Professional Documents
Culture Documents
Management in Off-The-Shelf
Component-Based Development
Jingyue Li
Doctoral Thesis
Submitted for the Partial Fulfilment of the Requirements for the Degree of
Philosophiae Doctor
June 2006
Copyright © 2006 Jingyue Li
i
ii
Preface
This thesis is submitted to the Norwegian University of Science and Technology
(NTNU) for partial fulfilment of the requirements for the degree of Philosophiae
Doctor.
The work referred to has been performed at the Department of Computer and
Information Science, NTNU, Trondheim, under the supervision of Professor Reidar
Conradi.
The doctoral work was financed by NTNU for four years. This thesis has also been
affiliated with the INCO (INcremental and COmponent-based development) done
jointly by the University of Oslo and NTNU.
iii
iv
Acknowledgements
During the work on this thesis, I have benefited from a lot of communication with many
people, who have provided valuable input to my studies. First of all, I would like to
thank my supervisor Prof. Reidar Conradi for giving in valuable feedback and advice
during my work. His engagement and knowledge have inspired me a lot. I would also
thank Prof. Maria Letizia Jeccheri, Associate Prof. Dag Svanæs, Prof. Tor Stålhane, Dr.
Parastoo Mohagheghi, Dr. Carl Fredrik Sørensen, Odd Petter N. Slyngstad, Prof.
Kristen Ringdal, and Prof. Ola Listhaug at NTNU. They have all helped me with their
insights and advice. Furthermore, I acknowledge Assistant Prof. Marco Torchiano and
Associate Prof. Maurizio Morisio at Politecnico di Torino and Dr. Christian Bunse at
Fraunhofer IESE for their support and cooperation during the international survey.
Stewart Clark has been especially helpful by proof-reading this thesis. I also
acknowledge all the industrial partners that participated in this work.
Several master’s students at NTNU have contributed to studies in this thesis. I would
like to thank Axel Anders Kvale, Odd Are Sæhle, and Øivind Wang for their
contributions. Also, thanks to present and former colleagues at the software engineering
group at the Department of Computer and Information Science, NTNU, for providing a
good work environment.
I would like to thank Prof. Anthony Finkelstein at University College London, for his
kind hospitality and cooperation during my stay there in spring 2005.
I would also like to thank my family. A specific appreciation goes to my parents for
supporting and believing in me during all these years. Their effort in taking care of my
child provided me enough time to finish this work. I would especially express my
thanks to my wife, Fufen Jin and my son Lele for their love and support.
v
vi
Contents
Abstract........................................................................................................................ i
Preface........................................................................................................................ iii
Acknowledgements .................................................................................................... v
List of Figures............................................................................................................. x
Abbreviations ............................................................................................................ xi
1 Introduction ........................................................................................................ 1
1.1 Problem Outline 1
1.2 Research Questions 2
1.3 Research Design 3
1.4 Contributions 4
1.5 Selected Papers 9
1.6 Thesis Structure 11
vii
4.2 Risk Management in OTS Component-Based Development 33
4.3 Summary and Discussion 35
5 Research Methods............................................................................................. 37
5.1 Research Strategies in Empirical Software Engineering 37
5.2 Survey Methods 39
5.3 Research Design 40
5.3.1 Research Design of the Preliminary Study......................................... 40
5.3.2 Research Design of the Pre-study....................................................... 43
5.3.3 Research Design of the Main Study ................................................... 45
5.3.4 Research Design of the Follow-up Study ........................................... 52
5.4 Validity Issues 53
5.5 Summary and Discussion 54
6 Results................................................................................................................ 55
6.1 Collected Samples in Each Study 55
6.1.1 Collected Samples in the Preliminary Study ...................................... 55
6.1.2 Collected Samples in the Pre-study .................................................... 55
6.1.3 Collected Samples in the Main Study................................................. 56
6.1.4 Collected Samples in the Follow-up Study ........................................ 57
6.2 Answers to Research Questions 58
6.2.1 Reusing In-House Built Components – RQ1 ..................................... 58
6.2.2 Software Process Improvement – RQ2 .............................................. 59
6.2.3 Risk Management – RQ3 ................................................................... 65
6.2.4 Decision Making – RQ4 ..................................................................... 69
6.3 Our Lessons Learned on Performing the Studies 73
6.4 Summary and Discussion 74
viii
7.4.2 How Were the OTS Components Used in Practice? .......................... 86
7.4.3 COTS or OSS? Our Suggestions ........................................................ 87
7.5 Evaluation of Validity Threats 87
7.5.1 Possible Validity Threats in the Preliminary Study............................ 87
7.5.2 Possible Validity Threats in the Pre-study ......................................... 88
7.5.3 Possible Validity Threats in the Main Study ...................................... 89
7.5.4 Possible Validity Threats in the Follow-up Study.............................. 90
7.6 Summary 90
References................................................................................................................. 95
ix
List of Figures
Figure 1-1 Research questions and corresponding studies............................................... 3
Figure 1-2 Contributions C1 to C5 ................................................................................... 5
Figure 4-1 Risk management framework ....................................................................... 31
Figure 4-2 Risk management in OTS component-based development .......................... 35
Figure 5-1 Risk management before a project starts ...................................................... 46
Figure 5-2 Research framework for the risk management in the main study................. 46
Figure 6-1 Distribution of company size........................................................................ 56
Figure 6-2 Distribution of companies main business areas............................................ 57
Figure 6-3 Distribution of application domain of the systems ....................................... 57
Figure 6-4 The actual development process in the OTS-based project.......................... 60
Figure 6-5 What selection and evaluation actions were performed?.............................. 62
Figure 6-6 When was the OTS component selected?..................................................... 62
Figure 6-7 Result of thesis T5 ........................................................................................ 64
Figure 6-8 Occurrences of typical risks.......................................................................... 66
Figure 6-9 Risk management activities performed......................................................... 67
Figure 6-10 Project profiles of the COTS component-based system ............................. 69
Figure 6-11 Project profiles of the OSS component-based system ................................ 70
Figure 6-12 General motivations of using COTS components ...................................... 70
Figure 6-13 General motivations of using OSS components ......................................... 71
Figure 6-14 Specific motivations of using COTS components...................................... 71
Figure 6-15 Specific motivations of using OSS components......................................... 72
Figure 6-16 Occurrences of risks in COTS component-based projects ......................... 72
Figure 6-17 Occurrences of risks in OSS component-based projects ............................ 73
Figure 7-1 Scenarios 1 to 3............................................................................................. 78
Figure 7-2 Scenarios 4 to 6............................................................................................. 79
List of Tables
Table 1-1 Relations between research questions, contributions, and papers.................... 9
Table 2-1 Advantages and disadvantages of using COTS software............................... 19
Table 5-1 Qualitative vs. quantitative in empirical strategies ........................................ 38
Table 5-2 Questionnaire used in the preliminary study.................................................. 42
Table 5-3 Correspondence between questions and RQs in the preliminary study ......... 43
Table 5-4 Typical risks in OTS component-based projects ........................................... 48
Table 5-5 Typical risks management activities in OTS-based projects ......................... 49
Table 5-6 Revised research questions to investigate the newly published theses .......... 50
Table 6-1 Barriers to disseminating SPI theories to the IT industry .............................. 64
Table 6-2 Effective risk management activities ............................................................. 68
Table 6-3 Barriers to disseminating RM theories to the IT industry.............................. 68
x
Abbreviations
CBD Component-Based Development
CBSE Component-Based Software Engineering
CMM Capability Maturity Model
CRM Customer Relationship Management
COCOTS COnstructiveCOTS
CORBA Common Object Request Broker Architecture
COM Component Object Model (Microsoft)
COTS Commercial-Off-The-Shelf
DCOM Distributed Component Object Model (Microsoft)
EJB Enterprise Java Beans (Sun)
ERP Enterprise Resource Planning
GUI Graphical User Interface
HHM Hierarchical Holographic Modelling
ICT Information and Communication Technology
ISO International Standards Organization
IEC International Electrotechnical Commission
LOC Lines of Code
NTNU Norwegian University of Science and Technology
OO Object-Oriented
OTS Off-The-Shelf
OSS Open Source Software
ROI Return On Investment
RUP Rational Unified Process
SEI the Software Engineering Institute (SEI) at Carnegie Mellon University
SPI Software Process Improvement
UP Unified Process
XP eXtreme Programming
xi
xii
1 Introduction
In this chapter, the background to the research and the research context are briefly
presented. The chapter also describes research questions, research design, and the
claimed contributions. The list of papers, my specific contributions to each study, and
the thesis outline are also presented.
1
Introduction
conclusions. As a result, software project managers have few effective and well-proven
guidelines on using specific risk management activities to mitigate corresponding risks.
Although both COTS and OSS components can be acquired from third-party
providers, they are different in their nature and appearance. COTS components are
owned by commercial vendors that often provide specific support. Users of COTS
components have limited access to the source code. On the other hand, OSS
components are provided by open source communities with freely accessible source
code, but with no promise about specific support. When planning a new software
project, project decision-makers need to decide whether they should buy a COTS
component or acquire an OSS one, if it was decided to use OTS components. To make
such a decision, it is important to investigate previous projects using such components.
Unfortunately, the relevant decision-making processes are often intuitive and only
sparsely documented. Thus, further research is warranted to examine the current state-
of-the-practice and to define guidelines for making such decisions.
Based on results of the preliminary study, it was decided to investigate the software
process improvement (SPI) and risk management in COTS components-based
development with a pre-study. This study investigated research questions RQ2 and
RQ3:
RQ2: What are the development processes and OTS component-selection processes
used in OTS component-based development projects?
RQ3: Which risk management activities have been performed and what are the
results of performing them?
2
Introduction
By talking with the respondents face-to-face in the pre-study, we got insights on SPI
and risk management in OTS component-based development. We also found that OSS
components should be involved in future studies, because OSS components represent an
important type of OTS components. In addition to know their commonalities, it is
interesting to know the differences in using these two different types of OTS
components. Therefore, research question RQ4 is defined as:
RQ4: How do project managers make their acquire decisions in using COTS
instead of OSS components, or vice versa?
3
Introduction
1.4 Contributions
To manage the OTS component-based project successfully, project members need to
make several decisions. These decisions may not be sequential and may need several
iterations. We mainly contributed on summarizing the state-of-the-practice and giving
guidelines on making several key decisions, as shown in Figure 1-2.
4
Introduction
5
Introduction
efficiency will probably not increase with a higher reuse level (i.e., more reusable
components are available in the organization).
For a component repository, we confirm that this is not a key factor for successful
reuse. Furthermore, the potential value of a component repository will probably not
increase with higher reuse levels.
For component understanding, we reveal that most developers are not satisfied with
component documentation, and that developers’ satisfaction with component
documentation will decrease with higher reuse levels. The results also show that
informal communication channels (i.e., tacit knowledge), through which developers
may get necessary information about the components, should be given more attention.
For components’ quality attribute specification, we discover that developers still
need to spend much effort on testing the components before they start to use them, as
they cannot get relevant information from component specifications.
Based on the results of the pre-study, a main study with a formal questionnaire was
launched. This studied 133 projects from Norway, Italy, and Germany. It had a broader
focus than the pre-study and also included projects using OSS components. The results
confirm our findings in the pre-study. We conclude:
6
Introduction
- The actual OTS-based development process was the traditional process with
OTS-specific activities. The development process was dominated by the
company/department rules, instead of the decision of using OTS components.
- The actual OTS component selection can be done in different phases. The main
evaluation processes are familiarity-based or hands-on-trial-based. The phase to
select OTS component has relationship with the project members’ familiarity
with possible component candidates.
- The proposed software development process and OTS component selection
process need further investigation to be suited to different project contexts.
By summarizing the good practices and lessons learned in the projects investigated in
the pre-study, we got new insights on managing the possible risks in OTS component-
based development. In the main study, we further examined our findings. Our
contributions answered the following three sub-questions:
- What are the most frequent problems occurred in OTS component-based
development?
Two of the most frequent problems in OTS component-based development are
the incorrect estimation of the integration effort and inefficient debugging. The
least frequent problems are relevant to the negative effect of the OTS
components on the quality of the whole system.
- What are the most frequent risk management activities performed in OTS
component-based development?
Developers have seriously evaluated the quality of the OTS components in the
selection phase. They have considered the possible learning effort in the effort
estimation. They have done integration testing as early as possible and usually
have internal experts to follow the update of the OTS components. However,
developers have rarely involved their customers in the make vs. acquire decision
and OTS component selection.
- What are the results of the risk management activities on corresponding risks?
To increase the accuracy of effort estimation, it is important to allocate enough
effort to learn and understand the OTS components. To avoid the possible
quality problems and to increase the efficiency of locating the defects, it is
important to do black-box testing as part of OTS component selection and to do
integration testing as early as possible. To mitigate the problems due to
customers’ requirements changes, it is important to learn the OTS components
thoroughly in the selection phases and to integrate the unfamiliar OTS
components first. It is also important to be able to negotiate changed
requirements with the customers. To increase the efficiency of debugging and
7
Introduction
We compared who, why, and the results of using COTS components instead of OSS
components, or vice versa. This contributed to answer the three questions:
- Who were using OTS components?
Both COTS and OSS components were used in projects with different application
domains and different non-functional requirements. There was no significant
difference between the profiles of COTS-based and OSS-based projects.
- What are the possible problems of using each type of OTS components?
It is more difficult for COTS component users to follow requirement changes
than OSS users. It is also more difficult for COTS users to estimate the selection
effort.
C5: Empirical validation of the six newly published theses, which are related to the
process and risk management in OTS component-based development
The pre-study and main study also investigated six newly published theses in COTS
component-based development proposed in [Torchiano04]. Our results support four of
the theses and contradict the two others. The supported theses are: OSS components
were mainly used without modification in practice; custom code mainly provided
additional functionality; formal COTS selection processes were seldom used; COTS
component users managed to get the required changes from vendors. The unsupported
theses are: standard mismatches were more frequent than architecture mismatches;
COTS components were mainly selected based on architecture compliance instead of
functional completeness.
In the main study, a stratified-random sample selection strategy was used to collect data
in three European countries. The lessons learned from performing the main study
contributed to give guidelines on performing similar empirical studies in the IT
industry. We found that:
8
Introduction
[P1] [Li04a] Jingyue Li, Reidar Conradi, Parastoo Mohagheghi, Odd Are Sæhle, Øivind
Wang, Erlend Naalsund, and Ole Anders Walseth: A Study of Developer Attitude to
Component Reuse in Three IT Companies. Proceedings of 5th International Conf. on
9
Introduction
[P2] [Li06a] Jingyue Li, Finn Olav Bjørnson, Reidar Conradi, and Vigdis By
Kampenes: An Empirical Study of Variations in COTS-based Software Development
Processes in Norwegian IT Industry. To appear in the Journal of Empirical Software
Engineering (Special issue from Metrics 2004).
Relevance to this thesis: This paper reports the result of the pre-study, which
covers RQ2 and RQ3 and partly shows our contribution to C2 and C3.
My contribution: I was the leading author and contributed about 80% of the total
work, including research design, interview guide design, performing most interviews,
data analysis, and paper writing.
[P3] [Li05a] Jingyue Li, Reidar Conradi, Odd Petter N. Slyngstad, Christian Bunse,
Umair Khan, Marco Torchiano and Maurizio Morisio: Validation of New Theses on
Off-The-Shelf Component Based Development. Proceedings of the 11th IEEE
International Metrics Symposium (Metrics'05), Sep. 2005, Como, Italy, IEEE Press,
pp.26 (abstract), 10p.
Relevance to this thesis: This paper reports the result of the main study, which
covers RQ2 and RQ3 and shows our contribution to C5.
My contribution: I was the leading author and contributed 70% of the total work,
including research design, questionnaire design, and data collection in Norway, data
analysis, and paper writing.
[P4] [Li06b] Jingyue Li, Marco Torchiano, Reidar Conradi, Odd Petter N. Slyngstad,
and Christian Bunse: A State-of-the-Practice Survey of the Off-the-Shelf Component-
Based Development Processes, Proceedings of the 9th International Conference on
Software Reuse, Torino, Italy, June, 2006, Springer LNCS Vol. 4039, pp. 16-28.
Relevance to this thesis: This paper reports the result of the main study, which
covers RQ2 and shows our main contribution to C2.
My contribution: I was the leading author and contributed 70% of the total work,
including research design, questionnaire design, and data collection in Norway, data
analysis, and paper writing.
[P5] [Li06c] Jingyue Li, Reidar Conradi, Odd Petter N. Slyngstad, Christian Bunse,
Marco Torchiano, and Maurizio Morisio: A State-of-the-practice Study on Risk
Management in OTS Component-Based Development. Submitted to IEEE Transactions
on Software Engineering, June 2006.
Relevance to this thesis: This paper reports the result of the main study, which
covers RQ3 and shows our main contribution to C3.
10
Introduction
My contribution: I was the leading author and contributed 70% of the total work,
including research design, questionnaire design, data collection in Norway, data
analysis, and paper writing.
[P6] [Li06d] Jingyue Li, Reidar Conradi, Odd Petter N. Slyngstad, Christian Bunse,
Marco Torchiano, and Maurizio Morisio: An Empirical Study on the Decision Making
Process in Off-The-Shelf Component Based Development. Proceedings of the 28th
International Conference on Software Engineering (ICSE 2006), 20-28 May 2006,
Shanghai, P.R. China, pp. 897-900, IEEE Press.
Relevance to this thesis: This paper reports the result of the main study, which
covers RQ4 and shows our main contribution to C4.
My contribution: I was the leading author and contributed 70% of the total work,
including research design, questionnaire design, and data collection in Norway, data
analysis, and paper writing.
[P7] [Li05b] Jingyue Li, Reidar Conradi, Odd Petter N. Slyngstad, Christian Bunse,
Umair Khan, Marco Torchiano and Maurizio Morisio: Barriers to Disseminating Off-
The-Shelf Based Development Theories to IT Industry. Proceedings of the International
Workshop on Models and Processes for the Evaluation of COTS Components
(MPEC'05 Arranged in co-location with ICSE'05), May, 2005, St. Louis, Missouri,
USA, pp. 1-4. It is also published in the electronic version of ACM Software
Engineering Notes, Vol. 30, No. 4, July 2005.
Relevance to this thesis: This paper reports the result of the follow-up study,
which covers RQ2 and RQ3, and shows partly our contribution to C2 and C3.
My contribution: I was the leading author and contributed on 80% of the total
work, including research design, seminar organization, data collection, data analysis
and paper writing.
[P8] [Conradi05a] Reidar Conradi, Jingyue Li, Odd Petter N. Slyngstad, Christian
Bunse, Marco Torchiano and Maurizio Morisio: Reflections on conducting an
international CBSE survey in ICT industry. Proceedings of the 4th International
Symposium on Empirical Software Engineering (ISESE 2005), Nov. 2005, Noosa
Heads, Australia, pp. 214-223, IEEE Press.
Relevance to this thesis: This paper reports our lessons learned on the main study,
and shows our main contribution to C6.
My contribution: I contributed on 40% of the total work, including sample
selection design, performing the data collection, and major comments on the data
analysis and draft paper.
11
Introduction
Chapter 5: Research methods and metrics. In this chapter, the research goals and
research questions are specified. We give our rationale for using different research
methods to answer different research questions.
Chapter 7: Evaluation and discussion. The research questions are answered in this
chapter. We summarize the results from the empirical investigation and compare them
with the state-of-the-art. We also discuss possible threats to the validity of each study.
Chapter 8: Conclusion and future work. This chapter sums up the main findings from
the discussion ands outline possible future work.
Appendix A contains 8 selected papers (P1 to P8) that provide detailed results and
discussions of the individual studies.
Appendix B contains the abstracts of other seven relevant papers (AP1 to AP7) which
are not attached in this thesis.
In both parts of this thesis, I have generally used the term “we” to present the work. The
layout of papers in Appendix A has been changed to fit the format of the rest of the
thesis.
12
Software reuse and component-based development
This chapter describes the challenges in software engineering that are the motivations
behind reuse. The state-of-the-art in Component-Based Development (CBD), COTS
development, and OSS-based development are then described. Finally, the whole
chapter is summarized and the research challenges related to this thesis are discussed.
13
Software reuse and component-based development
The challenges facing reuse are structural, organizational, managerial, and technical
[Mili95]. Many organizations treat reuse as technology-acquisition problems instead of
a technology-transition problem. However, just buying technology usually does not lead
to extensive reuse. Morisio et al. [Morisio02b] found that:
− Top management commitment is the prerequisite for success.
− Product family practice, common architecture, and domain engineering increase
reuse capability.
− Size, development approach (object-oriented or not), rewards, repository, and
reuse measurement are not decisive factors, while training is.
− The other three factors that are considered to be success factors are reuse process
introduced, non-reuse process modified, and human factors.
− Successful cases tried to minimize change, to retain their existing development
approach, choosing reuse technology to fit that.
Griss [Griss95] summarized the experience from industrial reuse and pointed out
that:
− Reuse needs management support, since reuse involves more than one project.
− Object technologies or libraries give no improvement in reuse.
− Domain stability and experience are often more important for successful reuse
than general process maturity.
− One way to adopt reuse incrementally is to increase your investment and
experience.
14
Software reuse and component-based development
Frakes et al. [Frakes95] report that most software engineers prefer to reuse rather
than to build from scratch. In addition, they did not find any evidence that use of certain
programming languages, CASE tools, or software repositories promote reuse. On the
other hand, reuse education and a software process that promotes reuse have a positive
impact on reuse. They also found that the telecom industry has higher levels of reuse
than some other fields.
Software reuse includes two interrelated parts: reuse as and reuse with. Reuse as
means creating the asset for future reuse. Reuse with indicates using the reusable
artefacts in the new system.
None of these two aspects are found in OO approach. Some other differences
between component approach and OO approach are:
− Instantiation: components may be instantiated or not, and if instantiated there are
usually not many instances of them [Atkinson02].
15
Software reuse and component-based development
− Components may have state or not (in order to be replaceable they should not
have state).
− Components are generally considerably larger than individual classes [Bosch00].
16
Software reuse and component-based development
17
Software reuse and component-based development
− Accessed immediately.
− Obtained at significantly lower prices than otherwise.
− Developed by someone who is an expert in that functionality.
18
Software reuse and component-based development
19
Software reuse and component-based development
OSS software has risen to great prominence. There is excellent evidence that OSS
has a significant market share in numerous markets, for example,
− Netcraft’s statistics on web servers shows that Apache is the number one web
server with over three times the market share of its next ranked competitor
[Netcraft05]
− A 2004 InformationWeek survey found that 67% of companies use OSS
products with another 16% expecting to use it in 2005, and only 17% have no
near-term plans to support OSS products [Infoweek04].
OSS software offers many choices from large suites to small components. Typical
OSS suites are Linux (operating system), Apache (web server), MySQL (database),
PostgreSQL (database), Eclipse (development platform), and OpenOffice (office suites).
Examples of software components are zlib (compression/decompression Library),
SpamAssassin (spam-checker for email servers), and log4j (logging component). As of
27th April 2006, there are more than 118,615 OSS project registered at sourceforge.net
and more than 40,590 project registered at freshmeat.net. The projects are classified
according to the application domain of the software, such as clustering, games,
networking, and security at sourceforge.net and freshmeat.net.
OSS has many proposed advantages [Fitzgerald04], [Ruffin04] [Madanmohan04]:
− OSS is usually freely available for public download. The collaborative, parallel
efforts of globally distributed developers allow OSS to be developed more
quickly than conventional software.
− Many OSS products are recognized for high reliability, efficiency, and
robustness.
− When OSS is a de facto standard component and has a large user community, it
is a lasting solution that can resist the commercial supplier uncertainties that can
often abruptly end a product’s life
− Using mainstream OSS reduces cycle time for component updates and
corrections. More and often free labour is available to localize and correct
defects. Especially for embedded systems, OSS provides fast, new drivers and
hardware-related features, even for rather exotic environments.
− Another attraction is that the marginal cost of scaling up is zero. OSS does not
require additional licences as installation numbers grow.
Despite its wide appeal, OSS software faces a number of serious challenges and
constraints [Fitzgerald04] [Ruffin04]:
20
Software reuse and component-based development
− Since OSS projects have some typical characters, such as parallel development,
fast release, and peer review, some studies investigated how the OSS projects
are organized and managed. The intentions of these studies are to summarize the
good practice in OSS projects in order to improve the development of
commercial software [Feller02].
− Some studies compared the OSS products with COTS products. For example,
Paulson et al. [Paulson04] validated several hypotheses about the difference
between OSS and COTS products. They concluded that there is still no empirical
evidence that OSS fosters faster system growth and there is also no strong
evidence that OSS is more modular than COTS software.
− Other studies concentrate on using OSS in the commercial software projects in
order to facilitate the development in the IT industry [Madanmohan04].
21
Software reuse and component-based development
Typical COTS components are: Vector draw professional (3D modelling), Shamman
Reports for Excel (Database reporting), Dynamic Cube (OLAP). Typical OSS
components are: Xerces (XML parser), Kiwi Toolkit (Class library), OpenEJB, Python
(Interpreter).
22
Software reuse and component-based development
challenges in reusing the OTS components in different project contexts, so that the
project manager can efficiently customize their process, organization, and
technology according to their needs. This research challenge is investigated by
research questions RQ2 and RQ3 in this thesis.
− What are the differences between using COTS and OSS components?
Although both COTS and OSS components claim to save development effort, they
are different in their nature and appearance. When project members want to use
OTS components, they must select to either use COTS or OSS. It is therefore
important for them to be able to compare the benefits and risks of using COTS or
OSS components. This research challenge is investigated by research question RQ4
in this thesis.
23
Software reuse and component-based development
24
Process improvement
This chapter starts by introducing some software development models and the
challenges of process improvement in general. After that, it describes the proposed
processes in OTS component-based development and OTS component selection.
Finally, challenges facing our study are discussed.
25
Process improvement
There are three main types of processes: management, engineering, and support.
Within a software project, key processes could be classified in three major process
classes as follows:
- Management processes
- Software engineering (life cycle) processes
- Support processes (life cycle support)
- Code and Fix: Developers begin work without a set of good requirements or a
vision, writing code as long as there is time and money. This approach has no
planning and therefore yields early results. High maintenance and rework effort
are the result of this model.
- Waterfall: This model is a sequential, document-driven methodology. To
advance from the current phase to the next phase, the project team must review
and release an artefact in the form of a document [Royce87].
- V-model: This model is an extended waterfall model, adding more details on the
validation and verification side. For each phase in development, there is an
associated phase to verify and validate the result produced [V-Model05].
- Spiral: The spiral model breaks the project down into risk-oriented subprojects
[Boehm88], [Boehm98]. The advantage of this model is the breakdown of
development into small pieces, so that the areas of risk can be tackled at the
beginning of the project.
- Evolutionary Prototyping: In this model, the system starts with an initial idea or
proposal, which is then prototyped and released to the customer in incremental
releases based on feedback.
- Adaptive Software Development: The adaptive software development model is
an iterative, risk- and mission- driven, component-based, time-boxed, and
change-tolerant process [Highsmith99]. It works well for small teams (four to
eight people) when the requirements are uncertain or domain knowledge is
missing.
26
Process improvement
- Unified Process: The author of the Unified Modelling Language (UML) defined
a software process model called the Unified Process (UP) [Jacobson99]. The UP
is a risk- and use-driven, architecture-centric, iterative and incremental software
development model. The Rational Unified Process (RUP) [Kruchten00] is a
commercial extension of the UP.
- Extreme Programming: The eXtreme Programming (XP) model [Kent99] is a
flexible, lightweight, people- and result-oriented development process that allows
for requirement changes at any time during development. XP defines 12 core
practices that are essential to the success of an XP project, such as test-driven
development, planning game, on-site customer, pair programming, and so on.
A software development process model should not be dumped blindly onto the
project but rather should be carefully chosen according to the project, the environment,
and the goals. In addition, researchers and practitioners have realized that processes
cannot be defined and frozen once for all. Processes need to continuously undergo
changes and refinements to increase their ability to deal with the market expectations
and requirements of the company stakeholders. Hence, process need to be continuously
assessed and improved [Fuggetta00].
27
Process improvement
development team. The absence of source code bars the development team from
adjusting the COTS components to their needs.
Based on the above arguments, Boehm and Abts [Boehm99] proposed that
development models which explicitly take risk into account are more suitable for
COTS-based development than the traditional waterfall or evolutionary approaches.
The Software Engineering Institute has a large ongoing effort to address the
development of COTS-based systems, and they have developed the Evolutionary
Process for Integrating COTS-based Systems (EPIC) [Albert02]. The proposed process
integrates COTS-related roles and activities into a RUP process. The iterative and
evolutionary nature inherent in this process allows developers to adjust the architecture
and system design, as more knowledge is gained about the operations of the COTS
components.
The National Aeronautic and Space Administration (NASA) has been developing IT
systems with COTS for many years. Their experience has been captured by Morisio et
al. [Morisio00]. They have investigated the various processes that were used across 15
projects at NASA. Based on their insight, they have developed a COTS-based
development process that was the most representative for the processes used in the
projects.
- Inspect all modules of each of the available COTS components to check whether
they satisfy some or all of the functional requirements of the COTS-based system
being developed.
- Check whether a COTS component also satisfies the non-functional requirements
of the COTS-based system. Non-functional requirements may include properties
such as the interoperability of the modules of the COTS product with other
systems.
- Compare the COTS component candidates and select the most appropriate COTS
component that satisfies both the functional and non-functional requirement of
the COTS-based system.
Some of the direct assessment processes, such as OTSO [Kontio96], CAP [Ochs01],
and CISD [Tran97a], assume that the requirements are fixed and select the COTS
components by comparing how well the COTS component candidates satisfy the
28
Process improvement
requirements. A formal decision-making process is usually used to select the best COTS
component [Ncube02]. The formal decision-making process usually includes three basic
elements: selecting evaluation criteria (factors), collecting and assigning values to these
criteria, and applying formal decision-making algorithms such as MAUT
[Maccrimmon73], MCDA [Morisio97], and AHP [Saaty90]. Other direct assessment
processes, such as MBASE [Boehm00], PORE [Maiden98], IIDA [Fox97], CARE
[Chung02], RCPEP [Lawlis01], and CRE [Alves03] emphasize the trade-offs between
the requirements and COTS component functionalities. These processes do not assume
that the requirements are fixed and should not be changed. On the other hand, these
processes propose that the requirements in COTS-based development should be flexible
enough so that they can be negotiated or changed according to the available
functionalities of the COTS components.
Another kind of process is based on a domain-model [Leung02]. It includes a set-up
phase and a selection phase. In the set-up phase, the vendors need to map their COTS
modules to those modules of the domain that they find are applicable. In the selection
phase, the corresponding modules in a domain model are identified for each of the
modules of the COTS-based system in question. Then, the COTS modules that claim to
be applicable are identified by the mapping from the domain models to the COTS
modules. After that, the non-functional properties of the identified COTS modules are
assessed. In the end, the most appropriate COTS modules are selected with reference to
all of the assessment results.
After performing seven structured interviews of small and medium software
companies in Norway and Italy, Torchiano and Morisio [Torchiano04] proposed two
these T4 and T5 that reflect the state-of-the-practice of SPI in COTS-based
development.
- T4: Developers seldom use formal selection procedures. Familiarity with either
the product or the generic architecture is the leading factor in selection.
- T5: Architecture is more important than requirements for product selection.
29
Process improvement
30
Risk management
31
Risk management
for each identified risk item. Risk prioritization ranks the risk items identified and
analysed. Risk management planning helps prepare to address each risk item. Risk
resolution produces a situation in which the risk items are eliminated or otherwise
resolved. Risk monitoring involves tracking the progress of a project towards resolving
its risk items and taking corrective activities where appropriate.
In order to identify risks, a list of possible project risks must be produced. Boehm
[Boehm89a] lists the top 10 risks by probing several large software projects and their
common risks. Barki et al. [Barki93] identified 35 variables, which are subsequently
used as a basis for creating scales in a project risk assessment instrument. The Software
Engineering Institute (SEI) [Carr93] has contributed significantly to the literature with
the SEI Taxonomy-Based risk identification instrument, which contains 194 questions.
However, the notion of building single all-encompassing risk taxonomy to be globally
used by all software developers is probably unrealistic. Thus, we may need different
risk taxonomies in different project contexts [Moynihan97].
A few other studies have classified software risk items, i.e., consider software risks
along several dimensions and have provided some empirically founded insights of
typical software risks and their variation. The risks can be classified into technical,
organizational, and environmental [Sherer95]. The possible risks can also be
summarized into a hierarchical holographic modelling (HHM) framework
[Chittister96]. Ropponen and Lyytinen [Ropponen00] empirically delineate six
components of software development risks, such as scheduling and timing risks, system
functionality risks, subcontracting risks, requirement management risks, resource usage
and performance risks, and personnel management risks. Keil et al. [Keil98] extracted
the experience of more than 40 software project managers and identified a universal set
of risk factors, such as customer mandate, scope and requirements, environment, and
execution. A following study [Wallace04] investigated the relationship between these
factors and their effect on the result of the project.
During the risk analysis process, project managers have to consider each identified
risk and make a judgment about its probability to occur and seriousness. The project
managers can tabulate the results of this analysis process using a table ordered
according to the serious of the risk [Sommerville04]. The estimation of the seriousness
and the rank of the risk should be combined with cost estimation [Madachy97],
[Kansala97]. Once the risks have been analysed and ranked, the project managers need
to assess which are the most significant risks.
The purpose of identifying and analysing the risks is to manage these possible risks.
The possible risk management activities have been proposed from processes
[Boehm88], organization [Roppoen00], [Gemmer97], and technology [Hecht04]
viewpoints. However, many researchers advocate rather than investigate. As a result,
some advocated concepts are worth less than their advocates believe and there is a
shortage of evaluative research to help determine the actual value of new tools and
techniques [Glass01]. Although risk management proposals of the in-house software
development have been verified by a survey-based research [Verner05], few studies
have been performed to empirically investigate the risk management proposals in using
the OTS components.
32
Risk management
Torchiano and Morisio [Torchiano04] discovered several phenomena about risks and
risk management in COTS component-based development and proposed theses T2, T3,
and T6 as:
33
Risk management
34
Risk management
Since the OTS components involve both COTS and OSS components, risks and risk
management activities relevant to OTS components-based development are therefore
the subset of risks and risk management in component-based development, COTS-
based, and Open Source based development, as shown in Figure 4-2.
35
Risk management
36
Research methods
5 Research Methods
This chapter provides a brief review of empirical research approaches and strategies in
the empirical software engineering field. Since the survey method has been mainly used
in several studies in this thesis, the advantages, disadvantages and guidelines for using
this method are discussed. The research designs for each study in this thesis are
described. Validity threats for all studies and in particular how to overcome these in our
studies are further discussed.
37
Research methods
The important question in research design is when to use each strategy. If the
problem is identifying factors that influence an outcome or test the effect of some
manipulation, quantitative approaches are chosen. If the problem is to understand why
the results are as they are or to identify causes, a qualitative approach is better. The
mixed method approach uses different methods in the various phases of a study. Yin
[Yin03] answers that question of choosing an approach by listing three conditions:
38
Research methods
- The type of research question posed. How and why questions are explanatory,
and usually should be studied over time in replicated experiments or case studies.
What, who, where, how many, or how much questions asks about the frequency
or describe the incidence of a phenomenon.
- The extent of control. Only in experiments, the researcher can control treatments
or behavioural events. In a case study, the researcher cannot control treatment,
but may control the measures to be collected.
- The focus. The experiment or case study focuses on the contemporary as opposed
to the surveys, which focuses more on the historical events.
The two most common data collection methods for survey are questionnaires and
interviews [Babbie90]. Questionnaires could both be provided in paper form or in some
electronic form, for example, email or internet. Comparing with the questionnaire, the
advantages of interviews are:
- Interview surveys typically achieve higher response rates than, for example, a
mail survey.
- An interviewer generally decreases the number of “do not know” and “no
answer”.
- It is possible for the interviewer to observe and ask questions.
39
Research methods
does not know the form of this information ahead of time, so the questions asked must
be as open-ended as possible. In a structured interview, the interviewer has very specific
objectives for the type of information sought in the interview, so the questions can be
fairly specific. Another form of the interview is the semi-structured interview. These
interviews include a mixture of open-ended and specific questions, designed to elicit not
only the information foreseen, but also unexpected types of information. One useful tool
to gather the data during an interview is the interview guide [Taylor84]. It usually
consists of a list of close questions and open-ended questions, possibly with some notes
about the direction in which to steer the interview under different circumstances.
To collect the data of the survey, samples should be selected from the target
population. The basic idea of sampling is that by selecting some of the elements in a
population, we may draw conclusions about the entire population. The sample selection
methods should consider [Cooper03]:
- What is the relevant population?
- What are the parameters of interests?
- What is the sampling frame?
- What is the type of the sample?
- What size sample is needed?
- How much it will cost?
40
Research methods
From these steps, we have selected several key factors. For step 1, we focus on the
efficiency of component-related requirements (re)negotiation and the value of
component repository. For step 2, we study how knowledge about components can be
transferred from a component provider to a component user. For step 3, we focus on
definition and reasoning of quality attributes for components.
The sub-questions and hypotheses are as following. Detailed rationale for these sub-
questions are in Section 3.1 of paper P1 [Li04a] in Appendix A.
Concerning the RQ1.2, the null hypothesis H01 and alternative hypothesis HA1
are:
o H01. There is no relationship between the companies’ reuse level and the
efficiency of component-related requirements (re)negotiation.
o HA1. There is a positive relationship between the companies’ reuse level and
the efficiency of component-related requirements (re)negotiation.
- RQ1.3: Does the value of component repository increase with more reusable
components available?
Concerning the RQ1.3, the null hypothesis H02 and alternative hypothesis HA2
are:
o H02. There is no relationship between the companies’ reuse level and the
value of component repository.
o HA2. There is a positive relationship between the companies’ reuse level and
the value of component repository.
- RQ1.4: How can a component user acquire sufficient information about relevant
components?
Concerning the RQ1.5, the null hypothesis H03 and alternative hypothesis HA3
are:
o H03. There is no relationship between the companies’ reuse level and
developers’ satisfaction with component documentation.
o HA3. There is a negative relationship between the companies’ reuse level
and developer’ satisfaction with component documentation.
41
Research methods
In this study, we used a questionnaire to collect the data. The questionnaire included
five parts. The questions in the first part were used to investigate the reuse level of the
companies. The definition of reuse level in this study is the number of reused
components vs. the number of total components in the organization. The other four parts
were organized based on the four key factors. Each question in the questionnaire was
used to study one or more research questions. The details of questions are given in the
Table 5-2. The correspondences between the questions in the questionnaire and research
questions are shown in Table 5-3. To increase the reliability of our survey, the
questionnaire also included the definition of concepts used in the questionnaire, and the
questions about the respondents’ personal information.
42
Research methods
Table 5-3 Correspondence between questions and RQs in the preliminary study
RQ1.1 RQ1.2 RQ1.3 RQ1.4 RQ1.5 RQ1.6
Q1-Q2 X X X
Q3-Q5 X X
Q6 X
Q7-Q10f X X
Q11-Q12 X
For research questions RQ1.1, RQ1.4, and RQ1.6, the results were analysed by
examining their distribution. Since the research questions RQ1.2, RQ1.3, and RQ1.5
are related to the reuse level of the companies, the results were analysed with Spearman
Rank Correlation Coefficient in SPSS version 11.0.
- RQ2.1: What was the actual process used in the projects using COTS
components?
- RQ2.2: What are the commonalities and possible variations in COTS-based
development processes?
- RQ3.1: What are process scenarios (variations) of the projects using COTS
components successfully and not successfully? What are possible problems and
good practices in different process scenarios?
Another intention of this study is to clarify research questions to test the newly
published theses in COTS-based development. The study performed by Torchiano and
Morisio [Torchiano04] with seven interviews reveals six theses, which contradicted
widely accepted (or simply undisputed) insights in COTS-based development. Since
the sample size of that study was small, it is necessary to investigate the six theses in a
larger and randomized sample. To test the theses, we decided to collect more data using
a randomized sample. Our initial plan was to transfer the theses directly into hypotheses
and make a quantitative survey with standardized questions in a formal questionnaire.
We designed six fixed hypotheses according to the theses and a preliminary
questionnaire. After two rounds of pre-testing, we discovered that it was difficult to
reliably investigate the six theses without a pre-study to clarify our research questions.
We therefore decided to resort to structured interviews, i.e., a qualitative pre-study,
before using a larger and randomized sample.
We used an interview guide (see Appendix C) to collect data. The interview guide
includes both closed and open-ended questions. The closed questions were used to
43
Research methods
solicit information on project context. For example, one question used the application
domains of the final system (product), which was based on the North American
Industrial Classification System (NAICS) [NAICS04]. The open-ended questions were
used to gather information on actual COTS-based development processes. The
questions covered the main life cycle process, the process changes due to using COTS
components, and the experience and lessons learned in the whole COTS-based
development process.
Interviews and data collection were conducted from Nov. 2003 to Feb. 2004. The
contacted 34 IT companies were mostly involved in two Norwegian R&D Projects
[INCO00], [SPIKE002] and one EU R&D project [FAMILIES03].
A pre-process was used to select relevant COTS-based projects. Contact people (IT
managers in the most cases) in the above projects were first contacted by phone and
email, using an introductory letter with our definition of COTS component and project
(the same as the definitions in the interview guide). They were asked to check if they
have a relevant COTS-based project. During this pre-process, 17 companies (among 34)
did not match our definition of a COTS-based project, and therefore could not join the
study. Of these 17 “rejected” companies, 13 used only in-house built components and 3
used only OSS components. There was one other company that could not participate
because of confidentiality issues.
For the remaining 17 companies, 13 of these volunteered to join the study. The
contact people in these 13 companies were asked to recommend people with most
experience on the relevant projects. In all, 16 people were recommended from these 13
companies. For each recommended respondents, they were asked to select one relevant
COTS-project. If a respondent claimed that he/she had experience from several COTS-
based projects, the respondent was asked to select one that he/she was most familiar
with. The whole process to find a suitable respondent and project in a prospective
company, and later agree upon time and place for a physical interview took weeks.
The interview guide was sent to respondents a few days before the personal
interview. In this way, the respondents were well-prepared and could have time to
remember the details of the projects and find some relevant documents. Each interview
was conducted by one of the two interviewers (none with two interviewers), took from
60 to 80 minutes, and was recorded.
The first step in the data analysis was to listen to the tape, and supplement and
transcribe the interview “as-is” into a field note. After that, we used different analysis
procedures based on the purpose of the different research questions.
The purpose of research question RQ2.1 is to investigate the actual development
processes used in the project. The data was analysed by the constant comparison method
[Strauss98].
The purpose of research question RQ2.2 is to see the similarities and differences
between process changes in the studied projects. The main analysis method used is
cross-case analysis [Strauss98].
The purpose of research question RQ3.1 is to summarize the process scenarios of
the successful and unsuccessful projects. We first grouped projects into two groups
based on the positive or negative effect of the COTS components regarding time-to-
market and general quality of the system. In each group, we divided projects into sub-
groups based on their main actual processes used. For each sub-group, we performed a
similar cross-case analysis [Strauss98], as for research question RQ2.2.
44
Research methods
Detailed processes of data analysis of RQ2.1, RQ2.2 and RQ3.1 are in Section 3.6
of Paper P2 [Li06a] in Appendix A.
The research focus of the main study (see papers P3 [Li05a], P4 [Li06b], P5 [Li06c],
and P6 [Li06d] in Appendix A) includes four parts:
5.3.3.1. Part one: Verify our conclusions about RQ2 (What were the development
processes and OTS component-selection processes used in OTS component-based
development projects?).
5.3.3.2. Part two: Investigate our findings from RQ3 (Which risk management
activities have been performed and what are the results of performing them?).
In this study, we have used the conceptual measurement framework proposed by Bush
and Fenton [Bush90]. The study includes one entity (i.e., the project) and two attributes
(i.e., possible risks of the project and possible risk mitigation activities to avoid these
risks). There are also two relationships, i.e., risks are related to a project and risk
mitigation activities that IMPACTS risks. Before the start of a project, project managers
must upfront estimate how often the risks may happen, how much effort they need to
put in to certain risk mitigation activities, and how well the risks may be managed. The
relationships are shown in Figure 5-1.
45
Research methods
To help project managers predict the possibility of risks and to plan the risk
management efficiently before a project starts, it is necessary to summarize practices
and results of risk management from finished projects. The research framework of risk
management in the main study, as shown in Figure 5-2, is designed to do posteriori
measurements (after the project is finished) on the occurrence of project risks and the
impacts of performed risk management activities on these risks.
Figure 5-2 Research framework for the risk management in the main study
The research questions RQ3.2, as shown in Figure 5-2, is to investigate the actual
risk incidence, i.e., how often had problems occurred in practice? The research question
46
Research methods
RQ3.3, is to investigate the execution of the risk management activities in projects, i.e.,
how often had certain risk management activities been performed in practice? The
research question RQ3.4 is to examine the effect of performed risk management
activities, i.e., how well the performed risk mitigation activities had reduced
corresponding risks? For a specific risk, we are interested in the most effective
mitigation activities.
In our study, we selected several typical risks and possible risk management
activities proposed in [Boehm03], [FAA03], [Li06a], [Rose03], [CBSEnet04],
[Vitharana03], [Lawton02], [Fitzgerald04], [Torchiano04]. The selection criteria are:
- First, the risks and risk management activities should address the common issues
in the CBD, COTS-based development, and OSS-based development, as shown
in Figure 4-2.
- OTS component-based development encompasses three primary types of
stakeholders, namely component developers, application assemblers/integrators,
and customer. Different stakeholders have different risks and challenges
[Vitharana03]. We have selected risks and challenges that are relevant only to
the application assemblers/integrators.
- The selected risk management activities in our study focus mainly on process
and organizational issues, instead of technical methods, such as wrapping,
composition prediction, and testing.
47
Research methods
48
Research methods
Based on results of the pre-study (see paper P2 [Li06a] in Appendix A), we clarified the
research questions that can be used to verify the six newly published theses
49
Research methods
Table 5-6 Revised research questions to investigate the newly published theses
Newly published theses Revised research questions
T1: Open source software is often T1.RQ1: Had the source code of OSS
used as closed source. components been read by integrators
during software development?
T1.RQ2: Had the source code of OSS
components been changed by integrators
during software development?
T2: Integration problems result from T2.RQ1: Were the standard mismatches
lack of compliance with standards. more frequent than architecture
Architecture mismatches constitute a mismatches?
secondary issue.
T3: Custom code mainly provides T3.RQ1: Were the occurrences of building
additional functionalities. glueware more frequent than the
occurrences of building addware?
T4: Developers seldom use formal T4.RQ1: How often had a formal process
selection procedures. Familiarity with been used in practice?
either the product or the generic T4.RQ2: How often had the familiarity-
architecture is the leading factor in based selection process been used in
selection. practice?
T4.RQ3: How often had the hands-on
experimentation based selection process
been used in practice?
T5: Architecture is more important T5.RQ1: Had architectural compliance
than requirements for product been considered more important than
selection. functionality completeness in the whole
COTS-based project?
T6: Integrators tend to influence the T6.RQ1: How often the required changes
vendor on product evolution whenever (corrections or new functionalities) from
possible. integrators had been satisfied by the
vendors.
50
Research methods
5.3.3.4. Part four: Compare COTS with OSS-based projects to investigate RQ4 (How
did project managers make their make vs. acquire decision in using COTS instead of
OSS, or vice versa?).
The high level question will be: Why do I use COTS instead of OSS components, or
vice versa? To investigate this question, we asked three sub-questions RQ4.1 to RQ4.3
as follows:
- RQ4.1: What are the commonalities and differences in profiles of projects using
COTS components vs. those using OSS components?
- RQ4.2: What are the commonalities and differences in the expectation of
projects using COTS components vs. those using OSS components?
- RQ4.3: What are the commonalities and differences in possible risks (problems)
of projects using COTS components vs. those using OSS components?
The background and rationale for RQ4.1 to RQ4.3 are reported in Section 3 of Paper
P6 [Li06d] in Appendix A.
We used a questionnaire (see Appendix D) to collect data in the main study. The
questionnaire was organized into three main parts.
The final questionnaire was first designed and pre-tested in English (internal and
external reviews). It was then translated into the native languages (Norwegian, German,
and Italian) and published on the SESE web survey tool [Sese04] at Simula Research
Lab in OSLO.
We defined the unit of this study as a completed software development project, and
its OTS-relevant properties. The projects were selected based on two criteria:
51
Research methods
To avoid bias in the data collection procedure, we made a guideline about how to
contact respondents before the survey started. All countries – Norway, Italy, and
Germany – followed the process in the guideline. Possible respondents were contacted
first by telephone. If the candidate respondents had suitable OTS-based projects and
would like to join our study, a username and password of the survey tool and an electric
version of the questionnaire were sent to them. The respondents could use either the
SESE web tool or the electronic version to fill in the questionnaire. The respondents
who did not want to answer the questionnaire were also registered. We logged the main
reasons of non-response, such as “no software development”, “no OTS-based projects”,
and “busy”. Most respondents used the Web tool to fill in the questionnaire. However,
phone interviews were used in Germany because of the confidentiality concern in some
companies [Conradi05a].
- First, we would like to report our results by giving guidelines on how to improve
processes and manage risks in OTS-based development.
- As most data of this study show only state-of-the-practice, we do not know
possible cause-effect relationships of our conclusions. We therefore had one hour
discussion as the second part of the seminar to get feedback from the participants.
52
Research methods
whole discussion section has been tape recorded. The data analysis was performed by
listening to the tape afterwards.
To avoid the possible threats to validity in the studies in this thesis, we performed
different methods. For example, in the pre-study (see Paper P2 [Li06a] in Appendix A)
and the main study (see papers P3 [Li05a], P4 [Li06b], P5 [Li06c], and P6 [Li06d] in
Appendix A), we did several rounds of pre-tests of the interview guide and the
questionnaire. These pre-tests helped to decrease the possible construct validity threats.
In the main study, we used random sample selection strategy to decrease the threats to
the external validity. Detailed information on the validity issue of the studies reported in
this thesis can be found in the “possible threats to validity” sections in Papers from P1
to P8 in Appendix A.
53
Research methods
54
Results
6 Results
This chapter summarizes and interprets the collected data for research questions RQ1 to
RQ4. Our lessons learned from performing the main study, i.e., the international survey,
are described at the end.
55
Results
Generally, we selected only one project from a company. However, we selected two
projects in three companies because these projects differed largely in project members,
development process, and COTS components used. Detailed background information
about the 16 projects is given in Table 2 of Paper P2 [Li06a] in Appendix A.
We had one respondent from each project. Three respondents are IT managers, 4 are
project managers, 5 are software architects, 3 are software developers, and 1 is a
software development researcher. Nine of them have more than 10 years of software
development experience, and 12 of them have more than 4 years of working experience
with COTS-based development. Eight of them have a master’s degree, and the rest have
a bachelor’s degree. Twelve of them have a principal degree in informatics or computer
science.
Some projects used one or two COTS components, others used more. Because of
time limitations, we asked the respondents to select no more than three typical COTS
components which were used in their projects. Totally, we gathered information about
30 different COTS components in 16 projects. Some typical COTS components are
listed in Table 3 of Paper P2 [Li06a] in Appendix A.
56
Results
The final systems produced by the 133 projects cover different application domains
as shown in Figure 6-3.
In the selected 133 projects, 83 used only COTS components, 44 used only OSS
components, and six used both COTS and OSS components. For the 44 projects using
only OSS components, each of them gave detailed information of an OSS component.
For the 83 projects using only COTS components, each of them gave detailed
information of a COTS component. For the six projects using both COTS and OSS
components, the respondents selected to give detailed information of five COTS
components and one OSS component.
Most respondents of the 133 projects have a solid IT background. More than 90% of
them are IT managers, project managers, or software architects. Most of them have
more than 2 years of experience with OTS-based development. All of them have at least
a bachelor’s degree in informatics, computer science, or telecommunications.
57
Results
medium-sized (with 20-99 employees) and 20% came from small-sized companies (less
than 20 employees).
- RQ1.3: Does the value of component repository increase with more reusable
components available?
Seventy-one percent of the respondents in Mogul and EDB regard
constructing a component repository as worthwhile, against 57% in Ericsson.
The result of correlation between the reuse level and the value of the repository,
using one-tailed Spearman Rank Correlation Coefficient analysis, is -.124, and
significance is .297. It shows that there is no obvious relationship between them.
- RQ1.4: How can a component user acquire sufficient information about relevant
components?
Sixty-seven percent of the respondents think the component structure is well
understood, 61% say that the component interfaces are understood, and 63%
regard the design rules of components are also well understood. However, no
one considers that the design/code of components is well documented. Eighty-
58
Results
- RQ2.1: What was the actual process used in the projects using COTS
components?
Results show that the main development processes of the studied projects can
be grouped into three categories: pure waterfall, waterfall mixed with
prototyping, and incremental mixed with prototyping. Five projects used
waterfall. One used waterfall mixed with a little prototyping (a small prototype
was used for discussing requirements of the Graphical User Interface, i.e., GUI,
part of the system). Ten projects used incremental mixed with some prototyping.
None of the respondents claimed that they selected the main development process
based on whether or not they intended to use COTS components. That is, they
decided the main process before they started to think about using COTS
components or not. They just added or changed some activities and roles in their
traditional process to reflect the use of COTS components.
Therefore, the answer to research question RQ2.1 is: The so-called COTS-
based development process is the customization of the traditional development
process due to the use of COTS components.
59
Results
The commonalities are that new activities were added and possible one new
role was added. The added new activities include make vs. acquire decision,
COTS component selection, learn and understand the COTS components, and
building glueware and addware. The possible added new role is: a COTS
component knowledge keeper. One or more project members had some previous
experience with selection and integration of the actual COTS components in ten
of our studied projects. They provided suggestions on COTS component
selection and integration. Although some of them were not dedicated to work as a
COTS component knowledge keeper, their previous experience improved the
speed and quality of COTS component selection and integration.
One variation in the customization of main development processes deals with
the phase to make the make vs. acquire decision and COTS component selection.
Another variation is the COTS component selection and evaluation process. The
selection process in our studied projects can be summarized into two categories,
i.e., familiarity-based selection process and Internet search, hands-on trial-based
selection process.
Therefore, the answer to research question RQ2.2 is: There are some common
new activities and one new role is added in COTS-based development processes.
The possible variations are when and how to perform these new activities.
60
Results
- RQ2.4: Was the actual development process decided before the make vs. acquire
decision or after the make vs. acquire decision.
The results show that 75% projects decided their main development processes
before they started to think about using OTS-components
- RQ2.6: What was the actual selection process used to select one of the OTS
components (we asked for information about the component, named Comp. 1,
that provides the most functionalities)?
We listed six possible selection activities as named a) to f) in the
questionnaire:
The results are summarized in Figure 6-5 and show that activities a, c, e, and
f were those mainly used. Thus, the familiarity-based selection process (activity
c) and the Internet search, trial-based selection process (activity a, e and f) from
the pre-study (see paper P2 [Li06a] in Appendix A) are proved to be more
popular than a formal processes (activity d) in general. However, the further
analysis with Chi-square shows that there are significant differences of the
activities b and c between countries. In Norway and Italy, very few projects used
the activity b. However, activity b was popular in Germany. In addition, almost
all German projects performed activity c, while it was used only in half of the
projects in Norway and Italy.
61
Results
- RQ2.8: What was the relationship between the selection phase and the project
context, such as the familiarities with the Comp. 1 and the importance of the
Comp. 1?
The results reveal that the selection phase was weakly (with Spearman
correlation coefficient value -.356) correlated with the project members’
familiarity with it. It means that the project members preferred to decide the
familiar OTS components in the early stage of the project. However, there is no
62
Results
In addition to answer the sub-questions RQ2.1 to RQ2.8, the pre-study (see paper P2
[Li06a] in Appendix A) and the main study (see paper P3 [Li05a] in Appendix A)
verified six newly published theses [Torchiano04] in OTS component-based
development. The results are summarized as following. Detailed information can be
found in Section 5 of Paper P3 [Li05a] in Appendix A.
We support T1. We have asked the respondents to answer whether they have
read or changed the source code of the component. We used a five-point Likert
scale to measure the answer. Respondents were asked to answer “very little”,
“little”, “some”, “much”, “very much”, or “don’t know”. The results show that
the median value of reading OSS code is 3 (meaning “some”). However, the
source code has seldom been changed as the median value of changing the OSS
code is 2 (meaning “little”). Further analysis discovered that 46% of the
respondents claimed that they modified “very little” parts of the source code in
OSS components. In addition, 29 (out of 88) selected COTS components
provided source code to their users.
- Thesis T2: Integration problems result from lack of compliance with standards.
Architecture mismatches constitute a secondary issue.
We are against T2. For the selected 88 COTS components, only 4.5% of the
COTS components had standard mismatches, compared with 28.4% COTS
components having architecture mismatches.
We support T3. Glueware was needed for 32.9% of the selected COTS
components and addware was needed for 65.9% of the selected COTS
components.
- Thesis T4: Developers seldom use formal selection procedures. Familiarity with
either the product or the generic architecture is the leading factor in selection.
We support T4. Formal procedures were only used in evaluating 19% of the
selected COTS components.
63
Results
0
N = 82
A RC H. VS . F U NC .
We support T6. Sixty percent of the selected COTS components have been
changed by vendors according to integrators’ requirements.
In the follow-up study (see paper P5 [Li05d] in Appendix A), we investigated the
cause-effect reason of the phenomena discovered from the previous studies. The results
are summarized in Table 6-1.
64
Results
- RQ3.1: What are process scenarios (variations) of the projects using COTS
components successfully and not successfully? What are possible problems and
good practices in different process scenarios?
The results of the risk management in the pre-study are the 11 problems
encountered (PEs) and the 12 good practices (GPs). One example of the
problems encountered is that the integration effort was under-estimated. An
example of the good practice is that the integration testing was done
incrementally. Details of these PEs and GPs are shown in Section 5.3 of Paper
P2 [Li06a] in Appendix A.
65
Results
R_
R_
R_
R_
R_
R_
R_
R_
R_
R_
R_
R_
R_
Pr
Co
Co
M
Co
Se
M
Co
In
Co
Co
Re
De
tE
ov
iss
ain
lE
qR
m
m
m
m
fL
ff
In
ff
Up
Se
Su
Ad
Co
Re
Pe
tP
oc
en
f
c
lan
rf
pp
l
d
a
66
Results
2
Rm
Rm
Rm
Rm
Rm
Rm
Rm
Rm
Rm
Rm
Rm
_S
_I
_C
_L
_M
_B
_C
_S
_U
_U
_P
nc
elQ
elA
ro
ea
stS
BE
stM
pd
nf
ktW
Te
vW
rn
Fi
Fo
el
ff
ua
rch
kB
st
Ef
rst
tch
ll
tch
l
f
uy
67
Results
In the follow-up study (see paper P7 [Li05b] in Appendix A), we investigated two
risk management issues, i.e., the customer involvement and knowledge management.
The details are shown in Table 6-3.
68
Results
- RQ4.1: What are the commonalities and differences in profiles of projects using
COTS components vs. those using OSS components?
The results in Figure 6-10 and 6-11 illustrate that there are no significant
differences of the project profiles between COTS and OSS-based projects. The
most emphasized requirements of the final systems were time-to-market,
reliability, and performance. Security was surprisingly listed as the least
emphasized requirement of the system.
69
Results
70
Results
For the specific expectations, results in Figure 6-14 show that COTS users
believe that paid software will give good reliability and will follow the market
trend. They also believe that the COTS vendor will provide good technical
support. On the other hand, results in Figure 6-15 show that OSS components
pay more attention to the free and available source code.
71
Results
- RQ4.3: What are the commonalities and differences in possible risks (problems)
of projects using COTS components vs. those using OSS components?
We compared the occurrences of typical risks in Table 5-4 (see Section 5.3.3)
in COTS vs. OSS projects. Results are shown in Figures 6-16 and 6-17, and
illustrate that COTS users had significantly more difficulties in R1 (R_SelEff),
i.e., estimating the component selection effort and R6 (R_ComAda), i.e.,
following requirement changes.
72
Results
- For all countries, there were problems in classifying large and perhaps
international ICT corporations, with many subsidiary companies and divisions.
73
Results
The second reflection from the main study is about the questionnaire design. A pre-
study often clarifies both research questions and concrete questions in a later
questionnaire.
The third reflection is about contacting the companies. Through a list of potential
companies, we had to find a contact person in each company. For convenience samples,
there are few problems in getting hold of a potential respondent, as we often have
personal and professional ties from earlier, joint activities. But for a large corporation,
from a census or member list and with thousands of employees, it can be very
frustrating to try to locate a quality manager, development/project manager, or just an
“IT responsible”. The final struggle is to convince a possible respondent over the phone
to use his/her time and effort to fill in a questionnaire, sent by email. The results show
that random sampling and the ensuing contact process appears to be much more
expensive (5 times?) than convenience sampling. In our case, this is because we got
stuck with no previous contact person, and scant pre-knowledge and “goodwill” from
such companies, especially the large ones.
74
Evaluation and discussion
75
Evaluation and discussion
76
Evaluation and discussion
in Appendix A). Our contributions can be used to help project managers to decide how
to improve the whole life cycle of the OTS-based projects and how to select the OTS
components based on the project contexts.
In scenarios 1 to 3 (see Figure 7-1), project members prefer to evaluate the possibility of
using OTS components right from the start. Due to time-to-market, cost, or capacity
issues, project managers realize that it is difficult, impossible, or not cost-effective to
make everything from scratch. In these scenarios, the first step is to do a make vs.
acquire decision (see step A in Figure 7-1). In case project members decide not to use
OTS components, the development process will be the same as the non-COTS based
development. If project members decide to use OTS components, they then need to
choose the main development process (see step B in Figure 7-1). To decide the main
development process, main issues are the traditional risks in a project, such as the
stability of the requirements. One of the other issues is their familiarity with possible
OTS candidates. According to the project members’ familiarity with the OTS candidates,
we define three scenarios as scenarios 1 to 3:
77
Evaluation and discussion
have never used before. In order to decide the main development process, the
issues are similar with those of scenario 1.
- Scenario 3 – planned OTS-based project with familiar OTS candidates: In this
scenario, the project members are familiar with all possible candidate
components. When deciding the main development process the OTS relevant
risks are not as critical as in scenarios 1 or 2. Other non-OTS relevant factors,
such as company rules or requirement flexibility may be used to decide the main
development process. In this scenario, the main development process can be any,
such as waterfall, incremental, or XP. It may not need to be changed because the
project members are very familiar with the OTS component candidates.
In scenarios 4 to 6 (see Figure 7-2), there is no clear intention of using OTS components
in the early phases of such a project. Project members decide on the main development
process according to some non-OTS relevant factors, such as company rules and
requirement stability. Due to the time-to-market pressure or internal capability, project
members start to evaluate the possibility of using OTS components at certain stages of
the project. At our follow-up study (see Paper P7 [Li05b] in Appendix A), several
78
Evaluation and discussion
79
Evaluation and discussion
80
Evaluation and discussion
81
Evaluation and discussion
common error in OTS-based development is the overly optimistic OTS learning curve
and propose that a most likely OTS learning curve must be accounted for during
planning and scheduling. Initially, the OTS component’s functional capability must be
well understood, which can be a daunting task because there may be a significant
amount of functionality to learn and that functionality might involve new technologies
to the team. Also, there is more to learn than just the functionality. The methods of
integration that the OTS component employs must be understood sufficiently to ensure
that the integration can be succeeded into the current architecture. Since the intention of
using OTS components is to shorten time-to-market and to save development cost, OTS
component users are eager to acquire the components and to integrate them as soon as
possible without understanding them thoroughly. Rose [Rose03] pointed out that
developers are usually working with one or more OTS components for which they most
likely have only a partial understanding. To improve the estimation on the OTS
integration effort, the proposed activity is to use OTS-sensitive analytical and budget
processes [Rose03], [FAA03], such as COCOTS [Abts00]. In our study, we did not
investigate the effect of using COCOTS because our pre-study (see Paper P2 [Li06a] in
Appendix A) did not find any companies using it. Therefore, we did not investigate this
activity because we wondered whether this activity has been popularly used in industry.
Although the results shown in Figure 6-9 reveal that the risk management activity Rm5
(i.e., effort in learning OTS component was seriously considered in effort estimation)
has been widely used, we still wonder whether there are good tools to help the project
managers to estimate the learning effort precisely.
82
Evaluation and discussion
infrastructure [FAA03]. Our results of RQ3.4 (see Section 6.2.3) did not show a strong
effect from these activities. A possible reason is that most OTS components investigated
in our studies followed the industrial standards or infrastructures - such as COM,
CORBA, .Net, and EJB - by default. The possible quality problems caused by the
architecture mismatch itself are therefore minimized.
83
Evaluation and discussion
84
Evaluation and discussion
Since the knowledge keepers know the current component version being used, it is
possible for them to evaluate the new versions and to figure out the benefits and risks of
updating the current version with the newer one. The personal capability and experience
remain the dominant factors influencing OTS-based development [Basili01]. Therefore,
it is important to involve OTS- knowledgeable individuals in all analytical processes
[FAA03].
However, planning maintenance of an OTS component-based system is very difficult
because the OTS component users have no control of the release cycle of the OTS
components being used. Since the release cycle of the OTS component depends on the
marketing strategy of the component vendors, the component users usually have no idea
when the new release of the OTS component will be published. Our investigated risk
management activities focus on the activities that can be controlled by the component
users. Such risk management activities did not show effectiveness to mitigate the
maintenance plan risk.
85
Evaluation and discussion
86
Evaluation and discussion
component selection effort. The possible reason is that it is not easy or cost-effective for
COTS users to switch to another COTS component once they have made the decision
and paid for some selected components. Therefore, COTS users might be more cautious
in selecting the right COTS component and spend more effort than estimated on
selecting the best one. COTS users have also more difficulties on following the
requirements changes. It might be because the source code is not available and it is
therefore difficult to change the source code of the COTS component.
Although OSS users did not have a commercial support contract with OSS
component providers, results of RQ4.3 (see Section 6.2.4) show that they were not less
satisfied by the technical support than COTS users. The possible interpretation is that
OSS users would like to read and change the code themselves, instead of asking for
help, as we found in the key motivations of using OSS.
87
Evaluation and discussion
attitude on reuse in three IT companies. Some threats to validity of this study and how
these are handled are as following:
• Internal validity. A major threat to internal validity is that we have not assessed
the reliability of our measurement. Most variables are measured on a subjective
ordinal scale. An important issue for future studies is to ensure the reliability and
validity of all measurement. In this survey, we gave clearly specified concepts in
the questionnaire and provided support to possible misunderstanding. These
methods increased the reliability.
• Construct validity. In our case, the main construct issue applies to the variables
chosen to characterize the data set. The independent variable, i.e., reuse level, is
the most sensitive one. We asked several questions in the questionnaire to
evaluate this variable. The results of these questions give a consistent value on
this variable.
• External validity. The small sample size and lack of randomness in the choice of
companies and respondents are threats to external validity.
• Conclusion validity. Although we used some statistical methods to analyse
results of this study. This study is still an explorative study. Future studies will
be implemented to give more statistically significant results.
88
Evaluation and discussion
that have been performed before the project start because we asked only salient
process changes within the studied projects.
• Construct validity. In this study, most variables are taken directly, or with little
modification, from the existing literature. To ensure construct validity, we did
two rounds of pre-tests on the interview guide in ten local IT companies. About
10% of the questions and alternatives in the interview guide were revised based
on the feedback from the pre-test. In addition we used three meta-questions to
evaluate whether the questions in the interview guide were understood
consistently. Answers of these meta-questions illustrate that the questions are
easy-to-understand and reliable. In the data analysis part, we divided the projects
into successful and unsuccessful projects. The criterion to define a successful
project is that the integrated COTS components should contribute positively
both to time-to-market and to the quality of the final system. However, this
criterion may not apply for all kinds of projects as some projects might emphasis
only time-to-market, and others might emphasis only quality.
• External validity. The primary threat to external validity is that the study is
based on few and possibly not typical companies in Norway. According to
Norwegian “Census Bureau” (SSB) [SSB02], the mean value of employee
number in Norwegian IT companies is 6. The first possible external validity
threat to this study is that our selected companies are mostly medium and large
sized. However, the selected projects covered several application domains. The
second possible threat to external validity is that the size (based on person-
hours) of the projects might bias the conclusions from this study. We have
divided the projects into three groups: small (less than 10,000 person-hours),
medium (between 10,000 and 100,000 person-hours), and large (more than
100,000 person-hours). We found out that the actual process used, the problems
encountered, and the good practice crossed small, medium, and large projects.
The third possible threat to external validity is that most COTS components are
well-defined and provided only secondary (support) functionality of the
delivered system. The process customizations may be different if the COTS
components are intended as the core part of the system, or the COTS
components are large packages, such as ERP and content management systems.
• Conclusion validity. This study is a qualitative study without statistical analysis.
The conclusions of this study are descriptive and may need further refinement
and verification.
89
Evaluation and discussion
their experience and wanted to learn from others. In general, we think that the
respondents answered the questionnaire truthfully. However, different people in
the same project might have different opinions on the same project. Asking only
one person in each project might not be able to get the whole picture of the
project. Due to length limitation of a questionnaire, we asked the respondent to
fill in information about only one component in the project. The possible threat
is that other OTS components in the same project might give different answers
to our questions.
• Construct validity. In this study, most variables and alternatives are taken
directly, or with little modification, from existing literature. The questionnaire
was pre-tested using a paper version by 10 internal experts and 8 industrial
respondents before being published on the SESE tool [Sese04]. About 15% of
the questions have been revised based on pre-test results. One possible threat to
construct validity is that respondents from different companies may have slightly
different understanding of the same concept, such as software architecture and
architectural mismatches.
• External validity. We used different randomization methods to select samples in
different countries. However, the sample selection processes were not exactly
the same due to resource limitations. Another possible threat to external validity
is that our study focused on OTS components followed the definition in Section
2.6. Conclusions may be different in projects using complex and large OTS
packages, such as ERP, content management systems, and web services in
general.
• Conclusion validity. This study is a state-of-the-practice one. We studied what
had happened in industrial projects. The same size of this study is generally
enough for statistical methods used to analyse the result. However, we generally
treat the data from three countries the same. The cultural differences between
three countries might affect the reliability of the conclusions.
7.6 Summary
In this chapter, we have illustrated our contributions to each research questions. We
compared our results with the state-of-the-art and gave some suggestions on process
improvement, risk management, and decision-making in OTS component-based
development. Due to possible threats to validity of each study, the conclusions of each
study should be interpreted considering these validity issues
90
Conclusions and future work
This thesis has presented the results of several empirical studies performed to
investigate project management issues of OTS component-based development. The
studies included several steps with mixed-method research design to take benefit of
different empirical methods and answer the research questions reliably.
8.1 Conclusions
Empirical research can be performed to verify theories, develop new theories or extend
existing ones, and improve practice. The thesis contributes to all these aspects by
describing difference aspects of reusing components, i.e., the power of example
[Parastoo04]; verifying existing theories and assessing existing method, i.e., the power
of replication; generating new theories, hypotheses, or methods, i.e., the power of
generalization.
91
Conclusions and future work
developers still need to spend a lot of effort on testing, as they cannot get relevant
information from the component specifications.
- We support T1 (i.e., open source software is often used as closed source) and
conclude that source code of OSS components was read frequently with very
few modifications. OSS components were de facto used as COTS components,
even if the source code was available.
- We support T3 (i.e., custom code mainly provides additional functionalities.).
We conclude that more addware had been built than glueware in the COTS
components integration.
- We support T4 (i.e., developers seldom use formal selection procedures.
Familiarity with either the product or the generic architecture is the leading
factor in selection.) We conclude that formal selection procedures were seldom
used to select COTS components. Familiarity-based and hands-on experiment-
based selection process were frequently used in practice.
- We support T6 (i.e., integrators tend to influence the vendor on product
evolution whenever possible). We conclude that, in most cases, COTS users
managed to get their required changes in the COTS components from COTS
vendors.
