This paper presents our work-in-progress on approaches (in terms of Standards, Conceptual Framework, Risk-Based Model and Terminology) that were created by scholars to combine safety and security requirements engineering.
Modern cyber-physical systems are found in important domains such as smart grid, automobiles, medical devices, building automation, avionics, nuclear plants, etc. Hence, they are increasingly prone to security violations. Often such vulnerabilities occur as a result of contradictory requirements between the safety/real-time properties and the security needs of the system. Many safety-critical systems have security issues; for example, in a railway network management system, communication between a train coordinator and train drivers must be authorized to ensure safe operation of the railway. Other systems may not have direct safety implications (e.g. an online banking system) but have security aspects with critical consequences.
As described in Axelrod, there are major cultural and orientation differences between software engineers responsible for safety-critical software-intensive systems and those responsible for security-critical systems. This is in large part due to the requirement for security-critical systems to protect sensitive information (such as non-public personal information and health-related data) and intellectual property, versus the need to ensure that safety-critical systems (such as avionics software and software running on industrial control systems) do not harm people or the environment. Because these orientations are so different, they may have little overlap. The threats to these systems, their vulnerabilities and the consequences of breaches, malfunctions and failure are also very different.
The development of cyber-physical systems where safety and security are important aspects follows the same approach for assessing risk involved with the systems. In the safety field, the benefits of a system and its features have to be balanced against the possible accidental harm it might impose, while the security field needs to consider such benefits against possible malicious harm.
To clarify the difference between the meaning of safety and security, we referred to a study by Cambacédès and Chaudet which clarifies how the meaning of the two words differs across industrial and academic sectors. The study focuses on twelve industrial sectors that have created standards for safety and security, which have been linguistically analyzed in relation to safety and security concepts. The study points out the gaps and differences between the approaches that each industrial sector follows. For example, the chemical industry has different safety and security concepts compared to the power grid industry. The study also included the variations of concepts of safety and security as shown in Table 1.
Because we live in the Internet of Things (IoT) era, where almost everything is connected to networks, legacy techniques and standards can no longer cope with the rapid change in understanding and studying the Internet environment and the potential risks and challenges that may arise when systems that currently work in isolated environments are connected to the network. This has pushed industrial organisations to increase the pace at which standards and measures are improved, as in the SCADA nuclear industry. For example, new standards were issued at the beginning of 2014 in the draft document IEC 62645 for security compatible standards after serious potential risks were recognised.
Table 1. Explicit and exclusive definitions of security and safety in the literature.
It is essential, when implementing critical safety software, that this software is able to verify whether the system is safe or not and it is usually on a high level of verifiability. This is not an easy process as the software systems could be complicated and therefore it would be difficult to determine whether they are truly safe or not. The goals of such standards can be summarised in the three following points:
“Development” is the process of putting the new system through the process of defining potential risks and threats in order to discover them and set out a methodology to avoid them. “Operational management” is the process of evaluating risks and threats which have been controlled to reach a higher degree of safety for the system. It also sets out a clear guide that explains every part of the system and how to interact with it, and trains the users on how to use the system. “Certification” is the process of proving that the system that has been developed is, as claimed, a safety system, and of determining the degree of its safety.
Safety-critical and security-critical software systems are dynamic and interactive, which results in unintentional hazards. The upgrading process is continuous, with the main objective of monitoring the residual risk and its compliance with the standards and certificate.
In this article, we will conduct a survey of the standards and approaches that combine safety and security. Combining safety and security models has been studied from different perspectives and areas. Some researchers focused on developing the architectural framework, while others focused on narrowing down the gap between the definitions and terminology adaptation in both safety and security, or on narrowing down the techniques and tools used in the system development life cycle.
