Objective Measurement of the Extent of Conformity to Management System Standards



Similar documents
Improving the quality of ISO 9001 audits in the field of software

Appendix 3 (normative) High level structure, identical core text, common terms and core definitions

The Adoption of Management Systems Standards & Best Practices in Malaysia (Current and Future Trend)

COMBINE. Part B. Manual for Marine Monitoring in the. Programme of HELCOM. General guidelines on quality assurance for monitoring in the Baltic Sea

ISO 9001 : 2000 Quality Management Systems Requirements

FSSC Q. Certification module for food quality in compliance with ISO 9001:2008. Quality module REQUIREMENTS

16) QUALITY MANAGEMENT SYSTEMS

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

CQI briefing note. Annex SL

OIML D 18 DOCUMENT. Edition 2008 (E) ORGANISATION INTERNATIONALE INTERNATIONAL ORGANIZATION

ISO 9001:2015 vs. ISO 9001:2008

Chapter 1. The ISO 9001:2000 Standard and Certification Process

Revision of ISO 9001 Quality Management Systems Requirements

Network Certification Body

SPICE International Standard for Software Process Assessment

What changes will ISO 9001:2015 bring?

Selection and use of the ISO 9000 family of standards

ISO/IEC Part 1 the next edition. Lynda Cooper project editor for ISO20000 part 1

Using COSO Small Business Guidance for Assessing Internal Financial Controls

MTAT Software Engineering Management

Procedure for Assessment of System and Software

Quality Management. Managing the quality of the software process and products

GFMAM Competency Specification for an ISO Asset Management System Auditor/Assessor First Edition, Version 2

Name: Lynda Cooper Date: November 24th. Revising ISO/IEC to fit the future of service management

Innovative Integrated Management System (IIMS) for Sustainable Food Industry

ISO 9001: 2008 Boosting quality to differentiate yourself from the competition. xxxx November 2008

ISO 9001 Quality Management Systems. Tips for Internal Auditing

Experience In Achieving MS ISO/IEC Accreditation Under Laboratory Accreditation Scheme Of Malaysia (SAMM)

ISO/IEC Information & ICT Security and Governance Standards in practice. Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT

Quality Management. Objectives

Quality Management. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 27 Slide 1

Gap Analysis of ISO 15189:2012 and ISO 15189:2007 in the field of Medical Testing

How do I gain confidence in an Inspection Body? Do they need ISO 9001 certification or ISO/IEC accreditation?

MANAGEMENT REVIEW FOR LABORATORIES AND INSPECTION BODIES

ISO/TMB/JTCG N 359. N0359 JTCG FAQ to support Annex SL. Document type: Other committee document. Date of document:

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems

Quality Management. Objectives. Topics covered. Process and product quality Quality assurance and standards Quality planning Quality control

Moving from ISO 9001:2008 to ISO 9001:2015

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies

RECOMMENDATION. on the Evaluation of Quality Management System of National Metrology Institutes

ISO 9001:2015 Overview of the Revised International Standard

SOFTWARE QUALITY MANAGEMENT THROUGH IMPLEMENTATION OF SOFTWARE STANDARDS

Navigating ISO 9001:2015

Translation Service Provider according to ISO 17100

Effective Internal Audit in the Financial Services Sector

Environmental management. The ISO family of International Standards

ISO/IEC/IEEE The New International Software Testing Standards

MALAYSIAN STANDARD INFORMATION AND DOCUMENTATION - RECORDS MANAGEMENT - PART 1: GENERAL (ISO :2001, IDT)

An Introduction to the ECSS Software Standards

Quality Management: Co-ordinated activities to direct and control an organisation with regards to quality ISO9000

How To Help Your Organisation Be Ethical

TOTAL QUALITY MANAGEMENT ADOPTION BY PROCESS ENGINEERING DESIGN FIRMS IN SOUTH AFRICA

HKCAS Supplementary Criteria No. 8

Information Security governance: COBIT or ISO or both?

xxxxx Conformity assessment Requirements for third party certification auditing of environmental management systems - competence requirements

PROFESSIONAL SERVICES SPECIFICATION

ISO 9001 Quality Systems Manual

Quality Management. What is quality? Managing the quality of the software process and products ISO 9000

Victorian Government Risk Management Framework. March 2015

Moving from ISO9000 to the Higher Levels of the Capability Maturity Model (CMM)

C015 Certification Report

Policy. VBA Enterprise Risk Management. Governance Unit

Quick Guide: Meeting ISO Requirements for Asset Management

How To Understand The Differences Between The 2005 And 2011 Editions Of Itil 20000

Information on the revision and insights into the new structure.

ISO ASSET MANAGEMENT FOR POWER

Quality Manual ISO 9001:2015 Quality Management System

Software quality assurance in Australia D. Wilson School of Computing Sciences, University of Technology, /, fo Boz

Certification Process Requirements

IRCA Briefing note ISO/IEC : 2011

Lecture 20: Software Evolution

TERMS OF REFERENCE FOR CERTIFICATION BODIES (CBs)

Auditing Process-based Quality Management Systems. Charlie Cianfrani and Jack West

EA IAF/ILAC Guidance. on the Application of ISO/IEC 17020:1998

AUSTRALIAN FORESTRY STANDARD LIMITED

Improving global standard to be a key driver of innovation. Colin MacNee. 2012, 2013, 2014 Duncan MacNee Limited.

ISO What to do. for Small Businesses. Advice from ISO/TC 176

Information for Schools and Colleges. So you want to. Know more about the BS EN ISO 9000:2000 family of quality management system standards

Improving the quality of certification, measurement, verification and validation of conformity assessment results Dr Elsabe Steyn

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;

A Review ISO 9001:2015 Draft

Lecture 8 About Quality and Quality Management Systems

Internal Audit Division

ISO 9001 and the Supply Chain

Chief Executive Officer, Academic Director, Training Coordinator. Chief Executive Officer, Academic Director, Training Coordinator

PHASE 6: DEVELOPMENT PHASE

I.3 Quality Management

ISO 9001:2000 Gap Analysis Checklist

Your Software Quality is Our Business. INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc.

GUIDE 62. General requirements for bodies operating assessment and certification/registration of quality systems

Data Quality Policy. Appendix A. 1. Why do we need a Data Quality Policy? Scope of this Policy Principles of data quality...

Revised October 2013

1 Introduction to ISO 9001:2000

Transcription:

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 143 Objective Measurement of the Extent of Conformity to Management System Standards Dr. Alastair Walker CEO, Software Process Improvement Laboratory, Johannesburg, South Africa ABSTRACT The approach described in this paper relies on a radical and innovative approach to enable a management system to demonstrate conformity to the requirements of an unlimited number of management system standard requirements, at the cost of performing a single mapping exercise. This unique approach relies on interposing a process reference model between the process evidence of the enterprise management system and the normative requirements of various management systems standards of interest. This approach requires that the process evidence of the enterprise management system is mapped to the process reference model elements a once-off exercise. The mapping of the process reference model elements to the various management system requirements is also performed as a once off exercise, and is completely independent of the enterprise management system. By quantifying the judgements made when creating these various links, and by appropriately aggregating the data to derive quantitative results for the extent of the coverage of process reference model (by the management system process evidence) we can derive the extent of the coverage of the requirements of the various management system standards of interest. This leads to a novel result that the question how much ISO 9001 have you got? can be expressed in meaningful, quantifiable and accurate terms, based on objective evidence. Keywords: ISO 9001, ISO/EIC 15504quantitive process improvement, process reference models 1.0 Introduction The conventional approach to demonstrating conformity of the processes of a management system to the requirements of a management system standard relies on a one-to-one mapping of process evidence in the management system to a sub-clause of the conformity standard. The obvious drawback of this arrangement is that when there is a need to demonstrate conformity to multiple standards then separate mappings have to be created one for each management system standard. In contrast to this, a radical and innovative approach is described in this paper which has major governance advantages. The key feature of new approach is to interpose a process reference model between management system process evidence and the requirements of the management system conformity standards. In this arrangement a single set of mappings is required between the management system process evidence and the process reference model elements. Requirements from one or more conformity standards are then mapped to or associated with the outcomes of the various processes in the process reference model. This approach allows an enterprise to identify and implement the processes that make sense to the business, and to evolve these processes in line with business needs. When evidence of conformity is required to be demonstrated to one or more stakeholder driven requirement standards, this is implemented by means of a mapping table (or matrix) that identifies which conformity requirements are associated with which items of process evidence in the enterprise management system. The analyses of the requirements of conformity standards have been facilitated by the development of a software tool for requirements management and analysis by the SPI Laboratory. This tool (known as MAP) has been assembled as a multi-user client-server application using a relational database. This technology

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 144 allows powerful and comprehensive reports to be produced regarding the links between management system process evidence, process model elements, and the requirements of various conformity standards. 2.0 Key features of the mapping approach The familiar approach to demonstrating conformity of a management system to the requirements of a management system standard relies on a one-to-one mapping of management system informational items (i.e. process evidence) to sub-clauses of the conformity standard. This approach is illustrated in Figure 1. The obvious drawback of this arrangement is that when there is a need to demonstrate conformity to the requirements of multiple management system standards separate mappings have to be created one for each management system standard. Figure 1: Conventional approach direct mapping of management system elements to conformity standard requirements The distinctive approach described in this paper is to map or associate requirements from one or more conformity standards to the outcomes of the various processes in a process reference model. This approach allows an enterprise to identify and implement the processes that make sense to the business, and to evolve these processes in line with business needs. The key elements of this approach are shown in Figure 2. Figure 2: A new approach direct mapping of management system elements to process model elements, and process model element links to conformity standard requirements The major advantages of this approach are:

