SOFTWARE QUALITY ASSURANCE (SQA)

PROCESS

Version 1.4

September 4, 1997

Software Engineering Process Office (SEPO), D13

Space and Naval Warfare Systems Center (SPAWARSYSCEN)

53560 Hull Street
San Diego, CA 92152-5001
 SQA Process
Version 1.4
9/4/1997

SOFTWARE QUALITY ASSURANCE (SQA)

PROCESS

Version 1.4

September 4, 1997

_____________________________________

ii
 SQA Process
Version 1.4
9/4/1997
Developed by Ann Hess, Software Engineering Process Office, D13,
SPAWARSYSCEN SAN DIEGO CA

_____________________________________
Approved by Elizabeth Gramoy, Director, Software Engineering Process Office,
D13, SPAWARSYSCEN SAN DIEGO CA

iii
 SQA Process
Version 1.4
9/4/1997

Administrative Information

Software Engineering Process Office, D13

Space and Naval Warfare Systems Center (SPAWARSYSCEN)
53560 Hull Street
San Diego, CA 92152-5001

SOFTWARE QUALITY ASSURANCE (SQA) PROCESS

Version 1.4

This document supersedes version 1.3 as guidance on the Software Quality Assurance
Process at Space and Naval Warfare Systems Center (SPAWARSYSCEN SAN DIEGO
CA). SEPO assumes responsibility for this document and updates it as required to meet
the needs of users within SPAWARSYSCEN SAN DIEGO CA. SEPO welcomes and
solicits feedback from users of this document so that future revisions of this document
will reflect improvements, based on organizational experience and lessons learned.

If you have any questions or comments regarding this document please feel free to
communicate them via the Document Change Request (DCR) form located at the back of
this document.

Approved for public release; distribution is unlimited.

Ann Hess, SEPO, SPAWARSYSCEN SAN DIEGO CA, D13

Voice: (619)553-3351, Fax: (619)553-6249, Internet: [email protected]

iv
 SQA Process
Version 1.4
9/4/1997

RECORD OF CHANGES

*A - ADDED M - MODIFIED D - DELETED

NUMBER OF A* CHANGE
CHANGE DATE FIGURE, TABLE OR M TITLE OR BRIEF DESCRIPTION REQUEST
NUMBER PARAGRAPH D NUMBER

1 8/19/ Complete document M (1) Correct discrepancies. 1

1997
M (2) Move “Establish SQA Organization”
before “Identify/Select SQA Tasks”.

M (3) Moved terms and definition to Section

10 and include list of acronyms.

2 9/4/97 Complete document M (1) Change references from NRaD to 2

SPAWARSYSCEN SAN DIEGO CA

M (2) Change references to intranet address

from nosc.mil to spawar.navy.mil

v
 SQA Process
Version 1.4
9/4/1997

TABLE OF CONTENTS

1. INTRODUCTION..........................................................................................................................................
1.1 PURPOSE............................................................................................................................................
1.2 BACKGROUND..................................................................................................................................
1.3 ENTRY CRITERIA.............................................................................................................................
1.4 SCOPE.................................................................................................................................................
1.5 TAILORING GUIDELINES.................................................................................................................
1.6 DOCUMENT OVERVIEW..................................................................................................................
1.7 REFERENCES.....................................................................................................................................
2. ESTABLISH SQA ORGANIZATION.......................................................................................................

3. SELECT SQA TASKS.................................................................................................................................

3.1 SQA OF SOFTWARE PRODUCTS, TOOLS, AND FACILITIES........................................................
3.1.1 Task: Review Software Products.......................................................................................................
3.1.2 Task: Evaluate Software Tools...........................................................................................................
3.1.3 Task: Evaluate Facilities....................................................................................................................
3.2 SOFTWARE PROCESS AUDITS........................................................................................................
3.2.1 Task: Evaluate Software Products Review Process...........................................................................
3.2.2 Task: Evaluate Project Planning and Oversight Process..................................................................
3.2.3 Task: Evaluate System Requirements Analysis Process.....................................................................
3.2.4 Task: Evaluate System Design Process..............................................................................................
3.2.5 Task: Evaluate Software Requirements Analysis Process.................................................................
3.2.6 Task: Evaluate Software Design Process...........................................................................................
3.2.7 Task: Evaluate Software Implementation and Unit Testing Process.................................................
3.2.8 Task: Evaluate Unit Integration and Testing, CSCI Qualification Testing, CSCI/HWCI
Integration and Testing, and System Qualification Testing.........................................................................
3.2.9 Task: Evaluate End-item Delivery Process.......................................................................................
3.2.10 Task: Evaluate the Corrective Action Process.................................................................................
3.2.11 Task: Media Certification.................................................................................................................
3.2.12 Task: Nondeliverable Software Certification...................................................................................
3.2.13 Task: Evaluate Storage and Handling Process................................................................................
3.2.14 Task: Evaluate Subcontractor Control.............................................................................................
3.2.15 Task: Evaluate Deviations and Waivers Process.............................................................................
3.2.16 Task: Evaluate Configuration Management Process.......................................................................
3.2.17 Task: Evaluate Software Development Library Control Process....................................................
3.2.18 Task: Evaluate Non-developmental Software Process.....................................................................
3.2.19 Task: Perform Configuration Audits................................................................................................
3.2.20 Task: Verifying Implementation of Requirements Management KPA.............................................
3.2.21 Task: Verifying Implementation of Software Project Planning KPA..............................................
3.2.22 Task: Verifying Implementation of Software Project Tracking and Oversight KPA.......................
3.2.23 Task: Verifying Implementation of Software Subcontract Management KPA.................................
3.2.24 Task: Verifying Implementation of Software Configuration Management KPA..............................
3.2.25 Task: Verifying Implementation of Organization Process Definition KPA......................................
3.2.26 Task: Verifying Implementation of Integrated Software Management KPA....................................
3.2.27 Task: Verifying Implementation of Software Product Engineering KPA.........................................
3.2.28 Task: Verifying Implementation of Intergroup Coordination KPA..................................................
3.2.29 Task: Verifying Implementation of Peer Reviews KPA.....................................................................
3.3 TECHNICAL AND MANAGEMENT REVIEWS................................................................................
3.3.1 Task: Participate in Technical Reviews.............................................................................................
3.3.1.1 Task: Report on Technical Review............................................................................................................
3.3.1.2 Task: Report Technical Review Metrics....................................................................................................

vi
 SQA Process
Version 1.4
9/4/1997
3.3.2 Task: Participate In Management Reviews........................................................................................
3.4 SQA REPORTING...............................................................................................................................
3.4.1 Task - Prepare Software Product Evaluation Records.......................................................................
3.4.2 Task - Prepare Software Process Audit Reports.................................................................................
3.5 SQA METRICS....................................................................................................................................
3.5.1 Task: Collect and Report Software Product Evaluation Metrics......................................................
3.5.2 Task: Collect and Report Software Product Quality Metrics............................................................
3.5.3 Task - Collect and Report Software Process Audit Metrics................................................................
4. CREATE/MAINTAIN SQA PLAN...........................................................................................................
4.1 SAMPLE PROCEDURES TO CREATE AND MAINTAIN A PROJECT SQA PLAN.........................
5. IMPLEMENT SQA PLAN..........................................................................................................................

6. CREATE/MAINTAIN SQA PROCEDURES...........................................................................................

7. IDENTIFY SQA TRAINING......................................................................................................................

8. IDENTIFY/SELECT SQA TOOLS...........................................................................................................

8.1 SQA TOOLS SELECTION PROCESS.................................................................................................
9. IMPROVE PROJECT SQA PROCESSES..............................................................................................

10. TERMS, DEFINITIONS AND ACRONYMS.........................................................................................

10.1 TERMS AND DEFINITIONS............................................................................................................
10.2 ACRONYMS.....................................................................................................................................

LIST OF TABLES

TABLE 1. MEASUREMENTS FOR SQA..........................................................................................................

LIST OF FIGURES

Figure 1. SQA Process Overview......................................................................................................................

FIGURE 2. EXAMPLE SQA ORGANIZATION..................................................................................................
FIGURE 3. SELECT SQA TASKS OVERVIEW.................................................................................................
FIGURE 4. SAMPLE SOFTWARE TOOL EVALUATION FORM...........................................................................
FIGURE 5. SAMPLE SOFTWARE TOOL EVALUATION FORM...........................................................................
FIGURE 6. SOFTWARE PROCESS AUDITS OVERVIEW.....................................................................................
FIGURE 7. PROCESS AUDIT REPORT FORM..................................................................................................
FIGURE 8. SAMPLE SRS EVALUATION METRIC............................................................................................
FIGURE 9. SAMPLE PROCESS AUDIT METRIC...............................................................................................
FIGURE 10. SAMPLE PROCEDURES TO CREATE AND MAINTAIN A PROJECT SQAP.........................................
FIGURE 11. SAMPLE PROCEDURES TO CREATE AND MAINTAIN A PROJECT SQAP (CONTINUED)....................

vii
 1INTRODUCTION

1.1PURPOSE

The purpose of this document is to assist Space and Naval Warfare Systems Center, San
Diego, CA (SPAWARSYSCEN SAN DIEGO CA) projects in establishing a Software
Quality Assurance (SQA) function. This SQA process describes eight activities. They
are:

1. Establish SQA Organization

2. Select SQA Tasks
3. Create/Maintain SQA Plan
4. Implement SQA Plan
5. Create/Maintain SQA Procedures
6. Identify SQA Training
7. Identify/Select SQA Tools
8. Improve Project SQA Processes.

Figure 1 is an overview of the SQA process activities.

1.2BACKGROUND

This document provides the activities for achieving compliance with the SQA Key
Process Area (KPA) at the “Repeatable” level on the Software Engineering Institute’s
(SEI) Software Capability Maturity Model (SW-CMM) and meeting Department of
Defense (DOD) and industry guidelines. This document covers the activities for
implementing SQA for a project.

1.3ENTRY CRITERIA

There are three entrance criteria for following this process:

1. Program and project management commitment to the SPAWARSYSCEN SAN

DIEGO CA SQA Policy.

2. Quality Factors have been identified.

3. Quality Program is defined in the Software Development Plan (SDP) and/or

Statement of Work (SOW).

SPAWARSYSCEN SAN DIEGO CA SQA Policy is our written organizational policy

for implementing SQA to provide management with appropriate visibility into the
process being used by the software project and of the products being built. The SQA
Policy is based on the SQA KPA of the SEI SW-CMM. Program and project
management must commit to this policy and ensure it is followed.

Quality Factors are characteristics which a software product exhibits that reflect the
degree of acceptability of the product to the user. Identifying quality factors is a
software engineering activity that involves identifying and building quality factors in the
software program which can be measured and evaluated. See references 3, 4, and 5 for
assistance in identifying quality factors.

A Quality Program is defined by the processes that will be used in developing software.
Software is, or should be, developed and maintained in accordance with a defined
process. A software development or maintenance process consists of the activities that
must be performed, the specific products that result from these activities, and the reviews
and audits that are held during, and at the conclusion of, these activities. The SDP is the
guide that should control all of the software developer’s activities and is the vehicle by
which the developer tells the acquirer how they will do the job. The SDP is tailored
specifically for the project, but should include proven methods and procedures from past
successful software development projects. The quality program is the checks and
balances in the software development process or methodology that will ensure that
quality software is being built. The quality program is defined in the project SDP and/or
SOW. MIL-STD-498, Software Development and Documentation, is the software
development standard referenced in this document.

1.4SCOPE

This process can be applied to a specific project within SPAWARSYSCEN SAN DIEGO
CA or an outside organization.

1.5TAILORING GUIDELINES

Projects that find it necessary to provide more in-depth details to their SQA processes
may add additional requirements to this process.

1.6DOCUMENT OVERVIEW

Section 1, Introduction, provides the purpose, background, entry criteria to this process,
scope, tailoring guidelines, and references.

Section 2, Establish SQA Organization, describes the measure of independence for

establishing an SQA organization.

Section 3, Select SQA Tasks, provides a list of SQA tasks that can or should be
performed by SQA on a project. This process activity involves program or project
management to agree with the SQA representative on the tasks that SQA will perform.
The selected SQA tasks are an input to the SQAP.
Section 4, Create/Maintain SQA Plan, describes the activity for documenting what SQA
plans to do to support the project by identifying all the SQA activities that will be
performed, getting project buy-in (all project participants review the plan), getting
program/project approval of the plan, placing the plan under configuration control, and
how process improvement may affect a change to the SQA Plan (SQAP) by requiring
approval of a change/update to the plan. The SQAP clearly defines the products to be
reviewed by SQA and the project processes to be audited by SQA.

Section 5, Implement SQA Plan, is the project’s implementation of the approved SQAP.

Section 6, Create/Maintain SQA Procedures, describes the activity for documenting how
SQA will perform a task, such as, SQA procedural steps to audit a process or evaluate a
software product. The goal of this process activity is to show “repeatability” of
performing a specific task.

Section 7, Identify SQA Training, describes the activity of SQA personnel identifying
any SQA training that may be required to perform the SQA tasks. Project specific
requirements will dictate what training SQA needs to adequately perform the SQA
function.

Section 8, Identify/Select SQA Tools, defines the steps in selecting a SQA tool to
support an SQA function or functions.

Section 9, Improve Project SQA Processes, describes the activity of project SQA
personnel to review existing project SQA processes and report on areas for improvement
and identify processes that need to be defined.

Section 10, is a list of terms, definitions, and acronyms.

1.7REFERENCES

The following documents were used to develop this process document:

1. CMU/SEI-93-TR-24, Capability Maturity Model for Software, Version 1.1, February

1993
2. SPAWARSYSCEN SAN DIEGO CA Software Quality Assurance Policy
3. Specifying Software Quality Requirements with Metrics, Steven E. Keller and
Lawrence G. Kahn, Dynamics Research Corporation, and Roger B. Panara, Rome
Air Development Center
4. A Method for Tailoring the Information Content of a Software Process Model, Dr.
Sharon Perkins and Mark B. Arend, Society for Software Quality Journal,
November 1994
5. SPAWARSYSCEN SAN DIEGO CA Requirements Management Guidebook
6. SPAWARSYSCEN SAN DIEGO CA Formal Inspection Process
7. ANSI/IEEE Std 730-1989, Standard for Software Quality Assurance Plans
8. IEEE Std 1298/A3563.1, Software Quality Management System
9. DOD-STD-2168, Defense System Software Quality Program
10. Data Item Description (DID) DI-QCIC-80572, Software Quality Program Plan
11. MIL-HDBK-286, A guide for DOD-STD-2168
12. MIL-STD-498, Software Development and Documentation
13. Process Development Guidelines for SPAWARSYSCEN SAN DIEGO CA Software
Engineering Process Documents, Version 2.0, 12/11/96
14. MIL-STD-1521B, Technical Reviews and Audits for System, Equipments, and
Computer Software (audit portion superseded by MIL-STD-973)
15. MIL-STD-973, Configuration Management
Figure 1. SQA Process Overview
 2ESTABLISH SQA ORGANIZATION

Many sources of good software practice call for a measure of independence for the SQA
group. This independence provides a key strength to SQA; that is, SQA has the freedom,
if the quality of the product is being jeopardized, to report this possibility directly above
the level of the project. While in practice this rarely occurs (for almost all problems are
correctly addressed at the project level), the fact that the SQA group can go above the
project level gives it the ability to keep many of these problems at the project level.

The SQA function may be assigned to one person or to an organization, or it may be

assigned to multiple persons or organizations. If an Independent Verification and
Validation (IV&V) function has been established for the project, the SQA organizational
group may be in the reporting line for IV&V information.

Figure 2 shows an example SQA organization with relation to the project organization.
The project SQA organization, including roles and responsibilities, is documented in the
project SQAP. The organization chart called for in the SQAP, SDP, SCMP, and other
plans controlling the project’s execution should be consistent.
Figure 2. Example SQA Organization
 3SELECT SQA TASKS

In implementing a Quality Program, program and project management should include

SQA activities to assure that the software development processes or methodology defined
in the SDP are followed. SQA’s role will:

1. identify and help mitigate project risk,

2. provide senior management with visibility into development activities, and
3. provide feedback into the effectiveness of continuous improvement in the
software development process.

This process activity requires the person tasked to perform SQA and program or project
management to identify and plan the SQA tasks to be performed. The objective is to
select those tasks that will provide an appropriate level of SQA on the project.
Identifying any SQA tasks requires consideration and compatibility with the project’s
SDP, SCMP, and other plans controlling the project’s execution. SQA tasks are
documented in the project SQAP.

Figure 3 provides an overview of the SQA Process Activity “Select SQA Tasks”. The
list of SQA tasks is not intended to be an inclusive list of all SQA tasks.
Figure 3. Select SQA Tasks Overview
3.1SQA OF SOFTWARE PRODUCTS, TOOLS, AND FACILITIES

An SQA review of software products is evaluating a software product against a

prescribed standard or guideline and reporting errors, omissions, and additions for
corrective action. The SQA evaluation of tools used by the project may be necessary to
ensure that the project is using the appropriate technology for developing the software,
using the tool for its intended purpose, and using the tool by properly trained project
personnel. The SQA evaluation of project facilities helps management to consider such
things as future purchases, expansion of laboratory space, or possibly sharing resources
with another project’s facility.

3.1.1Task: Review Software Products

SQA reviews of software products shall be applied, but not limited, to the following:
development plans, standards, procedures, tools, and processes; software requirements;
software design; code; control mechanisms for tracking the design, code, database,
manuals, and test information (testing of software units; software integration tests;
software performance tests).

The project’s SDP identifies all software products to be developed and evaluated and
should include the standards or guidelines to be followed. As required, SQA should
assist the project in identifying the standards or guidelines to be followed in developing
the software product. Additionally, the project SDP should identify the review process
of the software products. The project SQAP should list the software products to be
evaluated by SQA and identify the review process to be followed.

The following provides examples of two types of software product reviews:

1. Informal Walkthrough (can also be called Non-Author Review, Technical

Review) - the item being reviewed is presented by the primary author in
an informal setting with his or her peers. Defects noted are recorded and
the author is obligated to address or fix them.

2. Formal Inspections - the item being reviewed is formally presented and

discussed in a group meeting conducted by a facilitator rather than the item’s
primary author. Errors discovered are rigorously recorded, categorized, and
analyzed for trends. SPAWARSYSCEN SAN DIEGO CA’s Formal
Inspection Process is a defined, structured, and disciplined method for finding
defects in any software work product at any stage of its development or
maintenance. See reference 6 in section 1.7.
SQA should report the results of the software product evaluation using the prescribed
format and report the metric for performing this task.

3.1.2Task: Evaluate Software Tools

SQA shall conduct evaluations of tools, both existing and planned, used for software
development and support. The tools are evaluated for adequacy by assessing whether
they perform the functions for which the tools are intended and for applicability by
assessing whether the tools capabilities are needed for the software development or
support. Planned tools are evaluated for feasibility by assessing whether they can be
developed with the techniques and computer resources available or by procurement.
Figure 4 provides an example format for reporting the results of a software tool
evaluation. The metric for performing this task should be reported.
 SOFTWARE TOOL EVALUATION

SQA:_________________________ DATE OF
EVALUATION:________

Software Tool Evaluated:

Methods or criteria used in the evaluation:

Evaluation Results:

Recommended Corrective Actions

Corrective Action Taken

Figure 4. Sample Software Tool Evaluation Form
3.1.3Task: Evaluate Facilities

SQA shall evaluate facilities, both existing and planned, for adequacy by assessing
whether they provide the needed equipment and space used for software development
and support. Figure 5 provides an example format for reporting the results of the
project’s software development and support facilities. The metric for performing this
task should be reported.
 PROJECT FACILITIES EVALUATION

SQA:_________________________ DATE OF
EVALUATION:________

Facility Evaluated (Equipment, User/Test/Library Space):

Methods or criteria used in the evaluation:

Evaluation Results:

Recommended Corrective Actions

Corrective Action Taken

 Figure 5. Sample Software Tool Evaluation Form

3.2SOFTWARE PROCESS AUDITS

Audits of compliance for prescribed organizational and project processes are a critical
component of software quality. Software Process Audits are conducted to ensure that the
process defined by the organization and the SDP are followed as the project progresses.
These audits take the form of selected reviews of individual project activities to
determine that the project conducts each activity.

Process improvement requires the process used on the project be periodically assessed to
determine their suitability and effectiveness. Based on these assessments, SQA should
identify any necessary and beneficial improvements to the process, and identify those
improvements as proposed updates to the SDP, SCMP, SQAP, or other plans controlling
the project’s execution, and if approved, implement the improvements on the project.
The following are guidelines when performing a software process audit by SQA:

1. Means of determining the scope of the audit - SQA should follow a defined
procedure in conducting the audit to ensure that the right steps are identified
and are being reviewed to provide the maximum benefit. The SQA Audit
Procedure should be made available to project personnel. This will
communicate SQA’s scope and purpose of conducting a specific software
process audit, e.g., SQA will audit the project’s peer review process for code,
unit test cases, and unit test procedures.

2. Process compliance - For those areas where the process is being followed, SQA
should favorably report the effectiveness of the process activity in meeting
activity and project goals, and recommended action to be taken, if any
(change the process if the process is not robust enough).

3. Process noncompliance - For those areas where the process is not being followed,
SQA should report noncompliance, its impact on the project, and recommended
action be taken by the project team and management.

A sample format for a Process Audit Report is found in Section 2.4, SQA Reporting.
The metric for performing this activity should also be reported.
The following tasks descriptions include phase specific activities of MIL-STD-498 and
verifying implementation of the Key Process Areas (KPAs) of the SW-CMM. Figure 6
provides an expanded overview of the SQA Task “Software Process Audits”.
Figure 6. Software Process Audits Overview
3.2.1Task: Evaluate Software Products Review Process

SQA evaluation of the Software Products Review process checks that software products
that are ready for review are reviewed, review results are reported and issues or problems
reported are resolved in accordance with the project’s SDP and procedures. Software
products may include representations of information other than traditional hard-copy
documents.

SQA should report the results of evaluating the software products review process using
the Process Audit Report form and report the metric for performing this task.

3.2.2Task: Evaluate Project Planning and Oversight Process

Project planning and oversight requires project management to develop and document
plans for the following:

Software Development Planning - A plan for conducting the activities required by the
software development standard, e.g., DOD-STD-2167A, MIL-STD-498, and by other
software-related requirements in the contract, Memorandum of Agreement,
Memorandum of Understanding, etc. Planning is documented in the SDP which
identifies events, reviews, and audits to be performed on the project based on the
appropriate point in the software development lifecycle.

CSCI Test Planning - A plan for conducting CSCI qualification testing. Planning is
documented in the Software Test Plan.

System Test Planning - A plan for conducting system qualification testing. For software
systems, planning is included in the Software Test Plan.

Software Installation Planning - A plan for performing software installation and training
at the user sites. Planning is documented in the Software Installation Plan.

Software Transition Planning - A plan for identifying all software development resources
that will be needed by the support agency, e.g., Software Support Activity, to fulfill the
support concept, e.g., maintenance. Planning for this involves identifying the resources
and describing the approach to be followed to transition deliverable items to the support
agency. Planning is documented in the Software Transition Plan.

SQA ensures that the project conduct the relevant activities stated in those project plans.
Any changes to those plans would require update and approval by project management.
For planning documents to be developed, SQA would identify standards or guidelines, or
an appropriate Data Item Description (DID) and assist with the tailoring of the standard,
guideline, or DID to meet the project’s needs.
3.2.3Task: Evaluate System Requirements Analysis Process

Requirements analysis establishes a common understanding of the customer’s

requirements between the customer and the software project team. An agreement with
the customer on the requirements for the software project is established and maintained.
This agreement is known as allocating system requirements to software and hardware.
System requirements are documented, such as in the Operational Concept Description
(OCD), System/Subsystem Specification (SSS), and Interface Requirements
Specification (IRS).

SQA shall perform the following:

a. Ensure that the correct participants are involved in the requirements definition
and allocation process to identify all user needs.

b. Ensure that requirements are reviewed to determine if they are feasible to

implement, clearly stated, and consistent.

c. Ensure that changes to allocated requirements, work products, and activities are
identified, reviewed, and tracked to closure.

d. Ensure that project personnel involved in the requirements definition and

allocation process are trained in the necessary procedures and standards
applicable to their area of responsibility in order to do the job correctly.

e. Ensure that the commitments resulting from allocated requirements are agreed
upon by negotiated with the affected groups.

f. Verify that commitments are documented, communicated, reviewed, and

accepted.

g. Ensure that allocated requirements identified as having potential problems are

reviewed with the group responsible for analyzing system requirements and
documents, and that necessary changes are made.

h. Verify that the prescribed processes for defining, documenting, and allocating
requirements are followed and documented.

i. Confirm that a CM process is in place to control and manage the baseline.

j. Verify that requirements are documented, managed, controlled, and traced

(preferably via a matrix).
 k. Verify that the agreed upon requirements are addressed in the SDP.

