Compliance Testing Where It Fits Into Sdlc

Published Date: 02 Nov 2017

Author(s):

Rajesh Kumar ([email protected], 9891739903)

Abstract

In the real world approximate 10% of the world population (650 million people) has some kind of disability. Three broad areas of disabilities are worthy of note, Sensory disabilities, Mobility disabilities and Cognitive disabilities. For the purposes of web accessibility, the people with above disabilities are not able to access the web applications, Software?s via internet or other usual means until the web

2

application is made compliant to accessibility guidelines like WCAG or 508 or any other kind of compliances. Report says, more than 90% of web applications are not accessible to disabled people in a clear way.

Next question arises, is your application compliant to accessibility guidelines of WCAG or 508? if yes then how many disable people are covered? And if not then as a tester, are you ready for this change? Are you familiar with the Web compliances? Do you have a plan to test for accessibility compliance? Is important web portal content accessible with assistive technology?

In this whitepaper, we are focusing on highlighting legal mandates related to Web accessibility majorly covering 508 Compliance, the remediation strategy for new applications and existing applications, the cost involved to remediate the issues, different tools and techniques can be used for remediation, Risk and Mitigation plan. And more importantly, where compliance testing fits into SDLC, it should be continuous effort to improve the accessibility of the web applications or other software. And lastly, become familiar with assistive technology and discover techniques to achieve success in web accessibility and help other people to live healthier life.

1.0 Introduction

1.1 What is Accessibility?

Accessibility is the usability of a system by people with disabilities. Accessibility is relevant to both physical locations, which may require ramps for individuals in wheelchairs, as well as Information Technology (IT) systems which require enhancements such as code additions or hardware modifications to ensure they can be used by people with disabilities. Extensive accessibility legislation is present in most of the major domestic markets for IT systems including the United States, Canada, the European Union, Australia and Japan.

1.2 Why Accessibility is important?

Making products work for� Users with visual impairments Users with hearing impairments Users with motor impairments Users with cognitive impairments People with temporary disabilities Situational limitations The aging population

Up to 19% of the population is disabled, either through birth, ageing, illness, or the result of an accident

1.2 What is Web Accessibility?

3

Web accessibility can be thought of as the usability of a web based system to a person with a disability. Web accessibility is generally concerned with ensuring that pages are designed in such a way that they interact appropriately with assistive technology devices.

1.3 Why Web Accessibility is important?

There are certain factors which makes web accessibility an important factor for current organizations. Organizations face significant risks in terms of legal fees, negative brand impact and lost revenue if accessibility is not implemented within their sites or applications. Government has mandate few compliance laws, to gain more business in government sector these compliances should be met.

2.0 Web Accessibility Compliances Laws

There are 3 major laws that forces website/web applications/portal to be web compliant.

2.1 Section 508 is actually an amendment to the Workforce Rehabilitation Act of 1973. Section 508 requires that electronic and information technology that is developed by or purchased by the Federal Agencies be accessible by people with disabilities. Section 508 provides accessibility standards for all information technology. But 508 cover all information technology and it is the only standard that does so. Computer software, hardware, and documentation are all covered by Section 508. When states wanted to require accessible information technology, they turned to the Section 508 Accessibility Standards to define "accessibility". This rule applicable to below listed areas Web sites, applications, documents devices, video/multimedia products All Federal agencies (some military excluded) Applies to development and procurement

Below tables states different standards which comes under Section 508

508 Standard Description & Solution

Alt Text

4.2.1 �1194.22(a) A text equivalent for every non-text element shall be provided (e.g., via "Alt", "Longdesc", or in the element content).

Multimedia Presentation

Equivalent text should be present on the site

Colors

Set your browser to ignore color and font styles.

Readability

Check Content by disabling Style Sheets

Server Side Image Map

Redundant text links shall be provided for each active region of a server-side image map.

Client Side Image Map

4.2.6 �1194.22(f) Client-side image maps shall be provided instead of server-side image maps except where the regions cannot be defined with an available geometric shape.

4

Data Table Headers & Associations

Row and column headers shall be identified for data tables

Frames

4.2.9 �1194.22(i) Frames shall be titled with text that facilitates frame identification and navigation.

