Orion Canada Inc.
     
   
       
   
 
   
   

Research Article

ISO 9001 Registration:
Lessons Learned by Canadian Software Companies

By Chris FitzGibbon MMS, CSQE, CQMgr, CQA
Published in: Proceedings of the Fifth International Conference on Management of Technology. February 27-March 1, 1996, Miami, Florida, p. 193-201.

Abstract

This article provides the key lessons learned by Canadian software companies that have successfully registered to the ISO 9001 quality standard. The paper extracts important points made in the book ISO 9001 Registration for Small and Medium Sized Software Enterprises (1995).

The first section of the article describes the ISO 9000 series of standards and their applicability to software. In the second section, a list of benefits of ISO 9001 registration to Canadian software companies is identified. Finally, the key lessons learned from planning and implementing ISO 9001 projects are reviewed.

Key Words: software quality assurance; quality management; software process; software process improvement; ISO 9000; ISO 9001; ISO 9000-3

Introduction

Software is unusually error-prone and frequently displeasing to end users (Royce, 1993: 90). New software routinely overruns its schedule, exceeds its budget, and falls short of its performance targets (Bennatan, 1992: 9; Royce, 1993: 90; van Genuchten, 1991: 582-83; Thamhain and Wilemon, 1986: 75). To address these inadequacies, software development must be treated as a process that can be controlled, measured and improved (Humphrey, 1989: 4). Registration of a software company's quality management system (QMS) to ISO 9001 provides independent third-party assurance that an effective software development process is in use (Bailetti and FitzGibbon, 1995: 11).

Despite evidence of poor quality, most software developers have not capitalized on formalized quality design practices (Myers, 1993: 102). In Canada, fewer than two dozen of the 10,000 companies that design and develop software have registered their QMS to ISO 9001. A recent survey of Canadian software companies found that 91 percent of respondents considered the quality of their software products to be very important; however, only four of the 104 respondents felt their QMS was adequate for registration to ISO 9001 (Information Technologies Industry Branch, 1994: 8).

ISO 9000 Standards

ISO 9000 is a series of international standards developed by the International Organization for Standardization (ISO) and adopted by 71 countries. The ISO 9000 series of standards provides guidelines on quality management and assurance. The standards provide a framework for a QMS, but they do not specify the particulars for implementation. They state what has to be done, not how things must be done. ISO 9000 standards are not specific to any industry and they apply to companies of all sizes. The focus is on the QMS of a supplier's engineering and production process. This focus was selected in the belief that a high quality process will result in the production of high quality products and services. The standards emphasize achieving customer satisfaction through prevention of non-conformance rather than through testing. Although the scope of the standards is most applicable to contractual arrangements, provisions are made to include development processes in which no formal customer is identified, such as production of off-the-shelf software. All customer-orientated development and production processes can be registered to an ISO 9000 standard.

Registration to an ISO 9000 standard provides assurance from an independent accredited registrar that a supplier has a documented quality system that satisfies the standard's requirements and that the ISO program has been implemented at the company's facility. ISO 9000 standards do not certify the specifications or performance of products.

The ISO 9000 series contains a total of five documents, three of which describe quality standards in different domains:

  • ISO 9001: Quality Systems - Model for Quality Assurance in Design, Development, Production, Installation, and Servicing,
  • ISO 9002: Quality Systems - Model for Quality Assurance in Production, Installation, and Servicing,
  • ISO 9003: Quality Systems - Model for Quality Assurance in Final Inspection and Test.

The other ISO 9000 documents, named ISO 9000 and ISO 9004, are guidelines for the selection of the appropriate standard and its use. The ISO 9001 standard is the most comprehensive quality standard in the ISO 9000 series and is the most applicable of the ISO 9000 standards to software design and development. Registration to ISO 9001 certifies that a company's QMS and the processes used to design, develop, produce, install, and service a product or service meet the 20 requirements specified and explained in Appendix A.

 

Principles underlying ISO 9000

  • Say what you do: Document each step in your company's business process.
  • Do what you say: Ensure that all processes adhere to written procedures.
  • Show what you have done: Document evidence that your QMS meets ISO requirements and that the quality standard is being implemented effectively.
  • Verify: Conduct periodic internal audits to ensure continued suitability, compliance, and effectiveness of the QMS.

Software Developers and ISO 9001 Registration

There is strong support for the development of an ISO 9001-compliant software QMS. High-quality software requires thorough planning from the start of the project, and the characteristics of quality must be built into the product. It is no good producing a system, discovering major errors at the testing stage and then trying to correct them to produce a quality product; quality cannot be added as an extra ingredient at the end of a project (Deming, 1986: 29; Ince, 1993: 169).

ISO 9001's generic nature does not consider the special requirements of software. The production process in software is a relatively insignificant part of the total development effort. Definition of requirements, as well as design, implementation, maintenance, verification, and validation, account for a larger share of development activities. Further factors differentiating software include the market demand for open systems and the global nature of the software industry. Such needs led to the introduction of ISO 9000-3: Guidelines for the Application of ISO 9001 to the Development, Supply and Maintenance of Software.

The objective of ISO 9000-3 is to facilitate the implementation of ISO 9001 requirements to the software engineering process. ISO 9000-3 does not add any further requirements to those in ISO 9001. It is a document created to assist companies in interpreting ISO 9001 requirements within the context of software; topics include joint reviews, acceptance testing, and configuration management.

The Benefits of ISO 9001 Registration

The benefits that managers of Canadian software firms associate with ISO 9001 registration include:

  • increased productivity
      • increased efficiency of the company's internal operations;
      • clearer definition of responsibility and accountability;
      • better traceability of quality problems to their root causes;
      • less time required to fix errors;
      • increase in the number of activities that are performed properly on the first try;
  • lower costs
      • lower costs and increased productivity;
      • fewer procedures - elimination of unnecessary approvals and redundant work practices;
      • reduced number, cost, and scope of customer audits;
  • more effective marketing
      • greater access to foreign markets that require ISO 9001;
      • greater likelihood of winning government contracts;
      • improved ability to compete with larger, more established, software firms;
      • broader exposure to new clients; and
      • competitive advantage over those firms not registered to ISO 9001.
  • superior design
      • improved reuse practices and easier retrieval of software components;
      • fewer recurring errors;
      • increased designer self-discipline;
      • greater customer confidence in the company's products.

Key Lessons Learned

The implementation of ISO 9001 is driven by a commitment to quality management, continuous improvement, compliance requirements, reliability needs, and procurement demands. The following section summarizes the key lessons learned by several Canadian software companies that have successfully registered to the ISO 9001 quality standard. The information was collected through a series of interviews. It also benefits from the experiences of quality systems auditors and consultants with expertise in ISO 9000.

Senior Management Commitment

For an ISO 9001 registration project to succeed, it must have commitment from the top management. Consent is not enough. The registration project will take time and effort. In the early stages, it may be seen as overhead and an easy target for cost savings. Moreover, procedures will change, and the authority to overcome barriers to change will be needed. Senior management commitment enables employees to solve problems themselves.

Senior management must: be directly involved in the registration project, obtain a commitment to ISO 9001 registration at all levels of the organization, and assist the ISO Coordinator and ISO Steering Committee to overcome obstacles to ISO 9001 registration. Sufficient resources may be required for the following:

  1. the inclusion of non-software development activities in the QMS;
  2. an addition of detail to operating plans;
  3. the clarification of quality management roles and responsibilities;
  4. an introduction of changes to operating procedures; and
  5. process improvement.

Senior management's understanding and commitment are prerequisites for successful ISO 9001 registration. A lack of management commitment is the most commonly identified obstacle to registration. If there is no commitment from top management, do nothing else but gain that commitment (Shelley, 1994: 105).

QMS Infrastructure

Site-wide processes must be defined early. Process and document templates should be standardized, and the format re-used throughout the organization. Straightforward procedures for software development must be defined and applied to all new projects as soon as they are developed. Ensuring software change and version control mechanisms are adequate is a good starting point.

There is a tendency to complicate documentation. The procedures should be written to the employees' level of capability. Large volumes of documentation have proven to be an obstacle to efficiency. Each document must have a purpose and add value to the QMS. The objective of the QMS is to help staff do their jobs, not to be an imposition. Remember, the focus is on developing an effective QMS that serves the company first and serves ISO 9001 and its auditors second.

Documentation should be divided by department or function into easily usable local manuals. Electronic quality manuals are best. A sentence-by-sentence traceability matrix should be prepared that relates company documentation and procedures to ISO 9001 requirements. The traceability matrix should be used to identify 1) the ISO 9001 requirements that are fully covered by the existing documents and procedures of the company; 2) the requirements that are partially covered; and 3) those that are not covered. Buy, borrow, or re-use existing materials, documents, and processes whenever possible. Corrections to documents, unless the corrections are very minor, should be submitted to the registrar for review prior to the registration audit. All efforts must be made to ensure that the company's QMS documentation is accurate before the audit.

There is also a tendency to over-elaborate definitions of measures. Keep metrics definitions very simple. Over-elaborate definitions rarely accord with actual perceptions and cause difficulty later. Initially, metrics definitions should be very simple, crude even, and elaborated only when understanding develops (Shelley, 1994: 105).

Project Management

The QMS implementation should follow a gradual, staged approach from general processes to more specific processes, and from a small user base to an increasingly larger base. This allows time to 'debug' processes before they are widely used. Aim to achieve staff understanding and acceptance early. Expect other projects to take priority, but continue to gradually introduce facets of the software QMS without the big bang approach.

The ISO Coordinator must develop department-level templates, issue document tracking and amendment procedures, commit dates and resources, and continuously monitor the registration project's progress at all company levels. Attention must also be given to quality management activities not related to the software. For example, include the process development labs that calibrate test equipment, anti-static measures, etc.

It is important for the ISO Coordinator to understand the details of the ISO 9001 registration project and monitor its progress. Internal audits are performed to identify both the strengths and weaknesses in the QMS and the way it is applied. The major areas of weakness and the most difficult problems should be addressed first. All QMS documents should be subjected to a thorough walkthrough and review process that not only improves the resulting standard or procedure, but also spreads information and awareness, invites contribution, and builds confidence and commitment.

Audits

Audits provide feedback on the QMS. Audits measure how well the company complies with its own documentation and how well that documentation reflects the activities of the company. Beware of idealizing your business processes or presenting them the way you think the auditor would like to see them.

Begin the audit with a pre-audit meeting to introduce all key personnel and auditors. This reassures staff and gives all concerned a sense of confidence at the start of the audit. Staff should be familiar with audit procedures before the actual audit. Likewise, the auditors should be very familiar with the company's documentation at this point. It is too late to start discussing documentation issues during the audit.

Work with the auditors, not against them. Provide each auditor with an escort who can take notes during the entire audit. Be honest and open during the audit, but do not offer information that has not been requested by the auditors. If you do not know the answer to an auditor's question, say so. The more questions the auditor is forced to ask to get basic information, the more frustrating the whole exercise becomes for all concerned.

Don't fall into the trap of blaming the auditor. Auditors are trained to find non-compliances. However, it is not enough for auditors to say that they do not like a process. They must demonstrate how a firm's process does not comply with the ISO 9001 standard. Be prepared to clearly describe to the auditors what action will be taken to remedy non-compliance.

Continuous Process Improvement

The ISO 9001 registration project should have a dual focus: process improvement and registration. Reinforce the belief that disciplined software development, process improvement, and a concern for quality are good for the company and that registration benefits all employees, the company and its customers. Sell ISO 9001 for its benefits and avoid malicious compliance.

The customers and developers are the primary interface with the QMS. They are also the most important source of process improvement information. Management should build a momentum for process improvement before attempting registration and carry that momentum after the registration. Make process improvement a priority and do not allow audits to delay the process improvement. Continue to improve the company's QMS and encourage company-wide learning of quality improvement practices. It should be clear to all in the company that ISO 9001 registration is a means to an end, not an end in itself.

The People Network

Shortly after the decision to pursue ISO 9001 registration, an ISO Steering Committee is formed and a senior executive of the company is appointed as the ISO Coordinator. In small companies, the ISO Steering Committee comprises

  1. the ISO Coordinator;
  2. those who design and develop software; and
  3. individuals in functions that may be affected by ISO 9001 registration.

When the size of the company makes the inclusion of all staff impractical, the ISO Steering Committee should represent only the stakeholders.

The ISO Coordinator becomes the management representative, and thus must have the authority and responsibility to oversee the effective implementation and maintenance of the QMS. The ISO Coordinator will mainly be responsible for

  1. the translation of the ISO 9001 standard into the company's documentation and procedures;
  2. the preparation of a schedule and plan for the ISO 9001 Registration project;
  3. obtaining executive approval for the required resources;
  4. the buy-in of the software developers; and
  5. negotiations with consultants and registrars.

If possible, the ISO Coordinator is assigned full time to the ISO Registration project; however, if this is impractical, the ISO Coordinator may have other management responsibilities. These should not include operating or production responsibilities that would conflict with the autonomous authority required by the ISO 9001 standard.

Other important components of the people network are the department representatives; the auditors; experienced consultants; and the software developers.

Delegate responsibility to department representatives. Ensure that the representatives of departments found not to comply with ISO 9001 requirements are held responsible for implementing a plan to remedy the situation. However, ensure a thorough investigation of the root cause of each notice of non-compliance is conducted and that corrective action is taken.

Staff must be involved in the registration project to ensure a sense of ownership and acceptance. For example, the work procedures should be documented by the people who do the work. Further, all staff should be kept informed of the development of the QMS and trained in its use from the start.

It is essential that the auditors are qualified to audit a software company. Obtain information on ISO 9000 registration services from several registrars, and meet with representatives of at least two. Don't hesitate to ask for the résumés of potential auditors. Determine the criteria to select a registrar, and start the process of selecting one well in advance of registration. Select the registrar that best meets the needs of the company and its customers.

Use consultants who are experienced in both software development and ISO 9000 standards. The best consultants are former auditors or individuals who have championed the registration for their employer. Software development differs considerably from manufacturing. This must be kept in mind when searching for consultants, registrars, and information on ISO 9001.

Training

Training is required for the ISO Steering Committee and all personnel who must change their work processes in order to comply with ISO 9001. No matter how good the QMS, if staff are not appropriately trained in its use, there will be problems or even total failure (TickIT Guide, 1992: 4.2.5). ISO 9001 training should be provided to everyone so that expectations are clear. This training should continue until the company is registered to ISO 9001, and as needed thereafter.

Staff training should communicate the benefits of ISO 9001 registration. Education should consist of 1) overview and awareness training; 2) explanations of the ISO 9001 standard and ISO 9000-3 guidelines; 3) assessor and lead assessor training; 4) implementation training; and 5) pre-audit training. Ensure that all staff know the company's policy statement of registration and that all members of the ISO Steering Committee become familiar with ISO 9000-3: The Guidelines on the Application of ISO 9001 to the Development, Supply and Maintenance of Software.

Conclusion

The achievement of quality is the primary objective of the ISO 9001 standard. Despite all the audits, documentation, and procedures that come with the formalization of the software development process, the customer will always remain the ultimate judge of quality. Always place the company's customers first. ISO 9001 registration provides customers with assurance that a development process contains the elements essential in producing quality software. ISO 9001 also provides software companies with a framework for creating or improving their QMS, reducing budget and schedule overruns, and improving customer satisfaction. Learning from the experiences of others should assist in making ISO 9001 registration of the software development process a reality for more Canadian companies.

Appendix A: The 20 Requirements of ISO 9001 (1994)

| Section | Explanation |
|---------|-------------|
| 4.1 | Management Responsibility: One manager has ISO responsibility. |
| 4.2 | Quality System: Extensive documentation is required. |
| 4.3 | Contract Review: Customer contracts fully negotiated and documented. |
| 4.4 | Design Control: Document customer-response design system. |
| 4.5 | Document and Data Control: The Quality Manual holds all the documentation requirements. |
| 4.6 | Purchasing: A system documents, reviews, and selects suppliers. |
| 4.7 | Control of Customer-Supplied Product: Product security and inspection systems are evident. |
| 4.8 | Product Identification and Traceability: Requires that the product be traceable at all times. |
| 4.9 | Process Control: This system specifies thorough planning and control. |
| 4.10 | Inspection and Testing: All components of the value chain are inspected. |
| 4.11 | Control of Inspection, Measuring, and Test Equipment: Appropriate equipment for assessing conformance of products is required. |
| 4.12 | Inspection and Test Status: Systems clearly identifying the status of all product tested are required. |
| 4.13 | Control of Nonconforming Product: Systems are mandated that identify non-conforming product. |
| 4.14 | Corrective and Preventive Action: Complete problem-solving systems are maintained. |
| 4.15 | Handling, Storage, Packaging, Preservation, and Delivery: Protecting product at all phases of the value chain. |
| 4.16 | Control of Quality Records: A complex quality information system is maintained. |
| 4.17 | Internal Quality Audits: Regular audits focus on company's quality follow-through. |
| 4.18 | Training: Requires system that documents needs, focus, verifies effectiveness, and monitors training behaviours. |
| 4.19 | Servicing: System upkeep for underlying service processes. |
| 4.20 | Statistical Techniques: Maintaining a system to determine the right statistical tools. |

References

Arter, D. R., "Demystifying the ISO 9000/Q90 Series Standards". Quality Progress, November 1992: 65-68.

Bailetti, A. J., and FitzGibbon, C., ISO 9001 Registration for Small and Medium Sized Software Enterprises. Ottawa: Carleton University Press, 1995.

Bennatan, E. M., On Time, Within Budget: Software Project Management Practices and Techniques. Toronto: QED Publishing Group, 1992.

Deming, W. E., Out of the Crisis. Cambridge: Massachusetts Institute of Technology, 1986.

Ince, D. C., et al. Introduction to Software Project Management and Quality Assurance. London, UK: McGraw-Hill, 1993.

Information Technologies Industry Branch, A First Review of the Performance of Canada's Software Products Industry: Establishing Benchmarks. Ottawa: Industry Canada, November 1994.

ISO 9001: Quality Systems - Model for Quality Assurance in Design, Development, Production, Installation and Servicing. 2nd ed. Geneva: International Organization for Standardization, 1994.

ISO 9000-3: Guidelines on the Application of ISO 9001 to the Development, Supply and Maintenance of Software. 1st ed. Geneva: International Organization for Standardization, 1991.

Myers, W., "Debating the Many Ways to Achieve Quality". IEEE Software, March 1993: 102-103.

Royce, W., "Why Software Costs So Much". IEEE Software, May 1993: 90-91.

Shelley, C. C., "Practical Experience of Implementing Software Measurement Programmes in Industry". Software Quality Management, 1994: 95-106.

Thamhain, H. J. and Wilemon, D. L., "Criteria for Controlling Projects According to Plan". Project Management Journal, June 1986: 75-81.

TickIT Guide: Guide to Software Quality Management System Construction using EN29001. British Department of Trade and Industry and the British Computer Society, 1992.

van Genuchten, M., "Why is Software Late? An Empirical Study of Reasons For Delay in Software Development". IEEE Transactions on Software Engineering, June 1991: 582-590.