WEBVTT

NOTE
This file was generated by switchtitle

1
00:00:14.041 --> 00:00:15.500
This is Self-Directed Research.

2
00:00:15.958 --> 00:00:18.000
Our hosts, James and Amos, entertain each

3
00:00:18.000 --> 00:00:18.875
other with weekly

4
00:00:18.875 --> 00:00:20.541
hyper-focused technical deep dives.

5
00:00:21.166 --> 00:00:22.875
James brushes the surface of his topic

6
00:00:22.875 --> 00:00:24.250
this week with "How is

7
00:00:24.250 --> 00:00:25.458
Software Safety Certified?"

8
00:00:25.958 --> 00:00:27.375
Make sure to like, follow, and subscribe

9
00:00:27.375 --> 00:00:28.333
wherever you find us,

10
00:00:28.583 --> 00:00:31.125
and visit sdr-podcast.com/episodes

11
00:00:31.125 --> 00:00:33.041
for all the presentations, videos, show

12
00:00:33.041 --> 00:00:33.833
notes, and transcripts.

13
00:00:34.541 --> 00:00:36.208
And as usual, stay tuned to the end to

14
00:00:36.208 --> 00:00:37.375
hear more about Depot, the

15
00:00:37.375 --> 00:00:38.291
sponsor of this episode.

16
00:00:42.708 --> 00:00:45.000
<v Amos Wenger>So James, what do you have for us today?

17
00:00:45.625 --> 00:00:48.041
<v James Munns>So like every one of my actual good blog

18
00:00:48.041 --> 00:00:50.666
posts, I had someone ask exactly the

19
00:00:50.666 --> 00:00:53.583
right question that tickled my brain in a

20
00:00:53.583 --> 00:00:55.083
way that made all the information fall

21
00:00:55.083 --> 00:00:56.875
out in like a coherent way.

22
00:00:56.875 --> 00:00:59.041
So instead of just like an unordered web

23
00:00:59.041 --> 00:01:02.000
of random facts that I know, I was like,

24
00:01:02.000 --> 00:01:04.750
"Ah, I can imagine the person that asked

25
00:01:04.750 --> 00:01:06.958
me this question and how I should answer

26
00:01:06.958 --> 00:01:08.916
this question for that person."

27
00:01:08.916 --> 00:01:10.833
And the question they asked me was, "Hey,

28
00:01:10.833 --> 00:01:11.875
you do stuff with

29
00:01:11.875 --> 00:01:13.375
safety critical stuff, right?

30
00:01:13.375 --> 00:01:15.250
How is software safety certified?"

31
00:01:15.250 --> 00:01:16.625
Because like I've heard people talk about

32
00:01:16.625 --> 00:01:18.083
that, but I have no idea

33
00:01:18.083 --> 00:01:19.916
what that actually means.

34
00:01:19.958 --> 00:01:21.291
<v Amos Wenger>I love that the subtitle is

35
00:01:21.291 --> 00:01:23.083
"A Crash Course" because...

36
00:01:24.833 --> 00:01:25.416
Is that a pun?

37
00:01:25.416 --> 00:01:26.083
Is the pun intended?

38
00:01:26.416 --> 00:01:27.375
<v James Munns>Yeah, exactly.

39
00:01:27.791 --> 00:01:29.250
Yeah, "Crash Course" is even probably a

40
00:01:29.250 --> 00:01:31.416
little bold, but it's just like common

41
00:01:31.416 --> 00:01:34.375
misnomers, like all the stuff that I

42
00:01:34.375 --> 00:01:36.666
either hear people say and be wrong or

43
00:01:36.666 --> 00:01:38.500
like that I always get asked and I'm

44
00:01:38.500 --> 00:01:40.125
like, "Okay, I'm going to actually..."

45
00:01:40.333 --> 00:01:41.666
So this is probably going to turn into a

46
00:01:41.666 --> 00:01:43.875
blog post as well with like a more

47
00:01:43.875 --> 00:01:45.500
written out request, but I figured you're

48
00:01:45.500 --> 00:01:46.125
the kind of person that

49
00:01:46.125 --> 00:01:47.041
might be interested in this.

50
00:01:47.041 --> 00:01:48.250
<v Amos Wenger>This is what SDR is for, right?

51
00:01:48.583 --> 00:01:50.208
It's like pitching blog posts to the

52
00:01:50.208 --> 00:01:52.166
co-host and seeing if

53
00:01:52.166 --> 00:01:53.625
they would actually work.

54
00:01:53.625 --> 00:01:54.958
<v James Munns>Yeah, because it's faster to write bullet

55
00:01:54.958 --> 00:01:57.208
points in a slide than it is to write

56
00:01:57.208 --> 00:02:00.208
like a well-reasoned defendable blog post

57
00:02:00.208 --> 00:02:01.958
because people on the internet.

58
00:02:01.958 --> 00:02:02.750
That's what I've been doing.

59
00:02:03.125 --> 00:02:03.583
Yeah, exactly.

60
00:02:03.583 --> 00:02:05.000
<v Amos Wenger>Some things I pitched to you, I see the

61
00:02:05.000 --> 00:02:06.291
reaction, I'm like, "Oh no, I'm not

62
00:02:06.291 --> 00:02:08.166
dealing with YouTube comments on that.

63
00:02:08.166 --> 00:02:08.500
You're right.

64
00:02:08.791 --> 00:02:09.333
I was wrong.

65
00:02:09.666 --> 00:02:10.041
Never mind."

66
00:02:10.291 --> 00:02:10.500
<v James Munns>Nice.

67
00:02:11.000 --> 00:02:12.541
Okay, so I get asked

68
00:02:12.541 --> 00:02:13.583
about this pretty often.

69
00:02:13.583 --> 00:02:15.625
I come from a background of safety

70
00:02:15.625 --> 00:02:17.500
critical and especially nowadays that

71
00:02:17.500 --> 00:02:20.000
safety critical Rust is a thing that you

72
00:02:20.000 --> 00:02:22.291
can be doing today after a lot of hard

73
00:02:22.291 --> 00:02:23.500
work and effort and time.

74
00:02:23.833 --> 00:02:25.333
More and more folks, especially in like

75
00:02:25.333 --> 00:02:26.875
the Rust scene that I'm hanging out in

76
00:02:26.875 --> 00:02:28.083
are like, "Hey, what does

77
00:02:28.083 --> 00:02:29.625
safety critical actually mean?"

78
00:02:29.625 --> 00:02:30.875
<v Amos Wenger>Just to clarify, you

79
00:02:30.875 --> 00:02:32.000
mentioned a lot of hard work.

80
00:02:32.250 --> 00:02:33.541
You're talking about hard work that's

81
00:02:33.541 --> 00:02:35.333
already been done by other people and are

82
00:02:35.333 --> 00:02:37.375
unlocking these use cases now, not hard

83
00:02:37.375 --> 00:02:39.333
work that you need to do in order to get

84
00:02:39.333 --> 00:02:40.708
anything done in that area, right?

85
00:02:41.000 --> 00:02:42.583
<v James Munns>Correct, yeah, that work.

86
00:02:42.583 --> 00:02:44.875
The work has been done over years.

87
00:02:45.291 --> 00:02:47.000
We'll talk about this a bit more later,

88
00:02:47.000 --> 00:02:48.458
but safety critical is an

89
00:02:48.458 --> 00:02:50.000
industry that moves slow.

90
00:02:50.166 --> 00:02:52.750
Getting them to adopt some new tech,

91
00:02:53.000 --> 00:02:55.458
whether it's a language or anything,

92
00:02:55.458 --> 00:02:57.708
takes time because they're conservative.

93
00:02:58.416 --> 00:03:01.416
I'd probably argue reasonably so, but

94
00:03:01.416 --> 00:03:03.208
they're also open to like,

95
00:03:03.208 --> 00:03:04.500
"Hey, how can we do this better?"

96
00:03:04.500 --> 00:03:06.791
That process takes a while.

97
00:03:06.791 --> 00:03:09.041
For a new language that could be used for

98
00:03:09.041 --> 00:03:11.250
automotive or avionics and stuff like

99
00:03:11.250 --> 00:03:12.958
that, that's something that hasn't

100
00:03:12.958 --> 00:03:14.666
happened in literal decades.

101
00:03:15.458 --> 00:03:19.708
C and probably Ada have been the go-to

102
00:03:19.708 --> 00:03:21.375
languages for safety critical for a long

103
00:03:21.375 --> 00:03:23.833
time with a little bit of C++ in there,

104
00:03:23.833 --> 00:03:25.125
depending on your industry.

105
00:03:25.833 --> 00:03:27.708
Time since a new language has been

106
00:03:27.708 --> 00:03:29.875
introduced in safety critical processes

107
00:03:30.541 --> 00:03:33.625
probably 20 years, not exaggerating

108
00:03:33.625 --> 00:03:35.000
probably like mid to

109
00:03:35.000 --> 00:03:36.333
late 90s kind of stuff.

110
00:03:36.791 --> 00:03:37.041
<v Amos Wenger>I see.

111
00:03:37.500 --> 00:03:40.375
I mean, that seems like a long time, but

112
00:03:40.375 --> 00:03:43.291
I also realized recently that I was 17

113
00:03:43.291 --> 00:03:45.333
years old 17 years ago.

114
00:03:45.500 --> 00:03:45.958
<v James Munns>Okay.

115
00:03:46.000 --> 00:03:47.041
<v Amos Wenger>Because I was looking for

116
00:03:47.041 --> 00:03:48.375
music for my teenage years.

117
00:03:48.375 --> 00:03:50.416
So my point is, if you're saying that a

118
00:03:50.416 --> 00:03:51.916
new language hasn't been adopted in 20

119
00:03:51.916 --> 00:03:53.708
years, I was probably already coding back

120
00:03:53.708 --> 00:03:55.458
then-- oh, maybe not, maybe not.

121
00:03:55.458 --> 00:03:57.666
Maybe I'm just like just shy of that, but

122
00:03:57.666 --> 00:04:00.416
it's a long time, but I'm

123
00:04:00.416 --> 00:04:01.250
not getting any younger.

124
00:04:01.583 --> 00:04:04.125
Even though everyone says I'm a Zoomer in

125
00:04:04.125 --> 00:04:05.375
the YouTube comments, I'm not.

126
00:04:05.875 --> 00:04:07.708
I'm a millennial and I'm

127
00:04:07.708 --> 00:04:09.750
mildly neutral about it.

128
00:04:09.750 --> 00:04:10.708
<v James Munns>Time marches forward.

129
00:04:11.583 --> 00:04:12.625
And these days already,

130
00:04:12.625 --> 00:04:14.250
you can get three compilers.

131
00:04:14.250 --> 00:04:16.083
There's not just a safety critical Rust

132
00:04:16.083 --> 00:04:18.250
compiler, there's three people offering a

133
00:04:18.333 --> 00:04:19.791
safety critical compiler.

134
00:04:19.791 --> 00:04:21.583
So you'll see this on product pages.

135
00:04:21.583 --> 00:04:22.541
So there's Ferrocene from

136
00:04:22.541 --> 00:04:23.583
the Ferrous Systems folks.

137
00:04:24.083 --> 00:04:25.500
AdaCore is adding Rust

138
00:04:25.500 --> 00:04:27.625
support to their existing Ada...

139
00:04:27.958 --> 00:04:29.458
<v Amos Wenger>I don't know.

140
00:04:29.458 --> 00:04:30.083
I have no idea.

141
00:04:30.458 --> 00:04:31.166
<v James Munns>I always forget.

142
00:04:31.166 --> 00:04:32.000
<v Amos Wenger>You're the authority on

143
00:04:32.000 --> 00:04:33.000
this as far as I'm concerned.

144
00:04:33.250 --> 00:04:34.250
<v James Munns>Yeah, yeah, should be.

145
00:04:34.500 --> 00:04:35.833
They're adding Rust

146
00:04:35.833 --> 00:04:36.833
support to their toolchain.

147
00:04:36.833 --> 00:04:37.833
HighTec is another one.

148
00:04:38.083 --> 00:04:40.375
They make compilers for a specific flavor

149
00:04:40.375 --> 00:04:41.708
of very popular chips

150
00:04:41.708 --> 00:04:42.833
that are used in automotive.

151
00:04:43.041 --> 00:04:43.916
And I say very popular.

152
00:04:44.291 --> 00:04:46.250
They're very popular in automotive and

153
00:04:46.250 --> 00:04:48.000
nowhere else in the world.

154
00:04:48.000 --> 00:04:49.083
So if you haven't worked in automotive,

155
00:04:49.500 --> 00:04:51.458
you probably have never used the Infineon

156
00:04:51.458 --> 00:04:54.583
TriCore processor from Infineon.

157
00:04:54.583 --> 00:04:56.291
<v Amos Wenger>I sure have not, but I'm not

158
00:04:56.291 --> 00:04:57.458
the target audience for this.

159
00:04:57.458 --> 00:04:59.250
But yeah, when we had a chip

160
00:04:59.250 --> 00:05:00.625
shortage, cars were affected.

161
00:05:01.083 --> 00:05:02.500
But now you're telling me in cars we use

162
00:05:02.500 --> 00:05:04.083
things that nobody else uses.

163
00:05:04.458 --> 00:05:06.000
So I don't know, like same causes

164
00:05:06.000 --> 00:05:06.916
different supply

165
00:05:06.916 --> 00:05:08.125
chains or how does it work?

166
00:05:08.291 --> 00:05:08.875
<v James Munns>It can't.

167
00:05:08.875 --> 00:05:09.041
Yeah.

168
00:05:09.041 --> 00:05:09.625
I mean, a lot of stuff

169
00:05:09.625 --> 00:05:10.375
goes into automotive.

170
00:05:10.583 --> 00:05:12.125
So that's just like the CPU that's

171
00:05:12.125 --> 00:05:13.041
running code, but you

172
00:05:13.041 --> 00:05:14.250
need a lot of other stuff.

173
00:05:14.250 --> 00:05:15.916
You need like voltage regulators for

174
00:05:15.916 --> 00:05:19.458
power supplies or analog circuitry for

175
00:05:19.458 --> 00:05:20.791
comparing voltages and stuff.

176
00:05:21.166 --> 00:05:23.041
So I'm not sure if these chips were ever

177
00:05:23.041 --> 00:05:25.500
in shortage because they're really only

178
00:05:25.500 --> 00:05:26.500
used in these niches.

179
00:05:27.000 --> 00:05:29.958
But there's a lot of periphery stuff that

180
00:05:29.958 --> 00:05:32.500
goes into laptops and phones and stuff

181
00:05:32.500 --> 00:05:34.250
like that, that is more

182
00:05:34.250 --> 00:05:36.000
common with automotive stuff.

183
00:05:36.583 --> 00:05:37.083
Yeah.

184
00:05:37.083 --> 00:05:38.041
I used to work in safety critical.

185
00:05:38.833 --> 00:05:40.791
I started my career in avionics.

186
00:05:40.916 --> 00:05:42.500
I did gas detection for a while.

187
00:05:42.500 --> 00:05:43.458
I've done some industrial

188
00:05:43.458 --> 00:05:45.916
like robotics-y kind of stuff.

189
00:05:46.208 --> 00:05:47.500
And then when I was at Ferrous, I looked

190
00:05:47.500 --> 00:05:49.083
into a lot of other safety standards

191
00:05:49.083 --> 00:05:50.083
because we were starting

192
00:05:50.083 --> 00:05:51.416
Ferrocene at the time.

193
00:05:51.500 --> 00:05:53.916
So like I've done quite a bit of this,

194
00:05:53.916 --> 00:05:55.458
not as much recently because I've been

195
00:05:55.458 --> 00:05:57.708
more on like connected devices and stuff.

196
00:05:57.875 --> 00:05:58.541
So my knowledge might

197
00:05:58.541 --> 00:06:00.083
be a little out of date.

198
00:06:00.083 --> 00:06:00.791
But like I said, these

199
00:06:00.791 --> 00:06:02.500
industries don't move super fast.

200
00:06:02.500 --> 00:06:03.333
And we're only going to hit

201
00:06:03.333 --> 00:06:04.958
the high notes here on this.

202
00:06:04.958 --> 00:06:06.208
This is probably not going to give you

203
00:06:06.208 --> 00:06:08.000
enough to ship your first product, but

204
00:06:08.000 --> 00:06:08.958
enough to get like the

205
00:06:08.958 --> 00:06:10.583
vague idea of how it works.

206
00:06:10.583 --> 00:06:12.375
<v Amos Wenger>I'm just curious, did Ferrocene start

207
00:06:12.375 --> 00:06:14.208
because you had that specific skill set

208
00:06:14.208 --> 00:06:16.500
and background or did you join first

209
00:06:16.500 --> 00:06:17.708
because you had the

210
00:06:17.708 --> 00:06:18.583
background they were looking for?

211
00:06:19.000 --> 00:06:22.000
<v James Munns>Well, I started Ferrous with Felix and

212
00:06:22.000 --> 00:06:24.583
Florian and we were getting embedded

213
00:06:24.583 --> 00:06:25.500
stuff going like at

214
00:06:25.500 --> 00:06:27.125
the beginning of Ferrous.

215
00:06:27.166 --> 00:06:29.000
And at the time I went--

216
00:06:29.000 --> 00:06:29.958
<v Amos Wenger>I didn't realize you were a founder.

217
00:06:29.958 --> 00:06:30.500
That's embarrassing.

218
00:06:30.833 --> 00:06:31.125
<v James Munns>Yeah.

219
00:06:31.666 --> 00:06:32.000
Yeah.

220
00:06:32.458 --> 00:06:34.125
I mean, I was there for three years.

221
00:06:34.125 --> 00:06:35.416
I've been gone as long as

222
00:06:35.416 --> 00:06:36.958
I was there at this point.

223
00:06:37.250 --> 00:06:38.666
<v Amos Wenger>So I just assume everyone's been there at

224
00:06:38.666 --> 00:06:39.958
some point, except me.

225
00:06:40.291 --> 00:06:41.375
It's a rite of passage.

226
00:06:41.375 --> 00:06:43.250
It's a shibboleth that I don't have.

227
00:06:43.500 --> 00:06:43.708
<v James Munns>Yeah.

228
00:06:44.166 --> 00:06:46.625
I know that this industry moves slowly

229
00:06:46.625 --> 00:06:48.500
and someday I want to get back into these

230
00:06:48.500 --> 00:06:49.833
industries and things like that.

231
00:06:50.125 --> 00:06:51.625
<v Amos Wenger>Well, there's no rush, literally.

