=Paper=
{{Paper
|id=Vol-1471/paper1
|storemode=property
|title=ISO 9000 for Software Quality Systems
|pdfUrl=https://ceur-ws.org/Vol-1471/paper1.pdf
|volume=Vol-1471
|dblpUrl=https://dblp.org/rec/conf/quatic/Rienstra95
}}
==ISO 9000 for Software Quality Systems==
https://ceur-ws.org/Vol-1471/paper1.pdf
ISO 9000 FOR SOFIYifrAREQUALITY SYSTEMS
______________________________________________________________________
Folkert Rienstra, KEMA, the Netherlands
SUMMARY
This paper outlines some key elements of quality system standards ISO 9000 and their
application to Information Technology and software development. Emphasis is put on the need
for closed feedback loops in the organization which will provide a stable framework for effective
quality management.
Application of the generic ISO 9000 standards to software development has to take into account
the specific characteristics of this process. Additional guidelines are described in ISO 9000-3.
Implementation of a quality system in practice should be based on the existing process and
where necessary add improvements. The objective is not to impose rules, but to improve the
process.
Finally the paper describes audit and certification of qualify systems. In the Information
Technology Sector a number of initiatives have been taken to promote the general acceptance
and international harmonization of IT quality system certlficates.
1 PRINCIPLES OF QUALITY MANAGEMENT
The objectives of quality management are twofold:
improvement of customer satisfaction, and at the same time
improvement of the internal processes.
The realisation of these objectives in an organization requires a systematic approach, supported
by a quality system. In working out the details of a qualify system a few keyquestions have to
be considered;
What are the objectives of an organization?
What do we want to accomplish?
Which activities and processes do we need in order to achieve the objectives?
How can we manage and control these activities?
The principles of customer oriented quality.management are in the expression: Ten what we will
do, and do what we have told[
2 QUALITY MANAGEMENT BASED ON FEEDBACK LOOPS
Engineeringprinciplesteam us that a stable processhas to be based on a closedcontrolloop,
which provides feedback between the stated objectives and the actual results. The same
principleapplies to quality-managementWe need a numberof closed feedback loops.
1
� -2-
,-~~
First of all we need communication and feedback between the different levels in the
organization. Management has to define the objectives and to translate these objectives into
targets and results which can be understood by the staff carrying out the activities. Vice-versa
management should have an open mind for the practical experiences of their staff and the
bottlenecks encountered~ Such bottlenecks should be solved by improvement of the working
method and/or by adjustment of the objectives.
To be able to determine whether improvement has actually occurred we have to formulate the
objectives in a concrete and measurable way. And we have to measure our results, keeping
some formal records and comparing measurements made at different time intervals.
Ouality management involves also documentation of the procedures and working methods
throughout the organization. Here again a process of careful communication and feedback is
required to ensure that the actual working methods follow the documented procedures and that
these documents are kept up-todate when changes occur in practice.
The various feedback loops provide a framework for the quality management, in which a
number of elements are put together:
Managerrfafrf ResponafbiIify
Management will de6ne the qualify policies and ob}ectfves '-
Oua/f/frSystem
The quality system implements the procedures and working methods in the organization
which are necessary to achieve the objectives
- MeasuFerne'rf;s
Measuring and recording methods keep track of actual results and performance
/r;Jlfema/
aucfito
Internal audits will show whether the quality systems works in practice and how effective it is
Mar}agemenf revfew
Management will review and analyze the results of quality measurements and internal audits
and compare these with their objectives
Pr a/xfl correctj!ve action
The performanceanalysis will lead to actions for improvement of the quality system.
The essential requirements for a quality system are specified in a series of internationally
accepted standards: the ISO 9000 standards. Implementing these requirements enables an
organization to manage and control its quality processes and the "quality-level" of its products
or services.
3 CHARACTERISTICS OF SOll::TWAREDEVELOPMENT
The ISO 9000 standards are generally applicable. However in their application to software
development we have to take into account the special characteristics of this process.
In a software quality system a great deal of emphasis is put on design and development
activities. As soon as these activities have resulted in a first operational product which meets
the stated requirements this product is delivered.
2
� -3-
Reproduction of software seems rather trivial. As a consequence we have to pay much
attention to planning and control of the development process.
