IEEE 1540 - Software

Engineering Risk Management:

Paul R. Croll Measurement-Based Life Cycle
Chair, IEEE SESC
Computer Sciences Corporation
Risk Management
pcroll@csc.com PSM 2001 Aspen, Colorado
 Objectives

l Describe Risk Management in the context of a

life cycle process framework
l Describe IEEE 1540’s Risk Management
process model and process requirements
l Describe other Standards that complement
IEEE 1540 in managing risk in the acquisition
and engineering of software intensive systems

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 2
 Risk Management (RM) in
the Life Cycle Context

l An organizational life cycle process

u responsibility of the organization using the process
u the organization ensures that the process exists and
functions
l IEEE Standard 1540 assumes that the other
management and technical processes of
IEEE/EIA 12207 perform the treatment of risk

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 3
 IEEE/EIA 12207 Life Cycle
Process Tree
ACQUISITION
SUPPLY
DEVELOPMENT
OPERATION
MAINTENANCE
PRIMARY

LIFE CYCLE

SUPPORTING
DOCUMENTATION
CONFIGURATION MANAGEMENT
QUALITY ASSURANCE
VERIFICATION
VALIDATION
Source: Singh97 JOINT REVIEW
AUDIT
PROBLEM RESOLUTION

ORGANIZATIONAL
MANAGEMENT
INFRASTRUCTURE
IMPROVEMENT
Risk Management touched on in 12207 TRAINING

Risk Management focused on in 12207 TAILORING

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 4
 Risk Management Objectives
in IEEE/EIA 12207
l Sprinkled throughout the Acquisition, Supply,
Development, Operation, Verification, Joint Review,
Problem Resolution, and Tailoring Processes
l Focused on in Management Process objectives
u Determine scope of risk management to be performed
u Identify risks to the project as they develop
u Analyze risks
u Determine mitigation priority
u Define, implement and assess mitigation strategies
u Define, apply and assess risk metrics
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 5
 IEEE/EIA 12207 Process
Interactions
ORGANIZATION
MANAGEMENT INFRASTRUCTURE IMPROVEMENT TRAINING

M F
PROJECT

OPERATION
F F F E: 3 F
ACQ - ACQUISITION.
SUB - SUBCONTRACTOR
T
E - EXECUTE

MAINTENANCE F - FEEDBACK
ACQUISITION SUPPLY
U: 4 T U: 4 E M - MANAGE
T E: 2,3
P - PARTICIPATE
P JOINT E E: ACQ E
REVIEW U T - TASK
E: 3 T: SUB
U - USE
U E P E QA
AUDIT DEVELOPMENT E:N - EXECUTE THE
E: 3 E: 3 PROCESS NUMBERED N
E: 1,2,3
(T)E (I)V&V E V&V
E: 3 E: 3
Source: Singh97

1 2 3 4
E PROBLEM
DOCUMENTATION CM RESOLUTION
TAILORING PDCA

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 6
 IEEE/EIA 12207 Process
Roles
employ S
ACQUISITION ACQUIRER ACQUISITION PROCESS
ROLE U
P
contract P
O
SUPPLY employ R
SUPPLIER SUPPLY PROCESS
ROLE T
employ employ employ I
N
OPERATING • OPERATOR employ G
OPERATION PROCESS
ROLE • USER
use
P
R
ENGINEERING • DEVELOPER MAINTENANCE use DEVELOPMENT employ O
ROLE • MAINTAINER PROCESS PROCESS C
E
S
EMPLOYER • Documentation • Validation
SUPPORTING OF S
SUPPORTING • Configuration management • Joint review E
ROLE • Quality assurance • Audit
PROCESSES S
• Verification • Problem resolution

ORGANIZATIONAL ORGANIZATIONAL PROCESSES Source: Singh97

MANAGER
ROLE • Management • Infrastructure • Improvement • Training

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 7
 Risk Management Process
Overview
ΠTechnical
Information Needs
and
Management Feedback
Management Decisions
Processes
Project Risk Profile
• Perform
and Risk Action Requests

