1S/1S0 10007:2003

VT?R%T WW%_

( %w7 pi%7T)

Indian Standard
QUALITY MANAGEMENT SYSTEMS — GUIDELINES
FOR CONFIGURATION MANAGEMENT
( First Revision)

ICS 03.120.10

0 BIS 2003

BUREAU OF INDIAN STANDARDS

MANAK BHAVAN, 9 BAHADUR SHAH ZAFAR MARG
NEW DELHI 110002

December 2003 Price Group 5

Quality Management Sectional Committee, MSD 2

NATIONAL FOREWORD

This Indian Standard ( First Revision ) which is identical with ISO 10007:2003 ‘Quality management
systems — Guidelines for configuration management’ issued by the International Organization for
Standardization ( ISO ) was adopted by the Bureau of Indian Standards on the recommendations of the
Quality Management Sectional Committee ( MSD 2 ) and approval of the Management and Systems
Division Council,

ISO 10007 was prepared by Technical Committee lSO/TC 176 ‘Quality management and quality assurance’,
Subcommittee SC 2 ‘Quality systems’.

This is the first technical revision of lS/lSO 10007:1995. In this revision, ISO 10007:2003 has been
adopted so as to make Indian Standard identical with the International Standard. Therefore, this standard
cancels and replaces !S/1S0 10007:1995.

This edition nas sought to improve the alignment of ISO 10007 with the ISO 9000 family of International
Standards and to simplify the structure of the standard.

The text of the ISO Standard has been approved as suitable for publication as an Indian Standard
without deviations. Certain conventions are, however, not identical to those used in Indian Standards.
Attention is particularly drawn to the following:

Wherever the words ‘International Standard’ appear referring to this standard, they should be read
as ‘Indian Standard’.

In this adopted standard, normative reference appears to the following International Standard, for which
Indian Standard also exists. The Indian Standard, which is to be substituted in its place, is listed below
along with its degree of equivalence for the edition indicated:

International Standard Corresponding Indian Standard Degree of Equivalence

Iso9000:2000 1s/1s09000 : 2000 Quality management Identical

systems — Fundamentals and vocabulary
 1S/1S0 10007:2003

Introduction

The purpose of this International Standard is to enhance common understanding of the subject, to promote
the use of configuration management, and to assist organizations applying configuration management to
improve their performance.

Configuration management is a management activity that applies technical and administrative direction over
the life cycle of a product, its configuration items, and related product configuration information.

Configuration management documents the product’s configuration. It provides identification and traceability,
the status of achievement of its physical and functional requirements, and access to accurate information in ail
phases of the life cycle.

Configuration management can be implemented based on the size of the organization and the complexity and
nature of the product.

Configuration management can be used to meet the product identification and traceability requirements
specified in ISO 9001.
 1S/1S0 10007:2003

Indian Standard
QUALITY MANAGEMENT SYSTEMS — GUIDELINES
FOR CONFIGURATION MANAGEMENT
( First Revision)

1 Scope

This International Standard gives guidance on the use of configuration management within an organization. It
is applicable to the support of products from concept to disposal.

It first outlines the responsibilities and authorities before describing the configuration management process
that includes configuration management planning, configuration identification, change control, configuration
status accounting and configuration audit.

Since this International Standard is a guidance document, it is not intended to be used for
certification/registration purposes.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.

ISO 9000:2000, Qua/ity management systems — Fundan?enta/s and vocahdary

3 Terms and definitions

For the purposes of this document, the definitions given in ISO 9000 and the following apply.

3.1
change control
activities for control of the product after formal approval of its product configuration information (3.9)

3.2
concession
permission to use or release a product that does not conform to specified requirements

NOTE 1 A concession is generally limited to the delive~ of the product that has nonconforming characteristics within
specified limits for an agreed time or quantity of that product.

[ISO 9000:2000, definition 3.6.11]

NOTE 2 Concessions do not affect the configuration baseline (3.4) and include permission to produce a product that
does not conform to specified requirements.

NOTE 3 Some organizations use terms such as “waivers” or “deviations” instead of “concession”.

3.3
configuration
interrelated functional and physical characteristics of a product defined in product configuration information
(3.9)

1
1S/1S0 10007:2003

3.4
configuration baseline
approved product configuration information (3.9) that establishes the characteristics of a product at a point
in time that serves as reference for activities throughout the life cycle of the product

3.5
configuration item
entity within a configuration (3.3) that satisfies an end use function

3.6
configuration management
coordinated activities to direct and control configuration

NOTE Configuration management generally concentrates on technical and organizational activities that establish and
maintain control of a product and its product configuration information (3.9) throughout the life cycle of the product.

3.7
configuration status accounting
formalized recording and reporting of product configuration information (3.9), the status of proposed
changes and the status of the implementation of approved changes

3.8
dispositioning authority
person or a group of persons assigned responsibility and authority to make decisions on the configuration
(33)

NOTE 1 Dispositioning authority can also be called a “configuration control board”.

NOTE 2 Relevant interested parties within and outside the organization should be represented on the dispositioning
authority.

3.9
product configuration information
requirements for product design, realization, verification, operation and support

4 Configuration management responsibility

4.1 Responsibilities and authorities

The organization should identify and describe responsibilities and authorities related to the implementation
and verification of the configuration management process. The following should be considered:

--- the complexity and nature of the product;

the needs of the different product life cycle stages;

the interfaces between activities directly involved in the configuration management process;

the other relevant interested parties that may be involved, within and outside the organization;

— the identification of the responsible authority for verifying implementation activities;

the identification of the dispositioning authority.

4.2 Dispositioning authority

Prior to approval of a change, the dispositioning authority should verify that

the proposed change is necessary, and the consequences would be acceptable,

2
 1S/1S0 10007:2003

the change has been properly documented and categorized, and

the planned activities for the implementation of the change into documents, hardware and/or software are
satisfactory.

5 Configuration management process

5.1 GeneraI

The activities that are performed within the configuration management process are described below. It is
essential that these activities be coordinated for this procpss to be effective.

The configuration management process should focus on customer requirements for the product and should
take into account the context in which it will be performed. The configuration management process should be
detailed in a configuration management plan. This should describe any project-specific procedures and the
extent of their application during the life cycle of the product.

5.2 Configuration management planning

Configuration management planning is the foundation for the configuration management process. Effective
planning coordinates configuration management activities in a specific context over the product life cycle. The
output of configuration management planning is the configuration management plan.

The configuration management plan for a specific product should

— be documented and approved,

— be controlled,

— identify the configuration management procedures to be used,

. make reference to relevant procedures of the organization wherever possible, and

— describe the responsibilities and authorities for carrying out configuration management throughout the life
cycle of the product.

The configuration management plan may be a stand-alone document, or a part of another document, or
composed of several documents.

In some situations, the organization will need to require a supplier to provide a configuration management
plan. The organization may wish to retain such plans either as stand-alone documents or to incorporate them
into its own configuration management plan.

Annex A describes a potential structure and content for a configuration management plan.

5.3 Configuration identification

5,3.1 Product structure and selection of configuration items

The selection of configuration items and their inter-relationships should describe the product structure.

Configuration items should be identified using established selection criteria. Configuration items should be
selected whose functional and physical characteristics can be managed separately to achieve the overall end-
use performance of the item.

Selection criteria should consider

— statutory and regulatory requirements,

3
1S/1S0 10007:2003

criticality in terms of risks and safety,

new or modified technology, design or development,

interfaces with other configuration items,

.-. procurement conditions, and

-- support and service.

The number of configuration items selected should optimize the ability to control the product. The selection of
configuration items should be initiated as early as possible in the product life cycle. The configuration items
should be reviewed as the product evolves.

5.3.2 Product configuration information

Product configuration information comprises both product definition and product operational information. This
typically includes requirements, specifications, design drawings, parts lists, software documents and listings,
models, test specifications, maintenance and operating handbooks.

Product configuration information should be relevant and traceable. Numbering conventions should be
established that are unique and ensure proper control of configuration items. These should take into
consideration the existing numbering conventions of the organization and the change control information, such
as revision status.

5.3.3 Configuration baselines

A configuration baseline consists of the approved product configuration information that represents the
definition of the product. Configuration baselines, plus approved changes to those baselines, represent the
current approved configuration.

Configuration baselines should be established whenever it is necessary in the product life cycle to define a
reference for further activities.

The level of detail to which the product is defined in a configuration baseline depends on the degree of control
required.

5.4 Change control

5.4.1 General

After the initial release of product configuration information, all changes should be controlled. The potential
impact of a change, customer requirements and the configuration baseline will affect the degree of control
needed to process a proposed change or concession.

The process for controlling the change should be documented, and should include the following:

a description of, justification for, and record of, the change;

-–- a categorization of the change, in terms of complexity, resources and scheduling;

-– an evaluation of the consequences of the change;

–- details of how the change should be dispositioned;

\

— details of how the change should be implemented and verified,

 1S/1S0 10007:2003

5.4.2 Initiation, identification and documentation of the need for change

A change may be initiated by the organization, by a customer,’ or by a supplier. Prior to submission for
evaluation to the dispositioning authority (see 4.2), all change proposals should be identified and documented.

Change proposals should typically include the following information:

configuration item(s) and related information to be changed, including details of their title(s) and current
revision status;

a description of the proposed change;

details of other configuration items or information that maybe affected by the change;

— the interested party preparing the proposal, and the date it was prepared;

the reason for the change;

the category of the change.

The status of change processing, the related decisions and the dispositions should be documented. A typical
method for documenting change may be the use of a standard form that is given a unique identification
number for ease of identification and traceability.

5.4.3 Evaluation of change

5.4.3.1 Evaluations concerning the proposed change should be performed and documented. The extent
of any evaluation should be based on the complexity of the product, the category of the change, and should
include the following:

— the technical merits of the proposed change:

— the risks associated with the change;

— the potential impact on contract, schedule and costs.

5.4.3.2 In determining the impact, the following factors should also be considered:

— the relevant statutory and regulatory requirements;

— the interchangeability of configuration items and the need for their re-identification;

— the interfaces between configuration items;

–- the manufacturing, test and inspection methods;

.— inventory and purchases;

— delivery activities;

—— customer support requirements.

5.4.4 Disposition of change

A process should be established for the disposition of change that identifies the dispositioning authority (see
4,2) for each proposed change. This should take into account the category of the proposed change.

5
1S/1S0 10007:2003

After a proposed change has been evaluated, the dispositioning authority should review the evaluation and
should decide upon the disposition of the change.

The disposition should be recorded. Notice of the disposition should be circulated to relevant interested
parties within and outside the organization.

5.4.5 Implementation and verification of change

The implementation of an approved change normally includes

changes to the product configuration information being released to relevant interested parties, and

actions being taken by relevant interested parties (both within and outside the organization) that are
affected by the change.

After implementation, compliance with the approved change should be verified. This verification should be
recorded to allow traceability.

5.5 Configuration status accounting

5.5.1 General

The configuration status accounting activity results in records and reports that relate to a product and its
product configuration information.

The organization should perform configuration status accounting activities throughout the life cycle of the
product in order to support and enable an efficient configuration management process.

5.5.2 Records

5.5.2.1 During the configuration identification and change control activities, configuration status
accounting records will be created. These records allow for visibility and traceability and for the efficient
management of the evolving configuration. They typically include details of

--- the product configuration information (such as identification number, title, effective dates, revision status,
change history and its inclusion in any baseline),

the product’s configuration (such as part numbers, product design or build status),

the status of release of new product configuration information, and

--- the processing of changes.

5.5.2.2 The evolving product configuration information should be recorded in a manner that identifies the
cross-references and interrelationships necessary to provide the required reports (see 5.5.3).

5.5.2.3 To protect the integrity of the product configuration information and to provide a basis for the
control of change, it is recommended that configuration items and related information be held in an
environment

—- that is commensurate with the conditions required (e.g. for computer hardware, software, data,
documents, drawings),

--–- that provides protection from corruption or unauthorized change,

— that provides means for disaster recovery, and

— that permits retrieval.

6
 1S/1S0 10007:2003

5.5.3 Reports

Reports of varying types will be needed for configuration management purposes. Such reports may cover
individual configuration items or the complete product.

Typical reports include

a list of product configuration information included in a specific configuration baseline,

a list of configuration items and their configuration baselines,

-– details of the current revision status and change history,

status reports on changes and concessions, and

details of the status of delivered and maintained products concerning part and traceability numbers and
their revision status.

5.6 Configuration audit

Configuration audits should be performed in accordance with documented procedures to determine whether a
product conforms to its requirements and product configuration information.

Normally there are two types of configuration audits:

a functional configuration audit; this is a formal examination to verify that a configuration item has
achieved the functional and performance characteristics specified in its product configuration information;

a physical configuration audit; this is a formal examination to verify that a configuration item has achieved
the physical characteristics specified in its product configuration information.

A configuration audit may be required before the formal acceptance of a configuration item. It is not intended
to replace other forms of verification, review, test or inspection, but will be affected by the results of these
activities.

7
1S/1S0 10007:2003

Annex A
(informative)

Structure and content of a configuration management plan

A.1 General

A configuration management plan should be structured to allow for discrete sections addressing the topics
given in A.2 to A.7, which also give guidance on content.

A.2 Introduction

A configuration management plan will need to include an introductory section giving general information. The
following topics are typically addressed in such a section:

the purpose and scope of the configuration management plan;

— a description of the product and configuration item(s) to which the plan applies;

— a schedule to provide guidance on the time-scale of important configuration management activities;

a description of configuration management tools (e.g. information technology);

related documents (e.g. configuration management plans from suppliers);

a listing of relevant documents and their interrelationships.

A.3 Policies

The configuration management plan should detail the configuration management policies that have been
agreed with the customer or suppliers. This should provide the basis for configuration management activities
within the contract, such as

— policies on the practice of configuration management and related management activities,

the organization, responsibilities and authorities of relevant interested parties,

— qualification and training,

— the criteria for the selection of configuration items,

— the frequency, distribution and control of reports, both internally and to the customer, and

— terminology.

A.4 Configuration identification

The configuration management plan should detail

— a family tree of configuration items, specifications and other documents,

the numbering conventions to be adopted for specifications, drawings, concessions and changes,
 1S/1S0 10007:2003

— the method for identification of the revision status,

— the configuration baselines to be established, schedules, and the type of product configuration
information to be included,

— the use and allocation of serial numbers or other traceability identification, and

— release procedures for product configuration information

A.5 Change control

The configuration management plan should detail

the relationship of the dispositioning authority (see 4.2) of the organization with that of other interested
parties,

— the procedures for the control of changes prior to the establishment of a contractual configuration
baseline, and

— the methods for processing changes (including those for customer, or supplier initiated changes) and
concessions.

A.6 Configuration status accounting

The configuration management pIan should detail

the methods for collecting, recording, processing and maintaining the data that are necessary for
producing configuration status accounting records, and

the definition of the content and format for all configuration status accounting reports.

A.7 Configuration audit

The configuration management plan should detail

— a list of audits to be conducted, and their occurrence within project schedules,

— the configuration audit procedures to be used,

— the authorities of relevant interested parties (both within and outside the organization), and

— a definition of the format for audit reports.

9
1S/1S0 10007:2003

Bibliography

[1] ISO 9001:2000, Quality management systems — Requirements

[2) ISO 9004:2000, Qua/ify management systems — Guidelines for performance improvements

[3] 1S0 10006:2003, Qua/ity management systems — Guidelines for quality management in projects

[4] IS0/1 ECl_TR 15846:1998, Information technology — Software life cycle processes — C0nfi9Urafi0n
Management for Software

10
Buleau of lndian Standards

B IS is a statutory institution established under the Bureau of Indian Standards Act, 1986 to promote
harmonious development of the activities of standardization, marking and quality certification of goods and
attending to connected matters in the country.

Copyright

BIS has the copyright of all its publications. No part ofthese publications maybe reproduced in any form without
the prior permission in writing of BIS. This does not preclude the free use, in the course of implementing the
standard, of necessary details, such as symbols and sizes, type or grade designations. Enquiries relating to
copyright be addressed to the Director (Publications), BIS.

Review of Indian Standards

Amendments are issued to standards as the need arises on the basis of comments. Standards are also reviewed
periodically; a standard along with amendments is reaffirmed when such review indicates that no changes are
needed: if the review indicates that changes are needed, it is taken up for revision. Users of Indian Standards
should ascertain that they are in possession of the latest amendments or edition by referring to the latest issue
of ‘BIS Catalogue’ and ‘Standards : Monthly Additions’.

This Indian Standard has been developed from Doc : No. MSD 2 ( 287 ).

Amendments Issued Since Publication

Amend No. Date of Issue Text Affected

BUREAU OF INDIAN STANDARDS

Headquarters:

Manak Bhavan, 9 Bahadur Shah Zafar Marg, New Delhi 110002 Telegrams: Manaksanstha
Telephones: 23230131,23233375,2323 9402 ( Common to all offices)

Regional Offices: Telephone

Central: Manak Bhavan, 9 Bahadur Shah Zafar Marg 23237617

NEW DELHI 110002 { 23233841

Eastern : 1/14 C. I. T. Scheme Vll M, V. I. P. Road, Kankurgachi 23378499,23378561

KOLKATA 700054 t 23378626,23379120
Northern: SCO 335-336, Sector 34-A, CHANDIGARH 160022 603843
{ 609285
Southern : C. 1.T. Campus, IV Cross Road, CHENNAI 600113 22541216,22541442
{ 22542519,22542315
Western : Manakalaya, E9 MlDC, Marol, Andheri (East) 28329295,28327858
MUMBA1400093 { 28327891,28327892

Branches : AHMEDABAD. BANGALORE. BHOPAL. BHUBANESHWAR. COIMBATORE.

FARIDABAD, GHAZIABAD. GUWAHATI. HYDERABAD. JAIPUR. KANPUR.
LUCKNOW. NAGPUR. NALAGARH. PATINA. PUNE. RAJKOT. THIRUVANANTI-LAPURAM.
VISAKHAPATNAM.
Printed at New India Printing Press, Khurja, Indm