ISO Standards – Part 2: Can’t see the wood for the trees?

Welcome to the second of this three part series of blogs related to Quality Management and supporting processes, where we will take a look at another “companion” document created to help businesses navigate the implementation of a management system that meets the requirements of ISO 9001:2015.

The document under discussion is ISO /IEC/ IEEE 90003 – Software engineering – Guidelines for implementation of ISO 9001:2015. The first edition of  ISO /IEC/ IEEE 90003 was published in 2018 and was developed to provide guidance to organisations involved in the supply, development, operation and maintenance of computer software and other related support services. 

Software development is an extremely complex and fast paced industry which widely employs the use of “Agile Methodologies” and the “Agile Manifesto” which when compared to the requirements of ISO 9001:2015 would, at first reading, seem to repel from each other like oil and water.

Some of the key points of the Agile manifesto are:

• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Responding to a change over following a plan

Agile methodologies, as the name would suggest, are heavily focused on speed and lean development activities to get working software to the client as quickly as possible. When looking at the examples above from the Agile Manifesto and coupling them to the methodologies used it can appear difficult to align this to the need for processes, traceability, control and documented evidence required by an ISO 9001:2015 compliant management system. 

The great news is that ISO 9001:2015 has been developed to be flexible enough so that it can be molded to fit any organisation. ISO /IEC/ IEEE 90003 provides a means of understanding how software organisations can demonstrate compliance to the requirements of ISO 9001:2015 without having to abandon the Agile methodologies on which their business functions.

ISO /IEC/ IEEE 90003 states the content ISO 9001:2015 standard and goes on to provide users with guidance on the types of documented evidence that could be used to demonstrate compliance with the requirements of ISO 9001:2015. It provides a few key definitions related to the software industry and then moves through each clause providing industry relevant examples to demonstrate compliance.  

ISO /IEC/ IEEE 90003  provides guidance in relation to clause 6.1.1 of ISO 9001:2015, which is entitled Risk identification,  it states that “It is imperative to understand the level of risk associated with the use of the software and the consequences of its failure so that adequate measures can be put in place to prevent failures form occurring”. The guidance then states that the severity of the measures implemented should be appropriate to the level of risk and consequence of that potential failure. Examples of specific risks to be considered are:

• Quality & availability of software tools
• Safety & security issues
• Capability and experience of the organisation or its suppliers

Another good example of guidance provided by ISO /IEC/ IEEE 90003 can be found in its commentary around subclause 7.1.3 Infrastructure. The guidance outlines that when a software organisation is taking an account of its infrastructure items such as the following should be considered:

• Any tools required for analysis, testing and configuration management etc.
• Tools for code creation
• Network tools e.g. disaster recovery tools

As you can imagine, the level of detail contained within ISO /IEC/ IEEE 90003 is too vast to include in a single blog entry and what I have included here is but the smallest of snapshots. My advice to those of you in the software industry looking to attain ISO 9001:2015 certification but are struggling to translate its requirements to your operations, would be to get yourself a copy of ISO /IEC/ IEEE 90003  (which was developed with help of experts from the software industry) and start clearing a path out of the confusion towards having an internationally recognised, ISO 9001:2015 compliant management system.

Join me next time for the third and final blog of this series which will look at ISO 14971 – Risk Management for medical devices and its companion document ISO TR 24971.

By Stuart Hardie, Quality Management Consultant