|
|
Conventions:
Creativyst® Software Stability Ratings
A proposed separation of software stability from process maturity
Author: Dominic John Repici
The relationship between software stability and version is tenuous at best.
Yet we software designers and engineers --people who should know better-- have
accepted software versioning as the primary indicator and feedback mechanism
about software's stability since people first started writing it.
Software designers know, as a matter of training, that it is unacceptable to
assign multiple meanings to a single variable, no matter how close in concept
those meanings may be. Yet, we happily go on overloading our software version
numbers to also connote the stability of the underlying package. Again,
because there is some --not quite quantifiable-- relationship there, and, well,
that's the way its always been done.
We've also always known at some level that there was something wrong,
somewhere, with the whole notion. We've filled many tombs with attempts to
understand and document the illusive relationship between a software project's
longevity and the resulting software's quality. We've approached it with
mathematical precision, religious zeal, and edgy rebellion, but have we ever
really been able to square it?
This paper proposes completely separating the concepts of software stability
(or "quality") from version maturity.
There are obvious advantages to separating software version numbers from
the software's stability rating:
- A credible trailing indicator of software's real,
experienced, stability is required before progress on good
predictive indicators can be made. -
Attempting to create acceptable leading indicators --such as development
practices and methodologies used-- without first developing a consistent set of
trailing indicators of experienced stability, is like trying to take
world-class photographs from inside an isolation tank. Widely accepted
trailing indicators are needed first, in order to validate (or invalidate)
proposed methods for producing more stable software.
- A non-ambiguous indication of a given piece of software's quality
(stability) can be made available to the people responsible for using,
supporting, upgrading, insuring, and valuing it (within any context).
- With two separate values to denote version and stability, the
subtle relationship between these two concepts can be better studied and
understood simply by analyzing historical records of both data sets.
At the same time, the relationship will become less important, because a value
based on something more germane than a software product's maturity can be used
to estimate how likely the product is to work or fail within a given context or
system.
The overriding philosophy of this project is simplicity. If we
have to tell people to defocus their eyes and concentrate on a point somewhere
behind the page (or some similar-sounding instructions) in order to understand
this system then we have failed.
It is important to the usefulness of this rating system that educated people in
any field be able to grasp the connection between the rating value and the
likelihood that the rated product will work or fail within their given
situation. It must also be explainable in such a way that, if they wish, people
can grasp the reasons and mechanisms that the system claims will insure it
reflects and predicts real-world probabilities.
Design Goals:
- The rating system shall be simple, unambiguous, and concise without being
too simple to be useful
- The rating system shall be based on a small, fixed set of self-evident
criteria that all who use it can comprehend and validate to their own
satisfaction.
- The rating system shall be independent of the code, the distribution
files, or the deliverables that make up the software. A rating shall never be
embedded within software distribution files or code because it will be free to
change without any changes to the underlying software or package.
- Primarily, the first phase/task in the rating system shall be a trailing
indicator with an eye to establishing future leading indicators. Initially, it
will be based on the software's real-world, historically observable behavior
with regard to its stability and generally not on other behaviors or
attributes of the software.
- Where little history is available to produce a trailing rating, that fact
should be easily discernable through observation of the rating alone. This
will be employed in the initial role of the rating system as a trailing
indicator and in future where a leading indicator rating may be published.
- For future leading ratings, when special processes or practices have been
employed during the design and/or development of the software to insure safety
and reliability, such special measures may be reflected within the rating so
long as they do not interfere with the rating's initial purpose of relating the
historically observed stability of the underlying software.
- [?tbd? probably too soon to be applicable to the current scope] For minor
determinations to a new project's rating (before sufficient historical data has
accumulated) should the rating system consider the software
stability record of individuals who perform the new development if a clear and
quantifiable connection between the individuals' past, " first
release" software's stability and the stability of the current software
can be made and statistically verified?
- [?tbd? probably too soon to be applicable to the current scope] To the
extent, if any, that the rating system is linked to the people who design and
develop the software being rated (as provided above), should
the only credential that shall be considered regarding the contributing
individuals is the complete documented stability history of first-release
software they've produced in the past?
- [?TBD?] Should the consideration put forward above for individuals be
extended to include organizations?
Publication is a foundational purpose of any rating system. This
specification prescribes a way in which to publish downgrades to a software
version's stability rating.
