Product Design Suite 2019 X Force 2019 X64.exe.iso
Tatsuya Deals
UN Regulation No. 155 is increasing the pressure on the automotive industry to address cybersecurity. The industry is taking action: New resources are being allocated to the topic, responsibilities are being assigned, and specialists are urgently sought everywhere. At present, their main task is to provide truly reliable answers. For example, on the question: What does UN Regulation No. 155 require of actors in the automotive industry?
There is no way around systematically dealing with UN Regulation No. 155 in the entire automotive value chain in order to be able to do business and be competitive. Cybersecurity in product development is becoming a key factor for the success of the entire organization.
The UNECE WP.29 deals with the harmonization of vehicle regulations for vehicles and vehicle equipment. One of the most important recent regulations is the UNECE Regulation No 155 concerning the approval of vehicles with regards to cybersecurity and Cyber Security Management System.
Within the WP.29 there are six permanent working parties, which deal with specific topics around the vehicle. The GRVA is one of these working parties and deals with automated and connected vehicles. This working party is also the starting point for the UN R155 as well as for the UN Regulation No. 156 (for more information see our topic page UN Regulation No 156 & SUMS).
In simple terms, the evidence that one has worked along a standard could be used in court to verify whether something is developed according to the industry standard and way of working, just by using an ISO standard as a reference.
In the case of the automotive industry and the UNECE Regulation No 155, these are binding requirements that must be complied with in order to obtain type approval and therefore market access. A lack of compliance with the regulation can consequently lead to a sales ban in the corresponding area of application (in case of UNR 155 over 60 countries already are adopting the regulation).
Different than ISO/SAE 21434, which does not explicitly specify particular processes (but requires compliance and the establishment of work products to ensure compliance), UN R155 requires the setup and implementation of a management system that focuses on cybersecurity along the vehicle (the so called Cybersecurity Management System or short CSMS). You can also read our article on how to establish a Cybersecurity Management System CSMS.
The Cyber Security Management System is of central importance for ensuring the cybersecure organization in the automotive industry. Moreover, the CSMS provides basis for the Certificate of Compliance for CSMS, i.e. the auditing and the corresponding official certification.
For this purpose, the VDA (the German Association of the Automotive Industry) has released a questionnaire (still in draft status, finalization is still pending; The Red Book will be released soon), which is intended to provide an initial basis for the audit protocol as a rudimentary checklist. Here, the requirements are taken and reformulated into questions or scenarios on how to cover the requirements for CSMS.
How is auditing carried out in accordance with UNECE Regulation No. 155? Two entities are relevant here. Firstly, the official approval authority (such as the Federal Motor Transport Authority under the Federal Ministry of Transport and Digital Infrastructure), and secondly, an institution at the technical level.
Moreover, companies are becoming aware that ISO/SAE 21434 is not only about the product, but also about projects and the entire organization. Similarly, the UN R155 covers not only the product but also product development and the organization.
On the other hand, it is all about the product and type approvals. The objective here: ensuring the design of the vehicle architecture, risk assessment and implementation of adequate security controls.
The UN Regulation No. 155 came into force at the beginning of 2021, and two dates are binding: from July 2022, the requirements within the UNECE member countries (from the 1958 Agreement) will apply to all new vehicle types for type approval, and from July 2024 they will apply to all vehicles.
The main reason for this is that vehicle approval in the USA is not synonymous with approval in the member countries. This means that vehicles authorized for use in the USA cannot be brought onto the global market or the market of the UNECE member countries on the basis of this approval.
In general, market entry is possible without a type approval along a certain regulation, such as the UN R155. After market entry, however, the Approval Authority of the respective country reserves the right to carry out compliance tests in order to recall the vehicle in the event of possible non-compliance.
For countries that do not belong to the scope of the 1958 Agreement (see above), such as countries included in the 1998 Agreement, it might become possible to implement the requirements specified in the scope of the 1958 Agreement through so-called GTRs (global technical regulations).
Since 1998, several GTRs have already been published (e.g. for pedestrian safety as well as regulations concerning hydrogen and fuel cell vehicles). Therefore, it is thinkable that the UN R155 will be treated accordingly, which could simplify a homogenization with countries which do not belong to the UNECE Member Countries along the 1958 Agreement. However, type approval requirements are not in scope of the 1998 Agreements and its GTRs.
We have already learned that an important aspect of UN Regulation No. 155 is the introduction of a certified Cybersecurity Management System as part of the consideration of cybersecurity aspects in the type approval process. Can we therefore conclude that UN R155 is actually only an issue for OEMs?
The OEMs must demonstrate that the CSMS is managed along the entire value chain and are accountable for it. Consequently, all players involved need to be aware of potential risks and gaps, from Tier 1 till Tier n supplier level. This means that suppliers must also work in compliance with the CSMS principles.
Moreover, an audit or the Certificate of Compliance for CSMS is required and must be obtained at least every three years. To build a link to type approval: This CSMS certification is the prerequisite for type approval in the first place. Then there are the additional detailed requirements relating to the product. As creation and implementation of new organization wide rules and processes can be painfully slow, it is advisable to take the necessary steps at an early stage.
Since a considerable proportion of cybersecurity-relevant components of the vehicle still come via suppliers, it becomes obvious very quickly that they are widely involved in the multidimensional requirements of UN R155.
What sounds like a simple question to which Google could provide a quick answer is a multidimensional and far-reaching undertaking that involves the entire organization as well as technical details of the product along the entire lifecycle at several levels.
At this point, based on our experience (regardless of organizational structure and size of the enterprise), we have to state: Please be sure to plan for sufficient staff, resources and, above all, time to be able to handle this extremely demanding task. Unfortunately, we repeatedly receive inquiries based on unrealistic assumptions.
The CSMS is the benchmark and starting point for type approval. Accordingly, in practice, this is where the main attention is paid. Without the corresponding Certificate of Compliance for the CSMS, the actual type approval cannot even be initiated.
It is important to understand the current cybersecurity processes as comprehensively as possible. For this, it is helpful to perform a gap analysis (see our ISO/SAE 21434 Gap Analysis). Especially if ISO/SAE 21434 principles are already established in the organization.
It is important here to consistently follow the relevant timeline. Type approval should be available at the start of production (SOP). Type approval can take up to three months. Before the actual type approval, the CoC for the CSMS must be available. You should also plan a processing time (incl. audit) of three months for this in any case.
It is important to mention here again that UN R155 is nevertheless not a subject purely for the OEM. Tier-N suppliers also need to ensure that cybersecurity principles are systematically embedded in their organizations.
To sum it up: The sooner OEMs and especially Tier-N suppliers (who are always at risk of approaching this too late) address the issue of CSMS the better. Cybersecurity requirements are to be seen here as a pure time issue: The earlier a systematic approach is taken, the fewer issues will occur later in the rollout or audit.
Product manufacturers often struggle to understand true system performance until very late in the design process. Mechanical, electrical, and other subsystems are validated against their specific requirements within the systems engineering process, but full-system testing and validation comes late, leading to rework and design changes that are riskier and more costly than those made early on.
As the world's most famous and widely used Multibody Dynamics (MBD) software, Adams improves engineering efficiency and reduces product development costs by enabling early system-level design validation. Engineers can evaluate and manage the complex interactions between disciplines including motion, structures, actuation, and controls to better optimize product designs for performance, safety, and comfort. Along with extensive analysis capabilities, Adams is optimized for large-scale problems, taking advantage of high performance computing environments.
Utilizing multibody dynamics solution technology, Adams runs nonlinear dynamics in a fraction of the time required by FEA solutions. Loads and forces computed by Adams simulations improve the accuracy of FEA by providing better assessment of how they vary throughout a full range of motion and operating environments.
b37509886e