In the last decade, co-engineering for safety and security of industrial software-based systems has attracted a serious effort from both industry and academia. Many international safety standards, e.g. ISO 61508, ISO 26262, etc., have evolved to take account of cyber-risks. A sustained effort has been allocated to defining software life-cycle models that combine the well-established models used for safety and for security. A monolithic combined life-cycle model, in which safety and security are considered together at all stages, is an obvious option.
This approach, however, has serious problems: it requires the organisational “silos” (i.e. the safety and security teams) to interact very closely (possibly to be merged), which in turn is difficult given the “cultural differences” between the safety and security silos and may even require a major organisational change. Less disruptive approaches to co-engineering have emerged, too. An example is SAE J3061, “Surface Vehicle Recommended Practice”, in which the safety and security lifecycles are operated by their respective “silos”, but the processes are synchronised at predefined “integrated communication points”, undertaken by a small third-party team.
The talk will provide some details about current practices and about the research effort the author is aware of on developing a cost-effective co-engineering process for safety and security. The talk will also refer to the author's own work in an on-going research and innovation project dealing with co-engineering for safety and security.
Conference date: October 23, 2017
Registration deadline: