As we have seen so far, there are various ways we can ensure quality in our projects, but how do we evaluate whether the quality system we pick is effective? This becomes more of a concern if one organization needs to contract its work to another and needs to know whether the contractor will be able to provide quality services and products. This need for the quality system to be auditable necessitates the use of a Quality Management System (QMS).
A QMS is a set of standards that defines how an organization can meet the requirements of its customers and other stakeholders. Quality standards are a set of guidelines, rather than actual standards, that have been widely accepted in the software industry with defined processes and evaluation metrics to help improve the quality of software. The motivation for the selection of a standard is left to the business and the management to decide. Once certified, it is imperative to have the quality plan in place based on the certification that is opted for.
All quality standards have the same underlying principles:
- Well-defined processes to develop software
- Aligning people with processes to synergize and promote commitment to the quality-improvement program
- Enforcing the requirement to produce documentation for each process
Thus, processes should be used as facilitators for quality improvement rather than a hindrance. It is the management's responsibility to foster a culture within the organization that works within the well-defined framework for development while promoting incentives to drive quality at every step of the development process.
There are several software-engineering standards that have been developed by major standardization and certification bodies. The ISO 9000 and Capability Maturity Model Integration (CMMI) are the most widely-used international standards in software-engineering and product-development organizations. Let's look at them in detail to understand how implementing standards can help an organization to ensure quality.
ISO 9000 is a set of standards defined by ISO. If an organization needed to be certified, it would certify for the latest standard, ISO 9001:2015, which replaced the previous version, ISO 9001:2008. ISO 9001:2015 provides guidelines that drive continual improvement for an organization.
This latest update is based on the High-Level Structure (HLS)—Annex SL, which helps organizations incorporate more than one management system into core business processes and make efficiencies.
The ISO 9001:2015 standard specifies 10 clauses, as summarized in the following points:
- Clause 1 (Scope): Explains what the standard is for and what it encompasses. The scope clause covers the following aspects:
- The goals and objectives of the standard to understand the expectations of the certifying organization
- The approach and reference to customer requirements
- The approach and reference to regulatory or statutory requirements
- The applicability of the standard requirements, since they are applicable to all sorts of organizations, regardless of their type, size, or the products and services being provided
- Clause 2 (Normative references): Includes the terms, principles, fundamental concepts, and vocabulary that are essential for the application of the ISO 9001 standard. It also provides references to other documentation to assist in complying with the requirements of the ISO 9001 standard.
- Clause 3 (Terms and definitions): Specifies the terms and definitions given in the ISO 9000:2015 that apply to ISO 9001. This clause helps to clarify unfamiliar terms and resolves unnecessary disputes or conflicts.
- Clause 4 (Context of the organization): Establishes the context of the QMS. The organization achieves this by doing the following:
- Identifying relevant external—such as market-driven, local or global environments, and competition—and internal factors—such as values, culture, or the performance of the organization—that can affect the quality of the product being delivered.
- Establishing the requirements and expectations of all stakeholders.
- Determining the scope of the QMS; whether it needs to be implemented organization-wide or for relevant business functions.
- Establishing, maintaining, and continually improving the QMS using a process approach.