2. Combining Safety and Security in Terms of Standards and Approach
New standards were created to deal with software-intensive systems: cyber-physical systems and shared-control systems. These modern standards define how such systems are either maintained (given that their software is legacy, and that connecting these systems to the network is highly risky because they lose the security engineering resistance) or built from scratch to match the requirements of safety and security engineering. In addition, new laws such as the Cyber-security Act of 2012 appeared. This bill addresses the threats and weaknesses in critical systems that are connected to the network and tries to overcome them.
The High-Assurance Cyber Military Systems (HACMS) Clean-Slate Approach (DARPA) was introduced to obtain the highest-quality results for critical systems with regard to safety and security engineering specifications. It uses a rigorous language for mathematical representation, or semi-automated executable code synthesis, to obtain formal functions with machine-checkable proofs, leading to code that meets its functional specification as well as its security and safety specifications (Figure 1, where the blue squares represent formal specifications). The most important component is the domain-specific synthesizer, which takes the safety and security policies of an element, a functional specification, a description of the target hardware, resource constraints, and a description of the specific environment in which the system will run.
The ISO 14971 standard addresses the manufacturing of medical devices and the development of software for them. It also aims to integrate the risk management process with the early stages of design, so that manufacturers produce evidence that their risk assessment process has considered and addressed both intentional risks and unintentional hazards of the medical device, with appropriate security controls as part of the device’s design. Medical device manufacturers should consider malicious activity during the early phases of requirements engineering.
The draft guidance titled “Management of Cyber-Security in Medical and Hospital Network” discusses the security risks against medical devices and imposes procedures to implement safeguards in order to reduce and avoid hazards related to device failure due to a malicious attack.
3. Combining Safety and Security in Terms of Conceptual Framework
Research has produced a new approach, currently in use, for dealing with safety (“unintentional” accidents) and security (“intentional” risks) in systems that directly interact with the environment, like the new generation of nuclear power plants. This method is called defense in depth (DiD) and uses the artifact term “Systems Theory”. Systems that use DiD analysis obtain a preventive plan based on applying more than one safety layer to face more than one accident. These safety layers are a result of the nature of the system itself. The DiD method can be summarized in four essential phases: Prevention, Control, Protection, and Mitigation, in that order. It is important to mention that this analysis is performed in compatibility with the comprehensive overview specified in the safety and security goals, which affect the safety policy that prioritises the requirements in case of a conflict. In safety requirements the term “Constraints” is used; it describes limitations on how the goals can be achieved, whereas a requirement refers to the behavior required to satisfy the system’s goals.
Figure 1. HACMS clean-slate approach, adapted from DARPA.
Cambacédès and Chaudet focused on building the SEMA referential framework. The first motivation was to reveal the ambiguity of the terms safety and security: the researchers reviewed and analysed technical reports published by official bodies from several industries, as well as academic research, from the safety and security perspective. The second reason is that some industries overlap with each other, so it was important to reveal the ambiguity in each and every industry. Furthermore, to better reveal the ambiguity, definitions and terminologies were addressed separately and reflected upon the SEMA Framework, making it possible to narrow the gap between the different industries from the safety and security perspectives.
In 2007, Novak et al. proposed a complete life-cycle model and demonstrated how this life-cycle model of safety and security serves building automation and control systems (BACS), using guidelines for network hazards and threats and linking their effects on both safety and security requirements.
4. Combining Safety and Security in Terms of Risk-Based Model
Mayer et al. propose a security requirements engineering process that consists of the following four steps: context analysis and asset identification, security goal determination, refinement of these goals to security requirements, and countermeasures selection. The latter two steps are both based on a risk analysis approach named model-based information system security risk management (ISSRM). Mayer et al. thereby propose to make use of Yu’s i* requirements engineering techniques, which can also be used to deal with security requirements. The method proposed by Mayer et al. comprises security requirements elicitation driven by a risk analysis method. It also supports analyzing security requirements through context and asset analysis.
Eames and Moffett presented an integrated process to take the potential conflicts or synergies between safety and security requirements into account. In 2005, the SafSec methodology was used as a unified risk assessment framework aiming at reducing the effort, cost and timescales associated with certification of modular systems.
