
Managing GRC in manufacturing: BPMN for efficient CE product compliance

Written by Andrea

5 August 2024 · 15 min read

governance, risk and compliance (GRC) in manufacturing industry

Navigating the complex regulatory landscape and ensuring that products are always fully compliant with all regulatory requirements can be quite challenging for many manufacturers. In the CE marking product compliance process especially, meticulous planning and coordination are key to regulatory success.

In the following sections, we’ll briefly talk about Governance, Risk, and Compliance (GRC) as a practice before focusing on the product compliance process for achieving CE marking certification. We’ll present how the use of BPMN can help understand, analyze, and improve the process. And we’ll also discuss how Cardanit, an intuitive online BPMN tool with features like flow and time simulation, can improve the efficiency and accuracy of the compliance process.

What is GRC?

GRC is a comprehensive approach that ensures your organization achieves its objectives, manages uncertainty, and acts with integrity. It includes governance processes, risk management practices, and compliance protocols to improve decision-making, performance, and accountability.

GRC is important in several ways:

  • improves decision-making in terms of strategic planning and operational effectiveness by providing a structured framework;
  • helps identify, assess, and mitigate potential business risks;
  • ensures compliance, helping avoid legal penalties, financial losses, reputational damage, and operational disruptions.

How are GRC and BPMN connected?

Effective GRC frameworks rely on clear, structured processes to achieve their goals. And this is where process modeling and BPMN 2.0 come into play.

Process modeling involves creating a visual representation of your organization's processes. These models help in understanding, analyzing, and improving workflows. For GRC, process modeling ensures that governance policies, risk management activities, and compliance requirements are integrated into the day-to-day operations of your organization.

BPMN 2.0 is a standardized graphical notation that depicts the steps in a business process. It provides a clear, detailed view of the process, making it easier for stakeholders to understand and follow. BPMN 2.0 models are particularly useful in GRC for several reasons:

  • help ensure that all regulatory requirements are clearly defined and adhered to;
  • ensure that decision-making procedures are transparent, accountable, and aligned with corporate policies;
  • allow you to visualize risk management processes, identifying potential risks and their impacts;
  • make it easier to monitor compliance activities by clearly describing each step of the compliance process, consequently facilitating the identification of gaps or non-compliance issues;
  • facilitate process optimization by identifying inefficiencies and bottlenecks;
  • serve as effective communication tools, helping to ensure everyone understands their roles in the GRC framework.

Compliance with CE marking

A vital aspect of GRC in the European market is ensuring compliance with the CE marking legislation. By following the CE marking process, organizations demonstrate their commitment to safety, quality, and regulatory compliance, thereby avoiding the consequences of non-compliance and fostering consumer trust in their products.

CE marking is a certification mark indicating that a product conforms to the health, safety, and environmental protection standards set by the European Union (EU). This mark is mandatory for certain non-food products, such as electronics and medical devices, sold within the European Economic Area (EEA). It signifies that the product meets all the relevant EU directives and regulations necessary to be marketed and sold in Europe.

The BPMN standard can prove very useful in the context of CE marking. You can use it to effectively map and optimize the entire product certification process, ensuring clarity, efficiency, and compliance throughout each phase. By integrating BPMN 2.0 with GRC, your organization can better manage non-compliance risks, ensure adherence to EU regulations, and maintain robust governance throughout the product lifecycle.

Let’s learn more about the compliance process itself and the role of BPMN at each phase.

The CE product compliance process and BPMN

The CE product compliance process is often overwhelming for manufacturers with little knowledge of the topic. It involves several key steps to ensure a product meets all applicable EU requirements.

Firstly, manufacturers must identify the applicable EU directives and regulations to ensure the product complies with essential requirements. For example, a fitness tracker monitoring physical activity must comply with the LVD, EMC, RED and RoHS, and if it has a medical purpose, the MDR instead. Then, manufacturers must select relevant standards like EN, ISO, and IEC, specifying product requirements. Using harmonized standards (EN) simplifies the CE process.

Some products require lab testing (in-house and/or external) to confirm compliance with relevant standards. Additionally, a Notified body (NB) may need to assess products’ compliance by reviewing technical files and inspecting production facilities. Not all products need this assessment, so manufacturers should check for it and submit their applications in advance due to long lead times.

Manufacturers must also compile technical documentation, known as ‘technical file’, to prove compliance and create a Declaration of Conformity (DoC), signed by them or another responsible person. Finally, the product must be labeled with the CE marking symbol, along with the NB’s ID number if applicable.

BPMN can help improve the CE marking process by providing clear and structured visualizations of each step. For example, BPMN helps to:

  • outline the steps for identifying relevant EU directives and product standards, ensuring thorough and accurate identification;
  • map testing procedures where different schedules and resources need to be coordinated;
  • illustrate the coordination and submission tasks involved in NB assessments, facilitating timely and organized evaluations;
  • structure the documentation process so that the technical file is accurately compiled;
  • formalize the creation and review of the DoC, ensuring correctness and completeness;
  • visualize the labeling process, ensuring the correct labeling of the product.

Modeling the CE compliance process

Useful BPMN elements

Various BPMN elements can be used to model the CE process comprehensively. And understanding those elements can help you create a detailed and accurate representation of the process.

BPMN 2.0 elements for mapping GRC processes
BPMN 2.0 elements for product regulatory compliance mapping

Flow objects:

  • Task - represents a unit of work in the process, such as “Identify applicable directives”.
  • Call Activity - refers to a predefined process in another diagram, such as “Technical documentation compilation”.
  • Subprocess - represents a group of tasks (for example, “Testing and certification”).
  • Event - represents something that happens during the process. There are several types of events. A Start Event marks the beginning of the process - for example, “Begin CE marking process”. An End Event marks the end of the process - for instance, “CE marking achieved”. Intermediate Events map anything that occurs between the start and end events - for example, “Receive test results.”

Data objects:

  • Data Object Reference - represents information used or produced by the process, such as “Test reports”.
  • Data Store Reference - represents a place where data is stored, such as a “Compliance database”.

Gateways:

  • Exclusive Gateway - diverges or converges paths based on a condition (for instance, “NB assessment needed?”)
  • Parallel Gateway - diverges or converges multiple parallel paths (for example, “Conduct parallel testing, internal and external”).

Connecting objects:

Swimlanes:

  • Pool - represents a participant in the process, such as “Manufacturer”.
  • Lane - represents sub-participants or departments within a pool, such as “Regulatory Affairs”.

Artifacts:

  • Text Annotation - adds explanatory text to the diagram (for example, “NB assessment not required for achieving compliance under RED.”)

How to model the product compliance process

To model the CE marking process for an electrical product such as the fitness tracker (without a medical purpose) using BPMN, you can simplify the process slightly by focusing only on the directives and requirements relevant to non-medical devices.

Moreover, focus first on the foundations to ensure the diagram accurately represents the compliance workflow. You need to set up the structure and understand the scope of the process. Here's how to do it.

Where to start

First, identify the main participants in the process. Participants could be various departments within a company, such as Manufacturing, Quality Assurance (QA), Regulatory Affairs (RA), and external entities like Notified Bodies and testing laboratories. In BPMN, these participants are represented by pools and lanes. Pools represent major participants in a process, such as organizations, while lanes subdivide these pools into smaller units, indicating specific roles or functions within each participant.

Next, create the pool for the organization responsible for the compliance process. Inside this pool, define lanes for each department or role involved. For external entities, create separate pools to represent their activities.

Generally speaking, the BPMN diagram should include at least the following participants:

Internal

  • Product Development - assists RA in accurately identifying relevant directives and ensures that the product design considers all regulatory requirements from the start.
  • Regulatory Affairs - identifies and ensures compliance with all relevant EU requirements (directives and standards), compiles the technical documentation, and oversees the creation and signing of the Declaration of Conformity.
  • Quality Assurance - provides RA with knowledge about industry-specific standards and QA best practices, ensures that the product meets all relevant standards through testing and quality checks, manages the testing process, and contributes to compiling an accurate technical file (TF).
  • Manufacturing - ensures that the product is produced in line with the standards, handles the practical aspects of lab testing, and is responsible for applying the CE mark.

External

  • Third-party testing facilities - perform specialized testing that may not be feasible in-house.
  • Notified Body - provides an independent assessment of the product's compliance and sometimes issues the Declaration of Conformity.
  • Market authorities - responsible for approving market registration requests for specific types of products.

A BPMN diagram illustrating the main participants in the CE marking product compliance process

Due to the interconnected nature of the tasks involved in CE marking, roles and responsibilities often overlap. For example, an overlap can be observed between Regulatory Affairs and Quality Assurance. Both departments compile the technical documentation and manage the creation of the Declaration of Conformity. RA provides the legal and regulatory perspective, ensuring all documents meet EU requirements. QA, on the other hand, supplies test results, risk assessments, and compliance reports necessary for the technical file.

The role overlap can be managed effectively through clear role definition, strong communication, detailed process mapping, and robust project management practices.

Going into detail

Once the pools and lanes are established, you can begin with the Start Event. This event signifies the beginning of the product compliance process. A common starting point is "CE marking process initiated," which triggers the sequence of activities needed for compliance.

After defining the Start Event, outline the major phases of the process. These phases can be identified as Call Activities that reference predefined “child” processes in other diagrams. For example, Call Activities will include "Directives identification," "Lab testing," and "Technical documentation creation." An alternative to Call Activities is Subprocesses. However, it’s better to use the former to avoid cluttering the process model with images. Call Activities also help improve the readability of the map and simplify the mapping work.

Then, in separate diagrams, detail the individual tasks related to each “child” process referenced by a Call Activity in the main diagram. For instance, in regard to the "Directives identification" process, tasks often include:

  • "Conduct initial research"
  • "Review product specifications"
  • "Identify directives"
  • "Document findings"
  • "Verify compliance requirements"
  • "Internal review"
  • “Finalize directives list”

A BPMN diagram illustrating the process of identifying directives and regulations for compliance with the CE marking legislation

Use the BPMN element Tasks to represent these actions and connect them sequentially to reflect the workflow.

Incorporate gateways to manage decision points. Exclusive Gateways can direct the flow based on conditions, such as whether a product falls under multiple directives or requires external testing. These gateways ensure the process follows the correct path based on specific criteria.

Model the data flow

As you map out the tasks, consider including Data Object References to illustrate documents or information generated, modified, or required by tasks. These represent graphical references to the abstract entities called Data Objects, allowing you to draw several references that point to the same Data Object. In regard to the CE process, Data Object References facilitate the documentation and tracking needed for each step, ensuring thorough compliance and efficient process management.

For instance, during the "Compile technical documentation" process, data objects might include design documents, test reports, and compliance checklists. To show their relevance, connect these data objects to their respective tasks using Data Associations.

Moreover, various documents are stored and managed throughout the entire product compliance process. You can use a Data Store Reference called “Document repository” to visualize where the data is kept in the BPMN diagram.

The finish line

Throughout the modeling process, ensure that the flow of activities is logical and reflects real-world practices. Sequence Flows should connect tasks in the order they’re performed, illustrating the progression from one activity to the next.

Use End Events to signify the completion of each “child” process and the entire CE marking process. For instance, the final End Event could be "CE marking achieved," indicating that the product is fully compliant and market-ready.

A BPMN diagram illustrating all the steps in the entire CE marking product compliance process

In summary, by identifying participants, structuring pools and lanes, defining the start event, and mapping out “child” processes and tasks, you can create a comprehensive BPMN model that accurately represents the CE marking compliance process. This approach ensures clarity, consistency, and a thorough understanding of the workflow, facilitating effective management and execution of compliance activities.

Potential deadlocks

In process mapping, avoiding deadlocks ensures smooth and efficient workflows. Deadlocks occur when a process gets stuck and cannot proceed to the next task, typically due to incorrect configurations of gateways or incomplete paths.

Correct gateway configuration

To prevent deadlocks, ensure that gateways are configured correctly.

Exclusive Gateways route the process flow based on conditions that must be mutually exclusive. For instance, if you have an Exclusive Gateway deciding between in-house testing and external lab testing, the conditions must be set so that only one path is taken based on the criteria defined.

Furthermore, be very mindful of Parallel Gateways. They’re more often the cause of deadlocks. All the sequence flows entering a Parallel Gateway must be “active” before the process can proceed.

It’s a good idea to always set a default condition so that no gateway is left without an exit.

Paths leading to End Events or Tasks

It’s essential to ensure that all possible paths lead to an End Event or another task, avoiding orphaned tasks with no follow-up actions. For instance, after the lab testing is completed, the process should either move to compile technical documentation or return for re-testing if the product fails the compliance check.

In the BPMN model, this can be visualized by ensuring every gateway decision has a clear outcome, leading to subsequent tasks like compiling documentation, creating the Declaration of Conformity, or applying the CE mark.
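The three modeling errors described in this section can also be checked mechanically on a BPMN 2.0 XML export. The following Python code is an added example, not part of the original article and not a Cardanit feature; the sample model, its element ids and the rule names are constructed for illustration, and the deadlock check is a heuristic that assumes each branch is a simple chain of tasks.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.omg.org/spec/BPMN/20100524/MODEL}"

# Constructed sample (not from the article's diagrams). It contains three defects:
# gw_pass has no default flow, "retest" has no follow-up, and an exclusive split
# (gw_nb) is merged by a parallel gateway ("join"), which can never fire.
SAMPLE_BPMN = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL">
 <process id="ce_marking">
  <startEvent id="start" name="CE marking process initiated"/>
  <task id="lab" name="Lab testing"/>
  <exclusiveGateway id="gw_pass" name="Compliance check passed?"/>
  <task id="retest" name="Re-testing"/>
  <exclusiveGateway id="gw_nb" name="NB assessment needed?" default="f5"/>
  <task id="nb" name="Submit NB application"/>
  <task id="tf" name="Compile technical documentation"/>
  <parallelGateway id="join" name="Join before DoC"/>
  <task id="doc" name="Create Declaration of Conformity"/>
  <endEvent id="end" name="CE marking achieved"/>
  <sequenceFlow id="f1" sourceRef="start" targetRef="lab"/>
  <sequenceFlow id="f2" sourceRef="lab" targetRef="gw_pass"/>
  <sequenceFlow id="f3" sourceRef="gw_pass" targetRef="retest"/>
  <sequenceFlow id="f4" sourceRef="gw_pass" targetRef="gw_nb"/>
  <sequenceFlow id="f5" sourceRef="gw_nb" targetRef="tf"/>
  <sequenceFlow id="f6" sourceRef="gw_nb" targetRef="nb"/>
  <sequenceFlow id="f7" sourceRef="tf" targetRef="join"/>
  <sequenceFlow id="f8" sourceRef="nb" targetRef="join"/>
  <sequenceFlow id="f9" sourceRef="join" targetRef="doc"/>
  <sequenceFlow id="f10" sourceRef="doc" targetRef="end"/>
 </process>
</definitions>"""


def lint_bpmn(xml_text):
    """Return a sorted list of (rule, element_id) findings for one BPMN 2.0 process."""
    process = ET.fromstring(xml_text).find(NS + "process")
    nodes, incoming, outgoing = {}, {}, {}
    for el in process:
        tag = el.tag.replace(NS, "")
        if tag == "sequenceFlow":
            outgoing.setdefault(el.get("sourceRef"), []).append(el.get("targetRef"))
            incoming.setdefault(el.get("targetRef"), []).append(el.get("sourceRef"))
        elif el.get("id"):
            nodes[el.get("id")] = (tag, el)

    def branch_origin(node_id):
        # Walk back along a single-entry branch to the gateway that opened it.
        seen = set()
        while node_id not in seen and "Gateway" not in nodes[node_id][0]:
            seen.add(node_id)
            preds = incoming.get(node_id, [])
            if len(preds) != 1:
                return None
            node_id = preds[0]
        return node_id if "Gateway" in nodes[node_id][0] else None

    findings = []
    for node_id, (tag, el) in nodes.items():
        outs, ins = outgoing.get(node_id, []), incoming.get(node_id, [])
        # Every path must lead to an End Event or another task.
        if tag != "endEvent" and not outs:
            findings.append(("dead_end", node_id))
        # An Exclusive Gateway that splits should carry a default flow.
        if tag == "exclusiveGateway" and len(outs) > 1 and not el.get("default"):
            findings.append(("no_default_flow", node_id))
        # A Parallel Gateway waits for all incoming flows; if two of them start
        # at the same Exclusive Gateway, only one is ever active (deadlock).
        if tag == "parallelGateway" and len(ins) > 1:
            origins = [branch_origin(p) for p in ins]
            if any(o and origins.count(o) > 1
                   and nodes[o][0] == "exclusiveGateway" for o in origins):
                findings.append(("xor_split_and_join", node_id))
    return sorted(findings)


if __name__ == "__main__":
    for rule, element_id in lint_bpmn(SAMPLE_BPMN):
        print(f"{rule}: {element_id}")
```

Running the same check in the pipeline that stores the process model gives reviewers a repeatable gate before a changed compliance workflow is approved.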

Optimization areas

Optimizing the CE marking process in BPMN could involve streamlining tasks, utilizing parallel processing, and incorporating automation where possible.

Parallel Gateways for simultaneous tasks

Parallel Gateways can handle tasks that can be performed simultaneously, reducing the overall time required for the CE marking process. For instance, technical documentation creation and initial product testing can occur in parallel in our fitness tracker example. To illustrate this in the BPMN model, you can place a Parallel Gateway after identifying the relevant standards, branching into simultaneous tasks for compiling preliminary documentation, and conducting in-house testing. This approach has the potential to cut down the time to market significantly.

Service Tasks for automation

Implementing Service Tasks for automated compliance checks and document creation can enhance efficiency. For example, a Service Task can automatically verify if the fitness tracker meets specific standards and generate compliance documents. This reduces manual work and minimizes errors. In the BPMN model, Service Tasks can be integrated at stages like compliance checks after lab testing and during the creation of technical documentation, ensuring that these tasks are performed consistently and accurately.

Eliminating redundant tasks

Identifying and eliminating redundant tasks or combining similar tasks helps streamline the process. For example, several departments have tasks related to the identification of EU directives and standards:

  • Regulatory Affairs identifies applicable EU directives and standards.
  • Product Development provides detailed product information to help determine the applicable directives and standards.
  • Quality Assurance provides Regulatory Affairs with knowledge of industry-specific standards based on the identified directives.

Combining these into a single, well-coordinated Task called “Identify applicable directives and standards” can save time and resources. This task involves a cross-functional team from Regulatory Affairs, Product Development, and Quality Assurance working together to simultaneously identify all relevant directives and standards. By sharing information and expertise, they can ensure all aspects are considered, reducing redundancy and improving accuracy.

Regular process review and update

Regularly reviewing and updating the BPMN model to incorporate feedback and changes in regulatory requirements is crucial for maintaining compliance and process efficiency. In the BPMN model, you can use a feedback loop with scheduled periodic reviews. A Task labeled "Review and update process" can feed back into earlier stages, ensuring that changes are incorporated into the process promptly.

Common pitfalls in the CE marking process

Organizations aiming to enhance their product compliance process often encounter several common pitfalls and areas where best practices aren’t fully implemented. These areas include prototype development, technology use, risk management, post-market surveillance, and regulatory intelligence.

Many manufacturers prioritize prototype design and functionality over regulatory requirements like CE marking. This approach can lead to compliance issues later, resulting in costly redesigns and market entry delays. To avoid such issues, it's crucial to integrate compliance considerations early in the product development lifecycle by conducting thorough compliance research upfront, designing prototypes with compliance in mind, and seeking guidance from regulatory experts.

Efficient technology utilization can significantly enhance compliance processes by automating tasks such as compliance checks, document generation, and data analysis. However, many organizations underuse available software tools, leading to manual errors and inefficiencies. Using technology during the process can streamline workflows and ensure accuracy in meeting EU requirements.

Additionally, effective risk management is key to preventing compliance issues. This involves conducting thorough risk analyses and creating comprehensive risk management files throughout the compliance process, from lab testing to implementing risk mitigation actions.

Post-market surveillance (PMS) is critical for monitoring product performance and ensuring ongoing compliance after market release. Establishing robust PMS systems involves tasks such as data collection, analysis of customer feedback, and periodic reviews to promptly detect and address issues.

Lastly, staying updated with regulatory changes is crucial but often overlooked. Implementing systems for monitoring regulatory updates, assessing their impact, and updating internal procedures accordingly ensures that compliance practices remain current and aligned with regulatory requirements.

Managing GRC processes with Cardanit

A BPMN model and a process flow simulation heatmap created in Cardanit

Cardanit, our online BPMN tool, has robust process modeling features and simulation capabilities that can help improve any GRC process. Cardanit also has a wide range of templates for different needs, among which you can also find the process map for achieving EU compliance.

Firstly, its flow simulation feature helps visualize the entire process, helping to identify bottlenecks in steps such as lab testing or documentation compilation. This ensures a smooth progression from initial product design to final product marking and labeling.

Secondly, the time simulation feature aids in estimating project timelines by simulating the time required for each step. For example, if an NB assessment is anticipated to take six months, time simulation helps schedule this task appropriately within the overall project timeline, ensuring that deadlines are met.

Moreover, when it comes to process modeling, users can benefit from a number of features - for example:

  • The Auto Layout feature arranges BPMN diagrams for optimal readability, making it easier to follow and identify any issues. This is especially beneficial for complex processes involving multiple directives.
  • With Version History, users can track changes over time, which is crucial when regulatory requirements change.
  • The user-friendly, intuitive interface with drag-and-drop functionality simplifies the creation and modification of BPMN diagrams. This makes it easy to add tasks for risk management or PMS, thus speeding up the modeling process.
  • The automatic report generation feature saves time and ensures consistency in process documentation, which is essential for internal reviews.

Additionally, Cardanit is cloud-based, which facilitates real-time collaboration among team members. For example, as the Regulatory Affairs team identifies applicable standards for the fitness tracker, the QA team can simultaneously prepare for compliance testing, ensuring alignment and efficiency.

Overall, Cardanit helps manufacturers ensure timely compliance and a streamlined path to market for their products.

In conclusion

Mastering the CE marking compliance process is important for manufacturers aiming to market their products in the EEA. Through the steps we’ve outlined above, it’s clear that the process has many key areas that shouldn’t be overlooked. Using BPMN for managing GRC processes helps in visualizing and optimizing such areas, reducing the risk of errors and inefficiencies. Moreover, leveraging Cardanit's process modeling and simulation capabilities can significantly improve the compliance process, allowing manufacturers to navigate the regulatory landscape more effectively and ensure their products meet all EU requirements and reach the market without delays.

Andrea

Andrea is the collective pseudonym for the group of people working behind Cardanit, the Business Process Management Software as a Service of ESTECO. The group has different backgrounds and several decades of experience in fields varying from BPM, BPMN, DMN, Process Mining, Simulation, Optimization, Numerical Methods, Research and Development, and Marketing.


Free BPMN and DMN cheat sheet

Use it as a reference list of the most used elements in BPMN and DMN or as a guide on how to put those elements into practice.
