Insights & Intelligence for Regulatory Leaders

Your UDI questions answered

Our first “Ask us Anything” webinar last week focused on the topic of Unique Device Identification (UDI). We had so many great questions that we couldn’t answer them all during the session! We have picked the most common questions and put them together here with the answers from our expert panel.

For additional information on this topic, see the following resources:

• Quick reference guide - global medical device UDI requirements and timelines
• BUDI-DI - Basic UDI explained
• The ultimate guide to the EU MDR/IVDR unique device identifier (UDI) system
• Watch a replay of the Ask us Anything about UDI webinar!

Q: I’ve heard that the EUDAMED timeline has been pushed back. Is that true?

Yes, that is true. The European Commission recently pushed back EUDAMED deadlines by one year. It is important to note that this does not affect UDI labeling requirements and timeframes, only the mandatory entry of UDI data attributes into  EUDAMED (now Q2 2026). The industry should not relax their efforts in regards to collecting and submitting UDI data. We make every effort to keep our Quick reference guide: global UDI requirements and timelines up-to-date and deadlines and regulations change.

Q: Are we expecting the FDA to be actively enforcing UDI regulations against class I manufacturers after September 2022?

Following this session, the FDA announced that they do not intend to enforce GUDID submission requirements for class I and unclassified devices, other than implantable, life-supporting, or life-sustaining devices.

Q. What governing body controls the correctness of GUDID data?

While the manufacturer is responsible for the accuracy of data they input into GUDID, the FDA is the agency that oversees the requirements.

Q: I have a UDI for a software device (SaMD) that includes features that will be included in a clinical study and features that will be part of the commercialized release version. Do I need to have separate UDIs or can I add the IDE label under a single UDI for the clinical version and keep the UDI for the market released version?

To fully answer this question, we might need a little more information. However, if the device involved in the clinical study is not released (i.e. marketed), then it would not require a UDI. If additional features are introduced during the clinical trial and a new product is released as a result, then a new UDI would be required.

Q: Can you provide insight into machine-to-machine transmission of UDI information?

Currently, the U.S. UDI database, GUDID, has the capability to accept machine-to-machine data transmission. More information can be found on the FDA website here. Most other major markets are working on providing this capability.

Q: How do I make a UDI implementation plan for the QMS process? What things need to be covered?

This is a broad question and there could be many different answers based on your product, QMS, and company structure.  Generally speaking:

• UDI should be integrated within your Design Controls/Development processes, including the company product release process. You cannot market your device into a country without complying with their UDI requirements.  Some countries require UDI information as part of the device registration process (e.g., EU and China).
• The company needs to establish accounts with the Issuing Agency (e.g., GS1) and with the country UDI databases (e.g., U.S. FDA GUDID)

Main things to consider: 

• Labeling: Barcoding software and a process for creating the labeling 
• Product UDI data attributes: All product related characteristics that are required to be recoded in the country UDI database. The specific characteristics/attributes can be found in the various country UDI guidance documents.

• Define methods for capturing, storing, controlling, transmitting data attributes (e.g., a RIM system, PLM system or both).
• Establish processes for maintaining the data including the country requirements (timeframes) for updates to the UDI data and periodic audits (reference country UDI guidance documents).

Q: How do I know what UDI information needs to be supplied to regulators?

The FDA regulations and data dictionary are mature and include information and required data fields to complete successful transmission of data. Data field details include information on whether data is required or conditional on other data, lists of standardized values, and guidance on the data that is expected for each field. EUDAMED has taken a similar approach, and also includes information that is expected  for BUDI. The EUDAMED data dictionary is still in flux. We expect a similar approach from other countries.

Q: When you are implementing UDI and have a kit or system pack, do you need to have a separate UDI for the device, accessories for that device, and a separate UDI for the kit (which would have those components)? 

Generally, the UDI is assigned at the lowest sellable product level. In the case of kits, procedure packs, or systems - each would be given a unique UDI as well.

Q: Is the GUDID barcode and the UDI barcode on the product label the same?

