# Rust in Automotive
Florian Gilcher, Christof Petig, May 2022
---
## Structure
- AUTOSAR adaptive and Rust
- Tiny introduction to Functional Safety
- Ferrocene compiler qualification
---
### [*AUT*omotive *O*pen *S*ystem *AR*chitecture](https://autosar.org)
- alliance of OEMs, Tier-1s, HW+SW+tool+silicon suppliers, …
- Munich based
- Two system variants
  - classic: microcontroller, C API
  - adaptive: POSIX, C++17 API
----
## AUTOSAR adaptive specs
- POSIX PSE51 system interface
- Reference implementation (Demonstrator)
- system defined in AR**XML**
- [dynamic communication bindings](https://www.autosar.org/fileadmin/user_upload/standards/adaptive/21-11/AUTOSAR_EXP_ARAComAPI.pdf)
  - similar to CORBA, dbus, ROS, …
  - SOME/IP, shm or DDS backend
----
## [AUTOSAR adaptive (ARa)](https://www.autosar.org/fileadmin/user_upload/standards/adaptive/21-11/AUTOSAR_EXP_SWArchitecture.pdf)

----
## Rust for AUTOSAR adaptive
- Static bindings
  - Manually using C API
  - Working demonstrator
- Dynamic bindings (ARXML), WIP
  - Async or blocking style
  - Implement services from traits
----
### Rust ara code example

----
## Com: Proxy and Skeleton

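The proxy/skeleton split behind the "Rust for AUTOSAR adaptive" slide and this one, as an added example written for this page: the service interface is a trait (the slides' "implement services from traits"), the skeleton owns the real implementation and validates every request it decodes, and the proxy implements the same trait on the client side by encoding calls onto a transport. This is not the ara::com API and not the Rust bindings the talk describes; the names `RangeCheck`, `Skeleton`, `Proxy`, `Request`, `Response`, `ComError` and `METHOD_IN_RANGE` are assumed for illustration, and a `std::sync::mpsc` channel stands in for the SOME/IP, shm or DDS backend so the example runs offline. The point a practitioner should take from it is that the skeleton treats the transport as untrusted input: an unknown method id or a wrong payload length comes back as an error response instead of a panic or an out-of-bounds read.

```rust
// Added example (not ara::com, not the project's bindings): a minimal
// proxy/skeleton pair in the ara::com style over a std channel.
// All names are illustrative assumptions for this page.
use std::sync::mpsc::{channel, Receiver, Sender};
use std::thread;

/// The service interface, which a real toolchain would generate from ARXML.
/// Both the proxy (client side) and the skeleton's service implement it.
pub trait RangeCheck {
    /// Returns true when `speed_kmh` lies within `[0, limit]`.
    fn in_range(&self, speed_kmh: u16, limit: u16) -> Result<bool, ComError>;
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ComError {
    /// Method id not known to the skeleton.
    UnknownMethod(u16),
    /// Payload length does not match the method signature.
    MalformedPayload { method: u16, len: usize },
    /// Transport failure (peer gone).
    Transport,
}

/// Wire request as a transport would deliver it: method id plus raw bytes.
pub struct Request {
    pub method: u16,
    pub payload: Vec<u8>,
    pub reply: Sender<Response>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Response {
    Bool(bool),
    Err(ComError),
}

/// Assumed method id for `RangeCheck::in_range` (illustrative).
pub const METHOD_IN_RANGE: u16 = 1;

/// Skeleton: server-side binding that owns the implementation and
/// validates every request before dispatching it.
pub struct Skeleton<S: RangeCheck> {
    service: S,
}

impl<S: RangeCheck> Skeleton<S> {
    pub fn new(service: S) -> Self {
        Skeleton { service }
    }

    /// Decode and dispatch one request. Bad input yields an error
    /// response; the payload is length-checked before any indexing.
    pub fn dispatch(&self, method: u16, payload: &[u8]) -> Response {
        match method {
            METHOD_IN_RANGE => {
                if payload.len() != 4 {
                    return Response::Err(ComError::MalformedPayload { method, len: payload.len() });
                }
                let speed = u16::from_le_bytes([payload[0], payload[1]]);
                let limit = u16::from_le_bytes([payload[2], payload[3]]);
                match self.service.in_range(speed, limit) {
                    Ok(b) => Response::Bool(b),
                    Err(e) => Response::Err(e),
                }
            }
            other => Response::Err(ComError::UnknownMethod(other)),
        }
    }

    /// Serve requests until every proxy (sender) has been dropped.
    pub fn serve(self, rx: Receiver<Request>) {
        for req in rx {
            let resp = self.dispatch(req.method, &req.payload);
            let _ = req.reply.send(resp); // client may already be gone
        }
    }
}

/// Proxy: client-side binding that encodes calls and blocks on the reply.
pub struct Proxy {
    tx: Sender<Request>,
}

impl Proxy {
    fn call(&self, method: u16, payload: Vec<u8>) -> Result<Response, ComError> {
        let (reply_tx, reply_rx) = channel();
        self.tx
            .send(Request { method, payload, reply: reply_tx })
            .map_err(|_| ComError::Transport)?;
        reply_rx.recv().map_err(|_| ComError::Transport)
    }
}

impl RangeCheck for Proxy {
    fn in_range(&self, speed_kmh: u16, limit: u16) -> Result<bool, ComError> {
        let mut payload = speed_kmh.to_le_bytes().to_vec();
        payload.extend_from_slice(&limit.to_le_bytes());
        match self.call(METHOD_IN_RANGE, payload)? {
            Response::Bool(b) => Ok(b),
            Response::Err(e) => Err(e),
        }
    }
}

/// The real service implementation sitting behind the skeleton.
pub struct SpeedService;

impl RangeCheck for SpeedService {
    fn in_range(&self, speed_kmh: u16, limit: u16) -> Result<bool, ComError> {
        Ok(speed_kmh <= limit)
    }
}

/// Start a skeleton on a background thread and hand back a proxy to it.
pub fn start() -> Proxy {
    let (tx, rx) = channel();
    thread::spawn(move || Skeleton::new(SpeedService).serve(rx));
    Proxy { tx }
}

fn main() {
    let proxy = start();
    println!("{:?}", proxy.in_range(120, 130)); // Ok(true)
    println!("{:?}", proxy.in_range(140, 130)); // Ok(false)
}
```

In the blocking style shown here the proxy call returns once the reply arrives; the async variant the slides mention would make `call` return a future instead, with the same skeleton-side validation.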
---
## Functional Safety, [ISO 26262](https://en.wikipedia.org/wiki/ISO_26262)?
- Goal is to avoid *hazard*ous **mal**functions
- ISO 26262 adapts the generic IEC 61508 standard to road vehicles
- Five levels: QM and ASIL A…D
---
- Hazards caused by functional insufficiencies of a correctly working system (e.g. sensor limitations) are the scope of “SOTIF”, ISO/PAS 21448
- Cyber security is the scope of ISO/SAE 21434
----
## ISO 26262 and software
- **Document** for later need
---
- Part 6 (of 12) covers product development at the software level
- A set of practices to avoid common errors
- Requirements scale with the ASIL; tailoring is expected
- Design, coding and testing guidelines
----
## Rust and functional safety
- [SAE international](https://sae.org) …
  - Former "Society of Automotive Engineers"
- … hosts the [SAfEr Rust Task Force](https://connection.sae.org/volunteeropportunities/volunteer-opportunity-details?VolunteerOpportunityKey=057a92a9-c6b8-4405-ae81-e293136a9284)
- Concretize ISO 26262 and more for Rust:
  - Language subset, guidelines, evidence
----
## [SAE international](https://sae.org)
- Volunteer based standards body
- HQ Warrendale, PA
- 140k+ Members are individuals, not companies
- Publishing technical information since 1906
- Also Aerospace standards ⇒ S.A.E. to SAE international
----
## Wishlist
- FuSa goals match those of the Linux kernel and Embassy
- Async
  - Documentation of async memory allocation
  - streams, async traits
  - non-allocating interfaces preferred (dyn*)
  - no implicit destructors, explicit call by value
---
# What is Ferrocene?
----
* A high-assurance downstream of the Rust compiler, **quality managed**
* Additional (proprietary) targets
* Extended testing for specific configurations
  * Even compiler flags need to be tested in every used combination!
* **A long-term support organisation**
----
## Quality management
----
* Quality management gives customers a well-founded understanding of the tool's quality
* It gives a **support framework** through which they are informed of issues and issues get fixed fast
* It explains which features exist, how they are implemented and how they are tested
----
## Upstreaming
* Ferrocene upstreams what can be maintained by the Rust project
  * test suite improvements
  * documentation
  * upstreamable targets
  * fixes for problems found
----
[Rustacean Station episode 67: Quentin Ochem and Florian Gilcher](https://rustacean-station.org/episode/067-quentin-ochem-florian-gilcher/)
---
# Summary
- AUTOSAR is the de facto standard platform in automotive
- You can already use Rust by wrapping the C/C++ API
- Rust is suited for safety requirements
- Ongoing work on standard practices
- Ferrocene is doing compiler qualification
- Libraries and async need additional work
---
## Appendix: Additional links
[The Economic Impacts of Inadequate Infrastructure for Software Testing](https://www.nist.gov/system/files/documents/director/planning/report02-3.pdf)
[Rust Formal Methods IG: Ferrocene](https://www.youtube.com/watch?v=eaObPhTnoGo)