Sesam Software Quality Management System Quality Handbook

Reference 1001

0 – Introduction
1 – Scope
2 – Normative Reference
3 – Terms and Definitions
4 – Quality Management System
    4.1 – General Requirements
    4.2 – Documentation Requirements
5 – Management Responsibility
    5.1 – Management Commitment
    5.2 – Customer Focus
    5.3 – Quality Policy
    5.4 – Planning
    5.5 – Responsibility, Authority and Communication
    5.6 – Management Review
6 – Resource Management
    6.1 – Provision of Resources
    6.2 – Human Resources
    6.3 – Infrastructure
    6.4 – Work Environment
7 – Product Realization
    7.1 – Planning of Product Realization
    7.2 – Customer Related Processes
    7.3 – Design and Development
    7.4 – Purchasing
    7.5 – Production and Service Provision
    7.6 – Control of Monitoring and Measuring Devices
8 – Measurement, Analysis and Improvement
    8.1 – General
    8.2 – Monitoring and Measurement
    8.3 – Control of Nonconforming Product
    8.4 – Analysis of Data
    8.5 – Improvement
Appendix: Cross Reference Between Documents and Standard

0ba06801094ecc04e443924b2fac6ab1.doc 1 / 12

0 – Introduction

This publicly available document is the quality handbook of Sesam Software giving detailed information about its ISO 9001:2008 based quality management system.

Sesam is a software company providing solutions for businesses since 1990. Our vision is to build secure, scalable, flexible, functionally rich and device independent applications so that our customers can gain a competitive edge in today’s challenging world.

Between 1990 and 1999, Sesam had produced a number of custom solutions for its clients in a wide range of industries by using the client/server technology as well as providing consulting services. During 2000, Sesam went through a major reorganization to meet the requirements of new technologies and chose the Internet as the only application platform and n-tier object oriented technology as the only development platform for its solutions. After development of an in-house application framework called Turkuaz, Sesam became a software house not only producing web-enabled applications but also using the Internet platform as its internal development environment.

Detailed and up-to-date information about the company as well as an electronic copy of this document can be obtained at www.sesam.com.tr.

1 – Scope

Sesam produces Internet-based software solutions for local and international businesses.

In order to produce these solutions, we perform three core processes: analysis, implementation and provision. We utilize the analysis process in order to identify and review the product requirements and to conduct the communication with the customer. This process is a key one in achieving the customer satisfaction which is the base of our quality policy. After this process, we utilize the implementation process in order to implement a product based on the product requirements prepared during the analysis process. In the last phase of the realization, we utilize the provision process in order to provide an implemented product to the user community.

Although each process mentioned here can be considered as producing a separate stand-alone product, we normally realize our products in a full manner by performing all three processes in a sequential and cyclic way.

Our quality management system covers all sections of the ISO 9001:2008 standard without any exception.

2 – Normative Reference

ISO 9001:2008 standard provides the base for our quality management system.

3 – Terms and Definitions

The terms and definitions of the ISO 9001:2008 standard are completely followed in this quality handbook and other documentation in our quality management system.

4 – Quality Management System

4.1 – General Requirements

Our quality policy is based on achieving customer satisfaction and in order to support that policy we started to implement a quality management system in 2004 in line with the requirements of the ISO 9001:2000 standard. The first step was the establishment and documentation of the system, which is detailed in section 4.2. After completing this step and conducting extensive trainings in our organization, we successfully deployed the system and obtained the certification by Det Norske Veritas (DNV) in early 2005. In 2010, we upgraded our system to ISO 9001:2008, which was certified by LRQA.

We make sure that the system is applied properly in the whole organization by conducting internal audits every year. Management review meetings we hold every six months compare the results of the system with the objectives set for that period and suggest improvement activities and enhanced objectives in order to continuously improve the system.

During the setup phase of the quality management system, we determined three core processes which create the immediate difference for our customers: analysis, implementation and provision. These processes follow each other in our product realization period and the output of each process is accepted as input by the next process. Each process is documented in a detailed manner so that activities to be performed and responsible people to perform these activities are clearly known. These documents also specify the performance indicators for the processes so that quantitative objectives can be set and evaluated against the monitored data. The management representative is the owner of all processes and he is responsible for making sure that process activities are properly performed and that the performance data needed to evaluate the process efficiency is collected in a timely manner. His responsibilities cover the processes and activities outsourced to suppliers as well.

4.2 – Documentation Requirements

Documentation supporting our quality management system consists of five categories.

1. This quality handbook is the root of all documents in the system. It describes our quality policy and quality management system in a clear manner and contains the references to detailed documents. As such, it is not only intended as an entry point to our system for our employees but also as an introductory document for external entities like potential customers and employees. It is maintained by the management representative and approved by the general manager to be published. This document is available at www.sesam.com.tr.

2. Process documents describe the processes and their activities in a detailed manner with the associated performance indicators. Quality handbook document keeps the references to those documents in its relevant sections. They are also maintained by the management representative and approved by the general manager before being published.

3. Procedure documents describe the procedures and their activities in a detailed manner. These documents cover the areas which are important for our quality management system but do not create an immediate difference for our customers. They are constructed in a similar way to the process documents with the exception of performance indicators. Quality handbook document keeps the references to those documents in its relevant sections. They are also maintained by the management representative and approved by the general manager.

4. Generic documents cover all types of documents necessary for proper realization of our quality management system and products like external standards, periodic quality objectives, instruction manuals, project plans, product requirements, etc. Process and procedure documents keep the references to these documents in their relevant sections as well as defining who will be maintaining and approving them before they are published.

5. Records cover all types of documents necessary for proper tracking of our quality management system and our products like corrective activity records, preventive activity records, meeting minutes, etc. Process and procedure documents keep the references to these records in their relevant sections as well as defining who will be creating and approving them before they are published.

All the documentation in Sesam is kept in electronic environment and all internally produced documentation is in electronic format. If some external documentation happens to be in a physical format, we perform the necessary activities to convert it to the electronic format before adding to our documentation, e.g. scanning a hand-written training certificate issued to an employee of ours. A weekly backup scheme is in place to save two copies of the complete documentation set in two separate locations. As it is very efficient to keep the documentation set in electronic environment, no documents or records are ever destroyed in the system.

Electronic documentation set is managed by an internally developed software product called SesamDMS (Documentation Management System). It is based on a large tree of folders containing all the documents and records utilized by the quality management system and the products. Each user is assigned access rights to a certain scope in this tree as well as functional rights on what he can do in that scope, e.g. creating a record, approving a document, moving a file, etc. It is also possible to create users for our customers so that they can benefit from a central documentation media especially related to their products. As the system is available on Internet, it is possible to reach the documentation anytime anywhere.

DMS has very strict rules for publishing documentation. Each new document or record must have two electronic signatures to be published. If an existing document is being updated, there must be a short description of the modification’s nature in addition to the signatures. All the changes to a document are tracked and logged with the old versions so that the full life cycle of a document can be retraced. Records are frozen once they are published and it is possible to set up a workflow if they require some follow-up action. As an example, it is possible to set up a workflow for a corrective activity record to be created, analysed, implemented and closed with deadlines defined for each stage.

Handling of distribution lists for documents and records is also performed automatically by DMS. When a new document or record is published in a folder or an existing document is re-published, a list of users whose scopes cover the folder is constructed and associated with the file. It is the responsibility of these users to utilize the system to electronically sign that they are informed about the file. DMS tracks the date and time of each individual signature. Users can also query the system to filter the documents and records updated by certain operations in a certain timeframe. DMS supports extensive query capabilities so that users can search and find groups of documents and records satisfying certain criteria, e.g. documents waiting for approval, preventive activity records waiting to be closed, etc.

There is a document and record control procedure as part of the quality management system related to the documentation requirements.

5 – Management Responsibility

5.1 – Management Commitment

Sesam management is dedicated to the proper application and continuous improvement of the quality management system. Both general manager and management representative take active part in defining the quality policy and periodic goals, in improving processes and procedures, and in management review meetings. They also make sure that necessary resources for the quality management system are allocated in a timely manner.

