Modified Condition/Decision Coverage (MC/DC) is a software testing concept that originated the rigorous testing of critical embedded software systems in the aviation industry. It is a structural coverage metric that specifically addresses those instances where the exhaustive testing of all possible combinations of conditions would be impractical.
The concept of MC/DC has since been adopted in other industries where software reliability is paramount. It is recommended for the highest safety integrity levels in functional safety standards typified by IEC 61508 and its derivatives including ISO 26262 for automotive software and IEC 62304 for medical devices. As a further example of its popularity, NASA mandates 100% MC/DC coverage for safety-critical software components.
Multiple condition decision statements are such that the outcome depends on the evaluation of two or more conditions. These conditions are typically combined using logical operators such as AND, OR, and NOT. For example, a decision statement like if (A AND B) OR C is a multiple condition decision because the outcome depends on the values of conditions A, B, and C.
For example, the decision in this code has 6 conditions:
Exhaustive testing is sometimes impractical. It can take a lot of tests to ensure that all possible paths through a multiple condition decision have been exercised. MC/DC coverage is designed to alleviate that, and it does not require every possible combination to be executed. If “n” is the number of conditions, then a minimum of “n + 1” combinations are required to achieve 100% coverage, as opposed to 2n total combinations.
Modified Condition/Decision Coverage (MC/DC) is a software testing criterion that ensures each condition within a decision statement independently influences the decision’s outcome. Formally, MC/DC requires that:
MC/DC is an abbreviation for Modified Condition/Decision Coverage.
Exhaustive testing is practical where there are 3 or less conditions. For 4 or more, Modified Condition/Decision Coverage (MC/DC) becomes a far more practical solution.
Applying Modified Condition/Decision Coverage (MC/DC) from first principles involves five key steps:
MC/DC test pairs (also known as independence pairs) are pairs of test cases designed to demonstrate that each condition in a decision statement independently affects the decision’s outcome.
Many standards call for the use of MC/DC, particularly for the most critical of embedded systems. Examples include:
In the civil aviation sector, DO-178C §6.4.4.2 requires that “test coverage of software structure is achieved”, with Table A-7 making clear that “modified condition/decision coverage” is required for Software Level A (DAL A).
For electronic safety-related systems generally, IEC 61508 Part 3 §7.4.7 and §7.4.8 discuss software module and integration testing. Table B-2 details which techniques are to be used according to criticality.
That table specifies “Structural test coverage (conditions, MC/DC) 100%” with the proviso that “where 100% coverage cannot be achieved…an appropriate explanation should be given”.
In the automotive sector, ISO 26262 Part 6 §9.4.4 requires that “structural coverage shall be measured in accordance with the metrics in Table 9″. Table 9 shows that MC/DC is “recommended” for ASIL A-C, and “highly recommended” for ASIL D.
In the space sector, NPR 7150.2D §3.7.4 states that “If a project has safety-critical software, the project manager shall ensure that there is 100 percent code test coverage using the Modified Condition/Decision Coverage (MC/DC) criterion for all identified safety-critical software components.”
LDRA MC/DC analysis is available with both the TBrun component of the LDRA tool suite, and the LDRAunit stand-alone, point product tool for automated unit test generation and management.
TBrun and LDRAunit can each leverage the TBextreme add-in to automatically generate test cases that provide 50-80% of coverage, and their intuitive test case building environment lets developers quickly augment those test cases to increase their coverage if necessary.
Each condition needs a pair of tests to prove that when that condition changes in isolation, then the output changes. To achieve MC/DC coverage for n conditions requires a minimum of (n+1) tests. For example, if there are 6 conditions, at least 7 tests will be required.
Clear, concise reporting presents a truth table showing which pairs could be used for each condition, highlights the combinations that hit the greatest number of independent pairs, and indicates which combinations constitute a complete minimal test set.
Technical Briefing: DO-178C: Get on a High with your software development
Technical White Paper: Verification of Airborne Software in Compliance with DO-178C
Technical briefing: IEC 61508: Know your SILs from your elbow
Technical white paper: implementing IEC 61508:2010 with the LDRA tool suite
Technical briefing: ISO 26262 – a pain in the ASIL?
Technical white paper – Implementing ISO 26262 second edition with the LDRA tool suite
Email: info@ldra.com
EMEA: +44 (0)151 649 9300
USA: +1 (855) 855 5372
INDIA: +91 80 4080 8707
