Comment:     by Yugal Joshi 11/12/2003 The article is really good. And it is really ironical that a defect itself is a problem and to solve that problem we are creating more problems by giving this severity and priority levels. I think to test means to deliver a high quality of a product (which invariably is less defect product) and this we should achieve by minimum fuss and chaos.
	Comment:     by Taidg Cosgrave 4/2/2003 Johanna, thank you for the challenge. I have been fighting for years to get Severity & Priority accepted; it is normally a case of one or the other. As a tester I would take issue with “Priority” dominates “Severity”, I push for Severity to be the main focus. Severity is unchanging; if something crashes or produces the wrong amount this does not change within a project or phase. Priority can change, if your Priorities are as follows: 1 – Must be done within 1 day 2 - Must be done within 2 days 3 - Must be done within 7 days Then after a day any “Open” Priority 2s should be upgraded to Priority 1s … With both Severity &...Read On
	Comment:     by Harriet Hardy 3/21/2003 Couldn't you use the priority of the requirement to which the defect is related to help manage defects? As a test manager, I would like my team to focus on the defects that affect the customer's most important requirements as well as the defects that will prevent release of the software.
	Comment:     by john van veen 3/19/2003 I think that Fiona made the clearest point so far. Priority is related to the (impact on) the test process, severity is related to the (impact on) the customer. Building on that idea the need to fix a defect will change in time; when approaching the release date the severity becomes more important. When it is possible to give both priority and severity a numeric value (say on a scale of 1 to 5, but any other scale will do for me), the need to fix a specific defect is defined by a ‘need2fix’ function depending on time: Fn(t). During the defect life cycle, our parameter t (time), will have a value in the interval [t0;t1], t0 being the time...Read On
	Comment:     by Kathy Iberle 3/14/2003 The problem with using a single variable to assess risk is that it assesses risk relative to the current release, but doesn't assess risk relative to future releases. If you're very close to the end of the project, and there's a serious penalty for not releasing on time, it makes sense to defer some defects till later. This makes them low priority. These same defects can be (often are) very high priority for the next release - but if you have only one field for priority/severity/whatever, then you don't have a place to state information about the seriousness of the problem. I agree that mixing severity and priority causes serious...Read On Author's Response: 3/15/2003     Kathy, you're right -- this scheme doesn't think past this release at all. Of course, these folks weren't going to be in business if they didn't release, but that's not the case for the general population :-)
	Comment:     by Brad Appleton 3/13/2003 I've actually seen systems that had three separate fields for each of Severity, Priority, and Urgency. Severity was allaged to be the impact upon operations at the customer site/installation; Urgency was an indication of a timeframe in which a resolution was needed (isn't it always "yesterday" :), and Priority was managements decision to make. So one was a measure of "customer pain", the others of "target resolution time" ("How bad does it hurt?" versus "How soon must you recover?") I think Urgency and Priority as separate fields is just too darn confusing and people dont seem to differntiate them well. In my experience the same can be...Read On Author's Response: 3/14/2003     Brad, thanks for explaining how you've seen priority and severity work together. It does require that project management (or when I've seen it work, a cross-functional management team) understand the consequences of their decision on the product and customers.
	Comment:     by Andrew Raybould 3/12/2003 A statement like "this causes the system to crash" is an objective fact about a defect, while "this must be fixed before we release" is a more subjective statement that is about the project as much as it is about the defect. Answers to questions like "what do we fix next?" and "how much must be done before we release?" need to be based on considerations of the latter sort, yet worthwhile statements in that domain can only be made with an adequate understanding of the former issues. The problem you have identified is that of failing to take the extra step of analysis before deciding what to do, and the three tiers are an addition to, rather...Read On Author's Response: 3/13/2003     Andrew, separating the defect's consequence and choice of action about the defect is a good idea. And many people leave that choice to the defect-tracking system rather than to people ("We fix everything with a priority/severity/whatever of some value.") Making the decision consciously is a good idea.
