TickITplus aims to improve the quality of software for business and industry internationally
Ai interviews - Peter Lawrence, director of global quality excellence at CSC and chair of BSI’s Joint TickITplus Industry Steering Committee (JTISC)
There has been a growing movement by IT governance and compliance experts to push organizations around the globe to upgrade to the new, accredited TickITplus IT certification scheme or risk losing valuable business. TickITplus aims to improve the quality of software for business and industry internationally, covering sectors as diverse as finance, construction and transportation. The goal is to help software suppliers, including in-house developers and IT service and system providers, define and implement a quality system that covers all the essential business processes in the product lifecycle, within the framework of the quality management systems standard ISO 9001.
Peter Lawrence, director of global quality excellence at CSC and chair of BSI’s Joint TickITplus Industry Steering Committee (JTISC), says: “Building on the established TickIT scheme, TickITplus is now the recognized software and IT quality assurance benchmark for UK businesses. Any company without TickITplus risks being overlooked for valuable contracts by potential customers, who will seek the assurances of quality control TickITplus certification provides.”
Lawrence continues: “Launched in 1990, the original TickIT no longer meets the rapidly evolving requirements of 21st-century IT. Technology and working practices have changed. TickITplus, however, represents a solid long-term investment because, unlike TickIT, the new scheme is flexible enough to evolve at the same pace as business, industrial, IT and software communities across the globe.”
“Furthermore,” says Lawrence, “TickITplus provides better criteria for customers selecting a supplier than TickIT, by assessing each supplier’s unique capabilities. This assessment therefore presents a perfect opportunity for suppliers to outperform their competitors and become the supplier of choice.”
Lawrence says: “In quality assurance, complacency is not an option. If a company fails to ensure product quality, and that product fails, the consequences could be disastrous, ranging from reputational damage through to legal action by the customer. TickITplus is therefore particularly important for any organization developing software to sell to third parties.”
TickITplus, which is accredited by the UK Accreditation Service (UKAS), represents a far more cost-effective option than alternative quality assurance schemes. Lawrence explains: “TickITplus certification costs, on average, less than 20% of the six-figure cost of complying with the requirements of alternative international schemes. TickITplus is therefore particularly appealing not only to large organizations on an international basis, but also to small and medium-sized enterprises, which rightly take quality very seriously but are operating with limited budgets.”
The Joint TickITplus Industry Steering Committee, or JTISC, refers to the committee of technical experts that has written, and continues to maintain, TickITplus scheme documentation. Managed by the British Standards Institution (BSI), its membership includes a wide range of stakeholders from across the ICT and quality sectors, all of whom are committed to developing robust solutions that both meet and adapt to the needs of end-users. The JTISC includes representatives from the UK Accreditation Service, three certification bodies (BSI, DNV, LRQA), organizations offering TickITplus training, industry associations (Intellect, BCS – the Chartered Institute for IT), academics and Logica, an early scheme adopter (now certified).
TickIT was developed in the early 1990s to fill the urgently perceived gap in providing software-trained assessors/auditors and the infrastructure needed to certify software development organizations to ISO 9001. Over the intervening period there have been a number of updates to the guidance material, but the scheme, its purpose and operation have remained the same. Organizations have now come to rely much more on technology and consequently they and their managers and IT professionals demand more of the processes and infrastructure that support it.
So how is TickITplus different from TickIT? In short, TickITplus adds a Capability Dimension to the existing TickIT scheme. There is considerable flexibility in the way that this additional dimension can be added. This flexibility allows a business to select the level of capability to be attained and assessed; flexibility to include additional IT related standards; and flexibility to operate either within or outside the certification environment. The Capability Dimension is based on ISO/IEC 15504, an IT process assessment standard (to which Capability Maturity Model Integration, or CMMI, is referenced). TickITplus will be graded into five levels, four of them dealing with capability: Foundation, requiring a process model definition only, and Bronze, Silver, Gold and Platinum, equating to levels 2 to 5 of the ISO/IEC 15504 model. With only minor changes for compatibility, Foundation is equivalent to current TickIT certification.
TickIT is accredited both by UKAS in the UK and SWEDAC in Sweden; BSI undertakes certification audits. For companies, TickITplus helps by encouraging and promoting continuous improvements. In addition, it supports process development to meet business needs and embeds good process practices. For customers, it helps to choose the best suppliers and offers a clear indication of a supplier’s capability and organizational maturity as well as allowing for better risk management of suppliers.
Automotive Industries spoke to David Wynn, director of Omniprove and committee member of BSI’s Joint TickITplus Industry Steering Committee (JTISC), and author of a number of key TickITplus scheme documents.
AI: What are some of the benefits of opting for TickITplus certification for companies?
There are three key goals for the TickITplus scheme. First, it has been developed predominantly to drive business improvements through better, more capable processes. Secondly, it helps customers, which also include organizations adopting TickITplus, to gain a much better understanding of supplier capabilities and risks during the supplier selection. Thirdly, it aims to provide a better degree of consistency across Certification Bodies conducting assessments of an organization’s capability.
