MHLW administrative notice providing Q&A guidance on Software as a Medical Device (SaMD) regulatory handling and requirements under the PMD Act.

MHLW caution alert regarding cybersecurity measures for VPN devices and network equipment connected to medical devices, emphasizing the need for strengthened security protocols to protect medical device networks from cyber threats.

MHLW guidance on procedures for registration applications submitted by organizations seeking to become registered conformity assessment bodies under the PMD Act, including application requirements and administrative handling.

MHLW notice establishing witness inspection procedures for registered conformity assessment bodies and revising on-site inspection implementation standards to ensure compliance and quality oversight.

Amendment to medical device adverse event reporting requirements, updating procedures for manufacturers and importers to report defects, malfunctions, and serious incidents to PMDA and MHLW in a timely manner.

Notice on post-market vulnerability management framework. Requires manufacturers/distributors to integrate vulnerability monitoring, evaluation, response, and disclosure processes (including SBOM utilization) into quality management systems. Mandates establishment of PSIRT structure, clear vulnerability notification policies to customers, and practical end-of-life support management procedures.

Expanded Q&A set on application and conformance assessment of Essential Principles Article 12(3). Provides guidance on system architecture diagram formats, post-transition application handling, third-party testing utilization, SBOM documentation scope, and legacy product compliance strategies based on practical implementation experience.

Notice clarifying handling of cybersecurity events in adverse event/serious adverse event reporting systems. Addresses reporting applicability for patient harm from cyber attacks or vulnerability exploitation, decision-making flowcharts, and manufacturer response procedures. Serves as foundational regulatory documentation for post-market cybersecurity management.

Practical worked examples of application forms and supporting documentation for IDATEN change control plan confirmation applications specific to SaMD. Illustrates how to describe proposed changes, set acceptance criteria, and prepare draft revised approval documents. Issued concurrently with the consolidated Q&A revision.

Consolidated revision of Q&A guidance on the IDATEN change control plan confirmation system, integrating three previously separate documents. Adds provisions specific to AI/ML-enabled medical devices and SaMD, requiring submission of procedures for developing and implementing the change control plan and materials for appropriate AI technology management. Reflects startup company needs and accumulated regulatory experience since the system's 2020 launch.