Standards Chair Report
by Scott Duncan
IEEE Software and Systems Engineering Standards Committee (S2ESC - Executive Committee and Management Board) meeting in Ft. Lauderdale, FL in mid-August.
The New Name and DoD Software Assurance
As reported in a prior column, the SESC voted to changed its name to S2ESC in February, adding "and Systems" to its name. One of the primary reasons for this was to address the fact that the Committee covers standards for software development as well as "systems containing software." An important aspect of this is to acknowledge the close cooperation between S2ESC and the DoD's latest efforts in software assurance. Joe Jarzombek is Deputy Director of Software Assurance and the DoD liaison to the S2ESC Executive Committee. Discussion at this meeting covered the DoD initiative from the perspective of safety and security. As taken from the official meeting minutes, activities included would be:
- Establish a process to prioritize assets that require high assurance
- Establish a threat assessment capability focused on software suppliers
- Offer security evaluation criteria for supplier SW development capabilities
- Develop software assurance guidelines for high assurance system eng.
- Institutionalize an Enhanced Risk Management Process to address risks attributable to software vulnerabilities and threats
- Provide explicit authorities to exclude untrustworthy suppliers
- Invest in software evaluation tools and in engineering capabilities to:
- Effectively diagnose and mitigate software risks and make software security more operationally compatible/supportable
- Establish DoD executive agent for SW vulnerability and Mitigation and Discovery
- Establish a federated, national High Assurance SW Tech and EvalCenter
- Foster a workforce culture that demands software integrity: Integrate SW security in -
- IT acquisition and PM education and training.
- Coordinate with standards bodies and academic institutions.
One consideration was the comprehensiveness of evaluation of software: What does software do that is does not advertise as a feature? A presentation, by Bill Beckwith, on software evaluation and associated assurance levels was given. Using methods with increasing rigor, up to and including formal proofs, levels could be assigned to software based on such an evaluation. There were also associated comments on the need for style guides for safe and secure subsets of programming languages, i.e., subsets more safe and secure than the entire language. (For example, ISO 15942 addresses AdaT's use in critical systems.)
Another aspect of the discussion included software maintenance, which Jarzombek mentioned he preferred to see referenced as "sustainment" due to that word's broader context for the entire lifecycle of a system. It was recommended that IEEE 1219 and ISO 14764 need merging as maintenance standards.
It was also noted that Jarzombek will continue as Chair for IEEE1062 (an RP on SW Acquisition) though it is an area that is no longer his main work focus in the DoD.
Revision of IEEE 730 on Quality Assurance
The revision of this document will begin sometime next summer. The anticipated chair for this work is Ron Dean of Galaxy Scientific. This will be a fine opportunity for ASQ Software Division members to be actively involved in the work on a standard.
IEEE On-Line Balloting
Early in 2005, the IEEE Standards Association will begin on-line balloting of and commenting upon standards. The new system, known as MyBallotT, will address registration for balloting groups as well as submitting ballots. Working Group Chairs will be able to review ballot status and comments through this system as well.
The High Integrity Systems Study Group, led by Deborah Sparkman, will develop a detailed strategy to include a suggested document outline for an expanded IEEE 1228 revision. A proposal is expected at the S2ESC's October teleconference.
John Walz, of the Quality Management Study Group presented a summary on the progress of the group. A presentation had been made to TC176, which ASQ administers to handle the ISO 9000 series, and was received well by that TC with regard to cooperative review and comment on IEEE's version of 90003. Recall that the ISO/IEC 90003 is a revision of ISO 9000-3 which became an SC7 document but required the number change.
Mary Beth Chrissis, SEI liaison, suggested that S2ESC should contact SEI partners (i.e., assessment and training consultants) regarding use of IEEE Standards to support process improvement.
S2ESC Strategic Planning
How does S2ESC best market its standards collection? What's the business model for getting people interested in using the standards?
S2ESC will check the feasibility of a student-watermarked version of the collection and draft a business case with other possible incentives for students who purchase the collection.
S2ESC needs to form a study group to research and pursue the translation of IEEE standards into other languages as IEEE CS is currently the only transnational computer society.
Agile Methods Guidance for Acquirers
This project (P1648) is about to start drafting the actual content of the Recommended Practice.
Those who wish to be involved with the editorial effort, as opposed to just balloting, need to contact me now to join the Working Group if you have not already done so and formerly submitted a roster entry.
