I think the whole topic "Patch management/Patch testing" splits into 4 subtopics:
1. General issues (things that address everyone)
2. Issues for the creator of a patch
3. Issues for SCADA/Process Control vendors
4. Issues for SCADA/Process Control customers, plant owners or plant admins
to 1.: - the patches must be tested
- what a test environment should look like (but this could also be different for vendor and customer)
- ....
to 2.: - addresses e.g. Microsoft, network management vendors, antivirus vendors... and SCADA/Process Control vendors, if they have patches
- how to inform the customer about a new patch, a consistent format would be good
- active or passive information
- how fast, after a bug was found, a patch must be released
- how patch creators could help SCADA/Process Control vendors to get patches earlier
- .....
to 3.: - vendors should perform compatibility tests with patches for 3rd party they use or allow
- how fast, after a patch has been released, the vendor must allocate information
- a consistent form for the information from all vendors
- a consistent wording from all vendors
- .....
to 4.: - plant owners should perform compatibility tests with patches
- a patch management and patch enrollment strategy
- security strategies, they have some time for patching, and could wait a little bit
- ......