EUDAMED is a new European system for medical devices that aims to put all aspects of registering, monitoring, and managing information about products among different industry actors. This blog explains what the background to the system is, what it looks like (as far as we know, at the moment) and how it will work.
EUDAMED is the IT system developed by the European Commission to implement provisions of Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnosis medical devices. Commission published Implementing Regulation (EU) 2021/2078 on 26th November 2021 laying down rules for the application of Regulation (EU) 2017/745. According to the EUDAMED information page, the development and implementation of system is a high priority for the European Commission.
The new regulations aim to improve handling of information related to medical devices.
One of the ways the regulations hope to achieve this goal is the EUDAMED database. The new database contains more types of information than the one that currently exists under the Medical Devices Directives (Eudamed2). Eudamed2 is the European Databank on Medical Devices that has been in use for more than a decade.
Once fully operational, EUDAMED will function as a registration system, a collaborative system, a notification system, and a dissemination system (to the public) and it will be interoperable with other existing and upcoming systems managed by the European Commission, EMA, and Member States.
Technically, EUDAMED does not introduce any new technologies, nor does it require new knowledge from the industry actors who are already handling medical devices data. However, implementing a new system means that the processes need to updated, new processes created and trained. It can be also hoped that with the new system containing all relevant modules under the same umbrella, the data handling will become easier.
Structure of EUDAMED
EUDAMED consists of 6 interconnected modules and a public website.
The six modules are the following:
- Actor registration
- Unique Device Identification (UDI) and device registration
- Notified bodies and certificates
- Clinical investigations and performance studies
- Vigilance and post-market surveillance
- Market surveillance
Actor Registration Module
On 1st of December 2020, the European Commission made available the Actor Registration module; the first EUDAMED module to be operational.
As a side note, as you might have noticed, EUDAMED is called MDR EUDAMED on the Actor Registration module landing page. That “MDR” in “MDR EUDAMED” apparently stands for “Medical Device Regulation” and EUDAMED itself is an abbreviation for “European Database for Medical Devices”. So, the full name of the system is “Medical Device Regulation European Database for Medical Devices”. We’ll stick with just EUDAMED for the rest of the text.
You can log in to the Actor Registration module with EU Login details. If you do not have those yet, you can get them here. Once logged in, you can register as an Actor and request access to EUDAMED for the Actor.
When you start the Actor Registration process, you are shown the following disclaimer:
Disclaimer at the start of the Actor Registration process
After you agree to the disclaimer, you can start creating the Actor. First, you select your role out of the following options:
- Authorised Representative
- System/Procedure Pack Producer
Then, you select your country and enter the name of your organization.
You are then requested to enter further information about your organization.
You need to download, fill in and sign a “declaration on information security responsibilities in the context of the European medical device database”. This form basically asks for the same information you just provided in the previous pages of the registration form, but this time you need to either fill it in with a .pdf software or print it out, fill it by hand (and scan), sign it, and upload it to the registration form.
As a last step, the registration form is sent to the National Competent Authority (NCA) of the Member State you have selected for review and approval. After their review, you are asked by the NCA to provide proof of payment for the registration. For example, with the Finnish authority Fimea, the cost of the registration is €500.
The device companies and other parties are not required to use the Actor registration module until EUDAMED is fully functional according to the Medical Device Regulation. This means that additional national requirements on registrations can still be required by EU countries.
UDI and Devices Registration Module
Unique Device Identifier (“UDI”) is a series of numeric or alphanumeric characters that is created through internationally accepted device identification and coding standards and that allows unambiguous identification of specific devices on the market.
The module on Unique Device Identification and device registration is the second EUDAMED module that became available. Along with the module of Notified Bodies and Certificates (third module), it has been available since October 2021. The current release of the module does not include the mechanism for scrutiny and the clinical evaluation consultation procedure (CECP) functionalities. Afterwards, the remaining modules as well as the mechanism for scrutiny and the CECP will be released when EUDAMED is fully functional.
Unique Device Identification system
The Unique Device Identification system (“UDI system”) makes it possible to identify and trace medical devices. UDI system consists of the following functionalities:
- Production of a UDI
- UDI device identifier (“UDI-DI”) specific to a manufacturer and a device
- UDI production identifier (“UDI-PI”) that identifies the unit of device production and if applicable the packaged devices
- Placing of the UDI on the label of the device or on its packaging
- Storage of the UDI by economic operators, health institutions and healthcare professionals
- Establishment of an electronic system for Unique Device Identification (“UDI database”)
UDI database is used to validate, collate, process, and make available to the public the information mentioned above.
The UDI database is designed so that no UDI-PIs and no commercially confidential product information can be included therein. The core data elements of UDI database are accessible to the public for free. The EC will provide for technical and administrative support to device manufacturers and other users of the UDI database.
Notified Bodies and Certificates Module
Notified Bodies and Certificates Modules is the third module that is currently available. According to the new regulations, the Notified Bodies should register in EUDAMED any information regarding certificates. This includes:
- Issuing new certificates
- Amendments and supplements to certificates
- Suspending certificates
- Reinstating certificates
- Withdrawal of certificates
- Refusal and other restrictions imposed on certificates.
The European Commission cannot require the use of the module until EUDAMED is fully functional according to the Medical Device Regulation. So, currently, all information registered related to certificates and Summaries of Safety and Clinical Performance (SSCP) has been added on voluntary basis.
For the Notified Body to be able to add certificate data into the module, it is required that all of the parties referenced in the certificates are first registered in the database because the certificates include the UDI-DI(s). The parties to be registered would include the manufacturer, the authorised representative (where applicable), and/or the system procedure pack producer.
The above information from the Notified Bodies about certificates is accessible to the public. At the time of writing this (16-Dec-2021) only one certificate had been registered to the module.
A single registered certificate on 16th December 2021
Certificate Unique Identifier
Each certificate in the module has a unique identifier. The certificate paper version unique identifier is identified by a unique number which is the “NB number + Certificate number (+ possibly ‘Revision number’)”. The EUDAMED Certificate data version is identified by the “Certificate paper version unique identifier” and the “EUDAMED version number”.
The EUDAMED version number increases after any update of a certificate as for the certificate paper version identifier. If the certificate is withdrawn, suspended, or reinstated, there is a new EUDAMED version but not a new Certificate paper version.
Clinical Investigations and Performance Studies Module
The EUDAMED module for clinical investigations and performance studies is currently not available.
As per the legislation the European Commission “shall, in collaboration with the Member States, set up, manage and maintain an electronic system:
a) to create the single identification numbers for clinical investigations
b) to be used as an entry point for the submission of all applications or notifications for clinical investigations
c) for the exchange of information relating to clinical investigations
d) for information to be provided by the sponsor, including the clinical investigation report and its summary
1. Irrespective of the outcome of the clinical investigation, within one year of the end of the clinical investigation or within three months of the early termination or temporary halt, the sponsor shall submit to the Member States in which a clinical investigation was conducted a clinical investigation report
e) for reporting on serious adverse events and device deficiencies and related updates
1.The sponsor shall fully record all of the following:
i. any adverse event of a type identified in the clinical investigation plan as being critical to the evaluation of the results of that clinical investigation;
ii. any serious adverse event;
iii. any device deficiency that might have led to a serious adverse event if appropriate action had not been taken, intervention had not occurred, or circumstances had been less fortunate;
iv. any new findings in relation to any event referred to in points (a) to (c).
2. The sponsor shall report, without delay to all Member States in which the clinical investigation is being conducted, all of the following by means of the electronic system:
i. any serious adverse event that has a causal relationship with the investigational device, the comparator or the investigation procedure or where such causal relationship is reasonably possible;
ii. any device deficiency that might have led to a serious adverse event if appropriate action had not been taken, intervention had not occurred, or circumstances had been less fortunate;
iii. any new findings in relation to any event referred to in points (a) and (b).”
Vigilance and Post-market Surveillance Module
The EUDAMED module for vigilance and post-market surveillance is currently not available.
Ensuring and monitoring safety (surveillance and vigilance) of the products is an important aspect of the medical devices sector. The purpose of the Medical Device Vigilance System is to improve the protection of health and safety of patients, healthcare professionals, and other users by reducing the likelihood of reoccurrence of incidents related to the use of a medical device.
The Medical Devices Directives requires that the device companies evaluate adverse incidents and, if appropriate, report the adverse incident information using a National Competent Authority Report (NCAR).
The objective of the reporting of the adverse incidents is to prevent repetition of such incidents by adopting appropriate corrective actions.
Market Surveillance Module
The EUDAMED module for market surveillance is currently not available.
According to the Medical Devices Directives the national authorities must follow certain procedures when considering whether:
- a medical device is unsafe and should be withdrawn from the market (‘safeguard clause’)
- a CE marking is unduly affixed to a device or missing (‘wrongly affixed CE marking’).
Uploading and Downloading Data
EUDAMED offers multiple ways of inputting and downloading data. There are a few points you must take into consideration before you decide how to upload and download data from EUDAMED.
The different ways to upload and download data include:
- The User Interface: manual input of data through the application.
- The XML upload/download: semi-automated option, where the data can be uploaded as XML files. The XML data is validated against the provided EUDAMED DTX service and entity model XSDs. The generation of the files can be automated, but uploading and downloading the files remains manual.
- The Data Exchange Machine-to-Machine (M2M) system: automatic data exchange between an external organization’s backend system and EUDAMED’s backend services. You can enter and update data in your own system, and the data is automatically transmitted to EUDAMED. The XML files are created, uploaded and downloaded the same way as in the 2nd option but without any human intervention. The best option for high frequency bulk uploading and downloading.
The User Interface
User interface option is the simplest one from data handling, manipulation, and implementation point of view. You only need a PC with Internet connection and a browser to connect to EUDAMED.The XML upload and download through EUDAMED UI
In addition to the above requirements to connect to EUDAMED, you would upload the data in XML format to EUDAMED. This will allow bulk upload of existing information by uploading the XML files through the User Interface. It is advisable to produce the XML format data in an automated way (using software) to avoid validation errors of the data. Some implementation effort by an IT team will be required taking into consideration the complexity of the data format (XSDs) and validation rules (e.g. field sizes, tags positions, mandatory / vs. not mandatory, etc.). Similarly, you can bulk download the data in XML format. This format, while understandable, is not very human readable. A software that displays this information in a more readable structure should be considered. This solution could be useful when EUDAMED goes fully live, where a high volume of data needs to be input, but where subsequent updates can be done through the User Interface. In this situation, the set up of a data exchange connection would not be justified, as it would be a one-off upload.The Data Exchange
In this case, the data will be automatically transmitted between an external system and EUDAMED. To achieve this, the external system must be extended in order to convert its data into the XML format requested by EUDAMED DTX and implement a specific data exchange protocol. Furthermore, in order to establish the connection through eDelivery, you have to link your system with an Access Point. This Access Point needs to be installed on specific hardware on premises, and maintained (support, versions updates, configuration, etc.). This mechanism allows bulk download of sensitive data in a fast way and the application connected to EUDAMED will need to comply with a series of security requirements.
Read More About: single registration number
The data exchange may be updated in future releases. When there is a new release, all systems connected through the data exchange system will have a 6 month-period to be updated in order to adapt to the new changes. M2M Data Exchange is the most complex and costly option, and authorities recommend that companies choose it only under the following conditions:
- the amount of data to be uploaded/downloaded cannot be entered manually
- there will be frequent exchanges of information between systems
- the cost of manual input outweighs the cost of automation
- there are available resources for implementation and maintenance.
Data Layers and Models in EUDAMEDHow Data Exchange (DTX) works
The data exchanged in EUDAMED is based on two independent data models. One data model is used to describe the communication protocols and target services. This data model is called ”Service Data Model”. The second data model is used to represent the business domain entities involved in data exchange and it is called ”Entity Model”.
Two Data Models in EUDAMED
CEF EUSEND eDelivery building blocks rely on business-to-business communication protocols with a specific conformance profile AS4 ebHandler for the ebMS 3.0, ebXML Messaging Services (e-SENS profile). Compared to the AS4 ebHandler Conformance Profile, e-SENS profile, from a security point of view, updates or adds some functionality:
- Transport Layer Security (TLS), if handled in the AS4 handler, is profiled and is mandatory
- The Web Services (WS) Security version is the 1.1.1 version
- Algorithms specified for securing messages at the Message Layer are updated to current guidelines and use of signing and encryption is mandatory
- All payloads are exchanged in separate MIME (Multipurpose Internet Mail Extensions) parts
- Receipts and errors are reported synchronously only
- WS-Security support is limited to the 509 Token Profile. The use of UserName Tokens is not supported. When using digital signatures or encryption, an AS4 Message Service Handler (MSH) implementation is required to use the Web Services Security X.509 Certificate Token Profile. The certificate authority (CA) / Public Key Infrastructure (PKI) support instance is currently provided by CEF (EUSEND service)