# 12E: Formal Inspection

### Formal Inspection

<img src="ss/mod12/21.png" width=300>

In this lecture, I’ll describe the formal inspection quality review model.

The inspection is more formal and rigorous than the walkthrough model and it is considered to be an industry best practice for finding defects in software work products.

Inspections have the highest defect detection rate of any defect identification technique…average defect detection rates of 60-90 percent, whereas the more informal walkthrough model averages 30-60 percent. So…what makes this model more formal? Several characteristics. There are specialized roles that some of the reviewers play, there are more steps than just the inspection meeting, there are rules for conducting the inspection meeting, and there is mandatory preparation and follow-up.

The formal inspection review model was originally developed at IBM and was constructed specifically to mitigate the historical problems teams experienced with quality reviews of software work products. Let’s look at this review model in more detail.

### Inspection Process Roles

<img src="ss/mod12/22.png" width=300>

Inspections require that some participants play specialized roles. There are five roles, and they are used to clearly define participant responsibilities and to help mitigate commonly encountered review problems.

The **moderator role** is an extremely important one. The moderator is responsible for ensuring that all the steps in the inspection process are followed and that all the inspection process rules are complied with. The moderator is also responsible for facilitating the inspection meeting.

The **author** is the person (or persons) who authored the work product being inspected. The author is responsible for answering questions posed by the inspection team, for providing clarifying information, and for resolving any issues for which he or she is the designated owner.

An issues list is a mandatory inspection work product, and the person assigned to play the **role of recorder** is responsible for logging the issues.

The next role is the most unusual one. In the informal walkthrough model, the **work product author** typically walks the review team through the work product. In the formal inspection model, someone other than the author is selected to do this. Reasons for this include putting the focus on the work product instead of the author (which can mitigate defensiveness, particularly in design and code reviews), and to get an unbiased interpretation of the work product.

For a requirements inspection, in particular, this is a very important and powerful role. I recommend to my clients to pick a developer or tester for this role in requirements inspections…someone who will have to use the requirements as input to their work process. This has been very effective at increasing defect detection and uncovering ambiguous or untestable requirements.

Now…the traditional name for this role is **reader**, but I recommend the name **presenter**, because it more accurately reflects what the role is all about, and because historically people have interpreted reader literally…and actually just read the work product aloud…every single word. Experience has shown that the most effective way to implement this role is to present the work product by paraphrasing chunks of material rather than reading verbatim.

The first four roles are the specialized roles. Anyone else on the inspection team falls into the category of **general inspector**. Like the participants in a walkthrough, inspectors are relevant stakeholders and perhaps subject matter experts who evaluate the work product for defects and ensure the work product meets its requirements.

Now, in practice, it is common for one person to play more than one role. For example, the moderator may also assume the role of recorder or a general inspector. Similarly, a general inspector may also play the role of recorder. When it comes to playing multiple roles, there are two guidelines that I ask my clients to treat as rules: 
- the presenter should not play another role, and 
- the author should not play another role. 

The presenter role is a full-time role during the inspection meeting, and having that individual play another role will slow down the meeting momentum and make the role less effective. With regard to the author not playing another role, experience has shown that it is most important for the author to focus full attention on participant comments and issues to ensure that correct resolution takes place.

### Inspection Process Steps

<img src="ss/mod12/23.png" width=300>

Another inspection characteristic that distinguishes it from the informal walkthrough process is that there are more steps than just a meeting. The steps help to give the inspection process structure and repeatability.

The kick-off step starts the inspection process for a given work product. The author and moderator meet to verify that the work product is ready for inspection, the inspection team is selected, and the inspection meeting is scheduled. The traditional name for this step is planning, but I suggest the use of kick-off to my clients to give it the connotation that it usually takes minutes versus hours.

The moderator decides whether the overview step is necessary. Traditionally, this step has been used to give the inspection team project background information and orientation, but moderators can use it for whatever they want to. Some moderators, for example, will get the inspection team together to review inspection scope, objectives, and rules.

