What you'll learn:
- Why Rust is needed for safety- and mission-critical application development.
- How a Rust compiler is certified for safe and secure applications.
- Why Ferrocene needs to incorporate Rust enhancements carefully.
Developing safety- and mission-critical applications for automotive, industrial, and medical devices requires a certified toolset. On that front, Ferrous Systems will show off its latest incarnation of Ferrocene at embedded world. This Rust toolset is certified to ISO 26262 (ASIL D), IEC 61508 (SIL 4), and IEC 62304. It’s open source and available on Linux, QNX Neutrino, and various RTOSes.
I talked with Florian Gilcher, Managing Director at Ferrous Systems, about the importance of the platform and how it was certified.
Why Rust is Important for Safety- and Mission-Critical Applications
C and C++ tend to be the programming languages of choice for safety- and mission-critical applications these days, but they have significant weaknesses when it comes to building this kind of software. The low-level access to the underlying hardware that they provide leaves it to programmers to make sure errors don’t end up in the generated software. The review process required to certify applications is rigorous; however, it depends on people rather than software to catch these errors.
Rust incorporates a number of features designed to make creation of software with this level of quality easier by having the compiler check for certain types of errors that can’t be checked by C and C++. Other programming languages like Ada and SPARK provide similar but different checks. It’s worth comparing them to see what might work best.
What Rust offers that C and C++ do not is static analysis built into the compiler, performed at compile time. Static-analysis tools are available for C/C++, and most developers creating safety- and mission-critical software use them. But the definition of the C/C++ programming languages doesn’t lend itself to rigorous analysis, whereas Rust was designed for this type of checking.
Whacking the Pointer Mole Using Rust
Safe memory management is one of the main features of Rust. Pointers and memory management are areas where Rust excels, and where C/C++ have the most problems. Rust avoids these pitfalls, and its static analysis catches most pointer errors at compile time.
This is possible because the language requires programmers to state explicitly how memory is referenced, which prevents accidental misuse of pointers. Rust’s “borrow checker” verifies that every reference is used only while the underlying data is still alive, so the lifetime of the data matches what the program is doing. References to unallocated memory aren’t possible as long as Rust’s safety requirements aren’t bypassed.
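As an added illustration (not code from the article or from Ferrocene), the following Rust shows the borrow checker at work on a small "key=value" parser: the lifetime annotation ties a returned reference to its buffer, and the two C-style mistakes (returning a pointer into a freed buffer, reusing a buffer while a reference into it is still live) are left in comments together with the compiler errors rustc reports for them.

```rust
/// Parse a "key=value" line and hand back the value as a borrowed slice.
/// The lifetime `'a` ties the returned &str to the input buffer, so the
/// compiler refuses any use of the value after the buffer is gone.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let (k, v) = line.split_once('=')?;
    if k.trim() == key { Some(v.trim()) } else { None }
}

/// Copying the value out breaks the tie to the buffer: the String owns
/// its own memory and may outlive whatever `line` pointed into.
fn owned_value_of(line: &str, key: &str) -> Option<String> {
    value_of(line, key).map(str::to_owned)
}

// The C-style mistake: return a pointer into a buffer that is freed on
// return. rustc rejects it at compile time with error[E0515] (cannot
// return value referencing local variable `buf`); it never runs.
//
// fn dangling<'a>(key: &'a str) -> Option<&'a str> {
//     let buf = String::from("speed=120"); // owned by this function
//     value_of(&buf, key)                  // borrows `buf` ...
// }                                        // ... which is dropped here

fn main() {
    // Constructed sample input, e.g. one line of a parameter file.
    let mut buf = String::from("speed = 120");

    let speed = value_of(&buf, "speed").unwrap();
    println!("speed = {speed}");

    // Reusing the buffer while `speed` is still read afterwards is also
    // rejected: error[E0502] (cannot borrow `buf` as mutable because it
    // is also borrowed as immutable).
    //
    // buf.clear();
    // println!("{speed}");

    // With an owned copy the buffer can be reused freely.
    let owned = owned_value_of(&buf, "speed").unwrap();
    buf.clear();
    println!("owned copy still valid: {owned}, buffer now {:?}", buf);
}
```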
Why Not Just Use Open-Source Ferrocene?
Ferrocene is an open-source project that can be downloaded and used for free. So why would developers want to buy it?
As it turns out, certifying applications and systems requires a bit more than being careful while developing an application. The tools being used must be certified as well.