# Automotive Regulations and Type Approval

**UNECE WP.29, EU AI Act, and Compliance Pathways**

Author: Milin Patel  
Institution: Hochschule Kempten - University of Applied Sciences

---

## Learning Objectives

1. Understand UNECE WP.29 regulations for cybersecurity and software updates
2. Analyze EU AI Act implications for autonomous vehicles
3. Map ISO standards to regulatory requirements
4. Navigate the type approval process

## 1. Regulatory Landscape Overview

### Key Regulations for Autonomous Vehicles

| Regulation | Scope | Effective | Region |
|------------|-------|-----------|--------|
| UNECE R155 | Cybersecurity Management | July 2022 (new types) | EU, Japan, Korea |
| UNECE R156 | Software Update Management | July 2022 (new types) | EU, Japan, Korea |
| UNECE R157 | Automated Lane Keeping Systems | Jan 2021 | EU |
| EU AI Act | AI System Requirements | 2025-2027 (phased) | EU |
| EU General Safety Regulation | Vehicle Safety | July 2022 | EU |

### Regulatory Bodies

- **UNECE WP.29**: World Forum for Harmonization of Vehicle Regulations
- **EU Commission**: European Union legislative body
- **Type Approval Authorities**: National bodies (KBA in Germany, VCA in UK)

In [None]:
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
from dataclasses import dataclass, field
from typing import List, Dict, Optional
from datetime import datetime, date

print("Regulatory Analysis Tools Loaded")

## 2. UNECE R155: Cybersecurity Management System

### Requirements Overview

R155 mandates that vehicle manufacturers implement a **Cybersecurity Management System (CSMS)** covering:

1. **Organizational processes** for cybersecurity
2. **Risk assessment** for vehicle types
3. **Threat mitigation** measures
4. **Incident response** capabilities
5. **Supply chain** security management

In [None]:
@dataclass
class CSMSRequirement:
    """CSMS requirement per UNECE R155."""
    id: str
    category: str
    requirement: str
    evidence_needed: List[str]
    iso_21434_mapping: str

# R155 CSMS Requirements
csms_requirements = [
    CSMSRequirement(
        id="R155-7.2.2.1",
        category="Organizational",
        requirement="Processes for managing cybersecurity across vehicle lifecycle",
        evidence_needed=["Cybersecurity policy", "Process documentation", "Roles and responsibilities"],
        iso_21434_mapping="Clause 5 (Organizational cybersecurity management)"
    ),
    CSMSRequirement(
        id="R155-7.2.2.2",
        category="Risk Management",
        requirement="Identify and manage cybersecurity risks for vehicle types",
        evidence_needed=["TARA results", "Risk treatment plans", "Residual risk acceptance"],
        iso_21434_mapping="Clause 8 (Risk assessment methods)"
    ),
    CSMSRequirement(
        id="R155-7.2.2.3",
        category="Verification",
        requirement="Verify effectiveness of security measures through testing",
        evidence_needed=["Penetration test reports", "Vulnerability scans", "Code reviews"],
        iso_21434_mapping="Clause 10 (Validation and verification)"
    ),
    CSMSRequirement(
        id="R155-7.2.2.4",
        category="Monitoring",
        requirement="Monitor and respond to cybersecurity incidents",
        evidence_needed=["Incident response plan", "Monitoring capabilities", "PSIRT process"],
        iso_21434_mapping="Clause 13 (Cybersecurity monitoring)"
    ),
    CSMSRequirement(
        id="R155-7.2.2.5",
        category="Supply Chain",
        requirement="Manage cybersecurity risks from suppliers",
        evidence_needed=["Supplier agreements", "Component security requirements", "Audit records"],
        iso_21434_mapping="Clause 7 (Distributed cybersecurity activities)"
    )
]

print("UNECE R155 CSMS Requirements")
print("=" * 80)
for req in csms_requirements:
    print(f"\n{req.id}: {req.category}")
    print(f"  Requirement: {req.requirement}")
    print(f"  ISO 21434 Mapping: {req.iso_21434_mapping}")
    print(f"  Evidence: {', '.join(req.evidence_needed)}")

### R155 Annex 5: Threat Mitigations

R155 Annex 5 lists the threats, and the corresponding mitigations, that a manufacturer must show are addressed for each vehicle type. The dictionary below summarises the Annex by category; it is a condensed view for this notebook, not the complete enumeration.

In [None]:
# R155 Annex 5 Threat Categories
annex5_threats = {
    "Back-end servers": [
        "Abuse of privileges by staff",
        "Unauthorized internet access to server",
        "Unauthorized physical access",
        "Attack on backend via shared network"
    ],
    "Communication channels": [
        "Spoofing of messages",
        "Eavesdropping on communications",
        "Denial of service attacks",
        "Man-in-the-middle attacks"
    ],
    "Update procedures": [
        "Compromise of update process",
        "Denial of legitimate updates",
        "Manipulation of update content"
    ],
    "External connectivity": [
        "Manipulation via remote access",
        "Extraction of proprietary data",
        "Manipulation of vehicle functions"
    ],
    "Data/code": [
        "Extraction of cryptographic keys",
        "Manipulation of software",
        "Unauthorized access to personal data"
    ],
    "Physical": [
        "Tampering with hardware",
        "Replacement of components",
        "Manipulation via diagnostic port"
    ]
}

print("R155 Annex 5: Threat Categories")
print("=" * 60)
total_threats = 0
for category, threats in annex5_threats.items():
    print(f"\n{category} ({len(threats)} threats):")
    for threat in threats:
        print(f"  - {threat}")
    total_threats += len(threats)
print(f"\nTotal threats to address: {total_threats}")
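The R155 evidence an approval authority asks for against the threats above is a TARA: each threat scenario is given an impact rating and an attack-feasibility rating, the two are combined into a risk value, and a treatment decision is recorded. The following added example (not code from the notebook or its author) rates three constructed scenarios filed under Annex 5 categories. The attack-potential point values, feasibility thresholds and risk matrix follow the approach of the informative annexes of ISO/SAE 21434 but are reproduced from memory and are an assumption for illustration; substitute the tables agreed with your technical service.

```python
from dataclasses import dataclass
from typing import Dict, List

# Attack-potential parameters, feasibility thresholds and the impact/feasibility
# risk matrix follow the approach of ISO/SAE 21434 (informative Annexes G and H).
# The concrete numbers are reproduced from memory and are an ASSUMPTION for this
# illustration, not an excerpt of the standard.
ATTACK_POTENTIAL: Dict[str, Dict[str, int]] = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}
FEASIBILITY_THRESHOLDS = [(13, "high"), (19, "medium"), (24, "low")]  # above 24: very low
RISK_MATRIX: Dict[str, Dict[str, int]] = {  # impact -> feasibility -> risk value 1..5
    "negligible": {"very low": 1, "low": 1, "medium": 1, "high": 1},
    "moderate":   {"very low": 1, "low": 2, "medium": 2, "high": 3},
    "major":      {"very low": 1, "low": 2, "medium": 3, "high": 4},
    "severe":     {"very low": 2, "low": 3, "medium": 4, "high": 5},
}


@dataclass
class ThreatScenario:
    annex5_category: str              # R155 Annex 5 category the scenario is filed under
    threat: str                       # Annex 5 threat wording
    damage_scenario: str              # consequence for road users / data if it succeeds
    impact: str                       # severe / major / moderate / negligible
    attack_potential: Dict[str, str]  # one level per ATTACK_POTENTIAL parameter


def feasibility_score(params: Dict[str, str]) -> int:
    """Sum the attack-potential points; refuse an incomplete rating rather than guessing."""
    missing = set(ATTACK_POTENTIAL) - set(params)
    if missing:
        raise ValueError(f"attack potential incomplete: {sorted(missing)}")
    return sum(ATTACK_POTENTIAL[name][level] for name, level in params.items())


def feasibility_rating(score: int) -> str:
    for limit, rating in FEASIBILITY_THRESHOLDS:
        if score <= limit:
            return rating
    return "very low"


def treatment(risk: int) -> str:
    """Risk treatment decision recorded for the approval authority (thresholds assumed)."""
    if risk >= 4:
        return "reduce: control required before release"
    if risk == 3:
        return "reduce, or accept with documented rationale"
    return "retain: document acceptance"


def assess(scenario: ThreatScenario) -> Dict[str, object]:
    score = feasibility_score(scenario.attack_potential)
    rating = feasibility_rating(score)
    risk = RISK_MATRIX[scenario.impact][rating]
    return {"category": scenario.annex5_category, "threat": scenario.threat,
            "score": score, "feasibility": rating, "impact": scenario.impact,
            "risk": risk, "treatment": treatment(risk)}


def residual_risk_by_category(results: List[Dict[str, object]]) -> Dict[str, int]:
    """Highest risk per Annex 5 category: the first view an auditor asks for."""
    worst: Dict[str, int] = {}
    for r in results:
        worst[str(r["category"])] = max(worst.get(str(r["category"]), 0), int(r["risk"]))
    return worst


# Constructed scenarios for a hypothetical vehicle type; the ratings are illustrative.
SCENARIOS = [
    ThreatScenario("Communication channels", "Spoofing of messages",
                   "Forged bus message leads to unintended braking", "severe",
                   {"elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "restricted",
                    "window": "moderate", "equipment": "specialized"}),
    ThreatScenario("Physical", "Manipulation via diagnostic port",
                   "Calibration changed through an unauthenticated diagnostic session", "major",
                   {"elapsed_time": "<=1 week", "expertise": "proficient", "knowledge": "public",
                    "window": "moderate", "equipment": "standard"}),
    ThreatScenario("Data/code", "Unauthorized access to personal data",
                   "Trip history readable from an infotainment backup", "moderate",
                   {"elapsed_time": "<=1 day", "expertise": "proficient", "knowledge": "public",
                    "window": "easy", "equipment": "standard"}),
]
RESULTS = [assess(s) for s in SCENARIOS]

if __name__ == "__main__":
    for r in RESULTS:
        print(f"{r['category']:<24} {r['threat']:<38} AP={r['score']:>2} {r['feasibility']:<9} "
              f"impact={r['impact']:<10} risk={r['risk']}  {r['treatment']}")
    print("Residual risk by category:", residual_risk_by_category(RESULTS))
```

The per-scenario records are what a "TARA results" evidence item looks like in practice; the per-category maximum is what links the TARA back to the Annex 5 structure the authority audits against, and a risk of 4 or 5 left at "retain" is exactly the gap an audit would flag.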

## 3. UNECE R156: Software Update Management System

### SUMS Requirements

R156 mandates a **Software Update Management System (SUMS)** for:

1. Safe execution of software updates
2. Maintaining vehicle compliance after updates
3. Recording software versions and update history

In [None]:
@dataclass
class SUMSRequirement:
    """SUMS requirement per UNECE R156."""
    id: str
    requirement: str
    applies_to: str  # "OEM", "OTA", "Both"

sums_requirements = [
    SUMSRequirement(
        "R156-7.1.1",
        "Document processes for software identification and updates",
        "Both"
    ),
    SUMSRequirement(
        "R156-7.1.2",
        "Identify software versions affecting type approval",
        "Both"
    ),
    SUMSRequirement(
        "R156-7.1.3",
        "Verify software authenticity and integrity",
        "Both"
    ),
    SUMSRequirement(
        "R156-7.1.4",
        "Protect software update process from manipulation",
        "Both"
    ),
    SUMSRequirement(
        "R156-7.2.1",
        "Assess if update affects type approval before deployment",
        "Both"
    ),
    SUMSRequirement(
        "R156-7.2.2",
        "Record RXSWIN (software identification number)",
        "Both"
    ),
    SUMSRequirement(
        "R156-OTA-1",
        "Ensure safe vehicle state before/during/after OTA update",
        "OTA"
    ),
    SUMSRequirement(
        "R156-OTA-2",
        "Inform user about update and obtain consent",
        "OTA"
    ),
    SUMSRequirement(
        "R156-OTA-3",
        "Ensure vehicle can perform update safely (power, connectivity)",
        "OTA"
    ),
    SUMSRequirement(
        "R156-OTA-4",
        "Ability to recover from failed update",
        "OTA"
    )
]

print("UNECE R156 SUMS Requirements")
print("=" * 70)
print(f"{'ID':<15} {'Applies To':<10} Requirement")
print("-" * 70)
for req in sums_requirements:
    # Truncate only when the text is actually longer than the column
    text = req.requirement if len(req.requirement) <= 45 else req.requirement[:42] + "..."
    print(f"{req.id:<15} {req.applies_to:<10} {text}")
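Several of the SUMS requirements above (7.1.3 authenticity and integrity, 7.2.1 approval impact, 7.2.2 RXSWIN recording, OTA-1/OTA-3 safe state and OTA-4 recovery) are easier to reason about as one update path. The added example below (not the notebook's own code) walks a constructed package through that path on the vehicle side. Assumptions: the signing key is a constructed HMAC-SHA256 key used only to keep the example dependency-free, whereas a real SUMS signs with an asymmetric key so the vehicle holds only a public key; the RXSWIN values, ECU names and the 30 % battery threshold are hypothetical; the install failure is simulated by a flag.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed key standing in for the OEM signing key (assumption: a production
# SUMS would use an asymmetric signature so the vehicle never holds a secret).
OEM_KEY = b"constructed-demo-key-do-not-use"


@dataclass
class UpdatePackage:
    payload: bytes
    manifest: Dict[str, object]   # ecu, version, approval_relevant, sha256 of payload
    tag: bytes                    # authenticator over the canonical manifest


@dataclass
class Vehicle:
    vehicle_type: str
    rxswin: str                                   # RXSWIN currently declared for the type
    installed: Dict[str, str]                     # ecu -> active software version
    previous: Dict[str, str] = field(default_factory=dict)   # ecu -> image kept for rollback
    history: List[Dict[str, str]] = field(default_factory=list)  # R156 7.1.1: update record
    battery_pct: int = 100
    parked: bool = True


def _canonical(manifest: Dict[str, object]) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_package(ecu: str, version: str, payload: bytes, approval_relevant: bool,
                 key: bytes = OEM_KEY) -> UpdatePackage:
    """Back-end side: bind ECU, version and payload digest together under one authenticator."""
    manifest = {"ecu": ecu, "version": version, "approval_relevant": approval_relevant,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return UpdatePackage(payload, manifest, hmac.new(key, _canonical(manifest), hashlib.sha256).digest())


def verify_package(pkg: UpdatePackage, key: bytes = OEM_KEY) -> Tuple[bool, str]:
    """Vehicle side (R156 7.1.3): manifest authenticity first, then payload integrity."""
    expected = hmac.new(key, _canonical(pkg.manifest), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkg.tag):
        return False, "authenticity: manifest authenticator mismatch"
    if hashlib.sha256(pkg.payload).hexdigest() != pkg.manifest.get("sha256"):
        return False, "integrity: payload digest does not match signed manifest"
    return True, "ok"


def approval_impact(pkg: UpdatePackage) -> str:
    """R156 7.2.1: an update to approval-relevant software changes the RXSWIN."""
    return "rxswin-change" if pkg.manifest["approval_relevant"] else "no-rxswin-change"


def apply_update(vehicle: Vehicle, pkg: UpdatePackage, approved_rxswin: Optional[str] = None,
                 simulate_install_failure: bool = False, key: bytes = OEM_KEY) -> str:
    """Verify, gate on approval status and safe state, install, roll back on failure."""
    ecu, version = str(pkg.manifest.get("ecu", "?")), str(pkg.manifest.get("version", "?"))
    ok, reason = verify_package(pkg, key)
    if not ok:
        vehicle.history.append({"ecu": ecu, "version": version, "result": f"rejected ({reason})"})
        return f"rejected: {reason}"
    if approval_impact(pkg) == "rxswin-change" and approved_rxswin is None:
        return "blocked: approval-relevant software; assessment and new RXSWIN required first"
    if not vehicle.parked or vehicle.battery_pct < 30:            # R156 OTA-1 / OTA-3
        return "deferred: vehicle not in a safe state for the update"
    vehicle.previous[ecu] = vehicle.installed.get(ecu, "none")    # keep the known-good image
    if simulate_install_failure:                                   # R156 OTA-4: recover
        vehicle.installed[ecu] = vehicle.previous[ecu]
        vehicle.history.append({"ecu": ecu, "version": version, "result": "failed, rolled back"})
        return "rolled back"
    vehicle.installed[ecu] = version
    if approved_rxswin is not None:
        vehicle.rxswin = approved_rxswin                            # R156 7.2.2: record RXSWIN
    vehicle.history.append({"ecu": ecu, "version": version, "result": "installed", "rxswin": vehicle.rxswin})
    return "installed"


def demo() -> Dict[str, str]:
    """Run the happy path and each failure mode; returns the outcome of every step."""
    car = Vehicle("TYPE-A", "RX-TYPE-A-0001", {"ADAS_ECU": "2.0.0", "IVI": "5.1"})
    adas = sign_package("ADAS_ECU", "2.1.0", b"constructed adas image v2.1.0", approval_relevant=True)
    ivi = sign_package("IVI", "5.2", b"constructed infotainment image v5.2", approval_relevant=False)
    tampered = UpdatePackage(b"modified image", dict(adas.manifest), adas.tag)          # payload swapped
    forged = UpdatePackage(adas.payload, {**adas.manifest, "version": "9.9.9"}, adas.tag)  # manifest edited
    out: Dict[str, str] = {}
    out["adas_unassessed"] = apply_update(car, adas)
    out["adas_approved"] = apply_update(car, adas, approved_rxswin="RX-TYPE-A-0002")
    out["tampered"] = apply_update(car, tampered, approved_rxswin="RX-TYPE-A-0003")
    out["forged"] = apply_update(car, forged, approved_rxswin="RX-TYPE-A-0003")
    out["ivi_failed"] = apply_update(car, ivi, simulate_install_failure=True)
    car.battery_pct = 15
    out["ivi_low_battery"] = apply_update(car, ivi)
    out["final"] = f"rxswin={car.rxswin} adas={car.installed['ADAS_ECU']} ivi={car.installed['IVI']}"
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:<16} {result}")
```

Two points of the design carry over to a real SUMS: the approval check happens after authenticity but before any safe-state or install logic, so an approval-relevant image can never be staged without a recorded RXSWIN, and every outcome, including rejections, lands in the vehicle's update history, which is the record R156 expects to be producible later.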

## 4. EU AI Act: Implications for Automotive

### Risk Classification

The EU AI Act classifies AI systems into four risk levels according to their intended use. Automated driving systems fall into the **high-risk** category, which carries the conformity-assessment and lifecycle obligations summarised below.

In [None]:
ai_act_classification = {
    "Unacceptable Risk": {
        "description": "Prohibited AI systems",
        "examples": ["Social scoring", "Real-time biometric identification (with exceptions)"],
        "automotive_relevance": "Not applicable to automotive"
    },
    "High Risk": {
        "description": "Strict requirements, conformity assessment required",
        "examples": ["Safety components of products", "Biometric identification"],
        "automotive_relevance": "ADAS and AV systems are HIGH RISK (Annex III, point 2)"
    },
    "Limited Risk": {
        "description": "Transparency obligations",
        "examples": ["Chatbots", "Emotion recognition"],
        "automotive_relevance": "Driver monitoring (emotion recognition) may fall here"
    },
    "Minimal Risk": {
        "description": "No specific requirements",
        "examples": ["Spam filters", "AI-enabled video games"],
        "automotive_relevance": "Infotainment AI features"
    }
}

print("EU AI Act Risk Classification")
print("=" * 70)
for level, details in ai_act_classification.items():
    print(f"\n{level}")
    print(f"  {details['description']}")
    print(f"  Automotive: {details['automotive_relevance']}")

In [None]:
# High-risk AI system requirements (EU AI Act Articles 8-15; Articles 9-15 summarised below)
high_risk_requirements = [
    {
        "article": "Article 9",
        "title": "Risk Management System",
        "requirement": "Establish and maintain risk management throughout AI lifecycle",
        "iso_mapping": "ISO 21448 (SOTIF), ISO 26262, ISO/PAS 8800"
    },
    {
        "article": "Article 10",
        "title": "Data Governance",
        "requirement": "Training data must be relevant, representative, and free from errors",
        "iso_mapping": "ISO/PAS 8800 (Data quality)"
    },
    {
        "article": "Article 11",
        "title": "Technical Documentation",
        "requirement": "Comprehensive documentation enabling conformity assessment",
        "iso_mapping": "ISO 26262 Part 8 (Supporting processes)"
    },
    {
        "article": "Article 12",
        "title": "Record Keeping",
        "requirement": "Automatic logging of AI system operation",
        "iso_mapping": "ISO 21448 (Runtime monitoring)"
    },
    {
        "article": "Article 13",
        "title": "Transparency",
        "requirement": "Instructions for use enabling understanding of AI output",
        "iso_mapping": "XAI requirements"
    },
    {
        "article": "Article 14",
        "title": "Human Oversight",
        "requirement": "Enable human oversight and intervention",
        "iso_mapping": "SAE J3016 (Driver roles), ISO 21448"
    },
    {
        "article": "Article 15",
        "title": "Accuracy, Robustness, Cybersecurity",
        "requirement": "Appropriate levels throughout lifecycle",
        "iso_mapping": "ISO 21434 (Cybersecurity), ISO 21448 (Robustness)"
    }
]

print("EU AI Act: High-Risk AI Requirements")
print("=" * 80)
for req in high_risk_requirements:
    print(f"\n{req['article']}: {req['title']}")
    print(f"  Requirement: {req['requirement']}")
    print(f"  ISO Mapping: {req['iso_mapping']}")
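Article 12 (record keeping) asks for automatic logging of the AI system's operation, and Article 14 (human oversight) implies that takeover requests and driver interventions are among the events worth keeping. A log is only useful as evidence if later edits can be detected, so the added example below (not code from the notebook or its author) keeps operation records in a hash chain and shows which manipulations the chain alone catches and which one needs an externally anchored head hash. The event types, field names and timestamps are constructed; the design is the editor's illustration, not a scheme prescribed by the Act or by any of the standards mapped above.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # previous-hash value of the first record


class OperationLog:
    """Append-only, hash-chained record of AI system operation (constructed example)."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    @staticmethod
    def _digest(entry: Dict[str, object]) -> str:
        body = {k: entry[k] for k in ("seq", "t_ms", "event", "prev")}
        return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

    def append(self, t_ms: int, event: Dict[str, object]) -> Dict[str, object]:
        prev = str(self.entries[-1]["hash"]) if self.entries else GENESIS
        entry: Dict[str, object] = {"seq": len(self.entries), "t_ms": t_ms, "event": event, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; storing it outside the log (back end, secure element) makes truncation detectable."""
        return str(self.entries[-1]["hash"]) if self.entries else GENESIS

    def verify(self, anchored_head: Optional[str] = None) -> Optional[int]:
        """Index of the first inconsistent record, or None when the chain is intact.
        With an externally anchored head, a chopped-off tail is reported as index len(entries)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = str(e["hash"])
        if anchored_head is not None and prev != anchored_head:
            return len(self.entries)
        return None

    def events_of_kind(self, kind: str) -> List[Dict[str, object]]:
        """Retrieval for an authority request, e.g. all takeover requests in a window."""
        return [e for e in self.entries if isinstance(e["event"], dict) and e["event"].get("kind") == kind]


def build_sample_log() -> OperationLog:
    """Constructed sequence: perception, planner decision, confidence drop, takeover (Article 14)."""
    log = OperationLog()
    log.append(1000, {"kind": "perception", "objects": 3, "min_confidence": 0.91})
    log.append(1050, {"kind": "decision", "action": "keep_lane", "speed_kph": 58})
    log.append(1100, {"kind": "perception", "objects": 4, "min_confidence": 0.42})
    log.append(1150, {"kind": "takeover_request", "reason": "low perception confidence"})
    log.append(4150, {"kind": "driver_takeover", "latency_ms": 3000})
    return log


def tamper_demo() -> Dict[str, Optional[int]]:
    """Apply three manipulations to fresh copies of the log and record what verify() reports."""
    results: Dict[str, Optional[int]] = {}
    log = build_sample_log()
    anchored = log.head()
    results["intact"] = log.verify(anchored)
    log.entries[1]["event"]["action"] = "emergency_brake"   # type: ignore[index]  # rewrite a decision
    results["edited_record"] = log.verify(anchored)
    log = build_sample_log()
    del log.entries[3]                                       # drop the takeover request
    results["deleted_record"] = log.verify(anchored)
    log = build_sample_log()
    log.entries.pop()                                        # cut off the driver takeover
    results["truncated_tail_no_anchor"] = log.verify()
    results["truncated_tail_with_anchor"] = log.verify(anchored)
    return results


if __name__ == "__main__":
    for name, idx in tamper_demo().items():
        print(f"{name:<28} {'intact' if idx is None else f'inconsistent at record {idx}'}")
```

Editing or deleting a record breaks the chain on its own; removing the newest records does not, because a shortened chain is still self-consistent. That is why the head hash has to be committed somewhere the in-vehicle logger cannot overwrite, and why a retention policy needs to say how often that commitment happens.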

## 5. Standards to Regulation Mapping

In [None]:
def create_mapping_matrix():
    """Create standards to regulations mapping matrix."""
    standards = ["ISO 26262", "ISO 21448", "ISO/SAE 21434", "ISO/PAS 8800"]
    regulations = ["R155 (Cybersecurity)", "R156 (Software)", "R157 (ALKS)", "EU AI Act"]
    
    # Mapping: 0=No relation, 1=Supporting, 2=Primary compliance path
    mapping = np.array([
        [1, 2, 2, 1],  # ISO 26262
        [1, 1, 2, 2],  # ISO 21448
        [2, 1, 1, 1],  # ISO/SAE 21434
        [0, 0, 1, 2],  # ISO/PAS 8800
    ])
    
    fig, ax = plt.subplots(figsize=(10, 6))
    
    im = ax.imshow(mapping, cmap='YlGn', aspect='auto')
    
    ax.set_xticks(range(len(regulations)))
    ax.set_yticks(range(len(standards)))
    ax.set_xticklabels(regulations, rotation=45, ha='right')
    ax.set_yticklabels(standards)
    
    # Add text annotations
    labels = {0: "-", 1: "Supporting", 2: "Primary"}
    for i in range(len(standards)):
        for j in range(len(regulations)):
            text = labels[mapping[i, j]]
            color = 'white' if mapping[i, j] == 2 else 'black'
            ax.text(j, i, text, ha='center', va='center', color=color, fontsize=9)
    
    ax.set_title('ISO Standards to Regulations Mapping', fontsize=12, fontweight='bold')
    plt.tight_layout()
    plt.show()

create_mapping_matrix()

## 6. Type Approval Process

### Steps for Type Approval with CSMS/SUMS

In [None]:
type_approval_steps = [
    {
        "phase": "1. CSMS Certificate",
        "description": "OEM obtains CSMS certificate from approval authority",
        "duration": "3-6 months",
        "activities": [
            "Submit CSMS documentation",
            "Demonstrate processes and capabilities",
            "Pass audit by technical service"
        ],
        "validity": "3 years (renewable)"
    },
    {
        "phase": "2. SUMS Certificate",
        "description": "OEM obtains SUMS certificate (if OTA updates planned)",
        "duration": "2-4 months",
        "activities": [
            "Submit SUMS documentation",
            "Demonstrate update process safety",
            "Show rollback capabilities"
        ],
        "validity": "3 years (renewable)"
    },
    {
        "phase": "3. Vehicle Type Assessment",
        "description": "Assess specific vehicle type against R155/R156",
        "duration": "2-4 months per type",
        "activities": [
            "Submit TARA and risk treatment",
            "Provide test evidence",
            "Demonstrate compliance for vehicle type"
        ],
        "validity": "Per vehicle type"
    },
    {
        "phase": "4. Type Approval",
        "description": "Receive type approval certificate",
        "duration": "1-2 months",
        "activities": [
            "Final review by approval authority",
            "Certificate issuance",
            "Registration in databases"
        ],
        "validity": "Linked to CSMS/SUMS validity"
    },
    {
        "phase": "5. Post-Approval",
        "description": "Ongoing compliance and monitoring",
        "duration": "Continuous",
        "activities": [
            "Monitor for new vulnerabilities",
            "Report incidents to authority",
            "Assess updates for type approval impact"
        ],
        "validity": "Vehicle lifetime"
    }
]

print("Type Approval Process for R155/R156")
print("=" * 70)
for step in type_approval_steps:
    print(f"\n{step['phase']}")
    print(f"  {step['description']}")
    print(f"  Duration: {step['duration']}")
    print(f"  Validity: {step['validity']}")
    print(f"  Activities:")
    for activity in step['activities']:
        print(f"    - {activity}")

In [None]:
def visualize_approval_timeline():
    """Visualize type approval timeline."""
    fig, ax = plt.subplots(figsize=(14, 6))
    
    phases = [
        ("CSMS Preparation", 0, 4),
        ("CSMS Audit", 4, 2),
        ("SUMS Preparation", 3, 3),
        ("SUMS Audit", 6, 1.5),
        ("Vehicle Type TARA", 2, 6),
        ("Security Testing", 5, 4),
        ("Type Assessment", 8, 3),
        ("Approval", 11, 1),
    ]
    
    colors = ['#2196f3', '#1976d2', '#4caf50', '#388e3c', '#ff9800', '#f57c00', '#9c27b0', '#7b1fa2']
    
    for i, (name, start, duration) in enumerate(phases):
        ax.barh(i, duration, left=start, height=0.6, color=colors[i], alpha=0.8, edgecolor='black')
        ax.text(start + duration/2, i, name, ha='center', va='center', fontsize=9, fontweight='bold')
    
    ax.set_yticks(range(len(phases)))
    ax.set_yticklabels(['' for _ in phases])
    ax.set_xlabel('Months', fontsize=11)
    ax.set_title('Type Approval Timeline (Typical)', fontsize=12, fontweight='bold')
    ax.set_xlim(-0.5, 13)
    ax.grid(axis='x', alpha=0.3)
    
    # Add milestone markers
    milestones = [(6, 'CSMS Certificate'), (7.5, 'SUMS Certificate'), (12, 'Type Approval')]
    for x, label in milestones:
        ax.axvline(x=x, color='red', linestyle='--', alpha=0.5)
        ax.text(x, len(phases)-0.5, label, rotation=90, va='bottom', ha='right', fontsize=8, color='red')
    
    plt.tight_layout()
    plt.show()

visualize_approval_timeline()

## 7. Compliance Checklist

In [None]:
@dataclass
class ComplianceItem:
    """Compliance checklist item."""
    category: str
    item: str
    r155: bool
    r156: bool
    ai_act: bool
    evidence: str

compliance_checklist = [
    ComplianceItem("Organization", "Cybersecurity policy documented", True, False, True, "Policy document"),
    ComplianceItem("Organization", "Roles and responsibilities defined", True, True, True, "RACI matrix"),
    ComplianceItem("Organization", "Competency management", True, False, True, "Training records"),
    ComplianceItem("Risk Management", "TARA performed", True, False, True, "TARA report"),
    ComplianceItem("Risk Management", "Risk treatment plan", True, False, True, "Treatment records"),
    ComplianceItem("Development", "Secure development lifecycle", True, True, True, "Process docs"),
    ComplianceItem("Development", "Security requirements specified", True, False, True, "Requirements spec"),
    ComplianceItem("Verification", "Security testing performed", True, False, True, "Test reports"),
    ComplianceItem("Verification", "Penetration testing", True, False, False, "Pentest report"),
    ComplianceItem("Data", "Training data quality assessed", False, False, True, "Data quality report"),
    ComplianceItem("Data", "Bias analysis performed", False, False, True, "Bias report"),
    ComplianceItem("Updates", "SUMS documented", False, True, False, "SUMS documentation"),
    ComplianceItem("Updates", "RXSWIN assigned", False, True, False, "Version registry"),
    ComplianceItem("Updates", "Rollback capability", False, True, False, "Test evidence"),
    ComplianceItem("Monitoring", "Incident response process", True, False, True, "IRP document"),
    ComplianceItem("Monitoring", "Logging capabilities", True, True, True, "System specs"),
    ComplianceItem("Supply Chain", "Supplier security requirements", True, False, True, "Contracts"),
    ComplianceItem("Documentation", "Technical documentation", True, True, True, "Tech docs"),
    ComplianceItem("Human Oversight", "Intervention capabilities", False, False, True, "Design docs"),
]

# Create DataFrame for display
df_checklist = pd.DataFrame([
    {
        'Category': item.category,
        'Item': item.item,
        'R155': 'X' if item.r155 else '',
        'R156': 'X' if item.r156 else '',
        'AI Act': 'X' if item.ai_act else '',
        'Evidence': item.evidence
    }
    for item in compliance_checklist
])

print("Compliance Checklist")
print("=" * 90)
print(df_checklist.to_string(index=False))

## 8. Key Takeaways

### Regulatory Compliance Strategy

1. **Start with ISO standards**: ISO 26262, ISO 21448, ISO/SAE 21434 provide the technical framework
2. **Map to regulations**: Use standards compliance to demonstrate regulatory compliance
3. **Obtain certificates early**: CSMS/SUMS certificates are prerequisites for type approval
4. **Plan for EU AI Act**: High-risk classification means additional requirements

### Timeline Considerations

| Milestone | Typical Duration |
|-----------|------------------|
| CSMS Certificate | 3-6 months |
| SUMS Certificate | 2-4 months |
| Vehicle Type Approval | 2-4 months per type |
| Total (first vehicle) | 8-14 months |

### Regional Considerations

- **EU**: R155/R156 mandatory since July 2024 for all new vehicles
- **Japan/Korea**: Adopted UNECE regulations
- **USA**: No federal equivalent yet; NHTSA guidance only
- **China**: GB/T standards (similar scope, different framework)

## References

1. UNECE R155 - Cybersecurity and Cybersecurity Management System
2. UNECE R156 - Software Update and Software Update Management System
3. UNECE R157 - Automated Lane Keeping Systems
4. EU AI Act - Regulation on Artificial Intelligence (2024)
5. EU 2019/2144 - General Safety Regulation