THE LINUX FOUNDATION PROJECTS
search
Category

Blog

Dec 03
ELISA project workshop - Munich, Germany 2025

Recap: ELISA Workshop – Munich, Germany 2025

By Blog, Workshop

The ELISA Workshop Munich 2025 took place November 18-20 at the Red Hat office in Grasbrunn, Germany, bringing together project members, contributors, and industry partners for three days of focused collaboration.

Welcome & Introductions Gabriele Paoloni, Red Hat; Kate Stewart, Linux Foundation; Philipp Ahmann, ETAS GmbH

The ELISA Workshop opened with a welcome note from organizers who introduced logistics, guidelines, and expectations for collaboration, including the code of conduct and Chatham House Rule options. Participants from industry, academia, and open source communities briefly introduced themselves, reflecting a diverse range of expertise in safety-critical systems, Linux engineering, certification, and research.

Ask Me Anything – New Contributor Onboarding Gabriele Paoloni, Red Hat; Philipp Ahmann, ETAS GmbH

The “Ask Me Anything about ELISA or the Use of OSS in Safety-Critical Applications” session, led by Gabriele Paoloni and Philipp Ahmann, offered participants an open space to address foundational questions about applying Linux and open source software in safety-critical systems. The conversation clarified why live Q&A remains valuable beyond static FAQs, explored the challenges of using Linux in complex safety contexts, and outlined how ELISA approaches requirements, standards, tooling, and system understanding. 

The session also highlighted common misconceptions such as the idea of producing a “safe Linux”and reinforced the importance of context, collaboration, and evolving industry practices when integrating OSS into safety-relevant applications.

Research questions and publication directions of Aerospace WG Martin Halle, Hamburg University of Technology – Institute of Aircraft Systems Engineering, Matthew Weber, Boeing

This session outlined key research questions for the Aerospace Working Group, focusing on where Linux is currently used in aerospace and space systems, how regulations affect its adoption, and which topics should lead to future white papers. The speakers also introduced shared use cases and tools supporting this work and invited contributors with domain expertise to help advance upcoming publications.

Towards Practical Program Verification for the Linux Kernel Keisuke NISHIMURA, Inria

The session “Towards Practical Program Verification for the Linux Kernel,” presented by Keisuke Nishimura, Jean-Pierre Lozi, and Julia Lawall, introduced foundational concepts of deductive program verification and demonstrated their application through a case study on the kernel function. The speakers highlighted challenges in specifying correct behavior, automating loop invariants, and preparing verification-ready code, and outlined research efforts aimed at making large-scale kernel verification more practical.

Towards a More Sustainable and Secure Software Tooling in Free/Libre Open Source Software Environments Stefan Tatschner, Fraunhofer AISEC

The session “Towards a More Sustainable and Secure Software Tooling in Free/Libre Open Source Software Environments”, presented by Dr. Stefan Tatschner (Fraunhofer AISEC), explored how software sustainability and security intersect in FLOSS ecosystems. Building on his PhD work, Dr. Tatschner discussed how vague or overly complex specifications and fragmented development practices can lead to inconsistent, insecure implementations, illustrated through studies of QUIC stacks and X.509 libraries. He showed how dependency analysis and graph-based metrics can help identify critical projects whose health has a disproportionate impact on the ecosystem.

Introducing SW Requirements in the Linux kernel development process: status and next steps Gabriele Paoloni, Red Hat; Kate Stewart, Linux Foundation; Chuck Wolber, Boeing

The session “Introducing SW Requirements in the Linux Kernel Development Process: Status and Next Steps”, presented by Gabriele Paoloni (Red Hat), Kate Stewart (Linux Foundation), and Chuck Wolber (Boeing), explored how to bring structured software requirements into the Linux kernel’s distributed, maintainer-driven development model. The speakers highlighted gaps in existing documentation and explained how missing explicit intent increases technical debt and complicates safety and certification work. They proposed testable, SPDX-based requirement annotations that live alongside the code to improve clarity, traceability, and review. The talk also summarized feedback from kernel maintainers and outlined ongoing experiments and next steps to refine the approach and drive broader adoption.

Exploring possibilities for integrating StrictDoc with ELISA’s requirements template approach for the Linux kernel Tobias Deiminger, Linutronix; Stanislav Pankevich, Reflex Aerospace

The session “Exploring Possibilities for Integrating StrictDoc with ELISA’s Requirements Template Approach for the Linux Kernel”, presented by Tobias Deiminger (Linutronix GmbH) and Stanislav Pankevich (Reflex Aerospace GmbH), demonstrated how the StrictDoc tool can support structured, traceable requirements workflows for kernel development. The speakers introduced StrictDoc’s capabilities, showed how it is already used at Linutronix for certification-driven projects, and walked through a live prototype integrating SPDX-based requirements directly from kernel source files. They highlighted how StrictDoc can link requirements, code, and tests while enabling validation and drift detection. The session emphasized that such tooling could strengthen documentation quality, improve traceability, and complement ELISA’s efforts to introduce maintainable requirements practices into the kernel ecosystem.

Architectures for Linux in Railway Safety Applications Florian Wühr, Red Hat; Daniel Weingaertner, Red Hat

The session “Architectures for Linux in Railway Safety Applications”, presented by Florian Wühr and Dr. Daniel Weingärtner (Senior Software Engineers, Red Hat EMEA Field CTO Office), explored how Linux-based platforms can be used in modern railway safety systems. They outlined Red Hat’s involvement in the “AutomatedTrain” research project and discussed applying high-performance, Linux-based platforms for autonomous and safety-related rail use cases. The talk covered relevant safety standards and SIL levels, key certification and interoperability challenges in Europe, and compared architectural options (containers, hypervisors, redundancy/diversity) for mixed-criticality railway applications.

Hypervisors are scary, so why use them for enabling Linux for Safety Applications Aqib Javaid, Elektrobit

The session explained why hypervisors, though often viewed as complex or risky, are valuable for enabling Linux in safety-critical systems. Aqib Javaid clarified common misconceptions such as hypervisors being slow or unusable for safety and showed how modern hardware support and open-source options like Xen and L4 make them practical and certifiable. He demonstrated how hypervisors provide strong isolation and allow a small safety monitor to supervise Linux, adding protection without modifying the kernel.

Open Functional Safety: Safety-Qualified Lifecycle with Sphinx Christopher Zimmer, innotec GmbH

The session “Open Functional Safety: Safety-Qualified Lifecycle with Sphinx” was presented by Christopher Zimmer (innotec GmbH). He showed how an open-source toolchain centered on Sphinx can support a full, safety-qualified development lifecycle for smaller companies and open source projects that can’t afford heavy commercial tooling. The talk also outlined how to classify and qualify such tools so they can be used in standards-compliant functional safety workflows.

AGL SDV SoDeV Insights Naoto Yamaguchi, AISIN; Harunobu Kurokawa, Renesas

The session “AGL SDV SoDeV Insights,” presented by Naoto Yamaguchi (AISIN) and Harunobu Kurokawa (Renesas), shared progress on Automotive Grade Linux’s Software-Defined Vehicle initiative. The speakers outlined SoDeV’s goal of decoupling hardware and software using open-source technologies like hypervisors, VirtIO, and unified HMI frameworks to enable reusable, scalable in-vehicle software. They also discussed early prototypes, planned architecture, and open challenges particularly around safety and integrating monitoring in virtualized systems.

Best Practices in Open Source and Standards – Evaluation of Example Projects Simone Weiss, Linutronix

The session presented work from ELISA’s WG Lighthouse OSS on identifying open-source “best practices” and mapping them to quality/safety standards. Simone showed how a common evaluation template was applied to Xen and Yocto, revealing both strong governance/CI practices and recurring issues like fragmented documentation, and outlined plans for a maturity model to rate project process quality.

