Syntel CQA Forum Process Standards

CQA Doc No 4
Process Standards
CMM
The CMM (Capability Maturity Model) developed by SEI (Software Engineering Institute) aims at continuously
improving the quality of software processes in an organization. This model is divided into five levels, from level
1-- ad hoc and chaotic to level 5 -- mature and disciplined. From level 2 to level 5, each level contains several
Key Process Areas that an organization should focus on to improve its software processes. Each Key Process
Areas contains some Key Practices which are organized into Common Features for convenience.
This appendix is an abridged version of the CMM model. It only includes a brief description of each Key
Practice Areas and the Key Practices from the Activities Performed Common Feature.
The level 2 focuses on the quality issues of a project’s defined process. The activities include: gaining a clear
agreement on the requirements (Requirements Management), establishing reasonable software development
and management plans (Software Project Planning), tracking the actual performing progress against the plan to
ensure they do not deviate significantly (Software Project Tracking and Oversight), selecting qualified software
subcontractors and managing them effectively (Software Subcontract Management), reviewing and auditing the
software products and activities to verify their compliance with the applicable procedures and standards
(Software Quality Assurance), and systematically controlling changes to software configuration items (e.g.
products, data, documents) to maintain their integrity throughout the software life cycle (Software Configuration
Management).
The level 3 focuses on improving an organization’s overall software process capability. The activities include:
establishing the organizational responsibility for improving the organization’s and projects’ software
processes(Organization Process Focus), developing and maintaining the organization’s standard software
process and related process assets(Organization Process Definition), providing necessary training to individuals
to improve their efficiencies(training Program), tailoring the project’s defined software process from the
organization’s standard software process according to the project-specific characteristics(Integrated Software
Management), defining, integrating and performing all the software engineering tasks to produce correct and
consistent software products effectively(Software Product Engineering), coordinating actively among software
engineering groups(Intergroup Coordination), and reviewing the software products methodically by the
producer’s peers to identify defects and give change suggestions (Peer Reviews).
The level 4 focuses on adding more control to the processes and managing their quality quantitatively. The
activities include: measuring the performance of the process and using these measures to adjust the process
performance within acceptable limits(Quantitative Process Management), establishing the quantitative process
capability for the organization’s standard software process(Quantitative Process Management), and using
theses quantitative knowledge to manage the quality of the project’s software products(Software Quality
Management).
The level 5 focuses on the continuous improvement of the software processes. The activities include:
identifying the cause of the defects and preventing them from recurring (Defect Prevention), continuously
integrating new technologies (tools, methods, and processes) into the organization in an orderly manner
(Technology Change Management), and encouraging everyone in the organization to participation in the
activities of improving the software processes (Process Change Management).

How ISO 9001 Compares with the CMM

ISO 9001 and CMM are two standards concerning the quality of software process management. The paper
compares these two standards by mapping 20 clauses in the ISO 9001 to the practices in the CMM. The
objective of the comparison is to help the organizations gain better understanding of these standards, thereby
having more freedom when implementing them.
The author finds out that the ISO 9001 and the CMM overlap a lot. Most of the ISO 9001’s 20 clauses can be
explicitly mapped to the CMM practices in a one-to-one or many-to-many fashion.
However, the ISO 9001 focuses on the minimum criteria for an acceptable quality system, while the CMM
underlines continuous process improvement. Moreover, the CMM focuses strictly on software, while the ISO
9001 encompasses hardware, software, processed materials, and services. Therefore, some issues in the ISO
9001 are not covered or well addressed in the CMM, such as, the evaluation and integration of customer-
10718223.doc Page 1
of 4
Syntel CQA Forum Process Standards
CQA Doc No 4
supplied products, the replication, delivery, and installation of the products, and the maintenance of the
products. Also, the interpretations of the corrective and preventive actions, and the statistical techniques are
subject to significant debate. On the other hand, the continuous process improvement concerns in the ISO
9001 are implicit.
Therefore, the author suggests that a level 1 organization may be ISO 9001-compliant. The Level 2 and level 3
organizations would be considered ISO 9001-compliant as long as they address the delivery and installation of
the processes, and the use of included software products. Moreover, because of the more detailed guidance
and software specificity provided by the CMM, it is a better choice for an organization to base its quality system
on.
SPICE
SPICE (Software Process Improvement and Capability dEtermination) is an internationally cooperative project
to develop an International Standard for Software Process Assessment. It has finished developing a suite of
documents as a draft standard. Now, the industry trials of this standard have been conducted.
The SPICE suite of documents provides a framework for software processes assessment. This framework is
generic enough to be appropriate across all application domains and sizes of organization. The results of the
assessment can be used by an acquirer or a supplier itself to determine the supplier’s capability for a particular
(class of) requirement, or by an organization to improve its own processes.
The documents suite is composed of nine parts. Part 1, concepts and introductory guide, describes how the
different parts of the suite fit together, and provides guidance for their selection and use. It also explains the
requirements contained in the Standard and their applicability to the conduct of an assessment, to the
development of processes which extend those listed in the defined model, and to the construction of
assessment instruments.
Part 2,3,4,5,and 6 contains definitions and guidance related to the process assessment. The process
assessment activity is always conducted for process improvement or process capability determination. It is
based on the capability of specific process instances. The inputs to the assessment procedure include the
assessment purpose, scope, constraints, responsibilities, and the extended process definitions. Rather than just
a pass/fail result, the output of the assessment is a process profile which contains a set of practice adequacy
ratings and process capability level ratings.
The assessment is carried out by assessing the process instances against the process model defined in part 2,
a model for process management. This model consists of a set of process-specific base practices and generic
practices which are fundamental activities essential to software engineering. The base practices are grouped
into processes and process categories by the type of activity they address. There are five process categories,
customer-supplier, engineering, project, support, and organization. The generic practices, which represent the
activities necessary to manage a process and improve its capability to perform, are applicable to any process.
They are grouped into common features and capability levels. These baseline practices may also be extended
to meet specific industry, sector, or other requirements.
Part 3, rating processes, defines the requirements for conducting an assessment, sets out the basis for rating,
scoring and profiling process capabilities, and defines the circumstances under which assessment results may
be compared. Part 4, guide to conducting assessment, provides guidance on conducting a team-based
assessment and interpreting the requirements in Part 3.
The assessors need assessment instrument to assist them in performing the assessment. The Part 5 of the
Standard, construction, selection and use of assessment instruments and tools, defines the common elements
to construct an assessment instrument. The instrument contains a set of assessment indicators which help the
assessor to analyze the process under review, and to make consistent judgements about the implemented
practices. The part 5 also provides guidance on the selection and usability aspects of various types of
assessment instruments.
The Part 6, qualification and training of assessors, describes the competence, education, training and
experience of assessors who perform the assessment.
The results of process assessment can be used for continuous process improvement. This is provided in the
part 7, Guide for use in process improvement. The guidance covers analyzing the results of the assessment
against the organization’s business needs, identifying the strengths, weakness and risks inherent in the
processes, identifying the improvement actions, using the capability model in part 2 as a route map for
10718223.doc Page 2
of 4
Syntel CQA Forum Process Standards
CQA Doc No 4
improvement, the cultural issues in the context of software process improvement, and dealing with
management issues for software process improvement.
The results of process assessment can also be used for process capability determination. It is defined in the
part 8, guide for use in determining supplier process capability. The determination is either performed by an
acquirer to determine the capability of its supplier or by an organization to determine its own capability to meet
the contract. The input of the process capability determination is the specified requirements which are
translated into the target capability. The supplier also puts forward a proposed process capability of the selected
processes and analyzes it against the target capability to identify the risks involved in undertaking a project
using the selected processes. The results are reported in the process capability report.
The Part 9, Vocabulary, is a consolidated vocabulary of all terms specifically defined for the purposes of the
SPICE document set.
Personal Opinion
Producing high-quality software products is the goal of software development organizations. However, how
does an organization guarantee that the software products generated by the development processes are
effective, stable and reliable? How could a customer believe that his supplier has the capability to satisfy
his/her strict requirements? The process standards try to lead the organizations a way to produce high-quality
software products.
In this paper, three standards, ISO 9001, CMM, and SPICE are summarized. The ISO 9001 and the CMM are
proposed by different institutions. They are preferred and adopted by different organizations in their software
development experiences. While the SPICE attempts to create an intentional standard which is accepted by all
the countries and is used as a common measure to determine an organization’s software development
capability.
The focuses of these three standards are different. The ISO 9001 and the CMM both focus on creating a quality
system. However, the ISO 9001 defines the minimum requirements of a quality system while the CMM
underlines continuous process improvement. On the other hand, the SPICE concerns with creating a process
assessment framework, and using the results of the assessment to promote the organization’s continuous
process improvement or to determine its process capability. The process assessment in SPICE is to select a
process instance and compare it with a pre-defined process model. This model contains two parts. The first part
defines base practices which are the minimum requirements of a quality system. The concern of this part is
similar to that of the ISO 9001. The second part defines generic practices which are essential activities to
continuous capability improvement. These generic practices are grouped into common features and capability
levels which employs the similar idea as used in the CMM.
The SPICE also includes an architecture for rating practices and processes(Part 3), the guidance on the
conduct of the assessment (Part 4), the selection of an assessment instrument to assist the assessment (Part
5), the definition of the required skills and experience for assessors (Part 6), and the guide for using the
assessment results in the context of process improvement (Part 7) and process capability determination (Part
8). Therefore, the SPICE covers a much wider scope than the ISO 9001 and the CMM.
Another unique feature of the SPICE is that the result of the process assessment is not just fail/pass, but a
process profile which contains a set of practice adequacy ratings and process capability level ratings. The
practice adequacy rating indicates the extent to which a practice meets its purpose as defined in part 2 of the
SPICE. The process capability level rating is an aggregation of the practice adequacy ratings that belong to that
level. Using these ratings (the process profile), the organization may gain a clear understanding of the
strengths, weakness and risks inherent in its processes. Against its business goals, it can identify level-by-level
improvement actions according to the capability level model defined in part 2. This feature embodies the
original intent behind any process quality standard that certified by one standard (pass/fail) should not be the
ultimate goal of an organization. The standard should be used as a goad, a bridge and a measure to improve
the quality of its management and software development capacity, thereby gaining more advantages in the
competitive market.
However, whichever the standard an organization employs, the most important factor is the people. This is
because the standard is understood by the people, the corresponding policies are created by the people, and
the activities are planned and performed by the people. Therefore, the quality and the initiative of the people
directly determine the quality of the development process. In order to develop a quality system, perhaps the
first step is to develop qualified people.

10718223.doc Page 3
of 4
Syntel CQA Forum Process Standards
CQA Doc No 4

10718223.doc Page 4
of 4