Sample Quality Assurance Surveillance Plan (QASP)
Quality indicator for | Performance standard | Acceptable quality level | Method of assessment |
---|---|---|---|
Tested code | Code delivered under the order must have substantial test code coverage and a clean code base | Minimum of 90% test coverage of all code | Automated testing |
Properly styled code | Meets acceptable quality level | 0 linting errors and 0 warnings | Styling standards and linters |
Accessibility | Web Content Accessibility Guidelines 2.2 – ‘AA’ standards | 0 errors reported using an automated scanner, and 0 errors reported in manual testing | Automated and manual testing |
Deployed code | Code must successfully build and deploy into a staging environment | Successful build with a single command | Live demonstration |
Documented code | All dependencies are listed and the licenses are documented. Major functionality in the software/source code is documented in plain language. Individual methods are documented in-line using comments that permit the use of documentation generation tools such as JSDoc. A system diagram is provided | Vendor provides above documentation | Manual review |
Security | Open Web Application Security Project (OWASP) Application Security Verification Standard 4.0.3 | Code submitted must be free of medium- and high-level static and dynamic security vulnerabilities | Evidence of automated testing per OWASP |
User research | Usability testing and other user research methods are conducted at regular intervals throughout the development process (not just at the beginning or end) | Artifacts from usability testing and/or other research methods with end users are available at the end of every applicable sprint in accordance with the vendor’s research plan | Demonstrated evidence of user research best practices |