
Released and Certified: Qt Safe Renderer - ofrzeta
https://blog.qt.io/blog/2018/05/31/function-safety-certified-qt-safe-renderer/
======
pknopf
A little of topic, but I'm confused about something.

These certs open the door for medical devices, which is great.

I work on Class 1 medcial device. We have customers and regulatory people
saying I can't even use Qt because we compile it ourselves. Apparently, once
we have access to the source code, we must bring the software up to our target
safety class.

This of course isn't feasible. Apparently, this even applies to the kernel.

My regulatory people are demanding that we hire someone like WindRiver to
deliver use pre-compiled images and tool chains, removing the source from our
hands.

I don't follow regulatory closely, but this has got to be wrong. Are you
saying that I can never use open source software? Even if the software has
these certs like this (Safe Render)? Surely we can still treat 3rd party libs
as SOUP, even if we have the source, yeah?

~~~
seren
You can use any SOUP you want, the rule is that it is up to you, medical
device seller, to write the requirements (performance or other) you want from
it, and verify them. Additionally, you need to assess any risk added by the
inclusion of the SOUP and mitigate them. (The effort depends on whether you
include it into a Class A/B/C sw unit). You are ultimately responsible for any
bug in the SOUP. And this is rather orthogonal to license of the sw.

Since this is a daunting task to verify something like QT, now you can at
least pay for the certified version, and point some of your risk mitigations
directly to the QT specifications/FMEA/Test results.

The usual strategies to avoid having to validate a huge external SW is to
either have HW redundancies, or to segregate it completely from your main SW
so that any failure of your SOUP is harmless.

~~~
pknopf
We use Yocto. By default, the distribution is super minimal.

As I enable features in the Kernel, or add dependencies, they are driven based
off of some functionality of our GUI/device which is tested/validated before
each release.

So, if I enable squashfs in the kernel, and I can boot my box (which uses it),
I can say that I have tested the requirements needed from the Kernel.

If I add in openssl for TLS connection to mobile devices and have validation
in place to ensure connectivity, I can say that I have tested the required
functionality of openssl.

I'd think this would be enough, but I never can seem to satisfy regulatory
people. They are (in general) not very technical.

~~~
seren
I would say it depends a bit of the usage of the system, and what is the worse
case scenario of a failure (patient data corrupted, life sustaining devices
switched off), in which case you might need to add another mitigation (CRC
check, manual procedure) independent of your Yocto box.

~~~
pknopf
I would understood under those circumstances where patients are at risk.

I'm not trying to get consultation services from HN, but for the sake of
discussion, these devices are recorders used for post-op educational purposes.
External/separate monitors are used for the actual operation.

I bring this up because the risk is very low, yet I have had multiple
customers who wish to distribute our product ask about this.

This is turning into more of a rant than anything. I'll end with this comment.

~~~
ska
You aren’t expected to do anything in analysis and mitigation for SOUP that
you shouldn’t already be doing for all of your own software. The point is you
can’t just punt on that stuff when you use others software. It doesnt have to
be that onerous, but you do need to put some thought into it.

------
ofrzeta
ASIL-D, SIL 3, SIL 4 und IEC 62304:2015(2006+A1) certifications mean that Qt
can now officially be used for displays in automotive, medical devices, trains
etc.

~~~
bpicolo
What were the previous alternatives?

~~~
adrianN
Roll your own while following the regulations to get the safety certification.

------
PerryCox
I've always been very impressed by the work of the Qt teams. I don't do much
coding in C++ but when I have dabbled in it using Qt feels like a breath of
fresh air.

~~~
dekhn
yeah, after working in the web world and being depressed by javascript apps
that consume 100% CPU doing nothing to render a page of ads, I love to go back
to Qt and spend 5 minutes writing a high performance app that does amazing
things.

It's really incredible how the world of software developed by adults differs
from the software developed by kids.

~~~
Waterluvian
That's just so out of touch with reality. People with that attitude scare me
because they lock us into the "one true solution" rather than the one that
actually makes the company successful. Nobody pretends that JS/electron apps
are supafast, but don't pretend like they don't have tremendous benefits too.

~~~
gameswithgo
there are many true solutions, electron is not one of them though.

