Guidelines from the NASA Power of 10 rules for writing robust, verifiable code. Adapted for general software development with context-appropriate rigor. Use when writing critical code paths, reviewing for robustness, improving code quality. Do not use as rigid requirements for all code - match rigor to consequence.
apm install @athola/safety-critical-patterns
[](https://apm-p1ls2dz87-atlamors-projects.vercel.app/packages/@athola/safety-critical-patterns)---
name: safety-critical-patterns
description: 'Guidelines from the NASA Power of 10 rules for writing robust, verifiable
code. Adapted for general software development with context-appropriate rigor. Use
when writing critical code paths, reviewing for robustness, improving code quality.
Do not use as rigid requirements for all code - match rigor to consequence.'
category: code-quality
tags:
- safety
- defensive-coding
- assertions
- NASA
- robustness
- verification
tools:
- Read
- Grep
- Glob
complexity: intermediate
estimated_tokens: 600
dependencies:
- pensive:shared
- pensive:code-refinement
---
# Safety-Critical Coding Patterns
Guidelines adapted from NASA's Power of 10 rules for safety-critical software.
## When to Apply
**Full rigor**: Safety-critical systems, financial transactions, data integrity code
**Selective application**: Business logic, API handlers, core algorithms
**Light touch**: Scripts, prototypes, non-critical utilities
> "Match rigor to consequence" - The real engineering principle
## The 10 Rules (Adapted)
### 1. Restrict Control Flow
Avoid `goto`, `setjmp/longjmp`, and **limit recursion**.
**Why**: Ensures acyclic call graphs that tools can verify.
**Adaptation**: Recursion acceptable with provable termination (tail recursion, bounded depth).
### 2. Fixed Loop Bounds
All loops should have verifiable upper bounds.
```python
# Good - bound is clear
for i in range(min(len(items), MAX_ITEMS)):
process(item)
# Risky - unbounded
while not_done: # When does this end?
process_next()
```
**Adaptation**: Document expected bounds; add safety limits on potentially unbounded loops.
### 3. No Dynamic Memory After Initialization
Avoid heap allocation in critical paths after startup.
**Why**: Prevents allocation failures at runtime.
**Adaptation**: Pre-allocate pools; use object reuse patterns in hot paths.
### 4. Function Length ~60 Lines
Functions should fit on one screen/page.
**Why**: Cognitive limits on comprehension remain valid.
**Adaptation**: Flexible for declarative code; strict for complex logic.
### 5. Assertion Density
Include defensive assertions documenting expectations.
```python
def transfer_funds(from_acct, to_acct, amount):
assert from_acct != to_acct, "Cannot transfer to same account"
assert amount > 0, "Transfer amount must be positive"
assert from_acct.balance >= amount, "Insufficient funds"
# ... implementation
```
**Adaptation**: Focus on boundary conditions and invariants, not arbitrary quotas.
### 6. Minimal Variable Scope
Declare variables at narrowest possible scope.
```python
# Good - scoped tightly
for item in items:
total = calculate(item) # Only exists in loop
results.append(total)
# Avoid - unnecessarily broad
total = 0 # Why is this outside?
for item in items:
total = calculate(item)
results.append(total)
```
### 7. Check Return Values and Parameters
Validate inputs; never ignore return values.
```python
# Good
result = parse_config(path)
if result is None:
raise ConfigError(f"Failed to parse {path}")
# Bad
parse_config(path) # Ignored return
```
### 8. Limited Preprocessor/Metaprogramming
Restrict macros, decorators, and code generation.
**Why**: Makes static analysis possible.
**Adaptation**: Document metaprogramming thoroughly; prefer explicit over magic.
### 9. Pointer/Reference Discipline
Limit indirection levels; be explicit about ownership.
**Adaptation**: Use type hints, avoid deep nesting of optionals, prefer immutable data.
### 10. Enable All Warnings
Compile/lint with strictest settings from day one.
```bash
# Python
ruff check --select=ALL
mypy --strict
# TypeScript
tsc --strict --noImplicitAny
```
## Rules That May Not Apply
| Rule | When to Relax |
|------|---------------|
| No recursion | Tree traversal, parser combinators with bounded depth |
| No dynamic memory | GC languages, short-lived processes |
| 60-line functions | Declarative configs, state machines |
| No function pointers | Callbacks, event handlers, strategies |
## Integration
Reference this skill from:
- `pensive:code-refinement` - Clean code dimension
- `pensive:code-refinement` - Quality checks
- `sanctum:pr-review` - Code quality phase
## Sources
- NASA JPL Power of 10 Rules (Gerard Holzmann, 2006)
- MISRA C Guidelines
- HN discussion insights on practical application