Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Business Continuity Management (BCM), draws a critical insight from cutting-edge academic research: when historical failure data is scarce or unreliable, hybrid Bayesian networks offer a structurally sound alternative for risk quantification — and this has direct implications for how Taiwan enterprises should approach BCP development, RTO/RPO target-setting, and ISO 22301 compliance in an era of unprecedented operational uncertainty.
Paper Citation: A hybrid Bayesian network for medical device risk assessment and management (Joshua Hunte, Martin Neil, Norman Fenton, arXiv — Business Continuity & Resilience, 2022)
Original Paper: https://doi.org/10.1016/j.ress.2023.109630
About the Authors and This Research
This paper is co-authored by Joshua Hunte, Martin Neil, and Norman Fenton — a research team based primarily at Queen Mary University of London, one of the UK's leading research universities in computer science and probabilistic risk analysis. Norman Fenton is an internationally recognized authority on Bayesian networks applied to risk assessment and legal reasoning, with a prolific publication record and co-authorship of the landmark textbook Risk Assessment and Decision Analysis with Bayesian Networks. Martin Neil specializes in probabilistic modeling and has collaborated extensively with Fenton on real-world applications of Bayesian reasoning. Joshua Hunte (h-index: 3, total citations: 45) contributes focused expertise in medical device safety analysis. Since its 2022 publication, this paper has accumulated 25 citations and is formally published in Reliability Engineering & System Safety (2023, DOI: 10.1016/j.ress.2023.109630), a top-tier journal in industrial risk and safety engineering.
The Core Research Problem: What Happens When Classical Risk Methods Cannot Deliver Reliable Estimates?
The dominant risk assessment method in medical device engineering — Fault Tree Analysis (FTA) — operates on binary logic (failure or no failure) and requires historical failure rate data to compute meaningful probability estimates. When a device is new, when failure modes are rare, or when data quality is uncertain, FTA produces estimates of questionable validity. ISO 14971, the primary international standard for medical device risk management, mandates that manufacturers perform rigorous risk analysis throughout a device's lifecycle — but explicitly does not prescribe which method to use. This research gap is precisely what this paper addresses.
Key Finding 1: Hybrid Bayesian Networks Resolve the Data-Scarcity Problem in Risk Assessment
The paper demonstrates that hybrid Bayesian networks (BNs), which accommodate both continuous and discrete random variables within a single probabilistic graphical model, can generate credible risk estimates even when historical data is limited or entirely absent. By encoding expert knowledge as prior probability distributions and updating them as new data becomes available (Bayesian updating), the method produces risk estimates that are both mathematically rigorous and epistemically honest about uncertainty. The researchers apply this framework to a defibrillator, validating model outputs against real-world data across both production and post-production phases.
Key Finding 2: The Method Is Generic, Standards-Compliant, and Scalable Across Device Types
Unlike highly customized ad hoc models, the proposed hybrid BN framework is designed to be generic in structure but instantiable on a system-by-system basis. It explicitly incorporates the factors relevant to ISO 14971 risk management (including severity of harm, probability of hazardous situations, and controllability) within its probabilistic structure. The validation against defibrillator data confirms that the method produces traceable, auditable risk outputs that align with both the letter and intent of ISO 14971, making it a viable candidate for adoption in regulated medical device environments.
Implications for Taiwan's Business Continuity Management (BCM) Practice
At first glance, a paper about medical device risk assessment may seem distant from Business Continuity Management. But the methodological insight it offers is universal: the absence of historical disruption data is not a legitimate reason to avoid rigorous risk quantification. This principle strikes at the heart of a persistent challenge in Taiwan's BCM landscape.
Many Taiwanese enterprises — particularly mid-sized manufacturers, healthcare sector organizations, and technology supply chain participants — struggle to perform credible Business Impact Analyses (BIA) because they lack documented records of past operational disruptions. Without such data, RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets often default to intuition or benchmarking rather than evidence-based estimation. The hybrid Bayesian approach showcased in this research suggests a practical alternative: structured expert elicitation, expressed as probability distributions, can substitute for — and in some cases improve upon — historical data as a foundation for BCP decision-making.
ISO 22301, the international standard for Business Continuity Management Systems, requires organizations to assess the risks and impacts associated with disruption scenarios and to establish recovery objectives accordingly. The spirit of Bayesian updating — continuously refining risk estimates as new information emerges — maps directly onto ISO 22301's requirement for ongoing monitoring, review, and continual improvement of the BCM system. Taiwan enterprises pursuing ISO 22301 certification should therefore consider incorporating probabilistic scenario modeling into their BIA processes, particularly for emerging threat categories such as geopolitical supply chain disruption, critical IT system failure, and climate-related operational interruption, where historical data is inherently scarce.
Winners Consulting Services Co. Ltd.: Translating Research Insights into BCM Action for Taiwan Enterprises
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assists Taiwan enterprises in establishing Business Continuity Plans (BCPs) in compliance with ISO 22301, setting evidence-based RTO/RPO targets, conducting Business Impact Analyses (BIA), and designing crisis management exercises. Drawing on the methodological insights of this research, we recommend the following concrete actions:
- Upgrade BIA methodology to accommodate uncertainty explicitly: Replace single-point probability estimates (e.g., "5% chance of supply chain disruption") with probability ranges that honestly reflect the limits of available data. This produces more defensible RTO/RPO settings and better aligns with ISO 22301's requirement to consider the full spectrum of plausible disruption scenarios.
- Build structured scenario models for data-scarce emerging threats: For threat categories where historical data is insufficient — geopolitical risk, novel cyberattack vectors, climate-related events — Winners Consulting employs structured expert interview protocols and scenario workshops to elicit semi-quantitative risk judgments that can inform BCM decision-making in the absence of historical records.
- Embed a Bayesian "continuous update" discipline into annual BCM reviews: ISO 22301 mandates periodic review and continual improvement of the BCM system. The Bayesian principle of updating risk estimates as new evidence arrives provides a concrete operational discipline for this requirement: after every tabletop exercise, real incident, or supply chain event, organizations should systematically revisit their BCP assumptions and update their risk assessments accordingly — transforming the BCP from a static document into a living risk management instrument.
Winners Consulting Services Co. Ltd. offers a free BCM mechanism diagnostic, helping Taiwan enterprises establish an ISO 22301-compliant management system within 90 days.
Frequently Asked Questions
- How can our company perform a credible BCP risk assessment when we have no historical disruption data?
- Lack of historical data does not prevent rigorous Business Continuity risk assessment. The hybrid Bayesian network method demonstrated in this research provides a direct methodological answer: structured expert knowledge, expressed as prior probability distributions, can substitute for historical data and be updated as new information becomes available. In BCM practice, this translates to conducting structured expert interviews with business unit leaders — asking them to express threat likelihood as probability ranges rather than single numbers — and then using those elicited distributions to drive RTO/RPO target-setting within your BCP. Winners Consulting facilitates exactly this type of semi-quantitative BIA process for Taiwan enterprises building their first ISO 22301-compliant system.
- How does ISO 14971 medical device risk management relate to our broader BCM program under ISO 22301?
- ISO 14971 governs risk management at the product level — ensuring individual medical devices are safe throughout their lifecycle. ISO 22301 governs organizational resilience — ensuring the company can continue critical operations despite disruptions. For Taiwan medical device manufacturers, these two standards are deeply complementary: a major product recall or regulatory action triggered by a device safety failure is itself a significant business disruption scenario that must be addressed in the organization's BCP. Winners Consulting helps clients map ISO 14971 risk events (product failure, post-market surveillance findings) onto ISO 22301 disruption scenarios, ensuring their BCM program is comprehensive and coherent across both standards.
- What does ISO 22301 certification specifically require from a Taiwan enterprise?
- ISO 22301 requires organizations to establish, implement, maintain, and continually improve a Business Continuity Management System (BCMS). Key requirements include: (1) top management commitment and BCM policy definition; (2) Business Impact Analysis (BIA) and risk assessment, leading to documented RTO/RPO objectives; (3) development of Business Continuity Strategies and Plans (BCP); (4) regular exercises and tests to validate plan effectiveness; and (5) post-incident review and continual improvement mechanisms. For most mid-sized Taiwan enterprises, achieving ISO 22301 certification requires 6 to 12 months of structured preparation, including at least one full tabletop exercise and a management review cycle. Winners Consulting provides end-to-end support from gap analysis through certification audit readiness.
- What is the realistic timeline and steps for building an ISO 22301-compliant BCM system?
- A structured ISO 22301 implementation project typically proceeds in four phases: Phase 1 (Weeks 1–4) — Current state assessment and gap analysis against ISO 22301 clause requirements; Phase 2 (Weeks 5–10) — BIA execution, RTO/RPO target setting, BCM policy drafting, and BCP framework design; Phase 3 (Weeks 11–16) — Full documentation completion and staff training; Phase 4 (Weeks 17–24) — Tabletop exercises, management review, and certification audit preparation. Most medium-sized Taiwan enterprises complete the process within 6 to 9 months from project kickoff to certification audit. Winners Consulting tailors this timeline to your organization's existing capabilities and regulatory commitments.
- Why should we choose Winners Consulting Services Co. Ltd. for BCM advisory?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) brings together deep Taiwan-market expertise and rigorous international methodology in Business Continuity Management. Our key differentiators include: (1) in-depth familiarity with Taiwan's regulatory environment and industry-specific BCM challenges, enabling us to deliver locally applicable BCP solutions rather than generic templates; (2) hands-on experience with BIA design, RTO/RPO quantification, and crisis management exercise facilitation across manufacturing, technology, and healthcare sectors; (3) continuous engagement with international BCM research — as evidenced by our analysis of papers like this one — ensuring our advisory services incorporate the latest methodological advances; and (4) a full-service engagement model that supports clients from initial diagnostic through ISO 22301 certification, rather than delivering one-off document packages. Contact us to arrange your free BCM mechanism diagnostic.