At the end of July, the IATF released the following document:
SI10: Further clarifications provided explaining the conditions and assessment required if non-accredited laboratories are used; including for test and measurement original equipment manufacturers. Effective August 2021.
7.1.5.3.2 External laboratory
- the laboratory shall be accredited to ISO/IEC 17025 [SI10] or its national equivalent (e.g., CNAS-CL01 in China) by an accreditation body (Signatory) of the ILAC MRA (International Laboratory Accreditation Forum Mutual Recognition Arrangement – www.ilac.org) and include the relevant inspection, test, or calibration service in the scope of the accreditation (certificate); the certificate of calibration or test report shall include the mark of a national accreditation body; or
- where a non-accredited laboratory is utilized (for example, but not limited to: specialist or integrated equipment, parameters with no international traceable standard reference, or original equipment manufacturers), the organization is responsible to ensure that there is evidence that the laboratory has been evaluated and meets the requirements of Section 7.1.5.3.1 of IATF 16949.
Note: integrated self-calibration of measurement equipment, including use of proprietary software, does not meet the requirements of calibration.
SI3: Minor clarifications, including addition of pandemics in situations requiring contingency plans. Also, recognition that employee knowledge is a key step for an effective contingency plan. Effective November 2021.
6.1.2.3 Contingency Plans
c) prepare contingency plans for continuity of supply in the event of any of the following, [SI3] but not limited to: key equipment failures (also see Section 8.5.6.1.1); interruption from externally provided products, processes, and services; recurring natural disasters; fire; pandemics; utility interruptions; cyber-attacks on information technology systems; labour shortages; or infrastructure disruptions;
e) periodically test the contingency plans for effectiveness (e.g. simulations, as appropriate); for cybersecurity: testing may include a simulation of a cyber-attack, regular monitoring for specific threats, identification of dependencies and prioritization of vulnerabilities. The testing is appropriate to the risk of associated customer disruption; Note: cybersecurity testing may be managed internally by the organization or subcontracted as appropriate.
h) include in contingency plans the development and implementation of appropriate employee training and awareness.
SI21 and SI22 (New): Introduce new requirements related to cyber-attacks. Effective November 2021.
6.1.2.1 Risk analysis
The organization shall include in its risk analysis, at a minimum [SI21]:
a) lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework;
b) cyber-attack threats to information technology systems.
7.2.1 Competence - supplement
[SI22] To reduce or eliminate risks to the organization, the training and awareness shall also include information about prevention relevant for the organization’s working.
Have questions or need help?
We at E2S Consultoria can help you!
Contact us!
contato@e2sconsultoria.com.br