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 145 a) The mappings between process model elements and requirements of conformity standards is performed offline, and when completed, remains valid until either (or both) the process model elements need to be revised, or when new editions of the management system conformity standards are published. b) The technical content underlying the process model elements tends to be highly stable. They represent domain knowledge and best practice. For example, the technical expectations of the practices associated with Configuration Management have not altered in the past 30 years! (The methods of implementation have but these have to do with how of a process is performed, not the what of the process model elements.) c) The mapping of process evidence (arising from the enterprise management system) to elements of the process reference mode is performed once. d) Through the use of database technology and structured queries, reports showing the relationship of conformity requirements and process evidence can be presented. e) By rating the quality of the links between the process evidence and the process model elements, quantitative results can be presented for the extent and quality of the coverage of the conformity requirements and the linked process evidence, thus yielding aggregated data that leads to a quantitative determination of the extent of coverage of the conformity requirements of the associated process evidence. 3.0 Requirements analysis methodology These benefits are achieved only if the underlying data and assumptions are satisfied. Conformity requirement standards (e.g. ISO 9001, ISO 14001 etc), as presented in the published documents, are not suitable for a detailed analysis of requirements. A key need to be satisfied in order to perform a requirements analysis is that: a) Each requirement is identified, and b) Each requirement is unique. To gain insight into the type of challenge faced in this area in conducting requirements analysis, consider an example from ISO 9001 [2]. A cursory review of the clause descriptions in this standard indicates that some clauses have multiple sentences, each with distinct implications and need for requirements traceability. The following clause fragment highlights the nature of the deconstruction work that has to be performed. ISO 9001 clause 4.1 The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard. Clause unpacked 4.1.1 The organization establishes and documents a quality management system in accordance with the requirements of ISO 9001:2000. 4.1.2 The organization implements and maintains a quality management system in accordance with the requirements of ISO 9001:2000. 4.1.3 The organization continually improves the effectiveness of the quality management system in accordance with the requirements of ISO 9001:2000. The key issue is that one clause from the published standard may contain a number of implications that require demonstrations of conformity, each of which warrants individual attention, and traceability.

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 146 4.0 Rationale for mapping requirements to process outcomes The key issues in Figure 2 may be summarised as: Process Capability Attributes Provides the foundation for Work Products Demonstrates process effectiveness & efficiency Process Reference Model Outcomes Performance evidence Provides the foundation for satisfying Conformity Standard Requirements Figure 3: Relationship between process outcomes, process capability attributes, conformity requirements, and process evidence based on work products a) There is a single process reference model representing the process needs of the enterprise management system, with potentially a large (and unbounded) set of processes; b) The model format associated with the process reference model (i.e. process name, process purpose, process outcomes) is matched by the process capability model elements (i.e. process attribute name, definition, achievement results) as defined in ISO/IEC 15504-2 [4]; c) There may be many conformity standards whose requirements need to be mapped to the outcomes of various processes; d) There will be a unique mapping for each conformity standard to the process reference model outcomes, and to the capability model process attribute achievement results. 5.0 An approach to rating of links In order to provide an answer to the question How much ISO 9001 have I got, several quantitative decisions have to made regarding: a) the strength of association or validity of the links between process outcomes and work products (i.e. process evidence), and secondly, between the requirements of a conformity standard and process outcomes; and b) the quality of the process evidence provided when called upon to make a judgement as to whether the intent of a process outcome has been satisfied. As items of process evidence are linked to process outcomes, two judgements have to be made: a) the strength of association of the item of process evidence to the scope of the process outcome, and secondly, the quality of the technical content of the item of process evidence in regard to satisfying the intent of the process outcome. b) the rated values of the item of process evidence to process outcome links are then aggregated up to represent ratings of process model outcomes, and secondly, ratings of the processes.

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 147 Each process outcome link to conformity requirement requires two judgements to be made: a) a judgement of the strength of association of the scope of the process outcome to the conformity requirement, and b) the determination of the aggregated value of the rating representing the process model outcome. The rating values of the process outcome links to the conformity requirements are aggregated to represent a) ratings of individual conformity requirements, and b) ratings of clauses. The approach to aggregating data is based upon the process evidence rating model described in ISO/IEC 15504-2. [3] 6.0 Steps to measure the extent of coverage of conformity requirements in a management system In this example, a single process is used to demonstrate the features and the analysis method, namely the Audit process. For sake of space, only ISO 9001:2000 (Clause 8.2.2) is considered. Step 1: Identify the process model Process models are described in terms of process names, a process purpose statement, and a list of process outcomes [5]. The process title summarizes the scope of the process. The purpose of the process is stated as a high level, overall goal for performing the process. Outcomes are observable results of the successful achievement of the process purpose. The elements for the Audit process are listed in Figure 4. Figure 4: Elements of the process model Step 2: Establish the links between the work products (process evidence) and the process outcomes ISO 9000 [1] defines a process as a set of interrelated or interacting activities which transforms inputs into outputs. A sample listing of inputs and output work products (i.e. instances of process evidence) for the Audit process is listed in Figure 5 [Wahid, 5].

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 148 Figure 5: A mapping from process outcomes to process evidence (work products) Step 3: Establish the links between the process outcomes and the conformity standards A sample fragment for the ISO 9001 requirements associated with clause 8.2.2 linked to the outcomes of the Audit process is shown in Figure 6. Figure 6: Links between ISO 9001 conformity standard requirements and process outcomes

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 149 Step 4: Rate the links between the process outcomes and work products Figure 7 shows the rating values and the aggregation of results to a) the process outcome level, and b) to the process level. The ratings alongside the items of process evidence are the result of human judgement being made by inspecting the item of evidence in the light of the technical requirement of the process outcome of interest. Note: The implications of the terms used for ratings are as follows [3]: Not achieved: There is little or no evidence of achievement of the process outcome. Partially achieved: There is some evidence of an approach to, and some achievement of, the process outcome. Largely achieved: There is evidence of a systematic approach to, and significant achievement of, the process outcome. Fully achieved: There is evidence of a complete and systematic approach to, and full achievement of, the process outcome. Figure 7: Ratings of links between process outcomes and work products Step 5: Aggregate the process outcome ratings Figure 8 is a summary report focussing upon the overall rating of the selected processes, and a summary computation of the overall aggregated result. (i.e. in this instance, 100%).

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 150 Figure 8: Aggregated result of process coverage Step 6: Aggregate the links data between the process outcomes and the conformity standard requirements Figure 9 shows the ratings of process outcome process evidence results carried forward from the results listed in Figure 7. The validity rating is applied to the process outcome process evidence rating to yield a rating for that conformity requirement. The ratings of the conformity requirements associated with a sub-clause are then aggregated to yield a rating for that subclause. Figure 9: Aggregated results of ratings of links between conformity requirements and process outcomes

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 151 Step 8: Rate the extent of conformity standard coverage of the selected processes So the question How much ISO 9001 have I got?, would be answered by the response For the Audit process selected in the process model, and for the selected the ISO 9001 subclause 8.2.2, the result is 100%. Figure 10: Aggregated result of extent of coverage of ISO 9001 requirements 7.0 Discussion The ability to quantify the extent of coverage of the requirements of a selected standard is very powerful. It provides means for managing quantitative process improvement. The early questions usually raised at the start of a process improvement initiative - where are we now? And 'What do we need to do to improve our coverage of process/requirements' - can now be answered in a tangible way.

Nang Yan Business Journal 1.1 2012 Paper #: 2-10 P- 152 References [1] ISO 9000, Quality management systems Fundamentals and vocabulary, 2000. [2] ISO 9001, Requirements Quality Management Systems, 2000. [3] ISO/IEC 15504-2, Information Technology Process Assessment Performing an Assessment, 2003. [4] ISO/IEC 24774, System and software engineering - Life Cycle Management - Guidelines for process definition, DTR, December 2006. [5] Wahid, Roslina, Beyond Certification: The Maintenance of ISO 9000 in Malaysian Service Organisations, in Sustainable Development through Innovation, 15 th International Conference on ISO & TQM, Malaysia, 26-28 July 2011, APBEST Academy & UNITEN, pp 51-52 & CD, available at: www.hk5sa.com/icit, 2011. Author s Background Dr. Alastair Walker is the founder and chief executive officer of the Software Process Improvement Laboratory, which was established in January 2001. He is a member of the Standards South Africa Information Technology Committee (TC 71) and chair of StanSA National Committee for Software and Systems Engineering Standards (SC 71C). He chairs the StanSA task group that developed and maintains the South African National Standard 10055 'ISO 9001:2000 Process Auditing - a multipart part series addressing practical issues related to the conduct of process auditing from an ISO 9001:2000, process performance and process capability perspective. Alastair is a Competent Certified Process Assessor (CCPA) registered with the Southern African Auditor and Training Certification Association (SAATCA). As a member of the SAATCA Advisory Board he advised on issues related to training of process capability assessors. He is the project leader for the recently established SAATCA certified process assessor (CPA) personnel registration programme. He is the South African representative on the international ISO/IEC JTC1/SC7 Software and Systems Engineering Standards Committee Advisory Board since 1994, and member of the SC7 Business Planning Group since May 2003.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information