The TickITplus scheme includes a comprehensive set of IT and IT-related processes. These provide a clear indication of the practices that should be undertaken, along with sample work products, in order to achieve defined process outcomes. These defined outcomes provide organizations with clear indications of when processes are working effectively; they therefore provide the motivation for driving improvement if the outcomes are not being observed in the organization.
The TickITplus scheme also aims to harmonize processes across multiple internationally-recognized standards, such as ISO 9001 (the quality management standard), ISO/IEC 20000-1 (the service management standard) and ISO/IEC 27001 (the information security standard). Through the mappings provided by the processes, organizations are encouraged to implement processes once in a unified manner, to cover multiple standards, and therefore achieve an “implement once and tick many” approach. This also provides for easier and more effective third party assessments to be conducted. In addition, by allowing organizational staff, given strict rules, to participate actively during the assessment, it encourages greater accuracy of results and better management buy-in for improvement actions.
While it still gives assessors a good degree of freedom to interpret and understand organizational processes, the assessment approach has been improved to provide additional assessment rules, in order to ensure greater consistency across assessment teams.
The scheme also includes the concept of process capability levels, whereby processes are developed and improved through successive levels of process maturity, using well defined criteria for each level. At the lower levels, known as the Bronze and Silver levels, organizational processes are implemented, deployed and standardized across the organizations. At the higher levels, known as Gold and Platinum, processes are monitored and improved using statistical techniques. In essence, at the lower levels, organizations can clearly see how processes have performed, whereas, at the higher levels, organizations see how processes are likely to perform in the future; given this ability, early corrective action and improvement can be taken if necessary.
AI: Tell us a little about the older TickIT scheme and how it differs from the current TickITplus certification.
The old TickIT scheme has been around for over 20 years. While it has provided significant advantages and benefits over the years, it struggled to keep up-to-date with changes in process development, improvement and assessment techniques. The original TickIT scheme was mainly designed to support traditional software engineering activities. However, as the IT sector expands, we are increasingly seeing these become far less significant or critical to business. In many cases, bottom-up coding has been replaced by customization and configuration of standard products, for example by using SAP or modern visual development systems. There is significantly increased use of advanced development tools, where coding standards are automatically enforced, and configuration control systems take the effort out of versioning, baselining and releasing software systems. The integration of software and hardware is now seen in many more everyday situations. In addition, the relationship between software engineering, hardware engineering and systems engineering is paramount in bringing state-of-the-art products to market in ever decreasing timescales. Just look at the mobile phone market by way of an illustration.
The IT sector has also widened significantly. As ever greater numbers of organizations use customizable commercial off-the-shelf (COTS) products, and as IT systems become ever more prevalent in our everyday lives, increased emphasis is being placed on service management. If you think about it, it is possible to book a hotel room, travel to a location, check in at hotels and airports and return home without actually interacting with another person. On-line web-based booking is now commonplace. Driverless trains, such as those used on the Docklands Light Railway (DLR), in London, are becoming more common, and automatic airline, and even hotel, check-in kiosks are increasingly being used.
With all this on-line technology and given the dependency on information being transferred from one system to another, the vulnerabilities that are presented in information security are constantly increasing and the controls that are necessary must continually be upgraded and improved.
Reliance on all these systems is huge. Over the last few years, much greater emphasis is being placed on business continuity and disaster recovery. However, the most important aspect of all these issues is that they do not exist in isolation. The systems have to be developed, implemented and used with all their components working effectively together.
The old TickIT scheme struggled to accommodate all these aspects in a single integrated manner. Many may not remember that the old TickIT scheme only ever provided guidance for organizations. During the early development of TickITplus, we received feedback that organizations actually welcome clear requirements on what should be implemented to achieve improved processes. That said, the scheme only provides an indication of what should be done. It is still for organizations themselves to implement how this is achieved in practice - thereby continuing to give organizations the opportunity to implement the processes that work best for them.
AI: Has TickITplus completely replaced the earlier scheme?
Almost. The current TickIT scheme runs until December 2014, when it will be fully replaced by the new TickITplus scheme. The current overlap allows existing TickIT-registered organizations to transition across to the new TickITplus scheme. An interim transitional assessment approach is available for existing TickIT-registered organizations, which provides a very cost-effective method of moving to the new scheme. Given that organizations are already compliant with TickIT, the transitional assessment uses a reduced sampling and coverage approach. However, this is only available during routine surveillance visits - and not during an initial or certification renewal assessment, when accreditation requirements demand that a full assessment is undertaken. Organizations which transition across to the new scheme enter at Foundation level; they then progress up through the capability levels at a speed relevant to their needs.
Once the December 2014 deadline has been passed, organizations that have not transitioned across to the TickITplus scheme will either lose registration or revert to a “vanilla” ISO 9001 certification. From that point on, all organizations that wish to demonstrate process capability using the TickITplus scheme would need to undertake a full TickITplus assessment.
AI: What are some of the benefits of TickITplus certification for automotive OEMs, suppliers, designers etc?
As above, the interaction between software, hardware and systems is becoming increasingly significant in today’s world - no more so than in the automotive sector. Most modern cars have tens, if not hundreds, of software-driven systems on board, from engine management systems, to safety systems, such as braking, steering, and emergency systems, not to mention entertainment, environmental and navigational systems. Some of the more recent car designs have self-driving, accident prevention and self-awareness systems, which provide much greater information and even control over the driving experience. Again, none of these systems work in isolation. The interfacing between them is huge and the data channels are complex. Point-to-point wiring would be impossible to use; effective and reliable data networking between these systems is, therefore, paramount. Additionally, with such a significant increase in data and data processing, and with the potential for cars to communicate with remote systems, security is becoming much more important to the design and operation of these systems.
Such advanced technology places huge demands on business performance in terms of bringing new technology to market in a safe and reliable manner - and also in terms of controlling the costs of doing so. Developing such systems cost-effectively and safely cannot be done without clear, well-defined and implemented development processes. This is something that TickITplus has been designed to address.
TickITplus currently incorporates mappings to ISO 9001 and ISO/IEC 20000-1, with ISO 27001 being planned for later in 2012 or early 2013. This will provide the first full baseline of the TickITplus Base Process Library. However, the aim is to continue to enhance the library to include mappings and, therefore, coverage for other common or popular standards, such as ISO 22301 (the business continuity standard). Some discussion has already taken place on the incorporation of safety-related standards and, in particular, ISO 61508 and its automotive derivative - ISO 26262. The aim here will be to enhance the processes in the Base Process Library to provide coverage for the requirements included in these standards, and thus provide organizations working in the automotive sector with process definitions that are harmonized across common quality, safety, and security requirements.
AI: How do you hope to spread the awareness of the TickITplus scheme beyond Britain and Sweden?
It’s not going to be easy, but this is certainly one of the goals of the TickITplus scheme. While, as you suggest, TickIT was adopted by the UK and Sweden, it was also used and assessed throughout the world. There are many TickIT-registered organizations in many countries - on all continents, bar Antarctica.
So, what are we doing about it? First, our aim is to ensure that TickITplus is seen as a valuable and effective business improvement tool for organizations, and that these organizations themselves spread the word through supplier-selection mechanisms. The scheme includes aspects that contribute to the supplier selection process, and it is anticipated that this will drive organizations to seek suppliers to demonstrate the adoption of the TickITplus principles. In turn, these suppliers will find benefits from TickITplus and cascade the selection criteria to their suppliers. Given the international operation of global organizations involving suppliers from many parts of the world, the visibility and acceptance of TickITplus as a beneficial business tool, not just a certification scheme, should evolve steadily over time.
Additionally, the scheme has engaged with the Global Association for Software Quality (GASQ) to provide regulation and registration for TickITplus assessors and practitioners, provision of training courses, and the administration of independent examinations. Based in Germany, GASQ already enjoys a significant position in the automotive sector, not only in that country, but also across many parts of the globe. GASQ is actively involved in the TickITplus scheme, viewing it as a significant step forward in providing the requisite catalyst for organizations to continually improve the effectiveness and efficiency of processes.
As an example of some international coverage, TickITplus scheme members recently conducted a workshop in Finland, followed by another in Sweden, both of which were warmly received.
AI: What has the reaction been to the certification program from countries outside Europe – and how has it been received in developing economies?
It is still early days for the TickITplus scheme. So far, much of the activity has been with existing TickIT organizations in the UK and Sweden. However, there has also been considerable interest from India, where TickITplus training has been provided. Web-based statistics also indicate clear interest from around the globe.
AI: Tell us a little about the advantages of TickITplus, compared to other certification programs.
Essentially, the TickITplus committee is not trying to compete with other certification programs or schemes, as they all have specific benefits. In many ways, TickITplus tries to bring together the advantages of all these other schemes for the benefit of their users. TickITplus has adopted the capability-level criteria and assessment approach from ISO 15504, which is a very well established and respected international standard. It pulls in three of the most popular and relevant ISO standards - namely, 9001, 20000-1 and 27001. While it maps to these standards, it does not replace them. Organizations still need to understand and use these standards in developing the processes required by TickITplus. TickITplus defines the processes based on the good practices and requirements from these standards.
There are other similar schemes to TickITplus, notably the SEI CMMI model and Automotive SPICE. These are well established, and are probably considered to be ‘blue-chip’ methods for their respective fields. TickITplus was not designed to compete with them. What it has been designed to do, however, is to help organizations currently using ISO standards to move toward the goals and principles offered by these schemes in a cost-effective manner. The chief aim of TickITplus is to ‘mature’ the certification approach towards the approach taken by such ‘blue-chip’ schemes, while ensuring that the costs are not as significant as is often noted. We would hope that, by adopting TickITplus, organizations will not only enjoy the benefits I’ve talked about, but will also be able to move towards these schemes should a business need arise in future.