CN116610335A - Vehicle control device, vehicle control method, and recording medium - Google Patents

Vehicle control device, vehicle control method, and recording medium Download PDF

Info

Publication number
CN116610335A
CN116610335A CN202310091809.9A CN202310091809A CN116610335A CN 116610335 A CN116610335 A CN 116610335A CN 202310091809 A CN202310091809 A CN 202310091809A CN 116610335 A CN116610335 A CN 116610335A
Authority
CN
China
Prior art keywords
vehicle
program
update
area
unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310091809.9A
Other languages
Chinese (zh)
Inventor
加藤久浩
伯川弘昭
相吉泽怜
猪股孝幸
川俣圣寿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Honda Motor Co Ltd
Original Assignee
Honda Motor Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from JP2022137520A external-priority patent/JP2023118654A/en
Application filed by Honda Motor Co Ltd filed Critical Honda Motor Co Ltd
Publication of CN116610335A publication Critical patent/CN116610335A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/71Version control; Configuration management

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

Provided are a vehicle control device, a vehicle control method, and a recording medium. Reliability relating to updating of a program for controlling a vehicle is ensured. The vehicle control device is provided with: a vehicle control unit that performs control of a vehicle by executing a vehicle start program for starting the vehicle; a storage unit having a rewrite-limiting area in which the vehicle-starting program is stored and in which rewriting is limited, and a rewritable area in which the vehicle-starting program is stored in a rewritable manner; a communication unit that communicates with an external device; and a program updating unit configured to execute an update process of storing a vehicle start update program for updating the vehicle start program received by the communication unit in the rewritable region, wherein the vehicle control unit executes the vehicle start program stored in the rewritable region, and executes the vehicle start program stored in the rewritable region when the update process of the program updating unit is not completed normally.

Description

Vehicle control device, vehicle control method, and recording medium
Technical Field
The invention relates to a vehicle control device, a vehicle control method, and a recording medium.
Background
In recent years, the safety of traffic has been improved or CO 2 For the purpose of exhaust reduction, the functions of software for controlling the vehicle are enriched. Further, a technique of updating a program executed by an ECU (Electronic Control Unit: electronic control unit) mounted on a vehicle has been proposed. For example, patent document 1 discloses a configuration in which a storage unit storing a program includes a vehicle control program storage area storing a control program and a 2 nd program storage area storing an update program that is an updated version of the control program. According to this configuration, even during execution of the control program, the update program can be stored in the storage unit, and the restriction on the timing of the update program can be reduced.
Prior art literature
Patent literature
Patent document 1: japanese patent application laid-open No. 2019-144669
Disclosure of Invention
Problems to be solved by the invention
The software for controlling the vehicle includes an important program for performing basic operations of the vehicle. When such a program is damaged, the operation of the vehicle is greatly affected. Therefore, it is required to ensure reliability in relation to the processing of the update program.
The present invention has been made in view of such a background, and an object thereof is to ensure reliability in relation to updating of a program for controlling a vehicle.
Means for solving the problems
One aspect for achieving the above object is a vehicle control device, comprising: a vehicle control unit that performs control of a vehicle by executing a vehicle start program for starting the vehicle; a storage unit having a rewrite-limiting area in which the vehicle-starting program is stored and in which rewriting is limited, and a rewritable area in which the vehicle-starting program is stored in a rewritable manner; a communication unit that communicates with an external device; and a program updating unit that executes an update process of storing a vehicle start update program for updating the vehicle start program received by the communication unit in the rewritable region, wherein the vehicle control unit executes the vehicle start program stored in the rewritable region, and executes the vehicle start program stored in the rewritable region when the update process of the program updating unit is not completed normally.
ADVANTAGEOUS EFFECTS OF INVENTION
According to the above configuration, even when an obstacle occurs in updating the program for starting the vehicle, the vehicle can be started by using the program stored in the area where the rewriting is restricted. Thereby, reliability relating to updating of the program for controlling the vehicle can be ensured.
Drawings
Fig. 1 is a schematic configuration diagram of a control system of a vehicle.
Fig. 2 is a diagram showing an outline structure of the program management system.
Fig. 3 is a block diagram showing a main part configuration of the control system in embodiment 1.
Fig. 4 is a schematic diagram showing a configuration example of the storage unit in embodiment 1.
Fig. 5 is a flowchart showing the operation of the control system in embodiment 1.
Fig. 6 is a flowchart showing the operation of the control system in embodiment 1.
Fig. 7 is a schematic diagram showing a configuration example of a storage unit in embodiment 2.
Fig. 8 is a flowchart showing the operation of the control system in embodiment 2.
Fig. 9 is a flowchart showing the operation of the control system in embodiment 2.
Fig. 10 is a flowchart showing the operation of the control system in embodiment 2.
Description of the reference numerals
1 … control system (vehicle control device), 2 … center ECU,12 … TCU (communication unit), 19 … DLC (communication unit), 20 … zone ECU,20a … zone 1 ECU,20B … zone 2 ECU,20c … zone 3 ECU,30 a, 30B, 30c, 30d, 30e, 30f, 30g, 30h, 30i, 30j, 30k, 30l, 30m, 30n … ECU,41 … power relay, 51 … program execution unit (vehicle control unit), 52 … update execution unit (program update unit), 53a … storage unit, 61a … guide area (rewrite restriction area), 62 … program storage area (rewritable area), the 67 … program stores the 1 st area (rewritable area), the 68 … program stores the 2 nd area (rewritable area), the 72 … vehicle-starting program, the 73 … vehicle-starting program, the 74 … abnormality occurrence information, the 81 … master guidance record, the 82 … vehicle-starting program, the 85, 86 … vehicle-starting program, the 87A, 87B … abnormality occurrence information, the 88A, 88B … update information, the 100 … program management system, the 110 … server, the 120 … vehicle diagnostic device, the 201 … update control unit, the 202 … update data receiving unit, the 203 … update data control unit, and the V … vehicle.
Detailed Description
Fig. 1 is a diagram showing a control system 1 of a vehicle.
The control system 1 includes a central ECU2 that performs overall control and information processing of the vehicle. Hereinafter, the vehicle on which the control system 1 is mounted is referred to as a host vehicle. Specifically, the host vehicle is a vehicle V described later. The central ECU2 is connected to communication lines including communication lines 4a, 4b, and 4 c. The central ECU2 functions as a gateway that manages the transmission and reception of communication data between these communication lines. Further, a TCU (Telematics Control Unit: telematics control unit) 12, which is a wireless device conforming to the communication standard of the mobile communication system, is connected to the central ECU2. The central ECU2 performs OTA (Over The Air) management using The TCU 12. OTA management contains controls related to: a process of downloading an update program of an in-vehicle device provided in a vehicle from a server outside the vehicle, and a process of applying the downloaded update program to the in-vehicle device. Further, DLC (Data Link Connector: data link connector) 19 is connected to the central ECU2. The DLC19 can be connected to a diagnostic device or the like described later.
The 1 st zone ECU20a, the 2 nd zone ECU20b, and the 3 rd zone ECU20c are connected to the communication lines 4a, 4b, and 4c, respectively. The number and types of ECUs connected to the 1 st zone ECU20a, the 2 nd zone ECU20b, and the 3 rd zone ECU20c are not limited, and in the present embodiment, one configuration example is shown. In this example, the ECU30a, 30b, 30c are connected to the 1 st zone ECU20 a. The 2 nd zone ECU20b is connected to the ECUs 30d, 30e, 30f, 30g, 30h, 30i, 30j, 30k. The 3 rd zone ECU20c is connected to the ECUs 30l, 30m, 30n.
Hereinafter, the 1 st zone ECU20a, the 2 nd zone ECU20b, and the 3 rd zone ECU20c are also collectively referred to as zone ECU20, and the ECUs 30a to 30n are also collectively referred to as ECU30.
The ECU30 may include, for example, an MPU (Map Positioning Unit: map positioning unit), an MVC-ECU (MVC; multi View Camera: multi view camera), a PKS-ECU (PKS; parking Support), and/or an ADAS-ECU (ADAS; advanced Driver-assistance System), and other ECUs that control operations of various devices and sensors provided in the vehicle. Such devices and sensors may include a travel motor for causing the host vehicle to travel, an operator such as an accelerator or a brake, a VSA device (VSA; vehicle Stability Assist: vehicle stability support system), a battery, a lamp body such as a headlight, a window motor for driving a door or window, an actuator for driving a door lock mechanism, a door lock sensor, a door opening/closing sensor, a temperature sensor, an off-vehicle camera, an in-vehicle camera, and the like.
To each of the zone ECU20, a plurality of ECU30 disposed in the same zone of the body space of the host vehicle, or a plurality of ECU30 that control the operation of devices or sensors disposed in the same zone are connected.
In addition, other control devices or equipment may be connected to the central ECU2 in addition to the zone ECU 20. Such a control device or equipment can include an ICB (Infotainment Control Box: infotainment control box), a speaker, a microphone, a dashboard, a steering switch, a GNSS (GNSS; global Navigation Satellite System: global navigation satellite system) sensor, a touch panel, and the like.
In the present embodiment, the communication lines 4a, 4b, and 4c are constituted by, for example, CAN buses that perform communication conforming to the CAN communication standard. Hereinafter, the communication lines 4a, 4b, and 4c are also collectively referred to as communication lines 4. Here, the communication line 4 corresponds to an in-vehicle network in the present disclosure. Further, the zone ECU20 connected with the communication line 4 corresponds to a plurality of electronic control devices in the present disclosure.
The zone ECU20 connected to the communication line 4 transmits data to be transmitted to the communication line 4 through one frame or as a series of frames according to the CAN communication standard according to the related art. Each frame transmitted according to the CAN communication standard includes an identification code (ID), and each zone ECU20 that has received the frame determines whether or not the frame is a frame transmitted to itself, based on the ID included in the frame.
Fig. 2 is a diagram showing an outline structure of the program management system 100.
The program management system 100 is a system capable of updating programs executed by various ECUs constituting the control system 1. The program management system 100 includes a server 110 and a vehicle diagnostic device 120.
The server 110 is connected to the control system 1 via a communication network N.
The communication network N includes, for example, a cellular communication network, a Wi-Fi (registered trademark) network, bluetooth (registered trademark), the internet, a WAN (Wide Area Network: wide area network), a LAN (Local Area Network: local area network), a public line, an operator device, a private line, a base station, and the like, and a base station B is illustrated in fig. 2. By performing cellular communication between the TCU12 provided in the control system 1 and the base station B, data communication is performed with an external device via the communication network N.
The control system 1 performs communication with the server 110 through the TCU12, whereby update data for updating programs executed by various ECUs of the control system 1 can be downloaded from the server 110. The unit of the control system 1 that downloads the update data from the server 110 and updates the program corresponds to the above-described OTA. The server 110 corresponds to an example of an external device of the control system 1. The TCU12 corresponds to an example of the communication section.
The vehicle diagnostic device 120 is a device provided in a dealer or a maintenance factory that processes the vehicle V on which the control system 1 is mounted. The vehicle diagnostic device 120 is connected to the DLC19 included in the control system 1 via a cable. The control system 1 can update a program executed by the control system 1 by performing communication with the vehicle diagnostic device 120. The vehicle diagnostic device 120 can be used as an example of an external device, and the DLC19 can be used as an example of a communication unit.
Here, the update of the program of the ECU means that the program executed by the ECU is rewritten to a different version of the program. The update of the program of the ECU may include data referred to when the ECU executes the program together with the program, and/or data generated or changed by the execution of the program. The update of the program of the ECU sometimes includes rewriting the program executed by the ECU to a program of a different version.
[ embodiment 1 ]
First, embodiment 1 of the present disclosure will be described.
Fig. 3 is a block diagram showing a main part configuration of the control system 1 in embodiment 1. Fig. 3 shows a part of the configuration of the control system 1 related to the update of the program, and does not prevent the control system 1 from having a configuration not shown in fig. 3.
The control system 1 includes a processor and a storage unit for each ECU including the central ECU2, the zone ECU20, and the ECU 30. The processor is composed of, for example, a CPU (Central Processing Unit: central processing unit), an MCU (Micro Controller Unit: micro control unit), and an MPU (Micro Processor Unit: micro processing unit). The storage unit stores a program executed by the processor and data processed by the processor in a nonvolatile manner. The storage unit is, for example, a ROM (Read Only Memory). The ECU may also include a RAM (Random Access Memory: random access memory) that forms a work area for temporarily storing programs and data. The ECU may be constituted by an integrated circuit integrally provided with a processor, ROM, and RAM. The ECU may have a configuration in which the processor, the ROM, and the RAM are each independent hardware.
The central ECU2 includes an update control unit 201 as a function unit related to the update of the program. The update control unit 201 may be hardware provided in the central ECU 2. The update control unit 201 may be a functional unit realized by cooperation of software and hardware by executing a program by a processor of the central ECU 2.
The update control unit 201 includes an update data reception unit 202 and an update data control unit 203. The update data receiving unit 202 controls the TCU12, and receives update data for updating a program from the server 110. The update data control unit 203 controls the processing of various ECU update programs including the central ECU2, using the update data received by the update data receiving unit 202.
In fig. 3, the 2 nd area ECU20b is shown as a control target of the update control unit 201, but this is an example. The number of ECUs to be controlled by the update control unit 201 is not limited. The update control unit 201 controls the update of a program executed by at least a part of the ECU included in the control system 1. The update control unit 201 may control the update of a program executed by all or substantially all of the ECUs included in the control system 1.
As an example of the ECU that updates the program according to the control of the update control unit 201, the zone 2 ECU20b will be described in this embodiment.
The zone 2 ECU20b includes a program execution unit 51, an update execution unit 52, and a storage unit 53. The storage unit 53 corresponds to the storage unit described above. The program execution unit 51 executes the program stored in the storage unit 53. The program execution unit 51 can also be said to indicate the function of the processor itself provided in the 2 nd area ECU20 b. The program execution unit 51 corresponds to an example of a vehicle control unit. The control system 1 corresponds to an example of a vehicle control device. The storage unit 53 stores the program executed by the program execution unit 51 and data associated with the program. The update execution unit 52 updates the program stored in the storage unit 53. The update execution unit 52 corresponds to an example of a program update unit.
In the vehicle V, the control targets of the zone 2 ECU20b are the ECUs 30d to 30k shown in fig. 1. Examples of the ECUs 30d to 30k include ECUs that control the lamp body, window motor, door sensor, door lock mechanism, and ESL of the vehicle V. The ECUs 30d to 30k include, for example, ECUs that control a wiper motor, a window washing motor, and a power relay 41. In the present embodiment, the ECU30k is described as the ECU that controls the power supply relay 41.
