In order to develop safe embedded systems, rigorous programming habits are mandatory. The programming language used to write the software has a great impact on how easy it is to put these good practices in use. CPAL has been conceived to help you give the best of yourself in the development of safe embedded systems.

The most widely used language for embedded systems is certainly C. Indeed C is closer to bare-metal that most of alternatives, which has advantages. Yet one needs rigour to write safe software in C. That is why the automotive industry came up with MISRA-C. Now this programming standard has spread over all industries.

The philosophy of MISRA can be synthesized in a few rules: The Power of Ten 10 Rules for Writing Safety Critical Code ‐ Rules for Developing Safety Critical Code, IEEE Computer, June 2006, pp. 93-95.

Today, I will focus on the first three.

1. Restrict to simple control flow constructs.

CPAL offers a number of control flow constructs. Obviously, the biggest difference with C is the support of Finite State Machines (FSMs), but it is so important that it requires a dedicated post in the future. CPAL also has classical control flow constructs.

CPAL has conditional:

if (someInput or someOtherInput) {
  /* do something */
} else {
  /* do something else */

CPAL has while-loop:

while (somecondition) {
  /* do something */

CPAL has for-loop:

var uint32: i;
for (i = 0; i < upper_bound; i = i + 1) {
  /* do something */

CPAL has loop over collections (array, queue, stack):

var queue<uint8>: data
[10]; loop over data with anIterator { if (someCondition(anIterator.current)) { anIterator.removeCurrent(); } }

2. Give all loops a fixed upper-bound.

While it is still possible in CPAL to write an infinite loop (while (true)), every time you need to iterate over data, you have at your disposal a loop construct that ensures that there is an upper-bound in the number of iterations. This is made easy because of the next rule.

3. Do not use dynamic memory allocation after initialization.

This is the most important point to avoid memory overflow. Thus, in CPAL, one always needs to declare a collection with the maximum number of elements it can contain. So every useful loop constructs can be upper-bounded:

var queue<uint8> : aFIFO[10];
var stack<uint8> : aLIFO[10];
var uint8: anArray[10];

while(aFIFO.notEmpty()) {


In this post, I tried to give you some hints on the design of the CPAL language with regard to its goal of being a language suited for the development of safe embedded software.

In future posts, I will present you other aspects of the language. Also, I will describe what inspired us in the design of CPAL and why. In the meantime, I warmly recommend the reading of