Configuration Management - Physical Audit and Functional Audit for Software and Hardware

Nadaabo

Involved In Discussions
#1
Hi,
I was wondering if I can bounce some ideas around to see if I'm on the right track with respect to Physical and functional audits (for Software and Hardware).

From reading the ISO 10007 I understand that:
A functional configuration audit is a formal examination to verify that a configuration item has achieved the functional and performance characteristics specified in its product configuration information; and

A physical configuration audit is a formal examination to verify that a configuration item has achieved the physical characteristics specified in its product configuration information.

I realized that when we perform a first article inspection (FAI) on our product, we test it to make sure it functions properly and we inspect it against the drawing to make sure it matches. Would I be able to use the results of my FAI as evidence of these two audits?

Now, as for the software one (this comes from IEEE Std 730):
A functional audit is held prior to the software delivery to verify that all requirements specified in the SRD have been met.
A physical audit is held to verify internal consistency of the software and its documentation, and their readiness for release.

To me, a functional audit here sounds like me sitting by a SW tester and watching them perform SW testing? Would I be able to audit that test reports exist for this and move on?

And physical auditing sounds like ensuring the SW was released properly in our system with all its required documents (SPMP, SCMP, SFD, etc.)?


I'm still unsure how or what is expected of me for the SW audits, so if anyone has any ideas or suggestions or experience, I'm all ears.
I think the FAI package would work for the Hardware audit, I just want to see if someone else can see risks associated with doing this that I might have overlooked.

Thank you all, I appreciate your time and help with this.
 

yodon

Leader
Super Moderator
#2
I don't think you want to sit around and observe a tester verifying requirements. The protocols should collect sufficient objective evidence to enable an independent reviewer to come to the same conclusion as the tester.

What you do want to do in a software audit is to confirm that:
  • all the elements used in a software build are under configuration control; i.e., not pulled from the builder's PC, etc.
  • all changes are tracked to change authorization (this gets a bit tricky in initial development when change 'authorization' is the baseline requirements).
  • all problem reports are tracked to changes and only changes associated with that problem report are authorized (developers may have a tendency to add things not necessarily authorized)
You may want to review the process to confirm it complied with internal procedures (if any). You can also ensure all the artifacts from development are well-controlled.

Presuming you have traceability between software and system requirements, you can review the trace tables to confirm all system requirements to be implemented in software have been covered. And that all software requirements are fully covered by the associated tests.
 

Nadaabo

Involved In Discussions
#3
This is wonderful. Thank you.
I spoke with our Software Manager and I feel like I have a much better grasp on this. I'm adding this just in case someone is searching for similar solutions.

  • Our process has requirements for the developer to complete a form to describe how the SW is built (Tools, methods description, etc.).
  • All SW is held in an SVN database that tracks all changes made to the SW and is referenced in an item tracking system that captures the work completed. This helps the reviewer of the code see what the approved change was vs what was changed.
  • The process also requires all code to go through review, testing, approval and release.
Our SW goes through qualification and testing and a test report is created that traces back to the requirements, which I can audit for functional audits.
We also have a Software Version Description Document for each project that outlines the code used and its most current version, which will be helpful for the physical audit.

Thank you so much again!
 

yodon

Leader
Super Moderator
#4
Just to add on a bit to what you wrote. The physical configuration audit should allow you to say that only the authorized changes were made and that each change is associated with its change authorization. What you DON'T want to see is one big massive checkin with a long string of change requests (or some vague description) where you can't tie specific changes to the change request (authorization). There would be no way, then, to say that only authorized changes were implemented.
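
An added example, not part of any post in this thread: one way to automate the check described in #2 and #4, flagging commits that reference no change request, bundle several, cite an unapproved one, or touch files outside the authorized scope. The `CR-nnn` id format, the per-request path lists and the commit log are all constructed assumptions; in practice they would come from the item tracking system and the SVN log.

```python
import re

# Constructed sample data (not from the thread): approved change requests with
# the paths each one authorizes, and a commit log as (revision, message, paths).
APPROVED = {
    "CR-101": {"src/pump/control.c", "src/pump/control.h"},
    "CR-102": {"src/ui/alarm.c"},
}
COMMITS = [
    (1201, "CR-101: clamp flow rate setpoint", ["src/pump/control.c"]),
    (1202, "CR-102: fix alarm text", ["src/ui/alarm.c", "src/ui/theme.c"]),
    (1203, "CR-101 CR-102 CR-107 misc fixes",
     ["src/pump/control.h", "src/ui/alarm.c"]),
    (1204, "cleanup", ["src/util/log.c"]),
]
CR_PATTERN = re.compile(r"\bCR-\d+\b")  # assumed change-request id format


def audit_commit(rev, message, paths, approved):
    """Return the findings for one commit; an empty list means it passes."""
    refs = sorted(set(CR_PATTERN.findall(message)))
    if not refs:
        return [f"r{rev}: no change request referenced"]
    findings = []
    if len(refs) > 1:
        # The "one big checkin" case: changes cannot be tied to one request.
        findings.append(f"r{rev}: bundles {len(refs)} change requests")
    for ref in refs:
        if ref not in approved:
            findings.append(f"r{rev}: {ref} is not an approved change request")
    # Union of everything the cited, approved requests allow to be touched.
    allowed = set().union(*(approved[r] for r in refs if r in approved))
    for path in paths:
        if path not in allowed:
            findings.append(f"r{rev}: {path} changed outside authorized scope")
    return findings


def audit_log(commits, approved):
    """Map revision -> findings for every commit that fails a check."""
    report = {}
    for rev, message, paths in commits:
        findings = audit_commit(rev, message, paths, approved)
        if findings:
            report[rev] = findings
    return report


if __name__ == "__main__":
    for findings in audit_log(COMMITS, APPROVED).values():
        print("\n".join(findings))
```
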
 
#5
Hi,

Explaining FCA and PCA to my organization is a challenge since developers (incl. RE) and quality have the opinion that an FCA is (more or less) performed by requirements management and PCA would be a quality responsibility.

I honestly think this makes sense, and given that, I'd think in order to satisfy FCA/PCA audit requirements, I, as a configuration manager, would refer to the documentation that requirements management and quality produce.

Does anyone assign handling of FCA/PCA to the role of a configuration manager? I mean I've never seen a configuration manager inspect a physical part ...
 