5.2 – Customer Focus

Sesam is a customer oriented company taking pride in listening to its customers, in detailed collection of their requirements, in extensive enrichment of those requirements by adding its own expertise and in meeting contracted requirements fully in order to achieve customer satisfaction. Our quality policy is simply based on achieving customer satisfaction.

5.3 – Quality Policy

We strive to achieve customer satisfaction by delivering software products meeting the contracted requirements which are compiled in a timely manner from initial customer requirements and enriched by our expertise in business and technology.

We strictly observe the laws, regulations and ethical rules in all our undertakings and recognize our responsibilities for the society we are living in.

We make sure that implementation and continuous improvement of our quality management system is the major responsibility of everyone in our organization.

F. Tayyar Öncü General Manager

5.4 – Planning

Each process in Sesam is associated with performance indicators which can be expressed in a quantitative manner. Based on these indicators, management review meetings produce quality goals for the upcoming period. The management representative closely follows up on the indicators and collects the performance data during the period, and achievements are compared with the quality goals in the next management review meeting. If the goals are met, more aggressive goals are set for the next period. If the goals are not met, the quality management system is studied in depth and improvements are planned and applied in an integrated and consistent manner.

5.5 – Responsibility, Authority and Communication

Responsibilities for different roles in Sesam are clearly defined in the process and procedure documents. Our organization is based on a project oriented approach and project teams are constructed around our products. Each project team consists of one or more software engineers as team members and one of those engineers plays the project leader role. All project leaders report to the projects manager. Therefore when we talk of the responsibilities in different documents, we always refer to one of those 5 positions: general manager, management representative, projects manager, project leader and team member. Relations of these positions to each other and names of people filling these positions can be found in the organization chart document.

The management representative position has overall responsibility for proper application and continuous improvement of the quality management system. This position is currently occupied by Osman Ataker.

The documentation management system is the base for storing and sharing all documentation in Sesam and therefore provides a very efficient communication environment for both our staff and the people on the customer side of our projects.

5.6 – Management Review

Management review meetings are normally held every six months in Sesam and there can be some extra meetings if the necessity arises. General manager, management representative, projects manager, all project leaders and team members take part in these meetings.

Different types of inputs are provided to the meeting by the management representative like quality goals for the last period, performance data about process indicators, customer feedback, status of corrective and preventive activities, results of internal audits, potential opportunities and threats for the company and enhancement suggestions for the quality management system.

After the detailed discussion of the inputs by the meeting participants, different types of outputs are produced like quality goals for the next period, new corrective and preventive activities to be carried out, training plans for human resources, resource allocations for extra tasks and a meeting minutes record. This record is prepared by the management representative and approved by the general manager.

6 – Resource Management

6.1 – Provision of Resources

Sesam is dedicated to providing all necessary resources in terms of personnel, equipment and knowledge in order to support its quality policy and achieve its quality goals.

6.2 – Human Resources

We recognize our employees as our most important asset and establish a technical and intellectual environment where they can achieve their full potential not only by developing and using existing skills but also by obtaining new ones. Our employees are proud of the quality their company is delivering and they take active part in shaping the quality policies, processes and procedures.

Sesam has a very detailed recruitment procedure which guarantees that its employees have the sufficient education, training, skill and experience when they join the company. The first step in recruitment is the job announcement in a recruitment site. We accept all the applications via Internet and no alternative forms like letters or faxes are accepted. Once the applications are collected, CVs are evaluated and failed candidates are informed with an e-mail. Successful candidates are invited for a personal interview and evaluated against seven different criteria. The candidates failing at this stage are informed via an e-mail and successful candidates are invited for a 3-day workshop in Sesam offices. At the end of this workshop, candidates are evaluated against another set of seven criteria and successful ones are offered a position in Sesam.

Newcomers starting to work in Sesam attend a one-month training course in the company during which they are trained not only on our application development framework Turkuaz but also on the quality management system. Internal and external trainings continue after the first month so that our employees can obtain new skills and improve their existing skills. These activities are followed up by the management representative to make sure that intended results are achieved by training programs.

Documentation management system helps us in storing employee related information.

