This section answers questions typically asked when first encountering HFI PRA.
Is conducting an HFI assessment expensive, and how might the cost of the exercise be justified? The ‘Initial’ assessment takes a few days of resource and is likely to be a very cost-effective form of risk reduction on any project with HFI risks, issues or opportunities. A full assessment would consume typically 45 days of MOD effort as the assessor, and 5 days of the organisation being assessed (this might be a contractor or may include MOD). This cost would be justified on the basis of the risk reduced. The question is slightly misleading. The question to be asked by the HFI focus is "Is an assessment using HFI PRA the best use of resources in a risk assessment or risk mitigation exercise?" and (because the resources are already to hand) the answer is likely to be "yes".
Conducting even a simple assessment looks difficult – do I need specialist resources? For any use of HFI PRA, it is important that someone involved has been on a (brief) training course or workshop. For simple assessments, this is all that is necessary. For a full assessment, it would be cost-effective to involve a specialist.
Why is the Human-System Lifecycle (HSL) model an International Standard, rather than something specifically tailored for MoD requirements? The advantages of an International Standard (IS) are as follows. An IS can be used without controversy in international procurement. An IS can be used in conjunction with multi-national operations. An IS is given the highest precedence in the MoD standards hierarchy. An IS is in accord with the MoD wish to use commercial standards and best practice where possible. The IS has been developed to provide a supportable definition of best practice that could be used in support of safety cases, security accreditation or mitigation of business risks. It also represents a stable body that can be used as the basis for the development of expertise, methods and tools. The tailoring to the (evolving) MoD procurement practice is contained in this document that is more easily kept up to date.
Does HFI PRA mean that I don’t need an HFIP? No. A CMM assessment will look for evidence of planning and management processes. A HFIP is required for all but very small projects when it can be embraced in some wider project plan. An internal brainstorming session using the processes in HFI PRA may well be a valuable aid to developing a HFIP,in conjunction with the list of project HFI risks, issues and opportunities. When evaluating a supplier HFIP, HFI PRA may assist in 2 ways: as a framework to discuss the HFIP against project need with the supplier, and as an aide memoire of best practice.
Surely you can’t expect reference model perfection on a limited budget? No. It is extremely unlikely that any project would require that all practices under all processes would need to be fully carried out to the highest standards of maturity, or anything approaching this. It is intended that a project can set a profile of what processes are required to what level in order to mitigate project risk. This profile can then be examined for each of the project stakeholders and an evaluation made of the Process Improvement required. The intent of HFI PRA is that scarce resources are used to best effect, not that unnecessary paperwork is generated.
HFI is not my only source of risk – why should I conduct a specialist assessment? The way that HFI PRA has been organised is that an assessment can be made in conjunction with software risks and (prospectively) system engineering risks. However, because HFI is still a specialist area, it may be desirable to involve a specialist in the assessment to some degree.
The contracts have already been placed – does this mean that HFI PRA is no longer relevant? No, HFI PRA can be used once a contract is in place, but the scale of benefit is likely to be reduced. However, if a contract has been placed with a supplier that is proving incapable of delivering HFI, then HFI PRA is one of the few instruments that can improve the situation. Depending on the climate, and the particulars of the contract, there are a number of options for using HFI PRA post-contract award. Firstly, the customer team can conduct an assessment of their own processes with the participation of the suppliers, and then broaden this out to look at the supplier processes with the intent of informal PI. Secondly, the customer can decide to use HFI PRA as a means of monitoring the project, as a supplement to normal progress reporting. Whilst the metrics produced would not have contractual status, they would flag up problems and opportunities in a very clear fashion, which may lead to an improvement in the situation.
Our project is only just starting, is using HFI PRA overkill? No, HFI PRA has a range of assessment methods that can be adopted to suit the situation. For a project that is still at a very low spend rate, with participants from a small number of stakeholder organisations, then a very brief self-assessment can prove a cost-effective aid to thought. There are times when projects - even at start up - are at a high spend rate with multiple stakeholders. Under these circumstances, a larger scale of assessment may be appropriate, even at an early stage. Where a project is safety-critical, then a fairly formal process assessment at start up is an extremely cost-effective way of ensuring that the necessary processes are in place. Being able to demonstrate this represents a significant milestone on such projects.
The project is using the HFI Guides – does this mean that HFI PRA is unnecessary? Maybe. A project that is using the guides correctly is likely to be undertaking appropriate HFI activities. There are two circumstances when HFI PRA would be valuable. Firstly, when there are concerns that HF activities are not being fully integrated into the project, and secondly when there are concerns that the HF activities are not correctly focused on the needs of the project. Under such circumstances, it is possible to identify the specific processes of interest and conduct a tailored assessment.
What is the difference between an HFI PRA assessment and an ISO 9000 audit?
There are a number of differences.
Firstly, in style and approach: an ISO 9000 audit is generally conducted in a hostile and uncompromising atmosphere. CMM assessments are specifically designed to avoid these problems.
Secondly an ISO 9000 audit addresses whether the tasks and procedures called up in the quality plan have been carried out. A CMM assessment looks underneath the paperwork to see if the real activities have been carried out to meet the correct intent.
Thirdly, ISO9000 has no reference model of HFI best practice against which to base an assessment. However, ISO 9000/2000 incorporates Process Improvement as an integral requirement, and the initial assessment uses the ISO 9000/2000 scale, so by doing a initial assessment, a project is contributing to the requirements of ISO 9000/2000.
A software assessment using SEI CMM gives a formal maturity level that can be used for tendering and accreditation. Does HFI PRA give such a level? US DOD Software PCAE is aimed at providing a rating of the CMM maturity level of each contractor’s process. However in the UK the default is that no such rating is produced. In SCE as tailored for MoD usage, the primary focus is on assessing the impact of contractors’ processes on project risks. A similar approach has been adopted for HFI PRA.
The model contains quite general activities such as risk management, project management and planning. Is this another case of HF specialists re-inventing the wheel? No, the approach taken to the development of HFI PRA has been to enable assessments of QIU process risks on their own, concentrating on HFI processes and their management, or to include HFI processes in a wider software or system assessment. When taking part in a wider assessment it is possible to replace generic processes in the QIU model with those from the software or SE model with the proviso that the aspects of concern to HFI are fully addressed (probably by assessor expertise
Back to Top
Back to HFI PRA Home Page