> From: Pat Dey
> Subject: RE: Tick-IT & ISO 9001 /Chen/Kirk/Peter

Pat,

Since you've made some general statements about the CMM and ISO, I'd thought I'd play a little devil's advocate with you. My point throughout this response is to offer up a theme. The theme is that models really don't amount to a hill of beans as much as a desire to change. I make this statement in support of the fellow who said that all models are wrong....some are useful. I would say that all models have warts...and that the key to software process improvement (or any improvement) is wanting to improve....to deliver products better and faster...

> The strength of the CMM is its model for continuous improvement. The SEI's
> method includes, not only the process framework (the CMM itself) but the
> methods for managing improvement by involving everyone, eg, through a
> Software Engineering Process Group.

But the reality is that the CMM is a staged model that doesn't really focus on defect prevention until level 5. In addition, the SEPG can have the same problems you've referenced below with ISO auditors, in that they can end up driving an incredible bureaucracy that doesn't serve the developers or the rest of the product team.

In addition, the SEPG can't address a lack of management commitment. This is no different than a distributed model for ISO implementation that lacks true top-level support....you can have the buy-in from the troops and middle management and still fizzle.

> A TickIT certificate is somewhere around level 2/3 of the CMM - it skews
> across. the CMM has more software detail, ISO has more general business
> stuff, both useful and overlapping.

Actually, there is no true correlation between maturity levels and ISO implementation. However, it is true that there is strong support for ISO at all CMM levels, including Defect Prevention at Level 5. If one were to take a true organizational approach to an ISO implementation, then it would very much represent a level 3 organization. Both models pretty much say the same thing, whats not hows.....but one takes about 479 pages to do it.

> If an organisation is immature, the CMM offers a better strategy for
> building a QMS because it offers a sense of priority . TickIT and ISO require
> everything and can be overwhelming.

If you remove the models and look at software engineering fundamentals, you have the same problem of trying to bite off more than you can chew. A phased approach in any implementation is necessary. And I think alot has to do whether you agree with the construction of the CMM which pretty much focuses strictly on the management side at level 2 and doesn't have an engineering focus until level 3.

The simple framework that ISO offers can be phased-in on a project by
project basis, with the areas that offer the biggest bang for the buck
being addressed first.

The biggest problem I see in SPI is that folks don't have good implementation planning skills. This is the same for the CMM and ISO...and when you look at how large the CMM model is and how little has been written about how to successfully implement it.....well...the job can be daunting.

Although more commercial organizations are looking to the CMM for process improvement, it pales in comparison to the organizations that must implement or else....DoD contractors in bidding wars.

> Further, the continuous references to clauses and how auditors might
> interpret them takes ownership away from the people and gives it to
> auditors. The SEI's approach leaves ownership with those who operate the
> process, so it's better balanced, less inclined to be bureaucratic. Compare
> the discussion traffic in this List with, eg, comp.software-engineering.

The same darn problem exists in the CMM world. Don't kid yourself. Organizations face SCEs (software capability evaluations) and CBA IPIs....CMM based assessments for Internal Process Improvement. Many times the "Level Rating" is all that matters....even with the CBA IPI approach which is supposed to be a collaborative exercise for improvement. You would be surprised how many organizations coach their employees to get ready for a CBA IPI, when that is not the intent.....it's not supposed to be about the "score"....it's supposed to be about improvement.

Again....this is a management issue similar to the ISO implementation that says....let's get the certificate.....and we're done.....

> One way to approach this is to build the QMS using the SEI's CMM guidance,
> document it soundly, include a reconciliation with TickIT clauses - and add
> in the bits that the CMM does not explicitly require (eg, contract review,
> security & backups, etc).

Yes...there is a lot of information in the CMM that can assist one with an ISO implementation. I would also say that folks can also turn to the IEEE standards or ISO 12207 or other sources of information.

It's all fundamental stuff.

> Under the CMM, you can be a level 2, 3, 4 or 5 organisation (or, sadly,
> level 1).

Yes...but you could be a level 3 organization and that would mean little in many circumstances. For example, when was the organization's last assessment....3 years ago? I've been in shops that tout their level 3 profile but were behaving as level 1 (chaotic). Remember CMM ratings are not a certification scheme of any sort. There is no requirement other than individual customer or market requirements that would require you to reassess your organization.

> Under TickIT, you can be TickIT Certified. There's no measurement scale.
>
> Regards,
> Pat

Yes and TickIT is just an ISO 9001 registration, pure and simple. But the true measurement in implementing either model is whether you have a return on investment and whether it translates into better product and staying abreast of your competitors.

The companies that succeed with the CMM and ISO succeed because they aren't driven by what is in the model and they overlook the shortcomings of the models. They embrace what is good for their business and question what is unnecessary. They go beyond the models to crush their competition.

I've seen both models work effectively...and...I've seen them both fail
miserably.

The same can be said about Deming, Juran, Crosby, TQM.....

For the most part, the model doesn't matter...change does....

For some organizations models can be handy, because they can hang their failure on choosing one particular model over another.....but that's another story.....

best,
bill

> From: Satish Kumar Peter
> Subject: RE: Tick-IT & ISO 9001 /Chen/Kirk/Peter
>
> Hi,
> Greetings to you all. I have a query on Tick-IT also.
> Is continuous process improvement an issue in Tick-IT?
> CMM would be the one that offers tremendous potential for the process
> improvement.

Hi Peter,

Corrective and Preventive Action in ISO 9001 along with a few other clauses such as Control of nonconforming product map fairly closely to the Defect Prevention KPA in the CMM. ISO 9001 however, falls a little bit short of a continuous improvement requirement.

> I do not have an idea on Tick-IT certification, but the evolutionary
> model of CMM would definitely stand out as one of the best IT
> certification programs in the industry.

There is no certification scheme in the CMM. There are CMM appraisals (assessment and audits), but there is no accreditation nor certification scheme associated with the CMM. There are SEI "Authorized" Lead Assessors who have specific software backgrounds, assessment training, and assessment experience.

> The problem with the generic ISO9001 certification is the language
> itself. Though 9000-3 offers guidelines for the IT industry, the
> manufacturing centric terminology would be a stumbling block in marching
> forward.

Language is a problem with all models...The CMM language is biased toward military standards....as the DoD was the sponsor of the model. Remember, the CMM's main purpose was to act as a standard to support software acquisition....your tax dollars at work......

Please understand that all models have their warts...but if you dig a little...they all say pretty much the same thing...and a lot of it is good stuff....

I work in both models quite a bit...and the biggest difference in the two models is volume.....10 pages versus 479....but the similarities are quite striking....