Hong Kong paves the way for mandatory regulatory framework for medical devices

Author: Jenny Lin, Senior Manager, Medical Devices / IVD, Australia 

Following the announcement of the new tender requirement for medical devices by the Department of Health (DoH) in Hong Kong, the Medical Device Division (MDD) of the DoH released a series of guidance notes and technical references for medical devices within a 2-month period.  This is a step further on its path to implementing a mandatory regulatory framework for governing medical devices.  


Major Changes Require Prior Approval 

Effective from 30 November 2023, the MDD implemented major changes which impact the safety, quality and performance of a listed medical device. These changes require documentation be submitted to and approved by the MDD according to the newly released guidance document ‘GN-10 Guidance Notes for Changes of Listed Medical Devices’. The key changes include those that may: 

  • result in new risks not previously identified;  
  • increase the chance of existing hazard occurring; or 
  • change the presentation of the existing and new risks. 

It should be noted that some changes that are typically considered as “significant changes” in other major markets (such as the US, Europe and Australia) do not necessarily qualify as major changes in Hong Kong. An example of this is the shift of sterilization facilities: relocation of a sterilization site without changing sterilization method/process and sterile barrier system may be considered to be a minor change in Hong Kongi 


In addition, some changes affecting Quality Management System (QMS) documentation that was not previously submitted to the MDD as part of a Listing Application may still be treated as a major changeii. For example, changes made to the manufacturing process, equipment, facility or critical supplier that affect the product’s safety, quality and performance are considered to be major changes. Currently , a Listing Application does not necessarily require a detailed assessment of the manufacturers’ QMS processes unless specifically requested by an assessor. Therefore, the criteria for submitting a change application are independent of whether the same level of detail had been reviewed during the initial Listing Application. 


The GN-10 guidance provides detailed flowcharts to assist in determination of major or minor changes. Readers are encouraged to refer to the flowcharts and document the rationale for the categorization (major or minor) of their proposed changes.  


Major changes must be approved by the MDD prior to implementationiii. Failure to do so may result in the changed product no longer being regarded as listed under the Medical Device Administrative Control System (MDACS)iv. 

Minor changes are also notifiable to the agency and the notification should be lodged within 24 weeks from the time the Local Responsible Person (LRP) became aware of the changev.


Software and Cybersecurity  

 On 29 December 2023, the MDD issued a new Technical Reference (TR-007: Software Medical Devices and Cybersecurity) to formally define SaMD (Software as A Medical Device) and SiMD (Software in a Medical Device) and to address applicability of the relevant classification rules for both types. The Technical Reference also captures the agency’s expectations on the Technical Documentation for software MDs for their listing under MDACS. Aside from the general requirements, such as compliance with Essential Principles for Safety and Performances, which apply to all MDs, there are specific requirements for software MDs, including:  


      • Device identification information such as device model, product codes and software versions, are recommended to be included on the Device Labelling (physical labels, instructions for use, user manuals etc.) to allow product identification and traceability; and 
      • For Software MDs without physical labelling, manufacturers should provide electronic copies downloaded from a website or provide screenshots from the website

Software verification and validation: 

      • It is encouraged that manufacturers follow “IEC 62304 Medical device software- Software life cycle processes” or equivalent standards to demonstrate compliance to the requirements. 

Software versioning and traceability: 

      • Manufacturers are required to clearly identify the software version in the pre-market submission and to ensure that the version used in the submitted technical files is equivalent to the one to be listed with MDACS. 
      • For any version update, including major and minor change, manufacturers should work with LRP to submit a change application according to the above-mentioned Guidance Note GN-10.  


      • Manufacturers of software MDs with connectivity capabilities should demonstrate it has addressed cybersecurity risks as part of its risk management process throughout the useful life of the device. Evidence should be in place to support that the manufacturer has met the basic cybersecurity requirements, including steps to avoid brute force attacks on the device’s authentication mechanisms, a system to manage vulnerability reporting, and procedures for ongoing/proactive monitoring and identification of new threats. The following two standards are recommended by the agency: 
        • ISO 27032 Cybersecurity- Guidelines for Internet Security 
        • ISO/IEC 27001 Information security, cybersecurity and privacy protection. Information security management systems. 

Changes to Software MDs: 

      • Manufacturers should also refer to the above-mentioned Guidance Note GN-10 (specifically, flowchart D Changes to Software for Medical Devices) before making changes to software MDs to assess its categorization (major or minor) and report to the MDD as appropriate.  

Artificial Intelligence (AI) and Machine Learning (ML) Enabled Devices 

Although not meant as mandatory documents to be incorporated in a submission dossier for a Listing Application, on 3 January 2024 the MDD released another Technical Reference (TR-008: Artificial Intelligence Medical Devices) to elaborate its expectation on the documentation requirements applicable to AI or ML-enabled devices (collectively, “AI-MD”). The following information should be made available upon request by the agency: 

  • Datasets: e.g., input data that is used to generate the output data, training, validation and test datasets, including source and size 
  • Al model selection: a description on the ML model, including any base model used 
  • Performance and clinical evaluation: e.g., verification and validation tests protocols and reports, clinical relationship between the output and clinical conditions 
  • Deployment: device workflow, interval for training data update cycle in cases where data is collected after deployment, software version and traceability procedures/plans for iterations. 

Manufacturers of AI-MDs equipped with continuous learning capability (CLC) should also have the following information readily available for review if requested by the agency:  

  • a description of the continuous learning process of the AI-MD 
  • safety mechanism to detect anomalies and inconsistencies of the output data and the mitigation method 
  • the inclusion and exclusion criteria for the real-world data collected during deployment to prevent potential bias 
  • measures to ensure data integrity, reliability and validity of the new data set used for learning  
  • Software version control process in case of frequent updates and availability of a roll-back option to the previous version 

Manufacturers should also consider the unique nature of AI-MDs after deployment with regard to post-market responsibilities, including implementing a process to proactively trace and monitor the product performance in clinical setting, a system to prevent potential concept drift for those with CLC, and a mechanism to collaborate with the local representative (also known as the LRP), importers and distributors to record and report real-world performance. Again, the MDD can request post-market reports as it deems necessary. 



i Flowchart C, p. 10, Medical Device Administrative Control System (MDACS), Department of Health, The Government of the Hong Kong Special Administrative Region. https://www.mdd.gov.hk/filemanager/common/mdacs/GN-10.pdf 

ii Flowchart A, p. 8, https://www.mdd.gov.hk/filemanager/common/mdacs/GN-10.pdf 

iii Per Section 3.2https://www.mdd.gov.hk/filemanager/common/mdacs/GN-10.pdf 

iv Per Section 3.3https://www.mdd.gov.hk/filemanager/common/mdacs/GN-10.pdf 

v Per Section 5.2.1https://www.mdd.gov.hk/filemanager/common/mdacs/GN-10.pdf 


This blog is intended to communicate PharmaLex’s capabilities which are backed by the author’s expertise. However, PharmaLex US Corporation and its parent, Cencora, Inc., strongly encourage readers to review the references provided with this article and all available information related to the topics mentioned herein and to rely on their own experience and expertise in making decisions related thereto as the article may contain certain marketing statements and does not constitute legal advice. 

Contact us for more information

Scroll to Top