Reference Information for the Software Verification and Validation Process

[CAPRIO]

Caprio, William H., "The Tools for Quality," Total Quality Management Conference, Ft. Belvoir, Virginia, July 13-15, 1992.

[CONNOLLY]

Connolly, Brian, A Process for Preventing Software Hazards, Hewlett-Packard Journal, June 1993.

[DACS]

"Software Reliability Models," DACS Newsletter, Data & Analysis Center for Software, Volume X, Number 2, Summer, 1992.

[DAVENPORT]

Davenport, David, "Intelligent Systems: The Weakest Link?" Intelligent Systems: Safety, Reliability and Maintainability Issues, ed. by Okyay Kaynak, Ger Honderd and Edward Grant, New York: Springer-Verlag, 1992.

[DAZ]

D'az-Herrara, Jorge L, "Implications of Artificial Intelligence for Embedded Systems," Proceedings of the Software Technology Conference, Software Technology Support Center, 1995.

[DEMMY]

Demmy, W. Steven and Arthur B. Petrini, "Statistical Process Control in Software Quality Assurance," Proceedings of the 1989 National Aerospace and Electronics Conference, NAECON, May 22-26, 1989, Dayton, OH, IEEE, Inc.

[DUNN]

Dunn, Robert, Software Defect Removal, McGraw-Hill, Inc., 1984.

[EWICS3]

Bishop, P. G. (ed.), Dependability of Critical Computer Systems 3 - Techniques Directory, The European Workshop on Industrial Computer Systems Technical Committee 7 (EWICS TC7), Elsevier Science Publishers Ltd, 1990.

[FIPS101]

FIPS PUB 101, "Guideline for Lifecycle Validation, Verification, and Testing of Computer Software," U.S. Department of Commerce/National Bureau of Standards (U.S.), 1983 June 6.

[FIPS106]

FIPS PUB 106, "Guideline on Software Maintenance," U.S. Department of Commerce/National Bureau of Standards (U.S.), 1984 June 15.

[FIPS132]

FIPS PUB 132, "Guideline for Software Verification and Validation Plans," U.S. Department of Commerce/National Bureau of Standards (U.S.), 1987 November 19.

[FONER]

Foner, Leonard N., "What's An Agent, Anyway? A Sociological Case Study," Agents Group, MIT Media Lab, Agents Memo 93-01, 1993.

[FRAKES]

Frakes, William B. and Christopher J. Fox, Sixteen Questions about Software Reuse, Communications of the ACM, Vol. 38, No. 6, June 1995.

[FREEMAN]

Freeman, Peter, Tutorial: Software Reusability, IEEE Computer Society Press, Washington, D.C.,1987.

[FREEDMAN]

Freedman, David, Robert Pisani, and Roger Purves, Statistics , W.W. Norton & Company, Inc., New York, 1978.

[HOLLNAGEL]

Hollnagel, E., "The Intelligent Use of Intelligent Systems," Intelligent Systems: Safety, Reliability and Maintainability Issues, ed. by Okyay Kaynak, Ger Honderd and Edward Grant, Springer-Verlag, New York, 1992.

[HOOPER]

Hooper, James W. and Rowena O. Chester, Software Reuse Guidelines and Methods , Plenum Press, 1991.

[IEEE730]

ANSI/IEEE Std 730-1984, "Standard for Software Quality Assurance Plans," The Institute of Electrical and Electronics Engineers, Inc., 1984.

[IEEE982]

ANSI/IEEE Std 982.2-1988, "Guide for the Use of IEEE Standard Dictionary of Measures to Produce Reliable Software," The Institute of Electrical and Electronics Engineers Inc., June 1989.

[IEEE1012]

ANSI/IEEE Std 1012-1986, "IEEE Standard for Software Verification and Validation Plans," The Institute of Electrical and Electronics Engineers, Inc., February 10, 1987.

[IEEE1058]

ANSI/ IEEE Std 1058-1987, Standard for Software Project Management," The Institute of Electrical and Electronics Engineers, Inc., 1987.

[IEEE7432]

ANSI/IEEE Std 7432-1993, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," The Institute of Electrical and Electronics Engineers, Inc., 1993.

[IEEEP1059]

IEEE Std P1059-1994, "(DRAFT 7.1) IEEE Guide for Software Verification and Validation Plans," Institute of Electrical and Electronics Engineers, Inc., May 24, 1993.

[ISO12207]

ISO/IEC 12207, Information Technology-Software Life Cycle Processes, International Standards Organization/International Electrotechnical Commission, 22 February 1995.

[JOURNAL]

Journal of Systems and Software, Volume 30, Number 3, September, 1995.

[JURAN]

Juran, J. M. (ed.), Juran's Quality Control Handbook, 4th ed., McGraw-Hill, Inc., New York, 1988.

[KIRANI]

Kirani, Shekhar, I.A. Zualkernan, and W.T. Tsai, "Comparative Evaluation of Expert System Testing Methods," Proceedings of the 1992 IEEE Int. Conference on Tools with AI, IEEE Computer Society, 1992.

[KITCHENHAM]

Kitchenham, B. A. and B. Littlewood, Measurement for Software Control and Assurance, Elsevier Science Publishers Ltd, London and New York, 1989.

[KOHUT]

Kohout, L.J., J. Anderson and W. Bandler, Knowledge-Based Systems for Multiple Environments, Ashgate Publishing Co., Brookfield, VT, 1992.

[LEVESON93]

Leveson, Nancy G and Clark S. Turner, An investigation of the Therac-25 accidents, IEEE Computer, 26(7):18-41, July 1993.

[LEVESON95]

Leveson, Nancy G., Safeware: System Safety and Computers , Addison Wesley Publishing Company, 1995.

[LYLE]

Lyle, Jim, "Program Slicing," to be published in Encyclopedia of Software Engineering, John Wiley Publishing Co., New York, New York.

[LYU]

Lyu, Michael and Allen Nikora, "Applying Reliability Models More Effectively," IEEE Software, Vol. 9., No. 4, July 1992.

[MUSA87]

Musa, J.D., A. Iannino, and K. Okumoto, Software Reliability, Measurement, Prediction, Application, McGraw-Hill, New York, 1987.

[MUSA89]

Musa, J.D., and A.F. Ackerman, "Quantifying Software Validation: When to Stop Testing?" IEEE Software, May 1989.

[MYERS]

Myers, Glenford J., The Art of Software Testing, John Wiley & Sons, New York, 1979.

[NBS93]

NBS Special Publication 500-93, "Software Validation, Verification, and Testing Technique and Tool Reference Guide," U.S. Department of Commerce/National Bureau of Standards, (U.S.) September 1982.

[NGUYEN]

Nguyen, T.A., W.A. Perkins, T.J. Laffey, and D. Pecora, Knowledge Base Verification, AI Magazine, Summer 1987.

[NIST165]

NIST Special Publication 500-165, "Software Verification and Validation: Its Role in Computer Assurance and Its Relationship with Software Project Management Standards," U.S. Department of Commerce/National Institute of Standards and Technology, September 1989.

[NIST190]

NIST Special Publication 500-190, "Proceedings of the Workshop on High Integrity Software; Gaithersburg, MD; Jan. 22-23, 1991," U.S. Department of Commerce/National Institute of Standards and Technology, August 1991.

[NIST204]

NIST Special Publication 500-204, "High Integrity Software Standards and Guidelines," U.S. Department of Commerce/National Institute of Standards and Technology, September 1992.

[NIST209]

NIST Special Publication 500-209, "Software Error Analysis," U.S. Department of Commerce/National Institute of Standards and Technology, April 1993.

[NIST223]

NIST Special Publication 500-223, "A Framework for the Development and Assurance of High Integrity Software," U.S. Department of Commerce/National Institute of Standards and Technology, December 1994.

[NIST4909]

NISTIR 4909, "Software Quality Assurance: Documentation and Reviews," U.S. Department of Commerce/National Institute of Standards and Technology, September 1992.

