2. THE USE OF ISO 9001 WITH SOFTWARE DEVELOPMENT
Manufacturing industry vs software industry
The ISO 9000 standard concerning us is ISO 9001, since it applies to "quality assurance in design, development, production, installation and servicing". As we have said, this standard is written for the manufacturing industry, and this poses some problems when applying it to the development and maintenance of software.
In what way, then, is software different? Figure 2.1 illustrates manufacturing and software development from this perspective. The rectangles symbolize cost or effort.
Figure 2-1
If we first look at manufacturing, e.g. of kettles, we see that design is a relatively small activity. Instead, the cost for each manufactured item is notable, so that when a few items have been produced, production is by far the major part of the activity. Therefore, when we talk about quality or productivity problems and improvements in manufacturing, we tend to focus on production.
Software development, however, is nearly 100% design. Production means copying executable code to diskettes, tapes or ROMs, and is performed and checked automatically. So, when talking about quality and productivity, we focus on design.
Another difference is illustrated by the circles to the right in the figure. The functionality and complexity of software and complex electronics is many orders of magnitude higher than that of ordinary appliances. Actually, in my opinion, today's software products are the most complex items created by humanity, with one exception: our civilizations. Thus, the need for control is greater for software development than for the production of appliances, and at the same time, the control is more difficult to define and apply.
ISO 9001 covers design but it focuses on production. Even for a production expert, the text in the standard is brief and needs explanation. In order to apply it to software development, the standard needs to be interpreted and explained still more. Chapter 3 in this part of the book gives such interpretations and explanations.
ISO 9000-3
The need for a special interpretation of ISO 9001 for software was noted quite early, and in 1998 ISO published a guide for this purpose. The guide is numbered ISO 9000-3, and its title is "Quality management and quality assurance standards - Part 3: Guidelines for the application of ISO 9001:1994 to the development, supply, installation and maintenance of computer software" (ISO 9000-3:1997).
This document is a guideline, not a standard. It incorporates some parts of ISO 9001 verbatim, and in those parts the word "shall" is used. In the rest of the text, the word "should" is used.
Even though ISO 9000-3 is a guideline and uses "should", it has a special status. It is not just any guideline; it is ISO's own authorized guideline to the use of ISO 9001 with software. Thus, ISO 9000-3 is occasionally used as a requirement standard in the same manner as ISO 9001. In those cases, "should" is taken to mean "shall".
ISO 9000-3 is only one of many possible interpretations of ISO 9001 for software. It is possible to fulfill ISO 9001 without fulfilling every "should" in ISO 9000-3. However, if there is a "should" in ISO 9000-3 which you do not fulfill, you should be prepared to explain to an auditor how you handle that issue instead, and why you still believe that you fulfill ISO 9001.
ISO 9000-3 is organised in the same 20 quality elements as ISO 9001. However, as one might expect, the chapter 4.4 Design Control is much larger in ISO 9000-3.
Sometimes I meet software engineers who are frustrated with ISO 9001 and 9000-3. "It does not tell us how to develop quality software", they complain, quite rightly. It is important to notice, though, that ISO 9001 (and thus ISO 9000-3) was never intended as a help for the developers! The standard is solely aimed at being a tool for the customer. Basically, ISO 9001 makes the supplier implement basic management of software development, and the standard then enforces visibility, so that the customer can see what the developers are doing and judge it. In practice, ISO 9001 and 9000-3 can also be used as guides for the supplier's management, helping them control development and gain insight into what is really going on.
The TickIT initiative
Background
At the end of the eighties, the ISO 9000 standards had become quite popular in Europe. Manufacturing industries were certified to the ISO 9000 standards in increasing numbers. Some of the certified companies had a considerable computer department, developing and maintaining software for use inside the company, and the certification of these departments came to vary depending on the auditors' competence and the attitude of the certification body. About this time, companies with software as a part of their products started to apply for certification, and soon pure software houses joined in.
The industry in Europe was becoming increasingly apprehensive about ISO 9001 certification of development and maintenance of software. It was feared that different certificates might have very different value, and thereby remove the rationale for certification. The British software industry, together with the British Department of Trade and Industry, launched an initiative to amend the situation and called it TickIT. The name is constructed from the word "tick" ("check" in America) and "IT" for "Information Technology". The goal was to establish an effective and unified certification of software development and maintenance.
The TickIT initiative has been quite successful, and TickIT certificates can be found in many countries in Europe, America and Asia.
What is TickIT?
TickIT is a system for certifying software-developing organizations to ISO 9001. TickIT comprises 6 items:
- An interpretation of ISO 9001 for software,
- a standard set of requirements on the competence and behavior of certification auditors,
- a standardized training course for certification auditors,
- a registration scheme for approved certification auditors,
- a system for accrediting certification bodies for conducting TickIT certifications,
- a logotype to be used on certificates to show TickIT certification.
Most of this is documented in the TickIT Guide published by the TickIT initiative.
The TickIT scheme is implemented in Britain and is now handled by the DISC TickIT Office. Today, the British NACCB (National Accreditation Council for Certification Bodies) and the Swedish SWEDAC (Swedish Board for Accreditation and Conformity Assessment) are the only national accreditation authorities issuing TickIT accreditation to certification bodies. This means, for example, that in all other countries, TickIT certification is done under the accreditation of NACCB or SWEDAC. This works, since many certification bodies operating in the world are accredited by NACCB or SWEDAC, and other national accreditation authorities recognize NACCB's and SWEDAC's accreditations.
RAB (Registrar Accreditation Board), the US accreditation authority, does not currently support a software-specific scheme for ISO 9001 certification. However, several certification bodies operating in the US are accredited in Britain to conduct TickIT certification. American companies can thus receive TickIT certificates under British or Swedish accreditation.
The TickIT guide
The current version (4.0) of the TickIT Guide is named "A guide to Software Quality System Construction and Certification". This is the table of contents:
Part A Introduction to TickIT
Part B Customer Guide
Part C Supplier Guide
Part D Auditor Guide
Appendix 1 Management and Assessment of IT Processes
Appendix 2 Defining a Certification Scope
Appendix 3 TickIT Auditor Registration and Professional Attributes Standards
Appendix 4 Standards Information and Recommended Reading
You can order the TickIT Guide and find more information about TickIT at http://www.tickit.org/guide.htm
TickIT auditors
What is really special about TickIT certification is the auditors. TickIT auditors are registered by the International Register of Certificated Auditors (IRCA) in London (http://www.irca.org). TickIT auditors come in three levels: "Provisional TickIT Auditor", "TickIT Auditor" and "Lead TickIT Auditor". In order to become one, you have to fulfill several requirements, e.g.:
- You must yourself have worked for at least four years with software development, including all different types of work.
- You must have successfully concluded an approved one-week TickIT auditor's course ending with a formal examination.
- To become senior or lead TickIT auditor, you must have experience in conducting and leading, respectively, TickIT certifications.
- In addition, there are further requirements on your personal attributes.
The IRCA shows all signs of taking seriously the requirements on TickIT auditors. In 1993, it was reported that 15% of the applicants for registration as TickIT auditors were not called to an interview, and of those interviewed, 25% failed.
TickIT certification
All this means that when you apply for TickIT certification, you know that your software development and maintenance will be judged by well-trained auditors with personal experience in software development. Assessing a software development quality system is to some extent a question of judgement. TickIT auditors are taught not to insist on literal fulfillment of all requirements in ISO 9001. Instead, they are encouraged to use their own professional judgement to ascertain whether activities are under control. If so, they are accepted, even though the control may not be exactly as prescribed by the standard. This indicates that there is a certain element of subjectivity in TickIT audits (as in most other types of audit). However, the TickIT Guide and the standardized training of TickIT auditors still give a comprehensive framework.
TickIT certifications are conducted in the same manner as other certifications to ISO 9001. However, the TickIT Guide contains comprehensive guidance for the auditors.
Why comply with ISO 9001?
Is it necessary to fulfill the requirements in ISO 9001 in order to be able to supply quality software products? Definitely not; small organizations, especially, may well be able to output quality products without going into all the paraphernalia of ISO 9001. However, they will then probably only be able to demonstrate their capability by referring to earlier projects.
One reason for a company to implement a quality system in accordance with ISO 9001 is of course when this is a contract requirement. Some customers require visible control of the supplier's operation as well as comprehensive records of what has been done. However, I have met several software development managers who apply the requirements in ISO 9001 although there is no external pressure to do this. "We need to do something about the way we manage and work", is the usual reasoning, "so why not use ISO 9001 as a tool?" The choice of ISO 9001 is of course made with an eye on the possibility that customers will require compliance later.
I noted that certification to ISO 9000 standards is becoming popular. Why would a software company take pains to get a third-party certificate of its conformance to ISO 9001?
The reason that first comes to mind is of course that a certificate has a value in the customers' eyes. The certificate says something about the supplier's capability for delivery of quality products, and the holding of an ISO 9000 certificate is therefore often used in marketing. Also, in some procurements today, you are not welcome with a tender if your company does not hold an appropriate ISO 9000 certificate.
The second reason for acquiring a certificate is a need to improve the company's ability, irrespective of the customers' view on certification. The certificate is used as a target for the improvement of the company's management, procedures, etc., with the certification by external auditors as a combined stick and carrot.