The preparation step is a mandatory step in the inspection process, because advance preparation is essential if the inspection meeting is to be effective. Participants are also typically asked to record and report their preparation times. The general rule of thumb is to expect preparation time to be about the same as meeting time. So, if there’s a one hour inspection meeting it’s expected that participants will spend about an hour preparing.

During the inspection meeting, the work product is presented, issues are logged, and the inspection outcome is determined. The moderator is responsible for facilitating this step.

If any issues need to be resolved, there is a rework step external to the meeting. And the moderator will appoint someone to follow-up with the issue owners to verify that the issues have been resolved. A follow- up activity may also be to re-inspect the work product if serious issues were identified.

### Inspection Meeting Outcomes

<img src="ss/mod12/24.png" width=300>

A third characteristic of inspections that distinguish them from walkthroughs is that the outcomes of an inspection meeting are defined in advance.

There are four basic outcomes as illustrated on the slide…accept as is, conditional acceptance, re-inspect, or the inspection is not yet finished and requires another meeting. Normally, we estimate how many meeting will be required in advance, so this outcome is usually known ahead of time.

Pre-defining the inspection meeting outcomes is a simple, but very powerful idea. The team knows, going into the meeting, that one of these outcomes will be assigned at the end of the meeting and it kind of pre-conditions peoples’ thinking. This is something that could easily be incorporated into walkthroughs as well.

### Inspection Impact on Defect Removal

<img src="ss/mod12/25.png" width=300>

In an earlier lecture, I talked about the error amplification phenomenon…uncaught defects that get through any life cycle phase are inherited by subsequent phases where some just pass thru and some cause additional defects to be created.

This chart shows the impact that inspections can have on mitigating this phenomenon. It’s based upon data obtained from a number of projects, some of which used inspections and some of which did not. The red bars show a measure of how many defects get through each life cycle phase when inspections were not used, and the green bars show the same statistic for projects that used inspections. I plotted these to scale so that the effectiveness of inspections stand out visually. It’s easy to see the dramatic impact that inspections can have.

Now, not every organization uses inspections…nor do they need to. There’s a bit of overhead with inspections…more people are required to play the roles and its best to provide people with training so they know how to do inspections correctly. Many of my clients, following the walkthrough guidelines I talked about earlier, have achieved results very close to those of the formal inspection model without the additional overhead.

Regardless of the type of software quality review model used, what is most important is that it be effective at detecting and removing defects.



---

# 12F: Software Metrics

In this lecture, we’ll discuss some different types of software metrics and talk about how to specify software quality and measure software quality at early phases of the life cycle.

### What are Metrics and Why do we use them?

<img src="ss/mod12/26.png" width=300>

What are metrics, and why use them? A metric is a measurement of something. It could be a measurement of some aspect of a software process…like how many pages of requirements can be inspected per hour, or it could be some aspect of a software product…like how complicated a software component is.

There are a number of reasons to use metrics. First, metrics can provide useful visibility into project status…for example, by estimating how close to completion the project is. Another reason is to provide feedback to management, staff, and stakeholders…for example, by showing evidence that we are, in fact, building a product that satisfies a requirement that it be easy to maintain. Feedback may also be in the form of quality indicators…measurements that indicate whether a product is following good software engineering design principles, for example, or that is satisfactorily tested. Metrics can also be used to help manage and improve software processes. A good example of this can be found in the higher CMMI maturity levels that you learned about earlier in this course. So…let’s talk about some different types of metrics and how they might be used.

### Different Types of Metrics

<img src="ss/mod12/27.png" width=300>

There are a number of different types of metrics that organizations use. For our discussion I’m going to break them down into three categories: process metrics, product metrics, and quality metrics. Please note in advance that the categories are not mutually exclusive when it comes to quality metrics.

