See edit history of this section
Post feedback on this section
- 1. Requirement
- 2. Rationale
- 3. Guidance
- 4. Small Projects
- 5. Resources
- 6. Lessons Learned
- 7. Software Assurance
1. Requirements
3.7.5 If a project has safety-critical software, the project manager shall ensure all identified safety-critical software components have a cyclomatic complexity value of 15 or lower. Any exceedance shall be reviewed and waived with rationale by the project manager or technical approval authority.
1.1 Notes
Cyclomatic complexity is a metric used to measure the complexity of a software program. This metric measures independent paths through the source code. The point of the requirement is to minimize risk, minimize testing, and increase reliability associated with safety-critical software code components, thus reducing the chance of software failure during a hazardous event. The software developer should assess all software safety-critical components with a cyclomatic complexity score over 15 for testability, maintainability, and code quality. For more guidance on this requirement, see NASA-HDBK-2203.
1.2 History
1.3 Applicability Across Classes
Class A B C D E F Applicable?
Key: - Applicable | - Not Applicable
2. Rationale
To minimize risk, ensure complete software testing and increase reliability associated with safety-critical software code components.
3. Guidance
3.1 Ensure that all identified safety-critical software components have a cyclomatic complexity value of 15 or lower.
The requirement is to minimize risk, minimize testing, and increase reliability associated with safety-critical software code components, thus reducing the chance of software failure during a hazardous event. A section of source code's cyclomatic complexity is the number of linearly independent paths within it—where "linearly independent" means that each path has at least one edge that is not in one of the other paths. For instance, if the source code contained no control flow statements (conditionals or decision points), the complexity would be 1 since there would be only a single path through the code. If the code had one single-condition IF statement, there would be two paths through the code: one where the IF statement evaluates TRUE and another one where it evaluates to FALSE so that the complexity would be 2. Two nested single-condition IFs, or one IF with two conditions, would produce a complexity of 3.
Purpose:
- Limiting complexity during development
- Measuring the "structuredness" of a program - concerned with determining what the control flow graph
- Implications for software testing - Another application of cyclomatic complexity is determining the number of test cases necessary to achieve thorough test coverage of a particular module.
- Correlation to the number of defects - Some studies find a positive correlation between cyclomatic complexity and defects: functions and methods with the highest complexity tend to contain the most defects. However, the correlation between cyclomatic complexity and program size (typically measured in lines of code) has been demonstrated many times. Studies that controlled for program size (i.e., comparing modules with different complexities but similar size) are generally less conclusive, with many finding no significant correlation, while others find the correlation. Some researchers who have studied the area question the validity of the studies' methods finding no correlation.
- Code maintainability
- Reduces the coupling of code. The higher the cyclomatic complexity number, the more coupled the code is. Highly coupled code cannot be modified easily and independently of other code.
- Ease of understanding the code increases as the complexity decreases. With a higher complexity number, the programmer has to deal with more control paths in the code, which leads to more unexpected results and defects.
- Ease of testing. If a method has a cyclomatic complexity of 10, it means there are 10 independent paths through the method. This implies that at least 10 test cases are needed to test all the different paths through the code. The lesser the number, the easier it is to test.
See also SWE-023 - Software Safety-Critical Requirements and SWE-134 - Safety-Critical Software Design Requirements. SWE-135 - Static Analysis,
3.2 Software static analysis tools can provide the cyclomatic complexity value of any software component.
3.2.1 What is Cyclomatic Complexity?
Cyclomatic complexity is a software metric used to measure the complexity of a program. These metrics measure independent paths through program source code. An independent path is defined as a path with at least one edge that has not been traversed before in any other path. Cyclomatic complexity can be calculated concerning functions, modules, methods, or classes within a program.
Thomas J. McCabe developed this metric in 1976, and it is based on a control flow representation of the program. Control flow depicts a program as a graph that consists of Nodes and Edges.
In the graph, nodes represent processing tasks while edges represent control flow between the nodes.
3.2.2 Flow graph notation for a program:
Flow Graph notation for a program defines several nodes connected through the edges. Below are Flow diagrams for statements like if-else, While, until, and normal sequence of flow.
