openpilot_comma/docs/SAFETY.md

# Safety

openpilot is an Adaptive Cruise Control (ACC) and Automated Lane Centering (ALC) system.
Like other ACC and ALC systems, openpilot is a failsafe passive system and it requires the
driver to be alert and to pay attention at all times.

In order to enforce driver alertness, openpilot includes a driver monitoring feature
that alerts the driver when distracted.

However, even with an attentive driver, we must make further efforts for the system to be
safe. We repeat, **driver alertness is necessary, but not sufficient, for openpilot to be
used safely** and openpilot is provided with no warranty of fitness for any purpose.

openpilot is developed in good faith to be compliant with FMVSS requirements and to follow
industry standards of safety for Level 2 Driver Assistance Systems. In particular, we observe
ISO26262 guidelines, including those from [pertinent documents](https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13498a_812_573_alcsystemreport.pdf)
released by NHTSA. In addition, we impose strict coding guidelines (like [MISRA C : 2012](https://www.misra.org.uk/what-is-misra/))
on parts of openpilot that are safety relevant. We also perform software-in-the-loop,
hardware-in-the-loop and in-vehicle tests before each software release.

Following Hazard and Risk Analysis and FMEA, at a very high level, we have designed openpilot
ensuring two main safety requirements.

1. The driver must always be capable to immediately retake manual control of the vehicle,
   by stepping on either pedal or by pressing the cancel button.
2. The vehicle must not alter its trajectory too quickly for the driver to safely
   react. This means that while the system is engaged, the actuators are constrained
   to operate within reasonable limits.

For additional safety implementation details, refer to [panda safety model](https://github.com/commaai/panda#safety-model). For vehicle specific implementation of the safety concept, refer to [panda/board/safety/](https://github.com/commaai/panda/tree/master/board/safety).

**Extra note**: comma.ai strongly discourages the use of openpilot forks with safety code either missing or
  not fully meeting the above requirements.
Sphinx docs generation (#22697) * add sphinx * switch theme * Experiment: sphinx docs generation updated (#22708) * moved build to root gitignore, added .gitkeep * Improved makefile doc build process - Removed auto-generated docs from source control - Moved apidoc.sh into Makefile - Removed make.bat (can add back if Windows support desired) - Added sphinx viewcode and markdown extensions - Added feature to source /docs in build, so any .rst file in /docs will override the respective file during the build process - Added feature to copy all markdown/rst files from source into /build/ during build process so they can be easily referenced while writing docs (see examples in index.md) - Wrote basic starter index.md file TODO: Add new dependencies to Pipfile [dev-packages] * Revert accidental modification to Pipfile * fix command substitution * exclude xx * improve docs * dont include all docs in release build * Add dockerfile * update title * include normal readme * build container in CI * use buildkit * add login Co-authored-by: Chad Bailey <chadbailey904@gmail.com> old-commit-hash: b816b5b6442c21e63a09108c70986eeedb0372b2 4 years ago			`# Safety`
root directory non hidden files old-commit-hash: 012535a84e6b3bd486e1a1007978302f57b52a27 5 years ago
Add pre-commit hooks (#1629) old-commit-hash: ab83e48ec4f7c7ddaa742d9797b0d38646fdb268 5 years ago			`openpilot is an Adaptive Cruise Control (ACC) and Automated Lane Centering (ALC) system.`
root directory non hidden files old-commit-hash: 012535a84e6b3bd486e1a1007978302f57b52a27 5 years ago			`Like other ACC and ALC systems, openpilot is a failsafe passive system and it requires the`
			`driver to be alert and to pay attention at all times.`

			`In order to enforce driver alertness, openpilot includes a driver monitoring feature`
			`that alerts the driver when distracted.`

			`However, even with an attentive driver, we must make further efforts for the system to be`
			`safe. We repeat, **driver alertness is necessary, but not sufficient, for openpilot to be`
			`used safely** and openpilot is provided with no warranty of fitness for any purpose.`

			`openpilot is developed in good faith to be compliant with FMVSS requirements and to follow`
			`industry standards of safety for Level 2 Driver Assistance Systems. In particular, we observe`
			`ISO26262 guidelines, including those from [pertinent documents](https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13498a_812_573_alcsystemreport.pdf)`
Update MISRA link in SAFETY.md (#21933) Link is now a 404. Was only a blog post anyway: https://web.archive.org/web/20201028092101/https://www.misra.org.uk/MISRAHome/MISRAC2012/tabid/196/Default.aspx old-commit-hash: 4c69fc121b9b59b366b9a961d5340b99ccb88c00 4 years ago			`released by NHTSA. In addition, we impose strict coding guidelines (like [MISRA C : 2012](https://www.misra.org.uk/what-is-misra/))`
root directory non hidden files old-commit-hash: 012535a84e6b3bd486e1a1007978302f57b52a27 5 years ago			`on parts of openpilot that are safety relevant. We also perform software-in-the-loop,`
			`hardware-in-the-loop and in-vehicle tests before each software release.`

			`Following Hazard and Risk Analysis and FMEA, at a very high level, we have designed openpilot`
			`ensuring two main safety requirements.`

Add pre-commit hooks (#1629) old-commit-hash: ab83e48ec4f7c7ddaa742d9797b0d38646fdb268 5 years ago			`1. The driver must always be capable to immediately retake manual control of the vehicle,`
root directory non hidden files old-commit-hash: 012535a84e6b3bd486e1a1007978302f57b52a27 5 years ago			`by stepping on either pedal or by pressing the cancel button.`
			`2. The vehicle must not alter its trajectory too quickly for the driver to safely`
			`react. This means that while the system is engaged, the actuators are constrained`
			`to operate within reasonable limits.`

RE fixup (#21309) * Fixup doc urls/references - Fixup broken/changed links - Remove eon links and label as depreciated - Add link to panda safety model - Rename "testing closet" to "test lab" I'll admit the last one is a bit pedantic but I think it's a better understood term. My day job deals with things like this so I'm biased * Update CONTRIBUTING.md * Update CONTRIBUTING.md * Update CONTRIBUTING.md * Update README.md * Update CONTRIBUTING.md * Update README.md * Update README.md * Update README.md Co-authored-by: Adeeb Shihadeh <adeebshihadeh@gmail.com> old-commit-hash: 6e74afd7b227b944110b9d4df45554790b266682 4 years ago			`For additional safety implementation details, refer to [panda safety model](https://github.com/commaai/panda#safety-model). For vehicle specific implementation of the safety concept, refer to [panda/board/safety/](https://github.com/commaai/panda/tree/master/board/safety).`
root directory non hidden files old-commit-hash: 012535a84e6b3bd486e1a1007978302f57b52a27 5 years ago
			`Extra note: comma.ai strongly discourages the use of openpilot forks with safety code either missing or`
			`not fully meeting the above requirements.`