Fog Creek Software
Discussion Board

ISO 9000

My company is going to be trying to get ISO 9000 certification. Right now they're at CMM level "What?" based on my own observations. Does anyone have any thoughts on how to make this transition easier for my programmers? The upper management is going bonkers with required paperwork to always leave the "proper paper trail" I say that's good so long as it's not toilet paper... E.G. usefull for a second and then never seen again. Any thoughts?

Friday, June 6, 2003


Hardware Guy
Friday, June 6, 2003

One suggestion I have is to never, ever tell the staff that you're making changes so that you can get ISO 9000 certified. Why should they care? It will just seem like you're giving them pointless extra work so the company can get a checkmark on a feature list.

Instead, introduce industry best practices for software development because they're good ideas and they work.

Then, after a while, when the best practices have become standard operating procedure for the company, invite the ISO 9000 auditors in. You shouldn't even need to give the developers advanced warning.

Bill Tomlinson
Friday, June 6, 2003

The "required paper trail" is a myth. The ISO 9000 standard doesn't require paperwork; it merely requires that your processes be provably effective. You get to define 'effective'. Heck, you even get to define 'provably', although your auditor has to agree with your definition.

I agree that you shouldn't be introducing new steps or processes just to get ISO certified. Introduce new practices because they are a good idea; helping you reach ISO certification should be a side effect.

Friday, June 6, 2003

Don't get over-excited about ISO. Too many companies do. It's a simple document what you and do what you document system audited by clueless QA people. And I don't mean software QA people - they're often (but not always) former quality engineers or technicians that worked for DOD contractors. Most don't know a thing about software.

If you have no formal software processes in house, you just need to create one.  It doesn't have to be complicated - a waterfall lifecycle model would suffice. Include design reviews and validation activities in your model. Then document your activities during ther development process.

Not fun, but not too complicated.

Friday, June 6, 2003

I didn't think that ISO 9000 required effective processes - just repeatable. So if your process is "garbage in, garbage out," it's fine as long as you do it the same way every time.

I've been through an experience where support and manufacturing in the company were getting ISO900x certified and it wasn't pretty. Mainly there was lot of work to get process documentation written.

Bill has the right idea about getting the process in place then getting certified. This is how it was supposed to work. A lot of companies like to skip this step, though. They go right to getting certified becase that what really matters in the market.

Just explain to the programmers what the company goals are (e.g. to get certified). I wouldn't try to implement meaningful process changes, just comply with documentation requirements.

Friday, June 6, 2003

I once knew of a school that decided to be almost the only school in the world that was ISO certified. It needed to keep everything documented because none of the teachers could stand it more than a couple of semesters.

I would think the process is even more pointless in the software world.

The purpose of ISO9000 is to ensure that you use the same processes to produce consistent quality for the same model. With software you do that by turning error checking on on your CD Rewriter.


Stephen Jones
Friday, June 6, 2003

"You build crap!"
"yes...but it's consitent well-documented crap."

fool for python
Friday, June 6, 2003

My understanding is that ISO 9000 was designed during WWII to ensure that munitions etc. manufacturers would produce a product that was consistent. It's about ensuring repeatability, not quality - making sure that what comes off the assembly line is the same every time. This has some relevance to manufacturing, but very little to software engineering.

Saturday, June 7, 2003

Is there really any market significance to ISO 9000 for software development companies?  One of my previous (no longer existing) employers started investigating the possibility.  There were newsletters about the steps we would go through.  Then someone figured out that no one really cared if we were ISO 9000 or not.  The project just faded away.

Yes, Leave!
Saturday, June 7, 2003

I'm told some customers like it: for example, telecom carriers might like it, which is an incentive for telecom equipment manufacturers to show it.

Christopher Wells
Saturday, June 7, 2003

Is Microsoft ISO certified?

Saturday, June 7, 2003

---"an incentive for telecom equipment manufacturers to show it. "---

Exactly; equipment manufacturers. They're buying goods.

I used to train steelworkers. When the secretary went on holiday I took over the attendance and grading and put all the names on computer. They had special attendance and report sheets, and I copied them but made the lines bigger so you actually had space to put in the names and comments. I also moved their company logo over to the other side, make it larger, and instead of black and white printed it out in it's true colourful green. Nothing else changed.

They sent it back, saying that the forms would have to be redone because the old forms were ISO 9000 ceritified, and my readable ones weren't.

Stephen Jones
Sunday, June 8, 2003

Telecom equipment manufacturers write software too. They may have a design/manufacturing process for software, which may say for example that they test their software before they ship. The certification may imply that their process is repeated/followed: for example that they *always* test before they ship; that they know which version they are shipping; etc.

SFAIK MS isn't ISO-certified, not to say that they need to be.

Christopher Wells
Sunday, June 8, 2003

Good point, but I still suspect that they got the certiication because they produce hardware, and then had to come up with some kind of process for the software in order to get the certification.

Stephen Jones
Sunday, June 8, 2003

Incidentally, re. your forms: the process should include a mechanism that would allow you to initiate a change to the process, for example to get your (better) forms accepted as the new standard...

Christopher Wells
Sunday, June 8, 2003

But the forms had exactly the same layout and gave exactly the same information, and were printed on the same paper.

I followed a well-documented way to ensure our forms became the new standard. We told them if they wanted to play silly buggers they could copy all the stuff out again themselves and we would sign it.

When the second batch of my forms went in there was no problem.

Stephen Jones
Sunday, June 8, 2003

Some people think ISO 9000 can be "garbage in, garbage out" type of thing. Many people think this is the way it is. But as can be read form the ISO9000:

"To lead and operate on organisation succesfully, it is necessary to direct and control it in a systematic and transparent manner. Success can result from implementing and maintaining a management system that is designed to continually improve performance while addressing the needs of all interested parties. Managing an organisation encompasses quality management amongst other management disciplines."

In practise this means quite simple things you should do:

1) Know what you do and who your (internal) customers are.

2) Come up with solid methods on how to do your job and write them down.

3) Periodically revise your practises and improve them if possible.

In software business, you should have some practises written down from: requirements, code and bug mgmt. You have the tools and the Quality Documentation" can be their usage instructions or similar. You might also define the roles and responsibilities ("Project manager does this, Chief guru does that").

If you can place all these documents under some version control, you are already done most of the work.

But is there any reason for a software company to be ISO9000 certified? That really depents on the company and its customers. Some industries require their suppliers have good workmanners and they require ISO or other certification body to check that out. The companies where I have worked were ISO9000 ready, but we did not want to go through the actual process.

At the end it is the matter of how much money you get out of it.

Tuesday, June 10, 2003

*  Recent Topics

*  Fog Creek Home