Firmware updates over the air (FOTA) are an innovation pioneered by Tesla in 2012 with the Model S. Since then, few automakers have followed in its footsteps. That is, until now.
Nio embraced the FOTA concept in 2018. It is part of all of its current vehicles and will be in the ET7 announced earlier this year at Nio Day. It touches everything: any time a system in a car needs to be updated, it is done via FOTA. In fact, Sapna Todwal, Senior Engineering Manager at Nio, says it is the only car company that has developed a full end-to-end FOTA rollout entirely in-house.
With a simple update through FOTA, its customers get flashy new features and even significant updates, such as the Nio Pilot system and battery power improvements, without going to a service center. These updates cover everything from in-car infotainment features to system-level improvements in vehicle dynamics, handling, driving quality, and driving assistance. Effectively, the company's FOTA infrastructure lets it improve the user experience continuously while responding rapidly to user input.
Here are the top five things Todwal says you should know about Nio’s FOTA rollout.
It is more complicated than you might think: The whole software/firmware update process in a vehicle is very different from what we regularly see in, for example, a smartphone update. A typical vehicle consists of many ECUs (electronic control units); the Nio ES8 alone has about 35. So the update process has to bring every one of these ECUs to the targeted firmware, along with any application-level updates, and every FOTA rollout has to plan for and mitigate a failure in any of them.
Order matters: It is not just the variety of ECUs that need updating in a vehicle FOTA process; the order in which they are flashed is also critical to success. For example, some of the ECUs are connected to the car's electric powertrain, and these EPT ECUs require the HV (high-voltage) battery to be turned off before flashing. While the HV battery is off, the car is carried by its low-voltage battery alone, so if too many EPT ECUs are flashed in sequence, that battery drains and the FOTA process fails. So the trick is to interlace EPT and non-EPT ECUs so that the HV battery is never turned off for long.
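The interlacing rule above can be made mechanical. The following is an added example, not Nio's code: it takes a constructed ECU list (the names, the EPT flags and the flash durations are made up) and an assumed budget for how long the HV battery may stay off in one run, and produces a flash order in which every run of consecutive EPT flashes stays under that budget, with a non-EPT flash (HV back on) between runs. It refuses to produce a plan when a single EPT flash exceeds the budget or when there are not enough non-EPT ECUs to interlace, which is the low-voltage-battery failure the text describes.

```go
package main

import (
	"errors"
	"fmt"
)

// ECU is one flash target. EPT ECUs sit on the electric powertrain and can only be flashed
// with the HV battery off; while HV is off the low-voltage battery alone keeps the car alive.
type ECU struct {
	Name         string
	EPT          bool
	FlashSeconds int
}

// PlanOrder interlaces EPT and non-EPT ECUs so that no run of consecutive EPT flashes keeps
// the HV battery off longer than maxHVOff seconds. Each time the budget would be exceeded a
// non-EPT ECU is flashed first, with HV back on, so the low-voltage battery can recover.
// It returns an error rather than a plan that would strand the car mid-update.
func PlanOrder(ecus []ECU, maxHVOff int) ([]string, error) {
	var ept, other []ECU
	for _, e := range ecus {
		if e.FlashSeconds <= 0 {
			return nil, fmt.Errorf("%s: flash duration must be positive", e.Name)
		}
		if e.EPT {
			ept = append(ept, e)
		} else {
			other = append(other, e)
		}
	}
	var plan []string
	hvOff := 0 // seconds the HV battery has been off in the current run
	for len(ept) > 0 {
		next := ept[0]
		if next.FlashSeconds > maxHVOff {
			return nil, fmt.Errorf("%s alone needs %ds with HV off, budget is %ds", next.Name, next.FlashSeconds, maxHVOff)
		}
		if hvOff+next.FlashSeconds > maxHVOff {
			// Budget spent: bring HV back by flashing a non-EPT ECU before the next EPT one.
			if len(other) == 0 {
				return nil, errors.New("not enough non-EPT ECUs to interlace; split the rollout")
			}
			plan, other, hvOff = append(plan, other[0].Name), other[1:], 0
			continue
		}
		plan, ept, hvOff = append(plan, next.Name), ept[1:], hvOff+next.FlashSeconds
	}
	for _, e := range other { // whatever is left can run with HV on
		plan = append(plan, e.Name)
	}
	return plan, nil
}

// LongestHVOff reports the longest HV-off window a plan produces, for the rollout report.
func LongestHVOff(ecus []ECU, plan []string) int {
	byName := map[string]ECU{}
	for _, e := range ecus {
		byName[e.Name] = e
	}
	longest, run := 0, 0
	for _, name := range plan {
		if e := byName[name]; e.EPT {
			run += e.FlashSeconds
		} else {
			run = 0
		}
		if run > longest {
			longest = run
		}
	}
	return longest
}

// SampleECUs is a constructed rollout; names and durations are made up for this example.
func SampleECUs() []ECU {
	return []ECU{
		{"EPT-Inverter-F", true, 300},
		{"EPT-Inverter-R", true, 300},
		{"EPT-BMS", true, 240},
		{"EPT-OBC", true, 180},
		{"IVI", false, 600},
		{"BCM", false, 120},
		{"ADAS", false, 400},
	}
}

func main() {
	ecus := SampleECUs()
	plan, err := PlanOrder(ecus, 600) // assumed budget: 10 minutes of HV off per run
	fmt.Println(plan, err, "longest HV-off window:", LongestHVOff(ecus, plan))
	_, err = PlanOrder(ecus, 200)
	fmt.Println("too-small budget:", err)
}
```

With the sample list and a 600-second budget the planner emits the two inverters, then the infotainment unit to bring HV back, then the BMS and charger, then the remaining non-EPT ECUs; a real planner would also have to honour inter-ECU dependencies, which this example does not model.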
Three-step process: The end-to-end FOTA process can be divided into three distinct steps: download, validation, and update. The download step fetches the individual update packages for all the ECUs to be updated. The validation step makes sure the downloaded packages are the right packages, free of corruption and security issues. Both of these steps happen in the background, without the user being aware, and can take anywhere from a few minutes to a few days or even weeks, depending on the size of the new firmware. The user is notified about the software update only after download and validation are complete, and is then asked to schedule the update. Scheduling is critical because the car has to be parked and is not drivable for the duration of the update. Once the update step kicks in, it checks the preconditions of each ECU, flashes it, and runs the post-programming step. After all the ECUs have been flashed in the specified order, the vehicle reboots, comes back up with the new software, and is drivable again.
Constant backend monitoring: Each FOTA rollout is managed very diligently from the backend. The first two steps, download and validation, are triggered independently on the pool of cars to be updated, so the vehicles report constantly to the backend on the status of both. Similarly, during the update step the backend is notified about each ECU as it is updated, so the whole process is tracked closely. Vehicles also regularly report the software versions on all their ECUs, so the backend can decide whether a car needs an update or whether a certain ECU has an unexpected version due to a part change. The FOTA infrastructure is therefore not only an on-device implementation: an equally substantial off-device piece, and a dedicated team, manage each rollout and take action in real time.
What can go wrong: The update step makes the car undrivable until all the ECUs are updated, so if there is a critical or irrecoverable failure during this step, the car is stranded and immobile until a field technician can come to the rescue. Every FOTA rollout is rehearsed on hundreds of cars before the big rollout to the company's more than 75,000 customer cars, to make sure such critical failures hit very few vehicles. Interestingly, when Nio first deployed the FOTA process in the field in 2018, its success rate was only 60-70%; now it is 99% and getting better with each rollout.
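What "the right packages, without any corruption or security issues" has to mean in practice is worth spelling out, since the validation step is the last gate before ECUs are made unflashable-in-place. The following is an added example, not Nio's code or format: it assumes a rollout manifest (a hypothetical schema) listing each ECU's firmware version and SHA-256 digest, signed as a whole with Ed25519 by the backend. The vehicle verifies the signature first, then every downloaded image against its digest, and, as an added check the text does not mention, refuses any package that would downgrade an installed ECU. The key, images and version numbers are constructed so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Package is one manifest entry: target ECU, firmware version, hex SHA-256 of its image (assumed schema).
type Package struct {
	ECU, Version, SHA256 string
}

// Manifest is the package list the backend publishes for one rollout, signed as a whole.
type Manifest struct {
	Packages []Package
	Sig      []byte // Ed25519 signature over canonical(Packages)
}

// canonical serialises the list deterministically so the vehicle verifies exactly the bytes the backend signed.
func canonical(pkgs []Package) []byte {
	var b bytes.Buffer
	for _, p := range pkgs {
		fmt.Fprintf(&b, "%s\x00%s\x00%s\n", p.ECU, p.Version, p.SHA256)
	}
	return b.Bytes()
}

// versionLess reports a < b for dotted numeric versions ("3.9.0" < "3.10.0"; a string compare gets that wrong).
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for len(as) < len(bs) { as = append(as, "0") }
	for len(bs) < len(as) { bs = append(bs, "0") }
	for i := range as {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x < y
		}
	}
	return false
}

// Validate is the validation step: the whole rollout is refused unless the manifest signature verifies,
// every listed image is present with the promised digest, and no package would downgrade an ECU.
func Validate(pub ed25519.PublicKey, m Manifest, images map[string][]byte, installed map[string]string) ([]Package, error) {
	if !ed25519.Verify(pub, canonical(m.Packages), m.Sig) {
		return nil, errors.New("manifest signature invalid: refusing rollout")
	}
	out := make([]Package, 0, len(m.Packages))
	for _, p := range m.Packages {
		img, ok := images[p.ECU]
		if !ok {
			return nil, fmt.Errorf("%s: image not downloaded", p.ECU)
		}
		sum := sha256.Sum256(img)
		if hex.EncodeToString(sum[:]) != p.SHA256 {
			return nil, fmt.Errorf("%s: digest mismatch (corrupt or substituted image)", p.ECU)
		}
		if cur, known := installed[p.ECU]; known && versionLess(p.Version, cur) {
			return nil, fmt.Errorf("%s: %s would downgrade installed %s", p.ECU, p.Version, cur)
		}
		out = append(out, p)
	}
	return out, nil
}

// SampleRollout builds a constructed three-ECU rollout signed with a throwaway key; image bytes are placeholders.
func SampleRollout() (ed25519.PublicKey, Manifest, map[string][]byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	specs := []struct{ ecu, ver, img string }{
		{"BMS", "2.4.0", "constructed BMS image"},
		{"IVI", "7.1.3", "constructed infotainment image"},
		{"ADAS", "3.0.1", "constructed ADAS image"},
	}
	images := map[string][]byte{}
	var pkgs []Package
	for _, s := range specs {
		images[s.ecu] = []byte(s.img)
		sum := sha256.Sum256(images[s.ecu])
		pkgs = append(pkgs, Package{s.ecu, s.ver, hex.EncodeToString(sum[:])})
	}
	return pub, Manifest{Packages: pkgs, Sig: ed25519.Sign(priv, canonical(pkgs))}, images
}

func main() {
	pub, m, images := SampleRollout()
	installed := map[string]string{"BMS": "2.3.9", "IVI": "7.1.2", "ADAS": "3.0.0"}
	ok, err := Validate(pub, m, images, installed)
	fmt.Println("clean rollout:", len(ok), "packages,", err)
	images["IVI"][0] ^= 0x01 // one flipped bit in transit
	_, err = Validate(pub, m, images, installed)
	fmt.Println("after corruption:", err)
}
```

The order of checks is deliberate: the signature is verified before any digest is trusted, because the digests are only meaningful if the manifest itself is authentic, and a failure in any single package rejects the whole rollout rather than flashing a subset, since a partial flash is exactly the stranded-car case the text warns about.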
Sapna Todwal, Senior Engineering Manager at Nio, wrote this article for Futurride. Todwal has over 15 years of product development experience, including bringing several products and subsystems from development through manufacturing into the market. She brings strategic planning and management experience from companies like Western Digital, HP, and Palm—and now leads firmware engineering for the next-generation platform at Nio.