Top Findings During IATF16949:2016 Transition Audits
Many companies have transitioned from ISO/TS to IATF16949:2016 and most have had multiple non-conformances. Some companies have been very prepared for the transition while others have not put much effort into the transition. Typical transition implementation time is 6-12 months, but this varies depending on the scope of the organization and the status of their QMS at the beginning of the process.
The new ISO9001:2015 and IATF16949:2016 standards were updated to put more focus on organizations being more proactive and utilizing risk-based-thinking to continuously improve organizations quality management systems.
Below are the top 15 reasons for non-conformances during IATF16949:2016 transition audits. These are in order of clause, not in order of most frequent. The following list is compiled from several different registrars and IAOB publications.
Clause 4.3.2 - Customer specific requirements
Clause 220.127.116.11 - Product safety
Clause 18.104.22.168 - Risk analysis
Clause 22.214.171.124 - Contingency plans
Clause 126.96.36.199.1 – Measurement system analysis
Clause 7.2.3 - Internal auditor competency
Clause 188.8.131.52 – Special characteristics
Clause 184.108.40.206 – Manufacturing process design output
Clause 8.5.1 - Control of production and service provision (ISO)
Clause 220.127.116.11 – Control plan
Clause 18.104.22.168 – Standardized work
Clause 22.214.171.124 - Total productive maintenance
Clause 126.96.36.199 - Management review inputs.
Clause 10.2.1 - Nonconformity and corrective action
Clause 10.2.3 - Problem solving
Below are explanations of what is mostly missed during implementation.
4.3.2 – Customer-specific requirements (CSR)
The clause simply states: Customer-specific requirements SHALL be evaluated and included in the scope of the organization’s quality management system.
Organizations are not defining their customers and their CSR’s in the scope of their QMS. This must be defined in your quality manual (see IATF16949:2016 clause 188.8.131.52)
Many organizations do not understand that customer specific requirements SHALL be met. If it is a requirement in a customer’s CSR, then it IS a requirement. You have two options: meet the requirement or get a concession from the customer. Organizations must list their customers, their customers CSR’s and where in their QMS they meet the CRS’s.
Clause 184.108.40.206 Product safety
Organizations are now required to have a documented process for the management of product-safety related products and manufacturing processes. This could be documented in a procedure, checklist or APQP process. This process SHALL include ALL of the following:
Clause 220.127.116.11 – Risk analysis
Risk analysis AT A MINIMUM SHALL include lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework. This does not don’t mean you can pick and choose, you SHALL include lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework. These are usually already covered in your management review.
Clause 18.104.22.168 – Contingency plans
IATF strengthened the Contingency Plans requirement by adding testing and reviewing the contingency plans. An example of a contingency plan test: Company XYZ has identified one forging machine as key because they only have one on-site that can forge large parts. The contingency includes the following: key critical spare parts list, minimum inventory on-hand for those parts, and transferring production to a sister facility. To test these would be very simple. Count the inventory of your spare parts and contact sister facility to see if they have the capability and capacity to handle the production needs. If the test is OK, just document your test results. If the test fails, document, re-evaluate and update contingency plan.
Contingency plans must also be reviewed by a multidisciplinary team including top management at least annually. This could be added as an input for your management review.
Contingency plans must also include a notification process to the customer in the event of supply disruption.
A measurement system analysis study SHALL be conducted for each measuring / inspection type of equipment listed on control plan. This includes attribute and variable measurement systems, including visual inspection, go/no-go gages, etc… Most companies address this through gage R&R studies. Gage R&R studies can be done on attribute gages.
Clause 7.2.3 – Internal auditor competency
The initial 2016 revision added additional requirements for QMS internal auditors, manufacturing process auditors and product auditors. This requirement has been clarified and relaxed with AIAG’s sanctioned interpretations issued in October, 2017.
The minimum competency requirements for manufacturing process auditors and product auditors was removed. Many companies use “non-certified” internal auditors for manufacturing process auditors and product auditors.
Manufacturing process auditors SHALL demonstrate technical understanding of the relevant manufacturing process(es) to be audited, including process risk analysis (such as PFMEA) and control plans. Product auditors SHALL demonstrate competence in understanding product requirements and use of relevant measuring and test equipment to verify product conformity.
AIAG also clarified that the organization only needs to retain the trainer’s competency records if the organization’s personnel provide the training to achieve competency, documented information SHALL be retained to demonstrate the trainer’s competency with the above requirements.
Clause 22.214.171.124 – Special Characteristics
Organizations SHALL have a documented process to identify special characteristics and SHALL include the following:
This process could be part of your APQP process or process for new products.
Clause 126.96.36.199 – Manufacturing process design output
Previously many companies ignored all design requirements of ISO and TS since they did not design the product, but IATF16949:2016 has clarified that no IATF certified company can ignore manufacturing process design. This process could be part of an organizations APQP process.
Organizations process for manufacturing process design output SHALL include but not be limited to the following:
a) specifications and drawings;
b) special characteristics for product and manufacturing process;
c) identification of process input variables that impact characteristics;
d) tooling and equipment for production and control, including capability studies of equipment and process(es);
e) manufacturing process flow charts/layout, including linkage of product, process, and tooling;
f) capacity analysis;
g) manufacturing process FMEA;
h) maintenance plans and instructions;
i) control plan (see Annex A);
j) standard work and work instructions;
k) process approval acceptance criteria;
I) data for quality, reliability, maintainability, and measurability;
m) results of error-proofing identification and verification, as appropriate;
n) methods of rapid detection, feedback, and correction of product / manufacturing process non conformities.
Clause 8.5.1 – Control of production and service provision
Simply stated, organizations SHALL control their production and service processes including having available documented information, having availability and use of suitable monitoring and measuring resources, use of suitable infrastructure and environment for the operation of processes, and the appointment of competent persons, including any required qualification.
An organization’s control plan(s) should be living, up to date documents. Many companies make the mistake of having a control plan for each part number manufactured. If a company manufactures 1,000 parts and have 1,000 control plans, it is very difficult to keep control plans “living” unless the organization has an army of quality engineers. If possible, it is always easier and best to have a family control plan.
Control plans need to have specified reaction plan when non-conforming product is detected.
Control plans SHALL be reviewed and updated as required for any of the following:
If required by the customer, the organization SHALL obtain customer approval after review or revision of the control plan.
Clause 188.8.131.52 – Standardized work
Communicated / understood by the employees who perform the work. Standard work must now also include rules on operator safety. Employees should know their SOP’s and records of training should be available.
The new IATF clearly states that organizations SHALL develop, implement and document a TPM system. There are 10 items that your TPM system must include as a minimum. Responsibility for TPM should reside within your facilities or maintenance group. Most common findings are related to maintenance objectives and periodic overhaul. Maintenance objects need to be defined and reviewed in management review. If maintenance objectives are not being met an action plan must be defined.
Clause 184.108.40.206 – Management review inputs
ISO9001:2015 section 9.3.2 and IATF16949:2016 section 220.127.116.11 clearly list what is required as inputs into an organization’s management review meeting. These are not options but required inputs. Top management should be responsible for meeting these requirements. Top management should be conducting management reviews as a way of operating the QMS, not because it is a requirement of the standard.
Most common input left out is the review of the effectiveness of actions taken to address risk. Not just reviewing an action item list, but reviewing the effectiveness of the action taken. Did the actions work? If not, another action must be implemented.
Clause 10.2.1 – Nonconformity and corrective action
A good corrective action process is essential for any quality management system. Most findings with this clause are related to not taking action to control and correct issues and determining if similar nonconformities exist or could potentially occur (doing a look across / read across).
Clause 10.2.3 – Problem solving
Effective organizations should have a very formal problem-solving process. IATF now requires that organizations must have a documented process for problem solving. If the customer has defined a prescribed process for problem solving, the organizations SHALL follow customer specific prescribed method.