1. BACKGROUND ON ISO 9000
Buying nuts and bolts
A friend of mine makes a living out of buying and selling nuts and bolts. He buys large quantities from suppliers in southeast Asia and then distributes them to his customers in Scandinavia. I was intrigued to learn that the difficult part was not the selling, i.e. getting rid of the stuff at a profit; the difficult part was buying the nuts and bolts.
My friend would receive a few lorries loaded with bolts and nuts every now and then. Were they faulty in any way, he would be in trouble. For example, the dimensions might be wrong, or the steel quality, or the threading. He would then not be able to deliver to his own customers, and thus - no profit (rather the opposite).
"But", I said, "surely you could claim damages from the suppliers." "Possibly", my friend answered, "but if I had lost my customers, that would not help very much. I cannot live on damages, I must do business."
So, the solution for my friend was to put additional requirements on his suppliers. He would specify dimensions, steel quality, threading, etc., in the contract. But further, he would specify requirements on the internal workings of the supplier companies, in order to ensure that what was delivered would be what his customers needed. He would impose requirements on a supplier's purchasing of material, manufacturing process, quality control and checking procedures. If he were satisfied that the supplier would buy the right kind of raw material, use a reliable manufacturing process, and perform sufficient checks on the products, my friend would be able to sleep at night while waiting for the delivery.
My friend states these "extra" requirements by requiring that the supplier fulfill the requirements in an ISO 9000 standard. ISO 9000 is a set of standards intended just for my friend's kind of needs. They specify requirements on the supplier's organization and procedures intended to give the customer confidence in the products to be delivered.
The ISO 9000 family of standards
ISO (International Organization for Standardization) is a worldwide federation of national standards bodies, such as the US standardization body ANSI. ISO prepares international standards, which are published after voting among ISO members.
ISO 9000 is a family of standards and guidelines. Figure 1-1 shows some ISO 9000 documents which may be of interest for us.
The document ISO 9000-1 is a general guideline which gives background information about the family of standards. ISO 9001, ISO 9002 and ISO 9003 are the standards in the family, containing requirements on a supplier. ISO 9002 and ISO 9003 are subsets of ISO 9001. ISO 9002 is used for situations where there is no design. For software development, ISO 9001 is the standard to use.
ISO 9004 is a comprehensive guideline to the use of the ISO 9000 standards.
ISO 9000-3 is a guideline on how to use ISO 9001 for software development.
ISO 9004-2 is a guideline for the application of ISO 9001 to the supply of services. It may be of interest in the context of IT, since computer centers and other suppliers of data services can benefit from its advice.
In the United States, the ISO 9000 standards may be obtained from either ASQC or ANSI at these addresses:
American Society for Quality Control
P.O. Box 3006
Milwaukee, WI 53201-3006
American National Standards Institute
11 West 42nd Street, New York, NY 10036
Fax 212 398 0023
Since software production is mostly a question of design, ISO 9001 is the standard of interest for us. Its title is "Quality systems - Model for quality assurance in design, development, production, installation and servicing". Don't focus too much on the word "quality" in the title. ISO 9001 is about management. It contains requirements on how a company shall be managed on different levels and from different aspects. It most definitely does not include requirements on products.
Roughly, we might say that ISO 9001 puts only two basic requirements on a supplier:
- All operations influencing quality shall be under control
- This control shall be visible.
The standard of course puts these requirements in much more detail and with many more words, but those two requirements capture the essence of ISO 9001.
The second requirement is usually formulated as a requirement that plans, procedures, organization etc be documented, and that important activities be recorded.
ISO 9001 expects a fairly strict organization, where managers have responsibility and authority to control the work of their subordinates. Self-organizing groups are difficult to fit into the requirements of ISO 9001.
ISO 9001 is written for manufacturing industry. To apply the standard to software development requires certain interpretation.
