Configuration Management Implementation

From SEBoK Draft
Jump to navigation Jump to search

Lead Authors: John Metcalf, Philip Hallenbeck, Sandrine Gonthier Contributing Author: Garry Roedler

Implementing Configuration Management (CM) is about putting theory into practice—establishing the processes, tools, and responsibilities needed to manage changes to a system effectively. This involves planning how CM will function within an organization, defining roles, selecting appropriate tools, and integrating CM activities into the broader systems engineering workflow. By thoughtfully implementing CM, organizations can ensure that system changes are tracked, controlled, and communicated, maintaining the integrity and consistency of the system throughout its life cycle. This article is a compliment to Configuration Management.

Fundamental Concepts

Process Overview

As described Configuration Management, CM is a process that relies on appropriate practices, methods, and controls to provide the means to establish and maintain a source of authoritative data on system configuration.

This article provides guidance on how to plan the implementation of CM activities with a focus on explaining what elements to consider adapting CM to the dedicated context of the system to be addressed.

Principles and Concepts

Essential areas to evaluate for adjustments

Product information to be considered in CM

The Configuration information should encompass product operational information and should not be limited to product definition information (see recommendation from the EIA-649C standard paragraph 5.2.2). Starting from the initial source of information provided by the document describing the operational conditions of the product, information about the product’s physical environment of use, and the type of support to be provided in case of in-service support part of the contract, need to be considered.

Here are some examples of valuable product operation information: scope of use, user profiles, quantitative and qualitative requirements, etc.

CM boards

The organization of CM activities is heavily influenced by the scope of the CM activities to be considered, and by the organizational factors addressed below.

In general, complicated and critical products are managed by larger, more comprehensive CM organizations. Conversely, large organizations similarly require more comprehensive CM organizations and processes to manage the workload of key personnel.

Some considerations include the following:

Single CCB for small organizations

Small organizations, or those managing relatively simple products, may decide to have a single CCB staffed and operated at the organizational level, controlling not only organizational level configurations, but those of its respective projects or products. This can be a useful cost-saving measure, but one whose benefits must be balanced against the time demands of CCB membership and necessary expertise—especially as products increase in number.

Additional boards for larger organizations and/or for complex systems

Larger teams or organizations, or those managing products of significant complexity, may choose to institute a Technical Review Board (TRB) prior to the CCB.

The TRB’s function is to ensure thoroughness and correctness of the information supporting each CCB decision. Its membership depends on the demands of the CM subject, but it typically includes the relevant representatives of the major disciplines involved in the project, and subject matter experts as per needed. The TRB should address in detail the investigations and the arbitrations (technical and non-technical ones) prior to CCB to prepare the synthesis of the proposed analysis with predefined solutions to be agreed on in CCB.

CM augmentation

The CM team must adapt to the system's complexity; greater complexity requires more dedicated and structured CM resources to manage a volume of configuration information that is greater and more complex. It induces the need for a detailed and formalized implementation of CM tasks.

Additionally, the contribution of various stakeholders is essential in performing specific CM functions.

For instance, when evaluation the compliance of a complex system to its requirements in a Functional Configuration Audit (FCA) part of Configuration Verification and Audit activity, the assistance of test engineers and technical writers would be typically required. Status accounting activities on complex systems may require participation from domain experts per expertise area (such as mechanical engineers, radiation engineers, chemical engineers, …) to ensure the correctness of the process and its artifacts. Systems engineers should ensure that these are accounted for in technical planning, estimation, and resourcing.

CM training

In general, CM training should adhere to the principle of training to the specific standard of the organization and its processes. Hence, trainers should use generic process areas and principles as a foundation and introduction, only, to their program and its implementation. Important considerations in CM training include:

  • Ensure that all organizational stakeholders are trained to a minimum level of awareness to support the Configuration Management (CM) initiative and help prevent interruptions to the CM process.
  • Check that all stakeholders take CM activities into account when scheduling meetings and other activities.
  • Make sure that CCB members and contributors understand the CCB workflow and necessary documents. It's especially important for contributors, like project systems and software engineers, to contribute to properly preparing CCB artifacts, as this avoids wasting time during CCB meetings.
  • Make sure that everyone knows the status accounting procedures and documents, along with those for verification and audits. These activities are often viewed as the most impactful by CM contributors in engineering, production, or support. Therefore, it's crucial to train engineering staff on CM audit procedures and their significance in verifying CM. Similarly, ensuring that all team members understand how to access status accounting documents and their relevance to their roles will help build support for the CM effort.
CM organizational legacy and tailoring

A CM organization with a background in previous projects can leverage the legacy of earlier CM plans, tools, and standardized methods as a foundational reference for new projects. However, the Configuration Manager must ensure that the existing processes and infrastructure align with the specific needs of the current CM efforts. If adjustments are necessary, the practices must be appropriately tailored, and such tailoring should be justified.

Constraints and Guidance

Constraints affecting and guiding the CM process come from various sources.  

There are a variety of sources for guidance on the development of a CM process. These include the ISO standards on system life cycle processes (refer to latest ISO/IEC/IEEE 15288 version) and configuration management guidelines (refer to latest ISO 10007 version), as well as the Guide to The Software Engineering Body of Knowledge (SWEBOK) (2024), and the CMMI for Development V1.3 (SEI 2010).

Policies, procedures, and standards set forth at corporate or other organizational levels might influence or constrain the design and implementation of the CM process.  

Guidance should also come from the CM purpose that may differ according to the organizations and/or to the projects, which has a direct influence on the CM effort:  

  • lifecycle phases to be considered, (operational and maintenance phases included or not), safety, cyber-security, environmental scope included or not,
  • specific acquirer processes to comply with
  • specific interfaces with authorities to consider,  
  • agreement(s) with acquirers or suppliers containing provisions affecting the CM process
  • tools and associated practices
  • other processes used in system development in interface with CM process
  • etc.

In all cases, the balance between CM scope and CM costs needs to be addressed.  

Highly rigorous CM implementation implies activities, resources and planning, that need to be adjusted to the correct level of control needed for each product. Highly critical products with safety constraints will, for example, need potentially a higher level of Configuration information to be managed and a higher number of CM verifications. The increase of control induces an increase of the cost of CM activities. However, for any product, the dedicated normative expectations of the context will drive the minimum set of CM requirements to be applied.

Organizational Issues

Successful CM planning, management, and implementation requires an understanding of the organizational context for the design and implementation of the CM process and why constraints are placed upon it.  

To plan a CM process for a project, it is necessary to understand the organizational context and the relationships among the organizational elements. CM interacts with other organizational elements, which may be structured in various ways. Although the responsibility for performing certain CM tasks might be assigned to other parts of the organization, the overall responsibility for CM often rests with a distinct organizational element or designated individuals that constitute the CM team (Bourque and Fairley 2014).

The following are some examples of elements to be considered for a dedicated project:

  • size of the organization,  
  • budgets,  
  • schedules,
  • contract requirements for CM,
  • approval authority for the configuration,
  • access and control of CM information, IT-security constraints,
  • certification requirements,
  • internal context:  enterprise management system, processes, and supporting systems to achieve the CM activities,
  • external context: Acquirer/Supplier CM interfaces with a contracted relationship to support external trusted interactions,
  • IT infrastructure to provide an adequate CM management system supporting the requested CM activities.

Some examples of organizational elements to be considered across the entire organization (this is not an exhaustive list) include:

  • IT needs to support the various CM management systems of the projects of the organization
  • IT support teams to provide training and support for the usage of the CM tools  
  • Cyber-resiliency expectations, with the support of the relevant subject-matter experts (SMEs)
  • IT infrastructure requirements:  
    • Capacity to support the CM activities for all the projects of the organization
    • Provision and status of backups.  While products of low complexity or criticality may be able to suffer a discontinuous CM tooling with little impact, complicated or safety-critical systems often require continuous access to CM info.  Hence, IT may need to include CM tools and repositories in a hot or warm backup scheme.
    • Traceability and preservation of the history of all Configuration Information are part of the requirements for CM.
    • Information hosting and access.  CM information is often proprietary and competition-sensitive and sometimes classified in accordance with national security requirements.  Hence, both hosting and access must often be controlled.

Measurement

To carry out certain CM activities, such as status accounting, verification and auditing, as well as to monitor and assess the effectiveness of CM processes, it is necessary to measure and collect data related to CM activities and system artifacts.  

CM management system and automated report tools provide convenient access and facilitation of data collection.  

Measurement of CM effectiveness would concern address the assessment of CM strategy deployment and maturity, for example:  

  • are the CM processes clearly documented for all life cycle phases, planned, deployed, known, applied?
  • are the stakeholders trained and aware of their involvement in CM activities?
  • are the tools providing the adequate capabilities to ensure CM activities?

Measurement of CM performance could address the quantitative aspects of CM activities implementation:

  • Volume of Configuration items to manage
  • Volume of configuration information
  • Volume and costs of changes
  • Volume of variances  
  • Duration of impact analysis to assess the impact of changes and variances
  • Time to approve a change, time to implement an approved change
  • Proportion of rework of impact analysis (not aiming to decision in CCB at first attempt)
  • Number of discrepancies detected in CM verifications
  • Number of attempts to get Functional and Physical Configuration Audits successfully passed.

It must be noted that most quantitative measures of CM performance would indeed address the performance of all the disciplines involved in the CM activity:  

  • the time to perform an impact analysis is mainly illustrating the time needed by the various expertise and engineering stakeholders to evaluate all the induced impacts of a change
  • the time to implement a change may be driven by the manufacturing or purchasing constraints that could delay the implementation to include it in a dedicated batch

Tools  

CM employs a variety of tools to support the process, that may depend on the nature of the system under CM and of the nature of the system artifacts. In a very general way, the Configuration Management system relies on tools such as Product Lifecycle Management and Application Lifecycle Management applications, and it can be seen as a federated environment. This environment could encompass various functionalities, among which

  • information management
  • tracking and change management
  • version management
  • release management
  • baseline management
  • breakdown structures management.

Practical Considerations

Pitfalls

Some of the key pitfalls encountered in implementing CM are in Table 1.

Table 1. Configuration Implementation Pitfalls. (SEBoK Original)
Name Description
Poor Tailoring
  • Inadequate CM tailoring to adapt to the project scale, number of subsystems, etc.
CM Boards organization not clarified
  • Missing a visible and detailed organization of the boards over the whole system
Insufficient CM training
  • Insufficient training of all affected disciplines
Insufficient CM tooling
  • Lack of tools supporting the CM tasks

Good Practices

Some good practices gathered from the references are provided in Table 2 below.

Table 2. Configuration Implementation Good Practices. (SEBoK Original)
Name Description
CM activities adjusted to the project needs
  • CM activities consider the context of the project, the characteristics of the system, and the context of the organization
CM Boards organization
  • The various boards have been set up according to the project needs, and their organization is adjusted along the lifecycle when needed
CM Resources
  • The CM team organization is anticipated
CM Tools
  • The Configuration Management system is set up to guarantee adequate support to the CM tasks, and to alleviate the administrative tasks.
CM Training
  • CM training is available all through the project with adequate content for the involved stakeholders' priorities

References

Works Cited

ISO/IEC/IEEE 15288:2023, Second Edition. Systems and software engineering — System life cycle processes - International Organization for Standardisation / International Electrotechnical Commissions / Institute of Electrical and Electronics Engineers. ISO/IEC/IEEE 15288:2023

INCOSE. 2023. Systems Engineering Handbook: A Guide for System Life Cycle Processes and Activities, version 5.0. Hoboken, NJ, USA: John Wiley and Sons, Inc, ISBN: 978-1-119-81429-0.

ISO 10007, Third Edition. Quality Management Systems – Guidelines for Configuration Management. International Organization for Standardization (ISO), ISO 10007:2017

Blanchard, B.S. and W J. Fabrycky. 2005. Systems Engineering and Analysis, 4th ed. Prentice-hall international series in industrial and systems engineering. Englewood Cliffs, NJ, USA: Prentice-Hall.

IEEE SWEBOK Version 4 2024. Guide to the Software Engineering Body of Knowledge (SWEBOK). Los Alamitos, CA, USA: IEEE Computer Society. Available at: https://www.computer.org/education/bodies-of-knowledge/software-engineering

ISO 10007, Third Edition. Quality Management Systems – Guidelines for Configuration Management. International Organization for Standardization (ISO), ISO 10007:2017

SEI. 2010. Capability Maturity Model Integrated (CMMI) for Development, version 1.3. Pittsburgh, PA, USA: Software Engineering Institute (SEI)/Carnegie Mellon University (CMU).

Primary References

ISO/IEC/IEEE 15288:2023, Second Edition. Systems and software engineering — System life cycle processes - International Organization for Standardisation / International Electrotechnical Commissions / Institute of Electrical and Electronics Engineers. ISO/IEC/IEEE 15288:2023

INCOSE. 2023. Systems Engineering Handbook: A Guide for System Life Cycle Processes and Activities, version 5.0. Hoboken, NJ, USA: John Wiley and Sons, Inc, ISBN: 978-1-119-81429-0.

ISO 10007, Third Edition. Quality Management Systems – Guidelines for Configuration Management. International Organization for Standardization (ISO), ISO 10007:2017

ANSI/GEIA. 2016. Configuration Management Standard Implementation Guide. Arlington, VA, USA: American National Standards Institute/Government Electronics & Information Technology Association, EIA649A.

ANSI/GEIA. 2019. Configuration Management Standard Implementation Guide. Arlington, VA, USA: American National Standards Institute/Government Electronics & Information Technology Association, EIA649C.

GEIA. 2022. Data Management. Arlington, VA, USA: Government Electronics & Information Technology Association. GEIA-859B.

Additional References

ISO/IEC/IEEE 16236:2019. Systems and Software Engineering - Life Cycle Processes - Project Management. International Organization for Standardisation / International Electrotechnical Commissions / Institute of Electrical and Electronics Engineers - ISO/IEC/IEEE 16326:2019 (Edition 2)

ISO/IEC/IEEE 15289:2019. Systems and software engineering — Content of life-cycle information items. International Organization for Standardisation / International Electrotechnical Commissions / Institute of Electrical and Electronics Engineers - ISO/IEC/IEEE 15289:2019 (Edition 4)

ISO/IEC/IEEE 24748-1:2024. Systems and software engineering — Life cycle management - Part 1: Guidelines for life cycle management. International Organization for Standardisation / International Electrotechnical Commissions / Institute of Electrical and Electronics Engineers - ISO/IEC/IEEE 24748-1:2024 (Edition 2)

ISO/IEC/IEEE 24748-2 Systems and software engineering — Life Cycle Management – Part 2: Guidelines for the Application of ISO/IEC/IEEE 15288

ISO/IEC/IEEE 24748-2:2024. Systems and software engineering — Life cycle management - Part 2: Guidelines for the application of ISO/IEC/IEEE 15288 (system life cycle processes) - International Organization for Standardisation / International Electrotechnical Commissions / Institute of Electrical and Electronics Engineers - ISO/IEC/IEEE 24748-2:2024 (Edition 2)

ECSS-M-ST-40C Rev.1. 2009. Space project management - Configuration and information management. Noordwijk, The Netherlands: European Cooperation for Space Standardization (ECSS)

ANSI/EEIA. 2020. Configuration Management Requirements for Defense Contracts EIA649_1A. Arlington, VA, USA: Government Electronics & Information Technology Association - EIA649_1A

< Previous Article | Parent Article | Next Article >
SEBoK v. 2.12, released 20 May 2025
Retrieved from "https://sebokwiki.org/draft/w/index.php?title=Configuration_Management_Implementation&oldid=73958"