ISO 9000 for Software EEE493 2000 - PowerPoint PPT Presentation

Slides: 33
Provided by: GregPh4
1
ISO 9000 for Software EEE493 2000
Royal Military College of Canada, Electrical and Computer Engineering
  • Major Greg Phillips
  • greg.phillips_at_rmc.ca
  • 1-613-541-6000 ext. 6190
  • Dr. Scott Knight
  • knight-s_at_rmc.ca
  • 1-613-541-6000 ext. 6190
2
ISO Key Software Standards
  • ISO/IEC 12207 (1995)
  • addresses best practices for software
    acquisition, supply, development, operation and
    maintenance
  • ISO/IEC 15504 (2001?)
  • addresses process maturity assessment and process
    improvement
  • available in draft form on the SEI web site
  • ISO 9001 (rev. 1, 1994) and ISO 9000-3 (rev. 2,
    1997)
  • address the requirements for a quality system for
    software design, development and maintenance
  • a draft version of ISO 9000-3 is included in the
    resources section of your CD
  • this is not exactly the final version, but it's
    close
  • because it's a draft, it's legal to copy without
    fee

3
ISO 9000 Philosophy
  • Document what you do
  • in conformance with the requirements of the
    applicable standard
  • Do what you document
  • Record what you did
  • Prove it
  • maintenance of registration requires audits every
    three years, with mini-audits every six months

4
ISO 9000 (1994/7) Structure
ISO 9000
  • ISO 9001: Quality System Model for Quality
    Assurance in design, development, production,
    installation and service
  • ISO 9002: Quality System Model for Quality
    Assurance in production, installation, and
    servicing
  • ISO 9003: Quality System Model for Quality
    Assurance in final inspection and test
  • ISO 9000-3: Guidelines for the application of ISO
    9001 to the design, development and maintenance
    of software
5
ISO 9000-3
  • Similar structure to IEEE/EIA 12207-2
  • quotes entirety of ISO 9001, one clause at a
    time, in boxes
  • provides explanatory guidance afterwards
  • sometimes no further software related guidance
    is provided
  • sometimes several pages to amplify one clause
  • Cross-referenced to ISO/IEC 12207
  • each clause individually cross-referenced (where
    applicable)
  • also contains a cross-reference table
  • not intended to be a complete description of the
    relation between ISO/IEC 12207 and ISO 9001, in
    particular how ISO/IEC 12207 covers the
    requirements of ISO 9001 and vice versa.

6
4.1 Management responsibilities
  • Define
  • a quality policy
  • the organizational structure to manage your
    quality system.
  • quality system responsibilities
  • a procedure that your senior managers can use to
    review the effectiveness of your quality system

7
4.2 Quality system requirements
  • Develop
  • a quality system and a manual that describes it.
  • procedures consistent with your quality policy.
  • quality plans to fulfill quality system
    requirements for
  • products
  • processes
  • projects
  • customer contracts
  • quality plans to control development projects
  • should explain how you intend to tailor your
    quality system so that it applies to your
    specific project, product, or contract.
  • detailed quality plans and procedures to control
    configuration management, product verification,
    product validation, nonconforming products, and
    corrective actions

8
4.3 Contract review requirements
  • Develop and document
  • procedures to coordinate the review of sales
    orders and customer contracts
  • include the customer in the process of review.
  • procedures to coordinate the review of software
    development contracts.
  • ensure all contractual requirements are
    acceptable before you agree to provide products
    or services to your customers
  • ensure you and your customer agree how
  • terms will be defined.
  • products will be accepted.
  • the customer will participate.
  • software users will be trained.
  • software upgrades will be handled.
  • joint progress reviews will be conducted.
  • changes in customer requirements will be handled.
  • problems will be handled after product acceptance.

9
4.3 Contract review requirements (II)
  • ensure you and your customers agree that
  • The project is feasible.
  • The legal rights of others will be respected.
  • The customer can meet all contractual
    obligations.
  • ensure that you have
  • established a project schedule.
  • identified significant risks and contingencies.
  • specified all contractual liabilities and
    penalties.
  • defined your software development procedures.
  • confirmed that resources will be available when
    needed.
  • clarified the extent of your responsibility for
    subcontractors.
  • procedures which specify how customer contracts
    are amended, and which ensure that changes in
    contracts are communicated throughout the
    organization.
  • a record keeping system that you can use to
    document the review of customer orders and
    contracts.

10
4.4 Product design requirements
  • Develop and document procedures to
  • control the product design and development
    process
  • must ensure that all requirements are being met.
  • plan product design and development
  • identify groups who should be routinely involved
  • ensure that their design input is properly
    documented, circulated, and reviewed.
  • ensure that all design input requirements are
    identified, documented, and reviewed
  • and that all design flaws, ambiguities,
    contradictions, and deficiencies are resolved.
  • control design outputs
  • specify how product design reviews should be
    planned and performed
  • specify how design outputs should be verified

11
4.4 Product design requirements (II)
  • Develop and document procedures to
  • validate the assumption that your newly designed
    products will meet customer needs
  • ensure that all product design modifications are
    documented, reviewed, and formally authorized
    before the resulting documents are circulated and
    the changes are implemented

12
4.5 Document and data control
  • Develop procedures to
  • control quality system documents and data.
  • identify all documents and data that must be
    controlled.
  • control your documents and data.
  • review, approve, and manage all of your quality
    system documents and data.
  • control electronic documents and data.
  • control changes to documents and data.

13
4.6 Purchasing requirements
  • Develop procedures to
  • ensure that purchased products meet all
    requirements.
  • should control the selection of subcontractors,
    the use of purchasing data, and the verification
    of purchased products.
  • purchased products includes both products and
    services.
  • select, evaluate, monitor, and control your
    subcontractors (your suppliers).
  • keep quality records of the performance of all
    your subcontractors.
  • records should identify the acceptable
    subcontractors and the products and services they
    provide.
  • ensure that your purchasing documents precisely
    describe what you want to buy.
  • allow you or your customers to verify the
    acceptability of products you have purchased.

14
4.7 Customer-supplied products
  • Develop procedures to control products supplied
    to you by customers. These procedures should
    ensure that you
  • Examine the product when you receive it to
    confirm that the right items were shipped without
    loss or damage.
  • Prevent product loss, misuse, damage, or
    deterioration through proper storage and
    security.
  • Record, and report to the customer, any product
    loss, misuse, damage, or deterioration.
  • Clarify who is responsible for the maintenance
    and control of the product while it is in your
    possession.
  • Control products, services, documents, and data
    supplied by customers.

15
4.8 Product identification and tracing
  • Develop procedures to
  • assign unique identifiers to your software
    products and components.
  • You should assign identifiers during the product
    definition phase and be able to maintain these
    identities throughout the product life cycle.
  • track your software products and components.
  • You should be able to track your software
    throughout its life cycle.
  • Use configuration management methods to identify
    and track your software products and components

16
4.9 Process control requirements
  • Develop and document
  • procedures to plan, monitor, and control your
    production, installation, and servicing
    processes.
  • record keeping system that monitors and controls
    process personnel and equipment.
  • Make sure that all important process qualities
    are monitored and recorded.
  • procedures to control the software replication
    process.
  • procedures to control the software release
    process.
  • procedures to control the software installation
    process.

17
4.10 Product inspection and testing
  • Develop and document
  • procedures to inspect, test, and verify that
    incoming, in-process, and final products meet all
    specified requirements.
  • software test plans.
  • procedures to verify software products and data
    that are provided by third parties and will be
    built into your software product.
  • Third parties may include your customers and
    suppliers.
  • procedures which ensure that work-in-process
    meets all requirements before work is allowed to
    continue.
  • Perform software validation tests and software
    acceptance tests.
  • Develop a record keeping system that your staff
    can use to document all product testing and
    inspection activities.

18
4.11 Control of inspection equipment
  • Develop procedures
  • to control, calibrate, and maintain inspection,
    measuring, and test equipment used to demonstrate
    that your products conform to specified
    requirements
  • the term equipment includes both hardware and
    software
  • to ensure that your measurement equipment is
    appropriate, effective, and secure.
  • calibrate all of your quality oriented
    inspection, measuring, and test equipment.
  • to calibrate hardware and tools used to test and
    validate your software products.
  • Use tools, techniques, and equipment to test
    whether your software products meet specified
    requirements.

19
4.12 Inspection and test status of products
  • Develop
  • procedures to control the test status of your
    products. These procedures should ensure that
  • Each and every product is identified as having
    passed or failed the required tests and
    inspections.
  • The test status of each product is documented and
    respected throughout the production,
    installation, and servicing process.
  • Only products that have passed all tests and
    inspections are subsequently used or sold to
    customers (unless an official exception is made
    under section 4.13).
  • methods to identify and control the test status
    of your software products and components.

20
4.13 Control of nonconforming products
  • Develop procedures
  • to prevent the inappropriate use of nonconforming
    products.
  • Also make sure that everyone is notified when
    your products do not conform to specified
    requirements.
  • Segregate your nonconforming software by placing
    it into a separate environment.
  • control how your nonconforming products are
    reviewed, reworked, regraded, re-tested,
    recorded, and discussed.
  • Control
  • how software defects and nonconformities are
    investigated and resolved.
  • the disposition of nonconforming software
    products and components.
  • Re-test modified software products.

21
4.14 Corrective and preventive action
  • Develop procedures
  • to correct or prevent nonconformities.
  • to ensure that nonconformities are identified and
    corrected without delay.
  • to ensure that potential nonconformities are
    routinely detected and prevented.
  • Use
  • configuration management procedures to control
    corrective and preventive actions that affect
    software items and products.
  • document and data control procedures to control
    corrective and preventive actions that affect
    software life cycle processes.
  • Develop preventive actions
  • by analyzing the root causes of your
    nonconformities.
  • by analyzing unfavorable metric levels and
    trends.

22
4.15 Handling, storage, and delivery
  • Your product handling procedures should help
    prevent damage to your software products and
    avoid deterioration.
  • Develop procedures and methods
  • to control how your software products and items
    will be stored and protected.
  • to protect and preserve software product quality
    prior to delivery while the product is still
    under your control
  • to preserve product integrity and protect against
    software viruses.
  • Store software masters and copies in a secure
    environment.
  • Protect your software during delivery.

23
4.16 Control of quality records
  • Identify and define the quality information that
    should be collected.
  • Develop a quality record keeping system, and
    develop procedures to maintain and control it.
    Develop procedures to
  • Collect and record quality information (create
    records).
  • File, index, store, and maintain quality records.
  • Remove, archive, and destroy old quality records.
  • Protect quality records from unauthorized access.
  • Prevent records from being altered without
    approval.
  • Safeguard records from damage or deterioration.
  • Software quality records are documents and files
    that prove that quality activities were performed
    and quality results were achieved.

24
4.17 Internal quality audit requirements
  • Develop internal quality audit procedures which
  • Determine whether quality activities and results
    comply with written quality plans, procedures,
    and programs.
  • Evaluate the performance of your quality system.
  • Verify the effectiveness of your corrective
    actions.
  • These procedures should also ensure that
  • Audit activities are properly planned.
  • Auditors are independent of the people being
    audited.
  • Audit results, corrective actions, and corrective
    action results and consequences are properly
    recorded.
  • Audit conclusions are discussed with the people
    whose activities and results are being audited,
    and deficiencies are corrected.
  • Audit reports are fed back into the quality
    system review process.
  • Develop an internal audit plan or program for
    software projects.

25
4.18 Training requirements
  • Develop quality training procedures. These
    procedures must ensure that
  • Quality system training needs are identified.
  • Quality training is provided to those who need
    it.
  • People are able to perform quality system jobs.
  • People have the qualifications they need to do
    the work.
  • Accurate and appropriate training records are
    kept.
  • Everyone understands how your quality system
    works.
  • Identify the training that will be needed to
    develop software products and to manage software
    development projects.
  • Identify your training needs by studying how
    software will be developed and how projects will
    be managed.

26
4.19 Servicing requirements
  • Develop and document quality service procedures.
    Your procedures should specify how
  • Products should be serviced.
  • Product service activities are reported.
  • The quality of product service is verified.
  • Develop
  • procedures to control your software maintenance
    process.
  • plans to control your software maintenance
    projects.
  • Keep a record of your software maintenance
    activities.

27
4.20 Statistical techniques
  • Select statistical techniques that you will need
    in order to establish, control, and verify your
    process capabilities and product characteristics.
  • Develop procedures
  • to explain how your techniques should be applied.
  • to monitor and control how techniques are used.
  • Make sure that all statistical procedures are
    documented.
  • Make sure that proper statistical records are
    kept.
  • Use statistical techniques
  • to analyze the software development process.
  • to analyze software product characteristics.
  • to evaluate process and product quality.

28
Recall ISO 9000 (1994/7) Structure
ISO 9000
  • ISO 9001: Quality System Model for Quality
    Assurance in design, development, production,
    installation and service
  • ISO 9002: Quality System Model for Quality
    Assurance in production, installation, and
    servicing
  • ISO 9003: Quality System Model for Quality
    Assurance in final inspection and test
  • ISO 9000-3: Guidelines for the application of ISO
    9001 to the design, development and maintenance
    of software
29
This will all be obsolete shortly.
  • a new version of the ISO 9000 series, ISO
    9000:2000, is now available in DIS (Draft
    International Standard) form
  • merges ISO 9001, 9002, 9003 into a single
    standard called ISO 9001-2000
  • significantly different in format and content
    from ISO 9001-1994
  • eventual impact of this change on 9000-3 is
    unclear
  • will 9000-3 be dropped?
  • will there be a new version supporting ISO
    9001-2000?

30
ISO 9001-2000
  • New quality system requirements
  • Communicate with customers (7.2.3).
  • Identify customer needs and expectations (5.2,
    7.2.1).
  • Meet customer needs and expectations (5.2).
  • Measure and monitor customer satisfaction
    (8.2.1).
  • Meet regulatory requirements (5.1, 5.2).
  • Meet legal requirements (5.1, 5.2).
  • Support internal communication (5.5.4).
  • Provide quality facilities (6.3).
  • Provide a quality work environment (6.4).
  • Evaluate the effectiveness of training (6.2.2).
  • Measure and monitor realization processes
    (8.2.3).
  • Evaluate the effectiveness and suitability of
    quality system (8.4).
  • Identify quality management system improvements
    (5.1, 8.4).
  • Improve quality management system (5.1, 8.5).
  • Less emphasis on procedures, more emphasis on
    results
  • Flexibility to exclude some requirements in some
    circumstances

31
ISO 9001 versus SEI SW-CMM
  • The Capability Maturity Model for Software
    (CMM), developed by the Software Engineering
    Institute, and the ISO 9000 series of standards,
    developed by the International Standards
    Organization, share a common concern with quality
    and process management. The two are driven by
    similar concerns and intuitively correlated.
    Although an ISO 9001-compliant organization
    would not necessarily satisfy all of the level 2
    key process areas, it would satisfy most of the
    level 2 goals and many level 3 goals. Because
    there are practices in the CMM that are not
    addressed in ISO 9000, it is possible for a level
    1 organization to receive 9001 registration;
    similarly, there are areas addressed by ISO 9001
    that are not addressed in the CMM. A level 3
    organization would have little difficulty in
    obtaining ISO 9001 certification, and a level 2
    organization would have significant advantages in
    obtaining certification.
  • Mark Paulk, SEI

32
Next Class: Build Cycle