Automotive

Over-The-Air upgrade: How to develop the concept successfully

Adam Kozłowski

Head of Automotive R&D

Marcin Wiśniewski

Head of Automotive Business Development

January 27, 2022

•

5 min read

Schedule a consultation with automotive software experts

July 2021, Porsche recalls 43 000 of its newest EVs: Taycan and Taycan Cross. Why? Due to software issues resulting in power loss. How could this have been prevented while reducing costs and fixing the defects in one go on all cars? The answer is short and comes from the mouths of everyone working in the automotive industry: Over-The-Air Upgrade.

Although hard to implement correctly, the cost of not having the ability to remotely upgrade software and firmware in the vehicle is huge. Today it’s not the question of „IF” and „WHEN”, (since the automotive industry has long known the answers to these questions), today it’s the question of „HOW”.

Upgrading a GPS or infotainment application is one thing, but upgrading the vehicle's firmware is another. And it does not matter whether it's a car, an e-scooter, or a smartphone. The principles are always the same. We will try to outline them in this article.

Let's start from the beginning - what are the core benefits of the over-the-air upgrade.

OTA allows for remote diagnosis. Initial diagnosis done remotely helps with better planning of repairs, as well as with predictive maintenance – both giving a better customer experience and reducing the cost for the OEMs, especially during the warranty period.

The upgrade can also happen on the production line while waiting for shipment. The vehicle always has the newest stable version of the firmware and software, reducing the amount of manual work required for the whole vehicle lifecycle.

The only part of the car life cycle where the Over-The-Air Upgrade is not really useful is aftersales.

Key benefits of implementing an over-the-air upgrade are:

An ability to remain compliant with evolving industry standards through vehicle lifetime.
It helps to reduce warranty and recall costs by reducing service center visits or help desk calls for the vehicle (it also works on the production line, while waiting for shipment).
The vehicle always has the newest stable version of the firmware and software, reducing the amount of manual work required for the whole vehicle lifecycle.
An ability to resolve issues remotely, so the customer doesn’t have to waste time traveling on-site.
An ability to update multiple vehicles simultaneously, reducing time required to update the whole fleet.

SOTA - the most common implementation of over-the-air upgrade

SOTA is used widely by almost every OEM to update navigation systems (maps, POIs) and sometimes other infotainment applications, like voice assistance. As opposed to the firmware update, the failure of the software update is rarely critical to vehicle operations. It can result in inconvenience when due to update failure, the navigation system crashes or fails to display a map.

This is also the part that makes the customer experience bad if SOTA is done without due diligence because the software makes the infotainment appealing and responsive . And yet no one likes slow or difficult-to-use applications or services. Especially when they're intended to boost driving satisfaction.

Firmware over-the-air-upgrade is a different beast

With FOTA, we play a much more demanding game. That’s why it’s important to separate software updates from firmware updates.

First, it’s just easier for a developer to focus on his part of the job, the specific application. Secondly, the firmware part is riskier and more complex, and the update might not be required that often.

The complication comes partially from the idea of replacing the Operating System of the ECUSoC and partially from the criticality of the systems. Computers controlling engine operations, ESPTC, gearbox, or electronic chassis controller are required for safe and reliable operations of the vehicle.

Firmware Over-The-Air Update Failure in the update process, resulting in critical fault of this kind of subsystem, in most cases, makes the vehicle inoperable, beyond repair capabilities of regular users. The cost of restoring the vehicle to an operational state is fully on the manufacturer’s side. This is obviously the scenario that should be avoided at all costs.

Key requirements for implementation of (F)OTA successfully

Automatic recovery corrupted updates

Firmware updates should be atomic. The whole process should be successful, or the system should automatically roll back to the previous/ existing version of the software. The problem does not have to be caused by a bug in the original image – the package can be corrupted in transit, or the transfer might be interrupted and result in a partial package being in the process.