232
00:06:52.083 --> 00:06:52.458
Yeah.

233
00:06:52.666 --> 00:06:54.125
It'll still be there when you're ready.

234
00:06:55.291 --> 00:06:56.083
<v James Munns>I joke about it.

235
00:06:56.666 --> 00:06:57.958
Sometimes you have to start five year

236
00:06:57.958 --> 00:06:59.250
fights and like

237
00:06:59.250 --> 00:07:00.166
sometimes there are fights.

238
00:07:00.416 --> 00:07:02.458
You just have to keep working on it for

239
00:07:02.458 --> 00:07:04.541
five years before it's a thing.

240
00:07:04.958 --> 00:07:06.666
And so I was like, well, if it's going to

241
00:07:06.666 --> 00:07:07.500
be a five year fight,

242
00:07:07.791 --> 00:07:09.083
we better start today.

243
00:07:09.083 --> 00:07:10.875
<v Amos Wenger>I just started one of these.

244
00:07:11.208 --> 00:07:12.041
I've been working on facet.

245
00:07:12.250 --> 00:07:13.916
This is not a facet episode, but--

246
00:07:13.916 --> 00:07:15.416
<v James Munns>I'm excited for the facet episode.

247
00:07:15.625 --> 00:07:16.375
<v Amos Wenger>So am I.

248
00:07:16.666 --> 00:07:18.000
And we need something from the compiler.

249
00:07:18.333 --> 00:07:19.041
So much going on.

250
00:07:19.041 --> 00:07:20.166
The compiler team reached out.

251
00:07:20.166 --> 00:07:20.791
They were like, "Hey, is

252
00:07:20.791 --> 00:07:21.666
there anything you need?"

253
00:07:21.666 --> 00:07:23.375
And I made a little shopping list.

254
00:07:23.375 --> 00:07:24.333
Like, "Oh, that'd be nice.

255
00:07:24.333 --> 00:07:25.958
Like I need that in const and whatnot."

256
00:07:26.291 --> 00:07:27.291
And then I asked, "Hey, do you have any

257
00:07:27.291 --> 00:07:28.416
sort of ETA for that?"

258
00:07:28.416 --> 00:07:29.875
And they're like, "Looking at the track

259
00:07:29.875 --> 00:07:32.000
record for this... maybe five years."

260
00:07:32.875 --> 00:07:35.083
So, you know, staging for season three of

261
00:07:35.083 --> 00:07:38.541
Self-Directed Research in 2030.

262
00:07:38.541 --> 00:07:39.833
<v James Munns>But I mean, it's what-- you got to start.

263
00:07:40.125 --> 00:07:41.291
And it's one of those if you want the

264
00:07:41.291 --> 00:07:43.500
industry to move, someone had to push it.

265
00:07:43.750 --> 00:07:45.916
And so I started just yelling about it.

266
00:07:45.916 --> 00:07:47.833
And I talked to people for like two years

267
00:07:47.833 --> 00:07:48.666
and it didn't feel like

268
00:07:48.666 --> 00:07:49.791
there was a lot of progress.

269
00:07:49.791 --> 00:07:51.583
And then right as I was actually leaving

270
00:07:51.583 --> 00:07:54.000
Ferrous is when we started really getting

271
00:07:54.000 --> 00:07:55.666
some traction and people started to be

272
00:07:55.666 --> 00:07:57.166
interested, especially in automotive.

273
00:07:57.833 --> 00:07:59.916
And so all the work of actually following

274
00:07:59.916 --> 00:08:02.125
through with this was not me.

275
00:08:02.458 --> 00:08:04.083
So like I came up with I was part of

276
00:08:04.083 --> 00:08:05.625
planning the initial plan and like

277
00:08:05.625 --> 00:08:07.458
talking to people and selling them on the

278
00:08:07.458 --> 00:08:09.333
idea and having them in a lot of

279
00:08:09.333 --> 00:08:10.000
industries, you just

280
00:08:10.000 --> 00:08:11.833
need to not surprise people.

281
00:08:12.291 --> 00:08:13.666
So like you kind of have to talk about

282
00:08:13.666 --> 00:08:15.791
stuff for years before they go, "Oh yeah,

283
00:08:15.791 --> 00:08:17.208
I've heard of someone talking about Rust

284
00:08:17.208 --> 00:08:17.875
for safety critical.

285
00:08:17.875 --> 00:08:18.500
That makes sense."

286
00:08:18.500 --> 00:08:19.000
So they don't have

287
00:08:19.000 --> 00:08:20.333
that immediate rejection.

288
00:08:20.333 --> 00:08:21.500
Like, "Ah! That sounds silly.

289
00:08:21.500 --> 00:08:22.750
I've never heard of that before."

290
00:08:23.000 --> 00:08:23.750
<v Amos Wenger>That's cool, right?

291
00:08:23.958 --> 00:08:25.500
Seeing your work pay off, even if you're

292
00:08:25.541 --> 00:08:28.541
not here... 'here-here', because I've left

293
00:08:28.541 --> 00:08:30.791
companies and then things kind of fell

294
00:08:30.791 --> 00:08:31.833
through like all the things that I

295
00:08:31.833 --> 00:08:32.708
tried to start and

296
00:08:32.708 --> 00:08:33.583
that doesn't feel good.

297
00:08:33.875 --> 00:08:35.125
So I think I would be happy to see that

298
00:08:35.125 --> 00:08:36.333
all my work paid off even

299
00:08:36.333 --> 00:08:37.166
if I'm not there anymore.

300
00:08:37.583 --> 00:08:38.208
<v James Munns>Very much so.

301
00:08:38.416 --> 00:08:38.750
Yeah.

302
00:08:38.750 --> 00:08:40.750
Like I said, it's what I wanted to happen

303
00:08:40.750 --> 00:08:41.875
even if I wasn't the one

304
00:08:41.875 --> 00:08:43.000
who was going to do it.

305
00:08:43.000 --> 00:08:44.041
But at the time I couldn't think of

306
00:08:44.041 --> 00:08:45.958
anyone but me who was going to do it.

307
00:08:46.208 --> 00:08:47.416
So, you know, you got

308
00:08:47.416 --> 00:08:48.166
to pick some fights.

309
00:08:48.500 --> 00:08:49.666
<v Amos Wenger>So James, I can see in your notes here

310
00:08:49.666 --> 00:08:50.625
that safety is like me.

311
00:08:50.625 --> 00:08:51.500
It's non-binary.

312
00:08:51.625 --> 00:08:52.375
<v James Munns>Yes, exactly.

313
00:08:52.791 --> 00:08:54.166
So this is another one of those things

314
00:08:54.166 --> 00:08:55.500
where people are like, "Oh, why don't we

315
00:08:55.500 --> 00:08:57.000
just have safe software?

316
00:08:57.000 --> 00:08:59.166
Why like, there's just safe software and

317
00:08:59.166 --> 00:09:00.375
there's not safe software."

318
00:09:00.375 --> 00:09:02.125
And that's one of those things in this

319
00:09:02.125 --> 00:09:03.500
process where there really, there really

320
00:09:03.500 --> 00:09:06.000
isn't a binary because there's no like,

321
00:09:06.250 --> 00:09:07.458
if you were thinking about something like

322
00:09:07.458 --> 00:09:09.916
a bolt that goes into a bridge, what does

323
00:09:09.916 --> 00:09:11.375
it mean to have a safe bolt?

324
00:09:11.916 --> 00:09:12.833
Does it hold the

325
00:09:12.833 --> 00:09:14.333
capacity that it's rated for?

326
00:09:14.666 --> 00:09:14.875
<v Amos Wenger>Yeah.

327
00:09:15.041 --> 00:09:17.333
<v James Munns>Does it resist corrosion if it's going to

328
00:09:17.333 --> 00:09:18.625
be outside for 40 years

329
00:09:18.625 --> 00:09:19.500
or something like that?

330
00:09:19.500 --> 00:09:20.458
<v Amos Wenger>Yeah, you have to think about the whole

331
00:09:20.458 --> 00:09:21.958
system and all the constraints.

332
00:09:22.333 --> 00:09:23.000
And yeah.

333
00:09:23.250 --> 00:09:25.458
<v James Munns>So I mean, like a component can do what

334
00:09:25.458 --> 00:09:28.500
it says it does, but it's not like in and

335
00:09:28.500 --> 00:09:30.041
of itself safe or not.

336
00:09:30.416 --> 00:09:31.208
Safety is a property

337
00:09:31.208 --> 00:09:32.166
of like the whole thing.

338
00:09:32.375 --> 00:09:34.208
Like the bridge is safe because we picked

339
00:09:34.208 --> 00:09:36.375
bolts that are corrosion resistant and,

340
00:09:36.375 --> 00:09:37.625
you know, girders and

341
00:09:37.625 --> 00:09:38.833
concrete and whatever.

342
00:09:38.833 --> 00:09:41.125
And we set up a schedule for maintenance.

343
00:09:41.125 --> 00:09:42.541
Like that is safe.

344
00:09:42.833 --> 00:09:44.791
<v Amos Wenger>I'm so glad you picked bridges because

345
00:09:44.791 --> 00:09:47.625
nobody gets mad when we compare bridge

346
00:09:47.625 --> 00:09:49.666
engineering and software development.

347
00:09:51.416 --> 00:09:53.250
<v James Munns>And that's a whole other thing is that

348
00:09:53.250 --> 00:09:55.416
that software is just orders of magnitude

349
00:09:55.416 --> 00:09:59.208
more complex and newer and less studied

350
00:09:59.208 --> 00:09:59.791
<v Amos Wenger>Than bridges?

351
00:09:59.916 --> 00:10:01.333
<v James Munns>like bridges, a lot of

352
00:10:01.333 --> 00:10:01.708
mechanical,

353
00:10:01.833 --> 00:10:03.208
electrical, chemical engineering.

354
00:10:03.583 --> 00:10:07.041
We haven't figured them out as much as we

355
00:10:07.041 --> 00:10:09.000
have other fields of engineering.

356
00:10:09.000 --> 00:10:11.541
And I think we will over time, but also

357
00:10:11.541 --> 00:10:12.875
software is just trickier.

358
00:10:12.875 --> 00:10:14.166
<v Amos Wenger>So it's not that we suck at it.

359
00:10:14.500 --> 00:10:15.458
It's just harder.

360
00:10:15.458 --> 00:10:16.416
Yeah, I see.

361
00:10:16.416 --> 00:10:18.125
Yeah, that makes me feel good somehow.

362
00:10:18.708 --> 00:10:19.625
It's a good podcast.

363
00:10:19.875 --> 00:10:20.416
I like it.

364
00:10:20.416 --> 00:10:21.375
<v James Munns>And the other thing is there's no one

365
00:10:21.375 --> 00:10:22.250
size fits all approach.

366
00:10:22.583 --> 00:10:24.541
Like safe means different

367
00:10:24.541 --> 00:10:26.000
things in different contexts.

368
00:10:26.333 --> 00:10:28.958
What you'd put in an airplane, there

369
00:10:28.958 --> 00:10:30.500
might be different levels of like, hey,

370
00:10:30.500 --> 00:10:32.458
this is what keeps the airplane in the

371
00:10:32.458 --> 00:10:34.416
air versus, hey, it would be really

372
00:10:34.416 --> 00:10:36.333
annoying and distracting if this failed,

373
00:10:36.333 --> 00:10:37.500
but it's not going to like

374
00:10:37.500 --> 00:10:40.125
ruin anyone's day kind of thing.

375
00:10:40.333 --> 00:10:42.583
So like, it really depends on what you're

376
00:10:42.583 --> 00:10:44.375
doing, the industry or even like the

377
00:10:44.375 --> 00:10:46.625
country that you're in and like how

378
00:10:46.625 --> 00:10:47.916
you're going to use the thing.

379
00:10:47.916 --> 00:10:49.791
So you can't just be like, I wrote a safe

380
00:10:49.791 --> 00:10:52.208
operating system scheduler, like because

381
00:10:52.208 --> 00:10:55.125
safe is a property, like it gets too

382
00:10:55.125 --> 00:10:56.208
crushed down to just

383
00:10:56.208 --> 00:10:57.875
one word of safe or not.

384
00:10:57.875 --> 00:10:59.958
<v Amos Wenger>And I would imagine that there's a cost

385
00:10:59.958 --> 00:11:01.500
aspect to all this that we

386
00:11:01.500 --> 00:11:02.708
probably hate to think about.

387
00:11:02.708 --> 00:11:04.375
But let's say you're one of several

388
00:11:04.375 --> 00:11:06.166
companies offering something, you have to

389
00:11:06.166 --> 00:11:07.458
win the contract, right?

390
00:11:07.958 --> 00:11:08.500
I would imagine.

391
00:11:09.000 --> 00:11:11.250
So if you go too far at the end, we made

392
00:11:11.250 --> 00:11:12.958
everything 3x what it needs

393
00:11:12.958 --> 00:11:14.416
to be, then it's too expensive.

394
00:11:14.416 --> 00:11:15.708
And then your thing never

395
00:11:15.708 --> 00:11:16.583
even gets on the market.

396
00:11:16.875 --> 00:11:18.250
Is that realistic at all?

397
00:11:18.666 --> 00:11:19.083
<v James Munns>Exactly.

398
00:11:19.333 --> 00:11:19.708
For sure.

399
00:11:19.916 --> 00:11:21.375
Like there's material engineering that

400
00:11:21.375 --> 00:11:22.750
goes into bolts and stuff like that.

401
00:11:22.750 --> 00:11:24.875
And then like, how large or heavy they

402
00:11:24.875 --> 00:11:26.583
are is important and stuff like that.

403
00:11:26.583 --> 00:11:28.458
So you could have big chunky, you know,

404
00:11:28.833 --> 00:11:30.625
30 centimeter thick bolts for everything,

405
00:11:30.625 --> 00:11:31.916
but then the bridge won't

406
00:11:31.916 --> 00:11:33.083
work because it's too heavy.

407
00:11:33.083 --> 00:11:34.666
And the same way, like with software, you

408
00:11:34.666 --> 00:11:36.083
could spend five years

409
00:11:36.083 --> 00:11:37.208
shipping a component.

410
00:11:37.500 --> 00:11:40.041
But if the people don't care, like if

411
00:11:40.041 --> 00:11:41.458
you're not doing it for that level of

412
00:11:41.458 --> 00:11:43.500
criticality, it's a lot of

413
00:11:43.500 --> 00:11:44.958
extra work and formalism.

414
00:11:45.250 --> 00:11:46.666
Like you could be doing 20 other things.

415
00:11:46.875 --> 00:11:48.000
<v Amos Wenger>You could write a web app in Rust.

416
00:11:48.333 --> 00:11:48.708
Yeah.

417
00:11:48.791 --> 00:11:50.250
<v James Munns>Yeah, exactly.

418
00:11:50.416 --> 00:11:51.916
<v Amos Wenger>That's what I spent five years doing.

419
00:11:51.916 --> 00:11:52.791
It's working.

420
00:11:53.416 --> 00:11:54.416
<v James Munns>Hey, it's research.

421
00:11:54.416 --> 00:11:55.333
With research, you know,

422
00:11:55.333 --> 00:11:57.000
there's no, yeah, no whatever.

423
00:11:57.291 --> 00:11:59.125
This is more... integration is not the right

424
00:11:59.125 --> 00:12:01.083
word... practical application, applied

425
00:12:01.083 --> 00:12:02.458
research kind of stuff.

426
00:12:02.833 --> 00:12:05.041
<v Amos Wenger>It's just if you don't get money out of

427
00:12:05.041 --> 00:12:06.916
it, just start a podcast about it.

428
00:12:08.083 --> 00:12:08.666
That's not true.

429
00:12:08.916 --> 00:12:09.750
I get money about it.

430
00:12:09.750 --> 00:12:11.541
<v James Munns>There's a whole area of research that I

431
00:12:11.541 --> 00:12:13.041
think is interesting, which is research

432
00:12:13.041 --> 00:12:14.500
in the open for content, which is

433
00:12:14.500 --> 00:12:15.666
basically what we're doing.

434
00:12:16.000 --> 00:12:17.666
But that's a story for another day.

435
00:12:17.916 --> 00:12:20.416
<v Amos Wenger>I mean, it could feel better doing it for

436
00:12:20.416 --> 00:12:23.333
content is not a sentence I like to hear,

437
00:12:23.333 --> 00:12:24.041
but we're not like

438
00:12:24.041 --> 00:12:25.708
doing pranks or something.

439
00:12:26.166 --> 00:12:27.250
We're just, well, okay.

440
00:12:27.541 --> 00:12:28.208
Some of my Rust

441
00:12:28.208 --> 00:12:29.416
projects, maybe, I don't know.

442
00:12:29.416 --> 00:12:30.041
Well, merde is dead.

443
00:12:30.375 --> 00:12:30.833
<v James Munns>Yeah.

444
00:12:30.833 --> 00:12:31.666
I mean, there's something to be said

445
00:12:31.666 --> 00:12:32.750
about like, you're always

446
00:12:32.750 --> 00:12:34.250
doing research for someone.

447
00:12:34.625 --> 00:12:37.291
Doing research with the goal of making it

448
00:12:37.291 --> 00:12:39.875
understandable and entertaining is one

449
00:12:39.875 --> 00:12:40.958
way... it's an

450
00:12:40.958 --> 00:12:42.166
alternative to writing grants.

451
00:12:42.458 --> 00:12:43.083
You know what I mean?

452
00:12:43.083 --> 00:12:44.500
Like the alternative is convincing a

453
00:12:44.500 --> 00:12:46.041
company that it's in their R&D

454
00:12:46.041 --> 00:12:47.583
interest to do that.

455
00:12:47.583 --> 00:12:49.625
Whereas like, if someone's learning

456
00:12:49.666 --> 00:12:52.166
metallurgy and has a YouTube channel

457
00:12:52.166 --> 00:12:54.125
about it and they're doing research and

458
00:12:54.125 --> 00:12:55.333
they're publishing the results and things

459
00:12:55.333 --> 00:12:56.666
like that, but the way that they get paid

460
00:12:56.666 --> 00:12:58.833
is not by a company paying them to do

461
00:12:58.833 --> 00:13:00.208
that research, but just because the

462
00:13:00.208 --> 00:13:01.541
research that they're presenting is

463
00:13:01.541 --> 00:13:03.708
entertaining enough for people to follow,

464
00:13:04.000 --> 00:13:05.083
like the folks that listen to this

465
00:13:05.083 --> 00:13:08.208
podcast, then it's interesting to me.

