Embedded C Coding Standards for Medical Devices
Purpose
Define C coding practices aligned with MISRA C and medical device safety needs: type safety, control flow, memory management, interrupts, and static analysis.
When to Apply
- •All C firmware code for safety-related device functions.
- •New modules, refactors, or code reviews affecting safety classes.
Requirements (testable)
- •Types: Use fixed-width integers (
uint32_t, etc.); avoid implicit type promotions; enable warnings-as-errors (-Wall -Wextra -Werror). Rationale: predictability. - •Const Correctness: Mark read-only data/parameters
const; avoid casting away const. Rationale: prevent unintended mutation. - •Control Flow: No recursion; bounded loops; single exit per function preferred unless clarity dictates otherwise. Rationale: analyzability.
- •Memory: Avoid dynamic allocation in safety-critical paths; prefer static or pooled allocation; no unchecked
malloc. Rationale: determinism. - •Pointer Safety: No pointer arithmetic on unrelated objects; check for null before deref; avoid double-free; restrict casts. Rationale: memory safety.
- •Interrupt Safety: ISRs minimal, no blocking, defer work to threads; protect shared data with proper primitives; volatile on shared flags. Rationale: correctness under concurrency.
- •Complexity: Maintain function size and cyclomatic complexity within agreed limits; refactor large functions. Rationale: testability and reviewability.
- •Includes & Headers: Use include guards; separate interface in headers; no hidden macros; document ownership of globals. Rationale: clarity and hygiene.
- •Static Analysis: Run MISRA checks and SAST; address findings or document justified deviations. Rationale: defect prevention.
Recommended Practices
- •Use
static inlinefor simple accessors; minimize macros. - •Prefer enums over macros for states/constants; ensure exhaustive switch.
- •Keep module-level ownership clear; avoid global mutable state.
- •Use
static_assertfor sizes and assumptions where compiler supports. - •Document timing constraints near code (e.g., ISR max latency).
Patterns
Fixed-width types and const:
c
// REQ-C-TYPE-01; TEST-C-01
static uint32_t sum_samples(const uint16_t *samples, size_t n) {
uint32_t acc = 0U;
for (size_t i = 0; i < n; i++) {
acc += samples[i];
}
return acc;
}
Static buffer, no malloc:
c
// REQ-C-MEM-02; TEST-C-05
static uint8_t rx_buf[128];
size_t uart_read_safe(uint8_t *out, size_t max_len) {
size_t n = uart_read(rx_buf, sizeof(rx_buf));
if (n > max_len) n = max_len;
memcpy(out, rx_buf, n);
return n;
}
ISR defers work:
c
// REQ-C-ISR-03; TEST-C-10
volatile bool g_data_ready = false;
void UART_IRQHandler(void) {
clear_irq();
g_data_ready = true; // minimal work
}
Anti-Patterns (risks)
- •Heap allocation in control loops -> risk: fragmentation, failure to allocate.
- •Recursion or unbounded loops -> risk: stack overflow, non-termination.
- •Large ISRs doing I/O or blocking -> risk: missed deadlines, priority inversion.
- •Implicit int/enum conversions without checks -> risk: overflow/undefined behavior.
- •Ignoring MISRA/SAST findings -> risk: latent defects.
Verification Checklist
- • Fixed-width types used; warnings as errors enabled.
- • Const correctness applied; no casts removing const without justification.
- • No recursion; loops bounded; complexity within limits.
- • No dynamic allocation in safety paths; pools/static used; no unchecked malloc.
- • Pointer use validated; null checks present; casts justified.
- • ISRs minimal; shared data protected; volatile flags used where appropriate.
- • Headers guarded; interfaces clean; globals ownership documented.
- • MISRA/static analysis run; deviations documented; findings resolved.
Traceability
- •Tag requirements as
REQ-C-###; link to unit testsTEST-C-###and MISRA deviation records. - •Store tool reports with build artifacts for the release.
References
- •MISRA C:2012 with Amendment 1 (2016), Amendment 2 (2020), and Amendment 3 (2024) guidelines.
- •MISRA C:2023 (Third Edition) - consider for new projects.
- •IEC 62304 implementation discipline expectations.
- •SEI CERT C (informative).
Changelog
- •1.0.1 (2026-01-04): Audit correction - updated MISRA C references to include all amendments and MISRA C:2023.
- •1.0.0 (2026-01-04): Initial embedded C skill with MISRA-aligned rules, ISR handling, and static analysis.
Audit History
- •2026-01-04: Audit performed. Corrections:
- •MISRA C:2012 Amendment 2 reference expanded to include all amendments (1, 2, 3)
- •Added reference to MISRA C:2023 (Third Edition)
- •Code examples verified for C11 compliance and MISRA alignment