3.2.4Task: Evaluate System Design Process

System-wide design decisions are decisions about the system’s behavioral design and
other decisions affecting the selection and design of system components. System
architectural design is organizing a system into subsystems, organizing a subsystem into
Hardware Configuration Items (HWCIs), Computer Software Configuration Items
(CSCIs), and manual operations, or other variations as appropriate. System design is
documented, such as in the System/Subsystem Design Description (SSDD) and Interface
Design Description (IDD).

SQA shall perform the following:

a. Ensure that lifecycle documents and the traceability matrix are prepared and kept
current and consistent.

b. Verify that relevant lifecycle documents are updated and based on approved
requirements change.

c. Ensure that design walkthroughs (peer reviews) evaluate compliance of the design
to the requirements, identify defects in the design, and alternatives are
evaluated and reported.

d. Participate in a sampled set of design walkthroughs and verify all walkthroughs

are conducted.

e. Identify defects, verify resolution for previously identified defects, and ensure
change control integrity.

f. Selectively review and audit the content of system design documents.

g. Identify lack of compliance with standards and determine corrective actions.

h. Determine whether the requirements and accompanying design and tools conform
to standards, and whether waivers are needed prior to continuing software
development.

i. Review demonstration prototypes for compliance with requirements and

standards.

j. Ensure that the demonstration conforms to standards and procedures.

k. Review the status of design milestones.

3.2.5Task: Evaluate Software Requirements Analysis Process

Software Requirements Analysis is defining and recording the software requirements to

be met by each CSCI, the methods to be used to ensure that each requirement has been
met, and the traceability between the CSCI requirements and system requirements.
Software requirements are documented, such as in the Software Requirements
Specification (SRS) and IRS.

SQA shall perform the following:

a. Ensure that the software requirements definition and analysis process and
associated requirements reviews are conducted in accordance with the
standards and procedures established by the project and as described in the
SDP.

b. Ensure that action items resulting from reviews of the software requirements
analysis are resolved in accordance with these standards and procedures.

3.2.6Task: Evaluate Software Design Process

Preliminary design activity determines the overall structure of the software to be built.
Based on the requirements identified in the previous phase, the software is partitioned
into modules, and the function(s) of each module and relationships among these modules
are defined.

Detailed design is to define and complete the detailed design of software logically to
satisfy allocated requirements. The level of detail of this design must be such that the
coding of the computer program can be accomplished by someone other than the original
designer. Software design is documented, such as in the Software Design Description
(SDD), Database Design Description (DBDD), and Interface Design Description (IDD).

SQA shall perform the following:

a. Ensure that the software design process and associated design reviews are
conducted in accordance with standards and procedures established by the
project and as described in the SDP.

b. Ensure that action items resulting from reviews of the design are resolved in
accordance with these standards and procedures.

c. Evaluate the method used for tracking and documenting the development of a
software unit in order to determine the method's utility as a management tool
for assessing software unit development progress. Example criteria to be
applied for the evaluation are the inclusion of schedule information, results of
 audits, and an indication of internal review and approval of what was
reviewed.

d. Ensure that the method, such as the Software Development File (SDF) or Unit
Development Folder (UDF) used for tracking and documenting the development
of a software unit is implemented and is kept current.

3.2.7Task: Evaluate Software Implementation and Unit Testing Process

Software implementation or coding is the point in the software development cycle at

which the design is implemented. This process includes unit testing of the software.

SQA shall perform the following:

a. Ensure that the coding process, associated code reviews, and software unit testing
are conducted in conformance with the standards and procedures.

b. Ensure that action items resulting from reviews of the code are resolved in
accordance with these standards and procedures established by the project and
as described in the SDP.

c. Ensure that the SDF/UDF used for tracking and documenting the development of
a software unit is implemented and is kept current.

3.2.8Task: Evaluate Unit Integration and Testing, CSCI Qualification Testing,

CSCI/HWCI Integration and Testing, and System Qualification Testing

Software integration and test activities combine individually developed components

together in the developing environment to ensure components work together to complete
the software and system functionality. For joint hardware and software development,
integration requires close synchronization of hardware and software to meet designated
integration and test milestones.

In the integration and test phase of the development lifecycle, the testing focus shifts
from an individual component correctness to the proper operation of interfaces between
components, the flow of information through the system, and the satisfaction of system
requirements.

SQA shall perform the following:

a. Ensure that software test activities are identified, test environments have been
defined, and guidelines for testing have been designed. SQA will verify the
software integration process, software integration testing activities and the
software performance testing activities are being performed in accordance
 with the SDP, the software design, the plan for software testing, and
established software standards and procedures.

b. Ensure any transfer of code to personnel performing software integration testing

or software performance testing is being accomplished in accordance with
established software standards and procedures.

c. Ensure as many of the software integration tests as necessary and all of the
software performance tests are witnessed to ensure that the approved test
procedures are being followed, that accurate records of test results are being
kept, that all discrepancies discovered during the tests are being properly
reported, that test results are being analyzed, and the associated test reports
are completed.

d. Ensure the corrective action process effectively allows discrepancies discovered

during software integration and performance tests are identified, analyzed,
and corrected; software unit tests, and software integration tests are re-
executed as necessary to validate corrections made to the code; and the
software unit's design, code, and test is updated based on the results of
software integration testing, software performance testing, and corrective
action process.

e. Ensure the software performance tests produce results that will permit
determination of performance parameters of the software.

f. Ensure that the responsibility for testing and for reporting on results has been
assigned to a specific organizational element.

g. Ensure that procedures are established for monitoring testing.

h. Review the Software Test Plan and Software Test Procedures for compliance
with requirements and standards.

i. Ensure that the software is tested.

j. Monitor test activities, witness tests, and certify test results.

k. Ensure that requirements have been established for the certification or calibration
of all support software or hardware used during tests.

3.2.9Task: Evaluate End-item Delivery Process

This activity is applicable for those projects providing a one-time delivery of a product
and may also be interpreted as required deliveries for a specified time period or time
frame.
SQA shall evaluate the activities in preparation for end-item delivery to ensure that
program or project requirement, if any, for functional and physical audits of the end-
item products are being satisfied. In some cases, SQA should be allowed to prohibit
delivery of certain items, such as documentation, code, or a system, if the project fails to
meet program or project requirements or standards.

3.2.10Task: Evaluate the Corrective Action Process

The corrective action process describes the steps for (1) problem identification and
correction occurring during software development to ensure early detection of actual or
potential problems, (2) reporting of the problem to the proper authority, (3) analysis of
the problem in order to propose corrective measures, (4) timely and complete corrective
action, and (5) the recording and follow-up of each problem's status. Problems in this
context include documentation errors, software errors, and noncompliance with standards
and procedures.

SQA shall perform the following:

a. Periodically review the corrective action processes and their results against the
SCMP in order to assess the effectiveness of the correction action process.

b. Perform periodic analysis of all reported problems to identify trends that may
disclose generic problem areas. These analyses shall include the study of the
causes, magnitude of impact, frequency of occurrence, and preventive measures.

3.2.11Task: Media Certification

SQA shall certify that the media containing the source code and the media containing the
object code which are delivered to the procuring agency correspond to one another. SQA
shall certify also that the software version represented by this media matches that on
which software performance testing was performed, or correctly represents an authorized
update of the code, as applicable.

SQA reports, together with the corrective action records, software test reports, and
software product evaluation records can constitute the required evidence for certification.

3.2.12Task: Nondeliverable Software Certification

The project may use non-deliverable software in the development of deliverable software
as long as the operation and support of the deliverable software, after delivery to the
acquirer, does not depend on the non-deliverable software or provision is made to ensure
that the acquirer has or can obtain the same software. SQA shall certify that the use of
non-deliverable software meets the above criteria, that is, deliverable software is not
dependent on non-deliverable software to execute, or verify that the acquirer can obtain
the same software. SQA shall certify that all non-deliverable software used on the
project performs its intended functions.

SQA reports, together with the corrective action records, software test reports, and
software product evaluation records can constitute the required evidence to verify that the
software performs its intended functions.

3.2.13Task: Evaluate Storage and Handling Process

SQA shall verify that there is an established plan, methodology, or set of procedures for
storage and handling of the media. SQA shall evaluate the storage of the software
product and documentation to ensure that storage areas for paper products or media are
free from adverse environmental effects such as high humidity, magnetic forces, and
dust.

3.2.14Task: Evaluate Subcontractor Control

SQA shall be responsible for ensuring that the quality of all software products from
subcontractors conforms to the contract requirements and that the subcontractor's CM
plan and procedures are being followed.

3.2.15Task: Evaluate Deviations and Waivers Process

SQA shall assist program or project management, with requests for deviations and
waivers if required, and verify that the deviation or waiver request is processed in
accordance with the project’s SCMP and approved by the approving agency.

