Hello everybody. So for our next speakers we have Nicole and Philip. So Nicole is from
Electomatis and Philip from Bosch and they'll be talking about how open source projects
approach functional safety. Thank you.
Thanks and welcome. As the title says we're talking on how open source projects approach
functional safety. There are so many projects out there so we just took three examples which
will be the Xan Zafire and Linux part. So we do together so just to give you a short
intro on who we are. My name is Philip as introduced. I'm currently a product manager for embedded
open source inside Bosch. But the time where I'm speaking here I mainly do is the chair
of the technical steering committee within the ELISA project which works on enabling
safety and I'm also leading a work group there which basically puts the different pieces
of open source projects together. Then I'm currently also a member of the Linux Foundation
Europe advisory board which has been started last year and personally I'm open source
into the S since like 15-20 years or something where I'm using it mainly. And this gives
time for Nicole directly. Yeah so this works. So yeah I'm Nicole. Yeah I'm mainly a safety
person. I started off in production maintenance so not maintenance like a maintainer that
you might know but really like yeah something breaks and somebody has to fix it. I went
then to software development, been a software developer and tester mainly always with some
safety background in the automotive and the defense industry. And then changed to do more
safety sort of safety centric work. About five years ago we decided we can do things
better and founded ElectroMetres so that's where I'm currently at. Doing safety consulting
a little bit of what we heard before the license compliance stuff. I'm in and out of the open
chain project. I'm mainly involved with the ELISA projects in the system and the medical
group. I'm in the SPDX project in a safety working group. The safety manager of the
SEFA project and so on. So yeah if you want to know about open source and safety maybe
we should talk. Yeah if you talk to me and I won't recognize you again. I'm not arrogant
I just cannot remember your face so please just you know if you know me just tell me
hey we know each other. That's completely normal for me that I won't recognize you again.
So you can also text me so mainly each social media platform. I have the same handle Nick
Pablo so yeah please feel free to reach out. So starting with the real thing. So yeah we're
starting about functional safety so who is in the room familiar with the term functional
safety at all. Oh that looks good. So for those who aren't so we're not talking security
we're talking safety here so that part of the system that should not kill you in case
of an internal fault. So yeah it's mainly it's a do not harm thing that the system behaves
always in a safe way whatever happens whatever input you have whatever thing that breaks
that's a part of safety and the stuff that you need to ship with your product to really
prove that the system cannot kill you or most probably won't kill you let's put it like that.
So with functional safety the main things that you do expect are yeah that software behaves
as specified which implies already that you have a specification that it does not interfere
in any way with the system components you have and all around us events are addressed
somehow so that you even can avoid them or at least detect them and have some mitigation
efforts in there and yeah that you have sufficient evidence that's really proof this. Right and
I guess the next one is for me. So as in the title we talk about the three example projects
so we have one as the Linux representative while there's so much more we'll later see
this. We have a real time OS with Zepfire there are recently also others coming out which
claim to have safety certification and may all be open source but this is the one in
there and we have the last one which the Xen hypervisor has a virtualization solution and
they all run under the Linux foundation projects and to just get an idea on who's in there so
we have a large number of members within the Zepfire a few people in Xen actually and then
the middle size in Elisa and as you could see from my introduction I'm coming from Bosch
so we're doing a lot of automotive work also and with this respect I just wanted to show
how different members are because if you think about like medical devices, automotive, railway,
industrial parts that's where really safety standards come into picture and if you look
into Zepfire it's not really our mobility or ever space member in there it's mainly hardware
driven and so we have microcontroller companies, sensor manufacturers and so which really have
this visibility in there while for the Xen projects you have some mobility suppliers
but it's originated from the server process there's no real car manufacturer in there and
what I had here in my also to mention is that they have a bunch of other members in there
but we're just not supporting the project as a finance while if you look into the Elisa
project there are mobility aerospace system providers in there so from OEM to one supplier
base and so we will now go through the different projects one by one just say where they are
and how they have common parts on safety and how they differ so the next slide goes already
again wants to because she comes from Zepfire. Yeah so I'm not sure how many people in the
room already know about Zepfire so Zepfire is let's say the coolest real time art class
that you can find out there it's open source it's permissively licensed you can bring it
down to a really resource safety as a safety size really even smaller than the Linux kernel
we're currently heading for safety certification we have yeah the safety working group that
now currently preparing and let's say enhancing what's there in the project so that anybody
can take the project artifacts to go through their own certification or qualification or
at least has a look into it to say hey that really brings everything that I need for my
application at the moment yeah the safety awareness honestly in the community is limited
there's a high awareness but quality but yeah safety sometimes really is the hot potato
nobody wants to touch but yeah we have this working group and we're working on it and
we're getting more and more support in the complete community. What's important still
yeah it's posicompatible so for all that that come here from the automotive domain and think
hey we need something it's you can use your posic stuff on that and the main part of Zepfire
is hardware agnostic so there's a very strict hardware abstraction layer so it's really
easily to port from one application or one platform to the other.
