A Formal Control Model for Risks Management within Software Projects

Felipe Rafael Motta Cardoso, Paulo Marcelo Tasinaffo, Denis Ávila Montini, Danilo Douradinho Fernandes, Adilson Marques da Cunha, Luiz Alberto Vieira Dias

Brazilian Aeronautics Institute of Technology (Instituto Tecnológico de Aeronáutica – ITA), São José dos Campos, Brazil

felipemc@ita.br, tasinafo@ita.br, denisavilamontini@yahoo.com.br, danilodf@gmail.com, cunha@ita.br, vdias@ita.br

Abstract - This paper presents a proposed Formal Control Model (FCM) using a Colored Petri Net (CPN) and an inspection form for risks management within a software project. The basis for this model was the risk areas of the Capability Maturity Model Integration for Software Development (CMMI-DEV). Integrating risk elements from a formally defined quality model with a graphical and mathematical modeling tool has provided risks management. In the context of a Management Information System (MIS), an FCM prototype was developed to reduce dependence on human inference, supporting organizational goals to track critical points for decision makers. The major contribution of this paper is the conceptualization and application of the FCM. The proposed model was applied to a project within the financial department of a CMMI level 5 enterprise. It was able to identify, control, and manage the risks of software development. Finally, a successful case study was performed involving two experiments, Project Planning (PP) and Risk Management (RSKM). Their assessments have shown that, after the proposed FCM was executed, PENDING activities were completely fixed.

Keywords: Software Project Risks Management, Petri Nets, Capability Maturity Model Integration for Development - CMMI-DEV, Formal Methods, Management Information System.

I. INTRODUCTION

Enterprises are increasingly using information systems to do business.
Security incidents can directly and negatively impact enterprises’ images and also their trust relationships with customers, networks and suppliers [1]. Information analysis has been one of the key factors for conquering new markets and keeping existing ones. It requires the mechanisms involved in information handling to be confidential, fair, available, and free from ambiguity. In spite of security incidents, organizations have continued operating and creating value for their stakeholders. Information security has come to include broader concepts, not only those related to technologies and protection tools. The concept of security has been added as one of the pillars that support the business strategy for decision makers.

Nowadays, the safe development of information systems requires the use of methods, techniques, and tools that provide a semantic and systemic analysis of project risks throughout the software life cycle. The use of continuous improvement concepts based on evolutionary models (or maturity processes) supports software development. This research addresses risk elements that impact project objectives.

The concern with process improvement has been leading large organizations to develop and maintain best-practice models, showing which guidelines reflect success or failure. One of the models used and accepted by the world community is the Capability Maturity Model Integration (CMMI) [2], developed by the Software Engineering Institute (SEI). The CMMI assesses the quality processes of organizations and provides guidance on what should be done or changed in order to attain more advanced maturity levels. The extraction of the CMMI risk areas and the use of a mathematical formalism to develop a model for risks management provide an important element as part of a Management Information System (MIS) [3] to assist an organization.
Software systems may have two types of complexity: essential and accidental. The essential complexity of software systems increases as computer applications deal with a growing number of requirements and critical variables [4]. Ambiguous requirements raise the accidental complexity of risks management for a software project development. A solution that can help in managing the accidental complexity is the use of a Formal Control Model (FCM). An FCM supports an MIS [3] by verifying, through a formal approach, whether the key points of a project solve the proposed problem.

In a context of quality control, backed by security in the development of software projects, this research paper presents a prototype of an FCM that is able to verify the behavior of a generated product, considering its specification. It describes a fragment of ongoing research taking place at the Computer Science Department of the Brazilian Aeronautics Institute of Technology (ITA). It presents a prototype of a Formal Control Model for the Risk Management of a Software Project. This FCM application provides better inspections within project information systems and dependences reductions on