Insights & Intelligence for Regulatory Leaders

Rimsys Founder & CEO, James Gianoutsos, was recently a guest on the Gens and Associates Podcast, a series dedicated to regulatory trends, topics, and insights from industry thought leaders. During the interview, James and Gens and Associates Managing Partner, Steve Gens, shared their unique founding stories and discussed digital transformation in the medtech industry.

One particular aspect James and Steve discussed is the role of AI in medtech regulatory affairs. Historically, the medtech industry has lagged behind pharma in digital adoption by 10-15 years. As the medtech industry takes on digital transformation initiatives, some medtech companies pursue AI solutions first. Through his extensive experience helping medtech companies embrace and adopt digital change, James states the importance of starting with efficient regulatory information management. Listen to the full interview to learn why setting a proper data foundation is critical to leveraging AI successfully along with: 

• How AI will evolve in medtech regulatory affairs
• The importance of data governance in medtech digital transformation
• Why partnering with a medtech-focused RIM provider like Rimsys is essential for a successful transformation
• What's next on the Rimsys product roadmap as the company enters its next phase of growth, including enhancements to Rimsys Intel

Find the full interview on the Gens and Associates website, Spotify and Apple.

We'd like to thank Gens and Associates for featuring James and for the opportunity for him to share his thoughts about medtech digital transformation with the Gens and Associates community!

‍
About Gens and Associates

Gens and Associates is a boutique Life Science management and organizational consultancy specializing in strategic planning and roadmap development, industry benchmarking, regulatory information management, organizational transition management, and working with leadership and project teams to accelerate change and value realization. Learn more on the Gens and Associates website.

‍
TRANSCRIPT: 

Steve Gens: Welcome to the gens, an associates executive podcast series where I have one-on-one conversations with leading executives that represent the Regulatory software and services sector, to learn more about how their organizations are supporting, and more importantly innovating this space. So, Steve gens here, managing partner of Gens and Associates today, I'm happy to be speaking with James Gianoutsos, founder and CEO of Rimsys. So welcome, James, I've been looking forward to this conversation and, you know, as we have this executive series, it's kind of rare to have a founder, you know, founding Gens and Associates in 2005, seemed like a very risky proposition and it's different when you're founding something versus just being a CEO of existing organization. So, before we get started with Rimsys being a fairly new company, I think you were founded in 2017. Could you give our listers a brief history of Rimsys and yourself and how you support the me tech sector?  

James Gianoutsos: Yeah, absolutely. And before I start off, just thanks for having myself on board and being a presenter here. And yeah, for everybody who does not understand the med tech arena or know Rimsys, my name is James Gianoutsos on founder and CEO of Rimsys. And I've spent the last 17 plus years in the Regulatory and quality industry.

And so I started my career at Philips and worked for several small and medium sized medtech manufacturers. I've had, the experience of actually managing global Regulatory operations, doing global submissions, moving 600,000,000 dollar manufacturing locations under consent decrees in the midst of the EU MDR and I VDR transitions. And so I've also had a really nice breadth, of medtech background as well, medtech product background, I should say all the way from c- pap devices to internal surgical adhesives even on the consumer side such as pacifiers, incubators, you name it.  

I've really had a really diverse in broad experience level with medtech itself. And so back in 2017, I was actually working for a small medtech manufacturer. And fortunately, unfortunately, I was laid off of that position. It was something that I know that there's a lot of medtech manufacturers that are kind of doing the same thing in this year last year, I should say. And… and it was, you know, that would happen on May 31, 2017, at noon and I started Rimsys at 1 PM that same day. It was just something that I've always had in the back of my mind's something that I always wanted to pursue.  

And really looking at the landscape back then there were only pharmaceutical RIM providers on the market. And so there was nothing really catered to, the medtech industry. Medtech and pharma aren’t uniform and aren’t just worlds but universes apart in terms of regulatory complexity, how you get products to market, how you maintain those products on the market and just the regulatory pathways and workflows around that. And so really started my endeavor hiring a couple developers offshore.

And, and to your point, you know, it's definitely different to be a founder than just a CEO because you're so heavily invested and so heavily involved that's you know, over the last five to six years… seven years is to say it's been a really cool experience to be personally involved with this development and working with the largest tech manufacturers in the world to help develop our solution and improve the regulatory workflows. So at the end of the day, they can get the products to market faster and keep those products on the market.  

Steve Gens: Excellent. So thank you so much for that good introduction. And then again from one founder to another, I still remember I had a fold up desk in a spare room with a laptop, my cell phone, you know, one customer, one contract and, you know, we're starting our twentieth year and have over 100 global customers. Like, I could never imagine back then where it would be but, you start someplace, you have a vision, you see a need, you go after it. You, you just get the best team around you and you just do it. So, so congratulations, you had a very successful lift off, and that's where I'd like to start.

