USE CASE: UN r155 CompliancE‍

Client:

• ‍‍Road Vehicle  Manufacturer (OEM)

Size:

• ‍‍100 .. 5000 employees

Demand:

• UN r155 CSMS + homologation (type approval)
• ISO/SAE 21434 compliance
• Supplier follow-up for cybersecurity compliance and distributed activities.

Required Inputs from Client

• Bearing costs and effort to contact UN r155 homologation authorities,
• Budget allocation for personnel, tooling and cybersecurity activities,
• Access to required resources of the client and the suppliers (documentation, tools, experts etc.),
• Client participation to the definition of the vehicle type, electronic architecture, cybersecurity zones and cybersecurity related components,
• Client participation to project meetings and trainings,
• Being ready to absorb additional workload in all life cycle of the product especially conception, development, verification and validation.

Estimated Duration:

• 1-3 years

Planning and execution

UN r155 compliance process starts with addressing an application to the type approval authority in the contracting party (nation). The scope of the type approval is identified with respect to the vehicle type and categories listed in the regulation and also the market targeted by the manufacturer. UN r155 compliance opens the way for significant opportunities for the manufacturer (OEM) but does not cover the whole world. Therefore, manufacturer should make its decisions and investments intelligently to optimize the resources. UN r155 compliance requires significant effort, budget and time. 2 to 3 years is barely sufficient with the presence of adequate resources.

The next step is the approval of the CSMS. It requires implementation and integration of the cybersecurity processes that ensure managed cybersecurity risk throughout the entire life cycle of the product and the supply chain. This is very well explained in ISO/SAE 21434 and audit criteria are available in ISO PAS 5112. An audit report is generated that shows the maturity of the CSMS as well the gaps and the action plan if it is not successful. Generally, the next step which is the technical validation of the cybersecurity at product level will not be possible if CSMS is not approved.

The technical validation consists of literally testing the cybersecurity features of the product with respect to the threats that are listed in UN r155 annex 5. In fact, this also shows whether the CSMS which is approved in the previous phase is respected or not. The work products that are created during the development and testing according to ISO/SAE 21434 will accompany the cybersecurity validation.

The last phase is the assessment of the findings. The cybersecurity assessment must be carried out independently. Therefore, it must not be the same entity that performed the cybersecurity validation. If the assessment is positive, the type approval is granted as planned in the initial phase. Now the manufacturer may directly bring the approved products to the markets which mutually recognize the type approval without further testing.

Conclusion

Obtaining a CSMS and a vehicle type certification from national authorities is a complex and highly demanding activity that requires participation of all units in an entity. It is recommended to get an adequate consultancy support to save time and energy.

See also our page on UN r155 Regulation for more information.