ISO 9001:2000 for Software and Systems Providers An Engineering Approach Robert Bamford and William J. Deibler CRC PR ESS Boca Raton London New York Washington, D.C. Copyright © 2004 by Taylor & Francis OTHER COMPUTER BOOKS FROM AUERBACH AND CRC PRESS The ABCs of IP Addressing Information Security Policies, Procedures, Gilbert Held and Standards: Guidelines for Effective ISBN: 0-8493-1144-6 Information Security Management, 2nd Edition The ABCs of LDAP: How to Install, Run, and Thomas R. Peltier Administer LDAP Services ISBN: 0-8493-1958-7 Reinhard Voglmaier ISBN: 0-8493-1346-5 Information Security Risk Analysis Thomas R. Peltier The ABCs of TCP/IP ISBN: 0-8493-0880-1 Gilbert Held ISBN: 0-8493-1463-1 Interpreting the CMMI: A Process Improvement Approach Building an Information Security Awareness Margaret Kulpa and Kent Johnson Program ISBN: 0-8493-1654-5 Mark B. Desman ISBN: 0-8493-0116-5 IS Management Handbook, 8th Edition Carol V. Brown and Heikki Topi Building a Wireless Office ISBN: 0-8493-1595-6 Gilbert Held ISBN: 0-8493-1271-X Managing a Network Vulnerability Assessment Thomas R. Peltier and Justin Peltier The Chief Security Officer: A Guide to ISBN: 0-8493-1270-1 Protecting People, Facilities, and Information Ron Hale Maximizing the Enterprise Information ISBN: 0-8493-1952-8 Assets Timothy Wells The Complete Book of Middleware ISBN: 0-8493-1347-3 Judith Myerson ISBN: 0-8493-1272-8 A Practical Guide to Security Engineering and Information Assurance Computer Telephony Integration, Deborah S. Herrmann 2nd Edition ISBN: 0-8493-1163-2 William A. Yarberry, Jr. ISBN: 0-8493-1438-0 Server Disk Management in a Windows Environment Creating Components: Object Oriented, Drew Robb Concurrent, and Distributed Computing in ISBN: 0-8493-2432-7 Java Charles W. Kann Six Sigma Software Development ISBN: 0-8493-1499-2 Christine B. Tayntor ISBN: 0-8493-1193-4 Database Design Using Entity-Relationship Diagrams Software Engineering Measurement Sikha Bagui and Richard Karp John Munson ISBN: 0-8493-1548-4 ISBN: 0-8493-1503-4 Electronic Bill Presentment and Payment A Technical Guide to IPSec Virtual Private Kornel Terplan Networks ISBN: 0-8493-1452-6 James S. Tiller ISBN: 0-8493-0876-3 Information Security Architecture: An Integrated Approach to Security in the Telecommunications Cost Management Organization Brian DiMarsico, Thomas Phelps IV, Jan Killmeyer Tudor and William A. Yarberry, Jr. ISBN: 0-8493-9988-2 ISBN: 0-8493-1101-2 Information Security Management Handbook, Web Data Mining and Applications in Business 5th Edition Intelligence and Counter-Terrorism Harold F. Tipton and Micki Krause, Editors Bhavani Thuraisingham ISBN: 0-8493-1997-8 ISBN: 0-8493-1460-7 AUERBACH PUBLICATIONS www.auerbach-publications.com To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 E-mail: [email protected] Copyright © 2004 by Taylor & Francis CMM is registered in the U.S. Patent and Trademark Office. Capability Maturity Model is a registered ser- vice mark of Carnegie Mellon University. Rational Unified Process and RUP are registered trademarks or trademarks of Rational Software Cor- poration in the United States and/or other countries. Library of Congress Cataloging-in-Publication Data Bamford, Robert ISO 9001:2000 for software and systems providers : an engineering approach / by Robert Bamford and William J. Deibler. p. cm. Includes bibliographical references and index. ISBN 0-8493-2063-1 (alk. paper) 1. ISO 9000 Series Standards. I. Deibler, William J. II. Title. TS156.6.B36 2003 620′.0068′5—dc22 2003055803 This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use. Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying. Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe. Visit the CRC Press Web site at www.crcpress.com © 2004 by CRC Press LLC Auerbach is an imprint of CRC Press LLC No claim to original U.S. Government works International Standard Book Number 0-8493-2063-1 Library of Congress Card Number 2003055803 Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 Printed on acid-free paper Copyright © 2004 by Taylor & Francis INTRODUCTION This volume incorporates more than a decade of experience with ISO 9001, a standard created by committees of volunteers working under the aegis of the International Organization for Standardization (ISO). This volume is intended for individuals who are responsible for using ISO 9001 to implement or revi- talize systematic process improvement in engineering organizations. Since 1989, the authors of this volume have assisted organizations in implementing ISO 9001–based processes. Their clients range from start-up organizations with fewer than ten people to multinational corporations with thousands of employees. The authors have worked with organizations in a wide variety of industries, from sheet metal shops and processed materials manufacturers to developers of semiconductor manufacturing equipment and stand-alone, commercial software products. Although their focus has been on software, hardware, and systems engi- neering practices, they have worked extensively in all of the functions that deliver or support the delivery of value to customers—from sales, marketing, order processing, and legal, to engineering and manufacturing, to logistics and warehouse operations, to technical support, and to MIS, credit, finance and administration, and human resources. This volume is based on the material in the authors’ course, A Detailed Introduction to ISO 9001. This course, originally developed in 1990, based on the 1987 version of ISO 9001, reflects the authors’ commitment to ensuring that client organizations develop the understanding necessary to maintain and improve their own processes. Based on their extensive experience with the no-nonsense Silicon Valley culture, without such systematic knowledge transfer, the authors’ experience has been that when the con- sultant leaves, so does most of the improvement. Systematic knowledge transfer is the only way to ensure that the improvement stays when the consultant leaves. The course, which has evolved as the standard has evolved, from 1987 to 1994 to 2000, has been offered hundreds of times to thousands of stu- dents. It has been presented publicly, through various extension campuses of the University of California and California State University and through professional organizations, including the Audit and Software Divisions of the American Society for Quality and the Software Engineering Institute at Carnegie Mellon University. It has also been selected by numerous compa- nies for on-site training of their ISO 9001 implementation teams. The extended history of the course brings three benefits to the reader of this volume. The first benefit is that this volume weaves the information in ISO 9001 into a framework that has been proven to be of use to a broad audience. The concepts and presentation have been tested by and refined with input from participants with every level of prior experience—from individuals new to ISO 9001 to registrars’ auditors and implementers with years of experience with this and other standards. These individuals have come from a wide variety of industries and specialties and have represented organizations ranging in size from under 200 to over 5,000 employees. The second benefit is that the grounding in earlier versions of the stan- dard provides readers with unique insights into the precedents that have formed the latest version of the standard. The effect of the lack of such a perspective is illustrated by the many Internet discussions in which previ- ously exhausted issues reappear and are the subject of lengthy speculation and analysis. The third benefit derives from the extensive validation the course has received. In addressing the diverse backgrounds of their students and con- sulting clients, the authors have taken each offering of the course to be an opportunity to test, expand, and refine their understanding of the many ways in which organizations can gain the greatest possible bottom-line business benefit from ISO 9001:2000. WHAT’S IN THIS VOLUME This volume is divided into three sections. The first section contains Chap- ters 1 and 2. This section presents an implementation and maintenance roadmap with suggested techniques for ensuring that the organization secures and continues to accrue the greatest possible benefit from adopting ISO 9001 as a global standard for its processes. The first section concludes with an unavoidable discussion of the acronyms, specialized terms, and concepts that inevitably insinuate themselves into any discussion of ISO 9001. The second section