Light-Weight Software Process for ISO 9000?

Disgruntled Software Engineer asks: "I work for a large engineering firm and it was recently decided in our company to have our software be ISO 9000 compliant. There exists a software development process in my organization, but it is extremely heavy-weight -- over two-dozen documents totaling 200 pages each! My team doesn't even have the time to read such a process, much less abide by it. I have been tasked by my team in creating a more light-weight process for our team to follow so that our software can pass the audit that is coming soon, but reading through the convoluted ISO website is not helping, and a 'plain English translation' that I found of the standard contains a bulleted list that is 17 pages long! I have not been able to get any idea of how to design a light-weight software engineering process that is ISO 9000 compliant with all of these extremely verbose documents and somewhat odd requirements. Also, the software that my team produces is more for research than for productization, and the dynamic nature of research does not mix well with the rigidity of a software process. What are the bare-minimum set of requirements for ISO 9000 software engineering compliance? What are some tips for designing a process that is light-weight and causes minimal damage in terms of efficient software development? Do you have any interesting experiences or wisdom regarding ISO 9000 and software engineering?"

The Tao of Programming

[Profane+MuthaFucka]

This may help you make sense of the ISO 9000 requirements which management has decreed must be used:

  7.2

In the east there is a shark which is larger than all other fish. It changes into a bird whose wings are like clouds filling the sky. When this bird moves across the land, it brings a message from Corporate Headquarters. This message it drops into the midst of the programmers, like a seagull making its mark upon the beach. Then the bird mounts on the wind and, with the blue sky at its back, returns home.

The novice programmer stares in wonder at the bird, for he understands it not. The average programmer dreads the coming of the bird, for he fears its message. The master programmer continues to work at his terminal, for he does not know that the bird has come and gone.

Re:The Tao of Programming

[Evil+Pete]

Actually, I think it is funny that the parent post is rated "Funny" instead of insightful.

Least Commented Story Ever

[Ajmuller]

I hereby submit this as the least commented story ever.
Either the subject is just painfully boring or we are having another power outage.....

Lightweight ISO-9000 is an oxymoron

[Usquebaugh]

ISO-9000 is not meant to ease the software development process. It's design is to make the process auditable. It takes some very good ideas about development and totally buries them in bullshit.

If you look who pushes for ISO-9000 it's large and slow moving companies that are used to a large and wasteful style of doing business. The people that sing the praises of ISO-9000 are not usually the ones who have to do the work.

If I were you I'd look for a way to get out from under ISO-9000. It that's not possible decide wether you want to stay with a company that thinks so little of it's staff that it mandates the use of a procedure that takes thousands of pages to describe.

I've been through BS-5750, ISO-9000, SOX, 21CfrPart11 etc etc etc and it's always the same shit. Software is unlike any other process/tool/discipline that man has ever tried to control, the problems of bad software will not be solved by old and tired audit systems. There is no silver bullet that will address all problems!

Re:Lightweight ISO-9000 is an oxymoron

Besides: the money wasted for an audit is in every fucking case better spent on real marketing instead of blindly believing some asshat's "oh, if you are certified, the customers will come to you in flocks!"-bullshit.

Re:Lightweight ISO-9000 is an oxymoron

[carpeweb]

ISO-9000 is not meant to ease the software development process. It's design is to make the process auditable. It takes some very good ideas about development and totally buries them in bullshit.

I wish I had a few mod points ... well said!

One could infer the same about Disgruntled Software Engineer's firm, which already has

... a software development process [with] over two-dozen documents totaling 200 pages each!

Standards seem like a great idea. Unfortunately, some people extrapolate to conclude that more and more detailed standards must be an even greater idea. (e.g., "a bulleted list that is 17 pages long!")

Having said that, I think there may be a way to give DSE an improvement on two fronts. As I see it, DSE needs two things:

1. A document to hand to the PHBs that will hopefully achieve ISO 9000 compliance or satisfy the PHBs that it is "better" (not as crazy as it sounds, or maybe crazier, depending on your PHB quotient)
2. A streamilined process to follow in the real world

DSE's own set of documents would make a great basis for an ISO submission. It's already heavy-weight and not even read by the people who are supposed to follow it. Perfect. What needs to be done with this (not a small task, unfortunately, but probably one that can be pawned off on some unsuspecting intern or "process expert", i.e., someone without anything important to do, like work) is to create a mapping between DSE's existing documents and the ISO 9000 documents. The desired outcome of this seemingly pointless and mind-numbing exercise, of course, is to show the PHBs how DSE has already complied with ISO 9000 --- hopefully even exceeded them. No one reads much except section headers and lead/summary paragraphs (and mabye, maybe the first page of a 17-page bulleted list), so this is definitely a feasible direction. Just claim that the existing (documented, not real) processes cover every one of the ISO 9000 requirements by drawing arrows between the two sets of requirements and then saying something like "we developed our own internal discipline in response to intrinsic requirements of our domain and found that they were, in fact, more rigorous than ISO standards". Preferably, the "map" should actually be a wall-sized map with lots and lots of arrows. Color-coding would be a nice touch (e.g., all the arrows proving DSE already complies with ISO category X should be in Cyan ...). If you can somehow laminate the thing, you're golden, because most people are afraid to question anything encased in acetone or plastic, and if they are tempted, DSE can simply remind them how expensive the map is, which should get the PHBs to respect it and even bless it.

The second objective involves real work, so it needs to involve real people (not interns or "process experts"). Make the existing documentation match what truly works and throw out the rest. Note that, because of the requirements of the first objective, "throw out" needs to mean something like "re-document" (by segregating the truly important and valuable into short documents that are used and keeping the rest in impenitrable documents that no one but interns and process experts will read or discuss. It will also give them something to do.

Note: if you have an intern or process expert who really adds value and don't think it's fair to relegate them to the space I've identified, then reward them with real titles that reflect real value.

There is no silver bullet that will address all problems!

Awww ... and I was so on the same page with you, until you went all cliche on me!

Re:Lightweight ISO-9000 is an oxymoron

>There is no silver bullet that will address all problems!

Yes there are! But only if you use the silver bullets on those that make the standards, push for the standards, write laws mandating the standards, those in congress, etc.

Re:Lightweight ISO-9000 is an oxymoron

[NitsujTPU]

You are wise.

I've witnessed a CMM process developing, but never suffered through ISO-9000.

CMM is interesting in that it has the possibility of being fairly lightweight (at least, level 2 or 3). The problem is that people never get the "point", accountability for ones actions and ability to find out what's going on, and see lots of documents.

It gets worse, because there are always people in charge who practically live for documents, that's why they do things that involve writing lots of them, rather than developing software. Then, you have sycophants who want to ingratiate themselves to these people, they just make lots of "helpful suggestions."

Then, you have a big group of people, kind of lost in what they're doing, but they're going to do it anyway.

In a meeting once, I could sense that our process was getting out of control, and suggested that we have a checklist, so a developer, like I was, at the time, could keep track of all of the pointless crap that he had to do. The checklist idea was added to our process... so, now, the checklist was another thing to do. It had a place for the developer had his manager to sign that he had done each step in the process. My bullets telling me what I had to do to make these people happy became another insane requirement.

When the org in question passed their audit (an external organization that I had been contracted to), they had a celebration touting how many documents they had produced in order to pass. In the end, there was a flood of inconvenient documents that provided no more transparency than there would be in their absence.

I hope that I didn't offend any of my former coworkers with this.

Re:Lightweight ISO-9000 is an oxymoron

[tomhudson]

Of course, if the PHB understood in the first place that ISO is not about initial quality, but about being able to track down who to blame when something fails, they might not be so enthusiastic.

The whole theory behind ISO 9000 is that, by being able to track down what failed, you can fix it and do better next production run. Doesn't work in software, because software is not a "production run". You don't want version 2, 3 and 4 to be an exact copy of version 1.

Re:Lightweight ISO-9000 is an oxymoron

ISO-9000 is not meant to ease the software development process.

Wrong.

ISO-9001 can be horribly misused. However, the purpose of the 9001 is to make business sense. Yes, being auditable is one very strong point, usually much more important than some mysterious "ease".

