gekko

doing the math for you since 1994

The Power of Ten: A Decade of Wisdom in Safety-Critical Coding

by

gekko
in

In the vast and often perilous world of software engineering, where a single misplaced semicolon can doom a Mars mission or crash a nuclear reactor, the need for stringent coding standards is as critical as the systems they govern. Enter Gerard J. Holzmann’s “Power of Ten”—a compact yet draconian set of rules designed to keep safety-critical code as predictable as a Swiss watch and as resilient as a cockroach in a nuclear apocalypse.

But before we marvel at Holzmann’s brilliance, let’s put things into perspective: software safety standards have been around for a long time, and the “Power of Ten” is just one of many attempts to tame the wild beast that is C programming in safety-critical environments. From Spencer’s 10 Commandments to the Joint Strike Fighter Air Vehicle rules (JSF AV), the industry has produced numerous rulebooks—some elegant, some monstrous in length. So, what makes “The Power of Ten” special, and how does it compare to the heavyweight standards out there?

The Power of Ten – NASA JPL’s Minimalist Masterpiece

Holzmann’s rules are a refreshing departure from traditional safety-critical standards, which often resemble ancient scrolls filled with impenetrable decrees. The premise of “The Power of Ten” is simple: a short and strict set of rules that can be easily remembered, easily checked, and, most importantly, adhered to by real-world programmers (as opposed to hypothetical perfect coders who exist only in academic papers).

The Ten Commandments (abridged for effect):

  1. Keep Control Flow Simple – No gotos, setjmp/longjmp, or recursion. If you can’t explain the control flow in five seconds, you’ve already failed.
  2. Bound All Loops – If a tool can’t prove your loop has an upper bound, it’s a no-go.
  3. No Dynamic Memory Allocation Post-Initialization – malloc() and free() are like nuclear weapons: once you use them, chaos ensues.
  4. Functions Should Fit on a Single Page – If your function scrolls, it’s too long. If it has its own table of contents, seek help.
  5. Assert or Die – A function should contain at least two assertions. If it doesn’t, you’re either a genius or a fool.
  6. Declare Data at the Smallest Scope Possible – Global variables are like public restrooms—avoid them unless absolutely necessary.
  7. Check Return Values and Validate Parameters – If you call printf() and don’t check its return value, Holzmann will find you.
  8. Limit Preprocessor Use – Preprocessor abuse is the gateway drug to unreadable spaghetti code.
  9. Restrict Pointer Use – If you need multiple levels of dereferencing, you probably need therapy.
  10. Compile with Maximum Warnings and Static Analysis – If your code compiles with warnings, you’ve already failed.

How It Compares to Other Standards

The software safety world has seen a plethora of coding guidelines, ranging from “helpful suggestions” to “bureaucratic monstrosities.” Let’s pit Holzmann’s Ten against some of the industry’s most well-known rulebooks.

  1. Spencer’s 10 Commandments (1991) – The Ancient Scriptures
    Spencer’s rules were among the earliest attempts at formalizing safety-critical coding principles. They were good for their time but lacked the enforcement rigor of modern static analysis tools. Holzmann’s rules refine and distill the essence of Spencer’s approach into a mechanically verifiable format.
  2. MISRA C (1997, 2004, 2012, 2023) – The Legal Code of C
    With 127 rules in its original 1997 edition, growing to over 200 in later versions, MISRA is the legislative tome of safety-critical C. Unlike Holzmann’s minimalistic approach, MISRA tries to cover every possible edge case, making it comprehensive but often overwhelming. The advantage of “The Power of Ten” is its practicality—developers can actually remember and apply the rules without having to consult a 500-page document.
  3. Nuclear Regulatory Commission (1995, 22 rules) – The Atomic Doctrine
    The NRC’s rules focus heavily on correctness and reliability but are not as strict in structure as Holzmann’s approach. However, given that one of their main rules is “Don’t blow up the reactor,” we can assume their target audience takes compliance very seriously.
  4. JSF Air Vehicle Coding Rules (2005, 154 rules)The Fighter Jet Bible
    For code that flies fighter jets, you’d expect some heavy restrictions. At 154 rules, the JSF standard is exhaustive and includes military-grade paranoia about undefined behavior. Holzmann’s approach is more digestible but achieves a similar level of reliability.
  5. European Space Agency (2000, 123 rules) – Bureaucracy in Orbit
    ESA’s coding standards aim for extreme safety but suffer from the same verbosity problem as MISRA. Holzmann’s Power of Ten would likely be appreciated by engineers who prefer concise, actionable rules over endless legalese.
  6. JPL Institutional Coding Standard for C (2009, 31 Core Rules)The Extended Family
    Interestingly, Holzmann’s “Power of Ten” inspired many of the rules in the JPL Institutional Coding Standard. The JPL standard expands upon the “Power of Ten” by incorporating additional safety measures for multi-threaded environments, IPC, and memory safety, making it a logical extension rather than a competing doctrine.

Why The Power of Ten Works

  • Brevity: Unlike MISRA or JSF, these rules are easy to remember and apply.
  • Tool Friendliness: Every rule is designed to be statically checkable.
  • Human Friendliness: Developers don’t have to wade through a swamp of bureaucracy.
  • Real-World Tested: These rules have been used successfully in JPL’s mission-critical software, which has, to date, not resulted in any rogue AI takeovers.

The Fun Side of Safety-Critical Code

While safety-critical programming is serious business, the culture around it can be amusing. Imagine a world where ignoring “Power of Ten” rules leads to immediate exile to an asteroid. Developers would gather around, telling horror stories of the time someone used malloc() in flight software, causing a system crash that sent a spacecraft into deep space—never to be seen again.

To bring it full circle, Holzmann’s “Power of Ten” is the software equivalent of the Ten Commandments: clear, strict, and designed to prevent disasters of biblical proportions. While other standards have their place, the sheer practicality and elegance of Holzmann’s rules make them a favorite among engineers who value clarity and safety over bureaucratic convolution.

Conclusion

Holzmann’s “Power of Ten” isn’t just a coding guideline—it’s a philosophy. In a world drowning in overcomplicated safety standards, it stands as a beacon of clarity. It’s a reminder that sometimes, the best way to prevent catastrophic software failures isn’t with 200 pages of rules—it’s with a handful of well-thought-out principles that fit on a single sheet of paper.

So, next time you write safety-critical code, remember: keep it simple, avoid recursion, don’t trust malloc(), and for the love of all that is holy, check your return values.

Failure to do so may result in an unplanned planetary impact.

Keep up, get in touch.

About

Contact

GPTs

Privacy

Imprint

Privacy Policy

Terms & Conditions

©

2025

gekko