Hong Kong MDD Issues New Technical Reference Document for SaMD, SiMD and Cybersecurity
Published on: January 18th, 2024
Hong Kong’s Medical Device Division has released a new technical reference document related to software medical devices (SaMD and SiMD). Released on December 29, 2023, TR-007: Software Medical Devices and Cybersecurity, aims to provide more clarity for Software in a Medical Device (SiMD) and standalone software (Software as a Medical Device (SaMD)), specifically related to definitions, classification and cybersecurity.
A full list of Hong Kong MDD’s Technical Reference documents can be found here.
Listing Software on the MDACS and Maintaining Compliance
The new technical reference document, TR-007, asserts that SaMD is considered a medical device under Hong Kong’s MDACS and can be listed under their voluntary system. While listing of medical devices on MDACS is currently voluntary, listings are highly preferred by public institution purchasing departments. Therefore, it is recommended that manufacturers list products intended to be sold to public establishments.
After being listed, manufacturers will need to work closely with their Local Responsible Person (LRP) to guarantee ongoing compliance with version controls. The MDD introduced updated change notification guidance towards the close of 2023 which outlined the differences between minor and major changes. You can read more about the new new change notification guidance here.
Classification of SaMD and SiMD in Hong Kong
The guidance states that the classification of software medical devices follows the risk-based classification principles outlined in Technical Reference TR-003. Software devices are considered active medical devices and classified in accordance with the formal intended use statement.
Software as a Medical Device (SaMD) is defined as:
software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.
SaMD typically functions independently and does not require collaboration with a hardware medical device. Generally, SaMD should be listed autonomously and be classified based on its own characteristics using the classification rules outlined in TR-003 and TR-006. Common examples of SaMD include mobile apps, imaging software, and AI applications.
Software in a Medical Device (SiMD) is defined as:
software intended to be used for one or more medical purposes that perform these purposes by controlling and operating a hardware medical device or operating in a medical computing platform.
SiMD typically integrates with a hardware medical device as a component or accessory. In these cases, classification should align with the intended use of this combination. Applicants are recommended to include this software in conjunction with the associated hardware medical device. Common examples of SiMD include patient monitors, ventilators, infusion pumps, etc.
Technical Document Requirements
Technical document requirements are similar to non-software medical devices with the exception of more obvious documents such as biocompatibility, manufacturing process, and other items related to physical device production.
Document requirements expected by the MDD, as part of the MDACS listing application, include:
- A quality management system (QMS) – ISO 13485 is considered the standard but the MDD will accept equivalent QMS such as 21 CFR Part 820 (USFDA), or Medical Device Single Audit Program (MDSAP)
- Essential Principles (Technical Reference TR-004)
- International standards such as “Medical Device Administrative Control System Essential Principles Conformity Checklist” (MD-CCL or IVDMD-CCL) or Essential Requirements / General Safety and Performance Requirements Checklist in accordance with relevant European Union (EU) Medical Device directives or regulations are acceptable.
- Labeling must meet the requirements outlined in Technical Reference TR-005: Additional Medical Device Labelling Requirements and Special Listing Information (as specified in Clause 4.4.13 of Guidance Notes GN-01 Guidance Notes for Overview of the Medical Device Administrative Control System).
- Risk Management requirements follow the international standard ISO 14971 Medical Devices — Application of Risk Management to Medical Devices in addition to the Hong Kong specific cybersecurity requirements outlined in Clause 5.5.3 of the new TR-007 guidance.
- Clinical Evaluation establishes the acceptability of risks and side effects when weighed against the intended benefits of the device and should follow the international standard ISO 14155 Clinical investigation of medical devices for human subjects – Good Clinical Practice.
- Marketing approvals from reference countries including the US, Canada, Europe, Japan, Australia, Mainland China, and/or South Korea. Note: Products approved by 2 or more reference markets will be reviewed quicker.
- Software Verification and Validation. Manufacturers are encouraged to refer to the international standard IEC 62304 Medical device software – Software life cycle processes.
- Software Versioning and Traceability. Manufacturers should have clear processes for tracking versions of their software and will need to work with their Local Responsible Person (LRP) to submit change applications for new versions in accordance with Guidance Notes GN-10 (Guidance Notes for Changes of Listed Medical Device).
- Cybersecurity Management. Manufacturers will need to demonstrate that they identified potential threats and implemented appropriate measures to mitigate risks.
Cybersecurity management refers to manufacturers considering the potential cybersecurity threats medical devices face when connected to the internet and potential risks posed to patient data or the product’s functionality. Applicants can refer to ISO 27032 Cybersecurity – Guidelines for Internet Security and ISO/IEC 27001 Information security, cybersecurity and privacy protection. Information security management systems for best practices. Primary considerations include:
- General items such as administrative protocols, application of standards, provision of user data, etc.
- Technical aspects such as penetration testing, operating platform security, etc.
- Environmental functionality such as connecting to networks and uploading/downloading data.
- Physical considerations such as mechanical locks on devices, physically securing networks, and waste management.
- Social concerns such as minimizing social engineering threats (e.g. phishing, impersonation, baiting, tailgating).
More information on the cybersecurity management requirements and guidance can be found in sections 5.5.3 to 5.5.7 of TR-007: Software Medical Devices and Cybersecurity.
Come Grow With Us
Please contact us if you’d like support understanding these new requirements or are interested in registering your product in Hong Kong. Asia Actual specializes in helping medical device manufacturers grow their sales in Asia with experienced, bi-lingual commercial and regulatory experts on the ground in each market. Contact Asia Actual today with any questions or support requests.
Asia Actual is a regulatory consulting company specializing in helping manufacturers grow their sales through independent license holding, direct fulfillment, and a variety of sales channel support services.