I know when we first got introduced and started covering you about four years ago. And, I think it's on your website too is, you know, that context because again, we support both the biopharmaceutical and tech and they are very different although there's growing combinational products, right? So they're starting to be a little worrying, but there they are two different worlds or universes. Kind of in your case, you know, I know you say, yeah, we build this by Regulatory affairs, you know, professionals, there's a better way to do this. And also like the other terminology that a lot of people use big words like transformation and all that. But in Regulatory, it's a major monetization and simplification. And I know on the medtech outside, organizationally you know, they tend to be a lot more distributed design center. So in some ways you have a different set of complexity. So we've been tracking you for about four years now, we've watched your growth. We get those regular annual updates, but I think one thing our customers would really be interested in is, you know, why do your customers pick Rimsys? You know, what differentiates you from, the competition?  

James Gianoutsos: Yeah, there's a lot to unpack from that question. And I'm, happy to dive in a little bit more to it. You know, one of the primary things that we do and understand is the medtech industry period. And so from day one, you know, this is why our company exists to support medtech. There's you know, the whole thesis around Rimsys around our solution and our product, in the industry historically medtech is 10 to 15 years behind pharma from a digital transformation standpoint.  

Medtech has been undergoing this digital transit initiative over the last several years and since then, we've really taken off because especially at the enterprise level standpoint, and the complexity around the workflows, the understanding of how the, in relation between the data elements of not just, you know, regulatory information, but of how the products are associated to those registrations to certificates to really all the entire Regulatory product life cycle really differentiates us because, we understand, those nuances better than anybody in the industry period.  

You know, we've a we've had a lot of success because it feels like, the pharma industry is kind of waking up to it. We've actually seen some pharma companies try to come into medtech and actually failed miserably because, you know, I would say with 100 percent conviction that nobody wants a pharma RIM with the medtech label slapped onto it. And what allows us to be successful in that is that we partner deeply with our enterprise customers to understand those nuances, and we're adaptable to those changing regulatory needs. We are a relatively young company. But we are broadly and vastly experienced in that med tech space. And so that's really been one of our competitive advantages is just understanding the space like nobody else.  

And you mentioned combination products and what's really unique about medtech is that, you know, combination products at the end of the day are a drug coded stint or some type of prefilled syringe, those are a medical device. And based on the primary mode of action, some other items that are typically more medtech forward devices. And so that creates an interesting opportunity for Rimsys because, you know, drugs are drugs at the end of the day, it might have different dosages, but the varying aspects of where that do can be put into the system or put into your system. I should say… your body is vast and a lot of those have or need a medical device to deliver that.

And so, the variations and complexity around that makes for Rimsys to be at the forefront and leader of that combination product standpoint. And a lot of our customers have actually adopted Rimsys even more heavily because of that, not just on the medtech side but on combination side.  

Another interesting item that we're seeing is that we are also because medtech as it is so vast and so complicated and complex from the workflows. You know, we're product centric and that has the adjacent categories as well where you can go into veterinary biocides, biologics consumer side combination because at the end of the day, the framework in the structure is generally the same. However, the regulatory pathways might be different. And so, that bodes well with our client base because a medical device manufacturers product portfolio, is ever-changing but also becoming more broad in nature as it expands itself into its new markets.  

Steve Gens: Yeah. Thanks for that overview. And I've been taking some notes on that. And I've seen kind of on the biopharmaceutical side, some of the RIM providers, hey, we should do medtech and, you know how I maybe I'm looking at this naive is like in the biopharmaceutical generics, you know, it's more of a data paradigm where, your life is an engineering paradigm and as opposed to like one to one with the health ministry or the health authority, you could have one to many in each country, right?  

James Gianoutsos: Precisely.  

Steve Gens: In your submission, so it's that extra kind of permutation if you will of complexity and maybe another podcast, maybe we'll do later on too. I was just thinking about, you brought up the stint in earlier in my career. I think, you know, I was a Johnson and Johnson guy and one day, you know, one of the pharma scientists was, you know, talking with one of the device scientists and they came up with a stint that must be like 20 years ago. But maybe another conversation, just the emergence of software as a device. You know, that's a big interesting topic. But that's venture on a little bit more so.  

And I know we talked about this kind of, the other day, you know, about monetization of regulatory systems and processes. And there's such an intense focus. The big word this day is AI, right? But there's AI and automation, and sometimes people confuse, the two. What's Rimsys doing as far as helping your customers, and maybe just in the very near term. So maybe tactical things we're you're doing either with AI or automation or the combination. And what does the longer term look like?

James Gianoutsos: Yeah, it's a great question. And to your point, I think there's a couple items that, I specifically want to address there because at the end of the day, you know, AI, is this thing that's being used from a marketing standpoint or just from a general industry standpoint in general, right? And it's this idea that these systems or software solutions can help do the work for you. Not, you know, it's not gonna take anybody's job, but there are ways that it can definitely help make you more efficient.  

You know, what's particularly interesting in the medtech digital digitalization transformation initiative that's going on right now is that, you know, medtech in itself is 10 to 15 years behind the times period. And so especially with these large enterprise level companies. And so, when you're in a horse and buggy, which is what the med tech industry is today. And we're trying to get into a spacecraft, of course, I think, the logical and the initial item in thinking is that, okay, we can just go straight to AI, but really at the end of the day AI is only as good as the data that is trained on.  

