Overview of ISO 24089: Software Update Processes in Vehicles
This overview delves into the ISO 24089 standard, focusing on the engineering processes related to software updates in vehicles. It covers the background, scope, coverage, and key terminology, highlighting the importance of safe and secure software updates in modern vehicles.
Presentation Transcript
ISO 24089: An overview
Nick Russell (BlackBerry), Suzanne Lightman (NIST)
UNECE WP.29 GRVA CS/OTA IWG #26, 2023-06-09

Background
- Work started in 2019 in response to the split of CS and OTA into (what would eventually become) UN R155 and UN R156
- Some initial content was taken from an early draft of ISO/SAE 21434
- Standard finally published in February 2023
- National involvement: AT, CA, CN, DE, FR, GB, IT, JP, KR, SE, US, plus others
- Industry involvement: OEMs, Tier 1 vendors, Tier 2 vendors
- Just as ISO/SAE 21434 provides the "how" for UN R155, ISO 24089 provides the "how" for UN R156
- Due care and attention was taken during development of ISO 24089 to ensure alignment with, and as much coverage as possible of, the UN R156 requirements
What's covered?
- Functionality in both the vehicle and the infrastructure that relates to software updates
  - Including tools used to deliver updates, e.g. handheld devices
- All series-production road vehicles that have updateable software
  - Regardless of whether the vehicle is electric, connected, autonomous, etc.
- All software update delivery methods and application types
  - Wired and wireless (OTA) software updates: technology neutral!
  - Hardware updates, i.e. swapping out of components
  - Application of updates performed automatically by the vehicle itself and those requiring a skilled person

Scope
- Focus on engineering processes
- Goal-oriented approach: no detailed technical requirements or prescribed solutions
In scope:
- Terminology
- Process requirements for software updates
  - Risk analysis
  - Construct software update environment
  - Conduct software update campaign
- Work products to achieve safe and secure software updates
- Guidance on clarification of responsibility for activities
Out of scope:
- Indicators in the instrument panel
- Data format for the software update package
- Communication protocols within the vehicle and between the vehicle and off-board systems
- The software itself to be delivered
- Detailed specification, architecture or implementation of the software update system/infrastructure
- Detailed specification or implementation of tools used at the dealer/workshop to update ECU software
- Numerical criteria for performance of software updates
Some important terms
- Infrastructure: processes and information systems managing any combination of software update operations, software update campaigns, documentation, and vehicle configuration information, including both digital and manual activities
  - Note 1 to entry: infrastructure can include any combination of servers, tools, and manual activities used in the software update operation
- Software update package: set of software and associated metadata that is intended to be deployed to one or more vehicles, vehicle systems, or electronic control units (ECUs)
  - Equivalent to "Software update" in UN R156
- Vehicle configuration information: comprehensive accounting of hardware versions, software versions and configuration parameters in a vehicle
- Software update campaign: sequence of identifying targets and resolving recipients; distributing software update packages; and monitoring and documenting results of software update operations
- Recipient: individual instance of a vehicle, vehicle system, or electronic control unit (ECU) that receives a software update package during a software update campaign
- Target: one or more classes of vehicles, vehicle systems, or electronic control units (ECUs) determined by vehicle configuration information
  - Recipient and target are similar to "Vehicle type" in UN R156 (context dependent)
- Receipt: step in the software update operation when a tool, vehicle, vehicle system, or electronic control unit (ECU) receives a software update package
- Installation: step in the software update operation when the relevant parts of a software update package are written to a vehicle, vehicle system, or electronic control unit (ECU) but are not yet activated
- Activation: step in the software update operation when the relevant parts of an installed software update package become executable on a vehicle, vehicle system, or electronic control unit (ECU)
  - Installation and activation together are covered by "Execution" in UN R156
- Very precise and specific terms are used throughout the standard!
- See the back-up slides for a rough mapping of UN R156 terms to ISO 24089 terms
Content structure
- Organizational processes
- Software update project processes
- Infrastructure functions
- Vehicle and vehicle system functions
- Software update package assembly
- Software update campaign
  - Preparation
  - Execution
Similar structure to ISO/SAE 21434. Normative references to:
- ISO/SAE 21434 for cybersecurity
- ISO 26262 (parts 6 and 8) for functional safety
The combination of the above ensures all code and hardware is developed with proper attention to safety and security.

Content overview: Organizational processes
- Standard requirements for organizational processes, but specialised for software update engineering
- Processes and rules
  - To conform with this standard and its normative references
  - Continuous improvement
  - Information sharing
- Supporting processes
  - Document management
  - Configuration management
  - Requirements management
  - Quality management
  - Auditing

Content overview: SW update project processes
- Software update project (first of the terminology)
  - Defined by targets and can cover multiple updates
  - Requires a plan, documentation, and assignment of roles and responsibilities
- Tailoring, typically needed in the following cases:
  - Organizations that create updates but do not distribute them to vehicles
  - Organizations that have a different relationship to vehicles, e.g. vehicle bodybuilders
- Interoperability
- Integrity

Content overview: Infrastructure & vehicle/vehicle system functions
- Covers functions that must exist to conform with the requirements of the standard and to be able to do software update engineering
- Both in the organization's infrastructure and in the vehicle
  - Note: only infrastructure that supports software update activities
  - Tools are considered part of the infrastructure
- Solution neutral: many requirements include a note that the function can be either on the vehicle, in the infrastructure, or both
- Functions include:
  - Management of vehicle configuration information
  - Identification of dependencies and compatibility
  - Communication of software update campaigns
  - Resolving targets into recipients
  - Ensuring integrity of software update packages and their contents
  - Processing software update packages
  - Support for software update distribution methods
  - Ensuring a safe vehicle state

Content overview: SW update package assembly
- Creation of software update packages
  - Contains code and associated metadata
- Software update packages determine many parts of the software update campaign
  - Targets
  - Compatibility, dependencies, constraints and conditions
  - Necessary actions, e.g. by the vehicle user or a skilled person
- Packages must be verified and validated before being approved for release

Content overview: SW update campaigns
- Three phases: preparation, execution, completion
- Must have a plan
- Resolve targets into recipients
- Communication with interested parties, e.g. the vehicle user
- Results
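To make the terminology on the preceding slides concrete (vehicle configuration information, target versus recipient, package assembly with compatibility and dependency metadata, integrity of the package, and the receipt / installation / activation steps of a campaign), here is an added illustrative model. It is not code from the presentation or from ISO 24089, which is solution neutral and puts package formats and protocols out of scope; the field names, the use of a SHA-256 digest as integrity validation data, and the sample fleet are all assumptions made for this example.

```python
"""Toy model of an ISO 24089-style software update campaign (illustrative only).
ISO 24089 prescribes no package format or protocol; the field names, the
SHA-256 integrity scheme and the sample fleet below are assumptions."""
import hashlib
from dataclasses import dataclass, replace
from enum import Enum


@dataclass(frozen=True)
class VehicleConfigurationInformation:
    """Accounting of hardware and software versions for one ECU in one vehicle."""
    vin: str
    ecu: str
    hardware_version: str
    software_version: str


@dataclass(frozen=True)
class SoftwareUpdatePackage:
    """Software plus metadata: target class, constraints, dependencies, integrity data."""
    target_ecu: str                 # target: a class of ECUs, not an individual instance
    compatible_hardware: frozenset  # constraint: hardware versions the code runs on
    requires_software: frozenset    # dependency: versions the update may be applied over
    new_software_version: str
    payload: bytes
    integrity_validation_data: str  # hex SHA-256 of payload (assumed scheme)


def assemble_package(target_ecu, compatible_hardware, requires_software,
                     new_software_version, payload):
    """Package assembly: bind metadata and integrity data to the code."""
    digest = hashlib.sha256(payload).hexdigest()
    return SoftwareUpdatePackage(target_ecu, frozenset(compatible_hardware),
                                 frozenset(requires_software),
                                 new_software_version, payload, digest)


def integrity_ok(pkg):
    """Recompute the digest on receipt so a modified payload is detected."""
    return hashlib.sha256(pkg.payload).hexdigest() == pkg.integrity_validation_data


def resolve_recipients(pkg, fleet):
    """Resolve the package's target (a class) into recipients (individual ECUs)."""
    return [v for v in fleet
            if v.ecu == pkg.target_ecu
            and v.hardware_version in pkg.compatible_hardware
            and v.software_version in pkg.requires_software]


class Step(Enum):
    PENDING = "pending"
    REJECTED = "rejected"
    RECEIVED = "received"
    INSTALLED = "installed"
    ACTIVATED = "activated"


class SoftwareUpdateOperation:
    """Receipt -> installation -> activation on one recipient."""

    def __init__(self, recipient):
        self.recipient = recipient
        self.package = None
        self.step = Step.PENDING

    def receive(self, pkg):
        """Receipt: accept the package only if its integrity data checks out."""
        if not integrity_ok(pkg):
            self.step = Step.REJECTED
            return False
        self.package = pkg
        self.step = Step.RECEIVED
        return True

    def install(self):
        """Installation: the software is written, but not yet executable."""
        if self.step is not Step.RECEIVED:
            return False
        self.step = Step.INSTALLED
        return True

    def activate(self, vehicle_in_safe_state):
        """Activation: switch to the new software, only from a safe vehicle state."""
        if self.step is not Step.INSTALLED or not vehicle_in_safe_state:
            return False
        self.recipient = replace(self.recipient,
                                 software_version=self.package.new_software_version)
        self.step = Step.ACTIVATED
        return True


def run_campaign(pkg, fleet, safe_state):
    """Campaign: resolve recipients, run one operation each, document the results."""
    results = {}
    for recipient in resolve_recipients(pkg, fleet):
        op = SoftwareUpdateOperation(recipient)
        if op.receive(pkg):
            op.install()
            op.activate(safe_state.get(recipient.vin, False))
        results[recipient.vin] = op.step.value
    return results


# Constructed sample data (not from any real fleet or package).
FLEET = [
    VehicleConfigurationInformation("VIN-001", "BCM", "HW-A", "1.0"),
    VehicleConfigurationInformation("VIN-002", "BCM", "HW-B", "1.0"),   # incompatible hardware
    VehicleConfigurationInformation("VIN-003", "BCM", "HW-A", "0.9"),   # dependency not met
    VehicleConfigurationInformation("VIN-004", "ADAS", "HW-A", "1.0"),  # different target class
    VehicleConfigurationInformation("VIN-005", "BCM", "HW-A", "1.0"),
]
SAFE_STATE = {"VIN-001": True, "VIN-005": False}  # VIN-005 is being driven: no activation
PACKAGE = assemble_package("BCM", {"HW-A"}, {"1.0"}, "1.1", b"bcm firmware 1.1")
# Same metadata and integrity data, but the payload was altered in transit.
TAMPERED = replace(PACKAGE, payload=b"bcm firmware 1.1 (modified)")

if __name__ == "__main__":
    print(run_campaign(PACKAGE, FLEET, SAFE_STATE))
    print(run_campaign(TAMPERED, FLEET, SAFE_STATE))
```

Running the module shows VIN-001 reaching "activated", VIN-005 stopping at "installed" because it is not in a safe vehicle state, the other three vehicles never becoming recipients, and the tampered package being rejected at receipt on every recipient. A plain digest only detects modification; in a real design the package would additionally carry a signature verified against a key the ECU trusts, which is where the normative reference to ISO/SAE 21434 comes in.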
Conclusion
- ISO 24089 was developed by the automotive industry
- Provides state-of-the-art best practice for managing wired and OTA software updates to series-production road vehicles
- Due diligence was applied to ensure alignment with the requirements of UN R156
- Also complements the 1998 CP's recommendations on CS and OTA
- The citation of ISO 24089 in the interpretation document to UN R156 provides useful industry alignment between international regulation and international standard
  - Eases conformance and compliance for the automotive industry
  - Assists assessments/audits by Technical Services/National Approval Authorities, providing a smoother ride to Type Approval
Back-up slides Further information
Mapping of terms between UN R156 and ISO 24089

| UN R156 definition | Match type | Associated ISO 24089:2023 definition(s) |
|---|---|---|
| 2.1. "Vehicle type" means vehicles which do not differ in at least the following: (a) the manufacturer's designation of the vehicle type; (b) essential aspects of the design of the vehicle type with respect to software update processes. | Loose | Depending on context, can be either of: 3.1.12 recipient; 3.1.22 target |
| 2.2. "RX Software Identification Number (RXSWIN)" means a dedicated identifier, defined by the vehicle manufacturer, representing information about the type approval relevant software of the Electronic Control System contributing to the Regulation No. X type approval relevant characteristics of the vehicle. | None | - |
| 2.3. "Software update" means a package used to upgrade software to a new version including a change of the configuration parameters. | Close | 3.1.20 software update package |
| 2.4. "Execution" means the process of installing and activating an update that has been downloaded. | Compound | Covered under the combination of 3.2.2 installation and 3.2.3 activation |
| 2.5. "Software Update Management System (SUMS)" means a systematic approach defining organizational processes and procedures to comply with the requirements for delivery of software updates according to this Regulation. | Loose | 3.1.18 software update engineering |
| 2.6. "Vehicle user" means a person operating or driving the vehicle, a vehicle owner, an authorised representative or employee of a fleet manager, an authorised representative or employee of the vehicle manufacturer, or an authorized technician. | Close | 3.1.26 vehicle user |
| 2.7. "Safe state" means an operating mode in case of a failure of an item without an unreasonable level of risk. | Close | 3.1.13 safe vehicle state |
| 2.8. "Software" means the part of an Electronic Control System that consists of digital data and instruction. | Close | 3.1.15 software |
| 2.9. "Over-the-Air (OTA) update" means any method of making data transfers wirelessly instead of using a cable or other local connection. | Loose | Covered under 3.1.17 software update distribution method |
| 2.10. "System" means a set of components and/or sub-systems that implement a function or functions. | Loose | 3.1.25 vehicle system |
| 2.11. "Integrity validation data" means a representation of digital data, against which comparisons can be made to detect errors or changes in the data. This may include checksums and hash values. | None | - |