Identification of Critical Risk Phase in Commercial-off-the-Shelf Software (CBSD) using FMEA Approach

Author: Student, School of CSE, Lovely Professional University Phagwara, Punjab. e-mail: palakarora718@gmail.com
Author: Assistant Professor, School of CSE, Lovely Professional University Phagwara, Punjab. e-mail: harshpreet.17478@lpu.co.in

# Introduction

COTS-based software development aims to build software from existing, already developed components. Components can be developed in-house for use across many projects with similar requirements. They can also be purchased from the market, where they are developed as small pieces of software intended to provide the basic functionality required for large projects. Various components are also available in repositories, together with their functionality and quality attributes. A target application is developed by selecting the appropriate components from the component repository and then integrating them into a target system, as in Figure 1 below.

Figure 1: Component-based Software Development (figure labels: Select, Integrate)

At present, more than 60% of software is developed using the component approach because of features such as:

- Rapid development.
- Immediate access.
- Reduced complexity.
- Increased efficiency of products.
- Reduced implementation, operating and maintenance cost.
- Reduced time to deliver products to the market.

Because of the budget and schedule savings, more than half of software developers have used the component-based approach. This approach has reduced the software crisis to a great extent [6]. The main rationale of the CBSD approach is to develop big systems by integrating pre-built components, which decreases development time and costs. There are five main phases in developing software with the CBSD approach: Identification, Evaluation, Selection, Integration and Development of components, as shown in Figure 2 below.

Figure 2: COTS Development Life cycle (figure label: Testing)

# II. Review of Literature

To deliver reliable and effective software products to the market, the software industry has been influenced by the COTS development approach. With CBSD, a component needs to be written only once and can be reused many times, rather than being rewritten every time a new application is developed. The CBSD approach overlaps the traditional software engineering approach, where existing technologies failed to deliver projects on time and on budget. The main reasons for these failures are that efforts are not properly estimated and the team's skill is under- or overestimated. Although the CBSD approach provides a lot of benefits, there are still several challenges, risks and uncertainties related to it [6]. As the name suggests, the CBSD approach means using existing components, so we depend on someone else (lack of trust). These problems are mainly due to the following factors:

- Wrong selection of components.
- Black box nature (non-availability of code) of COTS components.
- Lack of knowledge, guidance etc.
- Unknown quality of COTS products.

Often a risk is not identified in one phase and carries over into the second phase; in this way it influences the whole software and fails the organization's business. So there is a need for proper risk management from the very first phase when using the CBSD approach. Failure Modes and Effects Analysis (FMEA) is a systematic method for evaluating a process to identify where risk is and how it might fail, and to assess the relative impact of different failures [7]. With the help of the FMEA approach, this paper provides a risk management strategy for Commercial-off-The-Shelf software development.

# III. Problem Definition & Solution

In developing software using the CBSD approach there is uncertainty: there can be variations between the planned development approach and the actual software developed.
A risk could cause an organization to fail to meet its approach and objectives. The main steps of this paper are as in Figure 3 below:

The use of Commercial-off-The-Shelf software development has become an important need for developing software, as it offers reduced development time and effort. At the same time there are many challenges: the quality attributes of the selected components may cause the quality of the final product to deviate, and the cost and effort involved in integrating components during the design process may cause the product design to deviate from the actual requirement. There are many challenges that start during COTS development (Identification, Selection, Evaluation, Integration, and Development), summarised below [1].

# i. Identification of risks during CBSD Lifecycle

With the COTS development approach, components are purchased from a third-party vendor, so the development of the software depends on the customer support services provided by the vendors. Risks can therefore arise in each phase of CBSD, as in Figure 4. The risks in the CBSD life cycle are due to factors such as the black box nature of COTS components, lack of interoperability standards, the disparity between users and suppliers, incomplete requirement documentation, etc. The classification of risks by phase is briefly defined as in [6].

# Risks in COTS Selection Phase

Risk during this phase is associated with the problems of evaluating and selecting off-the-shelf software for use in the system. The risks in this phase are due to parameters such as unavailability of source code, inflexibility of COTS components, lack of a requirement document, architecture mismatches, etc.

