Conducting Software Configuration Management Audits. Linda Westfall 12 October 2017

Similar documents
From Audit Requirements to Checklists to Evidence Gathering Plans. Linda Westfall 12 October 2017

Bidirectional Requirements Traceability By Linda Westfall.

Software Quality Engineering Courses Offered by The Westfall Team

Software Quality Engineering Courses Offered by The Westfall Team

Desk Audit of. Based on Federal Transit Administration (FTA) Quality Assurance and Quality Control Guidelines FTA-IT

Blatant Commercialism

WORK PLAN AND IV&V METHODOLOGY Information Technology - Independent Verification and Validation RFP No IVV-B

Quality Management_100_Quality Checklist Procedure

PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3)

This document describes the overall software development process of microcontroller software during all phases of the Company Name product life cycle.

QUALITY ASSURANCE PLAN OKLAHOMA DEPARTMENT OF HUMAN SERVICES ENTERPRISE SYSTEM (MOSAIC PROJECT)

8 Steps to Effective Use Cases

Flexibility Stability

EVANS CAPACITOR COMPANY

Software Auditor Skills Training Course Offered by The Westfall Team

CMMI-DEV V1.3 CMMI for Development Version 1.3 Quick Reference Guide

CMMI V2.0 MODEL AT-A-GLANCE. Including the following views: Development Services Supplier Management. CMMI V2.0 outline BOOKLET FOR print.

Chapter 1 GETTING STARTED. SYS-ED/ Computer Education Techniques, Inc.

Cintipation Corp. CORINTHIAN PROJECT Policy for Requirements Management

Association of American Railroads Quality Assurance System Evaluation (QASE) Checklist Rev. 1/12/2017

Summary of TL 9000 R4.0 Requirements Beyond ISO 9001:2000

Software configuration management

Quality Management_200_Quality Product Review Procedure

ISO 9001: 2000 (December 13, 2000) QUALITY MANAGEMENT SYSTEM DOCUMENTATION OVERVIEW MATRIX

Work Plan and IV&V Methodology

QUALITY MANUAL ECO# REVISION DATE MGR QA A 2/25/2008 R.Clement J.Haislip B 6/17/2008 T.Finneran J.Haislip

INS QA Programme Requirements

APPENDIX C Configuration Change Management Verification and Validation Procedures

Supplier Quality Requirements SQR-1.0 Rev. 3

PURCHASE ORDER ATTACHMENT Q-201 SOFTWARE QUALITY SUBCONTRACTOR REQUIREMENTS TASK DESCRIPTIONS - PURCHASE CATEGORY "A"

VC SOFTWARE PROJECT MANAGEMENT PLAN

CMMI 2008 CMMI 2008 Denver, Colorado United States November Tim Kasse. Kasse Initiatives LLC Europe

EPICOR, INCORPORATED QUALITY ASSURANCE MANUAL

NR CHECKLIST Rev. 1. QAM IMP References NBIC Part 3, 1.8 Y N Y N a. Organization. Company Name/Certificate Number: Page 1 of 26

Skill Category 7. Quality Control Practices

DeFoe Corp. 800 South Columbus Ave. Mount Vernon, NY QUALITY ASSURANCE MEASUREMENT ANALYSIS AND IMPROVEMENT

CMMI-SVC V1.3 CMMI for Services Version 1.3 Quick Reference Guide

Independent Verification and Validation of SAPHIRE 8 Software Project Plan

ANCHOR ISO9001:2008 RPR-007 MARINE SERVICES ADDITIONAL PROCEDURE PRODUCT REALISATION

Centerwide System Level Procedure

Brumund Foundry Inc.

INTEGRATING ISO 9000 METHODOLOGIES WITH PROJECT QUALITY MANAGEMENT

Beaver Machine. Quality Manual

c) Have personnel been appointed to supervise the production operations across all shifts in order to ensure the product quality?

Carry out manual tests on software products/applications/modules

Contents About This Guide... 5 Upgrade Overview... 5 Examining Your Upgrade Criteria... 7 Upgrade Best Practices... 8

ROTEK. IIInnInstI Instrument Corp. ISO 9001 Quality System Manual

Software Quality Assurance Framework (SQA) Yujuan Dou 窦玉娟 2008/11/28

Information Technology Independent Verification and Validation

Capability Maturity Model for Software (SW-CMM )

(your project name) QUALITY PLAN

This resource is associated with the following paper: Assessing the maturity of software testing services using CMMI-SVC: an industrial case study

Vendor Qualification Survey

Quality Manual. Specification No.: Q Revision 07 Page 1 of 14

Quality Management System Manual

Presented by: Linda Westfall Sponsored by:

Technical Manufacturing Corporation (TMC)

QUALITY MANUAL. Number: M-001 Revision: C Page 1 of 18 THIS DOCUMENT IS CONSIDERED UNCONTROLLED UNLESS ISSUED IDENTIFIED AS CONTROLLED

Quality Commitment. Quality Management System Manual

Quality Manual. This manual has been written to the ISO 9001:2000 International Quality Standard

Proprietary Document Disclosure Restricted To Employees and Authorized Holders

V&V = the Verification and Validation of Deliverables

C.A.S.E. AIR CARRIER SECTION POLICIES AND PROCEDURES

DORNERWORKS QUALITY SYSTEM

Contractual Aspects of Testing Some Basic Guidelines CONTENTS

The Standard Illustrations ISO The International Standard for Quality Management Systems. Year 2000 Edition. Leland R.

Integrated Flow Solutions Reynolds Road Tyler, TX Phone: (903) Fax: (903) UNCONTROLLED COPY

Carry out automated tests on software products/applications/modules

YOUR TRANSPORTATION CO.

Independent Verification and Validation (IV&V)

CMMI for Acquisition Quick Reference

SUPPLIER QUALITY ASSESSMENT

Quality management systems

Self-Audit Checklist

UNCONTROLLED DOCUMENT

Quality Assurance / Quality Control Plan

BHG Operational Awareness Program May 8, 1998 Configuration Management Revision 0 Page 1 of 11 CONFIGURATION MANAGEMENT

Quality Control Manual Revision 5 1/21/2011

INTERNATIONAL STANDARD

QuEST Forum. TL 9000 Quality Management System. Requirements Handbook

Reference Paragraphs. Appendix B AQS Auditor Handbook

Biometrics Enterprise Architecture Systems Engineering Management Plan (BMEA SEMP)

QUALITY POLICIES HANDBOOK

Control of Internal Auditing

CMMI for Services Quick Reference

Instrument Control System Project Management

Page 1 / 11. Version 0 June 2014

Project Procedures 1.0 PURPOSE 2.0 SCOPE 3.0 REFERENCES. No.: P /21/2012 PAGE 1 OF 13 BASIS OF OPERATION

Osprey Technologies, LLC. Quality Manual ISO9001:2008 Rev -

EX0-114_Wins_Exam. Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0

PRECISE INDUSTRIES INC. Quality Manual

Software Project & Risk Management Courses Offered by The Westfall Team

IT Service Management Foundation based on ISO/IEC20000

PCA ELECTRONICS, INC. Quality Manual

Product Realization. Ameritube LLC 1000 N. Hwy 77, Hillsboro TX Revision Level: Procedure No. A

HFI Fluid Power Products Quality Manual Revision # 5 dated 02/07/10. HFI FLUID POWER PRODUCTS A Division of Hydraulic Fittings, Inc.

QUALITY ASSURANCE AND QUALITY CONTROL MANUAL

Rational Software White Paper TP 174

IBS Electronics, Inc.

Transcription:

Conducting Software Configuration Management Audits Linda Westfall 12 October 2017

SCM Processes Software Development, Acquisition & Service Software Configuration Identification Software Configuration Control Software Configuration Status Accounting Software Configuration Auditing Software Configuration Release Management SCM Planning Management of the SCM Functions

Configuration Audits Audits of SCM provide objective assurance that: SCM processes are being followed Configuration items are being built as required The primary purpose of SCM audits is to maintain the integrity of the configuration baselines Baselines are complete, correct & consistent in relation to functional & physical specifications Approved changes were correctly implemented & verified No unauthorized changes have occurred At delivery the software products are ready to release

When are SCM Audits Conducted Traditional Software Development In-Process SCM Audits

When are SCM Audits Conducted (cont.) In-Process SCM Audits Sprint #1 Sprint #2 Sprint #3 Sprint #4 Sprint #5 Sprint #6 Sprint #7 Sprint #8 Sprint #9 Sprint #10 Sprint #11 Sprint #12 Sprint #13 Sprint #14 Sprint #15 Sprint #16 Sprint #17 Sprint #18 Release #1 Release #2 Release #3 OPERATIONS Agile Software Development FCA PCA

Software Configuration Management Audits Functional Configuration Audits (FCA) Physical Configuration Audits (PCA) In-Process SCM Audits

Functional Configuration Audit (FCA) A FCA is conducted to verify that: The development of a configuration item has been completed satisfactorily The item has achieved the performance & functional characteristics specified Its operational & support documents are complete & satisfactory [ISO/IEC/IEEE-10]

FCA Checklist All Baselines Checklist Item Suggestions for Evidence Gathering Techniques 1. Does each baselined configuration item (CI) implement all and only the documented software/system requirements? Evaluate requirements-to-ci forward and backward traceability information for completeness and to ensure that no unauthorized functionality has been implemented. Sample a set of requirements and using the traceability information, review each associated, baselined CI for implementation completeness and consistency. Sample a set of approved enhancement requests and review their resolution status (or if approved for change, evaluate their associated, baselined CIs for implementation completeness and consistency). Sample a set of baselined CIs and compare with the previous versions to identify changes. Ensure that each change corresponds to a requirement or approved change request.

Bi-Directional Traceability Requirement Source Product Requirements Architectural Design Section # Component Design Section # Code Unit Unit Test Case # System Test Case # User Manual Business Rule #1 R00120 Credit Card Types 4.1 Parse Mag Strip 4.1.1 Read Card Type Read_Card _Type.c Read_Card _Type.h UT 4.1.032 UT 4.1.033 UT 4.1.038 UT 4.1.043 ST 120.020 ST 120.021 ST 120.022 Section 12 4.1.2 Verify Card Type Ver_Card _Type.c Ver_Card _Type.h Ver_Card _Types. dat UT 4.2.012 UT 4.2.013 UT 4.2.016 UT 4.2.031 UT 4.2.045 ST 120.035 ST 120.036 ST 120.037 ST 120.037 Section 12 Use Case #132 step 6 R00230 Read Gas Flow 7.2.2 Gas Flow Meter Interface 7.2.2 Read Gas Flow Indicator Read_Gas _Flow.c UT 7.2.043 UT 7.2.044 ST 230.002 ST 230.003 Section 21.1.2 R00231 Calculate Gas Price 7.3 Calculate Gas price 7.3 Calculate Gas price Cal_Gas_ Price.c UT 7.3.005 UT 7.3.006 ST 231.001 ST 231.002 Section 21.1.3 UT 7.3.007 ST 231.003

FCA Checklist All Baselines (cont.) Checklist Item 2. Are all the defects/anomalies reported during verification & validation (V&V) activities adequately resolved (or the appropriate waivers/deviations obtained and known defects with work-arounds are documented in the release notes)? Suggestions for Evidence Gathering Techniques Review a sample set of approved defect/ anomaly report records for evidence of adequate resolution. Sample a set of defect/anomaly report records and review their resolution status (or if approved for change, evaluate their associated CIs for implementation completeness and consistency). Review V&V iteration results data (e.g., repeer review records, re-test/regression test logs, test case status, and/or metrics) to ensure adequate V&V iteration coverage after defect correction.

FCA Checklist Product/Release Baseline Checklist Item 3. Can each system/software requirement be traced forward into tests cases/procedures that V&V that requirement? 4. Is comprehensive system/software testing complete, including functional testing, interface testing and the testing of required quality attributes (performance, usability, safety, security, etc.)? Suggestions for Evidence Gathering Techniques Evaluate requirements-to-tests traceability information for completeness. Sample a set of requirements and using the traceability information, review the associated test documentation (e.g., test plans, defined test cases/procedures) for adequacy of V&V by ensuring the appropriate level of test coverage for each requirement. Review approved V&V reports for accuracy and completeness. Evaluate approved test documentation (e.g., test plans, defined test cases/procedures) against test results data (e.g., test logs, test case/procedure status, test metrics) to ensure adequate test coverage of the requirements and system/software during test execution. Execute a sample set of test cases to evaluate accuracy of test results.

FCA Checklist Product/Release Baseline (cont.) Checklist Item 5. Is the operational & support documentation consistent with the requirements and as-built system/software? Suggestions for Evidence Gathering Techniques Review minutes from peer reviews and defect resolution information from operational & support documentation reviews for evidence of consistency. Evaluate formal test documentation (e.g., test plans, defined test cases/procedures) against test results data (e.g., test logs, test case/procedure status, test metrics) to ensure adequate test coverage of the operational & support documentation during test execution. Review sample set of updates to previously delivered documents to ensure consistency with requirements and as built system/ software?

Operational & Support Documentation Development documents User & operator s manual(s) Supporting web site Installation instructions Training materials Version description documents

Software Configuration Management Audits Functional Configuration Audits (FCA) Physical Configuration Audits (PCA) In-Process SCM Audits

Physical Configuration Audit (PCA) A PCA is conducted to verify that: Each configuration item, as built, conforms to the technical documentation that defines it: All items identified as being part of the configuration are present in the product baseline The correct version & revision of each part are included in the product baseline Each item correspond to information contained in the baseline s configuration status report [ISO/IEC/IEEE-10]

PCA Checklist All Baselines Checklist Item 1. Has each nonconformance or noncompliance from the associated FCA been appropriately resolved? 2. Have all of the identified CIs been baselined? Suggestions for Evidence Gathering Techniques Review findings from the FCA audit report, associated corrective actions, follow-up and verification records to evaluate adequacy of actions taken (or appropriate approved waivers/deviations exist). Sample a set of CIs and evaluate them against configuration status accounting records to verify that the appropriate version/revision has been captured as part of the baseline. 3. Do all of the baselined CIs meet workmanship standards? Sample a set of CIs and evaluate them against their associated workmanship standards (e.g., modeling standards, coding standards & naming conventions, documentation standards).

Correct Version & Revision Baseline Label 3 Baseline Label 2 Baseline Label 1 CI #1 1 2 3 4 5 6 7 CI #2 1 1 1 2 Codeline CI #n 1 1 1 1

PCA Checklist Product/Release Baseline Checklist Item 4. Has the software been built from the correct components and in accordance with the specification? Suggestions for Evidence Gathering Techniques Evaluate the build records against the configuration status accounting information to ensure that the correct version and revision of each module was included in the build. Evaluate any patches/temporary fixes made to the software to ensure their completeness and correctness. Sample a set of design elements from the architectural design and trace them to their associated detailed design elements and source code. Compare those elements with the build records to evaluate for completeness and consistency with the as built software.

Configuration Status Accounting Test Cases, Procedures & Scripts Tested With Constituent configuration items Target Platforms & Environments Described By Built Into Runs On Specifications Built Using Software Builds Supported By Tools, Macros, Libraries & Development Platform User Documentation

PCA Checklist Product/Release Baseline (cont.) Checklist Item 5. Is the deliverable documentation set complete? Suggestions for Evidence Gathering Techniques Evaluate the master copy of each document against the configuration status accounting information to ensure that the correct version/ revision of each document sub-component (e.g., chapter, section, figure) is included in the document. Sample the set of copied documents ready for shipment and review them for completeness and quality against the master copy. Evaluate the version description document against the build records for completeness and consistency. Compare the current build records to the build records from the last release to identify changed components. Evaluate this list of changed components against the version description document to evaluate the version description document s completeness and consistency.

PCA Checklist Product/Release Baseline (cont.) Checklist Item 6. Does the actual system delivery media conform to specification? Has the delivery media been appropriately marked/labeled? 7. Do the deliverables for shipment match the list of required deliverables? Suggestions for Evidence Gathering Techniques Evaluate the items on the master media against the required software deliverables (executables, help files, data) to ensure the correct versions and revisions were included. Sample a set of copied media ready for shipment and review them for completeness and quality against the master media. Sample a set of copied media ready for shipment and review their marking/labeling against specification. Evaluate the packing list against the list of documented deliverables to ensure completeness. Sample a set of ready-to-ship packages and evaluate them against the packing list to ensure that media (i.e., CD, disks, tape), documentation and other deliverables are included in each package.

PCA Checklist Product/Release Baseline (cont.) Checklist Item 8. Have 3 rd party licensing requirements been met? 9. Have export compliance requirements been met? Suggestions for Evidence Gathering Techniques Evaluate the build records against configuration status accounting information to identify 3 rd party components and license information to confirm adequate numbers of licenses exist. Evaluate the build records against configuration status accounting information to identify components with export restrictions and confirmed export compliance.

Software Configuration Management Audits Functional Configuration Audits (FCA) Physical Configuration Audits (PCA) In-Process SCM Audits

In-Process SCM Audit Objectives In-process SCM audits are value-added activities conducted to provide management with information about the: Adequacy of the organization s SCM plans, processes & systems Compliance to documented SCM plans, processes & systems Effectiveness of the SCM plans, processes & systems & their implementation Efficiency of resource utilization Identification of areas for continuous improvement

In-Process SCM Checklist Checklist Item 1. Are there defined SCM policies and/or standards associated with this process and are they adequate to meet the organization s defined objectives? 2. Are there defined SCM project plans associated with this process and are they adequate to meet defined policies and/or standards? 3. Are the procedures and/or work instructions for the processes adequate to implement defined policies, standards and/or plans? Suggestions for Evidence Gathering Techniques Perform a document review of the SCM policies and/or standards associated with the process being audited against the organization s defined objectives Interviews with key personnel to evaluate their knowledge of the connection between SCM policies and/or standards and organizational objectives. Perform a document review of the SCM plans associated with the process being audited to evaluate adequacy against SCM policies and/or standards Interviews with key personnel to evaluate their knowledge of the connection between SCM plans and SCM policies and/or standards. Perform a document review of the SCM plans associated with the process being audited to evaluate adequacy against SCM policies, standards and/or plans.

In-Process SCM Checklist (cont.) Checklist Item 4. Does each person performing SCM tasks associated with the process have access to applicable procedures or work instructions? 5. Are the procedures or work instructions up-to-date (latest revision)? Suggestions for Evidence Gathering Techniques Interview a sample of personnel performing tasks to evaluate their knowledge of the existence, availability and content of the applicable procedures or work instructions. Check revision numbers of the copies of procedures and work instructions in use by personnel and compare those against current baseline revisions, as interviews are conducted for checklist item 4. 6. Were the entry criteria to the SCM process verified before that process began? Interview a sample of personnel performing tasks to determine what entry criteria were used and how they determined that those entry criteria were met before initiation the process and evaluate their answers against process requirements. Examine a sample quality records (e.g., completed entry criteria checklists) if applicable.

In-Process SCM Checklist (cont.) Checklist Item 7. Does each person performing SCM tasks have the appropriate education, training, skills & experience? 8. Does everyone performing SCM tasks comply with the policies, standards, plans, procedures and work instructions? Suggestions for Evidence Gathering Techniques Interview a sample of personnel performing tasks to determine their knowledge/skill level or to ask about training received and evaluate their answers against process requirements. Observe tasks being performed to ensure that they are being performed as specified. Examine a sample quality records (e.g., completed checklists, data records, minutes, reports) for compliance to specification. Interview a sample of personnel performing tasks to determine how they think activities are being performed and evaluate their answers against process requirements. Observe tasks being performed to ensure that they are being performed as specified. Examine a sample quality records (e.g., completed checklists, data records, minutes, reports) for compliance to specification.

In-Process SCM Checklist (cont.) Checklist Item 9. Are the environment, infrastructure and tools utilized during the SCM tasks adequate to achieve conformity with the policies, standards, plans, procedures and work instructions 10. Were the exit criteria from the SCM process verified before that process was considered complete? Suggestions for Evidence Gathering Techniques Interview a sample of personnel performing tasks to determine adequacy of environment, infrastructure and tools. Observe tasks being performed to ensure that the environment, infrastructure and tools are adequate. Interview a sample of personnel performing tasks to determine what exit criteria were used and how they determined that those exit criteria were met before completing the process and evaluate their answers against process requirements. Examine a sample quality records (e.g., completed exit criteria checklists, minutes, reports) if applicable.

In-Process SCM Checklist (cont.) Checklist Item 11. Are nonconformities/defects appropriately reported and tracked to closure? 12. Are the appropriate records being kept? Suggestions for Evidence Gathering Techniques Interview a sample of personnel performing tasks to determine how nonconformities/defects are reported and tracked to closure and evaluate their answers against process requirements. Examine a sample of quality records (e.g., nonconformance reports, corrective action reports, defect reports) if applicable. Examination of the existence of required quality records and their storage and retention. 13. Were SCM processes effective. Look for evidence of escapes from the SCM processes (e.g., unauthorized changes, CIs that were not baselined appropriately, inability to recreate builds, lost intellectual capital and so on).

Questions?

Contact Information Linda Westfall 3000 Custer Road Suite 270, PMB 101 Plano, TX 75075-4499 phone: (972) 867-1172 email: lwestfall@westfallteam.com www.westfallteam.com

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback