Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Safety-Critical Rust Consortium RFCs - RFC Book

The “RFC” (request for comments) process is intended to provide a consistent and controlled path for changes to the Safety-Critical Rust Consortium and its artifacts (such as new subcommittees, new initiatives) so that all stakeholders can be confident about the direction of the Consortium.

Many changes, including bug fixes and documentation improvements can be implemented and reviewed via the normal GitHub pull request workflow.

Some changes though are “substantial”, and we ask that these be put through a bit of a design process and produce a consensus among the Rust community and the [subcommittee][subcommittees].

Table of Contents

When you need to follow this process

You need to follow this process if you intend to make “substantial” changes to artifacts produced by the Consortium, subcommittee charters or the RFC process itself. What constitutes a “substantial” change is evolving based on community norms and varies depending on what part of the ecosystem you are proposing to change, but may include the following.

Some changes do not require an RFC:

  • Typical “line of business”-style work, such as adding a new coding guideline or small reworkings of process within contributions to the coding guidelines for the Safety-Critical Rust Coding Guidelines
  • Rephrasing, reorganizing, refactoring, or otherwise “changing shape does not change meaning”.
  • Additions that strictly improve objective, numerical quality criteria (warning removal, speedup, better platform coverage, more parallelism, trap more errors, etc.)
  • Additions only likely to be noticed by other contributors to artifacts, invisible to users of artifacts.

If you submit a pull request or make some change to how a process is run without going through the RFC process, the PR may be closed or changes reverted with a note left to submit an RFC first.

Subcommittee specific guidelines

Currently there are no subcommittee specific guidelines.

Before creating an RFC

A hastily-proposed RFC can hurt its chances of acceptance. Low quality proposals, proposals for previously-rejected changes, or those that don’t fit into the near-term roadmap, may be quickly rejected, which can be demotivating for the unprepared contributor. Laying some groundwork ahead of the RFC can make the process smoother.

Although there is no single way to prepare for submitting an RFC, it is generally a good idea to pursue feedback from other project developers beforehand, to ascertain that the RFC may be desirable; having a consistent impact on the project requires concerted effort toward consensus-building.

The most common preparations for writing and submitting an RFC include talking the idea over on our official Zulip channel and occasionally posting “pre-RFCs” on the Zulip channel. You may file issues on this repo for discussion, but these are not actively looked at by the subcommittees.

As a rule of thumb, receiving encouraging feedback from long-standing project developers, and particularly members of the relevant subcommittee is a good indication that the RFC is worth pursuing.

What the process is

In short, to get a major change made added to the Safety-Critical Rust Consortium or its artifacts, one must first get the RFC merged into the RFC repository as a markdown file. At that point the RFC is “active” and may be implemented with the goal of eventual inclusion.

  • Fork the RFC repo RFC repository
  • Copy 0000-template.md to text/0000-my-change.md (where “my-change” is descriptive). Don’t assign an RFC number yet; This is going to be the PR number and we’ll rename the file accordingly if the RFC is accepted.
  • Fill in the RFC. Put care into the details: RFCs that do not present convincing motivation, demonstrate lack of understanding of the design’s impact, or are disingenuous about the drawbacks or alternatives tend to be poorly-received.
  • Submit a pull request. As a pull request the RFC will receive design feedback from the larger community, and the author should be prepared to revise it in response.
  • Now that your RFC has an open pull request, use the issue number of the PR to rename the file: update your 0000- prefix to that number. Also update the “RFC PR” link at the top of the file.
  • Each pull request will be labeled with the most relevant subcommittee, which will lead to its being triaged by that subcommittee in a future meeting and assigned to a member of the subcommittee.
  • Build consensus and integrate feedback. RFCs that have broad support are much more likely to make progress than those that don’t receive any comments. Feel free to reach out to the RFC assignee in particular to get help identifying stakeholders and obstacles.
  • The subcommittee will discuss the RFC pull request, as much as possible in the comment thread of the pull request itself. Offline discussion will be summarized on the pull request comment thread.
  • RFCs rarely go through this process unchanged, especially as alternatives and drawbacks are shown. You can make edits, big and small, to the RFC to clarify or change the design, but make changes as new commits to the pull request, and leave a comment on the pull request explaining your changes. Specifically, do not squash or rebase commits after they are visible on the pull request.
  • At some point, a member of the subcommittee will propose a “motion for final comment period” (FCP), along with a disposition for the RFC (merge, close, or postpone).
    • This step is taken when enough of the tradeoffs have been discussed that the subcommittee is in a position to make a decision. That does not require consensus amongst all participants in the RFC thread (which is usually impossible). However, the argument supporting the disposition on the RFC needs to have already been clearly articulated, and there should not be a strong consensus against that position outside of the subcommittee. Subcommittee members use their best judgment in taking this step, and the FCP itself ensures there is ample time and notification for stakeholders to push back if it is made prematurely.
    • For RFCs with lengthy discussion, the motion to FCP is usually preceded by a summary comment trying to lay out the current state of the discussion and major tradeoffs/points of disagreement.
    • Before actually entering FCP, all members of the subcommittee must sign off; this is often the point at which many subcommittee members first review the RFC in full depth.
  • The FCP lasts ten calendar days, so that it is open for at least 5 business days. It is also advertised widely, e.g. in the Consortium mailing list. This way all stakeholders have a chance to lodge any final objections before a decision is reached.
  • In most cases, the FCP period is quiet, and the RFC is either merged or closed. However, sometimes substantial new arguments or ideas are raised, the FCP is canceled, and the RFC goes back into development mode.

The RFC life-cycle

Once an RFC becomes “active” then authors may implement it and submit the change as a pull request to the relevant Consortium repo. Being “active” is not a rubber stamp, and in particular still does not mean the change will ultimately be merged; it does mean that in principle all the major stakeholders have agreed to the change and are amenable to merging it.

Furthermore, the fact that a given RFC has been accepted and is “active” implies nothing about what priority is assigned to its implementation, nor does it imply anything about whether a developer or writer has been assigned the task of implementing the change. While it is not necessary that the author of the RFC also write the implementation, it is by far the most effective way to see an RFC through to completion: authors should not expect that other project developers or writers will take on responsibility for implementing their accepted change.

Modifications to “active” RFCs can be done in follow-up pull requests. We strive to write each RFC in a manner that it will reflect the final design of the change; but the nature of the process means that we cannot expect every merged RFC to actually reflect what the end result will be at the time of the next major release of an impacted Consortium artifact.

In general, once accepted, RFCs should not be substantially changed. Only very minor changes should be submitted as amendments. More substantial changes should be new RFCs, with a note added to the original RFC. Exactly what counts as a “very minor change” is up to the subcommittee to decide; check Subcommittee specific guidelines for more details.

Reviewing RFCs

While the RFC pull request is up, the subcommittee may schedule meetings with the author and/or relevant stakeholders to discuss the issues in greater detail, and in some cases the topic may be discussed at a subcommittee meeting. In either case a summary from the meeting will be posted back to the RFC pull request.

A subcommittee makes final decisions about RFCs after the benefits and drawbacks are well understood. These decisions can be made at any time, but the subcommittee will regularly issue decisions. When a decision is made, the RFC pull request will either be merged or closed. In either case, if the reasoning is not clear from the discussion in thread, the subcommittee will add a comment describing the rationale for the decision.

Implementing an RFC

Some accepted RFCs represent vital changes that need to be implemented right away. Other accepted RFCs can represent changes that can wait until some arbitrary developer or writer feels like doing the work. Every accepted RFC has an associated issue tracking its implementation in the RFC repository; thus that associated issue can be assigned a priority via the triage process that the subcommittee uses for all issues in the Rust repository.

The author of an RFC is not obligated to implement it. Of course, the RFC author (like any other developer or writer) is welcome to post an implementation for review after the RFC has been accepted.

If you are interested in working on the implementation for an “active” RFC, but cannot determine if someone else is already working on it, feel free to ask (e.g. by leaving a comment on the associated issue).

