What code coverage metrics exist and which is required for safety certification? Explain the differences.

Code coverage measures how much of your source code is exercised by your test suite. The three primary metrics, in increasing order of rigor, are:

Statement coverage (C0) measures whether each executable statement (line of code) has been executed at least once. It is the weakest metric — 100% statement coverage can miss entire branches. For example, in if (a && b) { action(); }, executing the function once with both a and b true achieves 100% statement coverage but never tests the case where the condition is false. Statement coverage answers "was this line reached?" but not "were all paths through this line tested?"

Branch coverage (C1, also called decision coverage) measures whether each branch of every decision point (if/else, switch, loop entry/exit) has been taken at least once. This is significantly stronger — it requires testing both the true and false outcomes of every conditional. In the example above, branch coverage requires at least two test cases: one where (a && b) is true and one where it is false. Branch coverage is the minimum required by IEC 61508 SIL 2, ISO 26262 ASIL B, and DO-178C Level C.

MC/DC (Modified Condition/Decision Coverage) is the most rigorous practical metric. It requires that every individual condition within a compound decision independently affects the outcome. For if (a && b), MC/DC requires test cases demonstrating that: (1) changing a alone changes the decision outcome (while b is true), and (2) changing b alone changes the decision outcome (while a is true). This typically requires N+1 test cases for a decision with N conditions. MC/DC is mandated by DO-178C Level A (flight-critical avionics software) and ISO 26262 ASIL D (highest automotive safety level). It catches masking bugs where one condition hides the effect of another — a real concern in complex boolean expressions controlling safety interlocks.

Tools like gcov/lcov (GCC-based, free), BullseyeCoverage, and VectorCAST measure these metrics. For safety-certified projects, the coverage tool itself must often be qualified, meaning you must demonstrate that the tool accurately reports coverage — an additional engineering and documentation effort.
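
The gap between branch coverage and MC/DC can be checked mechanically. The following is an added example, not code from the original answer: it goes one step beyond the two-condition case above to a three-condition decision, (a && b) || c, and tests for unique-cause independence pairs. The interlock() function, the bit packing of test vectors, and both test sets are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define NCOND 3  /* conditions a, b, c packed as bits 0, 1, 2 of a test vector */

/* Hypothetical interlock decision, constructed for this example. */
static bool interlock(unsigned v) {
    bool a = (v & 1u) != 0, b = (v & 2u) != 0, c = (v & 4u) != 0;
    return (a && b) || c;
}

/* Constructed test sets. */
static const unsigned BRANCH_ONLY[] = {3u, 0u};          /* a,b true / all false */
static const unsigned MCDC_SET[]    = {3u, 2u, 1u, 6u};  /* N+1 = 4 vectors */

/* Branch (decision) coverage: both outcomes of the decision were observed. */
bool branch_covered(const unsigned *t, int n) {
    bool seen_true = false, seen_false = false;
    for (int i = 0; i < n; i++) {
        if (interlock(t[i])) seen_true = true; else seen_false = true;
    }
    return seen_true && seen_false;
}

/* Unique-cause MC/DC: bit k of the result is set when two vectors differ
 * only in condition k and the decision outcome differs between them. */
unsigned mcdc_mask(const unsigned *t, int n) {
    unsigned mask = 0;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            for (int k = 0; k < NCOND; k++)
                if ((t[i] ^ t[j]) == (1u << k) &&
                    interlock(t[i]) != interlock(t[j]))
                    mask |= 1u << k;
    return mask;
}

int main(void) {
    printf("branch-only set: branch=%d mcdc_mask=0x%x\n",
           branch_covered(BRANCH_ONLY, 2), mcdc_mask(BRANCH_ONLY, 2));
    printf("MC/DC set:       branch=%d mcdc_mask=0x%x\n",
           branch_covered(MCDC_SET, 4), mcdc_mask(MCDC_SET, 4));
    return 0;
}
```

The two-vector set reaches full branch coverage yet demonstrates independence for none of the three conditions; the four-vector set demonstrates it for all of them.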

Source: Debugging & Testing Q&A