
Case study: Design and development in the software industry

The software industry has been one of the fastest-growing industries of the last few decades, and although software production is regulated by its own rules, there is very often a requirement to establish a Quality Management System according to ISO 9001. Due to the specificity of the software development industry, implementation of ISO 9001 can be even more challenging than in some other industries. One of the first questions to arise is: “Are we a production or a service delivery company?” Although this question doesn’t change much in terms of requirements to be met, it indicates future doubts that will emerge in the implementation project.

Case study

A small start-up software company developed some accounting software and sells the software together with support. The accounting software is the main and most lucrative product they developed, and requires constant updating to meet changes in legislation, but they also develop other software solutions according to the requirements of their customers. In this case study we will discuss the process of developing new software for individual clients.

Is it production or design and development?

This question may come as a surprise in other industries, but here it is hard to make a distinction. Once the product is designed, it no longer requires production as in the manufacturing industry, so the design and development is the production and the process needs to meet the requirements of both clauses 8.3 and 8.5 at the same time.


Planning software development

Let’s assume that the requirements for the product are identified during the sales process. Because all employees in the company had little experience with project management, one of the challenges was to define the planning step in the design process. After consideration of the requirements of the standard, the company developed a planning stage that included:

  • the nature and complexity of the software production activities
  • the required stages, including applicable reviews
  • the required verification and validation activities
  • the internal and external resources needed for software production
  • the need to control interfaces between persons involved in the design and development process
  • the requirement for subsequent provision of products and services
  • roles and responsibilities within the design project, including the project team
  • inputs for design and development, including functional and performance requirements, statutory and regulatory requirements, etc.

Based on all of this information, the company later developed the project plan with defined phases, inputs, outputs, relevant documents, roles, etc. This typically involves a preliminary or high-level design of the main modules with an overall picture (such as a block diagram) of how the parts fit together. Information about the language, operating system, and hardware components is also defined at this time. Then, a detailed or low-level design is created, sometimes with prototyping as proof-of-concept or to firm up requirements.

Executing software development, testing and documenting

Once the project stages are defined, the people involved in the design start with programming the code for the project. Software testing is an integral and important phase of the software development process. Their estimate was that 50% of the whole software development process should be tested. The purpose of the testing, which includes both validation and verification, is to ensure that defects are recognized as soon as possible. (For more information, see: ISO 9001 Design Verification vs. Design Validation.) The company adopted the test-driven development process, meaning that the tests are developed just before implementation and serve as a guide for the implementation’s correctness. Early discovery of errors and their remedy is the key to reliable software.

Deployment and maintenance

Deployment starts directly after the code is appropriately tested, approved for release, and sold or otherwise distributed into a production environment. This may involve installation, customization (such as by setting parameters according to the customer’s values), testing, and possibly an extended period of evaluation.

In some cases, maintaining and enhancing software to cope with newly discovered problems or new requirements can take far more time than the initial development of the software. Not only might it be necessary to add code that does not fit the original design, but just determining how software works at some point after it is completed may require significant effort by a software engineer. About 60% of all software engineering work is maintenance, but this statistic can be misleading. A small part of that is fixing bugs. Most maintenance is extending systems to do new things, which in many ways can be considered new work.

To prevent problems, go by the book

Many small software development companies have problems because they perceive planning the projects and structuring the process to be redundant and time-consuming, but developing a procedure with clear steps and responsibilities does a great deal to prevent problems and avoid rework of the code. ISO 9001 is rarely a customer requirement for software companies, but the requirements of the standard, and especially clause 8.3, can help a lot in defining the software development process and in improving the performance of the company by cutting time spent on rework due to misunderstanding of product requirements and other challenges that emerge in the design process.


Author
Strahinja Stojanovic

Strahinja Stojanovic is certified as a lead auditor for the ISO 13485, ISO 9001, ISO 14001, and OHSAS 18001 standards by RABQSA. He participated in the implementation of these standards in more than 100 SMEs, through the creation of documentation and performing in-house training for maintaining management systems, internal audits, and management reviews.