Subject: Re: Q: CMMI in Software/Sheehan/Pfrang
Date: Mon, 24 Aug 1998 10:43:46 -0600
From: ISO Standards Discussion

From: (Doug Pfrang)
Subject: Re: Q: CMMI in Software/Sheehan/Pfrang

The CMMI can be found at: SEI Home

As the name suggests, Capability Maturity Model deals with the "maturity," or the level of control, of the software development processes of a firm; i.e., a greater level of "maturity" means (roughly) a greater level of control.

This relates to ISO-9000 in that the Model provides a possible framework for implementing process improvement: first you determine which level of "maturity" your firm currently fits into (according to the detailed descriptions of each level), and then you look at the description of the next higher level to see what you must improve in your existing processes to bring your firm up to the standards of the higher level. This analysis helps you plan and prioritize a series of logically sequenced process improvements related to your software development activities. Accordingly, you can use the CMMI as a tool to:
- provide guidance for quality planning,
- improve design control procedures,
- identify potential corrective and preventive actions,
- develop agenda items for management review meetings,
- etc.

Thus, ISO-9000 tells you "what" you have to do in your quality system, CMMI gives you a tool to help you figure out "how" to do it.

-- Doug Pfrang


Subject: Re: Q: CMMI in Software/Sheehan/Lessman
Date: Mon, 24 Aug 1998 11:02:30 -0600
From: ISO Standards Discussion
From: Robert Lessman
Subject: Re: Q: CMMI in Software/Sheehan/Lessman

For an excellent comparision of the requirements of CMMI and the requirements of ISO 9000 in the area of software deveolopment, I would urge you to read this well-written site:

MKS Web Site (http://www.mks.com) - Link was: /solution/si/2134.htm - CMMI Information

Although SEI and ISO have no direct affiliation, they are both seeking very similar goals. The ISO 9000-3 Guidlines for Software Development can be viewed as a subset of CMMI requirements. The objectives are strikingly similar. ISO 9000 has more to do with supplier review criteria, as its perspective. The CMMI perspective is to define good project managment in-house and is not really intended as a supplier review model.

The owners of the CMMI model - See the SEI Home Page (http://www.sei.cmu.edu)
tele: 703 818-5137
--
Robert Lessman, (ASQ) CQA #16411

One more:

From: Pat Dey
Subject: Re: Q: CMM in Software/Sheehan/Dey

The CMM is a model of the maturity of a software development organization. Its development was sponsored by the US Department of Defense, to promote process improvement, to give organizations a strategy for doing so, and to provide a measure of organizational maturity.

Using the CMM to define software process improvement strategy is an excellent way of building an ISO 9001 software development organization, because it gives a rationale for prioritizing the action plan. Each level defines a set of practices, and you mature by addressing the levels in numeric order. For example, it places Reviews at level 3 because most organizations starve reviews of the necessary reviewing time until they understand planning and tracking (time) properly, practices they introduce in level 2.

There have been one or two papers comparing CMM and ISO 9001. Very broadly and crudely, the CMM includes more guidance on software development detail, whilst ISO 9001 has a broader business basis. ISO 9001 certification slews across CMM levels 2 and 3.

The European SPICE initiative (http://www.isospice.com/standard/is15504.htm) is working on merging these standards in order to get the best from both.

Hope this helps.
Pat

EDIT NOTE: Site has undergone major revision.

[This message has been edited by Marc Smith (edited 29 December 1999).]

Here's another source for CMM info:

Subject: Re: CMM/ISO in Software/Sheehan/Deibler
Date: Thu, 10 Sep 1998 11:44:16 -0600
From: ISO Standards Discussion

From: Bill Deibler <ssqc@concentric.net> Subject: RE: CMM/ISO in Software/Sheehan/Deibler

> From: "John Sheehan"

Can anyone on the list please give me some information regarding to "CMM" in software development and how (if at all), it relates / compares to ISO9000. I understand that CMM stands for Capability Maturity Model. I am looking for as much info. as I can get on the subject, and as usual with any plea for help I am in a mad rush for it.

> Thanks > John Sheehan --------------------

Hi John,

Bob Bamford and I recently had an article published that directly relates to your inquiry. The topic is hybrid multi-model software process assessments (CMM/ISO) and was published in CrossTALK - The Journal of Defense Software Engineering magazine. The article and other software process improvement articles are freely available online from the publishers of CrossTALK.

An abstract on the paper and links to the article follow:

Abstract --------

Hybrid Multi-Model Assessment (HM2) - When the CMM Meets ISO 9001 Robert C. Bamford and William J. Deibler II

Faced with governments transitioning to commercial standards and with business pressures to expand into new lines of business, many software engineering organizations are faced with adapting CMM - and ISO 9001-based systems for compliance with the other model. At the same time, many small and medium-sized software engineering organizations are exploring methods to exploit these models - ISO 9001 and the CMM - for process definition and improvement. While significant work has been done in defining methods for implementing each model, there is a lack of cost-effective tools and methods to evaluate and compare the models for selecting the most appropriate model or for planning the transition between the models.

This article outlines a strategy and methods for employing formal appraisals to determine which model - or which elements from either model - offer the most value for a particular software engineering organization. The article is illustrated with examples from the authors experiences in guiding software engineering organizations in examining and selecting the most appropriate model for software development.

Keywords ISO 9001, CMM, Assessment, Process Assessment, Process Improvement, Comparison, Process, Standards, Software, Software Development

CrossTalk Magazine
The main page listing the articles for September.

Dead link: http://www.stsc.hill.af.mil/crosstalk/1998/sep/bamford.pdf - The PDF URL for the article

Dead link: http://www.stsc.hill.af.mil/crosstalk/1998/sep/bamford.html - The HTML URL for the article

Hope you find the article useful. You might also want to check out an article we published in IEEE COMPUTER in October 1993 on comparing and contrasting the CMM and ISO 9001 for software. It's in the standards section of the magazine.

Sincerely, Bill
Bill Deibler <ssqc@concentric.net>

I've been reading thru a number of these CMM articles. They have some good thoughts for manufacturing, as well. Anyone else out there look thru any of the articles?

Does anyone have articles or documents regarding companies' journey through the levels of SW-CMM (Capability Maturity Model for Software)? Articles or docus which include the costs, the people directly invloved, and the time it took could help immensely. HELP!

WHICH ARE THE AGENCIES WHO CALIBRATE THE SOFTWARE ONE HAS DEVELOPED? WHAT CERTIFICATE THEY PROVIDE? WHAT ARE COMMERCIALS INVOLVED?

Originally posted by tong:

Does anyone have articles or documents regarding companies' journey through the levels of SW-CMM (Capability Maturity Model for Software)? Articles or docus which include the costs, the people directly invloved, and the time it took could help immensely. HELP!I found a few back a year or more ago - but can't recall them. Have youy been to the CMM site? Go to www.sei.cmu.edu/cmm/cmms/cmms.html (http://www.sei.cmu.edu/cmm/cmms/cmms.html)

Originally posted by PRASHANT:

WHICH ARE THE AGENCIES WHO CALIBRATE THE SOFTWARE ONE HAS DEVELOPED? WHAT CERTIFICATE THEY PROVIDE? WHAT ARE COMMERCIALS INVOLVED?Please, don't 'shout' with all capitals. Hurts my eyes!

As far as I understand it, your company 'calibrates' its own software. There is no agency I am aware of which provides 'certificates'.

Dear Sir

I would like to know whether there is any time gap required before an organisation goes in for CMM level 5 certification.

We have already been recommended for ISO 9001:2000 certification. My question is that can we go in for CMM level 5 assessment in 9 months from now?

Is there any time stipulation that from the date of implementation of quality system 18 months should lapse for going in for CMM level 5 assessment

Readers can you help me please

Originally posted by venkat
Dear Sir

I would like to know whether there is any time gap required before an organisation goes in for CMM level 5 certification.

We have already been recommended for ISO 9001:2000 certification. My question is that can we go in for CMM level 5 assessment in 9 months from now?

Is there any time stipulation that from the date of implementation of quality system 18 months should lapse for going in for CMM level 5 assessment

Readers can you help me please

When I attended CBA-IPI (CMM-based Assessment for Internal Process Improvement) [now called "SCAMPI"] training at the SEI in 1996, two aspects were stressed: the existence of a verifiable "quality system" (those words were not used explicitly, they are my paraphrase into ISO 9xxx language), and more importantly, strong evidence that the documented practices are indeed "institutionalized".

There are no explicit time requirements, but in general, we were taught that to be institutionalized, all the processes must have been executed end-to-end at least once (more is better), not just "we plan to do this". At least this is how I performed assessments from '95 to '98.

PERSONAL OPINIONS FOLLOW:

Theoretically, there is nothing preventing a software organization from being assessed at level 5 in its first assessment, but I have to admit that I am somewhat suspicious of it.

I'm also sensing a certain "grade inflation" here: not so long ago, the industry was desperate for "level 3 out of the box"; now we're looking for "level 5 in 9 months".

Further, the people I have met from level 5 organizations (in North America -- note that at least one of them did NOT wish to have their results made public, for competitive reasons) have all said that reaching level 5 was a "side effect" of their commitment to quality, customer and employee satisfaction, management visibility, etc., and was NEVER an explicit goal.

Anyway, Mr/Ms Venkat, in your case, I would recommend contacting a local SEI-approved "Transition Partner" (see http://www.sei.cmu.edu/collaborating/partners/partners-tech.html ) who can help answer your questions.

Good luck!

Dear Sir

Now that the CMM is going to change to CMMI si there any deadline fixed by SEI. Moreover the number of auditors who are authorised to do CMM assessmengts are less they do not follow uniformity in assessment. Unklike ISO the auditors in CMM are some what crazy and after spending too much money of the company make remark that they have not complied with soa nd so key process areas. Is there any guideline available

Anybody can give their please

In India may I know apart from KPMG and QAI is there any other organisation who are doing this activity

venkat said:

Dear Sir

Now that the CMM is going to change to CMMI si there any deadline fixed by SEI.

<...>

In India may I know apart from KPMG and QAI is there any other organisation who are doing this activity

After a short visit to the SEI's website (http://www.sei.cmu.edu), I do not see anything about a deadline for migration from the Software CMM to CMMI.

As for assessors, you are correct, there are only a few who are so far certified for CMMI (called "SCAMPI"), but there is a relatively rich list of certified SW CMM assessors (called "CBA-IPI") in India beyond KPMG and QAI. Look here (http://www.sei.cmu.edu/managing/assessors.html#II) .

It seems that you have had a particularly negative experience with the CMM. That's a shame.

Bruce

Dear Sir

We have been recommended for ISO 9001:2000 certification. We intend to go in for CMMI level 5. I dont say that I had negative experience with CMM. What I want to bring to the notice is that there are only handful of persons who are doing this assessment and it is their call, unlike ISO where we have a number of certification bodies. You have quoted that " That's a shame" I dont understand as to why I should feel ashamed. The system is like that

venkat,

I wasn't saying that you personally need to be ashamed of anything.

And personally I find it regrettable that "the system is like that".

In any case, congratulations on your ISO 9001:2000 certification; at that point, any CMM assessor worth his/her salt will agree that you exhibit at least the characteristics of SW-CMM level 3. And the reputable assessors with whom I have worked have told me that the moment they walk into an organization that is truly level 5, they can "smell it in the air" (please note, this is only a metaphor, I am not suggesting that there is some fragrence that should be diffused in the building to improve one's chances of obtaining a level 5 evaluation).

If any particular lead assessor behaves in a non-objective or arbitrary manner (which seems to be what is worrying you), s/he risks losing his/her certification. The SEI does (or at least did) take very seriously the idea of maintaining objectivity. Their goal is that *any* lead assessor going into the same organization should produce identical results.

On the other hand, if an organization chooses their lead assessor solely on the basis of their chances of being assessed at level N, then they DO have a reason to be ashamed (in my view).

You see, what I regret is that CMM levels, which were originally designed as nothing more than indications of progress, have turned into objectives for their own sake. (Kind of like the grade chase associated with getting into medical school.) I know that these situations exist, but it saddens me anyway.

Best regards,
Bruce

Now that the CMM standards are getting changed to CMMI I would like to know the assessment procedure. In what way the procedure is going to change (or) the procedure is same and the process areas are more and whioch means that we need to comply with many things to get assessed.

Also I would like to know the names of the persons in India who do CMMI consulting and assessment. I checked the sitee- sei.cmm.edu and found a couple of names only. I thought that the details are not updated. I kindly request the forum members to post the names of the persons in India who does consulting and assessment for CMMI

Hi Guys,

I believe that more than running for the certification it is important that an internal process improvement is crucial. Whatever certification one goes for .... be it CMM or ISO or 6 Sigma, it is important we understand the objective - which is to internally get your processes in place... so if you find the easy way out by going in for either CMM or ISO, at the end of the day we should realise that by finding shortcuts in our processes, we are fooling ourselves and these governing bodies are just going to certify us based on the processes that we set

Venkat,

You may write mannu.thareja@wipro.com
he is a black belt , and quality coordinator in a CMM 5 organisation. You would certainly find some information thru' him.

p thareja

at the SEI in 1996, two aspects were stressed: the existence of a verifiable "quality system" (those words were not used explicitly, they are my paraphrase into ISO 9xxx language), and more importantly, strong evidence that the documented practices are indeed "institutionalized".

Theoretically, there is nothing preventing a software organization from being assessed at level 5 in its first assessment, but I have to admit that I am somewhat suspicious of it.

I'm also sensing a certain "grade inflation" here: not so long ago, the industry was desperate for "level 3 out of the box"; now we're looking for "level 5 in 9 months".

Further, the people I have met from level 5 organizations (in North America -- note that at least one of them did NOT wish to have their results made public, for competitive reasons) have all said that reaching level 5 was a "side effect" of their commitment to quality, customer and employee satisfaction, management visibility, etc., and was NEVER an explicit goal.

Good luck!


I agree with Mr Bruce Epstein observation. assessment to CMM 5 level perhaps pre-demands that the seeking organisation benchmarks one's operations, so as to assure implementation of so called "institutionalized" systems. In the absence of which the confidence of operating in a cost effective manner is not established. { perhaps that's the reason CMM-5 organisations wish to hide their benchmarkable data, as quoted by your goodself}

Software industry deserves this valued perk / control (of CMM c/f ISO 9 k for SW) over one's processes/ operations, perhaps for the very nature of operations. It is understandable that here perfect documentaion ("institutionalized documentaion") is vital. since this and only this can save the organisation's inputs and efforts, in case of in-process/ post product realisation product review. After all when the coding guy packs up his mind for next morning / assignment, who the **** can decipher that? The solution has been engineered.

The thread is vital to clarify doughts, and let venkat be proud.

p thareja

I was playing around and found this:
http://www.sei.cmu.edu/pub/documents/94.reports/pdf/tr12.94.pdf
A Comparison of ISO 9001 and the Capability Maturity Model for Software

M. Paulk

Technical Report
CMU/SEI-94-TR-012

Important: The Software CMM is being phased out and will no longer be supported by the SEI. For more information, see Sunset of the Software CMM - http://www.sei.cmu.edu/cmmi/adoption/sunset.html

Abstract: The Capability Maturity Model for Software (CMM), developed by the Software Engineering Institute, and the ISO 9000 series of standards, developed by the International Standards Organization, share a common concern with quality and process management. The two are driven by similar concerns and intuitively correlated. The purpose of this report is to contrast the CMM and ISO 9001, showing both their differences and their similarities. The results of the analysis indicate that, although an ISO 9001-compliant organization would not necessarily satisfy all of the level 2 key process areas, it would satisfy most of the level 2 goals and many level 3 goals. Because there are practices in the CMM that are not addressed in ISO 9000, it is possible for a level 1 organization to receive 9001 registration; similarly, there are areas addressed by ISO 9001 that are not addressed in the CMM. A level 3 organization would have little difficulty in obtaining ISO 9001 certification, and a level 2 organization would have significant advantages in obtaining certification.
Has anyone been following any of this?

Just picking up on this subject Marc at work.

The link in your post was great, however is there now an updated report comparing CMM to ISO9001:2000 - I imagine that some of the key gaps are now filled by the 2000 standard ?

You can find a CMMI vs. ISO 9001: 2000 comparison here:

http://www.sei.cmu.edu/cmmi/adoption/comparisons.html

It was mentioned in another thread on the cove.

Tom