	Comment:     by Marc Duerr 3/12/2003 The 3 tiered ranking is a good approach to solve the problem of what to fix first. But from my point of view the questions we should ask to determin the criticality of a problem should always include the customer: Critical: The customer wants this to be fixed before it arrives on his (test)-system. Important: The customer want this to be fixed before it will go to the customers "customer". None the less it is not mandantory for the customer and the fix delivery will be done on mutual agreement. Minor: We can provide a workaround (which will most probably be stay forever) or the customer can live with the problem even on the live systems,...Read On Author's Response: 3/12/2003     Marc, you're taking overall risk into account, which is a good thing. I like the idea of not differentiating between internal and external customers, because otherwise too many things are deferred for too long.
	Comment:     by Ashwini Shirish Jorapur 3/12/2003 The above three levels are looking like a tailored version of different severities to me. On my experience, I have realized that we cannot have single entities like ‘priority’ or ‘severity’. Priority always dominates on severity. For example, if we consider the above 3 levels, what will be the priority of fixing, if there are more than one Critical bug? I think you will definitely agree with me that we should have priorities defined to fix different severity bugs. Author's Response: 3/12/2003     Ashwini, I don't completely agree with you. I agree that when you have several problems at the same ranking, you have to choose which one to fix (or verify) first. When there is more than one Critical problem, just as when there is more than one High Priority problem, the developer and manager talk, to make sure the most important work is done first. I've seen too many people pick and choose their work based on their manipulation of priority and severity, rather than what's most important to the project.
	Comment:     by edA-qa mort-ora-y 3/12/2003 I've always seen Priority and Severity as two independent fields. The severity of an issue is primarily an objective technical value (the application crashes, there is no workaround, etc.) and the priority is a subjective value that needs to consider user impact / business concerns. Naturally one would probably consider the severity of an issue when assigning a priority though. Author's Response: 3/12/2003     You may have seen objective severity assignments, but I have seen completely subjective severity (and priority) assignments leading to complete confusion. My job is to unwind the confusion, so the teams I work with can be more successful at work.
	Comment:     by Fiona Charles 3/11/2003 For me, it depends on where we are in the process. Your points make good sense at release time, when there should be no ambiguity about what does or does not have to be fixed. Although on any IT services project I've worked on, the list of mandatory fixes is decided by the whole management team: project manager, development manager, test manager, and architect -- and then reviewed with the customer. When I worked in software product development, we had a similar process, but with the Customer Service manager acting as proxy for the customers. During test execution, I find it very useful to have both severity and priority. Severity is the...Read On Author's Response: 3/12/2003     Fiona, you've hit the heart of the matter - bigger problems than just the bug ranking system. However, the urgent work kept them so busy they never realized that they had important work to deal with. Changing the ranking helped them organize their work to find a little breathing room, so we could work on the bigger problems.
	Comment:     by Tek Wallah 3/11/2003 Someone has to order defects. Obviously, in the shops mentioned, that person needed to be the manager, not the staff. Nevertheless, the more information testers and developers have about why particular defects are considered a problem, the better job they can do in handling the defects appropriately. Both the tester who felt over-whelmed, and the developer who didn’t care about the customer’s opinion, needed to be educated. In the cases mentioned, it sounded as though the manager needed to do a better job of communicating how customers interact with the product and how they are affected by defects. These testers and developers were working...Read On Author's Response: 3/12/2003     Tek, the technical staff in the article weren't intentionally kept in the dark. They were overwhelmed by their work, and had not kept up with the current project state. However, there are always developers who don't care about the customers' opinions or testers who don't know enough about the product to make good decisions. They have chosen to stay in the dark.
	Comment:     by Alicia Hinton 3/11/2003 Working in a regulated industry, we have found it to be helpful to have a higher degree of delineation in our Severity ratings. This helps us to identify the bugs that must be fixed prior to release (and only those bugs), and justify why the other ones do not. With only 3 tiers, there would be more bugs sitting in the must-fix bucket that didn't deserve that status. Approvers for placing a bug on hold are identified based on severity (all non-conformance to specifications require internal regulatory approval), so we can avoid having an army of reviewers for the lower severity bugs. We also use priority (3-tier), to help us to deal with...Read On Author's Response: 3/12/2003     Alicia, I agree, in a regulated industry, you need more clarification and specificity. And you're using the combination of priority and severity as risk - not just to your product customers, but also to your process customers. Smart idea.
	Comment:     by Joe Strazzere 3/11/2003 I've always felt that more than 3 levels was too many. I have used "High", "Medium" and "Low" with pretty much the same definitions as yours. During bug triage meetings at a prior company, we would quickly go over the open bug list. The President of the company would argue that she "absolutely" needed a particular "High" bug fixed. When I asked if she was willing to hold up the release for the fix, she would often say "No". Then I immediately changed the level to "Medium" - case closed! Author's Response: 3/12/2003     Joe, that's the rubber-meets-the-road question. Good for you!
	Comment:     by Mitchell Goldman 3/11/2003 To avoid such "fights," I've found it important for each group to have their say. That's why we have 3 ranking fields that only each group can specify: Severity (QA), Priority (Dev), and Priority (Help Desk). If there are any conflicts, the Project Manager breaks the tie. It also allows us to trace the history of the problem later on. If you only have 1 ranking field, you'll never be able to tell how you arrived at the final rank. Author's Response: 3/12/2003     Mitchell, which problems do the developers fix first, or do you somehow multiply the numbers together and fix the highest ranking problems first? If your team is using these fields successful, that's wonderful. However, I keep working with groups who are pathological about more than one field.
	Comment:     by Therese Cormack 3/11/2003 I like the idea of the 'absolute risk'. I will probably use that to classify the combination we use. We call them 'Business Severity' and 'IT Priority' to distinguish the severity as it would be appear to an end user and priority in fixing the defect. Author's Response: 3/12/2003     Therese, I agree that (for me) using the word risk has a better connotation to what the consequences are (of fixing or not).
	Comment:     by doug dahlby 3/11/2003 All the projects I've worked on with my current company have used a single 3-stage "priority" marking to indicate roughly the order in which bugs should be addressed. But of course, there is inevitable disagreement for how to assign priority. In the end, all parties came to a gentlemen's agreement that the strict definition of priority is an assessment of whether the product is ready to ship: priority 1 bugs must be fixed, priority 2 bugs should be fixed, and priority 3 bugs will be fixed only if resources allow. So in the end, priority is assigned (and periodically re-evaluated) by a management team. However, we used a...Read On Author's Response: 3/12/2003     Doug, I like the way your priority value has the risk of not fixing as part of the calculation. You didn't say, but are the people who evaluate the problems part of a cross-functional team? Since you come to a "gentleman's agreement," I assume they are. Cross-functional agreement is critical.
	Comment:     by Pat Barkman 3/11/2003 I concur, it's important to collect both severity & priority. But since they sometimes indicate opposing levels of importance, it's also valuble to bubble-up the Severity & Priority to a single attribute. I was happy to see the word "Risk" come up in this article. At our company we have 4 levels of each: S1 = System down, S2 = No work around, S3= has workaround, s4 = Cosmetic; P1=Fix now, P2=Fix soon, P3=Fix in future, P4= no specific fix time. We have more detailed explanations in our policy docs and test plans. The basic concept is that severity should be objective and priority is subjective -- Risk is a combination of the two. The classic...Read On Author's Response: 3/12/2003     Pat, your systems makes a lot of sense. (Love that Risk word.)
	Comment:     by Corey Snow 3/11/2003 Great subject. This is a perennial topic of debate in the profession. The question at hand is: Can a defect attribute that is ultimately irrelevant still serve an important function? Having implemented and/or managed perhaps a dozen different defect tracking systems over the years, I actually prefer having both Priority and Severity fields available for some (perhaps) unexpected reasons. Priority should be used as the 'risk scale' that the author describes. 3 levels, 5 levels, or whatever. Priority is used as a measure of risk. How important is it to fix this problem? Label the field 'Risk' if that makes it more clear. Not so complicated,...Read On Author's Response: 3/12/2003     Corey, Great counterpoint to my argument.
