO!W(&4~yI z^lp*oXm8JB?g|{#bG2?N_)(YCF1tlc<<+gNT=-s%!7;d;)=BXiipu$1_}Zn;xBI&X zSvm`1)-f663v<0Ud9tSM6{o5mIb;u4P?#&ne2@0wo;aDWo(uXt7h&yK;rM_3_Pf z8Kclf`8YPk1j`&hBQ^pb9K%iBw-mir*4N>{p(*!ynp-sIUJZgM{zl6;&iRMgX2&eQMC35HQ4#C>vBI{_wQ#i)g9M;@vQ`JLJVp-eC;5w+x zs6zh9I1H%5qhgHNOvJ?S(0f^TW}{KlqFC16BV_{&9fc>va%m;yCTpd&nsAU+U%@08 zaY*MhystgGAmUJEmi)8Dn~8{VW3w}4XZ*8HA4^e}_M;@L%bpbT^^jI~VvIFpJ z;mYoUuogOh5l@kcBpmj*@rk)0qq{v9&ZtBVUyr+`)n-`W*09Sv{t!mFN50*y)9@Qx zqdCx5QnZwONzO!*DA`wu=@Q-z&}1=)`{8ivM`4Jdz=XtLPZ$H2(yPwIx7p>W$ucqD z5Z$wOq%U!$C#MS|+S+oztB!bvWhh4uvB$fO=;0kiAtQcn7_!={3Gn|8m1u213lOXa zJF)rm)0SW!lyLXuH##7DF{lpkY42+p1pnbh&;1YW3D0tZ2NnAn1AJYuT61Y=Gnd&P zXBy#Z1etr^@>Nne12l`b0ixAeR|c8vK`7I2{`PfNn|RyuqRs%ruO2@x?GxhHYF%i@ zOtA9lYs0%&iTjB}K%04B1ks83QoCWTdpXFfF3DqFUNdwSDr4MS_azu-ip!xqc9V|iG|%-VP=UQZWX+*Lo= zQxNR&lJfeAH2hm+Pw@e-kM&ryM*`Zzu}@8HYR#P=#H1%9eo7Znhb}FK4k>s#Dn&XG zq&B$3(aUe6BN#bhOqA!PcjM@vf!giz_TF_?voFS`q^tFbGjz?rhR6~lr9PR#i{2sa>J67^zJg1Okl=(X&-y^|y#@2BUz4FY-X(Z2UKbC)$?KNsK51JZa97=|#Uv}aHm z19$`X_$r3zxM1u{EUX}(6>rs4n*eS~fAJ43Ryph|w`yJu~6!tLx4PnpuFT!36 zh#^FMBhb4iG;7xgLr_qj%=>L-&cMG68TTEegmggg4m-p-10ABdJZ0}YnWKb+_wH14 zvDR)6I;}4L+K8j8`0-PilZJX}+1Yh7SKSr!Kz;R>;+fXwuXP*WM8p?W3%9>Sgf$P# zo~4!5=%&BDuiWhCQBU7I7U+C|Whgl({aS}1$x0C?kwjC?be=gUquS+j(@bj!!MAcE zvD|+F(n3StYyX%Relv{!+z@nId2qusWa3m!QzLmtXsy}{bA5sCHWOhsMr0qDH!* zWG>6vap_xa!Aa?yh~-{!AU5IY(B%N4iMJ~CO!DfnH!s^x++8c}9hzvbX4W$QYQ%fy zp~sTuAAjJ|x(s^dMTiXg7VlKt6-Zo0&~eH0?s=k6ze9zCicumyW!!*UVSjj{wYP;& zI5Bdgey=<@ZEyOIY(k^2p`Xx*u81WlKk_^by<=-rw)QK(&tmSoxYFL_mAAN8WRf{? zelnWHk`G~54qXC3Wq;5C^lmU2=uDroz187-eW_7S*w z4#s00)($;+mJu28&h(~vsNB1(SPj$GbefetZWKdtL8GFjkxG4HyjomVH@f)a01ym$ zN_E(Uqtuh!LUnMGlb1_5VD7HaD^Xt*hKetoSt6W!G@GkVEUk^8Zz~$}9WR>FNEpv_ z-yiwIGsO4q$a8+>uqWWyK;Y_^vaV}*9CrR?o*G;5RdxFbP`;7>Xzd0>jKP{%4w)^xHn`SQA z0=G7hPn6EF3|tdYqtk-+_4SOP>?U8@B@`Y*)2un zi8UQhhdv?uvc9&gLb-Zy+aj0WXT^u=PocI+6h2)$$GQ8^7gMYThVQwD?e>dL_)~aE7PfiM)q^vm z?sYU9>%{4ND%}#OoIJaOal*uEkhl_CGDucC#Qj3Qa6Ul0TZjV~Tas>UPq*-mS(HXo zcCHa2x&w#`V+o0R0OPmJR6-mdvLQ8$sj^C%0?t9tBfwbB`_TE^k<#Y-7ItsE+Ny&U6K~>{w6B^QuoPq?^!;py`?Tf*M}#t)^=W^uzh^9kqjPXX16f>arGh!WPC&lQ+v; ztU=hKqcNDauB??3-&wACrF+NX;0&@Y)vhUr#A8?mUb&ihcVL~WRW`_2TO}V-uVt?+HBiAh@mmZOi=S;~Ehv)Fe9b-I zDJe2JyFlt?R6ecWAwMI*D6NR55Ijk~x6#UaPRf*N{ z3i_q%J0&=)*E7_kqYnn&z=Mm%Z(kvt@}7|9d+DWt zm#jcjQ<5XdUxV$z`tW{o2QM8Fwf{#j4wOVHr<~F6XGj|Ac*mb-W-FDCShX(qr z4-en-oS>sn7Gv!R(epfWTs`D`N~cy_w;K*&3HX7#RTti3im;Y@cABYTRA6`7R+oCCh*E_Sl|ZX)7MK zbc}L98|%ZGk^(1`iiDfmU>K&lrZGRJyxeel-pG>2!ZN+O++bQY-U>sh{w1Mm=|;=@ zAF6^D!E(P$peis${BNj&f6oR2x?a8LCw&lSO+|@CB;sS7ep&uOvscWxh-|wD9IA%4 zXs~~Z-mu`K&;_OxFI_EHEd*#k8cQfJ_oQ%|2F|v7*H~H@j`YbpoptwCTFq=)PbH{$ zR55I1nFgoy6W-L1o>c6?-ozs8r|o3c5;i=b;dFO5#h`+jIpmd{61J6XfT%M z={k4U8sJhY%hKd8X0M+>`~hB{woF`qrXizKx1UE3KXsv6TCypjW`(^zJQcj@MA!A9 zuYK2JRnFI|N&g5islAs;+BHU)5;WL#BeTS>-+LNoscl{C#<9W|f(bR&#?R=8 zM02w?a|2^CNx#XMH4yTl<4~({eknandP|vHzNk0tE|N61t~St|36qfKtJmVKx}T-r zH}|g93K5Nn#xrbS0O^&wvn*z{>!$4Q+jg&0&srzaDx2ZXD|Z7sX^~M;&UI|)A#&vK zkWi4AfzN<*aJD8X33%ch5#KGq62TfptRo4{iHD>lftL!&>g&B~r?fuBL-V!l^rkl5 z*1teslu-$`IaIw?nPNq;G`R*DPnPANcHwK0?KV3O2zFZ(GanV)WilZNw?C~OtglJ- zPGJK1I*}XMoeG-8#6ZGyOQC&b&#(-Ss04@t=tzVYl~n1<8O41OE0_v_q2zS1oyHcq z+vR$4A)Wy4%{_W&uf9pIrjZij>p!=FE*N7n2b~G=q@G9Z(j5;=<-dW5{!n$RWpJyI z#~Ygm!r(_zPl9yb%nHFjEi@eywu)RN<(Bb8o|HVA4UTUblSMQ<5jHV=pPe-5481mx zt_W4dsjXO>%v_t`K4800-ZXX6xpYzkY7e(;)bP0YfYEvd)Mz*|==&exG=ij#IfO&$ zq&@dHO7b9W1N?TjF6FPE$hpE-g@iX;if+<{Ptl+n?o=#2co-8(QY#(N-ZY)E#W^}=oeVROg$eo@r6TuCmmQr@{G85o*# z&f(1TK%C})cd*@N)2A6yA)Rz&1o(^}NC!`)&Hi8T-+jfe-B}lITz`N3{&m-8*m3SH zZ%*9^c4St3&{BLc5bTdH!Xl2+tB&~V2g8cX8>%7N*(s_XWoe-4T%YLWOhhx)nn?^J z3sZ&Ly3Sk`4?K-HQ&otE%)jUk)22b64w=3WL3Wn{t$C*sB2PJvXF+JOO;qSMLLvA| zc#sY&)MkzFSJL0SkZA+@udn`E5{yje6Ebv!PRvL693p=qmzLAAb>>xuB3#n;d+;~U zrP|mRy`!h&`GZ1uj40TIW&^P7vv=|`g@o?;zGFV3`lqjjG=1&QY@G66%&kAkr!=6; zTMdCWu*W7kCACjC$nx)Pw_x$}t%bONKcfex>Aa0JRDSRXxJ>oD9YJL45RZ|! zH}zUQ%{TV1LP@01_`>U4(;f=7WMV~iV-4D7sSP4?7Kp#xKOy+;{9|zZ+*IsUD^O|t zDg5%El*hjrx__fQ{wCq^-^!rC01tzJy41eJ>pmkd_X}omLh9-gxdn;bU4~pC-OV{% zNt^QZ+wppP|5oE8lk2KzfYBPLsY*DQrk8QSx>_+XhYoIfi$1U^(UXRGf95dt&8+uZ zq^n(whysr#rb8rm{vsR;(Fo#Dk_5)Ie^Y$18qye^hvG@ea?!0dKR0vVkcBvfmS1B# z$(vzNg<~Lm7Z3UMlbHWDu&gwRsboOktkOK;o{LYt@(40WiS_L1+WkK)fAfFNh5u9x z=AV`ef2B+O(?1J;ftUa3x$qaR@t>Xxe_?X|>ACP10^y&Y3xCCM|LM8#S8(J1VlL4B z?Uwt0Z8iPnB>W#X{HGFv|CiWJS_zp|SU~3s3eZ#hZw2(en;Bah)BpATUyF^6Md7fb zc92~0sXNLsGe1?N=6EVDuQ}JX&~6_ZrDL&YUJW`svkNB3bJ`0Cg7!j$;6VBFgF^QP z@D(7V5%_@Dn=)Zh;7cB%f2qPTH}vqncsh8<%+gI?b=@H*--Kg~G@o{9wX6V>XDS4d z?QVDc_^x@v^#e8;JbDuRE`xP@9EV-k=M1uyju@4Ma1X^B?><93_}0B`{J;V8+LA>i z#IybvO`xE&hB^W!Pm;T#;)8aBb`+5;Zgi)5Nn3;ZCMRg2WWJ+guBYH`hp-(h1I4Lu zv1p)wKctjg+Z8JT6684H5w}C;kIbwb*ew8PQ#8VJWa&rx^BB&ZU~n+ZQtYbo$DTtI z|L@y6Tv*e9U))zMGL@5+Ai}3R17A@L*1Bv_^GdV2_SJ>q3 zc^y@i9Siu+GGLVg8Z}KF{pPkzHdwBohf~XWUpw!D+5&$r{3=^o?_sC#i{xXx#70F* zr+Jt}wK&|vN{KTxTHq#FJgEnfOdN0*PKQ(-+~!xMzaYe8 z8b1>NxX@$pU$lr-;$hA)r~VE*FimfXBXDHf!xn_l8I7Fw%*e$Y<6z5gpcE3U-_O1! z*||83*`F8A^MklLh6nf$(zm0_D-;r@Oa>2jOdI8`XFFW~$z-ds<}E&76=DQRZ#@Vm zZjQxSFromyGdqk$p@8**t~-nvuo(7E>HnT-p?RrBOSJB9)27 z%(BGlPE}RAWVsj;OSj}*6R*y~=;g-7lA+@M7GJc$1T6{5%SQbe6=^^C$`8%}Ox(rk za#Y6E4m5=oiLmlA2Uy1$n>G0jDtCi)o?Osp+b>y3syE-f>y#4Yoh{S9tlAhe=g@Rk zdh0U>mhOHUs@W~6XezOMk8+Zk^KLIOsVGS)wb<7!HK~UPZ--p|c5g;&zc)4kisC># z4~}Q2{cP9t;8%=0i$|;cjU_+EYJUc+F5<)TwT38PJt36Ck|L3# zPc*dz_tno|XDR>pp@#bRgl9?gXWEBQo^*in!gjeyzj$C8+!6m1RosT_!!)n9v9#k- zyRjQ@-<<=Gbu?u_nnVt2U}1NaeXI~$P(`2OpZb04xE-Rk1TA( z(W8S=gGx@w@v!X6@JzT6*`fY*h95v0q34|!U*iV3aONv(j+c6LUNY+4o~%)ne%n28 zUK8M4ZPEvw6Di{X>gHDH88XLqg;Q3&+Lm_eo@S)xB;EQLBA-*AG5V_jQ>#b?4?jsA zDZYSOu;w_r@pMOz-C_>9ii*a`_F~1F%Y%}{hh}6BZAes{*dx`!y_e+y>+`%@+@)2L zk>zq8NGxtHL}yokbPC(ft}X$F#3@G_Kb}s&uep)}y~qvnOhFFV%MMgJQZ`l(qOuW( zG*Ekm(ey3mAT$k)=PtHg-ofY3)w9!1Wgr7?VZH)fpEJM1Uk_6O=<*PEYv%jx}2C44fo zb-&-yfW?qMU<5Tqrmrb05g;oW z1v-ob0Ql2^z!`v%t)aYwt(_xKlR8-&*yx*E(OK9Tn|>^QYyuD^MI}T5ARr(BJ>VDM zV+9}t00Ra6^8z+-;0xjt1OzxZ1Pl}u^7I5=1sSlG|-$cUfek>Fur5z!HmP*Bm( z(BKd-Fws#lkx|i5|6BwF4EPyv2xtfhXw=WJpHcsh+eaq==@TFt1ONs?3;;y}0Yd`$ z=mj1f2mpZq-tC_o{?`Tq3cN>1s87%^u)qm*hyYL!FfdSXus?SVob3htI{+LB0-1mFZ_p_9qg-sxCCesY_C30|#Gd7<3FwENn7z3QDRkEUawo9GqN2!Xlz# z;u4Zd$||aA>KdAcM#d(lX66=--<_OYT;1IL`~w1mf*^aCo0_|Odi(kZ28V{HXJ+T-7Z#V6x3+h7_x2ACkB+adZ*K4IA0D5c|Iqb^ z&VOtFLfGHYg#@Gv6dW839O@5UAfPV54u%8{LBt4&ET90TZ;wLE^z##{U`%#Z7c>d8 z;w74a!xRiUDa#hw)gRLSqU^s%nD759%Kn|O|DbCb00%rL6%+{!3BU(l{0_k~`k31_;ufwWg5D7S8ZeoBa0K_xJ!b+P=>f`1gJQ{Nv<50NHA4 zAApW}pVt_%SJKp=H<;#*x3`)Pz;5V9PFO%V!lMK$!ZVta&&!MH2Ve-*r(2@PXR@^P z1F*5e_by)kOxdX3`9GKX|AJS8Q?L9^QZFr3wJU9G`^%ICM$L?PgL~c4hAw!9HjQVR zcR!6k03`cW9{{}-`ZpXGty=~G5mZG?1rbz$D#Gi8&%@^rz;a!iI^PZN2Vj-`17I;D zXmW?DAg=#yyd>#ChcM{lHFNk?YT7$e zo6vh;x$gU$#s}b<*X{#=xX^uV;U3P_cV232>qvusGiHt~o@KFIj!i#!eZly1(#@6P zF{Hxg^_5Xd>m}goYXNO%DAnf@?ucQB7Ii@f?HmI;yR!)jbBOMN3ZHJyB2$9PgyW?T zK!vK$Yn1%q0|uMsV|AKJnp$0J4LjTPXqBFe$VybJ^@Q zxu1c9?y?G#z_Ab&`p~&nL4?>hl=2s7c1ufO_q1hN2)Mjp1Zgb0h&+?TGl-HZRKy2h znuYIlYsA8_&p_U5KVlKO>YVsSi?@D16=e#I#fw05mL-h3bOZ4?(Iu`kcFY==EnDAN zUIX$_qLVaIg2zEd3%KrV|19CsKTG%zovNNv+fur)=H2&q#tc~KxV^tJ&bsMI9VY6a zO1UDRD&eMCgclBn<@77{cmlUvXHYAT;MVyG>!t#_fDYKU+f3}~ zEG1KGk#Yme*yECQeR(Y+ez5dgv|JPwFgHwn4-;HHL zfV0H)MNs8I{^rS^ztj5wj6Qq->^9y?WuVh$6-0;vOkC5XaERgI`1b zW{k4}hkCGFd-w~1ZuZq_OU5d3t`=6~9EQ|^c5XlU9JJBSKP{8r2?~#iN_QX=A->8B zzHdb0fbFD>X7A}~;#q9{DJ`=#OY_td=RHE-tsoOewl#5;@}(H-tI-!;e??*5s>r#t z9fVLWv7dKoynIR;NoR~$s_H*H^)gG~&j(@|kJ8zeXR2V{Mu~Pl0H6FAvB{#D0i=AE z)9-eiI33fRuNJgE+p;lUTOMmn!^_+*Y-4yu+ETJA0p0JXKj>VSyTk{iVHyYqCg3Ev z1d(69hmj1tM7#LY;rv*_%_d;Ln)qeFO#thfInlQ)>>d$29Ni(3;@mh0$He4bO7-g2 zH3(|?`}8Fh9YgTBe|?W%C6zTAaQrwpv92g^GK=_L((cKh@Qm>sre$_dL(& zDZ1z$Ndob{pIh~foCWm{bM1Awu28w4f<5`jRxQc$1h+R0&X*xkAk=3<@?|>nYP?oA zf2P}K&i`i7y`4aH^}YEO+*MeF8~7RRg|+L)tAF`m%u4*+ao z*MByc~~nXpN04 zpn%CDE?JmOyQQ8eeU)U=CgsA9FDXS4q8@7ey2;Z=G6s$|bdbF?u>Pb)S9e9#*HiGb zps#uho#S6&uy2KEW#m6i3C>kvD? zS!4a!