WEBVTT

00:00.000 --> 00:13.800
Hello and good evening. It's 6 p.m., so this is the last talk in this room for today, and yeah,

00:13.800 --> 00:26.440
I think let's go on time.

00:26.440 --> 00:34.440
This one is on? Perfect. I can hear myself. Good. Thanks for coming. I see at least double

00:34.440 --> 00:40.400
the number than three years back, when I gave a talk about safety-critical Linux topics

00:40.400 --> 00:46.800
and so on. So thanks for coming. To give you a bit of background on who I am: I work for

00:46.800 --> 00:52.920
ETAS. ETAS is not known to too many; it's a subsidiary of Bosch. Bosch, most likely, everybody

00:52.920 --> 00:58.440
knows; we're mainly doing automotive solutions. I'm an open source community manager there,

00:58.440 --> 01:03.360
and I'm also responsible for automotive open source software processes, which means how do we

01:03.360 --> 01:10.400
get the different open source projects into an automotive development environment,

01:10.400 --> 01:17.200
which also leads a little bit into this topic. I am a long-time participant in the

01:17.280 --> 01:21.440
ELISA project, Enabling Linux in Safety Applications, which is basically also there to bring

01:21.440 --> 01:25.840
Linux into safety criticality. I'm the chair of the technical steering committee there. I'm

01:25.840 --> 01:31.840
a member of the board within Linux Foundation Europe, and I'm also, within the Eclipse SDV,

01:31.840 --> 01:36.880
a committer for the Safe Open Vehicle Core project, which we will also hear about one or two slides later.

01:36.880 --> 01:46.480
Does it? Like this? Okay. Good. I take it like this. And the last thing is that I'm

01:46.480 --> 01:51.840
a long-time open source and see the S10 promoter. I want to ask a first question, like what

01:51.840 --> 01:58.880
is functional safety? So for those who are here: who knows what functional safety is and

01:58.880 --> 02:05.280
also knows the difference between functional safety and cybersecurity? Good. There's a few who

02:05.360 --> 02:11.680
don't bring the background, so just briefly look into the definition of safety: that's the freedom

02:11.680 --> 02:18.640
from unacceptable risk of physical injury or of damage to the health of people, directly

02:18.640 --> 02:24.320
or indirectly because of damage to property or the environment. Basically, if you're hit by an autonomous

02:24.320 --> 02:30.240
car, then it's safety, or if someone steals the credit card information from your car, then it's

02:30.240 --> 02:37.040
a security thing. Then the definition of functional safety, compared to just safety: it's a part of

02:37.040 --> 02:42.320
the safety that depends on the system or some equipment. This can be a control unit or something else,

02:42.880 --> 02:50.160
and it's also checking that it's operating and responding properly to the inputs, and then it's

02:50.160 --> 03:00.080
like that you need to detect the dangerous conditions, either resulting in the activation of

03:00.160 --> 03:04.960
a protective or corrective device or mechanism, prevent hazardous events, provide mitigation measures,

03:06.240 --> 03:10.000
reduce the consequences of the hazardous events. It's not to get rid of everything, so you

03:10.000 --> 03:13.520
can't prove that this is error-free or that there's nothing, but you should limit the risk so that

03:13.520 --> 03:21.040
it's acceptable and comparable. So for software parts this means the software does behave as specified,

03:21.040 --> 03:26.320
does not interfere with or impair other system components, and all the events are addressed somehow or

03:26.320 --> 03:31.200
somewhere: if you detect an error you do a proper response or mitigation and so on, and then you

03:31.200 --> 03:38.960
need to bring a lot of evidence in there. Once more here: safe but not secure, secure but not safe.

03:39.760 --> 03:44.240
An emergency access, which is not the emergency exit, would be the place for safety.

03:45.120 --> 03:50.240
Putting a login in front of it makes it secure, but it breaks safety. On the left you see the escape

03:50.240 --> 03:55.760
ladder; that's the safety part of it. You see in the top row there's a door open. This can be a

03:55.760 --> 04:01.360
potential intrusion, then this breaks security. Just as differentiation, once more, making it clear.

04:02.400 --> 04:09.120
There are numerous standards out there. I'm mainly in this field here of the IEC 61508 and the

04:09.120 --> 04:16.000
ISO 26262; they have a little broader frame which is hardly detectable. At the end, basically,

04:16.000 --> 04:21.920
standards mean best practices. They mean they share similar demands, like requirements, documentation,

04:21.920 --> 04:27.280
testing; they define a certain rigor which you have, or which measures you have to take, and

04:28.400 --> 04:31.920
it also means that you need to know all the system parts, test them and manage them.

04:33.440 --> 04:39.680
Setting the scene now, really on the content. Well, in the Enabling Linux in Safety Applications project

04:39.680 --> 04:46.320
we mainly look into Linux; there are many more projects and operating systems, but we basically come from a very

04:46.880 --> 04:52.240
regulated environment. It's like safety by the book for operating systems. There is the

04:52.240 --> 04:57.920
experts' QNX, which you may remember from the BlackBerry handhelds and smartphones. It's still alive;

04:57.920 --> 05:03.600
QNX is now one of the major operating systems in cars, safety-critical and

05:03.600 --> 05:09.120
safety certified. Green Hills INTEGRITY is another one of these, so they are broadly used. They follow

05:09.120 --> 05:15.280
the traditional approach, but it's also hard for them to keep up with modern development and the speed

05:15.360 --> 05:22.000
which you have; they don't have a broad ecosystem, and then there's the difference to what we now look at.

05:22.000 --> 05:28.480
So with Linux, if you just type into your preferred search engine and look for safety

05:28.480 --> 05:34.960
Linux, safe Linux, Linux in safety, you will easily find all these kinds of different articles, and as you

05:34.960 --> 05:41.280
can see, the presentation is called Code Compliance Confusion, because there's so much marketing

05:41.280 --> 05:47.520
information and partially wrong parts in there, so that I saw it worth bringing this in, and it

05:47.520 --> 05:54.480
basically means whether it's safe X, safety X, X safety qualified, whatever it is, it does

05:54.480 --> 06:01.120
not really tell you what it is in the end. But Linux, for example, is super attractive to be used;

06:02.400 --> 06:08.320
many of us most likely have it already on their devices, using it; there's almost no way around it,

06:08.400 --> 06:15.120
but that's just some part of it. The broader ecosystem I tried to cover a little bit here,

06:15.120 --> 06:19.600
so you see in automotive there's a middleware stack between the application and

06:19.600 --> 06:24.160
the operating system, like AUTOSAR, there's iceoryx, there's the Eclipse Safe Open Vehicle

06:24.160 --> 06:29.280
Core; it's all these purple colored ones. We have broad initiatives which are building up more

06:29.280 --> 06:35.440
system ecosystem, like the SDV part. Compilers are there with the Safety-Critical

06:35.440 --> 06:41.120
Rust Consortium and the LLVM qualification group; there are frameworks like Trustable Software,

06:41.120 --> 06:47.120
and so basically we have this, and in the description of this talk I think I have most or a bunch

06:47.120 --> 06:51.280
of these links, and otherwise just search for the name. And what they have in common is

06:51.280 --> 06:57.360
that they all try to get a part of the safety certification or try to be safety certifiable,

06:58.080 --> 07:04.400
and this means, sorry for all these numbers if it's new for you, but that's what you typically

07:04.480 --> 07:11.760
will find: there's the IEC 61508 and the Route 3s, which means this is a path if you don't

07:11.760 --> 07:17.760
develop software directly but you have pre-existing software which you try to bring in to qualify.

