The title of ISO/IEC/IEEE 15289 is “Systems and software engineering — Content of life-cycle information items (documentation)”.
As the title suggests, it establishes specifications for the content of software documentation. This makes the standard ideal for:
This means that ISO/IEC/IEEE 15289:2019 is a standard that affects every organization that develops software.
The standard is aimed at people involved in software documentation in the following roles:
Responsibilities in the context of ISO/IEC/IEEE 15289
Defining the information management process
Determining the documentation requirements (and therefore the documents and their content)
Buyer (of the software)
Defining the requirements for the documentation that the manufacturer must produce
Developer (e.g., architecture, implementation, testing)
Writing the software and systems development documentation
Checking conformity with standards (ISO/IEC/IEEE 12207 and ISO/IEC/IEEE 15288 are mentioned in this regard)
ISO/IEC/IEEE 15289:2019 contains 10 sections across 86 pages.
You can download the mind map as a PDF here:
The following table gives an overview of the individual sections of the standard.
The standard wants to describe the content of all documents in a software documentation but not a management system
References to ISO/IEC/IEEE 12207 and ISO/IEC/IEEE 15288
Terms, definitions and abbreviated terms
29 definitions. But the document classes are only defined for the first time in section 7
Purpose, intended users, applicability (software systems and software projects of all kinds)
The standard can be used to check conformity with ISO/IEC/IEEE 12207 and ISO/IEC/IEEE 15288
Life-cycle data and information items
General requirements for documents and records and the difference between them. See section TODO
Generic types of information items
Overview of seven document classes and their generic content (see below)
Mapping of information items to the life cycle processes
Mapping to the standards ISO/IEC/IEEE 12207 and ISO/IEC/IEEE 15288
Specific information on records, which the standard interprets slightly differently to ISO 9000
Specific information item (document) contents
Specific guidance for individual document types, e.g., “software architecture description”
In section 6, ISO/IEC/IEEE 15289 describes the general requirements for documents:
The Johner Institute recommends creating specific documentary requirements in work instructions and checklists for the document review. For example, for a software requirements specification, checking whether the runtime environment has been defined based on the hardware and operating system (including version) should be explicitly required.
Additional requirements for documents at the meta-level are:
ISO 15289 is not specifically about document control. Read more on the topic of document control here to comply with the requirements of ISO 13485, among others.
c) Content requirements
ISO 15289 establishes the requirements for specific documents at two levels:
In section 10, ISO/IEC/IEEE 15289 describes a total of 74 document types, such as Release Plan or System architecture description. The standard splits all these document types into seven document classes. However, it does not use the term document class, preferring to use the term Generic type of information items.
Representation of a planned or actual function, service, product, component, etc.
Software architecture, service catalog, operational concept
Defining when and how specific processes or activities will be carried out and by who
V&V plans, software development plan, risk management plan
Defining the top-level aims of an organization to achieve specific goals
Quality policy, risk policy (although is not specified by ISO 15289)
Detailed definition of when and how a certain process, a certain activity or task should be carried out, including, if applicable, the tools
Instructions for use, test instructions, SOP on processing complaints
Description of the results of activities
Test report, problem report, incident report, review minutes
Information to ask for a response or reaction
Change request, customer satisfaction survey, RFP (request for proposal)
Requirements for a service, product or process
Contract, software requirements specification, SLA
The standard specifies the generic content for each of these document classes. Therefore, for example, a document in the “Description” class must contain at least the following information:
Section 10 of ISO 15289 then adds additional content for each specific document. For example, a software architecture, which falls into the “Description” document class must also contain:
In addition to the documents and document classes (Generic types of information items), ISO 15289 also refers to Records. However, the standard understands the term records slightly differently to ISO 9000 and, as a result, also uses the terms records of data and data records.
These data records are more reminiscent of raw data in databases, registers or repositories. Records as defined by ISO 15289 contain the factual data (e.g., lists of test results in a test database) that are then turned into records as defined by ISO 9000.
A (final) test report would, therefore, already be a record.
ISO 15289 also establishes the standard content for records
For these records, ISO 15289 maps to the requirements of ISO/IEC/IEEE 12207 and ISO/IEC/IEEE 15288 in the same way as it does for documents.
Medical software developers who follow IEC 62304 can also benefit from the specifications of ISO 15289. To do this, it is necessary to map the content required by IEC 62304 onto the document types listed in ISO 15289.
Section of IEC 62304
Documents according to ISO 15289
Section of ISO 15289
Software development plan
Project management plan
Software risk management planning
Risk management plan (not 100% equivalent)
Information management plan
Information management procedure
Software configuration management planning
Configuration management plan
Configuration management procedure
Software requirement analysis
System requirements specification
If necessary, interface description
Re-evaluate medical device risk analysis
Risk action request
Verify software requirements
Example mapping of IEC 62304 and ISO 15289
ISO 15289 is not just helpful for development documentation according to IEC 62304 section 5. It also provides an overview of additional life-cycle documents, some of which IEC 62304 only lists rudimentarily in sections 7 to 9.
ISO/IEC/IEEE 15289 is a useful standard:
Established companies can also benefit from the standard, particularly if their documentation processes have become a bit chaotic over the years with redundant or superfluous content.
The Johner Institute helps medical device manufacturers whose devices contain software or are software create legally compliant software and review before audits. Get in touch with us (e.g., via our web form) to find out how you can establish lean, precise and compliant documentation that will make you shine in audits and reviews.
Auditgarant contains a comprehensive set of templates for software documentation to ensure compliance with ISO 62304 and ISO 13485 and avoid problems during medical device authorizations.