I just finished taking (and passing!) the IATF 16949 qualification test given by the IAOB. Lead Auditor qualification for this new specification is required prior to doing any upgrade audits.
Companies are required to upgrade to the new IATF 16949 (formerly TS 16949) by September 15, 2018.
This date aligns with the ISO 9001:2015 end date but does not provide as much time to upgrade since IATF 16949 was published several months later. You may know by now that IATF 16949 does not include the ISO 9001:2015 standard clauses but just references them. Therefore, to perform an audit or implement an IATF 16949 system, you need both documents as well as Rules 5th Edition.
In addition to adopting the high-level structure in ISO 9001:2015, IATF 16949 incorporates a number of new requirements. These new requirements include:
- Monitoring of safety-related parts and accessories
- Ensuring the traceability of products consistent with applicable regulations and standards
- Requirements for products with embedded software
- Implementation of a warranty management process
- Clarified requirements for sub-tier supplier management and development
- Requirements concerning corporate responsibility
Most of these requirements affect only tier 1 suppliers that ship finished parts directly to the OEMs. In addition, I would postulate that most of these requirements were already inherent in the previous specification, such as the transfer of requirements for product safety throughout the supply chain, traceability of products consistent with regulations and standards, and analysis of warranty data.
However, I would like to point out the following nuances of the new IATF 16949 that may raise a few eye brows in your organization:
- Corporate responsibility (220.127.116.11), which requires definition and implementation of polices for anti-bribery, employee code of conduct, and ethics escalation (‘whistle-blowing’) policy. Many smaller, family-owned companies do not have or need these types of policies.
- Contingency plans (18.104.22.168 e) that must be periodically tested for effectiveness. A requirement for service continuity for ISO 20000 and some financial institutions for business continuity plans.
- Plant, facility and equipment planning (22.214.171.124) assessments of manufacturing feasibility and evaluation of capacity planning shall be inputs into management reviews. This requirement may or may not be part of your existing management review depending on the metrics your organization has chosen.
- Employee motivation and empowerment (7.3.2) shall maintain a documented process. While this was a prior requirement, the words ‘documented process(es)’ are now added.
- Quality management system documentation (126.96.36.199) can be more than one document, but a list shall identify the documents that comprise the quality manual. While there is much hype that ISO 9001:2015 no longer requires a quality manual, IATF 16949 does require a quality manual whose structure and format is at the discretion of your organization.
- Control of reworked product (188.8.131.52) requires the utilization of a risk analysis (FMEA) methodology to assess risks in the rework process prior to a decision to rework. Most discussions that I have researched only address the definition of repaired versus reworked product. While much could be read into this statement, I have decided to incorporate the consideration of risk to the customer when product is dispositioned. Of course, this was always inherent in the disposition process, but it is now explicitly stated.
Given all 58 pages of the IATF 16949 specification, these nuances could be easily overlooked so I wanted to bring these to your attention. Good luck in your new IATF 16949 implementation!