ISO9001:2000和能力成熟度模型的集成
ISO9001:2000和能力成熟度模型的集成
ISO9001:2000and the Capability Maturity Model®Integration
原作者: Angela Tuffley and Terence P.Rout
Software Quality Institute,
Griffith University;
Mark Stone-Tolcher and Ian Gray,
Defence Materiel Organisation,
Australian Department of Defence
译者:Kwan,落日沉鱼
日期:2009-12-28
【E测中国翻译团队作品】
摘要
为保障客户购买产品及服务的质量,企业不仅需获得ISO9001:2000认证,而且要按照系统及软件工程(System and Software Engineering)的能力成熟度模型集成(CMMI)评估标准执行。
此文章阐述的检测方法是由软件质量学会、格里菲斯大学、国防物资委员会及澳大利亚国防部共同参与,这些机构评审了由卡内基梅隆大学软件工程学院的Mutafelija和Stromberg (2003,2004)两人提出的两项检测标准:ISO9001:2000标准及CMMI 1.1检测标准,以上标准现阶段仍然有效。检测目的在于判定,若产品符合CMMI或SCAMPISM的评估标准,是否能证明其同样完全符合ISO9001:2000认证标准,并证明过程域的能力及/或组织成熟度,从而降低了企业为了满足客户不同要求,进行两项评估及审查的成本。
文章不仅记录了该计划检测方法的设想及详细结果,还强调需关注CMMI评估中未达到ISO9001:2000标准的相同条目。另外,为了搜集足够的证据来获得ISO9001:2000认证,文章还提出了CMMI评估及附言中所必须涵盖的一套过程域及能力等级的方案。
简介
国际标准ISO9001明确规定了一个高质量管理体系所必须具备的条件,自从80年代后期,这一标准已成为了大多数企业确认他们的供应商商品及服务质量保证的一种机制。这种机制在全世界范围内被广泛的应用,在欧盟采用并促进了各成员国边境地区商品的自由贸易后,该标准更加流行了。尽管该标准的目的在于提供商品及服务上的质量保证,但在近几年,它更多关注于制造的产品而非客户的需求。
某些需要特别考虑的情况,例如那些开发软件的企业。针对这种情况开发了一些过程评估模型,其中最著名的是在1993年发布的软件能力成熟模型 1.1版(SW-CMM)。SW-CMM是由美国国防部赞助,由卡内基梅隆大学的软件工程协会开发的。SW-CMM集中关注利用等级(包括1-5 5个等级)来持续改进过程,以及通过企业在开发软件时的过程能力来评估企业成熟度。这种方法是由完全质量管理(Total Quality Management)演变而来的,灵感来自于W. Edward Deming, Joseph Juran 和Phillip Crosby (Deming 1986, Juran1988, Crosby 1979)合著的作品。他们所提倡的观点是,一个产品的质量主要取决于生产该产品的过程的质量。
SW-CMM最初在美国采用的时候,它之所以能推广起来,是因为当时美国国防部要求软件承包商必须获得能力成熟度3级(已定义级)才能竞争国防部的采购项目。而最终的结果就是这些承包商的改进了产品质量,增强了生产力,减少了开支并增加了客户的满意度。这一结果也鼓励了那些在国防领域以外的企业去采用SW-CMM。这一现象在印度尤其明显,经过一段时间的努力,他们的产品质量和美国一样取得了巨大的进步。这也推动了为其他领域开发更多的能力成熟度模型准则,例如系统工程,软件合并及信任系统。
很多早期与ISO9001有关的问题在2000修订版中已有论述,该修订版更加注重客户和持续过程改进。除此以外,SW-CMM已经进化成新一代的CMMI。系统及软件工程的CMMI包含了集成产品和过程开发以及供应商来源。CMMI的设计目标是整合来源模型,减少培训开支,消除矛盾以及为企业削减评估开支(这一条也是该文章的重点部分)。
ISO9001:2000和CMMI的映射
背景
现在,ISO9001:2000和CMMI都在大型外包商中得到广泛的应用,为它们的供应商生产和发布的产品及服务提供一个质量认可评定等级。因此,企业必须通过CMMI来证明他们的企业成熟度或过程能力,同时也可能需要通过ISO9001:2000的认证,这取决于他们客户的需要。
CMMI测定的成熟度或过程能力等级是通过SCAMPI-A级评估获得的。SCAMPI-A级评估需要一个6-8人的团队,由SEI授权的SCAMPI评估组长带领。企业在接受评估前,要做相当大的投入,评估小组会做一个8-10个工作日的评估工作,具体要取决于需要评估的范围。通过这个评估,能够很仔细的调查出该企业的过程管理制度。
ISO9001:2000认证是通过符合资格的第三方审查人员来决定的。不过非常遗憾,很多企业把大部分时间都用在了ISO9001来检查时如何使质量管理系统看起来规范,而不是去关注这个标准的真正目的:向客户确保他们的产品质量。
目的
当企业需要向客户证明他们的CMMI等级和ISO9001:2000认证时,他们需要通过SCAMPI鉴定和ISO9001审核。如果能把这两项工作合并,则可以减少企业在评估审核中的开支和力度。
将ISO9001:2000映射到CMMI当中,需要一套包含在SCAMPI评估里的过程域及实践,这些过程域和实践也为通过ISO9001:2000认证提供了足够的证明。另外,需要制定一个详细的映射表,标示在CMMI中缺少的那些ISO9001:2000条款,并且强调评估小组需要收集哪些额外的证明。
Mutafelija 对目前存在的映射的审查显示出一些重要的差异。我们对映射CMMI到ISO15504和ISO12207(Rout, Tuffley and Cahill, 2000; Rout and Tuffley, 2002)的经验使得我们深信维持一个具有非常详细的细节的映射的必要性。这个观点和Mutafelija 恰恰相反,他说:“现在的映射...阐述了中间立场。ISO9001 每一条“应该”的陈述已经被映射成一个CMMI实践,使用的仅仅是最显著的对应关系。在映射中我们试图详尽地将每个段落和段落中相关的个别条款映射成CMMI连续描绘的相应的特定实践的和通用实践。
CMMI有四条准则,系统工程、软件工程、集成产品和过程开发和供应商都要遵循。这里介绍的准则只考虑了系统中的过程域和软件工程准则。
结果
这份报告为我们提供了另一种ISO9001:2000和CMMI映射关系,此关系有别于Mutafelijia和Stromberg开发的模式。需要注意的是,对于一些事例,在我们的结论保持一致的时候,那个详细的映射表却存在着差异。详细的映射表可以参考本报告的附录。
我们已经发现了以下的问题:
A. CMMI无法充分体现ISO9001需求的一些方面
B. 在覆盖范围方面,我们的分析与Mutafelijia观点的一些重要的区别。
覆盖范围
以下部分存在于IS9001里,但是在CMMI的任何适当等级中都没有阐述:
1. 4.2.4-质量记录控制 - 记录应保持清晰、易于识别和检索。
对工作产品没有影响的规格参数表的这一类问题,没有标记在CMMI中。
2. 条款 7.5.4 - 客户财产
这一点在CMMI中没有很好的体现。在供应协议管理下,将当客户当作供应商时,能 否达到某些覆盖范围存在着争论,这一部分需要进行更加明确的规定。例如,增加额外的子实践或者其他指导,来明确客户和开发者之间的关系这一方面是很有必要的。
3. 条款 7.6 - 测量设备的管理与监控
该条款中的最后3个子条款,在CMMI中没有相关标记。
4.条款8.2.1 - 客户满意度
CMMI中没有任何一个条目中有提及客户满意度的监控。利益相关者的情况有涉及,但是在CMMI条款中用户不被认为是利益相关者的情况是很有可能出现的。还有一个可能的争议,用户满意信息应该视作必要的信息,并以此推动度量和分析。然而,这未作要求。
5.条款8.3 - 不合格产品的控制
这个条款中的最终子条款,用来处理不合格产品在交付或已经开始使用后问题被发现的情形,但这已经超出了CMMI的范围。
下面的是ISO9001的部分条款,它们在CMMI有描述,但在一定程度上并没有完全覆盖ISO关心的问题:
1. 条款4.1 - 在质量管理体系中应该明确对这些外包过程的控制。
尽管供应商协议管理特定实践1.3(Supplier Agreement Management Specific Practice1.3)已经对此类问题提供了描述,但CMMI并没有在质量管理体系中明确外包过程。
2. 条款5.5.2 - 管理高层应该指定一名管理成员,该成员不管有什么其他的责任,应该有以下的责任和权力:
C.确保质量管理体系所需的过程被建立、执行和维持
D.向管理高层汇报质量管理体系的效能和任何提高所需的努力
E.确保整个公司关注客户需求的意识的改进。
注意,一个管理层的代表的责任包括和外部团体在有关质量管理体系上的问题保持联系。
这个问题从特定实践2.4(GenericPractice 2.4)到恰当过程域都有描述,连续的,针对子条款、组织过程定义(Organizational Process Definition)、组织过程焦点(Organizational ProcessFocus)和需求管理(RequirementsManagement)。CMMI没有在通用实践2.4(Generic Practice 2.4)详细定义管理责任的分配。
3. 条款5.5.3 - 管理高层应该确保公司内建立了适当的沟通过程,并确保对有关质量管理体系的有效性进行沟通。
尽管通用实践2.1、2.7和2.10(Generic Practices 2.1, 2.7 and 2.10)对公司内的沟通进行了纵向和横向的描述,但问题沟通机制对质量管理体系有效性的必要性描述不清楚。
4. 条款6.3 - 公司应该确定、提供并维持达到产品需求所需的基础架构。
这在项目计划(Project Planning )和通用实践2.3(Generic Practice 2.3 )有描述 ,尽管并不详细。
5. 条款6.4 - 公司应该确定达到产品需求所需的工作环境。
如上,项目计划(Specific Practice 2.4)和通用实践2.3(Generic Practice 2.3 )描述了这个情况,但是该问题在CMMI中应该有更加详细的描述。
6. 条款7.2.2 - 这个审核应该在公司履行向客户提供产品的义务之前实施(例如,提交投标书,验收合同和订单,验收合同和订单的变化)
CMMI没有针对指定这些审核时间的有力条款。
7. 条款7.2.3 - 公司应该确定和执行与客户沟通的有效的方案。
这个问题在需求管理(Requirements Management)里有描述,贯穿了特定实践2.3(Specific Practice 2.3)、通用实践2.7(Generic Practice 2.7)的应用到需求开发(Requirements Development)和需求管理(Requirements Management)。通过特定目标2(Specific Goal2),综合项目管理(Integrated Project Management)进一步加强了覆盖度。主要弱点是在对这个问题的明确确定的程度。
8. 条款7.3.3 - 设计和开发产品...应该在释放之前批准。
CMMI对设计许可的问题没有特别的描述。这个许可应该是通过通用实践2.1(GenericPractice 2.1)在技术解决策略上被正式要求的,并通过通用实践2.10(Generic Practice 2.10)接受管理层的审核。然而,CMMI并没有在这些通用实践中进行详细的描述来很好的满足此条款。
9. 条款7.4.3 - 凡公司或它的客户打算对供应商进行审核,公司应该在采购信息中说明审核的安排和产品释放的方法。
尽管该问题在供应商协议管理特定实践1.3(SupplierAgreement Management Specific Practice 1.3)有描述,是否应该对审核安排进行记录的问题并没有明确规定。
10. 条款7.6 - 控制和监控测量设备。
在测量和分析(Measurement and Analysis)中描述了全部和测量设备有关的测量问题。然而,关于这些设备的校准、调整和控制,问题来了。从通用实践2.6和2.8(Generic Practices 2.6 and 2.8)的应用到测量和分析(Measurement and Analysis)对该问题进行了描述,然而,CMMI需要扩展来解决ISO9001提出的测量设备问题。例如,在测量和分析特定实践1.3-1(Measurement and Analysis Specific Practice 1.3-1)中,一个典型的产品如某测试工具的校准证书应该添加上来以便辨识出此类需求。通过测量和分析(Measurement and Analysis),在特定实践2.2(Specific Practice 2.2)的应用和通用实践2.9(Generic Practice 2.9)中再次描述了如果测量设备被发现不合格时要采取行动。在通用实践2.8中描述了采取的纠正行动。然而,在CMMI中依然没有关于将这些实践应用于测量设备的详细指导。
