§01
The Change Programme
The Programme runs eleven workstreams covering qualification, classification, pre-market, post-market, cybersecurity, and AI-specific transparency. It is iterative · each workstream produces guidance that can be applied without waiting for the others to finish.
- Qualification & classification · when software is a device, and how it lands in a class.
- Pre-market · clinical evaluation and best practice for AI-enabled SaMD.
- Post-market · vigilance, surveillance, and managing change for adaptive systems.
- Cybersecurity · aligned with NHS DTAC and broader UK cyber expectations.
§02
AI Airlock · the regulatory sandbox
The AI Airlock pairs the MHRA with manufacturers, approved bodies, and the NHS to test how novel AI medical devices can be safely regulated. The pilot ran Apr 2024–Mar 2025; the Pilot Programme Report was published 16 October 2025, and a Phase 2 cohort is now running through 2025–26. It is the closest thing in any major jurisdiction to a live conversation between developers and the regulator before product launch.
§03
Transparency and the clinician
MHRA guidance on transparency centres on the user · what does a clinician need to know to use an AI output safely? The bar is rising for intended-use statements, performance by subgroup, known limitations, and the human oversight model.
§04
Cybersecurity
The MHRA aligns with IMDRF principles on medical device cybersecurity and expects manufacturers to manage threat models, SBOMs, vulnerability disclosure, and post-market patching. Devices used inside the NHS additionally face DTAC and CE/UKCA evidence requirements.