For those of you who've wished you could see your quality system's audit through your auditor's eyes, today is your lucky day. In this article, you'll find examples of some of the myths, misconceptions and problems I've encountered as a lead auditor for ISO/TS 16949:2002. Although this is far from a comprehensive recounting, organizations that are registered or considering registration should still find this information helpful.
Myth: "My organization can't be ISO/TS 16949-certified because we don't make parts for DaimlerChrysler Corp., Ford Motor Co. or General Motors Corp."
This is an incorrect misconception on the applicability of the standard. If your organization can show that your parts are used on an automobile, then you meet the applicability. Actually, ISO/TS 16949 is for organizations that have value-added manufacturing processes that produce products for cars, trucks (light, medium and heavy), buses and motorcycles. Whether you're a tier one company that ships directly to the original equipment manufacturer, or a tier 14 supplier, tracing a path of your parts to the vehicle will show your certification body (CB) that you're indeed eligible.
Myth (on occasion): "My organization must be registered to ISO/TS 16949."
If you have contracts with DaimlerChrysler Ford, and/or GM, then this is true. But before you make this declaration, you should consult your direct customer on what it desires and when. Most large tier one organizations have supplier quality manuals stipulating what they require of their suppliers. If you're in doubt, consult the authorized customer representative.
Myth: "I can keep our certification costs down by reporting a low number of employees."
Your application must show all of your organization's employees. You may want to list only the site's employees and ignore remote supporting functions, but when this is discovered during an audit, you'll get a major nonconformance. Make sure that "all" means "all" when documenting this fact for your CB. The CB's quote is based on the total number of employees, and that includes temporary and support personnel. See the TS Rules, Annex 3 and FAQ No. 35 on the International Automotive Oversight Bureau's Web site ( www.iaob.org) for details.
Myth: "Auditors need to see every single sheet of paper in the building!"
I can't stress enough that you need to carefully prepare for the audit. Although your organization needs to document its processes, this doesn't mean that your auditors want to audit your business plan or involve themselves in your corporate strategy. Their primary focus is on how you satisfy your customers. They will collect evidence of conformance to provide justification for granting the certificate. This evidence will consist of:
• Acceptable customer performance reports
• Resolved customer complaints
•A completed internal audit and closure
•A full management review, including a review of the internal audit
•Progress on continual improvement targets
•Demonstrations of effectiveness in achieving organizational objectives
•Closure of all corrective actions from the audit
Your auditors will sign confidentiality agreements with the CB--and with your organization, if necessary. If you have documents that are highly proprietary, then be sure to tell your auditors; they don't have to take these documents with them. The intent of the process approach is explained in the ISO/TS 16949 specification. Further information can be obtained from ISO 9004:2000.
Myth: "Another standard, and we have to laboriously prepare another quality manual."
This myth proliferates because many organizations think that ISO/TS 16949 is just like QS-9000. You can use your existing quality manual, but it must include all the requirements for ISO/TS 16949. Compared to an ISO 9001 manual, an existing QS-9000 manual would need more work because the ISO/TS 16949 specification differs from QS-9000.
The quality manual must contain:
• The scope of the system, with details of any exclusion. The only exclusion is for product design.
• The documented procedures or a reference to them. There are only seven required procedures, and if you have been QS-9000 certified, then you probably already have them.
• A description of the interaction of your processes.
Let's go over these points in more detail:
Procedures: Only seven procedures are mandated, but your organization may want or require more. Sometimes strange requirements that process owners impose upon the organization can create problems during the assessments (either the initial certification or subsequent surveillances). A cautionary note: Scrutinize your procedures before any assessment, and justify or remove any superfluous or nonvalue-added items.
Processes: One of the requirements of the quality manual is a description of the interaction of all quality management system processes. Probably the most frequent nonconformance auditors write is for a lack of identifying and describing the organization's processes. Organizations are aligned by functional departments, which are depicted on organizational charts or similar documents. The processes of an organization describe how work is done and performed by the groups of functions. Your process description should reflect how these various functions come together to form a process to achieve a desired output for the good of the business. How do your processes describe the business?
Design responsibility: There are only two answers to this and they are: You are responsible, or your customer is. A common misconception is that because your customer must approve your design, you're not responsible for it. This is incorrect. Your customer, no matter what tier you are, must always approve your design. If you have been granted the ability to change dimensional characteristics, material composition or functional requirements, then you're design responsible. If your customer uses your drawing and puts its name and part number on it, you're design responsible. Even if you subcontract these functions to an outside source, the source must have the capability to meet the requirements of your customer and the standard.
Problems arise when an organization states that it's not responsible, and the auditors later discover that it is. This has even happened during a surveillance assessment, well after the initial assessment has taken place. The auditor will write a major nonconformance for not describing this process to the CB. The cause could be that the organization didn't understand the definition of "design responsible" or because of the 15-percent reduction in certification costs for not being design responsible. Both causes have occurred during assessments. "Be prepared" is the Boy Scouts' motto, and it should be yours, too.
Myth: "We got a major nonconformance on our audit, so the auditors will leave and we won't be certified."
If your organization does obtain a major nonconformance, then you may elect to stop the audit in consultation with the audit team, but it's not wise to do so. If the audit team leaves at your request, then you won't gain the full benefit of the audit. There could be other areas that have potential major or numerous minor nonconformances, which your organization would have to spend more money to correct. The audit team should advise you to continue with the audit so that you gain the full value from it. If you continue through to completion and successfully perform any corrective actions, the audit team will recommend your organization for certification.
Myth: "If the auditor wrote a nonconformance, then it's mandatory that we accept it."
This isn't true. Your CB must have an appeal process, and it's the obligation of the lead auditor to explain it to you during the opening and closing meetings. Per ISO/IEC 17021 (page 20, paragraph 9.7), if you don't agree with a nonconformance, you have the right to appeal. Usually this appeal goes to the certification manager of the CB. Auditors are human beings, and they make mistakes just like anyone else. Take some time to review all the nonconformances before making an appeal. If you find yourself wanting to appeal all the nonconformances, then you might be in denial, thinking your system is perfect.
Myth: "To perform a corrective action, all I have to do is to provide a plan to the audit team."
This is incorrect. The requirements must have root cause analysis and systemic corrective actions. These must be closed within 90 days of the end of the site audit. The audit team leader should provide you with a list of requirements for completing corrective actions and the time frame. Some CBs state 45 or 60 days, which will provide you with a bit of a cushion in the event that your corrective actions are rejected and need to be resubmitted. If you go beyond 90 days, then you'll have to start over at stage one (the readiness review), and you'll lose money and valuable time.
Myth: "Our certificate will be issued as soon as the audit is over."
Some organizations believe that when the audit is done, the certificate will be issued. This isn't correct. The audit team won't recommend your organization for certification until it receives evidence that any nonconformances have been eliminated. Your organization will be notified of this closure and decision, and you'll receive a supplementary report. This varies among CBs but is usually a status letter of completion or similar document.
Myth: "We can talk the audit team into giving us opportunities for improvement (OFI) so there won't be too many nonconformances."
Wrong, wrong and, again, wrong! There are only two things the audit team can write during an audit: major and minor nonconformances. OFI written in lieu of nonconformances are only hiding the fact that changes need to be made in the system. The final report to the organization may contain recommendations for improvement, but these can't be deficiencies in the system and ISO/TS 16949 nonconformances. Auditors are continually cautioned that making recommendations for improvement could be considered consulting. The audit team won't consult in any way because this can affect the CB's status as an impartial third party. These recommendations for improvement have been abused in the past under other standards and specifications.
Myth: "We can stretch out the timing of our surveillances a little bit."
The time interval for surveillance audits is somewhere between nine and 13 months. Your organization should be notified within at least eight months of an impending surveillance audit. If you're not notified, contact your registrar to find out when your audit will occur. If you go beyond 13 months, your certificate will be invalid and you'll have to start over at the readiness review phase. This can be very costly. Be aware of when your audits should occur.
Myth: "We got more nonconformances during the surveillance audit than during the initial assessment. We're going backward."
The number of nonconformances on an audit is due to many factors. Remember that variation brings about a deviation from the norm, which requires correction to return to the norm. This is a learning experience for your organization and the audit team. Embrace it and it will make you rich in wisdom.
Your certification and good business practices will keep your organization in good standing with both your customers and the CB. Remember, this is a performance audit of your processes to see how well your organization satisfies your customers' requirements. You must maintain a careful balance in your business to stay in the propitious niche you've chosen. For the certification process to be valuable to your organization, you must use it as an augmentation to your daily operations.
Ray Ness is a program manager and senior lead assessor for Intertek Systems Certification. Ness is a certified auditor for ISO/TS 16949, ISO 9001 and ISO 14001, and has more than 20 years of automotive tier one quality program experience. His areas of expertise include automotive quality systems, plant management, purchasing and supplier management, process engineering, process failure modes and effects analysis (PFMEA), and production part approval process (PPAP).