Concepts of ISO 9000:Developing a System of Procedures
Concepts of ISO 9000
Developing a System of Procedures
Perhaps one of the most significant challenges in analysis today is its role in the software life cycle. There has been much criticism of the lack of discipline applied to software development projects and personnel in general, and we continue to be an industry that has a poor reputation for delivering quality products on schedule. Although many organizations have procedures, few really follow them and fewer still have any means of measuring the quality and productivity of software development. A system of procedures should first be developed prior to implementing a life cycle that can ensure its adherence to the procedure. These procedures also need to be measured on an ongoing basis. This book restricts its focus to the set of procedures that should be employed in the analysis and design functions.
The process of developing measurable procedures in an organization must start with the people who will be part of its implementation. Standard procedures should not be created by upper management, as the steps will be viewed as a control mechanism as opposed to a quality implementation. How then do we get the implementors to create the standards? When examining this question, one must look at other professions and see how they implement their standards. The first main difference between computer professionals and members of many other professions is they lack a governing standards board like the American Medical Association (AMA) or the American Institute of Certified Public Accountants (AICPA). Unfortunately, as mentioned in previous chapters, it seems unlikely that any such governing board will exist in the near future. Looking more closely at this issue, however, we need to examine the ultimate value of a governing board. What standards boards really accomplish is to build the moral and profes- sional responsibilities of their trade. Accountants, attorneys and doctors look upon themselves as professionals who have such responsibilities. This is not to imply that governing boards can resolve every problem, but at least they can help. With or without the existence of a standards board, analysts within an organization must develop the belief that they belong to a profession. Once this identification occurs, analysts can create the procedures necessary to ensure the quality of their own profession. Currently, few analysts view themselves as part of a profession.
If analysts can create this level of self-actualization, then the group can begin the process of developing quality procedures that can be measured for future improvement. The standard procedures should be governed by the group itself and the processes integrated into the software life cycle of the organization. In fact, analysts should encourage other departments to follow the same procedures for implementing their respective quality procedures.
Although not typically required, many firms employ ISO 9000 as a formal vehicle to implement the development of measurable procedures. ISO 9000 stands for the International Organization for Standardization, an organization formed in 1947 and based in Geneva. As of this writing, 91 member countries are associated with it. ISO 9000 was founded to establish international quality assurance standards focused on processes rather than on products.
Why ISO 9000?
ISO 9000 offers a method of establishing agreed-upon quality levels through standard procedures in the production of goods and services. Many international companies require that their vendors be ISO 9000 compliant through the certification process. Certification requires an audit by an independent firm that specializes in ISO 9000 compliance. The certification is good for three years. Apart from the issue of certification, the benefits of ISO 9000 lie in its basis for building a quality program through employee empowerment. It also achieves and sustains specific quality levels and provides consistency in its application. ISO 9000 has a number of subcomponents. ISO 9001, 9002, and 9003 codify the software development process. In particular, 9001 affects the role of the analyst by requiring standards for design specifications and defines 20 different categories of systems. Essentially, ISO 9000 requires three basic things:
1. Say what you do.
2. Do what you say.
3. Prove it.
This means that the analyst needs to completely document what should occur during the requirements process to ensure quality. After these procedures are documented, the analyst needs to start implementing them based on the standards developed and agreed upon by the organization. The process must be self- documenting; that is, it must contain various control points that can prove at any time that a quality step in the process was not only completed but done within the quality standard established by the organization. It is important to recognize that ISO 9000 does not establish what the standard should be but rather that the organization can comply with whatever standards it chooses to employ. This freedom is what makes ISO 9000 so attractive. Even if the organization does not opt to go through with the audit, it can still establish an honorable quality infrastructure that:
• creates an environment of professional involvement, commitment and accountability,
• allows for professional freedom to document the realities of the process
itself within reasonable quality measurements,
• pushes down the responsibilities of quality to the implementor as opposed to the executive,
• identifies where the analyst fits in the scope of the software life cycle,
• locates existing procedural flaws,
• eliminates duplication of efforts,
• closes the gap between required procedures and actual practices,
• complements the other quality programs that might exist,
• requires that the individuals participating in the process be qualified within their defined job descriptions.
How to Incorporate ISO 9000 into Existing Software Life Cycles
The question now is how to incorporate an ISO 9000-type process for the analyst function and incorporate it into the existing software life cycle. Listed below are the essential 9 steps to follow:
1. Create and document all the quality procedures for the analyst.
2. Follow these processes throughout the organization and see how they enter and leave the analyst function.
3. Maintain records which support the procedures.
4. Ensure that all professionals understand and endorse the quality policy.
5. Verify that there are no missing processes.
6. Changes or modifications to the procedures must be systematically reviewed and controlled.
7. Have control over all documentation within the process.
8. Ensure that analysts are trained and that records are kept about their training.
9. Ensure that constant review is carried out by the organization or through third party audits.
In order for ISO 9000 guidelines to be implemented, it is recommended that the analyst initially provide a work-flow diagram of the quality process (see Figure 17.1).
Figure 17.1 reflects some of the steps an analyst must perform in a quality process. Note that certain steps reflect that there is an actual form that needs to be completed in order to confirm the step’s completion. Figure 17.2 illustrates document AN0010; Figure 17.3 shows AN0050; and Figure 17.4 displays AN0160.
These forms confirm the activities in the quality work-flow process outlined by the analyst. At any time during the life cycle, an event can be confirmed by looking at the completed form.
In order to comply with the documentation standards, each form should contain an instruction sheet, as shown in Figure 17.5. This sheet will ensure that users have the appropriate instructions. Confirmation documents can be implemented in different ways. Obviously if forms are processed manually, the documentation will contain the actual storage of working papers by project. Such working papers are typically filed in a documentation storage room similar to a library where the original contents are secure and controlled. Access to the documentation is allowed, but must be authorized and recorded. Sometimes forms are put together using a word-processing package such as Microsoft Word. The blank forms are stored on a central library so that master documents can be accessed by the analyst via a network. Once the forms are completed, they can be stored in a project directory. The most sophisticated method of implementing ISO 9000 is to use a Lotus Notes electronic filing system. Here, forms are filled
out and passed to the appropriate individuals automatically. The confirmation documents then become an inherent part of the original work flow. In any event, these types of forms implementation affect only automation, not the concept of ISO 9000 as a whole.
Interfacing IT Personnel
We mentioned earlier that ISO 9000 requires qualified personnel. This means that the organization must provide detailed information about the skill set requirements for each job function. Most organizations typically have job descriptions
that are not very detailed and tend to be vague with respect to the specific requirements of the job. In addition, job descriptions rarely provide information that can be used to measure true performance. Questions such as “How many lines of code should a programmer generate per day?” cannot be measured effectively. There is also a question about whether lines of code should be the basis of measurement at all. A solution to this dilemma is to create a job description matrix, which provides the specific details of each job responsibility along with the necessary measurement criteria for performance (see Figure 17.6).
The document in Figure 17.6 is a matrix of responsibilities for an analyst. Note that the analyst has a number of efficiency requirements within the managing engagements (projects) responsibility. Efficiency here means that the analyst must perform the task at a certain indicated level to be considered productive at that task. To a degree, efficiency typically establishes the time constraints to deliver the task. Measurement defines the method used to determine whether the efficiency was met. Reports are simply the vehicle through which the analyst proves that the task was completed and on what basis.
The job description matrix represents a subset of the entire job description that focuses strictly on the procedural and process aspects of the individual’s position. It not only satisfies ISO 9000, but represents a healthier way of measuring
individual performance in an IT environment. Most individuals should know their exact performance at any time during the review period. Furthermore, the matrix is an easy tool to use for updating new or changed performance tasks.
Committing to ISO 9000
We have outlined the sequential steps to implement an ISO 9000 organization. Unfortunately, the outline does not ensure success, and often just following the suggested steps leads to another software life cycle that nobody really adheres to. In order to be successful, a more strategic commitment must be made. Let’s outline these guidelines for the analyst functions:
• A team of analysts should meet to form the governing body that will establish the procedures to follow to reach an ISO 9000 level (this does not necessarily require that certification be accomplished).
• The ISO 9000 team should develop a budget of the milestones to be reached and the time commitments that are required. It is advisable that the budget be forecasted like a project, probably using a Gantt chart to develop the milestones and time-frames.
• The ISO 9000 team should then communicate their objectives to the remaining analysts in the organization and coordinate a review session so that the entire organization can understand the benefits, constraints and scope of the activity. It is also an opportunity to allow everyone to voice their opinions about how to complete the project. Therefore, the meeting should result in the final schedule for completing the ISO 9000 objective.
• The ISO 9000 team should inform the other IT groups of its objectives, although analysts should be careful not to provoke a political confrontation with other parts of the IT staff. The communication should be limited to helping other departments understand how these analyst quality standards will interface with the entire software life cycle.
• The work flows for the analyst tasks must be completed in accordance with the schedule such that everyone can agree to the confirmation steps necessary to validate each task. It is important that the ISO 9000 processes allow for a percentage of success. This means that not every process must be successful 100 % of the time, but rather can be acceptable within some fault tolerance level. For example, suppose that the analyst must have a follow-up meeting with the users within 48 hours after a previous step has been completed. It may not be realistic to meet this goal every time such a meeting is necessary. After all, the analyst cannot always force users to attend meetings in a timely way. Therefore, the ISO 9000 step may view this task as successful if it occurs within the 48 hours 80 % of the time, that is, within a 20 % fault tolerance.
• All task steps must have verification. This will require that standard forms be developed to confirm completion. While we have shown samples of these forms earlier, the ISO 9000 team should beware of producing an unwieldy process involving too many forms. Many software life cycles have suffered the consequences of establishing too many checkpoints. Remember, ISO 9000 is a professional’s standard and should cater to the needs of well-trained professionals. Therefore, the ISO 9000 team should review the initial confirmation forms and begin the process of combining them into a smaller subset. That is, the final forms should be designed to be as generic as possible by confirming multiple tasks.
• There should be meetings held with the analysis group that focus on the alternatives for automating the confirmation forms as outlined earlier in this chapter. It is advisable that this topic be confirmed by the group since their full cooperation is needed for the success of the program.
• Allow time for changing the procedures and the forms. Your first effort will not be the final one; therefore, the ISO 9000 team must plan to meet and review the changes necessary to make it work. Analysts should be aware that the opportunity for change always exists as long as it conforms to the essential objectives of ISO 9000.
• The ISO 9000 project should be at least a one-year plan, from inception of the schedule to actual fulfillment of the processes. In fact, an organization must demonstrate ISO 9000 for at least 18 months prior to being eligible for certification.
• The ISO 9000 group needs to be prepared and authorized to make changes to the job description of the analyst. This may require the submission of requests and authorizations to the executive management team or the human resources department. It is important not to overlook this step since an inability to change the organization structure could hinder the success of the ISO 9000 implementation.
As we can see from the above steps, establishing an ISO 9000 group is a significant commitment. However, its benefits can include a professional organization that controls its own quality standards. These standards can be changed on an ongoing basis to ensure compliance with the business objectives and require- ments of the enterprise. Certification, while not the focus of our discussion, is clearly another level to achieve. Most companies that pursue certification do so for marketing advantage or are required to obtain it by their customers. Implementing ISO 9000 should not require that the entire company conform at once; in fact it is almost an advantage to implement it in a phased approach, department by department. The potential benefits of ISO 9000 concepts may fill the void in many of the IT organizations which lack clearly defined quality standards.
Problems and Exercises
1. Explain why ISO 9000 represents a system of procedures.
2. What are the three fundamental things that ISO 9000 tries to establish?
3. What are the overall benefits of ISO 9000?
4. How is ISO 9000 incorporated into the life cycle?
5. Why are work flows the most critical aspect of developing the ISO 9000 model?
6. Why are forms used in ISO 9000?
7. How are personnel affected by ISO 9000?
8. What is a job description matrix?
9. What steps are necessary for an organization to adopt ISO 9000?
10. Does ISO 9000 need to be implemented in all areas of the business? Explain.
Comments
Post a Comment