Skip to main content
Magline joins Rapita Trailblazer Partnership Program to support DO-178 Certification
Eve Air Mobility joins Rapita Systems Trailblazer Partnership Program for eVTOL projects
Rapita Systems launches MACH178 Foundations for multicore DO-178C compliance
Collins Aerospace and Rapita present award winning paper at DASC 2024
Data Coupling Basics in DO-178C
Control Coupling Basics in DO-178C
Components in Data Coupling and Control Coupling
The ‘A’ Team comes to the rescue of code coverage analysis
DO-278A Guidance: Introduction to RTCA DO-278 approval
ISO 26262
Data Coupling & Control Coupling
Verifying additional code for DO-178C
DO-178C Multicore In-person Training (Fort Worth, TX)
DO-178C Multicore In-person Training (Toulouse)
If you're involved in developing and verifying high integrity software (especially if DO-178B is involved), you have probably come across the use of MC/DC (modified condition/decision coverage) for helping to demonstrate that tests are thorough enough.
Sometimes, the use of masking MC/DC is also discussed. In this blog post, I briefly describe how masking MC/DC is different from "regular" (unique cause) MC/DC.
Before I talk about what masking MC/DC is, let's briefly recap what MC/DC is. In a complex decision (for example, the expression within an if-statement), you have to run enough tests to demonstrate that each individual condition can independently affect the outcome. (We also discuss this in more detail in a previous blog post). This means that for an if statement:
If (A and B) or (C and D) then
X;
else
Y;
You need to run pairs of tests where:
- B, C, D remain constant. By varying A you get two different outcomes (X or Y)
- A, C, D remain constant. By varying B you get two different outcomes
- A, B, D remain constant. By varying C you get two different outcomes
- A, B, C remain constant. By varying D you get two different outcomes
Each of these pairs of tests is termed an independence pair.
This suggests that we need four pairs of tests. However, if you’re smart about it, you can combine one member of an independence pair with another member of an independence pair. If you manage to do this at the best level possible, the testing can be done with five tests (in general N+1 tests for N conditions).
This relies on all of the conditions being independent. This approach is termed unique-cause MC/DC.
So what happens if conditions aren’t independent? This is where masking MC/DC comes in. Masking refers to the approach where specific conditions can mask the effects of other conditions.
The masking approach to MC/DC allows more than one condition to change in an independence pair, as long as the condition of interest is shown to be the only condition that affects the value of the decision outcome.
Using the above example, to show that A can independently affect the outcome of the decision, test cases require that B is true and (C and D) is false, so:
- If A is true, the outcome is true
- If A is false, the outcome is false
Provided that in both test cases (i.e where A is false and where A is true), the subexpression (C and D) is false, masking MC/DC allows the values of C and D to vary, so for example the following test vectors would be acceptable:
| A | B | C | D | Outcome |
|---|---|---|---|---|
| True | True | False | True | True |
| False | True | True | False | False |
One common example where masking might occur is where a condition is repeated within an expression, for example:
If (A and B) or (A and D)
More information on masking MC/DC is available in this FAA paper. You might also be interested in our white paper on Eight code coverage questions in embedded avionic systems.
DO-178C webinars
White papers
Mitigation of interference in multicore processors for A(M)C 20-193
Developing DO-178C and ED-12C-certifiable multicore software
Efficient Verification Through the DO-178C Life Cycle
A Commercial Solution for Safety-Critical Multicore Timing Analysis
