What is 'Software Quality Assurance'?
QA involves the entire software development PROCESS - monitoring and improving
the process, making sure that any agreed-upon standards and procedures are followed,
and ensuring that problems are found and dealt with. It is oriented to 'prevention'.
What is 'Software Testing'?
involves operation of a system or application under controlled conditions and
evaluating the results (eg, 'if
the user is in interface A of the application while using hardware B, and does
C, then D should happen'). The
controlled conditions should include both normal and abnormal conditions.
Testing should intentionally attempt to make things go wrong to determine if
things happen when they shouldn't or
things don't happen when they
should. It is oriented to 'detection'.
vary considerably in how they assign responsibility for QA and testing.
Sometimes they're the combined
responsibility of one group or individual. Also common are project teams that
include a mix of testers and developers who work closely together, with overall
QA processes monitored by project managers. It will depend on what best fits an
organization's size and business
How can new Software QA
processes be introduced in an existing organization?
lot depends on the size of the organization and the risks involved. For large
organizations with high-risk (in terms of lives or money) projects, serious
management buy-in is required and a formalized QA process is necessary.
the risk is lower, management and organizational buy-in and QA implementation
may be a slower, step-at-a-time process. QA processes should be balanced with
productivity so as to keep bureaucracy from getting out of hand.
small groups or projects, a more ad-hoc process may be appropriate, depending
on the type of customers and projects. A lot will depend on team leads or
managers, feedback to developers, and ensuring adequate communications among
customers, managers, developers, and testers.
all cases the most value for effort will be in requirements management
processes, with a goal of clear, complete, testable requirement specifications.
What is verification? validation?
typically involves reviews and meetings to evaluate documents, plans, code,
requirements, and specifications. This can be done with checklists, issues
lists, walkthroughs, and inspection meetings. Validation typically involves
actual testing and takes place after verifications are completed. The term 'IV & V'
refers to Independent Verification and Validation.
What is a 'walkthrough'?
is an informal meeting for evaluation or informational purposes. Little or no
preparation is usually required.
What's an 'inspection'?
inspection is more formalized than a 'walkthrough', typically with 3-8 people including a moderator,reader (the author of whatever is being reviewed), and a recorder to take
notes. The subject of the inspection is typically a document such as a requirements spec or a test plan, and the purpose is to find problems and see what's missing, not to fix anything. Attendees should prepare for this type of meeting by reading thru the document; most problems will be found during this preparation. The result of the inspection meeting should be a written report. Thorough preparation for inspections is difficult, painstaking work, but is one of the most cost
effective methods of ensuring quality. Employees who are most skilled at
inspections are like the 'eldest
brother' in the parable in 'Why is it often hard for management to get serious about
quality assurance?'. Their skill may have low visibility but they are extremely
valuable to any software development organization, since bug prevention is far
more cost effective than bug detection.
What kinds of testing
should be considered?
box testing - not based on any knowledge of internal design or code. Tests are
based on requirements and functionality.
box testing - based on knowledge of the internal logic of an application's code. Tests are based on coverage of code
statements, branches, paths, conditions.
unit testing - the most 'micro' scale of testing; to test particular functions or
code modules. Typically done by the programmer and not by testers, as it
requires detailed knowledge of the internal program design and code. Not always
easily done unless the application has a well-designed architecture with tight
code; may require developing test driver modules or test harnesses.
integration testing - continuous testing of an application as new functionality
is added; requires that various aspects of an application's
functionality be independent enough to work separately before all parts of the
program are completed, or that test drivers be developed as needed; done by
programmers or by testers.
integration testing - testing of combined parts of
an application to determine if they function together correctly. The 'parts'
can be code modules, individual applications, client and server applications on
a network, etc. This type of testing is especially relevant to client/server
and distributed systems.
functional testing - black-box type testing geared
to functional requirements of an application; this type of testing should be
done by testers. This doesn't mean
that the programmers shouldn't check
that their code works before releasing it (which of course applies to any stage
testing - black-box type testing that is based on overall requirements
specifications; covers all combined parts of a system.
testing - similar to system testing; the 'macro' end of the test scale; involves testing of a
complete application environment in a situation that mimics real-world use,
such as interacting with a database, using network communications, or
interacting with other hardware, applications, or systems if appropriate.
sanity testing - typically an initial testing effort
to determine if a new software version is performing well enough to accept it
for a major testing effort. For example, if the new software is crashing
systems every 5 minutes, bogging down systems to a crawl, or destroying
databases, the software may not be in a 'sane' enough condition to warrant further testing in its
regression testing - re-testing after fixes or
modifications of the software or its environment. It can be difficult to
determine how much re-testing is needed, especially near the end of the
development cycle. Automated testing tools can be especially useful for this
type of testing.
acceptance testing - final testing based on
specifications of the end-user or customer, or based on use by
end-users/customers over some limited period of time.
load testing - testing an application under heavy
loads, such as testing of a web site under a range of loads to determine at
what point the system's response
time degrades or fails.
stress testing - term often used interchangeably with 'load'
and 'performace' testing. Also used to describe such tests as
system functional testing while under unusually heavy loads, heavy repetition
of certain actions or inputs, input of large numerical values, large complex
queries to a database system, etc.
performance testing - term often used interchangeably
testing. Ideally 'performance' testing (and any other 'type' of testing) is defined in requirements
documentation or QA or Test Plans.
usability testing - testing for 'user-friendliness'.
