

openpilot is a Level 2 driver assistance system. Like other Adaptive Cruise Control and Automated Lane Centering systems, it is a failsafe passive system that requires the driver to remain alert and in control at all times. Driver attentiveness is necessary but not sufficient for safe operation—the system itself is designed with layered safety requirements to bound what the vehicle can do while openpilot is engaged.

Two core safety requirements

Following Hazard and Risk Analysis and Failure Mode and Effects Analysis (FMEA), openpilot is designed around two fundamental requirements:
  1. The driver must always be able to immediately retake manual control by pressing the brake pedal or the cancel button.
  2. The vehicle must not alter its trajectory too quickly for the driver to safely react. While engaged, all actuators are constrained to operate within limits derived from ISO 11270 and ISO 15622. For the lateral axis this means that, even at full authority, openpilot needs at least 0.9 seconds of actuation to produce a 1 m lateral deviation, so the driver always has time to intervene.
These two requirements drive the architecture of every safety-relevant component in the system.

Standards compliance

openpilot is developed in good faith to comply with FMVSS requirements and follows Level 2 ADAS industry standards, including:
  • ISO 26262 — functional safety standard for road vehicles; comma.ai follows its guidelines, including those in the pertinent NHTSA documents on Automated Lane Centering (ALC) systems.
  • MISRA C: 2012 — coding standard applied to all safety-relevant code paths.
  • ISO 11270 / ISO 15622 — standards for lane-keeping and ACC systems, used to derive the actuator limits above.
comma.ai performs software-in-the-loop, hardware-in-the-loop, and in-vehicle tests before every software release.

panda hardware safety enforcement

The panda is the hardware interface between the comma device and the car’s CAN bus. Its firmware enforces the actuator safety constraints independently of the software running on the device: if openpilot sends a command outside the bounds of the active safety model, the panda drops it instead of transmitting it onto the bus. Safety models are defined per-car in opendbc/safety/safety. When openpilot starts, it programs the panda with the safety model for the detected vehicle, and selfdrived then continuously verifies that the panda’s reported active configuration (safety model, safety parameter and alternativeExperience flags) matches what was programmed. Any mismatch outside the startup grace period raises controlsMismatch, which disengages openpilot.

```python
# From selfdrived.py — safety model mismatch check
# (runs inside a loop over self.sm['pandaStates']; i is the panda's index,
# compared against the safety config that was programmed for that panda)
safety_mismatch = (
  pandaState.safetyModel != self.CP.safetyConfigs[i].safetyModel or
  pandaState.safetyParam != self.CP.safetyConfigs[i].safetyParam or
  pandaState.alternativeExperience != self.CP.alternativeExperience
)
# A mismatch is tolerated for the first 10 s of uptime (DT_CTRL is the 0.01 s
# control period) because panda initialisation is not synchronous with selfdrived.
if safety_mismatch and self.sm.frame * DT_CTRL > 10.:
  self.events.add(EventName.controlsMismatch)
```
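To make the behaviour of that check concrete, here is an added, stand-alone model of it (example code written for this page, not openpilot's own). It assumes illustrative names (SafetyConfig, PandaState, controls_mismatch, simulate), models the cereal safetyModel enum as a string, and drives the check with constructed panda states covering the startup grace period, a clean steady state, and each of the three ways the panda's reported configuration can drift from what was programmed.

```python
# Added example, not openpilot's own code: a stand-alone model of the
# selfdrived safety-model mismatch check, driven by constructed panda states.
# Names (SafetyConfig, PandaState, controls_mismatch) are illustrative;
# cereal's real safetyModel field is an enum, modelled here as a string.
from dataclasses import dataclass

DT_CTRL = 0.01          # openpilot's control-loop period in seconds
STARTUP_GRACE_S = 10.0  # frame * DT_CTRL must exceed this before a mismatch counts


@dataclass(frozen=True)
class SafetyConfig:
    """What selfdrived programmed into the panda for this car (CP.safetyConfigs[i])."""
    safety_model: str
    safety_param: int


@dataclass(frozen=True)
class PandaState:
    """What the panda reports back as its active configuration (pandaStates[i])."""
    safety_model: str
    safety_param: int
    alternative_experience: int


def safety_mismatch(panda: PandaState, cfg: SafetyConfig, alt_exp: int) -> bool:
    """The three-way comparison from selfdrived: model, param and
    alternativeExperience must all agree, otherwise the panda is not
    enforcing the limits openpilot believes it is."""
    return (panda.safety_model != cfg.safety_model
            or panda.safety_param != cfg.safety_param
            or panda.alternative_experience != alt_exp)


def controls_mismatch(frame: int, pandas: list[PandaState],
                      configs: list[SafetyConfig], alt_exp: int) -> bool:
    """True when selfdrived would add EventName.controlsMismatch on this frame.

    Each panda is compared against the config at the same index. The grace
    period exists because panda initialisation is not synchronous with
    selfdrived startup, so a transient mismatch right after boot is expected.
    """
    if len(pandas) != len(configs):
        raise ValueError("this model expects one safety config per panda")
    if frame * DT_CTRL <= STARTUP_GRACE_S:
        return False
    return any(safety_mismatch(p, c, alt_exp) for p, c in zip(pandas, configs))


def simulate() -> dict[str, bool]:
    """Constructed scenarios; maps scenario name -> whether the event is raised."""
    cfg = [SafetyConfig("toyota", 0)]
    alt_exp = 0
    good = PandaState("toyota", 0, alt_exp)
    return {
        # panda still in noOutput during init, 0.5 s after boot: tolerated
        "startup_grace": controls_mismatch(50, [PandaState("noOutput", 0, 0)], cfg, alt_exp),
        # steady state 20 s in, everything agrees: no event
        "steady_match": controls_mismatch(2000, [good], cfg, alt_exp),
        # same model but a different param (e.g. a wrong platform flag): event
        "param_drift": controls_mismatch(2000, [PandaState("toyota", 1, alt_exp)], cfg, alt_exp),
        # panda fell back to a different mode after programming: event
        "model_drift": controls_mismatch(2000, [PandaState("noOutput", 0, alt_exp)], cfg, alt_exp),
        # alternativeExperience flags disagree: event
        "alt_exp_drift": controls_mismatch(2000, [PandaState("toyota", 0, 1)], cfg, alt_exp),
    }


if __name__ == "__main__":
    for name, raised in simulate().items():
        print(f"{name:15s} controlsMismatch={raised}")
```

The point worth noticing is that a mismatch in any one of the three fields is enough: a panda running the right model with the wrong parameter, or with different alternativeExperience flags, is enforcing a different set of limits than openpilot assumes, so selfdrived treats it exactly like a wrong model and disengages.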

Driver monitoring requirement

openpilot includes a camera-based driver monitoring system (dmonitoringmodeld) that watches the driver-facing camera and issues alerts when distraction is detected. If the driver remains unresponsive across escalating alert levels, openpilot locks out engagement for the remainder of the ignition cycle. Driver monitoring is a required safety feature. It cannot be disabled or weakened—doing so violates the safety model that the system is built on.

Excessive actuation checks

selfdrived runs a continuous software check (ExcessiveActuationCheck) that compares the vehicle’s actual motion, derived from calibrated pose estimates, against what the system is commanding while engaged. If the measured actuation exceeds the expected limits, openpilot blocks engagement and sets an offroad alert. This check is enforced in software as a second layer beyond panda’s hardware limits: the panda bounds each command before it reaches the bus, while this check watches the motion that actually results.
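The shape of such a check, as an added example that is not openpilot's own implementation: measured acceleration from the pose estimate is compared against fixed bounds, but only on frames where the motion is attributable to openpilot (engaged, no driver override), a short confirmation window filters pose noise, and once tripped the check latches so engagement stays blocked. The acceleration limits, the 50-frame window and all class and field names are assumptions chosen for illustration; the page does not state the project's values.

```python
# Added example, not openpilot's own code: a model of an excessive-actuation
# check that watches pose-derived acceleration while openpilot is actuating.
# The limits, the confirmation window and the class/field names are
# assumptions chosen for illustration, not values taken from the project.
from dataclasses import dataclass

DT_CTRL = 0.01                 # control-loop period, seconds
MAX_LATERAL_ACCEL = 3.0        # m/s^2, assumed bound in the spirit of ISO 11270
MAX_LONGITUDINAL_ACCEL = 4.0   # m/s^2, assumed bound in the spirit of ISO 15622
CONFIRM_FRAMES = 50            # 0.5 s continuously over limit before tripping


@dataclass(frozen=True)
class Sample:
    engaged: bool              # openpilot is commanding the actuators
    driver_override: bool      # steering pressed / pedals: the motion is the driver's
    lateral_accel: float       # m/s^2 from the calibrated pose estimate
    longitudinal_accel: float  # m/s^2 from the calibrated pose estimate


class ExcessiveActuationModel:
    """Counts consecutive frames in which the *measured* motion exceeds what
    a Level 2 system may command. Once tripped it latches: engagement stays
    blocked (and an offroad alert would be set) until the check is reset."""

    def __init__(self) -> None:
        self.counter = 0
        self.tripped = False

    def update(self, s: Sample) -> bool:
        # Only the system's own actuation is judged; a disengaged state or a
        # driver override produces motion that is not openpilot's doing.
        if not s.engaged or s.driver_override:
            self.counter = 0
            return self.tripped
        over_limit = (abs(s.lateral_accel) > MAX_LATERAL_ACCEL
                      or abs(s.longitudinal_accel) > MAX_LONGITUDINAL_ACCEL)
        self.counter = self.counter + 1 if over_limit else 0
        if self.counter >= CONFIRM_FRAMES:
            self.tripped = True
        return self.tripped

    def engagement_allowed(self) -> bool:
        return not self.tripped


def run(samples) -> tuple[bool, int]:
    """Feed constructed samples; return (tripped, index of the frame that tripped it, or -1)."""
    chk = ExcessiveActuationModel()
    tripped_at = -1
    for i, s in enumerate(samples):
        if chk.update(s) and tripped_at < 0:
            tripped_at = i
    return chk.tripped, tripped_at


def scenarios() -> dict[str, tuple[bool, int]]:
    """Constructed pose streams at DT_CTRL; all accelerations are made up."""
    nominal = Sample(True, False, 1.2, 0.5)
    hard_lat = Sample(True, False, 3.6, 0.0)
    hard_lat_driver = Sample(True, True, 3.6, 0.0)
    return {
        # a 0.3 s spike, then nominal: shorter than the window, no trip
        "brief_spike": run([hard_lat] * 30 + [nominal] * 100),
        # sustained over-limit lateral acceleration: trips on the 50th bad frame
        "sustained": run([nominal] * 20 + [hard_lat] * 60),
        # same motion, but the driver is steering: attributed to the driver
        "driver_steering": run([hard_lat_driver] * 200),
        # trips, and stays tripped after the motion returns to nominal
        "latched": run([hard_lat] * 50 + [nominal] * 200),
    }


if __name__ == "__main__":
    for name, (tripped, at) in scenarios().items():
        print(f"{name:16s} tripped={tripped} at_frame={at}")
```

Two design choices carry the safety argument: the counter resets on any frame the driver is overriding, because otherwise a hard manual manoeuvre would be blamed on openpilot, and the trip latches rather than clearing when motion calms down, because a system that has already demonstrated it can exceed its bounds should not be allowed to re-engage in the same drive.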

Fork safety requirements

Forks of openpilot that modify safety-relevant code are subject to strict requirements:
  • Do not disable or weaken driver monitoring.
  • Do not disable or weaken excessive actuation checks.
  • If your fork modifies any code under opendbc/safety/:
    • The full safety test suite must be preserved and all tests must pass, including any new coverage required by the fork’s changes.
    • Your fork cannot use the openpilot trademark.
Failure to meet these requirements will result in the fork and its users being banned from comma.ai servers.
Disabling or nerfing safety features—including driver monitoring and excessive actuation checks—violates the conditions under which openpilot’s trademark may be used. comma.ai strongly discourages the use of any fork that does not fully meet these safety requirements.
