The first episode of this miniseries put an overview of the new UN ECE R156 regulation and related standard ISO 24089. This episode will focus on the management systems for the Software update required by them, so called SUMS (Software Update Management Systems). How is going to take place in every organization and its relationship with others management systems.


Miniseries history

  • EP.1 Overview of UN R156 and ISO:24089
  • EP.2 Enfoque en los sistemas de gestión de actualizaciones de software (SUMS)
  • EP.3 Focus on vehicle requirements (RXsWIN & VTA)
  • … Do not hesitate to contact us for new blog post ideas.

Vehicles and management systems a long story


The automotive industry should already comply with requirements related to multiples management systems. From Quality management: IATF 1649, ASPICE or ISO 9001, or even security specific: ISMS (ISO 27001). Added to these well know management systems two newcomers are requested by the authorities: CSMS, Cyber Security Management Systems for Road vehicles UN R155 (aligned with ISO/SAE 21434 practices) and the SUMS. The transversality and the dependence between each management systems are explained and showed in the Blogpost “[ISO/SAE 21434] A management story”. Thus, the focus in today’s blogpost is made on the SUMS.

Adding another management systems could be considered as more processes and superfluous documents to follow. But the reality is the opposite it allows to precisely specify requirements and processes linked to Software update to improve vehicles safety, security, and reliability.

SUMS suggested structure is based on both UN R156 and ISO 24089 (currently still in FDIS release) requirements illustrated in figure below, can be compared to the CSMS structure with three typical abstraction level. The suggested approach allows to define a concise and clear document structure.

The clause identifiers [Cl-X] references ISO 24089 sections for implementation guidance. Thus, they are subject to adjustments by the official release planned for mid 2023. Below the introduction to the three suggested documentation levels to be considered for SUMS establishment and operation

Governance level:

This category represents the top-level companies’ directives. These directives set companies foundations, visions as well as top management commitment. In the context of ISO 24089 and R156 the directive contains a high-level descriptions of SUMS processes at organization level and the proof that the company complies with ISO 24089 and/or UNECE R156

Nivel de organización

At organization level, processes introduced on the directive are specified. These processes include but are not limited to:

  • Supporting processes (document management)
  • Privacy management (the companies must ensure the privacy of customer data)
  • Gestión de la configuración
  • Change management process

Project level

At project level, processes are split in five categories: Generic project processes, Infrastructure processes required for the SW update, Vehicle processes required for the SW update, Software update package processes and finally software update campaign processes. These categories allow to ensure that both the infrastructure pushing the update and the vehicle getting access and processing it are ready prior to the deployment.

Generic project processes: describes and ensure that the organization develop and maintain a plan for each software update projects. This includes:

  • Process that describes the Software update project plan
  • Tailoring activities process
  • Documentation of processes to preserve integrity of software metadata, …

Infrastructure processes: describes the infrastructure’s requirement to ensure a safe, secure, and reliable software update. This includes:

  • Managing cybersecurity risk
  • Managing vehicle configuration information
  • Performing software update campaigns
  • Processing software update packages

Vehicle and vehicle systems level describes the functionality required in and for vehicle or vehicle systems. This includes

  • Managing Safety and cybersecurity risk for software update in the vehicle (Reference to ISO 26262, ISO 21448, and ISO/SAE 21343)
  • Managing vehicle configuration item
  • Communicating to vehicle user the software update campaign information

Software update package development: describes how the software update package are verified and validates and which vehicle’s type or system will receive this update package. If all elements are conformed the software update package is approved for release. This includes

  • Documentation of verification and validation made
  • Documentation of targets, contents, and compatibility
  • Documentation of approval release

Software update campaign operations: describes the update procedure from the preparation to the completion of the campaign. This includes:

  • Listing Software update campaign preparation results
  • Listing Software update campaign execution results
  • Logging the purpose of the campaign (target vehicles, end date, …)

SUMS Certificate for OEM

Vehicles manufactures shall certify their SUMS by an Approval Authority. The certification is based on an assessment with the Approval Authority or the Technical Service that demonstrates they have all necessary processes to comply with the UN ECE R156 regulation. Passing this assessment gives a “Certificate of Compliance for SUMS. This certificate has a validity of 3 years. After that the Approval Authority or its Technical service shall proceed to a new assessment to renew or issue a new certificate.

SUMS continuous improvement / assessment

SUMS needs to be continuously improved, based on internal/external feedback. This improvement process allows to ensure that the management system correspond to the company needs and is correctly operated throughout company activities and projects.

The manufacturer shall inform the Approval Authority or its Technical service in case of modification/improvement of the management system that shall affect the relevance of the certificate of compliance.

Cómo puede CertX apoyar su hoja de ruta para el cumplimiento de la normativa

Como organismo de certificación reconocido en toda la industria de la automoción, CertX puede apoyar a su organización desde diferentes perspectivas, dependiendo de su madurez y posición en las cadenas de suministro. A continuación, un breve resumen de los servicios prestados por nuestro equipo dedicado a la ciberseguridad y a la actualización del software:

Apoyo educativo para ingenieros y directivos

  • Formación de sensibilización: sesiones/talleres a medida sobre los procedimientos de actualización del software y las actividades y técnicas relacionadas con la ciberseguridad
  • Formación certificable: ISO/SAE 24089 Automotive Software Update Red Belt (A-SURB), ISO/SAE 21434 Automotive Cyber Security Red Belt (A-CSRB)

Análisis de carencias y evaluación previa para identificar los puntos débiles

  • Evaluación del cumplimiento actual de los requisitos ISO 24089 y UN R156 y/o ISO/SAE 21434 y UN R155 R156, ya sea a nivel de organización (SUMS/CSMS) o de producto (artefactos específicos del producto)
    • Para que el OEM prepare la auditoría/evaluación de conformidad con las autoridades de homologación
    • Para que los proveedores estén preparados con los próximos requisitos de los OEM

Servicios de apoyo para el diseño y la aplicación del proceso SUMS/CSMS

  • Apoyo a la integración de las nuevas prácticas en los sistemas de la organización, garantizando una transferencia de conocimientos segura a los equipos operativos
    • Por lo general, se basa en los resultados/conclusiones del análisis inicial de las deficiencias

En el futuro: ISO 24089 - Certificaciones SUMS

  • Evaluación independiente y reconocida de su marco de procesos relacionados con la actualización de SW ISO/SAE 24089 que apoya la negociación de UN R156

If you have any questions about the new regulatory situations around SW updates in the automotive industry, or any other open points about how the application of relevant standards and certification could be used for compliance, please do not hesitate to contact our experts

Disclaimer: This article is subject to modification and improvement when ISO standardization committees will release the official version of ISO 24089.

This article is only a brief introduction to the SUMS requirements suggested by the UN R156 and the ISO 24089. At CertX, we can provide you with further support to integrate the Software update management Systems, SUMS, in your actual management systems.