
Managing GRC in manufacturing: BPMN for efficient CE product compliance

Written by Andrea

5 August 2024 · 15 min read


Navigating the complex regulatory landscape and ensuring that products are always fully compliant with all regulatory requirements can be quite challenging for many manufacturers. Especially in the CE marking product compliance process, meticulous planning and coordination are key to regulatory success.

In the following sections, we’ll briefly talk about Governance, Risk, and Compliance (GRC) as a practice before focusing on the product compliance process for achieving CE marking certification. We’ll present how the use of BPMN can help understand, analyze, and improve the process. And we’ll also discuss how Cardanit, an intuitive online BPMN tool with features like flow and time simulation, can improve the efficiency and accuracy of the compliance process.

What is GRC?

GRC is a comprehensive approach that ensures your organization achieves its objectives, manages uncertainty, and acts with integrity. It includes governance processes, risk management practices, and compliance protocols to improve decision-making, performance, and accountability.

GRC is important in several ways:

  • improves decision-making in terms of strategic planning and operational effectiveness by providing a structured framework;
  • helps identify, assess, and mitigate potential business risks;
  • ensures compliance, helping avoid legal penalties, financial losses, reputational damage, and operational disruptions.

How are GRC and BPMN connected?

Effective GRC frameworks rely on clear, structured processes to achieve their goals. And this is where process modeling and BPMN 2.0 come into play.

Process modeling involves creating a visual representation of your organization's processes. These models help in understanding, analyzing, and improving workflows. For GRC, process modeling ensures that governance policies, risk management activities, and compliance requirements are integrated into the day-to-day operations of your organization.

BPMN 2.0 is a standardized graphical notation that depicts the steps in a business process. It provides a clear, detailed view of the process, making it easier for stakeholders to understand and follow.

BPMN 2.0 models are particularly useful in GRC for several reasons:

1. Define and follow regulatory requirements

BPMN ensures that all regulatory requirements are clearly defined, mapped, and followed consistently.

2. Support transparent and accountable decision-making

By making decision points explicit, BPMN supports transparency and alignment with governance policies.

3. Identify and manage risks

Visual process models make it easier to identify potential risks and understand their possible impact.

4. Monitor and enforce compliance

BPMN describes each compliance step clearly, enabling early detection of gaps or non-compliance.

5. Optimize workflows

With BPMN, teams can easily spot inefficiencies and streamline complex or repetitive tasks.

6. Align team responsibilities

A shared visual model clarifies responsibilities, helping teams coordinate effectively within the GRC framework.

Compliance with CE marking

A vital aspect of GRC in the European market is ensuring compliance with the CE marking legislation. By following the CE marking process, organizations demonstrate their commitment to safety, quality, and regulatory compliance, thereby avoiding the consequences of non-compliance and fostering consumer trust in their products.

CE marking is a certification mark indicating that a product conforms to the health, safety, and environmental protection standards set by the European Union (EU). This mark is mandatory for certain non-food products, such as electronics and medical devices, sold within the European Economic Area (EEA). It signifies that the product meets all the relevant EU directives and regulations necessary to be marketed and sold in Europe.

The BPMN standard can prove very useful in the context of CE marking. You can use it to effectively map and optimize the entire product certification process, ensuring clarity, efficiency, and compliance throughout each phase. By integrating BPMN 2.0 with GRC, your organization can better manage non-compliance risks, ensure adherence to EU regulations, and maintain robust governance throughout the product lifecycle.

Let’s learn more about the compliance process itself and the role of BPMN at each phase.

The CE product compliance process and BPMN

The CE product compliance process is often overwhelming for manufacturers with little knowledge of the topic. It involves several key steps to ensure a product meets all applicable EU requirements.

Firstly, manufacturers must identify the applicable EU directives and regulations to ensure the product complies with essential requirements. For example, a fitness tracker monitoring physical activity must comply with the LVD, EMC, RED and RoHS, and if it has a medical purpose, the MDR instead. Then, manufacturers must select relevant standards like EN, ISO, and IEC, specifying product requirements. Using harmonized standards (EN) simplifies the CE process.

Some products require lab testing (in-house and/or external) to confirm compliance with relevant standards. Additionally, a Notified Body (NB) may need to assess a product’s compliance by reviewing technical files and inspecting production facilities. Not all products need this assessment, so manufacturers should check whether it applies and submit their applications in advance due to long lead times.

Manufacturers must also compile technical documentation, known as the ‘technical file’, to prove compliance and create a Declaration of Conformity (DoC), signed by them or another responsible person. Finally, the product must be labeled with the CE marking symbol, along with the NB’s ID number if applicable.

BPMN can help improve the CE marking process by providing clear and structured visualizations of each step. For example, BPMN helps to:

Table 1. Mapping CE compliance steps with BPMN (CE compliance steps, common challenges, and how BPMN improves clarity, coordination, and documentation)

Modeling the CE compliance process

Useful BPMN elements

Various BPMN elements can be used to model the CE process comprehensively. And understanding those elements can help you create a detailed and accurate representation of the process.

BPMN 2.0 elements for mapping GRC processes and product regulatory compliance

Flow objects:

  • Task - represents a unit of work in the process, such as “Identify applicable directives”.
  • Call Activity - refers to a predefined process in another diagram, such as “Technical documentation compilation”.
  • Subprocess - represents a group of tasks (for example, “Testing and certification”).
  • Event - represents something that happens during the process. There are several types of events. A Start Event marks the beginning of the process - for example, “Begin CE marking process”. An End Event marks the end of the process - for instance, “CE marking achieved”. Intermediate Events map anything that occurs between the start and end events - for example, “Receive test results.”

Data objects:

  • Data Object Reference - represents information used or produced by the process, such as “Test reports”.
  • Data Store Reference - represents a place where data is stored, such as a “Compliance database”.

Gateways:

  • Exclusive Gateway - diverges or converges paths based on a condition (for instance, “NB assessment needed?”).
  • Parallel Gateway - diverges or converges multiple parallel paths (for example, “Conduct parallel testing, internal and external”).

Connecting objects:

Swimlanes:

  • Pool - represents a participant in the process, such as “Manufacturer”.
  • Lane - represents sub-participants or departments within a pool, such as “Regulatory Affairs”.

Artifacts:

  • Text Annotation - adds explanatory text to the diagram (for example, “NB assessment not required for achieving compliance under RED.”)

How to model the product compliance process

To model the CE marking process for an electrical product such as the fitness tracker (without a medical purpose) using BPMN, you can simplify the process slightly by focusing only on the directives and requirements relevant to non-medical devices.

Moreover, focus first on the foundations to ensure the diagram accurately represents the compliance workflow. You need to set up the structure and understand the scope of the process. Here's how to do it.

Where to start

First, identify the main participants in the process. Participants could be various departments within a company, such as Manufacturing, Quality Assurance (QA), Regulatory Affairs (RA), and external entities like Notified Bodies and testing laboratories. In BPMN, these participants are represented by pools and lanes. Pools represent major participants in a process, such as organizations, while lanes subdivide these pools into smaller units, indicating specific roles or functions within each participant.

Next, create the pool for the organization responsible for the compliance process. Inside this pool, define lanes for each department or role involved. For external entities, create separate pools to represent their activities.

Using Cardanit, you can easily build this participant diagram with intuitive drag-and-drop modeling and swimlane support. This speeds up setup and helps you model collaborative activities involving different departments more accurately.

Generally speaking, the BPMN diagram should include at least the following participants:

Internal

  • Product Development - assists RA in accurately identifying relevant directives and ensures that the product design considers all regulatory requirements from the start.
  • Regulatory Affairs - identifies and ensures compliance with all relevant EU requirements (directives and standards), compiles the technical documentation, and oversees the creation and signing of the Declaration of Conformity.
  • Quality Assurance - provides RA with knowledge about industry-specific standards and QA best practices, ensures that the product meets all relevant standards through testing and quality checks, manages the testing process, and contributes to compiling an accurate technical file (TF).
  • Manufacturing - ensures that the product is produced in line with the standards, handles the practical aspects of lab testing, and is responsible for applying the CE mark.

External

  • Third-party testing facilities - perform specialized testing that may not be feasible in-house.
  • Notified Body - provides an independent assessment of the product's compliance and sometimes issues the Declaration of Conformity.
  • Market authorities - responsible for approving market registration requests for specific types of products.

A BPMN diagram illustrating the main participants in the CE marking product compliance process

Due to the interconnected nature of the tasks involved in CE marking, roles and responsibilities often overlap. For example, an overlap can be observed between Regulatory Affairs and Quality Assurance. Both departments compile the technical documentation and manage the creation of the Declaration of Conformity. RA provides the legal and regulatory perspective, ensuring all documents meet EU requirements. QA, on the other hand, supplies test results, risk assessments, and compliance reports necessary for the technical file.

The role overlap can be managed effectively through clear role definition, strong communication, detailed process mapping, and robust project management practices.

Going into detail

Once the pools and lanes are established, you can begin with the Start Event. This event signifies the beginning of the product compliance process. A common starting point is "CE marking process initiated," which triggers the sequence of activities needed for compliance.

After defining the Start Event, outline the major phases of the process. These phases can be identified as Call Activities that reference predefined “child” processes in other diagrams. For example, Call Activities will include "Directives identification," "Lab testing," and "Technical documentation creation." An alternative to Call Activities is Subprocesses. However, it’s better to use the former to avoid cluttering the process model with images. Call Activities also help improve the readability of the map and simplify the mapping work.

Then, in separate diagrams, detail the individual tasks related to each “child” process referenced by a Call Activity in the main diagram. For instance, in regard to the "Directives identification" process, tasks often include:

  • "Conduct initial research"
  • "Review product specifications"
  • "Identify directives"
  • "Document findings"
  • "Verify compliance requirements"
  • "Internal review"
  • “Finalize directives list”

A BPMN diagram illustrating the process of identifying directives and regulations for compliance with the CE marking legislation

Use the BPMN element Tasks to represent these actions and connect them sequentially to reflect the workflow.

Incorporate gateways to manage decision points. Exclusive Gateways can direct the flow based on conditions, such as whether a product falls under multiple directives or requires external testing. These gateways ensure the process follows the correct path based on specific criteria.

Model the data flow

As you map out the tasks, consider including Data Object References to illustrate documents or information generated, modified, or required by tasks. These represent graphical references to the abstract entities called Data Objects, allowing you to draw several references that point to the same Data Object. In regard to the CE process, Data Object References facilitate the documentation and tracking needed for each step, ensuring thorough compliance and efficient process management.

For instance, during the "Compile technical documentation" process, data objects might include design documents, test reports, and compliance checklists. To show their relevance, connect these data objects to their respective tasks using Data Associations.

Moreover, various documents are stored and managed throughout the entire product compliance process. You can use a Data Store Reference called “Document repository” to visualize where the data is kept in the BPMN diagram.

The finish line

Throughout the modeling process, ensure that the flow of activities is logical and reflects real-world practices. Sequence Flows should connect tasks in the order they’re performed, illustrating the progression from one activity to the next.

Use End Events to signify the completion of each “child” process and the entire CE marking process. For instance, the final End Event could be "CE marking achieved," indicating that the product is fully compliant and market-ready.

A BPMN diagram illustrating all the steps in the entire CE marking product compliance process

In summary, by identifying participants, structuring pools and lanes, defining the start event, and mapping out “child” processes and tasks, you can create a comprehensive BPMN model that accurately represents the CE marking compliance process. This approach ensures clarity, consistency, and a thorough understanding of the workflow, facilitating effective management and execution of compliance activities.

Potential deadlocks

In process mapping, avoiding deadlocks ensures smooth and efficient workflows. Deadlocks occur when a process gets stuck and cannot proceed to the next task, typically due to incorrect configurations of gateways or incomplete paths.

Correct gateway configuration

To prevent deadlocks, ensure that gateways are configured correctly.

Exclusive Gateways route the process flow based on conditions that must be mutually exclusive. For instance, if you have an Exclusive Gateway deciding between in-house testing and external lab testing, the conditions must be set so that only one path is taken based on the criteria defined.

Furthermore, be very mindful of Parallel Gateways. They’re more often the cause of deadlocks. All the sequence flows entering a Parallel Gateway must be “active” before the process can proceed.

It’s a good idea to always set a default condition so that no gateway is left without an exit.

Paths leading to End Events or Tasks

It’s essential to ensure that all possible paths lead to an End Event or another task, avoiding orphaned tasks with no follow-up actions. For instance, after the lab testing is completed, the process should either move to compile technical documentation or return for re-testing if the product fails the compliance check.

In the BPMN model, this can be visualized by ensuring every gateway decision has a clear outcome, leading to subsequent tasks like compiling documentation, creating the Declaration of Conformity, or applying the CE mark.
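
The checks from this section, as an added example that is not part of the original article or of Cardanit: a small Python linter over BPMN 2.0 XML that flags an Exclusive Gateway without a default flow, a Parallel Gateway join fed by an Exclusive Gateway split, and flow nodes that dead-end before an End Event. The sample process, its element ids and the rule names are constructed for illustration, and only the top-level flow nodes of each process are examined.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://www.omg.org/spec/BPMN/20100524/MODEL}"

# Constructed sample: a simplified CE marking flow with three modeling defects.
SAMPLE = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
             targetNamespace="urn:example:ce-marking">
  <process id="ce_marking">
    <startEvent id="start" name="CE marking process initiated"/>
    <task id="identify" name="Identify applicable directives"/>
    <exclusiveGateway id="gw_test" name="In-house or external lab?"/>
    <task id="inhouse" name="In-house testing"/>
    <task id="external" name="External lab testing"/>
    <parallelGateway id="join_par"/>
    <task id="compile" name="Compile technical documentation"/>
    <exclusiveGateway id="gw_pass" name="Compliant?" default="f9"/>
    <task id="doc" name="Create Declaration of Conformity"/>
    <task id="apply" name="Apply CE mark"/>
    <task id="retest" name="Prepare re-test"/>
    <endEvent id="end" name="CE marking achieved"/>
    <sequenceFlow id="f1" sourceRef="start" targetRef="identify"/>
    <sequenceFlow id="f2" sourceRef="identify" targetRef="gw_test"/>
    <sequenceFlow id="f3" sourceRef="gw_test" targetRef="inhouse"/>
    <sequenceFlow id="f4" sourceRef="gw_test" targetRef="external"/>
    <sequenceFlow id="f5" sourceRef="inhouse" targetRef="join_par"/>
    <sequenceFlow id="f6" sourceRef="external" targetRef="join_par"/>
    <sequenceFlow id="f7" sourceRef="join_par" targetRef="compile"/>
    <sequenceFlow id="f8" sourceRef="compile" targetRef="gw_pass"/>
    <sequenceFlow id="f9" sourceRef="gw_pass" targetRef="doc"/>
    <sequenceFlow id="f10" sourceRef="gw_pass" targetRef="retest"/>
    <sequenceFlow id="f11" sourceRef="doc" targetRef="apply"/>
    <sequenceFlow id="f12" sourceRef="apply" targetRef="end"/>
  </process>
</definitions>"""


def nearest_split(node, incoming, outgoing):
    """Walk backwards along single-predecessor chains to the closest
    node with more than one outgoing flow (the split feeding a branch)."""
    seen = set()
    while node not in seen:
        seen.add(node)
        if len(outgoing[node]) > 1:
            return node
        if len(incoming[node]) != 1:
            return None
        node = incoming[node][0]
    return None


def lint(xml_text):
    """Return a sorted list of (node_id, rule) findings."""
    findings = set()
    for proc in ET.fromstring(xml_text).iter(NS + "process"):
        nodes, incoming, outgoing = {}, defaultdict(list), defaultdict(list)
        for el in proc:
            tag = el.tag.replace(NS, "")
            if tag == "sequenceFlow":
                outgoing[el.get("sourceRef")].append(el.get("targetRef"))
                incoming[el.get("targetRef")].append(el.get("sourceRef"))
            elif tag in ("callActivity", "subProcess") or \
                    tag.lower().endswith(("task", "event", "gateway")):
                nodes[el.get("id")] = (tag, el.get("default"))
        for node, (tag, default) in nodes.items():
            # Every path must reach an End Event or another task.
            if tag != "endEvent" and not outgoing[node]:
                findings.add((node, "DEAD_END"))
            # A diverging Exclusive Gateway needs a default exit.
            if tag == "exclusiveGateway" and len(outgoing[node]) > 1 and not default:
                findings.add((node, "XOR_NO_DEFAULT"))
            # A Parallel join waits for every incoming flow; an Exclusive
            # split upstream activates only one of them, so the join stalls.
            if tag == "parallelGateway" and len(incoming[node]) > 1:
                splits = {nearest_split(s, incoming, outgoing) for s in incoming[node]}
                if any(s in nodes and nodes[s][0] == "exclusiveGateway" for s in splits):
                    findings.add((node, "AND_JOIN_AFTER_XOR"))
    return sorted(findings)


if __name__ == "__main__":
    for node, rule in lint(SAMPLE):
        print(f"{rule}: {node}")
```

The join check is a heuristic that only follows straight-line branches back to their split; models with nested gateways inside a branch need a full token-flow analysis.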

Optimization areas

Optimizing the CE marking process in BPMN could involve streamlining tasks, utilizing parallel processing, and incorporating automation where possible.

Parallel Gateways for simultaneous tasks

Parallel Gateways can handle tasks that can be performed simultaneously, reducing the overall time required for the CE marking process. For instance, technical documentation creation and initial product testing can occur in parallel in our fitness tracker example. To illustrate this in the BPMN model, you can place a Parallel Gateway after identifying the relevant standards, branching into simultaneous tasks for compiling preliminary documentation, and conducting in-house testing. This approach has the potential to cut down the time to market significantly.

Service Tasks for automation

Implementing Service Tasks for automated compliance checks and document creation can enhance efficiency. For example, a Service Task can illustrate an automated step that verifies whether the fitness tracker meets specific standards and prepares the necessary documentation. This reduces manual errors and clearly defines responsibilities.

In Cardanit, you can model Service Tasks as part of your BPMN diagram and simulate compliance-check durations to better understand and optimize time-critical steps. This helps teams plan for delays, bottlenecks, or dependencies even if the actual automation happens outside the platform.

Eliminating redundant tasks

Identifying and eliminating redundant tasks or combining similar tasks helps streamline the process. For example, several departments have tasks related to the identification of EU directives and standards:

  • Regulatory Affairs identifies applicable EU directives and standards.
  • Product Development provides detailed product information to help determine the applicable directives and standards.
  • Quality Assurance provides Regulatory Affairs with knowledge of industry-specific standards based on the identified directives.

Combining these into a single, well-coordinated Task called “Identify applicable directives and standards” can save time and resources. This task involves a cross-functional team from Regulatory Affairs, Product Development, and Quality Assurance working together to simultaneously identify all relevant directives and standards. By sharing information and expertise, they can ensure all aspects are considered, reducing redundancy and improving accuracy.

Regular process review and update

Regularly reviewing and updating the BPMN model to incorporate feedback and changes in regulatory requirements is crucial for maintaining compliance and process efficiency. With Cardanit’s version history and cloud-based collaboration, teams can track updates over time and ensure that everyone works from the latest compliant version.

In the BPMN model, you can use a feedback loop with scheduled periodic reviews. A Task labeled "Review and update process" can feed back into earlier stages, ensuring that changes are incorporated into the process promptly.

Common pitfalls in the CE marking process

Despite best intentions, many manufacturers encounter the same roadblocks when managing their CE product compliance process. Below are some common pitfalls and how to avoid them.

Prioritizing design over compliance

Many teams focus heavily on prototype functionality while treating regulatory requirements as an afterthought. This can result in:

  • Late-stage redesigns
  • Missed deadlines
  • Delayed market entry

To avoid that, start compliance research early. Involve Regulatory Affairs in the design phase and seek expert guidance before development begins.

Underusing available tools

Efficient use of technology can significantly enhance compliance processes by supporting tasks such as compliance checks, document preparation, and data analysis. However, many organizations still rely on manual methods or underuse the tools available, which increases the risk of errors and inefficiencies.

While full automation may happen outside your modeling tool, using a BPMN platform like Cardanit helps streamline workflows and improve accuracy by visually structuring each step of the process, ensuring nothing is overlooked when working toward EU requirements.

Weak risk management

Skipping or rushing risk analysis can result in non-compliance. Many companies overlook:

  • Risk assessments during testing
  • Risk mitigation actions
  • Ongoing risk documentation

Build a risk management file from the start, and treat it as a living document, not a checkbox.

Falling behind on regulatory changes

Regulations evolve, and if your internal processes don’t keep pace, you risk falling out of compliance, even if your diagrams are up to date.

Best practices include:

  • Assigning someone to monitor updates
  • Building review checkpoints into your compliance process
  • Keeping all stakeholders aligned and informed of changes

With Cardanit’s version tracking, you can monitor updates to your BPMN models over time. But to stay truly compliant, it’s crucial to translate those model changes into real actions, ensuring that updated procedures are understood and carried out by the teams involved.

Managing GRC processes with Cardanit

A BPMN model and a process flow simulation heatmap created in Cardanit

Cardanit, our online BPMN tool, has robust process modeling features and simulation capabilities that can help improve any GRC process. Cardanit also has a wide range of templates for different needs, among which you can also find the process map for achieving EU compliance.

Firstly, its flow simulation feature helps visualize the entire process, helping to identify bottlenecks in steps such as lab testing or documentation compilation. This ensures a smooth progression from initial product design to final product marking and labeling.

Secondly, the time simulation feature aids in estimating project timelines by simulating the time required for each step. For example, if an NB assessment is anticipated to take six months, time simulation helps schedule this task appropriately within the overall project timeline, ensuring that deadlines are met.

Moreover, when it comes to process modeling, users can benefit from a number of features - for example:

Auto Layout

Automatically arranges BPMN diagrams for optimal readability, helping users follow complex flows and spot issues, especially useful when multiple directives are involved.

Version History

Tracks changes over time, which is essential for keeping models aligned with evolving regulatory requirements.

Drag-and-drop interface

The intuitive design simplifies the creation and editing of BPMN diagrams, making it easy to add tasks like risk management or PMS and accelerate the modeling process.

Automatic report generation

Saves time and ensures consistency in process documentation, which is critical for internal reviews and audits.

Additionally, Cardanit is cloud-based, which facilitates real-time collaboration among team members. For example, as the Regulatory Affairs team identifies applicable standards for the fitness tracker, the QA team can simultaneously prepare for compliance testing, ensuring alignment and efficiency.

Overall, Cardanit helps manufacturers ensure timely compliance and a streamlined path to market for their products.

In conclusion

Mastering the CE marking compliance process is important for manufacturers aiming to market their products in the EEA. Through the steps we’ve outlined above, it’s clear that the process has many key areas that shouldn’t be overlooked. Using BPMN for managing GRC processes helps in visualizing and optimizing such areas, reducing the risk of errors and inefficiencies. Moreover, leveraging Cardanit's process modeling and simulation capabilities can significantly improve the compliance process, allowing manufacturers to navigate the regulatory landscape more effectively and ensure their products meet all EU requirements and reach the market without delays.

Andrea

Andrea is the collective pseudonym for the group of people working behind Cardanit, the Business Process Management Software as a Service of ESTECO. The group has different backgrounds and several decades of experience in fields varying from BPM, BPMN, DMN, Process Mining, Simulation, Optimization, Numerical Methods, Research and Development, and Marketing.


People also ask

What’s the difference between CE compliance mapping and other GRC activities?

While general GRC covers a wide range of organizational governance, risk management, and compliance activities, CE compliance mapping focuses specifically on product-level conformity with EU directives. It involves structured documentation, product testing, and technical validation steps tailored to regulatory requirements for market approval. BPMN can support both, but in CE compliance, it's especially useful for managing the sequential, directive-driven nature of the process.

How can Cardanit help map compliance workflows?

Cardanit simplifies compliance mapping through intuitive BPMN modeling and advanced process simulation features. You can identify bottlenecks, estimate certification timeframes, and collaborate in real time with your team.

Where do I start if I want to model my CE process with Cardanit?

You can start by using our CE compliance process template available directly from your Cardanit dashboard. It guides you through each phase, from directive identification to post-market surveillance.
