www.elsevier.com/locate/jss
a Department of Business Administration, Korea University, Anam-dong 5Ka, Sungbuk-gu, Seoul 136-701, Republic of Korea
b Department of Computer Science, University of Strathclyde, Richmond Street, Glasgow G1 1XH, UK
Received 13 November 2000; received in revised form 31 December 2000; accepted 12 February 2001
Abstract
The gradual spread in the use of ISO 9001 and ISO/IEC 15504 (also known as software process improvement and capability determination (SPICE)) has raised questions such as "At what ISO/IEC 15504 capability level would one expect an ISO 9001 certified organization's processes to be?" and "Is there any significant difference between the ISO/IEC 15504 capability levels achieved by the processes of ISO 9001 certified organizations and those of non ISO 9001 certified organizations?". This paper provides answers to those questions as well as to the following question: "Is there any significant difference in the capability levels achieved by the ISO/IEC 15504 processes of organizations with a large information technology (IT) staff and those with a small IT staff?" In order to answer these questions, we analyzed a data set including 691 process instances (PIs) taken from 70 SPICE phase 2 trial assessments performed over the two years from September 1996 to June 1998. Results show that the ISO/IEC 15504 processes of the ISO 9001 certified organizations attained capability levels of around 1-2.3 in 15504 terms. Results also show differences between the capability levels achieved by ISO 9001 certified organizations and non ISO 9001 certified organizations, as well as between organizations with a large IT staff and those with a small IT staff. © 2001 Elsevier Science Inc. All rights reserved.

Keywords: Bootstrap; Confidence interval; Capability level; Permutation test; ISO 9001 certification; SPICE assessments
1. Introduction
The software process improvement and capability determination (SPICE) project is an ongoing project supporting ISO/IEC JTC1/SC7/WG10 in the development and trialing of the emerging standard ISO/IEC 15504 for software process assessment, capability determination, and software process improvement. ISO/IEC JTC1/SC7/WG10 has developed a technical report 2 (TR2) (ISO/IEC TR2, 1998) consisting of the document set shown in Table 1. In the development of these
0164-1212/01/$ - see front matter © 2001 Elsevier Science Inc. All rights reserved.
PII: S0164-1212(01)00047-4
H.-W. Jung, R. Hunter / The Journal of Systems and Software 59 (2001) 43-55
Table 1
A set of documents in ISO/IEC 15504

Part 1: Concepts and introductory guide
Part 2: A reference model for processes and process capability
Part 3: Performing an assessment
Part 4: Guide to performing assessments
Part 5: An assessment model and indicator guidance
Part 6: Guide to competency of assessors
Part 7: Guide for use in process improvement
Part 8: Guide for use in determining supplier process capability
Part 9: Vocabulary
Standards have codified approaches whose effectiveness has not been rigorously and scientifically demonstrated. Rather, we have too often relied on anecdote, `gut feeling', the opinions of experts, or even flawed research.
Fenton et al. (1993) and Fenton and Page (1993) have
made similar arguments.
The remainder of this paper is organized as follows: Section 2 provides an overview of the ISO/IEC 15504 architecture, Section 3 presents the research method, and Section 4 presents the main results of the study and discusses their implications. Finally, Section 5 concludes with a summary of the paper and some final remarks.
Table 2
The processes in process dimension
Customer-supplier process category (CUS): processes that have a direct impact on the customer, support development and software transition to the customer, and provide for the correct operation and use of software products and/or services. Its processes are:
CUS.1: Acquire software
CUS.2: Manage customer needs
CUS.3: Supply software
CUS.4: Operate software
CUS.5: Provide customer service
Engineering process category (ENG): processes that directly specify, implement, or maintain the software product, its relation to the system, and its customer documentation. Its processes are:
ENG.1: Develop system requirements and design
ENG.2: Develop software requirements
ENG.3: Develop software design
ENG.4: Implement software design
ENG.5: Integrate and test software
ENG.6: Integrate and test system
ENG.7: Maintain system and software
Support process category (SUP): processes that may be employed by any of the other processes (including other supporting processes) at various points in the software life cycle. Its processes are:
SUP.1: Develop documentation
SUP.2: Perform configuration management
SUP.3: Perform quality assurance
SUP.4: Perform work product verification
SUP.5: Perform work product validation
SUP.6: Perform joint review
SUP.7: Perform audits
SUP.8: Perform problem resolution
Management process category (MAN): processes which contain generic practices that may be used by those who manage any type of project or process within a software life cycle. Its processes are:
MAN.1: Manage the project
MAN.2: Manage quality
MAN.3: Manage risks
MAN.4: Manage subcontractors
Organization process category (ORG): processes that establish the business goals of the organization and develop process, product, and resource assets which, when used by the projects in the organization, will help the organization achieve its business goals. Its processes are:
ORG.1: Engineer the business
ORG.2: Define the process
ORG.3: Improve the process
ORG.4: Provide skilled human resources
ORG.5: Provide software engineering infrastructure
Table 3
Process attributes for each capability level (ISO/IEC 15504: Part 5)
Capability level

Level 0: Incomplete
There is a general failure to attain the purpose of the process. There are little or no easily identifiable work products or outputs of the process. Thus, there are no PAs.
Level 1: Performed
The purpose of the process is generally achieved. The achievement may not be rigorously planned and tracked. There are identifiable work products for the process, and these testify to the achievement of the purpose.
PA 1.1, Process performance attribute: The extent to which the process achieves the process outcomes by transforming identifiable input work products to produce identifiable output work products.
Level 2: Managed
The process delivers work products according to specified procedures and is planned and tracked. Work products conform to specified standards and requirements.
PA 2.1, Performance management attribute: The extent to which the performance of the process is managed to produce work products that meet the defined objectives.
PA 2.2, Work product management attribute: The extent to which the performance of the process is managed to produce work products that are appropriately documented, controlled, and verified.
Level 3: Established
The defined process is performed and managed based upon good software engineering principles. Individual implementations of the process use approved, tailored versions of standard, documented processes to achieve the process outcomes. The resources necessary to establish the process definition are also in place.
PA 3.1, Process definition attribute: The extent to which the performance of the process uses a process definition based upon a standard process to achieve the process outcomes.
PA 3.2, Process resource attribute: The extent to which the process draws upon suitable resources (for example, human resources and process infrastructure) that are appropriately allocated to deploy the defined process.
Level 4: Predictable
The defined process is performed consistently in practice within control limits to achieve its process goals. Detailed measures of performance are collected and analyzed. This leads to a quantitative understanding of process capability and an improved ability to predict and manage performance. Performance is quantitatively managed. The quality of work products is quantitatively known.
PA 4.1, Measurement attribute: The extent to which product and process goals and measures are used to ensure that performance of the process supports the achievement of the defined goals in support of the relevant business goals.
PA 4.2, Process control attribute: The extent to which the process is controlled through the collection, analysis, and use of product and process measures to correct, where necessary, the performance of the process to achieve the defined product and process goals.
Level 5: Optimizing
Process performance is optimized to meet current and future business needs, and the process achieves repeatability in meeting its defined business goals. Quantitative process effectiveness and efficiency goals (targets) for performance are established, based on the business goals of the organization. Continuous process monitoring against these goals is enabled by obtaining quantitative feedback, and improvement is achieved by analysis of the results.
PA 5.1, Process change attribute: The extent to which changes to the definition, management, and performance of the process are controlled to achieve the relevant business goals of the organization.
PA 5.2, Continuous improvement attribute: The extent to which changes to the process are identified and implemented to ensure continuous improvement in the fulfilment of the relevant business goals of the organization.
empirically evaluating the emerging international standard through a series of trials consisting of three phases. Phase 2 of the trials was based on the ISO/IEC 15504 proposed draft technical report (PDTR) (ISO/IEC PDTR 15504, 1998) and took place over the two years from September 1996 to June 1998. The PDTR version of the standard preceded the TR2 version.
The data was from 70 assessments of 44 organizations from five regions: Europe (24 trials), South Asia-Pacific (34 trials), North Asia-Pacific (10 trials), USA (1 trial), and Canada/Mexico (1 trial) (Hunter, 1998; ISO/IEC, 1999). Note that the number of assessments is greater than that of the OUs due to multiple assessments
Fig. 2. Box and whisker plots showing the variation of the capability levels for the 29 ISO/IEC 15504 processes (see Appendix C for interpretation of
the box and whisker plot).
Table 4
Capability level of SPICE processes of ISO 9001 certified and non ISO 9001 certified organizations

           ISO 9001 certified        Non ISO 9001 certified
Process    No. of PIs   Average x̄1   No. of PIs   Average x̄2   x̄1 - x̄2   One-sided exact P-value
CUS.1      2            0.50         3            1.00         -0.50      0.400
CUS.2      15           1.87         16           1.50         0.37       0.058
CUS.3      8            1.63         14           0.93         0.70       0.017
CUS.4      3            1.00         10           0.90         0.10       0.604
CUS.5      3            1.33         16           0.81         0.52       0.159
ENG.1      13           2.00         4            1.00         1.00       0.134
ENG.2      26           1.77         30           1.40         0.37       0.143
ENG.3      30           1.90         15           1.53         0.37       0.181
ENG.4      21           1.76         11           0.91         0.85       0.015
ENG.5      20           1.80         16           0.88         0.93       0.002
ENG.6      9            2.00         5            2.20         -0.20      0.481
ENG.7      9            2.00         15           1.53         0.47       0.134
SUP.1      16           1.75         17           1.00         0.75       0.018
SUP.2      22           2.09         24           0.79         1.30       0.000
SUP.3      7            2.00         11           0.73         1.27       0.015
SUP.4      12           1.42         4            0.25         1.17       0.074
SUP.5      8            1.75         4            0.75         1.00       0.176
SUP.6      8            1.38         11           0.91         0.47       0.154
SUP.7      5            2.20         5            0.40         1.80       0.060
SUP.8      15           2.13         8            1.25         0.88       0.025
MAN.1      27           1.59         36           1.11         0.48       0.005
MAN.2      16           1.00         9            0.33         0.67       0.118
MAN.3      22           1.14         10           0.60         0.54       0.060
MAN.4      4            2.25         2            0.50         1.75       0.200
ORG.1      5            1.60         9            0.67         0.93       0.119
ORG.2      7            2.29         6            0.17         2.12       0.001
ORG.3      6            1.00         5            0.20         0.80       0.056
ORG.4      5            1.60         15           0.87         0.73       0.007
ORG.5      6            1.00         10           0.80         0.20       0.419

P-values below 0.05 denote the existence of a difference in the capability level distribution of the two groups at the α = 0.05 level of significance.
Table 5
Capability level of SPICE processes of organizations with a large IT staff and organizations with a small IT staff

           Large IT staff            Small IT staff
Process    No. of PIs   Average x̄1   No. of PIs   Average x̄2   x̄1 - x̄2   One-sided exact P-value
CUS.1      3            1.00         2            0.50         0.50       0.400
CUS.2      20           1.65         9            1.56         0.09       0.483
CUS.3      14           1.29         8            1.00         0.29       0.290
CUS.4      8            1.13         5            0.60         0.53       0.093
CUS.5      12           1.00         7            0.71         0.29       0.327
ENG.1      9            2.00         6            1.50         0.50       0.272
ENG.2      42           1.60         10           1.50         0.10       0.460
ENG.3      32           1.94         9            1.56         0.38       0.192
ENG.4      22           1.59         8            1.25         0.34       0.258
ENG.5      23           1.43         11           1.55         -0.11      0.447
ENG.6      7            2.43         5            1.60         0.83       0.138
ENG.7      13           2.08         10           1.10         0.98       0.002
SUP.1      45           1.40         14           1.07         0.33       0.117
SUP.2      16           0.69         7            1.14         -0.46      0.257
SUP.3      22           1.05         8            0.75         0.30       0.300
SUP.4      3            2.00         3            1.33         0.67       0.400
SUP.5      9            1.11         5            0.80         0.31       0.469
SUP.6      7            1.57         6            1.00         0.57       0.314
SUP.7      6            0.83         5            0.40         0.43       0.284
SUP.8      11           1.18         9            0.89         0.29       0.204
MAN.1      11           0.91         5            0.80         0.11       0.544
MAN.2      23           1.52         9            0.89         0.63       0.070
MAN.3      32           1.72         11           0.73         0.99       0.018
MAN.4      10           1.60         7            0.86         0.74       0.145
ORG.1      8            1.38         5            1.20         0.18       0.506
ORG.2      5            1.60         5            1.00         0.60       0.333
ORG.3      13           1.46         6            0.33         1.13       0.007
ORG.4      5            1.60         5            1.00         0.60       0.381
ORG.5      15           2.00         6            1.50         0.50       0.208

P-values below 0.05 denote the existence of a difference in the capability level distribution of the two groups at the α = 0.05 level of significance.
Table 4 shows the number of PIs rated and the average capability level achieved for each of the 29 SPICE processes, rated both for the ISO 9001 certified and the non ISO 9001 certified organizations. The average capability level of the ISO 9001 certified organizations is greater than that of the non ISO 9001 certified organizations for all processes, apart from CUS.1 and ENG.6. Different samples will produce different values for the difference. Thus, we need a statistical test to determine the existence of true differences in capability level between the two groups (the ISO 9001 certified and the non ISO 9001 certified organizations).
Although the assumption of an interval scale for capability measurement (see Section 3.2.3) would allow the use of a parametric test for determining the existence of true differences in capability level between the two groups, a nonparametric test (the permutation test), suitable for nonnormal, small, unbalanced, or skewed data, was employed in this study. This analysis of the difference between the two groups used the capability levels of the 350 PIs from ISO 9001 certified
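A permutation test of this kind can be sketched in a few lines. The sketch below is illustrative only, using a Monte Carlo approximation and hypothetical capability-level ratings rather than the trials data or the study's exact procedure:

```python
import random

def permutation_test(group1, group2, n_resamples=10000, seed=0):
    """One-sided Monte Carlo permutation test for mean(group1) > mean(group2).

    Repeatedly shuffles the pooled ratings, reassigns them to two groups
    of the original sizes, and reports the fraction of shuffles whose
    mean difference is at least the observed one.
    """
    rng = random.Random(seed)
    observed = sum(group1) / len(group1) - sum(group2) / len(group2)
    pooled = list(group1) + list(group2)
    n1 = len(group1)
    count = 0
    for _ in range(n_resamples):
        rng.shuffle(pooled)
        diff = sum(pooled[:n1]) / n1 - sum(pooled[n1:]) / (len(pooled) - n1)
        if diff >= observed:
            count += 1
    # add-one smoothing counts the observed labelling itself
    return (count + 1) / (n_resamples + 1)

# Hypothetical ratings for two small, unbalanced groups
certified = [2, 2, 1, 2, 3, 2]
non_certified = [1, 0, 1, 2, 1]
p = permutation_test(certified, non_certified)
```

Because the test only relabels the observed data, it makes no normality assumption, which is why it suits the small and skewed samples in Tables 4 and 5.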
Fig. 7. Confidence interval of the capability levels of ISO 9001 certified organisations (processes with sample size ≥ 9; α = 0.05).
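Intervals like those in Fig. 7 can be obtained with the bootstrap named in the paper's keywords. The following percentile-bootstrap sketch uses hypothetical ratings and is not the study's exact computation:

```python
import random

def bootstrap_ci(ratings, alpha=0.05, n_boot=5000, seed=1):
    """Percentile bootstrap confidence interval for the mean rating.

    Resamples the ratings with replacement and takes the empirical
    alpha/2 and 1 - alpha/2 quantiles of the resampled means.
    """
    rng = random.Random(seed)
    n = len(ratings)
    means = sorted(
        sum(rng.choice(ratings) for _ in range(n)) / n
        for _ in range(n_boot)
    )
    lo = means[int((alpha / 2) * n_boot)]
    hi = means[int((1 - alpha / 2) * n_boot) - 1]
    return lo, hi

# Hypothetical capability-level ratings for one process (sample size 9)
ratings = [1, 2, 2, 1, 3, 2, 1, 2, 2]
low, high = bootstrap_ci(ratings)
```

The resulting interval brackets the sample mean without assuming any distributional form, which matches the restriction in Fig. 7 to processes with at least nine rated PIs.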
the IT staff size is the same as the one used in the previous section. Unfortunately, in five projects assessed, the necessary data was incomplete. Thus, we used a total of 652 PIs, 446 that belonged to organizations with a large IT staff and 206 that belonged to organizations with a small IT staff. The processes in Table 5 with a P-value below 0.05 denote the existence of a difference in the capability level distribution of the two groups at the α = 0.05 level of significance.
As shown in Table 5, in all SPICE processes except ENG.5 and SUP.2, the average capability level for organizations with a large IT staff is greater than for organizations with a small IT staff. However, since the P-value for all processes except ENG.7 and ORG.3 is greater than 0.05, it is only for ENG.7 and ORG.3 that we can reject the hypothesis that the capability level distribution of organizations with a large IT staff is the same as that for organizations with a small IT staff.
5. Final remarks
In addition, in 11 processes out of 29, there was statistical evidence indicating that the capability level is greater for the ISO 9001 certified organizations than for the non ISO 9001 certified organizations.
The capability levels of the processes associated with organizations with a large IT staff were greater than those of the processes associated with organizations with a small IT staff. However, only two processes (ENG.7 and ORG.3) showed a statistically significant difference in the capability levels.
In interpreting the results obtained in comparing SPICE and ISO 9001, the similarities between the requirements of the two standards should be borne in mind. In this sense the results are perhaps not too surprising, though it is encouraging to have empirical evidence to suggest that SPICE and ISO 9001, applied to software, produce broadly similar results.
One limitation of this study should be made clear in
interpreting our results. This limitation is not unique to
our study, but is characteristic of most comparison
studies. It is worth explaining here.
Suppose that an experimenter is interested in investigating the effect of a specific binary factor (i.e., ISO 9001 certification and non ISO 9001 certification) to determine whether this factor has a significant effect on an observed quantity. In retrospective studies of this sort, designed to "look into the past" (Agresti, 1996), observed data is obtained through the analysis of historical data concerning the system or process (Montgomery et al., 1998). Thus, retrospective (observational) studies of this sort are limited in that they cannot consider possibilities such as non ISO 9001 certified companies not going through the certification process because it was not necessary for their business, but nonetheless having satisfied all the clauses of ISO 9001. This limitation can be solved by performing a randomized experiment, which is a more appropriate way of investigating the effect of such factors (Montgomery et al., 1998). However, sometimes such randomized experiments are not possible due to cost, ethics, or legal reasons. Cost is a major barrier preventing randomization studies in the SPICE trials data collection.
Acknowledgements
The authors are members of the SPICE trials team, and wish to acknowledge the contributions of other past and present members of the trials team, in particular those of Khaled El Emam, Inigo Garro, Dennis Goldenson, Peter Krauth, Bob Smith, Kyungwhan Lee, Angela Tuffley and Alastair Walker. The research of Ho-Won Jung was supported by Korea Research Foundation Grant (KRF-99-041-C00329). This support is gratefully acknowledged.
Management responsibility
Quality system
Contract review
Design control
Document and data control
Purchasing
Control of customer-supplied product
Product identification and traceability
Process control
Inspection and testing
Control of inspection, measuring, and test equipment
Inspection and test status
Control of nonconforming product
Corrective and preventive action
Handling, storage, packaging, preservation, and delivery
Control of quality records
Internal quality audits
Training
Servicing
Statistical techniques
or w̃ is a permutation of w};

t(w̃) = ∑_{i=1}^{n₁} w̃_{i1}   and   t = ∑_{i=1}^{n₁} w_{i1}.
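With t defined as the sum of the group-1 values, an exact one-sided P-value follows from enumerating every relabelling of the pooled data and counting how often t(w̃) ≥ t. A small sketch with made-up values (not the trials data):

```python
from itertools import combinations

def exact_one_sided_p(group1, group2):
    """Exact permutation P-value using t = sum of group-1 values.

    Enumerates every way of choosing n1 of the pooled observations as
    'group 1' and counts how often the statistic equals or exceeds the
    observed sum.
    """
    pooled = list(group1) + list(group2)
    n1 = len(group1)
    t_obs = sum(group1)
    total = ge = 0
    for idx in combinations(range(len(pooled)), n1):
        total += 1
        if sum(pooled[i] for i in idx) >= t_obs:
            ge += 1
    return ge / total

# Tiny hypothetical example: only 1 of C(6,3) = 20 relabellings
# reaches the observed sum of 7, so p == 0.05
p = exact_one_sided_p([2, 3, 2], [1, 0, 1])
```

Full enumeration is feasible only for small samples like these; for larger groups the Monte Carlo approximation is the practical choice.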
Capability Determination. IEEE Computer Soc Press, Silver Spring, MD.
El Emam, K., Jung, H.-W., 2001. An evaluation of the ISO/IEC 15504 assessment model. Journal of Systems and Software 59, 23-41.
Fenton, N., Page, S., 1993. Towards the evaluation of software engineering standards. In: Proceedings of the Software Engineering Standards Symposium, pp. 100-107.
Fenton, N., Littlewood, B., Page, S., 1993. Evaluating software engineering standards and methods. In: Thayer, R., McGettrick, A. (Eds.), Software Engineering: A European Perspective. IEEE Computer Soc Press, Silver Spring, MD.
Gardner, P., 1975. Scales and statistics. Review of Educational Research 45 (1), 43-57.
Gibbons, J.D., 1985. Nonparametric Statistical Inference, 2nd ed. Marcel Dekker, New York.
Goldenson, D.R., El Emam, K., 1996. The international SPICE trials: Project description and initial results. In: Proceedings of the 8th Software Engineering Process Group Conference.
Good, P., 1993. Permutation Tests: A Practical Guide to Resampling Methods for Testing Hypotheses. Springer, New York.
Hailey, V., 1998. A comparison of ISO 9001 and the SPICE framework. In: El Emam, K., Drouin, J.-N., Melo, W. (Eds.), SPICE: The Theory and Practice of Software Process Improvement and Capability Determination. IEEE Computer Soc Press, Silver Spring, MD.
Hunter, R.B., 1998. SPICE trials assessment profile. IEEE Software Process Newsletter 12, 12-18.
ISO 9000-3, 1997. Quality Management and Quality Assurance Standards, Part 3: Guidelines for the Application of ISO 9001:1994 to the Development, Supply, Installation and Maintenance of Computer Software. ISO, Geneva, Switzerland.
ISO 9001, 1997. Quality Systems: Model for Quality Assurance in Design, Development, Production, Installation and Servicing. ISO, Geneva, Switzerland.
ISO/IEC JTC1/SC7/WG10, 1999. SPICE Phase 2 Trials Final Report, vol. 1.
ISO/IEC PDTR 15504, 1998. Information Technology, Software Process Assessment: Part 1-Part 9.
ISO/IEC TR2 15504, 1998. Information Technology, Software Process Assessment: Part 1-Part 9. Geneva, Switzerland.
Kenett, R.S., Zacks, S., 1998. Modern Industrial Statistics: Design and Control of Quality and Reliability. Duxbury Press, Pacific Grove, CA (Chapter 7).
Kuvaja, P., 1999. BOOTSTRAP 3.0: A SPICE-conformant software process assessment methodology. Software Quality Journal 8, 7-19.
Maclennan, F., Ostrolenk, G., 1995. The SPICE trials: Validating the framework. In: Proceedings of the 2nd International SPICE Symposium, Brisbane.