International Organization for Standardization: ISO 10006:2003(E)

When duration estimation involves significant uncertainty, the risks should be evaluated, documented and mitigated. Allowance for remaining risks should be incorporated into the estimates.

When required or appropriate, the customer or other interested parties should be involved in duration estimation.

Schedule development

Input data for schedule development should be identified and checked for conformity to specific project conditions. Activities with long lead times or long durations should be taken into account when determining the critical path. The critical path (the longest duration path through the network) activities require explicit identification.

Standardized schedule formats, suitable for the different user needs, should be implemented.

The relationships of duration estimates to activity dependencies should be checked for consistency. Any inconsistencies found should be resolved before schedules are finalized and issued. The schedules should identify critical and near-critical activities.

The schedule should identify events that require specific inputs or decisions, or ones at which major outputs are planned. These are sometimes referred to as "key events" or "milestones". Progress evaluations should be included in the schedule.

The customer and other interested parties should be kept informed during the development of the schedule and be involved in the development of the schedule when required. External inputs (e.g. customer-dependent inputs expected during the project) should be analysed and taken into account in the schedule.

Appropriate schedules should be supplied to the customer and other interested parties for information or, if required, for approval.

Schedule control

The project organization should carry out regular reviews of the project schedule, as defined in the project management plan. To ensure adequate control over project activities, processes and related information, the timing of schedule reviews and the frequency of data collection should be established.

Project progress should be analysed in order to identify trends and possible uncertainties in the work remaining in the project. (See 7.7 for a description of "uncertainties".) Up-to-date schedules should be used in progress evaluations and meetings. Deviations from the schedule should be identified, analysed and, if significant, acted upon.

Root causes for variances from schedule, both favourable and unfavourable, should be identified. Action should be taken to ensure that unfavourable variances do not affect project objectives. Causes of both favourable and unfavourable variances should be used to provide data as a basis for continual improvement (see Clause 8).

Possible impacts of schedule changes on the budget and resources of the project and on the quality of the product should be determined. Decisions on actions to be taken should only be made based on facts after taking into account their implications for other project processes and objectives. Changes that affect the project objectives should be agreed with the customer and relevant interested parties before implementation.

When action is required to take account of variances, the personnel involved and their roles should be identified. Revisions of the schedule should be coordinated with other project processes when developing the plan for the remaining work.

External inputs (e.g. customer-dependent inputs expected during the project) should be monitored. The customer and other interested parties should be kept informed of any proposed changes to the schedule and should be involved in making decisions that affect them.

Cost-related processes 7.5.1 General

The cost-related processes aim to forecast and manage the project costs. This should ensure that the project is completed within budget constraints, and that cost information can be provided to the originating organization.

The cost-related processes (see Annex A) are

cost estimation,

budgeting, and

cost control.

NOTE For further guidance on the economic effects of quality management, see ISO/TR 10014.

Cost estimation

All project costs should be clearly identified (e.g. cost of activities, overheads, goods and services). Cost estimation should consider relevant sources of information and should be linked to the project's breakdown structures (see 7.3.4). Cost estimates from past experience should be verified for accuracy and applicability to present project conditions. The costs should be documented and traceable to their origins.

Particular attention should be given to budgeting sufficient funds for the establishment, implementation and maintenance of the project quality management system.

Cost estimation should take into account present and forecast trends in the economic environment (e.g. inflation, taxation and exchange rates).

When cost estimation involves significant uncertainties, these uncertainties should be identified, evaluated, documented and acted upon (see 7.7.2). Allowance for remaining uncertainties, sometimes called contingencies, should be incorporated in the estimates.

The cost estimates should be in a form that enables budgets to be established and developed in accordance with approved accounting procedures as well as project organization needs.

Budgeting

The project budget should be based on the cost estimates and schedules with a defined procedure for its acceptance.

The budget should be consistent with the project objectives and any assumptions, uncertainties and contingencies should be identified and documented. The budget should include all authorized costs and should be in a form suitable for project cost control.

Cost control

Prior to any expenditure, a cost control system and associated procedures should be established, documented and communicated to those responsible for authorizing work or expenditure.

The timing of reviews and the frequency of data collection and forecasts should be established. This ensures adequate control over project activities and related information. The project organization should verify that the remaining work can be carried out to completion within the remaining budget. Any deviation from the budget should be identified and, if exceeding defined limits, the variance should be analysed and acted upon.

Project cost trends should be analysed, using techniques such as "earned value analysis". The plan for the remaining work should be reviewed to identify uncertainties.

Root causes for variances to budget, both favourable and unfavourable, should be identified. Action should be taken to ensure that unfavourable variances do not affect project objectives. Causes of both favourable and unfavourable variances should be used to provide data as a basis for continual improvement (see Clause 8).

Decisions on actions to be taken should only be made based on facts, after taking into account the implications for other project processes and objectives. Changes in the cost of the project should be appropriately approved and authorized prior to expenditure. Revisions of the budget forecast should be coordinated with other project processes when developing the plan for remaining work.

The information needed to ensure the timely release of funds should be made available and provided as input to the resource control process.

The project organization should carry out regular reviews of the project costs, as defined in the project management plan, and take into account any other financial reviews (e.g. external reviews by relevant interested parties).

Communication-related processes

General

The communication-related processes aim to facilitate the exchange of information necessary for the project.

They ensure timely and appropriate generation, collection, dissemination, storage and ultimate disposition of project information.

The communication-related processes (see Annex A) are

communication planning,

information management, and

communication control.

NOTE Further information is available in ISO 9004:2000, 5.5.3 (internal communication) and 7.2 (processes related to interested parties).

Communication planning

The originating and project organizations should ensure that appropriate communication processes are established for the project, and that communication takes place regarding the effectiveness and efficiency of the quality management system.

Communication planning should take into account the needs of the originating organization, project organization, customers and other interested parties, and should result in a documented communication plan.

This communication plan should define the information that will be formally communicated, the media used to transmit it and the frequency of communication. The requirements for the purpose, frequency, timing and records of meetings should be defined in the communication plan.

The format, language and structure of project documents and records should be planned to ensure compatibility. The communication plan should define the information management system (see 7.6.3), identify who will send and receive information, and should reference the relevant document control, record control and security procedures. The format for progress evaluation reports should be designed to highlight deviations from the project management plan.

NOTE For additional guidance on the control of documents and records, see ISO 9004:2000, 4.2.

Information management

The project organization should identify its information needs and should establish a documented information management system.

The project organization should also identify internal and external sources of information. The way in which information is managed should take into consideration the needs of both the project and originating organizations.

In order to manage the project's information, procedures defining the controls for information preparation, collection, identification, classification, updating, distribution, filing, storage, protection, retrieval, retention time and disposition should be established.

Recorded information should indicate conditions prevailing at the time the activity was recorded. This will allow the validity and relevance of the information to be verified before use in other projects.

The project organization should ensure appropriate security of information, taking into account confidentiality, availability and integrity of information.

Information should be relevant to the needs of the recipients, and should be clearly presented and distributed with strict adherence to time schedules.

All agreements, including informal ones, affecting the project performance should be formally documented. Rules and guidelines for meetings should be established and should be appropriate to the type of meeting.

Meeting agenda should be distributed in advance and should identify for each item the personnel whose attendance is required.

Minutes of meetings should include details of the decisions made, the outstanding issues and the agreed actions (including due dates and the personnel assigned to carry them out). The minutes should be distributed to relevant interested parties within an agreed time.

The project organization should use the data, information and knowledge to set and meet its objectives. The managers of the project organization and originating organization should evaluate the benefits derived from the use of the information in order to improve the management of information (see Clause 8).

NOTE An information management system need only be as complex as the project requires. 7.6.4 Communication control

The communication system should be planned and implemented. It should be controlled, monitored and reviewed to ensure that it continues to meet the needs of the project. Particular attention should be given to interfaces between functions and organizations where misunderstandings and conflicts may occur.

Risk-related processes

General

Commonly "risk" has only been considered as a negative aspect. "Uncertainty", which is a more modern concept, has always included both negative and positive aspects. Positive aspects are usually referred to as "opportunities".

The term "risk" is used in this International Standard in the same sense as "uncertainty", i.e. having both negative and positive aspects.

The management of project risks deals with uncertainties throughout the project. This requires a structured approach that should be documented in a risk management plan. The risk-related processes aim to minimize the impact of potential negative events and to take full advantage of opportunities for improvement.

Uncertainties are also related either to the project processes or to the project's product. The risk-related processes (see Annex A) are risk identification,

risk assessment,

risk treatment, and

risk control.

Risk identification

Risk identification should be performed at the initiation of the project, at progress evaluations and other occasions when significant decisions are made. Experience and historical data from previous projects maintained by the originating organization (see 8.3.1) should be used for this purpose. The output of this process should be recorded in a risk management plan, which should be incorporated or referenced in the project management plan.

Potential risks arising from activity-, process- and product-related interactions between the project organization, the originating organization and interested parties should be identified and recorded.

Risk identification should consider not only risks in cost, time and product, but also risks in areas such as product quality, security, dependability, professional liability, information technology, safety, health and environment. This identification should take into account any applicable current and anticipated statutory or regulatory requirements. The interactions between different risks should be considered. The risks resulting from new technologies and developments should also be identified.

Any identified risk with significant impact should be documented and a person should be assigned with the responsibility, authority and resources for managing that risk.

Risk assessment

Risk assessment is the process of analysing and evaluating identified risks to the project processes and to the project's product.

All identified risks should be assessed. In this assessment, experience and historical data from previous projects should be taken into account.

The criteria and techniques to be used in the assessment should be evaluated. A qualitative analysis should be made and a quantitative analysis should follow wherever possible.

NOTE There are various qualitative and quantitative methods of risk assessment available for performing such analyses. These are generally based on assessing the probability of occurrence and the impact of identified risks.

Levels of risk acceptable for the project, and the means to determine when agreed-to levels of risk are exceeded, should be identified.

The results of all analyses and evaluations should be recorded and communicated to relevant personnel.

Risk treatment

Solutions to eliminate, mitigate, transfer, share or accept risks, and plans to take advantage of opportunities should preferably be based on known technologies or data from past experience. Consciously accepted risks should be identified and the reasons for accepting them recorded.

When a solution to an identified risk is proposed, it should be verified that there will be no undesirable effects or new risks introduced by its implementation, and that the resulting residual risk is addressed.

When contingencies to manage risks are made in the time schedule or in the budget, they should be identified and maintained separately.

Special attention should be given to developing solutions for potential risks arising from activity-, process- and product-related interactions between the project organization, the originating organization and interested parties.

Risk control

Throughout the project, risks should be monitored and controlled by an iterative process of risk identification, risk assessment and risk treatment.

The project should be managed by taking into account that there are always risks. Personnel should be encouraged to anticipate and identify risks and report them to the project organization.

Risk management plans should be maintained ready for use.

Reports on project risk monitoring should be part of progress evaluations.

Purchasing-related processes

General

The purchasing-related processes deal with obtaining products for the project. The purchasing-related processes are

purchasing planning and control,

documentation of purchasing requirements,

supplier evaluation,subcontracting, andcontract control.

NOTE 1 The terms "purchase", "acquisition" or "procurement" are also often used in this context.

NOTE 2 As noted in ISO 9000:2000, 3.4.2, the term "product" refers to both tangible and intangible product.

NOTE 3 Guidance on purchasing products, in addition to that given below, can be found in ISO 9004:2000, 7.4.

For the purposes of this International Standard, and for reference to ISO 9004:2000, in this clause the "organization" is the "project organization", and "suppliers" supply products to the project organization.

Purchasing planning and control

A purchasing plan should be prepared in which the products to be obtained are identified and scheduled, taking note of product requirements including specification, time and cost.

All products that are input to the project should be subjected to the same levels of purchasing controls, regardless of whether they are obtained from external suppliers or from the originating organization (i.e. "in-house"). External products are normally obtained by contract. "In-house" products can be obtained using internal acquisition procedures and controls. For "in-house" products, some of the purchasing controls described below may be simplified.

Purchasing should be planned so that the interfaces and interactions with suppliers can be managed by the project organization.

Adequate time should be allocated to complete the activities in the purchasing-related processes. Previous experience of supplier performance should be used to plan for potential problems, such as the delivery of items with long delivery times.

To provide adequate purchasing control, the project organization should carry out regular reviews of the purchasing progress, which should be compared to the purchasing plan and action taken if needed. The results of the reviews should be input into progress evaluations.

Documentation of purchasing requirements

Purchasing documents should identify the product, its characteristics, appropriate quality management system requirements, and associated documentation. They should also include purchasing responsibility, cost and delivery dates for the product, requirements for auditing (when necessary), and right of access to supplier premises. It should be ensured that customer requirements are taken into account in the purchasing documents.

Tendering documents (e.g. "Requests for Quotation") should be structured to facilitate comparable and complete responses from potential suppliers.

Purchasing documents should be reviewed before distribution, to verify that all product-related requirements, and other aspects (such as purchasing responsibility) are completely specified.

NOTE For further information, see ISO 9004:2000, 7.4.1.

Supplier evaluation

Suppliers to the project should be evaluated. An evaluation should consider all the aspects of a supplier that may impact on the project, such as technical experience, production capability, delivery times, quality management system and financial stability.

A register of approved suppliers should be maintained by the project organization. A register may also be maintained by the originating organization and be communicated to the project organization, where applicable.

NOTE For further guidance on supplier evaluation, see ISO 9004:2000, 7.4.2 and 8.4

Contracting

There should be a process for the project organization to contract with suppliers to the project. It should include communication of the projects' quality management system requirements and, where applicable, the quality policy and quality objectives to the supplier.

In tender evaluations, all deviations from the specification in a supplier proposal should be identified and taken into account in the evaluation. Deviations from the specification, and recommendations for improvement, should be approved by the same functions that carried out the original review and approval of the specification.

Cost evaluation of tenders should be based not only on the price from suppliers, but also on other associated costs such as cost of operation, maintenance, license fees, transport, insurance, customs duty, exchange rate variation, inspection, audits and resolution of deviations.

The contract documents should be reviewed to ensure that they include the results of any pre-contract negotiation with the supplier.

Before contracting for the supply of product, the supplier's quality management system should be evaluated.

Contract control

Contract control starts at the placing of the contract, or at the time of an agreement in principle to award the contract, such as a letter of intent. A system should be implemented to ensure that the contract conditions, including due dates and records, are met.

Contract control should include the establishment of appropriate contractual relationships and the integration of the outputs from these relationships into the overall management of the project.

Supplier performance should be monitored to ensure that it meets contract conditions. The results of monitoring should be fed back to suppliers and any actions agreed.

Prior to contract closure, it should be verified that all contract conditions have been met and that feedback on supplier performance has been obtained to update the register of approved suppliers.

Measurement, analysis and improvement 8.1 Improvement-related processes

This clause provides guidance on how the originating organization and project organization should learn from projects.

Both should use the results of measurement and of the analysis of data from the project processes and apply corrective action, preventive action and loss prevention methods (see ISO 9004:2000, 8.5) to enable continual improvement in both current and future projects.

The improvement-related processes are

measurement and analysis, and

corrective action, preventive action and loss prevention.

Measurement and analysis

The originating organization needs to ensure that measurement, collection and validation of data are effective and efficient, to improve the organization's performance and enhance the satisfaction of the customer and other interested parties.

Examples of measurement of performance include the evaluation of individual activities and processes, auditing,

evaluations of actual resources used, together with cost and time, compared to the original estimates, product evaluations, the evaluation of supplier performance, the achievement of project objectives, and

-- the satisfaction of customers and other interested parties.NOTE For further information, see ISO 9004:2000, Clause 8.

The project organization's management should ensure that records of nonconformities and the disposition of the nonconformities, in the project's product and processes, are analysed to assist learning and to provide data for improvement. The project organization, in conjunction with the customer, should decide which nonconformities should be recorded and which corrective actions controlled.

Continual improvement

Continual improvement by the originating organization

The originating organization should define the information it needs to learn from projects and should establish a system for identifying, collecting, storing, updating and retrieving information from projects.

The originating organization should ensure that the information management system for its projects is designed to identify and collect relevant information from the projects, in order to improve the project management processes.

The originating organization should maintain a list of all significant risks identified by its projects.

The originating organization should ensure that relevant information is used by other projects that it originates.

The relevant information needed to learn from projects is derived from information contained within the project, including feedback from customers and other interested parties. Information is also derived from other sources such as project logs, appropriate closure reports, claims, audit results, analysis of data, corrective and preventive actions, and project reviews. Before using this information, its validity should be verified by the originating organization.

Just prior to closing the project, the originating organization should carry out documented reviews of project performance, highlighting experience from the project that can be used by other projects. The project management plan should be used as the framework for conducting the review. If possible, these reviews should involve the customers and other relevant interested parties.

NOTE For long-term projects, interim reviews should be considered to collect information more effectively, and allow for timely improvements.

Continual improvement by the project organization

The project organization should design the project's information management system to implement the requirements specified for learning from the project by the originating organization.

The project organization should ensure that the information it provides to the originating organization is accurate and complete.

The project organization should implement improvements using information relevant to the project derived from the above-mentioned system, established by the originating organization.

Bibliography

1. ISO 9001:2000, Quality management systems -- Requirements.

2. ISO 10005:1995, Quality management -- Guidelines for quality plans.

3. ISO 10007:2003, Quality management systems -- Guidelines for configuration management.

4. ISO/TR 10013:2001, Guidelines for quality management system documentation.

5. ISO/TR 10014:1998, Guidelines for managing the economics of quality.

6. ISO 10015:1999, Quality management -- Guidelines for training.

7. ISO/TR 10017:2003, Guidance on statistical techniques for ISO 9001:2000.

8. ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing.

9. ISO/IEC 12207:1995, Information technology -- Software life cycle processes

10. ISO/IEC 170001), Conformity assessment -- General vocabulary.

11. ISO/IEC Guide 73:2002, Risk management -- Vocabulary -- Guidelines for use in standards.

12. EC 60300-3-3:1996, Dependability management -- Part 3: Application guide -- Section 3: Life cycle costing.

13. IEC 60300-3-9:1995, Dependability management -- Part 3: Application guide -- Section 9: Risk analysis of technological systems.

14. IEC 62198:2001, Project risk management -- Application guidelines.