TrainingConferencesAbout UsContact UsAdvertiseSQE.com
StickyMinds.com: brain food for building better software

Join

Join

Search For:

Clarify Your Search Criteria
Tips on Using Our Search Feature(s)
StickyMinds.com Home
ResourcesEventsTopicsPowerPassJobs
Software Testing & QA Online Community  >  Detail: Arguing Apples and Oranges


A StickyMinds.com Original
Article Picture
Arguing Apples and Oranges

By Elisabeth Hendrickson

Send This Content to a FriendGet a Short Link to This ContentPrint This ContentSee User Comments About This Content

Summary: Last week Johanna Rothman proposed that tracking the priority and severity on bugs can lead to confusion about what's really important. She suggested adopting a simplified classification scheme. I think that severity and priority are two different kinds of information and that it’s important to track both. Where there’s confusion, the problem is usually a lack of agreement about definitions and confusion about who is calling the shots on the project. A simplified classification scheme may limit the confusion, but it won’t solve the underlying problem. It may actually increase tensions as project team members feel others aren’t listening to their concerns.


Tricentis
Let’s peek in on a discussion in a bug triage meeting. 
 
Tim, the marketing manager, is shaking his head. “That’s a high on the severity scale. It’s really bad, guys. You have to make it a high.” 
 
Jordan, the development manager, is barely containing her frustration. Her eye is starting to twitch as she replies, “No, Tim. That’s not all that bad. It’s an inconvenience, I agree, but there’s an easy workaround.” 
 
“Inconvenience?!?” Tim says a bit more loudly than he intended. “You call not being able to print an inconvenience?!? That’s a disaster!” 
 
“Yes, I call not being able to print from one particular type of printer without installing an upgraded driver from the vendor’s website an inconvenience. The user just needs…” 
 
“I know what the user needs,” Tim cut in. “The user needs to be able to print out of the box! You can fix this in our code, right?” 
 
Jordan nods, “Yes, but we’d just be working around the vendor’s…” 
 
“Then fix it.” Tim stood over Jordan, glaring. 
 
“But it’s a medium at best!” Jordan objected. “The user isn’t losing any data, doesn’t have to reboot, isn’t crashing. They just have to update a driver.” 
 
This argument could continue forever. I’ve seen many arguments like this go on and on. What’s really happening here? Why are Tim and Jordan about to be at each other’s throats? 
 
Priority is Business; Severity is Technical 
Tim is looking at business priority: “How important is it to the business that we fix the bug?” Jordan is looking at technical severity: “How nasty is the bug from a technical perspective?” These two questions sometimes arrive at the same answer: a high severity bug is often also high priority, but not always. Allow me to suggest some definitions. 
 
Severity is levels: 
* Critical: the software will not run 
* High: unexpected fatal errors (includes crashes and data corruption) 
* Medium: a feature is malfunctioning 
* Low: a cosmetic issue 
 
Now you see why Jordan was arguing that the Print bug was a medium: a feature was malfunctioning. 
 
Priority levels: 
* Now: drop everything and take care of it as soon as you see this (usually for blocking bugs) 
* P1: fix before next build to test 
* P2: fix before final release 
* P3: we probably won’t get to these, but we want to track them anyway 
 
And now you can see why Tim was so adamant that the issue was a high. From his perspective, it was a P1 matter. 
 
They’re both right. It’s of medium severity, but P1 to fix. 
 
Priority is Relative; Severity is Absolute 
Further, the priority might change over time. Perhaps a bug initially deemed P1 becomes rated as P2 or even a P3 as the schedule draws closer to the release and as the test team finds even more heinous errors. Priority is a subjective evaluation of how important an issue is, given other tasks in the queue and the current schedule. It’s relative. It shifts over time. And it’s a business decision. 
 
By contrast, severity is an absolute: it’s an assessment of the impact of the bug without regard to other work in the queue or the current schedule. The only reason severity should change is if we have new information that causes us to re-evaluate our assessment. If it was a high severity issue when I entered it, it’s still a high severity issue when it’s deferred to the next release. The severity hasn’t changed just because we’ve run out of time. The priority changed. 
 
Priority and Severity Don’t Mix 
In response to Johanna’s column last week, some people suggested using both severity and priority to come up with a composite risk number. While this intuitively sounds like a way to resolve the priority-severity divide, I suggest using such an approach with extreme caution. It’s multiplying apples by oranges in an attempt to quantify bananas. Risk is yet a third type of information. 
 
