MFDS Vigilance Reporting: 2026 Updated Timelines and Forms

Summary

MFDS issued Notification 2026-YY on April 3, 2026, revising the medical device adverse event reporting framework with effect from July 1, 2026. The most consequential changes are tightened reporting clocks for serious events and new mandatory fields for software-related and AI/ML-related adverse events. The 2026 framework also formalizes the long-informal expectation that the KLH (not the manufacturer) is the primary reporting party.

What Changed

Tightened Reporting Timelines

Three event categories saw timeline changes:

Event severity	Prior deadline	2026 deadline
Death	15 calendar days	7 calendar days
Serious injury / unanticipated hospitalization	30 calendar days	15 calendar days
Malfunction (no harm, but recurrence could cause harm)	30 calendar days	30 calendar days (unchanged)
Trend signals not yet meeting threshold	Annual PMS report	Annual PMS report (unchanged)

The shortened death-reporting clock brings Korea closer to the FDA's 5-day MDR threshold for deaths, though still slightly longer.

New Mandatory Fields for Software-Related Events

For events involving software-based devices (including SaMD and AI/ML devices), the reporting form now requires:

1. Software version at the time of the event
2. Configuration parameters in effect when the event occurred (for configurable systems)
3. AI/ML model version and training dataset identifier (for AI/ML devices)
4. Network connectivity status at the time of the event (online, offline, intermittent)
5. User account context (operator role, authentication method)

These fields are mandatory regardless of whether the event was confirmed to be software-related. The intent is to enable MFDS to retrospectively analyze software contributions to adverse events.

Formalization of KLH Reporting Responsibility

Prior to the 2026 framework, the question of who files the vigilance report — the manufacturer directly or the KLH — was handled by convention. The new framework explicitly designates the KLH as the primary reporting party for events occurring in Korea. The manufacturer remains responsible for the underlying technical investigation and root cause analysis but does not file the report directly.

This formalization has practical implications:

• KLH agreements should be reviewed to confirm the KLH has the contractual obligation, the portal access, and the SLA to report within the new timelines.
• KLHs that have been relying on the manufacturer to file directly will need to take over portal access and training.
• The manufacturer's role becomes supporting the KLH with technical content (root cause, corrective action) within the 7-day window for deaths.

What Stayed the Same

• The exemption for events occurring outside Korea — these continue to be reported only if they result in regulatory action that affects Korean-marketed devices.
• The PMS plan structure and annual reporting cadence.
• The integration with KGMP — vigilance procedures remain audited as part of KGMP scope.
• The MFDS Adverse Event Reporting System (the portal itself is unchanged; only the form fields are extended).

Three Action Items Before July 1

Action 1 — Audit your KLH agreement. Confirm the KLH has the contractual obligation to file vigilance reports, the access credentials, and an SLA that aligns with the new 7-day death clock. If the SLA is silent or longer than 5 business days (allowing time for manufacturer-side technical input), it needs amendment.

Action 2 — Build the 5-day RCA template. Death-event reports filed within 7 calendar days require preliminary root cause analysis. A 5-day RCA template — covering hazard identification, mechanism hypothesis, preliminary mitigation assessment, and confidence-level disclosure — is essential. Full investigation can continue post-filing; the 7-day clock requires the preliminary version.

Action 3 — Extend the complaint intake form. Update the KLH-side complaint intake form to capture the new mandatory fields (software version, configuration, AI model version, connectivity status, user context) at the time of complaint receipt. Retrofitting this data from the manufacturer's records after the fact is harder than capturing it from the complainant on intake.

Common Mistakes Already Surfacing

In the 90 days between announcement and effective date, three patterns have already emerged in pre-July filings:

1. Filing under the old timeline. Manufacturers and KLHs continuing to file death reports at day 14 will receive a non-compliance notice from MFDS at the next surveillance inspection. Even pre-July events that finish their clock after July 1 should be treated under the new timeline.

2. Treating the new software fields as optional. They are not. Forms missing the mandatory software fields are returned for completion, restarting the administrative clock.

3. Assuming the manufacturer's filing satisfies the requirement. It does not. After July 1, the KLH must be the filing party. Manufacturer-only filings will be rejected.

What MFDS Has Not Yet Clarified

Two areas where industry has asked for clarification:

1. Cybersecurity events. Are cybersecurity vulnerabilities discovered but not yet causing harm to be reported as adverse events? The notification is silent. Industry interpretation is that pure vulnerabilities are post-market security disclosures (separate process), not vigilance reports.

2. AI/ML model performance drift. Is documented performance degradation that triggers retraining a vigilance event, or a quality system signal? The notification implies the latter (quality system / PMS), but specific guidance is pending.

A clarification notification is expected by end of 2026.

How This Connects to PMS and License Maintenance

Vigilance is the reactive arm of post-market regulation. The proactive arms — PMS trending and license maintenance filings — are unchanged by the 2026 notification but are increasingly integrated with vigilance through the MFDS portal. Manufacturers running disjointed PMS, vigilance, and license maintenance procedures will find the integrated portal flow uncomfortable. Consolidated post-market procedures, covered in our Post-Market Surveillance Under MFDS guide, position better for the new framework.

Official Source

Notification 2026-YY (Revised Medical Device Adverse Event Reporting Framework), published by MFDS on April 3, 2026, with effective date July 1, 2026. Official Korean text is available on the MFDS website.

Where Leanabl Plugs In

Our Vigilance and PMS services together cover the reactive and proactive post-market regimes under the new framework, including KLH coordination and the 5-day RCA template. For manufacturers wanting one operational program covering all post-market obligations, Korea Post-Market Operations bundles the work. License-maintenance impact of vigilance findings is handled through Korea License Maintenance.