Thursday, March 8, 2007

Can VER and CM Audits Satisfy PPQA Requirements?

Dear Appraiser,

Our current PPQA processes are currently under a process improvement review cycle in preparation for Level 3. Through some internal discussions, a few of us believe we can satisfy PPQA requirements, minus PPQA of PPQA, through the Verification (Peer Review) and Configuration Management (CM Audit) activities. What are your thoughts, pitfalls with this approach?

- Detroit

It's nice to see a neighbor on the blog! I'm from Detroit (although you wouldn't know it from all my trips to the airport).

Satisfy PPQA through VER and CM Audits? Hmmmm. You might be on to something. As the SEI always tells us, that depends.

First I would want to understand the scope of both your VER and CM processes. VER is normally performed as a "qualitative review" of work products (no, it's not just testing) including both code and all other non-code work products and requires peer reviews. CM, of course, is the infrastructure you use to manage storage and revision control of all your work products (both code and non-code). A "typical" CM audit audits these mechanics . . . are labels created, are versions correct, are the changes controlled?

PPQA, on the other hand, is more complex than it sounds and is more "quantitative". PPQA.SP1.1 tells us to evaluate "the Process" itself to determine if it is appropriate, where SP1.2 is directed at process performance and work products. If you're a "deliverable-based" organization, and if you keep a detailed CM plan, and if your CM Audits include those things (and all the details associated with them) AND your work products faithfully reflect process execution, then I could see where SP1.2 might be satisfied. But what about 1.1 (and 2.x as well)? How would you evaluate the process itself, as well as "provide objective insight?" I suppose if your CM process adds in all of those "features" (remember, this is a "Process Product" we are talking about) then it could satisfy the PPQA goals, but at that point you have a PPQA process, don't you?

What about objectivity? Is your CM and VER process performed objectively (i.e., not by anyone who might want to influence the results)? If not, then the "spirit" of PPQA would not be satisfied. The VER Peer Review Goal is by definition not objective because it is performed by "peers."

I think you're on the right track from the perspective that you're seeking to "combine" process areas to be more process-efficient, thereby reducing overhead. I like that idea and encourage you to do more of that.

Pitfalls? The biggest one of all is to misinterpret the complexity, effort, and uniqueness of PPQA, and thereby underestimate its scope. It's by far the greatest cause of appraisal "failures" according to the SEI. As a Lead Appraiser I can confirm their findings.

Your best bet is to ask an expert to evaluate your VER and CM process independently and determine if you're interpreting PPQA appropriately. You don't want to find out about a PPQA weakness at your Level 3 Appraisal.

Best of luck!


Lovina said...

I don't quite agree with your comment that PPQA SP 1.1 expects to evaluate the process sufficiency. The title of SP1.1 does say "Objectively evaluate processes" but remember titles are model components that are 'informative'. It is the italicized text right after the title that is 'expected' and is a true reflection of the practice requirements.

It says "Objectively evaluate the designated performed processes against the applicable process descriptions, standards and procedures". So, in essence SP1.1 does not expect to evaluate if the process is good enough. It expects to evaluate if the process as-performed is in accordance with the process as-defined.

Anonymous said...


I don't think I agree with you. The text you refer to is indeed expected, but you have to understand the informative material to really understand the intent behind the practice statement itself.

Your statement would be easier for me to accept if it were not for that pesky part about "applicable process descriptions, standards, and procedures."

SP1.1 (together with SP1.2 to support it) is not intended to evaluate the processes in a vacuum - just say what you do and do what you say - it is the opposite. What you do AND what you say you do has to be evaluated in context of the "applicable" standards, which in this case I read to be the CMMI itself.