Configuration Management Audits

A customer recently shared with us that a new-hire fresh out of engineering school asked, “Why do A&D programs need to perform so many reviews and audits; aren’t they obsolete or redundant in a world of continuous integration, AGILE development, model-based systems engineering, virtual prototyping, and digital twins?”

The answer from the perspective of an A&D project manager is no; audits are not redundant nor are they a relic of the analog past to be discarded in the hype of a digitally transformed future. Audits are the bastion against failures small and large such as hardware/software incompatibilities, data breaches, incorrect part substitutions, product performance deficiencies, and system disasters that become news headlines. In the complexity of increasingly digital world, audits have become more important, certainly not less.

A&D contractors are confronted by numerous categories of audits including business, regulatory, legal, and engineering. These can include financial, compliance, operational, security, delivery, product performance, data, and configuration management audits. In A&D contracts, Configuration Management audits are of two types: the Functional Configuration Audit (FCA) and Physical Configuration Audit (PCA).

In this first of two CMsights posts we will describe the process of continuous CM audits and two types of configuration audits. In Part 2 we will explore how CM software like EPOCH CM and PDMPlus support configuration audits.

Where Audits Fit in to the Product Development Lifecycle

The above illustration shows each of the steps in the management of a typical new product development (NPD) launch. The process flow may look logical but there are numerous traps, detours, and dead ends along the way as the devil is always hiding in the details. We will focus on the latter half of the NPD process.

Starting at Preliminary Design Review (PDR) the contractor’s allocation of the functional requirements to subsystems is evaluated to ensure the system will be operationally effective. Once a PDR is complete those allocations constitute what we call the Allocated Baseline. Critical Design Review (CDR) then takes a critical look at the detailed design against the allocations. Once completed in multi-unit procurements, the Configuration Items (CIs) are authorized for fabrication and test. Depending on design maturity there may be multiple PDRs and multiple CDRs until all systems and subsystems have been covered.

It looks very straight forward but looks are deceiving. As example, contract deliverable data is often identified with a specific due date associated with a program milestone. Program managers and systems engineers need to monitor this on an as released basis. (No company has the data pipeline bandwidth or the staff to hold deliveries until the specified date.) Data deliveries for documents like drawings, test procedures, test reports, analysis, inspection reports, and performance demonstration reports have to be released and delivered with precision. As a result there are multiple data deliverable pipes running in parallel at any one time which are often disconnected. Learn more about contract deliverables data management or CDDM.

Configuration Items and Configuration Audits

What often confuses A&D program managers and systems engineers alike is the relationship between Configuration Items and Configuration Audits. Going back to the fundamentals, we recall that all items under configuration control are subject to the five pillars of a sound CM implementation. CIs are subject to enhanced CM (often called distinct control) when it comes to Configuration Traceability (or Verification) & Audit.

Items not designated as CIs are also subjected to verification and audit activities. This is where continuous auditing becomes critically important. The continuous iterative process of audit, release, and delivery – instead of release, delivery, then audit – is a capability provided by the configuration management plan and change control system because:

• Each change to an item under configuration control is audited prior to release in the CM system and delivery to the customer.
• The customer then performs an incremental buy-off of the functional aspects of the CI as it is developed and tested.

CIs are items chosen for “distinct control” and subject to Functional Configuration Audits and Physical Configuration Audits.

The goal of these configuration audits is to provide the following:

1. Ensures that product design provides agreed-to performance capabilities
2. Validates integrity of product configuration information
3. Verifies consistency between a product and its product configuration information
4. Determines that adequate processes are in place to provide continuing control of the configuration
5. Provides confidence that product definition information is under configuration control
6. Ensures a controlled configuration is the basis for manufacture, installation, and maintenance instructions, training, spare and repair parts, etc.
7. Verifies that we know what we built including that part substitutions are known, and that assembly heritage is verified
8. Ties performance requirements to program documents that verify all technical requirements are met and documented

FCAs and PCAs are the two processes used to address these goals and thus verify that the end item delivered was vetted against requirements stated in the contract award. When the results of the FCAs and PCAs are combined they offer tangible proof that a controlled design, fabrication, test, and documentation system exists; and the product not only performs as required but you know what you manufactured and can replicate it.

FCA and PCA findings and observations can be positive or negative and they can be written against the customer or the contractor. Findings require a succinct statement of fact based on what is found or observed. All findings must be dispositioned before the audit is considered closed.