- We are against T2 (i.e., integration problems result from lack of compliance
with standards. Architecture mismatches constitute a secondary issue). We
conclude that there were more architectural mismatches than standard
mismatches in practice.
- We are against T5 (i.e., architecture is more important than requirements for
product selection). We conclude that functionality completeness was regarded to
be more important than architectural compliance in COTS component selection.
- The actual OTS-based development process was the traditional process with
OTS-specific activities. The development process was dominated by existing
company/department rule instead of the decision of using OTS components.
- The actual OTS component selection can be done in different phases. The main
evaluation processes are familiarity-based or hands-on-trial-based. The phase to
select OTS component depends on the project members’ familiarity.
- The proposed software development process and OTS component selection
process need further investigation to be suited to different project contexts.
We have also investigated the proposed risks and risk management theories in OTS
component-based development. The main findings are:
92
Conclusions and future work
- The most frequent problems in OTS-based projects are wrong estimation of the
integration effort and the difficulty to locate defects. The least frequent problems
are relevant to the negative effect of the OTS components on the quality of the
whole system.
- To increase the accuracy of effort estimation, it is important to allocate enough
time to learning and understanding the OTS components.
- To avoid the possible quality problems and to increase the efficiency of locating
the defects, it is important to do black-box testing as part of OTS component
selection and to do integration testing as early as possible.
- To mitigate the problems due to customers’ requirements changes, it is
important to learn the OTS components thoroughly in the selection phases and to
integrate the unfamiliar OTS components first. It is also important to be able to
negotiate changed requirements with the customers.
- To increase the efficiency of debugging and system deployment, it is necessary
to understand the components well and to do integration testing early.
- It is critical to keep and share the knowledge about OTS components and the
component providers inside the organization. It shows to help mitigate the
possible risks in system maintenance and evolution.
93
Conclusions and future work
94
References
References
[Abts00] Abts, C., Boehm, B. W., and Clark, E. B.: COCOTS: A COTS Software
Integration Cost Model - Model Overview and Preliminary Data Findings. Proc. of
the 11th European Software Control and Metrics Conference (ESCOM-SCOPE
2000), Apr. 2000, Munich, Germany, Shaker Publ., pp. 325-334.
[Albert02] Albert, C. and Brownsword L.: Evolutionary Process for Integrating COTS-
Based System (EPIC): An Overview. SEI, Pittsburgh, 2002, available at:
http://www.sei.cmu.edu/publications/documents/02.reports/02tr009.html.
[Alves03] Alves, C. and Fineklstein, A.: Investigating Conflicts in COTS Decision-
Making. Journal of Software Engineering and Knowledge Engineering, 13 (5): 473-
493, Oct. 2003.
[Atkinson02] Atkinson, C., Bayer, J., Bunse, C., Kamsties, E., Laitenberger, O., Laqua,
R., Muthig, D., Paech, B., Wüst, J., and Zettel, J.: Component-based Product Line
Engineering with UML. Addison-Wesley, 2002.
[Babbie90] Babbie, E.: Survey Research Methods. Wadsworth, 1990.
[Bachmann00] Bachmann, F., Bass, L., Buhman, C., Comella-Dorda, S., Long, F.,
Robert, J., Seacord, R., and Wallnau, K.: Volume II: Technical Concepts of
Component-Based Software Engineering. SEI Technical Report number CMU/SEI-
2000-TR-008, 2000, available at: http://www.sei.cmu.edu/
[Barki93] Barki, H., Rivard, S., and Talbot, J.: Toward an Assessment of Software
Development Risk. Journal of Management Information Technology, 22 (2): 359-
371, Dec. 1993.
[Basili86] Basili, V. R., Selby, R. W., and Hutchens, D. H.: Experimentation in
Software Engineering. IEEE Transaction on Software Engineering, 12 (7): 733-743,
July 1986.
[Basili01] Basili, V. R. and Boehm, B. W.: COTS-Based Systems Top 10 List. IEEE
Computer, 34 (5): 91-93, May 2001.
[Basili02] Basili V. R., Lindvall M., Rus I., Seaman C., and Boehm B.: Lessons-
Learned Repository for COTS-Based SW Development. Software Technology
Newsletter, 5 (3): 4-7, Sept. 2002, available at: http://fc-md.umd.edu/ll/index.asp
[Baskerville03] Baskerville, R., Ramesh, B., Levine, L., Pries-Heje, J., and Slaughter,
S.: Is Internet-Speed Software Development Different? IEEE Software, 20 (6): 70-
77, Nov./Dec. 2003.
[Bass00] Bass, L., Buhman, C., Comella-Dorda, S., Long, F., Robert, J., Seacord, R.,
and Wallnau, K: Volume I: Market Assessment of Component-based Software
Engineering. SEI Technical Report number CMU/SEI-2001-TN-007, available at:
http://www.sei.cmu.edu/
[Boehm88] Boehm, B. W.: A Spiral Model of Software Development and
Enhancement. IEEE Computer, 21 (5): 61-72, May 1988.
[Boehm89a] Boehm, B. W.: Software Risk Management, Tutorial, IEEE CS Press,
1989.
95
References
96
References
[Componentsource04] http://www.componentsource.com
[Conradi05a] [P8]Conradi, R., Li, J., Slyngstad, O. P. N., Bunse, C., Torchiano, M.
and Morisio, M.: Reflections on conducting an international CBSE survey in ICT
industry. Proc. of the 4th International Symposium on Empirical Software
Engineering (ISESE 2005), Nov. 2005, Noosa Heads, Australia, IEEE Press, pp.
214-223.
[Conradi05b] [AP3] Reidar Conradi and Jingyue Li: Observations on Versioning of
Off-the-Shelf Components in Industrial Projects (short paper). Proc. of the 12th
International Workshop on Software Configuration Management (co-located with
the ESEC/FSE 2005), Sept. 2005, Lisbon, Portugal, pp. 33-42, ACM Digital
Library.
[Cooper03] Cooper, D. R. and Schindler, P. S.: Business Research Methods. 8th
Edition, McGraw-Hill Press, 2003.
[Corra02] Corra, M. and Willer, D.: The Gatekeeper. Sociological Theory, 20 (2): 180-
207, July 2002.
[Creswell94] Creswell, J.W.: Research Design, Qualitative and Quantitative
Approaches. Sage Publications, 1994.
[Creswell03] Creswell, J.W.: Research Design, Qualitative, Quantitative, and Mixed
Methods Approaches. 2nd edition, Sage Publications, 2003.
[Crnkovic01] Crnkovic, I. and Larsson, M.: A Case Study: Demands on Component-
based Development. Proc. of the 22nd International Conference on Software
Engineering, June 2000, Limerick, Ireland, pp. 21-31.
[Crnkovic02] Crnkovic, I., Larsson, M.: Building Reliable Component-Based System.
Artech House, 2002.
[Denzin94] Denzin, N. K. and Lincoln, Y. S.: Handbook of Qualitative Research, Sage
Publications, London, UK 1994.
[Eisenhardt89] Eisenhardt, K.M.: Building Theories from Case Study Research.
Academy of Management Review, 14 (4): 532-550, 1989.
[Endres03] Endres, A. and Rombach, D.: A Handbook of Software and Systems
Engineering, Empirical Observations, Laws, and Theories. Addison-Wesley
Professional, 2003.
[FAA03] COTS risk factor, available at:
http://www.faa.gov/aua/resources/cots/Guide/CRMG.htm, 2003.
[FAMILIES03] FAMILIES project, available at:
http://www.esi.es/en/Projects/Families, 2003.
[Feller02] Feller, J. and Fitzgerald, B.: Understanding Open Source Software
Development. Addison-Wesley, 2002.
[Fenton97] Fenton, N. and Pfleeger, S.L.: Software Metrics: A Rigorous and Practical
Approach. International Thomson Computer Press, 2nd edition, 1997.
[Finkelstein00] Finkelstein, A. and Kramer, J.: Software Engineering: a Road Map.
Proc. of the 22nd International Conference on Software Engineering, Future of
Software Engineering Track, June 2000, Limerick Ireland, pp. 3-22.
97
References
[Fitzgerald04] Fitzgerald, B.: A Critical Look at Open Source. IEEE Computer, 37 (7):
92-94, July 2004.
[Frakes95] Frakes, W.B. and Fox, C.J.: Sixteen Questions about Software Reuse.
Communications of the ACM, 38 (6): 75-78, June 1995.
[Freesoftware05] www.gnu.org, 2005.
[Fox97] Fox, G., Lantner, K., and Marcom, S.: A Software Development Process for
COTS-based Information System Infrastructure. Proc. of the 5th International
Symposium on Assessment of Software Tools (SAST '97), June, 1997, Pittsburgh,
PA, USA, pp. 133-142.
[Fowler01] Fowler. F. J., Jr.: Survey Research Methods (Applied Social Research
Methods). 3rd edition, Sage Publications, 2001.
[Fuggetta00] Fuggetta, A.: Software Process: A Roadmap. Proc. of the 22nd
International Conference on Software Engineering, Future of Software Engineering
Track, June 2000, Limerick Ireland, pp. 25-34.
[Gemmer97] Gemmer, A.: Risk Management: Moving Beyond Process. IEEE
Computer, 30 (5): 33-41, May, 1997.
[Ghosh02] Ghosh, S.: Improving Current Component-Based Development Techniques
for Successful Component-Based Software Development. Proc. of International
Conference on Software Reuse (ICSR7), Workshop on Component-based Software
Development Processes, 2002, available at: http://www.idt.mdh.se/CBprocesses/
[Giacomo05] Giacomo, P. D.: COTS and Open Source Software Components: Are
They Really Different on the Battlefield? Proc. of the 4th International Conference
on COTS-Based Software Systems, Feb. 2005, Bilbo, Spain, Springer, LNCS Vol.
3412, pp. 301-310.
[Gifi90] Gifi, A.: Nonlinear Multivariate Analysis, John Wiley & Sons, 1990.
[Glaser67] Glaser, B.G. and Strauss, A. L.: The Discovery of Grounded Theory:
Strategies for Qualitative Research. Aldine Publishing, 1967.
[Glass01] Glass, R. L.: Frequently Forgotten Fundamental Facts about Software
Engineering, IEEE Software, 18 (3): 110-112, May/June, 2001.
[Griss93] Griss, M.L.: Software Reuse: From Library to Factory. IBM Systems Journal,
32 (4): 548-566, Nov./Dec. 1993.
[Griss95] Griss, M.L. and Wosser, M.: Making Reuse Work in Hewlett-Packard. IEEE
Software, 12 (1): 105-107, Jan. 1995.
[Hall98] Hall, E.: Managing Risk: Methods for Software Systems Development.
Readings, MA: Addision-Wesley, 1998.
[Hecht04] Hecht, H.: Systems Reliability and Failure Prevention. Artech House
Publishers, 2003.
[Heineman01] Heineman, G.T. and Councill, W.T.: Component-Based Software
Engineering, Putting Pieces Together. Addison-Wesley, 2001.
98
References
99
References
100
References
101
References
[Morisio97] Morisio, M. and Tsoukias, A.: IusWare: a Methodology for the Evaluation
and Selection of Software Products. IEE Proceedings – Software Engineering, 144
(3): 162-174, Mar. 1997.
[Morisio00] Morisio, M., Seaman, S., Parra, A., Basili, V., Kraft, S., and Condon, S.:
Investigating and Improving a COTS-Based Software Development Process, Proc.
of the 22nd International Conference on Software Engineering, June 200, Limerick,
Ireland, pp. 31-40.
[Morisio02a] Morisio, M. and Torchiano, M.: Definition and Classification of COTS: a
Proposal. Proc. of the 1st International Conference on COTS-Based Software
Systems (ICCBSS’02), Orlando, FL, USA, Springer, LNCS VOL. 2255, pp. 165-
175.
[Morisio02b] Morisio, M., Ezran, M., and Tully, C.: Success and Failures in Software
Reuse. IEEE Transactions on Software Engineering, 28 (4): 340-357, April 2002.
[Moynihan97] Moynihan, T.: How Experienced Project Managers Assess Risk. IEEE
Software, 14 (3): 35-41, May/June 1997.
[NAICS04] NAICS Code, Available at:
http://www.revenue.state.ne.us/tax/current/buscodes.pdf, 2004
[Ncube02] Ncube, C. and Dean, J. C.: The Limitation of Current Decision-Making
Techniques in the Procurement of COTS Software Components. Proc. of the 1st
International Conference on COTS-Based Software Systems (ICCBSS’02), Orlando,
FL, USA, Springer, LNCS VOL. 2255, pp. 176-187.
[Netcraft05] Netcraft’s survey available at:
http://news.netcraft.com/archives/2005/01/01/january_2005_web_server_survey.ht
m
[Oberndorf97] Oberndorf, T.: COTS and Open Systems - An Overview. 1997,
available at: http://www.sei.cmu.edu/str/descriptions/cots.html#ndi
[Ochs01] Ochs, M., Pfahl, D., Diening, G. C., and Kolb, B. N.: A Method for Efficient
Measurement-based COTS Assessment and Selection - Method Description and
Evaluation Results. Proc. of the 7th IEEE International Software Metrics
Symposium, Apr. 2001, London, England, IEEE Press, pp. 285-297.
[OSS04] Open Source Initiative, 2004, available at:
http://www.opensource.org/index.php
[Ould99] Ould, M. A.: Managing Software Quality and Business Risk. John Wiley &
Sons, 1999.
[Paulson04] Paulson, J.W., Succi, G. and Eberlein, A.: An Empirical Study of Open-
Source and Closed-Source Software Products. IEEE Transactions on Software
Engineering, Vol. 30, No. 4, Apr. 2004, pp. 246-256.
[Parastoo04] Mohagheghi, P.: The Impact of Software Reuse and Incremental
Development on the Quality of Large Systems. PhD thesis, ISBN: 82-471-6408-6.
[Pfleeger94] Pfleeger, S.: Experimental Design and Analysis in Software Engineering
Part 1-5. ACM SIGSOFT Software Engineering Notes, 19 (4):16-20; 20 (1):22-26;
20 (2):14-16; 20 (3):13-15; and 20 (4):14-17, 1994-1995.
102
References
[Raymond99] Raymond, E. S. The Cathedral and the Bazaar: Musings on Linux and
Open Source by an Accidental Revolutionary. O’Reilly, 1999.
[Robson02] Robson, C.: Real World Research: A Resource for Social Scientists and
Practitioner-researchers (Regional Surveys of the World), 2nd edition, Blackwell
Publishers, 2002.
[Ropponen00] Ropponen, J. and Lyytinen, K.: Components of Software Development
Risk: How to Address Them? A Project Manager Survey. IEEE Transactions of
Software Engineering, 26 (2): 98-112, Feb. 2000.
[Rose03] Rose, L. C.: Risk Management of COTS Based System Development.
Component-based Software Quality, Springer LNCS 2693, 2003, pp. 352-373.
[Rothenberger03] Rothenberger, M. A., Dooley, K. J. and Kulkarni, U. R.: Strategies
for Software Reuse: A Principal Component Analysis of Reuse Practices. IEEE
Transactions on Software Engineering, 29 (9): 825-837, Sept. 2003.
[Royce87] Royce W. W.: Managing the Development of Large Software Systems:
Concepts and Techniques. Proc. of the 9th International Conference on Software
Engineering, Mar. 1987, Monterey, California, USA, pp. 328-338.
[Ruffin04] Ruffin, M. and Ebert, C.: Using Open Source Software in Product
Development: A Primer. IEEE Software, 21 (1): 82-86, January/February 2004.
[Saaty90] Saaty, T. L.: How to make a decision: The Analytic Hierarchy Process
(AHP). European Journal of Operational Research, 48 (1): 9-26, Jan. 1990.
[Sai03] Sai, V.: COTS Acquisition Evaluation Process: The Preacher’s Practice. Proc.
of the 2nd International Conference on COTS-Based Software Systems (ICCBSS
2003), Feb. 2003, Ottawa, Canada, Springer LNCS Vol. 2580, pp. 196-206.
[Seaman99] Seaman, C.B.: Qualitative Methods in Empirical Studies of Software
Engineering. IEEE Transactions on Software Engineering, 25 (4): 557-572, Apr.
1999.
[Sese04] SESE tool, available at: http://sese.simula.no, 2004.
[Sherer95] Sherer, S. A.: The Three dimensions of Software Risk: Technical,
Organizational, and Environmental. Proc. of the 28th Hawaii International
Conference on System Sciences, Maui, Hawaii, January, Jan. 1995, pp. 369-378.
[Sommerville04] Sommerville, I.: Software Engineering. 7th edition, Addison-Wesley,
2004.
[Spc01] Software Productivity Consortium: Phased-Integrated COTS Approach.
Technical Report SPC-2001006-CMC, available at:
http://www.software.org/pub/pic, 2001.
[SPIKE02] SPIKE project, available at:
http://www.idi.ntnu.no/grupper/su/spike.html, 2002.
[SPSS01] SPSS Categories 11.0, available at www.spss-sa.com, 2001.
[SSB02] Norwegian Census Bureau (SSB), Oslo, ICT company data 2002,
http://www.ssb.no/emner/10 /03/ikt/.
[Stanish95] The Stanish Group: http://www.stanishgroup.com/, 1995.
103
References
[Stewart05] Stewart, K. J., Ammeter, A. P., and Maruping, L. M.: Preliminary Analysis
of the Influences of Licensing and Organizational Sponsorship on Success in Open
Source Projects. Proc. of the 38th Hawaii International Conference on System
Sciences, Jan. 2005, Hawaii, USA, pp. 197c.
[Strauss98] Strauss, A. and Corbin, J. M.: Basics of Qualitative Research: Grounded
Theory Procedures and Techniques. 2nd edition, Sage Publications, 1998.
[Szyperski02] Szyperski, C., Gruntz, D., and Murer, S.: Component Software, Beyond
Object-Oriented Programming. Addison Wesley, 2nd edition, 2002.
[Taylor84] Taylor, S. J. and Bogdan, R.: Introduction to Qualitative Research Methods.
John Wiley&Sons, 1984.
[Torchiano04] Torchiano, M. and Morisio, M.: Overlooked Facts on COTS-Based
Development. IEEE Software, 21 (2): 88-93, Mar./Apr. 2004.
[Tran97a] Tran, V., Liu, D. B., and Hummel, B.: Component-Based Systems
Development: Challenges and Lessons Learned. Proc. of the 8th IEEE International
Workshop on Software Technology and Engineering Practice, Jul. 1997, London,
UK, pp. 452-462.
[Tran97b] Tran, V. Liu, D. B.: A Risk-Mitigating Model For the Development of
Reliable and Maintainable Large-Scale Commercial-Off-the-Shelf Integrated
Software Systems, Proc. of the Annual Reliability and Maintainability Symposium,
Philadelphia, PA, USA, Jan. 1997, pp. 361-387.
[Tran99] Tran, V.N. and Liu, D. B.: Application of CBSE to Projects with Evolving
Requirements- A Lesson-learned. Proc. of the 6th Asia-Pacific Software
Engineering Conference (APSEC’ 99), Dec. 1999, Takamatsu, Japan, pp. 28-37.
[Verner05] Verner, J. M. and Evanco, W. M.: In-House Software Development: What
Project Management Practices Lead to Success? IEEE Software, 22 (1): 86-93,
Jan./Feb. 2005.
[Vigder96] Vigder, M. Gentleman, M. and Dean, J.: COTS Software Integration: State
of the Art. Technical Report NRC No. 39190, 1996.
[Vigder97] Vidger, M. and Dean, J.: An Architectural Approach to Building Systems
from COTS Software Components. Proc. of the 1997 Center for Advanced Studies
Conference (CASCON 97), Toronto, Ontario, Nov. 1997, available at:
http://seg.iit.nrc.ca/English/abstracts/NRC40221abs.html
[Vitharana03] Vitharana, P.: Risks and Challenges of Component-Based Software
Development. Communications of the ACM, 46 (8): 67-72, Aug. 2003.
[V-Model05] German V-model: http://www.v-modell.iabg.de/#AU250, 2005.
[Voas98a] Voas, J.M.: Certifying Off-the-Shelf Software Components. IEEE
Computer, 31 (6): 53-59, June 1998, pp.
[Voas98b] Voas, J.M.: The Challenges of Using COTS Software in Component-Based
Development. IEEE Computer, 31 (6): 44-45, June 1998.
[Voas98c] Voas, J.: COTS Software – the Economical Choice? IEEE Software, 15 (2):
16-19, March/April 1998.
104
References
[Wallace04] Wallace, L., Keil, M.: Software Project Risks and Their Effect on
Outcomes, Communications of the ACM, 47 (4): 68-73, April 2004.
[Wohlin00] Wohlin, C., Runeseon, P., M. Höst, Ohlsson, M.C., Regnell, B., and
Wesslén, A.: Experimentation in Software Engineering. Kluwer Academic
Publications, 2000.
[Yin03] Yin, R.K.: Case Study Research, Design and Methods. Sage Publications,
2003.
[Zahran98] Zahran, S.: Software Process Improvement-Practical Guidelines for
Business Success. Addison-Wesley, 1998.
[Zelkowitz98] Zelkowitz, M. V. and Wallace, D. R: Experimental Models for
Validating Technology. IEEE Computer, 31 (5): 23-31, May 1998.
105
References
106
Appendix A
This chapter contains the papers in the order given in Section 1.5.
Jingyue Li1, Reidar Conradi1,3, Parastoo Mohagheghi1,2,3, Odd Are Sæhle1, Øivind
Wang1, Erlend Naalsund1, and Ole Anders Walseth1
1
Department of Computer and Information Science,
Norwegian University of Science and Technology (NTNU),
NO-7491 Trondheim, Norway
{jingyue, conradi}@idi.ntnu.no
2
Ericsson Norway-Grimstad, Postuttak, NO-4898 Grimstad, Norway
{parastoo.mohagheghi}@ericsson.com
3
Simula Research Laboratory, P.O.BOX 134, NO-1325 Lysker, Norway
Abstract. The paper describes an empirical study to investigate the state of practice and
challenges concerning some key factors in reusing of in-house built components. It also
studies the relationship between the companies’ reuse level and these factors. We have
collected research questions and hypotheses from a literature review and designed a
questionnaire. 26 developers from three Norwegian companies filled in the
questionnaire based on their experience and attitudes to component reuse and
component-based development. Most component-based software engineering articles
deal with COTS components, while components in our study are in-house built. The
results show that challenges are the same in component related requirements
(re)negotiation, component documentation and quality attributes specification. The
results also show that informal communications between developers are very helpful to
supplement the limitation of component documentation, and therefore should be given
more attention. The results confirm that component repositories are not a key factor to
successful component reuse.
107
Appendix A
1. Introduction
Software reuse can take many different forms, from ad-hoc to systematic [16]. In the
broad definition of reuse, it includes reusing everything associated with software
projects, such as procedures, knowledge, documentation, architecture, design and code.
In our research, we focus on systematic reuse of software code. The code reuse
literature has identified reuse practice and success factors through several case studies
and surveys. A major reuse effort is the REBOOT (Reuse Based on Object-Oriented
Techniques) consortium [25]. This effort was one of the early reuse programs that
recognized the importance of not only the technical, but also the organizational aspects
of reuse [18]. As more experience become available from industrial studies, non-
technical factors, such as organization, processes, business drivers and human
involvement, appeared to be at least as important as technological issues [15][19].
Following the success of the structured design and OO paradigms, component -based
software development has emerged as the next revolution in software development [27].
108
Appendix A
More and more IT companies have started to reuse code by encapsulating it into
components. Whitehead defines a component as: A software component is a separable
piece of executable software, which makes sense as a unit, and can interoperate with
other components, within some supporting environment. The component is accessible
only via its interface and is capable of use ‘as-is’, after any necessary installation and
configuration procedures have been carried out [28].
Component-based development is assumed to have many advantages. These include
more effective management of complexity, reduced time to market, increased
productivity, improved quality, a greater degree of consistency and a wider range of
usability [4][13]. It also brings many challenges, because it involves various
stakeholders and roles, such as component developers, application developers, and
customers. Different stakeholders and roles have different concerns [3], and face
different issues and risks [2] [27].
Component-based development differs from traditional development, where the
usual approach is for stakeholders to agree upon a set of requirements and then build a
system that satisfies these requirements from scratch. Component-based development
builds application by reusing existing components. Available components may not be
able to satisfy all the requirements. Therefore, component-based projects must have
flexibility in requirements, and must be ready to (re)negotiate the requirements with the
customer. Moreover, components are intended to be used ‘as-is’. If some additional
functionality is required, ‘glue-code’ is needed to be built to meet the differences
between the requirement and component functionality. Another important feature of
component-based development is the strong focus on the quality attributes (such as
reliability, performance, and security etc.) and related testing. A major effort has to be
put into checking how components perform, how well they interact, and to make sure
that they are indeed compatible. Components may be developed in-house, acquired as
COTS (commercial-off-the-shelf) [3], or even as OSS (Open Source Software) [5].
Most current research on component-based software engineering focuses on COTS-
based development. Because COTS users cannot access the source code and must rely
on vendors to give technical support, COTS-based development is assumed to be more
challenging. Therefore, there is little research on the challenges based on in-house built
components.
3 Research approach
109
Appendix A
To reuse in-house components successfully, developers must follow three basic steps
[19]:
- Formulate the requirements in a way that supports retrieval of potentially useful
reusable components.
- Understand the retrieved components.
- If the retrieved components are sufficiently ‘close’ to the needs at hand and are of
sufficient quality, then adapt them.
From these steps, we selected several key factors. For step 1, we focus on the
efficiency of component related requirements (re)negotiation and the value of
component repository. For step 2, we study how knowledge about components can be
transferred from a component provider to a component user. For step 3, our study
focuses on definition and reasoning of quality attributes of components.
There is little research on the need for requirements (re)negotiation when
components are built in-house. People assume that owning source code of in-house built
components allows them to do any changes to meet the customers’ requirements.
However, components are intended to be used ‘as-is’, even it is built in-house. So, our
first research question is:
RQ1. Does requirements (re)negotiation for in-house components really work as
efficiently as people assume?
Concerning a component repository, Frakes claimed that it should not be given much
attention, at least initially [12]. So, our third research question is:
RQ3. Does the value of component repository increase with more reusable
components available?
To investigate this opinion more deeply, a null hypothesis H02 and an alternative
hypothesis HA2 was proposed:
H02. There is no relationship between the companies’ reuse level and the value of
component repository.
HA2. There is a positive relationship between the companies’ reuse level and the
value of component repository.
110
Appendix A
Berglund claimed that growing reusable software components will create a new
problem, i.e. the information-overload problem. Therefore, learning which component
to use and how to use them become the central part of software development [1].
Companies with a higher reuse level usually have more reusable components than
companies with lower reuse level. So, our fifth research question is:
RQ5. Does the difficulty of component documentation and component knowledge
management increase with increasing reuse level?
To study this question, we formalize null hypothesis H03 and alternative hypothesis
HA3:
H03. There is no relationship between the companies’ reuse level and developers’
satisfaction with component documentation.
HA3. There is a negative relationship between the companies’ reuse level and
developer’ satisfaction with component documentation.
The questionnaire included five parts. The questions in the first part were used to
investigate the reuse level of the companies. The definition of reuse level in this study is
the number of reused components vs. the number of total components in the
organization. The other four parts were organized based on the four key factors. Each
question in the questionnaire was used to study one or more research questions. The
details of questions are shown in the following Table 1. The correspondences between
the questions in the questionnaire and research questions are shown in Table 2. To
increase the reliability of our survey, the questionnaire also included the definition of
concepts used in the questionnaire, and the questions about the respondents’ personal
information.
The study was performed in three Norwegian IT companies. Data collection was carried
out by NTNU PhD and MSc students. Mohagheghi, Naalsund, and Walseth performed
the first survey in Ericsson in 2002. In 2003, Li, Sæhle and Wang performed the survey
111
Appendix A
reusing the core parts of the questionnaire in two other companies (i.e. EDB Business
Consulting and Mogul Technology). We selected those three companies because they
have experience on component reuse and would like to cooperate with NTNU in this
research. The respondents are developers in these three companies. They answered the
questionnaires separately. The questionnaires were filled in either by hand or
electronically (as a Word file). The MSc students provided support with possible
problems in answering the questionnaire.
Table 1. Questions in the questionnaire
Reuse level
Q1. What is the reuse level in your organization?
Q2. To what extend do you feel affected by reuse in your work?
Component related requirements (re)negotiation
Q3. Are requirements often changed/ (re)negotiated in typical develop projects?
Q4. Are requirements usually flexible in typical projects?
Q5. Do the component related requirements (re)negotiation processes work
efficiently in typical projects?
Value of component repository
Q6. Would the construction of a reuse repository be worthwhile?
Component understanding
Q7. Do you know the architecture of the components well?
Q8. Do you know the interface of the components well?
Q9. Do you know the design rules of the components well?
Q10a. Is the existing design/code of reusable components sufficiently
documented?
Q10b. If the answer of Q10a is ‘sometimes’ or ‘no’, is this a problem?
Q10c. If the answer of Q10a is ‘sometimes’ or ‘no’, what are the problems with
the documentation?
Q10d. If the answer of Q10a is ‘sometimes’ or ‘no’, how would you prefer the
documentation?
Q10e. What is your main source of information about reusable components
during implementation?
Q10f. How do you decide whether to reuse a component ‘as-is’, ‘reuse with
modification’ or ‘make a new one from scratch’?
Quality attributes specification of components
Q11. Are specifications for components’ quality attributes well defined?
Q12. Do you test components after modification for their quality attributes
before integrating them with other components?
112
Appendix A
3.3.1 Companies
Ericsson Norway-Grimstad started a development project five years ago and has
successfully developed two large-scale telecommunication systems based on the same
architecture and many reusable components in cooperation with other Ericsson
organization. Their two main applications share more than 60% of ca. 1M lines of code
[22].
EDB Business Consulting in Trondheim (now Fundator) is an IT-consultant firm
which helps its customers to utilize new technology. It started to build reusable
components from 2001. They have built some reusable components based on the
Microsoft .Net in their eCportal framework (i.e. a web-application framework) 1.0 &
2.0. These components have been successfully reused in their new e-commence
applications.
Mogul Technology (now Kantega) in Trondheim has large customers in the
Norwegian finance- and bank sector. The main responsibilities are development and
maintenance of the customers’ Internet bank application. The application was originally
a monolithic system. After several years in production, the customer itself took initiative
to reengineer the old system to a component-based solution based on EJB component
model in 2002. At the time of the survey, some components have been created and
reused in their new Internet bank system.
3.3.2 Respondents
4 Survey Results
In this section, we summarize the result of the survey. All the following statistical
analyses are based on valid answers, i.e. Don’t Know answers are excluded. The
statistical analysis tool we used is SPSS Version 11.0.
113
Appendix A
First, we wanted to know the reuse level in those three companies. Q1 and Q2 were
asked to get the answer based on developers’ subjective opinion on this issue. The result
of Q1 is shown in Fig. 1, and the result of Q2 is shown in Fig. 2. From Fig. 1 and Fig. 2,
we can see that most developers in Ericsson think that the reuse level in their company
is very high or high. Most developers in EDB regard the reuse level in their company is
high or medium. Most developers in Mogul think that the reuse level in their company
is medium or little.
Questions Q3-Q5 were asked to investigate RQ1.We can see that no respondents to Q3
believe that the requirements were never changed/ (re)negotiated. Only 8% of
respondents to Q4 think the requirements of their typical project are not flexible.
However, only 48% of respondents to Q5 think component related requirements
(re)negotiation works well. To study RQ2 and test the hypothesis H01, the correlation
between the reuse level and response to Q5 is studied. We assign ordinal values to
Ericsson, EDB and Mogul to represent their different reuse levels based on the
responses to Q1 and Q2 (Ericsson = 3, EDB = 2, Mogul = 1). We also assign ordinal
value to the answer of Q5 (Yes = 3, Sometimes = 2, No =1). The result of correlation
between them using one-tailed Spearman Rank Correlation Coefficient analysis is .112,
and the significance is .306. This shows that there is no significant statistical
relationship between the reuse level and the efficiency of component related
requirements (re)negotiation.
From the answer of Q6, we found that 71% of respondents in Mogul and EDB regard
constructing a component repository as worthwhile, against 57% in Ericsson. To study
RQ3 and test hypothesis H02, the relationship between the answer of Q6 and the reuse
level is studied. We use the same ordinal number mapping as previously. The result of
correlation between them using one-tailed Spearman Rank Correlation Coefficient
114
Appendix A
analysis is -.124, and significance is .297, which shows that there is no obvious
relationship between them.
What i s t he r euse l evel i n your company?
80%
70%
ers
60%
ercentage of answ
50%
ERI CSSON
40% EDB AS
MOGUL
30%
P
20%
10%
0%
Ver y hi gh Hi gh Medi um Li t t l e Don' t know
Reuse Level
Fig. 1. Result of the question “What is the reuse level in your company?”
To what ext end do you f eel af f ect ed by r euse i n your wor k
80%
70%
ers
60%
percent age of answ
50%
ERI CSSON
40% EDB AS
MOGUL
30%
20%
10%
0%
Ver y hi gh Hi gh Medi um Li t t l e Don' t know
Ef f ect Level
Fig. 2. Result of the question “To what extend do you feel affected by reuse in your
work?”
Questions Q7-Q10f were used to investigate RQ4. For Q7, Q8 and Q9, the results show
that 67% of the respondents think the component structure is well understood, 61% say
that the component interfaces are understood, and 63% regard the design rules of
components are also well understood. But for the responses to question Q10a, no one
thinks that the design/code of components is well documented, 73% think that they are
sometimes well defined, and 27% believe that they are not well documented.
Furthermore, the answers to questions Q10b and Q10c indicate that 86% believe that
insufficient component documentation is a problem, e.g. documentation is not complete,
not updated, and difficult to understand, etc. From responses to Q10d and Q10f, we can
see that the preferable way of documentation is web pages. Some of the developers’
knowledge of how to use components comes from informal communication sources, for
example, previous experience, suggestions from local experts, etc. To study RQ5 and
test hypothesis H03, the association between reuse level and response to Q10a is
115
Appendix A
studied. We use the same ordinal number mapping as previously. The result of
correlation between them using one-tailed Spearman Rank Correlation Coefficient
analysis is -.469, and significance is .014, which shows that there is a weak negative
relationship between them. It means that the higher the companies’ reuse level, the less
satisfied a developer is with the component documentation.
Question Q11 and Q12 were used to investigate RQ6. From the responses to these
questions, we see that 70% of the participants regard the design criteria for quality
requirements are not well defined, and 87% will test the quality attributes of
components after component modification, before integrating them into the system.
5 Discussions
Based on the result of the survey, we discuss our research questions and hypotheses, and
discuss the limitations and threats to validity.
116
Appendix A
Some researchers have claimed that repository is important, but not sufficient for
successful reuse [18] [21]. Our data confirms that developers are positive, but not
strongly positive to the value of component repository. So, this result gives future
support to the previous conclusion.
From the test result on H02, we can see that there is no statistically significant
relationship between developers’ positive attitude to a component repository and reuse
level. So, we cannot reject null hypothesis H02. Our conclusion to RQ3 is that
companies are not expected to invest in a repository to increase reuse.
117
Appendix A
components and systems, and reason about them, particularly in the early stage of
system development is still a key challenge in component-based development.
We now discuss the possible validity threats in this study. We use the definition given
by Judd et al. [14].
Construct validity In our case, the main construct issue applies to the variables
chosen to characterize the data set. The independent variable, i.e. reuse level, is the most
sensible one. The results of questions Q1 and Q2 give a qualitative and consistent value
on this variable.
Internal validity A major threat to this validity is that we have not assessed the
reliability of our measurement. Most variables are measured on a subjective ordinal
scale. An important issue for future studies is to ensure the reliability and validity of all
measurement. In this survey, we gave clearly specified concepts in the questionnaire
and provided support to possible misunderstanding. These methods partly increased the
reliability.
External validity The small sample size and lack of randomness in the choice of
companies and respondents are threats to external validity. In general, most empirical
studies in industry suffer from non-representative participation, since companies that
voluntarily engage in systematic improvement activities must be assumed to be better-
than-average.
Conclusion validity This study is still a pre-study. Future studies will be implemented
to give more statistically significant results.
