Brussels / 3 & 4 February 2024


Application of the SPDX Safety Profile in the Safety Scope of the Zephyr Project

Creating and maintaining a safety critical project comes with a lot of challenges. One central issue is keeping your documentation, starting from planning and guideline documents, down to requirements, safety analysis, reviews and tests, consistent and up to date. These project artefacts often have their own lifecycle and are natively managed in different tools, with usually great traceability capabilities regarding dependencies between these artefacts as long as you stay within one tool or within a (usually propriety) tool family of one single tool vendor. Currently the resulting traceability gaps between these tools are handled either by the popular engineering tools like MS Excel or methods like “search for identical names”, depending highly on manual maintenance. Using SPDX relationships, the upcoming Safety Profile in SPDX 3.1 will provide a model to represent all these dependencies as a knowledge model that can be used both to analyse possible impacts after a change (be it because of a security update or functional variants of your product), provide evidence of completeness and compliance as a Safety SBOM or simply keep track of your product variants. In this talk we will provide both an introduction to the SPDX Safety Profile as well as a real life example using StrictDoc and the Zephyr Project’s Functional Safety scope.


Photo of Nicole Pappler Nicole Pappler
Photo of Stanislav Pankevich Stanislav Pankevich