EP4066103A1 - Method for updating a digital system - Google Patents

Method for updating a digital system

Info

Publication number
EP4066103A1
Authority
EP
European Patent Office
Prior art keywords
computer
board
vehicle
transition
digital content
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP20808154.7A
Other languages
English (en)
French (fr)
Inventor
Eric Abadie
Marie-Cecile AFANTENOS
Sébastien BESSIERE
Solène GROS
Claire TENOR
Gregory Meunier
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ampere SAS
Nissan Motor Co Ltd
Original Assignee
Renault SAS
Nissan Motor Co Ltd
Application filed by Renault SAS, Nissan Motor Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G06F8/656 Updates while running
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60L PROPULSION OF ELECTRICALLY-PROPELLED VEHICLES; SUPPLYING ELECTRIC POWER FOR AUXILIARY EQUIPMENT OF ELECTRICALLY-PROPELLED VEHICLES; ELECTRODYNAMIC BRAKE SYSTEMS FOR VEHICLES IN GENERAL; MAGNETIC SUSPENSION OR LEVITATION FOR VEHICLES; MONITORING OPERATING VARIABLES OF ELECTRICALLY-PROPELLED VEHICLES; ELECTRIC SAFETY DEVICES FOR ELECTRICALLY-PROPELLED VEHICLES
    • B60L50/00 Electric propulsion with power supplied within the vehicle
    • B60L50/50 Electric propulsion with power supplied within the vehicle using propulsion power supplied by batteries or fuel cells
    • B60L50/53 Electric propulsion with power supplied within the vehicle using propulsion power supplied by batteries or fuel cells in combination with an external power supply, e.g. from overhead contact lines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F15/76 Architectures of general purpose stored program computers
    • G06F15/78 Architectures of general purpose stored program computers comprising a single central processing unit
    • G06F15/7803 System on board, i.e. computer system on one or more PCB, e.g. motherboards, daughterboards or blades
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60Y INDEXING SCHEME RELATING TO ASPECTS CROSS-CUTTING VEHICLE TECHNOLOGY
    • B60Y2200/00 Type of vehicle
    • B60Y2200/90 Vehicles comprising electric prime movers
    • B60Y2200/91 Electric vehicles
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60Y INDEXING SCHEME RELATING TO ASPECTS CROSS-CUTTING VEHICLE TECHNOLOGY
    • B60Y2200/00 Type of vehicle
    • B60Y2200/90 Vehicles comprising electric prime movers
    • B60Y2200/92 Hybrid vehicles
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02T CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00 Road transport of goods or passengers
    • Y02T10/60 Other road transportation technologies with climate change mitigation effect
    • Y02T10/70 Energy storage systems for electromobility, e.g. batteries
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02T CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00 Road transport of goods or passengers
    • Y02T10/60 Other road transportation technologies with climate change mitigation effect
    • Y02T10/7072 Electromobility specific charging systems or methods for batteries, ultracapacitors, supercapacitors or double-layer capacitors

Definitions

  • Title: Digital system update process.
  • the invention relates to a method for updating a digital system in a vehicle, in particular in a motor vehicle.
  • a digital system in a vehicle comprises one or more on-board computers communicating with one another via one or more on-board buses.
  • an on-board computer generally comprises a permanent memory for storing at least permanent digital data, firmware and / or a computer program.
  • the on-board computer generally also comprises a random access memory for storing variable digital data, and at least one processor for writing and / or reading the variable digital data in random access memory by executing the computer program from all or part of the permanent digital data and variable digital data.
  • An update of the digital system consists of modifying digital content in the permanent memory of at least one on-board computer.
  • Document FR2775363 discloses a vehicle computer suitable for being connected to a stored data update tool, but it is preferable to stop the vehicle to connect the update tool.
  • Document FR3011651 discloses a method for updating a vehicle computer using an interface box, however the implementation of the method requires stopping the vehicle to connect the box.
  • Document FR2775371 discloses a method for downloading an update file in rewritable memory of a vehicle computer.
  • Today a wide range of wireless remote transmission possibilities provide opportunities for downloading update files into on-board vehicle control units without having to plug a physical connector into the vehicle.
  • The known methods and devices still require the vehicle to be immobilized for a more or less extended duration in order to update a data or program file in an on-board control-command unit.
  • Writing from a remote server to rewritable memory of an on-board control unit requires more time than writing to conventional computer or mobile phone memory. Stopping the vehicle is still recommended to avoid an unexpected change in driving behavior of the vehicle, linked to the update.
  • There is a need to reduce the update time of a control-command unit to a minimum, in particular to minimize the downtime of the vehicle when switching from a previous on-board control-command unit configuration to a new configuration by updating a program or data.
  • Document EP2249251A1 discloses an update device comprising a server, an on-board control unit in a vehicle, and communication means for connecting the server and the on-board control unit, in which, when the server executes a process of rewriting a program of the on-board control unit via the communication means, the server determines whether or not to execute the rewrite of the program by referring to a memory content of the on-board control unit. If an abnormality or communication breakdown occurs during the rewrite task, the rewrite process is not completed, a reset is performed, and the previous program is started.
  • The device disclosed by the document cited above has many drawbacks, including in particular that of postponing the update of the on-board control unit to an intolerably distant date in the event of anomalies and / or repeated communication breaks.
  • Such cases can occur in a vehicle, for example when it is in a tunnel or in an underground car park, or in the event of a drop in voltage on the on-board electrical network of the vehicle, to which both telecommunications and writing to rewritable memory, which also consumes a lot of electricity, are sensitive.
  • Each attempt to rewrite a program necessary for the operation of the vehicle renders the vehicle unavailable until the rewritten program or the previous program is started depending on whether the rewriting was performed correctly or not.
  • The subject of the invention is a method for updating a digital system in a vehicle comprising an on-board client computer, in particular of the multimedia type, capable of communicating with a remote server, an on-board control unit connected, directly or indirectly, to the customer computer by an on-board communication network, and an electrical energy storage device for supplying the on-board computer and the on-board control-command unit.
  • the process is remarkable in that it includes:
  • The computer is said to be a customer computer in that it differs from the control-command unit by its ability to process media or support other than control-commands of actuators and sensors of the vehicle, for example to process a download using the FTP protocol.
  • By using the processing resources of the client computer to download an update file, the resources necessary for the update in the control unit are reduced, and therefore its cost, an effect which is all the more advantageous since an on-board digital system generally includes many control units.
  • the download time is completely transparent for the control unit because the latter is not affected by the download.
  • The fact that the electric energy storage device can be recharged during the download ensures that the electricity consumption of the download disturbs neither the download itself nor the other electrical consumers of the vehicle.
  • a multimedia calculator is an example of a customer calculator.
  • The on-board instrumentation and control unit is connected, directly or indirectly, to the customer computer; it can therefore be any type of control unit regardless of the way in which it is connected to the customer computer, whether directly by a communication link, via a gateway computer and communication links, or in both ways.
  • The client computer is interfaced with a remote server and directly or indirectly controls the various steps of the method according to the invention; for example, it indirectly distributes a part of the downloaded file intended for certain on-board control-command units, for which distribution is controlled by the customer computer and then managed by the gateway computer.
  • The client computer constantly stores a download progress point so as to stop the download when an effective or risky degradation of communication with the remote server is detected, and resumes the download from the stored progress point when it detects that the effective or risky degradation of communication with the remote server has disappeared.
  • The causes of effective communication degradation are multiple: passage of the vehicle through a tunnel or into an underground car park, interruption by another process having priority over the download, failure of the remote server, or others.
  • The method treats the fact that the electrical energy storage device cannot be recharged as a condition for detecting a risky degradation of communication with the remote server.
  • the electric energy storage device is considered to be able to be recharged if the heat engine is rotating.
  • the rotating heat engine can, for example, recharge the electrical energy storage device by means of an alternator or an alternator starter.
  • the electric energy storage device is considered to be able to be recharged if the electric traction battery is connected to an external electric recharging network. This case can occur not only for a purely electric traction vehicle, but also for a plug-in hybrid vehicle on an external electrical network or by means of the heat engine.
  • The on-board communication network comprises a first on-board link connected to the customer computer, a second on-board link connected to the on-board control unit and a gateway computer connected to the customer computer and to the on-board control unit. Execution by the gateway computer of the step of installing all or part of the distributed downloaded file in the on-board control-command unit relieves the on-board control unit of installation tasks, thus keeping it fully available for its control-command tasks, for any control-command unit of which at least one processor is indirectly linked to the customer computer via the gateway.
  • Execution by the gateway computer of the step of installing all or part of the downloaded file in the on-board control unit makes it possible to relieve the on-board control unit of installation tasks, thus keeping the on-board instrumentation and control unit fully available for its monitoring and control tasks, in particular for any instrumentation and control unit indirectly linked to the customer computer via the gateway.
  • The method consists in making the on-board control unit operate on a first bank of rewritable memory while the installation step is being applied to a second rewritable memory bank.
  • A brief stop of the vehicle may be sufficient, because the availability of the control unit during the download, distribution and installation steps above allows the vehicle to be left running until the stop, which is then carried out simply to prevent the user of the vehicle from being surprised by a change in behavior during operation of the vehicle.
  • the method comprises a step of pre-downloading descriptive data, which will make it possible to characterize the digital contents of the downloaded files and to dynamically configure the user experience during each update.
  • the downloaded file obtained at the end of the downloading step includes other descriptive data, which will in particular make it possible to secure the content.
  • digital files downloaded for control units directly connected to the customer computer are directly connected to the customer computer.
  • At least part of the pre-downloaded descriptive data includes configuration metadata.
  • The method comprises at least one step of verifying at least one activation condition, said at least one activation condition being a function of at least part of the descriptive data, which allows dynamic configuration, that is to say a diversified and dynamic management of the update campaigns, which can thus be defined upstream, off-board.
  • At least one of said steps of the digital system update method comprises a sub-step of interaction with the user via the man-machine interface apparatus, according to a specific mode of interaction, in particular as a function of said step in progress. For example, user comfort is further enhanced when the activation step requires consent from a user of the vehicle to be performed.
  • The subject of the invention is also a digital system embedded in a vehicle comprising an on-board client computer capable of communicating with a remote server and an on-board control-command unit connected to the client computer by an on-board communication network, each supplied by a device for accumulating electrical energy, characterized in that the on-board customer computer and the on-board control unit are programmed to execute the method according to the invention.
  • the on-board communication network comprises a first on-board bus connected to the customer computer, a second on-board bus connected to the on-board control unit, and a gateway computer connected to the two said on-board buses, so that the gateway computer is programmed to perform the installation step in accordance with the method.
  • the subject of the invention is also a motor vehicle comprising an on-board digital system according to the invention.
  • FIG. 1 schematically shows a vehicle comprising a digital system on which the invention is implemented
  • FIG. 2 shows pre-download sequence and download sequence steps within the method according to the invention
  • FIG. 3 shows the distribution and installation steps for a first type of on-board computer
  • FIG. 4 shows distribution and installation steps for a second type of on-board computer
  • FIG. 5 shows the distribution and installation diagram for a third type of on-board computer
  • FIG. 6 shows the activation steps for a first type of updated on-board computer
  • FIG. 7 shows activation steps for a second type of updated on-board computer.
