IATF Rules 6th Part I (Chapters 1-8) PDF

IATF RULES 6^th^ ^\ ^ **GLOBAL OVERVIEW OF THE FIRST 3-YEAR IATF 16949 CERTIFICATION CYCLE** A diagram of a company Description automatically generated **INTRODUCTION** The membership of the International Automotive Task Force (IATF) consists of automotive original equipment manufacturers (OEMs) and National Automotive Industry Associations. The IATF established five (5) oversight offices, commonly referred to as IATF Global Oversight, to implement and manage its IATF 16949 Certification Scheme. Public information related to the IATF and its oversight offices can be found at www.iatiglobaloversight.org. The IATF Certification Scheme is detined in the "Automotive Quality Management System Standard IATF 16949,\" the following "Rules for Achieving and Maintaining IATF Recognition," any related Sanctioned lnterpretations (SlS) and Frequently Asked Questions (FAQs) (see section 10.0), and Certification Body and Stakeholder Communiqués that are issued by the IATF. Sanctioned lnterpretations, Frequently Asked Questions, and communiqués are available at www.iatiqlobaloversiqht.orq. The IATF recognizes certification bodies to conduct IATF 16949 audits and issue certificates or letters of conformance to their clients. The IATF OEM members only recognize IATF 16949 certificates or letters of conformance carrying the IATF logo and a unique IATF number issued by lATF-recognized certification bodies. Such an lATF---recognized certitication body is herein referred to as a "certification body," and public information about the validity of IATF-recognized certiticates and letters of conformance can be found at httpszitiati-customemortal.orq. A list of lATF-recognized certification bodies may be found at: www.igtialobaloversiqht.a It is strongly enœuraged for each lATF---recognized certification body location involved in IATF 16949 certification activities and each of its IATF 16949 client locations to be in possession of the most recent IATF-authorized copy of the "Rules for Achieving and Maintaining IATF Recognition" and the "Automotive Quality Management System Standard IATF 16949". The requirements, herein referred to as "Rules," are binding on the certification body, and its clients where applicable, and shall be implemented by the certification body and its clients as specified. Clients of IATF---reœgnized certitication bodies should direct questions regarding these Rules to their certification body. Certification bodies should direct questions regarding interpretation of these Rules to their relevant oversight office. ln exceptional cases, a certification body may be unable to meet a requirement of these Rules. Where this occurs, the certification body shall submit a waiver request form to its relevant oversight office to request a deviation from the Rules requirement. IATF Global Oversight will provide guidance to certification bodies where waiver requests are not required to be approved by the relevant oversight office and can be intemally approved by the certitication body. Records of intemally approved waivers shall be maintained by the certification body. The certification body shall enter the details of oversight office---approved and intemally approved waivers (i.e., waiver number, approval date, and approval comments) into the IATF Database. Complaints related to certification bodies or certitied clients may be submitted to the relevant certification body. Ethics and compliance concerns related to any lATF-recognized certification bodies, IATF 16949 third-party auditors, IATF 16949---certified organizations, or oversight offices may be filed at httpsJ/secure.ethicsnoint.comlmedia/en/quifl2672tindex.htm\|. These Rules are subject to periodic review and may be moditied at any time at the sole discretion of the IATF after consultation with appropriate stakeholders. Note: Within this document, the use of the term "certification" is synonymous with registration. ELIGIBILITY FOR CERTIFICATION TO IATF 16949 =========================================== Only organizations that manufacture and, where applicable, design and develop automotive products and vehicles are eligible for IATF 16949 certification. Note: "Automotive Products" is the short term used in these Rules to describe parts and processed materials manufactured for automotive vehicles. \"Automotive Vehicles\" on public roads. shall be understood as homologated vehicles that are intended to be driven "Automotive Products\" shall be understood as the following: \"Manufacturing" shall be understood as a process that includes at least one value-added activity that further transforms the proœss\'s input materials and/or parts into a semi-complete or complete state of an automotive product. \"Automotive Customer" shall be understood as any organization in the automotive supply chain purchasing automotive products. \"Client\" shall be understood as the organization applying to or oontracted with a certification body to become or remain certified to IATF 16949 under one or more certification structures, including all relevant manufacturing sites and, where applicable, all their relevant remote or standalone remote support locations. Acceptable certification structures are: "Manufacturing Site\" shall be understood as a client location at which manufacturing occurs. A manufacturing site is the only type of client location eligible for independent certification to IATF 16949. If a manufacturing site supplies an automotive customer requiring third-party certification to IATF 16949, then all automotive customers of the site shall be included in the audit scope (see section 10.0). "Remote Support Location\" (RSL) shall be understood as a client location where one or more support functions reside that provide support from the RSL to a client's manufacturing site. Such support functions may be located at another manufacturing site or at another client location where no automotive manufacturing occurs (i.e., a \"Standalone Remote Support Location\"). Each manufacturing site and each standalone remote support location shall be audited and certified by only one lATF---recognized certification body during the contractually agreed period of certification. The only exception to this requirement is in the case of a client transferring to another certification body (see section 7.1 ). The certification body contracted with a standalone remote support location shall also have a contract with at least one manufacturing site for receiving support from the standalone remote support location. Certification structure eligibility requirements ================================================ The following requirements shall be met when determining the certitication structure for clients applying to become or remain certified to IATF 16949: a. Single Manufacturing Site: b. Single Manufacturing Site with Extended Manufacturing Site(s): 1. Shall be a single manufacturing site (also known as the main manufacturing site) whose manufacturing processes expand into one or more other locations (the extended manufacturing site\[s\]) with different addresses managed together as one manufacturing site that is part of the same legal entity. 2. An extended manufacturing site (EMS) shall only receive support from or provide support to the main manufacturing site. 3. An EMS shall be located within ten (10) miles (sixteen \[16\] kilometers) and no more than sixty (60) minutes of driving distance from the main manufacturing site. 4. The main site and EMS shall operate under a single quality management system (see IATF 16949, 4.4.1 ). 5. An EMS shall be managed and controlled together, as one manufacturing site, with the main manufacturing site by the main manufacturing site's management personnel. Therefore, the EMS shall not be controlled and managed autonomously from the main manufacturing site. In this regard, management responsibilitîes and authorities shall not be delegated to front---line management (see section 10.0) or the nen---management personnel located at the EMS. 6. Management personnel\'s acﬁve involvement in the control and management of the EMS together with the main manufacturing site shall be demonstrated with evidence. 7. Management personnel may be located at an EMS, provided these personnel are 8. An EMS may have dedicated front-line management personnel located there with limited decision-making authority for operational, day---to---day decisions regarding the manufacturing processes for the EMS. 9. An EMS may have non-management personnel (e.g., production schedulers, manufacturing engineers, facilities maintenance, etc.) located onsite who support the EMS and/or the main manufacturing site, but no other manufacturing site. c. Corporate Scheme: 1. Shall consist of at least two (2) manufacturing sites, with or without an EMS, which operate under a common quality management system. The common quality management system shall: i. be established by processes that are centrally defined, structured, and controlled ii. be monitored with a common set of process measurements iii. be implemented in subsæntially the same manner across all manufacturing sites and standalone remote support locations within the corporate structure being certiﬁed to IATF 16949 iv. have localization of the quality management system documentation and records only at the level of work instructions/procedures. v. have a centrally managed internal quality management system audit program. 2. Shell have an identified central location where the quality management system function resides that is responsible for defining, structuring, and controlling the common quality management system. 2. CERTIFICATION BODY GOVERNANCE, INTERNAL CONTROL, AND RISK MANAGEMENT ==================================================================== 2. General IATF recognition requirements for certification bodies ============================================================== A certification body shall have a contract (i.e., the "Agreement\") with an oversight office and be recognized by the IATF before issuing an IATF 16949 certiticate to a client and using the IATF logo on the certificate. The list of lATF---recognized certification bodies is available at www.iatialobaloversiahtgg. A certification body shall have a designated office approved by the IATF as its contracted office. The contracted office holds the IATF recognition. The lATF-reœgnized certitication body or its corporate entity shall have one hundred percent (100%) ownership of the contracted office. The certification body shail appoint an employee (i.e., not a contracted employee) from the contracted office with global technical authority for the autom0tive certification scheme to be the single point of contact between the relevant oversight office and the certification body. The certification body shall also appoint an employee (i.e., not & contracted employee) from the contracted office or a regional office as the deputy contact person. The certification body, with the involvement of the contracted office, may at any time establish regional offices with lines of authority and responsibility to the contracted office regarding matters that affect IATF 16949 certification activities. The certification body shall cooperate with the relevant oversight office when performing activities in support of the IATF certification scheme. A certification body shall be compliant with the statutory and regulatory requirements of each country in which it operates. The certification body shall comply with all data protection laws for the respective jurisdictions in which it operates, including providing employees and contracted employees with sufficient transparency with regard to the uses of relevant personal identifying information. The certification body shall not violate any part of the contract with the oversight office, including the IATF Certification Body Code of Conduct. The certification body, and any related organization (see section 10.0), shall not violate intellectual property and copyright protection of any IATF trademark and documents, including those issued by any IATF member organization or any oversight oftice. The certification body shall only use the IATF logo on the IATF 16949 certificate and letter of conformance. Legal entity structure ====================== A certification body shall be a legal entity, or a detined part of a legal entity, which can be held legally responsible for all its certification activities. A certification body and any part of the same legal entity shall not operate as both a quality management system certification body and as a quality management system accreditation body. A certification body and any part of the same legal entity or any related organization shall not offer to or provide its clients with the prohibited activities listed in section 2.5.2. If a certitication body is & detined part of or becomes a defined part of a corporate entity, no other lATF-recognized certification body shall exist within the same corporate entity. When the certification body is a detined part of a legal entity, its organizationa\| structure shall include the line of authority and the relationship to other parts within the same legal entity. Joint ventures ============== The certification body or its corporate entity shall establish and maintain managerial and operational control in any joint venture involved in IATF 16949 certification activities. Before entering any joint venture partnership agreement, the certification body shall perform a comprehensive impartiality risk assessment of the intended joint venture. If a risk is identified and is determined to be not manageable (see section 2.5.3), the certification body shall not proceed with the agreement. Outsourcing of certification activities ======================================= Outsourcing on behalf of the certification body shall not be permitted, including the use of service agreements or Memorandums of Understanding (MOU), agents, franchisees, or any type of licensee model for any part of the IATF 16949 certification process (see section 10.0). The use of individual self-employed auditors and technical experts does not constitute outsourcing, provided that the lATF---recognized certification body has a legally enforceable agreement with each auditor and/or technical expert. Management system requirements ============================== The certification body shall document and establish its organizationai structure, including roles, responsibilities, and authorities of management and personnel involved in certitication activities and committees. The certification body shall identify the top management (see section 10.0) in its organizational structure who is responsible for the overall effectiveness of the IATF 16949 certification activities, including the provision of competent and adequate resources. The organizational structure shall include all lines of authority from the contracted office to the global organization, if applicable, and to or between each regional office, including any joint ventures involved in IATF 16949 certification activities. The certification body\'s contracted office shall ensure that the roles, responsibilities, and authorities are understood throughout the certification body. The certification body shall define its management system processes and operating procedures, including their sequence and interactions, to ensure effective audit and certification of clients. The defined management system processes shall include process controls, measures of performance, and performance targets. The management system performance shall be continuaily monitored, controlled, and improved based on performance data pertaining to the IATF 16949 certitication process, at minimum. The certification body's management system shall include a process for effective problem-solving. This process shall be initiated following complaints from clients and other interested parties and non-conformities issued from internal witness, internal system, and IATF Office Assessments, Witness Audits, and additional monitoring activities. For non-conformity issued from IATF Office Assessments, "fitness Audits, and additional monitoring activities, the process shall align with the specific requirements in the IATF Certification Body Problem Solving Manual. Where & certification body has multiple offices involved in IATF 16949 certification activities, the following conditions shall be fulfilled: a. The use of a common, centrally managed management system, using the same processes and operating procedures for all offices. b. The use of common documents for all IATF 16949---related activities. c. Translated documents that include the original document language in addition to the language into which it was translated. d. The use of a common software system/platform to manage audit planning and conduct, technical review, certification status, and certiticate issuance. e. The use of a common software system/platform to manage appeals and complainte. f. The use of performance data pertaining to the IATF 16949 certification process, which is made available by the contracted office to all regional offices that are required to conduct a management review. The contracted office shall be responsible for establishing, developing, documenting, implementing, maintaining, controlling, and improving its management system related to IATF 16949 certification, regardless of where those certification activities occur. Where & certification body has regional offices involved in IATF 16949 certification activities, the contracted office shall be responsible and held accountable for monitoring and controlling all global activities related to IATF 16949 certification. Note: Any certification body locations involved in IATF 16949 certification activities, which the certitication body may call, "regional offices," "branch offices," "subsidiaries," "sales locations," "support centers," "affiliates," \"global headquaflers,\" etc., are considered to fall under the term "regional office" for purposes of these Rules. The contracted office shall monitor and control the following processes: - waiver management (see Introduction section) - performance monitoring for each regional office (see section 2.2) - impartiality risk assessment for certification activities (see section 2.5.3) - internal system audits (see section 2.6) - internal witness audits (see section 2.7) - appeals and complaints (see section 2.8) - management review (see section 2.9) - nonconformity management (see section 2.103) - determination and utilization of personnel conducting certification activities (see section 4.0) - defining, demonstrating, and maintaining competency for each role involved in IATF 16949 certification activities section 4.0) - applications for IATF 16949 auditors (see section 4.2) - continuing approval or rejection of IATF 16949 auditors (see section 4.4) - maintaining auditor qualification (see section 4.4) - nominating and maintaining approval of technical reviewers, witness auditors, and system auditors (see sections 4.1, 4.1.1, 4.5, 4.5.1, 4.6, and 4.6.1) - technical reviews and certification decisions (see section 5.12) decertification (see section 8.0) - IATF Database management, including monthly accuracy checks. The contracted office and all regional offices of the certification body responsible for IATF 16949 certification decisions and certificate issuance activities shall be accredited to ISO/IEC 17021 -1 to perform ISO 9001 certification by an lntemational Accreditation Forum (IAF) accreditation body. Any ISO/IEC 17021-1 accredited office involved in IATF 16949 certification shall conduct IATF 16949 certification activities in accordance with the scope detined in its ISO 9001 accreditation. The contracted office shall have a direct line of authority for the technical reviewer role and all related activities, regardless of the location of the physical office in which the technical reviewer resides and shall be responsible for managing any impartiality risks (see section 2.5) related to the technical review and certification decision activities. The contracted office shall be responsible for determining the extent of autonomy granted to regional offices, including granting or revoking the permission to conduct selected IATF 16949 certification activities. Records shall be maintained that detail the rationale and criteria used to make such determination, approval, or revocation decisions. The contracted office shall continuously manage risk(s) related to and resulting from the extent of autonomy granted to regional offices and the IATF 16949 certification activities assigned. This shall include risks identified from business continuity and impartiality risk assessments (see sections 2.4 and 2.5.3). The contracted office shall provide relevant client audit and certification-related information to their relevant oversight office upon request. The contracted office shall provide an overview of all oftices involved in IATF 16949 certitication activities to the relevant oversight oftice by using the IATF Standardized Regional Oftice Matrix Template. The most current IATF Standardized Regional Office Matrix (see section 10.0) shall be provided on a quarterly basis, whether or not changes occurred. 4. Communication of changes ======================== 4. Communication of changes to the oversight office ================================================ The certification body shall notify the relevant oversight office, in writing, within twenty (20) calendar days of any realized changes related to its: a. legal status b. ownership status (e.g., mergers, acquisitions of other certification bodies, business relationships or agreements, joint ventures, shareholding ratios, etc.) c. organizational status (e.g., establishment or closure of a regional office for IATF certification activities, management structure and related reporting relationships, etc.) d. loss or suspension of management system accreditations at the contracted or any regional office. Before implementing any of these changes, the certitication body shall analyze related business continuity and impartiality risks and mitigate the risks wherever possible. Communication of changes to clients =================================== The certification body shall notify its clients within ten (10) calendar days of any changes related to IATF certification activities and requirements that may impact its clients. The certitication body shall verify that each client oomplies with the new requirements. The certification body shall notify its clients within ten (10) calendar days of changes to the certification body's ownership or loss of IATF recognition. Management of business continuity risks ======================================= The certification body shall implement a business continuity risk assessment process that includes all offices involved in IATF 16949 certification activities. A certification body shall be able to demonstrate that it has evaluated risks that may affect the continuity of its management system certification activities and has implemented actions to mitigate the risks wherever possible, including adequate arrangements (e.g., Liability or cyberattack insurance, financial reserves, etc.) to cover liabilities arising from its operations and the geographic areas in which it operates. Management of impartiality risks ================================ The top management of the certification body shall establish a policy, make appropriate decisions, and take effective actions to promote and maintain impartiality and objectivity in carrying out certification activities. The certification body shall conduct impartiality risk assessments as required by these Rules (see section 2.5.3). The certification body shall implement preventive, detective, and corrective internal control activities (e.g., policies, procedures, approvals, authorizations, verifications, segregation of duties, etc.) to safeguard the impartiality and objectivity of its certification activities. At all levels of the organization, the certification body shall be responsible for ensuring impartiality and objectivity in its activities and decisions related to the certification of clients, which shall be based on objective evidence obtained by the certification body and shall not be influenced by other interests or by other parties. The top management of the certification body or its corporate entity shall implement a whistleblowing process and communicate it to all personnel involved in IATF 16949 certification activities. Threats to impartiality ======================= The certification body shall avoid any threat to impartiality, including, but not limited to, the following: a. Self-interest threats: threats that arise from a person or body acting in their own interest. For example, a concern related to certification, as a threat to impartiality, would be tinancial self- interest. b. Self---review threats: threats that arise from a person or body reviewing the work done by themselves. c. Familiarity (or trust) threats: threats that arise from a person or body being too familiar with or trusting of another person instead of seeking audit evidence. d. intimidation threats: threats that arise from a person or body having & perœption of being coerced openly or secretively. Conflicts of interest ===================== The certification body shall require its internal and external personnel to reveal any situation known to them that may present them or the certification body with a conflict of interest, including, but not limited to, training, consulting, or other related businesses they are or were involved in. The certification body shall use this information as input to identify threats to impartiality raised by the activities of such personnel or by the organizations that employ(ed) them and shall not use such internal or external personnel for certification activities unless the certification body can demonstrate that there is no conflict of interest. The certification body, including its sponsored auditors, any part of the same legal entity, and any related organization of the certification body or its auditors shall not offer or provide quality management system---related consultancy to their clients under contract or shall not have provided quality management system---related consultancy to new clients within twenty-four (24) months before contracting with them. Quality management system---related consultancy includes the provision of: a. quality management system---related training, which is fully or partially tailored for a client,including quality management system auditor training, delivered in any format b. any assistance with establishing, developing, documenting, implementing, maintaining, controlling, or improving an element of or related to & quality management system c. quality management system---related internal product, process, or system audits d. quality management system---related product, process, or system audits of suppliers on behalf of the client e. any type of quality management system---related and/or automotive-related audit or assessment or comparable activity requested by a client or a client's customer that is not expressly stated in these Rules (e.g., "pre-audits\"). The certification body may conduct standardized training courses that are not tailored to a client in any way, as advertised to the general public in its training catalog, including, for example, general quality management system auditor training or training courses on core tools, six sigma, or lean manufacturing. impartiality risk assessment ============================ The certification body shall implement an impartiality risk assessment process that includes all offices involved in IATF 16949 certification activities. This process shall cover impartiality threats, whether they arise from within the certification body or from the activities of external personnel, bodies, or organizations. The impartiality risk assessment shall consider, at minimum, the following: a. ownership and owners and their related organizations (e.g., entities through common ownership, links between owners. ownership shares, etc.) (see section 2.1) b. related businesses, including relationships with consulting and training companies c. management structure d. issues with authorities (e.g., convictions, violations, bans, bankruptcies, etc.) e. former or current relationships with other certification bodies for any accreditation scheme, including reasons for termination of the relationship f. auditor resources, contracts with auditors, and other internal and external resources involved in certification activities g. impartiality of internal system auditors, internal witness auditors, and technical reviewers h. self---employed auditors or internal personnel disclosure of other related businesses, including training or consulting businesses they or their family members have ownership in or de work with i. sales commissions and other inducements for the referral of new clients j. branding and logo usage misrepresentation k. managing complaints and appeals. The certitication body's contracted oftice shall conduct & detailed impartiality risk assessment specitic to IATF 16949 certification activities. At minimum, this impartiality risk assessment shall cover all certification process activities, the internal witness audit process, and the internal system audit process with focus on evaluating the preventive, detective, and corrective internal controls in place, including their testing for etiectiveness in safeguarding the impartiality and objectivity of certification activities. Any identified impartiality risk shall have actions documented to eliminate or mitigate them. Residual risk shall be accepted by top management. Impartiality risk assessments shall be reviewed and updated at detined intervals based on risk levels and whenever significant changes occur, including but not limited to, changes in management staff, tumover of employees, increase or decrease in client base, or changes to certification process steps or process controls. The impartiality risk assessment results shall be considered in the development and execution of the internal system and internal witness audit programs. The impartiality risk assessment records shall be documented and retained. The impartiality risk assessment results shall be an input to 1he œntracted oftiœ's management review (see section 2.9.1) and, where applicable, to any risk assessment activities to maintain its ISO/ IEC 17021 -1 accreditation. Certification body internal system audits ========================================= The certification body shall have a process for internal system audits to verify the effective implementation of the management system. This process shall include dedicated internal system audits specific to IATF 16949 certitication to assess conformance with: a. these Rules and any other IATF requirement documents b. relevant Certitication Body and Stakeholder Communiqués c. the certification body's processes and operating procedures (see section 2.2). The certification body shall develop and maintain a three (3) year internal system audit program. For each of the three (3) years, the program shall identify which of the regional offices from the IATF Standardized Regional Office Matrix (see section 2.2) are planned to be audited or were audited. The audit program shall identify the planned audit date(s) and, where applicable, the actual audit date(s), the audit status, the audit method (i.e., onsite or remote), and the assigned internal system auditor. An internal system audit shall be performed onsite at least once per year (i.e., every twelve \[12\] months \[-3/+3 months\]) at the contracted office and each regional office identified in the IATF Standardized Regional Office Matrix (see section 10.0). The frequency of internal system audits at a regional office may be reduced to once every three (3) years if the certification body can demonstrate that its management system continues to be effectively implemented at the regional office and no significant risks are identified. The documented justification for the reduction shall be based on the number of clients managed by the regional office, the extent of autonomy granted to the regional ofiice, its performance data and related trends, the latest management review results, results from the recent internal system audits, IATF Office Assessments, and the impartiality and business continuity risk assessment outcomes. Regional offices that are only responsible for marketing and sales activities or only provide support according to the IATF Standardized Regional Office Matrix (see section 10.0) shall be audited at least once every three (3) years. These offices may be included in an internal system audit of the contracted office or a regional office they support or may be audited separately, either onsite or remotely. The certification body shall manage the internal system audit program to ensure that: a. the program is updated based on internal and external performance data and identified disks and results from internal system and witness audits b. the program is based on me contracted office\'s input c. the program is executed as planned d. the audits are conducted by qualified and approved personnel (see section 4.6) e. auditors are selected to ensure impartiality and objectivity f. audit specific inputs are gathered to determine critical topics to be prioritized based on risk, performance trends, contracted office input, and criticality of the process(es) for each audit g. a process-based audit plan is created for each audit h. audit---speciﬁc objectives and ooncems to be investigated from the contracted office are included i. audits include veriﬁcation of systemic corrective actions from previous nonconformities pertaining to the audited office that were issued as a result of the internal system and witness audits, and IATF office assessments, witness audits, and additional monitoring activities j. audits are undertaken following the process approach with a focus on risk and performance k. adequate time is planned to audit all applicable processes and procedures pertaining to IATF 16949 certification activities l. each internal system audit covers every audit type (i.e., stage 1 readiness assessments,stage 2 certification audits, surveillance, recertification, transfer, and special audits) and adequate time is planned for sampling an appropriate number of client files from all applicable audit types during the time period being sampled. Each client file review shall include the verification of content entered into the IATF Database and applicable waivers m. the accuracy of recorded audit dates and audit team information, including reconciliation with travel receipts, hotel invoices, overlapping audits, etc., is verified n. each internal system audit is no less than two (2) days in duration at the contracted office and no less than one (1) day in duration at the regional office o. personnel responsible for the processes audited are informed of the outcome of the audit p. audit reports contain at minimum: 1. a management system performance overview as relevant to the audited office, including performance results from the last twelve (12) months in relation to established performance targets 2. identified systemic risks, including risks related to IATF 16949 certification 3. verification details and results of the investigation into concerns from the contracted office 4. verification details and results regarding the effective implementation of actions from previous nonconformities 5. a list of the management system processes audited and a written audit summary of each process, including & conclusion on its effectiveness, and a list of sampled client ﬁles with the name of the client location and the unique site identifier (USI), the client audit type, and the audit dates 6. nonconformities identiﬁed during the audit shall be written in at least three (3) distinct parts: i. the statement of nonconformity ii. the requirement(s) or speciﬁc referenœ(s) to the requirement(s) iii. the objective evidence that supports the statement of nonconformity. 7. audit results, recommendations, and follow---up needs for the contracted office. q. the nonconformity problem investigation and deﬁnition, root cause analysis, and the implemented systemic corrective actions with verification of their effectiveness are submitted for acceptance no later than ninety (90) calendar days after the internal system audit closing meeting date r. audit reports, including nonconformity records, are submitted to the contracted office s. results from the internal system audit process shall be an input to the management review process. The IATF reserves the right to observe internal system audits or to require additional activities in response to systemic corrective action follow-ups or based upon performance Certification body internal witness audits ========================================== The certification body shall have a process for internal witness audits that meets the following requirements: a. The internal witness audit program shall be based on the contracted oftiœ\'s input. b. All sponsored auditors shall be included in the internal witness audit program. c. Auditors sponsored by more than one certification body shall be witnessed by each sponsoring certification body. Internal and external witness audits pertaining to other standards (e.g., ISO 9001) or from other organizations (e.g., an oversight office, national accreditation bodies, other IATF certification bodies sponsoring the same auditor, etc.) shall not be considered as part of the certification body's internal witness audit process. d. Newly sponsored and/or newly qualified IATF 16949 auditors shall be intemally witnessed with acceptable results before conducting IATF 16949 certification audits as a lead auditor according to the following schedule: i. The primary sponsoring certification body (see section 10.0) shall intemally witness its newly qualified auditors within six (6) months of their successful oompletion of phase one qualitication requirements, (i.e., \"full" or "interim" pass status) and again within six (6) months of the successful œmpletion of phase two qualification requirements ii. Each co-sponscring certification body (see section 10.0) shall intemally witness each newly sponsored auditor within six (6) months of their sponsorship start date. e. Subsequent to the completion of the internal witness audits for newly qualified and newly sponsored auditors in point d) above, the certification body shall establish and adjust the internal witness audit frequency for each of its sponsored auditors based on a performance review (see section 4.4) with a maximum duration between the internal witness audits of six (6) years or seven hundred (TOO) "audit days", whichever comes first. f. Auditors shall be witnessed only while performing the audit team leader role during an IATF16949 audit. If necessary, the witnessed auditor shall be temporari assigned as the audit team leader for the purposes of the internal witness audit. g. The scope of internal witness audits shall cover the analysis and evaluation of audit planning inputs and outputs; the conduct of the audit, including a signiticant portion of the audit time spent auditing manufacturing processes; and the auditor's draft audit report submitted for technical review. h. Internal witness audits shall focus on compliance with these Rules, other IATF requirement documents, and the certification body's processes, and the auditor's performance relative to the IATF Auditor Guide\'s Essential and General Auditor Competencies. i. Internal witness audits shall include: 1. verification of systemic corrective actions implemented by the certification body in its management system as a result of nonœnformities issued internally or by the relevant oversight office 2. verification of systemic corrective actions implemented by the certification body in its management system as a result of IATF OEM complaints, as applicable 3. investigation of areas of concern raised by the contracted office. j. The certification body shall only use approved internal witness auditors (see section 4.5.1 ). k. Internal witness auditors shall be assigned to minimize the impartiality risk in the assessment of the witnessed auditor. l. Internal witness auditors shall not participate in the audit as a member of the audit team. m. Audits selected for an internal witness audit shall be selected from stage 2 certification, surveillance, recertification, and transfer audits. n. Audits shall be witnessed with the same audit method used for the audit et the client location (i.e., onsite or using remote technology where permitted) from the beginning through the end and be no less than two (2) days in audit duration. o. The internal witness audit report shall cover the scope of the witness audit, include all identified witness audit non-conformities, and include written statements on: 1. the witnessed auditor\'s conformanœ with requirements 2. the details of and results for the verification of systemic corrective actions implemented by the certification body in response to nonœnformities issued in internal audits, IATF audits, and/or IATF OEM complaints, where applicable 3. the investigation details of and results for the areas of concern raised by the contracted office 4. the auditor's ability to write clear and concise non-conformities in four (4) distinct parts (see section 5.9) to allow the client to achieve an understanding of and an effective resolution for the audit finding 5. the appropriateness of non-confomflties issued to the client and their justified classification 6. the appropriateness of audit conclusions and recommendations made to the technical reviewer 7. any concerns the witness auditor has related to soft---auditing or soft-grading 8. the auditor's performance relative to the Essential Auditing Competency criteria as stated in the IATF Auditor Guide 9. the auditor's strengths and opportunities for improvement 10. the witness auditor's overall conclusion and recommendations, including recommended approval status of the witnessed auditor, and follow-up actions, if any. p. All non-conformities identified during an internal witness audit shall be related to these Rules, other IATF requirement documents, or certification body process requirements and written in at least three (3) distinct parts: 1. a statement of nonconformity 2. the requirement(s) or a specific reference(s) to the requirement(s) 3. the objective evidence that supports the statement of nonconformity. q. The internal witness audit report shall be provided to the witnessed auditor and the contracted office for report review and approval. r. Based on the information provided in the witness audit report, the contracted office or personnel authorized by the contracted office shall make a decision to grant, maintain, or revoke the (lead) auditor approval status of the witnessed auditor. s. Each nonconformity issued from internal witness audits shall go through the problem-solving process (see section 2.2). Each nonconformity shall be categorized by the personnel involved in the problem---solving process (see section 4.0) as an auditor lapse, a local system problem, or a global system problem, and shall lead to appropriate actions at the relevant level(s) of the certification body. t. Any actions resulting from internal witness audits shall be taken in a time and appropriate manner and communicated to responsible personnel. Systemic corrective actions shall be implemented, accepted, and submitted to the contracted office no later than ninety (90) calendar days after the issue date of the nonconformity. u. The contracted office or personnel authorized by the contracted office shall determine actions to verify the effectiveness of systemic corrective actions, where appropriate. The certification body shall mark the client audit that was witnessed in the IATF Database within twenty (20) calendar days after the closing meeting date of the witnessed audit. Internal witness audit results and actions taken shall be an input for the process of maintaining auditor qualification and approval (see section 4.4) and shall be included in the management review process. Appeals and complaints ====================== The certification body shall have a process and one (1) centralized, common system for processing and managing appeals from clients and complaints from clients and other interested parties filed against the certification body. The certification body shall have & publicly accessible interface to allow & client or other interested parties to initiate a complaint or an appeal. Information about the process for initiating complaints and appeals shall be communicated to the client. The certification body's contracted office shall have access to all complaints and appeals relating to global IATF 16949 certification activities. A certification body's regional ofiice(s) shall have access to all complaints and appeals relating to its IATF 16949 certification activities. The processing of appeals and complaints shall include the following activities, where appropriate: a. receiving and assigning responsibility b. validating and investigating c. determining the root cause d. ensuring that any appropriate correction and systemic corrective actions are taken and verified for effectiveness in the certification body\'s management system e. providing progress reports and the outcome to the person or organization tiling the complaint or appeal f. maintaining records. The appeals process shall not impact the timing related to nonconformity management (see section 5.11) or the decertification process (see section 8.0). The certification body shall ensure that all appeals and complaints are processed with impartiality and in a time manner and that adequate resources are available. The people engaged in decision-making for appeals and complaints shall be different from those who conducted the audits and made the relevant certification decisions. Performance complaints issued to the certification body's clients from their customers shall follow the decertification process (see section 8.1 ). Management review ================= The certitication body's relevant top management shall conduct a local management review of the contracted office and relevant regional offices, which shall be specific to IATF 16949 certification. The certitication body's top management shall also conduct a comprehensive management review with the involvement of the oontracted office, which shall be specific to all global IATF 16949 certitication activities, hereafter known as "global management review.\" The outputs of the local management reviews shall be considered as inputs for the global management review. The purpose of these management reviews shall be to evaluate the management system, including its stated policies and objectives for its effectiveness in: - fulfilling these Rules and any other IATF requirement documents - IATF 16949 certification of clients - management, including monitoring and controlling certification activities - meeting the defined objectives - identifying and mitigating systemic risks - continually improving the management system. The certification body shall have a documented management review process that includes, at minimum, the following provisions: a. Global and local management reviews shall be conducted at planned intervals at least once per year (i.e., every 12 months \[---1/+1 month\]). b. Management reviews shall be conducted at all regional offices that schedule and conduct IATF 16949 audits for at least twenty-five (25) client sites per calendar year and/or perform technical reviews. c. Regional offices not meeting the criteria in point b) above are not required to perform a separate management review but shall be included in the contracted or another office's management review. d. Local management reviews shall be conducted no more than three (3) months before the global management review and serve as an input for the global management review. e. Every management review shall include the following sequential steps for each required management review item in section 2.9.1: 1. acquirement of relevant input data relating to the time period covered by the review 2. analysis of the input data 3. evaluation of the input data, leading to conclusions, including identified system-related issues (e.g., improvement needs, corrective or preventive action needs, risks, etc.) 4. development of improvement, corrective, and preventive actions to address the identified issues. f. Management review outputs shall meet the requirements in section 2.9.2. g. A feedback loop between the contracted office and the regional offices shall be established that includes: 1. the provision of input data to the regional offices where the required input for the local management review can only be generated by the contracted office 2. queries between the œntracted and regional offices relating to the management review process and/or records 3. improvements and/or corrective action requests between the contracted and regional otiice(s) in response to management review results) h. Relevant top management shall ensure and monitor the time and effective implementation of decisions and actions resulting from management review activities. 9. Management review items ======================= All management reviews shall cover obtaining, analyzing, and evaluating input data for the items below: a. status of ISO 17021-1 accreditation (or its national equivalent) b. internal or external changes that affect the management system c. impartiality risk assessment frequency and outcomes, including significant risks identitied and any violations of impafliality requirements d. any significant changes identitied in the business continuity risk assessment e. actions from previous management reviews---including, at minimum, implementation timeliness---and their status f. management system performance and trends in relation to established performance targets (see section 2.2) g. internal system and witness audit program completion status h. internal system and witness audit---related nonconformities, including, at minimum, source, status, timeliness, count, country/region, reference to requirement, affected certification body process or activity, recurrence, and trends i. IATF oftice assessment---related and witness audit---related nonconformities, including, at minimum, source, status, timeliness, count, classification, country/region, reference to requirement, affected certification body process or activity, recurrence, and trends j. IATF certitication body problem-solving process performance (see section 2.103), including, at minimum, acceptability, timeliness, and related trends k. IATF OEM performance complaints, other customer performance œmplaints, and complaints initiated by the relevant oversight office, including, at minimum, timeliness, status, categorization, trends, and results l. appeals from clients, including, at minimum, timeliness, status, categorization, trends, and results m. complaints from clients, including, at minimum, timeliness, status, categorization, trends, and results n. other satisfaction-related and/or compliance-related feedback from interested parties (e.g., client satisfaction surveys, whistleblower hotlines, employee surveys, notifications from government bodies and technical committees, etc.) o. waiver requests, including, at minimum, the quantity and distribution across the Rules requirements and the relevant oversight ofiice's decisions p. technical review and certification decision process performance, including, at minimum, timeliness, detected error types and quantity, technical reviewer performance, and related trends q. nonconformity statistics for potential soft---auditing and soft---grading, including the number of nonconformities per audit, perœntage of major nonconformities, and percentage of audits with zero nonconformities by regional and, where applicable, global levels, and related trends r. utilization statistics for personnel involved in audits and certification decisions (i.e., auditors and technical reviewers) s. IATF Database KPI performance and related trends against objectives, where applicable t. issues found during monthly IATF Database accuracy checks (see section 2.2), where applicable. 10. Management review records ========================= Management review records shall provide evidence that input data were obtained, analyzed, and evaluated as required in sections 2.9 and 2.9.1 and that corresponding decisions and actions were identified to address systemic risks, issues, and resource needs derived from the input data analysis and evaluations. Input data used for management reviews shall be referenced and maintained as a part of the management review records. The management review record shall include, at minimum: 1. the date(s) of the management review(s) and all attendees 2. a written statement on the data analysis output and evaluation output, including identified system-related issues, for each of the management review items 3. the decisions and actions taken, including timing and responsibilities, for each of the management review items 4. opportunities to improve the effectiveness of the management system and its processes 5. a conclusion statement from top management whether or not the management system, including the stated policies and objectives, continues to be suitable and adequate to meet its purpose. IATF ongoing monitoring activities ================================== The certification body shall support the planning and conduct of ongoing monitoring activities by the relevant oversight office and manage nonconformities issued from these activities as required by these Rules. IATF witness audits =================== An IATF witness audit is a partial assessment of the certification body's certification process through observation of an IATF 16949 audit and review of related certification records. Witness audits are conducted by IATF witness auditors on behalf of the relevant oversight office at a manufacturing site and/or its remote or standalone remote support location. One (1) witness audit may include multiple physical locations of a client. Witness audits shall focus on audit planning and audit conduct and may also consider objective evidence relating to past certitication activities that were not directly observed during the witness audit. Witness audits verify the certification body's oonformanœ with the requirements of: a. these Rules and any other IATF requirement documents b. relevant Certitication Body and Stakeholder Communiqués c. the certification body's key processes and operating procedures (see section 2.2). By verifying the certification body's œnfomanœ wiih the requirements above through continued witness audits, the IATF seeks to gain reasonable assurance that the certitication body's certification process continues to be effective implemented and only issues certificates to clients that have implemented & quality management system in accordance with the requirements of IATF 16949. The IATF witness auditor shall not interfere with the audit. The relevant oversight office shall program and schedule at least the minimum number of witness audits per calendar year according to Table 2.10. The global distribution of these witness audits should be in proportion to the IATF 16949 audit activities performed by region. Witness audits are selected to sample from the different audit types (see sections 6.0 and 7.0) and observe as many different certification body auditors as possible. A witness audit may focus on all or selected certification body audit team members. On a monthly basis, the certification body shall provide a three (3) month schedule of their upcoming IATF 16949 audits (i.e., the current month plus two \[2\] months) to the relevant oversight office. The schedule shall include all audits et manufacturing sites and standalone remote locations and indicate confirmed and planned audits. Witness audits may be announced to the certification body with short notice. Once a witness audit has been announced, any audit-related changes (such as changes to the audit date, audit team, audit method \[i.e., onsite or remote\], or audit location) and justifications for the changes shall be immediate communicated to the relevant oversight office and the assigned witness auditor. Table 2.10 Minimum number of witness audits per certification body ![A table with numbers and numbers Description automatically generated](media/image2.png) The certification body shall provide information necessary for the witness auditor to prepare for the witness audit by the due date specitied by the relevant oversight office. When translation for a witness auditor is required, the certification body shall hire & professional third---party translator that can provide simultaneous translation to the witness auditor unless otherwise approved by the relevant oversight office. Upon the announcement of a witness audit, the certification body shall inform the client, without undue delay, of any IATF witness audit and any IATF witness auditors that will observe the IATF 16949 audit. The client shall not refuse a witness audit or the IATF witness auditor's observation of the entire audit (see section 3.1 ). IATF office assessments ======================= Office assessments are to be conducted at the contracted office or any regional office involved in IATF 16949 certification activities to assess the certification body's management system conformanœ with the requirements of: a. these Rules and any other IATF requirement documents b. relevant Certification Body and Stakeholder Communiqués c. the certitication body's key processes and operating procedures (see section 2.2). By verifying the certification body's oonfom1anœ with the requirements above through continued oftice assessments, the IATF seeks to gain reasonable assurance that the certitication body\'s management system is effective implemented, controlled, and continually improved (see section 2.2). Office assessments are to be conducted annually at the certification body\'s contracted office. Regional offices shall be audited at the discretion of the relevant oversight office based on IATF 16949 certification scheme risk considerations, certification body performance, peflonnance complaints, or other circumstanœs deemed appropriate. Results from an office assessment may lead to additional assessments at the contracted office or other regional offices (see section 2.10.4). The certification body shall provide the required information necessary to the office assessor to prepare for the office assessment by the due date specified by the relevant oversight office Nonconformity management (certification body problem---solving) =============================================================== A nonconformity can be issued to a certification body at an oftice assessment, a witness audit, or as a special (ad---hoc) nonconformity due to performance-related issues, any violation of these Rules, or any other IATF requirement documents. The certification body shall follow the requirements of the IATF Certitication Body Problem Solving Manual to resolve any nonœnformities issued to them by their relevant oversight office. The relevant oversight office shall verify the effective implementation of the systemic corrective actions taken. Verification may occur at subsequent office assessments, witness audits, and/or with additional IATF monitoring activities. Additional IATF monitoring activities ===================================== The relevant oversight office reserves the right to undertake additional monitoring activities through special witness audits or office assessments based on IATF 16949 certification scheme risk considerations, certification body performance, certification body auditor performance, performance complaints, or other circumstanœs deemed appropriate. Additional monitoring activities may be accomplished by an off---site review of documents and records et the discretion of the relevant oversight office. Certification body de-recognition process ========================================= The IATF has a