07:17.760 --> 07:24.560
It tells you, super simplified, that you basically do with your pre-existing software the

07:24.560 --> 07:28.000
things which you would also do with your own software which you write, but you already have it, so you

07:28.000 --> 07:33.200
will check for requirements, create traceability, do the testing where testing is not so established;

07:33.280 --> 07:40.560
you have to do a lot of things. In the ISO 26262 there is, in part 8, there is clause 12,

07:41.120 --> 07:46.320
which is also for pre-existing software, and there's also where something already starts,

07:47.040 --> 07:54.720
because this is originally meant for, I would say, less complex components, libraries and so on,

07:54.720 --> 08:01.040
so if you want to apply this to a huge set of parts, this will be too complex to really follow

08:01.040 --> 08:05.680
the principles. There is a rework on this in the third edition with the ISO PAS 8926;

08:06.480 --> 08:10.240
you will hear this here and there; it gives a more formal approach to pre-existing software,

08:10.800 --> 08:17.600
and often, when you want to deliver something, you create a product, an element, which means

08:17.600 --> 08:23.760
it's some part of a whole system, and this is called a safety element, normally called safety element

08:23.760 --> 08:28.480
out of context; that's how the ISO describes it. We will later understand that there is nothing

08:28.560 --> 08:32.960
such as an out of context, because you always have at least the same context,

08:34.000 --> 08:38.640
and then of course you need to go for the safety element as part of your existing software,

08:38.640 --> 08:43.200
so you still have to do all the work which you would anyway do for software, like writing test cases,

08:43.200 --> 08:50.000
specifications, requirements and so on. I don't want to put more on this slide because I

08:50.000 --> 08:56.640
thought, like, nowadays AI is basically reading through all the things we prepare, and when I asked

08:56.640 --> 09:02.480
AI on some things upfront, based on the model there were quite strange answers, saying for example

09:02.480 --> 09:10.400
that VxWorks is a safety certified Linux, which is not the case, but it's just like if things

09:10.400 --> 09:15.280
are on the wrong page. So therefore, on another note, there are other routes to safety

09:15.280 --> 09:24.240
certification which are more like to be handled with care. There's one thing which is called decomposition,

09:24.240 --> 09:29.360
which basically means you have the safety part and some parts which are not safety, and you try to

09:29.360 --> 09:34.640
isolate the safety part and make an argument that you do not need all the safety work for the other

09:34.640 --> 09:39.600
parts which you're doing, because you have sufficient mechanisms, and this is actually common

09:39.600 --> 09:43.920
practice; it's not a bad thing, but it still remains that you have to do all the safety work,

09:43.920 --> 09:49.520
just at another part, and you need to have a really good argumentation why it's not interfering,

09:49.520 --> 09:54.560
like that the things which are non-safety-critical will really operate as they should.

09:56.400 --> 10:01.440
Yeah, and this is then also causing mixed criticality. What it means: it would basically mean you have

10:01.440 --> 10:06.800
your, if you would consider a car and you would bring in some gaming engine; I think on Tesla you can

10:06.800 --> 10:11.440
play games, also there are controllers for playing it. Imagine that would be the auto system running

10:11.440 --> 10:17.280
in parallel to the games console thing, and you use a game controller, and there would be any

10:17.280 --> 10:20.960
interference between the game controller and the car. You need to really make clear that this

10:20.960 --> 10:24.480
will never interfere and that you do not start controlling your car with the game controller

10:24.480 --> 10:28.560
when you have the same event; maybe a little bit made up, but it's like mixed criticality

10:28.560 --> 10:35.360
if it's in one system and environment. Very questionable already is, like, tool qualification. The

10:35.360 --> 10:40.640
tool can be a compiler, it can be a requirements tool, configuration management, documentation;

10:40.640 --> 10:44.640
GitHub would be a tool when you host your environment in there, and you need to say, like,

10:44.720 --> 10:50.720
this is safety critical, and for software as such, if you bring it into your device, it's a,

10:50.720 --> 10:55.600
you want to break an auto system, you wouldn't go for tool qualification, but there are

10:55.600 --> 11:00.400
actually libraries out there which claim to have these kinds of things, so they say we have the

11:00.400 --> 11:05.760
highest level of safety integrity with this according to tool qualification, while they're actually

11:05.760 --> 11:11.200
not tools but embedded software. And then the last one, where I'll give also an example on this:

11:12.080 --> 11:19.360
as in part 8 there's a clause 14, and in the ISO it's called proven in use, and many would say, well,

11:19.360 --> 11:25.520
Linux is proven in use, right? Because you will find Linux everywhere. Linux is on Mars,

11:26.800 --> 11:33.280
Linux is in cars, Linux is in small routers up to fancy devices, desktops, supercomputers;

11:33.360 --> 11:41.920
it's proven in use, right? And you would even see this, for example, in cars in China, so the

11:41.920 --> 11:48.240
Chinese cars build up on Linux to do driving systems, but still this does not mean it's proven in use.

11:48.240 --> 11:55.200
Proven in use actually means that you have proven this in the past and you take it over to the

11:55.200 --> 12:01.920
next generation of a product or something similar, and here, but where you can make use, because

12:02.000 --> 12:07.040
it's not proven in use, what you have in Linux is you have Arm, x86 architectures where you run it on,

12:07.040 --> 12:13.120
maybe RISC-V; we have 32-bit systems, 64-bit systems; you have completely different configurations,

12:13.120 --> 12:19.520
hardware devices. You can argue for diversity and say, well, here's not only one Linux, I bring in

12:19.520 --> 12:28.000
four Linux systems in parallel and then I run my safety workload on top and say it's very unlikely

12:28.000 --> 12:33.600
that all four Linux systems will crash at the same time, and whoever tried to reproduce an error,

12:33.600 --> 12:37.680
like in a product, it's almost, oh, I have this, and then you go to another desk and it's not;

12:37.680 --> 12:42.720
for many cases you simply cannot reproduce it directly, but you have to look for it day two, three,

12:42.720 --> 12:48.000
four, five until you find something, and two devices do not behave the same way. So this is more a

12:48.000 --> 12:53.360
diversity argumentation, and then you can say, okay, when something goes wrong with my three

