More Horsepower with the Click of a Download
as Master Control Unit (MCU) and gateway to the outside world, sending telemetry data and
receiving software updates over-the-air. The first and simplest approach would be to add a
flashing unit to the MCU which then could flash ECUs with software updates downloaded over
the air. This would require only a small change to the E/E design. A second approach would be to
move away from silicon-defined ECUs to software-defined ECUs, adding the possibility to change
only certain parameters rather than having to flash the whole ECU. This, however, would require
the ECUs to be small computers and would increase the cost of producing them. With the OEMs being
very price sensitive, this will probably not be feasible. The third approach is reducing the
functionality of the ECUs and moving the software into the Head Unit. This is described further
in the subsequent “A Better Head Unit” section.

Connectivity, or rather the lack of it, poses another interesting challenge to the OTA process.
Interestingly, this has been solved in Mobile Device Management (MDM), where software
updates are often interrupted by weak or lost mobile signals. The MDM software takes care of it
and retries until the whole update package has been downloaded to the device. Various
conditions must be met before an update can take place. This is certainly true in a car where
updates may only be applied while the car is parked. Users must be allowed to defer updating,
unless the update is critical. Updates might only be relevant to a certain range of vehicles or only
to vehicles in certain countries. Widely used and commercially proven MDM solutions fulfil all
these requirements, which makes them hot candidates for OTA in the automotive arena.
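
The conditions above (resume after signal loss, targeting by vehicle range and country, parked-only installation, deferral unless critical) as an added Python example that is not part of the original article or of any MDM product. The record fields, `LinkLost`, the action names, the SHA-256 completeness check and the sample package are assumptions made for illustration.

```python
import hashlib
from collections import namedtuple

# Hypothetical records for this example, not a real MDM schema.
Campaign = namedtuple("Campaign", "models countries critical size sha256")
Vehicle = namedtuple("Vehicle", "model country parked user_deferred")

class LinkLost(Exception):
    """Mobile signal dropped mid-transfer (assumed transport error)."""

def download(fetch, campaign, max_attempts=10, chunk=4):
    """Resume at the current offset after each link loss; None if incomplete."""
    buf = bytearray()
    for _ in range(max_attempts):
        try:
            while len(buf) < campaign.size:
                data = fetch(len(buf), min(chunk, campaign.size - len(buf)))
                if not data:
                    raise LinkLost()   # empty read: treat as a lost link
                buf += data
            break
        except LinkLost:
            continue                   # keep received bytes, retry from offset
    digest_ok = hashlib.sha256(buf).hexdigest() == campaign.sha256
    return bytes(buf) if len(buf) == campaign.size and digest_ok else None

def decide(vehicle, campaign, package):
    """Next action for one vehicle, applying the conditions from the text."""
    if vehicle.model not in campaign.models or vehicle.country not in campaign.countries:
        return "not-applicable"        # wrong vehicle range or country
    if package is None:
        return "wait-download"         # package not yet complete on the device
    if not vehicle.parked:
        return "wait-parked"           # applies to critical updates as well
    if vehicle.user_deferred and not campaign.critical:
        return "deferred"              # user may defer unless critical
    return "install"

def flaky_link(payload, drop_every=3):
    """Constructed transport: every third request loses the signal."""
    calls = [0]
    def fetch(offset, length):
        calls[0] += 1
        if calls[0] % drop_every == 0:
            raise LinkLost()
        return payload[offset:offset + length]
    return fetch
PAYLOAD = b"airbag-parameter-v2"       # constructed sample package
DEMO = Campaign({"A4"}, {"DE"}, False, len(PAYLOAD), hashlib.sha256(PAYLOAD).hexdigest())
```
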

One prominent example where OTA could have saved the OEM a lot of money is the worldwide
recall of 850,000 Audi A4 cars in 2014 [6] to fix one parameter in the airbag control software. This
faulty parameter could have prevented the airbags from firing under certain conditions.
Assuming a cost of $170 to $200 per recalled car [7], fixing that airbag parameter cost
Audi anywhere between $144.5M and $170M.

3. A BETTER HEAD UNIT
Referring to an earlier statement, better security can best be achieved by redesigning the Head
Unit and the electronic and electrical components of the car; moving away from a monolithic
piece of software and a car full of specialized ECUs connected by a bus towards a modular and
lightweight approach. One possibility is to replace the ECUs with simple, standardized
input/output units or more intelligent sensors programmed much like the I/O of a Raspberry Pi
device. This approach would move the current logic from the ECU to a virtualized environment
running on a hypervisor residing in the Head Unit, now serving as Master Control Unit. The
communication bus can be reduced to an Ethernet-based network. One of the distinct properties
[6] http://www.reuters.com/article/2014/10/23/audi-recall-idUSL6N0SI4CR20141023
[7] http://blogs.wsj.com/corporate-intelligence/2014/07/24/2-4-billion-29-million-cars-the-numbers-behind-gms-year-of-recalls/
December 2015