Compliance: Standards Overview
Compliance within quality assurance defines the measurable relationship between an organization's practices and the requirements imposed by external standards bodies, regulatory agencies, or contractual frameworks. This reference covers the structural definition of QA compliance, the mechanisms by which conformance is established and verified, the sectors where specific standards apply, and the decision logic used to determine which framework governs a given operation. The distinctions between voluntary standards, mandatory regulations, and sector-specific codes carry direct operational and legal consequences across manufacturing, healthcare, software, aerospace, and food production.
Definition and scope
QA compliance is the condition in which an organization's documented processes, outputs, and records satisfy the requirements specified by an applicable standard or regulation. The scope of applicable requirements depends on three factors: the sector in which the organization operates, the jurisdiction in which it operates or sells, and any contractual requirements imposed by customers or prime contractors.
Standards fall into two structural categories:
- Voluntary consensus standards — developed by bodies such as the International Organization for Standardization (ISO) or the American National Standards Institute (ANSI), adopted by organizations either as a competitive signal or as a contractual condition. ISO 9001:2015, published by ISO, is the most widely adopted quality management system standard globally.
- Mandatory regulatory requirements — established through statute or agency rulemaking and enforceable by law. Examples include FDA 21 CFR Part 820 (Quality System Regulation for medical devices), FAA regulations under 14 CFR Part 21 for aircraft production approval, and USDA FSIS regulations governing food safety programs.
The regulatory framework governing a given operation determines whether noncompliance triggers administrative penalties, product recalls, loss of operating authority, or contract termination. In federal contracting, compliance with standards such as AS9100 (aerospace) or CMMI (software-intensive systems) is frequently a prerequisite for award eligibility.
How it works
Compliance is established, maintained, and verified through a defined sequence of activities:
- Gap analysis — The organization compares its existing documented processes against the requirements of the target standard or regulation to identify areas of nonconformance before a formal audit.
- System development — Policies, procedures, and work instructions are drafted or revised to close identified gaps. This includes maintaining a quality manual and controlled document hierarchy.
- Implementation — Processes are executed according to documented requirements, with objective evidence generated at each stage (records, inspection logs, training completions).
- Internal audit — Trained auditors within the organization conduct structured reviews against the standard's requirements. See internal audit procedures for scope and methodology.
- Corrective action — Nonconformances identified during audits are documented, root-caused, and resolved through a formal corrective action process before the next review cycle.
- Third-party certification or regulatory inspection — An accredited certification body or regulatory authority conducts an independent assessment. ISO 9001 certification, for instance, requires audit by a certification body accredited under the International Accreditation Forum (IAF) Multilateral Recognition Arrangement.
Ongoing compliance requires surveillance audits at intervals defined by the certifying body — typically annual for ISO 9001 — and recertification every 3 years under that standard.
Common scenarios
Healthcare and medical devices: Organizations manufacturing medical devices for the US market must comply with FDA 21 CFR Part 820, which mandates design controls, device history records, and complaint-handling procedures. The FDA's Quality Management System Regulation (QMSR), finalized in 2024 and aligning 21 CFR Part 820 with ISO 13485:2016, restructures these requirements. Noncompliance can result in warning letters, consent decrees, or import alerts.
Aerospace and defense: Prime contractors and their supply chains typically require compliance with AS9100 Rev D, the aerospace extension of ISO 9001 published by the International Aerospace Quality Group (IAQG). The IAQG's Online Aerospace Supplier Information System (OASIS) database is the authoritative registry for certified organizations in this sector. See aerospace and defense standards for detailed framework coverage.
Software and IT systems: CMMI (Capability Maturity Model Integration), administered by the CMMI Institute, provides a tiered maturity model across 5 levels used in defense and government software procurement. SEI originally developed CMMI; the CMMI Institute now governs appraisals and training.
Food safety: Organizations in food manufacturing operating in the US are subject to FDA Food Safety Modernization Act (FSMA) rules, including 21 CFR Part 117 (Current Good Manufacturing Practice and Hazard Analysis). Food safety standards under FSMA operate alongside voluntary frameworks such as SQF (Safe Quality Food) and BRCGS.
Decision boundaries
Determining which standard or regulation applies requires resolving four classification questions:
Voluntary vs. mandatory: If a federal statute or agency rule names the standard or equivalent requirements, compliance is mandatory. If the requirement originates solely in a customer contract or industry best-practice guidance, it is contractually binding but not legally mandated absent enforcement authority.
Single-standard vs. layered requirements: Sectors such as medical devices require simultaneous conformance to both regulatory requirements (FDA QMSR) and customer-specified standards (ISO 13485). Aerospace suppliers may face AS9100, customer-specific quality requirements (CSQRs), and NADCAP accreditation for special processes — all simultaneously.
Certification vs. compliance: Certification by an accredited third party is not synonymous with regulatory compliance. An organization can hold ISO 9001 certification and still be noncompliant with FDA requirements if its QMS does not satisfy the specific provisions of 21 CFR Part 820 or the QMSR. Certification documents conformance to the ISO standard only.
Scope of registration: ISO 9001 and AS9100 certificates specify a defined scope statement limiting which sites, product lines, or processes are covered. Operations outside the registered scope are not covered by the certificate, even within the same legal entity.
Risk management decisions, nonconformance reporting obligations, and corrective action timelines differ materially across these frameworks, making accurate classification a prerequisite for any compliance program design.