Case Study on Non-Functional Requirement Change Impact Traceability for Agile Software Development

Currently, it is crucial to develop a complex software on time. Agile software development methodologies provide methods to develop a system in term of time and cost-saving but it has been criticized for software quality management. In this paper, a case study is used to find out the need of NFR change impact traceability approach in most of Agile software methodology. This case study was conducted in an undergraduate course that trained the students on how to develop software using Agile process model. This case study has been conducted for 4 months in an undergraduate-level course, Application Development. The samples of this case study are among Year 3 undergraduate students. The case study shows the lack of traceability techniques in the existing Agile process model (SFDDSecured Feature Driven Development) that result to non-awareness of NFR change impact during development. Based on the case study mentioned the main objective of the case study conducted in survey is to empirically test the theoretical constructs and the hypothesized relationships of the research issues that concern on the lack of change impact management towards NFR in Agile Software Methodology. TANC (Traceability for Agile Non-Functional Requirement Change Impact) model offered techniques in tracing change impact during the agile development process. Therefore, the result of the case study, a traceability process model needs to design in order to tackle the NFR change impact issues in Agile software development. Keywords— agile methodologies; scrum; feature driven development; traceability; non-functional requirement.


I. INTRODUCTION
Traceability approaches and methods have been applied in traditional software development process such waterfall [1], [2] model-driven [3] and started to be introduce in Agile software development projects [4]- [6]. As a matter of fact, many researchers have done their research on agile and traceability [7]. There are some researches that have started to create traceability models and techniques in various Agile software development model such as Scrum [8], FDD [9], AUP [10] and other Agile software development model. However, these established traceability techniques in Agile only support the functional requirements, not the NFRs [11]. There are even some researches state that traceability does not compatible with XP processes [12] due to the heavy documentation and architectural solutions, and that do not go well with XP lightweight processes. Therefore, a case study conducted in an undergraduate class where they were using Agile software development method and asked to check the change impact after some requirement changes. By using survey techniques which most of researchers use in order to justify any type of issues that related to Agile methodology [13]- [15] this case study was to testify whether the existing Agile software development method not only equipped with the Agile software development change management [16], [17] but also covers the NFR change impact management. The rest of the paper is organized as follows: Sections 2 presents a case study that experimented on NFR Change Impact Management in the existing Agile Software Development Process Models. Lastly, Section 3 presents the conclusion of this study.

II. MATERIALS AND METHOD
The course begins by introducing a variety of Agile software development models to the students. Then, one of the best students' group project which used SFDD were chosen to be documented in this case study. In the middle of their software development project, they were asked to implement one of the NFR features that is security. They must document the security features using the SAgile tool. Then, they were asked to check any affected functional features or NFR features by asking them to check for the performance of the functional features already embedded with security codes and compare them with the ones without security codes. Then, they were asked if the affected performance is too much for the clients to handle or is barely acceptable. The flow and results of this case study are explained in the next sections. The process details for the case study will be explained based on SFDD phases and generic traceability process model phases order. Lastly, the study continues by collecting and discussing the students' survey feedbacks on the NFR change impact management in the existing Agile process model.

A. Rafi Food Ordering System (RFOS) in Plan by Feature concerning Strategic Trace Phase
Since this team has chosen to use the FDD development process, they are recommended to use SAgile during the Plan by Feature phase. Here are the results of this experiment. First, the students fill out the details about the features. For example, in this case, study, one of the features in the developed system, Manage Payment feature is shown in  The figure above demonstrates that all details regarding the Manage Payment feature are present including start and end dates, which developer of this feature is assigned to, who is the tester, etc. This part completes the phase of creating the functional requirements phase in FDD. Next, NFR features are assigned to this feature.
In the first part of assigning NFR, the security elements need to be assigned first (this is based on the Strategic phase plan when the team decided on how they were going to prioritize the rank of the NFR. For example, if the system is security-based, they must check for security elements first or make the security itself as the main feature, then assign other NFR that seems relevant towards the system). The team has assigned a few security elements for this feature. team has assigned two types of security threats that are Cross-Site Scripting (XSS) and SQL injection. This indicates that this feature must have these two types of mitigation codes embedded in the feature codes for handling the types of security threats stated. After assigning security NFR to the feature, the team assigned performance features to the main feature. However, assigning performance features is a little bit different than the normal assigning process because the performance feature is assigned to detect any impact of the performance feature after the security features have been added. In this case, the team has added loading time, response time, and the buffering time as in  Due to security and performance features have been assigned simultaneously, SAgile marked these two features in yellow. If the feature is marked in red, then it means that the feature is only assigned to security features and if it is blue, it means that the feature has not been assigned to any NFR feature. Fig 4 shows these colored markings. This marking is a very important feature of SAgile tool in order to notify the development team in making sure that they have assigned adequate NFR features to each feature. Without this marking, it is difficult for the team members to be aware of which features that have not been assigned with which NFR feature.

