Your SlideShare is downloading. ×
Cmmi appraisal
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Cmmi appraisal

198
views

Published on

Published in: Technology, Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
198
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. An Integrated Model of ISO 9001:2000 and CMMI for ISO Registered Organizations Chanwoo Yoo1 , Junho Yoon1 , Byungjeong Lee2 , Chongwon Lee1 , Jinyoung Lee1 , Seunghun Hyun1 , and Chisu Wu1 1 School of Computer Science and Engineering, Seoul National University {chanwoo, junoyoon, jylee, ljw, shhyun, wuchisu}@selab.snu.ac.kr 2 School of Computer Science, University of Seoul bjlee@venus.uos.ac.kr Abstract ISO 9001 is a standard for quality management systems while CMMI is a model for process improvement. If an organization that has achieved ISO registration wishes to improve processes continuously, CMMI can be a strong candidate because it provides a more detailed roadmap for process improvement. However, with respect to adopting CMMI in organizations that are familiar with ISO 9001, there are some issues that need to be resolved. For example, ISO 9001 and CMMI have different targets, intent, and quantity of detail. In this paper, we present an integrated model of ISO 9001:2000 and CMMI, which would resolve the above problems. We expect that this model will be a useful tool for ISO registered organizations aim to attain higher CMMI levels. Keywords : ISO 9001:2000, CMMI, Integrated Model, Process Improvement 1. Introduction If ISO 9001 registered organizations are not likely to implement CMMI with ISO 9001:2000 because such implementation would cause extra efforts brought about by the difference between the two. Therefore it would be a priority to identify the similarities and differences between ISO 9001:2000 and CMMI. Generally, a mapping table between standards to transition one to another is used. There is a N-N mapping (many to many mapping) between ISO 9001:2000 and CMMI[1]. N-N mappings are usually more reasonable than 1-1 mapping (one to one mapping) especially in comparing standards. But, it is not practical in the field, because when CMMI is implemented in an organization, changes in processes of the organization must be reflected in quality manual as it is a prerequisite in ISO 9001:2000. When reflecting changes in quality manual, N-N mapping may cause some confusion. It is not easy to decide where to place these changes in quality manual by using N-N mapping. A mapping close to 1-1 mapping (Later, we call it “concise N-N mapping”) would, thus, be helpful in decision making. A simple mapping between standards is not sufficient. This mapping can be complemented by additional descriptions. There are some delicate differences between ISO 9001:2000 and CMMI in terms of context. Therefore, the mapping must be explained by some description on the detailed difference between ISO 9001:2000 and CMMI. Once an organization has achieved ISO registration by satisfying the necessary requirements of ISO 9001:2000, it is relatively simple to implement ISO 9004:2000 to achieve further improvements, because ISO 9004:2000 has been developed as a complementary guideline for ISO 9001:2000 and thus share similar structures with respect to assisting their application as a consistent pair. In the same context, if there is a superset of ISO 9001:2000 and CMMI in the structure of ISO 9001:2000, it will be easy to introduce CMMI into the organization with ISO registration. In this paper, we present an ISO 9001:2000 and CMMI integrated model constructed in ISO 9001:2000 structure, in which the interpretation of N- N mapping is clearly described to eliminate confusion. Additionally, the integrated model provides an Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04) 1530-1362/04 $ 20.00 IEEE
  • 2. explanation of the differences between ISO 9001:2000 requirements and the practices of CMMI. This paper is organized as follows. Section 2 briefly explains ISO 9001:2000 and CMMI. Section 3 presents an integrated model of ISO 9001:2000 and CMMI. Section 4 discusses related work and finally, Section 5 provides some conclusions. 2. ISO 9001:2000 and CMMI 2.1. ISO 9001:2000 ISO 9001:2000 is a necessary requirement for quality management system. It is a part of ISO 9000 family that consist of ISO 9000 (fundamentals and vocabulary), ISO 9001 (requirements), ISO 9004 (guidelines for performance improvements) and ISO 19011 (guidelines for quality and environmental management systems auditing). ISO 9001:2000 is an abstract and sparse document that can be applied to any category of business. ISO 9001 could be interpreted by ISO 9000-3[2] or TickIT[3] when applied to organizations in the software industry. For every requirement in ISO 9001, an organization can choose to have two status, ‘satisfied’ or ‘not satisfied’. If every requirement is satisfied, then ISO registration is achieved. Compared with ISO 9001:2000, ISO 9004:2000 is not a requirements document, but rather a guidance document for process improvement of a greater level compared with ISO 9001:2000. ISO 9001:2000 and ISO 9004:2000 are both similar in terms of structure and terminology used to allow easy conversion from one to the other. 2.2. CMMI CMMI (Capability Maturity Model Integration) is an integrated model of many CMMs intended to achieve process improvement. CMM is a model that contains the essential elements of effective processes for one or more disciplines and describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness[4]. CMMI has two representations. One is the staged representation. The other is the continuous representation. In the staged representation maturity level of an organization ranges from level 1 to 5. In the continuous representation each process capability level ranges from 0 to 5. The staged representation is most suitable for an organization that does not know which processes need to be improved first because the staged representation offers process areas applicable to each maturity level. The continuous representation provides flexibility for selecting processes fit for achieving business goal of the organization[5]. CMMI provides 25 process areas (Process area means a cluster of related practices in an area that, when implemented collectively, satisfies a set of goals considered important for making significant improvement in that area[4]. Goals are classified as generic goals and specific goals. A generic goal describes the characteristics that must be present to institutionalize the processes that implement a process area. A specific goal describes the unique characteristics that must be present to satisfy the process area[4]. Practices are expected components for satisfying goals. Practices are classified as generic practices and specific practices. A generic practice is the description of an activity that is considered important in achieving the associated generic goal. A specific practice is the description of an activity that is considered important in achieving the associated specific goal[4]. 3. Integrated model 3.1. Purpose of the integrated model ISO 9001 requires that processes to be continuously improved even after achieving ISO registration. CMMI can be a good to an organization in the software and systems industry to achieve further process improvement, because CMMI is quite detailed and contains more concepts of ‘improvement of process’ than ISO 9001:2000. Furthermore, considering that many ISO 9001:1994 registered organizations are trying to introduce SW-CMM[6][7], it is expected that many ISO 9001:2000 registered organizations will want to adopt CMMI into their systems. As we described in the Introduction, it is simple to implement ISO 9004:2000 to ISO registered organizations because the structure of ISO 9004:2000 is similar to that of ISO 9001:2000. Therefore, it would be ideal for ISO registered organizations to adopt CMMI if the structure of CMMI is similar to that of ISO 9001:2000. 3.2. Method to make the integrated model We applied the concise N-N mapping for the integrated model while the concise N-N mapping was derived by using a N-N mapping table [1] between Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04) 1530-1362/04 $ 20.00 IEEE
  • 3. ISO 9001:2000 and CMMI. However, some changes need to be made to the mapping table. First, many practices have dependencies among one another, and the N-N mapping table does not preserve these dependencies. Therefore, we need to place dependent practices in an adequate place together. Second, the concise N-N mapping may possibly make the relationship between CMMI practices and ISO 9001:2000 requirements too simple. Thus, in order to resolve this, some additional explanations on the relationships between CMMI practices and ISO 9001:2000 requirements should be added to the integrated model. Third, granularity of the integrated model is another issue. CMMI assesses that a process area is satisfied only when all the goals in the process area are satisfied. In other words, each goal in the process area is a primitive unit to be assessed. However, if the goals in CMMI are selected for the target of the integrated model, then the relationship between ISO 9001:2000 and CMMI can become “All Match”. Therefore, practices in each process area are selected as the CMMI-side target of the integrated model. After developing a concise N-N mapping, CMMI practices were merged with ISO 9001:2000 requirements using the method in Table 1. Targets of our integrated model were CMMI-SE/SW/IPPD/SS and ISO 9001:2000. Table 1. Method for integration classified according to the correspondence types Types of correspondence Methods to integrate models When ISO 9001:2000 shall-statements (requirements) fully satisfy CMMI practices ISO 9001:2000 shall- statements are kept and the relationships between CMMI and the integrated model are recorded. When ISO 9001:2000 shall-statements can or can not satisfy CMMI practices by interpretation ISO shall-statements are modified – ISO requirements’ focus are calibrated by using square brackets ([ ]). Relationships between CMMI and the integrated model are recorded. When ISO 9001:2000 shall-statements partially satisfy CMMI practices Relationships between ISO 9001:2000 shall-statements and CMMI are recorded. When ISO 9001:2000 shall-statements do not satisfy CMMI practices, but there is an appropriate position to insert CMMI practices CMMI practices are inserted. Relationships between CMMI and the integrated model are recorded. When ISO 9001:2000 shall-statements do not satisfy CMMI practices, and there is no appropriate position to insert CMMI practices New clauses are created in the integrated model. CMMI practices are inserted and relationships between CMMI and the integrated model are recorded. 3.3. Structure of the integrated model Because we can not show the complete integrated model in this paper, we summarized the integrated model’s structure, approximately, in Table 2. The complete integrated model is available at http://selab.snu.ac.kr/Library/TechReport/ISOCMMII ntegration.html Table 2. Structure of the integrated model Integrated model’s contents CMMI 4. Quality management system 4.1 General requirements GP 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.8, 2.9, 2.10, 3.1, 3.2 4.2 Documentation Requirements 4.2.1 General OPD 4.2.2 Quality manual OPD 4.2.2.1 Organization’s set of standard process OPD, GP 3.1 4.2.2.2 Organization’s set of standard process tailoring criteria and guidelines OPD, GP 3.1 4.2.3 Control of documents IPM, GP 3.2 4.2.4 Control of records 4.2.5 Process assets management OPD, IPM, GP 3.2 4.2.6 Measurement management OPD 4.3 Decision analysis and resolution DAR 5. Management responsibility 5.1 Management commitment GP 2.10, OEI 5.2 Customer focus 5.3 Quality policy GP 2.1 5.4 Planning 5.4.1 Quality objectives OPF Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04) 1530-1362/04 $ 20.00 IEEE
  • 4. 5.4.2 Quality management system planning 5.5 Responsibility, authority and communication 5.5.1 Responsibility and authority GP 2.4 5.5.2 Management representative 5.5.3 Internal communication 5.6 Management review 5.6.1 General GP 2.10 5.6.2 Review input GP 2.10 5.6.3 Review output GP 2.10 6. Resource management 6.1 Provision of resources GP 2.3 6.2 Human resources 6.2.1 General GP 2.5 6.2.2 Competence, awareness and training OT, OEI, GP 2.5 6.3 Infrastructure GP 2.3 6.4 Work environment OEI 7. Product realization 7.1 Planning of product realization GP 2.2 7.2 Customer-related processes 7.2.1 Determination of requirements related to the product RD 7.2.2 Review of requirements to the product RD, REQM 7.2.3 Customer communication GP 2.7 7.3 Design and development 7.3.1 Design and development planning GG 2, PP, VAL, VER, PMC, GP 2.4, OEI 7.3.1.1 Establishing design and development plan GP 3.1, PP, IPM 7.3.1.2 Team composition and operation IPM, IT, OEI 7.3.1.3 Risk management RSKM 7.3.2 Design and development inputs 7.3.A Design and development process 7.3.A.1 Design and development process management IPM, REQM 7.3.A.2 Technical solution TS 7.3.A.3 Product integration PI 7.3.4 Design and development review PMC, IPM, RSKM 7.3.5 Design and development verification VER 7.3.6 Design and development validation VAL 7.3.7 Control of design and development changes CM 7.4 Purchasing 7.4.1 Purchasing process SAM, ISM 7.4.2 Purchasing information 7.4.3 Verification of purchased product SAM, ISM 7.5 Production and service provision 7.5.1 Control of production and service provision 7.5.2 Validation of processes for production the service provision 7.5.3 Identification and traceability CM, GP 2.6 7.5.4 Customer property 7.5.5 Preservation and delivery of product PI 7.6 Control of monitoring and measuring devices 8. Measurement, analysis and improvement 8.1 General 8.2 Monitoring and measurement MA 8.2.1 Customer satisfaction 8.2.2 Internal audit OPF, GP 2.9, PPQA 8.2.3 Quantitative project management QPM 8.2.3.1 Monitoring and measurement of processes MA, GP 2.8, QPM 8.2.3.2 Monitoring and measurement of product MA, QPM 8.2.4 Monitoring and measurement of product MA 8.3 Control of nonconforming product 8.4 Analysis of data MA, OPP 8.4A Measurement management OPF, MA 8.5 Improvement 8.5.1 Continual improvement OPF 8.5.1.1 Selecting improvements OID 8.5.1.2 Deploying improvements OID 8.5.2 Casual Analysis and Resolution CAR 8.5.2.1 Corrective action OPF, CAR 8.5.2.2 Preventive action CAR Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04) 1530-1362/04 $ 20.00 IEEE
  • 5. 3.4. Form The integrated model is organized as Table 3. Table 3. Form of the integrated model ISO-CMMI Integrated Model ISO CMMI Explanation ࣜࣜ ࣜࣜ ࣜࣜ ࣜࣜ ISO-CMMI Integrated Model column in Table 3 shows the contents of the integrated model, a combination of CMMI practices and ISO 9001:2000’s requirements. ISO and CMMI column shows whether or not the contents in ISO-CMMI Integrated Model column is mapped to ISO or CMMI. Explanation column gives helpful comments to understand how to adopt CMMI and the integrated model. Table 4 shows an example as a part of the integrated model. 3.5. Advice for Understanding the Integrated Model Explanation column in the integrated model describes what ISO registered organizations must do to adopt CMMI. But ISO registered organizations may implement more requirements than ISO 9001:2000 demands. Therefore the organization should first evaluate the process status of the organizations accurately. In the integrated model, granularity of CMMI is a practice and not requirements. But as we all know, one needs practice in order to achieve goals. An organization considering to adopt CMMI should consider that they have substitution for practices described in the integrated model. The integrated model includes inserted practices of CMMI which are inserted into an appropriate position. But because of the differences between ISO 9001:2000 and CMMI, the following will need to be considered. The prime goal of technical solution process area is to identify and implement solutions about product and product components, but also applied to selecting and applying processes related to products. Practices of technical solution process area are inserted into “Design and development” as it’s prime goal. In case of organizational training process area, the view of ISO 9001:2000 is different from that of CMMI. While ISO 9001:2000 is focused on the competencies of people related to products, CMMI is focused on how to provide education on an organizational level. These differences should be considered by organizations. Table 4. Partial example of the integrated model ‫ٻ‬ ISO-CMMI Integrated Model ISO CMMI Explanation 4.2.4 Control of records Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system. Records shall remain legible, readily identifiable and retrievable [as process assets]. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records. ࣜࣜ ࣜࣜ CMMI requires evidences of achieving goals. A type of evidence can be a record. Records are maintained as reports, management records, meeting minutes. These records should be stored as an appropriate type in process assets libraries. 4.2.5 Process assets management Organizations shall establish and maintain process asset libraries that contain quality management system, measurements, documents, records. OPD SP 1.5-1 Organizations shall make work products, measurements, improvement instruction, documented experiences derived from organizational activities to be contained in process asset libraries for continuous contribution to process assets. IPM SP 1. 5-1 GP 3.2 Organizations shall add data derived from projects or organizational process execution into process assets continuously. This satisfies IPM SP 1.5-1 and GP 3.2 Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04) 1530-1362/04 $ 20.00 IEEE
  • 6. 3.6. Discussion Our integrated Model is expected to be useful to ISO registered organizations that plan to adopt CMMI in two ways. First, it is expected to be useful to gap analysis. Because the model is based on concise N-N mapping and describes differences between CMMI practices and ISO 9001:2000 requirements, organizations will be able to perceive without difficulty the gap between the organizations’ status according to ISO 9001:2000 and CMMI as demonstrated by the integrated model. Second, it will help to write out a quality manual. A quality manual contains contents of a quality management system in an organization. When CMMI is introduced into an organization, process changes will need to be reflected into the organization’s quality manual. As the structure of the quality manual is generally the same as ISO 9001:2000, it will be easy to reflect the changes in organization’s quality manual by using the integrated model written in the structure of ISO 9001:2000 when introducing CMMI. Organizations can easily distinguish what is in the integrated model but not in the quality manual. An example of writing out a quality manual by using the integrated model can be summarized as follows. Table 5 shows the 4.3 clause in the integrated model. This clause contains contents of DAR in CMMI and is not contained in ISO 9001:2000. Organizations can add this clause next to the 4.2 clause in the quality manual as shown in Table 6. Table 5. Clause 4.3 of the integrated model 4.3 Decision analysis and resolution requirements An organization shall perform decision analysis and resolution for critical decision items. Selecting decision items shall conform to documented guidelines. Selected decision items shall be evaluated by evaluation criteria, appropriate alternatives shall be selected by evaluation results. Decision analysis and resolution shall contain next activities. a) Establishing and maintaining criteria for evaluation of alternatives and relative importance of criteria b) Identifying alternative solutions treating problems c) Selecting evaluation methods. d) Evaluating alternative solutions by using established criteria and methods e) Selecting a solution from alternatives based on evaluation criteria Table 6. Example of quality manual corresponding to 4.3 clause in the integrated model 4.3 Decision analysis and resolution requirements Each chief of department guarantee that formal decision analysis is performed for every important decision item. Each chief of department guarantee that selected decision items are evaluated by evaluation criteria, appropriate alternatives are selected by evaluation results. Selecting decision items conform to guidelines for selecting decision items. Decision analysis and resolution conform to decision analysis and resolution guidelines. Related documents: (1) Decision