Beyond the OS: What else is required for safe automotive applications? Isaac Trefz, Elektrobit

The session “Beyond the OS: What Else Is Required for Safe Automotive Applications?” highlighted that making Linux safe is only one part of building a safety-compliant automotive system. Isaac Trefz (Elektrobit) explained that safe applications also require qualified compilers and libraries, safe IPC, reliable rendering paths, hypervisors, hardware support, and proper monitoring/watchdog mechanisms. Using examples like telltales and ADAS functions, he showed how these system-level elements must work together.

BASIL Luigi Pellecchia, Red Hat

The session “BASIL,” presented by Luigi Pellecchia (Red Hat), introduced BASIL as a tool for managing traceability across requirements, code, and tests in safety-critical projects. Luigi highlighted recent updates improved SPDX SBOM export, graphical traceability views, expanded test-framework support, and a new AI-assisted requirement generator. He also outlined a proposal for a configurable traceability scanner that pulls structured data from multiple repositories, aiming to simplify and standardize traceability workflows in open-source safety development.

Continuous Compliance in Safety-Critical Open Source Projects Rinat Shagisultanov, InfoMagnus

The session “Continuous Compliance in Safety-Critical Open Source Projects,” presented by Rinat Shagisultanov (InfoMagnus), showed how safety-annotated SBOMs—using SPDX 3 and its emerging safety profile can automate functional-safety traceability. Rinat explained how tools like BASIL generate these SBOMs and how the OpenCC platform performs semantic diffs, impact analysis, and audit logging inside CI/CD pipelines.

Industry Safety Level(s) vs. Aerospace Use Cases Matthew Weber, Boeing

The session “Industry Safety Level(s) vs. Aerospace Use Cases,” presented by Matthew Weber (Boeing), explained how civil aerospace develops and certifies aircraft software using DO-178C safety levels (DAL A–E), and how these compare conceptually to ASIL/SIL levels in other industries. He walked through the aircraft lifecycle, showed how safety levels drive required artifacts and rigor, and illustrated everything with example use cases and early Linux-based demos (like a safety-aware “cabin light” and NASA CFS-based scenarios).

Linux Virtual Address Space Safety Alessandro Carminati, Red Hat

The session “Linux Virtual Address Space Safety,” presented by Alessandro Carminati (Red Hat), explored how Linux’s virtual memory design especially Virtual Memory Areas (VMAs) and the global linear mapping creates subtle safety risks in mixed-criticality systems. He walked through the VMA lifecycle, showed how the linear map lets kernel and user pages sit side-by-side (enabling accidental cross-domain corruption), and reviewed current defenses and why they’re aimed at security/debugging rather than deterministic functional safety.

Behind the Scenes: Elisa Yocto meta-layer and the ELISA CI infrastructure Sudip Mukherjee, Codethink

The session “Behind the Scenes: ELISA Yocto Meta-Layer and the ELISA CI Infrastructure,” presented by Sudip Mukherjee (Codethink), gave a concise behind-the-scenes look at how ELISA’s Yocto meta-layer and CI system are built and maintained. Sudip explained how the team created a standardized Docker-based build environment, added nightly CI builds, shared sstate caching, and automated testing with QEMU and OpenQA. He also highlighted ongoing work to keep the AGL-based demo app building reliably and invited other working groups to adopt the shared CI to ensure reproducible, stable builds.

The SPDX Safety Profile Release Candidate – towards standardised safety supply chain documentation Nicole Pappler, AlektoMetis

The session “The SPDX Safety Profile Release Candidate – Towards Standardised Safety Supply Chain Documentation” by Nicole Pappler (AlektoMetis) presented the new SPDX 3.1 safety profile, which extends the core SPDX model with safety-specific concepts like requirements, verifications, and evidence links. Nicole explained how this enables standardized, machine-readable safety documentation across the software supply chain, improving traceability, impact analysis, and compliance for safety-critical industries using open source.

Drawing an open source safety-critical landscape Philipp Ahmann, ETAS GmbH

The session “Drawing an Open Source Safety-Critical Landscape” by Philipp Ahmann (ETAS) outlined the need for a clear map of the growing ecosystem of safety-critical open source projects. Philipp proposed building a structured landscape covering OSs, hypervisors, tools, frameworks, simulators, and industry domains to show how projects relate, where they fit, and where gaps or collaboration opportunities exist. The goal is to give the community a central, easy-to-navigate view of safety-critical open source efforts.

In short:

The Munich workshop highlighted the rapid progress and growing cohesion of the safety-critical open source ecosystem. Over three days, contributors shared tools, research, architectures, requirements approaches, and CI practices all reinforcing that using Linux in regulated environments requires aligned methods, clear documentation, traceability, and strong cross-community collaboration.

With active participation from industry, academia, and open-source projects, the workshop wrapped up with renewed momentum and a shared commitment to push ELISA’s technical work forward.

Note: Presentation Slides can be accessed here

Would like to see the photos from the meetup? Check here.

Check the workshop playlist in the ELISA YouTube.

Interested to host the next ELISA workshop?

The ELISA Project hosts workshops on a regular basis to gather the project community to accelerate technical collaboration and output, and plan for future goals. It is intended as a technical community collaboration forum to advance the mission of the ELISA Project. More specifically, the Workshop series provide the avenue to: 

  • Explore ideas about approaches, processes, tooling, and testing that can be incorporated into building safety-critical applications and systems  
  • Exchange perspectives and feedback from the Linux kernel, safety, and other adjacent open source project communities
  • Provide updates about the various Working Groups’ current activities and priorities and future roadmaps
  • Enable real-time collaboration to make more accelerated progress on current work streams 
  • Define and articulate near-term technical goals and priorities
  • Educate and onboard new community members
  • Activate and increase engagement and contributions from a broader range of contributors
  • The workshops are generally held in person to facilitate more open discussions and real-time collaboration. Virtual access can be provided if there is sufficient interest.

Contact us to discuss hosting a workshop.

Nov 26
Getting Started with the ELISA Project What You Need to Know

Getting Started with the ELISA Project: What You Need to Know

By Blog

What Is Enabling Linux In Safety Applications (ELISA) Project?

The Enabling Linux In Safety Applications (ELISA) Project aims to make it easier for companies to build and certify Linux-based safety-critical applications, systems whose failure could result in loss of human life, significant property damage or environmental damage. ELISA members are working together to define and maintain a common set of tools and processes that can help companies demonstrate that a specific Linux-based system meets the necessary safety requirements for certification. ELISA is also working with certification authorities and standardization bodies in multiple industries to establish how Linux can be used as a component in safety-critical systems.

The Project participants are in close collaboration with other open source projects with a safety-critical analysis focus such as the Xen Project and the Zephyr Project. In addition, the ELISA community members also interact with open source projects with safety-critical relevance and comparable system architecture consideration such as Automotive Grade Linux, SOAFEE, and the SDV Working Group. Beyond those, there have been outreach and interactions with the Yocto Project, SPDX, Real-Time Linux and the Linaro communities.

Working Groups and Technical Structure

The Project is made up of horizontal Working Groups such as Safety Architecture, Linux Features, Tool Investigation, Open Source Engineering Process, and Systems, as well as vertical use case based Working Groups in Aerospace, Automotive, and Medical Devices domains. These Working Groups collaborate to produce an exemplary reference system. Linux Features, Architecture and Code Improvements should be integrated into the reference system directly. Tools and Engineering Process should serve the reproducible product creation. Medical, Automotive, Aerospace and additional future WG use cases should be able to strip down the reference system to their use case demands.

The Project’s Technical Steering Committee (TSC) oversees the Working Group activities and coordinates cross Working Group collaboration to drive the technical direction of the Project. You can interact with the TSC by subscribing to its public forum and attending its biweekly meeting that’s open to the public by default. The mission of the Project is to define and maintain a common set of elements, processes and tools that can be incorporated into Linux-based, safety-critical systems amenable to safety certification.

Ways to Participate in the ELISA Project

There are many ways to connect with the key participants of the Project. You can join the regularly scheduled meetings, such as the bi-weekly Technical Forum meeting, the public Technical Steering Committee meeting, or the public meetings of any Working Group. Another way to connect is to subscribe to the mailing list and introduce yourself on the mailing list forum. To facilitate closer interaction, you can also attend upcoming events, such as the bi-annual in-person ELISA Workshop when members and contributors gather to collaborate and plan for future goals.

Participation is open to anyone – individuals, employees of non-member companies, and members of the ELISA Project. The project offers access to public meetings, mailing lists, events, GitHub and many other public resources.

Quick links:

Ambassadors and Community Support

ELISA Ambassadors are technical leaders who are passionate about the mission of the ELISA Project, recognized for their expertise in functional safety and Linux kernel development, and willing to help others learn about the community and how to contribute. The Ambassador Program brings together technical leaders to educate others on the mission and goals of the ELISA Project, raise awareness, promote Working Group analysis results, engage with the safety and Linux kernel community, and onboard new contributors. Ambassadors are qualified to speak on behalf of the ELISA Project at conferences and meetups, contribute tutorials and blogs, and help mentor new contributors.

ELISA Ambassadors are positioned as thought leaders through ELISA Project and Linux Foundation channels and gain visibility in the open source community. Would like to know more? Check here.

Membership and Collaboration

As with all open source collaborative projects hosted by The Linux Foundation, participation is open to individuals, non-members, and member companies. Companies join the ELISA Project to demonstrate thought leadership, build alliances, define processes and best practices, and support services such as governance, project management, infrastructure, tooling, events, and marketing.

Non-profit organizations, open source projects and government entities are welcome to join the Project as Associate Members. Associate Members contribute research, code development, documentation, and collaboration with Working Groups. A prospective Associate Member will be asked to provide evidence or plans for contribution before approval by the Governing Board.

If you are interested in membership, visit the Join ELISA page or contact: membership@elisa.tech

Next Steps

The ELISA Project brings together a diverse community of contributors who share a common goal: enabling the use of Linux in safety-critical applications through open collaboration, shared processes, and industry engagement. Whether you join meetings, participate in Working Groups, contribute code and documentation, follow events, or connect through the mailing lists and Ambassador Program, there are many accessible ways to get involved. By engaging with the community, you can help advance the tools, practices, and understanding needed to support Linux in safety-critical systems and contribute to the ongoing progress of the Project.

Nov 18
Linux Plumbers Conference: Tokyo, Japan 2025

ELISA Project at Linux Plumbers Conference: Tokyo, Japan 2025

By Blog, Industry Conference

The Linux Plumbers Conference, the premier event for developers working deep in the Linux plumbing layer is coming to Tokyo on December 11–13. This year offers a hybrid format with sessions hosted onsite at Toranomon Hills Forum and remote participation available.

The ELISA Project will be there as part of the Safe Systems with Linux Microconference, where community members are collaborating with kernel developers to improve how Linux supports systems with safety-critical requirements. The MC will explore real progress in linking code, requirements, and tests to reduce technical debt, improve traceability, and support dependable kernel development. Early pilots in subsystems like TRACING have already uncovered and resolved previously unknown issues a strong signal that this approach can benefit more of the kernel.

If you are attending LPC, remember to join the discussions at Safe Systems Linux Microconference.

Session Highlights:

Aspects of Dependable Linux Systems – Kate Stewart (Linux Foundation), Philipp Ahmann (Etas GmbH (BOSCH)) – 12 Dec 2025, 10:00

In regulated industries, Linux is widely used due to its strong software capabilities in areas such as dependability, reliability, and robustness. These industries follow best practices in terms of processes for requirements, design, verification, and change management. These processes are defined in standards that are typically not accessible to the open source kernel community.

However, since these standards represent best practices, they can be incorporated into structured development environments like the Linux kernel even without the knowledge of such standards. The kernel development process is trusted in critical infrastructure systems as it already covers many process elements directly or indirectly.

The purpose of this session is to initiate a discussion on what is currently available and what may be missing in order to enhance the dependability and robustness of Linux kernel-based systems. How can the artifacts be connected? Where are the appropriate places to maintain them? And who is the best responsible for each element of the development lifecycle?

NVIDIA Approach for Achieving ASIL B Qualified Linux: minimizing expectations from upstream kernel processes -Igor Stoppa (nvidia) -12 Dec 2025, 10:10am

Unlike the typical path chosen for attempting to use Linux in safety applications, the approach developed by NVIDIA strives to avoid placing any burden on upstream maintainers and developers. Upstream maintainers should not have to become safety experts, nor the linux kernel should become encumbered by verbose descriptions of what the code does, for it to achieve safety. We want to start a discussion about how we achieve this, and how it can coexist with upstream processes.

Applying Program Verification to Linux Kernel Code: Challenges, Practices, and Automation – Keisuke Nishimura – 12 Dec 2025, 10:35

To maintain software safety, defining specifications and ensuring that implementations meet them are both important. The former has become popular in the Linux kernel in various ways [1,2], while the latter still depends on developers’ manual effort. Recent advances in techniques and tools, however, have made it feasible to systematically apply program verification to Linux kernel code.

In this talk, we share our experience and practices from ongoing work on verifying task-scheduler code of the Linux kernel. We illustrate the challenges we encountered and how verification can be effectively applied in practice, through case studies (e.g., [3,4]) where proving the correctness of certain kernel features resulted in uncovering real bugs (e.g., [5,6]). Furthermore, we present our work to automate this process as much as possible, making verification more practical and scalable. Our goal is to explore how verification can be made a practical part of the Linux kernel development process.

[1] https://lore.kernel.org/all/20250614134858.790460-1-sashal@kernel.org/ “Kernel API Specification Framework”
[2] https://lore.kernel.org/all/20250910170000.6475-1-gpaoloni@redhat.com/ “Add testable code specifications”
[3] Julia Lawall, Keisuke Nishimura, and Jean-Pierre Lozi. 2024. Should We Balance? Towards Formal Verification of the Linux Kernel Scheduler. SAS 2024.
[4] Julia Lawall, Keisuke Nishimura, and Jean-Pierre Lozi. 2025. Understanding Linux Kernel Code through Formal Verification: A Case Study of the Task-Scheduler Function select_idle_core. OLIVIERFEST ’25.
[5] https://lore.kernel.org/all/20231030172945.1505532-1-keisuke.nishimura@inria.fr/ “sched/fair: Fix the decision for load balance”
[6] https://lore.kernel.org/all/20231214175551.629945-1-keisuke.nishimura@inria.fr/ “sched/fair: take into account scheduling domain in select_idle_smt()”

Defining and maintaining requirements in the Linux Kernel – Chuck Wolber, Gabriele Paoloni (Red Hat), Kate Stewart (Linux Foundation) – 12 Dec 2025, 11:00

Last year in Vienna we held a session about “Improving kernel design documentation and involving experts”.
Following such session the ELISA Architecture working group drafted an initial template for the SW Requirements definition, started documenting the expected behaviour for different functions in the TRACING subsystem and made upstream contribution accordingly and finally also started reviewing and adopting a framework for formally specifying kernel APIs (developed and proposed by Sasha Levin [1]).
This session aims to present the latest updates and to involve the experts to define the best next steps for having a path to introduce and maintain requirements in the Kernel (and link them to tests and other verification measures)

[1] https://lore.kernel.org/all/20250711114248.2288591-1-sashal@kernel.org/

KUnit Testing Insufficiencies – Matthew Whitehead (The Boeing Company) – 12 Dec 2025, 12:00

High-integrity applications require rigorous testing to ensure both reliability and compliance with industry standards. Current testing frameworks for the Linux kernel, such as KUnit, face challenges in scalability and integration, particularly in environments with strict certification requirements.

KUnit tests, which are currently the most widely accepted and used solution for testing Linux kernel source code, have a number of drawbacks in the way they are built and executed. The KUnit framework lacks feature parity with other modern unit test frameworks, making it difficult to achieve comprehensive and robust low-level test coverage. Furthermore, the way KUnit tests are built and executed creates a lack of scalability, which is necessary to create and maintain the many thousands of tests that will be required to verify functionality in a robust, complete, and automatable way.

KUnit tests are integrated into the Linux binary. This requires building the kernel and running it to execute the tests. Additionally, the high volume of tests needed for adequate coverage would increase the size of the kernel beyond what is manageable. This makes it necessary to divide the tests so that multiple kernels with different sets of tests are built. This, in turn, necessitates additional analysis to prove that the changes made in each of these individual kernel builds do not negatively impact the fidelity of the tests for the targeted features. Considering the lengthy build and execution times, along with the need to build and analyze multiple kernels, it is evident that scaling up to the creation and maintenance of thousands of tests poses significant challenges.

In addition to the scalability issues, KUnit lacks essential features needed for testing highly reliable systems. It does not provide a consistent, maintainable, and automatable way to isolate small sections of code. This is crucial for low-level testing and coverage. For example, consider a function A that has dependencies on three other functions, B, C, and D. When testing function A, the results of functions B, C, and D may influence the execution path in function A. However, it is not desirable to actually test the implementation of functions B, C, and D. In most common unit test environments, it is straightforward to create either a fake or mock implementation of those functions in the test file, or to link to an object file that contains a fake or mock of those functions. In KUnit, achieving “mocking” (or at least a similar effect) requires creating a patch that modifies the kernel. The simplest approach is to use conditional compilation macros that are controlled through kernel configuration to generate mock versions of the tested function’s dependencies. Every time a mock or fake is used, it must be manually created and maintained through patches. When this effort is multiplied by thousands of tests, the maintenance burden becomes evident.

Topics for discussion:

  • Addition of unit test capabilities (extending KUnit or otherwise) that allow the compilation and testing of small, isolated sections of the Linux kernel source out of tree.
  • Ability to test Linux kernel source in tests that run in user space (requires the aforementioned compilation out of tree with external tools).
  • Integration of mocking of test dependencies (preferably automatically).

Exploring possibilities for integrating StrictDoc with ELISA’s requirements template approach for the Linux kernel – Tobias Deiminger (Linutronix GmbH) – 12 Dec 2025, 12:25

The ELISA project currently works on bringing the Linux kernel closer to safety compliance by proposing enhancements to the kernel documentation. This includes a model expressed as requirement templates inlined to source code. At the same time, comparable efforts with a similar goal are also ongoing in the wider open-source ecosystem. For example, the Zephyr OS is using the FLOSS StrictDoc model and tool to capture and process requirements. Another example is Linutronix who reached IEC 62443 4-2 security certification by using StrictDoc to trace requirements, design and tests for their Debian based IGLOS Secure Beacon embedded system.

This talk picks up the work of ELISA and compares it to a typical StrictDoc setup with the intention to show that both efforts could be joined. While ELISA focuses on the model and assumes tools will emerge from the community, StrictDoc both defines a similar model and provides mature tooling to validate and render requirements, design and tests. We’ll see that the majority of the needs set by ELISA are already fulfilled by StrictDoc. Notably, ELISA’s SPDX-REQ-* tags can be represented and parsed with StrictDoc’s “Parsing SDoc nodes from source code comments” feature. The remaining gap is drift detection, i.e. to store the hash sum over project ID, source file, requirement text and proximal code with the intention to signal a human to check if requirement and code still align when some of the criteria changes. StrictDoc knows meta data, content and proximal code by function name, class name and line ranges, but has no hash generation built in yet. However, StrictDoc is advanced in defining language constructs as part of the model (functions, classes, test cases). It is also advanced in applicability, where for example OEM requirements and OSS project requirements can be linked together in one compatible model and in consequence can be processed and validated by the same tool in a single run. Various input/output format converters exist and customization of validation is next on the roadmap.

The talk concludes with the proposal that StrictDoc could close its gaps by implementing hash generation, optimizing ELISA requirement template parsing and by setting up conformity tests to maintain compatibility. ELISA could in turn list StrictDoc as one of their reference tools, and kernel developers will be invited to try it in their workflow.

BASIL: Open Source Traceability for Safety-Critical Systems” – Luigi Pellecchia – 12 Dec 2025, 12:40

Ensuring traceability and compliance remains a major challenge in the development of safety-critical systems. BASIL — The FuSa Spice — is an open-source tool from the ELISA Project that helps engineers manage traceability across documentation, requirements, implementation, testing, and safety evidence. Designed to integrate seamlessly with existing tools and test infrastructures, BASIL offers a practical and extensible solution to support functional safety assessments and audits.
This talk introduces BASIL’s architecture and key features, illustrates its application in real-world safety workflows, and highlights opportunities for community collaboration. Attendees will discover how BASIL brings openness, automation, and transparency to traceability management in safety-critical software projects.

Tooling and Sharing Traceability Discussion – Luigi Pellecchia, Matthew Whitehead (The Boeing Company), Tobias Deiminger (Linutronix GmbH) – 12 Dec 2025, 12:55

Open Discussion based on previous agenda items

Wrap up and next steps – Kate Stewart (Linux Foundation), Philipp Ahmann (Etas GmbH (BOSCH)) – 12 Dec 2025, 13:20

Learn more about the sessions here.

To register check here.

Nov 13

Robotics and Space Grade Linux at ROSCon 2025 Singapore

By Blog, Industry Conference, Space Grade Linux

The Space Grade Linux (SGL) team participated in ROSCon 2025, held in Singapore from October 27-29, to engage directly with the global robotics community and strengthen collaboration across open-source robotics and space technology. The event brought together more than 1,000 attendees from research institutions, industry, and open source projects, representing one of the most diverse and active developer ecosystems in robotics today.

ROSCon serves as the primary annual conference for the Robot Operating System (ROS) ecosystem. ROS is an open-source middleware framework that powers a wide range of robotics platforms, from industrial manipulators and autonomous vehicles to aerial and space systems. It is hosted by the Open Source Robotics Alliance (OSRA), an independent non-profit organization that supports the growth, governance, and long-term sustainability of the ROS ecosystem. ROSCon provides a space for developers, researchers, and organizations to collaborate, share experiences, and learn about the latest advances in robotics software.

The Space Grade Linux (SGL) initiative, launched in December 2024, is hosted under the Enabling Linux in Safety Applications (ELISA) project, an open collaboration within the Linux Foundation. ELISA’s mission is to help industries build Linux-based systems for use in safety-critical domains such as automotive, medical, industrial, aerospace, and now space. By providing a forum for companies and research groups to define safety frameworks, develop tooling, and share best practices, ELISA enables projects like Space Grade Linux to leverage the strengths of open-source development while meeting the rigorous requirements of mission-critical environments. Through this collaboration, the SGL community benefits from ELISA’s established processes for safety analysis, continuous integration testing, and compliance documentation, creating a strong foundation for future space-ready Linux systems.

