ISO Standards - IT
ISO Standards - IT
ISO Standards - IT
Abstract
This paper considers how standards can be used in software testing. Two views are used to
identify relevant standards. First, those higher level standards that require software testing to
be performed as part of a larger process are considered, and then a generic software testing
model is presented and standards identified that support the activities within it. The concept
of integrity levels and their use in testing standards is introduced and the usefulness of
application-specific standards is considered and rejected. Finally a new framework of
standards to support software testing is proposed.
1 INTRODUCTION
What use are standards to you? First, we must qualify the question as there is a consumer
viewpoint and a producer viewpoint. As a consumer, standards affect our everyday lives and
are generally considered a good thing. For instance, a standard that governs the quality of
pushchairs generally meets with public approval as it is presumably safeguarding our children.
As such, the standard acts as a form of guarantee to the consumer that the product is of a
certain quality. The vast majority of consumers have no idea what a pushchair standard might
contain, but trust the authors to know what they are writing about. Initially we might expect
the standard to contain requirements that make a pushchair as safe as possible (so using best
practice), but after a moment’s reflection we will probably modify our view to expect a
reasonable balance between safety and cost (good practice). After all, we don’t want to make
the price prohibitive. So, to the consumer, standards are generally useful, their authors
providing the expertise to a transaction that would otherwise be lacking.
Now, what about the producer of pushchairs? They have a different perspective.
Manufacturers benefit from complying with the standard as they are then presumably making
‘good enough’ pushchairs. They thereby avoid the dual pitfalls of bad publicity and legal
liability from selling ‘unsafe’ pushchairs. Following the marketing theme, then if the pushchair
standard was not mandatory, then those manufacturers complying with it would be able to use
their compliance to market their products favourably compared with non-compliant
competitors. Consider, finally, the manufacturer new to pushchairs. The existence of a
standard detailing good practice in pushchair manufacture means that they do not have to start
from scratch, but can build on the experience of the standard's authors.
1
Unhappily, there is no single software testing standard in the way that a single pushchair
standard has been assumed here. Consumers of software testing services cannot simply look
for the ‘kite-mark’ and testers have no single source of good practice. As will be shown, there
are many standards that touch upon software testing, but many of these standards overlap and
contain what appear to be contradictory requirements. Perhaps worse, there are large gaps in
the coverage of software testing by standards, such as integration testing, where no useful
standard exists at all. Where standards related to software testing do exist this paper attempts
to show which ones are best, for both building up confidence between supplier and consumer,
and providing information on good practice to the new or inexperienced tester.
BS British Standard
BS 7925-1 Software Testing Vocabulary
BS 7925-2 Software Component Testing
Def Stan 00-55 Requirements for Safety-Related Software in Defence Equipment
DO-178B Software Considerations in Airborne Systems and Equipment Certification
ESA European Space Agency
IEC The International Electrotechnical Commission
IEC 60300-3-9 Risk analysis of technological systems
IEC 61508 Functional Safety of electrical/electronic/programmable Safety-Related
Systems
IEC 880 Software for computers in the safety systems of nuclear power stations
IEEE The Institute of Electrical and Electronics Engineers
IEEE 610 Standard Computer Dictionary
IEEE 610.12 Software Engineering Terminology
IEEE 730 Standard for Software Quality Assurance Plans
IEEE 829 Standard for Software Test Documentation
IEEE 1008 Standard for Software Unit Testing
IEEE 1012 Standard for Software Verification and Validation
IEEE 1028 Standard for Software Reviews
IEEE 1044 Standard Classification for Software Anomalies
IEEE 1044.1 Guide to Classification for Software Anomalies
ISO The International Organization for Standardization
ISO 9000 Quality management and quality assurance standards
ISO 9001 Model for quality assurance in design, development, production, installation
and servicing.
ISO 9000-3 Guidelines for the application of ISO 9001 to the development, supply,
2
installation and maintenance of computer software
ISO 12207 Software life cycle processes
ISO 15026 System and software integrity levels
ISO 15288 System Life Cycle Processes
ISO 15504 Software process assessment
MISRA Development Guidelines for Vehicle Based Software (from the Motor
Industry Software Reliability Association)
NIST The National Institute of Standards and Technology
NIST 500-234 Reference Information for the Software Verification and Validation Process
PSS Procedures, Specifications and Standards
PSS-05-0 ESA Software Engineering Standards
SEI The Software Engineering Institute
SE CMM Systems Engineering Capability Maturity Model
SW CMM Capability Maturity Model for Software
TMM Testing Maturity Model
Systems Engineering
Software Engineering
Software Testing
3
Figure 1. The Process Context of Software Testing
Using the model in figure 1, process-oriented standards can be identified for each of the
different levels identified. In fact, the systems engineering, software engineering and
verification and validation processes are all covered by corresponding standards (e.g. ISO
15288, ISO 12207, and IEEE 1012 respectively). Each of these standards contains
requirements relevant to the software tester. Both ISO 15288 (full publication due Dec. 2000)
and ISO 12207 include processes for verification and validation, and although many software
developers and testers ignore the systems aspect of their work, it is impossible to deny the
relevance of ISO 12207, the software life cycle processes standard. ISO 12207 is a standard
that defines a framework for software throughout its life cycle and, unlike ISO 9000, has been
quickly accepted in the US - it has now been accepted as the ‘umbrella’, or integrating
standard by the IEEE for their complete set of software engineering standards. IEEE 1012,
one of this set, defines in detail the specific verification and validation processes, activities and
tasks to be performed, based on integrity levels (see section 5).
Quality provides a different perspective from which to view software testing and figure 2
shows how software testing fits into a quality model. From a quality perspective, testing, as
part of verification and validation, can be seen as an integral part of software quality assurance.
If software is part of a larger system, then software testing can also be considered as part of
overall quality management and assurance. As with the process model, the higher levels are
covered well by corresponding standards (e.g. ISO 9000, IEEE 730 and IEEE 1012,
respectively). Not many software developers will be ignorant of ISO 9000, but it considers
testing at such a high level that non-compliance would basically mean performing no
documented testing at all. IEEE 730 is similarly high level (and rather confusing as it separates
testing into two parts; that performed as a part of ‘verification and validation’ and ‘other
testing’).
Software Testing
A third model can be used where, unusually, software testing does have a corresponding
4
standard. This represents the terminology perspective as shown in figure 3. Natural language,
as spoken in our daily lives, is at the highest level, while computing terms and software
engineering terms lead eventually to software testing terms. Standards are available for each
level of this model, for example starting with the Oxford English Dictionary, leading onto
IEEE 610, IEEE 610.12 and finally onto BS 7925-1, the software testing vocabulary.
Computing Terms
Software Engineering
Terms
Software Testing
Terms
5
ORGANISATION
TEST POLICY
TEST STRATEGY
PROJECT
TEST DOCUMENTATION
TEST TERMINOLOGY
PHASE
PHASE TEST PLAN
TEST PROCESS
INCIDENT MANAGEMENT
6
determining integrity levels based on risk analysis, which is defined in IEC 60300-3-9.
REVIEWS INCIDENT
MANAGEMENT
CHECK
TEST TEST TEST CHECK
AND
PLAN SPECIFICATION EXECUTION COMPLETION
REPORT
Phase test planning was considered earlier in 4.5, but the decisions made during this activity,
such as which test case design techniques to use and which test completion criteria to apply,
should be dependent on the integrity levels for the software, which in turn are based on some
form of risk analysis. The process for determining integrity levels is defined in ISO 15026 and
the risk analysis process is defined in IEC 60300-3-9. Both test plans and test specifications
should be reviewed; software review techniques are defined in IEEE 1028. The techniques
used to design test cases in the ‘test specification’ activity and the test coverage measures used
7
in the ‘check completion’ activity are both defined, along with examples of their use, in BS
7925-2. Incident management, which forms a major part of the ‘check and report’ activity, is
covered in the next section.
