Figuring out why there are gaps in IATF 16949 audits
by R. Dan Reid
In my work with organizations from various manufacturing sectors, I’m shocked by some of the gaps—or potential gaps—that aren’t found and recorded by auditors during IATF 16949 audits. IATF 16949:2016 is the international standard for automotive quality management systems (QMS). Some examples, organized by clause, include:
QMS documentation (clause 4.4). This clause lists general documentation requirements.
- Many of the International Automotive Taskforce (IATF)-required documented processes are missing documentation.
- There isn’t a customer-specific requirements (CSR) document, such as a matrix.
- There’s insufficient documentation of the sequence and interaction of the QMS processes.
- The QMS process list is incomplete and still under development.
- QMS-documented information often isn’t readily available—a lot is in draft form and not yet implemented.
- There’s evidence of multiple versions of some documents in the system, and more than one is listed as approved.
Although ISO 9001:2015 no longer requires a quality manual, IATF 16949 does. Unfortunately, the International Organization for Standardization (ISO) doesn’t provide guidance on properly completing a quality manual. Some organizations copy IATF 16949 and substitute their organization’s name where the standard says “the organization,” but this doesn’t meet the intent of a quality manual and likely is a copyright violation. Rather, the manual should describe the organization’s approach to addressing the QMS requirements. IATF also requires the quality manual to include:
- a) the scope of the quality management system, including details of and justification for any exclusions;
- b) documented processes established for the quality management system, or reference to them;
- c) the organization’s processes and their sequence and interactions (inputs and outputs), including type and extent of control of any outsourced processes;
- d) a document (i.e., matrix) indicating where within the organization’s quality management system their customer-specific requirements are addressed.”1
Contingency plans (subclause 22.214.171.124). This clause requires a risk-based plan for continuing product supply in the event various events occur that could jeopardize delivery.
- Contingency plan document list options are available, but don’t include specific plans or directions.
- There’s no evidence:
- That the plans consider the outputs of risk evaluation.
- Of supply chain contingency plans.
- Of contingency plan testing.
Competence (clause 7.2). This clause requires the organization to use people who are competent for their job based on education, training or experience.
- The training process doesn’t address all the requirements, such as assessing training effectiveness.
- There’s no documented process for auditor competency, such as IATF 16949, CSRs, core tools, or process and product auditing.
- There are no records of on-the-job or other training.
Design and development of products and services (clause 8.3). This clause defines the QMS requirements for product and process design. Product design can be excluded from the QMS scope for organizations that don’t have any capability of providing product design.
- The product design is excluded, but the organization has the capability to perform it.
- There’s no process for identifying, designating or controlling special characteristics.
- There’s no evidence of purchased parts approval being submitted for customer approval prior to the production part approval process.
- Manufacturing process design outputs are missing, such as process flow diagrams, special characteristics, capacity studies and process failure mode and effects analysis (PFMEA).
- The PFMEA effects don’t consider end users or all external downstream customers.
Control of externally provided processes, products and services (clause 8.4). This clause has requirements for purchased products as well as those provided from allied or affiliated organizations.
- There’s no evidence:
- That the applicable required supplier selection criteria are used.
- That non-ISO 9001-certifed suppliers are tracked.
- That a supplier development process is in place.
- Of supplier risk assessment.
- Of a supplier assessment program for QMS, process or product audits.
- The supplier assessment process doesn’t use the automotive process approach, such as a checklist of closed questions.
- There’s insufficient evidence that:
- The change management process extends to the supply chain.
- Business continuity planning effectively addresses supply chain risk.
- Special characteristics are flowed down to the supply chain.
- Supplier QMS development doesn’t meet the intent of the standard.
- The organization’s process calls for a vendor rating system that isn’t being performed.
- Suppliers aren’t required to be ISO 9001 certified.
Production and service provision (clause 8.5). This clause requires QMS processes to be controlled.
- There’s no periodic process revalidation, as required.
- Control plans aren’t done for all phases, such as prototype and prelaunch, as required.
- The control plan format is missing some required content from IATF 16949, Annex A.
- There’s no evidence:
- That control plans are updated, such as after changes, as required.
- Of processes for special characteristics (product and process).
- Of a documented change management process.
- Of temporary process change controls (clause 126.96.36.199.1).
- A total productive maintenance system hasn’t been deployed.
- There’s evidence of production scheduling issues, such as wrong work flows and release prior to approval.
- The inspection status isn’t recorded after some verification activities, as required.
- Customer-owned property, such as customer drawings, is stored electronically on an unsecured drive.
- The shelf life for items in inventory isn’t defined.
- The inspection status isn’t recorded (clause 8.5.2).
Monitoring, measurement, analysis and evaluation (clause 9.1). This clause requires the organization to collect and analyze data for QMS processes and product.
- There’s no evidence:
- That manufacturing process capability or performance results, as specified by the customer’s part approval process requirements, have been maintained over time.
- Of measurement system analysis studies.
- Of an escalation process (also required by clause 4.4).
- Advanced product quality planning is in development but hasn’t been deployed.
- Statistical concepts aren’t well deployed throughout the organization, as required.
- There’s insufficient evidence that some required data are being analyzed, such as plan effectiveness, plans for addressing risks and opportunities or vendor performance.
Internal audit (clause 9.2). This clause lists the requirements for conducting internal QMS, product and process audits.
- There’s no evidence:
- That all QMS processes are included in the audit program and audited over time.
- Of auditor competency.
- Of product or process auditing.
- Of supplier audit, process or product audit programs or audits.
- The QMS audit program is only for 2018 and audits weren’t performed according to the plan.
- Special processes aren’t addressed in the audit.
- The warehouse has past-due corrective actions from the last internal audit.
Management review (clause 9.3). This clause requires top management to periodically review the QMS for continuing suitability and effectiveness.
- The management review process doesn’t meet the standard’s intent. There’s no evidence that all the required inputs and outputs have been addressed, for example, and there’s no cost of poor quality process or review of total productive maintenance objectives.
- There’s evidence that resources needed for the QMS haven’t been addressed adequately. For example, QMS software was identified as a need in a 2017 management review and is still open, and resources to accomplish IATF certification (communicated in 2016) aren’t in place.
Change management (several clauses). There are several standard clauses that establish requirements for managing planned and unplanned changes.
- There’s no tracking of change implementation dates.
- There’s no evidence:
- That the current process addresses how to handle supplier change requests.
- Of verification and validation of changes.
- Of risk analysis of changes for impact to quality or customer—only safety, security or environmental.
- Of a requirement to notify customers prior to implementing changes.
- Customer requirement review (clause 8.2.2) is largely done after receipt of contracts.
- Top management isn’t aware of applicable QMS processes, such as context for the organization (clause 4.1).
- Responsibilities and authorities (clause 5.3) aren’t well specified, communicated or known.
- There’s no evidence of:
- Completed gage studies, when appropriate (subclause 188.8.131.52.1).
- A documented process to motivate employees to achieve quality objectives, make continual improvements and create an environment that promotes innovation, as required (clause 7.3.2).
Possible root causes
Many people still believe that internal auditors shouldn’t audit their own department or function due to the need for independence and impartiality.2 The current standard, however, is that auditors must not audit their own work. In fact, for processes involving technical work, how can anyone who doesn’t have the appropriate education, training or experience effectively audit these processes? Any trained auditor can audit most QMS processes—to a degree. But his or her lack of experience in some processes may explain why so many auditors have failed to identify the gaps mentioned earlier.
IATF requirements might be too restrictive to satisfy the demand for third-party auditors, although this wouldn’t explain why the auditors miss so many issues. A more likely explanation is the commercial relationship between the certification body and the supplier seeking certification. To help ensure their ongoing business relationship with these suppliers, certification body auditors may be too lenient.
It also appears that the IATF 16969 transition audits over the past few years weren’t long enough for auditors to sufficiently sample the QMSs—likely due to a short transition timeframe and lack of auditors to meet the demand in the required timeframe. Thus, much of the problem can be explained by sampling error based on the small sample size of transition audits—some processes simply weren’t audited.
IATF certification bodies shouldn’t certify organizations to IATF 16949 that have many of the gaps mentioned earlier. Current IATF auditor training should be revised and improved. How best to accomplish this requires significant data gathering and analysis by IATF.
Additional IATF witness audits of certification bodies also would help address the problem if the IATF could secure enough competent IATF witness auditors globally. This work could be outsourced to third parties. IATF could require selected contractors to use an IATF-prescribed surveillance process.
ISO 19011:2018, clause 7.2.3, defines the general and sector-specific knowledge and competency needed by auditors and others. Clause 7.2.4 describes how auditors can achieve competency and introduces the notion of evaluating auditors.3 The clause recommends developing auditor evaluation criteria followed by using two or more of the following auditor evaluation methods:
- Records review, such as education, training, employment, professional credentials and auditing experience.
- Feedback, such as surveys, questionnaires, personal references, testimonials, complaints, performance evaluations and peer reviews.
- Personal interviews.
- Observation, such as role playing, witnessed audits and on-the-job performance.
- Post-audit reviews, such as reviewing the audit report, interviews with the audit team leader and the audit team, and, if appropriate, feedback from the auditee.
Reviewing the performance of the global IATF auditor pool is a big job, but it could be outsourced to qualified third parties using an IATF-prescribed process based on ISO 19011:2018 guidance. IATF could use the results to revoke the IATF qualification of auditors who don’t demonstrate the required competency. Properly implemented, this could drive a big improvement in IATF audit results and benefit the sector globally. However, IATF may have to relax the current auditor qualification criteria to get enough auditors to replace those disqualified. The proposed outsourcing could be funded through IATF manual sales—which are a significant source of income globally—and through auditor training revenue.
While this article focuses on the automotive sector, it would behoove other sectors with ISO 9001-based QMS requirements to consider similar actions to improve the overall customer confidence in third-party certification.
- International Automotive Taskforce (IATF), IATF 16949—Quality management system documentation, clause 184.108.40.206.
- R. Dan Reid, “It’s All in the Approach,” Quality Progress, April 2019, pp. 54-57.
- International Organization for Standardization (ISO), ISO 19011:2018—Guidelines for auditing management systems, clauses 7.3 and 7.4.
R. Dan Reid is the principal consultant with Management Systems Consulting LLC in Farmington, MI. He is an author of ISO Technical Specification 16949, QS 9000, ISO 9001:2000, ISO IWA-1 (the first International Organization for Standardization international workshop agreement), the Chrysler, Ford, GM Advanced Product Quality Planning with Control Plan, Production Part Approval Process and Potential Failure Modes and Effects Analysis manuals. Reid was the first delegation leader of the International Automotive Task Force. He is an ASQ fellow, an ASQ-certified quality engineer and a trainer of many standards, including ISO 13485, AS9100, ISO 14001, and ISO 45001. He is also a trainer and auditor for the German automotive standard VDA 6.3.