MISRA C is the coding standard for safety-critical embedded software in C — used across automotive, medical, industrial, aerospace, and defence systems. This guide explains what MISRA C requires, why its restrictions matter for real embedded deployments, and why full compliance is a hard requirement for safety-rated embedded GUI frameworks.
MISRA C (Motor Industry Software Reliability Association C) is a set of coding guidelines for the C programming language designed to promote safety, portability, and reliability in embedded software systems. Originally developed for the automotive industry, MISRA C is now the dominant coding standard across safety-critical embedded software development — covering automotive (ISO 26262), medical devices (IEC 62304), industrial systems (IEC 61508), aerospace (DO-178C), and defence embedded software.
MISRA C works by restricting or prohibiting C language constructs that produce undefined behaviour, implementation-defined behaviour, or unspecified behaviour — three categories of C language ambiguity that cause embedded software to behave differently across compilers, hardware platforms, and optimisation settings. In safety-critical systems, such variability is unacceptable: the firmware that passes qualification testing must behave identically in production, across millions of units, and across the full operating lifetime of the product.
The current version is MISRA C:2012 with a 2023 amendment. MISRA C:2012 defines 143 rules (mandatory and advisory) and 16 directives — each targeting a specific, documented failure mode in C embedded software. See Embedded GUI Functional Safety for the broader safety lifecycle context.
From why MISRA C exists to how compliance is verified — the complete picture for embedded engineers and safety managers.
The C language specification — ISO/IEC 9899 — defines hundreds of situations where the behaviour of a C program is left to the implementation (compiler and hardware) to determine, or is simply not defined at all. Signed integer overflow, left-shift of negative values, pointer arithmetic beyond array bounds, and reading uninitialised memory are all undefined in C — the standard permits the compiler to generate completely arbitrary machine code when these occur.
In desktop software, undefined behaviour typically manifests as rare, hard-to-reproduce crashes. In embedded safety-critical software, it can produce different binary output at different compiler optimisation settings — the firmware that passes qualification testing behaves differently from the firmware that ships in production. MISRA C was created to eliminate this class of risk by systematically restricting the constructs that cause it.

MISRA C rules are not arbitrary style preferences — each targets a specific failure mode. The 143 rules in MISRA C:2012 fall into seven broad restriction categories:

MISRA C:2004 was the widely adopted edition for over a decade. MISRA C:2012 introduced significant improvements:
Most new safety projects target MISRA C:2012. Legacy codebases may still reference MISRA C:2004 in their safety plans — both editions remain in active use.

MISRA C Compliant is a verifiable claim. Specifically: all mandatory rules are satisfied with no undocumented violations; advisory rule violations have written deviation notices with justification; static analysis tools (PC-lint Plus, LDRA, Polyspace, Helix QAC) have been run and results reviewed; a compliance documentation package exists as formal evidence.
Safety auditors under ISO 26262 and IEC 62304 will ask for static analysis evidence, the deviation log, and the compliance documentation. A compliant claim without this evidence will not survive an audit.
MISRA C Compatible, guideline adherent, or MISRA C friendly are marketing terms with no standardised meaning. They typically indicate partial rule application without formal verification — insufficient for safety-critical applications where the value of MISRA C comes from the completeness of verification.
For embedded GUI selection: LVGL and TouchGFX explicitly do not claim MISRA C compliance. emWin has partial alignment. Sparklet is fully, verifiably MISRA C compliant — Embien provides static analysis evidence and compliance documentation to customers for inclusion in safety cases.

| Category | Key Restriction | Failure Mode Addressed | Impact on Embedded GUI |
|---|---|---|---|
| Dynamic memory (Rule 21.3) | No malloc / realloc / free at runtime | Heap fragmentation causing allocation failures in long-running systems | All widget/screen memory from static pools |
| Recursion (Rule 17.2) | No recursive function calls | Unbounded stack depth, stack overflow risk | All rendering traversal loops are iterative |
| Undefined behaviour (multi) | No signed overflow, UB pointer arithmetic | Compiler-dependent code generation, production divergence from tested FW | All arithmetic uses unsigned or explicitly bounded ops |
| Type conversions (10.1–10.8) | Explicit casts required for all conversions | Silent truncations in coordinate / colour calculations | All GDI coordinate and colour arithmetic explicitly cast |
| Bounded loops (15.4, D4.1) | All loops have provable upper iteration bound | Unbounded rendering loops prevent WCET analysis | Widget list traversal bounded by maximum widget count |
| Unsafe stdlib (Rule 21.x) | Restricted use of atoi, sprintf, gets, etc. | Edge-case undefined behaviour in standard library functions | All string formatting uses bounded, checked alternatives |
| goto (Rule 15.1) | goto limited to forward-only jumps, one func | Unstructured control flow, difficult to audit and test | No goto in Sparklet source; structured error handling only |




ISO 26262 Part 6 specifies MISRA C as a highly recommended coding guideline for all ASIL levels — effectively mandatory for ASIL B through D in OEM supplier contracts.

IEC 61508 Annex D lists no dynamic objects and no recursion — the same constructs MISRA C restricts — as techniques for meeting software safety requirements at SIL 2 and above.

IEC 62304 requires an appropriate coding standard for Class B and C software. MISRA C is the dominant standard chosen by medical device manufacturers and accepted by FDA and CE notified bodies.

DO-178C structural coverage requirements and coding standard guidance are well-served by MISRA C compliant code. Aerospace teams increasingly adopt MISRA C for DAL A–C software.
No. MISRA C and ISO 26262 are related but distinct. MISRA C is a software coding standard — a set of C language rules that produce safer, more predictable software. ISO 26262 is a functional safety lifecycle standard for automotive systems — covering the entire development process from concept through decommissioning. ISO 26262 Part 6 references MISRA C as the required coding standard for C software at ASIL B and above, which is why the two are often mentioned together. MISRA C compliance is one requirement within an ISO 26262 software development lifecycle, not a substitute for it.
Get the Sparklet evaluation package and review the MISRA C compliant source code. Connect with Embien's engineering team to discuss your safety case requirements — ISO 26262, IEC 61508, or IEC 62304. Static analysis evidence and compliance documentation included.