CN112346756A - Electric power steering control device - Google Patents

Publication number: CN112346756A
Authority: CN (China)
Prior art keywords: rewriting, electric power, power steering, information, control
Legal status: Pending
Application number: CN202010766713.4A
Other languages: Chinese (zh)
Inventor: 大岛忠介
Current Assignee: Nidec Elesys Corp
Original Assignee: Nidec Elesys Corp
Priority claimed from JP2020030787A (JP2021024555A)
Application filed by Nidec Elesys Corp
Publication of CN112346756A
Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 - Arrangements for software engineering
    • G06F8/60 - Software deployment
    • G06F8/65 - Updates
    • G06F8/66 - Updates of program code stored in read-only memory [ROM]
    • B - PERFORMING OPERATIONS; TRANSPORTING
    • B62 - LAND VEHICLES FOR TRAVELLING OTHERWISE THAN ON RAILS
    • B62D - MOTOR VEHICLES; TRAILERS
    • B62D5/00 - Power-assisted or power-driven steering
    • B62D5/04 - Power-assisted or power-driven steering electrical, e.g. using an electric servo-motor connected to, or forming part of, the steering gear
    • B - PERFORMING OPERATIONS; TRANSPORTING
    • B62 - LAND VEHICLES FOR TRAVELLING OTHERWISE THAN ON RAILS
    • B62D - MOTOR VEHICLES; TRAILERS
    • B62D5/00 - Power-assisted or power-driven steering
    • B62D5/04 - Power-assisted or power-driven steering electrical, e.g. using an electric servo-motor connected to, or forming part of, the steering gear
    • B62D5/0457 - Power-assisted or power-driven steering electrical, e.g. using an electric servo-motor connected to, or forming part of, the steering gear characterised by control features of the drive means as such
    • B62D5/046 - Controlling the motor
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 - Protecting data
    • G06F21/602 - Providing cryptographic facilities or services
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 - Protecting data
    • G06F21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 - Arrangements for software engineering
    • G06F8/60 - Software deployment
    • G06F8/65 - Updates
    • G06F8/654 - Updates using techniques specially adapted for alterable solid state memories, e.g. for EEPROM or flash memories
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 - Arrangements for software engineering
    • G06F8/60 - Software deployment
    • G06F8/65 - Updates
    • G06F8/656 - Updates while running


Abstract

The invention provides an electric power steering control device whose control program can be rewritten. Control program information to be executed by the CPU (21) is stored in a ROM (41), and rewriting information transmitted from an OTA center (30) is stored in an external memory (51). The rewriting information is stored in the external memory (51) even while the CPU (21) is executing the control program information, and when a predetermined condition is satisfied, the rewriting information stored in the external memory (51) is read out, and the control program information of the ROM (41) is rewritten with the rewriting information. Then, the CPU (21) performs assist control with the rewritten information as the execution target.

Description

Electric power steering control device
Technical Field
The present invention relates to, for example, an electric power steering control device capable of rewriting (reprogramming) a control program.
Background
In recent years, a large number of devices are equipped with a microprocessor (CPU or MPU) and perform predetermined control in accordance with a control program stored in a storage device such as a memory. In vehicles such as automobiles, a plurality of Electronic Control Units (ECUs) mounted thereon execute software programs developed in accordance with specifications to control the target vehicle.
For the purposes of adding functions, changing specifications, improving performance, and the like, such a control program (software program) is modified by adding a new control algorithm or the like after development. For example, patent document 1 describes an automotive control device that, in order to perform early rewriting of control software that corresponds to performance improvement, is provided with: a rewritable nonvolatile memory which is built in a computer for controlling a vehicle and stores control processing information; and a storage assisting unit that sets a non-rewritable area in the nonvolatile memory and rewrites control processing information of the rewritable area to new control processing information.
On the other hand, in the electronic control unit ECU, there is also a problem that the battery voltage decreases during the updating of the control program, and the updating is interrupted, thereby failing to rewrite the control program. To cope with such a problem, for example, patent document 2 discloses a control device as follows: whether the engine can be started is determined based on the determination result of whether the in-vehicle control device that is updating the control program is present when the instruction signal for starting the engine is acquired.
Patent document 1: Japanese Kohyo patent No. WO99/17976
Patent document 2: Japanese patent No. 6465258
Since the conventional ECU includes a storage unit including a nonvolatile memory or the like for storing the control program, when rewriting is performed to update the control program to a new execution program, the storage unit is set to a write mode, and thus the control program cannot be read. As a result, the following problem occurs: rewriting information transmitted while control is in progress cannot be stored unless the ECU stops its control.
That is, in the case where there is one memory, when rewriting information is received, control is temporarily stopped, the memory is shifted to the rewrite mode, and then the rewriting information is written. For a conventional vehicle or the like, rewriting under these circumstances is therefore limited to rewriting performed by a dealer.
In the CPU of patent document 1, a normal program for executing normal control and an information rewriting program used when information is rewritten are stored in a memory space, and the information rewriting program is started during rewriting of information, and the operation of the normal program is stopped, thereby rewriting information by the information rewriting program. Therefore, when there is a request from the vehicle network for information processing for executing control, the operation of the normal program is stopped while information is being rewritten by the information rewriting program, and therefore there is a problem as follows: the request for information processing from the vehicle network cannot be handled, and the update program after information rewriting cannot be downloaded.
The control device described in patent document 2 avoids an engine start failure in response to a start operation by using the pre-update control program held in a memory when the update of the control program fails, but patent document 2 does not disclose a response to the network security requirements that accompany the recent spread of vehicles having an internet connection function (connected vehicles).
For example, when a network security vulnerability is discovered and a security patch is installed by updating a control program, if the update fails, a new threat targeting the vulnerability may arise, which may cause great damage to user assets including vehicles.
Disclosure of Invention
The present invention has been made in view of the above problems, and an object thereof is to provide an electric power steering control device in which rewriting can be performed at high speed and easily, and in which, when the rewriting fails, the failure is notified to the outside so that the rewriting can be performed again.
As one means for achieving the above object and solving the above problems, the following configuration is provided. That is, an exemplary 1st aspect of the present invention is an electric power steering control device that drives an electric motor to perform assist control of a steering wheel operation by a driver of a vehicle or the like, the electric power steering control device including: a control unit that executes the assist control; a 1st storage unit that stores control program information to be executed by the control unit; and a 2nd storage unit that stores rewriting information transmitted from the outside, the rewriting information being stored in the 2nd storage unit even while the control unit is executing the control program information, wherein the control unit performs a rewriting step of reading the rewriting information stored in the 2nd storage unit and rewriting the control program information in the 1st storage unit with the rewriting information after a predetermined condition is satisfied, and performs assist control with the rewriting information written in the rewriting step as the execution target.
An exemplary 2 nd aspect of the present invention is an electric power steering system including the electric power steering control device of the above exemplary 1 st aspect.
According to the present invention, even while the control unit continues assist control, rewriting information transmitted from the outside can be stored, and rewriting can be prepared. Further, even during the control operation, it is possible to prepare rewriting without interrupting the assist control, perform rewriting at a timing based on a predetermined condition, and start steering assist using updated rewriting information.
Further, even if the rewriting fails, a re-download of the rewriting information can be requested, and the device can operate with degraded functions and hand over to a professional administrator.
Drawings
Fig. 1 is a diagram showing an overall configuration of a vehicle management system that manages a vehicle system including an electric power steering control device according to embodiment 1 of the present invention.
Fig. 2 is a diagram showing a detailed configuration of a motor control device as an electronic control unit ECU of the electric power steering control device.
Fig. 3 is a flowchart showing a rewriting process procedure in the motor control device of the electric power steering control device according to embodiment 1.
Fig. 4 is a diagram showing a schematic configuration of an electric power steering system including the electric power steering control device according to embodiment 1.
Fig. 5 is a diagram showing the configuration of a control unit and a memory in a motor control unit (ECU) of the electric power steering control device according to embodiment 2.
Fig. 6 is a diagram showing a detailed configuration of a motor control device as an electronic control unit ECU of the electric power steering control device according to embodiment 3.
Fig. 7 is a flowchart showing a rewriting process procedure in the motor control device of the electric power steering control device of embodiment 3.
Description of the reference symbols
1: a vehicle management system; 5: a vehicle system; 7a, 37a, 77a: a motor control unit (ECU); 10: a vehicle; 11: a communication control unit (TCU); 13: a Gateway (GW); 15: an electric motor; 17H, 17L: a CAN signal line; 20: a communication Network (NW); 21, 71: a control unit (CPU); 23: an inverter control unit; 24: an inverter circuit; 25: a data bus; 26: a filter; 27: a power supply relay; 28: a power generation unit; 30: an OTA center; 31: a communication unit; 32: a compression section; 33: a difference generation unit; 35: a self-hold signal; 41, 81, 83: a ROM; 43: a RAM; 45: an IG voltage detection unit; 47: a CAN I/F; 51: an external memory; 55: a rotation sensor; 57: a torque sensor; 58: an ignition switch (IG-SW); 59: a vehicle speed sensor; 60: an electric power steering system; 62: a steering wheel; 63: a rotating shaft; 64: a reduction gear; 66: a pinion gear; 67: a rack shaft; BT: a battery; C: a capacitor.
Detailed Description
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
[Embodiment 1]
Fig. 1 shows an overall configuration of a vehicle management system that manages a vehicle system including an electric power steering control device according to embodiment 1 of the present invention. The vehicle management system 1 shown in fig. 1 updates software by OTA (Over-the-air) for function change, function addition, and the like of an Electronic Control Unit (ECU) in a vehicle system 5 mounted on a vehicle 10.
The vehicle system 5 is connected to the OTA center 30 via a communication Network (NW) 20. The communication Network (NW)20 is, for example, a digital communication Network such as the internet, a mobile phone Network, and a wireless LAN (Local Area Network).
The OTA center 30 includes a communication unit 31, a compression unit 32, and a difference generation unit 33. The difference generation unit 33 generates difference data between the control program before update (also referred to as the old program or the SW before update) and the control program after update (also referred to as the rewriting information or the SW after update), for the control programs of the plurality of ECUs in the vehicle system 5. Hereinafter, reprogramming is sometimes referred to simply as rewriting.
The compression unit 32 compresses the difference data generated by the difference generation unit 33 to generate difference compressed data. The compression unit 32 compresses the differential data and encrypts the data. The generated differential compressed data is transmitted to the vehicle system 5 by the communication unit 31 via the communication Network (NW) 20. By compressing and transmitting the differential data of the control program before and after the update instead of the control program itself in this way, it is possible to transmit data to the vehicle system 5 with a reduced amount of transmission data, a reduced communication cost, and a shortened communication time.
The in-vehicle system 5 includes a communication Control Unit (TCU) 11, a Gateway (GW) 13, and the like. The TCU 11 receives data from the OTA center 30, decrypts the encrypted received data, and then transmits to the gateway 13.
The gateway 13 and the ECUs (terminal ECUs) 7a to 7n are connected via a CAN (Controller Area Network) as an in-vehicle Network. The in-vehicle network is not limited to CAN, and may be a network such as Ethernet (registered trademark).
The gateway 13 performs data relay processing from the TCU 11 to the ECUs 7a to 7n according to the CAN communication protocol. The gateway 13 may store the decrypted data (differential restored data) as a control program for the in-vehicle system 5 of all the ECUs 7a to 7n, and may transmit them to the ECUs 7a to 7n, respectively, instead of simply relaying the data.
Authentication of the data received from the OTA center 30 may also be performed at the stage of transmitting the received data from the TCU 11 to the gateway 13. That is, the gateway 13 may not only store the data received by the TCU 11 and restore it from the difference, but also perform authentication processing and the like, for example error correction based on an error correction code transmitted together with the differential data, and may thereby confirm whether or not the differential data has been received normally.
Next, an electric power steering control device (EPS) of the present embodiment, which is one of a plurality of ECUs included in the vehicle system described above, will be described. Fig. 2 shows the detailed configuration of a motor control device as an electronic control unit ECU of the electric power steering control device.
The ECU 7a shown in fig. 2 as a motor control device (EPS control device) is configured to include: a control unit (CPU)21 for controlling the entire apparatus, for example, including a microprocessor; an inverter control unit 23 that generates a motor drive signal based on a control signal from the CPU21 and functions as an FET drive circuit; and an inverter circuit 24, which is a motor driving unit that supplies a predetermined driving current to the electric motor 15.
The inverter circuit 24 is supplied with power for driving the motor from the external battery BT via the filter 26 and the power supply relay 27. The filter 26 is composed of an electrolytic capacitor and a coil, not shown, and absorbs noise and the like contained in the power supply supplied to the motor control unit (ECU)7a to smooth the power supply voltage. The power supply relay 27 is configured to be able to cut off the electric power from the battery BT, and is configured by, for example, a mechanical relay or a semiconductor relay. The filter 26 may be included in the inverter circuit 24.
The electric motor 15 is a 3-phase brushless DC motor having 3-phase windings (Ua, Va, Wa)15a composed of U-phase, V-phase, and W-phase. The inverter circuit 24 for driving the electric motor 15 is a FET bridge circuit including semiconductor switching elements (FETs 1 to 6).
The switching elements (FETs 1 to 6) are also referred to as power elements, and for example, Semiconductor switching elements such as MOSFETs (Metal-Oxide Semiconductor Field-Effect transistors) and IGBTs (Insulated Gate Bipolar transistors) are used.
Switching elements (FETs 1 to 6) constituting the inverter circuit 24 are provided corresponding to the respective phases of the electric motor 15. That is, FETs 1 and 2 correspond to the U-phase, FETs 3 and 4 correspond to the V-phase, and FETs 5 and 6 correspond to the W-phase.
In the inverter circuit 24, the drain terminals of the FETs 1, 3, and 5 are connected to the power supply side, and the source terminals are connected to the drain terminals of the FETs 2, 4, and 6. The source terminals of the FETs 2, 4, 6 are connected to the Ground (GND) side.
Thus, the motor control device 7a has a single inverter structure including a set of 3-phase windings (Ua, Va, Wa) and a set of inverters for supplying drive currents to the 3-phase windings.
The motor control device (ECU)7a performs data communication with other control units (ECUs) via CAN signal lines (CAN communication buses) 17H and 17L connected to a vehicle-mounted network (CAN) that transmits and receives various information of the vehicle 10, based on a CAN protocol. The CAN signal lines 17H and 17L are two-wire communication lines including CAN-H lines and CAN-L lines used in the CAN protocol.
The motor control unit (ECU)7a includes a ROM (Read Only Memory) 41 and an external Memory 51 as two storage units for storing a control program, and the external Memory 51 has a function as a 2 nd ROM different from the ROM 41. The ROM41 stores a control program executed (currently being executed) by the CPU 21. The CPU21 reads out and executes a control program stored in the ROM41 to perform various processes related to power steering, communication with other ECUs, and the like.
The external memory 51 stores rewriting information for rewriting the control program stored in the ROM41, adding update data, new data, and the like. A RAM (Random Access Memory) 43 is used as a Random Access Memory for temporarily storing various data necessary for the control of the CPU 21.
The ROM41 and the external memory 51 are, for example, an electrically writable and erasable EEPROM (Electrically Erasable and Programmable Read Only Memory) or an electrically rewritable flash memory. Further, the ROM41 and the RAM 43 may be built into the CPU21 as shown in fig. 2, or may be disposed outside the CPU21.
The CPU21, the external memory 51, an IG voltage detection unit 45 described later, and the CAN I/F 47 are connected to each other via a data bus 25. A rotation sensor 55 for detecting the rotational position of the rotor is mounted on the electric motor 15, and an output signal from the rotation sensor 55 is input to the CPU21 as rotation information.
Next, a rewriting process in the electric power steering control device (EPS) of the present embodiment will be described. Fig. 3 is a flowchart showing a rewriting process procedure in the motor control device of the electric power steering control device of the present embodiment.
The control unit (CPU)21 of the motor control apparatus (ECU)7a determines in step S11 of fig. 3 whether or not a rewrite request command (rewrite start request command) has been received via the CAN I/F 47 from the CAN 17 serving as the in-vehicle network. When a rewrite request is received, in step S13, the contents of the rewrite request command are analyzed, and it is determined, based on the analysis result, whether the parameter that is the target of the rewrite request is a full write area or a partial write area.
In the next step S15, the CPU21 determines whether the rewrite request command requests a software update by wireless communication (OTA) or requests direct rewrite by a medium other than wireless, for example, a conventional wired connection. If there is a conventional rewrite request, the process proceeds to step S39.
In the case where there is an OTA-based rewriting request, the CPU21 saves rewriting information (rewriting data) transmitted by the OTA center 30 in the external memory 51 in step S17. Here, even while the CPU21 is accessing the control program stored in the ROM41 and executing its processing, it stores the rewriting data in the external memory 51 while continuing that processing. As a result, it is possible to prepare for rewriting without interrupting the assist control of the power steering.
The CPU21 determines in step S19 whether or not the reception of the rewriting data has ended normally. When the reception of the rewriting data has ended normally, it is determined in step S21 whether or not a predetermined condition is satisfied. The predetermined condition is, for example, a case where it is determined that the vehicle 10 is stopped based on information from the vehicle speed sensor 59, a case where assist control is stopped, a case where it is determined that the IG-SW (ignition switch) 58 is off based on information from the IG voltage detection unit 45, a case where it is determined that the engine is in an idle stop, or the like.
Ignition switch (IG-SW)58 has one end connected to battery BT and the other end connected to IG voltage detection unit 45. The IG voltage detection unit 45 AD-converts an Ignition (IG) voltage value supplied via the IG-SW 58 and inputs the AD-converted IG voltage value to the CPU21 as a digital IG voltage value.
When the above-described predetermined condition is satisfied, the CPU21 checks the validity of the received rewriting data in step S23. Here, the validity of the rewriting data is checked using, for example, a CRC (Cyclic Redundancy Check) signal as an error detection value signal. Alternatively, the checksum in the rewriting data is checked, and if the checksums do not match, it is determined that the data is abnormal or that the communication with the OTA center was not performed normally. If normal operation is not performed even though the checksums match, it is determined that the rewriting data is not normal.
If it is determined in step S25 that the rewriting data is valid, the CPU21 saves the rewrite control area to the RAM 43 in step S27. This means that, in the rewrite mode based on the rewriting data, the program for rewriting is loaded into the RAM 43, and preparation for rewriting to the new control information is performed on the RAM 43. On the other hand, when it is determined in step S25 that the stored rewriting data is not valid, the rewriting is aborted.
In the next step S29, the CPU21 rewrites the contents of the ROM41 with the reprogramming write data loaded in step S27. Then, in step S31, the normality of the rewriting data itself is judged. For example, the integrity of the rewriting data and the presence or absence of malicious tampering with the rewriting data are determined by using a known signature authentication technique.
If the rewriting data is normal, the CPU21 determines in step S35 whether the rewriting based on the rewriting data has ended normally, and if not, returns the process to step S29 to retry the rewriting based on the rewriting data.
If it is determined in step S31 that the rewriting data is not normal, the CPU21, in step S33, returns to the ROM41 the control program previously executed by the CPU21 (the old program for which normal operation has been confirmed, which was stored in the ROM41 before rewriting) that was saved in advance in the external memory 51. This restores normal operation of the motor control unit (ECU)7a.
When the external memory 51 is used as the location for saving the old program as described above, both the rewriting information and the saved control program information are stored in the external memory 51, and although the required memory capacity of the external memory 51 increases, the use of the external memory can reduce the cost. Further, an external memory other than the external memory 51 may be prepared, and the old program may be saved in that external memory.
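The Fig. 3 sequence described above, modelled on a host in C as an added example (not code from the patent or from its applicant): it covers staging in the external memory (S17), the predetermined-condition gate (S21), the CRC check (S23/S25), the ROM rewrite with retry (S29/S35) and restoration of the saved old program (S33). The type and function names, the CRC-32 polynomial, the retry limit, the read-back comparison, the fault-injection counter and the firmware strings are assumptions; the signature authentication of step S31 is not modelled.

```c
/* Added illustration: host-side model of the rewriting flow of Fig. 3. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_MAX   64  /* constructed image size limit */
#define MAX_RETRY 3   /* assumed retry budget for the S29/S35 loop */

typedef enum { UPD_OK, UPD_DEFERRED, UPD_REJECTED,
               UPD_ROLLED_BACK, UPD_FAILED } upd_result;

typedef struct {
    uint8_t  rom[IMG_MAX];    size_t rom_len;    /* ROM 41: program in execution */
    uint8_t  staged[IMG_MAX]; size_t staged_len; /* external memory 51: rewriting data */
    uint32_t staged_crc;                         /* CRC delivered with the data */
    uint8_t  backup[IMG_MAX]; size_t backup_len; /* external memory 51: saved old program */
    bool     vehicle_stopped, ignition_off;      /* inputs to the S21 condition */
    int      fail_writes;                        /* fault injection: corrupt next N ROM writes */
} ecu_t;

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) as the S23 error-detection value. */
uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* S17: store received data in external memory; the ROM is not touched,
 * so the running control program is unaffected. */
bool ecu_stage(ecu_t *e, const uint8_t *data, size_t len, uint32_t crc)
{
    if (len == 0 || len > IMG_MAX) return false;
    memcpy(e->staged, data, len);
    e->staged_len = len;
    e->staged_crc = crc;
    return true;
}

/* Simulated ROM programming followed by a read-back comparison. */
static bool rom_write(ecu_t *e, const uint8_t *src, size_t len)
{
    memcpy(e->rom, src, len);
    e->rom_len = len;
    if (e->fail_writes > 0) { e->fail_writes--; e->rom[0] ^= 0xFF; }
    return memcmp(e->rom, src, len) == 0;
}

/* S21 to S35: gate, validate, save old program, rewrite with retry, roll back. */
upd_result ecu_apply(ecu_t *e)
{
    if (e->staged_len == 0 || !(e->vehicle_stopped || e->ignition_off))
        return UPD_DEFERRED;                 /* S21 not satisfied: data stays staged */
    if (crc32_calc(e->staged, e->staged_len) != e->staged_crc)
        return UPD_REJECTED;                 /* S23/S25: abort before touching the ROM */

    memcpy(e->backup, e->rom, e->rom_len);   /* save the known-good old program */
    e->backup_len = e->rom_len;

    for (int attempt = 0; attempt < MAX_RETRY; attempt++)
        if (rom_write(e, e->staged, e->staged_len))
            return UPD_OK;                   /* S35: rewrite ended normally */

    /* S33: return the saved old program to the ROM. */
    return rom_write(e, e->backup, e->backup_len) ? UPD_ROLLED_BACK : UPD_FAILED;
}

int main(void)
{
    ecu_t e = {0};
    const uint8_t old_fw[] = "EPS-FW-v1 (constructed)";
    const uint8_t new_fw[] = "EPS-FW-v2 (constructed)";
    memcpy(e.rom, old_fw, sizeof old_fw);
    e.rom_len = sizeof old_fw;

    ecu_stage(&e, new_fw, sizeof new_fw, crc32_calc(new_fw, sizeof new_fw));
    printf("while driving: result %d, ROM = %s\n", ecu_apply(&e), (char *)e.rom);
    e.ignition_off = true;
    printf("ignition off:  result %d, ROM = %s\n", ecu_apply(&e), (char *)e.rom);
    return 0;
}
```

A CRC only detects accidental corruption; detecting deliberate tampering is the role of the signature authentication the description assigns to step S31.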
As the rewriting, there are a method of rewriting the entire control program before update and a method of rewriting a part of the control program with a new control program (rewrite program). In the partial rewriting, there are a method of rewriting a part of parameters of the control program before the update, a method of correcting a part of defects of the control program before the update, a method of partially rewriting control map data of the control program before the update, and the like.
By such partial rewriting, the rewriting time can be shortened, and the data communication path can be effectively used (congestion can be prevented). In addition, unnecessary information can be excluded as rewriting information.
Fig. 4 shows a schematic configuration of an electric power steering system including an electric power steering control device according to embodiment 1 of the present invention. The electric power steering system 60 of fig. 4 includes a motor control unit (ECU)7a as an Electronic Control Unit (ECU), a steering wheel 62 as a steering member, a rotary shaft 63 connected to the steering wheel 62, a pinion gear 66, a rack shaft 67, and the like.
The rotary shaft 63 is engaged with a pinion 66 provided at a front end thereof. The rotational motion of the rotating shaft 63 is converted into linear motion of the rack shaft 67 by the pinion 66, and the pair of wheels 65a and 65b provided at both ends of the rack shaft 67 are steered at an angle corresponding to the displacement amount of the rack shaft 67.
A torque sensor 57 that detects a steering torque when the steering wheel 62 is operated is provided on the rotating shaft 63, and the detected steering torque is transmitted to a motor control unit (ECU)7 a. The motor control unit (ECU)7a generates a motor drive signal based on signals such as the steering torque acquired by the torque sensor 57 and the vehicle speed from the vehicle speed sensor 59 (see fig. 1), and outputs the signal to the electric motor 15.
An assist torque for assisting steering of the steering wheel 62 is output from the electric motor 15 to which the motor drive signal is input, and the assist torque is transmitted to the rotary shaft 63 via the reduction gear 64. As a result, the rotation of the rotary shaft 63 is assisted by the torque generated by the electric motor 15, thereby assisting the steering wheel operation of the driver.
As described above, the electric power steering control apparatus according to embodiment 1 has the following configuration: even while the control unit is executing the control program, the rewriting information is stored in the external memory, the control program is rewritten with the rewriting information under a predetermined condition, and thereafter, assist control is performed with the rewriting information as the execution target.
That is, since the rewriting information as the updated control program is stored even while the control program is being executed, the control unit can prepare for rewriting without interrupting the assist control during the control operation.
As a result, the early change to the latest control program for improving the performance of the vehicle and the like does not need to be made via a dealer and the like, and therefore, the change can be easily made at a low cost even after the vehicle is sold. Further, by storing the rewriting information in the external memory, the cost can be reduced compared to a configuration in which a plurality of memories are provided in the CPU.
For example, depending on the content of the start request command received through the CAN (Controller Area Network), rewriting can be performed according to a sequence for rewriting by wireless communication (OTA) or a sequence for rewriting using a medium other than wireless (wired). Further, by rewriting in accordance with the command, the timing of rewriting becomes clear, and it is possible to prevent unnecessary information from being updated by rewriting.
Further, as the predetermined condition for rewriting the control program based on the rewriting information, it is performed when an ignition switch of a vehicle or the like is turned off, when the engine is in an idle stop, or the like, and thus it is possible to perform rewriting while ensuring safety and start steering assistance using the updated rewriting information.
Further, when the validity of the rewriting information cannot be confirmed or when rewriting based on the rewriting information fails, the information in the ROM is overwritten with control program information that is backed off in advance, whereby the validity of the rewriting information transmitted from the outside (OTA center) can be monitored and reliability as auxiliary control data can be ensured.
Further, the ROM can continue the assist control by the control program for which the normal operation has been confirmed by rewriting the ROM again (returning to the old program) based on the control program information for which the normal operation has been confirmed.
Further, if the rewriting information transmitted from the outside and stored in the predetermined memory has validity, the content of the ROM in which the control program is stored may not be rewritten, and the rewriting information stored in the predetermined memory may be directly used as the execution target to perform the assist control.
[ 2nd embodiment ]
An electric power steering control device according to embodiment 2 of the present invention will be described. The overall configuration of a vehicle management system that manages a vehicle system including the electric power steering control device according to embodiment 2 is the same as that of the vehicle management system shown in fig. 1 except for the memory configuration described later, and therefore, the illustration and description thereof are omitted.
Fig. 5 shows the configuration of a control unit and a memory in a motor control unit (ECU) 77a of the electric power steering control apparatus according to embodiment 2. The control unit (CPU) 71 is connected to two storage units (ROM1 (81) and ROM2 (83)) via a bus 85. ROM1 and ROM2 are each, for example, an electrically writable and erasable EEPROM (Electrically Erasable and Programmable Read Only Memory) or an electrically rewritable flash memory.
Both ROM1 and ROM2 can store control programs sent from the OTA center via the gateway. The CPU 71 switchably accesses either ROM1 or ROM2, reads out the control program stored in that ROM, and executes it, thereby performing various processes related to the power steering, communication with other ECUs, and the like.
More specifically, the CPU 71 executes the assist control by using, as the execution target, the information in whichever of ROM1 and ROM2 stores the control program most recently updated based on the rewriting information transmitted from the OTA center.
That is, the most recently rewritten program is treated as the latest program, and the ROM storing it is determined as the execution target for control. The ROM used after a restart is determined based on the same setting.
Thus, by merely switching to the ROM in which the latest rewriting information is written, it is possible to quickly shift to execution of the assist control based on the latest rewriting information while continuing the control operation by the CPU.
As described above, according to embodiment 2, the ROM storing the control program to be executed is switched as a whole, and the ROM storing the latest rewriting information is selected for the control operation, so that newly updated rewriting information can be stored in the other ROM even while the control program is being executed. The other ROM is then selected and control based on the rewriting information stored in it is performed, whereby assist control based on the latest rewriting information can always be continued.
Thus, embodiment 2 employs a memory configuration in which the same control unit holds two memories. Without rewriting a newly received control program into another memory, it is possible to switch quickly to execution of assist control based on the most recently updated rewriting information merely by switching to the memory in which the rewriting information is written, for example when the same predetermined condition as in embodiment 1 is satisfied.
In embodiment 2, the following configuration may be adopted: when rewriting based on the rewriting information fails, control shifts to assist control in which the control program before the update by rewriting is the execution target. In this way, even when the update to the latest control program fails, the pre-update control program stored in ROM1 or ROM2 becomes the execution target, and assist control by the old program can easily be restored.
Further, a configuration may be adopted in which the state of success or failure of rewriting can be notified to the outside of the electric power steering control device. Thus, in the case where the rewriting fails, by notifying this to, for example, the gateway GW13 or the OTA center 30, it is possible to request downloading of the rewriting information again.
Further, since an electric power steering system includes the electric power steering control device according to embodiment 1 or 2 described above, rewriting information as an updated control program is stored even while the electric power steering control device is executing the control program, and the control program can therefore be rewritten without interrupting assist control even during a control operation. Then, the steering assist can be continued using the updated latest control program information (rewriting information).
[ 3rd embodiment ]
An electric power steering control device according to embodiment 3 of the present invention will be described. The overall configuration of a vehicle management system that manages a vehicle system including the electric power steering control device according to embodiment 3 is the same as that of the vehicle management system shown in fig. 1, and therefore, illustration and description thereof are omitted.
Fig. 6 shows a configuration of a motor control device (EPS control device) of the electric power steering control device of the present embodiment. In fig. 6, the same components as those of the motor control device shown in fig. 2 are denoted by the same reference numerals, and the description thereof will be omitted.
Fig. 7 is a flowchart showing a rewriting process procedure in the motor control device of the electric power steering control device of the present embodiment. Here, the rewriting process is FOTA (Firmware Over-The-Air), in which the firmware of an electronic control unit (ECU) mounted on a vehicle is updated by wireless communication.
The control unit (CPU)21 of the motor control device (ECU)37a shown in fig. 6 determines whether or not a rewrite request command (rewrite start request command) has been received via the in-vehicle network (CAN 17) in step S41 of fig. 7. In the case where there is a rewrite request, in step S43, the rewrite information (rewrite data) transmitted by the OTA center 30 is received and stored in the external memory 51.
As a result, the rewriting information transmitted by the OTA center 30 and downloaded by the gateway GW13 (for example, a security patch serving as a correction program for a security hole, an update program, or another correction program) can be installed in the motor control device 37a as the target ECU.
In step S45, the CPU21 checks the validity of the stored rewriting data and determines whether or not the rewriting has succeeded. Here, success is determined, for example, by monitoring the validity of the rewriting data based on an error detection value signal (CRC signal), the presence or absence of a data abnormality based on a checksum in the rewriting data, or whether or not communication with the OTA center is normal.
When determining that rewriting has failed, such as the rewriting data being abnormal, the CPU21 stores the content of the rewriting failure in a nonvolatile memory, such as the ROM41, in step S47. When the rewriting is successful, the content of the successful rewriting is stored in the nonvolatile memory in the same manner (step S49). Thus, the success or failure status of rewriting is recorded in the memory.
In the case where the rewriting is successful, the CPU21 determines in step S51 whether the IG-SW (ignition switch) 58 is off, based on the information from the IG voltage detection unit 45. If IG-off is determined, that is, the vehicle 10 is stopped and in a safe state, the control program written in the control area of the ROM41 is rewritten in step S53 with the rewriting data stored in step S43.
On the other hand, when the rewrite has failed, the CPU21 determines in step S59 whether or not rewriting (retry) by the rewrite data is possible. If the retry is possible, the process returns to step S43, and the rewriting information (rewriting data) is received again.
If it is determined that the retry is impossible, in step S61, a rollback process that returns the control program to the old program from before the rewrite failure is performed in accordance with the determination of the CPU21 of the motor control device 37a as the target ECU.
After confirming that the IG-SW 58 is in the on state in step S55, the CPU21 notifies the outside (here, the gateway GW13 functioning as an OTA master) of the success/failure state of rewriting recorded in the nonvolatile memory as described above (step S57). Then, the gateway GW13 notifies the OTA center 30 of the success or failure status of rewriting in step S63.
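The Fig. 7 sequence described above (receive and validate in S43 to S49, retry or roll back in S59 and S61, rewrite at IG-off in S53, report at IG-on in S57) can be modelled in C as follows. This is an added illustration, not code from the patent; the buffer size, the retry limit `MAX_RETRY`, the CRC-32 variant and all type and function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMG_MAX   64
#define MAX_RETRY 2   /* assumption: the text gives no retry limit */

typedef enum { ST_NONE, ST_SUCCESS, ST_FAILURE } rw_status_t;
typedef struct { const uint8_t *data; size_t len; uint32_t crc; } package_t;

typedef struct {
    uint8_t rom[IMG_MAX];    size_t rom_len;    /* control area of ROM 41       */
    uint8_t backup[IMG_MAX]; size_t backup_len; /* old program saved in advance */
    uint8_t ext[IMG_MAX];    size_t ext_len;    /* external memory 51           */
    rw_status_t nv_status;  /* success/failure state kept in non-volatile memory */
    int pending;            /* validated data staged, waiting for IG-off */
    int notified;           /* state already reported to the gateway */
} ecu_t;

/* Standard reflected CRC-32. It detects accidental corruption only and
 * says nothing about who produced the data. */
uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

void ecu_init(ecu_t *e, const uint8_t *prog, size_t n) {
    if (n > IMG_MAX) n = IMG_MAX;
    memset(e, 0, sizeof *e);
    memcpy(e->rom, prog, n);    e->rom_len = n;
    memcpy(e->backup, prog, n); e->backup_len = n;
}

/* S41 to S49, S59 and S61. d[i] models what arrives on the i-th S43 attempt. */
rw_status_t fota_receive(ecu_t *e, const package_t *d, size_t n) {
    if (n == 0) return ST_NONE;                      /* S41: no request */
    for (size_t a = 0; a < n; a++) {
        int ok = d[a].len <= IMG_MAX;
        if (ok) {                                    /* S43: store in external memory */
            memcpy(e->ext, d[a].data, d[a].len);
            e->ext_len = d[a].len;
            ok = crc32_calc(e->ext, e->ext_len) == d[a].crc;   /* S45: validity */
        }
        if (ok) {                                    /* S49: record success */
            e->nv_status = ST_SUCCESS; e->pending = 1; e->notified = 0;
            return ST_SUCCESS;
        }
        e->nv_status = ST_FAILURE; e->notified = 0;  /* S47: record failure */
        if (a >= MAX_RETRY) break;                   /* S59: no retry left */
    }
    memcpy(e->rom, e->backup, e->backup_len);        /* S61: back to the old program */
    e->rom_len = e->backup_len;
    e->ext_len = 0; e->pending = 0;
    return ST_FAILURE;
}

/* Returns 0 = nothing to do, 1 = ROM rewritten (S53), 2 = state reported (S57). */
int fota_on_ignition(ecu_t *e, int ig_on, rw_status_t *reported) {
    if (!ig_on && e->pending) {                      /* S51 -> S53 */
        memcpy(e->rom, e->ext, e->ext_len);
        e->rom_len = e->ext_len; e->pending = 0;
        return 1;
    }
    if (ig_on && !e->pending && e->nv_status != ST_NONE && !e->notified) {
        *reported = e->nv_status; e->notified = 1;   /* S55 -> S57 */
        return 2;
    }
    return 0;
}

int main(void) {
    /* constructed sample programs */
    static const uint8_t oldp[] = "EPS-CTRL v1", newp[] = "EPS-CTRL v2";
    package_t seq[2] = { { newp, sizeof newp, 0 }, { newp, sizeof newp, 0 } };
    ecu_t e; rw_status_t rep = ST_NONE;
    seq[1].crc = crc32_calc(newp, sizeof newp);
    seq[0].crc = seq[1].crc ^ 1u;        /* first delivery arrives damaged */
    ecu_init(&e, oldp, sizeof oldp);
    int r = fota_receive(&e, seq, 2);
    printf("receive -> %d (program still: %s)\n", r, (char *)e.rom);
    r = fota_on_ignition(&e, 0, &rep);
    printf("IG off  -> %d (program now: %s)\n", r, (char *)e.rom);
    r = fota_on_ignition(&e, 1, &rep);
    printf("IG on   -> %d (reported state %d)\n", r, (int)rep);
    return 0;
}
```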
In order to continue the operation of the CPU21 even after the IG-SW 58 is turned off, the motor control device 37a of the present embodiment has a power supply generation unit 28 that generates the power supply of the CPU21 based on the logical sum of the ignition signal of the IG-SW 58 and the self-hold signal 35 from the CPU21, as shown in fig. 6. The CPU21 is also provided with a capacitor C for holding the self-hold signal 35 to the power supply generation unit 28 for a predetermined time even if the CPU21 is reset.
Here, the predetermined time is a time from after the CPU21 is reset for switching the software while the ignition signal is off until the CPU21 is started again and the CPU21 outputs the self-hold signal 35.
The power supply generation unit 28 converts the battery voltage +B supplied from the battery BT into a voltage +5V of a logic level necessary for the operation of a control circuit such as the CPU21, and supplies the voltage to the CPU21.
In this way, the hardware holds the self-hold signal from the CPU while the CPU is reset after the software is switched with the ignition signal off, so that power continues to be supplied to the CPU, the CPU restarts, outputs the self-hold signal again, and continues the operation.
As a result, even if the SW reset is performed after the rewriting operation in the off state of the ignition signal, the self-holding port output is not turned off, the CPU can be restarted, and the success or failure state of the rewriting operation can be notified to the outside, so that the OTA sequence of the entire vehicle can be continued.
As described above, the electric power steering control apparatus according to embodiment 3 records whether the rewriting succeeded or failed as a success/failure state, and can therefore reliably notify the outside of the success or failure of FOTA. As a result, when FOTA fails, it is possible to urge the outside to perform FOTA again.
This makes it possible to respond quickly, by way of the control program or the like, even if a vulnerability in system security or a security flaw called a security hole is found, and the user can always use the latest functions provided by the latest control program.
Further, in the case where a security patch that solves a problem by updating the control program cannot be installed due to a failure of FOTA, the user can safely take the vehicle to a maintenance factory, a dealer, or the like by displaying the situation on, for example, a display of car navigation to let the user know it.
When the rewriting fails, the control command values of Advanced Driving Assistance System (ADAS), steering, and the like may be set to less than 100%, and the assist may be continued by the degenerate motor drive. This makes it possible to continue the minimum auxiliary function for moving the vehicle to a dealer or the like while limiting the function having vulnerability such as a function of controlling the vehicle by communicating with an external ECU, such as an ADAS system.
The recording of the success or failure state of rewriting to the nonvolatile memory is not limited to the above example. For example, when the process from the reception of the rewriting information from the outside to the rewriting of the control program information in the control area with the rewriting information is composed of a plurality of stages, the success or failure state of the rewriting may be recorded in the OTA center, the gateway GW, or the target ECU at the timing of transition to each process stage.
In this way, for example, the OTA progress status of each of the plurality of processing stages can be grasped, such as a stage (stage 1) in which the download of the rewriting information is completed, a stage (stage 2) in which the installation of the rewriting information is completed, and a stage (stage 3) in which the rewriting based on the rewriting information is completed.
In addition, the following structure may be adopted: when the electric power steering control device is in the operation stop state and is recovered from the operation stop state, the OTA processing is restarted from the processing stage corresponding to the operation stop state recorded in the memory among the plurality of processing stages.
This makes it clear at which stage (phase) of the OTA process the rewrite has failed, and thus, it is possible to easily and reliably cope with the rewrite and the like. That is, since the processing can be restarted from the processing stage corresponding to the operation stop among the recorded processing stages, for example, when the electric power steering control device is in an operation stop state (system stop) due to a sudden battery drop (battery cut), the OTA processing can be completed more efficiently and in a shorter time than when the processing is restarted from the beginning.
Further, by adopting a configuration in which the restart is not notified to the outside when the process cannot be restarted from the operation stop state, the transmission source of the rewriting information such as the OTA center can easily determine the failure of the OTA.
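Recording the stage reached and resuming from it after a battery cut, as described above, requires a stage record that itself survives an interrupted write. The following C example is added here and is not from the patent; the two-slot record layout, the check byte and the function names are assumptions, and it goes beyond the text by also handling a power cut in the middle of the record write.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stages 1 to 3 as named in the text: download, installation, rewriting completed. */
typedef enum { STG_NONE = 0, STG_DOWNLOADED, STG_INSTALLED, STG_REWRITTEN } stage_t;

typedef struct { uint8_t seq, stage, check; } rec_t;
typedef struct { rec_t slot[2]; } nvm_t;     /* all zero = never written */

static uint8_t rec_check(uint8_t seq, uint8_t stage) { return (uint8_t)~(seq ^ stage); }

static int rec_valid(const rec_t *r) {
    return r->stage <= STG_REWRITTEN && r->check == rec_check(r->seq, r->stage);
}

/* Index of the newest valid record, or -1 when no record is valid. */
static int newest(const nvm_t *n) {
    int v0 = rec_valid(&n->slot[0]), v1 = rec_valid(&n->slot[1]);
    if (v0 && v1)   /* wrap-around safe comparison of 8-bit sequence numbers */
        return (uint8_t)(n->slot[1].seq - n->slot[0].seq) < 0x80 ? 1 : 0;
    return v0 ? 0 : (v1 ? 1 : -1);
}

stage_t journal_read(const nvm_t *n) {
    int i = newest(n);
    return i < 0 ? STG_NONE : (stage_t)n->slot[i].stage;
}

/* Writes into the slot that does NOT hold the newest record, so the previous
 * stage stays readable if power is lost before the check byte is committed. */
void journal_write(nvm_t *n, stage_t s, int power_cut_mid_write) {
    int cur = newest(n);
    rec_t *dst = &n->slot[cur == 0 ? 1 : 0];
    uint8_t seq = (uint8_t)(cur < 0 ? 1 : n->slot[cur].seq + 1);
    dst->seq = seq;
    dst->stage = (uint8_t)s;
    dst->check = (uint8_t)(seq ^ (uint8_t)s);  /* deliberately wrong until commit */
    if (power_cut_mid_write) return;
    dst->check = rec_check(seq, (uint8_t)s);   /* commit */
}

/* Runs the stages that are still outstanding. power_budget is the number of
 * stages that complete before a simulated battery cut (negative: no cut).
 * Returns a bit mask of the stages executed in this run (bit s = stage s). */
unsigned ota_resume(nvm_t *n, int power_budget) {
    unsigned ran = 0;
    int done = 0;
    for (int s = (int)journal_read(n) + 1; s <= STG_REWRITTEN; s++) {
        if (power_budget >= 0 && done == power_budget) break;   /* battery cut */
        ran |= 1u << s;     /* the work of stage s takes place here */
        done++;
        journal_write(n, (stage_t)s, 0);
    }
    return ran;
}

int main(void) {
    nvm_t n;
    memset(&n, 0, sizeof n);
    unsigned first = ota_resume(&n, 1);      /* power lost after stage 1 */
    printf("first run executed mask 0x%x, recorded stage %d\n", first, (int)journal_read(&n));
    unsigned second = ota_resume(&n, -1);    /* after recovery */
    printf("second run executed mask 0x%x, recorded stage %d\n", second, (int)journal_read(&n));
    return 0;
}
```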
[ 4th embodiment ]
An electric power steering control device according to embodiment 4 of the present invention will be described. In embodiment 4 as well, the overall configuration of a vehicle management system that manages a vehicle system including an electric power steering control device is the same as the vehicle management system shown in fig. 1, and a motor control device (ECU) that is an electronic control unit ECU of the electric power steering control device is the same as the motor control device shown in fig. 2, and therefore, illustration and description thereof are omitted.
The electric power steering control device according to embodiment 4 includes: an encryption unit that encrypts rewriting information transmitted by the OTA center 30 and downloaded by the gateway GW13 when the rewriting information is stored in the external memory 51; and a decryption section that decrypts the encrypted rewriting information when the rewriting information is read out from the external memory 51 to rewrite the control program stored in the ROM41 with the rewriting information.
Here, the CPU21 is provided with an encryption unit and a decryption unit (not shown) for performing predetermined encryption processing and decryption processing. Examples of encryption/decryption methods used include the AES (Advanced Encryption Standard) method, the DES (Data Encryption Standard) method, and the RSA method. In addition, when the CPU21 has an encryption/decryption function, these functions may be used, or the rewriting information may be encrypted and decrypted by using a value unique to the electric motor used in the electric power steering control apparatus.
As the encryption of the rewriting information, a method of encrypting the entire rewriting information at one time or a method of dividing the rewriting information into a plurality of parts (blocks) and encrypting each block may be considered.
When encrypting each block, for example, predetermined codes (rewriting codes) may be added to the head and end of each block, and the rewriting information may be encrypted in units of blocks sandwiched by the codes. In the case of encryption by this method, after a start code indicating the start of a block is erased, encrypted information is written into a memory, and at the end of encryption of information of the entire block, an end code indicating the end of the block is erased.
Thus, when neither of the start code and the end code is erased, or when only one code is erased and the other code remains, it can be determined that the encryption of the information of the block sandwiched by these codes is not completed (encryption fails).
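The start-code/end-code scheme for block-wise encryption can be exercised with the following added C example, which is not code from the patent. The code values, the 0xFF erased pattern, the block size, the power-cut simulation and `placeholder_cipher` (a stand-in for the AES, DES or RSA unit the text names, not a real cipher) are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLK 16   /* assumed block size, e.g. what fits in the CPU's RAM buffer */
static const uint8_t START_CODE[4] = { 0x5A, 0xA5, 0x5A, 0xA5 };  /* constructed */
static const uint8_t END_CODE[4]   = { 0xA5, 0x5A, 0xA5, 0x5A };  /* constructed */
static const uint8_t ERASED[4]     = { 0xFF, 0xFF, 0xFF, 0xFF };

typedef struct { uint8_t start[4]; uint8_t data[BLK]; uint8_t end[4]; } slot_t;
typedef enum { BLK_PLAIN, BLK_INCOMPLETE, BLK_ENCRYPTED, BLK_CORRUPT } blk_state_t;
typedef void (*cipher_fn)(uint8_t *buf, size_t n, uint32_t idx);

/* Stand-in transform so the example runs; NOT a cipher. On the device this
 * is where the encryption unit would be called. */
void placeholder_cipher(uint8_t *buf, size_t n, uint32_t idx) {
    for (size_t i = 0; i < n; i++) buf[i] ^= (uint8_t)(0x3C + idx * 7 + i);
}

/* Lay the received rewriting information out as code-delimited plain blocks. */
void stage_plain(slot_t *mem, size_t nblk, const uint8_t *img) {
    for (size_t b = 0; b < nblk; b++) {
        memcpy(mem[b].start, START_CODE, 4);
        memcpy(mem[b].data, img + b * BLK, BLK);
        memcpy(mem[b].end, END_CODE, 4);
    }
}

/* Order from the text: erase start code, write encrypted data, erase end code.
 * op_budget = memory operations that complete before a simulated power cut
 * (negative: none). Returns the number of operations performed. */
int encrypt_in_place(slot_t *mem, size_t nblk, cipher_fn enc, int op_budget) {
    int ops = 0;
    for (size_t b = 0; b < nblk; b++) {
        uint8_t tmp[BLK];
        if (ops == op_budget) return ops;
        memcpy(mem[b].start, ERASED, 4); ops++;
        if (ops == op_budget) return ops;
        memcpy(tmp, mem[b].data, BLK);
        enc(tmp, BLK, (uint32_t)b);
        memcpy(mem[b].data, tmp, BLK); ops++;
        if (ops == op_budget) return ops;
        memcpy(mem[b].end, ERASED, 4); ops++;
    }
    return ops;
}

blk_state_t classify(const slot_t *s) {
    int s_set = !memcmp(s->start, START_CODE, 4), s_era = !memcmp(s->start, ERASED, 4);
    int e_set = !memcmp(s->end, END_CODE, 4),     e_era = !memcmp(s->end, ERASED, 4);
    if (!(s_set || s_era) || !(e_set || e_era)) return BLK_CORRUPT;
    if (s_era && e_era) return BLK_ENCRYPTED;   /* both codes erased */
    if (s_set && e_set) return BLK_PLAIN;       /* neither erased: not encrypted */
    return BLK_INCOMPLETE;                      /* exactly one code remains */
}

/* Returns 1 when every block is fully encrypted; otherwise 0 and the index
 * of the first block whose encryption did not complete. */
int encryption_complete(const slot_t *mem, size_t nblk, size_t *first_bad) {
    for (size_t b = 0; b < nblk; b++)
        if (classify(&mem[b]) != BLK_ENCRYPTED) { *first_bad = b; return 0; }
    *first_bad = nblk;
    return 1;
}

int main(void) {
    uint8_t img[3 * BLK];
    slot_t mem[3];
    size_t bad;
    for (size_t i = 0; i < sizeof img; i++) img[i] = (uint8_t)i;  /* constructed data */
    stage_plain(mem, 3, img);
    encrypt_in_place(mem, 3, placeholder_cipher, 4);   /* power cut in block 1 */
    int ok = encryption_complete(mem, 3, &bad);
    printf("complete=%d, first unfinished block=%zu\n", ok, bad);
    return 0;
}
```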
Thus, by encrypting and decrypting the rewriting information stored in the external memory, the secrecy of the rewriting information can be maintained, so that illegal decoding and illegal tampering can be prevented, and the security of the rewriting information can be improved.
Further, by dividing the rewriting information into block units and encrypting and decrypting each block, the rewriting information can be encrypted and decrypted in units corresponding to the RAM capacity of the CPU that temporarily stores it, and the load on the memory that stores the control program information to be executed can be suppressed.
In each of the above embodiments, the ROM41 may be a nonvolatile memory (e.g., NVRAM (Non-Volatile RAM)), or may be composed of a code flash memory area for storing the control program and a data flash memory area for storing the control data.
The present invention is not limited to the above-described embodiments, and various modifications are possible. For example, a unit for monitoring the ambient temperature of a memory for storing the rewriting information may be provided, and the rewriting based on the rewriting information may not be performed when the ambient temperature exceeds the operation guaranteed temperature of the memory.
In this way, it is possible to monitor whether or not the memory in which the rewriting information is stored is within an assumed temperature range (operation guaranteed temperature), and it is possible to ensure the reliability of the rewriting information stored in the memory based on the monitoring result. Thus, it is possible to ensure assist control based on normal rewrite information and improvement in reliability.

Claims (23)

1. An electric power steering control device for assisting a steering wheel operation of a driver of a vehicle or the like by driving an electric motor,
the electric power steering control device includes:
a control unit that executes the assist control;
a 1st storage unit that stores control program information to be executed by the control unit; and
a 2nd storage unit for storing rewriting information transmitted from the outside,
the control unit stores the rewriting information in the 2nd storage unit while the control unit is executing the control program information, and performs a rewriting step of reading the rewriting information stored in the 2nd storage unit and rewriting the control program information in the 1st storage unit with the rewriting information after a predetermined condition is satisfied, and performs assist control for executing the rewriting information rewritten in the rewriting step.
2. The electric power steering control apparatus according to claim 1,
the predetermined condition includes a time when the vehicle or the like is stopped or a time when the assist control is stopped.
3. The electric power steering control apparatus according to claim 1,
the rewriting process is started after receiving a rewriting start request command from an in-vehicle network of the vehicle or the like.
4. The electric power steering control apparatus according to claim 1,
the rewriting step includes a step of rewriting a portion of the 1st control program.
5. The electric power steering control apparatus according to claim 1,
the electric power steering control device further includes:
a unit that saves the rewriting information to the 2nd storage unit and saves the control program information to the 2nd storage unit in advance; and
a unit for confirming the validity of the rewriting information,
when the validity cannot be confirmed or when rewriting based on the rewriting information fails, the information in the 1st storage unit is overwritten with the control program information saved in the 2nd storage unit.
6. The electric power steering control apparatus according to claim 1,
the electric power steering control device further includes:
a 3rd storage unit for saving the control program information in advance; and
a unit for confirming the validity of the rewriting information,
when the validity cannot be confirmed or when rewriting based on the rewriting information fails, the information in the 1st storage unit is overwritten with the control program information saved in the 3rd storage unit.
7. The electric power steering control apparatus according to any one of claims 1 to 6,
the electric power steering control device further includes a means for monitoring at least the ambient temperature of the 2nd storage unit,
and not performing the rewriting process based on the rewriting information when the ambient temperature exceeds the operation guaranteed temperature of the 2nd storage unit.
8. The electric power steering control apparatus according to any one of claims 1 to 5,
the 1st storage unit is a memory built in the control unit, and the 2nd storage unit is an external memory provided outside the control unit.
9. The electric power steering control apparatus according to claim 6,
the 1st storage unit is a memory built in the control unit, and the 2nd and 3rd storage units are external memories provided outside the control unit.
10. The electric power steering control apparatus according to claim 1,
any one of the 1st storage unit and the 2nd storage unit is built in the control unit and is configured to be capable of storing control program information to be executed by the control unit,
the control unit executes the assist control by setting, as an execution target, control program information that is newly updated based on the rewriting information, from among the control program information stored in the 1st storage unit and the 2nd storage unit.
11. The electric power steering control apparatus according to claim 10,
when the rewriting based on the rewriting information fails, the control unit shifts to assist control in which the control program information before the update based on the rewriting is set as the execution target.
12. An electric power steering control device for assisting a steering wheel operation of a driver of a vehicle or the like by driving an electric motor,
the electric power steering control device includes:
a control unit that executes the assist control;
a 4th storage unit that stores control program information to be executed by the control unit; and
a 5th storage unit for storing rewriting information transmitted from the outside,
the control unit stores the rewriting information in the 5th storage unit even while the control unit is executing the control program information, and performs assist control in which the rewriting information stored in the 5th storage unit is an execution target after a predetermined condition is satisfied.
13. The electric power steering control apparatus according to claim 1 or 12,
the electric power steering control device further includes a notification unit configured to notify an outside of the electric power steering control device of a success or failure state of rewriting based on the rewriting information.
14. The electric power steering control apparatus according to claim 13,
the electric power steering control device further includes:
a 1st storage unit that stores a status of success or failure of the rewriting; and
a unit that determines an on state and an off state of an ignition signal based on an ignition voltage value supplied via an ignition switch of the vehicle or the like,
the notification unit notifies the success or failure state stored in the 1st storage unit to the outside when the ignition signal is in the on state.
15. The electric power steering control apparatus according to claim 13,
the electric power steering control device further includes:
a power supply generation unit that generates an operation power supply of the control unit based on an ignition signal based on an ignition voltage value supplied via an ignition switch of the vehicle or the like and a self-hold signal from the control unit; and
an input continuation unit that continues the input of the self-hold signal to the power supply generation unit for a predetermined time.
16. The electric power steering control apparatus according to claim 15,
the predetermined time is a time from when the control unit is reset when the ignition signal is in the off state until the control unit that has at least been activated again outputs the self-hold signal.
17. The electric power steering control apparatus according to claim 1 or 12,
when the rewriting success/failure state is a state in which the rewriting has failed, one or more control command values related to the driving assistance function of the vehicle or the like are set to control command values corresponding to predetermined degeneration control.
18. The electric power steering control apparatus according to claim 9 or 12,
the rewriting information is encrypted by a predetermined encryption method when stored in the external memory or the 5th storage unit, and decrypted by a predetermined decryption method when read out from the external memory or the 5th storage unit.
19. The electric power steering control apparatus according to claim 18,
the encryption and the decryption are performed by dividing the rewriting information into block units.
20. The electric power steering control apparatus according to claim 1 or 12,
the electric power steering control device further includes a 2nd storage unit configured to record a state of success or failure of the rewriting at a timing of transition to each of the processing stages.
21. The electric power steering control apparatus according to claim 20,
when the electric power steering control device is returned from the operation-stopped state, the predetermined process is restarted from the process stage corresponding to the operation-stopped state recorded in the 2nd storage unit among the plurality of process stages.
22. The electric power steering control apparatus according to claim 21,
when the restart cannot be performed, the restart is notified to the outside.
23. An electric power steering system having the electric power steering control apparatus of any one of claims 1 to 22.
CN202010766713.4A 2019-08-06 2020-08-03 Electric power steering control device Pending CN112346756A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2019-144730 2019-08-06
JP2019144730 2019-08-06
JP2020-030787 2020-02-26
JP2020030787A JP2021024555A (en) 2019-08-06 2020-02-26 Electric power steering control device

Publications (1)

Publication Number Publication Date
CN112346756A true CN112346756A (en) 2021-02-09

Family

ID=74358290

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010766713.4A Pending CN112346756A (en) 2019-08-06 2020-08-03 Electric power steering control device

Country Status (1)

Country Link
CN (1) CN112346756A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009087107A (en) * 2007-10-01 2009-04-23 Hitachi Ltd Control system for vehicle
JP2011000894A (en) * 2009-06-16 2011-01-06 Fujitsu Ten Ltd Control device and control method
CN108027753A (en) * 2015-09-29 2018-05-11 日立汽车系统株式会社 On-vehicle control apparatus, program updating system and program renewal software
CN108701064A (en) * 2016-03-02 2018-10-23 住友电气工业株式会社 Program updating system, method for updating program and computer program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination