BSI Standards Publication

Intelligent transport systems - Cooperative ITS
Part 6: Core system risk assessment methodology

PD ISO/TR 17427-6:2015

National foreword

This Published Document is the UK implementation of ISO/TR 17427-6:2015. The UK participation in its preparation was entrusted to Technical Committee EPL/278, Intelligent transport systems.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015

ISBN 978 0 580 87423 9
ICS 03.220.01; 35.240.60

Compliance with a British Standard cannot confer immunity from legal obligations.

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 November 2015.

Amendments/corrigenda issued since publication
Date    Text affected

TECHNICAL REPORT ISO/TR 17427-6
First edition 2015-11-01
Reference number ISO/TR 17427-6:2015(E)

Intelligent transport systems - Cooperative ITS - Part 6: Core system risk assessment methodology

Systèmes intelligents de transport - Systèmes intelligents de transport coopératifs - Partie 6: Méthodologie d'évaluation du risque d'un système principal

COPYRIGHT PROTECTED DOCUMENT

© ISO 2015, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8 CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Foreword
Introduction
1 Scope
2 Terms and definitions
3 Abbreviated terms
4 How to use this Technical Report
  4.1 Acknowledgements
  4.2 C-ITS Core System risks
  4.3 Core System overview
  4.4 Non Core System risks
5 Tools to assess risk
  5.1 General
    5.1.1 Technology risk
    5.1.2 Technical risk
    5.1.3 Financial risk
    5.1.4 Liability
  5.2 Operational phases of risk assessment
  5.3 Risk evaluation explanation
  5.4 Categorization of risk
6 Risks for the core system
  6.1 Risks associated with an individual Core System
    6.1.1 Timely deployment
    6.1.2 Relationships between Core Systems and external enterprises
    6.1.3 Adequate operations and maintenance personnel
  6.2 Risks associated with multiple Core Systems
    6.2.1 Role and makeup of the Core Certification Authority
    6.2.2 External support system (ESS) for security
    6.2.3 Operations and maintenance (O

the predominant commercial paradigm
within the jurisdiction in which the deployment is instantiated; the size of the transport network covered by the deployment; the complexity of the transport network covered by the deployment; the extent of service provision covered by the instantiation.

The political paradigm probably has the greatest impact. Some jurisdictions are very centralized, while others are, in some way or other, decentralized and/or federated. Some countries organize as a single monolithic jurisdiction, others are organized as a federation of jurisdictions (states), and others fall somewhere in between. Some countries are associated into political groups of countries where the member states are the paramount jurisdictions and the central jurisdiction is controlled by the will of unanimity or majority, sometimes both.

The practical effect of this on the management of the transport network is significant. Monolithic jurisdictions (for example, Great Britain, France, China), while they may have regional Departments of Transport (DoT), have a centralized controlling DoT which determines policy and strategy. In some jurisdictions, this may be one of centralized control with management of all core strategic policies, including transport, managed by the central government, for example China, which has one super Ministry of Transportation of the People's Republic of China including the former Ministry of Communications, Civil Aviation Administration, State Post Bureau, China Maritime Safety Administration and (since 2013) the Ministry of Railways. Federated states (for example, USA, Australia) have their own DoTs, and central policy, in some cases, may be determined centrally and imposed locally by a combination of regulations for consistency across the country, and by control of the allotment of financial resources to implement central policies/strategies (for example, USA), or may be determined locally and brought to the central DoT for agreement by consensus where achievable (for example, Australia, Switzerland).

In combination with the constraints and opportunities of the political paradigm is the commercial paradigm that it fosters. In nearly all countries, the transport environment, and especially the road network, is state funded and controlled. Highways may be totally state funded from taxation, or outsourced to commercial or pseudo-commercial organizations to fund the development of autoroutes, highways and infrastructures such as tunnels and bridges, or increasingly a combination of both, but the paradigm is almost globally managed by the jurisdiction. However, whether this is the local jurisdictional state or the National DoT varies considerably, and in cases such as Europe, while there may be a European "Directorate General" MOVE (Mobility and Transport), it is the National Member States whose DoTs are paramount, and whose policies vary from one member state to another. Some jurisdictions are sympathetic to the provision of commercial services (including C-ITS service provisions), while others are hostile and consider commercialisation to be potentially a safety risk. Most will live with some compromise that suits the local community, but those compromises will vary from jurisdiction to jurisdiction.

The other factors that are most important in shaping C-ITS deployment are the size and complexity of the transport network, and in particular, the road network. In countries such as USA, the network is so complex, with many different layers of governance and many different local political and commercial environments, and the size, both in terms of road pavement kilometres/miles and in the number of road users, so vast, that a monolithic Core System would be impracticable. However, in other countries, such as Australia, although the size of the territory is 80 % the size of USA, the road network is only 12 % of the size of that in USA and serves a population of 7 % of that of USA, so a single monolithic National core system may seem to be the only viable arrangement to support C-ITS service provision.

The principal causes of risk, both technical and cost risks, will be generally similar in each jurisdiction which encourages and supports C-ITS vehicle and highway systems, but the quantifiable or assessable risk will vary to some extent in each case, and each jurisdiction, core system operator, and application service (2.2) provider will need to make their own risk assessment. This Technical Report, therefore, does not provide a calculated global risk assessment for C-ITS, but identifies the principal causes of risk, and provides a consistent way for a jurisdiction, core system operator, or application service provider to assess the risks that they face.

