About the Authors and This Research
This study was conducted by E. Ekawati (h-index: 3, cumulative citations: 16), B. Kurniawan, and Z. A. Suery, occupational health and safety (OHS) researchers from Indonesia's academic community. The research employed a qualitative descriptive design with in-depth interviews, involving two primary informants and three triangulation informants at the CCAI Semarang facility.
CCAI represents a classic multinational consumer goods supply chain environment: its facility simultaneously manages contractors across three risk categories—low, medium, and high—which directly parallels the outsourced manufacturing and maintenance structures common among Taiwan's automotive component manufacturers. The study's focus on the "pre-job phase" (the preparation stage covering qualification review, document verification, and safety requirement confirmation before work begins) maps closely to the supplier pre-qualification and TARA (Threat Analysis and Risk Assessment) pre-work stages required under ISO/SAE 21434.
Core Findings: The "Uniform Document" Flaw and Four Implementation Variables
The research concluded that while CCAI's CSMS was reasonably well-designed at the procedural level, it harbored a systemic execution flaw: all contractors, regardless of their risk category, were required to submit identical compliance document formats. This administrative uniformity effectively diluted the scrutiny applied to high-risk contractors.
Finding 1: Document Compliance Requirements Were Not Differentiated by Risk Level
Contractors performing high-pressure equipment maintenance faced the same documentation requirements as those providing low-risk general services. The research explicitly recommends designing differentiated document review processes by risk category, ensuring that risk management resources are concentrated where the actual exposure lies. This is not merely a procedural refinement—the 7 fatality incidents across 2013–2014 illustrate the consequence of sustained under-scrutiny in high-risk pre-job phases.
Finding 2: Four Variables Determine CSMS Implementation Effectiveness
Through structured interviews, the researchers identified four variables that determine whether a CSMS actually functions as intended: (1) bureaucratic structure—whether procedures are clear and consistently followed; (2) communication—whether all stakeholders genuinely understand the requirements; (3) resources—whether sufficient personnel and tools are allocated; and (4) implementor disposition—whether management actively supports system execution rather than treating it as a compliance formality. CCAI scored positively on management disposition and communication clarity, but showed gaps in resource allocation and document system design.
Finding 3: Pre-Job Phase Failures Have Direct Incident Consequences
The 4 contractor fatalities in 2013 and 3 in 2014 are the research's grounding data points. The study argues that when pre-job phase compliance mechanisms fail to adequately screen high-risk contractors, downstream monitoring—however thorough—cannot fully compensate for risk factors embedded in the preparation stage. This "upstream failure, downstream consequence" logic is structurally identical to how cybersecurity vulnerabilities in automotive supplier onboarding eventually manifest as system-level incidents.
Implications for Taiwan's Automotive Cybersecurity (AUTO) Practice
Taiwan's automotive component manufacturers pursuing TISAX certification or ISO/SAE 21434 compliance face a structurally analogous challenge: how to design genuinely differentiated cybersecurity review mechanisms for suppliers and contractors at different risk levels.
ISO/SAE 21434 Chapter 15 requires companies to assess supplier cybersecurity capabilities and design monitoring intensity proportionate to each supplier's influence on vehicle systems. However, Winners Consulting's practical observations indicate that a common early implementation error among Taiwan manufacturers is applying identical cybersecurity document checklists to all suppliers—precisely the "one-size-fits-all" pattern identified in the CCAI study.
UNECE WP.29 (UN R155) explicitly requires OEMs and Tier 1 suppliers to establish a Cybersecurity Management System (CSMS) that covers the supply chain. The effectiveness of this system depends substantially on whether supplier tiering mechanisms are operationally real, not merely taxonomic labels on a spreadsheet. If differentiated tiering does not translate into differentiated document requirements and review depth, the CSMS contains the same structural vulnerability identified in the CCAI case.
Three specific areas require immediate attention from Taiwan automotive enterprises:
- Operational supplier risk tiering: Classification criteria must directly map to document review depth, not function as abstract labels.
- Standardized pre-engagement cybersecurity confirmation procedures: Aligned with ISO/SAE 21434 Clause 15.3, a repeatable pre-qualification checklist must be established and maintained.
- Cross-system integration: Cybersecurity tiering logic should be integrated into existing quality management systems, preventing cybersecurity review from operating as an isolated compliance exercise.
Winners Consulting's Approach: Building Differentiated Supply Chain Cybersecurity Review
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) supports Taiwan's automotive supply chain manufacturers in achieving TISAX certification, implementing ISO/SAE 21434 standards, and meeting UNECE WP.29 vehicle cybersecurity regulatory requirements. Based on this study's findings regarding the systemic risk of uniform document requirements, Winners Consulting recommends the following three-phase action plan within a 7–12 month implementation cycle:
- Months 1–3: Supplier Risk Tiering Inventory and Differentiated Document Design. Apply ISO/SAE 21434 Chapter 15 to conduct cybersecurity impact assessments of existing supplier lists, establishing three-tier classification criteria (low, medium, high). Simultaneously design differentiated cybersecurity document checklists for each tier: high-risk suppliers should provide TARA summaries, penetration testing reports, and incident notification procedure confirmations; low-risk suppliers should provide basic cybersecurity policy declarations.
- Months 4–8: Pre-Engagement Cybersecurity Confirmation SOP Standardization. Establish a repeatable pre-engagement supplier cybersecurity confirmation SOP aligned with TISAX assessment standards (VDA ISA). This SOP should cover: self-assessment questionnaires, document verification checklists, 30-day remediation period mechanisms for nonconformities, and on-site audit trigger conditions for high-risk suppliers.
- Months 9–12: Implementation Effectiveness Monitoring and Annual Review Mechanism. Referencing the CCAI study's four implementation variables, establish quantitative monitoring indicators: supplier document compliance rate, nonconformity remediation completion rate, and on-site audit coverage rate for high-risk suppliers. Implement an annual supply chain cybersecurity review mechanism to ensure ongoing CSMS compliance with UNECE WP.29 continuous improvement requirements.
Winners Consulting Services Co. Ltd. provides a complimentary automotive cybersecurity mechanism diagnostic, helping Taiwan enterprises establish TISAX-compliant supplier tiering review mechanisms within 7–12 months.
Frequently Asked Questions
- How does the CCAI "uniform document" finding specifically apply to Taiwan automotive suppliers' CSMS execution?
- The CCAI study's central defect—applying identical compliance document formats to all contractor risk levels—is directly transferable to Taiwan's automotive cybersecurity context. When implementing ISO/SAE 21434 Chapter 15 supply chain management requirements, if Taiwan manufacturers do not design differentiated review documents based on each supplier's cybersecurity impact level, the tiering logic of the CSMS becomes functionally meaningless. A Tier 1 supplier developing ECU firmware should face substantially more rigorous document requirements than a supplier providing general office services. Winners Consulting recommends establishing three-tier differentiated document checklists aligned with VDA ISA requirements during the preparation phase, rather than applying a single cybersecurity policy declaration across all suppliers.
- What are the most common compliance gaps in supply chain management when Taiwan enterprises pursue TISAX certification?
- Based on Winners Consulting's practical observations, the most frequent nonconformities in TISAX audits within supply chain management fall into two categories: first, supplier cybersecurity capability assessment processes lack repeatable SOPs and rely heavily on individual judgment; second, supplier classification criteria are not directly linked to contract terms, meaning high-risk suppliers are flagged but actual review intensity does not increase correspondingly. TISAX assessment standards (VDA ISA 6.0) require enterprises to demonstrate systemic supplier management mechanisms—not merely submit static supplier lists. Enterprises should build auditable execution records against each specific requirement of ISO/SAE 21434 Clause 15.3 from the earliest implementation stage.
- What are TISAX certification's core requirements, and how should Taiwan automotive suppliers plan their implementation?
- TISAX (Trusted Information Security Assessment Exchange), developed by the German Association of the Automotive Industry (VDA), has become a practical prerequisite for entering European automotive supply chains. Core requirements encompass three areas: information security management system establishment, prototype protection, and supply chain cybersecurity management, assessed against VDA ISA 6.0. Taiwan suppliers are advised to follow a three-phase implementation: Months 1–3, conduct a GAP Analysis against VDA ISA questions; Months 4–9, build systems and documentation covering ISMS policies, risk assessment processes, and supplier management SOPs; Months 10–12, conduct internal audits and submit the formal assessment application. Total implementation duration is approximately 10–12 months, adjusted for organizational scale and existing system maturity.
- What resources does implementing a TISAX-compliant supplier tiering review mechanism require, and what are the expected benefits?
- Based on Winners Consulting's advisory experience, mid-sized automotive component manufacturers (200–500 employees) implementing TISAX-compliant supplier tiering review mechanisms should anticipate the following resource requirements: internal cybersecurity personnel (at minimum one dedicated staff member), external consulting fees, and system tool procurement (such as GRC platforms or document management systems). Expected benefits include: upon TISAX certification completion, manufacturers can typically enter directly into qualified supplier lists for first-tier European OEMs, shortening new customer review cycles; additionally, differentiated supplier tiering mechanisms effectively reduce cybersecurity incident risk from high-risk outsourced operations. As the CCAI study's logic demonstrates, front-loaded systematic review investment consistently costs less than post-incident handling and business disruption.
- Why choose Winners Consulting for Automotive Cybersecurity (AUTO) advisory?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) specializes in TISAX certification advisory and ISO/SAE 21434 implementation for Taiwan's automotive supply chain, with integrated consulting capabilities spanning UNECE WP.29, ISO/SAE 21434, and VDA ISA frameworks. Unlike general IT security consultants, Winners Consulting deeply understands automotive OT environment characteristics and vehicle system attack surfaces, enabling integration of TARA methodology with supply chain management requirements into executable implementation plans. For the "uniform document" systemic risk identified in the CCAI research, Winners Consulting provides end-to-end services covering supplier risk tiering design, differentiated review document establishment, and annual review mechanism construction. A complimentary mechanism diagnostic is available as the starting point, reducing enterprises' initial implementation barriers for achieving TISAX compliance within 7–12 months.
Japanese Version
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) has drawn findings directly applicable to Taiwan's automotive supply chain enterprises from a field study conducted in Indonesia in 2016. The study, which examined the Coca-Cola Amatil Indonesia (CCAI) Semarang plant, demonstrated that the "uniform application" practice of imposing identical document compliance requirements on contractors of every risk level strips the safety management system as a whole of its risk-differentiation function. The 4 fatal incidents in 2013 and 3 in 2014 are the concrete outcome of systemic failure in the preparation stage (pre-job phase). This structural problem closely resembles the challenge Taiwan enterprises face in supplier cybersecurity reviews under TISAX and ISO/SAE 21434.
Paper source: Analisis Implementasi Contractor Safety Management System (Csms) Pada Tahap Persiapan Kerja Di Coca Cola Amatil Indonesia (Ccai) Semarang (Ekawati, E., Kurniawan, B., Suery, Z. A., arXiv, 2016)
Original link: https://media.neliti.com/media/publications/105176-ID-none.pdf
Source Paper
Analisis Implementasi Contractor Safety Management System (Csms) Pada Tahap Persiapan Kerja Di Coca Cola Amatil Indonesia (Ccai) Semarang (Ekawati, E. (Ekawati), Kurniawan, B. (Bina), Suery, Z. A. (Zainal), arXiv, 2016)