The first version of ISO 9001 was published in 1987. Versions of ISO standards are identified by the year of publication, so that version was designated ISO 9001:1987. In mid-1994, version 2 of the standard was published, not surprisingly called ISO 9001:1994, and this book is about this version. The differences between version 1 and 2 are relatively minor. To a large extent the new version makes explicit some things one earlier had to deduce.
ISO 9001 and documentation
ISO 9001 is very insistent on documentation. Procedures shall be documented and records shall be prepared and kept for most of what is going on inside the company. This has led many managers to fear the standard. They have nightmares about mountains of paper and a bureaucratic organization, where the filling of forms takes more time and is more important than producing goods. They are right. Improper use of the standard can easily introduce unnecessary complexities, which make a supplier inferior compared to the situation before ISO 9001. This danger is especially pronounced if the standard is enforced by bureaucratic personalities, who mistake paper for results.
I frequently fight quality managers whose main argument is "We must do this because it says so in the standard." "But will it make you a better supplier?" I ask. "But it says so in the standard" is the irrelevant answer. The key question to ask in this situation is why a standard would enforce something which does not make you a better supplier. If this specific paperwork does not benefit you and it does not benefit your customers, why should anyone in his or her right mind want it?
The risk for bureaucracy
Please notice an important word in the title of ISO 9001: "Model". The requirements in the standard do not necessarily all have to be taken literally. If there is a simpler way in your company to achieve the same thing as the requirement in ISO 9001 is intended to achieve, well, good for you!
Notice that there often are two ways to meet a requirement in ISO 9001:
- Issue a written procedure for the activity and check that the procedure is followed.
- Give a competent person the responsibility and authority to perform the activity. Show that this person has the necessary training and experience. We can see this as a special case of the first way, where the written procedure only assigns the responsibility and authority.
I heard about an extreme case the other day. The owner of a small company manufacturing specialized ultra-high-precision custom instruments wanted to show that his company fulfilled ISO 9001. However, he refused to issue detailed procedures. He claimed that he only hired extremely well qualified staff, with solid education, long experience and excellent references. "To throw detailed instructions at them would be insulting and counterproductive, and I will not do it", he was reported to say.
So, he documented his method of controlling his company, describing what responsibility and authority he had given to his employees. He also documented his own means for knowing that excellent products were produced. He then brought in some third-party auditors to assess the compliance with ISO 9001. The assessors shook their heads at the sight of the slim documentation handed to them as a definition of the "quality system" of the company. They then spent considerable time trying to find holes in the quality system. In the end, they had to give up. You see, the question they kept asking themselves was: "Can we see that this activity is under control?" And then they found that there was a brief but exact documentation of the control, and they could see in the workshops that the work was actually controlled and performed in this way.
Creating rules and formality in order to fulfill ISO 9001 is rather like balancing on an edge. On one side is the dangerous swamp "Bureaucracy", which can clog your activities forever, and on the other side is the slippery hillside "Happy-go-lucky", where you don't know what will happen.
Figure 1-2 is an attempt to illustrate this phenomenon. The Y dimension is quality and productivity. The X dimension is formality and paperwork. Too little formality and paperwork leads to low quality and productivity, since the developers make errors and repeat work done in other projects, e.g. on development methods. Too much of it also leads to low quality and productivity, since most effort goes into fulfilling rules and doing paperwork. If a software developing organization finds the right level of formality and paperwork, there is an optimum, which will give very high quality and productivity.
However, I sometimes see how organizations find themselves to the left in figure 1-2. Management realizes that something has to be done about software development. Perhaps some persons are available, since they have not done too well with software development, and management must find some other use for them. Chances are that management will give just these persons the task of defining procedures and standards for software development. Alternatively, an external consultant may be called in to do the job. In either case, the organization will probably after a while find itself on the right hand side of figure 1-2.
Two or three thick binders with rules and standards have been produced, and management tries to enforce them. And neither quality nor productivity improves. Very soon, the developers stop trying to use the rules, and then the managers say: "Software developers are creative artists who can't be controlled. Let's leave them alone." And the software engineers say: "You can't have rules for software development; we must each decide in each case how to work."
