STANDARDS OUTLOOK

IATF 16949:2016’s Evolution

How the automotive quality management system has changed
by R. Dan Reid

Editor’s note: This is part one of a two-part series that examines key changes in ISO TS 16949’s recent revision.
Look for part two in February’s column.

Last year, the automotive sector revised its ISO TS 16949 quality management system (QMS) requirements to

align with ISO 9001:2015’s substantial revision. The ISO TS 16949 revision also incorporated International

Automotive Task Force (IATF) original equipment manufacturer (OEM) customer-specific requirements (CSR)
among other items.

IATF 16949:2016 replaces ISO TS 16949 and is now a sector-owned document. The standard’s focus continues

to be on preventing the occurrence of problems, and the new automotive certification requirements also mandate
the use of ISO 9001:2015, which must be obtained separately.

Decoupling the automotive requirements from the International Organization of Standardization (ISO) gives the
automotive sector full control of this standard, and they avoid paying royalties for using the ISO standard.

Rather than provide an exhaustive review of this standard’s changes, additions and deletions from ISO TS
16949, I’ll highlight several significant alterations.

Scope problem addressed

The definition of management system in ISO 9000:2015 for the first time provides an option to scope the system

down to a single function or discipline. This was never the intent of a QMS, which was always intended to apply
to an entire organization.

ISO 9001:2015 also eliminated the term "permissible exclusions" by saying that if a requirement can be applied, it

must be applied. Minimalists can now argue they only must include one function in their systems and incorporate

only those requirements that apply to that function. IATF 16949:2016 addresses this problem in subclause 4.3.1,
which requires support processes and value-adding sites to be included in a QMS’s scope.

The previous 2008 version of ISO 9001 never mentioned omitting applicable requirements due to the geographic

location of the processes. In IATF 16949:2016, where you choose to locate activities is your organization’s

prerogative, but all applicable processes and requirements must be in the QMS regardless of where an

organization chooses to locate and perform them. Individuals, such as auditors, who must verify whether an

organization is conforming to applicable requirements must visit the locations in which those processes are being
performed to verify conformance.

The new ISO 9000:2015 definition of "management system" now allows for a QMS scope to be as narrow as one
function. Furthermore, top management is aligned to the scope of the QMS. If a minimalist organization chose to
include only the purchasing department in its scope, top management would be the purchasing executive.
There is another argument that can be used by minimalist ISO 9001 implementers. A clause in IATF 16949:2016
indicates that if an ISO 9001 requirement can be applied, it must be, and product quality cannot be compromised.

Minimalists can argue that this all depends on the QMS scope. As explained earlier, IATF 16949:2016 addresses
this unfortunate development in ISO 9000.

CSRs

The number of CSRs has concerned the automotive supply base since the early days of QS-9000—a quality

standard developed by automakers in the 1990s. A lot of work and expense has been created by the differences

in QMS requirements between the OEMs that remained after the QMS harmonization. The problem is

exacerbated at the tier-one level of the supply chain: All OEM CSRs are comprehended, and many tier-one

suppliers add their own CSRs for deployment to tier-two suppliers, which have fewer resources to deal with
CSRs than tier-one suppliers.

The 2008 version of ISO 9001 required an organization to determine the product requirements in subclause

7.2.1. ISO 9001:2015 continues this in subclause 8.2.2. Three groups can specify QMS requirements: customers,

regulators and internal functions, such as engineering. In this respect, there has been an ISO 9001 requirement

for organizations to identify and address CSRs. In the new IATF 16949, subclause 4.3.2 makes a process for this
to be a more explicit requirement.

Less to document?

IATF 16949 continues to require "documented processes" while ISO 9001:2015 now uses the generic term
"documented information." The IATF 16949 subclauses that require a documented procedure include:

 4.4.1.2—product safety.
 7.1.5.2.1—calibration/verification records.
 7.2.1—competence—supplemental.
 7.2.3—internal auditor competency.
 7.3.2—employee motivation and empowerment.
 7.5.3.2.2—engineering specifications.
 8.4.2.1—type and extent of control—supplemental (outsourced processes).
 8.4.2.4—supplier monitoring.
 8.5.6.1—control of changes—supplemental.
 8.7.1.4—control of reworked product.
 8.7.1.5—control of repaired product.
 8.7.1.7—nonconforming product disposition.
 10.2.3—problem solving.
 10.2.4—error-proofing.
 10.3.1—continual improvement—supplemental.

ISO 9001:2015 requires an organization to have documented information, not including records, in 10 additional

clauses and subclauses. While the stated intent of the ISO 9001:2015 revision was to reduce the need for

documentation, it has actually made the documentation requirements less prescriptive but similar in amount.
IATF 16949 adds to those.
IATF 16949 continues to require a quality manual, which was deleted from ISO 9001:2015. A quality manual now

must indicate where CSRs are addressed within the QMS. Organizations should have a process for identifying

and addressing any CSRs because these are critical to customers that require their suppliers to be IATF 16949
certified.

IATF 16949 no longer requires disposal of records after a specified retention period, but this is covered in ISO

9001:2015, which is a normative reference in the automotive standard. A normative reference must be used with
the document referencing it while an informative reference is for guidance only.

New conformance requirements

IATF 16949:2016 subclause 4.4.1.1 requires an organization to be responsible for the conformity of outsourced

processes. It also requires that all products and processes meet applicable requirements and expectations of all
interested parties.

The first part of subclause 4.4.1.1 is a carryover from previous versions of the standard. The second part is

driven by ISO 9001:2015’s requirement to address interested party needs and expectations. This was formerly
limited to customers, which are only one category of an organization’s interested parties.

This is a significant expansion of a QMS. Product and process design, and validation processes will take on

additional responsibilities. The processes must ensure interested parties’ typically soft needs and expectations—

such as "smooth ride" or "quiet ride"—are effectively translated into product and process requirements, and
validated as meeting needs and expectations.

‘Big Q’ QMS reintroduced

In the 1980s, General Motors had full business supplier-assessment criteria and targets for excellence. These

included sections for quality, cost, delivery, technology and leadership. This was abandoned with the initial

harmonization effort with Chrysler and Ford. At that time, they wanted a QMS scope to be specific to quality—that
is, "small Q" with delivery.

Over time, ISO 9001 brought back "leadership." This latest revision of the automotive requirements in IAFT

16949:2016 carries over and expands on the issue of safety-related products and manufacturing process safety

in subclause 5.1.1.1. Product safety is defined in the standard as "standards relating to the design and

manufacturing of products to ensure they do not represent harm or hazards to customers." 1

This safety subclause requires an escalation process with defined responsibilities, flow down of safety

requirements to the supply chain, management of safety characteristics and special approvals for control plans,
and failure mode and effects analyses, among other items.

This is a more practical approach to the subject compared to the ISO occupational health and safety (OH&S)

project—ISO 45001—which is in the draft stage. This draft standard is assigned to a new ISO committee with

significant representation from organized labor. It requires workers and worker representatives to participate in
matters—such as policy making—that normally have been the responsibility of leadership.
Given the redundancy and immaturity of the OH&S draft—coupled with several problematic requirements—it is

not clear whether this standard will be approved for publication. If not, sector documents will be the primary
impetus for organizations to provide for safety.

Corporate responsibility also is included in the new automotive document, reinforcing that it’s now more than a

QMS. The term is not defined in the standard. At a minimum, policies against bribery and for employee codes of

conduct and ethics escalation must be implemented. IATF indicates this implies responsibility and empowerment

at all levels and functions of an organization to follow an ethical approach and report any observed unethical
behavior without fear of reprisal.

IATF 16949 introduced several other key changes, such as how the standard incorporates the process approach

and process review requirements, and how it addresses risk and auditor competency, which I’ll cover in the
second part of this column.