As software becomes a more critical component in systems, concerns about software quality increase. Consequently, a number of organizations have developed quality standards that are specific to software or that can be applied to software. When developing software for some large organizations, especially government organizations, consider using one of the following most recognized standards. 

International Organization for Standardization ISO 9000

The International Organization for Standardization (ISO) developed the ISO 9000 family of standards for quality management and assurance. Many countries adopted these standards. In some cases, government agencies require compliance with this ISO standard. A third-party auditor generally certifies compliance. The ISO 9000 family of standards is used widely within Europe and Asia. It has not been widely adopted within the United States, although many companies and some government agencies are beginning to use it.

Each country refers to the ISO 9000 family of standards by slightly different names. For example, the United States adopted the ISO 9000 as the ANSI/American Society for Quality Control (ASQC) Q90 Series. In Europe, the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) adopted the ISO 9000 as the European Norm (EN) 29000 Series. In Canada, the Canadian Standards Association (CSA) adopted the ISO 9000 as the Q 9000 series. However, it is most commonly referred to as ISO 9000 in all countries.

ISO 9000 is an introduction to the ISO family of standards. ISO 9001 is a model for quality assurance in design, development, production, installation, and servicing. Its focus on design and development makes it the most appropriate standard for software products.

Because the ISO 9000 family is designed to apply to any industry, it is somewhat difficult to apply to software development. ISO 9000.3 is a set of guidelines designed to explain how to apply ISO 9001 specifically to software development.

ISO 9001 does not dictate software development procedures. Instead, it requires documentation of development procedures and adherence to the standards you set. Conformance with ISO 9001 does not guarantee quality. Instead, the idea behind ISO 9001 is that companies that emphasize quality and follow documented practices produce higher quality products than companies that do not.

U.S. Food and Drug Administration Standards

The U.S. Food and Drug Administration (FDA) requires all software used in medical applications to meet its Current Good Manufacturing Practices (CGMP). One of the goals of the standard is to be as consistent as possible with ISO 9001 and with ISO/CD 13485, a supplement to ISO 9001. These FDA standards are largely consistent with ISO 9001, but there are some differences. Specifically, the FDA did not think ISO 9001 was specific enough about certain requirements, so the FDA clearly outlined them in its rules.

Refer to the FDA Web site for more information about the CGMP rules and how they compare to ISO 9001.

Capability Maturity Model (CMM)

In 1984, the United States Department of Defense created the Software Engineering Institute (SEI) to establish standards for software quality. The SEI developed a model for software quality called the Capability Maturity Model (CMM). The CMM focuses on improving the maturity of the processes of an organization.

Whereas ISO establishes only two levels of conformance, pass or fail, the CMM ranks an organization into one of five categories.

  • Level 1, Initial—The organization has few defined processes; quality and schedules are unpredictable.
  • Level 2, Repeatable—The organization establishes policies based on software engineering techniques and previous projects that were successful. Groups use configuration management tools to manage projects. They also track software costs, features, and schedules. Project standards are defined and followed. Although the groups can deal with similar projects based on this experience, their processes are not usually mature enough to deal with significantly different types of projects.
  • Level 3, Defined—The organization establishes a baseline set of policies for all projects. Groups are well trained and know how to customize this set of policies for specific projects. Each project has well-defined characteristics that make it possible to accurately measure progress.
  • Level 4, Managed—The organization sets quality goals for projects and processes and measures progress toward those goals.
  • Level 5, Optimizing—The organization emphasizes continuous process improvement across all projects. The organization evaluates the software engineering techniques it uses in different groups and applies them throughout the organization.

The following illustration shows the five levels of the CMM and the processes necessary for advancement to the next level.

Most companies are at Level 1 or 2. The U.S. Department of Defense prefers a Level 3 or higher CMM assessment in bids on new government software development. Some commercial companies, mainly in the United States, also use the CMM.

The CMM differs from ISO 9001 in that it is software specific. The ISO specifications are fairly high-level documents, consisting of only a few pages. The CMM is a very detailed document, consisting of more than 500 pages.

Institute of Electrical and Electronics Engineers (IEEE) Standards

IEEE defined a number of standards for software engineering. IEEE Standard 730, first published in 1980, is a standard for software quality assurance plans. This standard serves as a foundation for several other IEEE standards and gives a brief description of the minimum requirements for a quality plan in the following areas:

  • Purpose
  • Reference documents
  • Management
  • Documentation
  • Standards, practices, conventions, and metrics
  • Reviews and audits
  • Test
  • Problem reporting and corrective action
  • Tools, techniques, and methodologies
  • Code control
  • Media control
  • Supplier control
  • Records collection, maintenance, and retention
  • Training
  • Risk management

As with the ISO standards, IEEE 730 is fairly short. It does not dictate how to meet the requirements but requires documentation for these practices to a specified minimum level of detail.

In addition to IEEE 730, several other IEEE standards related to software engineering exist, including the following:

  • IEEE 610—Defines standard software engineering terminology.
  • IEEE 829—Establishes standards for software test documentation.
  • IEEE 830—Explains the content of good software requirements specifications.
  • IEEE 1074—Describes the activities performed as part of a software lifecycle without requiring a specific lifecycle model.
  • IEEE 1298—Details the components of a software quality management system; similar to ISO 9001.

Your projects might be required to meet some or all of these standards. Even if you are not required to develop to any of these specifications, they can be helpful in developing your own requirements, specifications, and quality plans.