Regulatory Background

In line with evolving regulatory expectations on SaMD and cybersecurity, additional clarification has been provided through Q&A and guidance addressing software distribution, statutory labeling, and network security responsibilities.

 

SaMD Q&A

Timing of Marketing and Provision

Question 1: When a medical device software intended primarily for general consumer use (hereinafter referred to as a "home-use medical device software") is provided via telecommunication networks, how should the timing of marketing and sales or provision be interpreted?

➜ Answer 1: When a home-use medical device software is provided via telecommunication lines, the timing of marketing refers to the point when the software is made available on download servers, app stores, or similar platforms (or, where the software is pre-installed during an OS update for devices such as smartwatches, the time when the updated OS version is released on download servers or app stores). The timing of sales or provision refers to when the user enables the software for use (e.g., when it is activated).

Statutory Labeling Requirements

Question 2: How should statutory labeling and information, such as precautions, be handled for home-use medical device software?

➜ Answer 2: Concerning statutory labeling, appropriate measures should be taken by referring to "Handling of Medical Device Programs" (Notification No. 1121-33 of November 21, 2014, issued by the Counsellor for Medical Device and Regenerative Medicine Product Review Management, Minister's Secretariat, MHLW; Notification No. 1121-1 of the Director of the Safety Division, Pharmaceutical and Food Safety Bureau, MHLW; and Notification No. 1121-29 of the Director of the Compliance and Narcotics Division, Pharmaceutical and Food Safety Bureau, MHLW), in particular Section 13 "Statutory Labeling", in the same manner as for medical devices intended for healthcare professionals.

For medical devices intended primarily for general consumer use, Article 63-2, Paragraph 2 of the Act stipulates that precautionary information must be directly stated on the device's primary container or packaging (Package Insert or labelling), rather than merely providing a code (e.g. QR code) to access such information.

On the other hand, for home-use medical device software, Article 225 of the Ordinance for Enforcement of the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices (MHLW Ordinance No. 1 of 1961; hereinafter referred to as the "Ordinance") provides an exemption. If the mandatory information required under Article 63-2, Paragraph 2 of the Act is attached in an electronic format that is easily accessible to the user, physical labelling on the container or packaging is not required.

Please note that the methodology for providing documentation via electronic records shall follow the principles set forth in Article 224, Paragraph 7 of the Ordinance.

Accessibility of Information

Question 3: Is it acceptable if the information related to statutory labeling for users of a medical device software is made viewable only during use of the program?

➜ Answer 3: Information must be provided to users not only while the medical device program is in use, but also before use. For example, one possible approach would be to design the program so that information, such as links to web pages containing statutory disclosures, is displayed before the user activates the program, and the activation setup is performed only after the user has confirmed this information. Furthermore, it is desirable to implement similar measures not only before using the program, but also when changes to the statutory disclosure items occur due to program updates or other reasons.

 

Network Security and Infrastructure Management

Securing the Network Path: Strengthening VPN and Gateway Protection for Medical Devices

1. For peripheral equipment other than the medical device itself, such as network devices including VPN equipment used for remote maintenance, confirm that the division of responsibilities between the parties is clearly defined with the medical institution based on maintenance contracts or similar agreements.

2. For network devices, such as VPN equipment connected to medical devices, for which the Marketing Authorization Holder is responsible for management, the following inspections shall be conducted:

(1) Verify that all firmware and related software components are maintained at their latest validated versions and phase out any devices that are no longer supported by the manufacturer [End-of-Support (EOS) or End-of-Life (EOL)].

(2) Upon identifying EOS or EOL hardware, notify the medical institution and, in coordination with the institution, take appropriate measures such as updating or replacing the equipment.

(3) For VPN equipment, implement appropriate security measures, including strengthening authentication, enforcing access controls, and other relevant safeguards.

 

With evolving expectations for SaMD and cybersecurity, medical device companies should review software distribution models, labeling approaches, and network security responsibilities to ensure compliance with regulatory requirements in Japan.

Qualtech supports manufacturers in SaMD registration, e-labeling implementation, and cybersecurity risk management in line with Pharmaceuticals and Medical Devices Agency (PMDA) expectations.

Contact us to ensure your digital health products remain compliant and secure throughout their lifecycle.

 

References

  1. Q&A on the Handling of Medical Device Programs (Part 3)
  2. Thorough Implementation of Cybersecurity Measures for Network Equipment Such as VPN Devices Connected to Medical Devices (Alert)