Introducing Rust To The Automotive Stack: A Conversation With Julius Gustavsson Of Volvo Cars

The following is my interview with Julius Gustavsson, System Architect at Volvo Cars. Julius and his team recently led a successful pilot where they used Rust to program an Electronic Control Unit. We talked about the positive reception of the pilot, how Rust fixed long-standing challenges for their team, and what made the pilot so successful. We also dove into Volvo Cars as a Rust employer. We talked about the future of the company: where they're going on electrification and autonomy. And, we talked about what it's like to work at Volvo and the outlook for broader adoption of Rust at the company. To see jobs available at this and other cool Rust companies, check out our extensive Rust job board.

Drew: I think it is good to remind people that Volvo Cars and Volvo Group are two separate entities. You work for Volvo Cars, right?

Julius: That’s true. The two companies used to be a single entity but split up a while ago when the car division was spun off. Now, they only share the brand name.

Drew: Almost everyone knows what a Volvo is, and most people have probably been in one or seen one. I thought it would be interesting to start with how Volvo is dealing with the two big forces changing the automotive world right now. One of those things is electrification. From my point of view, it seems like Volvo has done a lot with electrification and been very aggressive in rolling it out. Can you tell me more about that?

Julius: Yeah. We are dead set on becoming a fully electrified company. Our fleet will be fully electrified. We had a goal at one point to be fully-electric by 2035, which is shifting a bit due to all kinds of external conditions. I think the new target is 2040. But, I think the main idea is still aiming for full electrification.

Drew: That makes sense. The second big thing that is really changing the automotive world right now is autonomy. You've got Waymo doing robotaxis and Tesla getting into that game now as well. I haven't heard a lot about this from Volvo. Are you able to speak to what Volvo is doing with autonomy?

Julius: Yeah, we have a subsidiary called Zenseact that is aiming to be best-in-class in safe vehicle automation. I don't know their roadmap off the top of my head, but the SPA2 platform that I've been working on for the past five years has this central core computer which is based on the NVIDIA DRIVE Orin. That platform is now becoming SPA3. That system is a beast in terms of compute power. So, I'm one of the people making sure that the hardware and platform software is there, and the Zenseact people are doing the software for autonomy. But, what I do and what the software people do is pretty separate. I only do low-level software and electronics, so I'm a bit disconnected from the status of where we are overall on autonomy.

Drew: So, you're more involved with the aspect of making sure that the right hardware is on board, available, and connected properly.

Julius: And ensuring that the compute infrastructure is in place for this kind of application.

Drew: So are current Volvo cars coming off the line with that NVIDIA DRIVE Orin chip on board?

Julius: Yes, all current and future EVs. For example, the EX90, ES90, and the upcoming models.

Drew: The hardware isn't only the computer, right? I imagine you’re also talking about sensors, whether they're cameras, LIDAR, or something else. Are you involved with that part, too?

Julius: Only superficially, just on the architectural level.

Drew: What sensors are on the current cars?

Julius: I forget which cars have what exactly, but we have LIDAR, radar, and multiple cameras.

Drew: You have everything.

Julius: Yeah, we are absolutely building for autonomy. Volvo has a very safety-centric brand. So, you might not see a lot right now about Volvo cars actually driving themselves, but that is because we want to take autonomy in safe steps.

Drew: When I was researching, I discovered that one of the Volvo engineers created the three-point seatbelt.

Julius: Exactly. We're really proud of that invention, especially since they gave the patent away for everyone else to use. You can't measure the number of lives that have been saved worldwide.

Drew: Oh, I'm sure. So, there's this culture of safety which means Volvo is going to be very careful about the way they proceed?

Julius: At least very measured, or at least that's my impression. Though, this is not my exact expertise. If you look at the ADAS and safety functions that we already have in recent models, they are among the best-in-class! Although, it's still supervised driving. You're still the one in charge.

Drew: What are the things that you personally are most excited about in Volvo's future?

Julius: These are fantastic cars. I don't know if you've driven any of these newer models, but they're really awesome to drive. The platform that we're building and this superset tech stack that we call it are going to put us in a great position for the future.

Drew: With that background about some of Volvo’s big objectives, can you tell me a little bit more about what you personally do? What is your job as a system architect?

Julius: I'm the lead architect for a specific ECU (Electronic Control Unit). So, it's the different boxes that do different functions in the car. My team is responsible for an ECU called a low-power processor, which is part of the core computer. Its main responsibility is basically keeping the lights on. A lot of these chips are fairly power-hungry, so we want to save power and turn them off when we don't need them. But, we need to monitor different conditions in the car when it's time to wake them up.

Julius: For example, if the driver approaches, we get a signal, and then we power up the system. There are some other functions as well, but that is the gist of it. So, I'm responsible for that unit. We set the architecture on a high level and coordinate with other architects responsible for the other parts of the system. I personally am fairly hands-on, so I'm deeply involved in the coding. I review all the code that we produce to ensure that it's actually in line with the architecture and future direction.

Julius: I'm also part of a technical committee that decides on future direction and overall architecture for the whole electronic platform. And then there’s a million other things I end up doing that have to do with creating automotive software: documentation, certification, verification, and so on.

Drew: So how did Rust come into the picture?

Julius: It all started with just wanting to try out Rust. I and a few others became very convinced that Rust is the future for automotive. So, we wanted a testbed to try it out as a first project. And, our work has been super encouraging so far.

Drew: You feel like Rust is the future of automotive. What makes you feel that way?

Julius: I had been doing all kinds of development but mostly C and C++, and I'd been doing that for maybe 15-16 years. I was starting to get a bit fed up with memory issues always popping up. No matter how careful you were, there was always some mistake somewhere. I was convinced that if we were ever going to make a dent in that, we were going to need something new that actually prevents these errors from happening. That's when I discovered Rust, and I was like "Wow, this may actually be something."

Drew: You talked about how Volvo has this culture of safety. For cars in general, safety is very important. The memory issues and errors that you're talking about, is the concern that there are ways in which those could impact physical safety?

Julius: That's definitely the case. There are a number of examples of that in the automotive industry, especially now where you have software-defined vehicles that are also connected to the internet. Previously, you could safety-certify some component, and you knew exactly what it was going to do in every single scenario. Sometimes, even if it had errors, you knew how they would interact. You could map out and fully understand the failure modes. So you knew what you had. But, now that things are connected to the internet, you don’t have that level of control. And, you have ways of exploiting these kinds of issues when they exist.

Julius: You can't really have safety without security. That's why this is even more important now when everything is connected to the internet. If you look at the safety standards that we need to adhere to, they basically ensure that you are not exhibiting undefined behaviors or cases in a language that are ill-defined or undefined. Rust is much more predictable when it comes to those things.

Julius: With languages like C and C++ it's a huge effort to ensure after the code is written that you are not using it in the wrong way. That's why Rust is such a big shift. You can't use it in the wrong way. That's a bit of an overstatement, but the ways to misuse Rust are much fewer and much less severe, meaning that you can more quickly reach the quality level that you need. Usually, you have this long tail of issues that you're fixing over a long period of time. With Rust, we see that this long tail of bugs just isn't there in the same way.

Drew: Rust makes everything much more explicit and makes it very hard to do the wrong things.

Julius: Yes, and you can also create constructs in the type system that prevent or enforce behavior before the code even compiles. So you can ensure that undesired behavior, things like deadlocks or data races that the software industry has been struggling with for decades, just can’t exist in the first place!

Drew: I find the Rust type system so satisfying.

Julius: It is awesome, but it can be frustrating as well. Sometimes you end up with this “Type Tetris” sort of thing. But, overall it's definitely a huge plus that you can specify the intended behavior in a much more rigorous way. That’s especially true if you can do it in a way that what would be buggy code doesn't compile in the first place. Maybe that's utopia, but getting closer and closer to that reality is going to mean lower costs and a shorter time to market, because you can iron problems out early rather than having to find the faults in later stages.

Drew: I'm curious to hear more about how you initially got interested in Rust. You said you were aware of this explosion of software in cars, the fact that they were connected to the internet, and the software quality problems that existed with prior systems languages. And, all of that got you interested in Rust. Is that right?

Julius: Me and another colleague started out with Rust after we got the green light from a manager. I gave a talk back in 2017 about Rust and there was a manager who also saw the need for us to start working on this. So, he encouraged us to try to figure out where we could use Rust. The problem back then was that there were hardly any systems that we were using in the vehicle that supported Rust either on a hardware level or at the OS level. That has changed today, but back then the thing that we found that fit perfectly was this low-power processor.

Drew: When you say that the previous systems didn't support Rust, do you mean that literally Rust could not be compiled for those targets?

Julius: Exactly. A lot of automotive-specific processors have architectures that require special compilers and things like that. Rust is limited to whatever LLVM supports.

Drew: Right. Now you said that you did eventually find a part that you could target with Rust, and what is that part?

Julius: It's called the low-power processor. It's a small Cortex-M4 microcontroller that could basically run Rust on bare metal. Since there wasn't any safety certification for Rust at that time, the fact that this part didn't have any safety implications was key too. This component is not involved in driving where safety is absolutely critical. Basically, it's not doing anything that can cause harm, so it's not a safety-classified part.

Julius: So the combination of the chip having good Rust support and that it wasn’t safety critical meant we had a great candidate for a first project. Also, all the other teams were busy with other things and this component was kind of being left behind. So, we could just take it over and run with it.

Drew: I want to follow up on one thing you said earlier before we keep going with this story. You mentioned that Rust support for some of these components has gotten better over time. Is that getting significantly better? What does that look like exactly?

Julius: When we started the project back in 2018, we basically had one out of all the 100+ ECUs in the car where Rust was supported. So, that was the one we used. If we take the platform as it sits today, we have at least 90% support.

Drew: That's a huge change.

Julius: Yeah. Now, BlackBerry supports it in their QNX. We have Linux support both in the kernel and in user space. ARM, RISC-V, and Infineon TriCore are all starting to get pretty good Rust support. We also have safety-qualified toolchains already available from multiple vendors, and people are already starting to do safety-certified projects as well.

Drew: I’m just starting to get acquainted with the world of safety certification. What does that mean to have a safety-qualified compiler?

Julius: So, there are different safety standards. These compilers use a standard called ISO 26262, and that standard has a whole section on how the tools that you use are qualified and how you ensure that those tools actually do what they're supposed to. In a compiler, for example, you want it to produce the binary that you expect. You want it to have different mechanisms in place to detect errors, miscompilations, and so forth. You also need to ensure that it's available for a long period of time. You can imagine that for something like a car you need support for at least 15-20 years, the lifetime of the product. I don't know the full details on the certification process, but hopefully that gives you some sense.

Drew: Going back to your story a little bit, I believe you ended up shipping that low-power processor as part of the EX90, is that right?

Julius: That is correct. It's part of the SPA2 platform, which is also in the Polestar 3. That was actually the first car.

Drew: So it's in multiple cars?

Julius: Yeah. It's part of the SPA2 and SPA3 platforms now. All the cars we produce on those platforms have this component.

Drew: You’ve mentioned the SPA2 and SPA3 platforms a few times, what are they?

Julius: Scalable Product Architecture.

Drew: Is that a software-defined car platform?

Julius: It is a full car platform including the software.

Drew: So you ended up shipping the low-power processor in SPA2 and SPA3, and it's in some cars that are in production now. It sounds like it was a big success. Were there any stumbling blocks along the way, or was it smooth sailing?

Julius: It was remarkably smooth, given that no one had done this before in the automotive space. We had to invent a lot of things. There wasn't any ready-made solution for it, so we had to think on our feet a bit and address any obstacles as they came up. Automotive software is developed according to a certain methodology. You have very strict requirements and you need to basically show through documentation and code that the requirements are being met. There are traceability systems that you use to trace those requirements back and forth, and a lot of those tools didn't exist for us, so we had to invent a lot of that for ourselves. This processor resides as part of the core computer, which has multiple CPUs on one board. So, it's really hard to test the low power processor on the actual core computer because it doesn't have many direct connections; it's always indirectly connected through the other CPUs. So, we basically had to design and build our own test hardware where we isolated the circuit from the core computer and attached a bunch of test probes to it. That way, we could basically induce any scenario or inputs that we wanted to test.

