ISO 9001

A Brief History
1968 AQAP - Allied Quality Assurance Publication Military standards
1972 BS4891 - A Guide to QA - British Standards Institute
1974 BS5179 - Guide to Operation & Evaluation of QA Systems
1979 BS5750 - Quality Systems
1987 ISO 9000 series (EN 29000 series, IS 14000 series)
1994 ISO 9001 upgraded
2000 ISO 9001 upgraded
2008 New amendment

Major Benefits
• Applicability to all product categories, in all sectors and to all sizes of organizations
• Simple to use, clear in language, readily translatable and easily understandable
• Significant reduction in amount of required documentation
• Connection of QMS to Organizational processes
• Provision of natural move towards improved organizational processes
• Greater orientation towards continual improvement and customer satisfaction
• Compatibility with other management systems such as ISO 14001

ISO 9000:2008 standards

ISO 9000:2008 Process Model

IT Quality Assurance MIM - Sem V Page: 1 of 19

Eight Management Principles
• Customer focus:
Organizations depend on their customers and therefore should understand current and future customer
needs, should meet customer requirements and strive to exceed customer expectations.
• Leadership:
Leaders establish unity of purpose, direction, and the internal environment of the organization. They create
the environment in which people can become fully involved in achieving the organization’s objectives
• Involvement of people:
People at all levels are the essence of an organization and their full involvement enables their abilities to be
used for the organization’s benefit.
• Process approach:
A desired result is achieved more efficiently when related resources and activities are managed as a process
• System approach to management:
Identifying, understanding and managing a system of interrelated processes for a given objective contributes to the
effectiveness and efficiency of the organization.
• Continual improvement:
A permanent objective of the organization is continual improvement
• Factual approach to decision making:
Effective decisions are based on the logical or intuitive analysis of data and information
• Mutually beneficial supplier relationships:
The ability of the organization and its suppliers to create value is enhanced by mutually beneficial relationships

ISO 9001:2008 clauses

1 Scope
1.1 General
1.2 Application

2 Normative reference

3 Terms and definitions

4 Quality management system

4.1 General requirements
4.2 Documentation requirements

5 Management responsibility
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.4 Planning
5.5 Responsibility, authority & communication
5.6 Management review

6 Resource management
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment

7 Product realization
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring & measuring equipment

8 Measurement, analysis and improvement

8.1 General
8.2 Monitoring and measurement
8.3 Control of nonconforming product
8.4 Analysis of data
8.5 Improvement

ISO Certification Process

1986 US Federal govt needed a method to assess software contractors; Software Engineering Institute
(Carnegie Mellon University) and Mitre Corp. develop a process maturity framework
1987 Process maturity framework & maturity questionnaire developed by Watts Humphrey
1991 Capability Maturity Model v1.0 drafted based on feedback from government and industry
1992 CMM v1.1 drafted based on feedback from the software community and CMM Workshop
1997 CMMI Project initiated
2000 CMMI SE/SW v1.0 released
2002 CMMI SE/SW/IPPD/SS v1.1 released
2006 CMMI v1.2 released

SEI History
Established in 1984: to provide leadership in advancing the state of the practice of software engineering to
improve the quality of systems that depend on software
Process Programme focus: Capability Maturity Models
CMM-based assessments
Software process-definitions
Personal software process
Software engineering measurement and analysis
CMMI, integrating Software, Hardware and Systems Engineering

CMMI Product Suite

CMMI for Dev constellation consists of 2 models
• CMMI for Dev+IPPD
• CMMI for Dev
• Hardware Engineering
• Systems Engineering
• Software Engineering
• Staged
• Continuous
• Model
• Introduction to CMMI
• Intermediate Concepts
• Instructor Training
• Lead Appraiser
Appraisal methods
• Appraisal Requirements for CMMI (ARC)
• SCAMPI Method Description Document (MDD)

CMMI Structure
One Model, Two Representations
• CMMI Representations: based on the approaches of the source models
• Reflects the organization, use and presentation of components in a model
• Two representations
o Continuous - Process Capability approach
o Staged - Organizational Maturity approach
• The material in both representations is the same, just organized differently
o Capability Levels
o The Maturity Levels

The CMMI structure - Goals and Practices

Generic Goals:
• Common goal statement for a process area
• Aimed at achieving institutionalization
• Same goal statement appears in multiple process areas
• Each capability level has an associated generic goal
Generic Practices:
• Activities that ensure that the processes will be effective, repeatable, and lasting
• Generic practices contribute to the achievement of the generic goal when applied to a particular process area
Specific Goals:
• Addresses the unique characteristics that describe what must be implemented to satisfy the process area
• Signify the scope, boundary and intent of the process area
• Help to determine whether the process area has been effectively implemented
Specific Practices:
• Activities that are considered important in achieving the associated specific goal
• Describe what must be implemented to establish process capability

The CMMI structure

Example PA: Requirements Management
SG1: Manage Requirements
SP1.1 Obtain an understanding of requirements
SP1.2 Obtain commitment to requirements
SP1.3 Manage requirements changes
GG2: Institutionalize a Managed Process
GP2.1 Establish an organizational policy
GP2.2 Plan the process
GP2.3 Provide resources
GP2.4 Assign responsibility

GG2: Institutionalize a Managed Process

GP 2.1 Establish an Organizational Policy
GP 2.2 Plan the Process
GP 2.3 Provide Resources
GP 2.4 Assign Responsibility
GP 2.5 Train People
GP 2.6 Manage Configurations
GP 2.7 Identify and Involve Relevant Stakeholders
GP 2.8 Monitor and Control the Process
GP 2.9 Objectively Evaluate Adherence
GP 2.10 Review Status with Higher Level Management

The 5 maturity Levels

Process Areas by Maturity Level
| Level | Focus | Process Areas |
|---|---|---|
| 5 Optimizing | Continuous process improvement | Organizational Innovation and Deployment; Causal Analysis and Resolution |
| 4 Quantitatively Managed | Quantitative Management | Organizational Process Performance; Quantitative Project Management |
| 3 Defined | Process standardization at organization level; Proactive | Requirements Development; Technical Solution; Product Integration; Organizational Process Focus; Organizational Process Definition; Organizational Training; Integrated Project Management; Risk Management; Decision Analysis and Resolution |
| 2 Managed | Basic project management; often reactive | Requirements Management; Project Planning; Project Monitoring and Control; Supplier Agreement Management; Measurement and Analysis; Process and Product Quality Assurance; Configuration Management |
| 1 Performed | | |

Performed/ Initial Level (L1)

• Environment unstable for software development and maintenance
• Lack of sound management practices
• Ineffective planning
• Reaction-driven systems
• Person-dependent systems
• Process unpredictable, informal and poorly controlled

Managed Level (L2)

• Focus on project management – learning from previous experiences
• Basic software management controls installed
• Stakeholder commitment established
• Senior management visibility
• Processes planned, performed, measured and controlled
• Stable planning and tracking; earlier successes can be repeated

Process Areas for L2
• Requirements Management: Manage requirements of the products & product components; identify
inconsistencies between requirements and the project's plans & products
• Project Planning: Establish & maintain plans that define project activities
• Project Monitoring and Control: Provide an understanding of the project’s progress; take appropriate
corrective actions when the project’s performance deviates significantly from the plan
• Supplier Agreement Management: Manage acquisition of products from suppliers where a formal agreement
• Measurement and Analysis: Develop & sustain a measurement capability to support management information
• Process and Product Quality Assurance: Provide staff & management with objective insight into processes &
work products
• Configuration Management: Establish & maintain integrity of work products by identifying, controlling,
accounting and auditing configurable items

Defined Level (L3)

• Focus on organization level
• Software and management processes integrated
• Projects derive processes from organization-level and tailor them
• Processes more detailed - better understanding of inter-relationships
• Processes managed proactively
• OSSP ensures consistency across the organization
Process Areas for L3
• Organization Process Focus: Plan & implement organizational process improvement based on a thorough
understanding of strengths & weaknesses of the organization’s processes & process assets
• Organizational Process Definition: Establish & maintain a usable set of organizational process assets
• Organizational Training: Develop skills & knowledge of people so that they can perform their roles effectively &
• Integrated Project Management: Establish & manage the project & stakeholder involvement according to an
integrated & defined process tailored from the OSSP
• Risk Management: Identify potential problems before they occur; plan & invoke risk-handling activities, when
required, across the life of the product/project to mitigate adverse impacts on achieving project objectives
• Decision Analysis and Resolution: Analyze possible decisions using a formal evaluation process that evaluates
identified alternatives against established criteria
• Requirements Development: Produce and analyze customer, product and product-component requirements
• Technical Solution: Design, develop, and implement solutions to requirements. Solutions encompass products,
product components, and product-related life-cycle processes either singly or in combinations, as appropriate
• Product Integration: Assemble the product from product components; ensure that the integrated product
functions properly; deliver the product
• Verification: Ensure that selected work products meet their specified requirements
• Validation: Demonstrate that product or product component fulfills its intended use when placed in its
intended environment

