After completing this chapter, you will be able to:
Other engineering domains such as mechanical, chemical, electrical, or physics engineering are based on the laws of nature as discovered by scientists. Figure 4.1 illustrates some of the many laws of nature.
Unfortunately, software engineering, unlike other engineering disciplines, is not based on the laws of nature. This explains, in part, some of the setbacks discussed in Chapter 1. The number of defective software, accidents and deaths, projects over budget and that are delivered past deadlines, and frustrated users are some examples of these setbacks.
The development of software is based only on the laws of logic and mathematics. Software engineering, like other disciplines, is based on the use of well-defined practices for ensuring the quality of its products. In software engineering, there are several standards, which are actually guides for management practices. A rigorous process is the framework for the way standards are developed and approved including, among others, international ISO standards and standards from professional organizations such as IEEE.
The four principles for the development of ISO standards are:
The ISO standards are developed by consensus, as defined below. Consensus is required to produce a standard that will be accepted by the community of interest.
Consensus means (adapted from Coallier (2003) [COA 03]):
The first condition to bear in mind is that standards, which differ from other written guidelines, are quasi-legal documents. Standards can be used either to prove or refute elements in a court of law. Standards often become legal requirements when they are adopted by governments and regulatory agencies. When this occurs, the content of a standard is important, since organizations then use it to develop products and services that can greatly impact human life, the environment, or business.
The right-hand side of Figure 4.2 shows the development of standards as of the 1970s when the American Department of Defense (DoD) created the “DoD-STD-1679A” military standard [DOD 83]. At that time, a contract was given to a supplier to develop a piece of software, and it took months, if not a year before receiving the final product. Since the client did not see any development with this process, and, in the end, received boxes containing documents and magnetic tape, this approach was called the “Big Bang.” The DoD then decided that the entire software development process had to become more transparent to allow documents produced throughout the development cycle to be evaluated. The military standard required that the supplier write and have a number of documents approved. These approvals allowed clients to review, comment, and approve documents instead of waiting until the end and receiving software that did not meet their needs. Review and approval activities for documents were related to certain project management activities: the approval of these documents led to the payment of a large sum of money as agreed to in the contract with the supplier. This enabled the client to remotely control the development of the requested software. Over the years, other organizations such as the IEEE, the International Organization for Standardization (ISO), and the European Space Agency (ESA) developed standards. During the late 1980s, the American DoD decided to use commercial standards instead of military standards, such as ISO/IEC/IEEE 12207 [ISO 17], to develop its software. Military software engineering standards were then removed.
On the left-hand side of the figure, we note the “Capability Maturity Model” (CMM®). It was developed at the request of the American DoD, by the Software Engineering Institute (SEI) in order to provide a road map of engineering practices to improve the performance of the development, maintenance and service provisioning processes. This model is described in a later section.
Figure 4.3 illustrates the evolution of standards that are maintained and published under the responsibility of the appointed subcommittee for standardized processes, tools, and supporting technologies for software engineering and systems: ISO/IEC JTC1 SC7.
In the 1980s, there were only five standards; in 2016, more than 160 standards make up the portfolio of sub-committee 7 (SC7). This rapid increase is due, among others, to the fact that more software engineering practices have matured and acquired a broad consensus since the late 1980s.
More than 39 countries actively participate in the development of SC7 standards and 20 countries participate as observers. For countries that actively participate and have the right to vote, the meaning of the Greek word “ISOS” implies that the vote of any ISO member country is equal to the vote of any other country, no matter its size, economic, or political influence.
The majority of software engineering standards of SC7 describe proven practices such as configuration management and quality assurance (QA) practices, while a small number of standards, such as ISO 25000 presented in the previous chapter, describe product requirements.
The ISO/IEC/IEEE 24765 [ISO 17a] glossary will be used as the reference for most of the definitions in this book. When a term is not defined in the ISO 24765, the definition of another standard will be used, such as ISO 9001, the IEEE standard or CMMI® for Development [SEI 10a].
In recent years, some software engineering standards in the portfolio of SC7 saw their scope expanded as the practices described can be applied to a wider area than software engineering alone. For example, the scope of software engineering standards of verification and validation, risk management, and configuration management has been extended to cover the field of systems engineering that develop products which often include hardware (e.g., electronic, mechanical, and optical) and software. Thus, a greater number of engineers and developers use the same standards. This facilitates communication between different domains.
In a previous chapter, we presented the notions of cost of quality and business models. Regarding cost of quality, standards are an element of prevention costs: in other words, the costs incurred by an organization to prevent errors from happening during different stages in the development or maintenance process. Table 4.1 lists the different prevention cost elements. Purchasing, training, and standards implementation are also prevention costs.
Table 4.1 Prevention Costs (Adapted from Krasner (1998) [KRA 98])
Majorcategory | Subcategories | Definition | Typical cost |
Prevention costs | Quality basis definition. | Efforts to define quality, set quality goals, standards, and thresholds. Quality trade-off analysis. |
Defining release criteria for acceptance testing and related quality standards. |
Project and process-oriented interventions. | Efforts to prevent poor product quality or improve process quality. | Training, process improvements, metrics collection, and analysis. |
We will briefly review the main business models in the software industry, namely (adapted from Iberle (2002) [IBE 02]):
The standards are commonly used in the following business models: custom systems written on contract, mass-market software and commercial and mass-market firmware. In these business models, standards are used to optimally manage development and minimize errors and risks. As for the “Custom systems written on contract” business model, it is the client who will decide whether or not to impose standards.
In this chapter, we present a brief overview of some standards: process standards, product standards, and quality systems. We also present the CMMI model because its widespread use has made it a de facto standard.
This section describes the main standards related to the management of software quality: ISO 9000 [ISO 15b] and ISO 9001 [ISO 15] and the application guide for software, the ISO/IEC 90003 standard. We also present a brief overview of the quality standard for the medical domain.
As described on the ISO website, “The ISO 9000 family addresses various aspects of quality management and contains some of ISO's best known standards. The standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer's requirements, and that quality is consistently improved.” The ISO 9000 family includes the following four standards.
The ISO 9001 standard provides the basic concepts, principles and vocabulary of quality management systems (QMS) and is the basis for other standards for QMSs [ISO 15]. The “Quality Management Principles” (QMP) are a set of values, rules, standards, and fundamental convictions regarded as fair and that could be the basis for quality management. ISO 9001 proposes the following for each QMP:
The seven QMP of the ISO 9001, presented in order of priority, are [ISO 15]:
- Organizations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations.