[NIST5459]

NISTIR 5459, "Quality Characteristics and Metrics for Reusable Software (Preliminary Report)," U.S. Department of Commerce/National Institute of Standards and Technology, May 1994.

[NIST5589]

NISTIR 5589, "A Study on Hazard Analysis in High Integrity Software Standards and Guidelines," U.S. Department of Commerce/National Institute of Standards and Technology, January 1995.

[NUREG6316]

NUREG/CR-6316 (Volume 2), "Guidelines for the Verification and Validation of Expert System Software and Conventional Software (Survey and Assessment of Conventional Software Verification and Validation Methods)," U.S. Nuclear Regulatory Commission, March 1995.

[OKEEFE]

O'Keefe, Robert M. and Daniel E. O'Leary, "Expert System Verification and Validation," Artificial Intelligence Review: An International Survey and Tutorial Journal, Vol. 7, No. 1, February 1993.

[OLEARY]

O Leary, D.E. and N. Kandelin, Validating the Rule Weights in Rule-Based Expert Systems, International Journal of Expert Systems, Vol. 1, No. 3, 1988.

[OPMC]

The Organizational Process Management Cycle Programmed Workbook, Interaction Research Institute, Inc., Fairfax, Virginia.

[PAN]

Pan, Jeff Y.C. and Ja M. Tennenbaum, "An Intelligent Agent Framework for Enterprise Integration," IEEE Transactions on Systems, Man and Cybernetics, Vol. 21, No. 6, Nov./Dec., 1991.

[PREECE]

Preece, Alun D. and Rajjan Shinghal, Verifying and Testing Expert System Conceptual Models, IEEE International Conference on Systems, Man and Cybernetics, Vol. 1.

[RADATZ]

Radatz, J.W., "Analysis of IV&V Data," RADC-TR-81-145, Logicon, Inc., Rome Air Development Center, Griffiss AFB, NY, June 1981.

[ROOK]

Rook, Paul, Software Reliability Handbook, Elsevier Science Publishers Ltd, London and New York, 1990.

[RTCA178B]

RTCA/DO-178B, "Software Considerations in Airborne Systems and Equipment Certification," RTCA, Inc., December 16, 1992.

[SMITH]

Smith, Gary, Statistical Reasoning, Allyn and Bacon, Boston, MA, 1991.

[SQE]

"Software Measurement," Seminar Notebook, Version 1.2, Software Quality Engineering, 1991.

[SSR]

Proceedings of the Symposium on Software Reusability: SSR 95," Software Engineering Notes, ACM SIGSOFT, August 1995 .

[TANSLEY]

Tansley, D.S.W. and C.C. Hayball, Knowledge Based Systems Analysis and Design: A KADS Developers Handbook, Prentice Hall, New York, 1993.

[TRACZ]

Tracz, Will, Tutorial: Software Reuse: Emerging Technology , IEEE Computer Society Press, Los Alamitos, CA, 1990.

[TURING]

Turing, A.M., Computing Machinery and Intelligence, Mind, Vol.59, 1950.

[VOAS91]

Voas, J., L. Morell, and K. Miller, Predicting Where Faults Can Hide From Testing, IEEE Software, March 1991.

[VOAS92]

Voas, J., PIE: A Dynamic Failure-Based Technique, IEEE Transactions on Software Engineering, August, 1992.

[VOAS95]

Voas, J. and K. Miller, Software Testability: The New Verification, IEEE Software, May 1995.

[WALLACE91]

Wallace, D.R., D.R. Kuhn, and J.C. Cherniavsky, "Report on a Workshop on the Assurance of High Integrity Software," Proceedings of the Sixth Annual Conference on Computer Assurance (COMPASS 91), NIST, Gaithersburg, MD, June 24-27, 1991, The Institute of Electrical and Electronics Engineers, Inc., 1991.

[WALLACE94]

Wallace, Dolores R., "Verification and Validation," Encyclopedia of Software Engineering, Volume 2, John Wiley & Sons, Inc., 1994.

[WILEY]

Encyclopedia of Software Engineering, John Wiley & Sons, Inc., 1994.

[WING]

Wing, Jeannette M., "A Specifier's Introduction to Formal Methods," COMPUTER, September 1990.

[ZAGE]

Zage, Wayne M., Code Metrics and Design Metrics; An ACM Professional Development Seminar, November 19, 1991.

This appendix, condensed from [NIST209], identifies metrics related to software error detection, statistical process control (SPC) techniques, and several software reliability estimation models. Metrics are used to assess the product or process. SPC techniques are used to monitor a project by observing trends, and help to locate major problems in the software development process, the assurance processes (e.g., software quality assurance, software verification and validation (V&V) and the product itself. Software reliability estimation models provide information about the predicted performance of the software.

Error data from the V&V activities can be collected over the entire project and stored in an organizational database, for use with the current project or future projects. An organizational database may also play an important role in software reuse within an organization. In deciding whether or not to reuse a particular software unit, one can examine its error history to determine whether it satisfies the level of assurance required by the intended application. One can evaluate the component by observing its past failure rates and fault densities to ensure that the component is appropriate for reuse. A software component may sometimes be reused to build a system which is of a higher level of assurance than that in which the component was originally used. The database would provide data on the reliability or other quality attributes to help determine how much additional work is needed to increase the quality of the component to the desired level.

In this report, a metric is defined to be the mathematical definition, algorithm, or function used to obtain a quantitative assessment of a product or process. The actual numerical value produced by a metric is a measure. Thus, for example, cyclomatic complexity is a metric, but the value of this metric is the cyclomatic complexity measure.

Two general classes of metrics include the following:

• -- management metrics, which assist in the management of the software development process
• -- quality metrics, which are predictors or indicators of the product qualities

Management metrics can be used for controlling any industrial production or manufacturing activity. They are used to assess resources, cost, and task completion. Quality metrics are used to estimate characteristics or qualities of a software product. Some metrics may be both management metrics and quality metrics, i.e., they can be used for both project control and quality assessment.

A disadvantage of some metrics is that they do not have an interpretation scale which allows for consistent interpretation, as with measuring temperature (in degrees Celsius) or length (in meters). This is particularly true of metrics for software quality characteristics (e.g., maintainability, reliability, usability). Measures must be interpreted relatively, through comparison with plans and expectations, comparison with similar past projects, or comparison with similar components within the current project. While some metrics are mathematically-based, most, including reliability models, have not been proven.

Since there is virtually an infinite number of possible metrics, users must have some criteria for choosing which metrics to apply to their particular projects. Ideally, a metric should possess all of the following characteristics:

• -- simple - definition and use of the metric is simple
  
  
• -- objective - different people will give identical values; allows for consistency, and prevents individual bias
  
  
• -- easily collected - the cost and effort to obtain the measure is reasonable
  
  
• -- robust - metric is insensitive to irrelevant changes; allows for useful comparison
  
  
• -- valid - metric measures what it is supposed to; this promotes trustworthiness of the measure

Primitive metrics such as those listed below can be collected throughout software development. These metrics can be plotted using bar graphs, histograms, and Pareto charts as part of SPC. The plots can be analyzed by management to identify the activities that are most error prone, to suggest steps to prevent the recurrence of similar errors, to suggest procedures for earlier detection of faults, and to make general improvements to the software development process.

Primitive problem metrics
- Number of problem reports per activity, priority, category, or cause
- Number of reported problems per time period
- Number of open real problems per time period
- Number of closed real problems per time period
- Number of unevaluated problem reports
- Age of open real problem reports
- Age of unevaluated problem reports
- Age of real closed problem reports
- Time when errors are discovered
- Rate of error discovery

Primitive cost and effort metrics
- Time spent
- Elapsed time
- Staff hours
- Staff months
- Staff years

Primitive change metrics
- Number of revisions, additions, deletions, or modifications
- Number of requests to change the software requirements specification and/or software design

Primitive fault metrics
- Number of unresolved faults at planned end of activity
- Number of faults that have not been corrected, and number of outstanding change requests
- Number of software requirements and design faults detected during reviews and walkthroughs

The main reasons to measure software requirements specifications is to provide early warnings of quality problems, to enable more accurate project predictions, and to help improve the specifications.

