Safety & Cybersecurity Co-Engineering
10 chapters
Learn how ISO 26262 and ISO/SAE 21434 work together: aligning HARA with TARA, sharing the item definition and assumptions register, resolving safety-versus-security conflicts, and meeting UNECE R155/R156 type-approval gates.
How You Learn
Video and text stay in sync. As you scroll through the chapter, the video jumps to the matching explanation automatically.
Learning Objectives
Align HARA with TARA
Run hazard and threat analyses in parallel and reconcile their parameters so safety and security risk ratings stay consistent.
Share work products correctly
Maintain one item definition, system boundary, and assumptions register across both disciplines instead of divergent copies.
Resolve safety-security conflicts
Apply structured principles when availability and access goals collide with restriction and authentication requirements.
Trace attacks to safety goals
Connect attack paths to specific hazardous events and identify which security controls underpin which safety goals.
Chapters
Why Safety Needs Security
Establishes that in connected vehicles a deliberate manipulation can violate a safety goal, making cybersecurity a precondition for functional safety rather than a separate concern.
ISO 26262 vs ISO/SAE 21434
Compares scope, risk metrics, lifecycles, and work products of the two standards, clarifying what each owns and where the item definition and architecture must be shared.
HARA vs TARA
Sets the two parallel risk analyses side by side, showing how to align their inputs, parameters, and outputs so they reinforce rather than contradict each other.
Shared Work Products
Maps the artefacts that safety and security teams exchange or jointly own across the lifecycle, anchored by a shared assumptions register and a common verification interface.
Conflicts & Trade-offs
Examines the structural tension where safety favours availability and simple access while security favours restriction and authentication, then gives principles for resolving it.
Co-Engineering Process
Lays out the integrated workflow that synchronises the ISO 26262 and ISO/SAE 21434 lifecycles through aligned milestones, joint reviews, and a defined organisational interface.
Attack Paths to Hazards
Traces threats through the system to safety hazards, connecting attack trees with fault trees and reframing security controls as enablers of safety goals.
UNECE R155/R156 & CSMS
Covers the regulatory framework in which a Cybersecurity Management System (CSMS) and Software Update Management System (SUMS) are mandatory for type approval and gate the safety release.
Worked Example
Runs a connected Integrated Chassis Control Module (ICCM) at ASIL D through parallel HARA and TARA snippets, a resolved conflict, and the shared requirements both analyses produce.
Organisation & Pitfalls
Catalogues the organisational anti-patterns and technical pitfalls that derail co-engineering, closing with a good-practice checklist for sustaining alignment.
Diagrams & Visuals
Standards Landscape
Maps how ISO 26262 and ISO/SAE 21434 relate, what each owns, and where the shared item and architecture interface sits.
HARA vs TARA Comparator
Side-by-side view of inputs, parameters, and outputs of the two risk analyses, with the points where they feed each other.
Attack Path to Hazard Flow
Traces an attacker from entry point through the system to a violated safety goal, linking attack steps to hazardous events.
Shared Work Products Matrix
Lifecycle grid of artefacts that are exchanged, jointly owned, or independently produced by the safety and security teams.
R155/R156 Process Map
Shows how CSMS and SUMS activities flow into type approval and gate the safety release for connected vehicles.
Safety vs Security Conflict Resolver
Walks a concrete tension (authentication gating a safe-state transition) to a balanced design decision.
Integrated Chassis Control Module (ICCM)
An ASIL D ECU managing brake-by-wire and electric power steering on a connected vehicle is taken through parallel HARA and TARA, a resolved conflict, and the shared requirements both analyses generate.
- Item: ICCM with brake-by-wire and EPS torque assist, CAN FD with SecOC message authentication, UDS over DoIP and OBD-II, OTA via the gateway ECU.
- HARA: unintended full braking and unintended EPS torque both rate S3/E4/C3 to ASIL D with quantified safety goals.
- TARA: CAN injection of brake commands maps to the braking hazard at CAL 3; a malicious OTA payload reaches CAL 4.
- Conflict: workshops need open diagnostic access while security demands a locked-down ECU, resolved with role-gated UDS sessions.
- Shared requirements: message authentication on brake and steer frames satisfies both a safety goal and a cybersecurity goal.
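The last two bullets describe a control that serves both disciplines: message authentication on the brake frame stops injection (the cybersecurity goal), while the receiver's reaction to a failed check must not itself remove braking after one lost frame (the safety goal). The following is an added example, not the course's own code or an AUTOSAR implementation: a SecOC-style sender and receiver for the brake command frame, with a truncated freshness counter, a truncated MAC, replay and forgery rejection, and the agreed safety reaction of entering a degraded state only after several consecutive failures. HMAC-SHA256 stands in for the AES-CMAC SecOC normally uses, and the CAN ID, key, frame layout and failure threshold are constructed assumptions.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed test key; a real ICCM would hold this in an HSM, never in source.
KEY = bytes(range(16))
MAC_LEN = 3          # 24-bit truncated MAC on the wire (assumed profile)
FV_MASK = 0xFF       # low 8 bits of the freshness counter are transmitted
MAX_FV_LEAD = 64     # tolerate this many lost frames before declaring desync
BRAKE_ID = 0x1A0     # constructed CAN ID for the brake command frame


def compute_mac(can_id: int, payload: bytes, full_fv: int) -> bytes:
    """Truncated MAC over data ID || full freshness value || payload.
    HMAC-SHA256 is a stand-in for the CMAC used by SecOC in practice."""
    msg = struct.pack(">HI", can_id, full_fv) + payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    """Brake-pedal node side: appends the truncated FV and MAC to the payload."""
    def __init__(self) -> None:
        self.fv = 0

    def build(self, can_id: int, payload: bytes) -> bytes:
        self.fv += 1
        return payload + bytes([self.fv & FV_MASK]) + compute_mac(can_id, payload, self.fv)


@dataclass
class Receiver:
    """ICCM side: verifies frames and applies the agreed safety reaction."""
    last_fv: int = 0
    consecutive_failures: int = 0
    degraded: bool = False
    max_failures: int = 3     # threshold assumed here; in practice it comes from the assumptions register

    def verify(self, can_id: int, frame: bytes):
        payload = frame[:-MAC_LEN - 1]
        fv_low = frame[-MAC_LEN - 1]
        mac = frame[-MAC_LEN:]
        # Rebuild the full counter: smallest value above last_fv with these low bits.
        full_fv = (self.last_fv & ~FV_MASK) | fv_low
        if full_fv <= self.last_fv:
            full_fv += FV_MASK + 1
        ok = (full_fv - self.last_fv <= MAX_FV_LEAD
              and hmac.compare_digest(mac, compute_mac(can_id, payload, full_fv)))
        if not ok:
            return self._reject()
        self.last_fv = full_fv
        self.consecutive_failures = 0
        return payload

    def _reject(self):
        # Security goal: never act on an unauthenticated brake command.
        # Safety goal: one dropped or corrupted frame must not remove braking,
        # so the safe-state transition is taken only after max_failures in a row.
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.max_failures:
            self.degraded = True
        return None


def run_scenario() -> dict:
    """Constructed traffic: three good frames, a replay, two forged injections, recovery."""
    tx, rx = Sender(), Receiver()
    results = {}
    good = [tx.build(BRAKE_ID, bytes([pct])) for pct in (10, 20, 30)]
    results["accepted"] = [rx.verify(BRAKE_ID, f) for f in good]
    results["replay"] = rx.verify(BRAKE_ID, good[0])        # stale counter: rejected
    # Attacker guesses the next counter value but has no key: MAC is wrong.
    forged = bytes([100]) + bytes([(rx.last_fv + 1) & FV_MASK]) + b"\x00\x00\x00"
    results["forged"] = rx.verify(BRAKE_ID, forged)
    results["degraded_after_two"] = rx.degraded             # still braking normally
    results["forged_again"] = rx.verify(BRAKE_ID, forged)
    results["degraded_after_three"] = rx.degraded           # safe state entered
    results["next_good_accepted"] = rx.verify(BRAKE_ID, tx.build(BRAKE_ID, bytes([40])))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The degraded flag is latched deliberately: a genuine frame arriving after an attack resets the failure counter but does not silently clear the safe state, because leaving it is a separate decision (diagnostic reset or a defined recovery condition) that the safety and security teams agree on together rather than something the authentication layer decides on its own.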
ICCM HARA / TARA Alignment
Master Safety & Cybersecurity Co-Engineering
Work through aligning ISO 26262 with ISO/SAE 21434, from HARA and TARA reconciliation to UNECE R155/R156 type approval.