Configuration Management Plans for Aerospace & Defense Suppliers

In CMstat’s recent post “Configuration Management Across Multi-Site Multi-National Aerospace & Defense Suppliers” we examined some of the challenges that A&D contractors have when implementing Configuration Management (CM).

One recurring obstacle identified was the expectation by some managers, who are not CM experts and don’t want to become one, that having a plan for implementing CM, perhaps as part of a PLM/PDM roadmap, was the same as having a CM Plan. It is not. This is especially true for A&D contractors with multiple sites, often acquired through mergers that serve different OEM customers, who seek to unify their operations to find all those efficiencies promised to their investors.

For Tier 1 or 2 suppliers with globally dispersed engineering and manufacturing sites, it is not uncommon that each location will have their own individual CM Plan, or perhaps one for each contract with an OEM. Or alternatively, they will have a rationalization for not having produced one at all by claiming CM is adequately addressed in some other plan, such as for quality assurance.

However, a collection of independently-produced CM Plans accommodating the requirements of each site or contract rarely results in a harmonized CM strategy and plan that addresses the larger needs and risks of the enterprise as a whole, including all the future business uncertainties, while leveraging its core strengths which they sell to their customers.

As a result, a valid question that CMstat often hears is how can one develop a comprehensive unambiguous CM Plan that has enough specificity to be immediately adopted and executed by all stakeholders and contracts across a global supply chain without it being so vague or malleable it is largely meaningless and can be ignored all together.

A second question that usually follows is what makes a CM Plan, developed with substantial effort to serve all stakeholders, sufficiently robust and resilient to not only survive but evolve into the future without it being discarded when there are inevitable business changes. This is especially relevant as customers, programs, contracts, requirements, products, production sites, processes, technologies, software tools and people all change with increasing velocity and added complexity.

Given all the constantly moving parts and the pace of change across a global A&D supply network, is a comprehensive CM strategy and plan even feasible? Or must a new plan be developed every few years for each site or each contract, then reconciled with all the others to produce at least the illusion of a cohesive CM strategy?

Let’s start to answer those questions by revisiting all that goes into a CM Plan as a basis to explore what elements are different or more important for global A&D suppliers. Specifically, we will address the following questions:

• What is a Configuration Management Plan?

• Why should a CM Plan be important to managers?

• Why are CM Plans so important for the A&D industry including supply chain?

• What can be found in a CM Plan?

• Who uses a CM Plan?

• Who should develop and approve the CM Plan?

• What are common mistakes in the development or application of a CM Plan?

• How to assess an effective CM Plan?

• How does CMstat help with development, review, updating, and implementation of a CM Plan?

Apologies to those CM-expert readers who have been paying attention to our numerous posts about CM Plans over the years and may find some of this material redundant.

What is a Configuration Management Plan?

The planning and implementation of configuration management must start with a well-conceived formal Configuration Management Plan, often abbreviated as CM Plan or CMP. The CM Plan should address a number of elements important in the development, implementation, interoperability, usage, maintenance and evolution of an organization’s configuration management goals, vision, strategy, processes, best practices, desired competencies and supporting technologies including software.

The CM Plan describes not only how the CM-related processes for a particular site, product, project, or program contract will be implemented, but also how they should be used and maintained throughout the lifecycle of that product or program which can last many years. The Plan thus provides a living roadmap for all the product configuration information to be captured and managed, how to acquire or migrate data, then how to govern, share, secure and archive that data, including legacy sources, throughout the entire lifecycle of a product or program and beyond as specified in data retention mandates.

It’s important to note that a CM Plan is not the same as a Quality Management Plan, Compliance Plan, Data Management Plan, Asset Management / Sustainment Plan or PLM Deployment Plan. It is not uncommon that CM considerations are included in these other plans, but doing so in a few pages of content is rarely sufficient to fully cover all the topics required for an effective implementation. Read on to find out why.

Why should a CM Plan be important to managers?

A CM Plan has become a necessity, and no longer optional, for all the same reasons that CM is increasingly important. The complexity of products, the increased need for and types of digital product information, embedded technologies, permutations of variants, longer use lifecycles, number of design/build suppliers, reuse/recycling considerations, and consequences of performance failures are just a few of the factors which have elevated the importance of CM from engineering managers to the executive offices. The explosion in digital data sources from not only the design and manufacturing of a product, but through its installation, use, repair and sustainment including uses in digital twins has also expanded the role of a CM Plan.

In past decades without all these physical and digital complexities, it was not unreasonable that simple change control or even document version control procedures would suffice as a rudimentary form of practicing CM. As we have written about HERE, effective configuration management is much more than simple change control. As a result, documenting change processes, maintaining spreadsheets, or having a Change Control Board is simply no longer a substitute for all that a formal CM Plan prescribes.

Furthermore, almost every product performance failure or engineering disaster, except those arising from natural causes or operator error, can ultimately be traced to at least one CM issue. Failures in CM have occurred in every industry and are often splashed across the news headlines worldwide when things go wrong as in the 2010 Deepwater Horizon accident. In that case a lack of configuration change controlled engineering documentation, equipment operation procedures and maintenance record distribution between designers, owners, operators, and service personnel was identified as a contributing cause to the accident. A number of other examples with analysis of CM failures can be found discussed in Chapter 11 of “Configuration Management Theory and Applications for Engineers, Managers, and Practitioners” by Jon Quigley and Kim Robertson.

The CM Plan, or lack of one, is typically the first item that program auditors or accident investigators will examine when they evaluate the sufficiency of a firm’s CM implementation, as well as when seeking contributing factors to a product malfunction or system failure. The lack of a diligently obeyed and rigorously maintained CM Plan can be seen as an act of negligence.

Why are CM Plans important for the A&D industry including its supply chain?

For the aerospace & defense industry, the CM Plan defines how an organization will establish and fulfill the program management, systems engineering and other mission requirements specified in the supplier’s contract throughout the life of the program’s Configuration Items (CIs). This includes the practice of “As-X CM” over the extended lifecycle of a deployed asset, equipment, system, or platform. This use case of CM after the product ships or is installed becomes more important than that of engineering-centric CM during product development and manufacturing.

In A&D it is well known that each delivered “product” by serial or lot number will eventually have its own unique configuration of replacement parts, maintenance history, service records, substitutions, engineering waivers, discrepancies, and accompanying compliance, test and service records. As a result, any CM Plan created and used by the OEM’s product engineering team is rarely satisfactory for use by suppliers or service providers after the product leaves manufacturing.

For A&D suppliers, the scope of a CM Plan is far greater than delivery of required data defined in the Contract Data Requirements List (CDRL), Mission Assurance Requirements (MAR) or the Statement of Work (SOW). It extends to requirements specified in the terms and conditions and general provisions of the contract, as well as those identified in requirements and mission assurance specifications.

It is important for the new A&D program manager, contract manager, logistics manager or engineering services lead to insist that the CM Plan scope be defined during the bid and proposal phase, not afterwards, and that there are sufficient resources and budget planned to maintain it throughout the milestone phases of CIs. A well-constructed CM Plan will assure an integrated infrastructure and appropriate traceability is in place, so it is possible to ascertain the configuration of each CI delivered as it proceeds from the As-Designed configuration through As-Built production, As-Tested validation, As-Delivered customer acceptance, and As-Maintained servicing, repair, and refurbishment.

The final challenge for A&D suppliers is to derive an Enterprise CM Plan structure so that it can be adopted, extended, and matured across the organization regardless of a particular site’s location, customers, contract, or deliverables. There are special considerations for A&D OEMs and their partners with multiple engineering, manufacturing, or service sites scattered across the globe that make both the implementation of CM and development of a CM plan far more challenging. These include:

• Coordination and communication is more crucial for multi-site environments where protocols must be planned for and facilitated across all functions in a way that respects cultural business norms.

• Data exchange across borders will pose challenges as ITAR restrictions, data elements and crucial relationships must be defined and interface standards must be specified that each site understands.

• Locality of subcontractors may necessitate different BOM elements, manufacturing processes, procurement details, all that must be verified to satisfy the set of requirements.

• Regulations and compliance will affect what sources and materials are legal for use, which may affect how the product is produced, configured, and commissioned.

• Product configuration data, processes, and components that are shared between sites will almost always be different in their origin.

• Software used for PLM, PDM, CM, and DM functions will almost always vary across sites. The CM Plan should be written in a way that accommodates a heterogenous architecture of constantly changing solutions.

• The process of change impact analysis is unwieldy enough within the same organization and even more so to perform a what-if analysis of a proposed change that extends across a multi-tiered international supply chain. No one office ends up with a complete view of a proposed change as has been written about by CM specialist Martijn Dullaart in his blog The Future of CM.

These are just a few of the numerous issues that CMstat consultants discuss with our clients who work across multiple sites of their own or customers. Other considerations can be found in CMstat’s “A Configuration Management Guide for A&D Project Managers.”

What can be found in a CM Plan?

A configuration management plan should address the responsibilities, procedures, activities, and oversight necessary to support the five foundational functions of CM: configuration planning, configuration identification, status accounting, change control, and verification and audits. Within the CM Plan, configuration planning defines how and where configuration management activities fit into the organization and its processes.

Specific details addressed in a Configuration Management Plan should include: identification of the applicability of the plan along with purpose and goals, the project plan and milestones (lifecycle definitions), organizational authority, role responsibilities, key definitions, requirements specification, configuration identification, configuration items, baseline control policy, change control, configuration reporting, configuration status accounting, process automation and improvement, performance metrics, standards support, training, subcontractor and vendor oversight, functional interfaces system interoperability and integrations, and data management integrity, retention, and security.

The CM Plan should define how and at what level Configuration Identification is to take place for all data types, the product itself, including specific lot or serial number requirements, and the metadata fields associated with them. It is well known that Configuration Identification evolves over the life of a program and may greatly expand in scope once all hardware or software CIs and Baselines are defined, approach deployment, and as logistic needs for maintenance are established. The plan should allow for these changes.

A CM Plan should define Change Control Classification (minor, major, or critical) levels and stipulate the Change Control Board (CCB). This includes specification of its structure, membership, responsibility of each participant, interdepartmental procedures, and approval authority for each classification. Change control should also include processes for how change proposals, change requests and change notices are handled as well as deviations, variances and waivers.

Configuration Status Accounting activities must be clearly addressed in the CM Plan. This includes the recording, reporting, and metrics pertaining to change states and status, change requests, change notices, and the impact of approved changes to releases of design data, documentation, red-lining, analysis, reports, procedures, etc. associated with each item under configuration control as well as the date the change is incorporated in each affected effectivity.

A CM Plan must define Verification and Audit of the product as well as its components. This includes verification and validation of the CIs against functional baseline requirements and sufficiency of functional requirements allocation to subsystems and components. In-process Functional Configuration Audits (FCA) as well as formal Physical Configuration Audit (PCA) criteria are defined against contractual requirements as are criteria for acceptance, delivery, maintenance and final disposition. (Learn more about CM audits HERE.)

Lastly, a good CM Plan is not stagnant; it should evolve and strengthen over time during each of the product or program lifecycle phases. It is not unusual to find CM Plan updates occurring at each milestone if the program or system is particularly long or complex. This is especially true when there are multiple subcontractors, vendors, and customers participating in any of the stages. CM Plan resources, definitions, metrics, reference libraries, data access, data management and data retention policies, along with data backup and recovery processes must be secured and preserved across all of the phases and participants.

Who uses a CM Plan?

The CM Plan is a critical component of a site or program manager’s tool chest assuring an integrated strategy and operating standards are deployed across all organizational functions. The long winding digital thread of the CM Plan flows through many groups including: Systems Design and Engineering, Requirements Planning, Safety, Quality Assurance, Supply Chain Management, Production, Assembly, Test, Compliance, Logistics, Acceptance, Delivery, Support, Maintenance and Disposition.

Nearly everyone in a manufacturer operates on or performs some element of Configuration Management whether they know it or not! A single Configuration Manager or even their entire team can neither do it all nor manage it all. An analogy is that each department in a company or function of a program is a section in an orchestra and the Program Manager is the conductor while the Lead Systems Engineer is the concertmaster, all playing in harmony to the CM Plan score.

As a result, the CM Plan should be accessible and usable by stakeholders across the organization. The best CM Plans are not written as a document for just the CM team or its manager to reference!

Who should develop and approve the CM Plan?

While constructing a CM Plan is a team effort, the CM Plan effort should be led by someone who:

• Has been trained to the SAE/EIA-649 Standard as a Certified Configuration Manager and has experience implementing CM.

• Can independently without bias or prejudice examine the company’s products, processes, customer requirements, and business culture.

• Possesses the skills to collaborate, communicate and lead across organizational and international boundaries.

• Has the experience to provide Configuration Management principles education and training for personnel at different functional levels.

It is not always necessary that the CM Plan be developed and the effort be led by an internal company employee. Often, an expert external CM consultant who guides the process can operate more effectively across organizational boundaries. This is especially true in helping the entire company to realize that no one single employee, department, or product manager can perform the CM function as there are important roles and responsibilities to be enacted by nearly all.

The CM Plan should be reviewed, then approved, and finally accepted by all the managers whose organizations create, manage, consume, distribute, touch, revise, secure, or repurpose configuration-related data. This list is often lengthy for the very good reason that effective configuration control is not the function of a single CM manager or CM group, but that of the entire company.

These managers may include Product Engineering, Project Management, Program Management, Manufacturing, Product Marketing, Tech Sales, Quality Assurance, Compliance, Procurement, Logistics, Supply Chain, Customer Support, and Service. Furthermore, the CM Plan should clearly state each manager’s responsibilities and authority relative to CM processes.

Finally, an executive at the Vice President or CXO level must put his or her signature on the plan to impart management confidence in it and signify that it is aligned with business policies and priorities of the organization. Admittedly, in business norms of yesteryear this was rarely done when executives thought of CM as a function buried inside of engineering, instead of enterprise quality management imperative.

What are common mistakes in the development or application of a CM Plan?

A common mistake in configuration management planning is thinking that if your organization has implemented PDM software with change control capabilities, or even uses an industry-focused CM solution like CMstat’s EPOCH CM, then you must have a CM Plan. Deploying a general purpose PDM solution or even a CM tool does not guarantee there is a CM Plan. Strategy, requirements, and processes defined in the CM Plan must always take the lead and software tool evaluation, selection, and implementation should follow that lead.

Some managers may be lulled into thinking that once a CM Plan is written their organizations must surely be adhering to it. Or worse yet, that a CM Plan is good forever without regularly recurring reviews and updates led by management. Most large aerospace OEMs know that a CM Plan is a living document that needs to be updated to reflect all the changes and complexities which their businesses are experiencing. These include variations in their customers’ requirements, products manufactured, operating envelopes, processes used, contractors employed, workforce training, and service life expectancy.

Attempting to force-fit a canned generic template upon the unique needs of an enterprise, site, program or product line is also a mistake. While once an option, industry-agnostic CM Plans created from fill-in-the-blank templates are simply no longer adequate due to the increasing variations and complexity in products, processes, customer markets, supply chains, regulatory compliance, business goals, and company operating cultures.

Not having an honest assessment of the level of training, expertise, and competency of individual personnel who will be involved in the effort is another common mistake. This will result in the misidentification of the level of maturity an organization may have which influences where to start and the pace of continual improvements. Like many disciplines, CM is no longer a domain that someone can pick up from scratch as referenced in this previous CMsights post on the importance of training and certification. Thankfully several outstanding organizations exist which can provide this core education and training including CMPIC and IpX.

Industry standards and compliance regulations that can vary across borders cannot be neglected or dealt with at the end or only when there is an audit. A common omission is a CM Plan without planning for all of the elements noted in the principles of EIA-649 such as interface management, data management, required resources (IT and otherwise), supply chain management and more. Learn more about relevant CM and DM standards HERE.

Finally, as referenced in a previous post, for suppliers that operate across multiple nationalities, differences due to international cultures, even within the same corporate business culture, can never be taken for granted. These differences may include communication styles, conflict resolution, authority power dynamics, risk tolerance, uncertainty avoidance, and performance motivations. Cultural differences are submerged mines that can explode to the surface when there are inevitable mistakes, delays, or failures.

How to assess an effective CM Plan?

There are a number of questions which managers can ask to determine the efficacy of a CM Plan. Here are just a few example elements of a CM Plan that CMstat inspects in an initial review:

• Is there a comprehensive definition of CM-related terms, processes, and resources within the plan stated in a language that is understood across the enterprise at all levels?

• Who has organizational responsibility and authority for configuration management (CM) and data management (DM) activities?

• What internal, contractual and international standards are being used to assure a comprehensive CM implementation?

• Are Configuration Items (CIs) justifiable in their use, clearly identified including what criteria was used to select them, as well as what items are not CIs but are to still be under CM and DM control?

• Where does impact assessment of changes start and does it include the impact of not implementing the change as well as the impact and planning for change implementation? Is Change Implementation validated to ensure compliance with the implementation plan?

• Who are the change board members, stakeholders and their responsibilities? How are change control board requests made, scheduled and evaluated?

• How are change effectivities handled when changes are made to documentation versus to the product (e.g., parts, systems, installations, etc.)

• What are the internal and external data recovery plans, who are the contacts, and is it appropriate to the physical environment in which the business is located?

• Who provides oversight and governance of the overall process; is it distributed or concentrated and how are the internal and external interfaces identified and managed?

• Are metrics being used to improve and refine processes over time? What reports are created, which metrics are tracked, and what are the Key Performance Indicators they support?

The last item, performance metrics, is an all too often overlooked element in CM planning. The use of metrics will lead an organization in determining how best to monitor and update a CM Plan that stands the test of time. Acceptable metrics ranges should be identified and a plan of action for correcting conditions when measurements are out of line should be clearly stated and planned for. Learn more about the importance of metrics in this CMsights post.

How does CMstat help with the development, review, updating, or implementation of a CM Plan?

Certified Configuration and Data Management professionals from CMstat have developed the expertise and insights over decades of work with customers to create, review, update and improve upon a CM Plan. Yet, instead of operating as the expert brought in from afar, they collaborate with the customer’s team, working as an embedded peer-to-peer team member in a way that helps the customer participate and learn in the process while taking ownership of the final result.

CMstat offers four services to help our customers with reviewing, developing, updating, and auditing their Configuration Management Plans:

• Configuration Management Plan Review (CMPR) – An independent review of an existing CM Plan using a multi-faceted analysis to assess its thoroughness in addressing the five core functions of CM which are configuration planning, identification, status accounting, change control, and verification and audits.

• Configuration Management Plan Development (CMPD) – CMstat undertakes the discovery process to develop a custom CM Plan from start to finish that addresses the specific unique needs of an organization along with its products, processes, customers, and suppliers.

• Configuration Management Plan Update (CMPU) – Here we update or often “rescue” an older CM Plan to accommodate changes in requirements, products, processes, workforce, customers, suppliers, and risks (technical, financial, and regulatory) that have occurred since the original plan was prepared that risk making it obsolete.

• Configuration Management Plan Audit (CMPA) – A formal audit of configuration management procedures and processes to determine how well the CM Plan is actually being followed and supported across the organization and supply chain.

The most often requested service is the Configuration Management Plan Review where we independently evaluate an existing written plan using a substantial checklist of the most important items that every valid CM Plan must address. As part of the review our CM team will evaluate how realistic it is for the plan to be adhered to given the applicability and specificity of the details – where all the devils and gremlins are hiding. Additionally, they will expose if the CM Plan was based on a generic plan using a generic template written mostly to satisfy contract quality management or a regulatory compliance officer. If that is the case, it is likely that it will eventually fail the test of CM implementation adequacy.

We are often asked why an organization can’t perform a CM Plan review on its own, especially when they have well-trained experienced CM experts deeply entrenched in their team. The answer is…because they have well-trained experienced CM experts deeply entrenched in their team! A standard Quality Assurance practice requires audits to be done by personnel from outside the organization to ensure a non-biased review. A fresh set of eyes can more readily see areas where corporate history may be forcing processes to run a certain way even when they are no longer appropriate. This culture change may be more easily made by someone from outside.

Having the same internal organization or professionals review the plan who led in its creation is unwise for several reasons. The most important of which is if the team missed an important element in the development of the plan, they will still be unaware that it is absent in a review. A second reason is the occasional “stove-piping” of a CM implementation to appear to comply with contractual and statutory mandates using a one-size-fits-all CM plan template.

Learn more about CMstat’s consulting services HERE.

A final recommendation…

In CMstat’s experience, CM plans for an enterprise as in their CM implementations share one commonality: they are all the same in that they are all quite different for many valid different reasons!

For A&D suppliers, a comprehensive CM Plan should be constructed such that when implemented it can satisfy the needs of each program contract and production site. That does not mean there should be dozens of different CM Plan spinoffs as is an easy trap to fall into.

The best master CM Plans have inherent to them a structure with policies and processes for individual sites and products to apply and extend the plan to meet their unique needs without a rewrite. Admittedly, investing the time and resources to develop such a plan structure that has this level of maturity and robustness is not trivial, but neither are the costs and risks of failing to do so.

The painstaking process of defining the often-conflicting needs of each individual site or product in collaboration with the needs of the larger enterprise is what allows a strategic CM Plan, once developed, to survive into the future as a true corporate asset with a measurable ROI. Otherwise, the CM planning effort risks producing an overly simplified transactional plan that is discarded at the end of the contract where lessons learned, competencies developed, and processes matured are lost. A business expense with little ROI other than CYA.

We now ask our readers what elements of a CM Plan, or CM planning process, in their experience are most often overlooked or not understood? Let us know by leaving a comment below then follow the discussion on CMstat’s LinkedIn page.

To receive future news and posts about CM, subscribe to CMsights HERE.

Receive CMsights

Subscribe to CMsights News for the latest updates from CMstat on Configuration Management, Data Management, EPOCH CM, and EPOCH DM.

Request a Demo

See how EPOCH CM and EPOCH DM support industry standards and best practices in Configuration Management and Data Management.

Follow CMstat

Recent Posts

CMsight Topics