The first episode of this miniseries put an overview of the new UN ECE R156 regulation and related standard ISO 24089. This episode will focus on the management systems for the Software update required by them, so called SUMS (Software Update Management Systems). How is going to take place in every organization and its relationship with others management systems.


Miniseries history

  • EP.1 Overview of UN R156 and ISO:24089
  • EP.2 Fokus auf Software-Update-Management-Systeme (SUMS)
  • EP.3 Focus on vehicle requirements (RXsWIN & VTA)
  • … Do not hesitate to contact us for new blog post ideas.

Vehicles and management systems a long story


The automotive industry should already comply with requirements related to multiples management systems. From Quality management: IATF 1649, ASPICE or ISO 9001, or even security specific: ISMS (ISO 27001). Added to these well know management systems two newcomers are requested by the authorities: CSMS, Cyber Security Management Systems for Road vehicles UN R155 (aligned with ISO/SAE 21434 practices) and the SUMS. The transversality and the dependence between each management systems are explained and showed in the Blogpost “[ISO/SAE 21434] A management story”. Thus, the focus in today’s blogpost is made on the SUMS.

Adding another management systems could be considered as more processes and superfluous documents to follow. But the reality is the opposite it allows to precisely specify requirements and processes linked to Software update to improve vehicles safety, security, and reliability.

SUMS suggested structure is based on both UN R156 and ISO 24089 (currently still in FDIS release) requirements illustrated in figure below, can be compared to the CSMS structure with three typical abstraction level. The suggested approach allows to define a concise and clear document structure.

The clause identifiers [Cl-X] references ISO 24089 sections for implementation guidance. Thus, they are subject to adjustments by the official release planned for mid 2023. Below the introduction to the three suggested documentation levels to be considered for SUMS establishment and operation

Governance level:

This category represents the top-level companies’ directives. These directives set companies foundations, visions as well as top management commitment. In the context of ISO 24089 and R156 the directive contains a high-level descriptions of SUMS processes at organization level and the proof that the company complies with ISO 24089 and/or UNECE R156

Ebene der Organisation

At organization level, processes introduced on the directive are specified. These processes include but are not limited to:

  • Supporting processes (document management)
  • Privacy management (the companies must ensure the privacy of customer data)
  • Konfigurationsmanagement
  • Change management process

Project level

At project level, processes are split in five categories: Generic project processes, Infrastructure processes required for the SW update, Vehicle processes required for the SW update, Software update package processes and finally software update campaign processes. These categories allow to ensure that both the infrastructure pushing the update and the vehicle getting access and processing it are ready prior to the deployment.

Generic project processes: describes and ensure that the organization develop and maintain a plan for each software update projects. This includes:

  • Process that describes the Software update project plan
  • Tailoring activities process
  • Documentation of processes to preserve integrity of software metadata, …

Infrastructure processes: describes the infrastructure’s requirement to ensure a safe, secure, and reliable software update. This includes:

  • Managing cybersecurity risk
  • Managing vehicle configuration information
  • Performing software update campaigns
  • Processing software update packages

Vehicle and vehicle systems level describes the functionality required in and for vehicle or vehicle systems. This includes

  • Managing Safety and cybersecurity risk for software update in the vehicle (Reference to ISO 26262, ISO 21448, and ISO/SAE 21343)
  • Managing vehicle configuration item
  • Communicating to vehicle user the software update campaign information

Software update package development: describes how the software update package are verified and validates and which vehicle’s type or system will receive this update package. If all elements are conformed the software update package is approved for release. This includes

  • Documentation of verification and validation made
  • Documentation of targets, contents, and compatibility
  • Documentation of approval release

Software update campaign operations: describes the update procedure from the preparation to the completion of the campaign. This includes:

  • Listing Software update campaign preparation results
  • Listing Software update campaign execution results
  • Logging the purpose of the campaign (target vehicles, end date, …)

SUMS Certificate for OEM

Vehicles manufactures shall certify their SUMS by an Approval Authority. The certification is based on an assessment with the Approval Authority or the Technical Service that demonstrates they have all necessary processes to comply with the UN ECE R156 regulation. Passing this assessment gives a “Certificate of Compliance for SUMS. This certificate has a validity of 3 years. After that the Approval Authority or its Technical service shall proceed to a new assessment to renew or issue a new certificate.

SUMS continuous improvement / assessment

SUMS needs to be continuously improved, based on internal/external feedback. This improvement process allows to ensure that the management system correspond to the company needs and is correctly operated throughout company activities and projects.

The manufacturer shall inform the Approval Authority or its Technical service in case of modification/improvement of the management system that shall affect the relevance of the certificate of compliance.

Wie kann CertX Ihren Fahrplan für die Einhaltung von Vorschriften unterstützen?

Als anerkannte Zertifizierungsstelle in der Automobilindustrie kann CertX Ihr Unternehmen aus verschiedenen Blickwinkeln unterstützen, je nach Reifegrad und Position innerhalb der Lieferketten. Im Folgenden finden Sie eine kurze Zusammenfassung der Dienstleistungen, die von unserem Team für Cybersicherheit und SW-Update angeboten werden:

Ausbildungsunterstützung für Ingenieure und Manager

  • Sensibilisierungsschulung: maßgeschneiderte Sitzungen/Workshops zu SW-Aktualisierungsverfahren und Aktivitäten und Techniken im Bereich der Cybersicherheit
  • Zertifizierbare Ausbildung: ISO/SAE 24089 Automotive Software Update Red Belt (A-SURB), ISO/SAE 21434 Automotive Cyber Security Red Belt (A-CSRB)

Gap-Analyse und Pre-Assessment zur Identifizierung von Schwachstellen

  • Bewertung der aktuellen Übereinstimmung mit den Anforderungen von ISO 24089 und UN R156 und/oder ISO/SAE 21434 und UN R155 R156, entweder auf organisatorischer Ebene (SUMS/CSMS) oder auf Produktebene (produktspezifische Artefakte)
    • Für OEM zur Vorbereitung der Konformitätsprüfung/-bewertung mit den Zulassungsbehörden
    • Für die Bereitschaft der Lieferanten mit kommenden Anforderungen von OEM

Unterstützende Dienstleistungen für die Gestaltung und Implementierung von SUMS/CSMS-Prozessen

  • Unterstützung bei der Integration neuer Praktiken in die Organisationssysteme, Gewährleistung einer sicheren Übergabe an die operativen Teams Wissenstransfer
    • In der Regel auf der Grundlage der ersten Ergebnisse der Lückenanalyse

In der Zukunft: ISO 24089 - SUMS-Zertifizierungen

  • Unabhängige und anerkannte Bewertung Ihres SW-Update-Prozesses im Rahmen von ISO/SAE 24089 zur Unterstützung der UN R156-Verhandlungen

If you have any questions about the new regulatory situations around SW updates in the automotive industry, or any other open points about how the application of relevant standards and certification could be used for compliance, please do not hesitate to contact our experts

Disclaimer: This article is subject to modification and improvement when ISO standardization committees will release the official version of ISO 24089.

This article is only a brief introduction to the SUMS requirements suggested by the UN R156 and the ISO 24089. At CertX, we can provide you with further support to integrate the Software update management Systems, SUMS, in your actual management systems.