B. RFOS in Test by Feature concerning Use Trace Phase
This section will report the results of the Test by the Feature phase. First, they performed stress testing on Make Payment feature, where they have around 50 users simultaneously making payment to the Make Payment feature and recorded the response time (based on time latency) and loading time (duration taken by the page to go to the next page). Fig 5 shows the result of the time latency. Fig 5 shows that it took 41 ms to respond to 50 simultaneous user queries and took around 5 seconds to load the next page. Next, the security codes were added on the same feature (Make Payment) and the same stress testing was conducted. Fig 6 shows the results of the experiment. Based on Fig 6, the time latency with the security feature is increased to 690 ms and the loading time increased by 45 seconds. In these two cases, the number of users simultaneously using the system is the same. This shows that security features do impact the performance of the system. If TANC was not used during the development phases, they will not be aware of this issue and might cause vulnerability to their system. They are unable to check whether the time difference is too significant for the system to operate smoothly or is it acceptable by the users' standards. The next step is for the tester to report to the developer either the bugs that have been found can be ignored or should be dealt with. Fig 7 shows the test report of the bugs that were found during the tests depicted in Fig 5 and Fig 6. The bug that causes a little delay on the response and loading time of the feature with the addition of SQL and XSS is then reported to the developer team. However, the bugs are considered as acceptable because the delay is tolerable and not too long. This step is critical to make sure that the feature is thoroughly tested and does not need to be fixed and retested. Besides, this shows a change impact on the system NFR has been traced. This section reports the survey feedback which was collected during the case study. The case study is conducted as a cross-sectional survey where the unit of analysis is the individual sample that is involved in the practice of Agile methods [18], [19]. Our survey questionnaire asks for the students' opinions [20] and they agree with us. When asked about, in the whole issue in Agile modeling in managing change impact on system NFR (Question 1 & 2), and what they consider to be the most suitable solution in handling the issues (Question 3).
This feedback was collected from 24 samples (four of them performed the Rafi's Food Ordering system) that have just finished their project using FDD, Scrum, and XP. The survey contains four questions and some samples offer multiples answers based on their understandings.   Based on the survey done, the problems or issues regarding the existing Agile methodology are listed above. As can be seen in Table 1, 75% of the samples' result shows that Agile does not emphasize on managing and updating the documentation of the project progress. The next major issue is that the requirement of the final product keeps changing. It means that as the project starts to progress, requirements provided by the clients are always changing and a slight change can impact the whole system. Due to this, the program cannot be finished according to the expected completion date.
To sum it up, Agile software is not good at managing changes. However, this does not mean that this method cannot accept changes, but it is weak in managing changes and the impact brought by changes toward the developed system. Out of the 24 samples' results that were collected during the case study, 6 students gave only 2 suggestions (25% of the total samples) and the rest gave 3 suggestions

Suggestions
No. of Subjects Suitable to use for a small team. Need tool support if the number of a team member is increasing 4 Product delivery is too frequent before the system finalized making the system need much modifying before the final product delivery.

