ISO 10007 - Quality management systems – Guidelines for

configuration management

Foreword  
ISO (the International Organization for Standardization) is a worldwide federation of
national standards bodies (ISO member bodies). The work of preparing International
Standards is normally carried out through ISO technical committees. Each member body
interested in a subject for which a technical committee has been established has the right
to be represented on that committee. International organizations, governmental and non-
governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with
the International Electrotechnical Commission (IEC) on all matters of electrotechnical
standardization.

The procedures used to develop this document and those intended for its further
maintenance are described in the ISO/IEC Directives, Part 1. In particular the different
approval criteria needed for the different types of ISO documents should be noted. This
document was drafted in accordance with the editorial rules of the ISO/IEC Directives,
Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be
the subject of patent rights. ISO shall not be held responsible for identifying any or all such
patent rights. Details of any patent rights identified during the development of the
document will be in the Introduction and/or on the ISO list of patent declarations received
(see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users
and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to
conformity assessment, as well as information about ISO's adherence to the WTO
principles in the Technical Barriers to Trade (TBT) see the following URL:
www.iso.org/iso/foreword.html.

The committee responsible for this document is Technical Committee ISO/TC 176, Quality
management and quality assurance, Subcommittee SC 2, Quality systems.

This third edition cancels and replaces the second edition (ISO 10007:2003). This edition
has sought to improve the alignment of ISO 10007 with ISO 9000:2015 and ISO
9001:2015.

Introduction  
The purpose of this International Standard is to enhance common understanding of the
subject, to promote the use of configuration management, and to assist organizations
applying configuration management to improve their performance.
This International Standard outlines the responsibilities and authorities before describing
the configuration management process that includes configuration management planning,
configuration identification, change control, configuration status accounting and
configuration audit.
Configuration management is a management activity that applies technical and
administrative direction over the life cycle of a product and service, its configuration
identification and status, and related product and service configuration information.
Configuration management documents the product or service configuration. It provides
identification and traceability, the status of achievement of its physical and functional
requirements, and access to accurate information in all phases of the life cycle.
Configuration management can be implemented based on the size of the organization and
the complexity and nature of the product or service and should reflect the needs of specific
lifecycle phases.

1 Scope  
This International Standard gives guidance on the use of configuration management
within an organization. It is applicable to the support of products and services from
concept to disposal.

2 Normative references  
The following documents, in whole or in part, are normatively referenced in this document
and are indispensable for its application. For dated references, only the edition cited
applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
ISO 9000:2015, Quality management systems — Fundamentals and vocabulary

3 Terms and definitions  

For the purposes of this document, the terms and definitions given in ISO 9000 and the
following apply.

Comments
3.1 configuration  
interrelated functional and physical characteristics of a product or service defined in
configuration information (3.5)

Comments
3.2 configuration baseline  
approved configuration information (3.5) that establishes the characteristics of a product
or service at a point in time that serves as reference for activities throughout the life cycle
of the product or service

Comments
3.3 configuration item  
entity within a configuration (3.1) that satisfies an end use function

Comments
3.4 configuration status accounting  
formalized recording and reporting of configuration information (3.5), the status of
proposed changes and the status of the implementation of approved changes

Comments
3.5 configuration information  
requirements for product or service design, realization, verification, operation and
support

4 Configuration management responsibility  

Comments
4.1 Responsibilities and authorities  
The organization should identify, describe, and assign responsibilities and authorities,
including accountability, related to the configuration management process. The following
should be considered:
a)     the complexity and nature of the product or service;

b)    the needs of the different product or service life cycle stages;

c)     the interfaces between activities directly involved in the configuration management
process;

d)    the other relevant interested parties that are, or need to be, involved, within and
outside the organization;

e)     the identification of the responsible authority for verifying implementation

activities;

f)     the identification of the dispositioning authority.

Comments
4.2 Dispositioning authority  
Prior to approval of a change, the dispositioning authority should verify that:
a)     the proposed change is necessary, and the consequences would be acceptable;

b)    the change has been properly documented and categorized;

 c)     the planned activities for the implementation of the change into documented
information, hardware and/or software are satisfactory.

5 Configuration management process  

Comments
5.1 General  
The organization should establish, implement and maintain a configuration management
process. The organization should coordinate the activities of the configuration
management process in order for it to be effective.
The configuration management process should focus on customer and statutory and
regulatory requirements for the product or service and should take into account the
context in which it will be performed. The configuration management process should be
detailed in a configuration management plan. This should describe any project-specific
documented procedures and the extent of their application during the life cycle of the
product or service.

Comments
5.2 Configuration management planning  
Configuration management planning is the foundation for the configuration management
process. Effective planning coordinates configuration management activities in a specific
context over the product or service life cycle. The output of configuration management
planning is the configuration management plan.
The configuration management plan for a specific product or service should:
a)     be documented and approved;

b)    be controlled;

c)     identify the configuration management documented procedures to be used;

d)    make reference to relevant documented procedures of the organization wherever

possible;

e)     describe the responsibilities and authorities, including accountability, for carrying
out configuration management throughout the life cycle of the product.

The configuration management plan may be a stand-alone document, or a part of another

document, or composed of several documents.
In some situations, the configuration management plan will be provided by an external
provider. The organization may retain such plans either as stand-alone documents or
incorporate them into its own configuration management plan.
Annex A describes a potential structure and content for a configuration management plan.

Comments
5.3 Configuration identification  
Comments
5.3.1 Product structure or service capability and selection
of configuration items  
The selection of configuration items and their inter-relationships should describe the
product structure or service capability.
Configuration items should be identified using established selection criteria. Configuration
items should be selected whose functional and physical characteristics can be managed
separately to achieve the overall end- use performance of the item.
Selection criteria should consider:
a)     life-cycle of the configuration;

b)    statutory and regulatory requirements;

c)     criticality in terms of risks and safety;

d)    new or modified technology, design or development;

e)     interfaces with other configuration items;

f)     procurement conditions;

g)     support and service.

The number of configuration items selected should optimize the ability to control the
product or service. The selection of configuration items should be initiated as early as
possible in the product or service life cycle. The configuration items should be reviewed as
the product or service evolves.

Comments
5.3.2 Configuration information  
Configuration information comprises both definition and operational information. This
typically includes requirements, specifications, design drawings, parts lists, data models,
test specifications, commissioning maintenance and operating handbooks, plus any
specific requirements concerning decommissioning and disposal.
Configuration information should be relevant and traceable. Naming and numbering
conventions should be established that are unique and ensure proper control of both
configuration items and data and items associated with them. These should take into
consideration the existing naming and numbering conventions of the organization and the
change control information, such as revision status.

Comments
5.3.3 Configuration baselines  
A configuration baseline consists of the approved configuration information that
represents the definition of the product or service. Configuration baselines, plus approved
changes to those baselines, represent the current approved configuration.
Configuration baselines should be established whenever it is necessary in the product or
service life cycle to define a reference for further activities or to satisfy a specific
requirement for review.
The level of detail to which the product or service is defined in a configuration baseline
depends on the degree of control required.

Comments
5.4 Change control  
Comments
5.4.1 General  
After the initial release of configuration information, all changes should be controlled. The
potential consequence of a change, customer requirements and the configuration baseline
will affect the degree of control needed to process a proposed change or concession.
The process for controlling the change should be documented, and should include the
following:
a)     a description of, justification for, and documented information of, the change;

b)    a categorization of the change, in terms of complexity, resources and scheduling;

c)     an evaluation of the consequences of the change;

d)    details of how the change should be dispositioned;

e)     details of how the change should be implemented and verified.

NOTE:         Some organizations use terms such as “waivers” or “deviations” instead of “concession”.

Comments
5.4.2 Initiation, identification and documentation of the
need for change  
A change can be initiated by the organization, by a customer, or by an external provider.
Prior to submission for evaluation to the dispositioning authority (see 4.2), all change
proposals should be identified and retained as documented information.
Change proposals should typically include the following information:
a)     configuration item(s) and related information to be changed, including details of
their title(s) and current revision status;

b)    a description of the proposed change;

c)     details of other configuration items or information that can be affected by the
change;

d)    the interested party preparing the proposal, and the date it was prepared;

e)     the justification of the change;

f)     the category of the change.

The status of change processing, the related decisions and the dispositions should be
retained as documented information. A typical method for documenting change is the use
of a standard form that is given a unique identification number for ease of identification
and traceability.

Comments
5.4.3 Evaluation of change  
Comments
5.4.3.1  
Evaluations concerning the proposed change should be performed and retained as
documented information. The extent of any evaluation should be based on the complexity
of the product or service, the category of the change, and should include the following:

a)     the technical benefits of the proposed change;

b)    the risks associated with the proposed change;

c)     the potential consequences on contract, schedule and costs;

d)    the potential impact of not approving the proposed change.

Comments
5.4.3.2  
In determining the consequences of the change, the following factors should also be
considered:

a)     the relevant statutory and regulatory requirements;

b)    the interchangeability of configuration items and the need for their re-identification;

c)     the interfaces between configuration items;

d)    the manufacturing, test and inspection methods;

e)     inventory and purchases;

f)     delivery activities;

g)     customer support requirements.

Comments
5.4.4 Disposition of change  
A process should be established, implemented and maintained for the disposition of
change that identifies the dispositioning authority (see 4.2) for each proposed change.
This should take into account the category of the proposed change.
After a proposed change has been evaluated, the dispositioning authority should review
the evaluation and should decide upon the disposition of the change.
The disposition should be retained as documented information. Notice of the disposition
should be circulated to relevant internal and external interested parties.

Comments
5.4.5 Implementation and verification of change  
The implementation of an approved change normally includes:
a)     changes to the configuration information being released to relevant interested
parties;

b)    actions being taken by relevant internal and external interested parties that are
affected by the change.

After implementation, compliance with the approved change should be verified. This
verification should be retained as documented information to allow traceability.

Comments
5.5 Configuration status accounting  
Comments
5.5.1 General  
The configuration status accounting activity results in documented information and
reports that relate to a product or service and its configuration information.
The organization should perform configuration status accounting activities throughout the
life cycle of the product or service in order to support and enable an efficient configuration
management process.

Comments
5.5.2 Documented Information  
Comments
5.5.2.1  
        During the configuration identification and change control activities, configuration
status accounting documented information will be created. This documented information
allows for visibility and traceability and for the efficient management of the evolving
configuration. They typically include details of:

a)     the configuration information (such as identification number, title, effective dates,
revision status, change history and its inclusion in any baseline);

b)    the product or service configuration (such as part numbers, product design or build
status);

c)     the status of release of new configuration information;

d)    the processing of changes.

Comments
5.5.2.2  
        The evolving configuration information should be retained as documented
information in a manner that identifies the cross-references and interrelationships
necessary to provide the required reports (see 5.5.3).

Comments
5.5.2.3  
        To protect the integrity of the configuration information and to provide a basis for the
control of change, it is recommended that configuration items and related information be
held in an environment:

a)     that is commensurate with the conditions required (e.g. for computer hardware,
software, data, documented information, drawings);

b)    that provides protection from loss of integrity or unauthorized change;

c)     that provides means for disaster recovery;

d)    it is available and suitable for use, where and when it is needed;

e)     that permits retrieval.

Comments
5.5.3 Reports  
Reports of varying types will be needed for configuration management purposes. Such
reports may cover individual configuration items or the complete product or service.
Typical reports include:
a)     a list of configuration information included in a specific configuration baseline;

b)    a list of configuration items and their configuration baselines;

c)     details of the current revision status and change history;

d)    status reports on changes and concessions;

e)     details of the status of a delivered and maintained configuration (e.g. part and
traceability numbers and their revision status).

Comments
5.6 Configuration audit  
Configuration audits should be performed in accordance with documented procedures to
determine whether a product or service conforms to its requirements and configuration
information.
Normally there are two types of configuration audits:
 a)     a functional configuration audit; this is a formal examination to verify that a
configuration item has achieved the functional and performance characteristics
specified in its configuration information;

b)    a physical configuration audit; this is a formal examination to verify that a

configuration item has achieved the physical characteristics specified in its
configuration information.

A configuration audit can be required before the formal acceptance of a configuration

item. It is not intended to replace other forms of verification, review, test or inspection, but
will be affected by the results of these activities.

Annex A  
(Informative)

Structure and content of a configuration management plan

Comments
A.1 General  
A configuration management plan should be structured to allow for specific sections
addressing the topics given in Clauses A.2 to A.7, which also give guidance on content.

Comments
A.2 Introduction  
A configuration management plan will need to include an introductory section giving
general information. The following topics are typically addressed in such a section:
a)     the purpose and scope of the configuration management plan;

b)    a description of the product or service and configuration item(s) to which the plan
applies;

c)     a schedule to provide guidance on the time-scale of important configuration

management activities;

d)    a description of configuration management tools;

e)     related documented information (e.g. configuration management plans from

providers);

f)     a listing of relevant documented information and their interrelationships.

Comments
A.3 Policies  
The configuration management plan should detail the configuration management policies
that have been agreed with the customer and providers. This should provide the basis for
configuration management activities within the contract, such as:
 a)     policies on the practice of configuration management and related management
activities;

b)    the organization, responsibilities and authorities of relevant interested parties;

c)     qualification and training;

d)    the criteria for the selection of configuration items;

e)     the frequency, distribution and control of reports;

f)     terminology.

Comments
A.4 Configuration identification  
The configuration management plan should detail:
a)     a breakdown structure of configuration items, specifications and other documented
information;

b)    naming and numbering conventions to be adopted for specifications, drawings,

concessions and changes;

c)     the method for identification of the revision status;

d)    the configuration baselines to be established, schedules, and the type of

configuration information to be included;

e)     the use and allocation of serial numbers or other traceability identification;

f)     documented release procedures for configuration information.

Comments
A.5 Change control  
The configuration management plan should detail:
a)     the relationship of the dispositioning authority (see 4.2) of the organization with
that of other relevant interested parties;

b)    the documented procedures for the control of changes prior to the establishment of
a contractual configuration baseline;

c)     the methods for processing changes (including those for customer, or provider
initiated changes) and concessions.

Comments
A.6 Configuration status accounting  
The configuration management plan should detail
 a)     the methods for collecting, documenting, processing and maintaining the data that
are necessary for producing configuration status accounting documented
information;

b)    the definition of the content and format for all configuration status accounting
reports.

Comments
A.7 Configuration audit  
The configuration management plan should detail:
a)     a list of configuration audits to be conducted, and their occurrence within project
schedules;

b)    the configuration audit documented procedures to be used;

c)     the responsibilities and authorities of relevant internal and external interested
parties;

d)    a definition of the format for configuration audit reports.

Bibliography  
[1]         ISO 9001, Quality management systems — Requirements

[2]         ISO 9004, Managing for the sustained success of an organization — A quality

management approach

[3]         ISO 10006, Quality management systems — Guidelines for quality management in

projects