ISO 24089:2023
Road vehicles — Software update engineering
This document specifies requirements and recommendations for software update engineering for road vehicles on both the organizational and the project level. This document is applicable to road vehicles whose software can be updated. The requirements and recommendations in this document apply to vehicles, vehicle systems, ECUs, infrastructure, and the assembly and deployment of software update packages after the initial development. This document is applicable to organizations involved in software update engineering for road vehicles. Such organizations can include vehicle manufacturers, suppliers, and their subsidiaries or partners. This document establishes a common understanding for communicating and managing activities and responsibilities among organizations and related parties. The development of software for vehicle functions, except for software update engineering, is outside the scope of this document. Finally, this document does not prescribe specific technologies or solutions for software update engineering.
Véhicules routiers — Ingénierie de mise à jour du logiciel
Standards Content (Sample)
© ISO 2022 – All rights reserved
2022-09-06
ISO/FDIS 24089:2022(E)
2022-10-12
ISO TC 22/SC 32/WG 12
Secretariat: JISC
Road vehicles – Software update engineering
DIS stage
Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of
this publication may be reproduced or utilized otherwise in any form or by any means, electronic or
mechanical, including photocopying, or posting on the internet or an intranet, without prior written
permission. Permission can be requested from either ISO at the address below or ISO’s member body in the
country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword iv
Introduction v
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
3.1 General terminology 1
3.2 Terms related to the software update operation 5
4 Organizational level requirements 5
4.1 Objectives 5
4.2 General 6
4.3 Requirements and recommendations 6
4.4 Work products 9
5 Project level requirements 9
5.1 Objectives 9
5.2 General 9
5.3 Requirements and recommendations 9
5.4 Work products 11
6 Infrastructure level requirements 11
6.1 Objectives 11
6.2 General 11
6.3 Requirements and recommendations 11
6.4 Work products 13
7 Vehicle and vehicle systems level requirements 13
7.1 Objectives 13
7.2 General 14
7.3 Requirements and recommendations 14
7.4 Work products 17
8 Software update package requirements 17
8.1 Objectives 17
8.2 General 17
8.3 Requirements and recommendations 18
8.4 Work products 20
9 Software update campaign requirements 20
9.1 Objectives 20
9.2 General 20
9.3 Requirements and recommendations 20
9.4 Work products 25
Bibliography 26
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of
ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights
identified during the development of the document will be in the Introduction and/or on the ISO list of patent
declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road Vehicles, Subcommittee SC 32,
Electrical and electronic components and general system aspects.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Electronic control units and software of increasing complexity have become essential to the operation of road
vehicles in recent years. This software is often updated to increase functionality and maintain the safety and
cybersecurity of road vehicles.
Today, in-vehicle software is updated in a workshop by skilled persons or automatically over-the-air by the
vehicle user. With the increased frequency of software update campaigns, it is important to have individual
vehicle configuration information. Therefore, the establishment and application of software update
engineering is important to ensure software quality, cybersecurity, and safety.
Software update engineering activities occur throughout the life cycle of vehicles.
This document provides vocabulary, objectives, requirements, and guidelines related to software update
engineering as a foundation for common understanding throughout the supply chain. By applying
requirements and recommendations in this document, the following benefits can be achieved for software
update engineering:
— safety and cybersecurity are addressed in software update operations in road vehicles;
— establishment of processes, including goal setting, planning, auditing, process monitoring, process measurement, and process improvement;
— shared awareness of safety and cybersecurity among related parties.
Figure 1 shows the overview of this document.
Figure 1 — Overview of this document (figure not reproduced in this extract; it shows organizational processes, software update project processes, vehicle and vehicle system functions, infrastructure functions, software update package assembly, and the software update campaign with its preparation and execution phases)
In this document, clauses are structured using the following approach:
— each process is defined and implemented before it is executed;
— each process is established, documented, and maintained.
This document describes the following activities:
— implementation of organizational level processes for software update engineering;
— implementation of software update project level processes for each software update project;
— definitions of functions for the vehicle and infrastructure to support the activities and processes of this document;
— assembly of software update packages using functions in the infrastructure;
— preparation and execution of software update campaigns using functions in the vehicle and infrastructure.
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 24089:2022(E)
Road vehicles – Software update engineering
1 Scope
This document specifies requirements and recommendations for software update engineering for road
vehicles on both the organizational and the project level.
This document is applicable to road vehicles whose software can be updated.
The requirements and recommendations in this document apply to vehicles, vehicle systems, ECUs,
infrastructure, and the assembly and deployment of software update packages after the initial development.
This document is applicable to organizations involved in software update engineering for road vehicles. Such
organizations can include vehicle manufacturers, suppliers, and their subsidiaries or partners.
This document establishes a common understanding for communicating and managing activities and
responsibilities among organizations and related parties.
The development of software for vehicle functions, except for software update engineering, is outside the
scope of this document.
Finally, this document does not prescribe specific technologies or solutions for software update engineering.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 26262-6, Road vehicles — Functional safety — Part 6: Product development at the software level
ISO 26262-8, Road vehicles — Functional safety — Part 8: Supporting processes
ISO/SAE 21434, Road vehicles — Cybersecurity engineering
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 General terminology
3.1.1
compatibility
capability of software (3.1.15) to be executable on vehicle systems (3.1.25) without conflicts
Note 1 to entry: Compatibility can be checked by vehicle configuration information (3.1.24).
3.1.2
condition
criteria required for a software update operation (3.1.19) to be completed successfully
Note 1 to entry: Conditions can include compatibility (3.1.1), safe vehicle state (3.1.13), in-vehicle resources (3.1.11), and
external resources.
EXAMPLE The presence of a skilled person (3.1.14) during a software update operation (3.1.19).
3.1.3
corrective action
action to eliminate or contain a problem or failure
3.1.4
cybersecurity
road vehicle cybersecurity
context in which assets are sufficiently protected against threat scenarios to vehicle systems (3.1.25) of road
vehicles and infrastructure (3.1.10) required to support software update engineering (3.1.18)
Note 1 to entry: In this document, for the sake of brevity, the term cybersecurity is used instead of road vehicle
cybersecurity.
[SOURCE: ISO/SAE 21434:2021, 3.1.9, modified — “to items of road vehicles, their functions and their electrical or electronic components” has been replaced by “to vehicle systems of road vehicles and infrastructure required to support software update engineering” and the Note 1 to entry has been modified.]
3.1.5
cybersecurity risk
effect of uncertainty on cybersecurity (3.1.4) expressed in terms of attack feasibility and impact
[SOURCE: ISO/SAE 21434:2021, 3.1.29]
3.1.6
dependency
effect of software (3.1.15) for one vehicle system (3.1.25) on the same or other vehicle systems (3.1.25)
Note 1 to entry: A dependency can generate a condition (3.1.2) in the metadata of a software update package (3.1.20).
EXAMPLE A communication interface between two electronic control units (ECUs) (3.1.7).
3.1.7
ECU
electronic control unit
embedded device in a vehicle whose software (3.1.15) can be updated
3.1.8
functional safety
absence of unreasonable risk due to hazards caused by malfunctioning behaviour of vehicle systems (3.1.25)
[SOURCE: ISO 26262-1:2018, 3.67, modified — “E/E” was replaced by “vehicle”.]
3.1.9
functional safety risk
combination of the probability of occurrence of harm and the severity of that harm
[SOURCE: ISO 26262-1:2018, 3.128, modified — The term has been modified from “risk” to “functional safety risk” for the scope of this document.]
3.1.10
infrastructure
processes and information systems managing any combination of software update operations (3.1.19),
software update campaigns (3.1.16), documentation, and vehicle configuration information (3.1.24), including
both digital and manual activities
Note 1 to entry: Infrastructure can include any combination of servers, tools, and manual activities used in the software
update operation (3.1.19).
3.1.11
in-vehicle resource
vehicle or electronic control unit (ECU) (3.1.7) available properties relevant for software update engineering (3.1.18)
EXAMPLE Available or remaining computational power, network capacity, RAM capacity, storage capacity, or battery
capacity.
3.1.12
recipient
individual instance of a vehicle, vehicle system (3.1.25), or electronic control unit (ECU) (3.1.7) that receives
a software update package (3.1.20) during a software update campaign (3.1.16)
3.1.13
safe vehicle state
vehicle operating mode based on conditions (3.1.2) for performing software update operations (3.1.19) without
an unreasonable level of risk
Note 1 to entry: Safe vehicle state can be different depending on the conditions (3.1.2) required for the software update
package (3.1.20).
Note 2 to entry: Safe vehicle state can vary based on the software update operation (3.1.19) step being performed.
EXAMPLE The motor is off, the parking brake is applied.
3.1.14
skilled person
individual with relevant technical education, training or experience to execute software update operations
(3.1.19)
Note 1 to entry: A skilled person can be a mechanic in a workshop.
Note 2 to entry: A skilled person can be authorized or certified for their specialized training or be a skilled
vehicle user (3.1.26).
[SOURCE: ISO 10209:2022, 3.14.36, modified — The phrase “to enable them to perceive risks and avoid hazards occurring during use of a product” has been replaced by “to execute software update operations”.]
3.1.15
software
computer programs and associated data intended for installation (3.2.2) on vehicles, vehicle systems (3.1.25),
or electronic control units (ECUs) (3.1.7), that may be dynamically written or modified during execution
[SOURCE: NIST SP 800-53, modified — The phrase “intended for installation on vehicles, vehicle systems, or electronic control units (ECUs)” was added.]
3.1.16
software update campaign
sequence of identifying targets (3.1.23) and resolving recipients (3.1.12); distributing software update
packages (3.1.20); and monitoring and documenting results of software update operations (3.1.19)
3.1.17
software update distribution method
mechanism for delivery of a software update package (3.1.20) during a software update campaign (3.1.16)
Note 1 to entry: The software update distribution method can be wired (e.g. tool, USB flash drive), wireless (e.g. cellular
or Wi-Fi) or hardware replacement.
Note 2 to entry: Hardware replacement can be replacing an electronic control unit (ECU) (3.1.7) with the effect of
software (3.1.15) version replacement.
3.1.18
software update engineering
application of a systematic and managed approach to the processes of planning, development, and
deployment of software update packages (3.1.20)
[SOURCE: ISO/IEC/IEEE 24765:2017, 3.3810, modified — “disciplined, quantifiable” was replaced by “and managed”, and “development, operation and maintenance of software” was replaced by “processes of development, planning, and deployment of software update packages”.]
3.1.19
software update operation
steps involved in receipt (3.2.1), installation (3.2.2) and activation (3.2.3) of software update packages
(3.1.20) in a vehicle, vehicle systems (3.1.25), or electronic control units (ECUs) (3.1.7)
3.1.20
software update package
set of software (3.1.15) and associated metadata that is intended to be deployed to one or more vehicles,
vehicle systems (3.1.25), or electronic control units (ECUs) (3.1.7)
3.1.21
software update project
set of software update engineering (3.1.18) activities for one or more targets (3.1.23)
Note 1 to entry: Activities can include developing or adapting the infrastructure (3.1.10), vehicle capabilities, or processes
described in this document.
Note 2 to entry: A software update project can encompass multiple software update campaigns (3.1.16).
3.1.22
tailor, verb
to omit or perform an activity in a different manner compared to its description in this document
[SOURCE: ISO/SAE 21434:2021, 3.1.32]
3.1.23
target
one or more classes of vehicles, vehicle systems (3.1.25), or electronic control units (ECUs) (3.1.7) determined
by vehicle configuration information (3.1.24)
3.1.24
vehicle configuration information
comprehensive accounting of hardware versions, software (3.1.15) versions, and configuration parameters in
a vehicle
3.1.25
vehicle system
functional group of one or more electronic control units (ECUs) (3.1.7) and attached hardware
Note 1 to entry: Attached hardware can be, for example, a sensor, actuator, or light, etc. that is not an ECU (3.1.7).
EXAMPLE Braking system or infotainment system.
3.1.26
vehicle user
person operating, driving, owning or managing a vehicle
Note 1 to entry: A vehicle user can be a skilled person (3.1.14).
3.2 Terms related to the software update operation
3.2.1
receipt
step in the software update operation (3.1.19) when a tool, vehicle, vehicle system (3.1.25), or electronic
control unit (ECU) (3.1.7) receives a software update package (3.1.20)
EXAMPLE 1 Downloading a software update package (3.1.20).
EXAMPLE 2 Transferring a software update package (3.1.20) using a tool.
3.2.2
installation
step in the software update operation (3.1.19) when the relevant parts of a software update package (3.1.20)
are written to a vehicle, vehicle system (3.1.25), or electronic control unit (ECU) (3.1.7) but are not yet
activated (3.2.3)
3.2.3
activation
step in the software update operation (3.1.19) when the relevant parts of an installed (3.2.2) software update
package (3.1.20) become executable on a vehicle, vehicle system (3.1.25), or electronic control unit (ECU)
(3.1.7)
EXAMPLE 1 A new automated driving function is installed (3.2.2) and ready for execution, but is only executed after the
vehicle user (3.1.26) starts the function.
EXAMPLE 2 The relevant parts of a software update package (3.1.20) for a vehicle, vehicle system (3.1.25), or ECU
(3.1.7) are installed (3.2.2) and executed immediately after activation without user interaction.
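The definitions in 3.1 and 3.2 describe a data model (vehicle configuration information, a software update package with metadata carrying its target, dependencies and conditions) and a three-step operation (receipt, installation, activation) whose later steps are gated by conditions such as in-vehicle resources and the safe vehicle state. The following Python is an added example, not text or code from ISO 24089: every class, function and data value in it is constructed here to illustrate those definitions, and the compatibility and safe-vehicle-state rules are simplifications of the definitions rather than anything the standard prescribes.

```python
# Added example, not part of ISO 24089: a minimal model of the Clause 3 vocabulary
# (vehicle configuration information, package metadata, compatibility, conditions,
# safe vehicle state) and of the three steps receipt, installation and activation.
# Every class, function and data value here is constructed for illustration.
from dataclasses import dataclass, replace
from enum import Enum

class UpdateRefused(Exception):
    """Raised when a condition (3.1.2) for the operation is not met."""

@dataclass(frozen=True)
class VehicleConfigurationInformation:  # 3.1.24
    vin: str
    hardware: dict    # ECU name -> hardware version
    software: dict    # ECU name -> activated software version
    parameters: dict  # configuration parameters, e.g. market region

@dataclass(frozen=True)
class SoftwareUpdatePackage:  # 3.1.20: software plus metadata
    package_id: str
    target_ecu: str             # with target_hardware: the target (3.1.23)
    target_hardware: frozenset  # hardware versions the software is built for
    new_version: str
    dependencies: dict          # 3.1.6: other ECU -> minimum software version
    required_free_storage_kb: int  # a condition (3.1.2) on an in-vehicle resource

@dataclass
class VehicleState:  # runtime facts used to evaluate conditions at each step
    motor_on: bool
    parking_brake_applied: bool
    free_storage_kb: int  # an in-vehicle resource (3.1.11)

class Step(Enum):  # 3.2: steps of the software update operation (3.1.19)
    NONE = "none"
    RECEIVED = "receipt"        # 3.2.1
    INSTALLED = "installation"  # 3.2.2: written, not yet executable
    ACTIVATED = "activation"    # 3.2.3: executable

def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

def check_compatibility(pkg, vci) -> list:
    """3.1.1 checked against the VCI; returns the reasons it does not fit (empty = compatible)."""
    hw = vci.hardware.get(pkg.target_ecu)
    if hw is None:
        return [f"target ECU {pkg.target_ecu} is not present in the vehicle"]
    problems = []
    if hw not in pkg.target_hardware:
        problems.append(f"{pkg.target_ecu} hardware {hw} not supported by the package")
    for ecu, minimum in pkg.dependencies.items():
        installed = vci.software.get(ecu)
        if installed is None or version_tuple(installed) < version_tuple(minimum):
            problems.append(f"dependency {ecu} >= {minimum} not met (installed: {installed})")
    return problems

def is_safe_vehicle_state(state) -> bool:
    """3.1.13, following its EXAMPLE: motor off and parking brake applied."""
    return (not state.motor_on) and state.parking_brake_applied

def refused(action, *args) -> bool:
    """True if the step raised UpdateRefused, i.e. a condition blocked it."""
    try:
        action(*args)
    except UpdateRefused:
        return True
    return False

class Recipient:  # 3.1.12: one vehicle instance walking through the three steps
    def __init__(self, vci):
        self.vci, self.step, self.pending = vci, Step.NONE, None

    def receive(self, pkg):  # 3.2.1: accept only a compatible package
        problems = check_compatibility(pkg, self.vci)
        if problems:
            raise UpdateRefused("; ".join(problems))
        self.pending, self.step = pkg, Step.RECEIVED

    def install(self, state):  # 3.2.2: written, but not yet activated
        if self.step is not Step.RECEIVED:
            raise UpdateRefused("installation needs a received package")
        if state.free_storage_kb < self.pending.required_free_storage_kb:
            raise UpdateRefused("in-vehicle resource condition not met: storage")
        self.step = Step.INSTALLED

    def activate(self, state):  # 3.2.3: becomes executable; VCI changes only now
        if self.step is not Step.INSTALLED:
            raise UpdateRefused("activation needs an installed package")
        if not is_safe_vehicle_state(state):
            raise UpdateRefused("safe vehicle state condition not met")
        software = dict(self.vci.software, **{self.pending.target_ecu: self.pending.new_version})
        self.vci = replace(self.vci, software=software)
        self.step = Step.ACTIVATED

# Constructed sample data; the VIN and package id are placeholders, not real identifiers.
SAMPLE_VCI = VehicleConfigurationInformation(
    vin="CONSTRUCTED-VIN-0001", hardware={"BCM": "HW2", "GW": "HW1"},
    software={"BCM": "1.4.0", "GW": "2.0.1"}, parameters={"region": "EU"})
SAMPLE_PACKAGE = SoftwareUpdatePackage(
    package_id="PKG-BCM-1.5.0", target_ecu="BCM", target_hardware=frozenset({"HW2", "HW3"}),
    new_version="1.5.0", dependencies={"GW": "2.0.0"}, required_free_storage_kb=2048)
```

The point worth noticing is the separation the definitions draw between installation and activation: after `install()` the recipient holds the new software but its vehicle configuration information still reports the old version, and only `activate()`, gated by the safe vehicle state, changes it. A real system would also verify the package's integrity and authenticity at receipt and record the outcome for the campaign; those aspects belong to later clauses and are deliberately not modelled here.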
4 Organizational level requirements
4.1 Objectives
The objectives of this clause are to ensure that the following are performed:
a) establishing organization-specific rules and processes for software update engineering;
b) adopting quality management, functional safety management, and cybersecurity management for
software update engineering;
c) instituting and maintaining a continuous improvement process for software update engineering;
d) establishing an information sharing policy for software update engineering; and
e) performing an organizational audit for process compliance.
4.2 General
This clause covers the responsibility of the organization engaged in software update engineering to have
governance in place so that the processes for software update engineering can conform to the requirements
of this document. Governance includes compliance with required ISO standards as well as organizational
activities such as continuous improvement, information sharing, and supporting processes. This clause also
establishes auditing requirements for this document.
4.3 Requirements and recommendations
4.3.1 Governance
4.3.1.1 If the organization performs software update engineering activities, then this document applies.
4.3.1.2 The organization shall establish, document, and maintain rules and processes for software update
engineering to:
— enable the implementation of the requirements of this document;
— support the execution of the corresponding activities, including the assignment of resources and responsibilities across all those involved in the software update engineering activities;
— confirm conformance with the requirements of this document.
NOTE 1 These rules and processes cover vehicle systems that are affected by software update engineering activities.
NOTE 2 These rules and processes cover the infrastructure used for software update engineering activities.
EXAMPLE Process definitions, technical rules, guidelines, methods, and templates.
4.3.1.3 The organization shall establish, implement, and maintain software update engineering activities in
accordance with applicable content of:
— ISO/SAE 21434;
— ISO 26262-6;
— ISO 26262-8.
NOTE Other parts of ISO 26262 series can provide guidance on how to identify applicable content and how to conform
with ISO 26262-6 and ISO 26262-8.
EXAMPLE ISO 26262-3 can be used to show that ISO 26262-6 is not applicable if the software update operation is
classification QM (quality management).
4.3.2 Continuous improvement
4.3.2.1 The organization shall establish, perform, and maintain a continuous improvement process for
software update engineering activities.
EXAMPLE 1 Evaluating, applying, and communicating lessons learned.
EXAMPLE 2 Improvements from previous or similar software update projects, field monitoring and observations.
EXAMPLE 3 Key performance indicator (KPI) for continuous improvement process is the number of failures.
4.3.2.2 The organization shall establish, perform, and maintain a process to verify that after any change to its
software update engineering processes, the processes still meet the requirements of this document.
4.3.3 Information sharing
4.3.3.1 The organization shall establish, perform, and maintain a policy for sharing information both inside
and outside the organization concerning software update engineering activities.
NOTE The policy can include what information is shared, with whom the information is shared, when the information
is shared, and how to permit sharing of information.
EXAMPLE Information being shared can include:
— schedule for the software update campaign;
— content description;
— possible implication of the software update campaign including safety or cybersecurity-relevant items;
— duration the vehicle or its functions are unavailable;
— reason for the software update campaign;
— treatment of sensitive or personal information;
— documentation about the software update campaign;
— license and intellectual property information.
4.3.4 Supporting processes
4.3.4.1 The organization shall establish, implement, and maintain a document management process for
software update engineering activities to handle the work products required by this document.
EXAMPLE IATF 16949 can be applied.
4.3.4.2 The organization shall establish, implement, and maintain a requirements management process for
software update engineering activities.
EXAMPLE ISO/IEC 26551.
4.3.4.3 The organization should consider privacy implications of the activities required by this document.
NOTE Activities in this document can involve personal information.
EXAMPLE 1 Information on privacy can be found in ISO/IEC 27701 and ISO/IEC 29100.
EXAMPLE 2 Customer personally identifiable information included in software update campaigns.
4.3.4.4 The organization shall establi
...
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 24089
ISO/TC 22/SC 32
Secretariat: JISC
Road vehicles — Software update engineering
Véhicules routiers — Ingénierie de mise à jour du logiciel
Voting begins on: 2022-10-31
Voting terminates on: 2022-12-26
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
In addition to their evaluation as being acceptable for industrial, technological, commercial and user purposes, draft International Standards may on occasion have to be considered in the light of their potential to become standards to which reference may be made in national regulations.
Reference number: ISO/FDIS 24089:2022(E)
© ISO 2022
Contents Page
Foreword v
Introduction vi
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
3.1 General terminology 1
3.2 Terms related to the software update operation 5
4 Organizational level requirements 5
4.1 Objectives 5
4.2 General 5
4.3 Requirements and recommendations 6
4.3.1 Governance 6
4.3.2 Continuous improvement 6
4.3.3 Information sharing 6
4.3.4 Supporting processes 7
4.3.5 Auditing 8
4.4 Work products 8
5 Project level requirements 8
5.1 Objectives 8
5.2 General 8
5.3 Requirements and recommendations 9
5.3.1 Project management 9
5.3.2 Tailoring and rationale 9
5.3.3 Interoperability 9
5.3.4 Integrity 10
5.4 Work products 10
6 Infrastructure level requirements 10
6.1 Objectives 10
6.2 General 10
6.3 Requirements and recommendations 11
6.3.1 Managing risk 11
6.3.2 Managing vehicle configuration information 11
6.3.3 Communicating software update campaign information 11
6.3.4 Processing software update packages 12
6.4 Work products 12
7 Vehicle and vehicle systems level requirements 13
7.1 Objectives 13
7.2 General 13
7.3 Requirements and recommendations 13
7.3.1 Managing risks 13
7.3.2 Managing vehicle configuration information 14
7.3.3 Communicating software update campaign information 14
7.3.4 Processing software update packages 14
7.4 Work products 16
8 Software update package requirements 16
8.1 Objectives 16
8.2 General 17
8.3 Requirements and recommendations 17
8.3.1 Identification of targets and the contents for the software update package 17
8.3.2 Assembly of the software update package 18
8.3.3 Verification and validation of the software update package 18
8.3.4 Approval for release of the software update package 18
8.4 Work products 19
9 Software update campaign requirements 19
9.1 Objectives 19
9.2 General 19
9.3 Requirements and recommendations 19
9.3.1 Software update campaign preparation 19
9.3.2 Software update campaign execution 21
9.3.3 Software update campaign completion 23
9.4 Work products 23
Bibliography 24
iv
© ISO 2022 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/FDIS 24089:2022(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and nongovernmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road Vehicles, Subcommittee SC 32,
Electrical and electronic components and general system aspects.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Electronic control units and software of increasing complexity have become essential to the operation
of road vehicles in recent years. This software is often updated to increase functionality and maintain
the safety and cybersecurity of road vehicles.
Today, in-vehicle software is updated in a workshop by skilled persons or over-the-air, initiated
automatically or by the vehicle user. As software update campaigns become more frequent, it is
important to hold configuration information for each individual vehicle. The establishment and
application of software update engineering is therefore important to ensure software quality,
cybersecurity, and safety.
Software update engineering activities occur throughout the life cycle of vehicles.
This document provides vocabulary, objectives, requirements, and guidelines related to software
update engineering as a foundation for common understanding throughout the supply chain. By
applying requirements and recommendations in this document, the following benefits can be achieved
for software update engineering:
— safety and cybersecurity are addressed in software update operations in road vehicles;
— establishment of processes, including goal setting, planning, auditing, process monitoring, process
measurement, and process improvement;
— shared awareness of safety and cybersecurity among related parties.
Figure 1 shows the overview of this document.
Figure 1 — Overview of this document
In this document, clauses are structured using the following approach:
— each process is defined and implemented before it is executed;
— each process is established, documented and maintained.
This document describes the following activities:
— implementation of organizational level processes for software update engineering;
— implementation of software update project level processes for each software update project;
— definitions of functions for the vehicle and infrastructure to support the activities and processes of
this document;
— assembly of software update packages using functions in the infrastructure;
— preparation and execution of software update campaigns using functions in the vehicle and
infrastructure.
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 24089:2022(E)
Road vehicles — Software update engineering
1 Scope
This document specifies requirements and recommendations for software update engineering for road
vehicles on both the organizational and the project level.
This document is applicable to road vehicles whose software can be updated.
The requirements and recommendations in this document apply to vehicles, vehicle systems, ECUs,
infrastructure, and the assembly and deployment of software update packages after the initial
development.
This document is applicable to organizations involved in software update engineering for road vehicles.
Such organizations can include vehicle manufacturers, suppliers, and their subsidiaries or partners.
This document establishes a common understanding for communicating and managing activities and
responsibilities among organizations and related parties.
The development of software for vehicle functions, except for software update engineering, is outside
the scope of this document.
Finally, this document does not prescribe specific technologies or solutions for software update
engineering.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 26262-6, Road vehicles — Functional safety — Part 6: Product development at the software level
ISO 26262-8, Road vehicles — Functional safety — Part 8: Supporting processes
ISO/SAE 21434, Road vehicles — Cybersecurity engineering
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 General terminology
3.1.1
compatibility
capability of software (3.1.15) to be executable on vehicle systems (3.1.25) without conflicts
Note 1 to entry: Compatibility can be checked by vehicle configuration information (3.1.24).
3.1.2
condition
criteria required for a software update operation (3.1.19) to be completed successfully
Note 1 to entry: Conditions can include compatibility (3.1.1), safe vehicle state (3.1.13), in-vehicle resources (3.1.11),
and external resources.
EXAMPLE The presence of a skilled person (3.1.14) during a software update operation.
3.1.3
corrective action
action to eliminate or contain a problem or failure
3.1.4
cybersecurity
road vehicle cybersecurity
context in which assets are sufficiently protected against threat scenarios to vehicle systems (3.1.25) of
road vehicles and infrastructure (3.1.10) required to support software update engineering (3.1.18)
Note 1 to entry: In this document, for the sake of brevity, the term cybersecurity is used instead of road vehicle
cybersecurity.
[SOURCE: ISO/SAE 21434:2021, 3.1.9, modified — “to items of road vehicles, their functions and their
electrical or electronic components” has been replaced by “to vehicle systems of road vehicles and
infrastructure required to support software update engineering” and the Note 1 to entry has been
modified.]
3.1.5
cybersecurity risk
effect of uncertainty on cybersecurity (3.1.4) expressed in terms of attack feasibility and impact
[SOURCE: ISO/SAE 21434:2021, 3.1.29]
3.1.6
dependency
effect of software (3.1.15) for one vehicle system (3.1.25) on the same or other vehicle systems (3.1.25)
Note 1 to entry: A dependency can generate a condition (3.1.2) in the metadata of a software update package
(3.1.20).
EXAMPLE A communication interface between two electronic control units (ECUs) (3.1.7).
3.1.7
ECU
electronic control unit
embedded device in a vehicle whose software (3.1.15) can be updated
3.1.8
functional safety
absence of unreasonable risk due to hazards caused by malfunctioning behaviour of vehicle systems
(3.1.25)
[SOURCE: ISO 26262-1:2018, 3.67, modified — “E/E” was replaced by “vehicle”.]
3.1.9
functional safety risk
combination of the probability of occurrence of harm and the severity of that harm
[SOURCE: ISO 26262-1:2018, 3.128, modified — The term has been modified from “risk” to “functional
safety risk” for the scope of this document.]
3.1.10
infrastructure
processes and information systems managing any combination of software update operations (3.1.19),
software update campaigns (3.1.16), documentation, and vehicle configuration information (3.1.24),
including both digital and manual activities
Note 1 to entry: Infrastructure can include any combination of servers, tools, and manual activities used in the
software update operation.
3.1.11
in-vehicle resource
vehicle or electronic control unit (ECU) (3.1.7) available properties relevant for software update
engineering (3.1.18)
EXAMPLE Available or remaining computational power, network capacity, RAM capacity, storage capacity,
or battery capacity.
3.1.12
recipient
individual instance of a vehicle, vehicle system (3.1.25), or electronic control unit (ECU) (3.1.7) that
receives a software update package (3.1.20) during a software update campaign (3.1.16)
3.1.13
safe vehicle state
vehicle operating mode based on conditions (3.1.2) for performing software update operations (3.1.19)
without an unreasonable level of risk
Note 1 to entry: Safe vehicle state can be different depending on the conditions (3.1.2) required for the software
update package (3.1.20).
Note 2 to entry: Safe vehicle state can vary based on the software update operation step being performed.
EXAMPLE The motor is off, the parking brake is applied.
3.1.14
skilled person
individual with relevant technical education, training or experience to execute software update
operations (3.1.19)
Note 1 to entry: A skilled person can be a mechanic in a workshop.
Note 2 to entry: A skilled person can be authorized or certified for their specialized training or be a skilled vehicle
user (3.1.26).
[SOURCE: ISO 10209:2022, 3.14.36, modified — The phrase “to enable them to perceive risks and
avoid hazards occurring during use of a product” has been replaced by “to execute software update
operations”.]
3.1.15
software
computer programs and associated data intended for installation (3.2.2) on vehicles, vehicle systems
(3.1.25), or electronic control units (ECUs) (3.1.7), that may be dynamically written or modified during
execution
[SOURCE: NIST SP 800-53, modified — The phrase “intended for installation on vehicles, vehicle
systems, or electronic control units (ECUs)” was added.]
3.1.16
software update campaign
sequence of identifying targets (3.1.23) and resolving recipients (3.1.12); distributing software update
packages (3.1.20); and monitoring and documenting results of software update operations (3.1.19)
3.1.17
software update distribution method
mechanism for delivery of a software update package (3.1.20) during a software update campaign
(3.1.16)
Note 1 to entry: The software update distribution method can be wired (e.g. tool, USB flash drive), wireless (e.g.
cellular or WiFi) or hardware replacement.
Note 2 to entry: Hardware replacement can be replacing an electronic control unit (ECU) (3.1.7) with the effect of
software (3.1.15) version replacement.
3.1.18
software update engineering
application of a systematic and managed approach to the processes of planning, development, and
deployment of software update packages (3.1.20)
[SOURCE: ISO/IEC/IEEE 24765:2017, 3.3810, modified — “disciplined, quantifiable” was replaced by
“and managed”, and “development, operation and maintenance of software” was replaced by “processes
of planning, development, and deployment of software update packages”.]
3.1.19
software update operation
steps involved in receipt (3.2.1), installation (3.2.2) and activation (3.2.3) of software update packages
(3.1.20) in a vehicle, vehicle systems (3.1.25), or electronic control units (ECUs) (3.1.7)
3.1.20
software update package
set of software (3.1.15) and associated metadata that is intended to be deployed to one or more vehicles,
vehicle systems (3.1.25), or electronic control units (ECUs) (3.1.7)
3.1.21
software update project
set of software update engineering (3.1.18) activities for one or more targets (3.1.23)
Note 1 to entry: Activities can include developing or adapting the infrastructure (3.1.10), vehicle capabilities, or
processes described in this document.
Note 2 to entry: A software update project can encompass multiple software update campaigns (3.1.16).
3.1.22
tailor
to omit or perform an activity in a different manner compared to its description in this document
[SOURCE: ISO/SAE 21434:2021, 3.1.32]
3.1.23
target
one or more classes of vehicles, vehicle systems (3.1.25), or electronic control units (ECUs) (3.1.7)
determined by vehicle configuration information (3.1.24)
3.1.24
vehicle configuration information
comprehensive accounting of hardware versions, software (3.1.15) versions and configuration
parameters in a vehicle
3.1.25
vehicle system
functional group of one or more electronic control units (ECUs) (3.1.7) and attached hardware
Note 1 to entry: Attached hardware can be, for example, a sensor, actuator or light, that is not an ECU.
EXAMPLE Braking system or infotainment system.
3.1.26
vehicle user
person operating, driving, owning or managing a vehicle
Note 1 to entry: A vehicle user can be a skilled person (3.1.14).
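The terms above describe one mechanism when read together: the metadata of a software update package (3.1.20) carries conditions (3.1.2), some of them generated by dependencies (3.1.6) or by the required safe vehicle state (3.1.13) and in-vehicle resources (3.1.11), and the infrastructure identifies a target (3.1.23), resolves the recipients (3.1.12) from vehicle configuration information (3.1.24) and checks compatibility (3.1.1) before a software update operation proceeds. The following Python model is an added illustration of that reading; it is not part of ISO 24089 and not the code of any manufacturer, and since the document prescribes no technology, the data layout, field names, version scheme and the sample fleet are all assumptions made for this example. The point worth seeing in code is that eligibility is decided twice: first as a class (target), then per vehicle against its own configuration information, so a package cannot reach hardware or a software baseline it was not built for.

```python
"""Added example: target resolution and condition checking for a software update
package, modelled on the ISO 24089 terms 3.1.1, 3.1.2, 3.1.6, 3.1.11, 3.1.12,
3.1.13, 3.1.23 and 3.1.24. Layout, names and sample data are assumptions."""
from dataclasses import dataclass, field


@dataclass
class VehicleConfiguration:
    """3.1.24 vehicle configuration information for one vehicle (assumed layout,
    keyed by ECU name). 'resources' are 3.1.11 in-vehicle resources and
    'state' is the current operating mode used for the 3.1.13 check."""
    vin: str
    hardware: dict
    software: dict
    parameters: dict
    resources: dict
    state: dict


@dataclass
class Dependency:
    """3.1.6 dependency, modelled as a minimum software version on another ECU."""
    ecu: str
    min_version: tuple


@dataclass
class PackageMetadata:
    """Metadata of a software update package (3.1.20). Every field after
    'new_version' is a condition (3.1.2) the infrastructure checks."""
    ecu: str
    new_version: tuple
    compatible_hardware: frozenset
    from_versions: frozenset
    dependencies: tuple = ()
    required_resources: dict = field(default_factory=dict)
    safe_vehicle_state: dict = field(default_factory=dict)


@dataclass
class Target:
    """3.1.23 target: a class of vehicles selected by configuration information."""
    ecu: str
    hardware_versions: frozenset
    parameters: dict


def resolve_recipients(target, fleet):
    """Step one of a campaign (3.1.16): turn the target class into the concrete
    recipients (3.1.12) whose configuration information matches it."""
    return [v for v in fleet
            if v.hardware.get(target.ecu) in target.hardware_versions
            and all(v.parameters.get(k) == val for k, val in target.parameters.items())]


def check_conditions(pkg, vehicle):
    """Evaluate the package's conditions (3.1.2) against one recipient and
    return the unmet ones; an empty list means the operation may proceed.
    The compatibility check (3.1.1) on hardware and current software version
    is what keeps a package off an ECU it was never built for."""
    unmet = []
    hw = vehicle.hardware.get(pkg.ecu)
    if hw not in pkg.compatible_hardware:
        unmet.append(f"incompatible hardware {hw} on {pkg.ecu}")
    sw = vehicle.software.get(pkg.ecu)
    if sw not in pkg.from_versions:
        unmet.append(f"unsupported current software {sw} on {pkg.ecu}")
    for dep in pkg.dependencies:
        have = vehicle.software.get(dep.ecu)
        if have is None or have < dep.min_version:
            unmet.append(f"dependency {dep.ecu} >= {dep.min_version} not met (have {have})")
    for name, needed in pkg.required_resources.items():
        if vehicle.resources.get(name, 0) < needed:
            unmet.append(f"in-vehicle resource {name} below {needed}")
    for name, needed in pkg.safe_vehicle_state.items():
        if vehicle.state.get(name) != needed:
            unmet.append(f"safe vehicle state requires {name}={needed}")
    return unmet


def plan_campaign(pkg, target, fleet):
    """Map each recipient's VIN to its unmet conditions; vehicles outside the
    target are not recipients and do not appear in the result."""
    return {v.vin: check_conditions(pkg, v) for v in resolve_recipients(target, fleet)}


# Constructed sample data for this example; not taken from any real vehicle.
PACKAGE = PackageMetadata(
    ecu="BCM", new_version=(1, 5, 0),
    compatible_hardware=frozenset({"HW2"}),
    from_versions=frozenset({(1, 3, 0), (1, 4, 0)}),
    dependencies=(Dependency("GW", (2, 1, 0)),),   # needs the gateway interface from GW 2.1.0
    required_resources={"storage_mib": 128},
    safe_vehicle_state={"motor_off": True, "parking_brake": True},
)
TARGET = Target(ecu="BCM", hardware_versions=frozenset({"HW2"}), parameters={"market": "EU"})


def vehicle(vin, bcm_hw, bcm_sw, gw_sw, market, storage, motor_off):
    """Helper to build one constructed vehicle configuration record."""
    return VehicleConfiguration(
        vin=vin,
        hardware={"BCM": bcm_hw, "GW": "HW1"},
        software={"BCM": bcm_sw, "GW": gw_sw},
        parameters={"market": market},
        resources={"storage_mib": storage},
        state={"motor_off": motor_off, "parking_brake": True},
    )


FLEET = [
    vehicle("V1", "HW2", (1, 4, 0), (2, 1, 0), "EU", 512, True),   # all conditions met
    vehicle("V2", "HW2", (1, 2, 0), (2, 0, 5), "EU", 512, True),   # old BCM software, GW too old
    vehicle("V3", "HW1", (1, 4, 0), (2, 1, 0), "EU", 512, True),   # other hardware: not a recipient
    vehicle("V4", "HW2", (1, 4, 0), (2, 1, 0), "US", 512, True),   # other market: not a recipient
    vehicle("V5", "HW2", (1, 3, 0), (2, 1, 0), "EU", 64, False),   # too little storage, motor running
]

if __name__ == "__main__":
    for vin, unmet in plan_campaign(PACKAGE, TARGET, FLEET).items():
        print(vin, "ready" if not unmet else unmet)
```

Running the block lists V1 as ready, V2 blocked by its current BCM version and the gateway dependency, and V5 blocked by storage and by the vehicle not being in the required safe vehicle state; V3 and V4 never appear because they are outside the target. The safe vehicle state and resource conditions are the ones that change over time (Note 2 to 3.1.13), so in practice they are re-evaluated on the vehicle at each step of the operation rather than decided once in the infrastructure.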
3.2 Terms related to the software update operation
3.2.1
receipt
step in the software update operation (3.1.19) when a tool, vehicle, vehicle system (3.1.25), or electronic
control unit (ECU) (3.1.7) receives a software update package (3.1.20)
EXAMPLE 1 Downloading a software update package.
EXAMPLE 2 Transferring a software update package using a tool.
3.2.2
installation
step in the software update operation (3.1.19) when the relevant parts of a software update package
(3.1.20) are written to a vehicle, vehicle system (3.1.25), or electronic control unit (ECU) (3.1.7) but are
not yet activated (3.2.3)
3.2.3
activation
step in the software update operation (3.1.19) when the relevant parts of an installed (3.2.2) software
update package (3.1.20) become executable on a vehicle, vehicle system (3.1.25), or electronic control unit
(ECU) (3.1.7)
EXAMPLE 1 A new automated driving function is installed (3.2.2) and ready for execution, but is only executed
after the vehicle user (3.1.26) starts the function.
EXAMPLE 2 The relevant parts of a software update package for a vehicle, ve
...