And… phase one of the company has always been the information management period of medtech in the organization. In getting that, right, we've invested so much time and money and collaboration with our partners of how product attributes, UDI attributes, regulatory… attributes. And how all of that plays well and interlays with one another because if you don't get that fundamental framework, you're gonna have a hard time. You might do some really interesting things with AI, but you're gonna have a hard time keeping that information organized in the manner that you will need to have it organized to do things later on.

And so, what's really been interesting is that we're about complete with our phase one of the company, meaning that the information and organization and complex workflows have a majority of that has been addressed, meaning that we have now reached this pinnacle where we're gonna go into phase two of Rimsys.  

Pase two has really been in and is all about the Intelligence. And so if you think about everything we've done in the phase one of the company where it's the information management, the we're call it the data layer. Now, we're entering the phase two, we're now we can overlay intelligence and market information directly over that data layer, so you can do some really fun and interesting and innovative things with that data. And so from an AI standpoint, we actually have some things coming down the pipeline at the end of this year, early next year, that's really going to help one with data ingestion in our system.  

You know, we have companies that have 300,000 products and 249 countries globally and that's just one company, right? And so there are some really interesting things we can do with data ingestion and data maintenance from our standpoint. But also there's some really interesting things we're gonna do with market intelligence notifications of, you know, regulatory changes in the market as well as some things that are coming through with submissions as well. And, and we have a really nice road map played out that in the next six to 12 months that it'll be, it's gonna be really cool to see some of those things come to fruition here.  

Steve Gens: Yeah. There's there's a lot. I just took a lot of notes on that on this and just a few comments I think, you know, for our listeners too, just another layer of complexity between, the med tech and pharmaceutical is, besides the things you've mentioned, I've mentioned, you know, you're dealing with a class one, two or three, you know, device. So like the one client with, you know, all those products. It's kind of reminds me of the consumer side and JNJ, it's like you have Tylenol as a product but you have so many variations then different names of it in so many different countries, mind explodes just trying to manage the label.  

You know on that, I think the other thing on the probably where you guys are more ahead on the medtech side is there's this nirvana of embedded reg intel, you know, where, you know, the reg intel actually directs the workflow you know, as opposed to, the user based on whatever regulatory activity you're working on. If you're doing a renewal in Thailand, for example, it has the reg intel and it knows what to do so.  

The same thing too, some people are scared of AI is going to replace, you know, my job, but I think you know, more and more people realize it's a virtual assistant or a writing assistant where the AI might do the first version, one of a document, you know, the boring stuff. And then the expert medical writer would actually take it, you know, with their scientific knowledge.  

And the last thing I wanted to comment to because we just finished up our very large study, you know, with AI, it's only as good as the data we've proved out. And I don't know how much of an issue. It is just like having the highest level of data quality and regulatory, but, you know, a lot of folks on the biopharmaceutical side, it's like well, you know, should we enter it centrally, decentralize, hybrid at that time? How the data is entered into data quality where that is not linked. We've proved it out that having those really good data quality practices, the data governance, have that in place and that's a direct correlation.  We call those the data assets, you know. And then there's a shiny activity. If you have the right skills and the right KPI, you put those four together. And that's where the magic happens, right?  

So, the last question, and actually from founder to founder, you had the sparkle in your eye when you thought about this and you actually pulled the trigger. So instead of, you know, kind of having the CEO voice, but from the founder's voice, what excites you most about Rimsys in the coming years. So, where is the company going?  

James Gianoutsos: It's such a loaded question because I feel like there's so many amazing things to do. I mean, we're still at the beginning of this whole thing. And my mind has been going since, you know, 10 years ago when I first arrived this, you know, to 2017 when I first started putting… pen to paper.  

And, you know, having all these tools and things that I wish I had when I was in industry would have been absolutely amazing not just from a jobs perspective standpoint, but from the company perspective standpoint because the things that regulatory does has a direct impact on the revenue as well as getting those products to market for the patients need the most and maintain those products on the market for the patients that need in the most. And so, there's a high degree of vested interest to get those products and keep those products on the market as a regulatory professional, honestly just as a human being.

And so, the things that I'm excited for are the new Rimsys Intel that we're gonna be continuing to advance here in the next six to nine months. And there's gonna be some, really exciting things, that I think there's some new adjacent product regulatory life cycle items that we can get into. So, there's always the premarket, on-market, and post-market. And we really haven't even touched post-market yet. We've really been concentrating on the on-market and premarket aspects of things and especially getting UDI right. Because at the end of the day, those udi attributes are needed for a lot of the post-market activities that are on gonna be a regulatory requirement or already a regulatory requirement.  

But then two, from a reporting standpoint,  you're gonna need to maintain those products in the market. And so, there's this continuum of information management that we're gonna be continuing to do and gather, and address, and then, the layering on top of that Rimsys, Intel is absolutely gonna be a game changer because nobody really does RIM like Rimsys, and, you know, we've had the luxury of building this from the ground up specifically dedicated to the medtech industry. And that has so many more advantages than trying to, reposition or retransform an existing system to medtech because it just, it doesn't translate. And so, I'm really excited, for some of those aspects.  

Steve Gens: Yes, indeed. You know, a very exciting, and also just an amazing journey in just seven years. So, and it seems like it's a very bright future, you know, for you. So, so thanks again for your time, you know, some very Rich and insightful discussions, you know, and it's great with our listeners and some of them are many of them are biopharmaceutical, you know, learning a little bit more about the med tech side.  

But in the lens and why I thought this was so important and we kind of touched on it just the growing a portfolio of combination products - It's just really merging our latest data. Had 60 percent of the companies with their product portfolios have combination products. So that's something that's growing. So certainly listeners, if you're on the biopharmaceutical side, you know, maybe you have combo products or a device division, you know, definitely give them a look. Yeah. So as we kind of, you know, close up, some of our listeners might want to get a hold of you. So what's, the best way to contact you? I don't know if it's through the website or LinkedIn or, what would you suggest?  

James Gianoutsos: Yeah, I would say definitely get our website: www.rimsys.io. You can schedule a demo and you can actually just put a Linkedin request to me directly. I love talking shop. I love talking specifically around regulatory complexities and some of the issues that you're experiencing firsthand because at the end of the day, those help continue to expand our system capabilities and serve, the medtech market. You know, one of the things that I'm really proud of with Rimsys is, you know, we already have 40 percent of the top 10 medical device manufacturers globally and we're expanding more. And this is a really exciting time for the industry as well, as well as, for Rimsys as we enter into this new phase of growth.

Steve Gens: Excellent. And, you know, indeed. And I think, you shared, you know, the other day, well name of another very impressive logo thatat you're gonna be starting to work with there. So before I say goodbye to the listeners, you know, we're both fouders and have that in common. But I would be remiss here. Maybe this is more for us listeners that you're based in Pittsburgh, Pennsylvania. I grew up in central Pennsylvania. So it's the black and gold. I know we talk about the Pittsburgh steelers, the, you know, NFL football seasons about ready to kick off. So hopefully the black and gold, the Pittsburgh steelers are gonna do well. I know we another thing that we have in common. Yeah.  

So with that said with our listeners, if there's any questions you have for the Gens team use our contact page off of our website or similarly just reach out, I'm on Linkedin quite a bit and please enjoy our other podcasts. We actually just reorganized our whole podcast web page to have a section for this executive series, our world class RIM research, and then a third as we have different subject matter experts, really talking in detail about some of the key issues that industry works on today. So again, James, thanks a lot for your time and maybe in another six or nine months, we'll have you come back and see where yourself and Rimsys are at.  

James Gianoutsos: Sounds great. Thank you.

‍

‍

Rimsys is excited to announce a new feature to help medtech regulatory affairs professionals gain faster market entry: New Product Introduction (NPI). The Rimsys NPI solution significantly accelerates decision-making and reduces time to market by centralizing decision-making and automating time-consuming, manual processes. NPI also expands Rimsys’ extensive list of regulatory workflows that help medtech regulatory teams manage their products across the regulatory lifecycle.  

New product introductions typically involve one of two important decisions: deciding which market to take a new product or, more commonly, deciding where to take an existing product to market next. Both involve careful planning and collaboration across numerous internal and external stakeholders. Regulatory teams need to assess the amount of time, resources, and costs needed to enter each new market. This process often involves careful examination of the product’s existing registrations. There are also business considerations they need to make including forecasting expected revenue gains for each market.

Traditional approaches to new product introductions are time-consuming and manual. There's no centralized place to manage regulatory information, making it difficult to view the product’s existing registrations, collaborate efficiently, and forecast effectively. Additionally, these processes are often complex, involving numerous spreadsheets and disjointed systems that drastically increase operating costs and slow decision-making – and ultimately time to market.  

The Rimsys NPI solution addresses the common challenges companies face when doing a new product introduction project. By providing complete visibility into all regulatory information in a single platform, companies can streamline their processes and improve efficiency with:  

• Centralized data management – Streamline the request and approval workflows needed to place a product in a specific market in one platform

• Enhanced collaboration - Collaborate with all relevant internal and external stakeholders directly within Rimsys

• Automated workflows - Automatically create registrations directly from the project

• Forecasting and decision support - Forecast expected revenue from NPI projects directly in Rimsys, and realize revenue gains faster

• Easier market entry - Reduce manual data collection efforts. Stay updated on important timelines, delegate tasks, and keep track of progress in a streamlined project

With its new NPI solution, Rimsys is excited to continue its mission of increasing the accessibility of life-changing products by giving medtech RA teams a centralized collaboration hub for NPI projects backed by the automation necessary to more accurately forecast, speed decision-making, and remove market entry barriers.  

Ready to revolutionize your company’s NPI process? Request an NPI demo at rimsys.io/demo.  

‍

Rimsys is excited to announce the beta launch of its community-driven, centralized hub for regulatory intelligence data, Rimsys Intel. Rimsys Intel builds upon Rimsys’ mission of increasing the availability of life-changing medical technologies by giving users free access to regulatory intelligence, including regulatory affiliations, legislation, UDI requirements, risk class information for medical devices and IVDs, in addition to market access requirements for each regulated country.  

As part of our core company value to empower each other, Rimsys believes that regulatory intelligence should be easily accessible and free. I’m thrilled to provide a solution that enables medtech teams to make more informed decisions about market access for their products and execute faster.

