Software Quality Assurance (QA) can play a vital role in providing clear vision into the development process. A great deal of support is expected from QA by the project management team in this regard, even though the role of QA is to ensure process compliance. Above all this vision is required to prevent any undesirable event that might be triggered by the process being observed.

Whether injection of a new defect or a schedule slippage, it can be traced and acted upon based on the "eyesight" one maintains into the process. QA looks at the process as an independent agent and brings out this eyesight that provides confidence to the development and project management team that nothing can go wrong without their knowledge.

One of the common problems with software development organizations of low- and medium-process maturity is that the priority is always to maintain the economic stability of the organization. Such organizations cannot afford to invest more money in process improvement because their future is unpredictable. Here is the opportunity for QA to play a useful role. This composite model is a guideline for such a QA role, typically in organizations where the basic development practices are not yet formalized but working toward defining and implementing processes based on ISO 9001 or CMM guidelines. Applying this model enhances transparency in the process that helps the process-owners take necessary action when uncontrolled situations occur.

Model Description
The composite model shown in Figure 1 integrates both the QA process and the measurement process. It is structured such that the objectives of both processes are obtained together. Of the ten elements of this model, two are "Common Elements," four are "Elements of the QA Process," and the remaining four are "Elements of the Measurement Process."

Figure 1: Composite model

1. Identifying key processes
A common question among managers, especially quality professionals, is how to identify the key processes. In organizations where CMM guidelines are implemented, the key processes are already identified. But in the case of low- and medium-maturity level organizations, it is a struggle to identify the key processes. Here is a simple solution that I would like to suggest. Go for a walk with your CEO on a sunny day and ask him a simple question: "What are the factors for success of our business?" After you have listened carefully, record the factors that most impact your processes. If you have no process to accommodate the CEO’s priority factors, define a new process. The processes most directly and heavily impacted by those priority factors are the key processes.

For this article we’ll focus on the most obvious and general process—the development lifecycle. A number of related activities include the development process, the project management process, the configuration management process, the review process, the testing process, the measurement, and analysis process, etc. An organization has to identify the key processes based on their criticality and relevance to business growth. The key processes should be well defined and controlled to a great degree, as even a small variation in these processes will have a great impact on business performance.

2. Identifying key activities
As these key processes are formed with a set of various activities, it is essential to identify these activities and individually control them to have better control over the entire process. For example, the configuration management process comprises various activities such as identifying and maintaining configuration items, baselining these items at appropriate stages, maintaining baseline records, and configuration status accounting. Once these activities are identified, the individual compliance of these activities can be periodically monitored to ensure compliance to the overall configuration management process.

3. Compliance monitoring
A measurement of compliance is essential to monitor and control these activities. A simple approach to compliance monitoring that I use is given in Figure 2. The identified key activities of the key processes are monitored for their timely compliance. Attributing a numeral to the status of completion of these activities provides a way to see the measure of compliance; for example, attributes such as 1 (for completing on time), 0 (for not completing), and 0.5 (for completing with delay).

Figure 2: A simple spreadsheet to measure process compliance

In this approach, various key processes are broken down into key activities and a compliance rating can be obtained at any point. A weighted factor is arrived at for each of these key processes based on the importance and criticality of these individual processes to overall business performance. The overall process compliance rating is obtained by measuring the weighted average of the individual process compliance measurements.

4. Assessing the variation
Variation is an enemy to process compliance and to process maturity. It is essential to assess the variation to understand how far the process has deviated. Once the extent of deviation is known, the cause of such variation is analyzed to take proper corrective measures so that the variation can be eliminated or minimized.

5. Identifying key parameters
Key parameters are either process measurements that characterize the process, or product measurements that characterize the product. The identification of such key measurements is critical, as suitably identified measurements give the required amount of visibility, so that the process is well controlled and the product is well built. In the case of development and project management processes, the effort, schedule, and number of defects are typical examples of such measurements.

6. Measuring key parameters
It is important to measure the key parameters and represent them in numbers. According to Lord Kelvin, "When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind. Then how do you control it?" It is a real challenge to quality professionals to devise the right mechanism that measures the identified key parameters with accuracy. Various tools and mechanisms such as timesheets for weekly activity reporting, project trackers for schedule tracking, and defect loggers for defect tracking and defect management, are used for this purpose.

7. Metrics analysis
The absolute measurements described above give "eyesight" into the process; however, they do not directly give you control over the process or over quality. Such metrics are derived from comparing with expected or estimated measurements. Such metrics, or compliance ratings, are used to control the process that results in process maturity and product quality. For example, once the defects associated with reviews and testing at various development stages are measured, the metric "Defect Removal Efficiency" can be calculated. By setting targets or statistically controlling this metric, one can analyze and take corrective action when an out-of-control situation is found. Such corrective activities are detailed later in this article. Figure 3 provides a typical defect removal efficiency of various development stages in a project.

8. Process control—taking corrective action
The quantitative measurement of the QA process (compliance rating) and the measurement process (metrics) represent process compliance and process maturity. Statistically controlling these measurements helps the process owners to take corrective action when these measurements cross control limits. Corrective actions are taken based on the detailed root-cause analysis of the out-of-control situation. The role of QA based on this composite model triggers the corrective action process. Figure 4 shows a typical process compliance rating chart based on data collected over a period. The Q shows that the process is out of control, as the compliance rating is less than the lower control limit (LCL) by 60 percent.

Figure 4: Process compliance measure chart

A similar statistical approach is applied for metrics to control the maturity of the process.

9. Escalating
Escalation is an inevitable step in any project. Noncompliance with the process is overlooked many times, not only due to negligence but also due to other commercial priorities. Escalation is a process through which the process-owners and the business-leaders are made aware of the need for corrective action when the process gets out of control repeatedly. Escalation plays a vital role in low- and medium-maturity organizations, where the process is adhered to when it is comfortable to follow, but discarded when other priorities interfere. Here I would like to give a note of caution: escalation is a step that has to be taken with much care and with the right intentions; otherwise, it can create chaos within the organization, since many times escalation is considered as a complaint.

10. Adding to the knowledge base
One of the valuable assets of an organization is its past experience. Unless the data associated with each project is organized and preserved in a systematic manner, it is hard to retrieve such information when required in the future. QA can play a role in taking the initiative to identify such assets and preserve them for future use. Such data include the variations found to the original estimates, root causes identified for major variations to the acceptable limits, corrective actions taken, etc. For example, the effort associated with one project and the estimation-variation will help the organization do better estimation on future projects. This is a service QA can offer to the other groups within the organization. This QA service eventually results in process maturity.

Benefits of the Composite Model
This Composite Model provides the project management team a comfortable and confident working atmosphere as QA takes the role of monitoring and measuring the process. Such an in-depth involvement of QA enables it to foresee the risks that are likely to impact the progress and quality of the work. Raising warning signals at the right time helps the project management team to take action toward mitigating and handling risks.