6.3 – Infrastructure

Sesam utilizes object oriented analysis, design and development methods throughout the full lifecycle of software projects. The hybrid in-house methodology is a combination of the best parts of the modern techniques in use today and is supported by an in-house application development framework called Turkuaz that holds the whole process together. Turkuaz serves as the knowledge base shared by all the project teams, enforces the technical architecture principles and generates interfaces and code for the development team. As such it is an important asset of Sesam and is recognized and financially supported by Tübitak (The Scientific and Technical Research Council of Turkey) as a research and development project.

Regardless of the functionality they offer, all applications developed using Turkuaz consist of four layers of objects handling the different responsibilities. This architecture is an enhancement of SmallTalk MVC and achieves a high level of encapsulation and separation of the implementation from the interface. Four layers separate the user interfaces, use cases (scenarios), business logic and data neatly from each other and they communicate with each other via well defined protocols. This architecture not only raises the software quality to a new level but also makes it possible for large teams consisting of different roles to cooperate in the most productive way.

The interface generators of Turkuaz let designers create their solutions without the involvement of any developer. Given the specifications of the controllers they will use, designers use the in-house built XML to construct their interfaces and then use the generators to produce the server and client components automatically. This way they can design one interface and produce several component combinations without any developer intervention.

Code generators read the knowledge base created by the project team to automatically generate the source code of the application. The knowledge base acts as the application metadata (dictionary) and knows about the object architecture in every layer. All the property and method details of each and every class in the system as well as their relationships are kept in the metadata with the necessary documentation. Team members access this base with a web-enabled application which allows for location independent and continuous access to the project resources. As a matter of fact, even the application managing Turkuaz is built and generated by Turkuaz itself which shows the versatility and power of the environment.

While Turkuaz is the major infrastructure element, Sesam also utilizes other infrastructure elements, which are standard equipment like personal computers, networking hardware, operating systems and software development tools. These are all no-maintenance and industry-standard elements that can immediately be replaced or restored from a backup in case of a failure.

6.4 – Work Environment

The Sesam office is designed to provide an efficient and modern environment for its employees so that they can maximize their productivity. The office is located in the city business center with several transportation options. Each employee has at least 20 m² office space in an open-office layout and a desk equipped with a networked computer having permanent Internet connection. There is also a library and a fully equipped training and meeting room for research and development purposes.

7 – Product Realization

7.1 – Planning of Product Realization

Sesam has a well-defined way of realizing products by performing analysis, implementation and provision processes in a sequential manner. All these processes are explained in the following sections and detailed in the related process documents. Each product realization cycle is closely followed up with a project plan which is constructed at the end of the analysis process when the product requirements are documented and signed with the customer.

7.2 – Customer Related Processes

Sesam utilizes the analysis process in order to identify and review the product requirements and to conduct the communication with the customer. This process is a key one in achieving the customer satisfaction which is the base of our quality policy.

We start this process by studying the customer requirements document prepared by the customer in advance. If this document does not exist, we run a number of customer visits to get an understanding of their business and their requirements.

Once we collect the customer requirements, we start to hold a number of analysis meetings with the customer to review them. In these meetings, we study their requirements in depth, enrich them with our relevant expertise in business and technology, make sure they are in line with laws, regulations and business ethics and finally come up with a consistent set of expectations from the product. Each analysis meeting produces a meeting minutes record which specifies the areas discussed and the decisions taken with the supportive reasoning.

All the decisions taken in the analysis meetings and the base customer requirements are brought together in a product requirements document. This document is reviewed and approved by the customer and becomes the base document for the final product. Based on the agreed product requirements document, a proposal is prepared for the customer detailing the timing, product delivery milestones, resources and budget necessary for the product’s implementation and provision. Once a proposal is accepted by the customer, we sign an agreement and start with the implementation of the product.

Documents and records produced during this process are stored and shared by the documentation management system which can be accessed by the project team members and people on the customer side. This option creates an environment where communication of all the details is handled in an efficient and up-to-date manner.

There is an analysis process document as part of the quality management system related to the customer related processes.

7.3 – Design and Development

Sesam utilizes the implementation process in order to implement a product based on the product requirements document prepared during the analysis process.