Space Grade Linux brings together experts from aerospace, robotics, and embedded Linux to create an open, safety-focused operating system platform for space applications. The project aims to make Linux reliable and predictable in environments where failure is not an option, while remaining fully open and collaborative. The initiative serves as a bridge between the robotics and space communities, where shared principles such as real-time performance, autonomy, and open collaboration are essential.

This year’s conference featured the first live hardware demonstration of a Microchip-based implementation of Space Grade Linux running Space ROS, presented by Rob Woolley (Wind River). The demo highlighted how the same open technologies that enable robust automotive and industrial systems are now being adapted for the extreme reliability and determinism required in space applications.

Ramón Roche, SGL group lead, delivered a Lightning Talk inviting developers working in space and robotics to join the SGL community’s monthly meetings. He emphasized the importance of collaboration across domains, encouraging experts from aerospace, automotive, and embedded Linux to work together toward a unified ecosystem for open and certifiable space software.

In his technical session, Rob Woolley gave an in-depth presentation on OpenEmbedded and its role as the build foundation for both Automotive Grade Linux and Space Grade Linux. His talk outlined the ongoing integration work between Space ROS and SGL, and discussed plans to establish Space Grade Linux as a standalone foundation project under the Linux Foundation umbrella.

The event provided valuable opportunities for in-person discussions between developers, researchers, and maintainers working at the intersection of ROS, Linux, and aerospace systems. The SGL team will continue collaborating with the ROS and Space ROS communities to advance open standards, reliability, and interoperability in mission-critical robotics.

Nov 11
ELISA Project - Open Source Summit: Tokyo, Japan 2025

ELISA Project at Open Source Summit: Tokyo, Japan 2025

By Ambassadors, Blog, Critical Software Summit, Safety-Critical Software Summit

Open Source Summit is the place to connect directly with the people shaping open source – maintainers, developers, and community leaders, while learning from their experience and insights. It’s an opportunity to discover emerging technologies, explore practical solutions you can apply immediately, and collaborate on ideas and code that drive projects forward. Whether you’re looking to grow your skills, expand your network, or advance your career, the summit offers a unique environment to learn, contribute, and be part of the momentum powering the future of open source.

ELISA project will be represented by our community members at the Safety Critical Track.

This track explores the intersection of open source and safety standards, covering best practices for regulatory compliance, security updates, and safety engineering. Sessions will delve into requirements traceability, quality assessments, safety analysis methodologies, and technical development for safety-critical systems. Learn more.

Track Highlights:

1. Keynote: Space Grade Linux: Building a Safer, Open Source Future for Space Systems – Ramon Roche, General Manager, Dronecode Foundation

As launch cadence increases and development cycles tighten, the space industry turns to open source to meet the moment. Enter Space Grade Linux (SGL) — an initiative under the ELISA Project aimed at creating a reusable, safety-aware Linux foundation for spaceflight systems.

This talk will introduce the goals and current status of SGL, highlighting three foundational focus areas:
1. Kernel Configuration – Defining a shared starting point for space-focused Linux systems, emphasizing predictability, determinism, and traceability.
2. Booting into Linux: Exploring the safety-critical implications of system bring-up and strategies for improving reliability in space-grade deployments.
3. Userspace Strategy – Discussing early-stage decisions around minimal runtime environments, supervision, and what a safe, maintainable userspace might look like.

Attendees will get a hands-on overview of what’s already available in the GitHub repository, including a Yocto-based reference implementation and working kernel configuration. More importantly, they’ll learn how to get involved — through technical contributions, architecture discussions, or community collaboration.

2. A Human-Centric Quality Assurance Process for Open Source Software Projects – Wendi Urribarri & Carlos Ramirez, Woven by Toyota – Wednesday December 10, 2025 11:10 – 11:50 JST

As autonomous systems become part of our daily environments, ensuring software quality is critical, especially when defects can cause physical harm. In safety-critical domains like automotive, functional safety must be supported by development processes that ensure high quality and reliability, not only for embedded systems but also, in some cases, for software tools.

This talk presents an approach to support quality assurance of open source software projects. What sets this effort apart is the proposed integration of a human-centric quality strategy, rooted in human-error research informed by cognitive psychology and human factors, in the development process of these projects. We introduce a defect prediction engine designed to anticipate common error modes, enabling proactive defect prevention, focused code reviews, and targeted documentation checks. Our approach offers a fresh perspective on improving software quality across domains while aligning with the expectations of safety-critical frameworks.

3. Comparison and Proposal of Vulnerability Management Approaches in Yocto-Based Linux for the CRA – Akihiko Takahashi, Fujitsu Limited – Wednesday December 10, 2025 12:00 – 12:40 JST

Fujitsu has long provided multilateral support for SPDX, especially through activities in Yocto and SPDX. From 2016, we have been joining maintainers of meta-spdxscanner, enabling SPDX functionality for the Yocto Project. In 2024, We joined OpenSSF to enhance the security and trustworthiness of the global software supply chain. This marked a step forward in our continued dedication to this mission.

Due to the EU CRA, manufacturers in the EU will be obligated to report vulnerabilities starting in September 2026. In the context of Yocto, several vulnerability management approaches are being considered, such as cve-check, yocto-vex-check, and third-party tools. However, as of now, there is no clearly established best practice.
In this session, we will apply these vulnerability management approaches to practical use cases relevant to manufacturers covered by the CRA. The comparison includes the use of SBOMs and VEX to evaluate the effectiveness of each method. Through this analysis, we will clarify the strengths and challenges of vulnerability management in Yocto-based Linux and propose which approach is most suitable depending on the context.

4. Driving Safety Forward: Lessons Learned From Deploying OSS in Real-world Automotive – Jaylin Yu, EMQ – Wednesday December 10, 2025 14:00 – 14:40 JST

While OSS in Automotive is seen as the holy grail to solve SDV complexity challenges with faster time to market and higher performance, it still lacks practical real-world examples and showcases that address OSS usage in compliance with the stringent safety and security demands of Automotive.
In this talk, the author shares his real-world story of bringing OSS into mass production vehicles. This includes the impact of a healthy open-source community and how academic research helped solve security gaps, leading to increased system stability. This also embraces the impact of the software supply chain, providing a proven approach, refined through failures, helping to lower dependency risk for MQTT-based remote vehicle diagnostics.
The session is rounded out by highlighting the link between system utilities and safety functions, covering time synchronization, dependency management, and data integrity within a Linux system, which impact the selection of a file system, and what happens when a customer suddenly requires STR.
The audience will leave the session with a holistic impression of what to consider when creating a secure, safe, OSS-based SDV automotive system.

5. Decoding Safe(ty) Linux Architectural Approaches for Critical Systems – Philipp Ahmann, Etas GmbH – Wednesday December 10, 2025 14:50 – 15:30 JST

For years, diverse interpretations about what it means to “enable Linux in safety applications” exist – an observation spanning multiple industries but particularly pronounced in automotive. With its long history of Linux adoption (like AGL) and current software-defined vehicle (SDV) innovation challenges, the automotive sector is undergoing a transition by both manufacturers and suppliers seeking to implement Linux also in safety critical production systems.

This presentation intends to resolve confusion around the terminology “safety Linux” versus “safe Linux”, clarifying where safety responsibility is allocated to Linux itself versus handled at the system level. By examining architectural system concepts currently implemented in products or under development, the author cuts through marketing rhetoric to provide clear distinctions between approaches. It showcases solutions employed by distributors and identifies crucial elements for safety argumentation like watchdog & monitoring.

Attendees will gain practical insights for evaluating safety approaches in Linux-based systems, including key questions to ask when assessing different safety concepts.

6. LF Energy 101: How Open Source Is Powering the Digital Energy Transition – Darshan Chawda & Nao Nishijima, Hitachi -Wednesday December 10, 2025 16:40 – 17:20 JST

The current energy sector must shift from legacy control systems, which are rigid and hardware-bound, to digital, software-defined systems that enable greater sustainability, resilience, and intelligence. To support this transformation, LF Energy, a Linux Foundation initiative, has empowered industrial partners for over seven years to collaborate through community-driven OSS projects, accelerating innovation across the digital energy ecosystem.

This talk offers a beginner-friendly introduction to LF Energy and its key projects, with a demo highlighting their role in virtualizing substations, forecasting energy, and simplifying operations through automation. These projects show how IT and AI technologies enhance grid safety, which is critical because failures in energy systems can disrupt public infrastructure. However, unlike pure IT systems, energy infrastructure relies heavily on physical hardware, making large-scale digital adoption more complex. LF Energy’s open innovation model, focused on IT/OT convergence, helps overcome these barriers by enabling redundancy, virtualization, and collaborative development, which leads to a more reliable and intelligent energy future.

Learn more about the event and register here.

Nov 06

ELISA seminar recap : Introduction to Requirements Engineering – Pete Brink, UL Solutions

By Blog, Seminar Series

Pete Brink from UL Solutions led an ELISA seminar on the basics of requirements engineering. He explained why teams write requirements, how to know when you are “done,” and how safety-critical work raises the bar. Requirements describe what a system must do and how well it must do it, not how to implement it. They can be functional (including safety and security behavior) or non-functional (performance, resource, thermal, mechanical, usability, and similar constraints). Pete stressed an iterative process: elicit from stakeholders, analyze and validate, write the spec, verify requirement quality, and then do architecture, design, coding, and testing. Testing spans unit, component, integration, and acceptance to prove the requirements were fulfilled. He noted that language is imprecise, so clarity, atomicity, unique IDs, status, allocation, and traceability are essential. Text can be supported with diagrams and models (semi-formal); full formal notation is used rarely. Tooling in practice often includes markdown in GitHub; community tools like StrictDoc and others are emerging, but traceability remains hard.

Pete showed weak vs. improved requirements, fixing ambiguity like “regular intervals” and splitting “and/should” into separate, testable statements with precise timing and tolerances. He introduced EARS (Easy Approach to Requirements Syntax) to give simple, consistent sentence patterns, including ubiquitous, event-driven, state-driven, and optional-feature forms (useful for things like debug vs. release or hardware variants). Detail should match criticality: too little raises risk; too much raises cost. Open source adds challenges because code often exists first; teams may derive requirements from observed behavior or refactor to align with clearer, testable specs. In Q&A, attendees discussed automotive vs. aerospace use of formal methods, handling hardware variants and build types, and authoring options like LaTeX and Sphinx.

The core message: write clear, atomic, testable requirements, keep them implementation-free, manage them with discipline, and iterate whenever design and testing reveal issues.

ELISA Project Seminar Series focuses on hot topics related to ELISA’s mission to define and maintain a common set of elements, processes and tools that can be incorporated into Linux-based, safety-critical systems amenable to safety certification. Speakers are members, contributors and thought leaders from the ELISA Project and surrounding communities. Each seminar comprises a 45-minute presentation and a 15-minute Q&A, and it’s free to attend.

Watch the previous Seminar series here.

Oct 22
ELISA project at the OSS Europe 2025 - Blog 4

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 4

By Blog, Critical Software Summit, Industry Conference, Safety-Critical Software Summit

The ELISA Project participated in Open Source Summit Europe 2025 (August 25–27, Amsterdam), the premier gathering for open source developers, technologists, and community leaders. With over 2,000 attendees representing 900+ organizations, the event showcased the strength, diversity, and innovation of the ecosystem.

For ELISA (Enabling Linux in Safety Applications), the summit was an invaluable opportunity to engage with developers, architects, and functional safety experts working at the intersection of Linux and safety-critical systems. ELISA was featured prominently in the Safety-Critical Software Summit, where sessions explored topics such as kernel safety, automotive innovation, and compliance and trust in regulated environments.

Sessions covered a wide range of important topics, including kernel safety (identifying weaknesses, fault propagation, and Linux as a safety element out of context), automotive innovation (safe platforms, prototyping frameworks, and software-defined vehicles), and compliance and trust (continuous compliance, traceability, and statistical methods in safety analysis). These talks reflected the growing maturity of the ecosystem and highlighted the shared challenges the community is tackling from technical methodologies to regulatory alignment.

This week we highlight two talks from the Safety Critical Summit session:

Shifting Safety Techniques To a Statistical World – Imanol Allende & Nicholas Mc Guire

As safety-critical systems grow ever more complex, the traditional deterministic mindset that has long guided safety engineering is reaching its limits. In their Open Source Summit Europe 2025 talk, “Shifting Safety Techniques to a Statistical World,” Imanol Allende (Codethink) and Nicholas Mc Guire (OpenTech) challenge conventional assumptions about how we design and assure safety in modern systems.

Today’s high-performance, interconnected platforms from autonomous vehicles to adaptive software systems exhibit inherent non-determinism. Their behavior cannot always be broken down and analyzed piece by piece, as Descartes’ reductionist approach once suggested. Instead, these systems display emergent properties that arise from complex interactions, requiring a more holistic lens.

Imanol and Nicholas argue that the next evolution in safety engineering lies in statistical system analysis. Approaches such as Probabilistic Worst Case Execution Time (pWCET) and Statistical Path Coverage offer promising ways to quantify and manage uncertainty in highly dynamic environments. These methods shift assurance from absolute determinism toward probabilistic confidence, reflecting the true behavior of modern computing platforms.

The talk outlines both the limitations of traditional safety techniques and the opportunities of statistical methods, emphasizing what will be needed methodologically, technically, and culturally for such approaches to gain acceptance within the functional safety domain.

In conclusion, this session invites the safety community to embrace uncertainty not as a flaw, but as a measurable feature of complex systems and to evolve its tools and thinking accordingly.

Engineering Trust: Formulating Continuous Compliance for Open Source – Paul Albertella & Kaspar Matas, Codethink

In this session, “Engineering Trust: Formulating Continuous Compliance for Open Source,” Paul Albertella and Kaspar Matas (Codethink) argue that software requirements, as commonly practiced, are broken. High-level requirements often collapse into feature wish lists; low-level requirements drift into after-the-fact narratives. Formal process models tend to treat the dynamism of FOSS as a defect—yet that very fluidity is a core strength and the result is that project intent and expectations get lost in the noise.

Enter the Eclipse Trustable Software Framework (TSF): a lightweight, continuous compliance framework built by and for open source. TSF lets projects organize and evidence their own objectives not only those imposed by standards while remaining workflow-agnostic and requiring only git. By managing objectives, reasoning, and artifacts alongside code, TSF closes the gap between paper processes and real engineering practice.

TSF’s distinctive outcome is an automated, transparent, traceable body of evidence quantified by a confidence score. That score helps teams decide where to focus next and gives consumers a concrete way to evaluate their trust in the software. Evidence can reference code, tests, results, and validators; hashes and links keep the graph consistent as projects evolve and CI runs.

The talk walks through TSF’s model and usage, then shows how its statements, evidence, and objectives can be mapped to functional safety standards (e.g., IEC 61508 or ISO 26262) to support certification and ongoing assessment. The message is pragmatic: keep the agility of open source, but capture intent and proof continuously so compliance becomes a living activity, not a one-off paperwork sprint.

MISRA C and C++ in OSS: Yes, We Can! – Roberto Bagnara, BUGSENG / University of Parma

In his presentation, “MISRA C and C++ in OSS: Yes, We Can!”, Roberto Bagnara (BUGSENG / University of Parma) challenged a long-standing assumption: that safety- and security-critical software written in C or C++ is fundamentally incompatible with open source development.

