FDA Pushes GUDID Compliance Back for Some Devices Due to Security Flaw

After discovering a security flaw in the Global Unique Device Identification Database (GUDID), the US Food and Drug Administration (FDA) is giving device makers an additional month to comply with new labeling and data submission requirements.

Background

In 2013, a new set of regulations required companies to comply with new labeling and data submission requirements, with staggered compliance dates based on device classification.

Specifically, companies distributing devices within the US would need to include a UDI on each device, combining static and dynamic identifiers. According to FDA, these identifiers "will help reduce medical errors, and will allow FDA, the healthcare community, and industry to more rapidly review and assess adverse event reports, identify problems relating to a particular device, and thereby allow for more rapid and effective corrective actions that focus sharply on the specific devices that are of concern."

Extension and Enforcement Discretion

Many high-risk, or class III, devices were required to comply with UDI and GUDID requirements by 24 September 2014. However, certain products, including some orthopedic implants and intraocular lenses, were given additional time to comply.

FDA gave non-class III devices that are "implantable, life sustaining and life supporting," until 24 September 2015 to comply with UDI and GUDID requirements.

However, after discovering a security flaw in the GUDID on 7 August 2015, FDA has said it has "decided to take the system offline until a patch is implemented" and will exercise its enforcement discretion to extend the compliance date to 24 October 2015, giving affected labelers an additional month to comply.

FDA