provides a paragraph-by-paragraph analysis of ISO 9001. In this analysis, the paragraphs are presented, for the most part, in the order in which they appear in the standard. Because the paragraphs do not stand alone, paragraphs are also introduced where they fit logically. Each paragraph is examined to determine how its requirements might be effectively and efficiently satisfied by and to the benefit of an engineering organization. The goal of presenting the paragraphs from this perspective Copyright © 2004 by Taylor & Francis is to ensure that the reader understands not only the requirements encom- passed in the paragraphs but also the relationship among the paragraphs— especially when that relationship is critical to efficient implementation. By taking a rigorous approach to the language in the standard, the authors of this volume build a foundation in fact that substantially reduces the effort an implementation team spends in resolving seemingly conflicting interpre- tations. In particular, it is intended that readers be able to identify various ways in which the requirements of the paragraphs can be—and in many cases are—satisfied in their organizations. CONSIDER: The paragraphs do not stand alone. Throughout this volume, one of the authors’ goals is to establish and reinforce readers’ understanding that ISO 9001:2000 is about good engineer- ing practices. If a requirement in the standard does not appear to support a fundamental, relevant engineering practice or does not appear to offer any benefit, further study is indicated. It is the experience of the authors of this volume that an organization can demand that all of the requirements of ISO 9001 be implemented in ways that deliver value to the organization, its employees, and its customers. A value-based implementation takes effort and investment, but it is also the experience of the authors that adherence to a process or adoption of a new tool or methodology is propor- tional to the perceived value. A process that does not have any perceived value will not be followed for long—if at all. CONSIDER: Demand value. The third section comprises a number of appendices, referenced throughout the volume. These appendices provide background, examples, samples, and reference material. The last page in this volume provides the information needed to submit comments and questions to the authors. WHAT’S NOT IN THIS VOLUME (AND WHY AND HOW TO GET IT) ISO 9001:2000 is not provided. First, it is a copyrighted document and would add unnecessarily to the cost of this volume for readers who already have a copy of the standard. Second, it is important that the reader become comfortable with the look and feel of ISO 9001:2000 in its published, official form, rather than as a section or series of extracts embedded in a printed or electronic book. In fact, the 32-page standard (as provided by the Amer- ican Society for Quality) is the only source of information the reader can trust without reservation. Books about the standard (including this one), booklets, pamphlets, videotapes, movies, seminars, computer-based self- study courses, descriptions of previous experience, and Internet discussions are useful, but they require careful evaluation to determine whether they are credible and accurate and whether, if accurate, they are relevant to the reader’s current circumstances. The bases for this careful evaluation are common sense and what is actually stated in ISO 9001:2000. Although it is not necessary, consider obtaining a copy of ISO 9001:2000 before proceeding. In particular, to simplify word searches, consider pur- chasing a downloadable soft copy. Standards are available from: (cid:129) National standards bodies To find a list of national standards bodies, go to the ISO home page, at http://www.iso.ch, click on Enter, then click on Members and follow the instructions provided. (cid:129) ISO International Organization for Standardization, Central Secretariat 1, rue de Varembé CH-1211 Genève 20 SWITZERLAND TEL: 011-41-749-01-11 FAX: 011-41-22-733-34-30 http://www.iso.ch (cid:129) ASQ American Society for Quality P.O. Box 3066 611 East Wisconsin Avenue Milwaukee, WI 53201-3066 TEL: 414-272-8575, 800-248-1946 FAX: 414-765-8661 http://www.asq.org Copyright © 2004 by Taylor & Francis Table of Contents Section I A Brief Orientation Chapter 1 An Implementation Roadmap PARAGRAPH 4.1 a: Identify the Processes PARAGRAPH 4.1 b: Determine the Interactions PARAGRAPH 4.1 b: Determine the Sequence of Processes PARAGRAPH 4.1 c: Map the Organization’s Processes against the Standard PARAGRAPH 4.1 d: Planning and Communication PARAGRAPH 4.1 e: Monitor and Measure PARAGRAPH 4.1 f: Execution Representing the Implementation Process Charting an Alternate Path through the Paragraphs Recommendations for Implementers: Establishing ISO 9001 as a Framework Principle 1: ISO 9001:2000 Is a Requirements Specification About Registrars and Their Auditors Principle 2: It Is Easier To Achieve Compliance Than To Maintain Compliance Principle 3: Manage the Implementation as if It Were Product Development Recommendations for Maintainers: Addressing the Changes in ISO9001:2000 Points To Focus on for Maintainers Selecting a Scope To Register or Not To Register? Selecting a Registrar About Accreditation Selection Criteria Chapter 2 Terminology and Definitions What Is in a Name: ISO 9000 and Standard Quality and Quality Management System Shall, Should, and Other Formalities Requirements versus Design: How Flexible Is the Standard? Effective Ensure The Purpose of ISO 9001 Registrars and Registration Revisited Section II ISO 9001: A Paragraph-by-Paragraph Analysis Chapter 3 The Structure of ISO 9001 Chapter 4 PARAGRAPH 4 Quality Management System PARAGRAPH 4.1 General Requirements Implementation Considerations PARAGRAPH 4.2 Documentation Requirements PARAGRAPH 4.2.1 General [Requirements for Documentation] PARAGRAPH 4.2.2 The Quality Manual PARAGRAPH 4.2.3 Control of Documents PARAGRAPH 4.2.4 Control of Records PARAGRAPH 4—Summary Chapter 5 PARAGRAPH 5 Management Responsibility PARAGRAPH 5.1 Management Commitment PARAGRAPH 5.2 Customer Focus PARAGRAPH 5.3 Quality Policy Implementation Considerations: Beyond ISO 9001 PARAGRAPH 5.4 Planning PARAGRAPH 5.4.1 Quality Objectives PARAGRAPH 5.4.2 Quality Management System Planning PARAGRAPH 5.5 Responsibility, Authority, and Communication PARAGRAPH 5.5.1 Responsibility and Authority PARAGRAPH 5.5.2 Management Representative PARAGRAPH 5.5.3 Internal Communication PARAGRAPH 5.6 Management Review Chapter 6 PARAGRAPH 6 Resource Management PARAGRAPH 6.1 Provision of Resources PARAGRAPH 6.2 Human Resources PARAGRAPH 6.2.2 a: Implementation Considerations for Determining Necessary Competence PARAGRAPH 6.2.2 b: Implementation Considerations for Satisfying Needs PARAGRAPH 6.2.2 c: Implementation Considerations for Evaluating Effectiveness Copyright © 2004 by Taylor & Francis PARAGRAPH 6.2.2 d: Implementation Considerations for Awareness of Quality Objectives PARAGRAPH 6.2.2 e: Implementation Considerations for Training Records PARAGRAPH 6.3 Infrastructure PARAGRAPH 6.4 Work Environment Chapter 7 PARAGRAPH 7 Product Realization PARAGRAPH 7.1 Planning of Product Realization Related Paragraphs Implementation Considerations PARAGRAPH 7.2 Customer-Related Processes PARAGRAPH 7.2.1 Determination of Requirements Related to the Product PARAGRAPH 7.2.2 Review of Requirements Related to the Product PARAGRAPH 7.2.3 Customer Communication PARAGRAPH 7.3 Design and Development PARAGRAPH 7.3.1 Design and Development Planning PARAGRAPH 7.3.2 Design and Development Inputs PARAGRAPH 7.3.3 Design and Development Outputs PARAGRAPH 7.3.4 Design and Development Review PARAGRAPH 7.3.5 Design and Development Verification PARAGRAPH 7.3.6 Design and Development Validation PARAGRAPH 7.3.7 Control of Design and Development Changes PARAGRAPH 7.4 Purchasing—A Brief Note PARAGRAPH 7.5 Production and Service Provision PARAGRAPH 7.5.1 Control of Production and Service Provision PARAGRAPH 7.5.2 Validation of Processes for Production and Service Provision PARAGRAPH 7.5.3 Identification and Traceability PARAGRAPH 7.5.4 Customer Property PARAGRAPH 7.5.5 Preservation of Product PARAGRAPH 7.4 Purchasing PARAGRAPH 7.4.1 Purchasing Process PARAGRAPH 7.4.2 Purchasing Information PARAGRAPH 7.4.3 Verification of Purchased Product PARAGRAPH 7.6 Control of Monitoring and Measuring Devices Implementation Considerations When Equipment Is Found not to Conform to Requirements For Software Establishing a Calibration Program Find Service Providers Implement, Monitor, Follow Up PARAGRAPH 7 Conclusions