ISO/IEC TR 29110-2-2:2016

TECHNICAL ISO/IEC TR
REPORT 29110-2-2
First edition
Systems and software engineering —
Lifecycle profiles for Very Small
Entities (VSEs) —
Part 2-2:
Guide for the development of domain-
specific profiles
Ingénierie des systèmes et du logiciel — Profils de cycle de vie pour
très petits organismes (TPO) —
Partie 2-2: Guide de préparation de profils spécifiques à un domaine
PROOF/ÉPREUVE
Reference number
©
ISO/IEC 2016
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviations. 1
5 Overview of a domain-specific VSE profile . 1
5.1 Preparation of a domain-specific VSE profile . 1
5.2 Implementation of a domain-specific VSE profile . 2
5.3 VSE profile in a supply chain and operational environments . 3
6 Background factors to identify a new domain-specific profile . 4
6.1 User view for process purposes . 4
6.2 Contract and distribution of processes . 4
6.3 Contract and distribution of responsibilities . 5
6.4 Competency of suppliers . 6
6.5 Interface problem and integrating process . 7
6.6 Application domain and business convention . 8
6.7 Other situational factors affecting development of a VSE profile for a specific domain . 8
7 Identifying VSE processes . 8
7.1 Selection approach . 8
7.2 Factors that should be considered in the profile development procedure . 9
7.2.1 System integrity level . . 9
7.2.2 Project size, complexity, novelty, product lifetime, and/or reuse conventions . 9
7.2.3 Adding processes and/or practices . 9
7.2.4 VSE competency . 9
7.2.5 Contractual situation . 9
7.2.6 Effective use of external resources and support tools .10
7.2.7 Other factors .10
7.2.8 Impacts of factor consideration and rationales.10
7.2.9 Expression of rationales .11
7.3 Examples for a profile preparation consideration .11
8 Developing the profile description .11
9 Self-defined profile and self-declaration of conformance .12
Annex A (informative) Example for a profile preparation consideration .13
Annex B (informative) Classification of situational factors on software development .17
Annex C (informative) Tools and services .18
Annex D (informative) Example of a VSE profile definition .20
Bibliography .25
© ISO/IEC 2016 – All rights reserved PROOF/ÉPREUVE iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 7, Software and systems engineering.
The full list of parts of ISO/IEC 29110 is available here.
iv PROOF/ÉPREUVE © ISO/IEC 2016 – All rights reserved

Introduction
Very Small Entities (VSEs) around the world are creating valuable products and services. For the
purpose of this part of ISO/IEC 29110, a Very Small Entity (VSE) is an enterprise, an organization, a
department or a project having up to 25 people. Since many VSEs develop and/or maintain system
and software components used in systems, either as independent products or incorporated in larger
systems, a recognition of VSEs as suppliers of high-quality products is required.
According to the Organization for Economic Cooperation and Development (OECD) SME and
Entrepreneurship Outlook report (2005) “Small and Medium Enterprises (SMEs) constitute the
dominant form of business organization in all countries worldwide, accounting for over 95 % and
up to 99 % of the business population depending on country”. The challenge facing governments
and economies is to provide a business environment that supports the competitiveness of this large
heterogeneous business population and that promotes a vibrant entrepreneurial culture.
From studies and surveys conducted, it is clear that the majority of International Standards do not
address the needs of VSEs. Implementation of and conformance with these standards is difficult, if not
impossible. Consequently VSEs have no, or very limited, ways to be recognized as entities that produce
quality systems/system elements including software in their domain. Therefore, VSEs are excluded
from some economic activities.
It has been found that VSEs find it difficult to relate International Standards to their business needs
and to justify the effort required to apply standards to their business practices. Most VSEs can neither
afford the resources, in terms of number of employees, expertise, budget and time, nor do they see a
net benefit in establishing over-complex systems or software life cycle processes. To address some of
these difficulties, a set of guides has been developed based on a set of VSE characteristics. The guides
are based on subsets of appropriate standards processes, activities, tasks, and outcomes, referred to
as Profiles. The purpose of a profile is to define a subset of International Standards relevant to the
VSEs’ context; for example, processes, activities, tasks, and outcomes of ISO/IEC 12207 for software;
and processes, activities, tasks, and outcomes of ISO/IEC/IEEE 15288 for systems; and information
products (documentation) of ISO/IEC/IEEE 15289 for software and systems.
VSEs can achieve recognition through implementing a profile and by being audited against
ISO/IEC 29110 specifications.
The ISO/IEC 29110 series of International Standards and Technical Reports can be applied at any
phase of system or software development within a life cycle. This series of International Standards
and Technical Reports is intended to be used by VSEs that do not have experience or expertise in
adapting/tailoring ISO/IEC 12207 or ISO/IEC/IEEE 15288 standards to the needs of a specific project.
VSEs that have expertise in adapting/tailoring ISO/IEC 12207 or ISO/IEC/IEEE 15288 are encouraged
to use those standards instead of ISO/IEC 29110.
ISO/IEC 29110 is intended to be used with any lifecycle, such as waterfall, iterative, incremental,
evolutionary, or agile.
The ISO/IEC 29110 series, targeted by audience, has been developed to improve system or software
and/or service quality and process performance. See Table 1.
© ISO/IEC 2016 – All rights reserved PROOF/ÉPREUVE v