8
The use of integrity levels was initially confined to application-specific standards, such as DO-
178B (avionics), Def Stan 00-55 (defence) and MISRA (automotive), but this is gradually
changing. The recently published IEC 61508, according to its title, is applicable to
“electrical/electronic/programmable safety-related systems”, and so could presumably be used
instead of the previously-mentioned standards, and this has been a well-debated point. The
take-up of IEC 61508 has been relatively slow in the US as it is perceived as a European
standard (despite its international title), in a similar way to ISO 9000. IEC 61508 has four
integrity levels, as do most standards using this concept, and is very comprehensive, covering
both hardware and software (part three of this standard covers software requirements). It does
include some rather strange software testing requirements (the relationship between the
requirements for boundary value analysis and equivalence partitioning needs some work), but
part 7, which is not yet available, will provide an overview of techniques and measures, and
may clarify such problems.
One thing that IEC 61508 has in common with the application-specific standards is that it is
aimed at safety-related applications. IEEE 1012, published in 1998, also uses the integrity
level concept, but is neither a safety-related standard, nor application-specific. This standard
defines the verification and validation to be performed based (again) on four software integrity
levels, but these integrity levels are not necessarily safety-related, but can be based on other
forms of risk, such as economic, security, etc. Also published in 1998, is ISO 15026, which
defines a process for determining integrity levels based on risk analysis. This standard defines
an integrity level as a range of values of a software property necessary to maintain risks within
tolerable limits, where the risk can be defined under different perspectives (e.g. safety,
financial, political, security). The availability of these standards (and IEC 60300-3-9 on risk
analysis) supports the recent emergence and popularity of risk-based testing and provides the
beginning of a framework of standards to support it.
6 APPLICATION-SPECIFIC STANDARDS
There are many application-specific standards for software development and testing, nearly all
of which are in the safety-related application domain. Examples of this type are DO-178B
(avionics), MISRA (automotive), Def Stan 00-55 (defence), and IEC 880 (nuclear). The first
three of these standards/guidelines use the concept of levels of integrity, while the last, IEC
880, does not, but this may be due to its age – it was published in 1986.
A relevant question to be asked of application-specific standards is why they were linked to a
particular application area and not simply published as generic software development and
testing standards. There are no ‘special’ testing techniques that are particularly appropriate
for avionics systems that are not just as useful when testing automotive, or pharmaceutical, or
medical, or financial software (as far as is known). As long as the perceived risks from the
software failing are of a similar level, then similar amounts of effort will be appropriate for the
development and testing. For instance, a safety-critical software component in a car and a
9
financial software component upon which an organisation’s economic future is dependent will
both be rigorously tested, but no-one knows of any testing technique that will work better for
the automotive component than the financial component, or vice versa. If both are perceived
as being similarly risky by the customer then they both deserve similar budgets for their testing
and, all other things being equal, this will mean similar approaches to their testing.
Given that there appears to be no good reason for application-specific standards for software
development and testing then why do they exist? Imagine that a particular industry body
decides that their industry needs a software development standard and commissions a new
standard from experts in software development who also work in their industrial area. On
completing the work (which is a generic software development standard), the authors, who
have little or no experience in other application areas, do not feel qualified to label it as a
generic standard or may not want to disappoint the commissioning body by not delivering the
application-specific standard they were expecting – and so another application-specific
software standard is created. The developers of PSS-05-0 (the European Space Agency (ESA)
software development standards) appear to have learnt this lesson. They have published the
software development standards used by ESA as generic standards which “provide a concise
definition of how to develop quality software”. PSS-05-0 is thus one step forward from
application-specific standards. For testing it references IEEE 1028 for software reviews, IEEE
1012 for verification and validation, and IEEE 829 for test documentation. Its failing is that it
does not use the integrity level concept. IEC 61508 is near to fulfilling the requirement for a
generic standard using integrity levels, but it states that it is specifically applicable to safety-
related applications. Why IEC 61508 could not be used for non safety-related applications,
such as financially-related applications, if suitable integrity levels could be determined, is not
clear.
There are few application-specific standards/guidelines that solely consider software testing,
although NIST 500-234 is an example of one that provides ‘reference information’ on software
verification and validation for the US health care industry. These guidelines give good general
(i.e. not especially relevant to healthcare) advice on verification and validation and also provide
special sections on testing reused software and knowledge-based systems. This text of 75
pages is a fine, generic introduction to software verification and validation, freely available on
the Web.
In general, application-specific standards for software development and testing do not appear
to be worth the effort unless some positive data confirming that application-specific
requirements are valid becomes available. With no basis for making this type of standard
application-specific, then the effort would be better spent on generic standards, so reducing
duplicated effort on very similar standards. The ideal use of application area experts is in
providing standards for determining integrity levels for their particular field, which can then be
10
applied to a generic software testing standard using integrity levels, written by experts in
software testing, as suggested in the next section.
Application-Specific
Application-Specific Integrity Levels
Application-Specific
Application-Specific risk criteria
Standards
Standards Standard
Standards
Standards
y levels els
integrit lev
V&V egrity
int
Standard phas Testing
es Testing
Testing Phase
TestingPhase
Testing Phase test techniques
Phase Techniques
Standards
Standards
Standards
ref
Standard
ce
nce
ref
n
re
ere
fe
re
n
ce
11
techniques and measures are defined from only that perspective and the associated guidelines,
which give examples of their use, also only cover their application to component testing. This
introduces a problem when standards for the other test phases are written. It is not
appropriate for the definitions in BS 7925-2 to be referenced by such standards, but re-defining
them in each standard is also problematic, as there will be problems of consistency, but, more
importantly, there will be duplication of effort. The solution is to create a single separate
standard that covers the techniques and measures, which should be defined in such a way as to
be applicable to whatever software testing phase is being performed. The guidelines to this
standard would then need to show how the techniques can be applied at each of the test
phases. A frustrating aspect of this solution is that the new techniques and measures standard
will require major changes to BS 7925-2 to remove the definitions of techniques and measures
and simply leave the component test process. However, the definitions of techniques and
measures from BS 7925-2 would be an ideal starting place for this new standard.
8 CONCLUSIONS
This paper has identified a number of high level standards that include requirements for
software testing, the two most important being ISO 9000 for compliance and marketing and
ISO 12207 to define the framework of life cycle processes within which testing is performed.
A generic testing model was then presented and used to identify those standards that support
the more detailed aspects of testing. The model was found to be poorly supported in one main
area - that of the individual test phases. Only the unit or component test phase is adequately
supported, and there are two standards available, the best of which is BS 7925-2. A second
shortcoming is that although information on test process improvement is available, it is
proprietary, so there is a requirement for standardisation. The other parts of the generic model
were generally well-supported, with the areas of incident management and integrity level
classification unexpectedly being supported by useful standards.
The use of the integrity levels in standards is now widespread in the safety-related applications
areas. This concept is gradually gaining more widespread use and IEEE 1012, a particularly
good verification and validation standard published in 1998, includes integrity levels. IEEE
1012 is also generic in that it applies to all software testing, so that economic or other risk
factors may be considered rather than safety. Application-specific standards were also
considered, and found to be obsolete for all but those activities based on risk analysis where
special application-specific knowledge is necessary. Overall, the availability of generic testing
standards, using the integrity level concept, that apply to all application areas is felt to be the
way forward.
Brief subjective comments by the author on each of the standards mentioned in this paper are
included in the Annex (section 10), where each standard is also given a rating on its usefulness
12
to a software tester.
Finally, for those who do pick up a standard, please note that standards are generally in two
parts; first a normative part, which defines what the user must comply with, and then an
informative part, which includes guidance on the normative part. The nature of standards is
that the normative part is difficult to read – do not be surprised at this. Before throwing it
away, try the informative part, which is generally the most useful!
13
[22] ISO/IEC 15504:1998, Information technology -- Software process assessment.
[23] Motor Industry Software Reliability Association (MISRA) Development Guidelines for
Vehicle Based Software, 1994.
[24] NIST 500-234, Reference Information for the Software Verification and Validation
Process (Health Care), 1996.
[25] PSS-05-0, ESA Software Engineering Standards, Issue 2, 1991.
[26] RTCA DO-178B, Software Considerations in Airborne Systems and Equipment
Certification, RTCA, 1992.
[27] SW-CMM, Paulk, M. et al, Capability Maturity Model for Software, Version 1.1,
Technical Report CMU/SEI-91-TR-24, SEI, 1991.
[28] SE-CMM, Bate, R. et al, Systems Engineering Capability Maturity Model, Version 1.1,
SEI, 1995.
[29] TMM, Burnstein, I., et al, Developing a Testing Maturity Model: Part 1 and 2, Illinois
Inst. Of Tech., 1996.
14
Standards Comments *Rating
of this document is freely available from:
[email protected].
IEEE 829 Good test documentation standard, but the standards
supporting the processes should include guidelines on the
necessary documentation. For instance BS 7925-2 for HR
component test documentation, and IEEE 1044 for incident
(anomaly) reporting.
IEEE 1008 Good coverage of unit testing process, but now superseded
U
by BS 7925-2.
IEEE 1012 Excellent V&V standard, using integrity levels. A must when
M
writing a test strategy.
IEEE 1028 Excellent introduction to software reviews. M
Supporting Standards covering those processes that support he test process.
IEEE 1044 Includes an anomaly (incident) classification process and
standard lists of anomaly classification schemes. If you’re
HR
setting up the incident reporting activity then there’s no need
to look any further, apart from…..
IEEE 1044.1 Guidance on the above, if you feel you need it. U
IEC 60300-3-9 A harmonising generic standard on risk analysis. Ideal if your
industry does not have an application-specific version – and HR
may be better anyway.
ISO 15026 An excellent generic (non-safety-specific) process for
determining integrity levels. The only minor problem is that it
HR
attempts to specify means of achieving levels of integrity –
this is best left to the development and test process standards.
High-level Process and QA standards that contain requirements related to software testing
ISO 9000 What can you say about the ISO 9000 series? More than a
ISO 9000-3 quarter of a million certified organisations can’t be wrong.
Testers need to be aware, but coverage of software testing is U
ISO 9001
minimal.
15
Standards Comments *Rating
IEEE 730 Very high level – states a requirement for the inclusion of
V&V and testing in QA plans, but not much else of use to the O
tester.
ISO 15288 Will contain (due for release in late 2000) systems level
requirements and simply require compliance with ISO 12207, O
below for software components of systems.
ISO 12207 The integrating software life cycle processes standard. Those
in software not using this standard in five years time will be M
negligible (and negligent?).
Application-specific This is only a small sample of the available application-specific standards. As is
typical of this genre, nearly all are safety-related and consider both software
development and testing.
IEC 880 An old (1986) standard that has a guidelines annex on
software testing. Aimed at very high integrity systems, its O
surprising its not been superseded.
DO-178B The best application-specific standard. Uses integrity levels.
Its only failings are the expectation of 100% coverage and the HR
inclusion of modified condition decision coverage.
Def Stan 00-55 Appears biased towards the use of mathematical proof for
verification. Defines required coverage in terms of code U
constructs rather than requiring techniques to be used.
MISRA A reasonable set of guidelines, freely-available on the Web at:
http://www.misra.org.uk/license.htm. No special automotive U
features discernible in the software testing.
NIST 500-234 Guidelines that specialise in V&V. Ostensibly for healthcare,
but actually generic. Unusually contains special topics on
testing reused software and knowledge-based systems.
U
Freely-available on the Web at:
http://hissa.ncsl.nist.gov/HHRFdata/Artifacts/ITLdoc/234/val-
proc.html.
Generic
These consider both software development and testing.
Development
PSS-05-0 No integrity levels. Testing requirements are largely based on
U
references to IEEE testing standards.
IEC 61508 Not completely generic (for safety-related software). Uses
integrity levels, but allocation of software testing U
requirements to levels looks flawed.
16
Standards Comments *Rating
Process Apart from TMM, these process improvement standards cover both development
Improvement and testing, but concentrate on development.
ISO 15504 Allows existing process improvement models (e.g. CMM,
Bootstrap, etc.) to be cross-referenced to a common base for U
measurement and comparison.
SE CMM A systems version of the original capability maturity model,
O
below.
SW CMM Used largely to measure the software development process, it
also gives guidance on what to add to increase the level of U
maturity of the process.
TMM A tester’s version of the above (so based on maturity levels),
HR
which focuses primarily on testing.
*Ratings
Mandatory – all testers should have
M
this
HR Highly Recommended
U Useful, but not necessary
O Other – only acquire if necessary
17