See edit history of this section
Post feedback on this section
- 1. Multi-Logic Testing - Definitions
- 2. When Conditions Are Not Discrete
- 3. Summary
- 4. Resources
- 5. Lessons Learned
1. Multi-Logic Testing
1.1 – Definitions
- Unit Testing
- Testing of individual routines and modules by the developer or an independent tester (ISO/IEC/IEEE 24765).
- A test of individual programs or modules in order to ensure that there are no analysis or programming errors (ISO/IEC 2382-20).
- Test of individual hardware or software units or groups of related units. (ISO/IEC/IEEE 24765)
- MC/DC Testing
- Software Verification
- Confirmation that products properly reflect the requirements specified for them. Verification ensures that “you built it right.” (Source: IEEE 1012)
- Software Integration Testing -
- Integration testing examines if the individual components developed and tested separately, interact as expected when they are combined to form a part of a larger system. (Source: IEEE)
- Integration Testing -
- Integration testing examines if the individual components developed and tested separately, interact as expected when they are combined to form a part of a larger system. (Source: IEEE)
The recommendations in this topic are for unit testing for code coverage in conjunction with correct functional behavior.
See also SWE-190 - Verify Code Coverage,
1.2 Multi-Logic Condition Requirements
- Simplified Example of Multi-logic Condition Software Requirement:
- “ If mode is STANDBY and status is (ENABLED or ACTIVE), the software shall store the current time.”
- “ If mode is STANDBY and status is (ENABLED or ACTIVE), the software shall store the current time.”
- For software requirements, there should be very few multi-logic condition requirements
- Multi-logic condition requirements complicate testing and should be reduced or eliminated, if possible
- Operators used in textual requirements are typically “and” or “or”
- The example above can be restated as: If A and (B or C) then store the current time.
- If the result of “A and (B or C)” is TRUE, then the current time will be stored.
- Operators are “and” and “or”, operands are “A” , “B”, and “C” each with two possible states (i.e. True/False)
- Three operands yields a possible 2n test combinations, 8 possible test cases
1.3 Verifying Multi-logic Condition Requirements
- If possible, rewrite software requirement to eliminate multi-logic conditions
- The preferred method of verification should be test. Inspection, Analysis, or Demonstration should only be used if test is not possible
- For complete condition combination coverage (CCC) also called Multiple Condition Coverage (MCC), a test case for each possible combination may be run. This covers the full truth table.
- In many cases, running all 2**N test cases is not practical, in this case MC/DC test coverage is used to perform the minimal set of meaningful test cases (i.e. tests that use a unique set of inputs to achieve a unique outcome).
Examples below illustrate application of this recommendation.
1.4 MC/DC Example
MC/DC (Modified Condition/Decision Coverage) Rules:
|
Possible Test Cases:
Three (3) types of MCDC3 -- Unique-Cause (N+1 tests), Masking (2*Sqrt(n) tests), and Unique-Cause+Masking (NPR7150.2 does not dictate which to use)
|
---|
Using same methods used to find MCDC minimum set of unit tests: for n logic conditions (operands) n+1 tests will sufficiently verify the requirement.
2. Recommendations for Requirements When Conditions Are Not Discrete
Simplified Example:
- “ If mode is PROCESSING and TEMPERATURE is greater than 50.0, the software shall set a WARNING.”
The example above can be restated as: If A and (B>50.0) then set a warning.
- In this case, operand A can have two possible states but B can have many states
- Very difficult to test and analyze all combinations
Best practice is to run tests with values just below the limit, at the limit, and just above the limit.
| |
Analyzing and testing all combinations becomes even more difficult if both A and B can have many states
| |
Could break this requirement into two separate requirements, for example:
| |
In cases where a specific operand can have a range of values best practice is to use Boundary Parameter Testing and also select values in the middle of the range Example:
|
3. Summary - Verifying Multi-logic Condition Requirements
- Recommend either running the full set of 2n test cases for Multi-condition requirements, or running the minimal meaningful set using MC/DC criterion
- For safety-critical software, MC/DC must be performed with N+1 test cases, or request a waiver (to NPR 7150.2 083 and NASA-STD-8739.8 278)
- In practicality, all possible MC/DC tests may not be achievable, but in those cases all conditions/decisions not achievable through unit testing should be listed and waived by the appropriate level of technical authority and software assurance.
- Throughout this unit test process, the developer and/or Subject Matter Experts/Responsible Engineers must ensure not only that the code is exercised, but it functions correctly to adequately cover intent or requirement and the expected behavior of the software.
- For safety-critical software, MC/DC must be performed with N+1 test cases, or request a waiver (to NPR 7150.2 083 and NASA-STD-8739.8 278)
- If running the full set of test is not practical, run the minimum subset of tests to prove that varying each operand affects the result, independently
- For requirements where conditions are not discrete, follow best practice and run tests with values just below the limit, at the limit, and just above the limit.
- Recommend thorough requirements analysis to ensure all permutations are represented by selected input values.
- Recommend thorough requirements analysis to ensure all permutations are represented by selected input values.
- For requirements where conditions have a range of values, follow best practice and run tests with values just below the limit, at the limit, just above the limit, and at least one value in the middle of the range.
See SWE-134 - Safety-Critical Software Design Requirements for additional guidance. See also SWE-219 - Code Coverage for Safety Critical Software, SWE-220 - Cyclomatic Complexity for Safety-Critical Software. See also Topic 8.57 - Testing Analysis.
3.1 Clarifications
Clarifications
- Condition - A condition is a leaf-level Boolean expression (it cannot be broken down into simpler Boolean expressions).
- Decision - A Boolean expression composed of conditions and zero or more Boolean operators. A decision without a Boolean operator is a condition.
- Condition coverage - Every condition in the program's decision has taken all possible outcomes at least once.
- Decision coverage - Every entry and exit point in the program has been invoked at least once, and every decision in the program has taken all possible outcomes at least once.
- Condition/decision coverage - Every entry and exit point in the program has been invoked at least once. Every condition in a decision in the program has taken all possible outcomes at least once, and the decision in the program has taken all possible outcomes at least once.
- Modified condition/decision coverage - Every entry and exit point in the program has been invoked at least once. Every condition in a decision in the program has taken all possible outcomes at least once, and each condition has been shown to affect that decision outcome independently. A condition is shown to affect a decision's outcome independently by varying just that condition while holding fixed all other possible conditions. The condition/decision criterion does not guarantee the coverage of all conditions in the module. In many test cases, some conditions of a decision are masked by other conditions. Using the modified condition/decision criterion, each condition must be shown to act on the decision outcome by itself, with everything else being held fixed. The MC/DC criterion is thus much stronger than the condition/decision coverage.
3.2 Another Example:
An example
Assume we want to test the following code extract:
A, B, and C represent Boolean expressions (i.e., not divisible in other Boolean sub-expressions).
In order to ensure Condition coverage criteria for this example, A, B and C should be evaluated at least one time "true" and one time "false" during tests, which would be the case with the 2 following tests:
- A = true / B = true / C = true
- A = false / B = false / C = false
In order to ensure Decision coverage criteria, the condition ( (A or B) and C ) should also be evaluated at least one time to "true" and one time to "false". Indeed, in our previous test cases:
- A = true / B = true / C = true ---> decision is evaluated to "true"
- A = false / B = false / C = false ---> decision is evaluated to "false"
and Decision coverage is also realized.
However, these two tests do not ensure a Modified condition/decision coverage, which implies that each boolean variable should be evaluated one time to "true" and one time to "false," affecting the decision's outcome. It means that changing the value of only one condition will also change the decision's outcome. However, with only the two previous tests, it is impossible to know which condition influences the decision's evaluation.
In practice, for a decision with n boolean conditions, we have to find at least n+1 tests in order to be able to ensure modified condition/decision coverage. As there are 3 boolean conditions (A, B et C) in our example, we can (for instance) choose the following set of tests:
- A = false / B = false / C = true ---> decision is evaluated to "false"
- A = false / B = true / C = true ---> decision is evaluated to "true"
- A = false / B = true / C = false ---> decision is evaluated to "false"
- A = true / B = false / C = true ---> decision is evaluated to "true"
Indeed, in this case:
- between the 1st and 4th test scenarios, only A changed of value, which also made the decision's outcome change its value ("false" in the 1st case, "true" in the 2nd);
- in the same way, between 1st and 2nd, only B changed of value, which also made the decision's outcome change its value (passing from "false" to "true");
- eventually, between 2nd and 3rd, only C changed value and the decision's outcome's value also changed (passing from "true" to "false").
