
Unit 5 Software Quality and Risk Management 2025

The document covers software quality and risk management, detailing key concepts such as McCall quality factors, ISO standards, and the Capability Maturity Model Integration (CMMI). It emphasizes the importance of quality management activities, risk identification, analysis, and treatment processes, as well as the significance of both qualitative and quantitative risk analysis. Additionally, it highlights tools and techniques for quality control and the necessity of establishing a quality culture within organizations.


Unit V: Software Quality and Risk Management

• McCall quality factors, ISO and CMM Model, Tools and Techniques for Quality
Control, Modern Quality Management, Risk
Management – importance, types, process
and phases, qualitative and quantitative risk
analysis, Risk Analysis and Assessment, Risk
Strategies, Risk Monitoring and Control, Risk
Response and Evaluation.
Quality Management

• Managing the quality of the software process and
products
Software quality management

• Concerned with ensuring that the required level of quality is
achieved in a software product
• Involves defining appropriate quality standards and procedures
and ensuring that these are followed
• Should aim to develop a ‘quality culture’ where quality is seen as
everyone’s responsibility
What is quality?

• Quality, simplistically, means that a product should meet its
specification
The quality compromise

• We cannot wait for specifications to improve before paying
attention to quality management
• Must put procedures into place to improve quality in spite of
imperfect specification
• Quality management is therefore not just concerned with
reducing defects but also with other product qualities
Quality management activities

• Quality assurance
• Establish organisational procedures and standards for quality
• Quality planning
• Select applicable procedures and standards for a particular project and
modify these as required
• Quality control
• Ensure that procedures and standards are followed by the software
development team
• Quality management should be separate from project
management to ensure independence
Capability Maturity Model Integration (CMMI)
Capability Maturity Model Integration (SW-CMMI)

• Not a software life cycle model.
• Instead it is a strategy for improving the software process, irrespective of
the actual life cycle model used.
• Developed in 1987 by the Software Engineering Institute (SEI) at Carnegie
Mellon University under the sponsorship of DARPA
• Described in the book Managing the Software Process in 1989 by Watts
Humphrey
• Published as a separate document: Capability Maturity Model for Software
in 1991
What is CMM?
• Describes an evolutionary improvement path for software
organizations from an ad hoc, immature process to a mature,
disciplined one.
• Provides guidance on how to gain control of processes for
developing and maintaining software and how to evolve toward a
culture of software engineering and management excellence.
Process Maturity Concepts

• Software Process
• set of activities, methods, practices, and
transformations that people use to develop and
maintain software and the associated products (e.g.,
project plans, design documents, code, test cases,
user manuals)
• Software Process Capability
• describes the range of expected results that can be
achieved by following a software process
• means of predicting the most likely outcomes to be
expected from the next software project the
organization undertakes
What are the CMM Levels?
(The five levels of software process maturity)

Maturity level indicates level of process capability:


Initial
Repeatable
Defined
Managed
Optimizing
Five Levels of Software Process
Maturity
Level 1: Initial
Initial: The software process is characterized as ad hoc, and
occasionally even chaotic. Few processes are defined, and
success depends on individual effort.
At this level, organizations frequently have difficulty making
commitments that the staff can meet with an orderly
process
Products developed are often over budget and
schedule
Wide variations in cost, schedule, functionality and
quality targets
Capability is a characteristic of the individuals, not of
the organization
Level 2: Repeatable
Basic process management processes are established to track
cost, schedule, and functionality. The necessary process
discipline is in place to repeat earlier successes on projects with
similar applications.
Realistic project commitments based on results
observed on previous projects
Software project standards are defined and faithfully
followed
Processes may differ between projects
Process is disciplined
earlier successes can be repeated
Level 3: Defined

A CMMI Level 3 (Defined) certification means a company has
established, documented, and standardized its processes
across projects, focusing on consistency and repeatability. This
level indicates that the organization understands its processes
well and can consistently deliver work according to those
processes.
Level 4: Managed
Detailed measures of the software process and product quality are
collected. Both the software process and products are quantitatively
understood and controlled.
A CMMI Level 4 company demonstrates a high level of process maturity,
meaning their processes are quantitatively managed and predictable,
based on data and analysis. They use quantitative data to develop
predictable processes, understand process deficiencies, and manage risks
effectively. This level also signifies a commitment to excellence and
efficiency, setting the stage for sustained success.
Narrowing the variation in process performance to fall
within acceptable quantitative bounds
When known limits are exceeded, corrective action can be
taken
Quantifiable and predictable
predict trends in process and product quality
Level 5: Optimizing

A CMMI Level 5 company signifies the highest level of organizational
maturity in process improvement. It means the company has
achieved a state of "optimizing," where processes are continually
improved based on quantitative data and a deep understanding of
business objectives. This level of maturity demonstrates a focus on
continuous improvement, innovation, and high-quality technology
solutions.
Key Process Areas in CMM

SEI CMM Focus and KPAs

CMM Level | Focus | Key Process Areas (KPAs)
Initial | Competent People | -
Repeatable | Project Management | a) Software project planning; b) Software configuration management
Defined | Definition of Processes | a) Process definition; b) Training program; c) Peer reviews
Managed | Product and Process Quality | a) Quantitative process metrics; b) Software quality management
Optimizing | Continuous Process Improvement | a) Defect prevention; b) Process change management; c) Technology change management
Characteristics of Each Level

• Level 0: Incomplete
• The process area (e.g. requirements management) is either not performed or does not achieve all goals
• Initial Level (Level 1)
• Characterized as ad hoc, and occasionally even chaotic
• Few processes are defined, and success depends on individual effort
• Repeatable (Level 2)
• Basic project management processes are established to track cost,
schedule, and functionality
• The necessary process discipline is in place to repeat earlier successes
on projects with similar applications

Characteristics of Each Level (continued)

• Defined (Level 3)
• The software process for both management and engineering activities is
documented, standardized, and integrated into a standard software
process for the organization
• All projects use an approved, tailored version of the organization's
standard software process for developing and maintaining software
• Managed (Level 4)
• Detailed measures of the software process and product quality are
collected
• Both the software process and products are quantitatively understood
and controlled

Characteristics of Each Level (continued)

• Optimized (Level 5)
• Continuous process improvement is enabled by quantitative feedback
from the process and from piloting innovative ideas and technologies

McCall’s Quality Factors
McCall's Quality Model is used to evaluate and improve software
quality by identifying and assessing key factors that influence user
satisfaction and developer efforts. These factors, categorized into
product operation, product revision, and product transition, help
ensure software is functional, reliable, and maintainable, ultimately
leading to better user experiences and reduced development costs.

McCall's Quality Model aims to cover the gap between users and
developers by highlighting several kinds of software quality factors that
reflect both the views of users and developers' interests.
Why use McCall's Quality Model?
• Improved User Satisfaction:
By focusing on factors like usability, reliability, and correctness, the model ensures
the software meets user expectations and provides a positive experience.
• Enhanced Maintainability:
Factors like maintainability, flexibility, and testability help developers make
changes and updates to the software more easily and efficiently, reducing the time
and cost associated with maintenance.
• Reduced Development Costs:
By identifying and addressing quality issues early in the development process, the
model helps prevent defects and rework, ultimately lowering development costs.
• Better Communication:
McCall's model provides a common framework for developers and users to discuss
and understand the different aspects of software quality, facilitating better
communication and collaboration.
• Facilitates Software Evaluation:
The model helps in systematically evaluating software based on its quality factors,
making it easier to compare different software products or versions.
• Guides Software Development:
By understanding the different quality factors and their importance, developers can
make better decisions about how to design, implement, and test the software.
ISO 9000
• International set of standards for quality management
• Applicable to a range of organisations from manufacturing to service
industries
• ISO 9000 specifies a set of guidelines for repeatable and high quality
product development
• ISO 9001 applicable to organisations which are engaged in design,
development, production and servicing of goods. This is the standard that
is applicable to most software development organizations.
• ISO 9002 standard applies to those organizations which do not design
products but are only involved in production. Examples of this category of
industries include steel and car manufacturing industries who buy the
product and plant designs from external sources and are involved in only
manufacturing those products.
• ISO 9003 standard applies to organizations involved only in installation
and testing of the products.
ISO 9000 certification

• ISO 9000 is a family of international standards focused on quality
management systems (QMS) that organizations use to improve and
maintain their quality control processes. It provides a framework for
developing and implementing a QMS that helps organizations
consistently meet customer expectations and regulatory
requirements. While ISO 9000 outlines the fundamental principles
and vocabulary, ISO 9001 is the specific standard that provides the
requirements for a QMS to be certified.
• Quality standards and procedures should be documented in an
organisational quality manual
• External body may certify that an organisation’s quality manual
conforms to ISO 9000 standards
• Customers are, increasingly, demanding that suppliers are ISO
9000 certified
ISO 9000 and quality management
Quality assurance and standards

• Standards are the key to effective quality management
• They may be international, national, organizational or project
standards
• Product standards define characteristics that all components
should exhibit e.g. a common programming style
• Process standards define how the software process should be
enacted
Importance of standards

• Encapsulation of best practice - avoids
repetition of past mistakes
• Framework for quality assurance process - it involves checking
standard compliance
• Provide continuity - new staff can understand
the organisation by understanding the standards
applied
Product and process standards
Problems with standards

• Not seen as relevant and up-to-date by software engineers
• Involve too much bureaucratic form filling
• Unsupported by software tools so tedious manual work is
involved to maintain standards
Tools and Techniques for Quality
Control
• In software engineering, quality control
relies on tools and techniques
like automated testing frameworks
(JUnit, Selenium), static code analysis
(SonarQube), continuous integration
(Jenkins), and techniques such as code
reviews and behavior-driven
development (BDD) to ensure software
meets standards and reduces defects.
Tools:
• Automated Testing Frameworks:
• JUnit: A popular framework for writing and running
unit tests in Java.
• Selenium: A framework for automating web browser
interactions, useful for testing web applications.
• PyTest: A framework for writing and running unit
tests in Python.
• Static Code Analysis Tools:
• SonarQube: A platform for managing code quality,
including identifying bugs, code smells, and security
vulnerabilities.
Importance of Risk Management:

Protects Assets:
Risk management helps safeguard an organization's assets, including
people, property, and profits.
Enables Informed Decision-Making:
It provides a framework for understanding potential threats, allowing for
better decision-making and strategic planning.
Improves Business Performance:
By proactively addressing risks, organizations can improve their overall
performance and achieve their goals more effectively.
Enhances Resilience:
Risk management helps organizations become more resilient to
unexpected events and challenges.
Builds Trust:
Effective risk management builds trust with stakeholders, including
employees, customers, and investors.
Types of Risk Management
Financial Risk Management: Focuses on managing financial
uncertainties, such as market fluctuations, credit risks, and
liquidity issues.
Operational Risk Management: Deals with risks arising from
day-to-day operations, including technology failures, human
errors, and supply chain disruptions.
Strategic Risk Management: Addresses risks related to an
organization's long-term goals and strategies, such as market
shifts, technological advancements, and regulatory changes.
Enterprise Risk Management (ERM): A holistic approach that
integrates risk management across the entire organization,
focusing on both internal and external risks.
Risk Management Process:
• Risk Identification: Identify potential risks that
could impact the organization.
• Risk Analysis: Analyze the likelihood and potential
impact of identified risks.
• Risk Prioritization: Prioritize risks based on their
likelihood and impact, focusing on the most
critical risks.
• Risk Treatment: Develop and implement strategies
to mitigate or minimize the impact of identified
risks.
• Risk Monitoring: Continuously monitor and review
the effectiveness of risk management strategies
Phases of Risk Management (Project Life Cycle):
• Initiation: Identify potential risks early in the project.
• Planning: Develop a risk management plan and
identify specific risks.
• Execution: Implement risk mitigation strategies and
monitor risks.
• Monitoring and Controlling: Continuously monitor
risks and adjust plans as needed.
• Closure/Handover: Document lessons learned and
ensure all risks are addressed.
Qualitative and quantitative risk analysis

In project management, qualitative risk analysis uses subjective
judgment to assess and prioritize risks, while quantitative risk
analysis employs numerical data and statistical techniques to
quantify the impact of risks on project objectives.
Qualitative Risk Analysis:

• Purpose:
• To identify, assess, and prioritize risks based on their probability and
impact using subjective judgment.
• Methods:
• Relies on expert judgment, brainstorming, and risk matrices to evaluate
risks.
• Output:
• A prioritized list of risks, often categorized as high, medium, or low,
based on their likelihood and impact.
• Tools:
• Risk register, risk matrices, and other tools that facilitate the
identification and prioritization of risks.
• When to use:
• When data is limited, risks are complex or ambiguous, or when a quick
overview of risks is needed.
Quantitative Risk Analysis:

• Purpose:
• To quantify the potential impact of risks on project objectives, using
numerical data and statistical techniques.
• Methods:
• Employs techniques like Monte Carlo simulation, sensitivity analysis,
and decision tree analysis.
• Output:
• Numerical estimates of the potential impact of risks on project cost,
schedule, and other objectives.
• Tools:
• Specialized software, statistical models, and data analysis tools.
• When to use:
• When sufficient data is available, risks have a significant impact on
project objectives, or when a more precise assessment of risk is needed.
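
Worked example (added here, not part of the original slides): both analyses carried through on one small risk register. The register entries, the 3x3 matrix thresholds and the function names are assumptions made for illustration; the qualitative step rates each risk high/medium/low, and the quantitative step runs a Monte Carlo simulation of total cost exposure.

```python
import random
import statistics

# Constructed sample risk register (illustrative values, not from the slides):
# (name, probability of occurring, (min, most likely, max) cost impact)
RISKS = [
    ("Key developer leaves",       0.10, (20_000, 40_000, 90_000)),
    ("Third-party API changes",    0.30, (5_000, 10_000, 30_000)),
    ("Requirements churn",         0.60, (10_000, 25_000, 50_000)),
    ("Security defect found late", 0.20, (15_000, 30_000, 120_000)),
]

def qualitative_rating(prob, likely_cost):
    """Qualitative step: place the risk on a 3x3 matrix (thresholds are assumed)."""
    likelihood = 1 if prob < 0.2 else 2 if prob < 0.5 else 3
    severity = 1 if likely_cost < 15_000 else 2 if likely_cost < 35_000 else 3
    score = likelihood * severity
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def expected_loss(risks):
    """Analytic expectation: probability x mean of the triangular impact."""
    return sum(p * (lo + ml + hi) / 3 for _, p, (lo, ml, hi) in risks)

def simulate(risks, trials=20_000, seed=1):
    """Quantitative step: Monte Carlo simulation of total cost exposure."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for _, prob, (lo, ml, hi) in risks:
            if rng.random() < prob:                  # does the risk occur?
                total += rng.triangular(lo, hi, ml)  # sample its cost impact
        totals.append(total)
    totals.sort()
    return {
        "mean": statistics.fmean(totals),
        "p50": totals[trials // 2],
        "p90": totals[int(trials * 0.9)],  # cost not exceeded in ~90% of trials
    }

if __name__ == "__main__":
    for name, prob, (_, ml, _) in RISKS:
        print(f"{name:28s} {qualitative_rating(prob, ml)}")
    print(f"expected loss: {expected_loss(RISKS):,.0f}")
    print(simulate(RISKS))
```

The simulated mean converges on the analytic expected loss, while the p90 figure shows the tail that a single probability-times-impact number hides.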