Risk Treatment

• Perform Risk
Analysis
Ž
Manage
• Plan and the
Implement
Project
Risk
Risk Profile
Management

‘ Perform Risk
Monitoring
Source:
IEEE Standard
1540:2001
Improvement Actions
’ Evaluate the Risk Project Risk Profile © IEEE 2001.
Management All rights reserved.
Process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 8
 Risk Management Process
Overview
ΠTechnical
Information Needs
and
Management Feedback
Management Decisions
Processes
Project Risk Profile
• Perform
and Risk Action Requests

Risk Treatment

l Define the information requirements

for RM • Perform Risk
Analysis
– information needed and Ž priority
– risk •
areas of concern
Plan and Manage
Implement the
– RM policies
Risk required Project measurement focus
Risk Profile
Management
– risk acceptability thresholds
l Make decisions regarding risks ‘ Perform Risk
Monitoring
Source:
l Make recommendations for IEEE Standard
improving the RM process 1540:2001
Improvement Actions
’ Evaluate the Risk Project Risk Profile © IEEE 2001.
Management All rights reserved.
Process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 9
 Risk Management Process
Establish RM policies to support information
l
Overview
required by decision makers
– how RM is to be performed
Рtools or techniquesΠTechnicalto be used
Information Needs
and
– how RM
Management Decisions
activities
Managementwill be coordinated
Feedback

– how risk is toProcesses

be communicated Project Risk Profile

l Establish the RM • Perform

process and Risk Action Requests

Risk Treatment
l Establish responsibility for RM
l Assign RM resources
l Establish RM process • evaluation
Perform Risk
Analysis
Ž
Manage
• Plan and the
Implement
Project
Risk
Risk Profile
Management

‘ Perform Risk
Monitoring
Source:
IEEE Standard
measurement focus 1540:2001
Improvement Actions
’ Evaluate the Risk Project Risk Profile © IEEE 2001.
Management All rights reserved.
Process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 10
 Risk Management Process
Create a consistent current and historical view
l
of the risks present and their treatment
Overview Define the technical and managerial risk
l
management context
ΠTechnical
– risks areas of concern
Information Needs
and
–
Management Decisions
stakeholder(s)
Management perspective(s)
Feedback
Processes assumptions and constraints
– objectives, Project Risk Profile

l Establish• Perform and Risk Action Requests

risk thresholds
Risk Treatment
l Establish and maintain the project risk profile
l Communicate risk status to stakeholders

• Perform Risk
Analysis
Ž
Manage
• Plan and the
Implement
Project
Risk
Risk Profile
Management

‘ Perform Risk
Monitoring
Source:
IEEE Standard
measurement focus 1540:2001
Improvement Actions
’ Evaluate the Risk Project Risk Profile © IEEE 2001.
Management All rights reserved.
Process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 11
 l Risk Management Process
Identify risks defined by RM context
l Estimate risk likelihood and consequences
Overview
l Evaluate and prioritize the risks and their
interactions against thresholds
ΠTechnical
l Recommend risk treatment
Information Needs where applicable
and
l Document in risk action request
Management Decisions Management Feedback
Processes
– measures of treatment effectiveness Project Risk Profile
• Perform and Risk Action Requests
– contingency plans Risk Treatment

• Perform Risk
Analysis
Ž
Manage
• Plan and the
Implement
Project
Risk
Risk Profile
Management

‘ Perform Risk
Monitoring
Source:
IEEE Standard
measurement focus 1540:2001
Improvement Actions
’ Evaluate the Risk Project Risk Profile © IEEE 2001.
Management All rights reserved.
Process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 12
 Risk Management Process
Overview
ΠTechnical
Information Needs
and
Management Feedback
Management Decisions
Processes
Project Risk Profile
• Perform
and Risk Action Requests

