Severity Levels

Most bug and issue tracking systems use a prioritisation model where you can set a severity, criticality or priority on each bug or issue.

Most systems fail miserably at this one feature. Here’s why.

In one such system, a typical default view of a bug would look like this: [screenshot]

The problem here is that “Low”, “Medium”, “High” and “Critical”, or even worse 4-1, mean different things to everyone, because everyone only relates them to their own little world.

Enter the critical bug

A typical everyday example is that in the morning someone enters a “Critical” bug. “Critical” to my team means: drop whatever else you are doing, because something very bad has happened to one of our critical systems and nobody leaves work until this is resolved. Naturally this is what happens; we take it very seriously.

I then start to inspect the bug report to see what it really is about (while my team is trying to fix the bug) and then find out that it’s a bug report for something that does work wrong, but only for a not yet launched product in a currently running project. The net effect for our customer base is currently NIL and the risk of a financial loss for the company is NIL. I call in the project manager, who explains to me that it’s critical to him and his deadline that this bug gets resolved.

I truly understand his situation, but I also understand that this is not comparable to, say, our server room being on fire. Our worlds are not the same, therefore we cannot prioritise using the same relative definitions of severity.

In the above situation, after the project manager has explained his situation, I usually ask him how many people will die if I do not fix this bug today. I’ve not yet encountered a bug where I got a number higher than 0, despite the fact that there exist many software-based products where a bug could easily kill many people in a day. (We’re just not in that type of business.)

We need absolute terms of severity

Critical simply means different things to different people, while “This will kill 1 person / day” means the same to everyone and is easily transferred between different projects and organisations.

I therefore propose that we state severity in absolute terms such as:

  1. 5+ people might die
  2. 1-5 people might die
  3. People might get physically or mentally hurt
  4. Our company might lose $100 mio+
  5. Our company might lose $1 mio+
  6. Our company might lose $10k+
  7. This bug is annoying, please fix it

Now I think we would get more accurately prioritised bugs.

One thought on “Severity Levels”

  1. rephrasing to “Our company will lose $10k+ per day this does not work” (for all amounts) – would probably yield better results.. but other than that, I totally agree 🙂

