Note: This is the second of a two-part series on over-the-air engine updates. The first installment, “OTA engine updates give fleets uptime flexibility,” can be found here.
Anyone who’s ever updated a phone or laptop knows there’s some risk involved with potentially “bricking” the device. However, Ash Makki, Volvo Trucks North America product marketing manager, calls such an outcome with a truck ECU “extremely unlikely.”
“The few times we have seen this,” he says, “it was usually due to a driver or technician interrupting the update by violating the preconditions.”
The preconditions for an update are almost universally standard: The truck should be safely parked on fairly level ground and in an area with a cell connection; the key should be in the “on” position with the engine off; the parking brake needs to be engaged and there needs to be at least 12.5 volts on the battery.
Andrew Dondlinger, Navistar’s vice president of Connected Services, says you can never completely rule out the possibility of an update causing a shutdown, but he says the process of updating the engine is “low-risk” and is not as similar to updating a phone as it appears.
During a truck re-flash, the piece that’s being updated is the code that runs the engine, he says, not the code that runs the ECU – what would be considered the truck’s operating system.
“We generally don’t see the ‘operating system’ of the ECUs changing. It’s really just the calibration or how the engine is supposed to operate,” Dondlinger says. “On an iPhone, you have so many settings and so many user-installed apps that sometimes one of those apps or a setting could cause the installation of that update to fail.”
Since all the software on the ECU is contained and controlled by the engine manufacturer, Dondlinger says there’s a very low chance of a flash crippling the vehicle.
“Because there’s a lot less variability – we control everything that’s on that ECU – we don’t see the kind of issues you have on the iPhone side of the world,” he says.
Engine updates also differ from cell phone and laptop updates in their frequency.
“We’re only looking at two, maybe three, major software packages that get pushed a year. We don’t see this as something [fleets are] going to have to monitor and every week there’s going to be a new update,” Daimler Trucks North America Product Strategy Manager for Connectivity Lauren Attinasi says. “Apple, I feel like, pushes new updates to the phone every couple weeks.”
New Detroit updates, Attinasi adds, also contain information found in previous updates. So, if a driver were to skip one (or several), it wouldn’t preclude them from initiating an update to a newer version.
As an added layer of protection, the previous layer of engine calibrations is never changed until the ECU recognizes that the transfer of new data is successful.
Cummins Marketing Communications Manager – Digital Accelerator Anuj Shah says Cummins maintains the original software in the cloud throughout the update process, which allows operators to reverse an update if needed.
“Should any problem occur, the previous version can be restored to the ECM, minimizing any risk of interruption to the driver’s schedule,” he says. “An operator may decide after an update is installed that they want to roll back or restore the software to the previous version. Within a certain amount of time, that option is available. The operator can re-approve the installation process via the in-cab display.”
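The safeguards described above (the parked-truck preconditions, and leaving the current calibration untouched until the transfer is confirmed) can be sketched in C. This is an added example, not code from any of the manufacturers quoted; the type and function names, the CRC-32 check and the locally retained previous image are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CAL_MAX 64            /* constructed slot size for this sketch */
#define MIN_BATTERY_MV 12500u /* 12.5 V, the threshold the article gives */

typedef struct { bool parked, key_on, engine_off, brake_set, cell_link; uint32_t battery_mv; } truck_state;
typedef struct { uint8_t data[CAL_MAX]; size_t len; } cal_image;
typedef struct { cal_image active, previous, staged; bool has_previous; } cal_store;
typedef enum { OTA_COMMITTED, OTA_REFUSED_PRECONDITION, OTA_REJECTED_CORRUPT } ota_result;

/* Bitwise CRC-32 (IEEE). Assumed integrity check: it catches transfer damage, not tampering. */
static uint32_t cal_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Every precondition listed in the article must hold before any write starts. */
static bool preconditions_met(const truck_state *t) {
    return t->parked && t->key_on && t->engine_off && t->brake_set &&
           t->cell_link && t->battery_mv >= MIN_BATTERY_MV;
}

/* Received data lands in the staging slot; the active slot changes only after verification. */
ota_result ota_apply(cal_store *s, const truck_state *t,
                     const uint8_t *rx, size_t n, uint32_t expected_crc) {
    if (!preconditions_met(t)) return OTA_REFUSED_PRECONDITION;
    if (n > CAL_MAX) return OTA_REJECTED_CORRUPT;
    memcpy(s->staged.data, rx, n);
    s->staged.len = n;
    if (cal_crc32(s->staged.data, n) != expected_crc) return OTA_REJECTED_CORRUPT;
    s->previous = s->active;   /* keep the old calibration for rollback */
    s->has_previous = true;
    s->active = s->staged;
    return OTA_COMMITTED;
}

/* Local stand-in for the rollback option: restore the retained calibration once. */
bool ota_rollback(cal_store *s) {
    if (!s->has_previous) return false;
    s->active = s->previous;
    s->has_previous = false;
    return true;
}
```

An interrupted or truncated transfer fails the check and leaves the active calibration as it was, which is the behaviour the article attributes to the ECU.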
The connected truck
Historically, telematics have only reported information out. Remote updates now put the truck on the receiving end of information, but that doesn’t necessarily open a potential access point for the tech-savvy with bad intentions.
“This is the first time where you have a communication outside going to the vehicle,” Attinasi says, adding Detroit has built in multiple layers of encryption to protect the data feed and the ECM.
Since the connection is encrypted, Makki says the ECU’s vulnerability to hacking is limited.
“The entire Remote Programming process had to pass a very strict [Threat Analysis and Risk Assessment] analysis,” he says. “The design is very secure. All update packages are fully encrypted.”
Dondlinger says Navistar’s security features have been designed to prevent hacking, adding the company doesn’t publish them as part of its effort to prevent would-be hackers from finding ways around them.
“It’s like if a safe cracker knows the architecture of a safe, they can find the right place to drill it,” he says.
Attinasi says Detroit solicited the help of third-party hackers to identify any weaknesses in the system before it was widely rolled out and has never had an incident of a successful on-road ECM hack.
“The only way a software package can be created is through our secure mechanisms … through our Detroit Campaign Team,” she says. “We are not changing the way our software packages are being written and prescribed. We’re adding the additional security layers around it to really make sure there isn’t a chance of additional intrusion.”