Flicker Rate

4.2.10 �1194.22(j) Pages shall be designed to avoid causing the screen to flicker with a frequency greater than 2 Hz and lower than 55 Hz.

Text-Only Alternative

4.2.11 �1194.22(k) A text-only page, with equivalent information or functionality, shall be provided to make a web site comply with the provisions of this part, when compliance cannot be accomplished in any other way. The content of the text-only page shall be updated whenever the primary page changes.

Scripts

4.2.12 �1194.22(l) When web pages utilize scripting languages to display content, or to create interface elements, the information provided by the script shall be identified with functional text that can be read by assistive technology.

Applets and Plug-Ins

2.13 �1194.22(m) When a web page requires that an applet, plug-in or other application be present on the client system to interpret page content, the page must provide a link to a plug-in or applet that complies with 1194.21 (a) through (l).

Electronic Forms

4.2.14 �1194.22(n) When electronic forms are designed to be completed on line, the form shall allow people using assistive technology to access the information, field elements and functionality required for completion and submission of the form, including all directions and cues.

Navigation Links

4.2.15 �1194.22(o) A method shall be provided that permits users to skip repetitive navigation links

Time Delays

Provision When a timed response is required, the user shall be alerted and given sufficient time to indicate more time is required.

2.2 The Americans with Disabilities Act (ADA) which became law in 1990 is a civil rights law that prohibits discrimination against people with disabilities. The ADA generally requires employers, state and local governments and places of public accommodation to offer reasonable services or tools to insure that people are not discriminated against on the basis of disability.

2.3 Web Content Accessibility Guidelines (WCAG) introduced in 1999 as WCAG 1.0 and later updated in 2008 as WCAG 2.0. This rule was developed by W3C?s web accessibility initiative (WAI) group. This rule is adopted internationally as a standard. WCAG primarily intended for web content developers (page authors, site designers etc), Web authoring tools developers and Web accessibility evaluation tool developer. WCAG is based on four principles of accessibility.

Perceivable: Information can?t be invisible to all of the user?s senses. Operable: The interface cannot require interaction that a user cannot perform Understandable: The content or operation cannot be beyond user?s understanding

5

Robust: As technologies and user agents evolve, the content should remain accessible

WCAG also defines three conformance levels. Each success criterion is indicated by a level of conformance, which could be Level A, Level AA and Level AAA. When you create an accessibility strategy for your web site, determine which level you would like to conform with. The levels are as follows:

Level A: All Priority 1 checkpoints are satisfied. For when you conform with Level A, it means that you eliminate the major accessibility barriers. This does not mean that your web site is very accessible; it only ensures that it is accessible for the most part for most scenarios. Unless you have a specific reason to use only Level A, it is not recommended. Level AA: All Priority 1 and 2 checkpoints are satisfied. This conformance level ensures a very good level of accessibility. If you conform to Level AA, it means that your web site will be accessible for most people, under most circumstances, with most technologies they use. Level AA is what most accessible sites follow, and when WCAG conformance is required, Level AA is mostly specified. Level AAA: All Priority 1, 2, and 3 checkpoints are satisfied. This conformance level is very meticulous, ensures a very high level of accessibility, but it is also very difficult to maintain. Level AAA is relevant in very specific situations, mostly related to live material, or just to refine the requirements of Level AA

3.0 SDLC where compliance testing fits in?

It?s an open question but generally there are two best possible approaches listed below.

Business Provides the Requirements: In this requirements will come from business team, all the requirements, design docs are baseline according to compliance. In this approach role of tester will come in later stage initially BA/SA and developers work on streamlining the product and finally testing team/UAT verify the compliance. This approach is recommended for New Web Applications, business should provide all the guidelines in the form of requirement and full SDLC cycle should be followed.

Business asks QA to do full scan and report issues: This is reverse engineering approach. In this QA do the initial scan and report all the issues, then SA/BA will analyze those issues and developer will on fixing issues. In this approach QA plays a major role as all the initial work is QA responsibility. This approach will cost more as Retesting will be major effort in this approach.

