CMM vs. ISO

1
CMM vs. ISO

• David S. Craft CIRM, PMP
• Engineering Manufacturing Services

2
Agenda

• Who Am I - EDS
• Software Systems Development
• ISO
• CMM
• Sarbanes Oxley

3
Who Am I
Managing Consultant Engineering and
Manufacturing Services Applications Service
Delivery EDS
Inventory Control Manager
Shift Supervisor
Industrial Engineer
Team Leader
Materials Manager
Internal ISO Auditor
Manager Production Planning Control
VISTA Volunteer
Consultant
Project Manager
Chief Industrial Engineer
4
(No Transcript)
5
Process

• To Develop Software and Systems You Need A
  Process
• Anything goes
• Defined
• Structured

6
(No Transcript)
7
(No Transcript)
8
Process, people and technology are the major
determinants of project cost, quality and
schedule.
9
Common Misconceptions

• I dont need defined processes I have
• Really good people
• Advanced Technology
• An experienced manager
• Defined Processes
• Interfere with creativity
• Equals bureaucracy regimentation
• Isnt needed when building prototypes
• Is only useful on large projects
• Hinders agility in fast moving projects
• Costs too much

10
Why We Need Standard Processes

• Estimating (History)
• Scope
• Cost
• Time
• Tools
• Deliver the Product to Estimate (Visibility)
• Time
• Cost
• Quality
• Handling/Controlling Changes
• Planned
• Unplanned
• Scope Creep

11
How to Achieve Quality Processes

• ISO
• CMM

12
ISO CMM Differences
ISO90012000 CMMI
International standard, applies to all types of organizations, supports both product and service oriented organizations Written specifically for software development companies
A brief document about 25 pages long, identifying the minimal requirements for a quality system A detailed document over 500 pages long
Emphasizes on a management of continuous improvement process, based on the PDCA (Plan-Do-Check-Act) model Emphasizes on achieving maturity and improving its process continuously
One level of standard. The standard is based on recommendation Defines 5 maturity levels of the organization, covering 25 process areas (PAs)
Netta Dotan, Quality Assurance project
management, Ronkal Office Technologies
13
ISO CMM Differences My View
ISO 9000 SW-CMMI
Outwardly focused Inwardly focused
Minimum requirements with implied continuous improvements Explicit continuous quality improvement
Registration Document No documentation
Certification audit for a 50 employee organization will be executed by -12 auditors during one day Certification audit for a 50 employee organization will be executed by 4 auditors during 4-5 days
Netta Dotan, Quality Assurance project
management, Ronkal Office Technologies
14
ISO CMM Similarities

• Both require the organization be explicit about
  what their processes and quality systems are
• Say what you do do what you say
• The organization records and tracks data for
  objective analysis
• Require strong management support to succeed
• Provide a structured and measured approach to
  quality improvement
• Require an outside audit for certification
• Both are refined/improved over time

15
Meet ISO

• ISO (International Organization for
  Standardization) is the world's largest developer
  and publisher of International Standards.
• ISO is a network of the national standards
  institutes of 157 countries, one member per
  country, with a Central Secretariat in Geneva,
  Switzerland, that coordinates the system.
• ISO is a non-governmental organization that forms
  a bridge between the public and private sectors.
  On the one hand, many of its member institutes
  are part of the governmental structure of their
  countries, or are mandated by their government.
  On the other hand, other members have their roots
  uniquely in the private sector, having been set
  up by national partnerships of industry
  associations.
• Therefore, ISO enables a consensus to be reached
  on solutions that meet both the requirements of
  business and the broader needs of society.