{ks~|O7}{P4KX)4=g>PAZRhSTeVtR?!F|U{v}>A3)BNjf*jVg3C&_jF-i~42 z;DI@18(%P)I|Lk}0#G`9c2S?LK`hB7jr#%N2*h|D+ky?S)|A)1XQMVurKk~OnVQ6d zatAPhoTKMm%@$aHzD?dv)VK>s?B*j&kVFp@rBB=mP(5|)GXUAK1AqaX-}+Q4LfZ4W z$Jn>w3vHoO5#YrfVxexZuoZLt0%#cf59IALgBF~^l6l;13AL>GdhAy`3rua99rYT9 zIX1o4-8VBq_-H!*g^5v*%G`0B^W!CDnVzDLV+~6kHh(R0$jPGW$*D>?QrKs||yoERPrD+fgPK1)!RdHNz zqVpwc;JjV?_cQz>e+LK%6==+p7MsbHG}yxrKuyqD({@(ib9+jTYyG>7Pgh^;+WP5v z({EW+E{TT}We0_t&L{En5@SbshrA10YR2jDqvlYw+!62MHP4Aw9&X1g{Fh$-^{*-D zDdz3a3zR2zFOUn0K@NzUzGYD0_>U4|uQUhsbuT>4pJKVyx6{r-PmMAJkR_U#0N^*Z zl$`^zBD52oYxu|S_ov6ry^7jxJzOgjxRN{v35%Xp;hSTGa7$LW$Rf;wk5slfkG|R> zcW<)KjHHTPsHZKtMs^2uP(+cN{9r*O?Up@Xlc$^OuK<^_rF8X|+7@h;cz4yBVs*Mh z>iNplLlAipKX>2G5%{^q^Ch+=NStEXK@w(n8F)Xj?se1_4oLX`O|7l6c0x;$Syt+h z`4PEV2SEvLY6dznZZw7DoeIF&JR&V~zS2jV$c6yETwJ&a6U7=b< zb2YaVtc7q_tG(5I#3MLxrP<&}ry}0MJ(oRO&Az5rqpDw(pi<|sOncRTCX)syyMPp8 z!uobGwtW89cHctZJ%PmU3AJr4IxfDg#Cx9MtzsOHjDrJe3=cKDw0Vn1GQ1EyrCNfid8tn!*GxWnNG|U8OfF(>EyJtm|-@)$9Y|fmQ z_4duXC*yUsAA<35z4z+YiRNCh_hJ|Nzv_%QZd3ceIMtT~7vCpD zvWP}Z@q_qQTq*;+y+H`rryqQvZ(+wo&#!ixH0biojf5NZS{4II;Wrr81{~z{qp;hs zwvIhG&%MxbkmS%LRPxSK1V6hBG*pWdPT%^FNuf1Kj0W#K{Gh}MBFq7%PO`w!&6nH4 zu0J+ktLM*`v$S}qfl--~aKn}2b%k_c!7xS&neyoE>AvD!HXruSJKEb8bf*|GZ=r$y zCXD^MkNMiP%(-b}z47@~>aBizx>a!KvPbG#uhvxDX-q%W+!(?+F%tL3uRBPY-H2ZS z%Owp#Ju1B;iK!%L;kkZMtmc|8E~bZ69{`!F<;bu?^CiM-tim|J3mW>^2f&Bg!92Gi ze2BWtjH@OcAKzOw5m5D)d<}0K6!aBG-KW z2cRb^=(#p}%bzDzQfVH;p1UrJ@E)MF^q3|#t4>=`ZuouRSKuCQ*5JafXv`)7 zgk=M}^X193xqlkR*}6w^0nr|?!0J!bL3BZqC&q?E9($mA>n^yA@8<{ZXl^HolLcSS zf=C>UXCAVcwnEN^V>F&sD|nmNHBmF zyPEC#yX+Ty1%=X?SnmeW(y#gG3F@qeGkjWRmFavY2rDGgj}M;j1hcmrr}Suj&>031 zBP-fDJNDt3DuE922a!T-@L!`UvCFBZ;sQiWygp;!ULmSbaTn-m_zXUk`7E-Hd;mn( z=HLE)Y%=!W&>qTn8N>^^Qx~-@hyM5Mza^}Bgm*k`^3}ZwQ=3GHvf@7gI3ECm3H(>8 zIl98>?<1AyuBP^8^tXrMHKG~*QkFno$(81|J9Gz9~MgQdQ4%+!YA z5i{dOB(%kwmT2`>`8@)t>4AG*p)0=ri?{8?17I8sj94q4w zhS|~6g{+EYO|9id4hT1M)K7w3jqS6zM3J2;l*96#M-MnEwdQvF9 z8o5`VYX9Pjb?eHiGE=8d**IhB!7Uy)p=_Jbnyj!Si2)93|M1&+yMz6m)D!kuZ&ADtqA2>ps@^RC|#d$~K-XNE~u8LktHh#W53 z(M)qrT+l6kg3SkR5xNn6nPWQ_ZjNwoR0$40TneO8}4$cx;N4E!21wbf1lrj5rDHi>kPo4G&N8OWt=}prfk6-Gr(|7Hh zxR-O!>=!EUUiT>9ytqDm&IFpf6az+0bKt2hd?u{G33^cqNw1{xA|$z| zy~hR{Vi$j5nk;KMw2QAago9e%Dip zKXP~e#4Gmdq1L~F%eR@a(2gIZu)qUR*5{J1)%$>Ku32i8Nv1;6&B?#~#sP-`@Y-j+ zmu}!g)~{~Mux6nSi-()k%oPX!fso*Wj%gsk$piQEoRu}imi04i&%CC;lx>j(JKKmO z_KpD)LalTC(erZaX#c$G%w7BR*1?l z@m+k+MD+e6P}BY1DqDd8LD?_sO*;fZVMRLa*_Y=BQjN)wkx1@WZi?1=J+{LwF4lw) zmR717B!@-Alv$9@R?UDmk?>`5euz@C9Vql@D^y%p1+QPefAJVk~CaTo#|ezV|Ca0cr<0EBAQ)k9CI8J*QdEB5u#SPAPcw+*Ol zv=ukYE7=5jo$kik-hynil8=yNp@ zL3H6;DUMbQPy@)lhP?M=T%2LN13E@uL)y9cqC9!(+c6&Pi-#&s#kZShkj>{h+)sP^ zQ&uI>bTV2DGbSLs`w1{wt!cb<1IVVVlQ-8aV_`+)O4u)aNLim(M1;nU^X52K=1-@L zP>p6v+1`-F#tCYmPHhW3!P|WhE!>mtFGBbHJF9^*t{kbVQ51n@0F%ys07Q*~Pi#uW zbE_nGay;pFdzY*s)oS02M(&S!$B%n!gh zP>R=Cy8o@GdF+@nC%XHOGpw3NP5*0l_Go?a{#p;IntWe$yHSjIb&1g>J1T7EQn@=N zSVoq1Yg0&0S~pi-RfDoi4dFYa`&CpZUp-%sTo6}4e@vzMLc?Hy1=J*s-=eODd(7i4So8nNaqAwL4XH+EXZJr&_QfTBQlJiG%nUI!ISk3LS0$09iWk8H zxN53M;lB8~M<$$Oy99c=fN3uFToH&y$=1X#A&_4p2Mcy(wD3n`W{A2VstBGx@mIRL z;?m-fq4{uU(aSOQZ`19u+ftKE>fTqqhhj7t;{-Lcmaa+sxasRq9f!L zq;QA3-E2nj*>Bd4zy zu&S=1jKv(+4U?2Pq5IsRe^$`Hb~sr2Cj!=}7sw@_!mg&3SXp1SOllg(N{@5 zL05t|YDV0WfL_hsB_3YKVg$d2ZgJv}v8L1=kD6APF2ofmTl%pimyyI5P9wNTOn?`x z#`8tc_exar3;nXAMEAC^w->FG@2TX^rJ$c(2O_+v)J=QG+2bwxIyv{Son&_NbLmmb`@!}5WrrPmzPmA3ZaDTvkU0AG1Be& z|4eMC_quutdykLVu>SFek$QE3BbN)K&H^8!DpF!SUVDB;3zZ&UdxYQr+lgtr+`JjZ0RJ6RIPn} zr>cxd{s0(n#=Rpm+|oZ%G<4&U&8{sSKW`HBcokKH-CYYioqqlFNV_Q)cv|gh+3l_x zXO~N08Mq|Vg&(LolGVGA`Y5*}*N0H|s4KnDj;YO)^dJFoUJ52zrPbfP`V^TdH`p_t z94$L_@6dAHgY%Vg?w!`vLuZOsFHCOU>MlZjsrK0`?rcV%NsA-ZV5}3d;1}~`ix$12 z#6gC8oi``@4L8-6nY>SnuTBX5n24)Sq^H1@ZWrR?7s}5KAvScjz3w$fsVrm3H85Mw ziOS<921aJHaNd`wEA$*2Sno`h7@E9iNj=#)N5@@Guv&*UrqO=(1=KOYF*Ud@YCU_3 zxJxzJ-vMkm85Gms)y5sXr*u)uZ&S_-9?43>l8wdR$55-qjYb`Ii`Ap>ty_!J^=RrR zJ^-|Ak-0q^=&v57uFZG^@{jh8d5aT;6VA<*X*4nY$2VU@JG%h}#Ni1v2p54&7^Fvb zCx%Oum8leub61)k^a#2~_)xP>mHy$W9J#R@fc(L|Oquh8fu>{E zbDr-M2N)U_- zL2Sr^xBt1^|4(?A{db}4yR^JV_Ysj)xAK6VF|Hg5+OgRNcoi2kteE51O-9PvMAN&f}n`BNsLY+Au~ zg%A<2`5^IvfPMkaz!q7~k${J5K8;^c@&+>451q>RNqnXF*oVMz`pX(iaq9hd!tVnv zc4=u8ykrQ|ZpQoA(P)q%=^o5QPx5{*Exh0SdZ8E*447)lx)6@K#_n$lBg)I-bjAhz zlb^@PswPjV75of8)e88 zE4S?y@Ev{Pz_54FBz-R`^C>ssQ#@;qa>=u{Qv4cF`SqLX&`>cpj|;?#lkq%%;1RqD zsg(Zz)84s9L%H>Fd|bi^xhAI*Q;|zZ5k?BRM3W+fL?f5T7?;r~N^eujluNJUev28? zjSLx7vlDZm$h5qR$pE+H@5&EKorEjXLTVP+D zd(%ck*Y`z*XN7*d(JvlaDdvqFMwj2<_s+NW?Ws2|*4|2;A_w+ABYqFhNOwV&);0Hw zrp>O@sk#*J_Xeri7aO54I(z`=nP2nBnbgj2c%bhjIQkCn>lOO5@1hUZVlQZkR2}Fx zGApOnbQGt*svI0VbR`i85EAxhka8$LXaASSmJ8O-EwU+s}QcV9YOcvOW zdAC~EV+A5+Nb6z`u4< z*Gx=YKG1!ozzela}pzMocJ_b$zOSDSWx9w>Se~^@6{8{;ndvGv(EfG3ir!pu9vJ=foVkB8?>~3 z3zOS#%QSo$FKc0XNsQT=!RVuqNOex9N^bBD$&_Vp_1$Bhm~(eRroM})kHe2P2sm(mPJ)qDQA$!^HOF-`-r>@)MaC-j6OMXC+BHLBleBNa@ z-2V2)shyA1o<*lsQHD#wpTPUTw!4%=Rg zcHAuf+NQ#CExrY7$decAPuFyv8q3rdx0Ee8hHFeuP1Yk166rI3lt%e8Hl6#5O{mu; zv?3FmFgNL&j`qfAOOmt>`uL&K)*(D6rUwK|$2-r*3GK2zhj7WSbUpqDpP4fGOuOYZUbUcxu~rvNP;OaTr1k$xGO&I z*81MoW2dUjh2!I*D#i3Pi@|g{>rN)3ngqL)YC+)ij zOx90C<{nnypke*yVj6%A@xq22wLcx`g>z-alnrVjz-KZf2RMccdkw@P@HphShJZ!N zoHPMDrw(eUroF363NUm4&QY_x11|+2QH!-Ioik>wO#v6&Lwp0UEC&{a9e9+XSOe&8 zf7%a&0W}0Uu2A5wEEo>s>*+OL7Mh*z1@%XHD=onrIObk-2#PoXJjJ01wzvQkp)DrQ zUjzJamQn+P!v`3QPksS{L$QJF%cA$RG>uimhQlEa8mM^y_3imZ>Gz31AK8h{Wx#>% z&Cb)H4Gkr9X&X>QfOiOO-8pS!knnf|hd)0gjo1y&A!Y={K`VHJIEl?1xF6}7Y#fKY z1r!G@Xba+OwU);%+Lh3XlpwB8XL%f3Z~^Kaw9p!eb2L~U$5t+Y;-JNhK-_Ml<#B8Y z04NSx(E`Lpn=g-J=h8!QP$7H}mus~=j-8Ya#X&W>L7b2E@;G*OHxvg|eFbq2cFW_~ zY0^*}RE7}5NjWc%n-e93@}N>-Ag|h$gZCrKIAWh8))t*lpek7)S^g*od9i?7bi#xx zvVgp4k41PKo^pioqMj~I=Jn!+y!0%%G+D@-8#1V-0`0e@$zsR3A%hAf+>@n!xFLh8 zAKa6F^W}yNDrs;}Mx5Y=460LbPu}Fm4H;B?;GV3G;f4&VC@e>2X%T?eHh*r&b2G(% z4V8sxB$g}m((4as&OGR~aljlJnn6Ez-%F)j1sI a^Dn$Ms1-noLl{gM_`CvE`_ + + .. image:: ../../images/ccheart_black.png + :width: 108pt + +.. only:: builder_html + + .. container:: ebook-download + + .. raw:: html + + + Download PDF + + + + Download EPUB + + +.. only:: builder_latex or builder_epub + + .. raw:: latex + + \clearpage + +.. rubric:: **About the Authors** + +Benjamin M. Brosgol + +Dr. Brosgol is a senior member of the technical staff at AdaCore. He has been +involved with programming language design and implementation throughout his +career, concentrating on languages and technologies for high-assurance +systems. He was a Distinguished Reviewer during the original Ada development, +a member of the language design team in the |ada-95| revision, and a member of +the Expert Group for the Real-Time Specification for Java under the Java +Community Process. He has published dozens of journal articles and delivered +conference presentations on topics including the avionics software standard +|do-178c|, the Ada and SPARK languages, real-time software technologies, +object-oriented methodologies, and the FACE\ |reg| (Future Airborne +Capabilities Environment) approach to software portability. + +Jean-Paul Blanquart + +Dr. Blanquart is a recognized authority on computer-based systems safety and +dependability, with a decades-long career that spans academic research +(LAAS-CNRS, Toulouse, France) and the space industry (Airbus Defence and +Space). He was a member of the ECSS Working Groups in charge of revision 1 +of ECSS-Q-ST-80C and ECSS-Q-HB-80-03A (and also the dependability and safety +standards ECSS-Q-ST-30C and ECSS-Q-ST-40C). He has been an active member of a +French cross-domain Working Group on safety and safety standards since its +creation in 2010. This Working Group gathers industrial safety experts and +related tool providers from domains that include automotive, aviation, +defense, nuclear, industrial processes, railway and space. + +.. rubric:: **Foreword** + +| **"Failure is not an option"** +| Gene Kranz (NASA) in the film *Apollo 13* + +Software development presents daunting challenges when the resulting system +needs