Engineering Decision Dashboard
Product and cybersecurity architecture understanding package generated from Markdown-derived requirements.
Confirmed Engineering Conclusions
| Conclusion | Status | Evidence | Impact | Decision Needed |
|---|---|---|---|---|
| ECA ECU product identity and AMT platform context | Confirmed | 3299216_1.md function statements; system_identity.md | Stabilizes review-board naming | Confirm final product designation/variant |
| Cybersecurity concept and evidence package are in scope | Confirmed | Cybersecurity and process requirements | Makes this an architecture/security baseline, not a brochure | Confirm approval workflow |
Inferred Conclusions
| Conclusion | Status | Evidence | Impact | Decision Needed |
|---|---|---|---|---|
| Secure diagnostics, update and key/certificate handling apply to the ECU | Inferred | UDS, flash/IVD and certificate/key requirements | Drives security services and trust-boundary design | Confirm exact allocation |
Customer-Confirmation Conclusions
| Conclusion | Status | Evidence | Impact | Decision Needed |
|---|---|---|---|---|
| SecOC/SDT-style protection is needed for selected data flows | Requires Confirmation | Secure communication requirements | Blocks final interface-security allocation | Customer must identify protected signals |
Architecture Risks
| Risk | Area | Impact | Mitigation / Next Step | Owner |
|---|---|---|---|---|
| Unconfirmed item boundary | Architecture | Asset, interface and TARA allocation can shift | Run item-definition workshop | OEM + Supplier |
| Unconfirmed SecOC/SDT scope | Interface | Vehicle-data authenticity/freshness cannot close | Map protected signals and freshness model | OEM |
Security Risks
| Risk | Area | Impact | Mitigation / Next Step | Owner |
|---|---|---|---|---|
| Unconfirmed diagnostic role model | Security | Privileged services may be under- or over-controlled | Define roles, services, certificates and lockout | OEM + Supplier |
| Unconfirmed update/key ownership | Security | Signing, rollback, PKI and HSM decisions remain open | Confirm update sequence, key hierarchy and HSM capability | OEM + Supplier |
Required Next Decisions
| Conclusion | Status | Evidence | Impact | Decision Needed |
|---|---|---|---|---|
| ECA ECU product identity and AMT platform context | Confirmed | 3299216_1.md function statements; system_identity.md | Stabilizes review-board naming | Confirm final product designation/variant |
| Cybersecurity concept and evidence package are in scope | Confirmed | Cybersecurity and process requirements | Makes this an architecture/security baseline, not a brochure | Confirm approval workflow |
| Secure diagnostics, update and key/certificate handling apply to the ECU | Inferred | UDS, flash/IVD and certificate/key requirements | Drives security services and trust-boundary design | Confirm exact allocation |
| SecOC/SDT-style protection is needed for selected data flows | Requires Confirmation | Secure communication requirements | Blocks final interface-security allocation | Customer must identify protected signals |
Evidence
Detailed conclusion register
Working system: Electric Clutch Actuator (ECA) Control ECU - TRATON GW AMT Gearbox Platform. Conclusions are graded and traced to requirement evidence.
Confirmed by Requirements
- The ECU controls an electric clutch actuator via CAN and a 1 kHz PWM wake-up signal, with closed-loop position control and error handling.
  - Status: Confirmed
  - Evidence basis: REQ-AUTO-00064; REQ-AUTO-00065; REQ-AUTO-00066; REQ-AUTO-00078; REQ-AUTO-00079; REQ-AUTO-00088; REQ-AUTO-00089; REQ-AUTO-00090 (showing 8 of 149)
  - Impact: Architecture, Interface
- A cybersecurity concept with risk-assessment input, control derivation, V&V evidence and OEM residual-risk approval is a mandatory deliverable.
  - Status: Confirmed
  - Evidence basis: REQ-AUTO-00001; REQ_SEC_0002; REQ-AUTO-00006; REQ_SEC_0003; REQ_SEC_0022; REQ-AUTO-00009; REQ_SEC_0023; REQ_SEC_0024 (showing 8 of 52)
  - Impact: Process, Security
- UDS-based diagnostic access (including Authentication 0x29) is in scope for the ECU.
