Written by Paul Weissler
Reprogrammable onboard modules have been in automotive use for more than a quarter century. But as electronic controls inhabit virtually every system today, anyone with a late-model vehicle knows that at some point, one or more of its electronic control systems will need to be "reflashed" with new software, often more than once. In fact, even where the problem may be all-mechanical, including bearing knock, it can be ameliorated by new software for the engine computer. While some of the reflashes are for customer satisfaction items, such as the air conditioning system that won't maintain set temperature, an increasing number are safety related. At best, perhaps 70% of the urgent notifications of a safety recall bring the customer into the dealership, and both government and industry are looking for ways to bring it as close to 100% as possible. With autonomous driving on the horizon, the security and safety aspects create a new urgency for the ability to perform updates on a timeline that doesn't wait for the leisurely pace of a service appointment at the dealership.

Tesla success with OTA

Tesla's recent use of over-the-air (OTA) reprogramming has been successful, but this emergent OEM has a comparatively small owner base and that makes vehicle identification a simpler task. The typical Tesla reflash takes 45 minutes, but because the vehicles are electric drive, they can be reprogrammed during a recharge. Vehicles powered by gasoline and diesel engines face the more difficult issue of assessing battery state of charge to ensure it is high enough to complete the reflash. Some automotive reflashes require so much time (perhaps more than a day) that presently the only way they can be made is with the car in a shop, using a proprietary factory tool or an SAE J2534 "Pass-Thru." Such reprogramming also includes use of a dedicated battery charger made for the specific purpose, so it produces a "clean" current flow that is free of electrical noise ("ripple") that could cause the operation to fail.
Because the carmakers are responsible for updates, they may start to install capacitors to smooth out the ripples from the charging system, making OTAs more feasible. A related factor is available bandwidth, which could be subject to considerable change over a cellular network. That's why Tesla recommends its updates be performed with WiFi. Additionally, the OEM would have to design updates for piecemeal reflashing, so they can be installed incrementally as the system and needed battery capacity are available. This issue goes beyond the need of a single module. Many updates are lengthy because of the design of the data bus in which it is installed. The update itself may apply for just the one module, but other modules on the bus may need to know about it, whether because there are new messages they must recognize, or know to ignore. All suppliers of infotainment/onboard communications and WiFi are working with car makers to develop systems with OTA reprogramming function comparable to Tesla, but the larger and more diverse the vehicle base, the more complex the task. There have been reports that several makers will begin to do some OTA this year.

Security is No. 1 issue

Russ Christensen, Director of Automotive Solutions Architecture for Wind River, a systems supplier in this area, said the No. 1 issue has become security. It begins at each end (the source of the update at one, likely a cloud server, and the car's infotainment system at the other) so each is talking to a known authority. In the car that authority usually would be the telematics/gateway module. The key to security is in the architecture, he said, telling Automotive Engineering that presently such appendages as the smartphone and watch, and keyless entry, hitherto not so considered, can be "threat vectors" into the car. He added that the CAN bus (Controller Area Network) was not designed for encryption, although there are some strategies for accomplishing that.
Also required is a way to get an authenticated payload (the updated software) to the car and having an electronic "place" to hold it, Christensen said. A manifest comes down with all updates; the car says okay, a signature comes from the cloud and the car validates it. The first update is then discharged to the ECU. Which raises this issue: if the installation fails, the system needs to be able to activate a "restore" function to get the system back to original setting. If there are three updates in the manifest, and the failure occurs during the third, there may need to be a removal function, so the system reflashes back to the original state. "None of this is hard," Christensen noted. "We just need the vehicle design to be able to do it." He cited the example of an "atomic update," where all updates must be installed at once or none should be.

Bypassing owner OK

Christensen cited banking industry money transfers as an example of the way installations must be executed with secure protocols, where a scheduled data transfer must be completed instantaneously, or the entire transaction goes back to its previous state. When there is an urgent safety update, the comparatively slow pace that includes owner evaluation and approval may need a work-around. There might have to be a provision for abrogating authorization, although that would be a last resort for an OEM. A critical aspect of the entire challenge of OTA updating is identifying the vehicle configuration. Many OEMs right now do not have software configuration matrixes at a sufficient level of confidence to always be certain of the right software for all vehicles. "The manufacturer can't even rely on the VIN once the car has left the assembly line," Christensen said, and certainly not if a module has been replaced.
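The signed-manifest flow and the atomic update with a restore point that Christensen describes, as an added Python example (not code from the article, from SAE or from Wind River). The ECU names, the in-memory firmware model, and the use of HMAC-SHA256 as a stand-in for the cloud's asymmetric signature are constructed assumptions; the point shown is that a failure on the third of three updates rolls all three back, and that a manifest whose signature does not verify is rejected before any ECU is touched.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real OEM signs manifests with an asymmetric key kept
# offline; HMAC-SHA256 stands in here so the example runs with the standard library.
OEM_KEY = b"demo-oem-signing-key"


def build_manifest(images: dict) -> dict:
    """Manifest listing each target ECU with the SHA-256 of its new image."""
    return {"updates": [{"ecu": ecu, "sha256": hashlib.sha256(img).hexdigest()}
                        for ecu, img in images.items()]}


def sign_manifest(manifest: dict, key: bytes = OEM_KEY) -> str:
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes = OEM_KEY) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


class Vehicle:
    def __init__(self, firmware: dict):
        self.firmware = dict(firmware)  # ECU name -> currently installed image

    def flash(self, ecu: str, image: bytes) -> None:
        if ecu not in self.firmware:
            raise KeyError(f"unknown ECU {ecu}")
        self.firmware[ecu] = image


def apply_atomic_update(vehicle: Vehicle, manifest: dict, signature: str,
                        payloads: dict) -> bool:
    """Install every update in the manifest, or restore every ECU to its
    pre-update image if the signature, any payload hash, or any flash fails."""
    if not verify_manifest(manifest, signature):
        return False                      # reject an unauthenticated manifest
    snapshot = dict(vehicle.firmware)     # the "restore" point
    try:
        for entry in manifest["updates"]:
            image = payloads[entry["ecu"]]
            if hashlib.sha256(image).hexdigest() != entry["sha256"]:
                raise ValueError(f"hash mismatch for {entry['ecu']}")
            vehicle.flash(entry["ecu"], image)
    except (KeyError, ValueError):
        vehicle.firmware = snapshot       # roll back all updates, not just the failed one
        return False
    return True
```

Because the manifest signature covers each image's hash, a payload altered in transit fails the hash check and a manifest altered in transit fails the signature check; either way the vehicle ends up with the firmware it started with.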
Date written: 21-Jan-2016 12:24 EST
More of this article on the SAE International Website
ID: 1801