ISO 9000-3 1997 is now OBSOLETE.

It was replaced by ISO IEC 90003 2004*

 

* ISO IEC 90003 is a quality management standard for computer software and
related services. It replaces the old ISO 9000-3 1997 standard. ISO IEC 90003
explains how ISO 9001 2000 can be applied to software and related services.

RELATED RESOURCES

ISO 27001 Information Security Management Library

ISO 27002 (17799) Information Security Management Library

ARCHIVE OF OBSOLETE ISO 9000-3 MATERIAL

ISO 9000-3 Guidelines Translated into Plain English

Guidelines for Applying the ISO 9001 Standard to Software

ISO prepared the 9000-3:1997(E) guidelines in order to help organizations to apply
the ISO 9001 standard to computer software. Use ISO 9000-3 if you develop, supply,
install, and maintain computer software.

ISO 9000-3:1997 is really an expanded version of the old ISO 9001:1994 standard.
ISO has simply copied the old text from ISO 9001 and pasted it into the new
version of ISO 9000-3, and then added some new text that refers only to software.
In order to avoid confusion, the old ISO 9001 text is presented in black, while
the new ISO 9000-3 text is presented in red.

The page below summarizes ISO 9000-3:1997. It highlights the main points. It does not present detail. If you need a complete interpretation of the ISO 9000-3 standard, please visit our new ISO 9000-3 web page.

ISO 9000-3: 4.1 Management responsibilities

  • Define a quality policy. Your policy should describe your organization's attitude towards quality.

  • Define the organizational structure that you will need in order to manage your quality system.

    • Define quality system responsibilities, give quality system personnel the authority to carry out these responsibilities, and ensure that the interactions between these personnel are clearly specified. Also, make sure that all of this is well documented.

    • Identify and provide the resources that people will need to manage, perform, and verify quality system work.

    • Appoint a senior executive to manage your quality system and give him or her the necessary authority.

  • Define a procedure that your senior managers can use to review the effectiveness of your quality system.

ISO 9000-3: 4.2 Quality system requirements

  • Develop a quality system and a manual that describes it.

  • Develop and implement quality system procedures that are consistent with your quality policy.

  • Develop quality plans which show how you intend to fulfill quality system requirements. You are expected to develop quality plans for products, processes, projects, and customer contracts.

    • Develop quality plans to control software development projects.

    • Develop a quality plan whenever you need to control the quality of a specific project, product, or contract.

      • Your quality plan should explain how you intend to tailor your quality system so that it applies to your specific project, product, or contract.

      • Develop detailed quality plans and procedures to control configuration management, product verification, product validation, nonconforming products, and corrective actions.

ISO 9000-3: 4.3 Contract review requirements

  • Develop and document procedures to coordinate the review of sales orders and customer contracts. Make sure you include the customer in the process of review.

    • Develop and document procedures to coordinate the review of software development contracts.

  • Your contract review procedures should ensure that all contractual requirements are acceptable before you agree to provide products or services to your customers.

    • Make sure that you and your software customer agree on:

      • How terms will be defined.

      • How products will be accepted.

      • How the customer will participate.

      • How software users will be trained.

      • How software upgrades will be handled.

      • How joint progress reviews will be conducted.

      • How changes in customer requirements will be handled.

      • How problems will be handled after product acceptance.

    • Make sure that you and your customers agree that:

      • The project is feasible.

      • The legal rights of others will be respected.

      • The customer can meet all contractual obligations.

    • Make sure that you have:

      • Established a project schedule.

      • Identified significant risks and contingencies.

      • Specified all contractual liabilities and penalties.

      • Defined your software development procedures.

      • Confirmed that resources will be available when needed.

      • Clarified the extent of your responsibility for subcontractors.

  • Develop procedures which specify how customer contracts are amended, and which ensure that changes in contracts are communicated throughout the organization.

  • Develop a record keeping system that you can use to document the review of customer orders and contracts.

ISO 9000-3: 4.4 Product design requirements

  • Develop and document procedures to control the product design and development process. These procedures must ensure that all requirements are being met.

    • Control your software development projects and make sure they are executed in a disciplined manner.

    • Control your software design process and make sure that it is performed in a systematic way.

  • Develop product design and development planning procedures.

