All geek questions in one place

MC / DC Conformity Assessment

I am reading the following article about MC / DC: http://shemesh.larc.nasa.gov/fm/papers/Hayhurst-2001-tm210876-MCDC.pdf .

I have the source code: Z := (A or B) and (C or D) and the following test cases:

 ----------------- | A | FFTFT | | B | FTFTF | | C | TFFTT | | D | FTFFF | | Z | FTFTT | -----------------

I want to prove that these test cases correspond to a unique definition of the cause.

I started by eliminating masked tests:

  • A or B = FTTTT , i.e. it masks the first test case from C or D as F and (C or D) = F
  • C or D = TTFTT , i.e. it masks the third test case from A or B as (A or B) and F = F

Then I defined MC/DC :

Required test cases for A or B :

  • FF (first case)
  • TF (fifth case)
  • FT (second or fourth case)

Required test cases for C or D :

  • FF (third case)
  • TF (fourth or fifth case)
  • FT (second case)

Required test cases for (A or B) and (C or D) :

  • TT (second, fourth or fifth case)
  • FT (first case)
  • TF (third case)

According to the document, this example does not correspond to a unique definition of the cause. Instead, they suggest changing the second test case from FTFT to TFFT .

 ----------------- | A | FTTFT | | B | FFFTF | | C | TFFTT | | D | FTFFF | | Z | FTFTT | -----------------

I again defined MC/DC for A or B :

  • FF (first case)
  • TF (fifth case)
  • FT (fourth case)

Then they enter the following table of pairs of independent parameters, which shows the difference between the two examples (on page 38):

enter image description here

I understand that for the first example, the independence pair that they show changes two variables instead of one, however I don’t understand how they calculate the independence pairs.

In column A I can conclude that they take the FFTF from the test case table A , and they calculate the independence pair as the same test case, only with the modified A ( TFTF ).

In column B they again select FFTF . In my opinion, this should be equal to column B : FTFT .

The remaining letters show the same dilemma.

Also for the column of the first column of D they show that the FTFT independence FTFT is equal to TFFF , which destroys my theory that they calculate the independence pair from the first value and prove that they are assembling it from somewhere else.

Could someone better explain how (and where) they create such a pair of cases?

+7
source share
1 answer

First, let's reread the definitions:

(From www.faa.gov/aircraft/air_cert/design_approvals/air_software/cast/cast_papers/media/cast-10.pdf)

DO-178B / ED-12B includes the following definitions:

Condition

A Boolean expression that does not contain Boolean operators.

Decision

A Boolean expression consisting of conditions and zero or more Boolean operators. A solution without a Boolean operator is a condition. If any condition appears more than once in a decision, each event is an excellent condition.

Solution Coverage

Each entry and exit point in the program is called at least once, and each decision in the program took all possible results at least once.

Changed Status / Decision Making

Each entry and exit point into the program is called at least once, each condition in the decision in the program accepted all possible results at least once, each decision in the program accepted all possible results at least once, and each condition in the solution was shown independently affect the outcome of the decision. It is shown that the condition independently affects the result of the solution, simply changing this condition while maintaining all the other possible conditions.

So, to solve "(A or B) and (C or D)" we have four conditions: A, B, C and D

For each condition, we must find a pair of test vectors that show that the condition "independently affects the outcome of the solution."

For the unique cause of MC / DC, only the value of the condition in question can vary in a pair of test vectors.

For example, consider condition A. The following pair of test vectors covers condition A:

 (A or B) and (C or D) = Z TFTFTFFTFF

With this pair of test vectors (TFTF, FFTF), only the values ​​of A and Z (solution) are changed.

Then we look for pairs for conditions B, C, and D.

Using the RapiCover graphical interface (a tool for checking the suitability of code from Rapita Systems - www.rapitasystems.com/products/rapicover), we can see a complete set of test vectors (observed or absent) to fully cover all the conditions of the solution.

Screenshot RapiCover

Vector V3 (yellow in the screenshot above) is not used in any pair of independence. Vector V6 (in red in the screenshot) is missing to cover MC / DC condition D.

This is for determining the "unique cause" of MC / DC.

Now for "disguising MC / DC":

“Masking MC / DC” requires that the value of one condition can change in a pair of test vectors is weakened, provided that any other change is masked by Boolean operators in the expression.

For example, consider a pair of vectors for condition D:

  (A or B) and (C or D) = Z TFFTTTFFFF

We can represent these two test vectors in the expression tree:

  and / \ or1 or2 / \ / \ ABCD and and [T] [F] / \ / \ or1 or2 or1 or2 [T] [T] [T] [F] / \ / \ / \ / \ ABCDABCD [T] [F][F] [T] [T] [F][F] [F]

This is a pair for a unique reason for MC / DC.

Now consider a new pair of test vectors for condition D:

  (A or B) and (C or D) = Z FTFTTTFFFF

Again we can represent these two test vectors in the expression tree:

  and and [T] [F] / \ / \ or1 or2 or1 or2 [T] [T] [T] [F] / \ / \ / \ / \ ABCDABCD [F] [T][F] [T] [T] [F][F] [F]

This is a pair for masking MC / DC, because although the values ​​for 3 conditions (A, B and D) have changed, conditions A and B have been masked by the Boolean operator 'or1' (that is, the value of “A or B” does not change).

So, to mask the MCDC, the independence pair for all conditions D can be:

Screenshot RapiCover

+8
source

Source: https://habr.com/ru/post/980270/

More articles:


All Articles