Internet connectivity consistency

Parts of the firmware being updated, especially ones regarding device to network connectivity, should never break away if the SoC is connected to the internet – otherwise, the next version might be never installed automatically. It’s important especially if the device does not have a way to notify the user about the problem or allow them to reconfigure the network settings.

Code provenance, code identity, code compatibility and code integrity – security of the executed program

Firmware update in most cases regards critical systems . The wireless update is tempting, but it must be secure, especially regarding verifying the identity of authors of change and source of the update – as well as if the code was not replaced or altered during transit. If the edge device can cryptographically confirm code signs, it can be installed. Additionally, there should be a way for the update system to confirm if the package is built for that specific it’s being installed on.

Secure communication medium for package transport

All channels used for the update should be secure. Ideally, it should be a mutual TLS, but even a regular secure TLS connection is sufficient as long as the whole path is secure (both local connection and in the cloud).

[NICE-TO-HAVE] Sending OTA firmware updates in chunks and partial updates support

It’s easier to handle updates that are sent in chunks. When the connection is unstable, the whole download process does not have to be repeated. Additionally, if partial updates are supported, a small update takes less time to install and less bandwidth to transfer.

[NICE-TO-HAVE] Separate base system layer from the installed software

If the application and data layer is not part of the firmware update, it’s easier to develop the applications, safely update the system without breaking the data, and securely update the system without breaking the applications. Combined with partial updates, it also helps with making updates faster.

Opposite to the chip flashing using a wired connection, the failure is not really an option – if the device cannot boot, even to some basic OS functions, it is bricked – unless you are an expert with specialistic hardware, it may be really hard to directly write new firmware to the chip to overwrite the faulty or broken version.

And what if a broken package is written to the device?

Does not matter if it was a human error, device issue, or just really bad luck – in the end, the important part is to make sure the user does not end up with a broken vehicle. The battle-tested solution for this problem is AB filesystems – or AB slots.

The idea is rather simple – system areas in storage are duplicated. Graphically speaking, there are two fully operational versions of the system being installed simultaneously on the single device, and there is a programmatical switch in the bootloader which selects the OS to start.

In regular operation, a single system, let’s call it “A”, is being continuously used while the other one, “B”, is the exact copy of the “A”, but works as a backup. If the “A” fails to start, the bootloader switches to the other version. During the update, the inactive partition is overwritten with the update packages – either whole partition or subset of files, depending on the type of update. If the update finishes and the checksum of the result is correct, as the last step, the bootloader configuration is changed to run from the “B” slot, and the device restarts.

As previously stated – if something fails, the bootloader, after a failed attempt, will switch back to the previous, working version. This makes this approach safe, allowing us to retry the upgrade process. Otherwise, the update is successful and there are two approaches:

Leave the old version on the other partition and remain to boot from the slot selected after the update process.
Copy the contents of the upgraded partition to the other slot t o have two copies of the same version .

The same approach is used in modern smartphones, and as a direct continuation, the same approach was selected for Android Automotive OS – which is a Google Android Open-Source Project (AOSP) implementation-specific for the automotive industry.

Currently, both Volvo (including, of course, Polestar) and General Motors use AAOS for their newest vehicles as an infotainment system. Being an open system, a lot of applications can be developed for cars from different OEMs and leverage the bigger, open market – plus of course, the code is open source, and a lot of work on things like upgrade system (OTA), application delivery, connection to subsystems (air conditioning, navigation, interior buttons) is already finished and can be reused.

Building using open and tested frameworks and code is just easier – and a proven way to update both application and system is an asset when starting from scratch with new infotainment firmware and software.

Data powertrain in automotive: Complete end-to-end solution

We power your entire data journey, from signals to solutions

Check our offer

Blog

Check related articles

Read our blog and stay informed about the industry's latest trends and solutions.

How Porsche developed a digital twin to win the race for the virtual car concept

NASA used a precursor to these technologies to bring the Apollo 13 astronauts back to Earth. Lockheed Martin claims these types of solutions are one of six game-changing technologies in the defense industry. The opinion-forming Gartner includes them in its list of ten strategic technologies that can streamline corporate decision-making processes. When Porsche and Volkswagen Group reach for them, it’s a signal for the automotive industry to become interested in digital twin technology for good.

Although the concept of a digital twin had been developing in the space industry since the 1970s, it was not until the 1990s that it was first mentioned in the literature (the book entitled Mirror World, by David Gelernter). In industry, the technology was recognized even later, 30 years after the Apollo mission, when the authority in the field of PLM - Michael Grieves - disseminated it.

Today, the technology, which was officially named Digital Twin by NASA just over 10 years ago, is placed on the pinnacle of key solutions at the convergence of the virtual and real world. It works well wherever there is a high number of failures, work of coupled systems, and where the production process is long and burdened with numerous risks.

The automotive industry is one of these sectors, as demonstrated by the virtual car concept developed by Porsche for the new Taycan. What is a digital twin and what benefits does it bring?

test prototypes for their functionality, durability and user expectations;
predict defects and analyze possible design errors;
save time and financial means;
reduce design and production risks;
improve monitoring capabilities of vehicle fleets;
and best of all - it enables continuous product improvement, as it often collects data from not only one, but thousands of objects. This makes it learn faster and predict defects more precisely, as it is based on knowledge gathered from a vast number of sources.

In the case of cars, these could be sensors from dozens of systems spanning the entire vehicle lifecycle: from research and development to the manufacturing plant and OTA updates , to connected services .

„Chassis twin” - a virtual car concept developed by Porsche for TaycanThe „chassis twin” project has been in the process of development at Porsche for the past three years and then it was continued by the CARIAD company (the Volkswagen Group's vehicle software provider). The air suspension of the new Porsche Taycan was chosen as the main object.

Why the chassis and not the entire car? Because it is this part of the vehicle that is subjected to the most strain, especially on racetracks.

Porsche engineers used intelligent neural algorithms to centrally analyze the data, and in-car sensor data was collected not only from Porsche cars but also from Volkswagen Group vehicles. This increased the data pool by over 20 times. The "chassis twin" concept enables chassis loads to be detected, even if they are not noticeable inside the cabin, and notify the driver before faults appear, even when no suspicious sound or vibration has yet been noted by the driver or mechanic.

The data collected by the vehicles is sent via Porsche Connect to a central system in the cloud , where an algorithm calculates the relevant durability and vehicle operation thresholds for the whole fleet of vehicles to create a baseline. When these are possibly exceeded, the driver of a specific vehicle receives a notification via Porsche Communication Management (PCM), that the chassis may require inspection. Looped into the computational work, the algorithm recommends not only the type of service needed but also the scope of work to be carried out in the service center.
By removing a faulty or overloaded component early on, the driver will not only be able to avert potential malfunctions, but also keep the vehicle in better overall condition.

In the future, based on a vehicle's digital usage history, Porsche or a partner insurance broker can offer extended warranties and better services to the driver . The data can be classified, analyzed, and used not only for repairs to a specific vehicle but to predict life-cycle events for the entire product. This allows Porsche to create new services and features, and to test different scenarios for the development of a particular vehicle line. Thus, it saves the time and resources required to bring ill-conceived solutions into reality.

The other possible use case is that drivers themselves can use the data collected by the digital twin to negotiate with the prospective buyer. The buyer can view the vehicle's overall condition and chassis service history.
As for drivers' concerns about their own privacy, the manufacturer assures that it collects data anonymously and the system does not store any information that could identify the driver directly. The future of the concepts digitization of the automotive industry is gaining pace year after year. The digital twin concept may prove to be one of the key technologies that will push software-defined vehicles to new tracks and help companies create safer cars, provide new services and increase vehicle lifespan.

So far, half of the Taycan users have signed up for the Porsche pilot program, which collects data from the chassis of their sporty electric cars. In 2022, the program is to launch at a test level, and only sensor data directly from the mechatronic components will be evaluated. In the future, the concept is to reach its full potential, making it possible, among other things, to calculate the wear and tear of specific components without the need for physical measuring devices.

How will the "chassis twin" model developed by Porsche work out ? The future will tell. What is certain is that a return to the past is only possible in the movies. In 2022, Volkswagen is commencing an era in which a virtual equivalent will soon await the driver, in addition to their actual real vehicle.

How to simplify the process of building production-ready AI services and reduce the time for resource management in the automotive industry?

While the automotive industry is rapidly changing by adopting a software-first strategy, like in other sectors, automotive enterprises struggle with productionizing AI and ML R&D projects. Machine Learning and Data Science teams face numerous challenges, including determining the proper technology, automating workflows, managing computing resources, managing data, and building solutions meeting internal regulations. All these issues can complicate the project even before the kick-off.

So, how do we support AI teams to overcome typical challenges and enable ML engineers and Data Scientists to focus on creating and bringing artificial intelligence algorithms to production?

The implementation of a dedicated deployment platform is a solution that is well suited for the automotive industry . In particular, it allows you to:

accelerate the productionization of AI and ML applications;
provide an easy and quick project and user onboarding;
simplify access to data and computing resources;
ensure high scalability -even when the number of accounts far exceeds thousands of users.

To illustrate the process of working on the platform, let's have a look at a project that the Grape Up expert team had the opportunity to implement.

Building AI and ML deployment platform using proven cloud-native technologies - practical use case

Our client - a well-recognized sports car manufacturer - set us the goal of designing a reliable and extensible architecture capable of handling hundreds of customer accounts for the platform. Tools were to be selected for the project to ensure the scalability and flexibility of operations. The idea was to provide fast and efficient production of AI/ML software .

Along with building the platform architecture leveraging Terraform orchestrating Cloud Formation scripts, Grape Up ensured efficient migration of existing environments. The solution was integrated with Continuous Integration pipelines and the E2E tests set. To reap the benefits of high-quality performance in multiple regions worldwide, the platform was hosted on the AWS cloud.

Results?

An AI Deployment Platform was delivered , which was capable of managing a huge number of AI/ML projects and allowed for streamlined processes to create, test, and deploy artificial intelligence and machine learning models into production for Data Science teams.

Developers were guided through the company's deployment processes and supported with reusable blueprints that could be leveraged at the initial steps of the development.

The cloud-native toolkit that was created provided flexibility and agility, at the same time supporting innovation in the vendor's operations. After introducing improvements to the platform, the customer could reduce the code by 80%, while retaining high quality and testability.

All those solutions allowed AI software development teams to work more efficiently and reduce time-to-market for new products and services.

How OEMs can leverage subscription business model

The subscription business model outperforms the non-subscription business as we observe the shift from ownership towards usership. The success of services like Netflix for movies, Spotify for music, Microsoft Game Pass for video games quickly spreads outside from the entertainment industry. For industries based on the services, not on physical products, the shift from one-time or reoccurring payment to subscription-based service is easier.

Not-so-warm welcome for subscription model in automotive

It’s harder to justify monthly payments for the service if it enables the device or feature already present in the product you have already paid for. The huge backlash in media happened in a reaction to BMW’s announcement in 2020 that the company has been considering selling heated seats as a subscription-based feature.

Most of the criticism was associated with the fact that the overall price of the car was the same, and obviously, it was already equipped with the electric pad in the seat, while there was no additional software for handling the feature - it was just enabling and disabling the button. Some of the journalists even called that “simple-feature-as-a-service.” That resulted in nightmarish marketing for the idea and postponed the implementation of similar models by other OEMs, encouraging them to rethink the risk of making similar announcements.

Subscription business models become new normal

But in the last few years, a lot has changed. People get used to the subscription payment model appreciating its benefits. Also, more and more features in the car are based on the software , so it’s just easier to justify additional payment over the initial vehicle purchase. The overall reception of the idea shifted from mostly negative to neutral or positive.

At this point, customers understand that sometimes building-in hardware that is not activated can be cheaper than making hundreds of configuration versions. Also, the vehicle manufacturers start to learn how to better advertise the benefits of the subscription business model and how to better pick the features that fit this kind of model. It also enabled certain flexibility if this is a corporate vehicle, with basic default configuration, and the driver would like to add Apple CarPlay or enable additional convenience features, like opening the car with the smartphone.

How OEMs can successfully implement a subscription model

For OEMs planning to start with this business model, the moment for building a platform supporting subscription-based services is now. Not just the payment system, because the subscription business model is based on the idea that the feature can be enabled and disabled on the fly, basically making Connected Car a key requirement , while OTA makes it much more robust long-term .

It all starts with requirements. Let’s try first to distinguish typical types of feature purchase for a vehicle:

Standard equipment (automatically activated in production phase)
Runtime - associated with the driver or limited-time licenses
Lifetime - associated with the vehicle, does not expire
- Purchased on an initial configuration in a dealership
- Purchased aftersales (either in dealership or online)
Subscription - associated with driver or vehicle, can expire
- Automatic re-subscription (e.g., no end time)
- Manual re-subscription (e.g., end time after X months)

The other key aspect is offering differentiation between countries, regions, and continents. The same feature may be available as a subscription in the EU while only available as a one-time purchase in the USA.

To make the offer complete, the manufacturer may allow buying a custom offer specific to geographical location - for example, the additional package offered when the driver enters Nürburgring - 24 hours of additional racing time-tracking features.

Building a system for the new model

Our system has to handle all those use cases. To accomplish that, we need to build a solution in which the scheduler (sometimes called cron, from the name of Linux job scheduler) is the core component. It is responsible for triggering notifications or events at specific periods - for example, resubscription notification monthly, to trigger the payment, or license cancellation event after a configured period.

The scheduler itself is just a single, small part of the system. The other important piece is the database for storing the subscription status and the API backend for retrieving and updating the values. Consistency is crucial, as the feature getting disabled by mistake leads to a bad user experience.

The system has to be connected to the vehicle . In most cases, this is done asynchronously through queues like Kafka or RabbitMQ. This gives better stability and reliability than direct connections.

Lastly, we need to ensure that the feature is actually enabled or disabled in the vehicle. This means the vehicle has to receive the correct, unique license for that feature when it’s enabled, and revoke it when it is disabled (alternatively, the license can be automatically pushed every, for example, 30 days, with expiration time set to 33-35 days, to prevent feature loss when connectivity or payment problems occur.

To avoid building an additional retry mechanism into the licensing system itself, it’s better to update the feature state using Digital Twin. In this case, the digital representation of the vehicle is updated with the new license, and it is then responsible to synchronize itself with the vehicle when the internet connection to the car is available. This makes the system conformant to the single-responsibility principle, so the license system does not have to know or understand the vehicle connectivity.

That’s the basic architecture of our system for handling licenses and subscriptions of digital services. Obviously, that’s just the beginning. For OEMs, where the scale of digital business grows exponentially, the next important topic would be the reliability of the system. For that, scaling to meet the demand is important, as well as caching the current state of licenses to avoid complex queries.

Apart from that, this is enough to start with the feature activation and deactivation and handling subscriptions. Of course, it must be connected to mobile apps and online stores for purchases and to payment systems, but those are already used by most enterprises.

Is this really the future? It seems like we can’t avoid it anymore, especially with shared mobility growth, the ability to unlock temporarily additional features is tempting. Imagine grabbing a Ferrari for a weekend to take it to the track, enabling an additional 50HP and an advanced AI for measuring your times and proposing a better moment to break before the turn and accelerate afterward. And paying for only 2 days. This may make all the difference in convincing customers to the new subscription business models.