- Leaders establish unity of purpose and direction of the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization's objectives.
- People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization's benefit.
- A desired result is achieved more efficiently when activities and related resources are managed as a process.
- Identifying, understanding, and managing interrelated processes as a system contributes to the organization's effectiveness and efficiency in achieving its objectives.
- Effective decisions are based on the analysis of data and information.
- An organization and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value.
As an example, the first principle of customer focus is described in detail [ISO 15]:
- The main objective of quality management is to satisfy customer requirements and strive to exceed their expectations.
- Sustainable performance is achieved when an organization obtains and retains the confidence of customers and of other interested parties. Every aspect of the interaction with customers provides an opportunity to create more value for the customer. Understanding the current and future needs of customers and other stakeholders contributes to the sustainable performance of the organization.
- Increased customer value
- Increased customer satisfaction
- Improved customer loyalty
- Improved recurring business activity
- Improved corporate image
- Expanded customer base
- Increased sales and market share
- Identify direct and indirect customers for which the organization creates value.
- Understand the needs and expectations of current and future customers.
- Link the objectives of the organization to the needs and expectations of its clients.
- Communicate the needs and expectations of clients at all levels of the organization.
- Plan, design, develop, produce, deliver, and support products and services to meet the needs and expectations of customers.
- Measure and monitor customer satisfaction and take appropriate action.
- Identify the needs and expectations of interested parties that may affect customer satisfaction and take appropriate action.
- Actively manage relationships with customers to achieve sustainable performance.
The ISO 9001 standard [ISO 15] applies to all organizations regardless of size, complexity, or business model. ISO 9000 specifies requirements for a QMS, as defined in the following text box, for both internal groups and for external partners.
ISO 9001 [ISO 15] is used worldwide in a wide range of organizations. About a million certificates of conformity to ISO 9001 are issued annually in nearly 187 countries.
ISO 9001 uses the process approach, the Plan-Do-Check-Act (PDCA) approach, and a risk-based thinking approach [ISO 15]:
The ISO 9001 [ISO 15] standard indicates that an organization can use a complementary improvement approach to that of the continuous improvement approach such as a drastic change, an innovation or a reorganization.
Figure 4.4 shows the elements of a process and the interaction between these elements. Note that the figure shows the links between processes with “Input sources” (e.g., upstream process) and “Target outputs” (e.g., downstream processes) to illustrate that a process does not work in isolation in an organization. The organization must master not only the elements of a process, but also the interactions and interdependencies between them, in order to improve its overall performance, such as reduced rework as presented in the section on the cost of quality.
Also note that one of the output elements in Figure 4.4 is a service. ISO 9000 defines a service as follows: output of an organization with at least one activity necessarily performed between the organization and the customer. For example, in software development, the organization that developed software for its client could offer implementation services and maintenance of the software.
ISO 9001 describes the elements of the PDCA cycle as follows [ISO 15]:
The requirements of ISO 9001 are presented in the following 10 items:
We have only briefly described the main articles of the standard. In regards to article 4, ISO 9001 [ISO 15] requires the organization to determine the pertinent external and internal issues. These issues, as for the needs and expectations of the interested parties, the QMS and its scope, have a great influence on the ability to achieve the expected results of its QMS. Article 5 of the standard explains that management must demonstrate leadership and commitment to the QMS and that the customer must ensure the establishment of the quality policy of the organization and must ensure that the responsibilities and authorities of roles have been assigned, communicated, and understood. Article 6 describes the actions to be implemented in regards to the risks and opportunities, the objectives of the QMS, the planning of actions to achieve these objectives, and the planning of changes to the QMS. Article 7 presents the requirements for resources for the establishment of the QMS, its implementation, updating, and the continuous improvement of the QMS: human resources, infrastructure, resources for monitoring, measurement, traceability, the knowledge and skills required of personnel, the needs of internal and external communication and documentation (e.g., creating, updating). Article 8 describes in detail the implementation of operational activities of the organization such as the process planning, the determination and review of the requirements of its products and services, design and development, products and services processes of its external suppliers, production and release of its product and services, and the identification of non-compliant output elements compared with requirements. Article 9 describes the requirements for performance evaluation, such as monitoring the extent of analysis and evaluation, customer satisfaction, internal audits, and management reviews of the QMS. Finally, article 10 provides the requirements for improvement such as improving customer satisfaction, non-compliance and corrective actions, and continuous improvement of the QMS.
The ISO 19011 standard [ISO 11g], which establishes guidelines for internal and external audits of QMSs, will be presented in the chapter on audits. ISO 9004 [ISO 09a], which shows how to increase the efficiency and effectiveness of a QMS, will be presented in the chapter concerning policies and processes.
The ISO/IEC 90003 [ISO 14] standard provides guidelines for the application of the ISO 9001 standard to computer software. It provides organizations with instructions for acquiring, supplying, developing, using and maintaining software. The following text box is part of the introduction to the ISO 90003 standard.
An example, Section 7.3.5 of the ISO 9001 standard is provided below as it is presented in the ISO 90003 standard.
The explanatory text from the ISO 90003 standard for Section 7.3.5 is shown in the following text box.
The text of the ISO 90003 standard correctly explains what a software audit is for the organization wishing to set up a QMS as well as for the QMS auditor.
The next section discusses the ISO/IEC/IEEE 12207 [ISO 17] standard for software engineering, which describes all the software life cycle processes (from cradle to grave).
The third edition of the ISO/IEC/IEEE 12207 standard [ISO 17] establishes a common framework for software life cycle processes. It applies to the acquisition of systems and software products and services, supply, development, operation, maintenance, and disposal of software products and the development of the software part of a system, whether performed internally or externally to an organization. In this standard, the software also includes the firmware. Each process of the standard is described in a few pages, and includes the following attributes [ISO 17]:
ISO 12207 [ISO 17] defines four sets of processes as shown in Figure 4.5:
As most modern systems are now controlled by software, the ISO 12207 [ISO 17] standard has been updated to interface with the new edition of the standard in engineering systems: ISO/IEC/IEEE 15288 [ISO 15].
Since ISO 12207 [ISO 17] is an important software engineering standard, we briefly describe one process (we will not describe the details of each task): The QA process [ISO 17]:
- The purpose of the QA process is to help ensure the effective application of the organization's quality management process to the project.
- QA focuses on providing confidence that quality requirements will be fulfilled. Proactive analysis of the project life cycle processes and outputs is performed to assure that the product being produced will be of the desired quality and that organization and project policies and procedures are followed.
