Improving organizational resilience in High Reliability Organizations

15.12.2023

In High Reliability Organizations (HROs), such as nuclear power plants and the aviation and medical device industries, risk management has been taken seriously for decades. Several tools have been implemented to help minimize the realization of risks. Typically, risk management is a multidisciplinary effort focused on improving the quality control and overall reliability of a product or service in development or on the market. The medical device industry is heavily regulated, and many medical devices are implemented as software.

The latest risk-minimizing discipline in the medical device industry is Resilience Engineering. In this thesis, Hollnagel’s four cornerstones of resilience (to monitor, to anticipate, to learn and to respond) were used to determine how to speed up the processing of delays in SW development caused by hidden risks.

Could the hidden risks in SW development be considered indications of reduced resilience?

Software development can be divided into several steps (for example requirement definition, implementation, testing and deployment to production) that create a natural chain of checkpoints and milestones. Each requirement and functionality has its own lifecycle inside the whole development process. This is true when modern SW project development methods, like Agile, are used in the organization. If you can measure the time between the introduction of a cause of degraded functionality and its detection, you can also calculate the lifespan of a failure. By collecting other metadata, such as customer and SW component version(s), for each detected and realized risk, you can group the risks and determine which parts of the system or process (which development step) cause most of the risks to the overall SW development work.
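The measurement described above can be sketched in a few lines. This is an added example, not code from the thesis or the commissioning organization; the work-item field names (`step`, `component`, `introduced`, `detected`) and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample work items; all field names and values are assumptions.
RISKS = [
    {"id": "R-1", "step": "requirements", "component": "dosing-ui", "version": "2.1",
     "customer": "A", "introduced": date(2023, 1, 10), "detected": date(2023, 3, 1)},
    {"id": "R-2", "step": "implementation", "component": "dosing-ui", "version": "2.1",
     "customer": "A", "introduced": date(2023, 2, 1), "detected": date(2023, 2, 15)},
    {"id": "R-3", "step": "requirements", "component": "report-api", "version": "1.4",
     "customer": "B", "introduced": date(2023, 2, 1), "detected": date(2023, 4, 2)},
    {"id": "R-4", "step": "testing", "component": "report-api", "version": "1.4",
     "customer": "B", "introduced": date(2023, 3, 5), "detected": date(2023, 3, 8)},
    {"id": "R-5", "step": "implementation", "component": "report-api", "version": "1.5",
     "customer": "B", "introduced": date(2023, 3, 10), "detected": None},
]

def lifespan_days(item):
    """Days from introduction of the cause to its detection; None if still undetected."""
    if item["detected"] is None:
        return None
    days = (item["detected"] - item["introduced"]).days
    if days < 0:  # a record detected before it was introduced is a data error
        raise ValueError(f"{item['id']}: detected before introduced")
    return days

def summarize(items, key):
    """Group risks by a metadata key and rank groups by total days of exposure."""
    detected, still_open = defaultdict(list), defaultdict(int)
    for item in items:
        days = lifespan_days(item)
        if days is None:
            still_open[item[key]] += 1  # hidden risk not yet surfaced
        else:
            detected[item[key]].append(days)
    rows = []
    for group in set(detected) | set(still_open):
        spans = detected.get(group, [])
        rows.append({"group": group, "detected": len(spans), "open": still_open[group],
                     "total_days": sum(spans),
                     "median_days": median(spans) if spans else None})
    return sorted(rows, key=lambda r: (-r["total_days"], r["group"]))

if __name__ == "__main__":
    for key in ("step", "component"):
        print(key, summarize(RISKS, key))
```

Ranking by total days rather than by count keeps a step that produces few but long-lived failures from hiding behind one that produces many short-lived ones.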

When these risks are considered factors that reduce resilience, the development team should analyze the root causes of the realized risks and anticipate potential risks. The first-phase response proposed in this thesis for the commissioning organization is to implement changes or to procure a risk management tool that would support the collection of data and metadata from work items, like user stories and functionalities, that are potential risk items or realized risks. Currently, several commercial products claim to fulfil requirements from a resilience perspective even for HROs like the commissioning organization of this thesis, but how well these solutions would fit its CI/CD pipeline has to be evaluated during the procurement process. One critical part of improving any organization's resilience is to check whether the annual clock is up to date.

Is your organization taking into account the changing regulatory landscape?

One critical response that improves organizational resilience is to check whether the annual clock is up to date. For example, in the medical device industry in Finland there have been many updates to local and EU-level regulations. The Finnish Act on the Electronic Processing of Client Data on Healthcare and Social Welfare was updated this year and becomes effective at the beginning of 2024, and the EU is planning a new AI Act and updated the EU Cybersecurity Act earlier this year. These are a few examples of regulatory changes that will have a direct or indirect impact on the medical device industry in the foreseeable future. All HROs should establish the correct takt for checking regulatory changes in their annual clock.


A semi-structured interview proved to be a good way to learn where improvement and optimization of tools and processes would yield the best gain. In this thesis, several data and metadata measurements that could improve resilience in the area of risk management were identified. Medical device manufacturers can improve resilience by starting to use these measurements in their risk management. Medical service providers, like the wellbeing services counties in Finland, can evaluate the resilience of potential suppliers during tenders by asking bidders how they measure resilience and about their general approach to resilience.

References:

Peltokorpi, M. 2023. Resilient Risk Management : case study on medical device risk management, Theseus – Turku University of Applied Sciences thesis.

Wiig, S. and Fahlbruch, B. (eds) (2019) Exploring Resilience: A Scientific Journey from Practice to Theory. Cham: Springer International Publishing (SpringerBriefs in Applied Sciences and Technology). Available at: https://doi.org/10.1007/978-3-030-03189-3.

Christopher Nemeth, Erik Hollnagel, and Sidney Dekker (2019) Resilience Engineering Perspectives, Volume 2: Preparation and Restoration. CRC Press. https://www.routledge.com/Resilience-Engineering-Perspectives-Volume-2-Preparation-and-Restoration/Hollnagel-Nemeth/p/book/9780367385408.
