UDI Requirements for Medical Devices: What Manufacturers Must Know in 2026

Medical device manufacturers must maintain a Unique Device Identification (UDI) system under 21 CFR Parts 801 and 830. This guide covers the DI/PI structure, GUDID submission requirements, FDA-accredited issuing agencies, direct marking for reusable devices, and how UDI compliance integrates with ISO 13485 and the FDA QMSR — including the audit findings that catch teams off guard.

What UDI requirements for medical devices mean and how to build a compliant Unique Device Identification system under FDA QMSR and ISO 13485

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


Your UDI System Has More Moving Parts Than You Think

Most medical device manufacturers know they need a UDI on their label. What most don’t account for until an audit is how many systems, procedures, and records that single barcode touches.

Your UDI isn’t just a labeling requirement. It links to your Device History Record, your GUDID submission, your CAPA system, your design change controls, and your post-market surveillance process. Miss any of those connections, and you have a UDI that looks right on the label but falls apart the moment an FDA investigator starts pulling threads.

That’s the compliance gap this article closes.

The FDA’s Unique Device Identification system, mandated under 21 CFR Part 801 and Part 830, requires medical device manufacturers to assign a standardized identifier to every device, submit key data to the Global Unique Device Identification Database (GUDID), and maintain records that connect that identifier throughout the product lifecycle. As of February 2, 2026, UDI compliance is also explicitly woven into the FDA Quality Management System Regulation (QMSR) framework under 21 CFR Part 820 — meaning your QMS and your UDI system are no longer separate compliance tracks.

I’ve walked through FDA QMSR inspections where the UDI records looked clean on paper but couldn’t be tied back to the Device History Record for a specific lot. The inspector didn’t raise a UDI finding — she raised a recordkeeping finding under QMSR. That’s how connected these systems have become. If your UDI implementation lives in a spreadsheet outside your QMS, you have an audit finding waiting to happen.

If you are building or auditing your ISO 13485 QMS and aren’t sure whether your traceability documentation covers UDI requirements, run a clause-by-clause gap check before your next audit.

👉 Download the ISO 13485 Gap Assessment Checklist — free tool for medical device QMS teams assessing compliance before a certification or surveillance audit


In This Guide

  • What UDI is and why the FDA created it
  • The two components of every UDI: Device Identifier and Production Identifier
  • Who counts as the “labeler” and what that means for your responsibilities
  • GUDID: what to submit, when, and how to stay current
  • FDA-accredited issuing agencies: GS1, HIBCC, and ICCBBA compared
  • Direct marking requirements for reusable devices
  • UDI exemptions and exceptions — what’s actually covered
  • How UDI integrates with ISO 13485, QMSR, and your QMS
  • Common UDI audit findings and how to avoid them
  • UDI for SaMD and combination products

Table of Contents


👉 Start Here: Top Resources for UDI Compliance

Before diving in, here are the tools most useful for teams building or auditing a UDI system:


What Is the FDA UDI System?

The Unique Device Identification (UDI) system is an FDA-mandated framework requiring medical device manufacturers to assign a standardized, globally unique identifier to every device placed on the US market. The legal authority comes from Section 519(f) of the Federal Food, Drug, and Cosmetic Act. The implementing regulations live in two places:

  • 21 CFR Part 801, Subpart B — labeling requirements for UDI placement on device labels and packaging
  • 21 CFR Part 830 — UDI system specifications, including issuing agency accreditation and GUDID data submission

The FDA published its final UDI rule in September 2013 and phased in compliance requirements by device class. As of December 2022, enforcement delays for Class I and unclassified devices have largely expired. Any device entering the US market in 2026 should operate under full UDI compliance unless a formal exemption applies.

Why UDI exists. The system creates a single, unambiguous way to identify a medical device across its entire lifecycle — from manufacturing through distribution, clinical use, post-market surveillance, and recall. Before UDI, adverse event reports frequently identified devices by trade name only, making it difficult or impossible for FDA to link events to specific device versions, lots, or manufacturing runs. UDI closed that gap.

The practical impact is straightforward: every adverse event, complaint, CAPA, recall, or MDR filed with FDA can now be linked to an exact device version via its UDI. That connection runs both directions — your GUDID record and your internal Device History Record need to tell the same story.


The Two Components of UDI Requirements for Medical Devices

Every UDI consists of two segments. Both must appear on the label for most device types.

Device Identifier (DI)

The Device Identifier is the fixed, mandatory portion of the UDI. It identifies the labeler and the specific version or model of the device. The DI is:

  • Issued by an FDA-accredited issuing agency (GS1, HIBCC, or ICCBBA)
  • The primary key for GUDID submissions — all device attribute data is registered under the DI
  • Searchable in the public AccessGUDID database hosted by the National Library of Medicine

A new DI is required when:

  • A device change results in a new version or model
  • A change affects the intended use of the device
  • A change introduces major differences in safety or performance
  • A new FDA regulatory submission (510(k), De Novo, PMA) is triggered

The DI assignment decision is a change control issue. Your QMS procedures need to define the threshold at which a design or manufacturing change triggers a new DI — and that procedure needs to be followed consistently.

Production Identifier (PI)

The Production Identifier is the variable portion of the UDI. It identifies specific production characteristics of a device unit and must be included whenever the corresponding information appears on the device label.

PI ElementInclude When…
Lot or batch numberLot number appears on label
Serial numberSerial number appears on label
Manufacturing dateManufacturing date appears on label
Expiration dateExpiration date appears on label
Distinct identification codeRequired for HCT/P devices regulated as medical devices
Diagram showing the two components of UDI requirements for medical devices, including the Device Identifier (DI) and Production Identifier (PI) with key data elements used for FDA UDI compliance.
Every UDI consists of two parts: the Device Identifier (DI), which identifies the device version and labeler, and the Production Identifier (PI), which captures lot, serial number, expiration date, and manufacturing date information.

Class I devices are not required to include a PI — the DI alone satisfies UDI requirements for Class I. All dates on labels must follow the YYYY-MM-DD format per 21 CFR 801.18.


Who Is the Labeler?

Under 21 CFR Part 830, the labeler is the entity that causes the label to be applied to the device. In most cases, that is the manufacturer. But contract manufacturers, specification developers, repackagers, and relabelers can all become the labeler depending on who is responsible for what appears on the final label.

This matters because the labeler is responsible for:

  • Assigning the DI through an accredited issuing agency
  • Submitting device attribute data to GUDID before the device is placed on the market
  • Maintaining and updating GUDID records when device attributes change
  • Ensuring the UDI appears correctly on the label, packaging, and (where required) directly on the device

If your organization contracts out labeling, or if you are a specification developer whose devices are manufactured and labeled by a contract manufacturer, establish in writing who holds labeler responsibility. Ambiguity here surfaces as a finding in both FDA inspections and ISO 13485 audits.


FDA-Accredited Issuing Agencies

Three organizations are accredited by FDA to issue UDIs for medical devices distributed in the US:

AgencyStandard UsedCode TypeBest For
GS1GTIN (Global Trade Item Number)NumericMost medical device manufacturers; broadest global compatibility
HIBCCHIBC (Health Industry Bar Code)AlphanumericHealthcare-specific supply chains; common in hospital settings
ICCBBAISBT 128AlphanumericBlood products, HCT/Ps, and products of human origin
Comparison chart of FDA-accredited UDI issuing agencies for medical devices including GS1, HIBCC, and ICCBBA with code types and recommended use cases.
Visual comparison of the three FDA-accredited UDI issuing agencies showing code formats and ideal implementation scenarios for medical device manufacturers.

GS1 is the most widely used issuing agency among medical device manufacturers and provides the broadest compatibility across global regulatory systems, including the EU’s EUDAMED. GS1 charges an initial enrollment fee and an annual renewal based on company revenue. HIBCC charges a one-time Labeler Identification Code (LIC) fee. ICCBBA is category-specific and is the required issuing agency for ISBT 128-regulated products.

Your issuing agency choice has long-term implications. It affects how your UDI is structured, what barcode symbology you use, how your labels integrate with distributor and hospital systems, and how you manage multi-jurisdiction compliance. Most manufacturers establish this relationship during product development, not during pre-market submission — don’t defer this decision.


GUDID: Submission Requirements and Timelines

GUDID — the Global Unique Device Identification Database — is FDA’s public repository for device identification data. The AccessGUDID platform, hosted by the National Library of Medicine, makes this data publicly searchable by clinicians, regulators, and purchasing organizations.

What You Must Submit

For every DI, you must submit:

  • Device description and proprietary name
  • Device class (I, II, III)
  • Whether the device contains latex or DEHP
  • Whether the device is labeled sterile
  • Whether the device is a single-use device
  • Packaging quantity and configuration
  • MRI safety information (where applicable)
  • Issuing agency and DI
  • Company contact information

Submission must occur before the device is placed on the market — not after the label is printed, not concurrent with distribution, before.

Submitting to GUDID

There are two submission paths:

  • Manual entry via the FDA GUDID web interface — suitable for small product portfolios
  • Electronic submission via XML upload through the Electronic Submissions Gateway (ESG) — required for larger portfolios; validated interface required under 21 CFR Part 11 where applicable

If electronic submission is not technologically feasible, a waiver may be requested in writing to FDA’s Center for Devices and Radiological Health.

Keeping GUDID Current

GUDID records must be updated whenever device attribute data changes. This is where most manufacturers fall short. A device name change, a sterilization method update, a packaging configuration change — each triggers an obligation to update GUDID. Build that trigger into your change control procedure, not as an afterthought.

If your QMS doesn’t currently have a documented procedure connecting design and manufacturing changes to GUDID update obligations, that is a gap auditors will find.

👉 Download the ISO 13485 Gap Assessment Checklist — includes traceability and labeling controls relevant to UDI compliance


Labeling Format Requirements

Under 21 CFR Part 801, the UDI must appear on the device label in two forms:

  1. Human Readable Interpretation (HRI) — plain text that can be read without scanning equipment
  2. Automatic Identification and Data Capture (AIDC) — a machine-readable format, typically a barcode or 2D data matrix, that can be electronically captured

Both formats must appear on the label and on all packaging levels intended for commercial distribution. Shipping containers used solely for logistics are exempt.

Barcode readability is a compliance issue, not just a quality issue. In 2026, “it looked fine when we printed it” is not a defensible audit response. Barcode print quality must be verified against ISO/IEC quality grades, and your label verification records must be maintained in the Device History Record. If your production line doesn’t include end-of-line barcode scan verification, that is an audit exposure.


Direct Marking for Reusable Devices

Reusable devices — those intended to be used more than once and reprocessed between uses — must bear the UDI directly on the device itself, in addition to the label and packaging. This is called direct part marking (DPM).

Direct marking methods vary by device material and design:

  • Laser etching
  • Chemical etching
  • Electrochemical etching
  • Inkjet or dot peen marking

The DI (not necessarily the full UDI with PI) must be permanently marked on the device. The marking must remain legible after reprocessing for the expected service life of the device. Validation records for the direct marking process, including legibility after simulated reprocessing cycles, belong in the Design History File and should be cross-referenced in the Device Master Record.


UDI Exemptions and Exceptions

Not every device is required to bear a UDI. Exemptions under 21 CFR 801.30 include:

✅ Class I devices exempt from GMP requirements under 21 CFR Parts 862–892 ✅ Individual single-use devices packaged together in a single device package, not intended for individual commercial distribution (the outer package must still bear a UDI)
✅ Devices used solely for research, teaching, or chemical analysis — not for clinical use
✅ Custom devices under 21 CFR 812.3(b)
✅ Investigational devices under 21 CFR Part 812
✅ Veterinary devices not intended for human use
✅ Devices intended for export from the United States
✅ Devices held by the Strategic National Stockpile under approved alternatives

What is not exempt: accessories. Even if the primary device is exempt, accessories regulated as medical devices require a UDI unless they independently qualify for an exemption.

If you believe a device qualifies for an exemption or need an alternative approach, 21 CFR 801.55 provides a formal process for requesting an exception from FDA.


UDI and Your ISO 13485 QMS

ISO 13485:2016 doesn’t mention UDI by name. It doesn’t need to. The standard’s traceability and labeling requirements create the documented control infrastructure that UDI compliance depends on.

The relevant ISO 13485 clauses that intersect with UDI:

ClauseRelevance to UDI
7.5.8 — IdentificationDevices must be identified throughout production and storage — UDI is the primary identification mechanism for marketed devices
7.5.9 — TraceabilityRecords must enable tracing of device identity, components, and processing history — the DI/PI structure directly supports this
7.6 — Control of monitoring and measuring equipmentBarcode scan verification equipment must be calibrated and maintained
8.3 — Control of nonconforming productUDI enables precise identification of affected lots in nonconformance handling
4.2.4 — Control of recordsGUDID submission records, AIDC verification logs, and change control documentation are QMS records

As of February 2026, the FDA QMSR under 21 CFR Part 820 aligns US quality system requirements with ISO 13485:2016. That alignment means FDA inspectors now assess QMS infrastructure — including traceability controls — through the lens of ISO 13485 clause structure. Your UDI system needs to fit inside that framework, not sit beside it.

If you are building your ISO 13485 QMS from the ground up, the BSI Group ISO 13485 training program covers design controls, traceability, and labeling requirements in the context of FDA regulatory expectations — a practical foundation for teams that need to connect QMS infrastructure to UDI compliance.


UDI for Software and Combination Products

Software as a Medical Device (SaMD)

Software devices follow the same UDI principles as hardware devices, with adaptations for how the identifier is displayed. For standalone software distributed in packaged or downloaded form:

  • The UDI must be displayed when the software is launched, or accessible through a menu
  • Software distributed in packaged form and as a download may display the same DI
  • A new DI is required when software changes affect the intended use or introduce a new regulatory submission
  • For AI/ML-enabled devices operating under a Predetermined Change Control Plan, algorithm updates within approved boundaries may require only PI updates; changes outside the approved plan require a new DI

Combination Products

Combination products — products that combine two or more of a drug, device, and/or biological — carry UDI requirements on each device constituent part. The specifics depend on how the combination product is classified (device-led or drug-led) and whether the constituent parts would independently require UDI. FDA issued draft guidance in June 2025 addressing UDI requirements for combination products with device constituent parts — review the current guidance on FDA.gov for your specific product configuration.


Common UDI Audit Findings

Dark navy infographic showing five common UDI audit findings for medical devices including DI reassignment controls, GUDID updates, direct part marking validation, CAPA linkage, and submission timing requirements.
Quick-reference graphic highlighting five common UDI audit findings that frequently appear during FDA inspections and internal compliance reviews.

These are the gaps most frequently identified during FDA inspections and ISO 13485 audits related to UDI:

⚠️ GUDID records not updated after a design or manufacturing change. The change control procedure doesn’t include a UDI/GUDID review step.

⚠️ Barcode verification records not maintained in the DHR. Labels are printed and inspected visually, but scan verification results aren’t documented.

⚠️ No documented procedure defining when a design change triggers a new DI. The threshold for DI reassignment is ambiguous.

⚠️ Direct part marking not validated. Reusable device marking process was implemented without legibility testing after reprocessing.

⚠️ UDI not linked to CAPA or complaint records. When a CAPA is opened, the affected device version is identified by trade name only — not by DI/lot.

⚠️ UDI submission timing. Device reached distribution before GUDID submission was completed.

Most of these findings have one root cause: UDI compliance was treated as a labeling project rather than a QMS integration project. Getting it right requires connecting your UDI system to change control, CAPA, complaint handling, and post-market surveillance — not just to your label artwork approval process.

Most auditors don’t find UDI problems in the labeling department. They find them in the QMS.


✅ UDI Compliance Quick Checklist

Before your next audit, verify:

  • [ ] DIs assigned through an FDA-accredited issuing agency (GS1, HIBCC, or ICCBBA)
  • [ ] GUDID records complete and submitted before device placement on market
  • [ ] Both HRI and AIDC formats present on all commercial distribution labels and packaging
  • [ ] Barcode print quality verified and records maintained in DHR
  • [ ] Change control procedure includes a UDI/GUDID review trigger
  • [ ] Direct marking validated for all reusable devices (legibility after reprocessing documented)
  • [ ] UDI (DI + lot/serial) linkage established in CAPA and complaint records
  • [ ] GUDID records updated after any applicable device attribute change
  • [ ] Exemption rationale documented for any device or packaging level excluded from UDI
  • [ ] UDI training completed and documented for personnel responsible for labeling, change control, and GUDID management

Frequently Asked Questions

What is a UDI in medical devices?

A UDI — Unique Device Identifier — is a standardized code assigned to medical devices that enables consistent identification throughout the device’s distribution and use. It consists of a Device Identifier (fixed, identifies the labeler and device version) and a Production Identifier (variable, identifies lot, serial number, expiration date, or manufacturing date). The FDA requires UDIs under 21 CFR Parts 801 and 830, and the system is enforced as part of the broader FDA QMSR quality system framework.

Is UDI required for all medical devices?

Most medical devices distributed in the United States are required to bear a UDI. Exemptions exist for certain Class I devices exempt from GMP requirements, custom devices, investigational devices, devices used solely for research, and devices intended for export. Individual single-use devices packaged in bulk are also exempt (but their outer packaging is not). Check 21 CFR 801.30 for the complete exemption list, and document any exemption determination in your quality system records.

What is GUDID and what do I need to submit?

GUDID — the Global Unique Device Identification Database — is FDA’s public repository for device identification data. Manufacturers (labelers) must submit Device Identifier data for each version or model of a device before it is placed on the market. Required data includes device description, device class, packaging information, single-use status, sterility, latex content, and MRI safety information. Records must be kept current whenever device attributes change.

What is the difference between a Device Identifier and a Production Identifier?

The Device Identifier (DI) is the fixed portion of the UDI — it identifies the labeler and the specific device version or model. It is issued by an FDA-accredited issuing agency and is the primary key in GUDID. The Production Identifier (PI) is the variable portion — it captures specific production data such as lot number, serial number, expiration date, or manufacturing date. The PI must be included whenever the corresponding information appears on the device label.

Which issuing agency should I use — GS1, HIBCC, or ICCBBA?

Most medical device manufacturers use GS1, which offers the broadest global supply chain and regulatory system compatibility. HIBCC is common in hospital-centric supply chains and is preferred by some healthcare systems. ICCBBA (ISBT 128) is required for blood products, tissues, and human-derived products. Select based on your product category, existing supply chain barcode infrastructure, customer requirements, and multi-jurisdiction needs. The decision has long-term implications — establish your issuing agency relationship during product development.

What are the UDI requirements for reusable devices?

Reusable medical devices — those intended for use more than once and reprocessed between uses — must bear the UDI directly on the device itself (direct part marking), in addition to the label and packaging. The DI must be permanently marked and must remain legible after reprocessing for the device’s expected service life. Validation records for the marking process, including legibility testing after simulated reprocessing, are required.

How does UDI connect to my ISO 13485 QMS?

UDI compliance depends on the same documented control infrastructure required by ISO 13485:2016 — traceability (Clause 7.5.9), device identification (7.5.8), control of records (4.2.4), and nonconforming product management (8.3). Under the FDA QMSR effective February 2026, FDA inspectors assess quality system infrastructure through ISO 13485 clause structure. Your UDI system must be integrated into your QMS — change control, CAPA, complaint handling, and post-market surveillance — not maintained as a separate labeling function.

What happens if my GUDID record is out of date?

An outdated GUDID record is a regulatory violation and an audit finding. It can also create downstream problems: if a recall is issued, FDA uses GUDID data to identify the scope of affected devices. If your records don’t accurately reflect the current device configuration, the recall scope may be incorrectly defined. Keep GUDID current by building a GUDID review trigger into your change control procedure.


📥 Free Resources

ISO 13485 Gap Assessment Checklist — free clause-by-clause gap assessment tool for medical device QMS teams preparing for certification, surveillance audits, or FDA QMSR alignment. Covers traceability, labeling, CAPA, and design controls.

AS9100 Rev D Gap Assessment Checklist — 74-item clause-by-clause gap assessment for aerospace suppliers — included here for teams operating in both medical device and aerospace quality systems.

ISO 9001 Roadmap — step-by-step implementation guide for manufacturers building or improving a quality management system.

Manufacturing Compliance Checklist — practical compliance reference covering key ISO, OSHA, and quality requirements for production environments.

Supplier Quality Checklist — evaluation tool for assessing supplier quality controls and flow-down compliance before audits or new contracts.


Not Sure What to Do Next?

🔹 Still building your UDI knowledge base? Start with What Is ISO 13485? for an overview of the QMS standard that governs your traceability and labeling systems, then review ISO 13485 Documentation Requirements to understand what records your UDI system needs to generate.

🔹 Ready to assess your current QMS against ISO 13485 requirements? Download the ISO 13485 Gap Assessment Checklist and work through the traceability and labeling sections before your next audit or inspection.

🔹 Need to purchase the standard? ISO 13485:2016 is available from the ANSI Webstore — the authorized source for US manufacturers. Use code CC2026 for 5% off through December 31, 2026. The ANSI Webstore serves international buyers and offers standards in multiple languages.


UDI isn’t a checkbox. It’s the data backbone that connects your device to every regulatory touchpoint across its lifecycle — from your first GUDID submission to a potential recall years after launch. Getting the system right means integrating it into your QMS from day one, not retrofitting it after an audit finding.

The Standards Navigator covers medical device quality and compliance requirements with the same direct, practitioner-grounded approach you need to make good decisions — not just check boxes.


Subscribe and Stay Ahead

Teams that struggle with UDI compliance share one common trait: they treat it as a labeling project. Teams that pass FDA inspections treat it as a QMS integration project — and they built the documentation before the auditor walked in.

Organizations that build UDI compliance into their change control, CAPA, and post-market surveillance from the start don’t scramble before inspections. They already have the records. Organizations that don’t maintain connected systems spend inspection days searching for GUDID submission confirmations and barcode verification logs across disconnected folders and spreadsheets.

The Standards Navigator covers ISO 13485, FDA QMSR, UDI, risk management, and the full spectrum of medical device compliance requirements — for quality professionals who need the detail, not the overview.

👉 Get updates on medical device compliance and QMS implementation
👉 Be first to access new ISO 13485 resources and checklists

Subscribe below to stay ahead.

Subscribe

* indicates required

The Standards Navigator — Industrial Compliance. Clearly Explained.