Abstract
This RFC proposes the creation of a Safety Group within the LLVM project, similar to the existing Security Group. The group would serve as a community-driven forum to address the challenges of using LLVM in safety-critical systems development, such as those governed by ISO 26262 (automotive), DO-178C (aerospace), or EN 50128 (railways). It would focus on enabling qualified use of LLVM components through shared infrastructure, quality best practices, documentation, collaboration, and long-term planning.
Motivation
LLVM is increasingly adopted in safety-critical domains, but it currently lacks an organized space to address the specific needs of functional safety, such as:
- Compiler qualification under ISO 26262 or equivalent standards
- Toolchain confidence arguments and documentation
- Traceability, change management, and release discipline
- Integration of safety-relevant artifacts and practices
- Coordinated engagement with users in regulated industries
Technical talk at AsiaLLVM 2025
At AsiaLLVM 2025, I presented a technical talk titled “LLVM in the Automotive Industry: Bringing Functional Safety to Open Source”, explaining the importance and interest in addressing an open, upstream qualification of LLVM. One of the proposals is to create a dedicated “Safety Group” that would allow collaboration and open up opportunities for new contributors, institutions, and organizations with safety-critical use cases.
Summary of the talk: (Note: the recording and the slides will be published here)
- Safety-critical industries such as automotive, medical, and aerospace increasingly rely on complex software, with systems like ADAS and autonomous driving demanding extreme levels of assurance. Safety standards like ISO 26262 require that tools used in the development of such systems, including compilers, be justified through “confidence in use”, a structured argument that they do not introduce or fail to detect defects.
- Compiler infrastructures like LLVM are at the heart of the development of these systems, but the components of LLVM are not qualified upstream. While some vendors have performed private qualification of their LLVM-based compilers, these efforts are fragmented, costly, and duplicative. At the same time, LLVM does not currently have structured quality evidence aligned with safety standards, making qualification difficult to scale or reuse.
- At AsiaLLVM 2025, I presented these challenges and argued that a shared, open approach to qualification could reduce duplication and enhance trust. This RFC proposes creating a Safety Group within LLVM to serve as a forum for systematically addressing these concerns.
Proposal
We propose forming an LLVM Safety Group as an interest-driven working group. Its scope would include:
- Providing a central forum for discussing safety-related topics in LLVM.
- Developing guidance and documentation on using LLVM in safely-related developments.
- Collaborating on common infrastructure (e.g., qualification kits, coverage tools, test suites, formal methods).
- Identifying areas of the codebase where safety-relevant improvements may be needed
- Coordinating with upstream maintainers on proposed safety-driven contributions.
- Facilitating interaction with companies, tool vendors, quality and safety auditors, where appropriate.
The group would not enforce policy or process, or maintain exclusive control over any part of LLVM. Instead, it would serve as a bridge between safety users and the existing LLVM project structure.
Other open source projects (e.g., Zephyr RTOS, Eclipse Foundation, Linux Foundation,…) have created dedicated working groups to coordinate safety-related activities and collaborate on standards alignment.
Initial steps for the Safety Group
If this RFC is accepted, the Safety Group could begin with the following concrete actions:
- Create a dedicated Discourse category or tag for safety-related discussions.
- Hold a public kickoff call to gather interested contributors and align on short-term priorities.
- Propose an initial scope for qualification (e.g., What components of the infrastructure? What parts of LLVM core? Specific frontend(s)? What target(s)?).
- Propose specifications and mechanisms for traceability with tests.
- Propose solutions for analysis of bug reports, such as marking safety-relevant bugs or commits and defining countermeasures or workarounds.
- Identify 1–2 low-risk upstream patches that could improve safety posture (e.g., test coverage, documentation).
- Compile existing safety-relevant work from vendors, research, and prior art to identify common gaps and reusable patterns.
- Draft an initial “Safety Users Guide to LLVM” or “LLVM Safety Manual”, a lightweight document mapping LLVM use cases to common safety concerns and outlining some known usage assumptions or constraints.
These steps are intended to be non-disruptive and collaborative. They are focused on gathering shared knowledge, creating infrastructure that benefits all users (safety-critical or not), and building trust.
Deliverables
Focus areas might include:
- Reference process for qualification, including validation and audit.
- Common confidence argument templates or evidence patterns.
- Proposals for traceability mechanisms (e.g., bidirectional mapping between specs and tests) across versions.
- Analysis of known issues and proposal of workarounds or countermeasures, where appropriate.
- Safety manual for LLVM components.
Participation and Format
We envision the group as open to all interested community members, including:
- Contributors from safety-critical industries.
- Tool vendors and integrators.
- Compiler engineers with experience in verification.
- Academics and researchers in compilers and reliability.
Discussions would take place primarily via:
- A new category on LLVM Discourse.
- Periodic virtual meetings or ad hoc working sessions.
- Collaborative documents and open RFCs.
Open Questions
- What is your opinion on the interest of this Safety Group? Do you, as part of the LLVM community, see its creation as useful and understandable, and as a collaborative opportunity?
- If Yes:
- Should the group interface with other existing LLVM working groups (e.g., release engineering, security)?
- Should the group propose changes to release practices to aid qualification?
- Should the group support other areas or topics than those mentioned in this RFC to give more value to the LLVM community?