ISO 14971¶
The iso-14971 pack enforces rules based on ISO 14971:2019 -- Application of risk management to medical devices. It covers input validation, error handling, fail-safe defaults, defensive programming, and the full risk management documentation lifecycle.
Organization tier required
This pack requires an Organization or Enterprise license key. See sentrik.dev for details.
Enable¶
Rules¶
The pack includes 16 rules across code enforcement and documentation obligations:
Code rules (10)¶
| ID | Clause | Severity | Description |
|---|---|---|---|
| ISO14971-001 | 5.5 | critical | Dynamic code execution (eval/exec) is a critical hazard |
| ISO14971-002 | 5.5 | critical | Unsafe deserialization (pickle, yaml.load) allows arbitrary code execution |
| ISO14971-003 | 5.5 | critical | Unsafe string functions (gets, strcpy, strcat, sprintf) are hazardous due to buffer overflow |
| ISO14971-004 | 5.5 | critical | SQL queries built via string formatting are vulnerable to injection |
| ISO14971-005 | 6.2 | high | Bare except clauses mask safety-critical errors and prevent hazard detection |
| ISO14971-006 | 6.2 | high | Empty catch blocks silently swallow errors in safety-critical paths |
| ISO14971-007 | 6.2 | high | Catching generic Exception hides specific failure modes that may constitute hazards |
| ISO14971-008 | 5.5 | critical | Hardcoded credentials violate access control risk mitigations |
| ISO14971-009 | 7.4 | medium | TODO/FIXME comments indicate unresolved issues that may represent unmitigated hazards |
| ISO14971-010 | 5.5 | high | MD5 and SHA-1 are cryptographically broken and their use is a known hazard |
Documentation obligations (6)¶
| ID | Clause | Description |
|---|---|---|
| ISO14971-011 | 4.4 | Risk Management Plan defining scope, responsibilities, and acceptance criteria |
| ISO14971-012 | 5.4 | Hazard identification for all foreseeable hazards and hazardous situations |
| ISO14971-013 | 5.5 | Risk estimation using defined severity and probability for each hazard |
| ISO14971-014 | 6.2 | Risk control measures identified, implemented, and verified |
| ISO14971-015 | 6.4 | Residual risk evaluation and documentation after control measures |
| ISO14971-016 | 8 | Risk Management Report summarizing the process and results |
Use case¶
Medical device manufacturers building software under ISO 14971 risk management requirements. The pack provides:
- Hazard detection -- Catches critical code-level hazards including unsafe deserialization, buffer overflows, SQL injection, and uncontrolled dynamic code execution
- Error handling enforcement -- Flags bare excepts, empty catch blocks, and generic exception handling that mask safety-critical failures
- Risk management lifecycle -- Documentation obligations cover the full ISO 14971 process from Risk Management Plan through hazard identification, risk estimation, control measures, residual risk evaluation, and final Risk Management Report