11. 条款8.2.4 - 产品发布和服务交付应该在所有计划安排(见7.1)完满完成后才可以继续,除非得到相关授权的许可并经由客户同意。
从普通实践2.1、2.7、2.8和2.10(Generic Practices 2.1, 2.7, 2.8 and 2.10)到特定目标3(Specific Goal 3)描述了该条款的常见问题。然而,CMMI对产品发布的正式授权的问题没有足够的描述。
12. 条款8.3 - 对不合格产品的控制
这个条款下有大量的问题。第一个是对处理不合格产品的控制和职责的定义,自普通实践2.4和普通实践3.1的应用到过程和产品质量保障(Process and Product Quality Assurance 普通实践2.1)和项目监控和控制(Project Monitoring andControl特定目标2)都有阐述。项目监控和控制特定目标2(Project Monitoring and Control Specific Goal 2 )需要进一步关注不合格产品的控制,以及一些指导来保证工程问题和项目管理问题一样被描述。
13. 条款8.4 - 数据分析
第三个子条款详细说明了需要数据分析的主题。尽管这样的数据分析在CMMI中有描述,但是整个测量和分析(Measurement and Analysis)中却找不到明确的要求来描述这些主题。
分歧点
我们的映射和Mutafelija的记录在以下方面存在分歧:
1. 记录控制
Mutafelija 认为记录控制在CMMI中是“证据”,然而我们却认为记录控制通过过程和产品质量保证特定实践2.2(Process andProduct Quality Assurance Specific Practice 2.2)、通用实践2.2(Generic Practice 2.2)、通用实践2.6(Generic Practice2.6)和通用实践3.1(GenericPractice 3.1)在CMMI中有明确描述。
2. 以客户为中心/客户满意度
ISO通过条款5.2、条款8.2.1和条款8.4对用户满意度的完成和评估给与了极大的关注。尽管CMMI在需求开发(Customer Focus)中提到要以客户为中心,但对客户满意度的监控在CMMI的描述中几乎毫无地位而不是对所需的项目信息进行周全的考虑。CMMI没有出于对信息收集和分析方面的考虑将这些特殊的问题作为硬性要求。
我们不同于Mutafelija 的地方在于,我们将CMMI理解为以客户为中心,尽管客户满意度并没有明确描述。Mutafelija 认为缺少对客户满意度的考虑会导致失去更大的客户关注度。
3. 内部沟通
Mutafelija 认为这个概念在CMMI中是不明确的,并发现没有对质量管理体系有效性进行明确沟通的要求。我们认为通用实践2.1、2.7和2.10(Generic Practice 2.1, 2.7 and 2.10)建立了一个高效的沟通过程,而且,通用实践2.10特别是在组织过程定义(OrganizationalProcess Definition)和组织过程焦点(Organizational Process Focus)的有效应用会给质量管理体系的有效性带来良好的沟通机制。
4. 基础设施和工作环境
Mutafelija 宣称基础设施和工作环境目前和产品集成和过程开发原则一样。我们在映射中没有包括产品集成和过程开发和供应商采购原则。然而,我们发现在项目监控和控制中,通用实践2.3(Generic Practice 2.3)和特定实践2.4(Specific Practice 2.4)提供了合理的但是不完全的针对基础设施和环境的问题覆盖。CMMI在这些主题上以及CMMI 和 ISO15504之间的关系上的表现出的薄弱值得关注。
5. 控制和监控测量设备
Mutafelija认为很多控制和监控测量设备的内容都超出了CMMI的范围。这尤其针对测量设备的校准、调整和存放和对适当矫正行动的定义和追查。我们认为能力等级2通用实践(capability level 2 generic practices)尤其是2.2、2.6、2.8和2.9的应用提供了一些,但是没有足够覆盖该主题。
6. 内部审计
我们和Mutafelija 的主要差异是关于审计人员的选择、审计的实施和审计过程本身的独立性。Mutafelija 认为这些问题在CMMI中没有描述,我们却清楚地看到通用实践2.3和2.9(Generic Practice 2.3 and 2.9)在产品质量保证中有全面的描述。
7. 不合格产品的控制
Mutafelija 的观点是对不合格产品的控制在CMMI中没有要求。我们认为这在验证、过程和产品质量保证和产品集成中有完整的描述,并通过项目监控和控制和过程和产品质量保证对不合格问题进行管理。
8. 预防措施
Mutafelija 再一次认为ISO9001中大多数预防措施要求在CMMI要么没有要么只有粗略的描述。我们认为原因分析和解决(Causal Anaylsis and Resolution)详尽地描述了所有预防措施的问题,Williams (2003)也持同样观点。该差异可能来自于对过程能力和组织成熟度阶段性和连续性观点之间的差异。
CMMI概况
基于附录里的映射,可以通过CMMI过程域的概况,派生出一组在SCAMPI评估范围内适用的过程域和能力等级,来获取更充足的客观证据,作为ISO9001评审员判断是否能获得ISO9001:2000认证的依据。不过也需要注意,这些额外的资料需要搜集在一起,要标记在ISO9001:2000的条款里,而这些条款正是在CMMI中没有标记或者如同前一章所介绍比较欠缺的方面。表1列出了过程域的概述和相对应的能力等级。
尽管这个映射显示了CMMI中各种过程域的最小能力级别,也应该考虑将所有过程域覆盖至能力级别3,CMMI中的所有过程域的通用实践和目标为ISO9001:2000提供证据。
| 类别 |
过程域 |
能力等级 |
| 工程学 |
|
|
|
|
需求管理 |
2 |
|
|
需求开发 |
2 |
|
|
专业的解决办法 |
3 |
|
|
产品集成 |
3 |
|
|
验证 |
3 |
|
|
确证 |
3 |
| 项目管理 |
|
|
|
|
项目计划 |
2 |
|
|
项目监测及控制 |
3 |
|
|
供应商管理协议 |
2 |
|
|
集成项目管理 |
1 |
|
|
项目量化管理 |
1 |
| 支持 |
|
|
|
|
过程及产品质量保证 |
3 |
|
|
度量及分析 |
2 |
|
|
配置管理 |
3 |
|
|
原因分析及解决 |
3 |
| 过程管理 |
|
|
|
|
企业化过程中心 |
2 |
|
|
企业化过程定义 |
2 |
|
|
企业化培训 |
1 |
|
|
企业化过程实施 |
1 |
|
|
企业化改革及部署 |
1 |
表1 - CMMI过程域概况
进一步的说明
需要对SCAMPI - A级评估管理做进一步的审查,来证明这份报告中的映射表的有效性,通过这个审查去确定SCAMPI评估包含表1里的过程域。另外,SCAMPI评估小组需要包含一个获得ISO9001:2000认证的审查员,去核查SCAMPI评估过程中收集到的客观证据,决定这些证据是否足够用来包含ISO9001:2000认证。
同时需要注意,这个映射只适用于CMMI中的系统工程和软件工程准则。当该映射需要扩展包含供应商采购准则,则需要添加某些相应的方面准则。
结论
根据分析,我们发现,如果搜集一些额外的信息去弥补那些在CMMI中甚少提及或者根本没有提及的方面,SCAMPI评估就会有足够的证据包含ISO9001:2000认证。
SCAMPI评估指导我们去处理这个问题,证明了这个映射的有效性,同时也提供了数据证明,相比分别验证,在单独进行的CMMII和ISO9001:20000验证中为证明企业成熟度或过程能力所做的更多工作是否更加有效率。
参考文献
CMMI Product Team, Capability Maturity Model Integration (CMMI) v1.1 for SystemsEngineering and Software Enginering Continuous Representation, CMU/SEI-2002-TR-001,Software Engineering Institute, Carnegie Mellon University, Piitsburgh, PA,December 2001.
Crosby, P.B.; Quality is free: the art of making quality certain; New York : New AmericanLibrary, c1979
Deming, W.D.; Out of the Crisis; Cambridge, Mass. : MIT Press, 2000, c1986
International Organization forStandardization, Quality managementsystems – Requirements, ISO9001:2000, ISO publication, December 2000
Juran, J.M.; Juran on planning for quality; New York : The Free Press, 1988.
Mutafelija, B. and Stromberg, H.; Systematic Process Improvement UsingISO9001:2000 and CMMI; Artech House; Norwood, MA; April 2003
Mutafelija, B. and Stromberg, H.; Mappings of ISO 9001:2000 and CMMI Version1.1, Software Engineering Institute, Carnegie Mellon University, http://www.sei.cmu.edu/cmmi/adoption/iso-mapping.html,July 2004
Paulk, M.C., Curtis, B., Chrissis, MB.,and Weber, C.; Capability Maturity Modelfor Software; CMU/SEI-93-TR-24, Software Engineering Institute, CarnegieMellon University, Piitsburgh, PA, February 1993.
Rout, T.P., Tuffley, A. and Cahill, B.; Capability Maturity Model IntegrationMapping To ISO/IEC 15504-2:1998, Software Quality Institute, Griffith University, http://www.sqi.gu.edu.au/cmmi/indexFrameset.html,2000.
Rout, T.P. and Tuffley, A.; SPICE and CMMI: conformance of the CMMImodels to ISO/IEC 15504; SPICE 2001, Venice, Italy, March2001
Williams, R; Causal Analysis and Resolution (CAR) at Level 1; SEPG 2003, Phoenix, Arizona.
ISO9001:2000 and the Capability Maturity Model® Integration
AngelaTuffley and Terence P. Rout
SoftwareQuality Institute,
Griffith University;
MarkStone-Tolcher and Ian Gray,
DefenceMateriel Organisation,
AustralianDepartment of Defence
Abstract
In order to provide their customers withsome guarantee of the quality of their goods and services, an organisation maybe required to demonstrate its certification to ISO9001:2000 and compliancewith the Capability Maturity Model Integration (CMMI®) for Systemsand Software Engineering.
This paper describes an exerciseundertaken by the Software Quality Institute, Griffith University and theDefence Materiel Organisation, Australian Department of Defence to review themapping of ISO9001:2000 and the CMMI version 1.1 developed by Mutafelija andStromberg (2003, 2004) currently available from the Software EngineeringInstitute, Carnegie Mellon University. The purpose of the exercise was to determine whether a CMMI-basedappraisal or SCAMPISM could be scoped toinclude sufficient evidence to be collected for the purposes of ISO9001:2000certification, whilst also determining the process area capability and/ororganisational maturity, thereby, reducing the costs of appraisal / audits foran organisation to satisfy both requirements for their customers.
The paper documents the assumptions anddetailed results of the mapping exercise and highlights any concerns in areaswhere ISO9001:2000 requirements are not adequately represented in equivalentCMMI practices. It also proposes a set of process areas and capability levelsthat must be included in the scope of a CMMI-based appraisal and identificationof additional information required in order to gather sufficient evidence forISO9001:2000 certification.
Introduction
Since the late 1980s, the use of theinternational standard ISO9001, which specifies the requirements for a qualitymanagement system, has been a mechanism for acquisition organisations to havesome guarantee of the quality of their suppliers’ goods and services. This mechanism has been widely adoptedthroughout the world and cemented its popularity through its adoption by the EuropeanCommunity to facilitate the free trade of goods across member’s countryborders. Though it is intended toprovide some guarantee of the quality of these goods and services, in theseearlier years, this was not always the case as it focused on conformance ofmanufactured goods rather than the requirements of the customers.
Of particular concern were organisationsthat developed software. In response to this issue, a number of processassessment models were developed, one of the most notably being the CapabilityMaturity Model for Software Version 1.1 (SW-CMM®)published in 1993 (Paulk et al 1993). The SW-CMM was developed by the SoftwareEngineering Institute (SEISM), Carnegie Mellon Universityand sponsored by the US Department of Defense (US DoD). The SW-CMM focuses on continuous processimprovement by rating, on a scale from 1 to 5, the maturity of an organisationthrough assessing the capability of the processes the organisation uses todevelop their software. The premise of this approach comes from the TotalQuality Management movement, derived from the work of W. Edward Deming, JosephJuran and Phillip Crosby (Deming 1986, Juran 1988, Crosby 1979), whichadvocates that the quality of a product is largely determined by the quality ofthe processes used to produce it.
The initial adoption of the SW-CMM in theUSA was driven by the mandated requirement from the US DoD that contractorsachieve a maturity level of 3 (Defined), in order to compete for US DoDacquisition projects. As a result of this requirement, these contractororganisations reported improvements in quality, better productivity, reducedcosts and increased customer satisfaction. This demonstrated success encouraged many organisations outside of thedefense industry to adopt the SW-CMM, most notably in India, where similar experiences ofimprovements and quality have subsequently been observed. This also prompted the development of morecapability maturity models for other disciplines such as systems engineering,software acquisition and trusted systems.
Many of the earlier problems experiencedwith ISO9001 have been addressed in the 2000 revision, which now places greateremphasis on customer focus and continuous process improvement. In addition, the SW-CMM has also evolved intoits successor the Capability Maturity Model – Integration (CMMI) for systemsand software engineering with integrated product and process development andsupplier sourcing. The design goals of the CMMI were to integrate the sourcemodels, reduce training costs, eliminate inconsistencies and of particularimportance for this paper reduce the costs of appraisals fororganisations.
Mapping ISO9001:2000 to CMMI
Background
Currently, both ISO9001:2000 and CMMI arewidely adopted by large acquirers to have some degree of confidence in theability of their suppliers to produce and deliver goods and services of anacceptable quality. Consequently, organisations required to demonstrate a levelof organisational maturity or process capability against the CMMI may also berequired to demonstrate ISO9001:2000 certification; depending on the mandate oftheir customers.
Determination of a level of organisationmaturity or process capability against the CMMI is obtained through the conductof a Standard CMMI Appraisal Method for Process Improvement (SCAMPI) Class A. A SCAMPI Class A appraisal requires a team of6 to 8 appraisers led by an SEI Authorized SCAMPI Lead Appraiser. It requires aconsiderable investment of effort by the organisation to prepare for theappraisal team on-site period of approximately 8 to 10 working days dependingon the scope of the appraisal. Thisclearly provides a very detailed investigation into the institutionalization ofthe processes within the organisation.
ISO9001:2000 certification is determinedby the services of an accredited external auditor and unfortunately it is notuncommon for organisations to focus on getting the quality management system inshape just prior to the visit from the ISO9001 auditor rather than focus onensuring a level of quality to their customers as is the intent of thestandard.
Purpose
If an organization is required todemonstrate both CMMI levels and ISO9001:2000 certification, they need a SCAMPIappraisal and an ISO9001 audit in order to furnish these results to theircustomers. Being able to combine thesetwo activities would reduce the cost and effort of appraisals and audits fororganizations.
Mapping ISO9001:2000 to the CMMI shouldprovide a set of process areas and practices to be included in the scope of aSCAMPI Appraisal that provide sufficient evidence to also determineISO9001:2000 certification. In addition,a detailed mapping will indicate which clauses of ISO9001:2000 are notaddressed by CMMI and highlight any additional evidence that would need to becollected by the appraisal team.
A review of the existing mapping byMutafelija indicated some significant differences. Our experiences in mapping CMMI to ISO 15504and ISO 12207 (Rout, Tuffley and Cahill, 2000; Rout and Tuffley, 2002) hadconvinced us for the need for maintaining a high level of detail in themapping. This view contrasted withMutafelija who states, "The mappings presented … address the middleground. Each ISO9001 'shall' statementhas been mapped to a CMMI practices, using only the most prominentcorrespondence". In our mapping wehave attempted to explicitly map each paragraph and where relevant individualitems within paragraphs to relevant specific and generic practices drawn fromthe continuous representation of the CMMI.
