Chapter 3

C. Standards and Models

Define and describe the ISO 9000 and IEEE software standards, and the SEI Capability Maturity Model Integration (CMMI) for Development, Services, and Acquisition assessment models. (Understand)

BODY OF KNOWLEDGE I.C

T he Software Engineering Institute (SEI) defines a standard as “the formal requirements developed and used to prescribe consistent approaches to acquisition, development, or service,” (SEI 2010). A standard defines a disciplined, consistent approach to software development and other activities through the specification of rules, requirements, guidelines, or characteristics. Standards aim at promoting optimum community or organizational benefit and should be based on the combined results of science, technology, and practical experience.

A standard is used as a basis for comparison when specifying, developing, reviewing, auditing, assessing, or testing a system, process, or product. An organization and/or its personnel comply with standards when a comparison between what the standard says should be done matches with what the organization and/or its personnel are actually doing. Products conform to standards when a comparison between what the standard requires matches with the actual characteristics, content, or status of the product. A standard is usually specified by standard practice, or it is defined by a designated standards body (ISO, IEC, IEEE, OMG, and so on). A standard can specify requirements for an item or activity, including:

• Size : For example, an external interface standard might specify a communication packet size of 32 bytes
• Content : For example, the IEEE Standard 828 for Configuration Management in Systems and Software Engineering (IEEE 2012) specifies what should be included in a Configuration Management Plan
• Value : For example, an external interface standard might specify values for error codes transmitted across that interface
• Quality : For example, modeling and coding standards provide workmanship standards for producing quality software work products and the ISO 9001:2015 standard (ISO 2015) specifies the requirements for the effective implementation of a quality management system (QMS)

At the organizational level, standards make it easier for professionals to move between project and product teams within the organization, reducing the effort required for training. Through the use of standards, the software developed by different groups within the organization is more consistent and uniform, and is therefore easier to integrate and reuse. The fact that everyone involved knows and understands the standard way of acquiring, developing, and/or maintaining the software products, permits a uniform method for reviewing the status of the product and the project.

At the industry level, standards can increase the professionalism of a discipline by providing access to good practices, as defined by experienced practitioners in the software industry. Many companies benchmark the ISO and IEEE standards as a basis for improving their own processes and practices. Standards can also help introduce new technologies and methods into the software industry. For example, the Systems Modeling Language (SysML) Standards from the Object Management Group (OMG 2015) helped introduce a consistent methodology that can be used to specify, analyze, design, verify, and validate object-oriented requirements and designs for systems and systems-of-systems.

It should be noted that guidelines (guides) are different from standards. Both standards and guides are typically issued by some body of authority. However, standards define requirements while guidelines define suggested practices, advice, methods, or procedures that are considered good practice, but are not mandatory requirements.

A model is an abstract representation of an item or process from a particular point of view. A model expresses the essentials of some aspect of an item or process without giving unnecessary detail. The purpose of a model is to enable the people involved to think about, discuss, and understand these essential elements without getting sidetracked by excessive or complex details. Unlike standards, models are communication vehicles and not mandatory requirements. The Capability Maturity Model Integration (CMMI) for Development (SEI 2010) and life cycle models (waterfall, V, or spiral) are examples of models.

ISO 9000 Standards

The “International Organization for Standardization (ISO) is a worldwide federation of national standards bodies (ISO member bodies)” (ISO 2015). ISO developed the 9000 family of standards to define good practice in the area of quality management and quality assurance. These standards define the basic, first level of a quality management system. Their implementation does not guarantee high quality.

Within the ISO 9000 family, the core standards include:

• ISO 9000:2015 Quality management systems—Fundamentals and vocabulary
• ISO 9001:2015 Quality management systems—Requirements
• ISO 9004:2009 Managing for the sustained success of an organization—A quality management approach

Figure 3.1 Major elements and interactions of an ISO 9001:2015 Quality Management System (ISO 2015).

ISO also provides a set of supporting standards/guidelines to help organizations establish and improve their quality management systems, their processes, or their activities. A list of these supporting standards/guidelines is included in Annex B of the ISO 9001:2015 standard (ISO 2015).

The ISO 9000 family of standards is based on seven quality management principles applicable to any organization including software, manufacturing, and/or service, including: (ISO 2015; ISO 2015a)

• Customer focus
• Leadership
• Engagement of people
• Process approach
• Improvement
• Evidence-based decision making
• Relationship management

The ISO 9001:2015 standard defines the specific set of quality management system requirements that are used by registrars to audit and certify organizations. ISO 9001:2015 takes a process approach, which incorporates the Plan-Do-Check-Act (PDCA) cycle and risk-based thinking. Figure 3.1 illustrates a model of the major clauses of ISO 9001:2015.