	Comment:     by David Dykes 3/11/2003 Based upon my experience if you have too many variables error management becomes confusing. Where I work we use Severity and Likelihood as parameters to deteremine the Priority. The severity is obvious, the likelihood allows the tester to determine how easy it is for the user to meet the problem and hence gives a measure of risk. Thus when dealing with the Developers for solutions we have a better understanding of the impact of the issue being addressed. Author's Response: 3/11/2003     David, this is a lovely example of using risk to determine which work should be done first. I am curious about how you can make a statement like "severity is obvious." I've clearly been a part of too many shouting matches where severity was NOT at all obvious. Maybe your product has fewer implicit requirements, or the marketing and engineering teams are on the same page, or you work with people with tons of experience in your industry. Good for you!
	Comment:     by Randy Gault 3/10/2003 Consider adding more values beyond Severity and Priority. Where I work, we use a system where the Priority is a value derived from the Severity and Frequency of the problem. If there's just one value describing a problem, then you can get into arguments about how you came up with that value. But if your report includes measures on the importance of the feature, how many users could be affected, how often, and in what way, then it becomes clearer how to prioritize rework, and any disagreements that occur have a framework for discussion that is more than "it's a Critical" vs "no it's not". In the end, you do have a single Priority value,...Read On Author's Response: 3/10/2003     Randy, is your Priority ranking really a Risk assessment? If so, that's a great idea, especially if you then use Risk when deciding which problems to fix. However, when I talk to groups where they're tied up in the priority/severity knots, and they can't agree on what's what, adding another variable to the mix seems unwise.
	Comment:     by Frank Patrick 3/10/2003 I had to smile at the comment about "too many critical...which should I do first?" Using the definition of criticality provided by Johanna, my immediate reaction would be to give the developer a coin to flip, and direct him to do sequential flipping of the coin between pairs of open critical defects. If they're critical, THEY'VE ALL GOT TO GET DONE!!! Stop the unnecessary analysis and get on with it. Of course, this assumes that these defects are independent of one another. If there are dependency relationships between various defects, that would provide additional clarity on which to do first....those that have to be done first to deal...Read On Author's Response: 3/11/2003     Frank, sometimes the coin flip is the best technique. (ouch) Most of the time, however, there are either interdependencies or areas that have more risk than others.
	Comment:     by Charles Reace 3/10/2003 The first question I would have asked concerning the severity / priority multiple combination quandary is, "Once priority has been assigned, what difference does the severity make when PRIORITIZING the work?" The priority rating should have been assigned based on all known factors, *including* severity. Once priority is assigned, severity becomes just another data point, mainly of historical interest only. I think we're probably saying the same thing in actuality, that ultimately you should end up with one prioritization rating of some small, finite number of possibilities. However, I would not "throw severity out with the bath water", so to...Read On Author's Response: 3/10/2003     Charles, Elisabeth Hendrickson agrees with you, and her counterpoint to this column will appear next week (as far as I know).
	Comment:     by Robert M Melendez 3/10/2003 Johanna, I like very much the direct connection of release intended to priority. I also like the simplification as an adjustment. Five levels may well be too many 'significant digits'. With my sense of humor, I even like that the number three makes the term 'triage' meaningful. An issue not addressed, that I've found every place I've worked, is the desire to tie immutable objective information to the priority. "It's a crash, it has to be top priority." "It's only documentation, we'll get to it later." There are only three levels of priority where I work now. But because of the objective urge, they have been crossed, as lost in...Read On Author's Response: 3/10/2003     Robert, it's not a problem if only the top three levels get fixed. What happens to the not-fixed-for-this-release problems? Do they go into the problem-bucket-in-the-sky? :-) Good luck with your nurturing.

Back to Top