Compliance with quality standards is of fundamental importance for most companies nowadays. Whether it is an organisation that sells products or one that sells services, it is important that it complies with these standards as this means adhering to principles that, although generic, guarantee the control of the operation and highlight any strengths and weaknesses in order to determine the effectiveness and the efficiency of the time spent at work.
Although we are talking about principles common to many sectors in which companies operate to date, compliance with these standards appears to be more recognised for organisations operating in traditional industrial or administrative areas.
In recent years, however, things have changed due to the increasing presence of Information Technology in all sectors and to the growth of true “immaterial” standards for software and, notably, for databases, IT services, quality measures and documents.
ISO Standard in the software industry
The International Organization for Standardization (ISO) is responsible for developing standards, regulations and guidelines that help companies manage quality, conduct business processes, and improve effectiveness and efficiency in the production and delivery of a product or service. Its members are the standards organisations of the 164 member countries from all over the world. In Italy the ISO is represented by UNI, the Italian Unification Authority, whose website contains all the current standards in place.
Knowledge of the standards and their fulfilment is certainly an added value for the company, as they represent a tool of shared connection between abstract models and concrete realities, concepts and measures, and the starting point for a dialogue between traditional experts and innovators. Moreover, the standards make it possible to reach a middle ground between customer, client and supplier that is often difficult to attain in this kind of relationship.
Since 1946 the ISO has published more than 22,000 standards in which more than 750 TC-Technical Committees and specific groups have participated, covering many economic sectors. Examples of technical committees are:
- ISO/TC 146 air quality,
- ISO/TC 34 e.g. ISO 22000 management system for food safety,
- ISO/TC 37 e.g. 639 language and terminology,
- ISO/TC 159/SC4 ergonomics of Human System Interaction,
- ISO/TC 180 solar energy,
- ISO/IEC JTC1 Joint Technical Committee Information Technology,
- ISO/TC 268 sustainable cities and communities
where these last two have been developed specifically to support Smart Cities.
Within the whole range of standards and committees that have formed over the years, of which the previous ones represent a small part, it is important to mention subcommittees (SC) or working groups (WG) in the field of Information Technology involving Italian expertise:
- SC 7 Software and System engineering (e.g. ISO/IEC 25000 Systems and software Quality Requirements and Evaluation),
- SC 27 IT security evaluation (e.g. ISO/IEC 15408 concept of a Target and context of Evaluation and the audience to which it is addressed; ISO/IEC 27001 information security management),
- SC 35 User interface (e.g. ISO/IEC 30071-1 code of practice for creating accessible ICT products and services),
- SC 38 Cloud Computing,
- SC 41 Internet of Things,
- SC 42 Artificial Intelligence (*) – (e.g. ISO/IEC FDIS 20546 Big data: overview and vocabulary).
In the standard range of SC 7 subcommittee “Software and System engineering”, the ISO 25000 series concerns the quality of the software, data and services product, maintained in the ISO by WG6 (quality of the software and system product) and in Italy as part of the “Software Engineering” Commission at UNINFO, that is the Italian federated organisation at UNI for IT technologies. The latter acts as an intermediary between companies, Italian administrations and international and European standardisation bodies.
Some examples of Working Groups (WG) in which Italian experts have participated:
WG 6 Software Product and System Quality:
- ISO/IEC 250nn SQuaRE Series (25000-25099)
- CIF for Usability Reports (25060-25069) Joint TC 159/SC4 WG28
- ISO/IEC TR 12182 Categorization of IT systems and software
- FSM SG (ISO/IEC 14143 FSM; ISO/IEC 20926 IFPUG FSM; etc.)
WG 7 Life cycle management:
- ISO/IEC 12207 Software Life Cycle processes
- ISO/IEC CD 24748-3 Guidelines for the application of ISO/IEC/IEEE 12207
WG 10 Process assessment:
- ISO/IEC/IEEE 12207 Software life cycle processes
- ISO/IEC 15288 System life cycle processes
National and international experts have therefore shared their knowledge and experience in the development of these standards, with the aim of promoting the companies that adopt the right business processes, as well as academics and administrators in various fields worldwide. The work has involved continuous discussion between experts, with national and international votes following ISO's own methods for developing standards, and has been structured in working groups. Sharing of developments is supported by the cataloguing of standards by area of expertise and aims at facilitating the accuracy and updating of standards.
Whenever experts meet, the development of standards and any changes to draft texts are subject to majority voting and approval (ballot). In each vote each country has one vote. In particular, the following steps are planned:
- NP (New proposal)
- WD (Working Draft)
- CD (Committee Draft)
- DIS (Draft IS)
- FDIS (Final Draft IS)
- PRF (Proof of a new IS)
- IS (International Standard)
The principles on which any change or development of a standard must be based are:
Participation in the ISO’s work on standards brings many advantages including support for research and specific knowledge, also thanks to collaboration between experienced minds in every field where standards fit. The subsequent in-depth knowledge and the possibility of influencing the development of standards represent the best practices of companies, their country of origin, the EU and the various continents.
ISO 25000: software quality
The ISO/IEC 25010 “System and software quality models”, published in 2011, defines the quality characteristics of the software product. The model integrates the ISO/IEC 25012 data quality model.
The standard does not act on the functional properties of the software but on its quality properties, that is, on “how” it works. The standard consists of eight characteristics divided into sub-characteristics as in the following table.
This international standard defines a general model of process quality that contributes to improving the quality of the software product and documentation. As a result, this will drastically improve the quality of the system in use too. In addition to providing valuable feedback to improve the product, the quality evaluation of the product and its processes.
Quality is differentiated according to the categories that the standard defines, which are:
- internal quality: concerning the “static/structural” properties of the software that can be verified by analysers or inspections;
- external quality: relating to the “dynamic/behavioural” properties of software that can be verified in simulated environments;
- quality in use: relating to the impact of software on the field that can be verified in contexts of use in simulated or real environments, also taking into account user participation and user-experience.
The standard is currently reviewed systematically every five years at ISO because of ongoing technological developments. In addition, the characteristics that refer to this standard have no defined priority, as each of them calls for specific competences, tools, methods and techniques.
ISO 25000: code quality
The quality in use model established in ISO/IEC 25010 “System and software quality models” is applicable both during simulations, that is, before the product enters the market, and when the product is in operation.
Quality in use, which is treated separately from the software product but always within the same standard, is categorised into five characteristics: effectiveness, efficiency, satisfaction, freedom from risk and context coverage.
The quality defined by this standard depends on the interrelationship of elements such as software, system, data and IT services. In addition, the adaptation of the quality model in use to services includes, in particular, the coverage of the SLA-Service Level Agreement in the context.
ISO 25000: quality and data security
The ISO/IEC 25012 (data quality model), published in 2008 and reconfirmed in 2019, defines data quality characteristics and is a guideline not only for data quality stakeholders but also for maintenance, with reference to software and service managers.
This international standard became a national standard in 2014 under the designation UNI CEI ISO/IEC 25012 “Model of data quality”. It was developed in ISO with the contribution of the Software Engineering Commission of UNINFO.
In this case the quality attributes refer to 15 distinct characteristics, divided between:
- inherent and dependent on the system: accessibility, comprehensibility, conformity, efficiency, accuracy, confidentiality, traceability
- dependent on the system: availability, portability, restorability.
The standard is used in an integrated framework of software quality, processes and services with the aim of preventing the quality of a “Data Lake” which is characterised by semantic harmonisation of information and efficient data interchange.
This model defines the quality of all structured data in a computer system (e.g. character strings, text, numbers, images, sounds, etc.), of assigned values and of relationships between data (in the same system or between different systems). It therefore identifies the actions needed to improve any procedural aspects of non-automated data.
The standard is applied to:
- define software and system quality requirements in development/maintenance;
- assess data quality requirements in production, acquisition and integration;
- improve the quality of the data to be displayed in “Open data” mode;
- identify data that require automatic (or manual) correction processing as a priority;
- describe an ontology of an information-informatics system;
- identify quality assurance criteria, which are also useful for re-engineering, assessment and data improvements;
- contribute to the quality of the “inputs” and “tributaries” of a “Data Lake”;
- examine the conformity of data with existing laws or requirements;
- have concrete evidence to estimate the costs of data quality loss and to implement organisational improvements.
ISO 25000: certified software for IT services
The ISO/IEC TS 25011 (service quality models) standard was published in 2017 and is closely linked to other quality models of the ISO 25000 series and influences the quality of the whole system.
The characteristics that the standard evaluates are eight (with 26 sub-characteristics):
- Capacity of response
The services to which we refer in this case are:
- fully automatic services provided by an IT system;
- services provided by persons using an IT system;
- mixed services of various kinds (technical and support services)
More concretely, in the IT world these are consulting services, system integration, software development, hardware maintenance, data and information provision and so on.
ISO/IEC 25000 quality certificates
ISO/IEC 25000 quality certification involves an accredited third-party body which ideally relies on accredited laboratory reports.
Obtaining the certification requires not only a documentary analysis but also the re-execution of the software and the checking of the databases, taking into account the requirements that the software must meet and the business rules of the data.
The steps to arrive at a certification are as follows:
- compliance of the product with explicit requirements
- good results of evaluation activities
- ability to correct intercepted anomalies
- availability of adequate skills to follow the findings received
- pre-existing ISO 9001 and ISO/IEC 27000 certificates
Certification may concern the software product (in which case ISO/IEC 25010 will be indicated), the data content of a database (with indication ISO/IEC 25012) or a combination of software, data and possibly also services (with ISO/IEC 25000).
Obtaining ISO 25000 series certification brings many advantages to a company including:
- ensure that the data are reliable and of high quality;
- ensure that the software meets the functional requirements;
- improve the documentation and possible user manual, reducing subsequent costs;
- obtain formal recognition and credibility in the market
- contribute to increased safety in “mission critical” and “life critical” applications, while safeguarding risks relating to the environment, the economy and health.