#pragma once #include "safety_declarations.h" #include "can.h" // include the safety policies. #include "safety/safety_defaults.h" #include "safety/safety_honda.h" #include "safety/safety_toyota.h" #include "safety/safety_tesla.h" #include "safety/safety_gm.h" #include "safety/safety_ford.h" #include "safety/safety_hyundai.h" #include "safety/safety_chrysler.h" #include "safety/safety_rivian.h" #include "safety/safety_subaru.h" #include "safety/safety_subaru_preglobal.h" #include "safety/safety_mazda.h" #include "safety/safety_nissan.h" #include "safety/safety_volkswagen_mqb.h" #include "safety/safety_volkswagen_pq.h" #include "safety/safety_elm327.h" #include "safety/safety_body.h" // CAN-FD only safety modes #ifdef CANFD #include "safety/safety_hyundai_canfd.h" #endif uint32_t GET_BYTES(const CANPacket_t *msg, int start, int len) { uint32_t ret = 0U; for (int i = 0; i < len; i++) { const uint32_t shift = i * 8; ret |= (((uint32_t)msg->data[start + i]) << shift); } return ret; } const int MAX_WRONG_COUNTERS = 5; // This can be set by the safety hooks bool controls_allowed = false; bool relay_malfunction = false; bool gas_pressed = false; bool gas_pressed_prev = false; bool brake_pressed = false; bool brake_pressed_prev = false; bool regen_braking = false; bool regen_braking_prev = false; bool steering_disengage; bool steering_disengage_prev; bool cruise_engaged_prev = false; struct sample_t vehicle_speed; bool vehicle_moving = false; bool acc_main_on = false; // referred to as "ACC off" in ISO 15622:2018 int cruise_button_prev = 0; bool safety_rx_checks_invalid = false; // for safety modes with torque steering control int desired_torque_last = 0; // last desired steer torque int rt_torque_last = 0; // last desired torque for real time check int valid_steer_req_count = 0; // counter for steer request bit matching non-zero torque int invalid_steer_req_count = 0; // counter to allow multiple frames of mismatching torque request bit struct sample_t torque_meas; // last 6 motor torques produced by the eps struct sample_t torque_driver; // last 6 driver torques measured uint32_t ts_torque_check_last = 0; uint32_t ts_steer_req_mismatch_last = 0; // last timestamp steer req was mismatched with torque // state for controls_allowed timeout logic bool heartbeat_engaged = false; // openpilot enabled, passed in heartbeat USB command uint32_t heartbeat_engaged_mismatches = 0; // count of mismatches between heartbeat_engaged and controls_allowed // for safety modes with angle steering control uint32_t ts_angle_last = 0; int desired_angle_last = 0; struct sample_t angle_meas; // last 6 steer angles/curvatures int alternative_experience = 0; // time since safety mode has been changed uint32_t safety_mode_cnt = 0U; uint16_t current_safety_mode = SAFETY_SILENT; uint16_t current_safety_param = 0; static const safety_hooks *current_hooks = &nooutput_hooks; safety_config current_safety_config; static void generic_rx_checks(void); static void stock_ecu_check(bool stock_ecu_detected); static bool is_msg_valid(RxCheck addr_list[], int index) { bool valid = true; if (index != -1) { if (!addr_list[index].status.valid_checksum || !addr_list[index].status.valid_quality_flag || (addr_list[index].status.wrong_counters >= MAX_WRONG_COUNTERS)) { valid = false; controls_allowed = false; } } return valid; } static int get_addr_check_index(const CANPacket_t *to_push, RxCheck addr_list[], const int len) { int bus = GET_BUS(to_push); int addr = GET_ADDR(to_push); int length = GET_LEN(to_push); int index = -1; for (int i = 0; i < len; i++) { // if multiple msgs are allowed, determine which one is present on the bus if (!addr_list[i].status.msg_seen) { for (uint8_t j = 0U; (j < MAX_ADDR_CHECK_MSGS) && (addr_list[i].msg[j].addr != 0); j++) { if ((addr == addr_list[i].msg[j].addr) && (bus == addr_list[i].msg[j].bus) && (length == addr_list[i].msg[j].len)) { addr_list[i].status.index = j; addr_list[i].status.msg_seen = true; break; } } } if (addr_list[i].status.msg_seen) { int idx = addr_list[i].status.index; if ((addr == addr_list[i].msg[idx].addr) && (bus == addr_list[i].msg[idx].bus) && (length == addr_list[i].msg[idx].len)) { index = i; break; } } } return index; } static void update_addr_timestamp(RxCheck addr_list[], int index) { if (index != -1) { uint32_t ts = microsecond_timer_get(); addr_list[index].status.last_timestamp = ts; } } static void update_counter(RxCheck addr_list[], int index, uint8_t counter) { if (index != -1) { uint8_t expected_counter = (addr_list[index].status.last_counter + 1U) % (addr_list[index].msg[addr_list[index].status.index].max_counter + 1U); addr_list[index].status.wrong_counters += (expected_counter == counter) ? -1 : 1; addr_list[index].status.wrong_counters = CLAMP(addr_list[index].status.wrong_counters, 0, MAX_WRONG_COUNTERS); addr_list[index].status.last_counter = counter; } } static bool rx_msg_safety_check(const CANPacket_t *to_push, const safety_config *cfg, const safety_hooks *safety_hooks) { int index = get_addr_check_index(to_push, cfg->rx_checks, cfg->rx_checks_len); update_addr_timestamp(cfg->rx_checks, index); if (index != -1) { // checksum check if ((safety_hooks->get_checksum != NULL) && (safety_hooks->compute_checksum != NULL) && !cfg->rx_checks[index].msg[cfg->rx_checks[index].status.index].ignore_checksum) { uint32_t checksum = safety_hooks->get_checksum(to_push); uint32_t checksum_comp = safety_hooks->compute_checksum(to_push); cfg->rx_checks[index].status.valid_checksum = checksum_comp == checksum; } else { cfg->rx_checks[index].status.valid_checksum = cfg->rx_checks[index].msg[cfg->rx_checks[index].status.index].ignore_checksum; } // counter check if ((safety_hooks->get_counter != NULL) && (cfg->rx_checks[index].msg[cfg->rx_checks[index].status.index].max_counter > 0U)) { uint8_t counter = safety_hooks->get_counter(to_push); update_counter(cfg->rx_checks, index, counter); } else { cfg->rx_checks[index].status.wrong_counters = cfg->rx_checks[index].msg[cfg->rx_checks[index].status.index].ignore_counter ? 0 : MAX_WRONG_COUNTERS; } // quality flag check if ((safety_hooks->get_quality_flag_valid != NULL) && cfg->rx_checks[index].msg[cfg->rx_checks[index].status.index].quality_flag) { cfg->rx_checks[index].status.valid_quality_flag = safety_hooks->get_quality_flag_valid(to_push); } else { cfg->rx_checks[index].status.valid_quality_flag = true; } } return is_msg_valid(cfg->rx_checks, index); } bool safety_rx_hook(const CANPacket_t *to_push) { bool controls_allowed_prev = controls_allowed; bool valid = rx_msg_safety_check(to_push, ¤t_safety_config, current_hooks); bool whitelisted = get_addr_check_index(to_push, current_safety_config.rx_checks, current_safety_config.rx_checks_len) != -1; if (valid && whitelisted) { current_hooks->rx(to_push); } // Handles gas, brake, and regen paddle generic_rx_checks(); // the relay malfunction hook runs on all incoming rx messages. // check all applicable tx msgs for liveness on sending bus. // used to detect a relay malfunction or control messages from disabled ECUs like the radar const int bus = GET_BUS(to_push); const int addr = GET_ADDR(to_push); for (int i = 0; i < current_safety_config.tx_msgs_len; i++) { const CanMsg *m = ¤t_safety_config.tx_msgs[i]; if (m->check_relay) { stock_ecu_check((m->addr == addr) && (m->bus == bus)); } } // reset mismatches on rising edge of controls_allowed to avoid rare race condition if (controls_allowed && !controls_allowed_prev) { heartbeat_engaged_mismatches = 0; } return valid; } static bool tx_msg_safety_check(const CANPacket_t *to_send, const CanMsg msg_list[], int len) { int addr = GET_ADDR(to_send); int bus = GET_BUS(to_send); int length = GET_LEN(to_send); bool whitelisted = false; for (int i = 0; i < len; i++) { if ((addr == msg_list[i].addr) && (bus == msg_list[i].bus) && (length == msg_list[i].len)) { whitelisted = true; break; } } return whitelisted; } bool safety_tx_hook(CANPacket_t *to_send) { bool whitelisted = tx_msg_safety_check(to_send, current_safety_config.tx_msgs, current_safety_config.tx_msgs_len); if ((current_safety_mode == SAFETY_ALLOUTPUT) || (current_safety_mode == SAFETY_ELM327)) { whitelisted = true; } bool safety_allowed = false; if (whitelisted) { safety_allowed = current_hooks->tx(to_send); } return !relay_malfunction && whitelisted && safety_allowed; } static int get_fwd_bus(int bus_num) { int destination_bus; if (bus_num == 0) { destination_bus = 2; } else if (bus_num == 2) { destination_bus = 0; } else { destination_bus = -1; } return destination_bus; } int safety_fwd_hook(int bus_num, int addr) { bool blocked = relay_malfunction || current_safety_config.disable_forwarding; // Block messages that are being checked for relay malfunctions. Safety modes can opt out of this // in the case of selective AEB forwarding const int destination_bus = get_fwd_bus(bus_num); if (!blocked) { for (int i = 0; i < current_safety_config.tx_msgs_len; i++) { const CanMsg *m = ¤t_safety_config.tx_msgs[i]; if (m->check_relay && !m->disable_static_blocking && (m->addr == addr) && (m->bus == destination_bus)) { blocked = true; break; } } } if (!blocked && (current_hooks->fwd != NULL)) { blocked = current_hooks->fwd(bus_num, addr); } return blocked ? -1 : destination_bus; } bool get_longitudinal_allowed(void) { return controls_allowed && !gas_pressed_prev; } // Given a CRC-8 poly, generate a static lookup table to use with a fast CRC-8 // algorithm. Called at init time for safety modes using CRC-8. void gen_crc_lookup_table_8(uint8_t poly, uint8_t crc_lut[]) { for (uint16_t i = 0U; i <= 0xFFU; i++) { uint8_t crc = (uint8_t)i; for (int j = 0; j < 8; j++) { if ((crc & 0x80U) != 0U) { crc = (uint8_t)((crc << 1) ^ poly); } else { crc <<= 1; } } crc_lut[i] = crc; } } #ifdef CANFD void gen_crc_lookup_table_16(uint16_t poly, uint16_t crc_lut[]) { for (uint16_t i = 0; i < 256U; i++) { uint16_t crc = i << 8U; for (uint16_t j = 0; j < 8U; j++) { if ((crc & 0x8000U) != 0U) { crc = (uint16_t)((crc << 1) ^ poly); } else { crc <<= 1; } } crc_lut[i] = crc; } } #endif // 1Hz safety function called by main. Now just a check for lagging safety messages void safety_tick(const safety_config *cfg) { const uint8_t MAX_MISSED_MSGS = 10U; bool rx_checks_invalid = false; uint32_t ts = microsecond_timer_get(); if (cfg != NULL) { for (int i=0; i < cfg->rx_checks_len; i++) { uint32_t elapsed_time = get_ts_elapsed(ts, cfg->rx_checks[i].status.last_timestamp); // lag threshold is max of: 1s and MAX_MISSED_MSGS * expected timestep. // Quite conservative to not risk false triggers. // 2s of lag is worse case, since the function is called at 1Hz uint32_t timestep = 1e6 / cfg->rx_checks[i].msg[cfg->rx_checks[i].status.index].frequency; bool lagging = elapsed_time > MAX(timestep * MAX_MISSED_MSGS, 1e6); cfg->rx_checks[i].status.lagging = lagging; if (lagging) { controls_allowed = false; } if (lagging || !is_msg_valid(cfg->rx_checks, i)) { rx_checks_invalid = true; } } } safety_rx_checks_invalid = rx_checks_invalid; } static void relay_malfunction_set(void) { relay_malfunction = true; fault_occurred(FAULT_RELAY_MALFUNCTION); } static void generic_rx_checks(void) { // exit controls on rising edge of gas press if (gas_pressed && !gas_pressed_prev && !