Vehicle Over-the-Air Updates, or OTA updates for short, are a key attribute of modern vehicles. The trend towards software defined vehicles require increased use of, and richer capabilities of OTA updates. This blog post explores first a retrospective history of OTA, current approaches in use and their many limitations. Then looking forward, it explores the extended capabilities of OTA required to address the modern needs of the software-defined vehicle.
What is OTA (Over-The-Air Update)?
In general, Over-the-Air update or OTA Update refers to updating vehicle software, usually by reprogramming nonvolatile memory or “flash” chips inside various subsystems. In years past, only dealers were able to update software during service appointments. Using hard-wired connections and often specialty hardware, dealers could query and then update software, either to restore damaged software, install bug fixes, or in some cases install new software versions.
Over time, as vehicles became connected, more and more vehicles gained the capability to download some kinds of software updates remotely, or “over the air”.
These OTA updates could be delivered by a local Wifi network, or over a cellular network connection. A later section explores the tradeoffs about connectivity choices later between the different wireless delivery approaches.
Retrospective Look at Current State of Vehicle OTA
The current state of OTA in the past, and in the present for many vehicles often provides an approach that is limited in many ways. This first section explores a retrospective look at the current landscape of OTA and touches on many of these limitations.
Background environment for OTA updates
Even though many drivers may not realize it, conventional vehicles all contain software throughout the vehicle. In fact, current vehicles are embedded systems that often contain an incredible amount of software, with leading edge vehicles containing as much as 100 million lines of code, compared to only 14 million in a 787 Dreamliner aircraft.
Most of this software is deeply embedded in electronic control units (ECUs) that are rarely updated, or in some cases are impossible to update. One reason for the significant complexity in software updates for cars is that in typical vehicles, many of these ECUs carry out only a single function or manage a single subsystem, such as the windows, braking, emissions control and so on. An additional complexity arises because these ECUs are typically developed by many different subcontractors (“tier 1” suppliers) within a signal car or truck. This means achieving OTA updates today often requires the involvement of other manufacturers
Many conventional vehicles typically do have some limited capabilities to do a software update in some of their systems. In many vehicles today, most of the focus of OTA updates are the IVI and Navigation systems, and in some cases ADAS systems. This allows updates to navigation maps, or adding new features to the entertainment system, for example. Generally these updates are infrequent, perhaps 1-2 times per year and are often not required updates by drivers
Some leading edge connected cars, especially those from Tesla, Rivian, Mercedes, and some Chinese manufacturers, offer richer update capabilities in which some additional features can be updated by OTA, though today this is a small fraction of the vehicles on the road.
Vehicle OTA is much different than in mobile devices
The OTA update process to deliver a software update to their smartphone is familiar to most people, who get updates to phone apps, device firmware, operating systems, and—more and more frequently— to address security vulnerabilities. Installing these updates is usually straightforward with the device notifying the user that new software is ready and making the process quick and easy over the internet.
But there are major differences between a smartphone and a connected vehicle that change the way software updates are downloaded, delivered, and installed. A critical type of difference are the safety and reliability needs of vehicles. Cars and trucks are required to have safety certification and updates need to be especially careful to ensure existing safety measures are not undermined. Moreover, unlike smartphones that have rich abstraction of hardware and software, coupled with modern software designs, most vehicles on the road today were not architected to be updatable.
Drivers are also less accustomed to accepting OTA updates to their vehicles as historically relatively few vehicles were connected cars, compared to their other devices. The good news is manufacturers can use consumers’ experience with updating mobile devices to teach drivers how OTA updates work and encourage their users to perform updates in their cars as frequently.
Finally, vehicle architectures are much more complicated than those found in mobile devices, including electronics and software from many different manufacturers, and often multiple sources of components, to ensure supply chain sourcing flexibility.
Infrequent updates
Today, updates in the vast majority of vehicles are infrequent, typically only once or twice a year for most vehicles. This may be the fastest cadence possible for existing legacy vehicles since the sheer complexity of coordinating software across many different third party subsystem vendors makes it challenging to achieve updates very frequently. As we shift to software-defined vehicles, that will no longer be a viable approach.
