e-Newsletter


Whittington Newsletter
QMS, EMS, Information Security, Services Management, and Six Sigma October 2009
In this Issue
  1. SW Cost Estimating
  2. Jan-Jun 2010 Classes
  3. Mandatory Clauses
  4. E-Verify Becomes Law
  5. OSHA on PPE
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


SW Cost Estimating

The Software Development Cost Estimating Handbook was developed by the Software Technology Support Center and sponsored by the Naval Center for Cost Analysis and the Air Force Cost Analysis Agency. The purpose of the Handbook is to provide cost analysts and program managers with a resource manual to use in developing credible software development cost estimates.

A realistic estimate is based upon a solid understanding of the software development process and the historical data that forms a framework for the expected values. An estimating methodology that follows a proven process and is consistent with best practices, as well as Department of Defense (DoD) policies, further contributes to estimate validity.

The Handbook information is presented at two levels. The first level will help the experienced analyst immediately focus on the material necessary to develop an estimate. The second level is for the novice, or infrequent user, to use as educational information regarding the software development and estimating processes.

You can download the free Handbook from this STSC webpage.

The estimating process starts with a determination of the purpose of the estimate. Next, the cost (or effort) and schedule for the software development project are determined using three factors: effective size, development environment, and product complexity.

The key, and most important, element in the software estimate is the effective size of the software product. Determining size can be approached from several directions depending upon the software size measure (lines of code, function points, use cases, etc.) used by the development organization. A system developed by writing lines of code requires a different estimating approach than a previously developed or off-the-shelf application. The acquisition phase also influences the analyst's approach because of the amount and type of software development data available from the program or developers.

The development environment is the next most important effort and schedule driver. The environment can be factored into five categories:

(1) developer capability or efficiency,
(2) personnel experience,
(3) development system characteristics,
(4) management characteristics, and
(5) product characteristics.

The last four categories are largely driven by the product requirements. These factors take into consideration the development environment itself, the capabilities and experience of the developers, the developing organization's management style, security requirements, etc.

These factors, along with software size and complexity, combine to determine the productivity or efficiency with which a developer can build and test the software. Ultimately, these environmental characteristics drive the cost and schedule of the software development and implementation of the system.

It is uncertain who first coined the phrase, "A fool with a tool is still a fool." Plugging numbers into a parametric model without knowing if the results are realistic fits this adage. This handbook addresses estimate realism using historical data, industry best practices, and authoritative insight. The insight comes from experts in the fields of software development and cost estimating. This information helps the analyst conduct a "sanity check" of their estimate results.

A well-understood and validated estimate offers a defensible position for program office analysts, component cost agency analysts, and independent evaluators. A reasonable estimate is useful in budgeting, milestone decision reviews, and determining the life cycle or other costs of the program.

The contents of the Handbook, ten sections and nine appendices, are grouped into four major parts. An introduction and the basics of the software development process lead off the tutorial. The next two major parts cover the estimating process and related details. Finally, concepts and examples presented in the sections are expanded in a set of appendices. The idea behind this structure is to present principles for instruction and reference in the core sections and then examine details and related examples.

Note: The information in this article was based on the Executive Summary section of the Handbook.

Jan-Jun 2010 Classes

Check out our recently released January 2010 to June 2010 class schedule. You can see the classes, dates, and locations by clicking on the desired course listed on the left side of our Web Site home page.

For example, we have ISO 9001:2008 auditing classes scheduled for Atlanta, Baltimore, Chicago, Dallas, El Paso, Houston, Kansas City, Milwaukee, Minneapolis, Orlando, Philadelphia, Portland, Reston, San Diego, San Jose, and Seattle.

Mandatory Clauses

Have you noticed the surveillance audits by your certification body always seem to address some of the same ISO 9001 clauses? The reason is that ISO 17021, a standard that applies to bodies providing audit and certification of management systems, requires a few areas to be a mandatory part of a surveillance audit program.

Section 9.3.2.1 of ISO 17021 reminds us that surveillance audits are on-site audits, but not necessarily full system audits. Surveillance audits must also be planned together so the certification body can be confident that the certified system continues to meet its requirements between the three-year re-certification audits. Therefore, ISO 17021 requires the surveillance audit program to include, at least:

a) internal audits (8.2.2) and management review (5.6)

b) a review of the action taken (8.5.2) on nonconformities identified during the previous audit

c) treatment of complaints (8.2.1, 8.5.2)

d) effectiveness of the management system with regard to achieving the certified client's objectives (5.4.1, 5.3)

e) progress of planned activities aimed at continual improvement (8.5.1)

f) continuing operational control (8.1)

g) review of any changes (4.2.2, 5.4.2)

h) use of marks and/or any other references to certification

Please note that I added the references to the ISO 9001 clause numbers to identify what might be called the mandatory clauses for surveillance audits.

Some of the clauses are very easy to determine. For example, the mention of Internal Audits and Management Review leads quickly to ISO 9001 clauses 8.2.2 and 5.6. Next on the surveillance list is the "review of the action taken on nonconformities", which relates to clause 8.5.2 for Corrective Action.

What about the clause for "treatment of complaints"? Monitoring the customer's perception as to how well an organization has met requirements would involve clause 8.2.1 on Customer Satisfaction. Clause 8.2.1 includes determining the methods for obtaining and using this information, which would address the treatment of complaints. Clause 8.5.2 on Corrective Action requires the review of nonconformities and specifically customer complaints.

The next area to evaluate is the "effectiveness of the management system" with regard to achieving an organization's objectives. Clause 5.4.1 on Quality Objectives should be examined, and since these objectives must be consistent with the Quality Policy, the auditor could also assess clause 5.3.

In addition, surveillance audits must evaluate the "progress of planned activities aimed at continual improvement". Auditing clause 8.5.1 on Continual Improvement will address this surveillance topic.

Selecting a clause for "continuing operational control" is not as simple. Operational control includes monitoring and analysis to ensure planned results are being achieved, and if not, taking actions to improve the results.

Clause 8.2.3, Monitoring and Measurement of Processes, certainly relates to this subject, as does 8.4, Analysis of Data. However, 8.1 seems the most inclusive clause since it requires an organization to plan and implement the monitoring, measurement, analysis, and improvement processes needed to ensure that the product and system requirements are met and the effectiveness of the system is continually improved.

Another required surveillance topic is the "review of any changes". System changes need to be planned in accordance with clause 5.4.2, Quality Management System Planning, and the changes may result in revisions to the Quality Manual described in clause 4.2.2.

Certification bodies may have a different view of these requirements and include a slightly different set of mandatory clauses for their surveillance audits. For example, one registrar includes 8.5.3, Preventive Action, which could be considered part of assessing operational control and how well an organization prevents potential problems.

The last item on the surveillance list is for auditors to ensure that certification marks and other references to certification are properly used by the organization. Registrars provide information on how their certification marks are to be displayed, and ISO provides guidance at this web page on how to publicize your ISO 9001 certification.

E-Verify Becomes Law

After several delays and unsuccessful lawsuits, the Department of Homeland Security's E-Verify program became effective on September 8, 2009. E-Verify is an Internet-based system that is operated by the Department of Homeland Security in partnership with the Social Security Administration.

The E-Verify system aids compliance with federal immigration laws, helps deter unauthorized individuals from attempting to work, and helps employers avoid employing unauthorized aliens. According to the E-Verify web site, it should virtually eliminate Social Security mismatch letters and improve the accuracy of wage and tax reporting.

Use of the E-Verify system applies to federal contractors and subcontractors, including those who receive American Recovery and Reinvestment Act funds. Applicable federal contracts will include a Federal Acquisition Regulation (FAR) E-Verify clause requiring government contractors to use the E-Verify system.

Companies awarded a contract with the E-Verify clause must enroll in E-Verify within 30 days of the contract award date. E-Verify will confirm that all new hires, whether employed on a federal contract or not, and existing employees directly working on these contracts, are legally authorized to work in the United States.

E-Verify allows employers to check the employment eligibility of new hires online by comparing information from an employee's Form I-9, Employment Eligibility Verification, against SSA and Department of Homeland Security databases.

More information on the program is available at the E-Verify web site. E-Verify customer support is also available by calling toll free 888-464-4218. You can read about the failed legal challenges to E-Verify in this e-Week article by Roy Marks.

OSHA on PPE

The Occupational Health and Safety Administration (OSHA) has issued a final rule to revise the Personal Protective Equipment (PPE) sections of its general industry standards on the requirements for eye- and face-protective devices, head protection, and foot protection.

OSHA is updating the references in its regulations to recognize the more recent editions of the applicable national consensus standards. OSHA is also amending the provision that requires safety shoes to comply with a specific American National Standards Institute (ANSI) standard, as well as a provision that requires filter lenses and plates in eye-protective equipment to meet a test for transmission of radiant energy specified by another ANSI standard.

In amending these regulations, OSHA will require the safety equipment to comply with the applicable PPE design provisions. These revisions are a continuation of OSHA's effort to update or remove references to specific consensus and industry standards located throughout its standards.

According to OSHA, this final rule neither reduces employee protection nor alters an employer's obligations under the existing standard. Employers will be able to continue using the same equipment they have been using to meet their compliance obligation under the existing standards' design-criteria requirements. The final rule provides employers with additional options for meeting the design-criteria requirement.

Therefore, this final rule does not alter the substantive protection that must be provided to employees and the compliance burdens on employers. This final rule becomes effective on October 9, 2009. You can read more about these changes in this Rules and Regulations section of the Federal Register.

Class Schedule

Root Cause Analysis

ISO 9001:2008
Understanding ISO 9001:2008
ISO 9001:2008 Requirements
Implementing ISO 9001:2008
Quality System Documentation
ISO 9001:2008 Internal Auditor
ISO 9001:2008 Lead Auditor

ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

Core Tools
Advanced Product Quality Planning
Design Failure Modes Effects Analysis
Process Failure Modes Effects Analysis
Production Part Approval Process
Statistical Process Control
Measurement System Analysis

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001:2005
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000-1:2005
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2009 Whittington & Associates, LLC
