Risk Management in a Software Development Life Cycle

Risk Management in a
Software Development Life Cycle

by Anton D. Buttigieg B.Sc. (Hons.) I.T.
(Email address abut001@mail.um.edu.mt)

Table of Contents

SECTION 1 - CAPERS JONES'S PERSPECTIVE

1.1. Introduction

1.2. Risks Associated With Inaccurate Estimating and Schedule Planning

1.3. Risks Associated With Incorrect and Optimistic Status Reporting

1.4. Risks Associated With External Schedule Pressures Which Damage Quality

SECTION 2 - PETER KULIK'S PERSPECTIVE

2.1. Introduction

2.2. Impact on Software Projects

2.3. Definition of Software Risk Management

2.4. Top-Down Risk Estimation

2.5. Identifying and Prioritizing Risks

2.6. Risk Mitigation Actions

2.7. Monitoring and Adjusting Execution

SECTION 3 - NASA'S PERSPECTIVE

3.1. Introduction

3.2. Risk Management Objectives

3.3. Continuous Risk Management Principle Functions

SECTION 4 - SOFTWARE RISK ASSESSMENT BY LIFE CYCLE PHASE

4.1. The Requirements Phase

    4.1.1. Requirement Attributes and Metrics

    4.1.2. Requirement Risks

4.2. The Design Phase

    4.2.1. Design Attributes and Metrics

    4.2.2. Design Risks

4.3. The Coding Phase

    4.3.1. Code Attributes and Metrics

    4.3.2. Code Risks

4.4. The Testing Stage

    4.4.1. Testing Attributes and Metrics

    4.4.2. Testing Risks

4.5. Life Cycle Implementation

    4.5.1. Life Cycle Implementation Attributes and Metrics

    4.5.2. Life Cycle Implementation Risks

SECTION 5 - SUMMARY AND CONCLUSIONS

APPENDICES

Appendix A - References and Bibliography

Appendix B - Glossary of Risk Management Terms used in Exercise

SECTION 1 - CAPERS JONES'S PERSPECTIVE

"Large software projects will never be without some risk, but if risks can be brought down to acceptable levels, that will be a good beginning" - Capers Jones, 1998
As stated by Capers Jones, Chairman Software Productivity Research Inc. [Jon98], software has been the most troubling technology of the 20^th century. Major software projects have the highest probability of being cancelled or delayed of any known business activity. Once deployed, software projects often display excessive error densities and low levels of reliability. In addition, software is achieving a very bad public reputation because of several highly publicized disasters. However, it is not a law of nature that software projects will run late, be cancelled, or be unreliable after deployment. A careful program of risk analysis and abatement can reduce the probability of major software disasters, and also shorten average development cycles at the same time.

1.1. Introduction
Software is an important but troubling technology. Software applications are the driving force of modern business operations, but software is also viewed by chief executives as one of the major problem areas of almost every major corporation in the modern world. The litany of executive complaints against software organizations is lengthy, but can be condensed down to a set of three very critical issues that occur over and over again in hundreds of corporations:

Software projects are not estimated or planned with acceptable accuracy.

Software project status reporting is often wrong and misleading.

Software quality and reliability are often unacceptably poor.

When software executives and managers themselves are interviewed, they agree that the three major complaints levied against software are real and serious. However from the point of view of software managers, top corporate executives are cited as contributing to the problems because of three additional risk factors outside the control of the software organization:

Executives often reject accurate and conservative estimates.

Executives add major new requirements in mid-development.

Executives apply harmful schedule pressure that damages quality.

Both corporate executives and software managers agree that software is a very troubling technology, but have somewhat divergent views as to why software troubles are so common. Both see the same issues, but these issues look quite different to each group. Hence, it is crucial to examine the root causes of each of these key risk factors and explore the current state of the art for minimizing their harmful effects:

Risks associated with inaccurate estimating and schedule planning

Risks associated with incorrect and optimistic status reporting

Risks associated with external pressures which damage software projects

1.2. Risks Associated With Inaccurate Estimating and Schedule Planning

Since both corporate executives and software managers find estimating to be an area of high risk, what are the factors which trigger software cost estimating problems? From analysis and discussions of estimating issues with more than 300 managers and executives in more than 50 companies between 1996 and 1998 the following are the major issues:

Formal estimates are demanded before requirements are fully defined.

Historical data is seldom available for calibration of estimates.

New requirements are added, but the original estimate cannot be changed.

Estimating tools are not always utilized on major software projects.

Conservative estimates tend to be overruled and replaced by aggressive estimates.

The first of these estimating issues, or demanding formal estimates prior to requirements completion, is an endemic problem which has troubled the software community for more than 50 years. The problem of early estimation does not have a perfect solution as yet, but there are some approaches that can reduce the risks to acceptable levels. These early estimates have confidence levels that initially will not be very high. As information becomes available and requirements are defined, the estimates will improve in accuracy and the confidence levels will also improve. But make no mistake: Software cost estimates performed prior to full understanding of requirements are intrinsically difficult.
The second estimating issue, or lack of historical data, is strongly related to the first issue. Companies that lack historical information on the staffing, schedules, resources, costs, and quality levels from similar projects are always at risk when it comes to software cost estimation. This is true in every domain, and a good measurement program pays handsome dividends over time. Even for companies just starting measurements, the situation is better than 10 years ago for several reasons:

Many companies are now starting software measurement programs.

Industry benchmark data is improving in terms of volumes and accuracy of results.

The utilization of function points has enabled accurate "activity-based cost" studies.

The availability of benchmark information for software projects still has room for improvement, but is now reaching the level that industry norms can be stated with reasonable certainty. Also, the impact of various tools, methods, programming languages, the five levels of the Software Engineering Institute’s capability maturity model (CMM) and other interesting topics now have empirical data associated with them.
One increasingly popular way of dealing with the problem of early estimation is to change the form of the estimate from a "project-level estimate" to a "function-level estimate". Instead of simply creating a gross project-level estimate the size of the application is first predicted using function point metrics, and then costs are expressed in four ways as part of the overall estimate:

The predicted size of the application in function points

The activity costs for project activities

The estimated cost per function point

The estimated total cost

This method has the advantage of being able to deal with the third estimating problem, or unanticipated growth of new features and requirements after the initial cost estimate has been created. The advantage that function points bring to early estimation is the fact that they are derived directly from the requirements and hence show the current status of requirements completeness. As new features are added, the function point total will go up accordingly.
Indeed, even if the clients decide to remove features or delay them to a subsequent release, the function point metric can handle this situation very well. The usefulness of function point metrics for dealing with projects whose features may change and grow during development is the reason why major outsource vendors such as Andersen, CSC, IBM, etc. are now utilizing function point metrics for contractual purposes.

