US: (888) 231-0816


An Open Letter to Medical Device Regulators

People-on-a-iPad-V3

The implementation and systemic use of a Unique Device Identification (UDI) System has the potential to radically improve the safety and effectiveness (including cost-effectiveness) of medical devices.

We only have to look at what the ubiquitous use of National Drug Code (NDC) numbers in the U.S. has achieved for prescription drugs.


Click here to download the PDF


Currently, significant challenges exist in identifying specific devices in adverse event reports or in a patient’s health records (EHRs), aggregating Post-Market Surveillance (adverse event) reports/data, conducting specific and effective recalls (including knowing whether a patient used or is implanted with a specific device), and having visibility into both global and national supply chains. UDI is intended to provide the necessary foundation and visibility to help resolve these issues; the opportunities beyond that are limitless.

To start to resolve these issues, after nearly 10 years of development, the US Food and Drug Administration (US FDA) published a UDI System Regulation in September 2013. At around the same time, the Global Harmonization Task Force (GHTF) and then the International Medical Device Regulators Forum (IMDRF) convened working groups that ultimately published guidance to assist regulators in achieving a “globally-harmonized” UDI System. FDA’s regulation is “harmonized” with these documents.

The new European device regulations – the Medical Device Regulation (MDR) and the In-Vitro Diagnostic Regulation (IVDR) – leveraged the IMDRF guidance for similar (though not the same) UDI requirements. At the same time, many other regulators are developing and implementing their own UDI System requirements. However, the whole notion of a globally-harmonized UDI System only works if we are actively working together toward a common understanding and convergence on requirements and implementation.

I have been working on UDI implementation for nearly 20 years. The first decade was spent at the US FDA developing what is now FDA’s UDI regulation, as well as the initial GHTF and IMDRF UDI guidance documents. Since the end of 2013, I’ve helped all types and sizes of device manufacturers to implement UDI globally, and have also worked with healthcare organizations (hospitals) and other regulators. I have learned a lot during this time, much of it I wish I knew when we started our UDI journey in about 2002.

For regulators looking to implement (or improve) a UDI System, I offer these thoughts on moving forward and the significant (and complex) issues that still need to be resolved.

The Four Corners

At FDA, our goal was to create a broad, high-level set of UDI regulatory requirements (and exemptions), a regulatory “box” within which there was flexibility to address the myriad of different devices and identification needs (what I call the “Four Corners” of the UDI regulation). We expected that, as long as we could stay within the four corners, this would allow for device-specific UDI applications to develop, evolve, and improve over time. Those working in the medical device regulatory space recognize both the very broad diversity of device types and the non-homogeneity of the device industry (and I would argue that the device industry is even more diverse than most regulators realize and is constantly changing [due to many factors, including the near constant mergers and acquisitions (M&A)]). Because of this, it was not seen as practical to define (and maintain) the specific UDI requirements for different device types.

Instead, UDI regulations (including the US FDA’s) establish these additional UDI requirements (e.g., put a UDI on the label of the device) on top of existing regulatory constructs. The expectation is that, as in other industries (e.g., pharma, retail, grocery), medical device manufacturers, working together and with stakeholders (including regulators), and through the Issuing Agencies (i.e., GS1, HIBCC), would develop and converge on the best UDI path forward for different device types and that this would evolve over time as new devices, changes in use/users, and new ideas (e.g., new Automatic Identification and Data Capture (AIDC) technologies) came into play. We also expected that FDA would guide (and codify) this work through a series of guidance documents. This has not happened and is not working. Instead, every manufacturer has created their own interpretation and application varies significantly.

Regulatory Constructs

As I stated above, UDI requirements and regulations are built upon existing regulatory concepts. The expectation was (and is) that these concepts as they relate to UDI are universally understood and applied by manufacturers/labelers (the entity responsible for UDI), on the label (the default location for the UDI), and to the medical device (the products needing a UDI). However, this is simply not true. Widely different interpretations and applications of these concepts exist in different companies, and sometimes even within the same company. Moreover, we lack many definitions and concepts needed for UDI implementation (for example, what is something if it is not a medical device or an accessory to a device and yet is part of a device; what does it mean to service or repair a device; what do we call a group of different devices that is not a “kit”?.

Probably the most basic concept associated with UDI implementation is that of a medical device’s label, which is the default location for all UDIs. When I was at FDA, the device’s label was sacrosanct. Many regulations and case laws are built on the concept of a label. FDA built the *entire* UDI System regulation on the concept of the label, which turns out to be a poorly understood and broadly interpreted regulatory concept. Granted, US FDA’s definition of label is vague, primarily focused on drugs, and is therefore not particularly helpful for devices (label means “…a display of written, printed, or graphic matter upon the immediate container of any article…”). Nonetheless, where and what the label is should be well understood by any device manufacturer’s regulatory affairs group because it is where other regulatory information, which must be on the label, is located. But we see very divergent interpretations of the concept of a label and therefore the location (and utility) of a device’s UDI.

At the same time, the European Union (EU) definition is also so broad that it’s not particularly useful for UDI application either (“Written, printed or graphic information appearing either on the device itself, or on the packaging of each unit or on the packaging of multiple devices …”). This becomes especially important – and more difficult – when we try to understand and compare the label requirements to what we generally call the (additional) Direct Mark (DM) requirement. Some erroneously interpret DM to mean any time a piece of information (e.g., a UDI) is placed “directly” on a device itself. This is not true nor is it the intent of the requirement. The preambles to the proposed and final US UDI regulations certainly makes clear the distinction between the label and DM UDI requirements. As we roll into EU implementation, there continues to be a great amount of confusion around these concepts.

The other critical foundational element is related to what is – and what is not – a medical device and therefore subject to UDI. Given the highly regulated space in which we work, you would think that this is relatively straightforward, and in some cases, it is: a single surgical instrument or a sterile catheter in a package. We can see the device, its label, and where the UDI belongs. But more often, the “device” is in fact a collection of many different “pieces.” During the premarket review phase, the distinction between these pieces is not important – and therefore not described or articulated; it is all just part of the device. For an ICU ventilator, it is clear that the box that is (primarily) providing ventilatory control and support is a device (subject to UDI), but what about the battery used for back-up protection? The power cord or charging cable? A new or replacement monitor? An auxiliary component (e.g., a humidifier)? A replacement wheel? What about the “system” when it is originally distributed with all sorts of manuals, starter kits, and other supporting materials?

Again, we have a US definition1 of medical device that is VERY broad:

“An instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component2, part, or accessory

A plain language reading of the definition would seem to include anything even remotely associated with the device “…or other similar or related article, including a component, part…” However, again, we see many interpretations and invented terms and concepts (e.g., “non-device” accessory), which are attempting to remove a “part” from the need to be UDI compliant. Absent clear direction, we have very divergent approaches to which pieces of “systems”3 or “configurable devices” are subject to UDI.

And finally, the regulatory concept of who is responsible for UDI. In the US, the term manufacturer is used very broadly and differently in different regulations (and guidances). As such, we felt that it was too difficult to use this term for UDI responsibility and instead borrowed (from the pharmaceutical side of FDA) the concept and term “labeler.” This created a firestorm of controversy4 that frankly, I have never understood. There is a tremendous amount of private labeling that goes on in the device space just as there is in other industries. However, in almost all instances, a specific company is (primarily) promoting and labeling the device as being theirs; therefore, they are the labeler (and their UDI is used).

In the EU, we have more specific view of manufacturer (“legal” manufacturer is not a term and is in fact redundant). They are the company legally responsible for the device and it is their name and address next to the manufacturer (manufacturing plant) symbol on the label. And though we are seeing a paradigm shift in the EU around the concept of own-brand/private labeling, I do not think this should fundamentally change how we approach UDI assignment. The distinction between who is legally responsible for the design and manufacturing of the device and the company who is branding and distributing the device is important and should be clear.

Specific Implementation Issues

Beyond the issues described above, there are many unresolved challenges with UDI implementation. A few are highlighted include:

  1. Convenience Kits/Procedure packs – When does a group of devices meet the definition of a convenience kit/procedure pack, which devices within it also need to be UDI compliant, and what do we call (and how do we manage) a group (“kit”) of devices that does not meet the definition?
  2. Non-homogeneous packing configurations – We did not even consider these in the development of the US rule or the Global UDI Database (GUDID), but there are many and they cannot be modeled or efficiently entered in GUDID or the European Database on Medical Devices (EUDAMED).
  3. UDI application to an individual device that does not have a label or package (which is not single use) and is not subject to DMing.
  4. Human Readable Interpretation (HRI) – The clearly articulated intent is that the human-readable/plain text version of the UDI (the exact information encoded in the associated AIDC) are clearly placed on the label in case the AIDC does not work, or the user does not have a way to access the AIDC (e.g., scan). However, we see manufacturers inventing all sorts of interpretations.
  5. New Device Identifiers (UDI-DIs) – When is a device different enough that it needs a new UDI-DI? When is it not? How should we best communicate this change?
  6. UDI application to (the device constituent parts of) combination products – Drugs and devices continue to be regulated very differently and the “overlap” that occurs with these products needs to be better understood and the application for UDI articulated.
  7. AIDC Technology – Though the concept of technology neutrality is fundamentally good, it has created overwhelming ambiguity over which AIDC to use (and when and how we can migrate from 1D to 2D barcode technologies).
  8. Global Nomenclature – The whole point of regulators working together on the Global Medical Device Nomenclature (GMDN) was (is) to allow regulators to have a single, harmonized way to describe/name a device and to be able to efficiently share post-market surveillance (PMS) information. We need to revisit this principle.
  9. Software – As we move to apply the regulatory concepts (e.g., a label) of physical devices to virtual devices, we need a better way to understand and apply the UDI requirements (especially given the frequency and ease with which software changes).
  10. Capital Equipment – One of the hallmarks of medical devices is that many of them have very long lives and can be in use for 20+ years. However, that device changes significantly over time. How do we manage the UDI for a device that does not move but significantly changes?

UDI Databases and New DI Triggers

During the development of the initial GHTF and then IMDRF guidance documents, the working groups had spirited debates about the notion of a single, universal, global UDI Database. However, the reality of the differences between countries’ regulations, languages, definition of medical devices, and UDI use cases made it impossible to envision. Instead, these guidance documents (and others that were subsequently published) lay out what we hoped would be a common path forward for these databases, such that the same data could be submitted using the same technology and standards, to these national and regional databases.

However, as we all know, this isn’t working. We have divergent database attributes, different definitions for the same attribute, and very different submission methodologies and standards. This is creating an enormous (insurmountable?) challenge for global device manufacturers. And though significant challenges exist when initially populating these databases, the overwhelming problem is what we have come to call the new DI triggers.

New DI triggers are those attributes that, when they change, they require a new DI to be assigned. The notion of new DI triggers needs to be abandoned. Maybe we can revisit them in a decade or so when we are all much further along in this journey. But today, the whole idea simply creates chaos. When we started, it seemed simple enough; there are times when we can all agree that a change to a device is different enough and needs to be assigned a new UDI-DI (e.g., a sterile device is now distributed non-sterile). Those two devices are clearly not interchangeable.

However, we are all currently struggling to even understand the data attributes needed for the growing and evolving national and regional UDI databases. We must strive to achieve the correct information (“data quality”) about a device and to know when and why a device has changed. At FDA, we didn’t think a manufacturer would ever need to change any of its data and vacillated over whether GUDID even needed such a capability (maybe, we thought, a rogue employee or criminal intent). Clearly many manufacturers had to change/update a lot of data, so much so that FDA had to introduce the “unlock” feature. We are not ready for new DI triggers.

The Fallacy of Issuing Agencies

In early meetings we had at FDA on what eventually became UDI and the US UDI regulation, the device manufacturers we spoke to insisted that two things had to happen for them to get behind this:

  1. Make it global – Manufacturers wanted to create single, globally labeled devices with a global identifier. They were concerned that devices would end up looking like many drug products that have country-specific labeling and identifiers.
  2. Leverage existing identification standards – A number of particularly large device manufacturers were already using Health Industry Business Communications Council (HIBCC) or GS1 standards (or sometimes both). They (erroneously) thought that they would not have to change their labels if FDA (and other regulators) leverage these standards and systems.

So, to promote a globally harmonized approach to UDI and to keep FDA out of the numbering business5, we decided to pursue the use of what the US FDA UDI regulation calls Accredited UDI Issuing Agencies (in the EU, designated issuing entities)6. In the US, there are three Issuing Agencies (IAs) – GS1, HIBCC, and ICCBBA7 (in the EU, there is a fourth, the IFA8, focused primarily on the drug identification). All of these provide a system for the assignment and marking of UDIs.

Beyond the two purposes mentioned above, we also believed that the IAs would provide a forum for convergence on device identification issues (which has not happened through any fault of their own). But there are no Issuing Agencies (plural), there is GS1. HIBCC has all but vanished and ICCBBA has a very limited interest in medical devices. GS1 is also the only IA in some countries (e.g., China). I don’t think this is good or bad, we just need to be honest with ourselves (even though we go through pains to pretend that there are multiple IAs.

However, where things get tricky is not in the assignment and management of numbers (for example, the assignment of GS1 Global Company Prefixes [GCPs] to develop Global Trade Item Numbers [GTINs] to serve as UDI-DIs), but in the rules that GS1 also has (that is, the GS1 General Specification). Device manufacturers have to meet both the various regulatory requirements (US FDA, EU MDR/IVDR, SFDA, others) and a set of (primarily) supply chain related rules that change over time. And what does a manufacturer do when there is a conflict between regulatory requirements and the General Specification? Can the General Specification interpret or override the regulatory requirements? There is a significant, fundamental conflict between these that must be resolved.

Final Thoughts and Words of Wisdom

Though I have only touched on a handful of “infrastructure” issues that need attention, we must also be prepared to address myriad implementation issues, such as the effective use of UDIs in recalls, adverse event reporting, PMS more broadly, global supply chains, and electronic records (e.g., reimbursement, EHRs). These activities are also necessary for the broader goals of UDI to be realized. Having said that, unless and until the global regulatory community, its medical device manufacturers, and other interested stakeholders (clinicians, patients, payors, IAs) agree on how UDI should work, we will continue to diverge and the goal (aspiration? dream?) of a globally harmonized approach to UDI will fail. By default, we will need to produce regional or local labels and associated identifiers to meet those specific local needs. The negative ramifications of this are self-evident.


1 I would also suggest that the EU definition is as broad and vague: “… any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings…”

2 In some documents there is a comma between component and part and sometimes not.

3 The US does not have regulatory definitions of system or configurable device.

4 Oddly, there does not seem to be any confusion with the use of this term in the US pharma space.

5 We had worked closely with the Center for Drug Evaluation and Research (CDER) during the development of UDI and saw firsthand how challenging the National Drug Code (NDC) system is to maintain.

6 It is only through the hard work and diligence of our Office of the General Counsel (OGC) attorney Vince Amatrudo that we prevailed. The government does not normally like to assign its responsibilities to others.

7 International Council for Commonality in Blood Banking Automation

8 Informationsstelle für Arzneispezialitäten

Comments

There are no comments for this post, be the first one to start the conversation!

Resources that might interest you