This section looks at the requirements from the viewpoint of companies developing software. The ISO 9001 standard was intended for the manufacturing industry. The requirements are interpreted for software development in accordance with ISO 9000-3 and TickIT.
There are 20 main elements. Each concept is well known in the quality management community.
1. Management Responsibility
1.1 Quality policy
The standard requires supplier management to issue a quality policy stating that the company shall produce quality products.
The quality policy shall:
– Define the management’s commitment to quality
– Define the company’s objectives regarding quality, that is, what management means by quality
– Be relevant to the customer’s needs
– Be understood in the organization
– Be implemented
– Statement too vague or policy is not understood by staff
– Quality policy is not implemented.
Example of a quality policy:
“We achieve quality through motivated and skilled staff, defined work procedures, and intensive review and testing activities.”
The standard requires documentation of responsibility, authority and interrelation of all personnel affecting quality. This means that if a person has a responsibility, it shall be formally assigned by the appropriate manager. The person should have the authority to fulfil the responsibility.
According to ISO, responsibility means:
“a duty to act on one’s own accord when something has to be done without being told”.
– Existence of a responsibility that cannot be fulfilled.
– Project-maintenance organisation
– Software development-hardware development
– Maintenance organisation-help desk
The resources requirement is that the supplier:
– Identify the requirements for resources
– Assign trained personnel.
The management representative requirement is the appointment of a management representative with authority and responsibility to:
– Ensure that the company fulfils the requirements in ISO 9001
– Report the performance of the quality system to company management
1.3 Management Review
The quality manager should periodically present the results of:
– Quality audits
– Statistics of quality complaints
– Records of corrective action
The results should be presented at a recorded management meeting, with notes on who attended, what was presented and what decisions were taken.
2. Quality System
Quality system – “the organizational structure, responsibilities, procedures, processes and resources for implementing quality management.”
Procedures, rules and decisions shall be put into writing. If you have a rule or procedure that is not required by ISO 9001, the standard still requires that it is written.
A quality manual shall contain reference and documentation of the quality system.
– An audit is a sample. Therefore, if minor non-conformances are found in the sample and fixed, the result can still be a non-conformance, because the auditor can suspect that there are many more minor non-conformances.
– Existing written procedures are not adhered to.
3. Contract Review
Before signing a contract, the supplier checks that the organisation is able to perform what the contract requires.
Questions that should be asked include:
– Are the requirements documented and understood?
– Are acceptance criteria included?
– Have requirements differing from the tender been resolved?
– Can the supplier muster enough resources for the contract?
– Can the supplier muster the competence needed for the contract?
– Can the task be completed in time?
The standard requires that a documented procedure with reviews be included. The supplier should identify how contract amendments and the handling of the requirements specification between customer and supplier are defined.
4. Design Control
ISO requires that you plan before doing and specify before designing.
4.2. Design and Development Planning
Design plan should contain:
– Definition of methodology to be used in development of product
– Time schedules, responsibilities, work assignments and progress control
– The phases into which the project will be divided. This includes input, output and verification of output.
– Description of methods and tools to be used
Quality plan should contain:
– Quality targets
– Criteria for acceptability
– Identification of planning, validation and verification.
– Responsibilities for quality activities.
If a company wants to gain ISO qualification, the plans must be held in all projects, since ISO certification is for the whole company and not for specific projects.
4.3 Organizational and Technical Interfaces
If the work is divided between groups, the interfaces between them should be identified, documented and transmitted to those needing the information. The documentation shall be reviewed regularly.
4.4 Design Input
In software development, the requirements specification contains the design input. It may be written by the purchaser or prepared by the supplier using laws and regulations. Another design input is design coding, which is used as input to coding.
The standard wants to ensure that the work product of each step meets the requirements.
In software development, requirement changes are common, so a procedure for handling new and changed requirements from the purchaser should be created.
4.5 Design Output
Design Output: the design documentation and the source code. ISO requires that design documents and coding be reviewed before release.
A procedure for acceptance of the design output and criteria of acceptance should be created.
4.6 Design Review
Project functions like coding and testing shall be presented at the review. A common method for ensuring reviews is the use of checklists.
4.7 Design Verification
This consists of reviews, module testing and integration testing.
4.8 Design Validation
This is the final system test of the complete software product, together with a review of the user documentation. Validation should be planned and documented. Beta testing is in conformance with ISO as long as it is covered by a clear agreement between the supplier and the beta-testing customer.
4.9 Design Changes
ISO 9001 requires that, after release of design documentation or source, all changes shall go through a formal process where changes are documented, reviewed and approved before implementation.
Uncontrolled changes to complex technical documents or programs are extremely dangerous, and as such the standard does not allow them.
5. Document and Data Control
Information that controls the development/maintenance of software. The standard requires that those who need some document/data shall have access to it. Changes to documents and data shall be controlled.by