Risk Analysis (Quality)
Status: Draft v0.1
Owner: BionicLoop engineering
Scope: BionicLoop investigational closed-loop app (Dexcom G7 + OmniPod DASH + Algo2015)
Method
Each hazard is tracked with:
- RA-ID
- hazard statement
- initial severity/probability
- controls
- linked requirements (SRS-*)
- linked verification (TV-*/manual protocol IDs)
- residual-risk note
Severity and probability are currently qualitative (Low, Medium, High) and can be replaced with numeric scoring later.
Risk Register
| RA-ID | Hazard | Initial Risk | Key Controls | SRS Links | Verification Links | Residual Risk |
|---|---|---|---|---|---|---|
| RA-001 | Loop step not executed on expected cadence due to iOS wake variability | High | CGM-triggered doWork, cadence anchor, skip logic, stale-state visibility | SRS-RUN-001, SRS-UI-001 | TV-RUN-001, TV-RUN-002 | Medium |
| RA-002 | Invalid CGM values used as real glucose input | High | Out-of-range sanitize to unavailable (-1), step-0 gate | SRS-CGM-001, SRS-CGM-002 | TV-CGM-001, TV-CGM-002 | Medium |
| RA-003 | Pump unavailable causes incorrect delivery behavior | High | Degraded algorithm input with unavailable pump fields, command block on unavailable pump | SRS-PUMP-001 | TV-PUMP-001, TV-PUMP-002 | Medium |
| RA-004 | Meal announce accepted while pump not safe/ready | High | Meal announce pump-ready gating, borrow-window enforcement | SRS-MEAL-001, SRS-MEAL-002 | TV-MEAL-001, TV-MEAL-002 | Medium |
| RA-005 | Dose quantization mismatch with DASH minimum deliverable dose | Medium | Algorithm constants + command quantization validation + telemetry reconciliation | SRS-PUMP-003, SRS-LOG-001 | TV-PUMP-003, TV-LOG-001 | Low/Medium |
| RA-006 | App relaunch/reset causes state mismatch and unsafe cadence | High | Persisted runtime/algorithm state, explicit full reset semantics | SRS-STATE-001, SRS-STATE-002 | TV-STATE-001, TV-STATE-002 | Medium |
| RA-007 | Home pod status stale despite reconnect | Medium | Connection-driven refresh path, observer wiring | SRS-PUMP-004 | TV-PUMP-004 | Low |
| RA-008 | Missing auditability of algorithm inputs/outputs/commands | High | Per-step telemetry capture and traceability mapping | SRS-LOG-001, SRS-LOG-002 | TV-LOG-001, TV-LOG-002 | Medium |
| RA-009 | Sensitive telemetry exposed or leaked | High | Controlled export path, cloud-security plan, least-privilege storage | SRS-SEC-001, SRS-SEC-002 | TV-SEC-001, TV-SEC-002 | Medium |
| RA-010 | User workflow errors (profile, meal UI, status interpretation) | Medium | Explicit UI states, unavailable reasons, SOP-driven usability checks | SRS-UI-001, SRS-UI-002, SRS-VAL-001 | TV-UI-001, TV-UI-002 | Medium |
| RA-011 | Critical device/runtime alerts are missed, delayed, or masked by lower-severity messages | High | Multi-source alert normalization, severity precedence, debounce/coalescing rules, explicit ack/clear policy, protocol-aligned wording | SRS-ALERT-001, SRS-ALERT-002, SRS-ALERT-003, SRS-ALERT-004, SRS-ALERT-005, SRS-ALERT-006 | TV-ALERT-001, TV-ALERT-002, TV-ALERT-003, TV-ALERT-004, TV-ALERT-005 | Medium |
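As an added example (not part of this draft or the BionicLoop code base), the following check enforces the tracking structure described under Method on rows in the register format above: every hazard must carry at least one SRS-* and one TV-* link, IDs must be well-formed, RA-IDs must be unique, and residual risk must not exceed initial risk. The ordering of the qualitative scale (Low < Low/Medium < Medium < High) is an assumption until the scoring matrix in Open Items is agreed.

```python
import re

# Rows copied from the risk register above (three of the eleven; the others parse the same way).
REGISTER = """\
| RA-ID | Hazard | Initial Risk | Key Controls | SRS Links | Verification Links | Residual Risk |
|---|---|---|---|---|---|---|
| RA-001 | Loop step not executed on expected cadence due to iOS wake variability | High | CGM-triggered doWork, cadence anchor, skip logic, stale-state visibility | SRS-RUN-001, SRS-UI-001 | TV-RUN-001, TV-RUN-002 | Medium |
| RA-002 | Invalid CGM values used as real glucose input | High | Out-of-range sanitize to unavailable (-1), step-0 gate | SRS-CGM-001, SRS-CGM-002 | TV-CGM-001, TV-CGM-002 | Medium |
| RA-005 | Dose quantization mismatch with DASH minimum deliverable dose | Medium | Algorithm constants + command quantization validation + telemetry reconciliation | SRS-PUMP-003, SRS-LOG-001 | TV-PUMP-003, TV-LOG-001 | Low/Medium |
"""

# Assumed ordering of the qualitative scale; "Low/Medium" sits between Low and Medium.
LEVEL = {"Low": 0, "Low/Medium": 1, "Medium": 2, "High": 3}
COLUMNS = ("ra_id", "hazard", "initial", "controls", "srs", "tv", "residual")
ID_PATTERN = {"ra_id": r"RA-\d{3}", "srs": r"SRS-[A-Z]+-\d{3}", "tv": r"TV-[A-Z]+-\d{3}"}


def parse_register(text):
    """Parse markdown table rows into dicts; the header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0] in ("RA-ID", "---"):
            continue
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def check_register(rows):
    """Return {RA-ID: [findings]} for rows that break traceability or risk-level rules."""
    findings, seen = {}, set()
    for row in rows:
        issues = []
        if row["ra_id"] in seen:
            issues.append("duplicate RA-ID")
        seen.add(row["ra_id"])
        if not re.fullmatch(ID_PATTERN["ra_id"], row["ra_id"]):
            issues.append("malformed RA-ID")
        for col in ("srs", "tv"):  # every hazard needs both a requirement and a verification link
            links = [x for x in (s.strip() for s in row[col].split(",")) if x]
            if not links:
                issues.append(f"no {col.upper()} link")
            issues += [f"malformed link {x}" for x in links if not re.fullmatch(ID_PATTERN[col], x)]
        init, resid = LEVEL.get(row["initial"]), LEVEL.get(row["residual"])
        if init is None or resid is None:
            issues.append("unknown risk level")
        elif resid > init:  # controls must not make the hazard look worse than before mitigation
            issues.append("residual risk exceeds initial risk")
        if issues:
            findings[row["ra_id"]] = issues
    return findings


if __name__ == "__main__":
    print(check_register(parse_register(REGISTER)) or "register is traceable")
```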
Open Items
- Replace qualitative risk levels with agreed scoring matrix.
- Add explicit residual-risk acceptance criteria and sign-off roles.
- Add cybersecurity threat model outputs as linked hazards (RA-SEC-*) once finalized.