Creating and maintaining a safety critical project comes with a lot of challenges. A central issue is keeping your documentation, starting from planning and guideline documents, down to requirements, safety analysis, reviews and tests, consistent and up to date. These artefacts often have their own lifecycle and are natively managed in different tools, with usually great traceability capabilities regarding dependencies between these artefacts as long as you stay within one tool or within a (usually propriety) tool family of one single tool vendor. Currently the resulting traceability gaps between these tools are handled either by the popular engineering tools like MS Excel or methods like “search for identical names”, depending highly on manual maintenance.
Using SPDX relationships, the upcoming Safety Profile in SPDX 3.1 will provide a model to represent all these dependencies as a knowledge model that can be used both to analyze possible impacts after a change (be it because of a security update or functional variants of your product), provide evidence of completeness and compliance as a Safety SBOM or simply keep track of your product variants.
Nicole Pappler, Senior Safety Expert at AlektoMetis, gave a presentation, “Application of the Upcoming SPDX Safety Profile,” at the Critical Software Summit, which took place at Open Source Summit Europe in September. Check out the presentation here.
Watch the other sessions from the Critical Software Summit on the ELISA Youtube Channel here.
Stay tuned by subscribing to the ELISA Project newsletter or connect with us on X, LinkedIn or mailing lists to talk with community and TSC members.