This guidance is intended to assist labelers and FDA-accredited issuing agencies in complying with unique device identifier (UDI) labeling requirements. The UDI Rule requires the label and device package of every medical device to bear a UDI, unless an exception or alternative applies (21 CFR 801.20). Additionally, some devices are required to bear a permanent marking providing the UDI on the device itself if the device is intended to be used more than once and intended to be reprocessed before each use (21 CFR 801.45). The UDI Rule also includes special labeling requirements for stand-alone software regulated as a device (21 CFR 801.50).
“Unique device identifier” is defined as “an identifier that adequately identifies a device through its distribution and use by meeting the requirements of [21 CFR 830.20]”. A UDI is composed of a device identifier (DI) and a production identifier (PI).
“Device identifier” is defined as “a mandatory, fixed portion of a UDI that identifies the specific version or model of a device and the labeler of that device” (21 CFR 801.3).
“Production identifier” is defined at 21 CFR 801.3 as “a conditional, variable portion of a UDI that identifies one or more of the following when included on the label of the device:
(i) The lot or batch within which a device was manufactured;
(ii) The serial number of a specific device;
(iii) The expiration date of a specific device;
(iv) The date a specific device was manufactured;
(v) For an HCT/P (Human cells, tissues, or cellular or tissue-based product) regulated as a device, the distinct identification code required by 21 CFR 1271.290(c) of this chapter.”
Stand-Alone Software:
There are different labeling requirements for stand-alone software depending on whether or not it is distributed in packaged form (21 CFR 801.50). For stand-alone software that is not distributed in packaged form, the UDI labeling requirements are met if the UDI is provided through either or both of the following and the version number is conveyed in its PI:
· an easily readable plain-text statement displayed whenever the software is started; or
· an easily readable plain text statement displayed through a menu command (e.g., an “about” command) (21 CFR 801.50(a)).
For stand-alone software that is distributed in packaged form, 21 CFR 801.50(a) does not apply. The stand-alone software must provide its UDI as an easily readable plain-text statement displayed whenever the software is started or through a menu command (21 CFR 801.50(b)). Additionally, the device label and device packages must also bear a UDI in both easily readable plain-text and AIDC (automatic identification and data capture) forms (21 CFR 801.20(a) and 801.40(a)). “Software version” is included in the definition of lot or batch at 21 CFR 801.3
The FDA is releasing this discussion paper to consider cybersecurity issues that are unique to the servicing of medical devices. The concepts presented in this discussion paper are intended to guide discussions among stakeholders about potential challenges and opportunities in cybersecurity and servicing.
The four areas identified in this paper are:
• Privileged access – Designing devices to limit access only to privileged device users (“privileged access”) is a key component of ensuring a secure medical device
• Identification of cybersecurity vulnerabilities and incidents – Detecting and responding to cybersecurity incidents remains a challenge for all critical infrastructure and not just the healthcare and public health sector
• Prevention and mitigation of cybersecurity vulnerabilities – The response to identified cybersecurity vulnerabilities or exploits is often a software update or upgrade to address a virus, malware, or other cybersecurity vulnerability
• Product lifecycle challenges and opportunities – FDA understands that the continued availability of “legacy devices” plays an important role, particularly in rural and underserved communities. In some cases, device manufacturers may be unable to provide updates to reduce an identified security risk after a component manufacturer ends their support.
Vero Biotech Recalls GENOSYL DS; Nitric Oxide Delivery System Due to Software Error
The GENOSYL DS; Nitric Oxide Delivery System is used to deliver a constant flow of GENOSYL (Nitric Oxide), which is a drug to help open blood vessels and improve oxygen levels in critically ill newborns with respiratory failure. The system consists of a cassette, which contains the drug, and a console. The device is used with a ventilator in hospital or healthcare settings.
Vero Biotech (based in Atlanta, Georgia) is recalling its GENOSYL DS; Nitric Oxide Delivery System due to a software issue that leads to errors in the delivery of nitric oxide. Typically, this issue caused delivery of lower-than-expected dosage of nitric oxide during the transition between primary and backup console. If this happens, this could cause serious adverse events such as drops in oxygen level, heart problems, and clinical instability in the newborn.
There have been 11 complaints, three injuries and no deaths reported for this issue.
© 2025 BeanStock Ventures
