Bridging Cybersecurity and Safety in Ongoing Mission-Critical Programmes: Real-world Challenges and an Integration Workflow

Zoe Smith

Engineering System Owner Software and Cyber, Submarine Delivery Agency

Nagaratna Hegde

Software Safety and Cybersecurity Consultant, Sanvi Software Limited

Dr Stephen Willoughby

Software Assurance Manager, Rolls-Royce Submarines

As cybersecurity becomes a regulatory priority within safety-critical software-based systems, organisations must respond—even when system designs are mature and project timelines are fixed. This presentation explores the real-world challenges of implementing cybersecurity in safety-critical software assurance for large-scale ongoing programmes, where regulatory expectations evolve mid-cycle.

Drawing on both academic literature and practical experience within a UK defence submarine programme, the talk outlines common technical and organisational challenges at the intersection of cybersecurity and safety. These include conflicting assurance objectives, unclear ownership of risks, the difficulties of applying new regulatory expectations retrospectively, and cultural challenges—particularly the shift in mindset required for established safety and cyber security engineers to cross-train and collaborate effectively.

To address these challenges, a structured workflow was developed and applied within an ongoing programme. This workflow supports safety and cybersecurity teams in performing effective gap analysis, identifying ALARP justifications, and demonstrating compliance to updated regulations while maintaining the established framework and rigour of the original safety case.

This approach—shared across internal and external working groups—offers a replicable model for other high-integrity sectors facing similar pressures. The talk will be of value to engineers, assurance leads, system owners, and programme managers navigating safety-security integration in complex, evolving environments.

About Zoe Smith

Zoe Smith is an Engineering System Owner specialising in Cyber and Software assurance, with over 20 years of experience in communications, information security, civil nuclear, government and submarines. Zoe has led numerous security and system assessments, driving process improvements and risk mitigation strategies across the full lifecycle. Zoe chairs numerous security working groups encompassing a complex stakeholder organisation, promoting ‘secure by design’ compliance, working practice innovations, best practice and risk management for operational technology. Zoe also co-chairs the Cyber Security Safety Working Group within one of the UK’s Defence Programmes, where she leads cross-functional efforts to embed cybersecurity into safety-critical systems. Zoe is passionate about driving a pragmatic approach for security and software forward with the aim of delivering a safe and secure product on time and in budget.

About Nagaratna Hegde

Nagaratna Hegde is a Chartered Engineer and the founder of Sanvi Software Limited, a consultancy specialising in software and systems engineering, functional safety, and product security assurance. With over 20 years of experience in high-assurance sectors—including civil nuclear, aerospace, rail, defence, submarines, and finance—she supports organisations in navigating complex engineering challenges while ensuring compliance with international safety and security standards. She has led numerous software and systems assessments, driving process improvements and risk mitigation strategies across the full lifecycle. Nagaratna conducts software audits of the supply chain on behalf of the UK Ministry of Defence, helping assure the integrity and compliance of critical software components in complex procurement programmes. She also co-chairs a cross-industry Cyber Security Safety Working Group, leading collaborative efforts to embed cybersecurity into safety-critical systems. Nagaratna is passionate about bridging the gap between engineering rigour and real-world constraints, working closely with clients, suppliers, and regulators to deliver compliant and practical solutions.

About Dr Stephen Willoughby

Steve has over 30 years of experience in quality assurance, particularly within the software domain, and is recognised within Rolls-Royce for his leadership in software assurance and auditing practices. His direct contributions to the development of the software certification process, which forms part of the case study within our talk, align closely with the subject matter of the presentation. Steve also previously presented at HISC 2024 and brings valuable continuity and depth to the discussion. His participation in this presentation will strengthen our delivery, especially in the area of software quality assurance and its intersection with cybersecurity and safety.
