risk-based testing in practice - erik van veenendaal testing in practice .pdf · riskrisk--based...
TRANSCRIPT
RiskRisk--Based Testing In PracticeBased Testing In Practice
PRISMAPRISMA®®
Erik van VeenendaalErik van Veenendaalwww.erikvanveenendaal.nlwww.erikvanveenendaal.nl
Never speculate on Never speculate on that which can be that which can be known for “certain”known for “certain”
Erik van Veenendaal
� Founder and major shareholder ImproveQS
� In testing since 1989 working for many different clients and in many different roles
� Author “TMap”, “The Testing Practitioner” and many other books and papers
www. erikvanveenendaal.nl
Improve Quality Services BV 22
other books and papers
� Vice-President International Software Testing Qualifications Board (ISTQB) 2005 - 2008
� Vice-Chair TMMi Foundation
� Keynote speaker, e.g. EuroSTAR, STAReast
� Winner of the European Testing Excellence Award (2007)
Improve Quality Services BV
� Service organization in the area ofTesting, Requirements Engineering and Quality Management
� Consultancy, Subcontracting and Training
www. improveqs.nl
Improve Quality Services BV 33
� Consultancy, Subcontracting and Training
SW Process ImprovementQuality AssuranceIT-AuditingRequirements Engineering& management (IREB)
Testing (TMap, TMMi)Test Process ImprovementCertification (ISTQB)- incl. Advanced !!Inspections / Reviews
What is Risk?What is Risk?
�� “A factor that could result in a “A factor that could result in a future future negativenegative consequence; usually expressed consequence; usually expressed as impact and likelihood” (ISTQB Glossary)as impact and likelihood” (ISTQB Glossary)
��Testers ‘only’ have the responsibility to Testers ‘only’ have the responsibility to
Improve Quality Services BV 4
��Testers ‘only’ have the responsibility to Testers ‘only’ have the responsibility to identify the risks and provide information on identify the risks and provide information on their statustheir status
�� “to dare to undertake”“to dare to undertake”��management attitude and style…..management attitude and style…..
Testing = Risk ManagementTesting = Risk Management
�� Objective: most Objective: most feasiblefeasible coveragecoverage��Effective usage of limited resourcesEffective usage of limited resources
�� ResourcesResources��StaffingStaffing
Improve Quality Services BV 5
��StaffingStaffing
�� InfrastructureInfrastructure
��Time !Time !
�� ....
�� the the rightright level and type of coverage on thelevel and type of coverage on therightright parts at the parts at the rightright timetime
The challenge….The challenge…. if onlyif onlywe knew !!we knew !!
Improve Quality Services BV 6
RiskRisk--Based TestingBased Testing
�� Risk identificationRisk identification looks at ways of looks at ways of establishing what the risks are and where establishing what the risks are and where they arethey are
�� Risk analysisRisk analysis looks into the critical, complex looks into the critical, complex
Improve Quality Services BV 7
�� Risk analysisRisk analysis looks into the critical, complex looks into the critical, complex and potential error prone areasand potential error prone areas
�� Then we build tests to Then we build tests to mitigatemitigate the riskthe risk
�� Subsequently we Subsequently we monitormonitor and and reportreportregarding the risksregarding the risks
Based on practical experiencesBased on practical experiences
Improve Quality Services BV 8
Risk IdentificationRisk Identification
�� Split up in functional and/or technical itemsSplit up in functional and/or technical items
�� Higher level test according to requirementsHigher level test according to requirements
�� Lower levels test according to architectureLower levels test according to architecture
Improve Quality Services BV 9
�� May also be based on a brainstorm sessionMay also be based on a brainstorm session
�� Maximum number of appr. 35 risk itemsMaximum number of appr. 35 risk itemsRisk item 1Risk item 1 FunctionalityFunctionality
Risk item 2Risk item 2 SecuritySecurity
Risk item 3Risk item 3 FunctionalityFunctionality
Risk item 4Risk item 4 InteroperabilityInteroperability
Risk AnalysisRisk Analysis
�� Risk = impact x likelihoodRisk = impact x likelihood��What is the impact for the business ?What is the impact for the business ?
��What is the likelihood that there are defects ?What is the likelihood that there are defects ?
�� Determine factors based on previous Determine factors based on previous
Improve Quality Services BV 10
�� Determine factors based on previous Determine factors based on previous projects, e.g. defect patternsprojects, e.g. defect patterns
You already know this !You already know this !Exercise: Risk FactorsExercise: Risk FactorsImpact Impact –– Business riskBusiness risk
Like
lihoo
dLi
kelih
ood
Tech
nica
l ris
kTe
chni
cal r
isk
Factors From PracticeFactors From Practice
�� LikelihoodLikelihood��complexitycomplexity
��new development new development (level of re(level of re--uses)uses)
��
�� ImpactImpact��business importance business importance
(“selling item”)(“selling item”)
�� financial (or other) financial (or other) damage (e.g. safety)damage (e.g. safety)
defect patterns / historydefect patterns / history
Improve Quality Services BV 11
�� interrelationship interrelationship (# interfaces)(# interfaces)
��sizesize
�� technologytechnology
��geographical spreadgeographical spread
�� inexperience (of inexperience (of development team)development team)
damage (e.g. safety)damage (e.g. safety)
��usage intensityusage intensity
��external visibilityexternal visibility
��cost of reworkcost of rework
�� legal sanctionslegal sanctions
WeightingsWeightingscan be appliedcan be applied
CustomizationCustomizationneededneeded
Stakeholder AnalysisStakeholder Analysis
�� A stakeholder is anyone who is interested in A stakeholder is anyone who is interested in the product (both internal and externalthe product (both internal and external)
�� Who is responsible?, Who is responsible?,
�� Who has a problem when things go wrong?Who has a problem when things go wrong?
�� Who needs the system at their work?Who needs the system at their work?
Improve Quality Services BV 12
�� Who needs the system at their work?Who needs the system at their work?
�� Document the knowledge areas of the Document the knowledge areas of the stakeholdersstakeholders��e.g. factors, domain, requirements typee.g. factors, domain, requirements type
�� Missing stakeholders means missing risks!!Missing stakeholders means missing risks!!
�� Assign factors to stakeholdersAssign factors to stakeholders
Individual stakeholders scoringIndividual stakeholders scoring
BusinessBusiness
importanceimportance
Usage Usage
intensityintensity
SafetySafety
Item 1Item 1 5555
9 : Critical9 : Critical5 : High5 : High3 : Moderate3 : Moderate1 : Low1 : Low0 : None0 : None
Improve Quality Services BV 13
Item 2Item 2Item 3Item 3Item 4Item 4Item 5Item 5
5555445544
5544552211
they shallthey shallmakemake
choiceschoices
“Consensus” Meeting“Consensus” Meeting
�� Discuss issue list Discuss issue list -- first defects found !!first defects found !!
�� Result could influence developmentResult could influence development
LikelihoodLikelihood ImpactImpact
Com
plexityC
omplexity
New
development
New
development
InterfacingInterfacing
TechnologyTechnology
Experience level
Experience level
Business im
port.B
usiness import.
Usage intensity
Usage intensity
Safety
Safety
Improve Quality Services BV 14
Com
plexityC
omplexity
New
development
New
development
InterfacingInterfacing
TechnologyTechnology
Experience level
Experience level
Business im
port.B
usiness import.
Usage intensity
Usage intensity
Safety
Safety
Item 1Item 1 55 33 22 11 55 1616 55 44 11 1010
Item 2Item 2 22 11 22 11 22 88 33 33 11 77
Item nItem n
The Product Risk MatrixThe Product Risk Matrix
IIIIII
2525
xxxxxx
MoSCoW prioritiesMoSCoW priorities
Must TestMust TestCould TestCould Test
X1X1
focus of focus of development development
testingtestingfocus focus
of of
Improve Quality Services BV 15
IVIVIIIIII
55
1515
33 151599
xx
xx
xx
xx
LikelihoodLikelihood
ImpactImpact
Should TestShould Test“Won’t Test”“Won’t Test”
X2X2
testingtesting of of systemsystem
level level testingtesting
Example System Level TestingExample System Level Testing
IIIIII
2525
xxxx
xxxx
Use Cases (incl. alternatives)Use Cases (incl. alternatives)Decision Table TestingDecision Table Testing
Use Cases (basic flow)Use Cases (basic flow)Equivalence PartitioningEquivalence Partitioning
Improve Quality Services BV 16
IVIVIIIIII
55
1515
33 151599
xxxx
xx
xx
xx
LikelihoodLikelihood
ImpactImpact
Use Cases (incl. alternatives)Use Cases (incl. alternatives)Equivalence PartitioningEquivalence PartitioningUse Cases (basic flow)Use Cases (basic flow)
Differentiated Test Approach !!Differentiated Test Approach !!
•• Reviews & inspectionReviews & inspection
•• Test design startTest design start--up up meetingsmeetings
•• Reviews of test designReviews of test design
•• More time & effortMore time & effort
•• Most experienced Most experienced personperson
•• Priority settingPriority settingMust Test
Improve Quality Services BV 17
•• Reviews of test designReviews of test design
•• Level of detail of test Level of detail of test casescases
•• Exit criteriaExit criteria
•• Level of independenceLevel of independence
•• Priority settingPriority setting
•• Regression testingRegression testing
•• ReRe--testingtesting
without this risk managementdoesn’t make much sense !!
Must Test….. Test Approach …..
Should test…… Test Approach …..
Could Test….. Test Approach …..
Would Test….. Test Approach …..
Practical GuidelinePractical Guideline Shall be companyShall be companyspecificspecific
Test levelTest level QualityQuality
AttributeAttribute
LowLow
RiskRisk
MediumMedium
RiskRisk
High riskHigh risk
Acceptance Acceptance testtest
FunctionalityFunctionality IsolationIsolationrere--testtest
Basic flow UCBasic flow UC
Isolation Isolation rere--testtest
Use casesUse cases
Full reFull re--testtest
Use casesUse cases
Improve Quality Services BV 18
Basic flow UCBasic flow UC
TestersTesters
Use casesUse cases
TestersTesters
Use casesUse cases
Domain Domain expertsexperts
SecuritySecurity
System testSystem test FunctionalityFunctionality EquivalenceEquivalence
PartitioningPartitioning
No testware No testware reviewsreviews
EquivalenceEquivalence
PartitioningPartitioning
Internal Internal Review TDsReview TDs
DecisionDecision
Table testingTable testing
External External Review TDsReview TDs
…..
Recognize this .... ?Recognize this .... ?
�� After months of testing the system finally After months of testing the system finally goes life and …………. Failsgoes life and …………. Fails
�� Test manager says: ‘we already knew this Test manager says: ‘we already knew this would happen’would happen’
Improve Quality Services BV 19
would happen’would happen’
�� Who is at fault?Who is at fault?
�� Risk based testing = Risk based reportingRisk based testing = Risk based reporting
The majorThe majorTest DeliverableTest Deliverable
ManagementManagementInformation!!Information!!
20
25
Does this support managementDoes this support managementto make the release decision?to make the release decision?
Defect Reporting exampleDefect Reporting example
Improve Quality Services BV 20
0
5
10
15
wk1 wk2 wk3 wk4wk5 wk6 wk7 wk8 wk9w
k10
wk11
wk12
open defects
No, just
can I release !!
Communication Levels …Communication Levels …
Improve Quality Services BV 21
Risk Based Reporting (1)Risk Based Reporting (1)
TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS8
Risk item 1
Risk item 2
Improve Quality Services BV 22
Risk item 3
Risk item 4
Risk item 5
Can we release the product?Can we release the product?
TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS8
Risk item 1
Risk item 2
Management view
Improve Quality Services BV 23
Risk item 3
Risk item 4
Risk item 5
Survey ResultsSurvey Results
•• EaseEase--ofof--useuse 6,56,5 77 (large (large σσnn))
“it’s simple but not easy”“it’s simple but not easy”
7,67,6 88
averageaverage medianmedian
Improve Quality Services BV 24
•• UsefulnessUsefulness 7,67,6 88
•• EfficiencyEfficiency 7,47,4 77
•• EffectivenessEffectiveness 7,27,2 77
Benefits: Defect Detection %Benefits: Defect Detection %
80
introductionintroductionriskrisk--based testingbased testing
in addition to lead time reduction ...in addition to lead time reduction ...
Improve Quality Services BV 25
50
55
60
65
70
75
Y1 Y2 Y3 Y4 Y5
DDP Alpha Test
Key learning pointsKey learning points
�� A structured and A structured and practical approachpractical approach for for risk based testing is risk based testing is availableavailable
�� ReRe--discuss discuss the risk assessment on a the risk assessment on a regular basisregular basis
Improve Quality Services BV 26
regular basisregular basis
�� Define a risk based Define a risk based differentiated test differentiated test approachapproach
�� Provide riskProvide risk--based based management reportingmanagement reporting
�� … it doesn’t stop at the planning stage… it doesn’t stop at the planning stage
………
Thank You !!Thank You !!
Improve Quality Services BV 27
Full PRISMA white paper available Full PRISMA white paper available at at www.erikvanveenendaal.nlwww.erikvanveenendaal.nl
Thank You !!Thank You !!