Some industries have created industry-specific interpretations, or add-ons, to the ISO 9000 family of standards. This has been done to standardize the interpretation of ISO 9001:2015 for their industry and/or to add industry-specific additional requirements. These industry-specific interpretations also help make certain that auditors are trained in and understand the specific needs of those industries. Examples of industry-specific standards include:

• ISO/IEC 90003:2014 Software engineering—Guidelines for the application of ISO 9001:2008 to computer software has not yet been updated to the ISO 9001:2015 version as of the publication date of this book
• AS9100 for Aviation, Space and Defense (and AS9115 specific to deliverable software)
• ISO/TS 16949 for Automotive
• TL 9000 for Telecommunications
• ISO 13485 for Medical Devices and ISO 62304 for Medical Device Software
• ISO/TX 29001 for Petroleum, Petrochemical and Natural Gas
• NQA 1 for Nuclear

IEEE Software Engineering Standards

The Software and Systems Engineering Standards Committee of the IEEE Computer Society develops and maintains a set of software and system engineering standards. This IEEE standards set is not always used verbatim, but they are used extensively as benchmarks, templates, and examples of industry good practices that organizations tailor to their own specific requirements. For organizations defining their software processes, these standards can provide guidance that minimizes time and effort. These standards can also serve as checklists that help verify that important items are not overlooked.

While ISO 9001:2015 and the CMMI models provide roadmaps for what should occur in a good software quality engineering practice set, the IEEE software and systems engineering standards provide more detailed “how-to” information and guidance. As of the date of this publication, the current list of IEEE software and systems engineering standards includes the following standards that are closely related to the topics of the Certified Software Quality Engineer (CSQE) Body of Knowledge. See the IEEE software and systems engineering standards Web site for the latest versions of these and other IEEE software and systems engineering standards:

• 730-2014—Software Quality Assurance Processes
• 828-2012— Configuration Management in Systems and Software Engineering
• 829-2008—Software and System Test Documentation
• 982.1-2005—Standard Dictionary of Measures of the Software Aspect of Dependability
• 1008-1987 (reaffirmed 2009 ) of —Software Unit Testing
• 1012-2012—Systems and Software Verification and Validation
• 1016-2009—Systems Design – Software Design Descriptions
• 1028-2008—Software Reviews and Audits
• 1044-2009—Standard Classification for Software Anomalies
• 1061-1998 (reaffirmed 2009) – A Software Quality Metrics Methodology
• 1062-2015—Recommended Practice for Software Acquisition
• 1220-2005 (reaffirmed 2011) – Application and Management of the Systems Engineering Process
• 1228-1994 (reaffirmed 2010) – Software Safety Plans
• 1320.1-1998 (reaffirmed 2004 ) – Functional Modeling Language – Syntax and Semantics for IDEF0
• 1320.2-1998 (reaffirmed 2004 ) – Conceptual Modeling Language – Syntax and Semantics for IDEF1X97 (IDEFobject)
• 1490-2011 — Adoption of the Project Management Institute (PMI®) Standard –A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Fourth Edition
• 1517-2010— System and Software Life Cycle Processes – Reuse Processes
• 1633-2008—Recommended Practice on Software Reliability
• 12207-2008—Systems and Software Engineering – Software Life Cycle Processes
• 14102-2010—Adoption of ISO/IEC 14102:2008 Information Technology – Guidelines for the Evaluation and Selection of CASE Tools
• 14471-2010—Guide for Adoption of ISO/IEC TR 14471:2007 Information Technology— Software Engineering – Guidelines for the Adoption of CASE Tools
• 14764-2006—ISO/IEC International Standard for Software Engineering – Software Life Cycle Processes – Maintenance
• 15026-n—Standard Adoption of ISO/IEC 15026-1 Systems and Software Engineering— Systems and Software Assurance
  • Part 1-2014: Concepts and Vocabulary
  • Part 2-2011: Assurance Case
  • Part 3-2013: System Integrity Levels
  • Part 4-2013: Assurance in the Life Cycle
• 15288-2015—ISO/IEC/International Standard – Systems and Software Engineering – System Life Cycle Processes
• 15289-2015—ISO/IEC/International Standard – Systems and Software Engineering – Content of Life-Cycle Information Products (Documentation)
• 15939-2008—Standard Adoption of ISO/IEC 15939:2007 – Systems and Software Engineering – Measurement Process
• 16085-2006—ISO/IEC 16085:2006 – Software Engineering – Software Life Cycle Processes – Risk Management
• 16326-2009—ISO/IEC/International Standard Systems and Software Engineering – Life Cycle Processes – Project Management
• 20000-n—Standard – Adoption of ISO/IEC 20000-1:2011, Information Technology – Service Management
  • Part 1-2013: Service Management System Requirements
  • Part 2-2013: Guidance on the Application of Service Management Systems
• 24748-n—Guide-Adoption of ISO/IEC TR 24748 Systems and Software Engineering – Life Cycle Management
  • Part 1-2011: Guide for Life Cycle Management
  • Part 2-2012: Guide to the Application of ISO/IEC 15288 (System Life Cycle Processes)
  • Part 3-2012: Guide to the application of ISO/IEC 12207 (Software Life Cycle Processes)
• 24765-2010—Systems and Software Engineering – Vocabulary
• 24774-2012—Guide – Adoption of ISO/IEC TR 24474:2010 Systems and Software Engineering – Life Cycle Management Guidelines for Process Description
• 26702-2007—ISO/IEC Systems Engineering – Application and Management of the Systems Engineering Process
• 29119-n—Software and Systems Engineering – Software Testing
  • Part 1-2013: Concepts and Definitions
  • Part 2-2013: Test Process
  • Part 3-2013: Test Documentation
  • Part 4-2015: Testing Techniques
• 29148-2011—Systems and Software Engineering – Life Cycle Processes – Requirements Engineering
• 42010-2011—ISO/IEC Systems and Software Engineering – Architecture Description

It should be noted that in addition to the ISO 9000 family of standards, there are many ISO/IEC Information Technology, Software Engineering, and Systems and Software Engineering standards written/being written through ISO/IEC JTC 1/CS 7. Some of these standards have been adopted by IEEE and others may potentially replace the current IEEE standards listed above in the future. (A list of current ISO/IEC standards can be found at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_tc_browse.htm?commid=45086 .)

Capability Maturity Model Integration (CMMI)

The Software Engineering Institute (SEI) promotes the evolution of software engineering from an ad hoc, labor-intensive activity to a discipline that is well-managed and supported by technology. According to the SEI Web site, principal areas of work for the SEI include:

• “Software engineering management practices: This work focuses on the ability of organizations to predict and control quality, schedule, cost, cycle time, and productivity when acquiring, building, or enhancing software systems.”
• “Software engineering technical practices: This work focuses on the ability of software engineers to analyze, predict, and control selected properties of software systems. Work in this area involves the key choices and trade-offs that must be made when acquiring, building, or enhancing software systems.”

As part of this work, the SEI established the CMMI models (now supported by the CMMI Institute), which are intended to communicate sets of good practices for use by organizations pursuing enterprise-wide process improvement. The resulting CMMI framework allows for the generation of multiple CMMI models, depending on the representation (staged or continuous), and the disciplines:

• Capability Maturity Model Integration (CMMI) for Development (CMMI-DEV) (SEI 2010): Provides a roadmap of good practices to organizations for improving their product development practices in order to produce high quality products that meet their customers’, users’, and other stakeholders’ needs
• Capability Maturity Model Integration (CMMI) for Service (CMMI-SVC) (SEI 2010a): Provides a roadmap of good practices for organizations interested in providing high quality services to their customers and users
• Capability Maturity Model Integration (CMMI) for Acquisition (CMMI-ACQ) (SEI 2010b): Provides a roadmap of good practices to organizations to improve their product and service acquisition practices in order to initiate and manage the acquisition of high quality products and services that meet customers’, users’, and other stakeholders’ needs

In the staged representation, each of the three CMMI models is subdivided into five levels (or stages) that are used to gauge organizational maturity. Each model includes a four-level structure (levels 2 to 5) of good practices designed to improve product and service quality, and project performance. Each level from 2 to 5 in the staged representation of these three CMMI models is made up of process areas, as illustrated in Table 3.1 .

Table 3.1 CMMI staged representation levels and process areas.

Figure 3.2 CMMI definition components.

As illustrated in Figure 3.2 , each CMMI process area is defined using detailed required, expected, and informational components, including:

• Required components:
  • Specific goals : Each process area has one or more goals that apply specifically to that process area, which the organization is required to achieve for that process area.
  • Generic goals : The model also includes a set of generic goals, which the organization must achieve for every process area. Each process area description interprets those generic goals and how they apply to that process area.
• Expected components:
  • Specific practices : Each specific goal has associated practices that apply specifically to that goal, for that process area. The organization is expected to implement either the specific practices documented in the model, or acceptable alternative practices, which lead to achieving the associated specific goals.
  • Generic practices : Each generic goal has associated practices that apply to that generic goal. The organization is expected to implement either the generic practices documented in the model, or acceptable alternative practices, which lead to achieving the associated generic goals.
• Informational components:
  • Each process area has a purpose statement that defines the purpose of that process area, as well as introductory notes, which describe the major concepts covered by that process area, and a list of related process areas , with specific linkages defined.
  • Each specific practice has subpractices, associated notes, examples, and references, which provide details for interpreting and implementing the specific practice.
  • Each generic practice has subpractices, which provide details for interpreting and implementing the generic practice. Each generic practice also has an elaboration of how that generic practice applies to the process area being specified.

As an example, the specific goals (SG) and specific practices (SP) for the CMMI for Development measurement and analysis process area are: (SEI 2010)

• SG 1: Align measurement and analysis activities
  • SP 1.1: Establish measurement objectives
  • SP 1.2: Specify measures
  • SP 1.3: Specify data collection and storage procedures
  • SP 1.4: Specify analysis procedures
• SG 2: Provide measurement results
  • SP 2.1: Collect measurement data
  • SP 2.2: Analyze measurement data
  • SP 2.3: Store data and results
  • SP 2.4: Communicate results

All three of the CMMI models share the same level-2 and level-3 generic goals (GG) and their associated generic practices (GP): (SEI 2010; SEI 2010a; SEI 2010b)

• Level-2:
  GG 2: Institutionalize a managed process
  • GP 2.1: Establish an organizational policy
  • GP 2.2: Plan the process
  • GP 2.3: Provide resources
  • GP 2.4: Assign responsibility
  • GP 2.5: Train people
  • GP 2.6: Control work products
  • GP 2.7: Identify and involve relevant stakeholders
  • GP 2.8: Monitor and control the process
  • GP 2.9: Objectively evaluate adherence
  • GP 2.10: Review status with higher-level management
• Level-3:
  GG3: Institutionalize a defined process
  • GP 3.1: Establish a defined process
  • GP 3.2: Collect improvement information

When assessing an organization’s maturity level, the process areas in the staged representation are cumulative. For example, as illustrated in Figure 3.3 , for an organization to achieve level-2 maturity, it would have to:

• Achieve all of the specific goals for all the level-2 process areas by implementing all of the associated specific practices, or acceptable alternative practices, for each of those specific goals

Figure 3.3 CMMI for Development level-2 maturity for staged representation.

• Achieve all the level-2 generic goals for each level-2 process area by implementing all of the associated generic practices, or acceptable alternative practices, for each of those generic goals

As illustrated in Figure 3.4 , to move forward and achieve level-3 maturity, which organization would have to:

• Add the achievement of all the level-3 generic goals for each level-2 process area by implementing all of the associated generic practices, or acceptable alternative practices, for each of those generic goals
• Achieve all of the specific goals for all the level-3 process areas by implementing all of the associated specific practices, or acceptable alternative practices, for each of those specific goals
• Achieve all the level-2 and level-3 generic goals for each level-3 process area by implementing all of the associated generic practices, or acceptable alternative practices, for each of those generic goals

Since there are no generic level-4 or level-5 goals in the staged representation, to move forward and achieve level-4 maturity, an organization would have to achieve all of the specific goals for all the level-4 process areas by implementing all of the associated specific practices, or acceptable alternative practices, for each of those specific goals. To move forward and achieve level-5 maturity, an organization would have to achieve all of the specific goals for all the level-5 process areas by implementing all of the associated specific practices, or acceptable alternative practices, for each of those specific goals.

Figure 3.4 CMMI for Development level-3 maturity for staged representation.

So far, only the CMMI staged representation has been discussed. In the continuous representation, the same process areas are used. However, instead of the organization being assessed at a maturity level, in the continuous representation each process area is assessed independently at a capability level, designated as level-0 to level-3, and described as follows:

• Capability level-0, Incomplete: The initial level for process capability, which indicates that the process is either not performed at all, or that one or more of its associated specific goals have not been achieved
• Capability level-1, Performed: A process area with level-1 has achieved all of its specific goals by implementing all of the associated specific practices, or acceptable alternative practices, for each of those specific goals
• Capability level-2, Managed: A process area with level-2 has achieved all the level-2 generic goals by implementing all of the associated generic practices, or acceptable alternative practices, for each of those generic goals, in addition to achieving all of its specific goals from level-1
• Capability level-3, Defined: A process area with level-3 has achieved all the level-3 generic goals by implementing all of the associated generic practices, or acceptable alternative practices, for each of those generic goals, in addition to achieving all of its specific goals from level-1 and the generic level-2 goals

Achieving high maturity is done through the equivalent staging concept. Once all of the level-2 and level-3 process areas from the staged representation have reached level-3 capability, level-4 high maturity is reached by achieving level-3 capability for the organizational process performance and quantitative project management process areas. Once level-4 high maturity is reached, level-5 high maturity is reached by achieving level-3 capability for the causal analysis and resolution and organizational performance management.

People Capability Maturity Model

In addition to the three CMMI models, there is also a People Capability Maturity Model (P-CMM) (SEI 2009). This model provides a roadmap of good practices to help organizations address their critical people issues and improve the processes of managing and developing the organization’s workforce. The People CMMI process areas and process threads are illustrated in Table 3.2.

Table 3.2 People Capability Maturity Model (P-CMM) process areas and process threads. (SEI 2009).