As software-defined and AI-enabled systems become increasingly central to industries such as automotive, robotics, industrial automation and aerospace, ensuring the safety, reliability, and compliance of Linux-based platforms is more important than ever.

“Linux plays a foundational role in modern, software-defined systems, including those that must meet stringent safety requirements,” said Kate Stewart, Vice President of Dependable Embedded Systems at the Linux Foundation. “NVIDIA’s leadership in accelerated computing, AI, and software platforms brings deep technical expertise to the ELISA community. Their engagement will help drive forward scalable, safety-focused approaches to using Linux in increasingly complex systems.”

NVIDIA joins existing premier members Boeing and Redhat.

ELISA Project General Members include AISIN, arm, Bosch, Canonical, Codethink, Elektrobit, EMQ, Honda, Huawei, Linutronix, Lynx Software Technologies, Nissan Motor Corporation and WindRiver. Associate members Automotive Grade Linux, KernelCI, Institute of Aircraft Systems Engineering and The Regensburg University of Applied Sciences. Learn more about membership here.

 Safety-Critical Software

Open Source Summit North America, scheduled for May 18-20 in Minneapolis, Minnesota, will host a Safety-Critical Software track that features technical sessions, case studies, and cross-industry collaboration initiatives presented by ELISA Project members, ambassadors and contributors. Register here for early-bird pricing by March 24.

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks.

For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

For more information:

Maemalynn Meanor

The Linux Foundation

Systems and Automotive – Philipp Ahmann discussed advancements in aligning Linux with functional safety requirements for automotive and system-level applications.

Safety Architecture – Gabriele Paoloni (Red Hat) presented ongoing architectural work supporting safety use cases.

Linux Features for Safety-Critical Systems – Alessandro Carminati (NVIDIA) outlined kernel and feature-level progress enabling dependable Linux deployments.

The second day focused on use-case driven Working Groups and SIGs:

Aerospace – Matthew Weber (The Boeing Company) shared updates on Linux in aerospace systems.

Space Grade Linux – Ramon Roche (The Linux Foundation) discussed the evolution of Space Grade Linux and its relationship with ELISA.

BASIL & Tools WG Evolution – Luigi Pellecchia (Red Hat) highlighted progress in tooling and traceability efforts.

Lighthouse SIG – Philipp Ahmann provided insights into cross-domain collaboration and coordination.

The event concluded with closing reflections and a forward-looking discussion on collaboration opportunities in 2026.

Continuing the Work

The WG & SIG Annual Updates are more than a status review, they are a coordination point for the year ahead. As Linux adoption in safety-critical systems continues to expand across automotive, aerospace, industrial, and emerging domains, ELISA remains committed to open collaboration, practical tooling, and shared technical foundations.

Thank you to all speakers, contributors, and attendees who helped make the 2026 updates a success.

We look forward to another year of advancing Linux in safety-critical environments together.

Session Highlights:

Aspects of Dependable Linux Systems – Kate Stewart (Linux Foundation), Philipp Ahmann (Etas GmbH (BOSCH))

Kate and Philipp discussed how Linux is increasingly used in safety-critical and regulated industries that rely on dependable and robust software. They explained that these industries follow formal standards for requirements, verification, and change management, but such standards are not well known within the open source kernel community. The session highlighted that while the Linux kernel already contains many good development practices, important artifacts like requirements, tests, and documentation are not yet connected in a structured way. The speakers highlighted the need for shared approaches rather than isolated company efforts to make Linux safer and easier to analyze in complex systems. The speakers encouraged collaboration on improving traceability, clarity, and maintainability to support dependable Linux-based systems.

NVIDIA Approach for Achieving ASIL B Qualified Linux: minimizing expectations from upstream kernel processes -Igor Stoppa (NVIDIA)

In this talk, Igor Stoppa presented NVIDIA’s approach for achieving ASIL-B qualified Linux while minimizing the impact on upstream kernel developers and processes. Unlike traditional safety strategies that require modifying or qualifying large parts of the kernel, NVIDIA proposes mechanisms that isolate and contain safety-relevant components so the wider kernel does not need to be safety-qualified. The approach focuses on reducing dependencies, avoiding burdens on maintainers, and enabling qualification without requiring upstream developers to become safety experts. Igor outlined techniques such as resource partitioning, thread capabilities, and memory pools to ensure verifiable safety behavior without intrusive kernel changes. The goal is to support safety use cases in automotive and robotics while keeping upstream integration feasible and low-friction.

Applying Program Verification to Linux Kernel Code: Challenges, Practices, and Automation – Keisuke Nishimura

In this talk, Keisuke Nishimura presented ongoing work on applying deductive program verification to Linux kernel code, with a focus on the task scheduler. He explained that while the kernel is increasingly gaining specifications, checking that implementations satisfy them still relies heavily on manual effort. Using case studies, he showed how formal verification of scheduler functions can uncover real semantic bugs and increase confidence in functional correctness. The talk also covered practical challenges, such as writing formal specifications, handling loops with invariants, and preparing minimal, verifiable code extracted from large kernel files. Keisuke concluded by outlining automation efforts for code extraction and invariant inference, with the goal of making formal verification a more scalable and practical part of the Linux kernel development process.

Defining and maintaining requirements in the Linux Kernel – Chuck Wolber, Gabriele Paoloni (Red Hat), Kate Stewart (Linux Foundation)

Last year in Vienna the speakers of this talk held a session about “improving kernel design documentation and involving experts”. Following this, the ELISA Architecture working group drafted an initial template for the SW Requirements definition and started documenting the expected behaviour for different functions in the TRACING subsystem.

The work also included reviewing and adopting a framework for formally specifying kernel APIs.

This session aimed to present the latest updates and involve the experts to define the best next steps for having a path to introduce and maintain requirements in the kernel.

The discussion focused on how to document code, show value, address maintainer comments, and link requirements to tests and other verification measures.

KUnit Testing Insufficiencies – Matthew Whitehead (The Boeing Company)

This talk examined the limitations of KUnit when testing small, isolated units of Linux kernel code for high-integrity applications. Matthew Whitehead showed how the current KUnit approach struggles with scalability, system-state dependence, and the lack of built-in mocking or faking needed for low-level testing. Because KUnit tests are built into the kernel, they require full kernel builds, multiple kernels for large test sets, and slow write–execute–observe cycles. He demonstrated how creating isolated tests often requires patches, duplicated code, and extensive setup, which leads to high maintenance costs. The session highlighted the need for unit test capabilities that support out-of-tree compilation, user-space execution, and automatic integration of mocks.

Exploring possibilities for integrating StrictDoc with ELISA’s requirements template approach for the Linux kernel – Tobias Deiminger (Linutronix GmbH)

This talk demonstrated how ELISA’s proposed Linux kernel requirements template could be realized using the StrictDoc model and tooling. Tobias Deiminger showed how StrictDoc can parse requirement templates inlined in Linux source code, merge them with sidecar metadata files, and render traceable documents linking requirements, code, and tests. He highlighted that StrictDoc already fulfills most ELISA needs, including SPDX-REQ tags and structured traceability, while gaps remain around hash-based drift detection. The presentation included a live walkthrough using a demo repository and discussed StrictDoc’s broader model (requirements, design, tests, user stories) compared to ELISA’s current low-level focus. The talk concluded with the proposal that StrictDoc add hash generation and compatibility tweaks, while ELISA could list StrictDoc as a reference tool for kernel developers.

BASIL: Open Source Traceability for Safety-Critical Systems” – Luigi Pellecchia

This talk introduces BASIL – The FuSa Spice, a web-based tool that helps manage traceability for large, fast-evolving projects like the Linux kernel. Luigi Pellecchia explains how safety standards require traceability across requirements, code, tests, documentation, and test results, but these artifacts are spread across many repositories and CI systems (e.g., Linux Test Project, man-pages, CKI, KernelCI). BASIL proposes “traceability as code”: a single configuration file defines which repositories to scan, how to extract work items (requirements, tests, results), and how they relate to each other. From this, BASIL can automatically build and update traceability matrices, integrate data from external test infrastructures, and export results in formats such as SPDX. The session shows how this approach makes traceability and compliance more repeatable, automatable, and sustainable for the Linux kernel ecosystem.

The discussions at LPC 2025 made it clear that building safer and more dependable Linux-based systems is a shared challenge and a shared opportunity. Across all sessions, common themes emerged: improving traceability, defining clearer requirements, strengthening testing practices, and exploring scalable approaches to verification. These conversations reflect exactly what ELISA is working toward: enabling the broader community to confidently use Linux in safety-critical and high-integrity environments.

If you are interested in these topics, we invite you to learn more about the ELISA Project and get involved. Learn more about the ELISA project and working groups.

Driving Safety Forward: Lessons Learned From Deploying OSS in Real-world Automotive was presented by Jaylin Yu from EMQ and focused on practical experience deploying open source software in mass-production vehicles. The session examined how OSS can meet automotive safety and security expectations when combined with strong community engagement, academic collaboration, and production-driven validation.

Examples included MQTT-based remote diagnostics, actor-based system design, and the use of advanced stateful fuzzing techniques to uncover concurrency, race conditions, and protocol-level issues. Jaylin highlighted how software supply-chain decisions and dependency misuse can escalate into system-wide failures in safety-critical environments.

The talk also explored post-deployment challenges such as suspend-to-RAM behavior, file-descriptor exhaustion, time synchronization, and observability gaps in Linux-based systems. Overall, the session delivered, field-tested guidance for building secure, traceable, and reliable OSS-based software-defined vehicle platforms.

DO-330 Qualification of Enhanced LLVM Structural Coverage Tool – Minji Park & Seojin Kim, The Boeing Company

DO-330 Qualification of Enhanced LLVM Structural Coverage Tool was presented by Minji Park and Seojin Kim from The Boeing Company and focused on qualifying an open source structural coverage tool for use in safety-critical avionics software.

The session explained why structural coverage is mandatory under RTCA DO-178C and how verification tools themselves must be qualified under RTCA DO-330 to produce trusted evidence. The speakers described Boeing’s efforts to qualify an enhanced LLVM coverage (llvm-cov) tool, targeting statement, decision, and modified condition/decision coverage (MC/DC) required for higher software assurance levels. The session covered key details including how line and branch coverage were aligned with DO-178C objectives through source formatting, pipeline instrumentation, and toolchain integration.

The talk also outlined the determination of Tool Qualification Level (TQL 5), required qualification artifacts, and validation and verification activities needed to support certification. The session concluded with challenges of qualifying open source tools such as version changes, object code coverage, and regulatory submission and how Boeing is addressing them to enable compliant use of OSS in avionics systems.

Introduction and Consideration of Temporal Partitioning in Avionics With Open Source Eco-System – Haesun Kim & Gihwan Kwon, The Boeing Company

Introduction and Consideration of Temporal Partitioning in Avionics With an Open Source Ecosystem was presented by Haesun Kim and Gihwan Kwon from The Boeing Company and examined how ARINC 653 enables safe and deterministic operation in integrated modular avionics (IMA) systems.

The session introduced the motivation for adopting ARINC 653, comparing traditional federated avionics architectures with IMA approaches that rely on strict temporal and spatial partitioning. Key technical details covered the ARINC 653 two-tier scheduling model, including module-level scheduling across partitions and rate-monotonic process scheduling within each partition.

The speakers discussed gaps between ARINC 653 requirements and current open-source operating systems, highlighting challenges in scheduling, process management, and health monitoring. The talk concluded with Boeing’s ongoing collaboration with open-source communities and future work to bridge these gaps and enable compliant, safety-critical avionics systems built on open-source technologies

Smarter Code, Sneakier Risks: Supply Chain Security in the Age of AI – Lavakush Biyani, Harness

Smarter Code, Sneakier Risks: Supply Chain Security in the Age of AI was presented by Lavakush Biyani from Harness and examined how AI-powered coding tools are reshaping software development while introducing new supply chain security risks. The session explained how AI-generated code can unknowingly introduce vulnerabilities through insecure patterns, outdated libraries, or hallucinated dependencies that attackers can exploit.

The session covered real-world examples of dependency confusion, AI-suggested non-existent packages, and the reuse of vulnerable dependency versions due to limited model context. The speakers introduced practical detection techniques such as analyzing code changes, generating AI Bills of Materials (AIBOMs), tracking dependency drift, and monitoring build behavior.

The session concluded with guidance on integrating these security checks into CI/CD pipelines, enabling DevSecOps teams to manage AI-driven risks without slowing development velocity.

Detecting Double Free With BPF – Bojun Seo, LG Electronics

Detecting Double Free With BPF was presented by Bojun Seo from LG Electronics and addressed the challenges of detecting double free vulnerabilities in C and C++ programs, particularly in production and embedded environments.

The session explained why traditional tools such as Valgrind and AddressSanitizer often struggle in real-world systems due to high overhead and their tendency to alter memory behavior, leading to hard-to-reproduce Heisenbugs. The session also covered a novel detection approach using BPF and uprobes to trace memory allocation and deallocation events without modifying the target process’s memory footprint.

The tool tracks allocation counters and captures stack traces in BPF maps, reporting double frees with significantly lower runtime and memory overhead. Through live demonstrations and real code examples, the talk showed how this lightweight BPF-based approach improves reliability and practicality for detecting double free errors in performance-sensitive embedded systems.

Telco Supply Chain Security: Implementing ISO 18974 & SBOM – Haksung Jang, SK Telecom

Telco Supply Chain Security: Implementing ISO/IEC 18974 & SBOM was presented by Haksung Jang from SK Telecom and focused on managing growing software supply chain risks in the rapidly evolving telecom industry.

The talk explained how increased reliance on open source in 5G, cloud-native, and software-defined networks has amplified dependency complexity and reduced visibility, creating serious security challenges. Key technical details covered the adoption of ISO/IEC 18974 (Open Source Security Assurance) as a standardized framework for vulnerability management, governance, and third-party assurance across telecom supply chains.

The session highlighted SBOM implementation using standards such as SPDX and CycloneDX, emphasizing automated generation, validation, and integration into CI/CD pipelines to enable rapid vulnerability response and regulatory compliance. Drawing from SK Telecom’s real-world OSPO experience and OpenChain Telco Work Group activities, the talk provided practical guidance on policy design, supplier collaboration, and building a trusted, standards-based telecom software ecosystem.

Key Takeaways:

The ELISA Project’s presence at Open Source Summit Seoul 2025 showed how open source is now essential in safety-critical and regulated systems.

Across automotive, avionics, embedded, AI, and telecom sessions, speakers demonstrated that open source can meet strict safety and security requirements when supported by strong processes and standards. Talks highlighted the importance of verification, deterministic system design, and low-overhead runtime analysis for real-world deployments. Supply chain security emerged as a shared priority, with SBOMs, AIBOMs, and international standards enabling visibility and trust.

Overall, the sessions reinforced that safety, security, and open collaboration must advance together.

What’s Next?

If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.

By parsing /proc/iomem, my test program can:

1. Identify which physical regions are safe to work with (like RAM already allocated to my process),
2. Avoid regions that are reserved for hardware or critical firmware,
3. Adapt dynamically to different machines and configurations.

This is especially important for multi-architecture support. While examples here often look like x86 (because /dev/mem has a long history there), the concept of mapping I/O regions isn’t x86-specific. On ARM, RISC-V, or others, you’ll see different labels… But the principle remains exactly the same.

In short: /proc/iomem is your treasure map, and the first rule of treasure hunting is “don’t blow up the ship while digging for gold.”

The Problem of Contiguous Physical Pages

Up to this point, my work focused on single-page operations. I wasn’t hand-picking physical addresses or trying to be clever about where memory came from. Instead, the process was simple and safe:

1. Allocate a buffer in userspace, using mmap() so it’s page-aligned,
2. Touch the page to make sure the kernel really backs it with physical memory,
3. Walk /proc/self/pagemap to trace which physical pages back the virtual address in the buffer.

This gives me full visibility into how my userspace memory maps to physical memory. Since the buffer was created through normal allocation, it’s mine to play with, there’s no risk of trampling over the kernel or other userspace processes.

This worked beautifully for basic tests:

• Pick a single page in the buffer,
• Run a tiny read/write cycle through /dev/mem,
• Verify the result,
• Nothing explodes.

But then came the next challenge: What if a read or write crosses a physical page boundary?

Why boundaries matter

The Linux VFS layer doesn’t treat a read or write syscall as one giant, indivisible action. Instead, it splits large operations into chunks, moving through pages one at a time.