The CMMI has four disciplines systemsengineering, software engineering, integrated product and process developmentand supplier coursing. The mappingpresented here only considers the process areas in the systems and softwareengineering disciplines.
Results
This report provides an alternative mappingof ISO9001:2000 to CMMI from the one developed by Mutafelija andStromberg. It should be noted that inmany instances, while our conclusions are the same, the detailed mapping onwhich we based those conclusions are different. The detailed mapping is provided as an appendix to this report.
In the following discussion we haveidentified
a. Areas where CMMI does notadequately address the requirement of ISO9001.
b. Areas where our interpretationdiffers significantly from Mutafelija in terms of coverage. Differences in the detail of individualclause mapping which still result in similar coverage are not discussed.
Coverage
The following areas in ISO 9001[1] arenot addressed to any adequate degree in CMMI:
1. 4.2.4 - Control of quality records - Quality records shall remain legible,readily identifiable and retrievable
The issue of non functionalcharacteristics of work products is not addressed in CMMI.
2. Clause 7.5.4 – CustomerProperty
This issue is not addressedsatisfactorily in CMMI. It can be arguedthat some coverage can be achieved by regarding the Customer as a"supplier" within the terms of Supplier Agreement Management, butthis needs to be made much more explicit. Potentially, additional sub-practices or other guidance to make explicitthis aspect of the customer – developer relationship are required.
3. Clause 7.6 – Control andmonitoring of measuring devices
The last three sub-clauses of thisClause are not addressed in CMMI.
4. Clause 8.2.1 – Customersatisfaction
The CMMI does not address themonitoring of customer satisfaction in any specific practice. The involvement of relevant stakeholders isaddressed, but it is quite possible for a customer not to be considered as a"relevant stakeholder" in CMMI terms. It might also be argued that information on customer satisfaction shouldbe seen as an information need, and thereby a driver for Measurement andAnalysis; however, this is not required.
5. Clause 8.3 – Control ofnon-conforming product
The final sub-clause in this Clause,dealing with situations where nonconforming product is detected after deliveryor use has started, is outside the scope of CMMI.
The following areas in ISO 9001 areaddressed in CMMI, but to an extent that does not cover all of the ISOconcerns:
1. Clause 4.1 - Control of such outsourced processes shallbe identified within the quality management system.
While Supplier Agreement ManagementSpecific Practice1.3 has provision for such issues to be addressed, the CMMI isnot explicit about identification of outsourced processes in the qualitymanagement system.
2. Clause 5.5.2 - Top management shall appoint a member ofmanagement who, irrespective of other responsibilities, shall haveresponsibility and authority that includes
c. ensuring that processes needed for the quality management system areestablished, implemented and maintained,
d. reporting to top management on the performance of the qualitymanagement system and any need for improvement, and
e. ensuring the promotion of awareness of customer requirementsthroughout the organization.
NOTE The responsibility of a management representative can includeliaison with external parties on matters relating to the quality managementsystem.
This issue is addressed through theapplication of Generic Practice 2.4 to the appropriate Process Area –successively, for the sub-clauses, Organizational Process Definition,Organizational Process Focus and Requirements Management. The CMMI is not explicit in defining theallocation of management responsibilities as an issue for Generic Practice 2.4.
3. Clause 5.5.3 - Top management shall ensure that appropriatecommunication processes are established within the organization and thatcommunication takes place regarding the effectiveness of the quality managementsystem.
While Generic Practices 2.1, 2.7 and2.10 address the issue of communication both vertically and horizontally in theorganization, the need for effectiveness of the quality management system to beamong the matters communicated is not explicit.
4. Clause 6.3 - The organization shall determine, provideand maintain the infrastructure needed to achieve conformity to productrequirements.
This is addressed in Project Planningand in Generic Practice 2.3, though the reference is not explicit.
5. Clause 6.4 - The organization shall determine end managethe work environment needed to achieve conformity to product requirements.
As above, Project Planning (SpecificPractice 2.4) and Generic Practice 2.3 address this issue, but the matter couldbe made more explicit in CMMI.
6. Clause 7.2.2 - This review shall be conducted prior to theorganization’s commitment to supply a product to the customer (eg. submissionof tenders, acceptance of contracts or orders, acceptance of changes tocontracts or orders)
CMMI is weak in terms of specifyingthe timing of these reviews.
7. Clause 7.2.3 - The organization shall determine andimplement effective arrangements for communicating with customers.
The issue is addressed inRequirements Management, through Specific Practice 2.3, and through applicationof Generic Practice 2.7 to Requirements Development and RequirementsManagement. Integrated ProjectManagement, through Specific Goal 2, further strengthens this coverage. The major weakness is in the extent to whichthe issue is explicitly identified.
8. Clause 7.3.3 - Design and development outputs … shall beapproved prior to release
The issue of approval of designs isnot specifically addressed in CMMI. Therequirements for approval could be formalised in the policy for TechnicalSolution through Generic Practice 2.1 and reviewed by management throughGeneric Practice 2.10, however, the CMMI is not explicit in these genericpractices for satisfaction of the clause.
9. Clause 7.4.3 - Where the organization or its customerintends to perform verification at the suppliers premises, the organization shallstate the intended verification arrangements and method of product release inthe purchasing information.
While this issue is addressed inSupplier Agreement Management Specific Practice 1.3, the issue of whetherverification arrangements should be documented is not explicitly identified.
10. Clause 7.6 – Control andmonitoring of measuring devices.
Overall policy issues relating tomeasuring devices are addressed through Measurement and Analysis. In relation to the calibration, adjustmentand control of such devices, however, the situation becomes problematic. The issue is addressed through theapplication of Generic Practices 2.6 and 2.8 to Measurement and Analysis,particularly Specific Practice 1.3; however, CMMI needs extension to cover themeasuring equipment issues raised in ISO 9001. For example in Measurement andAnalysis Specific Practice 1.3-1 a typical work product such as a testinstrument calibration certificate could be added to recognise this type ofrequirement.
Action to be taken where measurementequipment is found to be non-conformant is addressed again through Measurementand Analysis, in the application of Specific Practice 2.2 and Generic Practice2.9. Corrective actions are addressedthrough Generic Practice 2.8. However,once again, there is no explicit guidance in CMMI regarding application ofthese practices to measurement devices.
11. Clause 8.2.4 - Product release and service delivery shallnot proceed until all the planned arrangements (see 7.1) have beensatisfactorily completed, unless otherwise approved by a relevant authority,and where applicable by the customer.
The general issues in this clause areaddressed through application of Generic Practices 2.1, 2.7, 2.8 and 2.10 toSpecific Goal 3 in Product Integration; however the issue of formalauthorization of product release is not adequately addressed in CMMI.
12. Clause 8.3 – Control ofnon-conforming product
There are a number of issues withinthis clause. The first matter is thedefinition of controls and responsibilities for dealing with non-conformingproduct; these are addressed through the application of Generic Practice 2.4and Generic Practice 3.1 to Process and Product Quality Assurance (SpecificPractice 2.1) and Project Monitoring and Control (Specific Goal 2). Project Monitoring and Control Specific Goal2 needs some further typical work products concerning control of non-conformingproduct, and guidance to ensure that engineering issues are addressed as wellas project management issues.
13. Clause 8.4 – Analysis of data
The third sub-clause specifiesexplicit topics where analysis of data is required. While the analysis of such data is addressedwithin CMMI, through Measurement and Analysis, the specific requirement toaddress these topics is not to be found.
Points at Issue
Our mapping indicates a divergence fromthe conclusions of Mutafelija in the following areas.
1. Control of Records
Mutafelija asserts that control ofrecords is "evidence" in the CMMI, however we maintain that thecontrol of records is explicitly addressed in the CMMI through Process andProduct Quality Assurance Specific Practice 2.2, Generic Practice 2.2, GenericPractice 2.6 and Generic Practice 3.1.
2. Customer Focus / CustomerSatisfaction
ISO9001 places a strong emphasis onthe achievement and evaluation of customer satisfaction through clauses 5.2,and in particular 8.2.1 and 8.4. Whilst the CMMI has a customer focus throughRequirements Development, the monitoring of customer satisfaction is notaddressed to any significant extent in CMMI other than through an informativeconsideration of information needs for a project. The structure of CMMI does not recognize thespecific issues as mandated for consideration in information collection andanalysis.
We differ from Mutafelija in that weinterpret CMMI as customer focused even though customer satisfaction is notexplicitly addressed. Mutafelija interprets the lack of consideration ofcustomer satisfaction to result in a wider lack of customer focus.
3. Internal Communication
Mutafelija believes this concept isnot explicit in CMMI and finds there is no requirement to communicate theeffectiveness of the quality management system specifically. We believe thatGeneric Practice 2.1, 2.7 and 2.10 establish a highly effective communicationprocess and that effective implementation of Generic Practice 2.10 particularlyin Organizational Process Definition and Organizational Process Focus shouldresult in strong communication regarding the effectiveness of the quality managementsystem.
4. Infrastructure and WorkEnvironment
Mutafelija addresses theinfrastructure and work environment (clauses 6.3 and 6.4) only in so far asthey are addressed in Integrated Product and Process Developmentdiscipline. We did not include the IntegratedProduct and Process Development and Supplier Sourcing disciplines within ourmapping. However we find that Generic Practice 2.3 and Specific Practice 2.4 inProject Monitoring and Control provide reasonable, but not complete, coverageof infrastructure and environment issues. It is noteworthy that weaknesses in CMMI in relation to these topics canalso be noted when considering the relationship between CMMI and ISO15504.
5. Control and Monitoring ofMeasuring Devices
Mutafelija takes the view that muchof the content on the control and monitoring of measurement devices fallsoutside the scope of CMMI. This particularly related to the calibration,adjustment and storage of measuring equipment and the identification andfollow-up of appropriate corrective actions. We take a view that the application of the capability level 2 genericpractices, particularly 2.2, 2.6, 2.8 and 2.9 provides some, but not fullyadequate, coverage of this topic.
6. Internal Audit
The major difference we have withMutafelija is in relation to the selection of auditors, the conduct of auditsand the independence of the audit process itself. Mutafelija believes these issues are notaddressed in CMMI, we see them as clearly and comprehensively addressed byconsidering the application of Generic Practice 2.3 and 2.9 to Process andProduct Quality Assurance.
7. Control of NonconformingProduct
Mutafelija's view is that control ofnon conforming product is not required by CMMI. We believe that it is quite well addressed through Verification, Processand Product Quality Assurance and Product Integration and that the managementof nonconformances is handled through Project Monitoring and Control andProcess and Product Quality Assurance.
8. Preventive Action
Again, Mutafelija takes the view thatmost preventive action requirement in ISO9001 are either absent or weaklyaddressed in CMMI. We believe thatCausal Anaylsis and Resolution addresses all preventive action issues perfectlyadequately; this view is also taken by Williams (2003). The difference may derive from the differencebetween the staged and continuous views of process capability andorganizational maturity.
CMMI Profile
Based on the mapping provided in theappendix, a profile of CMMI process areas can be derived to provide an appropriateset of process areas and capability levels to be included in the scope of aSCAMPI Appraisal for the purposes of obtaining sufficient objective evidence toallow an ISO9001 auditor to make a valued judgment on whether ISO9001certification could be awarded. Itshould be noted however, that additional information should be gathered toaddress those clauses in ISO9001:2000 where CMMI either does not address theclause or is weak in that area as indicated above. Table 1 shows the profile of Process Areasand their associated Capability Levels.
Whilst the mapping indicates the minimumcapability levels for various process areas in the CMMI, consideration shouldbe given to scope all process areas to capability level 3 as the genericpractices and goals of all process areas in the CMMI provide evidence forISO9001:2000.
| Category |
Process Area |
Capability Level |
| Engineering |
|
|
|
|
Requirements Management |
2 |
|
|
Requirements Development |
2 |
|
|
Technical Solution |
3 |
|
|
Product Integration |
3 |
|
|
Verification |
3 |
|
|
Validation |
3 |
| Project Management |
|
|
|
|
Project Planning |
2 |
|
|
Project Monitoring and Control |
3 |
|
|
Supplier Agreement Management |
2 |
|
|
Integrated Project Management |
1 |
|
|
Quantitative Project Management |
1 |
| Support |
|
|
|
|
Process and Product Quality Assurance |
3 |
|
|
Measurement and Analysis |
2 |
|
|
Configuration Management |
3 |
|
|
Causal Analysis and Resolution |
3 |
| Process Management |
|
|
|
|
Organizational Process Focus |
2 |
|
|
Organizational Process Definition |
2 |
|
|
Organizational Training |
1 |
|
|
Organizational Process Performance |
1 |
|
|
Organizational Innovation and Deployment |
1 |
Table1 – CMMI Process Area Profile
Future Directions
Further investigations through theconduct of SCAMPI Class A appraisals need to be conducted to prove the validityof the mapping presented in this report. This future exercise would need to ensure that the scope of the SCAMPIappraisal included the process areas listed in Table 1. In addition, the SCAMPI appraisal team wouldneed to include a certified ISO9001:2000 auditor to review the objectiveevidence gathered during the SCAMPI appraisal to decide whether sufficientevidence was available to include ISO9001:2000 certification.
It should also be noted that this mappingwas limited to the Systems Engineering and Software Engineering disciplines ofthe CMMI. Some areas of concern may beaddressed if mapping was extended to include the Supplier Sourcing disciplinewas included.
Conclusion
On analysis, it appears that a SCAMPIappraisal could be scoped to include sufficient evidence for ISO9001:2000certification provided some additional evidence was gathered to support thoseclauses that are either weakly addressed or not implicit in the CMMI or notaddressed at all.
SCAMPI appraisals conducted to addressthis issue would prove the validity of this mapping and also provide data on whetherthe additional effort required to demonstrating a level of organizationalmaturity or process capability against the CMMI and ISO9001:2000 certification,within the one exercise is efficient as opposed to two separate exercises.
Bibliography
CMMI ProductTeam, Capability Maturity ModelIntegration (CMMI) v1.1 for Systems Engineering and Software EngineringContinuous Representation, CMU/SEI-2002-TR-001, Software EngineeringInstitute, Carnegie Mellon University, Piitsburgh, PA, December 2001.
Crosby, P.B.; Quality is free: the art of making qualitycertain; New York: New American Library, c1979
Deming, W.D.; Out of the Crisis; Cambridge, Mass.: MIT Press, 2000, c1986
InternationalOrganization for Standardization, Qualitymanagement systems – Requirements, ISO9001:2000, ISO publication, December2000
Juran, J.M.; Juran on planning for quality; New York : The FreePress, 1988.
Mutafelija, B.and Stromberg, H.; Systematic ProcessImprovement Using ISO9001:2000 and CMMI; Artech House; Norwood, MA;April 2003
Mutafelija, B. and Stromberg, H.; Mappings of ISO 9001:2000 and CMMI Version1.1, Software Engineering Institute, Carnegie Mellon University, http://www.sei.cmu.edu/cmmi/adoption/iso-mapping.html,July 2004
Paulk, M.C.,Curtis, B., Chrissis, MB., and Weber, C.; CapabilityMaturity Model for Software; CMU/SEI-93-TR-24, Software EngineeringInstitute, Carnegie Mellon University, Piitsburgh, PA, February 1993.
Rout, T.P.,Tuffley, A. and Cahill, B.; CapabilityMaturity Model Integration Mapping To ISO/IEC 15504-2:1998, SoftwareQuality Institute, Griffith University, http://www.sqi.gu.edu.au/cmmi/indexFrameset.html,2000.
Rout, T.P. andTuffley, A.; SPICE and CMMI: conformanceof the CMMI models to ISO/IEC 15504; SPICE 2001, Venice, Italy,March 2001
Williams, R; Causal Analysis and Resolution (CAR) atLevel 1; SEPG 2003, Phoenix, Arizona.
® 能力成熟度模型(CapabilityMaturity Model) 和 CMMI 已经由卡内基梅隆大学在美国国家专利和商标办公室注册
® CapabilityMaturity Model and CMMI are registered in the U.S. Patent and Trademark Officeby Carnegie Mellon University.
SM SCAMPI is aservice mark of Carnegie Mellon University.
® SW-CMM isregistered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
SM SEI is a service mark of Carnegie Mellon University.
[1] Where relevant, text in italics fromISO9001:2000 is included to support understanding of the comments.