The Software Engineering Institute developed Capability Maturity Model for software (CMM)

(1)

1. Introduction

The Software Engineering Institute developed Capability Maturity Model for software (CMM) and International Standards Organization developed ISO 9000 series, both have a common concern for quality and process management. Both the CMM and ISO 9001 are similar by purpose and interrelated with certain differences as well (Paulk).

1.1 ISO 9001

The ISO 9000 series is a set developed for quality management which can be used for the purpose of external quality management (ISO 9001, 9002 and 9003). The ISO 9001 is a quality management model that helps in assuring quality in design and development, production, installation and servicing. It is mainly used for the conformance for specific requirements, needs assurance by the suppliers at different stages like design, production, installation, servicing, etc. ISO 9001 among ISO 9000 series is chiefly for the purpose of quality assurance for software development and maintenance (Arthur, 1993). The key quality concepts of ISO 9001 are:

a. The organizations should imply and meet the needs of purchaser achieving and sustaining the quality of product or service.

b. The organizations should give confidence to their own management to achieve and sustain the quality.

c. The organizations should give confidence to the purchasers that the intended quality will be achieved and delivered in the product or service continually. To give confidence to the purchaser, it may require demonstration if provided in the contract.

(2)

1.2 Capability Maturity Model (CMM)

The Capability Maturity Model (CMM) for software is meant to describe basic principles and practices, essentially for software process maturity and the CMM intends to help the software development organizations to improve process maturity for software. Especially it assists in evolutionary terms, to perk up the software processes from ad hoc and chaotic to mature and disciplined software processes (Brown, 1994). The CMM is composed of five maturity levels and every level guides in provision of quality process improvement. The five maturity levels are as follows. a. Initial b. Repeatable c. Defined d. Managed e. Optimizing

2. Comparison of ISO 9001 & CMM

The ISO 9001 and CMM are compared as follows on the basis of analysis of TickIT training material [Lloyd’s 94]. There are certain differences in interpretation of CMM and ISO 9001. 2.1 Management Responsibility

ISO 9001 requires the quality policy to be well defined, understood and implemented. The authorities and responsibilities should be defined and the manager should ensure maintenance of quality. While CMM addresses management responsibility in software quality assurance for

(3)

quality policy. Contrary to CMM, ISO 9001 defines qualitative objectives for quality management (Brown, 1994).

2.2 Quality System

CMM defines the procedures of quality system that are distributed throughout key areas and in various practices and activities (Lloyd, 1994). ISO 9001 addresses strictly at project level and discusses suppliers’ quality system but does not include organizational support and project implementation like CMM does.

2.3 Contract Review

CMM describes the requirements of the customers and missing information is clarified, however, CMM is constrained to software only. The contracts can be outsourced to sub-contractors. While ISO 9001 does not clearly defines sub-contracting or contracts with external customers.

2.4 Design Control

ISO 9001 requires establishing the verification and controlling process of designing. It states the requirement about the suppliers to meet the required design and methodologies be correctly carried out (Bollinger & McGowan,1991). While CMM describes the activities of the life cycle of design control in software configuration management of products that are generated by the activities.

(4)

ISO requires the document controlling to be established throughout distribution and modification. While CMM are distributed in key areas through out various activities. Specifically it is described in Activity 8 of Software Product Engineering.

2.6 Purchasing

ISO 9001 requires meeting the specifications of purchased products including assessment of sub-contractors and verification of products (Arthur, 1993). CMM addresses it through Software Sub-contract Management in. That describes evaluation in Activity 2 and acceptance testing of software is described in Activity 12.

2.7 Process Control

ISO requires the facts continually monitored and controlled and it asks the production process to be carried out under defined instructions. CMM describes Process Assurance in Activity 4. It expresses the quantitative aspect exemplified by the statistical technique.

2.8 Training

ISO 9001 asks for required training because there is need of trained and qualified personnel for performance of certain tasks. While CMM identifies training needs and describes infrastructure in Training Program in Activity 6.

(5)

ISO 9001 necessarily requires audits to be performed and the deficiencies to be communicated to the management to rectify them. CMM describes need of audits in Software Quality Assurance and it calls for audits in Verifying Implementation common feature.

2.10 Servicing

ISO 9001 requires servicing activities to be performed as per clause 5.10 while CMM does not express maintenance as unique aspect and it must need proper interpretation in maintenance or development context.

3. Summarized Strengths and Weaknesses of ISO & CMM 3.1 Strengths

The key strength of ISO is that it is generic and widely applicable, having international support network. ISO 9001 describes guidance about software development and sets minimum requirement for general quality management. Meanwhile, CMM is well developed and keenly for software sector, applicable to evaluation and assessment and process monitoring (Bollinger & McGowan,1991). It is successfully applied by the software companies and it attracts academia as well as industry.

3.2 Weaknesses

ISO 9001 is general quality assurance system and not aimed at process assessment and lacks assessment guidance on maturity level and doe not encourage quality improvement (Lloyd, 1994). It is more oriented to the organization rather than the project. While CMM lacks

(6)

information and coverage it needs flexibility and scaled standard. Some requirements are too costly to be implemented and it is mainly meant for large organizations.

4. Conclusion

Though there are certain issues that are not described by CMM which are generally the concerns of ISO 9001. On the other hand, ISO 9001 describes minimum criteria for managing quality rather than improving, although in future the concern may be resolved. The differences between the two models are enough to map rote impractical. But similarities between the two models give high level of overlap.

(7)

References

1. Arthur, L.J. 1993, Improving Software Quality: An Insider's Guide to TQM, Wiley. 2. Bach, J. 1994, 'The Immaturity of the CMM', American Programmer, vol. 7, 9, pp. 13-8. 3. Bamford, R.C. & Deibler, W.J. 1993, 'Comparing, Contrasting ISO 9001 and the SEI Capability Maturity Model', Computer, October, pp. 68-70.

4. Billings, C., Clifton J., Kolkhorst, B., Lee, E., & Wingert, W.B. 1994, 'Journey to a Mature Software Process', IBM Systems Journal, vol. 33, no. 1, pp. 46-61.

5. Bollinger, T.B. & McGowan, C. 1991, 'A Critical Look at Software Capability Evaluations', IEEE Software, July, pp. 25-41.

6. Brodman, J.G. & Johnson, D.L. 1994, 'What Small Businesses and Small Organizations Say About the CMM', Proc.16th Int. Conf. on Software Engineering, May, pp. 331-40.

7. Brown, S. 1994, 'Now It Can Be Told', Sales and Marketing Management, November, pp. 34, 38.

8. Cater-Steel, A.P. & Fitzgerald, E.P. 1997, Quality Assurance Certification: Adoption by Australian Software Developers and its Association with Capability Maturity, Proc APSEC & ICSC, Hong Kong pp. 11-23.

9. Cattaneo, F., Fuggetta, A. & Lavazza, L. 1995, 'An experience in process assessment', Proc.

17th Int conf on Software Engineering Seattle, pp. 115-21.

(8)

11. Francois, C. “How ISO 9001 Fits Into the Software World,” IEEE 12. Software, Vol. 11, No. 1, January 1994, pp. 98-100.

13. Ian G. Durand, Donald W. Marquardt, et al. "Updating the ISO 9000 Quality Standards: Responding to Marketplace Needs." ASQC Quality Progress, Vol. 26, No. 7, July 1993, pp. 23-30.

14. Lloyd’s Register TickIT Auditors’ Course. Issue 1.4, Lloyd’s Register, (1994)

15. Donald Marquardt, et al. "Vision 2000: The Strategy for the ISO 9000 Series Standards in the '90s." ASQC Quality Progress, Vol. 24, No. 5, May 1991, pp. 25-31.

16. Mark C. Paulk, Bill Curtis, Mary Beth Chrissis, and Charles V. Weber. Capability Maturity Model for Software, Version 1.1 (CMU/SEI-93-TR-24, ADA 263403), Pittsburgh, PA: Software Engineering Institute, February 1993.

17. Mark C. Paulk, Charles V. Weber, Suzanne M. Garcia, Mary Beth Chrissis, and Marilyn W. Bush. Key Practices of the Capability Maturity Model, Version 1.1, (CMU/SEI-93-TR-25, ADA 263432). Pittsburgh, PA: Software Engineering Institute, February 1993.

18. Mark C. Paulk. "Comparing ISO 9001 and the Capability Maturity Model for Software." Software Quality Journal, Vol. 2, No. 4, December 1993, pp. 245-256.

19. TickIT: A Guide to Software Quality Management System Construction and Certification Using EN29001, Issue 2.0. U.K. Department of Trade and Industry and the British Computer Society, 28 February 1992.

20. Dion, S.; Measuring the ROI of Software Process Improvement, (1992) 21. Dion ; Process Improvement and Corporate Balance Sheet, (1993)

(9)