ISO 9001 an overview Tor Stlhane IDI NTNU

ISO 9001 – an overview Tor Stålhane IDI / NTNU

ISO 9001 and software development ISO 9001 is a general standard – equally applicable to software development and cooking. The standard originated in the production industry. In order to simplify the introduction of ISO 9001 to software development, ISO has developed a guide – ISO 90003. This is, however, not a standard

The main part The standard ISO 9001 has five main parts. In this part of the course, we will focus on the first four of them. • Quality management – part 4 • Management responsibility – part 5 • QA resources – part 6 • Product realization – part 7 • Measurement, analysis and improvement – part 8

Quality management • Establish, document, implement and maintain a quality system • Requirements for – what the quality system shall contain – not how things should be done – development and maintenance of a quality manual – control over the documents specified in the quality system

Management responsibility - 1 First and foremost – quality is the management’s responsibility. Management shall • show that they take QA seriously. This goes for both introduction and maintenance of the quality system • make sure that the QA system is adapted to the needs of the company One person in the management shall have responsibility for everything pertaining to QA.

Management responsibility - 2 Management shall periodically check how the QA system function. Important input is • Reviews of the QA system • Feedback from the customers • Status on preventive and corrective actions • Changes that may influence the QA system • Suggested improvements in general

QA resources The organization shall • Make available the resources needed to implement the QA system • Have an overview over the need for competence and provide the training necessary • Provide the infrastructure such as office space, equipment and services that are needed to make products that satisfies all requirements

Product realization - 1 The organization shall plan and develop a process for product realization. The process shall take into considerations • Quality goals • The needs for validation and verification • The needs for proof of conformance

Product realization - 2 The organization shall identify • Explicit and implicit customer requirements • Requirements related to laws and regulations • Organizational specific requirements, such as requirements pertaining to reuse and documentation

Product realization - 3 The organization shall evaluate all requirements before they sign a contract for development and delivery. The evaluation shall ensure that • All requirements are defined • All problems and TBDs are solved • The organization will be able to fulfill all requirements

Product realization - 4 The organization shall establish communication channels with the customer pertaining to • Product information • Contract questions and problems • Feedback – e. g. complaints - from the customer

Product realization - 5 The organization shall plan and design the product. This includes plans for • Design and development • Inspection, verification and validation • Communication between those who make the design and those who do the development in order to establish a clear line of responsibility. The plan shall be updated during the project as needed.

Product realization - 6 Input to the requirements phase shall, in addition to the customer’s requirements, also include • Government rules and regulations • Experience from earlier, similar projects Output from design and development shall be documented in such a way that verification and validation against input is simple to perform.

Product realization - 7 • We shall perform inspections and reviews according to plan. This is necessary to check that we have met all requirements for – Design and development – have worked as promised – Product – delivered as promised • The organization shall control that all products that we buy from a third party are according to our requirements

Product realization - 8 If we identify process steps where we cannot verify the results based on measurement or control, these steps need to be revalidated. The validation shall show that the process step can achieve the planned / specified results.

Proof of conformance - 1 Proof of conformance – Po. C – is a problem for many companies that want to be ISO certified. The purpose of Po. C is to prove that we have followed the defined processes • Po. C has no value for the company – it is only needed for the audits • It will always be a matter of opinion what should be accepted as Po. C

Proof of conformance - 2 The problem with Po. C is that it do not give the companies anything of value – it is just an extra cost. This creates a negative attitude towards QA plans and against QA in general. We should carefully assess how much extra work we will give the company here. It must • Be sufficient to satisfy the auditors • Not be so much that it creates strong negative attitudes among the developers

Proof of conformance - 3 As an example, we will consider some Po. Cs for the activity “Update project risk analysis”. • Meeting minutes – OK • Meeting plan or agenda – not so OK • The risk plan is updated on the right date according to the project plan – OK but not alone