Quality Assurance

As per this clause of ISO 9001:2008, there shall be Quality Management System addressing all aspects of the software development including support activities. The Quality management system of software producing organization should define and manage tasks related to the following processes:

1. The primary life cycle process of acquisition, supply, development, operation and maintenance of software.
2. The organization life cycle processes of management, infrastructure, improvement and training.
3. The supporting life cycle processes of documentation, configuration management, verification, validation, joint review, audit and problem resolution, which are needed to implement the primary and organizational.

This QMS shall be implemented and continuously improved. The improvement of QMS can result in:

• Increased control of the existing processes like Business Development, Project Management, and Change Management etc.
• Improvement of results achieved through the defined processes. The examples of results can be Defect Density, Schedule Variance, and Requirements Creep etc.

All applicable processes such as Business Development Process, Contract Process, Project Management Process, Requirements Management Process, Design and Development Process, Configuration Management Process, Release Process etc. shall be identified.

These processes shall have interaction with each other and this shall be mentioned in the processes. This could be done via flow charts or some other diagrams as appropriate. The software organizations, should define the sequence and interaction of the life cycle processes in:

• Procedures that define life cycle models for development such as waterfall, incremental or evolutionary.
• Development Plans, which should be based upon a life cycle model.

The outsourced process must also have interaction with other Quality management systems process. Examples:

• The output of Requirement Management Process is approved requirement document which is input for Design and Development Process.
• The output of feasibility study (Feasibility Report) going as an input into design stage.
• Approved detail design document going as an input into coding phase.

The criteria and methods should be defined to ensure the successful completion and effectiveness of the process. E.g. defining the process through ETVX (Entry, Task, Verification, and Exit) for all the tasks.

The availability of resources (human resources, infrastructure, environment, information etc.) should be ensured for successful implementation and monitoring of processes. E.g. successful execution of the project shall require human resources with some specific skills, computers, software tools etc. These resources shall be identified by the Project Planning and Project Management Process. Monthly SIR (Structured in-depth Review) or WSR (Weekly Status Report) could be the information to monitor the project status.

There shall be monitoring, measuring and analysis of the defined processes. The tolerance limits shall be set for pre-defined parameters which shall be monitored and action taken when they are exceeded. E.g. Schedule and Effort Variance could be the parameters which could be measured, monitored and analysed at pre-defined intervals or at each phase end. The goals and targets shall be defined for these parameters. When these parameters exceed the limit, the root cause shall be analysed and accordingly correction, corrective and preventive actions shall be applied. These actions shall be initiated to achieve continuous improvement.

If the organization outsources any of its process that has an impact of the product quality, the same should also be controlled. The outsourcing policy should be defined and implemented. E.g. if testing the product is to be outsourced, then the same shall be identified in the Quality Management System as well as in the Project Management Plan of the concerned project.

If a software organization chooses to outsource any process like testing or database design or even some part of coding which affects product / service conformity with requirements, the organization shall ensure control over such processes. These processes must be part of the quality management system.

The supplier / service provider can be of two types:

• Outside from the organization: An outsourced process generally performed by a supplier or service provider who is totally independent from the software organization.
• Within same organization but from a separate department: Supplier / service provider can also be part of the same organization but from a separate department that is not subject to the same quality management system. For example if an organization have multiple offices in different cities having different Quality management systems, then supplier can be from any other location.

In both cases, for the selection of supplier / service provider, the ISO 9001:2008 clause 7.4 Purchasing is applicable. Some kind of controls needs to be in place to ensure that the outsourced activities or tasks are performed according to the

• Requirements of ISO 9001
• Requirements of the organization’s quality management system

The type and extent of controls depend on the:

• Risk or impact of the outsourced process on the organization’s capability to provide product that conforms to the requirements.
• The competence of the supplier / service provider to meet the process requirements

If the software producing organization does not have the enough competence to carry out the process itself, and chooses to outsource it; then the organization may involve external specialists to ensure that the controls proposed by the supplier of the outsourced process are adequate. The controls have to be based on the need for product conformity to requirements including statutory and regulatory requirements.

However, if it is not possible to verify the output of the outsourced process, then a control needs to be in place for the validation of the output. For this validation, the ISO 9001:2008 clause 7.5.2 Validation of processes for production and service provision is applicable.