16
What are standards?
17
ISO 9000 and ISO 14000 (Management Systems)

• The ISO 9000 and ISO 14000 families are among
  ISO's best known standards ever. ISO 90012000
  and ISO 14001 (1996 and 2004 versions) are
  implemented by over 1,000,000 organizations in
  161 countries.
• The ISO 9000 family addresses "quality
  management". This means what the organization
  does to fulfill
• the customer's quality requirements and
• applicable regulatory requirements, while aiming
  to
• enhance customer satisfaction, and
• achieve continual improvement of its performance
  in pursuit of these objectives.
• The ISO 14000 family addresses "environmental
  management". This means what the organization
  does to
• minimize harmful effects on the environment
  caused by its activities, and to
• achieve continual improvement of its
  environmental performance.

18
ISOs Impact

• In the global economy
• ISO 90012000 and ISO 140012004 have become
  thoroughly integrated with the world economy.
• ISO 90012000 is now firmly established as the
  globally accepted standard for providing
  assurance about the quality of goods and services
  in supplier-customer relations.
• The positive roles played in globalization by
  ISOs standards for quality and environmental
  management systems include the following
• a unifying base for global businesses and supply
  chains such as the automotive and oil and gas
  sectors
• a technical support for regulation as, for
  example, in the medical devices sector)
• a tool for major new economic players to increase
  their participation in global supply chains, in
  export trade and in business process outsourcing
  
• a tool for regional integration  as shown by
  their adoption by new or potential members of the
  European Union
• In the rise of services in the global economy
  nearly 33 of ISO 90012000 certificates in 2005
  went to organizations in the service sectors.

19
Where are the Standards (12/31/07)
Sector Standards Pages
Generalities, Infrastructure and Sciences 1,482 54,929
Health, Safety and Environment 684 24,062
Engineering Technologies 4,659 202,370
Electronics, Information Technology and Telecommunications 2,739 181,455
Transport and Distribution of Goods 1,835 49,435
Agriculture and Food Technology 997 22,495
Materials Technology 4,166 101,731
Construction 341 12,447
Special Technologies 138 3,416
Total 17,041 652,340
20
Which ISO Standards

• The ISO family includes
• ISO 90002000 Quality Management Systems
  Fundamentals and vocabulary
• ISO 90012000 Quality Management Systems -
  Requirements
• ISO 90042000 Quality Management Systems
  Guidelines for performance improvement
• ISO 19011 Guidelines on quality and/or
  environmental management systems auditing.
• ISO 10012 Measurement control system

21
Quality System Documentation
22
ISO 90012000 Structure

• Quality Management System
• 4.1 General requirements
• 4.2 Document requirements

• Management Responsibility
• 5.1 Management commitment
• 5.2 Customer focus
• 5.3 Quality policy
• 5.4 Planning
• 5.5 Responsibility, authority, communication
• 5.6 Management review

• Product realization
• 7.1 Planning of product realization
• 7.2 Customer-related processes
• 7.3 Design and development
• 7.4 Purchasing
• 7.5 Production and service provision
• 7.6 Control of monitoring and measuring devices

• Measurement, Analysis Improvement
• 8.1 General
• 8.2 Monitoring and measurement
• 8.3 Control of nonconforming product
• 8.4 Analysis of data
• 8.5 Improvement

• Resource Management
• 6.1 Provision of resources
• 6.2 Human resources
• 6.3 Infrastructure
• 6.4 Work environment

23
Meet CMM

• CMM Capability Maturity Model
• The Capability Maturity models have been
  developed by the Software Engineering Institute
  (SEI)
• The Carnegie Mellon SEI is a federally funded (US
  Department of Defense) research and development
  center that provides the technical leadership to
  advance the practice of software engineering so
  that software intensive systems can be acquired
  and sustained with predictable and improved cost,
  schedule and quality.

24
(No Transcript)
25
SCAMPI Standard CMMI Appraisal Method for
Process Improvement
26
(No Transcript)
27
Process Areas
Requirements Management Organizational Process Definition
Project Planning Organizational Training
Project Monitoring Control Integrated Project Management
Supplier Agreement Management Risk Management
Measurement Analysis Integrated Teaming
Process Product Quality Assurance Integrated Supplier Management
Configuration Management Decision Analysis Resolution
Requirements Development Organizational Environment for Integration
Technical Solution Organizational Process Performance
Product Integration Quantitative Project Management
Verification Organizational Innovation Deployment
Validation Causal Analysis Resolution
Organizational Process Focus
28
(No Transcript)
29
EIA Electronic Industries Alliance Interim
Standard
30
(No Transcript)
31
(No Transcript)
32
(No Transcript)
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
(No Transcript)
38
(No Transcript)
39
Staged Process Area Continuous
L2 Requirements Management Engineering
L2 Project Planning Project Mgmt
L2 Project Monitoring and Control Project Mgmt
L2 Supplier Agreement Management Project Mgmt
L2 Measurement and Analysis Support
L2 Process and Product Quality Assurance Support
L2 Configuration Management Support
L3 Requirements Development Engineering
L3 Technical Solution Engineering
L3 Product Integration Engineering
L3 Verification Engineering
L3 Validation Engineering
L3 Organizational Process Focus Process Mgmt.
L3 Organizational Process Definition Process Mgmt.
L3 Organizational Training Process Mgmt.
L3 Integrated Project Management Project Mgmt
L3 Risk Management Project Mgmt
L3 Integrated Teaming Project Mgmt
L3 Integrated Supplier Management Project Mgmt
L3 Decision Analysis and Resolution Support
L3 Organizational Environment for Integration Support
L4 Organizational Process Performance Process Mgmt.
L4 Quantitative Project Management Project Mgmt
L5 Organizational Innovation and Deployment Process Mgmt.
L5 Causal Analysis and Resolution Support
CMM Process Areas
40
Examples of CMMI Impact ROI

• 51 ROI for quality activities (Accenture)
• 131 ROI calculated as defects avoided per hour
  spent in training and defect prevention (Northrop
  Grumman Defense Enterprise Systems)
• Avoided 3.72 M in costs due to better cost
  performance (Raytheon North Texas Software
  Engineering) as the organization improved from
  SW-CMM level 4 to CMMI level 5
• 21 ROI over 3 years (Siemens Information Systems
  Ltd, India)
• 2.51 ROI over 12st year, with benefits amortized
  over less than 6 months (reported under non
  disclosure)
• (reported by the American Society for Quality)

41
Sarbanes-Oxley Implications

• With its more than 300 discrete points of
  enforceable law, this is the most significant
  piece of account legislation passed since the
  formation of the SEC in 1933
• SOX was passed with the specific intent of
  increasing accountability and attempting to
  install ethical behavior in financial reporting
  and business operations.
• With this increase spotlight on reporting,
  companies must invest resources and focus into
  their internal control process
• The Act created the Public Company Accounting
  Oversight Board (PCAOB) to oversee the activities
  of the auditing profession and mandated reforms
  to enhance corporate and criminal fraud
  accountability.
• A goal of SOX legislation is to continually
  improve the transparency of financial and
  business events that can impact the accuracy and
  future validity of financial statements.
  Projects to improve processes and regular review
  of controls will become common-place activities
  as compliance evolves. Tools that simplify
  project completion and track status will better
  enable organization to cost-effectively undertake
  these projects.

42
SOX Major Section

• 302 Corporate Responsibility for Financial
  Reports
• Requires Executives to certify the accuracy of
  corporate financial reports
• 404 Management Assessment of Internal Controls
• Requires executives and auditors to confirm the
  effectiveness of internal controls for financial
  reporting
• 409 Real Time Issuers Disclose
• Requires any material changes in financial state
  of issuer be communicated quickly and with
  supporting data to the public

43
Implications for IT

• Configuration management is now a must
• Change controls must be handled more carefully
• Security, security, security
• All system changes must be verifiable by a clear
  audit trail
• Reduce reliance on batch processing, update data
  warehouse more frequently
• Interfaces from any financial system must be
  documented and controlled
• IT activities must be aligned with the companys
  governance and risk policies