Cyclomatic complexity is a software metric used to measure the complexity of a program. These metrics measure independent paths through program source code. An independent path is defined as a path with at least one edge that has not been traversed before in any other path. It quantitatively measures the number of linearly independent paths through a program's source code. The application of the requirement is to limit the complexity of routines during program development; programmers should count the complexity of the modules they are developing and split them into smaller modules whenever the cyclomatic complexity of the module exceeded 15. The NIST Structured Testing methodology adopted this practice. The figure of 10 had received substantial corroborating evidence. There are occasional reasons for going beyond the agreed-upon limit. It phrased its recommendation as "For each module, either limit cyclomatic complexity to 15 or provide a written explanation of why the limit was exceeded. For example, if the source code contains no control flow statement, its cyclomatic complexity will be 1, and the source code contains a single path in it. Similarly, if the source code contains one if condition, then cyclomatic complexity is 2 because there will be two paths: true and the other for false.
Several studies have investigated the correlation between cyclomatic complexity numbers with the frequency of defects occurring in a function or method. Studies have found a positive correlation between cyclomatic complexity and defects: functions and methods with the highest complexity also tend to contain the most defects. However, international safety standards like ISO 26262 376 and IEC 62304 375 mandate coding guidelines that enforce low code complexity.
3.2.3 Use of Cyclomatic Complexity:
- Limit code complexity.
- Determine the number of test cases required.
- Determining the independent path executions has thus proven to be very helpful for Developers and Testers.
- It can make sure that every path has been tested at least once.
- This helps to focus more on uncovered paths.
- Code coverage can be improved.
- The risk associated with the program can be evaluated.
- These metrics being used earlier in the program help in reducing the risks.
Higher numbers of cyclomatic complexity are bad, and lower cyclomatic complexity numbers are good. That's because code with high complexity is difficult to test. And it's likely to result in errors. So, code with low complexity is easier to test. And it's less likely to produce errors.
The following table gives an overview of the complexity number and corresponding meaning:
Complexity Number | Meaning |
---|---|
1-10 | Structured and well-written code High Testability Cost and Effort are less |
10-20 | Complex Code Medium Testability Cost and effort are Medium |
20-40 | Very complex Code Low Testability Cost and Effort are high |
>40 | Not at all testable Very high Cost and Effort |
For safety-critical code, anything over 15 should be assessed for testability, maintainability, and code quality.
If the software safety-critical components have a cyclomatic complexity value of 16 or higher, then work with software assurance to provide a risk assessment showing why the cyclomatic complexity value needs to be higher than ten and why the software component cannot be structured to be 15 or lower.
Additional information can be found in NASA/TM−20205011566, NESC-RP-20-01515, Cyclomatic Complexity, and Basis Path Testing Study 377. See also 7.21 - Multi-condition Software Requirements
3.2.4 There are different types of cyclomatic complexity.
For example, standard cyclomatic complexity (CC or CC1) is equal to the number of decisions + 1 for the code in question.
Strict cyclomatic complexity (CC2) adds one for each Boolean condition within a compound decision predicate, rendering CC2 difficult to “game” (i.e., lowering the measured complexity through moving otherwise nested code decision blocks into complex multi-condition decision logic).
Another variation, modified cyclomatic complexity (CC3), reduces the penalty on multi-way decision branches, such as switch() statements in the C language, by counting them as one decision. CC3 may be sensible for certain non-safety-critical application types that use event handlers or finite state machines heavily.
3.3 Additional Guidance
Additional guidance related to this requirement may be found in the following materials in this Handbook:
Related Links |
---|
3.4 Center Process Asset Libraries
SPAN - Software Processes Across NASA
SPAN contains links to Center managed Process Asset Libraries. Consult these Process Asset Libraries (PALs) for Center-specific guidance including processes, forms, checklists, training, and templates related to Software Development. See SPAN in the Software Engineering Community of NEN. Available to NASA only. https://nen.nasa.gov/web/software/wiki 197
See the following link(s) in SPAN for process assets from contributing Centers (NASA Only).
SPAN Links |
---|
4. Small Projects
No additional guidance is available for small projects.
5. Resources
5.1 References
- (SWEREF-197) Software Processes Across NASA (SPAN) web site in NEN SPAN is a compendium of Processes, Procedures, Job Aids, Examples and other recommended best practices.
- (SWEREF-375) IEC 62304:2006, Medical device software — Software life cycle processes A copy of this standard is available from https://www.iso.org/standard/38421.html
- (SWEREF-376) ISO 26262-1:2011, Road vehicles — Functional safety — Part 1: Vocabulary A copy of this standard is available from: https://www.iso.org/standard/43464.html
- (SWEREF-377) NASA/TM?20205011566, NESC-RP-20-01515
5.2 Tools
NASA users find this in the Tools Library in the Software Processes Across NASA (SPAN) site of the Software Engineering Community in NEN.
The list is informational only and does not represent an “approved tool list”, nor does it represent an endorsement of any particular tool. The purpose is to provide examples of tools being used across the Agency and to help projects and centers decide what tools to consider.
6. Lessons Learned
There are currently no Lessons Learned identified for this requirement.
7. Software Assurance
7.1 Tasking for Software Assurance
1. Perform or analyze Cyclomatic Complexity metrics on all identified safety-critical software components.
7.2 Software Assurance Products.
- Software assurance status reports
- Software hazard reports
- Software design analysis
- Source code quality analysis
- Software complexity data
- Software assurance risk assessment of any software developers' rationale if requirements are not met.
Objective Evidence
- Evidence of confirmation that all identified safety-critical software components have a cyclomatic complexity value of 15 or lower or provide a risk assessment explaining why the cyclomatic complexity value needs to be higher than 15 and why the software component cannot be structured to be lower than 15.
- NPR 7150.2 and NASA-STD-8739.8 requirements mapping matrices signed by the engineering and SMA technical authorities for each development organization.
7.3 Metrics
- Software cyclomatic complexity # for all identified safety-critical software components
7.4 Guidance
Confirm that all identified safety-critical software components have a cyclomatic complexity value of 15 or lower. If not, assure that software developers provide a risk assessment explaining why the cyclomatic complexity value needs to be higher than 15 and why the software component cannot be structured to be lower than 15.
The requirement is to minimize risk, minimize testing, and increase reliability associated with safety-critical software code components, thus reducing the chance of software failure during a hazardous event. A section of source code's cyclomatic complexity is the number of linearly independent paths within it—where "linearly independent" means that each path has at least one edge that is not in one of the other paths. For instance, if the source code contained no control flow statements (conditionals or decision points), the complexity would be 1 since there would be only a single path through the code. If the code had one single-condition IF statement, there would be two paths through the code: one where the IF statement evaluates TRUE and another one where it evaluates to FALSE so that the complexity would be 2. Two nested single-condition IFs, or one IF with two conditions, would produce a complexity of 3.
Purpose:
- Limiting complexity during development
- Measuring the "structuredness" of a program - concerned with determining what the control flow graph
- Implications for software testing - Another application of cyclomatic complexity is determining the number of test cases necessary to achieve thorough test coverage of a particular module.
- Correlation to the number of defects - Some studies find a positive correlation between cyclomatic complexity and defects: functions and methods with the highest complexity tend to contain the most defects. However, the correlation between cyclomatic complexity and program size (typically measured in lines of code) has been demonstrated many times. Studies that controlled for program size (i.e., comparing modules with different complexities but similar size) are generally less conclusive, with many finding no significant correlation, while others find the correlation. Some researchers who have studied the area question the validity of the studies' methods finding no correlation.
- Code maintainability
- Reduces the coupling of code. The higher the cyclomatic complexity number, the more coupled the code is. Highly coupled code cannot be modified easily and independently of other code.
- Ease of understanding the code increases as the complexity decreases. With a higher complexity number, the programmer has to deal with more control paths in the code, which leads to more unexpected results and defects.
