You need to identify the changes from the preceding version, and these changes need to be identifiable during the period the documents are maintained. There are two things at play here:
- The intent behind changelogs in the documents is to make the people working according to/with the documents aware of the changes, and how it impacts the work and their way of working. For this reason we prefer three in-document, as that can help the people returning after long vacations or similar, but our people can look back to the recent previous versions in system, and QA ensures there's no avalanche of updates so people lose sight of it. But yes, the most recent one being available I would regard as compliant, though not robust (what if you have a really minor update (textual correction) 2 days after a major update: people might not know etc. etc. It should be weighed against the risk, but well, pah)
- The intent of retention of all revisions/version of the document is to be able to provide a full picture of the product or process at the various points in its existence, for a period in which it is worthwhile to look back.
For 1: Very dependent on information we cannot presume on. Could be: Show training records of personnel to the document from 2., or how they are instructed in induction to only use the hardcopy in a controlled binder, or how they will always pull the recent one up electronically. Elsmar cannot really know.
For 2.: If each version has its changes from its predecessor identified within itself, then take some document you have with multiple revisions going back a long while and demonstrate that you can still retrieve them and demonstrate them to be readable. (Make it ironic if you have so many changelog entries, that the table can be comically compiled into one big one for 'easy perusal' in the mail towards the auditor.) An additional concern they could express is risk of loss or deterioration, and if you securely store those (i.e. backup arranged with retrieval validated) and demonstrate that as well they'll be hard-pressed to make a case on this point.
I can also state that the 13485 handbook that NB auditors might fall back on does not state anything clearly on this matter, and to my knowledge no other applicable standard or regulation does either. Show you meet the intent, and you should be good.