C and C++ have powered decades of system software efficient, portable, and close to the hardware but their origins in the 1970s also carry forward deep weaknesses. Undefined and unspecified behaviors, lack of runtime checks, and a “trust the programmer” philosophy make them risky foundations for modern critical systems. When open source software becomes part of automotive, aerospace, or industrial platforms, these risks demand a structured mitigation and that’s where MISRA C and MISRA C++ come in.

MISRA defines safe subsets of C and C++, guiding developers away from dangerous constructs and toward predictable, reviewable code. These rules are not about finding bugs, but about preventing entire classes of failures by design. Mandatory rules prevent undefined behavior; advisory rules promote clarity and verifiability. Importantly, deviations are allowed if they are justified, documented, and demonstrably safe.

Roberto highlighted real-world experience applying MISRA to major open source projects such as Xen, Zephyr, and Trusted Firmware, where compliance was achieved through a combination of training, tailoring, and tooling the “three T’s.” His team’s static analysis tool ECLAIR integrates MISRA checking into continuous integration, helping projects track compliance as they evolve.

The results are encouraging: projects once reporting millions of rule violations now maintain near-complete compliance, with violations justified or eliminated and regressions automatically detected.

The key insight: safety and openness are not mutually exclusive. With collaboration, tailored guidelines, and the right tools, even complex open source ecosystems can move toward MISRA-aligned development building a foundation of trustable, verifiable software for the systems that matter most.

What’s Next?

Together, these perspectives point to a pragmatic future: combine statistical assurance, continuous evidence, and disciplined coding subsets to make safety an ongoing, collaborative property of open source.

If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.

Oct 09
ELISA project recap blog from the Open Source Summit - Part 3

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 3

By Blog, Critical Software Summit, Industry Conference, Safety-Critical Software Summit

The ELISA Project participated in Open Source Summit Europe 2025 (August 25–27, Amsterdam), the premier gathering for open source developers, technologists, and community leaders. With over 2,000 attendees representing 900+ organizations, the event showcased the strength, diversity, and innovation of the ecosystem.

For ELISA (Enabling Linux in Safety Applications), the summit was an invaluable opportunity to engage with developers, architects, and functional safety experts working at the intersection of Linux and safety-critical systems. ELISA was featured prominently in the Safety-Critical Software Summit, where sessions explored topics such as kernel safety, automotive innovation, and compliance and trust in regulated environments.

Sessions covered a wide range of important topics, including kernel safety (identifying weaknesses, fault propagation, and Linux as a safety element out of context), automotive innovation (safe platforms, prototyping frameworks, and software-defined vehicles), and compliance and trust (continuous compliance, traceability, and statistical methods in safety analysis). These talks reflected the growing maturity of the ecosystem and highlighted the shared challenges the community is tackling from technical methodologies to regulatory alignment.

This week we highlight two talks from the Safety Critical Summit session:

Insights Into the Safe Open Source Vehicle Core Project for SDV – Philipp Ahmann, Etas GmbH (BOSCH)

The Safe Open Source Vehicle Core (S-Core) project, presented by Philipp Ahmann of ETAS (Bosch), is a collaborative, code-first effort to build a safety-certifiable middleware stack for software-defined vehicles (SDVs). Targeting the layers above the operating system, S-Core complements ELISA’s work and aims for ISO 26262, ASPICE, and ISO 21434 compliance. It supports POSIX-based systems like Automotive Grade Linux and Zephyr, is developed in C++ and Rust, and offers a VS Code-based dev environment with containerized builds.

Using a docs-as-code workflow with Sphinx, PlantUML, and Bazel, S-Core tightly links documentation, code, and testing through automated CI. Modules such as IPC, logging, and data persistence are under active development, with contributions from 70+ developers across 10+ companies.

Following a V-model safety process, S-Core builds in traceability, audits, and ASIL-B-level rigor, while distributors will handle final certification and integration. With a 0.5 release planned for late 2025 and 1.0 in 2026, the project is establishing a shared, open, and certifiable foundation for the next generation of safety-critical automotive software.

AutoSD: A Linux Development and Prototyping Framework for the Automotive Community – Alessandro Carminati & Gabriele Paoloni, Red Hat

AutoSD presented by Alessandro Carminati and Gabriele Paoloni (Red Hat) is an upstream, community-driven Linux distribution for automotive, backed by the CentOS Automotive SIG and serving as a public preview of Red Hat’s in-vehicle OS. Built on CentOS Stream, AutoSD adds automotive essentials: a real-time tuned Linux kernel, OSTree for transactional, rollback-safe updates, and containerized mixed-criticality so safety functions can run alongside infotainment without interference. A docs-as-code + CI approach keeps code, tests, and documentation aligned; images are declaratively built (YAML) via the Automotive Image Builder/OSBuild toolchain, and shipped as a binary distro for fast, reproducible onboarding.

A major focus is hardware enablement without the usual pain. If a SoC/board is already supported, you can boot prebuilt images and prototypes immediately. If drivers are upstream, contributors can add and maintain support in AutoSD under an upstream-first policy. For newly supported silicon, teams can evaluate quickly using a vendor BSP (“Frankenbuild”) but are encouraged to move to out-of-tree modules built against AutoSD’s stable kernel ABI for a maintainable, near-production path while upstreaming progresses.

Safety is treated as architecture, not afterthought: namespaces/cgroups isolate workloads, containers enforce domain boundaries, the kernel is real-time tuned, and intensive stress/fuzz testing (e.g., syzkaller + KASan) underpins freedom-from-interference claims. In Red Hat’s commercial in-vehicle OS, the same model maps to ASIL-B safety partitions (with a hardware watchdog and hardware-specific certification), while AutoSD remains the open, rapid-prototyping lane. Tightly aligned with communities like ELISA and Eclipse SDV, AutoSD offers a reference framework the industry can actually build on: contribute patches, enable new SoCs, propose features, and help shape a secure, updatable, and certifiable Linux base for software-defined vehicles.

What’s Next?

If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.

Oct 07
ELISA project at Open Source Summit Europe 2025

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 2

By Blog, Critical Software Summit, Safety-Critical Software Summit

The ELISA Project participated in Open Source Summit Europe 2025 (August 25–27, Amsterdam), the premier gathering for open source developers, technologists, and community leaders. With over 2,000 attendees representing 900+ organizations, the event showcased the strength, diversity, and innovation of the ecosystem.

For ELISA (Enabling Linux in Safety Applications), the summit was an invaluable opportunity to engage with developers, architects, and functional safety experts working at the intersection of Linux and safety-critical systems. ELISA was featured prominently in the Safety-Critical Software Summit, where sessions explored topics such as kernel safety, automotive innovation, and compliance and trust in regulated environments.

Sessions covered a wide range of important topics, including kernel safety (identifying weaknesses, fault propagation, and Linux as a safety element out of context), automotive innovation (safe platforms, prototyping frameworks, and software-defined vehicles), and compliance and trust (continuous compliance, traceability, and statistical methods in safety analysis). These talks reflected the growing maturity of the ecosystem and highlighted the shared challenges the community is tackling from technical methodologies to regulatory alignment.

This week we highlight two talks from the Safety Critical Summit session:

BASIL – What’s New, What’s Next – Luigi Pellecchia, Red Hat

At the Open Source Summit Amsterdam, during the Safety-Critical track, Luigi Pellecchia, Principal Software Quality Engineer at Red Hat and member of the ELISA Technical Steering Committee, presented the session “BASIL – What’s New, What’s Next.” BASIL is an open source tool designed to build and maintain requirements traceability for safety-critical systems in a collaborative environment. It helps engineers link requirements, test specifications, test cases, justifications, and documents into a unified traceability matrix. The tool features a web interface, a REST API for automation, and supports test execution through both built-in and external infrastructures. It also tracks all changes, manages users with fine-grained permissions, and exports full SPDX-based design SBOMs, ensuring complete traceability from design to verification.

