Who Needs Configuration Management?
by Vince Guess
If is often said that you need configuration management only if you work in a regulated industry; that is, if your products and processes must conform to requirements that are regulated by a government agency, then you need CM. Government agencies often cited as examples include the US Department of Defense, Food and Drug Administration, Federal Aviation Administration, Nuclear Regulatory Commission, NASA, NATO, and so on. Stated more simply, if you produce military equipment, commercial aircraft, or medical devices, you need CM. If you operate a commercial nuclear power plant, you need CM.
If you were to review the various regulations imposed on such producers, you would find the requirements to be very similar. Your product designs must be defined and documented. The processes used to produce those products must be defined and documented. Changes to those designs and processes must be controlled. The documents in both cases must also be controlled.
Organizations that work in regulated industries must also keep records. Those records must provide conclusive evidence that the designs and processes were approved, that the processes were followed, and that the as-delivered products did conform to the approved requirements.
ISO 9000 imposes similar requirements but they are not called configuration management. If you are certified to ISO 9000, why do you need CM?
If you are "regulated," you are audited. If you are ISO-certified, you were assessed and to keep your certification, you are reassessed. Auditors and assessors are those who visit your site and verify that you are doing what you are supposed to do.
What do companies do different when they are not regulated? Is it true that nonregulated companies do not have to worry about safety? Is it true that they have only quality, schedule, cost and profit to worry about? Is it true that they do not have to worry about legal liabilities?
What would your company do different if an auditor was, or was not, looking over your shoulder? How much more does it cost to do business in a regulated industry and have an auditor periodically check to assure that you are doing what you are supposed to do? What corners would you cut if there was no auditor? How much would you save?
The regulations state that designs, processes, documentation, changes and records must be managed and that products must conform. They do not specify how. That is up to the producer/operator.
To be afraid of an auditor is to be ashamed of your processes. Every organization should want a showcase process that can be shown-off to customers and regulators at every opportunity.
Institute of Configuration Management Scottsdale, AZ 85261-5656 Tel: (480) 998-8600 Fax: (480) 998-8923 Email: info@icmhq.com