=Paper=
{{Paper
|id=None
|storemode=property
|title=ISO Software Quality Standards and Certification
|pdfUrl=https://ceur-ws.org/Vol-920/p113-dugalic.pdf
|volume=Vol-920
|dblpUrl=https://dblp.org/rec/conf/bci/DugalicM12
}}
==ISO Software Quality Standards and Certification==
Bisera Dugalic, Faculty of Computer Science and Engineering, "Rugjer Boshkovikj" 16, P.O. Box 393, 1000 Skopje, FYR Macedonia, +38976 536 333, Dugalikj.bisera@students.finki.ukim.mk

Anastas Mishev, Faculty of Computer Science and Engineering, "Rugjer Boshkovikj" 16, P.O. Box 393, 1000 Skopje, FYR Macedonia, +38970 330 386, Anastas.mishev@finki.ukim.mk

BCI'12, September 16–20, 2012, Novi Sad, Serbia. Copyright © 2012 by the paper's authors. Copying permitted only for private and academic purposes. This volume is published and copyrighted by its editors. Local Proceedings also appeared in ISBN 978-86-7031-200-5, Faculty of Sciences, University of Novi Sad.

===ABSTRACT===
In recent years software quality has become a matter of high interest, especially to software developers, managers and maintainers. Since software is becoming an extremely important part of a company's ability to compete in its business, the requirement that the software be readily available to the company in accomplishing its ambitions means that the software should offer a high level of user convenience, quality and utility. The aim of this study is to determine how ISO standards and certification for software quality are accepted by companies and customers. It examines how they are reflected in the quality management system of the company and how they help customers choose what is best for them and preserve their interests.

Categories and Subject Descriptors: D.2.4 [Software Engineering]: Software/Program Verification – Validation, Reliability

General Terms: Documentation, Human Factors, Reliability, Security, Standardization

Keywords: ISO 9001, certificate, software quality, standards, requirements, QMS, quality management system, International Accreditation Forum, accreditation body, ISO/IEC 9126

===1. INTRODUCTION===
The most challenging goal of software engineering is to find better techniques and methods for developing quality, error-resistant software at reasonable cost. In today's world of information, computers have been applied in a number of large and critical areas of industry. [1]

Quality characteristics of software can be measured with a set of attributes defined for each characteristic. These characteristics help in evaluating the quality of software, but they do not give guidance on constructing high quality software products. Quality characteristics are defined in the standard ISO/IEC 9126. [2]

Quality management system requirements are defined in the ISO 9001 standard. The main goal of these requirements is to satisfy the customer's needs, which is the measure of a quality software product. [3]

===2. ISO STANDARDS===
ISO is the International Organization for Standardization, which has membership from countries all around the world. It has developed about 19000 International Standards and publishes about 1000 new standards every year.

ISO standards published in recent years are in the fields of information and societal security, climate change, energy efficiency and renewable resources, sustainable building design and operation, water services, nanotechnologies, intelligent transport systems, food safety management, and health informatics. [5]

===3. SOFTWARE QUALITY STANDARDS===
====3.1 ISO/IEC 9126====
ISO/IEC 9126 is one of the best software quality standards in the world. It is intended to specify the required software product quality for software development and software evaluation. This standard is divided into four parts:
* quality model
* external metrics
* internal metrics
* quality in use metrics

This quality model can be applied in many sectors. It describes the quality model framework that explains the relationships between the different approaches to quality, and it consists of six characteristics, each of which is divided into a set of sub-characteristics:
* Functionality – a set of software attributes with specific properties that provide functions that satisfy the needs of the user.
* Reliability – a set of software attributes concerning the ability to maintain a specific level of performance under the stated conditions for a stated period of time.
* Usability – a set of software attributes that measure the effort needed by a user to learn to use the product.
* Efficiency – a set of software attributes that represent the relationship between the level of performance of the software and the amount of resources used under the stated conditions.
* Maintainability – a set of software attributes needed to avoid unexpected effects from specified modifications. This characteristic describes the ease with which the software product can be changed.
* Portability – a set of software attributes needed for software to be transferred from one environment to another. This is important when the application is made for use on different distributed platforms. [8][9]

Figure 1: ISO/IEC 9126-1 external and internal quality attributes.

Internal metrics are static metrics that do not rely on software execution; they are used to measure the characteristics and sub-characteristics identified in the quality model.

External metrics rely on running the software; they are used to measure the characteristics and sub-characteristics identified in the quality model.

Quality in use metrics can be measured only when the final product is used in a real environment under real conditions; they measure the effects of the quality characteristics.

An example of an internal metric is data corruption prevention. Its purpose is to find the completeness of the implementation of data corruption prevention. The method of application is to compare the number of implemented instances of data corruption prevention with the number of instances of operations specified in the requirements that are capable of destroying data. Mathematically, the result can be expressed as X = A/B, where A is the number of implemented instances of data corruption prevention and B is the number of instances of operations specified in the requirements that are capable of destroying data. The value X should satisfy 0 <= X <= 1; the closer it is to 1, the more complete the data corruption prevention. Inputs to this measurement are the requirement specification, design, source code and review report.

An example of an external metric is maintainability compliance. Its purpose is to find how compliant the maintainability of the product is with applicable regulations, standards and conventions. The method of application is to compare the number of items requiring compliance that have been met with the number of items requiring compliance in the specification. Mathematically, the result can be expressed as X = 1 - A/B, where A is the number of maintainability compliance items specified that have not been implemented during testing and B is the total number of maintainability compliance items specified. The value X should satisfy 0 <= X <= 1; the closer it is to 1, the better the maintainability compliance. Inputs to this measurement are the product description (user manual or specification) of compliance and related standards, conventions or regulations, and the test specification and report. The target audience is suppliers and users. [9]
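As an added worked example (not from the paper), the two ISO/IEC 9126 metrics above, data corruption prevention (X = A/B) and maintainability compliance (X = 1 - A/B), computed over a constructed requirements list and compliance item list; the class and function names are assumptions, and the example also handles the case B = 0, where the formulas are undefined.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DestructiveOperation:
    """Operation in the requirements specification that can destroy data."""
    name: str
    prevention_implemented: bool  # e.g. confirmation, rollback or backup exists


@dataclass(frozen=True)
class ComplianceItem:
    """Maintainability compliance item (standard, convention or regulation)."""
    name: str
    met_in_testing: bool


def data_corruption_prevention(ops):
    """Internal metric X = A/B: A = implemented prevention instances,
    B = operations in the requirements capable of destroying data.
    Returns None when B == 0, where the ratio is undefined."""
    b = len(ops)
    if b == 0:
        return None
    a = sum(1 for op in ops if op.prevention_implemented)
    return a / b


def maintainability_compliance(items):
    """External metric X = 1 - A/B: A = specified compliance items NOT
    implemented during testing, B = total items specified."""
    b = len(items)
    if b == 0:
        return None
    a = sum(1 for item in items if not item.met_in_testing)
    return 1 - a / b


def in_range(x):
    """Both metrics must satisfy 0 <= X <= 1 (closer to 1 is better)."""
    return x is not None and 0.0 <= x <= 1.0


# Constructed sample inputs (hypothetical, not from the paper).
SAMPLE_OPS = [
    DestructiveOperation("delete_user_account", True),
    DestructiveOperation("bulk_overwrite_records", True),
    DestructiveOperation("truncate_audit_log", False),
    DestructiveOperation("reset_configuration", False),
]
SAMPLE_ITEMS = [
    ComplianceItem("naming convention followed", True),
    ComplianceItem("change log kept per release", True),
    ComplianceItem("unit tests for every module", False),
    ComplianceItem("modules documented", True),
]

if __name__ == "__main__":
    print("data corruption prevention X =", data_corruption_prevention(SAMPLE_OPS))
    print("maintainability compliance X =", maintainability_compliance(SAMPLE_ITEMS))
```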
===4. ISO CERTIFICATION===
The process of issuing ISO certificates is carried out by appropriate accreditation bodies. Given the evident fact that ISO 9000 is a significant addition to any company, many countries have accreditation bodies that are meant to authorize certification bodies. Both accreditation and certification bodies charge for their services. The accreditation bodies have a joint concept to ensure that a certificate released by any of the accredited certification bodies is internationally approved. Accreditation bodies operate under ISO/IEC 17011 and certification bodies operate under ISO/IEC 17021. [10][11]

In past years ISO 9000 has proven to be a very important and effective tool that cannot be overlooked. According to a study done in Sweden, which focused on factors for implementing the standard, benefits gained after implementation and motives for implementing it, the essential interest in getting certification is to increase corporate reputation and quality. Another meaningful outcome is that the effectiveness of ISO 9000 can be influenced by the motivation that brought about the idea of certification. [12]

===5. MEANING OF ISO CERTIFICATE===
Many times while looking for goods or services customers run into labels that say ISO 9001:2000, ISO 9001:2008 or ISO 9000. The idea of these labels is to help customers find what they are looking for and to make sure that the retailers comprehend what is expected from them and deliver the expected product.

ISO 9001 aims to implement a group of requirements that, when properly implemented, should supply the customer and the retailer with confirmation that the goods and services supplied:
* meet the needs and expectations
* comply with applicable regulations

Product design, processing of incoming orders, purchasing, supervision and evaluation of products and processes, arrangement of measuring equipment, resolving customer complaints, improvement or preventive activities, requirements for continual improvement of the QMS, the commitment of the supplier's top management to quality, customer focus, adequacy of resources, employee competence and process management (including production, service delivery and relevant administrative and support processes) are among the topics considered by the requirements. Another important requirement is that the supplier monitor customer perceptions of the quality of the goods and services provided.

The ISO 9001 label and certificate do not specify requirements for the products or services offered for purchase. The customer should precisely define their needs and expectations for the product or service.

Conformance to ISO 9001 means that, with regard to quality management, the supplier has established a systematic approach and that the business is managed so that the needs of the customer are of high importance and are clearly understood, accepted and met. However, a claim of conformance to ISO 9001 should not be interpreted as a substitute for a declaration of conformity of the product.

Knowing that a company holds an ISO 9001 certificate can be useful for customers. The customer is included in some of the requirements for the purchasing process, which refer to the following cases:
* requirements regarding the purchasing information that should be provided so that suppliers clearly understand their customers' needs
* the ways in which supplied products can be verified as meeting the requirements of the customer

The client has the obligation to specify to the supplier what is expected of the product. This practice is best, because otherwise the company might not receive what is needed or expected, and the product might not satisfy its requirements. Another very important detail is the further use and needs of the product, which should be specified by the client.

To check whether the QMS of the supplier meets the requirements of ISO 9001, the customer could receive a declaration affirming that the QMS meets the ISO 9001 requirements, the supplier could be inspected by the customer to see whether the QMS meets ISO 9001 and the requirements of the customer, or a third party could conduct an assessment to check conformity to the ISO 9001 requirements and issue an appropriate certificate.

To improve the level of confidence, some certification bodies are accredited by national or international accreditation bodies. These bodies verify the independence and competence of the certification body to carry out the certification process. Many of these accreditation bodies have agreements under the umbrella of the IAF (International Accreditation Forum) in order to develop common international acceptance, upholding the WTO (World Trade Organization) and free trade principles. [14][17][23]

====5.1 State Agencies for Software Quality====
In some countries there are government agencies meant to improve software quality. Some of them have produced very good practices that give excellent results and are recommended for implementation in other countries.

For example, in the US there are specific Food and Drug Administration standards that assign requirements for software used in medical applications. The FDA made validation requirements that apply to software used in medical devices, software that is a medical device, and software used in the production of such a device or in the implementation of its manufacturer's quality system. The process of software validation defined by the FDA is understood as confirmation through testing and analysis, and by objective evidence, that the software specifications are appropriate to the intended users and their needs and that all implemented requirements can be consistently fulfilled. Among the goals of this standard is to be as compatible as possible with ISO 9001, although there may be some differences. Some of the requirements are considered not specific enough in ISO 9001, so the FDA pointed them out in its rules. [20][21]

Similarly, the Council of Canadian quality assurance standards (SCC) promotes the country's voluntary national standards, which are guided by the quality management principles defined in ISO 9001:2000 with several improvements. [24]

In 2004 the North Carolina Office of Information Technology (ITS) decided to change the way software quality assurance testing is performed and to create criteria for developers. This was brought up because of the significant differences in the way some agencies handled the development cycle. ITS decided to avoid complications by consolidating SQA testing methods under ITS. The idea was to let agencies subscribe to quality assurance tools provided by ITS rather than purchase tools themselves. This is supposed to unify application testing with less fuss.

The SaaS delivery model has become quite popular and has quickly spread worldwide. The main reason organizations try SaaS is the possibility of saving on implementation. The software runs on servers owned by the SaaS provider, and the host also mobilizes its own IT personnel to handle problems, so the customer need not worry about maintenance. In this case the customers pay for service, not for ownership. [16][18]

The State of New York has established a State System Development Lifecycle (SDLC) that is written in a common language and has enough detail to enable a Project Manager to plan and manage a system. It consists of standard phases and processes that should be followed regardless of the environment and tools. Regarding the quality of the software, there is a Quality Assurance Plan that is established and executed by a Software Quality Assurance Analyst, who also collaborates in test script and data preparation. According to the Quality Assurance Plan associated with the project management lifecycle, the software quality testing process should consist of three components: quality standards, quality assurance processes, and quality controls.

The Software Quality Standards define the programming standards as well as the development and testing standards that are agreed throughout the project. The Software Quality Assurance Processes describe and establish procedures that are later implemented by the Project Team to provide management with evidence that these procedures are being adopted and that the quality standards are being met. Finally, the Software Quality Controls comprise a series of reviews and audits that evaluate deliverables against the stated standards and acceptance criteria. The controls consist of software testing techniques and reviews. [22]

===6. HOW TO GET ISO CERTIFICATE===
Basically there are four major steps a company needs to take to get an ISO certificate.

The first step is to prepare the documentation. The company needs a written quality manual, procedures, and some forms. They will all have to meet the requirements of the ISO quality standard, but they will also have to fit the company's quality goals.

The next step is training. All of the employees will require some training; the amount of training depends on each individual's responsibilities.

Next, the company should practise and use the quality system for a few months. This might bring some changes that need to be made. Another important thing in this step is to keep records about the quality system. In a few months the quality system and the employees should be ready for the registration audit.

The final part is to get audited. The time involved in conducting a registration audit and the number of required auditors vary with the size of the company. The auditors can rate problems as "non-conformances" or "observations". Non-conformances can be classified as "major" or "minor". A major non-conformance can cause the company not to get the certificate. Minor ones may in some cases prevent certification, depending on the number and severity of the problems. Observations, on the other hand, do not cause the loss of certification. They are a sort of suggestion on how to make improvements to the quality system.

===7. REFERENCES===
[1] Dave Nietsen, "CMM and Project Quality Management" (http://www.pmhut.com/cmm-and-project-quality-management)
[2] Software engineering — Product quality, ISO/IEC 9126-1:2001, ISO/IEC 2001 (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=22749)
[3] ISO 9001 Standard official page (http://www.iso9001.com/)
[4] Daniel Galin, "Software quality assurance from theory to implementation", Edinburgh Gate, England, 2004
[5] Official ISO site (http://www.iso.org)
[6] ISO standards integrated confidence, Annual Report 2008 (http://www.iso.org/iso/annual_report_2008.pdf)
[7] P. Botella, X. Burgués, X. Franch, G. Grau, J. Marco, C. Quer, "ISO/IEC 9126 in practice: what do we need to know?"
[8] Krzysztof Sacha, Evaluation of Software Quality, Warsaw University of Technology
[9] ISO standards: ISO 12207, ISO 15504 & ISO 9126, ISACA – CETIC Meeting
[10] ISO/IEC 17021: "Conformity assessment. Requirements for bodies providing audit and certification of management systems" (2011)
[11] ISO/IEC 17011: "Conformity assessment. General requirements for accreditation bodies accrediting conformity assessment bodies" (2004)
[12] The TQM Magazine, "The state of ISO 9000 certification: a study of Swedish organizations"
[13] Managerial Auditing Journal, "An adaptation to ISO 9001:2000 for certified organizations" (http://www.emeraldinsight.com/journals.htm?articleid=1463722&show=html)
[14] Capers Jones, Olivier Bonsignour, Jitendra Subramanyam, "The Economics of Software Quality"
[15] Software Quality Standards, National Inst., August 2007
[16] "North Carolina, State Technology Plan", February 2011
[17] James A. McCall, Software Quality (http://www-public.it-sudparis.eu/~gibson/Teaching/CSC7302/ReadingMaterial/CavanoMcCall78.pdf)
[18] Defining Software Quality and Economic Value (http://www.informit.com/articles/article.aspx?p=1743012)
[19] Quality management systems — Requirements, ISO 9001, Third edition
[20] "Off-The-Shelf Software Use in Medical Devices", U.S. Department of Health and Human Services
[21] "General Principles of Software Validation", U.S. Department of Health and Human Services
[22] "System Development Lifecycle", New York City Project Management (http://www.cio.ny.gov/pmmp/guidebook2/Phase.pdf)
[23] ISO 9001 – What does it mean in the supply chain
[24] Canadian Quality Assurance (QA) & Control Standards (http://www.mastercontrol.com/quality-management-software/quality-assurance/canadian.html)