Title: Cybersecurity in the Safety Life-cycle

Author(s): Martyn Thomas

Publication Event: Proceedings of the Twenty-fourth Safety-Critical Systems Symposium, Brighton, UK

Publication Date: 2015-12-30

Resource URL: https://scsc.uk/r853.pdf

Abstract:

Computer-based systems may fail catastrophically for a variety of reasons. Assurance processes for safety-related systems have focused primarily on the risks from random hardware faults, design faults, and operator error. Where failures are triggered by unpredictable events such as an unexpected combination of inputs, or one or more operator errors, safety analysts may assume such events are independent and/or stochastic. That assumption cannot be sustained if there is a credible threat of any form of cyber-attack, because an attacker might be able to create any desired pattern of unlikely events. Consequently, no safety-related system can be considered adequately safe unless it is also adequately secure against cyber-attack, and this raises issues that need to be considered throughout the safety life-cycle.