CMM-SW and ISO 9001 - The Ending of the Hero Era
18 August 2006The computer software was a hero-oriented industry. All the success stories are about several history-making figures who come with god given gift and luck. Even look at a small organization or a single project, one or couple of technical heroes were the key to the success. Other people were mentored and followers. While people still are hunting for the most talent sheep-head for their projects, a noticeable sign is becoming clear, the hero era is ending.
The new era is not a far-reaching stage shown in sci-fi channel. Just look the current Auto industries, which will be how the software is made. What you will be seeing is assemble lines that take raw materials and specification and spit out the product. What you will not be seeing is THE Process that drives the assemble line. People in the process will be no differences from bolts and nuts in the final products. There will be no hero at all.
The reality is that it’s not a trend talk either. It’s happening, not in US yet, though. Those CMM-SW level 4 and 5 certified software centers in India and China are the realities.
While people slowly accept the fact that software development should rely on process or quality system rather than key players (heroes), several such systems are shining at horizon. The talk about CMM-SW, and ISO9001 are heard around. Practices are adopted and certifications are announced. But what they are? What the relations among them and what are the differences?
CMM-SW – Capability Maturity Model for Software
There are many resources cover the history of CMM-SW. In short, the Mitre Corporation and Software Engineering Institute (SEI) started the development of CMM-SW in 1986. The version 1.0 was released to software community during 1991 and 1992. CMM-SW is a set of tools armed with maturity questionnaire that severs only one purpose, which is to improve the quality of software development process.
The maturity of an organization’s software process is measured in five levels, which is the framework of CMM-SW. There are18 key process areas that compose the five maturity levels.
Level 1 – Initial
The software process is ad hoc, even chaotic. Few processes are defined. The success depends on individual effort and heroics.
Key Process Areas:
- Competent people and heroics.
Level 2 – Repeatable
Basic project management processes are established to track cost, schedule and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
Key Process Areas:
- Project Management processes
- Requirements management
- Software Project Planning
- Software Project Tracking & Oversight
- Software Quality Assurance
- Software Configuration Management
Level 3 – Defined
Management and engineering activities are documented, standardized, and integrated into a family of standard software processes for the organization. Projects use a tailored version of the organization’s standard software processes for developing and maintaining software.
Key Process Areas:
- Organization Process Focus
- Organization Process Definition
- Training Program
- Integrated Software Management
- Software Product Engineering
- Inter-group Coordination
- Peer Reviews
Level 4 – Managed
Detailed measures of the software process and product quality are collected. Software processes and products are quantitatively understood and controlled.
Key Process Areas:
- Quantitative Process Management
- Software Quality Management
5 – Optimizing
Continuous process improvement is facilitated by quantitative feedback from the process and from piloting innovative ideas and technologies.
Key Process Areas:
- Defect Prevention
- Technology Change Management
- Process Change Management
ISO 9001 9000-3
The ISO 9000 series was published in 1987 by, obviously, the International Standard Organization. ISO 9001 is the standard for guiding software development and maintenance. It’s quality system for software development stages including design, development, production, installation, and servicing. ISO 9000-3 provides guidelines for applying ISO 9001. There are about 20 ISO 9001 Clauses that cover the process/system of this standard. They are started from Management Responsibility, Quality System, and Contract Review to Training, Servicing and Statistical Techniques.
Correlation Between CMM-SW and ISO 9001
Since both CMM and ISO 9001 is address the same issues, software development and both was developed by researching the best practices happening on the same planet, there are strong correlation and similarities between them. In the mean time, the details show that there are significant different between them too.
Here are some areas that are covered by both standards:
Management and Quality Policy
Management plays a very critical role in both standards. Clearly defined and document management responsibility and authority is the first basic requirement of ISO 9001. A quality policy should also be defined and understood up front. In CMM, everything meaningfully and constructive is start from Level 2. At CMM level 2, the management and software quality insurance start the play. But CMM does not end the emphasis of management just here. At CMM level 4, Quantitative Process Management becomes a key process area. In the ISO 9001 case, there is no measurement of management process and the quality-management is not quantified.
Software Design
ISO 9001 requires an organization to establish procedures to control and verify design. The software development life cycle, including design, coding and test, is described in CMM level 3. A design review is required by both standards. A range of options, from technical reviews to inspections, can satisfy the review defined in ISO 9001. However, in CMM, a peer reviews is specifically required. Again, the CMM extends the design process further in Level 4, in which it describes a more formal and quantitative aspects of the design process. In contrast, ISO 9001 lack of such formality.
Production Process Control
ISO 9001 requires an organization to define and plan its production process and it must continuously monitor and control the process. In the CMM, the software production process is specified in the software development plan at Level 2. At Level 3, CMM define the further integration of software production process and tools. As usual, at CMM Level 4, the quantitative aspect of control is described. The transition of applying new technology and tools is mentioned in ISO 9001 along with production process control, whereas CMM deals with it in Level 5.
Testing
ISO 9001 requires an organization to inspect or verify incoming materials before use and to perform in-process inspection and testing. Also, ISO 9001 requires good test status record keeping. The CMM addresses testing at Level 2 with configuration and Level 3 with testing practices.
Defect prevention
ISO 9001 emphasizes on prevention and eliminating the causes of non-conformities. In CMM, Software Quality Assurance at Level 2 and Defect Prevention on Level 5 are addressing the same issues. ISO 9001 is focusing on defect report and record documentation, whereas the defect Prevention in CMM Level 5 coves more broad aspect of prevention.
Servicing
Servicing activity is specified requirement in ISO 9001. In CMM, however, servicing is addressed as software maintenance through out the development process. It’s not single-out as a Key Process Area in any CMM level.
The above are a few of the related areas that covered by both ISO 9001 and CMM-SW. There are many other areas (or clauses in ISO 9001) can be mapped between these two standards.
CMM or ISO, It is a Question
CMM and ISO 9001 are preaching the same goal, Delivery What You Promised. For both standards, documentation is considered the most powerful tool to reach this goal. Every aspect of processes and activities is required to follow documented instructions, policies or guidelines.
ISO 9001 is an umbrella quality system that guides the project life cycle. Comparing to CMM, it functions at more abstract level. ISO 9001 sometimes has been compared with preparatory system integration methodologies developed by large organizations, especially the ones from big consulting firms. While some consulting firms campaign ISO 9001 certification as a marketing tools, many also try to demonstration the superior of their own methodologies.
There is a dilemma when applying ISO 9001, especially for consulting-service-staff-extension type of companies. For the large management consulting firm that crafts large scale project as major revenue stream, the large amount of documentation required is sort of cumbersome. Besides, the ISO 9001 is from a independent standard organization, under certification, there is no way of flexibility that the company could adjust or adapt it to its own best practices. Therefore, they tend to develop their own quality system or some time, adapt certain simple and flexible methodology such as, the Extreme Project (XP). It’s different story for the staff extension type of company, there are more and more such companies are actively seeking ISO 9001 certification. It is said in the industry that if you are willing to commit enough of manpower to deal with the piles of paper works, you could be ISO 9001 certified. Such saying may sounds a bit of extreme, but indeed we could easily find consulting companies market the certification heavily and as staff extension type of business, there is actually no good use of it.
It’s not saying that ISO 9001 is lack of credibility or anything like that. The ISO 9001 is developed to cover no only the software development, but also can be applied to hardware or other system development practices. It could be one of the best reference and guideline when developing a quality system that fit into the organization’s very own business practice.
As quality system, there are significant similarities between ISO 9001 and CMM-SW. There are also academic and industry advocates trying to establish exchangeable certification or guideline between these two. Some says the ISO 9001 certification is equivalent to CMM Level 1, some says Level 2 and other up to 4. But in reality, they are different animals. CMM-SW is very much focusing on software development within a stable organization. The CMM quality system is evolving from Level 1 to Level 5. The CMM system is specific developed as the measure of maturity of the software development process. It’s hard to be applied or absorbed as a business practice or merely a marketing tool. If you want build a software factory, CMM is the guide and the way.
After all, ISO 9001 or CMM, it’s NOT a question. It’s an answer. And the question should be why in June 8, 2001, the NYSE (the symbol of the capitalism) was halt the whole morning by software bug that from a software upgrade introduced in the previous night.
No comments yet
![[Valid RSS]](http://www.itcareersuccess.com/wp-content/themes/andyblue-ver-1/images/valid-rss.png "Validate my RSS feed")