News
Most of our work doesn’t make headlines, which is usually a good sign.
Still – some things are worth sharing. You can find them here.
IQMS goes live!
With our intelligent, integrated information security and quality management system, we successfully passed our IRIS and ISO 9001 certification. Explore how it works.
Many management systems create overhead instead of clarity.
In many organizations, management systems are not used during daily work but are simply created for display during audits. Processes are documented, evidence is collected and audits are prepared – but the work happens alongside development, not as part of it.
As a result, these systems often add effort without significantly improving how products are actually built.
Safety, security and quality are integral parts of development.
They must be visible at any time – not only during audits, but during daily work.
It must be clear what is implemented, how quality is ensured, who is responsible and where evidence is generated.
This requires a structure where development, quality management and compliance are aligned.
One system – one consistent reality
In our approach, there is no distinction between a system for development and a system for audits. Developers, project leaders and quality management all work on the same system.
Requirements, processes and artifacts are directly connected.
The system always reflects the current state of development and auditability follows naturally from this structure.
With our approach, quality is not separated from development.
It is part of our safety culture and embedded in the way we work.
A single source of truth for processes
We apply the logic of Model-Based Systems Engineering (MBSE) to the management system itself.
Instead of maintaining multiple documents, a common model manages each task, role, artifact and template. Each model element exists exactly once and is consistently reused.
Responsibilities are explicitly assigned, and quality-relevant elements are directly linked to their context. The model provides different perspectives on a consistent structure: roles carry clear responsibilities, processes are linked to their required artifacts, and requirements are directly realized through their implementation.
How this is implemented in practice
This structure is realized directly within the company’s ALM system, using Polarion.
Normative requirements – for example from IRIS, ISO 9001 or IEC 62443 – are represented as dedicated work items and linked to process work items, which form the core structure of the management system. Depending on the context, these processes can exist at company level or within specific projects.
A key design decision was not to model elements such as roles or outputs as simple attributes of a process. While this might seem straightforward, it would require constant administrative changes whenever new work products are introduced and would prevent these elements from carrying their own structure and properties.
Instead, roles, artifacts, assets, tools and process steps are modeled as independent work item types and are explicitly linked to processes. This creates a flexible and extensible structure without duplication.
Parametrized report pages are used to generate role-specific and process-specific views, allowing all relevant information to be presented in a structured and accessible way without maintaining separate documentation.
In addition, standard Polarion quality assurance mechanisms are applied to the system itself. Missing links, incomplete coverage of requirements or inconsistencies can be identified and evaluated directly within the system and used in reviews and audits.
As development and quality management are not separated, the system is actively used instead of being maintained in parallel.
It remains consistent, easy to update and directly relevant for daily work.
Built for real use
Using this approach, we established a consistent management system for IRIS (ISO 22163) and ISO 9001 with reasonable effort – without external consulting or creating additional documentation structures. Activities such as separate process documentation, retrospective traceability or audit preparation were largely unnecessary.
The same system, extended into projects
The same system is used directly in development projects.
When new requirements arise, for example from IEC 62443, they are integrated into the existing structure. If they align with existing processes, they can be linked immediately. If not, project-specific processes are added using the same model.
In both cases, implementation and compliance remain directly connected.
There is no transition between management system, project execution and audit preparation.
Everything happens within the same structure.
This enables continuous transparency, immediate traceability and auditability without leaving the system or creating additional artifacts.
The first internal project for which we employ this system is EMBAR – a safe and secure embedded architecture. We will provide more insights into our first product in our next post.