Upload
minhlongyb89
View
399
Download
1
Embed Size (px)
Citation preview
IEEE 1540 - SoftwareEngineering Risk Management:Measurement-Based Life Cycle
Risk ManagementPSM 2001 Aspen, Colorado
Paul R. CrollChair, IEEE SESC
Computer Sciences [email protected]
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 2
Objectives
l Describe Risk Management in the context of alife cycle process framework
l Describe IEEE 1540’s Risk Managementprocess model and process requirements
l Describe other Standards that complementIEEE 1540 in managing risk in the acquisitionand engineering of software intensive systems
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 3
Risk Management (RM) inthe Life Cycle Context
l An organizational life cycle processu responsibility of the organization using the process
u the organization ensures that the process exists andfunctions
l IEEE Standard 1540 assumes that the othermanagement and technical processes ofIEEE/EIA 12207 perform the treatment of risk
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 4
LIFE CYCLE
TAILORING
CONFIGURATION MANAGEMENTDOCUMENTATION
QUALITY ASSURANCEVERIFICATION
VALIDATIONJOINT REVIEW
AUDITPROBLEM RESOLUTION
PRIMARY
DEVELOPMENTOPERATION
MAINTENANCE
ACQUISITION
SUPPLY
ORGANIZATIONALMANAGEMENT
INFRASTRUCTUREIMPROVEMENT
TRAINING
SUPPORTING
Source: Singh97
IEEE/EIA 12207 Life CycleProcess Tree
Risk Management touched on in 12207
Risk Management focused on in 12207
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 5
Risk Management Objectivesin IEEE/EIA 12207
l Sprinkled throughout the Acquisition, Supply,Development, Operation, Verification, Joint Review,Problem Resolution, and Tailoring Processes
l Focused on in Management Process objectivesu Determine scope of risk management to be performed
u Identify risks to the project as they develop
u Analyze risks
u Determine mitigation priority
u Define, implement and assess mitigation strategies
u Define, apply and assess risk metrics
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 6
IEEE/EIA 12207 ProcessInteractions
Source: Singh97
ACQ - ACQUISITION.SUB - SUBCONTRACTOR
E - EXECUTE
F - FEEDBACK
M - MANAGE
P - PARTICIPATE
T - TASK
U - USE
E:N - EXECUTE THEPROCESS NUMBERED N
PDCA
FM
INFRASTRUCTURE TRAININGIMPROVEMENTMANAGEMENT
ORGANIZATION
MAINTENANCE
DEVELOPMENT
OPERATION
E: 2,3
E: 1,2,3
E: 3
QAE: 3
SUPPLYU: 4T
ACQUISITIONU: 4 E
FFFF
V&VE: 3
PROJECT
E
AUDIT
P
E
(T)E
E: 3
JOINTREVIEW
E: 3
T
U
U
CM PROBLEMRESOLUTION
DOCUMENTATION TAILORINGE
E
E
E
P
T
E: ACQT: SUB
(I)V&VE: 3
1 2 3 4
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 7
IEEE/EIA 12207 ProcessRoles
• Management • Improvement • Training• Infrastructure
ORGANIZATIONAL PROCESSES
ACQUISITION PROCESS
PROCESSDEVELOPMENT
PROCESS
SUPPLY PROCESS
OPERATION PROCESS
employemploy
use
contract
employ
use
MAINTENANCE
employ
employ
employ
employ
EMPLOYER
SUPPORTINGPROCESSES
OFSUPPORTINGROLE
MANAGERORGANIZATIONALROLE
• OPERATOR• USER
OPERATINGROLE
ACQUIRERACQUISITIONROLE
SUPPLIERSUPPLYROLE
• DEVELOPER• MAINTAINER
ENGINEERINGROLE
PR
ES
S
OC
SE
SUPPORTING
• Documentation • Validation
• Problem resolution• Verification
• Configuration management • Joint review• Quality assurance • Audit
Source: Singh97
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 8
Risk Management ProcessOverview
Improvement Actions
Feedback
Plan andImplement
RiskManagement
Evaluate the RiskManagement
Process
Project Risk Profile and Risk Action Requests
Project Risk Profile
Management Decisions
Technical and
Management Processes
Perform Risk Treatment
Information Needs
Managethe
ProjectRisk Profile
Perform RiskAnalysis
Perform RiskMonitoring
�
�
�
�
�
�
�
Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 9
Risk Management ProcessOverview
Improvement Actions
Feedback
Plan andImplement
RiskManagement
Evaluate the RiskManagement
Process
Project Risk Profile and Risk Action Requests
Project Risk Profile
Management Decisions
Technical and
Management Processes
Perform Risk Treatment
Information Needs
Managethe
ProjectRisk Profile
Perform RiskAnalysis
Perform RiskMonitoring
�
�
�
�
�
�
�
Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.
l Define the information requirementsfor RM
– information needed and priority– risk areas of concern– RM policies required– risk acceptability thresholds
l Make decisions regarding risksl Make recommendations forimproving the RM process
measurement focus
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 10
Risk Management ProcessOverview
Improvement Actions
Feedback
Plan andImplement
RiskManagement
Evaluate the RiskManagement
Process
Project Risk Profile and Risk Action Requests
Project Risk Profile
Management Decisions
Technical and
Management Processes
Perform Risk Treatment
Information Needs
Managethe
ProjectRisk Profile
Perform RiskAnalysis
Perform RiskMonitoring
�
�
�
�
�
�
�
Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.
l Establish RM policies to support informationrequired by decision makers
– how RM is to be performed– tools or techniques to be used– how RM activities will be coordinated– how risk is to be communicated
l Establish the RM process l Establish responsibility for RMl Assign RM resourcesl Establish RM process evaluation
measurement focus
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 11
Risk Management ProcessOverview
Improvement Actions
Feedback
Plan andImplement
RiskManagement
Evaluate the RiskManagement
Process
Project Risk Profile and Risk Action Requests
Project Risk Profile
Management Decisions
Technical and
Management Processes
Perform Risk Treatment
Information Needs
Managethe
ProjectRisk Profile
Perform RiskAnalysis
Perform RiskMonitoring
�
�
�
�
�
�
�
Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.
l Create a consistent current and historical viewof the risks present and their treatment l Define the technical and managerial riskmanagement context
– risks areas of concern– stakeholder(s) perspective(s)– objectives, assumptions and constraints
l Establish risk thresholdsl Establish and maintain the project risk profilel Communicate risk status to stakeholders
measurement focus
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 12
Risk Management ProcessOverview
Improvement Actions
Feedback
Plan andImplement
RiskManagement
Evaluate the RiskManagement
Process
Project Risk Profile and Risk Action Requests
Project Risk Profile
Management Decisions
Technical and
Management Processes
Perform Risk Treatment
Information Needs
Managethe
ProjectRisk Profile
Perform RiskAnalysis
Perform RiskMonitoring
�
�
�
�
�
�
�
Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.
l Identify risks defined by RM contextl Estimate risk likelihood and consequencesl Evaluate and prioritize the risks and theirinteractions against thresholdsl Recommend risk treatment where applicablel Document in risk action request
– measures of treatment effectiveness– contingency plans
measurement focus
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 13
Risk Management ProcessOverview
Improvement Actions
Feedback
Plan andImplement
RiskManagement
Evaluate the RiskManagement
Process
Project Risk Profile and Risk Action Requests
Project Risk Profile
Management Decisions
Technical and
Management Processes
Perform Risk Treatment
Information Needs
Managethe
ProjectRisk Profile
Perform RiskAnalysis
Perform RiskMonitoring
�
�
�
�
�
�
�
Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.
l Management evaluates risk action requestsand determines acceptability of risksl If risk reduction actions are to be taken,management selects, plans, monitors, andcontrols treatment to decrease risk exposure
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 14
Risk Management ProcessOverview
Improvement Actions
Feedback
Plan andImplement
RiskManagement
Evaluate the RiskManagement
Process
Project Risk Profile and Risk Action Requests
Project Risk Profile
Management Decisions
Technical and
Management Processes
Perform Risk Treatment
Information Needs
Managethe
ProjectRisk Profile
Perform RiskAnalysis
Perform RiskMonitoring
�
�
�
�
�
�
�
Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.
l Once a risk treatment has been selected– if a 12207 Life Cycle Process is employed,
+ risk treatment is managed using the problemmanagement approach of the Management Process
– if a non-12207 Life Cycle Process is employed,+ a detailed Risk Treatment Plan must be developedand implemented
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 15
Risk Management ProcessOverview
Improvement Actions
Feedback
Plan andImplement
RiskManagement
Evaluate the RiskManagement
Process
Project Risk Profile and Risk Action Requests
Project Risk Profile
Management Decisions
Technical and
Management Processes
Perform Risk Treatment
Information Needs
Managethe
ProjectRisk Profile
Perform RiskAnalysis
Perform RiskMonitoring
�
�
�
�
�
�
�
Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.
l Review and update individual riskstates and the management contextl Assess effectiveness of risk treatmentsl Seek out new risks
measurement focus
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 16
Risk Management ProcessOverview
Improvement Actions
Feedback
Plan andImplement
RiskManagement
Evaluate the RiskManagement
Process
Project Risk Profile and Risk Action Requests
Project Risk Profile
Management Decisions
Technical and
Management Processes
Perform Risk Treatment
Information Needs
Managethe
ProjectRisk Profile
Perform RiskAnalysis
Perform RiskMonitoring
�
�
�
�
�
�
�
Source:IEEE Standard1540:2001© IEEE 2001.All rights reserved.
l Capture RM information l Assess and improve the RM process
– collect RM information– assess the quality of the process– identify opportunities for improvement– provide feedback to management– make improvements to the process
l Generate lessons learned
measurement focus
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 17
IEEE 1540 andISO/IEC 15026
l ISO/IEC 15026:1998, InformationTechnology —System and Software IntegrityLevels
u Defines a process for establishing integrity levelsthat are used to contain risk within acceptablevaluesn the system integrity level reflects the worst case risk that
is associated with the as-designed systemn all appropriate risk dimensions are addressed
u Requires employment of a risk managementprocess
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 18
IEEE 1540 andISO/IEC 15939
l ISO/IEC 15939:FDIS, InformationTechnology —Software Measurement Process
u Identifies the activities and tasks that are necessaryto successfully identify, define, implement, andimprove a software measurement processn Two core activities
• Plan the Measurement Process• Perform the Measurement Process
n Two supporting activities
• Establish and Sustain Measurement Commitment• Evaluate Measurement
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 19
IEEE 1540 andISO/IEC 15939 - 2
l References to risk in ISO/IEC 15939u Plan the Measurement Process
n Identify Information Needs
u Annex A: The measurement information modeln Measurable Concept
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 20
IEEE 1540 and IEEE 1012
l IEEE Std 1012 -1998, IEEE Standard forSoftware Verification and Validation
u Uses integrity levels to determine appropriateV&V activities
u These integrity levels could be determined in thebaseline risk profile
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 21
IEEE 1540 and IEEE 1228
l IEEE Std 1228 - 1994, IEEE Standard forSoftware Safety Plans
u Addresses planning for a software safety programthat provide a systematic approach to reducingsoftware risksn Requires that a risk assessment be performed to identify
potential safety risks
n Requires that risk treatment alternatives be addressed foruncontrolled risks
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 22
IEEE 1540 and IEEE 1058
l IEEE Std 1058 -1998, IEEE Standard forSoftware Project Management Plans
u requires the specification of a risk managementplann identification, analysis and prioritization of project risk
factorsn procedures for contingency planning, risk monitoring, and
changes in risk status
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 23
IEEE 1540 andIEEE 982.1 and 982.2
l IEEE Std 982.1 -1988, IEEE StandardDictionary of Measures to Produce ReliableSoftware
u measures appropriate for use in risk management
l IEEE Std 982.2 -1988, IEEE Guide for theUse of IEEE Standard Dictionary of Measuresto Produce Reliable Software
u guidance regarding measures appropriate for use inrisk management
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 24
For more information . . .
Paul R. CrollComputer Sciences Corporation5166 Potomac DriveKing George, VA 22485-5824
Phone: +1 540.663.9251Fax: +1 540.663.0276
e-mail: [email protected]
For IEEE Standards:
http://standards.ieee.org/catalog/
For the IEEE Software Engineering Standards Committee:http://computer.org/standard/sesc/
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 25
Questions?
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 26
References
[IEEE 982.1] IEEE Std 982.1-1988, IEEE Standard Dictionary ofMeasures to Produce Reliable Software, Institute of Electricaland Electronics Engineers, Inc. New York, NY, 1988.
[IEEE 982.2] IEEE Std 982.2-1988, Guide for the Use of IEEEStandard Dictionary of Measures to Produce Reliable Software,Institute of Electrical and Electronics Engineers, Inc. New York,NY, 1988.
[IEEE 1012] IEEE Std 1012-1998, IEEE Standard for SoftwareVerification and Validation, Institute of Electrical andElectronics Engineers, Inc. New York, NY, 1998.
[IEEE 1228] IEEE Std 1228-1994, IEEE Standard for SoftwareSafety Plans, Institute of Electrical and Electronics Engineers,Inc. New York, NY, 1994.
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 27
References - 2
[IEEE 1058] IEEE Std 1058-1998, IEEE Standard for SoftwareProject Management Plans, Institute of Electrical and ElectronicsEngineers, Inc. New York, NY, 1998.
[IEEE 1540] IEEE Standard 1540-2001, IEEE Standard forSoftware Life Cycle Processes — Risk Management, Institute ofElectrical and Electronics Engineers, Inc. New York, NY, 2001.
[IEEE/EIA 12207] IEEE/EIA Standard 12207.0-1996, IndustryImplementation of International Standard ISO/IEC12207:1995— (ISO/IEC 12207) Standard for Information Technology—Software life cycle processes, Institute of Electrical andElectronics Engineers, Inc. New York, NY, 1998.
[Singh97] Raghu Singh, An Introduction to International StandardISO/IEC 12207, Software Life Cycle Processes, 1997.
PSM 2001, Aspen, CO Tuesday, July 24, 2001, 1:15 PM - 1:55 PM Paul R. Croll - 28
References - 3
[ISO/IEC 15026:1998] ISO/IEC 15026:1998, InformationTechnology —System and Software Integrity Levels, ISO/IEC,1998.
[ISO/IEC 15939] ISO/IEC 15026:FDIS, Information Technology —Software Measurement Process, ISO/IEC, 2001.
[Singh97] Raghu Singh, An Introduction to International StandardISO/IEC 12207, Software Life Cycle Processes, 1997.