From the title I was sure this was going to be about the branch forward only pattern used in the Gripen, that John Carmack has briefly written about. In that pattern, there's a top-level loop, but other than that, no looping constructs or other backward-branches are permitted anywhere in the codebase.
A popular example given for this is often pcap/tcpdump filters— for perf reasons they have to be executed by the kernel, but because they're an untrusted user "program" being run in kernel space, they can only ever jump forward, ensuring an upper bound on their runtime.
Seems curious to ban functions. If you ban function-pointers then you can statically ensure there's no recursion (including mutual recursion). At that point, all function calls are in principle able to be inlined, so any backtracking is merely a compiler-level implementation detail.
iirc, OpenCL C does something similar, banning function pointers and recursion (including mutual recursion), although it does so for different reasons than this pattern.
It seems to me that this would be best ensured by writing the codebase in a custom language the compiler of which would put a loop around the whole code but the language itself wouldn't have loops. This could be yet another instance of "patterns mean 'I've run out of language'".
* http://lambda-the-ultimate.org/node/5362
* https://news.ycombinator.com/item?id=22192656