Inconsistent usage of wireless networks
In the past, and still the case today for many vehicles, OTA updates are not offered at all. Instead a trip to the dealer is required to update new software.
For those vehicles that do allow remote updates, usually these are only offered over WiFi, requiring drivers to connect to their home, work, or other Wifi network to download the updates once or twice a year. Again, with infrequent non-essential updates that are not mission-critical, this limitation may be a viable tradeoff.
More and more, vehicles are being outfitted with a cellular connection, increasingly 4G/LTE connectivity. Some vehicles allow selected updates to be downloaded over LTE, such as for mission critical updates, but even vehicles with LTE typically do not allow larger, non-critical updates to be downloaded over LTE. Consider Tesla, for example, which is known for offering frequent updates to its vehicles. In most cases, Tesla only offers updates to be downloaded over WiFi.
Limited subsystems being updated
The majority of updates to vehicles today are to the “head unit” also known as the In-Vehicle Infotainment (IVI) system, comprising the entertainment and navigation system. That system, while important to the driver and passenger experience, is not at the same level of safety-criticality as other vehicle systems.
A smaller fraction of updates are applied to other systems such as ADAS. Given the rapid evolution of ADAS capabilities, OEMs will need to provide updates to improve safety, reduce shortcomings that are found, or improve ADAS performance. With the addition of new advanced driver assistance systems (ADAS) features – some of them required by law in some geographies – we should expect this type of update to become more frequent.
Another less frequent category are updates to other vehicle systems, whether for powertrain/engine tuning, battery management systems in EVs, or other areas. Due to the deeply embedded nature of those subsystems, updates to those systems after production are currently rare.
Limited capability to avoid failures
Avoiding failures during updates is crucial to ensuring a positive customer experience. In recent years, there have been many examples of cars being immobilized by failed updates, spanning several different OEM brands. It can be devastating to customer loyalty to have an update fail to the point where the car needs to be towed to the dealership for a software reset. Unfortunately, that has very publicly occurred in a number of cases in recent months.
There are technologies that can be used to provide fault tolerance to avoid a failed update making the car inoperative—or “bricking the car”, as the expression goes—but not every vehicle has these capabilities.
Differences between Electric Vehicles (EV) and Conventional Gasoline or Diesel Vehicles
One requirement for OTA updates is the vehicle needs to be on. This may seem obvious, but it introduces some specific constraints based on the vehicle type. In particular, what does it mean, specifically, to be “on”?
In conventional gasoline or diesel (Internal Combustion Engine, or ICE) vehicles, typically the electrical systems are not fully operational unless the engine is actually running. Indeed, most vehicles offer an “accessory mode” which allows some limited subsystems like the radio and windows to be operational when parked. However, in that mode, most of the vehicle subsystems are still not powered. This is either because they need to be powered by the engine, or are connected to engine operation in some way.
EVs by their very nature do not need to be started to be in full operation. In general, EVs have multiple systems that are always on and monitoring various subsystems, such as battery charge. But more importantly, an EV can turn on all the vehicle systems without starting an engine. So a parked EV can turn on full operation without driver assistance and even can turn on inside a garage or other enclosure safely, which a gasoline/ICE engine cannot.
So while both vehicles can be updated, the practical details of their electronics and power system mean that an OTA update to an ICE vehicle is more complicated and requires more active driver involvement
Looking to the Future: OTA in the SDV Era
As we move into the era of software-defined vehicles the need to provide over the air updates is more critical than ever. SDVs are more capable with modern, abstracted HW/SW interfaces, and more functionality implemented in software than dedicated HW. Having more updatable ECU’s, faster innovation cycles, more frequent updates, more types of software, all mean that OTA for SDVs is more important than ever. A successful SDV must have a solution that enables easy, efficient, cost-effective, frequent, reliable OTA updates. Let’s look at some of the new requirements that SDVs will bring, including those that offer new capabilities over time instead of just a one-time sale at the dealer.
Frequent updates
In recent years, automotive manufacturers have either worked to bring control of their software in house, or at least to require their subsystem makers to comply with standards and expose their software for updates. Competition is also driving the need for updates. The leading edge of automakers like Tesla, Mercedes, BMW, and some Chinese makers are offering much more frequent updates to their drivers. Industry analyst reports found that in recent years most updates provide new features, with bug fixes ranking second and growing, and finally security cybersecurity updates the third most common type..
SDVs will have more frequent updates as the amount of software content in cars increases, but more importantly as cars are designed with OTA updates in mind. OTA can also be tightly linked with cloud-native development and CI/CD pipelines to support modern development practices,
Updating more ECU’s
SDVs will also update more parts of the car. Today the largest recipient of over the air updates is the “head unit” or IVI system which includes navigation and user interface. It is perhaps understandable that the big screen interface to the driver is the place that is rapidly changing, and offers opportunities for evolving driver experiences and new functionality via the user interface..
However, the landscape for OTA is growing. As advanced driver assistance systems (ADAS) are getting more intelligent, they will also need to evolve and adapt as algorithms and models improve. The ADAS computer is currently the second most frequent recipient of updates.
But SDVs can do much more. The potential to connect components over modern networks, such as automotive ethernet, also unlocks the ability to perform functions not initially present at manufacture and initial sale. Reconfiguring networks via dynamic over the air provisioning is one way that new services can be offered to drivers later. Leveraging protocols initially designed for the internet but extended with new security standards and details related to time-sensitive content present in vehicles unlocks the power of vehicles to function more like a “data center on wheels”
And the opportunity continues with SDVs. While updates were previously limited to firmware updates of a few components, more systems are now becoming updatable, spanning from body and chassis systems, to powertrain, security, and battery management systems for EVs.
Multimodal
Unlike today when most OTA updates are often a firmware update to an embedded ECU, software updates in SDVs will be more diverse and include different kinds of software, not just firmware. This will put greater demands on managing dependencies in OTA updates for SDVs. We call this “multi-modal” and that’s why we refer to Sonatus Updater as delivering “xOTA” capabilities.
For example, as ADAS systems evolve, updating machine learning models to improve recognition, safety and driver experience will be more frequent. As networks expand, provisioning and performance optimization will be necessary as new features are added, making updates to network configuration more frequent. Software today delivered as part of firmware or tightly embedded is increasingly being deployed as containers.
More flexibility in network choices
While today the majority of updates are delivered over Wi Fi to reduce cost given their significant data size, that will likely evolve. As OTA becomes more frequent and increasingly deliver safety enhancements, we expect that there will be a mixture of time-sensitive or safety-critical updates that are delivered over LTE/cellular network connections while larger, or less critical ones will be offered only via WiFi. This will require more deliberate planning to manage the complexity of this new mixture.
Managing huge update data sizes / Delta updates
The size of OTA updates is itself an important aspect because wireless data transfer costs can be significant. The brute force approach of delivering the entire software payload over the air are prohibitive via LTE, yet some updates may require it. Approaches like sending only the change or “delta” from the current version may be one means to reduce data traffic transmission. But these approaches require a rich model of the current software to understand the baseline of the update.
Compression will also be critical to reduce data payload size. Advances in compression can further reduce the transfer size and may need to be tuned to recognize the wide range of data profiles which may not all compress equally well with the same algorithm.
Managing failures
Managing failures will also be critical. The leaders in this space are already employing approaches such as A/B partitions to ensure that a failover image can be maintained, or a failed update does not corrupt the car. But these approaches require active management and further add to update complexity.
Learn more
OTA updates are a critical aspect of SDV and a rapidly evolving space. It will only get more important over time and so it needs to be an area of ongoing innovation. Sonatus, for our part, announced Sonatus Updater, which provides solutions to many of these technical challenges. Watch for more information in the months ahead about OTA as we work to accelerate the shift to software defined vehicles.