Energetika-VDS Request a Quote

Research

Why Firmware Flashing Belongs in Production

Published 2026-03-18

Field-flashing has hidden costs that production-side flashing eliminates.

Summary

  • Field-flashing scrap rates are hidden until you measure them.
  • Configuration drift between units is invisible at handoff and expensive at integration.
  • Signed firmware enforcement is hard to bolt on after production starts.
  • Per-unit firmware-hash logging is a CRA-readiness requirement.

Field-flashing scrap

Teams that flash firmware after the unit ships from PCBA assembly often underreport scrap. A unit that fails to take firmware on the integrator's bench gets reworked, returned, or thrown away, and the cost lands on a different ledger than PCBA cost.

When scrap is measured end to end, post-production flashing scrap commonly runs 1 to 4 percent. On a 1000 unit batch, that is 10 to 40 units of avoidable rework or loss. Production-side flashing pushes that rate below 0.5 percent on most lines because the failure mode is caught at the test station, not at the integrator.

Configuration drift

Units flashed in different sessions, with different firmware revisions, by different operators, drift in configuration. Calibration values, network settings, debug flags. The drift is invisible at handoff and expensive at integration when one unit behaves differently from the next.

Production-side flashing brings every unit through the same flashing sequence with the same firmware hash, the same provisioning template, the same signed bootloader. Configuration drift drops to zero.

Signed firmware enforcement

Bolting on signed-bootloader enforcement after a product is in production is painful. The fuse burn, the key handoff, the verification cycle, all have to be retrofit into a flow that was not designed for them.

Designing the production line around signed firmware from the start makes this trivial. The bootloader writes first with the signing key reference, the application writes second with hash verification, the eFuse burns third to lock the chain.

CRA-readiness

The Cyber Resilience Act expects per-unit firmware traceability. A unit shipped today may need a security update three years from now, and the manufacturer has to know which firmware version it shipped with.

Production-side flashing logs the firmware hash against the serial number on a database. Field-flashing does not produce that log unless the integrator builds one separately, which they usually do not.

When production-side flashing pays off

Roughly: any product where firmware revisions are stable enough to commit to a production batch, and where the per-unit cost of field-flashing or configuration drift is measurable. For most connected industrial, building automation, energy, and access control products, that threshold passes early in NPI.

For products where firmware is changing weekly during NPI, hold off on production-side flashing until the bootloader and signing keys stabilize, then move it inline.

Sources

  • IPC industry reports on production test and flashing rates
  • Espressif, "Secure Boot v2" production documentation
  • NXP, "Secure boot and trust provisioning" production guides

Quote programmed and tested units

If this research matches your product situation, send files and we will scope production.

Request a Quote View Capabilities