Project Nexus: Integrated Risk for a Connected Device

Challenge

A digital health company developing a connected drug delivery system struggled to integrate their software and hardware risk assessments. Their ISO 14971 file treated the pump and the mobile app as separate entities, failing to address the unique risks arising from their interaction (e.g., connectivity failures, data breaches).

Solution

Leanabl facilitated a series of integrated risk workshops using a STPA (System-Theoretic Process Analysis) approach. We created a unified Risk Management File that mapped user harms to specific failures in software, hardware, and the interface between them. This included a full cybersecurity threat model based on AAMI TIR57.

Outcome

The integrated Risk Management File was accepted by their Notified Body without any major questions. The process also uncovered two critical design flaws related to data transmission, which were corrected prior to V&V testing, saving an estimated three months of rework and re-testing.