On 21 July 2021, IATF revised and reissued a number of Sanctioned Interpretations (SIs) related to the IATF 16949 scheme.
- Two revised SIs: SI 3 and SI 10
- Two new SIs numbered SI 21 and SI 22
The revised SI 3 is related to 6.1.2.3 (Contingency Plans) and is effective November 2021
SI 3 is for clause 6.1.2.3 on contingency plans. There are three key points added.
First point: Pandemics are now added to the scope for inclusion in the contingency plan. Given that the Covid-19 pandemic has caused huge disruption to the automotive supply chain globally, it makes sense that IATF wishes to have this included as part of risk management for future pandemics.
Second point: Another area of concern is cyber-security testing. The requirements for cyber-security testing are strengthened to include the specific details listed below:
- simulation of a cyber-attack,
- regular monitoring for specific threats,
- identification of dependencies and
- prioritization of vulnerabilities.
Third point: The development and implementation of appropriate employee training and awareness is now required to be included in the contingency plan. This arises from the recognition that employee knowledge is a key step in ensuring the effectiveness of the contingency plan.
The revised SI 10 is related to 7.1.5.3.2 (External Laboratory) and is effective August 2021
The requirements on the use of external laboratories have often invited questions. Four revisions have been made before, making this the 5th revision. Despite previous attempts by IATF to clarify and revise the paragraph, ambiguous situations continue to cause confusion. In the previous 4th revision, built-in calibration, such as integrated self-calibration of measurement equipment, was made clear as not being acceptable as calibration.
Now, clarifications are provided on the conditions and assessment required if non-accredited laboratories are used, in situations where:
- specialist or integrated equipment is used, or
- the original equipment manufacturer is used.
However, the organization remains responsible for ensuring that there is evidence that the laboratory has been evaluated and meets the requirements of Section 7.1.5.3.1 of IATF 16949 for internal laboratories.
Organizations generally achieve that by verifying information about the capability of the external laboratory. This may be done via a review of technical data submitted by the equipment maker or by verifying the laboratory scope document. In normal times, an audit or site visit may be an option, but not for now as the pandemic restricts travel.
New SI 21 relates to 6.1.2.1 (Risk Analysis), effective November 2021
The new SI 21 for risk analysis now reads as follows.
The organization shall include in its risk analysis, at a minimum:
a) lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework,
b) cyber-attack threats to information technology systems.
Line (a) was the original statement, while line (b) for cyber-security threats is newly added.
This reflects a recent industry trend in which heavy reliance on IT systems has made the automotive supply chain vulnerable to threats from potential cyber-security attacks. These attacks include malware, phishing, Denial of Service (DoS), man-in-the-middle (MITM), Structured Query Language (SQL) injection and password attacks. In line with the principle of risk-based thinking, organizations are required to consider cyber-attacks in their risk analysis.
New SI 22 relates to 7.2.1 (Competence – supplemental), effective November 2021
The new paragraph reads as follows:
To reduce or eliminate risks to the organization, the training and awareness shall also include information about prevention relevant for the organization’s working environments and employees’ responsibilities, such as recognizing the symptoms of pending equipment failure and/or attempted cyber-attacks.
The original intent of this requirement was to focus on processes for identifying training needs. Now the new paragraph adds the need to see employee knowledge as a key enabler in preventing issues from becoming significant, including identifying potential equipment failure and cyber-attacks.
This means organizations will have to expand the employee training scope with specific subjects related to cyber-security threats and equipment failures, how to recognize potential symptoms of these threats, and relevant prevention controls.
Conclusion from July 2021 SI Update
In conclusion, the July update of the IATF SIs reflects a current industry concern: the disruptions faced in the automotive supply chain due to pandemics and cyber-security issues are real. When these issues are prevalent and are having negative impacts on us, it makes sense for us to take them into account as part of a risk-based thinking approach. Be reminded that most of the new updates will be effective from November 2021 onwards. If your next certification audit is after November, make sure you get prepared for it!
The update on the latest SIs by IATF can be found at https://www.iatfglobaloversight.org/
Written by Leon Ng, 6 Aug 2021.
Leon is a consultant specializing in the IATF scheme for the automotive supply chain. During the pandemic, he keeps his sanity by working actively and writing articles on matters related to the industry. You can reach him at [email protected].