Turning risky remote commands into safe, predictable workflows.

One of the most critical functions during the lifecycle of a connected device is sending and managing commands like Firmware Over-The-Air (FOTA) updates, configurations or any other custom commands to devices remotely.

Unlike standard SaaS apps where 'Undo' is easy, IoT commands carry a physical risk.

Pushing an incompatible file or losing connection during a command can permanently damage ("brick") the device hardware.

The team needed a safer way to send remote commands to connected devices.

Previously, our internal engineering team performed these high-risk operations using a custom-built Python tool. This workflow was fraught with usability issues.

High Risk of Error

There was no way to prevent a wrong file or asset selection. The tool allowed whatever the user did, even when it was wrong.

Cognitive Load

Engineers worked under the constant stress that a single mistake could disable a fleet of vehicles.

What if we could turn this moment of distress into the power of control?

😖→😤

Let's begin from the start and see how we achieved it.

This project was started as a separate module for Vec-TR.

Vec-TR is a comprehensive SaaS platform developed by Vecmocon to manage the lifecycle, monitoring, and configuration of connected vehicles and IoT devices.

It includes different modules, each with its own functions, and Command Center was going to be one of the critical functionalities of this app.

Vec-TR

Organizations

Assets and Devices

Dashboard Management

User Management

Inventory

Command Center

Events

Reports

Role Management

Asset Groups

Route History

Data Profiles

At the heart of this ecosystem lies the VIM (Vehicle Intelligence Module). Think of the VIM as the "brain" of the connected vehicle. Physically installed on the asset, it acts as a central gateway, aggregating critical telemetry data from sub-components like the Battery Management System (BMS) and Motor Controller.

The communication flow is bi-directional, creating a constant feedback loop:

Upstream (Telemetry)

The VIM constantly pushes health and status data to the cloud, which Vec-TR visualizes for the user.

Downstream (Command & Control)

This was our design focus. The user needs to send complex instructions—such as configuration changes or firmware updates—from the Vec-TR web dashboard back to the VIM.

The team was facing a lot of problems, but they all fell into three main categories.

Decentralized Data & Version Chaos

Firmware files existed in a fragmented state, often shared via chat or stored on local drives. This lack of a "Single Source of Truth" made version control nearly impossible, leading to a high risk of engineers manually handing off and deploying outdated or unverified code.

High Cognitive Load & Lack of Guardrails

The workflow relied entirely on human vigilance to prevent disasters. Without system-level validation, it was dangerously easy to select an incompatible file or target the wrong vehicle. Crucially, the lack of a "Testing Ground" meant engineers had to push updates directly to production without a safe staging environment.

Operational Blindness (The "Black Box" Problem)

Once a command was triggered via the script, it entered a void. Engineers had no real-time visibility into the campaign's progress and, most critically, lacked an "Emergency Brake." If a deployment started failing, there was no way to pause or abort the operation, leaving the fleet vulnerable until the script finished.

Final Design and Details

Manage Files


Create Commands


Command Progress


The risk management and control design strategy

I introduced 'Positive Friction' in the workflow so that memory load shifts from the user to the system.

While sending a command to the device, the user's mindset is "I need to be careful. I am changing how a machine behaves." Let's see how.

Manage Files Like a Pro

Structured Metadata Ingestion

We replaced raw file dumps with a structured flow that captures critical versioning and hardware compatibility tags, ensuring the system can validate every file upon entry.

Default-to-Safe Staging

Uploaded files enter an "Inactive" state by default. This introduces positive friction, forcing a deliberate review moment to prevent accidental deployment of unverified firmware.

Role-Based Activation

To establish accountability, files cannot be used immediately. A distinct "Activation" step is required, ensuring only authorized leads can clear a firmware version for field deployment.
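The three file controls above can be modeled as a small registry. This is an added sketch, not Vec-TR's code: the role name `firmware_lead`, the state strings, the stored SHA-256 digest and the `deployable` check are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

ACTIVATOR_ROLES = {"firmware_lead"}  # hypothetical role name

@dataclass
class FirmwareFile:
    version: str
    hardware_tags: frozenset
    sha256: str                      # assumption: digest pinned at upload
    uploaded_by: str
    state: str = "inactive"          # default-to-safe staging
    activated_by: Optional[str] = None

class FirmwareRegistry:
    def __init__(self):
        self._files = {}

    def ingest(self, version, hardware_tags, payload, user):
        # Structured ingestion: reject files with no version or hardware tags.
        if not version or not hardware_tags:
            raise ValueError("version and hardware tags are required")
        if version in self._files:
            raise ValueError(f"version {version} already exists")
        digest = hashlib.sha256(payload).hexdigest()
        self._files[version] = FirmwareFile(
            version, frozenset(hardware_tags), digest, user)
        return self._files[version]

    def activate(self, version, user, role):
        # Role-based activation: only an authorized role may clear a file.
        if role not in ACTIVATOR_ROLES:
            raise PermissionError(f"role {role!r} may not activate firmware")
        fw = self._files[version]
        fw.state, fw.activated_by = "active", user
        return fw

    def deployable(self, version, payload):
        # Only active files whose bytes still match the reviewed digest.
        fw = self._files.get(version)
        return (fw is not None and fw.state == "active"
                and hashlib.sha256(payload).hexdigest() == fw.sha256)
```

Recording who activated a version alongside who uploaded it gives the accountability trail the activation step is meant to create.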


Create Commands with Confidence

Progressive Wizard Flow

We broke the complex task into a linear, four-step process. This progressive disclosure reduces cognitive load and keeps the user focused on one decision at a time.

Contextual Verification

Selecting a firmware file loads a detail card showing version metadata. This allows users to verify file compatibility in situ without navigating away to a different screen.

Intelligent Guardrails

The system disables incompatible assets or those already running tasks. Tooltips explain the "Why," preventing errors before they happen and building user trust in the system logic.

Scalable Asset Targeting

Designed for both precision and volume. Users can select specific devices for beta testing or utilize pre-defined Asset Groups to deploy updates to thousands of vehicles in a single click.

Flexible Execution Triggers

Accommodates different operational risks. "Immediate" mode executes instantly, while "Manual" mode stages the command, requiring a secondary authorization.

Timeout Thresholds

To prevent infinite retry loops that drain vehicle batteries, users define strict timeout periods. This ensures "zombie" commands don't clog the network if a device fails to respond.

Pre-Flight Safety Check

Before final execution, a comprehensive summary screen shows all choices. This is the final "fail-safe", allowing users to spot-check and prune specific assets just before committing.
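The guardrail, execution-trigger and timeout rules above can be enforced on the server side as well as in the UI. The following is an added sketch, not Vec-TR's implementation: the status strings, field names and sample asset IDs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    asset_id: str
    hardware: str
    busy: bool = False  # already running another command

def preflight(firmware_tags, assets):
    """Return (eligible ids, {blocked id: reason shown to the user})."""
    eligible, blocked = [], {}
    for a in assets:
        if a.hardware not in firmware_tags:
            blocked[a.asset_id] = f"hardware {a.hardware} is not supported by this file"
        elif a.busy:
            blocked[a.asset_id] = "another command is already running"
        else:
            eligible.append(a.asset_id)
    return eligible, blocked

def create_command(asset_id, mode, timeout_s, now):
    if mode not in ("immediate", "manual"):
        raise ValueError("unknown execution mode")
    if timeout_s <= 0:
        raise ValueError("a positive timeout is mandatory")
    cmd = {"asset": asset_id, "timeout_s": timeout_s,
           "status": "staged", "sent_at": None}
    # Immediate mode dispatches at once; manual mode waits for trigger().
    return trigger(cmd, now) if mode == "immediate" else cmd

def trigger(cmd, now):
    if cmd["status"] != "staged":
        raise ValueError("only staged commands can be triggered")
    cmd["status"], cmd["sent_at"] = "sent", now
    return cmd

def expire(cmd, now):
    """Close a sent command once its timeout has elapsed, ending retries."""
    if cmd["status"] == "sent" and now - cmd["sent_at"] >= cmd["timeout_s"]:
        cmd["status"] = "timed_out"
    return cmd["status"]
```

Returning a reason for every blocked asset is what lets the tooltip explain the "Why" instead of silently greying out a row.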


View Command Status with Ease

Real-Time Campaign Observability

We designed a "Macro-to-Micro" view. Users get an instant health check via summary charts while retaining the ability to drill down into individual device logs for debugging.

Prominent Action States

For commands requiring manual confirmation, we used high-contrast visual hierarchy. The "Trigger" action is elevated to the top, ensuring operators never miss a pending deployment.

Intervention & Recovery Tools

Reality is messy. We built granular controls allowing users to Abort runaways, Retry specific failures, or Edit pending commands without needing to scrap the entire batch.


Fin.