There is no GUDID barcode, but the information on the UDI barcode is contained within the GUDID database. The barcode or human-readable numbers provide high level information about the device. They act as an access key to all of the device attribute data within the GUDID database. The expected barcode on the product is the full UDI including the device identifier (DI) and the production identifier (PI). The GUDID is the FDAs regulatory database where labelers are required to submit information about the UDI DI.

Imagine that you have started working in a new position at a medtech company, and you’re trying to organize your current knowledge of the products, registrations, and information now under your charge. However, something feels off, and you realize that you cannot find all of your company’s current medical device certificates.    

Lost medical device certificates are a more frequent occurrence in our industry. In fact, it’s my experience with the frustration of recovering lost medical device certificates that finds me writing this brief post about what it’s like to lose a medical device certificate and the strategies I’ve used to recover the lost information. We’ll even discuss what you can do to prevent having to live “The Tales of the Lost Document” in the future. 

How do certificates get lost?

The most common factor in misplaced or lost certificates is human error stemming from lax filing systems with disjointed practices and team member departures. Many large medtech companies have a complex structure of emails and document storage sites (such as Sharepoint or Dropbox). These storage sites are often siloed, with different regulatory teams having varying excel spreadsheets, folder structures, and naming conventions to organize their regulatory submission workload. 

In many companies, managing global medical device certificate information is a manual and burdensome process. The problem could be as simple as a file-naming mixup, or it could be a document your company hasn’t needed the certificate in so long that they simply lost track of it. Now let's talk about ways you can recover your lost certificates or information that’s missing from them.

How can you recover lost certificates?

The good news is that you can recover your lost documents in many cases, though it may take a bit of legwork. There are two primary strategies for finding lost medical device certificate information, and utilizing both is the best way to ensure you recover your lost certificates and information. 

The first and often most successful pathway is to search through your internal resources. 

Strategies for Searching through internal resources:

• Have you found every Sharepoint site used in the past five years?
• Have you checked previously recorded submissions of that medical device?
• Have you contacted IT to see if they can recover emails from a departed colleague? They might have sent emails with the certificate attached to them. Many regulatory professionals email a copy of the certificate to announce to the marketing teams they can begin product sales.  
• Are you working with a distributor? Contact them and request knowledge on all of the current medical device certificates. 

Other channels are available if you can’t find what you’re looking for in your company’s local storage. 

The second strategy is to use governmental medical device registration databases. For example, if you’re registration information for a class 2 medical device, you could look it up in the FDA 510(k) database. Here are some examples of the international regulatory databases that may help in your situation: 

United States - FDA

• 510(k) Database
• Post Market Approvals (PMAs)

Canada - Health Canada

• Active Licenses Search
• Archived Licenses Search

European Union

• EUDAMED Certificate Database

Australia

• Australia Register of Therapeutic Goods

Belgium

• Notification of Devices

Brazil -  ANVISA

• Search for Regulated Products 

Singapore - Health Sciences Authority

• Class B and Above Medical Device Search
• Class A Device Search

Saudi Arabia - SFDA

• Medical Equipment List

If you are looking for a certificate that was approved by a notified body and not in a current database, you can contact the notified body, but you should expect to pay a fee for their services. It’s also important to note that not all countries and regulatory bodies have a database that allows companies to look up their certificates. 

You may also have to accept that you can’t recover your medical device certificate or information. Not every country has a medical device database, and even those with a database often don’t contain the certificate itself. That’s why it’s critical to the efficacy of your RA operations that your team has the tools necessary to store, track, and share regulatory information and documents securely and efficiently. 

How do you make sure this never happens again?

We understand that trying to find missing certificates is an administratively heavy burden. When you can’t find a certificate or its missing information, there’s no way to tell whether it’s lost forever until you’ve exhausted all possibilities and channels, which is why it’s much better to prevent losing documents altogether. 

With the right tools, your RA team can store, locate, and share documents in a secure and largely automated environment. That means no more awkward conversations where you have to tell your boss you can’t find the expiring certificate for your company’s flagship medical device. 

Rimsys is regulatory information management (RIM) software created by RA professionals from the medtech industry with RA professionals in mind. It empowers RA teams to store and track all certificates by product and country and even provides a portal where you can see all of your regulatory documents in a centralized view. Furthermore, you’ll receive emails when a certificate is about to expire, allowing you to act in ample time to prevent lapses in compliance and continue market access per your company’s global device strategy. 

Learn more about how a RIM system can help your organization keep track of all its regulatory information in our “RIM Buyer’s Guide.”

‍

What is a Class III medical device?

There are three classes of medical devices in the United States, all regulated by the Food and Drug Administration (FDA). Class III devices have the highest risk profile and therefore have the most significant regulatory requirements. In the United States, a Class III device is also a device that has no substantial equivalence to an existing Class I or II device. This means that if there is no device with similar intended use and indications for use, or if the device is using novel technology, it will be classified as Class III by default. To find substantially equivalent devices, use the FDA’s product classification database. Because medical device classification in the U.S. also depends on risk level, there are exceptions for novel devices with lower risk profiles (see De Novo classification process).

Examples of Class III medical devices

Class III devices “usually sustain or support life, are implanted, or present potential unreasonable risk of illness or injury.” Only 10% of medical devices marketed in the U.S. fall under this category.

Examples of Class III devices include:

• Pacemakers
• Implanted prosthetics
• Cochlear implants
• Defibrillators
• Software defined as a medical device (Software as a Medical Device or SaMD), which meets the risk profile of a Class III device. This may include diagnostic software that is using imaging to identify conditions that, if misdiagnosed, would pose a risk to the patients health or life.

FDA regulatory approval process for Class III medical devices

Almost all Class III medical devices in the United States require premarket approval (PMA) from the FDA before being marketed. Due to the high risk profile of Class III devices, the PMA process requires significant data to demonstrate the safety and efficacy of the device. Unlike Class II devices which require a 510(k) premarket notification, the PMA process requires a thorough review by the FDA that results in their approval of the product for entry into the U.S. market.

The PMA process is defined in Title 21 Code of Federal Regulations (CFR) Part 814 and a full overview of the process is included in our Beginner’s Guide to the FDA PMA Submission Process. A PMA will almost always require:

• Substantial clinical trial data.
• A fully documented quality system compliant with design controls as defined in 21CFR Part 820.
• Documented conformance to recognized consensus standards.
• Detailed descriptions of the device and all of its components.
• Product samples and/or the ability for the FDA to examine the device on-site.

Note that there are exceptions to PMA requirements, most notably the humanitarian device exemption, designed to encourage investment in devices that would serve a small population. See the FDA’s Acceptance and Filing Reviews for Premarket Approval Applications (PMAs) for more information.

Post-market compliance for Class III medical devices

Medical device manufacturers and distributors must also conform with specific requirements once a product is being sold in the market. These requirements include:

• Mandatory reporting of device issues and adverse events by manufacturers, importers, and device user facilities (such as a hospital) as detailed in the Medical Device Reporting regulation (21 CFR Part 803).
• Tracking systems to support any necessary product recalls as detailed in 21 CFR Part 821.
• Post-approval studies that are required with the approval of a PMA, Humanitarian Device Exemption (HDE), or Product Development Protocol (PDP). Post-approval studies are a condition of approval and are mandatory.

Class III medical devices in other countries

Device classification is different in each country, therefore you should not make any assumptions regarding classification in other countries based on the fact that your device is a Class III device in the United States. Each country with medical device regulations has their own classification scheme that may cause your device to be regulated in a different way. During the initial phase of planning for global commercialization of a product, it is imperative that you consider international regulations, their classification schemes, and the registrations that each country will require.

For additional information on the Class III approval process, read our Beginner’s Guide to the FDA PMA Submission Process.

What is BUDI?

By now, you should be familiar with the terminology surrounding UDI - The Unique Device Identification System. The United States FDA, the European Commission, and other regulatory bodies around the world have developed UDI regulations for medical devices and in vitro diagnostic devices that involve both labeling and database registration requirements. In the EU, UDI regulations were introduced under Regulations (EU) MDR 2017/745 and (EU) IVDR 2017/746. There is UDI, UDI-DI, UDI-PI - so then what is a BUDI-DI?