13
Each iteration delays the project's completion time and extends the date for the new iteration phase 8 The final product is always delayed because the feature keeps on changing 13 Do not emphasis on documentation and management especially in the early stage 14 Needs to simultaneously develop the system as well as update the system's documentation 2 Every member needs to complete their tasks in order to complete the whole system 4 Do not employ any traceability technique 8 (75% of the total samples). In total there are 66 responds were recorded.
Question 2: When the lecturer asked you to add security features/elements inside your system, do you think that it will slow down your system development progress. The code becomes more complicated 13 More technical problems occur after changes, for example, database error 11 The process of development becomes more complicated 6 No 1 It is part of the iteration 1 Next, in the second question, the students were asked on the instruction to insert security features inside their projects which lead to delay or to increase the project cost. If this instruction is not given, they will most likely ignore this feature or did not give their best effort in implementing it. The results of this question are given in Table 2. Majority of them (96 percent) said that the addition of security elements in the middle of their project do interrupt the project progress. The top reason given to this issue is due to the increase in the number of codes needed in the system. Extra codes mean increased effort and time needed to develop the system and this, in turn, drags the development process. Moreover, they also need to check the overall system performance after the security features have been added, resulting in the need for extra time and effort.
However, one of the students viewed this matter in a different light. He stated that this process does not affect the completion duration because security features should be considered as part of the iteration from the beginning. Finally, based on the feedbacks, general issues in the Agile development process and problems that arise in handling NFR changes during the development phase will be investigated. Several suggestions were given on solving the problems of the Agile development process. Out of 24 samples' results, 20 of them show that Agile needs a proper traceability technique and its system progress should be rechecked so that if any change happens, the change can be traced and parts impacted can be determined. By doing this, the students do not need to check that everything is in order and the whole system is not affected by the changes made. In tackling this, 11 of them proposed to implement security features provided in the HTML tag. In other words, they recommended that the development tools should be able to build, check, and trace NFR automatically. Fig 9 shows the number of samples that provide one, two, or three suggestions. This bar chart analyses the majority numbers of respondents that give feedback. Referring to the chart, for Question 3, all samples provided three different suggestions, and for Question 2, only one sample provided one suggestion which that sample provided reason why sudden changes during the development phase do not affect the duration of the project.    Table 4 shows the percentage of feedbacks based on the number of suggestions that they provided. This table is directly related to the bar chart before. Out of the 24 samples, 58% of them said the main problem with Agile software development in handling change impact is that it does not emphasize documentation and management aspects, especially in the early stages. Next, 95.8% of them stated that a sudden change during Agile development does affect the project duration. Out of that 95.8 %, 70.8% said that adding security features increases the number of codes in the system, and simultaneously increases the testing and development time for the entire process. Lastly, 83.3% of the samples shows that Agile software development needs a proper traceability approach in handling this issue.
Based on the discussion above, the majority of the students understand the goals and objectives of the project. They can grasp the purpose and problem presented in the case study given to them. This results in their understanding of the purpose of the case study and the problem related to the issues that this case study is trying to investigate. Besides that, feedbacks obtained from the survey found that there is a consensus between the issues presented by the case studies and feedback obtained from the students ( Table 4 and Fig 9). Therefore, it is safe to say that Agile software development method needs traceability techniques to manage change impact on NFR of the system. Therefore, the reason behind the execution of this case study has been well justified that is to improve Agile software development, specifically in the area of change impact analysis.

IV. CONCLUSIONS
Based on this case study, the need for the Traceability approach for tracing change impact in Agile software development methodology, which offers better techniques in tracing change impact during the agile development process. The first main issue is the challenges of tracing the NFR change impact in the existing Agile Development. Then, this case study has investigated whether the Agile software development model, FDD could handle the NFR change impact management. This case study has proven that there are issues in tracing change impact especially in the term of NFR in the existing agile software development model. FDD was applied and they could not identify the impact of the system performance when they added security features in certain functional features in their system. Based on Fig 5  and 6, there are some changes that they did not expect to happen where the time latency was affected when they inject XSS mitigation code on the manage payment feature. Each case study strengthens the justification for the change impact issues in Agile software development methodology.