ISO 9000 FOR SOFIYifrARE QUALITY SYSTEMS



Similar documents
An Alternative Method for Maintaining ISO 9001/2/3 Certification / Registration

FINAL DOCUMENT. Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 1: General Requirements

International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research)

International Accreditation Forum, Inc.

Software Quality Assurance: VI Standards

Quality Management System Certification. Understanding Quality Management System (QMS) certification

The Asset Management Landscape

ISO 9001:2000 Gap Analysis Checklist

Quality Management Standard BS EN ISO 9001:

Association for Project Management Business Management System

PRCA Communications Management Standard (CMS) for In-House Teams

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

AS9100 B to C Revision

International Workshop Agreement 2 Quality Management Systems Guidelines for the application of ISO 9001:2000 on education.

NABL NATIONAL ACCREDITATION

IAF Informative Document. Transition Planning Guidance for ISO 9001:2015. Issue 1 (IAF ID 9:2015)

Your Software Quality is Our Business. INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc.

quality, health & safety and environment training and consulting

Lecture 8 About Quality and Quality Management Systems

SOFTWARE QUALITY & SYSTEMS ENGINEERING PROGRAM. Quality Assurance Checklist

GFRS Quality Assurance (Fire Safety) Policy Statement

-Blue Print- The Quality Approach towards IT Service Management

Institutional Certified Evaluation and Accreditation of Universities General Principles:

QUALITY MANAGEMENT SYSTEM MANUAL

CP14 ISSUE 5 DATED 1 st OCTOBER 2015 BINDT Audit Procedure Conformity Assessment and Certification/Verification of Management Systems

The Proposed Quality Competency Framework for the Future Quality Professional

GUIDE 62. General requirements for bodies operating assessment and certification/registration of quality systems

MTAT Software Engineering Management

ISO 9001:2008 Audit Checklist

What changes will ISO 9001:2015 bring?

Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3

(Draft) Transition Planning Guidance for ISO 9001:2015

Quality Management System Manual

Chain of Custody Standard

Office for Nuclear Regulation

EA IAF/ILAC Guidance. on the Application of ISO/IEC 17020:1998

QSS 0: Products and Services without Bespoke Contracts.

IAF Mandatory Document for the use of Computer Assisted Auditing Techniques ( CAAT ) for Accredited Certification of Management Systems

International Organization for Standardization

ISO 9001 : 2000 Quality Management Systems Requirements

Quality Management System Manual

Memorandum of Understanding

Benefits of an Integrated Management System for SME s

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems

Quality Assurance in Higher Education

Australian Computer Society. Policy Statement

For the latest information on VHP publications, visit our website:

Quality Manual. UK Wide Security Solutions Ltd. 1 QM-001 Quality Manual Issue 1. January 1, 2011

ISO What to do. for Small Businesses. Advice from ISO/TC 176

Can a Level 2 or (3) organization be considered ISO compliant? Should SPI be based on CMM or ISO?

The IAF Multilateral Recognition Arrangement (MLA) Certified Once Accepted Everywhere

AS9100C Revised Standard Improves Aerospace Quality

EMS Example Example EMS Audit Procedure

CCD MARINE LTD QUALITY MANUAL PROCEDURE Q Date: Title. Revision: QUALITY MANUAL PROCEDURE Q September 2014

IAF Mandatory Document

Information Technology Engineers Examination

Contact address: Global Food Safety Initiative Foundation c/o The Consumer Goods Forum 22/24 rue du Gouverneur Général Eboué Issy-les-Moulineaux

The Advantages of ISO 9001 Certification

TOTAL QUALITY MANAGEMENT II QUALITY AUDIT

ISO 9001:2000 AUDIT CHECKLIST

Introduction to the ISO 9000 Quality Standard William E. Perry

Certification Process Requirements

INTRODUCTION TO ISO 9001 REVISION - COMMITTEE DRAFT

PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3)

UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme

NOS. Supply Chain Management Occupational Standards

INTEGRATED MANAGEMENT SYSTEM MANUAL IMS. Based on ISO 9001:2008 and ISO 14001:2004 Standards

