Question & Answer
Question
The DO-178C or DO-178B standard defines five levels of software safety risk. According to the safety risk of the code under test, the DO-178C or DO-178B standard defines different levels of code coverage that you must achieve during testing. How do these levels of coverage map to the Test RealTime Runtime Analysis options?
Answer
DO-178C or DO-178B defines:
2.2.2 Software Level Definitions
Software level is based upon the contribution of software to potential failure conditions as determined by the system safety assessment process. The software level implies that the level of effort required to show compliance with certification requirements varies with the failure condition category. The software level definitions are:
Level A:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a catastrophic failure condition for the aircraft.
Level B:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a hazardous/severe-major failure condition for the aircraft.
Level C:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a major failure condition for the aircraft.
Level D:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a minor failure condition for the aircraft.
Level E:
Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function with no effect on aircraft operational capability or pilot workload. Once software has been confirmed as level E by the certification authority, no further guidelines of this document apply.
---------------------------------------------------------------------
For Levels D and E, you do not need to demonstrate code coverage (see Table A-7 of the DO-178C or DO-178B).
For Level C, you need to demonstrate data coupling, control coupling and statement coverage.
For Level B, you need to add decision coverage to the Level C coverage.
Finally, for Level A, you need to add Modified Condition/Decision Coverage (MC/DC) to the Level B coverage.
When using the graphical interface "Studio", you can use the following table to choose the coverage options:
TestRT Option | DO-178C or DO-178B Level C | Level B | Level A
Functions | With exits | With exits | With exits
Calls | Yes | Yes | Yes
Blocks | Statement Blocks | And Decision | And Decision
Conditions | None | None | MC/DC(*)
For the command line options of the Instrumentation Launcher, attolcc, you can use the following table:
DO-178C or DO-178B Level | Attolcc options
C | -PROC=RET -CALL -BLOCK
B | -PROC=RET -CALL -BLOCK=IMPLICIT
A | -PROC=RET -CALL -BLOCK=IMPLICIT -COND=MODIFIED(*)
MC/DC coverage requires that every condition of a decision be set to both TRUE and FALSE in turn, to determine whether or not that condition affects the outcome of the decision.
Since the C language short-circuits a decision as soon as the remaining conditions can no longer affect its outcome, those later conditions are not executed and their values are not known. In that case the entry in the truth table for such a condition would be X (neither True nor False). To be fully compliant with the MC/DC definition in DO-178C or DO-178B, the value of every condition must be known, even for conditions that would typically have been short-circuited.
When you use Test RealTime Code Coverage with the FORCEEVALUATION option, the evaluation of each condition in a decision is forced.
ATTENTION!
Sometimes the programmer has explicitly coded with short-circuit evaluation in mind; for example, consider the following decisions:
if(y<Max && y--)
or
if(ptr && *ptr)
In such cases the FORCEEVALUATION option would modify the functional behavior of the program and so must not be used. To check that functionality has not been modified by this option, Test RealTime lets you execute a test with and without Code Coverage and compare the results.
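As an added illustration (not code from this page or from Test RealTime itself), the following C program models the two points above: a coverage record that marks a skipped condition as X, and the page's decision `y < Max && y--` evaluated both as the compiler short-circuits it and with every condition forced, as a FORCEEVALUATION-style instrumentation would. The function names and the sample values are my own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* How a coverage tool sees the second condition of "c1 && c2" under normal
   C short-circuit rules: 'T', 'F', or 'X' when the decision was already
   settled by c1 and c2 was therefore never executed. */
char second_condition_record(bool c1, bool c2) {
    if (!c1) return 'X';          /* c2 skipped: its value is unknown */
    return c2 ? 'T' : 'F';
}

/* The page's decision "y < Max && y--" exactly as the compiler evaluates it:
   the decrement only happens when the first condition holds. */
int decision_short_circuit(int *y, int max) {
    return (*y < max && (*y)--) ? 1 : 0;
}

/* The same decision with every condition evaluated, which is what a
   FORCEEVALUATION-style instrumentation does so that no condition stays 'X'.
   The decrement now runs even when the first condition is false. */
int decision_forced(int *y, int max) {
    bool c1 = (*y < max);
    bool c2 = ((*y)-- != 0);      /* side effect fires unconditionally */
    return (c1 && c2) ? 1 : 0;
}

/* Run both variants from the same starting state (constructed sample values)
   and return how far y drifted apart. Non-zero means forced evaluation
   changed the program's functional behaviour, which is why the page says the
   option must not be used on decisions like this one. */
int behaviour_drift(int y0, int max) {
    int y_sc = y0, y_forced = y0;
    decision_short_circuit(&y_sc, max);
    decision_forced(&y_forced, max);
    return y_sc - y_forced;
}

int main(void) {
    printf("record for (F, T): %c\n", second_condition_record(false, true));
    printf("drift for y=10, Max=5: %d\n", behaviour_drift(10, 5));
    printf("drift for y=3, Max=5: %d\n", behaviour_drift(3, 5));
    return 0;
}
```

For the page's other decision, `if(ptr && *ptr)`, the forced variant would dereference a null pointer when `ptr` is null, so it is deliberately not exercised here.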
Notes:
- The FORCEEVALUATION option is named "Forced" in the TestRT GUI.
- The -cond=modified option is only available for the C programming language, in version 7.5 and later.
Historical Number
25724
Document Information
Modified date:
16 August 2022
UID
swg21142710