MedDeviceGuideMedDeviceGuide
Back

Adaptive AI Medical Devices: Why an FDA PCCP Won't Update Your Model in the EU or Japan

A cross-market analysis of AI medical device change control, comparing the US FDA PCCP, Japan's IDATEN framework, and the EU's MDR and AI Act modification rules.

Ran Chen
Ran Chen
Global MedTech Expert | 10× MedTech Global Access
Published 2026-07-16Last reviewed 2026-07-1624 min read

Reliance Converges, AI Diverges: The Global Algorithmic Challenge

In global medical device regulation, the trend for the past decade has been toward harmonization and regulatory reliance. Through programs like the Medical Device Single Audit Program (MDSAP) and abridged registration pathways, manufacturers of static hardware devices can frequently use a single U.S. FDA clearance or CE mark to streamline approvals in dozens of secondary markets.

However, when it comes to Software as a Medical Device (SaMD) utilizing Artificial Intelligence and Machine Learning (AI/ML), the regulatory landscape is fracturing. While the absolute volume of AI-enabled medical devices is growing rapidly—with the FDA's registry of AI-enabled devices reaching 1,524 cumulative authorizations by mid-2026 (over 330 added in 2025 alone, roughly three-quarters of them in radiology)—the rules governing how these algorithms are updated post-market are diverging.

The core of the challenge lies in the distinction between static and adaptive AI models. A static model is locked at the time of clearance; any update to its weights requires a new regulatory filing. An adaptive (or continuously learning) model, by contrast, is designed to update its parameters in response to new clinical data, shifting patient populations, or changes in clinical imaging equipment.

To manage these updates without requiring a new premarket submission for every algorithmic iteration, regulators have developed change-control frameworks. In the United States, this is the Predetermined Change Control Plan (PCCP). Under a PCCP, a manufacturer can define a pre-approved envelope of planned modifications, verification protocols, and risk mitigation strategies at the time of initial clearance, allowing subsequent updates to be implemented without a new 510(k) or PMA — provided each update is executed exactly as the authorized Modification Protocol specifies, with the associated design-control, verification, monitoring, and post-market reporting steps completed.

The critical trap for digital health manufacturers is the assumption that a PCCP-authorized update can be deployed globally. It cannot. As detailed in PureGlobal's global market access report on AI as a medical device, change-control regimes are localized, non-interoperable, and legally distinct. An update implemented under an FDA-authorized PCCP has no legal force outside the United States. Deploying that same update to clinical sites in the European Union or Japan without first completing that market's own change-control steps (Notified Body review in the EU; a Shonin amendment or an IDATEN change plan in Japan) is non-compliant with local obligations and can lead to corrective action — up to and including field-safety corrective action or suspension of the certificate or licence, particularly where the unassessed change affects safety or performance.


The Four Global Change-Control Regimes Compared

To build a compliant multi-market deployment pipeline, manufacturers must understand the specific requirements, mechanism of change, and international reciprocity of the four dominant change-control frameworks.

The comparison matrix below summarizes these four regimes:

Regime Primary Regulatory Instrument Mechanism of Approved Modification Scope of Allowed Modifications Reciprocity / Alignment
United States FDA Final Guidance (August 2025) Predetermined Change Control Plan (PCCP) Performance updates, clinical inputs, interoperability Co-authored 2023 Guiding Principles with HC & MHRA
Japan PMDA / PMD Act (IDATEN Framework) Post-Approval Change Management Protocol (PACMP) Algorithm improvements, software updates Japan-specific; no formal reciprocity
European Union EU MDR (substantial modification rules) & EU AI Act Conformity Assessment / Class IIb-III Auditing Not applicable (no formal pre-approved change plan) No recognition of foreign change plans; outlier
Canada & UK Health Canada MLMD Guidance / MHRA Policy PCCP (Health Canada finalized its MLMD guidance Apr 2026; MHRA pathway still in development) Performance adjustments, data drift corrections Co-authored 2023 tri-agency Guiding Principles with FDA

What Counts as a "Substantial Modification" Across Regimes?

The operational boundary between an update that can be implemented under a pre-approved plan and one that requires a new pre-market review depends on how each regulator defines a "substantial modification."

The table below compares what modifications are allowed under a pre-approved plan (or local QMS) versus what changes trigger a new pre-market review across the four core jurisdictions:

Change Type United States (FDA PCCP) Japan (PMDA IDATEN) European Union (MDR / AI Act) Health Canada
Retraining on same clinical population (e.g., adding site data) Allowed under PCCP (requires MP verification) Allowed under Confirmation Plan (notification required) Triggers Review (if it alters diagnostic sensitivity/specificity limits) Allowed under a PCCP (documentation required)
Adding support for a new hardware manufacturer (e.g., new MRI scanner) Allowed under PCCP (if hardware interface specs are in MP) Allowed under Confirmation Plan (requires verification report) Triggers Review (affects safety and performance under Annex IX) Allowed under a PCCP (documentation required)
Changing the intended use (e.g., expanding from adults to pediatrics) Triggers New 510k/PMA (outside PCCP scope) Triggers Shonin Amendment (outside IDATEN scope) Triggers New Conformity Assessment (substantial modification) Triggers License Amendment
Re-weighting features for a different clinical environment (e.g., ICU vs. Clinic) Allowed under PCCP (if pre-specified in MP) Allowed under Confirmation Plan Triggers Review (represents a change in clinical workflow) Allowed under a PCCP

Recommended Reading
Digital Twins and Synthetic Data in Medical Device Validation
Regulatory Digital Health & AI2026-04-30 · 11 min read

1. United States: The FDA PCCP Framework

In the U.S., the FDA finalized its landmark guidance, "Marketing Submission Recommendations for a Predetermined Change Control Plan (PCCP) for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions," in August 2025 (following the initial Federal Register availability notice in December 2024).

The FDA PCCP operates on three core pillars:

  1. Detailed Description of Modifications (DDM): A precise specification of the planned changes (e.g., training the model on a new scanner manufacturer's images or adjusting classification thresholds).
  2. Modification Protocol (MP): A detailed description of the data management, re-training, performance evaluation, and verification methodologies that will be used to implement the changes.
  3. Impact Assessment (IA): An analysis of the risks introduced by the modifications and the mitigation strategies that will be deployed to maintain device safety and efficacy.

Once authorized, a PCCP becomes part of the device's clearance or approval. The manufacturer can implement and ship any update that falls within the DDM and conforms to the MP without filing a new 510(k) or PMA supplement. To understand the underlying mechanics of setting up a monitoring protocol under this system, refer to our detailed guide on how the FDA PCCP works for AI/ML devices.


2. Japan: The PMDA IDATEN / PACMP System

Japan was an early pioneer in establishing a post-approval change management protocol (PACMP) for medical software, establishing the IDATEN (Improvement Design within Approval for Timely Evaluation and Notice) framework under the Pharmaceutical and Medical Devices (PMD) Act.

The IDATEN framework is designed to facilitate the rapid deployment of significant modifications to Software as a Medical Device (SaMD). Under this framework:

  • A manufacturer submits a Confirmation of Change Plan during the initial Shonin premarket review. This plan outlines the parameters of the algorithm that will be improved and the validation protocols that will be applied.
  • When an update is generated, the Marketing Authorization Holder (MAH) in Japan evaluates the change against the pre-approved Confirmation of Change Plan.
  • If the update conforms to the plan, the manufacturer can route the modification through a post-change notification that PMDA reviews, rather than filing a full, formal pre-market approval amendment (Shonin change application). PMDA's review of an IDATEN-conforming notification is lighter and faster than a Shonin amendment, but it is not absent — the change is released only once it stays within the confirmed plan and the supporting verification is complete.

While IDATEN is conceptually very similar to the FDA PCCP, it is governed by Japanese PMD Act administrative procedures and Japanese GCP clinical standards. The PMDA does not formally recognize an FDA-authorized PCCP, and any IDATEN Confirmation of Change Plan must be submitted and approved independently in Japan.


3. The European Union: The Outlier with No PCCP

For manufacturers targeting the European market, the EU represents the most significant regulatory hurdle for adaptive AI. The EU has no dedicated PCCP regulation equivalent to the FDA's. By default, algorithm updates are governed by the EU MDR "substantial modification" rules and require Notified Body review; however, the interplay between MDR and the AI Act now offers a narrower, pre-agreed-change concept: under AI Act Annex IV point 2(f) and the MDCG 2025-6 guidance, predetermined changes that are described and assessed during the initial conformity assessment need not be treated as a "substantial modification." In practice this lets a manufacturer agree a predetermined change plan with its Notified Body up front, but there is still no standalone, FDA-style PCCP authorization route.

AI-enabled medical devices in the EU are regulated under two overlapping frameworks: the EU Medical Device Regulation (EU 2017/745) and the EU AI Act (Regulation EU 2024/1689), which established a comprehensive risk-based governance structure for artificial intelligence. Under this dual regime, the process of updating an algorithm is governed by the EU MDR's substantial modification rules:

+--------------------------------------------------------------------------+
|                     EU ALGORITHM UPDATE PATHWAY                          |
+--------------------------------------------------------------------------+
                                     |
                                     v
                       [ Does update change intended ]
                       [ use or clinical parameters? ]
                                     |
                  +------------------+------------------+
                  | Yes                                 | No
                  v                                     v
     +--------------------------+          +--------------------------+
     | "Substantial"            |          | "Non-Substantial"        |
     | Trigger new conformity   |          | Implement under QMS      |
     | assessment (Notified     |          | Update technical file    |
     | Body audit) & AI Act     |          | and inform Notified Body |
     | compliance review        |          | at next audit            |
     +--------------------------+          +--------------------------+

Under EU MDR, if a change to an algorithm is deemed "substantial"—which includes modifications that alter the device’s performance characteristics, clinical indications, diagnostic thresholds, or patient populations—the manufacturer must submit a design change notification to their Notified Body. The Notified Body must audit the change and issue an updated Annex IX certificate before the update can be distributed.

Furthermore, the EU AI Act classifies most AI medical devices (specifically those undergoing Class IIa, IIb, or III review under MDR/IVDR) as "high-risk AI systems." This classification layers on strict obligations regarding data governance, risk management, technical documentation, transparency, and human oversight.

To help compliance teams track these overlapping requirements, the timeline below outlines the key milestones and compliance dates for high-risk AI medical devices in the EU:

+--------------------------------------------------------------------------+
|                     EU AI ACT COMPLIANCE MILESTONES                      |
+--------------------------------------------------------------------------+
|  August 2024:      AI Act enters into force                              |
|  February 2025:    Prohibited AI systems banned                          |
|  December 2027:    Standalone high-risk AI (Annex III) compliance       |
|  August 2028:      High-risk AI in CE-marked MDR/IVDR devices           |
+--------------------------------------------------------------------------+

Note: The original AI Act deadlines were August 2026 for standalone high-risk AI and August 2027 for high-risk AI embedded in MDR/IVDR devices. The EU's Digital Omnibus simplification package — formally endorsed by the European Parliament and the Council in mid-2026 and entering into force upon its Official Journal publication — moved these to December 2027 and August 2028 respectively; the underlying high-risk obligations are unchanged, only the timing moved.

Because the EU does not recognize the concept of a pre-authorized "change envelope" like the PCCP, any significant algorithmic improvement requires a full Notified Body design review. For a detailed breakdown of these high-risk obligations, see our EU AI Act high-risk obligations for medical AI. To structure your clinical evaluation files to satisfy both regimes, consult our template for reconciling EU AI Act and MDR evidence.


Recommended Reading
How to Get FDA to Tell You Which Center Will Regulate Your Product: The Pre-RFD Playbook
Regulatory PMA2026-07-16 · 24 min read

4. The Anglo-American Axis: Health Canada & UK MHRA

The brightest area of regulatory harmonization for change control exists between the U.S., Canada, and the United Kingdom. In October 2023, the FDA, Health Canada, and the UK Medicines and Healthcare products Regulatory Agency (MHRA) co-authored the "Predetermined Change Control Plans for Machine Learning-Enabled Medical Devices: Guiding Principles."

These principles set out five guiding expectations for change control, focusing on:

  • Clear clinical justification for modifications.
  • Robust software quality assurance (SQA) and lifecycle management.
  • Comprehensive data management protocols (specifically addressing data drift and algorithmic bias).
  • Continued validation using independent, representative testing datasets.

Health Canada has since operationalized this approach. Its finalized Pre-market Guidance for Machine Learning-Enabled Medical Devices (MLMD), dated 1 April 2026, establishes the PCCP (the same term the FDA and IMDRF use — there is no separate "PACP" mechanism) as a formal mechanism within Medical Device Licence submissions for machine-learning-enabled devices (Class II–IV, covering standalone SaMD, embedded software, and IVDs). The UK MHRA, by contrast, is still building its pathway: its Software and AI as a Medical Device Change Programme commits to making provision for PCCPs in secondary legislation, and the AI Airlock sandbox is exploring oversight of more adaptive models, but no statutory PCCP route is in force yet, with full implementation targeted for 2027 subject to legislation. While a manufacturer must still file separate applications in each country, the structure, data requirements, and validation protocols are increasingly harmonized where the pathway exists.

To compare how these regions classify software compared to other international jurisdictions, see our overview of how countries define and classify SaMD.


Continuous Learning vs. Batch Updates: Mathematical Limits

When designing an adaptive algorithm, software developers must choose between two retraining approaches:

  1. Continuous Learning (Online Learning): The model continuously updates its weights in real time with every patient encounter. While mathematically elegant, continuous learning is not approvable under any current major-regulator change-control framework, all of which require a locked model between authorized updates. The mathematical reason is that online learning is susceptible to catastrophic forgetting (where the model forgets previously learned patterns when exposed to new data) and covariate shift (where performance degrades due to changes in input distributions). It is impossible to validate or verify a model whose weights change between patients.
  2. Batch Updates (Iterative Releases): The model accumulates clinical data over time. Retraining is conducted in a controlled, isolated development environment. Once the new model is verified, its weights are locked, and the update is released as a new batch version. All current regulatory change frameworks (including the FDA PCCP and Japan IDATEN) are built exclusively for batch updates. The model must remain static between release events to allow for reproducible performance audits.

The Version-Divergence Trap: Operational and Quality Risks

The non-interoperability of global change-control regimes creates a significant operational risk: algorithmic version divergence.

If a manufacturer has an active PCCP in the United States, they can update their clinical algorithm in the U.S. every month based on new training data. However, if that same manufacturer operates in the EU, the cost and timeline associated with Notified Body reviews mean they may only update their CE-marked model once a year.

This mismatch results in a scenario where the manufacturer is running parallel, non-equivalent versions of the same product across different geographies:

+--------------------------------------------------------------------------+
|                       ALGORITHMIC VERSION DIVERGENCE                     |
+--------------------------------------------------------------------------+
|  United States:    [ Model v1.0 ] ---> [ Model v1.1 ] ---> [ Model v1.2 ]|
|  (PCCP Approved)   (August 2025)       (Oct 2025)          (Dec 2025)    |
|                                                                          |
|  European Union:   [ Model v1.0 ] -------------------------------------> |
|  (No PCCP)         (August 2025)  [ Locked pending NB Review ]           |
+--------------------------------------------------------------------------+

Running divergent algorithm versions introduces severe quality management and clinical risks:

  1. Divergent Performance Profiles: The diagnostic accuracy, sensitivity, and specificity of the device will vary by market. A clinical paper published in the U.S. demonstrating a specific performance metric will not represent the performance of the device deployed in Europe, leading to clinical confusion and potential liability.
  2. Fragmented Customer Support and Training: The manufacturer’s customer service teams, engineering support, and user training documentation must maintain parallel tracking for different algorithm behaviors, increasing QMS administrative costs.
  3. Post-Market Surveillance (PMS) Complications: Under ISO 13485 and EU MDR, manufacturers must monitor real-world device performance and report adverse events. If an adverse event occurs in Europe, the manufacturer must determine whether the failure was unique to the older model (v1.0) or if it applies to the newer U.S. versions (v1.2), complicating root-cause analysis.
  4. FDA Total Product Lifecycle (TPLC) Tracking: The FDA’s regulatory philosophy increasingly focuses on how software functions behave across their entire lifecycle. Divergent global performance profiles can complicate a manufacturer's TPLC reports. For more information on this approach, read about FDA's total product lifecycle approach to AI devices.

Recommended Reading
How Generative AI Now Picks Medical Devices for Hospital Procurement
Commercialization Digital Health & AI2026-07-16 · 23 min read

Release Management Matrix for Global AI Deployment

To manage this version divergence, manufacturers must establish a structured Release Management Matrix within their Quality Management System (QMS).

The table below outlines the necessary verification steps, regulatory gates, and release schedules for a major software update (e.g., v1.0 to v2.0) vs. a minor hotfix (e.g., v1.0.1):

Release Type U.S. (FDA) EU (MDR / AI Act) Japan (PMDA) QMS Action Required
Major Update (v2.0) (new features / architecture) File new 510(k)/PMA or PCCP amendment Notified Body Design Review (Annex IX) Full PMDA Shonin Amendment Full verification & validation (V&V); clinical bridging trials in JP; update CE technical file
Minor Update (v1.1) (optimized weights) Push under active PCCP (verify via MP) Triggers Review (if substantial change is met under MDR) Notification under IDATEN Confirmation Plan Retrospective risk review; update GUDID registry entries in US; update PMS files
Hotfix (v1.0.1) (non-clinical bug fix) Document under QMS (PCCP documentation) Update technical file (non-substantial change) Notification to PMDA (or document in QMS) Regression testing; update software logs; notify users of patch

Quality System Integration under ISO 13485:2016

To manage a multi-market software release strategy, manufacturers must integrate change-control protocols directly into their ISO 13485:2016 Quality Management System. AI change control cannot exist as an isolated engineering process; it must be audited under the QMS design control and corrective action channels.

1. Design and Development Changes (Clause 7.3.9)

Any update to an AI algorithm must be managed under your QMS Design Change Procedure. The system must document:

  • Change Justification: A clear description of why the algorithm is being updated (e.g., resolving diagnostic drift or adding compatibility for a new sensor type).
  • Verification Protocols: Automated testing regression runs comparing the new model's output against the baseline validation dataset to ensure no degradation in performance.
  • Validation Protocols: Clinical validation using a separate, locked testing dataset that represents the target population for the specific country.

2. Risk Management (ISO 14971)

The risk log for the device must be updated for every release. The risk assessment must evaluate:

  • Algorithm Drift: The risk that the model’s performance degrades when exposed to clinical environments that differ from the training cohort.
  • User Training Mismatch: The risk that clinicians make incorrect decisions because they are operating divergent software versions across different sites.
  • Data Integrity Risks: Risks associated with data pipeline changes, including pre-processing differences (such as image compression or data format changes) that could impact algorithm accuracy.

Regulatory Audit Scenarios: Navigating the MDSAP Audit

During a Medical Device Single Audit Program (MDSAP) audit, which covers the US, Canada, Japan, Australia, and Brazil, inspectors will specifically evaluate your AI software change logs.

Be prepared for the following audit scenarios:

  • Scenario A: The Verifying of the Change Protocol: The auditor selects a minor algorithm update deployed in Canada. They will ask to see your design change logs (ISO 13485 Clause 7.3.9) and the specific PCCP approved under your Health Canada MDL. You must prove that the verification steps run by your engineering team matched the PCCP modification protocol exactly.
  • Scenario B: The Version Control Check: The auditor checks the active version deployed at clinical sites in the U.S. versus those in Japan. If they find that the U.S. site runs v1.2 and the Japanese site runs v1.0, they will ask to see your QMS version control and risk assessment logs. You must demonstrate that your risk assessment (ISO 14971) evaluated the clinical safety impact of running divergent versions and that your technical support teams are trained to support both configurations.

Recommended Reading
Ukraine DLS Medical Device Register Teardown: Germany-First Supply Map
Regulatory Reimbursement & Market Access2026-07-16 · 17 min read

Step-by-Step Quality Workflow: Managing Algorithm Drift

To see how these QMS and regulatory gates operate in practice, let us trace a step-by-step example of an AI cardiology diagnostics company that detects performance drift in its CE-marked and FDA-cleared ECG analysis model.

Step 1: Detection of Performance Drift

During routine Post-Market Clinical Follow-up (PMCF) monitoring, the company’s data team notices a 3% drop in diagnostic sensitivity for detecting atrial fibrillation in European clinical sites using a newly released cardiac recorder model.

Step 2: Risk Assessment and Root-Cause Analysis (ISO 14971)

The engineering team initiates a CAPA (Corrective and Preventive Action) file. The root cause is identified: the new recorder model applies a different noise-filtering algorithm, which introduces high-frequency artifacts that confuse the AI's classification layers. The risk is classified as "moderate" since it could lead to false-negative diagnoses, but is mitigated by clinician verification.

Step 3: Algorithm Retraining and Verification (ISO 13485 Clause 7.3.9)

The team collects 10,000 de-identified ECG strips recorded on the new hardware. They retrain the algorithm’s convolutional layers to ignore the specific artifacts. Verification testing shows that the new model restores sensitivity to 98% on the new recorder while maintaining 99% accuracy on older hardware.

Step 4: U.S. Regulatory Filing (FDA PCCP Execution)

Because the company's U.S. FDA 510(k) contains an authorized PCCP that explicitly pre-approved "retraining on new ECG recorder hardware models," the company executes the PCCP Modification Protocol. They document the verification results in their DHF and release the update (v1.1) to U.S. customers without filing a new FDA submission.

Step 5: EU Regulatory Filing (MDR Substantiality Assessment)

In the EU, the regulatory team conducts a substantiality assessment. Because the update alters the algorithm’s baseline classification weights to accommodate a new hardware brand, the change is deemed substantial under EU MDR. The company locks its European deployments at v1.0 and submits a Design Change Notification to their Notified Body. They must wait 6 months for Notified Body approval before they can push the update (v1.1) to European hospitals.

Step 6: Japan Regulatory Filing (PMDA IDATEN Notice)

In Japan, the company’s MAH reviews the change against the pre-approved Confirmation of Change Plan. The plan covers "adjustments for hardware artifact mitigation." The MAH submits a post-change notification to the PMDA along with the local verification report and releases the update to Japanese clinics.

Step 7: Version-Convergence Verification

The company's Quality Assurance team monitors the deployment. For 6 months, U.S. and Japanese clinics run v1.1, while European hospitals run v1.0. Support teams maintain parallel documentation, and PMS tracking monitors the two distinct versions separately. Once the EU Notified Body issues the certificate, the European sites are updated to v1.1, restoring version convergence.


A Manufacturer's Multi-Market Change-Control Workflow

To avoid the version-divergence trap, AI medical device manufacturers must design their software deployment pipeline around a per-regime change-control stack. Use the following workflow to structure your global update strategy:

  1. Establish the Core Algorithm Release Baseline: Design your algorithm updates around structured, discrete releases (e.g., major version updates) rather than a continuous stream of minor updates. This baseline allows you to synchronize regulatory filings across jurisdictions.
  2. Implement the Aligned Anglo-American Filing: Prepare your change-control documentation using the tri-agency Guiding Principles. Submit your PCCP to the FDA and your PCCP to Health Canada simultaneously. This ensures that your updates in the U.S. and Canada remain synchronized.
  3. File the Japanese IDATEN Plan: Appoint your Japanese MAH to translate and adapt your modification protocol into a PMDA Confirmation of Change Plan. Ensure that the validation testing includes data from East Asian patient cohorts to satisfy PMDA requirements.
  4. Manage the EU Substantiality Decision and Version Lock: For every proposed update, conduct a formal "substantiality assessment" under your QMS.
    • If the change is non-substantial (e.g., minor security patches or interface adjustments), implement the change under your QMS and update the technical file.
    • If the change is substantial, lock the European deployment at the current version. Accumulate substantial changes into a single, major version update and submit a design change notification to your Notified Body.
  5. Execute the Version-Convergence Policy: Establish a QMS policy that limits the maximum allowable version gap between deployments (e.g., no market may run a version more than one major release behind the primary baseline). If the European Notified Body review is delayed, consider holding back the deployment of the update in the U.S., even if authorized under the PCCP, to maintain quality system integrity and prevent version divergence.

Frequently Asked Questions

Does an FDA PCCP satisfy EU AI Act or MDR obligations?

No. The European Union does not recognize the FDA's PCCP framework. Under EU MDR, any modification to an algorithm that changes its performance characteristics, clinical indications, or safety profile is regulated as a "substantial modification." This requires a formal design review and clearance by a Notified Body before the update can be distributed. Furthermore, the EU AI Act layers additional compliance audits on high-risk AI devices, completely independent of FDA approvals.

What is Japan's IDATEN and is it the same as an FDA PCCP?

IDATEN (Improvement Design within Approval for Timely Evaluation and Notice) is Japan's regulatory framework under the PMD Act that allows for pre-approved post-approval changes to SaMD. While conceptually similar to the FDA's PCCP, it uses a Japan-specific "Confirmation of Change Plan" and requires administration by a local Marketing Authorization Holder (MAH) under PMDA supervision. It is not reciprocated by the FDA.

Which regulators are actually aligned on PCCPs?

The U.S. FDA and Health Canada are the most aligned: both co-authored the 2023 Predetermined Change Control Plans Guiding Principles, and Health Canada's April 2026 MLMD guidance now operationalizes a PCCP mechanism in MDL submissions, so the two are largely interoperable. The UK MHRA co-authored the same 2023 principles but has not yet put a statutory PCCP pathway in force (targeted for 2027), and the European Union has no standalone PCCP regulation — though AI Act Annex IV 2(f) and MDCG 2025-6 now allow predetermined changes to be assessed up front so they are not treated as substantial modifications.

How does the EU AI Act affect software updates for medical AI?

Under the EU AI Act, AI-enabled medical devices are classified as "high-risk AI systems." Any "substantial modification" to the AI system—including adjustments to the model training data, decision logic, or safety parameters—requires the manufacturer to re-verify compliance with the AI Act’s requirements (including data bias mitigation and human oversight protocols) and potentially undergo a new conformity assessment by a Notified Body.

Can a manufacturer implement an AI update in the U.S. and withhold it in the EU?

Yes, this is legally possible and common. However, it creates "version divergence," where different versions of the algorithm run in different markets. This increases the complexity of post-market surveillance, user training, customer support, and clinical performance validation. It requires a robust version control system within the manufacturer's QMS.

How do I document AI change control in an MDSAP audit?

Under MDSAP (which covers the US, Canada, Japan, Australia, and Brazil), auditors will verify that software modifications comply with the approved filings in each country. You must show that you have a documented design change procedure (ISO 13485 Clause 7.3.9), that your risk logs reflect the changes, and that you have verified that updates deployed to specific regions conform strictly to local approvals (such as the FDA PCCP or Health Canada PCCP).


Conclusion: Engineering for Global Compliance

The operational reality of launching an adaptive AI medical device is that software development speed is constrained by regulatory speed. While your engineering team can write and test an algorithmic update in a week, the regulatory path to deploying that update globally is a complex, multi-speed journey.

By designing a global regulatory strategy that accounts for the non-equivalence of change-control regimes, and by implementing a strict version-convergence policy within your QMS, you can prevent the version-divergence trap. Success in the global digital health market requires recognizing that compliance is not a single gateway—it is an ongoing process of aligning software releases with localized regulatory requirements across every market you serve.

Related reading: To explore how change control plans are implemented in detail under the FDA, see our guide on how the FDA PCCP works for AI/ML devices. For global software classification rules, read about how countries define and classify SaMD. For navigating European compliance, see our deep-dives on EU AI Act high-risk obligations for medical AI and reconciling EU AI Act and MDR evidence.