Minutes of Meeting #153

Meeting #153: Winter Plenary Meeting

IEEE Software and Systems Engineering Standards Committee

Meeting Dates: Tuesday, February 5 – Thursday, February 7, 2007

Meeting Location: Google Headquarters, Mountain View/Silicon Valley, CA

Attendees (in alpha order)

Mary Beth	Chrissis	SEI Liaison
Paul	Croll	S2ESC Chair
Mark	Henley	ExCom, Webmaster
Joe	Jarzombek	DHS Liaison, Dir for SW Assurance, National Cyber Security division, DHS
Keith	Middleton	Management Board
Jim	Moore	ISO JTC SC7 Liaison& S2ESC VP for International Affairs
Marcus	Plessel	IEEE SA Marketing
Annette	Reilly	Management Board
Dave	Schultz	Management Board Chair
Susan	Tatiner	IEEE, Associate Managing Director of Technical Program Development
Chuck	Walrad	S2ESC Secretary
Malia	Zaman	IEEE SA Program Manager

_______________________________________________________________________________________

Tuesday, February 5 – S2ESC Executive Committee Meeting

1 Introductions, Call To Order And Approval Of The Agenda

Meeting convened at 9:15 a.m. It was noted that we have a quorum, using the SOP definition of an S2ESC quorum (1/3 of members are present).

2 S2ESC Organization [ Croll ]

Croll reviewed current structure, members, and their terms of office. Croll pointed out that we would do well to invite Teresa Hunt), ASQ liaison to SC7, to be an S2ESC ASQ liaison.

AR: Croll will contact her about this.

3 Status Reports/Issues

3.1 Standards Status [ Schultz/Zaman ]

3.1.1 Question of scope for revision of 730-2002 (SQA Plans). Croll suggested that 14764 and 16326 would provide good models for 730 and 828 as they are revised to become process standards. Discussion of why focus should be Quality Assurance (project level) as opposed to Quality Management (organizational level). Middleton was encouraged to contact Dave Zubrow at SEI regarding work on the SQUARE series of SC7 standards. Moore pointed out that 12207 has clearly whittled down the scope of QA, and should be used as a litmus test for 730’s scope. It was pointed out that it is S2ESC policy to align with both 12207 and 15288, but 15288 (Systems Engineering) doesn’t delineate clearly between QA and QM.

3.1.2 Recirculation of 829 (SW and System Test documentation) closed Jan. 20, 2008. All objections except one have been disposed. The remaining will go to SA for decision.

3.1.3 1008 (SW Unit Testing) has been extended to 2009. IEEE and BSI will contribute their standards to serve as base documents for a new (revised) standard. A multi-part ISO/IEC standard is expected. Ursula Parker (IEEE) is the project editor. PARs are needed, but Moore recommends waiting for the IEEE/ISO cooperation agreement. One issue is whether or not static analysis should be in scope.

3.1.4 1012 (Verification and validation) is still being worked, as the WG wants to add systems, addressing H/W V&V, in the next revision. Another issue is that 1012 doesn’t align very well with 12207 and 15288, but it is seen by the community as the best existing standard in this area, and has established a footprint worldwide. This will be discussed in our strategy segment.

3.1.5 1016 (SW Design Descriptions) is coming up for maintenance.

3.1.6 1028 last re-affirmed in 2002. The WG has reviewed it for consistency with 1012, 12207, 1074, and other relevant standards. Currently in resolution stage.

3.1.7 1044 (Classification of SW Anomalies) is under consideration for conversion to a process standard. (Dave Zubrow is WG Chair)

3.1.8 1045 (Productivity Metrics) has expired and should be withdrawn.

3.1.9 1062 (SW Acquisition) revision will be chaired by Stan Wisseman who has submitted a revised PAR for this (in MyProject but not yet approved). The base doc was the DHS standard, but DHS specifics are being removed and they are looking at CMMI, too.

3.1.10 1063 (User doc) will be incorporated in a new ISO/IEC process and product standard, ISO/IEC 26514, which has been submitted for FDIS (Final Draft International Standard) ballot. Reilly recommends that we adopt the ISO/IEC standard when approved.

3.1.11 1175 set (Case Tool Interconnections) has five parts. WG Chair Singer has until 12/2008 to submit part #4.

