by Chad Kymal

The International Automotive Task Force’s second edition rules were recently updated in response to a number of factors having to do with the IATF audit scheme, registrar office and witness audits, and IATF training feedback. They were also updated to improve the overall performance of audits within the ISO/TS 16949:2002 scheme.

The second edition of the rules was launched through a training class for certification bodies (CB) in July, and the Automotive Industry Action Group made the new rules available in September. They become effective on December 15, 2004.

The rules document accomplishes three major tasks by clearly laying out the requirements of the automotive process audit, the requirements necessary for stage 1 (readiness review) and stage 2 (on-site audit), and providing precision and clarification in a number of areas of auditor performance. Two seemingly insignificant changes will have a major affect on the standard. The first is the definition of minimum expectations for closing out corrective actions; the second is the definition of ISO/TS 16949:2002 as solely automotive and how that decision affects the rules document.

Summary of changes
The changes can be classified into six areas--scope (defines what is audited) and assumption (when one registrar takes over another registrar’s client certification) audit changes, stage 1 changes, stage 2 changes, automotive process audit clarifications, pre-audit requirements and registrar quality system changes. The registrar quality system changes can be segmented into three areas--auditor requirements, quality system requirements and stage 2 days classification.

The scope and assumption changes are really quite significant. There are two changes in scope. The scope must list the company’s automobile customers and may include any that do not subscribe to ISO/TS 16949:2002, as long as their product meets the applicability requirements of the standard. In other words, if the product is part of the automotive supply chain, that customer can be included in the scope.

The second change, which may have a larger implication, is the requirement that ISO/TS 16949:2002 can only be applied to automotive organizations and that an ISO/TS audit can be conducted only for the automotive products of a company. Thus, if an organization produces automotive and farm equipment in the same plant and requires the total plant to be certified by a third party, there needs to be a split-scope audit performed, using ISO/TS 16949:2002 for the automotive product and ISO 9001:2000 for the farm equipment. The IATF even remarked that there needs to be two quotes applied for such an organization. This clarifies the content of the scope statement and what is detailed on the certificate.

Another major change in scope and planning is the identification and audit of the interfaces between the site and support functions. Per the new rules, support functions need to be audited before the site audit, and the two must occur within 90 days of the completion of the stage 1 assessment.

Some highlights include the addition of a stage 1 audit with clear direction that it be conducted on-site and with very specific content requirements. What is a stage 1 audit? It is a review with the intent to ascertain the “readiness” of the organization to proceed to a stage 2 on-site audit. The stage 1 audit needs to examine two questions: Are the rules of the second edition annex 1 and the requirements of ISO/IEC DIS 17021 annex A.2.F. being met? As the rules state:

“The stage 1 audit shall be performed to evaluate if the internal audits and management review are being planned and performed effectively and that the level of implementation of the management system substantiates that the client organization is ready for the stage 2 audit.”

Stage 2 changes include clear direction on the automotive approach to process auditing, many examples of supporting functions versus site audit requirements (which were shared in the CB training class), requirements that supporting functions should be audited before sites, clarification of the days required for on-site audits and many other changes provided in annex B.

A clear definition of the automotive approach to process auditing is probably one of the biggest changes in the rules document. An automotive process audit is clearly distinguished as having the following five steps:

Identification of the organization’s processes

Analysis of those processes

Prioritization of audit activities

Finalization of the audit plan

Conducting the audit

The detailed requirements found in these five steps were provided by the IATF in its July training of U.S. registrars. Organizations would be wise to understand what the IATF is asking of registrars so they can implement accordingly and perform audits internally using the process approach. For example, rules regarding step 1 specify that the information that identifies an organization’s processes needs to be provided during the readiness review. The IATF offered further guidance that this should be found in the process maps and diagrams and that auditors will look for sequence and interaction between individual processes and between sites and their supporting functions. Furthermore, auditors will look for evidence that all ISO/TS 16949:2002 and customer-specific requirements are being addressed by the organization’s processes. The training suggests that auditors need to understand the automotive process approach to auditing and the organization’s process approach and process map. It encourages auditors to use the customer-oriented processes identified by the organization. The focus of the automotive approach to auditing is to focus on value-added processes for product realization and support.

Registrars normally pay the IATF a royalty for each audit performed. However, pre-audits have been determined by the IATF to be outside the scope of its contract, and as such do not require royalty payments. Many organizations have routinely prepared for implementation by performing a pre-audit. In many cases they just worked on these pre-audit concerns to prepare for their formal audit. The IATF has made the following conditions in regard to pre-audits:

Must be conducted prior to the stage 1 assessment

Not allowed after a stage 1 assessment has been conducted

The auditor who conducts the pre-audit cannot be on the team of the stage 1 or stage 2 assessments.

The auditor who conducted the pre-audit cannot participate alone in audit activity for the first three-year cycle.

Only one pre-audit per site allowed

Pre-audit findings are nonbinding--concerns are documented, but nonconformance reports are not issued. A corrective action plan shouldn’t be requested.

Regarding assumption audits, the IATF says, “Assumptions must be on-site and (for) the duration of an ISO/TS 16949:2002 re-registration assessment. Assumptions of clients’ previous certifications (QS-9000, ISO 9001:2000, etc.) must be followed by at least one surveillance assessment prior to upgrade to ISO/TS 16949:2002.”

There were several changes and requirements that affect registrars. One of the changes includes the definition of a sanctioned interpretation as “changes to the interpretation of a rule or a requirement which itself then becomes the basis for a nonconformity.” In other words, a sanctioned interpretation is now a requirement that needs to be implemented by the auditee and, subsequently, by the organization.

The details of requirements for stage 1 and stage 2 audits affect not only auditors, but auditees. The scope statement is key, and many scenarios exist in this complex global market, including one organization using multiple registrars. Who audits a supporting function? How should information about a site be exchanged between registrars?

Other requirements are the need to audit to all applicable customer-specific requirements. Next year, U.S.-based auditors will need to know European customer-specific requirements. It’s important for both the auditee and auditor to have a clear understanding of what a process audit entails. Not only should this audit be performed by the registrar’s auditor but also by the internal auditor. The registrar will be looking for root cause and system corrective action in audit results. It is important that the auditing world treats audit nonconformances in a similar fashion as a customer’s quality complaint. Registrars audited by the IATF have seen corrective actions that have real teeth, including those that take the tone of an 8-D (eight discipline) problem-solving process with the customer. This is the first step in a culture shift toward making substantive changes based on audit findings.

Rule changes affecting registrars
This article has primarily focused on rules changes that will pass from auditors to auditees. Rules changes that affect registrars, but which are transparent to the auditee, include:

The registrar adopting a process approach and including a process audit for an internal audit

Use of corrective action with root cause and system corrective actions

Internal auditor competence and auditor performance evaluation

Maintenance of audit records

Rules for auditing a new site

Issuing letters of conformance

Registrars have been asked to conduct recertification audits of sites and support functions within three years of the initial certification audit. If the certification takes place after three years, technically the auditee has to start over with a readiness review and full initial certification.

The rules document details what needs to be included in a certificate, as before. The days calculation for audits, including those for corporate schemes, has been clarified. The IATF provides registrars with software to help them quote in a uniform manner.

Significance of ISO/IEC DIS 17021
The second edition IATF document cites the ISO/IEC DIS 17021 requirements in many places. Overall, ISO/IEC DIS 17021 raises the bar in the following areas of registrar quality system requirements:

Auditor competency definition and evaluation

Registrars to implement a process-based quality management system

Stage 2 assessment approach to registration

Significance of IATF’s second edition rule changes
The goal of the second edition rule changes is to improve the overall quality of ISO/TS 16949:2002 audits conducted worldwide. The IATF is trying to bring about a culture change in many respects, mainly in the definition of performance-based process audits. Its message is simple: Is the organization performing and satisfying the customer, and are its processes supporting this performance? Many details about how audits need to be performed are provided to support the overarching theme of improving overall audit quality.

The second big change evidenced in the IATF’s second edition rules and its subsequent actions is an improved performance-based IATF audit of registrars and a much higher expectation of the corrective action process used. The high quality of audits performed by the IATF and their follow-through in root cause, corrective action and system corrective action expectations will have a ripple effect on the whole automotive auditing process. With the implementation of the new rules, this type of expectation will be required by auditors within the organizations they audit, which will have a positive effect on the industry.

A clear challenge still faces the IATF. How does it implement all of its changes worldwide? The five IATFs worldwide are independent bodies, and initial interactions with European registrars show that the message isn’t consistent.

Lastly, the IATF promises a scorecard for registrars to identify colleagues who are performing satisfactorily and those who are not.

About the author
Chad Kymal is an international trainer, consultant and CEO of Omnex Inc. He recently published The ISO/TS 16949:2002 Implementation Guide, available through Paton Press (www.patonpress.com). He is currently working on his third book, Conducting Effective Process-Based Audits--Auditor Handbook for ISO/TS 16949:2002.

Kymal’s interests include working with large corporations in designing effective business management systems, getting value from implementations and implementing effective business strategies. He has served on the Malcolm Baldrige board of examiners and is an RAB-certified lead auditor. He has a bachelor’s degree in mechanical engineering from General Motors Institute, a master’s degree in industrial and operations engineering from the University of Michigan and an MBA from the University of Michigan.