Safety and open source, oh my?

Video in TIB AV-Portal: Safety and open source, oh my?

Formal Metadata

Title: Safety and open source, oh my?
License: CC Attribution 2.0 Belgium. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date: 2021
Language: English

Content Metadata

Abstract
At FOSDEM 2020 we introduced Eclipse iceoryx, a true zero-copy middleware for safety-critical applications like automated driving. At FOSDEM 2021 we will give an overview of what needs to be considered when writing safety software in the open, share our experience regarding the development workflow and present the progress of the Eclipse iceoryx certification. Developing software in the automotive industry can be tedious: old compilers, outdated toolchains, resource-constrained hardware. "Only use something which has been proven in use," most safety engineers would argue. Well, hardly anyone would object; no one wants to jeopardise people's lives when bringing a car on the road. The question we asked ourselves quite often in the last year: how can one combine the momentum and the freedom of an open source project while not compromising on quality and safety? Apex.AI has extensive knowledge of the design and implementation of safety-critical applications written in modern C++ and is focused on certifying the Robot Operating System (ROS 2) according to the international standard for functional safety, ISO 26262. We will present an overview of the typical automotive software development process and discuss the modifications to the development workflow that we created for Eclipse iceoryx. Furthermore, we will share the key architectural design decisions, give examples of safe vs. unsafe code and conclude with a brief insight into the lessons learned.
hi everyone, welcome to our talk. i will present the first part of the talk and Christian will present the second part, and we both work on an open source project called iceoryx.
ok, let's step back. as we had a plan to open source iceoryx, some colleagues said: what, you want to open source software? random people will contribute! yeah, and some even said it is often the city close to last and that done which is thought a challenge excited. first off i want to introduce you to the agenda and give a short introduction to the talk and motivate you with an example why formal processes can be beneficial, give you an overview of the typical automotive software development process, the goals that we had in mind when designing the workflow for iceoryx, then talk about the tools we are using and present you in detail the workflow, for example when it comes to community contributions. at the end we will continue with some lessons learned and a brief outlook. ok. and what drives us, what is important to us? well, we want to take things apart and we want to look inside a black box, then we can start building trust, and we want to build software that does not fail, so open source was just the perfect choice. recently i read this very interesting quote from a member of the Bosch board, where he talked about automotive software development and said the following: i don't think it's sensible that everyone works alone and still much and on answer is use more force. ok, we work at Apex.AI, and its main product is Apex.OS, a fork of the Robot Operating System (ROS 2) which is currently being certified, and you can think of it as to threaten to breslin was forced to christian. and iceoryx is developed as a true zero-copy middleware for safety-critical applications and is currently being integrated into Apex.OS, but can also be used stand-alone.
the main benefit of iceoryx is that the latency and run time are independent from the transmitted message size. if you want to learn more about iceoryx i can recommend you to watch our last year's talk where we introduced iceoryx. ok, so let's jump right into an example of why a formal process is beneficial. in this example we have a variable called myBool which is not being initialised, and depending on the value of the bool we print true or false. i give you some seconds to think about what the possible outputs could be. right, the answer: the compiler can say i initialise it with true, so the output could be true, or the other way round and the output will be false. but hey, this bool is in an undefined state, so the compiler can also say this is undefined behaviour, so it can print both true and false, but the compiler can also say it is undefined behaviour and optimise it away, and then there's no output at all. so all in all, undefined behaviour means anything can happen, and in order to prevent such mistakes from coming into the code base, formal processes can be very beneficial. ok, next up i want to introduce you to the V-model. this is the development model most likely used in the automotive industry, and Automotive SPICE is its interpretation of the V-model; it stands for automotive software process improvement and capability determination. starting on the top left, you typically start with the software requirements analysis, so for example what a user would do; in case of the middleware, for example, two executables should exchange data. then you break down these requirements into a software architectural design, and the different modules that come from this design you typically implement in code, for example C++, and additionally create software unit tests.
when you've finished your implementation you start with verification, but typically this goes hand in hand with the development. so first off, on the bottom, you verify the unit, the code you have written; this is called software unit verification, so what this means is code review, and also unit tests. then you take the small units you have created, integrate them and test them together against the software architectural design, and at the very end you come to a software qualification test that tests against the requirements; for example, in case of the middleware, you will test if two executables can now exchange data between them. ok. on the next slide i want to introduce you to ISO 26262, a functional safety standard for road cars. so what does it contain? first of all it contains a formal process like the one you've seen on the last slide. it also contains a formal definition for almost everything that might happen during the operation of a car, a definition of risk in relation to the possible hazards, risk assessment, and also a safety assessment. a term you will find very often when you go through the ISO standard is ASIL; it stands for automotive safety integrity level and comes with five different levels, QM being the lowest and ASIL D being the highest. QM stands for quality management, and an example item could be infotainment, whereas on the other side, ASIL D, an example is automated driving. ok, if we dig further into the ISO standard we can also see that safety is defined as the absence of unreasonable risk, and they use a formula to define risk as a function of frequency of occurrence,
controllability and severity. the frequency is split into two parts: on the one hand exposure, how often the current situation occurs was such as a cook, and on the other side the failure rate, the probability of the system to fail, which is not considered in the risk assessment that angels houston's. let me give you an example with a braking system. exposure: when you're driving with the car it is very likely that you will brake. let's jump to controllability: if the brakes start to fail it will be very difficult to control your car. and now regarding severity: if the brakes stop working, fatal injuries are very likely. ok, so now we had a look at the processes; now i want to talk about the goals that we had in mind when we created the workflow for iceoryx, considering of course the V-model and ISO 26262.
first of all we want to make development transparent to the community, we want to be helpful to newbies and in general just encourage knowledge sharing and make life easy for external contributors. we also had the idea to have as much as possible in the open, like any and all saw struggling regular call because in the open to planning, the discussions of russian should be transparent. on the other side we also want to shape the workflow after established guidelines, for example the ones used on short sale. ok, now on. how are you going to do it, what kind of tools will you use when implementing such a V-model? if you look at GitHub and the structure of a project, you get code, you will get some basic documents, first a README and most often also some design documents on how and why things are done, and that's a great start for sure. but you can always use more tools in order to improve the quality, and on the next slide i want to show you what kind of tools we are using for iceoryx, or what kind of tools we are actually planning to use. ok, i will walk you through the slide. on the top left corner you can see that we are planning to use a tool called john now for the requirements, and when it comes to the code we're not planning to use any additional tools, and when it comes to unit tests we are planning to use the tool called back to the cost is also so different and it's a commercial tool. there are some downsides to commercial tools because some people cannot buy these licenses or cannot afford them, so this is where we planned for the static analysis: we are planning just get on with have for felix you see two from green to scan to solve our into the open you know. continuous integration for example, and also to not make people buy a specific license when wanting to contribute. planning for integration tests for the uk to the e.u.
such as a tool called freedom. we also want to use the tools developed at Apex.AI as a performance test tool, and we also want to use tracing for iceoryx; it is called LTTng. but what is very important: the code base alone does not qualify for the usage in a safety system, so what you need in addition is the safety manual, and this manual guides you through the process; well, it talks about things like what you have to use and what component works with what. another thing to note is that not all of these artifacts will be publicly available, so for example the safety manual or extended will not be publicly available for commercial reasons. ok, we're done with the first part of the talk; now Christian will talk about the bottom of the V, the code and the unit tests, and talk about how to do things in practice.
i think is offering production articles look at it was a pause at our heads for saying we have to realise that tools alone are not enough, because every process, although it was and need to have safe code; static analysis tools catch most of the issues you can find in code, but not everything, and if every feature you implement also introduces tests, the same rule applies: some kind of bug could slip through, even if you tested it, and then you introduce a bug with a new feature. and now we had the idea to use some kind of coding paradigms to reduce these bugs even further. one of the paradigms, or rather the constructs, which we introduced in iceoryx are on the slide; the next thing we did was to implement some STL-like constructs like the vector, a list, expected, optional and so on, because in a safety-critical system you have to watch memory, for instance, because you have to guarantee the memory; that is the reason we do not want to use exceptions in our safety-critical system, and we do want to avoid undefined behaviour, because with undefined behaviour anything can happen; this is something nobody wants in safety-critical software. the next thing: we also enforce boundary checks. the STL has the paradigm you only pay for what you use; here for us we say it's safety first and then performance, therefore we enforce boundary checks to reduce the amount of errors even further. the next thing we also do is implement some kind of tests, a sense of test cricket cheese which fuel you want to function safety stunt. he claims he prepares for instance have to go even further to really catch walls of say she can sing cough and cold and but let's take a look at a code example.
say you want to implement a function that shows the travel distance on a heads-up display. the first thing you have to do is call receive position, which polls the position to try the option to you; this means that it is possible that no position was received, and to communicate this to the caller we decided to use optional. but the optional has a downside: you have to be very careful that current position contains a value, that you really received a position, before you can access it, and the question is what happens if no position was received. this line, for instance, where you call travel distance to start with: when you directly access current position but it does not contain any value, its memory has arbitrary content, and therefore you have put it into the distance function in an undefined state and you get undefined behaviour, and this is something we definitely want to avoid in a safety-critical system. and the question is how can you avoid this? we took the Rust paradigm, and in our C++14 implementation we added two additional methods called and_then and or_else. both are provided with a callable, which is called in the and_then case with the optional's content, and in the or_else case if the optional does not contain any value. in the and_then case you can then access the underlying value directly, so the call would look like this: again you call receive position and then directly call and_then; you are not required to verify, the callable gets the underlying position, so we can use it in the travel distance calculation, and in the other case, where the position receiver did not receive any position update, you just print "no position update received" and then we can do something hereafter.
in this hypothetical case the left side shows the discussed approach and the right side shows the classical approach, where you have to verify first that current position contains any kind of value, and then you can calculate the travel distance, or else print that no position update was received. but you always have the case that you can access current position by dereferencing and access the underlying value even if it has none, and this line will always run into undefined behaviour, and when you use the and_then path you avoid this. so now you may think contributing to such a safety-critical project might be a challenge because you don't know all the rules about has roots as part of the kids home dish, and yes, some rules or clothes and a kid's temple but also a eight kilometers majorities from pigs and some awful a posh they will get you when you create a pull request: the reviewer will pay attention that you do not use exceptions, that's all for all these rules. in the cottage with with those who poor person if you have to improve as you can nurture into the repository some all sometimes these are a bit more strict compared to a common open source project, because we are working on a safety-critical system.
the process looks like this: you would create a pull request and then you have to fill the pull request review checklist like you see on the right side. there you can verify that if you commit was a tree instance flows or was that all of the of the moves are right here, and you can verify them, and it is a template checklist which always has to be attached to every pull request. additionally, when a pull request is created, the static analysis tools run through and verify a conservative voters aug that's all that all these rules are the two full of the swells and dish. finally our continuous integration into problems every five that make was windmills the new console supported all claims that it has also running through that we try to find more weeks and soul, and we also treat every warning as an error, and therefore it's impossible for you to introduce errors as well. safety nets are in place and you can safely introduce new features. another rule is that for every new feature you introduce you have to also introduce some kind of tests. let's take a look at this: say for instance you have implemented the calculate function.
it's very simplistic; it takes two arguments, checks both, does something with them, and then you do something with the result and return it. the first thing you or anyone would go for is 100 percent line coverage; this you can achieve if you call calculate with two positive values, for instance two and two. but this is not enough for a safety-critical system; you also have to go for branch coverage, and it's possible, for instance if boolean operators are used, to not go through every statement, and therefore we have to test for this, for instance calling it with minus two and two, but it is equally concerning. so this is even not enough: we are going for MC/DC coverage, which means modified condition/decision coverage, and this means that every condition must be executed twice, with the true and the false case, and this means we have to call the function a functional most live a great as are also occur at the end. the sensor and the singles what we therefore we have to call it with two additional parameter constructs like this: you have to call it with two, minus two and two, two, and now you could say i have tested this function quite extensively, not for things fixed and stable, but it's talking. you see it that all told the process of our limited back in the year. but some kind of qualities it's possible that his producer will for instance but it's wall and then into his line and if statement quoted from result and then be and move the value of sooner or later and the return statement the device bussereau by we sought and this leads also cool. you are or not and five even bought through critical state, and we have to deal with this; to help our developers to deal with such situations you have some kind of guide, and i'd like to think always does kill as many protests have seen or want any color he says limits so your wall many. these fronts as interesting as you can teach us at u.c.l.
tests that can team up but it's empty, it contains one value, or it contains several. the core case for instance would be it but we call it with equal sea world this one should that be a dilution, but then to test the limits you have this case, and you add another part: what happens if a is a mix of a large number and the largest number possible as a floating point? then this again gets into the return statement, because if they're not just not possible and at something to it, and then a plus b will overflow and do what we know will hold rick here this week to and from be here. so here we showed you how, even with all the tools and ideas and processes we have in place, we can still introduce some bugs, and notice everything here so shocking, but the key message is that open source is quite a good idea to go for in a safety-critical system: it reduces costs, because you have a lot of contributors who have a look at your product or your software, and they find bugs and contribute new features; this reduces your cost and increases quality. and also it shows some kind of transparency to the community, while the evening before you know their future cough what kind of sort of them to be one. additionally it's quite easy to all the fuel up as if he's ok, and yes there are challenges we have to face, but it's not so challenging that it's kind of infeasible to develop open source software, safe open source software, for cars. also the case is that some vendors are very supportive and offering their commercial tools for free to a growth size of the guys were exporter and what also lot and done.
testing case at all of the previous example: certification doesn't mean that it's safe, it's a necessary step we have to undertake, and we have something like unit testing and so on; these are the best practices in industry, but they are not enough. we need more: we need good code, robust code, we need some kind of portable productions, and you need some really good ideas how to test code, and the experience of experienced programmers, and when you contribute to the iceoryx project these experienced programmers guide you through the pull request. what is coming next: iceoryx is approaching the 1.0 release, and the only you quarter off quite often the twenty want, but the interviews and communication via new functions, a C++ possibly API, as you'll see an example of how short of pieces can make it or freeze more save this error prone this would build it was very going for additional be. the C API can be very interesting for everyone who wants to create, for instance, a binding; an author is trying to make Rust support, and issue a lead as rich as well constructed the more fun to pose as a communication; you can also run iceoryx instances on different computers and they are connected via Cyclone DDS. and in 2021 we want to go for the ISO 26262 certification, and trees and so that's that. are there any questions?
thanks so much to both of you, and Christian, for a very interesting talk. so we have now a question: are the STL constructs open source? and we try to address not been kind to hire unsure how the answers and the church overly so yes, they all are; currently they're in iceoryx, in the utils package. you can just credit and women and for example use it in your own project, and discuss the grisly i was in there under several constructions, and the plan is to backport everything C++17 offers and things to settle seventeen sequences twenty that once on integrated sort of implemented in C++14, so those are things like a variant type, a safe union for example, or, as Christian mentioned, the optional. another concept that we took, inspired by Rust, as far as error handling is concerned, is called the expected, and also there are lock-free constructs, so for example a multi-producer multi-consumer queue which is thread-safe and lock-free, and this is quite young and it's a when some cruel and hundred new look if you're interested. ok, i think that's clear. your examples in the slides are related to automotive applications; are there any people you know of working with your techniques outside of automotive? you should also and was happy for him to has reached usual so i still complex system young inspired by both trust someone comes to expect that also will easily and Haskell and thought of that and just called meantime, i'm so looking to make C++ mitterrand and improving C++, just trying to build software or constructs where one can hardly make mistakes; you can always avoid them on purpose, so also just write good and safe quality software. ok, excellent. the next question: do you use real-time scheduling in your system?
in his arms ones who we are supporting QNX, besides Linux, currently much worse so steadily from months to close to work in real time system but what we can really know.
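The optional pattern from Christian's part of the talk (poll a position, compute the travel distance inside and_then, fall back inside or_else instead of dereferencing an empty optional), as an added C++ example that is not iceoryx's own code: a reduced C++14-style Optional with and_then/or_else, with hypothetical names Position, receivePosition, travelDistance, hudDistance and hudDistanceClassic.

```cpp
// Added example, not iceoryx code: a reduced C++14-style optional with the
// and_then / or_else methods described in the talk, applied to the head-up
// display travel-distance scenario. All names below are hypothetical.
#include <cmath>
#include <new>
#include <type_traits>
#include <utility>

template <typename T>
class Optional {
  public:
    Optional() noexcept = default;  // empty: the storage bytes are NOT initialised
    explicit Optional(const T& v) : m_hasValue(true) { new (&m_storage) T(v); }
    Optional(Optional&& o) noexcept : m_hasValue(o.m_hasValue) {
        if (m_hasValue) { new (&m_storage) T(std::move(o.get())); o.reset(); }
    }
    Optional(const Optional&) = delete;
    Optional& operator=(const Optional&) = delete;
    ~Optional() { reset(); }

    bool has_value() const noexcept { return m_hasValue; }
    void reset() noexcept { if (m_hasValue) { get().~T(); m_hasValue = false; } }

    // Classic accessor (the dereference on the right-hand slide): on an empty
    // Optional it hands out the arbitrary bytes in m_storage, undefined behaviour.
    T& value() noexcept { return get(); }

    // and_then: the callable runs only when a value is present and receives it.
    template <typename F> Optional& and_then(F&& f) { if (m_hasValue) { f(get()); } return *this; }
    // or_else: the callable runs only when no value is present.
    template <typename F> Optional& or_else(F&& f) { if (!m_hasValue) { f(); } return *this; }

  private:
    T& get() noexcept { return *reinterpret_cast<T*>(&m_storage); }
    typename std::aligned_storage<sizeof(T), alignof(T)>::type m_storage;
    bool m_hasValue{false};
};

struct Position { double x; double y; };

// Hypothetical receiver: an empty Optional models "no position update received".
Optional<Position> receivePosition(bool updateArrived, double x, double y) {
    if (!updateArrived) { return Optional<Position>(); }
    return Optional<Position>(Position{x, y});
}

double travelDistance(const Position& from, const Position& to) {
    const double dx = to.x - from.x;
    const double dy = to.y - from.y;
    return std::sqrt(dx * dx + dy * dy);
}

// One HUD update. Returns the distance driven since 'last', or -1.0 when no
// update arrived. The empty case lives in or_else, so the value is only ever
// read when it exists; there is no path that dereferences an empty Optional.
double hudDistance(const Position& last, Optional<Position>& current) {
    double result = -1.0;
    current.and_then([&](Position& p) { result = travelDistance(last, p); })
           .or_else([&]() { result = -1.0; });  // "no position update received"
    return result;
}

// Classic variant from the right-hand slide. The check is there, but nothing
// stops a later edit from moving value() outside the if-branch, which would
// read uninitialised storage whenever no update arrived.
double hudDistanceClassic(const Position& last, Optional<Position>& current) {
    if (current.has_value()) { return travelDistance(last, current.value()); }
    return -1.0;
}

// One full update cycle starting from the origin, in either style.
double demoDistance(bool updateArrived, double x, double y, bool classic) {
    Optional<Position> current = receivePosition(updateArrived, x, y);
    const Position origin{0.0, 0.0};
    return classic ? hudDistanceClassic(origin, current) : hudDistance(origin, current);
}

int main() {
    const bool ok = demoDistance(true, 3.0, 4.0, false) == 5.0 &&
                    demoDistance(false, 0.0, 0.0, false) == -1.0;
    return ok ? 0 : 1;
}
```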