IEEE Book Series - Roger Fujii gave a presentation. The series is moving ahead, slowly, but surely. John Horch is working on the Software Quality Assurance volume and we have offered the Division's help in reviewing it. Would our Division want to propose volumes on software methodology design or software quality engineering?
IEEE SE-Online Portal - This website has been implemented but is in need of content on various topics.
CASE Standards Adoption - Carl Singer, who chairs the IEEE 1775 series on CASE tool interconnection, will investigate adoption of ISO/IEC 14102 and 14471 on CASE tool evaluation and selection.
International Certification of Software Developers - Steve Seidman will chair a study group on this topic and certification compatibility. The focus will be on ISO 19759, the international adoption of the Guide to the Software Engineering Body of Knowledge (SWEBoK).
The official minutes of this meeting, and some of the presentations given, can be found at standards.computer.org.
US TAG Pittsburgh Meeting Notes
Last minute family emergencies and work demands plus the loss of three members (i.e., ARINC, MEDTRONICS, Northup-Grumman) resulted in lower attendance at this meeting compared to others in the recent past. There was, however, no lack of activity in a variety of areas.
New Work Items Proposed to SC7
One NWI was to develop a guidance document on applying ISO 9001 to system engineering as ISO 90003 now exists for applying it to software.
Another NWI was to develop a meta-model for software development methodologies based on an Australian definition "language."
A third NWI had to do with developing a data quality model along the lines of the product quality model in ISO/IEC 9216.
Task Groups (and related international Working Group topics)
TG2 - Work is being done on the CD for ISO/IEC 15289 related to system and software information items. There is an issue as to where processes for user documentation need to go. WG2 handles documentation as a product, not a process, but WG7 and WG10 have no current place for this. Perhaps it should simply be regarded as a subset of the whole documentation process.
TG6 - The New Work Item proposal on a data quality model seems particularly targeted to e-government and e-commerce data. Standards do exist internationally and in the USA on this topic in specific domains (e.g., aerospace, medical records, financial transactions) that could affect any SC7 work. The US Government has initiatives in this regard, including working through IEEE on a standard related to voting machines/data. Tthere would seem to be interest in the topic, but perhaps not from current TAG members. [Are there Division members with an interest in this topic (i.e., as an international standard)?] Other WG6 work is the continuing effort to develop the SquaRE (ISO/IEC 250nn) series to combine/replace 9126 and 14598. There are also still issues with ISO/IEC 12119 related to COTS software "testing" and the demands placed on user packaging and documentation with regard to their use as testing "specifications."
TG7 - Work continues on the very significant harmonization effort between 12207 and 15288. As these documents change, there will be impacts on others such as the 15504 series and standards for user documentation. Coordination with WG10 and WG2, in particular, become important in this regard.
TG9 - Work is being done on a variety of items related to software risk, safety, security and dependability issues. Much of the material is being coordinated with related IEEE standards and work in these areas.
TG10 - ISO/IEC 15504-5 (the exemplar model) still appears to be 2 years from completion. The rest of the document set should be done by early 2005. The "normative" part (15594-2) already exists as an IS, for example. WG10 has two proposals to develop a New Work Item to add the concept of "Organizational Maturity" to its work program. One seeks to add a "staged" model to take 15504 assessment profiles and produce an organizational "level" while another covers a broader definition of what "organizational maturity" might mean. If WG10 could do the latter for organizations in general, not just software development, it would be a significant. As 15504 is not limited to software process assessment, adding "organizational maturity" would require a broad definition of what that means. Existing organizational models like the Baldrige Award and EFQM (an organizational quality model used in Europe), as well as others, address this, but go far beyond the product development domain.
TG22 - WG22's work is to develop a new SC7 vocabulary starting with all existing terms in SC7 materials plus IEEE's vocabulary standard (610.12), which has been offered to SC7 for this work. There was some discussion at the TAG meeting of "ontologies" that exist to handle vocabulary and the ISO 9000 annex on vocabulary. There is a target (but not absolute) date of April 2005 for a first version of the new vocabulary. It will be available in print as all other ISO standards, but the "living" version will be a database (of some sort) accessible through the Internet.
TR 15846 (Configuration Management) has been withdrawn and SC7 will refer to IEEE 828 instead.
As always, those interested in any of the topics mentioned above, or other standards-related issues, can contact Scott Duncan by email (email@example.com or firstname.lastname@example.org or email@example.com or firstname.lastname@example.org) or phone (706-649-2345 (weekdays), (706-562-1256 (evenings and weekends)).