So yeah San is you.
And in contrast if you take San so we saw that it's a much smaller community but they
are really coming from a strong security background they were used to have virtualization to isolate
systems so in there from the beginning of the project they had a very strong quality mindset
which you can see that they have every commit tested they have two different CIP pipelines
for this testing they also have a strong rigorous quality process so that they really just have
full commit traceability so from the first commit to the end you can see everything
which happened which is organized there due to having it in official production also data
centered it shows you how much care you need to take because there's a lot of chance for
intrusion there yeah AMD silings are those which are mainly driving the San project they
are also the ones which work on the safety certification and that's also what they said
if you have an open source project you need to do this continuously right because traditional
things are often safety certified for one shot and then you have hard times to update things
so it's a challenge which many have to follow now and what they said in the first phase they
show that actually open source is certifiable that's what they have as the certification
concept approval and then they go for what for an assessment if you want to do the same
thing in Linux just imagine all the distributions out there the flavors how you build create
things life gets much more complicated this is really the open source superlative you
have so many contributors such a large code size and everything and then also very large
community much more flexibility how user use cases and also in this way I just took some
by searching the web some examples from all the companies which making their attempt and
how to do this either together with others or independent and it was having a first
activity with the social Linux and P project so it was roughly a range of 10 years back
already where they worked on it it stopped a little bit it transitioned into the Lisa
project which I'm representing and it recently get a new momentum due to what's called the
software defined vehicle where you have much more centralized high performance compute
cloud connectivity and so on and there is a we want to have more open source usage and
bring more things into the space but then the first question when they come to the Lisa
project they asked to me when will you have a safety certified linux which I can simply
use I was a well that's something which we are not able to provide directly because when
you are in an environment you need to make sure that your system is safe and we cannot
make sure that you do your engineering properly and we cannot also not guarantee that you
follow certain processes which are required we can just give you guidance how to use them
and the last thing is like oh will you just have one snapshot which is then safety certified
and for that this doesn't make sense because you know how many fixes are getting into a
product so there's most likely a vulnerability coming up things are connected you want to
enhance features so we need to go on a continuous path and that's something completely new also
for traditional safety part works and we always put the disclaimer in you cannot be relieved
from your responsibilities so it's like legal notice here but yeah we have different projects
which can provide fast forward and as we share same burdens on regulations that goes together
certification will be the key part of it at the end and this gets complicated because
certification is very expensive so it takes some authorities a lot of checks audits and so on
and how this is financed you can see with three different approaches so there's for Zephyr
their Platinum members which finance it they get the full access for Xanad's AMD Xilinx which is
the business in there they mainly spent the effort in the project and as for Linux there are
integrators so the strongest people in their involved is currently Red Hat and Coating they
are really trying to bring the things forward and you can also see this difference in there on how
open the people are so Nicole mentioned there is the workgroup on safety the safety workgroup
when Zephyr it opened last year so there has been always safety activities from the beginning
considered but to get a wider outreach this was opened also to the non-platinum members so that
there's new inputs new activities the requirements management is a good example which came out of it
and a little bit things keep behind the scenes because it's basically then a benefit also for
the Platinum member to get the commitment and to guarantee that there is financing in
Xan has the approach from AMD they are working on getting code MISRAC compliant which is some
special activity which often was asked by automotive and they also provide documentation
and their parts upstream so later on for Zephyr and for Xanad if you have the software at hand
this is a software which is running on safety systems but you don't know how to use it because
you miss maybe a manual or you miss certain test cases or you don't know how to really bring it
into picture in the ELISA project or so we really focus on the enablement we don't do a safety
certification and it will just enable others so we want to pre-helping pass why we do so
code complexity is one reason of it so if you see we have million lines of code in Linux
and small footprint in the artist in the hypervisor due to the nature of the software
and I don't I put it in here and said it can be easier so I don't say it is easier but due to
the small code size you have a much better chance in reaching these things faster but to get code
coverage testing and so on you need trainings which Nicole for example does a lot with in the past
and currently so maybe Shoddy can give a word on this yeah so yeah asking for what do the people
contributing to the safety element have enough skills it's a it's a frequent question and we have
different approaches in the different projects so in Zephyr we had a training just by a usual
training provider for who was interested some while ago there is the option to have another
training for that and we have two committees we have a safety committee and we have a safety
working group which are full with as a seasoned safety experts that can guide and train and
are just there and to to help people out with open questions the sand project had a little bit of
different approach they are very centric about their code quality and about complying with
coding standards so everybody who wants to contribute needs to know about Misra and they had
even a training by boxing to do so and yeah they have mainly one safety expert that really spreads
the word in Elisa we again have a different approach so for the complete community we have
open web in ours that you can yeah either dial in or watch them again on YouTube
there are the safety experts again in the working groups there are different working groups
so there is no direct training provided but you can have the webinars and you can
yeah just learn as you go from the experts in there right and then if you think well that's a
