Feature-rich designs have transformed contemporary automobiles into a vast landscape of high-performance computing systems, cutting-edge devices, and intricate sensors and actuators. As a consequence, the significance of functional safety has reached unprecedented levels.
What is functional safety?
Automotive functional safety involves putting in place protective measures to eliminate or reduce the severity of hazards that may arise due to failures of a vehicle. This is critical to ensuring the safety and reliability of automotive systems, protecting both the occupants of the vehicle and others on the road.
About the ISO 26262
Introduced in 2011 and revised in 2018, ISO 26262 outlines the criteria necessary to attain functional safety across the entire lifecycle of a product. This standard offers a specialized, risk-driven methodology for determining Automotive Safety Integrity Levels (ASILs), spanning from ASIL-A (demanding minimal risk reduction) to ASIL-D (mandating significant risk reduction) in the automotive domain. It covers various aspects including risk assessment, safety goals, risk reduction measures, and validation and verification processes.
How eSync OTA Facilitates Functional Safety
But first, what is eSync OTA?
eSync is a bi-directional software update and data pipeline designed for managing software updates and data across diverse edge devices in a vehicle. It is built on the standardized, multi-vendor approach released as a specification from eSync Alliance, enabling a secure and efficient way to manage software updates and data gathering across different vehicle brands and models.
The eSync architecture includes:
- eSync Server — the central hub in the cloud, which stores updates, manages the update delivery and data gathering processes, and communicates with vehicles.
- eSync Client — resides within the vehicle, coordinating with the designated eSync Server for updates and with the eSync Agent(s) for device software installation and status.
- eSync Agents — small software programs embedded in individual devices, handling specific update tasks and device communication.
eSync OTA accommodates a range of edge devices, from Quality Management (QM) to ASIL-A through ASIL-D, delivering secure and efficient software updates while maintaining functional safety in the automotive domain. eSync's safety requirements, including the "Communication Manager Function," establish a framework with mutual authentication and encryption algorithms, forming the foundation for secure and reliable communication during updates.
Functions Within eSync OTA that Support Functional Safety
Download Payload from the eSync Server
eSync guarantees a secure and reliable connection to the eSync Server for the verification and downloading of software updates. Additionally, eSync prioritizes user consent, enhancing the safety functions of the entire system. Before initiating the download of new software updates, eSync conducts thorough checks on available memory and system policies, ensuring that downloads consistently occur under safe conditions.
Ensuring Payload Integrity
eSync conducts rigorous signature checks on the downloaded payload, providing a robust guarantee for the reliability of updates. In addition, eSync incorporates download retries in the event of disconnections or failed integrity checks, further fortifying the safety and dependability of downloaded payloads.
A Multi-Layered Approach for Secure Transfer and Installation of Updates
The Transfer stage encompasses informing the vehicle operator and scrutinizing policies before transferring encrypted payloads to the designated eSync Agent(s). Each in-vehicle payload transfer to an eSync Agent requires a payload integrity check, ensuring the data arrives intact and without compromise. This process enables eSync Agent(s) to confidently and securely install updates on the respective edge device(s).
Comprehensive Install Function
The “Install” function acts as the guardian of the installation process. It checks policies, broadcasts “DO NOT DISTURB” messages, and verifies signatures. With configurable retries and rollback management, it ensures a fail-safe approach. In case of failure, the agent restores the device to a known good state, concluding with memory cleanup.
Building Fail-Safe Updates via Rollback Management
eSync supports comprehensive rollback management to handle update failures. An eSync Agent can roll back to the previous software version using the metadata information or, if no backup software version is available on the device, request that the eSync Client download the previous version from the eSync Server, reverting the ECU software to the last known good version.
Building Fail-Safe Updates via Dependency Management
eSync’s Atomicity and Sequence features address functional safety challenges in software updates for remote edge devices. Treating update packages as cohesive units and maintaining a sequence for component installations ensure a fail-safe approach, minimizing risks and aligning with functional safety principles.
Verifying Update before and after the Flash Process
eSync implements rigorous flash update checks to guarantee that the correct software component is written to the specified Electronic Control Unit (ECU) program memory. The eSync Agent performs data integrity verification using the SHA-256 algorithm: it calculates the SHA-256 hash of the program stored in the ECU memory and cross-references it with the SHA-256 value provided in the update metadata. The ECU is rebooted to activate the new update only if the values match, fortifying the reliability and safety of the software loaded into the ECU.
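The following is an added illustration (not eSync's own code) of the verify-before-reboot gate described here, combined with the retry, sequenced (atomic) installation and rollback-to-known-good behaviour described in the preceding sections. The ECU memory, the update package, its per-component SHA-256 metadata and the flash callbacks are all constructed stand-ins for this example.

```python
import hashlib
import hmac

# Constructed sample: a known-good ECU image set and a two-component update
# package whose metadata carries the expected SHA-256 of each component.
KNOWN_GOOD = {"bootloader": b"BL v1.0", "app": b"APP v1.0"}
PACKAGE = [  # install sequence matters: bootloader first, then application
    {"name": "bootloader", "image": b"BL v1.1",
     "sha256": hashlib.sha256(b"BL v1.1").hexdigest()},
    {"name": "app", "image": b"APP v1.1",
     "sha256": hashlib.sha256(b"APP v1.1").hexdigest()},
]


def verify_flash(memory: bytes, expected_hex: str) -> bool:
    """Hash what is actually in program memory and compare it with the
    metadata value; compare_digest avoids a timing-dependent comparison."""
    actual = hashlib.sha256(memory).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def install_package(ecu: dict, package: list, flash, max_retries: int = 2) -> str:
    """Flash each component in sequence and verify it before moving on.
    If a component cannot be verified within the retry budget, every
    component is restored to its known-good image (atomic package), and
    no reboot is requested. Returns 'reboot' or 'rolled_back'."""
    backup = dict(ecu)  # last known good state, kept for rollback
    for comp in package:
        verified = False
        for attempt in range(max_retries + 1):
            ecu[comp["name"]] = flash(comp["image"], attempt)
            if verify_flash(ecu[comp["name"]], comp["sha256"]):
                verified = True
                break
        if not verified:
            ecu.clear()
            ecu.update(backup)
            return "rolled_back"
    return "reboot"  # only a fully verified package reaches here


# Constructed flash behaviours standing in for the real ECU programmer.
def reliable_flash(image: bytes, attempt: int) -> bytes:
    return image


def flaky_flash(image: bytes, attempt: int) -> bytes:
    return image[:-1] if attempt == 0 else image  # first write truncated


def broken_flash(image: bytes, attempt: int) -> bytes:
    return image[:-1]  # every write truncated, retries never help
```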
Real-Time Insights for Enhanced Safety
Status monitoring plays a crucial role in upholding functional safety standards. Through continuous tracking and reporting of device status during Over-The-Air (OTA) updates, it offers real-time insights that enable proactive intervention, mitigating risks associated with compromised software. This approach not only improves overall awareness but also plays a key role in maintaining memory integrity and data consistency. It achieves this by isolating memory sectors, thereby preventing inadvertent writing of programs to corrupted sectors and contributing to a more robust system.
Mitigating Risks Effectively
Rollback functionality in eSync addresses the critical challenge of recovering from failed updates. With a sophisticated mechanism and configurable retries, it ensures the resilience of OTA updates. Explicit rollback instructions within the metadata guarantee a reliable and safe software update process, empowering automakers with confidence.
A Holistic Approach to Functional Safety
eSync’s safety mechanisms cover a wide array of requirements. From dynamic tree updates to TLS mutual authentication and secure communication channels, every step is meticulously managed. Vehicle operators are informed and empowered to consent to installations, while failsafe features like rollback management add an extra layer of reliability.
In conclusion, eSync OTA serves as a transformative solution for OEMs and Tier-1s pursuing functional safety in automotive systems. Its adaptability, robust safety requirements, and multi-layered safety functions create a comprehensive framework. From secure communication to fail-safe updates and real-time monitoring, eSync OTA sets new standards, ensuring the integrity, security, and reliability of the entire software update process.