To help keep Rimsys Intel up to date amid evolving global regulations, Rimsys is engaging RAPS Regulatory Affairs Certificate (RAC) holders. RAPS, the largest organization of regulatory affairs professionals in the life sciences industry, offers this credential to regulatory affairs professionals who demonstrate proficiency in the scope and application of medical device and pharmaceutical regulations. RAC holders who sign up for and review Rimsys Intel data will have the opportunity to earn recertification credits that count toward maintaining their RAC status.  

As Rimsys participates in RAPS Euro Convergence this week, I’m proud to be among its community of inspiring, helpful, and knowledgeable innovators. Our collaboration with RAC holders is a very exciting and mutually beneficial one. Not only is the medtech community able to leverage regulatory intelligence verified by highly regarded RAC holders, but we’re also giving RAC holders a free way to earn recertification credits and further their professional development.

From solopreneurs to enterprise-level medtech companies, Rimsys Intel is equalizing access to global regulatory intelligence data by making it free for the community. Rimsys Intel is currently open to a limited number of beta users. Those interested in signing up for Rimsys Intel can join the beta waitlist here. Rimsys Intel will become generally available later this year.  

The landscape of medical device regulations continues to undergo significant changes globally. Most recently, there have been some noticeable shifts in how regulators are approaching the cybersecurity of medical devices. Recent updates from leading regulatory bodies, including the U.S. Food and Drug Administration (FDA), the European Union (EU), and the International Medical Device Regulators Forum (IMDRF), signal a united front in the drive to enhance the cybersecurity measures of medical devices.  

The essence of these updates is clear: Cybersecurity is considered a fundamental aspect of medical device safety and efficacy. The FDA's proposed guidance adjustments, the EU's stringent requirements under the MDR and IVDR, and IMDRF's global harmonization efforts are reshaping the regulatory requirements for a broad range of device types. These changes underscore the importance of integrating robust cybersecurity protections from the earliest stages of device design to their operational lifespan.

With the ever-increasing incidents of security perimeter and data breaches, this transition while warranted, presents challenges for manufacturers to elevate their cybersecurity practices, to innovate with security in mind, and to navigate a complex global regulatory landscape. Yet, it also opens up opportunities to lead in the development of safer, more secure medical technologies that earn the trust of patients and healthcare providers alike.

FDA Cybersecurity Guidances

In the evolving landscape of medical device regulation, the FDA has proposed pivotal updates to its cybersecurity guidance, aiming to fortify the resilience of medical devices against cyber threats. This move reflects the growing interconnectedness of medical devices and the escalating sophistication of cyber threats targeting the healthcare sector. The FDA's draft guidance, "Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act," introduces an entirely new section dedicated to enhancing device cybersecurity throughout its lifecycle. This update emphasizes the criticality of integrating cybersecurity measures from the design phase through the entire lifespan of the device, encompassing premarket authorization, 510(k) clearances, De Novo requests, and more.  

One of the significant highlights from the FDA's proposal is the emphasis on ensuring that devices capable of internet connectivity, whether intentionally or unintentionally, maintain stringent cybersecurity safeguards. This perspective stems from an understanding that the ability to connect to the internet inherently poses potential cybersecurity risks. It also expands best practices for cybersecurity within the medical device sector, building on the earlier adoption of a Secure Product Development Framework (SPDF). This framework aims to minimize vulnerabilities in medical devices by incorporating robust processes throughout the product development lifecycle. The guidance also stresses the importance of transparency, urging manufacturers to provide users with comprehensive cybersecurity controls, potential risks, and technical details through labeling. This approach is intended to empower users to manage cybersecurity risks effectively and respond promptly to any identified issues.

In addition to the FDA updates to cybersecurity guidance within medical device regulations, similar positions have been taken by other global regulatory bodies, recognizing the critical importance of cybersecurity in medical devices. As these frameworks get enacted and updated, the industry is seeing a unified drive toward enhancing the cybersecurity of medical devices, reflecting the global nature of both healthcare and cyber threats.

European Union (EU) Cybersecurity Guidelines

The European Union has continued to be proactive in addressing cybersecurity concerns through the Medical Device Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR). The MDR, which came into full application in May 2021, and the IVDR, fully applicable from May 2022,  incorporate specific requirements for ensuring the cybersecurity of medical devices. These regulations require manufacturers to consider cybersecurity at all stages of a device's lifecycle, from initial conception to decommissioning.  

More recently, the EU has introduced updates to the Cyber Resilience Act  and drafted a new EU cybersecurity rule to establish a European cybersecurity certification scheme (“ECCS”). The ECCS  would introduce a detailed certification process, prohibiting self-assessment even for low-risk products. It mandates vulnerability disclosure for certified products, sets rigorous expectations for regulators and certification bodies, including regular product sampling and peer assessments, and requires a proactive approach to vulnerability management. The ECCS also would allow for the mutual recognition of standards internationally and mandate the consolidation of existing national certification schemes. This comprehensive approach highlights the EU's commitment to enhancing cybersecurity across the board.  

IMDRF Cybersecurity Guidelines

The International Medical Device Regulators Forum (IMDRF) has also published guidance aimed at harmonizing cybersecurity practices. The IMDRF's guidelines focus on principles for medical device cybersecurity, which include risk management, post-market surveillance, and information sharing amongst stakeholders. These guidelines serve as a reference point for both regulators and manufacturers, aiming to foster a unified approach to addressing cybersecurity risks.

Impact on Device Manufacturers

Manufacturers must navigate these evolving regulatory landscapes, ensuring their devices comply with each jurisdiction's specific requirements. This means incorporating robust cybersecurity measures from the design phase through the entire product lifecycle. Expectations include the ability to update and patch devices in the field, conduct thorough risk assessments, and maintain transparency about a device's cybersecurity measures.  The impact of these changes means that medtech design and commercialization pipelines will need to incorporate cybersecurity as a core component, rather than an afterthought. Manufacturers should anticipate:

1. Increased Scrutiny: Regulatory submissions will likely require more detailed cybersecurity information, including evidence of risk assessments and mitigation strategies.

2. Lifecycle Management: There will be a need for plans to address cybersecurity throughout a device’s lifecycle, including mechanisms for providing updates and patches.

3. Global Harmonization: While regulations may vary in specifics from one region to another, the overarching principles of ensuring device safety and effectiveness through cybersecurity measures are consistent. Manufacturers looking to enter multiple markets will benefit from developing products that meet high cybersecurity standards capable of satisfying various regulatory requirements.

The Path Forward for Medtech Cybersecurity

As medical devices become increasingly interconnected and reliant on digital technologies, the importance of cybersecurity cannot be overstated. The FDA’s, European Union’s, and IMDRF’s updates are part of a broader global movement towards securing medical devices against cyber threats. Manufacturers must stay informed about these regulatory changes, integrating cybersecurity into every stage of their device’s development and lifecycle in order to properly comply with regulatory requirements.  

Manufacturers and stakeholders should also closely monitor developments in cybersecurity regulations across all jurisdictions where they operate or plan to market their devices. Engaging with regulatory bodies, participating in industry forums, and adopting best practices in cybersecurity will be key strategies for navigating these evolving landscapes successfully and ensuring the trustworthiness and resilience of medical devices in the digital age.

The terms “listed," "cleared,” “approved,” and “granted” all refer to a finding or status from the FDA that authorizes a medical device to be legally placed on the market (for sale) in the United States. As a result, these terms tend to be used interchangeably, but they definitely don’t mean the same thing. Each references a unique pathway to market that is based on the device’s risk class. This article explains the differences between each term and what level of FDA review they require.

Market pathways depend on device classification

A business that is involved in the production and distribution of medical or in vitro diagnostic devices (intended for distribution and use in the United States) is required to register its establishment annually with FDA, using a process called establishment registration. This process requires putting information into an FDA database on their website. This also requires the business to list the devices and the activities performed on those devices, at their establishment. But before you can do this, you need to identify the proper classification of the device(s).

The FDA uses three levels of classifications for medical devices - each carrying a different patient risk value. Once the correct classification is determined, you must then choose the proper registration pathway – Premarket Notification (otherwise known as 510(k)), Pre-Market Approval (PMA), or De Novo process. Before you can legally market your device in the US, it must be FDA Cleared or Approved or in the case of the De Novo process, Granted.

What do the different FDA terms mean?

Regulatory professionals hear the terms Registered, Cleared, Approved, and Granted throughout the medical device industry, and even they are sometimes confused about the differences between them. However, the distinctions are significant, and it’s important to understand those differences and how and when to use them.

• Registered/Listed: A company that has registered with the FDA and has listed their device and the activities performed on those devices at that establishment, into the FDA's registration and listing database. It applies to all class devices, but for most of the Class I devices, it is the only form of registration with FDA. Important to know: the FDA does not issue any type of device registration certificates to medical device facilities.
  
• Cleared/Clearance: Most of the Class II and some Class I devices require a Pre-Market Notification (510(k)) submission. Before you can sell a device to the public, each submitter must receive an order, in the form of a letter, from FDA which finds the device to be substantially equivalent (SE) and states that the device can be sold in the U.S. This order clears the device for commercial distribution.
  
• Approved/Approval: A premarket approval (PMA) is the hardest type of device marketing application required by FDA for class III medical devices. To be legally sold on the market, they must undergo an extensive review and approval process. Following a successful submission of a (PMA) or a Humanitarian Device Exemption (HDE), the device is given Approval by FDA.
  
• Granted: Medical devices using the De Novo process will be Granted approval by FDA before they can be legally marketed in the United States.

Most Class I and some Class II medical devices are exempt from 510k submission requirements.

All other Class II devices require 510(K) clearance as a premarket submission to FDA to demonstrate that the device is safe and effective. Clearance is based on the device being substantially equivalent to an existing, legally marketed device, that does not require premarket approval (PMA). Medical devices in the 510(k) category receive an FDA clearance to bring the device to market.

All Class III devices require a Pre-Market Approval (PMA) - the most stringent type of device marketing application required by FDA. Premarket approval is the required process of scientific review to ensure the safety and effectiveness of Class III devices. Medical devices in this category receive FDA approval to bring the device to market.  