- As a result of the successful implementation of the QA process:
- Project QA procedures are defined and implemented.
- Criteria and methods for QA evaluations are defined.
- Evaluations of the project's products, services, and processes are performed, consistent with quality management policies, procedures, and requirements.
- Results of evaluations are provided to relevant stakeholders.
- Incidents are resolved.
- Prioritized problems are treated.
- The project shall implement the following activities and tasks in accordance with applicable organization policies and procedures with respect to the measurement process.
Note IEEE 730-2014 [IEE 14], software quality assurance (SQA) processes, provides additional detail.
- Prepare for QA. This activity consists of the following tasks:
- Define a QA strategy.
- Establish independence of QA from other life cycle processes.
- Perform product or service evaluations. This activity consists of the following tasks:
- Evaluate products and services for conformance to established criteria, contracts, standards, and regulations.
- Monitor that verification and validation of the outputs of the life cycle processes are performed to determine conformance to specified requirements.
- Perform process evaluations. This activity consists of the following tasks:
- Evaluate project life cycle processes for conformance.
- Evaluate tools and environments that support or automate the process for conformance.
- Evaluate supplier processes for conformance to process requirements.
- Manage QA records and reports. This activity consists of the following tasks:
- Create records and reports related to QA activities.
- Maintain, store, and distribute records and reports.
- Identify incidents and problems associated with product, service, and process evaluations.
- Treat incidents and problems. This activity consists of the following tasks:
- Record, analyze, and classify incidents.
- Identify selected incidents to associate with known errors or problems.
- Record, analyze and classify problems.
- Identify root causes and treatment of problems where feasible.
- Prioritize treatment of problems (problem resolution) and track corrective actions.
- Analyze trends in incidents and problems.
- Identify improvements in processes and products that may prevent future incidents and problems.
- Inform designated stakeholders of the status of incidents and problems.
- Track incidents and problems to closure.
The ISO 12207 standard can be used in one or more of the following modes [ISO 17]:
The ISO 12207 standard describes the limitations to its use as follows (adapted from [ISO 17]):
- The users of this document are responsible for selecting a life cycle model for the project and mapping the processes, activities, and tasks in this document into that model. The parties are also responsible for selecting and applying appropriate methodologies, methods, models, and techniques suitable for the project.
- It is intended to be compatible with the QMS specified by ISO 9001, the service management system specified by ISO/IEC 20000-1 [ISO 11h], and the information security management system (ISMS) specified by ISO/IEC 27000.
- ISO/IEC/IEEE 15289 addresses the content for life cycle process information items (documentation).
With the abandonment of military standards that defined the content and format of information elements, the international community developed a standard, ISO 15289 [ISO 17b], in support, among others, to ISO 12207 [ISO 17], to facilitate the description of the different types of information items to be produced.
The clauses of ISO 12207 [ISO 17] list the artifacts to produce without defining the content. The ISO 15289 standard describes seven types of documents: request, description, plan, policy, procedure, report, and specification. These document types are described in Table 4.2.
Table 4.2 Generic Types of Information Items Described by the ISO 15289 [ISO 17b]
Type | Purpose | Sample output |
Description | Represents a plan or an existing function, design or item. | Description of the design |
Policy | Establish an organization's high-level intention and approach to achieve objectives for, and ensuring effective control of, a service, process, or management system. | Quality management policy |
Plan | Define when, how, and by whom specific processes or activities are to be performed. | Project plan |
Procedure | Defines in detail when and how to perform certain activities or tasks including tools needed. | Problem resolution procedure |
Report | Describe the results of activities such as investigations, assessments, and tests. A report communicates decisions. | Problem report Validation report |
Request | Record information needed to solicit a response. | Change request |
Specification | Provide requirements for a required service, product, or process. | Software specification |
For example, the ISO 15289 standard defines what a procedure is and what it must describe. The following text box describes this type of document [ISO 17b].
The IEEE 730 [IEE 14] standard for the SQA process is presented next. This standard is based on ISO 12207 [ISO 17] and ISO 15289 [ISO 17b].
The scope of the IEEE 730-2014 Standard for SQA Processes [IEE 14] is very different from that of previous versions. Unlike previous versions, where the QA plan was the cornerstone of IEEE 730, the new version establishes the requirements for the planning and implementation of SQA activities for a software project. QA according to IEEE is a set of proactive measures to ensure the quality of the software product. The IEEE 730 provides guidance for the SQA activities of products or of services. The QA plan is presented in a clause and an annex of the standard.
The following text box provides the definition SQA of the IEEE 730 [IEE 14].
Publishers of a standard must use official versions of standards, that is, the latest published version, when producing a new standard or the revision of a published standard. The IEEE 730-2014 [IEE 14] standard is harmonized with the 2008 version of ISO 12207 [ISO 17] and the 2011 version of ISO 15289 [ISO 17b]. After the publication of the IEEE 730 in 2014, a new version of ISO 15289 was published in 2016 and ISO had also initiated a revision of ISO 12207 [ISO 17]. Given that the IEEE 730 used the 2008 version of the ISO 12207 as a normative reference, we present it below.
The IEEE 730 is structured as follows [IEE 14]:
The following text, taken from clause 7 of ISO 12207-2008, describes the purpose and the outcomes of the SQA process.
The SQA process of the IEEE 730 is grouped into three activities: the implementation of the SQA process, product assurance, and process assurance. Activities consist of a set of tasks.
IEEE 730 [IEE 14] describes what must be done by a project; it assumes that the organization has already implemented SQA processes before the start of a project. The activities and tasks of the IEEE 730 are presented next.
The standard includes a clause that describes what is meant by compliance. The following text box defines this term.
Compliance with all requirements of IEEE 730 [IEE 14] can be imposed by a client in an agreement (e.g., a contract) with the organization that will develop software. However, a given project may not need to use all the activities of the standard. The implementation of the standard implies the selection of a set of activities adapted to a project. For any activity or task that will not be performed, the standard requires that the SQAP describes them as not applicable and include a justification as to why the activity or task will not be performed. In order to improve, an organization can choose to gradually implement the activities and tasks of the IEEE 730.
Figure 4.6 shows the links between project requirements and artifacts produced during a project. The figure shows two categories of compliance: process assurance and product assurance. The figure also describes the transitive relationships for compliance: if process requirements are consistent with the contract and if the process and project plans meet the process requirements, then the project process and plans comply with the contract. This simplifies the work of the SQA as each artifact of the project does not have to be checked against the contract. Each artifact must be verified with respect to its immediate predecessor.
The IEEE 730 [IEE 14] does not require that the activities be performed by any unit of the organization (e.g., an SQA department); it requires that responsibilities are assigned to the SQA function with the resources needed to perform the SQA activities described by the standard.
A basic principle of the IEEE 730 is to first understand the risks of the software product to ensure that the SQA activities are appropriate for the risks of the product. This means that the extent and depth of SQA activities that will be defined in the SQAP are determined by the risk associated with the software product.
These activities aim to develop a strategy for conducting SQA, planning, and executing the activities and producing and maintaining the evidence. The six SQA process implementation activities are [IEE 14]:
- Use this standard and appendix C to help prepare an SQAP that is appropriate for the project, which meets the needs of all stakeholders and which is appropriate for the risks of the product.
- Review and update the SQA level as the project evolves.
- Present information on the status of the project to management in the agreed manner.
- Estimate the resources of the SQA function (including effort, schedule, people, required skills, tools and equipment) needed to perform the SQA activities, tasks, and outcomes.
- Analyze product risks, standards, and assumptions that could impact quality and identify specific SQA activities, tasks, and specific outcomes that could help determine whether these risks are mitigated effectively.
- Analyze the project and adapt SQA activities accordingly so that they are commensurate with the risks.
- Define specific measures for the evaluation of projects, software quality, performance of SQA function compared with quality objectives of the project and those of the quality management of the organization.
- Identify and track changes to the project that require additional planning from SQA function including changes to the requirements, resources, schedule, project scope, priorities, and product risk.
- If process areas or activities are not adequately addressed by the quality management function of the organization, or if the organization does not have a quality management function, these process areas can be documented in the SQAP.
We will not describe the remaining 10 activities of IEEE 730 listed below in detail here since they will be described in other chapters of this book.
The five product assurance activities that aim to evaluate adherence to the requirements are [IEE 14]:
The five process assurance activities which verify adherence to standards and procedures are [IEE 14]:
This section presents the quality models, standards, reference, and processes specific to the software industry and that are used by many organizations worldwide. First, maturity models for software processes are presented, followed by the ITIL reference and its ISO/IEC 20000-1 standard [ISO 11h]. Next, we will look at the IT governance processes proposed by the CobiT reference. We will then present the family of ISO 27000 standards for information security, followed by the ISO/IEC 29110 standards for very small organizations.
The SEI developed several Capability Maturity Models (CMM®). In this section, we will present the CMMI model used to develop products (e.g., software, system) and services.
The CMMI for Development (CMMI-DEV) covers a broader area than its predecessor by adding other practices, such as systems engineering, and the development of integrated processes and products. It was formed from the following model practices: version 2.0 of the SW-CMM, the “Systems Engineering Capability Model” of the Electronic Industries Alliance [EIA 98] and version 0.98 of the “Integrated Product Development CMM” model.
The CMMI model was developed as two versions: an initial staged version and a continuous version, which is the first CMM model for systems engineering (Systems Engineering CMM, SE-CMM). The CMMI is available in several languages: Germany, English, Traditional Chinese, French, Spanish, Japanese, and Portuguese.
Just like the SW-CMM model, the objective of this model is to encourage organizations to check and continuously improve their development project process and evaluate their level of maturity on a five-level scale as proposed by the staged CMMI model.
Two other CMMI models were developed based on architecture, namely the CMMI for Services (CMMI-SVC) [SEI 10b] and the CMMI for Acquisition (CMMI-ACQ) [SEI 10c]. The CMMI-SVC model provides guidelines for organizations that provide services either internally or externally, whereas the CMMI-ACQ model provides guidelines for organizations that purchase products or services. All three CMMI models use 16 common process areas.
For each level of maturity, a set of process areas are defined. Each area encompasses a set of requirements that must be met. These requirements define which elements must be produced rather than how they are produced, thereby allowing the organization implementing the process to choose its own life cycle model, its design methodologies, its development tools, its programming languages, and its documentation standard. This approach enables a wide range of companies to implement this model while having processes that are compatible with other standards.
Table 4.3 describes the maturity levels as well as the process areas for each maturity level in the CMMI-DEV model.
Table 4.3 CMMI Maturity Levels of the Staged Representation [SEI 10a]
CMMI Development Model Maturity Levels [SEI 10a] Model practices are grouped into 22 process areas, which are further broken down into five maturity levels. Maturity Level 1: Initial At maturity level 1, processes are usually ad hoc and chaotic. The organization usually does not provide a stable environment to support processes. Success in these organizations depends on the competence and heroics of the people in the organization and not on the use of proven processes. In spite of this chaos, maturity level 1 organizations often produce products and services that work, but they frequently exceed the budget and schedule documented in their plans. Maturity level 1 organizations are characterized by a tendency to overcommit, abandon their processes in a time of crisis, and be unable to repeat their successes. |
Maturity Level 2: Managed At maturity level 2, the projects have ensured that processes are planned and executed in accordance with policy; the projects employ skilled people who have adequate resources to produce controlled outputs; involve relevant stakeholders; are monitored, controlled, and reviewed; and are evaluated for adherence to their process descriptions. The process discipline reflected by maturity level 2 helps to ensure that existing practices are retained during times of stress. When these practices are in place, projects are performed and managed according to their documented plans. Process areas:
|
Maturity Level 3: Defined At maturity level 3, processes are well characterized and understood, and are described in standards, procedures, tools, and methods. The organization's set of standard processes, which is the basis for maturity level 3, is established and improved over time. These standard processes are used to establish consistency across the organization. Projects establish their defined processes by tailoring the organization's set of standard processes according to tailoring guidelines. |
Process areas:
|
Maturity Level 4: Quantitatively managed At maturity level 4, the organization and projects establish quantitative objectives for quality and process performance and use them as criteria in managing projects. Quantitative objectives are based on the needs of the customer, end-users, organization, and process implementers. Quality and process performance is understood in statistical terms and is managed throughout the life of projects. Process areas:
|
Maturity Level 5: Optimizing At maturity level 5, an organization continually improves its processes based on a quantitative understanding of its business objectives and performance needs. The organization uses a quantitative approach to understand the variation inherent in the process and the causes of process outcomes. Process areas
|
Figure 4.8 presents an overview of the CMMI model structure. Each process area has generic and specific goals, practices, and sub-practices. The specific goals, practices, and sub-practices are “specific” to a process area, such as Requirements Management, although the generic goals, practices, and sub-practices apply to all process areas for a given maturity level. Each process area also includes explanatory notes and references for other process areas. As indicated in the legend for Figure 4.8, model components are required, expected, or informative. The SEI defines these three components in the following way [CHR 08]:
The concept of CMM model characteristics was transferred to the CMMI: these are generic goals and practices. For level 2 of the staged representation of the CMMI model, the 10 generic practices are [SEI 10a]:
Figure 4.9 presents the process areas associated with maturity levels in the staged version of the CMMI development model. The path flow through the CMMI model is carried out gradually. To meet the requirements for a process area, the organization must satisfy all the goals of the given process area. In the same way, in order to move up between maturity levels, all goals must be satisfied for the process areas in question, as well as for all the goals of the process areas of the lower levels of process maturity.
This section presented a maturity model that should help software development organizations: “Given that software maintenance is a specific field of software engineering, it is therefore necessary to focus on the processes and methodologies that take into account the specific characteristics of software maintenance” [BAS 96]. The next section introduces a maturity model designed to improve the software maintenance process.
The software maintenance maturity model S3m (available at www.s3m.ca) proposes a structured approach to address a number of issues that arise in the context of the daily maintenance of software [APR 08]:
Figure 4.10 illustrates the structure of the S3m model.
Some authors have studied the differences and similarities between software development and maintenance activities. The maintenance organizational unit is structured to meet quite different challenges, such as randomly occurring daily events and requests from users, while providing continued service on the software for which it is responsible.
When we refer to software maintenance in the S3m model, we are specifically considering the operational support activities, corrections and software evolution that occur daily. The characteristics that are specific to software maintenance are [ABR 93]:
Additionally, in many organizations, maintenance is often performed by different organizational groups than the software development groups.
The software maintenance maturity model:
The previous sections described models for improving software development and maintenance processes. The next section considers the references and standards for improving processes for IT operations and infrastructure (also known as IT services).
The ITIL framework was created in Great Britain based on good management practices for computer services. It consists of a set of five books providing advice and recommendations in order to offer quality service to IT service users. It should be pointed out that IT services are typically responsible for ensuring that the infrastructures are effective and running (backup copies, recovery, computer administration, telecommunications, and production data). The ITIL books systematically cover all aspects of the computer operations in a company while at the same time not claiming to have all the answers.
The list of guides illustrated in Figure 4.11 is:
Support processes described in the ITIL are focused on daily operations. Their main goals are to resolve the problems when they arise or to prevent them from happening when there is a change in the computer environment or in the way the organization does things.
ITIL describes the support center function and the following five processes:
Service operation processes focus more on longer term management than support processes do. The main objective is to ensure that the IT infrastructure meets the business requirements of the organization. ITIL describes the following five processes for service operation:
ITIL is therefore a compendium of good practices and a compilation of descriptions of business processes that allow us to benefit from the experience of many organizations. It does not contain any implementation guidelines. ITIL is based on the sharing of operational experiences in IT.
Given the major recognition of ITIL worldwide, an international standard based on ITIL came into being: ISO/IEC 20000-1 [ISO 11h]. The principles of ITIL were successfully conveyed to many companies of all sizes and from all sectors of activity. The three main objectives are:
Just like the CMMI and S3m references, ITIL is a process-based approach founded on the principle of continuous improvement of the Deming Cycle: PDCA.
In the 1980s, the British government wanted to improve efficacy and reduce IT costs in public companies. Initially this meant developing a universal method that could be applied to all public organizations. The project, which was initiated in 1986, really took off in 1988. The conclusions of the study quickly led to the definition of general principles and the development of best practices. These results were also applicable to the private sector. Work groups were struck, bringing together operational managers, independent experts, consultants, and trainers from public organizations and from the private sector. Private companies that participated and accepted to have their work methods studied by competing companies ensured the objectivity of the conclusions drawn, and at the same time, prevented any risk of being influenced by proprietary technologies or systems. ITIL places service at the center of information systems management. This principle was highly innovative in 1980 and promoted the notion of the client of information systems management. In 1989, 10 books were published in a first version of ITIL. The areas covered by this version were the processes of Service Support and Service Delivery. Over 30 books have been produced since, but an update between 2000 and 2011 has reduced the number to five books today.
The definition of a service, when used in the computing context, is as an organizational unit of the company similar to the accounting department, in that it supports the organization. This concept is also linked to the fact that information systems render services to users; services such as email, desktop support, and others.
ITIL's philosophy is based on the following fundamental concepts:
The main subjects handled under ITIL are:
Therefore, based on these guidelines, we can help define the processes for IT infrastructure and IT operations groups.
The ISO/IEC 20000 standard is the first ISO standard dedicated to managing IT services. Inspired by the former British standard BSI 15000, which is based on ITIL, it was initially published on November 10, 2005, by the ISO. The main contribution of ISO 20000 is an international consensus on ITIL content.
As we show in Figure 4.12, this standard has two parts. The first part, ISO 20000-1 [ISO 11h] represents the certifiable part of the standard. It defines the IT service management requirements. These requirements are:
The next section introduces the reference for exemplary practices in IT governance. This guide is used by internal auditors specialized in IT in order to evaluate the quality of controls set up in an organization.
CobiT [COB 12] is a repository of best practices for IT governance established by ISACA (IT auditors). Oriented on auditing and governance assessment information systems, CobiT provides risk analysis and assessment of the effectiveness of internal controls. This repository of best practices tries to cover several concepts such as the analysis of business processes, technical aspects of IT, control needs in information technology, and risk management.
The CobiT process ensures that technological resources are well aligned with the company's fundamental objectives. It helps to achieve the right level of control to exercise on IT. This process is harmonized with the ITIL reference, the PMBOK® Guide from the Project Management Institute [PMI 13] as well as the ISO 27001 and ISO 27002 standards.
CobiT version 5 covers 34 generic guidance processes and 318 control objectives divided into four process domains:
The framework consists of checklists covering the four process domains, with 34 general control objectives and 302 detailed control objectives. The “planning and organization” domain has eleven goals covering everything related to strategy and tactics. These objectives identify means for IT to contribute most effectively to the achievement of the business goals of the company. The “acquisition and implementation” domain covers six goals for the achievement of the IT strategy: the identification, acquisition, development and implementation of IT solutions and their integration into business processes. The “distribution and support” domain considers thirteen goals, grouping the delivery of IT services required, that is, the operation, security, emergency plans, and training. The “monitoring and surveillance” domain has four objectives that allow management to assess the quality and compliance of process control requirements. The implementation tools include a presentation of cases where companies have implemented processes quickly and successfully using the CobiT methodology. These examples are therefore closely linked to business objectives while focusing particular attention on IT. This will reassure management, standardize work processes, and guarantee the security and controls of IT services.
The CobiT management section of the guide focuses on several aspects: the performance measurement and control of the IT profile and awareness of technological risks. This document provides the key indicator objectives, the key performance indicators, key success factors, and the maturity model. The maturity model evaluates the achievement of one or more general objectives of the process on a scale of 0–5:
The audit guideline allows an organization to evaluate and justify the risks and shortcomings of general and detailed objectives. Then, once this step is completed, corrective actions can be implemented. This audit guideline respects four principles: developing an in-depth understanding, evaluating controls, verifying compliance, and justifying the risk of not attaining the control objectives.
The next section presents information security standards.
The ISO 17799 standard [ISO 05d] initially published in December 2000 by ISO introduces a code of good practices for information security management. The second edition of this standard was published in June 2005, and then obtained a new reference number in July 2007. This standard is now known as ISO/IEC 27002 [ISO 05c].
The ISO 27002 standard comprises 133 practical steps to be used by anyone in charge of implementing or maintaining an ISMS. Information security is defined within the standard as the “preservation of confidentiality, integrity and availability of information.”
This standard is not mandatory for companies. However, it may be required under a contract: a service provider could then agree to respect the standardized practices with a client.
The ISO 27002 standard is made up of 11 main sections, which cover security management as well as its strategic and operational aspects. Each section makes up a chapter of the standard:
The chapters in the standard specify the objectives to reach and list practices that allow for the fulfillment of these objectives. The standard does not provide detailed practices, since each organization is supposed to carry out an evaluation of its own risks in order to determine its needs before choosing the practices that are appropriate in each of the possible cases.
This standard is based on the ISO 27000 family of standards as shown in the Figure 4.13.
Note that the ISO 20000 standard, based on ITIL, connects directly to the ISO 27001 guideline concerning information security.
The next section presents the ISO/IEC 29110 standard and guides that have been developed specifically for small organizations that develop software or systems.
Worldwide there are numerous very small entities (VSEs), namely enterprises, organizations (e.g., public organizations and not-for profit organizations), departments or projects with up to 25 people. For example, in Europe more than 92.2% of companies have between 1 and 9 employees and only 6.5% of firms have between 10 and 49 employees [MOL 13]. In the US, about 95% of companies have 10 employees or less [USC 16]. In Canada, nearly 80% of software companies in the Montreal region have 25 or fewer employees, and 50% of companies have 10 employees or less [GAU 04]. In Brazil, small businesses represent approximately 70% of the total number of companies [ANA 04]. Lastly, in Northern Ireland [MCF 03], a survey showed that 66% of organizations employ fewer than 20 people.
Unfortunately, according to surveys and studies carried out, it is clear that the ISO standards were not developed for VSEs, that they do not meet their needs, and therefore they are difficult to apply in such contexts. In order to help VSEs, an international standardization project developed a set of ISO/IEC 29110 standards and guides [ISO 16f]. ISO 29110 standards were developed by taking relevant information for VSEs from existing standards, such as ISO 12207 and ISO 15289. This “assemblage” is called a profile. We will briefly introduce ISO 15289 at the end of this chapter.
In 2005, Professor Laporte was appointed as project editor of the ISO 29110 standards and guides. Since 2005, the working group has developed a set of ISO 29110 standards and guides to help VSEs that develop software, systems involving hardware and software or who provide maintenance services to their clients. The interest of several countries was such that several ISO 29110 documents have been translated into Czech, French, German, Japanese, Portuguese, Spanish. Some countries, such as Brazil, Japan and Peru, have adopted ISO 29110 as a national standard.
The essential characteristic of organizations covered by ISO/IEC 29110 standards is size. However, we know that there are other aspects and characteristics of VSEs that may impact the preparation of profiles, such as the business model, situational factors like the application domain (e.g., medical), uncertainty, criticality, and risk levels. The creation of a profile for each possible combination of characteristics presented above would have resulted in a large and unmanageable number of profiles. Therefore, the profiles were designed so as to be applicable to more than one category. A profile group is a collection of profiles that are related either by process composition (e.g., activities, tasks) or by capacity level, or both [ISO 16f]. For example, the generic profile group was defined as applicable to VSEs that do not develop critical software or critical systems. Critical systems or software are systems or software having the potential for serious impact on the users or environment, due to factors including safety, performance, and security [ISO 16f]. The generic profile group is a roadmap made up of four profiles (Entry, Basic, Intermediate, and Advanced) providing a progressive approach in order to satisfy the greatest amount of VSEs. The main characteristics of these four profiles are described in Table 4.4.
Table 4.4 VSEs Targeted by Generic Profiles [ISO 16f]
Title of profile | VSEs targeted by each profile |
Entry | This profile is for VSEs working on small projects (e.g., a project of up to six person-months) and for start-ups. |
Basic | This profile is for VSEs developing only one project at a time with a single team. |
Intermediate | This profile is for VSEs involved in the simultaneous development of more than one project with more than one team. |
Advanced | This profile is for VSEs wishing to significantly improve the management of their business and their competitiveness. |
Table 4.5 illustrates the documents that have been developed and the intended recipients. Technical reports are marked “TR” (Technical Report) in their titles whereas the other documents are standards [ISO 16f]:
Table 4.5 ISO 29110 Documents and their Targeted Recipients [ISO 16f]
ISO/IEC 29110 | Title | Target |
Part 1 | Overview | The VSE and their customers, evaluators, standards developers, vendors of tools and methodologies. |
Part 2 | Framework for profile preparation | Standards developers, vendors of tools and methodologies. This document is not intended for VSEs. |
Part 3 | Certification and Assessment Guide | The VSE and their customers, assessors, accreditation bodies. |
Part 4 | Profile Specifications | The VSE, standards developers, vendors of tools and methodologies. |
Part 5 | Management and Engineering and Service Delivery Guides | The VSE and their customers. |
When a new profile is required, only parts 4 and 5 of ISO 29110 are developed without affecting other documents. To facilitate the adoption of ISO 29110 by a large number of VSEs, Working Group 24, which was mandated to develop the ISO 29110, negotiated that the ISO technical reports be available for free.
The software basic profile is made up of two processes: the project management process and the software implementation process. The goal of the project management process is to establish a systematic way to carry out the tasks of implementing the software project which will meet the project objectives with regard to quality, schedule, and cost. The purpose of the software implementation process is the systematic performance of the analysis, design, construction, integration, and tests for new or modified software products according to the specified requirements.
Figure 4.14 shows the project management process and the software implementation process and their activities. Activities consist of tasks. The input to the project management process is a document entitled “Statement of Work (SOW),” the output of the implementation process is the set of deliverables (e.g., documentation, code) that are defined early in the project and called software configuration.
The management and engineering guide of the ISO 29110 software Basic profile is presented next. Remember that a standard describes “what to do”, while management and engineering guides describe “how to do it”.
The goal of the project management process is to establish a systematic way to carry out the tasks of implementing the software project which will meet the project objectives with regard to quality, schedule and cost.
The management process, as illustrated in Figure 4.15, uses the SOW to develop the project plan. Assessment and control tasks for this process will use the project plan to assess project progress. Steps are taken, if necessary, either to eliminate gaps with the project plan or to incorporate changes into the plan. Project closure activities provide the deliverables that are produced during the implementation process to the client for their approval so as to officially close the project. A project repository is established to save work products and control their versions during the project.
The project management process includes four activities that are broken down into 26 tasks.
The purpose of the software implementation process is the systematic performance of the analysis, design, construction, integration, and tests for new or modified software products according to the specified requirements. Carrying out the implementation process, as illustrated in Figure 4.16, is controlled by the project plan. The project plan guides the analysis of software requirements, detailed architecture and design, construction and integration of software, tests and delivery activities for the deliverables. To eliminate the defects in a product, verification and validation activities as well as test tasks are included in this process's activities. The client provides a SOW as input to the project management process and receives the set of deliverables initially identified in the project plan as the result of the implementation process.
The implementation process, as shown in Figure 4.16, includes six activities that are broken down into 41 tasks. To illustrate how management and engineering guides facilitate the implementation of ISO 29110 in a VSE, Table 4.6 provides an example of the requirements analysis task (SI.2.4-Validate and obtain approval of the requirements specification). The left column lists the roles involved in this task: the Analyst (AN) and the Customer (CUS). A second column describes the task as well as some additional information to help execute the task and a third column describes the input work product required for task execution as well as its status (e.g., verified). The last column shows the output work products and their status resulting from the execution of the task.
Table 4.6 Description of One Task of the Requirements Analysis Activity [ISO 11e]
Roles | Tasks | Input workproducts | Output workproducts |
CUSAN | SI.2.4 Validate and obtain approval of the Requirements Specifications Validate that requirements specification satisfies needs and agreed upon expectations, including the user interface usability. The results found are documented in a validation results and corrections are made until the document is approved by the CUS. |
Requirements Specification [verified] | Validation Results Requirements Specification [validated] |
Table 4.7 shows an example of a document, a change request, and the content proposed by the ISO 29110 management and engineering guide. Note that the guide does not impose specific content by stating that a document “may,” not “shall,” include the following items, but provides information items that can be grouped. The right-hand column shows the source who requested the document. In this example, a change request is drafted by the client, the development team or by project management. We also note at the end of the description, the applicable status of this document.
Table 4.7 Description of the Content of a Document [ISO 11e]
Name | Description | Source |
Change request | Identifies a Software, or documentation problem or desired improvement, and requests modifications. It may have the following characteristics:
The applicable statuses are: initiated, evaluated, and accepted. |
Customer Project management Software implementation |
Although the ISO working group created a management and engineering guide, many VSEs do not have the resources to readily use the two processes described. Therefore, Professor Laporte, as the ISO 29110 project editor, recommended to the delegates for Working Group 24 during a meeting in Moscow in 2007, the development of material that can be used “as is” by VSEs [LAP 08a]. He coordinated the development of a set of documents called the Deployment Package (DP), based on the management and engineering guides.
A DP is a set of artifacts that facilitate and accelerate the implementation of the ISO 29110 standard in VSEs by providing them with ready-to-use processes. The table of contents for the package is described in Table 4.8. Note that the tasks from the management and engineering guides were broken down into steps to help the VSE concretely implement the standard.
Table 4.8 Table of Contents of a DP [LAP 08a]
|
Figure 4.17 shows the DPs that have been developed for the software Basic profile.
These DPs are available for free in English, French, and Spanish on the Web (www.sqabook.org). This site also provides access to templates, checklists, and examples of the implementation of ISO 29110, such as the example provided below.
Following is a brief description of the implementation of the ISO 29110 basic profile for BitPerfect Inc.—a start-up of four persons located in Lima, Peru [GAR 15].
The certification process for the Peruvian VSE will be presented in the chapter on audits.
Since a large number of VSEs develop systems that include hardware and software, members of the SC7 countries mandated Working Group 24 to develop a set of documents similar to those already created for the development of software: a roadmap consisting of a set of four profiles (Entry, Basic, Intermediate, and Advanced). The system development and software development profiles are similar since the strategy was to develop the system profiles using, as the foundation, the software profiles already published.
Figure 4.18 shows the processes and activities for the systems engineering Basic profile. Since this is based on the software Basic profile, there are similarities with the software Basic profile presented above:
The system and software management and engineering guides are freely available from ISO in French and English. A version in German is also available on the Web.
In this section, we provide examples of standards that are specific to an application domain, such as aerospace and railways, to highlight the fact that certain fields comprising critical systems have developed their own standards. Unlike ISO's software engineering standards, which are developed by representatives of member countries, the standards described below have been developed by the organizations involved in a specific field (e.g., aerospace companies and aviation authorities). One notable example is the CobiT guide [COB 12] that is used by internal auditors to audit the information systems organizations.
The development of DO-178 “Software Considerations in Airborne Systems and Equipment Certification,” was initiated in 1980 by the Radio Technical Commission for Aeronautics (RTCA). At the same time, the European Organisation for Civil Aviation (EUROCAE) had also developed a similar document. Later, the two organizations decided to develop a common guidance. In 1982, EUROCAE published ED-12 with technical content identical to DO-178. As stated in DO-178C, since 1992, the aviation industry and certification authorities around the world have used the considerations in DO-178B/ED-12B as an acceptable means of compliance for software approval in the certification of airborne systems and equipment. The latest version of these two documents was published in 2011 [EUR 11, RTC 11].
Their purpose is to provide guidance for the production of software for airborne systems and equipment. These systems must provide a high level of safety that complies with airworthiness requirements.
The reader may wonder why this document is called guidance and not a standard. This is the explanation extracted from DO-178 [RTC 11]: “This document recognizes that the guidance herein is not mandated by law, but represents a consensus of the aviation community. It also recognizes that alternative methods to the methods described herein may be available to the applicant. For these reasons, the use of words such as ‘shall’ and ‘must’ is avoided.”
However, DO-178 provides some text that transforms this guidance to a de facto standard for that industry [RTC 11]: “If an applicant adopts this document as a means of compliance, the applicant should satisfy all applicable objectives. This document should apply to the applicant and any of its suppliers, who are involved with any of the software life cycle processes or the outputs of those processes described herein. The applicant is responsible for oversight of all of its suppliers.”
The purpose of this guidance includes [RTC 11]:
A system safety assessment determines the software level of the software components of a system. The software level may even be specified in the system requirements. The DO-178 divides software into five levels [RTC 11]:
The EN 50128 standard describes the application domain in the following way [CEN 01]: by specifying the procedures and technical requirements applicable to the development of programmable electronic systems used in railway control and protection applications. It is meant to be used in any field having safety implications. It applies to all software used in developing and implementing railway control and protection systems, including application programming, operating systems, support tools, and micro-programming. It also focuses on the requirements applicable to the systems configured using application data.
The standard was developed for the following reasons [CEN 01]:
The EN 50128 standard introduces five software safety integrity levels (SWSIL) where each level is associated with a degree of risk when using a software system. Level 0 is assigned to software that is non-safety-related, whereas level 4 means a very high risk. A special feature of this standard is that it imposes an organizational structure on organizations that develop risky software, that is, software with safety issues. Figure 4.19 illustrates the different organizational structures based on the SWSIL.
The standard describes the sharing of roles and responsibilities of stakeholders. For level 0, there is no constraint, the designer/implementer, verifier, and validator can all be the same person.
For SWSIL levels 1 and 2, the verifier and validator can be the same person, but they cannot be the designer/implementer. However, the designer/implementer, verifier, and validator can all report through the project manager. At SWSIL levels 3 and 4, there are two acceptable arrangements:
Moreover, in this standard, there are requirements about using or not using certain development techniques. The classification table has five levels, from mandatory to not recommended and appears in Table 4.9.
Table 4.9 Example of a Technique Classification Table (Translated from [CEN 01])
Classification | Explanation |
The use of a technique is mandatory (M). | |
The technique is highly recommended (HR) for this safety integrity level. | If this technique or measure is not used then the rationale behind not using it should be detailed in the SQAP or in another document referenced by the SQAP. |
The technique or measure is recommended (R) for this safety integrity level. | |
The technique or measure has no recommendation (-) for or against being used. | |
The technique or measure is positively not recommended (NR) for this safety integrity level. | If this technique or measure is used then the rationale behind using it should be detailed in the SQAP or in another document referenced by the SQAP. |
Table 4.10 illustrates the classification of static analysis techniques for SWSIL from 0 to 4. Here, we see the requirement for performing design reviews is “HR” for all levels of criticality.
Table 4.10 Description of Classification of Static Analysis Techniques [CEN 01]
Technique | SW IL 0 |
SW IL 1 |
SW IL 2 |
SW IL 3 |
SW IL 4 |
Boundary value analysis | - | R | R | HR | HR |
Checklists | - | R | R | R | R |
Data flow analysis | - | HR | HR | HR | HR |
Fagan inspections | - | R | R | HR | HR |
Walk-through/design reviews | HR | HR | HR | HR | HR |
In Table 4.11, we list requirements made as to whether or not to use certain programming languages, such as C or C++ (without restriction), for the five criticality levels.
Table 4.11 Description of Classification of Programming Languages [CEN 01]
Technique | SW IL 0 |
SW IL 1 |
SW IL 2 |
SW IL 3 |
SW IL 4 |
Ada | R | HR | HR | R | R |
C or C++ (unrestricted) | R | - | - | NR | NR |
Subset of C or C++ with coding standard | R | R | R | R | R |
The ISO 13485 standard focuses on QA of products, customer requirements, and various items related to the management of quality systems [ISO 16d]. This standard specifies the requirements of a QMS that can be used by an organization for design and development, production, installation, and related services for medical devices, as well as the design, development, and supply of related services. The following definition of medical device illustrates the wide spectrum of devices that could be impacted by poor quality software.
Although this standard is independent of ISO 9001, it is based upon it. Given that certain requirements of ISO 9001 were excluded from ISO 13485, organizations whose QMS comply with ISO 13485 can claim compliance with the ISO 9001 standard only if their QMSs comply with all the requirements of the ISO 9001standard. Appendix B of ISO 13485 provides correspondence between these two standards.
Standards have a central place in a project's SQAP (Software Quality Assurance Plan). In order to conduct product and process assurance activities, the project team as well as the SQA function need to assess the adherence of project processes and products to the applicable agreements (e.g., contracts), regulations and laws, organizational standards, and procedures. Effectiveness of organizational software processes need to be constantly evaluated and improvements suggested. Problems and non-conformance are identified and recorded. The IEEE 730 standard defines the requirements regarding standards, practices, and conventions that must be described in the SQAP of a project. The SQAP identifies all applicable standards, practices, and conventions used for the project such as:
Once the standards are identified and staff are trained on how to use them, SQA has a duty to conduct process and product assurance evaluations based on organizational QA policies and processes. Both process and product assurance evaluations have to be done on all projects. Process assurance consists of the following activities [IEE 14]:
We have seen that organizational standards used by software and system engineers are adapted locally to fit each project specificity. To ensure consistency, high quality and reduce project risks, the SQA is asked to:
Note that standard conformance, regulatory concerns, or customer requirements are to be included in any tailoring for projects that use an agile methodology. As well, the SQA cannot replace the project team's responsibility for the product quality. The IEEE 730 standard insists that resources and information necessary for performing SQA are identified, made available, allocated, and used in projects. The project team should ask the following questions, regarding standards, practices and conventions, at the project planning stage:
During the project execution, the project team will have to verify:
The implementation of standards into practice may be facilitated or hindered depending on the factors at play in the organization. The following text box lists a few of these factors.
Name five advantages and five disadvantages of software engineering standards.
Provide five advantages and five disadvantages of the CMMI-DEV.
If an organization implements all the standards needed for the development of its software products, is this sufficient to produce quality software?
If an organization implements all the standards needed for the development of its software products, is this sufficient to produce software and make a profit or bring other benefits to the organization?
Can the CMMI-DEV model be used for development in an organization with 10 developers? Explain why or why not.
Can software be developed in an environment that has adopted agile practices and the CMMI-DEV?
What could be the benefits of using ISO 29110 for a small organization?
18.227.134.133