Professional Documents
Culture Documents
An Empirical Study On The Current and Future Challenges of Automotive Software Release and Configuration Management
An Empirical Study On The Current and Future Challenges of Automotive Software Release and Configuration Management
An Empirical Study On The Current and Future Challenges of Automotive Software Release and Configuration Management
Abstract—Current automotive trends, such as autonomous and vehicle, model-based development has been adopted by most
connected driving, are mainly enabled by embedded software suppliers and original equipment manufacturers (OEMs) for the
that is deployed on a network of several, often more than development of ECUs and software. It makes efficient and early
one hundred, electronic control units. These software parts are
responsible for many complex tasks concerning safety, comfort, testing of the models possible within the development process,
energy management, and vehicle dynamics. Currently, they are leading to cost savings. During the different development
deployed to the units at the end of the assembly line. Although phases, however, a high number of tools is involved that handle
a new software baseline of electronic control units is released various views and abstraction levels. No single integrated
in regular terms, normally six months, updates during after- design environment is capable of handling all requirements
sales are mostly conducted only in urgent cases, such as recall
campaigns. Upcoming over-the-air services will enable more for designing and verifying the embedded system [11]. This
frequent updates to fix bugs and add new functionality. The leads to modelling consistency problems, especially when
possible alternatives of engines, chassis, and customer wishes dealing with variant-rich systems and different life cycles.
lead to a high number of existing vehicle variants, so that As a consequence, testing and validation plays an important
the management of releases and configurations becomes more role to ensure the required quality of the embedded hardware
complex and costly.
In a survey, we asked participants from different automotive and software, and the safety of occupants. For that purpose,
institutions about the current state of practice, and the challenges test processes and methods for automotive embedded system
they face during release development and management. This development have been developed [13].
paper presents and discusses the main results of this survey: Nowadays, most innovations in the automotive domain
We have identified that field updates will be deployed more are realized in software. Within 30 years, the complexity of
frequently in the future, and that over-the-air communication
is an efficient way to realize them. The reported main update software that is deployed on a single car has increased from
reasons are bug fixes and function improvement. However, the zero to more than ten million lines of code. Up to 40 % of
shortening release and update cycles, the increasing number of the production costs of a car are attributed to electronics and
variants, and the multidisciplinarity in the automotive field are software [6]. A recent study in a car manufacturing company
major challenges requiring suitable processes, methods, and tools has also exposed the still ongoing increase of software usage
to achieve software that operates correctly.
Index Terms—software maintenance, system validation, auto- and complexity [1]. This increase of software complexity in
motive engineering, configuration management, multidimensional vehicles leads to many challenges concerning the design, the
systems quality assurance and the maintenance, which are for example
discussed by Broy [6]. With the recent introduction of software
I. I NTRODUCTION over-the-air updates (SOTA) for infotainment and navigation
Since the introduction of the first electronic ignition systems systems, and the wish of OEMs to expand the application of
in cars in the 1970s, the amount of electronics in vehicles has this update technology to more safety-critical functions and
constantly been increased, driven by the growing number of to whole product lines, the issues of release and configuration
electronic components on an integrated circuit, formulated in management get even more accentuated.
Moore’s law [15]. Different mechanical function realisations We have conducted a survey to identify whether the above
have been replaced by Electronic Control Units (ECUs), mentioned development poses a real challenge in the automotive
and new modules for more comfort and safety have been industry. The survey is composed of various questions about
progressively added to vehicles. Nowadays, the on-board update and release management, SOTA, current and future
network of electronic systems together with the required power consistency issues, as well as the flexibility in exploring
supply and management build the modern electric/electronic a multi-domain design space, e.g. of both hardware and
(E/E) architecture. software. Different companies and institutions from the German
Due to this rising number of parts of E/E architectures and the automotive industry participated in it. The results show that
increasing number of distributed software components inside a updates in the field, especially the SOTA case, will play
a major role in the mobility of the future. However, their
expansion is accompanied by critical consistency challenges
arising mainly from the high number of system variants and
the wide multidisciplinarity involved in the development teams. Client
We have presented the initial results of this in a technical Internet
report [14].
The remainder of this paper is structured as follows:
Section II presents an overview on foundations and state-of-the-
Wireless
art. The conducted survey is introduced in Section III, followed Access Point Server
by a discussion of the results in Section IV. After giving an (OEM)
overview on related work in Section V, we conclude the report
with a summary and future work in Section VI.
