Introduction to the goal-based approach
Achieving compliance, regardless of whether it concerns a formal standard, procedure or technical requirements, generally takes place in three phases. In the first phase, the standard and requirements are defined. The next phase is achieving conformance, which results in evidence that the requirements are met. The evidence is then subject to review and evaluation in the last phase, which leads to confirmation of conformance. Depending on the standard and the assessing party, the result may be a certificate.
Different persons and institutions may be involved in all the phases of the conformance process. The phase of producing evidence is usually carried out by the user of the standard, but a third party, auditors or testing departments of certification bodies may be involved in the case of product or facility certification.
In practice, this is usually a complex process that requires meeting different compliance goals and a large number of requirements in a way that depends on the specifics of the organization, processes, technology, and other factors. During preparation for assessment or certification, many questions arise, such as whether we are to gather all required evidence of compliance, whether specific goals have been met, whether the information we have is current, and how we manage risks, deviations, hazards and other issues. These problems become more difficult when we work with systems or critical infrastructure in industries such as energy, transport, aviation, the chemical industry or medical devices. The need to ensure correctness, consistency and verifiability is becoming one of the main issues in conformance management. One way to manage such problems is systematic goal-oriented conformance management.
The basic assumption of the goal-based approach is to manage, in a systematic and consistent way, the relations between goals, the required properties of processes and products, and finally the evidence that has to be presented to justify that a goal has been accomplished. The scope of information is broad and can cover organization, management, processes, products and tools, knowledge and other aspects. What is more, the information can come from different sources and have different formats and levels of detail, and we should still have a common approach to managing it.
Another aspect is how we achieve conformance goals. Some standards define only goals or general requirements, and we have to decide how to satisfy them. The way you plan to implement a specific goal in your organization is your “implementation strategy”. In some cases the standards and regulations define quite precisely how we should proceed, but even then we have to decide on the specific way of implementation. If we work from wrong assumptions or do not select the right strategy for implementing a goal, we may invest a lot of effort only to learn that we have missed the target. For that reason it is important to decide carefully on implementation strategies and to present them for validation.
Collecting all required information on compliance requires a systematic approach. In general the process starts with conformance goals. The main goals should be decomposed into sub-goals depending on the standards we want to conform to and on our strategies for satisfying the given standard, regulation or other goal. The goal decomposition process can be quite complex and take many steps and decisions. High-level goals are usually decomposed into low-level goals related to operational processes or products. These are further decomposed into detailed requirements for particular activities or product properties, such as product testing. It may take weeks to specify conformance goals for a system or process down to the level of detailed requirements. The final step of conformance planning is to specify what evidence is required and how it should be evaluated.
Both evidence and strategies should be evaluated when checking conformance. In short, the evaluation process has two goals, that is, to evaluate:
- if the evidence we have is right and
- if we have the right evidence (and that requires the strategies to be sound).
Each step of goal decomposition should be clear and well founded. This gives the possibility to track and verify every step of the process both ways from the top level conformance goals to detailed requirements and supporting evidence.
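The decomposition, the two evaluation questions and the two-way tracing described above, sketched as an added Python example (it is not part of the original text and is not a model of the NOR-STA platform). The class names, goal ids and evidence names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Evidence:
    ref: str           # where the artefact is stored
    accepted: bool     # a reviewer judged this evidence to be right
    valid_until: date  # after this date it is no longer current

@dataclass
class Goal:
    gid: str
    strategy: str = ""  # why the sub-goals are sufficient for this goal
    subgoals: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

def evaluate(goal, today, path=()):
    """Top-down check: list (trace, problem) findings; an empty list means met."""
    path += (goal.gid,)
    trace, findings = " > ".join(path), []
    if goal.subgoals and not goal.strategy:    # do we have the right evidence?
        findings.append((trace, "decomposition has no stated strategy"))
    if not goal.subgoals and not goal.evidence:
        findings.append((trace, "no evidence specified"))
    for ev in goal.evidence:                   # is the evidence we have right?
        if not ev.accepted or ev.valid_until < today:
            why = "out of date" if ev.accepted else "not accepted"
            findings.append((trace, f"{ev.ref} {why}"))
    for sub in goal.subgoals:
        findings += evaluate(sub, today, path)
    return findings

def trace_up(goal, ref, path=()):
    """Bottom-up trace: the chain of goals that one evidence item supports."""
    path += (goal.gid,)
    if any(ev.ref == ref for ev in goal.evidence):
        return list(reversed(path))
    for sub in goal.subgoals:
        if found := trace_up(sub, ref, path):
            return found
    return []

# Constructed sample tree; goal ids and evidence names are invented.
TODAY = date(2024, 6, 1)
TREE = Goal("G1", "argue over each clause of the standard", [
    Goal("G1.1", "", [  # decomposed, but the strategy was never written down
        Goal("R1", evidence=[Evidence("test-report-7", True, date(2025, 1, 1))]),
        Goal("R2", evidence=[Evidence("review-2023Q1", True, date(2023, 6, 30))])]),
    Goal("G1.2", "argue over each log source", [Goal("R3")])])
```

Calling `evaluate(TREE, TODAY)` reports the unstated strategy at G1.1, the expired evidence under R2 and the requirement R3 that has no evidence, each with its path from the top goal.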
In fact, we intuitively follow this process when working on conformance, but the knowledge of the relations between goals, requirements and evidence is often scattered across different applications and Excel files, kept on paper, and sometimes held only in our heads. We use the NOR-STA software platform to keep this information in one place, even when we work on conformance to many standards or have our own specific goals.
When you apply the goal-based approach to manage conformance you have to explicitly specify relations between goals, requirements and evidence. This gives you traceability of all elements in the conformance process and high verifiability of achieved goals.
We will describe it step by step starting with the simplest scenarios.