IATF Reference Question
In ISO9000:2015 the definition of an audit is as follows: " systematic,
The practical application for product auditor
9.2.1, 9.2.2 competency is difficult to apply. Typically products
include daily, monthly, annual, in-process, etc.
Do we have to consider a risk analysis for each IATF
0.1, 6.1.2.1
16948 requirement?
It appears that clause 7.2.3 requirements a) through e) That is correct. 7.2.3 indicates a-e shall be minimum competencies with the
7.2.3 applies to all types of auditors (QMS, Manufacturing
Process and Product) is this the case?
For the product safety question, if we don't produce
any product with safety requirements, are we still
4.4.1.2
required to have a documented process on how we
would handle product-safety products?
Can you elaborate about the new requirements for the system, or reference to them; the organization’s processes and their
7.5.1.1
Quality Manual, requirements?
8.4.1.1 What about overseas suppliers?
Do current running projects need to fulfill the new
8.1
requirements (control plan risk assessments)?
We are a Tier 1 Supplier. All our sub-suppliers are
consigned / bailed. How do these requirements affect All the requirements of Section 8.4.1 with the exception of Supplier
8.4.1.3
this relationship? Technically, we have no sub-suppliers selection ( 8.4.1.2 ) are the responsibility of the Organization.
as they are all "owned" by the OEM.
For the supplier selection process it has been asked
does our documented process need to cover all of our
suppliers for everything, or can it just cover
8.4.1.1 components that we purchase that end up in our
product. For example, does the documented process
need to cover 3rd parties who perform sorting
activities?
All major automotive suppliers have at least a handful
of suppliers who have no intention to be 16949 at any
8.4.2.3
date due to size or scope of work. How was this
addressed?
Can you provide an example of, or refer us to a
6.1.2.1
resource for, risk assessment?
Answer
independent and documented process for obtaining objective evidence and
evaluating it objectively to determine the extent to which the audit criteria
are fulfilled". The competency requirements for a "Product Auditor" will be
different from a "Systems Auditor". They would need to be familiar with the
manufacturing process, Core Tools and the Automotive Process Approach
and relevant measuring and test equipment associated with product
conformity.
The IATF Standard Section 0.1(c) indicates addressing risks and
opportunities associated with the Organization's context and objectives. At
a minimum, risk should be analyzed and addressed for products, processes
and an organization’s supply chain. Section 6.1.2.1 is more specific in risk
analysis, at a minimum, lessons learned from product recalls, product
audits, field returns and repairs, complaints, scrap, and rework. A record of
the review is to be maintained. The ISO9001:2015 Section 6.1 refers to
Section 4.1 and 4.2 for Risks and Opportunities.
additional requirements for a Product Auditor and manufacturing process
auditors.
The best approach would be to partner with your Customer and determine
if any component, sub-component, assembly or module would have any
safety related impact. Retain a record of the investigation.
The quality manual shall include, at a minimum, the following: the scope of
the quality management system, including detail of and justification for any
exclusions; documented processes established for the quality management
sequence and interaction (inputs and outputs), including type and extent of
control of any outsourced processes; a document (i.e., matrix) indicating
where within the organization’s quality management system their customer-
specific requirements are addressed.
Supplier selection and evaluation should be based on the risk to the
Customer and Organization. There is no consideration of location.
No. However, it will benefit the Organization to revisit all Control Plans,
PFMEAs, etc. in the event of high scrap, Customer Complaints or Warranty
returns.
Section 8.4.1.1 specifically refers to services such as sub-assembly,
sequencing, sorting, rework, and calibration services in the scope of their
definition of externally provided products, processes, and services.
The new IATF has identified this potential and addressed in Section 8.4.2.3
including compliance to ISO 9001 through second-party audits. Verify the
intent and minimum requirements for Supplier compliance or Certification
with your Customer's Specific Requirements.
ISO 31000:2009—Risk management—Principles and guidelines (ISO, 2009)
is a good reference document to Risk Analysis. Also, SWOT and FMEA are
good tools.
 Check with your Customers to see if there are any prescriptive
requirements, but section 8.4.2.3 has a reference to the AIAG Minimum
Do 2nd Party Audits need to be performed to a certain
8.4.2.3 Automotive Quality Management System Requirements for Sub-Tier
standard (ex VDA) or can we create our own?
Suppliers ([MAQMSR] or equivalent) with the addition of second-party
audits. This is available on the IATF website iatfglobaloversight.org.
Once the Organization has performed a risk analysis, including product
Distribution of products, IATF Certified Suppliers, safety/regulatory requirements, performance of the supplier, and QMS
8.4.2.4.1 Would they require 2nd party audits, and the planning certification level, at a minimum, the organization shall document the
for IATF through the supplier chain for low dollar value. criteria for determining the need, type, frequency, and scope of second-
party audits.

For customer directed Suppliers, we are responsible for All the requirements of Section 8.4.1 with the exception of Supplier
8.4.1.3
all IATF requirements for these Suppliers??? selection ( 8.4.1.2 ) are the responsibility of the Organization.

ISO9000:2015 gives examples including Examples of the ways in which an

organization’s purpose can be expressed include its vision, mission, policies
and objectives for Context of the Organization. From ISO9000:2015 Section
You haven't really discussed the whole leadership and 2.2.4 : Part of the process for understanding the context of the organization
context and interested parties and how they drive is to identify its interested parties. The relevant interested parties are those
4.1, 4.2
down to objectives and risk analysis. What are auditors that provide significant risk to organizational sustainability if their needs
going to be looking for as evidence for these things? and expectations are not met. Organizations define what results are
necessary to deliver to those relevant interested parties to reduce that risk.
The Auditor will look for evidence this investigation was performed and the
results recorded.

8.7.1.4 says if required by the customer obtain approval He key phrase is " if required by the customer, the organization shall obtain
8.7.1.4 and 8.7.1.1 requires mandatory customer approval for approval from the customer prior to commencing rework of the product. "
rework. Why this conflict? Contact your Customer to determine their requirements.

That method would be acceptable with periodic verification. The intent of

8.7.1.7- we have a co. that takes our scrap and melts it.
this requirement is that the Organization periodically verify the product has
8.7.1.7 That makes it unusable, but it is off-site. Would that be
been made unusable. The Scope, frequency and methods are the
OK?
responsibility of the Organization to determine.
9.1.1.1- is this applicable to all machine measurements
9.1.1.1 There will probably be a clarification by the IATF. As of now, yes.
too (e.g. after gauge checks)?
If a CMM report has 40 to 50 dimensions does the A CMM Report would have the actual measurement results and would not
operator have to document this on a control plan need to be detailed on a Control Plan. The Control Plan could reference the
(check sheet) CMM check as the Control Method.

The Requirement applies to the Internal Audit process, not the External. The
Organization should audit all processes over the three year cycle according
to an annual plan. The intent is to free up more time and resources for
The 3-year window - is it for internal audit or external
9.2.2.2 "Special Audits" as a result of Customer Complaints and Warranty concerns.
audit?
The Auditor will look for a clear link between Customer Complaints, not
meeting Internal KPI's or Warranty Concerns for a Special Audit followed by
some type of Management Review.

This is controlled and administered by AIAG. Please refer to their website

4.3.2 Will CQI-19 have to be updated to meet IATF-16949? aiag.org for any updates. CQI-19 is a good source as a basis for Supplier
selection, evaluation, monitoring and 2nd Party Auditing.

Can First Party Audit be subcontracted as some Third
8.4.2.3
Party Registrars are providing?
First Party Audits are when the Organization performs the audit.. 2nd Party
Audits are performed by an Service on behalf of the Organization. Please
subscribe to DQSUS.com for any updates and availability of Audit Services.

Yes. There is a Gap Analysis Tool available at dqsus.com. Please use the
following link: https://dqsus.com/wp-content/uploads/2017/02/ISO9001-
IATF16949 Is there a recommended gap analysis tool? 2015-IATF16949-checklist.xlsx. Please subscribe to DQSUS.com for any
updates and availability of Audit Services. There is also a version available
on the AIAG Website. http://go.aiag.org/iatf-16949-gap-analysis-tool
 From ISO9000:2015: Understanding the context of the organization is a
process. This process determines factors which influence the organization’s
Please advise if there is a simple interpretation for the purpose, objectives and sustainability. It considers internal factors such as
4.1
context of the organization? values, culture, knowledge and performance of the organization. It also
considers external factors such as legal, technological, competitive, market,
cultural, social and economic environments. ISO9002 aslo has examples.

Several Japanese companies are my Customers and I

would like to confirm the IATF: 2016 requirement in
9.1.1.1.d because of all the questions which will be The intention of including this requirement is to avoid the potential to not
coming my way.  The requirement reads “The record the actual values of product and process paramaters. The data from
9.1.1.1
organization shall verify that the process flow diagram, the actual values from variable data is to reduce risk and identify potential
PFMEA, and control plan are implemented, including for improvement.
adherence to “d-) records of actual measurement
values and/or test results for variable data”.