Ferrocene Part 3: The Road to Rust in mission- and safety-critical

Published on 5 min read
Ferrocene icon
A Rust compiler toolchain for safety- and mission-critical environments.

    The Ferrocene logo. A ball between two planes. The name ferrocene next to it.

    Announcing Ferrocene

    Ferrocene is an effort led by Ferrous Systems and its newly formed subsidiary Critical Section GmbH to qualify the Rust Language and Compiler for use in the safety-critical domain. This is the third post in a series detailing our plans and actions around this effort, addressing topics discussed in The Pitch and The Plan. Ferrocene's draft name was "Sealed Rust."

    Our goal is to improve the status-quo of software quality and correctness in safety-critical domains by enabling the use of the Rust Programming Language for safety-critical software development. We believe that Rust is a significant improvement over existing tools both from a safety and quality perspective and as an improvement for developer productivity.

    You can follow the progress on these efforts on the Ferrous Systems' Blog, by subscribing to our newsletter, or by contacting us directly. Ferrocene is currently looking for partner commitments! Please get in touch via email if interested.

    Since our last post in February 2020, we have moved Ferrocene from an idea to an actual project. We strengthened our contacts with interested companies and went deeper into our industrial and language research.

    Finding a route: User Research

    Over the last 1.5 years, we have conducted several interviews with parties deploying software in safety-critical or mission-critical environments. The participants were diverse, from cloud providers to vehicle manufacturers. We found broad interest in adopting Rust in those industries.

    There were several key takeaways:

    1. Rust as a language is seen as the big contender in critical spaces. Particularly, its focus on rigor and stability is seen as a major competitive advantage.
    2. At the same time, language evolution and improvement speed is also a crucial factor of interest.
    3. There is a desire for improvement over current language specification practices.
    4. Rust only having one main compiler at the moment is seen as a strength at the current phase of the language.
    5. Interviewed organisations see the language on a good trajectory towards their needs.

    On further investigation, we found a lot of openness and desire for modern, tool-assisted specification and verification techniques. Rust was regarded as being on a good path and quoted as being a language that was already easier to analyze and inspect than other languages. For that reason, we researched existing practices.

    In addition to the above, we overwhelmingly found that the projects and tools already providing analysis and further safety guarantees operate on MIR, Rust's mid-level intermediate representation, and other IR rather than the Rust source language. They utilized MIR to carry program meaning in a simplified manner, enabling easier analysis and reasoning. As such, a desire expressed was visibility into changes to MIR and versioned stability.

    When further interviewed on stability, organizations expressed a desire to adopt a technology that continually increases safety and assurance levels. Most organizations considered stability a consequence of structured, deliberate changes between documented milestones one can predictably target. We summed this up as "addressability". This framing resonated in interviewed organizations.

    There was a high respect for Rust's software practices both inside and outside of the main project. It was mentioned as a strong point that many traditionally research-related tasks are conducted within the project.

    In conclusion, there was a shared desire to produce safer, higher-quality software faster and a sense that fundamental changes are necessary.

    Finding an orientation: why Ferrocene?

    A key question from these discussions with industry-leaders: what is Ferrocene, the product, and how does it relate to Rust? There was strong interest from potential clients that work that can be upstreamed into the Rust compiler should be wherever possible. We believe this points to a focus shift in the industry. Companies understand the value of FOSS as a neutral commons but also want to invest through initiatives that work towards their goals.

    There are services required for mission and safety-critical industries that go beyond shipping a compiler. This includes (very) long-term support, qualification packages, industry-specific tooling, backends and targets, training, verification help and industry-specific advice. This is Ferrocene, the product.

    During our conversations with industry leaders, we found that there's a need for Ferrocene as a wider initiative. Increasing the trust level of the Rust compiler will benefit many industries, and focusing only on typical safety-critical environments is one part of the picture. Improvements in the trust level of the core technology benefit all participants in the ecosystem. For example, we see efforts in better describing the semantics of Rust as it exists today as an important baseline for guiding the evolution of the language.

    Ferrocene is both. It is a product to serve markets that need high assurances and committments. It is an initiative to take Rust to the next level of reliabilty and trust. Out of that comes a strong desire for collaboration.

    Having a direction: First Waypoints

    We intend to publish a solidified roadmap for Ferrocene by June 2021.

    A major early milestone for Ferrocene is achievable criticality levels. Currently, we're aiming at ISO 26262/ASIL-B qualification readiness and general availability by the end of 2022. Along the way, we will work closely with early adopters to increase the toolchain's quality and gather feedback and experiences.

    Ferrocene is a vehicle for a versioned Rust and MIR specification, paired with automated verification of Rust semantics. These "runnable specs" give developers in mission-critical and high-security environments a sound, proven, and addressable foundation for building critical libraries, analysis tools, and further system assurances.

    Critical Section is also committed to improving the developer experience in mission and safety-critical industries. Ferrocene includes efforts to bring existing verification tools, like MIRI, to a production-ready state, while also improving the ease and advanced capabilities of formally verifying Rust programs.

    Finding Partners: The travel group

    We have a lot of work ahead of us, but also a lot of experiences to tap into.

    Ferrous Systems and Critical Section are calling for additional partners to join that effort! We're interested in partners from many industries, including:

    • Safety-critical sectors, such as automotive, railway and aerospace
    • Operators of mission-critical infrastructure with high-reliability and security concerns, such as cloud vendors
    • Hardware vendors
    • Compiler vendors
    • Organisations that require structured knowledge of their base systems
    • Is interested in building strong, deep Rust knowledge now

    Partners also get early access to Ferrocene releases and can follow the development closely with engineer support.

    If that describes your organisation, we're happy to be in touch.

    Starting the engine

    In August 2020, Ferrous Systems GmbH created a wholly-owned subsidiary called Critical Section GmbH. Critical Section started work on Ferrocene in September 2020, setting up roadmaps, finalizing user research, and outreach to partners. Ferrocene is currently managed by Florian Gilcher and Sabree Blackmon.


    We would like to thank Tim Reed and Jack Greenbaum from Green Hills Software for their constant advice, guidance and collaborative experimentation along the way.