    • Prepare a software development plan. Your plan should be documented and approved before it is implemented. Your plan should:

      • Define your project.

      • List project objectives.

      • Present your project schedule.

      • Define project inputs and outputs.

      • Identify related plans and projects.

      • Explain how your project will be organized.

      • Discuss project risks and potential problems.

      • Identify important project assumptions.

      • Identify all relevant control strategies.

  • Identify the groups who should be routinely involved in the product design and development process, and ensure that their design input is properly documented, circulated, and reviewed.

    • Make sure that your software development plan defines:

      • How the responsibility for software development will be distributed amongst all participants.

      • How technical information will be shared and transmitted between all participants.

    • Make sure that your customer has accepted the responsibility to cooperate and support your software development project.

    • Make sure that you schedule project reviews in order to evaluate the activities and the results achieved by all participants.

  • Develop procedures to ensure that all design input requirements are identified, documented, and reviewed; and that all design flaws, ambiguities, contradictions, and deficiencies are resolved.

    • Design input requirements should be specified by the customer. However, sometimes the customer will expect you to develop the design-input specification. In this case you should:

      • Prepare procedures that you can use to develop design-input specifications.

      • Work closely with your customer in order to avoid misunderstandings and to ensure that the specification meets the customer's needs and expectations.

      • Express your specification using terms that will make it easy to validate during product acceptance.

      • Ask your customer to approve the resulting design-input specification.

  • Develop procedures to control design outputs.

    • Prepare design output documents using standardized methods and make sure that your documents are correct and complete.

  • Develop procedures which specify how product design reviews should be planned and performed.

    • Plan and perform product design reviews for your software development projects.

    • Develop and document software design review procedures.

  • Develop procedures which specify how design outputs, at every stage of the product design and development process, should be verified.

    • Verify your software design outputs by performing design reviews, demonstrations, and tests.

    • Maintain a record of your design verifications.

  • Develop procedures that validate the assumption that your newly designed products will meet customer needs.

    • Prove that your product is ready for its intended use before you ask your customer to accept it.

    • Accept validated products for subsequent use only if they have been verified and only if all remedial actions have been taken.

    • Maintain a record of your design validations.

  • Develop procedures to ensure that all product design modifications are documented, reviewed, and formally authorized before the resulting documents are circulated and the changes are implemented.

    • Develop procedures to control software design changes that may occur during the product's life cycle.

ISO 9000-3: 4.5 Document and data control

  • Develop procedures to control quality system documents and data.

    • Identify all documents and data that must be controlled.

    • Develop procedures to control your documents and data.

  • Develop procedures to review, approve, and manage all of your quality system documents and data.

    • Develop procedures to control electronic documents and data.

  • Develop procedures to control changes to documents and data.

ISO 9000-3: 4.6 Purchasing requirements

  • Develop procedures to ensure that purchased products meet all requirements. These procedures should control the selection of subcontractors, the use of purchasing data, and the verification of purchased products.

    • The term purchased products includes both products and services.

  • Develop procedures to select, evaluate, monitor, and control your subcontractors (your suppliers). Make sure that quality records are kept which chronicle the performance of all your subcontractors. Your records should identify the acceptable subcontractors and the products and services they provide.

  • Develop procedures to ensure that your purchasing documents precisely describe what you want to buy.

  • Develop procedures that allow you or your customers to verify the acceptability of products you have purchased.

ISO 9000-3: 4.7 Customer-supplied products

  • Develop procedures to control products supplied to you by customers. These procedures should ensure that you:

    • Examine the product when you receive it to confirm that the right items were shipped without loss or damage.

    • Prevent product loss, misuse, damage, or deterioration through proper storage and security.

    • Record, and report to the customer, any product loss, misuse, damage, or deterioration.

    • Clarify who is responsible for the maintenance and control of the product while it is in your possession.

  • Control products, services, documents, and data supplied by customers.

ISO 9000-3: 4.8 Product identification and tracing

  • Develop and document procedures to identify and track products from start to finish. When appropriate, these procedures should ensure that you:

    • Identify and document products every step of the way from the purchase of supplies and materials through all stages of handling, storage, production, delivery, installation, and servicing.

    • Trace products or product batches by means of unique identifiers and suitable record keeping.

