IBM Support

How do Code Coverage levels match DO-178C or DO-178B coverage levels?

Question & Answer


Question

The DO-178C or DO-178B standard defines five levels of software safety risk. According to the safety risk of the code under test, the DO-178C or DO-178B standard defines different levels of code coverage that you must achieve during testing . How do these levels of coverage map to the Test RealTime Runtime Analysis options?

Answer

DO-178C or DO-178B defines:

2.2.2 Software Level Definitions

Software level is based upon the contribution of software to potential failure conditions as determined by the system safety assessment process. The software level implies that the level of effort required to show compliance with certification requirements varies with the failure condition category. The software level definitions are:

Level A:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a catastrophic failure condition for the aircraft.

Level B:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a hazardous/severe-major failure condition for the aircraft.

Level C:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a major failure condition for the aircraft.

Level D:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a minor failure condition for the aircraft.

Level E:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function with no effect on aircraft operational capability or pilot workload. Once software has been confirmed as level E by the certification authority, no further guidelines of this document apply.

---------------------------------------------------------------------

For Levels D and E, you do not need to demonstrate code coverage (see Table A-7 of the DO-178C or DO-178B).

For Level C, you need to demonstrate data coupling; control coupling and statement coverage.

For Level B, you need to add decision coverage to the level C coverage.

Finally ,for Level A, you need to add Modified Condition/Decision Coverage (MC/DC) to the level B coverage.

When using the Graphical Interface "Studio" you can use the following table to choose the coverage options:

DO-178C or DO-178B level
C
B
A
TestRT Option
Functions
With exits
With exits
With exits
Calls
Yes
Yes
Yes
Blocks
Statement Blocks
And Decision
And Decision
Conditions
None
None
MC/DC(*)
* See below for additional information on how to be fully Level A compliant.

For the command line options of the Instrumentation Launcher, attolcc, you can use the following table:
DO-178C or DO-178B Level
Attolcc options
C
-PROC=RET -CALL -BLOCK
B
-PROC=RET -CALL -BLOCK=IMPLICIT
A
-PROC=RET -CALL -BLOCK=IMPLICIT -COND=MODIFIED(*)
* See below for additional information on how to be fully Level A compliant:

MC/DC coverage requires that all conditions of a decision be set to both TRUE and FALSE alternatively to determine whether or not that condition affects the decision.

Since the C language will short circuit a decision if latter conditions cannot affect the decision, these latter conditions will not be executed and their results will not be known. In this case the value in the truth table for such conditions would be X (that is neither True nor False). To be fully compliant with the MC/DC definition within the DO-178C or DO-178B, all conditions must be known even if, typically, some decisions would have been short-circuited.

When using Test RealTime Code Coverage and the FORCEEVALUATION option the evaluation of each condition in a decision is forced.

ATTENTION!
Sometimes the programmer explicitly coded with the short circuit operation in mind, for example consider the following decision:

if(y<Max && y--)
or
if(ptr && *ptr)

In such case the FORCEEVALUATION option will modify the functional behavior and so must not be used. To check that functionality has not been modified by this option Test RealTime lets you execute a test with and without Code Coverage to compare test results.

Notes:
  • The FORCEEVALUATION option is named "Forced" when using TestRT GUI.
  • The option -cond=modified is only available for the C programming language in the version 7.5 and later.

 

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSSHUF","label":"Rational Test RealTime"},"ARM Category":[{"code":"a8m0z000000bmzLAAQ","label":"Test RealTime"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Historical Number

25724

Document Information

Modified date:
16 August 2022

UID

swg21142710