Compliance: Scope

Compliance scope defines the boundaries within which an organization's quality obligations apply — which processes, products, facilities, personnel, and suppliers fall under a given regulatory or standards requirement. Determining scope is a foundational step in any quality management program because an incorrectly drawn boundary can leave regulated activities unexamined or draw audit scrutiny to areas outside a program's actual mandate. This page covers how scope is defined, how it functions within compliance frameworks, the scenarios where scope boundaries become operationally significant, and the decision rules used to expand or contract those boundaries.

Definition and scope

In compliance practice, "scope" refers to the defined universe of entities, activities, and outputs to which a specific standard or regulation applies. The International Organization for Standardization (ISO) treats scope as a formal element of every management system standard: ISO 9001:2015, Section 4.3, requires an organization to determine the boundaries and applicability of its quality management system and to document that determination.

Scope has two structural dimensions:

  1. Organizational scope — which legal entities, business units, sites, and personnel are covered
  2. Product/process scope — which product lines, manufacturing steps, service categories, or design activities are included

A compliance scope statement answers four questions: What is being controlled? Where does the obligation apply? Who is responsible? Which regulatory instruments govern?

The U.S. Food and Drug Administration's Quality System Regulation at 21 CFR Part 820 (since updated as part of the Quality Management System Regulation final rule) applies to manufacturers of finished devices — a product-class boundary that explicitly excludes component manufacturers unless they also produce finished devices. That precision is characteristic of how regulators operationalize scope.

The full compliance standards overview provides the vertical and horizontal framing within which scope decisions sit.

How it works

Scope determination follows a structured sequence. Executing it out of order — for example, selecting control activities before mapping the regulatory triggers — is one of the most frequent root causes of scope gaps identified during third-party audits.

Step 1 — Identify applicable regulatory instruments. Map the product or service category against governing statutes, agency regulations, and voluntary standards. For U.S. manufacturers, this typically includes FDA, OSHA, EPA, and applicable industry standards such as ISO 9001 or AS9100.

Step 2 — Define the legal and physical boundary. Specify which legal entity and which physical locations are inside the scope. Multi-site organizations may seek a single ISO 9001 certificate covering all sites or separate certificates per facility — a choice that carries audit and cost implications.

Step 3 — Enumerate included and excluded processes. Not all clauses of a standard apply to every organization. ISO 9001:2015 permits exclusions only for requirements in Section 8 where the organization neither performs the relevant function (e.g., design and development) nor produces the relevant product. Exclusions must be justified and documented.

Step 4 — Map supplier and subcontractor boundaries. Regulatory scope commonly extends to critical suppliers. The supplier quality compliance framework determines how far external-party obligations reach.

Step 5 — Document and approve the scope statement. The scope statement becomes a controlled document. Changes to it trigger change-control procedures under standards such as ISO 13485:2016 for medical devices.

Step 6 — Review at defined intervals. Business changes — new product lines, new facilities, mergers — may alter scope. ISO 9001:2015 Section 9.3 (management review) specifically lists changes in external and internal issues as inputs to be evaluated.

Common scenarios

Scenario A — Expanding scope to cover a new product line. A medical device manufacturer adding a Class II device must determine whether the existing 21 CFR Part 820 / QMSR-compliant system covers the new product or whether design controls, risk management (per ISO 14971:2019), and a new 510(k) submission alter the system's scope.

Scenario B — Geographic expansion. A company operating one FDA-registered facility that opens a second manufacturing site must assess whether the second site triggers a new registration, whether the existing quality management system certificate extends to that site, and whether state-level requirements (e.g., California's CDPH regulations) create parallel obligations.

Scenario C — Outsourced manufacturing. When a brand-owner outsources production to a contract manufacturer, FDA's definition of "manufacturer" in 21 CFR Part 820.3(o) may still attribute regulatory responsibility to the brand-owner. Scope cannot be delegated away simply by contracting out production.

Scenario D — Software as a medical device (SaMD). FDA's Digital Health Center of Excellence has published guidance indicating that certain software functions meet the statutory definition of a medical device, drawing them into QMSR scope even when the developer has no physical manufacturing operation.

Decision boundaries

Scope decisions are not binary pass/fail choices — they involve graduated risk assessments. The key decision boundaries include:

Scope misalignment between the quality management system certificate and the actual regulatory obligation is a recurring finding in FDA Warning Letters and ISO certification audits. The qc-regulatory-framework-us page details the agency-level instruments that drive these determinations.