12:53.440 --> 12:58.720
to four systems I will detect it, and then I have an argument for diversity. This is basically

12:58.720 --> 13:03.040
then also decomposition which you're doing, and say I can still make use of a standard

13:03.040 --> 13:10.240
Linux but the rest fits. Yeah, so therefore, whenever someone comes with a proven in use argumentation,

13:10.240 --> 13:16.480
if what is proven is not proven in safety before and it should be used for safety, don't

13:16.480 --> 13:21.520
accept that; this would be problematic. The other questionable part which I was mentioning is

13:22.160 --> 13:28.720
the tool qualification. I want to give the example of the Qt Safe Renderer, because some

13:28.720 --> 13:36.640
use case which we analyzed: if you have a car or an e-scooter or something like this,

13:38.000 --> 13:43.280
if you have it at home and you look into the car, or if you have a driving license, you know that

13:43.280 --> 13:48.320
there are these warning signs in there which tell you which gear you have, like a check engine,

13:48.320 --> 13:53.200
oil pressure, water pump, whatever. This is actually a warning indicator, and you need to make sure

13:53.200 --> 13:58.240
that this, whatever, is really coming, because it's safety critical at the end, right? If you're not

13:58.240 --> 14:02.560
knowing if you're in forward gear or in reverse gear, if you don't know when the oil pressure is

14:03.200 --> 14:08.000
going too high if it's not indicated. So therefore you need a check. Why I'm telling: what you typically

14:08.000 --> 14:15.200
do is you check whatever is there in the display, and this is done, for example, by hardware checkers,

14:15.840 --> 14:21.040
and you really read what's written out. The Qt Safe Renderer says: I do safe rendering, whatever

14:21.040 --> 14:26.080
you give in I process properly and it gets out, and then it's just written to the frame buffer,

14:26.880 --> 14:31.120
and from the frame buffer you don't know what's happening, because the frame buffer needs to get

14:31.120 --> 14:35.680
processed through the vision pipeline into the screen, and you need to see that the things are really on the

14:35.680 --> 14:41.280
screen. So they claim to do safe rendering up to ASIL D, and if you look into it you figure out

14:41.280 --> 14:47.040
they treated it as a tool rather than embedded software. And the good thing about it: it's not causing harm

14:47.040 --> 14:52.000
to anybody, because you would anyway take additional measures, because you secure your

14:52.960 --> 14:58.080
pipeline from frame buffer to the display, but you may pay for something you don't even

14:58.080 --> 15:02.720
need, and you get just something wrong, and this is like a marketing activity for automotive,

15:03.520 --> 15:08.080
but for railways, for example, it gives you safe rendering for signaling, and there such a library

15:08.160 --> 15:16.240
can make sense. But then it's not the tool qualification here for automotive also, but it's

15:16.240 --> 15:20.960
more a tool qualification for signaling displays, or maybe for medical devices this can also

15:20.960 --> 15:28.000
be helpful, so be aware of the use case. If we look, like, for concept system architectures,

15:28.000 --> 15:34.640
how Linux or an operating system is getting deployed, you need to choose the system where you want to go

15:34.640 --> 15:42.000
to. So if you look into modern architectures: this architecture was basically, on the left side,

15:42.000 --> 15:46.560
safety allocated to Linux. That means you really work hard and try to argue why everything is

15:46.560 --> 15:53.040
fulfilled from the Linux side; that's something out there in the automotive space. Another way, which is

15:53.040 --> 15:58.400
more widespread and existing since many years, is that you keep the Linux as a standard Linux, for example,

15:58.400 --> 16:04.880
and give more responsibility to a real-time OS; this can be, for example, it should be a 351, it

16:04.880 --> 16:10.640
could be also a bare-metal application, something like this. The one in the middle gives you more

16:10.640 --> 16:16.080
control; you can control things and you get more independence, but you need to invest in the

16:16.080 --> 16:20.800
additional part, right? You need to get a microcontroller, an intelligent one, you need to get the logic

16:20.800 --> 16:25.680
and the ASILs, while you can see on the left side, if you really bring the responsibility to Linux,

16:25.680 --> 16:31.280
you can save this part and maybe just end up with a very good external challenge-response watchdog, which

16:31.280 --> 16:36.560
is just making sure that your workload is properly executed and to detect when something hangs.

16:37.680 --> 16:42.160
Something we also see in the open quite often is that you put a hypervisor underneath; that's a

16:42.160 --> 16:47.360
third architecture, and there you give the safety focus and safety monitoring, all these kinds of things,

16:48.160 --> 16:53.760
into the hypervisor, and therefore you have more control; you can have access to caches, you can steer

16:53.840 --> 17:00.080
the caches, you can give control, like for memory parts, how to control the CPU, restart systems and so on.

17:00.080 --> 17:04.000
This makes it attractive, but of course you need to make sure that the hypervisor runs on all the

17:04.000 --> 17:08.400
different architectures, and it could be that you have the one, as you see, which runs Linux perfectly,

17:08.400 --> 17:14.640
but you get just limited support on hypervisors there, or the OS vendor that does not want to support

17:14.640 --> 17:19.120
your hypervisor; it could also happen. So this is, like, why I say choose your battle wisely. You need to see

17:19.120 --> 17:23.520
what's your application, what you're planning to do, what you want to achieve, where do you see

17:23.520 --> 17:29.600
the complexity is the lowest and best fitting to it. In any pattern of these solutions there's always a

17:29.600 --> 17:35.040
watchdog involved, I would say, because you need to make sure that when something fails you detect it;

17:35.040 --> 17:41.280
if a system part hangs, then you would go for any kind of watchdog, and this is not that you really

17:41.280 --> 17:47.600
want this or you expect that the watchdog is triggered; it's your ultimate safety net. So if you do a

17:47.600 --> 17:53.520
proper system design, the watchdog will never get triggered. This is then more a quality issue;

17:53.520 --> 17:59.200
imagine you have your mobile phones; in the past, ten years back, Android systems sometimes hung

17:59.200 --> 18:03.840
and then they would restart. Now what I see, you expect that the system runs for a month or two or

18:03.840 --> 18:09.280
whatever without any restart necessary, and this can be something where it's still stable, that

18:09.280 --> 18:14.160
there is no reset in the software anymore and that your system watchdog never gets triggered,

18:14.960 --> 18:20.560
and that's something you should see. So it's always an intended functionality, some kind of

18:20.560 --> 18:24.960
monitoring of this functionality, and then make sure that this monitor also operates properly,

18:25.520 --> 18:32.400
that, for example, if someone stops the CPU it's not causing harm. Yeah, whom more to trust

18:32.400 --> 18:39.280
then in the end for these kinds of architectures? And it means, like, even if you do decomposition,

18:39.360 --> 18:44.320
even if you're in an environment where Linux has less responsibility, it's like, can you say now, from

18:44.320 --> 18:50.720
this image, who is the best candidate whom you would trust to be on this rope and never go down into