This study has investigated challenges related to four key factors for development based
on in-house components, especially in development-with-reuse. These factors are
component related requirements (re)negotiation, component repository, component
understanding and components’ quality attribute specification. Another contribution is
that we compared three IT companies with different reuse levels to study the possible
trend and challenges in these factors when more and more code will be encapsulated as
reusable components inside a company.
- For component-based requirements (re)negotiation, the results of research
questions RQ1 and RQ2 show that requirements (re)negotiation for in-house built
components is important but not efficient. The efficiency will probably not
increase with higher reuse level.
- For the component repository, the results of research question RQ3 confirm that a
component repository is not a key factor for successful reuse. Furthermore, the
potential value of a component repository will probably not increase with higher
reuse levels.
- For component understanding, the results of research questions RQ4 and RQ5
show that most developers are not satisfied with the component documentation,
and developers’ satisfaction with component documentation will probably
decrease with higher reuse level. The results also show that informal
118
Appendix A
The main limitation of our survey is that it depends on the subjective attitudes of
developers, and with few companies and participants involved. Later studies are
planned to be undertaken with more precise quantitative methods and on more
companies with more distinct reuse levels. Case studies will also be undertaken to
follow the change of companies from lower reuse level to higher reuse level to future
investigate our research questions.
7 Acknowledgements
This study is supported by the SPIKE and INCO projects. We thank the colleagues in
these projects, and all the participants in the survey.
References
119
Appendix A
120
Appendix A
121
Appendix A
122
Appendix A
1. Introduction
COTS-based development has become more and more important in software and system
development. Using COTS components promises faster time-to-market and increased
productivity (Voas, 1998a). At the same time, COTS-based software introduces many
risks. This means that unknown quality properties of the chosen COTS components can
be harmful for the final product, and a COTS vendor may terminate the maintenance
support of its COTS components (Voas, 1998b).
The use of COTS components introduces new system issues, which require revised
software development processes. Although researchers and practitioners have been
grappling with these new processes, most studies have been based on military or
aerospace projects (Morisio et al., 2000; SEI, 2004), or similar large projects. In order to
propose and design cost-effective COTS-based development processes, it is necessary
123
Appendix A
A pertinent question is “What do you mean by a COTS component?” There are many
different definitions of COTS components (Basili and Boehm, 2001; Carney and Long,
2001). We have used the definition by Torchiano and Morisio (2004), where a COTS
component should satisfy all the following requirements:
124
Appendix A
There is consensus that the use of a COTS component implies changes in the
software process (Brownsword et al., 2000). Most studies of a COTS-based
development process focus on two dimensions: Process of the whole software
development lifecycle and process of the specific phase, especially in COTS component
selection and evaluation.
2.2.1 Process of the whole software development lifecycle. Boehm and Abts (1999)
regard both the waterfall model and evolutionary development as unsuitable for COTS-
based development because:
Based on the above arguments, Boehm and Abts (1999) proposed that development
models which explicitly take risk into account are more suitable for COTS-based
development than the traditional waterfall or evolutionary approaches.
The Software Engineering Institute has a large ongoing effort to address the
development of COTS-based systems, and they have developed the Evolutionary
Process for Integrating COTS-based Systems (EPIC) (Albert and Brownsword, 2002).
The proposed process integrates COTS-related roles and activities into a RUP process.
The iterative and evolutionary nature inherent in this process allows developers to adjust
the architecture and system design, as more knowledge is gained about the operations of
the COTS components.
The National Aeronautic and Space Administration (NASA) has been developing IT
systems with COTS components for many years. Their experience has been captured by
Morisio et al. (2000). They have investigated the various processes that were used
across 15 projects at NASA. Based on their insight, they have developed a COTS-based
development process that was the most representative for the processes used in the
projects.
2.2.2 COTS component selection and evaluation process. Based on case studies,
researchers have proposed several COTS component selection processes and methods.
One kind of process is based on direct assessment (Leung and Leung, 2002), such as
125
Appendix A
MBASE (Model Based Architecting and Software Engineering) (Boehm, 2000), OTSO
(Off-the-Shelf-Option) (Kontio, 1996), CISD (COTS-based Integrated System
Development) (Tran et al., 1997), PORE (Procurement-Oriented Requirement
Engineering) (Maiden and Ncube, 1998), CAP (COTS Acquisition Process) (Ochs et
al., 2001), IIDA (Infrastructure Incremental Development Approach)(Fox et al., 1997),
CARE (COTS-Aware Requirements Engineering) (Chung and Cooper, 2002), RCPEP
(Lawlis et al., 2001), and CRE (COTS-Based Requirements Engineering) (Alves and
Finkelstein, 2003). In general, the direct assessment process includes three basic steps:
- Inspect all modules of each of the available COTS components to check whether
they satisfy some or all of the functional requirements of the COTS-based system
being developed.
- Check whether a COTS component also satisfies the non-functional requirements
of the COTS-based system. Non-functional requirements may include properties
such as the interoperability of the modules of the COTS product with other
systems.
- Compare the COTS component candidates and select the most appropriate COTS
component that satisfies both the functional and non-functional requirement of
the COTS-based system.
Some of the direct assessment processes, such as OTSO (Kontio, 1996), CAP (Ochs
et al., 2001), and CISD (Tran et al., 1997), assume that the requirements are fixed and
select the COTS components by comparing how well the COTS component candidates
satisfy the requirements. A formal decision-making process is usually used to select the
best COTS component (Ncube and Dean, 2002). The formal decision-making process
usually includes three basic elements: selecting evaluation criteria (factors), collecting
and assigning values to these criteria, and applying formal decision-making algorithms
such as MAUT (MacCrimmon, 1973), MCDA (Morisio and Tsoukias, 1997), and AHP
(Saaty, 1990). Other direct assessment processes, such as MBASE (Boehm, 2000),
PORE (Maiden and Ncube, 1998), IIDA (Fox et al., 1997), CARE (Chung and Cooper,
2002), RCPEP (Lawlis et al., 2001), and CRE (Alves and Finkelstein, 2003) emphasize
the trade-offs between the requirements and COTS component functionalities. These
processes do not assume that the requirements are fixed and should not be changed. On
the other hand, these processes propose that the requirements in COTS-based
development should be flexible enough so that they can be negotiated or changed
according to the available functionalities of the COTS components.
Another kind of process is based on a domain-model (Leung and Leung, 2002). It
includes a set-up phase and a selection phase. In the set-up phase, the vendors need to
map their COTS modules to those modules of the domain that they find are applicable.
In the selection phase, the corresponding modules in a domain model are identified for
each of the modules of the COTS-based system in question. Then, the COTS modules
that claim to be applicable are identified by the mapping from the domain models to the
COTS modules. After that, the non-functional properties of the identified COTS
modules are assessed. In the end, the most appropriate COTS modules are selected with
reference to all of the assessment results.
126
Appendix A
3 Research approach
3.1.1 Research question RQ1. Boehm and Abts (1999) regard both the waterfall and
evolutionary lifecycle process as unsuitable for COTS-based development. Most COTS-
based projects must therefore adjust their development process to a risk-driven spiral
process, instead of a waterfall and evolutionary one. However, there are still no
conclusive empirical studies on this issue. So, our first research question is:
RQ1: What was the actual process used in the projects using COTS components?
3.1.2 Research question RQ2. Morisio et al. (2000) have proposed that COTS-based
software processes differ considerably from “traditional” lifecycle processes, such as
waterfall, or prototyping. Not modifying the traditional process can be a failure factor.
They also pointed out that their proposed process has several variations for
customization purposes. They also indicated that it is important to investigate under
what conditions each variation is most suitable. However, there have been no further
studies on this so far. Our second research question is then:
127
Appendix A
RQ3. What are process scenarios (variations) of the projects using COTS
components successfully and not successfully? What are possible problems and good
practices in different process scenarios?
The initial plan for this study was to make a quantitative survey using a pre-stated
hypothesis with standardized questions in a formal questionnaire. After two rounds of
pre-tests on the questionnaire, we found that the questionnaire requires substantial work
to give consistent and reliable results. We decided, as a first step, to go for an
exploratory pre-study using semi-structured interview.
Face-to-face interviews offer the possibility of modifying one’s line of enquiry,
following up interesting responses and investigating underlying motives in a way that
questionnaire cannot (Robson, 2002). The choice of the semi-structured interview
approach enabled more open research questions, not fixed hypotheses, but still relying
on a rather detailed interview guide with both closed and open-ended questions. The
advantages of open ended questions are that they allow us to go into depth and clear up
misunderstandings, enable testing of limits of a respondent’s knowledge, allow us to
make a truer assessment of what the respondents really believe, and opening for
unexpected or unanticipated answers.
128
Appendix A
To evaluate the construct validity of the interview guide, we added three meta-
questions following each question. These meta-questions asked the respondents, if the
question was clear, if respondents needed clarification, and if respondents could give
specific comments if the question was confusing. All this is a standard procedure from
social science (Fowler, 2001).
Lastly, to ensure that a respondent had understood the COTS-relevant definitions
correctly and could select a proper company project, we asked the respondent to give
further examples of COTS components based on their understanding.
3.4 Sampling
Interviews and data collection were conducted by Li and Bjørnson from Nov. 2003 to
Jan. 2004. They contacted 34 IT companies, where most were involved in two
Norwegian R&D Projects (INCO, 2000; SPIKE, 2002) and one EU R&D project
(FAMILIES, 2003).
A pre-process was used to select relevant COTS-based projects. Contact persons (IT
manager in most cases) in the above projects were first contacted by phone and email,
using an introductory letter with our definition on COTS component and project (the
same as definitions in the interview guide). They were asked to check if they have a
relevant COTS-based project. During this pre-process, 17 companies (among 34) did
not match our definition of a COTS-based project, and therefore could not join the
study. Of these 17 “rejected” companies, 13 used only in-house built components and 3
used only open source components. There was one other company that could not
participate because of confidentiality issues.
For the remaining 17 companies, 13 of these volunteered to join in the study. The
contact persons in these 13 companies were asked to recommend persons with most
experience on the relevant projects. In all, 16 persons were recommended from these 13
companies. For each recommended respondents, they were asked to select one relevant
COTS-project. If a respondent claimed that he/she had experience from several COTS-
based projects, the respondent was asked to select one that he/she was most familiar
with. The whole process to find a suitable respondent and project in a prospective
company, and later agree upon place and time for a physical interview took weeks.
Although the total sample was based on convenience, we ensured that we had
included respondents from large, medium and small companies.
The interview guide was sent to respondents a few days before the personal interview.
In this way, the respondents were well-prepared and could have time to remember the
details of the projects and find some relevant documents.
We offered the company respondent a compensation of 100 euro and/or a copy of a
status report. Most companies did not want money, rather a status report. We
emphasized that all answers and other information would be treated strictly as
confidential.
129
Appendix A
Most of the answers and comments requested by the interview guide were filled-in
on paper during the interview by the interviewer. Each interview was conducted by one
of the two interviewers (none with two interviewers), took from 60 to 80 minutes, and
was recorded.
The first step in data analysis was to listen to the tape, and supplement and transcribe
the interview “as-is” into a field note. After that, we used different analysis procedures
according to the purpose of different research questions.
The purpose of the first research question RQ1 is to investigate the actual
development processes used in the project. The data was analysed by the constant
comparison method (Strauss and Corbin, 1998). As all respondents had a clear
definition on the main process used in their project. These processes were early grouped
into traditional process (waterfall, prototyping, or incremental) or a totally new process.
The purpose of the second research question RQ2 is to see the similarities and
differences between process changes in the studied projects. The main analysis method
used is cross-case analysis (Strauss and Corbin, 1998), i.e. treating each project as a
separate “case”. The field notes for the first two projects were first reviewed. For each
of these two projects, a list was compiled with short phases that describe the process
changes in each project (i.e. new or changed activities, when and how these changes
were performed). Then these two lists were compared to determine the similarities and
differences. The next step was to list, in the form of propositions, conclusions one
would draw if these two projects were the only two in the data set. Each proposition had
associated process changes that supported it. After analysing the first two projects in
this way, the third project was examined, and a list of its process changes was compiled.
Then it was determined whether this third project supported or refuted any of the
propositions formulated from the first two. If a proposition was supported, this third
project was added to its list of supporting evidence. If it contradicted a proposition, then
either the proposition was modified or the project was noted as refuting that proposition.
Any additional propositions suggested by the third inspection were added to the list.
This process was repeated for each project. The end result was a list of propositions,
each with a set of supporting and refuting evidence (projects).
The purpose of the third research question RQ3 is to summarize the process
scenarios of the successful and unsuccessful projects. We first grouped projects into two
groups based on the positive or negative effect of the COTS components regarding
time-to-market and general quality of the system. In each group, we divided projects
into sub-groups based on their main actual processes used. For each sub-group, we
performed a similar cross-case analysis as for research question RQ2. The difference is
that we included more information for analysis. For each project, a list of short phases
was compiled that describe not only the process changes in each project, i.e. new or
changed activities, but also when and how these changes were performed. We also
recorded project contexts, i.e. the developers’ experience with COTS components. To
summarize the lesson learned in different process scenarios, we selected the main
problems met and examples of good practice performed in each process scenario. The
problems and examples of good practice that occurred in more than one project were
grouped into one item. Some problems and examples of good practice, which occurred
130
Appendix A
in only one project, were also listed because they were regarded as the main factor that
decided the success and failure of the project.
4 Collected samples
4.1 Companies
4.2 Respondents
We had one respondent from each project. Three respondents are IT managers, 4 are
project managers, 5 are software architects, 3 are software developers, and 1 is a
software development researcher. Nine of them have more than 10 years of software
development experience, and 12 of them have more than 4 years of working experience
with COTS-based development. Eight of them have a master degree, and the rest have a
bachelor’s degree. Twelve of them have a principal degree in informatics or computer
science.
4.3 Projects
131
Appendix A
Generally, we selected only one project from a company. However, we selected two
projects in three companies because these projects differed largely in project members,
development process, and COTS components used.
Background information includes effort spent, development language, and
application domain. Table 2 lists the basic information on the 16 projects.
Some projects used one or two COTS components, others used more. Because of time
limitations, we asked the respondents to select no more than three typical COTS
components which were used in their projects. Totally, we gathered information about
30 different COTS components in 16 projects. Some typical COTS components are
listed in Table 3.
Table 3. Background information on some COTS components
COTS component name Functionality
CTI Computer Telephony Integration
Sheridan GUI
Intelligent Report Report generator
Active Reports Report preview and printing
Open MP Open parallel processing
IMAPP Image processing
SearchEngine Searching the context in the website
ComWork Workflow management
XML lite XML parser
132
Appendix A
The list is not exhaustive, and is only used to indicate the kinds of selected COTS
components. Some of the COTS components are based on standards like COM,
CORBA, and EJB, and some of them are C++ or Java libraries. All the COTS
components follow our previous definition, i.e., they were integrated into the final
product and were delivered together with the final system to the customer.
5 Results
Research question RQ1 is to identify the actual processes used in projects with COTS
components. To study this issue, we asked two open-ended questions: we first ask the
respondents to describe the development processes they used. We also asked if they
selected the actual development processes because of using COTS components.
Results of the first question show that the main development processes of the studied
projects can be grouped into three categories: pure waterfall, waterfall mixed with
prototyping, and incremental mixed with prototyping. Five projects used waterfall. One
used waterfall mixed with little prototyping (a small prototype was used for discussing
requirements of the GUI part of the system). Ten projects used incremental mixed with
some prototyping.
Results of the second question show that none of the respondent claimed that they
selected the main development process based on whether or not they intended to use
COTS components. That is, they decided the main process before they started to think
about using COTS components or not. They just added or changed some activities and
roles in their traditional process to reflect the use of COTS component.
Therefore, the answer to research question RQ1: The so-called COTS-based
development process is the customization of the traditional development process due to
the use of COTS components.
Research question RQ2 investigates the commonalities and possible variations in the
development processes. To study the common changes in the develop processes, we
asked if there are any new or changed activities, role and responsibilities in the project
due to use of COTS components. The detailed answers are listed in Appendix A. The
commonalities are that new activities were added and possible one new role was added.
The added new activities include:
- Make vs. buy decision: In COTS-based development, the first extra activity in
all the studied projects was to make the make vs. buy decision. Non-technical
issues, such as costs, licensing, and market trends, as well as technical issues
may dominate this stage.
- COTS component selection: After the respondents decided to use COTS
component; the following extra activity in all the 16 projects was COTS
component selection. However, different projects used different selection
processes and criteria in their COTS component selection.
133
Appendix A
The possible added new role is: a COTS component knowledge keeper. As
mentioned above, it was difficult to really understand the COTS components. In 10
projects, one or more project members had some previous experience with selection and
integration of the actual COTS components. They provided suggestions on COTS
component selection and integration. Although some of them were not dedicated to
work as a COTS component knowledge keeper, their previous experience improved the
speed and quality of COTS component selection and integration.
To investigate the variations in the processes, we transcribed respondents’
description on the above new activities and compared when, how, and why these
activities are performed. The detailed information on when and how the COTS
components were selected is listed in Appendix B. The results show that the main
variations in the customization of main development processes deal with the following
activities:
- The phase to make the make vs. buy decision and the COTS component
selection: Morisio et al. (2000) proposed a two-phase make vs. buy decision.
The first decision is in the requirement phase and the second in the design phase.
Our results indicate that only 2 of the 5 waterfall projects made the make vs. buy
decision and COTS component selection in the requirement phase. If the project
members had no relevant experience with specific COTS component, it was very
hard to make that choice in the requirement phase. Two waterfall process
projects managed to make the make vs. buy decision and COTS component
selection in the requirement phase, because they were already familiar with the
possible COTS components.
- The COTS component selection and evaluation process: The selection
process in our studied projects can be summarized in two categories:
• Familiarity-based selection process (SP_fam): The previous familiarity
came either from the project members in the projects, i.e. the COTS
component knowledge keeper, or from a colleague outside the project. If the
project members had enough previous experience with the candidate COTS
components, this experience will be the key factor in the COTS component
selection. In all, 16 of the 30 given COTS components were selected based
on the suggestion of the COTS component knowledge keeper inside the
projects. Four COTS components were selected based on recommendations
from colleagues outside the project or organization.
134
Appendix A
This kind of selection is similar to some proposed processes, such as OTSO (Kontio,
1996), CAP (Ochs et al., 2001), and CISD (Tran et al., 1997). The main difference is
that the actual process was much faster and no decision-making algorithms have been
used. In addition, developers knew that it was impossible to test several COTS
components completely due to limited time and cost. They generally tested only some
of the key functionalities, and depended on comments from a newsgroup to evaluate the
quality of the COTS components. Therefore, COTS components with more and better
comments in the newsgroup or marketplace bulletin had a good chance to be selected,
because they were assumed to be better tested and in general of higher quality.
The answer to research question RQ2: There are some common new activities and
one new role is added in COTS-based development processes. The possible variations
are when and how to perform these new activities.
Research question RQ3 is about summarizing the process scenarios of projects using
COTS components successfully and unsuccessfully. The focus is to investigate the
relationship between the possible risks and the development processes. We asked
respondents to summarize their problems encountered (PEs) and their examples of good
practices (GP) in the studied projects. First, we extracted process-relevant parts, i.e.
what were the main development processes, and when and how were the new activities
performed. We then summarized some other salient problems and examples of good
practice, which may give guidance to COTS-based development.
In our definition, a project that used COTS components successfully means that the
COTS components contributed positively to time-to-market and system quality.
Otherwise, it is regarded as being used unsuccessfully.
5.3.1 Scenarios of projects that used COTS components unsuccessfully. Four of the
16 studied projects were regarded as using COTS components unsuccessfully. The
scenarios are summarized in scenarios Sc1 to Sc3 in Table 4.
135
Appendix A
Table 4. The scenarios of the 4 projects that used COTS components unsuccessfully
Scenari Characterizatio Problems Good Practice (GP)
o ID ns Encountered (PEs)
(Project
ID)
Sc1 (P1 Two projects used PE1: Selected the GP1: Used external
and waterfall processes. COTS component too COTS expert.
P14) Made the make vs. late.
buy decision and PE2: Used only
the COTS demonstration,
component without pilot.
selection in the PE3: Could not (re)
implementation negotiate
phase. requirements with
Selected unfamiliar customer.
COTS components. PE4: It was difficult
to formally verify the
COTS component’s
reliability.
Sc2 One project used PE5: Selection was GP2: Used external
(P10) waterfall process. based only on COTS expert with
Selected COTS functionality. Ease of internal developers.
components in the integration was not
design phase, but considered.
mainly on their
functionality
Selected unfamiliar
COTS components.
Sc3 One project used PE5: Selection was
(P2) incremental & based only on
prototyping functionality. Ease of
process. integration was not
Selected the COTS considered.
components in the
design phase, but PE6: COTS
mainly because of component’s delay
their functionality. caused the delay of
Selected unfamiliar the project.
COTS components.
136
Appendix A
PE2: In project P1, the COTS component was selected only based on the vendor’s
demonstration. They did not do any hands-on trial to investigate how much effort is
needed to integrate the COTS component into the current system. As mentioned in
PE1, they had to spend a lot of effort on integrating the COTS components into the
system, which caused delay in the project.
PE3: Although some previous studies proposed to (re)negotiate requirements with
the customer when developers found later limitations of COTS components,
developers in project P14 could not (re)negotiate the requirements with customers
even if they wanted to. This is because the developer wanted to use COTS
components, not the customer. The customer cared only about the final result. If
developers were not allowed to use COTS components, (re)negotiation of
requirements due to COTS limitations is difficult.
PE4: The final product of project P14 is a highly safety-critical system. To ensure
reliability of the product, each line of code was required not only to be tested
strictly, but also to be formally proved. As the source code of the COTS component
was not available, they could not formally prove the correctness of the COTS
component even the COTS component passed all existing testing. They were
therefore always worried about it until they bought the source code.
PE5: In project P10, the project members did not know exactly how to integrate the
COTS components into the system and how to integrate them with other
components before COTS component selection. Their customer intervened in the
COTS component selection and recommended a certain COTS component that
could provide the needed functionality. This COTS component caused a lot of
quality problems.
Although these projects were regarded as being unsuccessful, there were still some
examples of good practice that helped to improve the project results. The background of
each example of good practices is the following:
- GP1: Project P1 hired one person from the vendor as a part-time consultant to
configure and integrate the COTS. Although a lot of glueware was needed to
integrate the COTS component because of the wrong selection, this external
expert helped to shorten the integration time to some degree.
- GP2: In project P10, the whole component part was outsourced to a consulting
company. The software company signed a fix-cost bid with the consulting
company. The consulting company did all the work to make the integration
work. As a result, the software company met the budget for the project. One of
their architecture and project managers worked closely with consulting
company. Therefore, these internal persons learned the COTS components in
this project. They believed that they could save a lot of money in the following
project, which will use the same COTS component.
5.3.2 Scenarios of projects that used COTS component successfully. Twelve projects
successfully integrated the COTS components. The scenarios are summarized into
scenarios Sc4 to Sc6 in Table 5.
137
Appendix A
138
Appendix A
GP10: Did
integration testing
incrementally.
GP11: Paid vendor
incrementally.
GP12: Investigated
COTS component
market.
To ensure the success of these projects, members of these projects performed some
other activities to reduce some possible negative effects of COTS components. Their
examples of good practices are summarized in the following:
- GP3: As the developers had experience with the relevant COTS components,
they knew how to integrate them and their limitations. In the COTS components
selection, they focused mainly on the ease of integration. If the COTS
components cannot provide all the required functionality, they built some
addware. In project P4, selecting COTS components based on the ease of
integration was highly recommended.
- GP4: In project P4, they not only consulted an internal expert, but also followed
the newsgroups of a COTS component on the Internet. Comments in the
newsgroups helped them to make the right selection.
- GP5: In project P13, they investigated the architecture of the system and the
COTS component to ensure the substitutability of the COTS component. This
139
Appendix A
means that they can easily change to other COTS components, if they are not
satisfied with the current COTS component. The same experience was also
emphasized by respondents in projects P11 and P12.
- GP6: Several projects started to select COTS components in the requirements
phase. This makes it simpler to match and possibly negotiate customers’
(volatile) requirements with the available functionality of the COTS
components, because the customer will accept the functionality of the COTS
components shown in the prototype. At the start of the prototyping process, the
main benefit of using COTS components is to build a prototype rapidly. They
could also learn and understand how to use the COTS components in building
such a prototype.
- GP7: In project P3, integrating unfamiliar COTS components was ranked as a
high risk task. These unfamiliar components had been integrated and tested
before other components.
- GP8: In project P3, one experience was that they tried to limit the amount of
glueware. They believed that the less glueware they need to produce, the easier
it would be to update in case a vendor provides new versions.
- GP9: In project P13, they had the source code of one COTS component.
However, they decided not to change the code because if the vendor released a
new version, it will be hard for the customer to maintain possible changes
himself.
- GP10: In some projects that used more than one COTS component, the
experience is that the COTS components should be integrated and tested
incrementally. It means that the integration test should be performed
immediately after one COTS component was integrated, instead of doing the
final integration testing. Without incremental integration testing, it may be
difficult to locate defects after all the COTS components are integrated.
- GP11: In project P7, the project paid part of the agreed amount after the
evaluation. As the project members discovered some limitations of the COTS
component, they asked the vendor to perform changes. After they got the
component as required, they paid the rest of the money to the vendor. They
believe that this allowed them to persuade the vendor to change the component.
- GP12: In project P15, they investigated the COTS component market share
before they selected it. They believed the vendor can survive for a long time if
their COTS products were used sufficiently in the market.
The studied projects showed that the COTS-based development could succeed under
different process scenarios. The answer to research question RQ3: COTS-based
development could be performed successfully using waterfall and evolutionary
processes. However, different process scenarios may face various risks.
6 Discussion
Results of this study confirmed some conclusions from previous studies and
contradicted others.
140
Appendix A
Boehm and Abts (1999) regard both the waterfall model and evolutionary
development as unsuitable for COTS-based development. The results from research
question RQ3 showed however that some projects could integrate COTS components
successfully, using waterfall or evolutionary processes. However, the results of RQ3
revealed that different process scenarios (Sc1 to Sc6) may have different risks. It is
therefore necessary to perform risk management according to customized process
scenarios, as proposed by Boehm and Abts (1999). In addition, results of RQ1 showed
that the main development processes were decided before the decision was made about
whether to use COTS components. That is, if the process is risk-driven as Boehm and
Abts (1999) proposed, developers should use non-COTS related risks to decide the main
development processes first. They should (only) start to consider COTS related risks,
after they decide to use COTS components.
Both EPIC (Albert and Brownsword, 2002) and the process proposed by Morisio et
al. (2000) indicated that some new activities and roles should be added to traditional
development processes. Examples are the make vs. buy decision, COTS components
selection, COTS components integration, and COTS component knowledge
management. The results of RQ2 gave further support to their conclusions. This study
shows that there are several possible variations in COTS-based development process,
for example, the COTS components were selected not only in the requirement phase,
but also in the design or coding phases.
Although the formal decision-making algorithms, such as MAUT (MacCrimmon,
1973), MCDA (Morisio and Tsoukias, 1997), or AHP (Saaty, 1990), was used in some
previous studies, such as OTSO (Kontio, 1996), CAP (Ochs et al., 2001), and CISD
(Tran et al., 1997). The results of RQ2 showed that none of the studied projects used
these formal decision-making algorithms. The results support findings (named thesis
T4) of Torchiano and Morisio (2004). The possible reason is that these techniques may
not be applicable in selecting COTS (Ncube and Dean, 2002; Maiden et al., 2002). In
practice, if developers had enough previous experience or tacit knowledge with specific
components, COTS component selection was based on their experience (see SP_fam in
Section 5.2). If they had no previous experience with the selected COTS components,
the selection was based on hands-on trials (see SP_unfam in Section 5.2). A handful of
candidate COTS components were compared very quickly with some key factors, for
example price, platform, and vendor reputations. Two or three COTS components were
selected for further hands-on trials.
Although methods to change or negotiate the requirements, such as MBASE
(Boehm, 2000), PORE (Maiden and Ncube, 1998), IIDA (Fox et al., 1997), CARE
(Chung and Cooper, 2002), RCPEP (Lawlis et al., 2001), and CRE (Alves and
Finkelstein, 2003), have been proposed to select COTS products. The results of RQ2
showed that these methods were not used in our studied projects. The possible reason is
that most COTS components being used in our studied projects are fine-grained COTS
components with limited functionalities (see Table 3). In case of using these fine-
grained COTS components, it is difficult for developers to negotiate the requirements
with the customer. As shown in PE3 (see Section 5.3.1), the customers can easily ask
the developers to build the required functionalities in-house instead of using a COTS
component, if the candidate COTS component cannot satisfy the customers’
requirements.
141
Appendix A
COTS-based software introduces many risks (Voas, 1998b). Some previous studies
summarized lessons learned and experiences by case studies (Boehm, et al., 2003;
COTS lessons learned repository, 2004; Tran et al., 1997; Fox et al., 1997; Rose, 2003;
Morris et al., 2003; FAA Guide, 2003; Kotonya and Rashid, 2001). The results of this
study gave further support to some of their conclusions. For example, faulty vendor
claims may result in feature loss and/or significant delays (Boehm, et al., 2003), and it is
not recommend changing the source code of the COTS component even if such a code
is available (COTS lessons learned repository, 2004; Morris et al., 2003). However, we
discovered some new salient problems encountered and examples of good practice, such
as incremental payment and preparation for replacement. In addition, previous studies
did not investigate the relationship between the risks and corresponding process
scenarios. Their lessons learned are proposed as general guidelines. It is therefore
difficult for practitioners to assess and evaluate the possible risks according to their
project contexts. The results of our study illustrated that some risks occur more
frequently in some development processes, such as waterfall process, than in other
development processes, such as incremental process.
Our results show that the COTS-based development process is not a totally new process.
It needs a customization (change or add new activities) on the traditional development
processes. Based on the results of this study, we propose how to design and customize a
COTS-based development process. As our studied projects mainly used waterfall and
evolutionary processes, our proposal focuses on these. The process design could include
two elements:
- First, decide the main development processes based on the project profile. The
main development process could be decided based on risk considerations such as
proposed by Boehm and Abts (1999), and based on the typical problems
discovered in this study.
- If the main development process is waterfall or evolutionary, the process could
be customized based on the actual main development process and project
members’ familiarity with relevant COTS components as following Figure 1. For
each customization, some possible risks must be identified and managed as we
discovered from this study.
6.2.1 Waterfall with unfamiliar COTS components. Scenarios Sc1 and Sc2 showed
that it is difficult to use an unfamiliar COTS component successfully if the general
process is waterfall. It will be difficult to find COTS components to fully satisfy the
requirements after the requirements and design have been decided upon. Therefore, our
recommendation is that the make vs. buy decision and the COTS components selection
should be performed before the implementation phase. The COTS components selection
process could be SP_unfam, and the ease of integration should be given much
consideration in the make vs. buy decision. If the candidate COTS components do not
appear to be easy to integrate, it is better to develop them in-house. Another
recommendation is to inform the customer; if possible, about using COTS components
after the make vs. buy decision. It may give the developers leeway to (re)negotiate the
requirements if later limitations of COTS components are found.
142
Appendix A
6.2.2 Waterfall with familiar COTS components. If the project members are quite
familiar with relevant COTS components, the make vs. buy decision and COTS
component selection could be performed in the requirement phase, because the
integrators know how to integrate them, and which functionality could be provided by
the COTS components. Our results showed that COTS components selection drives the
requirements to some extent.
6.2.3 Incremental & prototyping with unfamiliar COTS components. Here, the risk
of using unfamiliar COTS components is relatively low, compared to waterfall projects.
The integrator can select the COTS components based on the completeness of required
functionalities and build a prototype in a short time. The customers’ requirements can
be agreed upon by evaluating the prototype. For this customization, the
recommendation is to integrate the unfamiliar COTS components first, if there are
different phases to implement the system incrementally.
6.2.4 Incremental & prototyping with familiar COTS components. If the project
members have enough experience with relevant COTS components; they can easily
build a prototype of the system with the COTS component. In this case, our results
showed that buying COTS components had more advantages than building them in-
house. Here, the make vs. buy decision can be performed in the requirements and/or
design phase. If there are different phases to implement the system incrementally, they
do not need to integrate all COTS components upfront. In this case, COTS components
could be considered as in-house built components. The process could be the same as a
non-COTS one.
Waterfall with unfamiliar COTS component
6.3.1 Construct validity. In this study, most variables are taken directly, or with little
modification, from the existing literatures. To ensure construct validity, we did two
rounds of pre-tests on the interview guide in ten local IT companies. These companies
143
Appendix A
were selected based on convenience. For this, we wrote an introductory letter, sent by
email. This was followed up by a phone call to see if the company had a willing contact
person and a suitable COTS-based project. The interview guide (a MS-Word document)
was then sent to the respondents by email. The respondents filled in the questions in the
interview guide electronically, and gave free-text comments to each question and the
following alternatives. 10% of the questions and alternatives in the interview guide were
revised based on such comments.
The selected COTS component and further COTS component examples proposed
from respondents show that the definition of a COTS component was understood
correctly. Furthermore, the responses to the three meta-questions show that the
questions in the interview guide were understood consistently.
However, one possible threat to construct validity is our chosen success criteria for a
project successfully using COTS components, implying that the integrated COTS
components should contribute positively both to time-to-market and to the quality of the
final system. This may not apply for all kinds of projects as some projects might
emphasis only time-to-market, and others might emphasis only quality.
6.3.2 Internal validity. The first possible threat to internal validity is our
misunderstanding of respondents’ answers. Although two interviewers carried out the
interviews and there was only one in each interview, we taped all interviews. Listening
to the tape helped ensure correct interpretation of answers and comments. However,
having an independent (third) person to listen to the tape might increase data quality.
The second possible threat to internal validity is that people tend to talk about
examples of good practices instead of problems they encountered. As we had a
confidentiality agreement with the respondents, the respondents were encouraged to tell
the truth. The data in Tables 4 and 5 showed that 11 (out of 16) respondents stated at
least one problem encountered in their projects. However, the respondents might give
only the most salient problems they encountered and forget some minor problems
because we asked for data about past projects.
The third possible threat to the internal validity is that the lifecycle phases, such as
requirement, design, and implementation, may not be clearly separated in projects using
prototyping and incremental processes. We called back some respondents to ask
whether they had specific software architecture in mind before the make vs. buy
decision and COTS component selection. Their answers gave future clarification on
whether COTS components were selected in the requirements or design phases.
The fourth possible threat to the internal validity is that some projects might not
tailor the process because their processes already support COTS usage. So, we might
miss some necessary process improvements that have been performed before the project
start because we asked only salient process changes within the studied projects.
We selected 10 projects in 10 companies. However, we selected 2 projects in each of
the other 3 companies. The fifth possible threat is that they are the same instead of
different. However, data in Appendix A showed that all projects in the same company
are different:
- In the first company, one project used waterfall and another used incremental
process with prototyping. The project members were totally different, and the
COTS selection and strategy to integrate COTS were also different.
144
Appendix A
- In the second company, one project used waterfall and another used incremental
process with prototyping. The project members were totally different. The
architectures of the final systems were also different.
- In the third company, the first project was finished two years before the second
one started. The project members were totally different. The COTS selection
method and strategy were also different.
6.3.3 External validity. The primary threat to external validity is that the study is based
on few and possibly not typical companies in Norway. According to Norwegian
“Census Bureau” (SSB) (SSB, 2004), the mean value of employee number in
Norwegian IT companies is 6. The first possible external validity to this study is that our
selected companies are mostly medium and large sized. However, the selected projects
covered several application domains.
The second possible threat to external validity is that the size (based on person-
hours) of the projects might bias the conclusion of this study. We have divided the
projects into three groups: small (less than 10,000 person-hours), medium (between
10,000 and 100,000 person-hours), and large (more than 100,000 person-hours). We
found out that the actual process used, the problems encountered, and the good practice
crossed small, medium, and large projects.
The third possible threat to external validity is that most COTS components are well-
defined and provided only secondary (support) functionality of the delivered system.
The process customizations may be different if the COTS components are intended as
the core part of the system, or the COTS components are large packages, such as ERP
and content management systems.
145
Appendix A
industrial practitioners performed only the most necessary steps in COTS component
selection and made the final decision based on the results of the hands-on trial.
A set of explanatory scenarios, encountered problems, and examples of good
practices have been synthesized to assist in the customization of the traditional
development processes with the new activities and roles. Although some of these
problems and examples of good practice have been mentioned in other previous studies,
we discovered several new ones, which decided the success or failure of the studied
projects and deserve to be investigated further.
The main limitation of this research is that it is based only on software development
projects in Norway, and that the sample size is small and perhaps not representative in
profile for a typical COTS-based project. In the future, we will investigate further the
actual COTS-based development processes. Although we proposed some possible
customization of COTS-based development processes based on the results of this study,
more samples are needed to validate them. The validation will focus on when, how, and
why the new activities (make vs. buy decision, and COTS component selection) are
performed.
We will also do a further study on systematic risk management in COTS-based
development. The different process scenarios may meet different risks and need
different risk mitigation methods. To manage risks in COTS-based development, it is
necessary to identify risks, evaluate them and design risk mitigation strategies.
Although several risk management methods have been proposed by case studies, there
are few studies to verify these proposals and investigate how to use them in different
process scenarios.
We are now formulating more explicit research hypotheses based on the findings of
this study and the lessons learned. We plan to design a web-based questionnaire and use
this to perform a quantitative survey in a large sample in Norwegian IT companies, in
parallel with replicating the study in Germany and Italy.
8 Acknowledgements
This study is supported by the INCO, SPIKE, and FAMILIES projects. Comments from
our colleague Tore Dybå gave valuable input to this study. We thank the colleagues in
these projects, and all the participants in this study.
146
Appendix A
Build glueware.
C2 P3 Succ. Incremental Buy vs. build. Internal
& Selection. expert.
prototyping Learning.
Build glueware &
addware.
C2 P4 Succ. Waterfall Buy vs. build. Internal
Selection. expert.
Learning.
Build glueware &
addware.
C3 P5 Succ. Incremental Buy vs. build.
& Selection.
prototyping Learning.
Build glueware.
C3 P6 Succ. Incremental Buy vs. build.
& No selection as it
prototyping was the only
alternative.
Learning.
Build glueware.
C4 P7 Succ. Incremental Buy vs. build.
& Selection.
prototyping Learning.
Build glueware &
addware.
C5 P8 Succ. Incremental Buy vs. build. Internal
& Selection. expert.
prototyping Build addware.
C6 P9 Succ. Incremental Without make vs. Internal
& buy decision expert.
prototyping because using
COTS is a
company strategy.
Selection.
Learning.
Build glueware &
addware.
C7 P10 Failed Waterfall Buy vs. build. External
Selection. expert: The
Build glueware integration
Learning. was
outsourced
to a
consulting
company.
C8 P11 Succ. Incremental Buy vs. build. Internal
147
Appendix A
148
Appendix A
P9 17 Experience Design
P9 18 Experience Design
P10 19 Demo. Design
P10 20 Demo. Design
P10 21 Demo. Design
P11 22 Internet search with pilot Design
P11 23 Internet search with pilot Design
P12 24 Experience Design
P13 25 Experience Requirements
P14 26 Demo. Implementation
P15 27 Experience Design
P15 28 Recommended from external Requirements
expert
P16 29 Experience Design
P16 30 Experience Design
References
Abts, C., Boehm, B. W., and Clark, E. B. 2000. COCOTS: A COTS Software
Integration Cost Model - Model Overview and Preliminary Data Findings. Proc. of
the 11th ESCOM Conf, Munich, Germany, 325 -- 333.
Albert, C. and Brownsword L. 2002. Evolutionary Process for Integrating COTS-Based
System (EPIC): An Overview. SEI, Pittsburgh, Available at:
http://www.sei.cmu.edu/publications/documents/02.reports/02tr009.html.
Alves, C. and Fineklstein, A. 2003. Investigating Conflicts in COTS Decision-Making.
Journal of Software Engineering and Knowledge Engineering 13(5):473 – 493.
Basili, V.R. and Boehm, B. W. 2001. COTS-Based System Top 10 Lists. IEEE
Computer, 34(5):91 -- 93.
Boehm, B.W. and Abts, C. 1999. COTS integration: Plug and Pray? IEEE Computer,
32(1):135 -- 138.
Boehm, B. W., Port, D., Yang, Y., and Bhuta, J. 2003. Not All CBS Are Created
Equally COTS-intensive Project Types. Proc. of the 2nd Int. Conf. on COTS-Based
Software Systems (ICCBSS’03), Ottawa, Canada, Springer, LNCS Vol. 2580, 36 --
50.
Boehm, B. 2000. Requirements that Handle IKIWISI, COTS, and Rapid Change. IEEE
Computer 33(7):99 --102.
Brownsword, L., Oberndorf, T. and Sledge, C. 2000. Developing New Processes for
COTS-Based Systems. IEEE Software, 17(4):48 -- 55.
Carney, D. and Long, F. 2001. What do You Mean by COTS? Finally, a Useful Answer.
IEEE Software, 7(2):83 -- 86.
Chung, L. and Cooper, K. 2002. A Knowledge-Based COTS-Aware Requirements
Engineering Approach. Proc. of the 14th Int. Conf. on Software Engineering and
Knowledge Engineering, Ischia, Italy, 175 – 182.
ComponentSource. 2004. Available at: http://www.componentsource.com/.
COTS Lessons Learned Repository. 2004. Available at: http://fc-
md.umd.edu/ll/index.asp
149
Appendix A
Crnkovic, I., Hnich, B., Jonsson, T., and Kiziltan, Z. 2002. Specification,
Implementation, and Deployment of Components. Communication of the ACM,
45(19):35 -- 40.
FAA Guide. 2003. Federal Aviation Administration, Software Engineering Resource
Center. FAA COTS Risk Mitigation Guide: Practical Methods for Effective COTS
Acquisition and Life Cycle Support. Available at:
http://www.faa.gov/aua/resources/cots/Guide/CRMG.htm
FAMILIES project. 2003. Available at: http://www.esi.es/en/Projects/Families.
Fowler. F. J., Jr 2001. Survey Research Methods (Applied Social Research Methods).
3rd edition, Sage Publications.
Fox, G., Lantner, K., and Marcom, S. 1997. A Software Development Process for
COTS-based Information System Infrastructure. Proc. of the 5th Int. Symposium on
Assessment of Software Tools (SAST '97), Pittsburgh, PA, USA, 133 – 142.
INCO project. 2000. Available at: http://www.ifi.uio.no/~isu/INCO/.
Kontio, J. 1996. A Case Study in Applying a Systematic Method for COTS Selection.
Proc. of the 18th Int. Conf. on Software Engineering, Berlin, Germany, 201 – 209.
Kotonya, G. and Rashid, A. 2001. A Strategy for Managing Risk in Component-based
Software Development. Proc. of the 27th EUROMICRO Conference, Warsaw,
Poland, 12 -- 21.
Lawlis, P. K., Mark, K. E., Thomas, D.A., and Courtheyn, T. 2001. A Formal Process
for Evaluating COTS Software Products. IEEE Computer, 34(5):58 -- 63.
Leung, K. R. P. H. and Leung, H. K. N. 2002. On the Efficiency of Domain-Based
COTS product Selection Method. Journal of Information and Software Technology
44(12):703 --715.
MacCrimmon, K. R. 1973. An Overview of Multiple Objective Decision Making. Proc.
of the Multiple Criteria Decision Making, University of South Carolina Press, 18 --
44.
Maiden, N. A. M., Kim, H., and Ncube, C. 2002. Rethinking Process Guidance for
Selecting Software Components. Proc. of the 1st Int. Conf. on COTS-Based Software
Systems (ICCBSS’02), Orlando, FL, USA, Springer, LNCS VOL. 2255, 151 -- 164.
Maiden, N. A. M, and Ncube, C. 1998. Acquiring COTS Software Selection
Requirement. IEEE Software 15 (2):46-56.
Morisio, M. and Tsoukias, A. 1997. IusWare: a Methodology for the Evaluation and
Selection of Software Products. IEE Proceedings – Software Engineering, 144(3):162
-- 174.
Morisio, M., Seaman, C.B., Parra, A. T., Basili, V. R., Kraft, S. E., and Condon, S. E.
2000. Investigating and Improving a COTS-Based Software Development Process.
Proc. of the 22nd Int. Conf. on Software Engineering, Limerick, Ireland, 31 -- 40.
Morris, E., Albert, C., and Brownsword, L. 2003. COTS-Based Development: Taking
the Pulse of a Project. Proc. of the 2nd Int. Conf. on COTS-Based Software Systems
(ICCBSS 2003), Ottawa, Canada, Springer LNCS, VOL. 2580,168 – 177.
NAICS.2004. Available at: http://www.revenue.state.ne.us/tax/current/buscodes.pdf.
Ncube, C. and Dean, J. C. 2002. The Limitation of Current Decision-Making
Techniques in the Procurement of COTS Software Components. Proc. of the 1st Int.
Conf. on COTS-Based Software Systems (ICCBSS’02), Orlando, FL, USA, Springer,
LNCS VOL. 2255, 176 -- 187.
150
Appendix A
Ochs, M., Pfahl, D., Diening, G. C., and Kolb, B. N. 2001. A Method for Efficient
Measurement-based COTS Assessment and Selection - Method Description and
Evaluation Results. Proc. of the 7th Int. Software Metrics Symposium, London,
England, 285 – 297.
Robson, C. 2002. Real World Research: A Resource for Social Scientists and
Practitioner-researchers (Regional Surveys of the World), 2nd edition, Blackwell
Publishers.
Rose, L. C. 2003. Risk Management of COTS Based Systems Development. In:
Component-Based Software Quality, Springer LNCS, VOL. 2693, 352 -- 373.
Saaty, T. L. 1990. How to make a decision: The Analytic Hierarchy Process (AHP).
European Journal of Operational Research, 48(1): 9 -- 26.
SPIKE project. 2002. Available at: http://www.idi.ntnu.no/grupper/su/spike.html.
SEI (Software Engineering Institute). 2004. COTS-Based Initiative Description.
Available at http://www.sei.cmu.edu/cbs/cbs_description.html.
SSB: Norwegian Census Bureau. 2004. Available at: http://www.ssb.no
Strauss, A. and Corbin, J. M. 1998. Basics of Qualitative Research: Grounded Theory
Procedures and Techniques. 2nd edition, Sage Publications.
Torchiano, M. and Morisio. M. 2004. Overlooked Aspects on COTS-based
Development. IEEE Software, 21(2):88 -- 93.
Tran, V., Liu, D. B., and Hummel, B. 1997. Component-Based Systems Development:
Challenges and Lessons Learned. Proc. of the 8th IEEE Int. Workshop on Software
Technology and Engineering Practice, London, UK, 452 -- 462.
Voas, J. 1998a. COTS Software – the Economical Choice? IEEE Software, 15(2):16 --
19.
Voas, J. 1998b. The challenges of Using COTS Software in Component-Based
Development. IEEE Computer, 31(6):44 -- 45.
151
Appendix A
152
Appendix A
Jingyue Li1, Reidar Conradi1,2, Odd Petter N. Slyngstad1, Christian Bunse3, Umair
Khan3,
Marco Torchiano4 and Maurizio Morisio4
1
Department of Computer and Information Science,
Norwegian University of Science and Technology (NTNU),
NO-7491 Trondheim, Norway
{jingyue, conradi, oslyngst}@idi.ntnu.no
2
Simula Research Laboratory, P.O.BOX 134, NO-1325 Lysaker, Norway
3
Fraunhofer IESE, Sauerwiesen 6,
D- 67661 Kaiserslautern, Germany
{Christian.Bunse, khan}@iese.fraunhofer.de
4
Dip. Automatica e Informatica, Politecnico di Torino
Corso Duca degli Abruzzi, 24, I-10129 Torino, Italy
{maurizio.morisio, marco.torchiano}@polito.it
1. Introduction
153
Appendix A
Italy, and Germany). We have gathered answer from 133 projects using either COTS or
OSS components from a sample of 1500 companies.
Data of this survey support four of the six new theses and contradict the other two.
How to interpret the survey result is also discussed in detail in order to give
recommendations and suggestions on OTS based development.
The rest of this paper is organized as follows: Section 2 introduces the six theses we
intend to investigate. Section 3 presents the research questions and survey design.
Section 4 presents the actual sample. Section 5 lists results of each research question.
Detailed discussion on the survey results is given in Section 6. Conclusions and future
work are presented in Section 7.
After performing seven structured interviews of small and medium software companies
in Norway and Italy, Torchiano and Morisio summarized six new theses which
contradicted statements or implicit assumptions from previous literatures [12].
2.1 New Thesis T1: Open source software is often used as closed source.
2.2 New thesis T2: Integration problems result from lack of compliance with
standards. Architecture mismatches constitute a secondary issue.
In previous literature, architectural mismatches were cited as one of the primary sources
of integration problems [5, 13]. However, Torchiano and Morisio did not find any
instances of this. The integration problem in their interviewed was that the selected
components did not fully or correctly support the claimed standards [12].
2.3 New thesis T3: Custom code mainly provides additional functionalities.
The previous literature greatly emphasized the integration aspects of custom code
(named glueware or gluecode) [3, 9]. However, Torchiano and Morisio concluded that
one of the most common remedial solutions among interviewees was to add code
(called addware) to provide missing functionalities [12].
2.4 New Thesis T4: Developers seldom use formal selection procedures. Familiarity
with either the product or the generic architecture is the leading factor in selection.
154
Appendix A
2.5 New thesis T5: Architecture is more important than requirements for product
selection.
For COTS component selection, previous literature proposes selection processes mainly
based on requirements and their (re)negotiation [2, 7]. However, Torchiano and Morisio
discovered that the architecture drove the selection process, and was the fulcrum of all
trade-off activities [12].
2.6 New thesis T6: Integrators tend to influence the vendor on product evolution
whenever possible.
Literature generally describes the lack of control over the features and evolution of
COTS component as an immutable condition that integrators must tolerate [3].
However, Torchiano and Morisio found out that their interviewees were acting to
modify this condition [12].
3. Research design
To test the six new theses, we decided to collect more data using a randomized sample.
Our initial plan was to transfer the theses directly into hypotheses and make a
quantitative survey with standardized questions in a formal questionnaire. We designed
six fixed hypotheses according to the new theses and a preliminary questionnaire. The
process was as following:
After these two rounds of pre-testing, we discovered that it was difficult to reliably
investigate the six theses without a pre-study to clarify our research questions. For
example, we asked respondents whether they had influenced the vendors on product
evolution. The question was intent to investigate T6. After the pre-tests, we concluded
that it was not possible to get reliable results on this question. Some respondents had
pushed the vendor to change a COTS component concerning bugs fixing or new
functionalities. Although these respondents could tell whether they had got the required
changes or not, they were not sure whether they had influenced the evolution of the
COTS component.
155
Appendix A
rather detailed interview guide. We used a convenience sample, i.e. a list of large,
medium and small IT companies from existing project contacts. We ended up with 16
personal interviews in 13 Norwegian IT companies with an initial selection of 34
companies. The results of the pre-study were reported in [8].
After the pre-study, we were able to make testable research questions to investigate each
new thesis. Although the research questions might not give complete answers to each
thesis, they were designed to investigate each thesis in a reliable way.
3.2.1. Research questions for thesis T1. T1 claims that OSS components are being
used as COTS components in practice. From the pre-study, we discovered that we had
to interpret the word “used” correctly. The word “used” in [12] means that the source
code of OSS component was seldom read and changed. OSS components were therefore
“used” as “black-box”. As the meaning of “used” in T1 includes two activities, read and
change, we designed two research questions T1.RQ1 and T1.RQ2 to study T1.
T1.RQ1: Had the source code of OSS components been read by integrators
during software development?
T1.RQ2: Had the source code of OSS components been changed by integrators
during software development?
3.2.2. Research questions for thesis T2. T2 indicates that standard mismatches were
the most frequent problem in COTS based development, and the architecture
mismatches were a secondary issue. From the pre-study, we concluded that it was
difficult to conclude that the architecture mismatches constituted a second issue.
Although we can answer whether standard mismatches were more frequent than
architecture mismatches, some other mismatches might be more frequent than these
two. As a result, we limited our research question to compare the frequency of standard
mismatches and architecture mismatches, as shown in T2.RQ1.
3.2.3. Research questions for thesis T3. T3 argues that most custom code was used to
provide additional functionalities rather than solving mismatches between components,
or between components and application. In one word, T3 concludes that more addware
(code to add missing functionalities) was built than glueware (code to solve various
mismatches) in COTS-based development. In the pre-study, we asked the respondents
to give the exact LOC (Line-Of-Code) of glueware and addware they developed in the
project. However, most respondents could not give us the exact LOC of
glueware/addware. Some respondents claimed that this information was confidential.
Others complained that it was time-consuming to calculate this number. To avoid
getting wrong or incomplete data, we limited the research question to investigate the
156
Appendix A
occurrences of building glueware and addware instead of comparing the exact LOC. So,
the research question T3.RQ1 is:
T3.RQ1: Was the occurrences of building glueware more frequent than the
occurrences of building addware?
3.2.4. Research question for thesis T4. T4 concludes that formal selection procedures,
which generally come from the academia, were seldom used in practice. T4 also
concludes that familiarity with either the product or the generic architecture was used as
the leading factor in COTS component selection.
From the pre-study, we discovered that the definition of “formal selection procedure”
in [12] was too general, because there are several different kinds of formal selection
methods. After detailed analysis, we concluded the formal process defined in [12] is a
kind of process includes three basic elements: selecting evaluation criteria (factors);
collecting and assigning values to these criteria; making decisions using formal decision
making methods. In the pre-study, we discovered two other selection processes were in
frequent use [8]:
To test T4, we decided to compare how often these three kinds of selection processes
had been used in practice. So, the corresponding three research questions are:
T4.RQ2: How often had the familiarity-based selection process been used in
practice?
T4.RQ3: How often had the hands-on experimentation based selection process
been used in practice?
3.2.5. Research questions for thesis T5. T5 claims that architecture was more
important than requirements for product selection. From the pre-study, we discovered
that the architecture decision affected most components in the system and there were
157
Appendix A
3.2.6. Research questions for thesis T6. T6 argues that COTS users were not
completely passive in the COTS market and they managed to influence the vendor on
product evolution whenever possible. As mentioned in above, it was difficult to know
whether the COTS users actually influenced COTS component evolutions or not, even
if it was possible to know whether the required changes (corrections or new
functionalities) from the COTS users had been satisfied. To get a reliable conclusion on
T6, we limited our research question T6.RQ1 to evaluate how often the required
changes had been implemented by the vendors.
After we clarified the research questions based on results from the pre-study, we
designed a new questionnaire. To validate thesis T1, several questions related to OSS
components were also included.
The questions in the questionnaire were organized into three main parts:
158
Appendix A
• What was the technical base, such as Library, COM; CORBA, EJB etc.
Concepts used in this survey are listed in the first page of the questionnaire. In
general, the concepts are consistent with definitions proposed by Torchiano and Morisio
[12]. The difference is that we extended the definition to involve OSS component. The
key concepts are:
The final questionnaire was first designed and pre-tested in English (internal and
external reviews). It was then translated into the native languages and published on the
SESE web survey tool [11] at Simula Research Lab in OSLO.
We define the unit of this study as a completed software development project, and its
OTS-relevant properties. The projects were selected based on two criteria:
- The project should use one or more OTS components.
- The project should be a finished project, possibly with maintenance, and
possibly with several releases.
Projects were collected randomly from IT companies in Norway, Italy and Germany.
Slightly different sampling procedures were used in each country due to limited
resources. Detailed discussions on sample selection in this study are reported in [4].
159
Appendix A
To avoid bias in the data collection procedure, we made a guideline on how to contact
respondents before the survey started. All countries – Norway, Italy, and Germany –
followed the process in the guideline.
Possible respondents were contacted first by telephone. If the candidate respondents
had suitable OTS-based projects and would like to join our study, a username and
password of the survey tool and an electric version of the questionnaire were sent to
them. The respondents could use either the SESE web tool or the electronic version to
fill in the questionnaire. The respondents who didn’t want to answer the questionnaire
were also registered. We logged the main reasons of non-response, such as “no software
development”, “no OTS-based projects”, and “busy”. Most respondents used the Web
tool to fill in the questionnaire. However, phone interview were used in Germany
because of the confidential concerns in some companies [4].
4. Selected sample
We have gathered results from 133 projects (47 from Norway, 48 from Germany, and
38 from Italy) from 127 companies. In general, we selected one project from each
company. However, we selected more than one projects in three Norwegian IT
companies because those companies have many OTS-based projects and would like to
share more experience to this study.
The responding companies involved small (5-19 employees), medium (20-99
employees) and large (100 or more employees) ones as shown in Figure 1. The main
business areas of the sampled companies also cover different types as shown in Figure
2.
160
Appendix A
The final systems produced by the 133 projects cover different application domains as
shown in the Figure 3.
161
Appendix A
In the selected 133 projects, 83 used only COTS components, 44 used only OSS
components, and six used both COTS and OSS components. For the 44 projects using
only OSS components, each of them gave the detailed information of an OSS
component. For the 83 projects using only COTS components, 83 different COTS
components were selected. For the six projects used both COTS and OSS components,
the respondents selected to give detailed information of five COTS components and one
OSS component. In total, we got detailed information of 88 COTS components and 45
OSS components.
4.3. Respondents
Most respondents of the 133 projects have a solid IT background. More than 90% of
them are IT managers, project managers, or software architects. Most of them have
more than 2 year experiences with OTS-based development. All of them have at least a
bachelor degree in informatics, computer science, or telecommunication.
T1.RQ1 and T1.RQ2 is to test thesis T1, i.e. whether the OSS components had been
used in the same way as COTS components. To investigate T1.RQ1, the corresponding
question in the questionnaire is:
We used a five-point Likert scale to measure the answer. Respondents were asked to
answer “very little”, “little”, “some”, “much”, “very much”, or “don’t know”.
For question T2.RQ2, we used the same measurement scale as for T1.RQ1, and the
corresponding question is:
162
Appendix A
0
N = 44 44
RE A D C O DE C HA NGE C O DE
0
N = 26 27
RE A D C O DE C HA NGE C O DE
From Figure 4 and Figure 5, we can see that the source code of COTS or OSS
components had been read to some degree, if it was available. However, the source code
in both COTS and OSS components had seldom been changed.
T2.RQ1 asks whether the architecture mismatches were more frequent than standard
mismatches. To investigate T2.RQ1, the corresponding question is:
Did you encounter some of the following aspects (risks) with the selected OTS
component?
Standard mismatch and architecture mismatch were listed as option a) and b) of this
question:
a) The OTS component did not follow industrial standards (COM, CORBA etc.) as
the provider claimed (i.e. glueware was needed)
b) The OTS component had mismatching architectural assumptions towards other
parts of the system (i.e. glueware was needed)
Respondents were asked to answer “yes”, “no”, or “don’t know”. For the selected 88
COTS components, only 4.5% of the COTS components had standard mismatches,
compared with 28.4% COTS components having architecture mismatches.
163
Appendix A
T3.RQ1 is to test thesis T3, i.e. to compare glueware vs. addware. To investigate
T3.RQ1, we asked respondents the same questions as in T2.RQ1. We listed another
option c):
c) The OTS component could not provide all required functionality (i.e. addware
needed)
Have you performed some of the following actions for the selected OTS component?
Respondents were asked to answer “yes”, “no”, or “don’t know” for each option.
Results of the five options are listed in Table 1.
Data in Table 1 shows that one common criterion for identifying OTS components is
familiarity-based. 58% COTS components were selected according to local expert
(option c). Formal procedures (option d) were only used in evaluating 19% of the
selected COTS components. The most common evaluation method was hands-on
experimentation (option f). It was used to select 65% of the selected COTS components
in this study.
164
Appendix A
We listed several possible actions in the project. The action relevant to T5.RQ1 is:
OTS components were selected mainly based on architectural and standards
compliance, instead of expected functionality.
Respondents were asked to answer “don’t agree at all”, “hardly agree”, “agree
somewhat”, “agree mostly”, “strongly agree”, or “don’t know”. We assigned an ordinal
number from 1 to 5 to the above alternatives (5 meaning strongly agree). Results of the
83 projects using only COTS components are shown in Figure 6.
0
N = 82
A RC H. VS. F U NC .
From Figure 6, we can see that the median value of this question is 2. It indicates that
most respondents hardly agree that COTS components were selected mainly based on
architectural and standards compliance. So, we concluded that expected functionality
still constituted the main concern in COTS components selection.
To investigate T6.RQ1, we asked the same question as T2.RQ1 with another option
e):
165
Appendix A
e) The provider did not want to or could not change OTS component functionality as
requested.
Results show that 60% of the selected COTS components have been changed by
vendors according to integrators’ requirements.
6. Discussion
Our results support thesis T1. If “white-box” vs. “black-box” is regarded as the main
difference between COTS and OSS components, results of T1.RQ1 and T1.RQ2 show
that COTS and OSS component are not as different as people might assume. COTS
components were not always “black-box”, as 33% of the COTS components selected in
this study opened their source code to users.
If the source code is available, both COTS and OSS users tend to read the code.
However, both COTS and OSS component users did not change much of the available
source code. From this result, we can generally conclude that the OSS component was
used the same as COTS component, i.e. integrated without modification.
Our results support thesis T4. For COTS component selection, results of T4.RQ1 to
T4.RQ3 show that developers often choose a sub-optimal product only because they
already know it. Formal selection procedures try to find out the most optimal product.
However, these procedures might not be cost-effective in some industrial projects. As a
result, selection techniques should also include familiarity as a main criterion [12].
Results of T5.RQ1 do not support thesis T5. COTS components users believe that
functionality completeness is more important than architectural compliance in COTS
component selection. However, we need to interpret this result carefully. The result
does not claim that architectural and standard compliance are not important in COTS
component selection. One lesson learned from our pre-study was that easiness of
integration should be seriously considered before you decide to use a COTS component
[8]. The possible explanation for result of T5 is that all candidate COTS components
support required standards and architectures. So, the only comparable features are their
functionalities. Then, COTS components were appeared to be selected based on their
functionalities instead of architectural compliance.
For COTS component integration, results of T2.RQ1 contradict thesis T2, and show
that architecture mismatches were more frequent than standard mismatches. With the
maturity of COTS component standard, we believe that less standard mismatches will
occur in the future.
Results of T3.RQ1 support thesis T3. It means that missing or incomplete features in
COTS products raise significant problems. It is therefore important to develop effective
techniques that allow seamless extension of existing products [12].
166
Appendix A
Results of T6.RQ1 support thesis T6. It shows that COTS component users actually
pushed vendors to change the COTS components either because of bug fixes or new
features. However, this result does not imply that most COTS component users actually
influenced COTS component evolution. In general, we believe that the COTS
component evolution is decided by the vendors’ marketing strategy rather than the
requirements of a specific user, unless this user is very powerful.
6.4.1. Construct validity. In this study, most variables and alternatives are taken
directly, or with little modification, from existing literature. The questionnaire was pre-
tested using a paper version by 10 internal experts and 8 industrial respondents before
being published on the SESE tool. About 15% questions have been revised based on
pre-test results. One possible threat to construct validity is that respondents from
different companies may have slight different understanding on the same concept, such
as software architecture and architectural mismatches.
6.4.2. Internal validity. We have promised respondents in this study a final report and a
seminar to share experience. The respondents were persons who wanted to share their
experience and wanted to learn from others. In general, we think that the respondents
answered the questionnaire truthfully. However, different persons in the same project
might have different opinions on the same project. Asking only one person in each
project might not be able to get the whole picture of the project. Due to length limitation
of a questionnaire, we asked the respondent to fill in information of only one component
in the project. The possible threat is that other OTS components in the same project
might give different answers to our questions.
167
Appendix A
- T1: Source code of OSS components was read frequently with very few
modifications. OSS components were de facto used as COTS components, even
if the source code was available.
- T3: In the COTS components integration process, more addware had been built
than glueware.
- T4: Formal selection procedures were seldom used to select COTS components.
Familiarity-based and hands-on experiment based selection process were
frequently used in practice.
- T6: In most cases, COTS users managed to get their required changes in the
COTS components from COTS vendors.
Results of this study contradict the two (T2 and T5) other theses and concluded that:
- T2: There were more architecture mismatches than standard mismatches in
practice.
- T5: Functionality completeness was regarded more important than architectural
compliance in COTS component selection.
8. Acknowledgements
This study was partially funded by the INCO (INcremental COmponent based
development) project [14]. We thank the colleagues in these projects, and all the
participants in the survey
9. References
168
Appendix A
[7] Lawlis, P., Mark, K. E., Thomas, D.A., Courtheyn, T. “A Formal Process for
Evaluating COTS Software Products,” IEEE Computer, Vol. 34, No. 5, 2001, pp. 58–
63.
[8] Li, J., Bjørnson, F. O., Conradi, R., and Kampenes, V. B., “An Empirical Study of
Variations in COTS-based Software Development Processes in Norwegian IT
Industry,” Proc. of the 10th IEEE International Metrics Symposium, Chicago, USA,
September, 2004, IEEE CS Press (2004), pp. 72-83.
[9] Morisio, M. et al., “Investigating and Improving a COTS-Based Software
Development Process,” Proc. of 22nd International Conference on Software
Engineering, Limerick, Ireland, June, 2000, ACM Press, pp. 32–41.
[10] Norwegian Census Bureau (2004): Available at: http://www.ssb.no
[11] SESE tool (2004), Available at: http://sese.simula.no
[12] Torchiano, M. and Morisio, M., “Overlooked Aspects on COTS-based
Development,” IEEE Software, Vol. 21, No. 2, 2004, pp. 88-93.
[13] Yakimovich, D., Bieman, J., and Basili, V., “Software Architecture Classification
for Estimating the Cost of COTS Integration,” Proc. 21st International Conference on
Software Engineering (ICSE 99), ACM Press, 1999, pp. 296–302.
[14] INCO Project (2000): INCO project description, Available at:
http://www.ifi.uio.no/~isu/INCO.
169
Appendix A
170
Appendix A
1 Introduction
171
Appendix A
There is a consensus that the use of COTS components implies changes in the software
process [2]. Some studies focused on the whole software development lifecycle [1], [3],
and [10]. Others investigated the specific phase, especially in COTS component
selection and evaluation [5], [8], [9], [11], [12], [13], [14].
Boehm et al. [3] regard both the waterfall model and evolutionary development as
unsuitable for COTS-based development. In the waterfall model, requirements are
identified at an earlier stage and COTS components chosen at a later stage. This
increases the likelihood of COTS components not offering the required features.
Evolutionary development assumes that additional features can be added if required.
However, COTS components cannot be upgraded by one particular development team.
The frequent lack of code availability hinders developers to adapt them to their needs.
Therefore, Boehm et al. proposed that development models, which explicitly take risk
into account, are more suitable for COTS-based development than the traditional
waterfall or evolutionary approaches.
The National Aeronautic and Space Administration (NASA) has been developing
systems using COTS components for many years (see [10] for the summary of
experience made). Various processes, used across 15 projects, were examined and used
as a basis for a common COTS-based development process.
172
Appendix A
Based on case studies, researchers have proposed several COTS component selection
processes and methods. Some of the direct assessment processes, such as OTSO [5],
CAP [13], and CISD [8], assume that the requirements are fixed and select the COTS
components by comparing how well the COTS component candidates satisfy the
requirements. A formal decision-making process is usually used to select the “best”
COTS component [12]. The formal decision-making process usually includes three
basic elements: selecting evaluation criteria (factors), collecting and assigning values to
these criteria, and applying formal decision-making algorithms such as MAUT [9],
MCDA [11], and AHP [14]. However, both the study of Torchiano and Morisio [16]
and our exploratory study [6] showed that these formal selection methods were seldom
used. In fact, our exploratory study discovered two other popularly used selection
processes. One is familiarity-based selection process and the other is Internet search
with trial-based selection process. In addition, our exploratory study concluded that
there are common new activities and that the possible variations are when and how to
perform them, especially when and how to select COTS components. Therefore,
research questions RQ4 to RQ6 are designed to investigate how OTS components were
selected.
- RQ4: What was the actual selection process used?
- RQ5: When was the OTS component selected?
- RQ6: What was the relationship between the selection phase and the project
context, such as the familiarities with the OTS component candidate and the
importance of the OTS component candidate?
173
Appendix A
The general questionnaire design, sample definition and selection, and data collection
procedures are reported in [4], [7]. This study extended the exploratory study in two
dimensions. First, it included OSS components because they represent an alternative to
COTS components. Second, this study included much larger samples from three
countries - Norway, Italy, and Germany. In addition, the sample was selected randomly
instead of by convenience as in the exploratory study.
We have gathered results from 133 projects (47 from Norway, 48 from Germany,
and 38 from Italy) from 127 companies. In general, we selected one project from each
company. However, we selected more than one projects in three Norwegian IT
companies because those companies have many OTS-based projects and would like to
share more experience to this study. In the selected 133 projects, 83 used only COTS
components, 44 used only OSS components, and six used both COTS and OSS
components. Profiles of collected companies and projects are reported in [7].
4. Empirical results
The first research question RQ1 is to investigate the actual development processes used
in an OTS-based project. In the questionnaire, we asked the respondents to describe
their development process in detail, whereby the answers were then summarized by
different categories. The results are summarized in Figure 1 and show that the waterfall,
incremental, XP [18], German V-model [19], and prototyping model are those mainly
used in practice. Between these, the ‘incremental with prototyping’ model and XP was
the most popular. The German V-model was also used widely in Germany as the OTS-
based development process.
The second research question RQ2 is to examine whether the actual development
process was changed, considering the use of OTS-components. In the questionnaire, we
asked the respondents to select whether the actual development process was decided
before or after the make vs. acquire decision or after that. The results show that most
(75%) projects decided their main development processes before they started to think
about using OTS-components.
174
Appendix A
The third research question RQ3 is to identify the decision maker concerning the actual
development process. Within the questionnaire, we listed five options, such as
company/department rules, project manager, software architect, software developer, and
customer. The respondents were asked to select one or more from the options. The
answers reveal that in 29% of all projects the development process is predefined by
global company or department rules. In addition, concerning 14% of the remaining
projects the decision was at least affected by company/department rules. This trend is
especially obvious in Germany as the company rules dominated the development
processes in 65% of our studied projects.
The research question RQ4 is aimed at summarizing the OTS selection and evaluation
processes used in practice. Due to the length limitation of the questionnaire, we could
not ask the respondents to fill in the details of every OTS component in their projects.
Instead, they were asked to select one of the most important OTS components and fill in
the details for this component, named Comp.1. Information provided for Comp. 1 was
then used to investigate RQ5 and RQ6. To answer RQ4, we listed six possible activities
as named a) to f) in the questionnaire:
175
Appendix A
The respondents were asked to fill in “yes”, “no”, or “do not know” for these
options. The results are summarized in Figure 2 and show that activities a, c, e, and f
were those mainly used. Thus, the familiarity-based selection process (activity c) and
the Internet search, trial-based selection process (activity a, e and f) from the
exploratory study are proved to be more popular than a formal processes (activity d) in
general. However, the further analysis with Chi-square shows that there are significant
differences of the activities b and c between countries. In Norway and Italy, very few
projects used the activity b. However, activity b was popularly used in Germany. In
addition, almost all German projects performed activity c, while it was used only in half
projects in Norway and Italy.
From the exploratory study, we concluded that OTS components are selected in
different development phases. Thus, research question RQ5 was postulated to
investigate the selection phase of OTS component. The respondents were asked to select
one of five phases, ranging from pre-study to coding, as selection time. Figure 3 shows
that OTS components were selected in the early stages, such as pre-study, requirement,
and overall design, in most projects, especially in Germany.
RQ6 aims at investigating the correlation between the project context and the OTS
component selection process. We investigated two project context variables. The first is
the project members’ familiarity with the Comp.1, measured by a five point Likert scale
(i.e. very little, little, some, much, very much). The answers were coded into 1 to 5 (1
means very little and 5 means very much). The second variable is the importance of
Comp.1 in the system, measured by the contribution (in %) of ‘Comp.1’ to the overall
system functionality.
First, we investigated the correlation between the two context variables and the phase
in which Comp.1 was selected. The selecting phases are treated as an ordinal variable
and coded into the values 1 to 5 (1 means the pre-study phase and 5 means the coding
phase). The importance of Comp.1 was also treated as an ordinal variable, although it is
measured on a continuous scale. We then used the Spearman correlation test in SPSS
14.0 to investigate the correlation. The results are shown in Table 1 and reveal that the
selection phase of Comp.1 was weakly (with correlation coefficient value -.356)
correlated with the project members’ familiarity with it. It means that the project
members preferred to decide the familiar OTS components in the early stage of the
project. However, there is no significant connection between the importance of an OTS
component and the phase it was selected.
176
Appendix A
Second, we investigated the relationship between the two context variables with the
selection and evaluation activities performed. Since possible answers on the selection
and evaluation activity variable are “yes”, “no”, or “do not know”, we treated the
projects with “yes” and “no” answers as two independent samples and then compared
the mean differences of the two context variables. For the project members’ familiarity
variable, we used the Mann-Whitney test in SPSS 14.0 to compare their rank
differences. Results, presented in Table 2, show that project members will search the
internet for a possible candidate, if there is no proper or familiar candidate at hand.
177
Appendix A
Table 1. The correlation between the selection phase and the context variables
Context variables What phase was Comp.1 selected
Spearman correlation
Project members’ experience Correlation Coefficient -.356
with the Comp.1 Sig (2-tailed) .000*
The importance of the Comp.1 Correlation Coefficient -.132
Sig (2-tailed) .150
* P < .05
For the importance of Comp.1 variable, we used the independent T-test in SPSS 14.0
to compare mean differences, whereby the results are shown in Table 3. The overall
result is that there is no significant relationship between the selection and evaluation
activities performed with the importance of the OTS component.
Table 2. The relationship between selection activities and familiarity with the OTS
component
Selection activities Familiarity with Comp.1
Mann-Whitney Z Asymp. Sig
(2-tailed)
a) 1263.000 -2.407 .016*
b) 1072.500 -1.622 .105
c) 1626.500 -1.043 .297
d) 964.000 -.533 .594
e) 1724.500 -.870 .385
f) 1481.500 -.913 .361
(Selection activities a) to f) are explained in Section 4.4) * P < .05
Table 3. The relationship between the selection activities with the importance the
OTS component
Selection activities Importance of the Comp.1
t-test (equal variance not assumed) Sig (2-tailed)
a) .379 .706
b) -.971 .337
c) .804 .424
d) -.436 .666
e) 1.543 .126
f) 1.096 .278
(Selection activities a) to f) are explained in Section 4.4) * P < .05
Concerning the conclusions drawn in another study [3], we agree that using OTS
components in system development is bearing potential danger, especially when using
unfamiliar OTS components. Although the risk driven processes proposed in [3] may
give benefits, results of RQ1 show, however, that most projects integrate OTS
components successfully with traditional processes, such as waterfall, incremental with
prototyping, XP, or V-model. Results of RQ2 show that most actual development
178
Appendix A
processes were decided before the decision of using OTS components was made. In
addition, results of RQ3 show that company rules pre-defined the main development
processes in many OTS-based projects. According to the results of RQ1 to RQ3, we
summarize the state-of-the-practice of OTS-based development processes into seven
different scenarios. The classification of the scenarios is based on the phase of the make
vs. acquire decision and the developers’ familiarity with the OTS candidates.
In these scenarios (see Figure 4), project members prefer to evaluate the possibility of
using OTS components right from the start. Due to the time-to-market, cost, or capacity
issues, project managers realize that it is difficult, impossible, or not cost-effective to
make everything from scratch. In these scenarios, the first step is to do a make vs.
acquire decision (see step A in Figure 4). In case project members decide not to use
OTS components, the development process will be the same as the non-COTS based
development. If project members decide to use OTS components, they then need to
decide the main development process (see step B in Figure 4). To decide the main
development process, main issues are the traditional risks in a project, such as the
stability of the requirements. One of the other issues is their familiarity with possible
OTS candidates. According to the project members’ familiarity with the OTS
candidates, we define three scenarios from scenario 1 to 3.
In our investigated projects, only 25% can be classified into scenario 1 to 3, because
they decided their main development processes after they decided to use OTS
179
Appendix A
components. In these projects, 67% can be put into scenario 3, because they used
familiar OTS components.
The COTS-based development model in [10] illustrates the differences between
COTS-based development and traditional software development, such as new, reduced,
or modified activities. The underlying assumption of this model is that the rate or degree
of using OTS components is fixed in the very early phases of a project and that the main
development process has to be modified accordingly. The model can therefore be used
as a reference in scenarios 1 to 3.
Fig. 4. Scenario 1 to 3
In these scenarios (see Figure 5), the decision of using OTS component was not planned
or made in advance, i.e. there is no clear intention of using OTS components in the early
phases of such a project. Project members decide on the main development process
according to some non-OTS relevant factors, such as company rules and requirement
stability. Due to the time-to-market pressure or internal capability, project members
start to evaluate the possibility of using OTS components at certain stages of the project.
At an industrial seminar [17], several industrial participants mentioned such conditions.
According to the project members’ familiarity with the OTS candidates, we classify
three scenarios from scenario 4 to 6.
180
Appendix A
projects with pure waterfall processes, the project members may need to add a
short prototyping step to evaluate the OTS component and to negotiate the use
of OTS component with their customer.
- Scenario 5 – Unplanned OTS-based project with some familiar OTS candidates:
In this scenario, the project members decided to use OTS components in a late
phase. However, they do not have previous experience with all OTS component
candidates. In order to decide the main development process, the issues are
similar with those of scenario 4.
- Scenario 6 – Unplanned OTS-based project with familiar OTS candidates: In
this scenario, although the project members decided to use OTS components in a
late development phase, they have enough experience on the OTS component
candidates or are able to hire a person with such experience. In case the project
members have used the OTS component many times before, the OTS component
can be regarded as comparable to in-house built components. Although the use
of OTS component is a little risky due to the same reasons as described in
scenarios 4 and 5, this scenario is less risky because of using familiar OTS
components. It may not be necessary to do major changes to the current
development process.
Fig. 5. Scenario 4 to 6
In our studied project, about 75% of them can be classified into scenario 4 to 6,
because they decided their main development processes before they started to think
about using OTS components. In these projects, 65% used familiar OTS components
and therefore can be classified into scenario 6.
181
Appendix A
process is decided according to the use of OTS components. However, in a late phase of
the project, the project member may need to add some unplanned OTS component due
to the same reasons as scenario 4, 5, or 6.
The EPIC approach [1], like the RUP, consists of four phases and each phase
consists of one or more EPIC iterations. The information of four spheres of influences,
such as stakeholders’ needs, architecture design, risk, and marketplace, was gathered
and evaluated in each iteration. The project management, customer requirements, and
system architecture will be adjusted according to the trade-offs of the four spheres of
influences. Since every iteration includes a complete sub-process to make the trade-off
decision and select the OTS component, it is more flexible and suitable to be used as a
reference in scenarios 4 to 7.
The results of this study support our conclusion in the exploratory study [6], and shows
that the familiarity-based and internet search-based processes are frequently used in
practice. The results also confirm that OTS component selection can be performed in
different development phases (requirements, design, or implementation), depending on
the project context, especially on the familiarity with possible OTS components, and/or
the flexibility of requirements [6]. In addition, results show project members aim at
reusing familiar OTS components and selecting them in early phases. In our study, we
measured the importance of an OTS component by their contribution on the
functionality of the system. Although the results show no correlation between the OTS
component’s importance with the phase it was selected, we still suggest project
members to select OTS in the earlier phases, especially if the OTS component has a
tight coupling with other components.
In different scenarios shown in Section 5, different OTS component selection
strategies and processes can be used. In scenarios 1, 2, 4, 5, and 7, some unfamiliar OTS
component candidates are going to be used. The selection process for unfamiliar OTS
components can either be an internet search with hand-on trial-based, or a formal
selection process, such as processes shown in [5], [8], [9], [11], [13], and [14]. In
scenarios 3 and 6, all possible OTS component candidates have been used by the project
members, the selection process could mainly be familiarity-based.
In scenarios 1 to 3, the use of OTS component is well-planned. In general, the OTS
component will be selected in the early phase of the project in these scenarios. Selecting
OTS component in the early phase can help to design the software architecture with
consideration on constrains of the OTS components. Therefore, it is easier to avoid the
mismatch between the OTS components and other components in the system.
In scenarios 4 to7, the OTS components are usually be evaluated at a phase which
most of the other components are already integrated in the system. Since the goal is to
integrate the OTS component into the current system and to check its integration
thoroughly, integrate the demo version of the OTS component and do a hand-on trial is
necessary. In case the OTS component was selected in the very late stage of the project,
it is better to select a component that has a loose coupling with the other components.
OTS components tightly coupled with existing components may impose a high number
of changes onto the system.
182
Appendix A
7. Threats to validity
To avoid possible threats to the construct validity of this study, we performed a pre-test
to verify the questionnaire. In addition, we use a lot of effort to ensure the representative
of the sample. Detailed discussion on other validities issue of this study are reported at
[4], [7].
This paper has presented a state-of-the-practice survey on the process issues in OTS-
based development. We have studied 133 projects from Norway, Italy, and Germany.
The main findings are:
- The actual OTS-based development process was the traditional process with
OTS-specific activities. The development process was dominated by the
company/department rule instead of the decision of using OTS components.
- The actual OTS component selection can be done in different phases. The main
evaluation processes are familiarity-based or Internet search with hands-on-trial-
based. The phase to select OTS component has relationship with the project
members’ familiarity.
- The proposed software development process and OTS component selection
process need further investigation to be suited to different project contexts.
7. References
183
Appendix A
Industry. Proc. of the 10th IEEE Int. Metrics Symposium (Metrics'04), Chicago,
USA, Sept. (2004) 72-83.
7. Li, J., Conradi, R., Slyngstad, O. P. N., Bunse, C., Khan, U., Torchiano, M., and
Morisio, M.: Validation of New Theses on Off-The-Shelf Component Based
Development. Proc. of the 11th IEEE Int. Metrics Symposium (Metrics’05), Como,
Italy, Sept. (2005) 26.
8. Tran, V., Liu, D. B., and Hummel, B.: Component Based Systems Development:
Challenges and Lessons Learned. Proc. of the 8th IEEE Int. Workshop on Software
Technology and Engineering Practice, London, UK, (1997) 452-462.
9. MacCrimmon, K. R.: An Overview of Multiple Objective Decision Making. Proc. of
the Multiple Criteria Decision Making, University of South Carolina Press, (1973)
18-44.
10. Morisio, M., Seaman, C.B., Parra, A. T., Basili, V. R., Kraft, S. E., and Condon, S.
E.: Investigating and Improving a COTS-Based Software Development Process. Proc.
of the 22nd Int. Conf. on Software Engineering, Limerick, Ireland, June (2000) 31-40.
11. Morisio, M. and Tsoukias, A.: IusWare: a Methodology for the Evaluation and
Selection of Software Products. IEE Proceedings-Software Engineering, June (1997),
144(3):162-174.
12. Ncube, C. and Dean, J. C.: The Limitation of Current Decision-Making Techniques
in the Procurement of COTS Software Components. Proc. of the 1st Int. Conf. on
COTS-Based Software Systems (ICCBSS’02), Orlando, FL, USA, Feb. (2002),
LNCS Vol. 2255, Springer-Verlag Berlin Heidelberg New York 176-187.
13. Ochs, M., Pfahl, D., Diening, G. C., and Kolb, B. N.: A Method for Efficient
Measurement-based COTS Assessment and Selection - Method Description and
Evaluation Results. Proc. of the 7th IEEE Int. Software Metrics Symposium, London,
England, Apr. (2001) 285-297.
14. Saaty, T. L.: How to Make a Decision: The Analytic Hierarchy Process (AHP).
European Journal of Operational Research, (1990), 48(1): 9-26.
15. SEI COTS-Based Initiative Description. Software Engineering Institute, Pittsburgh,
(2004), http://www.sei.cmu.edu/cbs/cbs_description.html
16. Torchiano, M. and Morisio, M.: Overlooked Facts on COTS-based Development.
IEEE Software, March/April (2004), 21(2):88-93.
17. Li, J. Conradi, R. Slyngstad, O. P. N., Bunse, C., Khan, U., Torchiano, M., and
Morisio, M.: Barriers to Disseminating Off-The-Shelf Based Development Theories
to IT Industry. Proc. of the ICSE2005/MPEC workshop, St. Louis, Missouri, USA,
May (2005), 1-4.
18. Kent, B.: Extreme Programming Explained: Embrace Change. (1999) Addison-
Wesley.
19. German V-model: http://www.v-modell.iabg.de/#AU250
184
Appendix A
1 Introduction
185
Appendix A
2 Related Work
2.1 Risk Management in Software Development
Risks are factors that may adversely affect a project, unless project managers take
appropriate countermeasures. Risk management includes two primary steps each with
three subsidiary steps as described by Boehm [Boehm91], and shown in Figure 1. Risk
identification produces lists of project-specific risk items likely to compromise the
success of a project. Risk analysis assesses the loss probability and loss magnitude for
each identified risk item. Risk prioritization ranks the risk items identified and analysed.
Risk management planning helps prepare to address each risk item. Risk resolution
produces a situation in which the risk items are eliminated or otherwise resolved. Risk
monitoring involves tracking the progress of a project towards resolving its risk items
and taking corrective activities where appropriate.
186
Appendix A
In order to identify risks, a list of possible project risks must be produced. Boehm
[Boehm89] lists the top 10 risks by probing several large software projects and their
common risks. Barki et al. [Barki93] identified 35 variables, which are subsequently
used as a basis for creating scales in a project risk assessment instrument. The Software
Engineering Institute (SEI) [Carr93] has contributed significantly to the literature with
the SEI Taxonomy-Based risk identification instrument, which contains 194 questions.
However, the notion of building single all-encompassing risk taxonomy to be globally
used by all software developers is probably unrealistic. Thus, we may need different
risk taxonomies in different project contexts [Moynihan97].
A few other studies have classified software risk items, i.e., consider software risks
along several dimensions and have provided some empirically founded insights of
typical software risks and their variation. The risks can be classified into technical,
organizational, and environmental [Sherer95]. The possible risks can also be
summarized into a hierarchical holographic modelling (HHM) framework
[Chittister96]. Ropponen and Lyytinen [Ropponen00] empirically delineate six
components of software development risks, such as scheduling and timing risks, system
functionality risks, subcontracting risks, requirement management risks, resource usage
and performance risks, and personnel management risks. Keil et al. [Keil98] extracted
the experience of more than 40 software project managers and identified a universal set
of risk factors, such as customer mandate, scope and requirements, environment, and
execution. A following study investigated the relationship between these factors and
their effect on the result of the project [Wallace04].
During the risk analysis process, project managers have to consider each identified
risk and make a judgment about its probability to occur and seriousness. The project
managers can tabulate the results of this analysis process using a table ordered
according to the serious of the risk [Sommerville04]. The estimation of the seriousness
and the rank of the risk should be combined with cost estimation [Madachy97],
187
Appendix A
[Kansala97]. Once the risks have been analysed and ranked, the project managers need
to assess which are the most significant risks.
The purpose of identifying and analysing the risks is to manage these possible risks.
The possible risk management activities have been proposed from processes
[Boehm88], organization [Roppoen00], [Gemmer97], and technology [Hecht04]
viewpoints. However, many researchers advocate rather than investigate. As a result,
some advocated concepts are worth less than their advocates believe and there is a
shortage of evaluative research to help determine the actual value of new tools and
techniques [Glass01]. Although risk management proposals of the in-house software
development have been verified by a survey-based research [Verner05], few studies
have been performed to empirically investigate the risk management proposals in using
the OTS components.
In addition to the classical risks associated with developing large systems, OTS
components requires managers to modify their typical mitigation activities for some of
the classic risks and to develop new mitigation activities for risks that are particular to
the use of OTS components in a system.
Vigder et al. [Vigder96] investigated the specific risk issues in the COTS-based
development and point out the fundamental differences between COTS-based
development and building in-house are:
188
Appendix A
- If you reproduce or sell the product without the licensor’s permission, the
licensor might claim damages or force you to end the product’s production,
delivery and sale.
- Another exposure is infringement of third party’s patents or other intellectual-
property rights.
- A third risk area is the use of OSS in development activities when OSS is a tool.
The developed product may need to follow the licences of the OSS tool, i.e., the
code should also be open.
189
Appendix A
Since the OTS components involve both COTS and OSS components, risks and risk
management activities relevant to OTS components-based development are therefore
the subset of risks and risk management in component-based development, COTS-
based, and Open Source based development, as shown in Figure 2.
Although the mentioned risk management activities have been proposed to avoid the
corresponding risks in OTS component-based development, they are generally based
either on common sense or on small and non-representative case studies. Few empirical
studies have subsequently validated their conclusions. In addition, it is important to
compare the results of the performed risk management activities and to find out the
most efficient ones that mitigated a specific risk. The results can help project managers
put their (limited) resources on the most efficient risk mitigation activities to avoid
identified risks.
190
Appendix A
3 Research Design
In this study, we have used the conceptual measurement framework proposed by Bush
and Fenton [Bush90]. The study includes one entity (i.e., the project) and two attributes
(i.e., possible risks of the project and possible risk mitigation activities to avoid these
risks). There are also two relationships, i.e., risks are related to a project and risk
mitigation activities that IMPACTS risks. Before the start of a project, project managers
must upfront estimate how often the risks may happen, how much effort they need to
put in to certain risk mitigation activities, and how well the risks may be managed. The
relationships are shown in Figure 3.
To help project managers predict the possibility of risks and to plan the risk
management efficiently before a project starts, it is necessary to summarize practices
and results of risk management from finished projects. The research framework, as
shown in Figure 4, of this study is designed to do posteriori measurements (after the
project is finished) on the occurrence of project risks and the impacts of performed
risk management activities on these risks.
The first research questions RQ1, as shown in Figure 4, is to investigate the actual
risk incidence, i.e., how often had problems occurred in practice? The second research
question RQ2, is to investigate the execution of the risk management activities in
projects, i.e., how often had certain risk management activities been performed in
practice? The third research question RQ3 is to examine the effect of performed risk
management activities, i.e., how well the performed risk mitigation activities had
reduced corresponding risks? For a specific risk, we are interested in the most effective
mitigation activities.
191
Appendix A
In our study, we selected several typical risks and possible risk management
activities proposed in [Boehm03], [Faa03], [Li04], [Rose03], [CBSEnet04],
[Vitharana03], [Lawton02], [Fitzgerald04] [Torchiano04]. The selection criteria are:
- First, the risks and risk management activities should address the common issues
in the CBD, COTS-based development, and OSS-based development, as shown
in Figure 2.
- OTS component-based development encompasses three primary types of
stakeholders, namely component developers, application assemblers/integrators,
and customer. Different stakeholders have different risks and challenges
[Vitharana03]. We have selected risks and challenges that are relevant only to
the application assemblers/integrators.
- The selected risk management activities in our study focus mainly on process
and organizational issues, instead of technical methods, such as wrapping,
composition prediction, and testing.
192
Appendix A
193
Appendix A
The data was collected with a web-based questionnaire using the SESE tool [Sese04]
at Simula Research Laboratory. To answer research questions RQ1 to RQ3, we listed
the risks and risk management activities shown in Table 1 and 2. Respondents are asked
if these risks and risk management activities had occurred. The alternatives are “don’t
agree at all”, “hardly agree”, “agree somewhat”, “agree mostly”, “strongly agree”, or
“don’t know”. We assign an ordinal number from 1 to 5 to the above alternatives (5
meaning strongly agree). In addition, we asked if there are any dedicated personnel (or
knowledge keeper) in the actual project to keep track of OTS component
knowledge/information. The answer is “yes” or “no”.
The components investigate in our study have larger granularity than the component in
“OO” theory [Crnkovic02]. The main definitions used in the questionnaire are:
The questionnaire includes six sections. The three sections relevant to this study are:
We define the unit of this study as a completed software development project using
OTS components. The projects were selected based on two criteria:
194
Appendix A
195
Appendix A
Concerning research questions RQ1 and RQ2, we compared the occurrences of typical
risks and performed risk management activities. The results are visualized with the
boxplot graph.
The intention of research question RQ3 is to find out the correlations between
occurrences of risks and risk management activities performed. If there is a negative
correlation between the risk management activity and the occurrence of possible
problems, we assume that the performed risk management activity actually helped to
mitigate the possible problems. Since several performed risk management activities may
have helped to mitigate the same risk, we are only interested in finding out the most
effective risk mitigation activities.
For research question RQ3, we decided to use Nonlinear Canonical Correlation
Analysis (Nonlinear CCA) [Gifi90], [Michailidis98], because we face a nonlinear CCA
problem with a set of explanatory variable vector defined by a nominal (knowledge
keeper) variable and several ordinal (risk management activities performed) variables
and a dependent variable matrix defined by a series of ordinal (risk occurrences) scales.
The linear combination on the explanatory variable side is undefined, because we have
no metric to quantify the categories of each variable. The linear combination of the
variables on the dependent side is also undefined, because the categories of each
variable can be re-scaled by any nonlinear function the preserves monotonicity. Thus,
we need to optimally scale or quantify the variables while simultaneously solving the
traditional linear CCA problem of finding weights for each explanatory variable.
Nonlinear CCA corresponds to categorical canonical correlation analysis with optimal
scaling. The detailed introductions and discussions on using the Nonlinear CCA instead
of other analysis methods in this study are given in the Appendix A.
The nonlinear CCA used in this study is the OVERALS in SPSS version 14.0
[Spss06]. The outputs of the OVERALS in SPSS include several parts. The most
important ones are:
- The fit and loss values tell how well the nonlinear CCA solution fits the
optimally quantified data with respect to the association between the sets.
- The plot of component loading for the data. When there is no missing data, the
component loading is equivalent to the Pearson correlation between the
quantified variables and the canonical variate. The distance from the origin to
each variable point approximates the importance of that variable.
- The object score plots and centroids plots provide the remainder of the
information we need to interpret a nonlinear CCA solution.
4 Collected Data
We have gathered results from 133 projects (47 from Norway, 48 from Germany, and
38 from Italy) in 127 companies. In general, we selected one project from each
company. However, we selected more than one projects in three Norwegian IT
companies because those companies have many OTS-based projects wanted to
contribute more experience to this study.
196
Appendix A
As the occurrences of possible risks are measured with an ordinal scale, we used
boxplot to illustrate the distribution of the risk occurrences. The results are in Figure 5
and show that the most frequent risks are R2 (R_IntEff) and R8 (R_DefLoc). It means
that the integration effort was usually wrongly estimated. In addition, it was difficult to
figure out whether the defects are inside or outside the OTS components. The least
frequent risks are R3 (R_ComRel), R4 (R_ComSec) and R5 (R_ComPerf), i.e., the
problems relevant to the negative effect of the OTS components on the quality of the
whole system.
2
R
R
R
R
R
R
R
R
R
R
_C
_C f
_C
_I
_M
_C
_C an
_C
_P d
_M
_S
_R a
_D
nt
ro
el
om
om
om
om
om
om
eq
ef
ai
is
E
E
vI
L
sS
nt
R
ff
ff
Se
C
R
U
Pe
oc
nf
en
Pl
up
el
om
d
p
c
p
p
197
Appendix A
R
R
R
R
R
R
R
R
R
m
m
m
m
m
m
m
m
m
_I
_M
_S
_L
_C
_B
_U
_S
_U
_P
_C
nc
el
el
ea
ro
B
st
st
nf
pd
kt
Te
Q
A
Se
Ef
M
vW
rn
Fi
W
Fo
ua
rc
kB
st
Ef
l
rs
tc
ll
h
tc
l
t
f
h
uy
h
Fig. 6 Occurrences of Risk Management Activities
From Figure 6, we can see that the activities Rm4 (Rm_SelQual), Rm5
(Rm_LearnEff), Rm7 (Rm_UnfFirst), Rm8 (Rm_IncTest) and Rm9 (Rm_UpdFoll)
were used more frequently than others. It means that developers have seriously
evaluated the quality of the OTS components in the selection phase. They have
considered the possible learning effort in the effort estimation. They have done
integration testing as early as possible and they usually have internal expert to follow
the update of the OTS components. However, the activities relevant to the users, such as
Rm1 (Rm_CstMkBuy) and Rm2 (Rm_CstSel), were least frequently used.
5.3 RQ3: Correlations between the Risks and Risk Management Activities
The analysis is organized in six parts (See section 5.3.1 to 5.3.6). In the first section, we
analyze the correlation between the effort estimation risks, i.e., R1 and R2, with the risk
management activities Rm1 to Rm8, i.e., for development. Although Rm1 to Rm8 have
been proposed as effective activities to mitigate possible risks in OTS component-based
development, there are few empirical studies to verify and compare which risks they can
most effectively mitigate. The target of our analysis is to find out which of the activities
Rm1 to Rm8 are most effective to avoid overly optimistic effort estimation. Due to the
same rationale, we analyzed the correlation between the quality risks, i.e., R3 to R5, and
the risk management activities Rm1 to Rm8 in the second section. In the third section,
we analyzed the correlation between the requirements relevant risks, i.e., R6 and R7,
198
Appendix A
with the same Rm1 to Rm8. In the forth section, we analyzed the debugging and
deployment risks, i.e., R8 and R9, also with Rm1 to Rm8.
In the fifth section, we analyze the maintenance risks, i.e., R10 and R11, with Rm9 to
Rm13, i.e., for maintenance. In addition, we want to investigate whether the projects
involving a knowledge keeper had less maintenance problems than projects without this
role. Therefore, the existence of a knowledge keeper was also added as a risk
management variable. In the sixth section, we analyzed the correlation between the
vendor support risks, i.e., R12 and R13, with Rm9 to Rm13 and the existence of the
knowledge keeper.
The result of the correlations between the effort estimation risks, i.e., R1 (R_SelEff) and
R2 (R_IntEff) and risk management activities (Rm1 to Rm8) are analyzed with
OVERALS (two dimensions, some variables not multiple nominal, multiple steps,
random initial configuration) in SPSS. We selected to use two dimensions because the
upper bound of the number of the dimensions, i.e., the number of the canonical variates,
is the minimum of the number of the variables in each set [Gifi90]. In our study, the
minimum number of the variable in our analysis is two. Another reason for selecting the
two-dimension analysis is due to the interpretative convenience of two-dimension plots
[Gifi90]. The risk management activities (i.e., Rm1 to Rm8) are given to the first set
and each is defined as an ordinal variable with scale from 1 to 5. The effort estimation
risks (i.e., R1 and R2) are given as the second set and each is also defined as ordinal
variable with scale from 1 to 5.
The purpose of the analysis is to find out the most negative correlation between the
risk management activities and the occurrence of possible problems. The analysis
includes two steps:
- Step 1: For each possible problem, for example R1 (R_SelEff), we first check
the dimension (i.e., dimension 1 or 2) that R1 has been mostly loaded. If R1 is
loaded more in one dimension, for example dimension 1, it means that the
correlation between R1 and the dimension 1 is stronger than the correlation
between the R1 and dimension 2.
- Step 2: In the most loaded dimension of a risk, for example R1 (R_SelEff), we
then check the component loading to find out the risk management actions (i.e.,
Rms), which are in the peak positions of the opposite domain of R1.
The summary of OVERALS analysis show that 53% of the actual fit is accounted for
by the first dimension, and the 47% of the actual fit is accounted for by the second
dimension. The component loadings plots are shown in Figure 7 and detailed
component loading data are shown in Table 2 in Appendix B.
The results reveal that R1 (R_SelEff) is much more loaded (-.844) in the first
dimension (i.e., the horizontal axis) than (-.496) in the second dimension (i.e., the
vertical axis). R1 (R_SelEff) is in the negative domain of the first dimension and the
Rm5 (Rm_LearnEff) is in the peak of its positive domain.
199
Appendix A
R2 (R_IntEff) is also much more loaded (-.859) in the first dimension than (-.424) in
the second dimension. R2 (R_IntEff) is also in the negative domain of the first
dimension and the Rm5 (Rm_LearnEff) is in the peak of its positive domain.
The results illustrate that seriously taking the learning effort in consideration and
giving enough leeway on the learning curve helped to mitigate the effort estimation
risks.
For the quality risks, the results of the OVERALS analysis show that 51% of the actual
fit is accounted for by the first dimension and 49% by the second dimension. The
component loading plots are shown in Figure 8 and detailed component loading is
shown in Table 3 in Appendix B.
Results show that R3 (R_ComRel) is much more loaded (-.530) in the first
dimension (i.e., the horizontal axis) than (.264) in the second dimension (i.e., the
vertical axis). R4 (R_ComSec) is also much more loaded (-.643) in the first dimension
than (-.258) in the second dimension. However, R5 (R_ComPerf) is loaded weakly both
in the first dimension (.087) and the second dimension (.072).
Both R3 (R_ComRel) and R4 (R_ComSec) are in the negative domain of the first
dimension and the Rm8 (Rm_IncTest) is in the peak (with loading .456) of its positive
domain. In addition, Rm6 (Rm_BBEff) is very close (i.e., with loading .435, which is
4.6% less than Rm8) to Rm8 (Rm_IncTest) in the peak of the positive domain of the
first dimension.
The results illustrate that early incremental testing and black-box testing of the OTS
components in the selection phases helped to increase the reliability and security of the
OTS component-based system. However, none of our investigated risk management
activities helped to avoid the OTS components’ negative effect on the system
performance.
200
Appendix A
For the requirements risks, the results of the OVERALS show that 52% of the actual fit
is accounted for by the first dimension and the 48% by the second dimension. The
component loading is shown in Figure 9 and detailed component loading data is shown
in Table 4 in Appendix B.
Results show that R6 (R_ComAda) is loaded strongly both in the first dimension
(.647) and in the second dimension (-.620). R7 (R_ReqRen) is also loaded strongly both
in the first dimension (-.553) and the second dimension (-.761).
In the first dimension, R6 (R_ComAda) is in the positive domain and Rm6
(Rm_BBEff) is loaded (-.428) in the peak of the negative domain. In addition, Rm5
(Rm_LearnEff) is very close (i.e., with loading -.408, which is 4.6% less than Rm6) to
Rm6 (Rm_BBEff) in the peak of the negative domain of the first dimension. In the
second dimension, R6 (R_ComAda) is in the negative domain and Rm4 (Rm_SelQual)
is in the peak of the positive domain.
R7 (R_ReqRen) is in the negative domain of the first dimension and Rm7
(Rm_UnfFirst) is in the peak of the positive domain. In the second dimension, R7
(R_ReqRen) is in the negative domain and the peak in the positive domain is Rm4
(Rm_SelQual). Moreover, the results show that R6 (R_ComAda) and R7 (R_ReqRen)
are in different domains of the first dimension.
The results illustrate that evaluating the quality of OTS components carefully and
doing a thorough black-box testing in the selection phase may help to reduce the effect
of requirements changes. Integrating the unfamiliar OTS components first helped to
facilitate requirements negotiation with the customer. If the developers have
possibilities to (re) negotiate the requirements with their customer, it will also avoid the
occurrences of OTS components being unable to satisfy requirements changes.
201
Appendix A
For the debugging and deployment risks, the results of the OVERALS show that 52% of
the actual fit is accounted for by the first dimension and the 48% by the second
dimension. The component loading plots are shown in Figure 10 and detailed
component loading data is shown in Table 5 in Appendix B.
Results show that R8 (R_DefLoc) is much more loaded in the second dimension
(.961) than in the first dimension (.223). R9 (R_ComComp) is much more loaded in the
first dimension (-.829) than in the second dimension (.303).
R8 (R_DefLoc) is in the positive domain of the second dimension and Rm5
(Rm_LearnEff) is in the peak of the negative domain. R9 (R_ComComp) is in the
negative domain of the first dimension and Rm8 (Rm_IncTest) is in the peak of the
positive domain.
The results illustrate that more effort on learning the OTS components helped to
solve the most frequent risk, i.e., identifying whether the bugs were inside or outside the
OTS components. Starting the integration testing early helped to mitigate the possible
deployment problems.
202
Appendix A
For the maintenance risks, we used the same methods as others. However, the
knowledge keeper variable is added as a single nominal with the value “Yes” (coded as
1) and “No” (coded as 2). The knowledge keeper variable is added in the same set as
Rm9 to Rm11. The maintenance risks, i.e., R10 (R_MaintPlan) and R11 (R_CompUpd)
are added in the second set. The results of the OVERALS show that 53% of the actual
fit is accounted for by the first dimension and the 47% by the second dimension. The
component loading plots are shown in Figure 11 and detailed component loading is
shown in Table 6 in Appendix B.
Results show that R10 (R_MaintPlan) is loaded weakly both in the first dimension
(.286) and in the second dimension (.072). R11 (R_CompUpd) is much more loaded in
the first dimension (-.622) than the second dimension (.158).
The R11 (R_CompUpd) is loaded in the negative domain of the first dimension and
Rm9 (Rm_UpdFoll) is in the peak of the corresponding positive domain. It illustrates
that local experts following the update of the OTS component helped to make the
system up-to-date with the newest OTS components.
203
Appendix A
For the provider support risks, we used the same methods as the maintenance risks. The
knowledge keeper variable is also added in the same set as Rm9 to Rm11. The provider
support risks, i.e., R12 (R_ProvInf) and R13 (R_MissSupp) are added in the second set.
The results of the OVERALS show that 52% of the actual fit is accounted for by the
first dimension and the 48% by the second dimension. The component loading plots are
shown in Figure 12. The detailed component loading data is shown in Table 7 in
Appendix B.
It shows that the risk R12 (R_ProvInf) is much more loaded in the first dimension (-
.839) than in the second dimension (-.012). The R13 (R_MissSupp) is much more
loaded in the second dimension (-.624) than the first dimension (-.117).
R12 (R_ProvInf) is in the negative domain of the first dimension. The knowledge
keeper is also in the peak of the negative domain. The analysis on the centroids of the
variable “knowledge keeper” shows that the projects without a knowledge keeper (code
2 in the Figure 1 in the Appendix B) are in the lower left domain as the project with
high occurrences of risk R12 (coded 5 or 4 in the Figure 2 in Appendix B). It means that
projects without the knowledge keeper have more problems on getting the information
of providers than the project with this role.
R13 (R_MissSupp) is in the negative domain of the second dimension and Rm11
(Rm_ProvWtch) is in the peak of the corresponding positive domain.
The results reveal that the experience from the knowledge keeper and maintaining a
continuous watch on the providers’ support ability and reputation is an effective way to
ensure the providers’ support.
204
Appendix A
Nonlinear CCA is one kind of the Alternating Least Squares methods [Gifi90],
[Burg94]. All least squares techniques are prone to be over sensitive to outliers, and the
outlier problem is manifested in nonlinear CCA in a terms of variable categories with
small number of observations (small usually being defined as less than about five
observations). To avoid the outlier problem, samples with missing data are simply
deleted. In addition, we checked the sensitivity of the results in two steps:
- The first step is to identify abnormal/unusual data points by using the plot of
object scores (see Figures 3 to 8 in Appendix B). Results show that there are no
outliers that might tend to dominate the solution.
- The second step to verify our conclusion on the random subsets of the data. We
deleted one data point every 10th (i.e., 10th, 20th, 30th etc.) and run the same
analysis on the remaining data, which accounts for about 90% of the original
data. The conclusions based on the remaining data are the same as the
conclusions shown in sections 5.3.1 to 5.3.6.
Since we put data from three countries together in our data analysis, we wonder whether
the national differences will affect the direction and/or strength of the relationship
between the risk management activities and risks occurrences we discovered. It is
therefore necessary to verify the moderator effect of the country differences on our
conclusions. As we also put the data from projects using COTS component and projects
using OSS components into one analysis, the same validity analysis is done to figure out
whether the differences between COTS and OSS will have moderator effect on our
conclusions.
205
Appendix A
To analyze the effect of the national and OTS differences, we added the category
variable country and OTS types as the third set in each correlation between the risks and
risk management activities. The results show that our conclusions on the requirements
risks indeed are affected by the country variable. The component loading plots are
shown in Figure 13. It shows that the correlation between R7 (R_ReqRen) and Rm7
(Rm_UnfFirst) in Figure 9 is not valid anymore. Therefore, we need to interpret these
conclusions cautiously in different countries. The further analysis on the centroids of the
variable country and the centroids of R7 shows that Italy (coded 3 in Figure 9 in
Appendix B) is in the positive domain of the first dimension. It means that it has fewer
occurrences of R7 (R_ReqRen) (coded 1 in Figure 10 in Appendix B). On the other
hand, Germany (coded 1 in the Figure 9 in Appendix B) is in the negative of the first
dimension, which means that it has more occurrences of R7 (R_ReqRen) (coded 5 or 4
in Figure 10 in Appendix B). The occurrences of R7 (R_ReqRen) in Norway are
between Germany and Italy. The possible explanation is from the business etiquette in
different countries. The Geert Hofstede study [Geert06] indicates that “Germans do not
like surprises. Sudden changes in business transactions, even if they may improve the
outcome, are unwelcome.” On the other hand, a known Italian tacit is to dramatically
change demands at the eleventh hour to unsettle or test the flexibility of their
counterparts [kwintessential06].
The result of the correlations between the risks and risk management activities are
summarized in the Table 3.
206
Appendix A
Table 3 Summary of the Risks and Most effective Risk Management Activities
Results in Table 3 show that some risk management actives are more effective on
mitigating possible risks than the other activities. However, the effectiveness of the
activities may not be different valid in different countries.
6 Discussion
Both the effort in selecting OTS components and the effort to integrate them sufficiently
are difficult to estimate [Boehm03], [Mitre05]. Basili and Boehm [Basili01]
hypothesized that COTS-based development is currently a high-risk activity, with effort
and schedule overruns exceeding non-CBS software overruns. The results of the first
research question show that the wrong estimation of the integration effort happened
more frequently than other problems.
To estimate the selection effort correctly, Boehm et al. [Boehm03] propose to
identify the core “showstopper” requirements and filter all the OTS candidates that do
not meet these during the initial assessment and then proceed for a more detailed
assessment with the remaining OTS candidates. Although this method may be
applicable to limit the number of OTS components that need to be evaluated, it is still
difficult to estimate the possible effort to compare the limited OTS candidates, because
both technical and non-technical issues of the OTS components need to be evaluated
and compared [Rose03]. Our findings show that in case the effort on learning in the
OTS components has been seriously considered, it will be easier to estimate the
selection effort correctly. Boehm et al. [Boehm03] found that one common error in
OTS-based development is the overly optimistic OTS learning curve and propose that a
most likely OTS learning curve must be accounted for during planning and scheduling.
207
Appendix A
Initially, the OTS component’s functional capability must be well understood, which
can be a daunting task because there may be a significant amount of functionality to
learn and that functionality might involve new technologies to the team. Also, there is
more to learn than just the functionality. The methods of integration that the OTS
component employs must be understood sufficiently to ensure that the integration can
be succeeded into the current architecture. Since the intention of using OTS components
is to shorten time-to-market and to save development cost, OTS component users are
eager to acquire the components and to integrate them as soon as possible without
understanding them thoroughly. Rose [Rose03] pointed out that developers are usually
working with one or more OTS components for which they most likely have only a
partial understanding. To improve the estimation on the OTS integration effort, the
proposed activity is to use OTS-sensitive analytical and budget processes [Rose03],
[Faa03], such as COCOTS [Abts00]. In our study, we did not investigate the effect of
using COCOTS because our pre-study [Li04] did not find any companies using it.
Therefore, we did not investigate this activity because we wondered whether this
activity has been popularly used in industry. Although the results shown in Figure 6
reveal that the risk management activity Rm5 (i.e., effort in learning OTS component
was seriously considered in effort estimation) has been widely used, we still wonder
whether there are good tools to help the project managers to estimate the learning effort
precisely.
208
Appendix A
possible reason is that most OTS components investigated in our studies followed the
industrial standards or infrastructures - such as COM, CORBA, .Net, and EJB - by
default. The possible quality problems caused by the architecture mismatch itself are
therefore minimized.
Another popular issue on OTS component integration is the requirements changes and
mismatches with OTS component functionalities [Boehm03], [Faa03], [Rose03]
[Mitre05].
Since it is difficult to change the OTS component to follow the customers’ changes
in requirements, it is important for the OTS component integrator to be able to negotiate
requirements with the customer [Boehm03], [Rose03], and involving customers into
make vs. acquire decision and OTS component selection [Faa03]. However, our results
show that very few integrators have actually involved customers into the make vs.
acquire decision and the OTS component selection. Results of the study [Li04] illustrate
that it is not easy to negotiate requirements with the customer in OTS component-based
development. One reason is that customer only cares about the final product without
willingness or capability of knowing the technical details.
To mitigate the possible requirements risks, our results show that careful evaluation
and testing of OTS components in the selection phase helped to increase the possibility
to follow the customers’ requirements changes. The possible explanation is that people
understand the OTS components better when they did testing and quality evaluation in
the selection phase. They therefore know the capability and the possible extensions of
the OTS components.
Another possible activity is to first integrate the unfamiliar, i.e., high risk or critical
OTS components [Rose03], [Li04]. Integrating the critical components first helped to
provide the solid foundation for the architecture of the system [Rose03]. Integrating the
high risk or most complex components first can help to find problems in the early phase
of the project, which may give the integrator leeway to negotiate with their customers to
redefine the requirements [Lauesen06]. To negotiate the requirements with the
customer, educating the customer in requirements negotiation will be critical, but this
must be accomplished in a manner that is politically viable for the particular customer
[Rose03]. The possibility of negotiation depends on the willingness of the customer to
negotiate issues and to accept changes. Our results illustrate that customers in certain
business culture, such as in Germany, are more difficult to accept requirements
negotiation than others.
Our results show that the difficulty in locating the cause of defects happened more
frequently than other problems. Kotonya and Rashid [Kotonya01] point out that OTS
component offering similar functionalities may have very different system resource
requirements (i.e., memory and processor requirements). When a problem is identified,
it may not be obvious where the root cause of the problem is located. The problem
could be in one of the components, it could be in the integration code, or it could be a
misinterpretation of the semantic operation of a component interface [Rose03].
209
Appendix A
The results of the research question RQ3 show that this risk can be mitigated by
giving developers enough time to learn and understand the OTS components. Since both
COTS and OSS components are acquired from a third-party organization, it will require
a lot of time for the users to understand the underlying design and code in these
components. It is especially difficult for the COTS component users to use the
components properly when source code is not available. In case there are defects in the
OTS components or the interactions between the OTS components are not properly
controlled, it may take longer time for the component users to figure out the problems
than they had expected.
For the possible deployment problem, our findings indicate that an effective way of
controlling it is to start integration testing as early as possible. In the early days of
integrating OTS into a system solution, there was a false assumption that the need for
integration testing was either minimal or not needed at all. It seems that there was a
belief (actually a false hope) that once the OTS components were installed, the system
would be operational [Rose03]. The OTS providers are only knowledgeable in their
own OTS components. If there is no strong evidence that problems in the integrated
system are caused by a specific OTS component, the component vendor may not want
to help the users to debug and solve the problems. The benefit of doing integration
testing after one OTS component is integrated is that it is easy to conclude that the
problems lie in a specific component. An additional possible mitigating activity is to do
some analysis to determine the order in which the OTS components are to be integrated
[Spc01].
210
Appendix A
The personal capability and experience remain the dominant factors influencing OTS-
based development [Basili01]. Therefore, it is important to involve OTS-
knowledgeable individuals in all analytical processes [Faa03].
However, planning maintenance of an OTS component-based system is very difficult
because the OTS component users have no control of the release cycle of the OTS
components being used. Since the release cycle of the OTS component depends on the
marketing strategy of the component vendors, the component users usually have no idea
when the new release of the OTS component will be published. Our investigated risk
management activities focus on the activities that can be controlled by the component
users. Such risk management activities were not effective in mitigating the maintenance
plan risk.
We have promised respondents in this study a final report and a seminar (in Norway) to
share experience. The respondents were persons who wanted to share their experience
and wanted to learn from others. In general, we think that the respondents answered the
questionnaire truthfully. However, different persons in the same project might have
different opinions on the same project. Asking only one person in each project might
not be able to get the whole picture of the project. Although all questionnaires were
filled in through the web tool in Norway, questionnaires were mostly filled in by
211
Appendix A
telephone interviews in Germany. The different fill-in methods may bring biases to the
results of this study (a so-called “mode problem” in surveys).
In this study, most variables and alternatives are taken directly, or with little
modification, from existing literatures. However, we may omit some possible risks and
risk management activities because they were not mentioned in previous literatures. The
questionnaire was pre-tested using a paper version by 10 internal experts and 8
industrial respondents before being published on the SESE tool [Sese04]. About 15%
questions have been revised based on pre-test results.
OTS component-based development brings both benefits and risks. Although several
studies have investigated and proposed risk management activities in OTS component-
based development, few studies have verified and compared the effects of the risk
management activities on the corresponding risks. This study is an exploratory study on
examining the occurrences of typical risks in OTS-based projects and relations between
the occurrence of these risks and the risk mitigation activities performed. The intention
is to find out the most effective activities that helped to mitigate corresponding risks in
practice. The data was collected from 133 OTS component-based projects in Norway,
Italy and Germany. The analysis was performed with nonlinear canonical correlation
analysis, i.e., OVERALS in SPSS.
The results of this study show that two of the most frequent problems in OTS-based
projects are the incorrect estimation of the integration effort and inefficient debugging.
212
Appendix A
The least frequent problems are relevant to the negative effect of the OTS components
on the quality of the whole system. We also conclude that:
As this is an exploratory study, further studies are needed to confirm our conclusions.
The assumption of this study is that the a priori risk probabilities of typical risks in the
investigated projects are similar. However, it is possible that there are minor differences
in the a priori risk probabilities between projects. It is therefore necessary to follow
several OTS component-based projects from start by case studies. In the future, we plan
to examine the several projects by estimating risk probabilities before the project start,
following the project execution, and measuring the risk occurrences after the projects
are finished. The intention is to investigate the cause-effect of the risk management
activities on the corresponding risks.
Moreover, some of the conclusions of this study need further clarification. For
example, which knowledge needs to be kept and shared in the organization and how to
share it? How to estimate the possible learning effort needed when using the unfamiliar
OTS components? These research questions need to be further studied by case studies
or experiments.
Acknowledgment
The authors wish to thank Barbara Kitchenham for commenting on the data analysis
methods.
References
213
Appendix A
214
Appendix A
215
Appendix A
216
Appendix A
217
Appendix A
However, it cannot do both things at once. Thus, the risk factors identified using
principal component analysis represent hypotheses/theories that should have been
confirmed by an independent study before investigating risk strategies. The underlying
problem in this study [Ropponen00] (and many others) was trying to do too much in
one investigation.
218
Appendix A
Set Dimension
1 2
1 Rm1 -,271 ,042
Rm2 -,039 -,149
Rm3 ,226 -,414
Rm4 -,168 ,596
Rm5 -,408 ,165
Rm6 -,428 ,301
Rm7 ,538 ,214
Rm8 ,309 ,281
2 R6 ,647 -,620
R7 -,553 -,761
219
Appendix A
Fig.1. Centroids of the Knowledge keeper in the analysis of provider support risks
220
Appendix A
221
Appendix A
222
Appendix A
223
Appendix A
224
Appendix A
General Terms
Management
Keywords
Commercial-Off-the-Shelf Software, Open Source Software, Empirical Study,
Component-based Development
225
Appendix A
1. INTRODUCTION
2. RELATED WORK
226
Appendix A
However, few studies have investigated a higher level question: Why do I use COTS
instead of OSS components, or vice versa?
Some studies compared the differences between COTS and OSS products per se and
concluded that there is still no empirical evidence that OSS fosters faster system growth
and that OSS is more modular than closed source software [15]. However, there were
few systematic empirical studies of the commonalities and differences in integrating
COTS vs. OSS components in a software product. In order to guide the project decision
maker in deciding between an OSS component and a COTS component, it is necessary
to empirically investigate how the decision was made and what was the result of the
decision in finished projects.
3. RESEARCH DESIGN
The empirical study on decision making OTS based development followed a three step
approach. We started from a pre-study of state-of-the-practice and the challenges in
integrating COTS components. The pre-study was performed by structured interviews
of 16 COTS projects in 13 Norwegian IT companies selected by convenience [8]. The
study reported in this paper represents the second step, and investigated decision
making in OTS component-based development by a questionnaire-based survey. This
study extended the pre-study in two dimensions. First, it included OSS. Second, the
study included randomly selected IT companies from Norway, Italy and Germany. The
third future step will focus on investigating the underlining reasons of the conclusions in
the second step and more studies on OSS projects. It will be performed with structured
interviews and case studies.
Based on the design of the study a couple of research questions were defined. First, we
wanted to know the profiles of those using OTS components. Therefore, the first
research question is:
RQ1: What are the commonalities and differences in profiles of projects using COTS
components vs. those using OSS components?
We then wanted to know their expectation of using OTS components. The second
research question therefore is:
RQ2: What are the commonalities and differences in the expectation of projects
using COTS components vs. those using OSS components?
After we know who and why, we need to know the actual risks/problems of using
such components. We investigated whether the motivation and expectation of using
OTS components are proper or not. So, the third research question is:
RQ3: What are the commonalities and differences in possible risks (problems) of
projects using COTS components vs. those using OSS components?
227
Appendix A
In this study, we used a questionnaire to collect data. The detailed information of the
questionnaire and sample selection are reported in [3, 9, 10]
In [10], we reported the preliminary results of this study with 71 projects using only
COTS components and 39 projects using only OSS components. Now, the data
collection is finished. In total, we gathered results from 83 projects using only COTS
components, 44 projects using only OSS components, and six projects using both COTS
and OSS components.
4.1 RQ1: What was the Profile of Projects Using OTS Components?
228
Appendix A
good reliability and will follow the market trend. They also believe that the COTS
vendor will provide good technical support. We also listed specific expectations of
using OSS components listed in the questionnaire. Results show that the main
motivation of using OSS components is that code could be acquired for free and that
the source code is available.
In summary, results show that business considerations, such as reducing time and
cost, are the main motivation for using OTS components. OSS component users care
more about the initial investment. Another attraction of OSS components is that the
marginal cost of scaling up is zero, i.e. using OSS does not require additional licences as
the number of installations grows [18]. This benefit is especially important when
integrating OSS components into a software product with many installation bases.
Concerning the use of domain-specific OTS components, it is important to ensure
that the evolution of the selected OTS component will follow the market trend.
Although a COTS user cannot directly influence the evolution of the selected COTS
component, results of this study show that these users still trust that the COTS vendor
will update the component according to market needs. OSS components can be changed
out of similar market reasons, but can also be changed out of political or social reasons
– not necessarily in a direction suitable to the organization [6]. It is therefore important
for OSS users to ensure that they are planning to use the software in the way it was
intended to be used and the way most other users are using it. If OSS users stray too far
away from the beaten path, the OSS developers might not want to help them when they
run into trouble, or OSS developers will not accept the changes contributed by them
[11].
229
Appendix A
easy or cost-effective for COTS users to switch to another COTS component once they
have made the decision and paid for some selected components. Therefore, COTS users
might be more cautious in selecting the right COTS component and spend more effort
than estimated on selecting the best one. Without paying for the OSS components, OSS
users might be less cautious and might spend less effort on selecting the best OSS
component from several candidates. In addition, it might be easier for OSS users to
change the source code of the OSS component if their customers’ requirements do
change. Therefore, OSS components are ideal when the software solution requires high
customization [11].
OSS users had more problems on getting the information on a providers’ support
reputation. Although the preliminary data [10] showed the differences between the OSS
users and COTS users were significant, the current data (six months after the analysis of
the preliminary data) does not show such significant differences any longer. This might
be because more and more commercial organizations provide support to OSS
components. In fact, OSS components with support by a commercial organization
usually become more popular than components without such support [12]. In addition,
more and more OSS portals, such as sourceforge.net and freshmeat.net, have started to
measure the vitality and popularity of an OSS project. These metrics might have helped
OSS users to estimate the quality and duration of support they can expect.
This paper has presented the results of an international empirical study to investigate the
decision making of integration COTS or OSS components in software products. In
general, it appears that the motivation for using either COTS or OSS components and
the risks involved are important factors to be concerned. Future research has to pay
specific attention to these facts before defining systematic guidelines and methods.
Results of this study have answered the following three questions:
Based on these results we identified several emerging research questions that should
be investigated in the near future:
230
Appendix A
REFERENCES
231
Appendix A
232
Appendix A
1. INTRODUCTION
233
Appendix A
2. BACKGROUND
Our survey is the second phase of a systematic study on process improvement and risk
management in OTS based development. We started from a pre-study, focusing on
software process improvement in COTS based development, and being performed with
structured interviews of 16 COTS projects in Norwegian IT companies [11]. The
following main survey extended the pre-study in two dimensions. First, it included OSS
components because they represent an alternative to COTS components. Second, this
study included samples from Norway, Italy and Germany. In addition, the sample was
selected randomly instead of on convenience as in the pre-study.
The survey was designed to investigate six main research questions:
- RQ1: What are the main motivations of using OTS components instead of
building them in-house?
- RQ2: What are the real common OTS-based process models, and what are the
possible variances?
- RQ3: What is the OTS component selection process used in practice?
- RQ4: What risks have been identified and what are their relationships with the
project contexts?
- RQ5: Which risk management methods have been performed and with what the
results?
- RQ6: What are the differences between COTS and OSS components?
The unit of study is a completed software development project. The projects were
selected based on two criteria:
- The project should use one or more OTS components
- The project should be a finished project, possibly with maintenance, and possibly
with several releases.
In the data collection process, we promised our participants that we would report the
result of the study in the form of a seminar. After we have finished the data collection in
Norway (47 projects) and gathered some data from Germany and Italy (23 from
Germany and 20 from Italy), we held a seminar at Oslo in Feb. 2005 as we promised to
the Norwegian participants.
The intentions of the seminar include two parts:
- First, we would like to report our results by giving guidelines on how to improve
processes and manage risks in OTS based development.
- As most data of this study show only the state-of-the-practice, we do not know
possible cause-effect relationships of our conclusions. We therefore had one hour
discussion as the second part of the seminar to get feedback from the participants.
234
Appendix A
the second part, we hypothesized some questions based on the survey result. We also
listed our assumed explanations on these questions. Industrial participants gave their
opinions to support or reject our explanations.
3. RESULTS
Concerns and comments from industrial colleagues gave us valuable ideas on what we
need to do in order to disseminate OTS based development theories into industry. We
have summarized industrial concerns and comments into five barriers.
Industrial answers: Industrial colleagues agreed with our second explanation. They
said people would not like to change the way they work. They think it is either too
expensive or too difficult. They argued that there were few empirical studies to
investigate the cost and benefit of the proposed COTS-based development processes. It
is therefore difficult to convince industrial developers to use them. They do not want to
change their development processes dramatically, being a painful procedure, without
enough confidence.
Relevant studies: Some previous studies have analysed the barriers of using COTS
information technology based on lessons learned in small and medium sized companies
(SMEs) [18]. The conclusions are:
- SMEs do not formally define their processes and tend to use tribal knowledge.
- SMEs use flexible processes as a competitive advantage and take pride in that
flexibility. Changing this approach is difficult, because many SMEs equate
process flexibility with having undocumented processes.
- The culture within SMEs is one of informal teamwork and therefore is resistant
to formalism or change.
Our insight: In our study, we excluded companies with less than 5 employees
because most such companies do not have a formally defined process. Most companies
in our study have one de-facto process, such as RUP or CMMI. The reason for not using
a formal COTS process is not because they do not have any formal development
process.
However, before adopting their process into a formal process, such as EPIC [1], the
industrial practitioners will need evidences that the formal process is more cost-
effective. It is also necessary for them to know how to downsize a formal process
235
Appendix A
Although many formal OTS selection processes have been proposed [4, 9], results of
this study and some other studies [20] showed that they were seldom used in practice. In
the discussion section, we asked why they did not use these formal selection processes.
Our assumed explanations were:
Relevant studies: The balance between COTS uncertainty risks and risks resulting
from project delay has been investigated by an empirical study [16]. They concluded
COTS assessment appears qualitatively intuitive for any given aspect. However there
are often many factors that must be considered simultaneously. The impact of all
considerations may be quite complex and counter intuitive.
Our insights: Most formal selection processes were proposed without evaluations on
their pre-conditions and their cost-benefit. For example, the selection process for fine-
grained small OTS component (the object of this study) would be different with
selection process for large OTS suites. The large OTS suites usually have more features
than required from the customer. How to evaluate these extra features have not been
investigated in current formal selection processes [15]. In addition, most selection
processes assumed that the general software architecture was ready before OTS
selection. However, our studies discovered that the OTS component can be selected in
the pre-study phase, requirement phase, general design phase, detailed phase, and
coding phase [11]. That is, how to customize the formal selection process according to
little information needs future studies.
236
Appendix A
3.3 The barrier to sharing OTS based development knowledge inside company
Our pre-study and some other studies [14] showed that a new role, an OTS knowledge
keeper, is necessary in COTS-based development, Result of this survey showed that
projects with a dedicate person keeping fresh of the knowledge of OTS component had
fewer problems (see problems we listed in [12]) than projects without it. The results
also show that the more project members had general experience with OTS-based
development, the fewer problems they had in their projects. In the discussion section,
we asked what other knowledge is necessary, in addition to the technical insights in
concrete OTS components.
Industrial answers: Industrial participants argued that general risk management and
cost estimation experience must be shared. However, they had no good idea on how to
do it. Moreover, they were interested in how much effort the knowledge keeper needs to
spend on OTS component based development and what kind of knowledge needs to be
kept.
Relevant studies: In study [6], the authors concluded that a pre-fabricated, reusable
set of generic requirements, based upon the practical analysis in business environments
of application and COTS middleware components characteristics helped to ensure the
success of COTS middleware selection.
Our insight: Knowledge accumulation and transfer inside a software company and
software projects have been investigated in other software development fields.
However, what knowledge should be documented and shared in OTS-based
development has seldom been investigated. It is therefore difficult for industrial
practitioners to collect and share relevant OTS based development knowledge.
Barrier three: Few studies on knowledge accumulation and transfer delayed the
dissemination of the OTS based development experience.
Our study compared the differences between projects using only COTS component with
project using only OSS components. Results show that OSS users have serious
problems in getting the support reputation information on OSS component providers
[13]. We asked the question: How to evaluate the support reputation of OSS
community?
237
Appendix A
Relevant studies: OSS component have been used more popular in commercial
projects. As discussed in [7], how to establish credible and mutually acceptable
combinations of OSS delivery and procurement models therefore needs future research.
Our pre-study showed that customers’ involvement on OTS component selection and
decision making could be a good risk mitigation strategy. It gives integrators the leeway
to (re) negotiate requirements when the limitations of an OTS component are found at
the very end [11]. However, data of this study shows that this strategy has been seldom
used in practice. We asked the question: why customer had seldom been involved in
COTS component decision making?
Industrial answers: Industrial colleagues explained that their customers either had
no technical background to make such decisions or cared only the final product without
considering the technical details. So, the integrators had to take all the responsibilities
on OTS component decision making. As a result, the requirements (re)negotiation
because of OTS component’s limitations is impossible in practice.
238
Appendix A
This paper has reported some industrial obstacles to conduct OTS based theory into
practice. We believe that answers to these barriers will help to improve OTS-based
development practice in industry. In the future, we plan to study on these barriers by
case studies and personal interviews.
5. ACKNOWLEDGMENTS
This study was partially funded by the INCO (INcremental COmponent based
development) project [8]. We thank the colleagues in these projects, and all the
participants in the survey and seminar.
REFERENCES
239
Appendix A
Li, J., Conradi, R., Slyngstad, O. P. N., Torchiano, M., Morisio, M., and Bunse, C. A
State-of-Practice Survey on Risk Management in Off-the-Shelf Component-Based
Development. In Proc. of the 4PthP Int. Conf. on COTS-based Software System
(ICCBSS’05), (Bibao, Spain Feb. 2005), LNCS Vol. 3412 Springer-Verlag, 2005,
278-288.
Li, J., Conradi, R., Slyngstad, O. P. N., Bunse, C., Khan, M., Torchiano, M., and
Morisio, M. An Empirical Study on Off-the-Shelf Component Usage in Industrial
Projects. Forthcoming in the 6PthP Int. Conf. on Product Focused Software Process
Improvement(PROFES 2005) (Oulu, Finland, June, 2005)
Morisio, M., Seaman, C.B., Parra, A. T., Basili, V. R., Kraft, S. E., and Condon, S. E.
Investigating and Improving a COTS-Based Software Development Process. In Proc.
of the 22PndP Int. Conf. on Software Engineering (ICSE 2000). (Limerick, Ireland,
June, 2000). ACM Press, New York, NY, 2000, 31-40.
Perrone, V. A Wish List for Requirements Engineering for COTS-Based Information
Systems. In Proc. of the 3PrdP Int. Conf. on COTS-Based Software Systems
(ICCBSS’04) (Redondo Beach, CA, USA, Feb. 2004), LNCS Vol. 2959, Springer-
Verlage, 2004, 146-158.
Port, D. and Chen, S. Assessing COTS Assessment: How Much Is Enough? In Proc. of
the 3PrdP Int. Conf. on COTS-Based Software Systems (ICCBSS’04) (Redondo
Beach, CA, USA, Feb. 2004), LNCS Vol. 2959, Springer-Verlage, Berlin Heidelberg
New York (2004), 183-198.
Port, D. and Chen, S.,: Empirical Analysis of COTS Activity Effort Sequences. Proc. of
the 3PrdP Int. Conf. on COTS-Based Software Systems (ICCBSS’04) (Redondo
Beach, CA, USA, Feb. 2004), LNCS Vol. 2959, Springer-Verlage, 2004, 169-182.
Robert, J., Buhman, C., Garcia, S., Allinder, D., Bringing COTS Information
Technology into Small Manufacturing Enterprises. In Proc. of the 2PndP Int. Conf.
on COTS-Based Software Systems (ICCBSS’03), (Ottawa Canada, Feb. 2003),
LNCS Vol. 2580. Springer-Verlag, 2003, 187-195.
SEI (Software Engineering Institute). COTS-Based Initiative Description.
http://www.sei.cmu.edu/cbs/cbs_description.html. 2004
Torchiano M. and Morisio M., “Overlooked Facts on COTS-based Development”, IEEE
Software, 21, 2, (March/April 2004), 88-93.
240
Appendix A
1. Introduction
241
Appendix A
Although the survey topic is CBSE, the focus of this paper is to convey some
reflections and lessons learned in performing a large-scale, multinational survey of
software engineering in the ICT industry. For a definition of “component”, see [30]. Let
us summarize the overall survey process:
We scanned the literature to formulate research hypotheses and questions. Sampling
was planned.
NTNU and the Simula Research Lab in Oslo performed a pre-study on COTS
(Commercial-Off-The-Shelf) development through on-site, structured interviews of 16
projects in 13 companies in autumn 2003 [18].
Based on the pre-study, we started preparing the main study in late 2003. This
included questions on OSS components, and extended the survey to Germany and Italy.
We designed a more formal questionnaire for this study in spring 2004, translated it into
Norwegian, German, and Italian and installed it on the SESE web server at the Simula
Research Lab [28].
The main study was performed in May 2004 – March 2005. We got name lists of ca.
500 ICT companies in each country. For each company, we got hold of a possible
respondent over the phone. This person was asked to identify a suitable OTS-based
project (Off-The-Shelf, being either COTS or OSS), and encouraged to answer the
questionnaire. Most respondents filled in the web-questionnaire him/herself, but some
were filled in by phone interviews. Per 16 August 2005, 133 company responses have
been recorded.
We are now analysing and publishing the results [19]. The survey has taken much
more effort than anticipated, so we need to reflect on the choices, e.g. on sampling,
approaching the companies, filling in the questionnaire etc.
The three research partners (NTNU/Simula, IESE, Torino group) have been working
on software reuse, CBSE, process improvement, and industrial studies for over 15 years.
We have planned and conducted the entire survey with no physical meetings, just email
contact and two-weekly phone meetings – even the web server has been accessed
remotely.
The main conclusions of this paper are that we at best can obtain a stratified-random
sample of ICT companies, and thereafter a convenience sample of relevant projects. The
sampling and contact process can be exceedingly expensive, and national process
variations are difficult to avoid. This in turn can lead to uncontrollable method biases.
This paper is a method paper to reflect on the main study. The remainder of the paper
is structured as follows. Section 2 presents some related work. Section 3 discusses
definition of population, and Section 4 how to make a sample from this population.
Section 5 discusses questionnaire design, and Section 6 discusses the company contact
process. Section 7 has lessons learned, and Section 8 concludes the paper.
There are many different types of empirical studies for software engineering [31].
Several guidelines have been published for how to conduct such studies [15] [4]. Aside
from action research and case studies, the following two study types seem most relevant
for CBSE, but are not discussed in [31]:
242
Appendix A
Sometimes there is a sequence, even an iteration, in the studies. That is, we start with
local case studies and through interviews end up with a survey, reflecting increased
theory building and generalization. As an example, the research partners have
previously carried out case studies of CBSE at NASA [22], at Ericsson [20] and in
German companies [2].
There is a massive literature from the social sciences on how to perform valid and
reliable surveys - e.g. regarding questionnaire design, sampling, and how to contact the
respondents [10]. A challenge in international surveys is to stay methodologically
similar across countries to avoid national bias, e.g. with sampling, contacting, and
questionnaire fill-in.
Typical samples are based on convenience (reusing previous contacts), snowball
(from a few seeds like a pyramid game), randomly selected subsets (from some
population list), or stratified subsets (considering e.g. ICT sub-sector, company size, or
country). Typical ways to fill in a questionnaire are by paper copy via post or possibly
fax, by phone or site interviews, and recently by email or web. The questionnaire can be
filled in either by the respondent her/himself or by an interviewer. Interviews, or phone
contact in general, may result in a higher response rate, and may also contribute to
quality-assure the returned data. However, they cost more to perform and some answers
may be influenced by the interviewer, possibly resulting in dishonest answers (a “mode”
problem, see later discussion in Section 5).
When asking about past events, in our case finished software projects, a respondent
may have to think a bit, retrieve old documents, or speak to colleagues. This may take
time and effort. We must therefore offer a print-out version, in addition to a web-
questionnaire - read on the bus, or similar.
There have been published some more specific advice for surveys on software
engineering [25], and for how to use web-based questionnaires in surveys [26].
However, even these more ICT-specific papers have not been of much help in our
sampling and contact process.
243
Appendix A
In light of the issues discussed in Sections 2.1 and 2.2, we will briefly present some
published software engineering studies. The external validity or generalizability of all
these surveys is speculatively or not at all discussed, because the population and
associated sample are not clearly specified. First some non-CBSE surveys, summarized
in Table 1, then an annotated list of CBSE surveys as shown in Table 2.
244
Appendix A
As with these studies, most published surveys in our field fail to report on how the
population is defined, what ICT sub-sectors are covered, what sampling procedure has
been applied, how representative the final sample is, what the mean and median
company sizes are etc. Even most controlled experiments in our field, where the
demand for rigor is high, have similar problems. Furthermore, generalizability raises
more fundamental concerns than valid statistical sampling [17].
245
Appendix A
This has two parts: how to define the ICT sector (Section 3.1), and how to define our
study objects inside this (3.2). We will use the terminology at
(www.socialresearchmethods.net/kb/sampterm.htm):
We generally have a problem in defining our study population of ICT companies, or the
commercial ICT sector. In our study, this should be defined for three countries, and is
expected to be representative for the ICT sector world-wide, the theoretical population.
A quick glance at public statistics, however – using Standard Industry Codes from the
US Census Bureau or their EU/OECD adaptation as four digit NACE codes [24] – gives
little clue of what is ICT or not. For instance, the software business is bafflingly
categorized under sector K for “Real estate, renting and business activities”. Thus,
OECD, SSB (the Norwegian Census Bureau), and similar national agencies have jointly
defined the following four sub-sectors to constitute the ICT sector in a country:
We will use ICT sector as the general name. In Norway, this sector comprises 4-5%
of the economy, excluding public services, i.e. it is the biggest industrial sector after
petroleum. Of course, the trade sub-section (5x.xx) is not very R&D-intensive, and
hence outside the scope of our study.
In addition comes the ICT contents sector (database and web services, media
industry etc.), expected to be finally classified by OECD et al. in 2007. There is also
internal software development outside the ICT sector – as part of finance, engineering,
public services etc. This is considered by the EU to be larger than the ICT sector itself.
We will not deal with the contents sector or the non-ICT sector (including the public
one) here, other than including some large non-ICT companies in our survey.
As a start, let us look at the structure of the ICT sector in Norway [29]. By employee
is meant both owners and hired staff. By company (the Norwegian SSB uses the term
enterprise) is meant a “legal” economic unit (typically a public shareholding company),
not just an internal development department or a branch office. Some comments are:
246
Appendix A
- For software, ICT as well as the total, over 2/3 of the companies are small (1-4
employees) and with a median of 1 employee. The company average is 4.5
employees for software, 7 for all ICT, and 5 for the total. Only 0.5% (46) of the
software companies, 1.5% of the ICT companies, and 0.5% of all companies
have 100 or more employees.
- 8,228 (about 2/3) of the 12,861 ICT companies are software companies (NACE
code 72.xx), having over 40% of the employees. Of the 7,171 software
companies with 0-4 employees, 4,113 have one employee and 1610 have no
employees!
- Ca. 30% of both software and ICT employees work in companies with less than
20 employees, 30% in companies with 20-99 employees, while 40% work in
companies with 100 or more employees.
- There are regrettably some deviations in the totals, since they are drawn from
different SSB sources.
- The ICT company distribution in Germany [8] and Italy [14] in 2002 shows that,
as in Norway, most ICT companies are small. In Germany, the average software
company has 7 employees and the ICT average is 13. 1% of German software
companies have 100 employees or more. In Italy, the average software company
has 4.5 employees, the median is 1 employee, and the average ICT company has
7 employees.
The software company distribution in the US in 1997 can be found in [9]. The US
pattern is similar to that described in Europe, with many small companies and a median
of 1 (!) employee. However, the average company size is 150 employees in the US (4.5
in Norway, 7 in Germany, 7 in Italy), and 3% of the software companies had 100 or
more employees.
The documented structure of the ICT sector in all these countries has clear
consequences for defining our population and later samples of this (Section 4). We have
four main sources for concrete names of ICT companies in our study population, called
P1-P4:
In all such lists, there will be a substantial share of outdated information: ceased
companies, mergers or split-ups, or companies with e.g. new names, contact persons,
locations, or phone/email addresses. All this reflects a very dynamic marketplace.
247
Appendix A
For many ICT surveys, including this one, we do not only have a problem in defining
the population of all ICT companies, and later samples with respondents of these. Our
real problem is that the actual study object (experimental unit) – a special kind of
project – is not identical to the primary object (accessible sampling unit), being a
company or a respondent.
To be precise, our study object is “finished software project using OTS components”.
The corresponding study topic is “OTS-based development processes”. In other studies,
the study object could be “maintained software system” (to study software evolution
processes), “finished software project” (to study estimation accuracy), or “applications
of inspection methods” (to study related cost-efficiency).
Thus, we should first ask “every” ICT company (see 3.1) in the relevant countries to
comprehensively document all recent instances of OTS-based projects, e.g. by an
explorative pre-study. We might even conduct such a pre-study in two steps: first
identify “typical” software projects, and then identify the “OTS” subset of this. But
which project attributes should be collected to serve as later sampling criteria, and how
to validate such criteria? We could consider company size, company profile, project size
and duration, application domain, lifecycle process, developer skills, development
technology, actual OTS-components being used etc. etc.
The above circumstances mean that many companies may have to give us project
data, that later will be unused (“wasted”). Due to resource constraints and logistical
problems, it seems totally unrealistic to perform such an explorative pre-study of a
potential population of relevant study objects, both from the research and industry side.
Furthermore, only 1/3 of the sampled ICT companies in our survey had OTS-based
development. This share would be close to 100%, if the study topic was effort
estimation or software maintenance – i.e. activities that all companies routinely perform.
In surveys in medicine and social sciences, the population is often well-defined and
coming from reliable public sources, although use of volunteers leads to an open-ended
population. There, however, a responding person often matches the actual study object.
