Here's the low-level controller for Comma AI's self-driving software. Lateral and longitudinal control, as well as actuator command are contained within.
Their low level control is done in Python, on top of Android, on a smartphone. No further comment, your honor.
No safety relevant code is written in Python. All the safety relevant code runs real-time on a STM32 micro (inside the Panda), it's written in C and it's placed at the interface between the car and the Eon. This code ensures the satisfaction of the 2 main safety principles that a Level 2 driver assistance system must have: 1- the driver needs to be able to easily disengage the system at any time; 2- the vehicle must not alter its trajectory too quickly for the driver to safely react. See https://github.com/commaai/openpilot/blob/devel/SAFETY.md
Among the processes that runs on the Eon, you can find algorithms for perception, planning and controls. Most of it is actually autogenerated code in C++ (see model predictive controls). Python code is used mainly as a wrapper and for non-computational expensive parts.
To use functional safety terminology, the Eon functionality is considered QM (Quality Management). This means that any failure in delivering the desired output at the right time is perceived as bad quality and has no safety implications. So, how often those algorithms deliver the wrong output because some parts are written in Python? How often because RT isn’t enforced? Negligible. Pretty much all the mistakes of a level 2 driver assistance system are due to the quality of the algorithms, the models, the policies etc… There is a long way to go before changing the coding language will be the lowest hanging fruit to improve the system. Until then, using the simplest and most agile coding language (given performance constraints) is probably the best way to maximize quality.
As someone who has had a bit to do with safety critical software in agricultural machinery, and I am sure to any one in any other regulated industry this sounds crazy. The regulation in many industries for software that can kill is onerous, python on Android for any safety related code in other industries would be the punch line of a joke.
To clarify (as a safety hobbyist) why this is a problem:
* consumer hardware does not normally fulfil automotive safety requirements. It could for instance go into thermal shutdown or into a degraded mode if the temperature is too high. Additionally, there is no HW redundancy, I assume that if any of the HW components of the smartphone fail, the system cannot continue to maintain its safety properties.
* Android is a consumer OS, designed for consumer workloads. A real-time, safety certified OS like INTEGRITY, ThreadX, Nucleus etc should be typically used for such workloads.
* The safety-relevant software running on top of the OS is developed with specific toolchains and using specific programming languages.
Some requirements [1] for a language used in safety-critical context are defined behaviour, explicit dependability support (e.g. design by contract), predictable timing, suitability for static verification, significant field use, strong typing (not necessarily static typing!), feasibility to restrict the language to a subset (e.g. MISRA, JSF, etc).
One of the most popular languages for such software is C, which is not safe and doesn't fulfil several of the above criteria. This is mitigated through tooling, processes, code generation, design validation & verification and so on.
[1]: Taken from Embedded Software Development for Safety-Critical Systems, Hobbs. Interestingly the author would personally choose D or Rust for safety-critical development with the condition of having enough confidence in the compilers.
> [...] to any one in any other regulated industry this sounds crazy.
This sounds crazy even to a person who makes living from running software on
commodity hardware (x86/x86_64). Android does not sound like a hard real-time OS. I've seen
it hang up in a fsckin' coffee machine! I don't want it at the center of two tons of
steel that move 100km per hour.
Ummm... If you look in the actual lib/ directory where the work happens, you will see a bunch of high-performance C written in and generated by Acado, which is a very efficient optimization framework. It does look like there is a bunch of python logic for managing that controller, but a significant amount of work seems to have gone into performance optimization.
I am curious how they prevent the Android GC from causing problematically long pauses, though.
Because it's not a statically typed language for the most part, which brings in an entire class of bugs of its own. It's also an extremely mutable language.
Great for scripts, but there is a reason why most large companies start bolting on types on whatever dynamic language they started with.
Most production languages that nominally do some static typing aren't statically very safe - certainly Java, Go, C/C++ are rife with runtime errors. After the required testing to eliminate those, it's not clear Python is significantly different.