Module 17: EMS Audits

ONTIC UK SUPPLIER QUALITY SURVEY

EA-7/01. EA Guidelines. on the application. Of EN Publication Reference PURPOSE

QUALITY ASSURANCE GUIDE FOR GREEN BUILDING RATING TOOLS

QUALITY MANAGEMENT SYSTEMS REQUIREMENTS FOR SERVICE QUALITY BY PUBLIC SERVICE ORGANIZATIONS

QUALITY MANAGEMENT IN VTS

Introduction to Quality Assessment

QUALITY MANUAL 3 KENDRICK ROAD WAREHAM, MA FAX

IT Service Desk Health Check & Action Plan

INTERNATIONAL STANDARD

Code of Practice on Electronic Invoicing in Europe

Space Project Management

Code of Practice on Electronic Invoicing in Europe

IAS ACCREDITED INSPECTION AGENCIES: GUIDELINES FOR CONDUCTING INTERNAL AUDITS AND MANAGEMENT REVIEWS. Revised January, 2016

Functional Safety Management: As Easy As (SIL) 1, 2, 3

PHARMACEUTICAL QUALITY SYSTEM Q10

AEROSPACE STANDARD. Quality Management Systems - Requirements for Aviation, Space and Defense Organizations RATIONALE

THE QUALITY MANAGEMENT SYSTEM IS YOURS UP TO STANDARD?

Contents. 2. Why use a Project Management methodology?

For the Design, Installation, Commissioning & Maintenance of Fixed Gaseous Fire Suppression Systems

0. 0 TABLE OF CONTENTS

The IP3 accreditation process. Bob Hart Chief Assessor September 2008

Foundation Bridge in IT Service Management (ITSM) according to ISO/IEC Specification Sheet. ISO/IEC Foundation Bridge TÜV SÜD Akademie

Quality Management System Certification. Understanding Quality Management System (QMS) certification

QUALITY MANAGEMENT SYSTEM Corporate

16) QUALITY MANAGEMENT SYSTEMS

Australian Transport Council. National Standard for the Administration of Marine Safety SECTION 5

ISO 9001:2015 Overview of the Revised International Standard

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies

Transcription:

ISO 9000 FOR SOFIYifrARE QUALITY SYSTEMS Folkert Rienstra, KEMA, the Netherlands SUMMARY This paper outlines some key elements of quality system standards ISO 9000 and their application to Information Technology and software development. Emphasis is put on the need for closed feedback loops in the organization which will provide a stable framework for effective quality management. Application of the generic ISO 9000 standards to software development has to take into account the specific characteristics of this process. Additional guidelines are described in ISO 90003. Implementation of a quality system in practice should be based on the existing process and where necessary add improvements. The objective is not to impose rules, but to improve the process. Finally the paper describes audit and certification of qualify systems. In the Information Technology Sector a number of initiatives have been taken to promote the general acceptance and international harmonization of IT quality system certlficates. 1 PRINCIPLES OF QUALITY MANAGEMENT The objectives of quality management are twofold: improvement of customer satisfaction, and at the same time improvement of the internal processes. The realisation of these objectives in an organization requires a systematic approach, supported by a quality system. In working out the details of a qualify system a few key questions have to be considered; What are the objectives of an organization? What do we want to accomplish? Which activities and processes do we need in order to achieve the objectives? How can we manage and control these activities? The principles of customer oriented quality.management are in the expression: Ten what we will do, and do what we have told[ 2 QUALITY MANAGEMENT BASED ON FEEDBACK LOOPS Engineering principles team us that a stable process has to be based on a closed controlloop, which provides feedback between the stated objectives and the actual results. The same principle applies to qualitymanagement We need a number of closed feedback loops. 1

,~~ 2 First of all we need communication and feedback between the different levels in the organization. Management has to define the objectives and to translate these objectives into targets and results which can be understood by the staff carrying out the activities. Viceversa management should have an open mind for the practical experiences of their staff and the bottlenecks encountered~ Such bottlenecks should be solved by improvement of the working method and/or by adjustment of the objectives. To be able to determine whether improvement has actually occurred we have to formulate the objectives in a concrete and measurable way. And we have to measure our results, keeping some formal records and comparing measurements made at different time intervals. Ouality management involves also documentation of the procedures and working methods throughout the organization. Here again a process of careful communication and feedback is required to ensure that the actual working methods follow the documented procedures and that these documents are kept upto date when changes occur in practice. The various feedback loops provide a framework for the quality management, in which a number of elements are put together: Managerrfafrf ResponafbiIify Management will de6ne the qualify policies and ob}ectfves Oua/f/frSystem The quality system implements the procedures and working methods in the organization which are necessary to achieve the objectives Measu Ferne'rf;s Measuring and recording methods keep track of actual results and performance /r;jlfema/ aucfito Internal audits will show whether the quality systems works in practice and how effective it is Mar}agemenf revfew Management will review and analyze the results of quality measurements and internal audits and compare these with their objectives Pr a/xfl correctj!ve action The performance analysis will lead to actions for improvement of the quality system. ' The essential requirements for a quality system are specified in a series of internationally accepted standards: the ISO 9000 standards. Implementing these requirements enables an organization to manage and control its quality processes and the "qualitylevel" of its products or services. 3 CHARACTERISTICS OF SOll::TWARE DEVELOPMENT The ISO 9000 standards are generally applicable. However in their application to software development we have to take into account the special characteristics of this process. In a software quality system a great deal of emphasis is put on design and development activities. As soon as these activities have resulted in a first operational product which meets the stated requirements this product is delivered. 2

3, r _ Reproduction of software seems rather trivial. As a consequence we have to pay much attention to planning and control of the development process. Software is intangible and often very complex which makes it difficult to determine its quality. It is therefore important to use design reviews and verification and validation in order to prevent errors or detect them as early as possible. The intangible nature of software makes it also difficult to distinguish one version from another version. This makes it necessary to have a rigorous configuration management system. Software development involves strong interaction and cooperation with the customer, whether this is external customer or an internal customer. It is necessary to ensure a complete set of specifications and a clear understanding thereof before the development is started. Software development is project oriented. Before a project is started the availability has to be ensured of the capabilities and resources necessary to complete the project successfully. In addition project planning and control are important in all phases of the project. In many instances it is to be recommended to work according to formalized methods, using supporting tools and techniques. However such methods and techniques should not become an end in themselves and become an obstacle for the quality objectives. 4 ISO 90003 FOR SOFTWARE DEVELOPMENT " ~,, To give guidelines for the application of the general requirements of ISO 9001 to software development, an additional guidance standard has been drawn up: ISO 90003" This guidance document describes a software quality system in three layers. The main layer comprises the lifecycle activities, covering the software development process from specification to maintenance. The lifecycle activities are projectspecific: they have to be carried out for each separate project in a way which takes into account the specific requirements of the project. In the lifecycle activities we can distinguish two phases: The planning phase, in which we complete a contract. agree the specifications and Prepare a workplan. The i,mplementation phase which comprises the actual development activities.. ^. The second layer of a software quality system consists of elements which support the lifecycle activities. In many cases software projects will be carried out using an existing system environment and using existing supporting procedures and tools which are not Project specific. Some of these supporting elements are software oriented, such as configuration management and development tools. We have also supponlng elements which are more general and not software specific, e.g. document control or purchasing Procedures.,. Finally a software qualify system needs a management framework to bring all elements together and to create the general organization and conditions for control over the Process and for achieving quality. This framework is highly similar to other sectors of industry and has to Provide the feedback loops as described previously in section 2 of this paper. 3

4m 5 OTHER STANDARDS AND MODELS FOR SOFTWARE QUALITY In addltion to the ISO 9000 series we have also other standards and models available aiming at improvement of software quality, e.g.: IEEE has published a whole series of standards. technical oriented and defining detailed specification of working methods. The Software Capability Maturity Model (CHM) defines five levels of quality and productivify and it provides a road map for a step by step implementation of the requirements. The SPICE initiative (Software Process Improvement and Capability Determination) develops a series of standards based on similar principles and approach as CMM. The various standards and models have a common objective: to assist and enable an organization to achieve better quality management of the software process. They have also in common that quality improvement is not merely a technical issue. It is primarily a management issue and requires a systematic approach in the organization. A key element in quality improvement in all cases is good control and management of the activities and processes; this is strongly supported by ISO 0000 which can therefore be considered as a series of base standards. How can we possibly achieve improvement of our process If we do not have control over the process? 6 IMPLEMENTATION OF ISO 9001 REQUIREMENTS ISO 9001 is a generic standard For each process in an organization all relevant clauses of the standard apply. There is no simple one toone relation between the clauses of the.standard and the processes in the organization, especially not in software development. For example the clause on Design Control does not apply only to the "Design Department" but is applicable to all processes where design activities take place. The requirements of this clause may be implemented in a different way for different processes, depending on specific conditions and circumstances. Key requirement in all cases is to provide adequate control of the process. s Implementation of a quality system should take the existing process as a starting point This will enable us to use as much as possible existing knowledge and experiences, even if we know that it is not perfect. Therefore the start is to document the various activities in our existing process, e.g. in a flowchart or process diagram. This will enable us to analyze what are the objecflves, which inputs do we use, what outputs do we have and how can we control the process. Following this we can map the requirements of ISO 9001 on the process. This will clarify where we already satisfy the standard and where we need additional controls or procedures. We should not take ISO 9001 as a starting point and force our organization or our process into the structure of the standard. This would mean major changes in our process and would make existing knowledge and experience useless. In a similar way it is very difficult to take over the existing quality system of another organization and import that into our own organization. The differences between the two organizations in goals working methods and culture etc. will lead to difficulties. _, 4

5 ISO mj br ~ Quality Systems w~ r. Throughout the implementation process we have to remember that the objective of a quality system is not to impose rules, but to improve our process. The improvement should be visible to the people directly involved in the activities. Also we have to be careful about the paperwork. A thin quality manual is preferable to a thick one. A thick manual will not be read and it will certainly not be observed in practice. Finally we have to bear in mind that a software quality system involves more than just a documented development method. This method is important. However, let us be aware that development is one section of the standard and that there are 19 other sections dealing with other processes. From practical experience we can identify some issues which are specific for software development, e.g.; In internal software departments or in development of embedded software we often see confusion over who is "the customer' (as referred to in 150 9000). In such cases the customer is the part in the organization that approves the software specifications and the budget. When the specifications change also a change may be needed in the budget and the timeschedule. Configuration management has to be applied to the development project. But also to the environment which supports the development, e.g. the computer network, compilers, test sets etc. ISO 9001 requires a clear distinction between internal release by the supplier and acceptance by the customer. These activities should not be merged into a single test. Many organizations carry out already projectaudits~ Such an audit Wat consider: have we completed the project on schedule, or what went wrong? In addition to projectaudits we also need internal systemaudits, i.e. an audit of the quality system as a whole in order to consider e.g.: are our development method and other working methods adequate and how can we improve our process? 7 AUDIT AND CERTIFICATION A third party audit means a formal investigation whether a quality system satisfies the requirements of ISO 9001. A successful audit may result in the certification of the organizations quality system. A quality system audit may be carried out for several reasons, e.g.: Presenf a chaf/enge The implementation of ISO 701 presents a clear and challenging goal to the internal organization which will help to stimulate and focus the qualify activities. Provfde a benohmarfr An audit of the qualify system provides a clear and objective comparison with other organizations. Cuaforfrer conffdence Audit and certification of the suppliers quality system can provide confidence to the customer. 5

H Especially In software development, where the customer is depending on the suppliers quality system for successful completion of an unique product made to the customer's specifications. An audit involves a number of activities. In preparation of an audit a detailed audit..plan will be prepared based on an analysis of the suppliers activities and organization in relation to the requirements of the standard. The actual audit starts with an appraisal of the documented quality system, Le. the quality manual and associated qualify procedures and work instructions. All procedures as required by the standard have to be in place, for instance for contract review, for development planning, for the use of tools, for document control etc. The next step is the verification of the practical application of all procedures and work instructions in the organization. This involves interviewing staff and inspection of project files, test records and other qualify records. The third important element is an audit of the feedback loop for internal control and management of the quality system, by means of internal audits, management reviews and corrective actions. A third party audit will be based as much as possible on objective evidence. The supplier will be asked to demonstrate that the required procedures and work instructions are available and followed in practice. Of course ail information collected by the auditors will be treated fully confidential.,_,~, After a successful audit a Certificate can be issued for the supplier's quality system. This means formally that the qualify system complies with the requirements of the standard. In practical terms if means that the supplier is able to deliver a product as specified and has effective control procedures for this purpose. Certification of a qualify system will be followed by periodic survehlance audits. 8 ITQS A number of certification bodies cooperate in ITQS: the Agreement Group for Assessment and Certification of Quality Systems in the Information Technology Sector. The objective of ITQS is to promote the general acceptance and international harmonization of IT qualify system certificates based on ISO 9000 standards. Currently ITQS has 10 certification body members, located in 9 European countries: AENOR(ES), AFAQ(FR), AVI(BE) BSIQA(GB), CETECOM(DE), DELTA(DK) IMO(IT), KEMA(NL), NSAI(IR), TOVBayem(DE). Contacts have been established with candidate members outside Europe. \TQS was established in 1992 with support from the Commission of the European Union, in response to a growing market perception of significant difference in the quality and depth of audits in the ITsector, as carried out by different bodies~ ITQS offers an open platform for international harmonisation of competent and consistent audit and certification. _.. _ 6

