The ISO 13485 Gaps That Sink Medical-Device Sourcing Deals
A certificate on a factory wall is not a quality system. This is the first thing any serious buyer of contract-manufactured medical devices learns — usually after a setback that could have been avoided. ISO 13485 certification tells you a registrar audited the facility at a point in time and found enough evidence of a functioning quality management system to issue a document. It does not tell you whether that system is operational today, whether it covers the specific product you intend to source, or whether the people who passed the audit are still there. Treating the certificate as a proxy for readiness is the most common and most expensive mistake in medical device sourcing.
The gaps that matter are predictable. Across contract manufacturing audits in China's medical device sector, the same nonconformity categories surface repeatedly. Understanding them before you commit to a factory saves time, money, and market access.
Document Control. ISO 13485 clause 4.2 requires that documents be controlled, current, and available at the point of use. In practice, what auditors find most often is a paper-based system where procedures were written for the certification audit and have not been revised since. Operators on the floor reference printouts that predate the current product revision. Design changes made in response to a customer request were not propagated into the device master record. The procedure for handling obsolete documents exists but is not followed. None of these failures are dramatic on their own; together they mean the production record cannot be trusted as a faithful description of what was actually made.
Design History File Gaps. For OEM arrangements where the client owns the design, the design history file (DHF) obligation often falls to the client. But contract manufacturers who also develop products — or who adapt reference designs — frequently cannot produce a complete DHF. Risk management files reference a hazard analysis that has not been updated since the initial regulatory submission. Verification and validation reports exist for individual components but not for the assembled system as it is currently configured. Clinical evaluation, where required, was delegated to a third party without a documented methodology for reviewing the output. When a regulatory body or a clinical-authority partner requests the DHF during market entry, these gaps are discovery events, not administrative oversights.
CAPA Weakness. Corrective and preventive action is arguably the most scrutinised clause in a third-party audit, and the most often found wanting. The structural problem is that many factories treat CAPA as a paperwork requirement rather than a closed-loop investigation discipline. A nonconformance is raised, a root cause is documented — frequently at the level of "operator error" or "insufficient training," which are conclusions, not causes — a corrective action is assigned, and the record is closed. There is no evidence that the effectiveness of the action was verified, no evidence that similar processes were checked for the same root cause, and no trend analysis connecting individual CAPAs to systemic issues. A factory with a long list of closed CAPAs and no trend data is telling you something important about how it operates.
Supplier Control. ISO 13485 clause 7.4 requires that purchased product conform to specified requirements, and that suppliers be evaluated and selected on the basis of their ability to meet those requirements. In contract manufacturing, supplier control is frequently the weakest link in the audit. Approved supplier lists exist but have not been updated. Critical component suppliers have not been audited, only their certificates collected. Incoming inspection procedures are documented but the records show systematic acceptance without inspection. When a key raw material changes specification — a common occurrence as component suppliers respond to their own supply-chain pressures — there is no documented change control process that connects the material change to a re-evaluation of the finished device. This is one of the most direct routes from a document gap to a product quality failure.
Process Validation: IQ, OQ, PQ. For manufacturing processes where the output cannot be fully verified by inspection — sterilisation, injection moulding critical dimensions, coating adhesion — ISO 13485 requires validation. The three-stage framework of installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) is well understood in principle. In practice, factories that have been through the IQ and OQ phases often treat PQ as a one-time event tied to the initial product launch rather than an ongoing programme. When equipment is replaced, recalibrated, or moved, revalidation protocols do not automatically trigger. When process parameters drift — as they do over time in any high-throughput environment — there is no statistical process control programme detecting the drift before it reaches the product. The validation package presented during certification may be genuine; the question is whether it is still current.
Traceability. Full traceability — the ability to reconstruct, from a finished device serial number, every component lot, every production step, every operator, and every environmental record — is both a regulatory requirement under most major frameworks and a practical necessity when a field complaint requires root-cause investigation. The weakness here is almost always in the linkage between paper and electronic records. A factory may have a robust MES for production tracking and a separate paper-based system for incoming material inspection. If the two systems are not formally linked — if a production batch record references "component lot as per incoming inspection record" without a specific cross-reference — traceability exists in theory but cannot be executed reliably under time pressure. The impact is greatest at the most critical moment: during a product recall or regulatory inspection.
The practical implication for buyers is that a pre-commitment audit should go further than a certificate review and further than a checklist walk-through. It should test specific scenarios: ask to trace a finished device back to incoming material; ask to see the last three CAPAs and their effectiveness verifications; ask for the validation status of each critical process as of the date of the audit, not the date of the last regulatory submission. The answers to those three questions will tell you more about the real state of the quality system than any document review. This is a core part of what Asaptic helps clients execute during medical device sourcing — ensuring compliance readiness is assessed before capital and regulatory timelines are committed, not after.
ISO 13485 is not a barrier designed to slow things down. It is the framework that makes a product defensible in a regulated market, that gives a clinical-authority partner the confidence to integrate a device into its procurement pathway, and that protects a brand when something goes wrong in the field. The gaps described here are gaps in that defensibility. Finding them before you sign a contract is not due diligence performed out of caution — it is the minimum required to understand what you are actually buying.
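Summary: ISO 13485 certification is not the same as a quality system that is actually operating. In China's medical device contract manufacturing sector, the nonconformities that recur in audits fall into the following categories: document control failures (procedures never updated since the certification audit), design history file gaps (incomplete hazard analyses and verification reports), pro-forma CAPA (paper records completed without effectiveness verification or trend analysis), weak supplier control (out-of-date approved supplier lists, changes to critical materials that trigger no re-evaluation), process validation that is not sustained (IQ/OQ/PQ treated as a one-time event, no revalidation after equipment replacement), and broken traceability (paper and electronic record systems not formally linked). Before signing, buyers should assess the real state of a factory's quality system through scenario testing rather than document review alone.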