Besides, Decision and Condition coverage criteria are still respected (each Boolean variable and the decision's outcome itself take at least one time the "true" and "false" values). The modified condition/decision coverage is then ensured.
Additional information can be found in NASA/TM−20205011566, NESC-RP-20-01515, Cyclomatic Complexity, and Basis Path Testing Study 377.
3.3 Additional Guidance
Links to Additional Guidance materials for this subject have been compiled in the Relevant Links table. Click here to see the Additional Guidance in the Resources tab.
4. Resources
4.1 References
- (SWEREF-083) NPR 7150.2D, Effective Date: March 08, 2022, Expiration Date: March 08, 2027 https://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=7150&s=2D Contains link to full text copy in PDF format. Search for "SWEREF-083" for links to old NPR7150.2 copies.
- (SWEREF-278) NASA-STD-8739.8B , NASA TECHNICAL STANDARD, Approved 2022-09-08 Superseding "NASA-STD-8739.8A,
- (SWEREF-377) NASA/TM?20205011566, NESC-RP-20-01515
- (SWEREF-384) MCDC Checker source code implemented by GTD GmbH, tool to check all conditions in your C/C++ source code if they are in the necessary form, so that Gcov can generate modified condition decision coverage.
- (SWEREF-393) Couverture was an Open Source project financially supported by the French Government, the city of Paris and the Ile-de-France region The original Couverture project had the objectives to produce a Free Software coverage analysis toolset together with the ability to generate artifacts that allow the tools to be used for safety-critical software projects undergoing a DO-178B software audit process for all levels of criticality.
- (SWEREF-394) Cyrille Comar, Jerome Guitton, Olivier Hainque, Thomas Quinot AdaCore, 46 rue d’Amsterdam, F-75009 PARIS (France), comar, guitton, hainque, quinot}@adacore.com, Embedded Real Time Software and Systems Conference, Feb 2012,
- (SWEREF-395) Thomas Wucher, Andoni Arregui, ESA Software Product Assurance Workshop 2021,
- (SWEREF-396) DOT/FAA/AR-01/18, US. Department of Transportation, Federal Aviation Administration, April 2001.
- (SWEREF-397) Matteo Bordin, Cyrille Comar, Tristan Gingold, J´erˆome Guitton, Olivier Hainque, Thomas Quinot AdaCore, 46 rue d’Amsterdam, F-75009 PARIS (France) {bordin, comar, gingold, guitton, hainque, quinot}@adacore.com, Embedded Real Time Software and Systems Conference, May 2010
4.2 Tools
NASA users find this in the Tools Library in the Software Processes Across NASA (SPAN) site of the Software Engineering Community in NEN.
The list is informational only and does not represent an “approved tool list”, nor does it represent an endorsement of any particular tool. The purpose is to provide examples of tools being used across the Agency and to help projects and centers decide what tools to consider.
4.2.1 gcov
See references 384, 393, 394, 395, 396, and 397 for tools related to MC/DC.
Gcov is one tool that can be used to aid in MC/DC testing, see section XXX for more details. https://gcc.gnu.org/onlinedocs/gcc/Gcov.html
4.3 Additional Guidance
Additional guidance related to this requirement may be found in the following materials in this Handbook:
Related Links |
---|
4.4 Center Process Asset Libraries
SPAN - Software Processes Across NASA
SPAN contains links to Center managed Process Asset Libraries. Consult these Process Asset Libraries (PALs) for Center-specific guidance including processes, forms, checklists, training, and templates related to Software Development. See SPAN in the Software Engineering Community of NEN. Available to NASA only. https://nen.nasa.gov/web/software/wiki 197
See the following link(s) in SPAN for process assets from contributing Centers (NASA Only).
SPAN Links |
---|
5. Lessons Learned
Currently there are no Lessons Learned identified for this topic.