What Level 2 Document Control Maturity Looks Like in Medical Device Organizations
Learn how document control maturity level 2 organizations begin formalizing QMS documentation but still face gaps in consistency and compliance.
You have a document management system. Approval workflows are defined. Version numbers are sequential. So why did an operator on second shift run a process using a procedure that was superseded six weeks ago — and nobody caught it until the nonconformance investigation?
This is the defining paradox of Level 2 document control. The infrastructure exists. The procedures are written. The system technically works. But there is a persistent gap between document control and document effectiveness — between having the right revision in the DMS and having the right knowledge in the hands of the person doing the work.
The DMS Works. The Ecosystem Doesn't.
Level 2 organizations have invested in the basics, and that investment is real. There is a document control SOP. There is a designated document controller or a small team. Documents have numbers, revision levels, effective dates, and approval signatures. Compared to the shared-drive chaos of Level 1, this feels like a major accomplishment. It is.
But the DMS at Level 2 is an island. It manages documents in isolation from the systems and processes that depend on those documents. When a procedure is revised and approved, the DMS updates the revision status. What it does not do — because it cannot, or because it has not been configured to — is tell the training system that twelve operators need to be retrained, alert the supplier quality team that a referenced specification changed, or notify the regulatory affairs group that a submission-referenced document has a new revision.
The result is a quality system that is technically compliant in its document control practices but practically fragile in its change management. The document is controlled. The consequences of the document change are not.
Level 2 Tells
Quality leaders who suspect their organization is operating at Level 2 should look for these specific patterns.
The hybrid approval workflow. Documents are routed electronically, but the approval evidence is a mix of electronic timestamps, scanned signature pages, and email confirmations. Assembling a complete approval chain for any given document revision requires pulling evidence from multiple sources. An auditor can verify that the document was approved, but the evidence trail is not clean or immediate.
The manual training trigger. When a document is revised, someone — usually the document controller or the change initiator — manually identifies who needs training and sends a notification. The training system has no automatic awareness that a document changed. If the person responsible for sending the notification is out sick or overwhelmed, the notification does not get sent. The gap between document revision and training completion is measured in weeks, not days.
The incomplete impact assessment. Change request forms include an impact assessment field, but the assessments are superficial. "No impact on other documents" is the default entry, even when the changed document is referenced by a dozen downstream procedures. Cascading changes are missed regularly, creating version mismatches that surface during audits or, worse, during manufacturing.
The periodic review backlog. A periodic review schedule exists on paper, but 20 to 30 percent of documents are overdue for review at any given time. The organization knows this is a problem but lacks the bandwidth or the system capability to close the gap. The backlog grows slowly, and nobody raises the alarm until a notified body auditor pulls a sample and finds that half the documents in the sample have not been reviewed within the required interval.
The Part 11 gap acknowledged but unresolved. A Part 11 assessment has been conducted, or at least discussed. The gaps are known: incomplete audit trails, electronic signatures that do not meet manifestation requirements, system validation documentation that is thin or absent. The remediation is on the quality plan, but it has been on the quality plan for two years because the investment required to close the gaps competes with every other quality system priority.
Where Change Control Breaks Down
The change control process at Level 2 functions but does not connect. A change request is submitted. The reason for the change is documented. Reviews and approvals are obtained. The revised document is issued. These steps happen reliably for most changes.
The breakdown occurs at the boundaries. The change control process lives inside the document control system, but its effects extend into training, manufacturing, supplier management, and regulatory submissions. At Level 2, those connections are manual. A change to a component specification should trigger an update to the incoming inspection procedure, a revision to the supplier quality agreement, and a review of the design history file. Whether those downstream actions actually happen depends on the institutional knowledge and diligence of the change initiator — not on system-enforced linkages.
EU MDR Annex IX Section 2.3 requires procedures for the control and updating of technical documentation. A notified body auditing a Level 2 organization will recognize that change control procedures exist, and that recognition is valuable. But the auditor will also probe the effectiveness of impact assessments, and this is where Level 2 organizations frequently receive observations. The procedure says impact assessment is required. The executed assessments suggest it is not happening rigorously.
The Multi-Site Multiplier
Level 2 challenges multiply at organizations with more than one site. Each site may have adopted the document control SOP in principle but implemented it differently in practice. Document numbering conventions may overlap. Templates may diverge. One site may have upgraded to a newer DMS version while another remains on the legacy system.
The result is a corporate quality system that looks harmonized in the quality manual but reveals inconsistencies under examination. A notified body conducting a multi-site assessment under EU MDR will compare document control practices across sites and expect consistency. At Level 2, that consistency is aspirational rather than demonstrated.
Records Retention: Policy Without Practice
A records retention policy exists at Level 2 — a genuine improvement over Level 1's retention-by-inertia. The policy identifies retention periods for key record types based on 21 CFR 820.180 and ISO 13485 Section 4.2.5 requirements. It has been approved and distributed.
Implementation is another matter. Some record types are managed according to the schedule. Others accumulate without oversight. The organization may not have a reliable process for reviewing and dispositioning records that have exceeded their retention period. More fundamentally, the organization may not have validated that records stored electronically will remain readable and accessible over the full retention period. A retention policy that says "retain for 15 years" is meaningless if the file format becomes obsolete in seven.
The Distance to Level 3
The gap between Level 2 and Level 3 is not about adding more procedures. It is about replacing manual connections with system-enforced connections. Moving to Level 3 requires a DMS that does not merely store and track documents but actively governs their lifecycle — routing approvals automatically, triggering training assignments on revision, maintaining cross-references between related documents, and enforcing access controls that prevent unauthorized changes.
This transition typically requires investment in a validated eQMS platform, which is why many organizations plateau at Level 2. The system they have works well enough to avoid the most egregious audit findings. The investment required to reach Level 3 is significant. And the burning platform that motivated the move from Level 1 to Level 2 has cooled.
That plateau is a strategic risk. Level 2 document control manages documents. Level 3 document control ensures that documents drive the right behavior across the organization. The difference shows up not in the document control audit but in every other audit — training, CAPA, production controls, supplier management — where the effectiveness of document changes is tested against operational reality.
Document Control CMM
8 dimensions · 5 levels · 8 deliverables