A valid sample is a representative subset of the study population. Sections 3.1 and 3.2
have indicated some problems in defining the study population in software engineering
surveys in the ICT sector. Then, how to pick a valid sample from a poorly or even un-
documented population of study objects? Even if we had a complete list of all OTS-
based projects, what would be the selection method – complete, stratified, random, or
combinations?
At best, we can establish a hopefully representative population of primary objects
(ICT companies) from which we can draw a valid sample. The study population of ICT
companies may be defined as described in 3.1. We could then draw either a complete or
a random-subset sample of primary objects as defined by P1-P3, or a stratified-random-
subset sample from P4, as mostly done here.
The final sample will be a convenience sample of study objects (OTS-based
projects), that the actual contact person (respondent) in the selected ICT company is
248
Appendix A
willing to provide. We can expect one or two such projects per company, but mostly
none.
In our case, we needed about 50 study objects from each country to achieve
statistical significance, given our research questions and related questionnaire questions.
We therefore planned to ask about 250 companies in each country. Assuming an overall
response rate of 1/3 or around 80 answers in each country, that would give us a
satisfactory yield with some margin. (In reality, we needed 400-500 companies to get 50
responses per country). However, we should not draw a random sample from “all” ICT
companies. Based on the documented structure of the ICT sector, our sample frame
should ideally be stratified according to NACE code and company size.
For the Norwegian sample, our sample frame consists of three groups of ICT
companies: large (all ICT sub-sectors including some non-ICT ones), medium (only
software), and small (also software). Each group has roughly the same amount of
software developers. The sample frame is then as follows:
- All large ICT companies (with 100 or more employees) with any ICT-relevant
NACE code; totally 114 companies and with average size of 330 employees. We
sampled the topmost 100 of these 114 ICT companies, and 26 turned out to be
software companies.
- Additionally, simply the 3 largest companies in 5 non-IT sectors (finance,
engineering, energy, food processing, public/other). We sampled all these 15
companies.
- All medium-sized software companies, NACE codes 72.xx (20-99 employees),
totally 228 companies with average size of 40 employees. From this we randomly
sampled 100 companies (increased to 200, due to poor response rate).
- All small software companies, NACE codes 72.xx (5-19 employees), totally 783
companies and with average size of 9 employees. From these 783 companies we
randomly sampled 100. We removed those with 0-4 employees, as they represent
87% (7171) of the companies, but only 19% (7514) of the employees. They are
not expected to have very structured work processes, and are assumed irrelevant
for our study.
We got company names for year 2002 for category 1, 3, and 4 of ICT-companies.
Randomization for category 3 and 4 was performed beforehand, and the data sent to us
as spreadsheets via email. The 15 large non-ICT companies in category 2 are from a
business magazine for year 2002.
Some observations: The Norwegian SSB struggles with incomplete or erroneous
company lists. SSB has one part-time person on ICT and twelve on agricultural
statistics! SSB has cooperated with one of the Norwegian industrial ICT organizations,
IKT-Norge, since 1998 to help establish a reliable database of Norwegian ICT
companies. IKT-Norge has recently set up the Infosector subsidiary [33] to sell services
around this database. This subsidiary turned out to be the only practical way to get a
stratified sample of the official database on electronic form, based on NACE category
and company size. We hence got the requested company list very fast at a low price
(1250 euro) – on the condition that we reported back anomalies in the data.
For the German sample, we got a list of company names for the years 2001 and
2002 from the German census bureau (Statistisches Bundesamt) for the four sub-sectors
249
Appendix A
of the ICT industry, enhanced by major non-ICT companies whose revenues are largely
based on software (e.g., Siemens, DaimlerChrysler, Allianz). These lists were then
validated using our customer database (e.g., removing falsely classified organizations or
companies which clearly do not develop software, such as hardware stores). From the
resulting sample frame of 430 companies, we selected a random sample for each
category. Each sample was then cross-checked with the IESE customer database in
order to obtain a contact point.
For the Italian sample, there is no national directory of ICT companies available to
us. We therefore started with a study population of 43,580 assumed software companies
from the yellow pages in 2001 (the same database as in the ELISS project on OSS [3]).
From this population, we made a sample frame of 6,000 possible company contacts.
From this sample frame, we randomly picked a sample of 747 companies, which we
cross-checked (by web etc.) that their addresses were still valid and that they really did
software development. We were left with 248 software companies, whereof 125 were
using OTS components. 118 of these accepted to fill in the web-questionnaire.
However, many potential respondents didn’t know what an OTS component was.
Tables 3 and 4 show the response rates in the three countries. In “Likely” we have
pruned duplicates or irrelevant items such as holding companies. “Contactable” means
the company coordinates were still valid.
Reflections on sampling and response rates:
- For all countries, there were problems in classifying large and perhaps
international ICT corporations, with many daughter companies and divisions.
That is, what is the relevant company unit? A company (legal economic unit)
may have 10,000s of employees, but a local business unit (e.g. R&D department)
less than 100. E.g., we twice “adjusted” a too high company size in Norway.
- The relatively high mean size for companies in Germany and especially in Italy is
caused by a few large “outlier” companies.
- The local business unit size is considered the most representative measure. This
does not vary much between the three countries, with the larger business units in
Italy and Germany, as expected.
- In the pre-study in Norway, 17 of 34 (50%) of the ICT companies in our
convenience sample had COTS-based development, and most of the remaining
said they also used internal components. 13 of these 17 companies (almost 80%)
agreed to participate and all responded.
- In the main study in Norway, 94 of 334 (28%) of the “contactable” companies
had OTS-based development, and only 41 of the 94 (44%) eventually responded
with a total of 47 projects. That gives an overall response rate of 12% (41 of
334).
- In Norway, 50 of 380 (13%) of the companies were no longer “contactable”, as
the company lists were two years old in 2004. This is not surprising, and
represents a very dynamic marketplace, as mentioned earlier.
- In Norway, we found that 70 of 285 (24%) software companies (NACE code
72.xx) claimed to have no software development at all. Many of these companies
were sales subsidiaries of international ICT corporations, perhaps belonging to
NACE code 51.84? However, no “penalty” for a company to be registered with a
wrong NACE code exists!
250
Appendix A
- The response rate in Norway increases with decreasing company size. The
response rate was especially low in large companies, cf. “gatekeeper” problem in
Section 6.
251
Appendix A
5. Questionnaire design
The (English) interview guide for the pre-study included standard meta-questions to test
understandability, was held in two runs in fall 2003 on ten industrial colleagues in
Norway, and lead to 10% of the questions being revised.
The main study questionnaire was designed in cooperation with the partners in Dec.
2003 – April 2004, relying on email correspondence and phone meetings. Most of the
questions from the pre-study were reused, and we used much effort to reliably map the
research questions and hypotheses into the questionnaire. The design went through 16
major revisions and this lead to changes in hypotheses, measure scale, and answer
categories. Also, we created an analysis plan and conducted a questionnaire pre-test to
increase survey quality.
The final questionnaire had an introductory letter, a set of concept definitions
(component, OTS etc.) and some control questions to the reader. Thereafter 10 pages
with 80 questions divided in 6 parts. Questions on personal or company matters were
put at the end, emphasizing the confidentiality of the responses.
The pre-test had 18 respondents (industrial and academic) in the three countries. 15%
of the questions were altered based on this. All work was done in English using an ms-
word (.doc) file.
The questionnaire was finally translated into the native language of the three partners
to ensure equal comprehension across cultures, and this revealed only few unclarities.
Filling in took ca. 20-30 minutes.
Reflections on the questionnaire:
- The questionnaire showed robust, with very few misunderstandings. Only four
incompletely filled-in forms (of 47) came in for Norway.
- In Germany the fill-in procedure was improvised to be phone interviewing of
respondents. This introduced a mode problem that could affect “sensitive”
answers, the response rate, or cause misunderstandings [12]. However, most
questions are factual and technical, and the few national differences in German
answer are not likely caused by mode problems, yet this mode difference
represents an unplanned method bias.
- In Germany, we also had to offer extra anonymity for respondents and
companies, in spite of an explicit confidentiality clause.
252
Appendix A
convince a possible respondent over the phone to use his/her time and effort to fill in a
questionnaire, sent by email.
Phone or site-interviews were discussed thoroughly in March 2004, but, despite
recommendation [21] by researchers at Simula Research Lab, rejected, as we at that
time estimated having 80-100 respondents per country and therefore did not have the
capacity to do so (especially based on German arguments!).
Problems (low response rate etc.) were anticipated, so written procedural guidelines
were made early:
- All this turned out to be very costly and with a rather low response rate.
Given a person-year of total effort just in Norway, the cost of a filled-in
questionnaire is ca. one person-week (2000 euro).
- As mentioned, the German fill-in procedure was performed through
interviews, i.e. different from that used in Norway and Italy.
- Italy lost their research assistant (a summer student) in Oct. 2004, not
replaced before March 2005. Likewise, IESE had 5 months delay (May-Sept.
2004) in PhD student upstart. Also, Norway hired an extra research assistant
(upstarting PhD-student Slyngstad in March-June 2004). All this lead too
much improvisation.
- There was marginal interest for any reward system - maybe we were not
inventive enough?
253
Appendix A
7. Lessons learned
The industrial ICT environment seems extremely busy in recent years. It is very hard to
ask for any extra commitment of effort. Also, of an audience of 25 at our final seminar,
only 5 were respondents.
The SESE web server in Oslo has generally worked fine. One of the researchers had
earlier experience as a webmaster, and spent two days in Oslo to learn about the SESE
tool. The tool has already been used by over 20 studies, mostly controlled experiments,
including a shared one by NTNU and the Simula Research Laboratory on software
maintenance.
254
Appendix A
The researcher cooperation has gone very well, due to previous contacts, shared
research interests, and good person chemistry. No physical meetings were held, and all
data are sharable among the partners.
Extra resources through an external project would have helped to minimize national
process differences, and having a social scientist on the team is strongly advised, as we
found it highly useful.
Finally, the senior researchers must be thoroughly acquainted with details around
sampling etc., i.e. getting their hands “dirty” by serving as research assistants.
8. Conclusion
This study is the first survey on CBSE and indeed software engineering, which uses
stratified-random sampling of ICT companies in several countries. All previous surveys
have had problems in defining the study population and in selecting a valid sample of
this, especially since the study object is a special project, not a company.
We had few real problems with questionnaire design and implementation, and some
problems with randomized company sampling. On all these points we anticipated
problems, and put in a lot of effort. However, unexpected much work went into
contacting the companies and having the questionnaires filled in. National differences in
sampling procedures and questionnaire fill-in may have introduced method biases,
although not serious it seems.
We have learned a lot in running a representative, multinational survey, and also on
OTS-based development. We plan to follow up the survey in other countries (China and
US), and to supplement with more qualitative studies.
9. Acknowledgements
This study was funded in part by INCO (Incremental COmponent based development,
2001-2004,http://www.ifi.uio.no/~isu/INCO) and SPIKE (SPI by better Knowledge and
Experience), 2003-2005, http://www.idi.ntnu.no/grupper/su/spike.html). We thank our
colleagues in these projects, social scientist Ola Listhaug at NTNU, and all participants
in the survey.
10. References
[1] C. Abts, B.W. Boehm, and E.B. Clark, “COCOTS: A COTS Software Integration
Lifecycle Cost Model – Model Overview and Preliminary Data Collection Findings”,
Proc. of the ESCOM-SCOPE 2000, 18-20 April 2000, Munich, Germany, Shaker
Publ., pp. 325-333.
[2] C. Atkinson, C. Bunse, and J. Wüst, “Driving Component-Based Software
Development through Quality Modelling”, In A. Cechich, M. Piattini, and A.
Vallecillo (Eds.), “Component-Based Software Quality: Methods and Techniques,
State-of-the-Art Survey”, Springer Verlag LNCS 2693, 2003, pp. 207-224.
[3] Andrea Bonaccorsi and Cristina Rossi, "Why Open Source software may succeed”,
Research Policy, 32(7):1243–1258, 2003.
255
Appendix A
[4] Reidar Conradi and Alf Inge Wang (Eds.), Empirical Methods and Studies in
Software Engineering -- Experiences from ESERNET, Springer Verlag LNCS 2765,
ISBN 3-540-40672-7, Aug. 2003, 278 pages.
[5] M. Corra and D. Willer, “The Gatekeeper”, Sociological Theory, 20(2):180-207,
July 2002.
[6] Tore Dybå, "Factors of SPI Success in Small and Large Organizations: An
Empirical Study in the Scandinavian Context", Proc. Joint ESEC'03/FSE-11 conf.,
Helsinki, Finland, 1-5 Sept., ACM Press, pp.148-157.
[7] Marisa Escalante and Pedro Gutierrez, “CBSE: State of the Practice”, Proc. 16th
Int’l Conf. on Software & Systems Engineering and their Applications
(ICSSEA'2003), 2-4 Dec. 2003, Paris, Vol. 2, Session 9: Reuse & Components, ISSN
1637-5033, 16 p.
[8] EuroStat office, EU, Luxembourg, http://europa.eu.int.comm/eurostat, 2002.
[9] M. E. Fayad, M. Laitinen, R. P. Ward, “Software Engineering in the Small”,
CACM, 43(3):115-118, March 2000.
[10] Floyd D. Fowler, Survey Research Methods, 3rd edition, Thousand Oaks, Sage,
1988.
[11] W. B. Frakes and C. J. Fox, “Sixteen Questions About Software Reuse”, CACM,
38(6):75-87, June 1995.
[12] Robert M. Groves et al., Survey Methodology, Hoboken, NJ, John Wiley, 2004.
[13] Knut K. Holgeid, John Krogstie, Dag I. K. Sjøberg, “A study of development and
maintenance in Norway: assessing the efficiency of information systems support
using functional maintenance”, Information & Software Technology, 42(10):687-700,
2000.
[14] Italian Census Bureau, www.istat.it, 2002.
[15] Barbara A. Kitchenham et al., "Preliminary guidelines for empirical research in
software engineering", IEEE Trans. on Software Engr., 28(8):721-734, Aug. 2002.
[16] N. Y. Lee and C. R. Litecky, “An Empirical Study of Software Reuse with Special
Attention to Ada”, IEEE Trans. on Sw. Engineering, 23(9):537-549, Sept. 1997.
[17] A. S. Lee and R. L. Baskerville, “Generalizing Generalizability in Information
Systems Research”, Information Systems Research, 14(3):221-243, Sept. 2003.
[18] J. Li, F. O. Bjørnson, R. Conradi, and V. B. Kampenes, “An Empirical Study of
Variations in COTS-based Software Development Processes in Norwegian IT
Industry", Proc. 10th IEEE Int’l Metrics Symposium (Metrics'04), Sept. 14-16 2004,
Chicago,p.72-83 (pre-study).
[19] J. Li, R. Conradi, O. P. N. Slyngstad, C. Bunse, M. Torchiano, and M. Morisio,
"Preliminary Results of a State-of-the-Practice Survey on Motivations of Using Off-
The-Shelf Components", in Proc. 6th International Conference on Product Focused
Software Process Improvement (PROFES'2005), 13-16 June, 2005, Oulu, Finland, 17
p. (on main study).
[20] P. Mohagheghi et al., "An Empirical Study of Software Reuse vs. Defect Density
and Stability", Proc. 26th Int’l Conf. on Software Engineering (ICSE'2004), 23-28
May 2004, Edinburgh, Scotland, IEEE-CS Press, pp. 282-292.
[21] K. J. Moløkken-Østvold et al., “A Survey on Software Estimation in the
Norwegian Industry”, Proc. 10th IEEE Int’l Metrics Symposium (Metrics'04),
Chicago, USA, 14-16 Sept. 2004, p. 208-219.
256
Appendix A
257
Appendix A
258
Appendix B
Abstract: More and more software projects are using COTS (commercial-off-
the-shelf) components. One of the most challenging problems in COTS-based
development is to evolve a system to follow changes in the customer
requirements. It is therefore important to increase the changeability of the
COTS-based system, so that new component can easily replace the problematic
COTS components. Aspect-Oriented Programming (AOP) claims to make it
easier to develop and maintain certain kinds of application. We performed a case
study to investigate whether AOP can help to build an easy-to-change COTS-
based system. This compared the changes when adding and replacing
components between a COTS system implemented using Object-Oriented
Programming (OOP) and the same system implemented using AOP. The results
show that integrating COTS components using AOP may help to increase the
changeability of the COTS-based system if the cross-cutting concerns in the
code used to glue the COTS component are homogeneous (i.e., have a consistent
application of the same or very similar policy in multiple places). Extracting
heterogeneous or partially homogeneous cross-cutting concerns in glue-code as
aspects does not give any benefits. This study also discovered some limitations
in the AOP tool that makes it difficult or even impossible to integrate COTS
components with AOP.
Relevance to this thesis: This paper is relevant to the risk management
section of this thesis. It reports a case study on mitigating the one typical risk,
difficult to replace the problematic components, in COTS-based development.
My contribution: I contributed on 50% of the total work, including research
design, data analysis and paper writing. Axel Anders Kvale worked on
implementing the system, which includes 40% of the total work.
[AP2] [Li04b] Jingyue Li, Siv Hilde Houmb, Axel Anders Kvale: A Process to
Combine AOM and AOP: A Proposal Based on a Case Study. Proceedings of the 5th
Aspect-Oriented Workshop (In conjunction with UML 2004), Oct. 11, 2004, Lisbon,
Portugal, http://www.cs.iit.edu/~oaldawud/AOM/AcceptedPapers/
259
Appendix B
[AP4] [Li05c] Jingyue Li, Reidar Conradi, Odd Petter N. Slyngstad, Marco
Torchiano, Maurizio Morisio, and Christian Bunse: Preliminary Results from a State-
260
Appendix B
[AP5] [Li05d] Jingyue Li, Reidar Conradi, Odd Petter N. Slyngstad, Marco
Torchiano, Maurizio Morisio, and Christian Bunse: An Empirical Study on Off-the-
Shelf Component Usage in Industrial Projects. Proceeding of the 6th International
Conference on Product Focused Software Process Improvement, Oulu, Finland
(PROFES 2005), June 2005, Springer LNCS Vol. 3547, pp. 54-68.
261
Appendix B
[AP6] [Li04c] Jingyue Li, Finn Olav Bjørnson, Reidar Conradi, and Vigdis By
Kampenes: An Empirical Study of COTS Component Selection Processes in Norwegian
IT companies. Proceeding of the Int'l Workshop on Models and Processes for the
Evaluation of COTS Components (MPEC'04 Arranged in co-location with ICSE'04),
May, 2004, Edinburgh, Scotland, IEE Press, pp. 27-30.
[AP7] [Li04d] Jingyue Li, Finn Olav Bjørnson, and Reidar Conradi: Empirical Study on
COTS Component Classification, Proc. International Workshop on COTS Terminology
and Concepts, Co-located with International Conference on Component-Based Software
Systems (ICCBSS'04), 1-4 Feb., 2004, Redondo Beach, USA,
http://softeng.polito.it/iwctc/accepted.html
262
Appendix B
proposed by previous research. From the result of this study, we conclude that
some attributes are not good because they are either not measurable or
unnecessary. We also propose one other attribute that will affect the
development process dramatically. Our future study will focus on investigating
these attributes in a larger sample.
Relevance to this thesis: This paper is relevant to the SPI section of the
thesis. It reports the results related to COTS classification.
My contribution: I contributed to 80% of the total work, including research
design, interview guide design, performing most interviews, data analysis and
paper writing.
263
Appendix B
264
Appendix C
Project: Software development project, in which the respondent has been involved. We
aim for finished projects and possibly with maintenance, and possibly with several
releases.
Component: Software components are executable units of independent production,
acquisition, and deployment that can be composed into a functioning system. To enable
composition, a software component adheres to a particular component model and targets
a particular component platform.
COTS (Commercial Of The Shelf) component: A component that:
• is either provided by some other organizations in the same company, or
provided by external companies as a commercial product.
• is integrated into the final delivered system.
• is not a commodity, i.e. not shipped with operating system, not provided with
the development environment, not generally included in any pre-existing
platform
• is not controllable, in terms of provided features and their evolution
System
Glueware/
Addware
Application
COTS
Components
265
Appendix C
The projects we want to investigate in this survey are finished software development
project using one or more COTS components. If you have experience with several
such projects, please select one that you are most familiar with and base your answers
on this project.
1.1.1 What was the total staff size of the project? (full-time and part-time persons)
Full time: _________________
Part time: _________________
1.1.2 What was the starting time of the project (mm/yy) / ?
1.1.3 What was the time of final delivery of the project (mm/yy) ___/____?
1.1.4 What was the development environment of the project?
• Programming Languages: ____________________
• CASE tools: ______________________________
• Overall develop process (e.g. waterfall, prototyping, incremental, etc.):
_________
1.2 Information about the system
1.2.1 What were the main functionalities of the system?
1.2.2 What were the major types of industry / services (application domain) of the
customers of the system?
[Mark one or more alternatives]
o Agriculture and forestry, fishing and o Professional, scientific, and
hunting technical service
o Mining and quarrying o Management of companies and
o Power, electricity, gas, water supply enterprises
o Construction o Administration and support
o Manufacturing services
o Whole trade o Waste management services
o Retail trade o Educational services
o Transport, storage, and communication o Health care and social assistance
o Information(informatics/telecommunica o Arts, entertainment, and
tion ) recreation
o Finance, Insurance o Accommodation and food
o Real estate and rental and leasing services
o Public administration
o Other sevices
Reference: North American Industrial Classification System (NAICS)
Link: http://www.revenue.state.ne.us/tax/current/buscodes.pdf
266
Appendix C
1.2.9 What was the emphasis on the Reliability (failure rate) of the system?
• High: If a failure occurs, the losses are very high and are very hard to be
recovered.
• Nominal: If a failure occurs, losses are fairly easily recoverable
• Low: If a failure occurs, losses are easily recoverable (e.g., document
publishing)
High Nominal Low Don’t know
267
Appendix C
2.2 Which COTS components were used in the project? And what kind of
functionality did they provide? (If there were more than three COTS
components used in the project, please select the COTS components most
relevant to your job in the project.)
[Use text to answer the name and functionalities of COTS component]
COTS ID COTS COTS Component Standard Main Functionality
Component (COM, CORBA, EJB etc.)
Name
1
2
3
2.3 What was the highest level of stated management commitment to these COTS
component in the project? (Use the COTS ID given to your components in question
2.2)
• Business top manager: The highest level of stated commitment to use this
component is business top manager
• IT top-level manager: The highest level of stated commitment to use this
component is IT-top manager
• IT project managers: The highest level of stated commitment to use this
component is IT project manager
• No commitment: There is no management commitment to use this
components, it is decided by software architects or
268
Appendix C
developers
• Don’t know
[Mark one alternative per row below]
COTS Business IT top-level IT project No Don’t know
ID Top manager manager commitment
manager
1
2
3
2.5 What was your project members’ experience with these COTS components?
(Use the COTS ID given to your components in question 2.2)
• Very much experience: All project members have the experience of using the
same COTS components.
• Much experience: Roughly ¾ project members have the experience of using
the same COTS components.
• Some experience: Roughly ½ project members have the experience of using the
same COTS components.
• Little experience: Roughly ¼ project members have the experience of using the
same COTS components.
• No experience: No project member has the experience of using the same COTS
components.
[Mark one alternative per row below]
COTS ID Very much Much Some Little No
experience experience experience experience experience
1
2
3
269
Appendix C
2.6 What was the role of the COTS components at the architecture level of the
system?
(Use the COTS ID given to your components in question 2.2)
• Core: The COTS component provided the main functionality of the system.
The system was built around this COTS component.
• Support: The COTS component provided some functionality to support the
central application of the system.
[Mark one alternative per row below]
COTS ID Core Support
1
2
3
2.7 What was the most influential information/method to support selection of COTS
components? (Use the COTS ID given to your components in question 2.2)
• Experience: Based on own or other COTS users’ previous success or failure
experience.
• Demonstration: Based on the result of the vendors’ demonstration.
• Pilot: Based on the result of a short-term trial use or test of COTS.
• Formal method: Based on the result of formal decision making process, such as
multi-attribute utility theory, Multi-criteria decision aid, weighted sum method,
etc.
• Others: There are other information/methods except the alternatives listed
above. Please specify
[Mark one alternative per row below]
COTS ID Experience Demonstration Pilot Formal Others
method (Please
Specify)
1
2
3
2.7.1 If you didn’t use Formal Selection Method (see question 2.7), why?
• I never heard about it
• It isn’t cost-effective
• It is not necessary
• It is not easy/accurate to use
• Others______________________
2.8 Please rank-order your top three non-technical factors based on their influence in
COTS components selection. Mark three factors with rating 1, 2, and 3 (1 is the most
influential factor, 3 is the least influential one)
Licensing arrangements
Cost in general
Market trend
COTS reputation (maturity, stability)
270
Appendix C
Vendor reputation
Vendor support capability
Others (please specify): _________________________
2.9 Please specify the importance of the following issues for the initial selection of
COTS components.
• Integrations easiness: Whether the COTS components can be plugged into the
system without extra integration code.
• Possible integrations effort: How much extra code may need to be produced to
correct the possible mismatch between the COTS components and other parts
of the system.
• Functionalities completeness: Whether the components have all the required
functionalities.
• Possible functionalities supplement effort: How much effort may be used to
add the required functionalities.
Scales:
• Very Much: It is considered as the most important issue
• Much: It is considered as a very important issue
• Some: It is considered as an important issue
• Little: It is not considered as an important issue
• No: I didn’t consider this issue.
[Mark one alternative per row below]
Very Much Some Little No
much
Integrations easiness
Possible integrations effort
Functionalities completeness
Possible functionalities supplement
effort
Other issues:
271
Appendix C
• Very much: Almost all the integration effort was spent on solving this problem
• Much: Roughly ¾ integration effort was spent on solving this problem
• Nominal: Roughly ½ integration effort was spent on solving this problem
• Some: Roughly ¼ integration effort was spent on solving this problem
• Little: Very few effort was spent on solving this problem
• No: No such problem, no integration effort was spent on solving this problem
[Mark either No problem or one or several other alternatives per row below]
Problem Very Much Nominal Som Little No
much e
Do not support architecture
style
Support different architecture
style
Do not support committed
standard
Support different standards
Support different standard
versions
Other problems (Specify):
2.11 How the COTS components were integrated into the system (possibly to solve
the problems mentioned in 2.10)?
(Use the same COTS components and COTS ID as in question 2.4)
• By Plug: Just plug in the COTS components to assemble an executable system
without any extra work.
• By Configuration: Setting or defining shell parameters or configuration options
available for a COTS component, but which do not require modification of
COTS source code.
• By Glueware: integrate COTS components mostly by using glueware (i.e. code
to solve possible mismatch between components, or between components and
application/platform.)
• By Addware : integrate COTS components mostly by using addware (i.e. code
to add the functionalities which are required but not provided by the
components.)
• By Source Modification: change the source code of COTS components so that
it can be integrated
[Mark either By plug or one or several other four alternatives per row ]
COTS By Plug By By By Addware By Source
ID Configuration Glueware Modification
1
2
3
2.12 What level of training and/or documentation for the COTS components was
available AND obtained for the developers, either directly from the component vendors
or through third parties?
272
Appendix C
2.13 How did you try to influence a COTS components vendor to change components
to your own needs? [Mark one alternative per row below]
• No control: Cannot drive vendor to make the change and have to follow the
market
• Pay vendor: Pay the vendors to change it to meet my requirements
• Press vendor: Put pressure on the COTS vendor in order to make them change
the OTS wthout pay them
• Merge with or buy vendor: Merge with or buy the COTS vendor firm and make
them change the component
• Other methods:___________________
2.14 What was the effect on certain properties by using COTS components in your
system?
• Strong positive effect: Using COTS contributed much in achieving the planned
result
• Some positive effect: Using COTS contributed some in achieving the planned
result.
• No effect: Using COTS had no contribution in achieving the planned result
• Some Negative effect: Using COTS hindered some in achieving the planned
result
• Strong Negative effect: Using COTS hindered much in achieving the planned
result
[Mark one alternative per row below]
Perceived effect The effect on certain properties
on certain
properties Strong Some No Some Strong Don’t
positive positive effect Negative Negativ know
effect effect effect e
effect
273
Appendix C
Time-to-market
System
Reliability
System security
System
performance
Development
cost
Maintenance
cost
2.15 Would you like to use these COTS components in the future projects? [Mark
one alternative]
□ Yes, I would like to use these COTS components in the future projects.
□ No, I don’t want to use these COTS components in the future projects.
□ Don’t know.
274
Appendix C
Section 4. Extra questions (will only be used in the personal interview, the
alternatives of each question are different viewpoints that you can talk with.)
4.2.2 Did your business unit have any specific processes concerning the selection and
use of COTS components before the project started?
If yes, please explain briefly what kind of processes:
(e.g. activities, roles, responsibilities)
4.2.3 Did you have to introduce or make any process changes during the project
related to the selection or use of COTS components?
If yes, please explain briefly the situation and the changes introduced:
(e.g. new or changed activities, roles and responsibilities)
4.2.4 What impact on the development process did the use of COTS components
have for future project?
275
Appendix C
4.4.2 What part of the system had the largest amount of change requests (not
covering trouble reports, e.g. upgrade) during the first 6 months of system
maintenance? [Mark one alternative]
□ The application part of the system
□ The COTS components of the system
□ The glueware/addware of the system
□ Don’t know
4.4.3 How could you ensure the quality (reliability, security, etc.) of your COTS-
based system in the process of system evolution (system update, COTS components
update, etc.)?
o Technical (testing, configuration management, version control, ...)
o Vendor relationship (technical support, contract, …)
o Others:______________________________
4.5 General lessons learned and experience of using COTS components in your
system
o Business
o Technical
o Process
o Organization
o Others: ______________________________
276
Appendix C
In the questionnaire we used, there is a meta-question after some question (1.2.4, 1.2.5,
1.2.8 to 1.2.11, 2.1, 2.4 to 2.14, and 4.4) to evaluate the quality of the questions as
following. Due to the space reason here, they have been removed.
277
Appendix C
278
Appendix D
279
Appendix D
Question for comments. Can you mention some OTS components based on your
understanding?
1.1.1 What was the total staff size of the project (full-time and part-time persons)?
Full time: _________________
Part time: _________________
1.1.2 How large a percentage of the project members have previous experience with
general
OTS-based development __ (%)?
1.1.3 What was the starting time of the project (mm/yy) / ?
1.1.4 What was the time of first complete delivery from the project (mm/yy)
___/____?
1.1.5 What was the development environment of the project (describe textually)?
• Programming Languages: ____________________
• CASE (Computer Assistant Software Engineering) tools: _______________
• Main development method (RUP etc.): _______________
1.2 Information about the system
1.2.1 What were the names and the main functionalities of the system (describe
textually)?
1.2.2 What was the emphasis on the following characteristics of the system?
[Mark one alternative per row]
Very Low Medium High Very Don’
low high t
know
a) Time-to-market
b) Effort (cost)
c) Reliability
d) Security
e) Performance
f) Maintainability
280
Appendix D
2.2 What were the specific motivations for using OSS Component(s) in your project?
[NB: If you did not use an OSS Component in the project, please skip this
question]
[Mark one alternative per row]
281
Appendix D
2.3 What were the specific motivations of using COTS Component(s) in your project?
[NB: If you did not use a COTS Component in the project, please skip this
question]
[Mark one alternative per row]
282
Appendix D
3.3 When was the main process decided? [Mark one alternative]
□ Before the “acquire vs. build” decision, i.e. before the decision whether to
acquire
OTS components instead of building them in-house
□ After such an “acquire vs. build” decision
3.4 Were there any dedicated personnel in your project to keep track of OTS
component knowledge/information? [Mark one alternative]
□ Yes
□ No
If Yes, what is the role and OTS component-relevant experience of this person?
283
Appendix D
4.2 What actions were performed during development or maintenance of the project?
[Mark one alternative per row]
284
Appendix D
functionality
d) OTS components qualities
(reliability, security etc.) were
seriously considered in the
selection process
e) Effort in learning OTS
component was seriously
considered in effort estimation
f) Effort in black-box testing of
OTS components was seriously
considered in effort estimation
g) Unfamiliar OTS components
were integrated first
h) Did integration testing
incrementally (after each OTS
component was integrated)
i) Local OTS-experts actively
followed updates of OTS
components and possible
consequences
j) Maintained a continual watch
on the market and looked for
possible substitute components
k) Maintained a continual watch
on provider support ability and
reputation.
285
Appendix D
5.3 How large a percentage of the application functionality in the whole system was
provided by the selected OTS component Comp.1 ___________________(%)?
5.4 What was the source code status of the selected OTS component Comp.1?
[Make one alternative per row]
OSS, i.e. with source COTS, but with source COTS, without
code available code available source code
Comp.1
5.5 Have you read parts of the source code of OTS component Comp.1?
[NB: If the source code of Comp.1 is not available, please skip this question]
[Make one alternative per row]
Very Little Some Much Very Don’t
little much know
Comp.1
5.6 Have you modified parts of the source code of OTS component Comp. 1?
[NB: If the source code of Comp.1 is not available, please skip this question]
[Make one alternative per row]
Very Little Some Much Very Don’t
little much know
Comp.1
5.7 What was the technical base of the selected OTS component Comp.1? [Mark one
or more alternatives]
o .Net o DLL
o ActiveX o VBX/ VB Class Library
o Java Class/ Library o COM/DCOM
o Java Applet/ Servlet o CORBA
o Java Bean/Enterprise Java Bean o Windows Static Link Library
o C/C++ class/Library o Windows Foundation Class (WFC)
o MFC o Others (specify):____________
5.8 What was your project members’ experience with the selected OTS component
Comp.1? [Make one alternative per row]
Very little Little Some Much Very Don’
much t
know
Comp.1
5.9 When were the selected OTS components Comp.1 selected? [Make one alternative
per row]
Pre-study Requirem Overall Detailed Coding Don’t
phase ents/Analy design design phase know
sis phase phase phase
Comp.1
5.10 Did you encounter some of the following aspects (risks) with the selected OTS
component Comp.1? [Make one alternative per row]
286
Appendix D
Yes No Don’t
know
a) The OTS component did not follow the industry standard
(COM, CORBA etc.) as the provider claimed (i.e. glueware
needed)
b) The OTS component had mismatching architectural
assumptions towards other parts of the system (i.e.
glueware needed)
c) The OTS component could not provide all required
functionality (i.e. addware needed)
d) The recent OTS component versions were not
backwards-compatible with the first version
e) The provider did not want to or could not change OTS
component functionality as requested
5.11 Have you performed some of the following actions for the selected OTS
component Comp.1?[Make one alternative per row]
Yes No Don’
t
know
a) Searched Internet for possible OTS component
candidates.
b) Got recommendation of possible OTS component
candidates from the customer
c) Got recommendation of possible OTS component
candidates from a local colleague/OTS-expert
d) Used a formal decision-making method to compare
possible OTS component candidates, e.g. with weighted
evaluation criteria
e) Limited possible candidates into 1-3 components, by
reading literature or other documentation
f) Did “hands-on” try-out of 1-3 components, e.g. on a
down-loaded demo version.
5.12 What is your opinion on the following aspects of the selected OTS component
Comp.1? [Make one alternative per row]
Don’t Hardl Agree Agree Stron Don’t
agree y some mostl gly know
at all agree what y agree
a) Comp. 1 was integrated
successfully
b) Comp. 1 was maintained
successfully so far
287
Appendix D
6.2.3 What is the staff size of your embedding company (full- & part-time persons)
____?
What is the staff size of your local business unit (full- & part-time persons) ___?
[This staff size may be the same for small and medium sized companies]
288
Appendix D
6.2.4 What is the main business areas of your company?[Mark one alternative]
□ IT/ Telecom industry (Ericsson, Nokia, NERA, Nordic VLSI etc.)
□ Telecom service provider (Telenor, NetCom etc.)
□ Software House / Software Vendor (Opera, MicroSoft etc.)
□ Software / IT consulting company (Accenture, Cap Gemini E&Y, TietoEnator
etc.)
□ Other software-intensive company (please specify): ___________________
Note: In the main study, the questionnaire was translated into local language
(Norwegian, German, and Italian) and published in the web for filling in.
289