logo
stripes
logo
stripes

UNECE R156 – Software Update Management (Overview)

UNECE Regulation No. 156 (R156) establishes requirements for a Software Update Management System (SUMS) and the controlled delivery of software and data updates to vehicles. Together with R155 (cybersecurity/CSMS), R156 is a prerequisite for vehicle type approval in regions adopting UN regulations (e.g., EU, UK, JP, KR).

Purpose

R156 ensures manufacturers can plan, package, approve, deliver, verify, and record software updates securely across a vehicle’s service life. It focuses on organizational capability (SUMS) and evidence that updates are performed in a controlled, auditable, and secure manner.

Key Concepts

  • SUMS: Policies, roles, processes, tools, and records governing updates.
  • Secure Update Chain: Authenticity, integrity, anti-rollback, and eligibility checks.
  • Campaign Management: Planning, approvals, staged rollout, communications.
  • Post-Update Validation: Functional checks, telemetry/health, issue handling.
  • Traceability: End-to-end records of who/what/when/where for every update.

Relationship to Standards

Manufacturers commonly implement R156 using ISO 24089 (software update engineering) for the technical process, and align with ISO/SAE 21434 for cybersecurity risk treatment and controls. R156 operationalizes many corrective actions identified under R155.

What Authorities Typically Expect

  • Documented and operational SUMS (policy, roles, competence, toolchain control).
  • Evidence of secure packaging & signing, chain-of-trust, anti-rollback.
  • Campaign approvals, rollout plans, dealer/customer communications.
  • Post-update validation, telemetry criteria, and rollback strategies.
  • Complete records for auditability (per vehicle/applicability, timestamps, outcomes).

Typical Outputs / Evidence

  • SUMS description (scope, governance, roles, KPIs, improvement cycle).
  • Update process/procedures (planning → approval → rollout → validation).
  • Signing policy, key management, and verification specifications.
  • Campaign dossiers (eligibility, dependencies, staged rollout, comms templates).
  • Post-update validation plans, results, telemetry dashboards.
  • Update records per VIN/ECU/software item; rollback/abort logs where applicable.
Disclaimer: This page provides an introductory summary of UNECE R156. For authoritative requirements, consult the official regulation text and guidance from your approval authority.