How Ferrocene’s Certified Rust Core Enables Safety‑Critical Embedded Systems
Ferrocene, an open‑source Rust compiler toolchain, has achieved IEC 61508 SIL 2 certification for its core library, highlighting Rust’s growing role in memory‑safe, safety‑critical embedded devices and outlining the implications of SIL levels, certification bodies, and real‑world industrial use cases.
Overview
Ferrocene is an open‑source Rust compiler toolchain designed for safety‑ and mission‑critical systems. Its core library has been certified to IEC 61508 (Safety Integrity Level 2), demonstrating that Rust can meet the rigorous verification requirements of regulated embedded environments.
Certification Details
The certification was performed by TÜV SÜD, which also recognized the Ferrocene toolchain as compliant with ISO 26262 (ASIL D), IEC 61508 (SIL 3), and IEC 62304 (C‑level). TÜV SÜD supports Ferrocene’s ongoing effort to achieve higher safety grades such as SIL 4 and DO‑178C (DAL C).
Certified Core Subset
The certified portion of the Rust core library provides safe access to the following language features:
Traits and types: Option, Clone, str
Pointer types and raw pointer operations
Primitive types and slices ([T])
These features are sufficient for developing safety‑critical applications while preserving Rust’s memory‑safety guarantees.
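To make the subset concrete, here is an added example (not Ferrocene's code, and not taken from the article) that stays within the core-library features listed above: Option for fallible parsing without panics, a Clone-derived struct, str decoding, bounds-checked slice access, and a raw-pointer read behind a safe wrapper. The 7-byte frame layout (4-byte ASCII tag, little-endian u16 range, XOR checksum) and the function names are constructed for illustration.

```rust
// Added example written against core-library items only (core::str, core::ptr,
// Option, Clone, slices). The frame layout below is an assumption for the demo,
// not a format used by Ferrocene, Sonair or Kiteshield.
use core::ptr;
use core::str;

/// Decoded sensor frame; `Clone` is derived from the core trait.
#[derive(Clone, Debug, PartialEq)]
pub struct Frame<'a> {
    pub tag: &'a str,
    pub range_mm: u16,
    pub checksum_ok: bool,
}

/// Constructed layout: 4-byte ASCII tag, u16 little-endian range, u8 XOR checksum.
pub const FRAME_LEN: usize = 7;

/// Parses one frame. Every failure path yields `None`; no indexing that can panic
/// is used, so a truncated or non-UTF-8 input cannot abort the task.
pub fn parse_frame(buf: &[u8]) -> Option<Frame<'_>> {
    let bytes = buf.get(..FRAME_LEN)?;
    let tag = str::from_utf8(bytes.get(..4)?).ok()?;
    let range_mm = u16::from_le_bytes([*bytes.get(4)?, *bytes.get(5)?]);
    let expected = bytes.get(..6)?.iter().fold(0u8, |acc, b| acc ^ b);
    let checksum_ok = *bytes.get(6)? == expected;
    Some(Frame { tag, range_mm, checksum_ok })
}

/// Safe wrapper over a raw-pointer volatile read, the shape typically used for
/// memory-mapped registers. The bounds check keeps the unsafe block's invariant
/// (pointer valid for `len` bytes) explicit; the caller supplies that guarantee.
pub fn read_u8_at(base: *const u8, len: usize, idx: usize) -> Option<u8> {
    if idx >= len {
        return None;
    }
    // SAFETY: idx < len was checked above and the caller guarantees `base`
    // is valid for reads of `len` bytes.
    Some(unsafe { ptr::read_volatile(base.add(idx)) })
}

/// Constructed sample: tag "ADAR", range 0x04D2 = 1234 mm, valid checksum (0xC0).
pub fn sample_frame() -> [u8; FRAME_LEN] {
    let mut f = [b'A', b'D', b'A', b'R', 0xD2, 0x04, 0];
    f[6] = f[..6].iter().fold(0u8, |acc, b| acc ^ b);
    f
}

// Host-side demo entry point; println! comes from std and is not part of the
// core-only subset exercised by the functions above.
fn main() {
    let f = sample_frame();
    match parse_frame(&f) {
        Some(frame) => println!("{:?}", frame),
        None => println!("malformed frame"),
    }
    println!("byte 4 via raw read: {:?}", read_u8_at(f.as_ptr(), f.len(), 4));
}
```

The point of the wrapper is that the only unsafe operation sits behind a check the caller cannot skip, which is the pattern a certification reviewer expects to see when raw pointer operations from the certified subset touch hardware.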
Supported Target Platforms
The certified core can be used on qualified platforms, including:
x86_64 Linux
Armv8‑A running QNX Neutrino
Real‑time operating systems (RTOS) on Armv8‑A and Armv7E‑M
Industrial Use Cases
Two early adopters illustrate practical deployments:
Sonair integrates Ferrocene into robotic systems that combine Armv8‑A and Armv7E‑M subsystems, providing acoustic detection and ranging (ADAR) capabilities.
Kiteshield is building a Rust‑based ultra‑wideband safety system for mining operations, intended to prevent collisions between manually operated and autonomous machinery.
Safety Integrity Levels (SIL)
SIL quantifies the probability of dangerous failure per hour of operation. The hierarchy is:
SIL 4 – highest reliability (e.g., nuclear reactor control)
SIL 3 – high‑risk equipment (e.g., chemical or medical devices)
SIL 2 – typical for industrial robots
SIL 1 – lower‑risk systems such as CCTV or building lighting
Certification of the Rust core library at SIL 2 enables its use in regulated industries, where the language’s inherent memory‑safety can reduce error rates and improve system stability, provided the certified subset is used without introducing new bugs.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO