You are on page 1of 4

DNV Certification

Customer Communications

January 2009 update to the Rules for Achieving IATF Recognition Affect on organizations

The 3rd Edition of the Rules for Achieving IATF Recognition waiver from the relevant IATF Oversight office. This
were released in November 2008, and are required to be requirement will result in making it more difficult to change
implemented by Certification Bodies (CB) by January 1, the periodic audit frequency.
2009. The revised requirements found in the 3rd Edition
Rules will affect both DNV and our customers by changing Table 5.1
the way audits are planned and performed. To help you, our
customer, better understand these changes and why DNV is Surveillance
interval
6 months 9 months 12 months

changing its policies regarding certain activities, we feel it is Number of audits


5 3 2
per 3 year cycle
important to provide our customers guidance on the impact
Allowable timing -1 month / +1 month -2 months / +1 month -3 months / +1 month
of the changes prior to implementation.
Reasons for the update: 5.2 Audit Day Determination
 To align with ISO/IEC 17021: 2006 While the man day tables found in Table 5.2 of the rules
 To incorporate the sanctioned interpretation and have remained the same from the 2nd to the 3rd Edition of
frequently asked questions the Rules, the IAOB has incorporated an interpretation into
clause 5.2 which may have an effect on the number of man
 To provide clarification on requirements related
days assigned to audits. When determining the number of
to issues found in the field
man days for an audit, CBs must now take into consideration
 To incorporate a new way of calculating the witness the complexity of products and the number of customers
audit frequency
being supplied by the certified organization.
 To reference the new auditor development process
5.5 Supporting Activities
3.1 Certification Agreement with the Client As was required by the 2nd Edition Rules, when planning
All agreements between the CB and a certified organization the initial stage 2 audit, the remote supporting function(s)
must now state that the certified organization cannot refuse must be audited prior to the manufacturing site. The IAOB
the presence of a CB’s internal witness auditor. This has clarified this requirement by stating that additional
requirement will be incorporated into our certification audits of remote supporting functions may be necessary
agreements going forward. based upon their demonstrated performance, as seen at the
manufacturing site(s) it supports. If problems arise during
5.1 Audit Cycle
the manufacturing site audit, that can be attributed to the
The 2nd Edition Rules allowed for flexibility regarding the
support site, the CB may have to make additional visits to
determination and changing of the frequency of surveillance the support site to investigate the issue.
audits. The 3rd Edition rules now require that once the
surveillance audit frequency has been established, as A second revision to clause 5.5 is related to the acceptance
detailed in the table 5.1, the frequency shall be maintained by the CB of another CB’s audit report of a remote support
for the three (3) year audit cycle. In situations where the site. CB’s are still allowed to accept another CB’s report as
surveillance audit timing is likely to be exceeded, the CB evidence that the remote site has been assessed. However,
must either initiate the decertification process, or request a the organization must provide the CB a copy of the audit
DNV Certification
Customer Communications

plan, audit report, all findings, all corrective actions, and The audit planning activity shall be undertaken prior to
all verification actions performed by the other certification arrival on-site, and shall include a review of the following
body prior to each audit. If the organization does not provide information supplied by the client, as inputs to the plan:
the CB this information, the remote support site must be  Updates to the quality management system, e.g.
visited. processes, quality manual
 Updates to customer specific requirements
5.6 Establishing the Audit Team  Customer performance data
The CB’s flexibility regarding the scheduling of auditors has
 Internal performance data
been greatly diminished with the release of the 3rd Edition
Rules. The Oversight Bodies are concerned that auditors  Management review results
used on subsequent certification cycles may become overly  Internal audit results
familiar with an organization thus decreasing objectivity. To  New customers or part information
address this concern, the CB must comply with the following  Customer satisfaction and complaint summary
revised requirements: including verification of customer reports,
 The CB must appoint at least one auditor from the scorecards, and special status conditions
initial certification/re-certification audit team to
Auditors must evaluate this information prior to planning the
participate in all surveillance audits of the three (3)
audit. The results of their evaluation must be incorporated
year audit cycle.
into the agenda and audit of the organization.
 For each subsequent recertification and surveillance
audit, different auditors shall be used. 5.8 Conducting the Audit
 Any deviations from these requirements e.g. reuse of The 3rd Edition rules do not identify any significant
auditors, changing auditors from initial recertification changes regarding the performance of audits, however they
audit team, now requires prior approval by the still mandate the process approach be utilized to perform
IAOB. assessments.

5.7 Audit Planning 5.9 Audit Findings


The IAOB has increased their focus on the effective planning The definitions of an opportunity for improvement and
of audits and have provided their basic assumptions as requirements for documentation have been expanded. The
guidance: following definition now applies:
 The IATF assumes a linkage between certification  An opportunity for improvement is a situation where
and supplier performance. the evidence presented indicates a requirement
 The IATF assumes the CBs conduct analysis of has been effectively implemented, but based on
supplier performance as audits are planned. auditor experience and knowledge, additional
 The IATF is focusing on how Customer Service effectiveness or robustness might be possible with a
Request (CSR) are audited and applied worldwide. modified approach.
To support these assumptions, CBs must request and evaluate The new expanded definition requires that an auditor
much more information prior to performing audits than was document objective evidence of compliance prior to writing
previously required. Failure by the certified organization to an opportunity for improvement. This change will
provide the auditor the required information prior to the audit
must result in the initiation of the decertification process (see
clause 8.1 line f.)
DNV Certification
Customer Communications

significantly increase the content of an opportunity for It is important to remember that any major finding, results
improvement. in the initiation of the decertification process. The short
timeframes specified will require the certified organization
5.11 Non-Conformity Management to place great emphasis on addressing the issue and getting
The definitions of a Major and Minor non-conformity are the a response to the CB.
same in the 3rd Edition rules, however, some organizational
response requirements for findings have been revised. 6.9 Recertification Audits
When planning a recertification audit, Lead Auditors must
In line with ISO/IEC 17021 requirements, the CB now
consider the performance of the management system over the
must require the organization to provide a description of the
period of certification. This includes a review of surveillance
specific correction when responding to findings. Correction
audit reports from the previous certification cycle. The on-
is defined as “evidence containment of the condition to
site recertification audit must take previous performance
prevent risk to the customer has been taken”.
into consideration and evaluate the management system for
Major findings now require an on-site follow-up visit for the following items:
closure, unless adequate justification can be provided. a) The effectiveness of the management system in its

6.1 Application for ISO/TS 16949:2002 Certification entirety, in the light of internal and external changes,
The information required to be obtained from a new or and its continued relevance and applicability to the
existing customer prior to providing a quote for a new site scope of certification.
has increase slightly to include: b) Demonstrated commitment to maintain the
 Information regarding outsourced processes. effectiveness and improvement of the management
 Automotive customer supplier codes. system in order to enhance overall performance.

This information is considered by the IAOB to be critical c) Whether the operation of the certified management
for both audit planning and use of the IATF database by the system contributes to the achievement of the client’s
OEM customers. The intent is to ensure it is gathered early policy and objectives.
in the certification planning stages. d) The effective interaction between all the processes
defined in the quality management system and the
6.8 Surveillance Audit overall effectiveness of the management system.
The timeframe for responding to major findings issued during
surveillance audits has changed significantly. Certified The IAOB expects the focus of recertification audits to be
organizations are now required to provide the CB, root cause on improved performance over time.
analysis and provide evidence that they have implemented a
It is important to remember that the timing of recertification
correction within twenty (20) days from the end of the site
audits is critical. Recertification audits must be timed to
audit (see section 8.0). The 20 days allowed are not only for
ensure that the organization has adequate time to complete
the certified organization to respond, but also for the CB to
corrective actions and address non-conformities, prior to the
review the correction, and determine if the certificate should
expiration of the certificate, allowing additional time for the
be suspended (see section 8.0). In support of fulfilling this
processing of audit documentation.
20-day timeframe, DNV Certification will require a client
response with objective evidence be submitted by our clients
within 10 days of the last day of the audit. This will help
ensure that both the organization and DNV meet our joint
responsibilities within the mandated 20-day timeframe for
“correction”.
DNV Certification
Customer Communications

In order to properly schedule a recertification audit, the date  The new CB shall complete all transfer activities and
should be calculated 90 to 120 days prior to the expiration a transfer audit, including closure of any non-
of the certificate to ensure adequate time is allowed. All conformities and a certification decision, prior to the
organizations should work with their assigned schedulers to next scheduled surveillance audit with the previous
ensure recertification audits are scheduled in this manner. CB or the expiration of the existing certificate.
 New CB shall advise the client not to cancel a
7.0 Transfer Audit contract with existing CB prior to completion of all
Further restrictions have been placed on the transfer of transfer activities.
certification between different CBs. There are several
reasons for the revised requirements, including: Transfer audits always result in the start of a new 3 year
 Too many organizations changing accreditation certification cycle.
bodies too often.
 Failure to adequately evaluate the organization’s 8.2/8.3 Decertification Process
performance prior to transferring the certificate. The decertification process was carried over almost intact
 Organizations changing registrars to keep the same from the 2nd Edition Rules, with the slight exception of
auditor. corporate scheme certifications. In the case of a suspension
within a corporate audit scheme, the suspension shall only
To address these concerns, the changed/new requirements apply to the affected site(s) and not all sites included in the
include: corporate scheme. To further clarify, corporate audit schemes
 The CB shall ensure that clients applying for are still allowed, however if one site on a corporate scheme
transfer, have not transferred from another IATF loses their certification, all other sites can remain certified. All
recognized CB with the previous three (3) year findings, regardless of which site they were written against,
period. would still have to comply with Section 8.2 Analysis of the
 The client shall provide the new CB with the situation which states, “When the affected site is part of a
previous audit report and all findings issued by the corporate audit scheme, the analysis shall include a review
existing CB for the site and any remote support of the concern and its impact across all sites.” This change
functions. removes any penalties previously in place that prohibited the
 The new CB should ensure that the audit team corporate scheme approach.
members, if subcontracted, have not previously
Summary
audited the client.
This communication is intended to provide organizations
 The client cannot be on any OEM special status certified by DNV Certifications to ISO/IEC TS 16949:2002,
condition, nor have their current ISO/TS 16949:2002
an overview of the most significant changes to the Rules
certification cancelled, or withdrawn.
for Achieving IATF Recognition 3rd Edition, however it is
The IAOB feels that all certified organizations should have not all-inclusive. If you have additional questions please
a right to choose their certification provider however, they feel free to contact your regional office for more specific
are too often penalized for trying to make a change. To guidance.
improve support for organizations that wish to change their
registrars, the 3rd Edition Rules have included the following
revised requirements which should help prevent any lapses
in certification.

You might also like