18:50.720 --> 18:55.760
the safety net? While you can say it needs training, where you don't know if maybe the left person

18:55.760 --> 19:00.160
is the one, the same person as in the middle, or if it's just giving you anything, so that's why

19:01.200 --> 19:08.400
evidence, qualification, trainings, proven history on things are there, and therefore, for example, other

19:08.480 --> 19:12.880
artists on a rope give you much higher confidence that they will not fall down, and

19:12.880 --> 19:18.960
may not even require it because they have built-in elements also to protect them there, and this

19:18.960 --> 19:24.240
shows you, like, you need to really understand where the system is going and what you will

19:24.240 --> 19:31.680
do. Comparable also, like, for freedom from interference, I gave this picture because before, where

19:31.680 --> 19:36.480
things can violate each other, and if you go in an Arm architecture, there's the Arm Trusted Firmware,

19:37.440 --> 19:43.440
which is the security functionality; it basically makes sure it's handling certificates and so on,

19:43.440 --> 19:49.520
and you can use OP-TEE with trusted applications to store things, and it's assumed that the

19:49.520 --> 19:55.920
trusted application has an intrusion detection, and the trusted application sends the command to the

19:55.920 --> 20:03.920
Arm Trusted Firmware, which is below the CPUs, and tells this CPU to stop. Then for security reasons

20:04.000 --> 20:08.240
this is perfectly fine, but if you run in a mixed criticality environment with different use cases,

20:08.240 --> 20:14.000
this would stop then your whole environment and you would not even have scheduling, so your workload

20:14.000 --> 20:20.240
will not work anymore. But therefore it's like you need to see what's in there and you need to understand

20:21.280 --> 20:25.920
the thing and what it means to understand the system parts. I'm building a bit on this because

20:25.920 --> 20:30.080
it's good for the understanding: what is the probability that a car will fall on your head

20:30.560 --> 20:38.960
in this room? It's very unlikely, but maybe you're building a product for a different environment,

20:38.960 --> 20:46.080
right? And I guess here the risk is much higher, and that's also why these lifts for cars in

20:46.080 --> 20:52.080
workshops have certain certifications, checks, controls, and that it's not unrealistic that

20:52.080 --> 20:56.880
such a car can fall on you. You can just also search in the net; there are mentions where

20:56.960 --> 21:01.040
these lifts were not working properly, where the car was not secured and just somewhere

21:01.040 --> 21:05.920
rolling down, and somewhere people were seriously injured. So it really means, like, what is it about.

21:06.640 --> 21:16.880
And now finally to the code part. We have various approaches existing, and basically it means,

21:16.880 --> 21:21.280
for example, you enable safety afterwards; that's a lot of things which we touched, so you have

21:21.360 --> 21:27.040
approaches how you get forward, but you can also go for a more secure environment where you say

21:27.040 --> 21:32.240
you have a security footprint, critical industries projects; some projects start with certification

21:32.240 --> 21:37.520
in mind from the beginning. You may have more control about the environment; it's super hard to

21:37.520 --> 21:41.840
control it in experimental containers; if you tell them now we want to write,

21:41.840 --> 21:45.840
establish traceability to test cases and write down requirements, it will be a long path

21:45.840 --> 21:51.520
and hard to convince them, while it may be much easier for a small project which is already

21:51.520 --> 21:55.840
used in very secure environments and several parts, whereas the community is smaller,

21:55.840 --> 22:01.120
code sizes are smaller and other parts. Um, the last thing is where certification comes in before going

22:01.120 --> 22:08.000
open source, and that's the project which I want to mention here overall. So the first example I bring

22:08.000 --> 22:14.320
in is the Xen project from the Linux Foundation. They came with a good security background,

22:14.320 --> 22:20.000
a strong footprint over there, and it was already widely adopted. They have good traceability,

22:20.000 --> 22:26.160
multi-CI pipelines and so on, controlling this part, and the community brings the quality awareness,

22:26.160 --> 22:31.840
so this was possible for them to work and say, like, okay, we switch off dynamic memory

22:31.840 --> 22:38.640
allocation because this is something which can cause issues, or we follow MISRA guidelines, use

22:39.520 --> 22:44.240
static analysis and follow the rules there to try to improve our stack, and this is working

22:44.800 --> 22:52.880
there, so they have an easy way forward. Another one to be mentioned is Zephyr RTOS; there's also a

22:52.880 --> 22:58.640
safety certification part there, and it was also considered from the beginning that there is

22:58.640 --> 23:06.160
safety certification considered, but what we have is a wide use case range, and

23:07.360 --> 23:11.840
many of those using the RTOS don't require functional safety, so it's much harder to convince

23:11.840 --> 23:17.360
the community to follow all these kinds of practices, and therefore that's the challenge; it's

23:17.360 --> 23:22.960
really the heterogeneous community, non-safety-critical use cases, but still there have been MISRA

23:22.960 --> 23:29.280
checks started; we can start with certification of code subsets so that you are not influencing the whole

23:29.280 --> 23:35.920
environment; there is the traceability and requirements with StrictDoc, so Stan was bringing this in,

23:35.920 --> 23:42.960
and Nicole, you're also in the audience, so you're, yes, Stan's also, yeah, yeah, that's all right.

23:42.960 --> 23:49.520
So this is what we see, that there's actually acceptance on this, making progress here. You can see

23:49.520 --> 23:56.160
that the IEC 61508 Route 3s is a safety certification path primarily, which will not limit other

23:56.160 --> 24:01.760
use cases, but that's where the scope comes in. I don't know if I put it in here; for Xen it's also

24:01.760 --> 24:10.480
in this direction. And I have also, I don't know if you're also here, the one from Kernkonzept;

24:10.480 --> 24:17.440
this is a kind of single-vendor open source, and the thing is that they have ownership of the

24:17.440 --> 24:23.200
code; it's open source, and it's also, like, not only safety, it has a high degree, like a BSI

24:23.200 --> 24:30.880
certificate, certified for also cybersecurity parts, and they have full control, so it's easy

24:30.880 --> 24:35.760
to change processes, to establish the rules and to bring this forward, and they also have

24:35.760 --> 24:41.680
safety and security in mind, but it's much harder to create a community, because they may fear a certain

24:41.680 --> 24:49.040
lock-in, that it's not spread how to contribute and so on. Also it's more costly for a company

24:49.040 --> 24:53.760
if there's not a sponsorship of a foundation to bring this forward, so there's higher effort, and

24:53.760 --> 24:59.680
there, you know, I call it soft lock-in, which can happen because people may think I'm dependent

24:59.680 --> 25:04.560
on this company for this open source project, while if it's under a foundation I have more control.

25:04.560 --> 25:08.960
Like if we go for HashiCorp things, it's more the extreme case where they changed the license also,

25:10.080 --> 25:14.560
and then they moved to OpenTofu instead of Terraform, and so this is something which you can see.

