by DesolationJones 1948 days ago
This is what Geohot said in a reddit post.

"We have done most of the ISO26262 analysis, we're hiring someone right now to get it written up nicely and open sourced. (those interested can find the job posting) It's one of our goals for openpilot 1.0"

They have a slightly more in depth explanation of their safety model in the "Background — safety architecture" section of this post.

https://medium.com/@comma_ai/how-to-write-a-car-port-for-ope...


Thank you!

This is the first place I've seen this acknowledged - and, bizarrely, I read most of the PRs and commits to the `safety` part of Panda, and didn't find a single reference to the checklist in that Medium post (and, only some of the requirements seem to be implemented in most cars). It feels really late to me to be doing this, and it seems like they could use a good docs person and some, well, leadership in the project.

One thing I noticed in general was that it seems like most Comma communication is side-channeled - most commits and PRs do not have much of anything in terms of description or documentation, and code review is really sparse. It feels like there's a back-room discussion happening rather than on GitHub, presumably on Discord? This makes it almost impossible to understand the safety constraints and reasoning, or to audit changes to the system.

But, it also sounds like they could very well be on the right track for 1.0, provided they hire the right person and they're able to clean things up.

Thank you for pointing this out, cheers!

>and didn't find a single reference to the checklist in that Medium post

Yeah, I always thought safety.md in the panda repo was lacking and the points from the medium post should be included. Perhaps someone should make a PR. I doubt anyone who has worked on panda code hasn't seen that medium post though.

>(and, only some of the requirements seem to be implemented in most cars)

May or may not be what you're referring to, but the majority of car brands don't support openpilot's longitudinal control, and maintain the stock ACC system while openpilot just controls steering. That's why you may not see any acceleration/deceleration safety code. Some brands also have LKAS torque severely limited by the EPS firmware, which should already be ASIL D rated. Honda, for example, will get around 5 degrees of max steering at highway speeds despite what openpilot says it wants, so there's no real need to add steering safety code to the panda.

I think you would most likely see code review on merged PRs done by the community. Look up almost any PR by deanlee, for example. Comma employees most likely do have most of their communications side-channeled, though.

More code documentation does seem to also be a goal for 1.0 https://twitter.com/comma_ai/status/1255932750671953921

I think they aim for self documenting code though. It's mostly pretty readable.