Tridion's journey towards ISO 9001

Sergey Trofimov 20 Sep 2023 7 mins
RWS ISO 9001 security quality management
Interestingly, I could not find a simple definition of a Quality Management System (QMS) in the ISO 9000 family of standards, instead a definition is built hierarchically from simple concepts like requirement, system, and organization (see ISO 9000 - Fundamentals and vocabulary).
 
In simple terms a QMS is a set of interrelated or interacting activities and processes within an organization that allow it to satisfy customer requirements. It is accepted in the industry that to do this consistently an organization must have a certain level of rigor in what it is doing.
 
An ISO 9001 certification is confirmation by an independent 3rd party that an organization has established a QMS, which meets the requirements of the standard (in simple terms - in a proper way). 

Why? 

Customers and prospects, especially those in Regulated Industries, generally expect a QMS and an ISO 9001 certification, which is often stated explicitly in RFPs and supplier quality assessments. To address this, achieving ISO 9001:2015 certification became a formal objective of Tridion Product Development in May 2022.
 
An ISO 9001 certification proves to prospective customers that ‘we know what we are doing’ as a supplier and ticks the checkboxes required by their internal procedures and regulators. It is also a way to stand out from less ‘mature’ competitors.
 
Internally, formal certification is a way to streamline processes and potentially a ‘big stick’ to enforce best practice consistently.

Orientation

We knew that parts of the RWS Group were already ISO 9001 certified, so we reached out to the colleagues to get the two main questions we answered:
  • Should we establish a new QMS for Tridion Product Development organization or join an existing one?
  • Should we hire an external consultant to help us on the journey?
After several discussions we have decided to join the RWS Group QMS. The RWS Group QMS covered the Language Services division primarily that became part of RWS during the SDL acquisition, just like the Tridion organization, so it was a much better fit for Tridion in terms of infrastructure and processes. Moreover, the QMS was managed by a dedicated Group Quality team, who offered to support us on the journey, so no external consultants would be needed.
 
The chosen approach was a ‘scope’ (which activities the QMS covers, e.g., ‘language services’) extension of the RWS Group QMS focusing on Tridion Product Development, namely ‘the design, development, release and maintenance of content management software.’ This way we could focus on the product development activities in the scope extension and leverage the already established processes (e.g., internal audits, recruitment) and documentation in the QMS for the other ISO 9001:2015 requirements.

Plan and first impressions

Because of this focus on the product development aspects the extra compliance-related effort for Tridion Product Development staff members was very achievable:
  • Describe the development process at a high level – the Tridion Software Development Life Cycle (SOP – Standard Operating Procedure)
  • Undergo an internal audit by the Group Quality team and implement any recommendations 
  • Undergo an external audit by NSAI and implement any recommendation
  • Receive the certificate 
‘Very achievable’ was my first impression about ISO 9001:2015 requirements: the expectations generally made sense, even though sometimes the terminology used was not familiar. Even in relation to documentation requirements, the most feared area, the ISO 9001:2015 required little explicitly and left the rest to be ‘determined by the organization as being necessary for the effectiveness of the quality management system’ (see ISO 9001:2015, section 7.5.1), i.e., ‘document as much as appropriate to our situation’ – perfectly reasonable. Previous ISO 9001 editions, before 2015, may have been less forgiving, but I have not looked at them.
 
Besides any possible extra documentation requirements, we were confident that the rock-solid Tridion product development processes would already meet the bar.

Tridion Software Development Life Cycle SOP and SAFe

In Tridion Product Development, we use Scaled Agile Framework (SAFe) for the overarching department-wide processes and Scrum at the team level. While there are mixed and sometimes negative views on SAFe in the industry, we use the framework as a toolbox and not a dogma. We find it very useful for establishing clear roles and responsibilities, communication cadence, and dependency resolution for features cutting through multiple teams. And of course, continuous improvement is included as standard at every level. SAFe also helps in answering questions about our development process on RFPs.
 
Partially due to SAFe, the Tridion development processes were already established and relatively easy to describe in the SOP. The challenge was describing the important product development processes, while preventing ‘calcification’ of the continuously evolving team-level processes in the spirit of Agile development. The approach we took was to allow some level of flexibility in the teams by describing the development process at a sufficiently high level.

Internal audit

When the draft SOP was ready, we went through an internal audit with the members of the RWS Group Quality team. Having regular internal audits is one of the ISO 9001:2015 requirements. The main purpose of this one was to confirm that we ‘live’ the processes as described in the SOP. We received several minor findings as a result, which we were happy to implement, but we were good to go for an external certification.

External audit and certification

The external audit was scheduled for May 31, 2023, with NSAI, our external certification body. We went through the audit with flying colors (= with no non-conformities, opportunities for improvement, or observations).
 
On August 25, 2023, we received the certificate.
 
Getting formally certified is an independent recognition of all the hard work we put in over the years to establish development processes allowing us to consistently deliver quality products to customers. It's a proud moment in Tridion's long history!
 
If you'd like to learn more about the certification, read the press release.    
Sergey Trofimov
Author

Sergey Trofimov

Senior Development Manager at Tridion
Sergey Trofimov is a Senior Development Manager at Tridion. From July 2022 he is responsible for coordinating the compliance activities of the Tridion Product Development department. 
Before that Sergey served as a SAFe Release Train Engineer (RTE) and Release Manager of Tridion Sites.
All from Sergey Trofimov