What Level 1 Document Control Maturity Looks Like in Medical Device Organizations

The quality manager opens the shared drive and searches for the CAPA procedure. She finds four files: CAPA_Procedure_v3.docx, CAPA_Procedure_FINAL.docx, CAPA_Procedure_FINAL_v2.docx, and CAPA Procedure (use this one).docx. None has an effective date. None has an approval signature. Welcome to Level 1 document control.

This is not a hypothetical scenario constructed for training purposes. It is Tuesday morning at hundreds of medical device companies. The shared drive is the document management system. File naming is the version control method. Email is the approval workflow. And the gap between what the quality system says should happen and what actually happens is wide enough to park an FDA Warning Letter in.

The Real Cost of "It Works for Us"

Organizations at Level 1 rarely describe themselves as Level 1. They describe themselves as small, or agile, or "pre-commercialization." The shared drive works because everyone knows where things are. The team is small enough that a conversation in the hallway substitutes for a formal change notification. And this arrangement does work — until it doesn't.

The failure modes are predictable. An engineer leaves the company, and her laptop contains the only current version of three critical design specifications. A contract manufacturer asks for the latest revision of the device master record, and assembling it takes two weeks because nobody knows which files are current. An FDA investigator asks to see the approval history for a process validation protocol, and there is no approval history because the protocol was never formally approved — it was emailed to the VP of Quality, who replied "looks good," and that email is now buried in a departed employee's inbox.

Each of these scenarios violates 21 CFR 820.40, which requires manufacturers to establish and maintain procedures to control all documents required by the quality system. At Level 1, those procedures either do not exist or exist as aspirational documents that bear no resemblance to daily practice.

What an Auditor Sees

Experienced FDA investigators and notified body auditors can identify Level 1 document control within the first hour of an inspection. The tells are unmistakable.

They ask for the master document index and receive either a blank stare or a spreadsheet that was last updated eight months ago. They request a specific SOP and watch as two people retrieve different versions from different locations. They examine a device history record and find references to document revisions that cannot be located. They ask when a procedure was last reviewed and learn that no periodic review process exists.

The absence of a controlled document numbering system is particularly revealing. When documents are identified by descriptive file names rather than unique identifiers, traceability collapses. Cross-references between documents become unreliable because there is no stable identifier to reference. A work instruction that says "refer to the incoming inspection procedure" could mean any of the four files the quality manager found on the shared drive that morning.

ISO 13485 Section 4.2.4 requires that the current revision status of documents be identified and that relevant versions of applicable documents be available at points of use. At Level 1, neither condition is reliably met.

The Part 11 Blind Spot

Electronic records and electronic signatures under 21 CFR Part 11 are not even on the radar at Level 1. Documents stored on shared drives have no audit trail. Anyone with network access can modify, rename, move, or delete files without any record of the action. There is no concept of an electronic signature that meets regulatory requirements — the closest equivalent is a reply-all email that says "approved."

This blind spot compounds over time. Every electronic record created without Part 11 controls is a record whose integrity cannot be demonstrated. Every electronic "approval" that lacks the signature manifestations required by Part 11.50 is an approval that an investigator may not accept. The longer an organization operates at Level 1, the larger the volume of records whose regulatory status is uncertain.

The Training Disconnect

At Level 1, document changes and training exist in entirely separate universes. When a procedure is revised — which at this level means someone edits a file and saves it — there is no mechanism to identify who needs to know about the change, notify them, deliver training, verify comprehension, or document that any of this occurred. The organization cannot demonstrate that operators were trained on the current revision of the procedures they follow daily.

This gap directly violates 21 CFR 820.25, which requires that training needs be established and that training be documented. It also makes the organization unable to answer a question that FDA investigators routinely ask: "How do you ensure that personnel are trained on the current revision of this procedure before they perform this task?" At Level 1, the honest answer is: we don't.

Records Retention by Inertia

Records retention at Level 1 is governed by hard drive capacity rather than policy. Nothing is deleted because nobody is sure what can be deleted. Nothing is archived because there is no archive. Records from five years ago sit alongside records from last week in the same folder structure, with no retention schedule, no disposition process, and no assurance that the files will remain readable over the retention periods required by 21 CFR 820.180.

The irony is that retaining everything is not the same as retaining records properly. An unmanaged accumulation of files is not a records retention program. It is a liability, because the organization cannot demonstrate that it knows what it has, where it is, or whether it will be accessible when needed.

Moving Out of Level 1

The first step out of Level 1 is acknowledging the risk — genuinely acknowledging it, not merely noting it in a management review presentation that gets filed and forgotten. Organizations at this stage often underestimate their exposure because they have not yet faced a serious regulatory action. The absence of findings is not evidence of compliance; it is evidence that the gap has not yet been discovered.

The path to Level 2 requires three foundational investments: a document control SOP that defines how documents are created, reviewed, approved, distributed, and retired; a document management system, even a simple one, that provides a single authoritative source for controlled documents; and a document numbering convention that gives every controlled document a unique, stable identifier.

These are not optional enhancements for organizations that are ready to "level up." They are the minimum viable infrastructure for a medical device quality system that can withstand regulatory scrutiny. The cost of establishing them is a fraction of the cost of the remediation that follows a Warning Letter — and an even smaller fraction of the cost of a recall triggered by uncontrolled documentation.