NASA has published the guidelines that it uses for writing safety-critical code. The agency primarily uses C for safety-critical code, but the guidelines are also applicable to other languages. Here are the guidelines:
- Restrict all code to very simple control flow constructs. Do not use GOTO statements, setjmp or longjmp constructs, or direct or indirect recursion.
- All loops must have a fixed upper bound.
- Do not use dynamic memory allocation after initialization.
- No function should be longer than what can be printed on a single sheet of paper (in a standard reference format with one line per statement and one line per declaration.)
- The assertion density of the code should average a minimum of two assertions per function. Assertions must always be side effect-free and should be defined as Boolean tests.
- Data objects must be declared at the smallest possible level of scope.
- Each calling function must check non-void function return values, and the validity of parameters must be checked inside each function.
- Preprocessor use must be limited to the inclusion of header files and simple macro definitions. Token pasting, variable argument lists (ellipses), and recursive macro calls are not allowed.
- The use of pointers should be restricted. Specifically, no more than one level of dereferencing is allowed.
- All code must be compiled, from the first day of development, with all compiler warnings enabled at the compiler?s most pedantic setting. All code must compile with these setting without any warnings.
