Modelling Software Inspection Methods for the Application of Tool

6 downloads 0 Views 259KB Size Report
any inspection, which can consequently be used as input to an inspection support tool, .... In this case, they include the document under inspection (the product) and .... Entry. Kickoff. Checking. Logging. Edit. Follow-up. Exit. Brain- storming ...... IEEE Transactions on Software Engineering, 13:1027{1037, September 1987.
Modelling Software Inspection Methods for the Application of Tool Support F. Macdonald and J. Miller Empirical Foundations of Computer Science (EFoCS)  RR-95-196 [EFoCS-16-95] December 1995 Abstract

Software inspection is a widely used method for nding defects in all types of software development documents. There are many variations on the method, each of which is designed to be used under certain circumstances or to address some perceived fault in those which already exist. A desirable attribute of inspections is that they are rigorous, i.e. the process is executed identically for each inspection that takes place. This allows feedback from each inspection to give guidance on expected future performance and also to suggest future improvements. Recent work in tool support for inspection is designed to tackle the issue of enforcing a rigorous inspection, but these tools tend to concentrate on enforcing only one, usually proprietary, inspection variation. This paper investigates existing inspection methods and derives a generic inspection process which can be used to describe any of these methods. This process is then used to determine a notation for describing any inspection, which can consequently be used as input to an inspection support tool, allowing the support of any inspection method.

1 Introduction Software inspection is a method for statically verifying documents. It was rst described by Michael Fagan in 1976 [3]. Since then there have been many variations and experiences described, but a typical inspection involves a team of four or ve people reviewing and understanding a document to nd defects1 . The bene ts of inspection are generally accepted, with success stories regularly published. In addition to Fagan's papers describing his experiences [3, 4], there are many other favourable reports. For example, Doolan [2] reports industrial experience indicating a 30 times return on investment for every hour devoted to inspection of software requirement speci cations. Russell [18] reports a similar return of 33 hours of maintenance saved for every hour of inspection invested. This bene t is derived from applying inspection early in the lifecycle. By inspecting products as early as possible, major defects are caught sooner and are not propagated through to the nal product, where the cost of removal is far greater. There are many variations on the basic inspection method. For example, Active Design Reviews [16] are intended to associate responsibilities with each reviewer. N-Fold inspections [14] aim to increase inspection e ectiveness by replicating the inspection a number of times using independent teams. Formal Technical Asynchronous review method (FTArm) [10] is an asynchronous review method which removes the need to have group meetings. These are just three of many variations. The variation used will depend on the document being inspected, past experience of inspection, team preference, criticality of inspection, and so on.  Department of Computer Science, University of Strathclyde, Livingstone Tower, Richmond Street, Glasgow, G1 1XH, U.K., +44 (0)141 552 4400, [email protected] 1 We use the terms `defect' and `error' interchangeably.

1

One desirable attribute of an inspection is rigour. The process must be rigorously followed to ensure repeatability, which is essential if feedback from the process is to be used to improve it. Rigour is also important to ensure the inspection is as e ective as possible. At the same time, some descriptions of inspection can be ambiguous or misleading. It therefore becomes dicult to enforce the proper inspection process, since the interpretation of guidelines will di er from person to person. Feedback from many slight variations of the process may not help improve the overall eciency. Recently, there has been interest in providing tool support for software inspection. Tools such as Scrutiny [7] and ICICLE [20] attempt to enforce the inspection process and support team members by allowing on-line annotation of documents, providing defect detection assistance and collecting inspection metrics. A full review of such systems can be found in [13]. A key feature of all systems, however, is that they help enforce the inspection method being used. Unfortunately, such systems tend to support only one speci c, proprietary method. As previously described, there are many useful inspection methods for which one may require support. The aim of this paper, therefore, is to study inspection methods, with a view to deriving a generic inspection process which can be instantiated to describe any inspection. From this, a process description language will be evolved which can be used as input to an inspection support tool. Hence, the tool could then be capable of supporting any inspection process.

2 Existing Inspection Methods In this section, the most important inspection methods are de ned. Several are well-used, while others are less well-known, but provide important concepts and ideas on an e ective inspection process. For each method, background and a description of the method are provided, along with a summary of the process. Except where absolutely necessary, the description is limited to the details provided in the original description, and we have not tried to ll in the obvious gaps which occur in some methods.

2.1 Fagan Inspection

The original inspection process was de ned by Michael E. Fagan in 1976 [3], with an update published ten years later [4]. A Fagan inspection team consists of four to six people, with each person having a well-de ned role in the inspection. The moderator is the person in overall charge of the inspection. It is the moderator's task to invite suitable people to join the inspection team, distribute source materials and to organise and moderate the inspection meeting itself. The inspection requires the presence of the author of the product under inspection. The author can give invaluable help to the inspectors by answering questions pertaining to the intent of the document. Any remaining team members are cast as inspectors. Generally, their only duty is to look for defects in the document. However, at the inspection meeting, two inspectors are given special roles. The reader paraphrases the document out loud. The recorder is tasked with noting all defects found, along with their classi cation and severity. Although Fagan indicates that this task is accomplished by the moderator, another member of the team is usually chosen, since the workload involved can be quite high, though mainly secretarial. Fagan describes ve stages in the inspection process, depicted in Figure 1. The inspection begins with an overview, involving the entire team. The author describes the general area of work then gives a detailed presentation on the document produced. This is followed by distribution of the document itself and any necessary related work to all team members. Each team member then carries out individual preparation, consisting of studying the document to gain an understanding of it. Errors in the document will be found during this stage, but, according to Fagan, not as many as will be found at the next stage. Checklists may be used to help inspectors focus their e ort on the most worthwhile parts of the document. The next stage is the inspection meeting, involving all team members. The reader paraphrases the document, covering all areas. During this process inspectors can stop the reader and raise any issues they have discovered, either in preparation or at the meeting itself. The team then discuss the issue until agreement is reached. If an issue is agreed to be a defect, it is classi ed as missing, wrong or extra. Its severity is also classi ed (major or minor). At this point the meeting moves on. No attempt is made to nd a solution to the defect; this is carried out later. After the 2

Overview

Preparation

Inspection

Rework

Follow-up

Figure 1: The original inspection process de ned by Michael Fagan. meeting, the moderator writes a report detailing the inspection and all defects found. This report is then passed to the author for rework, where the author carries out modi cations to correct the defects found in the document. A follow-up phase then occurs, where the moderator ensures that all required alterations have been made. The moderator then decides whether the document should be reinspected, either partially or fully. Although not explicitly stated by Fagan, we assume this verdict is presented in a report. It is also unclear whether partial or full reinspection is a continuation of this inspection, or whether a new inspection is convened on the same document. We assume the latter. The Fagan inspection process is summarised in Table 1. For each phase the table lists the phase timing (where appropriate), the participants, the documents made available and the documents produced. `Product' refers to the document undergoing inspection, while `sources' indicates the documents used when creating the product. For example, a low-level design document may be the source document for a section of code.

2.2 Structured Walkthroughs

Another popular method is Yourdon's Structured Walkthrough [22], which has aims similar to those of inspection, but tends to be less formal and less rigorous. Yourdon de nes seven possible participant roles. The coordinator is the person tasked with planning and organising the walkthrough, and also takes the role of moderator during the walkthrough meeting. The role of the scribe is to take notes on the walkthrough, including any defects found and suggestions made. The presenter is tasked with introducing the product and is usually the author of the product. The role of presenter is optional. There are also a number of reviewers, whose task is to nd defects in the product. The remaining three roles are maintenance oracle (who is concerned with future maintenance of the project), the standards bearer (whose remit concerns adherence to standards) and the user representative (whose task is to ensure the product meets the user's needs). Although Yourdon describes these as separate roles, it can be seen that they are simply reviewers with special responsibilities. The Structured Walkthrough process is shown in Figure 2. The rst phase is organisation which begins with the producer requesting a walkthrough. The producer supplies the appropriate documentation to the coordinator, who then distributes it to all participants. The coordinator also arranges a time and place for the walkthrough and contacts all participants to con rm the arrangements. The participants now spend the appropriate amount of time preparing for the walkthrough by reviewing the product. During this stage the producer should be available to answer questions and help participants familiarise themselves with the document. Although this preparation phase is not explicitly described 3

Phase Overview

Timing Participants Documents available S M,A,I Product Sources Preparation A M,A,I Product Sources Checklists Inspection S M,A,I Individual error logs Product Sources Rework A Product Sources Master error log Follow-up M Product Master error log

Documents produced Individual error logs Master error log Inspection report

Follow-up report

Table 1: Summary of Fagan inspection phases and the possible timings, participants, resources and products of each phase. Timing is either synchronous (S) or asynchronous (A). Participants are moderator (M), author (A) and inspector (I). Documents available indicate documents which are usually made available during the phase. In this case, they include the document under inspection (the product) and the documents from which this document is produced (sources). Documents produced indicates those documents which are created during the phase.

Organisation

Preparation

Walkthrough

Rework

Figure 2: The Structured Walkthrough process presented by Yourdon.

4

Phase Timing Participants Documents available Organisation C,P Preparation A C,P,R Product Walkthrough S C,P,R Product Individual error lists Rework C,P Product Error list Follow-up C Product

Documents produced Individual error lists Error list Summary

Table 2: Summary of the structured walkthrough phases and the possible timings, participants, resources and products of each phase. Timing is either synchronous (S) or asynchronous (A). Participants are coordinator (C), producer (P) and reviewer (R). The documents made available, and those produced by each phase, are also listed. by Yourdon as a separate phase, for our purposes it shall be treated as such. The walkthrough itself begins with the presenter providing an overview of the product. The length of this overview will depend on the familiarity of the participants with the document. The product is then presented in its entirety and reviewers have the opportunity to make comments. Comments from the preparation phase which require no explanation can be passed straight to the producer and the scribe. As reviewers present other comments, the producer may ask for clari cation, but should not spend time arguing about the validity of the comment. As with other review methods, there should be no discussion on how each defect may be corrected. The walkthrough phase should last between thirty and sixty minutes and nishes with a vote on the status of the product. After the walkthrough, the coordinator prepares a management summary and a list of detailed comments. These comments are distributed to all participants. The producer then makes the required alterations to the product during the rework phase, deciding on the validity of each comment and seeking guidance from the other participants as appropriate. Finally, a follow-up phase occurs to ensure that the required changes have been made to the product. The phases, participants and documents present during a structured walkthrough are summarised in Table 2.

2.3 Humphrey's Inspection Process

The inspection process described by Humphrey [8] is very similar to that described by Fagan; however, there are some major di erences. The inspection team consists of a number of people with the expected roles, although they are named moderator, producer and reviewer. The phases described are virtually identical in name to those described by Fagan, but the actual process is di erent. The process is depicted in Figure 3. The planning stage allows for selection of participants and preparation of entry criteria. The overview stage is identical to that of Fagan. It is during the preparation stage that the rst deviation from Fagan's process occurs. Here, reviewers are asked to nd and log defects, unlike Fagan's method where defect detection is deferred until the meeting. These defect logs are then passed to the producer for what could be termed the analysis phase, where the individual logs are analysed and consolidated into a single error list. At the inspection meeting itself, the producer addresses each defect and can ask reviewers to clarify the meaning of each defect. A list of agreed defects is then produced. The meeting is followed by the typical post-inspection activities of rework and follow-up. This inspection process is summarised in Table 3, which describes the possible timing of each phase and the documents required and produced.

2.4 Gilb Inspection

One of the most comprehensive texts on software inspections is that of Gilb and Graham [6]. The method they describe is obviously based on Fagan's work; however, it also incorporates other lessons. 5

Plannning

Overview

Preparation

Analysis

Inspection

Rework

Follow-up

Figure 3: The inspection process described by Watts Humphrey.

Phase Planning

Timing Participants Documents available Documents produced M,P Inspection objectives Participants list Overview S M,P,R Preparation A R Product Error logs Checklists Preparation report Standards Analysis P Error logs Consolidated log Inspection S M,P,R Consolidated log Master error log Inspection report Inspection summary Rework P Product Master error log Follow-up M,P Product Master error log

Table 3: Summary of Humphrey inspection phases and the possible timings, participants, resources and products of each phase. Timing is either synchronous (S) or asynchronous (A). Participants are moderator (M), producer (P) and reviewer (R). The documents made available, and those produced during each phase are also listed. 6

Entry

Planning

Kickoff

Checking

Logging

Brainstorming

Edit

Follow-up

Exit

Figure 4: The inspection process as described by Gilb and Graham. One such lesson is the defect prevention process described by Jones [11]. This discussion is limited to the inspection itself. There are three de ned roles in this type of inspection. The leader is in overall charge of the process and is tasked with planning and running the inspection. The author of the document is a required participant. As well as attending the logging meeting, the author should also take part in checking. The remaining team members are checkers, whose duty is simply to nd and report defects in the document. During the logging meeting, one of the checkers is assigned the role of scribe and logs the issues found during the inspection. The process is illustrated in Figure 4. It begins with ensuring that some entry criteria are satis ed. This ensures that the inspection is not wasted on a document which is fundamentally awed. This is followed by inspection planning, where the leader determines inspection participants and schedules the meeting. This phase produces a master plan for the entire inspection. The next phase is kicko , where the relevant documents are distributed and the inspectors briefed. Participants are assigned roles and goals are set. Such goals include checking rates to be met and expected error rates. The next phase, checking, is where each checker works alone to discover defects in the document. These potential defects are recorded for presentation in the next phase, the logging meeting. The logging session is a highly structured meeting where potential defects (`issues') found by the checkers are collected. The emphasis here is on logging as many issues as possible and to this end the meeting is moderated by the inspection leader, who ensures that discussion is kept focused and criticisms are minimised. In addition to defects 7

Phase Entry Planning Kicko Checking

Timing Participants Documents available L Entry criteria L S L,A,C A L,A,C Product Sources Standards Checklists Procedures Master plan Logging S L,A,C Issue lists Process Brainstorming S L,A,C Edit A Product Issue log Follow-up L Product Exit L Exit criteria

Documents produced Master plan Issue lists

Issue log Process improvements

Table 4: Summary of Gilb and Graham inspection process. Timing is either synchronous (S) or asynchronous (A). Inspection participants are leader (L), author (A) and checker (C). The documents made available, and those produced during each phase, are also listed. found during checking, other potential defects may be found at the meeting itself. The meeting can be followed by a brainstorming session to record process improvement suggestions. After all potential defects have been logged, the author takes the issue list and performs an edit on the product. At this point, the issues are also classed as defects. A follow-up phase then occurs where the leader ensures that the edit phase has been properly executed. Finally, some exit criteria must be satis ed before the inspection can be declared complete. These criteria typically consist of such items as checking rates, which must be within certain limits, and predicted number of defects left in the document. From the above description it can be seen that the fundamental di erence between this process and that of Fagan is the stage where defect detection is carried out, i.e. during an individual phase rather than in a group phase. The process is similar to Humphrey's, but the similarity is not complete, since the producer is not expected to analyse defect logs before the meeting. Instead, each checker simply presents defects when they are reached in the document. A summary of Gilb and Graham's process, along with documents available and documents produced at each stage, is given in Table 4.

2.5 Asynchronous Inspection

All the inspection methods described so far have had one common element: a meeting where the entire team get together to log and discuss defects. This meeting can be expensive to set up and run, however, since one must ensure that all team members are available at the same time, arrange suitable meeting space and so on. An alternative to an inspection meeting is to hold the entire inspection asynchronously, that is provide some means of supporting discussion without the entire team being present at the same place and time. The simplest example of an asynchronous activity is that of Usenet, the worldwide electronic news forum. Discussion proceeds by one person posting an article, which is then read by many people. Some of these people then reply to this article by posting a reply, usually containing an edited version of the original article. This process continues, allowing discussion to take place without everyone being present at the same time. A similar system can be used for inspection. By allowing users to access an online version of the document, they can add comments (indicating potential defects) to the document using some type of annotation technology. These comments can then be made available to other inspectors, who can 8

Setup

Orientation

Private review

Public review

Consolidation

Group Review Meeting

Conclusion

Figure 5: The asynchronous inspection process. comment on the comments. This procedure can continue until a consensus is reached on the status of the original comment, as either a defect or a non-issue. Once discussions have been completed on all comments, the inspection is complete and the document can enter rework. Such an inspection method has been implemented using a review tool called Collaborative Software Review System (CSRS) [10]. The tool implements an inspection method known as Formal Technical Asynchronous review method (FTArm) [9]. As with traditional inspection, FTArm de nes several roles: moderator, producer and reviewer. The process itself is shown in Figure 5 and consists of seven phases. The rst phase is setup, which involves choosing the members of the inspection team and preparing the document for inspection via CSRS. This involves organising the document into a hypertext structure and entering it into the database. Orientation is equivalent to overview in the Fagan process, and may involve a presentation by the author. Private review is similar to preparation. The inspector reads each source node in turn, and has the ability to create new nodes containing annotations. These annotations can include issues indicating defects, comments pertaining to the intention of the document, which may be answered by the producer, and actions, which indicate a possible solution to remove a defect. When each reviewer has covered each node (or sooner, if required), the inspection moves on to the next phase. In public review, all nodes become public and inspectors can asynchronously examine each one and vote on its status. Votes cast can either con rm the issue, discon rm the issue or indicate neutrality. Additional nodes can be created at this stage, immediately becoming publicly available. When all nodes have been resolved, or if the moderator decides that further voting and on-line discussion will not be fruitful, the public phase is declared complete. During consolidation, the moderator analyses the results of the private and public review phases, and summarises unresolved issues. The moderator can then decide whether a group review meeting is to be held to resolve the remaining issues. The nal inspection report is then produced by the moderator during conclusion, along with a metrics report. From this description it can be seen that FTArm is inherently computer-based. Computer support is essential for providing an asynchronous discussion environment. A summary of the FTArm process 9

Phase Setup Orientation Private review

Timing Participants Documents available Documents produced S M,P S M,P,R A M,P,R Product Issues Checklists Comments Actions Public review A M,P,R Product Issues Issues Comments Comments Actions Actions Consolidation M Issues Consolidated issues Comments Consolidation report Actions Group review meeting S M,P,R Product Issues Actions Conclusion M Reports

Table 5: Summary of the FTArm asynchronous inspection phases. The timing of each phase can be synchronous (S) or asynchronous (A). Roles de ned for the process are moderator (M), producer (P) and reviewer (R). The documents made available, and those produced during each phase, are also listed. Overview

Review

Discussion

Figure 6: The Active Design Review process. and the artifacts used and created during the process is given in Table 5.

2.6 Active Design Reviews

The Active Design Review (ADR) process [16] was designed to ensure thorough coverage of design documents. The technique di ers from traditional inspection processes in that instead of one review involving a large number of people, several smaller reviews are held, each one concentrating on di erent types of errors and involving a subset of reviewers. Reviewers are chosen based on their speci c skills and assigned such that each section of the document undergoes each type of review. Essentially, only two roles are de ned for the ADR process. A reviewer has the expected responsibility of nding defects, while the designer is the author of the design being scrutinised. There is no indication of who is responsible for setting up and coordinating the review. The process consists of three phases (Figure 6). It begins with an overview phase, where the designer presents an overview of the design and reviewers are assigned review types and document sections, and meeting times are set. The next phase is the review itself, which consists of each reviewer individually completing questionnaires speci c to their assigned error type. Although each reviewer has an assigned responsibility, there are also reviewers looking at the document overall, since the other reviewers are tightly focused. This phase is the equivalent of the checking phase in Gilb inspection. The nal stage, discussion, is where the designers read the completed questionnaires and meet with the reviewers to discuss issues raised. Several meetings are held, usually one for each reviewer responsibility, involving only that reviewer and members of the design team. Hence the meetings are 10

Phase Overview Review

Timing Participants Documents available Documents produced S D, R Product A R Product Completed questionnaires Questionnaires Discussion S D, R Completed questionnaires

Table 6: Summary of Active Design Review phases. Timing is either synchronous (S) or asynchronous (A). Participants can be designers (D) or reviewers (R). The review is based around the completion and discussion of appropriate questionnaires. The documents made available, and those produced during each phase, are also listed. Phase 1

Phase 2

Phase N

Figure 7: The Phased Inspection process. kept very small; at no point does the entire inspection team come together for a meeting. When issues are agreed on, the review is complete and the designers make appropriate changes to the design document. Active Design Reviews are summarised in Table 6.

2.7 Phased Inspection

The Phased Inspection technique was developed by Knight and Myers with the goal of permitting the inspection process to be \rigorous, tailorable, ecient in its use of resources, and heavily computer supported" [15]. A phased inspection consists of an ordered set of phases, each of which is designed to ensure the product possesses either a single, speci c property or a small set of related properties. The phases are ordered so that each phase can build on the assumption that the product contains properties that were inspected for in previous phases. The properties that can be checked for are not necessarily those concerned purely with defects of functionality. They can include such qualities as reusability, portability and compliance with coding standards. The process is depicted in Figure 7. There are two types of phase: single-inspector and multiple-inspector. A single-inspector phase uses a rigorous checklist, with the inspector deciding whether the product does or does not comply with each item. The phase cannot be completed until the product satis es all checks. These phases are carried out by lone inspectors. In contrast, multiple-inspector phases are designed for properties which cannot easily be described by the binary questions in single-inspector checklists. The appropriate documents are initially distributed to each participant, who begin by examining this information and generating questions which clarify and improve the documentation. The product is then inspected individually by each inspector. This individual checking makes use of a checklist that is both application speci c and domain speci c, though the questions are not binary, as they are in the single-inspector phase. The individual checking is followed by a meeting, called a reconciliation, in which the inspectors compare their ndings. In a good inspection, the results from all inspectors will be very similar. Note that although it is not designed to do so, the reconciliation provides a further opportunity for fault detection. Phased inspections are designed to allow experts to concentrate on nding defects that they have specialised knowledge of, thus making more ecient use of human resources. For example, it may be more ecient to have domain analysts inspecting code for reusability, since they will have expert knowledge in that particular eld. The phased inspection technique is summarised in Table 7, including the documents required and produced at each stage.

11

Phase Single inspector

Timing Documents available Documents produced Product Error list Checklist Completed checklist

Multiple inspector Examination

A

Inspection

A

Reconciliation

S

Product Question list Sources Product Sources Checklist Completed checklist Product Completed checklists

Table 7: Summary of the Phased Inspection phases. All phases are asynchronous (A), except for the group meeting, which is held synchronously (S). Unlike other inspection procedures, no roles are de ned for participants. The major inspection artifacts are checklists, which are used for both single and multiple inspector phases. The documents made available, and those produced by each phase, are also listed. Inspection 1 Planning and Overview

Collation

Rework and Follow-up

Inspection N

Figure 8: The N-Fold inspection process.

2.8 N-Fold Inspection

The N-Fold inspection process [14] was based on the idea that the e ectiveness of the inspection can be improved by replicating it. While two teams may individually nd 40-50% of the total number of errors in the document, one team may nd errors not found at all by the other and vice versa. There will be some overlap between the errors found but the new defects found can outweigh this disadvantage. By increasing the number of teams performing the inspection, the percentage of errors found overall will gradually increase, until a point where the cost of nding more defects (i.e. using more teams) is greater than the bene t gained from removing those extra defects. The technique was originally designed to be used for user requirements documents, since errors injected here are the most expensive to x, but it could be used any time that removal of defects is of paramount importance, such as in safety critical systems. In addition to the personnel required to hold each inspection, N-Fold inspection requires the services of a coordinator2, whose task is to coordinate the teams and collect and collate the inspection data. This is achieved by meeting with the moderator from each team. The description of N-Fold inspection given in [14] is rather vague, apart from the essential feature that multiple inspections are carried out by independent teams. Therefore, the following description is an extrapolated process, which would be necessary to e ectively implement an N-Fold inspection. The process is shown in Figure 8. It begins with the usual planning stage of a traditional inspection; however, this stage also includes deciding the number of teams to participate and other details relevant 2 This role was originally termed `moderator', but since each inspection team already contains a moderator, and to avoid con icting terminology the title `coordinator' has been adopted.

12

Phase Timing Participants Documents available Documents produced Planning C Overview S C, M, I Product Inspection Defect lists Collation S,A C,M Defect lists Master defect list Rework A Product Master defect list Follow-up C Product Master defect list Table 8: Summary of the N-Fold inspection phases. The only group phase is the collation stage, which can be asynchronous (A) or synchronous (S). Particpants roles coordinator (C), moderator (M) or inspector (I). Documents and particpants of each phase are listed, except for the inspection stage, where they depend on the exact inspection method(s) being used. to an N-Fold inspection. There will also be an overview stage to familiarise the participants with the context and content of the document and the goals of the inspection. This is followed by a number of (usually concurrent) inspection stages, each of which is entirely independent. This means they use completely independent teams, and possibly completely di erent inspection processes. For example, one team may use Fagan inspection, another may use Active Design Reviews and yet another may use an asynchronous inspection. Using di erent inspection processes improves the independence of each inspection, and will hopefully nd more errors in the document. Once each inspection has been completed, the process enters a collation phase, where the results of each inspection are tallied and collated by the coordinator. This stage produces a master list of defects which are given to the document's author for the traditional rework phase. This would be followed by a follow-up phase ensuring the required items have been addressed. The N-Fold inspection process is summarised in Table 8. Note that many of the details of this process depend on the inspection method being used. Generally, the inspections produce defect lists which must be collated into a single list.

3 Deriving a Generic Software Inspection Process The major inspection variations have been analysed and a generic inspection process capable of describing all processes can now be derived. This process should describe the essence of inspection, yet provide exibility in that each inspection variation can be adequately expressed. First, two existing frameworks for describing inspection processes are discussed.

3.1 Existing Software Inspection Frameworks

One attempt to de ne a framework for software inspection is that by Kim et al. [12]. Their Software Development Technical Review (SDTR) framework is based on three methods: Fagan Inspection, Yourdon's Structured Walkthrough technique and Freedman and Weinberg's Technical Reviews (FWTR) [5]. Freedman and Weinberg's work is not discussed in the previous section since the work is encompassed by the methods described. The SDTR framework describes core features of each review type and the major variations present in each technique, and is intended to allow comparison of review types. Key features are those which are common to all three review types. Variations are features which di er in at least one review type. These features are divided into several categories. In the rst category, Aims and Bene ts, a common aim of all reviews is to improve the quality of software by detecting errors, whilst actual bene ts, both quantitative and nonquantitative, depend on the particular review method. Key Human Elements are the use of a moderator and the allocation of roles to participants. Variations 13

here include the actual roles de ned, the tasks performed by each participant and team size. The next category is the Review Process itself. Common elements include the use of meetings and prescribing a maximum meeting duration. Variations include the number of meetings held and the degree of process control used. Review Output has only one key feature: the fact that each review produces some form of report. The actual report contents vary greatly between review type, along with how these reports are used. The Other Matters category is intended for features which do not t into the other categories. There are no key features here, but variations include defect de nition and the prerequisites required for the review to take place. Although this framework is a useful starting point, it has several shortcomings. First of all, it is based on only three techniques. Many other methods exist which are not taken into account, such as Phased inspection and N-Fold inspection. In addition, the text on FWTR is simply general advice on carrying out inspections, walkthroughs and technical reviews, and does not provide a single review process description, as Kim et al suggest to the contrary, although common features of review types can be extracted. The framework is also imprecise. Although it is intended to help compare methods it does not provide enough detail for accurate comparison. This imprecision also precludes its use in describing new methods. Since precise description is a key requirement, the SDTR framework is unsuitable. Another framework is described by Tjahjono [21]. This framework is intended to characterise review processes so that they can be modelled for use in a software inspection support tool, a similar requirement to ours. This framework is based on seven inspection methods, namely Fagan, Humphrey, Yourdon, ADR, Phased, FTArm and Cleanroom [19]. We do not speci cally address the Cleanroom method since it is based on the work of Fagan. The framework breaks each review variation into a series of phases. Each phase can be classi ed by three characteristics: objective, interaction mode and technique. The objective describes the goal of each phase, and can be one of comprehension, examination or consolidation. A comprehension phase is concerned with becoming familiar with and understanding the document. An examination phase is intended to be used for nding defects. A consolidation phase is where items found by individual reviewers are collated into an agreed form. The interaction mode is concerned with the degree and type of collaboration. A group interaction involves all participants together, while an individual interaction involves each reviewer working alone. A selective subgroup interaction involves only a subset of the inspection team. With a group or subgroup interaction, the type of collaboration can also be de ned, either synchronous or asynchronous. The nal characteristic is the technique used by participants to achieve the stated objective, of which there are several types. Inspection techniques vary from straightforward free review to checklist assisted inspection. Consolidation techniques include discussion and voting. Techniques may also involve the use of tools. Each phase may also have a set of entry and exit criteria associated with it. The criteria usually de ne properties that can be expected of both review artifacts and participants before and after each phase. Using this framework, the author summarises each of the seven inspection methods as a sequence of phases, along with the appropriate characteristics. Although this framework is more comprehensive, there are still areas which have not been tackled well. For example, a potentially important inspection method is N-Fold inspection [14], where a document is inspected multiple times using one or more inspection methods. While this may be modelled using the Tjahjono framework, the inspections may only occur serially. It is important that the inspections can occur concurrently, otherwise the expense of the inspection, in terms of time required to execute it, will far exceed the bene t of nding more errors. Similarly, the interpretation of Phased inspection is unnecessarily constrained. Another drawback is the lack of recognition of administrative tasks such as planning. These tasks are an integral part of the inspection process and must be modelled in some way, especially if it is intended to make use of computer assistance. Simply describing the inspection as a series of generic phases may restrict the support which can be provided for each phase as the objectives are too general. Since, as has been shown, inspections consist of a limited number of well-de ned phases, it is preferable to explicitly model as many of these phases as possible. Although both frameworks described make useful contributions, neither adequately expresses the full range of inspection activities possible. In the next section a generic software inspection process is 14

Organisation

Detection

Completion

Figure 9: The three stages of a software inspection. Entry

Planning

Overview

Figure 10: The organisation stage of a software inspection. derived.

3.2 Initial Process Derivation

The derivation of a generic inspection process begins with a simple observation: every inspection has three major stages: Organisation (deciding on participants, timing and other details), Detection (performing the actual inspection and nding errors) and Completion ( xing the errors and checking the work done). These three broad stages are present, to a greater or lesser extent, in all the inspection methods described in the previous section. The rst and last stages only vary slightly between various inspection methods, while the major variations appear during the detection stages. This provides us with an outline of a generic inspection process, as shown in Figure 9. In the next three sections, each of these stages will be expanded.

3.3 Organisation Activities

The earliest inspection phase described is the entry phase proposed by Gilb and Graham [6]. This phase ensures that speci c criteria are met before the inspection starts, reducing the chances of a wasted inspection. This becomes our rst inspection phase. This phase is optional depending on the actual inspection type. The next phase is some form of planning, sometimes known as set-up. At this point the moderator has to organise the numerous details of an inspection. This ranges from choosing and inviting participants, preparing documents and support material, and deciding how to split the target material. Other typical activities include distributing inspection material and assigning roles. This phase is an explicit part of some types of inspections, particularly Humphrey and Gilb, and it is implicit in all others. For example, in an Active Design Review, this phase is not described explicitly but presumably is where reviewer responsibilities are assigned. The nal activity during organisation is overview, present in numerous methods. This phase is multi-purpose, with many possible activities. A major event is usually a presentation on the document by the author. This phase is optional. Figure 10 summarises these three possible phases and the order in which they may occur. Overview is the most described phase of the three, but the planning phase is at least as important. The entry phase is only described by Gilb and Graham, but provides a clear start to the inspection.

3.4 Detection Activities

The next step is to examine the detection stage in more detail. A traditional inspection generally has two phases here: an individual phase and a group phase. Gilb and Graham, Fagan and Humphrey all have this type of arrangement, and so do the multiple inspector phases of phased inspections. An obvious rst step is to assume that the detection may have two type of phases: individual and group. This can be generalised further, however, by saying that detection will consist of one or more meetings. Meetings can then be categorised according to their timing (synchronous or asynchronous), objective 15

Meeting

Self-check

Figure 11: The detection stage of a software inspection. Inspection 1

Collation Inspection N

Figure 12: The N-Fold variation of the inspection process. (examination, detection or collection), the number of participants and whether data is shared between participants during or after the meeting (public and private visibility, respectively). For example, individual preparation in Fagan inspection is simply an asynchronous meeting with four or ve participants, where the data created is kept private to each participant. On the other hand, the inspection meeting itself is a synchronous meeting where data is available to all participants. These two meetings represent the detection activities of Fagan inspection and it can easily be seen that the approach is similar for both Humphrey and Gilb inspection. Now consider phased inspections. A single inspector phase is simply a meeting with only one person in attendance. A multiple inspector phase is similar to a Fagan or Humphrey inspection. So the entire phased inspection can then be described as a series of generic meetings. Active Design Reviews consist of a single individual phase followed by multiple group phases, each with di erent participants. This can also be modelled as a series of meetings. Next, consider the FTArm asynchronous process. Private and public review can be described by two generic meetings, however, there is also a period of consolidation where the moderator must decide if a synchronous group meeting should be held. This consolidation step can be generalised to a self-check phase where the moderator should ensure that the inspection has proceeded satisfactorily. If not, the inspection should be able to move back to another meeting phase, allowing us to model the optional group review meeting in FTArm. The generalised process is shown in Figure 11. It takes into account the above discussion and simply describes an arbitrary series of meetings, each of which has a set of associated attributes, possibly interspersed with self-check phases. Finally, as was shown in Section 2, one of the most radical ideas for performing inspections involves the use of two or more independent teams. These teams will inspect the same material, possibly using independent inspection methods, at the same time. A requirement of this technique is the presence 16

Rework

Follow-up

Exit

Figure 13: The completion stage of a software inspection. of a collation phase to assimilate the results from the independent inspections. To increase exibility, multiple collation phases are allowed. This leads to the process shown in Figure 12. Each detection stage (1 to N) represents a complete detection process as described in Figure 11.

3.5 Completion Activities

The last stage is perhaps the most well-de ned. Essentially, there are two objectives here: defects found during the inspection must be corrected, and the changes which have been carried out must be checked. These two objectives are achieved in the rework and follow-up phases respectively. During the rework phase, the author of the document tackles each defect found during the inspection. This phase is called the edit phase by Gilb and Graham and they also use this phase to assign a nal classi cation to each defect, unlike Fagan inspection where this is performed at the inspection meeting. With the changes being made to the document, it is now usually the moderator's duty to ensure that the changes have been carried out satisfactorily. At this point the moderator must also decide whether or not the document should be reinspected. This will depend on the extent and type of defects found. The average number of defects found per page of document should also be compared with a historical gure for this type of document. An unusually high or low value may indicate an extremely defective document or an ine ective inspection, respectively. In either case the document should probably be reinspected. The phase of rework is essential to the inspection. After all, it is pointless to nd errors and not x them. The follow-up phase is also a well-accepted practice, since it makes sense to validate the results of the inspection before moving on. It is at this point that the moderator decides whether or not to hold a reinspection. The follow-up is not de ned for all inspections, and is therefore optional. In addition, one other phase should be considered, the exit phase, proposed by Gilb and Graham. This phase is intended to validate the inspection, by ensuring that such criteria as checking rate and defect density have been met. As with the entry phase described by Gilb and Graham, it is assumed that some form of exit criteria are set and met, though these may be implicit. Figure 13 shows the possible completion activities.

3.6 Inspection Participants and Documents

Having derived the process, possible participants can now be decided, along with the possible resources required at each phase and the products generated by the inspection. Starting with the people involved, the key participant is the moderator, whose task is to plan and coordinate the entire inspection. The moderator will select and invite other participants, ensure that the required documentation is available and up-to-date, and moderate any group meeting that may be held. The moderator is sometimes referred to as the leader, and is required in every inspection. The next participant to be considered is the author. As the person responsible for the document under inspection, the author usually has two main tasks: to brief other inspection participants on the document and to x any defects found during the inspection. The author can also be known as the producer. The nal participants are those whose main responsibility is nding defects: the inspectors (known variously as reviewers or sometimes checkers). A typical inspection will require the services of two or more inspectors. It is therefore required that the number of possible inspectors is not constrained in any way. Given the assignment of reviewers to speci c defect types that is practiced in ADRs, and a similar scheme using scenarios proposed by Porter et al. [17], the ability to assign responsibilities to 17

Phase Organisation

Timing Participants Documents available

Entry Planning Overview

S

C,M C,M C,M,A,I

Meeting

S,A

M,A,I

Self-check

-

M

Collation

S,A

C,M

Rework

-

A

Follow-up

S

C,M,A

Exit

-

C,M

Detection

Completion

Entry criteria Product Product Sources Checklists Standards Procedures Inspection plan Individual defect lists Individual defect lists Master defect list Master defect lists Product Collated defect list Master defect list Product Collated defect list Master defect list Exit criteria

Documents produced Inspection plan Individual defect lists Master defect list Report

Report Collated defect list Report Report

Table 9: Summary of generic inspection phases and the possible timings, participants, resources and products. Timing is either synchronous (S) or asynchronous (A). The possible participants are coordinator (C), moderator (M), author (A) and inspector (I). Possible documents available each phase, along with documents that may be produced during each phase, are also listed inspectors is also required. The responsibilities will usually indicate a set of inspection aids which would assist inspectors in nding their assigned types of defects. Further roles are de ned for two of the inspectors if a traditional synchronous group meeting is held. The recorder (or scribe) is tasked with making a note of defects raised at the meeting. This master defect list is passed to the author for rework. The other role is reader, which involves guiding the pace of the meeting. The nal participant is only relevant to an N-Fold inspection. The coordinator is tasked with coordinating the entire inspection, much like a moderator, but dealing with multiple inspections rather than just one. The coordinator will typically only interact with the moderator of each inspection team involved, collating the results from each inspection. Therefore the coordinator is only involved in the entry, planning and overview phases of the organisation stage, the collation phase of the detection stage, and the follow-up and exit phases of the completion stage. From the process descriptions in Section 2, it can be seen that documents used and produced during each phase can be divided into several generic types:  Product The document undergoing inspection.  Report A report simply details the outcome of a phase, or of an entire inspection. It is usually completed by the moderator.  Inspection Plan This is created during the planning phase and is the de nitive prescription of the inspection process and the people who will follow it. 18



Source A document used to produce the document undergoing inspection, for example, the design

document for a section of code.  Detection aid A document which assists the inspector with nding errors. This includes checklists which help to ensure adequate coverage of both the document and of common error types, items such as scenarios which assign responsibilities to each inspector and questionnaires.  Standard The document will usually have to conform to a set of standards for that document type. These standards are used for compliance checking during the inspection.  Defect list These contain the defects (issues) found during the inspection. There may be individual lists produced by a single inspector, master lists which contain the results of the team's e ort or collated lists which contain the results of multiple teams. These lists may also be used to contain general comments about the document and actions to repair defects.  Procedure This type of document describes the process to be followed at each phase in the inspection. Gilb and Graham [6] suggest they should be subject to checking along with other material.  Criteria Inspection entry and exit criteria may be required. Entry criteria ensure the inspection is not wasted on unsuitable material while exit criteria are used to ensure the inspection has been carried out correctly. Such criteria include inspection rates and estimated percentage of defects found. Of course, some of these are only useful during certain phases, therefore the notation should only provide relevant alternatives at each phase. At the same time, the exibility of the notation should not be unnecessarily limited. Table 9 summarises the roles, resources and products relevant to each inspection phase. Note that the coordinator is only present in an N-Fold inspection, and that the roles of reader and recorder may only be assigned during a synchronous group meeting. This table should be taken as a guide only, and we should allow for other possibilities, within reasonable limits.

