SEI的风险提问单

SEI的风险提问单0.说明31. Product Engineering 产品工程31.1Requirements 需求31.2 Design 设计61.3 Code and Unit Test编码和单元测试91.4 Integration and Test 集成与测试111.5 Engineering Specialties 工程特性132. Development Environment 开发环境152.1 Development Process 开发过程152.2. Development System 开发环境172.3. Management Process 管理过程192.4 Management Methods 管理方法212.5 Work Environment 工作氛围223. Program Constraints 项目约束243.1 Resources 资源243.2 Contract 合同273.3 Program Interfaces 项目接口280.说明本提问单是 Marvin J. Carr 等所写的Taxonomy-Based Risk Identification 附录 ATaxonomy-Based Questionnaire o Taxonomy-Based Risk Identification是 CMU/SEI-93-TR-6 的 Technical Report。提问单共有194个问题，是对3大类13小类64项风险的注释提问。风险分类详细列表：产品工程开发环境项目约束1、需求1、开发过程1、项目资源2、设计2、开发环境2、合作合同3、编码和单元测试3、管理过程3、外部接口4、集成和测试4、管理方法5、工程特性5、工作氛围1、Product Engineering 产品工程1.1 Requirements 需求a. Stability 稳定性Are requirements changing even as the product is being produced?!在产品实现过程中，是 否有需求变更发生？1 Are the requirements stable?需求是否稳定？(No) (1.a) What is the effect on the system?(不)(1.a)需求稳定性会在哪些方面对系统造成影响? Quality 质量 Functionality 功能 Schedule 进度 Integration 集成 Design 设计 Testing 测试2 Are the external interfaces changing?外部接 口是否会发生变化？b. Completeness 完整性Are requirements missing or incompletely specified?需 求是否有遗漏或者表述不完整的 地方?3 Are there any TBDs in the specifications?在需求规格说明书中是否存在待确认 的内容？4 Are there requirements you know should be in the specification but aren 抉？需求 规格说明书中是否遗漏了一些需求？(Yes) (4.a) Will you be able to get these requirements into the system?(是)(4.a)你能够将这些需求纳入系统吗？5 Does the customer have unwritten requirements/expectations?是否有些客户的需求还没有编制成文档?(Yes) (5.a) Is there a way to capture these requirements?(是)(5.a)是否存在一个获取这些需求的途径或方法？6 Are the external interfaces completely defined?外部接口是否被完整定义？c. Clarity清晰性Are requirements unclear or in need of interpretation?!是否存在描述不清楚的需求，或需 进一步进行解释？7 Are you able to understand the requirements as written?规格说明书中的每一项 需求你都能正确理解吗？(No) (7.a) Are the ambiguities being resolved satisfactorily 不)含混不清的地方已经 修改清楚？(Yes) (7.b) There are no ambiguities or problems of interpretation?(是)(7.b)没有含混不清的需求描述或解释不清的问题？d. Validity 有效性Will the requirements lead to the product the customer has in mind?所确定的软件需求与客户需求是否是一致的？8 Are there any requirements that may not specify what the customer really wants?是否存在一些需求没有满足客户真正的要求？(Yes) (8.a) How are you resolving this?(是)你是怎样解决的？9 Do you and the customer understand the same thing by the requirements?你与客户对需求的理解是否一致？(Yes) (9.a) Is there a process by which to determine this?(是)有没有可以验证 这种一致性的相关流程？10 How do you validate the requirements?你是怎样进行需求有效性地验证？Prototyping原型法 Analysis 分析 Simulations 仿真e. Feasibility 可行性Are requirements infeasible from an analytical point of view?从需求分析的角度看，某些 需求是否是不可实现的？11 Are there any requirements that are technically difficult to implement?是否 有些需求在实现上存在技术难点？(Yes) (11.a) What are they?(是)都有哪些难点？(Yes) (11.b) Why are they difficult to implement?(是)为什么会难于实现？(No) (11.c) Were feasibility studies done for these requirements?(否)是否对这 些需求进行了可实现性的研究分析？(Yes) (11.c.1) How confident are you of the assumptions made in the studies?(是)你对分析研究中的假设有多大的把握？f. Precedent未实现过Do requirements specify something never done before, or that your company has notdonebefore?