RFC Postponement

Some RFC pull requests are tagged with the “postponed” label when they are closed (as part of the rejection process). An RFC closed with “postponed” is marked as such because we want neither to think about evaluating the proposal nor about implementing the described change until some time in the future, and we believe that we can afford to wait until then to do so. Historically, “postponed” was used to postpone changes until after 1.0. Postponed pull requests may be re-opened when the time is right. We don’t have any formal process for that, you should ask members of the relevant subcommittee.

Usually an RFC pull request marked as “postponed” has already passed an informal first round of evaluation, namely the round of “do we think we would ever possibly consider making this change, as outlined in the RFC pull request, or some semi-obvious variation of it.” (When the answer to the latter question is “no”, then the appropriate response is to close the RFC, not postpone it.)

Decision-making

Consensus

In a nutshell the premise of consensus decision-making is that a successful outcome is not where one side of a debate has “won”, but rather where concerns from all sides have been addressed in some way. This emphatically does not entail design by committee, nor compromised design. Rather, it’s a recognition that

… every design or implementation choice carries a trade-off and numerous costs. There is seldom a right answer.

Breakthrough designs sometimes end up changing the playing field by eliminating tradeoffs altogether, but more often difficult decisions have to be made. The key is to have a clear vision and set of values and priorities, which is the leadership team’s responsibility to set and communicate, and the subcommittee’s responsibility to act upon.

Whenever possible, we seek to reach consensus through discussion and design revision. Concretely, the steps are:

  • Initial RFC proposed, with initial analysis of tradeoffs.
  • Comments reveal additional drawbacks, problems, or tradeoffs.
  • RFC revised to address comments, often by improving the design.
  • Repeat above until “major objections” are fully addressed, or it’s clear that there is a fundamental choice to be made.

Consensus is reached when most people are left with only “minor” objections, i.e., while they might choose the tradeoffs slightly differently they do not feel a strong need to actively block the RFC from progressing.

One important question is: consensus among which people, exactly? Of course, the broader the consensus, the better. But at the very least, consensus within the members of the subcommittee should be the norm for most decisions. If the leadership team has done its job of communicating the values and priorities, it should be possible to fit the debate about the RFC into that framework and reach a fairly clear outcome.

Each RFC has a shepherd drawn from the relevant subcommittee. The shepherd is responsible for driving the consensus process – working with both the RFC author and the broader community to dig out problems, alternatives, and improved design, always working to reach broader consensus.

Lack of consensus

In some cases, though, consensus cannot be reached. These cases tend to split into two very different camps:

  • “Trivial” reasons, e.g., there is not widespread agreement about naming, but there is consensus about the substance.

  • “Deep” reasons, e.g., the design fundamentally improves one set of concerns at the expense of another, and people on both sides feel strongly about it.

In either case, an alternative form of decision-making is needed.

  • For the “trivial” case, usually either the RFC shepherd or subcommittee chair will make an executive decision.

  • For the “deep” case, there are a few stages this can progress through. If resolved at any stage, no further stages need be visited for that “deep” case item.

    1. A subcommittee member raises what they believe to be a blocking concern on the RFC. See Blocking concern process for the details. If the blocking concern cannot be resolved through that process, proceed to the next stage.
    2. The subcommittee chair is empowered to make a final decision, but should consult with the the leadership team before doing so.

The decision on which camp a decision falls into is the responsibility of the subcommittee chair, although they should consult with the leadership team if there’s doubt raised on the RFC.

Blocking concern process

We follow the below process for a blocking concern:

  1. A subcommittee member raises what they believe to be a blocking concern on the RFC. Included with their blocking concern comment they must include a reasonable length piece of writing outlining concerns and alternatives.
  2. The RFC shepherd is responsible for working with the author and the subcommittee to attempt to drive to resolution during the ten day period from blocking concern being opened.
  3. If working together, the subcommittee member that raised the blocking concern, the author, and the remainder of the subcommittee are able to resolve the concern, the RFC is updated to reflect the chosen resolution by the author. Done.
  4. If working together, the subcommittee member that raised the blocking concern, the author, and the remainder of the subcommittee are unable to resolve the concern, the blocking concern process is deemed to not have succeeded. Return to Lack of consensus for further stages.

Help this is all too informal!

The process is intended to be as lightweight as reasonable for the present circumstances. As usual, we are trying to let the process be driven by consensus and community norms, not impose more structure than necessary.

Code of Conduct

The Rust Foundation has adopted a Code of Conduct that we expect project participants to adhere to. Please read the full text so that you can understand what actions will and will not be tolerated.

Contributing

See CONTRIBUTING.md.

Licenses

Rust is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0), with documentation portions covered by the Creative Commons Attribution 4.0 International license.

See LICENSE-APACHE, LICENSE-MIT, LICENSE-documentation, and COPYRIGHT for details.

You can also read more under the Foundation’s intellectual property policy.

Other Policies

You can read about other Rust Foundation policies on the Rust Foundation website.

Subcommittees

Summary

This RFC documents the current operational structure of the Safety-Critical Rust Consortium (SCRC), including its governance, membership model, subcommittee organization, and decision-making processes. The purpose is to establish a baseline understanding of how the consortium functions today, enabling future RFCs to propose targeted improvements with clear context.

Motivation

The Safety-Critical Rust Consortium has grown organically since its founding in June 2024 and first meeting in September 2024, reaching approximately 200 members across automotive, aerospace, medical, industrial, and other safety-critical domains. During this growth, operational practices have emerged through consensus and necessity rather than explicit documentation.

This creates several challenges:

  1. Onboarding difficulty: New members lack a comprehensive reference for understanding how the consortium operates, what roles exist, and how to participate effectively.

  2. Inconsistent expectations: The distinction between “observer” and “producer” roles exists in principle but lacks clear definition, leading to uncertainty about participation expectations.

  3. Non-uniform subcommittee structures: Each subcommittee has developed its own practices (task forces, core member roles, etc.) without a common framework, making cross-subcommittee participation harder to navigate.

  4. Foundation for improvement: Without documenting the current state, proposals for operational improvements lack baseline context, making it difficult to evaluate whether changes represent genuine improvements.

This RFC addresses these challenges by providing a single source of truth for current consortium operations. Future RFCs can reference this document when proposing changes, making the evolution of consortium practices traceable and deliberate.

Use cases this documentation enables:

  • A new member can read this RFC to understand membership expectations and find where to participate
  • Subcommittee leads can reference common terminology when describing roles
  • Future RFC authors can clearly articulate what they’re proposing to change
  • External parties (standards bodies, the Rust Project, etc.) can understand how the consortium is organized

Guide-level explanation

What is the Safety-Critical Rust Consortium?

The Safety-Critical Rust Consortium is a Rust Foundation initiative that supports the responsible use of the Rust programming language in safety-critical software, i.e. systems whose failure can impact human life or cause severe environmental or property harm.

The consortium brings together practitioners from across safety-critical industries to collaborate on shared challenges: developing coding guidelines, identifying and cataloging tooling, engaging with standards bodies, and building bridges to the Rust Project.

How is the Consortium Organized?

The consortium operates at two levels:

Consortium Level

At the top level, the consortium has:

  • Rust Foundation Sponsor: Joel Marcey (Director of Technology at the Rust Foundation) manages logistics and provides organizational support
  • Consortium Lead: Pete LeVasseur coordinates activities across subcommittees and represents the consortium externally
  • In-person meetings: Twice yearly at major Rust conferences (e.g., RustConf, RustWeek)

Subcommittee Level

The consortium has three subcommittees, each focused on a specific domain:

  1. Coding Guidelines Subcommittee (led by Pete LeVasseur)

    • Develops community-vetted coding guidelines for Rust in safety-critical applications
    • Meets weekly rotating globally across time zones

  2. Liaison Subcommittee (led by Alex Celeste)

    • Engages with external organizations: standards bodies, the Rust Project, industry groups
    • Meets as-needed

  3. Tooling Subcommittee (led by Alexandru Radovici)

    • Catalogs and evaluates tools for safety-critical Rust development
    • Identifies gaps in tooling and advocates for improvements
    • Meets biweekly

How Do I Participate?

Joining the Consortium

Membership is intentionally low-barrier. To join:

  1. File a membership application issue on GitHub
  2. Provide your name, email, and optionally your company affiliation

Membership grants access to:

  • The consortium mailing list
  • Occasional virtual all-hands meetings
  • Invitations to in-person meetings

Joining Subcommittees

Concurrently with submitting to join the consortium, you can apply to subcommittees by filing a subcommittee application issue.

Subcommittee membership adds:

  • Invitations to that subcommittee’s meetings
  • Easier ability to coordinate on subcommittee-specific discussions and work items

Observer vs. Producer Roles

The consortium distinguishes between two participation modes:

  • Observer: Primarily follows discussions, provides feedback, and stays informed. Observers participate in meetings and may contribute occasionally.
  • Producer: Actively contributes to artifacts, takes on work items, and participates in reviews.

This distinction is informal. In other words, members self-select their participation level, and both roles are valued. The specific expectations for each role vary by subcommittee (see Reference-level explanation).

Meeting Policies

All consortium meetings follow these policies:

Chatham House Rule

Participants may share the meeting notes publicly gathered from meetings but must not reveal the identity of speakers. This encourages candid discussion.

No Recordings or Transcriptions

Meetings are not recorded, and AI transcription tools are prohibited. Meeting notes are taken by designated notetakers who volunteer, following consortium templates:

Reference-level explanation

Consortium Governance

Leadership Structure

RoleCurrent HolderResponsibilities
Rust Foundation SponsorJoel MarceyOrganizational support, logistics, Rust Foundation liaison
Consortium LeadPete LeVasseurCross-subcommittee coordination, external representation
Coding Guidelines Subcommittee LeadPete LeVasseurSubcommittee operations, meeting facilitation, coding guidelines overall maintenance
Liaison Subcommittee LeadAlex CelesteSubcommittee operations, external engagement coordination
Tooling Subcommittee LeadAlexandru RadoviciSubcommittee operations, tooling catalog management

Decision Making

The consortium follows a consensus-based decision-making model as described in the RFC process documentation. Key principles:

  • Decisions seek to address concerns from all sides rather than having one side “win”
  • Consensus is reached when major objections are addressed
  • For trivial disagreements, subcommittee chairs may make executive decisions
  • For deep disagreements, a blocking concern process exists with escalation paths

RFC Process

Substantial changes to consortium artifacts or operations require an RFC:

  1. Author creates an RFC using the template
  2. RFC is submitted as a pull request
  3. The relevant subcommittee reviews and iterates
  4. Final Comment Period (FCP) of 10 days before merge
  5. After merge, RFC is “active” and can be implemented

The full process is documented in the RFC repository README.

Membership Details

Observer and Producer Definitions

At the consortium level, these roles are intentionally loosely defined:

Observer:

  • Participates in meetings
  • Follows discussions on Zulip and GitHub
  • Provides feedback and perspective
  • No specific contribution expectations

Producer:

  • Actively works on consortium artifacts
  • Takes ownership of work items
  • Participates in reviews
  • Expected to follow through on commitments

Members may shift between roles based on availability and interest. There is no formal process to change status.

Subcommittee Operations

Coding Guidelines Subcommittee

Mission: Develop community-vetted coding guidelines for Rust in safety-critical systems. A living document updated as Rust evolves and practitioners learn from experience.

Meeting Schedule: Weekly, alternating time zones (one EU/Asia-friendly, one Asia/Americas-friendly, one Americas/EU-friendly)

Primary Artifact: Safety-Critical Rust Coding Guidelines

Role Definitions:

RoleDescriptionExpectations
ObserverFollows discussion, provides feedbackAttend meetings as interest allows
ProducerActively contributes guidelinesTagged by guidelines-bot for reviews in round-robin fashion; expected to complete reviews
Core MemberInformal designation for active maintainersHigher involvement in process decisions, mentoring new contributors

Key Resources:

Liaison Subcommittee

Mission: Proactively and reactively collaborate with external groups including standards committees, the Rust Project, and industry organizations. Drive agreement on safety-critical Rust efforts and handle IP considerations for referencing external documents.

Meeting Schedule: As-needed

Primary Artifacts:

Role Definitions:

The Liaison subcommittee has not formalized observer/producer distinctions beyond the consortium-wide definitions.

External Engagement Areas:

  • ISO 26262 (automotive functional safety)
  • IEC 61508 (general functional safety)
  • DO-178C (aerospace)
  • MISRA
  • AUTOSAR
  • Rust Project (including FLS maintenance)
  • WG23 (TR 24772 language vulnerabilities)
  • Various national standards bodies (INCITS, BSI, etc.)

Tooling Subcommittee

Mission:

  1. Aggregate community-vetted tooling for safety-critical Rust certification
  2. Maintain a tools list with development status
  3. Identify tooling gaps and advocate for solutions

Meeting Schedule: Biweekly

Primary Artifacts:

Role Definitions:

The Tooling subcommittee has not formalized observer/producer distinctions beyond the consortium-wide definitions.

Task Forces:

The Tooling subcommittee has established two task forces:

Task ForcePurposeMembers
Tooling Submissions Task ForceReview and catalog tool submissions, maintain the tools listTiago Manczak, Manuel Hatzl, Arnaud Fontaine
Rust Project Bridge Task ForceFacilitate engagement between SCRC and the Rust Project, support Rust Project Goals related to safety-criticalAlexandru Radovici, Xander Cesari, Pete LeVasseur

Tool Submission Process:

  1. Anyone creates an issue requesting a tool addition/change/deletion
  2. Issue is triaged and assigned to a Tooling Submissions Task Force member
  3. Up to 15 days for review (checking tool information, validity for safety-critical use)
  4. PR created to update available-tools.yaml
  5. PR reviewed and merged

Annual Review: The Tooling Task Force conducts an annual review of all listed tools to verify maintenance status, license updates, and vendor status.

Artifacts and Resources

Consortium-wide

ResourceLocationPurpose
Main repositorygithub.com/rustfoundation/safety-critical-rust-consortiumCentral coordination, membership, meeting notes
RFC repositorygithub.com/rustfoundation/safety-critical-rust-consortium-rfcsProcess changes, major decisions
Websitearewesafetycriticalyet.orgPublic-facing information, documentation
Zuliprust-lang.zulipchat.com/#narrow/channel/445688-safety-critical-consortiumReal-time discussion

Subcommittee-specific

SubcommitteeRepository/LocationKey Artifact
Coding Guidelinesgithub.com/rustfoundation/safety-critical-rust-coding-guidelinesCoding guidelines document
Liaisongithub.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee/liaisonResponsible individuals list
Toolinggithub.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee/toolingTools list (YAML)

Drawbacks

  1. Documentation overhead: Maintaining accurate documentation of operations requires ongoing effort. If the consortium changes practices without updating this RFC (or successor documents), the documentation becomes misleading.

  2. Premature formalization: By documenting current practices, we risk implicitly endorsing them as “correct” when some practices emerged from convenience rather than deliberate design.

  3. Scope limitations: This RFC captures a snapshot in time. It may not age well as the consortium evolves.

Rationale and alternatives

Why document the current state?

The primary alternative is to proceed directly to proposing improvements without this baseline RFC. However:

  • Without a baseline, “change” is ambiguous: Future RFCs proposing operational changes would need to describe both current state and proposed state, making them longer and less focused.

  • Institutional knowledge is fragile: Current operations exist primarily in the heads of active participants. This RFC captures that knowledge explicitly.

  • New members need orientation: A single document describing operations is more useful than piecing together information from scattered READMEs and meeting notes.

Why use an RFC for this?

An RFC provides:

  • Review by consortium members
  • A permanent, versioned record
  • A template for future operational documentation

The alternative (a simple README or wiki page) lacks the review rigor and versioning benefits.

Impact on code readability

This RFC does not affect Rust code directly. It affects consortium processes, which indirectly influence the quality of coding guidelines and tooling recommendations.

Prior art

Rust Project Governance

The Rust Project maintains governance documentation describing teams, working groups, and decision processes. The SCRC’s structure is simpler but follows similar patterns of distributed ownership through subcommittees.

Rust Project RFC Process

The Rust Project uses an RFC process for proposing substantial changes to the language, libraries, and project processes. The SCRC’s RFC process is modeled after this approach. Key similarities include:

  • Proposals submitted as pull requests with structured templates
  • Community discussion and iteration on the PR
  • Final Comment Period (FCP) before acceptance
  • “Active” RFCs that are approved but not yet implemented

The Rust Project’s process has evolved over a decade and handles language-level changes, which are more complex than consortium operational changes. The SCRC’s process is intentionally simpler, reflecting our smaller scope and membership. However, the core principles—transparent discussion, consensus-building, and permanent records—are shared.

For reference:

MISRA

MISRA (Motor Industry Software Reliability Association) operates similarly: an industry consortium developing guidelines for safety-critical software. MISRA’s structure includes working groups focused on specific languages (C, C++) and topics. The SCRC’s subcommittee model mirrors this approach.

AUTOSAR

AUTOSAR (AUTomotive Open System ARchitecture) uses working groups for different technical areas. Their Working Group for Functional Safety (WG-SAF) has addressed Rust, and SCRC maintains liaison connections with them.

Other Rust Foundation Initiatives

The Rust Foundation has established other community initiatives with varying governance models. The SCRC’s approach of low-barrier membership with optional deeper involvement (producer role, task forces) seeks to balance accessibility with effective contribution.

Unresolved questions

The following aspects of current operations remain unclear and may require future RFCs to address:

  1. Observer/Producer distinction enforcement: Currently self-selected. Should there be any formal designation or tracking?

  2. Membership removal: Under what circumstances might a member be removed? No process exists currently.

Future possibilities

This baseline RFC enables several follow-on RFCs:

  1. Establishment of a Consortium Leadership Council: The council would be comprised of a Rust Foundation Sponsor, a Consortium Lead, and then the Team Leads. This council would facilitate in-person meetings at conferences and support cross-subcommittee decision-making.

  2. Standardization of Joining the Consortium: Define clear expectations, privileges, and responsibilities for member role within the Consortium.

    • The observer / producer distinction at the Consortium level may not make much sense. The bulk of the work happens at the Subcommittee level. It seems possible that simply having there be a member role within the Consortium can help streamline this.

  3. Team Normalization: Normalization of teams’ structure, similar in nature to the Rust Project, to allow for a Team to have a Sub-Team, and so on, as necessary.

    • An example of this would be having the Tooling Subcommittee become the Tooling Team. Then to have the Tooling Submissions Task Force become the Tool Catalog Team and exist as a sub-team beneath the Tooling Team.
    • Helps normalize the structure without needing to consult a thesaurus each time we want a new team.

  4. Separation Between Teams, Contributor Teams, Observer Teams: Subcommittees need the ability to assign permissions to Consortium resources. Currently with the observer/producer distinction and lack of an established way to migrate someone from one to the other we have no clean way to do this.

    • An example of this would be having what we currently call the Coding Guidelines Subcommittee be split into three teams:
      • Coding Guidelines Team: What we currently call the “Core Team” of the Coding Guidelines Subcommittee. The people on this team would then clearly be able to have permissions needed on the Safety-Critical Rust Coding Guidelines repo.
      • Coding Guidelines Contributors Team: The remainder of the Coding Guidelines Subcommittee which self-selected as Producers. Sub-team of Coding Guidelines Team. Team expectation to review and contribute to the coding guidelines.
      • Coding Guidelines Observers Team: The remainder of the Coding Guidelines Subcommittee which self-selescted as Observers. Sub-team of Coding Guidelines Team. No real expectation here, allows ability to join meetings.
    • Meeting invites would still be sent out to all three teams sent out to the above.

  5. A Mechanism to Change Team Memberships: Given the breakdown of Teams, Contributor Teams, and Observer Teams it seems worthwhile to have there be a flexible mechanism to allow change in team membership.

    • For example, if someone on the Coding Guidelines Contributors Team is indeed contributing and taking a real interest in the work of maintainership, they may be asked if they would like to join the Coding Guidelines Team.

  6. A Mechanism to Record (Changes in) Team Membership: We likely need some better-published way of recording team memberships, probably on our website: arewesafetycriticalyet.org.

These possibilities are out of scope for this RFC, which is intentionally limited to documenting current state rather than proposing changes.