Iso 10007 - 2017
Iso 10007 - 2017
configuration management
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of
national standards bodies (ISO member bodies). The work of preparing International
Standards is normally carried out through ISO technical committees. Each member body
interested in a subject for which a technical committee has been established has the right
to be represented on that committee. International organizations, governmental and non-
governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with
the International Electrotechnical Commission (IEC) on all matters of electrotechnical
standardization.
The procedures used to develop this document and those intended for its further
maintenance are described in the ISO/IEC Directives, Part 1. In particular the different
approval criteria needed for the different types of ISO documents should be noted. This
document was drafted in accordance with the editorial rules of the ISO/IEC Directives,
Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be
the subject of patent rights. ISO shall not be held responsible for identifying any or all such
patent rights. Details of any patent rights identified during the development of the
document will be in the Introduction and/or on the ISO list of patent declarations received
(see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users
and does not constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to
conformity assessment, as well as information about ISO's adherence to the WTO
principles in the Technical Barriers to Trade (TBT) see the following URL:
www.iso.org/iso/foreword.html.
The committee responsible for this document is Technical Committee ISO/TC 176, Quality
management and quality assurance, Subcommittee SC 2, Quality systems.
This third edition cancels and replaces the second edition (ISO 10007:2003). This edition
has sought to improve the alignment of ISO 10007 with ISO 9000:2015 and ISO
9001:2015.
Introduction
The purpose of this International Standard is to enhance common understanding of the
subject, to promote the use of configuration management, and to assist organizations
applying configuration management to improve their performance.
This International Standard outlines the responsibilities and authorities before describing
the configuration management process that includes configuration management planning,
configuration identification, change control, configuration status accounting and
configuration audit.
Configuration management is a management activity that applies technical and
administrative direction over the life cycle of a product and service, its configuration
identification and status, and related product and service configuration information.
Configuration management documents the product or service configuration. It provides
identification and traceability, the status of achievement of its physical and functional
requirements, and access to accurate information in all phases of the life cycle.
Configuration management can be implemented based on the size of the organization and
the complexity and nature of the product or service and should reflect the needs of specific
lifecycle phases.
1 Scope
This International Standard gives guidance on the use of configuration management
within an organization. It is applicable to the support of products and services from
concept to disposal.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document
and are indispensable for its application. For dated references, only the edition cited
applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
ISO 9000:2015, Quality management systems — Fundamentals and vocabulary
Comments
3.1 configuration
interrelated functional and physical characteristics of a product or service defined in
configuration information (3.5)
Comments
3.2 configuration baseline
approved configuration information (3.5) that establishes the characteristics of a product
or service at a point in time that serves as reference for activities throughout the life cycle
of the product or service
Comments
3.3 configuration item
entity within a configuration (3.1) that satisfies an end use function
Comments
3.4 configuration status accounting
formalized recording and reporting of configuration information (3.5), the status of
proposed changes and the status of the implementation of approved changes
Comments
3.5 configuration information
requirements for product or service design, realization, verification, operation and
support
b) the needs of the different product or service life cycle stages;
c) the interfaces between activities directly involved in the configuration management
process;
d) the other relevant interested parties that are, or need to be, involved, within and
outside the organization;
Comments
4.2 Dispositioning authority
Prior to approval of a change, the dispositioning authority should verify that:
a) the proposed change is necessary, and the consequences would be acceptable;
Comments
5.2 Configuration management planning
Configuration management planning is the foundation for the configuration management
process. Effective planning coordinates configuration management activities in a specific
context over the product or service life cycle. The output of configuration management
planning is the configuration management plan.
The configuration management plan for a specific product or service should:
a) be documented and approved;
b) be controlled;
e) describe the responsibilities and authorities, including accountability, for carrying
out configuration management throughout the life cycle of the product.
Comments
5.3 Configuration identification
Comments
5.3.1 Product structure or service capability and selection
of configuration items
The selection of configuration items and their inter-relationships should describe the
product structure or service capability.
Configuration items should be identified using established selection criteria. Configuration
items should be selected whose functional and physical characteristics can be managed
separately to achieve the overall end- use performance of the item.
Selection criteria should consider:
a) life-cycle of the configuration;
The number of configuration items selected should optimize the ability to control the
product or service. The selection of configuration items should be initiated as early as
possible in the product or service life cycle. The configuration items should be reviewed as
the product or service evolves.
Comments
5.3.2 Configuration information
Configuration information comprises both definition and operational information. This
typically includes requirements, specifications, design drawings, parts lists, data models,
test specifications, commissioning maintenance and operating handbooks, plus any
specific requirements concerning decommissioning and disposal.
Configuration information should be relevant and traceable. Naming and numbering
conventions should be established that are unique and ensure proper control of both
configuration items and data and items associated with them. These should take into
consideration the existing naming and numbering conventions of the organization and the
change control information, such as revision status.
Comments
5.3.3 Configuration baselines
A configuration baseline consists of the approved configuration information that
represents the definition of the product or service. Configuration baselines, plus approved
changes to those baselines, represent the current approved configuration.
Configuration baselines should be established whenever it is necessary in the product or
service life cycle to define a reference for further activities or to satisfy a specific
requirement for review.
The level of detail to which the product or service is defined in a configuration baseline
depends on the degree of control required.
Comments
5.4 Change control
Comments
5.4.1 General
After the initial release of configuration information, all changes should be controlled. The
potential consequence of a change, customer requirements and the configuration baseline
will affect the degree of control needed to process a proposed change or concession.