Clearly this is subjective, and will depend on the targeted end-user or
customer. User interviews, surveys, video recording of user sessions, and other
techniques can be used. Programmers and testers are usually not appropriate as
install/uninstall testing - testing of full,
partial, or upgrade install/uninstall processes.
recovery testing - testing how well a system
recovers from crashes, hardware failures, or other catastrophic problems.
security testing - testing how well the system
protects against unauthorized internal or external access, willful damage, etc;
may require sophisticated testing techniques.
compatability testing - testing how
well software performs in a particular hardware/software/operating
acceptance testing - determining if software is stisfactory to a customer.
comparison testing - comparing software weaknesses
and strengths to competing products.
alpha testing - testing of an application when
development is nearing completion; minor design changes may still be made as a
result of such testing. Typically done by end-users or others, not by
programmers or testers.
beta testing - testing when development and testing
are essentially completed and final bugs and problems need to be found before
final release. Typically done by end-users or others, not by programmers or
What are 5 common
problems in the software development process?
poor requirements - if requirements are unclear,
incomplete, too general, or not testable, there will be problems.
unrealistic schedule - if too much work is crammed
in too little time, problems are inevitable.
inadequate testing - no one will know whether or
not the program is any good until the customer complains or systems crash.
featuritis - requests to pile on
new features after development is underway; extremely common.
miscommunication - if developers don't know what's
needed or customer's have erroneous
expectations, problems are guaranteed.
What are 5 common
solutions to software development problems?
solid requirements - clear, complete, detailed,
cohesive, attainable, testable requirements that are agreed to by all players.
Use prototypes to help nail down requirements.
realistic schedules - allow adequate time for
planning, design, testing, bug fixing, re-testing, changes, and documentation;
personnel should be able to complete the project without burning out.
adequate testing - start testing early on,
re-test after fixes or changes, plan for adequate time for testing and
stick to initial requirements as much as possible -
be prepared to defend against changes and additions once development has begun,
and be prepared to explain consequences. If changes are necessary, they should
be adequately reflected in related schedule changes. If possible, use rapid
prototyping during the design phase so that customers can see what to expect.
This will provide them a higher comfort level with their requirements decisions
and minimize changes later on.
- require walkthroughs and inspections when appropriate; make extensive use of
group communication tools - e-mail, groupware, networked bug-tracking tools and
change management tools, intranet capabilities, etc.; insure that documentation
is available and up-to-date - preferably electronic, not paper; promote
teamwork and cooperation; use protoypes early on so
that customers' expectations are
What is software 'quality'?
software is reasonably bug-free, delivered on time and within budget, meets
requirements and/or expectations, and is maintainable. However, quality is
obviously a subjective term. It will depend on who the 'customer' is and their overall influence in the scheme of
things. A wide-angle view of the 'customers' of a software development project might include
end-users, customer acceptance testers, customer contract officers, customer
management, the development organization's
management/accountants/testers/salespeople, future software maintenance
engineers, stockholders, magazine columnists, etc. Each type of 'customer'
will have their own slant on 'quality' - the accounting department might define quality
in terms of profits while an end-user might define quality as user-friendly and
What is 'good code'?
'Good code' is code that works, is bug free, and is readable
and maintainable. Some organizations have coding 'standards' that all developers are supposed to adhere to, but
everyone has different ideas about what's
best, or what is too many or too few rules. There are also various theories and
metrics, such as McCabe Complexity metrics. It should be kept in mind that
excessive use of standards and rules can stifle productivity and creativity. 'Peer reviews',
code analysis tools, etc. can be used to check for problems and enforce
C and C++ coding, here are some typical ideas to consider in setting
rules/standards; these may or may not apply to a particular situation:
minimize or eliminate use of global variables.
descriptive function and method names - use both upper and lower case, avoid
abbreviations, use as many characters as necessary to be adequately descriptive
(use of more than 20 characters is not out of line); be consistent in naming
descriptive variable names - use both upper and lower case, avoid abbreviations,
use as many characters as necessary to be adequately descriptive (use of more
than 20 characters is not out of line); be consistent in naming conventions.
function and method sizes should be minimized;
less than 100 lines of code is good, less than 50 lines is preferable.
function descriptions should be clearly spelled
out in comments preceding a function's
organize code for readability.
whitespace generously - vertically and horizintally
each line of code should contain 70 characters max.
one code statement per line.
coding style should be consistent throught
a program (eg, use of brackets, indentations, naming
adding comments, err on the side of too many rather than too few comments; a
common rule of thumb is that there should be at least as many lines of comments
(including header blocks) as lines of code.
no matter how small, an application should include
documentaion of the overall program function and flow
(even a few paragraphs is better than nothing); or if possible a separate flow
chart and detailed program documentation.
make extensive use of error handling procedures and
status and error logging.
for C++, to minimize complexity and increase
maintainability, avoid too many levels of inheritance in class heirarchies (relative to the size and complexity of the
application). Minimize use of multiple inheritance,
and minimize use of operator overloading (note that the Java programming
language eliminates multiple inheritance and operator overloading.)
for C++, keep class methods small, less than 50
lines of code per method is preferable.
C++, make liberal use of exception handlers
What is 'good design'?
'Design' could refer to many things, but often refers to 'functional design'
or 'internal design'. Good internal design is indicated by software
code whose overall structure is clear, understandable, easily modifiable, and
maintainable; is robust with sufficient error-handling and status logging
capability; and works correctly when implemented. Good functional design is
indicated by an application whose functionality can be traced back to customer
and end-user requirements.
programs that have a user interface, it's
often a good idea to assume that the end user will have little computer knowledge
and may not read a user manual or even the on-line help; some common
program should act in a way that least surprises the user
should always be evident to the user what can be done next and how to exit
the program shouldn't
let the users do something stupid without warning them.
What is SEI? CMM? ISO? IEEE?
ANSI? Will it help?
= 'Software Engineering Institute' at Carnegie-Mellon
University; initiated by
the U.S. Defense Department to help improve software development processes.
= 'Capability Maturity Model', developed by the SEI. It's
a model of 5 levels of organizational 'maturity' that determine effectiveness in delivering quality
software. It is geared to large organizations such as large U.S. Defense Department
contractors. However, many of the QA processes involved are appropriate to any
organization, and if reasonably applied can be helpful. Organizations can
receive CMM ratings by undergoing assessments by qualified auditors.
Level 1 - characterized by chaos, periodic panics, and heroic efforts required by individuals to successfully complete projects. Few if any processes in place; successes may not be repeatable.
Level 2 - software project tracking, requirements management,
realistic planning, and configuration management
processes are in place; successful practices can
Level 3 - standard software development and maintenance
processes are integrated throughout an organization;
a Software Engineering Process Group is is in place
to oversee software processes, and training programs
are used to ensure understanding and compliance.
Level 4 - metrics are used to track productivity, processes,
and products. Project performance is predictable,
and quality is consistently high.
Level 5 - the focus is on continouous process improvement. The
impact of new processes and technologies can be
predicted and effectively implemented when required.
= 'International Organisation
for Standards' - The ISO 9001, 9002,
and 9003 standards concern quality systems that are assessed by outside
auditors, and they apply to many kinds of production and manufacturing
organizations, not just software. The most comprehensive is 9001, and this is
the one most often used by software development organizations. It covers
documentation, design, development, production, testing, installation,
servicing, and other processes. ISO 9000-3 (not the same as 9003) is a
guideline for applying ISO 9001 to software development organizations. The U.S. version of
the ISO 9000 series standards is exactly the same as the international version,
and is called the ANSI/ASQ Q9000 series. The U.S. version can be purchased
directly from the ASQ (American Society for Quality) or the ANSI organizations.
To be ISO 9001 certified, a third-party auditor assesses an organization, and
certification is typically good for about 3 years, after which a complete
reassessment is required. Note that ISO 9000 certification does not necessarily
indicate quality products - it indicates only that documented processes are
= 'Institute of Electrical and
Electronics Engineers' - among other
things, creates standards such as 'IEEE
Standard for Software Test Documentation'
(IEEE/ANSI Standard 829), 'IEEE
Standard of Software Unit Testing (IEEE/ANSI Standard 1008), 'IEEE Standard for Software Quality Assurance Plans' (IEEE/ANSI Standard 730), and others.
= 'American National Standards
Institute', the primary industrial
standards body in the U.S.;
publishes some software-related standards in conjunction with the IEEE and ASQ
(American Society for Quality).
software development process assessment methods besides CMM and ISO 9000
include SPICE, Trillium, TickIT.
What is the 'software life cycle'?
life cycle begins when an application is first conceived and ends when it is no
longer in use. It includes aspects such as initial concept, requirements
analysis, functional design, internal design, documentation planning, test
planning, coding, document preparation, integration, testing, maintenance,
updates, retesting, phase-out, and other aspects.