>Unless you can show that you are competent to modify safety critical software, and have a certified process in place
> require the full lifecycle documentation to allow you to understand the impact of any modifications you make, and be required to do a full impact analysis to prove that any modifications you make do not reduce the integrity of the existing safety functions
Car manufacturers do not use formal verification, even though it exists and would be able to give hard guarantees about safety and the like. And given recent history about analysis of code that resulted in run-away bugs, I, as a professional developer, am completely confident that few if any manufacturers do the above. They have an extensive testing procedure, surely, but they're not trying to avoid the bugs earlier in development, nor trying to enforce a coding style that reduces the risk of bugs.
But besides that point, many people are not arguing that they should be allowed to tinker with safety settings and drive on the road. That would be illegal, just as it is illegal to remove the lights and drive at night. But I, as the owner of the car, should be able to see and change that code for auditing purposes, or for use on a closed road. If the entire system of the car is open, it is also trivially easy to compare the running code with the version supplied by the manufacturer and see if any modifications have been made.
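The comparison the comment above describes, as an added example that is not part of the original post or of any manufacturer's tooling: the manufacturer publishes a manifest of SHA-256 digests for each ECU image, the owner reads the images actually on the car, and the two are compared. The manifest, image names and image contents here are constructed sample data; the "running" set has one image altered and one image the manifest does not know about, so the output shows what each verdict looks like.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an image, as the hex string a published manifest would carry."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a manufacturer-published manifest mapping ECU image
# names to the digests of the images as shipped. Hypothetical names and data.
MANUFACTURER_MANIFEST = {
    "ecu_abs.bin": sha256_hex(b"ABS controller firmware v1.2 (constructed sample)"),
    "ecu_engine.bin": sha256_hex(b"Engine controller firmware v3.0 (constructed sample)"),
}

# Constructed sample: what is actually read back from the car. The engine
# image differs by one byte, and there is an image the manifest never listed.
RUNNING_IMAGES = {
    "ecu_abs.bin": b"ABS controller firmware v1.2 (constructed sample)",
    "ecu_engine.bin": b"Engine controller firmware v3.1 (constructed sample)",
    "ecu_infotainment.bin": b"Aftermarket infotainment image (constructed sample)",
}


def compare_images(running: dict[str, bytes], manifest: dict[str, str]) -> dict[str, str]:
    """Give each image one verdict:

    'unchanged'  - present and its digest matches the manifest
    'modified'   - present but its digest differs from the manifest
    'missing'    - listed in the manifest but not found on the car
    'unexpected' - found on the car but not listed in the manifest
    """
    verdicts: dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in running:
            verdicts[name] = "missing"
            continue
        actual = sha256_hex(running[name])
        # compare_digest avoids timing differences; harmless here, good habit elsewhere.
        verdicts[name] = "unchanged" if hmac.compare_digest(actual, expected) else "modified"
    for name in running:
        if name not in manifest:
            verdicts[name] = "unexpected"
    return verdicts


def all_unchanged(verdicts: dict[str, str]) -> bool:
    """True only if every image is accounted for and untouched."""
    return all(v == "unchanged" for v in verdicts.values())


if __name__ == "__main__":
    result = compare_images(RUNNING_IMAGES, MANUFACTURER_MANIFEST)
    for name, verdict in sorted(result.items()):
        print(f"{name}: {verdict}")
    print("vehicle matches manufacturer build:", all_unchanged(result))
```

The check is only as strong as two things the example assumes: that the manifest really came from the manufacturer (in practice it would be signed, and the signature checked before trusting it), and that what is read back is what the ECU actually executes rather than what a tampered bootloader chooses to show. A digest match says the stored image is the shipped one; it says nothing about why it was or wasn't changed.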
European car manufacturers are required to develop safety critical software under ISO 26262, which is a derivation of IEC 61508, which absolutely does require formal verification and validation activities.
If you change the code outside of the development process, you could unwittingly compromise the safety of the vehicle. The manufacturer is required to use access controls to prohibit people from changing the software for exactly this reason.
ISO 26262 does not to my knowledge require formal verification, and some googling around seems to support this. Without access to the actual specification I cannot find out exactly what it requires.
So you don't know what's in the standard, but you make assertions and continue to support them? That's a fairly disappointing level of discourse for HN. It requires a very similar software development process to all other functional safety standards, in which verification and validation are key steps.
Here is a paper from Mathworks describing verification and validation according to ISO 26262:
I know how ISO standards are implemented in two unrelated fields; that was really the basis for my comment. Besides, I am now certain that it does not require formal verification, as several companies sell products that support formal verification as a means to pass the verification part of the ISO.
I'm not going to pay for access to the standard just for a comment on HN.
When you say European manufacturers are required to follow this, what about non-European manufacturers?