Software is intangible and often very complex which makes it difficult to determine its quality.
-, It is therefore important to use design reviews and verification and validation in order to
prevent errors or detect them as early as possible.
The intangible nature of software makes it also difficult to distinguish one version from
r
another version. This makes it necessary to have a rigorous configuration management
system.
- Software development involves strong interaction and cooperation with the customer,
whether this is external customer or an internal customer. It is necessary to ensure a
complete set of specifications and a clear understanding thereof before the development is
- started.
Software development is project oriented. Before a project is started the availability has to be
ensured of the capabilities and resources necessary to complete the project successfully.
_ In addition project planning and control are important in all phases of the project.
In many instances it is to be recommended to work according to formalized methods, using
supporting tools and techniques. However such methods and techniques should not become
- an end in themselves and become an obstacle for the quality objectives.
4 ISO 90003 FOR SOFTWARE DEVELOPMENT
To give guidelines for the application of the general requirements of ISO 9001 to software
- development, an additional guidance standard has been drawn up: ISO 9000-3" This guidance
document describes a software quality system in three layers.
The main layer comprises the lifecycle activities, covering the software development process
" from specification to maintenance. The lifecycle activities are project-specific: they have to be
carried out for each separate project in a way which takes into account the specific
requirements of the project.
In the lifecycle activities we can distinguish two phases:
~, , The planning phase, in which we complete a contract. agree the specifications and Prepare a
workplan.
The i,mplementation phase which comprises the actual development activities.
.^ The second layer of a software quality system consists of elements which support the lifecycle
activities. In many cases software projects will be carried out using an existing system
environment and using existing supporting procedures and tools which are not Project specific.
-.
Some of these supporting elements are software oriented, such as configuration management
and development tools. We have also supponlng elements which are more general and not
software specific, e.g. document control or purchasing Procedures.
,.
Finally a software qualify system needs a management framework to bring all elements together
and to create the general organization and conditions for control over the Process and for
achieving quality. This framework is highly similar to other sectors of industry and has to Provide
the feedback loops as described previously in section 2 of this paper.
3
� -4m
5 OTHER STANDARDS AND MODELS FOR SOFTWARE QUALITY
In addltion to the ISO 9000 series we have also other standards and models available aiming at
improvement of software quality, e.g.:
IEEE has published a whole series of standards. technical oriented and defining detailed
specification of working methods.
The Software Capability Maturity Model (CHM) defines five levels of quality and productivify
and it provides a road map for a step by step implementation of the requirements.
The SPICE initiative (Software Process Improvement and Capability Determination) develops
a series of standards based on similar principles and approach as CMM.
The various standards and models have a common objective: to assist and enable an
organization to achieve better quality management of the software process.
They have also in common that quality improvement is not merely a technical issue. It is
primarily a management issue and requires a systematic approach in the organization.
A key element in quality improvement in all cases is good control and management of the
activities and processes; this is strongly supported by ISO 0000 which can therefore be
considered as a series of base standards. How can we possibly achieve improvement of our
process If we do not have control over the process?
6 IMPLEMENTATION OF ISO 9001 REQUIREMENTS
s
ISO 9001 is a generic standard For each process in an organization all relevant clauses of the
standard apply. There is no simple one to-one relation between the clauses of the .standard and
the processes in the organization, especially not in software development. For example the
clause on Design Control does not apply only to the "Design Department" but is applicable to all
processes where design activities take place. The requirements of this clause may be
implemented in a different way for different processes, depending on specific conditions and
circumstances. Key requirement in all cases is to provide adequate control of the process.
Implementation of a quality system should take the existing process as a starting point- This will
enable us to use as much as possible existing knowledge and experiences, even if we know that
it is not perfect. Therefore the start is to document the various activities in our existing process,
e.g. in a flowchart or process diagram. This will enable us to analyze what are the objecflves,
which inputs do we use, what outputs do we have and how can we control the process.
Following this we can map the requirements of ISO 9001 on the process. This will clarify where
we already satisfy the standard and where we need additional controls or procedures. _-,
We should not take ISO 9001 as a starting point and force our organization or our process into
the structure of the standard. This would mean major changes in our process and would make
existing knowledge and experience useless. -
In a similar way it is very difficult to take over the existing quality system of another organization
and import that into our own organization. The differences between the two organizations in
goals working methods and culture etc. will lead to difficulties. -
4
� -5- ISO mJ br ~ Quality Systems
- Throughout the implementation process we have to remember that the objective of a quality
system is not to impose rules, but to improve our process. The improvement should be visible
to the people directly involved in the activities.
w~ Also we have to be careful about the paperwork. A thin quality manual is preferable to a thick
one. A thick manual will not be read and it will certainly not be observed in practice.
Finally we have to bear in mind that a software quality system involves more than just a
r documented development method. This method is important. However, let us be aware that
development is one section of the standard and that there are 19 other sections dealing with
other processes.
-
From practical experience we can identify some issues which are specific for software
development, e.g.;
In internal software departments or in development of embedded software we often see
confusion over who is "the customer' (as referred to in 150 9000). In such cases the
customer is the part in the organization that approves the software specifications and the
.
budget. When the specifications change also a change may be needed in the budget and the
time-schedule.
- Configuration management has to be applied to the development project. But also to the
environment which supports the development, e.g. the computer network, compilers, test
sets etc.
ISO 9001 requires a clear distinction between internal release by the supplier and acceptance
by the customer. These activities should not be merged into a single test.
Many organizations carry out already project-audits~ Such an audit Wat consider: have we
completed the project on schedule, or what went wrong? In addition to project-audits we
also need internal system-audits, i.e. an audit of the quality system as a whole in order to
consider e.g.: are our development method and other working methods adequate and how
can we improve our process?
7 AUDITAND CERTIFICATION
-
A third party audit means a formal investigation whether a quality system satisfies the
requirements of ISO 9001. A successful audit may result in the certification of the organizations
- quality system.
A quality system audit may be carried out for several reasons, e.g.:
Presenf a chaf/enge
The implementation of ISO 701 presents a clear and challenging goal to the internal
organization which will help to stimulate and focus the qualify activities.
Provfde a benohmarfr
- An audit of the qualify system provides a clear and objective comparison with other
organizations.
Cuaforfrer conffdence
-- Audit and certification of the suppliers quality system can provide confidence to the
customer.
5
� H-
Especially In software development, where the customer is depending on the suppliers
quality system for successful completion of an unique product made to the customer's
specifications.
An audit involves a number of activities. In preparation of an audit a detailed audit..plan will be
prepared based on an analysis of the suppliers activities and organization in relation to the
requirements of the standard.
The actual audit starts with an appraisal of the documented quality system, Le. the quality
manual and associated qualify procedures and work instructions.- All procedures as required by
the standard have to be in place, for instance for contract review, for development planning, for
the use of tools, for document control etc. -
The next step is the verification of the practical application of all procedures and work
instructions in the organization. This involves interviewing staff and inspection of project files,
test records and other qualify records. --
The third important element is an audit of the feedback loop for internal control and
management of the quality system, by means of internal audits, management reviews and
,_-
corrective actions.
,~
A third party audit will be based as much as possible on objective evidence. The supplier will be
,-
asked to demonstrate that the required procedures and work instructions are available and
followed in practice. Of course ail information collected by the auditors will be treated fully
confidential.
After a successful audit a Certificate can be issued for the supplier's quality system. This means
formally that the qualify system complies with the requirements of the standard. In practical
terms if means that the supplier is able to deliver a product as specified and has effective
control procedures for this purpose.
Certification of a qualify system will be followed by periodic surveHlanceaudits. -
8 ITQS
A number of certification bodies cooperate in ITQS: the Agreement Group for Assessment and _-
Certification of Quality Systems in the Information Technology Sector. The objective of ITQS is
to promote the general acceptance and international harmonization of IT qualify system
.
certificates based on ISO 9000 standards.
Currently ITQS has 10 certification body members, located in 9 European countries:
AENOR(ES), AFAQ(FR), AVI(BE) BSI-QA(GB), CETECOM(DE), DELTA(DK) IMO(IT), KEMA(NL), --
NSAI(IR), TOV-Bayem(DE).
Contacts have been established with candidate members outside Europe.
\TQS was established in 1992 with support from the Commission of the European Union, in .-
response to a growing market perception of significant difference in the quality and depth of
audits in the IT-sector, as carried out by different bodies~ ITQS offers an open platform for
international harmonisation of competent and consistent audit and certification. _-
6
� -7~
ITQS members offer a number of benefits to their clients:
Accra&fifed and high levf3fserffices
Alt members offer audit and certification services with a high level of integrity. Their operation
- is verified and monitored by national accreditation authorities.
Compefenf and consistenf sudicfng
- The audit and certification methods and procedures are harmonised among the ITQS
members. The harmonisation includes:
* common auditor qualiffcation criteria
* the use of a common European IT Quality System Auditor Guide
* a continuous program of mutual audit observation.
MtJtua/ recogniffon
- The mutual recognition agreement among the ITQS members enables an IT company to
avoid multiple assessments and to obtain a quality system certificate that will be endorsed by
all ITQS members.
~ Centfal regiaer cl certiffcafjeS
ITQS maintains a central register of quality system certificates issued by its members. This
register is published regufarly and currently lists over 2000 certificates
An important element in the harmonisation is the European Quality System Auditor Guide. The
guide identifies IT-related aspects in a qualify system which needs to be verified in an audit.
.- However, it does not give additional requirements. The auditor guide is based on 150 9001 and
on the implementation guidance as given in ISO 90003. The use of the guide makes it possible
for auditors from different certification bodies to reach equlvalent results. The auditor guide has
been developed in close cooperation between ITQS and TicklT, the UK sector scheme for
software qualify system certiffcation. As a result the same auditor guide is used in ITQS and in
TicklT.
9 INTERNATIONAL HARMONISATION
-- As described before ITQS is a cooperation of a number of certification bodies. In the UK the
TicklT scheme has been established. In addition also in other countries proPosats have been
developed for software specific certification schemes.
- The possible emerging of a number of certiffcation schemes presents confusion to the market
regarding the meaning and the value of certificates and may create barriers to the general
acceptance of certificates.
.- To avoid theses risks a User Forum Meeting on international Harmonisat\on of IT Quality System
Certification was organised in September 1995 (The Hague, NL). In this event representatives of
Information Technology suppliers, users and certifiers from 17 countries on four continents
-
discussed the market requirement for international harmonisation between 150 9000 certification
bodies.
Also representatives of accreditation bodies attended.
The meeting expressed the opinion that international harmonisation is needed tO aHow one stoP
audit and general acceptance of quality system certificates.
7
� 8-
This should be achieved through agreed auditor competency criteria, auditor qualification
procedures, and equivalent and consistent audit and certification practices
Certification must be based only upon conformity with the ISO 9001/9002 standard; no
additional requirements for IT supplier quality systems shall be formulated. Up-todate guidance
should bridge the gap between every day practice and the high level of abstraction in the
standard.
The meeting installed a Task Force with the mission to ensure that:
IT users and suppliers obtain optimum benefit from implementation of ISO 9000
~ .
Certifiers deliver a consistent, reliable and relevant certification service that is recognised
_ '
worldwide.
This task force is now considering further proposala.
10 CONCLUSIONS
After a period of initial development clear panama are now established for the application of
ISO 9001 to the Information Technology Sector and especially to software development. It is
important to bear in mind the objectives and the principles of quality management:
qualify management is aimed at improvement of customer satisfaction and of the internal
processes
effective quality management will be based on a number of feedback loops in the
organization.
Implementation of a quality system takes considerable effort. A number of essential conditions
can be summarized as follows:
we need Commitment; without clearly visible commitment from management the rest of the
organization will not move
we need Communication; topdown and bottom-up throughout the organization
we need Consultation; the people who carry out the activities know where improvements in
the process can be made
It means a change in Culture; working mathods will have to change and qualify will become
an important consideration in our decisions.
Finally an organization should consider an audit and certification of the qualify system following
intemationaOy harmonized practices. However, certification should not be the main objective but
will be an added benefit, The primary objective and benefit of a quality system ties in the
improvements which will result from a successful implementation of ISO 9001.
8
� FOLKERT RIENSTRA
FolkertRienstra(born 1941) has been invOlvedtn LTsince 1965.
He works at KEMA,a third party testing and certlflcatiOnbOdy in the
Netherlands, where he was responsible for the development of LT quality
system certificationservlces~
He was invOlved tn drafting of ISO 9000`.S and participates in Its current
revision.He is chairmanof the AgreementGroup ITQS.
9