The wiper motor is a motor that operates a wiper of the vehicle V. The window washing motor is a motor for driving the window washing pump. The window washing pump is driven by a window washing motor, and sprays a window washing liquid to the front window of the vehicle V.
The power relay 41 is a circuit that performs switching for switching a power supply state in which power is supplied from a battery mounted on the vehicle V. The ECU30k controls the power relay 41 based on the signal output from the 2 nd area ECU20b, and switches between a power-on state in which power from the battery is supplied to each part of the control system 1 and a power-off state in which power supply to at least a part of the control system 1 is stopped. The power relay 41 is, for example, a contact relay. The power relay 41 may also be an element called a solid state relay or a semiconductor relay, or other switching element.
Here, the power-on state refers to a state in which the vehicle V can run by operating the driving device of the vehicle V. The driving device is, for example, a motor or an internal combustion engine that drives the vehicle. For example, a case where the vehicle V is traveling, a case where the vehicle V is stopped and the driving device is operated, and a state where the driving device can be operated are included in the power-on state. On the other hand, the power-off state is a state in which at least the driving device of the vehicle V is stopped, and the starting process is required to operate the driving device. In the power-off state, the control system 1 may stop the components other than the driving device.
For example, when the drive device includes an internal combustion engine, the power-off state includes a state in which the internal combustion engine is stopped and a state in which a motor or the like that starts the internal combustion engine is not operated. In addition, for example, in the case where the driving device includes a motor, the power-off state refers to a state in which the supply of electric power to the motor is stopped and the control of the driving state of the motor is stopped. In the power-off state, a plurality of ECUs including the center ECU2 and the zone 2 ECU20b may also be operating.
Here, the operation of the control system 1 to transition from the power-off state to the power-on state is referred to as starting. In order to start the vehicle V, the power relay 41 needs to be turned on and off by the 2 nd area ECU20b controlling the ECU30 k.
Fig. 4 is a schematic diagram showing a configuration example of the storage section 53.
The storage unit 53 has a nonvolatile memory area. The storage unit 53 stores the program and the data in the storage area so as to be rewritable. The storage unit 53 is constituted by, for example, a semiconductor memory device or a magnetic recording apparatus. Specifically, the storage unit 53 is constituted by a flash ROM or EEPROM (Electrically Erasable Programmable ROM: electrically erasable programmable read only memory). In the following description, the program and data stored in the storage unit 53 are described as a program. That is, the program mentioned in the following description includes data referred to, generated, or processed when the processor executes the program. The entirety of these programs and data can also be referred to as software. That is, the program management system 100 has a function of managing and updating software of the control system 1 mounted on the vehicle V.
The storage area of the storage unit 53 is logically divided into a plurality of areas. That is, the storage 53 is provided with a guide area 61 and a program storage area 62. The guide area 61 and the program storage area 62 each store a program. The guide area 61 is an area in which overwriting by the update execution section 52 is restricted or prohibited. The guide area 61 corresponds to an example of the overwrite restricting area. Therefore, the update execution unit 52 does not perform a process of updating the program stored in the guide area 61. In contrast, the program storage area 62 is an area that can be rewritten by the update execution unit 52. The program storage area 62 corresponds to an example of the rewritable area. The update execution unit 52 can execute a process of causing the program storage area 62 to store a new program and a process of updating the program stored in the program storage area 62. The guide area 61 does not have to be completely prohibited from being rewritten, and may be an area set so as not to be a processing target of rewriting the program or data by the update execution unit 52. For example, the control of the vehicle diagnostic device 120 connected by the central ECU2 or via the DLC19 is not prevented from overwriting the guide area 61.
The write restriction for the boot area 61 may be a hardware-based restriction or a software-based restriction. For example, in the case where the boot area 61 and the program storage area 62 are provided in the storage area of the same semiconductor storage device, the restriction on the boot area 61 is realized by updating the specification or software of the execution unit 52. In addition, for example, in the case where the boot area 61 and the program storage area 62 are storage areas of different semiconductor storage devices, the restriction on the boot area 61 may be realized by hardware.
Boot area 61 stores boot loader 71. The boot loader 71 is a program that is executed by the program execution unit 51 at the beginning when the 2 nd ECU20b starts the vehicle V. The program execution unit 51 executes the boot loader 71 to perform initialization and the like necessary for the processing of the program execution unit 51. The program execution unit 51 reads and executes the vehicle starting program 73 stored in the program storage area 62 by the function of the boot loader 71.
The program storage area 62 stores programs executed by the program execution unit 51. The program storage area 62 stores a vehicle starting program 73. The vehicle start program 73 includes a program for controlling the ECU30k by the zone 2 ECU20b to actuate the power relay 41 to start the vehicle V. The vehicle starting program 73 may include a function of controlling an engine starter, not shown, and the like.
The vehicle starting program 73 includes one or more programs for performing basic actions of the vehicle V. That is, the vehicle start program 73 includes functions necessary for starting, running, and stopping the vehicle V. For example, the vehicle starting program 73 includes functions related to control of the door lock mechanism and the ESL.
Further, the functions of the vehicle starting program 73 include control that is required to be executed during running of the vehicle V according to law or the like. For example, the vehicle start program 73 includes a function related to control of lighting of the lamp body of the vehicle V, a function related to control of the wiper motor, and a function related to control of the window washing motor.
The functions of the vehicle start program 73 may include functions necessary for updating the programs in the control system 1. For example, the vehicle starting program 73 may include a function of performing communication with the server 110 via the TCU12 and a function of performing communication with the vehicle diagnostic device 120 via the DLC 19.
The vehicle starting program 73 may include a program related to a function that is not necessary for traveling of the vehicle V. For example, the vehicle starting program 73 may include a function related to accessibility for improving convenience of the user and a function related to infotainment for improving entertainment of the user. Specifically, the functions of the vehicle starting program 73 may include a function of opening/closing a door in a hands-free manner, a function of performing a show by lighting a cabin space of the vehicle V, and the like.
The boot area 61 stores a vehicle start program 72 in addition to the boot loader 71. The vehicle start program 72 is a program executed by the program execution unit 51 and controlled by the program execution unit 51, similarly to the vehicle start program 73. The vehicle starting program 72 includes one or more programs for executing basic operations of the vehicle V, similarly to the vehicle starting program 73. Specifically, the control includes functions required for starting, running, and stopping the vehicle V, and control required to be executed during running of the vehicle V according to law or the like. Therefore, by the program execution unit 51 executing the vehicle start program 72, at least the vehicle V can be started and the vehicle V can be driven.
The vehicle starting program 72 may be a program that does not include a function related to accessibility for improving convenience of the user or a function related to infotainment for improving entertainment of the user among the functions realized by the vehicle starting program 73. In this case, since the storage capacity for storing the vehicle start program 72 is smaller than the vehicle start program 73, the storage capacity of the guide area 61 can be suppressed.
The vehicle starting program 73 stored in the program storage area 62 can be updated by updating the function of the execution unit 52. In contrast, the vehicle start program 72 stored in the guide area 61 is not updated by the update execution unit 52. For example, the vehicle start program 72 is kept stored in the guide area 61 without being changed when the vehicle V leaves the factory. Therefore, the vehicle starting program 72 is in a protected state regardless of the operation of the update execution unit 52. In the update process in which the update execution unit 52 updates the vehicle start program 73, the control system 1 can start the vehicle V and run the vehicle V by executing the vehicle start program 72 by the program execution unit 51 even when some failure occurs.
Fig. 5 and 6 are flowcharts showing the operation of the control system 1. Fig. 5 shows a process of updating the vehicle starting program 73 stored in the program storage area 62. Steps S14 to S16 in fig. 5 correspond to an example of the update process.
The update data reception unit 202 transmits a request to the server 110 via the TCU12 (step S11). The request of step S11 is a request for updating an update program of a program stored in the ECU, for example, a request for transmitting a vehicle control update program for updating the vehicle starting program 73.
The update data receiving unit 202 downloads the program transmitted by the server 110 in response to the request of step S11 from the server 110, and temporarily stores the program in a storage area (not shown) (step S12). Here, since the update data control unit 203 starts the update process, it waits for the power supply of the vehicle V to be switched off. That is, the update data control unit 203 determines whether or not the vehicle V is switched to the power-off state (step S13). While the vehicle V is not switched to the power-off state (step S13; no), the update data control unit 203 waits in step S13.
When it is determined that the vehicle V is switched to the power-off state (yes in step S13), the update execution unit 52 starts the update process under the control of the update data control unit 203 (step S14).
In the update process, the update execution unit 52 causes the program storage area 62 to store the vehicle control update program downloaded in step S12 (step S15). The update execution unit 52 executes the installation of the vehicle starting program 73 stored in the program storage area 62 by using the vehicle control update program stored in the program storage area 62 (step S16). The process of step S16 corresponds to a process of updating the vehicle starting program 73 to a new version of the vehicle starting program 73.
The update execution unit 52 performs a process of confirming that the installation is completed normally (step S17). In step S17, the update execution unit 52 confirms that the installed program is in a state that can be normally executed by the program execution unit 51. For example, the update execution unit 52 calculates the hash value of the updated vehicle start program 73, and compares the hash value downloaded from the server 110 together with the vehicle control update program with the calculated hash value, thereby confirming the normality of the updated vehicle start program 73.
Based on the result of the processing in step S17, the update execution unit 52 determines whether or not the installation of the vehicle starting program 73 is completed normally (step S18). When the installation is completed normally (step S18; yes), the update execution unit 52 executes activation of the installed program (step S19), and the present process ends. The activation includes settings related to the execution of the updated program.
When it is determined that the installation of the vehicle starting program 73 is not completed normally (step S18; no), the update execution unit 52 writes the abnormality occurrence information 74 to the program storage area 62 (step S20).
The abnormality generation information 74 is information indicating that the update process of the vehicle starting program 73 is not completed normally. The abnormality generation information 74 may be, for example, a flag. In this case, in step S20, the update execution unit 52 writes the abnormality occurrence information 74 in the state that the flag of the abnormality occurrence information 74 is valid. When the abnormality occurrence information 74 is stored in the program storage area 62, the program execution unit 51 does not execute the vehicle start program 73 at the time of starting. This can prevent the vehicle starting program 73 from executing a possibly abnormal operation.
Fig. 6 shows the operation related to the start of the 2 nd area ECU20 b.
The program executing unit 51 reads and executes the boot loader 71 stored in the boot area 61 (step S31). Next, the program execution unit 51 refers to the program storage area 62 (step S32), and determines whether or not the abnormality occurrence information 74 is stored (step S33). When the abnormality occurrence information 74 is not stored (step S33; no), the program execution unit 51 executes the vehicle starting program 73 stored in the program storage area 62 (step S34). The program execution unit 51 executes the vehicle start program 73 to switch the power relay 41 by the ECU30k, thereby starting the vehicle V (step S35). Thus, the control system 1 can control the functions necessary for the running of the vehicle V, and the vehicle V is brought into the power-on state.
When the abnormality occurrence information 74 is stored in the program storage area 62 (step S33; yes), the program execution unit 51 executes the vehicle starting program 72 stored in the guidance area 61 (step S36). The program execution unit 51 executes the vehicle start program 72 to switch the power relay 41 by the ECU30k, thereby starting the vehicle V (step S37).
In this case, the update control unit 201 or the program execution unit 51 notifies of the occurrence of an abnormality (step S38). The abnormality occurrence notification is a notification indicating that the update process of the vehicle starting program 73 is not completed normally.
