dragonpilot/docs/SAFETY.md

# Safety

openpilot is an Adaptive Cruise Control (ACC) and Automated Lane Centering (ALC) system.
Like other ACC and ALC systems, openpilot is a failsafe passive system and it requires the
driver to be alert and to pay attention at all times.

In order to enforce driver alertness, openpilot includes a driver monitoring feature
that alerts the driver when distracted.

However, even with an attentive driver, we must make further efforts for the system to be
safe. We repeat, **driver alertness is necessary, but not sufficient, for openpilot to be
used safely** and openpilot is provided with no warranty of fitness for any purpose.

openpilot is developed in good faith to be compliant with FMVSS requirements and to follow
industry standards of safety for Level 2 Driver Assistance Systems. In particular, we observe
ISO26262 guidelines, including those from [pertinent documents](https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13498a_812_573_alcsystemreport.pdf)
released by NHTSA. In addition, we impose strict coding guidelines (like [MISRA C : 2012](https://www.misra.org.uk/what-is-misra/))
on parts of openpilot that are safety relevant. We also perform software-in-the-loop,
hardware-in-the-loop and in-vehicle tests before each software release.

Following Hazard and Risk Analysis and FMEA, at a very high level, we have designed openpilot
ensuring two main safety requirements.

1. The driver must always be capable to immediately retake manual control of the vehicle,
   by stepping on the brake pedal or by pressing the cancel button.
2. The vehicle must not alter its trajectory too quickly for the driver to safely
   react. This means that while the system is engaged, the actuators are constrained
   to operate within reasonable limits[^1]. 

For additional safety implementation details, refer to [panda safety model](https://github.com/commaai/panda#safety-model). For vehicle specific implementation of the safety concept, refer to [panda/board/safety/](https://github.com/commaai/panda/tree/master/board/safety).

**Extra note**: comma.ai strongly discourages the use of openpilot forks with safety code either missing or
  not fully meeting the above requirements.

[^1]: For these actuator limits we observe ISO11270 and ISO15622. Lateral limits described there translate to 0.9 seconds of maximum actuation to achieve a 1m lateral deviation.
Sphinx docs generation (#22697) * add sphinx * switch theme * Experiment: sphinx docs generation updated (#22708) * moved build to root gitignore, added .gitkeep * Improved makefile doc build process - Removed auto-generated docs from source control - Moved apidoc.sh into Makefile - Removed make.bat (can add back if Windows support desired) - Added sphinx viewcode and markdown extensions - Added feature to source /docs in build, so any .rst file in /docs will override the respective file during the build process - Added feature to copy all markdown/rst files from source into /build/ during build process so they can be easily referenced while writing docs (see examples in index.md) - Wrote basic starter index.md file TODO: Add new dependencies to Pipfile [dev-packages] * Revert accidental modification to Pipfile * fix command substitution * exclude xx * improve docs * dont include all docs in release build * Add dockerfile * update title * include normal readme * build container in CI * use buildkit * add login Co-authored-by: Chad Bailey <chadbailey904@gmail.com> 4 years ago			`# Safety`
root directory non hidden files 5 years ago
Add pre-commit hooks (#1629) 5 years ago			`openpilot is an Adaptive Cruise Control (ACC) and Automated Lane Centering (ALC) system.`
root directory non hidden files 5 years ago			`Like other ACC and ALC systems, openpilot is a failsafe passive system and it requires the`
			`driver to be alert and to pay attention at all times.`

			`In order to enforce driver alertness, openpilot includes a driver monitoring feature`
			`that alerts the driver when distracted.`

			`However, even with an attentive driver, we must make further efforts for the system to be`
			`safe. We repeat, **driver alertness is necessary, but not sufficient, for openpilot to be`
			`used safely** and openpilot is provided with no warranty of fitness for any purpose.`

			`openpilot is developed in good faith to be compliant with FMVSS requirements and to follow`
			`industry standards of safety for Level 2 Driver Assistance Systems. In particular, we observe`
			`ISO26262 guidelines, including those from [pertinent documents](https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13498a_812_573_alcsystemreport.pdf)`
Update MISRA link in SAFETY.md (#21933) Link is now a 404. Was only a blog post anyway: https://web.archive.org/web/20201028092101/https://www.misra.org.uk/MISRAHome/MISRAC2012/tabid/196/Default.aspx 4 years ago			`released by NHTSA. In addition, we impose strict coding guidelines (like [MISRA C : 2012](https://www.misra.org.uk/what-is-misra/))`
root directory non hidden files 5 years ago			`on parts of openpilot that are safety relevant. We also perform software-in-the-loop,`
			`hardware-in-the-loop and in-vehicle tests before each software release.`

			`Following Hazard and Risk Analysis and FMEA, at a very high level, we have designed openpilot`
			`ensuring two main safety requirements.`

Add pre-commit hooks (#1629) 5 years ago			`1. The driver must always be capable to immediately retake manual control of the vehicle,`
Add Disengage on Accelerator Toggle (#23977) * Squashed commit of the following: commit 953bcf0ecf8d03f0fec9ce0d5442cc660ae2347d Merge: b4198608d 333257bad Author: Shane Smiskol <shane@smiskol.com> Date: Fri Apr 1 19:58:06 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit b4198608dac9595bfeb9443f95cd6c5d385cd62d Merge: 24f90b2c8 0b9790dd2 Author: Shane Smiskol <shane@smiskol.com> Date: Fri Apr 1 14:32:54 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit 24f90b2c8d6ae509c0776b6e33b743467aa08dee Author: Shane Smiskol <shane@smiskol.com> Date: Thu Mar 31 14:07:52 2022 -0700 revert changes and get ready for override commit aa514df6b5e8431f0faa07f6b25eb5cb6c9f2749 Author: Shane Smiskol <shane@smiskol.com> Date: Wed Mar 30 20:52:24 2022 -0700 temporary commit c874e10c2555968c683f629c4582ab22e51d431f Author: Shane Smiskol <shane@smiskol.com> Date: Wed Mar 30 00:30:13 2022 -0700 move gasPressed to controlsd commit fe670439dff5bc6dfc5963d79ca2febe0c5920c7 Merge: 49d3b6d11 81862fce7 Author: Shane Smiskol <shane@smiskol.com> Date: Wed Mar 30 00:15:48 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit 49d3b6d1162893fa94b2294152f0718eeb4698ed Merge: 475b27e74 d60c44e03 Author: Shane Smiskol <shane@smiskol.com> Date: Mon Mar 28 13:06:08 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit 475b27e74fd6479f1d148e9ded1eca6ee476865c Author: Shane Smiskol <shane@smiskol.com> Date: Thu Mar 24 20:24:59 2022 -0700 update SAFETY.md commit 0798eadb82749e12ecbaa86f4e57b21bd3dbc7e8 Author: Shane Smiskol <shane@smiskol.com> Date: Thu Mar 24 17:52:06 2022 -0700 ⛽ ➡️ 🔋 bump commit d2b64b89cf8d7265bc90848b4e3a2276c9a4cb78 Author: Shane Smiskol <shane@smiskol.com> Date: Thu Mar 24 16:19:34 2022 -0700 these changes will be in border PR these changes will be border PR commit bed31e63de2244c161729773978fef8a9246ddb5 Merge: 491417640 e91613bc6 Author: Shane Smiskol <shane@smiskol.com> Date: Thu Mar 24 16:17:31 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit 49141764098e3a701ff123ead52de4656b31db4d Merge: 9291e9f00 c88ced1f1 Author: Shane Smiskol <shane@smiskol.com> Date: Wed Mar 