3.2.16Task: Evaluate Configuration Management Process

Configuration Management is the discipline that applies technical and administrative

direction and surveillance to (1) Identify and document the functional and physical
characteristics of CIs, (2) Control the changes to CIs and their related documentation, (3)
Record and report information needed to manage CSCIs effectively, including the status
of proposed changes and the implementation status of approved changes, and (4) Audit
the CIs to verify conformance to specifications, interface control documents, and other
requirements.

SQA shall evaluate the following:

a. Ensure that configuration identification of documents, code, and computer data

have established standards for titling, naming, and describing change status.
 b. Ensure that baseline management of changes to the developmental baseline
(including documents, code and computer data) are identified, reviewed,
implemented, and incorporated in accordance with established procedures.

c. Ensure configuration control of changes to baseline documents and software are

being managed in accordance with CM requirements specified in the SDP.

d. Ensure configuration status accounting reports are prepared at established times,

are prepared in accordance with established procedures, and report the status
of items that are significant with respect to the management of the
configuration of the software product and documentation.

e. Ensure that the personnel assigned to participate in the configuration audits

comply with the SCMP.

f. Ensure for document control that only approved, up-to-date documentation is

being used by project personnel, and that the document distribution process
results in receipt of correct documentation.

g. Ensure that the program support library is the single place of storage for the
baseline version of all software and ensure that the identification of all software
includes the software name and a unique version identifier. The evaluation shall
also determine that control of access to software products is being properly
exercised and that unauthorized changes to master files cannot occur.

3.2.17Task: Evaluate Software Development Library Control Process

The SDL functions as the main control point for software CM. A SDL contains all units
of code developed for evolving project CSCIs, as well as carefully identified listings,
patches, errata, CSCI and system magnetic tapes and disk packs, and job control streams
for operating or building software systems. The SDL also contains previous versions of
the operational software system in the form of magnetic tapes or disk packs.

SQA shall perform the following:

a. Ensure the establishment of the SDL and procedures to govern its operation.

b. Ensure that documentation and computer program materials are approved and
placed under library control.

c. Ensure the establishment of formal release procedures for CM approved

documentation and software versions.
 d. Ensure that library controls prevent unauthorized changes to the controlled
software and ensure the incorporation of all approved changes.

3.2.18Task: Evaluate Non-developmental Software Process

Non-Developmental Software (NDS) is software that is provided by the contractor, the

Government, or a third party. NDS may be referred to as reusable software,
Government-furnished software, or commercially available software depending on it
source. SQA shall verify that non-developmental software performs its intended
functions.

3.2.19Task: Perform Configuration Audits

SQA may be required to perform or assist in a formal configuration audit in accordance

with the project SCMP. A configuration audit is a formal examination of a CSCI. Two
types of configuration audits exist: The Function Configuration Audit (FCA) and the
Physical Configuration Audit (PCA). (MIL-STD-973 provides further details of these
two audits.)

3.2.20Task: Verifying Implementation of Requirements Management KPA

The purpose of Requirements Management is to establish a common understanding of the

customer’s requirements between the customer and the software project.

The SQA group reviews and/or audits the activities and work products for managing the
allocated requirements and reports the results.

3.2.21Task: Verifying Implementation of Software Project Planning KPA

The purpose of Software Project Planning is to establish reasonable plans for performing
the software engineering and for managing the software project.

The SQA group reviews and/or audits the activities and work products for software
project planning and report the results.

3.2.22Task: Verifying Implementation of Software Project Tracking and Oversight KPA

The purpose of Software Project Tracking and Oversight is to establish adequate

visibility into actual progress so that management can take effective actions when the
software project’s performance deviates significantly from the software plans.
The SQA group reviews and/or audits the activities and work products for software
project tracking and oversight and report the results.

3.2.23Task: Verifying Implementation of Software Subcontract Management KPA

The purpose of Software Subcontract Management is to select qualified software

subcontractors and manage them effectively.

The SQA group reviews and/or audits the activities and work products for software
subcontract and report the results.

3.2.24Task: Verifying Implementation of Software Configuration Management KPA

The purpose of Software Configuration Management is to establish and maintain the

integrity of the products of the software project throughout the project’s software life
cycle.

The SQA group reviews and/or audits the activities and work products for software
configuration management and report the results.

3.2.25Task: Verifying Implementation of Organization Process Definition KPA

The purpose of Organization Process Definition is to develop and maintain a usable set
of software process assets that improve process performance across the projects and
provide a basis for cumulative, long-term benefits to the organization.

The SQA group reviews and/or audits the organization’s activities and work products for
developing and maintaining the organization’s standard software process and related
process assets and report the results.

3.2.26Task: Verifying Implementation of Integrated Software Management KPA

The purpose of Integrated Software Management is to integrate the software engineering

and management activities into a coherent, defined software process that is tailored from
the organization’s standard software process and related process assets, which are
described in Organization Process Definition.

The SQA group reviews and/or audits the activities and work products for managing the
software project and report the results.

3.2.27Task: Verifying Implementation of Software Product Engineering KPA

The purpose of Software Product Engineering is to consistently perform a well-defined

engineering process that integrates all the software engineering activities to produce
correct, consistent software products effectively and efficiently.
The SQA group reviews and/or audits the activities and work products for software
product engineering and report the results.

3.2.28Task: Verifying Implementation of Intergroup Coordination KPA

The purpose of Intergroup Coordination is to establish a means for the software

engineering group to participate actively with the other engineering groups so the project
is better able to satisfy the customer’s needs effectively and efficiently.

The SQA group reviews and/or audits the activities and work products for intergroup
coordination and report the results.

3.2.29Task: Verifying Implementation of Peer Reviews KPA

The purpose of Peer Reviews is to remove defects from the software work products
early.

The SQA group reviews and/or audits the activities and work products for peer reviews
and report the results.
3.3TECHNICAL AND MANAGEMENT REVIEWS

Technical reviews conducted by the project team are based on the key products produced
during the life of the project. Management reviews are held to examine and discuss
project status, software products, and/or project issues. Conducting a technical and
management review depend on the major milestones, the selected program strategies and
development methodologies, and the discretion of senior management and the project
manager. An SQA function provides input to ensure that reviews identified are adequate
for the project. Additionally, SQA participates in reviews and reports it’s review results
and metrics.

3.3.1Task: Participate in Technical Reviews

A primary component of engineering quality into software is the conduct of technical

reviews of software products, both deliverable and nondeliverable. Participants of a
technical review include persons with technical knowledge of the software products to be
reviewed. The reviews focus on in-progress and final software products rather than the
materials generated especially for the review. The SQA function assures that they are
accomplished and selectively attends them in accordance with approved sampling
techniques. The type and scope of technical reviews depends heavily on the size, scope,
risk and criticality of the software project. Technical reviews help increase proficiency
through on-the-job-training and permit a uniform method for reviewing the work and its
status. Objectives of this type of review are:

1. Review evolving software products. Review and demonstrate proposed technical

solutions. Provide insight and obtain feedback on the technical effort.
Surface and resolve technical issues.

Appendix D of MIL-STD-498, Software Product Evaluations, identifies

criteria to be used for an evaluation and contains a defaults set of definitions
for the evaluation criteria. MIL-STD-498 also identifies 3 conditions in using
Appendix D: (1) requirements may be tailored, (2) “approved” alternate
criteria or definitions may be used, and (3) if the development of a software
product has been tailored out, the requirement to evaluate that product does
not apply.

2. Review project status. Surface near- and long-term risk regarding technical,
costs, and schedule issues.

3. Arrive at agreed-upon mitigation strategies for identified risks, within the

authority of those present.

4. Identify risks and issues to be raised at joint management reviews.

 5. Ensure on-going communications between acquirer and developer technical
personnel.

A Technical Review involves an item to be reviewed is distributed to the group prior to

the review meeting, and the review centers on discussing reviewers comments. These
usually occur at the conclusion of each development cycle phase and center on whether
the product should proceed to the next phase of development. MIL-STD-1521B,
Technical Reviews and Audits for Systems, Equipments, and Computer Software,
defines the following Technical Reviews:

System Requirements Review (SRR) - the objective is to ascertain the adequacy of the
developer’s efforts in defining system requirements.

System Design Review (SDR) - the objective is to evaluate the optimization, correlation,
completeness, and risks associated with the allocated technical requirements. Also
included is a summary review of the system engineering process which produced the
allocated technical requirements and of the engineering planning for the next phase of
effort.

Software Specification Review (SSR) - the objective is to review the finalized Computer
Software configuration Item (CSCI) requirements and operational concept. A successful
SSR shows that the SRS, IRS, and Operational Concept Document form a satisfactory
basis for proceeding into preliminary software design.

Software Preliminary Design Review (PDR) - the objective is to evaluate the progress,
consistency, and technical adequacy of the selected top-level design and test approach,
compatibility between software requirements and preliminary design, and the preliminary
version of the operation and support documents.

Software Critical Design Review (CDR) - the objective is to determine acceptability of

the detailed design, performance, and test characteristics of the design solution, and on
the adequacy of the operation and support documents.

Software Test Readiness Review (TRR) - the objective is to determine whether the
software test procedures are complete and to assure that the developer is prepared for
formal CSCI testing.

Formal Qualification Review (FQR) - the test, inspection, or analytical process by which
a group of configuration items comprising the system are verified to have met specific
program or project management performance requirements.

Production Readiness Review (PRR) - the objective is to determine the status of

completion of the specific actions which must be satisfactorily accomplished prior to
executing a production go-ahead decision.
In each case, the goal is to provide constructive feedback on the review item so that
problems can be identified and corrected as early as possible, to verify that the item fully
meets its objectives in the overall project plan, and to ensure that the item complies with
established standards.

The choice of which type of review is conducted, which items are reviewed, and the
participants for each review should be delineated in the software development processes,
project SDP, and project SQAP. Compliance with the established processes is verified
through Software Process Audits.

Technical reviews can be conducted on any component of the software product, if

deemed appropriate by the formalized processes, SDP, SQAP, or project staff and project
management. Typical items that are reviewed include requirements specifications,
interface specifications, functional descriptions, design specifications, source code, test
plans, test data, test cases, test procedures, user documentation, and maintenance
manuals. The following are criteria that may apply to a technical review:

(1) Item completeness - Determine whether the item fully met its intended objectives

(2) Problem Identification - Identify problems as early as possible in order to correct

them before they are compounded in subsequent project phases

(3) Compliance with standards - Ensure the item complies with established or require
standards, or that waivers are sought where it does not meet them

(4) Risk identification - Identify potential risk areas in the project so risks can be
managed and mitigated as the project progresses

(5) Traceability - Ensure the item is traceable to the appropriate previous phase in the
project. Recording item traceability, through a matrix, is very important to developers
and managers. They use the traceability matrix to verify that the software satisfies its
requirements and to provide input to subsequent project activities

3.3.1.1Task: Report on Technical Review

Issues or discrepancies with the product must be recorded, managed, and tracked to
closure. In some cases, the item will also need to be reviewed again prior to its
acceptance. In other cases, the items noted from the review will be relatively minor and
will not necessitate a second review. The criterion for making this determination should
be included as part of the project SQAP. The results of a review are utilized by:

1. Project Manager - the project manager uses the review results to track action
items and discrepancies and as input into the status of the item relative to
the overall project.
 2. SQA - the report provides objective evidence that the review has been
conducted. The reviews allow SQA to focus its activities and resources
on those items that have more impact on the process.

3. SEPO - the report provides the SEPO with data on the effectiveness of
individual process steps through an analysis of review items from projects
across the organization.

3.3.1.2Task: Report Technical Review Metrics

Various metrics should be collected as part of technical reviews to help determine the
effectiveness of the review process itself as well as the process steps that are used to
produce the item being reviewed. These metrics, reported to the project manager and
SEPG, should include the amount of time spent by each person involved in the review
for preparation and conduct of the review and deficiencies (the number and criticality of
deficiencies found).

3.3.2Task: Participate In Management Reviews

SQA’s periodic management review of software project status, progress, problems, and
risk will provide an independent assessment of project activities. Such participation
requires that SQA be prepared to provide the following information to management:

Compliance - Identification of the level of compliance of the project with established

organizational and project processes.

Problem areas - identification of potential or actual project problem areas based on

analysis of technical review results.

Risks - identification of risk based on participation and evaluation of project progress and
trouble areas.

The SQA function is integral to the success of the project, and should freely
communicate its results to senior management, SEPG, project management and the
project team. SQA can often provide additional support to the project manager during
management reviews to emphasize areas for senior management attention.

The method for reporting compliance, problem areas, and risks should be communicated
in a documented report or memorandum. Compliance, problem areas, and risks needs to
be followed-up and in some cases tracked to closure.
3.4SQA REPORTING

An important SQA activity is reporting the results of any software product evaluation or
software process audit. SQA should document the results of the activities performed and
promptly initiate corrective action or provide certification. The reporting results are
provided to the appropriate program/project personnel. The following subparagraphs
discuss the reporting requirements of SQA software product evaluations and software
process audits.

3.4.1Task - Prepare Software Product Evaluation Records

For any software product evaluation conducted, evaluation records are required. The
requirements for software product evaluation records are they must be prepared and
made available to affected program and project personnel. As a minimum, evaluations
records should include:

1. the product evaluated,

2. the methods or criteria used in the evaluation,
3. the evaluation results,
4. the recommended corrective actions, and
5. the actual corrective actions taken.

The project SDP would identify all software products to be developed and may reference
the Data Item Description (DID) or a project-tailored DID to follow. See Appendix D,
Software Product Evaluations, of MIL-STD-498, which identifies the software products
that are to undergo software product evaluations, identifies the criteria to be used for
each evaluation, and contains a default set of definitions for the evaluation criteria.

The format of an evaluation record may be dependent on the process used to perform
software product evaluations. For example, a project may implement
SPAWARSYSCEN SAN DIEGO CA’s Formal Inspection (FI) Process as the
methodology to use for Peer Reviews to evaluate software products. The
SPAWARSYSCEN SAN DIEGO CA FI process includes the form and format to report
defects. The project SDP would describe the peer review process. Another example is
that a project evaluating a software product may use the Software Trouble Report form
which is an input to the Corrective Action Process. The Software Configuration
Management Plan would describe the Corrective Action Process and the STR format.

SQA’s reporting of software product evaluations should be documented in the SQAP that
describes what products will be evaluated by SQA, how the evaluations will be done
(the method or criteria), what format is used to report the evaluation results which would
include recommended corrective actions or corrective actions to be taken. The software
products that are to be evaluated is further discussed in the paragraph entitled SQA of
Software Products, Tools, and Facilities.
3.4.2Task - Prepare Software Process Audit Reports

Each Software Process Audit produces a report that shows areas in which the process
is being followed correctly and working effectively, is being followed but is not working
effectively, and is not being followed. SQA recommendations may lead to adjustments
in the process, or enforcement activities intended to bring the project’s execution in line
with established plans and processes. Figure 7 provides a sample format for a Process
Audit Report.

The Software Process Audit report is directed to:

1. Senior management - The results of Software Process Audits are used in

conjunction with other project status information to guide senior management
attention to identify and mitigate project risks at the organizational level.

2. SEPG - The SEPG utilizes the process audits results, in conjunction with the
results of audits of other projects, to identify process weaknesses and initiate
or enhance process improvement in specific areas. This data becomes part of
the process database so that it is available for future project analysis and use.

3. Project Manager - The project manager utilizes the report to provide insight into
whether there is compliance with the development process and its
effectiveness in meeting project goals. Where necessary and appropriate, the
project manager may initiate enforcement activities or initiate change to the
established processes using the approved procedures.
 PROCESS AUDIT REPORT

TRACKING IDENTIFIER:______
_____________________________________________________________________________________
LEAD AUDITOR: DATE OF REPORT:
_____________________________________________________________________________________
_
AUDIT TEAM:

_____________________________________________________________________________________
_
PROJECT NAME:
_____________________________________________________________________________________
_
DATE OF AUDIT:
_____________________________________________________________________________________
_
PROCESS/PROCEDURE AUDITED:

_____________________________________________________________________________________
_
AUDIT CHECKLIST USED: (Attach)
_____________________________________________________________________________________
_
AUDIT FINDINGS: (Check one.)
_____ Process/Procedure Acceptable
_____ Process/Procedure Conditionally Acceptable
(Subject to satisfactory completion of action items listed below)
Conditions noted:

_____ Process/Procedure Unacceptable

(Subject to satisfactory completion of action items listed below)
Conditions noted:

_____________________________________________________________________________________
_
ACTION ITEM (AI):
AI # TITLE: ASSIGNED TO: DUE DATE: COMP DATE:_______
_____________________________________________________________________________________
_
_____________________________________________________________________________________
_
_____________________________________________________________________________________
_
CORRECTIVE ACTION:

_____________________________________________________________________________________
_
DISPOSITION: APPROVE CANCEL DEFER
Project Manager: DATE:
_____________________________________________________________________________________
_
AI CLOSURE:
SQA Sign-off: DATE:

(FILE COMPLETED FORM IN SQA EVALUATION RECORD.)