BUDI is an abbreviation for “Basic UDI” and is commonly pronounced “Buddy.” A BUDI-DI is unique to the EU and allows devices with multiple UDI-DI’s to be grouped together. It is necessary whether you have one device group (sometimes referred to as device ‘family’) or have many different device configurations such as systems, procedure packs, or kits. The general rule is there can only be one BUDI-DI to many UDI-DI’s and never multiple BUDI-DI’s to just one UDI-DI.  The only time a BUDI-DI is not required is for a custom-made device, which generally doesn’t fall into the UDI requirements of the MDR/IVDR anyway.

A BUDI-DI allows manufacturers to connect and identify device groups with the same intended purpose, risk class, essential design, and manufacturing characteristics. It is an identification number that is only used for administrative purposes. It is required in the EUDAMED database and is referenced in relevant documents such as certificates, declarations of conformity, and technical documentation. If the device requires Notified Body review, then the BUDI-DI should also be listed on the CE Certification and the Certificate of Free Sale. 

A BUDI-DI is the key that unlocks the EUDAMED and provides access to all of the product information. 

• It’s the primary identifier of the device group/family
• It’s the main record key in the EUDAMED
• It’s the main product identifier in the regulatory documentation
• It’s independent of packaging and labeling

UDI issuing agencies

The manufacturer is legally responsible for utilizing a human-readable BUDI-DI assigned by an approved UDI issuing agency, such as HIBCC or GS1. The format of the BUDI-DI will vary slightly depending upon which issuing agency you work with. Currently, the only approved issuing agencies in Europe are GS1, HIBBC, ICCBBA, and IFA.

Per the MDCG 2019-1 guideline, each agency must:

• Create a code format that is close to the existing UDI-DI format
• Use no more than 25 total characters
• Assign a check/digit character that was determined by an algorithm

A BUDI-DI cannot be changed. A product UDI-DI created because of a new product variation or changes to the UDI-DI data elements can report into an existing BUDI-DI.

The EU provides an EU UDI Helpdesk to assist with navigating UDI requirements and answering questions device manufacturers may have.

Note that EUDAMED registrations, including BUDI-DI numbers, are currently recommended but not required. Use of the EUDAMED databases will not become required until all six databases are live, which is expected to be in Q2 of 2023, with a 24-month transition period.

Read our Quick reference guide - global medical device UDI requirements and timelines for additional information on general UDI requirements.

‍

Regulatory Information Management (RIM) systems provide a single platform for regulatory teams to manage submission and compliance data, reducing administrative overhead and increasing confidence in a company’s global regulatory data. RIM systems can digitize and automate a broad set of regulatory activities from new product submissions, to registration and standards management, to UDI data management. These capabilities can significantly improve RA efficiency and effectiveness - reducing workload for new releases by over 80% and maintenance time for technical files more than 90%. However, not all organizations can realize results like these immediately. When deciding to implement a RIM system, medical device companies need to consider many factors and ensure that they have the needed systems, processes, and personnel in place.

Technology requirements

RIM systems are fundamentally about data. They first and foremost provide a system to collect (either directly within the system or through integrations) and centralize regulatory information, making it easily accessible across the organization.  This means that in order for a RIM system to be useful, your data needs to be accessible to the system. Medtech companies without the following in place may not be ready for a RIM system:

• Digitized documentation: It is imperative that regulatory documentation, such as technical files and design history files, are in a digital format. If you still have older product documentation on paper in locked file cabinets - it’s time to get them digitized!
• Application infrastructure: RIM systems rely on data that is often stored in other applications, such as eQMS, PLM, or ERP systems. It is rare to implement a RIM system as the first application in a medtech company’s software stack. Medtech companies should have, at a minimum an eQMS system that is compliant with 21 CFR Part 820 and/or ISO 13485 and an ERP system in place before implementing RIM.
• No competing major IT initiatives: A RIM implementation is a major project that should be given dedicated resources and the attention of the management team. Consider the timing of a RIM implementation carefully if there are other majorIT projects, such as an ERP implementation or a major system upgrade.

Corporate priorities

It’s important to understand RIM projects as a true digital transformation. While it is primarily a technology implementation, the end result is a significant change in that way that regulatory affairs teams work. This change is very beneficial, but it’s still disruptive in the short term. Teams without the right leadership support and change management plans may struggle to realize value from their RIM investment.

• Digital transformation strategy: A RIM implementation is an integral part of a larger digital transformation strategy. Medtech companies that are most successful with RIM have a digital transformation initiative in place, and an understanding that they are driving organizational process change in addition to technology adoption.
• Recognized need: RIM implementations are significant projects that require resources and the attention of the management team. RIM projects are most successful when the management team recognizes that the status quo is not sustainable and places a priority on providing resources for the regulatory team.

Timing a RIM implementation

Medical device manufacturers who can benefit the most from a RIM system are those whose regulatory teams are, or will soon be, surpassing their ability to handle submission and product market data manually. For most medtech companies, the best time to start a RIM system implementation is about a year before they expect a significant increase in the demands on the regulatory team. While a RIM implementation rarely takes a year to complete, this will give you time to put in place the data and processes in time for them to be tested and accepted before the regulatory team is overwhelmed with other priorities. Consider:

• Expanding geographic reach: Expanding from one country or region into multiple markets creates significant complexity for regulatory teams. Manually maintained spreadsheets become insufficient for handling the ever-changing regulatory requirements in multiple countries.
• Growing product portfolio: Similarly to entering new markets, new products can exponentially increase the complexity of processes and data that regulatory teams need to manage. 
• Greater product complexity or risk: Regulatory teams managing lower risk products, such as Class I products in the U.S., will not have as great of a need for a RIM system as those managing more complex products with greater regulatory requirements.
• Significant upcoming changes: Pending company acquisitions, changes to legal entities, major design updates, or other changes that would trigger re-registration activities mean significant increase in activity and risk for your regulatory team.

Teams and personnel

A RIM system empowers regulatory teams, allowing them to save time on administrative tasks and spend more time making sure their company’s products are entering markets efficiently and staying in market effectively. This means that a RIM system will be of use to a seasoned (almost always overworked) regulatory team. It is rare to implement a RIM system before an internal regulatory team is in place. If your company doesn’t have the following, then you likely won’t get full use or value out of a RIM implementation:

• Dedicated regulatory personnel: One or more regulatory professionals responsible for obtaining and maintaining market clearance for your products, and interacting with government health authorities. 
• Committed management team: A management and executive team that recognizes the importance of a strong regulatory system, and is willing to commit the resources necessary to make it successful.

Think your team is ready for RIM? Not sure? Download our RIM readiness checklist or talk to us today!

What is ISO 14971?

ISO 14971 is the globally accepted international risk management standard for medical devices. This article discusses the most current version of this standard, ISO 14971:2019, currently considered the state-of-the-art standard. 

ISO 14971:2019, provides the processes for identifying, evaluating, and mitigating hazards associated with the use of medical devices. While not mandatory, it is the most commonly used, industry-recognized standard to demonstrate conformity to when addressing product safety requirements. This article provides an overview of the standard, but should not be used as a substitute for the actual text of the standard. 

As in the case of a quality management system, a risk management system addresses the full lifecycle of a medical device; including the design, manufacture, and use of the device. Also, while ISO 14971:2019 does not, itself, require the implementation of a quality management system, risk management is most often an important part of a strong quality management system.

Compliance with ISO 14971:2019 requires that a risk management system be established and maintained throughout the product lifecycle, and that all processes and results are stored in a risk management file. The risk management system will include processes for risk analysis, evaluation, and control. It is important to note that the standard does not define acceptable levels of risk for medical devices - this is left to the manufacturer to determine as part of their risk management processes. However, the guidance document, ISO TR 24971:2020, provides significant clarity and direction in interpreting the standard and developing a risk management system consistent with ISO 14971:2019.

EN ISO 14971:2019: EU harmonized standard 

In the European Union, as of May 11, 2022, the specific version of the standard which has been  officially recognized as a harmonized standard with current Medical Devices Regulation (MDR) ((EU) 2017/745 ) and In vitro Diagnostic Medical Devices Regulation (IVDR) ((EU) 2017/746), is EN ISO 14971:2019 and the amendment EN ISO 14971:2019+A11:2021. The amended  version includes two Annexes, Annex ZA and ZB, which demonstrate the relationship between the standard and the risk management process required in the MDR and IVDR. The technical content of the two versions are identical and does not included any content deviations, unlike EN ISO 14971:2012, the version of the standard which is harmonized with the previous EU MDD and IVDD regulations.

Risk analysis

Under ISO 14971:2019 a manufacturer is required to document risk analysis activities and the results of those activities in a risk management file. These should include:

• Intended use and “reasonably foreseeable” misuse, along with all device characteristics which impact the safety of the device.
• Hazards (a potential source of harm*), both known and foreseeable.
• Estimation of risk for each hazard, based on the probability of occurrence of the hazard and possible consequences.

*Note:  ISO 14971:2019 revises the definition of harm by excluding the word “physical” injury from the ISO 14971:2007 definition. The resulting ISO 14971:2019 definition of harm is “Injury or damage to the health of people, or damage to property or the environment” 

Risk evaluation 

Risk evaluation involves the determination of whether a risk reduction is required for a particular hazard. Manufacturers should weigh the combination of the probability that a hazard occurs with the severity level of the hazard. A risk evaluation matrix, such as the following example, is often used to to visualize risk acceptability.

It is important to note that ISO 14971:2019 and TR 24971:2020 added significant emphasis and clarity regarding the evaluation of risk and establishment of risk acceptability criteria. Under the previous versions of the standard (both ISO 14971:2007 and EN ISO 14971:2012), there was confusion and a lack of guidance around defining acceptable risk. It was common to use a two-dimensional matrix showing severity of harm along one axis and probability of harm along the other, but with little guidance there were multiple interpretations of how to establish these criteria and these matrices were often used to define policy. The latest version of the standard and guidance, however, emphasize that the matrix should be the output of the risk management policy, which would define the criteria for risk evaluation.

Risk control 

When a hazard is found to have an unacceptable risk level, risk control activities are put in place to mitigate the risk. ISO 14971:2019 requires that “state-of-the-art” best practices that are used for similar devices be employed. State-of-the-art does not necessarily mean the most advanced processes and technical features, but rather those that are generally accepted in the industry. Risk control options should include, in order of importance:

• Inherent safety by design and manufacture
• Protective measures built into the device or into the manufacturing process
• Provided safety information, and where appropriate, training to users

Risk/benefit analysis should be performed and where benefit is determined to outweigh risk, the manufacturer will need to decide what safety information is necessary to disclose.

Relevant standards should be applied as part of the risk control process whenever applicable. Some of the standards which reference ISO 14971:2019 include ISO 13485 (quality management systems), IEC 60601-1 (electrical safety), IEC/EN 62366 (usability of medical devices), and IEC 62304 (medical device software). This makes ISO 14971:2019 essential for manufacturers seeking market approval for a medical device in the U.S., European Union, Japan, Australia and many other major markets.

Production and post-production information

A substantial change in ISO 14971:2019 standard is the expansion of requirements for production and post-production activities. The manufacturer will need to perform a full review of the risk management process prior to commercial distribution. The review should ensure that the risk management plan has been appropriately implemented, the overall risk is acceptable, and that procedures are in place to gather and maintain risk data during production and post-production of the medical device. ISO 14971:2019 aligns closely with the ISO 13485:2016 section 8 requirements for feedback, analysis of data and CAPA. Information collected and reported should include any newly identified hazards, changes that affect risk analysis calculations, and results of regular reviews of the risk management file. 

Management responsibilities

Medical device manufacturers who wish to demonstrate compliance with ISO 14971:2019 must have a management team that is dedicated to and supportive of the risk management system. This includes ensuring that adequate resources are assigned to support the system and that the personnel assigned are qualified for their respective responsibilities. In addition to enabling the implementation and maintenance of the risk management system, management is responsible for reviewing the system periodically to ensure continued effectiveness.

For more information about technical documentation/compliance for medical devices, check out our comprehensive ebook, The ultimate guide to EU MDR and IVDR general safety and performance requirements (GSPR).

‍