As discussed in “Linux Beat IBM
In the context of safety and cybersecurity, there seems to be an inherent conflict between safety-critical applications and open-source environments. It raises a number of important questions:
- What level of validation is sufficient for code from unknown contributors?
- Does the contributor have to be trusted, at least in terms of competence?
- What if the person contributing is an adversary?
- Does it really make sense to expose the code to the world, even to adversaries with evil intent?
- Who pays for all of this validation anyway? For complex safety-critical systems, the validation task can become very expensive very quickly.
For safety-critical and cybersecurity issues, the general response from open-source advocates is that the very openness of the system ensures its resistance to malice and that bugs are caught quickly.
The stability of the core Linux platform is often used as a demonstration of this point of view. This point of view may well have a great deal of validity, but it depends on a large set of active producers and consumers. This is analogous to deep financial markets. For example, equity markets for US public stocks are so deep and wide that the price discovery process has a great deal of stability. However, this is not the case for "over-the-counter" stocks or irregular assets. It is well known that these asset classes can have a great deal of instability. In open-source terms, what about situations where there is not a large number of producers and consumers?
In technology, there is always a startup period during which the large producer and consumer ecosystem is not mature, or there are market applications where the markets are not naturally very large (e.g. autonomous mining). In this context, is the Linux real-time OS market big and deep enough to safely support safety-critical automotive applications? How many people in the world really understand the full extent of AV safety? Good question.
“Open-source platforms are not appropriate for safety-critical applications within Automotive. Beyond the safety and cybersecurity validation issues, the natural velocity of software updates does not match the needs of the automotive marketplace,” says John Wall, Senior Vice President and Head of QNX at Blackberry.
Blackberry, transformed from a cell phone provider into an enterprise software company, is a leading supplier of operating systems for automobiles today. Thus, it has a vested interest in this point of view. However, John’s points are well taken. The very high update rates of open-source projects, which may work for consumer applications, do not mesh well with systems where the cost of validation is very large.
Where does this leave us?
It would seem that, for safety-critical systems, smaller trusted consortiums that make the active engineering tradeoff between innovation velocity and validation costs make a great deal of sense. In addition, in this structure, contribution equity and consortium stability issues can be managed much more easily. When this process reaches “escape” velocity in terms of producers and consumers, there is a potential path to a more open system. In automotive, Automotive Grade Linux (AGL) has some of these characteristics, with a foundation built on a small number of founding members. In fact, with “Automotive Grade Linux Releases UCB 9.0 Software Platform,” the AGL foundation just announced a large platform release. While largely focused on infotainment systems, AGL claims support for ADAS as well as advanced AVs.
Will AGL reach “escape” velocity for safety-critical systems? Time will tell.