ISO standards

ISO is the creation of the International Organization for Standardization (ISO), a Swiss-based federation of national standards bodies. ISO started out as a European standard. If your company didn’t have ISO 9000 certification, it wasn’t permitted to bid on a proposal. In particular, many European telecom companies require ISO 9000. ISO 9000 shows customers and potential customers that you have a basic quality system in place to produce a consistent product.

ISO 9000

The standards have been adopted by over 60 countries including all members of the European Community, Canada, Mexico, the United States, Australia, New Zealand, and the Pacific Rim. Countries in Latin and South America have recently shown interest in the standards. After adopting the standards, a country typically permits only ISO registered companies to supply goods and services to government agencies and public utilities.

It serves as a reference for contract between independent parties. It specifies guidelines for maintaining a quality system. It is based on the premise that if a proper process is followed for production; good quality products are bound to follow.

ISO 9000 addresses organizational aspects such as responsibilities, reporting, procedures, processes, and resources for implementing quality management. It is basically a set of guidelines for the production process and not concerned about the product itself.

The process to get a ISO 9000 certifications consists of following steps:

• Application
• Pre-assessment
• Documents review and adequacy of audits
• Compliance audit
• Registration
• Continued surveillance

It consist a series of 3 standards: ISO 9001, ISO 9002, and ISO 9003.

ISO 9001

Applies to organizations engaged in design, development, production, and servicing of goods and is applicable to most software development organizations. It has been designed to be used in a third-party audit mode where the organization’s quality system is audited against the requirements set out in the standard. ISO 9001 specifies requirements for a quality management system where an organization:

• Needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements, and
• Aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

All requirements of ISO 9001 are generic and are intended to be applicable to all organizations, regardless of type, size and product provided. Some of the requirements are:

• Management responsibility
• Quality System
• Contract Reviews
• Design Control
• Document control
• Purchasing
• Purchaser Supplied product
• Product Identification
• Process control
• Inspection and testing
• Inspection, Measuring and Test Equipment
• Inspection and Test Status
• Control of Nonconforming Product
• Corrective action
• Handling
• Quality records
• Quality Audits
• Training
• Servicing
• Statistical Techniques

ISO 9000:1994 – It was published in 1994, the 9000-3 guidelines were revised to incorporate a much more proactive approach to quality. Quality Assurance activities were specifically added to each phase of the development cycle.

ISO 9001:2000 – It was introduced in 2000, a further shift was made away from the pure quality control of 9000-3 to the concept that management must be actively involved in the development of quality systems. This was a major shift from a line focused, documentation heavy approach that enriched the quality assurance approach introduced in 9000:1994. This publication introduced five Quality Elements to replace the list of 23 contained in 9000-3. These are

• Quality Management System
• Management Responsibilities
• Resource Management
• Product Realization
• Measurement, Analysis and Improvement

As ISO received feedback from various organizations using their guidelines, they addressed gaps and issues brought to their attention. ISO 9126 was introduced in 2000 as a standard for evaluating software. It created a list of characteristics and sub-characteristics for quality software, which are

• Functionality – which includes suitability, accuracy, interoperability, compliance and security
• Reliability -which includes maturity , recoverability and fault tolerance
• Usability – which includes learnability, understandability and operability
• Efficiency – which includes time behavior and resource behavior
• Maintainability – which includes stability, analyzability, changeability and testability
• Portability – which includes installability, replaceability and adaptability

ISO 9002

ISO 9002 applies to organizations which do not design products but are only involved in production. These are not applicable to software development organizations.

ISO 9003

ISO 9003 applies to organizations involved only in installation and testing of the products.

The International Organization for Standardization (ISO) was founded in 1946 and is based in Geneva, Switzerland. It has more than 90 member countries. The ISO through one of its technical committees developed a series of international standards for quality systems – ISO 9000 They were first published in 1987 and have been revised twice, once in 1994 and most recently in late 2000.

The ISO 9000 series of standards is generic in scope. By design, the series can be tailored to fit any organization’s needs, whether large or small, manufacturing or service. These standards have been adopted by 3, 50,000 organizations in more than 60 countries.

The new ISO 9000 series consists of three standards:

• ISO 9000:2000: Quality Management Systems – Fundamentals and Vocabulary
• ISO 9001:2000: Quality Management Systems – Requirements: This is the new, unified standard against which an organization can be certificated. It replaces 1994’s ISO 9001, 9002 and 9003 and is based on a ‘plan, do, check, act’ model
• ISO 9004:2000: Quality Management Systems – Guidelines for Performance Improvement

ISO 9001:2000

ISO 9001:2000 is the core and auditable standard and is described in a little detail below: ISO 9001:2000 ISO 9001 is a standard designed to specify requirements for a quality management system where an organization:

• Aims to enhance customer satisfaction through the effective application of the system, including processes for continual business improvement, and
• Needs to demonstrate its ability to provide products and services that constantly meet customer and applicable regulatory requirements.

Process Model

Any activity or operation which receives inputs and converts them to outputs can be considered as a process. Essentially all production and/or service activities and operations are processes.

For organizations to function, they have to define and manage numerous interlinked processes. Often the output from one process will directly from the input into the next process. The systematic identification and management of the various processes employed within an organization, and particularly the interactions between such processes, may be referred to as the ‘process approach’ to management.

This International Standard encourages the adoption of the process approach for the management of the organization and its processes, and as a means of readily identifying and managing opportunities for improvement.

To adopt this “process approach” ISO 9001 includes a Plan Do Check Act (PDCA) methodology that can be applied to all processes and can briefly be described as follows:

Plan: establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organization’s policies.

Do: implement the processes.

Check: monitor and measure processes and products against policies, objectives and requirements for the product and report the results. Act: take actions to continually improve process performance.

The continual improvement model in t he standard, looks like this:

Key Clauses of ISO 9001:2000

Management Responsibility: Top management has an ongoing commitment to the quality management system. They are responsible for identifying all of the relevant business requirements, communicating organizational policy and providing resources to ensure implementation, maintenance and continual improvement of the quality management system.

Resource Management: The day today management of quality and effectiveness relies on using the appropriate resources for each task. These include competent staff with relevant (and demonstrable) training, the correct tools and supporting services.

Product Realization: This is the design (where applicable) and production of the products and services you provide. In addition to production planning and scheduling resources, product realization includes determining and measurably meeting customer requirements.

Measurement, Analysis and Improvement: This is a key requirement for a successful business. It involves those measurements being made to help improve your organization and demonstrate product conformity. Statistical techniques should be used where appropriate.

Quality Management Principles

ISO 9000:2000 sets out eight quality management principles to facilitate the achievement of quality objectives within an organization. These are:

Customer focus: understanding and meeting customer needs, whilst striving to exceed customer expectations

Leadership: creating an environment in which people become fully involved in achieving objectives

Involvement of people: enabling people at all levels of an organization to use their abilities for the maximum benefit of the organization

Process approach: the management of related resources and activities as a process, i.e. matched to the business structure of the organization

System approach to management: managing a system of interrelated processes to contribute to the effectiveness management and efficiency of the organization Continual improvement: this should be a permanent objective of the organization Factual approach to decision making: to using logical or intuitive analysis of data and information for effective decision decision-making

Mutually beneficial supplier relationships: using mutually beneficial relationships between the organization and its suppliers to create value these principles have been identified as being able to facilitate the achievement of quality objectives and assist with the aim of implementing a management system that will continually improve performance by addressing the needs of all interested parties.

Benefits of Adopting ISO 9000

The following are some of the benefits that accrue to an organization that successfully implements ISO 9000 quality management framework:

• Improved consistency of service/product performance and therefore higher customer satisfaction levels
• Improved customer perception of the organization’s image, culture and performance
• Improved productivity and efficiency, which lead to cost reductions
• Improved communications, morale and job satisfaction staff understands what is expected of them and each other.
• Competitive advantage and increased marketing and sales opportunities.

However, ISO 9000 also attracts its fair share of criticism, particularly due to the fact that obtaining and maintaining ISO 9000 certification is a lengthy and costly effort. Critics say that the complex process and sheer volume of documentation involved can be daunting, especially for small and medium sized enterprises. Some companies adopting the frame work also claim that they find it difficult to sustain the initial enthusiasm for the process within their staff. But the increasingly wide availability of accredited training providers and the comparatively flexible and stream lined structure of the revised standards has somewhat alleviated these perceived drawbacks.

Checklist for Conducting a Gap Analysis of a Quality Management System:

‘Gap analysis’ refers to the detailed analysis of the present quality management system in an organization to determine whether it meets the requirements of ISO 9001:2000. What are the gaps from the specified requirements? Following is an abbreviated checklist to give you an idea about what is involved.

• Does the company have framed a quality policy with the accompanying objectives?
• Does the company have a documented procedure for controlling the documents, issuing the documents, controlling the obsolete documents from unintended use?
• Have the company identified the quality records per the requirements of the standard? Have they defined the storage, identification, and retention requirements?
• Does the company have a purchasing policy with the approval procedures for its suppliers?
• Does the company identify, monitor, measure and analyze different processes?
• Does the company have laid down quality objectives at all levels and at all functions?
• Does the company measure the dissatisfaction or satisfaction levels of the customer?
• Are the measuring devices that affect product quality calibrated?
• Are the data from operations, quality analyzed for continual improvement?
• Does the company have a procedure for assessing the training needs and measuring the effectiveness of training?
• Are there any corrective and preventive actions program laid down?
• Does the company have framed an effective procedure to identify and control the non-conforming product to prevent its unintended use or delivery?
• Does the company take care of the customer’s properties provided for use or incorporation into the product?
• Does the company identify the product by suitable means during product realization? In case of traceability requirement, does the organization control and record the unique identification of the product?
• How does the company determine the competency necessary to perform work affecting product quality? How does the company organize training and evaluate the effectiveness of training?
• How does the company determine, provide and maintain the infrastructure needed to achieve conformity to product requirements?
• How does the company determine and manage the work environment needed to achieve conformity to product?
• How does the organization determine, review the customer’s requirements, even though they were not specified?
• How does the organization pass these requirements to other functions for product realization?
• Does the top management conduct the review of the quality management system to check its continuing suitability, adequacy and effectiveness?

A Few Key Terms

ISO 9000: a generic name given to the standards developed to provide a framework around which a quality management system can effectively be planned and documented.

Quality Management System (QMS): a well documented system that ensures consistency and improvement of working practices, including the products and services produced.

Assessment: a verification of the effectiveness of the management system operated by an organization through examination of materials, processes, finished product, methods of test, records, systems, services and other activities established by an organization within its quality system.

Process: any activity or set of activities that uses resources to transform inputs into outputs can be considered a process.

Plan – Do – Check – Act: the model forms the basis for much of the strategy embodied in ISO 9000. A fairly common sense process of planning, doing, checking and then acting to continually improve the quality system

Continual Improvement: a recurring activity to increase the ability to fulfill requirements.

Gap Analysis: a process an organization goes through to determine the difference between what the processes or quality management system is like now and what it should be when it conforms to the requirements of ISO 9001:2000

ISO 15504

It incorporated much of the process assessment capability developed by SPICE (Software Process Improvement and Capability dEtermination). This framework was designed to support process assessment, process improvement and capability determination.

In addition to the five Maturity Levels de scribed in SEI/CMM and CMMI, the SPICE model adds a Level 0: Incomplete Processes. ISO 15504 focused on five process areas

• Customer-supplier processes
• Engineering processes
• Support processes
• Management processes
• Organization processes

ISO/IEC 9241-11

Part 11 of this standard deals with the extent to which a product can be used by specified users to achieve specified goals with Effectiveness, Efficiency and Satisfaction in a specified context of use.

This standard proposed a framework which describes the usability components and relationship between them. In this standard the usability is considered in terms of user performance and satisfaction. According to ISO 9241-11 usability depends on context of use and the level of usability will change as the context changes.

ISO 20000

It is the standard introduced to addressed the issue of Information Technology Service Management. Based significantly on work done by the British Standards Institute, ISO 20000 addresses how to control and manage the delivery of Information Technology products and services. There are two areas: 20000-1 is the Specification for Service Management and 20000-2 is the Code of Practice for Service Management.

Shortcomings of ISO Certification

• It requires a software production process to be adhered to, but does not guarantee the process to be of high quality
• No international accreditation agency exists
• Organizations getting ISO 9000 certification often tend to downplay domain expertise.
• ISO 9000 does not automatically lead to continuous process improvement.