Primitive size metrics. These metrics involve a simple count. Large components are assumed to have a larger number of residual errors, and are more difficult to understand than small components; as a result, their reliability and extendibility may be affected.
- Number of pages or words
- Number of requirements
- Number of functions

Requirements traceability (RT). This metric is used to assess the degree of traceability by measuring the percentage of requirements that has been implemented in the software design. It is also used to identify requirements that are either missing from, or in addition to the original requirements. The measure is computed using the equation: RT = R1/R2 x 100%, where R1 is the number of requirements met by the architecture (software design), and R2 is the number of original requirements. [IEEE982]

Completeness (CM). This metric is used to determine the completeness of the software specification during requirements activity. This metric uses 18 primitives (e.g., number of functions not satisfactorily defined, number of functions, number of defined functions, number of defined functions not used, number of referenced functions, and number of decision points). It then uses 10 derivatives (e.g., functions satisfactorily defined, data references having an origin, defined functions used, reference functions defined), which are derived from the primitives. The metric is the weighted sum of the 10 derivatives expressed as CM = w _i D_i, where the summation is from i=1 to i=10, each weight w _i has a value between 0 and 1, the sum of the weights is 1, and each D_i is a derivative with a value between 1 and 0. The values of the primitives also can be used to identify problem areas within the software requirements specification. [IEEE982]

Fault-days number (FD). This metric specifies the number of days that faults spend in the software product from its creation to their removal. This measure uses two primitives: the activity, date, or time that the fault was introduced, and the activity, date, or time that the fault was removed. The fault days for the ith fault, (FD_i ), is the number of days from the creation of the fault to its removal. The measure is calculated as follows: FD = FD_i. This measure is an indicator of the quality of the software design and software development process. A high value may be indicative of untimely removal of faults and/or existence of many faults, due to an ineffective software development process. [IEEE982]

Function points. This measure was originated by Allan Albrecht at IBM in the late 1970's, and was further developed by Charles Symons. It uses a weighted sum of the number of inputs, outputs, master files and inquiries in a product to predict development size [ALBRECHT]. To count function points, the first step is to classify each component by using standard guides to rate each component as having low, average, or high complexity. The second basic step is to tabulate function component counts. This is done by entering the appropriate counts in the Function Counting Form, multiplying by the weights on the form, and summing up the totals for each component type to obtain the Unadjusted Function Point Count. The third step is to rate each application characteristic from 0 to 5 using a rating guide, and then adding all the ratings together to obtain the Characteristic Influence Rating. Finally, the number of function points is calculated using the equation below. [SQE]

The main reasons for computing metrics during software design are the following: gives early indication of project status; enables selection of alternative designs; identifies potential problems early in the software development process; limits complexity; and helps in deciding how to modularize so the resulting modules are both testable and maintainable. In general, good design practices involve high cohesion of modules, low coupling of modules, and effective modularity. [ZAGE]

Primitive size metrics. These metrics are used to estimate the size of the software design or software design documents.
- Number of pages or words
- DLOC (lines of PDL)
- Number of modules
- Number of functions
- Number of inputs and outputs
- Number of interfaces

(Estimated) number of modules (NM). This metric provides measure of product size, against which the completeness of subsequent module based activities can be assessed. The estimate for the number of modules is given by, NM = S/M, where S is the estimated size in LOC, M is the median module size found in similar projects. The estimate NM can be compared to the median number of modules for other projects. [ROOK]

Primitive fault metrics. These metrics identify potentially fault-prone modules. [ROOK]
- Number of faults associated with each module
- Number of requirements faults and structural design faults detected during detailed design

Primitive complexity metrics. These metrics identify modules which are complex or hard to test. [ROOK]
- Number of parameters per module
- Number of states or data partitions per parameter
- Number of branches in each module

Coupling. Coupling is the manner and degree of interdependence between software modules [IEEE982]. Module coupling is rated based on the type of coupling, using a standard rating chart, which can be found in [SQE]. According to the chart, data coupling is the best type of coupling, and content coupling is the worst. The better the coupling, the lower the rating. [SQE, ZAGE]

Cohesion. Cohesion is the degree to which the tasks performed within a single software module are related to the module's purpose. The module cohesion value for a module is assigned using a standard rating chart, which can be found in [SQE]. According to the chart, the best cohesion level is functional, and the worst is coincidental , with the better levels having lower values. Case studies have shown that fault rate correlates highly with cohesion strength. [SQE, ZAGE]

(Structural) fan-in / fan-out. Fan-in/fan-out represents the number of modules that call/are called by a given module. Identifies whether the system decomposition is adequate (e.g., no modules which cause bottlenecks, no missing levels in the hierarchical decomposition, no unused modules ("dead" code), identification of critical modules). May be useful to compute maximum, average, and total fan-in/fan-out. [ROOK, IEEE982]

Information flow metric (C). This metric represents the total number of combinations of an input source to an output destination, given by, C = C_i x (fan-in x fan-out) ², where C _i is a code metric, which may be omitted. The product inside the parentheses represents the total number of paths through a module. [ZAGE]

Staff hours per major defect detected (M). This metric is used to evaluate the efficiency of the design inspection. The following primitives are used: time expended in preparation for inspection meeting (T1), time expended in conduct of inspection meeting (T2), number of major defects detected during the ith inspection (S_i), and total number of inspections to date (i). The staff hours per major defect detected is given below, with the summations being from i=1 to i=i. This measure is applied to new code, and should fall between three and five. If there is significant deviation from this range, then the matter should be investigated. (May be adapted for code inspections). [IEEE982]

(T1 + T2)i
M = ---------------------
S_i

Defect Density (DD). Used after design inspections of new development or large block modifications in order to assess the inspection process. The following primitives are used: total number of unique defects detected during the ith inspection or ith software development activity (D_i), total number of inspections to date (i), and number of source lines of design statements in thousands (KSLOD). The measure is calculated by the ratio below, where the sum is from i=1 to i=i. This measure can also be used in the implementation activity, in which case the number of source lines of executable code in thousands (KSLOC) should be substituted for KSLOD. [IEEE982]

Di
DD = ---------------------
KSLOD

Test related primitives. These metrics check that each module will be/has been adequately tested, or assesses the effectiveness of early testing activities. [ROOK]
- Number of software integration test cases planned/executed involving each module
- Number of black box test cases planned/executed per module
- Number of requirements faults detected (and re-assesses quality of requirements specification)

Lines of Code (LOC). Although lines of code is one of the most popular metrics, it has no standard definition. The predominant definition for LOC is "any line of a program text that is not a comment or blank line, regardless of the number of statements or fragments of statements on the line." [SQE] It is an indication of size, which allows for estimation of effort, time scale, and total number of faults. For the same application, the length of a program partly depends on the language the code is written in, thus making comparison using LOC difficult. However, LOC can be a useful measure if the projects being compared are consistent in their development methods (e.g., use the same language, coding style). Because of its disadvantages, the use of LOC as a management metric (e.g., for project sizing beginning from the software requirements activity) is controversial, but there are uses for this metric in error analysis, such as to estimate the values of other metrics. The advantages of this metric are that it is conceptually simple, easily automated, and inexpensive. [SQE]

Halstead software science metrics. This set of metrics was developed by Maurice Halstead, who claimed they could be used to evaluate the mental effort and time required to create a program, and how compactly a program is expressed. These metrics are based on four primitives listed below:

n₁ = number of unique operators

n₂ = number of unique operands

N₁ = total occurrences of operators

N₂ = total occurrences of operands

The program length measure, N, is the sum of N₁ and N₂. Other software science metrics are listed below. [SQE]

Vocabulary: n = n₁ + n₂

Predicted length: N^ = (n₁ * log₂ n₁) + (n₂ * log₂ n₂)

Program volume: V = N * log₂n

Effort: E = (n₁ N₂ Nlog₂n)/ (2n₂)

Time: T = E/B ; Halstead B=18

Predicted number of bugs: B = V/3000

Number of entries/exits per module. Used to assess the complexity of a software architecture, by counting the number of entry and exit points for each module. The equation to determine the measure for the ith module is simply m_i = e_i + x_i, where e_i is the number of entry points for the ith module, and xi is the number of exit points for the ith module. [IEEE982]

Cyclomatic complexity (C). Used to determine the structural complexity of a coded module in order to limit its complexity, thus promoting understandability. In general, high complexity leads to a high number of defects and maintenance costs. Also used to identify minimum number of test paths to assure test coverage. The primitives for this measure include the number of nodes (N), and the number of edges (E), which can be determined from the graph representing the module. The measure can then be computed with the formula, C = E - N + 1. [IEEE982, SQE]

Amount of data. This measure can be determined by primitive metrics such as Halstead's n₂ and N₂, number of inputs/outputs, or the number of variables. These primitive metrics can be obtained from a compiler cross reference. [SQE]

Live variables. For each line in a section of code, determine the number of live variables (i.e., variables whose values could change during execution of that section of code). The average number of live variables per line of code is the sum of the number of live variables for each line, divided by the number of lines of code. [SQE]

Variable scope. The variable scope is the number of source statements between the first and last reference of the variable. For example, if variable A is first referenced on line 10, and last referenced on line 20, then the variable scope for A is 9. To determine the average variable scope for variables in a particular section of code, first determine the variable scope for each variable, sum up these values, and divide by the number of variables [SQE]. With large scopes, the understandability and readability of the code is reduced.

Variable spans. The variable span is the number of source statements between successive references of the variable. For each variable, the average span can be computed. For example, if the variable X is referenced on lines 13, 18, 20, 21, and 23, the average span would be the sum of all the spans divided by the number of spans, i.e., (4+1+0+1)/4 = 1.5. With large spans, it is more likely that a far back reference will be forgotten. [SQE]

Primitive defect/error/fault metrics. These metrics can be effectively used with SPC techniques, such as bar charts, and Pareto diagrams. These metrics can also be used to form percentages (e.g., percentage of logic errors = number of logic errors ö total number of errors).

- Number of faults detected in each module
- Number of requirements, design, and coding faults found during unit and integration testing
- Number of errors by type (e.g., logic, computational, interface, documentation)
- Number of errors by cause or origin
- Number of errors by severity (e.g., critical, major, cosmetic)

Fault density (FD). This measure is computed by dividing the number of faults by the size (usually in KLOC, thousands of lines of code). It may be weighted by severity using the equation

N = total number of faults

S = number of severe faults

A = number of average severity faults

M = number of minor faults

W_i = weighting factors (defaults are 10, 3, and 1)

FD can be used to perform the following: predict remaining faults by comparison with expected fault density; determine if sufficient testing has been completed based on predetermined goals; establish standard fault densities for comparison and prediction. [IEEE982, SQE]

Defect age. Defect age is the time between when a defect is introduced to when it is detected or fixed. Assign the numbers 1 through 6 to each of the software development activities from software requirements to software operation and maintenance. The defect age is computed as shown. [SQE]

(Activity Detected - Activity Introduced)

Average Defect Age = --------------------------------------------------------

Defect response time. This measure is the time between when a defect is detected to when it is fixed or closed. [SQE]

Defect cost. The cost of a defect may be a sum of the cost to analyze the defect, the cost to fix it, and the cost of failures already incurred due to the defect. [SQE]

Defect removal efficiency (DRE). The DRE is the percentage of defects that have been removed during an activity, computed with the equation below. The DRE can also be computed for each software development activity and plotted on a bar graph to show the relative defect removal efficiencies for each activity. Or, the DRE may be computed for a specific task or technique (e.g., design inspection, code walkthrough, unit test, 6 month operation, etc.). [SQE]

Primitive test case metrics
- Total number of planned white/black box test cases run to completion
- Number of planned software integration tests run to completion
- Number of unplanned test cases required during test activity

Statement coverage. Measures the percentage of statements executed (to assure that each statement has been tested at least once). [SQE]

Branch coverage. Measures the percentage of branches executed. [SQE]

Path coverage. Measures the percentage of program paths executed. It is generally impractical and inefficient to test all the paths in a program. The count of the number of paths may be reduced by treating all possible loop iterations as one path. [SQE] Path coverage may be used to ensure 100 percent coverage of critical (safety or security related) paths.

Data flow coverage. Measures the definition and use of variables and data structures. [SQE]

Test coverage. Measures the completeness of the testing activity. Test coverage is the percentage of requirements implemented (in the form of defined test cases or functional capabilities) multiplied by the percentage of the software structure (in units, segments, statements, branches, or path test results) tested. [AIRFORCE]

Mean time to failure (MTTF). Gives an estimate of the mean time to the next failure, by accurately recording failure times t_i, the elapsed time between the ith and the (i-1)st failures, and computing the average of all the failure times. This metric is the basic parameter required by most software reliability models. High values imply good reliability. [IEEE982]

Failure rate. Used to indicate the growth in the software reliability as a function of test time and is usually used with reliability models. This metric requires two primitives: t_i, the observed time between failures for a given severity level i, and f_i, the number of failures of a given severity level in the ith time interval. The failure rate (t) can be estimated from the reliability function R(t), which is obtained from the cumulative probability distribution F(t) of the time until the next failure, using a software reliability estimation model, such as the nonhomogeneous Poisson process (NHPP) or Bayesian type model. The failure rate is as shown below, where R(t) = 1 - F(t). [IEEE982]

                                      [dR(t)]
                      (t) = -1/R(t)---------
                                        dt

Cumulative failure profile. Uses a graphical technique to predict reliability, to estimate additional testing time needed to reach an acceptable reliability level, and to identify modules and subsystems that require additional testing. This metric requires one primitive, f_i, the total number of failures of a given severity level i in a given time interval. Cumulative failures are plotted on a time scale. The shape of the curve is used to project when testing will be complete, and to assess reliability. It can provide an indication of clustering of faults in modules, suggesting further testing for these modules. A nonasymptotic curve also indicates the need for continued testing. [IEEE982]

Most of the test metrics are also applicable during software installation. The specific metrics used will depend on the type of testing performed. If acceptance testing is conducted, a requirements trace may be performed to determine what percentage of the software requirements are satisfied in the product (i.e., number of software requirements fulfilled divided by the total number of software requirements).

Every metric that can be applied during software development may also be applied during software maintenance. The purposes may differ somewhat. For example, software requirements traceability may be used to ensure that software maintenance requirements are related to predecessor requirements, and that the test activity covers the same test areas as for the development. Metrics that were used during software development may be used again during software maintenance for comparison purposes (e.g., measuring the complexity of a module before and after modification). Elements of support, such as customer perceptions, training, hotlines, documentation, and user manuals, can also be measured.

Primitive change metrics
- Number of changes
- Cost/effort of changes
- Time required for each change
- LOC added, deleted, or modified
- Number of fixes, or enhancements

Customer ratings. These metrics are based on results of customer surveys, which ask customers to provide a rating or a satisfaction score (e.g., on a scale of one to ten) of a vendor's product or customer services (e.g., hotlines, fixes, user manual). Ratings and scores can be tabulated and plotted in bar graphs.

Customer service metrics
- Number of hotline calls received
- Number of fixes for each type of product
- Number of hours required for fixes
- Number of hours for training (for each type of product)

Statistical process control (SPC) is the application of statistical methods to provide the information necessary to continuously control or improve activities throughout the entire development of a product [OPMC]. SPC techniques help to locate trends, cycles, and irregularities within the software development process and provide clues about how well the process meets specifications or requirements. They are tools for measuring and understanding process variation and distinguishing between random inherent variations and significant deviations so that correct decisions can be made about whether to make changes to the process or product.

To fully understand a process, it is necessary to determine how the process changes over time. To do this, one can plot error data (e.g., total number of errors, counts of specific types of errors) over a period of time (e.g., days, weeks) and then interpret the resulting pattern. If, for instance, a large number of errors are found in a particular software development activity, an investigation of the tasks in that activity or preceding ones may reveal that necessary development tasks were omitted (e.g., code reviews were not conducted during the code activity). A plot of the sources of errors may show that a particular group is the most frequent source of errors. Further investigation may confirm that members of the group do not have sufficient experience and training. A plot of the number of specific types of errors may show that many errors are related to incorrect or unclear software requirements specifications (e.g., software requirements are written in a way that consistently causes misinterpretations, or they fail to list enough conditions and restrictions). This would indicate that the software requirements activity needs to be modified.

There are several advantages to using SPC techniques. First, errors may be detected earlier or prevented altogether. By monitoring the software development process, the cause of the error (e.g., inadequate standards, insufficient training, incompatible hardware) may be detected before additional errors are created. Second, using SPC techniques is cost-effective, because less effort may be required to ensure that processes are operating correctly than is required to perform detailed checks on all the outputs of that process. Thus, higher quality may be achieved at a lower development expense. Finally, use of SPC techniques provides quantitative measures of progress and of problems so less guesswork is required [DEMMY].

Despite the advantages, there are also several potential disadvantages. To be successful, SPC requires discipline, planning, continuous commitment to the timely solution of process problems, and frequent access to information from the software development process [DEMMY].

The primary statistical technique used to assess process variation is the control chart. The control chart displays sequential process measurements relative to the overall process average and control limits. The upper and lower control limits establish the boundaries of normal variation for the process being measured. Variation within control limits is attributable to random or chance causes, while variation beyond control limits indicates a process change due to causes other than chance -- a condition that may require investigation. [OPMC] The upper control limit (UCL) and lower control limit (LCL) give the boundaries within which observed fluctuations are typical and acceptable. They are usually set, respectively, at three standard deviations above and below the mean of all observations. There are many different types of control charts, pn, p, c, etc., which are described in Table A-1. This section is based on [OPMC], [SMITH], [CAPRIO], and [JURAN].

1. Identify the purpose and the characteristics of the process to be monitored.
   
   
2. Select the appropriate type of control chart based on the type of characteristic measured, the data available, and the purpose of the application.
   
   
3. Determine the sampling method (e.g., number of samples (n), size of samples, time frame).
   
   
4. Collect the data.
   
   
5. Calculate the sample statistics: average, standard deviation, upper and lower control limits.
   
   
6. Construct the control chart based on sample statistics.
   
   
7. Monitor the process by observing pattern of the data points and whether they fall within control limits.

The existence of outliers, or data points beyond control limits, indicates that nontypical circumstances exist. A run, or consecutive points on one side of the average line (8 in a row, or 11 of 12, etc.) indicates a shift in process average. A sawtooth pattern, which is a successive up and down trend with no data points near the average line, indicates over adjustment or the existence of two processes. A trend, or steady inclining or declining progression of data points represents gradual change in the process. A hug, in which all data points fall near the average line, may indicate unreliable data. A cycle, or a series of data points which is repeated to form a pattern, indicates a cycling process.

Control charts are applicable to almost any measurable activity. Some examples for software include the following: number of defects/errors, training efforts, execution time, and number of problem reports per time period. An example of an np control chart with hypothetical data is shown in Figure A-1. In this example, the number of samples (n) is 100. Each data point represents the number of defects found in the software product in a work week.

A run chart is a simplified control chart, in which the upper and lower control limits are omitted. The purpose of the run chart is more to determine trends in a process, rather than its variation. Although very simple, run charts can be used effectively to monitor a process, e.g., to detect sudden changes and to assess the effects of corrective actions. Run charts provide the input for establishing control charts after a process has matured or stabilized in time. Limitations of this technique are that it analyzes only one characteristic over time, and it does not indicate if a single data point is an outlier. This section is based on [OPMC] and [CAPRIO].

Implementation

1. Decide which outputs of a process to measure.
2. Collect the data.
3. Compute and draw the average line.
4. Plot the individual measurements chronologically.
5. Connect data points for ease of interpretation.

Interpretation - See Interpretation for Control Charts.

Run charts are applicable to almost any measurable activity. Some examples for software include the following: number of defects/errors, number of failures, execution time, and downtime.

A bar graph is a frequency distribution diagram in which each bar represents a characteristic, and the height of the bar represents the frequency of that characteristic. The horizontal axis may represent a continuous numerical scale, or a discrete non-numerical scale. Generally,numerical-scale bar charts in which the bars have equal widths are more useful for comparison purposes; numerical-scale bar charts with unequal intervals can be misleading because the characteristics with the largest bars (in terms of area) do not necessarily have the highest frequency. This section is based on [SMITH].

Implementation

1. Define the subject and purpose.
   
   
2. Collect the data. Check that the sample size is sufficient.
   
   
3. Sort the data by frequency (or other measure) of characteristics.
   
   
4. For numerical-scale bar charts, determine the number of bars and the width of the bars (class width), by trying series of class widths, avoiding too fine or too coarse a granularity.
   
   
5. Construct the chart and draw the bars. The height of a bar represents the frequency of the corresponding characteristic.

Interpretation
In a simple bar graph in which the characteristics being measured are discrete and non-numerical or if each bar has the same width, the measures for each characteristic can be compared simply by comparing the heights of the bars. For numerical-scale graphs with unequal widths, one should remember not to interpret large bars as necessarily meaning that a large proportion of the entire population falls in that range.

Application Examples
Bar graphs are mostly used to compare the frequencies of different attributes. For example, in Figure A-2, it is used to plot the average customer rating for each evaluation category (e.g., customer service, hotlines, overall satisfaction). The graph shows that Category D has the highest rating.

Other examples of characteristics that may be plotted include: number or percentage of problem reports by software development activity or by type.

A Pareto diagram is a bar graph in which the bars are arranged in descending order of magnitude. The purpose of Pareto analysis is to identify the major problems in a product or process, or to identify the most significant causes for a given effect. This allows a developer to prioritize problems and decide which problem area to work on first. This section is based on [OPMC] and [CAPRIO].

Implementation

1. Construct a bar graph, except the bars should be in descending order of magnitude (height).
2. Determine the "vital few" cause: draw a cumulative percent line and applying the 20/80 rule.
3. Compare/identify the major causes. Repeat until root cause of the problem is revealed.

Interpretation

Pareto analysis is based on the 20/80 rule, which states that approximately 20% of the causes (the "vital few") account for 80% of the effects (problems). The "vital few" can be determined by drawing a cumulative percent line and noting which bars are to the left of the point marking 80% of the total count. In Figure A-3, the vital few are logic, computational, and interface errors since 80% of the errors are found in these modules. By knowing the primary causes of a problem or effect, the developer can decide where efforts should be concentrated.

Application Examples

Most data that can be plotted on a non-numerical scale bar graph can also be plotted on a Pareto diagram. Examples include: number or percentage of errors by type, by cause, or by software development activity, and number or percentage of problem reports by type or by software development activity.

A scatter diagram is a plot of the values of one variable against those of another variable to determine the relationship between them. This technique was popularized by Walter Shewhart at Bell Laboratories. Scatter diagrams are used during analysis to understand the cause and effect relationship between two variables. They are also called correlation diagrams. This section is based on [KITCHENHAM], [OPMC], and [CAPRIO].

Implementation

1. Define the subject and select the variables.
   
   
2. Collect the data.
   
   
3. Plot the data points using an appropriate scale.
   
   
4. Examine the pattern to determine whether any correlation exists (e.g., positive, negative). For a more precise specification of the relationship, regression, curve fitting or smoothing techniques can be applied.

Interpretation

If the data points fall approximately in a straight line, this indicates that there is a linear relationship, which is positive or negative, depending on whether the slope of the line is positive or negative. Further analysis using the method of least squares can be performed. If the data points form a curve, then there is a non-linear relationship. If there is no apparent pattern, this may indicate no relationship. However, another sample should be taken before making such a conclusion.

Application Examples

The following are examples of pairs of variables that might be plotted:

• -- complexity vs. defect density (example shown in fig. A-4)
• -- effort vs. duration (of an activity)
• -- failures vs. time
• -- failures vs. size
• -- cost vs. time

This technique can be used in conjunction with scatter diagrams to obtain a more precise relationship between variables. It is used to determine the equation of the regression line, i.e., the line that "best fits" the data points. With this equation, one can approximate values of one variable when given values of the other. The equation of the line is Y = a + bX, where a and b are constants which minimize S, the sum of squares of the deviations of all data points from the regression line. For any sample value x _i of X, the expected Y value is a + bx _i. This section is based on [OPMC], [CAPRIO], and [SMITH].

Implementation

1. Collect n data values for each of the 2 variables, X and Y, denoted by x₁, x₂,..., x_n and y₁, y₂,..., y_n.
   
   
2. Minimize S = (y_i - a - bx_i)² by first taking the partial derivative of S with respect to a and then with respect to b, setting these derivatives to zero, and then solving for a and b.
   
   
3. The results obtained from steps should be the following, where X_B = x_i /n and Y_B = y_i /n:

(X_i - X_B) (Y_i - Y_B)
b = ----------------------------------
(X_i - X_B) ²

Interpretation

The constant a represents the intercept of the regression line, i.e., the value of Y when X is 0, and b represents the slope of the regression line. The idea of this technique is to minimize S, so that all data points will be as close to the regression line as possible. The reason for taking the squares of the deviations, rather than simply the deviations, is so that positive and negative deviations will not cancel each other when they are summed. It would also be possible to sum the absolute values of the deviations, but absolute values are generally harder to work with than squares.

Application Examples

See Application Examples for Scatter Diagrams.

"Reliability" is used in a general sense to express a degree of confidence that a part or system will successfully function in a certain environment during a specified time period [JURAN]. Software reliability estimation models can predict the future behavior of a software product, based on its past behavior, usually in terms of failure rates. Since 1972, more than 40 software reliability estimation models have been developed, with each based on a certain set of assumptions characterizing the environment generating the data. However, in spite of much research effort, there is no universally applicable software reliability estimation model which can be trusted to give accurate predictions of reliability in all circumstances [BROCKLEHURST].

It is usually possible to obtain accurate reliability predictions for software, and to have confidence in their accuracy, if appropriate data is used [ROOK]. Also, the use of reliability estimation models is still under active research, so improvements to model capability are likely. Work by Littlewood (1989), for example, involves the use of techniques for improving the accuracy of predictions by learning from the analysis of past errors [ROOK], and recalibration [BROCKLEHURST].

Some problems have been encountered by those who have tried to apply reliability estimation models in practice. The algorithms used to estimate the model parameters may fail to converge. When they do, the estimates can vary widely as more data is entered [DACS]. There is also the difficulty of choosing which reliability model to use, especially since one can not know a priori which of the many models is most suitable in a particular context [BROCKLEHURST]. In general, the use of these models is only suitable for situations in which fairly modest reliability levels are required [ROOK].

There are three general classes of software reliability estimation models: nonhomogeneous Poisson process (NHPP) models, exponential renewal NHPP models, and Bayesian models. Some of the more common reliability estimation models are described below [DUNN], [LYU].

• -- Jelinski-Moranda (JM). One of the earliest models, it assumes the debugging process is purely deterministic, that is, that each defect in the program is equally likely to produce failure (but at random times), and that each fix is perfect, i.e., introduces no new defects. It also assumes that the failure rate is proportional to the number of remaining defects and remains constant between failures. This model tends to be too optimistic and to underestimate the number of remaining faults; this effect has been observed in several actual data sets.
  
  
• -- Goel-Okumoto (GO). This model is similar to JM, except it assumes the failure rate (number of failure occurrences per unit of time) improves continuously in time.
  
  
• -- Yamada Delayed S-Shape. This model is similar to GO, except it accounts for the learning period that testers go through as they become familiar with the software at the start of testing.
  
  
• -- Musa-Okumoto (MO). This NHPP model is similar to GO, except it assumes that later fixes have a smaller effect on a program's reliability than earlier ones. Failures are assumed to be independent of each other.
  
  
• -- Geometric. This model is a variation of JM, which does not assume a fixed, finite number of program errors, nor does it assume that errors are equally likely to occur.
  
  
• -- Schneidewind. Similar to JM, this model assumes that as testing proceeds with time, the error detection process changes, and that recent error counts are usually more useful than earlier counts in predicting future counts.
  
  
• -- Bayesian Jelinski-Moranda (BJM). This model is similar to JM, except that it uses a Bayesian inference scheme, rather than maximum likelihood. Although BJM does not drastically underestimate the number of remaining errors, it does not offer significant improvement over JM. Actual reliability predictions of the two models are usually very close.
  
  
• -- Littlewood. This model attempts to answer the criticisms of JM and BJM by assuming that different faults have different sizes, i.e., they contribute unequally to the unreliability of the software. This assumption represents the uncertainty about the effect of a fix.
  
  
• -- Littlewood-Verrall (LV). This model takes into account the uncertainty of fault size and efficacy of a fix (i.e., a fix is of uncertain magnitude and may make a program less reliable), by letting the size of the improvement in the failure rate at a fix vary randomly.
  
  
• -- Brooks and Motley (BM). The BM binomial and Poisson models attempt to consider that not all of a program is tested equally during a testing period and that only some portions of the program may be available for testing during its development.
  
  
• -- Duane. This model assumes that the failure rate changes continuously in time, i.e., it follows a nonhomogeneous Poisson process. The cumulative failure rate when plotted against the total testing time on a ln-ln graph follows a straight line. The two parameters for the equation of the line can be derived using the method of least squares.

Implementation

The following is a generic procedure for estimating software reliability [AIAA]. It can be tailored to a specific project or software development activity; thus some steps may not be used in some applications.

1. Identify the application. The description of the application should include, at a minimum, the identification of the application, the characteristics of the application domain that may affect reliability, and details of the intended operation of the application system.
   
   
2. Specify the requirement. The reliability requirement should be specific enough to serve as a goal (e.g., failure rate of 10-9 per hour).
   
   
3. Allocate the requirement. The reliability requirement may be distributed over several components, which should be identified.
   
   
4. Define failure. A specific failure definition is usually agreed upon by testers, developers, and users prior to the beginning of testing. The definition should be consistent over the life of the project. Classification of failures (e.g., by severity) is continuously negotiated.
   
   
5. Characterize the operational environment. The operational environment should be described in terms of the system configuration (arrangement of the system's components), system evolution and system operational profile (how system will be used).
   
   
6. Select tests. The test team selects the most appropriate tests for exposing faults. Two approaches to testing can be taken: testing duplicates actual operational environments as closely as possible; or testing is conducted under more severe conditions than expected in normal operational environments, so that failures can occur in less time.
   
   
7. Select the models. The user should compare the models prior to selection based on the following criteria: predictive validity, ease of parameter measurement, quality of the model's assumptions, capability, applicability, simplicity, insensitivity to noise, and sensitivity to parameter variations.
   
   
8. Collect data.
   
   
9. Determine the parameters. There are three common methods of estimating the parameters from the data: method of moments, least squares, and maximum likelihood. Each of these methods has useful attributes, but maximum likelihood estimation is the most commonly used approach. As stated previously, some data sets may cause the numerical methods not to converge. There exist automated software reliability engineering tools, which are capable of performing parameter estimation.
   
