Turning Open-Source Code into Safety-Grade Software via CI-Ready Static Analysis

Roberto Bagnara, Ph.D. - BUGSENG and University of Parma

Static code analysis (SCA) is now inexpensive and developer-friendly enough to live inside everyday open-source workflows. This session shows how a lightweight, CI-first SCA pipeline can both raise code quality --- by catching defects before they land --- and generate the audit evidence IEC 61508 and IEC 62443 demand. A single documented run (ruleset, findings, deviation log) already fills part of the SIL/SL paperwork. 

We position SCA beside the rest of the life-cycle: it is the micro-lens that verifies the code-level assumptions set by requirements and architecture, uncovers bug classes dynamic tests miss, enforces layer boundaries, and feeds traceability. We will also share tactics that let communities adopt SCA without slowing down: pre-tuned rule sets, a yellow-flag deviation lane, and incremental, baseline-aware analysis that keeps feedback times short. 

Our call to action is simple --- make static analysis a merge gate instead of an afterthought. The funding model is just as practical: community developers contribute code; safety stewards curate rules and approve deviations; commercial users sponsor SaaS runners, licences, and maintainer/steward time; independent assessors package the evidence for certification. The result is a win-win: sponsors cut risk, the project gains quality and free tooling, and FOSS maintains its trademark velocity while meeting modern safety and security standards.
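The two mechanisms named above, a baseline-aware incremental run and a yellow-flag deviation lane that together act as a merge gate, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not BUGSENG's tooling, and the finding format, the fingerprinting scheme (rule, file and a digit-normalised message, so that a line shift does not create a "new" finding), the rule identifiers and the file paths are all constructed placeholders.

```python
"""Baseline-aware static-analysis merge gate (illustrative example, not a
product's code). Assumptions, none of which come from the talk abstract:
  - the analyzer has already emitted findings as rule/file/line/message records;
  - a baseline is the set of fingerprints accepted in an earlier run;
  - a deviation log holds (rule, file) pairs approved by a safety steward.
"""
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import asdict, dataclass, field


@dataclass(frozen=True)
class Finding:
    rule: str      # placeholder rule id, e.g. "RULE-A"
    file: str
    line: int
    message: str

    def fingerprint(self) -> str:
        # Line numbers move on every edit, so identity is derived from rule,
        # file and the message with digits replaced by '#'.
        norm = re.sub(r"\d+", "#", self.message)
        raw = f"{self.rule}|{self.file}|{norm}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


@dataclass(frozen=True)
class Deviation:
    rule: str
    file: str
    justification: str
    approver: str


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)   # new, unjustified findings
    deviated: list = field(default_factory=list)   # yellow flag: approved deviations
    baseline: list = field(default_factory=list)   # known debt carried from the baseline

    @property
    def passed(self) -> bool:
        return not self.blocking


def run_gate(findings, baseline_fps, deviations) -> GateResult:
    """Classify each finding; only new findings without a deviation block the merge."""
    approved = {(d.rule, d.file): d for d in deviations}
    result = GateResult()
    for f in findings:
        if f.fingerprint() in baseline_fps:
            result.baseline.append(f)
        elif (f.rule, f.file) in approved:
            result.deviated.append((f, approved[(f.rule, f.file)]))
        else:
            result.blocking.append(f)
    return result


def evidence_record(ruleset: str, result: GateResult) -> dict:
    """The 'documented run' artefact: ruleset, findings and deviation log in one record."""
    return {
        "ruleset": ruleset,
        "passed": result.passed,
        "new_findings": [asdict(f) for f in result.blocking],
        "deviations": [
            {**asdict(f), "justification": d.justification, "approver": d.approver}
            for f, d in result.deviated
        ],
        "baseline_findings": len(result.baseline),
    }


# Constructed sample data: an accepted earlier run, a current run, and one approved deviation.
BASELINE_RUN = [Finding("RULE-A", "src/util.c", 40, "implicit conversion at line 40")]
BASELINE_FPS = {f.fingerprint() for f in BASELINE_RUN}
CURRENT_RUN = [
    Finding("RULE-A", "src/util.c", 42, "implicit conversion at line 42"),  # same issue, line shifted
    Finding("RULE-B", "src/hal.c", 10, "cast from pointer to integer"),     # covered by a deviation
    Finding("RULE-C", "src/main.c", 7, "unused variable 'x'"),              # genuinely new: blocks
]
DEVIATIONS = [Deviation("RULE-B", "src/hal.c",
                        "memory-mapped register access needs an integer address",
                        "safety-steward")]


def demo() -> GateResult:
    return run_gate(CURRENT_RUN, BASELINE_FPS, DEVIATIONS)


if __name__ == "__main__":
    res = demo()
    print(json.dumps(evidence_record("placeholder-ruleset-v1", res), indent=2))
    raise SystemExit(0 if res.passed else 1)   # non-zero exit fails the CI job
```

The exit status is what turns the run into a merge gate: the job fails only on the one finding that is neither in the baseline nor covered by an approved deviation, while the JSON record keeps the ruleset, the deviation justifications and their approver together as evidence for later review.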

Co-author: 

Nicola Vetrini, BUGSENG

 

Short Bio:

Roberto Bagnara co-authored more than 50 papers on programming languages, static analysis and other techniques for software verification, published in international journals and conference proceedings. He has been the inspirer and principal architect of several open-source software projects in the above-mentioned research domains, among them the Parma Polyhedra Library (PPL), a library of numerical abstractions especially targeted at applications in the analysis and verification of hardware and software systems.

Roberto is a full professor of Computer Science at the University of Parma, where he teaches courses on operating systems, the development of critical systems, and (automated) software verification. He started working on embedded systems software in 1984, first at the University of Bologna (medical devices) and then at CERN (particle physics apparatus), where he worked with Tim Berners-Lee. He is a member of the MISRA C and MISRA SQM Working Groups and of the ISO JTC1/SC22/WG14 international standardization working group for the C programming language. Roberto Bagnara is a co-founder and the Functional Safety Manager of BUGSENG.

 

Thursday, September 25, 11.30 AM