to operate reliably, safely, and securely while meeting hard real-time +deadlines on a memory-limited target platform. Correct program execution can +literally be a matter of life and death, but such is the reality facing +developers of space software systems. A project's ability to produce +high-assurance software in a cost-effective manner depends on two factors: + +* Effective processes for managing the software and system life cycles, + with well-defined activities for planning, controlling, and monitoring + the work; and + +* Effective technologies (programming languages, development and verification + tools, version control systems, etc.) to support the software life-cycle + processes. + +For safety-critical application domains, the first factor is typically +anticipated by a regulatory authority in the form of certification / +qualification standards such as are found in the civil aviation and +nuclear industries. In the space domain the ECSS software-related standards +play a similar role, with the current set of documents based on decades of +experience with space system development. In particular, the software +engineering standard |E-ST-40C| and the software product assurance standard +|Q-ST-80C| provide a framework in which software suppliers and customers +can interact, with a clear statement and understanding of processes and +responsibilities. + +Technologies, and more specifically the choice of programming language(s) +and supporting toolsuites, directly affect the ease or difficulty of +developing, verifying, and maintaining quality software. The state of +the art in software engineering has made large strides over the years, +with programming language / methodology advances in areas such as +modularization and encapsulation. Nevertheless, the key messages have +stayed constant: + +* The programming language should help prevent errors from being + introduced in the first place; and + +* If errors are present, the language rules should detect them early in + the software life cycle, when defects are easiest and least expensive + to correct. + +These messages come through clearly in the Ada programming language, +which was designed from the start to enforce sound software engineering +principles, catching errors early and avoiding pitfalls such as buffer +overrun that arise in other languages. Ada has evolved considerably +since it first emerged in the mid-1980s, for example adding +Object-Oriented Programming support in Ada 95, but each new version +has kept true to the original design philosophy. + +AdaCore's Ada-based tools have been helping developers design, develop +and maintain high-assurance software since the mid 1990s, in domains +that include space systems, commercial and military avionics, air +traffic control, train systems, automotive, and medical devices. +This document summarizes AdaCore's language and tool technologies +and shows how they can help space software suppliers meet the requirements +in |E-ST-40C| and |Q-ST-80C|. With effective processes as established by +these standards, and effective technologies as supplied by AdaCore, +software suppliers will be well equipped to meet the challenges of +space software development. + +| Benjamin M. Brosgol +| AdaCore +| Bedford, Massachusetts USA +| November 2021 + +| Jean-Paul Blanquart +| Airbus Defence and Space +| Toulouse, France +| November 2021 + +.. rubric:: Foreword to V2.1 + +In the years since the initial version of this document was published, +both |E-ST-40C| and |Q-ST-80C| have been revised, and AdaCore's products +have evolved to meet the growing demands for, and challenges to, high +assurance in mission-critical real-time software. This new edition +reflects the current (2025) versions of |E-ST-40C|, |Q-ST-80C|, and AdaCore's +offerings. +Among other updates and enhancements to the company's products, the static +analysis tools supplementing the |gnatpro| development environment have been +integrated into a cohesive toolset (the *GNAT Static Analysis Suite*). +The dynamic analysis tools have likewise been consolidated, and the resulting +*GNAT Dynamic Analysis Suite* has introduced a fuzzing tool |mdash| *GNATfuzz* +|mdash| which exercises the software with invalid input and checks for +failsafe behavior. + +As editor of this revised edition, I would like to thank my AdaCore colleagues +Olivier Appéré and Vasiliy Fofanov, as well as co-author Jean-Paul Blanquart, +for their detailed and helpful reviews and suggestions. + +For up-to-date information on AdaCore support for developing space +software, please visit :footcite:p:`Space_SW_AdaCore_Web_Space`. + +| Benjamin M. Brosgol, AdaCore +| Bedford, Massachusetts USA +| December 2025 + +.. toctree:: + :maxdepth: 4 + :numbered: + + Introduction + Programming Languages for Space Software + Tools for Space Software Development + Compliance with ECSS-E-ST-40C + Compliance with ECSS-Q-ST-80C + Abbreviations + + +.. only:: builder_html + + .. rubric:: Bibliography + +.. footbibliography:: diff --git a/content/booklets/adacore-technologies-for-space-systems-software/references.bib b/content/booklets/adacore-technologies-for-space-systems-software/references.bib new file mode 100644 index 000000000..6b8d7ec39 --- /dev/null +++ b/content/booklets/adacore-technologies-for-space-systems-software/references.bib @@ -0,0 +1,265 @@ +@online{Space_SW_AdaCore_Web_Space, + author = {AdaCore}, + title = {{AdaCore + Space}}, + url = {https://www.adacore.com/industries/space} +} + +@article{Space_SW_Kriedke_ElGammal_1995, + author = {{W. Kriedte and Y. El Gammal}}, + title = {{A New Approach to European Space Standards}}, + journal = {ESA Bulletin 81}, + month = feb, + year = {1995}, + url = {https://www.esa.int/esapub/bulletin/bullet81/krie81.htm} +} + +@online{Space_SW_ECSS_HomePage, + author = {{European Cooperation for Space Standardization}}, + title = {{ECSS Web Portal}}, + url = {https://www.ecss.nl} +} + +@manual{Space_SW_ECSS_2025a, + title = {{ECSS-E-ST-40C Rev.1 - Software}}, + organization = {ECSS}, + month = apr, + year = {2025}, + url = {https://ecss.nl/standard/ecss-e-st-40c-rev-1-software-30-april-2025/} +} + +@manual{Space_SW_ECSS_2025b, + title = {{ECSS-Q-ST-80C Rev.2 - Software product assurance}}, + organization = {ECSS}, + month = apr, + year = {2025}, + url = {https://ecss.nl/standard/ecss-q-st-80c-rev-2-software-product-assurance-30-april-2025/} +} + +@online{Space_SW_AdaCore_Web_2019a, + author = {AdaCore}, + title = {{Press Release: AVIO Selects AdaCore's GNAT Pro Assurance Toolsuite for European Space Agency Program}}, + note = {January 8, 2019}, + url = {https://www.adacore.com/press/avio-selects-adacores-gnat-pro-assurance-toolsuite-for-european-space-agency-program} +} + +@online{Space_SW_AdaCore_Web_2019b, + author = {AdaCore}, + title = {{Press Release: European Space Agency Selects AdaCore's Qualified-Multitasking Solution for Spacecraft Software Development}}, + note = {September 24, 2019}, + url = {https://www.adacore.com/press/european-space-agency-selects-adacores-qualified-multitasking-solution-for-spacecraft-software-development} +} + +@manual{Space_SW_ECSS_2013, + title = {{ECSS-E-HB-40A: Space engineering / Software engineering handbook}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 11 December 2013}} +} + +@manual{Space_SW_ECSS_2020, + title = {{ECSS-E-HB-40-01A: Space engineering / Agile software development handbook}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 7 April 2020}} +} + +@manual{Space_SW_ECSS_2024, + title = {{ECSS-E-HB-40-02A: Space engineering / Machine learning handbook}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 15 November 2024}} +} + +@manual{Space_SW_RTCA_EUROCAE_2011a, + title = {{DO-178C/ED-12C: Software Considerations in Airborne Systems and Equipment Certification}}, + organization = {RTCA and EUROCAE}, + month = dec, + year = {2011} +} + +@manual{Space_SW_RTCA_EUROCAE_2011b, + title = {{DO-330/ED-215: Software Tool Qualification Considerations}}, + organization = {RTCA and EUROCAE}, + month = dec, + year = {2011} +} + +@manual{Space_SW_ISO_2018, + title = {{ISO 26262:2018 Road vehicles – Functional safety}}, + organization = {{International Organization for Standardization}}, + year = {2018} +} + +% Space booklet +@manual{Space_SW_ECSS_2017, + title = {{ECSS-Q-HB-80-03A Rev.1: Space Product Assurance / Software dependability and safety}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 30 November 2017}} +} + +@manual{Space_SW_ECSS_2011a, + title = {{ECSS-Q-HB-80-04A: Space product assurance / Software metrication programme definition and implementation}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 30 March 2011}} +} + +@online{Space_SW_MITRE_Web, + author = {{The MITRE Corp.}}, + title = {{CWE-Compatible Products and Services}}, + url = {https://cwe.mitre.org/compatible/compatible.html} +} + +@online{Space_SW_AdaCore_Web_UG_Cross, + author = {AdaCore}, + title = {{GNAT User's Guide Supplement for Cross Platforms}}, + url = {https://docs.adacore.com/live/wave/gnat_ugx/html/gnat_ugx/gnat_ugx.html} +} + +@online{Space_SW_AdaCore_Web_UG_Native, + author = {AdaCore}, + title = {{GNAT User's Guide for Native Platforms}}, + url = {https://docs.adacore.com/live/wave/gnat_ugn/html/gnat_ugn/gnat_ugn.html} +} + +@online{Space_SW_AdaCore_Web_GNATformat, + author = {AdaCore}, + title = {{GNATformat Documentation}}, + url = {https://docs.adacore.com/live/wave/gnatformat/html/user-guide/} +} + +@manual{Space_SW_CENELEC_2020b, + title = {{EN 50128/A2: Railway applications – Communications, signalling and + processing systems – Software for railway control and + protection systems}}, + organization = {CENELEC}, + month = jul, + year = {2020}, +} + +@manual{Space_SW_AdaCore_Capgemini_Web, + author = {{AdaCore and Capgemini Engineering}}, + title = {{SPARK Reference Manual}}, + url = {https://docs.adacore.com/live/wave/spark2014/html/spark2014_rm/index.html} +} + +@book{Space_SW_McCormick_Chapin_2015, + author = {John W. McCormick and Peter C. Chapin}, + title = {{Building High Integrity Applications with SPARK}}, + publisher = {Cambridge University Press}, + year = 2015 +} + +@manual{Space_SW_ISO_IEC_2016, + title = {{Ada Reference Manual, Language and Standard Libraries}}, + organization = {International Organization for Standardization}, + author = {{ISO/IEC JTC1/SC22}}, + year = {2016}, + note = {{ISO/IEC 8652:2012(E) with Technical Corrigendum 1}}, + url = {https://www.adacore.com/documentation/ada-2012-reference-manual} +} + +@book{Space_SW_Barnes_2014, + author = {John Barnes}, + title = {{Programming in Ada 2012}}, + publisher = {Cambridge University Press}, + year = 2014 +} + +@manual{Space_SW_Barnes_Brosgol_2015, + author = {John Barnes and Ben Brosgol}, + title = {{Safe and Secure Software, an invitation to Ada 2012}}, + year = {2015}, + url = {https://www.adacore.com/books/safe-and-secure-software} +} + +@manual{Space_SW_ISO_IEC_2022, + title = {{Ada Reference Manual, 2022 Edition, Language and Standard Libraries}}, + organization = {International Organization for Standardization}, + author = {{ISO/IEC JTC1/SC22}}, + year = {2022}, + url = {https://www.adacore.com/documentation/ada-2022-reference-manual} +} + +@techreport{Space_SW_Burns_et_al_2003, + title = {{Guide for the use of the Ada Ravenscar Profile in + high integrity systems}}, + institution = {University of York}, + author = {{Alan Burns, Brian Dobbing and Tullio Vardanega}}, + month = jan, + year = {2003}, + type = {{Technical Report}}, + number = {YCS-2003-348}, + url = {https://www.open-std.org/jtc1/sc22/wg9/n424.pdf} +} + +@online{Space_SW_AdaCore_AdaLearn, + author = {AdaCore}, + title = {{Online training for Ada and SPARK}}, + url = {https://learn.adacore.com/} +} + +@proceedings{Space_SW_ACM_1993, + organization = {{Association for Computing Machinery (ACM)}}, + title = {{HOPL-II: The Second ACM SIGPLAN Conference on History of Programming Languages}}, + year = {1993}, + url = {https://dl.acm.org/doi/proceedings/10.1145/154766} +} + +@manual{Space_SW_AdaCore_2016, + organization = {AdaCore}, + title = {{High-Integrity Object-Oriented Programming in Ada, Version 1.4}}, + year = {2016}, + month = oct, + url = {https://www.adacore.com/knowledge/technical-papers/high-integrity-oop-in-ada/} +} + +@manual{Space_SW_AdaCore_Coding_Style, + organization = {AdaCore}, + title = {{GNAT Coding Style: A Guide for GNAT Developers}}, + year = {2025}, + url = {https://gcc.gnu.org/onlinedocs/gnat-style.pdf} +} + +@manual{Space_SW_AdaCore_Thales_2020, + organization = {{AdaCore and Thales}}, + title = {{Implementation Guidance for the Adoption of SPARK, Release 1.2}}, + note = {July 24, 2020}, + url = {https://www.adacore.com/books/implementation-guidance-spark} +} + +@article{Space_SW_Brosgol_2021, + author = {{Benjamin M. Brosgol}}, + title = {{Making Software FACE™ Conformant and Fully Portable: Coding Guidance for Ada}}, + journal = {{Military Embedded Systems}}, + month = mar, + year = {2021} +} + +@article{Space_SW_Burns_et_al_2004, + author = {{Alan Burns, Brian Dobbing and Tullio Vardanega}}, + title = {{Guide for the use of the Ada Ravenscar Profile in + high integrity systems}}, + journal = {Ada Letters}, + month = jun, + year = {2004} +} + +@manual{Space_SW_CCDB_2022, + organization = {Common Criteria Development Board}, + title = {{Common Criteria for Information Technology + Security Evaluation (ISO/IEC 15408)}}, + year = {2022}, + url = {https://www.commoncriteriaportal.org/} +} + +@manual{Space_SW_CENELEC_2020a, + title = {{EN 50128/A1: Railway applications – Communications, signalling and + processing systems – Software for railway control and + protection systems}}, + organization = {CENELEC}, + month = feb, + year = {2020}, +} + +@manual{Space_SW_ECSS_2011b, + title = {{ECSS-Q-HB-80-01A: Space Product assurance / Reuse of existing software}}, + organization = {ECSS}, + note = {{Noordwijk, The Netherlands; 5 December 2011}} +} diff --git a/content/global.txt b/content/global.txt index f72eaf999..e034f9b98 100644 --- a/content/global.txt +++ b/content/global.txt @@ -66,3 +66,19 @@ .. |ssil0| replace:: SSIL\ |nbsp|\ 0 .. |ssil4| replace:: SSIL\ |nbsp|\ 4 +.. |ISO-26262| replace:: ISO\ |nbsp|\ 26262 + +.. |E-ST-40C| replace:: ECSS\ |nbhyphen|\ E\ |nbhyphen|\ ST\ |nbhyphen|\ 40C +.. |Q-ST-80C| replace:: ECSS\ |nbhyphen|\ Q\ |nbhyphen|\ ST\ |nbhyphen|\ 80C +.. |E-HB-40A| replace:: ECSS\ |nbhyphen|\ E\ |nbhyphen|\ HB\ |nbhyphen|\ 40A +.. |E-HB-40-01A| replace:: ECSS\ |nbhyphen|\ E\ |nbhyphen|\ HB\ |nbhyphen|\ 40\ |nbhyphen|\ 01A +.. |E-HB-40-02A| replace:: ECSS\ |nbhyphen|\ E\ |nbhyphen|\ HB\ |nbhyphen|\ 40\ |nbhyphen|\ 02A +.. |Q-HB-80-01A| replace:: ECSS\ |nbhyphen|\ Q\ |nbhyphen|\ HB\ |nbhyphen|\ 80\ |nbhyphen|\ 01A +.. |Q-HB-80-03A-1| replace:: ECSS\ |nbhyphen|\ Q\ |nbhyphen|\ HB\ |nbhyphen|\ 80\ |nbhyphen|\ 03A\ |nbsp|\ Rev.\ |nbsp|\ 1 +.. |Q-HB-80-04A| replace:: ECSS\ |nbhyphen|\ Q\ |nbhyphen|\ HB\ |nbhyphen|\ 80\ |nbhyphen|\ 04A + +.. |ada-83| replace:: Ada\ |nbsp|\ 83 +.. |ada-95| replace:: Ada\ |nbsp|\ 95 +.. |ada-2005| replace:: Ada\ |nbsp|\ 2005 +.. |ada-2012| replace:: Ada\ |nbsp|\ 2012 +.. |ada-2022| replace:: Ada\ |nbsp|\ 2022 diff --git a/content/index.rst b/content/index.rst index 19b1bf8eb..c5a157d3e 100644 --- a/content/index.rst +++ b/content/index.rst @@ -134,6 +134,7 @@ AdaCore Technologies For Airborne Software AdaCore Technologies For Railway Software + AdaCore Technologies For Space Systems Software .. only:: builder_html