Compliance Requirement Matrix

by Alan Chow

From working in regulated industries over the years, I have seen plenty of quality system audits. Depending on the industry, noncompliant audit findings can be both embarrassing and costly.1 I believe one of the best pre-audit tools is the compliance requirements matrix (CRM). The beauty of the CRM is it can be used to verify requirements for any regulation.

A defense contractor I worked for hired an ex-Defense Contract Administration Services auditor for internal quality auditing. The auditor frequently asked me the same question: “Where do you meet this requirement?” His intent was that I demonstrate where and how the requirement was met in the quality system manual (QSM).

Of course his interest did not stop there. He also expected to see one or more examples of actual implementation, whenever it was appropriate. I would start by pulling the QSM, finding the correct procedure and showing the specific paragraph that addressed the requirement. This would be followed by a show-and-tell of actual implementation.

It was clear to me that a cross reference document would readily provide the specific procedural paragraph for any regulation. Building a CRM showing the regulation and its compliance in the QSM was the logical step prior to the appropriate demonstration.

Use in Internal, External Audits

The CRM is useful at any stage of the quality system. In development of your QSM, the CRM will ensure all regulations have been covered. The CRM is a helpful internal auditing tool that can be reviewed to ensure your procedural system meets the regulatory or certification level requirements.

The CRM is also the right tool for an external compliance audit, providing direct links between the audited system regulations and the procedures in place to meet them. Finally, the CRM helps when upgrading to new versions of a regulation or standard to verify that all updates are in place.

A CRM is simple to create. Any software that builds tables will work. Make one column each for the regulation or requirement number, the regulation text, the associated procedure number and the procedural text (see Table 1). It’s best to have the actual text in the columns to verify that a specific procedural statement meets that regulation.

Table 1

It is simple to cut and paste the text from the procedure or specification directly into the matrix. Use an L-shaped matrix for compliance with a single standard and a T-shaped or X-shaped matrix for compliance with multiple standards.2

After completing and verifying the CRM, keep a copy near your QSM, so you won’t need to search for it in the event of an audit or if any questions about the regulations and procedures come up. A CRM also shows an auditor that you are on top of your compliance and have already done the work to verify compliance within your system.

Table 1 is part of an overall CRM for compliance with the medical device quality system requirements of the Food and Drug Administration’s 21 CFR Part 820 quality system regulation. As shown, in some cases there may be more than one paragraph in the QSM that addresses the regulatory requirement. In those cases, it’s a good idea to identify all procedures and paragraphs.

This serves two purposes: to identify all of the procedures that address the regulation and to ensure that no paragraph contradicts another. Too many quality systems have one procedure requiring A, and another procedure requiring B, with A and B being contradictory actions. The CRM also indicates erroneous references. One CRM identified contradictions in two procedures, each of which referred to the other for instructions on documenting nonconformances, but neither provided any instruction. The CRM quickly identified the problem.

If you have a quality system requirement or regulation, try building a CRM to see how well your system meets those requirements. It’s a valuable tool to have, and it could show you some things about your system that you didn’t know.


A more complete table can be found at www.asq.org/qualityprogress.


  1. Joe Tsiakals, “Standards Outlook: ISO 9001 and Regulatory Compliance in the Medical Device Industry,” Quality Progress, Vol. 34, No. 4, 2001, pp. 75-77.
  2. Jack B. ReVelle, Quality Essentials: A Reference Guide from A to Z, ASQ Quality Press, 2004, pp. 98-105.

ALAN CHOW is an instructor for Mitchell College of Business at the University of South Alabama in Mobile. He earned a master’s degree in quantitative business analysis from Louisiana State University. Chow is a certified Six Sigma Black Belt and is a senior member of ASQ.

a compliance requirement matrix / Requirements Matrix is a useful tool to quickly identify compliance Problems

Aylin N. Sener
--Aylin N. Sener, 06-25-2015

--Indira Ramjit, 02-20-2008

Average Rating


Out of 1 Ratings
Rate this article

Add Comments

View comments
Comments FAQ

Featured advertisers