By Christopher Paris, VP Operations
In the software world, under a contract from the Department of Defense, Carnegie Mellon University launched a quality management system for software developers called the Capability Maturity Model (CMM), and then gave administration rights to the CMM to the Software Engineering Institute (SEI). Years later, this model was improved and renamed the CMMI (Capability Maturity Model Integration).
Not accidentally, the CMMI looks a lot like ISO 9001, but on steroids. The requirements for attaining CMMI are much more complex and rigorous than ISO 9001, and based on a tiered model which assesses a company’s capability maturity level. Most companies start at CMMI Level 2, indicating they are just a tad above being totally chaotic and ad hoc. Companies then strive to increase their CMMI level to prove higher levels of quality maturity.
Yes, this is a grossly understated explanation of the CMMI, but suits the point of this article.
There are a few problems with CMMI. First, it is run solely by SEI and therefore has all the problems of a monopoly – it’s massively expensive, with implementation services starting in the six-figure range easily, and with only one approved auditing body and auditor training provider – SEI. Yes, they perform both services and no one has called foul on the obvious conflict of interest, as they have in the ISO 9001 world, where auditor trainers and auditing bodies must be separate entities.
In short, nothing goes through CMMI without SEI. And there are no allowable competitors.
Secondly, it is very, very complex. Organizations without serious resources and the willingness to study – hard – will find implementing CMMI nearly impossible. A demand for CMMI to a small, underfunded company could well put them out of business.
But it may be inevitable. CMMI does not only apply to software developers and related areas of the software industry. With its popularity increasing, CMMI Level 2 requirements are popping up in more and more government contracts, even if the subcontractor may not really be a provider of software.
SEI has grown into three “constellations”: the original CMMI for Development, CMMI for Acquisition (CMMI-ACQ), released in late 2007, and now CMMI for Services (CMMI-SVC) released in February of 2009.
Even the original CMMI for Development may apply to any type of design and manufacturing organization, and likewise now the Services and Acquisitions adaptations. This means CMMI has already expanded outside of just software development.
Expect ISO 9001 to face stiff competition from this new “Cadillac” on the lot, even giving the cost and difficulty of CMMI. In the software world, it is already true that ISO 9001 is seen as “quaint” in comparison with CMMI. How long will it take for that thinking to seep into the automotive or aerospace industries?
(Answer: it already has. More and more NASA contracts are beginning to “suggest” CMMI.)
As far back as 2003, I saw this writing on the wall and gave a series of free lectures to ASQ chapters and anyone else who would listen, called “Ten Steps to Save ISO 9001.” You can download the original presentation as a PDF file here (675 kb).
This talk presented my statistical analysis of the official ISO Survey data, and proved that the adoption rate of ISO 9001 was declining (something ISO still refuses to acknowledge or report, even though we are now in negative territory, meaning more companies are dropping ISO 9001 than picking it up.) Along with that data, I presented a solution: take the best of the CMM / CMMI and create a new framework for ISO 9001 based on it.
In short this meant making ISO 9001 a Management Maturity Model. I then proposed “The M3 Initiative” – breaking ISO 9001 into two or three maturity levels, so that small machine shops with little oversight by their customers could put into place only key elements of ISO 9001 (say, inspection, testing, manufacturing controls, calibration), while more “mature” companies would implement additional requirements (internal auditing, management reviews), and fully mature companies adopting the entire standard (including preventive action and continual improvement.) A possible ISO 9001 “Level 4” would adopt Baldridge criteria. The market would drive what level would be best for each organization. This would have the twofold effect of making ISO 9001 more palatable to smaller companies who wanted less documentation and rigor in their QMS, thus increasing the adoption rate of ISO 9001 worldwide. Large contractors would then mandate certain levels of ISO 9001 to its suppliers, driving them towards the highest level they felt they needed of their supplier, thus doing away with the binary “certified or not-certified” nature of ISO 9001 which leads to a lot of very bad companies brandishing an ISO 9001 logo with aplomb.
As an aside, I even proposed a model of core ISO requirements, which could then be augmented with sector-specific requirements, thus doing away with the proliferation of sector standards we now see (AS9100, TS 16949, ISO 13485, etc.) Even environmental or safety modules could be attached easily, making ISO 9001 would truly universal, yet infinitely flexible.
This is, of course, exactly what CMMI is proving can be done, and they are successful with it, while ISO 9001 withers on the vine. But a true Management Maturity Model could be less difficult than CMMI, which is stuck under the monopolistic thumb of SEI, and their engineers. They have no reason to make CMMI easy, since they are the sole provider of training and certification courses. (Even “independent” CMMI consultants must be blessed by CMMI, or they risk trademark infringement and a lack of proper credentials. For auditors, an annual fee — in the thousands — is now being discussed as a requirement.)
The audiences of my presentations — comprised mostly of quality managers in ISO 9001 user companies — were always interested, even if registrars sniffed their noses at the idea, citing it all as too much work. (Never underestimate the laziness of certification bodies.) I decided to bring the discussion to two venues: the International Association of Accredited Registrars (IAAR) and the US TAG to ISO TC 176.
The IAAR is the professional industry group whose membership is comprised of many of the world’s accredited registrars, along with a representative of ANAB and its Canadian counterpart, SCC. My discussion was met with one large “feh”. It was abundantly clear that despite statistical evidence that ISO 9001 was declining, and a prediction of registar door-closing — something that came true just a few years later — no one in the room much cared to save their own jobs. So strange and paranoid was their response, the IAAR actually put me under a verbal embargo, indicating I could not tell or write any articles about my presentation to them. (I am pretty sure that after six years, that embargo no longer holds.)
When I joined the US TAG to ISO TC 176 – the group responsible for developing ISO 9001 itself, I gave a similar presentation. But it was put on the schedule as an off-agenda item, and was not attended by anyone in any power of the TAG — Jack West, Lori Hunt, etc. were all off doing their own things. So naturally, as shocked as my little audience was to hear that ISO 9001 was dying, and CMMI presented the way to fix it, my proposal never got put on the table as anything to take serious.
An interesting aside, though: my proposal was the initial driver which formed the sub-committee to create a crosswalk between ISO 9001 and the CMMI. I attended the first meeting, but not being an IT professional, I did not take a leadership role and as a result my name appears nowhere on the final document eventually released by SEI. I mention this only as evidence that my little discussion on the impending growth of CMMI and the things we can learn from it, had some impact in the ISO and CMMI worlds.
My appearance at the US TAG was too late to affect the upcoming revised standard which would later be released as ISO 9001:2008. It had already been decided that every other standard would be a major revision, and nothing should be done to tinker with the ISO 9001:2000 too much at that time. I then proposed that we adopt the maturity model concept for whatever would follow ISO 9001:2008 (presumably ISO 9001:2012). I received no support from the leadership, and I suspect that much of this was due to (a) an uncomfortable lack of familiarity with CMMI by the leadership, and (b) the natural tendency of the US TAG to move glacially slow and respond only to the direction given to it by 2 or 3 key members, all who have their own motivations.
In the long term, however, failing to adopt a maturity model to ISO 9001 will ultimately lead to the CMMI eclipsing it entirely. ISO may lose power as well, as there will be no reason whatsoever for SEI to let loose the reins of its monopoly and let ISO start making money selling CMMI standards. The entire US TAG — and the entire TC 176 — will be left out of the development of the next generation of quality management system standards. And what of ASQ? It will be spelled S – E – I.
As it did in 2004, my solution remains the same. TC 176 needs to stop work right now on whatever it is planning for 2012 (which, face it, won’t be released until 2014 at best anyway) — and start talking to smart folks about adopting a maturity model for ISO 9001 that not only re-popularizes the standard, but makes it easier and more accessible to organizations who so desperately need it. If any quality professionals or TAG members want to be purely selfish, they can view it as a way to save their lofty positions and lucrative book contracts.
Take the best of CMMI and apply it to ISO 9001, or CMMI will just take over ISO 9001.
Is anyone listening?
We will find out. A copy of this article is being sent to the International Accreditation Forum (IAF), ISO TC 176 leadership and Alka Jarvis, current Chair of the US TAG.
Anyone interested in a more detailed (albeit boring) model of what ISO 9001 would look like as a Management Maturity Model can download the original “10 Steps to Save ISO 9001” presentation and jump to page 51.
(Christopher Paris is VP Operations and founder of Oxebridge, having worked with ISO 9001 since its inception in 1988. To date he has personally implemented over 150 ISO 9001, AS9100 and related quality management systems.)
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