是否有需求是公司以前没有实现过，或业界也没有实现过？12 Are there any state-of-the-art requirements?是否存在一些可以代表最新技 术发展水平的需求？ Technologies 技术Methods方法Languages语言Hardware硬件(No) (12.a) Are any of these new to you?(否)在这些需求中，是否有一些对你来 说是全新的？(Yes) (12.b) Does the program have sufficient knowledge in these areas?(是)在这些领域，本开发团队是否存在足够的技术知识基础？(No) (12.b.1) Is there a plan for acquiring knowledge in these areas?否)有没有 获得这些领域知识的相应计划？g. Scale 范围Do requirements specify a product larger, more complex, or requiring a larger organization than in the experience of the company?与公司以往的开发经历相比，开发产品将是规模更大、更复杂或需要更多的人参与？13 Is the system size and complexity a concern?系统的规模和复杂度是否也 被作为本次开发的一个关注点？(No) (13.a) Have you done something of this size and complexity before?(否) 你以前进行过类似规模和复杂度的开发吗？14 Does the size require a larger organization than usual for your company? 这么大规模的开发任务是否需要比以往更大的开发团队？1.2 Design 设计a. Functionality 功能性Are there any potential problems in meeting functionality requirements?在 系统需求功能 实现方面，是否存在潜在的问题？15 Are there any specified algorithms that may not satisfy the requirements?是否存的某些运算法则不能满足需求的情况？(No) (15.a) Are any of the algorithms or designs marginal with respect to meetingRequirements?（否）是否所有运算法则和设计都能满足需求要求?16 How do you determine the feasibility of algorithms and designs?你是如何 决定运算法则和设计的可行性的？Prototyping原型法Modeling建模Analysis分析 Simulation 仿真b. Difficulty 困难Will the design and/or implementation be difficult to achieve?在 系统的设计和实现中，是 否存在一些困难？17 Does any of the design depend on unrealistic or optimistic assumptions?是否有设计是基于不可实现或过分乐观的假设之上的？18 Are there any requirements or functions that are difficult to design?是否有 些需求存在设计上的困难？(No) (18.a) Do you have solutions for all the requirements?(否)对这些设计困难 的需求，你有相应的解决方案吗？(Yes) (18.b) What are the requirements?(是)都是哪些需求？Why are they difficult?为什么会存在这些困难？c. Interfaces 接口Are the internal interfaces (hardware and software) well defined and controlled?内 部接口 (包括硬件和软件两个方面)是否均得到了良好的定义和控制？19 Are the internal interfaces well defined?内部接口是否得到了良好的定 义？Software-to-software软件和软件之间Software-to-hardware软件和硬件之间20 Is there a process for defining internal interfaces?是否存在一个关于内部 接口定义的流程？(Yes) (20.a) Is there a change control process for internal interfaces?(是)内部接口的更改是否存在一个变更控制流程？21 Is hardware being developed in parallel with software?硬件是否和软件平 行进行开发？(Yes) (21.a) Are the hardware specifications changing?(是)硬件需求规格说明 书可能会发生变化吗？(Yes) (21.b) Have all the interfaces to software been defined?(是)是否所有与 软件的接口均得到了定义？(Yes) (21.c) Will there be engineering design models that can be used to test the software?（是）在软件测试过程中是否用到了一些工程设计模型?d. Performance 性能Are there stringent response time or throughput requirements?在 响应时间和吞吐量方面 是否有严格的要求？22 Are there any problems with performance?性能方面有哪些问题？Throughput吞吐量 Scheduling asynchronous real-time events 异步实时事件处理的调度 Real-time response 实时响应Recovery timelines故障复时间Response time响应时间 Database response, contention, or access 数据库的响应、竞用与访问？23 Has a performance analysis been done?做过性能分析吗？(Yes) (23.a) What is your level of confidence in the performance analysis?(是) 在性能分析方面，你有多大的把握？(Yes) (23.b) Do you have a model to track performance through design andimplementation?在整个设计和实现过程中，有没有一个模型来对性能进行跟踪?e. Testability 可测性Is the product difficult or impossible to test?产品是否很难或不可能测试?24 Is the software going to be easy to test?软件是否将很容易测试？25 Does the design include features to aid testing?进行了可测性设计？26 Do the testers get involved in analyzing requirements?测试人员是否参与 了对需求的分析过程？f. Hardware Constraints 硬件限制Are there tight constraints on the target hardware?硬 件方面有没有严格的限制？27 Does the hardware limit your ability to meet any requirements?硬件是否限制了需求的实现？Architecture硬件结构Memory capacity存储能力 Throughput 容量 Real-time response 实时响应Response time响应时间Recovery timelines恢复时间边界 Database performance 数据库性能 Functionality 功能Reliability 可靠性 Availability 可用性g. Non-Developmental Software 非自主开发Are there problems with software used in the program but not developed by the program?项目组使用的非本项目组开发的软件是否有问题？If re-used or re-engineered software exists如果软件有重用或者需二次开发 部分28 Are you reusing or re-engineering software not developed on the program?本项目中是否存在重用或者需二次开发的软件？(Yes) (28.a) Do you foresee any problems?是否预见了下列问题？ Documentation 文档 Performance 性能 Functionality 功能 Timely delivery 按时发布 Customization 客户化If COTS software is being used是否使用了商用外购软件29 Are there any problems with using COTS (commercial off-the-shelf) software?在使用商用外购软件方面是否存在问题? Insufficient documentation to determine interfaces, size, or performance软件接口、规模和性能等方面缺乏充分的文档。Poor performance较差的性能 Requires a large share of memory or database storage 要求有一个较大的共 享内存或者数据库存储 Difficult to interface with application software 与应用软件较难接口Not thoroughly tested没有经过充分测试Not bug free工具本身存在的缺陷没有解决Not maintained adequately没有足够的维护支持Slow vendor response 供应商响应较慢30 Do you foresee any problem with integrating COTS software updates or revisions?你预测过因为所使用的商用软件升级引起的问题吗？1.3 Code and Unit Test编码和单元测试a. Feasibility 可行性Is the implementation of the design difficult or impossible?设计的实现存在困难或不可能?31 Are any parts of the product implementation not completely defined by the design specification?实现与设计不一致？32 Are the selected algorithms and designs easy to implement?选取的算法和 设计是否较容易实现？b. Testing单元测试的充分性Are the specified level and time for unit testing adequate?给定的测试覆盖度是否是足够的？单元测试时间是否是充分的？33 Do you begin unit testing before you verify code with respect to the design?在验证代码与设计的一致性之前，你是否进行了单元测试？34 Has sufficient unit testing been specified?单元测试设计、方案和用例是否是充分的？35 Is there sufficient time to perform all the unit testing you think should be done?是否有足够的时间执行你认为应该进行的所有单元测试？36 Will compromises be made regarding unit testing if there are scheduleproblems?是否因为进度压力而使得单元测试做出了一些让步？c. Coding/Implementation 编码 /实现Are there any problems with coding and implementation ?编码和实现是否存在什么问题？37 Are the design specifications in sufficient detail to write the code?详细设计说明书是否详细到足以指导编码的程度？38 Is the design changing while coding is being done?编码开始后，设计规格 书是否还有变更？39 Are there system constraints that make the code difficult to write?代码编写是否受到下列系统的限制？-Timing时间效率限制Memory内存限制External storage外部存储介质限制40 Is the language suitable for producing the software on this program?项目开发的语言是否适用？41 Are there multiple languages used on the program?项目开发中使用了多种语言？(Yes) (41.a) Is there interface compatibility between the code produced by thedifferent compilers?(是)不同语言的编译环境下生成的代码之间有无兼容性问 题？42 Is the development computer the same as the target computer ?开发中使 用的计算机与目标环境的计算机是否一样？(No) (42.a) Are there compiler differences between the two ?(否)两者之间是否 存在编译方面的区别？If developmental hardware is being used 是否用到了专用硬件设备？43 Are the hardware specifications adequate to code the software?是否硬件 使用说明书中的内容满足软件编码的需要？44 Are the hardware specifications changing while the code is being written? 编码过程中，硬件使用说明书是否有变更？1.4 Integration and Test 集成与测试a. Environment 环境Is the integration and test environment adequate?集 成与测试环境是否是充分的？45 Will there be sufficient hardware to do adequate integration and testing?集成与测试是否有足够的硬件支持？46 Is there any problem with developing realistic scenarios and test data to demonstrate any requirements？在构建目标环境和测试数据以验证需求实现方面是否存在问题？Specified data traffic特定的数据吞吐量 Real-time response 实时响应 Asynchronous event handling 异步事务处理 Multi-user interaction 多客户响应47 Are you able to verify performance in your facility?是否可以在你的设备上 对性能进行验证？48 Does hardware and software instrumentation facilitate testing?硬件和软件 是否有助于进行测试？(Yes) (48.a) Is it sufficient for all testing?(是)足够吗？b. Product产品集成和测试Is the interface definition inadequate, facilities inadequate, time insufficient?接 口定义、设 备和时间方面是否存在不充分的问题？49 Will the target hardware be available when needed?如果需要，实际的运行 环境是否可以获得？50 Have acceptance criteria been agreed to for all requirements?所有需求的 接受标准是否达成一致？(Yes) (50.a) Is there a formal agreement?(是)有正式的协议吗？51 Are the external interfaces defined, documented, and baselined?夕卜部接口 是否确定、成文、并建立基线？52 Are there any requirements that will be difficult to test?是否有难于测试的 需求？53 Has sufficient product integration been specified?是否确定了充分的产品 集成方案？54 Has adequate time been allocated for product integration and test?为产品 集成和测试是否分配了足够的时间？If COTS software is being used是否使用了商用外购软件55 Will vendor data be accepted in verification of requirements allocated to COTSProducts?供应商是否能提供足够的数据，以验证商业外购件能满足所分配需 求？Yes) (55.a) Is the contract clear on that?(是)双方协议上这些要求是否表述清 楚？c. System系统集成和测试System integration uncoordinated, poor interface definition, or inadequate facilities?系统 集成是否存在不匹配、接口定义较差，缺乏工具等问题？56 Has sufficient system integration been specified?集成设计和方案是否是充 分的？57 Has adequate time been allocated for system integration and test ?是否为系统集成和测试分配了足够的时间？58 Are all contractors part of the integration team?协约双方都参与了系统集成 吗？59 Will the product be integrated into an existing system?产品是否将被集成 到已有的系统中？(Yes) (59.a) Is there a parallel cutover period with the existing system?(是)产品的集成是否要求不中止原有系统？(No) (59.a.1) How will you guarantee the product will work correctly when integrated?在整个过程中，你如何保证该项工作的顺利进行？60 Will system integration occur on customer site?系统的整体集成是在客户 地点进行的吗？1.5 Engineering Specialties 工程特性a. Maintainability 可维护性Will the implementation be difficult to understand or maintain?系统的实现是否难以理解或不易维护性？61 Does the architecture, design, or code create any maintenance difficulties?系统的结构、设计和编码是否会导致系统维护的困难？62 Are the maintenance people involved early in the design ?在早期的设计阶 段，是否维护人员就参与了进来？63 Is the product documentation adequate for maintenance by an outsideorganization?为外部组织提供的与维护有关的产品文档是否充分？b. Reliability 可靠性Are the reliability or availability requirements difficult to meet?可靠性和可用性的需求是否较难实现？64 Are reliability requirements allocated to the software?可靠性的需求是否分配？65 Are availability requirements allocated to the software?可用性需求是否分配到软件？(Yes) (65.a) Are recovery timelines any problem?(是)恢复时限是否存在问题？c. Safety系统安全性Are the safety requirements infeasible and not demonstrable?安 全性需求是否不可实现 并且不可验证？66 Are safety requirements allocated to the software?安全性的需求是否分 配？(Yes) (66.a) Do you see any difficulty in meeting the safety requirements?(是)在安全性需求方面，你发现存在哪些困难？67 Will it be difficult to verify satisfaction of safety requirements?是否较难验证系统安全性？d. Security 保密性Are the security requirements more stringent than the current state of the practice or program experience?系统保密性的要求是否比当前或以往项目所能达到的程度更严格？68 Are there unprecedented or state-of-the-art security requirements?系统的机密性是否要求达到当代最新的技术发展水平？69 Is it an Orange Book system?是一个高度机密的系统吗？70 Have you implemented this level of security before?你以前实现过这样的 保密安全性需求吗？e. Human Factors接口的友好性Will the system will be difficult to use because of poor human interface definition?人机接口不够友好，系统使用用不方便？71 Do you see any difficulty in meeting the Human Factors requirements?在满足友好性方面，你发现了哪些问题？(No) (71.a) How are you ensuring that you will meet the human interfacerequirements?你是如何保证你的系统能够满足客户的可操作性要求？If prototyping是否使用了原型法?(Yes) (71.a.1) Is it a throw-away prototype?(是)是一个放弃原型吗？(No) (71.a.1a) Are you doing evolutionary development?(否)你正在进行的是一 次渐增式开发吗？(Yes) (71.a.1a.1) Are you experienced in this type of development?(是)你有这 方面的开发经验吗？(Yes) (71.a.1a.2) Are interim versions deliverable?(是)中间版本要发布吗？(Yes) (71.a.1a.3) Does this complicate change contro l?这个是否使得变更控制 复杂化？f. Specifications 规格说明书Is the documentation adequate to design, implement, and test the system?系 统设计、执行和测试的文档是否充分72 Is the software requirements specification adequate to design the system?软件需求规格说明书对于设计是否充分73 Are the hardware specifications adequate to design and implement the software?硬件使用说明书对于软件开发是否充足？74 Are the external interface requirements well specified?外部接口需求是否 定义良好？75 Are the test specifications adequate to fully test the system?测试规程对系统全面测试是否充分？If in or past implementation phase是否处于编码阶段还是编码阶段巳经完 成？76 Are the design specifications adequate to implement the system? 设计说 明书对于指导编码是否充分？ Internal interfaces 内部接口2. Development Environment 开发环境2.1 Development Process 开发过程a. Formality过程正规化Will the implementation be difficult to understand or maintain?系 统的实现是否难以理解 或维护？77 Is there more than one development model being used?是否使用多个开发 模型？Spiral螺旋型Waterfall瀑布型Incremental 增量型(Yes) (77.a) Is coordination between them a problem?(是)(77.a )在他们之 间的协作是一个问题？78 Are there formal, controlled plans for all development activities? 开发活动 有正式和受控的开发计划？Requirements analysis 需求分析Design设计Code编码Integration and test 集成和测试Installation 安装Quality assurance 质量保证Configuration management 配置管理(Yes) (78.a) Do the plans specify the process well?计划中项目过程的描述是否 清楚？(Yes) (78.b) Are developers familiar with the plans?开发者们对计划熟 悉？b. Suitability 程适用性Is the process suited to the development model, e.g., spiral, prototyping?过程是否适合开发模型，例如，螺旋，快速原型吗？79 Is the development process adequate for this product ?开发过程对这个产 品而言是否适用？80 Is the development process supported by a compatible set of procedures, methods, andtools?开发过程是否有一套与之相协调的规程、方法和工具所支 持？c. Process Control 过程控制Is the software development process enforced, monitored, and controlled using metrics?Are distributed development sites coordinated?开发过程是否被强制实施，并使用度量监控开发过程？对于分散的开发地点是否同等对 待？81 Does everyone follow the development process ?是否每个人都遵循开发过 程？(Yes) (81.a) How is this insured?(是)(81.a )如何保证这一点？82 Can you measure whether the development process is meeting your productivity and quality goals?你是否估计过开发过程能实现你的生产率和质量目标？If there are distributed development sites 如果开发地点是分散的83 Is there adequate coordination among distributed development sites?分散的开发地点之间是否有足够的协调合作？d. Familiarity 过程熟悉Are the project members experienced in use of the process? Is the process understoodby all staff members?项目成员有过程应用经验吗？是否都能理解过程？84 Are people comfortable with the development process?人们适应这种开发过程吗？e. Product Control 产品控制Are there mechanisms for controlling changes in the product?是 否有控制产品变更的机 制？85 Is there a requirements traceability mechanism that tracks requirements from the source specification through test cases?是否有一套贯穿始终的需求跟踪机制来确保需求从需求说明书到测试用例都有 相应的实现？86 Is the traceability mechanism used in evaluating requirement change impact analyses?是否有明确的机制来评估需求变更可能带来的影响冲击？87 Is there a formal change control process?有一个正式的变更控制过程？(Yes) (87.a) Does it cover all changes to baselined requirements, design, code, anddocumentation?(是)(87.a )它是否包含己基线化的设计，代码，文档的变 化？ 88 Are changes at any level mapped up to the system level and down through the test level?是否任何级别的变化都映射到系统一级，并且贯穿到测 试一级？89 Is there adequate analysis when new requirements are added to the system ?当有新需求时，是否有足够的分析？90 Do you have a way to track interfaces?你是否有跟踪接口变化的方法？91 Are the test plans and procedures updated as part of the change process? 测试计划和过程是否作为变化过程的部分同步更新？2.2. Development System 开发环境a. Capacity 能力Is there sufficient work station processing power, memory, or storage capacity?工作站的处理能力、硬盘和内存是否足够？92 Are there enough workstations and processing capacity for all staff?提供给所有项目成员的资源是否足够，比如计算机、工作站？93 Is there sufficient capacity for overlapping phases, such as coding, integration and test?当诸如编码、集成和测试阶段重叠，是否足够的资源？b. Suitability 适应性Does the development system support all phases, activities, and functions? 开发环境是否支持所有的阶段，活动，功能？开发环境94 Does the development system support all aspects of the program?是否可支持项目的下列各个方面？Requirements analysis 需求分析Performance analysis 性能分析Design设计Coding编码Test测试Documentation 文档Configuration management 配置管理Management tracking管理活动跟踪Requirements traceability 需求跟踪c. Usability可 用性How easy is the development system to use?开发系统是否易用？95 Do people find the development system easy to use ?人们觉得开发系统易 用吗？96 Is there good documentation of the development system?开发系统有好的 文档？d. Familiarity 开发经验Is there little prior company or project member experience with the development system?对于开发的系统，公司或项目以前有过类似的开发经验？97 Have people used these tools and methods before?人们使用过这些工具和方法？e. Reliability 可靠性Does the system suffer from software bugs, down-time, insufficient built-in back-up?系统是否遇到了 BUG、宕机、内存不足等原因？98 Is the system considered reliable?系统是可靠的吗？Compiler编译器Develo