
2017 Quarter 2 - DQS Inc.


Page 1

IATF 16949 FAQ

On March 9, 2017, we hosted a webinar about the requirements of IATF 16949:2016, and we received many questions as we went through the material. Below is a list of the compiled questions as well as the answers from our IATF 16949 standard experts. You can also view a recording of the webinar at https://dqsus.com/standard-revision/iatf-169492016/.

Q: The practical application for product auditor competency is difficult to apply. Typically products include daily, monthly, annual, in-process, etc.

A: In ISO9000:2015 the definition of an audit is as follows: “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”. The competency requirements for a “Product Auditor” will be different from a “Systems Auditor”. They would need to be familiar with the manufacturing process, Core Tools and the Automotive Process Approach and relevant measuring and test equipment associated with product conformity.

Q: Do we have to consider a risk analysis for each IATF 16949 requirement?

A: The IATF Standard Section 0.1(c) indicates addressing risks and opportunities associated with the Organization’s context and objectives. At a minimum, risk should be analyzed and addressed for products, processes and an organization’s supply chain. Section 6.1.2.1 is more specific in risk analysis, at a minimum, lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework. A record of the review is to be maintained. The ISO9001:2015 Section 6.1 refers to Section 4.1 and 4.2 for Risks and Opportunities.

Q: It appears that clause 7.2.3 requirements a) through e) applies to all types of auditors (QMS, Manufacturing Process and Product) is this the case?

A: That is correct. 7.2.3 indicates a-e shall be minimum competencies with the additional requirements for a Product Auditor and manufacturing process auditors.

Q: For the product safety question, if we don’t produce any product with safety requirements, are we still required to have a documented process on how we would handle product-safety products?

A: The best approach would be to partner with your Customer and determine if any component, sub-component, assembly or module would have any safety related impact. Retain a record of the investigation.

Q: Can you elaborate about the new requirements for the Quality Manual, requirements?

A: The quality manual shall include, at a minimum, the following: the scope of the quality management system, including detail of and justification for any exclusions; documented processes established for the quality management system, or reference to them; the

Continued on page 4

Topics covered in this issue: IATF 16949 FAQ, ISO 9001:2015 Key Considerations, and FSSC Version 4 Changes.


Page 2

Key Considerations ISO 9001:2015

March 15, 2017 marked the eighteenth month anniversary of ISO9001:2015. Incidentally, it is also the midpoint of the transition period. All current ISO9001:2008 certifications not upgraded to ISO9001:2015 will be withdrawn on September 15, 2018.

In an effort to balance the upgrade schedule and have adequate resources in place to service all our clients, DQS has the following options available for our clients to upgrade:

1- As part of the Recertification Audit. Upon successful completion, a new certificate of registration will be issued. The new certificate will be good for a period of three years.

2- As part of the Surveillance Audit, with days equivalent to a Recertification Audit. This option will reset the certification cycle, and a new certificate will be issued that will be good for three years as well.

3- As a Special Audit anytime during the certification cycle. The number of days for this audit will be equivalent to a Recertification Audit. Also, a new certificate will be issued, and the new certificate will be valid for a period of three years.

All upgrades will be conducted as part of a two stage process. Since the extent of the changes between the new standard and the previous version is significant, Stage 1 audits are intended to assist our clients in identifying the gaps in their quality management system so they could be addressed prior to Stage 2. In line with the ISO17021 (Conformity Assessment Requirements for Certification Bodies) requirements, Stage 1 will provide a method for verifying the client’s readiness before allocation of resources for Stage 2. Other benefits include:

- Clarification of the requirements

- Implementation of the core foundations for an effective management system

- Provision of information on the transition process

- In-depth, independent review of the system

- Detailed and systemic approach for identification of deficiencies

- Written report of deficiencies, if any

- Primarily intended for scoping and planning of Upgrade audit

- Ideally scheduled 2-3 months before the Upgrade audit or as part of the prior surveillance audit

- Provides auditor valuable information for Upgrade audit

The primary intent of Stage 1 is to reduce the possibility of a failed Upgrade Audit. Additional information about the transition process is available on our website – www.dqsus.com, under Informational Sessions, ISO9001:2015, Important ISO9001:2015 Bulletin.

To better balance the upgrade audits and to ensure the availability of adequate resources, all audits after June 15, 2017 are required to be scheduled as Upgrade Audits. Any organization that does not select one of the three above-mentioned options to upgrade after June 15, 2017 or elects to upgrade in late 2018, will have to be aware of the following risks:

1- Due to the increased demand during the last year of the upgrade period cycle, we may not have auditors available to carry out the upgrade audit at a client’s desired time. As such, we may not be in a position to either complete the audit, or have the certificate issued by September 14, 2018. As such, all ISO9001:2008 certificates will be withdrawn on September 15, 2018, without renewal.

2- No Upgrade audits will be planned after July 1, 2018. Any audit that is scheduled after that time may not allow enough time for the corrective actions to be resolved and the new certificate issued.

To prevent the above risks, it will be most beneficial for your organization to consider one of the above-mentioned three options. Please advise your Customer Service Professional of your upgrade plans so adequate arrangements could be made for the upgrade audit to be conducted at your preferred timing requirement.

Continued on page 3


UPDATES TO STANDARDS

Page 3

Continued from page 2

There are several major changes that will have to be addressed, including:

1. In accordance with clause 4.0, organizations are required to consider the Context of their organization to identify the interested parties and their expectations, define the scope of the quality management system and then define the processes needed to support the scope. Although a written procedure is not required for all aspects of clause 4.0, it may be a worthwhile effort to have all aspects documented. A well written procedure will satisfy the requirements of 4.0, and may very well reduce the amount of audit time with the management personnel.

2. Risk-based thinking has to be utilized when implementing and improving the processes of the organization. Although FMEA (Failure Mode Effects Analysis) is commonly used for the design and manufacturing processes, it may very well be used for the non-production related processes too. Some companies opt to have different types of risk-based systems in place for different processes, i.e. FMEA for production, Risk Registers for some of the remaining processes and SWOT Analysis for yet others. A formal Risk Management program is not required.

3. Processes should cover all aspects of the quality management system. Inputs, outputs, risks, objectives and responsibilities are required to be defined for all processes.

As with any other strategic decision, a well-defined transition plan should be developed to ensure effective implementation of the new requirements. Basic tasks may include obtaining a copy of the standard, establishing a timeline, taking advantage of the Informational Sessions provided by DQS, or requesting a Gap Assessment, performing an internal audit of all processes in accordance with the new requirements and last but not least, holding at least one management review.

Detailed information about the requirements of the Standard is included in a free five part recorded webinar at https://dqsus.com/iso-90012015/. Also included are a FAQ document and information about the transition process.

We look forward to working with your organization in making a successful transition to the new standard. Please advise your Customer Service Professional of your upgrade plans.

Joe Mansour

ISO 9001:2015 Program Manager

Ready or Not?

Stage 1 Upgrade Audit Preparations

As part of the DQS ISO 9001:2015 and ISO 14001:2015 transition plans, DQS includes a Stage 1 audit to assess whether our clients that are certified to the prior version are ready for the upgrade audit. The objective of the audit is to identify any major issues that may result in the organization not being recommended for upgrade. The audit report includes a list of items that require attention before the upgrade audit. In addition, the Lead Auditor will assess the extent of changes made to the management system in order to meet the revised standard requirements and determine if previously given increase or reduction factors are still applicable. At the conclusion of the Stage 1 audit, we could adjust the upgrade audit time accordingly.

In order to minimize client external costs for the Stage 1 upgrade audit, DQS offers to conduct the audit remotely. With remote audits, it is important to provide the appropriate documents and evidence needed to demonstrate all significant changes have been addressed. To assist in preparing, below is a list of the information that will be reviewed by the auditor during the Stage 1 transition audit:

- Identification of processes, their indicators and process interactions (for ISO 9001:2015)

- Objectives and Targets

- Quality and/ or Environmental Policy

- Quality or Environmental Manual, if maintained.

- Consideration of Context of Organization

- Definition of the Scope of

Continued on page 6

Page 4

Continued from page 1

organization’s processes and their sequence and interaction (inputs and outputs), including type and extent of control of any outsourced processes; a document (i.e., matrix) indicating where within the organization’s quality management system their customer-specific requirements are addressed.

Q: What about overseas suppliers?

A: Supplier selection and evaluation should be based on the risk to the Customer and Organization. There is no consideration of location.

Q: Do current running projects need to fulfill the new requirements (control plan risk assessments)?

A: No. However, it will benefit the Organization to revisit all Control Plans, PFMEAs, etc. in the event of high scrap, Customer Complaints or Warranty returns.

Q: We are a Tier 1 Supplier. All our sub-suppliers are consigned / bailed. How do these requirements affect this relationship? Technically, we have no sub-suppliers as they are all “owned” by the OEM.

A: All the requirements of Section 8.4.1 with the exception of Supplier selection (8.4.1.2) are the responsibility of the Organization.

Q: For the supplier selection process it has been asked does our documented process need to cover all of our suppliers for everything, or can it just cover components that we purchase that end up in our product. For example, does the documented process need to cover 3rd parties who perform sorting activities?

A: Section 8.4.1.1 specifically refers to services such as sub-assembly, sequencing, sorting, rework, and calibration services in the scope of their definition of externally provided products, processes, and services.

Q: All major automotive suppliers have at least a handful of suppliers who have no intention to be 16949 at any date due to size or scope of work. How was this addressed?

A: The new IATF has identified this potential and addressed it in Section 8.4.2.3, including compliance to ISO 9001 through second-party audits. Verify the intent and minimum requirements for Supplier compliance or Certification with your Customer’s Specific Requirements.

Q: Can you provide an example of, or refer us to a resource for, risk assessment?

A: ISO 31000:2009—Risk management—Principles and guidelines (ISO, 2009) is a good reference document to Risk Analysis. Also, SWOT and FMEA are good tools.

Q: Do 2nd Party Audits need to be performed to a certain standard (ex VDA) or can we create our own?

A: Check with your Customers to see if there are any prescriptive requirements, but section 8.4.2.3 has a reference to the AIAG Minimum Automotive Quality Management System Requirements for Sub-Tier Suppliers ([MAQMSR] or equivalent) with the addition of second-party audits. This is available on the IATF website iatfglobaloversight.org.

Q: Distribution of products, IATF Certified Suppliers, Would they require 2nd party audits, and the planning for IATF through the supplier chain for low dollar value?

A: Once the Organization has performed a risk analysis, including product safety/regulatory requirements, performance of the supplier, and QMS certification level, at a minimum, the organization shall document the criteria for determining the need, type, frequency, and scope of second-party audits.

Q: For customer directed Suppliers, we are responsible for all IATF requirements for these Suppliers???

A: All the requirements of Section 8.4.1 with the exception of Supplier selection (8.4.1.2) are the responsibility of the Organization.

Q: You haven’t really discussed the whole leadership and context and interested parties and how they drive down to objectives and risk analysis. What are auditors going to be looking for as evidence for these things?

A: ISO9000:2015 gives examples including examples of the ways in which an organization’s purpose can be expressed to include its vision, mission, policies and objectives for Context of the Organization. From ISO9000:2015 Section 2.2.4: Part of the process for understanding the context of the organization is to identify its interested parties. The relevant interested parties are those that provide significant risk to organizational sustainability if their needs and expectations are not met. Organizations define what results are necessary to deliver to those relevant interested parties to reduce that risk. The Auditor will look for evidence this investigation was performed and the results recorded.

Continued on page 5

Page 5

Continued from page 4

Q: 8.7.1.4 says if required by the customer, obtain approval and 8.7.1.1 requires mandatory customer approval for rework. Why this conflict?

A: The key phrase is “if required by the customer, the organization shall obtain approval from the customer prior to commencing rework of the product.” Contact your Customer to determine their requirements.

Q: 8.7.1.7- we have a co. that takes our scrap and melts it. That makes it unusable, but it is off-site. Would that be OK?

A: That method would be acceptable with periodic verification. The intent of this requirement is that the organization periodically verify the product has been made unusable. The Scope, frequency and methods are the responsibility of the organization to determine.

Q: 9.1.1.1- is this applicable to all machine measurements too (e.g. after gauge checks)?

A: There will probably be a clarification by the IATF. As of now, yes.

Q: If a CMM report has 40 to 50 dimensions does the operator have to document this on a control plan (check sheet)?

A: A CMM Report would have the actual measurement results and would not need to be detailed on a Control Plan. The Control Plan could reference the CMM check as the Control Method.

Q: The 3-year window - is it for internal audit or external audit?

A: The Requirement applies to the Internal Audit process, not the External. The organization should audit all processes over the three year cycle according to an annual plan. The intent is to free up more time and resources for “Special Audits” as a result of Customer Complaints and Warranty concerns. The Auditor will look for a clear link between Customer Complaints, not meeting Internal KPI’s or Warranty Concerns for a Special Audit followed by some type of Management Review.

Q: Will CQI-19 have to be updated to meet IATF-16949?

A: This is controlled and administered by AIAG. Please refer to their website aiag.org for any updates. CQI-19 is a good source as a basis for Supplier selection, evaluation, monitoring and 2nd Party Auditing.

Q: Can First Party Audit be subcontracted as some Third Party Registrars are providing?

A: First Party Audits are when the Organization performs the audit. 2nd Party Audits are performed by a Service on behalf of the Organization. Please subscribe to DQSUS.com newsletters for any updates and availability of Audit Services.

Q: Is there a recommended gap analysis tool?

A: Yes. There is a Gap Analysis Tool available at dqsus.com. Please use the following link: https://dqsus.com/wp-content/uploads/2017/02/ISO9001-2015-IATF16949-checklist.xlsx. Please subscribe to DQSUS.com newsletters for any updates and availability of Audit Services. There is also a version available on the AIAG Website: http://go.aiag.org/iatf-16949-gap-analysis-tool

Q: Please advise if there is a simple interpretation for the context of the organization?

A: From ISO9000:2015: Understanding the context of the organization is a process. This process determines factors which influence the organization’s purpose, objectives and sustainability. It considers internal factors such as values, culture, knowledge and performance of the organization. It also considers external factors such as legal, technological, competitive, market, cultural, social and economic environments. ISO9002 also has examples.

Q: Several Japanese companies are my Customers, and I would like to confirm the IATF: 2016 requirement in 9.1.1.1.d because of all the questions which will be coming my way. The requirement reads

“The organization shall verify that the process flow diagram, PFMEA, and control plan are implemented, including adherence to “d-) records of actual measurement values and/or test results for variable data”.

A: The intention of including this requirement is to avoid the potential to not record the actual values of product and process parameters. The data from the actual values from variable data is to reduce risk and identify potential for improvement.

Page 6

FSSC 22000 Version 4: An Overview of the Main Changes

The widely adopted certification scheme FSSC 22000 has been revised, in order to stay in tune with the changing expectations of the market. The new issue, Version 4, was published in December 2016. As one of the leading certification bodies for the FSSC 22000 scheme, we have prepared an overview of the main changes.

The main reason to revise the existing scheme has been to align the FSSC 22000 scheme with the benchmark requirements of the GFSI. With the publication of the GFSI Guidance Document Version 7 certain updates to the scheme had become necessary in order to maintain status as a GFSI-benchmarked scheme.

With the new GFSI requirements as a baseline, it is no surprise that the changes in the new version of FSSC 22000 revolve around two major topics: the introduction of an unannounced audit scheme as well as the prevention of food fraud. Thus, the changes appearing in FSSC 22000 Version 4 are reminiscent of the changes we already noted in the latest revisions of the IFS and BRC food safety standards.

Unannounced audits with FSSC 22000

In order to safeguard the credibility of FSSC 22000 certification and to comply with GFSI requirements, the new version of the FSSC scheme introduces unannounced audits. Unlike for BRC and IFS certification, the unannounced audits are not optional but mandatory: at least one of the two surveillance audits must be unannounced. The decision which of the two surveillance audits shall be unannounced lies with the certification body.

Certified sites can also choose to have both surveillance audits unannounced. The initial audit and the recertification audit, however, can never be unannounced.

As far as the time window is concerned, the unannounced audit needs to be conducted at any point between 3 and 12 months after the last day of the previous audit. The next announced audit shall be within 24 months of the last day of the previous announced audit.

Preventing Food Fraud

One of the most conspicuous new requirements, applicable to any scope, is the requirement on food fraud prevention: according to Version 4, certified organizations shall have a documented food fraud vulnerability assessment procedure in place, in order to identify potential vulnerabilities and prioritize food fraud mitigation measures.

This also includes “a documented plan that specifies the measures the organization has implemented to mitigate fraud and the public health risks from the identified food fraud vulnerabilities, supported by the organization’s food safety management system and compliant with relevant legislation”.

Other Changes in Version 4

Other noteworthy changes in the new version include:

- Extension of the scope: Catering is now also an area covered by FSSC 22000 certification, with ISO/TS 22002-2:2013 as the relevant standard. The scheme also covers Retail, with PAS 221 as the reference. Storage and distribution is another area to be added to the scope in the near future.

- The new version introduces mandatory auditor rotation: auditors will no longer be permitted to audit the same organization for longer than three years in a row.

Dr. Thijs Willaert

This article was previously published in DQS Holding’s Compact newsletter.

Continued from page 3

the organization and expectations of the Interested Parties.

- Copy of the most recent Management Review to the 2015 standard, or to the prior version with a supplemental review covering the new requirements.

- Copy of the most recent Internal Audit to the 2015 standard, or to the prior version and a supplemental audit covering the new requirements.

- Any additional information that may be necessary for the preparation of the Stage 2 agenda.

DQS Inc. has available checklists of the changes to ISO 9001:2015 and ISO 14001:2015 which can be used by the organization to self-check or perform a gap assessment. If you desire a copy, please contact your DQS Customer Service representative. We also have informational session and gap assessment services if additional support is immediately needed, also arranged through Customer Service.