Drew: That's very interesting. Once you got this all done and rolled out, what was the reception from management and other people within Volvo?

Julius: The reception has been really positive. We want to continue to find new avenues where we can deploy Rust. Other teams are also starting to become curious and want to use it themselves. So, the interest is growing in the company. Our numbers have been really impressive so far. We are essentially twice as effective as the other comparable teams. The number of bugs found by testers outside of our team is almost non-existent—at least so far. So, that is extremely encouraging.

Drew: Those are amazing results!

Julius: We're definitely going to try to introduce it in more places, but we're not going to just throw everything out and rewrite it in Rust. We need to find where it makes sense.

Drew: Right. Have any of these other teams already started working with it, or is it more of just an interest right now?

Julius: I'm not sure about the status everywhere, but there's definitely interest, and there's definitely prototyping taking place. Whether there are any actual projects started with production intent, I'm not sure.

Drew: How many people are using Rust in the company?

Julius: Our team is small. We're only about eight developers who have taken this ECU from a concept on paper to production. The teamwork there has been really impressive and hard to match. I would guess maybe another 10 or so outside of our team are dabbling with it that I know of. It's a huge organization, so there might be a bunch of people that I'm not aware of. It is still a very small niche compared to the multiple thousands of developers that we have.

Drew: Do you think that Volvo will be hiring a lot of Rust engineers in the future? How do you see that going?

Julius: It's hard for me to say, but our ambition is to grow and deploy it in more projects. At the same time, most of the engineers we have added to our team have been C++ developers that are just eager to learn. I would say that eagerness to learn is basically the main criteria. We want you to be eager to learn, curious, and humble. Whether or not a person has Rust experience isn't that important. But, in general, I would say that I foresee more hiring down the line.

Drew: These people that you have brought in that you said are former C++ developers, do they often have a background in automotive or something similar, or is it just C++?

Julius: It’s actually more C than C++. Mostly they have some kind of low-level embedded background. Some have an automotive-specific background.

Drew: In your day to day, are you working hands-on with a lot of hardware? You kind of answered this already because you said you had to even build some of your own test hardware. But, can you speak to that a little bit more?

Julius: Yeah. So, we define hardware in two ways. In automotive, hardware is usually the parts that go into the car, like metal, bolts, and everything. But on the software side of things, we usually mean the electronics that execute our software. If you're developing anything that is going into the car, you interact with both kinds of hardware on a daily basis. Those are either interconnected ECUs on a board somewhere, on a table, or in an actual car. Depending on the team, like in our case, you might also be designing some of your own hardware and using oscilloscopes and logic analyzers and things like that to make sense of what’s going on.

Drew: I asked that because I think for a lot of people that sit at their desk all day, it's exciting to think about getting hands-on with things.

Julius: Absolutely. That's definitely what makes this job really fun. You can see the car come to life.

Drew: Is there anything unique that you would point out about working at Volvo that hasn’t come out in our conversation yet?

Julius: Volvo and Sweden in general is a very consensus-driven culture. There's a lot of coming together and finding consensus. Sometimes it takes a bit longer to get things done, but you usually arrive at a really good solution in the end. Everything is not just top-down commands from above. Compensation can be quite unique as well. For example, Sweden is famous for their parental leave. Volvo has basically extended that to all countries where they have operations. They provide six months of parental leave for everyone. I should say it is at least six months, and then if the local country has anything better than that, they use that instead.

Drew: That's awesome. I know your case is a little bit different because you went to school in Sweden, but does Volvo have a big culture of people moving to Sweden from other countries to work there?

Julius: Definitely. I think at least half of the people I work with are non-Swedish born.

Drew: Okay. So it's very, very common.

Julius: Yeah, very common. I don't think we could do it without everyone. It's an extremely multi-national company.

Drew: Thanks so much for sharing all this information Julius!

Julius: Thank you! It was my pleasure!