We start this process by studying the product requirements document and holding a number of design meetings based on this document. We study the requirements in depth and come up with an integrated set of classes and implementation decisions for the product. Each design meeting produces a meeting minutes record which specifies the areas discussed and the decisions taken with the supporting reasoning.

All the decisions taken in design meetings are brought together in design specification documents in the form of class diagrams, state diagrams, algorithms, prototypes and similar structures. Depending on the complexity of the product, some or all of these documents can be produced by the process. These documents are reviewed, verified and validated by the project leader.

We start the development by creating the base definition of the product in our application development framework Turkuaz. All the elements of a product like packages, classes, properties, methods and relations are defined based on the class and state diagrams produced under design specification documents.

When the base is defined in Turkuaz, we use our code generator to produce the standard functions we reuse in all our products and start to write the product-specific code in special templates created by the generator. We design the product interfaces in Turkuaz environment as well and use the interface generator to prepare the final user interfaces. Finally we build the database that will support the product based on the class diagrams of the design specification documents.

All the team members are responsible for performing the steps above and when they are done with the coding, interfaces and database, they start to verify the product against the product requirements document. When they are finished with the first level verification, they hand over the product to the project leader. The project leader runs another set of tests as well as an audit of the product and validates it by creating a product release record. Once this record is approved by the projects manager, the product is ready for deployment with the necessary components like classes, interfaces and database scripts.

There is an implementation process document as part of the quality management system related to the design and development.

7.4 – Purchasing

Purchasing is not a fundamental activity in our processes as we are not buying project specific materials or services during the realization of our products but rather using the standard tools which are part of our infrastructure. The only exception to this is the outsourcing of hosting activity which is part of our provision process. The company to provide this service is selected from the major national Internet service providers by the general manager and projects manager based on site visits and evaluations. The company performance is closely followed up by the management representative based on the performance indicators defined in the provision process.

7.5 – Production and Service Provision

Sesam utilizes the provision process in order to provide an implemented product to the user community.

We start the provision process by hosting the product which provides the physical surrounding necessary for the service. Servers, data storage and backup units, networking equipment, generators, uninterrupted power supplies, air conditioners and protection facilities against natural hazards are the basic physical needs for the provision of any software product. Hosting locations must also have the backup solutions for the possible failure scenarios of these resources.

It is also very important to provide security for a product and its database. Hosting locations need to implement the necessary security measures against physical threats like theft and sabotage as well as cyber threats like hackers and viruses. As we are not organized to provide professional hosting services to our customers, we always outsource this function to a national Internet service provider unless the customers take the responsibility for hosting their products themselves.

Once we start to provide the product by hosting, it becomes crucial to monitor the performance of the overall system and to make sure that it is within the limits set by the product requirements. Overall performance is based on the efficient functioning of logic and data components of the products. We make sure that performance data is regularly collected and analysed by the project teams supporting the products. They are also responsible for scheduling regular maintenance activities to prevent the performance from degrading to an unacceptable level.

Products constantly process and gather data which must be carefully backed up and stored against the disaster scenarios. We perform periodic backup operations based on the frequency dictated by the product requirements in order to save copies of the latest data in at least two different physical locations.

There is a provision process document as part of the quality management system related to the production and service provision.

7.6 – Control of Monitoring and Measuring Equipment

As we are not realizing physical products, our verification and validation mechanisms mostly rely on intellectual activity rather than some monitoring and measuring equipment. The only exception to this is the software “equipment” we are using to measure the performance level which is a performance indicator for the provision process. This equipment is a standard component which is embedded in all our products automatically by Turkuaz. As a software component, it is verified and validated by the Turkuaz project team in accordance with our quality management system rules and does not need any further control until a new modification.

8 – Measurement, Analysis and Improvement

8.1 – General

Sesam is fully aware that performing the three step cycle of monitoring and measuring the performance data, analysing the collected data against the quality policy and goals, and finally introducing improvements based on the analysis results is the only way to successfully implement and continuously improve our quality management system.