(alternative_experience & ALT_EXP_DISABLE_DISENGAGE_ON_GAS)) { controls_allowed = false; } gas_pressed_prev = gas_pressed; // exit controls on rising edge of brake press if (brake_pressed && (!brake_pressed_prev || vehicle_moving)) { controls_allowed = false; } brake_pressed_prev = brake_pressed; // exit controls on rising edge of regen paddle if (regen_braking && (!regen_braking_prev || vehicle_moving)) { controls_allowed = false; } regen_braking_prev = regen_braking; // exit controls on rising edge of steering override/disengage if (steering_disengage && !steering_disengage_prev) { controls_allowed = false; } steering_disengage_prev = steering_disengage; } static void stock_ecu_check(bool stock_ecu_detected) { // allow 1s of transition timeout after relay changes state before assessing malfunctioning const uint32_t RELAY_TRNS_TIMEOUT = 1U; // check if stock ECU is on bus broken by car harness if ((safety_mode_cnt > RELAY_TRNS_TIMEOUT) && stock_ecu_detected) { relay_malfunction_set(); } } static void relay_malfunction_reset(void) { relay_malfunction = false; fault_recovered(FAULT_RELAY_MALFUNCTION); } // resets values and min/max for sample_t struct static void reset_sample(struct sample_t *sample) { for (int i = 0; i < MAX_SAMPLE_VALS; i++) { sample->values[i] = 0; } update_sample(sample, 0); } int set_safety_hooks(uint16_t mode, uint16_t param) { const safety_hook_config safety_hook_registry[] = { {SAFETY_SILENT, &nooutput_hooks}, {SAFETY_HONDA_NIDEC, &honda_nidec_hooks}, {SAFETY_TOYOTA, &toyota_hooks}, {SAFETY_ELM327, &elm327_hooks}, {SAFETY_GM, &gm_hooks}, {SAFETY_HONDA_BOSCH, &honda_bosch_hooks}, {SAFETY_HYUNDAI, &hyundai_hooks}, {SAFETY_CHRYSLER, &chrysler_hooks}, {SAFETY_SUBARU, &subaru_hooks}, {SAFETY_VOLKSWAGEN_MQB, &volkswagen_mqb_hooks}, {SAFETY_NISSAN, &nissan_hooks}, {SAFETY_NOOUTPUT, &nooutput_hooks}, {SAFETY_HYUNDAI_LEGACY, &hyundai_legacy_hooks}, {SAFETY_MAZDA, &mazda_hooks}, {SAFETY_BODY, &body_hooks}, {SAFETY_FORD, &ford_hooks}, {SAFETY_RIVIAN, &rivian_hooks}, #ifdef CANFD {SAFETY_HYUNDAI_CANFD, &hyundai_canfd_hooks}, #endif #ifdef ALLOW_DEBUG {SAFETY_TESLA, &tesla_hooks}, {SAFETY_SUBARU_PREGLOBAL, &subaru_preglobal_hooks}, {SAFETY_VOLKSWAGEN_PQ, &volkswagen_pq_hooks}, {SAFETY_ALLOUTPUT, &alloutput_hooks}, #endif }; // reset state set by safety mode safety_mode_cnt = 0U; relay_malfunction = false; gas_pressed = false; gas_pressed_prev = false; brake_pressed = false; brake_pressed_prev = false; regen_braking = false; regen_braking_prev = false; steering_disengage = false; steering_disengage_prev = false; cruise_engaged_prev = false; vehicle_moving = false; acc_main_on = false; cruise_button_prev = 0; desired_torque_last = 0; rt_torque_last = 0; ts_angle_last = 0; desired_angle_last = 0; ts_torque_check_last = 0; ts_steer_req_mismatch_last = 0; valid_steer_req_count = 0; invalid_steer_req_count = 0; // reset samples reset_sample(&vehicle_speed); reset_sample(&torque_meas); reset_sample(&torque_driver); reset_sample(&angle_meas); controls_allowed = false; relay_malfunction_reset(); safety_rx_checks_invalid = false; current_safety_config.rx_checks = NULL; current_safety_config.rx_checks_len = 0; current_safety_config.tx_msgs = NULL; current_safety_config.tx_msgs_len = 0; current_safety_config.disable_forwarding = false; int set_status = -1; // not set int hook_config_count = sizeof(safety_hook_registry) / sizeof(safety_hook_config); for (int i = 0; i < hook_config_count; i++) { if (safety_hook_registry[i].id == mode) { current_hooks = safety_hook_registry[i].hooks; current_safety_mode = mode; current_safety_param = param; set_status = 0; // set } } if ((set_status == 0) && (current_hooks->init != NULL)) { safety_config cfg = current_hooks->init(param); current_safety_config.rx_checks = cfg.rx_checks; current_safety_config.rx_checks_len = cfg.rx_checks_len; current_safety_config.tx_msgs = cfg.tx_msgs; current_safety_config.tx_msgs_len = cfg.tx_msgs_len; current_safety_config.disable_forwarding = cfg.disable_forwarding; // reset all dynamic fields in addr struct for (int j = 0; j < current_safety_config.rx_checks_len; j++) { current_safety_config.rx_checks[j].status = (RxStatus){0}; } } return set_status; } // convert a trimmed integer to signed 32 bit int int to_signed(int d, int bits) { int d_signed = d; int max_value = (1 << MAX((bits - 1), 0)); if (d >= max_value) { d_signed = d - (1 << MAX(bits, 0)); } return d_signed; } // given a new sample, update the sample_t struct void update_sample(struct sample_t *sample, int sample_new) { for (int i = MAX_SAMPLE_VALS - 1; i > 0; i--) { sample->values[i] = sample->values[i-1]; } sample->values[0] = sample_new; // get the minimum and maximum measured samples sample->min = sample->values[0]; sample->max = sample->values[0]; for (int i = 1; i < MAX_SAMPLE_VALS; i++) { if (sample->values[i] < sample->min) { sample->min = sample->values[i]; } if (sample->values[i] > sample->max) { sample->max = sample->values[i]; } } } static bool max_limit_check(int val, const int MAX_VAL, const int MIN_VAL) { return (val > MAX_VAL) || (val < MIN_VAL); } // check that commanded torque value isn't too far from measured static bool dist_to_meas_check(int val, int val_last, struct sample_t *val_meas, const int MAX_RATE_UP, const int MAX_RATE_DOWN, const int MAX_ERROR) { // *** val rate limit check *** int highest_allowed_rl = MAX(val_last, 0) + MAX_RATE_UP; int lowest_allowed_rl = MIN(val_last, 0) - MAX_RATE_UP; // if we've exceeded the meas val, we must start moving toward 0 int highest_allowed = MIN(highest_allowed_rl, MAX(val_last - MAX_RATE_DOWN, MAX(val_meas->max, 0) + MAX_ERROR)); int lowest_allowed = MAX(lowest_allowed_rl, MIN(val_last + MAX_RATE_DOWN, MIN(val_meas->min, 0) - MAX_ERROR)); // check for violation return max_limit_check(val, highest_allowed, lowest_allowed); } // check that commanded value isn't fighting against driver static bool driver_limit_check(int val, int val_last, const struct sample_t *val_driver, const int MAX_VAL, const int MAX_RATE_UP, const int MAX_RATE_DOWN, const int MAX_ALLOWANCE, const int DRIVER_FACTOR) { // torque delta/rate limits int highest_allowed_rl = MAX(val_last, 0) + MAX_RATE_UP; int lowest_allowed_rl = MIN(val_last, 0) - MAX_RATE_UP; // driver int driver_max_limit = MAX_VAL + (MAX_ALLOWANCE + val_driver->max) * DRIVER_FACTOR; int driver_min_limit = -MAX_VAL + (-MAX_ALLOWANCE + val_driver->min) * DRIVER_FACTOR; // if we've exceeded the applied torque, we must start moving toward 0 int highest_allowed = MIN(highest_allowed_rl, MAX(val_last - MAX_RATE_DOWN, MAX(driver_max_limit, 0))); int lowest_allowed = MAX(lowest_allowed_rl, MIN(val_last + MAX_RATE_DOWN, MIN(driver_min_limit, 0))); // check for violation return max_limit_check(val, highest_allowed, lowest_allowed); } // real time check, mainly used for steer torque rate limiter static bool rt_rate_limit_check(int val, int val_last, const int MAX_RT_DELTA) { // *** torque real time rate limit check *** int highest_val = MAX(val_last, 0) + MAX_RT_DELTA; int lowest_val = MIN(val_last, 0) - MAX_RT_DELTA; // check for violation return max_limit_check(val, highest_val, lowest_val); } // interp function that holds extreme values static float interpolate(struct lookup_t xy, float x) { int size = sizeof(xy.x) / sizeof(xy.x[0]); float ret = xy.y[size - 1]; // default output is last point // x is lower than the first point in the x array. Return the first point if (x <= xy.x[0]) { ret = xy.y[0]; } else { // find the index such that (xy.x[i] <= x < xy.x[i+1]) and linearly interp for (int i=0; i < (size - 1); i++) { if (x < xy.x[i+1]) { float x0 = xy.x[i]; float y0 = xy.y[i]; float dx = xy.x[i+1] - x0; float dy = xy.y[i+1] - y0; // dx should not be zero as xy.x is supposed to be monotonic dx = MAX(dx, 0.0001); ret = (dy * (x - x0) / dx) + y0; break; } } } return ret; } int ROUND(float val) { return val + ((val > 0.0) ? 0.5 : -0.5); } // Safety checks for longitudinal actuation bool longitudinal_accel_checks(int desired_accel, const LongitudinalLimits limits) { bool accel_valid = get_longitudinal_allowed() && !max_limit_check(desired_accel, limits.max_accel, limits.min_accel); bool accel_inactive = desired_accel == limits.inactive_accel; return !(accel_valid || accel_inactive); } bool longitudinal_speed_checks(int desired_speed, const LongitudinalLimits limits) { return !get_longitudinal_allowed() && (desired_speed != limits.inactive_speed); } bool longitudinal_transmission_rpm_checks(int desired_transmission_rpm, const LongitudinalLimits limits) { bool transmission_rpm_valid = get_longitudinal_allowed() && !max_limit_check(desired_transmission_rpm, limits.max_transmission_rpm, limits.min_transmission_rpm); bool transmission_rpm_inactive = desired_transmission_rpm == limits.inactive_transmission_rpm; return !(transmission_rpm_valid || transmission_rpm_inactive); } bool longitudinal_gas_checks(int desired_gas, const LongitudinalLimits limits) { bool gas_valid = get_longitudinal_allowed() && !max_limit_check(desired_gas, limits.max_gas, limits.min_gas); bool gas_inactive = desired_gas == limits.inactive_gas; return !(gas_valid || gas_inactive); } bool longitudinal_brake_checks(int desired_brake, const LongitudinalLimits limits) { bool violation = false; violation |= !get_longitudinal_allowed() && (desired_brake != 0); violation |= desired_brake > limits.max_brake; return violation; } // Safety checks for torque-based steering commands bool steer_torque_cmd_checks(int desired_torque, int steer_req, const TorqueSteeringLimits limits) { bool violation = false; uint32_t ts = microsecond_timer_get(); if (controls_allowed) { // Some safety models support variable torque limit based on vehicle speed int max_torque = limits.max_torque; if (limits.dynamic_max_torque) { const float fudged_speed = (vehicle_speed.min / VEHICLE_SPEED_FACTOR) - 1.; max_torque = interpolate(limits.max_torque_lookup, fudged_speed) + 1; max_torque = CLAMP(max_torque, -limits.max_torque, limits.max_torque); } // *** global torque limit check *** violation |= max_limit_check(desired_torque, max_torque, -max_torque); // *** torque rate limit check *** if (limits.type == TorqueDriverLimited) { violation |= driver_limit_check(desired_torque, desired_torque_last, &torque_driver, max_torque, limits.max_rate_up, limits.max_rate_down, limits.driver_torque_allowance, limits.driver_torque_multiplier); } else { violation |= dist_to_meas_check(desired_torque, desired_torque_last, &torque_meas, limits.max_rate_up, limits.max_rate_down, limits.max_torque_error); } desired_torque_last = desired_torque; // *** torque real time rate limit check *** violation |= rt_rate_limit_check(desired_torque, rt_torque_last, limits.max_rt_delta); // every RT_INTERVAL set the new limits uint32_t ts_elapsed = get_ts_elapsed(ts, ts_torque_check_last); if (ts_elapsed > MAX_TORQUE_RT_INTERVAL) { rt_torque_last = desired_torque; ts_torque_check_last = ts; } } // no torque if controls is not allowed if (!controls_allowed && (desired_torque != 0)) { violation = true; } // certain safety modes set their steer request bit low for one or more frame at a // predefined max frequency to avoid steering faults in certain situations bool steer_req_mismatch = (steer_req == 0) && (desired_torque != 0); if (!limits.has_steer_req_tolerance) { if (steer_req_mismatch) { violation = true; } } else { if (steer_req_mismatch) { if (invalid_steer_req_count == 0) { // disallow torque cut if not enough recent matching steer_req messages if (valid_steer_req_count < limits.min_valid_request_frames) { violation = true; } // or we've cut torque too recently in time uint32_t ts_elapsed = get_ts_elapsed(ts, ts_steer_req_mismatch_last); if (ts_elapsed < limits.min_valid_request_rt_interval) { violation = true; } } else { // or we're cutting more frames consecutively than allowed if (invalid_steer_req_count >= limits.max_invalid_request_frames) { violation = true; } } valid_steer_req_count = 0; ts_steer_req_mismatch_last = ts; invalid_steer_req_count = MIN(invalid_steer_req_count + 1, limits.max_invalid_request_frames); } else { valid_steer_req_count = MIN(valid_steer_req_count + 1, limits.min_valid_request_frames); invalid_steer_req_count = 0; } } // reset to 0 if either controls is not allowed or there's a violation if (violation || !controls_allowed) { valid_steer_req_count = 0; invalid_steer_req_count = 0; desired_torque_last = 0; rt_torque_last = 0; ts_torque_check_last = ts; ts_steer_req_mismatch_last = ts; } return violation; } // Safety checks for angle-based steering commands bool steer_angle_cmd_checks(int desired_angle, bool steer_control_enabled, const AngleSteeringLimits limits) { bool violation = false; if (controls_allowed && steer_control_enabled) { // convert floating point angle rate limits to integers in the scale of the desired angle on CAN, // add 1 to not false trigger the violation. also fudge the speed by 1 m/s so rate limits are // always slightly above openpilot's in case we read an updated speed in between angle commands // TODO: this speed fudge can be much lower, look at data to determine the lowest reasonable offset const float fudged_speed = (vehicle_speed.min / VEHICLE_SPEED_FACTOR) - 1.; int delta_angle_up = (interpolate(limits.angle_rate_up_lookup, fudged_speed) * limits.angle_deg_to_can) + 1.; int delta_angle_down = (interpolate(limits.angle_rate_down_lookup, fudged_speed) * limits.angle_deg_to_can) + 1.; // allow down limits at zero since small floats from openpilot will be rounded to 0 // TODO: openpilot should be cognizant of this and not send small floats int highest_desired_angle = desired_angle_last + ((desired_angle_last > 0) ? delta_angle_up : delta_angle_down); int lowest_desired_angle = desired_angle_last - ((desired_angle_last >= 0) ? delta_angle_down : delta_angle_up); // check that commanded angle value isn't too far from measured, used to limit torque for some safety modes // ensure we start moving in direction of meas while respecting relaxed rate limits if error is exceeded if (limits.enforce_angle_error && ((vehicle_speed.values[0] / VEHICLE_SPEED_FACTOR) > limits.angle_error_min_speed)) { // flipped fudge to avoid false positives const float fudged_speed_error = (vehicle_speed.max / VEHICLE_SPEED_FACTOR) + 1.; const int delta_angle_up_relaxed = (interpolate(limits.angle_rate_up_lookup, fudged_speed_error) * limits.angle_deg_to_can) - 1.; const int delta_angle_down_relaxed = (interpolate(limits.angle_rate_down_lookup, fudged_speed_error) * limits.angle_deg_to_can) - 1.; // the minimum and maximum angle allowed based on the measured angle const int lowest_desired_angle_error = angle_meas.min - limits.max_angle_error - 1; const int highest_desired_angle_error = angle_meas.max + limits.max_angle_error + 1; // the MAX is to allow the desired angle to hit the edge of the bounds and not require going under it if (desired_angle_last > highest_desired_angle_error) { const int delta = (desired_angle_last >= 0) ? delta_angle_down_relaxed : delta_angle_up_relaxed; highest_desired_angle = MAX(desired_angle_last - delta, highest_desired_angle_error); } else if (desired_angle_last < lowest_desired_angle_error) { const int delta = (desired_angle_last <= 0) ? delta_angle_down_relaxed : delta_angle_up_relaxed; lowest_desired_angle = MIN(desired_angle_last + delta, lowest_desired_angle_error); } else { // already inside error boundary, don't allow commanding outside it highest_desired_angle = MIN(highest_desired_angle, highest_desired_angle_error); lowest_desired_angle = MAX(lowest_desired_angle, lowest_desired_angle_error); } // don't enforce above the max steer // TODO: this should always be done lowest_desired_angle = CLAMP(lowest_desired_angle, -limits.max_angle, limits.max_angle); highest_desired_angle = CLAMP(highest_desired_angle, -limits.max_angle, limits.max_angle); } // check not above ISO 11270 lateral accel assuming worst case road roll if (limits.angle_is_curvature) { // ISO 11270 static const float ISO_LATERAL_ACCEL = 3.0; // m/s^2 // Limit to average banked road since safety doesn't have the roll static const float EARTH_G = 9.81; static const float AVERAGE_ROAD_ROLL = 0.06; // ~3.4 degrees, 6% superelevation static const float MAX_LATERAL_ACCEL = ISO_LATERAL_ACCEL - (EARTH_G * AVERAGE_ROAD_ROLL); // ~2.4 m/s^2 // Allow small tolerance by using minimum speed and rounding curvature up const float speed_lower = MAX(vehicle_speed.min / VEHICLE_SPEED_FACTOR, 1.0); const float speed_upper = MAX(vehicle_speed.max / VEHICLE_SPEED_FACTOR, 1.0); const int max_curvature_upper = (MAX_LATERAL_ACCEL / (speed_lower * speed_lower) * limits.angle_deg_to_can) + 1.; const int max_curvature_lower = (MAX_LATERAL_ACCEL / (speed_upper * speed_upper) * limits.angle_deg_to_can) - 1.; // ensure that the curvature error doesn't try to enforce above this limit if (desired_angle_last > 0) { lowest_desired_angle = CLAMP(lowest_desired_angle, -max_curvature_lower, max_curvature_lower); highest_desired_angle = CLAMP(highest_desired_angle, -max_curvature_upper, max_curvature_upper); } else { lowest_desired_angle = CLAMP(lowest_desired_angle, -max_curvature_upper, max_curvature_upper); highest_desired_angle = CLAMP(highest_desired_angle, -max_curvature_lower, max_curvature_lower); } } // check for violation; violation |= max_limit_check(desired_angle, highest_desired_angle, lowest_desired_angle); } desired_angle_last = desired_angle; // Angle should either be 0 or same as current angle while not steering if (!steer_control_enabled) { const int max_inactive_angle = CLAMP(angle_meas.max, -limits.max_angle, limits.max_angle) + 1; const int min_inactive_angle = CLAMP(angle_meas.min, -limits.max_angle, limits.max_angle) - 1; violation |= (limits.inactive_angle_is_zero ? (desired_angle != 0) : max_limit_check(desired_angle, max_inactive_angle, min_inactive_angle)); } // No angle control allowed when controls are not allowed violation |= !controls_allowed && steer_control_enabled; return violation; } void pcm_cruise_check(bool cruise_engaged) { // Enter controls on rising edge of stock ACC, exit controls if stock ACC disengages if (!cruise_engaged) { controls_allowed = false; } if (cruise_engaged && !cruise_engaged_prev) { controls_allowed = true; } cruise_engaged_prev = cruise_engaged; }