Bringing Functional Safety to the SBOM: An introduction to the SPDX Safety Profile

Nicole Pappler - AlektoMetis

As software becomes increasingly complex in embedded and safety-critical systems - from automotive to aerospace - the need for traceable, verifiable, and auditable software supply chains has never been greater. Ensuring that every software component, dependency, and change is accounted for is essential not only for security and quality assurance but also for meeting the rigorous demands of functional safety standards.

The SPDX Safety Profile extends the widely adopted SPDX (Software Package Data Exchange) standard - now formalized as ISO/IEC 5962:2021 - to support functional safety use cases. It introduces structured, machine-readable metadata that enables traceability between software components, requirements, tests, and safety evidence - facilitating both human understanding and automated tooling.

This talk introduces the SPDX Safety Profile, explores its integration through examples using the Zephyr Project and StrictDoc, and demonstrates how it can be used to automate compliance work against safety standards such as IEC 61508, ISO 26262, and related domain-specific regulations.

Attendees will gain insight into how SPDX can serve as a foundation for building traceability graphs, generating safety documentation, and integrating with pipelines to support continuous compliance.
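As an added illustration of what a traceability graph built from SPDX relationships can check, here is a small Python example written for this page; it is not code from the talk, from Zephyr, from StrictDoc or from the SPDX project. It reads SPDX 3-style Relationship elements (the "from", "to" and "relationshipType" fields), builds a graph, and reports requirements with no test and tests with no evidence, the kind of gap a continuous-compliance pipeline would fail on. The element types Requirement, Test and Evidence, the relationship names hasRequirement, hasTest and hasEvidence, and all identifiers are assumptions made for the example; the Safety Profile's actual vocabulary should be taken from the SPDX specification.

```python
"""Traceability-graph check over SPDX 3-style relationship elements.

Added example for this page, not from the talk or any SPDX tooling.
Assumptions (not stated on the page): elements are dicts carrying
"@type", "spdxId" and, for relationships, "relationshipType", "from"
and a list in "to"; the type names Requirement/Test/Evidence and the
relationship names hasRequirement/hasTest/hasEvidence are hypothetical.
"""
from collections import defaultdict

# Constructed sample document: one package with two requirements; only
# SWR-001 has a test, and that test has a test-run record as evidence.
SAMPLE_ELEMENTS = [
    {"@type": "Package", "spdxId": "urn:ex:pkg/rtos"},
    {"@type": "Requirement", "spdxId": "urn:ex:req/SWR-001"},
    {"@type": "Requirement", "spdxId": "urn:ex:req/SWR-002"},
    {"@type": "Test", "spdxId": "urn:ex:test/T-001"},
    {"@type": "Evidence", "spdxId": "urn:ex:evidence/T-001-run-42"},
    {"@type": "Relationship", "relationshipType": "hasRequirement",
     "from": "urn:ex:pkg/rtos",
     "to": ["urn:ex:req/SWR-001", "urn:ex:req/SWR-002"]},
    {"@type": "Relationship", "relationshipType": "hasTest",
     "from": "urn:ex:req/SWR-001", "to": ["urn:ex:test/T-001"]},
    {"@type": "Relationship", "relationshipType": "hasEvidence",
     "from": "urn:ex:test/T-001", "to": ["urn:ex:evidence/T-001-run-42"]},
]


def build_graph(elements):
    """Return (types, edges).

    types: spdxId -> "@type" for every element that has an id.
    edges: relationshipType -> {from_id -> set(to_ids)}.
    """
    types = {e["spdxId"]: e["@type"] for e in elements if "spdxId" in e}
    edges = defaultdict(lambda: defaultdict(set))
    for e in elements:
        if e.get("@type") != "Relationship":
            continue
        for target in e["to"]:
            edges[e["relationshipType"]][e["from"]].add(target)
    return types, edges


def trace(edges, start, rel_types=None):
    """Ids reachable from start by following the given relationship
    types (all types when rel_types is None). Depth-first, cycle-safe."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for rel, adjacency in edges.items():
            if rel_types is not None and rel not in rel_types:
                continue
            for nxt in adjacency.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
    return seen


def find_gaps(elements):
    """Report traceability gaps a pipeline gate would reject."""
    types, edges = build_graph(elements)
    reqs = sorted(i for i, t in types.items() if t == "Requirement")
    tests = sorted(i for i, t in types.items() if t == "Test")
    # Relationship targets that no element in the document defines.
    dangling = sorted({
        t for adjacency in edges.values()
        for targets in adjacency.values()
        for t in targets if t not in types
    })
    return {
        "requirements_without_tests": [r for r in reqs if not edges["hasTest"].get(r)],
        "tests_without_evidence": [t for t in tests if not edges["hasEvidence"].get(t)],
        "dangling_targets": dangling,
    }


if __name__ == "__main__":
    gaps = find_gaps(SAMPLE_ELEMENTS)
    for kind, ids in gaps.items():
        print(f"{kind}: {ids or 'none'}")
    _, edges = build_graph(SAMPLE_ELEMENTS)
    print("evidence chain from package:", sorted(trace(edges, "urn:ex:pkg/rtos")))
```

In a pipeline the exit status would follow `find_gaps`: any non-empty list means the safety evidence for that build is incomplete. The `dangling_targets` check matters when documents from several suppliers are merged, since a relationship that points at an element only present in someone else's SBOM is a broken trace, not a satisfied one.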

By leveraging the SPDX Safety Profile, developers and safety engineers can exchange and maintain safety documentation efficiently, keeping compliance artifacts - such as safety analyses, safety plans, software requirements specifications, tool qualification records, traceability matrices, and safety case arguments - traceable and up to date throughout the software lifecycle.

This approach not only reduces manual effort and risk of error but also promotes reuse of safety evidence across projects and organizations, fostering a more scalable and collaborative safety engineering process.

The Safety Case itself becomes a Safety SBOM - a structured, machine-readable artifact that can be exchanged just like any other SBOM. Since SBOMs are already the de facto standard for sharing software supply chain information, this approach aligns safety engineering with security practices and enhances interoperability across tools and organizations.

Short Bio:

Nicole Pappler is a leading expert in functional safety and open-source compliance, with over a decade of experience in safety-critical software and embedded systems. She is a co-founder of AlektoMetis, a consultancy specializing in functional safety, cybersecurity, and certification support across industries such as automotive, industrial automation, and medical devices.

Nicole serves as the Functional Safety Manager for the Zephyr Project, where she leads efforts to align the Zephyr RTOS with international safety standards such as IEC 61508. She is also an active contributor to several open-source initiatives, including ELISA (Enabling Linux in Safety Applications), the SPDX Functional Safety sub-group, and the OpenChain Project, where she advocates for trustworthy, certifiable open-source software in regulated environments.

A frequent speaker at international conferences such as FOSDEM and the Open Source Summit, Nicole is known for her thought leadership in bridging the gap between open-source innovation and rigorous safety requirements. Her work aims to enable developers and organizations to build safe, secure, and certifiable systems using open technologies.

Friday, September 26, 11.30 AM