TickIT: Providing Confidence in ISO9001 Certification
European Software Institute
Parque Tecnologico de Zamudio
In July 1990 the UK Department of Trade launched the TickIT initiative, which provides an accredited certification scheme for quality management systems specially designed for the needs of the software industry. TickIT is a means of providing confidence in ISO9001 certification. This paper traces the events that led up to the initiative, outlines the features of the scheme which provide that confidence, discusses some of the outstanding issues concerning TickIT and looks forward to the proposed international arrangement for IT quality system certification.
TickIT is a quality initiative aimed at software and the IT industry. It was originated by UK industry and sponsored by the UK Department of Trade and Industry (DTI). It is now administered by DISC, that part of the British Standards Institution (BSI) responsible for standards relevant to Information Systems.
At the heart of the initiative is an accredited certification scheme for Quality Management Systems (QMS) specially designed to meet the needs of the software industry. TickIT certification is available to suppliers of software-based systems and to in-house developers who meet the requirements of the international standard ISO9001 and its European equivalent EN29001.
Certification is conducted by independent third party certification bodies using technically qualified TickIT auditors who have undergone specialist training and who are subject to rigorous professional vetting. To ensure the certification bodies are fully competent they are accredited by the National Accreditation Council for Certification Bodies (NACCB) on behalf of the Secretary of State for Trade and Industry.
2. The TickIT Initiative
In 1979, the BSI published its BS5750 series of generic quality system standards deriving their content from existing military standards. In 1987, the International Standards Organisation (ISO) published its ISO9000 series of standards for quality systems and quality assurance which were re-adopted by the BSI as BS5750:1987.
[Note: The ISO9000 series of standards underwent a further revision in 1994. The International, European and British standards now have a similar numbering, BS5750 having been dropped. ISO9001, EN29001 and BS EN ISO9001 are all identical.]
These were not the only quality standards around. NATO for instance had developed AQAP-1 and in 1984 published AQAP-13 to supplement and support the requirements of AQAP-1 to the design and development of software. The nuclear power industry also had its own quality assurance standard BS5882.
In order to establish the relevance of all these standards to the production of software, the UK DTI in 1987 commissioned two complementary studies:
The studies undertook extensive research into the respective subjects and included a broad consultative process with users, suppliers, in-house developers and purchasers. The reports, whilst evaluating different problems, arrived at similar conclusions and made a number of recommendations to the DTI which included:
These principal recommendations were accepted by the DTI and culminated in the launch of TickIT in July 1990. TickIT advocated a fresh approach to software QMS certification with the IT professionals, professional bodies and the main players coming together to underpin its success and credibility.
For many the TickIT certification is considered a higher grade of certificate than previously seen, since those within the scheme have to conform to uniform accreditation arrangements beyond those required for normal accreditation and certification.
Underpinning TickIT is an overall infrastructure consisting of three main elements:
3. TickIT Uniform Accreditation Criteria
In accrediting certification bodies to provide TickIT certification a number of topics have been embodied into uniform accreditation arrangements to ensure a common approach is applied. These arrangements provide confidence to both purchasers and users and meet the wider expectations of the software community. The TickIT uniform accreditation arrangements include:
The use of the TickIT logo implies accreditation. The name and logo are protected and can only be used to indicate accredited certification.
Certification under TickIT arrangements follows a three-year cycle comprising initial assessment and surveillance visits followed by re-assessment and re-certification every three years. This was deemed to be necessary due to the changing nature of the industry.
As part of the surveillance visits the certification body must at least annually carry out a complete evaluation of the applicant's management review activities, which are a key activity in the operation of any quality management system.
Under the arrangement each certification body must give mutual recognition to any TickIT certification held.
All certification bodies offering TickIT certification must use the TickIT guide as their reference document, excepting those requirements that relate directly to the standard itself.
Auditors carrying out TickIT certification and surveillance must meet the auditor performance standards set out in the TickIT guide.
There are currently seven accredited TickIT certification bodies:
In the UK, certified companies are listed in the DTI Register of Assessed Companies. The DISC TickIT office also maintains a list of TickIT certificated companies. Certification bodies maintain and publish their own lists.
It is important to note that certifications are carried out against scopes which may vary considerably. It is always important therefore for a potential purchaser to look closely at the defined scope of certification.
The general scope of the TickIT scheme includes:
but does not include:
4. The TickIT Guide
The TickIT Guide to Software Quality Management System Construction and Certification using EN29001 was produced by IT professionals. It is a comprehensive document which includes the authoritative international standardisation guide ISO9000-3 Guidelines for the Application of ISO9001 to the Development, Supply and Maintenance of Software which explains what ISO9001 means in the context of information systems supply.
In producing the guide, use of existing guidance material was made where possible, editing and updating it for TickIT purposes. There are therefore many sources from which the original material was taken.
The TickIT Guide comprises five sections covering:
Each section is structured in a different way to make it easy for appropriate guidance to be made available to all the parties involved in quality management work.
One of the Appendices of the Guide covers the professional attributes/performance standards for software quality management auditors which were developed to be aligned to the British Computer Society's (BCS) Industry Structured Model (ISM), which defines a set of personal performance standards designed to cover the skills of all staff within the broad spectrum of information technology.
The current TickIT Guide (version 2) has been under revision for some time to incorporate changes necessary to align with the new revision of ISO9001 in 1994 and to encapsulate auditor experience. It is due to be published in the 4th quarter of 1995.
5. TickIT Auditor Registration and Training
The TickIT scheme has emphasized the confidence placed in the qualification of software auditors and the strict rules it applies during the interview process which is required for auditors wishing to register as TickIT auditors.
The auditor performance standards defined in the TickIT Guide are used to screen applicants wishing to practise and register as software quality auditors. TickIT auditor registration is recorded in the International Register of Certified Auditors (IRCA), which is administered and maintained by the Institute of Quality Assurance (IQA) in the UK. A joint panel of IQA and BCS scrutinizes applications and carries out the interview process.
There are three levels of software auditor defined:
All applicants for TickIT auditor registration must be experienced computer professionals. This experience must include appropriate training in informatics, software systems development and formal training in audit procedures.
Specifically, auditors must have attended a 5 day TickIT auditors course and have passed the examination set. Training courses must meet the syllabus defined by the registration authority, and training organizations must themselves be accredited to provide training according to defined procedures.
Before registration all candidates are required to confirm formally their willingness to observe and be bound by a strict code of conduct.
6. TickIT Products
TickIT is more than a certification scheme; it is an overall initiative with supporting products and marketing aimed at stimulating developers to think about what quality is and how it may be achieved. TickIT and quality management systems are promoted in the context of Total Quality Management (TQM).
The overall initiative is supported by the DISC TickIT Office from where all products can be purchased and further information sought.
TickIT products consist of:
The contact address of the TickIT Office is:
DISC TickIT Office
389 Chiswick High Road
London W4 4AL
Telephone +44 171 602 8536
Facsimile +44 171 602 8912
7. TickIT to Success
TickIT has been voted a resounding success by the UK software industry as reported by a survey of the Computing Software and Services Association (CSSA) in February 1994 which listed the benefits gained as follows in order of importance:
Improvements have all been made without any significant increase in the cost of certification. Now that organizations are reaching their three year re-assessment period, companies are starting to ask the question 'what about life after TickIT?'. These organizations are starting to take a great interest in process assessment through the SPICE project as a means to continually improve their processes matched to their business needs.
8. TickIT Issues
While TickIT has been a success in the UK, it has faced some problems which are now being addressed both by the TickIT scheme locally and in a wider context through the international community in the developing international arrangement for IT quality system certification. These problems have included:
Accreditation of TickIT certification bodies is carried out by NACCB, which until very recently was only able to accredit UK based certification bodies. This created a situation where foreign certification bodies, whilst having all the necessary credentials, could not be TickIT accredited. This was seen as a barrier to free trade.
The TickIT logo was designed with EN29001 as the reference standard due to political reasons as the European Community had at the time a project underway called ITQS which is an agreement group of certification bodies in Europe. TickIT wanted to be seen as harmonious with its European counterparts. The logo has now changed to reference ISO9001.
There has been confusion in the market place over the use of a separate logo for the IT sector. If this were to spread to other sectors, certificates might have as many as ten logos.
Until late 1994 there had been a lack of accountability of the TickIT scheme. This has now been addressed and an infrastructure is now in place to manage all parts of the scheme.
The TickIT guidance was produced mainly for the software development community. It has lacked guidance on such issues as system integration, software product support and facilities management. The TickIT guide is currently under revision and a new version will be published later this year.
The lack of access to the scheme by foreign certification bodies and auditors has meant that the scheme has been seen as a UK scheme and not a world-wide scheme. Nevertheless it has been adopted in principle and modeled in several other countries. In Europe, however, there has always been conflict, although friendly cooperation, between TickIT and ITQS. This has resulted in moves towards the internationalization of a software sector quality system certification scheme.
9. International Arrangement for IT Quality System Certification
As goods and services are purchased in global markets there is a clear need to recognize the credentials of both certificated organizations and certification bodies across national boundaries. The success of the TickIT scheme and the influence of ITQS in the main, together with support from the United States through the ASQC Software Division, has led to a proposal for an International Arrangement for IT Quality System Certification (Arrangement).
It is proposed that such an Arrangement be driven by the demands of its customers and users. The first international forum will be held in The Hague in September 1995 to progress such an Arrangement.
The essential features of an international Arrangement are perceived to include:
Whether such an Arrangement can deliver these features within an international context remains to be seen. Within this context, the European Software Institute (ESI), with international support, aims to move forward to develop the criteria for software auditor qualification and a common training syllabus for auditor training to ensure that the industry can have confidence in the professional knowledge, training and experience of auditors.
TickIT as a UK initiative has had tremendous success in promoting the benefits of quality management certification to UK companies and in providing confidence in the ISO9001 certification process as applied to the software industry.
The interest in TickIT has spread to all four corners of the world. There are now over 800 TickIT certificated companies (approximately 20% of these outside the UK) with over 30,000 TickIT Guides distributed to 20,000 contacts in 50 countries.
TickIT, however, has not been without problems, which have mainly arisen out of its visibility and success. One of the outstanding problems is raising and gaining acceptance of the principles of TickIT within an international context. This is being achieved through the proposed International Arrangement for IT Quality System Certification.
I.S.C.N. International Software Consulting Network
Tel: +353 1 286 1583, Fax: +353 1 286 5078