
Records & Traceability

UNECE R156 requires complete, accurate, and tamper-resistant records for every software update. This page outlines how to establish end-to-end traceability from change request to in-field result, so you can demonstrate conformity during audits and incident investigations.

Purpose

  • Prove that updates were authorized, secure, eligible, and correctly installed.
  • Enable root-cause analysis, rollback decisions, and regulatory reporting.
  • Maintain per-VIN and per-software-item history across the lifecycle.

Traceability Model (End-to-End)

Maintain bidirectional links between these entities (stable IDs, timestamps, owners):

  • Change → Build → Package & Signature → Campaign → Eligibility Decision → VIN/ECU Outcome → Post-Update Validation
  • Include toolchain versions, hashes, key IDs, and approver identities at each step.

Minimum Record Set (Per Campaign)

  • Authorization: approvals, roles, segregation evidence, policy references.
  • Artifacts: binaries, manifests, SBOM, hashes, signatures, signer IDs, timestamps.
  • Eligibility: rules used, VIN/ECU targeting snapshots, dependency checks, market constraints.
  • Rollout: cohorts, start/stop times, pause/resume/rollback triggers and decisions.
  • Validation: acceptance criteria, results, dashboards/screenshots with dates.
  • Comms: dealer bulletins, customer notices, authority filings (ids, dates, locales).

Minimum Record Set (Per VIN / ECU)

  • VIN, ECU ID, software item ID, prior version → new version.
  • Eligibility decision (rule version, dependency status) with timestamp.
  • Install outcome (success/fail/partial), error codes, retries, duration.
  • Signature/verification result, anti-rollback counter state.
  • Post-update health snapshot (key DTC summary, self-tests).
  • Rollback/abort flag and linkage to incident ticket if applicable.
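The per-VIN/ECU minimum record set above is most useful when it is enforced as a strict schema at write time rather than checked after the fact. The following is an added example (not code from the page or from any particular OEM system) of such a schema in Python: field names, the schema identifier, the VINs, ECU ids and version strings are all constructed assumptions that mirror the list above, and the checks encode the cross-field rules implied by it (a success must have a verified signature, a fail/partial must carry an error code, the anti-rollback counter never decreases, a rollback must link to an incident ticket).

```python
# Added example, not from the page: a strict versioned schema for the
# per-VIN/ECU update record, enforced on write. Field names, the schema id and
# the sample VINs/versions are constructed assumptions mirroring the list above.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

SCHEMA_VERSION = "vin-ecu-record/1.0"     # assumed schema id; bump on any field change
ALLOWED_OUTCOMES = {"success", "fail", "partial"}
ALLOWED_SIG_RESULTS = {"verified", "rejected"}


class RecordValidationError(ValueError):
    """Raised when a record violates the schema and must not be persisted."""


@dataclass(frozen=True)
class VinUpdateRecord:
    schema_version: str
    vin: str
    ecu_id: str
    software_item_id: str
    prior_version: str
    new_version: str
    eligibility_rule_version: str
    dependency_status: str            # e.g. "satisfied" / "unsatisfied"
    eligibility_ts: str               # ISO 8601 with an explicit UTC offset
    install_outcome: str              # success | fail | partial
    signature_result: str             # verified | rejected
    anti_rollback_before: int
    anti_rollback_after: int
    error_codes: tuple = ()
    retries: int = 0
    duration_s: Optional[float] = None
    health_snapshot: dict = field(default_factory=dict)   # DTC summary, self-tests
    rollback_flag: bool = False
    incident_ticket: Optional[str] = None


def _is_utc_timestamp(ts: str) -> bool:
    """Accept only ISO 8601 strings that carry an explicit zero UTC offset."""
    try:
        dt = datetime.fromisoformat(ts)
    except ValueError:
        return False
    return dt.tzinfo is not None and dt.utcoffset().total_seconds() == 0


def validate_record(rec: VinUpdateRecord) -> list:
    """Return the list of schema violations; an empty list means the record is accepted."""
    problems = []
    if rec.schema_version != SCHEMA_VERSION:
        problems.append(f"unsupported schema_version {rec.schema_version!r}")
    # ISO 3779 VIN: 17 alphanumerics; the letters I, O and Q are never used
    if len(rec.vin) != 17 or not rec.vin.isalnum() or any(c in "IOQ" for c in rec.vin):
        problems.append("vin must be 17 alphanumeric characters without I, O or Q")
    for name in ("ecu_id", "software_item_id", "prior_version",
                 "new_version", "eligibility_rule_version"):
        if not getattr(rec, name):
            problems.append(f"{name} is required")
    if not _is_utc_timestamp(rec.eligibility_ts):
        problems.append("eligibility_ts must be ISO 8601 with a +00:00 offset")
    if rec.install_outcome not in ALLOWED_OUTCOMES:
        problems.append(f"install_outcome {rec.install_outcome!r} not in {sorted(ALLOWED_OUTCOMES)}")
    if rec.signature_result not in ALLOWED_SIG_RESULTS:
        problems.append(f"signature_result {rec.signature_result!r} not in {sorted(ALLOWED_SIG_RESULTS)}")
    if rec.install_outcome == "success" and rec.signature_result != "verified":
        problems.append("a successful install must record a verified signature")
    if rec.install_outcome != "success" and not rec.error_codes:
        problems.append("fail/partial outcomes must carry at least one error code")
    if rec.anti_rollback_after < rec.anti_rollback_before:
        problems.append("anti-rollback counter must never decrease")
    if rec.retries < 0 or (rec.duration_s is not None and rec.duration_s < 0):
        problems.append("retries and duration_s must be non-negative")
    if rec.rollback_flag and not rec.incident_ticket:
        problems.append("rollback/abort requires linkage to an incident ticket")
    return problems


def write_record(store: list, rec: VinUpdateRecord) -> int:
    """Validate on write: refuse to persist a record that violates the schema."""
    problems = validate_record(rec)
    if problems:
        raise RecordValidationError("; ".join(problems))
    store.append(rec)
    return len(store)


# Constructed sample records (VINs, ECU and version strings are made up).
GOOD_RECORD = VinUpdateRecord(
    schema_version=SCHEMA_VERSION, vin="WAUZZZ8K9AA000001", ecu_id="BCM-01",
    software_item_id="SWI-BCM-FW", prior_version="3.1.0", new_version="3.2.0",
    eligibility_rule_version="elig-rules-2024.05", dependency_status="satisfied",
    eligibility_ts="2024-05-02T08:00:00+00:00", install_outcome="success",
    signature_result="verified", anti_rollback_before=7, anti_rollback_after=8,
    duration_s=412.0, health_snapshot={"dtc_count": 0, "self_test": "pass"},
)
BAD_RECORD = VinUpdateRecord(
    schema_version=SCHEMA_VERSION, vin="WAUZZZ8K9AA000002", ecu_id="BCM-01",
    software_item_id="SWI-BCM-FW", prior_version="3.1.0", new_version="3.2.0",
    eligibility_rule_version="elig-rules-2024.05", dependency_status="satisfied",
    eligibility_ts="2024-05-02T08:05:00+00:00", install_outcome="fail",
    signature_result="verified", anti_rollback_before=8, anti_rollback_after=7,
    error_codes=("E-INSTALL-TIMEOUT",), retries=2, rollback_flag=True,
)

if __name__ == "__main__":
    store = []
    print("accepted, store size:", write_record(store, GOOD_RECORD))
    print("rejected:", validate_record(BAD_RECORD))
```

The design point is that `validate_record` returns every violation rather than the first one, so an audit log of rejected writes shows the full picture, while `write_record` is the only path into the store and refuses anything with a non-empty violation list. The schema identifier is part of the record, which is what lets a later schema version coexist with records written under this one.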

Integrity, Authenticity & Non-Repudiation

  • Store hashes of artifacts and signature metadata (algorithm, key ID, time).
  • Protect logs at rest (append-only/WORM or signed logs); keep clock sync evidence.
  • Retain key lifecycle events (rotation, revocation) that affect verification.
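The three bullets above (hash and signature metadata per entry, append-only or signed logs, retained key lifecycle) fit together as a hash-chained log in which each entry records the key id that signed it. The example below is added here and is not code from the page or from any regulator's tooling; it uses HMAC-SHA256 with constructed key ids and secrets purely to keep the example self-contained, where a production system would use asymmetric signatures from an HSM-backed key. It also shows the point made later in the Don't list: once a key is rotated, its retired predecessor must stay in the trust store, or the historical entries it signed can no longer be re-verified. The clock-sync evidence field is a constructed placeholder for whatever the time source reports.

```python
# Added example, not from the page: a hash-chained, HMAC-signed append-only
# update log whose trust store retains retired keys so that historical
# entries can still be re-verified after rotation. Key ids, secrets, events
# and clock evidence are constructed; use HSM-backed signatures in production.
import copy
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64
ENTRY_FIELDS = ("seq", "ts", "clock_evidence", "prev_hash", "key_id", "alg", "event")


def canonical(obj) -> bytes:
    """Deterministic JSON so that hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class TrustStore:
    """Keeps every key id ever used; rotation retires a key but never deletes it."""
    def __init__(self):
        self.keys = {}            # key_id -> {"secret": bytes, "status": str}
        self.active_key_id = None

    def add_key(self, key_id: str, secret: bytes):
        self.keys[key_id] = {"secret": secret, "status": "active"}
        self.active_key_id = key_id

    def rotate(self, new_key_id: str, new_secret: bytes):
        if self.active_key_id is not None:
            self.keys[self.active_key_id]["status"] = "retired"
        self.add_key(new_key_id, new_secret)


class AppendOnlyLog:
    def __init__(self, trust: TrustStore):
        self.trust = trust
        self.entries = []

    def append(self, ts: str, event: dict, clock_evidence: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "ts": ts, "clock_evidence": clock_evidence,
                "prev_hash": prev, "key_id": self.trust.active_key_id,
                "alg": "HMAC-SHA256", "event": event}
        entry_hash = hashlib.sha256(canonical(body)).hexdigest()
        secret = self.trust.keys[body["key_id"]]["secret"]
        sig = hmac.new(secret, entry_hash.encode(), hashlib.sha256).hexdigest()
        entry = dict(body, entry_hash=entry_hash, sig=sig)
        self.entries.append(entry)
        return entry


def verify_log(entries: list, trust: TrustStore) -> tuple:
    """Replay the chain and return (ok, index, reason); each entry is checked
    under the key id that was recorded at write time, not the active key."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return (False, i, "sequence gap")
        if e["prev_hash"] != prev:
            return (False, i, "chain broken")
        h = hashlib.sha256(canonical({k: e[k] for k in ENTRY_FIELDS})).hexdigest()
        if h != e["entry_hash"]:
            return (False, i, "content modified")
        key = trust.keys.get(e["key_id"])
        if key is None:
            return (False, i, f"trust anchor {e['key_id']} missing")
        expected = hmac.new(key["secret"], h.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["sig"]):
            return (False, i, "bad signature")
        prev = h
    return (True, len(entries), "ok")


def build_demo_log():
    """Constructed scenario: two entries under key 1, a rotation, one entry under key 2."""
    trust = TrustStore()
    trust.add_key("log-key-2024-01", b"constructed-secret-1")
    log = AppendOnlyLog(trust)
    clock = {"source": "ntp", "offset_ms": 3}   # constructed clock-sync evidence
    log.append("2024-05-02T08:00:00+00:00",
               {"type": "install", "vin": "WAUZZZ8K9AA000001", "outcome": "success"}, clock)
    log.append("2024-05-02T08:05:00+00:00",
               {"type": "install", "vin": "WAUZZZ8K9AA000002", "outcome": "fail"}, clock)
    trust.rotate("log-key-2024-05", b"constructed-secret-2")
    log.append("2024-05-09T09:00:00+00:00",
               {"type": "rollback", "vin": "WAUZZZ8K9AA000002", "ticket": "INC-CONSTRUCTED-3"}, clock)
    return log, trust


def demo():
    log, trust = build_demo_log()
    intact = verify_log(log.entries, trust)
    tampered = copy.deepcopy(log.entries)
    tampered[1]["event"]["outcome"] = "success"             # an after-the-fact edit
    modified = verify_log(tampered, trust)
    lossy = TrustStore()                                    # retired key was dropped
    lossy.add_key("log-key-2024-05", b"constructed-secret-2")
    missing = verify_log(log.entries, lossy)
    return intact, modified, missing


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `demo()` shows the three outcomes an auditor cares about: the untouched log replays cleanly across the rotation, an edited entry is caught by its recomputed hash before the signature is even checked, and a trust store that forgot the retired key cannot vouch for the entries written before the rotation.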

Retention & Access Control

  • Define retention per market (vehicle lifetime + legal buffer); document purging rules.
  • Restrict access on a least-privilege basis; audit all access and exports.
  • Encrypt sensitive fields (e.g., device credentials) and separate PII from technical logs when possible.

Privacy & Data Minimization

  • Log only what is necessary to prove conformance and support investigations.
  • Maintain a data inventory and DPIA/records of processing where required.
  • Expose self-service export/delete pathways where mandated by local law.

Tooling & Process Controls

  • Evidence Index: single, navigable index of all artifacts with stable IDs and owners.
  • Versioned schemas: strict schemas for campaign/VIN records; validate on write.
  • Automation: auto-attach signatures, hashes, and tool versions from CI/CD.
  • Backups: immutable, geo-redundant backups; periodic restoration drills.

Reporting & Dashboards

  • Per-campaign KPIs: success rate, retry/abort rate, install duration, post-update incident rate.
  • Compliance widgets: % VINs updated, lagging cohorts, unresolved failures, rollback count.
  • Export packs: time-stamped snapshots for authorities (PDF/CSV with manifest and hashes).

Practical Do / Don’t

Do

  • Use immutable IDs for artifacts and link them everywhere.
  • Capture signer identity and tool versions at packaging time.
  • Snapshot eligibility rules used for each VIN decision.
  • Auto-attach health/DTC summaries to the per-VIN record.
  • Time-box exports for audits with a signed manifest of files and hashes.
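The per-campaign KPIs and compliance widgets in the Reporting section, and the time-boxed, signed export pack in the Do list, can be produced from the same per-VIN outcome records. The following is an added example, not code from the page or from any vendor product: it selects outcomes inside a time window, writes them as CSV alongside a KPI summary, and seals both under a manifest of SHA-256 hashes signed with a keyed MAC. The outcome records, cohort names, incident ids, key id and the lagging-cohort threshold are constructed assumptions; a real export would sign the manifest with an asymmetric key and use the OEM's own record fields.

```python
# Added example, not from the page: a time-boxed export pack with a signed
# manifest of file hashes. Records, key id and thresholds are constructed.
import csv
import hashlib
import hmac
import json
import tempfile
from datetime import datetime
from pathlib import Path

EXPORT_KEY_ID = "export-key-2024-05"              # constructed key id
EXPORT_KEY = b"constructed-export-secret"         # constructed secret
LAGGING_THRESHOLD = 0.9                           # assumed cohort success-rate floor

# Constructed per-VIN outcomes; fields mirror the per-VIN minimum record set.
OUTCOMES = [
    {"vin": "WAUZZZ8K9AA000001", "cohort": "pilot", "ts": "2024-05-02T08:00:00+00:00",
     "outcome": "success", "retries": 0, "duration_s": 400, "rollback": False, "incident": ""},
    {"vin": "WAUZZZ8K9AA000002", "cohort": "pilot", "ts": "2024-05-02T09:30:00+00:00",
     "outcome": "success", "retries": 1, "duration_s": 520, "rollback": False, "incident": ""},
    {"vin": "WAUZZZ8K9AA000003", "cohort": "wave1", "ts": "2024-05-03T10:00:00+00:00",
     "outcome": "fail", "retries": 3, "duration_s": 900, "rollback": True, "incident": "INC-3"},
    {"vin": "WAUZZZ8K9AA000004", "cohort": "wave1", "ts": "2024-05-03T11:00:00+00:00",
     "outcome": "success", "retries": 0, "duration_s": 430, "rollback": False, "incident": ""},
    {"vin": "WAUZZZ8K9AA000005", "cohort": "wave1", "ts": "2024-05-04T12:00:00+00:00",
     "outcome": "partial", "retries": 2, "duration_s": 610, "rollback": False, "incident": "INC-7"},
    {"vin": "WAUZZZ8K9AA000006", "cohort": "wave1", "ts": "2024-05-06T08:00:00+00:00",
     "outcome": "success", "retries": 0, "duration_s": 415, "rollback": False, "incident": ""},
]


def select_window(records, start, end):
    """Keep records with start <= ts < end (ISO 8601 strings with offsets)."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [r for r in records if s <= datetime.fromisoformat(r["ts"]) < e]


def campaign_kpis(records):
    """Per-campaign KPIs and compliance widgets over one window of outcomes."""
    n = len(records)
    ok = [r for r in records if r["outcome"] == "success"]
    cohorts = {}
    for r in records:
        cohorts.setdefault(r["cohort"], []).append(r["outcome"] == "success")
    return {
        "vins_total": n,
        "success_rate": round(len(ok) / n, 3),
        "retry_rate": round(sum(r["retries"] > 0 for r in records) / n, 3),
        "fail_or_partial_rate": round((n - len(ok)) / n, 3),
        "mean_install_s": round(sum(r["duration_s"] for r in records) / n, 1),
        "rollback_count": sum(r["rollback"] for r in records),
        "post_update_incident_rate": round(sum(bool(r["incident"]) for r in records) / n, 3),
        "lagging_cohorts": sorted(c for c, v in cohorts.items()
                                  if sum(v) / len(v) < LAGGING_THRESHOLD),
    }


def _canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_export_pack(out_dir, records, start, end, created_at):
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    window = select_window(records, start, end)
    csv_path, kpi_path = out / "per_vin_outcomes.csv", out / "campaign_kpis.json"
    with csv_path.open("w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=list(window[0]))
        writer.writeheader()
        writer.writerows(window)
    kpi_path.write_text(json.dumps(campaign_kpis(window), indent=2, sort_keys=True))
    manifest = {"created_at": created_at, "window": {"start": start, "end": end},
                "record_count": len(window), "hash_alg": "sha256", "key_id": EXPORT_KEY_ID,
                "files": {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
                          for p in (csv_path, kpi_path)}}
    # The signature covers every manifest field except the signature itself.
    manifest["signature"] = hmac.new(EXPORT_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_export_pack(pack_dir, keys):
    """Check the manifest signature under its key id, then every listed file hash."""
    out = Path(pack_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    sig = manifest.pop("signature")
    secret = keys.get(manifest["key_id"])
    if secret is None:
        return (False, "unknown key id")
    if not hmac.compare_digest(hmac.new(secret, _canonical(manifest), hashlib.sha256).hexdigest(), sig):
        return (False, "manifest signature invalid")
    for name, digest in manifest["files"].items():
        p = out / name
        if not p.exists() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            return (False, f"{name} missing or hash mismatch")
    return (True, "ok")


def demo():
    pack = Path(tempfile.mkdtemp())
    manifest = build_export_pack(pack, OUTCOMES, "2024-05-01T00:00:00+00:00",
                                 "2024-05-05T00:00:00+00:00", "2024-05-10T12:00:00+00:00")
    keys = {EXPORT_KEY_ID: EXPORT_KEY}
    sealed = verify_export_pack(pack, keys)
    with (pack / "per_vin_outcomes.csv").open("a") as f:
        f.write("WAUZZZ8K9AA000099,wave1,2024-05-04T13:00:00+00:00,success,0,1,False,\n")
    edited = verify_export_pack(pack, keys)      # a post-export edit breaks the seal
    return manifest, sealed, edited
```

The window is half-open (`start <= ts < end`), so consecutive export packs can cover adjoining periods without double-counting a record that falls exactly on the boundary. The manifest records the window, the creation time, the hash algorithm and the key id, which is what lets a recipient re-verify the pack years later against the retained trust anchor rather than against whatever key is active at that time.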

Don’t

  • Rely on mutable spreadsheets as the system of record.
  • Store excessive PII in telemetry when technical IDs suffice.
  • Mix dev/test artifacts with production records.
  • Let key rotations break replay of historical verifications—retain old trust anchors.

Typical Outputs / Evidence

  • Evidence Index (IDs, owners, versions, applicability) and schema definitions.
  • Campaign archives (artifacts, manifests, hashes, signatures, approvals).
  • Eligibility snapshots and per-VIN/ECU outcomes with validation results.
  • Immutable logs/WORM snapshots; key lifecycle and clock-sync records.
  • Privacy/retention policy, access control audit logs, and export packs for authorities.

Disclaimer: This page summarizes records and traceability expectations under UNECE R156. For authoritative requirements, consult the regulation text and your approval authority’s guidance.