3.1.12 1228 (SW Safety Plans) was extended until 12/2009. Previously was going to be generalized from Safety to Assurance and incorporated into 15026. This will be reversed, and 1228 will be continued. Issue is whether SW safety can be isolated from system safety. AR: Croll to ID someone to chair a WG for this. He will contact his friends in the Safety and Reliability communities. AR: Croll to contact John Harauz and Paige Ripani among others.

3.1.13 1362 (ConOps) and 1362A were re-affirmed 12/2007. It’s a very useful document, but needs to be expanded to focus on the business problem to be solved by the system. AR: Croll to send message to NDIA (National Defense Industry Association) SW Industry Experts Panel and AFEI to see if anyone in their companies would be willing to head this up. We’ll also try to get SC7 TG25 and other industry participants.

3.1.14 1420 set (SW Re-use) was withdrawn by vote in Stds Bd 12/2007. AR: Croll to contact OMG to determine if they’d be interested in proposing a new standard for re-use in OO, and re-use the good parts of 1420.

3.1.15 1462 ( Eval of Case tools) was IEEE adoption of ISO/IEC 14102. In future, will remain with ISO/IEC numbering.

3.1.16 1490 (Guide to the Project Management Body of Knowledge) revision is going forward. Walrad has a final draft of announcement ot IEEE CS regarding opportunity to participate in the review of the exposure draft. The exposure draft should be up on the web and available for review shortly. Next steps are for IEEE SA to work with PMI on the licensing/royalty agreement for the revised version.

3.1.17 1517 (SWLC Processes – Reuse Processes) was intended to be an add-on to the original 12207, which had omitted this area. Now, the current 12207 includes this area. Now, 1517 should be revised to include references to the material that 112207 took from 1517. AR: Schultz/Croll to identify a resource.

3.1.18 1644 SW Nomenclature – Naming Conventions) WG has re-started.

3.1.19 1648 (Rec. Practice for Establishing and Managing SW Development Efforts Using Agile Methods) is now in limbo. AR: Croll to appoint a new WG Chair to take the existing draft and submit it for ballot, assuming it meets basic sanity check. (Possibilities are Rich Turner at Stevens Institute and Hillel Glazier.)

3.1.20 P1723 (SOA solution Reference Architecture) PAR has been approved. LJ Zhang is WG Chair, is very active in IEEE. MB rep (Ken Costello) should assure that it is corporate-neutral. Should also involve 1471 (Architecture) people in reviewing the draft. AR: Schultz to assure Costello’s involvement.

3.1.21 P2063 (Requirements Engineering) is chaired by Croll. The SC7 study group recommends incorporating 830 and 1233. SC&/WG7 directed the editor, Mark Henley, to create a mash-up document of these and other materials as a first draft. We need to find an IEEE editor with funding for international travel.

3.1.22 12207.0 (SWLC Processes) will be replaced by the new 12207, to be published this year. 12207.1 (data) and .2 (Implementation considerations) will be replaced by other standards (15289 for 12207.1; and 24748 for 12207.2) . AR: Zaman to locate MOU with EIA WRT 12207 and send to Moore and Croll to determine if we have an obligation to form a joint project with EIA to revise 12207.2.

3.1.23 P14471 (Guidelines for the Adoption of CASE Tools) – need someone to shepherd adoption of this ISO standard for the IEEE.

3.1.24 P15026 (Systems and Software Assurance) has seen some contention about the scope of this. Moore worked with Sam Redwine, editor, to come up with a compromise that has been adopted – splitting it into 4 parts (the fourth part addresses hooking the other parts into the SLC). S2ESC will need 4 new PARs for the 4 parts. Henley will represent us in the international meetings.

3.1.25 P15289 (Life Cycle data) will replace 12207.1 (Life Cycle Data). It needs editorial revision to accommodate revisions to 12207 and 15288, but Reilly recommends adoption of this now.

3.1.26 P15939 (SW & Systems Engineering-Measurement Process) PAR has been approved, and Zaman is awaiting draft from WG chair Cheryl Jones. Moore will supply it to her.

3.1.27 P16326 (SWE Project Management) merges IEEE 1058 and ISO/IEC 16326 and is in the FCD comment resolution stage. Henley will shepherd this through the IEEE re-circ process.

3.1.28 P20000.1, .2 (IT Service Management, part 1(specification)) and part 2 (Code of Practice)) stems from BSI 15000. These were fast track adoptions of BSI 15000. There is contention within the WG WRT alignment with 12207. (BSI standards do not reference the 12207 processes.) S2ESC would like to be able to package this with other S2ESC standards that are applicable to IT organizations.

3.1.29 P24765 (Glossary of SWE Terminology) is a snapshot of the SEVOCAB database, which is available free on-line at http://comrie.computer.org/sev_display/index.action. Work is moving forward smoothly. Note: There currently is no plan for future updates to SEVOCAB. This will need to be addressed.

3.1.30 P25010 (Product Quality – Part 1: Quality Model) adopts ISO/IEC 25010. It is part of the SQAre group.

3.1.31 P25051 (SW Packages – quality requirements and testing) replaces 1465-1998. ISO/IEC 12119 is currently under revision as 25051. IEEE balloters agreed that both 1465 and this should be withdrawn.

3.1.32 P42010 (Architectural Descriptions). SC7 adopted 1471. This will replace it. (??)

3.1.33 P90003 (Guidelines for the Application of ISO 90003 to SW) – is near completion. Has been brought this far by Scott Duncan. AR: Schulz to take action necessary to bring this to completion.

3.1.34 AR: Schultz to add info to standards spreadsheet about which have been adopted from ISO/IEC and which are joint efforts.

3.1.35 1061 (SW Quality Metrics Methodology). AR: Schultz to assign a MB rep to recommend appropriate actions WRT 1061 (SW Quality Metrics Methodology (Quality Attributes)), by contacting members of the old WG. It has fallen out of step with international standards. SEI has done some good work in this area. AR: Chrissus to find out what the SEI is doing in this area and whether we can work with them to update this standard.

3.1.36 1175.3 is due for maintenance this year. Schultz will remind Singer.

3.1.37 1320.1 , .2 (Functional Modeling Language - Syntax and Semantics for IDEF0 and for IDEF1x) are candidates for stabilization.

3.1.38 982 (Dictionary of Measures) is up for maintenance in 2010. AR: Croll to work with Lou Gullo of the Reliability Society to initiate a joint effort.

3.1.39 14143.1 (SW – Functional size Measurement, part 1, Definition of Concepts) corrigendum work underway within SC7/WG12.

3.2 Working Group/Study Group Reports

3.2.1 P1644 - Practice for Software Nomenclature WG [ Tanious ]

3.2.2 Small Business Study Group [ Phillips ]

Dave Phillips (of the Huntsville small business and technology council) is the chair of a new S2ESC study group looking at how small businesses might use standards and participate in their development. Contact him at drphillips@computer.org. There was considerable discussion about why so many SW engineers haven’t heard of and don’t use IEEE standards. The fact is that the majority of SWEs outside of government work do not know about them. There is an anti-process bias in small companies for a variety of reasons.

3.3 Liaison Reports

3.3.1 SC7 Liaison [ Moore ]

Good news --We are very close to achieving complete alignment between ISO/IEC and IEEE SW standards. However, the honeymoon is over. Further coordination is going to take a lot more energy to be successful. In future, we will only be permitted to do collaborative projects if we provide considerable IP (a standard or an editor). Else, we are limited to having our liaison (currently, Moore) provide inputs/comments to an SC7 WG. Thus, we should consider very carefully which areas are most important for harmonization. Note also that IEEE is currently negotiating a new collaboration agreement (PSDO) with ISO. We will have to update the relevant S2ESC policy regarding cooperation because it will be supplanted by the coming PSDO.

3.3.2 DHS Liaison Report [ Jarzombek ]

They are advancing SW Assurance in the Cyber Security initiative and have posited that Security is a requisite quality attribute. They have found that 75% of hacks occur at the applications level; Gartner says that 90% of security threats are aimed at the app interface. The DHS SW security initiative is Build Security In (https://buildsecurityin.us-cert.gov/daisy/bsi/home.html ) and emphasizes good = secure coding practices. They’ve created a Common Weakness Enumeration (CWE) dictionary; Common Attack Pattern enumeration (CAPEC), and Malware Attribution & Enumeration. There is also a Systems Assurance Guide, Software Security Assurance State of the Art Report, in addition to the community portal. They provide tools to detect code problems and to wrap code to make it safe for use before the problems are fixed. The website provides secure coding rules and practices, and a corresponding skills assessment, and a high-level model of a “Process-Agnostic Lifecycle.” They now have an Assurance WG to “extend” the CMMI to include assurance and leverage existing Security Maturity Capability Models (MSSDM, SSE-CMM). They’re looking to process standards (12207 and 15026 level) and lower level standards (1012 level) to supply guidance. Focus is on IEEE std 1062 (Recommended Process for SW Acquisition). They are doing security tracks at SEI SEPG annual meetings.

Defining the Assurance Case is critical: it contains claims based on arguments, based on evidence.

To participate in DHS WGs or SwA Forums, ask Jarzombek for an invitation. Participation is encouraged.

3.3.3 SEI Liaison [ Chrissis ]

SEI’s funding has continued to grow as they have extended their product line to include architecture and dynamic environments as wells as SWE Process Management. Acquisition support aims to accelerate adoption of improved practices for acquiring & deploying systems. Some of 2007’s R&D projects included Applying Game Theory and Mechanism Design to Address Critical Design Challenges of Ultra-Large-Scale Systems, Improving Architectural Design based on Organizational Dynamics (year two), Modeling Stakeholder Requirements for Integrated Use in Both Process Improvement and Product Development, Performance Challenges of Advanced Embedded System Architectures for Real-Time Systems, A Research Agenda for Service-Oriented Architectures, and

A Software Engineering Approach for Fault Containment.

SEI also formed the IPRC (International process research consortium – www.sei.cmu.edu/iprc). Has 5 corporate sponsors; international team of 27 process experts. Looked at the process/product quality relationship. Published their study, concluding that there are 5 areas needing research: relationships between processes and product quality, process engineering, managing project processes, process deployment and use, emerging trends and technologies.

Meanwhile, global adoption of the CMMI is steadily growing: 75,000 individuals trained; 2500 SCAMPI “A” appraisals reported to SEI; 20K hits on website per day.

They are moving to certification of appraisers now (especially important for high maturity practices) and trainers later. They have a new course “Improving Process Performance Using Six Sigma”. This IPPSS training is their version of 6 Sigma. See http://www.sei.cmu.edu/products/courses/p49b.html

CMM-ACQ originated in SEI-GM effort, but has been generalized for corporate M&As. It stresses the Acquirer/Supplier Team. They must work together towards transparency to be successful, rather than playing a cat & mouse game about what do you have/what do we need/how much will it cost? Must also look at how capable the product team is and how well they are performing. CMMI maturity levels are not sufficient to answer these questions. There was much debate in the model development team about whether Reqs Dev belonged in Level 2 or 3. Note: S2ESC’s IEEE Acquisition Guide will be aligned with the CMM-ACQ.

CMM-SVC (for services) includes broad spectrum of services: admin, R&D, medical, help desk, customer service, etc. Led by Northrop Grumman. Addresses service delivery best practices. (CMM-Dev does not address end-to-end functions.) They examined COBIT, ITIL, ITSCMM, BPM and ISO 20000. Draft model is out, but a lot remains to be decided. The team is primarily Northrop Grumman and is funded solely by NGC. Jarzombek suggested they look at CMU’s ITSM e-sourcing std. Walrad suggested the Baldrige for administrative and other business services.

4 IEEE-SA S2ESC Standards-Related Product Discussion [ Plessel ]

4.1 VuSpec Software Engineering Standards Collection:

4.1.1 Copies have been sent to S2ESC members, whose feedback is solicited. He will collect our inputs (m.plessel@ieee.org), and we will collectively decide whether or not this instrument should be published.

4.1.2 43 SW and Systems Engineering standards

4.1.3 Pdf and html versions of SWEBOK

4.1.4 IEEE SW Developer’s Toolkit: Templates, examples …

4.1.5 600 term electronic glossary (source not known, probably culled from individual stds .

4.1.6 1000 Index keywords

4.1.7 300 tables And figures

4.1.8 1000 time-saving links

4.2 NeuraMetrics Assessment Tool: This company was contracted to develop an online self-assessment tool (NeuraTool) based on the SWEBOK and 43 IEEE S2ESC standards. Translates results into visuals, uses demographics of various types and recommends specific standards for remediation of assessed weaknesses. Plessel suggests an online meeting for a demo of the product. Plessel wants to work with us to come up with agreement about how or if this tool should be made available to the software and systems engineering community. It might not be valuable to existing standards users, but might be a reasonable approach for reaching a new audience.

4.3 Strategic Partnership Pilot: Working to document the process(es) for joint S2ES products and to establish fault-tolerant mechanisms for discussing issues, gathering feedback and working successfully together.

4.4 Standards for Students: Jovanovic had presented at last Winter’s FTF a list of standards that should be included in a specially-priced student’s collection. AR: Walrad to send this to Croll.

5 SEVOCAB Update [ Reilly ]

P24765 (Glossary of SWE Terminology) is a snapshot of the SEVOCAB database, which is available free on-line at http://comrie.computer.org/sev_display/index.action. Work is moving forward smoothly. Note: There currently is no plan for future updates to SEVOCAB. This will need to be addressed in the future.

The day’s meeting adjourned at 5:00 p.m..

Wednesday, February 6 – S2ESC Executive Committee Meeting Re-convened at 9:00 a.m.

6. S2ESC Mission and Vision [ Reilly/Walrad ]

Reilly and Walrad explained that their effort had taken into account the need for a long-range vision to guide its activities. In addition, they sought to echo the IEEE’s new vision statement.

Discussion questioned echoing the IEEE vision as too grand. Some argued for inclusion of the concept of relevance of standards in the vision, although others felt that this concept is included in the mission.

Although some changes were incorporated during the discussion, the vote did not approve the draft. AR: Reilly will circulate the draft for comments and voting (the 30-day policy approval process).

7 S2ESC Procedure/Policy Update [ Schultz/Walrad ]

7.1 Governance Model

7.1.1 [Insert picture here] This is a first attempt to show the relationships between the various sets of documents (policies, procedures, guidelines, etc. that influence S2ESC work. Need to add Procedures and the S2ESC guides for WGs. Need to add Study Group Plans and Planning Group Plans.

7.1.2 Discussion: Should we have a process for Qs and comments re “change requests” for standards? This is currently not a part of the standards dev process. We see the value of it, but are not clear about how we would support it. We should also have a process and tool well –defined/.We can look at what the SEI does, and try to get IEEE to help support this.

7.1.3 Discussion: Should we add a strategy map? [Probably. We will look into it.]

AR: Walrad will distribute an update prior to the next FTF.

7.2 S2ESC Logo policy. AR: We need to develop a policy WRT using S2ESC logo on materials generated by our efforts. The S2ESC Secretary should maintain the current official logo and should use the policy to determine who can and should use the logo on their materials. Cf. IEEE-SA logo policy.

7.3 AR: Schultz/Walrad to draft a policy for offering volunteers the opportunity to be listed on the S2ESC website.

7.4 We need to re-instate the quarterly newsletter to members. AR: Croll to investigate if we can have a Listserv mailing list (for a Software SE Standards Community of Practice) that people could self-subscribe to from our website.

AR: Croll re agenda. In next telecon, discuss tool suggested by Phillips WRT mapping CMMI and IEEE standards. (Previously, the group had investigated the use of Quagmap for this purpose, but it was not freely available and not compatible with MS XP.)

8 Planning the next S2ESC Standards Collection [ Croll ]

8.1 Expectations: See Section 11, below.

8.2 Utility to the Practice: See Section 11, below.

8.3 IEEE Reliability Society standards development overlap with S2ESC: We now have Lew Gullo participating in S2ESC meetings to align our societies’ efforts. AR: Croll will invite him to make a 20-minute presentation about the Reliability Society at one of our upcoming meetings.

9 S2ESC Web Presence [ Henley ]

9.1 Status: All Procedures, MB info, and WG spreadsheets are updated. Will update link to IEEE copyright link. Will update 2008 meeting schedule. AR: Schultz to review Active WG column in his WG files.

9.2 AR: Croll to make sure that presentations about S2ESC standards at SSTC include the logo.

9.3 Henley described areas of IEEE and CS web pages that should link to S2ESC site. AR: Zaman to report back on whether there is a Change Request process for changes to the IEEE and CS websites.

9.4 It would be desirable to have SEI website point to S2ESC. AR: Chrissus asked Croll to specify a page where we request a link.