Figure 7. Process Audit Report Form

3.5SQA METRICS

Table 1 provides measurements that are made and used to determine the schedule and
cost status of the SQA activities:

Table 1. Measurements for SQA

MEASUREMENTS METRIC TO COLLECT

SQA Milestone Dates (Planned) Report plan

SQA Milestone Dates (Completed) Report actual vs. plan
SQA Work Scheduled (Planned) Report plan
SQA Work Completed (Actual) Report actual vs. plan
SQA Effort Expended (Planned) Report # of Hours
SQA Effort Expended (Actual) Report # of Hours
SQA Funds Expended (Planned) Report $ of Person Year
SQA Funds Expended (Actual) Report $ of Person Year

The following paragraphs provide example task descriptions to collect and report metrics
on (1) Software Product Evaluations, (2) Software Product Quality, and (3) Software
Process Audits.

3.5.1Task: Collect and Report Software Product Evaluation Metrics

This activity involves recording the effort involved in SQA performing an evaluation of
the software product. The metric collected and recorded is a person’s effort (hours) for
evaluating a software product, including reporting software product evaluation findings.
Recording this metric would show the allocation of SQA time in performing a specific
SQA activity. Figure 8 provides an example of SQA evaluating a requirements
specification and reporting on the results:

Software Product # of Pages Hours Used for Hours used for

Evaluating Reporting
Software 20 3 1
Requirements
Specification (SRS),
Increment 1

Figure 8. Sample SRS Evaluation Metric

3.5.2Task: Collect and Report Software Product Quality Metrics

A metric that could be collected is the number and type of errors reported on a software
product evaluation. SQA would analyze this metric to ensure quality. For example, if
SQA found a high number of requirement or design errors, then root cause analysis
would be the recommended action to be taken by the software development team. Cause
analysis would look at why the requirement or design errors were not initially caught by
the product reviewers. An area of investigation would be to look at the process to see if
the process is robust enough, were the appropriate reviewers included to evaluate the
product, were requirements too ambiguous, etc.

3.5.3Task - Collect and Report Software Process Audit Metrics

This activity involves conducting and reporting the hours expended for performing an
SQA audit of the project’s software processes. Figure 9 is a sample process audit metric
for SQA evaluating the project’s corrective action process.

Software Hours Used for Hours Used for Hours used for
Development Audit Preparation Evaluating Reporting
Process Audited
Corrective Action 2 2 1
Process

Figure 9. Sample Process Audit Metric

 4CREATE/MAINTAIN SQA PLAN

This SQA activity details the process for creating and maintaining a project SQAP. The
purpose of the SQAP is to describe how the developer intends to ensure that the software
is a product whose quality meets those standards defined by the quality policy. The
SQAP details the quality procedures and techniques to be used. The objective of the plan
is to be able to demonstrate how the developer will ensure that the requirements for a
software system are met. The first major quality assurance task is to determine the
quality assurance activities that will be carried out during the execution of the project.
This means that, for each phase, the SQAP must define explicitly how quality assurance
activities (such as design reviews and system testing) are to be executed.

As a minimum, the SQAP should address:

1. Quality objectives, expressed in measurable terms whenever possible.

2. Identification of types of test, verification and validation activities to be carried
out on product specification, plans and test specifications together with the
methods and tools to be employed.
3. Defined entry and exit criteria for each development phase.
4. Detailed planning of test verification and validation activities to be carried out,
including schedules, resources and approval authorities.
5. Specific responsibilities for quality activities such as inspections, reviews and
tests,
configuration management and change control, measurement and reporting,
defect control and corrective action.
6. Responsibilities and authority of the SQA group.
7. Resource requirements for the SQA group (including staff, tools, and facilities).
8. Schedule and funding of the project’s SQA group activities.
9. The SQA group’s participation in establishing the software development plan,
standards, and procedures for the project.
10. Evaluations to be performed by the SQA group.
11. Audits and reviews to be conducted by the SQA group.
12. Project standards and procedures used as the basis for the SQA group’s reviews
and audits.
13. Procedures for documenting and tracking noncompliance issues to closure.
14. Documentation that the SQA group is required to produce.
15. Method and frequency of providing feedback to the software engineering group
and other software-related groups on SQA activities.

References 7 through 12 in Section 1.7 provide references that may be used in

developing a project SQAP.

4.1SAMPLE PROCEDURES TO CREATE AND MAINTAIN A PROJECT SQA

PLAN
Figure 10 provides a sample procedure for creating and maintaining a project SQAP.
 Procedures to Create and Maintain a Project SQA Plan (SQAP)
Version 1.0
2/27/1997

This Procedures details the steps to create and maintain a Project SQAP.

1. Entry Criteria

Entry criteria is defined as the elements and conditions necessary to be in place to begin a
procedure. The entry criteria for this procedure are:

A. SQA Policy
B. Project requirements
C. Project Software Development Plan (SDP)
D. Project products, i.e., specifications, standards and procedures
E. SQA activities identified
F. SQA tasks assigned
G. Responsibility for coordinating and implementing SQA for the project is explicitly
assigned
H. An SQA person, group or function has a reporting channel to senior management that
is independent of all other groups involved with the project
I. Adequate resources and budget for software project planning have been identified
and allocated
J. Members involved in SQA activities are trained or skilled in SQA objectives,
procedures, and methods

2. Controls

Controls are defined as the data that constrains or regulates a process activity. Controls
regulate the transformation of inputs into outputs. The following are controls for
creating and or maintaining an SQAP:

A. SQAP guidelines,
B. Quality Program Requirements
C. SQA Policy

3. SQAP Review

The SQAP shall be reviewed by all project personnel. This allows project personnel to
submit comments and feedback on the role, responsibility, resources, and activities
delineated in the SQAP . The SQAP shall be reviewed by following the Formal
Inspection Process or by following the informal document review process.
Figure 10. Sample Procedures to Create and Maintain a Project SQAP
4. SQAP Approval

The approval process of the SQAP shall require program or project management and
Configuration Control Board (CCB) approval.

5. Configuration Control

The approved SQAP shall be placed under configuration control. Updates to the plan to
reflect current project requirements, processes and practices require review and approval.

6. Measurements

Staffing levels, labor-hours, and the start and stop dates shall be recorded for developing
the SQAP including any updates to the SQAP.

7. Exit Criteria

Exit criteria is defined as elements and/or conditions necessary to be in place to complete

a procedure. The exit criteria for this process activity is the SQAP is approved and
placed under configuration management.

8. Process Improvement on Creating/Maintaining a Project SQAP Procedure

A review on how closely project personnel follow this procedure to create and maintain a
Project SQAP and the areas for improvement shall be provided to those responsible for
process improvement. Efficiencies in the process to generate a SQAP may require an
update to this procedure.

Figure 11. Sample Procedures to Create and Maintain a Project SQAP (continued)
 5IMPLEMENT SQA PLAN

The purpose of this SQA activity is to perform the SQA function in accordance with the
project approved SQAP.
 6CREATE/MAINTAIN SQA PROCEDURES

The purpose of this activity is to document and maintain the procedures that describe
how SQA is performed on a project in accordance with the currently approved project
SQAP. The goal of this process activity is to show “repeatability” of performing a
specific task. Therefore, a documented procedure should be written for performing any
SQA activity.

The SQA Manager is responsible for drafting or directing the development of an SQA
procedure, implementing the SQA procedure, and maintaining the SQA procedure to
reflect activities performed as described in the project SQAP.

Inputs to creating/maintaining SQA procedures include identified tasks (WBS) and the
SQAP. An output of this activity is a documented SQA procedure. A documented SQA
procedure may be included as an appendix to the SQAP or as a separate stand-alone
document from the SQAP. The author suggests that procedures be separate from the
SQAP because procedure documents do not necessarily require the formality of change
management as does an SQAP. This suggestion is based on the assumption that the
SQAP is reviewed and approved by the project Configuration Control Board (CCB) and
formally placed under configuration management.

In defining what a procedure should contain it is important to understand what the

objective of the procedure is. The objective of a procedure is to provide step-by-step
instructions for someone or persons performing the task.
 7IDENTIFY SQA TRAINING

SQA personnel needs to identify any training that may be required to perform the SQA
tasks. Project requirements will dictate what training SQA needs to adequately perform
the SQA function.