  - Status: Confirmed
  - Evidence basis: req-6.20; REQ-AUTO-00282; REQ-AUTO-00290; REQ_UDS-0051; REQ_UDS-0051; REQ-AUTO-00298; REQ-AUTO-00299; REQ-AUTO-00310 (showing 8 of 309)
  - Impact: Security, Interface
Strongly Inferred
- Secure software update / flash with authenticity and integrity verification and bootloader state control is required.
  - Status: Inferred
  - Evidence basis: REQ-AUTO-00203; REQ-AUTO-00279; REQ-AUTO-00290; REQ-AUTO-00298; REQ-AUTO-00317; REQ-AUTO-00322; REQ-AUTO-00323; REQ-AUTO-00324 (showing 8 of 30)
  - Impact: Architecture, Security
- Key and certificate handling (provisioning, validation, lifecycle) underpins authentication and secure communication.
  - Status: Inferred
  - Evidence basis: REQ_SEC_0016; REQ_SEC_0019; REQ-AUTO-00335; REQ-AUTO-00340; REQ-AUTO-00445; REQ_UDS-0038; REQ_UDS-0068; REQ_UDS-0070 (showing 8 of 69)
  - Impact: Security, Interface
- Security-relevant vehicle data needs authenticity, integrity and freshness protection (SecOC/SDT-style).
  - Status: Inferred
  - Evidence basis: REQ-AUTO-00410; REQ-AUTO-00889; REQ-AUTO-00890; REQ-AUTO-00992; REQ-AUTO-00993; REQ-AUTO-00994; REQ-AUTO-00995; REQ-AUTO-00997 (showing 8 of 85)
  - Impact: Security, Interface
Requires Customer Confirmation
- Exact diagnostic role model, service list, lockout and rate-limiting behaviour.
  - Status: Requires Confirmation
  - Evidence basis: req-6.20; REQ-AUTO-00282; REQ-AUTO-00290; REQ_UDS-0051; REQ_UDS-0051; REQ-AUTO-00298; REQ-AUTO-00299; REQ-AUTO-00310 (showing 8 of 309)
  - Impact: Security, Interface
- Update-sequence ownership, signing chain, rollback policy and backend responsibilities.
  - Status: Requires Confirmation
  - Evidence basis: REQ-AUTO-00203; REQ-AUTO-00279; REQ-AUTO-00290; REQ-AUTO-00298; REQ-AUTO-00317; REQ-AUTO-00322; REQ-AUTO-00323; REQ-AUTO-00324 (showing 8 of 30)
  - Impact: Security, Process
- Key hierarchy, HSM/protected-storage capability, PKI ownership and certificate lifecycle.
  - Status: Requires Confirmation
  - Evidence basis: REQ_SEC_0016; REQ_SEC_0019; REQ-AUTO-00335; REQ-AUTO-00340; REQ-AUTO-00445; REQ_UDS-0038; REQ_UDS-0068; REQ_UDS-0070 (showing 8 of 69)
  - Impact: Security, Architecture
- Which signals require SecOC/SDT, the protection profile, and the ECU boundary/item definition for TARA.
  - Status: Requires Confirmation
  - Evidence basis: REQ-AUTO-00410; REQ-AUTO-00889; REQ-AUTO-00890; REQ-AUTO-00992; REQ-AUTO-00993; REQ-AUTO-00994; REQ-AUTO-00995; REQ-AUTO-00997 (showing 8 of 85)
  - Impact: Security, Architecture
Main Architecture Risks
- The ECU item boundary and variant scope are not finally confirmed, so interface and asset allocation remain provisional.
- Update/bootloader and application state ownership is split across supplier, backend and OEM and is not yet allocated.
- Hardware security capability (HSM/protected storage) is assumed but not confirmed, affecting key-protection design.
Main Security Risks
- Diagnostics can unlock privileged functions; without a confirmed role model the access-control design cannot be finalized.
- A weak or unconfirmed update signing chain would allow attacker-controlled software onto the ECU.
- Unallocated SecOC/SDT scope leaves vehicle-data authenticity and freshness undefined.
Recommended Next Actions
- Run an item-definition and diagnostic-role workshop with the customer to close the top open decisions.
- Confirm the secure-update architecture (signing, rollback, ownership) and key/PKI model.
- Confirm SecOC/SDT signal scope and protection profile, then complete TARA and update traceability with approved decisions.