# Risks in COTS Integration Phase

These risks are associated with problems of integrating systems from the existing COTS components.
These risks can occur while composing COTS components, due to the lack of interoperability standards, incompatible formats among different COTS components, incomplete requirements, etc.

# Risks during COTS Development

The risks in this phase arise when we develop the architecture from the selected COTS components. The risk arises from using an inappropriate development process.

# Risks during COTS Implementation Phase

The risks in this phase arise when we implement the final system after selecting the appropriate components. These risks are due to unclear design assumptions, performance factors, and security factors.

# ii. Classification of Risks during Phase-wise of CBSD

There are three types of areas where the identified risks mostly arise:

- Functional/Operational Requirements: the risks that arise with the functionality and performance of the system as perceived by its operators.
- Procedural approach: the risks that are related to the technical characteristics of COTS products.
- Production strategy: the risks that are related to the vendor of the COTS product.

# Risks involving in Functional/Operational Requirements

- Functionality & Performance: In COTS components, the actual functionality and performance of a COTS product are not as publicized, so the system may not meet its requirements.
- Requirements Gap: The COTS component does not match the current operational requirements or procedures.
- Security and Safety Issues: It may not be possible to certify that the product meets requirements, because the COTS product must be tested as a black box without its implementation.

# Risk involving in Procedural Approach

- Source code: If there is no access to source code, it may be difficult to trace integration and testing problems to COTS products.
- Upgrades: Sometimes upgrading COTS software increases the size of the programs, and the size of the hardware memory in the system may be insufficient.

# Risks involving in Production Strategy

# iii. Risk Mitigation

The main focus is to track, control and reduce the identified risks. A survey was conducted in various CMM level 2 companies, which summarized the possibility of each risk and the corresponding impact. Two approaches are used to calculate the risk score of the identified risks, in order to plan a mitigation approach for the high-impact risks:

a. Failure Mode and Effect Analysis (FMEA)
b. Goal-Driven Software Risk Management (GSRM)

# a. Failure Mode and Effect Analysis

A failure mode and effects analysis (FMEA) is a method for examining potential failure modes within a system, for classification by the probability and likelihood of the failures [5]. This procedure helps a team to identify potential failure modes based on past experience with similar products, enabling the team to design those failures out of the system with the minimum effort and resource expenditure. Effects analysis refers to studying the consequences of those failures.

To calculate the risk score of the identified risks, we used this approach and had a questionnaire filled in by 12 team members, based on their past experience of using COTS components. The probability of each risk item is measured on a Likert scale: low (1), moderate (3), and critical (5). The impact of the corresponding risk item ranges from very low (0) to critical (5). Here are some assumptions behind choosing these values:

- It is assumed that the impact of each risk could be different at each phase; it may or may not be the same at each phase.
- Suppose the probability of a risk arising is low (1); its impact may still be moderate (2) or critical (5).

The working formula is:

Results of questionnaire: The results obtained from the respondents are shown below.

From the above risk score, we found that RS 5 and RS 8 are critical risks because they have a high impact.
Table 4

| COTS Driver/Factor | Risk Id | Risk in Selection Phase | Risk Score |
|---|---|---|---|
| Behaviour Factors | RS 1 | Unavailability of source code | 124 |
| | RS 2 | Organizations have very limited access to product's internal design. | 108 |
| | RS 3 | The quality level of a component is unknown. | 118 |
| | RS 4 | During evaluation, developers have limited chance to verify COTS behaviour. | 126 |
| Functionality Factors | RS 5 | Requirement of the user and component architecture does not match. | 174 |
| | RS 6 | Architecture of the component is not analyzed according to the functionality. | 113 |
| | RS 7 | Difficult for requirement engineers to select among different techniques of selection. | 86 |
| | RS 8 | Lack of market survey. | 207 |
| Cost Factor | RS 9 | Required COTS is found costly as compared to in-house development cost. | 69 |

Analysis of Risk Score

![Figure 4: Analysis of Selection Phase](image-6.png "Figure 4")

# Risk Score of Integration Phase

Table 5

| Risk Driver/Factors | Risk Id | Risks in Integration Phase | Risk Score |
|---|---|---|---|
| Cost Factors | RINT1 | Underestimate the development time and cost | 122 |
| | RINT2 | The cost is too much to configure the components | 83 |
| | RINT3 | Immature COTS components. | 91 |
| | RINT4 | Lack of requirement configurations. | 211 |
| | RINT5 | Lack of cost control. | 112 |
| Size Factors | RINT5 | Difficult to predict the size of components. | 132 |
| Personnel shortfall factors | RINT6 | Lack of knowledge. | 73 |
| | RINT7 | Lack of interoperability standard. | 146 |
| | RINT8 | Lack of integrator personnel. | 150 |
| Security factors | RINT9 | Vulnerability risks. | 140 |
| Functionality Factors | RINT10 | Unavailability of source code. | 137 |
| | RINT11 | Components are not platform independent. | 86 |

Analysis of Risk Score

![Figure 5: Analysis of Integration Phase](image-7.png "Figure 5")

Table 7

| Risk Driver/Factors | Risk Id | Risks in Implementation Phase | Risk Score |
|---|---|---|---|
| Functionality Factors | RI 1 | Unclear design assumptions. | 139 |
| Usability Factors | RI 2 | Users cannot retrieve relevant & needed information. | 97 |
| Security Factors | RI 3 | System can be used in unintended way. | 132 |
| | RI 4 | Increase in vulnerability attack by integrating components with one another. | 160 |
| Performance Factors | RI 5 | Effect on system performance. | 114 |

![Figure 7: Analysis of Implementation Phase](image-8.png "Figure 7")

From the above risk score of the Implementation Phase, we found that RI 1 and RI 4 are critical risks because they have a high impact.

# b. Goal-Driven Software Risk Management (GSRM)

During the study it was found that if a risk in one phase goes unseen or undetected, it passes into the second phase and in this way impacts the whole system. If the risk in one phase is not detected, it overlaps into the second phase and increases its multiplicative impact factor [5].

![Figure 8: Impact of Risks during phase-wise](image-9.png "Figure 8")

In the GSRM approach the main focus is to integrate all the risk activities, so that we can identify the phases that have a high impact of risks and then mitigate those risks. So we calculate the total impact of risks as in table 10.

Table 8: Total impact of risk

| CBSD phase | Total Risk |
|---|---|
| Risk in Selection phase | 1098 |
| Risk in Implementation Phase | 1481 |
| Risk in Implementation Phase | 642 |

The working formula to calculate total risk is:

$$\text{Total Risk Score} = \sum RS_k + \sum RINT_k + \sum RD_k + \sum RI_k$$

where $RS_k$ = Risk in Selection Phase, $RINT_k$ = Risk in Integration Phase, $RD_k$ = Risk in Development Phase, $RI_k$ = Risk in Implementation Phase.

A: The risk is in this phase

Risk Score of all CBSD (Commercial-Off-The-Shelf Development)

Analysis of Total Risk Score

![Figure 9: Analysis of Total Risk Score](image-11.png "Figure 9")

From the total risk score of all CBSD phases, we found that the Integration phase is more critical. So there is a need to mitigate these risks.

# a) Risk Mitigation Strategy for Integration phase of CBSD Development approach

From the results obtained during risk analysis, the following graph shows the risk score percentile in the various COTS-based development phases.

![Figure 10: Risk Score Percentile of all Phases](image-12.png "Figure 10")

Now the mitigation strategy will be designed for the most critical risk phase, that is, the Integration Phase.

COTS integration means that different COTS packages are combined into a system with "glue code", for example office automation software, email, or a messaging system, where the components are bundled as a procedural library [1]. But in this phase many risks arise, such as:

- Lack of interoperability standard.
- Lack of tools and methods to integrate components.
- Effort for integration may increase from what was estimated.
- Developers try to integrate incompatible COTS components, etc.

The integration phase thus becomes the most challenging phase in Component-based Software Development. The main failures in software arise from wrong integration of components. As in [4], the recent computer screen upgrade in the British Government caused nearly 80,000 desktop computers to crash. The crash halted the United Kingdom's pension and benefits agency, which provides benefits to about 24 million people. The crash delayed the processing of new claims and forced employees to fax and fill out some payment checks by hand. The problem occurred during an upgrade across the network of computers. So there is a need to improve the integration techniques for COTS components.

Mitigation guidelines for Integration of COTS Components:

1. A proper understanding of a component's capabilities, and of how components are packaged and evaluated, is a must.
2. A developer should avoid general modifications to COTS components.
3. Modifications that add complexity to the project of COTS components should be avoided.
11. A developer should use open standard technologies that are freely distributed among different data models or software infrastructure, which provide a basis for communication and enable consistency among different COTS components [6].
12. Time and cost should be properly estimated before integrating COTS components.
13. All drivers should be considered before measuring component behaviour, for example ACIEP, used for COTS Integrator Experience with the product, and ACIPC, used for COTS Integrator Personnel Capability.

# IV. Conclusion

Commercial-off-The-Shelf software development has become a great need for large organizations, as it saves development time and money. It is believed that COTS components fulfil everyone's needs and can be used as-is. In reality, risk arises in each phase of CBSD, such as COTS selection, integration, development and the maintenance phase. In this paper, the main focus is to provide a risk identification strategy for COTS-based software development. The risk added in each phase of CBSD was identified, and the risk score was calculated to determine the critical risk phase.

![Figure 3: Step-wise Problem definition](image-2.png "Figure 3")

a) Challenges Faced during COTS-based Software Development life cycle

implementation to ensure successful risk reduction.

![Figure 4: Risks in CBSD life cycle](image-4.png "Figure 4")

1. Risks in COTS Selection Phase

Table 1: Risks Involving in Functional/Operational Requirements

- Requirements Availability Risks: In the case of COTS components, it is difficult to predict that the available COTS component will meet the functional requirements, so the estimated development cost and schedule are highly uncertain.
- Functionality & Performance

Table 2

- Conformance to Commercial Standards: COTS components do not conform to commercial standards, so interoperability with other selected COTS products may be difficult & costly.
- Integration Risks: Contractor does not have the technical

Table 3: For this kind of risks, potential risks are:

- Acquisition Alternatives Risks: During evaluation time, alternative methods of acquiring COTS products are not evaluated.
- Vendor Reliability Risks: Sometimes the vendor of the COTS product is financially weak or unstable & gives poor support.
- Cost and Schedule Completeness: The cost and schedule estimates are not considered when acquiring the COTS-based system.
- Business Skills: The relationship between the contractor and vendor contractor is weak.

Global Journal of Computer Science and Technology, Volume XIV Issue II Version I, Year 2014

© 2014 Global Journals Inc. (US)

* Requirements Engineering Challenges in Development of Software Applications and selection of Customer-off-The-Shelf (COTS) components. Dr Mahrukh Asghar Umar. International Journal of Software Engineering (IJSE), 2010.
* Risk Management Guide for DOD Acquisition. OUSD (AT&L) Systems and Software Engineering/Enterprise Development.
* Conceptual Model for Integration of COTS Components. James Everett Tollerson, MHisham Haddad. Department of Computer science & IT.
* Designing of RIMCOTS model for Risk identification and mitigation for COTS-based Software Development. Amandeep Kaur & Shivani Goel. Research Journal of Computer Systems Engineering - an International Journal.
* Determination of Risk During Requirement Engineering Process. Saima Amber, Narmeen Shawoo & Saira Begum. Journal of Emerging Trends in Computing and Information Sciences.
* Improving COTS-based Software Development Process by Identification and Mitigation of Component Risks. Palak Arora, Amandeep Kaur. International Journal of Advanced Research in Computer Science and Software Engineering, 2013.
* Failure Effect Mode Analysis (FMEA) in Institute for healthcare Improvements.