The risk associated with any bug depends on the severity of the issue, certainly. But it also depends on the likelihood that the user will run into it as well as the possible losses that might occur. I don’t attempt to quantify all this when assessing the severity of an issue. In fact, I think that in most cases assessing the risk of a single issue takes more time than it’s worth. Only for potentially poisonous bugs involving dangerous fixes do I really want to weigh the risk of fixing it against the risk of not fixing it. 
 
Establish Work Precedence 
The best way to avoid confusion about what comes first is to ensure everyone in the organization takes their cues for work precedence from priority and nowhere else. Developers fix P1 defects first. Testers verify P1 fixes first. Technical writers document P1 issues first. Everyone works in priority order: the priority reflects importance to the business. Saying, “This bug is more severe than that one so I’ll work on it first” is as bad as saying, “I like this bug more, so I’ll work on it first.” The severity rating is technical information used by managers as a piece of the formula in determining the priority rating. The priority rating is the final word on the order in which the work is done by programmers, testers, and everyone else. 
 
The ultimate lesson here, regardless of the terms or levels you use to categorize your bugs, is that any classification scheme will only be effective if everyone agrees on definitions. So perhaps that’s the very first question to ask when an argument is brewing about severity, priority, or risk: “Help me understand exactly what information you’re using from each defect record and how you’re using it?” 
 
Reference 
Clarify Your Ranking for System Problem Reports, By Johanna Rothman

About the Author
Elisabeth Hendrickson (esh@qualitytree.com) is an independent consultant specializing in software quality assurance and management with fifteen years of experience working with leading software companies. You can read more about her ideas on quality and testing at http://www.qualitytree.com.

Back to Top 

StickyMinds.com Weekly Column From 3/17/03 

Member Comments
Add Your CommentExpand Comments
 
Comment:    
by veejay r 7/19/2010

Software bugs severity and priority, are they directly proportional or inversly proportional with each other?

 
 
Comment:    
by Moti D 9/6/2006

Excellent article, indeed, and I agree with everything said.



What I'm missing is how to lower (the overhead of large) Priority review cycles, done before every Major release or Service Pack. I mean that during the time, lots of bugs are accumulated in the system so you start the service pack with hundreds of bugs need to be reviewed. Some are moved to next version (will be reviewed again and majority may move to the following version), other are moved to next Service pack (and will be reviewed...Read On

 
 
Comment:    
by Srinivas Alugandula 5/5/2005

Could you please briefly describe with example for low Severity & high Priority and high Severity & low Priority.

 
 
Comment:    
by Amit Kantak 8/25/2004

Elisabeth, Nice Article, I read the article again and again to understand the underlying meaning of what you are trying to explain. My question to you after reading this article is that I agree " Priority overrides Severity " since Business comes first. But when somebody logs a sev. 1 defect its impact on customer has already been considered, and " Sev. 1 " means "Software unable to work and no workaround available " so it can't be underrated in Priority, at least definitely not below P2, What's your say ??

 
 
Comment:    
by Peter Clark 11/11/2003

Both articles focus on priority and severity as a metric to aid in making the decision about what gets done when. It appears that severity is used as a flag by somebody in the chain to influence the decision maker as to what a particular issues relative priority should be. Both articles neglected to address the issue of other uses for these metrics. For example, the severity metric could be potentially useful in assessing the health of the overall development process, e.g., number of high severity issues that reach system test before discovery. In my experience, the severity metric is often useless because of people in the chain trying to...Read On

 
 
Comment:    
by Tek Wallah 3/19/2003

I entirely agree with Ms Hendrickson’s conclusion. Priority is non-trivial to identify. It is the result of assessing all the other considerations: the potential damage to the customer; the frequency with which the defect will be met; what types of customer businesses will be most impacted; the particular individuals at the customer site who will be affected; how bad this will look to the press; how great the risk is from a defective fix…and on and on. Giving a numerical value to severity doesn’t make a lot of sense to me, because the person who assigns it probably doesn’t have the knowledge to assess the potential damage from the defect...Read On

Author's Response: 3/20/2003    
I like your prioritization consideration, "how bad this will look in the press." It's the Wall Street Journal Decision Criterion. In trying to elicit prioritization guidelines from upper management, it helps to say, "How would you feel if you woke up to find this bug reported on the front page of the Wall Street Journal?" Thank you for your comment!