analysis and resolution procedure documents (2) Guidelines for selecting decision items 4. Related work There are fewer studies on the comparison of ISO 9001:2000 with CMMI on the comparison of ISO 9001:1994 with SW-CMM. Because of ISO 9001:2000 and CMMI, there have been less comparison done between ISO 9001:1994 and SW-CMM. But since these studies can provides hints to understanding the relationships between ISO 9001:2000 and CMMI, we present some related studies below. M.C. Paulk compared ISO 9001:1994 with SW- CMM to answer the following questions[8][9] • At what level in the CMM would an ISO 9001- compliant organization be? • Can a level 2(or 3) organization be considered compliant with ISO 9001? • Should a software-quality-management and process- improvement efforts be based on ISO 9001 or on the CMMI? This study shows that SW-CMM has more requirements than ISO 9001:1994 when ISO 9001:1994 is mapped onto SW-CMM. He further asserts that ISO 9001:1994 compliant organization should satisfy most of the level 2 and many of the level 3 goals in CMMI. Figure 3 shows ISO 9001 compliant organization’s level of satisfaction of SW-CMM. Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04) 1530-1362/04 $ 20.00 IEEE
  • 7. Figure 1. Key process area profile for an ISO 9001-compliant organization[8][9] P. Jalote proposed a way for transitioning from ISO 9001:1994 to SW-CMM level 4 based on actual organization’s experience of transitioning[10]. In this study, he pointed out that simple mapping between ISO 9001:1994 and SW-CMM are not useful to field staffs and it is useful to describe what additional things to do for typical ISO 9001 compliant organization transitioning to SW-CMM. Works on simultaneously implementing ISO 9001:2000 and CMMI have been conducted by B. Mutafelija and H. Stromberg[5]. In these works, they insisted that CMMI satisfied most of ISO 9001:2000 requirements, and so, proposed a way of introducing two frameworks simultaneously by implementing CMMI and adding new requirements for ISO 9001:2000. Figure 4 illustrates how CMMI process areas are mapped to ISO 9001:2000. For example, ISO 9001:2000’s 6th clause, resource management has some of its contents mapped onto CMMI’s OPF, OPD and PP process areas. This method focuses on CMMI organization adopting the ISO 9001:2000 rather than ISO registered organization adopting CMMI. Therefore it is not useful to ISO registered organization that intends to introduce CMMI. B. Mutafelija and H. Stromberg also studied about the mapping between ISO 9001:2000 and CMMI[1]. They explain that a mapping should be subjective and according to granularity of mapping, degree of correspondence is different. In this work, practices of CMMI are mapped to requirements of ISO 9001:2000. And mechanically inverted mapping is also provided. Figure 2. Mapping CMMI process areas according to clauses of ISO 9001:2000[5] 5. Conclusion In this paper, we proposed an integrated model by inserting CMMI practices into ISO 9001:2000 requirements. We expect that this model will be helpful to ISO registered organizations as it will allow existing ISO assets to be re-used without redundant efforts. In addition, the model will help organizations to perform gap analysis and maintain their quality manual without any difficulty when adopting CMMI. And, even if an organization does not have ISO registration but plans to adopt CMMI only, the organization will be able to implement ISO 9001:2000 and CMMI simultaneously by this integrated model. In future research, we plan to conduct experiments to confirm how effective this model will be real application.. 6. References [1] B. Mutafelija and H. Stromberg, Mappings of ISO 9001:2000 and CMMI Version 1.1, http://www.sei.cmu.edu/cmmi/adoption, July 2003. [2] Department of Trade and Industry, British Standards institute, The TickIT Guide Issue 5, London-DISC TickIT Office, 2001. [3] ISO, Quality management and quality assurance standards ˂ Part 3: Guidelines for the application of ISO 9001:1994 to the development, supply, installation and maintenance of computer software, ISO 9000-3, 1997. Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04) 1530-1362/04 $ 20.00 IEEE
  • 8. [4] M. B. Chrissis, M. Konrad and S. Shrum, CMMI ˀ Guidelines for Process Integration and Product Improvement, Addison-Wesley, 2003. [5] B. Mutafelija and H. Stromberg, Systematic Process Improvement Using ISO 9001:2000 and CMMI, Artech House, 2003. [6] M. C. Paulk, C. V. Weber and B. Curtis, The Capability Maturity Model for Software, Addison-Wesley, 1995. [7] W. Humphrey. "Characterizing the software process : A maturity framework", IEEE Software, Vol.5, No.2, pp.73-79, Mar. 1988. [8] M. C. Paulk, "Comparing ISO 9001 and the capability maturity model for Software", Software Quality Journal, Vol. 2, No. 4, pp.245-256, Dec. 1993. [9] M. C. Paulk, "How ISO 9001 Compares with the CMM", IEEE Software, Vol.12, No.1, pp.74-83, Jan. 1995. [10] P. Jalote, CMM in Practice: Processes for Executing Software Projects at Infosys (The SEI Series in Software Engineering), Addison-Wesley, 1999. Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04) 1530-1362/04 $ 20.00 IEEE

×