8.2 – Monitoring and Measurement

As the base of our quality policy, we pay special attention to monitoring and measuring customer satisfaction. All the negative and positive customer feedback is stored in our documentation management system and closely followed up by the management. The number of corrective activity records triggered by customer feedback is measured and used as a performance indicator for our processes. Before each management review meeting, the projects manager runs a number of focus group sessions with our customers in order to evaluate their overall satisfaction with our products and services and to understand their expectations. There is a customer feedback procedure document as part of the quality management system related to customer satisfaction.

The process and procedure documents in our quality management system documentation clearly indicate the activities to be performed and the roles responsible for performing them. It is the responsibility of our management representative to make sure that these directives are properly followed. Our documentation management system gives us a big advantage in tracking these through its document tracking, workflow management and query capabilities. Other than this continuous auditing, the management representative runs an internal audit every year spanning all the processes in the whole organization and reports the results in the next management review meeting. There is an internal audit procedure document as part of the quality management system related to this topic.

All our processes are associated with performance indicators, and the performance data related to those indicators is collected by the management representative with the help of the documentation management system. One typical indicator is the corrective activity records created during the provision phase of our products, which can be triggered by our customers or project team members. The performance data collected is presented in the management review meetings against the quality goals set for the previous period.

Each product is associated with a product requirements document before the implementation phase and this document is used for the acceptance and release of our products. Any deviation found during the provision phase is marked with a corrective activity record and followed up by the project leader. These records are also collected as performance data and presented in the management review meetings.

8.3 – Control of Nonconforming Product

Each product is associated with a product requirements document and it is the responsibility of the whole project team to make sure there is no deviation from the requirements specified in these documents. During the implementation phase, team members are responsible for performing unit and integration tests to make sure that the developed product is in line with the requirements. Project leaders inspect what the team members produce and run another round of tests to verify and validate the products.

In case of a nonconformity, if it is not possible to correct the situation in line with the timing of the project plan, the project leader contacts the customer to check the possibility of releasing the product with some missing requirements for that delivery milestone. Agreement with the customer must be in accordance with laws, regulations and business ethics. If the customer does not agree to the product release with missing requirements, the scheduled deployment is postponed.

Once the necessary steps are taken to apply the solution to correct the nonconformity, project team members perform the verification and validation activities again. Whether the product is released with missing functionality or the deployment is postponed, a product release record is prepared by the project leader and approved by the projects manager in order to validate the product to be released.

There is a nonconforming product control procedure document as part of the quality management system related to this topic.

8.4 – Analysis of Data

Sesam is fully aware that monitoring and measuring all the performance data detailed in the sections above is only the beginning of a more crucial activity called analysis of data. Management review meetings are the primary events where the performance data is analysed against the quality goals, while the management representative is responsible for continuously analysing the data to be able to spot alarming situations and call for an emergency meeting.

8.5 – Improvement

Sesam is fully aware that analysis of data detailed in section 8.4 is also an intermediate stage for a more crucial activity called continuous improvement of the quality management system. Management review meetings are the primary events where the performance data is analysed against the quality goals and suggestions are made either to improve the quality goals or to improve the core processes and resources in order to meet the current goals.

Improvement activities fall into one of two categories: corrective and preventive. Corrective activities are designated to correct non-conforming behaviour either in our products or in our processes, while preventive activities are designated for a potential non-conformity which is expected to appear in the future.

Independent of the type of activity, we always apply the same workflow in Sesam. We study and identify the solution to be applied, we implement the solution, we follow up on the results of the activity to make sure that we obtained the expected outcomes and finally we close the activity. This entire workflow is stored and tracked in our documentation management system to be shared by the management, project teams and customers.

There is an improvement activity procedure document as part of the quality management system related to this topic.

Appendix : Cross Reference Between Documents and Standard

Document                                   Standard
Analysis Process                           7.2
Implementation Process                     7.3
Provision Process                          7.5
Customer Feedback Procedure                8.2.1
Document and Record Control Procedure      4.2.3 and 4.2.4
Improvement Activity Procedure             8.5.2 and 8.5.3
Internal Audit Procedure                   8.2.2
Nonconforming Product Control Procedure    8.3
