Tests prioritization Tor Stålhane How to prioritize There are several ways to prioritize tests. We will however, focus on risk based prioritization. This lecture will cover • An introduction to risk assessment • How to use risk as a prioritization mechanism for tests • A small example Risk-Based Testing Risk-based testing is not a new concept. Most companies that develop or buy software think risk, albeit often in an unstructured, undocumented manner. Only companies with a tradition for using risk analysis will use systematic methods for handling risk through analysis and testing. Risk and stakeholders Risk has only meaning as a relationship between a system and its environment. Thus, what is a risk and how important it is, will vary from stakeholder to stakeholder. While the probability of an event is a system characteristic, the consequences will vary. Thus, we need to identify all stakeholders before we start to discuss and analyze risk. Stakeholders - 1 We have two main groups of stakeholders, each with their own concerns if a risk is allowed to become a problem, e.g.: • Customers: lose money, either directly – e.g. an expensive failure – or indirectly – losing business. • The company that develops the system: lose business – e.g. lose marked shares. Stakeholders - 2 All stakeholders must be involved in the risk assessment process. They will have different areas of expertise and experience. Thus, the methods we use must be simple to: • Use – no long training period needed. • Understand – people don’t have confidence in something they don’t understand. Risk identification We start with the system’s use cases. Prepare the use case diagram for the function to be analyzed. Each participant should familiarize himself with the use case diagram. Start with a warm-up exercise, for instance going through results from previous risk identification processes. The warm-up exercise will help us to clear up misunderstandings and agree on a common process Use case – high level example Review Treatment Plan Review Drug Data Doctor Review Documents Review Diagnoses Order Tests Lab Send Test Results Use case – detailed example Update existing schedule Create new schedule Re(schedule) train conflicting schedules Control center operator <<extends>> Change the schedule of a train <<extends>> Change the schedule of a track maintenance activity Risk identification from use cases For each function we need to consider: • How can this function fail? Identifies failure modes and what part of the code will contribute to this failure mode. • What is the probability that there are defects in this part of the code? • Which consequences can this failure have for the stakeholders? • Document results in a consequence table. • Assess the severity of each failure mode. Consequence Table Subsystem: Function What the user wants to achieve Failure mode description How the function may fail Consequences Code involved System parts involved. How likely is it that they will cause the failure mode User Cust. Dev. Risk assessment - 1 Even though risk assessment is a subjective activity it is not about throwing out any number that you like. To be useful, a risk assessment must be • Based on relevant experience. • Anchored in real world data. • The result of a documented and agreed-upon process. 12 Risk assessment - 2 Risk assessment uses the participants’ experience and knowledge to answer questions such as • Can this really happen; e.g. has it happened before? • Can we describe a possible cause consequence chain for the event? • How bad can it get? • How often has this happened in the past? 13 How to make an assessment We will look at the two main methods for risk assessment: • Qualitative risk assessment based on – The probability / consequence matrix – The GALE (Globally At Least Equivalent) method • Quantitative risk assessment based on the CORAS model Qualitative assessment We can assess consequences, probabilities and benefits qualitatively in two ways. We can use: • Categories – e.g. High, Medium and Low • Numbers – e.g. values from 1 to 10. Note that this does not make the assessment quantitative – it is just another way to document the assessments. 15 Categories – 1 When using categories, it is important to give a short description for what each category implies. E.g. it is not enough to say “High consequences”. We must relate it to something already known, e.g. • Project size • Company turn-over • Company profit 16 Categories – 2 Two simple examples: • Consequences: we will use the category “High” if the consequence will gravely endanger the profitability of the project. • Probability: we will use the category “Low” if the event can occur but only in extreme cases. 17 Consequences and probability - 1 Consequences Probability H M L H M L H H M H M L M L L 18 Consequences and probability - 2 The multiplication table is used to rank the risks. It can not tell us how large they are. In the general case, we should only use resources on risks that are above a certain, predefined level. 19 The GALE method The GALE method is a method for making decision about introducing or not introducing a change in e.g. a process or construction. We will, however, only use the scoring scheme for risk assessment. The scoring scheme focuses on deviations from current average. This is reasonable, given that it is mainly concerned with comparing status quo to a new situation. 20 The GALE risk index The GALE risk index is computed based on our assessment of an incident’s • Frequency score – how often will the event occur. The event here is a defect that has not been removed. • Probability score – what is the probability that the event will cause a problem • Severity score – how serious is the problem. The risk index I = FE + PE + S Frequency score for event Frequency class Occurrences per project FE Very frequent 200 Every project 6 Frequent 100 Every few projects 5 Probable 40 Every 10th project 4 Occasional 10 Every 100th project 3 Remote 1 A few times in the company’s lifetime 2 Improbable 0.2 One or two times during the company’s lifetime 1 Incredible 0.01 Once in the company’s lifetime 0 22 Probability score for problem Classification Interpretation PE Probable It is probable that this event, if it occurs, will cause a problem 3 Occasional The event, if it occurs, will occasionally cause a problem 2 Remote There is a remote chance that this event, if it occurs, will cause a problem It is improbable that this event, if it occurs, will cause a problem Improbable 1 0 23 Severity score for event Severity class Severe Average Minor Interpretation The portion of occurring problems that have serious consequences is much larger than average The portion of occurring problems that have serious consequences is similar to our average The portion of occurring problems that have serious consequences is much lower than average S 2 1 0 24 The CORAS model – 1 CORAS was developed as a framework for assessment of security risks. What should concern us here, however, is how they related the qualitative risk categories, not to absolute values, but to the company’s turnover. 25 The CORAS model – 2 Quantitative risks and opportunities give us real values. The usefulness of this is, however, limited since it is • Difficult to find real values for all risks. • Not obvious how we can compare qualitative and quantitative risks. When we use the CORAS tables it is important to remember that developers, customers and users will have different values – e.g. different company incomes. 26 The CORAS consequence table Consequence values Category Measured related to income Measured loss due to impact on business Insignificant Minor Moderate Major Catastrophic 0.0 – 0.1% 0.1 – 1.0% 1 – 5% 5 – 10% 10 – 100% Lost profits Reduce the resources of one or more departments Loss of a couple of customers Close down departments or business sectors No impact on business. Minor delays Out of business 27 The CORAS frequency table - 1 As we will see on the next slide, CORAS allows us to interpret frequency in two ways: • The number of unwanted incidents per year – e.g. the number of times a function will fail. • The failing portion of demands – e.g. number of service demands to a system. 28 The CORAS frequency table - 2 Frequency values Category Rare Unlikely Possible Likely Almost certain Number of unwanted incidents per Year 1/100 1/100 – 1/50 1/50 - 1 1 - 12 > 12 Number of unwanted incidents per demand 1/1000 (1/500) 1/50 (1/25) 1/1 Each five times the system is used Each tenth time the system is used Every second time the system is used Interpretation of number of demands Unwanted incident never occurs Each thousand time the system is used 29 An alternative consequence table We have been introducing risk based testing in a Norwegian company that develop software that is used in health care. This company have made a table including: • Service receiver – the patient • Service provider – the hospital • Developing company – e.g. the software developers Consequence Levels Consequence level High – 3 Medium – 2 Low – 1 Service receiver Service provider One person killed or several persons seriously injured Several persons killed or many seriously injured Bad press Lose customer One person seriously injured User looks bad to his superior(s) or large sums lost Dissatisfied customers or users Minor irritant, small amount of money lost or wasted - Minor irritant Developing company Earlier test experiences – Worry list Testing is a sampling process. Thus, if we find a lot of defects in a component or sub-system, we should conclude that this component has many defects. The conclusion will not necessarily be the same if we conclude based on an inspection. The Worry List Consequences High (3) Number of errors registered High 10 Medium 3–9 Low 0-2 Medium (2) Low (1) Testing and resources We will always have limited resources for testing. This is made worse by the fact that testing often starts late in the project We make best use of the available resources by trying to minimize the total system-related risk. Risk-Based Testing – 1 Risk-based testing has the following steps • Identify how the product interact with its environment. This is necessary to understand failure consequences • Identify and rank risks – probability and consequence. If this is a white box or grey box test we should also identify possible causesevent chains to understand the failure mechanisms. Risk-Based Testing – 2 • Define tests that can be used to ensure that the code defect probability is low. – Black box test – apply e.g. random testing or domain testing. – White box or grey box test – make sure all identified cause-event chains are exercised. • Run the tests – highest risk first ATM example – 1 ATM example – 2 Subsystem: ATM transaction Function Failure mode description Consequences Code involved User Cust Dev. Withdrawal Withdraw more than allowed Wrong amount registered Wrong account W-1, M-1 Acc-1, M-1 Acc-2 L H L M H H H H H Deposit Wrong amount registered Wrong account M-1, V-1 Acc-2 H H H H H H Inquiry Wrong account Wrong value returned Acc-2, V-1 V-1, M-1 M M L M M M ATM example – 3 Frequency class Occurrences per project FE Very Frequent 200 Every project Frequent 100 Every few projects 5 Probable 40 Every 10th project 4 Occasional 10 Every 100th project 3 Remote 1 A few times in the company’s lifetime 2 Improbable 0.2 One or two times during The company’s lifetime 1 Incredible 0.01 Once in the company’s lifetime 0 Function Deposit – wrong amount registered Inquiry – wrong account 6 Classification Interpretation PE Probable It is probable that this event, if it occurs, will cause a problem 3 Occasional The event, if it occurs, will occasionally cause a problem 2 Remote There is a remote chance that this event, if it occurs, will cause a problem 1 It is improbable that this event, if it occurs, will cause a problem 0 Improbable Components S FE PE I M-1, V-1 2 4 3 9 Acc-2, V-1 1 3 2 6