I just finished taking (and passing!) the IATF 16949 qualification test given by the IAOB. Lead Auditor qualification for this new specification is required prior to doing any upgrade audits.
Companies are required to upgrade to the new IATF 16949 (formerly TS 16949) by September 15, 2018.
This date aligns with the ISO 9001:2015 end date but does not provide as much time to upgrade since IATF 16949 was published several months later. You may know by now that IATF 16949 does not include the ISO 9001:2015 standard clauses but just references them. Therefore, to perform an audit or implement an IATF 16949 system, you need both documents as well as Rules 5th Edition.
In addition to adopting the high-level structure in ISO 9001:2015, IATF 16949 incorporates a number of new requirements. These new requirements include:
- Monitoring of safety-related parts and accessories
- Ensuring the traceability of products consistent with applicable regulations and standards
- Requirements for products with embedded software
- Implementation of a warranty management process
- Clarified requirements for sub-tier supplier management and development
- Requirements concerning corporate responsibility
Most of these requirements affect only tier 1 suppliers that ship finished parts directly to the OEMs. In addition, I would postulate that most of these requirements were already inherent in the previous specification, such as the transfer of requirements for product safety throughout the supply chain, traceability of products consistent with regulations and standards, and analysis of warranty data.
However, I would like to point out the following nuances of the new IATF 16949 that may raise a few eye brows in your organization.
1. Customer Specific Requirements (4.3.2) are communicated on customer purchase orders, supplier quality manuals, drawings and/or specifications. Make sure that you have identified all of the requirements, auditors have been trained on them and internal audits have audited all customer-specific requirements. If you previously had waivers, you will probably need new waivers, since supplier quality manuals have been updated and they were probably for ISO/TS requirements.
2. Product safety (18.104.22.168) should not be written off so quickly when considering its applicability and special characteristics. ‘Manufacturing processes’ is also listed. For example, be sure that the product safety requirements like ‘mercury free’ is listed on the material certifications and any product certificates. The escalation process must be defined.A sanctioned interpretation specifies that special product safety requirements may also be identified and approved internally by the organization.
A sanctioned interpretation specifies that special product safety requirements may also be identified and approved internally by the organization.
3. Corporate responsibility (22.214.171.124), which requires definition and implementation of polices for anti-bribery, employee code of conduct, and ethics escalation (‘whistle-blowing’) policy. Many smaller, family-owned companies do not have or need these types of policies.
4. Preventive action (126.96.36.199) is still required as the result of some type of a risk analysis. Keep your preventive action procedure, however additional triggers for the procedure may need to be updated. Also, please note the additional requirement (on the next page!) for utilizing lessons learned to prevent recurrence. Note the key words ‘lessons learned’ which makes this a little more formal than a ‘check box’ were other processes considered. These key words will need to be added to the procedure.
5. Contingency plans (188.8.131.52 e) that must be periodically tested for effectiveness. A requirement for service continuity for ISO 20000 and some financial institutions for business continuity plans.A sanctioned interpretation also specifies that the contingency plan must also consider cyber-attacks on information systems.
A sanctioned interpretation also specifies that the contingency plan must also consider cyber-attacks on information systems.
Also, make sure that the contingency plan (or a supplement) describes the notification process to the customer and any other interested parties, such as suppliers which might need to be contacted for a prolonged disruption.
6. Quality planning (184.108.40.206) now includes interested parties, so make sure this is an input and these parties are addressed in the business plan.
7. Plant, facility and equipment planning (220.127.116.11) assessments of manufacturing feasibility and evaluation of capacity planning shall be inputs into management reviews. This requirement may or may not be part of your existing management review depending on the metrics your organization has chosen.
8. Internal auditor competency (7.2.3) sanctioned interpretations relaxed the internal auditor competency requirements for manufacturing and product auditors.
9. Employee motivation and empowerment (7.3.2) shall maintain a documented process. While this was a prior requirement, the words ‘documented process(es)’ are now added.
10. Quality management system documentation (18.104.22.168) can be more than one document, but a list shall identify the documents that comprise the quality manual. While there is much hype that ISO 9001:2015 no longer requires a quality manual, IATF 16949 does require a quality manual whose structure and format is at the discretion of your organization.
A quality manual shall also include a document indicating where within the organization’s quality management system their customer-specific requirements are addressed. Note the new Sanctioned Interpretations changed the word matrix to ‘a table, a list or a matrix’.
I like to create a work instruction/procedure summarizing the customer-specific requirements that are not inherent in the ISO/IATF 16949 implementation, such as ISO 14001 certification. I added a reference to the process matrix (Rules 5th Edition Annex 1.1) in the quality manual or included the process matrix with a CSR column. Of course, the right answer is that CSRs are addressed in every process. However, they literally still want a list of customer specific requirements and the process(es) where the requirement is addressed. Matrix was expanded into a list through a sanctioned interpretation.
11. Special characteristics (22.214.171.124) – Please note that 126.96.36.199 says special characteristics are identified, ‘including by the customer and the risk analysis’. The definition of special characteristics includes ‘requirements or subsequent processing of product’. Hence, processing of product could mean that all characteristics are special (leaving nothing special!). You need to refer back to 188.8.131.52 where it says customer and risk analysis’. It might be appropriate to document that unless a characteristic is directly related to the final product characteristic, it isn’t special since it causes minimal risk. The intent is to develop some criteria to your risk analysis and provide evidence so everything is not a special characteristic.
12. Supplier selection process (184.108.40.206) requires an assessment of supplier’s risk. Requiring IATF compliance takes care of the ‘other selection criteria’ except for financial stability. Subsequently, you will want to reference your Accounting Department’s vetting process for adding new vendors.
13. The process for second party audits (220.127.116.11.1) is required to be defined even if you never plan on doing one. Most importantly, you must document the criteria for which you would do a second-party audit and also the type of audit you would do.
14. Operator instructions (18.104.22.168) standardized work documents must also include rules for operator safety, reference them, or be available on the floor with the work instructions.
15. Temporary change of process controls (22.214.171.124.1) requires you to have approved backup and alternate methods, should something like an error proof device be done. These methods need to be referenced on the control plan. Product under these conditions needs traceability.
16. Control of reworked product (126.96.36.199) requires the utilization of a risk analysis (FMEA) methodology to assess risks in the rework process prior to a decision to rework. Most discussions that I have researched only address the definition of repaired versus reworked product. While much could be read into this statement, I have decided to incorporate the consideration of risk to the customer when product is dispositioned. Of course, this was always inherent in the disposition process, but it is now explicitly stated.
17. Internal audits (188.8.131.52) Make sure that you have identified all of the requirements, auditors have been trained on them and internal audits have audited all customer-specific requirements. Make sure internal audit reports mention auditing the shift changeover and competency of process owners.
If you should use a subcontracted auditor or only have one internal auditor, you will need to train another person to audit the internal audit program. It cannot be the audit program manager any more. This independent person must meet all systemic internal auditor requirements.
18. Manufacturing process audits (184.108.40.206) shall audit each manufacturing process on all shifts where it occurs, including sampling the shift handover. For example, if the manufacturing process includes molding, grinding, and heat treating activities, then all of these activities would have to be audited. If heat treating operates on all three shifts, then all three shifts must be audited.
These audits must include a review of the control plan, PFMEA and work instructions. Your auditors are verifying how they align with each other. If the control plan identifies a width inspection, then the PFMEA must identify that failure mode and inspection control. The work instructions should also address this inspection.
19. Warranty management system (10.2.5) should not be written off so quickly either. If your organization has a policy not to accept a claim after a specified period of time, then this is an implied warranty and needs to be addressed. The process will probably not need to change, but just defined.