When a reliability rating of a version of software
is changed the new rating must be published to an easily accessible web-page
where users of the software have been clearly instructed such ratings can be
found.
A reliability rating that is downgraded to any rating other than
"Unsecure" must be published in this way within ten business days
from the day it is downgraded.
A reliability rating that is changed to "Unsecure" must be
published in this way within three business days of the day it is changed.
Also, in the case of a rating that is changed to "Unsecure", users
who have purchased the downgraded version in the past year and have not
purchased or received more recent versions must be sent email stating that the
version was downgraded. If there is no email address, or an attempt to send
mail to the email address on file has failed, no further emails need be sent to
that user.
When a previously unreported, non-security related defect that can
affect a software version's current reliability rating is reported, the
software must be tested within 20 business days of the report to verify if the
defect exists. If the defect is found to exist, or the test for verification
is not performed the reliability rating must be changed to reflect the defect.
The existence and non-existence of software defects MUST be verified in writing
and signed by the individual making the determination.
When a previously un-reported defect is reported that can cause a software
version's current reliability rating to be changed to
"Unsecure", the software must be tested within 3 business days
of the report to verify if the defect exists. If the defect is found to exist,
or the test for verification is not performed, the reliability rating must be
changed to "Unsecure" to reflect the defect.
The existence and non-existence of software defects MUST be verified in writing
and the individual making the determination must sign a declaration attesting
to the veracity of the reported result.
Generally, stability ratings SHOULD NOT be used in product advertisements. If
a stability rating is used in a product advertisement in a dynamic media, it
must adhere to the same time restrictions as have been documented here for
publicizing rating downgrades along with a link to the webpage where the
downgrade ratings for the product are published in accordance with the above
recommendations. If the stability rating is used in a fixed media type, such
as magazines, the date it was valid on MUST be displayed along with the URL of
the webpage where downgrades are published.
Color is optional, but if rating values are portrayed in such a way that
each rating value is assigned a different color or set of colors, the color
scheme defined here MUST be used.
An optional-use color scheme is defined for the recommendation so that if
colors are associated with rating values they will be consistent. This will
eliminate color differences as a possible source of confusion when viewing
stability ratings.
The rating values currently defined, along with the criteria requirements
for software to be assigned these ratings are documented in this table.
Value
Use example
|
Name - value
Color, if used
|
|
|
Unsecure - 0
Black with red lettering
|
|
A security vulnerability has been found in this version.
Users should upgrade to a more recent version immediately.
Use of this version should be avoided
in the future. Current media containing this version should
be destroyed or prominently labeled as Unsecure software.
Demotion to [0]
Software versions that have achieved a
Beta (B)
rating or better and subsequently been found
to have security
vulnerabilities MUST be downgraded
to this rating value.
Software versions that have been demoted to UNSECURE [0] from
Beta (B) or higher levels are destined to remain
in the UNSECURE [0] rating forever, since once downgraded, a new
version MUST be produced.
|
|
|
Defects (Downgraded) - /
Black-grey
|
|
"Downgraded" software
(/
or /n where n is the
rating it has been downgraded from) is software
that has been Downgraded because
Defects have been
discovered that do not affect security.
Demotion to [/]
Software at Beta [B] or higher
that has been found to
contain non-security defects MUST be downgraded [/].
Software at Alpha [A] with
defects may optionally be
reworked rather than downgraded depending on the processes
and policies of the developer regarding control of [A]
level software (see below).
When downgrading software to [/] (downgraded), the developer
may optionally show the rating it was downgraded from with
a lower-case letter code (e.g. [/b], [/c], etc). This is
recommended because the option to denote a downgrade without the
letter qualifier may be obsoleted in future version
Software versions that have been downgraded to this level from
Beta (B) or higher levels MUST remain
in the downgraded rating forever, since once downgraded, a new
version must be produced.
|
|
|
Alpha - A
Orange-red
|
|
Under Development
Alpha (A) rated
software can be thought
of as software that is generally
in late development and in-house testing. It may have known
defects, including security defects.
Important:Unsecure and tainted.
Alpha (A) rated
software MAY be tested outside if done in tightly controlled
environments that are strictly managed and monitored by the
developer. Alpha rated software MUST NOT be published to the
general user base except under tightly controlled and
documented "person
to person"
conditions.
While a software version is in Alpha
the develper has the
option, based on their own internal processes, to make changes to
the code without changing the version
number.
When the stability rating of a version of software
is changed from Alpha to
Beta however, the version MUST be frozen. That is, further
changes to the files that constitute the software
MUST NOT be made. Instead, if defects are
found
once a software release has been changed to Beta, the
defective version MUST be downgraded to [/] (defects) or
[0] (unsecure), where it
shall remain. A new
version number must be produced to fix the defects.
The reason for this is so users
who have obtained the defective Beta version
may be informed that it is no
longer considered safe or stable.
Promotion to [A]
Software versions that have never received any other stability
rating may be promoted to Alpha [A].
Software versions that have acheived any other stability rating
([0], [/], Beta [B] or higher)
MUST NOT be promoted to Alpha [A]. Versions that have been
promoted to Beta [B] or higher and found to have defects WILL
be downgraded to [/] or [0] and remain their.
|
|
|
Beta - B
Yellow
|
|
Early Outside Testing
Beta (B) rated
software is software
that has been released for early outside testing. It should be
tested by customers and clients using it under real-world
conditions, in real-world environments.
Outside testing should be conducted by a reasonably large sample
of outside implementations, based on the total number of users
available. Obviously, single custom jobs will have a single
beta test site.
In house testing should continue and is considered
Beta [B] testing once a Beta rating has been acheived
and testing has begun.
In some cases, only in-house testing will be viable. In these
cases, considerable effort should be made to insure real-world
conditions and environments are simulated. Including unusually
extreme conditions and environments.
Promotion to [B]
Only from: [A]
Software in Alpha MUST be thoroughly reviewed and tested
and free of known defects before it is promoted to
Beta [B].
New software versions that are primarily fixes of
versions that were rated [B] or better must be
started in Alpha and remain in Alpha with no defect reports
for at least three
days of active, documented test operations before promotion
to [B].
Demotion
Non-security Related Defects:
If confirmed defects that do not affect security have been
found, the version must be downgraded to [/] or [/b],
where it WILL remain.
If reports of defects that do not affect security have not
been tested for confirmation or dismissal within
60 days, the version must be downgraded to [/] or [/b],
where it WILL remain.
Security Related Defects:
If confirmed defects that affect security
have been found, the version must be downgraded to [0] or [0b],
where it WILL remain.
If reports of defects that do affect security
have not
been tested for confirmation or dismissal within
20 days, the version must be downgraded to [0] or [/0b],
where it WILL remain.
|
|
|
Commercial - C
Green
|
|
Commercial Grade Software
Software rated commercial is considered to be stable and usable
within business and commercial environments. there is a reasonable
degree of confidence --relative
to the number of installations the software generally gets--,
that [C] rated software will perform with few or no defects.
The longer a given version of software is in [C], and the more
installations it is in, the greater the confidence that it will
perform with few or no defects.
Promotion to [C]
Only from: [B]
Beta software must be run continuously
under LIVE conditions, --LIVE, running implementations whenever
possible--
for at least 30 days without defect reports of any kind
before they may be promoted to [C].
Reasonably large number -
For custom, one-shot projects, a
reasonable number is one, by necessity. For other types of
projects, a reasonable number is at least 10 percent of the
actively upgrading customer base, with a minimum of one.
LIVE conditions -
In instances where it is not possible to test a Beta release
in a live implementation, it is desirable to have customers
run it in as near-live a test system as is possible. running
continously with their test data, or better yet, parallel
data entry from their live systems.
Demotion
Non-security Related Defects:
If confirmed defects that do not affect security have been
found, the version must be downgraded to [/] or [/c],
where it WILL remain.
If reports of defects that do not affect security have not
been tested for confirmation or dismissal within
60 days, the version must be downgraded to [/] or [/c],
where it WILL remain.
Security Related Defects:
If confirmed defects that affect security
have been found, the version must be downgraded to [0] or [0c],
where it WILL remain.
If reports of defects that do affect security
have not
been tested for confirmation or dismissal within
20 days, the version must be downgraded to [0] or [/0c],
where it WILL remain.
|
|
|
Exceptional - E
Cyan
|
|
Criteria for rating a software version exceptional (E) are
[TBD] (to be determined) at this time. Until criteria have been
established, no software may carry a stability rating of E.
[TBD] Notes:
Has been in C
for more than 75 business days.
A higher release that is
no more than four versions removed from this version
has
been the highest version in C for at least 40
business days and is currently in C.
Special note: Software that is custom
produced and released in a single phase with no upgrade
releases planned is not required
to meet the last criteria in order to be promoted to
E.
Should new project phases or releases be made subsequently,
versions that were promoted to E must be
downgraded
until the criteria for more recent releases are met.
|
|
The above SSR's are trailing indicators,
based on experienced stability.
The following two SSR's are predictive
and must be based on observed,
statistically valid correlations between software development practices
used and
trailing SSRs achieved.
They are [TBD] at this time.
|
|
|
Hi-Rel - H
Blue
|
|
Criteria for rating a software version hi-rel (H) are
[TBD] (to be determined) at this time. Until criteria have been
established, no software may carry a stability rating of H.
Software developed for this level must move through lower SSR's.
While in lower SSR's this rating intention must be denoted
by following the SSR with
a lower-case 'h' ('Ah', 'Bh', 'Ch', 'Eh').
Likewise software developed for this level must maintain a complete
and public record of downgrades. Downgrades MUST use the (otherwise
optional) trailing letter after the slash to show what level was
achieved before downgrade ('/ah', '/bh', '/ch', '/eh', '/h').
[TBD] Notes:
LGFs all at E or higher.
|
|
|
Safe - S
Violet
|
|
Criteria for rating a software version safe (S) are
[TBD] (to be determined) at this time. Until criteria have been
established, no software may carry a stability rating of S.
Software developed for this level must move through lower SSR's.
While in lower SSR's this rating intention must be denoted
by following the SSR with
a lower-case 's' ('As', 'Bs', 'Cs', 'Es').
Likewise software developed for this level must maintain a complete
and public record of downgrades. Downgrades MUST use the (otherwise
optional) trailing letter after the slash to show what level was
achieved before downgrade ('/as', '/bs', '/cs', '/es', '/s').
[TBD] Notes: All requirements of Hi-rel, and:
Tested and guaranteed by a third party/underwriter?
. . . to run without damage-causing or life-threatening defects in the
context where it is designed to run? . . . Guarantee to
include a specific and published
amount of financial compensation for any such failure or a set
of compensations for specific types of failure within the context
of the software (damage of specific type, death, loss of use, etc)?
. . .
Testing organization must openly publish its record of failure
in all cases except where doing so would violate government
classified information? (Where government classified information
is required to disclose a failure, testing organization must make
those failure records accessible to all individuals who have proper
clearances upon request.)
|
|
To use the SSR helper functions, include the following in the <head>
section of your web document, like this:.
<script
type="text/javascript"
LANGUAGE="JAVASCRIPT"
SRC="https://creativyst.com/Doc/Std/StableSW/SwSr.js">
</script>
Right now, there is one function
ssrLg(ssr,UseClick);
To call this function inside html you have to surround it with a
<script type="text/javascript">
tag. Also, this returns a string with the html of the button,
which you
must hand to document.write() in order to display. Here's an example of
how this will be called inside your d/x/html to display an SSR button
('C' in this case):
<script type="text/javascript">
document.write(ssrLg("C",1));
</script>
Pass an SSR string to this in
the "ssr" parameter (as defined above and here).
The UseClick parameter says to make a button that pops up a small
reference window
when it is clicked. Keeping UseClick at 1 will allow users to get an
explanation of the Software Stability Rating they're seeing.
Here are some examples of this function's output along with the calls that
produced it. Click on these to see the behavior of the
UseClick option.
<script
type="text/javascript">
document.write(ssrLg("A",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("B",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("C",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("E",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("H",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("S",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("Ah",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("Cs",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("Eh",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("0",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("0b",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("0cs",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("/",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("/e",1));
</script>
|
<script
type="text/javascript">
document.write(ssrLg("/cs",1));
</script>
|
This article is © Copyright, Creativyst, Inc. 2002 - 2005 ALL RIGHTS
RESERVED.
Links to this article are always welcome.
However, you may not copy, modify, or distribute this work or any part of it
without first obtaining express written permission from Creativyst, Inc.
Production and distribution of derivative products, such as displaying this
content along with directly related content in a common browser view are
expressly forbidden!
Those wishing to obtain permission to distribute copies of this article or
derivatives in any form should
contact Creativyst.
Permissions printed over any code, DTD, or schema files are supported as our
permission statement for those constructs. JavaScript code may be linked to
but not copied (to ensure fresh content).
If you're interested in improving or promoting this project please
contact me. If used,
your code and contributions will be attributed to you with a link to your site.
|
|