crusspic-stmpl-heuristic
Pure-reference catalog of James Bach's CRUSSPIC STMPL heuristic - twelve quality criteria a tester can evaluate a system against. CRUSSPIC: Capability, Reliability, Usability, Security, Scalability, Performance, Installability, Compatibility. STMPL: Supportability, Testability, Maintainability, Portability, Localizability. Use as the quality-criteria checklist for evaluating a product holistically; complementary to ISO/IEC 25010 quality model.
crusspic-stmpl-heuristic
Overview
CRUSSPIC STMPL is James Bach's quality-criteria mnemonic - twelve categories of "what does it mean for this system to be good?" Published in James Bach's testing-curriculum materials (satisfice.com) and widely taught.
It overlaps with ISO/IEC 25010:2023 (the formal software- quality model) but offers a more practitioner-friendly mnemonic form that fits in an exploratory tester's working memory.
This skill is a pure reference consumed by exploratory-charter-author when shaping a session's evaluation lens, and by the product-risk-register-builder when categorising risks (see its "Quality characteristic" step).
When to use
The twelve criteria
CRUSSPIC - primary criteria
C - Capability
Does the system do what's claimed?
Functional correctness - the product performs its stated functions. Maps to ISO/IEC 25010 "Functional suitability."
Test heuristics: HICCUPPS-F's Claims oracle + Coverage from FCC CUTS VIDS.
R - Reliability
Does the system work consistently over time?
Maps to ISO 25010 "Reliability."
U - Usability
Can the user figure out how to use it?
Per Nielsen's usability heuristics.
S - Security
Is the system safe from misuse?
Maps to ISO 25010 "Security." Composes with qa-sast, qa-dast, qa-secrets, qa-test-data-privacy.
S - Scalability
Does the system grow with load?
Composes with qa-load-testing.
P - Performance
Is the system fast enough?
Distinct from Scalability - performance is "fast for the user"; scalability is "still fast when load grows." Composes with qa-load-testing.
I - Installability
Can the user install + configure the system?
Maps to ISO 25010 "Portability - Installability."
C - Compatibility
Does the system work alongside other things?
Maps to ISO 25010 "Compatibility." Composes with qa-compatibility.
STMPL - secondary (operational) criteria
S - Supportability
Can the support team diagnose + fix issues?
A system with terrible logs is hard to support even when it's otherwise high-quality.
T - Testability
Can the testers verify the system?
A system that's hard to test usually has worse quality everywhere else.
M - Maintainability
Can the team change the system?
Maps to ISO 25010 "Maintainability."
P - Portability
Can the system move between environments?
Maps to ISO 25010 "Portability."
L - Localizability
Can the system be adapted to other languages + cultures?
Composes with qa-localization.
Mapping to ISO/IEC 25010
ISO 25010 has 8 top-level characteristics:
| ISO 25010 | CRUSSPIC STMPL |
|---|---|
| Functional suitability | C (Capability) |
| Reliability | R (Reliability) |
| Usability | U (Usability) |
| Security | S1 (Security) |
| Performance efficiency | P1 (Performance), S2 (Scalability) |
| Compatibility | C2 (Compatibility) |
| Maintainability | M (Maintainability), T (Testability), S3 (Supportability) |
| Portability | I (Installability), P2 (Portability), L (Localizability) |
CRUSSPIC STMPL is more granular; ISO 25010 is more formal. The two are complementary, not substitutable. Per ISO/IEC 25010:2023 (cite by stable ID).
Worked example - applying CRUSSPIC STMPL to a release review
Pre-release review:
## Release v3.0 quality-criteria walkthrough
- **C — Capability:** Functional acceptance tests 98% pass. ✓
- **R — Reliability:** Last 30 days uptime 99.94% (SLA: 99.9%). ✓
- **U — Usability:** User research session N=8; 7/8 completed
signup without help (target: 6/8). ✓
- **S — Security:** Last pen-test 2026-03; all critical findings
fixed; SAST + DAST clean. ✓
- **S — Scalability:** k6 load test at 10x expected peak passed
with p99 < 800ms. ✓
- **P — Performance:** p95 latency 220ms (target 300ms). ✓
- **I — Installability:** New install flow 5 steps; user testing
4/5 completed. ✓
- **C — Compatibility:** Browser matrix Chrome / Firefox / Safari
all current + N-1 tested. ✓
- **S — Supportability:** All log lines structured; trace IDs
end-to-end. ✓
- **T — Testability:** E2E suite runs in 18 min; deterministic
mode available. ✓
- **M — Maintainability:** Sonar tech-debt rating A. ✓
- **P — Portability:** Cloud-portable (Terraform); no AWS-specific
primitives. ✓
- **L — Localizability:** All UI strings extracted to ICU
messages; 7 locales supported. ✓
Verdict: cleared for release.Anti-patterns
| Anti-pattern | Why it fails | Fix |
|---|---|---|
| Treating CRUSSPIC STMPL as flat | Some criteria matter much more for some products (Security for fintech, Localizability for global B2C) | Weight per product context |
| Confusing Performance with Scalability | "Fast" doesn't mean "stays fast under load" | Test both independently |
| Treating Maintainability + Testability as "developer concerns" | They're quality criteria the tester evaluates | Include in release walkthrough |
| Skipping Supportability | Released system unmaintainable in production | Always walk S |
| One person evaluates all 12 | Inter-criterion expertise differs | Distribute walkthrough across team |
| Walkthrough at release time only | Quality criteria degrade silently between releases | Continuous monitoring per criterion |