Virtual machine (VM) approach to embedded system hot update

US 10,360,020 B2
Filed: 04/11/2017
Issued: 07/23/2019
Est. Priority Date: 04/11/2017
Status: Active Grant

First Claim

Patent Images

1. A software updating apparatus that operates on an electric vehicle, comprising:

a memory;

a hardware interface in communication with a system of the electric vehicle, wherein the system controls a function of the electric vehicle;

reserved resources for loading and testing an updated version of an active operating system (OS) of the electric vehicle;

a processor in communication with the memory, wherein the processor;

deploys a first virtual machine (VM) that executes a first operating system, the first OS being the active OS for the system of the electric vehicle;

deploys a second VM in the reserved resources that executes the updated version of the first OS; and

deploys a third VM that executes a backup copy of the first OS, the backup copy being used for hot swapping the active OS executed by the first OS in case of a failure of the first OS or the first VM; and

a hypervisor in communication with the first VM, the second VM, the third VM, and the hardware interface, wherein the hypervisor;

receives an input from the hardware interface and forwards the input to the first VM executing the first OS and the second VM executing the updated version of the first OS;

receives a first output from the first VM and forwards the first output to the hardware interface for controlling the function of the electric vehicle;

receives a second output from the second VM and blocks the second output from being sent to the hardware interface such that the second output is not used for controlling the function of the electric vehicle;

compares the first output and the second output;

in response to the comparison, deploys, based on one or more rules, the updated version of the first OS executed by the second VM as the active OS and deconstructs a connection between the first VM and the hypervisor;

updates the third VM to the updated version of the first OS and assign the third VM as a backup version of the active OS executed by the second VM, the updated version of the first OS in the third VM being used for hot swapping the active OS executed by the second VM in case of a failure of the second VM or a failure of the active OS in the second VM; and

reserves resources of the first VM for a future update of the active OS being executed by the second VM.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems of an electrical vehicle and the operations thereof are provided. Embodiments include an electric vehicle, rechargeable electric vehicle, and/or hybrid-electric vehicle and associated systems. The electric vehicle includes a computing system with a processor executing two or more virtual machines that operate, install, execute, spin down, delete, etc. one or more versions of software, e.g., the operating system. A hypervisor can communicate with the virtual machines (VMs) and function as an intermediary between the VMs and one or more hardware interfaces that communicate with one or more hardware functions of the electric vehicle. The hypervisor can transfer inputs to the two or more VMs from the hardware interfaces, even if one or more of the VMs is operating updated software that has not been verified. Outputs from the VMs can be transferred to the hardware interfaces, unless the software is unverified.

Citations

10 Claims

1. A software updating apparatus that operates on an electric vehicle, comprising:
- a memory;
  
  a hardware interface in communication with a system of the electric vehicle, wherein the system controls a function of the electric vehicle;
  
  reserved resources for loading and testing an updated version of an active operating system (OS) of the electric vehicle;
  
  a processor in communication with the memory, wherein the processor;
  
  deploys a first virtual machine (VM) that executes a first operating system, the first OS being the active OS for the system of the electric vehicle;
  
  deploys a second VM in the reserved resources that executes the updated version of the first OS; and
  
  deploys a third VM that executes a backup copy of the first OS, the backup copy being used for hot swapping the active OS executed by the first OS in case of a failure of the first OS or the first VM; and
  
  a hypervisor in communication with the first VM, the second VM, the third VM, and the hardware interface, wherein the hypervisor;
  
  receives an input from the hardware interface and forwards the input to the first VM executing the first OS and the second VM executing the updated version of the first OS;
  
  receives a first output from the first VM and forwards the first output to the hardware interface for controlling the function of the electric vehicle;
  
  receives a second output from the second VM and blocks the second output from being sent to the hardware interface such that the second output is not used for controlling the function of the electric vehicle;
  
  compares the first output and the second output;
  
  in response to the comparison, deploys, based on one or more rules, the updated version of the first OS executed by the second VM as the active OS and deconstructs a connection between the first VM and the hypervisor;
  
  updates the third VM to the updated version of the first OS and assign the third VM as a backup version of the active OS executed by the second VM, the updated version of the first OS in the third VM being used for hot swapping the active OS executed by the second VM in case of a failure of the second VM or a failure of the active OS in the second VM; and
  
  reserves resources of the first VM for a future update of the active OS being executed by the second VM.
- View Dependent Claims (2, 3, 4)
- - 2. The vehicle of claim 1, wherein the hypervisor evaluates two or more comparisons to determine if the updated version of the first OS in the second VM should become the active OS.
  - 3. The vehicle of claim 1, wherein the one or more rules include one or more of an update identifier, a time for evaluation indicating a time required to validate operation of the updated version of the first OS, a number of evaluations indicating a number of comparisons of outputs required to validate operation of the updated version of the first OS, and a failure rate indicating a maximum number of errors to validate operation of the updated version of the first OS.
  - 4. The vehicle of claim 3, wherein the one or more rules includes the update identifier, the update identifier being a globally unique identifier of the updated version of the first OS executing in the second VM or an identifier of one or more components within the updated version of the first OS.

5. A method for updating software controlling a function of an electric vehicle, comprising:
- executing a first virtual machine (VM), a second VM, and a hypervisor,reserving resources for loading and testing an updated version of an active operating system (OS) of the electric vehicle, the first VM executing a first operating system (OS) that is the active OS for controlling the function of the electric vehicle;
  
  deploying the second VM in the reserved resources and executing the updated version of the first OS in the second VM;
  
  deploying, by a third VM, a backup copy of the first OS, the backup copy being used for hot swapping the active OS in case of a failure of the first OS or the first VM;
  
  receiving an input from a hardware interface that is in communication with a system of the electric vehicle, wherein the system controls the function of the vehicle;
  
  forwarding the input to the first VM and the second VM;
  
  receiving a first output from the first VM and forwarding the first output to the hardware interface for controlling the function of the electric vehicle;
  
  receiving a second output from the second VM and blocking the second output from being sent to the hardware interface so that the second output does not control the function of the vehicle;
  
  comparing the first output to the second output for a predetermined amount of time;
  
  deploying, based on the comparison and one or more rules, the updated version of the first OS executed by the second VM as the active OS and deconstructing a connection between the first VM and the hypervisor;
  
  updating the third VM to the updated version of the first OS and assigning the third VM as a backup version of the active OS executed by the second VM that is used for hot swapping the active OS executed by the second VM in case of a failure of the second VM or a failure of the active OS executed by the second VM; and
  
  reserving resources of the first VM for a future update of the active OS being executed by the second VM.
- View Dependent Claims (6, 7)
- - 6. The method of claim 5, wherein the one or more rules include one or more of an update identifier, the update identifier being a globally unique identifier of the updated version of the first OS executing in the second VM or an identifier of one or more components within the updated version of the first OS, a time for evaluation indicating a time required to validate operation of the updated version of the first OS, a number of evaluations indicating a number of comparisons of outputs required to validate operation of the updated version of the first OS, and a failure rate indicating a maximum number of errors to validate operation of the updated version of the first OS.
  - 7. The method of claim 5, further comprising:
    - evaluating two or more comparisons to determine if the the updated version of the first OS should become the active OS.

8. A non-transitory computer readable medium having stored thereon instructions that cause a processor of an electric vehicle to conduct a method for updating the operating system of the processor, the method comprising:
- executing a first virtual machine (VM), the first VM executing a first operating system (OS) that is an active OS for controlling a function of the electric vehicle;
  
  reserving resources for loading and testing an updated version of the active OS of the electric vehicle;
  
  deploying a second VM in the reserved resources and executing the updated version of the first OS in the second VM;
  
  deploying a third VM in the reserved resources;
  
  executing, by the third VM, a backup copy of the first OS, the backup copy being used for hot swapping the active OS in case of a failure of the first OS or the first VM;
  
  receiving, by a hypervisor, an input from a hardware interface that is in communication with a system of the electric vehicle, wherein the system controls the function of the vehicle;
  
  forwarding the input to the first VM and the second VM;
  
  receiving a first output from the first VM and forwarding the first output to the hardware interface for controlling the function of the electric vehicle;
  
  receiving a second output from the second VM and blocking the second output from being sent to the hardware interface so that the second output does not control the function of the vehicle;
  
  comparing the first output to the second output for a predetermined amount of time;
  
  deploying, based on the comparison and one or more rules, the updated version of the first OS in the second VM as the active OS and deconstructing a connection between the first VM and the hypervisor;
  
  updating the third VM to the updated version of the first OS and assigning the third VM as a backup version of the active OS executed by the second VM, the backup version of the active OS being used for hot swapping the active OS executed by the second VM in case of a failure of the second VM or a failure of the active OS executed by the second VM; and
  
  reserving resources of the first VM for a future update of the active OS being executed by the second VM.
- View Dependent Claims (9, 10)
- - 9. The non-transitory computer readable medium of claim 8, wherein the one or more rules include one or more of an update identifier, the update identifier being a globally unique identifier of the updated version of the first OS executing in the second VM or an identifier of one or more components within the second OS, a time for evaluation indicating a time required to validate operation of the updated version of the first OS, a number of evaluations indicating a number of comparisons of outputs required to validate operation of the updated version of the first OS, and a failure rate indicating a maximum number of errors provided to validate operation of the updated version of the first OS.
  - 10. The non-transitory computer readable medium of claim 8, wherein the method further comprises:
    - evaluating two or more comparisons to determine if the second OS should become the active OS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NIO Technology Company Limited (NIO, Inc. (China))
Original Assignee
Nio Usa Inc. (NIO, Inc. (China))
Inventors
Hirshberg, Yanir
Primary Examiner(s)
Morshed, Hossain M

Application Number

US15/484,469
Publication Number

US 20180293067A1
Time in Patent Office

833 Days
Field of Search

717170
US Class Current
CPC Class Codes

G06F 2009/45579   I/O management, e.g. provid...

G06F 8/656   while running

G06F 9/45558   Hypervisor-specific managem...

Virtual machine (VM) approach to embedded system hot update

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual machine (VM) approach to embedded system hot update

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links