Keys to IATF 16949:2016
Understanding important changes to the automotive QMS
by R. Dan Reid
Editor’s note: This is the second installment of a two-part series that examines ISO TS 16949’s recent revision. Part one appeared in January’s QP.
The automotive industry’s revision of ISO technical specification (TS) 16949—now known as IATF 16949—carries over the requirement for process effectiveness and efficiency (subclause 184.108.40.206), the latter of which has never been required by ISO 9001. This subclause now requires process review activities to be an input to the management review process.
There is no definition of the term "process review" or what this activity includes, but the International Automotive Task Force (IATF) indicates process-review activities must include evaluation methods and implemented improvements. Top management should be conducting reviews of the process-specific reviews performed by process owners.
Ever since the 2000 revision of ISO 9001, implementing and auditing a quality management system (QMS) has required a process approach. The most recent revision (ISO 9001:2015) has not defined the term, but describes it by using terms—such as plan-do-check-act cycles—and by providing process models that show inputs and value-added steps that transform inputs into outputs.
Having a process owner is a key success factor in effectively managing processes. IATF 16949 now requires this in subclause 220.127.116.11, and it includes ensuring process owners can perform their assigned roles. They should have the necessary competency, responsibility, and authority for their owned processes’ activities and results. Note that while the process approach is a more explicit requirement, ISO 9001:2015 demoted measuring and monitoring of processes and products from a subclause level in the last version to simply embedded requirements within other clauses this time. IATF did make measurement of processes very explicit.
Typically, organizations do a good job defining and documenting job responsibilities. Many, however, do not adequately define and document workers’ authority to take action on their jobs if things go wrong. For a job to be done effectively, this guidance should be included in work instructions. The intent of this addition also is carried over to subclause 5.3.1 (organizational roles, responsibilities, and authorities—supplemental) to address the need for organizations to better document assigned personnel responsibilities and authority. ISO TS 16949 required an organization to address customer requirements, but this revised subclause now requires the organization to explicitly meet customer requirements.
Risk is still an immature concept in International Organization for Standardization (ISO) documents because there are different definitions of the term. Risk was explicitly introduced as a QMS requirement in ISO 9001:2015 and defined as "effects of uncertainty."
The new implicit ISO 9001:2015 requirement is for "risk-based thinking" rather than "risk management," which is addressed in ISO 31000:2009—Risk management—Principles and guidelines (ISO, 2009). The revision now requires an organization to identify and address risks and opportunities. It also indicates risk can be positive or negative. Positive risk is reportedly not equivalent to opportunity.
In IATF 16949, the definition of risk is, surprisingly, unimproved from the ISO 9001:2015 definition. In subclause 18.104.22.168, IATF 16949 explicitly has risk analysis as a requirement that includes a periodic review of lessons learned from product recalls, product audits, field returns, complaints, scrap and rework.
In clause 22.214.171.124, IATF 16949 carries over the requirement for preventive action, which was deleted from ISO 9001:2015. But preventive action is no longer aligned with corrective action, which was a concern for ISO 9001 writers. Preventive action is now aligned with QMS planning and should be implemented up front when engineering or re-engineering a QMS. Similarly, the contingency plan requirement is carried over from ISO TS 16949 and aligned with planning the QMS.
At a minimum, risk should be analyzed and addressed for products, processes and an organization’s supply chain. An effective approach would be to analyze the risks qualitatively and quantitatively, and implement actions to reduce and mitigate the prioritized risks based on severity and probability of occurrence.
An organization’s top management needs a process for setting and maintaining objectives because they can drive a QMS’s conformance and continual improvement. To be effective, enterprise-level objectives must be cascaded to relevant levels and functions inside the organization and aligned with additional objectives or targets set by middle and lower management as applicable.
In clause 126.96.36.199, IATF 16949 now specifies objectives are to be established at least annually. To drive continual improvement, they should be reset sooner if they are achieved. Objectives should not be so ambitious that there is no practical opportunity to achieve them over time.
In IATF 16949’s subclause 7.2, there are expanded and more prescriptive requirements for internal and second-party auditors. There is now a requirement for a documented process for competency of internal auditors. Auditors also are now categorized as QMS, process or product auditors with prescriptive requirements for each category. Most of these requirements are common to all categories, such as:
- Auditing according to ISO 19011.
- Understanding the process approach.
- Risk-based thinking.
- ISO 9001:2015.
- The automotive core tools, including advanced product quality planning, statistical process control, measurement system analysis, and failure mode and effects analysis.
Maintenance and improvement of auditor competence must include conducting a specified number of audits annually and knowledge of changes related to what is referred to as "context of the organization."
IATF 16949’s subclause 188.8.131.52 requires organizations to use a process for the quality assurance of products with internally developed embedded software and to have an appropriate assessment method to assess their software development process.
The software development process also must be included in the scope of the internal audit program. Internal auditors should be able to assess the effectiveness of the software development method used. Subclause 184.108.40.206.1 on calibration and verification records also includes verification of the software version used for product and process control, although it is unfortunate that the final subclause structure uses up to five decimal places.
Subclause 220.127.116.11 also has design validation requirements around embedded software that should be included. Subclause 18.104.22.168.1 also requires cascading these software requirements to suppliers. Software verification and validation requirements, such as those found in ISO 13485 for medical devices, are appearing in sector QMS documents with increasing regularity.
Purchased product controls
ISO 9001:2015 subclause 8.4 expanded the scope of these requirements to include allied and affiliated locations of the same organization. Quality professionals probably are still applauding this change because often the allied suppliers are the worst-performing suppliers in terms of quality and delivery. Prior to this revision, the quality managers had no options to remedy the situation.
IATF 16949 adds more prescriptive requirements for purchased products or services. Typically, there are three processes that are owned by the purchasing function in organizations:
- Supplier qualification.
- Supplier selection.
- Supplier quality, which can include monitoring and development.
IATF 16949’s subclause 22.214.171.124 opens the scope to suppliers of subassembly, rework, sequencing and sorting. Subclause 126.96.36.199 requires suppliers to be ISO 9001 certified unless otherwise authorized by the customer. When compared with prior requirements, this will require more tier-two suppliers to be certified.
There is a new and prescriptive supplier selection subclause (188.8.131.52) that includes elements of supplier qualification—such as assessment and supplier selection processes (quality and delivery performance). There also is a prescriptive list of supplier selection criteria. Auditors generally do not have experience in processes that deal with purchasing, so this will require more auditor training on purchasing, as well as training on embedded software and other new requirements.
An ISO 9001:2015 certification must be attained to conform to IATF 16949. IATF 16949 raises the bar on top management requirements. It’s important to coach and train top leaders in these requirements for them to pass IATF 16949 audits. There are requirements that only top management will have responsibility for and authority over, so top management must be audited to obtain objective evidence to determine whether the QMS is conforming.
Internal and second-party auditors will need additional training in processes, such as purchasing, software development, customer-specific requirements auditing per ISO 19011 and the automotive core tools. Organizations should conduct a gap analysis to determine what must be addressed from the new standard and implement actions to address the gaps.
International Automotive Task Force, IATF 16949:2016—Technical Specification.
International Organization for Standardization (ISO), ISO 9001:2015—Quality management systems—Requirements.
ISO, ISO 9000:2015—Fundamentals and vocabulary.
R. Dan Reid is the principal consultant with Management Systems Consulting LLC in Farmington, MI. He is an author of ISO Technical Specification 16949, QS-9000, ISO 9001:2000, the first International Organization for Standardization international workshop agreement, the Chrysler, Ford, GM Advanced Product Quality Planning With Control Plan, Production Part Approval Process and Potential Failure Modes and Effects Analysis manuals and the Automotive Industry Action Group’s Business Operating Systems for Healthcare Organizations. Reid was the first delegation leader of the International Automotive Task Force. He is an ASQ fellow and an ASQ-certified quality engineer.