lot of things which I have to do I just go with the traditional approach I save some money I take
a normal artist but then I just took the Linux example you can read it from the left the right
or from the right to the left so you don't have hard real-time requirements you don't have safety
certification yeah these are some topics but you have a really rich ecosystem portability
features experts any kind of hardware support it's two tackle complex products this something
which you don't have with a certified artist because it's often proprietary and just for a very
limited set of devices so it depends on which point you are you need to tackle both sides you
need to see how does my system look like what do I want to achieve where is my complexity and how
do I want to solve the complexity for this we put together different working groups within Elisa
and created the largest system so it's also why we have this talk here where we really bring an
on a microcontroller micro processor base we're bringing different Linux flavors and all put
things together to showcase this is the reproducible system however you can make use of because
from our mission we say we would like to give you elements processes tools software documentation
which brings things forward and this especially means if you have safety critical systems you need
to get understanding about the systems so this is what you need call wants to take about yeah so
I think everybody here in the room will agree with me to say yeah to assess whether a system is
safe you first need to know about the system you need to understand the complete system to see if
a system or a subsystem in the system is safe enough so then you really need to understand
if this element or subsystem that you want to qualify for safety is in this context of your
complete system in a safe enough or capable enough to do what you want it to do really needs to
yeah choose which features are important for your safety to evaluate them to qualify them and
identify the gaps that you might want needs to fill yourself with your own application with your own
basic software with your own whatever so in safety there's this approach for that called safety
element out of context so I think the market approach is that you have a safe a generically
safety qualified or safety certified system software component whatever that you can integrate
into your system and it has been developed without knowing where it will go into so in fact it's not
a safety element out of context safety element was an assumed context so whatever you do for example
as a sefer or a son you assume what you will need for functional safety and you write this down
and you work according to that so typically these elements are then come with obligations they come
with a safety manual that you need to adhere to you prove that for your assumed context and
that the features that you identified as maybe safety critical for your user that they are developed
efficiently that they have requirements suitable implementation that there is test that there's
completeness that there's planning and that there are these obligations of use when you want to
integrate it to your final system and yeah sounds all very great but we still come over some
community challenges or some general challenges when we want to bring open source to the safety
world so we will we get a lot of pushback still from the safety world that yeah open source is not
behaving like commercial software and we can't do this as a death sentence yeah it's true in the
same in this open source project you have less influence on maintainers you can you're not the
boss you can't tell them do this what you can do is hey I need this and I'll I'll propose the change
to do this and I do it and we will do it together oh yeah it's not it's it's not a top down hierarchical
approach there it's harder to bring skills into the community you can just say hey these 20 developers
will get this training because they just don't care people tell us hey who so often who will be
liable for a certified suffer who will be liable for this who will be liable for that so this is
something that still needs more understanding out there because the community will never be liable
whatever CRA will say we need a development process that somehow is present in the document saying hey
I need to ship this with requirements there needs to be a system architecture there needs to be
auditable code whatever that is so really to map map what a safety integrity standard needs from a product
and how yeah I guess as we approach the last three to four minutes already yeah I just keep this one
short so what we do is we cannot do this alone and we really try to find communities areas where we
can collaborate so that's why the project really reaches out to all the different areas seeing what
are related activities to go through development and really share ideas and for the sapphire for
example can be something to learn from also for other communities yeah so then I also keep this
very short because so yeah we try what we are currently approaching is to apply something like
a v-model as a knowledge model not like as a process model to the sepah project to really have
requirements and traceability and everything that we need so there's a lot of stuff there and there's
a lot of stuff happening so we have already said we have two committees working on that there's this
safety committee consisting of the platinum members that really do the strategic decisions
about a final certification and there's a working group really creating the value for everybody
that you can have all the artifacts and all the information that you need for a safety qualification
this is a current snapshot of our requirements work we do requirements using stricter
stand from stricter is over there and for everybody who wants to know more about that we do have a
talk on sunday in the esbombe deaf room around lunchtime for that we also get asked what to do
if you want to contribute same thing as always just show up please when you show up and you have
ideas you have best practices please share them the communities are all open to that even when you
don't know much about safety just show up because everybody will just tell you hey listen and learn
and we do this together and when you're a safety person that wants to contribute or that wants to
bring open source to their products yeah just become an ambassador for open source and safety because
the quality usually is really high the functionality is very high there's a lot of stuff around that
can be used and where we have the value through collaboration and not just through yeah purchasing
license agreements and all that so we have many value here yeah final thing yeah there is no
certification date set so please don't come to us and ask we can we can collect money and bet on
that when we are ready we are very far in a lot of projects there won't be a certification for
elisa because elisa should help you to certify or to qualify and this yeah elfen and sefer we are
on it we are creating the stuff let's say soon and that's it and before you leave we have a little
bit swag left over there but not the hat this is from someone else