Do You Know the Different OTA Approaches in the Vehicle?
Comparison of OTA Update Strategies
Over-The-Air (OTA) software updates are now an integral part of many consumer electronics products. Apps on smartphones and tablets are supplied with updates practically every day. Applications as well as the firmware of the devices can thus be updated continuously and easily, directly on the end user's device.
In the automotive sector, software updates "Over-The-Air" have already been implemented in some cases, but the functionality is then usually restricted to certain ECUs or parts of the vehicle software. Due to the increasing complexity of vehicle software and its importance for functionality, the need for software updates is growing - even for safety-relevant applications/functions.
Since today's vehicles can contain more than 100 ECUs, an optimal implementation is a real challenge. Vehicle functions distributed over several ECUs must be updated via so-called update campaigns, consisting of update packages for all affected ECUs. This can lead to sometimes complex update scenarios in the vehicle. It is essential that the update processes run automatically, unattended and completely reliably. In the event of an error, it must be ensured at all times that the vehicle can be returned to an operational state, if necessary by completely restoring the previous software version.
Focus on AUTOSAR Classic ECUs
Flash Bootloader as Optimal Addition
This also brings ECUs based on the AUTOSAR Classic basic software into focus, such as door control units from the body domain. These ECUs usually have a so-called Flash Bootloader, which is used to update the application software including the AUTOSAR basic software on the ECU via diagnostics.
Flash Bootloaders have been used for many years to program ECU software or to update it later in its life cycle. They are comparatively small yet highly optimized programs that are addressed via diagnostics and erase and rewrite the flash memory. Updates via the Flash Bootloader take place during development, production and in the service shop. At the time of the update, the full bandwidth of the corresponding bus system can be used. In any case, programming takes place in a safe state of the vehicle.
For the use case of "Over-The-Air" software updates, a Flash Bootloader is also an optimal addition (Figure 1).
Figure 1: Software update via Flash Bootloader
The new software is transferred wirelessly to the vehicle and temporarily stored on a central ECU, here called a "Connectivity ECU", with sufficiently large memory. As soon as the software is to be uploaded to the target ECU in a safe state, the connectivity ECU starts the update process and loads the software update to the target ECU via a diagnostic sequence - just as the service shop diagnostic tester would do.
Two Limiting Factors in OTA Scenarios
1. During the update process, the vehicle remains in a safe state and cannot be used. This "down time" of the vehicle is usually strictly limited by the OEM for the benefit of customer convenience - this has a considerable influence on the scope or size of the updates.
2. The ECUs involved in the update process must be supplied with power. The remaining capacity of the battery therefore sets a strict limit for the duration of the update.
Houston, We Have NO Problem!
The Way To the Efficient Update Campaign
As already mentioned, the ability to restore a previous software version after a faulty update is indispensable. Therefore, in extreme cases, a complete reprogramming and rollback of all ECUs involved in the update campaign is required. The above-mentioned limiting factors of downtime and battery capacity restrict the possibilities of a Flash Bootloader in the OTA scenario.
Another possibility is to transfer the data to the respective target ECUs during normal operation, i.e. while the vehicle is in motion, and to store it in a memory area separate from the driving application (Figure 2). The data is not necessarily stored temporarily in the connectivity ECU. Instead, the received data is passed directly to the target ECUs.
This approach has the following advantages:
1. The time needed to transfer the update to the target ECU in the safe vehicle state is saved.
2. Restoring the previous software is possible without further data transmission.
Figure 2: Software download while driving
With concepts that rely on appropriate hardware support for switching between software versions, activation times can be reduced to a minimum. The vehicle therefore remains ready for operation at all times despite the software update.
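The following sketch is an added example, not code from the article or from Vector. It sizes an update campaign against the two limiting factors (downtime and battery) for both strategies, including the worst case of a full rollback. All ECU names, sizes, throughputs and limits are constructed, and it assumes that restoring an ECU costs as much as updating it and that power draw is constant.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EcuUpdate:
    name: str
    image_bytes: int        # size of this ECU's update package
    bus_bytes_per_s: float  # effective diagnostic throughput, erase/write included
    activate_s: float       # time to switch versions once the image is on the ECU

@dataclass(frozen=True)
class Limits:
    max_downtime_s: float   # OEM limit on time spent in the safe state
    battery_wh: float       # battery energy the update may consume
    power_w: float          # assumed constant draw of the ECUs kept awake

def safe_state_seconds(campaign, strategy, with_rollback):
    """Time the vehicle is unusable for one campaign under a given strategy."""
    if strategy == "bootloader":
        # Every image is transferred and flashed while the vehicle is in the safe state.
        once = sum(e.image_bytes / e.bus_bytes_per_s for e in campaign)
    elif strategy == "background":
        # Images were stored in a separate memory area while driving; only
        # the version switch happens in the safe state.
        once = sum(e.activate_s for e in campaign)
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    # Worst case: the update fails at the end and every ECU is restored.
    # Assumption: restoring costs the same as updating (re-flash or switch back).
    return 2 * once if with_rollback else once

def check_campaign(campaign, limits, strategy):
    """Size the campaign against the worst case, not the happy path."""
    worst_s = safe_state_seconds(campaign, strategy, with_rollback=True)
    energy_wh = worst_s * limits.power_w / 3600.0
    violated = []
    if worst_s > limits.max_downtime_s:
        violated.append("downtime")
    if energy_wh > limits.battery_wh:
        violated.append("battery")
    return {"worst_case_s": worst_s, "energy_wh": energy_wh, "violated": violated}

# Constructed sample campaign and limits (illustrative numbers only).
CAMPAIGN = [
    EcuUpdate("door_ecu", 2_000_000, 20_000.0, 2.0),
    EcuUpdate("body_ecu", 6_000_000, 20_000.0, 3.0),
    EcuUpdate("gateway", 40_000_000, 200_000.0, 5.0),
]
LIMITS = Limits(max_downtime_s=900.0, battery_wh=30.0, power_w=120.0)

if __name__ == "__main__":
    for strategy in ("bootloader", "background"):
        print(strategy, check_campaign(CAMPAIGN, LIMITS, strategy))
```

With these constructed numbers the Flash Bootloader campaign fits the downtime limit on the happy path (600 s) but violates both limits once the rollback is included, while the background download stays within both.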
With Release 19-11, AUTOSAR Classic has published requirements for a Firmware Over-The-Air (FOTA) solution that enables data transfer while the vehicle is still in motion. However, no corresponding basic software module has yet been introduced to the standard.
Vector was an early adopter of FOTA with MICROSAR Classic and, since 2018, has offered an extension to the MICROSAR basic software for software download that meets the AUTOSAR requirements.
To Be Continued
Two further parts of this article series will deal with the following topics:
1. Memory partitioning and version switching approaches
2. Software download within MICROSAR Classic