Quality audits and objective evidence
Let us look into two closely linked concepts, which are central to ISO 9001: Quality audits and objective evidence.
"Quality audit: A systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives." (ISO 8402-1986 "Quality - Vocabulary")
A quality audit of an organization is when somebody who is independent of the manager of that organization checks whether rules and procedures are followed, and whether the rules and procedures lead to the intended result. A first party audit is when the audit is conducted by or on behalf of company management. First party audits cover the different parts of a company, but not the company as a whole (nobody inside the company would be independent enough). A second party audit is when a customer conducts an audit of some part or the whole of a supplier's operation. Third party audits are conducted by independent external auditors.
A central concept in auditing is "objective evidence". When a customer or a third party auditor comes to a company to see whether it fulfills ISO 9001, they must be able to see what has been done prior to the visit. Therefore, if, for example, the supplier's procedures require a review or check to be performed, ISO 9001 requires documented evidence of the review or check. I might for example ask a manager "Has this inspection been done?" The answer is: "Oh yes!" "How do you know?" "Charlie in the workshop told me the other day that he had made that inspection." I would not accept that answer; hearsay is not enough for ISO 9001. If, however, I were shown a document saying that Charlie did the inspection of item x according to procedure y and found this, signed Charlie, date, then I would believe it. That document would constitute objective evidence.
How do we know that Charlie did not fake and sign the document although what it says is not true? Of course, we can't know absolutely for sure. However, in general people are reluctant to put their signatures on something which is clearly a lie. In many years I have personally not been able to find any case where a person has signed a statement he or she knew to be false.
The concept of quality system
ISO 9001 contains requirements on a supplier's quality system.
According to ISO, a quality system comprises "the organizational structure, responsibilities, procedures, processes and resources for implementing quality management".
This is an important concept, and it is frequently misunderstood. When I come to audit a supplier, sometimes the quality manager gives me a binder and proudly states: "This is our quality system." Paper can only be part of a quality system; it also includes such things as people, equipment, competence, practices etc.
In a software development organization, the quality system may consist of for example:
- The quality policy
- The organization
- The staff
- The competence of the staff
- The quality manual
- Written procedures
- Records, e.g. minutes of meetings, test records
- Common practices
Twenty quality elements
The meat of ISO 9001 is placed in its chapter 4, which is subdivided into 20 paragraphs:
4.1 Management responsibility
4.2 Quality system
4.3 Contract review
4.4 Design control
4.5 Document and data control
4.6 Purchasing
4.7 Control of customer-supplied product
4.8 Product identification and traceability
4.9 Process control
4.10 Inspection and testing
4.11 Control of inspection, measuring and test equipment
4.12 Inspection and test status
4.13 Control of nonconforming product
4.14 Corrective and preventive action
4.15 Handling, storage, packaging, preservation and delivery
4.16 Control of quality records
4.17 Internal quality audits
4.18 Training
4.19 Servicing
4.20 Statistical techniques
The subject of each paragraph is called a quality element, defined by the paragraph headline. These quality elements are household concepts in the world of quality assurance. Especially quality auditors, who specialize in assessing conformance to ISO 9000 standards, will refer a lot to the quality elements when discussing conformance. Also, they tend to have a common understanding of what is needed in order to fulfill each quality element.
In chapter 3 we will look into each quality element in turn.
Certification to ISO 9001
ISO 9001 is intended to be used in a contract between a customer and a supplier. However, a growing use of the standard is also for certification.
When customers started including ISO 9001 in contracts, they realized that they had to convince themselves that the supplier actually fulfilled the requirements in the standard. It was not enough just to include a reference to the standard in the contract; if the supplier failed to fulfill ISO 9001 you might be able to sue them for breaking the contract, but this would not give you your nuts and bolts or whatever you had contracted. So, customers started to conduct quality audits on the supplier's premises, looking into the methods for management and also spot-checking ongoing activities and comparing with the requirements in the standard. Quality audits were both part of the pre-contract assessment of suppliers and a continuing supervision of the selected supplier.
If a supplier had many customers, it would become costly and awkward to have all of them visiting the supplier a few days each to convince themselves that the supplier fulfills the requirements of ISO 9001. Customers' audits would also occupy key staff, and thereby risk disrupting the actual performance of contracts.
Someone then had a bright idea: "Why not have only one party investigate the supplier and issue a certificate, which the supplier would then use as a simple way to convince all customers that the standard is fulfilled. This would make ordinary quality audits by the customers unnecessary." And thus, the scheme of ISO 9000 certificates was born.
Today, a large number of European and other industries can show certificates of their compliance to ISO 9000 standards. Customer audits have become rare, but there is still a need for them because:
- An ISO 9000 certificate is only a simple "yes" to the question about compliance. In order to compare different suppliers, the customers still have to look for themselves.
- Especially for new technical areas, e.g. software, judgements vary widely between certification bodies depending on the competence of the auditors and the choice of interpretation of the standard.
Still, there are cases now in Europe, where you would not be welcome to tender if your company were not certified to the appropriate ISO 9000 standard.
Third party certification
A number of companies specialize in certification of suppliers to ISO 9001 and other standards. This is called third party certification and the certifying company is a certification body. Such companies sell only one commodity, the service of assessing conformance to standards, combined with the issuing of certificates for those customers who actually do fulfill the requirements of the applicable standard.
A third party certification of a supplier to ISO 9001 might consist of the following steps:
- The supplier invites bids from several certification bodies.
- The supplier agrees a contract with one certification body. The selection criteria are usually price, reputation and competence in the supplier's business area.
- The certification body makes a thorough study (audit) of the supplier's rules, practices, organization, documentation, etc., and raises non-conformance notes on aspects which are not up to ISO 9001.
- When the supplier has shown that the non-conformances are corrected, the certification body issues a certificate saying that the supplier fulfills the requirements of ISO 9001.
- Thereafter the certification body will regularly, e.g. twice a year, make follow-up audits to check that the certificate is still valid.
The certificate will expire after three years, when a new certification has to be done. Under certain circumstances, the certification body is obliged to withdraw an existing certificate immediately, for example if the supplier is using the certificate improperly in its marketing, implying that the products have been certified to ISO 9001.
Who is watching the watchers?
Thus, the certification body is paid by the supplier to issue a certificate which is important for that supplier. Isn't there a risk that the certification body will be too lenient because they want to keep the supplier as customer? A less serious certification body might perhaps even specialize in selling budget priced certificates.
Actually, the certification business seems to work fine in Europe. This is because the value of a certificate depends on how the supplier's own customers value it. This in turn mainly depends on the reputation of the certification body. In this way, then, there is a definite pressure on the certification bodies not to be lenient. A very unpleasant situation for a certification body would be if the supplier's customer phones and says: "How could you certify that company? I contracted them because they were certified, but they bungled the contract and the product is useless!" If rumors of such occurrences start to circulate, the certification body will find itself without a business.
Also, most certification bodies are accredited in the countries where they operate. National accreditation authorities establish the rules for each certification body, and in what business areas each may issue ISO 9000 certificates. The accreditation authorities monitor all accredited certification bodies continuously, e.g. by observing their practices during actual certifications. The accreditation authority in the United States is the Registrar Accreditation Board (RAB). The RAB uses terminology which differs somewhat from the European: a certification body is a registrar, and certification is registration. In this book, we stick to the European terms certification body and certification, since those are well established in most of the world. Figure 1-3 summarizes the relation between accreditation and certification.
Certification bodies accredited in Europe work under ISO 10011 "Guidelines for auditing quality systems", "Part 1: Auditing" and "Part 2: Qualification criteria for quality system auditors", and under EN 45012 "General criteria for certification bodies operating quality system certification". RAB uses other means to formulate requirements on certification bodies in the United States.