5.1.7 The project manager shall perform software configuration audits to determine the correct version of the configuration items and verify that they conform to the records that define them.
NPR 7150.2, NASA Software Engineering Requirements, does not include any notes for this requirement.
1.2 Applicability Across Classes
For software configuration, audits help ensure that configuration items (CIs) have been developed and completed in accordance with the documents and requirements that define them. Audits also help ensure that CIs achieve their performance and functional characteristics goals and that all associated operational and support documents are complete and meet their requirements. Audits also determine if all CIs that are supposed to be part of the baseline or release are actually in the baseline or release and are the correct version and revision.
Configuration audits provide checks to ensure that the planned product is the developed product.
There are two types of configuration audits: the Functional Configuration Audit (FCA) and the Physical Configuration Audit (PCA). Configuration audits are performed for all releases; however, audits of interim, internal releases may be less formal and rigorous, as defined by the project.
Per NASA/SP-2007-6105, Rev 1, NASA Systems Engineering Handbook
The PCA "(also known as a configuration inspection) examines the physical configuration of the configured product and verifies that the product corresponds to the build-to (or code-to) product baseline documentation previously approved at the CDR. PCAs will be conducted on both hardware and software configured
Audit plans, including goals, schedules, participants, contractor participation, and procedures are documented in the configuration management (CM) plan (see SCMP).
When planning audits, it is important to remember that audits are samplings, not a look at every record. It is also important to remember that auditors should not have any direct responsibility for the software products they audit.
The basic steps in an audit are:
The Department of Defense Configuration Management Guidance Handbook
The SMA (Safety and Mission Assurance) Technical Excellence Program (STEP) Level 2 Software Configuration Management and Data Management course taught by the Westfall Team
The STEP 2 course suggests that the following be included in a PCA
Additional audit topics to consider include:
NASA/SP-2007-6105, NASA Systems Engineering Handbook,
Consider the following options when deciding when to conduct audits:
NASA-specific configuration management information and resources are available in Software Processes Across NASA (SPAN), accessible to NASA users from the SPAN tab in this Handbook.
Additional guidance related to configuration audits may be found in the following related requirements in this Handbook:
4. Small Projects
For projects with limited personnel, consider sharing lead auditors or audit team members among projects. Another suggestion is for members of small projects to conduct configuration audits of other small projects.
6. Lessons Learned
A documented lesson from the NASA Lessons Learned database notes the following:
Mars Climate Orbiter Mishap Investigation Board - Phase I Report. Lesson Number 0641: Configuration audits are called out as one of several mitigations for the root cause of the Mars Climate Orbiter (MCO) mishap. One of the Recommendations states to "Conduct [a] software audit for specification compliance on all data transferred between JPL and [contractor]."