Verification and Validation of Safety Related Software

Report Date: 

June 1994

Appendices: 

No

Abstract

Introducing digital control systems into nuclear power reactor safety systems requires, as a practical matter, that the software code be shown to be free of errors.  If this is not the case, the uncertainty associated with the probability of an error manifesting itself prohibits the program's use in a safety system.

Complete testing ensures that a program is free of errors.  An approach to this for simple software programs is that of McCabe ("Structured Testing: A Software Testing Methodology Using the Cyclomatic Complexity Metric", NBS publication 500-99, 1982).  This approach analyzes the structure of a program using flowgraphs of the program execution sequence to define independent paths and create complete sets of tests.  This method can be streamlined by testing multiple paths in parallel, i.e. at the same time.  Doing this requires checking to be sure that the two paths being tested are not logically interconnected.  If this can be done on a large scale, larger programs can be tested much more quickly than by testing each path sequentially, or separately.

Small, simple programs can be completely tested and large, complex programs cannot be completely tested.  This work attempts to answer the question of where the demarcation line between testable and untestable programs lies by determining how large a program can be tested completely.  As the program gets larger, so does the amount of testing necessary, and reducing the potential for errors occurring in the testing becomes important.  This work identifies likely locations for errors and shows the tradeoff between error reduction and reduction in the number of tests needed for complete testing.  As programs grow in size, the number of independent paths grows fairly quickly.  The majority of the savings in the number of tests needed, compared to testing every independent path sequentially, is obtained by testing non-interrelated sections in parallel and testing interrelated sections in series.  Further test savings can be made by carefully coordinating the testing of interdependent sections, but this increases the chances for error.  The hybrid parallel-sequential testing method offers a compromise between the number of tests needed and the ease of setting up the tests.  The maximum size of a program that can be completely tested depends upon the number of tests that the tester is willing to conduct and upon how much probability of error or difficulty in setting up the tests the tester is willing to tolerate.

Program: 

Type: 

  • TR

RPT. No.: 

22