466
00:13:08.208 --> 00:13:09.375
I don't know if it would apply to all

467
00:13:09.375 --> 00:13:11.166
fields, but I do think it is like, you

468
00:13:11.166 --> 00:13:13.000
know, that or folks who like run museums

469
00:13:13.000 --> 00:13:13.958
and stuff like that.

470
00:13:14.208 --> 00:13:16.333
And they appeal to a wider audience by

471
00:13:16.333 --> 00:13:17.958
putting stuff online where they can

472
00:13:17.958 --> 00:13:19.708
increase their audience and get funding

473
00:13:19.708 --> 00:13:21.500
for like a regional museum that would

474
00:13:21.500 --> 00:13:24.291
never have that many people's eyes on

475
00:13:24.291 --> 00:13:25.791
whatever their museum is building.

476
00:13:25.791 --> 00:13:26.250
You know what I mean?

477
00:13:26.458 --> 00:13:28.583
<v Amos Wenger>I think you're right on as to the

478
00:13:28.583 --> 00:13:30.583
benefits we get from this work being

479
00:13:30.583 --> 00:13:33.000
public, but for me, I think it's also a

480
00:13:33.000 --> 00:13:34.750
way for the both of us to find ourselves

481
00:13:34.750 --> 00:13:36.416
in a call and discuss things.

482
00:13:36.416 --> 00:13:38.416
And I think facet has been shaped by

483
00:13:38.416 --> 00:13:40.375
season one of SDR when we talked about

484
00:13:40.375 --> 00:13:42.083
serializers and I was like, how much can

485
00:13:42.083 --> 00:13:43.125
we do with declarative macros?

486
00:13:43.416 --> 00:13:44.250
And then I was like, wait a minute, we

487
00:13:44.250 --> 00:13:45.291
don't need declarative macros.

488
00:13:45.291 --> 00:13:45.583
And we were like, what

489
00:13:45.583 --> 00:13:46.916
about stack based stuff?

490
00:13:46.916 --> 00:13:48.541
And now I'm like in Facet, I want every

491
00:13:48.541 --> 00:13:50.125
serializer and deserializer to be

492
00:13:50.125 --> 00:13:51.708
iterative and not recursive.

493
00:13:52.000 --> 00:13:52.833
Because why blow up the

494
00:13:52.833 --> 00:13:53.875
stack if you don't need it?

495
00:13:53.875 --> 00:13:54.833
You can make your own stack.

496
00:13:54.833 --> 00:13:55.125
It's fine.

497
00:13:55.333 --> 00:13:55.875
We need to focus.

498
00:13:57.000 --> 00:13:58.041
Back to the topic.

499
00:13:58.041 --> 00:13:59.666
<v James Munns>Ok. So, the term that you're going to hear in

500
00:13:59.666 --> 00:14:01.375
a bunch of this, it's not the like

501
00:14:01.375 --> 00:14:03.583
concrete definition, but you'll hear the

502
00:14:03.583 --> 00:14:04.791
term functional safety.

503
00:14:05.583 --> 00:14:08.333
And most industries, their approach to

504
00:14:08.333 --> 00:14:09.958
safety critical is based around the

505
00:14:09.958 --> 00:14:11.583
concept of functional safety.

506
00:14:11.833 --> 00:14:13.500
And functional safety is too broad for me

507
00:14:13.500 --> 00:14:16.000
to go into a definition or where it comes

508
00:14:16.000 --> 00:14:17.166
from or anything like that.

509
00:14:17.166 --> 00:14:18.250
But I'm going to pull out the parts that

510
00:14:18.250 --> 00:14:20.958
I think are most core to the whole

511
00:14:20.958 --> 00:14:22.208
concept, because we only

512
00:14:22.208 --> 00:14:23.416
have so many minutes here.

513
00:14:23.416 --> 00:14:24.541
<v Amos Wenger>Is it basically checklists,

514
00:14:24.875 --> 00:14:25.916
like surgeons have checklists?

515
00:14:26.416 --> 00:14:26.875
<v James Munns>We'll get there.

516
00:14:27.083 --> 00:14:27.875
<v Amos Wenger>Ok.

517
00:14:27.875 --> 00:14:29.291
<v James Munns>So the first principle is that

518
00:14:29.291 --> 00:14:30.958
failure is statistical.

519
00:14:31.291 --> 00:14:33.166
Everything can fail, there is no such

520
00:14:33.166 --> 00:14:35.916
thing as a perfect component to some

521
00:14:35.916 --> 00:14:38.625
level of within 1 million hours, this

522
00:14:38.625 --> 00:14:39.416
many percent will

523
00:14:39.416 --> 00:14:40.875
fail or things like that.

524
00:14:40.875 --> 00:14:42.791
All failure is statistical, like any

525
00:14:42.791 --> 00:14:45.000
single component, whether we're talking

526
00:14:45.000 --> 00:14:47.500
about a bolt or a spring or a line of

527
00:14:47.500 --> 00:14:50.166
code or resistor on a circuit board, or

528
00:14:50.166 --> 00:14:51.041
the humans that are

529
00:14:51.041 --> 00:14:52.958
reviewing all of those things.

530
00:14:53.541 --> 00:14:56.166
Everything can fail and will fail.

531
00:14:56.166 --> 00:14:57.458
There is no perfect

532
00:14:57.458 --> 00:15:00.000
infallible fail 0% component.

533
00:15:00.416 --> 00:15:03.000
<v Amos Wenger>What's the company that publishes numbers

534
00:15:03.000 --> 00:15:04.833
for hard drive failures?

535
00:15:05.125 --> 00:15:05.583
Backblaze.

536
00:15:05.916 --> 00:15:06.416
Backblaze.

537
00:15:06.666 --> 00:15:07.333
Yeah, it's a fun read.

538
00:15:07.541 --> 00:15:09.750
<v James Munns>Yeah, you go, ah, well, I will have fail

539
00:15:09.750 --> 00:15:12.250
safes, like I'll have a fuse, even fuses

540
00:15:12.250 --> 00:15:14.416
fail at some point, we designed them so

541
00:15:14.416 --> 00:15:15.541
they fail very rarely.

542
00:15:15.833 --> 00:15:17.750
But even some fuses can fail in a way

543
00:15:17.750 --> 00:15:18.541
where they don't

544
00:15:18.541 --> 00:15:20.458
actually break the circuit.

545
00:15:20.458 --> 00:15:22.416
And so they keep doing that or they have

546
00:15:22.416 --> 00:15:23.625
an arc across them or

547
00:15:23.625 --> 00:15:24.333
something like that.

548
00:15:24.333 --> 00:15:25.583
<v Amos Wenger>For the people who don't know

549
00:15:25.583 --> 00:15:27.541
any electronics at all, right?

550
00:15:27.541 --> 00:15:28.291
Any electricity stuff

551
00:15:28.375 --> 00:15:28.708
<v James Munns>Yeah.

552
00:15:28.708 --> 00:15:30.958
So normally you have a fuse, which

553
00:15:30.958 --> 00:15:33.291
usually is in most cases, like a little

554
00:15:33.291 --> 00:15:35.375
barrel looking thing that just has a very

555
00:15:35.375 --> 00:15:37.333
thin chunk of wire in it.

556
00:15:37.750 --> 00:15:39.583
And when you put too much power through

557
00:15:39.583 --> 00:15:43.541
that wire, it melts and it breaks or, you

558
00:15:43.541 --> 00:15:44.041
know, there's a lot of

559
00:15:44.041 --> 00:15:45.416
different ways you can build fuses.

560
00:15:45.416 --> 00:15:47.083
But the idea is that if you have some

561
00:15:47.083 --> 00:15:49.708
problem, like a short circuit where power

562
00:15:49.708 --> 00:15:51.583
is flowing in a way that it shouldn't,

563
00:15:51.583 --> 00:15:53.958
instead of burning the component up or

564
00:15:53.958 --> 00:15:55.875
even burning your house up, you have one

565
00:15:55.875 --> 00:15:58.458
component that fails above some limit.

566
00:15:58.458 --> 00:16:00.541
<v Amos Wenger>Because it's designed to fail at a

567
00:16:00.541 --> 00:16:02.416
certain level, because like the wire is a

568
00:16:02.416 --> 00:16:04.250
certain length, a certain diameter, more

569
00:16:04.250 --> 00:16:05.416
importantly in certain

570
00:16:05.416 --> 00:16:07.166
material and whatnot.

571
00:16:07.166 --> 00:16:08.666
Is there gas in like the chamber?

572
00:16:08.958 --> 00:16:09.333
<v James Munns>It depends.

573
00:16:09.708 --> 00:16:11.708
So some of them are just like in a glass

574
00:16:11.708 --> 00:16:13.916
tube so that when it melts, there's

575
00:16:13.916 --> 00:16:15.000
nothing there to like

576
00:16:15.000 --> 00:16:16.666
continue completing the circuit.

577
00:16:17.208 --> 00:16:19.083
For the higher rated ones, they put like

578
00:16:19.083 --> 00:16:21.958
sand in them so that the metal because

579
00:16:21.958 --> 00:16:24.250
like one failure mode of fuses is if they

580
00:16:24.250 --> 00:16:26.208
fail explosively, you

581
00:16:26.208 --> 00:16:27.541
can vaporize the metal.

582
00:16:27.541 --> 00:16:29.000
And what it does is it deposits all that

583
00:16:29.041 --> 00:16:31.083
metal on the glass tube and the glass

584
00:16:31.083 --> 00:16:32.708
tube keeps conducting electricity.

585
00:16:33.208 --> 00:16:36.125
So the higher rated ones will put sand in

586
00:16:36.125 --> 00:16:38.166
there so that when the fuse breaks, the

587
00:16:38.166 --> 00:16:39.875
sand fills in the gaps and it won't

588
00:16:39.875 --> 00:16:41.916
conduct. For the really high voltage ones

589
00:16:41.916 --> 00:16:43.833
like the ones on power lines, they

590
00:16:43.833 --> 00:16:45.875
actually have explosives that go off.

591
00:16:46.166 --> 00:16:48.166
So it throws the wires apart from each

592
00:16:48.166 --> 00:16:50.375
other so that they can't continue arcing

593
00:16:50.375 --> 00:16:51.125
and things like that.

594
00:16:51.125 --> 00:16:52.958
So this is exactly that layer of like--

595
00:16:52.958 --> 00:16:53.583
<v Amos Wenger>That's amazing

596
00:16:53.583 --> 00:16:55.000
<v James Munns>depending on how important it is.

597
00:16:55.041 --> 00:16:56.666
You might even design a

598
00:16:56.666 --> 00:16:58.375
fuse in very different ways.

599
00:16:58.916 --> 00:16:59.083
<v Amos Wenger>Right.

600
00:16:59.291 --> 00:17:00.000
<v James Munns>The important part is

601
00:17:00.000 --> 00:17:01.000
that everything can fail.

602
00:17:01.250 --> 00:17:03.208
And we're just talking about how do we

603
00:17:03.208 --> 00:17:06.416
make things fail less often, because we

604
00:17:06.416 --> 00:17:08.083
admit that it can never be zero.

605
00:17:08.500 --> 00:17:10.458
So how do we say one of them

606
00:17:10.458 --> 00:17:12.208
fails every thousand hours?

607
00:17:12.500 --> 00:17:14.500
How do we take that to how does it fail

608
00:17:14.500 --> 00:17:15.833
every million hours

609
00:17:15.833 --> 00:17:17.291
or something like that?

610
00:17:17.291 --> 00:17:19.625
We're reducing the leading

611
00:17:19.625 --> 00:17:21.541
zeros in the failure rate.

612
00:17:21.833 --> 00:17:24.125
<v Amos Wenger>And like before, you have to

613
00:17:24.125 --> 00:17:24.875
take the whole system

614
00:17:24.875 --> 00:17:25.666
into account, right?

615
00:17:25.666 --> 00:17:26.333
Because it's the

616
00:17:26.333 --> 00:17:27.791
weakest link kind of deal.

617
00:17:28.458 --> 00:17:28.625
<v James Munns>Exactly.

618
00:17:28.875 --> 00:17:29.958
Because systems are made out of

619
00:17:29.958 --> 00:17:32.250
components and every component can fail.

620
00:17:32.500 --> 00:17:35.791
And no system can fail less often than

621
00:17:35.791 --> 00:17:37.333
how often its components fail.

622
00:17:37.666 --> 00:17:40.375
Like a bolt that we were saying, we can't

623
00:17:40.375 --> 00:17:43.083
say the bridge lasts longer than the

624
00:17:43.083 --> 00:17:46.041
bolts are with some caveats of if there's

625
00:17:46.041 --> 00:17:48.041
redundancy or things like that.

626
00:17:48.041 --> 00:17:50.166
But in general, you can't have a system

627
00:17:50.250 --> 00:17:53.250
that's markedly failing less often than

628
00:17:53.250 --> 00:17:54.583
the components that make it up.

629
00:17:54.833 --> 00:17:55.000
<v Amos Wenger>Yeah.

630
00:17:55.291 --> 00:17:57.208
Speaking of bridges and maintaining them,

631
00:17:57.583 --> 00:18:00.041
I was watching the XKCD

632
00:18:00.041 --> 00:18:01.500
"What If?" they have video series.

633
00:18:02.208 --> 00:18:04.625
And one of the what ifs was

634
00:18:04.625 --> 00:18:06.916
what if the sun went dark?

635
00:18:07.500 --> 00:18:08.541
And mostly people are like,

636
00:18:08.541 --> 00:18:09.791
well, we would all freeze and die.

637
00:18:10.208 --> 00:18:12.791
But here they had like nine upsides to

638
00:18:12.791 --> 00:18:14.750
the sun going out like no time zones.

639
00:18:15.000 --> 00:18:15.750
So you can just do business.

640
00:18:16.208 --> 00:18:17.416
You know, everyone is on

641
00:18:17.416 --> 00:18:18.458
a coordinated time zone.

642
00:18:18.666 --> 00:18:19.375
Everyone's on UTC.

643
00:18:19.708 --> 00:18:21.791
And one I didn't see coming is you don't

644
00:18:21.791 --> 00:18:23.333
need to maintain bridges anymore, because

645
00:18:23.333 --> 00:18:24.333
the oceans are frozen.

646
00:18:24.666 --> 00:18:25.625
So you just lay down

647
00:18:25.625 --> 00:18:27.250
road on it and just cross.

648
00:18:27.500 --> 00:18:28.958
<v James Munns>Everyone just gets spiked tires.

649
00:18:28.958 --> 00:18:29.208
<v Amos Wenger>Exactly.

650
00:18:29.583 --> 00:18:31.208
<v James Munns>And since we are talking about safety

651
00:18:31.208 --> 00:18:32.416
critical, because all these things that

652
00:18:32.416 --> 00:18:33.958
I'm saying so far are true everywhere,

653
00:18:34.166 --> 00:18:35.416
like you do this in all engineering.

654
00:18:35.833 --> 00:18:36.791
Hey, how do we make sure our washing

655
00:18:36.791 --> 00:18:39.000
machine lasts five years or 10 years or

656
00:18:39.000 --> 00:18:39.708
something like that?

657
00:18:39.708 --> 00:18:40.333
You've got to think

658
00:18:40.333 --> 00:18:41.541
about, hey, what can fail?

659
00:18:41.541 --> 00:18:42.666
Like what goes wrong on that?

660
00:18:42.916 --> 00:18:44.000
But the difference with safety critical

661
00:18:44.000 --> 00:18:45.541
is that failure has a

662
00:18:45.541 --> 00:18:46.916
very specific price.

663
00:18:47.916 --> 00:18:50.375
And in safety critical, those prices are

664
00:18:50.375 --> 00:18:52.208
deaths, injuries and

665
00:18:52.208 --> 00:18:54.291
financial damage in that order.

666
00:18:54.583 --> 00:18:55.708
And we say that deaths are

667
00:18:55.708 --> 00:18:56.708
more important than injuries.

668
00:18:57.125 --> 00:18:58.333
Injuries are more important than

669
00:18:58.333 --> 00:19:00.083
financial and financial is something like

670
00:19:00.083 --> 00:19:01.333
property damage or equipment

671
00:19:01.333 --> 00:19:02.750
damage or anything like that.

672
00:19:02.750 --> 00:19:04.583
But we really have to say like, no,

673
00:19:04.583 --> 00:19:05.541
really, if stuff goes

674
00:19:05.541 --> 00:19:07.583
wrong, people could die.

675
00:19:07.583 --> 00:19:09.416
<v Amos Wenger>Yeah, but thanks to some lawyer, you can

676
00:19:09.416 --> 00:19:10.458
put a number on that as well.

677
00:19:10.791 --> 00:19:11.416
I forget his name.

678
00:19:11.958 --> 00:19:14.083
<v James Munns>You can, I mean, whether you put a number

679
00:19:14.083 --> 00:19:15.958
on it or not, like those are the stakes

680
00:19:15.958 --> 00:19:17.416
that we're working with here.

681
00:19:17.625 --> 00:19:19.583
<v Amos Wenger>I agree with the order for that matter.

682
00:19:19.583 --> 00:19:19.958
Yeah, yeah.

683
00:19:20.250 --> 00:19:20.833
<v James Munns>Yeah.

684
00:19:21.041 --> 00:19:24.166
So because there's those tiers to those,

685
00:19:24.708 --> 00:19:27.250
there's different levels of diligence

686
00:19:27.250 --> 00:19:28.833
that you might do where you go, look, if

687
00:19:28.833 --> 00:19:31.208
this piece of software is life or death

688
00:19:31.208 --> 00:19:33.041
for someone, we're going to put a lot

689
00:19:33.041 --> 00:19:34.916
more effort into it because we know like

690
00:19:34.916 --> 00:19:37.000
how serious the stakes are versus like

691
00:19:37.000 --> 00:19:38.833
you were saying that might be doing that

692
00:19:38.833 --> 00:19:40.083
for something that's just an

693
00:19:40.083 --> 00:19:41.833
inconvenience for someone or you go, oh,

694
00:19:41.833 --> 00:19:42.708
it might burn out a motor.

695
00:19:43.125 --> 00:19:45.250
And that's annoying, but whatever.

696
00:19:45.666 --> 00:19:47.583
Like you might put a different level of

697
00:19:47.583 --> 00:19:49.583
diligence on that, whether that's like

698
00:19:49.583 --> 00:19:51.291
what you do because you're doing your

699
00:19:51.291 --> 00:19:52.958
best or like what you're legally required

700
00:19:52.958 --> 00:19:54.791
to do before you sell that thing.

701
00:19:55.208 --> 00:19:56.666
<v Amos Wenger>I have two things to say.

702
00:19:56.666 --> 00:19:57.208
I cannot stop

703
00:19:57.208 --> 00:19:58.416
interrupting you, James, today.

704
00:19:58.416 --> 00:19:59.666
I'm just it's been a while.

705
00:19:59.916 --> 00:20:00.458
I've missed you.

706
00:20:00.458 --> 00:20:02.666
<v James Munns>I've missed you too.

707
00:20:02.666 --> 00:20:03.333
It's not a monologue.

708
00:20:03.375 --> 00:20:04.458
It's a dialogue.

709
00:20:04.750 --> 00:20:05.083
<v Amos Wenger>It is.

710
00:20:05.416 --> 00:20:06.583
So the first thing I wanted to say is

711
00:20:06.583 --> 00:20:08.375
that one of my favorite podcasts is,

712
00:20:08.375 --> 00:20:09.333
"Well, there's your problem."

713
00:20:09.708 --> 00:20:10.875
And if you're interested in engineering

714
00:20:10.875 --> 00:20:13.291
disasters and very, very long discussions

715
00:20:13.291 --> 00:20:15.000
with slides, we stole that from them.

716
00:20:15.291 --> 00:20:16.833
So thanks for the, thanks for the idea.

717
00:20:17.375 --> 00:20:18.958
You should listen to "Well,

718
00:20:19.083 --> 00:20:20.500
that's your problem" podcast.

719
00:20:21.458 --> 00:20:23.000
WYTG, whatever.

720
00:20:23.333 --> 00:20:23.708
You get it.

721
00:20:23.875 --> 00:20:25.583
And the second thing I wanted to say is,

722
00:20:25.791 --> 00:20:28.000
is it true that planes used to have more

723
00:20:28.000 --> 00:20:30.208
engines because we didn't know how to

724
00:20:30.208 --> 00:20:31.666
make them more reliable, but now they

725
00:20:31.666 --> 00:20:33.625
only have two because even if one fails,

726
00:20:33.625 --> 00:20:35.750
it can flow like you can fly with one.

727
00:20:35.958 --> 00:20:36.958
Where did I hear that?

728
00:20:37.375 --> 00:20:39.458
<v James Munns>Yes, I might've mentioned it, but I mean,

729
00:20:39.458 --> 00:20:42.000
there's a standard called ETOPS, which I

730
00:20:42.000 --> 00:20:42.875
can't even remember

731
00:20:42.875 --> 00:20:44.833
what the actual acronym is.

732
00:20:44.833 --> 00:20:47.458
It's like enhanced something, something,

733
00:20:47.458 --> 00:20:48.958
but the joking name is

734
00:20:48.958 --> 00:20:51.083
engines turn or passengers swim.

735
00:20:51.541 --> 00:20:53.208
Because this is the

736
00:20:53.208 --> 00:20:54.416
standard that you have to follow.

737
00:20:54.416 --> 00:20:56.125
Because when you're flying like over the

738
00:20:56.166 --> 00:20:58.625
ocean, where if something goes wrong, you

739
00:20:58.625 --> 00:21:00.375
can't turn around and quickly

740
00:21:00.375 --> 00:21:01.541
land at the closest airport.

741
00:21:01.791 --> 00:21:03.708
You're like three, four, five hours.

742
00:21:03.958 --> 00:21:06.291
And ETOPS is usually rated by how far you

743
00:21:06.291 --> 00:21:08.041
are from the nearest airport.

744
00:21:08.583 --> 00:21:10.125
And like you're saying, back in the day,

745
00:21:10.125 --> 00:21:12.833
we used to say for ETOPS type stuff, or

746
00:21:12.833 --> 00:21:15.000
for long range flights like that, you

747
00:21:15.000 --> 00:21:18.166
wanted at least three engines or ideally

748
00:21:18.166 --> 00:21:20.125
four so that if one or two of them

749
00:21:20.125 --> 00:21:21.041
failed, you could keep

750
00:21:21.041 --> 00:21:22.250
going into your destination.

751
00:21:22.666 --> 00:21:24.375
But now we're at the point where both

752
00:21:24.375 --> 00:21:26.000
engines have gotten more reliable and

753
00:21:26.000 --> 00:21:27.166
engines have gotten more powerful.

754
00:21:27.791 --> 00:21:30.041
So your typical two engine plane can

755
00:21:30.041 --> 00:21:32.250
actually take off with just one engine.

756
00:21:32.250 --> 00:21:33.916
And so we've said that they are now high

757
00:21:33.916 --> 00:21:36.750
enough reliability that the chances of

758
00:21:36.750 --> 00:21:38.666
two of them failing at the same time is

759
00:21:38.666 --> 00:21:41.125
low enough that we can now have planes

760
00:21:41.125 --> 00:21:42.791
that are allowed to go over long

761
00:21:42.791 --> 00:21:45.125
distances that only have two engines.

762
00:21:45.625 --> 00:21:47.041
But yeah, it's exactly this kind of like,

763
00:21:47.041 --> 00:21:48.791
we figured out how to do it better and

764
00:21:48.791 --> 00:21:50.416
the failure rate is low enough where it's

765
00:21:50.416 --> 00:21:53.291
now an acceptable risk for the gain that

766
00:21:53.291 --> 00:21:54.791
it is not having four engines.

767
00:21:55.125 --> 00:21:56.583
<v Amos Wenger>Taking off with just one engine is

768
00:21:56.583 --> 00:21:58.375
breaking my brain because I'm still in

769
00:21:58.375 --> 00:21:59.708
game dev mode from when

770
00:21:59.708 --> 00:22:01.833
I was a little younger.

771
00:22:02.416 --> 00:22:05.041
And I like imagining one point where you

772
00:22:05.041 --> 00:22:07.166
apply force and the plane going, weeee,

773
00:22:07.166 --> 00:22:08.583
spinning around out of control.

774
00:22:08.875 --> 00:22:10.375
Does that mean that they choose the

775
00:22:10.375 --> 00:22:11.416
altitude of the plane?

776
00:22:11.416 --> 00:22:12.166
Like what if there's no

777
00:22:12.166 --> 00:22:14.166
airport within one hour flying?

778
00:22:14.541 --> 00:22:15.541
Or if you go over the

779
00:22:15.541 --> 00:22:16.375
desert or something?

780
00:22:16.833 --> 00:22:17.291
<v James Munns>What do you do?

781
00:22:17.583 --> 00:22:19.000
If you are flying that route, then you

782
00:22:19.000 --> 00:22:20.500
have to be in an aircraft

783
00:22:20.500 --> 00:22:21.916
that is rated for that.

784
00:22:21.916 --> 00:22:22.791
To land in the desert.

785
00:22:23.375 --> 00:22:25.000
Okay, if you're flying far enough from an

786
00:22:25.000 --> 00:22:26.333
airport, you have to have an aircraft

787
00:22:26.333 --> 00:22:28.500
that is rated to be able to handle like

788
00:22:28.500 --> 00:22:29.916
one engine out with no problem.

789
00:22:30.208 --> 00:22:31.708
If both your engines are out,

790
00:22:31.708 --> 00:22:33.250
<v Amos Wenger>Yeah, you need to crash land. Yeah, yeah.

791
00:22:33.250 --> 00:22:34.791
<v James Munns>Oh, well, you're done now.

792
00:22:34.791 --> 00:22:35.291
Like you will just

793
00:22:35.291 --> 00:22:36.541
land as best as you can.

794
00:22:36.541 --> 00:22:37.625
There's no real rating for that.

795
00:22:39.458 --> 00:22:40.791
The point that we're at is like

796
00:22:40.791 --> 00:22:42.666
statistically, the chances of both

797
00:22:42.833 --> 00:22:46.041
engines going out is so like one in a

798
00:22:46.041 --> 00:22:49.083
million, one in a billion, that it's low

799
00:22:49.083 --> 00:22:50.875
enough to be palatable because this is

800
00:22:50.875 --> 00:22:51.916
that statistical thing.

801
00:22:51.916 --> 00:22:54.291
Like we admit no failure can go to zero.

802
00:22:54.916 --> 00:22:57.875
We just make sure that 9999 out of a

803
00:22:57.875 --> 00:22:59.500
million times it doesn't happen.

804
00:22:59.958 --> 00:23:02.000
<v Amos Wenger>I'm reminded of that time where someone

805
00:23:02.000 --> 00:23:03.833
close to me had a medical emergency in

806
00:23:03.833 --> 00:23:05.708
a plane and they were just flipping through

807
00:23:05.708 --> 00:23:07.750
pages like, okay, it's not that it's not

808
00:23:07.750 --> 00:23:09.666
that I was like, I'm gonna call the

809
00:23:09.666 --> 00:23:11.416
doctor on but I was like, yeah, so

810
00:23:11.416 --> 00:23:12.500
there's a doctor in every flight.

811
00:23:12.500 --> 00:23:13.541
And they're like, no, no, no, we just,

812
00:23:13.541 --> 00:23:14.583
you know, see if there's...

813
00:23:14.666 --> 00:23:15.833
<v James Munns>see if there happens to be a

814
00:23:15.833 --> 00:23:16.625
doctor on the flight.

815
00:23:16.875 --> 00:23:17.208
<v Amos Wenger>Yeah, exactly.

816
00:23:17.458 --> 00:23:19.708
Like in the movies, they're like, sir,

817
00:23:19.958 --> 00:23:20.958
there's a protocol, we're

818
00:23:20.958 --> 00:23:21.750
just following it.

819
00:23:22.208 --> 00:23:22.416
Okay.

820
00:23:24.083 --> 00:23:25.708
Death injuries, financial,

821
00:23:26.208 --> 00:23:28.208
are the three tiers of failures.

822
00:23:28.708 --> 00:23:29.250
No, the consequences.

823
00:23:29.541 --> 00:23:30.041
<v James Munns>Exactly.

824
00:23:30.250 --> 00:23:30.666
<v Amos Wenger>Yeah.

825
00:23:31.000 --> 00:23:31.666
<v James Munns>Simplified a bit.

826
00:23:31.666 --> 00:23:33.208
But yeah, those are the three things that

827
00:23:33.208 --> 00:23:34.958
we're usually thinking about.

828
00:23:35.250 --> 00:23:37.583
And when we know that failure is

829
00:23:37.583 --> 00:23:39.416
statistical, and when we know that

830
00:23:39.416 --> 00:23:42.250
there's a price to failure, now we have

831
00:23:42.250 --> 00:23:43.416
to reason about failure

832
00:23:43.416 --> 00:23:44.541
as an engineering problem.

833
00:23:44.791 --> 00:23:46.500
How do we decide what the acceptable

834
00:23:46.500 --> 00:23:48.833
limits for exactly that of like, how many

835
00:23:48.833 --> 00:23:50.333
one out of a million, one out of a

836
00:23:50.333 --> 00:23:52.208
billion cases do we allow?

837
00:23:52.458 --> 00:23:53.708
Because there's always going to be some

838
00:23:53.708 --> 00:23:55.666
because we say everything could fail.

839
00:23:55.666 --> 00:23:57.416
It's equally possible that all four of

840
00:23:57.416 --> 00:23:58.375
those engines just go

841
00:23:58.375 --> 00:23:59.708
off at the same time.

842
00:23:59.708 --> 00:24:01.958
Or it is possible that that could happen.

843
00:24:02.208 --> 00:24:03.000
<v Amos Wenger>But there's not just one

844
00:24:03.000 --> 00:24:04.416
lever you can action, right?

845
00:24:04.416 --> 00:24:06.208
Because okay, you can have the fanciest

846
00:24:06.208 --> 00:24:08.916
pieces and the fanciest parts and make it

847
00:24:08.916 --> 00:24:09.958
as resilient as possible.

848
00:24:10.166 --> 00:24:11.416
But you also have like maintenance.

849
00:24:11.833 --> 00:24:13.750
So you can schedule maintenance at

850
00:24:13.750 --> 00:24:14.833
different intervals and

851
00:24:14.833 --> 00:24:16.791
<v James Munns>Yeah, and safety critical, like when

852
00:24:16.791 --> 00:24:18.083
you're talking about the safety of a

853
00:24:18.083 --> 00:24:20.041
system, all of that goes into it.

854
00:24:20.041 --> 00:24:20.916
That's why there's no like,

855
00:24:20.916 --> 00:24:22.666
this is a safe engine, right?

856
00:24:22.666 --> 00:24:25.083
It is a safe engine if it is integrated

857
00:24:25.083 --> 00:24:27.125
the way that it's supposed to be operated

858
00:24:27.125 --> 00:24:28.666
in the range that it's supposed to be

859
00:24:28.666 --> 00:24:29.541
maintained in the way

860
00:24:29.541 --> 00:24:30.708
that it is supposed to be.

861
00:24:30.708 --> 00:24:33.041
<v Amos Wenger>So if someone were to buy an airline and

862
00:24:33.041 --> 00:24:35.791
strip mine it, that would be very bad.

863
00:24:36.083 --> 00:24:36.625
<v James Munns>It would be.

864
00:24:36.791 --> 00:24:39.375
<v Amos Wenger>Good thing that never happens routinely.

865
00:24:39.500 --> 00:24:39.833
<v James Munns>Never ever.

866
00:24:40.125 --> 00:24:41.750
But the thing is like aviation is

867
00:24:41.750 --> 00:24:43.833
probably one of the safest industries

868
00:24:43.833 --> 00:24:45.666
because they are

869
00:24:45.666 --> 00:24:47.666
typically so strict about that.

870
00:24:47.666 --> 00:24:49.833
At least in the US, if the FAA doesn't

871
00:24:49.833 --> 00:24:51.708
like what you're doing, they have the

872
00:24:51.708 --> 00:24:53.291
power to just say, okay, you can't fly

873
00:24:53.291 --> 00:24:57.000
like both to like, a carrier like Boeing,

874
00:24:57.000 --> 00:24:58.875
they could just say, okay, you have 48

875
00:24:58.875 --> 00:25:01.333
hours to decommission all planes, and you

876
00:25:01.333 --> 00:25:02.791
can't take off with those planes again

877
00:25:02.791 --> 00:25:04.541
until that's resolved.

878
00:25:04.875 --> 00:25:05.875
Or like this airline

879
00:25:05.916 --> 00:25:06.875
hasn't kept maintenance.

880
00:25:07.125 --> 00:25:08.166
That airline is not allowed.

881
00:25:08.416 --> 00:25:10.750
Like they can end you like almost no

882
00:25:10.750 --> 00:25:12.666
other regulator can in the US.

883
00:25:13.000 --> 00:25:14.500
<v Amos Wenger>So you're talking about the time that the

884
00:25:14.500 --> 00:25:16.833
US still had airline traffic controllers.

885
00:25:17.333 --> 00:25:17.791
<v James Munns>Yeah.

886
00:25:18.000 --> 00:25:18.208
Yeah.

887
00:25:18.791 --> 00:25:19.166
Yeah.

888
00:25:19.166 --> 00:25:20.291
<v Amos Wenger>Sorry.

889
00:25:20.708 --> 00:25:21.458
<v James Munns>You're gonna make me sad.

890
00:25:22.666 --> 00:25:23.291
<v Amos Wenger>I know.

891
00:25:24.083 --> 00:25:24.583
It's true.

892
00:25:24.875 --> 00:25:25.416
<v James Munns>Let's talk about

893
00:25:25.416 --> 00:25:26.583
engineering for now at least.

894
00:25:26.875 --> 00:25:27.708
Because that's what I could still do

895
00:25:27.708 --> 00:25:28.833
something about engineering.

896
00:25:29.416 --> 00:25:29.583
Yeah.

897
00:25:30.041 --> 00:25:32.125
And so the whole point of this is to make

898
00:25:32.125 --> 00:25:33.958
engineering decisions about like, hey,

899
00:25:34.166 --> 00:25:36.250
what is our expected level of failure?

900
00:25:36.583 --> 00:25:38.750
How can we reason about that, decide

901
00:25:38.750 --> 00:25:40.833
whether that is reasonable or not set

902
00:25:40.833 --> 00:25:42.583
some standard about what is reasonable

903
00:25:42.583 --> 00:25:44.958
and not and then as often as possible,

904
00:25:45.250 --> 00:25:47.458
reduce that where we go, okay, if you are

905
00:25:47.458 --> 00:25:49.416
going to require this level of

906
00:25:49.416 --> 00:25:51.916
reliability, you have to be doing these

907
00:25:51.916 --> 00:25:53.666
things to keep that reliable.

908
00:25:54.583 --> 00:25:55.958
And at the end of the day, we're just

909
00:25:55.958 --> 00:25:58.541
trying to address risk the best way we

910
00:25:58.541 --> 00:25:59.708
know how because this

911
00:25:59.708 --> 00:26:01.458
isn't an ideal system.

912
00:26:02.166 --> 00:26:03.875
It's an engineering statistical system,

913
00:26:04.208 --> 00:26:05.625
which means there's no right answer.

914
00:26:05.916 --> 00:26:07.250
There is just the best

915
00:26:07.250 --> 00:26:09.083
way we know how to today.

916
00:26:09.375 --> 00:26:11.625
This is tailored industry to industry.

917
00:26:11.625 --> 00:26:13.291
Like what you do in automotive is very

918
00:26:13.291 --> 00:26:14.458
different than you do in avionics.

919
00:26:15.000 --> 00:26:16.291
Because if you have a problem with your

920
00:26:16.291 --> 00:26:18.000
engine in a car, you can pull over.

921
00:26:18.500 --> 00:26:19.458
And if you have a problem with your

922
00:26:19.458 --> 00:26:20.208
engine in an airplane,

923
00:26:20.666 --> 00:26:21.916
you can't pull over as easy.

924
00:26:22.250 --> 00:26:24.083
And if a plane crashes, there are

925
00:26:24.083 --> 00:26:26.541
hundreds of people on board versus if a

926
00:26:26.541 --> 00:26:29.000
car crashes, there are single digits

927
00:26:29.000 --> 00:26:31.125
often, or if it's a bus, maybe double

928
00:26:31.125 --> 00:26:33.125
digits, but much less than a plane.

929
00:26:33.458 --> 00:26:36.000
So the level at what you set certain

930
00:26:36.000 --> 00:26:37.666
thresholds is going to be different

931
00:26:37.666 --> 00:26:38.916
industry to industry.

932
00:26:39.333 --> 00:26:40.875
And also just the concerns that they have

933
00:26:40.875 --> 00:26:42.041
automotive has more

934
00:26:42.041 --> 00:26:43.375
parts for more vendors.

935
00:26:43.750 --> 00:26:45.166
So their safety standards takes into

936
00:26:45.166 --> 00:26:47.416
account how do you deal with having tons

937
00:26:47.416 --> 00:26:49.333
of different vendors for all the

938
00:26:49.375 --> 00:26:51.000
different pieces of the engine, whereas

939
00:26:51.000 --> 00:26:53.333
there are relatively fewer parts in a

940
00:26:53.333 --> 00:26:55.291
plane from a fewer number of suppliers

941
00:26:55.291 --> 00:26:56.416
and things like that.

942
00:26:56.708 --> 00:26:58.541
So these different industries will have

943
00:26:58.541 --> 00:27:01.083
customizations to this approach of

944
00:27:01.083 --> 00:27:02.166
functional safety that is

945
00:27:02.166 --> 00:27:04.291
more tuned to their industry.

946
00:27:04.291 --> 00:27:06.708
So that's why there's different standards

947
00:27:06.708 --> 00:27:08.541
for all of these industries.

948
00:27:08.875 --> 00:27:11.416
There's no one safety critical standard.

949
00:27:11.416 --> 00:27:15.250
They all borrow 95% of how you approach

950
00:27:15.250 --> 00:27:17.041
safety statistically, at least at the

951
00:27:17.041 --> 00:27:18.000
base layer like this.

952
00:27:18.000 --> 00:27:19.708
But what they expect you to do and

953
00:27:19.708 --> 00:27:22.166
functional safety is

954
00:27:22.166 --> 00:27:24.166
generally common to most of them.

955
00:27:24.500 --> 00:27:25.583
A lot of them actually just

956
00:27:25.583 --> 00:27:27.833
derive from the same standard.

957
00:27:28.125 --> 00:27:29.666
IEC 61508 is the

958
00:27:29.666 --> 00:27:31.000
definition of functional safety.

959
00:27:31.416 --> 00:27:32.958
It's typically used for industrial, but

960
00:27:32.958 --> 00:27:35.000
even automotive has a standard called ISO

961
00:27:35.000 --> 00:27:38.000
26262, which is basically like a themed

962
00:27:38.000 --> 00:27:40.541
version of 61508 for automotive.

963
00:27:40.916 --> 00:27:42.250
Aviation is a little different because it

964
00:27:42.250 --> 00:27:46.708
actually predates 61508, but 90% of what

965
00:27:46.708 --> 00:27:48.833
they ask for, the gist is the same.

966
00:27:48.833 --> 00:27:50.166
The forms they ask you to fill out are

967
00:27:50.166 --> 00:27:51.916
different, but the kind of things that

968
00:27:51.916 --> 00:27:52.791
they're asking you to check

969
00:27:52.791 --> 00:27:54.666
against are the same concerns.

970
00:27:55.416 --> 00:27:57.291
So as you can imagine, functional safety

971
00:27:57.291 --> 00:27:58.916
is very process oriented.

972
00:27:59.458 --> 00:28:01.083
It is all like you were saying, "Oh, how

973
00:28:01.083 --> 00:28:02.375
many forms do you have to fill out?"

974
00:28:02.375 --> 00:28:04.416
Or what kind of check boxes do you have?

975
00:28:04.416 --> 00:28:07.083
It is very, very process oriented because

976
00:28:07.083 --> 00:28:09.708
generally we've realized in engineering,

977
00:28:09.708 --> 00:28:11.416
this is the best way to get reliable

978
00:28:11.416 --> 00:28:13.250
results out when you have a reliable

979
00:28:13.291 --> 00:28:14.708
process of doing things.

980
00:28:15.000 --> 00:28:17.000
It has defined ways of saying what you're

981
00:28:17.000 --> 00:28:18.208
going to do and how

982
00:28:18.208 --> 00:28:19.041
you're going to do it.

983
00:28:19.041 --> 00:28:20.708
So you specify both what you're building

984
00:28:20.708 --> 00:28:22.625
and how you're going to build it.

985
00:28:22.625 --> 00:28:24.750
You make sure that you do what you say

986
00:28:24.750 --> 00:28:25.625
you are going to do.

987
00:28:25.875 --> 00:28:27.625
So you implement code and you implement

988
00:28:27.666 --> 00:28:29.750
process, and then you make sure that you

989
00:28:29.750 --> 00:28:30.708
did it the way that you

990
00:28:30.708 --> 00:28:31.875
said you were going to do it.

991
00:28:32.166 --> 00:28:33.958
So that if someone goes and checks the

992
00:28:33.958 --> 00:28:35.625
way that you're doing things, it actually

993
00:28:35.625 --> 00:28:38.125
matches reality of what you did.

994
00:28:38.125 --> 00:28:40.250
<v Amos Wenger>And that's like requirement tracking that

995
00:28:40.250 --> 00:28:41.208
you were talking about.

996
00:28:41.500 --> 00:28:41.750
Exactly.

997
00:28:42.166 --> 00:28:42.958
<v James Munns>In another episode.

998
00:28:42.958 --> 00:28:44.083
Yeah, we talked about traceability.

999
00:28:44.333 --> 00:28:46.250
And then verification is proving that you

1000
00:28:46.250 --> 00:28:47.875
did what you said you were going to do.

1001
00:28:47.875 --> 00:28:49.916
And in that episode where we talked about

1002
00:28:49.916 --> 00:28:52.875
traceability, that is one way that you

1003
00:28:52.875 --> 00:28:53.833
make sure that all of

1004
00:28:53.833 --> 00:28:55.083
that chain is unbroken.

1005
00:28:55.500 --> 00:28:56.833
That you make sure that if you ever

1006
00:28:56.833 --> 00:28:58.208
changed what you said you were going to

1007
00:28:58.208 --> 00:29:00.833
do, you also made sure that reality got

1008
00:29:00.833 --> 00:29:02.666
updated to match what

1009
00:29:02.666 --> 00:29:04.125
you were planning to do.

1010
00:29:04.500 --> 00:29:07.000
So traceability is one tool of making

1011
00:29:07.000 --> 00:29:07.958
sure these are all

1012
00:29:07.958 --> 00:29:09.541
connected top to bottom.

1013
00:29:09.875 --> 00:29:11.916
<v Amos Wenger>So how suited is functional safety to a

1014
00:29:11.916 --> 00:29:13.250
couple with trust issues?

1015
00:29:14.708 --> 00:29:15.708
<v James Munns>It may not be the most

1016
00:29:15.708 --> 00:29:17.375
effective use of your efforts.

1017
00:29:17.875 --> 00:29:20.333
I think there might be other things that

1018
00:29:20.333 --> 00:29:20.791
you could do that

1019
00:29:20.791 --> 00:29:21.541
would be more efficient.

1020
00:29:21.541 --> 00:29:22.750
<v Amos Wenger>It's a neurotypical couple.

1021
00:29:23.166 --> 00:29:24.708
So I need clear requirements from you.

1022
00:29:24.708 --> 00:29:25.500
Hey, communication.

1023
00:29:25.791 --> 00:29:26.541
Like what traceability

1024
00:29:26.541 --> 00:29:27.500
methods are you going to employ?

1025
00:29:27.708 --> 00:29:28.833
<v James Munns>This is kind of what I was getting into

1026
00:29:28.833 --> 00:29:30.333
with the traceability stuff too, though,

1027
00:29:30.333 --> 00:29:33.666
is like you can do 20 percent of the

1028
00:29:33.666 --> 00:29:35.000
formalism and get 80

1029
00:29:35.000 --> 00:29:35.833
percent of the value.

1030
00:29:36.166 --> 00:29:37.833
It's like having checklists and having

1031
00:29:37.833 --> 00:29:40.291
process and writing stuff down and making

1032
00:29:40.291 --> 00:29:41.000
sure that you keep that

1033
00:29:41.000 --> 00:29:43.000
up to date is a good thing.

1034
00:29:43.000 --> 00:29:44.250
And surprise, I'll get to

1035
00:29:44.250 --> 00:29:45.625
this where this pops out later.

1036
00:29:45.958 --> 00:29:47.000
And it's not your relationship.

1037
00:29:47.458 --> 00:29:50.458
But the point is to make a paper trail so

1038
00:29:50.458 --> 00:29:51.833
that we can figure out what you did.

1039
00:29:52.291 --> 00:29:55.041
And if we realize much later that, oh,

1040
00:29:55.041 --> 00:29:56.416
hey, there's something potentially wrong,

1041
00:29:56.750 --> 00:29:58.583
we can go back and figure out who is and

1042
00:29:58.583 --> 00:30:00.583
isn't affected, like who is following the

1043
00:30:00.583 --> 00:30:03.375
same assumptions and what is affected or

1044
00:30:03.375 --> 00:30:04.000
what isn't affected.

1045
00:30:04.291 --> 00:30:06.291
Or if you have multiple products and you

1046
00:30:06.291 --> 00:30:08.750
find a bug in one of them, we can go back

1047
00:30:08.750 --> 00:30:10.291
and figure out if all of these products

1048
00:30:10.291 --> 00:30:13.291
have that same like root cause or

1049
00:30:13.750 --> 00:30:15.916
commonality to them and things like that.

1050
00:30:16.375 --> 00:30:19.500
The real goal is to catch issues before

1051
00:30:19.500 --> 00:30:21.333
they become a failure, because if you

1052
00:30:21.333 --> 00:30:23.875
catch things before a crash happens,

1053
00:30:24.208 --> 00:30:26.708
that's a win like you caught it.

1054
00:30:26.708 --> 00:30:28.625
It got fixed, whether that was when you

1055
00:30:28.625 --> 00:30:30.750
were in development or after you shipped

1056
00:30:30.750 --> 00:30:32.875
before it went out, like even in those

1057
00:30:32.875 --> 00:30:34.500
cases where sometimes you'll have like,

1058
00:30:34.875 --> 00:30:36.791
oh, the engine went out,

1059
00:30:36.791 --> 00:30:38.125
but we managed to land back.

1060
00:30:38.375 --> 00:30:40.458
But then we were able to do analysis on

1061
00:30:40.458 --> 00:30:41.083
the engine and figure

1062
00:30:41.083 --> 00:30:42.291
out why it went wrong.

1063
00:30:42.833 --> 00:30:44.833
And then we can go back and go, oh, we

1064
00:30:44.833 --> 00:30:47.250
have the same issue in all of our process

1065
00:30:47.250 --> 00:30:48.750
or something like that and catch those

1066
00:30:48.750 --> 00:30:50.583
things before they fall through.

1067
00:30:50.875 --> 00:30:52.541
In safety critical, we talk about the

1068
00:30:52.541 --> 00:30:54.625
Swiss cheese model, where for something

1069
00:30:54.625 --> 00:30:57.083
to really fail, a lot of things have to

1070
00:30:57.083 --> 00:30:58.875
go wrong, because you're doing all of

1071
00:30:58.875 --> 00:30:59.666
these things to make sure

1072
00:30:59.666 --> 00:31:00.791
that you're doing things right.

1073
00:31:01.250 --> 00:31:02.541
And for something to really have to go

1074
00:31:02.541 --> 00:31:04.416
wrong, it had to be missed in

1075
00:31:04.416 --> 00:31:06.958
requirements, implementation, testing,

1076
00:31:07.416 --> 00:31:08.708
usage, no other fail

1077
00:31:08.708 --> 00:31:09.916
safe had to have caught it.

1078
00:31:10.125 --> 00:31:10.500
And so it's called

1079
00:31:10.500 --> 00:31:11.500
the Swiss cheese model.

1080
00:31:11.500 --> 00:31:13.375
It's because it's like stacking up pieces

1081
00:31:13.375 --> 00:31:14.875
of Swiss cheese with holes in it.

1082
00:31:14.875 --> 00:31:16.875
And for an actual failure to happen, you

1083
00:31:16.875 --> 00:31:18.125
have to be able to go all the way from

1084
00:31:18.125 --> 00:31:19.875
the top to touch the table.

1085
00:31:20.125 --> 00:31:21.916
So you're basically giving yourself the

1086
00:31:21.916 --> 00:31:24.500
most possibilities here to catch things

1087
00:31:24.500 --> 00:31:26.125
before it's actually a line

1088
00:31:26.125 --> 00:31:27.833
of holes in a stack of cheese.

1089
00:31:28.041 --> 00:31:31.083
<v Amos Wenger>So the amount of paperwork is by design.

1090
00:31:31.083 --> 00:31:33.250
It's like redundancy also in the process.

1091
00:31:33.750 --> 00:31:35.041
<v James Munns>The things you have to do

1092
00:31:35.041 --> 00:31:36.875
and why you do them are there.

1093
00:31:37.625 --> 00:31:39.166
How verbose it has to be and how much

1094
00:31:39.166 --> 00:31:41.375
knowledge you have to have to do it is

1095
00:31:41.375 --> 00:31:43.250
they haven't figured out a

1096
00:31:43.250 --> 00:31:44.666
more efficient way to do it.

1097
00:31:44.666 --> 00:31:45.125
You know what I mean?

1098
00:31:45.375 --> 00:31:47.916
Like the formalism is the most effective

1099
00:31:47.916 --> 00:31:49.666
way they've known how that

1100
00:31:49.666 --> 00:31:50.833
doesn't mean it's perfect.

1101
00:31:51.250 --> 00:31:53.041
But yeah, the gist is there.

1102
00:31:53.333 --> 00:31:55.750
<v Amos Wenger>In the case of like the plane had an

1103
00:31:55.750 --> 00:31:57.875
engine go out and it was able to recover

1104
00:31:57.875 --> 00:31:59.666
and still go all the way or something to

1105
00:31:59.666 --> 00:32:01.500
the destination, you would call that an

1106
00:32:01.500 --> 00:32:02.458
issue and not a failure.

1107
00:32:02.666 --> 00:32:04.250
Like this is just because I thought we

1108
00:32:04.250 --> 00:32:05.500
would catch issues and verification

1109
00:32:05.500 --> 00:32:06.541
because I'm naive and I

1110
00:32:06.541 --> 00:32:07.541
never worked in the industry.

1111
00:32:08.041 --> 00:32:10.625
<v James Munns>We said that a failure is a loss of life,

1112
00:32:11.125 --> 00:32:12.583
injuries or equipment.

1113
00:32:12.583 --> 00:32:13.916
So an engine failure is not a failure.

1114
00:32:13.916 --> 00:32:15.333
So that would have been a failure because

1115
00:32:15.333 --> 00:32:17.625
it caused damage to equipment, but we

1116
00:32:17.625 --> 00:32:19.125
would have treated it as a low.

1117
00:32:19.125 --> 00:32:20.875
But that's not a big deal.

1118
00:32:20.875 --> 00:32:22.416
Like it is a failure because the engine

1119
00:32:22.416 --> 00:32:23.625
went out and it is a failure.

1120
00:32:23.833 --> 00:32:25.333
And then we have to decide was that

1121
00:32:25.333 --> 00:32:26.833
engine going out just hey,

1122
00:32:26.833 --> 00:32:27.958
we said it's one in a million.

1123
00:32:28.458 --> 00:32:29.458
This was the one in a million.

1124
00:32:29.708 --> 00:32:30.166
You know, there was a

1125
00:32:30.166 --> 00:32:31.333
crack in the engine blade.

1126
00:32:31.750 --> 00:32:33.458
They just have a crack after a million

1127
00:32:33.458 --> 00:32:35.500
hours and it can happen.

1128
00:32:35.750 --> 00:32:39.375
<v Amos Wenger>I happen to have the IEC 61508

1129
00:32:39.375 --> 00:32:42.166
Wikipedia page open and they define some

1130
00:32:42.166 --> 00:32:43.541
words that are very fun.

1131
00:32:44.125 --> 00:32:45.708
Frequent is many times in lifetime.

1132
00:32:46.541 --> 00:32:48.541
So speaking of relationships, if you're

1133
00:32:48.541 --> 00:32:49.708
having frequent intercourse,

1134
00:32:50.375 --> 00:32:51.833
you know what it means now.

1135
00:32:51.833 --> 00:32:53.208
<v James Munns>It's a couple times in your lifetime.

1136
00:32:53.208 --> 00:32:54.375
<v Amos Wenger>Well, it's failures for years.

1137
00:32:55.291 --> 00:32:55.875
I don't know if that's

1138
00:32:55.875 --> 00:32:56.625
what you want to call it.

1139
00:32:56.875 --> 00:32:58.333
Probable is several times in lifetime.

1140
00:32:58.666 --> 00:32:59.916
Occasional is once in lifetime.

1141
00:33:00.333 --> 00:33:02.208
Remote is unlikely in lifetime.

1142
00:33:02.208 --> 00:33:03.916
Improbable is very unlikely to occur.

1143
00:33:04.375 --> 00:33:05.125
Incredible is cannot

1144
00:33:05.125 --> 00:33:06.333
believe that it could occur.

1145
00:33:06.333 --> 00:33:07.083
And then the consequence

1146
00:33:07.083 --> 00:33:08.291
categories is four of them.

1147
00:33:08.291 --> 00:33:09.250
Then catastrophic, which

1148
00:33:09.250 --> 00:33:10.375
is multiple loss of life.

1149
00:33:10.625 --> 00:33:12.208
Critical loss of a single life.

1150
00:33:12.666 --> 00:33:14.500
Marginal, major injuries to one or more

1151
00:33:14.500 --> 00:33:15.750
persons and negligible

1152
00:33:15.750 --> 00:33:16.958
minor injuries at worst.

1153
00:33:17.166 --> 00:33:19.125
So it would not even mean negligible if

1154
00:33:19.125 --> 00:33:20.500
there was an engine failure, but they

1155
00:33:20.500 --> 00:33:21.500
still managed to land where

1156
00:33:21.500 --> 00:33:22.416
they were going to go anyway.

1157
00:33:23.166 --> 00:33:23.375
Exactly.

1158
00:33:23.500 --> 00:33:24.083
<v James Munns>Chances are people wouldn't

1159
00:33:24.083 --> 00:33:25.291
even know on the plane.

1160
00:33:25.583 --> 00:33:27.708
And that's the system working.

1161
00:33:27.708 --> 00:33:28.000
That's interesting.

1162
00:33:28.333 --> 00:33:29.083
Even though a component

1163
00:33:29.083 --> 00:33:30.875
failed, if that makes sense.

1164
00:33:31.333 --> 00:33:32.250
Yeah.

1165
00:33:32.666 --> 00:33:32.875
<v Amos Wenger>Yeah, that makes sense.

