Scope of UNECE R156

UNECE Regulation No. 156 (R156) applies to manufacturers seeking type approval for road vehicles that include software capable of being updated after production. It defines the requirements for establishing and maintaining a Software Update Management System (SUMS) and for ensuring that each software update campaign is secure, traceable, and properly authorized.

1. Vehicle Categories Covered

  • Applies to categories M, N, and O under the 1958 Agreement (passenger, goods, and trailer vehicles).
  • Applies to vehicles where software or firmware updates can alter functionality, calibration, or cybersecurity posture.
  • Includes ECUs, gateways, communication modules, and safety-critical controllers capable of receiving updates directly or indirectly.
  • Does not apply to purely mechanical or fixed-function components that cannot be updated in service.

2. Software in Scope

  • Vehicle software: embedded ECU firmware, middleware, and configuration data affecting operation or safety.
  • Support software: update agents, diagnostic applications, back-end update servers, and tools that influence update behavior.
  • Data packages: configuration and calibration data distributed through the update pipeline.

3. Lifecycle Coverage

R156 requires SUMS coverage across the entire lifecycle, from software creation through distribution, installation, verification, and monitoring. Activities must remain under controlled processes and be backed by documented evidence.

  • Software development and packaging (alignment with ISO 24089).
  • Approval of update campaigns (planning and risk review).
  • Secure delivery, installation, and post-update validation.
  • Operational monitoring, issue handling, and rollback management.
  • Feedback of lessons learned into process improvement.

4. Organizational Obligations

  • Maintain an approved Software Update Management System demonstrating competence, governance, and continuous improvement.
  • Ensure traceability between software versions, vehicles, VINs, and update campaigns.
  • Keep records of all updates, validations, and communications for the lifetime of the vehicle.
  • Provide evidence that updates do not negatively affect compliance with R155 (cybersecurity) or safety regulations.

5. Exclusions and Boundaries

  • Manufacturers must define clear boundaries for in-scope software and out-of-scope legacy elements.
  • Supplier-owned or third-party software is within scope if it is installed, distributed, or updated under the OEM’s control.
  • Updates related solely to non-regulated infotainment features may be excluded, but documentation must justify the decision.

6. Relationship to Other Regulations

  • R155: Ensures that cybersecurity risks of updates are managed under the CSMS; R156 provides the operational means to deploy fixes securely.
  • R10: Electromagnetic compatibility must remain unaffected by software changes.
  • National variants: Local authorities may extend scope (e.g., over-the-air privacy rules, data retention).

Disclaimer: This section summarizes the scope of UNECE R156 for educational purposes. For official definitions and applicability, refer to the regulation text and your national type-approval authority.