Codeplay joins MISRA to move C++ safety standards forward

Posted on January 9, 2018 by Illya Rudkin.

Codeplay is pleased to announce it has joined the MISRA working group for C++ to help move the standards forward to support C++ '11 and beyond, enabling software developers to build safety critical systems for automotive. We are experts in C++ and actively contribute to the ISO C++ WG23 and SG12 for programming vulnerabilities and core guidelines in modern C++ ‘11/’14/’17. We are also seeing first hand the challenges of the current MISRA C++ standard within our codebase positioning us well to advise on what is required for the future of automotive systems.

The automotive industry is in top gear driving forward to provide more and more advanced ADAS features, towards full electrification and ultimately fully autonomous vehicles which is imminent given the hype and expectations of the media and the general public. Within the industry the general consensus is we will have sophisticated adaptive safety systems capable of level 4 or 5 automation by 2021.

It is also accepted today that the effort to create a vehicle is now mostly focused on the software to deliver the capabilities required by the industry.  

However, like legislation, the automotive safety standards lag behind the development curve. Further behind are the quality management tools and software quality standards relied on by the automotive industry to assist and back up their safety development plans.

On the one hand, there are new advances in deep learning systems which the automotive industry know they need to adopt and adapt in order to deliver the driving monitoring systems that we expect. The algorithms and the software stacks to support them are developed and written mostly outside the automotive domain where there are few considerations for safety, and use the latest programming constructs to enable these systems on highly parallel computing hardware.

On the other hand, the automotive industry knows they need to bring these complex system into their domain in order to meet their self-imposed deadlines. But here is the dilemma, the constraints they work within in order to achieve the assured safety is hampering the adoption of software developed outside the automotive industry.

One set of coding guidelines used extensively throughout the industry is MISRA C. MISRA C came about through a collaboration between the Ford Motor Company and Rover Group back in the early 1990s. It was a follow-on to the earlier MISRA project in the UK government's "SafeIT" program which developed guidance concerned with automotive safety-related electronic systems to the then emerging IEC 61508 standard. The MISRA 'C' and C++ quality standards are now used extensively through out the automotive industry and are now used in conjunction with the ISO 26262 automotive standard which first came out in 2011 to help fulfil its requirements. If any C++ software used in an Item with a high safety level does not pass the quality management controls set in the safety plan for that Item then the Item cannot be allowed in the vehicle as ruled by the ISO 26262 standard. The issue currently is that the MISRA C++ 2008 standard, the latest ratified standard, is only suitable for C++ ’98. The software used to develop deep learning software stacks is written using at least C++ ’11 and very likely uses C++ constructs yet to be ratified in ISO C++ standards for C++ ’17 and ’20.

Most of the software that Codeplay create uses C++ '11 or C++ '14 and so applying the MISRA C++ standard to their codebase is a challenge. By Codeplay participating in the various bodies concerned it is in a unique position to monitor and contribute to relevant groups ensuring the emerging C++ standards, software quality standards and open standards are compatible with real life use cases. We are actively involved in the development of TensorFlow as a typical use case for SYCL on highly parallel low power systems, and have first-hand experience of the issues C++ can present when looking at the safety domain. ComputeAorta and ComputeCpp (our implementations of OpenCL and SYCL) are part of the deep learning software stack at Codeplay. We see this experience as critical in helping influence the relevant workgroups to ensure conflicts of interest are minimized when defining separate new standards in the various domains inside and outside the automotive industry.

Currently MISRA and other automotive software quality standards like Adaptive AUTOSAR do not consider one vital area complex software solutions today take for granted, and that is multi-threaded multi-core or GPU hardware software combinations. Even the ISO 26262 safety standard's chapter 6 for software as yet does not present rules for safety concerns in this area. Yet to solve complex problems such as pedestrian recognition and avoidance in a timely manner it is taken for granted that this software is running on highly parallel hardware in order to achieve the data processing and analysis required. This is the conundrum, the current standards either ban or do not cover Items which are built on heterogeneous hardware and threaded software due to its complexity.  The automotive industry today is inevitably gravitating towards introducing complex system into their domain faster than the safety committees can keep up. The safety committees recognize the large lag behind this trend and the need to create extra processes or rules to hold off the news head line of 'complex software losses control'. To briefly touch on another area concerned with safety and verification is the area concerned with the modelling of complex systems. These tools themselves are complex and are written with modern C++.  ISO 26262 asks that tools supporting the development of software for an Item has the same rigor applied to them too. So, as you can imagine, the scope of the misalignment of software and safety standards is not just limited to a program for an Item. Yet we need this type of hardware and software to support problem solving and deep learning ADAS systems in development now, ready for the future to satisfy customer expectations.

The goal for us is ultimately to have a Safety Critical Heterogeneous C++ language that is compatible with ISO standards and Khronos open standards. Codeplay is at the forefront of all these efforts either as chair leading the effort or participating fully to ensure a safer world for the future.