IATF 16949 Rules 6th Edition - PDF
Summary
This document provides detailed rules and procedures for certification to IATF 16949, a quality management system for the automotive industry. It outlines the requirements and processes for certification bodies and clients, including eligibility criteria, governance, risk management, personnel, audits, and certification decisions.
Full Transcript
ST Restricted

Table of Contents

1. ELIGIBILITY FOR CERTIFICATION TO IATF 16949
1.1. Certification structure eligibility requirements
2. CERTIFICATION BODY GOVERNANCE, INTERNAL CONTROL, AND RISK MANAGEMENT
2.1. General IATF recognition requirements for certification bodies
2.1.1. Legal entity structure
2.1.2. Joint ventures
2.1.3. Outsourcing of certification activities
2.2. Management system requirements
2.3. Communication of changes
2.3.1. Communication of changes to the oversight office
2.3.2. Communication of changes to clients
2.4. Management of business continuity risks
2.5. Management of impartiality risks
2.5.1. Threats to impartiality
2.5.2. Conflicts of interest
2.5.3. Impartiality risk assessment
2.6. Certification body internal system audits
2.7. Certification body internal witness audits
2.8. Appeals and complaints
2.9. Management review
2.9.1. Management review items
2.9.2. Management review records
2.10. IATF ongoing monitoring activities
2.10.1. IATF witness audits
2.10.2. IATF office assessments
2.10.3. Nonconformity management (certification body problem-solving)
2.10.4. Additional IATF monitoring activities
2.11. Certification body de-recognition process
3. CERTIFICATION BODY LEGAL CONTRACT REQUIREMENTS WITH THE CLIENT
3.1. Certification body legal contract with the client
3.2. Notice of significant changes by a client
4. PERSONNEL RESOURCE REQUIREMENTS MANAGEMENT
4.1. Technical reviewer approval criteria
4.1.1. Maintaining technical reviewer approval
4.2. Application process and criteria for IATF 16949 auditors
4.2.1. Application process for previously qualified IATF 16949 auditors
4.3. Auditor qualification process
4.3.1. Phase one - initial qualification
4.3.2. Phase two - full qualification
4.4. Maintaining auditor qualification and approval
4.4.1. Minimum audits and audit days
4.4.2. Continuing personal development (CPD)
4.5. Internal witness auditor approval criteria
4.5.1. Maintaining internal witness auditor approval
4.6. Internal system auditor approval criteria
4.6.1. Maintaining internal system auditor approval
4.7. IATF Database specialist competence criteria
5. AUDIT AND CERTIFICATION REQUIREMENTS
5.1. Audit program
5.1.1. Audit cycle
5.1.2. Certificate cycle
5.2. Determining the audit duration for initial certification, surveillance, recertification, and transfer audits
5.2.1. Determining the audit duration for stage 1 readiness assessments
5.2.2. Determining the audit duration for special audits
5.2.3. Determining the audit duration for certification structures with standalone remote support locations
5.3. Determining the audit duration - corporate scheme
5.4. Determining the audit duration - permitted reductions
5.5. Support functions
5.5.1. Audit program requirements for support functions
5.5.2. Auditing process interfaces at remote support locations
5.5.3. Reviewing remote support location audit records
5.6. Establishing the audit team
5.6.1. Auditor rotation and continuity
5.6.2. IATF observers
5.7. Audit planning
5.7.1. Client information required for audit planning
5.7.2. Audit plan
5.8. Conducting audits
5.8.1. Agility
5.8.2. Understanding the current quality management system
5.8.3. Customer risk and performance orientation
5.8.4. PDCA cycles
5.8.4.1. Continual improvement of quality management system performance
5.8.4.2. Systemic problem-solving
5.8.4.3. Management of changes
5.8.5. Automotive process approach
5.9. Audit findings
5.10. Audit reporting
5.11. Nonconformity management
5.11.1. Client responsibility for a major nonconformity
5.11.2. Client responsibility for a minor nonconformity
5.11.3. Certification body responsibility
5.11.3.1. One hundred percent (100%) resolved conditions
5.11.4. Verification of a major nonconformity
5.11.5. Verification of a minor nonconformity
5.12. Technical review and certification decision
5.13. Certification and certificate issuance
5.14. Letter of conformance
5.14.1. Letter of conformance content
5.14.2. Requesting a new letter of conformance
5.14.3. Upgrade to IATF Certification from a letter of conformance
5.15. Relocation
5.15.1. Relocation scenarios requiring an initial audit
5.15.2. Other relocation scenarios
6. APPLICATION PROCESS AND BASIC AUDIT TYPES
6.1. Application process
6.1.1. Application for certification
6.1.2. Application review
6.2. Initial certification audit
6.2.1. Stage 1 readiness assessment - certification body preparation
6.2.2. Stage 1 readiness assessment, part 1 - system and structure review
6.2.3. Stage 1 readiness assessment, part 2 - operational review
6.2.4. Stage 1 readiness assessment report
6.2.5. Identifying concerns
6.2.6. Stage 1 readiness assessment closing meeting
6.2.7. Stage 1 technical review and readiness assessment decision
6.2.8. Repeated stage 1 readiness assessment
6.2.9. Stage 2 certification audit
6.3. Surveillance audit
6.4. Recertification audit
7. OTHER AUDIT TYPES AND REMOTE AUDITING
7.1. Transfer audit
7.1.1. Transfer audit pre-conditions
7.2. Special audits
7.3. Using the remote auditing method
8. DECERTIFICATION PROCESS
8.1. Initiation of the decertification process
8.2. Analysis of the situation
8.3. Suspension decision
8.4. Special audit
8.5. Certification reinstatement or withdrawal decision
8.6. Certification reinstatement and withdrawal actions
8.7. Actions after certification withdrawal
9. RECORDS REQUIRED OF THE CERTIFICATION BODY
9.1. Certification records
9.2. Personnel records
10. TERMS AND DEFINITIONS

INTRODUCTION

The membership of the International Automotive Task Force (IATF) consists of automotive original equipment manufacturers (OEMs) and National Automotive Industry Associations. The IATF established five (5) oversight offices, commonly referred to as IATF Global Oversight, to implement and manage its IATF 16949 Certification Scheme.
Public information related to the IATF and its oversight offices can be found at www.iatfglobaloversight.org.

The IATF Certification Scheme is defined in the "Automotive Quality Management System Standard IATF 16949," the following "Rules for Achieving and Maintaining IATF Recognition," any related Sanctioned Interpretations (SIs) and Frequently Asked Questions (FAQs) (see section 10.0), and Certification Body and Stakeholder Communiqués that are issued by the IATF. Sanctioned Interpretations, Frequently Asked Questions, and communiqués are available at www.iatfglobaloversight.org.

The IATF recognizes certification bodies to conduct IATF 16949 audits and issue certificates or letters of conformance to their clients. The IATF OEM members only recognize IATF 16949 certificates or letters of conformance carrying the IATF logo and a unique IATF number issued by IATF-recognized certification bodies. Such an IATF-recognized certification body is herein referred to as a "certification body," and public information about the validity of IATF-recognized certificates and letters of conformance can be found at https://www.iatfglobaloversight.org/iatf-publications. A list of IATF-recognized certification bodies may be found at: www.iatfglobaloversight.org

It is strongly encouraged for each IATF-recognized certification body location involved in IATF 16949 certification activities and each of its IATF 16949 client locations to be in possession of the most recent IATF-authorized copy of the "Rules for Achieving and Maintaining IATF Recognition" and the "Automotive Quality Management System Standard IATF 16949".

