(IATF 16949 Surveillance audit, transition audit, upgrade audit)We have been reviewing the data from many sources on the common nonconformances during transition audits for IATF 16949: 2016 as well as ISO 9001, ISO 14001, AS9100, ISO 13485 and now ISO 17025.
Some things stay the same
An analysis of the data identified many nonconformances that are consistent with audits conducted prior to the newly revised standards. These nonconformance are more common than those written to the new requirements for companies that spend more time addressing the new requirements explicitly in their management systems. Examples include:
- A gage that is past due for calibration without any extension records
- Control Plans and PFMEAs that do not match
- Work instructions that are not being followed or out of date…
These are the typical struggles of organizations with relatively good management systems: keeping everything up-to-date, finding the few incidents where the system requirements that may not be followed, and enlisting everyone in the origination to point out when even minor things change. For these types of nonconformance, the organization needs to look at the risk of the issue and determine the appropriate magnitude of the corrective action effort required.
Common non-conformance to revised standards
Two of the Common nonconformancess relating to the new requirements we will discuss in this article include Internal audit and Total Productive Maintenance (TPM). Additional nonconformances will be addressed in future articles. Feel free to let us know if you have other concerns as well.
Internal audit issues
The entire internal audit process receives lots of focus during all surveillance audits. In addition, the IATF 16949 requirements are specific and intensive.
IATF16949: 2016 internal audit requirements include:
Internal auditors must be competent on the areas they are auditing. Core Tools are included. Evidence of evaluation (records) must be available for any Core Tool an auditor covers. If an auditor conducts audits of any Core Tool, competency records must be available. Refer to IATF 16949 section 7.2.3, the Core
Tools. To address this issue, companies have several options which could include:- Have qualified auditors audit specific core tools. Ensure records of competency are available.
- Assign a Core Tools competent staff member (independent of the area audited) to work with the internal auditor who qualified as an auditor, but is not core tool qualified. Ensure audit records include this staff member’s name and role.
- Use an outside, contract internal auditor who is qualified to perform the main internal audit, including the Core Tools. This should be supplemented with other audit functions that may happen more frequently during the year. Many companies use inspections, control plan audits, process audits, layered process audits, product audits, etc., that meet this need and help to ensure a valuable and effective audit process and management system.
- Have training sessions for internal auditors covering each of the core tools. These may be onsite or public training sessions. The core tools may be included in a standard overview session or auditor specific training classes. Ensure records of competency for each core tools taught are made available for your organization. Note: Management Solutions Group offers both overview training and Core Tools auditor specific workshops.
Nonconformances Common to All Internal Audit Systems
• Internal audit results not reported to management.
• Ineffective audit systems due to insufficient records or audits not identifying issues related to management review and clauses 4, 5, and 6.
• Auditor training inadequate as evidenced from records. Training must include how to audit Clauses 4, 5, and 6 and management review.
An effective internal audit program is expensive. Audit systems require significant resources to maintain and sustain the activities effectively. Due to a lack of resources, many internally resourced internal audits are not performed well and result in information / outputs that are not effective in improving the organization. For this reason, many organizations ultimately decide to outsource the main internal audit function. When an organization chooses this path, internal resources need to be allocated for completing regular, supplemental system checks. A common example for ISO 14001 include housekeeping inspections or additional items checked with the required SWPPP or SPCC inspections. Quality management systems examples of additional activities include Layered Process Audits, control plan audits, etc.
Total Productive Maintenance (TPM) ISO 16949: 2016
Another focus of the revised requirements that result in nonconformances is section 8.5.1.5. Many organizations with effective preventive / predictive maintenance programs do not fully address each requirement in this section. There are several, common issues being identified through the audit process.
• Lack of maintenance objectives that meet the requirements. The example given in the standard includes OEE (Overall Equipment Effectiveness). Where many organizations had objectives in line with “Maintenance activities completed on-time”, this is not the equivalent to the use of OEE type objectives. This is an fine point in the standard that is easy to miss. The intent described in the standard is to find a more effective measurement to use for evaluation of the maintenance program. The requirement is also to have this performance information as an input to management review.
• This does not mean that Management must review all objectives and data but should be receiving the correct information to make informed decisions. Often this is trend data. The questions management should be able to answer include:
1. Are the maintenance programs effective?
2. Are we seeing increasing or decreasing unscheduled downtime?
3. Is the equipment able to meet capacity?
4. What actions should be taken to increase efficiency and quality (effectiveness)?
Additional information in the next article focuses on how to address and implement the required changes. Currently, if the organization is struggling with fully completing the required tasks / implementation prior to the transition audit, an effective approach may include:
• First, the Organization selects one or more areas or process for full implementation. Ensure the change meets the requirements for change control. (Recall that change control must also provide evidence of effectiveness of the implementation.)
• Second, the Organization creates a plan to roll this change throughout your facility in a reasonable timeframe. (Recall that the plan must include the resources needed to meet the timeline.)
The combination of one effective implementation and a plan for future system wide implementation meets the requirements for change control. Please be aware of two related issues:
1. Processes included in the future plan must not be releasing non-conforming product
2. Auditors may not accept an organization only having a plan for the future. Evidence of one or more effective implementation is necessary.
What to Expect on Next Surveillance after transition audit for IATF 16949: 2016?
During a transition audit, most registrar auditors are focused on new requirements and how the organization is addressing them in the management system. In some cases, the system has been established and implemented in areas with additional action plans to complete the roll out. One example could be the Total Productive Maintenance requirements in IATF 16949: 2016. As an example, an organization may have a very effective maintenance program, but may have just started using a monitoring and measuring method tied to OEE. They may have been able to demonstrate a system in place and show some maturity using it in limited areas of the facility with plans for further roll out in other areas.
In this example, a good auditor would want to follow this up on a subsequent surveillance audit to verify that the action plans were followed as committed in the transition audit.
Many of the new requirements in the revised standards focus on monitoring and measuring as well as regular reviews (e.g. context, interested party requirements, risks…). For many organizations these tasks are newly implemented before a transition audit, so the monitoring, reviewing, identifying and closing of actions processes will become more important in subsequent audits.
Additionally, where registrar auditors are focused on new requirements in transition audits, other areas of the management system should be part of the focus for later audits. These may not have been reviewed as closely with the new requirements, so this is another area that may receive increased attention in succeeding surveillance audits.
The Internal audit process will be a good activity to identify any issues in these areas as well as organization communications and just general focus on details.
If you have any additional questions you would like to have us answer, please submit them through