The process for controlling the change should be documented, and should include the
following:
a) a description of, justification for, and documented information of, the change;
NOTE: Some organizations use terms such as “waivers” or “deviations” instead of “concession”.
Comments
5.4.2 Initiation, identification and documentation of the
need for change
A change can be initiated by the organization, by a customer, or by an external provider.
Prior to submission for evaluation to the dispositioning authority (see 4.2), all change
proposals should be identified and retained as documented information.
Change proposals should typically include the following information:
a) configuration item(s) and related information to be changed, including details of
their title(s) and current revision status;
c) details of other configuration items or information that can be affected by the
change;
d) the interested party preparing the proposal, and the date it was prepared;
Comments
5.4.3 Evaluation of change
Comments
5.4.3.1
Evaluations concerning the proposed change should be performed and retained as
documented information. The extent of any evaluation should be based on the complexity
of the product or service, the category of the change, and should include the following:
Comments
5.4.3.2
In determining the consequences of the change, the following factors should also be
considered:
b) the interchangeability of configuration items and the need for their re-identification;
Comments
5.4.4 Disposition of change
A process should be established, implemented and maintained for the disposition of
change that identifies the dispositioning authority (see 4.2) for each proposed change.
This should take into account the category of the proposed change.
After a proposed change has been evaluated, the dispositioning authority should review
the evaluation and should decide upon the disposition of the change.
The disposition should be retained as documented information. Notice of the disposition
should be circulated to relevant internal and external interested parties.
Comments
5.4.5 Implementation and verification of change
The implementation of an approved change normally includes:
a) changes to the configuration information being released to relevant interested
parties;
b) actions being taken by relevant internal and external interested parties that are
affected by the change.
After implementation, compliance with the approved change should be verified. This
verification should be retained as documented information to allow traceability.
Comments
5.5 Configuration status accounting
Comments
5.5.1 General
The configuration status accounting activity results in documented information and
reports that relate to a product or service and its configuration information.
The organization should perform configuration status accounting activities throughout the
life cycle of the product or service in order to support and enable an efficient configuration
management process.
Comments
5.5.2 Documented Information
Comments
5.5.2.1
During the configuration identification and change control activities, configuration
status accounting documented information will be created. This documented information
allows for visibility and traceability and for the efficient management of the evolving
configuration. They typically include details of:
a) the configuration information (such as identification number, title, effective dates,
revision status, change history and its inclusion in any baseline);
b) the product or service configuration (such as part numbers, product design or build
status);
Comments
5.5.2.2
The evolving configuration information should be retained as documented
information in a manner that identifies the cross-references and interrelationships
necessary to provide the required reports (see 5.5.3).
Comments
5.5.2.3
To protect the integrity of the configuration information and to provide a basis for the
control of change, it is recommended that configuration items and related information be
held in an environment:
a) that is commensurate with the conditions required (e.g. for computer hardware,
software, data, documented information, drawings);
d) it is available and suitable for use, where and when it is needed;
Comments
5.5.3 Reports
Reports of varying types will be needed for configuration management purposes. Such
reports may cover individual configuration items or the complete product or service.
Typical reports include:
a) a list of configuration information included in a specific configuration baseline;
e) details of the status of a delivered and maintained configuration (e.g. part and
traceability numbers and their revision status).
Comments
5.6 Configuration audit
Configuration audits should be performed in accordance with documented procedures to
determine whether a product or service conforms to its requirements and configuration
information.
Normally there are two types of configuration audits:
a) a functional configuration audit; this is a formal examination to verify that a
configuration item has achieved the functional and performance characteristics
specified in its configuration information;
Annex A
(Informative)
Comments
A.1 General
A configuration management plan should be structured to allow for specific sections
addressing the topics given in Clauses A.2 to A.7, which also give guidance on content.
Comments
A.2 Introduction
A configuration management plan will need to include an introductory section giving
general information. The following topics are typically addressed in such a section:
a) the purpose and scope of the configuration management plan;
b) a description of the product or service and configuration item(s) to which the plan
applies;
Comments
A.3 Policies
The configuration management plan should detail the configuration management policies
that have been agreed with the customer and providers. This should provide the basis for
configuration management activities within the contract, such as:
a) policies on the practice of configuration management and related management
activities;
f) terminology.
Comments
A.4 Configuration identification
The configuration management plan should detail:
a) a breakdown structure of configuration items, specifications and other documented
information;
e) the use and allocation of serial numbers or other traceability identification;
Comments
A.5 Change control
The configuration management plan should detail:
a) the relationship of the dispositioning authority (see 4.2) of the organization with
that of other relevant interested parties;
b) the documented procedures for the control of changes prior to the establishment of
a contractual configuration baseline;
c) the methods for processing changes (including those for customer, or provider
initiated changes) and concessions.
Comments
A.6 Configuration status accounting
The configuration management plan should detail
a) the methods for collecting, documenting, processing and maintaining the data that
are necessary for producing configuration status accounting documented
information;
b) the definition of the content and format for all configuration status accounting
reports.
Comments
A.7 Configuration audit
The configuration management plan should detail:
a) a list of configuration audits to be conducted, and their occurrence within project
schedules;
c) the responsibilities and authorities of relevant internal and external interested
parties;
Bibliography
[1] ISO 9001, Quality management systems — Requirements