Software verification and validation

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In software project management, software testing, and software engineering, verification and validation (V&V) is the process of checking that a software system meets specifications and that it fulfills its intended purpose. It may also be referred to as software quality control. It is normally the responsibility of software testers as part of the software development lifecycle. In simple terms, software verification is: "Assuming we should build X, does our software achieve its goals without any bugs or gaps?" On the other hand, software validation is: "Was X what we should have built? Does X meet the high level requirements?"


Verification and validation are not the same thing, although they are often confused. Boehm[1] succinctly expressed the difference between

  • Validation: Are we building the right product?
  • Verification: Are we building the product right?

Building the right product implies creating a Requirements Specification that contains the needs and goals of the stakeholders of the software product. If such artifact is incomplete or wrong, the developers will not be able to build the product the stakeholders want. This is a form of "artifact or specification validation".

Building the product right implies the use of the Requirements Specification as input for the next phase of the development process, the design process, the output of which is the Design Specification. Then, it also implies the use of the Design Specification to feed the construction process. Every time the output of a process correctly implements its input specification, the software product is one step closer to final verification. If the output of a process is incorrect, the developers are not building the product the stakeholders want correctly. This kind of verification is called "artifact or specification verification".

Software validation[edit]

Software validation checks that the software product satisfies or fits the intended use (high-level checking), i.e., the software meets the user requirements, not as specification artifacts or as needs of those who will operate the software only; but, as the needs of all the stakeholders (such as users, operators, administrators, managers, investors, etc.). There are two ways to perform software validation: internal and external. During internal software validation it is assumed that the goals of the stakeholders were correctly understood and that they were expressed in the requirement artifacts precise and comprehensively. If the software meets the requirement specification, it has been internally validated. External validation happens when it is performed by asking the stakeholders if the software meets their needs. Different software development methodologies call for different levels of user and stakeholder involvement and feedback; so, external validation can be a discrete or a continuous event. Successful final external validation occurs when all the stakeholders accept the software product and express that it satisfies their needs. Such final external validation requires the use of an acceptance test which is a dynamic test.

However, it is also possible to perform internal static tests to find out if it meets the requirements specification but that falls into the scope of static verification because the software is not running.

Artifact or specification validation[edit]

Not only the software product as a whole can be validated. Requirements should be validated before the software product as whole is ready (the waterfall development process requires them to be perfectly defined before design starts; but, iterative development processes do not require this to be so and allow their continual improvement).

Examples of artifact validation:

  • User Requirements Specification validation: User requirements as stated in a document called User Requirements Specification are validated by checking if they indeed represent the will and goals of the stakeholders. This can be done by interviewing them and asking them directly (static testing) or even by releasing prototypes and having the users and stakeholders to assess them (dynamic testing).
  • User input validation: User input (gathered by any peripheral such as keyboard, bio-metric sensor, etc.) is validated by checking if the input provided by the software operators or users meet the domain rules and constraints (such as data type, range, and format).

Software verification[edit]

It would imply to verify if the specifications are met by running the software but this is not possible (e. g., how can anyone know if the architecture/design/etc. are correctly implemented by running the software?). Only by reviewing its associated artifacts, someone can conclude if the specifications are met.

Artifact or specification verification[edit]

The output of each software development process stage can also be subject to verification when checked against its input specification (see the definition by CMMI below).

Examples of artifact verification:

  • Of the design specification against the requirement specification: Do the architectural design, detailed design and database logical model specifications correctly implement the functional and non-functional requirement specifications?
  • Of the construction artifacts against the design specification: Do the source code, user interfaces and database physical model correctly implement the design specification?

Validation vs. verification[edit]

According to the Capability Maturity Model (CMMI-SW v1.1),

  • Software Validation: The process of evaluating software during or at the end of the development process to determine whether it satisfies specified requirements. [IEEE-STD-610]
  • Software Verification: The process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of that phase. [IEEE-STD-610]

Validation during the software development process can be seen as a form of User Requirements Specification validation; and, that at the end of the development process is equivalent to Internal and/or External Software validation. Verification, from CMMI's point of view, is evidently of the artifact kind.

In other words, software verification ensures that the output of each phase of the software development process effectively carry out what its corresponding input artifact specifies (requirement -> design -> software product), while software validation ensures that the software product meets the needs of all the stakeholders (therefore, the requirement specification was correctly and accurately expressed in the first place). Software verification ensures that "you built it right" and confirms that the product, as provided, fulfills the plans of the developers. Software validation ensures that "you built the right thing" and confirms that the product, as provided, fulfills the intended use and goals of the stakeholders.

This article has used the strict or narrow definition of verification.

From testing perspective:

  • Fault – wrong or missing function in the code.
  • Failure – the manifestation of a fault during execution. The software was not effective. It does not do "what" it is supposed to do.
  • Malfunction – according to its specification the system does not meet its specified functionality. The software was not efficient (it took too many resources such as CPU cycles, it used too much memory, performed too many I/O operations, etc.), it was not usable, it was not reliable, etc. It does not do something "how" it is supposed to do it.

Related concepts[edit]

Both verification and validation are related to the concepts of quality and of software quality assurance. By themselves, verification and validation do not guarantee software quality; planning, traceability, configuration management and other aspects of software engineering are required.

Within the modeling and simulation (M&S) community, the definitions of verification, validation and accreditation are similar:

  • M&S Verification is the process of determining that a computer model, simulation, or federation of models and simulations implementations and their associated data accurately represent the developer's conceptual description and specifications.[2]
  • M&S Validation is the process of determining the degree to which a model, simulation, or federation of models and simulations, and their associated data are accurate representations of the real world from the perspective of the intended use(s).[2]
  • Accreditation is the formal certification that a model or simulation is acceptable to be used for a specific purpose.[2]

The definition of M&S validation focuses on the accuracy with which the M&S represents the real-world intended use(s). Determining the degree of M&S accuracy is required because all M&S are approximations of reality, and it is usually critical to determine if the degree of approximation is acceptable for the intended use(s). This stands in contrast to software validation.

Classification of methods[edit]

In mission-critical software systems, where flawless performance is absolutely necessary, formal methods may be used to ensure the correct operation of a system. However, often for non-mission-critical software systems, formal methods prove to be very costly[citation needed] and an alternative method of software V&V must be sought out. In such cases, syntactic methods are often used.[citation needed]

Test cases[edit]

A test case is a tool used in the process. Test cases may be prepared for software verification and software validation to determine if the product was built according to the requirements of the user. Other methods, such as reviews, may be used early in the life cycle to provide for software validation.

Independent Verification and Validation[edit]

Software verification and validation often is carried out by a separate group from the development team. In such cases, the process is called "independent verification and validation", or simply IV&V.

Regulatory environment[edit]

Verification and validation must meet the compliance requirements of law regulated industries, which is often guided by government agencies[3][4] or industrial administrative authorities. For instance, the FDA requires software versions and patches to be validated.[5]

See also[edit]

Notes and references[edit]

  1. ^ Boehm, Barry (1989). "Software Risk Management". In Ghezzi, C.; McDermid, J. A. Proceedings of 2nd European Software Engineering Conference. ESEC'89. LNCS. 387. pp. 1–19. doi:10.1007/3-540-51635-2_29. ISBN 3-540-51635-2. ISSN 0302-9743. 
  2. ^ a b c "Department of Defense Documentation of Verification, Validation & Accreditation (VV&A) for Models and Simulations". Missile Defense Agency. 2008. 
  3. ^ "General Principles of Software validation; Final Guidance for Industry and FDA Staff" (PDF). Food and Drug Administration. 11 January 2002. Retrieved 12 July 2009. 
  4. ^ "Guidance for Industry: Part 11, Electronic Records; Electronic Signatures — Scope and Application" (PDF). Food and Drug Administration. August 2003. Retrieved 12 July 2009. 
  5. ^ "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the Shelf (OTS) Software" (PDF). Food and Drug Administration. 14 January 2005. Retrieved 12 July 2009. 

External links[edit]