 
 
Comment:    
by Larry Waters 3/19/2003

Much of this controversy could be avoided if software engineering professionals would first seek to understand international and professional standards. Standards authorities have already addressed this subject, specifically in IEEE Std 1044. It defines both Severity and Priority, essentially what's presented in this article. Commit yourselves to the Software Engineering Code of Ethics and Professional Practice (see clauses 3.06 and 8.05) at http://computer.org/certification/ethics.htm. Then go to http://shop.ieee.org/store/, search for 1044, buy it, adopt it, implement it, move on, and build systems that add value. It's called process...Read On

Author's Response: 3/20/2003    
Hi Larry, Thank you for noting the relevant IEEE standard. I think more companies would consider using the standards if they weren't so expensive. Just buying 1044 and 829, the test documentation standard, could eat up a large chunk of a QA or test group's book budget in smaller organizations. Further, the organization would still need to assess applicability before applying the standard in their context, so buying the standard may not end the controversy.

 
 
Comment:    
by David Buddenbaum 3/19/2003

Amen. I definitely agree. And, it also brings to mind the old adage "The only thing constant around here is change. They are constantly changing something." Make your priorities and stick to them unless some other disaster discovered by some astute tester overrides your previous decision. And, then be sure to explain why. No one likes to be left in limbo, especially when a high priority fix is almost completed and then you are told to drop it and work on another high priority problem.

Author's Response: 3/19/2003    
Hi David, Sounds like you have some personal experience with having your task stack yanked around. That can be frustrating. I completely agree that it's important to note the reasons for changing priorities. First, I think we all find it easier to accept change when we understand why it's happening. Second, perhaps if we review the reasons for shifting priorities, we'll discover some things we can do to reduce the chaos. Some change is inevitable: requirements shift as business conditions change. That's good and healthy. But sometimes priority shifts are due to unnecessary knee-jerk reactions. The key is knowing the difference and responding accordingly, and that where understanding "Why" comes in. Thanks for pointing that out!

 
 
Comment:    
by Christopher Meisenzahl 3/19/2003

Elisabeth, Thank you so much for writing this! I've been trying to explain this to clients for several years. You did a superb job. Keep up the great work, Christopher

Author's Response: 3/19/2003    
You're most welcome! Glad you liked it!

 
 
Comment:    
by Cem Kaner 3/19/2003

Hi, Elisabeth: I agree with you completely on the value of separating severity and priority. My consistent experience has been that organizations that try to characterize bug importance on one dimension suffer for it. The opinions of the bug reporter and the project manager often differ, whether we are speaking about "risk" or "urgency" or "badness" or any other name for the one dimension. If you have only the one dimension, one person wins and the other person's view is squelched. In my view, this is organizationally unhealthy. Some organizations characterize on three dimensions. * "Severity" is assigned by the bug reporter...Read On

Author's Response: 3/19/2003    
Hi Cem, I've never tried characterizing bugs on 3 dimensions, but I can see how it would ensure everyone's views are represented in making decisions. And you pointed out something I failed to: the bug reporter should set the severity, at least initially. Though I'll add that it's a good idea for a member of the technical team (whether tester, developer, or other) to review severities on new bugs to make sure the levels are being used consistently.

 
 
Comment:    
by Jon Vernon 3/18/2003

I agree that it is the lack of definition of the terms and the procedures of prioritizing work that cause the confusion. I have found that a well defined system of priority and severity rankings work well. I have one additional priority ranking that I use: "Suspended/Deferred." This is used when we can't fix a defect until some other event occurs, or if we recognize that this is a defect we are not going to fix. (Eg. The defect exists in the DOS version of the product that is no longer supported.)

Author's Response: 3/18/2003    
Hi Jon, I've sometimes had a priority like suspended/deferred, but my preference is to have different statuses instead. So if we're never going to fix the bug because it's in an unsupported version, I'd rather mark it Closed/Will Not Fix. At that point, priority doesn't matter: the bug is officially off the to do list. But that raises a whole other issue of what statuses to use for bugs in a bug tracking system...

 
 
Comment:    
by Brad Appleton 3/18/2003

Priority and Severity certainly represent distinct (albeit connected) perspectives, and while I agree priority is business, I think severity is a *customer* perspective that we assess in technical terms to help us make business decisions. When we say "severity" and "priority", we often must remind ourselves "of what?" -- Severity rates the impact of the problem upon the customer's operations; Priority rates the impact of the problem's resolution to the business (it's ROI, in a sense). Severity deals with the work 'stimulus' from the customer, Priority with the work 'response' from the business. I think the main reason there is so much...Read On

Author's Response: 3/18/2003    
Hi Brad, Good point: there is sometimes a difference between what's good for the customer and what's good for the business. Given that distinction, I agree that severity is customer-focused while priority is business-focused.

 
 
Comment:    
by David Ball 3/18/2003

I agree that Priority and Severity are very different animals. I have used a very similar design in my bug tracking system. Severity is the impact of the issue upon the application. Priority is the impact of the issue upon the user. "User" means, the person who uses the product. I chose "user" to avoid a war of words with marketing when bugs appear in internal tools - does a bug in an internal tool really cause the business to lose a sale? In the end, the Priority is really business based, but in this extraction we suggest that a bug that stops Development (internal tool) still has a large business impact. The bug tracking tool has ToolTips...Read On

Author's Response: 3/18/2003    
Hi David, you raise an important point about prioritizing bugs in internal tools that I want to highlight. When internal test tools break, they're often assigned a lower priority than shipping code. While it makes intuitive sense that it's more important to fix the product than the supporting tools, doing so habitually is usually a short sighted policy. Given that we already have to make decisions with imperfect and incomplete information, all the information we can gather through testing is precious. So when we can't test something because our internal testing tools are broken, it's like throwing away the key to a treasure trove of information.

 
 
Comment:    
by Neal Boswell 3/18/2003

If the development folks decide the severity and the business folks decide the priority, then what role does the tester play? I understand the development team must be involved to determine the technical complexity of the repair and the project manager is driving the timeline, but the test team has a role to play as well. It might vary depending upon what type of testing is taking place. A tester might provide valuable input regarding the severity while doing white box testing, but provide input as to the priority during intersystem testing. The important lesson (and I have learned from my mistakes!) is to define a process for...Read On

Author's Response: 3/18/2003    
Hi Neal, At a minimum, testers provide information about defects to help decision makers prioritize wisely. How much information and what kind depends, as you point out, on the role the tester plays on the project. In a lot of organizations I've seen, testers set the severity. That tends to work well because testers understand both the problem and the implication of the problem to the user. Whatever process is in place, I completely agree with you that it's critical to define it early.

 
 
Comment:    
by Bob Evans 3/18/2003

We use different actual wording to describe each level but the definitions reflect how we do it and are pretty logical to me. Try thinking of it as severity relating to production impact whereas priority relates to process impact. In other words, severity levels reflect the potential impact on the business if the bug occurred AFTER go-live. Priority levels reflect the actual impact on the test process NOW if the bug is not resolved. Both are relevant but consider the impact of the bug from different perspectives.

Author's Response: 3/18/2003    
Hi Bob, Thanks for your perspective on severity/production/after, priority/process/now. I'll have to think on that some more...

 
 
Comment:    
by balvinder Potdar 3/18/2003

This analysis is good but I still am confused about this definition "Priority is Business; Severity is Technical". If we say Priority is Business then Severity is also very much related to business for that matter everything we do for a project. After all what ever we do and analyse is for client's business only. when we say, Priority is assigned so that it should get solved early and dont hurt the business, then so does the severity, after seeing the severity only a manager assigns the priiority.

Author's Response: 3/18/2003    
Hi Balvinder, You make a good point: everything relates to the business. However, severity is only one factor the manager considers in assigning priority. Other factors might include what else is currently on the plate (not everything can be a P1, after all), how much time is left in the schedule, and possibly even who is available to fix the issue. The way I see it, assigning a severity should be a relatively straightforward application of some general guidelines while assigning a priority is much more of a juggling act. Does that help?

 
 
Comment:    
by yogita sahoo 3/18/2003

Excellent analysis of Priority/Severity factors for defects. I have little concern about the conclusion that ‘Priority is Business’. I don't disagree. But my point is, prioritizing in true business-sense is correct only when marketing/cust-support is involved. Like in your story, Jim prioritizes it as P1 bug. But if Jordan had to prioritize, it would definitely be a P3. If a tester had to do the same job, the bug probably gets prioritized as P2. In some organizations test team files bugs and prioritizes the same. In others, Project leaders prioritize while test team files. But never ever Marketing/Cust-Support prioritize bugs, and they...Read On

Author's Response: 3/18/2003    
Hi Yogita, I confess I'm confused. Are you saying that marketing and customer support shouldn't be making prioritization decisions? Roles vary by organization, of course. Some organizations have a single person--usually a product manager, project manager, or program manager--with full accountability for the success of the project. Others have a management team with representatives from each of the functional groups (test, development, marketing, customer support, etc.). Whoever is guiding the project, whether an individual or a management team, should be the final decision maker on bug priorities. Either way, I think the customer's voice in the process is critical, whether they participate directly (as on XP projects) or are represented by marketing, customer support, or another surrogate.

 
 
Comment:    
by Srinivasan Desikan 3/17/2003

Good points and excellent perspectives. I agree that all perspectives are to be taken into account when defects are analysed and limiting levels may not solve the problems. However, I don't want to agree that priority is business and severity is technical. Severity should also reflect the impact to the customer becuase of a defect. If there is a nasty defect that was found but customer usage will not enter that portion of the code, then severity is not "extreme". Priority also should take into account the side effects becuase of a defect fix. If from business perspective something is P1, but by making a fix, if it is going to put the...Read On

Author's Response: 3/18/2003    
Hi Srinivasan. You raise several good points. I agree that it's a good idea to understand the impact, probability, and occurrence of potentially serious issues when triaging them. (I don't want to track that information for every bug, but it's important analysis to do for dangerous bugs.) I also agree that "don't worry about testing this P3 issue" is a big red flag for testers. It's a good idea to test around changed areas in addition to testing a fix for exactly that reason. However, I don't try to assign severity according to customer impact based on usage. My problem is that I don't have perfect knowledge of what the customer will do. So if a bug corrupts data, even if I think it's highly unlikely a user will run into it, I would call it a high severity. The perceived unliklihood of the event will be reflected in the priority.

 
 
Comment:    
by Alex Verkhovsky 3/17/2003

This issue indeed leads to many misunderstandings. Sme time before commencement of the system test, I usually do a half-hour briefing for developers about bug tracking procedure. Out of this half hour, something like a third is actually devoted to this topic. My main message: severity is "how bad the bug is" and decided by us, testers. Priority is "how soon we plan to fix it", and decided by you, developers. Usually they corresppond, but not necessarily. I like your idea to describe gradations of both with different words. "High severity" and "high priority" sound like synonyms. "high severity" and "P1 priority" probably makes the...Read On

Author's Response: 3/18/2003    
Hi Alex. I agree that getting agreement with everyone on the project team about how to use the bug tracking system is a great idea. It's funny how 5 different people can fill out a "simple" form at least 6 different ways.

 
 
Comment:    
by Robert M Melendez 3/17/2003

I believe you and Johanna agree. Johanna addresses the confusion that comes from not separating the two in the minds of the engineers. You address the benefits that accrue when that separation can be accomplished. Johanna and you both say talking to severity when you mean priority confuses the issue. Johanna says focus on priority, when that confusion is a problem. You say when you get that far, severity can be very useful. It sounds like a one-two punch to me.

Author's Response: 3/17/2003    
Hi Robert. What a wonderful synthesis of our two points of view. Thank you!

 
 
Comment:    
by Robert E. Lee 3/17/2003

I like your analysis, Elizabeth. One caution: developers *WORK* on P1 problems first, but often encounter and repair P2 or P3 errors in the P1 effort. I think it's unwise to overlook the serendipity factor in search & repair work. I also think that clarifying who establishes severity vs. who establishes priority is vital in avoiding squabbles. Business owns the priority, development owns the effort estimates. Keeping an open mind for feature work-arounds is important for priority trade-offs, especially in iterative development.

Author's Response: 3/17/2003    
Good point, Robert. I did say "developers fix P1 issues first." I should have said "developers work on P1 issues first." I agree that there is a distinction between *work* and *fix.* Thank you for noticing that! And I love your phrase "serendipity factor."

 
Back to Top



 
Ads By Google
What's This?
 
 

About Us   |   Contact Us   |   Terms & Conditions   |   Privacy Policy   |   RSS Feed



© 2013 StickyMinds.com. All rights reserved.
PNSQC

Tricentis



Agile Development Conference & Better Software Conference West