Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cmmi appraisal
1. An Integrated Model of ISO 9001:2000 and CMMI
for ISO Registered Organizations
Chanwoo Yoo1
, Junho Yoon1
, Byungjeong Lee2
,
Chongwon Lee1
, Jinyoung Lee1
, Seunghun Hyun1
, and Chisu Wu1
1
School of Computer Science and Engineering, Seoul National University
{chanwoo, junoyoon, jylee, ljw, shhyun, wuchisu}@selab.snu.ac.kr
2
School of Computer Science, University of Seoul
bjlee@venus.uos.ac.kr
Abstract
ISO 9001 is a standard for quality management
systems while CMMI is a model for process
improvement. If an organization that has achieved
ISO registration wishes to improve processes
continuously, CMMI can be a strong candidate
because it provides a more detailed roadmap for
process improvement. However, with respect to
adopting CMMI in organizations that are familiar
with ISO 9001, there are some issues that need to be
resolved. For example, ISO 9001 and CMMI have
different targets, intent, and quantity of detail. In this
paper, we present an integrated model of ISO
9001:2000 and CMMI, which would resolve the above
problems. We expect that this model will be a useful
tool for ISO registered organizations aim to attain
higher CMMI levels.
Keywords : ISO 9001:2000, CMMI, Integrated Model,
Process Improvement
1. Introduction
If ISO 9001 registered organizations are not likely
to implement CMMI with ISO 9001:2000 because
such implementation would cause extra efforts brought
about by the difference between the two. Therefore it
would be a priority to identify the similarities and
differences between ISO 9001:2000 and CMMI.
Generally, a mapping table between standards to
transition one to another is used.
There is a N-N mapping (many to many mapping)
between ISO 9001:2000 and CMMI[1]. N-N mappings
are usually more reasonable than 1-1 mapping (one to
one mapping) especially in comparing standards. But,
it is not practical in the field, because when CMMI is
implemented in an organization, changes in processes
of the organization must be reflected in quality manual
as it is a prerequisite in ISO 9001:2000. When
reflecting changes in quality manual, N-N mapping
may cause some confusion. It is not easy to decide
where to place these changes in quality manual by
using N-N mapping. A mapping close to 1-1 mapping
(Later, we call it “concise N-N mapping”) would, thus,
be helpful in decision making.
A simple mapping between standards is not
sufficient. This mapping can be complemented by
additional descriptions. There are some delicate
differences between ISO 9001:2000 and CMMI in
terms of context. Therefore, the mapping must be
explained by some description on the detailed
difference between ISO 9001:2000 and CMMI.
Once an organization has achieved ISO registration
by satisfying the necessary requirements of ISO
9001:2000, it is relatively simple to implement ISO
9004:2000 to achieve further improvements, because
ISO 9004:2000 has been developed as a
complementary guideline for ISO 9001:2000 and thus
share similar structures with respect to assisting their
application as a consistent pair.
In the same context, if there is a superset of ISO
9001:2000 and CMMI in the structure of ISO
9001:2000, it will be easy to introduce CMMI into the
organization with ISO registration.
In this paper, we present an ISO 9001:2000 and
CMMI integrated model constructed in ISO
9001:2000 structure, in which the interpretation of N-
N mapping is clearly described to eliminate confusion.
Additionally, the integrated model provides an
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
2. explanation of the differences between ISO 9001:2000
requirements and the practices of CMMI.
This paper is organized as follows. Section 2 briefly
explains ISO 9001:2000 and CMMI. Section 3
presents an integrated model of ISO 9001:2000 and
CMMI. Section 4 discusses related work and finally,
Section 5 provides some conclusions.
2. ISO 9001:2000 and CMMI
2.1. ISO 9001:2000
ISO 9001:2000 is a necessary requirement for
quality management system. It is a part of ISO 9000
family that consist of ISO 9000 (fundamentals and
vocabulary), ISO 9001 (requirements), ISO 9004
(guidelines for performance improvements) and ISO
19011 (guidelines for quality and environmental
management systems auditing). ISO 9001:2000 is an
abstract and sparse document that can be applied to
any category of business. ISO 9001 could be
interpreted by ISO 9000-3[2] or TickIT[3] when
applied to organizations in the software industry. For
every requirement in ISO 9001, an organization can
choose to have two status, ‘satisfied’ or ‘not satisfied’.
If every requirement is satisfied, then ISO registration
is achieved. Compared with ISO 9001:2000, ISO
9004:2000 is not a requirements document, but rather
a guidance document for process improvement of a
greater level compared with ISO 9001:2000. ISO
9001:2000 and ISO 9004:2000 are both similar in
terms of structure and terminology used to allow easy
conversion from one to the other.
2.2. CMMI
CMMI (Capability Maturity Model Integration) is
an integrated model of many CMMs intended to
achieve process improvement. CMM is a model that
contains the essential elements of effective processes
for one or more disciplines and describes an
evolutionary improvement path from ad hoc,
immature processes to disciplined, mature processes
with improved quality and effectiveness[4].
CMMI has two representations. One is the staged
representation. The other is the continuous
representation. In the staged representation maturity
level of an organization ranges from level 1 to 5. In
the continuous representation each process capability
level ranges from 0 to 5. The staged representation is
most suitable for an organization that does not know
which processes need to be improved first because the
staged representation offers process areas applicable to
each maturity level. The continuous representation
provides flexibility for selecting processes fit for
achieving business goal of the organization[5].
CMMI provides 25 process areas (Process area
means a cluster of related practices in an area that,
when implemented collectively, satisfies a set of goals
considered important for making significant
improvement in that area[4].
Goals are classified as generic goals and specific
goals. A generic goal describes the characteristics that
must be present to institutionalize the processes that
implement a process area. A specific goal describes
the unique characteristics that must be present to
satisfy the process area[4].
Practices are expected components for satisfying
goals. Practices are classified as generic practices and
specific practices. A generic practice is the description
of an activity that is considered important in achieving
the associated generic goal. A specific practice is the
description of an activity that is considered important
in achieving the associated specific goal[4].
3. Integrated model
3.1. Purpose of the integrated model
ISO 9001 requires that processes to be continuously
improved even after achieving ISO registration.
CMMI can be a good to an organization in the
software and systems industry to achieve further
process improvement, because CMMI is quite detailed
and contains more concepts of ‘improvement of
process’ than ISO 9001:2000. Furthermore,
considering that many ISO 9001:1994 registered
organizations are trying to introduce SW-CMM[6][7],
it is expected that many ISO 9001:2000 registered
organizations will want to adopt CMMI into their
systems.
As we described in the Introduction, it is simple to
implement ISO 9004:2000 to ISO registered
organizations because the structure of ISO 9004:2000
is similar to that of ISO 9001:2000. Therefore, it
would be ideal for ISO registered organizations to
adopt CMMI if the structure of CMMI is similar to
that of ISO 9001:2000.
3.2. Method to make the integrated model
We applied the concise N-N mapping for the
integrated model while the concise N-N mapping was
derived by using a N-N mapping table [1] between
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
3. ISO 9001:2000 and CMMI. However, some changes
need to be made to the mapping table. First, many
practices have dependencies among one another, and
the N-N mapping table does not preserve these
dependencies. Therefore, we need to place dependent
practices in an adequate place together. Second, the
concise N-N mapping may possibly make the
relationship between CMMI practices and ISO
9001:2000 requirements too simple. Thus, in order to
resolve this, some additional explanations on the
relationships between CMMI practices and ISO
9001:2000 requirements should be added to the
integrated model. Third, granularity of the integrated
model is another issue. CMMI assesses that a process
area is satisfied only when all the goals in the process
area are satisfied. In other words, each goal in the
process area is a primitive unit to be assessed.
However, if the goals in CMMI are selected for the
target of the integrated model, then the relationship
between ISO 9001:2000 and CMMI can become “All
Match”. Therefore, practices in each process area are
selected as the CMMI-side target of the integrated
model.
