00:00:00
CYRES Consulting webinar on the finally released standard on software update engineering, ISO 24089. My name is Tobias Pils and I am here with CYRES Consulting; I am a consultant and an expert in cyber security and software update management systems.
00:00:27
On this slide I want to show you quickly a bit of our portfolio, be it the cyber security management system on the executive and management level, or being compliant to UN R155 or ISO/SAE 21434, as well as the software update management system with UN R156 and the now released ISO 24089. We also do engineering and development, where we support with gap analyses but also the TARA, the cyber security concept and, for instance, cyber security supplier management. On the other side we have all the topics surrounding the academy, meaning the different trainings for the different ACP levels and then also certification together with TÜV Rheinland, as well as the on-demand trainings and the on-demand video platform where you can watch videos. And surrounding cyber security, of course, we do SUMS and all the other aspects such as ASPICE, project and quality management, but also functional safety and systems engineering.
00:01:47
Now let's jump a bit into the comparison, which is really important with the regulation here: the comparison between ISO 24089 and UN R156. The regulation, of course, is mandatory to follow. So as soon as you fall under this regulation, in this case for software updates and in this case being an OEM, then of course you have to be compliant to this mandatory regulation, which in this regard gives out requirements for how to handle software updates, and if you are not compliant then this could lead to a sales ban in one of the UNECE or even all of the UNECE member countries. In comparison, we have ISO 24089 as a standard, a state-of-the-art reference done by the industry, which can be a baseline for implementing software updates and the management system surrounding it, and it could also, for instance, help in court by supporting you in showing that you have adhered to the requirements. However, it has to be said that the requirements you might find in this ISO standard are not the same requirements that you will find in UN R156. There is a bit of overlap, but then you might have different focuses or even entirely different requirements. So just following the one does not necessarily mean that you are already 100% compliant to the other. You really need to look at both documents and, depending on what you need to be compliant against, really look at the details of these requirements.
00:03:38
Looking at the timeline, basically also from our last video, the timeline in general, and especially in the beginning, has not changed. We had the CD version of the ISO, we had the publication of UN R156, and we had the DIS version and now the standard. So February 2023, this month, there is finally the release of the first edition of the ISO, and this is really the important milestone here. While on the UN R level we had this mandatory for new vehicle types since July 2022 and then mandatory for new vehicles from July 2024, there is also an update now: we put the reference here so you can check it out on EUR-Lex, the legal perspective from the EU, that for small series manufacturers the timeline and the timings have been shifted by two years. So as you can see up here, it is two years longer than it was before, to give the small series manufacturers enough lead time to be compliant towards the requirements.
00:04:56
And with this, let's jump into some general points. In total we have nine clauses in the standard, we have 95 requirements and 10 recommendations, we also have around 14 reference standards and 26 work products in total, which are of course, as with other standards such as ISO/SAE 21434, just the work products you need to have in order to showcase your compliance in one form or another.
00:05:28
These are some of the key facts of the standard, and now let's jump into a bit of the content. Of course we are going to start with the scope, the normative references (some standards in there on CSMS and also functional safety) and some terms and definitions, but then of course where the requirements begin: organization level, project level, infrastructure level, vehicle level, software update packaging, and last but not least the campaign that you use to roll out everything. And here you can also see that a bit in a graphic: you have the surrounding organizational and project level, but then also having the packages, having the vehicles, and rolling out the software update packages.
00:06:17
It is not just all separate; of course it all correlates and is dependent on each other. But, and this is also important to say here, you also depend on the supply chain, where you say: okay, what is it that an OEM is doing, what is it that maybe a supplier is doing, is a supplier responsible for a software update, or is it that the supplier is just giving maybe a software update package to the OEM because the OEM rolls that out, etc. So of course this has to be considered, and then in the end of course the end customer needs to be informed, needs to give approval for the software update to be installed, and things like that. So let's say in this chain here there are a lot of things to consider and to do.
00:07:04
Let's jump a bit into the content, starting with governance and organizational activities. In this top-down approach, in this top-down view, you look into what is necessary on a high level to comply and what governance and what goals I need to set myself. Compliance to the CSMS, ISO/SAE 21434, is important; also some parts of ISO 26262 for functional safety are mentioned here. But then of course there is continuous improvement, but also information sharing, and also having policies and managing vehicle information, configuration information and all kinds of other information and documentation that you need in order also to be prepared for audits and to show: okay, these are my processes, this is how they are running, this is a document supporting that, also with the work products, and then saying, okay, I am ready to share or show that I am adhering to the requirements.
00:08:12
And then when we look at the project level, of course you are planning different software update projects. You look at: okay, what is it that I am doing in the project, do I tailor something, do I then have the rationales for the tailoring, but also do I have roles and responsibilities defined. And I also need to make sure that I have interoperability between the infrastructure and the vehicle or the systems, so that I can really smoothly roll out my software updates onto my target. Those are really important factors to cover here.
00:08:50
And then going more into, let's say, a bit more technical details, looking at the infrastructure functions and the software update. Basically this talks about the infrastructure with which software updates are rolled out in campaigns, how to manage cyber security risk for an infrastructure, how to manage the information on the infrastructure and how to distribute the packages, as well as, together with the vehicles, your targets, for instance how do I manage failures of the software update campaign, and things like that.
00:09:28
Then we look at the vehicle or systems and ECU requirements, where we say: okay, what is the functionality that needs to be covered, how do I cover and manage the risks (there are of course also risks on the vehicle with the software update packages being implemented and installed), how is this all processed on the vehicle or the system, and then also how are failures handled, what if the software update fails or something like this, what is it that I can do, that I have to do, in order to, let's say, not bring the vehicle into an unsafe state, and things like that.
00:10:09
Then we talk a bit about assembling the software update packaging: especially, let's say, what needs to be inside the package, and then how do I verify and validate the software package, and with all this, what is it that needs to be inside the packages, depending also on the target, and then having also a release and an approval that the software update package can be released and rolled out.
00:10:38
And then preparing the software update campaign, saying: okay, connecting the steps also from the above-mentioned requirements and chapters and saying, okay, have I prepared everything, identifying the targets, rolling out the software updates, looking at whether everything is working out, and then finalizing the software update campaign, maybe terminating it in case of failure, and doing things like that; and of course always seeing that I can also have a thorough documentation of what has happened with the update campaign and the rollout. So yes, this is, let's say, a summary of what is roughly described in these chapters.
00:11:19
Now, looking at the thing more from a construction perspective: we started with chapters one, two, three with general points, which are pretty standard to a lot of or all ISO standards, and then again looking at the organizational level, responsibilities for the organization; looking at the project level, how is it that the project needs to be set up, what needs to be taken care of in this special project for a software update; and then looking at the infrastructure, how does it need to be developed, how is it handling the software updates; what has to be looked at from the vehicle and systems perspective; how is my software update package really doing, what needs to be inside, is it tested; and then connecting these points again and preparing and rolling out the software update packages within this campaign until finalization. So this is basically the overview of roughly the requirements that will be in there. All in all, let's say, some chapters have more requirements, other chapters have not so many requirements, but most requirements, most chapters or descriptions, are in the last one for the software update campaign. But here again it connects a lot of dots and also lives on the requirements that have been described before in the other chapters, kind of tying everything together and making sure that you roll out a very good and solid, sophisticated software update and that you have managed everything that's around it.
00:13:20
And then what we wanted to talk about here is also a bit about the similarities of the software update management, and here the ISO, when it comes to the cyber security management system, functional safety, but also the information security management system, because there are some examples where you can say, oh yes, I know this already from this standard, or based on that; and then also with the references within ISO 24089, the references to other standards, you can see, okay, there is really some connection, it just needs to work together.
00:13:54
So of course we have the tailoring and also distributed activities: if you tailor something away you need to have a rationale for why you are doing this, and then maybe somebody else is doing that, so leading also into distributed activities and figuring out who does what, on, let's say, the project side, who is responsible for what, which is also very well known to be described and needs to be happening if you look at other standards.
00:14:24
Then we look at preserving the integrity of the software, of course the integrity of the software update package and of the metadata. So this is of course very important, and so is it also for having the software update packages, for instance, on the infrastructure, and there you could have, for instance, connections to the ISMS or IT security and things like that, where you say: I have the security of the infrastructure covered and therefore I also take care of the software update packages.
00:14:59
But then of course it is always about risks, cyber security risks for the vehicle and for the infrastructure, so identifying and managing these risks, and being really here also in connection with ISO/SAE 21434, looking at: what are my risks here for the vehicle, how do I cover it, how do I manage it, what is it that I need to do. And then in comparison, also on that level, on the vehicle level: what are my software update operations, do I need to look at it from a functional safety perspective, does a software update have the possibility to influence my functional safety, but also do the operations have the possibility to influence my cyber security, so I might have to take a look at this in the TARA as well. So here you also have the connections to functional safety and the cyber security management system.
00:16:02
And then, last but not least, here is a short overview of some of these standards. We have the functional safety standard, we also have a standard for the system life cycle, we have the ISMS standard, we have the configuration management standard and the quality management standard. So of course if you are in the automotive sector and if you are involved with, let's say, the management systems and so on and so forth, there are a lot of things that you will already have seen or know. And then, last but not least, the cyber security management system. So a lot of these things get mentioned in the standard, and of course if you integrate or if you are building up a software update management system then you also need to integrate this into the whole of your other management systems in order for it to interact smoothly together.
00:17:00
And now, since of course there is always this compliance perspective with the regulation, and the ISO can of course support this, I think it is always important to really focus also on the things that can be happening here when it comes to, let's say, more the legal perspective, but also on things that really need to be covered from the regulatory side, because the software update management system itself really lives in this environment of regulations and requirements to comply to. So of course, here again, what comes from UN R156 is the certificate of compliance, so really saying: okay, am I ready, are my processes ready, can I showcase that my processes are ready, in order to reach the certificate of compliance, that I am ready for the car and that I can do that in production and things like that, in order to cover software updates. Then of course you could have penalties and fines, depending on whether or not, well, you said yes, we are adhering or we have a management system, but then you don't, or your management system is not thoroughly set up, so you might run into trouble where something happens that might lead to a penalty or so, for instance from a customer perspective towards the supplier. Then you have product liability, of course, looking at how I am liable for things that are happening, for problems that are happening with my software update packages, with my software update processes, things like that; so it really asks the question, okay, how am I responsible. And then of course, let's say, a legal perspective to say: okay, do I adhere to EU law, to the UN R regulation, what is it that I am doing, and do I fulfill all the legal requirements here, because if I don't I might face a sales ban, and I think that is really something that needs to be covered here and needs to be considered when I figure out: okay, I have this, I need to be compliant but I am not, so what are the results and how do I prevent this from happening. So this is, all in all, a bit of an overview on, let's say, more the legal and regulatory aspects and things that need to be covered when we talk about a software update management system, not so much from the ISO perspective, but of course the ISO can support in rolling certain things out and meeting requirements.
00:19:45
Now if you are interested in this and say: well, we might have to implement something, or we are somewhat connected to a software update management system, we need to be compliant to the standard or the UN R regulation, then we can support you in this, looking at your processes, looking at what it is that you have or what it is that you really need to set up from the beginning, and seeing how we can support this, doing a gap analysis or something similar. So that is something where you can contact us and then we will take a look at what it is that you need.
00:20:20
So thank you very much for this short outlook on the newly released ISO 24089 for software update engineering. Here is just a bit of an overview on what it is that we are doing: we have the academy, the consulting and the audits and assessments, so various activities on what CYRES Consulting is doing for cyber security, software update management systems, etc. We had the book; if you have seen this, it is sold out by now, but this is already something where you might have gotten to know us, as you have the book maybe already, or you know somebody who could lend it to you. Then we also have the video platform where you can see a lot of videos on a lot of topics relating to cyber security in the automotive sector as well as software updates and other topics, and we have also now bundled the ACP level videos into a video bundle where you can watch it in your own time, at your own pace, and then use that for preparation for the ACP one certification. We are also working on a workbook, which can be seen as an update to the book that was mentioned, and with which we will, let's say, bring a more detailed view on what it is that needs to be done when it comes to cyber security.
00:21:56
So thank you very much and thank you for your interest in ISO 24089. I hope I could really give you a short update on what it is that needs to be taken care of, what the requirements are, but also how this relates to the bigger picture of management systems, other standards and the regulation on how to manage and roll out software updates. And with this I say thank you very much and wish you all the best, and hope to see you soon at one of our events, or, if you have need for consulting or support, always feel free to contact us in this regard. Thank you very much and take care.