No OEM tests their ADAS for a billion miles before release. It's a level 2 system that requires human attention, not a 100% self driving level 5 system. Ford claims they'll release their new adas, Blue Cruise, when they reach 500,000 miles of testing. (doubt it was that much for their current co-pilot 360) Openpilot so far has 50 million miles.
I think safety has already been proven, and I don't think that's preventing widespread adoption at all. It's not like most people even know about this product. It's currently being purposely kept down-low in order to only attract a certain type of tech savvy person who is more likely contribute to the project in some way (pull requests, bug reports) or at a type of person who at least won't need heavy hand holding. A large mainstream consumer audience for a dev kit is too much for them to handle, and would just be a distraction.
There's openpilot code, and then there's panda code that runs on a separate real time micro chip. All the safety relavent code runs on the panda, and it's written in C following misra c guidelines. They also comply with iso 26262.
See more info about their safety model in the safety architecture section of this blog post.
"No ADAS system currently on the market has safety guarantees on perception or planning algorithms.
So, what must be guaranteed is the ability of the driver to easily regain full control of the vehicle at any time. In openpilot, this is done through the satisfaction of the 2 main safety principles that a Level 2 driver assistance system must have:
1. The driver must always be capable to immediately re-take manual control of the vehicle, by stepping on either pedal or by pressing the cancel button;
2.The vehicle must not alter its trajectory too quickly for the driver to safely react. This means that while the system is engaged, the actuators are constrained to operate within reasonable limits."
"We have done most of the ISO26262 analysis, we're hiring someone right now to get it written up nicely and open sourced. (those interested can find the job posting) It's one of our goals for openpilot 1.0"
They have a slightly more in depth explanation of their safety model in the "Background — safety architecture" section of this post.
This is the first place I've seen this acknowledged - and, bizarrely, I read most of the PRs and commits to the `safety` part of Panda, and didn't find a single reference to the checklist in that Medium post (and, only some of the requirements seem to be implemented in most cars). It feels really late to me to be doing this, and it seems like they could use a good docs person and some, well, leadership in the project.
One thing I noticed in general was that it seems like most Comma communication is side-channeled - most commits and PRs do not have much of anything in terms of description or documentation, and code review is really sparse, it feels like there's a back-room discussion happening rather than GitHub, presumably on Discord? This makes it almost impossible to understand the safety constraints and reasoning, or to audit changes to the system.
But, it also sounds like they could very well be on the right track for 1.0, provided they hire the right person and they're able to clean things up.
>and didn't find a single reference to the checklist in that Medium post
Yeah, I always thought safety.md in the panda repo was lacking and the points from the medium post should be included. Perhaps someone should make a PR. I doubt anyone who has worked on panda code hasn't seen that medium post though.
>(and, only some of the requirements seem to be implemented in most cars)
May or may not be what you're referring to, but the majority car brands, don't support openpilot's longitudinal control, and maintain the stock ACC system while openpilot just controls steering. That's why you may not see any acceleration/deceleration safety code. Some brands also have lkas torque severely limited by the the eps firmware, which should already be ASIL D rated. Honda for example will get around 5 degrees of max steering at highway speeds despite what openpilot says it wants, so there's no real need to add steering safety code to the panda.
I think you would mostly likely see code review on merged PRs done by the community. Like look up almost any PR by deanlee. Comma employees most likely do have most of their communications side-channeled though.
They plan on open sourcing their ISO26262 documentation when Openpilot 1.0 is released. They were hiring (or already did? don't know) someone to help them write it up for release.
The driving model runs on the modified android OS (NEOS), but the safety critical code runs separately real-time on a SIL2 STM32 microcontroler. Comma strives for ISO26262 compliance.
The next comma hardware will ditch android and phones though.
Tesla does not use 12 cameras for autopilot. It just uses radar and 1 or 2 of the front facing cameras depending on the version. Not really different from OpenPIlot.
I think safety has already been proven, and I don't think that's preventing widespread adoption at all. It's not like most people even know about this product. It's currently being purposely kept down-low in order to only attract a certain type of tech savvy person who is more likely contribute to the project in some way (pull requests, bug reports) or at a type of person who at least won't need heavy hand holding. A large mainstream consumer audience for a dev kit is too much for them to handle, and would just be a distraction.