7~ ~ ITQS members offer a number of benefits to their clients: Accra&fifed and high levf3f serffices Alt members offer audit and certification services with a high level of integrity. Their operation is verified and monitored by national accreditation authorities. Compefenf and consistenf sudicfng The audit and certification methods and procedures are harmonised among the ITQS members. The harmonisation includes: * common auditor qualiffcation criteria * the use of a common European IT Quality System Auditor Guide * a continuous program of mutual audit observation. MtJtua/ recogniffon The mutual recognition agreement among the ITQS members enables an IT company to avoid multiple assessments and to obtain a quality system certificate that will be endorsed by all ITQS members. Centfal regiaer cl certiffcafjes ITQS maintains a central register of quality system certificates issued by its members. This register is published regufarly and currently lists over 2000 certificates. An important element in the harmonisation is the European Quality System Auditor Guide. The guide identifies ITrelated aspects in a qualify system which needs to be verified in an audit. However, it does not give additional requirements. The auditor guide is based on 150 9001 and on the implementation guidance as given in ISO 90003. The use of the guide makes it possible for auditors from different certification bodies to reach equlvalent results. The auditor guide has been developed in close cooperation between ITQS and TicklT, the UK sector scheme for software qualify system certiffcation. As a result the same auditor guide is used in ITQS and in TicklT. 9 INTERNATIONAL HARMONISATION. As described before ITQS is a cooperation of a number of certification bodies. In the UK the TicklT scheme has been established. In addition also in other countries proposats have been developed for software specific certification schemes. The possible emerging of a number of certiffcation schemes presents confusion to the market regarding the meaning and the value of certificates and may create barriers to the general acceptance of certificates. To avoid theses risks a User Forum Meeting on international Harmonisat\on of IT Quality System Certification was organised in September 1995 (The Hague, NL). In this event representatives of Information Technology suppliers, users and certifiers from 17 countries on four continents discussed the market requirement for international harmonisation between 150 9000 certification bodies. Also representatives of accreditation bodies attended. The meeting expressed the opinion that international harmonisation is needed to ahow one stop audit and general acceptance of quality system certificates. 7

8 This should be achieved through agreed auditor competency criteria, auditor qualification procedures, and equivalent and consistent audit and certification practices Certification must be based only upon conformity with the ISO 9001/9002 standard; no additional requirements for IT supplier quality systems shall be formulated. Uptodate guidance should bridge the gap between every day practice and the high level of abstraction in the standard. The meeting installed a Task Force with the mission to ensure that: IT users and suppliers obtain optimum benefit from implementation of ISO 9000 Certifiers deliver a consistent, reliable and relevant certification service that is recognised worldwide. This task force is now considering further proposala. ~. _ ' 10 CONCLUSIONS After a period of initial development clear panama are now established for the application of ISO 9001 to the Information Technology Sector and especially to software development. It is important to bear in mind the objectives and the principles of quality management: qualify management is aimed at improvement of customer satisfaction and of the internal processes effective quality management will be based on a number of feedback loops in the organization. Implementation of a quality system takes considerable effort. A number of essential conditions can be summarized as follows: we need Commitment; without clearly visible commitment from management the rest of the organization will not move we need Communication; topdown and bottomup throughout the organization we need Consultation; the people who carry out the activities know where improvements in the process can be made It means a change in Culture; working mathods will have to change and qualify will become an important consideration in our decisions. Finally an organization should consider an audit and certification of the qualify system following intemationaoy harmonized practices. However, certification should not be the main objective but will be an added benefit, The primary objective and benefit of a quality system ties in the improvements which will result from a successful implementation of ISO 9001. 8

FOLKERT RIENSTRA Folkert Rienstra (born 1941) has been involved tn LT since 1965. He works at KEMA, a third party testing and certlflcation body in the Netherlands, where he was responsible for the development of LT quality system certification servlces~ He was involved tn drafting of ISO 9000`.S and participates in Its current revision. He is chairman of the Agreement Group ITQS. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information