Announcements of SEPO offered courses are found in SEPO’s homepage at

http://sepo.spawar.navy.mil or contact SEPO for information.
 8IDENTIFY/SELECT SQA TOOLS

This paragraph in no way attempts to identify tools to assure quality of a project’s

product. But rather this paragraph describes the steps in selecting a tool to support a
software quality or SQA function or functions.

8.1SQA TOOLS SELECTION PROCESS

1. Define your project SQA requirements. A prerequisite for defining SQA

requirements is that project requirements must already be defined. SQA
requirements are defined in the SQAP and are based on project requirements
as defined in the project’s Software Development Plan (SDP).

2. Develop a Plan of Action and Milestone for selecting the SQA tool:
Schedule a target date of when you want the vendor selected.
Schedule the tentative dates for product demos.
Schedule the tool evaluation period and date of selecting the best vendor.
Schedule the date for purchasing the tool.
Schedule the tool setup and installation.
Schedule formal training.
Identify the target date of when you want the tool in place.

3. Establish a working group, if possible, to help identify and select the tool based
on project and SQA requirements.

4. Define and document SQA Tool Requirements. Requirements would include the
computer platforms that the software must reside, the operating systems of the
platforms, the interface of the SQA tool with the software engineering
environment, the type of software being developed, e.g., Ada, C, etc., the
target computer, etc. Considerations would include how much the project can
afford on a tool, the resources to support the tool, decision to buy or develop
the tool in house, doing a cost benefit analysis, etc.

5. Read the Product Literature. Know what’s out there. A source is the Software
Technology Support Center (STSC) reports on tools. STSC reports are
available in SEPO’s Library. Another source is surfing the World-Wide Web
(WWW) for information.

6. Narrow the Tools down to a workable level (3 to 5 vendors perhaps) that best
meets the SQA Tool Requirements.

7. Ask for a Vendor Product Demo. Provide a copy of the SQA Tool Requirements
to the Vendor. Ask that the vendor address the tools capabilities for meeting
the requirements specified in the SQA Tool Requirements document.
8. Ask for an Evaluation Copy of the SQA Tool Software. Ask for support during
the evaluation period.

9. Base the evaluation of the tool against the SQA Tool Requirements document.
Rate the tools using a 1 to 5 point scale with 5 being the highest. Make a decision
on the tool to buy.
 9IMPROVE PROJECT SQA PROCESSES

The SQA activity for process improvement requires:

1. Understanding project and SQA processes

2. Determining where inefficiencies or defects occur (root causes of defects)
3. Recommending changes to project processes to improve efficiency or reduce
defects
4. Recommending improvements to eliminate the root causes of defects
5. Recommending training courses for the project team

The purpose of this activity is for SQA to review existing project and SQA processes and
report on efficiencies and areas for improvement and identify processes that need to be
defined. To improve project SQA processes, SQA needs to review and audit both
project processes and SQA processes. This will ensure that project processes and project
SQA processes are consistent and compatible with one another. Section 2 described the
SQA tasks for conducting software process audits. A method for improving project SQA
processes is for SQA to conduct internal SQA reviews. Internal SQA reviews involves
compliance with the SPAWARSYSCEN SAN DIEGO CA SQA Policy, compliance with
the project SQAP and SDP, and compliance to documented SQA processes and
procedures. The method for reporting findings of a software process audit is the process
audit form. The process audit form should be used as the vehicle to initiate action for
process improvement. Process improvement may result in changes to the policy,
processes, and/or procedures.

1
 10TERMS, DEFINITIONS AND ACRONYMS

10.1TERMS AND DEFINITIONS

Terms fundamental to any discussion of quality assurance include:

PROCESS. An organized set of activities performed for a given purpose; for example,
the software development process. [MIL-STD-498]

QUALITY. The totality of features and characteristics of a product or service that bear
on its ability to satisfy stated or implied needs.

QUALITY POLICY. The overall quality intentions and direction of an organization as

regards to quality, as formally expressed by top management.

QUALITY MANAGEMENT. The aspect of overall management function that

determines and implements a quality policy.

QUALITY SYSTEM. The organization structure, responsibilities, procedures, processes

and resources for implementing quality management.

SOFTWARE DEVELOPMENT PLAN (SDP). The SDP describes a developer’s plans

for conducting a software development effort. The term “software development” is
meant to include new development, modification, reuse, reengineering, maintenance, and
all other activities resulting in software products. The SDP also provides the acquirer
insight into, and a tool for monitoring, the processes to be followed for software
development, the methods to be used, the approach to be followed for each activity, and
project schedules, organization, and resources. [MIL-STD-498]

SOFTWARE METRICS. Numerical measures of the products and processes that make
up the software project. The careful use of numerical measures can introduce precision
and clarity to the process instead of opinion, informality, and open interpretation.

SOFTWARE QUALITY. Ability of software product to satisfy specified requirements.

[MIL-STD-498]

SOFTWARE QUALITY ASSURANCE. Planned and systematic pattern of all actions

necessary to provide adequate confidence that a software work product conforms to
established technical requirements, and, set of activities designed to evaluate the process
by which software work products are developed and maintained.

SOFTWARE QUALITY ASSURANCE PLAN (SQAP). The SQAP describes the plans
and activities of the SQA staff. [IEEE Std 730.1-1985]

1
SQA SPECIALIST. Individuals who specialize in quality assurance. An SQA specialist
assists in formulating quality assurance policy and practices. SQA’s role is to ensure that
appropriate quality assurance practices are being used correctly. SQA’s advisory role is
to help project teams when plans go astray, or when special circumstances arise.

STATEMENT OF WORK (SOW). A SOW describes tasks and directs methodologies in

service acquisitions. It may incorporate specifications that provide details covering
performance.

SOFTWARE UNIT (SU). A SU is an element in the design of a CSCI; for example, a

major subdivision of a CSCI, a component of that subdivision, a class, object, module,
function, routine, or database. Software units may occur at different levels of a hierarchy
and may consist of other software units. Software units in the design may or may not
have a one-to-one relationship with the code and data entities (routines, procedures,
databases, data files, etc.) that implement them or with the computer files containing
those entities. [MIL-STD-498]

SOFTWARE DEVELOPMENT FILE (SDF). A SDF as a repository for material

pertinent to the development of a particular body of software. Contents typically include
(either directly or by reference) considerations, rationale, and constraints related to
requirements analysis, design, and implementation; developer-internal test information;
and schedule and status information. [MIL-STD-498]

10.2ACRONYMS

AI Action Item
CCB Configuration Control Board
CDR Critical Design Review
CSCI Computer Software Configuration Item
DBDD Data Base Design Description
DCR Document Change Request
DID Data Item Description
DOD Department of Defense
FCA Functional Configuration Audit
FI Formal Inspection
FQR Formal Qualification Review
HWCI Hardware Configuration Item
IDD Interface Design Description
IRS Interface Requirements Specification
IV&V Independent Verification and Validation
KPA Key Process Area
NDS Non-Developmental Software
OCD Operational Concept Document
PCA Physical Configuration Audit
PDR Preliminary Design Review

2
PRR Product Readiness Review
SDD Software Design Document
SDF Software Development File
SDP Software Development Plan
SDR System Design Review
SEI Software Engineering Institute
SEPO Software Engineering Process Office
SOW Statement of Work
SQA Software Quality Assurance
SQAP Software Quality Assurance Plan
SRR System Requirements Review
SRS Software Requirements Specification
SSDD System/Subsystem Design Description
SSR Software Specification Review
SSS System/Subsystem Specification
STSC Software Technology Support Center
SW-CMM Software Capability Maturity Model
TRR Test Readiness Review
UDF Unit Development Folder
WBS Work Breakdown Structure
WWW World-Wide Web

3
 DOCUMENT CHANGE REQUEST (DCR)

Document Title: ñññññ Tracking Number: ñññññ

Name of Submitting Organization: ñññññ

Organization Contact: ñññññ Phone: ñññññ

Mailing Address: ñññññ

Short Title: ñññññ Date: ñññññ

Change Location: ñññññ

(use section #, figure #, table #, etc.)
Proposed change: ñññññ

Rational for Change: ñññññ

Note: For the Software Engineering Process Office (SEPO) to take appropriate action on a change
request, please provide a clear description of the recommended change along with supporting rationale.

Send to: Commanding Officer, Space and Naval Warfare Systems Center, D13, 53560 Hull Street,
San Diego, CA 92152-5001 or Fax to: (619)553-6249 or Email to: sepo.spawar.navy.mil
DCR Form 9/1997