Process metrics measure something associated with a process…like the total effort spent on each phase in a project life cycle, an estimate of time remaining for project completion, maybe average inspection rates (measured in, say, pages inspected per hour), and so forth. As you can see by these examples these are characteristics of various processes.

Product metrics measure something associated with a product…like product size (maybe in lines of code), the number of defects per thousand lines of code, or maybe the control flow complexity of a software component.

Quality metrics measure something that is associated with the quality characteristics of a process or product. Examples include measures like the percentage of milestones satisfied on time, the defect density of a delivered product, or the percentage of code exercised under test. They are indicators of general or specific product or process quality. The remainder of this lecture will focus on examples of quality metrics.

### Specifying and Measuring Quality

<img src="ss/mod12/28.png" width=300>

Before you can measure software quality, you must be able to specify what software quality is…with respect to a specific software product. In the software engineering world there are some industry-wide practices that correlate with good software quality and that can be designed into software product components. Examples of such practices would be that a software component follow structured programming principles, that it is well-documented, etc.

There’s also a whole category of non-functional requirements in software engineering that are often referred to as quality requirements. These requirements often end with “ility”…maintainability, testability, and so forth. A definition of these frequently-specified quality requirements is illustrated in this table…and many leading-edge software organizations include at least a subset of them on most projects.

As you can see, almost all of these definitions begin with the phrase “the extent of”…so what does that mean? Simply put, it means how easy or difficult. For example, maintainability means how easy or difficult would it be to change the product. A product with good maintainability would be a lot easier to change than a product with poor maintainability…that is, it would take less effort.

Most people would agree that these seem like desirable characteristics for many software projects. The challenge for the software engineer is how to build those characteristics into the software product and demonstrate that the product does, in fact, satisfy those requirements. Let’s see how that might be done by using metrics.

### Quality Requirement Visibility

<img src="ss/mod12/29.png" width=300>

This table shows where in the overall product life cycle evidence of each of the quality requirements is traditionally able to be observed. We’ll refer to this as the requirement’s visibility. And by traditionally, I mean in projects where metrics are not used. The first four columns in the table correspond to the developmental phases for the product. Operations refers to the time period the product is in production mode, maintenance refers to maintenance mode where the product will undergo changes for whatever reasons and in which the requirements, design, code, and test activities would be repeated to varying extents, and transition refers to the situation in time when the product may need to be ported to a different hardware or software platform. The X’s indicate where the visibility appears.

One thing that’s pretty obvious is that…traditionally…visibility starts to occur very late in the product life cycle…during the testing phase at the earliest...and for many of the quality requirements, even later. In this situation, if a quality requirement is not met, there will be substantial rework required. And…we’ve already seen how costly that can be. Let’s compare this traditional approach to one that incorporates metrics.

<img src="ss/mod12/30.png" width=300>

This table illustrates where metrics can be used to provide early visibility and evidence as to whether a specific quality requirement is, in fact, being built into the software product. Note that we can get visibility much earlier in the product life cycle…in all cases by the design and code phases…and in some cases as early on as the requirements phase. Now…let’s see how this can be done.


---


# 12G: Specifying & Measuring Software Quality

In this lecture, I’ll discuss a model for specifying and
measuring software quality, and I’ll apply that model
to illustrate how one can measure software
testability.

### Measuring Software Quality

<img src="ss/mod12/31.png" width=300>

Here’s a model that can be used to develop metrics to
indicate that a quality requirement is built-into a
software product.

At the top is the quality requirement that needs to be
satisfied…such as testability. The next level defines
product or process attributes that lead to a product
having that quality characteristic. Then, for each of
the defined product and process attributes, one or
more metrics is defined.

I’ll illustrate how this is done using a specific quality
requirement.

### Measuring Software Testability

<img src="ss/mod12/32.png" width=300>

Let’s take testability as an example, and see how we
can develop some metrics that indicate whether the
software product is being built so that it is easy to
test.

