“Declaration of Conformity” vs. “Certification of Conformity”

April 24, 2023

“Declaration of Conformity” vs. “Certification of Conformity”


There are different kinds of declarations and certifications germane to the medical devices sector.  And there is a proper distinction to be made between “declaration” and “certification”.  I give my further interpretations about that herein.


Ultimately, the precise context of each given scenario bears significantly on which vernacular is appropriate.  But also one’s real-world tolerance (or lack thereof) for longstanding entrenched tradition, vs. the strictest proper interpretation of these matters.  Indeed, this discussion reveals yet another example where there is tension between formally-established terminology vs. longstanding practice.  It can certainly be argued that the terminology like Certification of Conformity (CoC), Certification of Analysis (CoA), etc., isn’t the most correct language. On the other hand, it can also be argued that the CoC/CoA terminology isn’t wrong either.  Complicating the issue is that many organizations and agencies alike have organically woven the CoC/CoA terms into their paradigms.


For example, my experience is that the creation of such CoA/CoC by medical device manufacturers/suppliers is similar to analogous precedents from the pharmaceutical GMP sector like those modeled in the EMA Guideline on batch certification and in the EU GMP Guide Parts I & II.  This would not be the first time that I’ve seen pharma GMP concepts adapted into the medical device GMP sector.  Some more organic medical device precedents include those from the IMDRF (formerly the GHTF) and ISO/TC 210, who both acknowledge the use of the CoA/CoC vernacular.  For example ISO/TC 210’s guidance about the benefit of CoA/CoC for component (whether in-house or outsourced) traceability.


I think an insightful reference echoing (maybe even giving rise to) this terminology dilemma is ISO / EN ISO 17000 (as amended, and as applicable, covering vocabulary and principles, hereinafter “ISO 17000”).  Specifically, it fundamentally establishes the terms


  • “attestation” (i.e., a statement, based on a decision following review, that fulfilment of specified requirements has been demonstrated [emphasis added]),

  • “statement of conformity” (a generic expression used to include all means of communicating that fulfilment of specified requirements has been demonstrated, and conveying assurance that the specified requirements have been fulfilled [emphasis added]), and

  • “first-party attestation” (e.g., by a device manufacturer).


All of these, in my opinion, correlate with the CoA/CoC concepts.  For example, ISO 17000 says that, “…Instead of “assurance of conformity”, the term “attestation” is used…” [emphasis added].  Then the standard goes on to clarify that “declaration” is first-party attestation, while “certification” (e.g., notified body type test certification; other agency electrical safety testing certification, etc.) is a third-party attestation (thus bridging us over to the aforesaid ISO 17050-1 “declaration”).


So, the longstanding “CoA” / “CoC” terms don’t exactly fit nicely with these ISO 17000 terms.  Yet they aren’t exactly wrong either (in my opinion).  Because of this, and of the entrenched precedents for the “CoA” / “CoC” terminology (indeed, time and time again, I’ve seen organizations into whose operating infrastructure these terms are deeply woven, such that we’d be clanging gongs to try and strike down that language), I’m not ready to abandon/retire those terms just yet.   But when it becomes time to do that, I agree that the most standardized proper term is “declaration”.

External Documents Kept on an Externally-Controlled Server

April 21, 2023

External Documents Kept on an Externally-Controlled Server


I know of no regulations or standards specifically demanding an “internal” copy of standards or country regulations. Instead, the logistics of this are generally left to our discretion.  I elaborate further below.


Let’s start with ISO 13485 / EN ISO 13485 (as amended and as applicable; hereinafter “ISO 13485”), as that standard is a very common protocol for many medical device quality management systems.  Therein, clause 4.2.4 second paragraph indent (f) requires (my paraphrase and emphasis added) that we ensure documents of external origin are identified and their distribution controlled.  This doesn’t prescribe the format/logistics (e.g., internal repository vs. external repository; hard copy vs. digital, etc.) of such documents.  Although ISO/TC 210’s guidance about these documents provides an example that is the usual in-house maintenance paradigm, it doesn’t in my opinion overrule ISO 13485’s intended flexibility for document control.  Specifically, ISO 13485 states that, “…It is not the intent of this International Standard to imply the need for uniformity in the structure of different quality management systems…[or] uniformity of documentation…” [emphasis added].


