Tuesday, March 24, 2009

Update of the IATF Rules

What are the Implications for Organizations?

Surveillance audit frequency and planning: The 3rd edition formalizes the options for surveillance audit frequency, shown below:
6 monthly visits - 5 in 3 year cycle with a tolerance of -1 month/ +1 month
9 monthly visits - 3 in 3 year cycle with a tolerance of -2 months/ +1 month
12 monthly visits - 2 in 3 year cycle with a tolerance of -3 months/ +1 month

The frequency needs to be agreed between an organization and their certification body, and once agreed the frequency must then be fixed for the three year cycle (i.e. it cannot change within the cycle).

In the 2nd edition of the Rules a lot of emphasis was placed on the auditor doing effective audit planning for the stage 2 audit. In the Rules 3rd edition a lot more emphasis is placed on planning surveillance and recertification audits. Prior to the audit, the auditor should request from the organization information to help in the planning of the audit. This should include details of any changes since the last visit (new customers, change in employee numbers, etc.), data related to performance against quality objectives, and customer satisfaction and complaint data. This will allow the auditor to prioritize areas to focus on during the audits, taking into account risk to the customer. For example, if an organization has three manufacturing processes, and data indicates that one process has more issues, the auditor should schedule time to investigate this, even if this process was not in the original audit plan. If the required information is not provided to the auditor by the organization, this could result in the certificate suspension process being instigated.

Auditor Rotation

Whereas Rules 2nd edition gave some flexibility on the requirement related to auditor rotation, the 3rd edition mandates that at the end of each three year audit cycle, a new auditor/auditors must be used for the next cycle. This has been reinforced to ensure continuing impartiality in the audit process, and to ensure that auditors do not become "over familiar" with the organization being audited. Any deviation from this has to be agreed between the Certification Body and the relevant Oversight office.

Undertaking Audits

Rules 3rd edition does not identify any significant changes in the way an audit should be undertaken, and still mandates that auditors utilize the process approach to auditing. Further clarification is given regarding opportunities for improvement, which are defined as: "An opportunity for improvement is a situation where the evidence presented indicates a requirement has been effectively implemented, but based on auditor experience and knowledge, additional effectiveness or robustness might be possible with a modified approach." There needs to be clear evidence recorded by the auditor that the situation in question meets the requirements of ISO/TS 16949 (i.e. is not nonconforming). The auditor cannot recommend specific solutions as this may be seen as consulting.

For the recertification audit, the 3rd edition of the Rules stresses that the auditor should look at the performance of the management system over the period of certification, and include the review of previous surveillance audit reports. Whereas surveillance audits would have sampled the processes of the management system, the recertification audit looks at:

The effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification

The demonstrated commitment from Top Management to maintain the effectiveness and improvement of the management system in order to enhance overall performance

Whether the operation of the certified management system contributes to the achievement of the client's policy and objectives

The effective interaction between all the processes defined in the quality management system and the overall effectiveness of the management system

Timing of the recertification audit is critical. It has to be timed in such a way that allows an organization to complete corrective action, to address any non-conformance found, prior to the expiration date of the certificate. The visit should be scheduled by the Certification Body three years from the date of the stage 2, or last recertification audit, +/- 3 months.

Transfer of Registration

The Rules 3rd edition gives clear requirements in the event that an organization wants to transfer registration to another certification body. These include:

The certification body shall ensure that clients applying for transfer have not transferred from another IATF recognized certification body within the previous three (3) year period

The new certification body shall be recognized by IATF, the existing certificate shall be valid, with all existing nonconformities considered to be 100% resolved

The client cannot be in any IATF OEM special status condition, or have their current ISO/TS 16949:2002 certification in suspension, cancelled or withdrawn status

The client shall provide the new certification body with the previous audit report and all findings issued by the existing certification body for the site and any remote support functions

The new certification body shall perform a review of the provided audit report and all findings

The new certification body shall perform a basic document review and a review of key indicators of quality management system performance

The new certification body should ensure the audit team members, if subcontracted, have not previously audited the client

The new certification body shall complete all transfer activities and a transfer audit including closure of any nonconformities and a certification decision prior to the next scheduled surveillance audit with the previous certification body or the expiration of the existing valid certificate

The new certification body shall conduct the transfer audit, which is equivalent in audit days to a recertification audit

Upon satisfying all the requirements for certification a certificate is issued by the new certification body and a new three (3) year audit certification cycle begins

Conclusion

In summary, most of the changes in the Rules affect the certification bodies, not directly an organization. However, organizations should be familiar with the Rules and it is strongly recommended that certified organizations read a copy.

Thursday, January 24, 2008

Scope Statements on Registration Certificates

Many of our clients struggle with developing a Scope for inclusion in their Quality Manual. Some manuals that I have seen say something like “Our Quality System conforms to ISO 9000.” Unfortunately, while it’s true, that’s not a valid statement for a Scope. Here’s the “official” interpretation of that requirement.


The International Accreditation Forum (IAF) has issued the following guidance for registration certificates:

Certificates issued to ISO 9001:2000 shall state clearly in words the scope of the quality management system in a way that will not mislead customers, and shall ensure that information is available for the user to determine which categories of product and product realization processes are included within the scope of registration. (Emphasis added)


In particular, scope statements shall be explicit in stating the responsibility for product design and development and other principal realization processes, such as, manufacturing, sales, and service.

The exclusion of clause 7 requirements may relate to all or only some of the product categories that are within the scope of the quality management system. Justification for excluding these requirements must be given in the quality manual and the registration body must review the validity of any such exclusions during certification and surveillance audits.

If the organization has responsibility for (and realizes or outsources) the design and development process, the scope statement for registration must include the words "Design of ...", "Development of ...", or "Design and development of ...".

According to the IAF, the following sentence must appear on all certificates issued to ISO 9001:2000:

"Further clarifications regarding the scope of this certificate and the applicability of ISO 9001:2000 requirements may be obtained by consulting the organization."
(Registrars always miss this one!)

How does your Scope measure up? Email me a copy for a FREE analysis at george@4iqc.com
