Hong Kong Healthcare Artificial Intelligence Society

Risk Management & the AI Systems Lifecycle

Apply a total product lifecycle approach — pre-market, post-market surveillance, and change management — with holistic risk controls for cybersecurity, bias, and model updates.

Risk management phases across AI medical device lifecycle

Total product lifecycle approach

WHO recommends considering AI across pre-market development management, post-market surveillance, and change management — not only at initial approval. AI performance can change through code updates or new training data, so controls must persist after deployment.

Holistic risk management should address:

  • Cybersecurity threats and vulnerabilities (IMDRF security risk management processes apply);
  • Algorithmic bias, underfitting, and performance degradation;
  • Interoperability with other software in the same clinical environment; and
  • Organisational quality culture and real-world performance monitoring.

Risk-based proportionality

Failure of a diet-adherence app carries different consequences than failure of a diagnostic AI tool. WHO references the IMDRF SaMD risk framework: risk depends on the significance of the information to the healthcare decision (treat or diagnose, drive clinical management, inform clinical management) and the seriousness of the patient's situation (critical, serious, non-serious), yielding categories I–IV.

Higher-risk tools may require stricter evidence, auditing of training data version control, and active reporting of failure cases. Some jurisdictions may limit initial deployment to "AI-ready" institutions with strong surveillance and backup workflows.

Post-market and change management

Post-market monitoring identifies problems not seen in development — especially when diverse users adopt the tool in real workflows. Manufacturers should proactively collect literature, user feedback, and vulnerability disclosures; report serious incidents to regulators; and plan patching, updates, and recovery.

For change management, when models or data change, re-validation may be needed. WHO notes that performance drops after an update often trace to new training data rather than network architecture changes alone.

For Hong Kong practice

When your institution adopts AI:

  • Align local governance with MDACS-listed or exempt devices where applicable;
  • Define who owns post-market monitoring and incident reporting;
  • Plan how algorithm updates will be communicated to clinical users; and
  • Do not assume a one-time procurement sign-off replaces ongoing risk review.

Source: WHO — Regulatory considerations on artificial intelligence for health (2023)
