Certification Authorities Software Team (CAST)
Position Paper
CAST-6
Rationale for Accepting Masking MC/DC in Certification
Projects
Completed August, 2001
NOTE: This position paper has been coordinated among
the software specialists of certification authorities from the United
States, Europe, and Canada. However, it does not constitute official policy
or guidance from any of the authorities. This document
is provided for educational and informational purposes only and should
be discussed with the appropriate certification authority when considering
for actual projects.
Background
Structural coverage analysis
in DO-178B (ref. 1) asks the question: Do the requirements-based
test cases adequately exercise the structure of the source code?
Two factors in exercising any structural element of the source code
are: (a) the ability to test that element by setting the values
of the element's inputs (this is the concept of controllability), and
(b) the ability to propagate the output of that element to some observable
point (this is the concept of observability). Controllability
and observability are fundamental concepts used in testing logic circuits,
and also apply well to testing software.
Different coverage measures
found in Table A-7 of DO-178B address different structural elements
of the code.
For statement coverage, the structural elements to be exercised are
the statements, and the adequacy requirement is that each statement
must be executed at least once.
For decision coverage, the structural elements to be exercised are
the decisions, and the adequacy requirement is that each decision must
take on each possible value at least once.
For modified condition/decision coverage (MC/DC), the structural elements
to be exercised are the logical conditions within a decision, and the
adequacy requirement is that each logical condition must be shown to
independently affect the decision's outcome.
Showing that each logical condition within a decision
independently affects the decision's outcome requires a minimum test
set for each logical operator as given in the original paper on MC/DC
by Chilenski and Miller (ref. 2) and repeated here as follows:
For a 2-input and operator, there is one test set: (TT, TF, FT).
For a 2-input or operator, there is one test set: (FF, TF, FT).
For a 2-input xor operator, there are 4 possible test sets: (TT, TF,
FT); (TF, FT, FF); (FT, FF, TT), and (FF, TT, TF).
These minimum test sets establish the inputs needed
at a logical operator to show independent effect of each input to that
operator. Note that the minimum test sets are not exhaustive test
sets and, hence, will not detect all possible errors. For example,
a test set that contains the minimum tests for an or operator will not detect an error if
an xor is incorrectly coded in place of an or, and vice versa. However, the
minimum test cases are sufficient to show independent effect required
to meet the MC/DC criteria.
Two different approaches to confirming that the minimum
tests are achieved are the unique-cause approach and the masking approach.
For unique-cause MC/DC, a condition is shown to independently affect
a decision's outcome by varying just that condition while holding fixed
all other possible conditions.
For masking MC/DC, a condition is shown to independently affect a
decision's outcome by applying principles of Boolean logic to assure
that no other condition influences the outcome (even though more than
one condition in the decision may change value).
Purpose
The purpose of this white paper is to establish that
masking MC/DC:
meets the definition of independent effect by guaranteeing the same
minimum test cases at each logical operator as unique cause, and
is acceptable for meeting the MC/DC objective of DO-178B (objective
5 in Table A-7).
Note: This paper assumes that the test cases are developed from
the software requirements, per DO-178B Section 6.4.4.3.
Showing Independent Effect
A condition independently affects a decision's outcome
if that condition alone can determine the value of the decision's outcome.
Two test cases that show the independent effect of a condition within
a decision are referred to as an independence pair.
Unique-Cause MC/DC
Unique cause is the original approach to showing the
independent effect of a condition mentioned in the description of MC/DC
in the DO-178B Glossary. In the unique-cause approach, only the
values of the condition of interest and the decision's outcome can change
between the two test cases in an independence pair; everything else must
remain the same. Holding the value of every other condition fixed
ensures that the one condition that changed value is the only condition
that influences the value of the decision's outcome. The logic
of the decision does not need to be examined to determine that the condition
of interest is solely responsible for the change in the value of the
decision's outcome.
A truth table is often used to illustrate the unique-cause
approach. The left-hand columns of the truth table list all possible
input combinations for the decision, while the shaded columns on the
right indicate the possible independence pairs for each condition.
The truth table for the decision Z = (A or B) and (C or D), where A, B, C, D, and Z are Boolean conditions, is shown in Table
1.
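The enumeration below is an added example, not part of the CAST paper: it recomputes the minimum test sets listed earlier for the and, or and xor operators, and the independence pairs for Z = (A or B) and (C or D) under both approaches. Function names are illustrative, and masking is modelled under an assumption: the condition of interest differs, the outcome differs, and in each test that condition alone determines the outcome.

```python
from itertools import combinations, product

def flip(t, i):
    """Return test vector t with condition i inverted."""
    return t[:i] + (not t[i],) + t[i + 1:]

def unique_cause_pairs(f, n, i):
    """Pairs (i false, i true) differing only in condition i with a changed outcome."""
    return [(flip(t, i), t) for t in product((False, True), repeat=n)
            if t[i] and f(*t) != f(*flip(t, i))]

def masking_pairs(f, n, i):
    """Assumed formalisation of masking: condition i differs, the outcome
    differs, and in both tests flipping condition i alone would flip the
    outcome, so the other conditions are free to change between the tests."""
    det = [t for t in product((False, True), repeat=n)
           if f(*t) != f(*flip(t, i))]
    return [(a, b) for a in det for b in det
            if not a[i] and b[i] and f(*a) != f(*b)]

def minimum_test_sets(op):
    """All 3-test sets for a 2-input operator holding an independence pair per input."""
    tests = list(product((False, True), repeat=2))
    pairs = [unique_cause_pairs(op, 2, i) for i in (0, 1)]
    return [ts for ts in combinations(tests, 3)
            if all(any(a in ts and b in ts for a, b in p) for p in pairs)]

def op_and(a, b):
    return a and b

def op_or(a, b):
    return a or b

def op_xor(a, b):
    return a != b

def decision_z(a, b, c, d):
    """Z = (A or B) and (C or D), the decision used for Table 1."""
    return (a or b) and (c or d)

if __name__ == "__main__":
    for name, op in (("and", op_and), ("or", op_or), ("xor", op_xor)):
        print(name, "minimum test sets:", len(minimum_test_sets(op)))
    # or and xor agree on every test in the or minimum set, so it cannot tell them apart
    print(all(op_or(*t) == op_xor(*t) for t in minimum_test_sets(op_or)[0]))
    for i, cond in enumerate("ABCD"):
        print(cond, "unique-cause pairs:", len(unique_cause_pairs(decision_z, 4, i)),
              "masking pairs:", len(masking_pairs(decision_z, 4, i)))
```

Every unique-cause pair also appears among the masking pairs, because a pair that holds all other conditions fixed trivially leaves the condition of interest determining the outcome in both tests.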
Table 1. Unique-Cause Approach to Independence Pairs for Z = (A or B) and (C or D)
Test Case #
A
B
C
D
Z
A
B
C
D