Our current PPQA processes are currently under a process improvement review cycle in preparation for Level 3. Through some internal discussions, a few of us believe we can satisfy PPQA requirements, minus PPQA of PPQA, through the Verification (Peer Review) and Configuration Management (CM Audit) activities. What are your thoughts, pitfalls with this approach?
It's nice to see a neighbor on the blog! I'm from Detroit (although you wouldn't know it from all my trips to the airport).
Satisfy PPQA through VER and CM Audits? Hmmmm. You might be on to something. As the SEI always tells us, that depends.
First I would want to understand the scope of both your VER and CM processes. VER is normally performed as a "qualitative review" of work products (no, it's not just testing) including both code and all other non-code work products and requires peer reviews. CM, of course, is the infrastructure you use to manage storage and revision control of all your work products (both code and non-code). A "typical" CM audit audits these mechanics . . . are labels created, are versions correct, are the changes controlled?
PPQA, on the other hand, is more complex than it sounds and is more "quantitative". PPQA.SP1.1 tells us to evaluate "the Process" itself to determine if it is appropriate, where SP1.2 is directed at process performance and work products. If you're a "deliverable-based" organization, and if you keep a detailed CM plan, and if your CM Audits include those things (and all the details associated with them) AND your work products faithfully reflect process execution, then I could see where SP1.2 might be satisfied. But what about 1.1 (and 2.x as well)? How would you evaluate the process itself, as well as "provide objective insight?" I suppose if your CM process adds in all of those "features" (remember, this is a "Process Product" we are talking about) then it could satisfy the PPQA goals, but at that point you have a PPQA process, don't you?
What about objectivity? Is your CM and VER process performed objectively (i.e., not by anyone who might want to influence the results)? If not, then the "spirit" of PPQA would not be satisfied. The VER Peer Review Goal is by definition not objective because it is performed by "peers."
I think you're on the right track from the perspective that you're seeking to "combine" process areas to be more process-efficient, thereby reducing overhead. I like that idea and encourage you to do more of that.
Pitfalls? The biggest one of all is to misinterpret the complexity, effort, and uniqueness of PPQA, and thereby underestimate its scope. It's by far the greatest cause of appraisal "failures" according to the SEI. As a Lead Appraiser I can confirm their findings.
Your best bet is to ask an expert to evaluate your VER and CM process independently and determine if you're interpreting PPQA appropriately. You don't want to find out about a PPQA weakness at your Level 3 Appraisal.
Best of luck!