Recent developments in BASIL include support for SPDX traceability export, import of requirements in multiple formats (CSV, JSON, YAML, StrictDoc, SPDX), and the ability to scan and import test repositories using TMT (Test Management Tool). The system now offers enhanced user management, allowing admins to clone permission sets, configure email servers for password resets, and simplify collaboration on shared components. New integrations include LAVA, enabling users to list, map, and trigger test runs from external infrastructures like GitLab CI, GitHub Actions, KernelCI, and Testing Farm. BASIL also introduces AI-assisted authoring, where large language models help draft test specifications and cases directly from selected document sections. Additional improvements include re-enabled end-to-end and API testing, broader browser compatibility, and better usability in shared environments.

In his demo, Luigi showcased how BASIL lets users select a reference document, break it into sections, and map traceable items on top. The system visualizes coverage and gaps, links tests to requirements, and executes or imports test results seamlessly. It can generate a design SBOM capturing the full traceability structure useful for ISO 26262 and similar compliance audits.

Looking ahead, the roadmap includes hierarchical document mapping, multi-reference document support, and baseline snapshots for point-in-time reviews. The team plans to migrate to PostgreSQL for scalability, improve file and folder management, enhance LAVA plugin templates, and align with the SPDX Safety Profile 3.1 specification. A PDF export option for assessors is also under consideration.

BASIL continues to evolve as a cornerstone in open source safety-critical development bringing together transparency, automation, and compliance readiness. 

From Chaos to Control: Overcoming C and C++’s Inherent Unsafety – Assaf Tzur-El, Simple. Technology

In this talk, Assaf Tzur-El argues that the languages’ twin hazards are unsafety (buffer overflows, lifetime misuse, races) and unpredictability (undefined/unspecified/implementation-defined behavior). A “simple” line can become a CVE; a runtime divide-by-zero may legally do anything; evaluation order of f(a(), b(), c()) can change between calls; even fundamentals like sizeof(long) and char signedness vary. Calls to “just use Rust” collide with reality: massive legacy codebases, entrenched toolchains, domain constraints (real-time, performance, low-level access), and developer expertise mean wholesale migration isn’t practical.

The pragmatic path is discipline + enforcement. Discipline comes from structured guidelines MISRA C / MISRA C++ which codify dos and don’ts across categories (mandatory/required/advisory), with ~80% decidable by tools. Enforcement comes from wiring those rules into your pipeline: static analysis (e.g., clang-tidy/Sonar/Klocwork), -Wall -Werror, and CI gating. 

Assaf illustrates how MISRA’s seemingly vague rules (e.g., “switch shall be appropriately structured”) unpack into precise checks (always have default), and how apparent collisions (e.g., “no unreachable code”) resolve once you read the rationale. Around that core, adopt defensive programming (“trust no input”), Secure-by-Design practices, and standards awareness (ISO 26262 et al.) to make failures rarer and more predictable when they do happen.

What’s Next?

The Safety-Critical track showed how open source is moving from complexity to control. BASIL is helping teams build clear, verifiable links between requirements, tests, and results bringing real traceability to safety-critical development. At the same time, Assaf Tzur-El reminded us that while C and C++ aren’t going away, we can make them safer through guidelines like MISRA, static analysis, and a defensive coding mindset.

Together, these talks highlight a shared goal: making open source software more reliable and trustworthy for safety-critical use. Stay tuned for more session highlights, and consider joining ELISA working groups to help advance safe, open software for all.

Sep 24
open source summit - Europe - 2025

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 1

By Blog, Critical Software Summit, Industry Conference, Linux Foundation, Safety-Critical Software Summit

The ELISA Project participated in Open Source Summit Europe 2025 (August 25–27, Amsterdam), the premier gathering for open source developers, technologists, and community leaders. With over 2,000 attendees representing 900+ organizations, the event showcased the strength, diversity, and innovation of the ecosystem.

For ELISA (Enabling Linux in Safety Applications), the summit was an invaluable opportunity to engage with developers, architects, and functional safety experts working at the intersection of Linux and safety-critical systems. ELISA was featured prominently in the Safety-Critical Software Summit, where sessions explored topics such as kernel safety, automotive innovation, and compliance and trust in regulated environments.

Sessions covered a wide range of important topics, including kernel safety (identifying weaknesses, fault propagation, and Linux as a safety element out of context), automotive innovation (safe platforms, prototyping frameworks, and software-defined vehicles), and compliance and trust (continuous compliance, traceability, and statistical methods in safety analysis). These talks reflected the growing maturity of the ecosystem and highlighted the shared challenges the community is tackling from technical methodologies to regulatory alignment.

This week we highlight two talks from the Safety Critical Summit session:

Looking at Linux as a SEooC – Kate Stewart, The Linux Foundation; Nicole Pappler, AlektoMetis & Chuck Wolber, The Boeing Company

Linux is increasingly deployed in safety-critical systems as a Safety Element out of Context (SEooC), yet its scale and rapid evolution, thousands of contributors and near-continuous upstream change pose unique assurance challenges. This talk explains what SEooC means in practice, why it should be understood as a “safety element with assumed context,” and the implications for integrators: a SEooC is not plug-and-play. System developers remain responsible for confirming compatibility, reviewing the safety manual and assumptions of use, ensuring traceability to their own requirements, configuring the element correctly, and validating it within their specific hazard and timing constraints. We frame the work through design assurance hazard identification, design mitigation via requirements-based engineering, and implementation assurance highlighting current gaps between kernel behavior and requirements-derived tests. 

The session outlines community efforts to close those gaps: defining low-level Linux kernel requirements with maintainer sign-off; advancing coverage (statement, decision, MC/DC) using LLVM-based kernel coverage and object-code mapping; and packaging evidence with an SPDX functional-safety profile. Speakers also address non-determinism (focusing on deterministic outcomes, minimal configurations) and introduce knaf for call-tree analysis from specific entry points. 

Overall, these efforts show how scaling requirements, testing, and coverage within open collaboration can yield reusable evidence, strengthen kernel reliability, and align with a substantial portion of DO-178C DAL A objectives across industries.

Identifying Safety Weaknesses and Fault Propagation in the Linux Kernel – Igor Stoppa, NVIDIA

With growing interest in using Linux in safety-critical domains such as automotive, traditional functional safety practices need to be applied to an open source environment. One such practice is fault injection, where failures are deliberately introduced to study how the system reacts.

This talk by Igor Stoppa, NVIDIA, introduced a tool and methodology for injecting controlled faults into Linux kernel data structures. The goal is to uncover subtle forms of degradation that may not trigger a crash but can compromise safety goals, such as delayed system responses. By running repeatable experiments, the approach makes it possible to check whether safety mechanisms detect and report problems consistently and within required timing constraints.

The work highlights both the challenges of applying safety analysis to a large, fast-moving project like the Linux kernel and the opportunities to integrate such testing into the regular release process. Over time, this could provide valuable data on fault propagation, improve kernel reliability, and strengthen Linux’s role in safety-critical applications.

What’s Next?

The Safety-Critical Software track at Open Source Summit Europe 2025 highlighted the important progress being made toward making Linux a reliable choice in regulated and safety-sensitive domains. From exploring Linux as a Safety Element out of Context to fault injection techniques that expose hidden weaknesses, these discussions show how the community is tackling complex challenges with rigor and collaboration. 

To learn more, be sure to check our upcoming blogs where we will cover more sessions from the track. If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.