Guidelines for Applying the ISO 9001 Standard to Software
This page summarizes ISO 9000-3:1997(E). It highlights the main points.
ISO prepared the 9000-3:1997(E) guidelines in order
to help organizations to apply the ISO 9001 standard to computer software.
Use ISO 9000-3 if you develop, supply, install, and maintain computer
software.
ISO 9000-3:1997 is really an expanded version of
the old ISO 9001:1994 standard. ISO has simply copied the old text from ISO
9001 and pasted it into the new version of ISO 9000-3, and then added some
new text that refers only to software. In order to avoid confusion, the old
ISO 9001 text is presented in black, while the new ISO 9000-3 text is presented in
red.
ISO 9000-3: 4.1 Management responsibilities
· Define a quality policy. Your policy should describe your organization's attitude towards quality.
· Define the organizational structure that you will need in order to manage your quality system.
· Define quality system responsibilities, give quality system personnel the authority to carry out these responsibilities, and ensure that the interactions between these personnel are clearly specified. Also, make sure that all of this is well documented.
· Identify and provide the resources that people will need to manage, perform, and verify quality system work.
· Appoint a senior executive to manage your quality system and give him or her the necessary authority.
· Define a procedure that your senior managers can use to review the effectiveness of your quality system.
ISO 9000-3: 4.2 Quality system requirements
· Develop a quality system and a manual that describes it.
· Develop and implement quality system procedures that are consistent with your quality policy.
· Develop quality plans which show how you intend to fulfill quality system requirements. You are expected to develop quality plans for products, processes, projects, and customer contracts.
· Develop quality plans to control software development projects.
· Develop a quality plan whenever you need to control the quality of a specific project, product, or contract.
· Your quality plan should explain how you intend to tailor your quality system so that it applies to your specific project, product, or contract.
· Develop detailed quality plans and procedures to control configuration management, product verification, product validation, nonconforming products, and corrective actions.
ISO 9000-3: 4.3 Contract review requirements
· Develop and document procedures to coordinate the review of sales orders and customer contracts. Make sure you include the customer in the process of review.
· Develop and document procedures to coordinate the review of software development contracts.
· Your contract review procedures should ensure that all contractual requirements are acceptable before you agree to provide products or services to your customers.
· Make sure that you and your software customer agree on:
· How terms will be defined.
· How products will be accepted.
· How the customer will participate.
· How software users will be trained.
· How software upgrades will be handled.
· How joint progress reviews will be conducted.
· How changes in customer requirements will be handled.
· How problems will be handled after product acceptance.
· Make sure that you and your customers agree that:
· The project is feasible.
· The legal rights of others will be respected.
· The customer can meet all contractual obligations.
· Make sure that you have:
· Established a project schedule.
· Identified significant risks and contingencies.
· Specified all contractual liabilities and penalties.
· Defined your software development procedures.
· Confirmed that resources will be available when needed.
· Clarified the extent of your responsibility for subcontractors.
· Develop procedures which specify how customer contracts are amended, and which ensure that changes in contracts are communicated throughout the organization.
· Develop a record keeping system that you can use to document the review of customer orders and contracts.
ISO 9000-3: 4.4 Product design requirements
· Develop and document procedures to control the product design and development process. These procedures must ensure that all requirements are being met.
· Control your software development projects and make sure they are executed in a disciplined manner.
· Control your software design process and make sure that it is performed in a systematic way.
· Develop product design and development planning procedures.
· Prepare a software development plan. Your plan should be documented and approved before it is implemented. Your plan should:
· Define your project.
· List project objectives.
· Present your project schedule.
· Define project inputs and outputs.
· Identify related plans and projects.
· Explain how your project will be organized.
· Discuss project risks and potential problems.
· Identify important project assumptions.
· Identify all relevant control strategies.
· Identify the groups who should be routinely involved in the product design and development process, and ensure that their design input is properly documented, circulated, and reviewed.
· Make sure that your software development plan defines:
· How the responsibility for software development will be distributed amongst all participants.
· How technical information will be shared and transmitted between all participants.
· Make sure that your customer has accepted the responsibility to cooperate and support your software development project.
· Make sure that you schedule project reviews in order to evaluate the activities and the results achieved by all participants.
· Develop procedures to ensure that all design input requirements are identified, documented, and reviewed; and that all design flaws, ambiguities, contradictions, and deficiencies are resolved.
· Design input requirements should be specified by the customer. However, sometimes the customer will expect you to develop the design-input specification. In this case you should:
· Prepare procedures that you can use to develop design-input specifications.
· Work closely with your customer in order to avoid misunderstandings and to ensure that the specification meets the customer's needs and expectations.
· Express your specification using terms that will make it easy to validate during product acceptance.
· Ask your customer to approve the resulting design-input specification.
· Develop procedures to control design outputs.
· Prepare design output documents using standardized methods and make sure that your documents are correct and complete.
· Develop procedures which specify how product design reviews should be planned and performed.
· Plan and perform product design reviews for your software development projects.
· Develop and document software design review procedures.
· Develop procedures which specify how design outputs, at every stage of the product design and development process, should be verified.
· Verify your software design outputs by performing design reviews, demonstrations, and tests.
· Maintain a record of your design verifications.
· Develop procedures that validate the assumption that your newly designed products will meet customer needs.
· Prove that your product is ready for its intended use before you ask your customer to accept it.
· Accept validated products for subsequent use only if they have been verified and only if all remedial actions have been taken.
· Maintain a record of your design validations.
· Develop procedures to ensure that all product design modifications are documented, reviewed, and formally authorized before the resulting documents are circulated and the changes are implemented.
· Develop procedures to control software design changes that may occur during the product's life cycle.
ISO 9000-3: 4.5 Document and data control
· Develop procedures to control quality system documents and data.
· Identify all documents and data that must be controlled.
· Develop procedures to control your documents and data.
· Develop procedures to review, approve, and manage all of your quality system documents and data.
· Develop procedures to control electronic documents and data.
· Develop procedures to control changes to documents and data.
ISO 9000-3: 4.6 Purchasing requirements
· Develop procedures to ensure that purchased products meet all requirements. These procedures should control the selection of subcontractors, the use of purchasing data, and the verification of purchased products.
· The term purchased products includes both products and services.
· Develop procedures to select, evaluate, monitor, and control your subcontractors (your suppliers). Make sure that quality records are kept which chronicle the performance of all your subcontractors. Your records should identify the acceptable subcontractors and the products and services they provide.
· Develop procedures to ensure that your purchasing documents precisely describe what you want to buy.
· Develop procedures that allow you or your customers to verify the acceptability of products you have purchased.
ISO 9000-3: 4.7 Customer-supplied products
· Develop procedures to control products supplied to you by customers. These procedures should ensure that you:
· Examine the product when you receive it to confirm that the right items were shipped without loss or damage.
· Prevent product loss, misuse, damage, or deterioration through proper storage and security.
· Record, and report to the customer, any product loss, misuse, damage, or deterioration.
· Clarify who is responsible for the maintenance and control of the product while it is in your possession.
· Control products, services, documents, and data supplied by customers.
ISO 9000-3: 4.8 Product identification and tracing
· Develop and document procedures to identify and track products from start to finish. When appropriate, these procedures should ensure that you:
· Identify and document products every step of the way from the purchase of supplies and materials through all stages of handling, storage, production, delivery, installation, and servicing.
· Trace products or product batches by means of unique identifiers and suitable record keeping.
· Develop procedures to assign unique identifiers to your software products and components. You should assign identifiers during the product definition phase and be able to maintain these identities throughout the product life cycle.
· Develop procedures to track your software products and components. You should be able to track your software throughout its life cycle.
· Use configuration management methods to identify and track your software products and components.
ISO 9000-3: 4.9 Process control requirements
· Develop and document procedures to plan, monitor, and control your production, installation, and servicing processes.
· Design a record keeping system that monitors and controls process personnel and equipment. Make sure that all important process qualities are monitored and recorded.
· Develop procedures to control the software replication process.
· Develop procedures to control the software release process.
· Develop procedures to control the software installation process.
ISO 9000-3: 4.10 Product inspection and testing
· Develop and document software test plans.
· Develop procedures which ensure that incoming products are not used until you have verified that they meet all specified requirements.
· Develop and document procedures to verify software products and data that are provided by third parties and will be built into your software product. Third parties may include your customers and suppliers.
· Develop procedures which ensure that work-in-process meets all requirements before work is allowed to continue.
· Develop procedures which ensure that final products meet all requirements before they are made available for sale.
· Perform software validation tests and software acceptance tests.
· Develop a record keeping system that your staff can use to document all product testing and inspection activities.
ISO 9000-3: 4.11 Control of inspection equipment
· Develop procedures to control, calibrate, and maintain inspection, measuring, and test equipment used to demonstrate that your products conform to specified requirements (please note that the term equipment includes both hardware and software).
· Use tools, techniques, and equipment to test whether your software products meet specified requirements.
· Develop procedures to ensure that your measurement equipment is appropriate, effective, and secure.
· Develop procedures to calibrate all of your quality oriented inspection, measuring, and test equipment.
· Develop procedures to calibrate hardware and tools used to test and validate your software products.
ISO 9000-3: 4.12 Inspection and test status of products
· Develop procedures to control the test status of your products. These procedures should ensure that:
· Each and every product is identified as having passed or failed the required tests and inspections.
· The test status of each product is documented and respected throughout the production, installation, and servicing process.
· Only products that have passed all tests and inspections are subsequently used or sold to customers (unless an official exception is made under section 4.13 below).
· Develop methods to identify and control the test status of your software products and components.
ISO 9000-3: 4.13 Control of nonconforming products
· Develop procedures to prevent the inappropriate use of nonconforming products. Also make sure that everyone is notified when your products do not conform to specified requirements.
· Segregate your nonconforming software by placing it into a separate environment.
· Control how software defects and nonconformities are investigated and resolved.
· Develop procedures to control how your nonconforming products are reviewed, reworked, regraded, re-tested, recorded, and discussed.
· Control the disposition of nonconforming software products and components.
· Re-test software products that have been modified.
ISO 9000-3: 4.14 Corrective and preventive action
· Develop procedures to correct or prevent nonconformities.
· Use configuration management procedures to control corrective and preventive actions that affect software items and products.
· Use document and data control procedures to control corrective and preventive actions that affect software life cycle processes.
· Develop procedures to ensure that nonconformities are identified and corrected without delay.
· Develop procedures to ensure that potential nonconformities are routinely detected and prevented.
· Develop preventive actions by analyzing the root causes of your nonconformities.
· Develop preventive actions by analyzing unfavorable metric levels and trends.
ISO 9000-3: 4.15 Handling, storage, and delivery
· Develop and document procedures to handle, store, package, preserve, and deliver your products.
· Develop product handling methods and procedures that prevent product damage or deterioration.
· Your product handling procedures should help prevent damage to your software products and avoid deterioration.
· Designate secure areas to store and protect your products.
· Develop procedures which specify how your products will be placed into storage and removed from storage.
· Develop procedures which specify how your products will be protected from damage or deterioration during storage.
· Develop procedures to control how your software products and items will be stored and protected.
· Store software masters and copies in a secure environment.
· Develop procedures which specify how your products will be monitored and evaluated to detect damage or deterioration while in storage.
· Develop packing, packaging, and marking methods and procedures to protect and control the quality of products and packaging materials.
· Develop methods and procedures to protect and preserve product quality prior to delivery and while the product is still under your control.
· Develop methods to protect and preserve software product quality prior to delivery while the product is still under your control.
· Develop procedures to protect your products after final testing and inspection, and during product delivery.
· Protect your software during delivery.
· Develop and document procedures to preserve product integrity and protect against software viruses.
ISO 9000-3: 4.16 Control of quality records
· Identify and define the quality information that should be collected.
· Develop a quality record keeping system, and develop procedures to maintain and control it. Develop procedures to:
· Collect and record quality information (create records).
· File, index, store, and maintain quality records.
· Remove, archive, and destroy old quality records.
· Protect quality records from unauthorized access.
· Prevent records from being altered without approval.
· Safeguard records from damage or deterioration.
· Software quality records are documents and files that prove that quality activities were performed and quality results were achieved.
ISO 9000-3: 4.17 Internal quality audit requirements
· Develop internal quality audit procedures which:
· Determine whether quality activities and results comply with written quality plans, procedures, and programs.
· Evaluate the performance of your quality system.
· Verify the effectiveness of your corrective actions.
· These procedures should also ensure that:
· Audit activities are properly planned.
· Auditors are independent of the people being audited.
· Audit results, corrective actions, and corrective action results and consequences are properly recorded.
· Audit conclusions are discussed with the people whose activities and results are being audited, and deficiencies are corrected.
· Audit reports are fed back into the quality system review process.
· Develop an internal audit plan or program for software projects.
ISO 9000-3: 4.18 Training requirements
· Develop quality training procedures. These procedures must ensure that:
· Quality system training needs are identified.
· Quality training is provided to those who need it.
· People are able to perform quality system jobs.
· People have the qualifications they need to do the work.
· Accurate and appropriate training records are kept.
· Everyone understands how your quality system works.
· Identify the training that will be needed to develop software products and to manage software development projects.
· Identify your training needs by studying how software will be developed and how projects will be managed.
ISO 9000-3: 4.19 Servicing requirements
· Develop and document quality service procedures. Your procedures should specify how:
· Products should be serviced.
· Product service activities are reported.
· The quality of product service is verified.
· Develop procedures to control your software maintenance process.
· Develop plans to control your software maintenance projects.
· Keep a record of your software maintenance activities.
ISO 9000-3: 4.20 Statistical techniques
· Select the statistical techniques that you will need in order to establish, control, and verify your process capabilities and product characteristics.
· Develop procedures to explain how your techniques should be applied.
· Develop procedures to monitor and control how techniques are used.
· Make sure that all statistical procedures are documented.
· Make sure that proper statistical records are kept.
· Use statistical techniques to analyze the software development process.
· Use statistical techniques to analyze software product characteristics.
· Use statistical techniques to evaluate process and product quality.