>but don't pretend like they don't have tremendous benefits too.

Javascript+html+css is not a global optimum in the solution space of "making
cross platform GUI apps", its just the best solution that exists right now (if
you are afraid of C++), and that is too bad.

We could have simpler, better performing ways if we bothered to do things that
aren't web related more often.

~~~
chrisco255
But time and money is a real constraint for projects. It's hard enough writing
native Android, native iOS, and a web app to boot without also having to write
native Mac, Linux, and Windows and dealing with all the cross platform UI
quirks on Qt.

~~~
EStudley
Wait, what? How are you going to write a native app with less quirks than Qt?
VTK? That's a little disingenuous.

~~~
chrisco255
This is in reference to using Electron so you don't have to both write a web
app and a native desktop app using Qt (in addition to native mobile, where
performance issues are much more noticeable).

~~~
kbutler
...and electron apps have no UI quirks and no performance issues on mobile.

------
joosters
Are the 'safety critical' UI components rendered any differently to the non-
critical ones? From reading the related blog posts, I understand that they are
generated in a separate process, but asides from that detail, are they any
more reliable?

Or to put it another way, if we an pick some UI components and marking them as
safety critical' somehow improves their reliability, why would you not mark
everything as safety critical?

Does the safety factor decrease as more and more components enter the safety
critical section? Why not subdivide the UI into more than just one 'critical'
process and one 'non-critical' process, e.g. perhaps a light-weight process
per component?

~~~
freedomben
The article links to
[http://blog.qt.io/blog/category/functionalsafety/](http://blog.qt.io/blog/category/functionalsafety/)
which has a lot more details.

The short answer tho, is that "the tooling separates out the safety-critical
elements for execution by the Qt Quick Renderer run-time."

------
ogennadi
Sounds like Qt Safe Renderer is a graphics library for displaying safety-
critical information in cars, planes, medical devices etc.

In these domains, safety-critical information has to be displayed by certified
hardware/software; QT Safe Renderer just got certified and released.

~~~
1stranger
It doesn't specifically state aviation. Is it covered under one of their
certifications?

~~~
gmueckl
Aviation has their own standards. But all of these standards are quite similar
in their requirements. So reaching the first certification is the hardest
part.

------
santix
How do those standards compare to aviation? Are there similar certifications
that would allow to use a software implementation like this?

~~~
kejaed
Friendly neighbourhood aerospace systems engineer here.

Yes, the certifications on the aviation side are DO-178C for Software and
DO-254 for Airborne Electronic Hardware. Rather than SIL or ASIL (Automotive
Safety Integrity Level), the aviation equivalent is DAL (Development Assurance
Level). Of course, while they each use letters for levels of Integrity /
Assurance, in aviation DAL A is the most stringent and in automotive ASIL-D is
the most stringent.

[https://www.rapitasystems.com/blog/what%E2%80%99s-difference...](https://www.rapitasystems.com/blog/what%E2%80%99s-difference-
between-sil-and-dal-how-does-it-affect-my-code-coverage)

~~~
annerajb
Kinda related question is there a do-178b certified compiler that coult
compile a future certified qt?

~~~
kejaed
Not just compiler but operating system as well. Look at the names like Wind
River, Green Hills or even LynxOS for a certified compiler / OS solution

~~~
annerajb
Ah yes I took the 5 day greenhills training for a project that got put on
hold. Was wondering if anything opensource exist for do187b usage. For example
a GCC toolchain and a standard set of libraries (apart from the OS)

------
RVuRnvbM2e
Does a compiler exist with the same certifications?

~~~
rhencke
Yes.

[https://developer.arm.com/products/software-development-
tool...](https://developer.arm.com/products/software-development-
tools/compilers/arm-compiler/safety)

~~~
irundebian
When I'm seeing TÜV seals for highly-complex IT-related topics, I'm always
asking myself if the people working for TÜV are really qualified for doing
such certifications. The TÜV historically inspected steam engines and is
mostly known today for doing driving tests.

~~~
mbeex
Here in Germany, the TUEV not only certifies nuclear power plants, but will be
involved in most of the precursory steps (the politics of a general
'Atomausstieg / nuclear power phase-out' aside for the moment)

[https://www.tuev-sued.de/plants-buildings-technical-
faciliti...](https://www.tuev-sued.de/plants-buildings-technical-
facilities/fields-of-engineering/nuclear-services/nuclear-power-plant-
licensing)

------
kosinus
Sounds like a great achievement! Congrats to the team!

So is this a completely separate implementation from Qt proper? Do they share
some API and tooling?

------
kristoffer
This does not really mean Qt (and/or QML) is certified. It means there is
support in QtCreator for exporting certain graphics (tell tales) so that they
can be rendered by Qt Safe Renderer and if that happens on a certified RTOS
the system could be certified.

So the Qt libraries or QML renderer are still not certifiable.

~~~
gmueckl
Nor will they ever be, at least at that high level. The standards are very
strict about what is allowed in the code and Qt is coded in a way that is
fundamentally incompatible with that.

But that is okay. Isolating the core components that have the highest safety
requirement and developing the rest to a lower standard is accepted and good
practice. You also need to have an operating system that enforces the
separation and a design that guarantees that the safety critical part cannot
be disrupted by failures in the rest of the system.

For example, a fancy navigation map display is not safety critical at all and
developing that to ASIL standards would be madness. Icon ovelays for engine or
braking system failures are quite important, on the other hand. Separating
then out into a different process and making sure that it cannot be affected
by a misbehaving navigation system is just common sense. So even with the
current limits, this is very useful.

~~~
kristoffer
Sure, I agree that you should limit ASIL certified software as much as
possible. Nothing running on Linux will be certified ever.

That also limits the benefits of Qt Safe Renderer. I think it is mostly a
marketing thing within the automotive sector. The competitors there (Disti,
Kanzi, etc) have their "solutions" for safety critical and say Qt can't handle
it. So Qt needs to check the box of "safety critical" to fend for themselves.

Tell tales can quite simply be implemented by hand coding. But there is OpenGL
SC which possibly could support more fancy and certified graphics. It could be
nice if Qt/QtCreator/Qt3dStudio supported that in some manner. Having a layer
that is safety critical and separated out to it's own OpenGL SC code. The
usual argument for this kind of stuff is that nice graphical ADAS features
(think advances HUDs) will need this (although I think it is still reasonable
to hand code it in OpenGL SC).

------
justaaron
Just to be clear, QT still has the same licensing, correct? dual:LGPL or
commercial

commercial license costs + not redistributable (example, if included in a BSD
or MIT library/framework/tool...)

or LGPL (also requires project to be LGPL)

just checking, as it's a factor in why Qt is not universal, but only
ubiquitous, which is still a good thing, because "diversity" and not wanting
to put the fate of all gui forever into the hands of one entity etc..

but: any other declarative (like qml) gui frameworks out there in Linux land?

~~~
joshvm
Note that some modules are not available under the LGPL. You don't get charts,
data visualisation or any of the embedded tooling.

LGPL does not require the project to be LGPL. It simply means that you must
provide users means to link your program to a version of Qt that they've
compiled, or you provide the source of the Qt distribution that you compiled
to build your application. You can have a commercial, closed-source,
application using LGPL Qt.

"A program that contains no derivative of any portion of the Library, but is
designed to work with the Library by being compiled or linked with it, is
called a "work that uses the Library". Such a work, in isolation, is not a
derivative work of the Library, and therefore falls outside the scope of this
License."

Contrary to popular belief you can even statically link an LGPL library and
remain closed source, but you may need to distribute your object files so that
someone can statically link a different library version with your code.

I'm not sure what happens if you modify Qt in some way though, presumably
you're still covered if you release the modifications you made.

Full answer here:
[http://answers.google.com/answers/threadview/id/439136.html](http://answers.google.com/answers/threadview/id/439136.html)

~~~
beojan
I'm pretty sure Chart, DataViz, etc are now available in the open source
edition.

~~~
pritambaral
Yes, under GPLv3[1], though that may be unpleasant to people who wanted to use
only LGPL-licensed Qt.

1: [https://doc.qt.io/qt-5/qtmodules.html#gpl-licensed-
addons](https://doc.qt.io/qt-5/qtmodules.html#gpl-licensed-addons)

