Lecture 5: The Implementation and Management of Quality Management

Systems.

Aim
This lecture discusses and outlines:
- the implementation of an ISO 9001 compliant QMS,
- the process, system and documentation approach of ISO 9001,
- the approach required for effective quality management systems,
- the steps to certification against ISO 9001.
These notes are supplemented by reference to three appendices (see Summary).

Implementation
Implementing a quality management system is fundamental to ISO 9001 certification; how is this
to be done? Three possible ways are;
- let the standard determine the system - implement those requirements of ISO 9001 that are
applicable,
- let the processes determine the system - document what is done by the organisation, then
compare these with ISO 9001,
- design the quality management system – put quality assurance requirements and processes
together with the processes and products of the organisation.
The first way creates a system that is often another task on top of existing tasks – systems like
this are not efficient and not liked. The second may give documentation that is proof of what is
done, but it unlikely to be a coherent and relevant set of documentation unless it also describes
the processes involved. The last is the most effective. It develops a work system that, by
redesigning business and software processes and procedures to incorporate quality assurance
requirements and processes, produces the products and services to satisfy the customer. At the
heart of the systems redesign is the use of the process and system approach described in ISO’s
“Guidance on the Process Approach to quality management systems” which is available at
http://isotc176sc2.elysium-ltd.net/Process.doc
It is not always safe to assume that a software quality management system will completely cover
an organisation; the first thing an Auditor would do is check that the scope of the system is
clearly defined. What is safe to assume is that while a quality management system will exist at
the organisational level, individual projects will have their own specific, customised quality
management systems.
From first contact with ISO 9001:2000 there are a number of steps any organisation will pass
through. Many organisations will have already been exposed to quality management systems in
one form or another, if so then the time it takes to reach any step, incorporate it and move on to
the next will probably be considerably less than for an organisation new to a system such as ISO
9001:2000. It is important, though, to realise that these steps must take place.
Awareness
Management must become familiar with the ISO 9001 standard and the steps in implementing it.
Whoever is responsible for the introduction and implementation of the standard, almost always
the quality manager (and we shall henceforth assume the quality manager), usually attends an
approved course and becomes the information source and promoter of the standard, within
management and within the organisation. Quality Policy is defined and approved by
management at this step and is then publicised and promoted.
Establish a team
A team is usually set up, under the management and direction of the quality manager. It is the
team’s job to become the experts and champions for the standard, and to develop sufficient
influence to overcome obstacles to implementation of the standard within planned and agreed
timescales. To do the job, sufficient resources must be made available, and accounted for.
Determine the existing quality management in the organisation
“How do you know which way to go, if you don’t know where you are?” Any current quality
systems and their effectiveness need to be reviewed. A report of the current status of an
organisation against ISO 9001:2000 serves to highlight what areas need to be addressed, and
what the priorities for attention are. The clear conclusion to this step is to plan how to bring the
organisation up to the standard; the report acts as a roadmap for improvements.
Prepare an action plan
Achieving readiness for an ISO 9001:2000 audit takes time and planning. An action plan should
include; the actions that need to be taken, the resources needed for them, the estimated time to
complete the actions, identified indicators that the actions have been successfully performed.
Implement the plan and track its progress
They say that in wartime, the plans rarely survive contact with the enemy. Implementation must
be managed, i.e., progress checked, obstacles addressed and overcome, timescales and resources
reviewed and sometimes revised, and reporting achieved. Progress needs to be visible at and to
all levels for an organisation (and its management) to maintain its motivation.
ISO Readiness Assessment
As with any other project, an organisation brought up to ISO 9001 standard should be tested
before it is audited by a Certification Body. Although not absolutely necessary, an independent
assessment of readiness can be very useful. Be prepared to act on the findings; if the
implementation can be seen as the ‘plan’ and ‘do’, the readiness assessment as the ‘check’, the
corrections stemming from the findings can be seen as the ‘act’.
History shows that for organisations to go from Awareness to Readiness is likely to be
somewhere between one to two years.
For a comparison with the steps to launch a software quality assurance programme, as advocated
by Watts Humphrey, the figure behind the Software Engineering Institute’s Capability Maturity
Model, refer to Appendix 1.
Typical activities (and the related clauses of ISO 9001) for developing an effective system are
listed in Appendix 2.
The Process, System and Documentation Approach
The process and system approaches are described in ISO’s “Guidance on the Process Approach
to quality management systems” - available at http://isotc176sc2.elysium-ltd.net/Process.doc, or
refer to Appendix 3.
The guidance document covers; the process approach (understanding its meaning, its relation to
PDCA, its implementation in respect of ISO 9001 requirements), the system approach to
(quality) management, and the documentation of processes.
Process
The principle involved is management of, and as, a process. ISO 9000:2000 defines a ‘Process’
as a ‘Set of interrelated or interacting activities which transforms inputs into outputs’. The cycle
of activities in any process can be summed up as; plan, do, check, act.
Plan, Do, Check, Act.
Heavily popularised by Deming, the PDCA cycle is automatic in good management systems.
The cycle is applied to all of the work processes in an organisation; the four stages of the cycle
are defined as follows:
“Plan” establish the objectives and processes necessary to deliver results in accordance with
customer requirements and the organization's policies (what to do, how to do it);

“Do” implement the processes (do what was planned);

“Check” monitor and measure processes and product against policies, objectives and requirements
for the product and report the results (did things go according to plan?);

“Act” take actions to continually improve process performance (how to do it better next time);”
(ref: Appendix 3)
System
The system approach to management is inextricably linked to the process approach. There are
work systems, management systems, including quality management systems, they are interlinked
and they all have their processes. Any effective quality management system therefore has many
interrelated processes, for example, internal auditing, management review, resource
management, document control, etc.
With so many processes there is a high requirement for clear process and system boundaries. It
is necessary that everyone involved knows their role. A good Quality Management System
should have the answers to such questions as:
- How do people know what to do?
- Do they know how well they are expected to do it?
- Who has the responsibility/authority to decide, agree, and approve?
- Do people have the requisite training/skills/experience?
- Do people know how well or otherwise they are performing?
The answers can be very revealing - especially to an Auditor!
Most software development is organised into projects, each with a Project Manager having,
hopefully, well-defined responsibilities. For effective project management, it is essential that the
respective authorities and responsibilities of the Project Manager, his or her management, and
the SQA group are complementary. That means that the Project Manager must have the
authority to do the job effectively; including task allocation, setting priorities, change
management, functional contract management and responsibility for quality. The Project
Manager's own manager must have the authority of securing and allocating resources, and the
responsibility of providing the monitoring of and support to the Project Manager. The SQA
group must have the authority to define standards and procedures, track quality and report to
management, and provide support to the project.
Documentation and Records
Quality Management Systems need to documented, implemented, and effective – an Auditors
job is to verify exactly these points. Many different types of documents and records expected by
a Quality Management System, organisations usually present their system as a layered structure
similar to the one shown.

POLICY

CONTRACT MANUAL
SPECIFIC
PLANS
PROCEDURES

WORK
INSTRUCTIONS STANDARDS

The existence of the various types of documentation identified will depend on the size and
complexity of the organisation, and the way that the Quality Management System was initially
developed. The precise names given to the various documents also differs from organisation to
organisation.
The implementation, operation and the effectiveness of the QMS is shown by the records it
produces. To be conformant with the ISO standard a organisation must maintain a procedure
that states what records are maintained, how long they will be kept for, how they will be kept,
protected and retrieved, and how they will eventually be disposed of.
Organisations developing and maintaining software should retain the following types of records:
- Project deliverables,
- Meeting records,
- Review records,
- Test results,
- Audit reports
- Problem reports,
- Project deliverable release records.
(ref: The TickIT Guide, Issue 5.0)
QMS Effectiveness
The effectiveness of any QMS is one of the primary questions in the mind of an Auditor.
Effectiveness is often most clearly displayed at the boundaries between functions and groups:

Purchaser - Development Organisation

Development - Subcontractor (if any)

Development Group - Support

Management - Development Group

Marketing - Development Group

Q.A. Function - Development Group, Project

Development Group - User

Project Manager - Management

These are all critical interfaces; common agreement on the objectives is crucial to the quality of
the product. Essentially, if the QMS is being managed correctly there will be effective control of
operations and activities affecting quality together with regular information about performance
and quality achieved. That information will come from a defined data collection, a measurement
programme. ISO 9001:2000 explicitly lays down requirements for Measuring, Analysis, and
Improvement. Any process control and inspection data must be analysed to reveal the
information it contains. For example:
- Incidence of software defects/rework levels vs. targets.
- Time trends.
- Comparing planned and actual periods for tasks.
- Correlation between productivity in function point terms and defect rates.
The key word is FEEDBACK. Feedback to project management, their management, project
staff, in fact, to a greater or lesser extent, everyone involved - even, at times, the purchaser.
If there are problems, management must ensure that something is done to correct the situation.
Management must ensure that there is corrective action.
Corrective action must be considered and agreed by the various parties concerned. A record of
corrective action decisions must be kept, for example, a record of, or minutes of meetings. The
effectiveness of the action taken must be reviewed. Further corrective action must be planned as
required.
Preventative action is essential to improving quality on an ongoing, a continual, basis. It is pre-
emptive, it looks for defects and their causes, identifies the action to be taken, and afterwards
reviews its effectiveness.
ISO 9001:2000 Certification Process
Once an organisation has implemented and is successfully managing an ISO 9001:2000
compliant QMS, it is unlikely to be a surprise if it decides to seek certification to the standard.
The certification process is conceptually straightforward; preparation, audit, correct any
problems, verify, grant of the certificate. Underlying the steps must be a realisation of the two
abiding ideas at the core of thinking behind ISO 9001:2000. They are, first, the Quality
Principles discussed in Lecture 2, second, a fundamental plan-do-check-act approach to all
processes in software development, customer interaction, and the quality management system.
An outline of the steps in a certification looks roughly as follows:
• Implement the Quality Management System
• Perform a readiness audit, review the feedback and assign any corrective actions
• Track the implementation of the corrective actions
• Make the decision to go for the official assessment, contact the certification body/ registrar
• Agree the assessment date, brief participants and organise all the logistics for the event
• External Audit team perform the on-site assessment
• Audit team provide an evaluation report and findings
• Findings are reviewed and corrective actions carried out
• Corrective actions are verified prior to registration
• Registration is granted
• Follow up audits ensure the QMS remains compliant – use the feedback for improvements
• Plan for complete re-registration in three years
Auditors will be looking for; definition and documentation of processes, plans and records of
achievement, effectiveness and efficiency of the QMS, and last but not least an emphasis on
improvement and attention to the customer.

Summary
This lecture has discussed and outlined; the implementation of an ISO 9001 compliant QMS, the
process, system and documentation approach of ISO 9001, the approach required for effective
quality management systems, and the steps to certification against ISO 9001.
The scope of Quality Management Systems is at both the organisational level and the individual
project level. The effectiveness of QMSs can be very clearly assessed at the interfaces between
groups at the project level. Responsibilities need to be clear; QMSs need to be documented,
implemented and effective.
These notes have been supplemented by reference to three appendices.
Appendix 1 – Watts Humphrey's guidelines for launching Software Quality Assurance
programmes have been looked at, and a few of the mistakes it is possible to make have been
pointed out.
Appendix 2 - Typical activities for developing an effective QMS.
Appendix 3 - “Guidance on the Process Approach to quality management systems”.