5. Combining Safety and Security in Terms of Terminology
Avizienis et al. addressed the taxonomy of dependability and security by defining dependability from the security perspective, and explained the means that could help achieve dependability in security. Furthermore, the researchers focused on the taxonomy of threats, the taxonomy of faults, and the pathology of failure, explaining the terminologies without reflecting them on a model.
Firesmith addressed the terminology of the taxonomy of safety and security, as other researchers have done. What makes his research different is that he focused on narrowing down the gap between safety engineering and security engineering by implementing an information model that integrates and links safety and security while maintaining survivability, and he established the underlying foundational concepts between them, and the safety concepts and relations, using UML. Furthermore, in his latest work he redefined safety engineering and security engineering based on his own definitions, so the extent of the comparison is clearly shown in the definitions he proposed; he has also worked on enhancing it in tutorials.
6. Summary and Further Work
The meanings of the terms “security” and “safety” vary considerably from one context to another, leading to potential ambiguities. These ambiguities are very problematic in the critical infrastructure protection domain, which involves multiple actors and engineering disciplines. Avoiding misunderstandings caused by these ambiguities during the early stages of system design and risk assessment is beneficial. It also helps to ensure a more consistent and complete risk coverage. Researchers have explored the integration of safety and security using different structured approaches, which can act as an interface for active interactions in risk and hazard management. In terms of universal coverage, this means finding solutions for differences and contradictions, which can be overcome by integrating the safety and security domains and using a unified system analysis approach that results in analysis centrality.
In future work, we will conduct a survey exploring the technical languages that were created by scholars to combine safety and security requirements engineering with accident analysis technique languages.
 Ludovic, P.-C. and Chaudet, C. (2010) The SEMA Referential Framework: Avoiding Ambiguities in the Terms “Security” and “Safety”. International Journal of Critical Infrastructure Protection, 3, 55-66.
Firesmith, D.G. (2010) Engineering Safety and Security-Related Requirements for Software-Intensive Systems: Tutorial Summary. Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering, 2, 1-44.
 Line, M.B., Nordland, O., Rostad, L. and Tondel, I.A. (2006) Safety vs. Security? Proceedings of the 8th International Conference on Probabilistic Safety Assessment & Management (PSAM), ASME Press, New Orleans.
 Novak, T., Treytl, A. and Palensky, P. (2007) Common Approach to Functional Safety and System Security in Building Automation and Control Systems. IEEE Conference on Emerging Technologies and Factory Automation, Patras, 25-28 September 2007, 1141-1148.
 Mayer, N., Rifaut, A. and Dubois, E. (2005) Towards a Risk-Based Security Requirements Engineering Framework. Workshop on Requirements Engineering for Software Quality. Proceeding of Requirements Engineering for Software Quality, 5, 89-104.
 Yu, E.S.K. (1997) Towards Modelling and Reasoning Support for Early-Phase Requirements Engineering. Proceedings of the 3rd IEEE International Symposium on Requirements Engineering, Annapolis, 6-10 January 1997, 266-235.
 Yu, E. and Liu, L. (2001) Modelling Trust For System Design Using the I* Strategic Actors Framework. In: Falcone, R., Singh, M. and Tan, Y., Eds., Trust in Cyber-Societies. Springer, Berlin, 175-194.
 Liu, L., Yu, E. and Mylopoulos, J. (2003) Security and Privacy Requirements Analysis within a Social Setting. IEEE International Requirements Engineering Conference, Monterey Bay, 12 September 2003, 151-161.
 Eames, D. and Moffett, J. (1999) The Integration of Safety and Security Requirements. International Conference on Computer Safety, Reliability, and Security, Toulouse, 27-29 September 1999, 468-480.
 Avizienis, A., Laprie, J.C., Randell, B. and Landwehr, C. (2004) Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Transactions on Dependable and Secure Computing, 1, 11-33.