18
Feb
2025

“How-To” Guide for GUDID

, ,
0
GUDID FDA guidance

Read on for some helpful questions to ask (essentially a “How-To” Guide for GUDID) when following GUDID, based on the recent FDA guidance document, “Global Unique Device Identification Database (GUDID).”

 

“How-To” Guide for GUDID

  1. What does the UDI rule require labelers to do?
    1. Include a unique device identifier (UDI) on device labels and packages
      1. If a device is intended for more than one use and intended to be reprocessed before each use, the device labeler must also mark the UDI directly on the device.
    2. And, submit device information to the Global Unique Device Identification Database (GUDID).
  2. Are you a labeler?
    1. YES, you are a labeler if: 1) you cause a label to be applied to a device with the intent to commercially distribute the device without any further replacement or modification of the label, or 2) you replace or modify the label of a device with the intent to commercially distribute the device without any further replacement or modification of the label
    2. NO, you are not a labeler if: you simply add the name and contact information for a person who distributes the device, without making any other changes to the label
  3. Does my product require a unique device identifier (UDI) or do we fall under an exception?
    1. Exceptions (the device does not require a UDI):
      1. 21 CFR 801.30 exceptions include things like: a Class I device that has been exempted from GMP requirements (other than recordkeeping requirements), individual single-use devices stored in a single device package which are not intended for individual commercial distribution (though the device package containing these individual devices does need a UDI), a device used solely for research activities and not intended for any clinical use, a custom device, an investigational device, veterinary medical device, a device intended for export from the US, etc.
      2. 21 CFR 801.45 exceptions for devices where: direct marking would interfere with the safety or effectiveness of the device, marking the device directly is not technologically feasible, etc. The manufacturer must document the basis of the exception decision in the design history file.
      3. 21 CFR 801.128 exception: a device held and exempted by the Strategic National Stockpile
      4. 21 CFR 801.55 provides instructions to request an exception from or alternative to a UDI requirement
    2. Every other medical device AND every device package = requires a UDI
      1. Examples: combo products with a device constituent part, convenience kits, in vitro diagnostic products, HCT/Ps regulated as devices, standalone software, etc.
      2. *UDI special case: a UPC may serve as the UDI for Class I devices if a UPC is present on the device label and device packages.
  4. What are the parts of a UDI? Device Identifier (DI) and Production Identifiers (PI)
    1. DI – a mandatory, fixed portion of a UDI that identifies the labeler and the specific version or model of a device. The DI is the primary key used to look up information about the device in the GUDID.
    2. PI – a conditional, variable portion of a UDI that identifies one or more of the following when included on the label of a device, unless excepted:
      1. The lot or batch number within which a device was manufactured;
      2. the serial number of a specific device;
      3. the expiration of a specific device;
      4. the date a specific device was manufactured;
      5. and, for HCT/P devices only, the distinct identification code required by 21 CFR 1271.290(c)
        *Note: the UDI of Class I devices do not have to include a PI
  5. What is the standard format for a UDI?
    1. UDIs are created and maintained by device labelers based on global device identification standards managed by FDA-accredited issuing agencies (GSI, HIBCC, and ICCBBA).
    2. See the document “UDI Formats by FDA Accredited Issuing Agency” for the standard formats for each issuing agency
  6. When do I submit to the Global Unique Device Identification Database (GUDID)?
    1. Preferred: prior to introducing the device into commercial distribution
    2. Deadline: no later than 15 calendar days from the initial date that version or model is introduced into commercial distribution
  7. Where do I submit to GUDID?
    1. GUDID Web Interface – requires manual entry; intended for low volume submitters
    2. FDA Electronic Submissions Gateway – Health Level 7 Structured Product Labeling submission with xml files; intended for high volume submitters
  8. What information should I have ready before requesting a GUDID Account?
    1. Labeler organization name, address, and DUNS number (as it appears in the D&B DUNS database)
    2. Regulatory Contact info (name, email, phone, physical address); they will serve as the point of contact to FDA to ensure the organization meets GUDID submission requirements
    3. Labeler DUNS numbers (can be the same as the Organization DUNS number)
    4. Coordinator info (name, email, phone); they will manage the GUDID account and be responsible for each Labeler DUN(S)
    5. Labeler Data Entry (LDE) user; they will be responsible for data entry, submission, and management of device identification information for their designated Labeler DUNS into the GUDID
    6. Third-party DUNS numbers, if applicable (a labeler may choose to designate a third-party submitter for GUDID submissions)
  9. Are GUDID Submissions required to be compliant with 21 CFR Part 11?
    1. All submitters must retain records in accordance with 21 CFR 830.360 (UDI recordkeeping requirements). If those records are kept electronically, part 11 applies. However, a record developed to collect all the data elements required to be entered into a device record via the GUDID web user interface is not subject to part 11 requirements.

 

UDI and Software

A few notes about software, based on the FDA guidance document “Unique Device Identifier System: Frequently Asked Questions, Vol. 1” (2014):

  • Stand-alone medical software, whether packaged or unpackaged, is required to be labeled with a UDI that is displayed through either or both of the following:
    (1) an easily readable plain-text statement displayed whenever the software is started;
    (2) An easily readable plain-text statement displayed through a menu command (e.g., an “About…” menu command).
  • Stand-alone software that is distributed in both packaged and not packaged form may be identified with the same DI.
  • Stand-alone software that is not distributed in packaged form must convey the version number in its production identifier.
  • Under 21 CFR § 830.50(a), a software update will require a new DI only if the upgrade results in a new version or model.
  • There are attributes within the GUDID device record that cannot be changed. When these particular attributes change value, FDA has determined that these changed attributes represent a new device requiring a new DI, and the new device record will be required to represent the new version/model.

 

Further Reading

See our previous posts about UDI/GUDID here: FDA Unique Device Identifier Webpage Status UpdateFDA UDI Class I and Unclassified Policy GuidanceFDA Accredits UDI AgenciesFDA Unique Device Identifier SW Requirements

About the author

Amy enjoys researching and writing about developments in medical technology and how that intersects with US law. She received her J.D. from the University of Florida Levin College of Law in 2020 and now works as a Regulatory Associate for SoftwareCPR®, a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  June 24-26, 2025 (Boston, MA)

Multiple participants from the same company: If you register 5 or more from the same company before March 15, 2025, receive a special discounted registration of $1999 per person.  These registrations may be transferred to another person at any time. Email training@softwarecpr.com to register and secure the TEAM discount.

 

For private, in-house courses, please contact us.

Email training@softwarecpr.com for more info.

 

 

Being Agile & Yet Compliant (Public)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for registration!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

3 days virtual (Zoom) with group exercises, quizzes, examples, Q&A.

Lead Instructor: Mike Russell

Next public offerings:

  • Americas: 11-13 February 2025
  • EU/Eastern Europe/Middle East/Africa/Atlantic/eastern South America: 18-20 February 2025
  • Southern Central Northeastern Pacific: 24-26 February 2025
See our post titled: 1st Quarter 2025 Agile Compliant Courses Scheduled

 

Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
office@softwarecpr.com
Partners located in the US (CA, FL, MA, MN, TX) and Canada.