My QA Prof yesterday asked whether the "rules" of ISO 9000, QS 9000 (as ISO 9000 is used within the automotive industry) and other international regulations are :

1) being used or being referenced (in general) by the software companies you are working inside of? Or the ones you are contracted with.

2) used personally (by your team, yourself, or your company) to control and test or document output?

3) been referenced or quoted as a requirement by other companies you have contacted or been under contract to for software development.

4) Is it (or other ISO procedures) is quoted more now more than it has been in the past, because of the emphasis of Y2K on software changes and testing? Or because of international trade increasing?

I didn't have a specific answer, but told him I would ask the general group. ISO 9000, of course, more controls "how" a company should set up and maintain/monitor/document its internal QA procedures - it doesn't in of itself talk much about software development. But I would like your responses.

-- Robert A Cook, PE (Kennesaw, GA) (Cook.R@csaatl.com), April 16, 1999

Answers

Negative answers, and "never hear of it" answers will be equally useful:

For example, "....of 32 who answered, 6 companies are required to ISO 9000, 24 are not, and 2 did not know what these specifications were....."

-- Robert A Cook, PE (Kennesaw, GA) (Cook.R@csaatl.com), April 16, 1999.

Certainly. The firm where I work (Lockheed Martin) was recently audited and approved for ISO 14001 compliance (which is the later successor to ISO 9001). The auditors said it was the best they'd ever seen done by a facility of our size. For those who don't know, ISO deals with regulatory compliance, prevention of pollution, continual improvement, and prevention of injuries. We were all shown a brief film that basically said, hey look, the environment sucks and we're here to improve on this. Er, I mean improve it. ;-) We have web sites for employees with the regulations, and a phone# they can call as well. ISO stuff actually affects the plant workers (who make the jet planes) to a larger degree than it does the admin people (like me, I'm a consultant doing web development on the intranet), since they work with many more hazardous and recyclable materials, and do much more physical work. I know these details because along with my photo ID badge (I work on an airforce base), I wear around my neck this ISO card with the web site, phone#, and goals of ISO. They stuffed the subject down our throat and spammed us with email about it daily (if not more often) for a couple of months.

I cannot quote any specific ISO procedure, because (a) very few of them likely relate to my job, and (b) because those which do are incorporated into the basic job policy/description learned as part of the position and I may comply without being aware it's ISO-based.

Hope that answers your question.

PJ in TX

-- PJ Gaenir (fire@firedocs.com), April 16, 1999.

Robert -

No knowledge of ISO9000, but I do have some experience with the SEI Capability Maturity Model, which is something of an industry standard. It's used by software development firms to assess and improve their processes. You and your prof might want to have a look at it, if you're interested.

Most companies are SEI CMM Level 1 (or not even that), which translates as "barely controlled chaos." Just moving up to Maturity Level 2 requires months of work, establishing the key processes and getting personnel to work to them. If a company has been assessed as SEI Level 3 or above (and when last I looked, that's a very select and small group), it means that they've done some very hard work and established some kick-butt development processes.

Many companies would be hard pressed just to point you to current documentation for their mission-critical systems...

-- Mac (sneak@lurk.hid), April 16, 1999.

Just did some searching... Hey, PJ, looks like LM Fed Systems has been busy, busy, busy: SEI Level 5

Lockheed Martin Federal Systems in Owego, N.Y., has achieved ISO 9001 Certification and has also attained the Carnegie Mellon Software Engineering Institute (SEI) Capability Maturity Modelsm1 (CMM.2) Level 5 rating, the highest rating for a company's software development capability.

It's probably three or four years of work to attain CMM Level 5. They're to be congratulated.

-- Mac (sneak@lurk.hid), April 16, 1999.

That's what this semester's grad project covers - getting a company past SE Level 3 up to Level 4 or Level 5, specifically the test procedures, test results database(s) needed, test protocals required, test feedback (bug reports, upgrade progress reprtos, "wish lists", want-to's, rework, rework rates, priorities, etc.

-- Robert A Cook, PE (Kennesaw, GA) (Cook.R@csaatl.com), April 16, 1999.

Worked as consultant for large insurance firm. They were at level 1 (or below) when we began writing a plan to get to level 2 then to level 3. My previous company was at level 2 in places and level 3 in others. Did you have a copy of the CMM? Most libraries have it. It's a relatively easy task to write the plan to go up levels but to get company "buy in"... well good luck. Most company cultures are reluctant to change, especially in the area of discipline. I'm familiar with the ISO 9000 series, initiated (I thought) by the government as a rewrite to earlier standards and guidelines. Good luck with your work.

-- Maria (anon@ymous.com), April 16, 1999.

I work with a State Agency. They talk a good game with emphasis on quality, Quality Assurance Reviews (QARs) etc. but the whole effort collapses because management absolutely refuses to recognize that to achieve quality, you have to slip the intermediate production dates if the work was not done properly. In other words add 2 months to the phase completion date and deduct 2 months from the final due date. They will not do that. So of Edward Demmings 14 points, they fail 9 due to the undue emphasis on production. This is an F.

-- Ken (official@dot.dot), April 16, 1999.

ISO 14001 is the de-facto standard for company operations in Japan. I believe Japan may have the highest certification rate. The driving force in Asia was for international competitive reasons. Trade with Europe and throughout Asia is vital for all Asian economies, especially in light of the new Euroeconomy. It certainly would be applied to all internal operations, including in-house software/firmware development.

-- PNG (png@gol.com), April 17, 1999.