II. F OUNDATIONS Figure 2: Client-server architecture of a SOTA network
In this chapter, main background knowledge about software
release and configuration management with special focus on
SOTA updates is summarized. availability of an update and is asked to bring the car to the
next workshop. Depending on the bug severity and the kind of
A. Software Updates the visited workshop, the bug fix is sent from the OEM before
1) Software Release Management in Engineering: Releases or while the car is in the workshop. When the software update
in the automotive domain are regularly implemented and is ready, it is flashed on the target ECU through the On-Board-
flashed at the end of the assembly line or during workshop Diagnose (OBD) interface. Each ECU update can take about
visits. Individual changes are implemented separately and 15–90 minutes [12]. Depending on the safety criticality of the
collected during a phase of normally six months. These update, the technician may also need to test the flashed ECU
changes are documented and tracked inside a so called codeline through e.g. performing a diagnosis via OBD or functional
diagram, exemplarily depicted in Figure 1, describing the main tests. The described update process needs both the owner and
development branch with the evolution of system releases. technician to invest time and effort, which produces high costs
Between the regular release phases, intermediate releases are and some customer’s inconvenience.
mostly only developed for fixing severe bugs. In all other cases, 3) Software over-the-Air Updates: A SOTA system is
rigidity of the release schedule is compulsory, otherwise the typically built according to a client-server architecture, as
organization risks to lose the benefits of a common baseline. depicted in Figure 2. The server allows the OEM to deploy
Updates, i.e. flashing during usage in the field, for safety- updates to the clients, which are the SOTA processing units
critical functions are primarily only provided to fix severe bugs of vehicles. A client connects to the server through a wireless
because of the required effort and induced public interest. access point, downloads the software update binaries and
2) Traditional Software Updates: Automotive software distributes them through the internal bus systems to the
updates are traditionally done in workshops, mostly for fixing appropriate ECUs.
a severe bug. First, the driver is informed by mail about the The first vehicles with an over the air updates capability are
already in the market. The main use case is for less safety-
critical systems like infotainment applications and navigation
Legend maps. Like the US car company Tesla, which offers updates
for the autopilot remotely, many OEMs want to introduce
/branch Branch SOTA also for safety-critical applications. Wireless bug fixes
/bugFix bugfix would enable important cost savings as reported by Bird
feature Function
merge et al. [4], who predict that the total worldwide OEM cost
1.0 Version savings from SOTA updates are expected to reach $35 billion
/maint 1.1 in 2022. However, SOTA updates are accompanied by some
merge important challenges. In addition to the security risks arising
branch from opening the car to the outer environment with the threat
/main Feature A 1.0 Feature B 2.0 of reprogramming its embedded systems, the high number of
variants within automotive product lines makes it difficult to
keep the consistency of the models and views involved in the
Release 1 Release 2 development and validation of new releases.
Answer Count
No answer 1
20
15
Figure 4: Work segments of participants 12
9 10
10 8
6
maintain software (57 %) and hardware (45 %) components. In 4 3
addition, an important part of the participants is responsible for 2 2
0
E/E systems (35 %) or E/E architectures (33 %). The sum of 0
percentages for the answer alternatives exceeds 100 % because ar ar r
Ye Ye ear Ye
ar ear sw
e
multiple answers were allowed as multiple systems or one 1/ 1/ 2/Y 3/ 3/Y o an
heterogeneous system with different parts can be partially < > N
developed by the same person. Figure 6: Frequency of system releases during development
B. Identified Current Challenges and for products in the field
1) Variant Management: The number of variants managed
by the participants, defined as the number of system/product times a year, as depicted by the light-colored bars in Figure 6.
derivations at the same time, is diverse, as shown in Figure 5. This shows that most automotive systems in the field still get no
Most of the participants (35 %) maintain a small number of or seldom new releases. One potential reason for the different
variants (less than 10), whereas 25 % are responsible for more release frequencies is the dependence on the functionality of
than 50 system variants. Another 33 % manage between 10 and the component to be updated. For example, an update of the
50 variants. When managing more than one system, participants navigation system software will potentially be performed more
were asked to give an estimated mean value of the variants frequently than an update of a more safety-critical component
numbers of all managed systems. or even the hardware of a sensor. Nevertheless, this is only
2) Software Release Frequencies: New releases of auto- a hypothesis, which one would have to confirm by analyzing
motive software during the development normally deal with the correlation between type of the updated product and the
corrections of bugs or system optimizations through changing release frequency.
the models or the requirements, and are usually unavoidable 3) Software Update Frequencies: In this survey, an update
during each product development. The participants reported is defined as an installed new release or a change which has
that already during the development of their products many been added to the system in the field. According to most
new releases in form of new E/E states are created. 59 % and participants, the frequency of field updates is still very low and
therefore the majority of the participants indicated a number of estimated at once a year or less as shown in Figure 7. Those
more than three releases per year, as it is shown in Figure 6. reported frequencies are for the most part in concordance with
In contrast, the frequency of releases of new E/E states for those of after sales releases as depicted in Figure 6. In fact,
products in the field is more diverse and overall lower. About 80 % of the participants who reported conducting field updates
65 % of the participants responded with a release frequency less than once a year also revealed that they develop at most
between less than once a year and twice a year, while 16 % one release annually. Additionally, 69 % of those who develop
indicated that their product gets a new release more than three annual updates stated that releases are developed at most twice
a year. Nevertheless, the update frequencies of products in the
field are overall lower than those of releases. As a hypothesis
< 10 18 for future studies, we formulate that the number of releases
10 – 20 8 for products in the field is usually higher than the number of
executed updates, as already indicated by this comparison.
20 – 50 9
The current time span for which field updates are offered is
50 – 100 5 reported by 35 % of the participants to be relatively short and
> 100 8 ranges between one and three years. This is probably a kind
of after-sales guarantee for repairing all potential malfunctions
No answer 3
or bugs directly by the OEM. Nevertheless, 20 % offer field
updates for at least 7 years. As a hypothesis, introducing SOTA
updates may increase this time span to the whole vehicle life
Figure 5: Number of variants managed by the participants cycle. Almost all participants (94 %) agreed that field updates
< Annually 20 Very relevant 16
Annually 13 Relevant 10
Semiannually 3 Rather relevant 16
Monthly 3 Less relevant 3
> Monthly 0 Barely relevant 4
No answer 12 No answer 2
with short life cycles will gain more importance for seamless majority agreed that security is considered as a main concern
connected mobility. for SOTA updates. However, answering the question whether
The participants agreed that the main reasons for current license relevant updates, i.e. updates that need to conform
updates are bug fixes (88 % agreement) and function improve- with a national or international licensing norm or law, will
ment (67 % agreement). Costs optimization and component represent an important part in this case, a stronger variance
availability are, according to the questionnaire responses, less of the answers could be observed. Nevertheless, the majority
relevant reasons for an update than the ones mentioned above. agreed that the license relevant updates will play an important
4) Consistency of Software Updates: In order to ensure role in the future.
compatibility of updates with the existing E/E environment, 5) Multi-Domain System Design: During the development
consistency checks are essential and determine the update of complex automotive systems, the question whether to
quality and safety. 45 % of the participants reported that these realize a function in software, hardware or mechanical parts
checks are representing at least 50 % of the work effort needed is frequently posed, especially when going from the system
to solve occurring inconsistencies. Compared to the validation requirements to system design. The decision is mainly taken
of the initial product, the majority of the participants reported after initially analyzing the design space and evaluating
that the effort to validate an update is equal (29 %) or even less different possibilities. When considering only hardware and
(33 %). Nevertheless, 28 % revealed that this effort is higher software, this methodology is known as hardware/software
or much higher than within the initial validation process. codesign. Allowing the engineers to distribute the function
The participants were asked for the main reasons for parts over an enhanced design space of hardware, software or
inconsistencies of their products that occur in their development mechanical components is an important factor for a successful
processes (see Table I). Most of them stated that a high number design and an optimized product. Only around half of the
of variants is the most important reason for inconsistencies participants reported that they have enough degrees of freedom
(71 %), followed by missing methods and methodologies (53 %) to make this decision, but 82 % revealed that this freedom of
and the high interdisciplinarity in the development process. decision is important for their institution, as shown in Figure 8.
To discover the arising inconsistencies, Hardware-in-the-Loop As expected, the majority of the survey participants agreed
testing is a commonly used method in the industry, as agreed that a higher decision tolerance has a strong influence on the
by the majority of the survey participants (80 %). quality, the efficiency and the maintenance of the product, as
shown in the second half of Table II.
Regarding SOTA updates, we presented three statements to
which the participants could indicate their agreement, shown in C. Future Challenges
the first half of Table II. Most of the participants (77 %) revealed The answers to the survey indicate that the frequency of field
that their institution is currently working on the introduction updates will significantly increase in the upcoming five to ten
of SOTA updates with different grades of intensity. Also, the years, as illustrated in Figure 9. Updates in short cycles of less
than a year will become more important. Possible reasons for
this predicted development are an increasing number of services
Reason Agreement
and functions of vehicles that are based on software, and more
High variants number 71 % synchronization needs due to distributed development groups.
Missing methods 53 % This can result in a more error-prone development making bug
High multi-disciplinarity 53 % fixes during use necessary. Furthermore, the customer’s wishes
High documentation efforts 47 % for innovations and individualization demand for software
High communcation efforts 43 % updates in shorter and longer terms. These demands have
to be confirmed in a further study.
Table I: Agreement with reasons for inconsistencies during Besides, the reasons for the updates will partially change.
product developmen (ordered by degree of agreement) While bug fixes and function improvement will continue to
fully agree rather rather fully
disagree
agree agree disagree disagree
Current state and future of SOTA updates in the automotive industry
My institution currently addresses the introduction of SOTA intensively. 23.5 27.5 25.5 5.9 2.0 3.9
Security plays an important role in the introduction of SOTA. 66.7 17.6 3.9 0.0 0.0 2.0
License relevant updates will represent an important part of SOTA updates. 13.7 19.6 21.6 15.7 9.8 3.9
Table II: Participant’s agreement with specific statements (in percent of all participants, highest value per statement boldfaced)