Process Framework for Compliance
A process framework for compliance defines the structured sequence of activities, controls, and verification steps an organization must execute to satisfy regulatory requirements and quality standards. This page covers the boundaries, exclusions, component interactions, and architectural structure of compliance process frameworks as applied to quality control operations in the United States. Understanding this framework is foundational to aligning internal quality systems with federal agency expectations, including those published by the FDA, EPA, and OSHA.
Boundaries of the Framework
A compliance process framework applies to any operational system where a regulatory body, standards organization, or contractual requirement mandates documented evidence of conformance. In U.S. quality control contexts, the framework's boundaries are defined by the intersection of three authoritative layers: federal statute, agency rulemaking, and adopted voluntary standards.
Federal rulemaking sets the outer boundary. For manufacturers, FDA 21 CFR Part 820 (FDA Quality System Regulation) establishes the minimum documented process requirements for medical device quality systems. For general industry, OSHA standards under 29 CFR Parts 1910 and 1926 define process safety and inspection requirements that intersect with quality control activities.
The framework's inner boundary is set by the scope of the quality management system itself. ISO 9001:2015, published by the International Organization for Standardization, defines that scope in clause 4.3, requiring organizations to determine which products, services, sites, and processes fall under the QMS. Any process outside that declared scope sits outside the framework's operational boundary — even if it affects product quality indirectly. The compliance scope of a given organization therefore determines which process steps are subject to documented control requirements.
Boundaries also shift by industry classification. Pharmaceutical manufacturers operating under FDA 21 CFR Parts 210 and 211 face current Good Manufacturing Practice (cGMP) requirements that extend the framework's reach into environmental monitoring, personnel qualification, and batch documentation — obligations not present in general manufacturing frameworks. This divergence between good manufacturing practice compliance and general ISO-aligned frameworks is a recurring decision point in scope definition.
What the Framework Excludes
A process compliance framework does not govern business strategy, product design intent, or commercial decisions — even when those decisions affect quality outcomes downstream. Design input requirements fall under design controls (FDA 21 CFR Part 820, Subpart C), which form a distinct regulatory category addressed separately in design control compliance.
The framework also excludes post-market surveillance activities unless those activities feed back into a defined corrective action or complaint handling process. Surveillance data that does not trigger a documented process step exists outside the framework's control loop.
Financial audits, employment law compliance, and environmental permitting (EPA Title 40 programs) operate on parallel regulatory tracks with their own documentation requirements. These intersect with quality compliance at specific points — such as hazardous material labeling under OSHA HazCom (29 CFR 1910.1200) — but the process framework does not absorb them wholesale.
One critical exclusion concerns supplier activities upstream of the organization's defined receiving inspection point. Once materials pass an accepted incoming inspection gate, they enter the framework. Before that gate, supplier quality obligations are governed by contractual flow-down and supplier qualification programs, which are a distinct functional domain covered under supplier quality compliance.
How Components Interact
The compliance process framework operates as a closed-loop system. Inputs enter through defined acceptance criteria and are processed through controlled procedures, and outputs are verified before release. Failures detected at any verification point generate nonconformance records that route through corrective action processes before the loop closes.
The interaction sequence follows this structure:
- Input definition — Specifications, regulatory requirements, and customer requirements are translated into documented acceptance criteria (see acceptance criteria compliance).
- Process execution — Controlled procedures govern how work is performed, by whom, and under what conditions. Personnel qualification records link to training requirements.
- In-process monitoring — Statistical process control charts, inspection checkpoints, and calibrated measurement equipment provide real-time conformance data. NIST Handbook 44 and ISO/IEC 17025 govern metrology requirements relevant to this layer.
- Output verification — Final inspection, testing, and release decisions are documented against predefined criteria.
- Nonconformance routing — Any output failing verification triggers a documented nonconformance report (NCR) per nonconformance reporting requirements.
- Corrective and preventive action (CAPA) — Root cause analysis and systemic corrections are documented, tracked, and verified for effectiveness per FDA 21 CFR 820.100.
- Management review — Aggregated data from all prior steps feeds periodic review processes that assess framework performance and drive process improvement.
The critical distinction between corrective action and preventive action is regulatory in origin: corrective action addresses detected nonconformances, while preventive action addresses potential nonconformances identified through risk analysis. ISO 9001:2015 clause 10.2 addresses both, though the FDA's QSR maintains them as separate procedural requirements in 21 CFR 820.100.
The Structural Framework
The structural architecture of a compliance process framework organizes all required activities into four functional tiers:
Tier 1 — Policy and Scope: Top-level quality policy, QMS scope declaration, and regulatory applicability mapping. Documents at this tier define what the organization is committed to and which regulatory requirements apply.
Tier 2 — Procedures: Documented instructions governing each controlled process. FDA 21 CFR Part 820 refers to these as Standard Operating Procedures (SOPs); ISO 9001:2015 uses the term "documented information." Both require that procedures be reviewed, approved, versioned, and accessible to relevant personnel — requirements addressed in document control compliance.
Tier 3 — Work Instructions and Forms: Granular task-level instructions and data capture forms that populate the quality record system. These are the primary evidence artifacts examined during regulatory inspections.
Tier 4 — Records: Completed documentation demonstrating that controlled processes were executed as required. Record retention periods are set by regulation — FDA 21 CFR Part 820 requires device history records to be retained for the expected life of the device or 2 years from release date, whichever is greater (21 CFR 820.186).
This four-tier structure aligns with the documentation hierarchy described in the quality management system compliance framework and forms the audit trail that regulatory inspectors and third-party auditors use to assess conformance. Each tier depends on the tier above it for authority and the tier below it for evidence.