Table 1 — ISO/IEC 29110 target audience
ISO/IEC 29110 Title Target audience
ISO/IEC 29110-1 Overview VSEs and their customers, assessors,
standards producers, tool vendors and
methodology vendors.
ISO/IEC 29110-2 Framework for profile Profile producers, tool vendors and
preparation methodology vendors.
Not intended for VSEs.
ISO/IEC 29110-3 Certification and Assessment VSEs and their customers, assessors,
guidance accreditation bodies.
ISO/IEC 29110-4 Profile specifications VSEs, customers, standards producers,
tool vendors and methodology vendors.
ISO/IEC 29110-5 Management, engineering and VSEs and their customers.
service delivery guides
ISO/IEC 29110-6 Management and engineering VSEs and their customers.
guides not tied to a specific
profile
If a new profile is needed, ISO/IEC 29110-4 and ISO/IEC/TR 29110-5 can be developed with minimal
impact to existing documents.
ISO/IEC TR 29110-1 defines the terms common to the set of ISO/IEC 29110 series. It introduces
processes, lifecycle and standardization concepts, the taxonomy (catalogue) of ISO/IEC 29110 profiles
and the ISO/IEC 29110 series. It also introduces the characteristics and needs of a VSE and clarifies the
rationale for specific profiles, documents, standards and guides.
ISO/IEC 29110-2-1 introduces the concepts for systems and software engineering profiles for VSEs.
It establishes the logic behind the definition and application of profiles. For standardized profiles, it
specifies the elements common to all profiles (structure, requirements, conformance, assessment). For
domain-specific profiles (profiles that are not standardized and developed outside of the ISO process),
it provides general guidance adapted from the definition of standardized profiles.
ISO/IEC 29110-3 defines certification schemes, assessment guidelines and compliance requirements
for process capability assessment (ISO/IEC 33xxx), conformity assessments (ISO/IEC 17xxx), and self-
assessments for process improvements. ISO/IEC 29110-3 also contains information that can be useful
to developers of certification and assessment methods and developers of certification and assessment
tools. ISO/IEC 29110-3 is addressed to people who have direct involvement with the assessment
process, e.g. the auditor, certification and accreditation bodies and the sponsor of the audit, who need
guidance on ensuring that the requirements for performing an audit have been met.
ISO/IEC 29110-4-m provides the specification for all profiles in one profile group that are based on
subsets of appropriate standards elements.
ISO/IEC TR 29110-5-m-n provides management, engineering and service delivery guides for the profiles
in a profile group.
The future ISO/IEC TR 29110-6-x provides management and engineering guides not tied to a specific
profile.
This part of ISO/IEC 29110 provides to any domain-specific group the guidance for developing a profile
which is domain-specific to business situation of specific kind of VSEs. It may also be used by technical
advisers including consultants to VSEs on software process problems. It also enhances a conceptual
framework for standardized profile developers using the ISO/IEC 29110 series concept.
Figure 1 describes the International Standards (IS) and Technical Reports (TR) and positions the parts
within the framework of reference. Overview, assessment guide, management and engineering guide
vi PROOF/ÉPREUVE © ISO/IEC 2016 – All rights reserved

are available from ISO as freely available Technical Reports (TR). The Framework document, profile
specifications and certification schemes are published as International Standards (IS).
Figure 1 — ISO/IEC 29110 series
© ISO/IEC 2016 – All rights reserved PROOF/ÉPREUVE vii

TECHNICAL REPORT ISO/IEC TR 29110-2-2:2016(E)
Systems and software engineering — Lifecycle profiles for
Very Small Entities (VSEs) —
Part 2-2:
Guide for the development of domain-specific profiles
1 Scope
This part of ISO/IEC 29110 provides a guide for developing a profile which is domain-specific for VSEs
(Very Small Entities) business situation. It may be used by technical advisers, including consultants,
to help VSEs on software process problems. It also provides a conceptual framework for standardized
profile developers using the ISO/IEC 29110 series concept.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 29110-2-1, Systems and software engineering — Lifecycle profiles for Very Small Entities (VSEs)
—Part 2: Framework and taxonomy
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29110-2-1 apply.
4 Abbreviations
VSE Very Small Entity
QCD Quality, Cost and Delivery
UML Unified Modelling Language
5 Overview of a domain-specific VSE profile
5.1 Preparation of a domain-specific VSE profile
The purpose of a domain-specific VSE profile is to define a subset of processes and product requirements
for systems or software engineering. International Standards, such as ISO/IEC/IEEE 15288,
ISO/IEC 12207, ISO/IEC/IEEE 15289 and others provide the base information for the development of
the profile.
The preparation of a domain-specific VSE profile includes the following steps.
a) Determine VSE characteristics related to: finance, resources, internal business processes, target
application domain characteristics and position in the supply chain.
b) Identify VSE needs, suggested knowledge and competencies derived from business and/or social
practices and/or conventions and various regulation requirements.
© ISO/IEC 2016 – All rights reserved PROOF/ÉPREUVE 1

c) Specify domain-specific VSE profile elements required to respond to the VSE’s needs and suggested
competencies according to ISO/IEC 29110-2-1.
d) Select and link to the subset of specific VSE profile elements that map to the ISO/IEC/IEEE 15288,
ISO/IEC 12207 processes or other appropriate domain specific process standard and to the subset
of specific VSE product elements that map to the ISO/IEC/IEEE 15289 product elements or other
appropriate domain specific work product standard.
e) Identify and specify other process and product elements.
f) Define a domain-specific VSE profile and/or its Management and Engineering Guide.
Figure 2 illustrates the steps to prepare a domain-specific VSE profile.
Business/Social Practices/ Various
VSE Characteristics
a)
Conventions Regulations
derives derives
derives
Base Standard ISO/IEC
b) VSE Needs and Competencies /IEEE 12207/15288
Elements
responds
included
d)
based on
Base Standard
ISO/IEC 29110 -2
Speciic VSE
included
ISO/IEC/IEEE 15289
c)
VSE proile framework
proile and a guide
and taxonomy
Elements
f)
included
included
Necessary additional
Other Base Standards including
e)
processes
existing VSE Proile
Elements
Key
rectangles VSE situational elements
ellipses standards or subsets of their elements
solid arrow labeled relationships
circles with dashed arrows reference to preparation steps
Figure 2 — Domain-specific VSE Profile preparation
A profile can be built not only from standards but also from a standardized profile. For example,
a domain-specific profile could be built using the ISO/IEC 29110 Basic Profile and adding necessary
processes following procedures introduced in Clause 7 and Clause 8.
A domain-specific profile may be defined by an organization other than a de-jure standardization
organization. In such a case, the domain-specific profile is not a standardized profile in accordance
with the ISO/IEC TR 10000-1 definition and the ISO/IEC 29110-2-1 definition.
5.2 Implementation of a domain-specific VSE profile
To implement a domain-specific VSE profile, a typical contract or agreement should be identified. This
may be based on the customer and/or market requirements and/or regulations, supplemented by the
business practices and/or conventions. Business practices and/or conventions are sometimes used to
avoid the detailed requirement, but such an assumption should be clarified.
2 PROOF/ÉPREUVE © ISO/IEC 2016 – All rights reserved

A VSE system or software development project follows the domain-specific VSE profile to fulfil the
statement of work and to generate the products. A VSE can perform other activities to support the
project, as required.
Figure 3 illustrates the context of the implementation rationale for a domain-specific VSE profile.
Business Practices/ Customer/Social Requirements/
Conventions Regulations
supplemented by based on
Contract/Agreement with
Statement of Work
Customer
depends on
Collaboration and user
processes
and
communication
follows
Domain-speciic
VSE software
proile development project
supports
generates
Products VSE activities
Figure 3 — Context of the implementation rationale for a domain-specific VSE profile
The notation of Figure 3 is similar to the notation of Figure 2.
5.3 VSE profile in a supply chain and operational environments
A software and/or system supplied to users are sometimes an output from a supply chain, i.e. a series
of suppliers contributing to final products. The software and software intensive IT system is valuable
while used and their criticality or integrity levels are defined based on the environment and context in
which they are used. Stakeholders in a software and/or system supply chain should share necessary
processes and/or practices to support software and/or system criticality or integrity levels. The VSE
roles and responsibilities depend on their backgrounds.
A software and software intensive IT system sometimes has a wide range of influence on users,
consumers and the public while in use. The consumer and public viewpoint should be considered when
risks are analysed for software/system use. This consideration should also cover any environmental
change impact of the systems usage.
Figure 4 shows the relationship between risk/integrity recognition and a domain-specific VSE profile.
© ISO/IEC 2016 – All rights reserved PROOF/ÉPREUVE 3

User Requirements and
System Characteristic or
Business Processes
ISO/IEC 15026
Risk and Integrity Necessary Processes/
Recognition Outcomes
ISO/IEC 16085
ISO 31000
Social Requirements Distribution of work,
processes and
responsibilities
Contract/Agreements
VSE pro‡ile (process
capability)
Figure 4 — Risk and/or integrity recognition for a domain-specific VSE profile
6 Background factors to identify a new domain-specific profile
6.1 User view for process purposes
A software or a system is expected to be dependable throughout its whole lifecycle by customers, end-
user, and society. The user expects that the developer’s lifecycle processes are complete and accurate
for delivery of a dependable software/system.
Quality aspects of industrial processes are characterized to include quality, cost, and delivery (QCD). In
addition, safety, security, and usability requirements are emphasized as important factors along with
system functionality and benefits. Sometimes one software program and/or system is connected with
another software program and/or system on a network. Some software program works with hardware
components, such as control devices, so, in many situations, fully inter-operable and dependable
software is required.
Operational mistakes often result from insufficient usability and integrity of software and IT systems.
Systems and software used in an organization should support business continuity and sustainability of
the organization. Based on this, system and/or software developed by VSEs should have the appropriate
dependable quality characteristics from the user’s point of view.
In addition, industrial software and/or system development should provide a dependable product
with a reasonable cost and delivery schedule. That means integrity recognition is needed for a profile
development.
A VSE should fulfil such expectations through its organizational activities and system and/or software
processes. A domain-specific VSE profile should be developed to meet such expectations.
6.2 Contract and distribution of processes
A VSE usually works under an agreement or a contract with the acquirer. The contract should define a
statement of work (SOW) for the VSE. The SOW should show explicitly, or implicitly in an appropriate
case, the processes that the VSE should perform for that contract to fulfil and processes performed by
the acquirer. From the user point of view, every necessary process should be distributed between the
4 PROOF/ÉPREUVE © ISO/IEC 2016 – All rights reserved

acquirer, supplier, or other stakeholders in a consistent set of documents. To support this, it may be
useful to read ISO/IEC 12207:2008, 6.1.1.3.1, 6.1.1.3.4 and 6.1.2.3.4 on acquisition process/practices.
6.1.1.3.1 Acquisition preparation. This activity consists of the following tasks:

6.1.1.3.1.11 The acquirer should determine which processes of this International Standard are ap-
propriate for the acquisition and specify any acquirer requirements for tailoring those processes. The
acquirer should specify if any of the processes are to be performed by parties other than the supplier,
so that suppliers may, in their proposals, define their approach to supporting the work of other par-
ties. The acquirer shall define the scope of those tasks that reference the contract.

6.1.1.3.1.12 The acquisition documentation shall also define the contract milestones at which the sup-
plier’s progress shall be reviewed and audited as part of monitoring the acquisition (see 7.2.6 and 7.2.7).

6.1.1.3.4 Contract agreement. This activity consists of the following tasks:

6.1.1.3.4.1 The acquirer may involve other parties, including potential suppliers or any necessary
third parties (such as regulators), before contract award, in determining the acquirer’s requirements
for tailoring of this International Standard for the project. In making this determination, the acquirer
shall consider the effect of the tailoring requirements upon the supplier’s organisationally-adopted
processes. The acquirer shall include or reference the tailoring requirements in the contract.
[ISO/IEC 12207:2008]
6.1.2.3.4 Contract execution. This activity consists of the following tasks:

6.1.2.3.4.1 The supplier shall conduct a review of the acquisition requirements to define the frame-
work for managing and assuring the project and for assuring the quality of the deliverable software
product or service.
6.1.2.3.4.2 If not stipulated in the contract, the supplier shall define or select a life cycle model appro-
priate to the scope, magnitude, and complexity of the project. The life cycle model shall be comprised
of stages and the purpose and outcomes of each stage. The processes, activities, and tasks of this
International Standard shall be selected and mapped onto the life cycle model.

NOTE Ideally, this is performed by using an organisationally-defined life cycle model.
[ISO/IEC 12207:2008]
In a software/system supply chain, a VSE may have a contract with a system integrator. The system
integrator has software or system lifecycle processes for their own activities and may also have
acquisition-related processes for collaboration with the VSE. System or software users also have
acquisition-related processes along with requirement-related processes and operation-related
processes. They may distribute and share these software processes with the VSE. Users are sometimes
not familiar with systems/software technology and system and/or software processes. In this case, a
VSE or consultant can provide proposals to the users addressing the use of the processes.
6.3 Contract and distribution of responsibilities
The distribution and/or sharing of process with related parties can be sometimes described in a
contract as parts of the responsibility statement.
The contract should define the agreements, including
a) responsibility to perform the identified and necessary processes,
© ISO/IEC 2016 – All rights reserved PROOF/ÉPREUVE 5

b) objects and methods for collaboration and communication,
c) deliverables and their release timing,
d) responsibility of acceptance tests and maintenance,
e) overall assurance and/or warranty, including
1) related to verification and validation, and
2) related to responsibility for Product-Liability assurance,
f) control of information, including
1) confidential information, including disclosure agreement establishment
2) personal information,
3) security management concerning deliverable software,
4) due care of overall project information, and
g) control of intellectual rights, including
1) property right, copyright, patent right, reuse right, and backup right,
2) intellectual rights responsibility on third party software usage, and
3) intellectual rights responsibility on free or open source software usage.
NOTE Reuse rights significantly affect VSE’s processes, since effective processes may include many aspects
of reuse strategy for analysis, design, code, test and others.
6.4 Competency of suppliers
A VSE may be competent in some application and engineering process relating to some domains.
Such competencies may contribute to an enhanced process capability for, for example, requirement
engineering. The specific application domain may have some specific business convention that
the VSE’s competency supports. The competency may relate to a specific domain engineering or a
specific system/software technology. All VSEs have different characteristics. Some VSEs specialize
in a specific technical skills where they provide specific skills to end-users or other stakeholders.
Their system/software process may be centralized to specific processes, thus other processes should
be provided by other stakeholders. For example, IV and V (independent verification and validation)
suppliers provide verification and validation processes, and audit suppliers provide audit processes.
Test processes may be provided by a security test provider, usability test provider, and other test
service providers.
Members of a large system integration team may include VSEs. Networking and network security
components may be provided by a network integrator VSE. A Cloud service provider VSE may provide
the development environments and configuration management services. Some other services may be
provided by consultants, multi-vendor system coordinators, or a system integrator VSE.
A VSE’s competency is influenced by cultural factors an
...