I recently updated the matrix I use to visualize the average of all my CMMI-based initial assessments in Europe. In any assessment I assign each CMMI practice a value of 0 if the practice was characterized as not implemented, a value of 2 if it was characterized as fulfilled, and a value in between for the other characterizations.

For each CMMI practice I sum up all values and divide the result by the number of assessments in which this practice has been characterized.

The pattern in the first line of this matrix, i.e., the Requirements Management (REQM) line, did not change:

REQM SP 1.1, 1.2 and 1.3 have values slightly below 2, i.e., the practices addressing basic requirements activities, including handling changes to requirements, are implemented adequately in most organizations.

Weaker, at slightly above 1, is SP 1.4 (bidirectional traceability). I have not verified it, but I suspect that the value would be much closer to 0 if I only summed up assessments outside the automotive industry, where Automotive SPICE is not required.

Most organizations have shown an issue with REQM SP 1.5 (coordination between project work and requirements). The value of this practice is very close to 0 in my matrix.

That means organizations with no or very little experience with CMMI did not do enough to ensure that the developed products comply with the specified requirements.

These organizations effectively did nothing to ensure that all requirements are implemented and that no non-required functionality is included in the product.

In such an assessment I then mostly ask the organization what they do to ensure that their products do not contain backdoors or, even worse, malware. Typically they answer with a very vague statement; very honest and open organizations answer with

"Nothing".

Some organizations try to save the situation by telling me that they have taken out product liability insurance for this and that therefore this practice is covered by risk management.

Nice try, which at least shows that a fundamental principle of CMMI was rudimentarily understood.

I then continue to ask whether this insurance pays even in the case of gross negligence. Almost always this is excluded in the contract.

If one considers that this requirement was already contained in the predecessor of CMMI, the SW-CMM, since 1995, my impression now is that after more than 20 years this practice is state of the art. Therefore not implementing it is definitely at least gross negligence.

If this risk becomes a problem, the only hope is that the insurer or the judge does not know CMMI or does not recognize this practice as state of the art.

If you have followed the news in the last months, delivery of malware is now a significant risk. And a failure to comply with legal and regulatory requirements can be quite expensive and uncomfortable for a company.

What is the implementation status of CMMI's REQM SP 1.5 in your organization?

What do you think: is REQM SP 1.5 adequately implemented in a company if the following sentences can be read in the resignation letter of its CEO?

"I am shocked by what has happened in the past few days. I am especially stunned that offenses of this scope within the Volkswagen Group were possible." (Martin

Article by Gerhard Fessler
