COMPLIANCE · UNECE
UNECE R156
Build the Software Update Management System OEM programmes need — update authorisation, dependency analysis, RxSWIN traceability, and evidence retention aligned with ISO 24089.
WHAT IS UNECE R156?
UNECE R156 is the binding regulation that requires OEMs to operate a Software Update Management System and demonstrate safe, traceable in-vehicle software updates.
CONTEXT
R156 governs software-update integrity across the vehicle lifecycle — from update authorisation and dependency analysis to RxSWIN identification and evidence retention. It pairs with ISO 24089 for software-update engineering and with R155 for cybersecurity of update mechanisms.
WHAT ENGINEERING TEAMS PRODUCE
Outputs that go into the evidence chain
- 01
Documented Software Update Management System covering processes, roles, and governance
- 02
Software update authorisation workflows with documented decision criteria
- 03
Dependency analysis evidence — software, hardware, certification, and type-approval impact
- 04
RxSWIN identification and traceability across software versions and Vehicle Types
- 05
Evidence that updates are safe to install across affected configurations
- 06
Failure-handling, rollback, and re-flashing evidence
- 07
Records retention for the regulatory period
WHERE TEAMS STRUGGLE
Friction points that show up at audit time
SUMS scope blurs across cybersecurity (R155), safety (ISO 26262), and software engineering processes
RxSWIN granularity is interpreted differently across programmes — too coarse or too fine to be useful
Dependency analysis is fragmented across requirements, calibration, and certification artefacts
Update authorisation decisions are made in meetings; the decision rationale is hard to retrieve later
Records retention obligations outlast the original engineering team's involvement
HOW AGNILE AND KAVACH HELP
Engineering evidence prepared for review
We support evidence preparation, structure work products, and help engineering teams ready themselves for assessment discussions. Final review and approval rest with the relevant authority.
KAVACH connects software-update evidence to cybersecurity work products so update authorisation can be reasoned about with traceable inputs
RxSWIN identification linked to architecture context — versioning stays grounded in vehicle reality
Engineer-in-the-loop review for update authorisation decisions; AI-assisted acceleration is configurable
Agnile Embedded Software and Cybersecurity Engineering services support SUMS process design and audit-readiness reviews
RELATED RESOURCES
Detailed reference reading
EMBEDDED SOFTWARE
Secure Automotive Device Driver Development: From MCAL to Complex Device Drivers
Cybersecurity patterns for MCAL and Complex Device Driver development — the ISR security checklist, requirements by driver layer, and the integration tradeoffs.
Read article →
CYBERSECURITY
UNECE R155 Compliance Roadmap: From CSMS Audit to Type Approval
A practical 12–18 month UNECE R155 compliance roadmap for vehicle programmes — CSMS audit, Annex 5 threats, Type Approval, and post-2024 enforcement reality.
Read article →
FAQ
Common questions about UNECE R156
Move from architecture to UNECE R156 evidence with engineers who do this work.
Bring a programme scope. We'll show where KAVACH fits cleanly, where integration work is, and what evidence is already in good shape for review.