de-recognition process for certification bodies that pose a risk to the integrity of the IATF 16949 certification scheme. The relevant oversight office may initiate the de-reoognition process for a certification body when: a. any provision of the legally enforceable agreement with the IATF, including the Certification Body Code of Conduct, is violated b. these Rules or any other IATF requirement documents are violated c. impartiality and/or conflict of interest requirements (see section 2.5.2) are not met or are not enforced d. ISO/IEC 17021 -1 accreditation to perform ISO 9001 certification, including all regional offices, as applicable (see section 2.2), is not maintained e. fewer than twenty---five (25) different client sites are audited per calendar year f. IATF Database accuracy, integrity, and timeliness of entries as required by these Rules and any other IATF requirement documents is not maintained g. the integrity of the auditor qualification process is not maintained (see sections 4.2 and 4.3) h. statutory or regulatory requirements in countries in which it operates (see section 2.1) are violated i. the nonconformity management (see section 2.103) performance level is not achieved or maintained as required by the relevant oversight office j. systemic corrective actions (see section 2.103) are not effective implemented. Based on risk analysis, the relevant oversight office shall make a recommendation to IATF Global Oversight to suspend or not suspend the certification body. The decision to suspend only a certification body's regional office is at the discretion of IATF Global Oversight. A certification body that is in a status of suspension: - shall not quote any new business for IATF 16949 - shall not conduct any stage 1 readiness assessments - shall not conduct any stage 2 certification audits - shall not conduct any transfer audits unless the legal contract with the client was signed before the date of the certification body's suspension - shall conduct surveillance audits for existing clients - shall conduct recertification audits for existing clients - shall conduct special audits for existing clients (see section 7.2). Note: The relevant oversight office may impose additional controls and sanctions on the certification body. The final decision of the de-recognition process may result in the termination of the certification body's legally enforceable agreement (i.e., the "Agreement") and the termination of the certification body\'s IATF recognition. 3. CERTIFICATION BODY LEGAL CONTRACT REQUIREMENTS WITH THE CLIENT ============================================================== 13. Certification body legal contract with the client ================================================= The certification body shall have a legal contract (i.e., a legally enforceable agreement) with the client for the provision of IATF 16949 certification activities. Where there are multiple client locations included in the scope of certification, the certification body shall ensure that each client location is covered by a legal contract between the certification body and client. A client's location shall not be included in & corporate scheme until it has been included in the legal contract between the certification body and the client. The legal contract between the certification body and the client shall include the following provisions: a. The client shall provide the certification body information related to previous and/or existing certification to IATF 16949 before contract signature. b. The client shall notify the certification body of significant changes. c. The client shall not refuse an IATF witness audit of the certification body. d. The client shall not refuse a certification body internal witness audit. e. The client shall not refuse the presence of IATF observers. f. The client shall not refuse the request of the certitication body to provide the final audit and nonconformity reports to the IATF. g. The only use of the IATF logo is as displayed on the certificate or the letter of conformance issued by the certification body. Any other use of the IATF logo by the client is prohibited. h. Quality management system---related consultants to the client shall not be physically present at the client's site during an audit and shall not participate in the audit in any way either directly or indirectly. The client's failure to meet this oontractual requirement shall result in audit termination by the certitication body. i. The client shall provide pre-audit planning information to the certification body as required by the certification body. j. The client shall notify the certification body of its intent to transfer once a legal contract is signed with a new certification body. k. The client shall work with the certification body to resolve open issues related to its transfer to or from another lATF---recognized certification body. l. The client shall remove all references to IATF 16949 certification from all internal and external marketing channels---including, but not limited to, websites and printed and electronic media---when its certification is cancelled, withdrawn, or expired. m. The certification body shall notify its clients within ten (10) calendar days of any changes in the certification body's ownership status or loss of IATF recognition. n. The certification body shall work with the client to resolve open issues related to the client's transfer to or from another lATF-recognized certitication body. o. The certification body, including all of its sponsored IATF 16949 auditors, shall comply with all relevant data protection laws for the respective client jurisdictions and provide sufficient transparency regarding the use of relevant personally identifiable information (PII). Any violation of provisions a) --- I) above shall be considered a material breach of contract and shall lead to appropriate actions by the certification body, including, but not limited to, audit termination, audit cancellati0n, contract cancellation, or certitication withdrawal. Notice of significant changes by a client ========================================= The client shall notify the certification body of imminent changes that may affect the capability of the quality management system to continue to fulfill the requirements of the IATF 16949 certification. These include, for example, changes relating to: a. legal status b. ownership status (e.g., mergers, acquisitions, alliances, joint ventures, etc.) c. management structure (e.g., top management, key decision-making staff, etc.) d. contact address or location e. relocation of the manufacturing process(es) or support activities (see section 5.15) f. closure or relocation of a manufacturing site, extended manufacturing site, or a standalone remote support location (see section 5.15) g. scope of operations under the quality management system, including any new locations and/or support relationships to be covered in the certification scope h. outsourcing of quality management system processes to other organizations i. customer dissatisfaction scenarios that require certification body notification as described in IATF OEM customer---specific requirements (e.g., special status conditions, etc.) j. a signed contract with another lATF---recognized certification body (see section 7.1). The certification body shall take appropriate actions based on the changes communicated by the client, including special audits (see section 7.2). Records of the notification of significant changes and the actions taken shall be maintained as a part of the certification records. PERSONNEL RESOURCE REQUIREMENTS MANAGEMENT ========================================== The certification body shall have a process to define the responsibilities and the necessary competencies (i.e., knowledge, skills, and abilities) for each role involved in IATF 16949 certification activities. This process shall include, but not be limited to, the following roles: a. technical reviewer b. application reviewers c. IATF 16949 auditor candidates d. IATF 16949 auditors e. internal witness auditors f. internal system auditors g. IATF Database specialists entering data and/or performing accuracy checks h. personnel involved in the problem-solving process for nonœnf0rmities issued to the certification body by the relevant oversight office (see section 2.103) i. personnel involved in problem-solving activities related to complaints raised by clients and other interested parties, and non-conformities issued in internal witness audits and internal system audits (see section 2.2). The certification body shall have a process to develop, demonstrate, and maintain the necessary competencies of personnel performing these roles. The certification body\'s contracted office shall determine the methods and means to demonstrate, with evidence, the competencies of personnel involved in IATF 16949 certification activities. The necessary competencies shall be demonstrated before carrying out these roles. Records of demonstrated competence shall be retained by the certification body. Where technical experts are used, the certification body shall ensure that their competece is evidenced before allowing their participation in IATF 16949 audits. The certification body shall perform specific calibration activities for the roles listed in a), b), d), 9), and f) above to ensure consistency of evaluations made by and between the persons performing these roles, including, where applicable, appropriate activities to address soft auditing, soft grading, and other weaknesses related to nonconformity management activities. These calibration activities shall be a minimum of three (3) hours per role and calendar year. The certification body shall ensure a sufficient number of competent personnel resources are available and allocated to effectively conduct IATF 16949 certification activities as planned and required. Technical reviewer approval criteria ==================================== The certification body shall nominate individuals as technical reviewers (see section 10.0) to their relevant oversight office for approval who meet the certification body's internally defined competence criteria in addition to meeting the following requirements: a. is a permanent employee (see section 10.0) of the nominating certification body b. has a valid, single sponsorship from the nominating certification body c. is an active, or previously active, IATF 16949 auditor that has successfully completed the two (2) phases of the IATF auditor qualification process d. has conducted a minimum of thirty (30) IATF 16949 audits, excluding special audits, with any sponsoring certification body e. has conducted a minimum of eight (8) IATF 16949 audits, excluding special audits, as audit team leader for the nominating certification body within the last twelve (12) months f. has IATF 16949 audit nonconformity statistics, calculated from a statistically significant sample, which meet the nominating certitication body's global nonconformity statistics or the IATF global nonconformity statistics g. has no auditor---related major non-conformities, as determined in the certitication body's problem-solving process, raised during an IATF witness audit within twenty-four (24) months for the nominating certification body. 15. Maintaining technical reviewer approval ======================================= The responsibility for maintaining technical reviewer approval shall be shared between the technical reviewers and their certification body to ensure the certification body\'s internally defined competence criteria and the following requirements are continuously met: a. remain a permanent employee of the relevant certification body b. retain & valid, single sponsorship for the relevant certification body c. maintain IATF 16949 auditor qualification (see section 4.4) or for technical reviewers who are not active auditors, ensure that the requirements under 4.4 d) are met d. undertake a minimum of twenty---five (25) technical reviews for either step one or two per calendar year (see section 5.12) e. complete the minimum hours of calibration activities (see section 4.0). If items a) - e) above are not achieved or maintained, the certification body shall revoke the technical reviewer\'s approval. The certification body shall notify the relevant oversight office within twenty (20) calendar days of any changes that affect the technical reviewer approval status. The relevant oversight office reserves the right to revoke the technical reviewer's approval. Application process and criteria for IATF 16949 auditors ======================================================== The certification body shall have a process for selecting new auditor candidates for admission into the IATF 16949 auditor qualification process. The contracted office of the sponsoring certification body shall complete an application form with relevant supporting information for each auditor candidate and submit it to an lATF-recognized training organization for approval and access to the IATF 16949 auditor qualification process. The auditor candidate shall meet the following criteria with supporting evidence: a. is qualified according to ISO/IEC 17021-1 and the relevant accreditation body's requirements to perform ISO 9001 audits b. has conducted at least six (6) ISO 9001 third-party audits in manufacturing industries, and at least three (3) of those as an audit team leader Note: Automotive manufacturing first- or second-party system auditing experience may be considered. c. is competent in automotive core tools (at minimum FMEA, MSA, and SPC) Note: Documented evidence must demonstrate the way in which competency was achieved (i.e. education and/or training with examination and/or experience in application). d. has four (4) years of full-time appropriate practical experience, including two (2) years dedicated to quality assurance and/or quality management activities, within the past fifteen (15) years in an automotive manufacturing organization Note: Experience in industries with similar scopes of applicability (e.g., Aerospace, Telecommunications, Rail, Industrial Off---Road Equipment, etc.), chemical, electrical, or metallic commodities may be considered. e. observed & minimum of one (1) IATF 16949 third---party audit, excluding special audits, from the beginning through the end, lasting a minimum of two (2) audit days. 16. Application process for previously qualified IATF 16949 auditors ================================================================ Previously qualified IATF 16949 auditors whose credentials were deactivated within the previous thirty---six (36) months of the application date due to: a. failure to achieve "full pass\" status in phase one of the auditor qualification process (see section 4.3.1) b. failure to successfully complete phase two of the auditor qualification process (see section 4.3.2) c. failure to successfully complete the mandatory IATF Auditor Development Process (IATF ADP) training modules within the required timing d. failure to complete the minimum number of audits and/or audit days (see section 4.4.1) e. failure to meet continuing personal development (CPD) requirements (see section 4.4.2) Auditor qualification process ============================= The IATF 16949 auditor qualification process has two (2) phases: initial qualification and full qualification. Details of the two (2) phases can be found a www.iatfqlobaloversiqht.org. Phase one - initial qualification ================================= The new auditor candidate shall demonstrate competence through the successful (i.e., "full pass" or "interim pass" status) completion of phase one in the IATF 16949 auditor qualification process. Upon successful completion of phase one, the newly qualified auditor will be issued an IATF 16949 auditor number to allow the auditor to conduct IATF 16949 audits for a sponsoring certification body. Newly qualified auditors may participate in IATF 16949 audits as audit team members but shall not be assigned the role of audit team leader. Within six (6) months of successful completion of phase one, the new auditor shall undergo an internal witness audit (see section 2.7) with acceptable results before undertaking any IATF 16949 audit as an audit team leader for the sponsoring certification body. The newly qualified auditor shall be temporarily assigned the role of audit team leader while undergoing the internal witness audit in compliance with the requirements listed in section 2.7. Phase two - full qualification ============================== An auditor shall enter phase two of the auditor qualification process no earlier than twelve (12) months and no later than twenty-four (24) months after achieving \"full pass\" status in phase one. Upon successful completion of phase two of the auditor qualification process, the auditor will be issued a new IATF 16949 auditor number to allow the auditor to continue to conduct IATF 16949 audits for a sponsoring certification body and shall undergo an internal witness audit within six (6) months (see section 2.7). Maintaining auditor qualification and approval ============================================== The responsibility for maintaining IATF 16949 auditor approval shall be shared between the auditors and their sponsoring certification bodies. Each certification body shall have a process for maintaining and controlling auditor approval status for each sponsored auditor, which shall include the following inputs: a. sponsorship status b. qualification status c. completion of the required minimum number of audits and audit days (see section 4.4.1) d. completion of the required minimum hours of CPD requirements, mandatory IATF ADP training modules, and required calibration hours (see section 4.4.2) e. performance data from at least the previous twelve (12) months and related trends, which shall include, at minimum: 1. timeliness of audit-related information provided to the technical reviewer (see section 5.10 and 5.12) 2. timeliness of nonconformity management-related information provided to the technical reviewer (see sections 5.11 and 5.12) 3. acceptability of the audit-related information provided to the technical reviewer, including details on detected error types, quantity, and related trends 4. acceptability of the nonconformity management-related information provided to the technical reviewer, including details on detected error types, quantity, and related trends 5. client audit nonconformity statistics. f. auditor-related performance feedback over the previous thirty-six (36) months, if applicable, which shall include, at minimum: 1. results of IATF witness audits 2. results of certification body internal witness audits 3. auditor-related feedback from clients, including accepted appeals, valid complaints, and the results from post-audit surveys 4. other auditor- related performance problems, including unethical behavior, issues identified from internal system audits, oversight office complaints, customer performance complaints, or other sources. The certification body shall use records described in points e) and f) above as input to a performance review and to establish and adjust the internal witness audit frequency for each sponsored auditor (see section 2.7). Records described in points a) - f) above for all sponsored auditors shall be maintained by the certification body and made accessible by the contracted office as needed to monitor and control the process for maintaining and controlling auditor approval status of IATF 1 6949 auditors. If an acceptable level of performance is not achieved or maintained, the certification body shall decide on: - remedial actions - revocation of audit team leader status - temporary suspension of the auditor - termination of sponsorship. The certification body shall notify the relevant oversight office within twenty (20) calendar days if either of the following occur: - termination of sponsorship of an auditor - fraudulent activity or unethical behavior is discovered related to a sponsored auditor. The relevant oversight office has the authority to suspend or terminate the credentials of an IATF 16949 auditor due to performance-related or ethics issues. While in suspension, an auditor shall not perform any of the roles listed in section 4.0 a) - i), where applicable. Minimum audits and audit days ============================= Each auditor shall conduct a minimum of one (1) IATF 16949 audit per quarter and conduct a minimum total of ten (10) audit days in each full calendar year to maintain their auditor credentials. The following audit types count towards the achievement of the required minimum audit activity: stage 1 readiness assessments, stage 2 certification audits, surveillance, recertification, transfer, and special audits. Failure to meet these requirements shall result in the termination of the auditor credentials, and the auditor shall be deactivated by both the relevant oversight office and the certification body. Continuing personal development (CPD) ===================================== It is the joint responsibility of the certification body and personnel performing any of the roles listed in section 4.0 a), d), e), and f) to ensure that the annual minimum of subject-matter-related CPD is achieved (see section 10.0). The certification body shall be responsible for providing access for the personnel performing any of the roles listed in section 4.0 a), d), e), and f) to a minimum of eight (8) hours of structured subject- matter-related CPD per calendar year, including calibration activities, to ensure consistent evaluations (see section 4.0). The certification body shall maintain records to demonstrate that the CPD hours provided were undertaken by the personnel performing these roles. Each sponsored auditor shall be responsible for completing a total of twenty (20) hours of CPD per calendar year, which may be a combination of unstructured and structured activities (see section 10.0). The total number of unstructured hours shall not constitute more than five (5) hours of the minimum twenty (20) hours. Personnel performing any of the roles listed in section 4.0 a), d), e), and f) shall successfully complete mandatory IATF ADP training modules within the required timing as part of their CPD activities. It is the responsibility of the personnel performing the roles listed in section 4.0 a), d), e), and f) to maintain current CPD records in the IATF ADP. Failure to meet CPD requirements may result in the termination of credentials to perform these roles. Internal witness auditor approval criteria ========================================== The certification body shall nominate individuals as internal witness auditors to its relevant oversight office for approval, who meet the certification body's internally defined competence criteria in addition to meeting the following requirements: a. has a valid sponsorship from the nominating certification body b. is a fully qualified, active IATF 16949 auditor that has successfully completed both phases of the auditor qualification process c. has conducted a minimum of fifty (50) IATF 16949 audits, excluding special audits, as audit team leader for any sponsoring certification body d. has conducted a minimum of eight (8) IATF 16949 audits, excluding special audits, as an audit team leader for the nominating certification body within the last twelve (12) months e. has IATF 16949 audit nonconformity statistics, calculated from a statistically significant sample, which meet the certification body's global nonconformity statistics or the IATF global nonconformity statistics f. has no auditor-related major nonconformities, as determined in the certification body's problem-solving process, raised during an IATF witness audit within twenty-four (24) months for the nominating certification body. The certification body shall nominate no more than fifteen percent (15%) of all sponsored IATF 16949 auditors as internal witness auditors. Maintaining internal witness auditor approval ============================================= The responsibility for maintaining certification body internal witness auditor approval shall be shared between the internal witness auditors and their sponsoring certification body to ensure the certification body's internally defined competence criteria and the following requirements are continuously met: a. retain valid sponsorship from the relevant certification body b. maintain IATF 16949 auditor qualification and approval (see section 4.4) c. undertake a minimum of eight (8) IATF 16949 audits, excluding special audits, as an audit team leader or as an internal witness auditor for the relevant certification body per calendar year d. the auditor's activity as an IATF 16949 auditor or internal witness auditor does not indicate any concern regarding soft auditing or soft grading e. maintain audit team leader status for the relevant certification body f. complete the minimum hours of calibration activities (see section 4.0). If items a) - f) above are not achieved or maintained, the certification body shall revoke the internal witness auditor's approval. The certification body shall notify the relevant oversight office of any changes that affect the internal witness auditor approval status within twenty (20) calendar days. The relevant oversight office reserves the right to revoke the internal witness auditor approval. Internal system auditor approval criteria ========================================= The certification body shall nominate individuals as internal system auditors to their relevant oversight office for approval, who meet the certification body's internally defined competence criteria in addition to meeting the following requirements: a. demonstrated competence in ISO/IEC 1 7021 -1, ISO 19011, and ISO 9001 b. demonstrated competency through successful completion of the knowledge and application assessments in the IATF ADP (as either an auditor or a non-auditor) and all additional mandatory training modules c. have worked at least twelve (1 2) months in the management system certification sector for the nominating certification body. 22. Maintaining internal system auditor approval ============================================ The responsibility for maintaining IATF internal system auditor approval shall be shared between the internal system auditor and their certification body to ensure the certification body's internally defined competence criteria and the following requirements are continuously met: a. conduct at least one (1) internal system audit in a twenty-four (24) month period b. successfully complete all mandatory training modules in the IATF ADP c. complete the minimum hours of calibration activities (see section 4.0). If items a) - c) above are not achieved or maintained, the certification body shall revoke the internal system auditor's approval. The certification body shall notify the relevant oversight office of any changes that affect the internal system auditor approval status within twenty (20) calendar days of the change in status. The relevant oversight office reserves the right to revoke the internal system auditor approval. IATF Database specialist competence criteria ============================================ IATF Database entry and accuracy check personnel shall be competent in the application of the IATF Database user manual and relevant Rules, including relevant Sis and FAQs, and understand the importance of IATF Database entry accuracy and timeliness. 5. AUDIT AND CERTIFICATION REQUIREMENTS ==================================== 22. Audit program ============= The audit program for a manufacturing site has a three (3) year audit cycle and a corresponding three (3) year certificate cycle, as shown in Figure 5.1. Audit program requirements for standalone remote support locations are located in section 5.5.1 of these Rules. **Figure 5.1 Manufacturing site audit and certificate cycle** A diagram of a diagram Description automatically generated Audit cycle =========== The first three (3) year audit cycle of a manufacturing site shall include an initial certification audit (stage 1 readiness assessment and stage 2 certification audit), followed by a surveillance audit in the first and second years. The first three (3) year audit cycle starts from the last day of the stage 2 certification audit. Each subsequent audit cycle starts from the last day of the recertification audit. Surveillance audits shall be scheduled from the last day of the stage 2 certification audit, the last day of a recertification audit, or the last day of a transfer audit in accordance with Table 5.1.1. The last day of the surveillance audit shall not exceed the maximum allowable timing. The certification body shall cancel the certificate, update the certification status in the IATF Database, and inform the client of the certificate cancellation within seven (7) calendar days of the maximum allowable surveillance audit timing being exceeded. The only exception to this requirement is when the client is in the transfer process and has notified the certification body of its intent to transfer (see section 3.1 j\] and section 7.1). **Table 5.1.1 Surveillance interval** ![A close-up of a number Description automatically generated](media/image4.png) The last day of a recertification audit shall not exceed three (3) years (-3 months/+0 days) from the last day of the stage 2 certification audit or the previous recertification audit or transfer audit. The certification body shall cancel the certificate, update the certification status in the IATF Database, and inform the client of the certificate cancellation within seven (7) calendar days of the maximum allowable recertification audit timing being exceeded. The only exception to this requirement is when the client is in the transfer process and has notified the certification body of its intent to transfer (see section 3.1 j\] and section 7.1). Recertification audits shall be scheduled to provide sufficient time for nonconformity management activities to be completed (see section 5.11 ) and the certification decision made (see section 5.12) before the expiration of the existing IATF 16949 certificate. The audit cycle requirements for standalone remote support locations are located in section 5.5.1 of these Rules. Certificate cycle ================= The first three (3) year certificate cycle of a manufacturing site begins with the date of the certification decision (see section 5.12) following a stage 2 certification audit. The date of the certification decision shall be the issue date of the certificate (see section 5.13). A new three (3) year certificate cycle begins with the date of the certification decision following a recertification or transfer audit. The certification decision shall be made before the expiration date of the existing certificate, and the date of the certification decision shall be the issue date of the new certificate. The existing certificate is therefore superseded on this date. The expiration date of the certificate shall be a maximum of three (3) years minus one (-1) day from the date of the certification decision. A certificate, once issued, remains valid until it expires or is superseded, canceled, or withdrawn. Standalone remote support locations do not have a certificate cycle. Standalone remote support locations shall be included in the scope of the IATF 1 6949 certificate(s) for the manufacturing site(s) they support. Determining the audit duration for initial certification, surveillance, recertification, and transfer audits ============================================================================================================ The certification body shall have a process for determining the audit duration required to accomplish a complete and effective audit of the client's quality management system. "Audit duration" shall be understood to include "audit days" + "additional audit time." For examples of applying audit day calculations, see Annex 1 - Audit Day Calculation Examples. The audit duration determined by the certification body and the justification for the audit duration determination, or any changes to it, shall be retained as part of the audit record for each audit. When determining the audit duration and developing an audit plan (see section 5.7.2), the certification body shall consider, at minimum, the following: The minimum audit days for the stage 2 certification audits, surveillance audits, and recertification audits are determined from Table 5.2. The determination of the minimum audit days shall be based on the audited entity (see section 10.0), which includes the total number of employees at the manufacturing site, including its extended manufacturing site(s), and the number of relevant employees at the standalone remote support location(s). Employees from the standalone remote support location(s) shall be apportioned to the manufacturing site(s) as demonstrated in Annex 1 - Audit Day Calculation Examples. An alternative method to determine the minimum audit days for standalone remote support locations is described in section 5.2.3 b). When determining the number of employees for the audited entity, the certification body shall include permanent, part-time, contract, and temporary employees, and the average number of daily workers. Where daily workers are utilized, the average number of daily workers utilized in the previous six (6) month period shall be used to determine the average number of daily workers used in the audit day calculation. When the number of employees increases before the audit (see section 5.7.1), the minimum audit days shall be recalculated. If the minimum audit days increase, the change shall be applied to the audit duration of the current audit. The only audit day reductions permitted are listed in section 5.4. f\) When calculating the audit days, after applying all allowable reductions, the result shall be rounded up to the nearest half day (i.e., 2.02 -\> 2.5). After applying all permitted reductions and rounding, audits shall be no less than one and one-half (1.5) audit days at manufacturing sites. If a portion of the manufacturing site is dedicated to automotive, then the number of employees from that portion can be used to determine the minimum audit days, provided the following conditions are met: 1. "Application for Audit Day Reduction\" is approved internally by a certification body technical reviewer based on the following criteria: i. The automotive manufacturing shop floor (see section 10.0) is physically separated from non-automotive manufacturing (e.g., separate building, permanent barrier between automotive and non -automotive lines/machines, no shared equipment/tooling/production lines, etc.) ii. Personnel working on the automotive manufacturing shop floor are trained for and primarily dedicated to working on the automotive shop floor, and non-automotive personnel do not work on the automotive manufacturing shop floor iii. At minimum, the same employee ratio (automotive manufacturing personnel divided by all manufacturing personnel) shall be applied to the support activity employee count. 2. The certification body-approved "Application for Audit Day Reduction" shall be entered into the IATF Database and forwarded to the relevant oversight office with supporting evidence before the start of the audit. Where more than one (1) auditor is appointed to an audit, each auditor shall perform a minimum of one (1 ) audit day, excluding "additional audit time". A maximum of fifteen percent (15%) of the audit days may be allocated to audit reporting, which includes time allocated to optional daily wrap-up/debrief meetings and developing the draft audit report in the IATF Common Audit Report Application (IATF CARA). Where an auditor or auditee is not fluent in the language(s) in which the audit will be conducted, a translator shall be used. A minimum of twenty percent (20%) "additional audit time" shall be allocated to the audit of the client process(es) in which the translator is used. One (1) "audit day\" is equivalent to eight (8) hours. One-half (0.5) of an "audit day" is equivalent to four (4) hour

IATF Rules 6th Part I (Chapters 1-8) PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue