Thursday, November 03, 2005

What is CMM (SEI Capability Maturity Model)?

According to the Carnegie Mellon University Software Engineering Institute, CMM is a common-sense application of software or business process management and quality improvement concepts to software development and maintenance. Its a community-developed guide for evolving towards a culture of engineering excellence, model for organizational improvement. The underlying structure for reliable and consistent software process assessments and software capability evaluations.

The Capability Maturity Model for Software (CMM) is a framework that describes the key elements of an effective software process. There are CMMs for non software processes as well, such as Business Process Management (BPM). The CMM describes an evolutionary improvement path from an ad hoc, immature process to a mature, disciplined process. The CMM covers practices for planning, engineering, and managing software development and maintenance. When followed, these key practices improve the ability of organizations to meet goals for cost, schedule, functionality, and product quality. The CMM establishes a yardstick against which it is possible to judge, in a repeatable way, the maturity of an organization's software process and compare it to the state of the practice of the industry. The CMM can also be used by an organization to plan improvements to its software process. It also reflects the needs of individuals performing software process, improvement, software process assessments, or software capability evaluations; is documented; and is publicly available.

The Five Maturity Levels described by the Capability Maturity Model can be characterized as per their primary process changes made at each level as follows:

1) Initial The software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort and heroics.
2) Repeatable Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
3) Defined The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. All projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.
4) Managed Detailed measures of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled.
5) Optimizing Continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

The structure of the Capability Maturity model is as shown below:

At the Optimizing Level or the CMM level5, the entire organization is focused on continuous Quantitative feedback from previous projects is used to improve the project management, usually using pilot projects, using the skills shown in level 4. The focus is on continuous process improvement.

Software project teams in SEI CMM Level 5 organizations analyze defects to determine their causes. Software processes are evaluated to prevent known types of defects from recurring, and lessons learned are disseminated to other projects. The software process capability of Level 5 organizations can be characterized as continuously improving because Level 5 organizations are continuously striving to improve the range of their process capability, thereby improving the process performance of their projects. Improvement occurs both by incremental advancements in the existing process and by innovations using new technologies and methods.

Previously known as Key Process Area (KPA)

A process area (PA) contains the goals that must be reached in order to improve a software process. A PA is said to be satisfied when procedures are in place to reach the corresponding goals. A software organization has achieved a specific maturity level once all the corresponding PAs are satisfied. The process areas (PA's) have the following features:

1) Identify a cluster of related activities that, when performed collectively, achieve a set of goals considered important for enhancing process capability.

2) Defined to reside at a single maturity level.

3) Identify the issues that must be addressed to achieve a maturity level.

The different maturity levels have different process areas pre-defined as shown in the figure above. The SEI CMMI Level 5 has 3 PA's defined:

Process change management: To identify the causes of defects and prevent them from recurring.
Technology change management: To identify beneficial new technology and transfer them in an orderly manner
Defect prevention: To continually improve the process to improve quality, increase productivity, and decrease development time.

The purpose of Process Change Management is to continually improve the software processes used in the organization with the intent of improving software quality, increasing productivity, and decreasing the cycle time for product development. When software process improvements are approved for normal practice, the organization's standard software process and the projects' defined software processes are revised as suited.

The goals sought to achieve are as follows:

Continuous process improvement is planned.
Participation in the organization's software process improvement activities is organization wide.
The organization's standard software process and the projects defined software processes are improved continuously.

These defined standards give the organization a commitment to perform because:

The organization follows a written policy for implementing software process improvements.
Senior management sponsors the organization's activities for software process improvement.

The ability of the organization to perform transpires because:

Adequate resources and funding are provided for software process improvement activities.
Software managers receive required training in software process improvement.
The managers and technical staff of the software engineering group and other software-related groups receive required training in software process improvement.
Senior management receives required training in software process improvement.

Capability Maturity Model (CMM) Process Area (PA) Activities

The Process Area Activities performed include:
* A software process improvement program is established which empowers the members of the organization to improve the processes of the organization.
* The group responsible for the organization's software process activities coordinates the software process improvement activities.
* The organization develops and maintains a plan for software process improvement according to a documented procedure.
* The software process improvement activities are performed in accordance with the software process improvement plan.
* Software process improvement proposals are handled according to a documented procedure.
* Members of the organization actively participate in teams to develop software process improvements for assigned process areas.
* Where appropriate, the software process improvements are installed on a pilot basis to determine their benefits and effectiveness before they are introduced into normal practice.
* When the decision is made to transfer a software process improvement into normal practice, the improvement is implemented according to a documented procedure.
* Records of software process improvement activities are maintained.
* Software managers and technical staff receive feedback on the status and results of the software process improvement activities on an event-driven basis.

The primary purpose of periodic reviews by senior management is to provide awareness of, and insight into, software process activities at an appropriate level of abstraction and in a timely manner. The time between reviews should meet the needs of the organization and may be lengthy, as long as adequate mechanisms for exception reporting are available.

The Capability Maturity Model has been criticized in that, that it does not describe how to create an effective software development organization. The traits it measures are in practice very hard to develop in an organization, even though they are very easy to recognize. However, it cannot be denied that the Capability Maturity Model reliably assesses an organization's sophistication about software development.

The CMM was invented to give military officers a quick way to assess and describe contractors' abilities to provide correct software on time. It has been a roaring success in this role. So much so that it caused panic-stricken salespeople to clamor for their engineering organizations to "implement CMM" with CMM level 5 being the ultimate.

Wednesday, November 02, 2005

Capability Maturity Model aka (CMM)

The Capability Maturity Model (CMM) is a method for evaluating and measuring the maturity of the software development process of organizations on a scale of 1 to 5. The CMM was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh. It has been used extensively for avionics software and for government projects since it was created in the mid-1980s. The Software Engineering Institute has subsequently released a revised version known as the Capability Maturity Model Integration (CMMI).

The purpose of CMM Integration is to provide guidance for improving your organization’s processes and your ability to manage the development, acquisition, and maintenance of products or services.

Levels of the CMM

(See chapter 2 of (March 2002 edition of CMMI^SM from SEI), page 11.)

There are five levels of the CMM. According to the SEI, "Predictability, effectiveness, and control of an organization's software processes are believed to improve as the organization moves up these five levels. While not rigorous, the empirical evidence to date supports this belief."

1 - Initial

At maturity level 1, processes are usually ad hoc and chaotic. The organization usually does not provide a stable environment. Success in these organizations depends on the competence and heroics of the people in the organization and not on the use of proven processes. In spite of this ad hoc, chaotic environment, maturity level 1 organizations often produce products and services that work; however, they frequently exceed the budget and schedule of their projects.
Maturity level 1 organizations are characterized by a tendency to over commit, abandon processes in the time of crisis, and not be able to repeat their past successes.

2 - Repeatable

At maturity level 2, Software development successes are repeatable. The organization may use some basic project management to track cost and schedule.
Process discipline helps ensure that existing practices are retained during times of stress. When these practices are in place, projects are performed and managed according to their documented plans.
Project status and the delivery of services are visible to management at defined points (for example, at major milestones and at the completion of major tasks).

3 - Defined

At maturity level 3, processes are well characterized and understood, and are described in standards, procedures, tools, and methods.
The organization’s set of standard processes, which is the basis for level 3, is established and improved over time. These standard processes are used to establish consistency across the organization. Projects establish their defined processes by tailoring the organization’s set of standard processes according to tailoring guidelines.
The organization’s management establishes process objectives based on the organization’s set of standard processes and ensures that these objectives are appropriately addressed.
A critical distinction between level 2 and level 3 is the scope of standards, process descriptions, and procedures. At level 2, the standards, process descriptions, and procedures may be quite different in each specific instance of the process (for example, on a particular project). At level 3, the standards, process descriptions, and procedures for a project are tailored from the organization’s set of standard processes to suit a particular project or organizational unit.

4 - Managed

Using precise measurements, management can effectively control the software development effort. In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications.
Subprocesses are selected that significantly contribute to overall process performance. These selected subprocesses are controlled using statistical and other quantitative techniques.
A critical distinction between maturity level 3 and maturity level 4 is the predictability of process performance. At maturity level 4, the performance of processes is controlled using statistical and other quantitative techniques, and is quantitatively predictable. At maturity level 3, processes are only qualitatively predictable.

5 - Optimizing

Maturity level 5 focuses on continually improving process performance through both incremental and innovative technological improvements. Quantitative process-improvement objectives for the organization are established, continually revised to reflect changing business objectives, and used as criteria in managing process improvement. The effects of deployed process improvements are measured and evaluated against the quantitative process-improvement objectives. Both the defined processes and the organization’s set of standard processes are targets of measurable improvement activities.
Process improvements to address common causes of process variation and measurably improve the organization’s processes are identified, evaluated, and deployed.
Optimizing processes that are agile and innovative depends on the participation of an empowered workforce aligned with the business values and objectives of the organization. The organization’s ability to rapidly respond to changes and opportunities is enhanced by finding ways to accelerate and share learning.
A critical distinction between maturity level 4 and maturity level 5 is the type of process variation addressed. At maturity level 4, processes are concerned with addressing special causes of process variation and providing statistical predictability of the results. Though processes may produce predictable results, the results may be insufficient to achieve the established objectives. At maturity level 5, processes are concerned with addressing common causes of process variation and changing the process (that is, shifting the mean of the process performance) to improve process performance (while maintaining statistical probability) to achieve the established quantitative process-improvement objectives.

Recent versions of CMMI from SEI indicate a "level 0", characterized as "Incomplete". Many observers leave this level out as redundant or unimportant, but Pressman and others make note of it. See page 18 of the August 2002 edition of CMMI from SEI (Note: PDF file).

Anthony Finkelstein extrapolated that negative levels, or the Capability Immaturity Model, are necessary to represent environments that are not only indifferent, but actively counterproductive, and this was refined by Tom Schorsch:

CMM level 0 (negligent)

CMM level -1 (obstructive)

CMM level -2 (contemptuous)

CMM level -3 (undermining)

Do not completely agree.

Some praise of the CMM

The CMM was developed to give Defense organizations a yardstick to assess and describe the capability of software contractors to provide software on time, within budget, and to acceptable standards. It has arguably been successful in this role, even reputedly causing some software salespeople to clamour for their organizations' software engineers/developers to "implement CMM."
The CMM is intended to enable an assessment of an organization's maturity for software development. It is an important tool for outsourcing and exporting software development work. Economic development agencies in India, Ireland, Egypt, and elsewhere have praised the CMM for enabling them to be able to compete for US outsourcing contracts on an even footing. Whilst this may have been very positive for the employment of software engineers in emerging or Third World economies - notably in India during the early 2000s - it is regarded as having adversely affected the potential employment opportunities for software engineers in the developed economies - notably the USA and Europe. This outsourcing is a form of labor arbitrage which is similar to the movement of manufacturing of (for example) fashion clothing or Nike shoes to Third World economies with relatively cheap labor rates.
It is reputed that IBM, Motorola, Logica, BT, and others have discovered the following:
- It takes 18 months on average to move up one SEI level, but it has been done in 8 (refer XXX? to substantiate this).
- Defect rates can be lowered from 1 per 1,000 lines of code (said to be typical of Microsoft and its peers) down to 1 per 1,000,000 lines - this is roughly Six Sigma quality; refer also relevant Deming references (NB: Deming was not a proponent of Six Sigma per se, and advised against the use of any slogans for process quality improvement).(refer XXX? to substantiate this)
- There is no specific evidence for shortening "time to market", but there is (refer XXX? to substantiate this) for increasing the accuracy of estimating completion date from 75% overruns on average at level 1, to plus or minus 2% at level 5.
- Data on productivity increases is more variable, but it is at least (refer XXX? to substantiate this) a doubling of productivity.

Some criticism of the CMM

CMM has failed to take off the world over. It's hard to tell exactly how wide spread it is as the SEI only publishes the names and achieved levels of compliance of companies that have requested this information to be listed (http://www.sei.cmu.edu/cmmi/faq/ares-faq.html#RATE03). The most current Maturity Profile for CMMI is available at http://www.sei.cmu.edu/appraisal-program/profile/pdf/CMMI/2005marCMMI.pdf)
No external body actually certifies a software development center as being CMM compliant. It is supposed to be an honest self-assessment. http://www.sei.cmu.edu/cmmi/faq/ares-faq.html#APR04 and http://www.sei.cmu.edu/cmmi/faq/ares-faq.html#APR05
The CMM does not describe how to create an effective software development organization. The CMM contains behaviors or best practices that successful projects have demonstrated. Being CMM compliant is not a guarantee that a project will be successful, however being compliant can increase a project's chances of being successful.
The CMM can seem to be overly bureaucratic, promoting process over substance. For example, for emphasizing predictability over service provided to end users. More commercially successful methodologies (for example, the Rational Unified Process) have focused not on the capability of the organization to produce software to satisfy some other organization or a collectively-produced specification, but on the capability of organizations to satisfy specific end user "use cases" as per the Object Management Group's UML (Unified Modeling Language) approach. [1].cccc

The most beneficial elements of CMM Level 2 and Level 3

Creation of Software Specifications, stating what it is that is going to be developed, combined with formal sign off, an executive sponsor and approval mechanism. This is NOT a living document, but additions are placed in a deferred or out of scope section for later incorporation into the next cycle of software development.
A Technical Specification, stating how precisely the thing specified in the Software Specifications is to be developed will be used. This is a living document.
Peer Review of Code (Code Review) with metrics that allow developers to walk through an implementation, and to suggest improvements or changes. Note - This is problematic because the code has already been developed and a bad design can not be fixed by "tweaking", the Code Review gives complete code a formal approval mechanism.
Version Control - a very large number of organizations have no formal revision control mechanism or release mechanism in place.
The idea that there is a "right way" to build software, that it is a scientific process involving engineering design and that groups of developers are not there to simply work on the problem du jour.

References:

CMMI Official Web Site
A Whitepaper on CMMi Implementation
CMMi Automation Software
A critical look at implementing CMM Level 2
http://www.cio.com/archive/030104/cmm.html [CIO Article, Beware the CMM Hype]

: Name: hungle; Location: Hồ Chí Minh, Sài gòn, Vietnam

Hey ! Arigato gozaimasu ! I'm a software developer working for a Belgium Company Pyramid Consulting Viet Nam located at an offshore development center in Ho Chi Minh city, Viet Nam. I'm current holding MCP, MCAD, MCSD certifications from Microsoft .Net Frame Work track and being a gold member of MSDN Connection Viet Nam. You can reach me at hung.le.NoSpam.pyramid-consulting.com, and my yahoo IM at work tetsuyanomura81, and also join my contributing for asp.net forum, my nick is lethanhhung.

View my complete profile

Recent reading