For example, the abnormality occurrence notification is performed for a user who gets on a driver seat or other seat of the vehicle V. Regarding the content of the abnormality occurrence notification, for example, a user is guided to request re-execution of the update of the vehicle start program 73, the vehicle start program 73 is updated by the vehicle diagnostic device 120 in the dealer or the repair shop of the vehicle V, or the like. In step S38, for example, a text or an image is displayed on a touch panel mounted on the vehicle V, or a sound is outputted from a speaker mounted on the vehicle V to perform notification.
After the notification of the occurrence of the abnormality, the update control unit 201 or the program execution unit 51 transmits an abnormality occurrence signal to the external device (step S39). The abnormality generation signal is a signal indicating that the update process of the vehicle starting program 73 is not completed normally. The abnormality occurrence notification is transmitted to the server 110 through the TCU12, or to the vehicle diagnostic device 120 via the DLC19, for example. In step S39, the abnormality occurrence notification may be transmitted to a smart phone or a personal computer registered in the control system 1.
By transmitting the abnormality occurrence signal from the control system 1 to the server 110 or other devices, for example, it is possible to make support regarding repair or re-update of the vehicle start program 73 from the dealer or the repair factory of the vehicle V to the user who drives the vehicle V.
[ embodiment 2 ]
Next, embodiment 2 of the present disclosure will be described.
Fig. 7 is a schematic diagram showing a configuration example of the storage unit 53A in embodiment 2. The storage portion 53A is provided in the 2 nd area ECU20b instead of the storage portion 53 shown in fig. 3 and 4. The configuration and function of the control system 1 in embodiment 2 are common to embodiment 1 except for the difference between the storage unit 53 and the storage unit 53A and the difference in operation related to the difference. In the following description, the structures described in embodiment 1 are denoted by the same reference numerals as those in embodiment 1, and illustration and description thereof are omitted.
The storage unit 53A has a nonvolatile memory area. The storage unit 53A stores the program and the data in the storage area so as to be rewritable. The storage unit 53A is constituted by a semiconductor memory device or a magnetic recording apparatus, specifically, a flash ROM or an EEPROM, similarly to the storage unit 53.
The storage area of the storage unit 53A is logically divided into a plurality of areas. That is, the storage 53A is provided with a boot area 61A, A, a B-side boot image storage area 65, a B-side boot image storage area 66, a program storage 1 st area 67, and a program storage 2 nd area 68. These areas each store a program.
The guide area 61A stores a main guide record 81 and a vehicle start program 82. The guide area 61A is configured in the same manner as the guide area 61 except that the program stored in the guide area 61A is different from the guide area 61.
The master boot record 81 is a program that is executed by the program execution unit 51 at the beginning when the 2 nd zone ECU20b starts the vehicle V. The program execution unit 51 refers to the master boot record 81, and the master boot record 81 includes data and the like specifying a program to be executed by the program execution unit 51 immediately after the program corresponding to the boot loader 71 and the program corresponding to the boot loader 71. The program execution unit 51 executes the program included in the main boot record 81, thereby performing initialization and the like necessary for the processing of the program execution unit 51. The program execution unit 51 reads and executes the boot program 83 or the boot program 84 by the function of the boot loader 71.
The a-plane boot image storage area 65 stores a boot program 83. The B-side boot image storage area 66 stores a boot program 84.
The boot program 83 is a program for executing the basic operation of the 2 nd area ECU20b and starting the execution of the vehicle starting program 85. The boot routine 84 is a routine for executing the basic operation of the 2 nd area ECU20b and starting the execution of the vehicle start routine 86.
Therefore, the program execution unit 51 executes the boot program 83 and the vehicle start program 85 or the boot program 84 and the vehicle start program 86 immediately after the main boot record 81.
The program storage 1 st area 67 stores a vehicle starting program 85. The program storage 2 nd area 68 stores a vehicle starting program 86. The vehicle start program 85 is the same program as the vehicle start program 73. The same applies to the vehicle starting program 86. Further, the program storage 1 st area 67 is capable of storing abnormality generation information 87A and update information 88A. The program storage 2 nd area 68 can store abnormality generation information 87B and update information 88B.
That is, the vehicle start programs 85 and 86 include a program for operating the ECU30k by the zone 2 ECU20b to switch the power relay 41 and start the vehicle V. The vehicle starting programs 85 and 86 may include a function of controlling an engine starter, not shown, and the like.
The vehicle starting programs 85, 86 include one or more programs for performing basic actions of the vehicle V. In other words, the vehicle starting programs 85 and 86 include functions necessary for starting and stopping the vehicle V. For example, the vehicle starting programs 85 and 86 include functions for controlling the door lock mechanism 33 and the ESL 34. The functions of the vehicle starting programs 85 and 86 include control that is required to be executed during running of the vehicle V according to law and the like. For example, the vehicle starting programs 85 and 86 include a function of controlling lighting of the lamp body, a function of controlling the wiper motor, and a function of controlling the window washing motor.
The functions of the vehicle starting programs 85, 86 may include functions necessary for updating the programs in the control system 1. For example, the vehicle starting programs 85 and 86 may include a function of performing communication with the server 110 via the TCU12 and a function of performing communication with the vehicle diagnostic device 120 via the DLC 19.
The vehicle starting programs 85 and 86 may include programs related to functions that are not necessary for the running of the vehicle V. For example, the vehicle starting programs 85 and 86 may include functions related to accessibility for improving convenience of the user and functions related to infotainment for improving entertainment of the user. Specifically, the functions of the vehicle starting programs 85 and 86 may include a function of opening/closing a door in a hands-free manner, a function of performing a show by lighting a cabin space of the vehicle V, and the like.
The vehicle start program 85 and the vehicle start program 86 are each a program suitable for the 2 nd area ECU20 b. The vehicle starting program 85 and the vehicle starting program 86 may be the same program or may be different programs. For example, the vehicle starting program 85 and the vehicle starting program 86 are the same kind of programs, and are programs of different versions. Suppose that the vehicle start program 86 is an example of a newer version than the vehicle start program 85. In this example, the vehicle start program 86 is a program in which a modified version of the function is added to the vehicle start program 85. The vehicle starting program 86 is a program that eliminates the drawbacks and vulnerabilities of the vehicle starting program 85, for example.
The guide area 61A stores a vehicle start program 82 in addition to the main guide record 81. The vehicle start program 82 is a program executed by the program execution unit 51 and controlled by the program execution unit 51, similarly to the vehicle start programs 85 and 86.
The vehicle starting program 82 includes one or more programs for executing basic operations of the vehicle V, similarly to the vehicle starting programs 85 and 86. Specifically, the control includes functions required for starting, running, and stopping the vehicle V, and control required to be executed during running of the vehicle V according to law or the like. Therefore, by the program execution unit 51 executing the vehicle start program 82, at least the vehicle V can be started and the vehicle V can be driven.
The vehicle starting program 82 may be a program that does not include a function related to accessibility for improving convenience of the user or a function related to infotainment for improving entertainment of the user among the functions implemented by the vehicle starting programs 85 and 86. In this case, since the storage capacity for storing the vehicle starting program 82 is smaller than the vehicle starting programs 85 and 86, the storage capacity of the guide area 61A can be suppressed.
The storage area of the storage section 53A is classified into a face a and a face B. The a-plane boot image storage area 65 and the program storage 1 st area 67 belong to the a-plane. The B-side boot image storage area 66 and the program storage 2 nd area 68 belong to the B-side. The guide region 61A does not belong to either the a-plane or the B-plane.
The storage area of the a-plane and the storage area of the B-plane store programs independently of each other. The program execution unit 51 realizes various functions of the 2 nd area ECU20B by using a program stored in a memory area of either one of the a-plane and the B-plane. When the program execution unit 51 selects the a-plane, the program execution unit 51 executes the boot program 83 and the vehicle start program 85 immediately after the main boot record 81. In this case, the program execution unit 51 can control each unit including the power relay 41 without executing the program on the B-plane. That is, if the program is normally stored in either one of the a-plane and the B-plane in the storage portion 53A, the program execution portion 51 can execute the operation as the 2 nd area ECU 20B.
When updating the program stored in the storage unit 53A, the update execution unit 52 selects one of the surfaces a and B. As an example, assume a case where a program of a newer version than the vehicle starting program 85 stored in the program storage 1 st area 67 is provided by the server 110. In this case, the update execution unit 52 updates the vehicle starting program 86 stored in a different storage area from the vehicle starting program 85. The update execution unit 52 downloads a vehicle control update program for updating the vehicle start program 86 from the server 110, and updates the program stored in the program storage 2 nd area 68 based on the vehicle control update program. Thereafter, the update execution unit 52 changes the setting so that the program execution unit 51 executes the vehicle starting program 86 as a new version.
The program storage 1 st area 67 and the program storage 2 nd area 68 are areas that can be rewritten by the update execution unit 52. The program storage 1 st area 67 and the program storage 2 nd area 68 correspond to an example of a rewritable area. Therefore, the update execution unit 52 can execute a process of storing a new program and a process of updating a stored program with respect to the program storage 1 st area 67 and the program storage 2 nd area 68.
The guide area 61A is an area in which overwriting is restricted or prohibited, similarly to the guide area 61. The guide area 61A corresponds to an example of the overwrite restricting area. Therefore, the update execution unit 52 does not perform a process of updating the program stored in the guide area 61A. Specifically, the vehicle start program 82 is not the object of the update process executed by the update execution unit 52. For example, the vehicle start program 82 is maintained in a state stored in the guide area 61A without being changed when the vehicle V leaves the factory. The guide area 61A is not necessarily completely prohibited from being rewritten, and may be set as an area that is not the target of the processing of rewriting the program or data by the update execution unit 52. For example, the control of the vehicle diagnostic device 120 connected by the central ECU2 or via the DLC19 is not prevented from overwriting the guide area 61A.
The a-plane boot image storage area 65 and the B-plane boot image storage area 66 are not the targets of the update execution unit 52 for rewriting the program. For example, the a-plane boot image storage area 65 and the B-plane boot image storage area 66 may be areas in which the rewriting of the update execution unit 52 is restricted, similarly to the boot area 61A.
The vehicle starting program 73 stored in the program storage area 62 can be updated by updating the function of the execution unit 52. In contrast, the vehicle start program 82 stored in the guide area 61A is not updated by the update execution unit 52. Therefore, the vehicle starting program 82 is in a protected state regardless of the operation of the update execution unit 52. In the update process of the update execution unit 52 to update the vehicle starting programs 85, 86, even when some failure occurs, the control system 1 can start the vehicle V and run the vehicle V by executing the vehicle starting program 82 by the program execution unit 51.
Fig. 8, 9 and 10 are flowcharts showing the operation of the control system 1 according to embodiment 2. Fig. 8 and 9 show a process of updating the vehicle starting programs 85, 86 stored in the storage unit 53A. Fig. 9 is a modification of the operation shown in fig. 8. Steps S14, S41 to S44 in fig. 8 correspond to an example of the update process. Steps S46, S43 to S44 in fig. 9 correspond to an example of the update process.
Steps S11 to S14 and S17 to S19 in fig. 8 are similar to those in fig. 5, and therefore, the description thereof is omitted here.
As shown in fig. 8, after the update process is started in step S14, the update execution unit 52 determines either the program storage 1 st area 67 or the program storage 2 nd area 68 as an area to be updated (step S41). The update execution unit 52 generates update information and stores the update information in the storage unit 53A (step S42). The update information is information indicating whether or not the program on the side that is not updated is suitable for use. The update execution unit 52 generates update information based on the cause of the update process.
As an example, the update execution unit 52 will be described as updating the vehicle starting program 85 stored in the 1 st area 67. In this case, the update execution unit 52 selects the program storage 1 st area 67 as the area to be updated in step S41. The update execution unit 52 generates update information 88B for the vehicle start program 86 stored in the program storage 2 nd area 68 of the area that is not the update target, and stores the update information in the program storage 2 nd area 68. The update information 88B indicates whether the vehicle starting program 86 is suitable for use. When the cause of the update process corresponds to the elimination of the trouble or vulnerability of the vehicle starting program 86, the update execution unit 52 generates update information 88B indicating that the vehicle starting program 86 is unsuitable for use. In addition, when the cause of the update process does not correspond to the elimination of the trouble or vulnerability of the vehicle starting program 86, update information 88B indicating that the vehicle starting program 86 is suitable for use is generated. The cause of the update process can be determined based on, for example, additional information transmitted from the server 110 to the control system 1 together with the vehicle control update program. In this case, when the vehicle control update program is transmitted to the control system 1, the server 110 transmits additional information indicating the cause of the update process to the control system 1. Similarly, when the vehicle starting program 86 stored in the program storage 2 nd area 68 is updated, the update execution unit 52 generates update information 88A indicating whether or not the vehicle starting program 85 is suitable for use, and stores the generated update information in the program storage 1 st area 67. The update information 88A, 88B may be a code indicating the cause of the update processing.
