ISO 24089: software update engineering, explained
Software updates got their own engineering standard in February 2023. ISO 24089 does not tell you which update platform to buy — it defines what an organisation must be able to do before it changes the software in a vehicle. Here is what the standard covers, and how it relates to UN R156.
Why software updates got their own standard
For most of the industry's history, changing the software in a vehicle was an event: a technician, a cable, a workshop bay. Software-defined vehicles turned it into a continuous capability — the same change may reach a production line, a dealer network and a customer's driveway, and the organisation shipping it is accountable for every copy. The regulation arrived first: UN Regulation No. 156 entered into force in January 2021 and made a Software Update Management System a condition of vehicle type approval — in the EU, approval has been refused for new vehicle types since July 2022, and from July 2024 non-compliant new vehicles can no longer be registered, sold or enter into service.
The engineering answer came two years later. ISO 24089, Road vehicles — Software update engineering, was published in February 2023 (first edition, with a minor amendment in 2024) under ISO's road-vehicles committee (ISO/TC 22/SC 32). It is deliberate about what it is not: it does not prescribe specific technologies or solutions, and the development of the vehicle-function software itself is outside its scope. What it defines is the discipline around the change — how an organisation plans, builds, verifies, distributes and documents changes to vehicle software after its initial development.
What ISO 24089 actually covers
The scope is wider than most people expect. The standard specifies requirements and recommendations for software update engineering on both the organisational and the project level, and applies to vehicles, vehicle systems, ECUs, infrastructure, and the assembly and deployment of software update packages after initial development. It is not written for vehicle manufacturers alone: the scope states that the organisations involved can include manufacturers, suppliers, and their subsidiaries or partners.
The body of the standard is six requirement clauses: organisational level, project level, infrastructure level, vehicle and vehicle-systems level, software update packages, and software update campaigns. Each follows the same internal pattern — objectives, requirements and recommendations, and defined work products — which is what makes the standard auditable rather than aspirational: for every clause there is something an assessor can ask to see.
The vocabulary is precise in ways that matter. A software update campaign is the sequence of identifying targets, resolving recipients, distributing packages and monitoring and documenting the results; a software update operation is the receipt, installation and activation of a package in a vehicle, system or ECU. And the defined distribution methods are wired, wireless or hardware replacement — this is an update standard, not an over-the-air standard. A workshop reflash over a cable is governed by exactly the same engineering discipline.
ISO 24089 and UN R156: the how and the what
UN R156 defines a Software Update Management System as a systematic approach defining organisational processes and procedures to comply with the requirements for delivery of software updates. The manufacturer's SUMS is assessed by an approval authority and receives a Certificate of Compliance valid for at most three years — and without a valid certificate, no vehicle type approval. The regulation's demands are concrete: every software version uniquely identified with integrity validation data, update authenticity and integrity protected, compatibility with the target vehicle configuration verified before delivery, and type-approval-relevant software identified by RXSWIN — readable in a standardised way at least through the OBD port, or declared to the authority instead.
One nuance is worth being precise about: R156 never mentions ISO 24089. The regulation predates the standard by two years, and a full-text search finds no ISO reference at all. The pairing of the two is established industry practice rather than a formal requirement — though it is being formalised in one direction: a UNECE task force has worked on adding ISO 24089 references and a mapping table to the regulation's interpretation document. The practical division of labour stands regardless: the regulation states what must be true; the standard describes an engineering practice for how an organisation makes it true.
Where functional safety and cybersecurity meet
ISO 24089 has exactly three normative references: ISO 26262-6 and 26262-8 — the software-development and supporting-process parts of the functional-safety standard — and ISO/SAE 21434, cybersecurity engineering. The selection is deliberately narrow: referencing two parts rather than the whole ISO 26262 series lets organisations that do not apply the full series still conform. The message in that choice is that a software update sits exactly where functional safety and cybersecurity meet: it changes safety-relevant behaviour, over a channel an attacker would love to own.
The cybersecurity coupling runs in both directions. ISO 24089 borrows the organisational-level/project-level structure that ISO/SAE 21434 established, and UN R155 — the cybersecurity sibling of R156 — explicitly catalogues threats to vehicle update procedures in its Annex 5. The update process is not just governed; it is an attack surface in its own right, which is why the engineering of updates and the securing of the diagnostic channel end up being the same programme of work.
Where the requirements land at the ECU
The quietly radical part of ISO 24089 is that vehicle configuration information — the comprehensive accounting of hardware versions, software versions and configuration parameters in a vehicle — is a first-class engineering object, with named requirement subclauses at both the infrastructure level and the vehicle level. Campaign targets are determined by configuration information; recipients are resolved against it; compatibility is proven against it. You cannot campaign what you cannot enumerate — the record is not paperwork after the fact, it is the mechanism that makes a safe campaign possible.
At the ECU, the requirements become the reflashing sequence itself. The UDS services that carry an update — RequestDownload, TransferData, RequestTransferExit — are defined in ISO 14229-1's upload/download functional unit, and the same standard defines boot software as the software executing from a dedicated area of ECU memory — an area not erased during a normal programming sequence: the component that makes an interrupted update recoverable rather than fatal. R156 adds the operational guarantees for over-the-air execution — a failed update must end in a restored previous version or a safe vehicle state. We walked through that choreography, and what a production bootloader must guarantee, in the reflashing article.
Starting without a compliance project
The practical way into ISO 24089 is not a two-year compliance programme; it is a gap analysis. No accredited certification scheme against the standard is established — assessment bodies offer gap analyses and their own conformity certificates instead — and they structure the assessment the way the standard is structured: the organisational management level on one axis, the lifecycle of actual projects on the other, with a document review of existing procedures against the clause requirements. Most organisations discover the same thing: the update mechanism is in better shape than the update record.
That suggests the order of work. The record first — vehicle configuration information and a complete account of what was updated, where, when and with what result — because that is what both R156's auditors and ISO 24089's work products keep returning to. The process second. The platform last. The mechanism side of that equation is a solved problem: a production-grade flash bootloader with signed packages and zero units bricked since 2016 is what Autotech Bootloader has delivered in serial production, and the record side is exactly what our UN R156 readiness checklist walks through.
Key takeaways
- ISO 24089 (first edition February 2023, amended 2024) defines software update engineering at the organisational and project level — deliberately technology-neutral, prescribing no platform or solution.
- It applies to suppliers and partners as well as vehicle manufacturers, and to wired, wireless and hardware-replacement updates alike — it is an update standard, not an OTA standard.
- UN R156 makes a certified Software Update Management System a type-approval condition — in the EU for new vehicle types since July 2022, with non-compliant new vehicles barred from registration and sale from July 2024 — and its Certificate of Compliance is valid for at most three years.
- R156 itself never cites ISO 24089 — the pairing is industry practice, with a UNECE task force mapping the standard into the regulation's interpretation document.
- The standard's normative references are exactly ISO 26262-6/-8 and ISO/SAE 21434, and vehicle configuration information is a first-class engineering object: knowing exactly what runs on each vehicle is the precondition for a safe campaign.
Common questions
Is ISO 24089 mandatory for vehicle type approval?
No. Type approval hinges on UN R156, which requires a Software Update Management System and its Certificate of Compliance. ISO 24089 is a voluntary engineering standard: R156 never cites it, and no accredited certification scheme against it is established — assessment bodies offer gap analyses and their own conformity certificates instead. The pairing of the two is industry practice, and a UNECE task force has worked on mapping the standard into R156's interpretation document.
What is the difference between ISO 24089 and UN R156?
UN R156 is a regulation: it states what must be true for type approval — a certified Software Update Management System, protected update integrity, RXSWIN identifiers and a complete update record — and has been in force since January 2021. ISO 24089 is an engineering standard: it describes how an organisation structures the work, from organisational and project processes down to packages and campaigns. The regulation demands; the standard describes a practice that can meet the demand.
Does ISO 24089 apply to suppliers or only to vehicle manufacturers?
Both. The scope addresses organisations involved in software update engineering for road vehicles, and states explicitly that this can include vehicle manufacturers, suppliers, and their subsidiaries or partners. A supplier that assembles or deploys software update packages is doing software update engineering, and the organisational and project-level requirements apply to that work.
What is an RXSWIN?
The RX Software Identification Number, defined in UN R156: a dedicated identifier, defined by the vehicle manufacturer, representing information about the type-approval-relevant software of an electronic control system. R156 requires each RXSWIN to be easily readable in a standardised way, at least via the OBD port — or, where RXSWINs are not held on the vehicle, the manufacturer must declare the software versions to the approval authority instead.