Novel devices that don’t have a predicate on the market are classified as Class III by default. However, companies can use the De Novo process to request that the FDA review the risk and safety information of the device for possible re-classification. When a De Novo request is granted, the device is re-classified as Class II, and the device may be brought to market.

Companies can also submit a Humanitarian Device Exemption (HDE) application for Class III devices. A Humanitarian Use Device (HUD) is a device that is intended to benefit patients by treating or diagnosing a disease or condition that affects fewer than 4,000 individuals in the United States per year. The HDE application is like a PMA application, but it is exempt from the effectiveness requirements of a typical PMA.

A relatively newer term being used now is the Emergency Use Authorization (EUA). This is when the Secretary of Health and Human Services declares that there may be circumstances justifying the authorization of emergency use of medical devices, such as during the COVID-19 pandemic. The FDA may issue an EUA to authorize unapproved medical products (or unapproved uses of approved medical products) so that they can be used in an emergency to diagnose, treat, or prevent serious or life-threatening diseases or conditions when certain criteria are met.

Checking the status of a device with the FDA

The FDA provides several ways to check if devices are approved, cleared, or granted.

To search for FDA-approved or FDA-cleared products by device name or company name:

• Go to the Devices@FDA Database.

To search for FDA-granted products by device name or company name:

• Go to the Device Classification Under Section 513(f)(2)(De Novo) database.

To search for FDA Emergency Use Authorization devices, go to the listing here.

Conclusion

Terminology is only one of the things that can be confusing about the FDA’s processes. Using the wrong terminology can impact your company’s reputation, and possibly have some legal implications, but more importantly, it can mean that you don’t have a clear understanding of how to bring your product to market.  

Making sense of the different FDA processes can be challenging—especially for companies that are bringing devices to the market for the first time. For a detailed walkthrough of the steps, documents, and timeline associated with each path to market, see our Beginners Guide to the 510(k), Beginner’s Guide to the FDA PMA Submission Process, and Beginner’s Guide to the FDA De Novo Process.

‍

This article was last updated March 12, 2024.

What is UDI?

Unique device identifiers (UDI) are now a requirement for medical devices marketed in the US, and are being phased in by the EU and other countries. UDI systems are intended to benefit healthcare providers, manufacturers, authorized health authorities, hospitals and institutions, and individual consumers by providing:

• Faster discovery of possible flawed medical device information by health authorities.
• Quicker access to recall information, and visibility into current inventory.
• A reduction in medical errors through consistently documented product expiration dates.
• Identification of any counterfeit products being used in healthcare facilities.
• Assurances that information regarding an implanted device is safely retained and traceable.

UDI timeframes and deadlines vary by market and product, and have been revised multiple times in some countries. This article details the UDI deadlines for the countries which have announced specific programs, and is current as of the date of this article. Note that these dates can change as participating countries adjust their plans. We will continue to update this as more information becomes available.

‍Quick Links to country-specific sections:

• Australia UDI
• Brazil UDI
• Canada UDI
• China UDI
• European Union UDI
• India UDI
• Japan UDI
• Saudi Arabia UDI
• Singapore UDI
• South Korea UDI
• Taiwan UDI
• US UDI requirements
• UDI databases by country

‍

The Australian Therapeutic Goods Administration (TGA) announced that mandatory compliance will be progressively phased by device classification, starting with high-risk and implantable medical devices, followed by lower risk class devices over subsequent years. Mandatory compliance will likely not go into effect until the Medical Device Regulations is updated in 2024.

Sponsors and manufacturers can choose to voluntarily comply with the UDI requirements from the date the UDI regulations take effect. Mandatory compliance will commence at a minimum of 12 months from the date the regulations take effect. The reporting database for UDI (AusUDID) is also still in the production phase.

‍

On January 10, 2022, RDC 591/2021, the regulation that requires UDI labeling and database registration for devices regulated by the Brazilian Health Regulatory Agency ANVISA, came into effect. The regulation calls for rolling implementation based on risk class and the establishment of a Brazil UDI database. In June 2024, an amendment to the regulation was published in RDC 884/2024. The updated timelines are published for each risk classes II, III, and IV below. The amendment had no impact on the timeline for class I devices.

In the case of reusable devices for which the UDI information is placed directly on the product, an additional two years have been added to the transition periods below. Details of the UDI reporting database, and related compliance dates, are not yet available. Additional information can be found here: ANVISA UDI guidelines

‍

‍

Health Canada has proposed a UDI framework based closely on the international UDI guidance from the IMDRF. The current proposal involves requiring UDI labeling for all devices, with the exception of Class I low-risk devices. Health Canada intends to either develop a UDI database or modify the existing Medical Devices Active License Listing database (MDALL) to accommodate UDI data.

In addition to labeling requirements, China requires that the UDI be recorded in the China National UDI Database as part of the medical device registration. Additional information on China UDI requirements (link in Chinese) from the China State Drug Agency and  Rimsys Ultimate Guide to the China NMPA UDI System.

According to the initial provisions of the European MDR and IVDR regulation, industry use of EUDAMED may not be mandated until all modules are declared fully functional. In the last several months, the MDR/IVDR amendment proposal (23/01/2024) was released to suggest a gradual implementation of individual EUDAMED modules once each has been audited and declared functional. This proposal has been issued with a goal to speed up launch of the modules of EUDAMED as each is finalized to allow for industry implementation and adoption without additional, undue delay. The UDI module of EUDAMED is available for voluntary use currently and, with the provisions of the proposed amendment, could be mandatory use for industry in late-2025 with an expected transition period beginning at the time the UDI module is ready. Additional information on EU UDI system and requirements: EU UDI system and requirements.

At the end of 2021, the Indian Ministry of Health and Family Welfare delayed the implementation of UDI requirements in India and no new deadline has yet been put in place. Originally, Rule 46 of Medical Device Rule 2017 was set to require UDI labeling by January 1, 2022 for medical devices approved for manufacture, sale, distribution, or import in India. Details on how the UDI needs to be displayed and the specific information that needs to be included have not yet been released.

Japan was an early promoter of standardized barcodes, but is still working towards harmonizing their requirements with global UDI expectations.

As of Dec 2022,  according to the type of device, bar code labeling based on the international standards is required for immediate containers/wrappings/retail packages of medical devices. It is expected that barcodes would be displayed on every pharmaceutical and medical device in unit of use for patients. Also, safety measures using bar code labeling at clinical settings shall be promoted, as well as registration of production information in the database by MAHs.

Saudi Arabia has allowed voluntary UDI registration since October 1, 2020, but mandatory compliance for class B, C and D devices went into effect September 1, 2023. These requirements apply to both labeling and database (SaudiDI) registration.

Medical devices imported before the compliance date may be distributed without UDI information until one year after the date of full enforceability. This exception does not apply, however, to the Direct Marking (DM) requirement, which is a permanent marking of the UDI on the device itself. For additional information, refer to the Saudi Arabia guidance document.

Singapore is requiring compliance with UDI labeling or database registration regulations based upon classification and a phased in approach. Singapore will accept UDI labels for devices already marketed in the U.S. and the EU, otherwise the UDI will need to comply with all of Singapore’s HSA guidelines, including partnering with an HSA-designated UDI issuing entity. Singapore is also allowing companies a 6-month grace period for medical devices imported before the November deadlines listed below.

Guidance on Medical Device UDI system (GN-32-R2)

UDI compliance is mandatory and was implemented by Article 20 of Medical Device Act (No. 14330) and Article 54-2 of Enforcement Regulations of Medical Device Act (No. 1512). Note that South Korean regulations refer to “Integrated Medical Device Information System,” or IMDIS, which is their UDI database and “Medical Device Standard Code,” which is the UDI code itself. As part of the introduction of UDI, South Korea has also mandated that manufacturers provide a device monthly supply history report, required 1 year from the UDI compliance dates.

South Korean regulations:  Guidelines for generating UDIs, Medical Device Act No. 14330 and the Regulation on KGMP No 2016-156 (links in Korean).

Taiwan has already implemented UDI regulations, which includes both labeling and database reporting requirements. The UDI reporting database is referred to as Taiwan UDID (TUDID) and has 23 required data elements. If medical materials meet one of the following conditions, however, then they could be exempt from UDI: Customized medical devices, special medical equipment for export and non-implantable medical device components in the medical device package and in vitro diagnostic medical device package for single use only and not used separately and sold. Read more in the Guidance document from Taiwan FDA.

The United States mandates compliance with both labeling and database requirements for all devices. The FDA does not intend to enforce the GUDID submission requirements for Class I and unclassified devices, other than implantable, life-supporting or life-sustaining devices (I/LS/LS), regardless of whether they were consumer health products, before December 8, 2022.

Implantable, life-supporting or life-sustaining devices, including Class I I/LS/LS devices, should also be complying with GUDID submission requirements. The US FDA requires that all UDI information be entered into the US-specific GUDID database. For additional information, see the FDA UDI system and requirements.

Each country has their own UDI database and varying requirements for the data stored in those databases. There is overlap in the data required among the various UDI databases, but each country also has unique data they require.  

In addition, countries require that UDI-DI information be provided by “issuing entities.”  Note that with the exception of China, all countries accept GS1, HIBCC, and ICCBA as issuing entities.

Note: * Data attributes are approximations based on country UDI requirements and include mandatory, optional, mandatory if applicable, and country database auto generated elements.

** Expected to be similar to US GUDID requirements.

Keeping pace with UDI regulations

Keeping track of country-specific UDI requirements, implementation timelines, and affected devices can be a big challenge to RA teams—especially because the information is scattered across many sources and hard to find. In this guide, we have consolidated timeline information and device class requirements across multiple countries. While we make every effort to provide accurate and up to date information, it's always advised to check the government website for the country in question.

Additional UDI resources

Our team discussed country-specific UDI requirements and strategies that regulatory affairs teams can use to better manage UDI data in an in-depth webinar. For additional information on UDI requirements, you can watch the webinar replay here, or review our Ultimate Guide to the EU MDR/IVDR UDI and the Ultimate Guide to the China NMPA UDI System.