4 Inspection Process Modelling Language 4.1 Existing Process Modelling Languages

As stated previously, our goal is to develop a notation to adequately describe current inspection processes to allow their modelling, support and enforcement by an inspection tool. The notation chosen should be able to form the input to such a tool. Other requirements include simplicity and readability. Many general purpose process modelling languages have been proposed. A diculty with these languages for our application is that they are too general. Although a exible notation is required to allow all inspection variations to be described, there is also a well-de ned outline process which we need to enforce. Rather than take an existing language and apply arti cial constraints, it is preferable to de ne a new language which implements those constraints. Such a language will also be easier to parse, due to its reduced complexity. General purpose process modelling languages may also require extensive programming skills from their users. Ideally, an inspection description language should be simple to use for non-programmers. The only existing inspection modelling language is that described by Tjahjono [1], based on his inspection framework and used in an inspection tool called Collaborative Software Review System (CSRS) [10]. Developing a new inspection process involves writing a Lisp program describing the process and its related data. A set of macros are available to implement the process, and these are divided into four types. Data macros are used to describe data nodes in the system and are closely related to the type system of the underlying CSRS technology. Process macros are used to de ne review phases and data access privileges for each person during the review. These are based around 19

a single multi-purpose phase which can be given attributes, such as objective and interaction mode, de ned within the framework. Interface macros are used to specify the user interface presented to each participant. Finally, source macros de ne the parsing rules for documents being inspected. The language su ers from some of the same problems as the framework which it is derived from. Having a single multi-purpose phase is quite limiting in that it is dicult to adequately express the highly focused phases at the start and end of the inspection. Other questions arise with respect to computer assistance. For example, the framework introduces the idea of roles, but it is not clear how responsibilities are associated with these roles, other than basic moderator/author/inspector duties. The data model is oversimpli ed and only provides source nodes (containing the document to be inspected), commentary nodes (containing defects, actions and general comments) and checklist nodes. There is no provision for documents such as reports and standards, and it is not clear whether checklist nodes can contain defect nding aids other than checklists. As the language is based on a set of Lisp macros it is tightly coupled to the underlying system, making it dicult to use in another inspection tool, unless that tool is also written in Lisp. Implementing a new inspection process essentially involves writing code at the level of this underlying system, and would seem to require a fairly high level of programming skill. Moreover, the code is very bulky; the description of the FTArm method consists of over two thousand lines of code. It is our intention to describe a language which is both concise and system independent, and should be simple enough to obviate the need for extensive programming experience. The following sections describe the grammar of the inspection description language. It is described using a Backus-Naur style of notation. In this notation, a phrase in italics is non-terminal, while words in typewriter style indicate language keywords. The `::=' operator is used to show expansion of nonterminal clauses. A plus indicates one or more instances of a given clause, while opt indicates that the clause is optional. Finally, square bracket indicate alternatives, with the alternatives separated by vertical bars.

4.2 Structure of Process Description

The description of a software inspection consists of two parts. The rst part contains declarations listing the participants and their roles, along with the documents which will be used and created during the process. The second part describes the process itself. There should also be a facility for naming the inspection. The initial de nition of the inspection is then: software inspection ::= inspection inspection name declarations process end

::= string ::= \'" [letterjdigitj\ "j\ "]+ \'" The keywords inspection and end are used to delimit the description. inspection name is simply an arbitrary string surrounded by quotes, and may include spaces. The next de nition is that of the declaration section: declarations ::= declarations inspection name string

document declarations responsibility declarationsopt participant declarations end

The inspection documents, participants and responsibilities are described in the following sections. Our rst de nition of the inspection process itself is simply: process ::= process organisation process detection process completion process end

20

This mirrors the process described earlier, consisting of the three major phases of organisation, detection and completion. Each of these parts is described in more detail later.

4.3 Inspection Document, Participant and Responsibility Declarations

The rst section within the declaration part of the description describes all documents which are available and created during the entire inspection: document declarations ::= documents document de nition+

document de nition document name identi er document type

::= ::= ::= ::=

end

document name document type identi er [letterjdigitj\ "]+

[productjreportjplanjsourcejdetection aidj standardjdefect listjprocedurejcriteria] This section simply de nes names for each of the documents to be used within the inspection. When the inspection is instantiated and run, part of the planning task is to associate the real inspection documents with each document de ned. The format of such documents as criteria lists and reports is therefore left to the implementation. The de nition of each phase of the inspection will require the documents present and created during that phase to be de ned. This will be achieved by the use of several lists indicating categories of document. For example, one list will contain all the documents produced during the phase. It is important to note that these document categories are not the same as the document types de ned above, although there is some similarity and the types will be used to constrain the documents which can appear in each list. Each phase de nition will use some combination of these document de nitions to list the document types which are required or which are optional. Any document name appearing here must be declared within the document declaration section. The rst of these introduces target documents, which may be of any type described above and are the actual documents being inspected. There is no constraint on the type since it is not unreasonable to allow standards, checklists and other supporting material to be inspected at the same time as the product. targets ::= targets document name+ The outputs keyword indicates the documents created by the phase, which may either be of reports or defect lists. In the case of the planning phase there may be also be plans. outputs ::= outputs document name+ The remaining six categories correspond to six document types, as follows: sources ::= sources document name+ detection aids ::= detection aids document name+ standards ::= standards document name+ defects ::= defects document name+ procedures ::= procedures document name+ criteria ::= criteria document name+ The sources keyword indicates documents which have been used to create the document being inspected, such as the design document for a section of code. The detection aids item indicates detection aids which the inspectors should make use of during this phase, while standards indicates standards which should be consulted. The defects item indicates any defect lists which are brought to this phase. For example, the master defect list is usually brought to the rework phase, while each inspector may bring an individual defect list to a group meeting. The procedures item is used to introduce documents which indicate the procedure which should be followed when executing this phase. criteria indicates any lists of criteria which must be met. The documents appearing in each of these entries must match the type of the entry. Finally, the inspection master plan, if created, is implicitly available during all phases and should not appear under any of these entries. 21

The next part of the description is concerned with describing the participants involved with the process and the responsibilities which they may be assigned. A common inspection practice is to assign reviewers responsibility for certain defect types, thus hopefully improving the coverage and e ectiveness of the inspection. This responsibility usually comes in the form of a checklist or other defect nding aid. Therefore, our rst task is to allow responsibilities to be de ned in terms of documents listed above: responsibility declarations ::= responsibilities responsibility de nition+ end

::= responsibility name requires

responsibility de nition

document name+

end

::= identi er Each responsibility has a name and a list of documents associated with it. These will usually be checklists or other detection aids, but may also include standards or any other document type. These documents should be made available by the support tool during the inspection. The list of participants has the following form: participant declarations ::= participants responsibility name

participant de nition+

participant de nition

end

::= participant name is

role+ participant defectsopt responsibility assignmentopt end

::= identi er participant name ::= defects document name+ participant defects responsibility assignment responsibility responsibility name+ role ::= [coordinatorjmoderatorjauthorjinspector]

There will usually be several constraints on the selection of participants. Typically, there must either be one moderator, or one coordinator and several moderators, depending on the type of inspection. This constraint is not part of the language because it may unnecessarily limit its exibility. Instead, it is left to the implementation to enforce such restrictions as required. Zero or more authors may be declared, to allow maximum exibility. Any number of inspectors may also be declared. The defects subclause indicates the document which this participant will use to record defects. Finally, the responsibility names used must be previously declared in the responsibility declaration section above. Note that any single person may have more than one role or responsibility. During a defect detection stage, any participant with no de ned responsibility will only be given access to documents de ned in that phase, i.e. those generally available. One such possible document is a general checklist used by everyone. The participants description is simply a list of people involved and the names of their roles. Note that the participant list is not a list of the real people involved; it simply lists the names of the `characters' in the inspection and the roles they will play. For example, a Fagan inspection may have: Moderator is moderator

indicating that the person called Moderator is executing the moderator's duties. Contrast this with a Gilb inspection, where the person carrying out the task of the moderator is known as the leader: Leader is moderator

This convention allows the naming of roles in any way required, allowing us to use terms which coincide with any inspection practice. This also allows many people to take the same role, for example to have multiple inspectors, each with a unique responsibility: Inspector_MF is inspector

22

defects MF_defects responsibility Missing_Functionality end Inspector_AM is inspector defects AM_defects responsibility Ambiguity end

For each phase of the inspection the participants required to be present must be indicated. This is achieved with the following two de nitions: participant ::= participant participant name participants ::= participants participant name+ The rst de nition indicates that only one participant should be present, while the second indicates the possibility of more then one person taking part. The use of these de nitions will be shown along with each phase, but any participant name used within these clause must have previously been declared in the participants declaration section.

4.4 The Organisation Process

As seen in Section 3.3, the organisation stage may have three phases: organisation process ::= entryopt planning overviewopt This simply shows the order in which the three phases must occur, and indicates that the entry and overview phases are optional. Each of these phases is de ned in turn, starting with the entry phase: entry ::= entry phase name criteria end

phase name ::= string

This de nes a name for the entry phase and indicates one or more lists of entry criteria which must be met before moving into the planning phase. The only participant during this phase is either the moderator or the coordinator, depending on the type of inspection, therefore no participant list is required. The next phase de ned is planning: planning ::= planning phase name participants outputs end

Again, this phase may be named according to the method being described. Although planning will generally involve a single moderator, multiple participants must be allowed for, especially in the case of an N-Fold inspection, where the cooperation of several moderators and a coordinator may be required to form the inspection plan. In this case, the coordinator should have overall control over the planning stage, while the other participants can provide input. With multiple participants there must be either a single moderator or a single coordinator. Again, this constraint is left to the implementation. The output is usually a plan, but may include procedures. The nal organisation activity is overview: overview ::= overview phase name participants presenter participant name

end

This phase requires the de nition of the participants involved, and the naming of the presenter. The presenter is the person who carries out the brie ng; this is usually the author. This overview phase is optional.

23

4.5 The Detection Process

When de ning the detection activities in Section 3.4, we asserted that there would either be a single detection activity, or an N-Fold activity. This provides our rst de nition: detection process ::= [detectionjn fold] In Section 3.4, the detection activity was de ned to consist of at least one meeting phase, possibly interspersed with self-check phases. At this point the possibility of having several parallel meetings is also introduced to provide extra exibility. This allows subsets of the team to meet separately. The de nition of detection is then: detection ::= [meeting phase self checkjmeeting phase]+ meeting phase ::= [multi meeting jsingle meeting ] multi meeting ::= parallel phase name single meeting single meeting+ end

A meeting is de ned to be a phase with one or more participants who may meet synchronously or asynchronously, and whose discussion may be private or public. The meeting may have one of three objectives: examination, defect detection, or defect collection. The assignment of roles during the meeting must also be allowed. Finally, the documents produced and used in the meeting must be de ned. The meeting de nition is: single meeting ::= meeting phase name objective [examinationjdetectionjcollection] timing [synchronousjasynchronous] visibility [publicjprivate] durationopt participants rolesopt targets proceduresopt defectsopt sourcesopt detection aidsopt standardsopt outputsopt end

::= duration integer The de nition starts with the keyword meeting, followed by the meeting name. The objective, timing and visibility are then set, along with the maximum duration of the meeting in minutes. The implementation should use the duration to help guide the moderator during the meeting. This is followed by a list of all meeting participants, as de ned earlier. The roles of reader and recorder may be assigned (if they are not assigned then the moderator should be given the roles by default), followed by a list of all documents used or created at the meeting. All documents are optional except for target documents. The role assignment section can be de ned as follows: roles ::= roles role assignment+ role assignment ::= participant name is meeting role meeting role ::= [readerjscribe] Only the roles of Reader and Scribe are de ned. The self-check phase may follow any meeting. Its purpose is to validate the results of that meeting: duration

24

self check ::=

phase name participant targets defects sourcesopt detection aidsopt standardsopt outputsopt

self check

end

Again, the phase may be named, and this is followed by the single participant who will perform the self-check (usually the moderator). The target documents and input defect lists to this phase are then speci ed. Optionally, source documents, standards and detection aids may be present. Finally, at least one output must be de ned: this is usually a report. The alternative to a single detection activity is to have multiple, parallel detection activities with a collation stage, i.e. N-Fold inspection. To increase exibility, there is the possibility of holding more than one collation meeting. The de nition is then as follows: n fold ::= n fold phase name fold fold+ collation+

fold

::=

end fold

phase name detection end

As usual, the phase may be named. The de nition will then consist of two or more detection activity de nitions, as described above, surrounded by the keywords fold and end, along with one or more collation meeting de nitions: collation ::= collation phase name timing [synchronousjasynchronous] participants targetsopt defects sourcesopt standardsopt outputsopt end

For collation, a number of participants can be listed, usually several moderators along with the coordinator. Inputs defect lists will generally consists of a collected defect list from each inspection, The output will usually be a single master defect list for the entire inspection, but reports may also form outputs from this phase. Several collation meetings may take place, to allow for the possibility of the coordinator meeting with a subgroup of moderators. In this case, an input to subsequent meetings should be the collated defect lists from previous meetings.

4.6 The Completion Process

The completion process consists of three activities, as derived in Section 3.5: completion process ::= rework follow upopt exitopt The rework phase is followed by an optional follow-up phase. The nal phase, exit, is de ned to be optional since it is not used in every inspection type. The rework phase is de ned as follows:

25

rework ::=

phase name participant targets defects sourcesopt standardsopt outputsopt

rework

end

Although rework is generally carried out by the author, the possibility of another participant performing rework is catered for. This may occur if the author is not part of the inspection team, or is otherwise unavailable. Various documents may be made available during this phase. Target documents are always required, but many other documents may be present. The output of the phase may consist of one or more reports. The next phase is follow-up and involves checking the work performed in rework: follow up ::= follow up phase name participant targets defectsopt sourcesopt detection aidsopt standardsopt outputs end

Only one person should perform follow-up: this is usually the moderator (or coordinator), but there is the possibility of another participant performing this task. Generally, as many relevant documents as required should be present, which accounts for the numerous document de nitions. Finally, the de ned output is one or more reports. The last phase is the optional exit phase: exit ::= exit phase name criteria end

This is similar to the entry phase in that it de nes one or more lists of criteria which must be met. Again, these lists will have been de ned in the documents section and must be of type Criteria. One single participant is involved in this phase: this is either the moderator or the coordinator, depending on the inspection type.

5 An Example Process De nition This section presents an example process de nition to illustrate the language de ned in the previous section. The process chosen is that of Fagan [3] and is applied to source code. The process description is shown in Figure 14. The description starts by titling the inspection `Fagan Code Inspection'. The declaration section rst of all lists all documents used and created in the inspection. The Master plan is the de nitive guide to the inspection. Although not explicitly mentioned by Fagan, it is assumed that such a plan must be prepared for the inspection. Code is the document under inspection. Design is the source document which the code is written from. This is followed by the declaration of six defect lists, one for each participant and a master list which will contain the defects logged by the entire team. Finally, two reports are declared. One is used to detail the outcome of the inspection meeting, while the other will contain the moderator's ndings from the follow-up phase. The declarations section also de nes the inspection participants. Five participants are declared: the moderator, author and three inspectors. The process section de nes the six phases of a Fagan inspection. The Planning phase simply involves the moderator creating the master plan for the inspection, which details the actual participants involved in the inspection, the code to be inspected and so on. The Overview is de ned to involve all participants 26

targets Code sources Design outputs Defects1 Defects2 Defects3 Defects4 Defects5

inspection ’Fagan Code Inspection’ declarations documents Code product Design source Defects1 defect_list Defects2 defect_list Defects3 defect_list Defects4 defect_list Defects5 defect_list Master_defects defect_list Meeting_report report Follow_up_report report Master_plan plan end participants Inspector1 is inspector defects Defects1 end Inspector2 is inspector defects Defects2 end Inspector3 is inspector defects Defects3 end Moderator is moderator defects Defects4 end Author is author defects Defects5 end end end process planning ’Planning’ participants Moderator output Master_plan end overview ’Overview’ participants Moderator Author Inspector1 Inspector2 Inspector3 presenter Author end meeting ’Preparation’ objective examination timing asynchronous visibility private participants Moderator Author Inspector1 Inspector2 Inspector3

end meeting ’Inspection’ objective collection timing synchronous visibility public participants Moderator Author Inspector1 Inspector2 Inspector3 roles Inspector1 is reader Inspector2 is scribe targets Code defects Defects1 Defects2 Defects3 Defects4 Defects5 sources Design outputs Master_defects Meeting_report end rework ’Rework’ participant Author targets Code defects Master_defects sources Design end follow-up ’Follow-up’ participant Moderator targets Code defects Master_defects sources Design outputs Follow_up_report end end end

Figure 14: A description of the Fagan inspection process.

27

and involves the author presenting the code to be inspected. The process then moves into the rst of two detection phases. The Preparation phase involves all participants individually examining the document. Hence the objective of the phase is examination, the work is carried out asynchronously, and all data created by participants remains private. The target of the phase is the product (i.e. Code) and the source is the design document. The output of this phase consists of the individual defect lists. Although Fagan states that this phase is not a defect nding activity, it is useful to have the capability to note glaring defects. The next phase is the inspection meeting, again involving all participants. This time the meeting occurs synchronously, and all data is made public. The objective of the phase is collection of defects into the master defect list, which is an output of the meeting, along with a meeting report. Two roles are de ned during the meeting: the reader and the scribe, which are assigned to Inspector1 and Inspector2 respectively. The Rework phase involves the author taking the code and the master list of defects and performing the required xes. This work is checked in the Follow-up phase by the moderator, again using the code and the master list of defects, who also produces a report on the follow-up.

6 Conclusions Software inspection is an e ective defect nding technique and has been widely used. Many variations of the basic Fagan inspection have been proposed to tackle various perceived drawbacks in the method. A common problem when applying inspection is ensuring the process is followed properly, since the de nition of the process may be vague, or understanding may be poor [18]. Failure to follow the correct procedure can mean a reduction in bene t, with less defects found. At the same time, metrics from such inspections can be misleading. Inspection support tools have been proposed as one solution to this problem. These tools help enforce the process, as well as providing support for individual inspectors. Most of the tools, however, are only capable of supporting a single, usually proprietary, inspection method. Alternative methods, such as N-Fold or Phased inspection, can therefore not be enforced. Our solution to this problem is to derive an inspection process modelling language. This language is derived from a generic inspection process based on eight of the most common inspection types. By basing our language on these eight variants, we have ensured that the language is capable of describing any existing inspection process, and through careful design it should also be capable of describing any future inspection variants. It improves on an existing inspection description language by Tjahjono [21] by providing more specialised facilities, especially in terms of the organisation and completion activities which are crucial to an inspection. The language is more structured than that described by Tjahjono, matching the highly structured nature of inspections. Descriptions written in the language are around ten to twenty times smaller than that of Tjahjono, and the language requires only limited programming knowledge to use. Future research will evolve a tool which will accept this language as an input, allowing it to support multiple inspection processes by simply selecting the appropriate process de nition, as part of an ongoing investigation of the application of computer support to the inspection process.

References [1] Collaborative Software Development Laboratory, Department of Information and and Computer Sciences, University of Hawaii. CSRS Version 3.4.3 Design Reference Manual, October 1995. [2] E. P. Doolan. Experience with Fagan's inspection method. Software{Practice and Experience, 22(2):173{182, February 1992. [3] Michael E. Fagan. Design and code inspections to reduce errors in program development. IBM Systems Journal, 15(3):182{211, 1976. 28

[4] Michael E. Fagan. Advances in software inspection. IEEE Transactions on Software Engineering, 12(7):744{751, July 1986. [5] Daniel P. Freedmam and Gerald M. Weinberg. Handbook of Walkthroughs, Inspections and Technical Reviews. Little, Brown and Company, third edition, 1982. [6] T. Gilb and D. Graham. Software Inspection. Addison-Wesley, 1993. [7] John W. Gintell, John Arnold, Michael Houde, Jacek Kruszelnicki, Roland McKenney, and Gerard Memmi. Scrutiny: A collaborative inspection and review system. In Proceedings of the Fourth European Software Engineering Conference, September 1993. [8] Watts S. Humphrey. Managing the Software Process, chapter 10, pages 171{190. Addison-Wesley, 1989. [9] Philip M. Johnson. An instrumented approach to improving software quality through formal technical review. In Proceedings of the 16th International Conference on Software Engineering, May 1994. [10] Philip M. Johnson and Danu Tjahjono. CSRS users guide. Technical Report ICS-TR-93-16, Collaborative Software Development Laboratory, Department of Information and and Computer Sciences, University of Hawaii, 1993. [11] C. L. Jones. A process-integrated approach to defect prevention. IBM Systems Journal, 24(2):150{ 167, 1985. [12] Lesley Pek Wee Kim, Chris Sauer, and Ross Je ery. A framework for software development technical reviews. In Proceedings of the First IFIP/SQI International Conference on Software Quality and Productivity, pages 294{299, 1994. [13] F. Macdonald, J. Miller, A. Brooks, M. Roper, and M. Wood. A review of tool support for software inspection. In Proceedings of the Seventh International Workshop on Computer Aided Software Engineering, pages 340{349, July 1995. [14] Johnny Martin and Wei Tek Tsai. N-Fold inspection: A requirements analysis technique. Communications of the ACM, 33(2):225{232, February 1990. [15] E. Ann Meyers and John C. Knight. An improved software inspection technique and an empirical evaluation of its e ectiveness. Technical Report TR-92-15, University of Virginia, May 1992. [16] David L. Parnas and David M. Weiss. Active design reviews: Principles and practices. In Proceedings of the Eighth International Conference on Software Engineering, pages 132{136, August 1985. [17] A. A. Porter, L. G. Votta, and V. R. Basili. Comparing detection methods for software requirements inspections: A replicated experiment. IEEE Transactions on Software Engineering, 21(6):563{575, June 1995. [18] Glen W. Russell. Experience with inspection in ultralarge-scale developments. IEEE Software, 8(1):25{31, January 1991. [19] R. W. Selby, V. R. Basili, and F. T. Baker. Cleanroom software development - an empirical evaluation. IEEE Transactions on Software Engineering, 13:1027{1037, September 1987. [20] V. Sembugamoorthy and L. R. Brothers. ICICLE: Intelligent Code Inspection in a C Language Environment. In Proceedings of the 14th Annual Computer Software and Applications Conference, pages 146{154, October 1990. 29

[21] Danu Tjahjono. Evaluating the cost-e ectiveness of formal technical review factors (Ph.D. dissertation proposal). Technical Report CSDL-94-07, University of Hawaii, 1994. [22] Edward Yourdon. Structured Walkthroughs. Yourdon Press, fourth edition, 1989.

30