Compliance: Scope
Compliance scope defines the precise boundaries within which regulatory obligations, quality standards, and internal controls apply to an organization or product line. Determining scope incorrectly — either too narrow or too broad — creates material exposure: under-scoping leaves regulatory gaps that invite enforcement action, while over-scoping consumes resources on activities that generate no measurable risk reduction. This page examines how scope is defined, the mechanisms that govern its application, the scenarios where boundaries become contested, and the decision rules used to classify activities as in-scope or out-of-scope.
Definition and scope
In quality and regulatory compliance, "scope" refers to the documented set of products, processes, sites, personnel, and activities to which a given standard or regulatory requirement applies. The ISO 9001 Quality Management System standard requires organizations to explicitly define the scope of their quality management system as a formal documented statement (ISO 9001:2015, §4.3), identifying what is included and providing justified exclusions for any requirements deemed inapplicable.
Regulatory bodies apply scope definitions differently depending on the sector. The U.S. Food and Drug Administration uses product classification and facility registration to establish the scope of its quality system requirements — for example, 21 CFR Part 820 (the Quality System Regulation, now being harmonized with ISO 13485 under the forthcoming QMSR rule) applies specifically to manufacturers of finished medical devices intended for commercial distribution in the United States. The Occupational Safety and Health Administration applies its standards at the establishment level, with scope determined by industry classification code and the nature of the hazard, not by the company's internal org chart.
Three core dimensions define compliance scope in practice:
- Subject matter — which requirements, standards, or regulations apply (e.g., GMP, AS9100, IATF 16949)
- Organizational boundary — which legal entities, sites, business units, or personnel are covered
- Temporal boundary — the effective dates, transition periods, and sunset clauses that bound applicability
How it works
Scope determination follows a structured sequence that mirrors the general compliance process framework used across regulated industries.
- Regulatory trigger identification — Identify which laws, regulations, and standards are potentially applicable based on product type, industry sector, and geographic market. For a U.S.-based aerospace parts manufacturer, this might include AS9100 Rev D, FAA Order 8130.21, and OSHA 29 CFR 1910.
- Applicability analysis — Evaluate each requirement against the organization's actual operations. ISO 9001:2015 §4.3 instructs that exclusions are permissible only when inapplicable requirements do not affect the organization's ability to ensure product or service conformity.
- Boundary documentation — Record the scope statement in the quality management system, typically in the Quality Manual or an equivalent controlled document, specifying included locations, product lines, and activities.
- Gap mapping — Compare the defined scope against existing controls to identify coverage gaps. This step directly feeds internal audit planning.
- Scope change management — Any modification to products, services, or processes that could alter applicability must trigger a formal scope review, governed by the organization's change-control procedures.
Common scenarios
Medical device manufacturing — A contract manufacturer producing a component that becomes part of a finished device may discover mid-project that FDA considers it a "specification developer" under 21 CFR Part 820, placing the full QSR scope on its operations rather than just the supplier provisions. The regulation defines "manufacturer" broadly enough to capture this scenario.
Multi-site certification — Under ISO 9001:2015, a company with 3 manufacturing sites and 1 corporate primary location may include all 4 in a single certificate scope or maintain separate scopes per site. The choice affects third-party audit scheduling, the supplier quality obligations passed downstream, and the language that can appear on certificates of conformance.
Software and digital products — Compliance scope for software quality assurance is particularly contested. FDA's 2022 draft guidance on Software as a Medical Device (SaMD) introduced a risk-based tiering approach that determines whether a software product falls within device regulation scope at all, based on its intended use and the significance of the decisions it supports.
Healthcare settings — Hospitals subject to The Joint Commission accreditation must define scope in terms of the care settings, service lines, and patient populations covered. Scope misalignment between Joint Commission standards and CMS Conditions of Participation (42 CFR Part 482) is a documented source of survey findings.
Decision boundaries
The central decision in scope management is the in/out classification. Two contrasting approaches govern how organizations make this determination:
Risk-based scoping treats applicability as a function of potential harm. Risk-based compliance in QA frameworks prioritizes including all activities where a failure could result in patient harm, product nonconformance, or regulatory violation. Under this model, a low-volume prototype line used for R&D might be excluded from GMP scope only if documented evidence confirms it never feeds commercial product.
Prescriptive scoping treats applicability as a function of defined criteria in the regulation itself, with no discretion allowed. OSHA's Process Safety Management standard (29 CFR 1910.119) applies automatically to any covered process using a threshold quantity of a listed highly hazardous chemical — the employer's risk assessment does not override the regulatory trigger.
Scope exclusions must be defensible, not merely convenient. Regulatory agencies and third-party auditors scrutinize exclusion rationale: an exclusion that reduces audit burden without a documented technical or operational justification is a finding risk. The quality assurance requirements that govern exclusion documentation typically call for written justification, management approval, and periodic revalidation to confirm that the basis for the exclusion still holds.