What Is MISRA C? The Definitive Guide for Embedded Software Engineers

MISRA C is the coding standard for safety-critical embedded software in C — used across automotive, medical, industrial, aerospace, and defence systems. This guide explains what MISRA C requires, why its restrictions matter for real embedded deployments, and why full compliance is a hard requirement for safety-rated embedded GUI frameworks.

What Is MISRA C?

MISRA C (Motor Industry Software Reliability Association C) is a set of coding guidelines for the C programming language designed to promote safety, portability, and reliability in embedded software systems. Originally developed for the automotive industry, MISRA C is now the dominant coding standard across safety-critical embedded software development — covering automotive (ISO 26262), medical devices (IEC 62304), industrial systems (IEC 61508), aerospace (DO-178C), and defence embedded software.

MISRA C works by restricting or prohibiting C language constructs that produce undefined behaviour, implementation-defined behaviour, or unspecified behaviour — three categories of C language ambiguity that cause embedded software to behave differently across compilers, hardware platforms, and optimisation settings. In safety-critical systems, such variability is unacceptable: the firmware that passes qualification testing must behave identically in production, across millions of units, and across the full operating lifetime of the product.

The current version is MISRA C:2012 with a 2023 amendment. MISRA C:2012 defines 143 rules (mandatory and advisory) and 16 directives — each targeting a specific, documented failure mode in C embedded software. See Embedded GUI Functional Safety for the broader safety lifecycle context.

MISRA C: Four Perspectives

From why MISRA C exists to how compliance is verified — the complete picture for embedded engineers and safety managers.

The Engineering Problem MISRA C Solves

The C language specification — ISO/IEC 9899 — defines hundreds of situations where the behaviour of a C program is left to the implementation (compiler and hardware) to determine, or is simply not defined at all. Signed integer overflow, left-shift of negative values, pointer arithmetic beyond array bounds, and reading uninitialised memory are all undefined in C — the standard permits the compiler to generate completely arbitrary machine code when these occur.

In desktop software, undefined behaviour typically manifests as rare, hard-to-reproduce crashes. In embedded safety-critical software, it can produce different binary output at different compiler optimisation settings — the firmware that passes qualification testing behaves differently from the firmware that ships in production. MISRA C was created to eliminate this class of risk by systematically restricting the constructs that cause it.

  • Defined in 1998 by MISRA (Motor Industry Software Reliability Association) for UK automotive software
  • Current edition: MISRA C:2012 with 2023 Amendment 1 — 143 rules + 16 directives
  • Applied across automotive, medical, industrial, aerospace, and defence embedded C software

MISRA C:2012 Rule Categories — Summary

CategoryKey RestrictionFailure Mode AddressedImpact on Embedded GUI
Dynamic memory (Rule 21.3)No malloc / realloc / free at runtimeHeap fragmentation causing allocation failures in long-running systemsAll widget/screen memory from static pools
Recursion (Rule 17.2)No recursive function callsUnbounded stack depth, stack overflow riskAll rendering traversal loops are iterative
Undefined behaviour (multi)No signed overflow, UB pointer arithmeticCompiler-dependent code generation, production divergence from tested FWAll arithmetic uses unsigned or explicitly bounded ops
Type conversions (10.1–10.8)Explicit casts required for all conversionsSilent truncations in coordinate / colour calculationsAll GDI coordinate and colour arithmetic explicitly cast
Bounded loops (15.4, D4.1)All loops have provable upper iteration boundUnbounded rendering loops prevent WCET analysisWidget list traversal bounded by maximum widget count
Unsafe stdlib (Rule 21.x)Restricted use of atoi, sprintf, gets, etc.Edge-case undefined behaviour in standard library functionsAll string formatting uses bounded, checked alternatives
goto (Rule 15.1)goto limited to forward-only jumps, one funcUnstructured control flow, difficult to audit and testNo goto in Sparklet source; structured error handling only

MISRA C in Practice — Three Perspectives

Features Image

Industries That Require MISRA C Compliance

Four safety domains where MISRA C compliance is a regulatory or contractual requirement for embedded C software.
Automotive MISRA C

Automotive

ISO 26262 Part 6 specifies MISRA C as a highly recommended coding guideline for all ASIL levels — effectively mandatory for ASIL B through D in OEM supplier contracts.

Industrial MISRA C

Industrial

IEC 61508 Annex D lists no dynamic objects and no recursion — the same constructs MISRA C restricts — as techniques for meeting software safety requirements at SIL 2 and above.

Medical MISRA C

Medical Devices

IEC 62304 requires an appropriate coding standard for Class B and C software. MISRA C is the dominant standard chosen by medical device manufacturers and accepted by FDA and CE notified bodies.

Aerospace MISRA C

Aerospace

DO-178C structural coverage requirements and coding standard guidance are well-served by MISRA C compliant code. Aerospace teams increasingly adopt MISRA C for DAL A–C software.

Frequently Asked Questions: What Is MISRA C?

No. MISRA C and ISO 26262 are related but distinct. MISRA C is a software coding standard — a set of C language rules that produce safer, more predictable software. ISO 26262 is a functional safety lifecycle standard for automotive systems — covering the entire development process from concept through decommissioning. ISO 26262 Part 6 references MISRA C as the required coding standard for C software at ASIL B and above, which is why the two are often mentioned together. MISRA C compliance is one requirement within an ISO 26262 software development lifecycle, not a substitute for it.

Evaluate the Only Fully MISRA C Compliant Embedded GUI Framework

Get the Sparklet evaluation package and review the MISRA C compliant source code. Connect with Embien's engineering team to discuss your safety case requirements — ISO 26262, IEC 61508, or IEC 62304. Static analysis evidence and compliance documentation included.