risk-based testing
DESCRIPTION
Risk-based TestingTRANSCRIPT
ConfidentialPA12013-09-271
Risk-based TestingThe Devil is in the Details
ConfidentialPA12013-09-272
Introduction• Johan Hoberg
• Sony Mobile▫~10 years▫Tester, Test Team Leader, Test Architect
• This is a presentation of my experiences of risk-based testing
ConfidentialPA12013-09-273
Definition•Risk-based testing (RBT) is a type of
software testing that prioritizes the tests of features and functions based on the risk of their failure - a function of their importance and likelihood or impact of failure. (http://en.wikipedia.org/wiki/Risk-based_testing)
ConfidentialPA12013-09-274
The Devil is in the Details• Refers to a catch or mysterious element hidden in
the details
• Derives from “God is in the Details”▫ Generally attributed to Gustave Flaubert (1821–1880)
• It is easy to ask for efficient, risk-based testing
• It is much more difficult to actually do it well
ConfidentialPA12013-09-275
System Under Test
Android Jellybean Customer A
Android Gingerbread Generic
Android Gingerbread Customer A
Android Gingerbread Customer B
Configuration 1
Configuration 2
Configuration 3
Product X
Product Y
Android Jellybean Customer B
Android Jellybean Generic
ConfidentialPA12013-09-276
System Under Test
ConfidentialPA12013-09-277
Changes in the System•There is a change introduced somewhere
in the system
•Could be a bug fix, a change request, a new feature, refactoring, etc.
ConfidentialPA12013-09-278
Scope Selection• Do you run every available test on every possible
configuration of the system and verify all interoperability?
• A smart scope is necessary to make it containable
• We must be able to reuse test results between products, configuration, and branches
ConfidentialPA12013-09-279
Scope Selection based on Risk
Change Introduced
System Impact
Risk-based Scope
ConfidentialPA12013-09-2710
Complex vs. Complicated•Complicated
▫Opposite of simple▫Containing intricately combined or involved parts
•Complex▫Opposite of predictable?▫This adjective means having parts so
interconnected as to make the whole perplexing
ConfidentialPA12013-09-2711
Complex System•A complex system is difficult to predict
•It is therefore difficult to plan which actions to take to mitigate different outcomes
•It is difficult to plan which tests to run to cover all potentially relevant defects
ConfidentialPA12013-09-2712
Reduce complexity
Reduce Complexity
Change
Complex System
Scope Selection
Very difficult!
ConfidentialPA12013-09-2713
Example•A change is introduced into the Display Driver
component – What do I need to test?▫Camera?▫Interoperability with TV and similar devices?▫Multimedia
View pictures, video etc.?▫All UI testing?▫Other parts of the system?
ConfidentialPA12013-09-2714
Reduce Complexity•Risk Analysis•Automated Test Framework•Early Exploratory Testing
ConfidentialPA12013-09-2715
Risk Analysis – Input DataFeature & Hardware
Delta
Historical Data
Code Changes
System Dependencies & Architecture
•Easy to obtain•Might give us an indication on where to start looking, but can often give false confidence in scope selection, especially when it comes to E2E system test
•Hard to obtain
ConfidentialPA12013-09-2716
Risk Analysis – Risk Model
Risk Identificatio
nProbability Consequenc
eMitigation
Plan
Severity (S)Occurrence (O)Detection (D)
Risk Priority Number (RPN) = S*O*D
ConfidentialPA12013-09-2717
Risk Analysis - Complex vs. Complicated
Risk analysis of whole system is complex
Risk analysis of sufficiently small part is more complicated than complex
ConfidentialPA12013-09-2718
Risk Analysis Database• If each function performs risk analysis on
their components and enters risks in a database this information could be used on system level to get better understanding of impact of specific changes
•Requires a uniform way of handing risk information
ConfidentialPA12013-09-2719
Problems?• We can get a lot of data that will help us select a
scope – but ultimately we will introduce a lot of risk if we do not know how the system is designed, and how different components depend on each other
• To get a complete dependency map of the whole system requires not only a good risk-handling infrastructure, but a common effort from a lot of people
ConfidentialPA12013-09-2720
Dependency Map Example
Driver
Library
Application Framework
Application Framework
Application
Application
Application
Application
Application
ConfidentialPA12013-09-2721
Automated Test Framework
Change + Basic Risk Analysis
Scope Setting Test
Execution
Automated Test
Execution
Test Results Analysis
ConfidentialPA12013-09-2722
Automated Test Framework
ChangeAutomated
Tests ExecutedFailed Tests Investigated
Change in component mapped towards failed
tests in other components
Better understanding of
System Dependencies
ConfidentialPA12013-09-2723
Self-learning System•Over time you will have more and more
information about how different changes impact the system
•Map code changes to failed tests•This impact map can further help you
set an efficient scope
ConfidentialPA12013-09-2724
Continuous Integration•The more code changes we have and the
more isolated these code changes are, the easier it is to create the impact map
• If you only have one integration per month, with thousands of lines of code changed in different parts of the system, it will be difficult to draw conclusions
ConfidentialPA12013-09-2725
Problems?•The information value you receive is
dependant on how good the tests are•Dependency graph grows over time – in
the beginning there is very little data
ConfidentialPA12013-09-2726
Early Exploratory Testing
Change + Basic Risk Analysis
Scope Setting Test
Execution
Exploratory Testing
Test Results Analysis
ConfidentialPA12013-09-2727
Codifying Experience•How do you transfer the knowledge
gained from one tester to the other?•The understanding about impact and
dependencies we gain from performing exploratory testing must be stored in a way which makes it accessible to other testers for their risk-based scope selections
ConfidentialPA12013-09-2728
Manual Dependency Map•After each exploratory session it is
possible to add information to a dependency map, where you indicate which changes were made, and what impact those changes had
•It needs to be done in a way which is quick and easy, otherwise it will not be done at all
ConfidentialPA12013-09-2729
Problems?•Additional time might be needed before
testers get experience with the new process
•It will be more difficult to time plan activity before early exploratory testing is done – this can cause problems with test/project leaders and managers
•It requires skilled testers
ConfidentialPA12013-09-2730
Final thoughts•Every risk-based scope introduces risk –
our goal is to eliminate any unnecessary risk
•Without skilled testers to write good automated tests or perform exploratory testing it becomes very difficult without a very intricate risk/impact framework
ConfidentialPA12013-09-2731
Conclusion•It is very difficult to perform
risk-based testing for a large, complex system
•It is very easy to ask someone else to reduce their test scope by introducing risk-based testing
ConfidentialPA12013-09-2732
Contact•Email
•Slideshare▫www.slideshare.net/JohanHoberg