The requirements, herein referred to as "Rules," are binding on the certification body and its clients, where applicable, and shall be implemented by the certification body and its clients as specified.

Clients of IATF-recognized certification bodies should direct questions regarding these Rules to their certification body.
Certification bodies should direct questions regarding interpretation of these Rules to their relevant oversight office.

In exceptional cases, a certification body may be unable to meet a requirement of these Rules. Where this occurs, the certification body shall submit a waiver request form to its relevant oversight office to request a deviation from the Rules requirement. IATF Global Oversight will provide guidance to certification bodies where waiver requests are not required to be approved by the relevant oversight office and can be internally approved by the certification body. Records of internally approved waivers shall be maintained by the certification body. The certification body shall enter the details of oversight office-approved and internally approved waivers (i.e., waiver number, approval date, and approval comments) into the IATF Database.

Complaints related to certification bodies or certified clients may be submitted to the relevant certification body. Ethics and compliance concerns related to any IATF-recognized certification bodies, IATF 16949 third-party auditors, IATF 16949-certified organizations, or oversight offices may be filed at https://secure.ethicspoint.com/domain/media/en/gui/72672/index.htm

These Rules are subject to periodic review and may be modified at any time at the sole discretion of the IATF after consultation with appropriate stakeholders.

Note: Within this document, the use of the term "certification" is synonymous with registration.

1. ELIGIBILITY FOR CERTIFICATION TO IATF 16949

Only organizations that manufacture and, where applicable, design and develop automotive products and vehicles are eligible for IATF 16949 certification.

Note: "Automotive Products" is the short term used in these Rules to describe parts and processed materials manufactured for automotive vehicles.

"Automotive Vehicles" shall be understood as homologated vehicles that are intended to be driven on public roads.

"Automotive Products" shall be understood as the following:
a) parts (including those with embedded software) and processed materials (see section 10.0) which are manufactured to an automotive customer's specifications and integrated into the automotive vehicle during its manufacture (also known as "Production Parts" or "Production Materials")
   Note: "Integrated" also pertains to parts and materials that are filled into, attached to, connected to, or placed in or on the vehicle.
b) parts manufactured to OEM specifications that are procured or released by the OEM and integrated into the automotive vehicle after its manufacture and before or after delivery to the final customer (also known as "Accessory Parts")
c) replacement parts and materials for automotive vehicles, including remanufactured parts.

"Manufacturing" shall be understood as a process that includes at least one value-added activity that further transforms the process's input materials and/or parts into a semi-complete or complete state of an automotive product.

Note 1: A manufacturing process may use multiple types of fabrication techniques to make or fabricate an automotive product (e.g., casting, molding, extrusion, soldering, machining, heat treatment, plating, painting, assembly, etc.).

Note 2: "Manufacturing" is the short term used in these Rules to describe "automotive manufacturing". The term "non-automotive manufacturing" is used to describe situations where "manufacturing" does not pertain to the fabrication of automotive products.

"Automotive Customer" shall be understood as any organization in the automotive supply chain purchasing automotive products.

"Client" shall be understood as the organization applying to or contracted with a certification body to become or remain certified to IATF 16949 under one or more certification structures, including all relevant manufacturing sites and, where applicable, all their relevant remote or standalone remote support locations.

Acceptable certification structures are:
- Single Manufacturing Site
- Single Manufacturing Site with Extended Manufacturing Site(s)
- Corporate Scheme.

"Manufacturing Site" shall be understood as a client location at which manufacturing occurs. A manufacturing site is the only type of client location eligible for independent certification to IATF 16949. If a manufacturing site supplies an automotive customer requiring third-party certification to IATF 16949, then all automotive customers of the site shall be included in the audit scope (see section 10.0).

"Remote Support Location" (RSL) shall be understood as a client location where one or more support functions reside that provide support from the RSL to a client's manufacturing site. Such support functions may be located at another manufacturing site or at another client location where no automotive manufacturing occurs (i.e., a "Standalone Remote Support Location").

Note 1: A support function is understood as a quality management system function established through non-manufacturing activities that are carried out to support one or more manufacturing sites. Manufacturing sites may have support functions carried out in the manufacturing site or at a remote or standalone remote support location.

Note 2: A remote or standalone remote support location may provide support to one or more manufacturing sites. Support functions carried out at remote or standalone remote support locations shall be included in the scope of IATF 16949 certification of the manufacturing sites they support.
Note 3: Under exceptional circumstances in which a client's manufacturing activities are carried out at a customer's location, it will be considered as a standalone remote support location of the client's manufacturing site, and the function will be identified as "servicing" on the manufacturing site's IATF 16949 certificate.

Each manufacturing site and each standalone remote support location shall be audited and certified by only one IATF-recognized certification body during the contractually agreed period of certification. The only exception to this requirement is in the case of a client transferring to another certification body (see section 7.1).

The certification body contracted with a standalone remote support location shall also have a contract with at least one manufacturing site for receiving support from the standalone remote support location.

1.1. Certification structure eligibility requirements

The following requirements shall be met when determining the certification structure for clients applying to become or remain certified to IATF 16949:

a) Single Manufacturing Site:
   1) Shall be a client location with a single physical address where manufacturing occurs.
   2) Shall operate under a single quality management system (see IATF 16949, 4.4.1).
   3) May or may not receive support from remote or standalone remote support locations.
   4) May provide support to other manufacturing sites.

b) Single Manufacturing Site with Extended Manufacturing Site(s):
   1) Shall be a single manufacturing site (also known as the main manufacturing site) whose manufacturing processes expand into one or more other locations (the extended manufacturing site[s]) with different addresses managed together as one manufacturing site that is part of the same legal entity.
   2) An extended manufacturing site (EMS) shall only receive support from or provide support to the main manufacturing site.
   3) An EMS shall be located within ten (10) miles (sixteen kilometers) and no more than sixty (60) minutes of driving distance from the main manufacturing site.
   4) The main site and EMS shall operate under a single quality management system (see IATF 16949, 4.4.1).
   5) An EMS shall be managed and controlled together, as one manufacturing site, with the main manufacturing site by the main manufacturing site's management personnel. Therefore, the EMS shall not be controlled and managed autonomously from the main manufacturing site. In this regard, management responsibilities and authorities shall not be delegated to front-line management (see section 10.0) or the non-management personnel located at the EMS.
   6) Management personnel's active involvement in the control and management of the EMS together with the main manufacturing site shall be demonstrated with evidence.
   7) Management personnel may be located at an EMS, provided these personnel are responsible for controlling and managing their relevant area of responsibility at both the main site and the EMS, not just the EMS.
   8) An EMS may have dedicated front-line management personnel located there with limited decision-making authority for operational, day-to-day decisions regarding the manufacturing processes for the EMS.
      Note: These types of decisions may include, but not be limited to, stopping production in the event of a quality problem or allocating relevant personnel within the EMS to ensure adequate staffing and support to execute the manufacturing processes.
   9) An EMS may have non-management personnel (e.g., production schedulers, manufacturing engineers, facilities maintenance, etc.) located onsite who support the EMS and/or the main manufacturing site, but no other manufacturing site.

c) Corporate Scheme:
   1) Shall consist of at least two (2) manufacturing sites, with or without an EMS, which operate under a common quality management system. The common quality management system shall:
      i. be established by processes that are centrally defined, structured, and controlled
      ii. be monitored with a common set of process measurements
      iii. be implemented in substantially the same manner across all manufacturing sites and standalone remote support locations within the corporate structure being certified to IATF 16949
      iv. have localization of the quality management system documentation and records only at the level of work instructions/procedures.
      v. have a centrally managed internal quality management system audit program.
   2) Shall have an identified central location where the quality management system function resides that is responsible for defining, structuring, and controlling the common quality management system.
      Note: The central location is not required to be the "headquarter" of the Organization.

2. CERTIFICATION BODY GOVERNANCE, INTERNAL CONTROL, AND RISK MANAGEMENT

2.1. General IATF recognition requirements for certification bodies

A certification body shall have a contract (i.e., the "Agreement") with an oversight office and be recognized by the IATF before issuing an IATF 16949 certificate to a client and using the IATF logo on the certificate. The list of IATF-recognized certification bodies is available at www.iatfglobaloversight.org.

A certification body shall have a designated office approved by the IATF as its contracted office. The contracted office holds the IATF recognition. The IATF-recognized certification body or its corporate entity shall have one hundred percent (100%) ownership of the contracted office.

The certification body shall appoint an employee (i.e., not a contracted employee) from the contracted office with global technical authority for the automotive certification scheme to be the single point of contact between the relevant oversight office and the certification body.
The certification body shall also appoint an employee (i.e., not a contracted employee) from the contracted office or a regional office as the deputy contact person.

The certification body, with the involvement of the contracted office, may at any time establish regional offices with lines of authority and responsibility to the contracted office regarding matters that affect IATF 16949 certification activities.

The certification body shall cooperate with the relevant oversight office when performing activities in support of the IATF certification scheme.

A certification body shall be compliant with the statutory and regulatory requirements of each country in which it operates. The certification body shall comply with all data protection laws for the respective jurisdictions in which it operates, including providing employees and contracted employees with sufficient transparency regarding the uses of relevant personal identifying information.

The certification body shall not violate any part of the contract with the oversight office, including the IATF Certification Body Code of Conduct.

The certification body, and any related organization (see section 10.0), shall not violate intellectual property and copyright protection of any IATF trademark and documents, including those issued by any IATF member organization or any oversight office.

The certification body shall only use the IATF logo on the IATF 16949 certificate and letter of conformance.

2.1.1. Legal entity structure

A certification body shall be a legal entity, or a defined part of a legal entity, which can be held legally responsible for all its certification activities.

A certification body and any part of the same legal entity shall not operate as both a quality management system certification body and as a quality management system accreditation body.
A certification body and any part of the same legal entity or any related organization shall not offer to or provide its clients with the prohibited activities listed in section 2.5.2.

If a certification body is a defined part of or becomes a defined part of a corporate entity, no other IATF-recognized certification body shall exist within the same corporate entity.

When the certification body is a defined part of a legal entity, its organizational structure shall include the line of authority and the relationship to other parts within the same legal entity.

2.1.2. Joint ventures

The certification body or its corporate entity shall establish and maintain managerial and operational control in any joint venture involved in IATF 16949 certification activities.

Before entering any joint venture partnership agreement, the certification body shall perform a comprehensive impartiality risk assessment of the intended joint venture. If a risk is identified and is determined to be not manageable (see section 2.5.3), the certification body shall not proceed with the agreement.

2.1.3. Outsourcing of certification activities

Outsourcing on behalf of the certification body shall not be permitted, including the use of service agreements or Memorandums of Understanding (MOU), agents, franchisees, or any type of licensee model for any part of the IATF 16949 certification process (see section 10.0).

The use of individual self-employed auditors and technical experts does not constitute outsourcing, provided that the IATF-recognized certification body has a legally enforceable agreement with each auditor and/or technical expert.

2.2. Management system requirements

The certification body shall document and establish its organizational structure, including roles, responsibilities, and authorities of management and personnel involved in certification activities and committees.
The certification body shall identify the top management (see section 10.0) in its organizational structure who is responsible for the overall effectiveness of the IATF 16949 certification activities, including the provision of competent and adequate resources.

The organizational structure shall include all lines of authority from the contracted office to the global organization, if applicable, and to or between each regional office, including any joint ventures involved in IATF 16949 certification activities.

The certification body's contracted office shall ensure that the roles, responsibilities, and authorities are understood throughout the certification body.

The certification body shall define its management system processes and operating procedures, including their sequence and interactions, to ensure effective audit and certification of clients. The defined management system processes shall include process controls, measures of performance, and performance targets. The management system performance shall be continually monitored, controlled, and improved based on performance data pertaining to the IATF 16949 certification process, at minimum.

The certification body's management system shall include a process for effective problem-solving. This process shall be initiated following complaints from clients and other interested parties and non-conformities issued from internal witness, internal system, and IATF Office Assessments, Witness Audits, and additional monitoring activities. For non-conformity issued from IATF Office Assessments, Witness Audits, and additional monitoring activities, the process shall align with the specific requirements in the IATF Certification Body Problem Solving Manual.
Where a certification body has multiple offices involved in IATF 16949 certification activities, the following conditions shall be fulfilled:
a) The use of a common, centrally managed management system, using the same processes and operating procedures for all offices.
b) The use of common documents for all IATF 16949-related activities.
c) Translated documents that include the original document language in addition to the language into which it was translated.
d) The use of a common software system/platform to manage audit planning and conduct, technical review, certification status, and certificate issuance.
e) The use of a common software system/platform to manage appeals and complaints.
f) The use of performance data pertaining to the IATF 16949 certification process, which is made available by the contracted office to all regional offices that are required to conduct a management review.
The contracted office shall be responsible for establishing, developing, documenting, implementing, maintaining, controlling, and improving its management system related to IATF 16949 certification, regardless of where those certification activities occur. Where a certification body has regional offices involved in IATF 16949 certification activities, the contracted office shall be responsible and held accountable for monitoring and controlling all global activities related to IATF 16949 certification.
Note: Any certification body locations involved in IATF 16949 certification activities, which the certification body may call, “regional offices,” “branch offices,” “subsidiaries,” “sales locations,” “support centers,” “affiliates,” “global headquarters,” etc., are considered to fall under the term “regional office” for purposes of these Rules.
The contracted office shall monitor and control the following processes:
- waiver management (see Introduction section)
- performance monitoring for each regional office (see section 2.2)
- impartiality risk assessment for certification activities (see section 2.5.3)
- internal system audits (see section 2.6)
- internal witness audits (see section 2.7)
- appeals and complaints (see section 2.8)
- management review (see section 2.9)
- nonconformity management (see section 2.103)
- determination and utilization of personnel conducting certification activities (see section 4.0)
- defining, demonstrating, and maintaining competency for each role involved in IATF 16949 certification activities (see section 4.0)
- applications for IATF 16949 auditors (see section 4.2)
- continuing approval or rejection of IATF 16949 auditors (see section 4.4)
- maintaining auditor qualification (see section 4.4)
- nominating and maintaining approval of technical reviewers, witness auditors, and system auditors (see sections 4.1, 4.1.1, 4.5, 4.5.1, 4.6, and 4.6.1)
- technical reviews and certification decisions (see section 5.12)
- decertification (see section 8.0)
- IATF Database management, including monthly accuracy checks.
The contracted office and all regional offices of the certification body responsible for IATF 16949 certification decisions and certificate issuance activities shall be accredited to ISO/IEC 17021-1 to perform ISO 9001 certification by an International Accreditation Forum (IAF) accreditation body. Any ISO/IEC 17021-1 accredited office involved in IATF 16949 certification shall conduct IATF 16949 certification activities in accordance with the scope defined in its ISO 9001 accreditation.
The contracted office shall have a direct line of authority for the technical reviewer role and all related activities, regardless of the location of the physical office in which the technical reviewer resides and shall be responsible for managing any impartiality risks (see section 2.5) related to the technical review and certification decision activities.
The contracted office shall be responsible for determining the extent of autonomy granted to regional offices, including granting or revoking the permission to conduct selected IATF 16949 certification activities. Records shall be maintained that detail the rationale and criteria used to make such determination, approval, or revocation decisions. The contracted office shall continuously manage risk(s) related to and resulting from the extent of autonomy granted to regional offices and the IATF 16949 certification activities assigned. This shall include risks identified from business continuity and impartiality risk assessments (see sections 2.4 and 2.5.3).
The contracted office shall provide relevant client audit and certification-related information to their relevant oversight office upon request. The contracted office shall provide an overview of all offices involved in IATF 16949 certification activities to the relevant oversight office by using the IATF Standardized Regional Office Matrix Template. The most current IATF Standardized Regional Office Matrix (see section 10.0) shall be provided on a quarterly basis, whether or not changes occurred.
2.3. Communication of changes
2.3.1. Communication of changes to the oversight office
The certification body shall notify the relevant oversight office, in writing, within twenty (20) calendar days of any realized changes related to its:
a) legal status
b) ownership status (e.g., mergers, acquisitions of other certification bodies, business relationships or agreements, joint ventures, shareholding ratios, etc.)
c) organizational status (e.g., establishment or closure of a regional office for IATF certification activities, management structure and related reporting relationships, etc.)
d) loss or suspension of management system accreditations at the contracted or any regional office.
Note: To avoid risks to IATF recognition, it is recommended for the certification body to notify the relevant oversight office, in writing, well in advance of any planned ownership changes as described in point b) above.
Before implementing any of these changes, the certification body shall analyze related business continuity and impartiality risks and mitigate the risks wherever possible.
2.3.2. Communication of changes to clients
The certification body shall notify its clients within ten (10) calendar days of any changes related to IATF certification activities and requirements that may impact its clients. The certification body shall verify that each client complies with the new requirements. The certification body shall notify its clients within ten (10) calendar days of changes to the certification body’s ownership or loss of IATF recognition.
2.4. Management of business continuity risks
The certification body shall implement a business continuity risk assessment process that includes all offices involved in IATF 16949 certification activities. A certification body shall be able to demonstrate that it has evaluated risks that may affect the continuity of its management system certification activities and has implemented actions to mitigate the risks wherever possible, including adequate arrangements (e.g., liability or cyberattack insurance, financial reserves, etc.) to cover liabilities arising from its operations and the geographic areas in which it operates.
2.5. Management of impartiality risks
The top management of the certification body shall establish a policy, make appropriate decisions, and take effective actions to promote and maintain impartiality and objectivity in carrying out certification activities. The certification body shall conduct impartiality risk assessments as required by these Rules (see section 2.5.3). The certification body shall implement preventive, detective, and corrective internal control activities (e.g., policies, procedures, approvals, authorizations, verifications, segregation of duties, etc.) to safeguard the impartiality and objectivity of its certification activities.
At all levels of the organization, the certification body shall be responsible for ensuring impartiality and objectivity in its activities and decisions related to the certification of clients, which shall be based on objective evidence obtained by the certification body and shall not be influenced by other interests or by other parties. The top management of the certification body or its corporate entity shall implement a whistleblowing process and communicate it to all personnel involved in IATF 16949 certification activities.
2.5.1. Threats to impartiality
The certification body shall avoid any threat to impartiality, including, but not limited to, the following:
a) Self-interest threats: threats that arise from a person or body acting in their own interest. For example, a concern related to certification, as a threat to impartiality, would be financial self-interest.
b) Self-review threats: threats that arise from a person or body reviewing the work done by themselves.
c) Familiarity (or trust) threats: threats that arise from a person or body being too familiar with or trusting of another person instead of seeking audit evidence.
d) Intimidation threats: threats that arise from a person or body having a perception of being coerced openly or secretively.
Note: In addition to the certification body’s whistleblowing process, threats to impartiality may also be reported through the IATF Ethics and Compliance reporting system as described in the Introduction to these Rules.
2.5.2. Conflicts of interest
The certification body shall require its internal and external personnel to reveal any situation known to them that may present them or the certification body with a conflict of interest, including, but not limited to, training, consulting, or other related businesses they are or were involved in. The certification body shall use this information as input to identify threats to impartiality raised by the activities of such personnel or by the organizations that employ(ed) them and shall not use such internal or external personnel for certification activities unless the certification body can demonstrate that there is no conflict of interest.
Note: A relationship that threatens the impartiality of the certification body can be based on personal or familial relationships, ownership, governance, management, personnel, shared resources, finances, training, contracts, marketing, payment of a sales commission, other inducements for the referral of new clients, etc.
The certification body, including its sponsored auditors, any part of the same legal entity, and any related organization of the certification body or its auditors shall not offer or provide quality management system-related consultancy to their clients under contract or shall not have provided quality management system-related consultancy to new clients within twenty-four (24) months before contracting with them.
Quality management system-related consultancy includes the provision of:
a) quality management system-related training, which is fully or partially tailored for a client, including quality management system auditor training, delivered in any format
b) any assistance with establishing, developing, documenting, implementing, maintaining, controlling, or improving an element of or related to a quality management system
c) quality management system-related internal product, process, or system audits
d) quality management system-related product, process, or system audits of suppliers on behalf of the client
e) any type of quality management system-related and/or automotive-related audit or assessment or comparable activity requested by a client or a client’s customer that is not expressly stated in these Rules (e.g., “pre-audits”).
Note: “Quality management system-related” pertains to ISO 9001, IATF 16949, any sector-specific quality management system standard based on ISO 9001, and any “tools,” “methods,” and “concepts” (e.g., FMEA, SPC, VDA 6.3, ASPICE, lean manufacturing, six sigma, etc.) referenced in these standards or used to fulfill them.
The certification body may conduct standardized training courses that are not tailored to a client in any way, as advertised to the general public in its training catalog, including, for example, general quality management system auditor training or training courses on core tools, six sigma, or lean manufacturing.
2.5.3. Impartiality risk assessment
The certification body shall implement an impartiality risk assessment process that includes all offices involved in IATF 16949 certification activities. This process shall cover impartiality threats, whether they arise from within the certification body or from the activities of external personnel, bodies, or organizations.
The impartiality risk assessment shall consider, at minimum, the following:
a) ownership and owners and their related organizations (e.g., entities through common ownership, links between owners, ownership shares, etc.) (see section 2.1)
b) related businesses, including relationships with consulting and training companies
c) management structure
d) issues with authorities (e.g., convictions, violations, bans, bankruptcies, etc.)
e) former or current relationships with other certification bodies for any accreditation scheme, including reasons for termination of the relationship
f) auditor resources, contracts with auditors, and other internal and external resources involved in certification activities
g) impartiality of internal system auditors, internal witness auditors, and technical reviewers
h) self-employed auditors or internal personnel disclosure of other related businesses, including training or consulting businesses they or their family members have ownership in or do work with
i) sales commissions and other inducements for the referral of new clients
j) branding and logo usage misrepresentation
k) managing complaints and appeals.
The certification body’s contracted office shall conduct a detailed impartiality risk assessment specific to IATF 16949 certification activities. At minimum, this impartiality risk assessment shall cover all certification process activities, the internal witness audit process, and the internal system audit process with focus on evaluating the preventive, detective, and corrective internal controls in place, including their testing for effectiveness in safeguarding the impartiality and objectivity of certification activities. Any identified impartiality risk shall have actions documented to eliminate or mitigate them. Residual risk shall be accepted by top management.
Impartiality risk assessments shall be reviewed and updated at defined intervals based on risk levels and whenever significant changes occur, including but not limited to, changes in management staff, turnover of employees, increase or decrease in client base, or changes to certification process steps or process controls. The impartiality risk assessment results shall be considered in the development and execution of the internal system and internal witness audit programs. The impartiality risk assessment records shall be documented and retained. The impartiality risk assessment results shall be an input to the contracted office’s management review (see section 2.9.1) and, where applicable, to any risk assessment activities to maintain its ISO/IEC 17021-1 accreditation.
2.6. Certification body internal system audits
The certification body shall have a process for internal system audits to verify the effective implementation of the management system. This process shall include dedicated internal system audits specific to IATF 16949 certification to assess conformance with:
a) these Rules and any other IATF requirement documents
b) relevant Certification Body and Stakeholder Communiqués
c) the certification body’s processes and operating procedures (see section 2.2).
The certification body shall develop and maintain a three (3) year internal system audit program. For each of the three (3) years, the program shall identify which of the regional offices from the IATF Standardized Regional Office Matrix (see section 2.2) are planned to be audited or were audited. The audit program shall identify the planned audit date(s) and, where applicable, the actual audit date(s), the audit status, the audit method (i.e., onsite or remote), and the assigned internal system auditor.
An internal system audit shall be performed onsite at least once per year (i.e., every twelve months [-3/+3 months]) at the contracted office and each regional office identified in the IATF Standardized Regional Office Matrix (see section 10.0). The frequency of internal system audits at a regional office may be reduced to once every three (3) years if the certification body can demonstrate that its management system continues to be effectively implemented at the regional office and no significant risks are identified. The documented justification for the reduction shall be based on the number of clients managed by the regional office, the extent of autonomy granted to the regional office, its performance data and related trends, the latest management review results, results from the recent internal system audits, IATF Office Assessments, and the impartiality and business continuity risk assessment outcomes. Regional offices that are only responsible for marketing and sales activities or only provide support according to the IATF Standardized Regional Office Matrix (see section 10.0) shall be audited at least once every three (3) years. These offices may be included in an internal system audit of the contracted office or a regional office they support or may be audited separately, either onsite or remotely. 
The certification body shall manage the internal system audit program to ensure that:
a) the program is updated based on internal and external performance data and identified risks and results from internal system and witness audits
b) the program is based on the contracted office's input
c) the program is executed as planned
d) the audits are conducted by qualified and approved personnel (see section 4.6)
e) auditors are selected to ensure impartiality and objectivity
f) audit specific inputs are gathered to determine critical topics to be prioritized based on risk, performance trends, contracted office input, and criticality of the process(es) for each audit
g) a process-based audit plan is created for each audit
h) audit-specific objectives and concerns to be investigated from the contracted office are included
i) audits include verification of systemic corrective actions from previous nonconformities pertaining to the audited office that were issued as a result of the internal system and witness audits, and IATF office assessments, witness audits, and additional monitoring activities
j) audits are undertaken following the process approach with a focus on risk and performance
k) adequate time is planned to audit all applicable processes and procedures pertaining to IATF 16949 certification activities
l) each internal system audit covers every audit type (i.e., stage 1 readiness assessments, stage 2 certification audits, surveillance, recertification, transfer, and special audits) and adequate time is planned for sampling an appropriate number of client files from all applicable audit types during the time period being sampled.
Each client file review shall include the verification of content entered into the IATF Database and applicable waivers
m) the accuracy of recorded audit dates and audit team information, including reconciliation with travel receipts, hotel invoices, overlapping audits, etc., is verified
n) each internal system audit is no less than two (2) days in duration at the contracted office and no less than one (1) day in duration at the regional office
o) personnel responsible for the processes audited are informed of the outcome of the audit
p) audit reports contain at minimum:
  1) a management system performance overview as relevant to the audited office, including performance results from the last twelve (12) months in relation to established performance targets
  2) identified systemic risks, including risks related to IATF 16949 certification
  3) verification details and results of the investigation into concerns from the contracted office
  4) verification details and results regarding the effective implementation of actions from previous nonconformities
  5) a list of the management system processes audited and a written audit summary of each process, including a conclusion on its effectiveness, and a list of sampled client files with the name of the client location and the unique site identifier (USI), the client audit type, and the audit dates
  6) nonconformities identified during the audit shall be written in at least three (3) distinct parts:
    i. the statement of nonconformity
    ii. the requirement(s) or specific reference(s) to the requirement(s)
    iii. the objective evidence that supports the statement of nonconformity.
  7) audit results, recommendations, and follow-up needs for the contracted office.
q) the nonconformity problem investigation and definition, root cause analysis, and the implemented systemic corrective actions with verification of their effectiveness are submitted for acceptance no later than ninety (90) calendar days after the internal system audit closing meeting date
r) audit reports, including nonconformity records, are submitted to the contracted office
s) results from the internal system audit process shall be an input to the management review process.
The IATF reserves the right to observe internal system audits or to require additional activities in response to systemic corrective action follow-ups or based upon performance
2.7. Certification body internal witness audits
The certification body shall have a process for internal witness audits that meets the following requirements:
a) The internal witness audit program shall be based on the contracted office's input.
b) All sponsored auditors shall be included in the internal witness audit program.
c) Auditors sponsored by more than one certification body shall be witnessed by each sponsoring certification body. Internal and external witness audits pertaining to other standards (e.g., ISO 9001) or from other organizations (e.g., an oversight office, national accreditation bodies, other IATF certification bodies sponsoring the same auditor, etc.) shall not be considered as part of the certification body’s internal witness audit process.
d) Newly sponsored and/or newly qualified IATF 16949 auditors shall be internally witnessed with acceptable results before conducting IATF 16949 certification audits as a lead auditor according to the following schedule:
  i. The primary sponsoring certification body (see section 10.0) shall internally witness its newly qualified auditors within six (6) months of their successful completion of phase one qualification requirements (i.e., “full” or “interim” pass status) and again within six (6) months of the successful completion of phase two qualification requirements
  ii. Each co-sponsoring certification body (see section 10.0) shall internally witness each newly sponsored auditor within six (6) months of their sponsorship start date.
e) Subsequent to the completion of the internal witness audits for newly qualified and newly sponsored auditors in point d) above, the certification body shall establish and adjust the internal witness audit frequency for each of its sponsored auditors based on a performance review (see section 4.4) with a maximum duration between the internal witness audits of six (6) years or seven hundred (700) “audit days”, whichever comes first.
f) Auditors shall be witnessed only while performing the audit team leader role during an IATF 16949 audit. If necessary, the witnessed auditor shall be temporarily assigned as the audit team leader for the purposes of the internal witness audit.
g) The scope of internal witness audits shall cover the analysis and evaluation of audit planning inputs and outputs; the conduct of the audit, including a significant portion of the audit time spent auditing manufacturing processes; and the auditor’s draft audit report submitted for technical review.
Note: The certification body, at its discretion, may extend the internal witness audit to include the corresponding onsite special audit for the verification of client systemic corrective action effectiveness.
h) Internal witness audits shall focus on compliance with these Rules, other IATF requirement documents, and the certification body’s processes, and the auditor’s performance relative to the IATF Auditor Guide's Essential and General Auditor Competencies.
i) Internal witness audits shall include:
  1) verification of systemic corrective actions implemented by the certification body in its management system as a result of non-conformities issued internally or by the relevant oversight office
  2) verification of systemic corrective actions implemented by the certification body in its management system as a result of IATF OEM complaints, as applicable
  3) investigation of areas of concern raised by the contracted office.
j) The certification body shall only use approved internal witness auditors (see section 4.5.1).
k) Internal witness auditors shall be assigned to minimize the impartiality risk in the assessment of the witnessed auditor.
l) Internal witness auditors shall not participate in the audit as a member of the audit team.
m) Audits selected for an internal witness audit shall be selected from stage 2 certification, surveillance, recertification, and transfer audits.
n) Audits shall be witnessed with the same audit method used for the audit at the client location (i.e., onsite or using remote technology where permitted) from the beginning through the end and be no less than two (2) days in audit duration.
o) The internal witness audit report shall cover the scope of the witness audit, include all identified witness audit non-conformities, and include written statements on:
  1) the witnessed auditor's conformance with requirements
  2) the details of and results for the verification of systemic corrective actions implemented by the certification body in response to non-conformities issued in internal audits, IATF audits, and/or IATF OEM complaints, where applicable
  3) the investigation details of and results for the areas of concern raised by the contracted office
  4) the auditor’s ability to write clear and concise non-conformities in four (4) distinct parts (see section 5.9) to allow the client to achieve an understanding of and an effective resolution for the audit finding
  5) the appropriateness of non-conformities issued to the client and their justified classification
  6) the appropriateness of audit conclusions and recommendations made to the technical reviewer
  7) any concerns the witness auditor has related to soft-auditing or soft-grading
  8) the auditor’s performance relative to the Essential Auditing Competency criteria as stated in the IATF Auditor Guide
  9) the auditor’s strengths and opportunities for improvement
  10) the witness auditor’s overall conclusion and recommendations, including recommended approval status of the witnessed auditor, and follow-up actions, if any.
p) All non-conformities identified during an internal witness audit shall be related to these Rules, other IATF requirement documents, or certification body process requirements and written in at least three (3) distinct parts:
  1) a statement of nonconformity
  2) the requirement(s) or a specific reference(s) to the requirement(s)
  3) the objective evidence that supports the statement of nonconformity.
q) The internal witness audit report shall be provided to the witnessed auditor and the contracted office for report review and approval.
r) Based on the information provided in the witness audit report, the contracted office or personnel authorized by the contracted office shall make a decision to grant, maintain, or revoke the (lead) auditor approval status of the witnessed auditor.
s) Each nonconformity issued from internal witness audits shall go through the problem-solving process (see section 2.2). Each nonconformity shall be categorized by the personnel involved in the problem-solving process (see section 4.0) as an auditor lapse, a local system problem, or a global system problem, and shall lead to appropriate actions at the relevant level(s) of the certification body.
t) Any actions resulting from internal witness audits shall be taken in a timely and appropriate manner and communicated to responsible personnel. Systemic corrective actions shall be implemented, accepted, and submitted to the contracted office no later than ninety (90) calendar days after the issue date of the nonconformity.
u) The contracted office or personnel authorized by the contracted office shall determine actions to verify the effectiveness of systemic corrective actions, where appropriate.
The certification body shall mark the client audit that was witnessed in the IATF Database within twenty (20) calendar days after the closing meeting date of the witnessed audit. Internal witness audit results and actions taken shall be an input for the process of maintaining auditor qualification and approval (see section 4.4) and shall be included in the management review process.
2.8. Appeals and complaints
The certification body shall have a process and one (1) centralized, common system for processing and managing appeals from clients and complaints from clients and other interested parties filed against the certification body. The certification body shall have a publicly accessible interface to allow a client or other interested parties to initiate a complaint or an appeal.
Information about the process for initiating complaints and appeals shall be communicated to the client. The certification body’s contracted office shall have access to all complaints and appeals relating to global IATF 16949 certification activities. A certification body’s regional office(s) shall have access to all complaints and appeals relating to its IATF 16949 certification activities.
The processing of appeals and complaints shall include the following activities, where appropriate:
a) receiving and assigning responsibility
b) validating and investigating
c) determining the root cause
d) ensuring that any appropriate correction and systemic corrective actions are taken and verified for effectiveness in the certification body's management system
e) providing progress reports and the outcome to the person or organization filing the complaint or appeal
f) maintaining records.
The appeals process shall not impact the timing related to nonconformity management (see section 5.11) or the decertification process (see section 8.0). The certification body shall ensure that all appeals and complaints are processed with impartiality and in a timely manner and that adequate resources are available. The people engaged in decision-making for appeals and complaints shall be different from those who conducted the audits and made the relevant certification decisions. Performance complaints issued to the certification body’s clients from their customers shall follow the decertification process (see section 8.1).
2.9. Management review
The certification body’s relevant top management shall conduct a local management review of the contracted office and relevant regional offices, which shall be specific to IATF 16949 certification.
The certification body’s top management shall also conduct a comprehensive management review with the involvement of the contracted office, which shall be specific to all global IATF 16949 certification activities, hereafter known as “global management review.” The outputs of the local management reviews shall be considered as inputs for the global management review.
The purpose of these management reviews shall be to evaluate the management system, including its stated policies and objectives for its effectiveness in:
- fulfilling these Rules and any other IATF requirement documents
- IATF 16949 certification of clients
- management, including monitoring and controlling certification activities
- meeting the defined objectives
- identifying and mitigating systemic risks
- continually improving the management system.
Note: Persons having the technical authority for IATF 16949 certification may only support the certification body’s management review process and cannot conduct the management system (self-) evaluation on behalf of the certification body’s top management.
The certification body shall have a documented management review process that includes, at minimum, the following provisions:
a) Global and local management reviews shall be conducted at planned intervals at least once per year (i.e., every 12 months [-1/+1 month]).
b) Management reviews shall be conducted at all regional offices that schedule and conduct IATF 16949 audits for at least twenty-five (25) client sites per calendar year and/or perform technical reviews.
c) Regional offices not meeting the criteria in point b) above are not required to perform a separate management review but shall be included in the contracted or another office’s management review.
d) Local management reviews shall be conducted no more than three (3) months before the global management review and serve as an input for the global management review.
e) Every management review shall include the following sequential steps for each required management review item in section 2.9.1:
   1) acquirement of relevant input data relating to the time period covered by the review
   2) analysis of the input data
   3) evaluation of the input data, leading to conclusions, including identified system-related issues (e.g., improvement needs, corrective or preventive action needs, risks, etc.)
   4) development of improvement, corrective, and preventive actions to address the identified issues.
f) Management review outputs shall meet the requirements in section 2.9.2.
g) A feedback loop between the contracted office and the regional offices shall be established that includes:
   1) the provision of input data to the regional offices where the required input for the local management review can only be generated by the contracted office
   2) queries between the contracted and regional offices relating to the management review process and/or records
   3) improvements and/or corrective action requests between the contracted and regional office(s) in response to management review results
h) Relevant top management shall ensure and monitor the timely and effective implementation of decisions and actions resulting from management review activities.

2.9.1. Management review items

All management reviews shall cover obtaining, analyzing, and evaluating input data for the items below:
a) status of ISO 17021-1 accreditation (or its national equivalent)
b) internal or external changes that affect the management system
c) impartiality risk assessment frequency and outcomes, including significant risks identified and any violations of impartiality requirements
d) any significant changes identified in the business continuity risk assessment
e) actions from previous management reviews—including, at minimum, implementation timeliness—and their status
f) management system performance and trends in relation to established performance targets (see section 2.2)
g) internal system and witness audit program completion status
h) internal system and witness audit-related nonconformities, including, at minimum, source, status, timeliness, count, country/region, reference to requirement, affected certification body process or activity, recurrence, and trends
i) IATF office assessment-related and witness audit-related nonconformities, including, at minimum, source, status, timeliness, count, classification, country/region, reference to requirement, affected certification body process or activity, recurrence, and trends
j) IATF certification body problem-solving process performance (see section 2.10.3), including, at minimum, acceptability, timeliness, and related trends
k) IATF OEM performance complaints, other customer performance complaints, and complaints initiated by the relevant oversight office, including, at minimum, timeliness, status, categorization, trends, and results
l) appeals from clients, including, at minimum, timeliness, status, categorization, trends, and results
m) complaints from clients, including, at minimum, timeliness, status, categorization, trends, and results
n) other satisfaction-related and/or compliance-related feedback from interested parties (e.g., client satisfaction surveys, whistleblower hotlines, employee surveys, notifications from government bodies and technical committees, etc.)
o) waiver requests, including, at minimum, the quantity and distribution across the Rules requirements and the relevant oversight office’s decisions
p) technical review and certification decision process performance, including, at minimum, timeliness, detected error types and quantity, technical reviewer performance, and related trends
q) nonconformity statistics for potential soft-auditing and soft-grading, including the number of nonconformities per audit, percentage of major nonconformities, and percentage of audits with zero nonconformities by regional and, where applicable, global levels, and related trends
r) utilization statistics for personnel involved in audits and certification decisions (i.e., auditors and technical reviewers)
s) IATF Database KPI performance and related trends against objectives, where applicable
t) issues found during monthly IATF Database accuracy checks (see section 2.2), where applicable.

2.9.2. Management review records

Management review records shall provide evidence that input data were obtained, analyzed, and evaluated as required in sections 2.9 and 2.9.1 and that corresponding decisions and actions were identified to address systemic risks, issues, and resource needs derived from the input data analysis and evaluations. Input data used for management reviews shall be referenced and maintained as a part of the management review records.
The management review record shall include, at minimum:
1) the date(s) of the management review(s) and all attendees
2) a written statement on the data analysis output and evaluation output, including identified system-related issues, for each of the management review items
3) the decisions and actions taken, including timing and responsibilities, for each of the management review items
4) opportunities to improve the effectiveness of the management system and its processes
5) a conclusion statement from top management whether or not the management system, including the stated policies and objectives, continues to be suitable and adequate to meet its purpose.

Note: The certification body may choose to integrate IATF 16949 certification-related management review records into the records of a consolidated management review, such as a corporate management review covering multiple certification schemes, provided the information required by these Rules can be clearly identified.

2.10. IATF ongoing monitoring activities

The certification body shall support the planning and conduct of ongoing monitoring activities by the relevant oversight office and manage nonconformities issued from these activities as required by these Rules.

2.10.1. IATF witness audits

An IATF witness audit is a partial assessment of the certification body’s certification process through observation of an IATF 16949 audit and review of related certification records. Witness audits are conducted by IATF witness auditors on behalf of the relevant oversight office at a manufacturing site and/or its remote or standalone remote support location. One (1) witness audit may include multiple physical locations of a client. Witness audits shall focus on audit planning and audit conduct and may also consider objective evidence relating to past certification activities that were not directly observed during the witness audit.
Witness audits verify the certification body’s conformance with the requirements of:
a) these Rules and any other IATF requirement documents
b) relevant Certification Body and Stakeholder Communiqués
c) the certification body’s key processes and operating procedures (see section 2.2).

By verifying the certification body’s conformance with the requirements above through continued witness audits, the IATF seeks to gain reasonable assurance that the certification body’s certification process continues to be effectively implemented and only issues certificates to clients that have implemented a quality management system in accordance with the requirements of IATF 16949.

The IATF witness auditor shall not interfere with the audit.

The relevant oversight office shall program and schedule at least the minimum number of witness audits per calendar year according to Table 2.10. The global distribution of these witness audits should be in proportion to the IATF 16949 audit activities performed by region.

Note 1: If an annual witness audit program cannot be fully accomplished, it is at the discretion of the relevant oversight office to carry over unconducted witness audits to the next year’s witness audit program.

Note 2: The relevant oversight office may conduct special witness audits (see section 2.10.4).

Witness audits are selected to sample from the different audit types (see sections 6.0 and 7.0) and observe as many different certification body auditors as possible. A witness audit may focus on all or selected certification body audit team members.

On a monthly basis, the certification body shall provide a three (3) month schedule of their upcoming IATF 16949 audits (i.e., the current month plus two months) to the relevant oversight office. The schedule shall include all audits at manufacturing sites and standalone remote locations and indicate confirmed and planned audits.

Witness audits may be announced to the certification body with short notice.
Once a witness audit has been announced, any audit-related changes (such as changes to the audit date, audit team, audit method [i.e., onsite or remote], or audit location) and justifications for the changes shall be immediately communicated to the relevant oversight office and the assigned witness auditor.

Note: With each increase of 1,500 over 31,000 audit days, there shall be an increase of one (1) additional witness audit.

The certification body shall provide information necessary for the witness auditor to prepare for the witness audit by the due date specified by the relevant oversight office.

When translation for a witness auditor is required, the certification body shall hire a professional third-party translator that can provide simultaneous translation to the witness auditor unless otherwise approved by the relevant oversight office.

Upon the announcement of a witness audit, the certification body shall inform the client, without undue delay, of any IATF witness audit and any IATF witness auditors that will observe the IATF 16949 audit. The client shall not refuse a witness audit or the IATF witness auditor’s observation of the entire audit (see section 3.1).

2.10.2. IATF office assessments

Office assessments are to be conducted at the contracted office or any regional office involved in IATF 16949 certification activities to assess the certification body’s management system conformance with the requirements of:
a) these Rules and any other IATF requirement documents
b) relevant Certification Body and Stakeholder Communiqués
c) the certification body’s key processes and operating procedures (see section 2.2).

By verifying the certification body’s conformance with the requirements above through continued office assessments, the IATF seeks to gain reasonable assurance that the certification body’s management system is effectively implemented, controlled, and continually improved (see section 2.2).
Office assessments are to be conducted annually at the certification body's contracted office. Regional offices shall be audited at the discretion of the relevant oversight office based on IATF 16949 certification scheme risk considerations, certification body performance, performance complaints, or other circumstances deemed appropriate. Results from an office assessment may lead to additional assessments at the contracted office or other regional offices (see section 2.10.4).

Note 1: If an annual office assessment program cannot be fully accomplished, it is at the discretion of the relevant oversight office to carry over unconducted office assessments to the next year’s office assessment program.

Note 2: The relevant oversight office may conduct special office assessments.

The certification body shall provide the required information necessary to the office assessor to prepare for the office assessment by the due date specified by the relevant oversight office.

2.10.3. Nonconformity management (certification body problem-solving)

A nonconformity can be issued to a certification body at an office assessment, a witness audit, or as a special (ad-hoc) nonconformity due to performance-related issues, any violation of these Rules, or any other IATF requirement documents.

The certification body shall follow the requirements of the IATF Certification Body Problem Solving Manual to resolve any non-conformities issued to them by their relevant oversight office. The relevant oversight office shall verify the effective implementation of the systemic corrective actions taken. Verification may occur at subsequent office assessments, witness audits, and/or with additional IATF monitoring activities.

2.10.4. Additional IATF monitoring activities

The relevant oversight office reserves the right to undertake additional monitoring activities through special witness audits or office assessments based on IATF 16949 certification scheme risk considerations, certification body performance, certification body auditor performance, performance complaints, or other circumstances deemed appropriate. Additional monitoring activities may be accomplished by an off-site review of documents and records at the discretion of the relevant oversight office.

2.11. Certification body de-recognition process

The IATF has a de-recognition process for certification bodies that pose a risk to the integrity of the IATF 16949 certification scheme. The relevant oversight office may initiate the de-recognition process for a certification body when:
a) any provision of the legally enforceable agreement with the IATF, including the Certification Body Code of Conduct, is violated
b) these Rules or any other IATF requirement documents are violated
c) impartiality and/or conflict of interest requirements (see section 2.5.2) are not met or are not enforced
d) ISO/IEC 17021-1 accreditation to perform ISO 9001 certification, including all regional offices, as applicable (see section 2.2), is not maintained
e) fewer than twenty-five (25) different client sites are audited per calendar year
f) IATF Database accuracy, integrity, and timeliness of entries as required by these Rules and any other IATF requirement documents is not maintained
g) the integrity of the auditor qualification process is not maintained (see sections 4.2 and 4.3)
h) statutory or regulatory requirements in countries in which it operates (see section 2.1) are violated
i) the nonconformity management (see section 2.10.3) performance level is not achieved or maintained as required by the relevant oversight office
j) systemic corrective actions (see section 2.10.3) are not effectively implemented.
Based on risk analysis, the relevant oversight office shall make a recommendation to IATF Global Oversight to suspend or not suspend the certification body. The decision to suspend only a certification body’s regional office is at the discretion of IATF Global Oversight.

A certification body that is in a status of suspension:
- shall not quote any new business for IATF 16949
- shall not conduct any stage 1 readiness assessments
- shall not conduct any stage 2 certification audits
- shall not conduct any transfer audits unless the legal contract with the client was signed before the date of the certification body’s suspension
- shall conduct surveillance audits for existing clients
- shall conduct recertification audits for existing clients
- shall conduct special audits for existing clients (see section 7.2).

Note: The relevant oversight office may impose additional controls and sanctions on the certification body.

The final decision of the de-recognition process may result in the termination of the certification body’s legally enforceable agreement (i.e., the “Agreement”) and the termination of the certification body's IATF recognition.

3. CERTIFICATION BODY LEGAL CONTRACT REQUIREMENTS WITH THE CLIENT

3.1. Certification body legal contract with the client

The certification body shall have a legal contract (i.e., a legally enforceable agreement) with the client for the provision of IATF 16949 certification activities.

Where there are multiple client locations included in the scope of certification, the certification body shall ensure that each client location is covered by a legal contract between the certification body and client. A client’s location shall not be included in a corporate scheme until it has been included in the legal contract between the certification body and the client.
The legal contract between the certification body and the client shall include the following provisions:
a) The client shall provide the certification body information related to previous and/or existing certification to IATF 16949 before contract signature.
b) The client shall notify the certification body of significant changes.
c) The client shall not refuse an IATF witness audit of the certification body.
d) The client shall not refuse a certification body internal witness audit.
e) The client shall not refuse the presence of IATF observers.
f) The client shall not refuse the request of the certification body to provide the final audit and nonconformity reports to the IATF.
g) The only use of the IATF logo is as displayed on the certificate or the letter of conformance issued by the certification body. Any other use of the IATF logo by the client is prohibited.
Note: The client may duplicate the IATF 16949 certificate bearing the IATF logo for marketing and advertising purposes.
h) Quality management system-related consultants to the client shall not be physically present at the client’s site during an audit and shall not participate in the audit in any way either directly or indirectly. The client’s failure to meet this contractual requirement shall result in audit termination by the certification body.
i) The client shall provide pre-audit planning information to the certification body as required by the certification body.
j) The client shall notify the certification body of its intent to transfer once a legal contract is signed with a new certification body.
Note 1: This notification may allow the contract to be extended until all transfer activities are complete with the new certification body, which allows the IATF 16949 certificate to remain valid for a maximum of one-hundred-and-twenty (120) calendar days after the recertification audit due date (see section 10.0) or until the certificate expiration date, whichever comes first.
In cases where a transfer occurs at a surveillance audit, the IATF 16949 certificate would be allowed to remain valid for a maximum of two-hundred-and-ten (210) calendar days after the surveillance audit due date.
Note 2: The certification body may have other valid reasons for cancelling the contract or withdrawing the client’s certification before the transfer activities are completed.
k) The client shall work with the certification body to resolve open issues related to its transfer to or from another IATF-recognized certification body.
l) The client shall remove all references to IATF 16949 certification from all internal and external marketing channels—including, but not limited to, websites and printed and electronic media—when its certification is cancelled, withdrawn, or expired.
m) The certification body shall notify its clients within ten (10) calendar days of any changes in the certification body’s ownership status or loss of IATF recognition.
n) The certification body shall work with the client to resolve open issues related to the client’s transfer to or from another IATF-recognized certification body.
o) The certification body, including all of its sponsored IATF 16949 auditors, shall comply with all relevant data protection laws for the respective client jurisdictions and provide sufficient transparency regarding the use of relevant personally identifiable information (PII).

Any violation of provisions a) – l) above shall be considered a material breach of contract and shall lead to appropriate actions by the certification body, including, but not limited to, audit termination, audit cancellation, contract cancellation, or certification withdrawal.

3.2. Notice of significant changes by a client

The client shall notify the certification body of imminent changes that may affect the capability of the quality management system to continue to fulfill the requirements of the IATF 16949 certification.
These include, for example, changes relating to:
a) legal status
b) ownership status (e.g., mergers, acquisitions, alliances, joint ventures, etc.)
c) management structure (e.g., top management, key decision-making staff, etc.)
d) contact address or location
e) relocation of the manufacturing process(es) or support activities (see section 5.15)
f) closure or relocation of a manufacturing site, extended manufacturing site, or a standalone remote support location (see section 5.15)
g) scope of operations under the quality management system, including any new locations and/or support relationships to be covered in the certification scope
h) outsourcing of quality management system processes to other organizations
i) customer dissatisfaction scenarios that require certification body notification as described in IATF OEM customer-specific requirements (e.g., special status conditions, etc.)
j) a signed contract with another IATF-recognized certification body (see section 7.1).

The certification body shall take appropriate actions based on the changes communicated by the client, including special audits (see section 7.2). Records of the notification of significant changes and the actions taken shall be maintained as a part of the certification records.

4. PERSONNEL RESOURCE REQUIREMENTS MANAGEMENT

The certification body shall have a process to define the responsibilities and the necessary competencies (i.e., knowledge, skills, and abilities) for each role involved in IATF 16949 certification activities.
This process shall include, but not be limited to, the following roles:
a) technical reviewer
b) application reviewers
c) IATF 16949 auditor candidates
d) IATF 16949 auditors
e) internal witness auditors
f) internal system auditors
g) IATF Database specialists entering data and/or performing accuracy checks
h) personnel involved in the problem-solving process for non-conformities issued to the certification body by the relevant oversight office (see section 2.10.3)
i) personnel involved in problem-solving activities related to complaints raised by clients and other interested parties, and non-conformities issued in internal witness audits and internal system audits (see section 2.2).

The certification body shall have a process to develop, demonstrate, and maintain the necessary competencies of personnel performing these roles. The certification body's contracted office shall determine the methods and means to demonstrate, with evidence, the competencies of personnel involved in IATF 16949 certification activities. The necessary competencies shall be demonstrated before carrying out these roles. Records of demonstrated competence shall be retained by the certification body.

Where technical experts