Quantitatively Managed Level (L4)

• Quantifiable goals for product and process performance identified, measured and monitored throughout the
process life cycle
• Organization-wide measurement repository
• Key processes and sub-processes identified
• Process performance controlled using statistical and other techniques
• Quantitative goals established based on customer and organizational needs
• Quantitative goals understood in statistical terms
Process Areas for L4
• Quantitative Project Management: Quantitatively manage the project’s defined processes to achieve
established quality & process-performance objectives
• Organizational Process Performance: Establish & maintain a quantitative understanding of the OSSP’s
performance (with respect to quality and process performance goals); provide process performance data,
baselines & models to quantitatively manage the organization’s projects

Optimizing Level (L5)

• Improvements to address common causes of process variation
• Measurably improve identified processes through incremental and innovative improvements
• Improvements selected based on expected RoI and impact
• Evaluation of known defects to identify root causes and prevent recurrence
• Organizational focus on improvement
• Process performance continually improved; quantitative goals established, based on business goals
Process Areas for L5
• Causal Analysis and Resolution: Identify causes of defects & other problems; take action to prevent recurrence
• Organizational Innovation and Deployment: Select & deploy incremental & innovative improvements that
measurably improve the organization's processes & technologies; improvements support organization's quality
& process performance objectives, derived from the organization's business objectives

PAs in the Business Context

SEI’s IDEAL(SM) Approach for Implementing CMMI

CMMI Appraisal Process

ITIL - Background
• ITIL (Information Technology Infrastructure Library) is a framework of best practices to facilitate the delivery of
high quality IT services; published in a series of books
• ITIL focuses on aligning IT services with the ever changing needs of the business and improving the quality of IT
• It is aimed at supporting businesses in achieving high financial quality and value in IT operations
• Reduce the long term cost of service provision
• “Service management is all about the delivery of customer-focused IT services using a process-oriented
• Originally developed in the 1980s under the auspices of the UK Government's Central Computer and
Telecommunications Agency (CCTA) - entitled "Government Information Technology Infrastructure
Management Methodology" (GITMM)
• In 2001, the CCTA was merged into the United Kingdom's Office of Government Commerce (OGC)
• V1 = 31 Books | V2 = 7 books | V3 = 5 Books
• World-wide de facto standard in Service Management

What is Service Management?

A means of delivering value to customers by facilitating outcomes customers want to achieve without the
ownership of specific costs and risks
Service Management
A set of specialized organizational capabilities for providing value to customers in the form of services

Service Life Cycle

Major Components
Service support: concentrates on the day to day running & support of IT Services
• Service desk*
• Incident management
• Problem management
• Change management
• Release management
Service delivery: focuses on long term planning and improvement of IT Services
• Capacity management
• Availability management
• IT service continuity management
• Configuration management
• Financial management for IT Services

Service Desk
• Provide vital day-to-day contact between clients, users, IT services & third party support organizations
• Provide a single point of contact for all calls
• Facilitate the restoration of normal operational service with minimal business impact on the client within
agreed service levels and business priorities
• Generate reports and communicate
• Provide value to the organization

Configuration Management
• Provide information on the IT Infrastructure -
• to all other processes
• to IT Management
• Enable control of the infrastructure by monitoring and maintaining information on -
• all resources needed to deliver services
• Configuration Items status and history
• Configuration Item relationships

Incident Management
• Restore normal service operation as quickly as possible
• Minimize the adverse impact on business operations
• Ensure that the best possible levels of service quality & availability are maintained according to SLAs

Problem Management
• Minimize the adverse impact of incidents & problems on the business that are caused by errors within the IT
• Prevent the recurrence of incidents related to errors
• Improve productive use of resources

Change Management
• Ensure that standardized methods and procedures are used for efficient and prompt handling of all changes
• Implement approved changes efficiently, and with acceptable risk to the existing and to the new IT services

Release Management
• Plan and oversee the successful rollout of software and related hardware
• Ensure that change to hardware and software is traceable and secure
• Ensure that only correct, authorized and tested versions are installed

Capacity Management
• Determine the right, cost justifiable, capacity of IT resources such that the Service Levels agreed upon are
achieved at the right time

Availability Management
• Predict, plan and manage the availability of services by ensuring that:
• all services are underpinned by sufficient, reliable and properly maintained CIs
• where CIs are not supported internally there are appropriate contractual arrangements with third-party
• changes are proposed to prevent future loss of services

IT Service Continuity Management

• Increase business dependency on IT
• Reduce cost and time of recovery
• Cost to customer relationship
• Survival
• “Many businesses fail within a year of suffering a major IT disaster”

Service Level Management

• Maintain and improve IT Service quality, through a constant cycle of agreeing, monitoring and reporting upon
IT Service achievements
• Instigation of actions to eradicate poor service - in line with business or cost justification

ISO 20000
International standard for IT service management
• Published in Dec 2005, it supersedes the earlier BS 15000, which was based on ITIL
• ISO 20000 has two parts:
• ISO 20000-1 ('part 1') is a ‘specification’, which defines the requirements of the standard
• ISO 20000-2 ('part 2') is a 'code of practice', and describes the best practices for service management
• Objectives:
o To promote the adoption of an integrated process approach to deliver managed services to meet the
business and customer requirements.
o To enable the understanding of best practices, benefits, and possible problems of service management
o To help the organization generate revenue or be cost effective via professional service management.

PDCA in Service Management

ISO 20000 Process Model

ISO 20000 Clauses

4: Planning & Implementing Service Management

4.1 Plan Service Management
To plan the implementation and delivery of service management
4.2 Implement Service Management and provide the services (Do)
To implement the service management objective and plan
4.3 Monitoring, Measuring and Reviewing (Check)
To monitor, measure and review that the service management objectives and plan are being achieved
4.4 Continual Improvement (Act)
To improve the effectiveness and efficiency of service delivery and management

5 : Planning & implementing new or changed services

To ensure that new services and changes to services will be deliverable and manageable at the agreed cost
and service quality.

6: Service Delivery Process

6.1 Service Level Management
To define, agree, record and manage levels of service
6.2 Service Reporting
To produce agreed timely, reliable, accurate reports for informed decision making and effective
6.3 Service Continuity and Availability Management
To ensure that agreed service continuity and availability commitments to customers can be met in all
6.4 Budgeting and Accounting for IT Services
To budget and account for the cost of service provision.
6.5 Capacity Management
To ensure that the service provider has, at all times, sufficient capacity to meet the current and future
agreed demands of the customer’s business needs.
6.6 Information Security Management
To manage information security effectively within all service activities.

7 : Relationship Processes
7.1 General
Relationship processes describe the two related aspects of Supplier Management and Business
Relationship Management
7.2 Business Relationship Management
To establish and maintain a good relationship between the service provider and the customer based on
understanding the customer and their business drivers.
7.3 Supplier Management
To manage suppliers to ensure the provision of seamless, quality services.

8 : Resolution Processes
8.1 Background
Incident and problem management are separate processes, although they are closely linked.
8.2 Incident Management
To restore agreed service to the business as soon as possible or to respond to service requests
8.3 Problem Management
To minimize disruption to the business by proactive identification and analysis of the cause of
incidents and by managing problems to closure

9 : Control Processes
9.1 Configuration Management
To define and control the components of the service and infrastructure and maintain
configuration information.
9.2 Change Management
To ensure all changes are assessed, approved, implemented and reviewed in a controlled manner.

10 : Release Process
10.1 Release Management Process
To deliver, distribute and track one or more changes into the live environment.

Benefits of Implementing ISO 20000

• Provides control, greater efficiency and opportunities for improvement.
• Turns technology focused departments into ones with a service focus
• Ensures that IT services are aligned with and satisfy business needs
• Improves system reliability and availability
• Provides a basis to agree on levels of service and the ability to measure IT service quality
• Establishes the true cost of IT

Deming’s Principles
William Edwards Deming (October 14, 1900 – December 20, 1993)
• American statistician, professor, author and consultant
• Proponent of Total Quality Management (TQM)
• Helped in improving production in USA during World War II
• Best known for his significant contribution to Japan becoming renowned for innovative high-quality products
• Author of:
– Out of the Crisis
– The New Economics for Industry, Government, Education
• Founded the W. Edwards Deming Institute in Washington D.C. in 1993
• Deming Prize established by JUSE (Japanese Union of Scientists & Engineers)

Some Common Problems

a) Defective products b) Rework c) Production delays d) Scrap/ waste e) Higher costs f) Client complaints

Chain Reaction

Deming’s Philosophy
• Need for awakening to the crisis – followed by action
• Transformation can be achieved only by people – not by machines / automation
• Management plays a critical role in transformation
• The 14 points for management
– Provide a “Roadmap for Change" - for achieving improved quality and productivity
– Apply to all organizations – of any size
– Apply to all industries
• Main Themes
– Leadership and teamwork
– Long-term planning
– Focus on Quality instead of Costs
– Strive for Continual Improvement

Deming’s 14 Principles

1. Create constancy of purpose

• Define clear objectives
• Focus on long-term planning – think of “problems of tomorrow”; not just “problems of today”
• Efficiency alone is not enough – innovate!
• Constantly improve the design of products and services
• Be pro-active; not reactive

2. Adopt a new philosophy
• Delays and mistakes increase costs
• Rework/ repair and replacements cost money and create customer dissatisfaction
• Adopt a new philosophy of cooperation (win-win) in which everybody wins
• Put it into practice by teaching it to employees, customers and suppliers
• Management should “walk the talk”

3. Cease dependence on mass inspection

• Inspection to achieve quality is too late and costly
• Putting more inspectors will not solve the problem
• Don’t depend on quality control to achieve quality
• Instead, improve the process and build quality into the product – from start to finish
• Focus on quality assurance
• Aim for preventing defects rather than detecting them

4. Don’t award business based on price only

• Price has no meaning without a measure of the quality being purchased
• Don’t compromise quality for the sake of saving costs
• Focus on total cost of ownership
• Aim for long term cost reduction rather than short term profits
• Advantages of single supplier:
– Long-term contracts => partnership
– Economies of scale
– Mutual confidence - loyalty and trust

5. Improve constantly and forever

• Quality must be built into the product from design
• Quality starts with the intent (of management)
• Teamwork across departments is essential
• Putting out fires is not improvement
• Strive for continual improvement in all areas

6. Institute training for skills

• People should be trained appropriately for their job
• Need for a structured training program across the organization
• Training for management and new employees

7. Institute leadership for the management of people

• The job of management is leadership, not supervision
• Leaders must know the work they supervise
• Avoid MBO and MBWA
• Aim should be to help people do a better job
• Some performance will always be “below average”

8. Drive out fear

• People cannot deliver their best if they feel insecure
• People should not be afraid to express ideas, ask questions, seek knowledge or admit mistakes
• Drive out fear and build trust

9. Break down barriers between departments

• Teamwork across departments is fundamental
• People in research, design, sales, and production must work as a team
• Abolish competition and build a win-win system of cooperation within the organization
• Star Team vs. Team of Stars

10. Eliminate slogans and exhortations

• Eliminate “empty” slogans and exhortations
• Instead, focus on the system
• Most errors are caused by the system, rather than people
• Strive to improve the processes to help in improving the quality and productivity

11. Eliminate management by objectives

• Don’t focus only on numbers and quotas
• Quotas are a retardant to improvement
• Numerical goals without a roadmap to achieve them are useless
• Stress on quality

12. Remove barriers to pride of workmanship

• People should be able to enjoy their work and take pride in their workmanship
• Focus on quality, instead of quantity (production targets)
• Don’t treat people as a commodity
• Absenteeism is largely dependent on supervisor – if people feel important, they’ll come to work

13. Institute education and self-improvement

• Institute a proper training program at organization level – for everyone
• Ensure that the employees are appropriately trained for the job they are expected to perform
• This will also facilitate their professional development and self-improvement

14. The transformation is everybody's job

• Plan for action - Involve all the company employees to work on the transformation
• People should understand the objectives of the transformation
• This will ensure buy-in of the people

The 7 Deadly Diseases

1. Lack of constancy of purpose.
2. Emphasis on short-term profits.
3. Evaluation by performance, merit rating, or annual review of performance.
4. Mobility of management.
5. Running a company on visible figures alone.
6. Excessive medical costs.
7. Excessive costs of warranty, fueled by lawyers who work for contingency fees.