25:15.120 --> 25:22.240
Yeah, this is just to note: still, this is another option which you can bring in as a hypervisor

25:22.240 --> 25:29.840
part. Then we had this "doing the hard thing before". There's ThreadX; as a contrary to

25:31.520 --> 25:38.880
Zephyr, it's under the Eclipse Foundation, and it was Azure RTOS before, so Microsoft donated this

25:38.960 --> 25:44.720
project. They have safety certified it, and they also plan to go forward with it so that it's continuously

25:44.720 --> 25:50.480
safety certified, but now suddenly the process which they had is not made for a community, so they

25:50.480 --> 25:55.360
didn't have an open source community in mind when they started, so they need to see how to handle

25:55.360 --> 26:00.480
contributions, how to actually finance future certification when this big company is not in there:

26:00.480 --> 26:07.200
are there enough members who will pay for it, the liability, because normally when you buy such a safety

26:07.280 --> 26:12.800
certified product you get also a set of liability, and in automotive the companies actually ask for

26:12.800 --> 26:18.160
unlimited liability, which basically can kill your company, and if you're not subscribing to it

26:18.160 --> 26:23.840
and say, okay, it's not, you don't sign, say that's okay for me, then you will not get the job,

26:23.840 --> 26:28.640
so therefore this is something to be answered: how will this work with an open source foundation?

26:28.640 --> 26:32.960
Because if an injury would happen and there is an incident, you don't want to kill the whole Eclipse

26:33.040 --> 26:36.400
Foundation just because of one crash, right? So this is something which you need to

26:36.400 --> 26:42.400
make up your mind about, and the measures they have taken: they come up with a certification organization,

26:42.400 --> 26:48.480
they have a commercial model behind and that's it and approach a little bit to bring the

26:48.480 --> 26:57.280
things together is done by the Eclipse Safe Open Vehicle Core project as an example so

26:57.520 --> 27:03.920
they came like with the automotive focus so it's mainly automotive members in there

27:03.920 --> 27:07.840
so they already come from background from the security and safety they have the knowledge about it

27:07.840 --> 27:13.280
and it's targeted for automotive so it's not that we have a why use case they also start from the

27:13.280 --> 27:19.280
beginning with the process so that you have certification in mind therefore the development process

27:19.280 --> 27:23.680
is more mature sometimes may contradict with some open source flavors but as they mainly

27:23.680 --> 27:29.280
expect automotive contribution this it's also not a big issue as it's under foundation they

27:29.280 --> 27:34.960
overcome this single vendor open source thingy a little bit so the Eclipse Foundation helped them

27:34.960 --> 27:41.520
to have a neutral governance and yeah regarding doing the hot thing before a lot of these components

27:41.520 --> 27:46.800
which are brought in are discussed and have been previously used in safety critical products

27:46.800 --> 27:51.600
however you really see that there is a big clash then of the world because suddenly you have

27:51.680 --> 27:56.800
contributions they come from automotive but they still miss the open source understanding like

27:56.800 --> 28:03.600
how to collaborate on pull requests how to do the reviews how to act and be excellent to each other

28:03.600 --> 28:11.600
how to not mix things internally and externally and that's more than the open source environment

28:11.600 --> 28:16.080
the open source licensing but still many who just bring open automotive professionals rather

28:16.080 --> 28:20.560
than open source professionals which you would find in a community and then also the last

28:20.560 --> 28:25.280
part is that they over don't want to take a certification there they just bring things to make

28:25.280 --> 28:30.560
a certification ready which basically means you forget all the artifacts all testing everything

28:30.560 --> 28:35.760
you would expect but not the certificate which we would need for a product this is then handed

28:35.760 --> 28:42.720
over to a distributor a distributor would be like normally SUSE, Red Hat, Canonical right they

28:42.720 --> 28:46.720
provide you with Linux distributions here it would be automotive companies which take this up

28:47.360 --> 28:52.960
and they then also take over the liability most likely with the reinsurance model or so because

28:52.960 --> 29:00.080
also they have hard times in doing unlimited liability and by this it's a little trying to overcome

29:00.080 --> 29:10.720
all these different challenges right and then as the repeating theme you really see that from

29:10.800 --> 29:18.080
all the solutions which we have it's not fully open everything because open or safety critical

29:18.080 --> 29:25.440
software is expensive it doesn't come for free and if it's completely for free it's hard and I make

29:25.440 --> 29:33.120
an exception because for Ferrocene, the Rust compiler, Florian always tells that he basically

29:33.120 --> 29:38.880
has everything open there while you hear from a bunch of people they also like this can easily break

29:38.960 --> 29:44.320
his business because everybody can just build on it if you see everything there and again

29:44.320 --> 29:49.600
a compiler falls on a tool qualification part it's also some different things you have to do there

29:50.160 --> 29:55.920
so but but that's just something to mention what you always have is source code available

29:56.800 --> 30:03.120
and this is actually already a change because for traditional safety critical environment

30:03.840 --> 30:12.640
you're not supposed to have anything at hand so if it's really proprietary you'd get

30:12.640 --> 30:17.920
binaries and a manual how to use these binaries so we have no control about finding bugs or issues

30:17.920 --> 30:24.800
and so on and even if you would have seen something you maybe have hard times to send this back

30:24.800 --> 30:30.080
and we see that the updates come in that this is an important thing we had in discussion with

30:30.160 --> 30:35.760
Linaro guy who is responsible also for scheduler in the Linux kernel part and he said he was called

30:35.760 --> 30:41.120
to proprietary development and should have a look at the scheduler because he was in a company

30:41.120 --> 30:47.040
and then had some of the interaction and said that it was it was not the safety certified compiler

30:47.040 --> 30:51.840
but it was more critical environment compiler for everything and he said he took 10 minutes to find

30:51.840 --> 30:58.000
the bug in the compiler which will cause something to fail which was just like a closed environment

30:58.080 --> 31:03.920
and I don't want to say that there is anything out there which is previously certified

31:03.920 --> 31:08.560
things but you cannot make sure that there is not such a bug which can come in there it's really

31:08.560 --> 31:15.680
hard to prove this especially because you certified this proprietary software once typically

31:15.680 --> 31:20.560
and the hardware evolves over time right imagine like how much performance a PC or phone

31:20.560 --> 31:24.800
had 10 years back what they can do now and imagine your software wouldn't have evolved over time

31:24.800 --> 31:29.520
on the memory management and so on he would have would be still bound to for a gigabyte of

31:29.520 --> 31:34.000
memory or something like this and this is basically the environment of a bunch of proprietary

31:34.000 --> 31:39.040
solutions because this certification is expensive you have to find the experts and so on but this

31:39.040 --> 31:43.040
makes it a really hard job to move on and that's why people would like to go over this open

31:43.040 --> 31:48.560
source because there is evolution and things going on then the second part is that you have

31:48.640 --> 31:55.120
really limited view on tests, requirements, traceability right you just get your manual and say