    • Develop procedures to assign unique identifiers to your software products and components. You should assign identifiers during the product definition phase and be able to maintain these identities thoughout the product life cycle.

    • Develop procedures to track your software products and components. You should be able to track your software throughout its life cycle.

      • Use configuration management methods to identify and track your software products and components.

ISO 9000-3: 4.9 Process control requirements

  • Develop and document procedures to plan, monitor, and control your production, installation, and servicing processes.

  • Design a record keeping system that monitors and controls process personnel and equipment. Make sure that all important process qualities are monitored and recorded.

  • Develop procedures to control the software replication process.

  • Develop procedures to control the software release process.

  • Develop procedures to control the software installation process.

ISO 9000-3: 4.10 Product inspection and testing

  • Develop procedures to inspect, test, and verify that incoming, in-process, and final products meet all specified requirements. Also ensure that appropriate product inspection and testing records are developed, and that your procedures ensure that these records are properly maintained.
  • Develop and document software test plans.

  • Develop procedures which ensure that incoming products are not used until you have verified that they meet all specified requirements.

    • Develop and document procedures to verify software products and data that are provided by third parties and will be built into your software product. Third parties may include your customers and suppliers.

  • Develop procedures which ensure that work-in-process meets all requirements before work is allowed to continue.

  • Develop procedures which ensure that final products meet all requirements before they are made available for sale.

    • Perform software validation tests and software acceptance tests.

  • Develop a record keeping system that your staff can use to document all product testing and inspection activities.

ISO 9000-3: 4.11 Control of inspection equipment

  • Develop procedures to control, calibrate, and maintain inspection, measuring, and test equipment used to demonstrate that your products conform to specified requirements (please note that the term equipment includes both hardware and software).

    • Use tools, techniques, and equipment to test whether your software products meet specified requirements.

  • Develop procedures to ensure that your measurement equipment is appropriate, effective, and secure.

  • Develop procedures to calibrate all of your quality oriented inspection, measuring, and test equipment.

    • Develop procedures to calibrate hardware and tools used to test and validate your software products.

ISO 9000-3: 4.12 Inspection and test status of products

  • Develop procedures to control the test status of your products. These procedures should ensure that:

    • Each and every product is identified as having passed or failed the required tests and inspections.

    • The test status of each product is documented and respected throughout the production, installation, and servicing process.

    • Only products that have passed all tests and inspections are subsequently used or sold to customers (unless an official exception is made under section 4.13 below).

      • Develop methods to identify and control the test status of your software products and components.

ISO 9000-3: 4.13 Control of nonconforming products

  • Develop procedures to prevent the inappropriate use of nonconforming products. Also make sure that everyone is notified when your products do not conform to specified requirements.

    • Segregate your nonconforming software by placing it into a separate environment.

    • Control how software defects and nonconformities are investigated and resolved.

  • Develop procedures to control how your nonconforming products are reviewed, reworked, re-graded, re-tested, recorded, and discussed.

    • Control the disposition of nonconforming software products and components.

    • Re-test software products that have been modified.

ISO 9000-3: 4.14 Corrective and preventive action

  • Develop procedures to correct or prevent nonconformities.

    • Use configuration management procedures to control corrective and preventive actions that affect software items and products.

    • Use document and data control procedures to control corrective and preventive actions that affect software life cycle processes.

  • Develop procedures to ensure that nonconformities are identified and corrected without delay.

  • Develop procedures to ensure that potential nonconformities are routinely detected and prevented.

    • Develop preventive actions by analyzing the root causes of your nonconformities.

    • Develop preventive actions by analyzing unfavorable metric levels and trends.

ISO 9000-3: 4.15 Handling, storage, and delivery

  • Develop and document procedures to handle, store, package, preserve, and deliver your products.

  • Develop product handling methods and procedures that prevent product damage or deterioration.

    • Your product handling procedures should help prevent damage to your software products and avoid deterioration.

  • Designate secure areas to store and protect your products.

  • Develop procedures which specify how your products will be placed into storage and removed from storage.

  • Develop procedures which specify how your products will be protected from damage or deterioration during storage.

    • Develop procedures to control how your software products and items will be stored and protected.

      • Store software masters and copies in a secure environment.

  • Develop procedures which specify how your products will be monitored and evaluated to detect damage or deterioration while in storage.

  • Develop packing, packaging, and marking methods and procedures to protect and control the quality of products and packaging materials.

  • Develop methods and procedures to protect and preserve product quality prior to delivery and while the product is still under your control.

    • Develop methods to protect and preserve software product quality prior to delivery while the product is still under your control.

  • Develop procedures to protect your products after final testing and inspection, and during product delivery.

    • Protect your software during delivery.

      • Develop and document procedures to preserve product integrity and protect against software viruses.

ISO 9000-3: 4.16 Control of quality records

  • Identify and define the quality information that should be collected.

  • Develop a quality record keeping system, and develop procedures to maintain and control it. Develop procedures to:

    • Collect and record quality information (create records).

    • File, index, store, and maintain quality records.

    • Remove, archive, and destroy old quality records.

    • Protect quality records from unauthorized access.

    • Prevent records from being altered without approval.

    • Safeguard records from damage or deterioration.

  • Software quality records are documents and files that prove that quality activities were performed and quality results were achieved.

ISO 9000-3: 4.17 Internal quality audit requirements

  • Develop internal quality audit procedures which:

    • Determine whether quality activities and results comply with written quality plans, procedures, and programs.

    • Evaluate the performance of your quality system.

    • Verify the effectiveness of your corrective actions.

  • These procedures should also ensure that:

    • Audit activities are properly planned.

    • Auditors are independent of the people being audited.

    • Audit results, corrective actions, and corrective action results and consequences are properly recorded.

    • Audit conclusions are discussed with the people whose activities and results are being audited, and deficiencies are corrected.

    • Audit reports are fed back into the quality system review process.

  • Develop an internal audit plan or program for software projects.

ISO 9000-3: 4.18 Training requirements

  • Develop quality training procedures.
    These procedures must ensure that:

    • Quality system training needs are identified.

    • Quality training is provided to those who need it.

    • People are able to perform quality system jobs.

    • People have the qualifications they need to do the work.

    • Accurate and appropriate training records are kept.

    • Everyone understands how your quality system works.

  • Identify the training that will be needed to develop software products and to manage software development projects.

    • Identify your training needs by studying how software will be developed and how projects will be managed.

ISO 9000-3: 4.19 Servicing requirements

  • Develop and document quality service procedures.
    Your procedures should specify how:

    • Products should be serviced.

    • Product service activities are reported.

    • The quality of product service is verified.

  • Develop procedures to control your software maintenance process.

  • Develop plans to control your software maintenance projects.

  • Keep a record of your software maintenance activities.

ISO 9000-3: 4.20 Statistical techniques

  • Select the statistical techniques that you will need in order to establish, control, and verify your process capabilities and product characteristics.

  • Develop procedures to explain how your techniques should be applied.

  • Develop procedures to monitor and control how techniques are used.

  • Make sure that all statistical procedures are documented.

  • Make sure that proper statistical records are kept.

  • Use statistical techniques to analyze the software development process.

  • Use statistical techniques to analyze software product characteristics.

  • Use statistical techniques to evaluate process and product quality.

 
This web page was first published on May 25, 1997
This web page was updated on March 17, 2009
Praxiom Research Group Limited
9619 - 100A Street, Edmonton,
Alberta, Canada, T5K 0V7
Phone: (780)461-4514
 info@praxiom.com
© 1997-2008 Praxiom Research Group Limited. All Rights Reserved.
Home Page Contents Site Map Detailed Index
Introduction Definitions Theory Requirements
Guidelines Q.S.D. Plan Audit Programs Quality Awards
Our Guarantee How to Order Our Publications Link Partners

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and developing
this electronic publication. We make no representation or warranties with respect
 to accuracy or completeness of the contents of this publication and specifically
disclaim any implied warranties or merchantability or fitness for any particular
purpose and shall in no event be liable for any loss of profit or any other
commercial damage, including but not limited to special,
incidental, consequential, or other damages.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view
our material as often as you wish, free of charge. And as long as
you keep intact all copyright notices, you are also welcome
to print or make one copy of this page for your own personal,
noncommercial, home use.  But, you are not legally
authorized to print or produce additional copies. 
 

© 1997 - 2009 by Praxiom Research Group Limited. All Rights Reserved.