- Clause 5 (Leadership): Dictates the activities required from top management for the success of a QMS, as follows:
- Being actively engaged in the operation of the QMS and ensuring that it is embedded in the organization’s processes
- Direct and establish a quality policy that aligns with the business strategy to formalize the goals and commitment required from all parties
- Ensure that roles, responsibilities, and authorities are defined for all employees and that everyone involved is made aware of them
- Clause 6 (Planning): Focuses on creating an action plan to address risks and opportunities. It requires the organization to do the following:
- Understand the risks and opportunities relevant to the scope of the organization, as required in clause 4
- Establish clear, measurable, and documented quality objectives with an action plan to monitor, control, and communicate risks and opportunities effectively
- Create a change-management plan to carry out changes to the system in a systematic way
- Clause 7 (Support): Stresses the basic HLS clauses of bringing the right resources, the right people, and the right infrastructure, are as follows:
- Ensure adequate resources are provisioned, which includes employees, equipment, and IT systems
- Assess existing competence and fill gaps in competence with training and documentation
- Awareness about the quality policy is a must for all personnel, as there is also the need to understand the relevance of their roles and the implications of non-conformance
- Communication, both external and internal, is key to the success of the system; the organization needs to plan and implement an effective communication process
- Document information to demonstrate compliance in any format that suits the organization while implementing appropriate access controls for information security
- Clause 8 (Operation): Focuses on enabling the organization to meet customer requirements by executing plans and processes, as follows:
- Establish appropriate performance monitoring for the continual improvement of all functions
- Understand customer requirements for products and services through effective communication
- Create a design plan that includes all customer specifications, budget, drawings, and so on
- Require the organization to select, evaluate, and re-evaluate all external entities sourced for procuring processes, products, or services
- Clarity in product specification and evaluation to monitor whether the processes, products, or services being provided by the external entity conform to the customer's requirements
- The need for systematic planning and the execution of all production operations to ensure quality control and to demonstrate the capabilities to deliver consistently to meet customer expectations
- Monitor and measure products and/or services to verify conformance to customer requirements, and have the evidence duly documented by authorized personnel before the product or service is released to the customer
- The control of nonconforming output being released to the customer and the establishment of a course of action to handle nonconforming deliveries
- Clause 9 (Performance Evaluation): Details ways to measure and evaluate the QMS to ensure it is effective and sustainable:
- Utilize simple analysis methods, such as bar charts, or complex statistical process controls to analyze collected data to identify opportunities for improvement and to measure the effectiveness of the management system
- Establish a clear and consistent internal audit program to audit processes at regular frequencies to find nonconformities and trigger preventive measures for improvement
- Require top management to be involved in reviewing the quality-management system to ensure continuing suitability, adequacy, and effectiveness
- Clause 10 (Improvement): Requires the organization to determine and identify what improvement means with regard to the following cases:
- Establish means of improvement by reviewing processes, products, or services, and analyzing the results from the management system
- Begin corrective actions to prevent the recurrence of non-conformities by using root-cause analysis, problem-solving methods, and providing training to improve capabilities
- Build a feedback mechanism that requires the management system to utilize input such as corrective actions, internal audits, management reviews, and customer feedback for continual improvement
These clauses can be grouped in relation to Plan-Do-Check-Act (PDCA), since it is the operating principle of the ISO 9001 process approach, which drives continuous improvement in the organization. The PDCA principle combines planning, implementing, controlling, and improving the operations of a QMS, as shown in the following diagram:
Let's look at each stage of the PDCA cycle:
Here's an example of the PDCA cycle for an SQA team—if the team wanted to increase the number of defects detected in each release sprint by 20%, the team would create a plan for making changes to the processes, following which the changes would be made to the process, and the process would be executed. After execution, checking the results shows a defect detection ratio of 15%, which is then acted on to make further changes. This is then taken up in the next planning phase to plan defect-detection until the goal of 20% is reached.
CMMI is a set of guidelines that enable organizations to produce good-quality software and improve its performance. CMMI was developed mainly to assess an organization's ability to take on large development projects for the US Department of Defense.
CMMI released version 2 of the model in March 2018. This was an update from version 1.3. CMMI v2.0 is divided into 4 categories and 10 capabilities with 25 practice areas.
Now let's understand the categories and the practice areas:
- Doing: This category deals with designing and developing high-quality products that adhere to customer needs while reducing supply-chain risks. The doing stage includes four capabilities with 10 practice areas, as follows:
- Ensuring quality (ENQ):
- Developing and managing requirements: Obtaining requirements, ensuring the mutual understanding of stakeholders, and aligning requirements, plans, and work products.
- Process quality assurance: Verifying and enabling the improvement of the quality of the processes performed and the resulting products.
- Verification and validation: Processes for this practice area should do the following:
- Verify that the selected solutions and components meet their requirements
- Validate that the selected solutions and components fulfill their intended use in their target environments
- Peer review: Utilize subject matter experts (SMEs) and peers to review the product to identify and address issues.
- Engineering and Developing Products (EDP):
- Delivering and Managing Services (DMS):
- Selecting and Managing Suppliers (SMS):
- Ensuring quality (ENQ):
- Managing: This category deals with improving staff productivity while managing disruptions from the Porter’s Five Forces model to achieve speed-to-market. This category includes three capabilities with seven practice areas, as follows:
- Planning and Managing Work (PMW):
- Estimating: Forecasting the factors of the Iron Triangle needed to produce quality product or solution.
- Planning: Developing plans describing delivery processes based on the standards and constraints of the organization. This includes budget, schedule, and resources, as well as stakeholders and the development team.
- Monitor and Control: Tracking the project's progress to assert appropriate controls if the project deviates from the plan.
- Managing Business Resilience (MBR):
- Risk management and opportunity management: Identifying, recording, and managing potential risks and opportunities
- Incident resolution and prevention: Analyzing nonconformance to find the root cause and create a plan to prevent the event from recurring
- Continuity: Establishing contingency plans for sustaining operations during emergencies
- Managing the Workforce (MWF):
- Planning and Managing Work (PMW):
- Enabling: This category deals with securing stakeholder buy-in and assuring product integrity. It includes one capability with three practice areas, as follows:
- Supporting Implementation (SI):
- Causal analysis and resolution: Understanding the root cause of all results and acting to prevent the recurrence of nonconformities and/or acting to ensure conformities
- Decision analysis and resolution: Making and recording decisions using a recorded process that analyzes alternatives
- Configuration management: Managing the integrity of deliveries using version control, change control, and appropriate audit mechanisms
- Supporting Implementation (SI):
- Improving: This category deals with ensuring that performance goals support business needs while establishing sustainable efficiencies. It includes two capabilities and five practice areas, as follows:
- Improving Performance (IMP):
- Process management: Managing and implementing the continuous improvement of processes and infrastructure to identify the most beneficial process improvements that support accomplishing business objectives in a sustainable way
- Process asset development: Recording and maintaining the list of processes used to perform the work
- Managing performance and measurement: Managing performance using measurement and analysis to achieve business objectives
- Sustaining Habit and Persistence (SHP):
- Improving Performance (IMP):
Note
To learn more and get updates about the new CMMI v2.0, please visit https://www.cmmiinstitute.com/cmmi/model-viewer.
The previously-mentioned categories and process areas are basically factors to improve the business performance of an organization. The ranks at which these organizations would be at, based on how they have implemented those process areas, are called maturity levels.
The following diagram shows the levels of software-process maturity. Based on software-process maturity, an organization can be at one of these six maturity levels:
https://commons.wikimedia.org/wiki/File:Characteristics_of_Capability_Maturity_Model.svg
Let's look at these maturity levels in detail:
- Maturity Level 0 (Incomplete): Organizations at this level do not have any defined processes. These organizations usually work on ad hoc procedures, and any positive outcomes are the result of chance. Work in these organizations may or may not get completed.
- Maturity Level 1 (Initial): Organizations at this level are characterized by last-minute chaos in terms of delivery due to a lack of clarity. Work in these organizations gets completed but its success is dependent on one or a few highly competent people. In most cases, work is often delayed and over-budget.
- Maturity Level 2 (Managed): Organizations at this level follow a well-defined process at the project level. Every project is planned and executed in a systematic way. Every activity is measured and controlled to be managed and improved upon later.
- Maturity Level 3 (Defined): Organizations at this level have a well-defined process across the organization, and processes at the project level are derived from ones defined at the organizational level. These organizations have clearer definitions of processes compared to Level 2 organizations, and targets to achieve performance objectives at both the project and organization levels. Efforts are also made to measure and continuously improve process definitions.
- Maturity Level 4 (Quantitatively Managed): Organizations at this level build on Level 3 practices, and use statistical and other quantitative techniques to understand process performance and product quality. Utilizing scientific quantitative tools helps the organization identify and predict variations, which provides agility to improve and achieve quality and performance objectives.
- Maturity Level 5 (Optimizing): Organizations at Level 5 build on Level 4 practices and utilize quantitative techniques to continuously optimize their process and product performance. These organizations are flexible and able to pivot, thus providing a platform for agility and innovation.
I hope the introduction to QMS has sparked an interest in understanding and learning more about the management systems in place in your current organization.
Note
To learn more about maturity levels and the adoption of the CMMI in your organization, make sure to check out https://consulting.itgonline.com/cmmi-consulting/cmmi-v2/.
There are various ways in which continuous improvement can be achieved in either CMMI or ISO 9001:2015 implementations. You can also integrate business improvement processes, such as Six Sigma quality control or the Consortium for IT software Quality (CISQ) quality model. A clear understanding of business processes, and alignment with the company goals and objectives are necessary for the success of the system.