Configuration Management and ISO 9001

Robert Bamford, William J. Deibler II Software Systems Quality Consulting, http://www.ssqc.com/

Configuration management is about managing change of the multiple items composing an information system. This article puts in reference the configuration management function and the ISO 9001 standard. This standard offers a wide range of advice on how to deal with this important, but often neglected, aspect of software engineering.

The software engineering practices associated with software configuration management (SCM or CM) offer a number of opportunities to address requirements found in the International Standard, ISO 9001. From a management perspective, the principles and practices of CM represent an accepted and understood foundation for implementing ISO-compliant processes in software engineering organizations. In addition, the growing number of tools for automating CM practices is chance for improving the efficiency and effectiveness of these processes.

This article begins with brief, general definitions of configuration management and of ISO 9001.
Configuration Management
While there is no single definition of CM, there are three widely disseminated views from three different sources: the Institute of Electrical and Electronics Engineers (IEEE), The International Organisation for Standardisation (ISO), and the Software Engineering Institute (SEI) at Carnegie Mellon University.


The IEEE perspective on CM
A most widely understood description of the practices associated with configuration management is found in the IEEE Standard 828-1990, Software Configuration Management Plans.
[Numbers in brackets are added]

"SCM activities are traditionally grouped into four functions: [1] configuration identification, [2] configuration control, [3] status accounting, and [4] configuration audits and reviews."
IEEE Standard 828-1990 goes on to list specific activities associated with each of the four functions (the number of the paragraph containing the reference appears in parentheses):
Identification: identify, name, and describe the documented physical and functional characteristics of the code, specifications, design, and data elements to be controlled for the project. (Paragraph 2.3.1)

Control: request, evaluate, approve or disapprove, and implement changes (Paragraph 2.3.2)
Status accounting: record and report the status of project configuration items [initial approved version. status of requested changes, implementation status of approved changes] (Paragraph 2.3.3)

Audits and reviews: determine to what extent the actual configuration item reflects the required physical and functional characteristics (Paragraph 2.3.4)

This list is similar to the set of activities noted by Pressman:
"Software configuration management is an umbrella activity ... developed to (1) identify change, (2) control change, (3) ensure that change is being properly implemented, and (4) report change to others who may have an interest."


The ISO perspective on CM
In the guideline document, ISO 9000-3:1991 Guidelines for the application of ISO 9001 to the development, supply and maintenance of software, the International Organisation for Standardisation identifies a similar set of practices as CM:
"Configuration management provides a mechanism for identifying, controlling and tracking the versions of each software item. In many cases earlier versions still in use must also be maintained and controlled.


"The [CM] system should
"a) identify uniquely the versions of each software item;
"b) identify the versions of each software item which together constitute a specific version of a complete product;
"c) identity the build status of software products in development or delivered and installed;
"d) control simultaneous updating of a given software item by more than one person;
"e) provide coordination for the updating of multiple products in one or more locations as required;
"f) identify and track all actions and changes resulting from a change request, from initiation ... to release."

The SEI perspective on CM
Based on a review of currently available tools and an evolving understanding of the organizational role of CM, the SEI advocates a broader definition of CM in SEI-92-TR-8:
"The standard definition for CM taken from IEEE standard 729-1983 [updated as IEEE Std 610.12-1990] includes:
"Identification: identifying the structure of the product, its components and their type, and making them unique and accessible in some form
"Control: controlling the release of product and changes to it throughout the life cycle …
"Status Accounting: recording and reporting the status of components and change requests, and gathering vital statistics about components in the product
"Audit and review: validating the completeness of a product and maintaining consistency among the components …


"[The IEEE] definition of CM … needs to be broadened to encompass … :
"Manufacturing: managing the construction and building of the product
"Process management: ensuring the correct execution of the organization's procedures, policies, and life-cycle model
"Team work: controlling the work and interactions between multiple developers on a product."

more

more

Advice on Configuration Management