Even though standards governing quality management systems (QMS) were instituted more than a decade ago, consistent areas of weakness in the application of the automotive process approach still exist. The technical specification ISO/TS 16949--”Quality management systems--Particular requirements for the application of ISO 9001:2000 for automotive production and relevant service part organizations” is based on ISO 9001. This leaves considerable latitude in how an effective and efficient QMS can be achieved.
Despite this freedom of design, examination of the results of dozens of third-party registration and surveillance audit events shows that many organizations fail to address common issues that could be easily remedied.
Auditing to the process approach requires that the key processes identified by the organization must be presented on a process matrix. The matrix cross-references between the key processes and the related clauses and subclauses of the technical specification; these “links” are often the support processes to the key processes, and it is expected that auditors check as many of the links as time permits. This article is intended to highlight common “decouplings.”
The following summary, organized by ISO/TS 16949 subclause number, presents typical areas of nonconformance or audit weakness--and some easy fixes.
• 4.1 General requirements. Organizations should implement actions necessary to achieve planned results and continual improvement of the processes.
Often process owners do not have detailed remedies in place to address the failure to meet measurable quality objectives. Even when the objectives are met, there is often no continual improvement project triggered to raise performance beyond the stated goals of the process.
• 4.2.3 Control of documents. To avoid product/process issues, only the current documents are allowed at the work site.
Organizations are expected to regularly review, carefully scrutinize, and, if necessary, revise process documentation available to personnel. Auditors often discover obsolete documents because memos and post-it notes are used as “Band-Aids” for revised documents.
• 4.2.4 Control of records. Organizational records should be regarded as company assets and be managed to protect the company in the event of a product liability lawsuit.
Archival records practices are often poorly organized, and electronic media controls are not fully followed. For example, not all fields on a form have been completed, handwritten changes to records are not traceable to the individual who made the changes, and the master list of electronic records is incomplete.
• 5.3 Quality policy. The policy is intended to serve as a guiding principle to be understood throughout the organization.
Employees can’t follow the quality policy if they can’t remember it, or if they don’t understand how to follow it. When the policy statement is not well crafted or succinct, employees have difficulty using it as a guiding principle.
• 5.5.1 Responsibility and authority. In most companies responsibility statements abound, but the definition of authority is regularly overlooked.
Clarifying the extent of each employee’s power promotes timely--and correct--action. Look closely at job descriptions or procedural statements to ensure that both responsibility and limits of authority are clearly defined.
• 5.6 Management review. Organizations should recognize that management review is usually a layered approach with daily, weekly, and monthly management oversight that should be documented.
The most common failure in this area is the lack of documentation of assumptions and conclusions in meeting minutes. Whether a meeting covers tactical, detailed reviews on the more dynamic aspects of the system, or strategic reviews of year-to-date performance, when documentation fails to provide detail of the discussions and conclusions, inefficiency can occur and quality can be compromised.
• 6.2.2 Competence, awareness, and training. Organizations must record which quality procedures require training, that timely training occurs, and that employees demonstrate competence in all quality procedures.
Most organizations do not provide a clear definition of what training is required on quality system procedures, or if competence has been achieved in all procedures, particularly if they are new or revised.
Which policies, procedures, and instructions require training for each position? A simple training matrix or position checklist can easily address this. Records should demonstrate that each person has been provided initial training on these documents and given additional training when revisions are made.
Another area of concern is the absence of defined competency criteria for every position of the organization that affects product quality; employee records should note that evaluations not only occur as warranted, but also that actions address any deficiencies. Look at how often training is an action within your corrective action responses, when the training has been provided, and when it has corrected the issues.
• 6.3.2 Contingency plans. Organizations should explain procedures for all reasonable crises.
What most organizations consider contingency plans are simply phone chains of whom to call in case of emergency. In fact, not all reasonable disasters are considered. ISO/TS 16949 anticipates that not only are detailed plans established, but that these plans are also tested for effectiveness before being rolled out. Personnel should be trained to act immediately, first to protect personnel, and then to safeguard the customer’s supply chain. Periodic reviews and amendments should take place as circumstances change.
• 6.4 Work environment. Inconsistent application of housekeeping standards are quality and safety issues.
Organizing the work site, then taking a photograph to record expectations, is one simple solution. Observing employees who do not consistently wear their personal protective equipment is another issue that can be easily policed.
• 7.2 Customer-related processes. Organizations must determine all customer- specific requirements.
The onus is on the organization to determine all customer-specific requirements during the contract review process. A robust knowledge of a customer’s needs and even potential requirements is an essential prerequisite for achieving customer satisfaction.
• 22.214.171.124 Multidisciplinary approach. The failure mode and effects analysis (FMEA) tool and the process control plan must align.
The FMEA is rarely seen as a living, breathing document that captures all related improvement efforts to drive down the risk priority numbers. One cause of the underutilization of this tool is that training is not sufficient for process owners, engineers, quality personnel, and internal auditors on these five core tools: advanced product quality planning and control plan, FMEA, measurement system analysis, statistical process control, and production part approval process (PPAP).
• 126.96.36.199 Product approval process. PPAP should extend to key suppliers.
Organizations generally follow their customer PPAP submission requirements, but they don’t extend the procedure through to their key suppliers. The effective use of this tool can clearly communicate expectations to suppliers and get assurance from them of their capability to satisfy these expectations.
• 188.8.131.52 Supplier quality management system development. Organizations should measure the quality systems of their suppliers using ISO/TS 16949.
The organization’s plans to bring supplier systems in line with the same requirements that it is measured against is an important strategy. Supply chain management is an important factor in your manufacturers’ success.
• 184.108.40.206 Control plan. All system changes should be reflected in the control plan.
Control plans are excellent high-level descriptions of your operational controls; only when they reflect actual methods can they be the basis for problem solving and improvement efforts. Too often, auditors find weaknesses in the completeness of the control plan and in keeping plans current with all of the system changes.
• 7.6 Control of monitoring and measuring devices. Organizations should review calibration procedures, particularly when conducted by outside laboratory services.
If controls over devices are not strong, a company may make faulty decisions about whether to change a process or product, or leave it alone. Auditors see devices with past-due calibration, records not capturing the “as found”/”as left” readings, and a lack of complete action when devices don’t conform to requirements. In addition, calibration records provided by outside laboratory services are not always reviewed by the organization and appropriate actions taken.
• 7.6.1 Measurement systems analysis. Organizations make potentially costly “accept or reject” decisions when the inherent error in measurement systems is not fully considered.
Understanding the inherent error in your measurement systems leads to a full appreciation of the risks to customer satisfaction. These statistical studies are vital to assess the credibility of “accept or reject” decisions, yet typically they have flaws for which little consideration is given. First, not all measurement systems (e.g., variable and attribute devices) listed on the control plan have been studied. Second, there are technical issues with them, such as not studying the devices across the working range, out-of-control ranges with no action to resolve them, and excessive error identified but no effort taken to address this risk.
• 8.2.2 Internal audit. Organizations should use their audits strategically and avoid under-auditing.
Third-party audit findings and those of internal auditors often are not in sync. Third-party auditors find weaknesses that internal auditors do not find. One factor: Internal auditor training is typically weak, with insufficient initial and ongoing training. In many cases, these auditors are volunteers and the allocation of time to schedule, prepare, conduct, report, and follow-up is undervalued. With ISO/TS 16949 and the automotive process approach to auditing, we see internal auditors who do not understand the process approach and continue to audit by the element or clause, instead of assessing the links to other related or support procedures of the process under examination.
• 220.127.116.11 Monitoring and measurement of manufacturing processes. Organizations should manufacture according to customer requirements.
Management should be vigilant in monitoring this clause. Auditors’ samples of current capability compared to the capability submitted in the PPAP may find that short-term and long-term process capability (Cpk/Ppk) has deteriorated with no reaction.
• 18.104.22.168 Continual improvement of the organization. Organizations should establish a project management structure to capture information from each continual improvement project and incorporate those findings into future efforts.
ISO/TS 16949 requires the organization to have a format or process for continual improvement projects. Each effort employs a stepped approach in which the organization forms teams to achieve a certain gain; then the project ends until a new team is formed to raise the bar further. Earlier project records serve as a springboard for new projects in the same area of improvement. Don’t squander the resource.
• 8.5.2 Corrective action. Because errors and changes ripple through the organization’s cost structure, corrective action should be based on an effective problem-solving approach.
When an organization is not able to address an issue effectively, the problem recurs. A thorough root cause analysis leads to better decisions. Many organizations view corrective actions as unwelcome and inhibit the issuance of corrective actions. Remember that corrective action is simply one of the tools of subclause 8.5--”Improvement.”
• 8.5.3 Preventive action. Organizations should take time to look at the characteristics of processes over time, as well as any negative trends, as the basis of preventive action steps.
Preventive action deals with “time series of data” issues and not one-off events where corrective action is taken. Longer-term negative trends or the analysis of process characteristics over time, as subclause 8.4--”Analysis of data” explains, is where opportunities for preventive action reside. Many organizations do not clearly define the conditions or triggers for the issuance of these actions, and few if any of these actions are initiated.
The examples provided in this article are certainly not the only weaknesses most often observed; nonconformance can come from any process and all of the “shall” requirements of ISO/TS 16949. However, take a closer look during your internal audits to see if you are at risk in these common pitfall areas.
Robert Wallace is a senior lead assessor for SRI Quality System Registrar, a Wexford, Pennsylvania, registrar accredited by ANAB, RvA, and IATF. Wallace is RABQSA- and IATF-certified, and he is an SRI lead instructor for ISO 9001 and ISO/TS 16949 standards. Wallace has a broad range of auditing experience and is a founding auditor with SRI, having conducted more than 900 audits since 1992.