ieee 1540 - software engineering risk management: measurement-based life cycle

IEEE 1540 - SoftwareEngineering Risk Management:Measurement-Based Life Cycle

Risk ManagementPSM 2001 Aspen, Colorado

Paul R. CrollChair, IEEE SESC

Computer Sciences [email protected]

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 2

Objectives

l Describe Risk Management in the context of alife cycle process framework

l Describe IEEE 1540’s Risk Managementprocess model and process requirements

l Describe other Standards that complementIEEE 1540 in managing risk in the acquisitionand engineering of software intensive systems


Risk Management (RM) inthe Life Cycle Context

l An organizational life cycle processu responsibility of the organization using the process

u the organization ensures that the process exists andfunctions

l IEEE Standard 1540 assumes that the othermanagement and technical processes ofIEEE/EIA 12207 perform the treatment of risk


LIFE CYCLE

TAILORING

CONFIGURATION MANAGEMENTDOCUMENTATION

QUALITY ASSURANCEVERIFICATION

VALIDATIONJOINT REVIEW

AUDITPROBLEM RESOLUTION

PRIMARY

DEVELOPMENTOPERATION

MAINTENANCE

ACQUISITION

SUPPLY

ORGANIZATIONALMANAGEMENT

INFRASTRUCTUREIMPROVEMENT

TRAINING

SUPPORTING

Source: Singh97

IEEE/EIA 12207 Life CycleProcess Tree

Risk Management touched on in 12207

Risk Management focused on in 12207


Risk Management Objectivesin IEEE/EIA 12207

l Sprinkled throughout the Acquisition, Supply,Development, Operation, Verification, Joint Review,Problem Resolution, and Tailoring Processes

l Focused on in Management Process objectivesu Determine scope of risk management to be performed

u Identify risks to the project as they develop

u Analyze risks

u Determine mitigation priority

u Define, implement and assess mitigation strategies

u Define, apply and assess risk metrics


IEEE/EIA 12207 ProcessInteractions

Source: Singh97

ACQ - ACQUISITION.SUB - SUBCONTRACTOR

E - EXECUTE

F - FEEDBACK

M - MANAGE

P - PARTICIPATE

T - TASK

U - USE

E:N - EXECUTE THEPROCESS NUMBERED N

PDCA

FM

INFRASTRUCTURE TRAININGIMPROVEMENTMANAGEMENT

ORGANIZATION

MAINTENANCE

DEVELOPMENT

OPERATION

E: 2,3

E: 1,2,3

E: 3

QAE: 3

SUPPLYU: 4T

ACQUISITIONU: 4 E

FFFF

V&VE: 3

PROJECT

E

AUDIT

P

E

(T)E

E: 3

JOINTREVIEW

E: 3

T

U

U

CM PROBLEMRESOLUTION

DOCUMENTATION TAILORINGE

E

E

E

P

T

E: ACQT: SUB

(I)V&VE: 3

1 2 3 4


IEEE/EIA 12207 ProcessRoles

• Management • Improvement • Training• Infrastructure

ORGANIZATIONAL PROCESSES

ACQUISITION PROCESS

PROCESSDEVELOPMENT

PROCESS

SUPPLY PROCESS

OPERATION PROCESS

employemploy

use

contract

employ

use

MAINTENANCE

employ

employ

employ

employ

EMPLOYER

SUPPORTINGPROCESSES

OFSUPPORTINGROLE

MANAGERORGANIZATIONALROLE

• OPERATOR• USER

OPERATINGROLE

ACQUIRERACQUISITIONROLE

SUPPLIERSUPPLYROLE

• DEVELOPER• MAINTAINER

ENGINEERINGROLE

PR

ES

S

OC

SE

SUPPORTING

• Documentation • Validation

• Problem resolution• Verification

• Configuration management • Joint review• Quality assurance • Audit

Source: Singh97


Risk Management ProcessOverview

Improvement Actions

Feedback

Plan andImplement

RiskManagement

Evaluate the RiskManagement

Process

Project Risk Profile and Risk Action Requests

Project Risk Profile

Management Decisions

Technical and

Management Processes

Perform Risk Treatment

Information Needs

Managethe

ProjectRisk Profile

Perform RiskAnalysis

Perform RiskMonitoring

�

�

�

�

�

�

�

Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.



Improvement Actions

Feedback

Plan andImplement

RiskManagement


Process




Technical and



Information Needs

Managethe

ProjectRisk Profile



�

�

�

�

�

�

�


l Define the information requirementsfor RM

– information needed and priority– risk areas of concern– RM policies required– risk acceptability thresholds

l Make decisions regarding risksl Make recommendations forimproving the RM process

measurement focus



Improvement Actions

Feedback

Plan andImplement

RiskManagement


Process




Technical and



Information Needs

Managethe

ProjectRisk Profile



�

�

�

�

�

�

�


l Establish RM policies to support informationrequired by decision makers

– how RM is to be performed– tools or techniques to be used– how RM activities will be coordinated– how risk is to be communicated

l Establish the RM process l Establish responsibility for RMl Assign RM resourcesl Establish RM process evaluation

measurement focus



Improvement Actions

Feedback

Plan andImplement

RiskManagement


Process




Technical and



Information Needs

Managethe

ProjectRisk Profile



�

�

�

�

�

�

�


l Create a consistent current and historical viewof the risks present and their treatment l Define the technical and managerial riskmanagement context

– risks areas of concern– stakeholder(s) perspective(s)– objectives, assumptions and constraints

l Establish risk thresholdsl Establish and maintain the project risk profilel Communicate risk status to stakeholders

measurement focus



Improvement Actions

Feedback

Plan andImplement

RiskManagement


Process




Technical and



Information Needs

Managethe

ProjectRisk Profile



�

�

�

�

�

�

�


l Identify risks defined by RM contextl Estimate risk likelihood and consequencesl Evaluate and prioritize the risks and theirinteractions against thresholdsl Recommend risk treatment where applicablel Document in risk action request

– measures of treatment effectiveness– contingency plans

measurement focus



Improvement Actions

Feedback

Plan andImplement

RiskManagement


Process




Technical and



Information Needs

Managethe

ProjectRisk Profile



�

�

�

�

�

�

�


l Management evaluates risk action requestsand determines acceptability of risksl If risk reduction actions are to be taken,management selects, plans, monitors, andcontrols treatment to decrease risk exposure



Improvement Actions

Feedback

Plan andImplement

RiskManagement


Process




Technical and



Information Needs

Managethe

ProjectRisk Profile



�

�

�

�

�

�

�


l Once a risk treatment has been selected– if a 12207 Life Cycle Process is employed,

+ risk treatment is managed using the problemmanagement approach of the Management Process

– if a non-12207 Life Cycle Process is employed,+ a detailed Risk Treatment Plan must be developedand implemented



Improvement Actions

Feedback

Plan andImplement

RiskManagement


Process




Technical and



Information Needs

Managethe

ProjectRisk Profile



�

�

�

�

�

�

�


l Review and update individual riskstates and the management contextl Assess effectiveness of risk treatmentsl Seek out new risks

measurement focus



Improvement Actions

Feedback

Plan andImplement

RiskManagement


Process




Technical and



Information Needs

Managethe

ProjectRisk Profile



�

�

�

�

�

�

�


l Capture RM information l Assess and improve the RM process

– collect RM information– assess the quality of the process– identify opportunities for improvement– provide feedback to management– make improvements to the process

l Generate lessons learned

measurement focus


IEEE 1540 andISO/IEC 15026

l ISO/IEC 15026:1998, InformationTechnology —System and Software IntegrityLevels

u Defines a process for establishing integrity levelsthat are used to contain risk within acceptablevaluesn the system integrity level reflects the worst case risk that

is associated with the as-designed systemn all appropriate risk dimensions are addressed

u Requires employment of a risk managementprocess


IEEE 1540 andISO/IEC 15939

l ISO/IEC 15939:FDIS, InformationTechnology —Software Measurement Process

u Identifies the activities and tasks that are necessaryto successfully identify, define, implement, andimprove a software measurement processn Two core activities

• Plan the Measurement Process• Perform the Measurement Process

n Two supporting activities

• Establish and Sustain Measurement Commitment• Evaluate Measurement


IEEE 1540 andISO/IEC 15939 - 2

l References to risk in ISO/IEC 15939u Plan the Measurement Process

n Identify Information Needs

u Annex A: The measurement information modeln Measurable Concept


IEEE 1540 and IEEE 1012

l IEEE Std 1012 -1998, IEEE Standard forSoftware Verification and Validation

u Uses integrity levels to determine appropriateV&V activities

u These integrity levels could be determined in thebaseline risk profile



l IEEE Std 1228 - 1994, IEEE Standard forSoftware Safety Plans

u Addresses planning for a software safety programthat provide a systematic approach to reducingsoftware risksn Requires that a risk assessment be performed to identify

potential safety risks

n Requires that risk treatment alternatives be addressed foruncontrolled risks



l IEEE Std 1058 -1998, IEEE Standard forSoftware Project Management Plans

u requires the specification of a risk managementplann identification, analysis and prioritization of project risk

factorsn procedures for contingency planning, risk monitoring, and

changes in risk status


IEEE 1540 andIEEE 982.1 and 982.2

l IEEE Std 982.1 -1988, IEEE StandardDictionary of Measures to Produce ReliableSoftware

u measures appropriate for use in risk management

l IEEE Std 982.2 -1988, IEEE Guide for theUse of IEEE Standard Dictionary of Measuresto Produce Reliable Software

u guidance regarding measures appropriate for use inrisk management


For more information . . .

Paul R. CrollComputer Sciences Corporation5166 Potomac DriveKing George, VA 22485-5824

Phone: +1 540.663.9251Fax: +1 540.663.0276

e-mail: [email protected]

For IEEE Standards:

http://standards.ieee.org/catalog/

For the IEEE Software Engineering Standards Committee:http://computer.org/standard/sesc/


Questions?


References

[IEEE 982.1] IEEE Std 982.1-1988, IEEE Standard Dictionary ofMeasures to Produce Reliable Software, Institute of Electricaland Electronics Engineers, Inc. New York, NY, 1988.

[IEEE 982.2] IEEE Std 982.2-1988, Guide for the Use of IEEEStandard Dictionary of Measures to Produce Reliable Software,Institute of Electrical and Electronics Engineers, Inc. New York,NY, 1988.

[IEEE 1012] IEEE Std 1012-1998, IEEE Standard for SoftwareVerification and Validation, Institute of Electrical andElectronics Engineers, Inc. New York, NY, 1998.

[IEEE 1228] IEEE Std 1228-1994, IEEE Standard for SoftwareSafety Plans, Institute of Electrical and Electronics Engineers,Inc. New York, NY, 1994.


References - 2

[IEEE 1058] IEEE Std 1058-1998, IEEE Standard for SoftwareProject Management Plans, Institute of Electrical and ElectronicsEngineers, Inc. New York, NY, 1998.

[IEEE 1540] IEEE Standard 1540-2001, IEEE Standard forSoftware Life Cycle Processes — Risk Management, Institute ofElectrical and Electronics Engineers, Inc. New York, NY, 2001.

[IEEE/EIA 12207] IEEE/EIA Standard 12207.0-1996, IndustryImplementation of International Standard ISO/IEC12207:1995— (ISO/IEC 12207) Standard for Information Technology—Software life cycle processes, Institute of Electrical andElectronics Engineers, Inc. New York, NY, 1998.

[Singh97] Raghu Singh, An Introduction to International StandardISO/IEC 12207, Software Life Cycle Processes, 1997.


References - 3

[ISO/IEC 15026:1998] ISO/IEC 15026:1998, InformationTechnology —System and Software Integrity Levels, ISO/IEC,1998.

[ISO/IEC 15939] ISO/IEC 15026:FDIS, Information Technology —Software Measurement Process, ISO/IEC, 2001.

[Singh97] Raghu Singh, An Introduction to International StandardISO/IEC 12207, Software Life Cycle Processes, 1997.

ieee 1540 - software engineering risk management: measurement-based life cycle

Documents