The update execution unit 52 stores the vehicle control update program downloaded in step S12 in the update target area (step S43). The update execution unit 52 executes the installation of the vehicle start program stored in the update target area by using the vehicle control update program stored in step S43 (step S44). The process of step S44 is the same as step S16.
In the determination in step S18, when it is determined that the installation is not completed normally, the update execution unit 52 stores the abnormality occurrence information in the update target area. For example, when the process of updating the vehicle starting program 85 is not completed normally, the update execution unit 52 stores the abnormality occurrence information 87A in the program storage 1 st area 67, which is the area to be updated, in step S45.
Fig. 8 shows the following operations in the same manner as fig. 5: the waiting-for-update-data control unit 203 switches off the power supply of the vehicle V, and executes update processing after the power supply of the vehicle V is switched off. Since the storage unit 53A has the storage area on the a-side and the storage area on the B-side, even when the power of the vehicle V is turned on, the update process can be performed without affecting the reliability of the program. Fig. 9 shows the operation in this case.
In fig. 9, steps S11, S12, S17 to S19, and S43 to S45 are operations common to fig. 8, and therefore, the description thereof is omitted.
As shown in fig. 9, after the update data reception unit 202 downloads the program in step S12, the update execution unit 52 selects a storage area and starts the update process (step S46). In step S46, the update execution unit 52 selects, as the update processing target, the area on the side on which the final update date and time is earlier, of the storage area on the a-side and the storage area on the B-side of the storage unit 53A. In detail, the update execution unit 52 determines the final update date and time of the program storage 1 st area 67 and the program storage 2 nd area 68. The final update date and time of the program storage 1 st area 67 is the date and time when the program stored in the program storage 1 st area 67 was last updated. The final update date and time of program storage area 2 68 is also the same. The update execution unit 52 compares the final update date and time of the program storage 1 st area 67 and the program storage 2 nd area 68, and selects an area having an earlier final update date and time. In step S46, the update execution unit 52 may generate update information by the same process as in step S42, and store the update information in the storage area on the unselected side.
After step S46, the update execution unit 52 moves to step S43.
When the update execution unit 52 determines that the installation is completed normally in the determination of step S18 (step S18; yes), the update data control unit 203 determines whether or not there is an operation to turn off the power supply to the vehicle V (step S47). The determination in step S47 may be the same as in step S13. Alternatively, in step S47, the update data control unit 203 may determine whether or not an operation to turn off the power supply to the vehicle V is instructed. That is, instead of actually switching the power supply of the vehicle V off, an operation to instruct the off may be determined. As such an operation, for example, an operation of an ignition switch of the vehicle V is given.
The update data control unit 203 waits until the power supply to the vehicle V is switched off (step S47; no). When it is determined that the power supply to the vehicle V is turned off (yes in step S47), the update data control unit 203 performs a process of requesting the user for approval of the activation (step S48). For example, in step S48, the update data control unit 203 performs one or more of a process of displaying a message requesting approval of update on the touch panel mounted on the vehicle V and a process of outputting a sound message requesting approval of update from the speaker mounted on the vehicle V. Here, in step S48, the update data control unit 203 may display an icon or the like for an operation for allowing the user to perform an operation to agree with the icon or the like on the touch panel.
The update data control section 203 determines whether or not an operation of approving the update is performed by the user (step S49). The operation of agreeing to update is, for example, an operation for a touch panel. When it is determined that the operation of agreeing with the update is not performed (step S49; no), the update data control unit 203 ends the present process. In this case, the update data control unit 203 performs the operation of step S48 each time the power of the vehicle V is turned off thereafter.
When the update approval operation is performed (yes in step S49), the update execution unit 52 executes activation of the installed program under the control of the update data control unit 203 (step S19), and the present process is terminated. In step S19, the update execution unit 52 sets the program installed in step S44 so as to be executed when the power of the vehicle V is turned on next time.
The update execution unit 52 and the update data control unit 203 may alternatively execute any one of the operations of fig. 8 and 9.
The update execution unit 52 and the update data control unit 203 may be configured to be able to execute both the operations of fig. 8 and 9 and to selectively execute either one of them. For example, when the cause of the update process corresponds to the elimination of the trouble or vulnerability of the vehicle starting program 86, the update data control unit 203 may execute the operation of fig. 8. In this case, the update execution unit 52 and the update data control unit 203 execute the operations of fig. 8 or 9 when the cause of the update process does not correspond to the elimination of the trouble or vulnerability of the vehicle starting program 86. In the update processing of the program, it is necessary to consider a case where the original program cannot be executed by overwriting the program stored in the update storage unit 53A. In the case where both the program stored in the program storage 1 st area 67 and the program stored in the program storage 2 nd area 68 are in a state where there is no obstacle even if the program execution unit 51 executes the program, neither of them is updated, and the reliability is not affected. In this case, the storage unit 53A stores executable programs in both the program storage 1 st area 67 and the program storage 2 nd area 68. Therefore, even if the power supply to the vehicle V is not turned off, the program can be updated without affecting the reliability of the program. In this case, the operation of fig. 9 has an advantage that the update process can be executed while the power of the vehicle V is turned on.
Fig. 10 shows the operation related to the start of the 2 nd area ECU20 b. The operations of fig. 10 can be executed both in the case where the update of the program is executed according to fig. 8 and in the case where the update is executed according to fig. 9.
The program executing unit 51 refers to the Master Boot Record (MBR) 81, and selects and executes the boot program 83 or the boot program 84 (step S51). In step S51, the program execution unit 51 selects either one of the a-plane boot image storage area 65 and the B-plane boot image storage area 66, that is, either one of the a-plane and the B-plane. For example, the program execution unit 51 compares the final update dates and times of the vehicle start program 85 and the vehicle start program 86 by the functions of the programs included in the main guide record 81. In this case, the program execution unit 51 selects a region on the side of the a-side and the B-side in which the vehicle starting program on the side of which the final update date and time is newer is stored.
In the following, a case where the program execution unit 51 selects and executes the program on the a-plane in step S51 will be described as an example. The operation of the program execution unit 51 when selecting the program on the B-plane is understood similarly.
When the program execution unit 51 executes the boot program 83 in step S51, the program storage 1 st area 67 is referred to (step S52), and it is determined whether or not the abnormality occurrence information 87A is stored (step S53).
When the abnormality occurrence information 87A is not stored (step S53; no), the program execution unit 51 executes the vehicle starting program 85 stored in the program storage 1 st area 67 (step S54). The program execution unit 51 executes the vehicle start program 85 to switch the power relay 41 by the ECU30k, thereby starting the vehicle V (step S55). Thus, the control system 1 can control the functions necessary for the running of the vehicle V, and the vehicle V is brought into the power-on state.
When the abnormality occurrence information 87A is stored in the program storage 1 st area 67 (step S53; yes), the program execution unit 51 refers to the update information 88B (step S55). In step S55, the program execution unit 51 refers to the update information 88B stored in the program storage 2 nd area 68, which is the storage area on the side not referred to in step S52.
The program execution unit 51 determines whether the vehicle starting program 86 in the 2 nd area 68 can be stored with the program based on the update information 88B referred to in step S55 (step S57).
When it is determined that the vehicle starting program 86 is available (step S57; yes), the program execution unit 51 executes the vehicle starting program 86 (step S58). The program execution unit 51 executes the vehicle start program 86 to switch the power relay 41 by the ECU30k, thereby starting the vehicle V (step S59). Thus, the control system 1 can control the functions necessary for the running of the vehicle V, and the vehicle V is brought into the power-on state.
After that, the update control unit 201 or the program execution unit 51 notifies 1 st of the occurrence of the abnormality (step S60). The abnormality occurrence 1 st notification is a notification indicating that the update process of the vehicle-starting program 85 is not normally completed, and is a notification that is made in the case where the vehicle-starting program 86 is executable. The notification method of the abnormality occurrence 1 st notification is the same as that of the abnormality occurrence notification executed in step S38.
When it is determined that the vehicle starting program 86 is not available (step S57; no), the program executing unit 51 executes the vehicle starting program 82 stored in the guide area 61A (step S61). The program execution unit 51 executes the vehicle start program 82 to switch the power relay 41 by the ECU30k, thereby starting the vehicle V (step S62). Thus, the control system 1 can control the functions necessary for the running of the vehicle V, and the vehicle V is brought into the power-on state.
After that, the update control unit 201 or the program execution unit 51 notifies the occurrence of the abnormality 2 (step S60). The abnormality occurrence 2 nd notification is a notification indicating that the update process of the vehicle-starting program 85 is not normally completed and that the vehicle-starting program 86 is not suitable for use. The abnormality occurrence 1 st notification is notified when one of the vehicle starting programs 85, 86 stored in the storage unit 53A is normally usable and the update process of the other is unsuccessful. This situation can be eliminated by re-performing the update process. In contrast, the abnormality occurrence 2 nd notification indicates that both the vehicle starting programs 85, 86 stored in the storage unit 53A are unsuitable for use, in other words, the vehicle V is started by the emergency vehicle starting program 82. The vehicle starting program 82 is a program having a function of satisfying a criterion for safe running of the vehicle V, but has fewer functions than the vehicle starting programs 85 and 86. Therefore, it is desirable to deal with the state in which the vehicle V is started by the vehicle starting program 82 as soon as possible. For example, it is desirable to update or repair at least one of the vehicle starting programs 85, 86 by connecting the vehicle diagnostic device 120 to the DLC19 in a dealer or a repair factory of the vehicle V.
Thus, the abnormality generation 1 st notification is, for example, content that prompts the user to resume the update processing. In contrast, the abnormality occurrence notification 2 is, for example, a content that requires the user to perform the processing as soon as possible. Therefore, the mode in which the abnormality generates the 1 st notification and the mode in which the abnormality generates the 2 nd notification are desirably modes having differences in the degree to which the user can clearly distinguish them. The notification method of the abnormality occurrence 2 nd notification can employ the same method as the abnormality occurrence 1 st notification executed in step S60.
After the notification of the occurrence of the abnormality 2 nd, the update control unit 201 or the program execution unit 51 transmits an abnormality occurrence signal to the external device (step S64). The abnormality generation signal is the same as the signal transmitted in step S39.
The above embodiment shows a specific example of the present invention, and is not limited to the mode of applying the present invention.
In the above embodiment, the description has been given of the operation of the control system 1 in the case where the vehicle start programs 72, 85, 86 stored in the storage units 53, 53A are updated according to the vehicle control update program downloaded from the server 110. The present invention is not limited to this, and for example, the operations shown in fig. 5 or 8 may be executed when the control system 1 receives a vehicle control update program from the vehicle diagnostic device 120 connected to the DLC 19. That is, the operations of the above-described embodiments may be applied to a case where the control system 1 acquires the vehicle control update program from the vehicle diagnostic apparatus 120 as an external apparatus and updates the vehicle start program.
In the above embodiment, the case where the vehicle starting programs 72, 85, 86 executed by the zone 2 ECU20b included in the control system 1 are updated is described as an example. This is an example. For example, the configuration of the storage units 53 and 53A and the operations of the program execution unit 51 and the update execution unit 52 described in the present embodiment can be applied to the central ECU2 or another ECU.
In the above embodiment, the example in which the present invention is applied to the update process of the vehicle start program required for updating the start of the vehicle V has been described. This is an example, and the configuration and operation of the present embodiment can be applied to update processing for updating a program related to the function of the vehicle V.
In the above embodiment, the description has been made of the example in which the abnormality occurrence notification, the abnormality occurrence 1 st notification, or the abnormality occurrence 2 nd notification is performed when the installation of the vehicle starting program is not normally completed. This is an example. The program execution unit 51 may, for example, notify that the update process is successful when the vehicle starting program updated by the update process is executed, that is, when the update process is successful. Further, a signal indicating that the update process is successful may be transmitted to the external device.
The configuration of the control system 1 shown in the above embodiment is an example, and the type of ECU, the number of ECUs, and the configuration of the device to be controlled by the ECU included in the control system 1 can be variously changed.
Fig. 1 and 3 are diagrams showing an outline configuration of the functional configuration of each device of the program management system 100, which is distinguished by the main processing contents in order to easily understand the present application, and are not limited to the configuration of the device. The processes shown in fig. 5, 6, 8, 9, and 10 may be executed by one program or may be executed by a plurality of programs.
The vehicle V is, for example, a four-wheel vehicle, but the type of the vehicle V is not particularly limited, and may be a large-sized vehicle, a commercial vehicle, a two-wheel vehicle, a three-wheel vehicle, or the like. The configuration of each part in the control system 1 can be arbitrarily changed.
The above embodiment supports the following structure.
(structure 1) a vehicle control device, wherein the vehicle control device includes: a vehicle control unit that performs control of a vehicle by executing a vehicle start program for starting the vehicle; a storage unit having a rewrite-limiting area in which the vehicle-starting program is stored and in which rewriting is limited, and a rewritable area in which the vehicle-starting program is stored in a rewritable manner; a communication unit that communicates with an external device; and a program updating unit that executes an update process of storing a vehicle start update program for updating the vehicle start program received by the communication unit in the rewritable region, wherein the vehicle control unit executes the vehicle start program stored in the rewritable region, and executes the vehicle start program stored in the rewritable region when the update process of the program updating unit is not completed normally.
According to the vehicle control device of the configuration 1, even when an update of the vehicle start program causes an obstacle, the vehicle can be started by using the vehicle start program stored in the area where the rewriting is restricted. Since the vehicle starting program stored in the area where the rewriting is restricted is not an updated object, the program is maintained in an executable state. Therefore, a situation in which the vehicle starting program cannot be executed can be reliably avoided, and thus, reliability relating to updating of the program for controlling the vehicle can be ensured.
(configuration 2) the vehicle control device according to configuration 1, wherein the vehicle starting program includes a power relay control program for controlling a power relay of the vehicle.
According to the vehicle control device of the configuration 2, it is possible to ensure reliability concerning updating of the program for controlling the power supply relay of the vehicle.
(configuration 3) in the vehicle control device according to configuration 1 or 2, the program updating unit stores abnormality occurrence information indicating that the update process is not completed normally in the storage unit when the update process is not completed normally.
According to the vehicle control device of the configuration 3, by storing the information indicating that the update process is not completed normally, the vehicle start-up program for which the update process is not completed normally can be reliably identified. For example, when the vehicle control unit starts and executes the vehicle start program, it is possible to prevent the execution of the vehicle start program for which the update process is not normally completed. Therefore, with respect to the update of the program for controlling the vehicle, higher reliability can be ensured.
(configuration 4) in the vehicle control device according to configuration 3, when the abnormality occurrence information is stored in the storage unit, the vehicle control unit executes the vehicle starting program stored in the rewriting limitation area.
According to the vehicle control device of the configuration 4, it is possible to distinguish the vehicle starting program for which the update process is not normally completed, based on the abnormality occurrence information. Thus, the vehicle is started by using the vehicle starting program stored in the area where the rewriting is restricted, without executing the vehicle starting program unsuitable for execution. Therefore, with respect to the update of the program for controlling the vehicle, higher reliability can be ensured.
The vehicle control device according to any one of the configurations 1 to 4 includes a notification unit that notifies an abnormality occurrence notification indicating that the update process is not completed normally, and the notification unit executes the abnormality occurrence notification when the vehicle control unit executes the vehicle starting program stored in the rewriting limitation area.
According to the vehicle control device of the configuration 5, the user can be notified of the state of the vehicle by notifying that the update process of the vehicle starting program is not completed normally. This notification can cause, for example, the re-execution of the update process of the vehicle starting program and the repair of the vehicle starting program. Therefore, even when an obstacle is generated in updating the program for controlling the vehicle, the user can perform more appropriate processing.
(configuration 6) in the vehicle control device according to configuration 5, when the notification unit performs the notification of the occurrence of the abnormality, an abnormality occurrence signal indicating that the update process has not been completed normally is transmitted to the external device via the communication unit.
According to the vehicle control device of the configuration 6, it is possible to notify the external device that the update process of the vehicle starting program is not completed normally. By this notification, it is possible to detect or record by the external device that the update process of the vehicle starting program is not completed normally. Thus, for example, the re-execution of the update process of the vehicle starting program or the repair of the vehicle starting program can be supported from the outside to the user.
(configuration 7) in the vehicle control device according to configuration 1, the storage unit includes, in the rewritable region, a 1 st storage region in which the vehicle start program and the vehicle start update program are stored, and a 2 nd storage region in which the vehicle start program and the vehicle start update program are stored, and the program update unit executes the update processing in which the vehicle start update program is stored in at least one of the 1 st storage region and the 2 nd storage region, and when the update processing in which the vehicle start update program is stored in the 2 nd storage region is not normally completed, the update processing information indicating that the update processing is not normally completed is stored in the 1 st storage region.
According to the vehicle control device of the configuration 7, the vehicle start-up program can be held without affecting the updated region during the update of the vehicle start-up program, and therefore, it is not necessary to limit the timing of the update program, and it is possible to reduce the restriction of the timing of the update program, since the update of the program is prevented from being hindered. When an obstacle occurs in the update process, the vehicle can be started by using the vehicle start program stored in the area where the rewriting is restricted. That is, even in a state where both the update of the vehicle starting program that is not normally completed and the update of the vehicle starting program that is not updated are not suitable for execution, the vehicle can be started. Further, it is possible to distinguish the vehicle starting program for which the update process is not normally completed based on the abnormality occurrence information. Thus, the vehicle can be started by using the vehicle starting program stored in the area where the rewriting is restricted, without executing the vehicle starting program unsuitable for execution. Therefore, the vehicle can be reliably started, and higher reliability can be ensured with respect to updating of the program for controlling the vehicle.
(configuration 8) in the vehicle control device according to configuration 7, when the vehicle start program is stored in the 1 st storage area and the 2 nd storage area, the vehicle control unit selects and executes the vehicle start program stored in the 1 st storage area or the vehicle start program stored in the 2 nd storage area based on the abnormality occurrence information.
According to the vehicle control device of the structure 8, the vehicle start-up program for which the update process is not normally completed is discriminated based on the abnormality occurrence information. Thus, the vehicle can be started by using the vehicle starting program stored in the area where the rewriting is restricted, without executing the vehicle starting program unsuitable for execution. Therefore, the vehicle can be reliably started, and higher reliability can be ensured with respect to updating of the program for controlling the vehicle.
(configuration 9) the vehicle control device according to configuration 7 or configuration 8 includes a notification unit configured to notify that the update process is not completed normally, and when the vehicle control unit executes the vehicle starting program stored in the 1 st storage area based on the abnormality occurrence information, the notification unit notifies 1 st of abnormality occurrence.
According to the vehicle control device of the configuration 9, the user can be notified of the state of the vehicle by notifying that the update process of the vehicle starting program is not completed normally. This notification can cause, for example, the re-execution of the update process of the vehicle starting program. Therefore, even when an obstacle is generated in updating the program for controlling the vehicle, the user can perform more appropriate processing.
(configuration 10) in the vehicle control device according to configuration 9, when the vehicle control unit executes the vehicle starting program stored in the rewriting limitation area, the notification unit performs an abnormality occurrence 2 notification different from the abnormality occurrence 1 notification.
According to the vehicle control device of the configuration 10, it is possible to notify that both the vehicle starting program, of which the update is not normally completed, and the vehicle starting program, of which the update is not performed, are in a state unsuitable for execution. Since the abnormality occurrence 2 notification is different from the abnormality occurrence 1 notification that causes the re-execution of the update process of the vehicle-starting program, it is possible to notify the user that a more rapid process is required.
(configuration 11) in the vehicle control device according to configuration 10, when the notification unit executes the notification of the abnormality occurrence 2, an abnormality occurrence signal indicating that the update process has not been completed normally is transmitted to the external device via the communication unit.
According to the vehicle control device of the configuration 11, it is possible to notify the external device that the update process of the vehicle starting program is not completed normally and that the vehicle starting program that is not updated is also in a state unsuitable for execution. Thus, for example, the re-execution of the update process of the vehicle starting program or the repair of the vehicle starting program can be supported from the outside to the user.
The vehicle control method according to the present invention (configuration 12) is a vehicle control method using a vehicle control device that includes a communication unit that communicates with an external device that is present outside a vehicle, and a storage unit that stores a vehicle start program for starting the vehicle, wherein the storage unit is provided with a rewrite-limiting area that stores the vehicle start program and limits rewriting, and a rewritable area that stores the vehicle start program so as to be able to rewrite, and performs an update process that stores a vehicle start update program received by the communication unit for updating the vehicle start program in the rewritable area, and executes the vehicle start program stored in the rewritable area to start the vehicle when the update process is not normally completed.
According to the vehicle control method of the structure 12, even when an update of the vehicle start program causes an obstacle, the vehicle can be started by using the vehicle start program stored in the area where the rewriting is restricted. Since the vehicle starting program stored in the area where the rewriting is restricted is not an updated object, the program is maintained in an executable state. Therefore, a situation in which the vehicle starting program cannot be executed can be reliably avoided, and thus, reliability relating to updating of the program for controlling the vehicle can be ensured.
(configuration 13) a recording medium that is a non-transitory computer-readable recording medium storing a program executed by a computer that controls a vehicle control device that includes a communication unit that communicates with an external device that is present outside a vehicle, and a storage unit that stores a vehicle starting program for starting the vehicle, wherein the storage unit is provided with a rewrite-limit area that stores the vehicle starting program and limits rewriting, and a rewritable area that stores the vehicle starting program in a rewritable manner, the program causing the computer to execute: an update process of storing a vehicle start update program for updating the vehicle start program received by the communication unit in the rewritable area is executed, and the vehicle is started by executing the vehicle start program stored in the rewritable area, and when the update process is not completed normally, the vehicle start program stored in the rewritable area is executed.
According to the program recorded on the recording medium of the configuration 13, even when an update of the vehicle start program causes an obstacle, the vehicle can be started by using the vehicle start program stored in the area where the rewriting is restricted. Since the vehicle starting program stored in the area where the rewriting is restricted is not an updated object, the program is maintained in an executable state. Therefore, a situation in which the vehicle starting program cannot be executed can be reliably avoided, and thus, reliability relating to updating of the program for controlling the vehicle can be ensured.

Claims (13)

1. A vehicle control apparatus, wherein,
the vehicle control device includes:
a vehicle control unit that performs control of a vehicle by executing a vehicle start program for starting the vehicle;
a storage unit having: a rewriting limitation area in which the vehicle starting program is stored and the rewriting is limited; and a rewritable area in which the vehicle starting program is stored in a rewritable manner;
a communication unit that communicates with an external device; and
a program updating unit that performs an updating process of storing the vehicle start-up update program received by the communication unit for updating the vehicle start-up program in the rewritable region,
the vehicle control unit executes the vehicle starting program stored in the rewritable region, and executes the vehicle starting program stored in the rewritable region when the update process by the program update unit is not completed normally.
2. The vehicle control apparatus according to claim 1, wherein,
the vehicle starting program includes a power relay control program that controls a power relay of the vehicle.
3. The vehicle control apparatus according to claim 1, wherein,
The program updating unit stores abnormality generation information indicating that the update process is not completed normally in the storage unit when the update process is not completed normally.
4. The vehicle control apparatus according to claim 3, wherein,
when the abnormality generation information is stored in the storage unit, the vehicle control unit executes the vehicle starting program stored in the rewriting limitation area.
5. The vehicle control apparatus according to any one of claims 1 to 4, wherein,
the vehicle control device includes a notification unit that notifies an abnormality occurrence notification indicating that the update process is not completed normally,
when the vehicle control unit executes the vehicle starting program stored in the rewriting limitation area, the notification unit executes the abnormality occurrence notification.
6. The vehicle control apparatus according to claim 5, wherein,
when the notification unit performs the notification of the occurrence of the abnormality, an abnormality occurrence signal indicating that the update process has not been completed normally is transmitted to the external device via the communication unit.
7. The vehicle control apparatus according to claim 1, wherein,
The storage unit includes, in the rewritable region: a 1 st storage area storing the vehicle start program and the vehicle start update program; and a 2 nd storage area storing the vehicle start program and the vehicle start update program,
the program updating section performs the updating process of storing the update program for vehicle start in at least one of the 1 st memory area and the 2 nd memory area,
when the update process of storing the update program for vehicle start in the 2 nd storage area is not completed normally, abnormality generation information indicating that the update process is not completed normally is stored in the 1 st storage area.
8. The vehicle control apparatus according to claim 7, wherein,
when the 1 st storage area and the 2 nd storage area store the vehicle start program, the vehicle control unit selects and executes the vehicle start program stored in the 1 st storage area or the vehicle start program stored in the 2 nd storage area based on the abnormality generation information.
9. The vehicle control apparatus according to claim 7 or 8, wherein,
The vehicle control device includes a notification unit configured to notify that the update process is not completed normally,
when the vehicle control unit executes the vehicle starting program stored in the 1 st storage area based on the abnormality occurrence information, the notification unit notifies 1 st of abnormality occurrence.
10. The vehicle control apparatus according to claim 9, wherein,
when the vehicle control unit executes the vehicle starting program stored in the rewriting limitation area, the notification unit performs an abnormality occurrence 2 notification different from the abnormality occurrence 1 notification.
11. The vehicle control apparatus according to claim 10, wherein,
when the notification section performs the notification of the abnormality occurrence 2, an abnormality occurrence signal indicating that the update process is not normally completed is transmitted to the external device through the communication section.
12. A vehicle control method using a vehicle control device provided with: a communication unit that communicates with an external device that is present outside the vehicle; and a storage unit storing a vehicle starting program for starting the vehicle, wherein,
The storage unit is provided with: a rewriting limitation area in which the vehicle starting program is stored and the rewriting is limited; and a rewritable area in which the vehicle starting program is stored in a rewritable manner,
an update process of storing the vehicle start update program received by the communication unit for updating the vehicle start program in the rewritable area is executed,
the vehicle is started by executing the vehicle starting program stored in the rewritable region,
when the update process is not completed normally, the vehicle start program stored in the rewrite-limit area is executed.
13. A recording medium storing a program executed by a computer for controlling a vehicle control apparatus, the vehicle control apparatus comprising: a communication unit that communicates with an external device that is present outside the vehicle; and a storage unit storing a vehicle starting program for starting the vehicle, wherein,
the storage unit is provided with a rewrite limiting area in which the vehicle starting program is stored and in which rewrite is limited; and a rewritable area in which the vehicle starting program is stored in a rewritable manner,
The program causes the computer to execute:
an update process of storing the vehicle start update program received by the communication unit for updating the vehicle start program in the rewritable area is executed,
the vehicle is started by executing the vehicle starting program stored in the rewritable region,
when the update process is not completed normally, the vehicle start program stored in the rewrite-limit area is executed.
CN202310091809.9A 2022-02-15 2023-01-28 Vehicle control device, vehicle control method, and recording medium Pending CN116610335A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2022-021064 2022-02-15
JP2022-137520 2022-08-31
JP2022137520A JP2023118654A (en) 2022-02-15 2022-08-31 Vehicle control apparatus, vehicle control method, and recording medium

Publications (1)

Publication Number Publication Date
CN116610335A true CN116610335A (en) 2023-08-18

Family

ID=87675244

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310091809.9A Pending CN116610335A (en) 2022-02-15 2023-01-28 Vehicle control device, vehicle control method, and recording medium

Country Status (1)

Country Link
CN (1) CN116610335A (en)

Similar Documents

Publication Publication Date Title
US20240103841A1 (en) Vehicle controller, program updating method, and non-transitory storage medium that stores program for updating program
WO2018079006A1 (en) Control device, program update method, and computer program
WO2018142751A1 (en) Control device, program update method, and computer program
JP6465258B1 (en) Control device, control method, and computer program
JP6702269B2 (en) Control device, control method, and computer program
JP2018195932A (en) System for vehicle performing processing of encryption key and electronic control equipment
WO2018230084A1 (en) Updating control device, control method, and computer program
JP2019034652A (en) Control device, control method, and computer program
JP6547904B2 (en) CONTROL DEVICE, PROGRAM UPDATE METHOD, AND COMPUTER PROGRAM
US11945453B2 (en) Onboard device, information generating method, non-transitory storage medium, and vehicle
KR20070076201A (en) Rom program update system and method do electron control unit in vehicles
JP6795389B2 (en) In-vehicle data updater
CN116610335A (en) Vehicle control device, vehicle control method, and recording medium
US20220308857A1 (en) Control device and terminal device
US20230256983A1 (en) Vehicle controller, vehicle control method and recording medium
US20230195445A1 (en) On-board device, information processing method, and computer program
CN115454462A (en) OTA manager, system, method, non-transitory storage medium, and vehicle
CN115514742A (en) OTA manager, center, system, method, non-transitory storage medium
JP2023118654A (en) Vehicle control apparatus, vehicle control method, and recording medium
CN114115931A (en) Software updating device, software updating method, non-temporary storage medium, and vehicle
CN113986259A (en) Server, software update device, vehicle, software update system, control method, and non-temporary storage medium
US20230259351A1 (en) Program management device, program management method, and recording medium
US20240104218A1 (en) Control apparatus and control method
US20220004375A1 (en) Software update device, software update method, non-transitory storage medium, and vehicle
CN113961214A (en) Software updating device, updating control method, non-temporary storage medium, server, OTA host and center

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination