Top Findings During IATF16949:2016 Transition Audits


Many companies have transitioned from ISO/TS to IATF16949:2016 and most have had multiple non-conformances.  Some companies have been very prepared for the transition while others have not put much effort into the transition.  Typical transition implementation time is 6-12 months, but this varies depending on the scope of the organization and the status of their QMS at the beginning of the process. 

The new ISO9001:2015 and IATF16949:2016 standards were updated to put more focus on organizations being proactive and using risk-based thinking to continuously improve their quality management systems.

Below are the top 15 reasons for non-conformances during IATF16949:2016 transition audits.  These are in order of clause, not in order of frequency. The list is compiled from several different registrars and IAOB publications.

Clause 4.3.2 - Customer specific requirements

Clause - Product safety

Clause - Risk analysis

Clause - Contingency plans

Clause – Measurement system analysis

Clause 7.2.3 - Internal auditor competency

Clause – Special characteristics

Clause – Manufacturing process design output

Clause 8.5.1 - Control of production and service provision (ISO)

Clause – Control plan

Clause – Standardized work

Clause - Total productive maintenance

Clause - Management review inputs.

Clause 10.2.1 - Nonconformity and corrective action

Clause 10.2.3 - Problem solving


Below are explanations of what is most often missed during implementation.


4.3.2 – Customer-specific requirements (CSR)

The clause simply states: Customer-specific requirements SHALL be evaluated and included in the scope of the organization’s quality management system.

Organizations are not defining their customers and their CSR’s in the scope of their QMS.  This must be defined in your quality manual (see IATF16949:2016 clause

Many organizations do not understand that customer-specific requirements SHALL be met.  If it is a requirement in a customer’s CSR, then it IS a requirement.  You have two options: meet the requirement or get a concession from the customer. Organizations must list their customers, their customers’ CSRs and where in their QMS they meet the CSRs.

Clause Product safety

Organizations are now required to have a documented process for the management of product-safety related products and manufacturing processes.  This could be documented in a procedure, checklist or APQP process.  This process SHALL include ALL of the following:

  1. ID of statutory and regulatory product-safety requirements
  2. Customer notification of requirements in item a)
  3. Special approvals for design FMEA
  4. ID of product safety-related characteristics
  5. ID and controls of safety-related characteristics of product and at the point of manufacture
  6. Special approval of control plans and PFMEA’s
  7. Reaction plans (see section
  8. Defined responsibilities, definition of escalation process and flow of information, including top management and customer notification
  9. Training identified by the organization or customer for personnel involved in product-safety related products and associated manufacturing processes
  10. Changes to product or process SHALL be approved prior to implementation, including evaluation of the potential effects on product safety.
  11. Transfer of requirements with regard to product safety throughout the supply chain, including customer-designated sources (see section
  12. Product traceability by manufactured lot number throughout the supply chain
  13. Lessons learned for new product introduction.


Clause – Risk analysis

Risk analysis AT A MINIMUM SHALL include lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework.  This does not mean you can pick and choose; you SHALL include lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework.  These are usually already covered in your management review.

Clause – Contingency plans

IATF strengthened the Contingency Plans requirement by adding testing and reviewing of the contingency plans.  An example of a contingency plan test:  Company XYZ has identified one forging machine as key because they only have one on-site that can forge large parts.  The contingency includes the following: key critical spare parts list, minimum inventory on-hand for those parts, and transferring production to a sister facility.  Testing these would be very simple.  Count the inventory of your spare parts and contact the sister facility to see if they have the capability and capacity to handle the production needs.  If the test is OK, just document your test results.  If the test fails, document, re-evaluate and update the contingency plan.

Contingency plans must also be reviewed by a multidisciplinary team including top management at least annually.  This could be added as an input for your management review.

Contingency plans must also include a notification process to the customer in the event of supply disruption.


Clause – Measurement system analysis

A measurement system analysis study SHALL be conducted for each type of measuring / inspection equipment listed on the control plan.  This includes attribute and variable measurement systems, including visual inspection, go/no-go gages, etc.  Most companies address this through gage R&R studies.  Gage R&R studies can be done on attribute gages.


Clause 7.2.3 – Internal auditor competency

The initial 2016 revision added additional requirements for QMS internal auditors, manufacturing process auditors and product auditors.  This requirement has been clarified and relaxed with AIAG’s sanctioned interpretations issued in October, 2017. 

The minimum competency requirements for manufacturing process auditors and product auditors were removed.  Many companies use “non-certified” internal auditors for manufacturing process auditors and product auditors.

Manufacturing process auditors SHALL demonstrate technical understanding of the relevant manufacturing process(es) to be audited, including process risk analysis (such as PFMEA) and control plans. Product auditors SHALL demonstrate competence in understanding product requirements and use of relevant measuring and test equipment to verify product conformity.

AIAG also clarified that the organization only needs to retain the trainer’s competency records if the organization’s own personnel provide the training to achieve competency; in that case, documented information SHALL be retained to demonstrate the trainer’s competency with the above requirements.




Clause – Special Characteristics

Organizations SHALL have a documented process to identify special characteristics and SHALL include the following:

  1. Documentation of all special characteristics in the drawings, FMEA, Control Plan, and standard work instructions;
  2. Development of control and monitoring strategies for special characteristics of products and production processes;
  3. Customer-specified approvals, when required;
  4. Compliance with customer-specified definitions and symbols.

This process could be part of your APQP process or process for new products.

Clause – Manufacturing process design output

Previously many companies ignored all design requirements of ISO and TS since they did not design the product, but IATF16949:2016 has clarified that no IATF certified company can ignore manufacturing process design.  This process could be part of an organization’s APQP process.

An organization’s process for manufacturing process design output SHALL include but not be limited to the following:

a) specifications and drawings;

b) special characteristics for product and manufacturing process;

c) identification of process input variables that impact characteristics;

d) tooling and equipment for production and control, including capability studies of equipment and process(es);

e) manufacturing process flow charts/layout, including linkage of product, process, and tooling;

f) capacity analysis;

g) manufacturing process FMEA;

h) maintenance plans and instructions;

i) control plan (see Annex A);

j) standard work and work instructions;

k) process approval acceptance criteria;

l) data for quality, reliability, maintainability, and measurability;

m) results of error-proofing identification and verification, as appropriate;

n) methods of rapid detection, feedback, and correction of product / manufacturing process nonconformities.


Clause 8.5.1 – Control of production and service provision

Simply stated, organizations SHALL control their production and service processes including having available documented information, having availability and use of suitable monitoring and measuring resources, use of suitable infrastructure and environment for the operation of processes, and the appointment of competent persons, including any required qualification.

Clause – Control plan

An organization’s control plan(s) should be living, up-to-date documents.  Many companies make the mistake of having a control plan for each part number manufactured.  If a company manufactures 1,000 parts and has 1,000 control plans, it is very difficult to keep control plans “living” unless the organization has an army of quality engineers.  If possible, it is always easier and best to have a family control plan.

Control plans need to have a specified reaction plan for when non-conforming product is detected.

Control plans SHALL be reviewed and updated as required for any of the following:

  • Organization determines it has shipped nonconforming product to the customer
  • When any change occurs affecting product, manufacturing process, measurement, logistics, supply sources, production volume changes, or risk analysis.
  • After a customer complaint
  • At a set frequency based on risk

If required by the customer, the organization SHALL obtain customer approval after review or revision of the control plan.

Clause – Standardized work

Standardized work must be communicated to and understood by the employees who perform the work.  Standard work must now also include rules on operator safety.  Employees should know their SOPs and records of training should be available.

Clause – Total productive maintenance

The new IATF clearly states that organizations SHALL develop, implement and document a TPM system.  There are 10 items that your TPM system must include as a minimum.  Responsibility for TPM should reside within your facilities or maintenance group.  Most common findings are related to maintenance objectives and periodic overhaul.  Maintenance objectives need to be defined and reviewed in management review.  If maintenance objectives are not being met, an action plan must be defined.

Clause – Management review inputs

ISO9001:2015 section 9.3.2 and IATF16949:2016 section clearly list what is required as inputs into an organization’s management review meeting.  These are not options but required inputs.  Top management should be responsible for meeting these requirements.  Top management should be conducting management reviews as a way of operating the QMS, not because it is a requirement of the standard. 

The most common input left out is the review of the effectiveness of actions taken to address risk.  This means not just reviewing an action item list, but reviewing the effectiveness of the action taken.  Did the actions work?  If not, another action must be implemented.

Clause 10.2.1 – Nonconformity and corrective action

A good corrective action process is essential for any quality management system.  Most findings with this clause are related to not taking action to control and correct issues and not determining whether similar nonconformities exist or could potentially occur (doing a look across / read across).

Clause 10.2.3 – Problem solving

Effective organizations should have a very formal problem-solving process.  IATF now requires that organizations have a documented process for problem solving.  If the customer has defined a prescribed process for problem solving, the organization SHALL follow the customer-specific prescribed method.