But with "ease" you do not mean ease of calculating defect trends, ease of finding corrections (from e.g. VCS), etc. you mean ease of not doing your job by "easily" correcting bugs without testing or any followup.

ISO9001 does not bury stuff into shit. It makes it easy to make processes which bury stuff to shit, but its purpose is completely opposite.

I do the (programming/designing) work, I praise the IS0-9001 and I work for a smallish company.

While it is true that bad software will not be solved by audit systems, it is also true that good software can rarely be made without one (unless all the involved are very smart).

Re:Lightweight ISO-9000 is an oxymoron

[Gojira+Shipi-Taro]

Every place I've ever encountered ISO-9000, it's been more insideous. It's been a way of trying to get the skilled workers to document everything they did into an instruction manual so that unskilled workers could be hired off the street and "follow the ISO-9000 docs" to get the job done.

A previous employer tried to get me to do that (write ISO 9000 docs) so that he could hire my replacement at an even lower rate than he was paying me. I was working IT as a network administrator right out of college.

He's out of business now.

Re:Lightweight ISO-9000 is an oxymoron

[Gojira+Shipi-Taro]

Meant to mention this. the whole concept was developed for manufacturing (which is the main purpose of my former employer, a Hearing Aid manufacturer). For that purpose it does have a use. It's still abused there to try to create a manual to eliminate the need for skilled workers.

It's been expanded to IT and Software, as well as other purposes for which it is not suited. These are professions that require actual expertise, rather than the ability to mindlessly and accurately follow a set of instructions.

Re:Lightweight ISO-9000 is an oxymoron

[dnessl]

I've been at a software development shop that obtained ISO-9000 certification while I was there, mostly just to be able to bid on DoD/GSA (U.S. government) work.

Some ISO 9000 history: Originally, ISO 9000 was for manufacturing. Each station had a written procedure, was detailed enough for even a blue-collar, high-scool dropout, and it had few variables: make 100 ("how many") widgets that are green ("color"). So, not much variability. In 2001, ISO 9000 tried to include service industries, like software development. They did this mainly by adding processes. In ISO lingo, processes are meta-procedures, in which you can make a hierarchy of processes with procedures at the tree leaves.

So back to concrete recommendations. There are 2 key things to remember:

(1) Document your current processes, don't write up huge procedures that you don't really do. I assume that you use some sort of basic software methodology, e.g. waterfall or RUP or JAD or Agile or XP. Document, at a high, bullet-point level, the sequence of steps for requirements gathering, analysis, design, unit testing, integration testing, user-acceptance testing, etc. Don't get into how you actually code daily.

(2) Make sure that each procedure fits into the context of the plan-do-check-act cycle that ISO-9000 (and Six Sigma and PMI) loves. This fits well in the iterative software development methodologies like Agile and XP that get early and frequent customer feedback.

To get the initial certification, the auditor will check to make sure that all your procedures and processes are documented. Then for the next annual audit, he'll check that you are actually using your documented procedures/processes. Then still later, he'll look to see that you are performing the check-act feedback loop of the plan-do-check-act cycle (remember, ISO 9000 is really about Quality Improvement).

To make all this easier, I highly recommend 2 things:

(a) Find a Content Management System (CMS) package to store and management your documents, in particular one that has an approvals-based change-control workflow. There are many open source ones.

(b) Hire an ISO 9000 consultant. This will reduce confusion considerably. Make sure you get one who isn't from the old manufacturing school where procedures had to be heavyweight and inordinately detailed for the high-school-dropout blue collar workers, i.e. make sure he understands knowledge workers and service industries. Also make sure he's comfortable with using electronic document storage systems.

Re:Lightweight ISO-9000 is an oxymoron

It's design is to make

"Its".

so little of it's staff

"its".

Get a consultant for a couple days

[bill_mcgonigle]

Save yourself a man-year of frustration and hire in an ISO9000 consultant for a few days. If you already have a good control process in place (say, Bugzilla and SVN) he can help you write a compliant procedure around it. If you try it on your own, odds are you're going to miss out on some obscure requirement and have to resolve it during an audit anyhow.