After developing a concise N-N mapping, CMMI
practices were merged with ISO 9001:2000
requirements using the method in Table 1. Targets of
our integrated model were CMMI-SE/SW/IPPD/SS
and ISO 9001:2000.
Table 1. Method for integration classified
according to the correspondence types
Types of correspondence Methods to integrate models
When ISO 9001:2000
shall-statements
(requirements) fully
satisfy CMMI practices
ISO 9001:2000 shall-
statements are kept and the
relationships between CMMI
and the integrated model are
recorded.
When ISO 9001:2000
shall-statements can or
can not satisfy CMMI
practices by interpretation
ISO shall-statements are
modified – ISO requirements’
focus are calibrated by using
square brackets ([ ]).
Relationships between CMMI
and the integrated model are
recorded.
When ISO 9001:2000
shall-statements partially
satisfy CMMI practices
Relationships between ISO
9001:2000 shall-statements and
CMMI are recorded.
When ISO 9001:2000
shall-statements do not
satisfy CMMI practices,
but there is an appropriate
position to insert CMMI
practices
CMMI practices are inserted.
Relationships between CMMI
and the integrated model are
recorded.
When ISO 9001:2000
shall-statements do not
satisfy CMMI practices,
and there is no appropriate
position to insert CMMI
practices
New clauses are created in the
integrated model. CMMI
practices are inserted and
relationships between CMMI
and the integrated model are
recorded.
3.3. Structure of the integrated model
Because we can not show the complete integrated
model in this paper, we summarized the integrated
model’s structure, approximately, in Table 2. The
complete integrated model is available at
http://selab.snu.ac.kr/Library/TechReport/ISOCMMII
ntegration.html
Table 2. Structure of the integrated model
Integrated model’s contents CMMI
4. Quality management system
4.1 General requirements
GP 2.1, 2.2, 2.3,
2.4, 2.5, 2.6, 2.8,
2.9, 2.10, 3.1, 3.2
4.2 Documentation Requirements
4.2.1 General OPD
4.2.2 Quality manual OPD
4.2.2.1 Organization’s set of
standard process
OPD, GP 3.1
4.2.2.2 Organization’s set of
standard process tailoring criteria
and guidelines
OPD, GP 3.1
4.2.3 Control of documents IPM, GP 3.2
4.2.4 Control of records
4.2.5 Process assets management OPD, IPM, GP 3.2
4.2.6 Measurement management OPD
4.3 Decision analysis and resolution DAR
5. Management responsibility
5.1 Management commitment GP 2.10, OEI
5.2 Customer focus
5.3 Quality policy GP 2.1
5.4 Planning
5.4.1 Quality objectives OPF
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
4. 5.4.2 Quality management system
planning
5.5 Responsibility, authority and
communication
5.5.1 Responsibility and authority GP 2.4
5.5.2 Management representative
5.5.3 Internal communication
5.6 Management review
5.6.1 General GP 2.10
5.6.2 Review input GP 2.10
5.6.3 Review output GP 2.10
6. Resource management
6.1 Provision of resources GP 2.3
6.2 Human resources
6.2.1 General GP 2.5
6.2.2 Competence, awareness and
training
OT, OEI, GP 2.5
6.3 Infrastructure GP 2.3
6.4 Work environment OEI
7. Product realization
7.1 Planning of product realization GP 2.2
7.2 Customer-related processes
7.2.1 Determination of
requirements related to the
product
RD
7.2.2 Review of requirements to
the product
RD, REQM
7.2.3 Customer communication GP 2.7
7.3 Design and development
7.3.1 Design and development
planning
GG 2, PP, VAL,
VER, PMC, GP
2.4, OEI
7.3.1.1 Establishing design and
development plan
GP 3.1, PP, IPM
7.3.1.2 Team composition and
operation
IPM, IT, OEI
7.3.1.3 Risk management RSKM
7.3.2 Design and development
inputs
7.3.A Design and development
process
7.3.A.1 Design and development
process management
IPM, REQM
7.3.A.2 Technical solution TS
7.3.A.3 Product integration PI
7.3.4 Design and development
review
PMC, IPM,
RSKM
7.3.5 Design and development
verification
VER
7.3.6 Design and development
validation
VAL
7.3.7 Control of design and
development changes
CM
7.4 Purchasing
7.4.1 Purchasing process SAM, ISM
7.4.2 Purchasing information
7.4.3 Verification of purchased
product
SAM, ISM
7.5 Production and service provision
7.5.1 Control of production and
service provision
7.5.2 Validation of processes for
production the service provision
7.5.3 Identification and
traceability
CM, GP 2.6
7.5.4 Customer property
7.5.5 Preservation and delivery of
product
PI
7.6 Control of monitoring and
measuring devices
8. Measurement, analysis and
improvement
8.1 General
8.2 Monitoring and measurement MA
8.2.1 Customer satisfaction
8.2.2 Internal audit
OPF, GP 2.9,
PPQA
8.2.3 Quantitative project
management
QPM
8.2.3.1 Monitoring and
measurement of processes
MA, GP 2.8, QPM
8.2.3.2 Monitoring and
measurement of product
MA, QPM
8.2.4 Monitoring and
measurement of product
MA
8.3 Control of nonconforming
product
8.4 Analysis of data MA, OPP
8.4A Measurement management OPF, MA
8.5 Improvement
8.5.1 Continual improvement OPF
8.5.1.1 Selecting
improvements
OID
8.5.1.2 Deploying
improvements
OID
8.5.2 Casual Analysis and
Resolution
CAR
8.5.2.1 Corrective action OPF, CAR
8.5.2.2 Preventive action CAR
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
5. 3.4. Form
The integrated model is organized as Table 3.
Table 3. Form of the integrated model
ISO-CMMI Integrated
Model
ISO CMMI Explanation
ࣜࣜ ࣜࣜ ࣜࣜ ࣜࣜ
ISO-CMMI Integrated Model column in Table 3
shows the contents of the integrated model, a
combination of CMMI practices and ISO 9001:2000’s
requirements. ISO and CMMI column shows whether
or not the contents in ISO-CMMI Integrated Model
column is mapped to ISO or CMMI. Explanation
column gives helpful comments to understand how to
adopt CMMI and the integrated model.
Table 4 shows an example as a part of the
integrated model.
3.5. Advice for Understanding the Integrated
Model
Explanation column in the integrated model
describes what ISO registered organizations must do
to adopt CMMI. But ISO registered organizations may
implement more requirements than ISO 9001:2000
demands. Therefore the organization should first
evaluate the process status of the organizations
accurately.
In the integrated model, granularity of CMMI is a
practice and not requirements. But as we all know,
one needs practice in order to achieve goals. An
organization considering to adopt CMMI should
consider that they have substitution for practices
described in the integrated model.
The integrated model includes inserted practices of
CMMI which are inserted into an appropriate position.
But because of the differences between ISO 9001:2000
and CMMI, the following will need to be considered.
The prime goal of technical solution process area is to
identify and implement solutions about product and
product components, but also applied to selecting and
applying processes related to products. Practices of
technical solution process area are inserted into
“Design and development” as it’s prime goal. In case
of organizational training process area, the view of
ISO 9001:2000 is different from that of CMMI. While
ISO 9001:2000 is focused on the competencies of
people related to products, CMMI is focused on how to
provide education on an organizational level. These
differences should be considered by organizations.
Table 4. Partial example of the integrated model
ٻ
ISO-CMMI Integrated Model ISO CMMI Explanation
4.2.4 Control of records
Records shall be established and maintained to provide evidence of
conformity to requirements and of the effective operation of the
quality management system. Records shall remain legible, readily
identifiable and retrievable [as process assets]. A documented
procedure shall be established to define the controls needed for the
identification, storage, protection, retrieval, retention time and
disposition of records.
ࣜࣜ ࣜࣜ
CMMI requires evidences of
achieving goals. A type of evidence
can be a record. Records are
maintained as reports,
management records, meeting
minutes. These records should be
stored as an appropriate type in
process assets libraries.
4.2.5 Process assets management
Organizations shall establish and maintain process asset libraries that
contain quality management system, measurements, documents,
records.
OPD SP
1.5-1
Organizations shall make work products, measurements,
improvement instruction, documented experiences derived from
organizational activities to be contained in process asset libraries for
continuous contribution to process assets.
IPM SP 1.
5-1
GP 3.2
Organizations shall add data
derived from projects or
organizational process execution
into process assets continuously.
This satisfies IPM SP 1.5-1 and
GP 3.2
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
6. 3.6. Discussion
Our integrated Model is expected to be useful to
ISO registered organizations that plan to adopt CMMI
in two ways.
First, it is expected to be useful to gap analysis.
Because the model is based on concise N-N mapping
and describes differences between CMMI practices
and ISO 9001:2000 requirements, organizations will
be able to perceive without difficulty the gap between
the organizations’ status according to ISO 9001:2000
and CMMI as demonstrated by the integrated model.
Second, it will help to write out a quality manual.
A quality manual contains contents of a quality
management system in an organization. When CMMI
is introduced into an organization, process changes
will need to be reflected into the organization’s quality
manual. As the structure of the quality manual is
generally the same as ISO 9001:2000, it will be easy
to reflect the changes in organization’s quality manual
by using the integrated model written in the structure
of ISO 9001:2000 when introducing CMMI.
Organizations can easily distinguish what is in the
integrated model but not in the quality manual.
An example of writing out a quality manual by
using the integrated model can be summarized as
follows. Table 5 shows the 4.3 clause in the integrated
model. This clause contains contents of DAR in
CMMI and is not contained in ISO 9001:2000.
Organizations can add this clause next to the 4.2
clause in the quality manual as shown in Table 6.
Table 5. Clause 4.3 of the integrated model
4.3 Decision analysis and resolution requirements
An organization shall perform decision analysis and
resolution for critical decision items.
Selecting decision items shall conform to documented
guidelines.
Selected decision items shall be evaluated by evaluation
criteria, appropriate alternatives shall be selected by
evaluation results. Decision analysis and resolution shall
contain next activities.
a) Establishing and maintaining criteria for evaluation of
alternatives and relative importance of criteria
b) Identifying alternative solutions treating problems
c) Selecting evaluation methods.
d) Evaluating alternative solutions by using established
criteria and methods
e) Selecting a solution from alternatives based on evaluation
criteria
Table 6. Example of quality manual
corresponding to 4.3 clause
in the integrated model
4.3 Decision analysis and resolution requirements
Each chief of department guarantee that formal decision
analysis is performed for every important decision item. Each
chief of department guarantee that selected decision items
are evaluated by evaluation criteria, appropriate alternatives
are selected by evaluation results.
Selecting decision items conform to guidelines for selecting
decision items.
Decision analysis and resolution conform to decision analysis
and resolution guidelines.
Related documents:
(1) Decision analysis and resolution procedure documents
(2) Guidelines for selecting decision items
4. Related work
There are fewer studies on the comparison of ISO
9001:2000 with CMMI on the comparison of ISO
9001:1994 with SW-CMM. Because of ISO 9001:2000
and CMMI, there have been less comparison done
between ISO 9001:1994 and SW-CMM. But since
these studies can provides hints to understanding the
relationships between ISO 9001:2000 and CMMI, we
present some related studies below.
M.C. Paulk compared ISO 9001:1994 with SW-
CMM to answer the following questions[8][9]
• At what level in the CMM would an ISO 9001-
compliant organization be?
• Can a level 2(or 3) organization be considered
compliant with ISO 9001?
• Should a software-quality-management and process-
improvement efforts be based on ISO 9001 or on the
CMMI?
This study shows that SW-CMM has more
requirements than ISO 9001:1994 when ISO
9001:1994 is mapped onto SW-CMM. He further
asserts that ISO 9001:1994 compliant organization
should satisfy most of the level 2 and many of the level
3 goals in CMMI. Figure 3 shows ISO 9001 compliant
organization’s level of satisfaction of SW-CMM.
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
7. Figure 1. Key process area profile for an ISO
9001-compliant organization[8][9]
P. Jalote proposed a way for transitioning from ISO
9001:1994 to SW-CMM level 4 based on actual
organization’s experience of transitioning[10]. In this
study, he pointed out that simple mapping between
ISO 9001:1994 and SW-CMM are not useful to field
staffs and it is useful to describe what additional
things to do for typical ISO 9001 compliant
organization transitioning to SW-CMM.
Works on simultaneously implementing ISO
9001:2000 and CMMI have been conducted by B.
Mutafelija and H. Stromberg[5]. In these works, they
insisted that CMMI satisfied most of ISO 9001:2000
requirements, and so, proposed a way of introducing
two frameworks simultaneously by implementing
CMMI and adding new requirements for ISO
9001:2000. Figure 4 illustrates how CMMI process
areas are mapped to ISO 9001:2000. For example,
ISO 9001:2000’s 6th clause, resource management
has some of its contents mapped onto CMMI’s OPF,
OPD and PP process areas. This method focuses on
CMMI organization adopting the ISO 9001:2000
rather than ISO registered organization adopting
CMMI. Therefore it is not useful to ISO registered
organization that intends to introduce CMMI.
B. Mutafelija and H. Stromberg also studied about
the mapping between ISO 9001:2000 and CMMI[1].
They explain that a mapping should be subjective and
according to granularity of mapping, degree of
correspondence is different. In this work, practices of
CMMI are mapped to requirements of ISO 9001:2000.
And mechanically inverted mapping is also provided.
Figure 2. Mapping CMMI process areas
according to clauses of ISO 9001:2000[5]
5. Conclusion
In this paper, we proposed an integrated model by
inserting CMMI practices into ISO 9001:2000
requirements. We expect that this model will be
helpful to ISO registered organizations as it will allow
existing ISO assets to be re-used without redundant
efforts. In addition, the model will help organizations
to perform gap analysis and maintain their quality
manual without any difficulty when adopting CMMI.
And, even if an organization does not have ISO
registration but plans to adopt CMMI only, the
organization will be able to implement ISO 9001:2000
and CMMI simultaneously by this integrated model.
In future research, we plan to conduct experiments to
confirm how effective this model will be real
application..
6. References
[1] B. Mutafelija and H. Stromberg, Mappings of ISO
9001:2000 and CMMI Version 1.1,
http://www.sei.cmu.edu/cmmi/adoption, July 2003.
[2] Department of Trade and Industry, British Standards
institute, The TickIT Guide Issue 5, London-DISC TickIT
Office, 2001.
[3] ISO, Quality management and quality assurance
standards ˂ Part 3: Guidelines for the application of ISO
9001:1994 to the development, supply, installation and
maintenance of computer software, ISO 9000-3, 1997.
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE
8. [4] M. B. Chrissis, M. Konrad and S. Shrum, CMMI ˀ
Guidelines for Process Integration and Product
Improvement, Addison-Wesley, 2003.
[5] B. Mutafelija and H. Stromberg, Systematic Process
Improvement Using ISO 9001:2000 and CMMI, Artech
House, 2003.
[6] M. C. Paulk, C. V. Weber and B. Curtis, The Capability
Maturity Model for Software, Addison-Wesley, 1995.
[7] W. Humphrey. "Characterizing the software process : A
maturity framework", IEEE Software, Vol.5, No.2, pp.73-79,
Mar. 1988.
[8] M. C. Paulk, "Comparing ISO 9001 and the capability
maturity model for Software", Software Quality Journal, Vol.
2, No. 4, pp.245-256, Dec. 1993.
[9] M. C. Paulk, "How ISO 9001 Compares with the CMM",
IEEE Software, Vol.12, No.1, pp.74-83, Jan. 1995.
[10] P. Jalote, CMM in Practice: Processes for Executing
Software Projects at Infosys (The SEI Series in Software
Engineering), Addison-Wesley, 1999.
Proceedings of the 11th Asia-Pacific Software Engineering Conference (APSEC’04)
1530-1362/04 $ 20.00 IEEE