Siksha Sarovar

Siksha Sarovar (sikshasarovar.com) is a free educational web application that helps students in India learn programming and prepare for academic and competitive exams. The platform offers structured coding courses (C, C++, Python, Java, HTML, CSS, PHP, Power BI, AI, Machine Learning, Data Science), complete university curriculum notes for BCA/MCA students with previous year question papers, Class 10 and Class 12 CBSE/HBSE school notes, and dedicated preparation material for SSC, UPSC, Banking, Railway and other government exams. Browsing the site is completely free and requires no account. Users may optionally sign in with Google solely to save their learning progress, quiz scores and personal preferences across devices.

3.2 Quality Management — SQA, TQM, ISO 9001, CMM/CMMI

Lesson 16 of 24 in the free Software Engineering notes on Siksha Sarovar, written by Rohit Jangra.

What is software quality?

Software quality is the degree to which the software meets specified requirements and meets customer needs and expectations.

Two views:

| View | Definition |
|---|---|
| Conformance to specification | Does it match the SRS? (producer view) |
| Fitness for use | Does it meet user needs? (consumer view) |

A product that conforms to specification but fails to meet user needs is a requirements failure. A product that meets needs but violates specification is a process failure. Both are quality problems.

---

McCall's Quality Factors (1977) — the classic model

McCall classified quality into three perspectives:

            ┌─────────────────┐
            │  Product Use    │   (how it is operated)
            │  Correctness    │
            │  Reliability    │
            │  Efficiency     │
            │  Integrity      │
            │  Usability      │
            └─────────────────┘
                    │
     ┌──────────────┼──────────────┐
     │                              │
┌─────────────┐              ┌─────────────────┐
│ Revision    │              │ Transition      │
│ (changes)   │              │ (move it)       │
│ Maintainab. │              │ Portability     │
│ Flexibility │              │ Reusability     │
│ Testability │              │ Interoperab.    │
└─────────────┘              └─────────────────┘

| Perspective | Quality Factors |
|---|---|
| Product Operation | Correctness, Reliability, Efficiency, Integrity, Usability |
| Product Revision | Maintainability, Flexibility, Testability |
| Product Transition | Portability, Reusability, Interoperability |

These 11 factors are the most-cited quality attributes in IPU exams.

---

ISO 9126 / 25010 — Modern quality model

The ISO/IEC 25010 standard (the current "Software Product Quality Model") lists 8 characteristics:

| Characteristic | Sub-characteristics |
|---|---|
| Functional suitability | Completeness, correctness, appropriateness |
| Performance efficiency | Time behaviour, resource utilisation, capacity |
| Compatibility | Co-existence, interoperability |
| Usability | Learnability, operability, error protection, accessibility |
| Reliability | Maturity, availability, fault tolerance, recoverability |
| Security | Confidentiality, integrity, non-repudiation, authenticity |
| Maintainability | Modularity, reusability, analysability, modifiability, testability |
| Portability | Adaptability, installability, replaceability |

Exam tip: McCall's model is older but appears more often in IPU papers. ISO 25010 is the modern industry standard.

---

Software Quality Assurance (SQA)

SQA is the systematic activity that ensures quality throughout the software process. SQA is preventive — it builds quality into the process, not just into the product.

SQA activities (IEEE 730)

  1. Standards definition and enforcement — coding, documentation, testing standards
  2. Reviews and audits — Fagan inspections, walkthroughs
  3. Testing oversight — verify test coverage and adequacy
  4. Defect tracking — log, categorise, trend-analyse
  5. Process improvement — adjust based on metrics
  6. Configuration management oversight
  7. Training — keep team current on standards and tools
  8. Reporting — quality status to management

SQA Plan structure

1. Purpose and Scope
2. Reference Documents
3. Management
   3.1 Organisation
   3.2 Tasks
   3.3 Responsibilities
4. Documentation Standards
5. Standards, Practices, Conventions, Metrics
6. Reviews and Audits
7. Test
8. Problem Reporting and Corrective Action
9. Tools, Techniques, Methodologies
10. Code Control / Media Control / Supplier Control
11. Records Collection, Maintenance, Retention
12. Training
13. Risk Management

---

SQA Group — independent oversight

In larger organisations, an SQA group sits outside the project team — reporting to senior management — to provide independent quality oversight. Their role:

  • Develop the SQA plan
  • Define standards and procedures
  • Conduct audits at milestones
  • Report quality status independently
  • Maintain quality metrics database

---

Quality Costs

Crosby (1979) and Juran identified four cost categories:

| Cost Type | Description | Example |
|---|---|---|
| Prevention | Building quality in | Training, code reviews, design walkthroughs |
| Appraisal | Measuring quality | Testing, inspections, audits |
| Internal failure | Defects found before delivery | Rework, retesting, root-cause analysis |
| External failure | Defects found after delivery | Customer support, lawsuits, recalls, reputation damage |

Crosby's insight: Prevention costs are the cheapest; external failure costs are catastrophic. The "1-10-100" rule: ₹1 spent on prevention saves ₹10 on appraisal and ₹100 on failure.

---

Total Quality Management (TQM)

TQM is a management philosophy (W. Edwards Deming, 1950s, Japan) that says quality is everyone's responsibility, achieved through continuous improvement (Kaizen).

Four pillars of TQM

  1. Customer focus — quality is defined by the customer
  2. Continuous improvement (Kaizen) — small improvements every day
  3. Employee empowerment — workers identify and fix problems
  4. Process orientation — improve the process, not just the output

PDCA cycle (Deming / Shewhart)

       Plan ───► Do
        ▲         │
        │         ▼
       Act ◄─── Check

  • Plan — design a change
  • Do — implement on a small scale
  • Check — measure results
  • Act — adopt, adjust, or abandon

Six Sigma — TQM's quantitative descendant

Motorola (1986) refined TQM into Six Sigma: target defect rate of 3.4 per million opportunities. Uses the DMAIC cycle (Define, Measure, Analyze, Improve, Control). Roles: Green Belts, Black Belts, Master Black Belts.

---

ISO 9001 / ISO 9000-3

The ISO 9000 family is the international standard for quality management systems.

| Standard | Topic |
|---|---|
| ISO 9000 | Vocabulary and concepts |
| ISO 9001 | Requirements (the certifiable standard) |
| ISO 9004 | Improvement guidelines |
| ISO 9000-3 | Software-specific guidelines |

ISO 9001 — 8 management principles

  1. Customer focus
  2. Leadership
  3. Engagement of people
  4. Process approach
  5. Improvement
  6. Evidence-based decision making
  7. Relationship management
  8. (Risk-based thinking — added in 2015 revision)

ISO 9001 certification is awarded by accredited auditors and renewed every 3 years. Indian software companies often hold ISO 9001 plus CMMI Level 5 plus ISO 27001 (security).

---

CMM and CMMI — Process Maturity Models

The Capability Maturity Model (CMM) — developed by the Software Engineering Institute (SEI) at Carnegie Mellon under Watts Humphrey (1989) — measures the maturity of a software organisation's process.

CMM Levels (5)

| Level | Name | Description |
|---|---|---|
| 1 | Initial | Process is chaotic, ad-hoc, hero-driven |
| 2 | Repeatable | Basic project management; can repeat earlier successes on similar projects |
| 3 | Defined | Standardised process for the whole organisation |
| 4 | Managed | Quantitatively managed using metrics |
| 5 | Optimising | Continuous process improvement |

Key Process Areas (KPAs) per level

| Level | KPAs |
|---|---|
| 2 | Requirements mgmt, project planning, project tracking, configuration mgmt, QA, supplier mgmt |
| 3 | Organisation process focus, process definition, training, integrated software mgmt, peer reviews |
| 4 | Quantitative process management, software quality management |
| 5 | Defect prevention, technology change management, process change management |

CMMI (Capability Maturity Model Integration)

CMM was extended in 2002 into CMMI, which integrates software, systems, hardware, services, and acquisition models. Levels are the same five, but with 22 process areas (e.g. CMMI for Development v2.0 / v3.0).

Famous fact: India has the largest number of CMMI Level-5 organisations in the world — Indian IT companies pursued CMMI certification aggressively in the 1990s–2000s as a competitive differentiator for outsourcing work.

---

Software Reviews, Walkthroughs, Inspections

Reviews are the most cost-effective way to find defects (Boehm: reviews cost 1/10th of testing per defect found).

| Technique | Style | When | Who |
|---|---|---|---|
| Peer review | Informal | Anytime | 2–4 peers |
| Walkthrough | Author-led overview | After completion | Team |
| Inspection (Fagan) | Formal, role-based, defect-focused | At milestones | Trained inspectors |

Fagan Inspection — five stages

  1. Planning — moderator schedules, distributes material
  2. Overview — author explains the artefact
  3. Preparation — each inspector reads independently, marks defects
  4. Inspection meeting — defects collected, not solutions
  5. Rework and follow-up — author fixes; moderator verifies

Why inspections beat testing

| Aspect | Inspection | Testing |
|---|---|---|
| Cost per defect found | ₹X | ~10×X |
| Stage applied | Early (design, code) | Late (after coding) |
| Types of defects | Conceptual, design | Behavioural |
| Coverage | Whole artefact | Only what is executed |

Inspections find ~60–80% of defects in code before testing.

---

Defect-removal efficiency (DRE)

DRE = Defects found before release / (Defects found before + after release)

Best-in-class teams achieve DRE > 95%.

---

Key Terms — Lesson 3.2

The terms below define the quality-management vocabulary tested in every Unit-III PYQ on SQA, TQM, ISO, and CMM/CMMI.

Software Quality — The degree to which software satisfies its specified requirements and meets the customer's actual needs and expectations. Combines the producer view ("conformance to specification") with the consumer view ("fitness for use"). Both must be true for the software to be truly high-quality.

McCall's Quality Factors (1977) — The classic quality model, classifying 11 factors into three perspectives. Product Operation (correctness, reliability, efficiency, integrity, usability), Product Revision (maintainability, flexibility, testability), Product Transition (portability, reusability, interoperability). The most-cited model in IPU PYQs.

ISO/IEC 25010 — The modern ISO Software Product Quality Model, with eight characteristics: functional suitability, performance efficiency, compatibility, usability, reliability, security, maintainability, portability — each decomposed into sub-characteristics. Replaces the older ISO 9126.

SQA (Software Quality Assurance) — The systematic, preventive set of activities that ensures quality throughout the software process — standards definition and enforcement, reviews/audits, testing oversight, defect tracking, process improvement, configuration management oversight, training, and quality reporting. SQA is preventive ("build quality in"), not just defect-finding.

SQA Plan — The deliverable that documents how SQA will be conducted for a project — purpose, organisation, responsibilities, standards used, reviews/audits scheduled, problem-reporting procedures, tools, records management, training. The IEEE 730 standard defines the recommended structure.

SQA Group — An organisational unit independent of the project team that provides quality oversight — developing the SQA plan, defining standards, conducting milestone audits, reporting quality status to senior management. Independence is crucial; an SQA group reporting to the project manager is not independent.

IEEE 730 — The IEEE standard for Software Quality Assurance Plans, defining the recommended sections (purpose, reference docs, management, documentation standards, standards/practices, reviews/audits, test, problem reporting, tools, code/media/supplier control, records, training, risk management).

Quality Cost — The total cost of achieving (or failing to achieve) quality. Crosby and Juran identified four categories: prevention (training, reviews, walkthroughs), appraisal (testing, inspections, audits), internal failure (rework, retesting after a defect found before delivery), and external failure (customer support, lawsuits, recalls after a defect found in production).

1-10-100 Rule (Crosby) — Crosby's principle: ₹1 spent on prevention saves ₹10 on appraisal and ₹100 on failure. The single strongest economic argument for review- and prevention-heavy quality processes.

TQM (Total Quality Management) — A management philosophy popularised by W. Edwards Deming in 1950s Japan: quality is everyone's responsibility, achieved through continuous improvement (Kaizen). Four pillars: customer focus, continuous improvement, employee empowerment, process orientation.

Kaizen — Japanese for "change for the better" / "continuous improvement." The TQM principle that small, incremental improvements applied continuously outperform occasional large redesigns. Toyota's Production System is the canonical implementation.

PDCA (Plan-Do-Check-Act) Cycle — Deming/Shewhart's iterative improvement cycle. Plan a change → Do it on a small scale → Check the results → Act to adopt, adjust, or abandon. PDCA is the operational engine of TQM and Kaizen and is the ancestor of Agile retrospectives.

Six Sigma — Motorola's 1986 quantitative refinement of TQM, targeting a defect rate of 3.4 defects per million opportunities (the rate corresponding to ±6 standard deviations from the mean of a normal process). Uses the DMAIC cycle (Define, Measure, Analyze, Improve, Control) and certifies practitioners as Green Belts, Black Belts, Master Black Belts.

DMAIC — The Six Sigma process improvement cycle — Define the problem, Measure the current state, Analyze root causes, Improve the process, Control the new state to prevent regression. DMAIC is to Six Sigma what PDCA is to TQM.

ISO 9000 Family — The international standards for Quality Management Systems. ISO 9000 defines vocabulary; ISO 9001 is the certifiable standard (its requirements clauses); ISO 9004 offers improvement guidance; ISO 9000-3 is the software-specific application guideline.

ISO 9001 Certification — A formal certification by an accredited auditor that an organisation's QMS meets ISO 9001 requirements. Renewed every 3 years. Indian software companies typically hold ISO 9001 plus CMMI Level 5 plus ISO 27001 (security).

ISO 27001 — The international standard for Information Security Management Systems (ISMS). Complements ISO 9001 — ISO 9001 is about quality, ISO 27001 is about security. Enterprise customers and regulated industries often require ISO 27001 certification.

CMM (Capability Maturity Model) — A 1989 framework from the Software Engineering Institute (SEI) at Carnegie Mellon University, designed by Watts Humphrey, measuring an organisation's software process maturity on a five-level scale. CMM was the original; CMMI is its modern successor.

CMM Level 1 — Initial — Ad-hoc, chaotic process. Success depends on individual heroes; the organisation cannot reliably repeat past successes. Most uncertified startups operate here.

CMM Level 2 — Repeatable — Basic project management practices in place; the organisation can repeat past successes on similar projects. Six Key Process Areas: requirements management, project planning, project tracking, configuration management, QA, supplier management.

CMM Level 3 — Defined — A standardised, documented organisation-wide process is in place. Different projects use tailored versions of the same standard process. KPAs: organisation process focus, process definition, training, integrated software management, peer reviews.

CMM Level 4 — Managed (Quantitatively Managed) — The process is quantitatively measured and controlled using statistical methods. KPAs: quantitative process management, software quality management.

CMM Level 5 — Optimising — The process is continuously improved based on quantitative feedback. KPAs: defect prevention, technology change management, process change management. India hosts the largest number of CMMI Level-5 certified organisations globally — a legacy of the 1990s–2000s outsourcing boom.

CMMI (Capability Maturity Model Integration) — The 2002 successor to CMM that integrates software, systems, hardware, services, and acquisition into a single framework. Same five maturity levels, with 22 process areas. CMMI for Development (CMMI-DEV) is the most relevant variant for software organisations.

Key Process Area (KPA) / Process Area (PA) — A cluster of related activities that must be performed to satisfy a CMM/CMMI maturity level. Each KPA has goals, practices, and metrics. Achieving a level requires satisfying all the KPAs at that level and all lower levels.

Review — An activity in which a software work product (SRS, design, code) is examined to identify defects before they propagate. Reviews are the most cost-effective defect-removal activity — Boehm's research shows reviews find defects at roughly 1/10th the cost of testing.

Peer Review — An informal review where 2–4 peers examine the work product. Lower overhead than formal inspection, smaller defect yield. Suitable for routine code review.

Walkthrough — An author-led review where the author walks the team through the artefact. Useful for knowledge transfer and identifying obvious defects. Less rigorous than Fagan inspection.

Fagan Inspection — A formal, role-based, defect-focused review process introduced by Michael Fagan at IBM in 1976. Five stages: planning, overview, preparation, inspection meeting, rework and follow-up. Inspections find ~60–80% of defects in code before testing, at roughly 1/10th the cost.

Moderator (Fagan Inspection) — The trained inspector who plans and runs the inspection meeting — schedules, distributes material, keeps the meeting on track, focuses on defects (not solutions), and tracks rework to completion. The moderator is distinct from the author.

Defect Removal Efficiency (DRE) — The percentage of defects found and removed before release — DRE = defects-before-release / (defects-before + defects-after-release). DRE > 95% is the best-in-class target; safety-critical systems target 99%+.

---

Study deep

  1. Quality is non-negotiable in safety-critical software. For pacemakers, autopilots and nuclear-plant software, DRE must approach 100%. Cost of failure outweighs cost of perfection. Standards like DO-178C and IEC 61508 mandate quality processes.
  2. Process maturity ≠ Product quality. A CMM Level-5 organisation has predictable processes — but predictability doesn't guarantee that the product is what users want. Many Indian IT body-shops chase certification without proportional product improvement.
  3. TQM language is older; Lean/Agile is newer. Many modern Agile practices (retrospectives, continuous improvement, "stop the line" via failing CI) are direct descendants of TQM/Toyota. The vocabulary moves with fashion; the principles don't.
  4. ISO and CMMI are not mutually exclusive. ISO 9001 focuses on quality management system; CMMI focuses on process capability. Mature organisations hold both, plus ISO 27001 (security) and ISO 20000 (IT services).
  5. The single most important quality activity is the code review. Studies (Capers Jones) consistently show structured reviews find more defects per hour than any other technique, and at the cheapest unit cost. Yet many teams skip them — usually a false economy.

PYQ pattern: "What is SQA? Explain Total Quality Management with PDCA cycle." — Define SQA (IEEE 730), 4 pillars of TQM, draw PDCA diagram, mention Six Sigma as TQM's quantitative version.

PYQ pattern: "Explain CMM levels with their key process areas." — Table 5 levels with 1-line descriptions and 2–3 KPAs each; close with India's CMMI Level-5 dominance.