Edit: also, Python does eagerly signal type errors, unlike say Javascript or C, so you don't get silently wrong answers. C is the default language in auto industry.
.
Yeah, this is a bit of whataboutism, certainly it would be nice if the state of the art in production languages was closer to the ideal of statically verified... Haskell and Rust are in the right direction, and would be clearly superior in this regard
I wasn't implying that static types solve everything, they just make things n+1 better and remove a class of bugs.
Statically typed languages are mature and you have no excuse not using them if your doing anything that approaching a need for reliability. Cars do, social cat pictures, not so much.
Lack of type safety and static analysis tools. You can't apply formal verification to it. I wouldn't sit in a car in which any safety critical component was driven by python. Hopefully you would also not be able to get it certified for road use. I happen to know people that work on these problems for German automotive companies. This wouldn't fly there. I truly hope that solid engineering wins out over these approaches. That being said I admire the audacity.
I think it's great that your code is open source. The other self driving cars are all based on secret code that the public is not allowed to inspect or audit. This is extremely worrying.
Having your code open source means that outsiders will notice flaws in it, try not to "push back" too much against them. Sometimes they will point out serious flaws that allow you to improve your code significantly, sometimes they will point out non-issues or simply be wrong about things. So instead you should embrace it and take the time to consider the feedback. The crowd is a valuable resource that you have, that closed source projects don't.
> But the software that enables the semi-autonomous driving is free to download. Hotz says this allows him to sidestep the regulatory issue, though it’s unclear whether NHTSA would agree. “We aren’t selling any products that control a car,” he says. “We are giving away free software, and software is speech.” (A spokesperson for NHTSA did not respond to a request for comment.)
Sounds like they're just using open source to avoid liability and side step regulators. I love open source, but I do not think it's being used for benevolent reasons here.
As much as I love Python, you need realtime processing for this kind of things. You can't have a slow language with gc pauses and no way to guaranty execution time for a given operation.
CPython spent actually need the GC. If you make sure you have no cycles, you can disable it, since the rest uses reference counting (which AFAIK is predictable).
It's not necessarily about speed of reaction, although that certainly plays a part.
Such software needs to react in real time though, if the task that's turning the steering wheel gets preempted in the middle of taking a curve on a cliff your self-driving car will become a self-flying car.
Such a system would be the equivalent of a driver that suddenly starts texting at all sorts of poorly chosen times.
In the 1980's the backup flight control software for landing the space shuttle ran on a HP-41 calculator, though they never had to use it AFAIK, with the multiple redundant onboard computers.
That's not what I found online: the devices running customized SW were apparently used as personal calculators by the crew and they would have also used them for manual calculation in case their flight computer had a problem.
They weren't connected to other shuttle computers, were they?
I found multiple stories/blogs with recollections like this one from Smithsonian including the use of calculators on early missions before laptops were used:
I remembered reading it in the newspapers at the time which would have probably make the reports generally pre internet (or pre newspapers on the internet) in the 1980's. Of course I could be remembering it wrong or it could have been a HP calculator ad.
It sounds to me like you don't understand how little performance you actually need for this kind of stuff. People have been writing effective autopilot software for decades using hardware that wasn't even particularly fast at the time and may as well be a pile of sand today. What exactly do you think that that code needs to do? I promise that Python on a new smartphone can do way more now than we could do 20 years ago on a Pentium in C or C++. You're lucky if any of your sensors emit at even 100Hz.
you can't do timing sensitive stuff without an RTOS, because resources could be preempted by the os or other applications.
it used to be that certain chipsets could do motor control by bitbanging the parallel port, but modern pcs/phones can no longer do this due to latency.
I think that's not a fair comparison - a digital control system needs much finer time slices to compete with human reaction time. A control system that worked off of webcam images at 4hz would be a jittery mess, or just very slow if using a Kalman filter.
Their low level control is done in Python, on top of Android, on a smartphone. No further comment, your honor.
https://github.com/commaai/openpilot/tree/devel/selfdrive/co...