TRANSITIONING from ISO/TS 16949:2009 to IATF 16949:2016
Overview of Changes and Connection to the Automotive Industry Perspective
Introduction
As part of the systematic review process of ISO, a decision was
made in 2016 to revise ISO 19011:2011.
The new ISO 19011 is intended to provide guidance for auditing management
systems. It will continue supporting the auditing processes (internal and
external) of organizations implementing one or more management system
standards as well as organizations involved in conformity assessment of
management systems.
At that time, ISO 9001 was the only management system standard (MSS) published by ISO, and ISO 10011 was
fully aligned to it.
The second revision was a joint effort between experts from the ISO/TC 176
(quality) and ISO/TC 207 (environmental) technical committees. This revision
combined the three parts of ISO 10011, along with the environmental auditing
standards (ISO 14010, ISO 14011 and ISO 14012), into one standard and its
guidance was applicable for auditing both QMS & EMS. The resulting new
standard, ISO 19011, was published in 2002.
One positive result of ISO 19011:2002 was the alignment of the audit process
for QMS & EMS. This enabled combined internal audits to be conducted, with
both ISO 9001 and ISO 14001 compliance being assessed by a single audit team.
Similarly, combined certification audits have become established practice.
Copyright © 2018 Plexus International
www.plexusintl.com
By the time that ISO 19011 was revised in 2011, further MSS had been published
by ISO, bringing the number up to 11 MSS in total. Consequently, the scope of the
standard was expanded to take auditing all ISO MSS into account, and was no longer
limited to just ISO 9001 and ISO 14001. The revision process involved experts from the
different technical committees of ISO who were responsible for standards such as
ISO 9001, ISO 14001, ISO 22000, ISO/IEC 27001, ISO 50001, among others.
By the time that ISO 19011 was reviewed in 2016, the number of MSS published by ISO
had risen to 39, along with various sectoral MSS being produced outside of ISO. In light
of these developments, ISO decided to establish a new Project Committee on Auditing,
ISO/PC 302. A key issue that was considered during the revision was the High-Level
Structure (HLS) of MSS, which has been adopted by the current versions of ISO 9001,
ISO 14001, ISO 45001, ISO/IEC 27001, among others.
The revision work in the PC involved the participation of experts from a broad
spectrum of ISO technical committees responsible for MSS development, along with
experts from the ISO Committee on Conformity Assessment (ISO/CASCO).
• Principles of auditing
• Managing an audit program
• Conducting an audit
• Competence and evaluation of auditors
• Annex with additional guidance
The guidance is aimed primarily at internal audits (first party) and audits conducted by
organizations on their external providers and other external interested parties (second
party). Requirements for those involved in certification, or third-party audits are
provided in ISO/IEC 17021-1:2015, but ISO 19011 still offers useful guidance for persons
involved in the third-party certification audit process.
• ISO 19011 provides guidance for managing internal and external audits and can be
useful for any auditor of management systems.
• IATF 16949 (including ISO 9001 requirements) includes specific requirements
for managing first and second party audits, including auditor competence
requirements. ISO 19011 and the IATF Auditor Guide are referenced as guidance
documents in IATF 16949.
• ISO/IEC 17021, parts 1 and 3, and Rules for obtaining and maintaining IATF
recognition, 5th Edition, include specific requirements for managing third party
audits, including auditor competence requirements. These requirements can be
Combined Audit
audit (3.1) carried out together at a single auditee (3.13) on two or more
management systems (3.19)
A new principle of auditing: risk-based approach
The audit process should focus on what can have a positive or negative impact
on the audit client.
During the activities for reviewing and improving the audit program, one key
input is the effectiveness of the actions taken to address risks and opportunities
as well as the internal and external issues associated with the audit program.
IATF 16949:2016
Risk mitigation takes center stage in IATF 16949, as it does in ISO 9001:2015. IATF 16949 brings a number of
specific risk-related requirements to minimize the likelihood of failure during new program development and
maximize the potential realization of planned activities. These additions are the result of industry best practices
intended to make businesses safer and more stable by identifying and mitigating risk.
To ensure risk-based thinking is pervasive throughout the organization, it’s imperative that top management
remains actively engaged. Responsibilities include:
• Conducting contingency planning reviews
• Identifying and supporting process owners
• Participating in the escalation process related to product safety
• Ensuring achievement of customer performance targets and quality objectives
• Implementing corporate responsibility initiatives including an anti-bribery policy, an employee
code of conduct, and an ethics escalation policy (“whistle-blowing policy”)
IATF 16949 requires that “organizations shall ensure conformance of all products and processes, including
service parts and those that are outsourced.” This use of the word “ensure” implies that the organization needs
to establish and maintain a system that mitigates the risk of nonconformance throughout the supply chain. The
organization is ultimately responsible for all conformity and must cascade all applicable requirements down the
supply chain to the point of manufacture.
Survival in the automotive industry requires continuous evolution to address internal and external issues.
Organizations need to adopt a process to assess the risk of changes and take appropriate action. To manage
change, IATF 16949 requirements include adjusting the frequency of internal audits based on occurrence of
process changes.
The wording in the standard has been aligned with the terms introduced by the
HLS, such as risks and opportunities, or documented information, among others.
IATF 16949:2016
9.2.2.1 Internal audit programme
This section strengthens the need to drive a risk-based approach to the development and deployment
of an organization-wide internal audit program. Internal audit activities are considered a process,
which implies a clear definition of expected inputs, planned activities, intended outputs, and
monitored performance. The process would need to first identify and evaluate the level of risk related
to each QMS process, internal and external performance trends, and process criticality. Then, the
process would need to continuously monitor this information to trigger special internal audits and/or
to plan periodic internal audits. The process would adjust audit frequency, where appropriate, based
on process changes, internal and external nonconformities, and/or customer complaints. Finally,
the effectiveness of the process would be reviewed as part of management review. The capacity to
anticipate and/or address QMS process failures could be used as a metric to measure the effectiveness
of an internal audit program.
Internal audits must also consider software development capability assessments, when applicable.
This implies that auditor competencies should include knowledge of the models used by the
organization and the impact on the organization’s product and manufacturing process development
activities. (Software process assessment manuals referred to in IATF 16949 Annex B should be
considered in the internal auditor qualification process for organizations responsible for software
development and validation.)
Auditor competency requirements and auditor evaluation
Improvements have been made to the guidance related to the
competence and evaluation of auditors (clause 7). The guidance
related to the generic competence requirements for auditors
has been expanded.
IATF 16949:2016
7.2.1 Competence – supplemental
This section adds a requirement of “awareness,” which includes knowledge of an organization’s
(client’s) quality policy, quality objectives, personnel contribution to the QMS, benefits of improved
performance, and implications of not conforming with QMS requirements. It also further emphasizes
the customer requirements for on-the-job training, not just quality requirements. Note that the use of
the term “process” rather than “procedure” implies that these activities need to be managed (via the
plan-do-check-act cycle), and not merely performed.
The new Annex A (previous Annex B) has been expanded to include guidance
on additional auditing concepts that are relevant to the audit process, such as
organization context, leadership and commitment, virtual audits, compliance,
and supply chain. Some of the previous concepts included in the previous
Annex B were also improved.
training@plexusintl.com
1 (888) 753-9871