
Update Engineering (GB/T 44496)

GB/T 44496 emphasizes a controlled, secure, and traceable approach to software/data updates for vehicles delivered to the China market. This page outlines a practical, non-normative engineering flow aligned with ISO 24089 and consistent with UNECE R156, while integrating cybersecurity expectations from GB/T 44495 / ISO/SAE 21434.

Objectives

  • Ensure authenticity, integrity, and eligibility of every update.
  • Enable staged campaigns with pause/rollback and auditable outcomes.
  • Maintain end-to-end traceability per campaign and per VIN/ECU.
  • Respect China-specific governance (localization, data residency, retention).

End-to-End Process (Engineering View)

  1. Plan — scope/ECUs/markets, risk reviews (GB/T 44495, ISO 26262, EMC), comms & rollback criteria.
  2. Package & Sign — build artifacts, manifests/SBOM, provenance; sign per policy, record hashes & signer IDs.
  3. Approve — gated reviews (security/safety/compliance), segregation of duties, freeze campaign dossier.
  4. Deliver — OTA or service-tool paths with authenticated transport and rate/eligibility controls.
  5. Install — on-vehicle signature & version checks, anti-rollback, transactional update (A/B or equivalent).
  6. Validate — functional/safety smoke tests, DTC/health checks, telemetry KPIs; trigger containment if thresholds are breached.
  7. Record — per-VIN outcomes, error codes, timing, verification results; immutable/signed logs.
  8. Improve — lessons learned to SUMS/CSMS, supplier contracts, training, and test depth.

Chain of Trust (Integrity & Authenticity)

  • PKI & keys: root/intermediate/signing keys in HSM; rotation/revocation procedures; auditable usage logs.
  • What is signed: binaries, manifests, eligibility rules, dependency graphs, SBOM, and release notes.
  • On-vehicle verification: secure boot anchors, signature/hash checks, monotonic counters for anti-rollback.
  • Provenance: store build IDs, tool versions, commit hashes; prefer reproducibility for critical components.

Eligibility & Dependencies

  • VIN/ECU targeting, market/region, hardware rev, prerequisite software, charging/power/network preconditions.
  • Enforce checks on both backend and vehicle; snapshot rule versions used per VIN decision.
  • Define downgrade exceptions with explicit signed waivers and enhanced verification.

Campaign Engineering

  • Staged rollout: canary → phased cohorts; KPI thresholds to pause/resume or rollback.
  • Operational guards: concurrency limits, retry/backoff logic, server capacity protection.
  • Comms packs: dealer bulletins, customer notices (CN localization), regulator notifications where required.

Dealer & Service Tool Path

  • Tool attestation/version control; authenticated access; audit logs and revocation capability.
  • Offline/USB workflows: signed media, checksum verification, post-install scan attached to VIN record.
  • Quick-guide checklists to reduce human error; escalation contacts/time windows.

Backend & Transport Controls

  • Mutual authentication, integrity at rest/in transit, replay protection, rate limiting.
  • Secrets management for servers and CI/CD; narrow scopes and time-bound credentials.
  • Environment separation (dev/test/prod) and change approvals for pipelines.

China Context: Privacy, Residency & Localization

  • Minimize personal data in telemetry; document lawful basis and retention for CN markets.
  • Record storage locations (CN/on-prem/hosted) and cross-border transfer rules if applicable.
  • Localize labels/indices and critical comms (EN/中文) for audits, dealers, and customers.

Assurance & Testing

  • Static/dynamic analysis of update agents & parsers; fuzz manifests/transport; adversarial tests for eligibility/rollback.
  • HIL/SIL automation for variant coverage; golden baselines; toolchain version capture.
  • Key lifecycle drills (rotation/revocation) and disaster recovery exercises.

KPIs (Engineering & Ops)

  • Success/abort rates, verification failures, median/95th install time, retry rates.
  • Post-update incident rate, DTC regressions, rollback count; MTTR for corrective packages.
  • Gate effectiveness (defects found pre- vs post-rollout); signing/verification error rate.

Typical Outputs / Evidence

  • SUMS description (CN scope), signing/PKI policy, HSM attestations; access & audit logs.
  • Campaign dossiers: scope, eligibility rules, dependencies, approvals, comms, KPI thresholds.
  • Signed package set with manifests, SBOM, hashes, signatures, provenance records.
  • Per-VIN/ECU outcomes, verification results, duration, retries, post-update health snapshots.
  • Immutable/signed logs, key lifecycle events, and restoration drill reports.
  • Lessons-learned and CAPA items; updated procedures and training coverage.

Disclaimer: This page summarizes update engineering practices relevant to GB/T 44496. For authoritative requirements, consult the official standard and applicable guidance.