UNECE Roots‍

The United Nations Economic Commission for Europe (UNECE) is one of the five United Nations regional commissions, administered by the Economic and Social Council (ECOSOC). It was established in 1947 to help rebuild postwar Europe, develop economic activity and strengthen economic relations among European countries and between Europe and the rest of the world. Despite the complexity of this period, numerous consensuses were reached on numerous harmonization and standardization agreements were done.

Since the early 1990s UNECE has focused on assisting the countries of Central and Eastern Europe, Caucasus and Central Asia with their transition process and their integration into the global economy. Today, UNECE with its 56 member States provides a multilateral platform for policy making, dialogue, the development of international legal instruments, standards, best practices and economic and technical expertise.

The Inland Transport Committee (ITC) was set up in 1947 under UNECE, in the same year when UNECE was founded, to support the reconstruction of transport infrastructures in post-war Europe. Over the years, it has specialized in a harmonized and sustainable development of all modes of inland transport.

WP.29 is one of the 18 working parties of UNECE under ITC and its role is to work on three Agreements which are the agreements of 1958, 1998 and 1997. UN r155 regulation adopts the 1958 agreement. The work coordination of WP.29 is done by the steering committee¹.

In light blue boxes above, 6 subsidiary working groups of WP.29 are given. Here, the GR prefix is coming from the French acronym “Groupe de Rapporteurs” which is the equivalent of working party. Under the GR that UN r155 is concerned, the GRVA, the Automated Autonomous and Connected Vehicles, there are several informal working groups which are given below. The one who is responsible for the UN r155 regulation is Cybersecurity and Software updates.

• Electro-Mechanical Braking (EMB)
• Acceleration Control for Pedal Error (ACPE)
• Task Force on fitness for ADS of GRVA Regulations and GTRs (TF ADS)
• ADAS
• SIG on UN Regulation No. 157
• Functional Requirements for Automated and Autonomous Vehicles (FRAV)
• DSSAD / EDR
• GRVA - WebEx (2019 Q1)
• Validation Method for Automated Driving (VMAD)
• CyberSecurity and (OTA) software updates (CS/OTA)
• Automatically Commanded Steering Function (ACSF)
• Modular Vehicle Combinations (MVC)
• Automatic Emergency Braking and Lane Departure Warning Systems (AEBS/LDWS)

1958 Agreement Regulations : Scope & Provisions

The regulations that are annexed to 1958 agreement² must have certain scope and provisions³. The scope shall cover road vehicles, non-road mobile machinery as well as their parts and equipment. The provisions are given below. The last two ones are optional.

• Technical requirements and alternative requirements as appropriate,
• Test methods by which performance requirements that are to be demonstrated,
• The conditions for granting Type Approvals,
• The conditions for the reciprocal recognition of the Type Approvals granted,
• Provisions for the marking of vehicles, their equipment and parts to facilitate Contracting,
• Parties to identify and verify the vehicles to be registered in their country,
• The conditions for ensuring the conformity of production (COP),
• Conditions for in service conformity (optional),
• Conditions for recyclability of vehicles (optional)

These provisions can also be considered as common high-level objectives that shall be ensured by these regulations, but only if the regulations are entirely applied. It is important to know what we should expect from the UNECE regulations to understand how we should comply with it.

It is good exercise to make links between the clauses of UN r155 and these provisions. Certainly, one of the highest impact provisions is the reciprocal recognition. This makes a both positive and a negative impact on the adoption of UN r155 by nations.

UNDERSTANDING UN r155

UN r155 has two main parts; the CSMS (Cybersecurity Management System) at organisation level and cybersecurity at vehicle Level. Cybersecurity management system includes the requirements for the organisational level cybersecurity processes. These processes are required to perform the cybersecurity activities under discipline and obtain the required outcomes at project level. Certain cybersecurity processes are listed as below:

• Cybersecurity Project Management
• Risk Management
• Vulnerability Management
• Cybersecurity Testing
• Event Monitoring
• Incident Management
• Serial Life Management
• Supplier Management

The CSMS process given above will have corresponding cybersecurity activities at project level as below:

• Cybersecurity Project Plan
• TARA
• Vulnerability Analysis
• Cybersecurity Verification & Validation
• Event Monitoring evidences
• Incident Response Plan/Report
• Serial Life activities
• Supplier follow-up evidences

The activities listed above have to be carried out in discipline and the associated work products be created with quality. ISO/SAE 21434 is the right text to achieve these two objectives. Refer to our ISO/SAE 21434 page for more information.

COMPLYING with UN r155

UN r155 compliance process starts with addressing an application to the type approval authority in the contracting party. The scope of the type approval is identified with respect to the vehicle type and categories listed in the regulation and also the market targeted by the manufacturer. UN r155 compliance is now a must-have and a prerequisite to comply with other regulations like UN r156, UN r157 and GSR II (General Safety Regulation) but does not cover the whole world. Therefore, the manufacturers (OEMs) should have an adequate compliance strategy as the UN r155 compliance requires significant effort and budget. 2 to 3 years is barely sufficient with the presence of sufficient resources.

The next step will be the approval of the CSMS. It requires implementation and integration of the cybersecurity processes that ensure managed cybersecurity risk throughout the entire life-cycle of the product and the supply chain. This is very well explained in ISO/SAE 21434 and audit criteria are available in ISO PAS 5112. An audit report is generated that shows the maturity of the CSMS as well the gaps and the action plan if it is not successful. Generally, the next step, which is the technical validation of the cybersecurity at product level, will not be possible if the CSMS is not approved.

The technical validation will consist of literally testing the cybersecurity features of the product with respect to the threats that are listed in UN r155 annex 5. In fact, this will also show whether the CSMS which is approved in the previous phase is respected or not.

The last phase is the assessment of the findings. The cybersecurity assessment must be carried out independently. Therefore, it must not be same entity that performed the cybersecurity validation. If the assessment is positive, the type approval is granted as planned in the initial phase. Now the manufacturer may directly bring the approved products to the markets which mutually recognize the type approval without further testing.

‍conclusion‍

All UN regulations and related documents are open source and available in UNECE. Therefore it is advised to go through UN r155 regulation and Un r155 interpretation document to be informed about its structure and the requirements.

Obtaining a CSMS and a vehicle type certification from national authorities is a complex and highly demanding activity that requires participation of all units in an entity. It is recommended to get an adequate consultancy support to save time and energy.

See also our Use Case on UN r155 Compliance for more information on how UN r155 regulation is applied.

REFERENCES

[1] https://unece.org/sites/default/files/2022-07/ECE_TRANS_289_Rev.1_E_corrected.pdf

[2] https://unece.org/un-regulations-addenda-1958-agreement

[3] https://unece.org/transport/publications/road-map-accession-and-implementation-theunited-nations-1958-and-1997