1166
00:33:33.333 --> 00:33:34.625
<v James Munns>So the reason we want to give

1167
00:33:34.625 --> 00:33:36.458
ourselves all that margin is because

1168
00:33:36.458 --> 00:33:37.416
everything can fail.

1169
00:33:37.416 --> 00:33:39.125
Like an engine blade can fail, but also

1170
00:33:39.125 --> 00:33:41.416
the person whose job it was to review

1171
00:33:41.416 --> 00:33:42.958
that you did it right

1172
00:33:42.958 --> 00:33:44.041
could have missed something.

1173
00:33:44.041 --> 00:33:45.583
They didn't have enough coffee that day.

1174
00:33:45.583 --> 00:33:46.333
They didn't sleep well.

1175
00:33:46.583 --> 00:33:49.583
They missed something that they had an

1176
00:33:49.583 --> 00:33:50.541
opportunity to catch.

1177
00:33:50.916 --> 00:33:53.083
So we give ourselves all this margin.

1178
00:33:53.458 --> 00:33:55.583
They used an LLM to review the thing.

1179
00:33:56.000 --> 00:33:56.208
Yeah.

1180
00:33:56.333 --> 00:33:58.083
Another thing is that only really end

1181
00:33:58.083 --> 00:33:59.833
products are safety certified.

1182
00:34:00.083 --> 00:34:01.875
So like in an airplane, it might be like

1183
00:34:01.875 --> 00:34:03.583
a weather radar or something like that.

1184
00:34:03.583 --> 00:34:05.375
You will have a safety certified weather

1185
00:34:05.375 --> 00:34:06.958
radar that this is a whole

1186
00:34:06.958 --> 00:34:09.000
component or a whole item.

1187
00:34:09.000 --> 00:34:10.541
And this is one of those blurry things

1188
00:34:10.541 --> 00:34:11.958
where it depends on the

1189
00:34:11.958 --> 00:34:13.666
industry and how it's integrated.

1190
00:34:13.666 --> 00:34:15.125
So like you might ship a

1191
00:34:15.125 --> 00:34:16.541
safety qualified thing.

1192
00:34:16.541 --> 00:34:18.208
It still needs to be integrated correctly

1193
00:34:18.208 --> 00:34:20.166
into the rest of the airplane.

1194
00:34:20.791 --> 00:34:22.666
But your real time operating system is

1195
00:34:22.666 --> 00:34:24.875
not really something that just is safety

1196
00:34:24.875 --> 00:34:27.125
certified because it's just a

1197
00:34:27.125 --> 00:34:28.750
component of a larger system.

1198
00:34:29.041 --> 00:34:30.416
And context matters.

1199
00:34:30.750 --> 00:34:33.083
<v Amos Wenger>As you explained the definition of this,

1200
00:34:33.083 --> 00:34:34.458
I'm having a special thought for the

1201
00:34:34.458 --> 00:34:36.208
people who installed the AC in my

1202
00:34:36.208 --> 00:34:38.583
apartment, and it is blowing cold air

1203
00:34:38.583 --> 00:34:41.416
directly out the door of the room.

1204
00:34:41.625 --> 00:34:42.083
Oh, nice.

1205
00:34:42.333 --> 00:34:43.416
Therefore, it is completely inefficient

1206
00:34:43.416 --> 00:34:45.125
if you have the door even slightly open,

1207
00:34:45.125 --> 00:34:46.791
which you need to if you have cats.

1208
00:34:47.625 --> 00:34:49.750
So, yes, I know what you mean, James.

1209
00:34:50.041 --> 00:34:51.708
It's not critical for sure.

1210
00:34:52.083 --> 00:34:54.000
<v James Munns>Yeah, but this is one of those areas

1211
00:34:54.000 --> 00:34:55.375
where context matters.

1212
00:34:55.375 --> 00:34:57.458
It's only as good as

1213
00:34:57.458 --> 00:34:59.333
what they bounded it to be.

1214
00:34:59.541 --> 00:35:01.750
And when we have things like libraries or

1215
00:35:01.750 --> 00:35:04.000
tools, they're just a piece of the

1216
00:35:04.000 --> 00:35:05.166
process along the way.

1217
00:35:05.500 --> 00:35:07.416
And when we have a programming language

1218
00:35:07.416 --> 00:35:09.666
or a compiler, those are just tools.

1219
00:35:10.000 --> 00:35:12.500
Those are a way of achieving the system

1220
00:35:12.500 --> 00:35:14.166
that we are building, which means they

1221
00:35:14.166 --> 00:35:16.375
can't by themselves really be safe.

1222
00:35:16.833 --> 00:35:18.916
But there are safe ways that you can use

1223
00:35:18.916 --> 00:35:21.833
them to build something on top of that.

1224
00:35:22.125 --> 00:35:24.166
What you can do is you can spend a lot of

1225
00:35:24.166 --> 00:35:26.750
effort and design your library, your real

1226
00:35:26.750 --> 00:35:28.333
time operating system, your compiler,

1227
00:35:28.583 --> 00:35:31.416
your language, up to a safety standard.

1228
00:35:31.625 --> 00:35:34.041
So you can say it has checked all the

1229
00:35:34.041 --> 00:35:35.375
boxes that you need to.

1230
00:35:35.375 --> 00:35:37.625
We have documents and requirements and

1231
00:35:37.625 --> 00:35:40.833
traceability that say, we've conformed up

1232
00:35:40.833 --> 00:35:43.250
to the standard for this piece, which

1233
00:35:43.250 --> 00:35:44.791
means then if you're building a larger

1234
00:35:44.875 --> 00:35:46.708
system, you can make a very compelling

1235
00:35:46.708 --> 00:35:48.791
case like, hey, we're using tools and

1236
00:35:48.791 --> 00:35:50.541
components that were up to the standard.

1237
00:35:50.541 --> 00:35:52.708
So even though we didn't do it, it was

1238
00:35:52.708 --> 00:35:55.000
done up to a standard, which means that

1239
00:35:55.000 --> 00:35:57.250
we can confidently use it versus if you

1240
00:35:57.250 --> 00:35:58.833
just found something on the street and

1241
00:35:58.833 --> 00:36:00.625
integrated it, you have no idea that

1242
00:36:00.625 --> 00:36:02.750
that's up to a standard or not.

1243
00:36:02.750 --> 00:36:04.208
<v Amos Wenger>Yeah, I guess that's something that's

1244
00:36:04.250 --> 00:36:06.791
difficult to conceptualize for people who

1245
00:36:06.791 --> 00:36:07.958
don't do engineering.

1246
00:36:08.375 --> 00:36:10.041
But that's also why you don't need to

1247
00:36:10.041 --> 00:36:13.000
test every single copy of a component

1248
00:36:13.000 --> 00:36:13.750
that you make,

1249
00:36:14.000 --> 00:36:14.958
especially software, I guess.

1250
00:36:15.208 --> 00:36:18.375
But you design it, you test a sample.

1251
00:36:18.375 --> 00:36:19.291
It's all probability.

1252
00:36:19.666 --> 00:36:21.500
Not everything you use has been tested

1253
00:36:21.500 --> 00:36:23.166
for thousands of hours, right?

1254
00:36:23.500 --> 00:36:24.708
Not the copy you have.

1255
00:36:24.708 --> 00:36:26.333
<v James Munns>And for these really critical industries,

1256
00:36:26.625 --> 00:36:28.875
especially like government ones, like if

1257
00:36:28.875 --> 00:36:32.041
you buy bolts from someone, you might

1258
00:36:32.416 --> 00:36:34.541
destructively test some percentage of

1259
00:36:34.541 --> 00:36:36.166
those bolts to make sure that the bolts

1260
00:36:36.166 --> 00:36:37.541
match the spec from the vendor.

1261
00:36:37.541 --> 00:36:38.708
And then over time, you

1262
00:36:38.708 --> 00:36:40.416
might sample less of them.

1263
00:36:40.666 --> 00:36:44.000
But then if you ever find one that fails,

1264
00:36:44.375 --> 00:36:45.916
you might massively increase.

1265
00:36:45.916 --> 00:36:49.375
So you might be testing to failure 1% or

1266
00:36:49.375 --> 00:36:50.958
10% of your bolts,

1267
00:36:50.958 --> 00:36:52.625
depending on how critical it is.

1268
00:36:52.625 --> 00:36:54.916
<v Amos Wenger>This is exactly how self-checkout works

1269
00:36:54.916 --> 00:36:56.625
in one of the stores that I go to.

1270
00:36:57.000 --> 00:37:00.000
You can self-scan everything, and then

1271
00:37:00.000 --> 00:37:01.458
they will randomly check you.

1272
00:37:01.791 --> 00:37:04.041
And if they ever catch you with an

1273
00:37:04.041 --> 00:37:05.666
article you haven't scanned in your cart,

1274
00:37:06.125 --> 00:37:07.375
then they will check you a lot more.

1275
00:37:07.791 --> 00:37:08.875
So it's the same idea.

1276
00:37:09.083 --> 00:37:09.666
It's statistical.

1277
00:37:10.041 --> 00:37:11.666
<v James Munns>This is statistical sampling.

1278
00:37:11.958 --> 00:37:13.375
It's exactly the same thing as we have

1279
00:37:13.375 --> 00:37:15.041
sampling-based

1280
00:37:15.041 --> 00:37:16.791
profilers and things like that.

1281
00:37:16.791 --> 00:37:18.291
You hope that you make enough

1282
00:37:18.291 --> 00:37:20.625
statistically relevant samples and you

1283
00:37:20.625 --> 00:37:22.625
get reasonable data out, or at least

1284
00:37:22.625 --> 00:37:24.000
enough data to go on.

1285
00:37:24.000 --> 00:37:25.583
And then you have to decide how much data

1286
00:37:25.583 --> 00:37:26.916
is enough data to go on.

1287
00:37:27.125 --> 00:37:27.666
<v Amos Wenger>But it's probably

1288
00:37:27.666 --> 00:37:30.291
terrifying to folks who cannot...

1289
00:37:30.625 --> 00:37:31.083
I don't know.

1290
00:37:31.083 --> 00:37:32.041
Part of me is like that.

1291
00:37:32.041 --> 00:37:34.041
Part of me is like, "No, we need zero

1292
00:37:34.041 --> 00:37:35.958
failure, not just the small number.

1293
00:37:36.375 --> 00:37:38.666
We can't rely on maths for this."

1294
00:37:38.666 --> 00:37:39.833
But there is no zero failure.

1295
00:37:39.833 --> 00:37:41.041
I mean, I'm divorced, so I know.

1296
00:37:42.833 --> 00:37:43.125
<v James Munns>Yep.

1297
00:37:43.125 --> 00:37:44.000
At the end of the day,

1298
00:37:44.000 --> 00:37:45.208
everything is statistical.

1299
00:37:46.166 --> 00:37:46.875
I know.

1300
00:37:47.375 --> 00:37:49.083
And this is why just adding safety

1301
00:37:49.083 --> 00:37:50.333
afterwards, especially for any

1302
00:37:50.333 --> 00:37:53.458
non-trivial component, like a compiler or

1303
00:37:53.458 --> 00:37:54.708
an operating system or something like

1304
00:37:54.708 --> 00:37:56.750
that, going back and trying to make a

1305
00:37:56.750 --> 00:37:59.125
safety case for this or putting together

1306
00:37:59.125 --> 00:38:01.375
that paperwork so someone can use it is

1307
00:38:01.375 --> 00:38:04.625
often so difficult that it's just easier

1308
00:38:04.625 --> 00:38:06.666
to start over and do it

1309
00:38:06.666 --> 00:38:07.541
the right way from scratch.

1310
00:38:07.958 --> 00:38:10.083
<v Amos Wenger>Well, explain that to folks using C++.

1311
00:38:11.666 --> 00:38:12.708
This is all I'm thinking about.

1312
00:38:12.958 --> 00:38:13.708
Do you have something

1313
00:38:13.708 --> 00:38:15.166
else in mind with that slide?

1314
00:38:15.541 --> 00:38:15.916
<v James Munns>What do you mean?

1315
00:38:16.500 --> 00:38:17.208
<v Amos Wenger>Just add safety.

1316
00:38:17.208 --> 00:38:18.708
For me, it's like all the papers around,

1317
00:38:18.708 --> 00:38:20.541
"Oh, we can add safety to C++," but

1318
00:38:20.541 --> 00:38:22.208
actually not really.

1319
00:38:22.208 --> 00:38:23.166
And starting over is like

1320
00:38:23.166 --> 00:38:24.500
Rust or some other languages.

1321
00:38:25.041 --> 00:38:25.291
<v James Munns>Yeah.

1322
00:38:25.291 --> 00:38:26.291
I mean, what I was going to say is just

1323
00:38:26.291 --> 00:38:27.625
components, because this is one of those

1324
00:38:27.625 --> 00:38:30.000
like, "Hey, why can't I just use some

1325
00:38:30.000 --> 00:38:31.666
library as part of this?"

1326
00:38:31.666 --> 00:38:32.250
Like, it's good.

1327
00:38:32.250 --> 00:38:33.291
I've been using it for a while.

1328
00:38:33.625 --> 00:38:34.333
Why can't I say it?

1329
00:38:34.333 --> 00:38:36.666
It's because you can't make reasonable

1330
00:38:36.666 --> 00:38:37.791
statistical assumptions

1331
00:38:37.791 --> 00:38:38.666
about something that...

1332
00:38:39.208 --> 00:38:40.833
Because what we've said in the process is

1333
00:38:40.833 --> 00:38:43.000
if we don't know that you've done it this

1334
00:38:43.000 --> 00:38:45.416
way, then we can't say that it fails a

1335
00:38:45.416 --> 00:38:46.416
normal amount for

1336
00:38:46.416 --> 00:38:48.000
software developed in this way.

1337
00:38:48.541 --> 00:38:50.541
And when we throw in the other math that

1338
00:38:50.541 --> 00:38:52.000
we're doing to decide, "Is

1339
00:38:52.000 --> 00:38:53.125
this system good enough?"

1340
00:38:53.458 --> 00:38:55.125
It throws all of those numbers off, or it

1341
00:38:55.125 --> 00:38:55.958
just makes it like an

1342
00:38:55.958 --> 00:38:57.166
unsolvable equation.

1343
00:38:57.666 --> 00:38:59.166
<v Amos Wenger>But for that, like for your whole

1344
00:38:59.166 --> 00:39:00.875
homegrown network stack that you're

1345
00:39:00.875 --> 00:39:02.750
making, do you take that into account?

1346
00:39:02.750 --> 00:39:04.333
Do you like not use certain libraries

1347
00:39:04.333 --> 00:39:05.375
because they haven't been

1348
00:39:05.375 --> 00:39:06.250
developed the right way?

1349
00:39:06.583 --> 00:39:06.791
<v James Munns>No.

1350
00:39:07.208 --> 00:39:07.958
No, because I'm not

1351
00:39:07.958 --> 00:39:10.000
developing for safety critical.

1352
00:39:10.333 --> 00:39:11.000
And if I was...

1353
00:39:11.250 --> 00:39:12.333
Because it's not safety critical.

1354
00:39:12.333 --> 00:39:13.916
Yeah, it's not because it's one of those

1355
00:39:13.916 --> 00:39:16.041
things that I might do some of the

1356
00:39:16.041 --> 00:39:18.333
detailed design work that might leave

1357
00:39:18.333 --> 00:39:19.291
some breadcrumbs that

1358
00:39:19.291 --> 00:39:20.875
might make it possible later.

1359
00:39:21.583 --> 00:39:23.750
But you wouldn't, because even though all

1360
00:39:23.750 --> 00:39:24.750
the stuff that I'm saying about

1361
00:39:24.750 --> 00:39:26.291
functional safety is good, and I think

1362
00:39:26.291 --> 00:39:29.000
it's a good way of doing it, it is overly

1363
00:39:29.000 --> 00:39:31.708
burdensome for most applications.

1364
00:39:32.166 --> 00:39:34.625
If the cost of failure is low enough...

1365
00:39:34.916 --> 00:39:36.375
<v Amos Wenger>If you need a light switch that's

1366
00:39:36.375 --> 00:39:37.333
remotely controlled

1367
00:39:37.333 --> 00:39:38.291
or whatever, that's...

1368
00:39:38.833 --> 00:39:39.541
Yeah, you don't need all

1369
00:39:39.541 --> 00:39:40.666
the safety critical stuff.

1370
00:39:40.666 --> 00:39:42.083
Because the failure is you

1371
00:39:42.083 --> 00:39:42.583
don't have light switches.

1372
00:39:42.583 --> 00:39:43.583
<v James Munns>Because that's the other thing, is you

1373
00:39:43.583 --> 00:39:44.875
have to say what could go wrong.

1374
00:39:45.083 --> 00:39:45.666
And if the cost...

1375
00:39:45.708 --> 00:39:47.833
If anyone wanted to use my network stack

1376
00:39:47.833 --> 00:39:49.500
in safety critical, then

1377
00:39:49.500 --> 00:39:51.125
yes, I would have to say that.

1378
00:39:51.125 --> 00:39:52.583
But right now, it's research.

1379
00:39:53.000 --> 00:39:53.291
So like...

1380
00:39:53.625 --> 00:39:55.708
<v Amos Wenger>It's a good tip about anxiety in general.

1381
00:39:55.708 --> 00:39:56.291
What could go...

1382
00:39:56.291 --> 00:39:57.291
Like asking yourself the question, what

1383
00:39:57.291 --> 00:39:58.166
could actually go wrong?

1384
00:39:58.416 --> 00:39:59.541
I mean, it's not gonna

1385
00:39:59.541 --> 00:40:01.500
immediately make your body go calm.

1386
00:40:01.958 --> 00:40:02.416
But it does...

1387
00:40:02.875 --> 00:40:04.541
Sometimes for me, it helps to run through

1388
00:40:04.541 --> 00:40:05.750
the actual scenarios.

1389
00:40:06.083 --> 00:40:08.250
Especially things in relation with cars.

1390
00:40:08.250 --> 00:40:08.666
I do that too.

1391
00:40:08.666 --> 00:40:09.500
I keep reminding myself

1392
00:40:09.500 --> 00:40:10.666
cars are made for idiots.

1393
00:40:11.000 --> 00:40:12.250
They're trying to avoid lawsuits.

1394
00:40:12.708 --> 00:40:13.416
They have standards.

1395
00:40:14.083 --> 00:40:16.500
The failure modes are not that terrible.

1396
00:40:16.875 --> 00:40:17.833
And if they are, then

1397
00:40:17.833 --> 00:40:18.958
it's someone else's problem.

1398
00:40:18.958 --> 00:40:19.708
Because I'm not here

1399
00:40:19.708 --> 00:40:20.583
to deal with it anymore.

1400
00:40:20.958 --> 00:40:22.791
<v James Munns>So that helps me a bunch.

1401
00:40:22.791 --> 00:40:23.791
I mean, that's one of those things that's

1402
00:40:23.791 --> 00:40:26.708
in this formalism is there's a FEA or

1403
00:40:26.708 --> 00:40:27.916
FMEA, which is a failure

1404
00:40:27.916 --> 00:40:29.250
modes and effect analysis.

1405
00:40:29.708 --> 00:40:31.541
Which is basically you just sit down and

1406
00:40:31.541 --> 00:40:33.583
you brainstorm all the possible ways.

1407
00:40:33.833 --> 00:40:35.875
Anything could go wrong at any layer.

1408
00:40:36.125 --> 00:40:38.041
And then you game it out.

1409
00:40:38.333 --> 00:40:40.041
Usually in like a tree, basically of

1410
00:40:40.041 --> 00:40:42.000
like, if this fails and this fails and

1411
00:40:42.000 --> 00:40:44.333
this fails and this fails, how many steps

1412
00:40:44.333 --> 00:40:46.333
do I have to go to get to death?

1413
00:40:46.625 --> 00:40:48.750
Or like, does it ever terminate in death?

1414
00:40:49.166 --> 00:40:50.250
And then you work backwards.

1415
00:40:50.250 --> 00:40:52.041
And if you go, oh, if this one resistor

1416
00:40:52.041 --> 00:40:55.541
fails, death, then you go well, then that

1417
00:40:55.541 --> 00:40:57.791
resistor needs to not fail more often

1418
00:40:57.791 --> 00:40:58.791
than this, because that

1419
00:40:58.791 --> 00:41:00.625
becomes like the limiting reactant.

1420
00:41:00.625 --> 00:41:03.083
Yeah, for my entire system.

1421
00:41:03.125 --> 00:41:05.166
<v Amos Wenger>It's like a cause.

1422
00:41:05.625 --> 00:41:07.708
The causal profiler where you can like,

1423
00:41:07.708 --> 00:41:08.958
if you want to find how to make your

1424
00:41:08.958 --> 00:41:11.541
program go faster, you can just instead

1425
00:41:11.541 --> 00:41:13.083
make some components go slower.

1426
00:41:13.583 --> 00:41:15.125
And then it tells you what actually

1427
00:41:15.125 --> 00:41:17.500
benefits the most from being optimized.

1428
00:41:17.750 --> 00:41:18.000
Interesting.

1429
00:41:18.458 --> 00:41:19.416
And it's kind of the same thing of

1430
00:41:19.416 --> 00:41:20.708
identifying causality.

1431
00:41:20.708 --> 00:41:22.000
Like this is the thing that we should

1432
00:41:22.000 --> 00:41:24.250
invest our safety budget into, like, I

1433
00:41:24.250 --> 00:41:24.708
don't know, or

1434
00:41:24.708 --> 00:41:26.666
equipment or parts, whatever.

1435
00:41:26.666 --> 00:41:26.958
Exactly.

1436
00:41:27.208 --> 00:41:28.375
I don't have the words to talk about

1437
00:41:28.375 --> 00:41:29.583
this, but you get what I mean.

1438
00:41:29.750 --> 00:41:30.041
<v James Munns>Yeah.

1439
00:41:30.041 --> 00:41:31.750
But it's also like a neat approach of

1440
00:41:31.750 --> 00:41:33.458
analysis, because you might realize, oh,

1441
00:41:33.458 --> 00:41:34.708
I have a fail safe, so I

1442
00:41:34.708 --> 00:41:35.791
don't have to worry about it.

1443
00:41:35.791 --> 00:41:37.375
But then you go through this analysis and

1444
00:41:37.375 --> 00:41:38.875
you realize that one component could

1445
00:41:38.875 --> 00:41:41.291
knock out both your primary and your

1446
00:41:41.291 --> 00:41:42.125
secondary and you go,

1447
00:41:42.416 --> 00:41:43.500
oh, I guess I have no.

1448
00:41:43.875 --> 00:41:44.666
And then you have a SPOF.

1449
00:41:45.083 --> 00:41:46.333
And like, it's a balance too, where you

1450
00:41:46.333 --> 00:41:48.083
go, there's no point in having this

1451
00:41:48.083 --> 00:41:50.250
redundancy, because it doesn't get me

1452
00:41:50.250 --> 00:41:51.500
anything, because it only

1453
00:41:51.500 --> 00:41:53.291
prevents here downwards.

1454
00:41:53.291 --> 00:41:54.500
And that's so unlikely

1455
00:41:54.500 --> 00:41:55.833
that it doesn't make sense.

1456
00:41:55.833 --> 00:41:58.125
So like, a lot of designing for safety is

1457
00:41:58.125 --> 00:41:59.916
actually throwing out anything you

1458
00:41:59.916 --> 00:42:01.541
possibly can, because the fewer

1459
00:42:01.541 --> 00:42:03.541
components are there to fail, that

1460
00:42:03.541 --> 00:42:04.541
doesn't need to be there.

1461
00:42:04.750 --> 00:42:06.416
The easier it is to prove that it either

1462
00:42:06.416 --> 00:42:07.625
does work or things like that.

1463
00:42:07.916 --> 00:42:09.500
<v Amos Wenger>So I guess that's where having nice

1464
00:42:09.500 --> 00:42:10.875
requirements comes in, because you can

1465
00:42:10.875 --> 00:42:12.166
actually point back, you

1466
00:42:12.166 --> 00:42:13.500
know, why do we even have this?

1467
00:42:13.500 --> 00:42:14.916
And then you can go back and exactly why

1468
00:42:14.916 --> 00:42:16.041
you do and see if you

1469
00:42:16.041 --> 00:42:17.000
can actually get rid of it.

1470
00:42:17.250 --> 00:42:17.458
Exactly.

1471
00:42:17.958 --> 00:42:20.333
<v James Munns>And yeah, so working backwards is almost

1472
00:42:20.333 --> 00:42:21.916
always harder than just

1473
00:42:21.916 --> 00:42:24.000
rewriting for any non trivial thing.

1474
00:42:24.250 --> 00:42:24.458
True.

1475
00:42:24.791 --> 00:42:26.666
But the Rust compiler is

1476
00:42:26.666 --> 00:42:28.541
a fairly rare exception.

1477
00:42:28.833 --> 00:42:31.750
As far as off the shelf software goes, it

1478
00:42:31.750 --> 00:42:34.500
was a software project that a ton of

1479
00:42:34.500 --> 00:42:36.750
diligence was done on along the way,

1480
00:42:37.083 --> 00:42:39.000
there were documentations of what it was

1481
00:42:39.000 --> 00:42:39.958
supposed to do and what

1482
00:42:39.958 --> 00:42:41.125
it was not supposed to do.

1483
00:42:41.750 --> 00:42:43.041
Documentation of the decisions that were

1484
00:42:43.041 --> 00:42:44.666
made when they were made, who they were

1485
00:42:44.666 --> 00:42:46.750
made by who they were checked by, there

1486
00:42:46.750 --> 00:42:49.166
were reviews of code and decisions.

1487
00:42:49.791 --> 00:42:51.625
There's been continuous integration

1488
00:42:51.666 --> 00:42:53.250
testing that's automated

1489
00:42:53.250 --> 00:42:55.541
continuously since it's existed.

1490
00:42:55.541 --> 00:42:57.666
This has all been in writing in public

1491
00:42:57.916 --> 00:43:00.458
with a linear git history that you can go

1492
00:43:00.458 --> 00:43:01.958
back and look at the decisions all the

1493
00:43:01.958 --> 00:43:03.583
way back to before 1.0.

1494
00:43:03.583 --> 00:43:05.375
If that sounds like everything that I've

1495
00:43:05.375 --> 00:43:06.375
been talking about for

1496
00:43:06.375 --> 00:43:08.250
functional safety so far, it is.

1497
00:43:08.875 --> 00:43:10.958
And Rust didn't do this because it was

1498
00:43:10.958 --> 00:43:12.958
trying to aim for safety critical.

1499
00:43:13.291 --> 00:43:13.916
It was doing this

1500
00:43:13.916 --> 00:43:15.458
because it's good engineering.

1501
00:43:15.958 --> 00:43:16.166
Yeah.

1502
00:43:16.291 --> 00:43:17.791
And you just do these things for things

1503
00:43:17.791 --> 00:43:19.000
that are important to get right.

1504
00:43:19.416 --> 00:43:21.208
Mozilla realized that from like a more

1505
00:43:21.208 --> 00:43:23.333
safety perspective, or just a good

1506
00:43:23.375 --> 00:43:25.333
engineering culture perspective.

1507
00:43:25.791 --> 00:43:28.041
So they had this culture of setting the

1508
00:43:28.041 --> 00:43:30.375
project up like that, and it actually

1509
00:43:30.375 --> 00:43:32.125
laid a huge amount of the breadcrumbs.

1510
00:43:32.125 --> 00:43:33.125
And this is one of those things that I

1511
00:43:33.125 --> 00:43:34.958
realized when we were having those

1512
00:43:34.958 --> 00:43:36.916
initial discussions at Ferrous of how

1513
00:43:36.916 --> 00:43:38.791
reasonable is it to have a safety

1514
00:43:38.791 --> 00:43:39.958
critical Rust compiler.

1515
00:43:39.958 --> 00:43:41.500
And I go, look, the Rust project is

1516
00:43:41.500 --> 00:43:43.416
checking so many of the boxes that

1517
00:43:43.416 --> 00:43:46.291
they're probably doing this better than a

1518
00:43:46.291 --> 00:43:47.875
lot of folks who are doing safety

1519
00:43:47.875 --> 00:43:49.500
critical stuff, or at least they have a

1520
00:43:49.500 --> 00:43:52.375
more cohesive approach to it for doing

1521
00:43:52.375 --> 00:43:53.083
these kind of things.

1522
00:43:53.083 --> 00:43:55.041
And that's why it was so quick.

1523
00:43:55.291 --> 00:43:56.375
There was like two years of convincing

1524
00:43:56.375 --> 00:43:57.750
people that it was a good idea to do.

1525
00:43:58.208 --> 00:43:59.333
And then once people got on board, it

1526
00:43:59.333 --> 00:44:01.833
took them about two years from when I

1527
00:44:01.833 --> 00:44:04.000
left to when they had the first qualified

1528
00:44:04.000 --> 00:44:04.916
version of the compiler.

1529
00:44:05.166 --> 00:44:07.541
And like for an off the shelf open source

1530
00:44:07.541 --> 00:44:10.250
component to go from nothing to safety

1531
00:44:10.250 --> 00:44:12.666
qualified in that time is like bonkers

1532
00:44:12.666 --> 00:44:15.333
quick in the safety critical industry.

1533
00:44:15.333 --> 00:44:17.583
And it's because Rust had a lot of this

1534
00:44:17.583 --> 00:44:19.500
safety case already made, which meant you

1535
00:44:19.500 --> 00:44:20.833
didn't have to go back and rewrite huge

1536
00:44:20.833 --> 00:44:22.375
chunks of it, you had to

1537
00:44:22.375 --> 00:44:24.083
define how it should be used.

1538
00:44:24.666 --> 00:44:26.291
And then make sure that you had all of

1539
00:44:26.291 --> 00:44:28.708
your justification in one place in a way

1540
00:44:28.708 --> 00:44:30.125
that is palatable for

1541
00:44:30.125 --> 00:44:31.375
where it was going to be used.

1542
00:44:31.375 --> 00:44:33.375
And it wasn't easy for Ferrous, and I'm sure

1543
00:44:33.375 --> 00:44:34.125
the other two compiler

1544
00:44:34.125 --> 00:44:35.875
vendors put a ton of effort into it.

1545
00:44:36.083 --> 00:44:39.916
But it became viable, because so much of

1546
00:44:39.916 --> 00:44:42.000
that had been done the right way, along

1547
00:44:42.000 --> 00:44:44.208
the way, right, that level of formalism

1548
00:44:44.208 --> 00:44:46.666
and just doing best practices is really

1549
00:44:46.666 --> 00:44:47.833
at the end of the day, all functional

1550
00:44:47.833 --> 00:44:50.750
safety is is it's just a formalized way

1551
00:44:50.750 --> 00:44:52.833
of requiring you to do what is

1552
00:44:52.833 --> 00:44:54.291
considered the best practices.

1553
00:44:54.791 --> 00:44:56.125
And you do them either because it's

1554
00:44:56.125 --> 00:44:57.791
required to ship a product in that

1555
00:44:57.791 --> 00:44:59.500
industry, or because you go, well, this

1556
00:44:59.500 --> 00:45:01.583
is the best way that we know how to do

1557
00:45:01.583 --> 00:45:03.125
these things so far.

1558
00:45:03.375 --> 00:45:04.875
And someday, if there's an easier, faster

1559
00:45:04.875 --> 00:45:05.958
way to do it, that'll

1560
00:45:05.958 --> 00:45:07.000
get switched to, too.

1561
00:45:07.208 --> 00:45:10.166
But today, just considering all of the

1562
00:45:10.166 --> 00:45:11.666
potential failures and that everything

1563
00:45:11.666 --> 00:45:12.791
fails, this is generally

1564
00:45:12.791 --> 00:45:14.791
just the best way they know how.

1565
00:45:15.250 --> 00:45:18.333
<v Amos Wenger>So for folks who do not benefit directly

1566
00:45:18.333 --> 00:45:20.500
from safety critical stuff, a good

1567
00:45:20.500 --> 00:45:23.875
takeaway from this episode is that the

1568
00:45:23.875 --> 00:45:27.333
Rust compiler project has been held and

1569
00:45:27.333 --> 00:45:29.666
continues to be held to higher standards

1570
00:45:29.666 --> 00:45:31.791
than like most open source projects.

1571
00:45:32.125 --> 00:45:32.958
Otherwise, this effort

1572
00:45:32.958 --> 00:45:33.916
wouldn't have been possible.

1573
00:45:34.375 --> 00:45:34.833
Is that correct?

1574
00:45:35.208 --> 00:45:36.041
<v James Munns>Yeah, I definitely agree.

1575
00:45:36.041 --> 00:45:36.541
It's definitely not

1576
00:45:36.541 --> 00:45:37.708
the only one up there.

1577
00:45:37.708 --> 00:45:40.250
But it's definitely one that did enough

1578
00:45:40.250 --> 00:45:42.083
of the right things along the way.

1579
00:45:42.875 --> 00:45:45.250
Just because of that, it became really

1580
00:45:45.250 --> 00:45:46.791
seriously viable for that.

1581
00:45:47.000 --> 00:45:48.208
The other thing is I also have a lot of

1582
00:45:48.208 --> 00:45:49.125
folks asked like, Hey,

1583
00:45:49.541 --> 00:45:51.125
Rust is better than C, right?

1584
00:45:51.125 --> 00:45:51.875
Why isn't everyone

1585
00:45:51.875 --> 00:45:54.500
immediately switching to Rust, right?

1586
00:45:54.500 --> 00:45:55.041
Especially now because

1587
00:45:55.041 --> 00:45:56.125
it's safety critical.

1588
00:45:56.125 --> 00:45:57.166
Why is not everyone

1589
00:45:57.166 --> 00:45:58.375
just switching immediately?

1590
00:45:59.000 --> 00:45:59.583
And the answer is like

1591
00:45:59.583 --> 00:46:01.500
these industries just move slow.

1592
00:46:02.208 --> 00:46:03.583
And one of those things is we've already

1593
00:46:03.583 --> 00:46:05.291
said every component can fail.

1594
00:46:05.791 --> 00:46:08.041
So even if C has failure modes, that's

1595
00:46:08.083 --> 00:46:09.208
actually less of a big

1596
00:46:09.208 --> 00:46:10.291
deal than you might think.

1597
00:46:10.541 --> 00:46:12.708
Because if we know all of the failure

1598
00:46:12.708 --> 00:46:15.083
modes, we can just say don't do that.

1599
00:46:15.583 --> 00:46:16.541
So like, that's what things

1600
00:46:16.541 --> 00:46:17.833
like Misra standards are.

1601
00:46:17.833 --> 00:46:19.958
And we go, there are known deficiencies

1602
00:46:19.958 --> 00:46:21.916
in the language or the compilers that

1603
00:46:21.916 --> 00:46:22.750
make up the language

1604
00:46:22.750 --> 00:46:23.541
and things like that.

1605
00:46:23.916 --> 00:46:25.500
And so we'll just set a checklist of

1606
00:46:25.500 --> 00:46:27.958
rules that just say in C, you must

1607
00:46:27.958 --> 00:46:29.750
make sure you never do this, you never do

1608
00:46:29.750 --> 00:46:30.583
this, you always do

1609
00:46:30.583 --> 00:46:31.541
this, you never do this.

1610
00:46:31.875 --> 00:46:33.708
And you either have a machine validate

1611
00:46:33.708 --> 00:46:35.250
that's always true, like a static

1612
00:46:35.250 --> 00:46:37.458
analyzer, or you have a human check it,

1613
00:46:37.458 --> 00:46:39.208
or you set up a coding standard that says

1614
00:46:39.208 --> 00:46:42.458
you never use triple function pointers or

1615
00:46:42.458 --> 00:46:43.583
something like that, because they're so

1616
00:46:43.583 --> 00:46:46.125
easy to get wrong that you you avoid them

1617
00:46:46.125 --> 00:46:47.250
and things like that.

1618
00:46:47.250 --> 00:46:48.666
Is the M in Misra for mitigate?

1619
00:46:49.208 --> 00:46:50.000
I don't think so.

1620
00:46:50.458 --> 00:46:52.041
It's some automotive standards.

1621
00:46:52.041 --> 00:46:53.041
I have no idea what Misra

1622
00:46:53.125 --> 00:46:54.666
stands for off the top of my head.

1623
00:46:54.666 --> 00:46:56.375
That's the thing with new things is you

1624
00:46:56.375 --> 00:46:58.583
can't mitigate unknown failures.

1625
00:46:59.125 --> 00:47:01.083
You can only mitigate known failures.

1626
00:47:01.500 --> 00:47:02.958
And as much nice things as I've said

1627
00:47:03.000 --> 00:47:04.708
about Rust, it will have failures and

1628
00:47:04.708 --> 00:47:07.083
we'll find soundness issues or issues

1629
00:47:07.083 --> 00:47:08.958
with the compiler or ways that are

1630
00:47:08.958 --> 00:47:11.250
integrated or on certain platforms, there

1631
00:47:11.250 --> 00:47:12.958
are certain issues and things like that,

1632
00:47:13.041 --> 00:47:16.291
that you can't generally mitigate unknown

1633
00:47:16.291 --> 00:47:18.333
failure modes, which means there's always

1634
00:47:18.333 --> 00:47:21.250
sort of a risk reward benefit of, hey,

1635
00:47:21.250 --> 00:47:23.125
even if this is way better, there's some

1636
00:47:23.125 --> 00:47:24.708
risk of switching to it because it will

1637
00:47:24.708 --> 00:47:26.833
remove a bunch of failure modes, but it

1638
00:47:26.833 --> 00:47:29.000
will add in some unknown failure modes

1639
00:47:29.291 --> 00:47:30.500
that now are harder to

1640
00:47:30.500 --> 00:47:32.416
quantify until we found them.

1641
00:47:33.083 --> 00:47:34.666
<v Amos Wenger>That's something anyone who's tried to

1642
00:47:34.666 --> 00:47:36.208
drive adoption for Rust

1643
00:47:36.208 --> 00:47:37.708
at a company can relate with.

1644
00:47:38.041 --> 00:47:38.625
<v James Munns>Yeah, yeah.

1645
00:47:38.916 --> 00:47:39.708
And it's all risk.

1646
00:47:39.708 --> 00:47:41.208
That's a good engineering thing to be

1647
00:47:41.208 --> 00:47:43.666
considering is balancing risk and reward.

1648
00:47:43.958 --> 00:47:45.375
But yeah, yeah, safety critical.

1649
00:47:45.666 --> 00:47:47.541
The wheels move, even if slowly,

1650
00:47:47.541 --> 00:47:48.625
<v Amos Wenger>but they do move.

1651
00:47:49.000 --> 00:47:50.666
Speaking of wheels, Misra stands for

1652
00:47:50.666 --> 00:47:51.750
the motor industry

1653
00:47:51.750 --> 00:47:53.875
software reliability association.

1654
00:47:54.333 --> 00:47:54.958
<v James Munns>There you go.

1655
00:47:54.958 --> 00:47:55.125
Yeah.

1656
00:47:55.625 --> 00:47:58.875
And back in the day, C was a huge

1657
00:47:58.875 --> 00:48:00.416
improvement over assembly.

1658
00:48:00.958 --> 00:48:02.541
Like there was a long time that a lot of

1659
00:48:02.541 --> 00:48:04.541
anything embedded would have been written

1660
00:48:04.541 --> 00:48:06.333
in assembly and things like that.

1661
00:48:06.333 --> 00:48:08.833
And having structured programming like C

1662
00:48:08.833 --> 00:48:11.833
has was maybe even a bigger step up.

1663
00:48:11.833 --> 00:48:13.958
Like the gap between assembly and C is

1664
00:48:13.958 --> 00:48:15.500
probably larger in safety

1665
00:48:15.500 --> 00:48:17.833
than the gap from C to Rust.

1666
00:48:18.208 --> 00:48:19.625
I definitely think there's benefit of

1667
00:48:19.625 --> 00:48:22.458
that second step, but like C was the

1668
00:48:22.458 --> 00:48:24.750
newer safer alternative when a lot of

1669
00:48:24.750 --> 00:48:26.666
these standards were being written, where

1670
00:48:26.666 --> 00:48:28.875
they'd say you need to use a language

1671
00:48:28.875 --> 00:48:31.250
with structured data and structured

1672
00:48:31.250 --> 00:48:34.583
control flow and not assembly because it

1673
00:48:34.583 --> 00:48:37.666
was new, but it was a marked improvement

1674
00:48:37.666 --> 00:48:39.750
over getting things right more often.

1675
00:48:40.625 --> 00:48:40.833
Yeah.

1676
00:48:40.833 --> 00:48:42.250
Safety critical is one of my areas where

1677
00:48:42.250 --> 00:48:43.000
like I will talk

1678
00:48:43.000 --> 00:48:44.458
anyone's ear off anytime.

1679
00:48:44.750 --> 00:48:46.000
And this is like just barely

1680
00:48:46.000 --> 00:48:47.833
scratching the surface of it.

1681
00:48:48.291 --> 00:48:50.416
<v Amos Wenger>But yeah, we'll have others about it.

1682
00:48:50.625 --> 00:48:51.833
I'm sure someone else is

1683
00:48:51.833 --> 00:48:52.875
bound to ask questions.

1684
00:48:53.250 --> 00:48:54.166
We'll have followups.

1685
00:48:54.166 --> 00:48:54.541
I'm sure.

1686
00:48:54.791 --> 00:48:55.000
<v James Munns>Yeah.

1687
00:48:55.000 --> 00:48:55.958
Please do ask questions.

1688
00:48:55.958 --> 00:48:57.625
This is one of those areas where like I

1689
00:48:57.625 --> 00:49:00.083
want questions because it's so niche.

1690
00:49:00.083 --> 00:49:01.208
There's so many more people who have

1691
00:49:01.208 --> 00:49:01.916
heard of it, but

1692
00:49:01.916 --> 00:49:03.208
never worked in this area.

1693
00:49:03.458 --> 00:49:04.833
So they've heard things like, oh, you

1694
00:49:04.833 --> 00:49:05.625
have to do all this paperwork.

1695
00:49:05.875 --> 00:49:06.583
You have to do all this.

1696
00:49:06.583 --> 00:49:08.500
It has no value, whatever, but they've

1697
00:49:08.500 --> 00:49:09.875
never worked in those areas and they

1698
00:49:09.875 --> 00:49:11.750
don't really get why you would do that.

1699
00:49:11.750 --> 00:49:13.000
Or they've only worked on the periphery

1700
00:49:13.000 --> 00:49:14.500
of those industries where they weren't

1701
00:49:14.500 --> 00:49:16.208
the ones like coming up with the plans.

1702
00:49:16.208 --> 00:49:16.833
They don't know why

1703
00:49:16.833 --> 00:49:17.833
the plan is like that.

1704
00:49:17.833 --> 00:49:19.625
They just saw a stack of paperwork that

1705
00:49:19.625 --> 00:49:21.708
they had to do and didn't understand why

1706
00:49:21.708 --> 00:49:22.791
you were doing that.

1707
00:49:23.000 --> 00:49:24.500
This is one of those things that all of

1708
00:49:24.500 --> 00:49:26.416
my excitement about this is on sort of

1709
00:49:26.416 --> 00:49:28.375
like the theoretical intent of

1710
00:49:28.375 --> 00:49:30.125
functional safety in practice.

1711
00:49:30.125 --> 00:49:32.208
It's going to suck more than the intent

1712
00:49:32.208 --> 00:49:33.708
in the same way that there's the

1713
00:49:33.708 --> 00:49:35.000
scientific method for

1714
00:49:35.000 --> 00:49:36.041
scientific research.

1715
00:49:36.041 --> 00:49:37.375
And we say, this is the best way we know

1716
00:49:37.375 --> 00:49:39.166
how to do science is to

1717
00:49:39.166 --> 00:49:40.250
follow the scientific method.

1718
00:49:40.791 --> 00:49:42.583
But then you have authors out there who

1719
00:49:42.583 --> 00:49:44.083
are like, well, I have to get published.

1720
00:49:44.083 --> 00:49:46.083
And so they're P hacking the hell out of

1721
00:49:46.083 --> 00:49:47.833
their studies or finding just the right

1722
00:49:47.833 --> 00:49:49.250
way to arrange the data where it looks

1723
00:49:49.250 --> 00:49:51.083
significant so that they can publish and

1724
00:49:51.083 --> 00:49:52.041
so they can put stuff out.

1725
00:49:52.458 --> 00:49:53.458
You can do the exact same

1726
00:49:53.458 --> 00:49:54.583
thing with functional safety.

1727
00:49:54.833 --> 00:49:55.833
You can like, ah, I've

1728
00:49:55.833 --> 00:49:56.666
checked all the boxes.

1729
00:49:56.666 --> 00:49:57.666
I'm allowed to sell it now.

1730
00:49:58.000 --> 00:50:01.541
But you just check the boxes and you've

1731
00:50:01.541 --> 00:50:03.916
kind of missed the whole point of it.

1732
00:50:04.125 --> 00:50:04.833
This is one of those,

1733
00:50:05.166 --> 00:50:06.291
it's like that in any field.

1734
00:50:06.625 --> 00:50:08.625
But I definitely think if you just check

1735
00:50:08.625 --> 00:50:09.666
the box, it's not really,

1736
00:50:09.666 --> 00:50:10.625
it's just a lot of overhead.

1737
00:50:10.625 --> 00:50:12.000
There's very little value unless you

1738
00:50:12.000 --> 00:50:13.833
like, take it to heart why

1739
00:50:13.833 --> 00:50:15.166
you are doing these things.

1740
00:50:15.416 --> 00:50:17.875
But if you really do approach it with

1741
00:50:17.875 --> 00:50:19.666
that mindset, especially with like the

1742
00:50:19.666 --> 00:50:21.166
knowledge of how bad it can get if you

1743
00:50:21.166 --> 00:50:23.416
don't, then it's still an imperfect

1744
00:50:23.458 --> 00:50:25.958
system, but it's still a useful system.

1745
00:50:25.958 --> 00:50:28.666
<v Amos Wenger>And it's like continuous because even

1746
00:50:28.666 --> 00:50:30.541
once you ship a product and it's

1747
00:50:30.541 --> 00:50:32.625
integrated somewhere, you still want

1748
00:50:32.625 --> 00:50:34.833
feedback from your customers, right, to

1749
00:50:35.000 --> 00:50:37.000
integrate the next versions and like to

1750
00:50:37.000 --> 00:50:38.000
maintenance, recalls,

1751
00:50:38.000 --> 00:50:39.125
whatever you need to do.

1752
00:50:39.458 --> 00:50:41.416
<v James Munns>Yeah, it's something that doesn't end.

1753
00:50:41.416 --> 00:50:42.750
Like there are new versions of this

1754
00:50:42.750 --> 00:50:43.875
standard of all these

1755
00:50:43.875 --> 00:50:45.125
standards regularly.

1756
00:50:45.583 --> 00:50:47.750
And you get to pay lots of Swiss francs

1757
00:50:47.750 --> 00:50:50.000
for the newest versions of all these from

1758
00:50:50.000 --> 00:50:51.791
international standards organizations.

1759
00:50:52.166 --> 00:50:54.833
But like the core concepts have been the

1760
00:50:54.833 --> 00:50:56.791
same for very long, but they are

1761
00:50:56.791 --> 00:50:58.500
always changing of like, hey, you know,

1762
00:50:58.666 --> 00:50:59.875
Misra is starting to come up with rules

1763
00:50:59.875 --> 00:51:01.291
for Rust, where they say like, okay,

1764
00:51:01.291 --> 00:51:02.541
well, the Misra rules were there.

1765
00:51:03.041 --> 00:51:04.916
Here's how they apply to Rust.

1766
00:51:05.375 --> 00:51:05.916
And there was some

1767
00:51:05.916 --> 00:51:07.625
informal analysis a while back.

1768
00:51:08.000 --> 00:51:09.291
But now Misra actually has like an

1769
00:51:09.291 --> 00:51:11.000
addendum document to their most recent

1770
00:51:11.000 --> 00:51:12.791
standard that says of all the rules we

1771
00:51:12.791 --> 00:51:15.541
said these ones do apply to Rust, these

1772
00:51:15.541 --> 00:51:18.000
ones only apply to unsafe Rust, you know,

1773
00:51:18.000 --> 00:51:19.625
those kind of things where they are

1774
00:51:19.625 --> 00:51:21.791
actually taking that feedback into

1775
00:51:21.791 --> 00:51:23.833
account because they realize the industry

1776
00:51:23.833 --> 00:51:25.541
is moving in that direction.

1777
00:51:25.833 --> 00:51:26.416
<v Amos Wenger>That's hilarious,

1778
00:51:26.416 --> 00:51:28.083
because there's a Misra Rust

1779
00:51:29.125 --> 00:51:30.916
repository on GitHub from PolySync.

1780
00:51:31.833 --> 00:51:32.958
And they're saying because of the

1781
00:51:32.958 --> 00:51:34.666
proprietary nature of the Misra C

1782
00:51:34.666 --> 00:51:36.166
specification, the description of each

1783
00:51:36.166 --> 00:51:37.125
rule has been omitted.

1784
00:51:37.708 --> 00:51:39.500
So you get to like the number or the

1785
00:51:39.500 --> 00:51:42.125
identifier of the rule and whether it

1786
00:51:42.125 --> 00:51:43.708
applies to Rust, like whether you get it

1787
00:51:43.708 --> 00:51:45.625
for free in Rust or not, but you don't

1788
00:51:45.625 --> 00:51:46.958
get to know what it is.

1789
00:51:46.958 --> 00:51:48.000
<v James Munns>Yeah, this is one of those things like

1790
00:51:48.000 --> 00:51:49.458
61508 is like that too.

1791
00:51:49.666 --> 00:51:51.125
There is no public version, there's no

1792
00:51:51.125 --> 00:51:53.291
legally public version of 61508.

1793
00:51:53.291 --> 00:51:55.041
The fact that you pay hundreds of euros

1794
00:51:55.041 --> 00:51:57.958
per document goes towards the people who

1795
00:51:57.958 --> 00:51:59.416
are writing and maintaining that

1796
00:51:59.416 --> 00:52:02.250
document, which is on one hand, I guess

1797
00:52:02.250 --> 00:52:03.083
you have to figure out how to

1798
00:52:03.125 --> 00:52:04.458
fund those industries somehow.

1799
00:52:04.875 --> 00:52:06.083
On the other hand, it's also very

1800
00:52:06.083 --> 00:52:08.083
frustrating that you can't look at all of

1801
00:52:08.083 --> 00:52:10.125
this in public all of the time.

1802
00:52:10.500 --> 00:52:12.125
Like I could even if I had citations for

1803
00:52:12.125 --> 00:52:13.833
a lot of the stuff on here, if you didn't

1804
00:52:13.833 --> 00:52:16.875
pay 600 euros to get that volume of the

1805
00:52:16.875 --> 00:52:17.625
standard, you wouldn't be

1806
00:52:17.625 --> 00:52:18.583
able to see that citation.

1807
00:52:18.833 --> 00:52:20.500
And so the Misra Rust stuff is like that

1808
00:52:20.500 --> 00:52:22.125
where they can say, well, look, there are

1809
00:52:22.125 --> 00:52:24.208
however many items and we can just say

1810
00:52:24.208 --> 00:52:26.708
does it apply or not, but we can't

1811
00:52:26.708 --> 00:52:28.208
reproduce the text of the Misra standard

1812
00:52:28.208 --> 00:52:30.583
because it's like a paid standard.

1813
00:52:30.875 --> 00:52:31.208
That's a whole

1814
00:52:31.208 --> 00:52:32.375
conversation for another day.

1815
00:52:32.375 --> 00:52:33.791
And I don't love that aspect of

1816
00:52:33.791 --> 00:52:36.583
functional safety, but having worked at

1817
00:52:36.583 --> 00:52:38.250
companies where I had access to the whole

1818
00:52:38.250 --> 00:52:41.041
volume of standards or I paid hundreds or

1819
00:52:41.041 --> 00:52:42.875
thousands of euros to get access to those

1820
00:52:42.875 --> 00:52:44.916
standards, that part sucks.

1821
00:52:45.583 --> 00:52:47.333
And I don't know a way around it, but

1822
00:52:47.333 --> 00:52:48.875
that's like a whole other topic.

1823
00:52:58.750 --> 00:53:00.250
This episode is sponsored by Depot:

1824
00:53:00.250 --> 00:53:01.541
the build acceleration platform

1825
00:53:01.541 --> 00:53:02.416
that's on a mission to

1826
00:53:02.416 --> 00:53:04.000
make all builds near instant.

1827
00:53:04.250 --> 00:53:05.458
If you're tired of watching your builds

1828
00:53:05.458 --> 00:53:06.375
in GitHub Actions crawl

1829
00:53:06.375 --> 00:53:07.083
like the modern day

1830
00:53:07.083 --> 00:53:08.250
equivalent of paint drying,

1831
00:53:08.583 --> 00:53:09.458
give Depot's GitHub

1832
00:53:09.458 --> 00:53:10.625
Actions runners a try.

1833
00:53:11.000 --> 00:53:12.166
They're up to 10X faster

1834
00:53:12.166 --> 00:53:13.500
with unlimited concurrency,

1835
00:53:13.500 --> 00:53:14.916
faster caching, support for

1836
00:53:14.916 --> 00:53:16.291
Linux, macOS, and Windows,

1837
00:53:16.291 --> 00:53:17.166
and they plug right into

1838
00:53:17.166 --> 00:53:18.083
other Depot optimizations

1839
00:53:18.375 --> 00:53:19.958
like accelerated container image builds

1840
00:53:19.958 --> 00:53:21.375
and remote caching for Bazel,

1841
00:53:21.666 --> 00:53:23.458
Turborepo, Gradle, and more.

1842
00:53:23.833 --> 00:53:24.791
Depot was built by developers

1843
00:53:24.791 --> 00:53:25.958
who were tired of wasting time

1844
00:53:25.958 --> 00:53:27.250
waiting on builds instead of shipping.

1845
00:53:27.541 --> 00:53:28.375
It's made for teams

1846
00:53:28.375 --> 00:53:29.291
that wanna move faster

1847
00:53:29.291 --> 00:53:30.291
and stay focused on

1848
00:53:30.291 --> 00:53:31.333
what actually matters.

1849
00:53:31.625 --> 00:53:32.958
That's why companies like PostHog

1850
00:53:32.958 --> 00:53:33.958
use Depot to cut build

1851
00:53:33.958 --> 00:53:35.291
times from over three hours

1852
00:53:35.291 --> 00:53:36.500
to just three minutes,

1853
00:53:36.500 --> 00:53:37.458
saving tens of thousands

1854
00:53:37.458 --> 00:53:38.708
of build hours every week.

1855
00:53:39.000 --> 00:53:39.958
Start your free 7

1856
00:53:39.958 --> 00:53:41.083
day trial at depot.dev

1857
00:53:41.083 --> 00:53:42.166
and let them know we sent you.