While this Technical Report can provide tools for deployers and enablers of C-ITS service provision to assess the general risks that face any implementers of a core system to support C-ITS, there can also be risks specific to a jurisdiction or implementation, very location or instantiation specific, that are not covered in this Technical Report (for example, the communications and environmental issues in the Australian outback or Siberia), so there is a general section towards the end of this report which reminds the deployer/enabler to consider additional local aspects (but does not provide specific tools for their assessment). Generally, however, the principal causes of risk inherent in most C-ITS instantiations have been included and tools identified to consistently assess them.

Another alternative for consideration is to rely on autonomous safety systems coupled with whatever the commercial sector develops in terms of C-ITS vehicle-highway systems (perhaps funded by advertising). In these circumstances, it is the tools available to application service providers to assess their risk exposure that are relevant, and the principal risk to the jurisdiction/administration in these circumstances is the risk of doing nothing.

The evolution of C-ITS on a V2V basis, without the need for Core Systems, as casual encounter C-ITS, presents different issues of risk. While these casual or commercial C-ITS options clearly bring additional benefits over a current, non C-ITS service environment, their utility will be limited in scope and the client system will be limited. In any event, the roll out will most probably be significantly slower and many of the life-saving, injury mitigation benefits significantly deferred or even lost altogether. However, in some jurisdictions, such routes can provide the only feasible, or best, option. In these circumstances, it will be important for the jurisdiction, even if not funding or getting involved in deployment, to at least ensure that such solutions are not proprietarily locked to the extent that safety of life and interoperability and transport system efficiency benefits are impaired, and such jurisdictions would be wise to consider how they will achieve this goal. (Requiring adherence to International Standards is recommended as a first step.)

This Technical Report does not address issues of risk that do not involve Core Systems.

The principal environment that this Risk Assessment Technical Report is designed to embrace is C-ITS vehicle and highway systems where there is some institutional involvement and support, probably often by the direct or indirect provision of core system support, and it is the risks associated with the deployment of Core Systems that provide the focus of this Technical Report.

A common definition of a risk is the probability that a decision or action will result in a negative or unwanted consequence, where the probability of each possible outcome is known or can be estimated. In this Technical Report, risks will be identified along with a discussion of their potential impact on deployment. Each risk will have a qualitative discussion of its impact (e.g. high, medium, or low impact) and the likelihood (e.g. high, medium or low likelihood) that the risk will materialize.
For each deployment/proposed deployment, actions or mitigation measures will then need to be listed as a part of the assessment.

Table 1 summarizes the high core system risks based on the combination of impact and likelihood. More detail on these and all other identified risks is provided in Clause 6.

Table 1 High core system risks

Subclause    Subject
6.1.1        Timely deployment
6.1.2        Relationships between Core Systems and external enterprises
6.2.1        Role and makeup of a Core Certification Authority
6.2.2        External Support System (ESS) for security
6.2.3        Operations and maintenance (O

communications that facilitate data exchange; Core Systems, which provide the functionality needed to enable data exchange between and among mobile and fixed transportation users; support systems, including security credentials certificate and registration authorities that allow devices and systems to establish trust relationships.

The Core System's main mission is to enable safety, mobility and environmental communications-based applications for both mobile and non-mobile users.

See ISO/TR 17427-2 for a more detailed explanation of the framework and overview of C-ITS service provision.

See ISO/TR 17427-3 for a more detailed explanation of the concept of operations for C-ITS Core Systems, and ISO 17427-1 for explanation of the roles and responsibilities involved in C-ITS service provision.

Within the C-ITS vehicle and highway systems environment, the core system concept distinguishes communications mechanisms from data exchange, and from the services needed to facilitate the data exchange. The core system supports the C-ITS vehicle and highway systems environment by being responsible for providing the services needed to facilitate the data exchanges. The contents of the data exchange are determined by applications unless the data exchange is used as part of the facilitation process between the user and the core system.

The core system provides the functionality required to support safety, mobility, and environmental applications. This same functionality can also enable commercial applications but that is not a driving factor for the development of the core system. The primary function of the core system is the facilitation of communications between system users, and many of the communications must also be very secure. The core system can also provide data distribution and network support services depending on the needs of the core system deployment.

A critical factor driving the conceptual view of the core system and the entire C-ITS vehicle and highway systems environment is the level of trustworthiness between communicating parties. A complicating factor is the need to maintain the privacy of participants, though not necessarily exclusively through anonymous communication. ISO/TR 14827-7 will address privacy aspects of C-ITS service provision in greater detail. ISO/TR 17428-8 will address Liability issues in greater detail.

4.4 Non Core System risks

This Technical Report is focused on risk assessment in respect of Core Systems deployment. The risks associated with in-vehicle systems are not assessed, and such systems, whether OEM or aftermarket, need to face the same risk assessment processes used to assess risk for any vehicle safety equipment.

Some see the evolution of C-ITS as possible on a V2V basis, without the need for Core Systems, and such casual encounter C-ITS is indeed possible and the technology proven. Another alternative for consideration is to rely on autonomous safety systems coupled with whatever the commercial sector develops in terms of C-ITS vehicle-highway systems (pe