Chongwon Lee1, Jinyoung Lee1, Seunghun Hyun1, and Chisu Wu1 1 School of Computer Science and Engineering, Seoul National University {chanwoo, junoyoon, jylee, ljw, shhyun, wuchisu}@selab.snu.ac.kr 2 School of Computer Science, University of Seoul bjlee@venus.uos.ac.kr
Abstract one mapping) especially in comparing standards. But,
it is not practical in the field, because when CMMI is ISO 9001 is a standard for quality management implemented in an organization, changes in processes systems while CMMI is a model for process of the organization must be reflected in quality manual improvement. If an organization that has achieved as it is a prerequisite in ISO 9001:2000. When ISO registration wishes to improve processes reflecting changes in quality manual, N-N mapping continuously, CMMI can be a strong candidate may cause some confusion. It is not easy to decide because it provides a more detailed roadmap for where to place these changes in quality manual by process improvement. However, with respect to using N-N mapping. A mapping close to 1-1 mapping adopting CMMI in organizations that are familiar (Later, we call it “concise N-N mapping”) would, thus, with ISO 9001, there are some issues that need to be be helpful in decision making. resolved. For example, ISO 9001 and CMMI have A simple mapping between standards is not different targets, intent, and quantity of detail. In this sufficient. This mapping can be complemented by paper, we present an integrated model of ISO additional descriptions. There are some delicate 9001:2000 and CMMI, which would resolve the above differences between ISO 9001:2000 and CMMI in problems. We expect that this model will be a useful terms of context. Therefore, the mapping must be tool for ISO registered organizations aim to attain explained by some description on the detailed higher CMMI levels. difference between ISO 9001:2000 and CMMI. Once an organization has achieved ISO registration Keywords : ISO 9001:2000, CMMI, Integrated Model, by satisfying the necessary requirements of ISO Process Improvement 9001:2000, it is relatively simple to implement ISO 9004:2000 to achieve further improvements, because 1. Introduction ISO 9004:2000 has been developed as a complementary guideline for ISO 9001:2000 and thus If ISO 9001 registered organizations are not likely share similar structures with respect to assisting their to implement CMMI with ISO 9001:2000 because application as a consistent pair. such implementation would cause extra efforts brought In the same context, if there is a superset of ISO about by the difference between the two. Therefore it 9001:2000 and CMMI in the structure of ISO would be a priority to identify the similarities and 9001:2000, it will be easy to introduce CMMI into the differences between ISO 9001:2000 and CMMI. organization with ISO registration. Generally, a mapping table between standards to In this paper, we present an ISO 9001:2000 and transition one to another is used. CMMI integrated model constructed in ISO There is a N-N mapping (many to many mapping) 9001:2000 structure, in which the interpretation of N- between ISO 9001:2000 and CMMI[1]. N-N mappings N mapping is clearly described to eliminate confusion. are usually more reasonable than 1-1 mapping (one to Additionally, the integrated model provides an
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE explanation of the differences between ISO 9001:2000 staged representation offers process areas applicable to requirements and the practices of CMMI. each maturity level. The continuous representation This paper is organized as follows. Section 2 briefly provides flexibility for selecting processes fit for explains ISO 9001:2000 and CMMI. Section 3 achieving business goal of the organization[5]. presents an integrated model of ISO 9001:2000 and CMMI provides 25 process areas (Process area CMMI. Section 4 discusses related work and finally, means a cluster of related practices in an area that, Section 5 provides some conclusions. when implemented collectively, satisfies a set of goals considered important for making significant 2. ISO 9001:2000 and CMMI improvement in that area[4]. Goals are classified as generic goals and specific goals. A generic goal describes the characteristics that 2.1. ISO 9001:2000 must be present to institutionalize the processes that implement a process area. A specific goal describes ISO 9001:2000 is a necessary requirement for the unique characteristics that must be present to quality management system. It is a part of ISO 9000 satisfy the process area[4]. family that consist of ISO 9000 (fundamentals and Practices are expected components for satisfying vocabulary), ISO 9001 (requirements), ISO 9004 goals. Practices are classified as generic practices and (guidelines for performance improvements) and ISO specific practices. A generic practice is the description 19011 (guidelines for quality and environmental of an activity that is considered important in achieving management systems auditing). ISO 9001:2000 is an the associated generic goal. A specific practice is the abstract and sparse document that can be applied to description of an activity that is considered important any category of business. ISO 9001 could be in achieving the associated specific goal[4]. interpreted by ISO 9000-3[2] or TickIT[3] when applied to organizations in the software industry. For every requirement in ISO 9001, an organization can 3. Integrated model choose to have two status, ‘satisfied’ or ‘not satisfied’. If every requirement is satisfied, then ISO registration 3.1. Purpose of the integrated model is achieved. Compared with ISO 9001:2000, ISO 9004:2000 is not a requirements document, but rather ISO 9001 requires that processes to be continuously a guidance document for process improvement of a improved even after achieving ISO registration. greater level compared with ISO 9001:2000. ISO CMMI can be a good to an organization in the 9001:2000 and ISO 9004:2000 are both similar in software and systems industry to achieve further terms of structure and terminology used to allow easy process improvement, because CMMI is quite detailed conversion from one to the other. and contains more concepts of ‘improvement of process’ than ISO 9001:2000. Furthermore, 2.2. CMMI considering that many ISO 9001:1994 registered organizations are trying to introduce SW-CMM[6][7], CMMI (Capability Maturity Model Integration) is it is expected that many ISO 9001:2000 registered an integrated model of many CMMs intended to organizations will want to adopt CMMI into their achieve process improvement. CMM is a model that systems. contains the essential elements of effective processes As we described in the Introduction, it is simple to for one or more disciplines and describes an implement ISO 9004:2000 to ISO registered evolutionary improvement path from ad hoc, organizations because the structure of ISO 9004:2000 immature processes to disciplined, mature processes is similar to that of ISO 9001:2000. Therefore, it with improved quality and effectiveness[4]. would be ideal for ISO registered organizations to CMMI has two representations. One is the staged adopt CMMI if the structure of CMMI is similar to representation. The other is the continuous that of ISO 9001:2000. representation. In the staged representation maturity level of an organization ranges from level 1 to 5. In 3.2. Method to make the integrated model the continuous representation each process capability level ranges from 0 to 5. The staged representation is We applied the concise N-N mapping for the most suitable for an organization that does not know integrated model while the concise N-N mapping was which processes need to be improved first because the derived by using a N-N mapping table [1] between
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE ISO 9001:2000 and CMMI. However, some changes When ISO 9001:2000 CMMI practices are inserted. need to be made to the mapping table. First, many shall-statements do not Relationships between CMMI practices have dependencies among one another, and satisfy CMMI practices, and the integrated model are the N-N mapping table does not preserve these but there is an appropriate recorded. dependencies. Therefore, we need to place dependent position to insert CMMI practices in an adequate place together. Second, the practices concise N-N mapping may possibly make the relationship between CMMI practices and ISO When ISO 9001:2000 New clauses are created in the 9001:2000 requirements too simple. Thus, in order to shall-statements do not integrated model. CMMI resolve this, some additional explanations on the satisfy CMMI practices, practices are inserted and relationships between CMMI practices and ISO and there is no appropriate relationships between CMMI 9001:2000 requirements should be added to the position to insert CMMI and the integrated model are integrated model. Third, granularity of the integrated practices recorded. model is another issue. CMMI assesses that a process area is satisfied only when all the goals in the process 3.3. Structure of the integrated model area are satisfied. In other words, each goal in the process area is a primitive unit to be assessed. Because we can not show the complete integrated However, if the goals in CMMI are selected for the model in this paper, we summarized the integrated target of the integrated model, then the relationship model’s structure, approximately, in Table 2. The between ISO 9001:2000 and CMMI can become “All complete integrated model is available at Match”. Therefore, practices in each process area are http://selab.snu.ac.kr/Library/TechReport/ISOCMMII selected as the CMMI-side target of the integrated ntegration.html model. After developing a concise N-N mapping, CMMI Table 2. Structure of the integrated model practices were merged with ISO 9001:2000 requirements using the method in Table 1. Targets of Integrated model’s contents CMMI our integrated model were CMMI-SE/SW/IPPD/SS 4. Quality management system and ISO 9001:2000. GP 2.1, 2.2, 2.3, 4.1 General requirements 2.4, 2.5, 2.6, 2.8, Table 1. Method for integration classified 2.9, 2.10, 3.1, 3.2 according to the correspondence types 4.2 Documentation Requirements 4.2.1 General OPD Types of correspondence Methods to integrate models 4.2.2 Quality manual OPD When ISO 9001:2000 ISO 9001:2000 shall- 4.2.2.1 Organization’s set of OPD, GP 3.1 standard process shall-statements statements are kept and the 4.2.2.2 Organization’s set of (requirements) fully relationships between CMMI standard process tailoring criteria OPD, GP 3.1 satisfy CMMI practices and the integrated model are and guidelines recorded. 4.2.3 Control of documents IPM, GP 3.2 When ISO 9001:2000 ISO shall-statements are 4.2.4 Control of records shall-statements can or modified – ISO requirements’ 4.2.5 Process assets management OPD, IPM, GP 3.2 can not satisfy CMMI focus are calibrated by using 4.2.6 Measurement management OPD practices by interpretation square brackets ([ ]). 4.3 Decision analysis and resolution DAR Relationships between CMMI 5. Management responsibility and the integrated model are 5.1 Management commitment GP 2.10, OEI recorded. 5.2 Customer focus When ISO 9001:2000 Relationships between ISO 5.3 Quality policy GP 2.1 shall-statements partially 9001:2000 shall-statements and 5.4 Planning satisfy CMMI practices CMMI are recorded. 5.4.1 Quality objectives OPF
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE 5.4.2 Quality management system 7.3.6 Design and development VAL planning validation 5.5 Responsibility, authority and 7.3.7 Control of design and CM communication development changes 5.5.1 Responsibility and authority GP 2.4 7.4 Purchasing 5.5.2 Management representative 7.4.1 Purchasing process SAM, ISM 5.5.3 Internal communication 7.4.2 Purchasing information 5.6 Management review 7.4.3 Verification of purchased SAM, ISM 5.6.1 General GP 2.10 product 5.6.2 Review input GP 2.10 7.5 Production and service provision 5.6.3 Review output GP 2.10 7.5.1 Control of production and service provision 6. Resource management 7.5.2 Validation of processes for 6.1 Provision of resources GP 2.3 production the service provision 6.2 Human resources 7.5.3 Identification and CM, GP 2.6 6.2.1 General GP 2.5 traceability 6.2.2 Competence, awareness and 7.5.4 Customer property OT, OEI, GP 2.5 training 7.5.5 Preservation and delivery of PI 6.3 Infrastructure GP 2.3 product 6.4 Work environment OEI 7.6 Control of monitoring and measuring devices 7. Product realization 8. Measurement, analysis and 7.1 Planning of product realization GP 2.2 improvement 7.2 Customer-related processes 8.1 General 7.2.1 Determination of 8.2 Monitoring and measurement MA requirements related to the RD 8.2.1 Customer satisfaction product OPF, GP 2.9, 7.2.2 Review of requirements to 8.2.2 Internal audit RD, REQM PPQA the product 8.2.3 Quantitative project 7.2.3 Customer communication GP 2.7 QPM management 7.3 Design and development 8.2.3.1 Monitoring and GG 2, PP, VAL, MA, GP 2.8, QPM 7.3.1 Design and development measurement of processes VER, PMC, GP 8.2.3.2 Monitoring and planning MA, QPM 2.4, OEI measurement of product 7.3.1.1 Establishing design and 8.2.4 Monitoring and GP 3.1, PP, IPM MA development plan measurement of product 7.3.1.2 Team composition and 8.3 Control of nonconforming IPM, IT, OEI operation product 7.3.1.3 Risk management RSKM 8.4 Analysis of data MA, OPP 7.3.2 Design and development 8.4A Measurement management OPF, MA inputs 8.5 Improvement 7.3.A Design and development 8.5.1 Continual improvement OPF process 8.5.1.1 Selecting 7.3.A.1 Design and development OID IPM, REQM improvements process management 8.5.1.2 Deploying 7.3.A.2 Technical solution TS OID improvements 7.3.A.3 Product integration PI 8.5.2 Casual Analysis and 7.3.4 Design and development PMC, IPM, CAR Resolution review RSKM 8.5.2.1 Corrective action OPF, CAR 7.3.5 Design and development VER 8.5.2.2 Preventive action CAR verification
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE describes what ISO registered organizations must do 3.4. Form to adopt CMMI. But ISO registered organizations may implement more requirements than ISO 9001:2000 The integrated model is organized as Table 3. demands. Therefore the organization should first evaluate the process status of the organizations accurately. Table 3. Form of the integrated model In the integrated model, granularity of CMMI is a practice and not requirements. But as we all know, ISO-CMMI Integrated one needs practice in order to achieve goals. An ISO CMMI Explanation organization considering to adopt CMMI should Model consider that they have substitution for practices ࣜࣜ ࣜࣜ ࣜࣜ ࣜࣜ described in the integrated model. The integrated model includes inserted practices of ISO-CMMI Integrated Model column in Table 3 CMMI which are inserted into an appropriate position. shows the contents of the integrated model, a But because of the differences between ISO 9001:2000 combination of CMMI practices and ISO 9001:2000’s and CMMI, the following will need to be considered. requirements. ISO and CMMI column shows whether The prime goal of technical solution process area is to or not the contents in ISO-CMMI Integrated Model identify and implement solutions about product and column is mapped to ISO or CMMI. Explanation product components, but also applied to selecting and column gives helpful comments to understand how to applying processes related to products. Practices of adopt CMMI and the integrated model. technical solution process area are inserted into Table 4 shows an example as a part of the “Design and development” as it’s prime goal. In case integrated model. of organizational training process area, the view of ISO 9001:2000 is different from that of CMMI. While 3.5. Advice for Understanding the Integrated ISO 9001:2000 is focused on the competencies of Model people related to products, CMMI is focused on how to provide education on an organizational level. These Explanation column in the integrated model differences should be considered by organizations.
Table 4. Partial example of the integrated model
ٻ ISO-CMMI Integrated Model ISO CMMI Explanation 4.2.4 Control of records CMMI requires evidences of Records shall be established and maintained to provide evidence of ࣜࣜ ࣜࣜ achieving goals. A type of evidence conformity to requirements and of the effective operation of the can be a record. Records are quality management system. Records shall remain legible, readily maintained as reports, identifiable and retrievable [as process assets]. A documented management records, meeting procedure shall be established to define the controls needed for the minutes. These records should be identification, storage, protection, retrieval, retention time and stored as an appropriate type in disposition of records. process assets libraries. 4.2.5 Process assets management Organizations shall add data Organizations shall establish and maintain process asset libraries that derived from projects or OPD SP contain quality management system, measurements, documents, organizational process execution 1.5-1 records. into process assets continuously. Organizations shall make work products, measurements, This satisfies IPM SP 1.5-1 and IPM SP 1. improvement instruction, documented experiences derived from GP 3.2 5-1 organizational activities to be contained in process asset libraries for GP 3.2 continuous contribution to process assets.
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
Our integrated Model is expected to be useful to Table 6. Example of quality manual
ISO registered organizations that plan to adopt CMMI corresponding to 4.3 clause in two ways. in the integrated model First, it is expected to be useful to gap analysis. Because the model is based on concise N-N mapping 4.3 Decision analysis and resolution requirements and describes differences between CMMI practices Each chief of department guarantee that formal decision and ISO 9001:2000 requirements, organizations will analysis is performed for every important decision item. Each be able to perceive without difficulty the gap between chief of department guarantee that selected decision items the organizations’ status according to ISO 9001:2000 are evaluated by evaluation criteria, appropriate alternatives and CMMI as demonstrated by the integrated model. are selected by evaluation results. Second, it will help to write out a quality manual. A quality manual contains contents of a quality Selecting decision items conform to guidelines for selecting management system in an organization. When CMMI decision items. is introduced into an organization, process changes Decision analysis and resolution conform to decision analysis will need to be reflected into the organization’s quality and resolution guidelines. manual. As the structure of the quality manual is generally the same as ISO 9001:2000, it will be easy Related documents: to reflect the changes in organization’s quality manual (1) Decision analysis and resolution procedure documents by using the integrated model written in the structure (2) Guidelines for selecting decision items of ISO 9001:2000 when introducing CMMI. Organizations can easily distinguish what is in the integrated model but not in the quality manual. 4. Related work An example of writing out a quality manual by using the integrated model can be summarized as There are fewer studies on the comparison of ISO follows. Table 5 shows the 4.3 clause in the integrated 9001:2000 with CMMI on the comparison of ISO model. This clause contains contents of DAR in 9001:1994 with SW-CMM. Because of ISO 9001:2000 CMMI and is not contained in ISO 9001:2000. and CMMI, there have been less comparison done Organizations can add this clause next to the 4.2 between ISO 9001:1994 and SW-CMM. But since clause in the quality manual as shown in Table 6. these studies can provides hints to understanding the relationships between ISO 9001:2000 and CMMI, we Table 5. Clause 4.3 of the integrated model present some related studies below. M.C. Paulk compared ISO 9001:1994 with SW- 4.3 Decision analysis and resolution requirements CMM to answer the following questions[8][9] An organization shall perform decision analysis and • At what level in the CMM would an ISO 9001- resolution for critical decision items. compliant organization be? Selecting decision items shall conform to documented • Can a level 2(or 3) organization be considered guidelines. compliant with ISO 9001? Selected decision items shall be evaluated by evaluation • Should a software-quality-management and process- criteria, appropriate alternatives shall be selected by improvement efforts be based on ISO 9001 or on the evaluation results. Decision analysis and resolution shall CMMI? contain next activities. This study shows that SW-CMM has more requirements than ISO 9001:1994 when ISO a) Establishing and maintaining criteria for evaluation of 9001:1994 is mapped onto SW-CMM. He further alternatives and relative importance of criteria asserts that ISO 9001:1994 compliant organization b) Identifying alternative solutions treating problems should satisfy most of the level 2 and many of the level c) Selecting evaluation methods. 3 goals in CMMI. Figure 3 shows ISO 9001 compliant d) Evaluating alternative solutions by using established organization’s level of satisfaction of SW-CMM. criteria and methods e) Selecting a solution from alternatives based on evaluation
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE Figure 2. Mapping CMMI process areas Figure 1. Key process area profile for an ISO according to clauses of ISO 9001:2000[5] 9001-compliant organization[8][9]
P. Jalote proposed a way for transitioning from ISO 5. Conclusion
9001:1994 to SW-CMM level 4 based on actual organization’s experience of transitioning[10]. In this In this paper, we proposed an integrated model by study, he pointed out that simple mapping between inserting CMMI practices into ISO 9001:2000 ISO 9001:1994 and SW-CMM are not useful to field requirements. We expect that this model will be staffs and it is useful to describe what additional helpful to ISO registered organizations as it will allow things to do for typical ISO 9001 compliant existing ISO assets to be re-used without redundant organization transitioning to SW-CMM. efforts. In addition, the model will help organizations Works on simultaneously implementing ISO to perform gap analysis and maintain their quality 9001:2000 and CMMI have been conducted by B. manual without any difficulty when adopting CMMI. Mutafelija and H. Stromberg[5]. In these works, they And, even if an organization does not have ISO insisted that CMMI satisfied most of ISO 9001:2000 registration but plans to adopt CMMI only, the requirements, and so, proposed a way of introducing organization will be able to implement ISO 9001:2000 two frameworks simultaneously by implementing and CMMI simultaneously by this integrated model. CMMI and adding new requirements for ISO In future research, we plan to conduct experiments to 9001:2000. Figure 4 illustrates how CMMI process confirm how effective this model will be real areas are mapped to ISO 9001:2000. For example, application.. ISO 9001:2000’s 6th clause, resource management has some of its contents mapped onto CMMI’s OPF, 6. References OPD and PP process areas. This method focuses on CMMI organization adopting the ISO 9001:2000 [1] B. Mutafelija and H. Stromberg, Mappings of ISO rather than ISO registered organization adopting 9001:2000 and CMMI Version 1.1, CMMI. Therefore it is not useful to ISO registered http://www.sei.cmu.edu/cmmi/adoption, July 2003. organization that intends to introduce CMMI. B. Mutafelija and H. Stromberg also studied about [2] Department of Trade and Industry, British Standards the mapping between ISO 9001:2000 and CMMI[1]. institute, The TickIT Guide Issue 5, London-DISC TickIT They explain that a mapping should be subjective and Office, 2001. according to granularity of mapping, degree of [3] ISO, Quality management and quality assurance correspondence is different. In this work, practices of standards ˂ Part 3: Guidelines for the application of ISO CMMI are mapped to requirements of ISO 9001:2000. 9001:1994 to the development, supply, installation and And mechanically inverted mapping is also provided. maintenance of computer software, ISO 9000-3, 1997.
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE [4] M. B. Chrissis, M. Konrad and S. Shrum, CMMI ˀ Guidelines for Process Integration and Product Improvement, Addison-Wesley, 2003.
[5] B. Mutafelija and H. Stromberg, Systematic Process
Improvement Using ISO 9001:2000 and CMMI, Artech House, 2003.
[6] M. C. Paulk, C. V. Weber and B. Curtis, The Capability
Maturity Model for Software, Addison-Wesley, 1995.
[7] W. Humphrey. "Characterizing the software process : A
maturity framework", IEEE Software, Vol.5, No.2, pp.73-79, Mar. 1988.
[8] M. C. Paulk, "Comparing ISO 9001 and the capability
maturity model for Software", Software Quality Journal, Vol. 2, No. 4, pp.245-256, Dec. 1993.
[9] M. C. Paulk, "How ISO 9001 Compares with the CMM",
IEEE Software, Vol.12, No.1, pp.74-83, Jan. 1995.
[10] P. Jalote, CMM in Practice: Processes for Executing
Software Projects at Infosys (The SEI Series in Software Engineering), Addison-Wesley, 1999.
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)