Safety support for ETL

[rolandreichweinbmw]

Hi! Together with the colleagues of the OpenBSW project (https://github.com/eclipse-openbsw/openbsw) where ETL will be replacing the ESTD library, I'm planning to qualify ETL for ISO26262 safety with regard to development process. Would you be interested to do this in mainline ETL?

Another option would be to do this in a separately maintained fork inside the OpenBSW project but I would prefer to do it in mainline ETL, qualifying the different parts one after another.

What do you think?

[jwellbelove]

That sounds very interesting.
How would that affect the development of the ETL going forward?
Would there be a particular version of the ETL that would be qualified for ISO26262, and any changes after that being unqualified until the process was run again on the ETL codebase?

As you probably know, I had a plan to dual licence the ETL to bring in some income. To that end, I had held back some functionality to use in a dual licenced V21 ETL. (tuple.h, chrono.h (unfinished), function.h (to replace the current function.h - unfinished), plus a general refactor of the code base to remove deprecated features, make a few small breaking changes, and generally tidy up the 'cruft' that has built up over the last decade.

I've come to realise that I have a big issue with copyright, in that I would have to get a copyright release for everyone who has contributed since 2014, if I wanted to create a non-free licence variant.
I did have an idea that I could create and sell a MISRA qualified fork, but I think I would have the same licence issues.

So now I am probably just going integrate the V21 additions under the current MIT licence and hope some of the larger companies using the ETL would see funding the development of the ETL as a "good investment".

[rolandreichweinbmw]

Most probably, potential changes are mostly regarding the development process, not primarily certain releases of ETL (even though this might be an issue).

I'll include a safety specialist colleague in this discussion. Then we can answer those open questions better.

Regarding the non-safety related points you raised - I think we should open a separate discussion for this.

[rolandreichweinbmw]

I discussed this with colleagues, and the proposal from my side is as follows:

We aim for ISO26262 (function safety in road vehicles), ASIL D. This implies some requirements to the documentation and development artifacts that accompany the source code:

• Requirements
• Software architecture
• Detailed design
• Code coverage for tests
• Static Code Analysis (as mentioned in MISRA checks of ETL #1053)

Especially in ISO26262-6 "Product development at the software level", some things are required by being marked with double plus signs ("++"):

• Simulation of dynamic behavior of design: This might be a major effort because some effort needs to go into testing of design artifacts that are currently not part of current repo
• Scheduling analysis: need to define the relevance to ETL of this point
• Control flow analysis
• Data flow analysis

Further, we wondered if ETL should be defined as a so called "Safety Element out of Contect" ("SEooC") which is a separately qualified software library, besides safety qualification of projects using the ETL.

For practical reasons, we propose not to do this, but instead make ETL "safety prepared" instead of officially qualifying it. This way, we would provide everything mentioned above, but leaving safety qualification to the projects using the ETL. They will need their own safety qualification anyway.

We could start with an example interface, e.g. ipool.h and see if the approach can be extended to the rest of the ETL later, or a reasonable subset.

[rolandreichweinbmw]

As a reasonable subset of ETL to safety qualify, this is a first proposal:

algorithm.h
array.h
endianess.h
deque.h
functional.h
limits.h
singleton_base.h
span.h
static_assert.h
type_traits.h
unaligned_type.h
uncopyable.h
utility.h

Need to sort out further processes to do it.

Talking about ISO26262 qualification. Is it reasonable to concentrate on this one now or is there a requirement for other industries' standards?

[jwellbelove]

Maybe you should try asking this on Slack too.
I'm not sure how mnay people notice what goes on on the Github 'Discussion' page.
I could create a dedicated channel?

[rolandreichweinbmw]

Yes, if it's the preferred communication, let's do. And note it here when available.