ISO 9000-3 Digest        Sunday, 4 February 1996        Volume 01 : Number 008

In this issue:

        Re: Question: Software Test Tools Control
        Reply:Qualified ISO Software Auditor
        Re: Am I Missing Something
        Re: Question: Software Test Tools Control
        Software test tools control
        Registered companies in Canada and Mexico
        RE: Question: Software Test Tools Contro
        Re: Question: Software Test Tools Control
        Re: Qualified ISO Software Auditors
        re: ASQC Certified Quality Auditor (fwd)
        Re: Am I Missing Something
        Re: Qualified ISO Software Auditors

----------------------------------------------------------------------

From: Lee Stewart
Date: Thu, 1 Feb 96 13:48:25 -0500
Subject: Re: Question: Software Test Tools Control

Hi Sports Fans,

Paragraph 4.11.1, continued on page 7 of ANSI/ASQC Q9001-1994, clearly
states at the top left side of the page: "Where test software or comparative
references such as test hardware are used as suitable forms of inspection,
they SHALL be checked to prove that they are capable of verifying the
acceptability of product, prior to release for use during production,
installation, or servicing, and shall be rechecked at prescribed intervals.
The supplier shall establish the extent and frequency of such checks and
shall maintain records as evidence of control (see 4.16)."

In my opinion, that's a YES!

Sincerely,

Lee Stewart
SQA Manager
ARS Limited

At 11:01 AM 2/1/96 EST, you wrote:
>I have a question for the group regarding the use of script files to execute
>some aspects of our verification, then validation procedures on software.
>
>Here is how we are doing it: As the developer chugs along developing, he
>realizes that he ought to verify his code using specific data sets and running
>"compares" against the results. Since he knows an automated way of doing the
>testing might exist, he asks around "Hey, does anyone have a script file
>(batch file for PC users) that does this?" Invariably, someone does have
>a similar file hanging around and gives it to the developer.
>The developer then tweaks the script file to meet his immediate needs. He
>tests the code, then passes the script file on to the validation team for
>use during final acceptance of the software.
>
>Now, keeping away from the major conceptual flaw (developer develops code,
>then develops test to verify code, then validators just rubber stamp with
>the assumption that the script file works properly), what about:
>documentation, configuration control, release of these script files to the
>customer. Etcetera. Does ISO require that we document and verify these tools
>in a similar fashion that we use for product?
>
>Please post replies! Let's get some discussion going...
>===================================================================
> _/_/_/_/_/ _/_/_/_/ Greta Daczkowski
> _/ _/ _/ System Test Engineer
> _/ _/_/_/ _/ _/ Securicor Telesciences
> _/ _/ _/ _/ (609) 866-1000
> _/_/_/_/_/ _/_/_/_/ email:g.daczkowski@telesciences.com
>==================================================================
>
>

------------------------------

From: gdaczkow@telesciences.com (Greta H Daczkowski)
Date: Thu, 1 Feb 96 13:55 EST
Subject: Reply:Qualified ISO Software Auditor

In response to Henry Schneider's Question about Auditors with experience in
Software:

Our firm explicitly asked to have one person knowledgeable in software on
the auditing team. The reason for this was, we needed to have someone who
would understand our explanations for configuration control, or verification
through use of lint, CodeCheck, etcetera. We didn't want to have to go
through a training discussion for each item.

In addition, we had heard that non-software types would interpret
requirements entirely different (which isn't uncommon to all of the standard
and quite a few auditors), but we wanted to minimize the "interpretive slant"
as much as possible. We hoped to avoid unrealistic manufacturing/hardware
types of interpretations.
I believe it is more efficient to guide external audits when the auditors are
knowledgeable of the process/product that the firm is producing.

------------------------------

From: Philip Stein
Date: Thu, 1 Feb 1996 14:08:57 -0500
Subject: Re: Am I Missing Something

On Thu, Feb 1, 1996 9:12:00 AM at Schneider, Henry wrote:
>
>
>Hi,
>
>I subscribed to this list a couple of days ago. And as of this morning I

It's working. The ISO list is hyperactive. This might get one or two posts
a week

Philip Stein
Consultants in the Physical Sciences, Measurements, and Quality
Chair-elect, ASQC Measurement Quality Division

------------------------------

From: gdaczkow@telesciences.com (Greta H Daczkowski)
Date: Thu, 1 Feb 96 14:10 EST
Subject: Re: Question: Software Test Tools Control

With regard to: Verification and control of script files used to verify or
validate software.

Paragraph 4.11.1, continued on page 7 of ANSI/ASQC Q9001-1994, clearly
states at the top left side of the page: "Where test software or comparative
ref...

Lee,

I really appreciate your response. Unfortunately, my management "weasels"
out of this requirement because:

If the paragraph of ISO is taken literally. The software I am referring to
is used during development and during the final validation test prior to
release to be "produced" by manufacturing. So, it isn't really used in
inspection for verification of the acceptability of the product for use
during production.

You see, 4.11.1 implies that the test software is used during production for
verifying the product, not for development.

Where is the flaw in the logic above? I have heard of thinking of code
development as a production process. I do have difficulty bending my mind
to view it that way.

If you have further comments, please respond.

------------------------------

From: Philip Stein
Date: Thu, 1 Feb 1996 14:14:38 -0500
Subject: Software test tools control

On Thu, Feb 1, 1996 12:00:00 AM at Greta H Daczkowski wrote:
>I have a question for the group regarding the use of script files to execute
>some aspects of our verification, then validation procedures on software.
>
>Here is how we are doing it: As the developer chugs along developing, he
>realizes that he ought to verify his code using specific data sets and running
>"compares" against the results. Since he knows an automated way of doing the
>testing might exist, he asks around "Hey, does anyone have a script file
>(batch file for PC users) that does this?" Invariably, someone does have
>a similar file hanging around and gives it to the developer. The developer then
>tweaks the script file to meet his immediate needs. He tests the code, then
>passes the script file on to the validation team for use during final acceptance
>of the software.
>
>Now, keeping away from the major conceptual flaw (developer develops code, then
>develops test to verify code, then validators just rubber stamp with the
>assumption that the script file works properly), what about: documentation,
>configuration control, release of these script files to the customer. Etcetera.
>Does ISO require that we document and verify these tools in a similar fashion
>that we use for product?
>

There is no problem with an individual developer using 'private' tools for
verification without further documentation. Once there is a test for
acceptance purposes, even 'local' validation, say for subsystem integration,
that test, its methods and results, must be documented.

There should be a test plan prepared before, or at least in parallel with
development. Any intermediate acceptance test (manufacturing terminology is
in-process) should have been part of this plan, and will therefore be
documented.

Philip Stein
Consultants in the Physical Sciences, Measurements, and Quality
Chair-elect, ASQC Measurement Quality Division

------------------------------

From: "Francisco Robledo"
Date: Thu, 1 Feb 96 13:17:45 MST
Subject: Registered companies in Canada and Mexico

Good day everyone,

I'm currently doing research for UNAM (Universidad Nacional Autonoma de
Mexico) on ISO 9000-3, its use on software related companies in Canada
certified under the ISO 9000 quality assurance standards, and the benefits
that this application will bring Mexican companies.

The results of this work will be applied in the creation of a new course at
UNAM's Faculty of Management, offered to students pursuing studies in
information systems. ISO 9000 certification is at an early stage of
development in Mexico and it is UNAM's intention to promote a quality
oriented view of the software development to the new professionals as well
as to Mexican industries.

We need information regarding specific examples in Canada, and are also
looking for a list of all the registered companies under this subject. As
far as I know publications of the directories do exist, so if anyone can
help me with this specific information I would really appreciate it.

Thank you!

Francisco Robledo
frobledo@acs.ucalgary.ca
University of Calgary
Faculty of Management
CANADA
(403) 220 7847
(403) 282 0095 fax

------------------------------

From: "Schneider, Henry"
Date: Thu, 1 Feb 1996 15:01:00 -0600
Subject: RE: Question: Software Test Tools Contro

What is production in terms of software development? It is the no-brainer
replication of the disks, packaging, shrink wrapping (if appropriate), and
delivery to the customer. Everything else we do is design and development.
Production is the final relatively minor step in software development. Given
this definition, you probably don't use ANY test tools in production.

Herein lies the reason why we have ISO 9000-3.
ISO 9001, 9002, and 9003 are written for the hardware manufacturing
environment where all the emphasis is on production. Read paragraphs 5.7,
6.5, and 6.6 of ISO 9000-3 for how to interpret 4.11 for software
development.

In software development the majority of the emphasis is on design and
testing. Therefore, the only way you can ensure the quality of your products
is to subject EVERYTHING you use to design, develop, and produce your product
to the same level of test and inspection.

Henry

----------
From: Greta H Daczkowski[SMTP:gdaczkow@telesciences.com]
Sent: Thursday, February 01, 1996 2:22 PM
To: iso9000-3
Subject: Re: Question: Software Test Tools Contro

With regard to: Verification and control of script files used to verify or
validate software.

Paragraph 4.11.1, continued on page 7 of ANSI/ASQC Q9001-1994, clearly
states at the top left side of the page: "Where test software or comparative
ref...

Lee,

I really appreciate your response. Unfortunately, my management "weasels"
out of this requirement because:

If the paragraph of ISO is taken literally. The software I am referring to
is used during development and during the final validation test prior to
release to be "produced" by manufacturing. So, it isn't really used in
inspection for verification of the acceptability of the product for use
during production.

You see, 4.11.1 implies that the test software is used during production for
verifying the product, not for development.

Where is the flaw in the logic above? I have heard of thinking of code
development as a production process. I do have difficulty bending my mind
to view it that way.

If you have further comments, please respond.

------------------------------

From: Lee Stewart
Date: Thu, 1 Feb 96 17:01:46 -0500
Subject: Re: Question: Software Test Tools Control

Greta,

If I understand you correctly, you are using a software test tool, which is
used to test a piece of software, the software "tested" is then used in the
manufacturing facility to control a production device?

If that's the case, the software test tool must be controlled, if the
software which drives the production device could affect the quality of the
end product.

In my opinion of course.

Bosses may not want to accept this in a lot of cases, initially. Need to
sell them on the concept.

This is EXACTLY why "Auditors" should be certified as "Software Auditors."

Sincerely,

Lee Stewart

At 02:10 PM 2/1/96 EST, you wrote:
>With regard to: Verification and control of script files used to verify or
>validate software.
>
>
>Paragraph 4.11.1, continued on page 7 of ANSI/ASQC Q9001-1994, clearly
>states at the top left side of the page: "Where test software or comparative
>ref...
>
>
>
>
>
>Lee,
>
> I really appreciate your response. Unfortunately, my management "weasels"
> out of this requirement because:
>
>If the paragraph of ISO is taken literally. The software I am referring to
>is used during development and during the final validation test prior to
>release to be "produced" by manufacturing. So, it isn't really used in
>inspection for verification of the acceptability of the product for use
>during production.
>
>You see, 4.11.1 implies that the test software is used during production for
>verifying the product, not for development.
>
>Where is the flaw in the logic above? I have heard of thinking of code
>development as a production process. I do have difficulty bending my mind
>to view it that way.
>
>If you have further comments, please respond.
>
>

------------------------------

From: doug@mincom.com (Doug Thiele)
Date: Fri, 2 Feb 1996 09:19:01 +1000
Subject: Re: Qualified ISO Software Auditors

>In a nutshell the proposal states any ISO 9000 auditor auditing a
>software company or software component of a company must be a qualified
>software auditor. We are NOT proposing any additional ISO 9000
>requirements, a separate certification scheme, or logo. This is where we
>differ from TickIT.

I would always want auditors who have knowledge of the software life cycle
processes.

We have had a certificate for ISO 9001 since 1992. Next week we are
extending this to include TickIT. There are no additional requirements, but
the auditor has formal software auditing qualifications. I don't expect any
major dramas as the same standard will be used as the basis of the audit.

- --
Doug Thiele            Mincom Pty Ltd, Brisbane, Australia
tel +61 7 3303-3139    doug@mincom.com    fax +61 7 3303-3232

------------------------------

From: "Bill Casti, CQA (Moderator)"
Date: Fri, 2 Feb 1996 13:34:41 -0500 (EST)
Subject: re: ASQC Certified Quality Auditor (fwd)

NOTE: Should you choose to respond, please do so as directed by Mr. Arter,
in his notice below, not to me. This is being distributed to all QUALITY.ORG
email discussion lists, as well as the QUALITY-L list from Princeton; if you
are on more than one of those lists, you will receive duplicates. Please
accept my apology for that, but there's no simple way to avoid it--and you
probably need practice using your "delete" key anyway. :)

Thanks.

Bill

- ---------- Forwarded message ----------
Date: Fri, 2 Feb 1996 10:12:16 -0800
From: Dennis R. Arter
Subject: ASQC Certified Quality Auditor

====================================================================
TIME SENSITIVE

I need some advice from my cyber-colleagues around the world.

As many of you know, the American Society for Quality Control (ASQC) has a
Certified Quality Auditor (CQA) program.
From the beginning, those of us designing and maintaining that program have
had a strong desire to make it independent of any quality system standard.
In other words, a CQA should have a set of skills for any quality audit
application. It should not matter if they were working to military, medical,
aviation, automotive, or other sector-specific approaches to quality. We
resisted requests to include knowledge of ISO 9001/2/3/4 in the CQA exam. On
the other hand, we include ISO 10011 as part of the required Body of
Knowledge for a Certified Quality Auditor.

Here in the USA, achievement of the CQA designation will allow one to bypass
some of the formal training to become a third party auditor under the
Registrar Accreditation Board (RAB) rules. Most of us in a leadership
position within the Quality Audit Division of ASQC support that approach. We
are working to support a similar CQA "credit" under the new international
agreements.

The ASQC's Professional Development Council is again requesting that we (the
ASQC Quality Audit Division and the ASQC Certification Committee) consider
placing knowledge of the ISO 9000 series into our CQA exam specifications.
They are even suggesting that the CQA become equivalent to the final exam
given to those taking an accredited course for third party auditors and
assessors. They want our recommendations fairly quickly.

As vice-chair of technical matters for the Quality Audit Division, I have
been asked to coordinate this effort. If you care to contribute, please tell
me which of the following you support:

A) The CQA should not be changed
B) The CQA should include knowledge of ISO 9001/2/3
C) The CQA should become equivalent to the ISO 9000 Lead Assessor final exam

If you choose to comment publicly, please also send me your comments
privately, to make sure I don't overlook them. Those comments received by
21 FEBRUARY 1996 will be delivered to the Quality Audit Division.
You may also wish to send me your reasons for choosing A, B, or C above.

- --------------------------------------------------------
Dennis R. Arter, "The Audit Guy"        ->NEW ADDRESS<-
Columbia Audit, 6951 W. Grandridge Blvd, Kennewick, WA 99336
509/783-0377, fax/783-1115, internet: darter@mcimail.com

------------------------------

From: E-Media
Date: Sat, 3 Feb 1996 01:25:54 -0500 (EST)
Subject: Re: Am I Missing Something

You must be. I just counted 13 separate messages to the list between
yesterday and right now (01:25, 3 Feb 96). Doesn't seem that dead to me.

Bill

============================================================================
Bill Casti, CQA                     Voicemail: (800) 604-6149
Associated Quality Consultants      Fax: (703) 716-0479
Reston, Virginia                    Email: e_media@cais.com
============================================================================

On Thu, 1 Feb 1996, Schneider, Henry wrote:

>
> Hi,
>
> I subscribed to this list a couple of days ago. And as of this morning I
> have not yet received any e-mail. I got the impression from reading the
> ISO 9000 Standards Discussion group that the ISO 9000-3 group was active.
> Is it always this quiet?
>
> Henry Schneider
>

------------------------------

From: sgeorgak@ix.netcom.com (Sotiris Georgakas)
Date: Sun, 4 Feb 1996 14:06:40 -0800
Subject: Re: Qualified ISO Software Auditors

In response to the message below from Henry Schneider:

I think that anyone auditing a software company should have a basic
understanding of the software development process. I am not sure how the
Software Industry Quality Forum "interprets" this view though. Would it be
possible to share the proposed qualifications for a software auditor?

Sam Georgakas
Automatic Data Processing, Inc.
Ann Arbor, MI
Phone: 313-995-6400
Fax: 313-995-6424
E-mail: sgeorgak@ix.netcom.com

- --------------------------------------------------------------------

You wrote:
>
>
>Last January a group of software quality professionals formed the
>Software Industry Quality Forum to respond to the RAB's request for
>supplemental auditor requirements. Over the summer we wrote the proposal
>and then presented it to the RAB on 14 November 1995.
>
>In a nutshell the proposal states any ISO 9000 auditor auditing a
>software company or software component of a company must be a qualified
>software auditor. We are NOT proposing any additional ISO 9000
>requirements, a separate certification scheme, or logo. This is where we
>differ from TickIT.
>
>Unfortunately for the SWIQ the RAB did not give us a firm yes or no to
>our proposal. We are still waiting for their answer. We have a telecon
>tomorrow morning with the RAB and hopefully we will at that time get
>their official response.
>
>One question we did get from the RAB was how much support is there in the
>US software community for requiring qualified software auditors.
>
>So let me ask the list membership. For an ISO audit of your software
>division, company, etc. who would you rather have lead the ISO audit a
>qualified lead software auditor or a qualified lead (pick your industry)
>auditor? Why?
>
>Your response will be greatly appreciated.
>
>Henry Schneider
>henry@connect.fse.com
>

------------------------------

End of ISO 9000-3 Digest V1 #8
******************************