I was quite skeptical about ISO9000 at first, but I found that it almost always gets management sign-off and therefore you have an opportunity to encode proper software engineering practices in the procedure. When someone later comes to you with pressure to take shortcuts and crank out crap, you can point back to the procedure and say, 'sorry'. In the end this makes your job happier, despite the bureaucratic trappings of the system.

Re:Get a consultant for a couple days

I admire the cleverness of such a stratagem.

Vagueness is Good

[Tteddo]

In my experience with ISO 9000 it does not matter how much detail you get into, you just have to document the procedures for a process and everyone must follow the documentation. For instance if you are writing up the process for buttering your toast the following works fine:
1. Scoop up butter with knife.
2. Apply to toast.
as opposed to:
1. Get butter from fridge.
2. Get knife from drawer.
3. Get bread and place in toaster. Wait until done.
4. Scoop up butter with knife.
5. Apply to toast in back and forth motion covering toast.
When they audit you they make sure you follow the procedures you have documented, and you can get into trouble if you really get into details.

Re:Vagueness is Good

[kenh]

I wouldn't say vagueness is good as much as limit yourslef to required specificity.

I worked at a major telcom software house, and they were going for ISO9000 certification in the mid-90's while I was there. The key seemed to be that you have a process, that you follow the process, and that you document your following the process. Also important was a feedback loop that included not only internal sources (bugzilla), but external (a way for customers to lodge complaints/requests that is tracked and managed (bugzilla?)).

The consultants we worked with often spoke of a japanese restaurant that was ISO9000 certified - the process is as hard as you want to make it (in most cases), and most people shoot themselves in the foot trying to impress the auditors with the process they think they should have, not the process they do have.

Re:Vagueness is Good

[Gr8Apes]

Your point is good, but you need to add the clause:

Describe your process with the minimum detail necessary.

ISO9000 isn't about adhering to any particular process, it's about fully documenting your processes and deviations from that process. You get certified by an auditor coming in and comfirming that your processes are adequately documented.

How does this help software? It prevents that "brilliant" new marketing VP from coming in and demanding, simply demanding, that you add targeted customer content based on customer data to your website for next week's release, damn it all. Just point him to the process and tell him he needs to file form 112, form 5134, and then get forms 32, 55, and 101 signed by the CEO for an "emergency feature addition" as defined in our process documentation. If they don't get the picture, they will by the time they get the docs filled out.

How does it hurt software? When some twit decides that every aspect of software development, from "how to write a method" to white space in comments needs to be documented, never mind that every class needs to be instantiated by Spring.

Too much detail will kill a company. ISO9000 isn't about minutae, unless you make it so.

Be Careful

[NullPointer]

When we did our ISO we hired an "expert" who told us, "It is up to you to describe your process, if you want to save a whole lot of grief in the future, make it as simple and sensible as possible."

In other words, forget what you're reading and create your own process, reporting, and compliance documents. Otherwise, you'll be creating a monster that will require several full-time ISO employees whose job description will essentially be, "make all other employees miserable".

Our expert's advice was well worth her fee. Any "expert" you hire who advises a massive documentation effort is simply creating future contract work for themselves.

Re:Be Careful

[clem.dickey]

if you want to save a whole lot of grief in the future, make it as simple and sensible as possible

Ditto. I work for one of the big, slow companies. We just hoped ISO 9000 wouldn't make us any slower. Our ISO experts told us "The specific process is not too important. What is important is to have a process, that you know and follow it, and that you can show [documents which demonstrate] that you follow it."

Don't do it.

[Stoutlimb]

RTFA? The wikipedia article you posted about the ISO 9000 standard specifically states that software development and other creative processes do not work well with ISO 9000.

so the answer is to give up, and just wing it?

Re:Don't do it.

[tomhudson]

Actually, they don't work at all.

Now if you REALLY want to go quality-wise, you could try NASA's approach. Of course, it means that your LOC will be down to almost nothing, but, hey, what you DO write will be amazingly bug-free.

<url:http://www.fastcompany.com/online/06/writestu ff.html>

The 420,000 lines of code are backed up by 40,000 PAGES of specifications. And 20 years by 260 people. That's 6 lines of specifications for every line of code.

In other words, your "hello world" program:

#include &lt;stdio.h&gt;

int main(int argc, char( argv[], char* env[])
{
                printf("hello, world!\n");

                return 0x00L;
} // eof ... would need a full page (66 lines) of documentation specifying what it does, and would take 4.5 days to specify and write. But it WOULD probably be bug-free.

Re:Don't do it.

[stonecypher]

That all said, when NASA switched to the PSP and TSP, their bug rate dropped by almost 90%, and they had to generate far less documentation. Just because you have a team with an amazing record doesn't mean there isn't a better way. NASA has learned this several times.

Re:Don't do it.

Great, you linked to two Amazon bookstores and a non-existent article. What an intelligent contribution to the conversation.

Re:Don't do it.

[stonecypher]

That "non-existant article" is a 25 minute movie with slides and hard statistics. Nice try.

Re:Don't do it.

[rnelsonee]

That might not be an option. I just got an email from my boss today saying I need to read up on ISO compliance since we're going to become an ISO9000 company. The reason is because we do contract work for the government, and we're trying to get some contracts that are only available to ISO9000-compliant companies. So the submitter may be in a similar situation.

As an aside, I'm really glad to see this article. I plan on bookmarking it and printing out the good comments to show to my boss...

YOU set the standard in ISO 9000

[Invisible+Now]

You already have what you seek, grasshopper. People misunderstand the spec to require something ponderous. Maybe that's appropriate for an Airbus flight control system or my anti-lock brakes, but you said you design research systems. Presumably your CUSTOMERS (The ISO key) favor development speed over a few bugs and flexibility over reliablilty (assuming no one gets killed)
So reread the spec - it's asking you a question, not giving you a rulebook. What do your customers really want? What tradeoffs do you plan for to meet their needs? Everything in the spec is a question. The audit process is establishing how well you meet your organizations own unique goals.

Obligatory Dilbert Cartoon

[Chabil+Ha']

I agree with Scott Adams about the whole thing.

Re:Obligatory Dilbert Cartoon

Yep! That's it. Scott hit it dead center. Have a written process, follow it, and be able to prove that you did it. Its actual content is irrelevant to ISO 9000. All you need are documents that have the proper lables and headings. Otherwise, it could be fulled with "Mary had a little lamb." That is as long as that is in fact what you did and could prove it.

ISO 9000 is a worthless pile of crap that exists only to give bragging rights to pointy haired bosses and incompetent MBA types. If you had an effective and productive process you don't need ISO 9000 and if you don't, ISO 9000 won't help you. In fact, it will assure failure on all fronts. I have a theory that is in fact its goal in spite of 3000 tons of words to the contrary.

ISO 9000 is easy....

[rogersba]

It all boils down to this:

1) Write down what you're going to do.
2) Do it.
3) Write down that you did it.
4)....
5) Profit!

Now, FDA rules for medical device software are a whole other game, so maybe my perspective is skewed. Ah, to forget ISO 13485 and go back to _just_ ISO 9000!

ISO 9000

[JohnWiney]

I have written such a process, so I know it can be done.

The purpose of ISO 9000 is not to tell you what your process is. You can use any process you want, as long as your customers will accept it. What ISO 9000 requires is that you be able to prove you are following it. If your process requires code reviews, you must have recorded minutes describing the results, and the follow-up, for each one. If you require iteration plans, you must keep records of those plans. If you require the use code analysis tools, you have to record the results of the use of those tools regularly, to show you are meeting whatever benchmarks you choose. And so on. You do whatever you want - just prove that you really are doing it.

Put in your documented process everything that you do that you can document as having been done, and that you (as a group) want to keep doing. Do not put anything in your process that you cannot document. Keep a separate description of "best practices" - things that you expect developers to do, but that you do not want to insist on until you are more comfortable with them. In time, some of these methods may migrate into your documented process, but only when you are sure you want to be held accountable for following them.

Re:ISO 9000

[Keick]

I've been through it as well, and I can tell you the most painless solution is to choose a standard software development process, like IEEE 12207. A lot of companies are using the IEEE as of the last 10 years or so. We adopteded it about 5 years back, and it's actually quite nice, and completly tailorable per project.

But no matter which process you use, I HIGHLY recommend that you invenst in tools that will help you follow the process. One such tool is Seapines TestTrack which we've also been using for the past 3 years. You can make it follow your process, and it tracks all the artifacts for you. You can even tie into source control, and have it handle that process as well.

Re:ISO 9000

Your apostrophe key is broken.

Ha!

[/dev/trash]

Good luck. ISO 9000 is THE biggest scam. Ever.

ISO 9000

The company i work for recently went through this and all you have to do is:

Define what it is you want to document, is it the whole process from start to finish or just one small part. Dont try to do it all at once, when you get certified you can change and refine the process if necessary.

Once you decide what to certify, document what youre already doing.

Then, audit it yourself. can you really prove you did what youre already doing, if you cant, leave it out of the process, you can still do it, just dont document it.

Organize an internal auditing team and make sure youre strict on this.

Next step, once you see that your documentation is too complex and theres no way you can do it, simplify the process by not going into detail, an example of this is, we needed to certify that our new hires were given a tour of the building, we just put that in but didnt specify a timeframe for this, and we schedule this activity with different areas via email notifying when we would be taking new hires in and that is our evidence, the email itself.

last step is simple, make sure everyone knows the process, so keep it simple, and youre ready!!!

ISO 9000 Compliance

[Statman]

First of all who ever wrote that ISO9000 is a complete joke does not know what he/she is talking about. I work for a medical device manufacturing company and let me tell you I sure as hell would not want a medical device being used on me if the the company manufacturing the device was not ISO 9000/13485 compliant. As for your question, remember the software only has to be validated and a few quick test scripts should do the trick. The hardest part is just writing out validation procedure or work instruction. I do some ISO consultation on the side as well. If you need any help then PM me and I will help you out!

Re:ISO 9000 Compliance

Have to disagree.

"As for your question, remember the software only has to be validated and a few quick test scripts should do the trick."

Testing software is one of the hardest thing to do. If only quick test scripts could do the trick.. I think you're thinking only on UT. I'm not sure if you only have medical background, anyway. Let me tell you. Having code with 0 bugs is really really hard, because most of the time you aren't alone. UT isn't enough. For instance, deadlocks or any synchronization problems won't be detected by most in UT.

Standards help keep nimble competitors at bay

[ClosedSource]

"If you look who pushes for ISO-9000 it's large and slow moving companies that are used to a large and wasteful style of doing business."

It's not just becuase those companies like to waste time and money. These big, costly standards are a great way for big companies to compete with small, nimble competitors by getting business and government customers to require them. The increased cost and decreased efficiency keeps small companies out of the game.

Re:Standards help keep nimble competitors at bay

Mod parent up. We've teamed with a couple extremely large software companies and system integrators (#1 and #2?) to help the government write some of these requirements into RFPs; and indeed the reason any one of these requirements gets put in is because they're barriers to competitors.

Re:Standards help keep nimble competitors at bay

[budgenator]

My industry is getting pushed into FDA 501K requirements, primarily to stiffle foreign competition; I'm making dentures, easily removeable, life is about 5 years, If it it was cardiac pacemakers I could see the need, right now document retention is 30 years for a device with a 5 year clinical life expectantcy

Its all about good change-management

[the_arrow]

ISO 9000 is basicly about tracking changes. That's it.
Everytime you make a change in the program, a document should be written saying who did it, why, when, and what. Everything done to the program should be tracable. And no, a CVS log will not do, but it may help.

Here's your problem!

[montyzooooma]

"There exists a software development process in my organization, but it is extremely heavy-weight -- over two-dozen documents totaling 200 pages each! "

I've no experience of ISO9000 in a software development environment but I just ditched it last year at the engineering company I work for, having run the quality system since BS5750 days (UK).

If you have a few thousand pages of software development processes to be picked over by an ISO auditor then your life is going to be a living hell. Ditch them and try to condense the philosophy down to something that will fit on one side of a single piece of paper. With double line-spacing.

Re:Here's your problem!

[MeSat]

I agree with the single sheet idea. The basic idea is if a new employee arrives, they should be able to grab the manual or sheet for the process and know what to do without having to ask questions.

I took an ISO9000 course many years ago as I worked for a small company that needed to become certified for some contracts. Being small, we couldn't afford the ISO Guru.

The one thing that the course taught us was that a single sheet of a clear and easy to follow process is better than a volume of detailed information.

One thing that I found was quite useful about the ISO9000 documentation was if someone had to fill in for someone that was sick or away, they could follow the procedures and do the job without having to run and ask questions every ten minutes.

In the job I am at now, to find out how to use some of the equipment can be a 10 day headache that includes hours of Googling for manuals and techniques. There are no procedures written up on how to do most of the things we do. When I was a new employee, I was given a manual for a piece of equipment that I needed to fix and after three days of scratching my head, I found out that it wasn't even the correct manual and there was no correct manual. And I was getting into trouble for being slow. Grr.

Yes, getting the certification can be a pain, but trying to think complicated can make it much worse than it needs to be.

The case against ISO 9000

[dave_macleod]

You need to get hold of a copy of John Seddon's book "In Pursuit of Quality: Case Against ISO 9000". If you're stuck with a mandate to comply then at least it should help you avoid the most common pitfalls. There's an article at http://www.iso.org/iso/en/iso9000-14000/addresourc es/articles/pdf/viewpoint_4-98.pdf where he summarises his position.

Here's the essense of the requirements

[Geccie]

From what I've seen, the requirements ask you to document what you do as a process and illustrate that you follow the process. The problem is that the process becomes overarching to address the worst case. Therefore, many steps can be skipped.

Here's an example, you produce a web server - You need to build your software - document how you do that. You need to package your software - document how to do that. Deploy on a test server - document that process too. Setup a test server - document that. How do you test the software? Document that. Now put the documents in order.

There are three reasons for this: 1) That a new employee or subordinate can take over a task and perform it properly. 2) A task may be so complex that it is difficult to perform it twice in exactly the same way especially if it is only done every 6 months. 3) Your job can be outsourced.

Have no fear, your value is in your solutions, not in how repetitive or mundane processes are performed.

ISO 9000 is Your Friend

[occamboy]

I've actually run an effort to put software under ISO 9000 control - we passed the third-party audit, and we got a lot of software completed, and our product got approved by the FDA, and we followed our own rules - so I guess that it was a successful effort.

As you write, one key is to keep things lightweight, so that everyone can read and follow the procedures.

Another key is to write your own procedures - what usually happens is that someone snags a copy of another company's procedures and tries to use them. Other companies are different than yours. Do what works for your people and your product.

ISO9000 basically says three things:
1. do what you say you'll do
2. say what you actually do
3. don't let stuff fall between the cracks

1. and 3. are relevant to software development - 2. is aimed at the sales and marketing.

1. is a matter of having a process in place - having specs to work and test against, and so forth. Standard lifecycle stuff.

3. is best served by having a single place for everyone to enter any info that might affect the code - bugs, features, customer gripes, whatever. Once a week, have a cross-functional meeting - decision-makers from R&D, marketing, and whoever else is needed to MAKE DECISIONS. Then go through the list of issues, and make sure priorities are correct.

Having 2-3 pages of coding standards is also helpful. My personal favorite for the first rule is something like "It is the responsibility of those who write code to make the code's function quite clear to other programmers. All of the other standards are suggestions that may be bypassed for the sake of clarity of code - but think twice before you discard them."

Writing all of this up should take no more than 10-20 pages - try to make them somewhat "conversational", and use lots of flowcharts, so it's not too dry to read.

Good luck!

Pick your favorite process and stick to it.

[Randolpho]

Others have mentioned this, but I feel the need to add my own pair of pennies.

ISO 9000 boils down to two things:

1) Write down how you are going to do something.
2) Do it the way you said you would.