   
10. Validate the model. The model should be continuously checked to verify that it fits the data, by using a predictive validity criteria or a traditional statistical goodness-of-fit test (e.g., Chi-square).
    
    
11. Perform analysis. The results of software reliability estimation may be used for several purposes, including, but not limited to, estimating current reliability, forecasting achievement of a reliability goal, establishing conformance with acceptance criteria, managing entry of new software features or new technology into an existing system, or supporting safety certification.

Interpretation

A disadvantage of these models is that they rely on testing and hence are used rather late in the software development process. The models are usually time based, that is, the probability is based on time to failure. Research is needed to identify how to use more valuable parameters with these models. See [ROOK].

Application Examples

Applicability of the models should be examined through various sizes, structures, functions and application domains. An advantage of a reliability model is its usability in different development and operational environments, and in different software development activities. Software reliability models should be used when dealing with the following situations:

• -- evolving software (i.e., software that is incrementally integrated during testing)
• -- classification of failure severity
• -- incomplete failure data
• -- hardware execution rate differences
• -- multiple installations of the same software
• -- project environments departing from model assumptions

                                                                    Page(s)

Accuracy . . . . . . . . . . . . . . v, 7, 9, 11-17, 23, 26, 29, 30, 33, 76
Actual and formal parameters mismatch. . . . . . . . . . . . . . . . . . 29
Algorithm analysis . . . . . . . . . . . . . . . . . . . . . 23, 25, 26, 35
Algorithm efficiency . . . . . . . . . . . . . . . . . . . . . . . . 26, 31
Allocation of V&V resources. . . . . . . . . . . . . . . . . . . . . . . 31
Alternative model. . . . . . . . . . . . . . . . . . . . . . . . . . 33, 36
Anachronistic data . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Analytic modeling. . . . . . . . . . . . . . . . . . . . . . . . . . 26, 35
Anomalies or discrepancies between versions. . . . . . . . . . . . . . . 26
Array size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Back-to-back testing . . . . . . . . . . . . . . . . . . . . . . . . 26, 35
Behavior . . . . . . . . . . . . . . . . 10, 15, 25, 30, 31, 45, 46, 48, 76
Bottlenecks. . . . . . . . . . . . . . . . . . . . . . . 26, 27, 31, 32, 63
Boundary test cases. . . . . . . . . . . . . . . . . . . . . 27, 28, 30, 31
Boundary value analysis. . . . . . . . . . . . . . . . . . . . . . . 26, 35
Branch and path identification . . . . . . . . . . . . . . . 27, 28, 30, 31
Branch testing . . . . . . . . . . . . . . . . . . . . . . . 27, 28, 30, 31
Calls to subprograms that do not exist . . . . . . . . . . . . . . . . . 28
Cell structure of units. . . . . . . . . . . . . . . . . . . . . . . . . 27
Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . 29, 30, 33
Code reading . . . . . . . . . . . . . . . . . . . . . . . . . . 24, 26, 35
Code V&V . . . . . . . . . . . . . . . . . . . . . . . . . . .4, 10, 15, 24
Common code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Completeness . . . . . . . . . . . . . . .11-17, 19, 30, 33, 34, 61, 62, 67
Consistency. . . . . . . . . . 11, 12, 14-16, 19, 26, 27, 29-31, 33, 36, 60
Consistency analysis . . . . . . . . . . . . . . . . . . . . . . . . 33, 36
Consistency in computation . . . . . . . . . . . . . . . . . . . . . . . 26
Control flow analysis. . . . . . . . . . . . . . . . . . . . . 5, 23-26, 35
Control groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 33, 36
Correctness. . . . . . . . v, 1, 3, 7, 10-16, 23, 24, 26, 27, 30-32, 35, 51
Coverage analysis. . . . . . . . . . . . . . . . . . . . . . . . . . 27, 35
Credibility analysis . . . . . . . . . . . . . . . . . . . . . . . . 33, 37
Critical timing/flow analysis. . . . . . . . . . . . . . . . . . . . 27, 35
Criticality analysis . . . . . . . . . . . . . . . vii, 7-9, 25, 32, 36, 41
Data characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Data fields unconstrained by data boundaries . . . . . . . . . . . . . . 28
Data flow analysis . . . . . . . . . . . . . . . . . . . . . . . 23, 27, 35
Database analysis. . . . . . . . . . . . . . . . . . . . . . 23, 24, 27, 35
Decision (truth) tables. . . . . . . . . . . . . . . . . . . . . . . 27, 35
Design errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . .9, 32
Design evaluation. . . . . . . . . . . . . . . . . . . . . . . . .4, 14, 27
Desk checking. . . . . . . . . . . . . . . . . . . . . . . . . . . . 27, 35
Dynamic analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 23, 29
Effective forerunners to testing . . . . . . . . . . . . . . . . 29, 31, 33
Environment interaction. . . . . . . . . . . . . . . . . . . . . 27, 30, 31
Error propagation. . . . . . . . . . . . . . . . . . . . . . 26, 27, 32, 33
Error seeding. . . . . . . . . . . . . . . . . . . . . . . . . . . . 28, 35
Evaluation of program paths. . . . . . . . . . . . . . . . . . . . . 27, 32
Execution monitoring, sampling, support. . . . . . . . . . . . . . . . . 31
Expected vs actual results . . . . . . . . . . . . . . . . . . . . . . . 27
Failure to implement the design. . . . . . . . . . . . . . . . . . . . . 28
Failure to save or restore registers . . . . . . . . . . . . . . . . . . 28
Feasibility. . . . . . . . . . . . . . . . . . . . . . . . . 11, 26, 31, 52
Field testing. . . . . . . . . . . . . . . . . . . . . . . . . . . . 33, 37
File sequence error. . . . . . . . . . . . . . . . . . . . . . . 27, 28, 31
Finite state machines. . . . . . . . . . . . . . . . . . . . . .vii, 28, 35
Formal specification evaluation. . . . . . . . . . . . . . . 27, 29, 31, 33
Functional testing . . . . . . . . . . . . . . . . . . . . . . . 24, 28, 35
Global information flow and consistency. . . . . . . . . . . . . . . . . 27
Go-no-go decisions . . . . . . . . . . . . . . . . . . . . . . . . . 29, 33
Hazard analysis. . . . . . . . . . . . . . . . . . . 2, 7-9, 28, 30, 32, 56
Hierarchical interrelationship of units. . . . . . . . . . . . . . . 27, 31
Illegal attribute testing. . . . . . . . . . . . . . . . . . . . . . 33, 37
Improper nesting of loops and branches . . . . . . . . . . . . . . . . . 28
Improper program linkages. . . . . . . . . . . . . . . . . . . . . . . . 28
Improper sequencing of processes . . . . . . . . . . . . . . . . . . . . 28
Inaccessible code. . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Incomplete predicates. . . . . . . . . . . . . . . . . . . . . . . . . . 28
Incomplete software requirements specification . . . . . . . . . 28, 30, 32
Inconsistencies between limits . . . . . . . . . . . . . . . . . . . . . 26
Inconsistencies between subroutine usage list and called subrout . . . . 29
Inconsistency of attributes of global variables. . . . . . . . . . . . . 29
Inconsistent interface parameters. . . . . . . . . . . . . . . . . . . . 29
Inconsistent software requirements . . . . . . . . . . . . . . . . . . . 28
Incorrect access of array components . . . . . . . . . . . . . . . . . . 28
Incorrect assumptions about static and dynamic storage of values . . . . 29
Incorrect functions used or incorrect subroutine called. . . . . . . . . 29
Incorrect product version shipped. . . . . . . . . . . . . . . . . . . . 32
Incorrect test results . . . . . . . . . . . . . . . . . . . . . . . . . 32
Inefficient data transport . . . . . . . . . . . . . . . . . . . . . . . 28
Infinite loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Information flow consistency . . . . . . . . . . . . . . . . . . . . 29, 31
Initialization faults. . . . . . . . . . . . . . . . . . . . . . . . . . 28
Input-output description errors. . . . . . . . . . . . . . . . . . . . . 29
Input-output faults. . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Inspections. . . . . . . . . . . . . . . . . . . . . . . 23, 24, 29, 35, 63
Instruction modification . . . . . . . . . . . . . . . . . . . . . . . . 28
Inter-unit structure . . . . . . . . . . . . . . . . . . . . . . . . 27, 31
Interface analysis . . . . . . . . . . . . 4, 12-14, 16, 25, 29, 33, 35, 41
Interface testing. . . . . . . . . . . . . . . . . . . . . . 18, 29, 33, 35
Inverted predicates. . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Knowledge-based system (KBS)iii, v-vii, 1, 2, 11, 13, 15-22, 33, 34, 36, 45-50
Logic errors . . . . . . . . . . . . . . . . . . . . 17, 27, 29, 31, 33, 65
Logical verification . . . . . . . . . . . . . . . . . . . . . . 16, 33, 37
Loop invariants. . . . . . . . . . . . . . . . . . . . . . . . . . . 27, 29
Manual simulation. . . . . . . . . . . . . . . . . . . . . . . . . . 29, 33
Memory allocation. . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Meta models. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33, 37
Mismatched parameter lists . . . . . . . . . . . . . . . . . . . . . . . 28
Missing labels or code . . . . . . . . . . . . . . . . . . . . . . . . . 28
Missing validity tests . . . . . . . . . . . . . . . . . . . . . . . . . 28
Misuse of variables. . . . . . . . . . . . . . . . . . . . . . . . . 26, 28
Modeling . . . . . . . . . . . . . . . . . . . . . . . . .26-28, 30, 48, 49
Mutation analysis. . . . . . . . . . . . . . . . . . . . . . . . . . 29, 35
Numerical roundoff . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Numerical stability. . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Omitted functions. . . . . . . . . . . . . . . . . . . . . . . . . . 26, 30
Parameter checking . . . . . . . . . . . . . . . . . . . . . . . 26, 32, 33
Partition testing. . . . . . . . . . . . . . . . . . . . . . . . . . 34, 37
Path testing . . . . . . . . . . . . . . . . . . . . . . . . . . 27, 28, 31
Performance testing. . . . . . . . . . . . . . . . . . . . . . . . . 30, 35
Petri-nets . . . . . . . . . . . . . . . . . . . . . . . . . . . .9, 30, 35
Planning for defaults when system over-stressed. . . . . . . . . . . . . 32
Poor programming practices . . . . . . . . . . . . . . . . . . . . . . . 26
Processing efficiency. . . . . . . . . . . . . . . . . . . . . . 26, 27, 31
Prodigal programming . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Program decomposition. . . . . . . . . . . . . . . . . . . . . . . . . . 31
Program execution characteristics. . . . . . . . . . . . . . . . 28, 31, 32
Proof of correctness . . . . . . . . . . . . . . . . . . . . .23, 30-32, 35
Proof of critical sections . . . . . . . . . . . . . . . . . . . . . . . 30
Prototyping. . . . . . . . . . . . . . . . . . . . . . . 23, 30, 36, 47, 50
Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Regression analysis and testing. . . . . . . . . . . . . . . 16, 24, 30, 36
Reliability. . . . . . .v, 1-3, 9, 19, 31, 51-53, 55, 57, 59, 61, 67, 76-79
Reports on test cases that were omitted. . . . . . . . . . . . . . . . . 32
Requirements parsing . . . . . . . . . . . . . . . . . . . . . . . . 30, 36
Retest after change. . . . . . . . . . . . . . . . . . . . . . . . . .27-33
Reuse. . . . . . . iii, 2, 9, 11-22, 33, 36, 39, 40, 42, 46, 50, 53, 57, 59
Reviews. . . . . . . . . . . . . 2, 6, 7, 23, 24, 29, 31-33, 36, 56, 61, 68
     status reviews. . . . . . . . . . . . . . . . . . . . . . . . . 29, 33
     technical reviews . . . . . . . . . . . . . . . . . . . . . . . 29, 33
Rule verification. . . . . . . . . . . . . . . . . . . . . . . . . . 34, 37
Safety . . . . . . .v, 1, 3, 6-8, 12, 14, 28, 30, 32, 39, 40, 52-54, 66, 79
Security . . . . . . . . . . . . . . . . . . . . . v, 1, 3, 6-9, 12, 40, 66
Sensitivity analysis . . . . . . . . . . . . . . . . . . . . . . . . 31, 36
Simulation . . . . . . . . . . . . . . . . . . . . . . . 23, 29, 31, 33, 36
Sizing and timing analysis . . . . . . . . . . . . . . . . . .23-25, 31, 36
Slicing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31, 36, 54
Small, but difficult, or error-prone sections of design or code. . . . . 33
Software design  evaluation. . . . . . . . . . . . . . . . . . . . . . . 27
Software Design Evaluation . . . . . . . . . . . . . . . . . . . . . .4, 14
Software design V&V. . . . . . . . . . . . . . . . . . . . . . 4, 9, 13, 23
Software failure mode, effects, and criticality  analysis. . . . . .vii, 32
software failure mode, effects, and criticality analysis . . . . . . .9, 36
Software fault tree analysis . . . . . . . . . . . . . . . . . . .9, 32, 36
Software installation test . . . . . . . . . . . . . . . . . . . .4, 10, 21
Software integration test. . . . . 4, 10, 14, 18, 19, 25, 27, 30, 31, 64-66
Software requirements evaluation . . . . . . . . . . . . . . . . .4, 11, 31
Software requirements indexing . . . . . . . . . . . . . . . . . . . . . 31
Software requirements to design correlation. . . . . . . . . . . . . . . 31
Software requirements V&V. . . . . . . . . . . . . . . . . . . .4, 9-11, 23
Software system test . . . .3, 4, 10, 11, 18-20, 24, 25, 27, 28, 30, 31, 33
Space utilization evaluation . . . . . . . . . . . . . . 26, 27, 29, 31, 41
Specification error. . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Standards check. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Statement coverage testing . . . . . . . . . . . . . . . . . . . . . 28, 31
Static analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . 23, 29
Statistical validation . . . . . . . . . . . . . . . . . . . . . . . 34, 37
Stress testing . . . . . . . . . . . . . . . . . . . . . . . . . . . 32, 36
Structural testing . . . . . . . . . . . . . . . . . . . . . . . 24, 32, 36
Symbolic execution . . . . . . . . . . . . . . . . . . . . . . . . . 32, 36
Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . 27, 30
Syntax errors. . . . . . . . . . . . . . . . . . . . . . . . . . 29, 31, 33
System performance prediction. . . . . . . . . . . . . . . . . . .26-28, 31
Test case adequacy . . . . . . . . . . . . . . . . . . . . . . . . . 28, 31
Test case preparation. . . . . . . . . . . . . . . . . . . . . . 27, 28, 30
Test certification . . . . . . . . . . . . . . . . . . . . . . . . . 32, 36
Test thoroughness. . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Threat analysis. . . . . . . . . . . . . . . . . . . . . . . . . 28, 30, 32
Timing . . . . . . . . . . . . . . . . . . . . . . 9, 23-28, 30, 31, 35, 36
Turing tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34, 37
Unauthorized recursion . . . . . . . . . . . . . . . . . . . . . . . . . 28
Undeclared variables . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Uninitialized variables. . . . . . . . . . . . . . . . . . . . . .27-29, 31
Unreachable code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Unreferenced labels. . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Unused variables . . . . . . . . . . . . . . . . . . . . . . . . .27-29, 31
User interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 30, 50
Variable references. . . . . . . . . . . . . . . . . . . . . . . 27, 28, 31
Variable snapshots/tracing . . . . . . . . . . . . . . . . . . . . . 28, 31
Walkthroughs . . . . . . . . . . . . . . . . . . . . . . . . . . 24, 32, 36
Weight analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . 34, 37