Author: Nico Ondracek
https://safecubed.com/
Abstract – Certified iQMS in Polarion: End-to-End Quality Management
When being audited for compliance to quality and safety norms, many companies struggle with the fragmentation of their process landscapes and development environments across multiple tools. Using Polarion as a unified platform brings all normative requirements, processes and development artifacts into one fully consistent and auditable system.
This article explores how such an integrated Quality Management System (iQMS) can be implemented in Polarion to be fully prepared both for projects with high quality requirements and audits.
With Polarion, we achieved IRIS and ISO 9001 certification for our own quality management system—this post shows how.
Key topics: iQMS, Polarion ALM, quality management, compliance, traceability, auditability, process integration, certification
The Full Article
Introduction
Based on our many years of experience in consulting and working within the automotive and railway industries, we have consistently observed three distinct approaches to quality management:
First, standards and norms are often stored in company-wide databases or as PDF documents on network drives. While these are typically easy to access, demonstrating end-to-end traceability remains a persistent challenge and usually requires significant manual effort.
Second, company-wide processes are commonly documented in Word files or process modeling tools and then distributed as released PDFs. Although they can provide guidance during development and serve as useful references during audits, maintaining and updating them is cumbersome. Ensuring consistency across roles, processes, and artifacts is particularly difficult without dedicated tool support.
Third, development projects—covering technical requirements, system design, and verification—are often well managed in specialized tools such as Polarion. However, the overall safety case and process compliance are frequently documented outside these systems, resulting in a disconnect between project execution and company-level quality processes.
For our own quality management system, we set out to unify these fragmented approaches within Polarion—and our successful IRIS and ISO 9001 certifications demonstrate that we achieved this goal. This post outlines how we got there.
Step 1 – the standards
Although Polarion supports the import of Excel and Word files, this step can be quite labor-intensive. In practice, standards are often only available as PDFs, with inconsistent structures, wording, and types of requirements, making a straightforward import difficult.
To avoid complications later on, it is essential to carefully review the licensing model of your standards provider in advance. Depending on the terms, a full import may not be permitted, or access to imported content may need to be restricted. These aspects, however, are beyond the scope of this article.
Once the relevant standards have been properly identified and structured, you can fully leverage Polarion’s reporting and traceability capabilities. For example, you can build glossaries, extract and visualize all relevant process requirements from a given standard, and—most importantly—link these requirements to your projects. This enables you to highlight gaps for your internal teams or demonstrate to auditors that all requirements have been comprehensively addressed.
Step 2 – the quality management project
This step forms the core of our approach. Every organization operates with a mix of formal and informal processes, so our first task was to identify, consolidate, and document them. Even at our relatively small scale, we quickly realized that maintaining consistency across roles and processes using only a handful of Word documents was highly inefficient and error-prone.
Drawing from our experience in (often model-based) system and software development, we recognized that a single source of truth is essential. We therefore began iteratively developing a Polarion configuration—effectively a process meta-model—that enabled us to establish exactly that: a unified environment in which each artifact and role is defined once and reused consistently.
As a result, we created a structured set of work item types, each with clearly defined attributes and link roles. This allowed us to model process outputs, responsibilities, and dependencies in a transparent and traceable way—precisely the level of detail expected by auditors and valuable for all process stakeholders.
However, this introduced a new challenge. While static documents like PDFs may be difficult to maintain, they often include intuitive visualizations such as process diagrams. In contrast, no one wants to reconstruct an entire process mentally from linked work items alone. To address this, we implemented parameterized report pages that automatically visualize complete process information in the form of turtle diagrams (a key representation used in IRIS). With some additional effort, other diagram types can be supported as well.
Finally, we created a central process overview page that dynamically links to all individual process reports, allowing users to navigate the full process landscape easily and access information in a clear and intuitive way.
This evaluation of the process model is not limited to a process-centric view—it can be applied to any work item. For example, we can easily identify which processes a given role is responsible for and automatically generate up-to-date role descriptions. By assigning these roles to specific employees, everyone gains clear visibility into the artifacts they are responsible for—a significant improvement in transparency and accountability.
Defining processes and roles is an important first step—but it does not yet describe what these processes actually do. Processes consume inputs, utilize resources, and produce outputs. This is where the strength of the model becomes evident: each company artifact is defined exactly once within the process model. If an artifact changes—such as review checklists, audit reports, or integrations like an issue tracking system—only a single reference needs to be updated, and consistency is maintained across the entire system.
This unified structure also makes it straightforward to identify all relevant artifacts and compute the (K)PIs associated with each process—since these metrics are embedded directly within the model.
For both internal and external audits, standard Polarion QA capabilities can be leveraged. It becomes easy to identify gaps, such as requirements not linked to any process or processes without assigned roles, significantly simplifying process reviews. Finally, for documents created directly in Polarion—such as the quality policy—built-in review and release workflows, including electronic signatures, ensure compliance and proper governance.
The process logic is defined within the configuration rather than in static documents, making it independent of any specific organizational structure and inherently transferable.
Step 3 – the actual development projects
IRIS audits also require evidence that projects adhere to the defined quality management processes. To address this, our iQMS includes a dedicated Polarion project template that provides exactly what is needed for projects subject to external assessments, such as ISO 26262.
While such development projects can, in principle, be audited independently, the predefined structure and processes significantly support both project execution and assessment activities—and are consistently applied in practice.
For example, every project requires an issue tracking process. When the corresponding ISO 26262 requirements are directly linked to company-wide processes, and this traceability is clearly visualized in report pages, compliance becomes immediately evident during an assessment. As a result, no additional documentation is required—everything can be demonstrated seamlessly within a single system, without the need to switch tools.
Summary
The implementation of step 2 closes a significant gap commonly found in the process landscapes of many organizations. Our approach not only made a strong impression on our auditor—which is always valuable—but also enables us to fully leverage Polarion to continuously improve our development processes. Ultimately, this is the true objective of quality and safety standards.
Our successful certification further demonstrates that Polarion is not just a requirements management tool, but a comprehensive lifecycle management platform capable of supporting and governing company-wide processes.
Author: Nico Ondracek
https://safecubed.com/