- Ease of testing. If a method has a cyclomatic complexity of 10, it means there are 10 independent paths through the method. This implies that at least 10 test cases are needed to test all the different paths through the code. The lesser the number, the easier it is to test.
See also SWE-023 - Software Safety-Critical Requirements and SWE-134 - Safety-Critical Software Design Requirements.
7.4.1 Software static analysis tools can provide the cyclomatic complexity value of any software component. Work with Engineering and IV&V (If used on the project) to get the cyclomatic complexity value of all of the safety-critical software components.
7.4.2 What is Cyclomatic Complexity?
Cyclomatic complexity is a software metric used to measure the complexity of a program. These metrics measure independent paths through program source code. An independent path is defined as a path with at least one edge that has not been traversed before in any other path. Cyclomatic complexity can be calculated concerning functions, modules, methods, or classes within a program.
Thomas J. McCabe developed this metric in 1976, and it is based on a control flow representation of the program. Control flow depicts a program as a graph that consists of Nodes and Edges.
In the graph, nodes represent processing tasks while edges represent control flow between the nodes.
Flow graph notation for a program:
Flow Graph notation for a program defines several nodes connected through the edges. Below are Flow diagrams for statements like if-else, While, until, and normal sequence of flow.
Cyclomatic complexity is a software metric used to measure the complexity of a program. These metrics measure independent paths through program source code. An independent path is defined as a path with at least one edge that has not been traversed before in any other path. It quantitatively measures the number of linearly independent paths through a program's source code. The application of the requirement is to limit the complexity of routines during program development; programmers should count the complexity of the modules they are developing and split them into smaller modules whenever the cyclomatic complexity of the module exceeded 15. The NIST Structured Testing methodology adopted this practice. The figure of 10 had received substantial corroborating evidence. There are occasional reasons for going beyond the agreed-upon limit. It phrased its recommendation as "For each module, either limit cyclomatic complexity to 15 or provide a written explanation of why the limit was exceeded. For example, if the source code contains no control flow statement, its cyclomatic complexity will be 1, and the source code contains a single path in it. Similarly, if the source code contains one if condition, then cyclomatic complexity is 2 because there will be two paths: true and the other for false.
Several studies have investigated the correlation between cyclomatic complexity numbers with the frequency of defects occurring in a function or method. Studies have found a positive correlation between cyclomatic complexity and defects: functions and methods with the highest complexity also tend to contain the most defects. However, international safety standards like ISO 26262 376 and IEC 62304 375 mandate coding guidelines that enforce low code complexity. See also 7.21 - Multi-condition Software Requirements.
Use of Cyclomatic Complexity:
- Limit code complexity.
- Determine the number of test cases required.
- Determining the independent path executions has thus proven to be very helpful for Developers and Testers.
- It can make sure that every path has been tested at least once.
- This helps to focus more on uncovered paths.
- Code coverage can be improved.
- The risk associated with the program can be evaluated.
- These metrics being used earlier in the program help in reducing the risks.
Higher numbers of cyclomatic complexity are bad, and lower cyclomatic complexity numbers are good. That's because code with high complexity is difficult to test. And it's likely to result in errors. So, code with low complexity is easier to test. And it's less likely to produce errors.
The following table gives an overview of the complex number and its corresponding meaning:
Complexity Number | Meaning |
---|---|
1-10 | Structured and well-written code High Testability Cost and Effort are less |
10-20 | Complex Code Medium Testability Cost and effort are Medium |
20-40 | Very complex Code Low Testability Cost and Effort are high |
>40 | Not at all testable Very high Cost and Effort |
For safety-critical code, anything over 15 should be assessed for testability, maintainability, and code quality.
If the software safety-critical components have a cyclomatic complexity value of 16 or higher, then work with engineering to provide a risk assessment showing why the cyclomatic complexity value needs to be higher than ten and why the software component cannot be structured to be 15 or lower.
Additional information can be found in NASA/TM−20205011566, NESC-RP-20-01515, Cyclomatic Complexity, and Basis Path Testing Study 377.
7.5 Additional Guidance
Additional guidance related to this requirement may be found in the following materials in this Handbook: