“RISK” IN ISO 9001:2015/AS 9100 

1.  Objective  

2.  Overview 

One of the key changes in the revision of ISO 9001/AS 9100 is to establish a systematic approach to risk, rather than treating it as a single component of a quality management system. 

In previous editions of ISO 9001/AS 9100, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard. 

By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based.

3.  What is risk-based thinking? 

Risk-based thinking is something we all do automatically. 

Example: If I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car.

Risk-based thinking has always been in ISO 9001/AS 9100 – this revision builds it into the whole management system. 

In ISO 9001/AS 9100 risk is considered from the beginning and throughout the standards, making preventive action part of strategic planning as well as operation and review. 

Risk-based thinking is already part of the process approach. 

Example: To cross the road I may go directly or I may use a nearby footbridge.

Which process I choose will be determined by considering the risks.

Risk is commonly understood to be negative. In risk-based thinking opportunity can also be found – this is sometimes seen as the positive side of risk. 

Example: Crossing the road directly gives me an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars.

The risk of using a footbridge is that I may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car. 

Opportunity is not always directly related to risk but it is always related to the objectives. By considering a situation it may be possible to identify opportunities to improve. 

Example: Analysis of this situation shows further opportunities for improvement: a subway leading directly under the road, pedestrian traffic lights, or diverting the road so that the area has no traffic.

It's necessary to analyze the opportunities and consider which can or should be acted on. Both the impact and the feasibility of taking an opportunity must be considered. Whatever action is taken will change the context and the risks and these must then be reconsidered. 

4.  Where is risk addressed in ISO 9001/AS 9100? 


The concept of risk-based thinking is explained in the introduction of ISO 9001/AS 9100. 


  1. ISO 9001/AS 9100 defines risk as the effect of uncertainty on an expected result. An effect is a deviation from the expected – positive or negative.

  2. Risk is about what could happen and what the effect of this happening might be.

  3. Risk also considers how likely it is.

The target of a management system is to achieve conformity and customer satisfaction. 

ISO 9001/AS 9100 uses risk-based thinking to achieve this in the following way:  

5.  Why use risk-based thinking? 

By considering risk throughout the organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking therefore: 

6.  How do I do it? 

Use a risk-driven approach in your organizational processes. Identify what YOUR risks and opportunities are – it depends on context.

Example: If I cross a busy road with many fast-moving cars the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.

Analyze and prioritize your risks and opportunities 

What is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another? 

Example: Objective: I need to safely cross a road to reach a meeting at a given time.

It is UNACCEPTABLE to be injured. 

It is UNACCEPTABLE to be late. 

The opportunity of reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time. 

It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high. 

I analyze the situation. The footbridge is 200 meters away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time. 

I decide that walking directly across the road carries an acceptably low level of risk of injury and an opportunity to reach my meeting on time.

Plan actions to address the risks

How can I avoid or eliminate the risk? How can I mitigate risks? 

Example: I could eliminate risk of injury by using the footbridge but I have already decided that the risk involved in crossing the road is acceptable.

Now I plan how to reduce the likelihood of injury and/or the effect of injury. I cannot reasonably expect to control the effect of a car hitting me. I can reduce the probability of being hit by a car. 

I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also choose to cross the road at a place where I have good visibility and can safely stop in the middle to re-assess the number of moving cars, further reducing the probability of an accident.

Implement the plan – take action

Example: I move to the side of the road, check that there are no barriers to crossing and that there is a safe place in the center of the moving traffic. I check there are no cars coming. I cross half of the road and stop in the central safe place. I assess the situation again and then cross the second part of the road.

Check the effectiveness of the actions – does it work? 

Example: I arrive at the other side of the road unharmed and on time: this plan worked and undesired outcomes have been avoided.

Learn from experience – continual improvement 

Example: I repeat the plan over several days, at different times and in different weather conditions.

This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury). 

Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars. 

To limit the risk I revise and improve my process by using the footbridge at these times. 

I continue to analyze the effectiveness of the processes and revise them when the context changes. 

I also continue to consider innovative opportunities:  

7.  Conclusion 

Transitioning From ISO/TS 16949:2009 to IATF 16949:2016 

A New Evolution 

This new standard will supersede and replace the current ISO/TS 16949:2009, defining the requirements of a quality management system for organizations in the automotive industry.  

IATF 16949 is aligned with and refers to the most recent version of ISO’s quality management systems standard, ISO 9001:2015, fully respecting its structure and requirements. IATF 16949 is not a standalone quality management standard, but is implemented as a supplement to, and in conjunction with, ISO 9001:2015. This means that an organization in the automotive sector seeking IATF 16949 certification must also comply with ISO 9001:2015. 

High Risk, High Cost 

The automotive industry produces high-risk, high-cost products and services and has tightly controlled industry requirements; therefore, IATF 16949 better aligns with the needs of its stakeholders. According to the IATF 16949 Revision Team, the goal of this standard is the development of a quality management system that provides for continual improvement, emphasizing defect prevention, and the reduction of variation and waste in the supply chain. 

A Smooth Transition 

IATF 16949 plays an essential role in ensuring quality requirements are met, thus reducing the risk of product and service failure for automotive production, service and/or accessory parts organizations. Certification to IATF 16949 is mandatory for organizations that wish to manufacture parts for the automotive industry.

To get you pointed in the right direction, this whitepaper will cover the following topics:

  1. Transition Guidance
  2. Transition Timeline
  3. New High Level Structure
  4. Preview of IATF 16949 changes

Intent Behind the Revision 

ISO standards are reviewed every five years to determine what changes, if any, are required to keep the standards up-to-date and relevant. Since the ISO 9001:2008 revision, business needs and expectations have changed significantly. 

The new ISO 9001:2015 better meets customer requirements, adapts to new technologies, better integrates with complex supply chains, and addresses the need for more sustainable development initiatives. 

This is accomplished through a better understanding of the organization’s context and relevant interested parties, and by taking appropriate actions to address risks and opportunities at every level. 

IATF 16949 fully supports these changes in ISO 9001:2015 with additional requirements that better meet automotive industry needs. Alignment with the ISO 9001:2015 structure makes it easier for organizations that need to implement more than one quality management system standard. If IATF 16949 is implemented and properly managed, an organization will:  

  1. Receive recognition from regulatory authorities

  2. Produce safer and more reliable products

  3. Meet or exceed customer requirements

  4. Improve processes and the documentation system

Transition Guidance: Suppliers 

The IATF has communicated that there will only be one transition option for organizations: Transition in line with the organization’s current ISO/TS 16949 audit cycle. 

Organizations transitioning from ISO/TS 16949:2009 to IATF 16949 must transition to the new standard through a transition audit in line with the organization’s current regularly scheduled recertification audit or surveillance audit, as defined in the IATF: 

For organizations currently certified to ISO/TS 16949, here is a recommended action plan for transitioning:  

  1. Familiarize yourself with ISO 9001:2015 and IATF 16949.

  2. Perform an organizational gap analysis against ISO 9001:2015 and IATF 16949 to identify the differences that need to be addressed to ensure your organization’s QMS meets all the new requirements, including those related to external providers. 

  3. Based on the results of the gap analysis, develop an implementation plan specific to your organization. 

  4. Provide appropriate training for all individuals involved in implementing ISO 9001:2015 and IATF 16949 at your organization. 

  5. Update your existing system and provide evidence that your organization meets the new requirements. 

New High Level Structure 

ISO 9001 embraces a new structure by switching from eight clauses to ten clauses in the 2015 revision. This change allows the standard to better align with business strategic direction, become more compatible with other management system standards, and incorporate the Plan-Do-Check-Act approach, as shown below.

  1. Scope

  2. Normative references

  3. Terms and definitions 


Set objectives and build processes necessary to deliver results. 

4. Context of the organization 


4.1 Understanding the organization and its context 

4.2 Understanding needs and expectations of interested parties 

4.3 Determining the scope of the quality management system

4.4 Quality management system and its processes 

5. Leadership 

5.1 Leadership and commitment 

5.2 Policy 

5.3 Organizational roles, responsibilities and authorities  

6. Planning 

6.1 Actions to address risks and opportunities 

6.2 Quality objectives and planning to achieve them 

6.3 Planning of changes 

7. Support 

7.1 Resources

7.2 Competence  

7.3 Awareness

7.4 Communication  

7.5 Documented information 


Implement what was planned 

8. Operation 

8.1 Operational planning and control

8.2 Requirements for products and services  

8.3 Design and development of products and services  

8.4 Control of externally provided processes, products and services  

8.5 Production and service provision  

8.6 Release of products and services  

8.7 Control of nonconforming outputs 


Monitor and measure processes and results against the objectives, including effectiveness, efficiency and risk. 

9. Performance evaluation 

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit  

9.3 Management review 


Take actions to improve results.  

10. Improvement 

10.1 General

10.2 Nonconformity and corrective action  

10.3 Continual improvement 

Implementation Considerations

An organization is not required to reflect the new ten-clause structure and terminology in the documentation of their organization’s quality management system. 

The purpose of the new structure is to provide a clear presentation of the requirements; it is not intended to be a model for documenting an organization’s policies, objectives and processes.

If your organization’s quality system documentation is currently aligned to the structure of a previous standard, you are encouraged to consider realigning that documentation according to your organization’s value stream instead.

Aligning the QMS with the business structure allows organizations to customize their documentation based on their unique business needs. 

Too many organizations impose a structure tied to the standard that is neither natural nor easy to understand within the organization. 

IATF 16949 Key Changes

Unlike ISO/TS 16949 and some other industry-specific standards, IATF 16949 does not contain the ISO 9001:2015 text. The document contains only the automotive-specific additional requirements; however, the organization is still required to comply with ISO 9001:2015. IATF 16949 clarifies that it is a supplement to be used in conjunction with ISO 9001:2015.  

IATF 16949 shares the same general section headings and clause structure as ISO 9001:2015, without reciting the text. This ensures all IATF 16949 requirements are fully aligned with the ISO 9001:2015 high level structure.  

Risk-Based Thinking 

Risk mitigation takes center stage in IATF 16949, as it does in ISO 9001:2015. IATF 16949 adds a number of specific risk-related requirements to minimize the likelihood of failure during new program development and to maximize the potential realization of planned activities. These additions are the result of industry best practices intended to make businesses safer and more stable by identifying and mitigating risk.  

To ensure risk-based thinking is pervasive throughout the organization, top management needs to be actively engaged. Responsibilities include:  

Other sources of risk, such as how to deal with nonconforming outputs, are covered in more detail to ensure suppliers are aligned with their customers.

Integration of Customer-Specific Requirements 

IATF 16949 integrates many common industry practices previously found in customer-specific requirements. Integrating these common practices as requirements encourages commonality throughout the industry and aims to reduce the need for extensive customer-specific requirements in these areas. 

Also important is the clear distinction between customer requirements and customer-specific requirements (CSRs). In IATF 16949, these two terms are defined as follows:

Customer Requirements: All requirements specified by the customer (e.g., technical, commercial, product and manufacturing process-related requirements, general terms and conditions, customer-specific requirements, etc.)

Customer-Specific Requirements: Interpretations of or supplemental requirements linked to a specific clause(s) of this Automotive QMS Standard.

The new standard more clearly defines these two terms to reduce misunderstandings, and to facilitate the sampling of customer-specific quality management system requirements for effective implementation.

For example, the organization needs to review and agree with customer requirements such as packaging manuals and manufacturing process guidelines. However, for customer-specific requirements, organizations need to review and agree after considering the impact on their entire QMS.

Here are some examples of areas that were previously customer-specific requirements that are now included in more detail in IATF 16949: 

  1. Manufacturing feasibility

  2. Warranty management

  3. Temporary change of process controls

  4. Supplier quality management system development

  5. Second-party audits

  6. Control plan

  7. Problem-solving methodologies

  8. Control of changes

  9. Total productive maintenance

  10. Standardized work 

First and Second Party Auditor Competency 

IATF 16949 adds additional requirements for both first and second-party auditors, which include: 

  1.  Organizations shall have a documented process to verify internal auditor

  2. When training internal auditors, documented information shall be retained to demonstrate the trainer’s competency with the additional requirements.

  3. Organizations shall demonstrate the competency of second-party auditors, and second-party auditors shall meet customer-specific requirements for auditor qualification.

This standard also outlines the minimum competencies for auditors, which include: 

  1. Automotive process approach for auditing, including risk-based thinking

  2.  Applicable core tools requirements

  3.  Applicable customer-specific requirements

  4. Software development assessment methodologies, if applicable

These changes may require a competence gap analysis followed by additional auditor training and development activities.

Product Safety  

Product safety is an entirely new section in the IATF standard, and a transitioning organization must have documented processes for the management of product-safety related products and manufacturing processes. New requirements related to product safety include, where applicable: 

  1.  Special approval of control plans and FMEAs

  2. Training identified by the organization or customer for personnel involved in product safety related products and associated manufacturing processes.

  3. Transfer of requirements with regard to product safety throughout the supply chain, including customer-designated sources.

This clause highlights the fact that a product should perform to its designed or intended purpose without causing unacceptable harm or damage. Organizations must have processes in place to ensure product safety throughout the entire product lifecycle. 

Manufacturing Feasibility

In the new standard, an organization is required to assess whether it is capable of achieving the performance and timing targets specified by the customer, otherwise known as manufacturing feasibility.

While ISO/TS 16949 did require this kind of manufacturing feasibility analysis, it did not impose specific requirements. The new standard’s specific requirements include: 

  1. Using a multidisciplinary approach.

  2. Performing the analysis for any new manufacturing or product technology and for any changed manufacturing process or product design.

  3. Validating their ability to make product specifications at the required rate through production runs, benchmarking studies or other appropriate methods. 

Warranty Management 

Based on the increasing importance of warranty management, a new requirement has been added to IATF 16949. 

When an organization is required to provide warranty for its product(s), the warranty management process must address and integrate all applicable customer-specific requirements and warranty part analysis procedures to validate No Trouble Found (NTF). Decisions should be agreed upon by the customer, when applicable.

Development of Products With Embedded Software

IATF 16949 requirements for products with embedded software reflect the additional challenges as we move toward more of a drive-by-wire world. The standard references embedded software in the requirements for product validation, warranty and troubleshooting of issues in the field. 

A product requiring embedded software may need to comply with sourcing-from-origin requirements established by a customer. OEM requirements for sourcing and materials change frequently, and early changes to a program may negatively affect timing and increase risk.  

Embedded software is here to stay and the new version of the standard may require companies to look at their purchased parts (now called outsourced components) and identify risks in their current system based on this new focus.