ISO%209000%20and%20SEI%20CMM

1
ISO 9000and SEI CMM
2
What ISO 9000 Mandates

• The requirements for a quality system have been
  standardized - but many organizations like to
  think of themselves as unique. So how does ISO
  90012008 allow for the diversity of say, on the
  one hand, a "Mr. and Mrs." enterprise, and on the
  other, to a multinational manufacturing company
  with service components, or a public utility, or
  a government administration?
• The answer is that ISO 90012008 lays down what
  requirements your quality system must meet, but
  does not dictate how they should be met in any
  particular organization. This leaves great scope
  and flexibility for implementation in different
  business sectors and business cultures, as well
  as in different national cultures.
• -- ISO

3
Insuring Compliance

• The standard requires the organization itself to
  audit its quality system to verify that it is
  managing its processes effectively - or, to put
  it another way, to check that it is fully in
  control of its activities.
• In addition, the organization may invite its
  clients to audit the quality system in order to
  give them confidence that the organization is
  capable of delivering products or services that
  will meet their requirements.
• Lastly, the organization may engage the services
  of an independent quality system certification
  body to obtain an ISO 90012015 Certificate of
  Conformity. This last option has proved extremely
  popular in the market-place because of the
  perceived credibility of an independent
  assessment.
• -- ISO

4
ISO 9001 Contents

• Section 4 General Requirements
• Section 5 Management Responsibility
• Section 6 Resource Management
• Section 7 Product Realization
• Section 8 Measurement, Analysis and Improvement

5

• ISO 90003
• Section 7 - Product Realization
• 7.1 Product Realization Planning
• 7.2 Customer Processes
• 7.2.2 Review of Software Product Requirements
• 7.2.2.1 Review Product Requirements related to
  Customer Contract
• 7.3 Software Design and Development
• 7.4 Purchasing Parts and Components
• 7.5 Product and Service Provisions
• tracking builds, deliveries, releases
• 7.6 Monitoring and Measuring

http//www.praxiom.com/iso-90003.htm
6

• ISO 90003
• Section 8 - Measurement, Analysis, and
  Improvement
• 8.1 Carry out remedial processes
• Plan how monitoring, measuring, and analytical
  processes will be used to demonstrate conformity.
• Use monitoring, measuring, and analytical
  processes to demonstrate conformance.
• 8.2 Monitor and measure quality
• 8.2.1 Monitor and measure customer satisfaction.
• 8.2.2 Plan and perform regular internal audits.
• 8.2.3 Monitor and measure quality processes.
• 8.2.4 Monitor and measure product
  characteristics.
• 8.3 Control your nonconforming software products
  
• Prevent the delivery or use of nonconforming
  software products.
• 8.4 Analyze quality information
• 8.5 Take required remedial actions

http//www.praxiom.com/iso-90003.htm
7
9001 Required Documents

• Quality Policy
• Control of Documents
• Control of Records
• Internal Audits
• Control of Nonconforming Product / Service
• Corrective Action
• Preventive Action
• These may go in a single "Quality Manual".

http//en.wikipedia.org/wiki/ISO_9000
8

• Quality Policy
• intended for all levels of employees
• linked to business plan, marketing plan, customer
  needs
• measurable objectives
• Records
• allows problems to be traced back to causes
• includes
• test results, customer comments, etc.
• actions taken to improve
• Internal Audits
• is the system working?
• what improvements can be made?

9
Reality Check

• Does ISO 9001 actually improve software quality?
• independent studies indicate yes
• ISO 9001 creates a climate of quality
• or is this a self-selecting group that only
  applied for ISO certification because they were
  already interested in and doing QA?

10
Not always a good idea

• Good business judgment is needed to determine
  ISO9001's proper role for a company.
• Is certification important to the marketing plans
  of the company? If not, do not rush to
  certification.
• Even without certification, companies should
  utilize the ISO 9001 model as a benchmark to
  assess the adequacy of its quality programs.
• -- Frank Barnes

11
CapabilityMaturityModel
12
CMM History

• 1986 - Effort started by SEI and MITRE
  Corporation
• assess capability of DoD contractors
• First version published in 1991
• closely related to TQM
• goal is customer satisfaction
• not required that customer be "delighted"

13
Some Fundamental Ideas

• Process improvement is based on small steps,
  rather than revolutionary innovation.
• CMM is not exhaustive or dictatorial.
• CMM focuses on processes that are of value across
  the organization.

14
Levels

1. Initial
2. Repeatable
3. Defined
4. Managed
5. Optimizing

http//www.estylesoft.com/pictures/cmm_level3.CCC6
E28B8902407D8B1AA608D92EF004.gif
15
Level 1 The Initial Level

• ad hoc, sometimes chaotic
• overcommitment leads to a series of crises
• during a crisis, projects abandon plans
• capability is characteristic of individuals, not
  the organization
• when a good manager leaves, the success leaves
  with them

16
Level 2 The Repeatable Level

• Planning is based on experience with similar
  projects
• past successes can be repeated
• Policies for Managing and Implementation
• installed basic management controls
• track costs and schedules
• notice and deal with problems as they arise

17
Level 3 The Defined Level

• Standard Processes defined across the
  organization and used by all projects
• standard set of roles, activities, quality
  tracking, etc
• each project uses a tailored version of this
  standard process
• Training Program is in place to ensure everyone
  has the skills required for their assigned role

18
Level 4 The Managed Level

• Quantitative Quality Goals
• for both Products and Processes
• Organization-wide Process Database
• meaningful variations in process performance can
  be distinguished from random noise
• actions are then taken to correct the situation
• Products are of predictably high quality

19
Level 5 The Optimizing Level

• Organization has the means to identify weaknesses
  and strengthen the process proactively
• teams analyze defects to determine their cause,
  and disseminate lessons learned throughout the
  organization
• major focus on eliminating waste
• e.g. reduce amount of rework

20
Defect prevention Technology change
management Process change management
Key Process Areas by maturity level
Quantitative process management Software Quality
Management
Organization process focus Organization process
definition Training program Integrated software
management Software product engineering Intergroup
coordination Peer Reviews
Requirements management Software project
planning Software project tracking and
oversight Software subcontract management Software
quality assurance Software Configuration
management
This is a somewhat handy hierarchy of
activities.
21
Don't skip levels

• For example,
• collecting detailed data (level 4) is meaningless
  unless the data is from projects that use a
  consistent process (level 3)

22
Level Comparison - Risk

• Level 1
• Just do it
• Level 2
• problems are recognized and corrected as they
  occur
• Level 3
• problems are anticipated and prevented, or
  impacts minimized
• Levels 4 and 5
• sources of problems are understood and eliminated

23
Level Comparison - People

• Level 1
• success depends on individual heroics
• fire fighting is the way of life
• Level 2
• success depends on individuals
• efforts are supported by management
• Level 3
• people are trained for their role(s)
• groups work together
• Levels 4
• strong sense of teamwork in every project
• Level 5
• strong sense of teamwork across the organization
• everyone does process improvement

24
Level Comparison - Measurement

• Level 1
• ad hoc (if any) data collection and analysis
• Level 2
• individual projects use planning data
• Level 3
• data collected for all processes
• data shared across projects
• Levels 4
• data standardized across the organization
• Level 5
• data used for process improvement

25
Defect prevention Technology change
management Process change management
Key Process Areas by maturity level
Quantitative process management Software Quality
Management
Organization process focus Organization process
definition Training program Integrated software
management Software product engineering Intergroup
coordination Peer Reviews
Requirements management Software project
planning Software project tracking and
oversight Software subcontract management Software
quality assurance Software Configuration
management
26
Software Project Planning Goals

• Goals
• Software estimates are documented for use in
  planning and tracking the software project.
• Software Project activities and commitments are
  planned and documented.
• Affected groups and individuals agree to their
  commitments related to the software project.

27
Software Project Planning1. Commitment to Perform

• Commitment 1 -- A project software manager is
  designated to be responsible for negotiating
  commitments and developing the project's software
  development plan.
• Commitment 2 -- The project follows a written
  organizational policy for planning a software
  project.

28

• This policy typically specifies that
• The system requirements allocated to software are
  used as the basis for planning the software
  project.
• The software project's commitments are negotiated
  between
• the project manager,
• the project software manager, and
• the other software managers.
• Involvement of other engineering groups in the
  software activities is negotiated with these
  groups and is documented.
• Affected groups review the software project's
• software size estimates,
• effort and cost estimates,
• schedules, and
• other commitments.
• Senior management reviews all software project
  commitments made to individuals and groups
  external to the organization.
• The project's software development plan is
  managed and controlled.

29
Software Project Planning2. Ability to Perform

• Ability 1 -- A documented and approved statement
  of work exists for the software project.
• Ability 2 -- Responsibilities for developing the
  software development plan are assigned.
• Ability 3 -- Adequate resources and funding are
  provided for planning the software project.
• Ability 4 -- The software managers, software
  engineers, and other individuals involved in the
  software project planning are trained in the
  software estimating and planning procedures
  applicable to their areas of responsibility.

30

• The statement of work covers
• scope of the work,
• technical goals and objectives,
• identification of customers and end users,
• imposed standards,
• assigned responsibilities,
• cost and schedule constraints and goals,
• dependencies between the software project and
  other organizations,
• resource constraints and goals, and
• other constraints and goals for development
  and/or maintenance.
• The statement of work is reviewed by
• the project manager,
• the project software manager,
• the other software managers, and
• other affected groups.
• The statement of work is managed and controlled.

31
Software Project Planning3. Activities Performed

• Activity 1 -- The software engineering group
  participates on the project proposal team.
• Activity 2 -- Software project planning is
  initiated in the early stages of, and in parallel
  with, the overall project planning.
• Activity 3 -- The software engineering group
  participates with other affected groups in the
  overall project planning throughout the project's
  life.
• Activity 4 -- Software project commitments made
  to individuals and groups external to the
  organization are reviewed with senior management
  according to a documented procedure.
• Activity 5 -- A software life cycle with
  predefined stages of manageable size is
  identified or defined.
• Activity 6 -- The project's software development
  plan is developed according to a documented
  procedure.
• Activity 7 -- The plan for the software project
  is documented.
• Activity 8 -- Software work products that are
  needed to establish and maintain control of the
  software project are identified.
• Activity 9 -- Estimates for the size of the
  software work products (or changes to the size of
  software work products) are derived according to
  a documented procedure.
• Activity 10 -- Estimates for the software
  project's effort and costs are derived according
  to a documented procedure.
• Activity 11 -- Estimates for the project's
  critical computer resources are derived according
  to a documented procedure.
• Activity 12 -- The project's software schedule is
  derived according to a documented procedure.
• Activity 13 -- The software risks associated with
  the cost, resource, schedule, and technical
  aspects of the project are identified, assessed,
  and documented.
• Activity 14 -- Plans for the project's software
  engineering facilities and support tools are
  prepared.
• Activity 15 -- Software planning data are
  recorded.

32
Software Project Planning4. Measurement and
Analysis

• Measurement 1 -- Measurements are made and used
  to determine the status of the software planning
  activities.
• Examples of measurements include
• completions of milestones for the software
  project planning activities compared to the plan
  and
• work completed, effort expended, and funds
  expended in the software project planning
  activities compared to the plan.

33
Software Project Planning5. Verifying
Implementation

• Verification 1 -- The activities for software
  project planning are reviewed with senior
  management on a periodic basis.
• Verification 2 -- The activities for software
  project planning are reviewed with the project
  manager on both a periodic and event-driven
  basis.
• Verification 3 -- The software quality assurance
  group reviews and/or audits the activities and
  work products for software project planning and
  reports the results.

34
and on it goes
The full lists of activities can be found
at http//www2.umassd.edu/swpi/sei/tr25f/tr25.html