Risk Treatment

l Management evaluates risk action requests• Perform Risk

Analysis
and determines acceptability of risks
Ž
l If risk reduction actions are to be taken,
Manage
• Plan and the
Implement
management selects, plans, monitors,
Risk
Projectand
Risk Profile
controls treatment
Managementto decrease risk exposure

‘ Perform Risk
Monitoring
Source:
IEEE Standard
1540:2001
Improvement Actions
’ Evaluate the Risk Project Risk Profile © IEEE 2001.
Management All rights reserved.
Process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 13
 Risk Management Process
Overview
ΠTechnical
Information Needs
and
Management Feedback
Management Decisions
Processes
Project Risk Profile
• Perform
and Risk Action Requests

Risk Treatment

• Perform Risk
Analysis
l Once a risk treatment has been Ž
selected
– if •
a 12207
Plan and Life Cycle Process
Manageis employed,
the
Implement
+ risk
Risk treatment is managed using the problem
Project
Risk Profile
Management
management approach of the Management Process
– if a non-12207 Life Cycle Process is ‘ Perform Risk
employed,
Monitoring
Source:
+ a detailed Risk Treatment Plan must be developed IEEE Standard
and implemented ’ Project Risk Profile
1540:2001
Improvement Actions Evaluate the Risk © IEEE 2001.
Management All rights reserved.
Process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 14
 Risk Management Process
Overview
ΠTechnical
Information Needs
and
Management Feedback
Management Decisions
Processes
Project Risk Profile
• Perform
and Risk Action Requests

Risk Treatment

Review and update individual risk

l
states•and the management context
Perform Risk
l AssessAnalysis
effectiveness of risk treatments
Ž
Manage l Seek out new risks
• Plan and the
Implement
Project
Risk
Risk Profile
Management

‘ Perform Risk
Monitoring
Source:
IEEE Standard
measurement focus 1540:2001
Improvement Actions
’ Evaluate the Risk Project Risk Profile © IEEE 2001.
Management All rights reserved.
Process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 15
 Risk Management Process
Overview
ΠTechnical
Information Needs
and
Management Feedback
Management Decisions
Processes
Project Risk Profile
l•Capture
Perform RM information
and Risk Action Requests

Risk Treatment
Assess and improve the RM process
l
– collect RM information
– assess the quality of the process
• Perform Risk
– identify opportunities for improvement
Analysis
Ž – provide feedback to management
Manage
• Plan and the – make improvements to the process
Implement
Project
Risk
Management l Generate lessons learned
Risk Profile

‘ Perform Risk
Monitoring
Source:
IEEE Standard
measurement focus 1540:2001
Improvement Actions
’ Evaluate the Risk Project Risk Profile © IEEE 2001.
Management All rights reserved.
Process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 16
 IEEE 1540 and
ISO/IEC 15026
l ISO/IEC 15026:1998, Information
Technology —System and Software Integrity
Levels
u Defines a process for establishing integrity levels
that are used to contain risk within acceptable
values
n the system integrity level reflects the worst case risk that
is associated with the as-designed system
n all appropriate risk dimensions are addressed
u Requires employment of a risk management
process
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 17
 IEEE 1540 and
ISO/IEC 15939
l ISO/IEC 15939:FDIS, Information
Technology —Software Measurement Process
u Identifies the activities and tasks that are necessary
to successfully identify, define, implement, and
improve a software measurement process
n Two core activities
• Plan the Measurement Process
• Perform the Measurement Process
n Two supporting activities
• Establish and Sustain Measurement Commitment
• Evaluate Measurement

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 18
 IEEE 1540 and
ISO/IEC 15939 - 2

l References to risk in ISO/IEC 15939

u Plan the Measurement Process
n Identify Information Needs
u Annex A: The measurement information model
n Measurable Concept

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 19
 IEEE 1540 and IEEE 1012

l IEEE Std 1012 -1998, IEEE Standard for

Software Verification and Validation
u Uses integrity levels to determine appropriate
V&V activities
u These integrity levels could be determined in the
baseline risk profile

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 20
 IEEE 1540 and IEEE 1228

l IEEE Std 1228 - 1994, IEEE Standard for

Software Safety Plans
u Addresses planning for a software safety program
that provide a systematic approach to reducing
software risks
n Requires that a risk assessment be performed to identify
potential safety risks
n Requires that risk treatment alternatives be addressed for
uncontrolled risks

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 21
 IEEE 1540 and IEEE 1058

l IEEE Std 1058 -1998, IEEE Standard for

Software Project Management Plans
u requires the specification of a risk management
plan
n identification, analysis and prioritization of project risk
factors
n procedures for contingency planning, risk monitoring, and
changes in risk status

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 22
 IEEE 1540 and
IEEE 982.1 and 982.2

l IEEE Std 982.1 -1988, IEEE Standard

Dictionary of Measures to Produce Reliable
Software
u measures appropriate for use in risk management
l IEEE Std 982.2 -1988, IEEE Guide for the
Use of IEEE Standard Dictionary of Measures
to Produce Reliable Software
u guidance regarding measures appropriate for use in
risk management

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 23
 For more information . . .
Paul R. Croll
Computer Sciences Corporation
5166 Potomac Drive
King George, VA 22485-5824

Phone: +1 540.663.9251
Fax: +1 540.663.0276
e-mail: pcroll@csc.com

For IEEE Standards:

http://standards.ieee.org/catalog/
For the IEEE Software Engineering Standards Committee:
http://computer.org/standard/sesc/

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 24
 Questions?

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 25
 References
[IEEE 982.1] IEEE Std 982.1-1988, IEEE Standard Dictionary of
Measures to Produce Reliable Software, Institute of Electrical
and Electronics Engineers, Inc. New York, NY, 1988.
[IEEE 982.2] IEEE Std 982.2-1988, Guide for the Use of IEEE
Standard Dictionary of Measures to Produce Reliable Software,
Institute of Electrical and Electronics Engineers, Inc. New York,
NY, 1988.
[IEEE 1012] IEEE Std 1012-1998, IEEE Standard for Software
Verification and Validation, Institute of Electrical and
Electronics Engineers, Inc. New York, NY, 1998.
[IEEE 1228] IEEE Std 1228-1994, IEEE Standard for Software
Safety Plans, Institute of Electrical and Electronics Engineers,
Inc. New York, NY, 1994.

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 26
 References - 2

[IEEE 1058] IEEE Std 1058-1998, IEEE Standard for Software

Project Management Plans, Institute of Electrical and Electronics
Engineers, Inc. New York, NY, 1998.
[IEEE 1540] IEEE Standard 1540-2001, IEEE Standard for
Software Life Cycle Processes — Risk Management, Institute of
Electrical and Electronics Engineers, Inc. New York, NY, 2001.
[IEEE/EIA 12207] IEEE/EIA Standard 12207.0-1996, Industry
Implementation of International Standard ISO/IEC12207:1995
— (ISO/IEC 12207) Standard for Information Technology
—Software life cycle processes, Institute of Electrical and
Electronics Engineers, Inc. New York, NY, 1998.
[Singh97] Raghu Singh, An Introduction to International Standard
ISO/IEC 12207, Software Life Cycle Processes, 1997.

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 27
 References - 3

[ISO/IEC 15026:1998] ISO/IEC 15026:1998, Information

Technology —System and Software Integrity Levels, ISO/IEC,
1998.
[ISO/IEC 15939] ISO/IEC 15026:FDIS, Information Technology —
Software Measurement Process, ISO/IEC, 2001.
[Singh97] Raghu Singh, An Introduction to International Standard
ISO/IEC 12207, Software Life Cycle Processes, 1997.

PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 28