While there are a number of possible safety certifications depending on exactly which sub-field of the whole transportation we are talking about, the most popular and widely used for automobiles is the Automotive Safety Integrity Level (ASIL) delineated in the ISO 26262 (Road vehicles – Functional safety") which is in turn a derivative from IEC61508.

It has 4 levels from A to D, with A being the weakest one, used for items such as external lighting, where the risk in case of failure is relatively limited while D is the strongest one used for stuff like ABS brakes and ECU, where a failure is very likely to result in injuries or even death, think ECU randomly accellerating with full power during a turn or ABS completely preventing you to brake while doing an emergency brake (on the dry).
Most automotive Electronics falls somewhere in the middle at ASIL B or C.

The first hurdle to clear for ASIL (at least for the highest levels) is that the certification does not only cover the item in itself, but also the whole development process, this requires formally documenting how and why requirements are formulated, how the development process is carried out in order to fill those requirements, and so on.
All of this is very, very, very far from how the linux kernel in particular, and most general purpose software in general is developed, so a full certification of the entire kernel "as is" is basically unthinkable.

The second problem is that for the higher levels of ASIL ( namely C and D) extensive failure analysis is required, to identify all the possible failure modes and how these could affect the safety of the entire vehicle and what mitigations are put in place so that such failure does not lead to catastrophic consequences. Doing such a detailed analysis on a project with the scale of the entire kernel (with upwards of 20 milion lines of code) is basically unthinkable.

The final issue (and probably the biggest) is that all these analyses and documentation requirements do no apply to the kernel itself (or rather to any single component) but to the complete product being developed (the entire ECU for example, and not to the processor running the firmware alone). And thus need to be tailored to each specific case, and can not be just done once.

Now all of this work is only valid for a single point in time ( a specific kernel release for example), a significant chunk of the process must be re-done for all subsequent releases as it must be shown that the changes do not interact negatively with the rest of the design

Now the linux kernel could at some point meet all requirement for use in an ASIL certified product at the lower levels (A or B) i dont belive there is any incentive in adopting it in priducts with higher ratings, as it will be much, much cheaper, safer and faster to develop something from scratch that just include the necessary stuff, minimizing the potential failure points

Sure you can. You can run a collision-detection test to see if the control inputs from the algorithm are predicted to hit anything, and engage emergency measures if so. The test must necessarily be lower-level and more stable than the algorithm, obviously. That should also make it cheaper to do.

If the inputs are unknown or the objective is unclear, then you can't evaluate the quality of its solution. However, certain inputs are knowable, as are certain constraints and when they're about to be violated.

I think whatever OS is hosting VM with a safety-critical guest must also be certified for safety-critical applications, as a bug or failure in the host/hypervisor can invalidate the testing & assumptions made by the guest.

what I mean with "not supervisable" (I am not english native, so I picked a bad word probably), is that there is no easy way to decide if the data coming out makes sense. Other than running another instance and see whether they are agree.

with machine learning you can make little assumptions what you get as answer,

in both cases Linux support would help.

Wow. That's a lot.

First, a deep learning network is basically a systolic processing graph, which typically can be evaluated in deterministic time. I presume there are some deep learning networks with feedback, that can take a non-deterministic amount of time to converge, but that doesn't seem like a practical architecture for realtime control applications.

Second, it doesn't follow that algorithms "not supervisable", in terms of their answer therefore don't need a RTOS, if that's what you're saying. The RTOS exists to ensure that threads get their requisite amount of processing time & resources, so they maintain the necessary degree of responsiveness.

As for what to do when your self-driving pilot produces some bad output or otherwise outright fails, there ought to be a lower-level obstacle avoidance system that tries to safely bring the vehicle to a stop. Even with redundancy, you still need that for an algorithm operating safety-critical machinery with an unconstrained set of inputs.

That's basically what I'm talking about. Maybe these chips aren't used directly for training, but at least for testing new algorithms and deep learning models.

Some parts of the self-driving, ie the highlevel stuff is:

- not what you called hard realtime
- not really feasible to predict what it should do and thus supervise

ie. you get away without a RTOS, and you can't use safety measures except the most generic ones - like to run 2-3 separate hardware instances and cross-check.

(And of course, they want to run their hardware in some sever-racks for AI-training and testing)

So, are those "neural processing units" of Jim Keller's design, or some derivative thereof?

I'm honestly surprised by this, since I'd read someone claim that Linux isn't capable of being certified for self-driving. So, I wonder why they'd bother with Linux support, unless it's like just for the convenience of internal software development (e.g. testing the deep learning models and algorithms).

Most people seem to think that completely autonomous "killer" drones need to be incredibly sophisticated machines to be useful in real-world combat scenarios.

As a matter of fact I know how a certain class of autonomous "suicide bomber" drones already put to very effective, tide-turning use in a recent real war are built by a certain country:

that makes it even more bizzare that Tesla is able to run its so called "Full Self-Driving" software on Linux