Similarly, the U.S, FDA’s medical device quality system regulation (originally fashioned after ISO precedent, and now in the process of “converging” with ISO 13485) contains the same intended type of flexibility.


So ultimately, whether such documents live in an internal repository or an external repository, either approach can be acceptable as long as the basic fundamentals of document control are adhered to.  For example for practical intents and purposes, the document control SOP needs to contain the appropriate provisions for control of documents of external origin kept in an externally-controlled repository.  That procedure needs to control key things like:


  • Deliberated identification of which external documents (title and version) have been deemed necessary by the organization.

  • Assuring that only the authorized versions will be used.

  • Assuring proper consideration and integration of updated external documents/versions.

  • Assuring that unauthorized versions of external documents are not used.


These are just a few ideas of what the document control procedure would need to have in order to set up for use of external documents kept on an externally-controlled server.

Declarations of Conformity: U.S. FDA vs. Europe

April 20, 2023

Declarations of Conformity: U.S. FDA vs. Europe


I received a question wondering whether the U.S. FDA mandates Declarations of Conformity (DoC) in the way Europe does, and whether U.S. and EU DoC can be combined into a single document.


In short, no, the US FDA doesn’t, as a general rule, require us to have a DoC in the way of the EU.  But the U.S. FDA does allow the voluntary use of a DoC in certain situations.  For example, in those situations where a 510(k) both a) relies on a voluntary/mandatory consensus standard; and b) the device conforms to all of the requirements of the applied consensus standard.  In other words, if there is any deviation in conformity with the applied consensus standard, then a DoC is not allowed by the FDA.


At one time, such declarations were generally limited to an “Abbreviated 510(k)”.  But nowadays, the way standards are used in Traditional 510(k)s vs. Abbreviated 510(k)s has, in my opinion, become basically the same.


Further evidence of the voluntary nature of such DoCs for the FDA is that FDA may alternatively accept what the agency calls “general use” of consensus standards.  “General use” means situations where the Sponsor decides to apply a consensus standard, yet does not submit a DoC.  Such use could involve either full conformity or partial conformity with the applied standard.


In contrast, every EU MDR / IVDR conformity assessment (except special scenarios like custom-made devices, investigational devices, Article 22 products, etc.) shall include a DoC drawn up in accordance with those European Regulations.


Now, since the aforesaid U.S. DoCs and EU DoCs are both generally modeled after ISO 17050-1 / EN ISO 17050-1 as amended, it certainly wouldn’t be hard to draw up a hybrid DoC that covers both jurisdictions.  But my personal preference is to not mix such declarations.  This is for document succinctness, easier revision control, and to avoid convolution between Europe’s “EN” standards compared to the non-EN versions recognized by the U.S., and also because the basic legislative/statutory reasons/uses of DoCs in the U.S. are fundamentally different than their use for the EU.


And to be sure I haven’t confused anyone, here are a few other clarifying points to consider:


I think that most everyone knows that Annex IV of the EU MDR and IVDR prescribes the exact requirements for an EU MDR/IVDR DoC.  But this post isn’t about how to do an EU MDR/IVDR DoC, nor about what are the precise elements of an EU MDR/IVDR DoC.  Instead, the question at hand is about combining a US DoC with an EU DoC.  Accordingly, for such comparative purposes (U.S. vs. EU), it is, for two reasons, quite germane that an EU MDR/IVDR DoC, is fundamentally modeled after (not the same as; yet modeled after) EN ISO 17050-1.  Specifically:


a) EN ISO 17050-1 is the traditional basis that gave rise to EU MDR/IVDR Annex IV.  For example, the Blue Guide reminds us of that when it states, “…The standard EN ISO/IEC 17050-1 has been drawn up with the objective of providing the general criteria for the declaration of conformity…”. Prior to EU MDR/IVDR Annex IV’s prescription, notified body’s used EN ISO 17050-1 as the basis for auditing MDD DoCs.


b) The U.S. FDA’s stated policy is that, “…To certify conformance with a consensus standard, the submitter must submit a DOC…These elements of a DOC are consistent with ISO/IEC 17050-1…”.


