Risk analysis (IATF only)
Plain-language summary
Risk analysis must include, at minimum, the hard lessons: product recalls, audit findings, field returns and complaints, scrap and rework — learn from what has already hurt you.
What the clause is really asking
IATF anchors risk-based thinking in real data. Your risk analysis cannot be only a blue-sky workshop; it must digest recalls, customer rejections, warranty and internal failure history, and you must keep documented information as evidence.
What auditors look for
Auditors check the inputs: does the risk analysis reference complaint history, audit findings, scrap data? When a field failure occurred, did the risk analysis get updated? Sampling a recent recall or major complaint and finding no risk-register trace is a classic finding.
Typical evidence
Risk analysis records referencing complaints/recalls/rejects; FMEA revision history after failures; lessons-learned records.
How to comply — recommendations
Make 'update risk analysis / FMEA' a mandatory closure step on every significant complaint, field failure and audit finding. One rule, evidenced in the CAR form, closes the loop and genuinely improves the system.
Common nonconformities
Risk analysis silent on known failures; FMEAs not revised after recurring complaints; lessons learned filed but never fed back.
Related clauses
Builds on ISO 9001 6.1
Qlause provides interpretive guidance only and is not a substitute for the standard. Refer to your licensed copy of ISO 9001 / IATF 16949 for the authoritative text.