Open Source And Automotive Safety-Critical Systems: What Are The Tradeoffs?
As discussed in “Linux Beat IBM, Will Open-Source Software Beat Waymo And Tesla,” the power of open-source systems to crowd-source innovation across a community has been demonstrated with a whole host of IT applications such as Linux, WordPress, and others. In the area of autonomous vehicles, “Will A Small Open-Source Effort From Japan Disrupt The Autonomous Space?” outlined a fledgling open-source effort in Japan called Autoware. One of the most interesting comments from the Autoware team concerned the ongoing challenge of maintaining a coherent software system while dealing with a variety of contributors. Maintaining a coherent software system is very important for safety-critical applications. Further, in “Is Automotive CyberSecurity a National Defense Issue?” we discuss the potential of autonomous vehicles not only to cause issues for the safety of the driver, but also for an adversary to turn fleets of vehicles into robots of mass destruction. Thus, the stakes become even higher.
In the context of safety and cybersecurity, there seems to be an inherent conflict between safety-critical applications and open-source environments. This raises a number of important questions:
What level of validation is sufficient for code from unknown contributors?
Does the contributor have to be trusted, at least in terms of competence?
What if the person contributing is an adversary?
Does it really make sense to expose the code to the world, even to adversaries with evil intent?
Who pays for all of this validation anyway? For complex safety-critical systems, the validation task can become very expensive very quickly.
For safety-critical and cybersecurity issues, the general response from open-source advocates is that the very openness of the system ensures its resistance to malice as well as the quick detection of bugs.
The stability of the core Linux platform is often used as a demonstration of this point of view. This point of view may well have a great deal of validity, but it depends on a large set of active producers and consumers. This is analogous to deep financial markets. For example, equity markets for US public stocks are so deep and wide that the price-discovery process has a great deal of stability. However, this is not the case for “over-the-counter” stocks or irregular assets; it is well known that these asset classes can have a great deal of instability. In open-source terms, what about situations where there are not a large number of producers and consumers?
In technology, there is always a startup period during which the large producer and consumer ecosystem is not yet mature, and there are market applications where the markets are not naturally very large (e.g., autonomous mining). In this context, is the Linux real-time OS market big and deep enough to safely support safety-critical automotive applications? How many people in the world really understand the full extent of AV safety? Good question.
“Open-source platforms are not appropriate for safety-critical applications within Automotive. Beyond the safety and cybersecurity validation issues, the natural velocity of software updates does not match the needs of the automotive marketplace,” says John Wall, SVP and Head of QNX at BlackBerry.
BlackBerry, transformed from a cell phone provider into an enterprise software company, is a leading supplier of operating systems for automobiles today. Thus, it has a vested interest in this point of view. However, John’s points are well taken. The hyper-rates of open-source updates that may work for consumer applications do not mesh well when the cost of validation is very large.
Where does this leave us?
It would seem that for safety-critical systems, smaller trusted consortia that make the active engineering tradeoff between innovation velocity and validation costs make a great deal of sense. In addition, in this structure, contribution-equity and consortium-stability issues can be managed much more easily. When this process reaches “escape” velocity in terms of producers and consumers, there is a potential path to a more open system. In automotive, Automotive Grade Linux (AGL) has some of these characteristics, with a foundation of a small number of founding members. In fact, with “Automotive Grade Linux Releases UCB 9.0 Software Platform,” the AGL foundation just announced a large platform release. While largely focused on infotainment systems, AGL claims support for ADAS as well as advanced AVs.
Will AGL reach “escape” velocity for safety-critical systems? Time will tell.
I am a seasoned scientist who has had significant roles in the worlds of academia, startups, and Fortune 500 companies. Early in my career, I designed complex computer systems as a CPU designer at DEC. They were very difficult to validate, and the cost of failure was very high. Realizing the utility of solving this problem, I transitioned to become an executive at Cadence Design Systems, where I ran groups that solved the validation problem. Along the way, I have built successful startups in areas such as wireless power, machine learning, and low-power electronics design. Most recently, I have leveraged nearly 35 years of experience to build an academic research team to focus on the AV safety problem. I have a BS (1984) and MS (1985) from CMU and a PhD from Harvard University (1994).