This Technical Report provides guidance on the use of Ada when producing high integrity systems. In producing such applications it is usually the case that adherence to guidelines or standards has to be demonstrated to independent bodies. These guidelinesor standards vary according to the application area, industrial sector or nature ofthe risk involved.For safety applications, the international generic standard is[IEC 61508] of whichpart 3 isconcerned withsoftware.For security systems, the multi-national generic assessment guide is [ISO CD 15408].For sector-specific guidance and standards there are:Airborne civil avionics: [DO-178B]Nuclear power plants: [IEC880]Medical systems: [IEC601-4]Pharmaceutical: [GAMP] For national/regional guidance and standards there are the following:UK Defence: [DS 00-55]European rail: [EN 50128]European security: [ITSEC]US nuclear: [NRC]UK automotive: [MISRA]US medical: [FDA]US space: [NASA] The above standards and guides are referred to as Standards in this Technical Report. The above list is not exhaustive but indicative ofthe type of Standard to which this Technical Report provides guidance.The specific Standards above are not addressed individually but this Technical Report is synthesized from an analysis of their requirementsand recommendations.Within the scopeThis Technical Report assumes that a system is being developed in Ada to meet a standard listed above or one of a similar nature. The primary goal of this Technical Report is to translate general requirements into Ada specific ones. For example, a general standard might require that dynamic testing provides evidence of the execution of all the statements in the code of the application. In the case of generics, this is interpreted bythis Technical Report to mean all instantiations of the generic should be executed.This Technical Report is intended to provide guidance only, and hence there are no 'shalls'. However, this Technical Report identifies verification and validation issues which should be resolved and documented according to the sector-specific standards being employed.The following topics are within the scope of this Technical Report:the choice of features of the language which aid verification and compliance to the standards,identification of language features requiring additional verification steps,the use of tools to aid design and verification,issues concerning qualification of compilers for use on high integrity applications,tools, such as graphic design tools, which generate Ada source code which is accessible to users. Tools which generate Ada source code require special consideration. Where generated code may be modified or extended, verification of the extensions and overall system will be assisted if the guidelines have been taken into account. Even where modification is not planned, inspection and analysis of the generated code may be unavoidable unless the generator is trusted or 'qualified' according to an applicable standard. Finally, even if generated code is neither modified nor inspected, the overall verification process may be made more complicated if the code deviates from guidelines intended to facilitate testing and analysis. Potential users of such tools should evaluate their code generation against the guidance provided in this Technical Report.Out of scopeThe following topics are considered to be out of scope with respect to this Technical Report:Domain-specific standards,Application-specific issues,Hardware and system-specific issues,Human factor issues in the application (as opposed to human factors in the use of the Ada language which is in scope).