Monday, February 14, 2011

ISO 9001 Standards – Risks and opportunities

The first things to consider when we want to change a people-intensive process are:
• What do the people involved fear? These are the risks – things that we must prevent.
• What do people hope for? These are the opportunities – things that we must strive to obtain.
In order to better understand risks and opportunities, we used a two-step approach. We started by interviewing two developers and one manager. The interviews were semi-structured in that we had a set of questions that we needed answers to but, in addition, we used follow-up questions to gain a better understanding of the answers to the predefined questions. The focus of the interview was on what they expected would happen if the company implemented an ISO 9001 certified process. Two typical examples of what came out of the interviews are shown below – one from a developer and one from a manager.
Manager: Implementing ISO 9001 will cost quite a lot. At the same time, the company will get a better overview of its competence, its experience and its document templates. ISO certification is an investment. We are, however, unsure of how long we have to wait before we can reap the benefits.
Developer: Some of the developers may have a negative attitude towards ISO certification because they are afraid it will hurt creativity. This is not only true for ISO 9001 standards but holds also for coding standards and other rules and regulations. Rules and standards can take away all the fun from the job. In many ways this is the same attitude as we saw when we started to reuse components – many developers were afraid that they would not be allowed to develop things but just had to use “toy bricks”.
After the interviews we found that:
A. Everybody in the company – both managers and developers – filled in the questionnaire.
The items in the questionnaire that got an average score of 5.0 or more were considered for risk and opportunity analysis. This gave us the following items:
• When we get ISO certified, we will have to generate more documents for each development project.
• It is important that all employees participate actively in the introduction of new processes, standards and procedures. This is consistent with e.g. Trittmann et al.’s observation
• Active management participation is important in order to make the introduction of an ISO certified process a success.
• Active management support is important in order to make the introduction of ISO certification a success.
• An ISO certified process will lead to better working practices in the company in general.
Based on our findings, we identified the following risks that needed to be controlled throughout the implementation of the ISO 9001 certified process:
Risk 1: The introduction of new documents or additions to existing documents.
We decided that we should not make new documents except if absolutely needed.
Risk 2: Developer participation. The developers must be included at all steps in the process. Their experiences and advice are important input to the new processes and procedures.
Risk 3: Management participation and support. Management must show their commitment by allocating money and time to the ISO implementation activities.
Opportunity 1: Better working practices. The changes in the development process must be considered to be improvements by the developers.
Management and developers are in agreement in the sense that everything the developers found important also was ranked high by management. There were, however, some cases where the two groups disagreed strongly – average score difference greater than 2.0. In all cases, management ranked these items higher than the developers.
The points are:
• Introducing an ISO certified process will cost a lot but will be a good investment – developers 3.3 vs. managers 6.0
• Introducing an ISO certified process will give the company a better control over the order situation – developers 3.0 vs. managers 6.0
• Introducing an ISO certified process will give us more satisfied customers already after one year – developers 3.2 vs. managers 6.0
Management is more optimistic than the developers when it comes to business related issues such as order situation and customer satisfaction.

Extreme Programming For ICT In ISO 9001 Standards

Extreme Programming represents a new wave in software development known as the approach. Tom DeMarco, the father of structural analysis, calls Extreme Programming the most important movement in software engineering. The strong points of Extreme Programming in the ICT context are as follows:
– Risk minimization. ICT is developing very fast. To catch up with current developments it is necessary to make investments in new technologies and try new tools out. On the other hand, new tools and technologies are immature and one cannot depend on them. The best approach is to make some (preferably small) investment now and after some time invest more or give up, depending on the developments (it is like buying an option on the stock exchange). Extreme Programming is based on incremental software development and it suits this strategy very well.
– Customer orientation. In Extreme Programming all the business decisions are made by the customer and he has the full control over the development process.
– Lack of excessive paperwork. In Extreme Programming programmers concentrate on programming, not on writing documentation. The only artifacts they have to produce are test cases and code.
– Quality assurance through intensive testing. In XP programmers first create test cases then they write code. Automated tests and integration are performed several times a day and they drive the development process.
– Lack of overtime. Short releases and increments allow the team to gain experience very fast. This makes planning easier and more dependable. As a result, programmers do not have to (always) work overtime.
Extreme Programming also has weak points. The most important are problems with software maintenance.
Since the only artifacts are test cases and code, after some time it can be very difficult to maintain the software. It would also be a problem from the ISO 9001 point of view. In the remaining part of the paper we propose how to solve that problem.

Software Development in an ISO 9000 company

The ISO 9001:2008 standard defines requirements for a process-oriented Quality Management System. This means that desired results are achieved more efficiently when the related resources and activities, together with encompassing customer needs and satisfaction, are managed as a process. The Quality Management System is specified in a Quality Manual document featuring a three-tier structure, which consists of Quality Processes (including Quality Policies), Quality Procedures and Work Instructions.
The problem is that Work Instructions are sometimes too bureaucratic. A good example of that approach is Tricker’s book on ISO 9000. According to it, a Work Instruction takes about 16 pages. Half of them contain purely administrative data (document data sheet, distribution list, amendments, list of annexes etc.). That makes the whole Quality Management System documentation superfluously thick.
Another drawback of Tricker’s approach is form-orientation: Work Instructions focus on how to fill in the forms used by the Quality Procedures. What we propose is to make Work Instructions shorter (some elements can be omitted, some, e.g. terminology, can be put together and placed in one section). Moreover, Work Instructions should describe practices specific for a given methodology of software development.
In our opinion, a quality organization needs two things: a general Quality Management System operating on a high abstraction level and a Thesaurus (knowledge database), which should materialize the company’s knowledge. In the thesaurus, templates of e.g. Quality Plans, historical data concerning past projects etc. can be deposited. This information will be indispensable during planning and improving software processes.
The clauses of ISO 9001:2008 can be split into two parts. One part describes the general Quality Management System (chapters 4, 5, and 6) while the other part specifies requirements for a methodology to be adopted by an ISO-9000 company (chapters 7 and 8 of ISO 9001:2008). In the remaining part of the paper we will focus on requirements imposed by chapters 7 and 8 of the ISO 9001:2008.