9.5 Software Assurance process diagram would be a useful webpage that could link to S2ESC. AR: Jarzombek agreed to look into adding this to the buildsecurityin website, and Croll will send him the diagram.

9.6 AR: Henley to add link to SSTC conference (sstc-online.org).

9.7 AR: Moore, Croll and others who often speak publicly should remember to give topic, event and date info to Henley to post on website.

9.8 AR: Henley to check with IEEE and CS on the status of portal tools for discussions.

9.9 AR: Phillips will check if his company’s intern has some free time that could be used to help with our website.

10 Community of Interest/Community of Practice Outreach [ Croll ]

10.1 AR: Walrad/Croll will add info to Wikipedia (and links) about S2ESC and our portfolio of standards. (Cf. explanatory blurb on sharedinsights.) In addition, for S2ESC website, give blurb to Henley about what S2ESC is and does. In addition to an overview of S2ESC, we need a page that lists/shows the collection and their architecture (landscape), and how standards get used in SPI efforts. Get one or more of Moore’s architecture diagram for this.

10.2 Mechanisms

10.2.1 AR: Croll to create new mailing list for an S2ESC Community of Practice mailing list. Who to target? Can we leverage our liaisons?

10.2.2 AR: Croll to draft first newsletter. Be sure to add notice at bottom that enables recipients to unsubscribe (e.g., follow anti-spam best practice).

10.2.3 AR: Schultz/Walrad to add to policies/procedures re use of cs-listserv.ieee.org/request/add-list.html for WG chairs.

10.3 Targets

10.3.1 AR: Walrad to take Spin contact list from http://www.sei.cmu.edu/collaborating/spins/spins.us.active.html and create a spreadsheet for mailing list.

10.3.2 Other possible targets are LinkedIn SPIN, ABI, Systers, and FaceBook.

Wednesday’s meeting adjourned at 5:00 p.m.

Thursday, February 7 – S2ESC Executive Committee Meeting (Cont.)

Reconvened at 9:00 a.m.

11 Strategic Planning – Building from our Mission and Vision [ Croll ]

11.1 Collection Management [Croll/Moore/Schultz/Walrad]: Discussion about the need to consider IT operations as an extension area for the collection, and to consider going up a level, mapping the collection against std. 20000 to do a gap analysis WRT our ability to serve the IT world (corresponding to the airlines Maintenance, Repair and Overhaul function) as well as the S2E world (as reflected in the SWEBOK). It was pointed out that the ITIL library specifically claims *not* to be a standard, so this area lacks standards which could be useful for acquirers of ITSM services. The Collection Planning Group will take this up and report back at the next FTF. Walrad will drive this.

Having now had all the existing IEEE SW standards that are in maintenance mode adopted by ISO, we should concentrate on developing new standards that would help the community of practice. Examples are patch management and release engineering.

There was much discussion of the opportunity to provide benefit to the community by resuming the development of standards that specify the types of information that should be included in various SWE activities – product standards for process areas, such as for the CMM-DEV processes.

11.2 Recruitment and Retention [ Schultz /Duncan ]: We currently have over 2,000 people in the participating community per the website. Many of the items discussed under Outreach (above) will potentially bring us candidates. We might look at recruiting from the GOLD program, as well as

11.3 Liaisons and Partnering [Walrad/Duncan/Croll ]: Professional Communications Society, conferences (e.g., SD East and West), TC56 and OMG are candidates.

11.4 WG Orientation Package [Middleton/Costello ]; Middleton will review

11.5 AR: Chuck – add list of Strategic Planning Groups’ members to these minutes.

1600 12 Next Meeting Date And Venue [ Croll ]

Next FTF (Summer Plenary) will be in Fort Lauderdale, July 29 -31.

AR: Croll/Moore/Walrad to determine presentation about the collection for the WG Chairs..

AR: Schultz/Croll: most useful ways to engage WG Chairs at the Summer FTF, such as presentation about the overall collection and a working session on harmonization requirements.

AR: Croll to make arrangements with the hotel.

12 Action Item Review [ Walrad ]

12.1 Walrad reminded the group that the Action Items log is on sharedinsights and that members should review and update their own actions.

12.2 Much discussion about the non-intuitiveness of the site. Walrad believes that Walz had sent the group instructions for using the site. Will attempt to locate and re-circulate.

The Winter Plenary was adjourned at 11:30 a.m.