How do you use XP in a safety- or security-critical project? Some of the rules change because the number one value becomes safety or security. As a hospital software team I met put it, "If we make a mistake, babies die." More than XP is needed in life-critical situations.
A system isn't certifiably secure unless it has been built with a set of security principles in mind and has been audited by a security expert. While compatible with XP, these practices have to be incorporated into the team's daily work. For example, refactorings have to preserve the security of the system as well as its functionality.
Avionics and medical systems are audited before they are allowed to be deployed. XP's principle of flow suggests that auditing should not be a phase at the end of a project. Auditing should happen early and often. The instructions to auditors such as DO-178B explicitly allow software development lifecycles other than a strict waterfall. Here is an example from the Food and Drug Adminstration's "Guidance for FDA Reviewers and Industry Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices":
"There are a variety of life cycle models, such as: waterfall, spiral, evolutionary, incremental, top-down functional decomposition (or stepwise refinement), formal transformation, etc. Medical device software may be produced using any of these or other models, as long as adequate risk management activities and feedback processes are incorporated into the model selected."
Building an ongoing relationship with your auditor improves your chances of a successful audit.
Traceability, the ability to link what has changed in a system to why it changed, is built into XP, although the information isn't routinely recorded. The only change to implement traceability is to make a physical record of this information. If I am changing this line of code, it is because I wrote that test which is a part of that system-level test which came from that story which was scheduled May 24 and was ready to deploy on May 28. Your auditor will tell you what format to use in saving this information.