23 19:00:26 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit 9291e9f0045780669b2ffa7f08fb10373c03b070 Merge: 2aed64157 99c02bdd2 Author: Shane Smiskol <shane@smiskol.com> Date: Fri Mar 18 19:03:13 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit 2aed64157d6e9dc993d103a2c6abf7e643410562 Author: Shane Smiskol <shane@smiskol.com> Date: Fri Mar 18 19:03:03 2022 -0700 Revert "send pre-enable state when gas is pressed" This reverts commit 8d82e697dc2efade307413e767d14b56b4d2d079. commit a219defe5342efa731a957b2ff4fd86292c1f239 Author: Shane Smiskol <shane@smiskol.com> Date: Thu Mar 17 12:50:46 2022 -0700 bump cereal commit 8d82e697dc2efade307413e767d14b56b4d2d079 Author: Shane Smiskol <shane@smiskol.com> Date: Wed Mar 16 22:40:13 2022 -0700 send pre-enable state when gas is pressed formatting and it's out forgot one allow gas press show toggle revert changes revert changes commit 5eb4d1ab1b77ac65bdd901f692ebfb848d5187ca Merge: bad1bdc74 db7b49c71 Author: Shane Smiskol <shane@smiskol.com> Date: Wed Mar 16 22:29:43 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit bad1bdc7428c5d8a4a765b259da504f0ade84424 Author: Shane Smiskol <shane@smiskol.com> Date: Tue Mar 15 23:03:56 2022 -0700 clean up a bit commit 7516ed9b786536a07f00a92b9c1742ca252a01d1 Author: Shane Smiskol <shane@smiskol.com> Date: Tue Mar 15 22:55:09 2022 -0700 these are null checks right now commit 408f5f1d633521b29b08d966c9b387fa79dff0d6 Author: Shane Smiskol <shane@smiskol.com> Date: Tue Mar 15 22:51:14 2022 -0700 should work commit be1978e29c03d8843cf073cc9ddf84020fd2b378 Author: Shane Smiskol <shane@smiskol.com> Date: Tue Mar 15 22:36:16 2022 -0700 stash commit f0bd4c47e9d27061c6cd3b88765a7c10995f42db Author: Shane Smiskol <shane@smiskol.com> Date: Tue Mar 15 22:26:24 2022 -0700 this was flipped commit d5b6e30389a727e8559331acd706422e1b246f60 Merge: 820b19894 5fe00fb77 Author: Shane Smiskol <shane@smiskol.com> Date: Tue Mar 15 22:25:49 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit 820b1989496225df1f66f39b477f1e9402db1b19 Merge: 91763f9ff d7c758d4b Author: Shane Smiskol <shane@smiskol.com> Date: Mon Mar 14 23:39:34 2022 -0700 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit 91763f9ff4321986babce1a7b1272fcf64c8f753 Author: Shane Smiskol <shane@smiskol.com> Date: Thu Feb 24 20:15:26 2022 -0800 add icon from jozef 🔥 commit 1885c9e2bacd9351c7e421b1436dcbfbde238436 Merge: 1f591736a 9c70e8bca Author: Shane Smiskol <shane@smiskol.com> Date: Thu Feb 24 20:08:07 2022 -0800 Merge remote-tracking branch 'upstream/master' into disengage-on-gas commit 1f591736a2767b1ed892c29ec5000cc7348f01c7 Merge: 465811f0b 7410160d0 Author: Jason Wen <47793918+sunnyhaibin@users.noreply.github.com> Date: Sat Feb 12 10:24:29 2022 -0500 Merge branch 'master' into disengage-on-gas commit 465811f0b4776e43a289398e4d4369362b7da58c Author: Jason Wen <haibin.wen3@gmail.com> Date: Fri Feb 11 11:20:32 2022 -0500 Add param to process replay commit 0344363a533505435cff87eb33356b2364a4156f Merge: 700efcb3f 3e915cf62 Author: Jason Wen <47793918+sunnyhaibin@users.noreply.github.com> Date: Fri Feb 11 11:07:31 2022 -0500 Merge branch 'master' into disengage-on-gas commit 700efcb3f444092f99ef10e9908f83402429d742 Author: Jason Wen <haibin.wen3@gmail.com> Date: Fri Feb 11 11:04:39 2022 -0500 Add param to unsafeMode commit 220ce272fee1f7f5ace2a04052605a6e4f95712b Author: Jason Wen <haibin.wen3@gmail.com> Date: Fri Feb 11 10:54:16 2022 -0500 Add param to unsafeMode commit d273bb78acbc23ee5255e461fa71b2f0400a5e03 Author: Jason Wen <haibin.wen3@gmail.com> Date: Fri Feb 11 10:52:22 2022 -0500 Resolve conflicts commit 1a85afd60c2f0d3140dfa8e7cd574d6b88abd5e3 Author: Jason Wen <haibin.wen3@gmail.com> Date: Fri Feb 11 10:51:50 2022 -0500 Resolve conflicts commit e3be32afc2bb2423d29e2b4f85b3cff3fe72aab9 Author: Jason Wen <haibin.wen3@gmail.com> Date: Fri Feb 11 10:51:08 2022 -0500 Resolve conflicts commit f27203af3afe612173bf9a63e15c57118598b5b8 Author: Jason Wen <haibin.wen3@gmail.com> Date: Wed Jan 19 00:30:09 2022 -0500 Add param to process replay commit 04c0ad1a54f4fea5efe74b3203d9bdbd693b64a6 Author: Jason Wen <47793918+sunnyhaibin@users.noreply.github.com> Date: Wed Jan 19 00:28:49 2022 -0500 Update interfaces.py Co-authored-by: Willem Melching <willem.melching@gmail.com> commit 99cf13caeb4d9f2c95c25e1e78b6e353ea508cb6 Author: Jason Wen <haibin.wen3@gmail.com> Date: Sat Jan 15 00:03:38 2022 -0500 Fix missing params lib commit 2230254ca709625d591b0c73d1a6022c450f6ef6 Author: Jason Wen <haibin.wen3@gmail.com> Date: Fri Jan 14 23:38:46 2022 -0500 Disengage on gas toggle commit 87475e02cb63cc39c9b16edc67f303e02d17e6ef Author: Jason Wen <haibin.wen3@gmail.com> Date: Fri Jan 14 23:24:00 2022 -0500 Disengage on gas toggle * bump * use ALTERNATIVE_EXPERIENCE * or it * de-bump * update refs * update refs! * you can just ctrl+click ALTERNATIVE_EXPERIENCE! * already have a params * update text 3 years ago			`by stepping on the brake pedal or by pressing the cancel button.`
root directory non hidden files 5 years ago			`2. The vehicle must not alter its trajectory too quickly for the driver to safely`
			`react. This means that while the system is engaged, the actuators are constrained`
Update SAFETY.md (#29129) 2 years ago			`to operate within reasonable limits[^1].`
root directory non hidden files 5 years ago
RE fixup (#21309) * Fixup doc urls/references - Fixup broken/changed links - Remove eon links and label as depreciated - Add link to panda safety model - Rename "testing closet" to "test lab" I'll admit the last one is a bit pedantic but I think it's a better understood term. My day job deals with things like this so I'm biased * Update CONTRIBUTING.md * Update CONTRIBUTING.md * Update CONTRIBUTING.md * Update README.md * Update CONTRIBUTING.md * Update README.md * Update README.md * Update README.md Co-authored-by: Adeeb Shihadeh <adeebshihadeh@gmail.com> 4 years ago			`For additional safety implementation details, refer to [panda safety model](https://github.com/commaai/panda#safety-model). For vehicle specific implementation of the safety concept, refer to [panda/board/safety/](https://github.com/commaai/panda/tree/master/board/safety).`
root directory non hidden files 5 years ago
			`Extra note: comma.ai strongly discourages the use of openpilot forks with safety code either missing or`
			`not fully meeting the above requirements.`
Update SAFETY.md (#29129) 2 years ago
			`[^1]: For these actuator limits we observe ISO11270 and ISO15622. Lateral limits described there translate to 0.9 seconds of maximum actuation to achieve a 1m lateral deviation.`