For example:

• I request 10 KB from /dev/mem,
• The first 4 KB comes from physical page A,
• The next 4 KB comes from physical page B,
• The last 2 KB comes from physical page C.

If the driver mishandles the transition between pages, I’d never notice unless my test forces it to cross that boundary. It’s like testing a car by only driving in a straight line: Everything looks fine… Until you try to turn the wheel.

To properly test /dev/mem, I need a buffer backed by at least two physically contiguous pages. That way, a single read or write naturally crosses from one physical page into the next… exactly the kind of situation where subtle bugs might hide.

And that’s when the real nightmare began.

Why this is so difficult

At first, this seemed easy. I thought:

“How hard can it be? Just allocate a buffer big enough, like 128 KB, and somewhere inside it, there must be two contiguous physical pages.”

Ah, the sweet summer child optimism. The harsh truth: modern kernels actively work against this happening by accident. It’s not because the kernel hates me personally (though it sure felt like it). It’s because of its duty to prevent memory fragmentation.

When you call brk() or mmap(), the kernel:

1. Uses a buddy allocator to manage blocks of physical pages,
2. Actively spreads allocations apart to keep them tidy,
3. Reserves contiguous ranges for things like hugepages or DMA.

From the kernel’s point of view:

• This keeps the system stable,
• Prevents large allocations from failing later,
• And generally makes life good for everyone.

From my point of view? It’s like trying to find two matching socks in a dryer while it is drying them.

Playing the allocation lottery

My first approach was simple: keep trying until luck strikes.

1. Allocate a 128 KB buffer,
2. Walk /proc/self/pagemap to see where all pages landed physically,
3. If no two contiguous pages are found, free it and try again.

Statistically, this should work eventually. In reality? After thousands of iterations, I’d still end up empty-handed. It felt like buying lottery tickets and never even winning a free one.

The kernel’s buddy allocator is very good at avoiding fragmentation. Two consecutive physical pages are far rarer than you’d think, and that’s by design.

Trying to confuse the allocator

Naturally, my next thought was:

“If the allocator is too clever, let’s mess with it!”

So I wrote a perturbation routine:

• Allocate a pile of small blocks,
• Touch them so they’re actually backed by physical pages,
• Free them in random order to create “holes.”

The hope was to trick the allocator into giving me contiguous pages next time. The result? It sometimes worked, but unpredictably. 4k attempts gave me >80% success. Not reliable enough for a test suite where failures must mean a broken driver, not a grumpy kernel allocator.

The options I didn’t want

There are sure-fire ways to get contiguous pages:

• Writing a kernel module and calling alloc_pages().
• Using hugepages.
• Configuring CMA regions at boot.

But all of these require special setup or kernel cooperation. My goal was a pure userspace test, so they were off the table.

A new perspective: software MMU

Finally, I relaxed my original requirement. Instead of demanding two pages that are both physically and virtually contiguous, I only needed them to be physically contiguous somewhere in the buffer.

From there, I could build a tiny software MMU:

• Find a contiguous physical pair using /proc/self/pagemap,
• Expose them through a simple linear interface,
• Run the test as if they were virtually contiguous.

This doesn’t eliminate the challenge, but it makes it practical. No kernel hacks, no special boot setup, just a bit of clever user-space logic.

From Theory to Test Code

All this theory eventually turned into a real test tool, because staring at /proc/self/pagemap is fun… but only for a while. The test lives here:

github.com/alessandrocarminati/devmem_test

It’s currently packaged as a Buildroot module, which makes it easy to run on different kernels and architectures without messing up your main system. The long-term goal is to integrate it into the kernel’s selftests framework, so these checks can run as part of the regular Linux testing pipeline. For now, it’s a standalone sandbox where you can:

• Experiment with /dev/mem safely (on a test machine!),
• Play with /proc/self/pagemap and see how virtual pages map to physical memory,
• Try out the software MMU idea without needing kernel modifications.

And expect it still work in progress.

Ask Me Anything – New Contributor Onboarding Gabriele Paoloni, Red Hat; Philipp Ahmann, ETAS GmbH

The “Ask Me Anything about ELISA or the Use of OSS in Safety-Critical Applications” session, led by Gabriele Paoloni and Philipp Ahmann, offered participants an open space to address foundational questions about applying Linux and open source software in safety-critical systems. The conversation clarified why live Q&A remains valuable beyond static FAQs, explored the challenges of using Linux in complex safety contexts, and outlined how ELISA approaches requirements, standards, tooling, and system understanding. 

The session also highlighted common misconceptions such as the idea of producing a “safe Linux”and reinforced the importance of context, collaboration, and evolving industry practices when integrating OSS into safety-relevant applications.

Research questions and publication directions of Aerospace WG Martin Halle, Hamburg University of Technology – Institute of Aircraft Systems Engineering, Matthew Weber, Boeing

This session outlined key research questions for the Aerospace Working Group, focusing on where Linux is currently used in aerospace and space systems, how regulations affect its adoption, and which topics should lead to future white papers. The speakers also introduced shared use cases and tools supporting this work and invited contributors with domain expertise to help advance upcoming publications.

Towards Practical Program Verification for the Linux Kernel Keisuke NISHIMURA, Inria

The session “Towards Practical Program Verification for the Linux Kernel,” presented by Keisuke Nishimura, Jean-Pierre Lozi, and Julia Lawall, introduced foundational concepts of deductive program verification and demonstrated their application through a case study on the kernel function. The speakers highlighted challenges in specifying correct behavior, automating loop invariants, and preparing verification-ready code, and outlined research efforts aimed at making large-scale kernel verification more practical.

Towards a More Sustainable and Secure Software Tooling in Free/Libre Open Source Software Environments Stefan Tatschner, Fraunhofer AISEC

The session “Towards a More Sustainable and Secure Software Tooling in Free/Libre Open Source Software Environments”, presented by Dr. Stefan Tatschner (Fraunhofer AISEC), explored how software sustainability and security intersect in FLOSS ecosystems. Building on his PhD work, Dr. Tatschner discussed how vague or overly complex specifications and fragmented development practices can lead to inconsistent, insecure implementations, illustrated through studies of QUIC stacks and X.509 libraries. He showed how dependency analysis and graph-based metrics can help identify critical projects whose health has a disproportionate impact on the ecosystem.

Introducing SW Requirements in the Linux kernel development process: status and next steps Gabriele Paoloni, Red Hat; Kate Stewart, Linux Foundation; Chuck Wolber, Boeing

The session “Introducing SW Requirements in the Linux Kernel Development Process: Status and Next Steps”, presented by Gabriele Paoloni (Red Hat), Kate Stewart (Linux Foundation), and Chuck Wolber (Boeing), explored how to bring structured software requirements into the Linux kernel’s distributed, maintainer-driven development model. The speakers highlighted gaps in existing documentation and explained how missing explicit intent increases technical debt and complicates safety and certification work. They proposed testable, SPDX-based requirement annotations that live alongside the code to improve clarity, traceability, and review. The talk also summarized feedback from kernel maintainers and outlined ongoing experiments and next steps to refine the approach and drive broader adoption.

Exploring possibilities for integrating StrictDoc with ELISA’s requirements template approach for the Linux kernel Tobias Deiminger, Linutronix; Stanislav Pankevich, Reflex Aerospace

The session “Exploring Possibilities for Integrating StrictDoc with ELISA’s Requirements Template Approach for the Linux Kernel”, presented by Tobias Deiminger (Linutronix GmbH) and Stanislav Pankevich (Reflex Aerospace GmbH), demonstrated how the StrictDoc tool can support structured, traceable requirements workflows for kernel development. The speakers introduced StrictDoc’s capabilities, showed how it is already used at Linutronix for certification-driven projects, and walked through a live prototype integrating SPDX-based requirements directly from kernel source files. They highlighted how StrictDoc can link requirements, code, and tests while enabling validation and drift detection. The session emphasized that such tooling could strengthen documentation quality, improve traceability, and complement ELISA’s efforts to introduce maintainable requirements practices into the kernel ecosystem.

Architectures for Linux in Railway Safety Applications Florian Wühr, Red Hat; Daniel Weingaertner, Red Hat

The session “Architectures for Linux in Railway Safety Applications”, presented by Florian Wühr and Dr. Daniel Weingärtner (Senior Software Engineers, Red Hat EMEA Field CTO Office), explored how Linux-based platforms can be used in modern railway safety systems. They outlined Red Hat’s involvement in the “AutomatedTrain” research project and discussed applying high-performance, Linux-based platforms for autonomous and safety-related rail use cases. The talk covered relevant safety standards and SIL levels, key certification and interoperability challenges in Europe, and compared architectural options (containers, hypervisors, redundancy/diversity) for mixed-criticality railway applications.

Hypervisors are scary, so why use them for enabling Linux for Safety Applications Aqib Javaid, Elektrobit

The session explained why hypervisors, though often viewed as complex or risky, are valuable for enabling Linux in safety-critical systems. Aqib Javaid clarified common misconceptions such as hypervisors being slow or unusable for safety and showed how modern hardware support and open-source options like Xen and L4 make them practical and certifiable. He demonstrated how hypervisors provide strong isolation and allow a small safety monitor to supervise Linux, adding protection without modifying the kernel.

Open Functional Safety: Safety-Qualified Lifecycle with Sphinx Christopher Zimmer, innotec GmbH

The session “Open Functional Safety: Safety-Qualified Lifecycle with Sphinx” was presented by Christopher Zimmer (innotec GmbH). He showed how an open-source toolchain centered on Sphinx can support a full, safety-qualified development lifecycle for smaller companies and open source projects that can’t afford heavy commercial tooling. The talk also outlined how to classify and qualify such tools so they can be used in standards-compliant functional safety workflows.

AGL SDV SoDeV Insights Naoto Yamaguchi, AISIN; Harunobu Kurokawa, Renesas

The session “AGL SDV SoDeV Insights,” presented by Naoto Yamaguchi (AISIN) and Harunobu Kurokawa (Renesas), shared progress on Automotive Grade Linux’s Software-Defined Vehicle initiative. The speakers outlined SoDeV’s goal of decoupling hardware and software using open-source technologies like hypervisors, VirtIO, and unified HMI frameworks to enable reusable, scalable in-vehicle software. They also discussed early prototypes, planned architecture, and open challenges particularly around safety and integrating monitoring in virtualized systems.

Best Practices in Open Source and Standards – Evaluation of Example Projects Simone Weiss, Linutronix

The session presented work from ELISA’s WG Lighthouse OSS on identifying open-source “best practices” and mapping them to quality/safety standards. Simone showed how a common evaluation template was applied to Xen and Yocto, revealing both strong governance/CI practices and recurring issues like fragmented documentation, and outlined plans for a maturity model to rate project process quality.

Beyond the OS: What else is required for safe automotive applications? Isaac Trefz, Elektrobit

The session “Beyond the OS: What Else Is Required for Safe Automotive Applications?” highlighted that making Linux safe is only one part of building a safety-compliant automotive system. Isaac Trefz (Elektrobit) explained that safe applications also require qualified compilers and libraries, safe IPC, reliable rendering paths, hypervisors, hardware support, and proper monitoring/watchdog mechanisms. Using examples like telltales and ADAS functions, he showed how these system-level elements must work together.

BASIL Luigi Pellecchia, Red Hat

The session “BASIL,” presented by Luigi Pellecchia (Red Hat), introduced BASIL as a tool for managing traceability across requirements, code, and tests in safety-critical projects. Luigi highlighted recent updates improved SPDX SBOM export, graphical traceability views, expanded test-framework support, and a new AI-assisted requirement generator. He also outlined a proposal for a configurable traceability scanner that pulls structured data from multiple repositories, aiming to simplify and standardize traceability workflows in open-source safety development.

Continuous Compliance in Safety-Critical Open Source Projects Rinat Shagisultanov, InfoMagnus

The session “Continuous Compliance in Safety-Critical Open Source Projects,” presented by Rinat Shagisultanov (InfoMagnus), showed how safety-annotated SBOMs—using SPDX 3 and its emerging safety profile can automate functional-safety traceability. Rinat explained how tools like BASIL generate these SBOMs and how the OpenCC platform performs semantic diffs, impact analysis, and audit logging inside CI/CD pipelines.

Industry Safety Level(s) vs. Aerospace Use Cases Matthew Weber, Boeing

The session “Industry Safety Level(s) vs. Aerospace Use Cases,” presented by Matthew Weber (Boeing), explained how civil aerospace develops and certifies aircraft software using DO-178C safety levels (DAL A–E), and how these compare conceptually to ASIL/SIL levels in other industries. He walked through the aircraft lifecycle, showed how safety levels drive required artifacts and rigor, and illustrated everything with example use cases and early Linux-based demos (like a safety-aware “cabin light” and NASA CFS-based scenarios).

Linux Virtual Address Space Safety Alessandro Carminati, Red Hat

The session “Linux Virtual Address Space Safety,” presented by Alessandro Carminati (Red Hat), explored how Linux’s virtual memory design especially Virtual Memory Areas (VMAs) and the global linear mapping creates subtle safety risks in mixed-criticality systems. He walked through the VMA lifecycle, showed how the linear map lets kernel and user pages sit side-by-side (enabling accidental cross-domain corruption), and reviewed current defenses and why they’re aimed at security/debugging rather than deterministic functional safety.

Behind the Scenes: Elisa Yocto meta-layer and the ELISA CI infrastructure Sudip Mukherjee, Codethink

The session “Behind the Scenes: ELISA Yocto Meta-Layer and the ELISA CI Infrastructure,” presented by Sudip Mukherjee (Codethink), gave a concise behind-the-scenes look at how ELISA’s Yocto meta-layer and CI system are built and maintained. Sudip explained how the team created a standardized Docker-based build environment, added nightly CI builds, shared sstate caching, and automated testing with QEMU and OpenQA. He also highlighted ongoing work to keep the AGL-based demo app building reliably and invited other working groups to adopt the shared CI to ensure reproducible, stable builds.

The SPDX Safety Profile Release Candidate – towards standardised safety supply chain documentation Nicole Pappler, AlektoMetis

The session “The SPDX Safety Profile Release Candidate – Towards Standardised Safety Supply Chain Documentation” by Nicole Pappler (AlektoMetis) presented the new SPDX 3.1 safety profile, which extends the core SPDX model with safety-specific concepts like requirements, verifications, and evidence links. Nicole explained how this enables standardized, machine-readable safety documentation across the software supply chain, improving traceability, impact analysis, and compliance for safety-critical industries using open source.

Drawing an open source safety-critical landscape Philipp Ahmann, ETAS GmbH

The session “Drawing an Open Source Safety-Critical Landscape” by Philipp Ahmann (ETAS) outlined the need for a clear map of the growing ecosystem of safety-critical open source projects. Philipp proposed building a structured landscape covering OSs, hypervisors, tools, frameworks, simulators, and industry domains to show how projects relate, where they fit, and where gaps or collaboration opportunities exist. The goal is to give the community a central, easy-to-navigate view of safety-critical open source efforts.

In short:

The Munich workshop highlighted the rapid progress and growing cohesion of the safety-critical open source ecosystem. Over three days, contributors shared tools, research, architectures, requirements approaches, and CI practices all reinforcing that using Linux in regulated environments requires aligned methods, clear documentation, traceability, and strong cross-community collaboration.

With active participation from industry, academia, and open-source projects, the workshop wrapped up with renewed momentum and a shared commitment to push ELISA’s technical work forward.

Note: Presentation Slides can be accessed here

Would like to see the photos from the meetup? Check here.

Check the workshop playlist in the ELISA YouTube.

Interested to host the next ELISA workshop?

The ELISA Project hosts workshops on a regular basis to gather the project community to accelerate technical collaboration and output, and plan for future goals. It is intended as a technical community collaboration forum to advance the mission of the ELISA Project. More specifically, the Workshop series provide the avenue to: 

• Explore ideas about approaches, processes, tooling, and testing that can be incorporated into building safety-critical applications and systems  
• Exchange perspectives and feedback from the Linux kernel, safety, and other adjacent open source project communities
• Provide updates about the various Working Groups’ current activities and priorities and future roadmaps
• Enable real-time collaboration to make more accelerated progress on current work streams 
• Define and articulate near-term technical goals and priorities
• Educate and onboard new community members
• Activate and increase engagement and contributions from a broader range of contributors
• The workshops are generally held in person to facilitate more open discussions and real-time collaboration. Virtual access can be provided if there is sufficient interest.

Contact us to discuss hosting a workshop.