2025 börjar lida mot sitt slut. Vår omvärld är dock fortsatt full av utmaningar för företag och individer. Addalot skänker även i år pengar till välgörenhet istället för julklappar.
Vi uppskattar SOS-Barnbyar och deras verksamhet för barn och deras uppväxt och i år fokuserar de på att få barn i utsatta områden tillbaka till skolan . Vi hoppas på ett gott slut på 2025 och ser med tillförsikt mot 2026 – fullt av nya möjligheter!

]]>
This years SCSSS was run as an one day workshop within the large SafeComp conference.
Below follows a summary with some personal highlights from the presentations two keynotes and six presentations.
Please check the conference web for access to all presentations
The workshop kicked off with the keynote, “Assuring Safety in the Face of the Unpredictable” by Mario Trapp, Fraunhofer. A main concept was that you had to take into account a triad of aspects when working with safety for new AI systems:

Towards the end of his talk he looked at the potential analogy of a set of intelligent systems interacting with each other and with humans to a society, where the systems could be governed by rules and laws similar to our current society.

William Zeng, from Roben with his presentation “Automotive Overview on System Safety Standards and Practices for ICVs and NEVs in China: A different approach” gave a very interesting insight into the fantastic dynamism of the Chinese car industry, how they had in a very short time become a major driver in the industry. It is well worth to look a the detailed examples presented in the slides. Here is just one example of Xiaomi entry into the car market:

Michael Wagner from ECR.AI “Embracing Change: LLM Use in Safety Engineering” first gave an overview of possibilities and pitfalls with LLM models:

Then he looked at the possibility to use formal proof checkers to check the output of LLM models.

Lunch was served together with all the other participants from SafeComp.

The afternoon started with a tutorial by Hans Liwång, KTH/Försvarshögskolan on “Interaction between technical and social system for the defense and security”. Hans started with observations about the importance of training and preparedness for survivability in naval warfare based on the Falkland conflict. The military safety is always a balance between safety and being able to continue to operate and achieve the target. There is no safe state as for a passenger car when standing still.

He also pointed out the value of giving people the ability to utilize the systems outside the safety limits in emergency situations, which might run contrary to how we think about safety to always keep the system within safe operational conditions.
AI Safety Assurance in the Automotive Domain – Standards Mapping and Application for an AI-Based SoC Estimation Function by Fredrik Warg; RISE gave an overview of how AI and safety research and standards have exploded in the last years.


Ali Nouri, Volvo Cars talked about “AI-enabled DevSafeOps for Autonomous Driving Software”. I was specially impressed by the breath of Ali’s research into how AI would impact all aspect of safety development. It will be interesting to follow this research in the future.

Filip Strand, KTH talked about his PH.D. work on Countering wildfire risk with AI-enabled sensor platforms so that the machines could avoid stones etc. that could lead to sparks causing fires. One major problem here was to create enough training data of relevant terrain that is labeled.

One idea that came up in the discussion was to rather use a program to generate images to train on. This should be possible as there is a limited number of elements in the terrain, however they have infinite many shapes and are randomly distributed. The generator could generate a labeled image that the IA could train on and as it is already labeled there is no “human” interaction.
Adapting ISO 21448 SOTIF for Mobile Machinery: A Forestry Automation Case Study by Aria Mirzai, RISE looked at applying SOTIF to a Shuttle transporting logs from a harvester along pre-mapped forest roads to drop-off point.


The workshop ended with a buffet receptions at the Stockholm Townhall sponsored for SafeComp by Stockholm City. Here our foreign guests could try out most Swedish specialties; pickled herrings, meat balls, graved salmon and many more.

]]>
Lunds Tekniska Högskola LTH kommer genom en donation från företaget Addalot att inrätta ett stipendium inom området software engineering (programvaruteknik). Donationens avsikt är att hedra minnet av Q-Labs (numera kallade Addalot) alltför tidigt bortgångne grundare Geir Fagerhus.
Syftet med stipendiet är att belöna särskilt framstående examensarbeten som kopplar samman forskning inom software engineering med konkreta behov i industrin.
Geir Fagerhus, som startade Q-Labs i Lund 1989, var en entreprenör och pionjär med en unik förmåga att identifiera och realisera affärsmöjligheter inom software engineering.
Geir hade också ett stort intresse av att koppla samman industri med akademin och ”bridging the gap” var en av hans slogans. Som en del av denna strategi etablerade Q-Labs kontor nära universitet och organisationer som var framstående inom programvaruteknik som Fraunhofer Institute i Kaiserslautern och universiteten i Lund och Maryland.
Han etablerade också samarbeten med några av världens vid den tiden mest framstående forskare (Harlan Mills, Victor Basili, Dieter Rombach, Bill Curtis och Claes Wohlin) och etablerade en ”rådgivande styrelse” för Q-Labs, där många av dem hade en plats. Vidare lyckades Geir skapa nyckelroller för Q-Labs i europeiska forskningsprojekt, t.ex. REBOOT och PERFECT.
Geir var alltid på jakt efter nya tekniker och att omsätta dessa i praktisk nytta. Detta skedde då ofta i direkt samarbete med grundarna av teknikerna. Detta ledde till att Q-Labs introducerade modeller som Cleanroom Software Engineering och CMM för Ericsson och andra kunder.

Stipendiet är riktat till studenter på LTH, det universitet som Q-Labs under åren hade störst haft mest utbyte med, och kommer att delas ut årligen under minst fem år. Pristagare blir den/de som genomfört det examensarbete i datavetenskap med inriktning mot software engineering och som på bästa sätt återspeglar Geirs anda. Prissumman är på 10 000 kr per examensarbete och kommer att delas ut på LTH:s examenshögtid.
Bedömningskriterier för stipendiet är:
En bedömningsgrupp med två företrädare från institutionen för datavetenskap och en representant från Addalot föreslår och motiverar beslut om pristagare. LTH:s rektor beslutar om pristagare. Examensarbeten avslutade under 2025 kommer vara de första att komma på fråga för detta stipendium.
]]>The whitepaper will help you understand:
The Automotive SPICE® (A-SPICE) framework has established itself as a critical process capability model within the automotive industry. It provides best practices for structured system development.
A-SPICE has gained widespread popularity among Original Equipment Manufacturers (OEMs) and Tier 1 suppliers, who often rely on A-SPICE assessments to evaluate the capabilities of their suppliers.
Version 4.0 of A-SPICE was released late 2023. In short, the new version includes clean up, removing unused areas and harmonizing terms, and strengthening of the plug-in concept, adding two new concepts “hardware” and machine learning” as complement to the existing software process group.
Ten process areas have been removed. They belong to the categories of acquisition (six process areas), support (three process areas) and supply (one process area). Theses process areas were seldom used so these changes that at first appear to be large, in reality is rather small.
Figure 1: A-SPICE version 3.1 with the ten removed process areas market
To make the A-SPICE model more relevant for the industry three new process groups with in total ten new process areas have been added. The new process groups are:
Figure 2: A-SPICE version 4.0 with the added ten process areas market
With this new version scoping has become more intriguing. Before there was basic and extended scope and the only process area that was possible to de-select was ACQ.4. In version 4 there are three different scope types.
Figure 3: A-SPICE version 4.0 with the different process areas marked with scope type
Each organization need to analyse their scope. For A-SPICE assessments the sponsor defines the scope. BASE is always mandatory, then minimum one of the PLUG INS must be selected and finally the FLEX process areas shall be applied as relevant. ACQ.4 supplier monitoring and SPL.2 Product release will likely be the most applied process areas followed by MAN.5 Risk management.
Examples:
In all cases FLEX additions might be relevant.
Figure 4: The three types of categories for scoping A-SPICE process areas
The detailed changes include many aspects like: model adjustments, improved language for increased understanding and slim lining some base/generic practices. Some changes will have significant impact on organizations working to meet A-SPICE expectations.
In summary 4 generic practices are removed, which means that if you assess 15 process areas it becomes 60 generic practices less.
In summary the main changes are related to the plug-in concept with the addition of new process group and process areas.
But for companies with VDA scope, the main changes will be the detailed changes since they will not be affected by the removal/addition of process areas.
Out of the different detailed changes the “Strategy to CL2” and “added component test” are probably the main changes to consider.
In addition, there are change in the guidelines for how to conduct A-SPICE assessments. But this relevant for assessors is maybe a topic for afuture article.
]]>Den 13de upplagan av SCSSS (Scandinavian Conferenc on System and Software Safety) kommer genomföras som workshop till den europeiska konferensen SafeComp som i år gästar Stockholm.

Sedan det grundades 1979 av den europeiska Workshop om industriella datorsystem, teknisk kommitté 7 för tillförlitlighet, säkerhet och säkerhet (EWICS TC7), har SafeComp bidragit till framstegen av den senaste tekniken i pålitlig tillämpning av datorer i säkerhetsrelaterade och säkerhetskritiska system. SafeComp är en årlig internationell konferens som täcker de senaste industriella erfarenheterna och nya trender inom områdena säkerhet, säkerhet och tillförlitligheten hos kritiska datortillämpningar. SafeComp ger stora möjligheter att byta insikter och erfarenhet av nya metoder, tillvägagångssätt och praktiska lösningar. Det är ett enkelspårigt konferens utan parallella sessioner, vilket gör det enkelt nätverk.
Den 44:e upplagan av SafeComp ger en unik tillfälle att utforska och diskutera säkerhetsutmaningar kritiska datorsystem. Säkerhet är mer relevant än någonsin, med utökade möjligheter för (semi-) autonomt cyberfysiskt system (CPS), interagerar med människor i olika roller och agerande i mer öppenhet miljöer. Temat 2025 är ”Managing säkerhet i en tid av mjukvarudefinierad datoranvändning kontinuum.” Säkerhetsteknik måste noggrant undersöka konsekvenserna av programvarans ökande komplexitet definierade datorsystem, som de blir alltmer ansluten, interagerar med stödjande digitala infrastrukturer, fyllda med AI och försedda med mer avancerade perceptionssystem.
The Scandinavian Conference on Systems and Software Safety (SCSSS) has become a central meeting place for Scandinavian safety experts from industry, public and academic organizations. Collaborating with other important relevant organizations, such as the Swedish Network for System Safety, SAFER and the Swedish Electromobility Centre, SCSSS has managed to gather roughly 100 participants, primarily safety engineers from industry, each year since 2013. The conference features presentations from industry and academia, with a strong emphasis on networking.
]]>
A lot of interesting research and development is currently ongoing in this field in order to create methods for process improvements, assessments and standardization of safety critical software and systems. With this conference, the organizers want to gather stakeholders for discussions and to create an inspiring environment for exchanging ideas and knowledge.
“The distribution between industry and academia is well balanced and help to inspire and network, which is the purpose of the conference” says Even-André Karlsson, Addalot representative in the program committee.
Keynote speakers were Johan Hellsing from Heart Aerospace presenting the ES-30 aircraft with a unique Electric Hybrid Propulsion System (EHPS),
and Anton Nytén, Etteplan talking about safety challenges in the battery market.
In addition to the two keynotes there were a set of shorter presentations from various speakers. Below is a list of the different topics that were covered:
In the evening there was a social dinner for more relaxed and informal time to nework.
The full program can be found at the conference web site and there you can also find all presentations to be downloaded.
In 2025 the conference will be in Stockholm, and we will shortly announce a call for presentations.
]]>Manufacturers and importers that provide products with digital elements in the EU market will have to comply with the Cyber Resilience Act (CRA). This article contains some general practical advice on the implementation of requirements found in the CRA. Note that it is important for each company to make their own analysis and fulfillment of any regulation, including the CRA. This whitepaper is not a complete overview of the CRA and is not legal advice.
The CRA applies to “products with digital elements whose intended, or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.” [Article 2.1], which is most any product that contains software. There are exceptions for products that are already regulated through existing legislation, such as in automotive and medicine. Open source projects are also exempted from complying to the CRA, but importantly this exception does not extend to the use of open source components in commercial products (see section on SBOM and open source below).
The CRA differentiates between critical and non-critical products, where critical products include products such as routers, microcontrollers, operating systems and industrial automation and control systems. Critical products are expected to be certified by a third party while non-critical products will be self-certified by manufacturers or importers.
The requirements in the CRA include (but are not limited to):
Secure development means that cybersecurity is considered in all phases of product development. This can be contrasted to trying to fix cybersecurity after the product has been developed, which will never be as effective or efficient. Products that are developed according to a secure software development lifecycle (SSDL) are said to be secure by design.
Security testing complements secure development by providing feedback and information on the security status of the product. There are many different types of security testing, where the most common include vulnerability testing and penetration testing. Security review includes re-evaluating previous risk assessments when appropriate.
Vulnerability management means continuously evaluating and managing vulnerabilities as they are discovered.
An essential part of any cybersecurity work is fixing discovered vulnerabilities together with continuous improvement. The CRA makes it mandatory to provide security patches in a timely fashion and free of charge.
A software bill of material (SBOM) is essentially a “list of ingredients” for software. The reason this is important to provide, is that it provides transparency to possible risks and vulnerability through third party components. It is important to note that a provider of a product is responsible for that product, including third party components and open source components. This means that manufacturers need to apply cybersecurity practices not only on their own work, but also do due diligence on their supply chain.

Cyber Resilience Act Requirements Standards Mapping – Joint Research Centre & ENISA Joint Analysis
In summary, the standards ETSI EN 303 645, ISO 27001 and IEC 62443 all have some overlap with the CRA, with ETSI EN 303 645 being the closest match. It is important to note that CRA is outcome driven rather than prescriptive and this is also the proper way to tackle cybersecurity. It is more important to understand what we are trying to achieve, than to implement something for the sole reason of compliance. This is also a strength of ETSI EN 303 645: “The provisions are primarily outcome-focused, rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products.” (ETSI EN 303 645 V2.1.1 page 5). Even if a standard can provide assistance and guidance, it is always important to implement security that is appropriate for a product rather than blindly following a standard.
Companies that do not work with critical products will self-certify to the CRA. On one hand, there is a benefit of not having the cost of third party certification. On the other hand, the business risk of non-compliance still needs to be managed, as the fines are significant, up to EUR 15 000 000. Therefore it is reasonable to implement an internal audit and compliance control to manage the risk. However, traditional audits are often manual, which makes them costly, time consuming and only possible to execute occasionally. This is at odds with modern software development that emphasizes automation and agility when it comes to changes. A solution to this is to integrate the compliance controls into the development of the software, creating automatic controls of activities that are connected to CRA compliance. The human decisions of what solutions to implement for specific requirements are still needed, but the control that the implementation is still being followed can be automated and continuous, instantly detecting if some requirements are being violated. Compliance violations can happen e.g. if a certain test has not been executed, if an external web page has been moved or some feature is missing from the product. Continuous monitoring of compliance will make life easier both for business risk management as well as software development.
Please contact us if you want help with understanding the CRA legislation, how it will affect your company and how you can integrate compliance into existing workflow. We provide workshops where your employees will get the chance to understand the challenges and provide solutions that work for your company and your products, as well as assistance and feedback on your journey towards CRA compliance.
]]>The conference is organized by Addalot, KTH ICES and Swedish Electromobility Centre and has become the central meeting place for Scandinavian safety experts from different industries. It is an opportunity to share experiences and make new contacts. There will be an overview day followed by a day of parallel sessions with in-depth presentations and discussions about different challenges, techniques, standards and methods. We aim for a good mix of participants and presentations from different industries and researchers.
The conference program is now ready and registration is available.
This year we are proud to announce two keynotes:
by Anton Nytén, Etteplan
As the global demand for energy storage solutions surges, the battery market is experiencing unprecedented growth. From electric vehicles to renewable energy storage, batteries play a pivotal role in shaping our sustainable future. However, this rapid expansion brings forth critical safety considerations that cannot be overlooked.
In this presentation, we delve into the dynamic landscape of the emerging battery market. We explore the latest advancements in lithium-ion, solid-state, and beyond. But beyond performance metrics and energy density, safety remains paramount. The talk will thus address the critical importance of robust safety protocols, from cell design to manufacturing and end-of-life management where topics such as thermal management, the impact of the regulatory framework and risk mitigation strategies will be discussed.
by Johan Hellsing, Heart Aerospace
Heart Aerospace mission is to decarbonize and democratize air travel. For this, we are developing the ES-30 aircraft and a unique Electric Hybrid Propulsion System (EHPS). The ES-30 will rely on batteries for shorter full-electric flights and will rely on turbine engines as energy reserve and for extended trips. The electric propulsion system introduces a new level of aerospace electrification in terms of installed power, and the hybrid propulsion system introduces a new level of system complexity. On top of this, every sub-system in the aircraft has to be designed to support full-electric aviation. The minimum level of system safety which will be required for an approved aircraft design is available in the EASA’s CS-25 Certification Specifications along with the EHPS Special Condition E-19. This keynote speech will cover some of the main aspects of how Heart Aerospace is planning to meet the aviation system safety standards, comparing EHPS to traditional solutions across the system and subsystem levels.
]]>Geir was an entrepreneur out at the fingertips with the passion of seeing and realizing business opportunities. In 1989, after launching Q-Labs in Lund in southern Sweden he soon aimed for Q-Labs to go globally – and not many years later Q-Labs had offices in Germany and in the US.
Geir also had high interest to link industry with academia and “bridging the gap” was one of his slogans. As part of this strategy Q-Labs establieshed offices close to the strong software engineering universities and organizations such as Fraunhofer Institute in Kaiserslautern and the Universities of Lund and Maryland.
He also established cooperations with with some of the world’s at the time most prominent researchers (Harlan Mills, Victor Basili, Dieter Rombach, Bill Curtis and Claes Wohlin) and settled an “advisory board” for Q-Labs, where many of them had a seat. Furthermore, Geir managed for Q-Labs to get key roles in European Research Projects, e.g. REBOOT and PERFECT.
Geir was always on the outlook for new technology and opportunities, establishing co-operation with the founders of the technologies. This led Q-Labs to to introduce models such as Cleanroom Software Engineering and CMM to Ericsson and other customers.
After establishing a handful of offices globally, Geir wanted to keep the company together with his so called “One company approach”. Many of us holds treasured memories of meetings with Geir joining in from different parts of the world…
Geir at the 25 years – ”open house” event, with new and old Q-Labs employees celebrated at Ideon Science Park in, Lund– where it all started.
After Q-Labs Geir engaged himself in:
Geir enthusiasm was also present outside work. He became a passionate marathon runner and the last years he became an Eco-farmer at Malta, among other things producing olive oil.
Many people in the software engineering world and the software industry as such have many things to thank Geir for. Not only because of challenging work opportunities, advancements of software business but also for him showing what can be achieved through a what a can-do mentality.
Geir could personify a Whynotters (and drag the Yesbutters with him).
So please join us in honoring Geir – best by really conquer your dreams, as well in work as in life in general.
]]>