As ISO 9001 certification dies on the vine, the victim of an increasingly corrupt certification system and a decreasingly useful standard, companies are looking for alternatives. ISO 9001 was never intended to guarantee quality, sure, but the fact that illegal drug smugglers are now boasting ISO 9001 certification has to give one pause: is this really something companies want to align themselves with? It’s largely understood that the primary motivator for ISO 9001 certifications now is “customer mandate” — your top customers tell you to obtain it, so you do — rather than process improvement. But what if you could respond to your customers that you have something even better than ISO 9001?
An alternative process improvement scheme called “CMMI” has been patiently sitting in the wings, growing incrementally in numbers and exponentially in reputation. The Capability Maturity Model Integration, originally developed by Carnegie Mellon University and the Software Engineering Institute, spent an incredible amount of time creating a “model” or “framework” intended to improve processes for software development, and then silently expanded this to one that can now be used in three key areas: the development of a product or service (CMMI-DEV), the delivery of a service (CMMI-SVC) or the execution of acquisition and purchasing activities (CMMI-ACQ).
CMMI Appraisals, Not Audits
Whereas ISO 9001 provides binary pass-fail audit resulting in a certificate that must be reissued annually, and which is managed by a highly conflicted set of auditors, registrars and accreditation bodies, CMMI results in a “Maturity Level” (ML) rating. The ratings are issued after a formal audit — called an “appraisal” in CMMI parlance — with the entire activity overseen by the CMMI Institute.
Every company starts automatically at ML1, indicating an immature company operating in ad hoc chaos. Most companies operate normally at ML 2, but few would pursue an official rating at this level. Instead, almost all companies enter CMMI seeking an ML of 3, with some pursuing the higher grade of 4. A level 5 is feasible, but represents an “excellence model” which is very, very hard to obtain. Unlike ISO and the IAF which are willing to allow registrars to issue certificates to anyone, using raw total certificate numbers as a means of marketing, CMMI cracked down on companies who had obtained ML5 and clearly didn’t deserve it. The Institute is protecting its brand integrity, rightfully so.
Slowly, government contracts are introducing CMMI Maturity Levels into their requirements for bidding, taking out the older callouts for ISO 9001 certification. Typically an ML of 3 is fine, and if the government doesn’t indicate a level, ML3 is assumed.
Furthermore, a company can elect to pursue an ML in any — or all — of the three models: CMMI-DEV, CMMI-SVC or CMMI-ACQ. For those that pursue DEV, there’s even a mini “add-on” that bolts on some additional requirements for service provision, for those that don’t want to pursue a full “dual constellation” rating of both DEV and SVC. It’s very flexible that way.
Strategic Investment for Real Process Improvement
The overall structure of a CMMI implementation looks like that for ISO 9001: the company obtains a copy of the standard (in this case, the appropriate CMMI “model”), conducts training and implementation (often with the help of a consultant like Oxebridge), and then undergoes a formal audit (“appraisal,” as I said earlier.) But that’s about where the similarities end.
A CMMI implementation is not for the faint of heart. Moreover, it’s a significant strategic investment. Whereas a typical ISO 9001 implementation may cost $20 – 25K, with another $5K for the resulting audits and fees, CMMI runs at a much higher investment level, approaching and often exceeding $100K. This sticker shock is the primary deterrent for companies pursuing CMMI right now, next to CMMI’s obscurity. Often companies don’t want to pay that much for something they say no one has ever heard of.
But whereas ISO 9001 is rife with conflicts of interest, and registrars issue certs to anyone (did I mention an illegal drug smuggling ring?), this isn’t possible in the CMMI scheme. The CMMI Institute guards its reputation carefully, along with its trademark and licensing rights. You can’t simply call yourself a CMMI consultant, for example, without having some of the official (and expensive) CMMI training. Appraisers (auditors) have to undergo further training and testing, and the pool is shockingly small, especially for those qualified to audit ML4 or ML5. This makes them expensive.
The modular structure of each CMMI model provides “Process Areas” which are not at all similar to ISO 9001’s idea of processes, and which causes a lot of confusion as a result. Instead, the “PAs” can be thought of as collections of requirements. The higher the ML you select, the more PA’s are required, which provides another rationale for starting at ML3. Again, the PAs defined in the higher ML levels of 4 and 5 approach Baldridge-style “excellence model” requirements which may be out of reach for some companies.
The company decides which model it will adopt, and then which ML it will pursue. This gives the company tremendous flexibility to tailor its approach to its specific products or services, as well as its own maturity. CMMI doesn’t come in and “do an audit” which determines the final rating; the company decides what rating it will pursue, and then undergoes the appropriate audit. It’s feasible to fail an audit at one ML and still pass at a lower ML, however, but those rules get complicated.
The process demands, per the CMMI rules, that the company undergo some minimum training. Appraisals typically occur at three stages, each called a SCAMPI (Standard CMMI Appraisal Method for Process Improvement.) The initial SCAMPI audit is called SCAMPI C, which is a preliminary gap analysis; a SCAMPI B is then conducted to assess readiness for the final appraisal, which is the SCAMPI A. Only during the “A” appraisal is the final rating assessed and granted. While only SCAMPI A is required, companies that don’t undergo the B and C appraisals risk losing their entire investment if they fail the SCAMPI A.
And, yes, you can fail. This isn’t the ISO scheme, where registrars will print a certificate if your check clears. CMMI does not play like that.
As a result, a typical CMMI implementation looks something like this:
- Company downloads the appropriate model(s) – (CMMI-DEV, CMMI-SVC or CMMI-ACQ)
- Company undergoes initial rough training (one day) and defines a Process Action Team (roughly like a Steering Committee)
- Company undergoes initial rough implementation of known gaps.
- PAT members undergo official CMMI “Introduction” training, for each model selected
- SCAMPI C provides more structured gap analysis
- Company undergoes further implementation and closure of identified gaps.
- Company selects appraisal team (minimum of 4 auditors is required), and undergoes official CMMI Appraisal Team Training
- Company undergoes pre-SCAMPI B readiness review
- SCAMPI B provides formal appraisal to determine if company is ready for final SCAMPI A
- Company undergoes final implementation steps
- SCAMPI A appraisal is performed
- Final rating awarded
One caveat: the models recently underwent an update to version 2.0, and not all of the supporting rules are fully baked yet, so some of the steps above may yet be tweaked by the Institute. Even seasoned CMMI experts are still studying the new 2.0 appraisal rules, which can be complex.
Where CMMI gets weird, is that the model and structure is nearly quantum, and presents itself in two planes at once: it’s strict and structured, but also gives tremendous freedom to the implementing company. For example, the rules allow the Appraiser to be a consultant, helping the company implement the model, without a conflict of interest. This is because the final SCAMPI A is so highly structured, and dependent on “artifacts” (evidence) to prove compliance, your consultant can’t degrade the process if he or she wanted to. The final audit requires, as I said, a team of appraisers, and consensus has to be reached between them, always based on the volume or veracity of the evidence. It’s very, very hard to corrupt the final process, unlike ISO 9001 which starts from a conflicted position and then only worsens.
A Very Different Animal
The focus during the final appraisal is on how processes performed on certain pre-selected projects; these can be product design projects, manufacturing projects, or service delivery projects. The company selects a handful of these projects at the onset, and then focuses its implementation of CMMI on those projects; there’s no need to implement the CMMI model across all offerings. (Under the 2.0 models, however, the Institute may be choosing the projects, so expect changes in this approach.)
Another area where CMMI deviates from ISO 9001 is the longer-lasting effect of the implementation. Whereas the “copy and paste” nature of ISO 9001 is easy to drift from in less than a single year, the process improvements driven by CMMI are often permanently embedded into the company; you have to go out of your way to deviate from them, once they’re implemented. This results in a more meaningful, long-term set of improvements that go far beyond a “certificate on the wall.”
Next, you’re not subject to re-audits every 6 or 12 months, like those of ISO 9001. To maintain a CMMI rating, a company undergoes a new SCAMPI audit at the three-year mark, instead. (This, too, may change under 2.0.) This is much less costly than the initial effort, of course, since the training and preparation were already completed. This reduces the overall cost of CMMI so that over time, it becomes competitive with the never-ending costs associated with recurring ISO audits and their related expenses. Some companies have saved money just on the differences in hotel expenses for auditors alone.
Unlike ISO which has no central registry to verify a company’s certification status, the results of CMMI are published in a public registry, called PARS. ISO’s decades-long failure to create a single registry has allowed counterfeiters and certificate mill registrars to thrive, printing fake certificates to anyone who wants one. That’s not possible under CMMI, since every one of the world’s appraisal results is logged and easily confirmed via a single registry. You can’t have unaccredited certificate mills in the CMMI scheme, and when they try to pop up, the CMMI Institute has aggressive legal actions it can take to shut them down.
Not Just for Software
CMMI began as the “CMM” (Capability Maturity Model) and was designed specifically for software developers; it was even developed by Carnegie Mellon’s Software Enterprise Institute. When the CMM converted to CMMI, it attempted to dip a toe in the waters of manufacturing, but hadn’t caught on. With recent updates, including a coming 2.0 release of the CMMI models, manufacturing is no longer ignored. Those that design a product can pursue CMMI-DEV, and those that provided a product can pursue CMMI-SVC. In fact, a manufacturing company can make either DEV or SVC work for them, and even both if they want to pursue a dual-constellation rating.
Because the SCAMPI appraisals focus on given projects, it’s useful if the company has a single product or product family that it can assign as a “project” for CMMI’s purposes. Since most manufacturers focus on a certain type of product (“circuit boards,” “food packaging,” or “airplane components”) it’s just a matter of terminology. You would not need to follow a single product from beginning to end to provide CMMI readiness, but instead treat the product family as the project.
In some ways, manufacturers have it easier; CMMI requires ongoing quality assurance checks, which can sometimes flummox software developers who don’t follow standard design methodologies, or who get “too agile for Agile.” Manufacturers are already used to living with QA, and so this is an easy walk for them.
The hardest part of implementing CMMI in a hardware manufacturing environment is interpreting the models and their unique language. The jargon and phrasing used by CMMI is nothing like that of ISO, nor many other standards developers, and requires parsing. This is where the use of a consultant is critical, unfortunately. Many companies can implement ISO 9001 without ever hiring a third party to help; that’s rare in the CMMI world.
A manufacturer who achieves CMMI has to be ready with an information campaign to clearly explain just how CMMI exceeds the requirements of ISO 9001. It’s likely your customers have not heard of CMMI, or still remember it as a software-only tool. Once the process is explained, buyers are more likely to accept CMMI as a “better than” replacement for their standard ISO 9001 requirement. Furthermore, customers can clearly verify the status of a CMMI appraisal via the PARS portal, whereas under ISO 9001 they hope the copy of the certificate you send is valid, without any way of knowing for sure.
Pilot Clients Sought
As part of its new push to have CMMI make inroads in the management system certification scheme, Oxebridge is seeking pilot clients within the manufacturing sector for its CMMI implementation programs. Prior certification to ISO 9001 is not required, but having an already-compliant QMS does help reduce some effort for implementing CMMI.
Oxebridge partners with official CMMI Institute licensed trainers to provide the necessary training, and then can assist during SCAMPI audits. (Just getting Appraisal Team credentials was a five-year slog!) We then provide the necessary consulting and gap closure to ensure each of the necessary Process Areas is fully realized.
For more information on this pilot program, reach out, and I will get back to you with answers to any other questions you may have.
Also, watch for coming white papers on applying CMMI in a manufacturing environment, with an emphasis on aerospace companies. We may be the only consulting firm tackling this, and you’ll want to get it all from the horse’s mouth.*
(*CMMI not available for horse farmers.)
CORRECTION 2/12/2019: An earlier version of this article indicated the CMMI Models were free; as of version 2.0, the CMMI Institute now sells the models under a licensing agreement and v2.0 models are not free. V1.3 models are free to download, however. V1.3 model use will remain in effect and valid until at least 2023.