31:55.120 --> 32:00.320
in best case they tell you our tests have passed you may be also don't wonder need this because

32:00.320 --> 32:05.280
you say anyway have the liability of it but it also prevents you from getting a full understanding

32:05.280 --> 32:11.520
what's in there so therefore this is something which is in the proprietary world but you will

32:11.520 --> 32:17.920
also find this already in these project because I say we do so much effort on testing in the open

32:17.920 --> 32:24.160
and we have so much effort in making it safely soluble so we may give you not all the artifacts

32:24.160 --> 32:32.320
also for open source projects to just come into like a business case topic yeah and typically this

32:32.320 --> 32:35.760
is then also through membership fees if you look for Zephyr for example you become a

32:35.760 --> 32:40.240
premium member you pay money for it and then you get access to all the things and you can all

32:40.240 --> 32:47.280
steer an influence part and even if this cost money it's comparably cheap to what you would normally

32:47.280 --> 32:54.160
pay most likely for your commercial RTOS environment right and the other way to secure

32:54.160 --> 32:58.080
your business is to create a service around it so you bring in open source you say this is

32:58.080 --> 33:04.320
safely soluble and usable but you provide additional debugging and all of this diagnostic tooling

33:04.320 --> 33:08.800
and SDK and so on you do the maintenance the updates and this is something how you

33:09.440 --> 33:14.000
create the native on business and start to refinance also as a company because they need to be also

33:14.000 --> 33:19.680
an interest in the company within a distribute or also in taking this open source base to bring it

33:19.680 --> 33:24.880
forward and if you would consider to say like I go in a safety critical space with open source

33:24.880 --> 33:30.400
make up your mind before how you make money out of it and how you finance the activity and keep it

33:30.400 --> 33:38.880
going right what's also quite good to see I haven't touched this which can help is that you bring

33:38.880 --> 33:44.480
like a premium model that you provide all the things you need as an open source environment

33:44.480 --> 33:50.160
if you go or I would take Red Hat as an example Red Hat has a Red Hat In-Vehicle OS

33:50.160 --> 33:56.960
which is a proprietary solution based on an open source derivative but there's also the

33:56.960 --> 34:03.360
AutoSD which is a derivative then from CentOS and therefore you have then something to

34:03.440 --> 34:09.280
try out right everybody can try out AutoSD can build would be even able to re-certify things

34:09.280 --> 34:15.040
based on the AutoSD environment which is close to what RHIVOS does but of course you may

34:15.040 --> 34:20.560
pay then better a Red Hat for giving you the service and the liability similar like you would

34:20.560 --> 34:26.320
do in your normal desktop or enterprise environment why you would go maybe with Red Hat as a provider

34:26.320 --> 34:31.120
but if you say like okay I basically need the environment I trust in what Red Hat is doing

34:31.760 --> 34:36.240
I may go for AlmaLinux instead right which is also then the base here so the business which

34:36.240 --> 34:43.920
come in is liability certification add-on the SDK IDE customer support maintenance is a main part

34:45.200 --> 34:52.800
right why have I told all these kind of things on the concept methods is also that you find

34:52.800 --> 34:59.120
so much marketing is information out there so if you really go out and look for this

35:00.000 --> 35:04.800
um people will start really telling this is safety certified it's an ASIL whatever

35:05.840 --> 35:10.400
as soon as you see an ASIL D which is a highest safety level always be careful to look at it

35:10.400 --> 35:17.440
if it's like a very huge code base try to figure out where it is make logical checks in there and

35:17.440 --> 35:22.720
um do not directly trust in what they're trying to find the certificate see which part of

35:22.720 --> 35:30.320
standard the certificates are are four and also is there an assessment report for example

35:31.360 --> 35:36.480
like you will find Linux assessment reports for, I mentioned, Red Hat code thing is also out there

35:36.480 --> 35:44.560
and their assessment reports are downloadable from the Exida assessor right and that's basically

35:44.560 --> 35:51.520
what I said like wording does not tell you what it is and uh the industry and the safety standards

35:51.600 --> 35:57.040
are very very much regulated there's writing for everything the assessors know what to do this is

35:57.040 --> 36:02.640
very close but in the open what kind of comes to marketing nobody clearly defines the limits

36:04.720 --> 36:10.640
what to be used which words to be used and which not and then um yeah when you then go out

36:10.640 --> 36:14.880
and you find some news out there what they do or if you have a company or in charge with

36:14.880 --> 36:19.040
going there so like what is actually the contents where do you use the system

36:19.680 --> 36:25.840
uh is the sufficient what I want to achieve check where the safety is allocated so maybe they say

36:25.840 --> 36:31.840
whether I have a safe Linux but actually it's domain safety work is done by uh the hypervisor from

36:31.840 --> 36:37.280
the cancuncer people so they do the actual safety work and they make it sure and the or above

36:37.280 --> 36:41.280
it's just like a standard Linux this could be something all right so let's actually look

36:41.280 --> 36:45.920
looking to the part the assessment and see what else is there is their additional security certificates

36:46.000 --> 36:52.960
which can help you in having a good feeling on the quality they deploy and uh always check

36:52.960 --> 36:57.440
what's your safety net so don't go on the rope without having a sufficient confidence that you

36:57.440 --> 37:00.960
will survive when you fall down right it could be a narrow rope you may avoid it but if it's a

37:00.960 --> 37:08.880
high rope better look for these kind of things uh last word before I would conclude it's like

37:08.880 --> 37:13.920
my really personal view nothing about my employer or any environment not the projects are

37:14.000 --> 37:21.040
for me as like we had ten years back there was a lot of security by obscurity and we learned that

37:21.040 --> 37:28.080
security can be the best in class when it's open of course we find things we find bugs there we find

37:28.080 --> 37:33.680
vulnerabilities by we fix them and we have a chance to go forward and we are still currently in the

37:33.680 --> 37:39.120
phase where we define safety by obscurity not that we say that's the reason why it's safe but we

37:39.200 --> 37:50.080
prevent the view and you can make a very simple example you can say will my system be less safe

37:51.200 --> 37:58.960
when I get the visibility to the source code or will I have the possibility to make it safer because

37:58.960 --> 38:07.760
I have access to more information and the main reason why people put this behind is like they have

38:07.840 --> 38:14.320
IPs behind they have patterns they bring all this in they spend a whole lot of money and they

38:14.320 --> 38:19.040
have the concern that they will lose all their business and the money by not opening it and this

38:19.040 --> 38:26.080
is then put over the uh environment of the people right so basically that's where they open really

38:26.080 --> 38:33.680
benefits in and yeah for the community side and to finding this taking the Linaro guy who looks

38:33.760 --> 38:38.960
into the compiler part like where we have the crowd intelligence it's like there's a thing if you

38:38.960 --> 38:46.080
want to to go fast go alone if you want to go far go together and I guess by this I will conclude

38:46.160 --> 38:50.160
an open for questions

39:07.760 --> 39:12.320
anyone oh yeah this one in front

39:20.240 --> 39:30.080
right just to I don't know if it understood you correctly but proven in use would not be

39:30.080 --> 39:35.120
good enough if I say but it's Ubuntu, Debian and it's used by a lot of people right

39:35.920 --> 39:42.320
exactly so you can say for you personal private use whatever you would always say it's proven

39:42.320 --> 39:47.680
in use and that's why I'm choosing it but proven in use is basically there imagine you would go

39:47.680 --> 39:52.720
from one generation to next generation of a product and you don't want to do all this

39:52.720 --> 39:58.400
re-certification and testing and so you have an untouched software past library and you bring this

39:58.400 --> 40:04.160
to the next product then you can say this is proven in use until the assessor see I haven't modified it

40:04.160 --> 40:08.880
and here comes the catch I don't know if you have ever read about the Ariane 5 rocket

40:09.680 --> 40:14.000
which exploded during start it was not a safety failure at the end everything behaved

40:14.000 --> 40:18.640
properly but I think it's was an overrun or something from a timer volume which

40:18.640 --> 40:23.600
where it was showing then a speed of speed or something they couldn't explain it the safety

40:23.600 --> 40:29.760
maker isn't attached to it said okay something is completely wrong or so and then they do the

40:29.760 --> 40:34.560
emergency explosion of the rocket it was basically something like this so it was proven in use

40:34.560 --> 40:39.840
technology for an Ariane 4 but this Ariane rocket was having a different software environment

40:39.920 --> 40:44.400
component part I don't get the full audience to just check for Ariane 5 software issue

40:44.400 --> 40:48.080
and then you will find this and this is basically taking over existing software to a new

40:48.960 --> 40:54.160
generation believing its proven is as it shows your whole complex things also be very careful

40:54.160 --> 40:58.560
when you ever come to proven in use augmentation that your assumptions haven't changed that

40:58.560 --> 41:02.960
everything specification wise is really similar and that's why it doesn't work for a Debian

41:02.960 --> 41:10.160
you go into it so but is it debatable I mean if you look at some of the standards they're

41:10.160 --> 41:14.720
quite open for this intervention right yeah this this is also a great question because

41:14.720 --> 41:21.520
the standard doesn't tell you directly and we were talking here about safety integrity standards

41:21.520 --> 41:26.000
and there's a fundamental difference between safety integrity standards and safety standards

41:26.640 --> 41:34.640
safety standards for toys will for example tell you that your teddy bear or doll shouldn't

41:34.640 --> 41:42.240
inflame under fire like 30 minutes on a fire or so it gives you clear conditions what is allowed

41:42.240 --> 41:47.040
what is not allowed and what you have to prove and the safety integrity standard will tell you

41:48.640 --> 41:54.720
measures cyclomatic complexity and it will never tell you it should be 5, 10 or something

41:54.720 --> 41:58.800
actually it doesn't even tell you that you should measure cyclomatic complexity I at least

41:58.800 --> 42:04.800
notice safety standards I'm aware of but they they say like to branch coverage or other parts

42:04.800 --> 42:08.240
so this is something which they mentioned but they don't give you the rigor of it and then

42:08.240 --> 42:14.160
it's your part of arguing a why it is like this and when the assessor has the evidence and they

42:14.160 --> 42:20.560
will say okay I believe that all the processes which you're doing as properly and don't believe

42:20.640 --> 42:25.520
that the assessor also can understand everything because this would mean they need to have the

42:25.520 --> 42:29.920
process understanding the technology understanding and everything they cannot have a full system

42:29.920 --> 42:35.200
understanding of everything but they do checks, spot checks and the area I'll see that you have

42:35.200 --> 42:39.600
that they have a confidence that you do everything properly that you bring the right qualified

42:39.600 --> 42:45.040
people this is all the things they can check but they cannot really give you 100% guarantee that

42:45.040 --> 42:49.600
what you have done that you didn't miss it so if you miss that the rescuing need to float

42:49.680 --> 42:55.040
if it's not your requirement in somewhere you can still be completely process compliant

42:55.040 --> 42:58.240
it will just not rescue the people it's obvious that you will not miss this but

43:00.160 --> 43:07.760
this Swedish government was making a request how many language they should support in their

43:07.760 --> 43:13.920
official governmental model so there was a tick list and they almost forgot Swedish

43:14.880 --> 43:18.400
in the list of languages because they were I mean it was super in the article that they have

43:18.480 --> 43:25.200
Swedish in there so it was like what language should we support English Polish German Italians

43:25.200 --> 43:29.520
Spanish so they gave this list and they let the people vote and see like how many language do we

43:29.520 --> 43:35.280
actually need where they demand and they almost forgot Swedish in the list as Swedish and this is just

43:35.280 --> 43:40.320
like sometimes you just miss make something up but most likely this would be something in

43:40.320 --> 43:44.960
all the time it's like what's no Swedish in there that's why there's a benefit also there

43:45.520 --> 43:50.000
okay I don't like question great

43:52.560 --> 43:59.840
so regarding your example about the cyclomatic complexity it's not written in any standard but

43:59.840 --> 44:06.160
I have not met any auditor that did not ask me about it I come from automotive so question is

44:06.160 --> 44:14.160
I see a big bottleneck in this rigid auditor with traditional view for introducing

44:14.720 --> 44:20.720
software in safety critical systems or anything innovative I want to hear your view on it

44:20.720 --> 44:26.880
and what we as a community can do to maybe change this in future so first of all I will not

44:26.880 --> 44:34.720
give you any number on what I see as a useful cyclomatic complexity I know that there are a bunch

44:34.720 --> 44:39.360
of auditors and assessors which bring an outsource mindset you just need to find the right people

44:39.440 --> 44:44.080
in there and see the environment maybe one is the next one could be directly in front of you

44:45.680 --> 44:52.960
so not kidding and then what what we started with originally also from the user project was to go

44:55.040 --> 45:00.320
yeah basically an open source conference talking about the topic like we are here but we can also just

45:00.320 --> 45:08.400
flip the whole thing around and in our thing in April I will be at the two suit and present

45:08.400 --> 45:15.280
about open source processes this is one step and I will do it also to run on September most likely

45:15.280 --> 45:19.360
I've been to exceed up and pause you and just bringing this in so this first of all gives you the

45:19.360 --> 45:23.760
awareness in the safety critical environment because they also have a community and you can go to

45:23.760 --> 45:28.400
this community and spread the word you can spread the word like explaining things right it's

45:28.400 --> 45:36.000
everybody can take a little part of it another inverse which we currently take is we try to turn it around

45:36.960 --> 45:42.640
the open source development is fundamentally different right or to the traditional

45:42.640 --> 45:48.880
fee model or the mode of a device device development artifacts by very similar you find requirements

45:48.880 --> 45:54.160
in open source you can find traces you have better documentation you have better checks you have

45:54.160 --> 45:59.200
CI pipelines and a lot of best practices from open source of those which are taken over in

45:59.200 --> 46:04.320
industries based on the demand based on the community which needed it and what we currently

46:04.320 --> 46:09.040
started is we try to look for the evidence for best practices and literature existing like

46:09.040 --> 46:14.480
OpenSSF Scorecard best practices from Linux Foundation I'll put looking into this right this down

46:14.480 --> 46:21.440
and try to make this a standard why not a safety standard or just the quality kind of standard because

46:21.440 --> 46:28.000
it's often says like is your base for your safety development quality managed and if we can prove

46:28.160 --> 46:36.960
that the open source work creates the same level of quality by different measures but same

46:36.960 --> 46:42.160
artifacts in the end or comparable artifacts we have an argument and then the processor will have

46:42.160 --> 46:46.560
hard times in arguing like saying well yeah but you're using another quality so because it doesn't

46:46.560 --> 46:53.360
tell you that you have to use exactly CMMI, ASPICE or similar right so it's something where you have

46:53.440 --> 46:59.280
the possibilities that's where we currently also try to add an additional element in there like

46:59.280 --> 47:04.080
from and leaves are perspective not that we wanted but I think it's it's a good thing too to

47:04.080 --> 47:16.960
bring this forward good question we're two more minutes so it would be room for one or two

47:16.960 --> 47:25.600
question well let's just go for another one well when everybody else is shy so during the presentation

47:25.600 --> 47:32.320
you mentioned tool qualification yes and there okay for tool chain compilers it's clear but

47:32.320 --> 47:38.800
you mentioned also GitHub if you're storing code there and mostly interested in all infrastructure

47:38.800 --> 47:44.800
tooling like Docker if it was build environments yeah Docker so where do we draw the line what is

47:45.760 --> 47:52.160
what what which tools we need to qualify in the process you think you do you do need to qualify

47:52.160 --> 47:58.000
everything and that would be overkill but you do a tool classification you see like how mature is the

47:58.000 --> 48:05.120
tool you may sometimes even come to say like oh it brings a low complexity I can easily identify

48:05.120 --> 48:11.520
issues also so for example if you say here is the GitHub environment and for the reviews you see

48:11.520 --> 48:15.600
that there's a look and representation and there's a representation GitHub you have different views

48:16.320 --> 48:20.240
then you can maybe have an argument and say that this part is not important but you may want to

48:20.240 --> 48:24.880
look into your build tooling that the artifacts are properly fit together and then you say well I detect

48:24.880 --> 48:30.240
all these kind of things in my testing if I detect everything in the testing I may not need to qualify

48:30.240 --> 48:36.000
something but if you have a script for traceability then you most like you want to make testing

48:36.000 --> 48:40.080
there because you say on the traceability there's so much dependency and therefore you do the classification

48:40.720 --> 48:47.760
and decide what tool will need this imagine you have a requirements tool and this requirements

48:47.760 --> 48:54.960
tool has a tendency to lose data entries then you may this safety critical requirements so therefore

48:54.960 --> 49:00.320
your requirements tool maybe a good candidate for a tool qualification and that's how you

49:00.320 --> 49:06.160
basically bring in and I really love that you brought up this question because we have this

49:06.800 --> 49:14.560
thing that the safety critical products are often seen as slow and we kind kind

49:15.360 --> 49:19.680
keep up with the pace but we have a very manual driven environment with a lot of still a little

49:19.680 --> 49:26.640
of spreadsheets, PDF files, manual signatures and so on and like if you see this S-CORE project this

49:26.640 --> 49:32.480
is also developed a full automotive process and it would naturally have the tendency to become very

49:33.040 --> 49:39.600
slow by what actually happens is that we put so much effort and tools in automation

49:39.600 --> 49:45.120
that later on you can continuously generate all the things and the assessor will know from the

49:45.120 --> 49:50.560
process from the environment that nothing can go wrong because there are all these hard gates and

49:50.560 --> 49:57.280
everything around it and by this the tools are an essential element for the upcoming

49:57.280 --> 50:02.080
environment because this is the only way to make it better understandable for the assessors

50:02.080 --> 50:07.360
to have more assessments, shorter cycles so tool qualification is the thing you need to bet on

50:08.720 --> 50:17.840
in my perspective. I think that will be the very last question. Thank you. You mentioned

50:17.840 --> 50:23.040
several times the significance of the environment and the context of the software in which it is

50:23.920 --> 50:29.360
how do you approach classifying something like a library where that environment depends entirely

50:29.360 --> 50:37.520
on the user? Yeah so I tried to answer and if I did not understand properly you can see it

50:37.520 --> 50:42.000
from true perspective so you can have a library which is broadly used and if you would start this

50:42.000 --> 50:48.800
library would be a safety element it can make an assumption and say I will develop this library

50:48.800 --> 50:54.320
for being used in medical products with certain interface. Then it would be from this perspective

50:54.320 --> 50:59.840
quite easy and you cannot bring it to other industries. The other part is like which library

50:59.840 --> 51:05.440
will you choose if it is for the purpose but then this library most likely will never know

51:06.720 --> 51:11.600
what you wouldn't know of your existing. If you're not interacting you don't have a contract

51:11.600 --> 51:16.160
you have nothing. So you want to use this library and then you would most likely go into like

51:16.160 --> 51:20.880
first to first assessment do you judge it as a fit and then you may if it's a small part go into

51:20.880 --> 51:27.280
this part a class 12 pre-existing software and write down the requirements you have to the library

51:27.280 --> 51:32.320
and write the test cases for it and see if everything you have is fulfilled you can go for a

51:32.320 --> 51:37.680
STPA analysis potentially to say like how is it behaving to my inputs outputs what our hazards

51:37.680 --> 51:41.440
what our risk which come in and you do all this assessment then use it so then you can use a

51:41.440 --> 51:47.120
very generic library for your very specific part but you put it into the context of your system

51:47.840 --> 51:51.440
but this library will most likely never know about your system but it's not the idea of the

51:51.440 --> 51:55.600
library because the library would just be a library. It was not that the developer thought I built

51:55.600 --> 52:01.600
this library for a safety critical product. The developer may say it when they want to do it but

52:01.600 --> 52:05.360
then they will provide you with assumptions of use and say like this is how I'm supposed to be

52:06.240 --> 52:10.480
operating from my limited understanding on your use case and that's why often things become

52:10.480 --> 52:15.280
always in context so you talk to the hardware people to the application developer and whatever

52:15.280 --> 52:20.880
is involved just make it in context and have more and out of context contractual and why I'm in

52:20.880 --> 52:25.760
ways say I have guaranteed services or something like this or response times so it's becomes

52:25.760 --> 52:35.040
more contractual seeing than a technical thing. But I guess now we are at the end thanks for staying

52:35.040 --> 52:39.520
up to the end.

