Understanding Roles & Processes in ISO 13485:2016
What is a role and how does it connect to processes?
The 2016 edition is much more complicated than the 2003 edition so here is a little help to make things a little more understandable.
In ISO 13485:2016 there are many new terms, definitions, and requirements compared with the 2003 edition.
"First, a stab of the ISO bureaucrats… who conjured up this wish list of roles… Not all companies are HUGE! Most are startups or small innovation companies and there are no extra “bodies” floating around waiting for work (government departments excepted). So when they describe CEO then label the Management as a senior Management Representative, that kind of label is redundant. You don’t need separate roles for CEO and Management Representative… that’s just duplication. It does not explain things better, it just confuses things more… but that’s ISO…"
Below we will try to explain the best way to understand “roles” so it is not so confusing. However, remember the 1st rule of QMS:
“If it’s not documented, it does not exist”.
And the 2nd rule,
“Whatever your document, is what counts”.
"So word of advice.
DOCUMENT THE WAY YOU WANT IT TO WORK!"
Definitions of roles and processes
The ISO 13485:2016 says: “4.1.2 The organization shall determine the processes needed for the quality management system and the application of these processes throughout the organization taking into account the roles undertaken by the organization.”
One of the main new items are roles and their connection to processes. It is not that roles are new, but that roles should now be understood in reference to specific processes. That is, how a role is connected to a particular process.
A role is not a job within the organization. Rather a person can have a particular job but they play a role within that process. That is the part where a role meets a process. They would play a role in the process if that process related to their job function or area of responsibility.
So what is a process?
By the ISO handbook: a process is a set of coherent activities that transforms an input (anything received by the process whether it’s transforming or not) to output (the result of the process, like a product or advice).
Juran and Hammer[1] (ref. ISO 9000 Quality Systems Handbook, the 4th edition by David Hoyle, gave the same definition, but the difference is that Hammer added value to output for a customer. Davenport[2] combined and sublimated Juran's and Hammers's definition and said: “A process is a structured measured set of activities designed to produce a specified output for a particular customer or market.”
"...a process is a set of coherent activities which transforms input..."
Today every process needs a purpose that gives a reason for its existence.
A good definition of processes if found in ISO 9000 Quality Systems Handbook, where there are 3 types of processes:
- Processes that convert inputs into outputs without adding value (example: a distributor who bills shop supplying with goods, without adding plus value to those goods)
- Processes that convert inputs into outputs with perceived added value for the internal customer, but no added value for external parties (example: the maintenance in a factory who takes care about the machines from damages, but doesn’t add value to the final product)
- Processes that convert inputs into outputs of added value for the external interested party (example: producing vaccines against deadly diseases for saving the health of humanity)
Connecting Roles and Processes
A simple example to show the connection between role and process is an HR manager. They have a role in reviewing the process to welcome new employees that might have been hired by a Unit Manager (department manager, or Team Leader, or even the HR Manager themselves).
In the new employee process (you define for your own situation), the new employee would go through various tasks, such as Getting ID card, getting a Key, completing the Employment Info form, etc. which together would form the New Employee Process. The last task would trigger a QMS event, which would then flag the Process as needing a QMS review by the HR Manager. The HR manager would validate that all tasks are done correctly. If required, they would then initiate any subsequent processes, for example, New Employee Training. The QMS manager would do the final approval that it was done correctly.
Essentially companies can now define, then assign, different roles to different people based on the company’s needs, size, and organization. This must be documented of course.
So what does this mean in English (ISO bureaucratize is a language few of us understand)? Let see what is it and how does it work.
If a person in an organization gets a defined role, it means he/she has the role to authenticate a process. Multiple roles can be assigned to a single person, provided of course they are not “managing themselves” or are otherwise in a conflict of interest.
Some Jobs in a company are clearly Jobs and not roles. For example, a CEO is a CEO (there is only one per company). However, the CEO in a small 12-person company can also be the HR Manager, the Purchasing Manager, and the CTO, or chief technical officer (we prefer the use of the term PTO or Project Technical Office). The CEO is also, by default the Management Representative.
As companies have more people, fewer roles should be assigned to any one person, otherwise, the company would become unmanageable.
Roles inside an organization are new in the world of ISO 13485 and they must be documented to meet applicable regulatory requirements (as with everything else according to new ISO 13485:2016.
Define the roles for your company based on the size and processes you need.
I hope we could help clear the terms role and process which follows you in the whole ISO 13485:2016.
Good luck!