ISO 9001:2000
for Software
and Systems
Providers
An Engineering Approach
Robert Bamford and
William J. Deibler
CRC PRESS
Boca Raton London New York Washington, D.C.
Copyright © 2004 by Taylor & Francis
OTHER COMPUTER BOOKS FROM AUERBACH AND CRC PRESS
The ABCs of IP Addressing, Gilbert Held, ISBN: 0-8493-1144-6
The ABCs of LDAP: How to Install, Run, and Administer LDAP Services, Reinhard Voglmaier, ISBN: 0-8493-1346-5
The ABCs of TCP/IP, Gilbert Held, ISBN: 0-8493-1463-1
Building an Information Security Awareness Program, Mark B. Desman, ISBN: 0-8493-0116-5
Building a Wireless Office, Gilbert Held, ISBN: 0-8493-1271-X
The Chief Security Officer: A Guide to Protecting People, Facilities, and Information, Ron Hale, ISBN: 0-8493-1952-8
The Complete Book of Middleware, Judith Myerson, ISBN: 0-8493-1272-8
Computer Telephony Integration, 2nd Edition, William A. Yarberry, Jr., ISBN: 0-8493-1438-0
Creating Components: Object Oriented, Concurrent, and Distributed Computing in Java, Charles W. Kann, ISBN: 0-8493-1499-2
Database Design Using Entity-Relationship Diagrams, Sikha Bagui and Richard Karp, ISBN: 0-8493-1548-4
Electronic Bill Presentment and Payment, Kornel Terplan, ISBN: 0-8493-1452-6
Information Security Architecture: An Integrated Approach to Security in the Organization, Jan Killmeyer Tudor, ISBN: 0-8493-9988-2
Information Security Management Handbook, 5th Edition, Harold F. Tipton and Micki Krause, Editors, ISBN: 0-8493-1997-8
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management, 2nd Edition, Thomas R. Peltier, ISBN: 0-8493-1958-7
Information Security Risk Analysis, Thomas R. Peltier, ISBN: 0-8493-0880-1
Interpreting the CMMI: A Process Improvement Approach, Margaret Kulpa and Kent Johnson, ISBN: 0-8493-1654-5
IS Management Handbook, 8th Edition, Carol V. Brown and Heikki Topi, ISBN: 0-8493-1595-6
Managing a Network Vulnerability Assessment, Thomas R. Peltier and Justin Peltier, ISBN: 0-8493-1270-1
Maximizing the Enterprise Information Assets, Timothy Wells, ISBN: 0-8493-1347-3
A Practical Guide to Security Engineering and Information Assurance, Deborah S. Herrmann, ISBN: 0-8493-1163-2
Server Disk Management in a Windows Environment, Drew Robb, ISBN: 0-8493-2432-7
Six Sigma Software Development, Christine B. Tayntor, ISBN: 0-8493-1193-4
Software Engineering Measurement, John Munson, ISBN: 0-8493-1503-4
A Technical Guide to IPSec Virtual Private Networks, James S. Tiller, ISBN: 0-8493-0876-3
Telecommunications Cost Management, Brian DiMarsico, Thomas Phelps IV, and William A. Yarberry, Jr., ISBN: 0-8493-1101-2
Web Data Mining and Applications in Business Intelligence and Counter-Terrorism, Bhavani Thuraisingham, ISBN: 0-8493-1460-7
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: [email protected]
CMM is registered in the U.S. Patent and Trademark Office. Capability Maturity Model is a registered service mark of Carnegie Mellon University.
Rational Unified Process and RUP are registered trademarks or trademarks of Rational Software Corporation in the United States and/or other countries.
Library of Congress Cataloging-in-Publication Data
Bamford, Robert
ISO 9001:2000 for software and systems providers : an engineering approach / by Robert
Bamford and William J. Deibler.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2063-1 (alk. paper)
1. ISO 9000 Series Standards. I. Deibler, William J. II. Title.
TS156.6.B36 2003
620′.0068′5—dc22 2003055803
This book contains information obtained from authentic and highly regarded sources. Reprinted material
is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable
efforts have been made to publish reliable data and information, but the author and the publisher cannot
assume responsibility for the validity of all materials or for the consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying, microfilming, and recording, or by any information storage or
retrieval system, without prior permission in writing from the publisher.
The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for
creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC
for such copying.
Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identification and explanation, without intent to infringe.
Visit the CRC Press Web site at www.crcpress.com
© 2004 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-2063-1
Library of Congress Card Number 2003055803
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper
INTRODUCTION
This volume incorporates more than a decade of experience with ISO 9001, a
standard created by committees of volunteers working under the aegis of the
International Organization for Standardization (ISO). This volume is intended
for individuals who are responsible for using ISO 9001 to implement or revitalize systematic process improvement in engineering organizations.
Since 1989, the authors of this volume have assisted organizations in
implementing ISO 9001–based processes. Their clients range from start-up
organizations with fewer than ten people to multinational corporations with
thousands of employees. The authors have worked with organizations in a
wide variety of industries, from sheet metal shops and processed materials
manufacturers to developers of semiconductor manufacturing equipment
and stand-alone, commercial software products.
Although their focus has been on software, hardware, and systems engineering practices, they have worked extensively in all of the functions that
deliver or support the delivery of value to customers—from sales, marketing,
order processing, and legal, to engineering and manufacturing, to logistics
and warehouse operations, to technical support, and to MIS, credit, finance
and administration, and human resources.
This volume is based on the material in the authors’ course, A Detailed
Introduction to ISO 9001. This course, originally developed in 1990, based
on the 1987 version of ISO 9001, reflects the authors’ commitment to ensuring
that client organizations develop the understanding necessary to maintain
and improve their own processes. Based on their extensive experience with the no-nonsense Silicon Valley culture, the authors have found that without such systematic knowledge transfer, when the consultant leaves, so does most of the improvement.
Systematic knowledge transfer is the only way to ensure that the
improvement stays when the consultant leaves.
The course, which has evolved as the standard has evolved, from 1987 to 1994 to 2000, has been offered hundreds of times to thousands of students.
dents. It has been presented publicly, through various extension campuses
of the University of California and California State University and through
professional organizations, including the Audit and Software Divisions of
the American Society for Quality and the Software Engineering Institute at
Carnegie Mellon University. It has also been selected by numerous companies for on-site training of their ISO 9001 implementation teams.
The extended history of the course brings three benefits to the reader of
this volume. The first benefit is that this volume weaves the information in
ISO 9001 into a framework that has been proven to be of use to a broad
audience. The concepts and presentation have been tested by and refined
with input from participants with every level of prior experience—from
individuals new to ISO 9001 to registrars’ auditors and implementers with
years of experience with this and other standards. These individuals have
come from a wide variety of industries and specialties and have represented
organizations ranging in size from under 200 to over 5,000 employees.
The second benefit is that the grounding in earlier versions of the standard provides readers with unique insights into the precedents that have
formed the latest version of the standard. The effect of the lack of such a
perspective is illustrated by the many Internet discussions in which previ-
ously exhausted issues reappear and are the subject of lengthy speculation
and analysis.
The third benefit derives from the extensive validation the course has
received. In addressing the diverse backgrounds of their students and consulting clients, the authors have taken each offering of the course to be an
opportunity to test, expand, and refine their understanding of the many
ways in which organizations can gain the greatest possible bottom-line
business benefit from ISO 9001:2000.
WHAT’S IN THIS VOLUME
This volume is divided into three sections. The first section contains Chapters 1 and 2. This section presents an implementation and maintenance
roadmap with suggested techniques for ensuring that the organization
secures and continues to accrue the greatest possible benefit from adopting
ISO 9001 as a global standard for its processes. The first section concludes
with an unavoidable discussion of the acronyms, specialized terms, and
concepts that inevitably insinuate themselves into any discussion of ISO
9001.
The second section provides a paragraph-by-paragraph analysis of ISO
9001. In this analysis, the paragraphs are presented, for the most part, in
the order in which they appear in the standard. Because the paragraphs do
not stand alone, paragraphs are also introduced where they fit logically.
Each paragraph is examined to determine how its requirements might be
effectively and efficiently satisfied by and to the benefit of an engineering
organization. The goal of presenting the paragraphs from this perspective
is to ensure that the reader understands not only the requirements encompassed in the paragraphs but also the relationship among the paragraphs—
especially when that relationship is critical to efficient implementation. By
taking a rigorous approach to the language in the standard, the authors of
this volume build a foundation in fact that substantially reduces the effort
an implementation team spends in resolving seemingly conflicting interpretations. In particular, it is intended that readers be able to identify various
ways in which the requirements of the paragraphs can be—and in many
cases are—satisfied in their organizations.
CONSIDER: The paragraphs do not stand alone.
Throughout this volume, one of the authors’ goals is to establish and reinforce readers’ understanding that ISO 9001:2000 is about good engineering practices. If a requirement in the standard does not appear to support
ing practices. If a requirement in the standard does not appear to support
a fundamental, relevant engineering practice or does not appear to offer
any benefit, further study is indicated. It is the experience of the authors of
this volume that an organization can demand that all of the requirements
of ISO 9001 be implemented in ways that deliver value to the organization,
its employees, and its customers. A value-based implementation takes
effort and investment, but it is also the experience of the authors that
adherence to a process or adoption of a new tool or methodology is propor-
tional to the perceived value. A process that does not have any perceived
value will not be followed for long—if at all.
CONSIDER: Demand value.
The third section comprises a number of appendices, referenced
throughout the volume. These appendices provide background, examples,
samples, and reference material.
The last page in this volume provides the information needed to submit
comments and questions to the authors.
WHAT’S NOT IN THIS VOLUME (AND WHY AND HOW TO GET IT)
ISO 9001:2000 is not provided. First, it is a copyrighted document and
would add unnecessarily to the cost of this volume for readers who already
have a copy of the standard. Second, it is important that the reader become
comfortable with the look and feel of ISO 9001:2000 in its published, official
form, rather than as a section or series of extracts embedded in a printed
or electronic book. In fact, the 32-page standard (as provided by the American Society for Quality) is the only source of information the reader can
trust without reservation. Books about the standard (including this one),
booklets, pamphlets, videotapes, movies, seminars, computer-based self-study courses, descriptions of previous experience, and Internet discussions
are useful, but they require careful evaluation to determine whether they
are credible and accurate and whether, if accurate, they are relevant to the
reader’s current circumstances. The bases for this careful evaluation are
common sense and what is actually stated in ISO 9001:2000.
Although it is not necessary, consider obtaining a copy of ISO 9001:2000
before proceeding. In particular, to simplify word searches, consider purchasing a downloadable soft copy. Standards are available from:
• National standards bodies
To find a list of national standards bodies, go to the ISO home
page, at http://www.iso.ch, click on Enter, then click on Members
and follow the instructions provided.
• ISO
International Organization for Standardization, Central Secretariat
1, rue de Varembé
CH-1211 Genève 20
SWITZERLAND
TEL: 011-41-749-01-11 FAX: 011-41-22-733-34-30
http://www.iso.ch
• ASQ
American Society for Quality
P.O. Box 3066
611 East Wisconsin Avenue
Milwaukee, WI 53201-3066
TEL: 414-272-8575, 800-248-1946 FAX: 414-765-8661
http://www.asq.org
Table of Contents
Section I A Brief Orientation
Chapter 1 An Implementation Roadmap
PARAGRAPH 4.1 a: Identify the Processes
PARAGRAPH 4.1 b: Determine the Interactions
PARAGRAPH 4.1 b: Determine the Sequence of Processes
PARAGRAPH 4.1 c: Map the Organization’s Processes against the Standard
PARAGRAPH 4.1 d: Planning and Communication
PARAGRAPH 4.1 e: Monitor and Measure
PARAGRAPH 4.1 f: Execution
Representing the Implementation Process
Charting an Alternate Path through the Paragraphs
Recommendations for Implementers: Establishing ISO 9001 as a Framework
Principle 1: ISO 9001:2000 Is a Requirements Specification
About Registrars and Their Auditors
Principle 2: It Is Easier To Achieve Compliance Than To Maintain Compliance
Principle 3: Manage the Implementation as if It Were Product Development
Recommendations for Maintainers: Addressing the Changes in ISO 9001:2000
Points To Focus on for Maintainers
Selecting a Scope
To Register or Not To Register?
Selecting a Registrar
About Accreditation
Selection Criteria
Chapter 2 Terminology and Definitions
What Is in a Name: ISO 9000 and Standard
Quality and Quality Management System
Shall, Should, and Other Formalities
Requirements versus Design: How Flexible Is the Standard?
Effective
Ensure
The Purpose of ISO 9001
Registrars and Registration Revisited
Section II ISO 9001: A Paragraph-by-Paragraph Analysis
Chapter 3 The Structure of ISO 9001
Chapter 4 PARAGRAPH 4 Quality Management System
PARAGRAPH 4.1 General Requirements
Implementation Considerations
PARAGRAPH 4.2 Documentation Requirements
PARAGRAPH 4.2.1 General [Requirements for Documentation]
PARAGRAPH 4.2.2 The Quality Manual
PARAGRAPH 4.2.3 Control of Documents
PARAGRAPH 4.2.4 Control of Records
PARAGRAPH 4—Summary
Chapter 5 PARAGRAPH 5 Management Responsibility
PARAGRAPH 5.1 Management Commitment
PARAGRAPH 5.2 Customer Focus
PARAGRAPH 5.3 Quality Policy
Implementation Considerations: Beyond ISO 9001
PARAGRAPH 5.4 Planning
PARAGRAPH 5.4.1 Quality Objectives
PARAGRAPH 5.4.2 Quality Management System Planning
PARAGRAPH 5.5 Responsibility, Authority, and Communication
PARAGRAPH 5.5.1 Responsibility and Authority
PARAGRAPH 5.5.2 Management Representative
PARAGRAPH 5.5.3 Internal Communication
PARAGRAPH 5.6 Management Review
Chapter 6 PARAGRAPH 6 Resource Management
PARAGRAPH 6.1 Provision of Resources
PARAGRAPH 6.2 Human Resources
PARAGRAPH 6.2.2 a: Implementation Considerations for Determining Necessary Competence
PARAGRAPH 6.2.2 b: Implementation Considerations for Satisfying Needs
PARAGRAPH 6.2.2 c: Implementation Considerations for Evaluating Effectiveness
PARAGRAPH 6.2.2 d: Implementation Considerations for Awareness of Quality Objectives
PARAGRAPH 6.2.2 e: Implementation Considerations for Training Records
PARAGRAPH 6.3 Infrastructure
PARAGRAPH 6.4 Work Environment
Chapter 7 PARAGRAPH 7 Product Realization
PARAGRAPH 7.1 Planning of Product Realization
Related Paragraphs
Implementation Considerations
PARAGRAPH 7.2 Customer-Related Processes
PARAGRAPH 7.2.1 Determination of Requirements Related to the Product
PARAGRAPH 7.2.2 Review of Requirements Related to the Product
PARAGRAPH 7.2.3 Customer Communication
PARAGRAPH 7.3 Design and Development
PARAGRAPH 7.3.1 Design and Development Planning
PARAGRAPH 7.3.2 Design and Development Inputs
PARAGRAPH 7.3.3 Design and Development Outputs
PARAGRAPH 7.3.4 Design and Development Review
PARAGRAPH 7.3.5 Design and Development Verification
PARAGRAPH 7.3.6 Design and Development Validation
PARAGRAPH 7.3.7 Control of Design and Development Changes
PARAGRAPH 7.4 Purchasing—A Brief Note
PARAGRAPH 7.5 Production and Service Provision
PARAGRAPH 7.5.1 Control of Production and Service Provision
PARAGRAPH 7.5.2 Validation of Processes for Production and Service Provision
PARAGRAPH 7.5.3 Identification and Traceability
PARAGRAPH 7.5.4 Customer Property
PARAGRAPH 7.5.5 Preservation of Product
PARAGRAPH 7.4 Purchasing
PARAGRAPH 7.4.1 Purchasing Process
PARAGRAPH 7.4.2 Purchasing Information
PARAGRAPH 7.4.3 Verification of Purchased Product
PARAGRAPH 7.6 Control of Monitoring and Measuring Devices
Implementation Considerations
When Equipment Is Found not to Conform to Requirements
For Software
Establishing a Calibration Program
Find Service Providers
Implement, Monitor, Follow Up
PARAGRAPH 7 Conclusions