On a related note, I’ve also seen some folks use ‘Declaration of Conformity’ in reference to showing that a product has been inspected and shown to meet device acceptance criteria.  But my experience is that such a document is instead called a Certificate of Conformity (CoC), or Certificate of Analysis (CoA), or something similar.  I’ve not heard of, or seen, such a document being called a ‘Declaration of Conformity’.  To avoid confusion with the more proper conventional and legislative use of ‘Declaration of Conformity’, I would recommend against using ‘Declaration of Conformity’ as the name for a CoC/CoA.

EU MDR/IVDR Annex IX Full QMS vs. Annex XI Production Quality Assurance

April 20, 2023

EU MDR/IVDR Annex IX Full QMS vs. Annex XI Production Quality Assurance


The assessment of the full QMS via Annex IX includes (among other things) the procedures and techniques for monitoring, verifying, validating and controlling the design of the devices and the corresponding documentation as well as the data and records arising from those procedures and techniques [EU MDR Annex IX.2.2(d) and IVDR Annex IX.2.2(c)].  In other words, Annex IX includes assessment of the integrity of the manufacturer’s device design process and results.


In contrast, an Annex XI “Production Quality Assurance” assessment of the QMS does not include the EU MDR Annex IX.2.2(d) / IVDR Annex IX.2.2(c) design process assessment (that’s not a typo; certain Annex IX elements are incorporated by reference into Annex XI). In other words, the Production Quality Assurance route does not directly include assessment of the integrity of the manufacturer’s design process.


For this reason, the the Annex XI Production Quality Assurance route is to be combined with the Notified Body’s own independent assessment/testing of an actual device unit(s) via an Annex X “Type Examination” rather than relying only on a paper review of the manufacturer’s design documentation/testing.  The exception to this is lower risk devices (e.g., EU MDR Class IIa and probably also EU IVDR Class B) for which the Production Quality Assurance route can be applied by the manufacturer without NB Type Examination.  So, be sure to remember that if the Annex X Type Examination route is used, then it means that an actual device unit(s) shall be made available to the NB (or its designee) so that the NB can independently do (or arrange for) direct testing/examination of an actual device unit(s) since the NB won’t be engaging in a deep-dive of the manufacturer’s design process.

Design & Development Includes Regulatory Submissions

April 18, 2023

Design & Development Includes Regulatory Submissions


Premarket regulatory submissions [e.g., U.S. FDA 510(k) / PMA; European Technical Documentation Submissions, Canadian Device Licensing, Australian ARTG registration, etc.] need to be driven by, and documented in association with, the design and development process and documentation.  For example, both the FDA (via the QS Regulation preamble) and ISO 13485 (clause 7.3) require that the design inputs address applicable regulatory requirements.


One of those regulatory requirements would be the corresponding premarket regulatory submission authorization, as it is not possible to fully characterize the applicable regulatory requirements without specifying the required premarket submission. Once the corresponding design input is written [e.g., “Device must be FDA 510(k)-cleared / CE-marked / Licensed in Canada / Registered on the ARTG, etc., prior to marketing”], then it would progress through the remainder of the design and development process to tie out the regulatory design input.


Updates are thereafter driven by the design change process, whereby new regulatory submissions are queued and assured.

EU MDR Accessories: Identification in the IFU

April 14, 2023

EU MDR Accessories: Identification in the IFU


In general, for any class of EU MDR device, but especially for a class III device, the IFU must identify any accessories.  Specifically, GSPR 23.4(f) requires (among other things) that, where applicable, the IFU shall contain information allowing the healthcare professional to select the corresponding accessories.


Now, if there really are true accessories for the parent device, then GSPR 23.4(f) will generally always be applicable.  I say “true accessories” because we need to be sure that we verify true applicability based on the fundamental meaning of “accessory” from its Article 2(2) definition, which establishes that accessories are intrinsically mandatory or medically-necessary for the parent device’s intended use or medical functioning.  In other words, if a proposed accessory isn’t really mandatory or medically-necessary for the parent device, then the proposed accessory is not a true accessory, and thus wouldn’t need to be identified in the IFU.  Nor would such an article be subject to the EU MDR’s various other requirements for accessories, though it might still trigger certain other EU MDR categorizations and requirements.


Another piece that needs to be properly considered is precisely how true accessories are described in the IFU.  For example, if there’s only one specific brand of accessory that will work with the parent device, then that branded accessory would need to be identified by name in the parent device’s IFU.  If there are only two, or some other limited number of accessory brands that will work, then they all need to be named, and so on.


