DNV: Improving software life cycle programmes using IT risk management
In recent years, software development processes have become a core element in agile, market-focused organisations. These processes – and their continued improvement - are seen as vital in cutting operational costs or maintaining margins in highly competitive, globalised markets. Over the same timeframe, safety critical systems used in different energy and process industries sectors are recognised as essential in providing a range of mission-critical safety and process monitoring requirements.
Because of IT’s growing role in organisations – securing efficient operational processes, providing data for effective decision-making and supporting critical tasks - software development is rightly being recognised one of the core assets of many companies. And while such IT-dependent processes and systems are vital for operational efficiency and to develop safe products, they nevertheless effectively increase those processes’ overall complexity and their potential to be a source of vulnerability in the business. This is particularly true when business processes are changed, whether in response to new safety legislation in a particular industry or when internal processes are adapted to better meet market needs.
Failure of IT-dependent processes and applications may lead to system failure, critical business consequences and potentially catastrophic incidents. Recent years have seen disastrous process breakdowns including lack of connectivity for teams that need 24/7 online access to services and information security leaks where loss of client information has damaged an organisation’s overall integrity. Process failures have seen telecommunications providers’ call switching systems fail, effectively bringing down entire networks, while safety-critical incidents have included malfunctioning car airbags that have compromised driver safety.
As leading organisations’ management teams fully recognise the value of continuous software improvement processes in improving efficiency or safety critical operations, they are starting to look more closely at ways to fully integrate and refine these processes into their businesses’ operations. In addition, they are examining their main suppliers to see how they understand and conform to the norms they apply to their own software development processes.
Application life cycle development
To get on the path to eradicating process failures, organisations need to adopt a holistic approach to application life cycle management. They need to ensure that their software development should meet best practices in both development process and project requirements. Focusing on software components in isolation is no longer considered sufficient to ensure product quality or performance excellence against global competitors that have overturned traditional cost and quality assumptions. Companies need to formalise and improve the way that they acquire, develop and maintain their IT-dependent, high integrity systems.
There are clearly many different approaches to resolving such performance improvement issues. Among them, ISO 9001 or market specific standards specifies minimum acceptable quality levels and compliance levels. Arguably more practical and long-term process improvement thinking comes from Capability Maturity Models Integrated (CMMI). These models not only outlinine the necessary tools, but also the internal reorganisation and the personnel skills behaviour and knowledge that companies need to be acquire for virtuous software life cycles to be established and the risks associated with IT investments to be mitigated.
Through a five stage methodology, CMMI envisages process life cycles that move from an initial level where they are chaotic and not repeatable, to a second repeatable level. In the third, defined level, software processes are standardised through greater documentation and integration through the entire organisation, to the fourth managed level where the organisation uses data collection and analysis to monitor and statistically control processes. In the fifth optimising level, continuous monitoring feedback inspires innovative processes and technology choices to better serve organisations’ development needs.
Benchmarking improvement
The Capability Maturity Model Integration (CMMI) model provides the tools for effective process improvement. This is because it addresses multiple disciplines – software, systems, hardware and acquisition – across the organisation. It also identifies the key parameters for process improvement. Organisations can then benchmark their operations against CMMI models using Standard CMMI Appraisal Method for Process Improvement (SCAMPI). This methodology highlights maturity level ratings, the necessary process improvements and the evaluation of suppliers needed by the management and software specialists alike in the improvement-focused organisation.
Adoption of “holistic” maturity models is a considerable undertaking for any organisation’s management, personnel and its supply chains. Process improvement specialists can advise in the key areas needed to build organisations’ capabilities so they can progress towards particular maturity levels - or improve aspects of their processes to prepare for such an undertaking. In this vein, systems and software process improvement experts as well as change management specialists can also help organisations to improve the process of system inception, development and its maintenance. Gradually as a process’s capability increases, it becomes measurable and repeatable: manufacturers can eliminate causes of poor quality and productivity and better control production costs. As a result, the company’s production operations align themselves more closely with the overall business needs.
Skills acquisition
Another vital element in building effective software life cycles is building the skills of IT and software engineering departments to embed improvement thinking across their organisation and its business processes. Improvement specialists provide consultancy and personnel training in the different areas of capability maturity information management, IT architecture, and knowledge management. Applied as part of a holistic company-wide maturity model, these improvements can reduce staff training, appraisal costs as well as the maintenance of redundant processes.
For specialist market sectors such as energy and process, all of which are dependent on safety-critical organisational processes, organisations will place special emphasis on continual analysis and refinement of safety and information security procedures. Organisations need to ensure that their process improvement models meet relevant industry and safety analysis frameworks.
Life cycles: efficiency and predictability?
Process improvement is to embed knowledge and tools to define, visualise, measure, report and improve software life cycle development and embedded systems. Global organisations need to apply IT risk management through the use of capability maturity models, to better understand their processes’ variability and whether adjustments to those processes are necessarily advantageous. Organisations that ensure the efficiency and predictability of high integrity IT-dependent processes and software, will not only reduce risk, they will maximise their business opportunities.