1.3. Risks Associated With Incorrect and Optimistic Status Reporting
One of the most common sources of friction between corporate executives and software managers is the fact that software project status reports are not accurate and believable. In case after case, monthly status reports are optimistic that all is on schedule and under control until shortly before the planned delivery, when it is suddenly revealed that everything was not under control and another six months may be needed. What has long been troubling about software project status reporting is the fact that this key activity is severely under-reported in the software management literature, and is also under-supported in terms of available tools and methods, although some of the methodology management tools are finally addressing this lack of automated support.
The situation of ambiguous and inadequate status reporting was common even in the days of the "waterfall model" of software development. Inaccurate reporting is even more common in the modern era where the "spiral model" and other alternatives such as rapid application development (RAD), client-server architectures, and the object-oriented paradigm are supplanting traditional methods. The reason is that these non-linear software development methods do not have the same precision or the completion milestones as the older linear software methodologies. The purpose of monthly status reports is to give clients and senior management a clear and precise indication of everything that is right and everything that is wrong with the condition of the project as of the current moment.
The idea of status reporting is to examine the actual condition of the project versus what was planned for the project for the current month. One should note that this concept of status reporting assumes that the plans for the project are reasonably detailed and thorough, or otherwise there will be no ability to create variance reports that contrast actual results with anticipated results. The normal frequency of status reporting on large systems is monthly.
The monthly status reports will consist of both quantitative data on topics such as current size and numbers of defects, and also qualitative data on topics such as problems encountered. Six general kinds of information are reported in monthly status reports:

Cost variances (quantitative)

Schedule variances (quantitative)

Size variances (quantitative)

Defect removal variances (quantitative)

Defects variances (quantitative)

Milestone completions (quantitative and qualitative)

Five of these six reporting elements are largely quantitative, although there may also be explanations for why the variances occur and their significance. The sixth element, or milestone completions, is both quantitative and qualitative. Because the most common reason for schedule slippages, cost overruns, and outright cancellation of major systems is because they have too many bugs or defects to operate successfully, a vital element of monthly status reporting is data on the actual numbers of bugs found compared to the anticipated numbers of bugs. Needless to say, this implies the existence of formal defect and quality estimation tools and methods.

1.4. Risks Associated With External Schedule Pressures Which Damage Quality
The last of the three major domains of project risk is that of external pressure by corporate executives or clients which lead to dangerous short cuts on the part of the project manager. Several kinds of external pressure are potentially harmful to project outcomes and need to be considered:

Pressure to agree to schedules which are completely impossible

Pressure to minimize inspections or testing in order to speed up development

Pressure to add new features very late in the development cycle

Although external pressures by executives and clients are a fact of life for software projects, a thoughtful analysis of the root causes of these pressures reveal that they are derived from the issues already discussed:

Cost estimates by project managers are not perceived as credible and defensible.

No historical data from similar projects is available for a "sanity check".

Impact analysis of the results of the pressure is not believed or not performed.

The essence of the situation is that software project managers who are not using formal software estimating methods and who lack historical data on similar projects will not be able to defend their cost and schedule estimates. If project managers cannot provide empirical data that their estimates are valid, then they must face the risk of being overruled.
Thus conservative estimates will be replaced by aggressive and even impossible demands simply because project managers are ill-equipped to defend their work. Executives may be arbitrary in their decisions but they are seldom stupid. While corporate executives might want a large software project finished in 18 months, if they know that not one of 50 similar projects within their industry has ever been completed in less than 24 months, then they will almost certainly accept a 24 month schedule as a fact of life.
However, it is the software project manager’s job to have available empirical data on the schedules, effort, costs, and outcomes of similar projects. In situations where neither the software project managers nor corporate executives have any idea of the average and "best in class" results of similar projects, then the whole situation is likely to be hazardous. If the software manager lacks solid data, then he or she is in no position to make a convincing argument that an arbitrary schedule set by an executive or a client is infeasible. The combination of formal estimating methods and tools coupled with accurate benchmarks from within the industry is the best defense against external pressures from executives and client demands.
The appropriate response by a project manager is to perform a side-by-side estimate of the original plan and the changed plan ordered by the executive or client, and show the impact of the changes in terms of schedules, effort, costs, quality, reliability, and maintenance affects. If the estimates are done professionally and if historical data is available to buttress the assertions of the estimates, then the risks of arbitrary changes can be reduced or eliminated. There is still a chance that external pressures cannot be eliminated or arbitrary schedules imposed, but good estimating approaches and solid historical data give the best probabilities that reality will win over impossible demands.

SECTION 2 - PETER KULIK'S PERSPECTIVE

"Tomorrow's problems are today's risks - Software risk management is becoming more and more widely implemented because of its proven results to identify and eliminate risks before they become problems" - Peter Kulik, 1996
Peter Kulik [Kul96a] states that awareness of Software Risk Management is growing throughout the industry. Proven industry results from implementation of Software Risk Management include earlier project completion, reduced project cost, more predictable schedules, and improved organizational capabilities. The practice of Software Risk Management includes both top-down and bottom-up perspectives. Projects that implement Software Risk Management become simpler and more focused. Further, a variety of tools are available for easier implementation.

2.1. Introduction
Software Risk Management is a set of practices that enable software development projects to assess overall project risk and identify, prioritize, and manage specific risks. Awareness of Software Risk Management has been increasing in the industry, and the US government actually requires it of their suppliers. Software Risk Management enables one to anticipate and eliminate risks before they become problems. By addressing the root cause sources of project risk - including process factors, technology and product factors, and organizational factors, organizational capabilities can be improved.
Projects using Software Risk Management to manage their risks have realized benefits including:

Prevention of schedule delays

Reduced project cost

More predictable schedules

Better attainment of customer commitments

2.2. Impact on Software Projects
At first glance, Software Risk Management might appear to just add complexity to an already complex undertaking. In reality, however, risk management activities make software projects less complex:

Identification and prioritization of risks enables project managers and project staff to focus on the areas with the most impact to their project.

Appropriate risk mitigation actions reduce overall project risk - which actually accelerates project completion.

Projects which finish sooner cost less, plus risk mitigation actions can further reduce project cost.

Projects using Software Risk Management have more predictable schedules; they experience fewer "surprises", since they have identified (and in many cases, eliminated) risks before they can become problems.

In sum, Software Risk Management helps projects secure their customer commitments. Further, managers and project staff utilizing Software Risk Management have a better overall understanding of their project and make better business decisions.

2.3. Definition of Software Risk Management

Software Risk Management includes the following aspects:

Top-down risk estimation
Bottom-up risk management

- Identifying and prioritizing risks

- Carrying out risk mitigation actions

- Monitoring and adjusting execution

- Conducting risk assessments

Top-down risk estimation maps project risk into schedule completion dates. An example of a top-down risk management tool is the TDM_schedule metric, shown in Figure 1 [Kul96]. This model enables project risk to be quantified in terms of a specific level of confidence (0% to 100%), or potential schedule slippage. Bottom-up risk management puts detail behind the top-down approach. Bottom-up risk management identifies underlying project strengths and risks that drive the top-down risk estimate. The power of Software Risk Management is realized by taking action to leverage project strengths and reduce and eliminate risks.

Figure 1: The TDM_schedule Risk Profile

2.4. Top-Down Risk Estimation

This activity provides a top-down perspective on project risk, and determines an overall risk framework for a project. Models such as Figure 1 enable informed decisions about schedule commitments and contingency. Tools to develop a risk framework include:

TDM_schedule metric
Statistical Project Profile
Project schedule simulation

The TDM_schedule metric [Kul96] uses project staff member knowledge, perspectives, and expectations to determine a project risk profile. As such, it can also reflect the impact of risk management actions; as risk mitigation actions reduce project risk, the risk profile will shift up – at a given level of confidence, the projected completion date will shift left! These shifts reflect improved confidence in the project’s ability to achieve customer schedule commitments.

The Statistical Project Profile looks at project size and software industry productivity models to develop a model of project risk. This model enables software organizations to evaluate factors which will make them more or less productive than the industry overall, and select a level of confidence which defines an achievable project completion commitment.

Simulating the project schedule can be accomplished using a tool such as Risk+ from Program Management Solutions, Inc. Based on probability distributions for individual tasks, simulation will construct a statistical model of project risk [Hul96]. For simulation to provide useful results, the project schedule must be accurate and complete; missing tasks, underscoped or overscoped tasks, and missed or invalid task or resource dependencies will result in GIGO (Garbage In, Garbage Out) results.

2.5. Identifying and Prioritizing Risks

After the top-down perspective has been developed, the underlying reasons for the risk profile need to be determined. This is accomplished by identifying and prioritizing individual risks for the project. Individual risks can be identified using a variety of approaches:

Reviewing published lists of project risk sources
Evaluating requirements specifications, project plans, Work Breakdown Structures, GANTT or PERT schedules, etc.
Interviewing project staff
Brainstorming

Risks can be prioritized through a number of methods. Some projects have used A-B-C or High-Medium-Low lists. Others have estimated individual risk likelihood of occurring and potential schedule impact to produce an overall rating for each risk. Experience shows that risks which impact critical path tasks should always have highest priority. Brainstorming for risk identification can often be completed more quickly and comprehensively with the help of a facilitator skilled in Software Risk Management practices. This strategy can also provide essential training for organizations and project staff not familiar with Software Risk Management practices.

2.6. Risk Mitigation Actions

Risk identification and prioritization activities are only useful if actions are defined and executed to mitigate risks. Aggressive, proactive risk mitigation actions for top priority risks are essential to achieve the benefits of Software Risk Management. Risk mitigation actions are defined individually for project risks. In some cases, immediate action will be called for; in others, future consideration will be more appropriate.

For example, user interface requirements may be a risk on a particular project. This risk can be mitigated by developing prototypes and using a spiral development process model. Another risk might be establishing host communication for the test environment. This risk could be re-evaluated during later phases of development, at which point a preliminary test environment can be constructed.

2.7. Monitoring and Adjusting Execution

Software Risk Management is an integral part of project execution. As a project proceeds, some risks will be eliminated, but some new risks may also occur. Some risk mitigation actions will work well, but some may not work and new action will need to be taken. As the project proceeds, priorities will change and new risk management planning will need to be undertaken.

For example, a risk related to host communication may be eliminated, but end-user system capacity may become a new risk for initial deployment. Prototypes may solidify user interfaces, but testing with unskilled operators may not work and an alternative strategy may be required. Setting up software development environments may be a high priority risk early in a project, but testing environments will become much more important as the project proceeds. Monitoring project risks can be accomplished through the following mechanisms:

Scheduling risk mitigation tasks and review milestones on the project schedule
Holding formal project risk management review meetings
Conducting regular anonymous surveys of project staff

The project schedule is an excellent tool for risk management. By scheduling explicit risk mitigation tasks, their progress and effectiveness can be reviewed on a timely basis at project status meetings. Further, schedule milestones can serve as a reminder of formal project risk management review meetings, which provide a forum for evaluation of project risks and the effectiveness of risk mitigation actions.

At project risk management review meetings, new risks can be identified, all project risks can be re-prioritized, and new risk mitigation actions can be planned. This review should take a holistic approach to a project, considering all core and supporting areas for effective project execution. Regular, anonymous surveys provide a mechanism to gather feedback from all project staff, efficiently allowing them to provide input on current project risks. With large projects, this can be the only practical way to gather input from all staff. After consolidation, the survey results can be used as a basis for evaluating risk mitigation actions and planning new actions to address risks.

SECTION 3 - NASA'S PERSPECTIVE

"Software risk management is important because it helps avoid disasters, rework, and overkill, but more importantly because it stimulates win-win situations" - The National Aeronautics and Space Administration (NASA), 1999

3.1. Introduction

The National Aeronautics and Space Administration (NASA) is increasingly reliant on software for the functionality of the systems it develops and uses. The Agency has recognized the importance of improving the way it develops software, and has adopted a software strategic plan to guide the improvement process [RHG99]. At the Goddard Space Flight Center (GSFC), the implementation of the plan has led to the establishment of the Software Assurance Technology Center (SATC). As part of its role of improving the quality of software at GSFC and NASA, the SATC has software metrics as one of its areas of emphasis.

3.2. Risk Management Objectives

The objectives of software risk management are to identify, address, and eliminate software risk items before they become threats to success or major sources of rework. In general, good project managers are also good managers of risk. It makes good business sense for all software development projects to incorporate risk management as part of project management. There are a number of definitions and uses for the term risk, but there is no universally accepted definition. What all definitions have in common is agreement that risk has two characteristics:

- uncertainty: an event may or may not happen.

- loss: an event has unwanted consequences or losses.

Therefore, risk involves the likelihood that an undesirable event will occur, and the severity of the consequences of the event, should it occur. Risk management can:

Identify potential problems and deal with them when it is easier and cheaper to do so - before they are problems and before a crisis exists.
Focus on the project’s objective and consciously look for things that may affect quality throughout the production process.
Allow the early identification of potential problems (the proactive approach) and provide input into management decisions regarding resource allocation.
Involve personnel at all levels of the project; focus their attention on a shared product vision, and provide a mechanism for achieving it.
Increase the chances of project success.

Risk management must not be allowed to become "shelfware". The process must be a part of regularly scheduled periodic product management. It requires identifying and managing risks routinely throughout all phases of the project's life. The paradigm shown in Figure 2 illustrates the set of continuous risk management functions throughout the life cycle of a project. These functions serve as the foundation for the application of continuous risk management. Each risk nominally goes through these functions sequentially, but the activity occurs continuously, concurrently, and iteratively. Risks are usually tracked in parallel while new risks are identified and analyzed, and the mitigation plan for one risk may yield another risk.

Figure 2: Continuous Risk Management Principle Functions

3.3. Continuous Risk Management Principle Functions

- Identify

The purpose of identification is to consider risks before they become problems and to incorporate this information into the project management process. Anyone in a project can identify risks to the project. Each individual has particular knowledge about various parts of a project. During Identify, uncertainties and issues about the project are transformed into distinct (tangible) risks that can be described and measured.

- Analyze

The purpose of analysis is to convert the data into decision-making information. Analysis is a process of examining the risks in detail to determine the extent of the risks, how they relate to each other, and which ones are the most important. Analyzing risks has three basic activities: evaluating the attributes of the risks (impact, probability, and timeframe), classifying the risks, and prioritizing or ranking the risks.

- Plan

Planning is the function of deciding what, if anything, should be done about a risk or set of related risks. In this function, decisions and mitigation strategies are developed based on current knowledge of project risks. Hence, the purpose of planning is to:

make sure the consequences and the sources of the risk are known
develop effective plans
plan efficiently (only as much as needed or will be of benefit)
produce, over time, the correct set of actions that minimize the impacts of risks (cost and schedule) while maximizing opportunity and value
plan important risks first

Figure 3 indicates the potential approaches to Risk Planning.

Figure 3: Planning approaches

There are four options to consider when planning for risks:

Research: establish a plan to research the risk(s)
Accept: decide to "accept" the risk(s) and document the rationale behind the decision
Watch: monitor risk conditions for any indications of change in probability or impact (tracking metrics must be established and documented)
Mitigate: allocate resources and assign actions in order to reduce the probability or potential impact of risks. This can range from simple tasking to sweeping activities:

- Action Items: a series of discrete tasks to mitigate risk

- Task Plan: formal, well-documented and larger in scope

- Track

Tracking is the process by which risk status data are acquired, compiled, and reported. The purpose of tracking is to collect accurate, timely, and relevant risk information and to present it in a clear and easily understood manner to the appropriate people/group. Tracking is done by those responsible for monitoring "watched" or "mitigated" risks. Tracking status information becomes critical to performing the next function in the Continuous Risk Management paradigm, i.e. Control. Supporting information, such as schedule and budget variances, critical path changes, and project/performance indicators can be used as triggers, thresholds, and risk- or plan-specific measures where appropriate.

- Control

The purpose of the Control function is to make informed, timely, and effective decisions regarding risks and their mitigation plans. It is the process that takes in tracking status information and decides exactly what to do based on the reported data. Controlling risks involves analyzing the status reports, deciding how to proceed, and then implementing those decisions.

- Communication and Documentation

The purpose of Communicate and Document is for all personnel to understand the project’s risks and mitigation alternatives as well as risk data and to make effective choices within the constraints of the project. Communication and Documentation are essential to the success of all other functions within the paradigm and is critical for managing risks:

Identify: In risk identification, risk statements are communicated.
Analyze: In analysis, project personnel communicate information about impact, probability, and timeframe attributes. Risk classification involves grouping risk information communicated by individuals.
Plan: During planning, action plans are developed and communicated to project personnel.
Track: Reports designed to communicate data to decision-makers are compiled during tracking.
Control: The decisions made during control must be communicated and recorded to project personnel.

SECTION 4 - SOFTWARE RISK ASSESSMENT BY LIFE CYCLE PHASE

At this stage, it should be possible to assess the risks at each phase of the development life cycle and to project future risks. Figure 4 diagrams a possible implementation of this activity:

First, risk management - the relevant project risks must be identified, prioritized, then tracked through the life of the project.
Second, by identifying and prioritizing project goals, project management can focus a metrics program to specific areas relevant to their project.

Figure 4: Risk and Quality Interactions

4.1. The Requirements Phase

4.1.1. Requirement Attributes and Metrics

The goal for this first phase of software development is a complete, unambiguous, and understandable requirements document, the stabilization of requirements as quickly as possible, and the traceability of all requirements from their source to the software requirements document and then through design and implementation and test. The primary risks are that the wrong software will be developed, that the software will not be completed on schedule, and that the requirements will not be testable. The associated attributes are:

Ambiguity - Potential multiple meanings.
Completeness - Items left to be specified.
Understandability - Readability of the document.
Volatility - Rate and time within the life cycle changes are made to the requirements.
Traceability - Traceability of the requirements upward to higher level documents and downward to code and tests.

Table 1 shows the relationships for the requirement attributes and applicable metrics for this phase.

Table 1: Requirement Attributes & Metrics

Overall assessment of requirements risk has to blend the impact of all of the requirements metrics. To reduce risk, specific requirements that are ambiguous can be identified and revised, as illustrated in Table 2:

Table 2: Weak Phrases

Completeness is measured by the number of items not yet specified - that contain TBAs (to be added), TBDs (to be determined), or TBSs (to be supplied). Measures of Understandability rely on readability indices, the number of structure levels within the document and at what level the requirements are specified [WRH96].

Volatility is an important factor in risk, and extensive measures are often taken to reduce its impact. But in order to measure volatility, a count of the requirements is needed. Identifying and counting the imperatives and continuances is one method to quantify the number of actual requirements in a document. Table 3 is a list of imperatives and continuances commonly found in requirement documents. The count of the requirements is the sum of the number of imperatives and the number of items that follow continuances [WRH96].

Table 3: Imperatives & Continuances

Once the requirements have been counted, the volatility can be measured by a count of the number of changes divided by the number of total requirements. The count for the number of changes is not by number of requirements changed, but by applying the same imperative/continuance count used to determine the base number of requirements.

4.1.2. Requirement Risks

It is generally accepted that poorly written, rapidly changing requirements are a principal source of project risk (and indeed, of project failure). The metrics and attributes defined above are related to project risk. For example, the metrics for ambiguity - the count of weak phrases and optional phrases in the requirements document - indicate problems in the requirements document that can result in confusion and the need to take unplanned actions to resolve the questions raised. Thus, the higher the count of ambiguous terms, the higher the project risk.

The requirements counting method discussed above only provides an indicator of the number of requirements. Even though it may not yield an exact count, it does provide the developer a working estimate of tasks to be done. Below is an example of a requirement that would be flagged by the SATC requirements metrics tool as ambiguous (because of the use of "normal speed"). It is also difficult to determine the number of real and implied requirements in the statement, although the tool would only count the one "shall". (In order to preserve the anonymity of the project, ITEM1 or ITEM2 are substituted for project specific terms.)

Requirement: Each channel shall be capable of processing and forwarding telemetry data to the ITEM1 and the ITEM2 at normal speed.

If the imperatives are counted, it has only one task, but in reading the requirement, it becomes obvious that it contains two or more tasks. Requirements volatility is always associated with project risk. In addition, the later in the life cycle changes are made to requirements, the more resources needed to implement them. Late requirement changes may also cause a ripple effect, causing additional changes in associated areas. The earlier in the life cycle the requirements stabilize, the lower the risk. The traditional cost increase for the impact of errors shown in Figure 5 can be used for the impact of requirements changes [Fen91].

Figure 5: Additional Cost of Errors

Because of the high cost and associated risk of changes made late in the life cycle, requirements attributes and risk must be measured throughout the life cycle.

4.2. The Design Phase

4.2.1. Design Attributes and Metrics

The design process translates requirements into a representation of the software that could be assessed for quality before coding begins. Like requirements, the design is documented and becomes a part of the software configuration baseline. However, the products of the design phase are even more difficult to measure. Design products lack the application of standard depictions and formats and a standard method for developing the design. This makes metrics for the design phase difficult to identify and to collect.

Design can be depicted by showing control flow, data flow, or object-oriented/functional structures. An ideal set of metrics covers all three, but most projects are designed by developing only one of these structures. Since the design phase is the transition between requirements and code, the attributes and metrics proposed for design overlap these two phases. The attributes for the design phase are:

Ambiguity - Multiple meanings.
Completeness - Items left to be specified.
Structure/Architecture - Amount of work a module must perform.
Coupling - Strength of the interconnection from one module to another.

The SATC has identified some design metrics proposed in the industry as shown in Table 4. Due to insufficient data, the SATC has been unable at this time to validate this set of metrics. Since high complexity increases the propensity for errors and hence increases risks to the schedule and maintainability, the goal of design quality minimizes the complexity of the design. The applicable metrics are level and completeness of the design and two types of complexity, similar to those used for code.

Table 4: Design Attributes & Metrics

Ambiguity could be measured by the amount of detail, and Completeness could be measured by the number of modules, not at the lowest level, whose structure is not specified. Structural complexity is measured using McCabe's cyclomatic complexity. It is a calculation of the number of test paths within a module. Coupling is measured by Fan-in and Fan-out. Fan-in is a count of the calls to a given module. This is the number of local flows into the module plus the number of data structures from which the procedure retrieves information. Fan-out is a count of calls from a given module. This is the number of local flows from a module plus the number of data structures which the module updates.

4.2.2. Design Risks

The design of the software is critical to all future stages of development. If the design is very complex, the coding requires more experienced programmers, more meticulous attention to detail, and more time to code and test. Unfortunately, due to the lack of standard design formats, metrics for this phase are often ignored or omitted from risk evaluation. This increases not only the risk to correctness but can lead to a snowball effect of schedule risk.

4.3. The Coding Phase

4.3.1. Code Attributes and Metrics

The primary goal of a software development project is to develop code and documentation that will meet the project's requirements. The primary risks in this phase are that the software be maintainable and reusable. The risks to schedule and reliability must be taken into account at this phase, but they are measured in the testing phase. The specific attributes measured during software development are as follows:

Structure/Architecture - Evaluation of the constructs within a module to identify possible error-prone modules.
Maintainability - Ease of finding and fixing errors.
Reusability - Feasibility of reuse of the software.
Documentation - Adequacy and usability of internal and external documentation.

The metrics used to evaluate these attributes are specified in Table 5.

Table 5: Development Attributes & Metrics

The attributes of Structure/Architecture, Maintainability and Reusability use the same metrics for evaluation, but with different emphasis and interpretation guidelines. The three areas of metrics applied here are complexity, size, and the correlation of module complexity with size.

There are many different types of complexity measurements. These include Logical (Cyclomatic) Complexity, which is the number of linearly independent test paths; Data Complexity, which measures the data types and parameter passing; and Calling Complexity, which counts the number of calls to and from modules [IEEE92]. The extent the GOTO command is used is an indication of disruption of the planned logic flow.

One of the oldest and most common forms of software measurement is size. There are many possibilities for representing size: Lines of Code counts all lines containing program headers, declarations, and executable and non-executable statements; Non-comment Non-blank (Source lines of code) counts lines that are not a comment line or a blank line; and Executable Statements counts the number of executable statements regardless of the number of physical lines.

4.3.2. Code Risks

It is generally accepted that modules with higher complexities are more difficult to understand and have a higher probability of defects than modules with smaller values. Thus, complexity has a direct impact on overall quality and specifically on maintainability and reusability. Projects developing code designed for reuse should be especially concerned with complexity since it may later be found to be more expedient to rewrite highly complex modules than to reuse them.

No single metric is a precise risk determinant in the analysis of a product. While poor quality of any product is a risk to the specific goals of the project, some of the best measures of risk come from correlations of the base metrics. Complexity and size of modules are two common measurements of modules, but alone they provide a very one dimensional picture. A more comprehensive view of the data can be obtained by correlating the complexity to the size. A scatter plot of the modules (procedure, function, method, class) is useful to evaluate this data. The SATC uses the Extended Cyclomatic Complexity and the number of Executable Statements. These metrics were chosen because they allow maximum comparison across languages and are the least influenced by programmer style. Using a historical database of code metrics, error data and discussions with numerous programmers and software managers, the SATC developed the diagram applied in Figure 6 (counts in Table 6). Each symbol represents one module.

The purpose of this diagram is to help prioritize the modules' risk and identify which modules should be further investigated. The seven risk areas are comprehensive, including probability of numerous errors, difficult testing, maintaining and reusing.

Figure 6: Modules at Risk

Modules with an extended cyclomatic complexity of less than 20 and the number of executable statements less than 50 have a minimal risk (Region 0). These modules are within most industry acceptable ranges. Modules with a complexity less than 20 but more than 50 executable statements are usually lists of assignment statements and are considered low risk (Region 1). Modules with a complexity between 20 and 40 are more difficult to understand. Those with less than 50 executable statements (Region 3) are terse and tend to be more complex and hence a higher risk than those modules with 50 to 100 executable statements (Region 2). The SATC has found that modules with proportional size to complexity, approximately 2 statements for each unit of complexity (Region 4), are easier to re-engineer and tend to be at a lower risk than modules in the two other "HIGH" risk areas. Modules that have a high complexity for a few number of executable statements (Region 6) are the highest risk. These modules are very terse and compact. They tend to be very difficult to understand, increasing the difficulty of maintenance and decreasing the possibility of reuse.

The percentage of modules in each region, shown in Table 6, and a list of the names of the modules in Regions 4, 5, and 6 are supplied to the project management. It is recommended that developers further investigate the modules in these regions using additional metrics such as fan in/ fan out, comment percentage and number of errors, especially the modules probably at risk in Region 6 with very high complexity and size.

Table 6: Counts & Percentages Figure 6

The diagram in Figure 6, when completed, identifies the potential risks to reliability and, especially, maintainability and reusability based on size and complexity. The diagram's values are used to show risk for maintainability by the number of modules in the higher risk areas. Lower values for complexity and size would be used to redefine the risk areas for reusability since the candidates for reusability have both upper and lower guidelines.

Since resources are usually limited in any project development, another application of the diagram in Figure 6 is to assist developers and project managers in identifying where to focus resources. Modules in the highest risk areas should be re-engineered if possible, breaking them into smaller units or applying a different design algorithm that decreases complexity. If code redesign and modification is not feasible, high-risk modules should be rigorously tested and explicit commenting verified.

4.4. Testing Phase

4.4.1. Testing Attributes and Metrics

Once code has been generated and completed, unit testing, formal testing - System, Integration, and Acceptance Testing - begins. During formal testing, all software modules are integrated into a cohesive whole and a series of system integration and validation tests are conducted. The purpose of this testing is to find both errors remaining for unit testing and errors which result from unanticipated interactions between subsystems and components. It is also concerned with validating that the overall system provides functions specified in the requirements and that the dynamic characteristics of the system match those required.

The goals for effective testing are to locate and repair faults in the software, to identify error-prone software, and to complete testing on schedule with sufficient number of faults found and repaired that the software will operate as well as needed when it is put into operation. The risks are to schedule and reliability. The attributes measured are:

Correctness - The likely number of errors remaining in the software.
Reliability - The likely number of highly critical errors remaining in the software.

The associated metrics are shown in Table 7.

Table 7: Testing Attributes & Metrics

Correctness and Reliability of a computer program are the most important elements of its overall quality. If a program repeatedly and frequently fails to perform, the users will not be satisfied, regardless of the acceptability of other quality factors. Software reliability is defined in statistical terms as the probability of failure free operation of a computer program in a specified environment for a specified time. Software reliability is often measured by the "mean time between failure", but it can also be measured by estimating the number of errors left in the software that are of high criticality - that is, that prevent the software or some major function from operating [KP96].

Correctness can be measured by stating the percentage of errors within a program that must be removed. This implies the ability to estimate the number of errors in the software. One industry guideline is to expect approximately 7 errors per 1000 Source Lines of Code. This estimate is helpful in an overall estimate of the number of errors, but does not take into account the rate at which errors are found. If the rate of finding errors has not started to flatten out, the projection is that if the software is released, the risk to reliability is high that it will not meet the qualifications.

The SATC is working to release the Waterman Error Trending Model for determining the status of testing by projecting of the number of errors remaining in the software and the expected time to find a specified percentage of errors. This model used the Musa Reliability model and the Raleigh curve for effort estimations. The SATC is developing this model rather than using the standard Musa model because it is less sensitive to data inaccuracy and provides for non-constant testing resource levels. Figure 7 is an example of the model's application.

Figure 7: Waterman Error Trending Model

During the testing phase, as the errors are identified, they may result in changes to the code. Code "at risk" that was identified using development phase metrics can now be linked to errors/changes. This linkage is important because changes to code, especially code that is high risk due to size and complexity, can lead to additional problems and ripple effect errors. High-risk code with multiple changes before release indicates that re-engineering of that code should strongly be considered. Table 8 indicates a method for combining the metrics on code modules and presenting a risk picture.

Table 8: Module Total Risk Indication

In this table, metrics from the development phase are combined with metrics from the testing phase to provide a more accurate assessment of which modules pose potential risks. The size/complexity correlation risk and comment percentage are now combined with the number of errors detected and the criticality of those errors. The comment percentage represents the amount of internal documentation that will provide information to the people making the changes to the code. Minimal internal documentation can cause indirect or "bad" fixes, or introduce new errors.

Analysis of completion rate data can also be used to identify risks. The completion rate of tests can be used to estimate the risk of completing all tests on time, hence completion of testing requirements and modules. The risk is measured by use of test report data. Table 9 is an example of data that might be compiled from the test data and used for projecting testing results for the next 3 months of testing (test months 6, 7, & 8). Using this information, a project manager might conclude that if all tests must be passed by the end of the eighth month, this project is at high risk.

Table 9: Sample Test Data and Projections

4.4.2. Testing Risks

The metrics for this phase lend themselves to a number of risk projections. If the project has quantified the percentage of the errors that are to be found before the software is accepted, the Waterman Error Trending Model can be used to project when that will happen. If the time is significantly after the time at which the schedule requires the software to be available, then schedule risk is high.

Another risk determination can be done by looking at the code modules or sub-systems in which the errors occur. Segments of code with more than the average number of errors need investigation to see if re-engineering should be considered. Additionally, the time to fix errors should be tracked. If this metric is increasing, then a threat to reliability and to schedule exists and should be pointed out to the project.

Finally, the location of faults that caused high criticality errors should be tracked. A concentration of them in a segment of code indicates a risk that the requirements are not well understood, or that the design is not suitable.

4.5. Life Cycle Implementation

4.5.1. Life Cycle Implementation Attributes and Metrics

The goal of implementation effectivity within the life cycle activities is to maximize the effectiveness of resources within the project scheduled activities. This is not phase specific but starts in the requirements phase and continues to the release of the software. The primary risk that can be assessed is to the schedule. The attributes of this goal are:

Resource use - The extent resource usage correlates to the appropriate phase of the project.

Completion Rates - Progress made in completing items such as peer reviews or turnover of completed modules to CM.

The metrics for these attributes are shown in Table 10 below:

Table 10: Implementation Attributes & Metrics

The purpose of collecting resource hours is not to monitor personnel attendance but to validate schedule risks. Figure 8 is the Rayleigh curve, which is commonly used to estimate the expected effort expended for any people intensive activity. Projects tend to ramp up fairly quickly then slowly decrease - the level of effort is not consistent throughout implementation and projects need to staff accordingly [Fen91]. Projects that schedule a fixed number of personnel throughout the development will be understaffed initially and then over staffed towards the project conclusion.

Figure 8: Rayleigh Manpower Effort Curve

4.5.2. Life Cycle Implementation Risks

The risks that can be determined from the metrics of resource use are based on the appropriateness of the tasks to which resources are being applied at a given time during the life cycle. To the extent that for those activities that do not match the expected or planned activities, an element of risk may have been identified. For example, work on prior phase activities during the current phase is a risk indicator. If significant effort is being expended on requirement activities during the design phase (or worse, during the implementation phase), there is significant risk that the project will not be able to meet its schedule objective. This is demonstrated in Figure 9 below.

Figure 9: Effort by Activity

In Figure 9 requirements are still being written during the time allotted to coding, rippling coding into the testing phase. This indicates that in order to maintain the schedule, testing must decrease, putting reliability at risk, or the schedule is at risk if the testing must be completed.

SECTION 5 - SUMMARY AND CONCLUSIONS

As highlighted by Capers Jones (Section 1), large software projects are very hazardous business ventures. For projects above 10,000 function points, cancellations, delays and cost overruns have been the norm rather than the exception. But careful analysis of the root causes of large software project delays and disasters indicate that most of the problems stem from inaccurate estimation, inaccurate status reporting, and lack of historical data from similar projects.

All of these root causes can be minimized or even eliminated by the adoption of formal estimating methods and tools, by formal monthly status reports of both quantitative and qualitative data, and by benchmark analysis of similar projects to provide a solid basis of what can and cannot be accomplished.

Peter Kulik (Section 2) views risk assessments as a tool of most benefit to projects with significant risk. Generally, a risk assessment will identify root cause strengths and risks, and may recommend risk management actions to optimize project execution. Risk assessment methodologies include SEI’s Taxonomy-Based Risk Identification, Global PM’s Risk Assessment, and Kulik & Lazarus Consulting, Inc.’s Detailed Risk Assessment^SM. Risk assessments are typically performed by outside agents expert in Software Risk Management.

Risk assessments generally focus on identification of project strengths and risks, risk prioritization, and estimation of overall project risk. For example, the Detailed Risk Assessment^SM develops a TDM_schedule profile, analyzes project documentation, and conducts short interviews with project staff to identify strengths and risks. The results of these activities are used to develop an actionable framework of risk mitigation actions based on assessor experience and individual project characteristics. Formal risk assessment is most effective for projects with relatively significant risk. In addition, the organization for whom a project is being assessed needs to have sufficient project management infrastructure to be able to take action based on the results. The organization also needs to have a commitment to improving project execution effectiveness.

Risk management benefits range from accelerating project completion and reducing costs, to improving organizational capabilities and achieving customer commitments. A number of tools are available to facilitate implementation of Software Risk Management. For example, the Project Self-Assessment Kit from Kulik & Lazarus Consulting, Inc. is an integrated tool which enables users to:

Measure 22 project metrics
Identify project strengths and risk areas
Quantify overall project risk
Develop customized action plans

Using the Project Self-Assessment Kit, these results can be achieved quickly, easily, and confidentially. Software risk management has the most benefit for projects with 5 or more staff members. Its practices can be implemented at any point in a project - but the earlier in a project, the greater the impact.

On its part, the SATC (Section 3) argues that most project managers agree that risk management works, but find difficulty in actually implementing it, even when required to do so. The risk management plan is often hastily written and then thrown in a corner to gather dust. The SATC has applied its metrics experience and some concepts from theoretical models of software quality to develop a unique model for evaluation of quality and project risks. This model fits the needs of project managers in the NASA and GSFC environment in the following ways:

The model is dynamic, not static, in the fact that it allows the production of multiple snapshots of project status across the development. The data is used to make projects about specific project risks at project milestones.

The model uses a broad range of measures for both software products and development processes.

The model is applicable across the development life cycle. The model's metrics are derived based on aspects of the attributes that answer questions of the project managers. The model includes analysis guidelines for the data collected.

New metrics, especially those relating to requirements quality, need to be validated, and a set of higher level design quality metrics is needed to supplement those done at the code level. The objective is to be able to establish a numerical metric scale for assessment of all of the metrics that affect software quality. Based on the work done to date, four conclusions can be reached:

Requirement metrics assist in identifying potential project risks
Multiple metrics are needed for comprehensive evaluation
Evaluation of requirement text can yield risk information very early in the life cycle
Metric collection is cheaper, faster and more reliable with requirement management tools

Using automated tools to track requirements has opened the door to deriving metrics for characterizing requirement text, stability and expansion rate. Tracking and correlating test cases and test results to individual requirements within a database is essential for viewing relationships not otherwise available. The use of an automated requirements database allows the metrics program to generate metrics for best insight into the requirements and test case interplay.

Thus one can conclude that formal risk management analysis and formal project assessments are effective and useful approaches that are starting to add rigor to the phrase "software engineering". Not every risk factor is fully controllable, and several risk factors exceed the authority of software managers, such as the risk of excessive paperwork caused by military standards themselves. Nonetheless, risk analysis and assessment methods are quite effective in the identification of significant problems. Once problems are identified and examined, solutions can often be developed.

APPENDIX A - REFERENCES AND BIBLIOGRAPHY

[Fen91] Fenton, N., Software Metrics: A Rigorous Approach, Chapman & Hall, London, UK, 1991.

[Hul96] Hulett, David, Schedule Risk Analysis Simplified, PM Network, July 1996.

[IEEE92] IEEE Standard for a Software Quality Metrics Methodology, IEEE Std 1061-1992, 1992.

[Jon98] Jones, Capers, Minimizing the Risks of Software, May 1998.

[KP96] Kitchenham, B. & Pfleeger, S., Software Quality: The Elusive Target, IEEE Software, 1/96.

[Kul96] Kulik, Peter, Team-Driven Schedule Metrics, March 1996.

[Kul96a] Kulik, Peter, What is Software Risk Management?, October 1996.

[RHG99] Rosenberg, L., Hammer, T., Gallo, A., Continuous Risk Management at NASA, May 1999.

[RH96] Rosenberg, L., Hyatt, L., Software Metrics Program for Risk Assessment, October 1996.

[WRH96] Wilson, W., Rosenberg, L., Hyatt, L., Automated Analysis of Requirement Specifications, Fourteenth Annual Pacific Northwest Software Quality Conference, 10/96.

APPENDIX B - GLOSSARY OF RISK MANAGEMENT TERMS USED IN EXERCISE

Assessment
A general term for a review of the processes used in developing and maintaining software. Sometimes used more narrowly to mean the status of a project in the context of how closely it comes to its planned rate of progress. Also used more restrictively in context with other terms, such as "stage assessment" or "quality assessment".

Bottom Up Estimate
Synonymous with micro estimate, and refers to the method of producing a software estimate by dealing with each activity separately and then summing the results. It is the opposite concept from top down estimating or macro estimating which generates an entire estimate from a single equation and then divides the estimate into small components via ratios or percentages.

Bugs
This term is one of the oldest in the software profession. It originated in the 1950's when the late Admiral Grace Hopper found an actual insect hamming the contacts of an electromechanical switch. The term now refers to errors or defects that find their way into programs and systems. Some software quality researchers find it desirable to replace the pejorative term "bugs" with other terms such as errors, defects, faults, and failures.

Configuration Management
This term means the methodical storage and recording of all software components and deliverables as projects are under development. The term also implies cross referencing among deliverables, and the ability to trace backwards to the original requirement for any function.

Coupling
Denotes the way parts of a program or system interface. Some forms of coupling, such as branching directly via "go to" statements are considered harmful.

Function Points
A unit of measure for software projects developed by A.J. Albrecht of IBM. Function Points are derived by a formula that multiplies the number of inputs, outputs, inquiries, logical files, and interfaces by empirically derived weights and then adjusts these values by a complexity multiplier. Function Points were used initially for information systems, and have the useful attribute of remaining constant regardless of the source language or languages used for an application.

Life Cycle
This is a very widely used term, but it has been troubled by totally inconsistent definitions. The earliest known definition circa the 1960's meant the sequence of events in building and maintaining software from requirements to retirement. More recently, CASE vendors have started advertising "full life cycle support" but have not included defect removal, maintenance, user documentation, and many other tasks. Exactly what any given assertion of "full life cycle support" means is now seriously flawed.

Maturity Level
This ambiguous term originated with Watts Humphrey of the Software Engineering Institute (SEI). It denotes an arbitrary and artificial five-level set of plateaus of increasing sophistication in the treatment and understanding of software. The SEI maturity metric runs from low (1) to high (5) and is an absolute rather than relative metric. The middle value (3) is not actually the U.S. average, but instead one of the plateaus of increasing sophistication.

Methodology
The general meaning of this term is a set of formal protocols followed when performing a task, such as an inspection. A somewhat more restrictive definition refers to a recognized and sometimes commercially marketed complex of tasks and deliverables which, it is asserted, will give better results for software development than random techniques.

Metric
A unit of measure for expressing quantified information in such a way that comparisons are possible. Examples of software metrics include Function Points, McCabe complexity metrics, cost per defect, cost per KLOC, and many others.

Outsource
A fairly new term, originating circa 1990, meaning contracting with a vendor for all of the work of an entire software and data processing function. Outsourcing is often perceived (and often truly is) as more cost effective than internal software and data processing groups. Domestic outsourcing deals with companies in the same country. International outsourcing deals with companies in other countries.

Quality
This term is extremely ambiguous for software. It has been variously defined to mean conformance to user requirements, high levels of customer satisfaction, reliability, and a low number of bugs found in a given program or system. Most of the common definitions are subjective and semi-unmeasurable, except for treating quality as the number of bugs found. It is notable that software with a high bug count is almost never satisfactory under any of the other definitions of quality.

Reengineering
This term is defined as the extraction of latent information contained in the source code of an aging existing program or system in order to develop a new and improved version of the existing software. The technical idea of re-engineering is that much of the missing design information that is normally lost as software ages is actually present but hidden in the code itself. By sophisticated expert systems methods, this hidden information can be reconstructed.

Risk
This term means the probability that a software project will experience undesirable events, such as schedule delays, cost overruns, or outright cancellation. Risk is proportional to size and inversely proportional to skill and technology levels. In considering aspects of risk for large systems, the risk of schedule slippage approaches 100% since most such systems are late. The risk of cost overruns is greater than 50% and the risk of outright cancellation is about 10%.

Risk Analysis
This term denotes a more or less formal study of the potential hazards that might be encountered in the course of developing a new software system. Risk analysis is usually formal for military projects and informal for other classes of software.

Top Down Estimate
This term means estimating a complete project with a single equation, and then decomposing the estimating via ratios or percentages to calculate individual tasks. The term is roughly synonymous with macro estimating, and shares that method's intrinsic lack of accuracy. The opposite of top down estimating is bottom up or micro estimating.