6

4.0 Compliance testing in SDLC phases

Compliance testing is often carried out with the purpose of improving or

maintaining the Web content, it is closely related to the development process. At

each stage of the SDLC, different types of evaluations are carried out to assess

different aspects.

Figure illustrates a Web

development life cycle

that consists of a

��Requirements??,

�Design??,

��Implementation??, as well

as ��Operation?? stages,

each of which is

connected in a closed

loop.

7

4.1 Requirements Phase

During the requirements phase of Web development, the objectives and requirements are identified. Typically, common requirements analysis techniques such as sketches, storyboards, and personas are used to develop the requirements

and ensure that they address the needs of the end-users. The accessibility

requirements are ideally also considered during this early stage of development

as it will save valuable time and effort in addressing these requirements later.

For example, a common accessibility provision is to grant the user sufficient

time to complete tasks, such as by alerting the user before a timeout is reached.

Such provisions can influence the requirements on the overall behavior and

characteristics of the Web content

4.2 Design Phase

After the objectives and requirements are matured, first prototypes and mockups

to validate the requirements are created. During this stage of development,

formative and functional evaluations should be carried out on the overall

design concepts, for example on the document structure, the navigational

features, the color schemes, and general presentation. Also during this stage, Web accessibility standards and guidelines provide important guidance on how to design Web content that is usable by people with disabilities, for example by determining the relevant accessibility provisions and assessing how well the Web content conforms to them.

4.3 Implementation Phase

Once the overall design has matured, the realization of the actual Web content

starts during the implementation phase. This primarily involves developing the

markup code that controls the content structure, as well as the server- and

Client-side scripts that control the functional behavior of the content. For example, the implementation of a Web site should involve evaluating the individual Web pages (or representative samples thereof) as they are being developed, as well as evaluating the accessibility requirements that affect the whole Web site such as the navigation or consistency.

4.4 Operation Phase

If the Web content has been developed with consideration for accessibility and

meets certain standards for accessibility, then the evaluations that are carried

out during the operation phase are primarily intended to maintain that level of

quality or possibly to identify additional optimizations that can be made to

further improve the quality. The following are some of the different types of evaluations that are typically carried out during the operation phase; ideally these different approaches are combined:

Conformance audits � address whole Web sites or Web site parts to assess how well these meet certain Web accessibility standards and guidelines On-going monitoring � can be recurring conformance audits or evaluation of individual Web pages or Web site parts as they are being published

8

Focused assessments � examine specific aspects in more detail to

improve or optimize the accessibility solutions provided by the Web content

Exploratory audits � exploration of some of the pertinent issues to assess

the overall performance and gather requirements for future repairs.

As Compliance testing fits into each phase of SDLC, what is the impact of each

phase if single phase is skipped how much it will cost? How cost varies from testing

of existing project and new project?

Table states that how cost varies from each phase to another, skipping a single

phase will make a huge impact on project cost.

Source: Mynott C et al (1994)

5.0 Compliance Testing Strategy

In General there are three best possible ways of accessibility testing. While these

techniques overlap in many of the accessibility issues that they can address, each

one is more apt for addressing specific types of issues. Optimal results are

achieved by combining different approaches to benefit from each of their specific

advantages.

Figure: Relationship between Web accessibility testing techniques

9

5.1 Automated Testing (30%)

Automated testing is carried out without the need for human intervention. It is

cost effective and can be executed periodically over large amounts of Web pages. At the same time, automated testing only addresses a subset of the accessibility provisions set out by most standards generally 30 % of overall testing.

In general, one could differentiate between the following types of automated testing: Syntactic checks � analyze the syntactic structure of the Web content such as checking the existence of ALT-attributes in IMG elements or LANG attributes in the root HTML elements, and others. While these types of syntax checks are reliable and quite simple to realize, they only address the minor subset of the provisions that relate to syntax issues Heuristic checks � examine some of the semantics in the Web content such as the layout and markup or the natural language of information. While these types of checks cover a broader range of provisions they are considered less reliable and usually only serve as warnings for human evaluators to further validate and confirm potential accessibility issues Indicative checks � use statistical metrics and profiling techniques to estimate performance of whole Web sites or large collections of Web content. While these checks are too imprecise for detailed assessment of the Web content, they are useful for large-scale surveys, for example to monitor the overall developments in the public sector of a country

Figure shows Reports generated from Automation Tool.

10

5.2 Manual Testing (25-30%)

In practice, the majority of the tests need to be carried out by human evaluators,

even if they are sometimes guided or supported by software tools. For example,

while software tools can quickly determine the existence ALT-attributes in

HTML IMG elements, human evaluators need to judge the adequacy of the

text in these attributes. In general, one can differentiate between the

following types of manual testing:

Non-technical checks � can be carried out by non-technical evaluators such as content authors, for example to determine if the ALT-attributes describes the purpose of the images appropriately or if the captioning (or transcriptions) for the multimedia content is effective and correct Technical checks � are usually carried out by Web developers who have

technical skills and basic knowledge about Web accessibility. Such checks

typically address markup code and document structure as well as compatibility with assistive technology and other programming aspects Expert checks � are carried out by evaluators who have knowledge of how

people with disabilities use the Web and who can identify issues that relate to the user interaction.

Manual Testing also includes testing using assistive technologies. Most people with severe disabilities use assistive technology in conjunction with core operating system functions to access information in electronic systems. Assistive technology commonly refers to products, devices or equipment, whether acquired commercially, modified or customized, that are used to maintain, increase or improve the functional capabilities of individuals with disabilities. Assistive technologies that are commonly used by people with disabilities to interact with electronic documents include: Screen readers which translate the text of electronic documents into speech. People who are blind are the primary users. Braille keypads render the text of web pages in a refreshable Braille display. People who are blind are the primary users. Screen magnification software enlarges selected components of the computer screen. People with low visual acuity (low vision) are the primary users. Voice-recognition software translates speech into text and allows for control of a web browser utilizing only voice commands. People who have mobility disabilities are the primary users. Head pointers take the place of the mouse and allow individuals without fine motor control to move a mouse pointer around the screen. People who have mobility disabilities are the primary users.

11

Below detail chart shows which all 508 compliance standards can be tested using automation tool, assistive tools and manually. 508 Standard Mode of Testing

Alt Text

Automation & Manual

Multimedia Presentation

Manual

Colors

Manual

Readability

Manual

Server Side Image Map

Automation

Client Side Image Map

Automation

Data Table Headers & Associations

Automation & Assistive

Frames

Automation & Assistive

Flicker Rate

Automation

Text-Only Alternative

Automation & Assistive

Scripts

Automation & Manual

Applets and Plug-Ins

Automation & Manual

Electronic Forms

Automation & Assistive

Navigation Links

Assistive

Time Delays

Manual

5.3 Global Testing

Global testing is carried out by real end-users rather than by human evaluators or

by software tools. It focuses on the end-users and how well the technical solutions match their needs in a specific context. For example, it is generally good practice to provide orientation cues and landmarks to help users to navigate through the

web content. At the same time, too many cues can be irritating or even become

a barrier in itself. While it is the goal of accessibility standards to capture such

conflicts and define provisions to avoid them, studies show that even experienced

usability evaluators only find about 35% of the problems on average the same applies to accessibility. Involving people with disabilities during an evaluation helps clarify the accessibility issues and implement more effective accessibility solutions

In general one can differentiate between two modes

Informal checks � are simple and can be carried out by non-experts, for example by asking individual persons like friends or colleagues for their opinions. While these types of quick checks can be effective and useful, they are coarse and thus prone to personal bias and preferences Formal checks � are usually carried out by professionals who follow well established usability procedures. It is important that the evaluators can identify a sufficiently diverse user base and appropriate user tasks, as well as have expertise in how people with disabilities use the Web.

12

6.0 Test Writing Strategies - Accessibility

In general Web testing we follow approach to divide modules, write use cases and report defects. Now next question arises is that same approach can be used for Web accessibility testing? Answer to this is yes, but criteria in selecting modules, use cases are bit different. Below data will give details about creating modules and use cases.

6.1 Module List Creation Guide

The Module List defines the list of system components. For web and software based systems, the module list is the set of screens and visual components tested within the application. For web sites, this generally maps to individual pages within the site or to UI components. For software applications, this maps to individual panes in the application or to UI components. For hardware systems, it is a combination of individual controls, standard control groups, and displays on the device. In selecting the modules several factors should be considered such as occurrence rate, type of navigation either simple or complex, whether templates are used, and complexity of the page like, features such as site search as they are expected to be used more widely by disabled persons

6.2 Use Case Creation Guide

There are few factors that need to taken care while writing use cases. Name should be terse and specific. Goal should be defined in the user?s own words as a whole task that they are trying to accomplish in the application Generally the �Home� should be the starting point for any specific use case. Issues list the issues found in a system. This field is used by testers and should be blank by default. Level two directives define the specific actions that the user must take to accomplish the level one action. Generally the last action in a list of level two directives should be to confirm that the action has occurred. The idea here is that visually, users will get some indication that an action has occurred and we want to make sure that same information is available to non-visual users. When the tester can enter in any value they like no value need be specified. In this case there is real specific login information. Whenever users enter values into a form a later step in the use case should be to confirm that the value entered into the form is correct. Visual users tend to do this sub-consciously � scanning application state to make sure that information entered in a prior step was entered properly. Specific names should be in quotes. For default values that it is unlikely will be changed just have the user review the value is correct. Overall score for the use case. Filled in by the tester

13

7.0 Additional Cost, Support and Timeframes

During any project lifecycle there are three major factors that will come in picture Cost, Support and Timeframe. Apart from regular testing cost, compliance testing incurs additional cost as additional tools need to procure, additional effort to verify compliance standards by different teams. Below listed points will explain the impact of these factors during compliance testing.

Tools Procurement: Additional cost related to purchase tools for automation testing and Assistive technology tools. BA and SA team support to gather and finalize requirements for different compliance Laws. Development team effort to understand the requirement and then to implement those requirements. QA team performing full site scan for compliance laws (approx 85 hours per site) Defect Management Master Test Plan Updations Timelines for scans vary from release to release, generally full scan is required during Major Releases Compliance Laws changes every year, to remain compliant Team need to be updated with latest standards. Scanning frequency will increase as Laws changes. Training required to Dev/SA and QA staff on different compliance laws. Trainings can be on automation tools, Assistive tools, Manual Testing and Awareness related to different laws.

8.0 Tools Recommendation Strategy

To select a particular tool Accessibility Testing Software Committee can be formed. The purpose of the committee is to review software that tests the website for accessibility and make recommendations on software to purchase. Different products can be selected and Vendors can provide web based demonstrations for the products. After the demonstration evaluation copy can be taken from different vendors and product can be evaluated as per requirement. There are various factors that need to taken into consideration while finalizing automation or assistive technology tool.

Out of box functionality Scan Customization Report Customization Ease of Use � Website scanning Ease of Use � Issues reports Technical Documentation Trainings Current Age of product Size of organization/company How long the company has been in business and the accessibility software arena Profit vs. not-for-profit

14

9.0 Risks

Organizations face significant risks in terms of legal fees, negative brand impact, and lost revenue if accessibility is not implemented within their sites or applications. The business case for implementing accessibility can be seen in light of reducing the risk associated with each of these risk factors. Each risk is a cost to your organization, with the total cost equal to the total potential damage multiplied by the likely rate of an occurrence. Given the scope of the operations of most major organizations today, and the multi-year span of such a risk analysis, an average organization faces the potential for significant damages if accessibility is not addressed in the near term.

Web accessibility lawsuits in the US tend to happen most frequently with sites that get a lot of traffic and to different companies in the following industries: Finance and Insurance Healthcare Travel E Commerce Government Education

There are possibilities Organizations most likely to get sued if they are not compliant. There different organization that have been sued.

Stats are stated below. Fortune 100: 8 Fortune 101-500: 11 Fortune 501-100: 26

It is very important to understand the risk associated with it and calculating it in advance. Organization with one of 6 types mentioned above and with large web traffic are at more risk. Probability increases with each factor. Below stats shows how much risk in terms of cost.

Fortune 100: $10,000,000+ Fortune 101-1000: $2,000,000 Small: $1,000,000

Source: http://www.karlgroves.com/2011/11/15/list-of-web-accessibility-related-litigation-and-settlemen

15

Two out of three Americans report having lost interest in a technology product

because it seemed too complex to set up or operate.� - Philips Index (2004)

Product Experience

10.0 Benefits

Many benefits can be derived from developing web compliant products. One of the

biggest advantages is that the U.S. government purchases well over $100 billion in

E&IT every year, and companies that deliver web compliant products can

participate in selling products to the U.S. government. During the third quarter of

fiscal year 2005 alone, the U.S. government awarded over $67 billion in E&IT -

related prime contracts!

Additional benefits of producing web compliant products include the ability to

deliver products that are more accessible, usable, and useful for an increased

number of consumers in addition to consumers with disabilities. The E&IT access

needs of consumers living in big emerging markets vary greatly from that of the

United States and are surprisingly similar to the access needs of people with

disabilities. These important consumer groups include

Users who speak English as a second language (ESL);

People living in countries where bandwidth is low;

People 65+ years of age;

Individuals who never learned to read;

People living in societies that speak many languages; and,

Consumers living in countries where the average population density is high.

16

11.0 Case Study

For one of our portal applications we got the requirement to test 508 compliance testing. Initially only 2 standards are chosen out of 15 to perform the scan.

11.1 Goals Verify Alt Text: �1194.22(a) A text equivalent for every non-text element shall be provided (e.g., via "Alt", "Longdesc", or in the element content). Verify Navigation Links: �1194.22(o) A method shall be provided that permits users to skip repetitive navigation links

11.2 Actions Taken:

Testing Alt Text: Testing this standard involves both automation and manual effort. There are different use cases which all are tested using different techniques.

Automation testing tool: Automation tool is used to verify cases such as �Are Alt tags provided for every image/animated image/applet/ Programmatic objects?�, �Are ALT tags provided for every hotspot on an image map?�, �Are ALT tags provided for Images used as spacers?� and Are ALT tags provided for Images used as list bullets? Manual Testing: is done to verify cases such as �Ensure CSS background images that convey meaning have textual equivalents�, �Ensure alternative text for images is spelled and spaced correctly�, �Ensure text is used instead of images of images of text when technology allows unless it is essential� and �Provide mathematical formulas in appropriate mark up�

Testing Navigation Links: Testing this standard involves use of assistive technologies and manual testing.

Assistive technology: It is tested using assistive technology tools such as screen reader. Reader will provide an option to the user to skip repetitive content displayed on page. User need to perform keyboard action to skip repetitive action. Tool is also used to verify that rest content on the page is read properly after skipping common navigation. Manual testing: is done to verify use cases such as �Ensure a valid skip link is present and located appropriately�, �Ensure speech is not the only mean to access content� , �Ensure page use consistent navigation structure� and �provide a mechanism for skipping past repetitive navigation links�

11.3 Results 45 pages are scanned and tested for above mentioned standards Portal is made compliant to above two standards

17

12.0 Web Compliance Checklist

Web Standards Compliant Checklist

Site: ________________________________________

Date: _________________

Assistive Technology: Name of tools used

Fully Compliant (FC) = All instances are fully Compliant.

Partially Compliant (PC) = There is a mixture of FC, PC or NC.

Non-Complaint (NC) = All instances are Non-Complaint.

Not Applicable (N/A) = There are no instances on the page.

ID

Check

FC

PC

NC

N/A

1

Alt Text

2

Multimedia Presentation

3

Colors

4

Readability

5

Server Side Image Map

6

Client Side Image Map

7

Data Table Headers & Associations

8

Flicker Rate

9

Frames

10

Time Delay

11

Scripts

12

Navigation Links

13

Electronic Forms

14

Applets and Plug-Ins

15

Text-Only Alternative

Enter the ID number and an explanation for any Partially Compliant (PC) or Non-Compliant (NC) results from above.

ID

Explanation