On the other hand, if it is known via valid scientific evidence that the parent device only needs a certain generic type of accessory, or just an accessory with certain general technological attributes, wherefore brand specification isn’t necessary, then naming such accessories by brand might not be needed in the IFU.  But this approach could be difficult, if not impossible, to safely realize for higher risk devices like class III; and perhaps also even for any class of device.  Indeed, different regulatory authorities may have different habits/tolerances/expectations for such generalized accessory references, and each technology can raise its own unique questions. So, you’ll need to be sure you are in alignment with any such nuances if you choose a generalized accessory reference that doesn’t mention a specific accessory(s) by brand name.


Whatever level of accessory identification you choose, it must be commensurate with the parent device’s risk and complexity.  In other words, appropriate corresponding risk control needs to appear in the parent device’s risk analysis in support of the chosen accessory identification approach.


Follow-up thoughts April 15, 2023:

In my narrative above, I only paraphrased the Article 2(2) definition.  Per that definition, an ‘accessory for a medical device’ means an article which, whilst not being itself a medical device, is intended by its manufacturer to be used together with one or several particular medical device(s) to specifically enable the medical device(s) to be used in accordance with its/their intended purpose(s) or to specifically and directly assist the medical functionality of the medical device(s) in terms of its/their intended purpose(s).


But oftentimes, I instead see medical device companies use the word “accessory” in common language terms rather than with strict adherence to the Article 2(2) definition.  Accordingly, my approach is that any article meeting the Article 2(2) definition is a true (legislative) accessory.  Any article that does not meet the Article 2(2) definition is something else.


Also noteworthy is that the accessory(s) identified in the IFU should be linked to the accessory(s) identified in the technical documentation.  In fact, I’d generally say that those two locales should identify the same accessory(s).  And the same goes as well regarding the EU MDR’s various other places which also prescribe further requirements related to accessories.  But since this post is about the IFU (i.e., whether the IFU should identify all of a device’s accessories or just some of a device’s accessories), then for clarity, brevity, and succinctness, I intended not to stray into the EU MDR’s various other particular requirements for accessories.

EU MDR Device “Lifetime” vs. “Shelf-life”

April 13, 2023

EU MDR Device “Lifetime” vs. “Shelf-life”


Distinguishing between “lifetime” vs. “shelf-life” is important to realizing proper EU MDR compliance.  For example, regardless of device class, implantable device lifetime needs to be addressed in the information supplied to the patient [except for sutures, staples, dental fillings, dental braces, tooth crowns, screws, wedges, plates, wires, pins, clips, connectors, and other devices adopted in this context by the Commission (e.g., Article 18)].  Similarly, the IFU for reusable devices generally requires information regarding device lifetime [e.g., GSPR 23.4(p)].  In contrast, the label is required to state the shelf-life [e.g., GSPR 23.2(i)].  Moreover, certain GSPRs demand scientific evidence/data supporting these attributes.  Accordingly, it’s imperative to properly approach device “lifetime” vs. device “shelf-life”.


Toward that goal, I like to remember that all devices have a GSPR 6 lifetime, while not all devices have a GSPR 7 shelf-life.  Device “lifetime” is generally applied to the duration of time a device is expected to remain functional once usage has started.  Accordingly, lifetime is focused on questions of reliability (e.g., MTBF, etc.) during use.  In contrast, “shelf-life” is generally applied to devices that have sterile or otherwise intrinsically time/age-sensitive attributes that can degrade while awaiting use.  Thus, shelf-life is focused on questions of stability during transport and storage. Yet there could be some products whose inherent nature might cause lifetime to technologically merge with shelf-life; so, the foregoing narratives are just general rules.


For single-use devices, the GSPR 6 lifetime is simply the duration of the single-use.  Yet that can be trickier than first meets the eye. For example, in the case of a long-term active implantable device that meets the EU MDR’s definition of single-use device (i.e., intended to be used on one individual during a single procedure).  The GSPR 6 lifetime for reusable devices is governed by the device’s fitness after repeated use and reprocessing.


In contrast, the GSPR 7 shelf-life is determined via aging/stability studies that mimic and/or replicate the expected conditions of transport/handling/storage preceding use.

UDI for IVD Devices Used In-House: Part 3

April 13, 2023

UDI for IVD Devices Used In-House: Part 3


For those that would say that the part of an IVD assay/test used only in a manufacturer’s in-house lab isn’t in “commercial distribution” and thus asserting that UDI requirements don’t apply: That is definitely a thought provoking stance.  But I’m thinking that such an interpretation might be overuse of a regulatory technicality that skirts the fundamental intent of U.S. medical device UDI law and implementing regulations (though I offer a possible way around that later in this post).  The UDI regulation’s transition dates and the definition of “labeler” are indeed contingent on the longstanding term “commercial distribution”.  Yet on the other hand, I’ve always taken notice of FDA’s more holistic and very plain UDI interpretations such as, “The label of every medical device shall bear a unique device identifier (UDI)” [21 CFR Part 801], and like, “All devices, as defined by 21 USC 321(h), are subject to the requirements of the UDI Rule, unless an exception or alternative has been granted.” [FDA UDI FAQ Vo. 1].  So, I’m still careful to distinguish those more primary UDI interpretations from the lower level requirements aimed at establishing which party (the labeler who intends commercial distribution) is responsible for meeting the UDI requirements.  I explain more about the intent of “commercial distribution” later in this post.


We are always left with the fundamental UDI intent/requirement demanding that the health care community and the public be able to rely on UDI to definitively and rapidly identify (e.g., via the GUDID, via adverse event reports, via manufacturer communications, etc.) the devices by which they are impacted.  Indeed, if we don’t have UDI traceability of an IVD assay/test that is used to affect clinical decision making, then the basic intentions of the UDI requirements are undermined, if not compromised all together. For example, in the commonplace IVD hazardous situation where an IVD gives false positive/negative results leading to improper clinical decisions: If such an IVD can’t be identified in the GUDID or adverse event reports, then I’d say such a scenario is a failure to comply with the basic intent of U.S. medical device UDI law and implementing regulations (see the UDI regulation preamble, e.g., at 78 FR 58786).


Another angle for me is that I’m used to working with IVDs whose reagents are formulated specifically for the particular IVD assay/test. In that case, the assay/test and its reagents are, for regulatory purposes, an ensemble that together make up the finished regulated IVD subject to applicable regulatory controls including, but not limited to, UDI compliance. From a regulatory standpoint, such an assay/test and its reagents are generally inseparable (as with any finished device consisting of multiple functional parts).  For example, FDA’s UDI helpdesk stated to me that a component (such as an IVD reagent), “…is not a finished device, is not cleared or approved independently from the finished device, and does not require a UDI…”  This shows for UDI purposes the aforesaid inseparability of a finished device and its components; and also shows that UDI requirements don’t apply to components apart from the finished device’s UDI.  And again, in my humble opinion, it certainly doesn’t obviate the basic UDI requirement for traceability of the finished device from manufacturing through distribution to patient use (see more about that below).


Accordingly, due to the regulatory inseparability of a finished device and its component parts, it seems for the purposes of UDI that if such an IVD’s reagents are placed into commercial distribution, then that IVD is itself generally placed into commercial distribution.  In general, no commercial medical device intended for human clinical use (such as an IVD to test human clinical samples at a manufacturer’s in-house lab) can be without a UDI.  Moreover, the assay/test component of such an IVD is certainly being used commercially and thus seems to be in commercial distribution. On that note, I’d also say that distribution of the IVD assay/test from the manufacturer’s production area to its in-house clinical lab location doesn’t clearly meet the intent of the regulatory exemption “internal transfer of a device between establishments within the same parent, subsidiary, or affiliate company” (a key commercial distribution exemption incorporated by reference from Part 807 into the UDI regulation).


Again, I stay mindful that the UDI requirements are ultimately aimed at serving the safety needs of the marketplace.  Consequently, IVDs whose results are used by healthcare facilities for clinical decision making are certainly no exception, regardless of where the IVD testing is actually run.  This is driven by the aforesaid fundamental traceability intentions of UDI law and regulations. FDA repeatedly says it established the UDI system for adequately identifying medical devices sold in the United States from manufacturing through distribution to patient use.  I’d say this remains the case even when the “patient use” of an IVD device involves remote locational use of the assay/test for testing the patient’s samples.  The need for UDI assay/test traceability, for example in times of false negatives/positives, doesn’t go away just because the test was run at the manufacturer’s in-house lab.


Now…all this said…it may be feasible to realize a UDI exemption for certain LDTs (Laboratory Developed Tests) based on FDA enforcement discretion for LDTs.  But as alluded to before, if such an LDT isn’t clearly restricted to use only at the IVD manufacturer’s qualified in-house lab, then such a device could generally be disqualified from LDT classification and enforcement discretion.  And I’m also not sure if an IVD device can qualify for LDT classification when part of it [e.g., its reagent(s)] is sent out to health care facilities for clinician use as part of the test.  In addition, FDA’s requirements for ASRs also need to be factored into the overall regulatory strategy to be sure the final UDI strategy is compliant.  Similarly, if IVD reagents are categorized as “accessories” separate from the parent IVD device (thus making them separate devices in their own right for regulatory purposes), then that might also be an avenue of leverage as part of a compliant UDI strategy where an LDT doesn’t bear a UDI.

Use of Off-Label Clinical Data in Premarket Submissions

April 13, 2023

Use of Off-Label Clinical Data in Premarket Submissions



The supporting clinical data for a U.S. 510(k) notification (or other U.S. premarket submission) must generally meet FDA’s standard for “valid scientific evidence”.  Specifically, that means (21 CFR 860.7) evidence from well-controlled investigations, partially controlled studies, studies and objective trials without matched controls, well-documented case histories conducted by qualified experts, and reports of significant human experience with a marketed device, from which it can fairly and responsibly be concluded by qualified experts that there is reasonable assurance of the safety and effectiveness of a device under its conditions of use. The evidence required may vary according to the characteristics of the device, its conditions of use, the existence and adequacy of warnings and other restrictions, and the extent of experience with its use.  However, isolated case reports, random experience, reports lacking sufficient details to permit scientific evaluation, and unsubstantiated opinions are not regarded as valid scientific evidence to show safety or effectiveness.


These provisions would need to be carefully considered when assessing the utility of off-label clinical data/experience for the purposes of supporting eventual market authorization.


In terms of soliciting additional off-label experience/data, that gets to be a tricky scenario.  Specifically, FDA has strongly established that it can, and has, considered off-label use to actually become intended use once the manufacturer’s corresponding awareness reaches a certain level.  So this can get us in hot water quick once there is a known intended use for which no premarket authorization has yet been obtained.


The regulations require us to instead solicit/sponsor/facilitate such off-label use only under proper clinical investigation controls (see 21 CFR Part 812) and/or to assure that retrospective and unsponsored clinical data were gathered under comparable clinical investigation controls or equivalent (e.g., for overseas studies/data, compliance with the Declaration of Helsinki, ISO 14155 as amended and with any regional versions, etc.).

UDI for IVD Devices Used In-House: Part 2

April 13, 2023

UDI for IVD Devices Used In-House: Part 2


Once the reagent kit components (i.e., essential parts of the finished IVD device) of an IVD are sent to the healthcare facility for clinical use, then the finished IVD is in commercial distribution (thus triggering the UDI requirements) as I understand it.  Also, the UDI requirements are generally aimed at finished devices rather than components or shipping containers. So the UDI regulations don’t generally provide for parsing the finished device up into pieces for the purposes of UDI.


Moreover, in light of the key intent of the UDI traceability requirements, the healthcare facility still has a critical interest in the proper functioning of the manufacturer’s in-house assay/test.  For example, in the event of false positives/negatives that adversely affect clinical decision making/treatment, then the fundamental intent of the UDI requirements is that all parties, including the healthcare facility, be able to link the issue back to the suspect assay/test.  Lack of assay/test UDI could prevent this fundamental intent from being met, and thus in the eyes of the UDI regulations, would represent insufficient protection of public health.


Another aspect is that if the IVD’s cleared/approved labeling, premarket authorization data [e.g., in the 510(k), PMA, EU Technical Documentation, etc.] don’t clearly restrict the assay/test to use only at the IVD manufacturer’s in-house lab (e.g., if they don’t contraindicate against use outside the manufacturer’s in-house test environment), then that also works against the notion of a UDI exemption, as such premarket authorization is contingent on UDI compliance.


Accordingly, my understanding is that the UDI requirements definitely still apply to a finished device IVD consisting of the assay/test and its reagents. If one’s strategy was to try and exempt part(s) of the commercialized finished device from the UDI requirements, then that could definitely translate to compliance risk, public health risk, and legal/liability risk.  I would at least look to assure agency authorization for such an approach before implementing it.