To that end, pretty much any software engineering approach is ISO 9000 compliant, provided that you 1) write down how you are going to develop software and 2) develop software the way you said you would.

That means you can pick any "lightweight" software development process you like. Agile, XP, TDD... whatever you want to do, you can do it, as long as you 1) write down how you are going to develop your software in an Agile/XP/TDD way, and 2) develop software the way you said you would.

Re:Pick your favorite process and stick to it.

[slcdb]

ISO 9000 boils down to two things:

1) Write down how you are going to do something.
2) Do it the way you said you would.

If I'm ever put in charge of developing an ISO-9000 compliant software development process, I'll be sure to add a requirement that each engineer is required to drink a beer after fixing every bug!

Lightweight PLC

[ChrisLeif]

Many years ago I found Brian Lawrence's product life cycle site: http://www.coyotevalley.com/ He has one of the simplest, cleanest and most flexible processes I've ever used. I even managed to explain it and get upper management to use it!

Re:ISO 9000 is easy.... but utterly worthless

Ah, to forget ISO 13485 and go back to _just_ ISO 9000!

I've also dealt with FDA & Medical Devices & the processes.

This distinction here is that the FDA regulations are *useful*. It is a safer world we live in because of these regulations. After working in that industry for 6 years, I came out with a pretty secure feeling that stuff that does get these approvals works *far* more reliably than your average desktop software. Apparently FAA regulations on airline autopilot software are also very strict and useful.

ISO 9000 in contrast, does *NOTHING* to insure that the resulting software is better. It's a bureaucracy for bureaucracy's sake; and does nothing except act as a barrier to entry for small companies and an excuse for yet another expensive consultant to drain the resources of small companies.

For a 2 line summary

• FDA regs protect *you* when you go to the hospital.
  
• ISO 9000 protects large software companies from agile ones.
  

The fact that ISO 9000 is so easy to get if you cough up the $ for a consultant is a joke (as you pointed out) isn't the problem. It's that unlike FDA regs, ISO 9000 does more harm than good.

Yes, ISO is easy this way!

[Roadkills-R-Us]

We went through this at one of the largest computer companies around, 15 years ago. We were told by management, ``Just document what you do enough that anyone can do it from the docs. Since you've already done that for most things, just do it for the rest. Don't get fancy.''

So we didn't. Straight text docs, simple instructions. Just cleaned up what we had laready written (didn't take that much), put things together in order and added a few checklists and charts, filled in the blanks, and made up a higher level doc. Our department passed with flying colors.

That is the most important point

[vinn01]

have a process, that you know and follow it, and that you can show that you follow it .

That is the most important point: "Say what you do - do what you say" -- and be prepared to demonstrate it to someone else.

The "do what you say" part is probabaly the biggest stumbling block. Most corporate cultures are not tuned to that much honestly. Corporations are used to having a pile of rules/regulations/processes and selectivly following them. That does not work with ISO9000.

Light Weight ISO 9001 Software Development

[richardavitar]

Cliff,

You may not want to hear this, but read on it gets better...

As a consultant who supports companies like yours with ISO 9001 (in fact it was one of the software team who sent me the link) there is a way to set up a light weight system and the only people you'll have trouble with are your internal ISO 9001 advisers. Why, because often the over-kill gets put in to ensure the company and therefore their position does not fail an assessment.

If I was advising you I would be asking you what you actually did to deliver your software and use this as a basis to move forward. It is understanding this core software development thread that is the key and this in turn is how we keep it light and 'real'. Real processes that are audited pass assessment because that is what the people are doing and it can therefore demonstrate without any problems.

So what can get in the way of this panacea?

Firstly, and I have never yet found someone who isn't, it is based on people wanting to do a good job. By this I mean that no-one is actually trying to avoid things like checking what they have done works etc. Secondly, you have not made any reference to the TickIT scheme through which your company may achieve ISO 9001 for software development. In either case we would need to talk further so I leave an open offer to help.

Best regards,
Richard

It boils down to...

[smitherz]

Four things...

1) say what you do
2) do what you say
3) be able to repeat the process
4) be able to prove it (audit trails)

This goes for CMM/SEI also.