Configuration Management and ISO 9001 - Page 2

Robert Bamford, William J. Deibler II, Software Systems Quality Consulting, www.ssqc.com

Beyond ISO 9000-3

There are a significant number of additional areas of ISO 9001 that can be addressed through CM-related activities.

• 4.1 Management responsibility
• 4.2 Quality system
• 4.4.2.2 Organizational and technical interfaces
• 4.6 Purchasing
• 4.7 Control of customer-supplied product
• 4.9 Process control
• 4.14 Corrective and preventive action
• 4.15 Handling, storage, packaging, preservation, and delivery
• 4.16 Control of quality records
• 4.19 Servicing
• 4.20 Statistical techniques

4.1 Management responsibility

Reports produced by the CM system on progress and exceptions support management review of the suitability and effectiveness of thedevelopment practices, as part of the quality system (ISO 9001 4.1.3).

4.2 Quality system

For a software engineering organization, the CM policies, procedures, and standards represent a significant portion of the quality system.Tools to support and automate the CM process support and enforce adherence to policies, procedures, and standards.

These procedures can also be automated through integrated workflow and groupware tools that increase the effectiveness and efficiency ofthe information exchange.

4.4 Design control

CM practices can go beyond control of configuration items to ensure that necessary information regarding status and change is communicated toappropriate individuals and organizations (ISO 9001 4.4.2.2).

Standard distribution lists and notification procedures linked to specific activities prevent significant missed communication.

4.6 Purchasing

The primary application of this paragraph of ISO 9001 in software engineering environments is to third party development. When an organization subcontracts software development to a third party, evaluation of the subcontractor's CM practices is a critical component of the vendor selection and approval process.

If appropriate, the subcontractor can be required to follow or implement specific CM practices.

Intermediate or final product and all related documentation (e.g., specifications, plans, progress reports, test reports) received from the subcontractor can all be treated as if they were in-house developed configuration items. Applying CM practices to third party development is of particular benefit for coordinating in-house integration and verification activities and for fault resolution.

4.7 Control of customer-supplied product

In software development, customer-supplied product includes software that is used in the development process or that is included in the product to be delivered to the customer. This software is specified by the customer and supplied by the customer or by a third party; the software can be a standard, off-the-shelf (shrink-wrapped) product or one that is custom developed.

Depending on how the included software is packaged and distributed, ISO requirements to verify, store, and maintain this software appropriately may met by considering the included software as a configuration item.

Requirements for the verification of customer-supplied product apply only to those portions of the customer-supplied product that are used in conjunction with the supplier's product. For example, if the customer specifies that the supplier's product is to run under UNIX System 5, the supplier's responsibility is to verify that the developed product works as specified under UNIX System 5. The supplier must identify and report any errors in UNIX System 5 that impact the operation of the supplier's product.

4.9 Process control

Process control, in conjunction with 4.4.2 Design and development planning, 4.2.2 Quality system procedures, and 4.2.3 Quality planning clarifies ISO 9001's implicit requirements for documented procedures, suitable production equipment, monitoring and control of process and

product characteristics, and approval of processes and equipment. In software engineering environments, the project management and CM processes combine to address the majority of these requirements.

By automating the product build process, a CM system contributes significantly to the effectiveness and efficiency of the software production process, both for intermediate versions of the product and for a released version.

This becomes particularly significant, when multiple versions of the product are being developed or maintained in parallel.

4.14 Corrective and preventive action

A significant portion of corrective action is creating the mechanism to ensure that customer-reported problems are resolved in an appropriate manner. The same requirements pertain to problems identified in the development process, starting from the point at which the software product or item comes under CM control.

Incidents must be tracked from report, through classification, and, if appropriate, to resulting changes in the product. CM practices, particularly those related to change management, product maintenance, and status accounting, ensure that incidents that result in product change are always handled properly.

There is significant opportunity for improving the efficiency of product support and software engineering organizations by minimizing the amount of manual intervention and effort in moving information between the problem tracking and the CM systems.

4.15 Handling, storage, packaging, preservation, and delivery

For software product, the CM practices address all of the handling, storage, packaging, preservation, and delivery requirements at least to the point where responsibility for the product is turned over to software production. ISO 9001 4.15.2 Handling specifies "methods of handling product that prevent damage or deterioration". For software product, this requirement is interpreted to include activities like virus checking if an outside replication vendor is used and off-site storage of product masters as a minimum level of disaster recovery. Automated support for the build process, included in most CM tools, reduces opportunities for error and can increase confidence in intermediate test results and in final product integrity.

4.16 Control of quality records

In ISO 9000, quality records are the records that establish that processes were followed and that quality requirements were met. Bydefinition, quality records includes records of:

• Product identification
• Non-conformity review and disposition
• All verification and validation activities, including: design review minutes, test logs and records, and fault reports

While these records are not documents (and are not subject to the requirements of ISO 9001 Paragraph 4.5), requirements for identification,collection, indexing, filing, storage, maintenance, and disposition ofquality records can be addressed through procedures implemented as part of the CM system.

4.19 Servicing

ISO 9000-3 ties servicing to all aspects of software maintenance, including problem resolution, interface modification (e.g., supportfor additional or modified hardware components), functional expansion orperformance improvement. CM practices ensure that the product is maintained inan orderly manner and that each approved change can be prioritized, tracked, and managed to completion.

Analysis of the data in the CM system related to all aspects of product maintenance can support systematic prioritization and planning forproduct and process enhancement (e.g., What modules change most often? What modules cause the most problems? Is the effectiveness of testing continuing toimprove?)

4.20 Statistical techniques

While ISO 9001 contains no specific requirements for statistical process control, as noted above, CM-related activities generate awealth of process and product data for analysis and comparison to plan: delivery dates, resources, benchmarking (e.g., lines of source code, executable size, performance), time to correct defects, etc.

Even if no modern statistical methods are implemented (e.g., Statistical Process Control, Design of Experiments, assuggested in Clause 20 in ISO 9004-1:1994), this data is considered input forISO 9001 4.9d, which requires "monitoring and control of suitable process parameters and product characteristics".

The data in the CM system is a primary input for problem analysis and the identification of root causes in products and processes.

Page 1    Page 3   Click here to view the complete list of archived articles