Why Ignoring Firmware Over-The-Air (FOTA) Updates in Automotive ECUs Can Be a Costly Mistake
Your smartphone can download the latest OS version over the air (using wireless connectivity, without being physically plugged in).
A similar remote device management model is also widely deployed for automotive and other IoT-based automation systems.
This is necessary to effectively manage and update the latest software packages in all the electronic components.
This remote software management feature is called a Firmware Over-The-Air (FOTA) or Over-The-Air (OTA) update.
While we considered the example of a smartphone with respect to over-the-air upgrades, the criticality of these updates is much higher in automotive.
Let’s have a look at some car recall instances that highlight the need for FOTA and for doing it right.
Perils of Not Making OTA/FOTA Part of Your Product Development Process at the Design Phase
So far, we have only talked about the details of the FOTA update process, but to understand its impact, we need to understand the perils of its absence.
Let’s start with a few examples:
- In 2015, Fiat Chrysler had to recall 1.4 million cars after its electronic system was hacked. The hackers were able to almost paralyze the vehicle by disabling the brakes. It caused major embarrassment to the OEM.
- Tesla also faced the heat when its vehicles’ electronic system was hacked by security hackers in September 2016.
- In yet another incident, Fiat Chrysler released an over-the-air (OTA) update that made the infotainment system reboot every 30-40 seconds. To make matters worse, customers were not even given the option to decline the update or roll back to an earlier version.
Moral of the story: you not only have to do OTA, you also have to do it right.
From the cost overhead of recalls to reputational damage, the absence of FOTA is undoubtedly quite detrimental to any automotive OEM.
Now that we know how important Firmware Over-The-Air upgrades are to automotive OEMs, let’s have a look at what the manual software update process looks like and why the need for FOTA was felt.
How a Manual Automotive ECU Firmware Update Works
The electronic control units are interconnected using a specific type of network interface/bus (CAN, LIN, MOST, FlexRay etc.). The manual firmware update is performed with the help of a module that is connected to the automotive ECU externally.
Such a module acts as a gateway for software updates. The firmware updates for the control units are received by this gateway module over the in-vehicle network.
The process may sound simple, but when we factor in the large number of automotive ECUs for each update, the issue of compatibility of control units from different vendors and the frequency of updates, we find ourselves confronted with numerous operational challenges.
Here is a brief snapshot of a possible scenario of manual firmware update:
A firmware update is usually required to release a new version of the software, to resolve a bug or potential security threat, or perhaps to release a new feature.
If the ECU has been sourced from a supplier, they may be requested to release an update.
After the software update release is ready, the supplier will ship it to the automotive OEM who will test it for QA and approve the version for the release.
Next, the OEM will contact the different dealers as well as the customers over mail or call and inform them about the update. In the meantime, the OEM will also send the software update to the dealers.
The customers will now have to visit the dealer and get the control unit updated. At the service center, the mechanic will connect the automotive ECU reprogramming tool to the vehicle’s network bus and access the control unit to be updated.
For this entire process, the dealer will charge the OEM for recall labor.
Sounds too complicated, slow and costly, right?
And this is where a Firmware Over-The-Air (FOTA) update has an edge and is a value-add process.
How Firmware Over-The-Air Update Works
In the times of Connected Cars, ADAS and Electric Vehicles, automotive ECU software influences a lot of critical features of the vehicle.
All this has made software updates of automotive control units more critical and more frequent.
Thus we got in touch with our IoT consultants to understand in more depth the application of Firmware Over-The-Air (FOTA) updates for automotive applications.
Essentially, a FOTA update is a 3-step process. It starts with generating the update package, continues with update delivery management and ends with automotive ECU re-flashing.
Let’s explore each one of them:
- Update Package Generation: This is the 1st stage of a FOTA update. A software update package is generated that contains the code to fix the identified control unit issue or to integrate the new feature. The update can be aimed at a specific firmware component in the device or at the entire device itself. The different components of the FOTA update package can be bootloader software, firmware configuration and application firmware.
Once the firmware build is ready with the intended changes, a FOTA image is generated with the necessary security settings and checksum code, which helps to ensure code integrity during installation on the target device. This generated image is also tested locally to ensure the reliability of the firmware update.
- Update Package Delivery Management: After the update package containing the bug fixes or new feature is generated, it is pushed to a distribution platform. This platform may be controlled by the automotive OEMs or the vendor. The versioning of the software is handled by this platform, along with the delivery of the software package to the intended car model and control unit. The dealers can easily get the update package from the centralized platform. Such an arrangement ensures that the software package does not need to be distributed to the dealers separately. Hence, the time-to-market is reduced significantly.
- Performing the FOTA Update: The above two steps did not involve the vehicle, as the process was being carried out by OEMs and vendors. However, the last step of a FOTA update requires the vehicle to be able to accept the update and execute it. For this, a component (a Telematics Control Unit, to be precise) is required that can establish a connection with the update server. On the device side, FOTA can be triggered in two ways: either via the Delivery Management system, or the device can itself choose to check whether updated firmware is available on the server. A time interval can be defined for this. Once the firmware update image is available, the device initiates a download from the server via a secure channel. The device then checks the integrity of the downloaded image by calculating and verifying the checksum of the package.
After the package integrity is verified, the device authenticates the source of the image and then proceeds to update the device. After the update, the device sends a notification to the server with the updated version number.
Here, the onus is on the OEMs to integrate a control unit in the car that can serve as a client to download the update and execute it on the intended vehicle ECU.
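The build-side and device-side steps described above (checksum for integrity, then source authentication, then the version notification), as an added example that is not from the original article or from any OEM's code. The container layout, `DEMO_KEY` and the function names are assumptions, and HMAC-SHA256 with a shared key stands in for the asymmetric signature a production ECU would verify with a public key.

```python
import hashlib
import hmac
import json
import struct

# Assumed layout (constructed for this example, not a real OEM format):
#   4-byte big-endian header length | JSON header | firmware payload | 32-byte tag
DEMO_KEY = b"constructed-demo-key"  # stand-in for the OEM signing key
TAG_LEN = 32

def build_package(component, version, payload, key=DEMO_KEY):
    """Build side: add the checksum and authentication tag to a firmware build."""
    header = json.dumps({
        "component": component,  # bootloader, configuration or application
        "version": version,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }).encode()
    body = struct.pack(">I", len(header)) + header + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_package(blob, key=DEMO_KEY):
    """Device side: return (header, payload), or raise ValueError before flashing."""
    if len(blob) < 4 + TAG_LEN:
        raise ValueError("truncated package")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    (hlen,) = struct.unpack(">I", body[:4])
    if hlen > len(body) - 4:
        raise ValueError("header length exceeds package")
    try:
        header = json.loads(body[4:4 + hlen])
        claimed = header["sha256"]
    except (ValueError, TypeError, KeyError) as exc:
        raise ValueError("malformed header") from exc
    payload = body[4 + hlen:]
    # Step 1, integrity: catches corruption during download.
    if hashlib.sha256(payload).hexdigest() != claimed:
        raise ValueError("checksum mismatch")
    # Step 2, source authentication: a checksum can be recomputed by anyone
    # who alters the image, so only the keyed tag proves where it came from.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return header, payload

def install_report(blob):
    """Verify, then build the version notification sent back to the server."""
    header, _payload = verify_package(blob)
    # Flashing the payload to the ECU would happen here (out of scope).
    return {"component": header["component"], "version": header["version"]}
```

A package rebuilt with a different key carries a correct checksum and still fails at step 2, which is why the checksum alone is not a security control.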
Future of FOTA in Automotive
The automotive industry has evolved along the lines of the mobile phone industry in terms of software. Updating the automotive ECUs is no longer optional; for certain scenarios, it is indispensable.
And as the updates are getting more frequent, the OEMs cannot expect customers to visit the dealer for every update.
FOTA has to be made a regular feature in a vehicle, as it will not only help the customers but also help the OEMs save on manpower and other costs. Customer delight from the reduced time vehicles spend in a garage or service station for software updates will be a bonus.