Bringing Functional Safety to the SBOM: Automating Compliance with the SPDX Safety Profile

Functional safety is crucial for open-source components used in safety-critical domains like automotive, medical, and industrial control. However, the current practice for managing the Safety Case—the collection of documents (requirements, tests, analyses, and evidence) proving compliance with standards like IEC 61508 or ISO 26262—is manual, chaotic, and inefficient. These artifacts are often fragmented across proprietary lifecycle systems, spreadsheets, or PDFs, leading to broken traceability and overwhelming manual effort in the supply chain. This talk introduces the SPDX Functional Safety Profile, a critical extension built on the upcoming SPDX 3.1 specification. We will demonstrate how this profile moves the entire Safety Case into a single, standardized, and machine-readable exchange format. The profile achieves this by introducing new classes beyond the SPDX Core: - REQUIREMENT: Capturing functional, non-functional, and design needs. - VERIFICATION: Defining specifications for tests, reviews, and analyses. - EVIDENCE: Storing test reports, build logs, and compliance evidence. Attendees will learn how to use machine-readable relationships to trace requirements through the V-Model, connecting code, design documents, and test results automatically. This profile is the key to building an automated, auditable, and tool-agnostic safety documentation pipeline, finally delivering the ability to exchange comprehensive Safety SBOMs across complex, multi-party supply chains.