What are some attributes of a software product or a
development process that might make testing easier?
Let me start by listing three product attributes that
help to make testing easier: simplicity, self-
descriptiveness, and modularity. I’ll define them more
precisely in a minute, so for now use your intuitive
understanding of what you think they might mean.

Next, I’ll define two more attributes that aren’t direct
attributes of the software product itself, but have to
do with related work products and environment. I’ll
add traceability and support.

Now, let’s formally define what these attributes
mean.

Simplicity is a characteristic of a products design and
code. Are they implemented in a straightforward
manner.

Self-descriptiveness also applies to the design and
code. Are they easy to understand by visual
inspection.

Modular applies to the design and code as well. Is it
easy to see which components of the product
perform certain functions.

These three attributes help make product testing
easier…particularly for developer-level testing,
because they help developers understand which
components need to be exercised to test specific
functions and they make it easier to instrument test
cases. They also make it easier to determine what
needs to be fixed if tests indicate there are problems.
Traceability has to do with the ease of relating test
cases to the requirements that are being tested and
to the specific product components that implement
those requirements. Traceability helps testers
understand which tests may need to change if a
requirement changes, and which tests need to be re-
run.

Support has to do with the infrastructure that is in
place to support the testing effort.
The next thing we need to do is to identify some
metrics that can be used as indicators of these
attributes.


<img src="ss/mod12/33.png" width=300>

I’m going to just name the metrics right now, and
discuss most of them in more detail later in this
lecture.

Let’s start with simplicity. There are a number of
metrics that are associated with simplicity…control
flow complexity, coupling, cohesion, code structure,
code size, and something called information volume.
Most of these metrics can be applied to product
design, and all of them can be applied to code.
Most of the same metrics apply for measuring self-
descriptiveness. Additionally, standards such as
documentation and coding standards can help to
make product components easier to understand. This
would include things like source code documentation,
statement of pre-conditions and post-conditions, and
so forth…things that make code easier to read and
understand.

Modularity metrics are also pretty much the same as
simplicity metrics, and can be applied to both design
and code. The more modular the product is the easier
it is to determine which components implement
which requirements and which may need to be
retested when test failures indicate problems.
Traceability can be measured by using traceability
matrices. One type of traceability matrix traces each
requirement to the design and code components that
implement it. This is very useful for developers as it
helps them more easily instrument tests and
determine what code may need to be changed if tests
indicate problems. Another type of traceability matrix
traces each requirement to the test cases used to
verify that requirement. This can be very helpful to
both developmental testers and independent testers
in helping to determine which tests may need to be
changed if requirements are changed and which tests
may need to be re-run.

In terms of support, an effective configuration
management process can help gain access to the
correct versions of components that need to be
tested. Documents such as test plans and test reports
also help make testing easier, as well as having what
is commonly called a test bed…a repository of tests
that can easily be re-run.

Now…in practice…we wouldn’t necessarily use all of
these metrics…just the ones that have the most
value-add for our particular project. What I wanted to
demonstrate here is how metrics can be applied to
get early insight as to whether quality characteristics
are being built into the product.

This example also illustrates different types of
metrics: complexity, size, structure and volume are
examples of what I like to call computational
metrics…they are calculated using simple counts or
formulas. Coupling and cohesion are examples of
what I call classification metrics…we classify design
and code components according to whether they
implement good coupling and cohesion
characteristics or not so good. Traceability matrices
are yet another form of metric that don’t yield
numeric values, but are used to help find problems
and make testing easier. They can also be used to
construct quantitative quality metrics…for example,
to calculate the percentage of requirements that can
be traced to design components or test cases.

---

# 12H: Sample Software Quality Metrics

<img src="ss/mod12/34.png" width=300>

In this lecture, I’ll continue our discussion of
specifying & measuring software quality by illustrating
several software quality metrics.

I’m going to discuss several commonly used software
quality metrics. These metrics are used in the design
and coding phases to help build software products
that have good quality characteristics…as we saw in
the testability example.


### Coupling

<img src="ss/mod12/35.png" width=300>


A very important software engineering metric that
has been around for a long time…and is still very
relevant today…is coupling. It’s an example of a
classification metric. Coupling is a measure of inter-
dependence between software components. Any
components that interact with each other are coupled
to some degree. The more dependent components
are on each other, the more they know about each
other’s inner workings…the tighter the coupling. The
less dependent they are on each other, and the less
they know about each other’s inner workings…the
looser the coupling.

Loose coupling is good. Tight coupling is not good.
In practice, we want our designs to be as loosely
coupled as possible.

In object-oriented software engineering coupling
occurs as the result of inheritance, message
connections, and containment. We can control
coupling in class design by careful use of inheritance,
avoiding unnecessary message connections and
unnecessary containment, and by using strong
information hiding.

In traditional, non object-oriented software engineering coupling occurs through the use of global
data and shared memory. We can control coupling in
component design by avoiding the use of global data,
avoiding passing memory address information, using
minimal number of data parameters, and by passing
parameters using copies of data values.

Coupling impacts testability, maintainability, and
reusability. It can also impact reliability.
Let’s take a look at an example.

### Coupling Example

<img src="ss/mod12/36.png" width=300>


Suppose we need to design an application that
periodically reports temperatures. And let’s suppose
we came up with the following design. We have a
Thermometer class that is used by a WeatherStation
class to get periodic temperature readings. The
WeatherStation class maintains a reference to a
Thermometer, and its getThermometer method
returns a reference to its thermometer. We also have
a WeatherReporter class that is responsible for
reporting the temperatures. The WeatherReporter
maintains a reference to the WeatherStation class,
and its getTemperature method instantiates a
thermometer, assigns it to reference the
thermometer the WeatherStation maintains a
reference to, and then calls the Thermometer class
getTemp method to get the temperature. The
Weather reporter class is coupled to both the
WeatherStation and the Thermometer class…and the
coupling to the Thermometer class really shouldn’t be
necessary.

Let’s look at a design that improves the coupling…in
fact, that eliminates the unnecessary coupling
altogether.

In this design, the WeatherStation maintains the
Thermometer reference and provides a
getTemperature method that returns the current
temperature to any clients. The WeatherReporter
class simply invokes the WeatherStation
getTemperature method when it needs to. Now, the
WeatherReporter class is not coupled to the
Thermometer class at all.


### Cohesion

<img src="ss/mod12/37.png" width=300>


Another important classification metric is cohesion.
Cohesion is a measure of how single-purposed or
well-defined a software component is. The more
single-purposed or well-defined a component is the
higher its cohesion. The more multi-purposed or ill-
defined a component is the lower its cohesion.
High cohesion is good. Low cohesion is not good. In
object-oriented software engineering, cohesion is
applied at the class level as well as at the method
level.

At the class level, a highly cohesive class will
represent easy-to-understand things or concepts from
the problem domain or solution domain. A class with
low cohesion will be harder for a developer to
describe to another person…including another
developer or other stakeholder.

At the method level, a highly cohesive method will do
a single thing. A method with low cohesion will do
multiple things or things that are unrelated.
Cohesion also impacts testability, maintainability, and
reusability.
Let’s look at an example.

### Class Cohesion

<img src="ss/mod12/38.png" width=300>


Here’s an example that illustrates class cohesion.
Suppose we were designing software to implement a
blackjack card game.

In this design, all the components for the blackjack
game are modeled using a single class. The class name
is okay, but it’s doing to much…it has low cohesion.
For example, it is taking responsibility for modeling a
deck of cards, modeling the playsers, shuffling the
deck, calculating the value of a player’s hand, and so
forth.

A better design would model the different aspects of
the game as separate classes. We’d have a Card class
to model a playing card, a Deck class that would hold
a set of cards, and so forth. Each class has high
cohesion…each class represents a clear component
with well-defined responsibilities.

### Method Cohesion

<img src="ss/mod12/39.png" width=300>


Here’s an example that illustrates method cohesion.
Let’s suppose we’re building an application that
simulates ships at a port. A natural class for such an
application would be a Ship class.

Look at the names of the methods in this class. What
the getName and setName methods do are easy to
understand. They each do a single thing…and they
have high cohesion. But, what about the doStuff
method…what does it do? We get absolutely no clue
from its name. If we look inside the method, it’s doing
a whole bunch of things…and it has low cohesion.

A better design would be something like this. There
are more methods, but each one performs a single,
well-defined function…each has high cohesion.


### Cyclomatic Complexity

<img src="ss/mod12/40.png" width=300>


A very well-known metric that has been around for
some time now is cyclomatic complexity. Cyclomatic
complexity is a metric that measures how
complicated the control flow logic for a software
component is…where a component is the equivalent
of a function, or a subroutine in traditional
programming languages, and a class method in
object-oriented software engineering.

Cyclomatic complexity can be easily calculated from
pseudo-code or actual code. The formula is
simple…complexity is equal to the number of decision
keywords plus the number of ands and ors plus 1.
Decision keywords correspond to language constructs
that would cause control flow to depart from a
straight sequential flow…keywords like if, while, do-
while, for, switch, case, go to.

Cyclomatic complexity impacts testability,
maintainability, understandability, and reliability.
McCabe and others have reported that components
with very high complexity are likely to be
problematic…error prone, require more testing, and
are harder to understand and change. Software
engineers have historically used 10 as the upper
bound for complexity when designing components.

I can tell you from my own work that cyclomatic
complexity is correlated to the things I just
mentioned. A project that I worked on for a software
vendor client invloved analyzing about a million lines
of code for several of the company’s software
products. Those products that had high cyclomatic
complexity components were by far the most problematic components for my clients.

<img src="ss/mod12/41.png" width=300>


Here’s an example of calculating cyclomatic
complexity for a method written in Java programming
language. The method, named calculateGrade,
accepts an integer test score and calculates the
associated letter grade, passing it back to whatever
component called it.

The decision keywords in this example are all if-
statements. There are 5 of them and I’ve highlighted
them in blue. This method also contains three logical
“and” operators that I’ve highlighted in red. So…for
this method…the complexity is 9…5 decision
keywords plus 3 “ands” plus 1.


### Measuring Structure

<img src="ss/mod12/42.png" width=300>

There are a number of metrics that have been used in
software engineering that measure whether a
software component like a function or subroutine is
structured…that is, whether it follows the rules of
structured programming.

One such metric is the program knots metric, which
I’ve illustrated graphically here. There are a set of
formulas that can be used to make this calculation,
but they are complicated…and for our purposes the
visual example will suffice. And, in practice, tools exist
that calculate the metric.

A “knot” exists whenever one control flow path
crosses over another. In this example I wrote a little
Fortran code because it’s really easy to write
unstructured code with that language. I traced the
control flow paths with arrows, and wherever one
control flow path crosses over another I drew in a
little red circle corresponding to a knot. This code has
four knots so it is not structured.

Unstructured code also impacts testability,
maintainability, understandability, and reliability. The
more unstructured a code component is…the more
difficult it will be to test, maintain, and
understand…and the more error-prone it’s likely to
be.


### Information Volume

<img src="ss/mod12/43.png" width=300>


One more example of a computational metric is
Halstead’s Information Volume metric. It’s how much
information is contained in a software component
based on a count of operators and operands, as
illustrated here.

Halstead found that this metric impacts the amount
of maintenance and unit test effort. For a specific
component, the metric just computes a number. The
number by itself is not very revealing…it must be
correlated to other statistics such as hours to test or
hours to debug in order to make it useful in practice.


---