openpilot_comma/SAFETY.md

openpilot Safety
======

openpilot is an Adaptive Cruise Control and Lane Keeping Assist System. Like
other ACC and LKAS systems, openpilot requires the driver to be alert and to pay
attention at all times. We repeat, **driver alertness is necessary, but not
sufficient, for openpilot to be used safely**.

Even with an attentive driver, we must make further efforts for the system to be
safe. We have designed openpilot with two other safety considerations.

1. The vehicle must always be controllable by the driver.
2. The vehicle must not alter its trajectory too quickly for the driver to safely
   react.

To address these, we came up with two safety principles.

1. Enforced disengagements. Step on either pedal or press the cancel button to
   retake manual control of the car immediately.
  - These are hard enforced by the board, and soft enforced by the software. The
    green led on the board signifies if the board is allowing control messages.
  - Honda CAN uses both a counter and a checksum to ensure integrity and prevent
    replay of the same message.

2. Actuation limits. While the system is engaged, the actuators are constrained
   to operate within reasonable limits; the same limits used by the stock system on
   the Honda.
  - Without an interceptor, the gas is controlled by the PCM. The PCM limits
    acceleration to what is reasonable for a cruise control system.  With an
    interceptor, the gas is clipped to 60% in longcontrol.py
  - The brake is controlled by the 0x1FA CAN message. This message allows full
    braking, although the board and the software clip it to 1/4th of the max.
    This is around .3g of braking.
  - Steering is controlled by the 0xE4 CAN message. The EPS controller in the
    car limits the torque to a very small amount, so regardless of the message,
    the controller cannot jerk the wheel.
openpilot release 9 years ago			`openpilot Safety`
			`======`

			`openpilot is an Adaptive Cruise Control and Lane Keeping Assist System. Like`
			`other ACC and LKAS systems, openpilot requires the driver to be alert and to pay`
			`attention at all times. We repeat, **driver alertness is necessary, but not`
			`sufficient, for openpilot to be used safely**.`

			`Even with an attentive driver, we must make further efforts for the system to be`
			`safe. We have designed openpilot with two other safety considerations.`

			`1. The vehicle must always be controllable by the driver.`
			`2. The vehicle must not alter its trajectory too quickly for the driver to safely`
			`react.`

			`To address these, we came up with two safety principles.`

			`1. Enforced disengagements. Step on either pedal or press the cancel button to`
			`retake manual control of the car immediately.`
			`- These are hard enforced by the board, and soft enforced by the software. The`
			`green led on the board signifies if the board is allowing control messages.`
			`- Honda CAN uses both a counter and a checksum to ensure integrity and prevent`
			`replay of the same message.`

			`2. Actuation limits. While the system is engaged, the actuators are constrained`
			`to operate within reasonable limits; the same limits used by the stock system on`
			`the Honda.`
			`- Without an interceptor, the gas is controlled by the PCM. The PCM limits`
			`acceleration to what is reasonable for a cruise control system. With an`
			`interceptor, the gas is clipped to 60% in longcontrol.py`
			`- The brake is controlled by the 0x1FA CAN message. This message allows full`
			`braking, although the board and the software clip it to 1/4th of the max.`
			`This is around .3g of braking.`
			`- Steering is controlled by the 0xE4 CAN message. The EPS controller in the`
			`car limits the torque to a very small amount, so regardless of the message,`
			`the controller cannot jerk the wheel.`