- Whistleblower Hotline
- Request Quote
Welcome to The O-Forum! Read this first! Then, feel free to introduce yourself here! If you need immediate, real-time support for the Oxebridge ISO 9001 or AS9100 Template Kits, click here to join our Slack chat channel.
As ISO 9001 certification dies on the vine, the victim of an increasingly corrupt certification system and a decreasingly useful standard, companies are looking for alternatives. ISO 9001 was never intended to guarantee quality, sure, but the fact that illegal drug smugglers are now boasting ISO 9001 certification has to give one pause: is this really something companies want to align themselves with? It’s largely understood that the primary motivator for ISO 9001 certifications now is “customer mandate” — your top customers tell you to obtain it, so you do — rather than process improvement. But what if you could respond to your customers that you have something even better than ISO 9001?
An alternative process improvement scheme called “CMMI” has been patiently sitting in the wings, growing incrementally in numbers and exponentially in reputation. The Capability Maturity Model Integration, originally developed by Carnegie Mellon University and the Software Engineering Institute, spent an incredible amount of time creating a “model” or “framework” intended to improve processes for software development, and then silently expanded this to one that can now be used in three key areas: the development of a product or service (CMMI-DEV), the delivery of a service (CMMI-SVC) or the execution of acquisition and purchasing activities (CMMI-ACQ).
CMMI Appraisals, Not Audits
Whereas ISO 9001 provides binary pass-fail audit resulting in a certificate that must be reissued annually, and which is managed by a highly conflicted set of auditors, registrars and accreditation bodies, CMMI results in a “Maturity Level” (ML) rating. The ratings are issued after a formal audit — called an “appraisal” in CMMI parlance — with the entire activity overseen by the CMMI Institute.
Every company starts automatically at ML1, indicating an immature company operating in ad hoc chaos. Most companies operate normally at ML 2, but few would pursue an official rating at this level. Instead, almost all companies enter CMMI seeking an ML of 3, with some pursuing the higher grade of 4. A level 5 is feasible, but represents an “excellence model” which is very, very hard to obtain. Unlike ISO and the IAF which are willing to allow registrars to issue certificates to anyone, using raw total certificate numbers as a means of marketing, CMMI cracked down on companies who had obtained ML5 and clearly didn’t deserve it. The Institute is protecting its brand integrity, rightfully so.
Slowly, government contracts are introducing CMMI Maturity Levels into their requirements for bidding, taking out the older callouts for ISO 9001 certification. Typically an ML of 3 is fine, and if the government doesn’t indicate a level, ML3 is assumed.
Furthermore, a company can elect to pursue an ML in any — or all — of the three models: CMMI-DEV, CMMI-SVC or CMMI-ACQ. For those that pursue DEV, there’s even a mini “add-on” that bolts on some additional requirements for service provision, for those that don’t want to pursue a full “dual constellation” rating of both DEV and SVC. It’s very flexible that way.
Strategic Investment for Real Process Improvement
The overall structure of a CMMI implementation looks like that for ISO 9001: the company obtains a copy of the standard (in this case, the appropriate CMMI “model”), conducts training and implementation (often with the help of a consultant like Oxebridge), and then undergoes a formal audit (“appraisal,” as I said earlier.) But that’s about where the similarities end.
A CMMI implementation is not for the faint of heart. Moreover, it’s a significant strategic investment. Whereas a typical ISO 9001 implementation may cost $20 – 25K, with another $5K for the resulting audits and fees, CMMI runs at a much higher investment level, approaching and often exceeding $100K. This sticker shock is the primary deterrent for companies pursuing CMMI right now, next to CMMI’s obscurity. Often companies don’t want to pay that much for something they say no one has ever heard of.
But whereas ISO 9001 is rife with conflicts of interest, and registrars issue certs to anyone (did I mention an illegal drug smuggling ring?), this isn’t possible in the CMMI scheme. The CMMI Institute guards its reputation carefully, along with its trademark and licensing rights. You can’t simply call yourself a CMMI consultant, for example, without having some of the official (and expensive) CMMI training. Appraisers (auditors) have to undergo further training and testing, and the pool is shockingly small, especially for those qualified to audit ML4 or ML5. This makes them expensive.
The modular structure of each CMMI model provides “Process Areas” which are not at all similar to ISO 9001’s idea of processes, and which causes a lot of confusion as a result. Instead, the “PAs” can be thought of as collections of requirements. The higher the ML you select, the more PA’s are required, which provides another rationale for starting at ML3. Again, the PAs defined in the higher ML levels of 4 and 5 approach Baldridge-style “excellence model” requirements which may be out of reach for some companies.
The company decides which model it will adopt, and then which ML it will pursue. This gives the company tremendous flexibility to tailor its approach to its specific products or services, as well as its own maturity. CMMI doesn’t come in and “do an audit” which determines the final rating; the company decides what rating it will pursue, and then undergoes the appropriate audit. It’s feasible to fail an audit at one ML and still pass at a lower ML, however, but those rules get complicated.
The process demands, per the CMMI rules, that the company undergo some minimum training. Appraisals typically occur at three stages, each called a SCAMPI (Standard CMMI Appraisal Method for Process Improvement.) The initial SCAMPI audit is called SCAMPI C, which is a preliminary gap analysis; a SCAMPI B is then conducted to assess readiness for the final appraisal, which is the SCAMPI A. Only during the “A” appraisal is the final rating assessed and granted. While only SCAMPI A is required, companies that don’t undergo the B and C appraisals risk losing their entire investment if they fail the SCAMPI A.
And, yes, you can fail. This isn’t the ISO scheme, where registrars will print a certificate if your check clears. CMMI does not play like that.
As a result, a typical CMMI implementation looks something like this:
One caveat: the models recently underwent an update to version 2.0, and not all of the supporting rules are fully baked yet, so some of the steps above may yet be tweaked by the Institute. Even seasoned CMMI experts are still studying the new 2.0 appraisal rules, which can be complex.
Where CMMI gets weird, is that the model and structure is nearly quantum, and presents itself in two planes at once: it’s strict and structured, but also gives tremendous freedom to the implementing company. For example, the rules allow the Appraiser to be a consultant, helping the company implement the model, without a conflict of interest. This is because the final SCAMPI A is so highly structured, and dependent on “artifacts” (evidence) to prove compliance, your consultant can’t degrade the process if he or she wanted to. The final audit requires, as I said, a team of appraisers, and consensus has to be reached between them, always based on the volume or veracity of the evidence. It’s very, very hard to corrupt the final process, unlike ISO 9001 which starts from a conflicted position and then only worsens.
A Very Different Animal
The focus during the final appraisal is on how processes performed on certain pre-selected projects; these can be product design projects, manufacturing projects, or service delivery projects. The company selects a handful of these projects at the onset, and then focuses its implementation of CMMI on those projects; there’s no need to implement the CMMI model across all offerings. (Under the 2.0 models, however, the Institute may be choosing the projects, so expect changes in this approach.)
Another area where CMMI deviates from ISO 9001 is the longer-lasting effect of the implementation. Whereas the “copy and paste” nature of ISO 9001 is easy to drift from in less than a single year, the process improvements driven by CMMI are often permanently embedded into the company; you have to go out of your way to deviate from them, once they’re implemented. This results in a more meaningful, long-term set of improvements that go far beyond a “certificate on the wall.”
Next, you’re not subject to re-audits every 6 or 12 months, like those of ISO 9001. To maintain a CMMI rating, a company undergoes a new SCAMPI audit at the three-year mark, instead. (This, too, may change under 2.0.) This is much less costly than the initial effort, of course, since the training and preparation were already completed. This reduces the overall cost of CMMI so that over time, it becomes competitive with the never-ending costs associated with recurring ISO audits and their related expenses. Some companies have saved money just on the differences in hotel expenses for auditors alone.
Unlike ISO which has no central registry to verify a company’s certification status, the results of CMMI are published in a public registry, called PARS. ISO’s decades-long failure to create a single registry has allowed counterfeiters and certificate mill registrars to thrive, printing fake certificates to anyone who wants one. That’s not possible under CMMI, since every one of the world’s appraisal results is logged and easily confirmed via a single registry. You can’t have unaccredited certificate mills in the CMMI scheme, and when they try to pop up, the CMMI Institute has aggressive legal actions it can take to shut them down.
Not Just for Software
CMMI began as the “CMM” (Capability Maturity Model) and was designed specifically for software developers; it was even developed by Carnegie Mellon’s Software Enterprise Institute. When the CMM converted to CMMI, it attempted to dip a toe in the waters of manufacturing, but hadn’t caught on. With recent updates, including a coming 2.0 release of the CMMI models, manufacturing is no longer ignored. Those that design a product can pursue CMMI-DEV, and those that provided a product can pursue CMMI-SVC. In fact, a manufacturing company can make either DEV or SVC work for them, and even both if they want to pursue a dual-constellation rating.
Because the SCAMPI appraisals focus on given projects, it’s useful if the company has a single product or product family that it can assign as a “project” for CMMI’s purposes. Since most manufacturers focus on a certain type of product (“circuit boards,” “food packaging,” or “airplane components”) it’s just a matter of terminology. You would not need to follow a single product from beginning to end to provide CMMI readiness, but instead treat the product family as the project.
In some ways, manufacturers have it easier; CMMI requires ongoing quality assurance checks, which can sometimes flummox software developers who don’t follow standard design methodologies, or who get “too agile for Agile.” Manufacturers are already used to living with QA, and so this is an easy walk for them.
The hardest part of implementing CMMI in a hardware manufacturing environment is interpreting the models and their unique language. The jargon and phrasing used by CMMI is nothing like that of ISO, nor many other standards developers, and requires parsing. This is where the use of a consultant is critical, unfortunately. Many companies can implement ISO 9001 without ever hiring a third party to help; that’s rare in the CMMI world.
A manufacturer who achieves CMMI has to be ready with an information campaign to clearly explain just how CMMI exceeds the requirements of ISO 9001. It’s likely your customers have not heard of CMMI, or still remember it as a software-only tool. Once the process is explained, buyers are more likely to accept CMMI as a “better than” replacement for their standard ISO 9001 requirement. Furthermore, customers can clearly verify the status of a CMMI appraisal via the PARS portal, whereas under ISO 9001 they hope the copy of the certificate you send is valid, without any way of knowing for sure.
Pilot Clients Sought
As part of its new push to have CMMI make inroads in the management system certification scheme, Oxebridge is seeking pilot clients within the manufacturing sector for its CMMI implementation programs. Prior certification to ISO 9001 is not required, but having an already-compliant QMS does help reduce some effort for implementing CMMI.
Oxebridge partners with official CMMI Institute licensed trainers to provide the necessary training, and then can assist during SCAMPI audits. (Just getting Appraisal Team credentials was a five-year slog!) We then provide the necessary consulting and gap closure to ensure each of the necessary Process Areas is fully realized.
For more information on this pilot program, reach out, and I will get back to you with answers to any other questions you may have.
Also, watch for coming white papers on applying CMMI in a manufacturing environment, with an emphasis on aerospace companies. We may be the only consulting firm tackling this, and you’ll want to get it all from the horse’s mouth.*
(*CMMI not available for horse farmers.)
CORRECTION 2/12/2019: An earlier version of this article indicated the CMMI Models were free; as of version 2.0, the CMMI Institute now sells the models under a licensing agreement and v2.0 models are not free. V1.3 models are free to download, however. V1.3 model use will remain in effect and valid until at least 2023.
Regarding those Boeing 737 Max 7’s: I wonder if Boeing still is of the ‘opinion’ that CMMI is better than ISO9001 or is it just less costly?
Boeing Integrated Defense Systems Achieves Full CMMI Level 5 Certification at 7 Major Sites
Boeing [NYSE: BA] Integrated Defense Systems has achieved CMMI Level 5 ratings in all four areas of assessment — software and systems engineering; integrated product and process development; and supplier sourcing — at seven of the company’s major U.S. sites.
This moves the company into an industry-leading position as Boeing has the greatest number of certified sites in all four assessed disciplines.
The Software Engineering Institute (SEI) appraisal, known as the Capability Maturity Model Integration (CMMI), is an industry-recognized standard for benchmarking process integration and improvement in systems engineering; software engineering; integrated product and process development, and supplier selection management process disciplines. The certification process is recognized as a best practice in both the commercial and defense industries. Achieving a CMMI Level 5 appraisal provides insight into a company’s ability to execute on proposed projects, thereby reducing risk and required oversight by the customer.
“Integrated Defense Systems set the goal of achieving CMMI Level 5 because this certification is becoming a competitive discriminator in today’s market,” said John Tracy, IDS vice president of engineering. “It also is a customer prerequisite for many of our complex integration programs. We have held ourselves to the high standard of achieving a Level 5 rating in all four areas of assessment because we knew this would give our customers greater confidence in our commitment to continuous improvement and our ability to deliver quality systems.”
To date, the IDS sites certified at CMMI Level 5 in all four categories are Anaheim, Huntington Beach, Long Beach and Seal Beach, Calif.; Huntsville, Ala.; the Boeing Air Force Systems site in Washington’s Puget Sound region; and Wichita, Kan. Also, the IDS sites in Philadelphia and El Segundo, Calif., have attained Level 5 certification in two of the four assessed disciplines, and other assessments are also underway. For Boeing, site certification means that multiple key programs at each site are individually certified, and that other site-based activities perform to a similar level of continuous process discipline and improvement. A number of independent third-party assessor organizations conducted the certification audits at these sites.
Approximately 385 organizations worldwide have gone through the official Standard CMMI Appraisal Methodology for Process Improvement assessment. To date, Boeing sites comprise the majority that have achieved the Software Engineering Institute’s CMMI Level 5 rating in all four categories of the full CMMI…
That was from 2005. The CMMI Institute later realized companies were being given ML 5 like candy, and pulled them. Now barely any companies have it. This will get even harder under CMMI 2.0. I don’t know for sure if Boeing lost theirs, but I imagine they did. I can poke around to confirm.
If Boeing surrendered or lost their CMMI status then they should let the public know. As it sits now it appears that as a result of using an inferior system (CMMI) aircraft went down and people died. Unfortunately I have become very cynical in that I believe strongly that Canadian and American businesses will do,anything, anything at all, to save money and increase profits even if the lives of the unsuspecting public are risked. If CMMI is less expensive business will use it if they can get away with it. As I see it CMMI is an inferior “quality system” developed by non-Europeans to compete with the tried and true ISO (equal) 9001 standards. Will the rest of the world accept CMMI? I doubt it very much. So if a company wants to do business in Europe stick with ISO.
First, the plant at the heart of the 737MAX design issues does not appear to have had CMMI, nor ISO 9001 nor AS9100. I confirmed with two Boeing reps that they only declare “compliance” with the standards, and don’t get certified to them. I don’t think that plant EVER had CMMI.
Second, ISO 9001 was developed from the US Dept. of Defense standard MIL-Q-9858. The brits took it from NATO and then adapted it for the electronics industry; BSI then turned it into a certification standard in order to sell certs, and ISO jumped on board with that. But the text is adapted from MIL-Q-9858.
Third, CMMI is far more expensive than ISO 9001. It’s also not suited for manufacturing, which is what I am working on doing.
Fourth, CMMI has about 8,000 appraisals issued right now, and the bulk are in China and US, but with healthy representation throughout Europe.
Finally, there’s no requirement to obtain ISO 9001 in order to do business in Europe. I thought we debunked that myth back in the 1990s.
The main crippling factor for CMMI is the cost. It will run at least $100,000 to get appraised, and more than that if the scope is complex. US companies don’t want to pay $20K for ISO 9001, so they are not about to go to CMMI for $100K if they can avoid it, even if it might work better for them in the long run.