  • FIG. 1 shows a vehicle 4 comprising a digital system in which the invention is implemented.
  • the digital system comprises at least two on-board computers 10,
  • a man-machine interface device 12 equipped with one or more screens, can include a communication coupler on the on-board bus 5.
  • The customer on-board computer 10 comprises one or more processors and a memory capacity sized to give it computing resources suitable for processing large volumes of digital information, such as that necessary for pictographic display and for the perception of human commands via the on-board bus 5 or via a direct connection to the man-machine interface device 12, for exchanges with other on-board computers of the digital system, for communication outside the vehicle, and for the execution of computer programs at operational and / or application level.
  • The customer on-board computer 10 is, for example, of the type often designated by the acronym IVI (In-Vehicle Infotainment).
  • The customer on-board computer 10 can be fitted with one or more sockets 3 of the USB, OBD or other type.
  • A USB type socket 3 allows, for example, transfers of files stored or to be stored in the memory of a USB key. It is also possible to equip the customer on-board computer 10 with over-the-air (OTA) means of communication, to establish communications 1, for example according to an 802.11 type standard, with a remote server 101.
  • Apart from the customer computer 10, the other computers are on-board control-command units, which can be of three different types.
  • The second type designates the control units indirectly linked to the customer computer 10 via the gateway computer 21; they are therefore in the secure zone and of a more basic nature, and their memories are preferably of the internal double-bank type (two banks of rewritable executable memory, e.g. Flash, EEPROM) or of the external memory type.
  • The third type designates hybrid computers which have two processors, one being in connection with the customer computer 10 and the other in connection with the gateway computer 21.
  • The on-board computer 21 is of the gateway type (GW, for Gateway).
  • the on-board computer 21 makes it possible to exchange digital information between the first on-board bus 5 and a second on-board bus 6 of the digital system.
  • the digital system comprises one or more onboard computers 31, 32, 33 arranged to communicate with each other and with the onboard computer 21, on the second onboard bus 6.
  • The on-board computer(s) 31, 32, 33 are of the ECU type (acronym for Electronic Control Unit).
  • An electronic control unit comprises one or more outputs each connected to an actuator of the vehicle, a communication coupler on the on-board bus 6, and an electronic digital processing circuit for controlling, in a manner known per se, by means of firmware, the actuator(s) as a function of digital data circulating on the on-board communication bus 6.
  • Each on-board computer 31, 32, 33 constituting an electronic control unit can also include one or more inputs connected to sensors and / or control units of the vehicle, to execute the firmware.
  • the on-board bus 6 is represented in a simplified manner in FIG. 1, it can comprise several branches connected to each other by secondary gateways not shown and without particular impact on the operation of the invention.
  • the digital system of the vehicle 4 can also include an on-board computer 11 which comprises means of communication by air at a longer distance than, for example, that of the 802.11 standard.
  • The over-the-air (OTA) means of communication of the on-board computer 11 make it possible, for example, in a manner known per se, to establish a communication 2 by a cellular telephone network of version 4G or higher with a remote server 102, identical to, separate from and / or connected to the remote server 101.
  • Other modes of communication can be envisaged for the on-board computer 11, such as, purely by way of non-exhaustive illustration, a satellite communication mode or a mixed mode of downlink wireless communication and upstream GSM communication.
  • The on-board computer 11 is not necessarily distinct from the on-board computer 10.
  • Digital system versions can be envisaged in which the customer on-board computer 10 integrates the functionalities of the on-board computer 11.
  • The on-board computer 11 is connected to the customer on-board computer 10 by the bus 5 or by a direct link, to allow the customer on-board computer 10 to benefit from its long-distance communication possibilities.
  • The on-board computer 11 is then, for example, of the type often designated by the acronym IVC (In-Vehicle Communication).
  • the digital system of the vehicle 4 can also include an on-board computer 22 without direct impact on the operation of the vehicle, and for this reason connected to the on-board bus 5.
  • the digital system of the vehicle 4 can also include an on-board computer 23 of the electronic control unit type with high digital processing capacity, for example to supervise and / or manage several functions of the vehicle 4.
  • The on-board computer 23 is then connected to the on-board bus 5 to process data without direct impact on the operation of the vehicle or data on which
  • the computer 23 is connected to the on-board bus 5 to process data with an impact on the operation of the vehicle.
  • the computer 23 can also be connected to the computer 10 by a direct link 7 (for example via CAN, FTP, Ethernet protocol) and to the gateway computer by an on-board communication bus 8
  • The customer on-board computer 10 and at least one of the on-board computers 21, 22, 23 connected to the on-board bus 5, in particular the on-board computer 21, host a distributed computer program comprising computer instructions for implementing the updating method explained below, when the distributed computer program is executed by the computers on which it is hosted.
  • the steps of the method described in the following figures are divided into three phases, namely the first phase of exchanges between a remote server 101 and the client onboard computer 10, containing steps of pre-downloading descriptive data and downloading digital content.
  • the second phase of exchanges between the customer on-board computer 10 and a type of on-board computer 20, 30, 23, (indirectly via the gateway computer 21 for the second or second computers).
  • FIG. 2 shows process steps according to the invention for pre-downloading and downloading digital content from a remote download server 101
  • A transition 1001 is validated when the existence of an update to be carried out is signaled, in particular via interface software with the outside world, in the memory of the client on-board computer 10 by the remote server 101, and when the vehicle 4 is in satisfactory conditions to perform a pre-download.
  • the client on-board computer 10 constitutes a download client on-board computer with regard to the digital system update process disclosed.
  • the existence of an update to be carried out results from an upstream process known per se elsewhere.
  • The fact that the vehicle 4 has a sufficient level of connectivity to a telecommunications network generates a satisfactory condition for performing a pre-download. A state of the vehicle 4, when it has electric or rechargeable hybrid propulsion, in which it is connected to an electrical battery recharging network or, if it is in motion, in which it is in a deceleration phase, generates a satisfactory condition for pre-download. A state of the vehicle 4, when it has thermal propulsion or hybrid propulsion, in which its internal combustion engine is running, generates a satisfactory condition for performing a pre-download, whether the vehicle is running or stationary.
  • a validation of the transition 1001 passes the method to a step 1002 which consists in pre-downloading descriptive data of the content to be downloaded.
  • These descriptive data include, for example, the VIN (Vehicle Identification Number), the address of the digital contents to download (for example a URL), the ordered list of the contents to download, and configuration metadata specifying in particular the mode of interaction: without user request (background) or with user request (foreground).
  • the client on-board computer 10 begins by sending a pre-download request to the server 101 then stores the descriptive content data in buffer memory as they arrive.
  • the pre-download request contains in particular a VIN number of the vehicle 4 to which the on-board computer 10 belongs.
  • the customer on-board computer 10 checks in particular that the descriptive data received does indeed correspond to the specifications of the vehicle identified by the VIN number.
  • a transition 10101 is validated when the server receives the pre-download request sent by the client on-board computer 10 in the pre-download step 1002.
  • a validation of the transition 10101 passes the method into a step 10102 which consists in sending the descriptive data of the content to be downloaded to the onboard computer 10.
  • The remote server 101 can use the FTP protocol to transfer the descriptive data in the form of files, or UDP, on an available telecommunication channel using electromagnetic waves (802.11, cellular telephony, ad hoc network (WANET, MANET, VANET ...) or other), whichever is most appropriate depending on whether the vehicle is stationary or in motion, and / or depending on the environment of the vehicle 4, i.e. the telecommunication means available at its location.
  • a wired telecommunication channel 802.3 over Ethernet cable or Power Line Carrier
  • Step 1002, executed in the on-board computer 10, consists in storing in internal memory the files or frames received from the server 101, either directly by means of communications 1 on a telecommunications coupler specific to the on-board computer 10, or indirectly via another server 102 at the heart of the cellular telephone network, another on-board computer 11 (IVC) dedicated to telecommunications and the on-board bus 5.
  • a transition 1003 is validated in the event of loss by the vehicle 4 of a satisfactory condition for performing a pre-download.
  • the loss of satisfactory condition may result from a loss of connectivity to the telecommunications network, for example when the vehicle passes through a tunnel or enters an area with poor network coverage.
  • the loss of satisfactory condition may result from a shutdown of the internal combustion engine when the vehicle 4 is thermal propulsion or non-rechargeable hybrid propulsion, for example when the driver leaves the vehicle to buy a baguette.
  • a battery power cut can also constitute a loss of satisfactory condition.
  • a validation of the transition 1003 passes the method to a step 1004 which consists in placing the on-board computer on standby for satisfactory conditions in order to perform a pre-download.
  • The customer on-board computer 10 can use an STR (Suspend To RAM) type energy-management method, which makes it possible to suspend the execution of the processes and to memorize their state in order to restore them identically after the on-board computer has been switched off.
  • A transition 1005 is validated when all the conditions satisfactory for the pre-download are met again: reconnection to a telecommunications network, for example at the exit of the tunnel, or restart of the heat engine, for example on the return of the driver with his French baguette.
  • Validating the transition 1005 returns the process to step 1002, which consists of informing the server 101 of its availability and continuing to store the descriptive data sent by the server 101.
  • the server 101 simply remains on standby in step 10102 in a manner usually provided for in the FTP and UDP protocols to resume the transmission where it was interrupted.
  • a transition 1007 is validated when all the descriptive data have been stored in the buffer memory of the on-board computer 10.
  • A validation of the transition 1007 passes the method into a step 1008 which consists in downloading digital content comprising descriptive data characterizing it, in particular security data linked to secure content intended for computers of the first type (in an unsecured zone) or for a gateway computer 21 for the purpose of updating a second type or hybrid computer (in this case these data contain, for example, information on the recipient of the update, i.e. the target of the update).
  • The client on-board computer 10 begins by sending a download request to the server 101, for example on the FTP port of the on-board computer 10 when the FTP protocol is used, or via another port depending on the type of communication (Wifi, Ethernet, etc.).
  • a transition 10103 is validated when the server receives the download request sent by the client onboard computer 10 in step 1008.
  • a validation of the transition 10103 passes the method into a step 10104 which consists in transmitting the required contents to the on-board computer 10.
  • The remote server preferably uses an FTP type protocol to transfer the contents in the form of one or more files on an available telecommunications channel, similarly to the procedure of step 10102.
  • step 1008 is executed in onboard computer 10, in a manner comparable to step 1002 of pre-download with storage in internal buffer memory.
  • the use in particular of the FTP protocol on a port of the IVI allows execution in parallel without interruption with steps of other telecommunication methods on other ports or using other protocols. For example, if the customer on-board computer 10 receives on the on-board bus 5 from the on-board computer 11 or from an OBD diagnostic socket, frames linked to a remote or local diagnostic process, executed in parallel, the frames are simply routed, in particular internally from the customer on-board computer 10, without the need to interrupt step 1008 at any time.
  • the computer 10 performs various checks on the downloaded files, such as, for example, checks on the conformity of the files with the descriptive data of the content previously received in pre-download step 1002, and/or known parity checks on the frames received to convey the downloaded files.
  • a transition 1009 is validated in the event of loss by the vehicle 4 of a satisfactory condition for performing a download.
  • the loss of satisfactory condition may here again result from a loss of connectivity to the telecommunications network, from stopping the internal combustion engine when the vehicle 4 has thermal propulsion or non-rechargeable hybrid propulsion, or from a disconnection from the battery charging station when the vehicle 4 is electrically propelled.
  • Transition 1009 can also be validated in the event of negative control on a downloaded file.
  • Validation of the transition 1009 causes the process to pass into a step 1010 which consists in placing the onboard computer on standby for satisfactory conditions in order to continue carrying out the download.
  • in step 1010, the computer 10 keeps a pointer to the last correctly downloaded file.
  • a transition 1011 is validated when all the conditions satisfying the download are found again, for example: reconnection to a telecommunications network, restarting of the internal combustion engine for a thermal vehicle, reconnection to a battery charging station for an electric vehicle, as in step 1005.
  • Validating the transition 1011 returns the process to step 1008, which consists of informing the server 101 of its availability and continuing to store the files sent by the server 101.
  • the client on-board computer 10 sends the server 101 a reference to the last correctly downloaded file, whether this is following an interruption in satisfactory conditions of the vehicle or following a negative check on a file being downloaded.
  • the server 101 simply remains on standby in step 10104 in the manner usually provided for in the protocols of the FTP type in order to resume the transmission where it was interrupted as soon as the on-board computer 10, to send the file to be downloaded following the last correctly downloaded file.
  • a transition 1013 is validated when the finished download is signaled to the client on-board computer 10 by the remote server 101; the downloaded files then include all the new digital content of the update, and this content is therefore complete.
  • a validation of the transition 1013 passes the method to a step 1014 which consists in sending to the server 101 an acknowledgment of good reception, preferably accompanied by a report of the download carried out. After sending the acknowledgment of receipt, accompanied, depending on the case of implementation, by the report of the download carried out, the computer 10 returns to the standby step of the method, that is to say waiting for the next transition of the process.
  • the steps executed by the customer on-board computer 10 from the transition 1001 to the transition 1013 can be interrupted many times by the transitions 1003 and / or 1009, without interfering with the operation of the vehicle 4.
  • the two phases pre-downloading and downloading are limited to storage in the vehicle, for example here in the on-board computer 10, of the content useful for updating the digital system. It is irrelevant whether the progress of steps 1002 to 1014 lasts a few minutes or several days, because steps 1002 to 1014 are executed in masked time with respect to the operation of the vehicle.
  • the two phases of the method which have just been explained above are thus implemented in a mode connected to the outside world without endangering the state of charge of the electric battery or batteries of the vehicle, recharged by the running internal combustion engine for a thermal or hybrid vehicle, or recharged by the recharging station to which the electric or rechargeable hybrid vehicle is connected.
  • a transition 10105 is validated when the server 101 receives the acknowledgment of receipt, accompanied, depending on the case of implementation, by the download report performed.
  • a validation of the transition 10105 passes the method into a step 10106 which consists in recording the acknowledgment of good receipt, accompanied, depending on the case of implementation, by the download report carried out, in a database for logging download states for a set of vehicles managed by the server 101 in terms of updates to digital systems in said vehicles.
  • the server 101 then returns to the standby step for the steps of the method described above, in a manner also known for servers that are usually capable of processing several methods in parallel.
  • At least one of said steps of the digital system update method may include a sub-step of interaction between the man-machine interface apparatus 12 and the user, via the man-machine interface apparatus 12, according to a specific mode of interaction, in particular as a function of said step in progress.
  • the pre-downloaded descriptive data can include metadata (of XML type, for example) for configuring the human-machine interface device 12.
  • These configuration metadata are transmitted by the customer on-board computer 10 to the human-machine interface device 12 by internal direct link (shown, but not referenced) and stored in a dynamic configuration management module, also called proxy HMI, at the end of step 1008.
  • the man-machine interface device 12 is hosted by the client on-board computer 10.
  • the configuration metadata characterize the digital content for updating an on-board computer because they define the mode of interaction between the man-machine interface device 12 and the user during the distribution, installation and activation of the associated digital content. Indeed, for each step of the update and depending on the digital content, a policy of diversified management of the update campaigns can thus be defined upstream in an unloaded manner, and can thus propose modes of interaction between the man-machine interface device 12 and the user, via the man-machine interface device 12, which differ depending on the update concerned and on the step in progress of the update of the digital system. Indeed, since the customer on-board computer 10 intervenes throughout the content distribution, installation and activation process, it is aware of the update step in progress.
  • the different modes of interaction with the user, in particular by means of a screen of the man-machine interface device 12, take, for example, the form of an agreement which can be requested from the user by means of a virtual button displayed on the HMI which the user must press, or of information given to the user in the form of text, or may even be invisible to the user, for example if it is a critical campaign.
  • the configuration metadata characterizing the digital content for updating an on-board computer can also define the vehicle conditions required to trigger the interaction between the man-machine interface device 12 and the user.
  • the condition will require, for example, that the engine is off and the mode of interaction by request for consent will therefore not be offered to the user.
  • the activation phase than at the end of the mission, that is to say at the end of the trip, once the engine has been switched off.
  • FIG. 3 shows method steps in accordance with the invention for performing a distribution and installation of digital content inside the digital system (on board in English) from the customer on-board computer 10.
  • the steps now described are executed disconnected from the outside world (off board in English). More precisely, the distribution and installation phase illustrated by FIG. 3 is carried out with a view to updating a first type of on-board computer 20 corresponding to one of the on-board computers 11, 21, 22 directly connected to the on-board bus 5 to which the client on-board computer 10 is connected.
  • the latter 11, 21, 22 are each equipped with sufficient computer resources to process the downloaded content intended for it.
  • a transition 1015 is validated when the existence of a complete digital content to update an on-board computer is signaled in memory of the customer on-board computer 10 by internal notification and when the vehicle 4 is in satisfactory condition for distributing and installing digital content within the digital system.
  • This complete digital content takes in particular the form of a list of the digital content downloaded, knowing that the sequence of the contents in the list does not necessarily have an order linked to the types of computers; for example, two consecutive contents can be intended for computers of different types (such as the following sequence: first type, then second type, then first type, then second type, then third type, then second type).
  • since the two phases of the process relating to the distribution and installation of the contents in one or more on-board computers do not require a connection to the outside, the vehicle 4 is in satisfactory conditions when the vehicle 4 is able to supply power to the computers of the digital system concerned with the distribution and installation of content, that is to say for example to maintain a sufficient level of charge of the batteries: internal combustion engine running for a thermal vehicle, batteries connected to a charging station for an electric vehicle.
  • Validation of the transition 1015 causes the process to go to a step 1016 in which the customer on-board computer 10 distributes a first digital content downloaded in internal buffer memory to the internal buffer memory of the on-board computer 20.
  • the customer on-board computer 10 begins by defining the recipient on-board computer of the digital content by reading the descriptive data which characterizes said content, then sends a distribution request to the recipient on-board computer, then begins to distribute the digital content to this computer.
  • the target computer to be updated by this digital content is of the first type 20, namely one of the computers 11, 21, 22 connected to the customer computer 10 directly via the on-board bus 5 and therefore the computer recipient of the digital content is identified as being the target computer in question 11, 21, 22.
  • a transition 2001 is validated when the recipient computer 20 receives the distribution request sent by the client on-board computer 10 in distribution step 1016.
  • the client on-board computer 10 can use the CAN or FTP protocols to distribute the digital content to the destination computer 20, in this case via the on-board bus 5; this content is secured here (by one or more encapsulations), since this computer is not in a secure zone, and comprises the downloaded descriptive security data. The distribution is independent of the level of connectivity to a telecommunications network since these steps are executed disconnected from the outside world.
  • a validation of the transition 2001 causes the method to pass into a step 2002 which consists in storing the digital content in the destination computer 20.
  • the step 2002 for storing the digital content is executed in the recipient computer 20: it consists in de-encapsulating the secure content, then verifying that the content is indeed intended for said computer 20 (otherwise, as in any case of failure during a step, the content is rejected and the memory, in this case the buffer memory, is erased, as explained for the activation phase in the remainder of the text), then storing in the internal buffer memory of the destination computer 20 the files or frames received from the client computer 10 via the on-board bus 5.
  • a transition 1017 is validated when the finished distribution of the digital content is signaled to the client computer 10 by the recipient on-board computer 20, in this case via the bus 5. Indeed, even if the client computer 10 knows when it has finished distributing, the signal from the destination computer 20 confirms to it that everything has been received.
  • a validation of the transition 1017 passes the method to a step 1018 which consists in sending an installation request to the recipient computer 20.
  • the client on-board computer 10 sends an installation request to the recipient computer 20 via the on-board bus 5.
  • a transition 2003 is validated when the recipient computer 20 receives the installation request sent by the client on-board computer 10 in step 1018.
  • a validation of the transition 2003 causes the process to pass into a step 2004 which consists, for the recipient computer 20, in directly installing for itself the digital content previously stored in its internal buffer memory, then in particular in notifying the client computer 10 of the completion of the installation.
  • by installing is meant preparing for future activation, that is to say in this case, if the recipient computer 20 is dual bank, the new digital content is copied into the inactive bank, and if the ECU only has a buffer memory, nothing more needs to be done.
  • a transition 1019 is validated when the completed installation is signaled to the client computer 10 by the recipient on-board computer 20 via the bus 5, in particular by means of the reception of the installation completion notification sent by the destination computer 20.
  • the installation of the digital content in the destination computer 20 is therefore completed.
  • the validation of the transition 1019 passes the method to a step 1020 which consists of verifying whether or not there is other digital content to be installed in the digital system.
  • If there is another digital content to be installed in the digital system, that is to say on an on-board computer 11, 21, 22, the transition 1021 is validated when another digital content to be installed is detected in the list of downloaded digital content. Validating transition 1021 returns the process to step 1016.
  • the transition 1023 is validated and passes the method to a step 1024 which consists in going to the phase of verifying the conditions for activating the digital content of the current update campaign by sending a notification of the end of installation to the HMI-proxy dynamic configuration management module.
  • This request to the HMI-proxy will determine the activation conditions required according to the digital content and/or the computers, that is to say for example the need or not for user agreement, or dynamic conditions predefined upstream, in particular at the creation of the campaign.
  • After this phase of distribution and installation for a first type of computer, the computer 10 returns to the process standby step; this may be a wait for the end of the mission or, for example, a wait for the end of mission combined with a user agreement in particular, but it will not be possible to return to the distribution phase as long as the process has not been completed, that is to say as long as the update campaign has not been completed.
  • FIG. 4 shows the process steps according to the invention for carrying out a distribution and an installation of digital content inside the digital system (on board in English) from the customer on-board computer 10.
  • the steps now described are also performed disconnected from the outside world (off board in English). More precisely, the distribution and installation phase illustrated in FIG. 4 is carried out with a view to updating a second type of on-board computer 30 corresponding to a computer indirectly connected to the customer on-board computer 10 through the gateway computer 21 and equipped with sufficient computer resources to process the downloaded content intended for it, in this case one of the onboard computers 31, 32, 33 connected to the second onboard bus 6.
  • step 1015 is validated when the existence of a complete digital content to update an on-board computer is signaled in memory of the customer on-board computer 10 and when the vehicle 4 is in satisfactory condition for carrying out a distribution and an installation of digital content within the digital system.
  • this complete digital content notably takes the form of a list of downloaded digital content, knowing that the sequence of content in the list does not necessarily have to be linked to the types of computers. Since the two phases of the method relating to the distribution and installation of digital content in one or more on-board computers do not require any connection to the outside, the vehicle 4 is in satisfactory condition when the vehicle 4 is able to supply the computers of the digital system concerned with the distribution and installation of content, that is to say for example to maintain a sufficient level of charge of the batteries: internal combustion engine running for a thermal vehicle, batteries connected to a charging station for an electric vehicle.
  • a validation of the transition 1015 passes the method to a step 1016 in which the customer on-board computer 10 distributes a first digital content downloaded in internal buffer memory to the on-board computer 21.
  • the customer on-board computer 10 begins by defining the on-board computer recipient of the digital content by reading descriptive data of the content, then sends a distribution request to the recipient on-board computer 21 then begins to distribute the digital content to it.
  • the target computer to be updated by this digital content is of the second type 30, namely one of the computers 31, 32, 33 on the on-board bus 6 and connected to the customer computer 10 via the gateway computer 21 and in fact the recipient computer of the digital content is identified as being the gateway computer 21.
  • a transition 2101 is validated when the gateway computer 21 receives the distribution request sent by the customer on-board computer 10 in the distribution step 1016.
  • the customer on-board computer 10 can for example use the CAN, FTP or Ethernet protocols for distributing the digital content to the gateway computer 21, in this case via the onboard bus 5, independently of the level of connectivity to a telecommunications network since these steps are performed disconnected from the outside world.
  • a validation of the transition 2101 passes the method to a step 2102 which consists in storing the digital content in the gateway computer 21.
  • the step 2102 for storing the digital content is executed in the gateway computer 21: it consists in storing in the internal buffer memory of the gateway computer 21 the files or frames received from the client computer 10 via the on-board bus 5.
  • a transition 1017 is validated when the completion of the distribution of the digital content to the gateway computer 21 is signaled to the client computer 10 by the gateway computer 21, in this case via bus 5.
  • a validation of the transition 1017 passes the method to a step 1018 which consists in sending an installation request to the target computer 30.
  • the client on-board computer 10 sends an installation request to the destination gateway computer 21, in this case via the on-board bus 5.
  • this digital content appears as content intended for the gateway computer 21, the customer computer 10 is therefore not in direct connection with the target computer, but with the gateway computer 21 and the latter will activate the computers 30 as explained below.
  • a transition 2103 is validated when the gateway computer 21 has received the installation request sent in step 1018.
  • the validation of the transition 2103 therefore passes the method to a step 2104 in which the on-board gateway computer 21 defines the target computer 30 of the content (as a function of the descriptive data of the secure content) and distributes to the target computer 30 the digital content that the gateway computer 21 had stored in internal buffer memory.
  • the gateway destination on-board computer 21 begins by sending a distribution request to the target computer 30 defined, in this case via the on-board bus 6, then begins to distribute the digital content to this target computer 30.
  • the target computer to be updated by this digital content is of the first type 30, namely one of the computers 31, 32, 33 connected to the gateway computer 21, in particular via the on-board bus 6.
  • a transition 3001 is validated when the gateway computer 30 receives the distribution request sent by the gateway computer 21 in the distribution step 2104.
  • the gateway on-board computer 21 can use the CAN, FTP, Ethernet protocols to distribute the digital content to the target computer 30 via the on-board bus 6, independently of the level of connectivity to a telecommunications network since these steps are executed disconnected from the outside world.
  • a validation of the transition 3001 passes the method to a step 3002 which consists in storing the digital content in the target computer 30.
  • the step 3002 of storing the digital content is executed in the target computer 30: it consists in storing the files or frames received from the gateway computer 21, in this case via the on-board bus 6, in inactive internal memory if the target computer 30 is double bank and otherwise in the external memory of the target computer 30.
  • the storage in external memory does not occupy all of the external memory, but only part of it, which makes it possible to have in the external memory of the destination computer both the current digital content, that is to say that of a past version (but still active at this step of the process), which is not erased, and the new digital content of the update.
  • This storage in external memory of the past content will allow later in the process, during the activation phase, a backup for possible rollback if necessary.
  • a transition 2105 is validated when the distribution of the digital content completed is signaled to the gateway computer 21 by the target on-board computer 30, in this case via the bus 6.
  • a validation of the transition 2105 causes the process to pass into a step 2106 which, for the gateway computer 21, consists in sending a target computer installation request to the target computer 30.
  • the on-board gateway computer 21 sends a target computer installation request to the target computer 30, in this case via the on-board bus 6.
  • a transition 3003 is validated when the target computer 30 receives the target computer installation request sent by the gateway computer 21 in step 2106.
  • a validation of the transition 3003 causes the process to pass into an installation step 3004 which consists, for the target computer 30, in constituting a backup of the current content by copying, depending on the nature of the memory of the computer 30, either the missing elements, namely those of the current content that do not change with the update, into the inactive bank in the case of a double-bank internal memory, or, in the case of external memory, the entire current digital content into the external memory of the target computer 30, and then in particular in notifying the gateway computer 21 of the completion of the installation.
  • the term “install” is understood to mean preparing for future activation, and in particular for a second type computer 30 with external memory, it is a matter of saving the current content therein to allow possible rollback.
  • a simple switching is sufficient and avoids having to save using a third-party copy.
  • if the target computer 30 is double bank, the elements of the current content of the computer 30 present in the active bank which have not been updated, and therefore did not appear in the inactive bank, are copied into the inactive bank alongside the new digital contents, and if the target computer 30 has only external memory, all the elements of the current content of the computer 30 (present in the current active memory) are copied therein.
  • a transition 2107 is validated when the completed installation is signaled to the gateway computer 21 by the target on-board computer 30, in this case via the bus 6, in particular by receiving the installation completion notification from the target computer 30.
  • the installation of the digital content in the target computer 30 is therefore completed without error.
  • a validation of the transition 2107 passes the method into a step 2108 which consists in sending to the customer computer 10, as a function of the installation completion notification, the status (correct or incorrect) of the installation of the target computer 30. After sending the status, the gateway computer 21 returns to the process standby step.
  • a transition 1019 is validated upon receipt of the correct installation status issued by the gateway computer 21.
  • the validation of the transition 1019 passes the method to a step 1020 which consists of verifying whether or not there is other digital content to be installed in the digital system.
  • the transition 1021 is validated when another digital content to be installed is detected in the list of downloaded digital content.
  • the validation of the transition 1021 causes the process to loop back to step 1016.
  • the transition 1023 is validated and passes the method to a step 1024 which consists of moving to the phase of verifying the conditions for activating the digital content of the current update campaign by sending a notification of the end of installation to the HMI-proxy dynamic configuration management module.
  • As previously described for Figure 3, this request to the HMI-proxy will determine the activation conditions required according to the digital content and/or the computers, that is to say for example the need or not for user agreement.
  • After this distribution and installation phase for a second type of computer, computer 10 returns to the process standby step, so it is a matter of waiting for the activation conditions, but it will not be possible to return to the distribution phase as long as the process is not completed, that is to say as long as the update campaign is not completed.
  • FIG. 5 schematically illustrates the method according to the invention for carrying out a distribution and an installation of digital content inside the digital system (on board in English) from the customer on-board computer 10.
  • the steps now described are performed disconnected from the outside world (off board in English).
  • the distribution and installation phase that is the subject of FIG. 5 is carried out with a view to updating a third type of on-board computer 23 of hybrid type corresponding to on-board computer 23, which in this case is a display.
  • This third type of computer is called hybrid because it comprises two processors and each processor is considered to be a computer of a different type, as shown in the figure.
  • a first processor is a computer of the first type and is connected to the customer on-board computer 10 in this case via the secure link 7 (the on-board bus 5 connecting the hybrid computer 23 to the customer computer 10 is not used here, but could represent a variant) of which the port on the first processor side is secure
  • the second processor is a computer of the second type and is connected to the gateway onboard computer 21 via the bus 8.
  • the direct link 7 is not always open, that is to say that advantageously the secure communication port located on the first processor is by default closed, preventing any data communication by this link.
  • this hybrid computer 23 could include other parts. This hybrid computer 23 is equipped with sufficient computer resources to process the downloaded content intended for it.
  • the content distribution and installation phase in a hybrid computer 23 implements the related steps as described above for a computer of the first type, in FIG. 3, and for a computer of the second type, in FIG. 4; the update therefore comprises two distinct downloaded digital contents, each characterized by its distinct descriptive data.
  • the first content, which is secure, will designate a recipient computer 23, as if it were of the first type, and the second content a gateway recipient computer for an update of the target computer 23, as if it were of the second type.
  • the solid arrow between the customer computer 10 and the gateway computer 21 represents the exchanges between these two computers during the distribution and installation phase of the second content for which the gateway computer 21 is recipient while the hybrid computer 23 is the target.
  • the solid line arrow between the gateway computer 21 and the hybrid computer 23 represents the exchanges between these two computers during the distribution and installation phase of the second content, for which the gateway computer 21 is the recipient while the hybrid computer 23 is the target.
  • This computer being of the third type, at the end of the installation of this second content, an intermediate step is carried out in which the second processor sends a request to open the secure port to the first processor, internally within the hybrid computer 23. This sending of an opening request is illustrated by the dotted line arrow between the gateway computer 21 and the hybrid computer 23. Once the port is open, the rest of the steps in the distribution and installation phase of the first content can then proceed as previously described in Figure 3, in this case via link 7.
  • the solid arrow between the customer computer 10 and the first processor of the hybrid computer 23 represents the phase of distribution and installation of the first content in the first part of the external memory of the hybrid computer 23 as the destination and target computer.
  • the process steps in question are therefore similar to those implemented for a first type computer as described in Figure 3
  • each target computer is up to date, which therefore means, for a computer of the first type, that it includes the new digital content in its internal inactive bank or in its buffer memory and, for a computer of the second type, that it includes the new digital content in its external memory or in its internal inactive bank, and therefore both at the same time in the case of a computer of the third type.
  • FIG. 6 shows the process steps according to the invention for activating a target on-board computer of the first type after installation. The steps now described are also executed disconnected from the outside world (off board in English). More precisely, the activation phase illustrated by FIG. 6 is carried out with a view to updating a first type of on-board computer 20 corresponding to one of the on-board computers 11, 21, 22 directly connected to the on-board bus 5 on which the client on-board computer 10 is connected, and each equipped with sufficient computer resources to process the downloaded content intended for it.
  • following step 1024 for sending a notification of the end of installation of the digital content of the update campaign, for the method executed in the on-board computer 10, a transition 1025 is validated when the vehicle 4 is in the activation conditions required by the update campaign. These conditions are determined by the HMI-proxy dynamic configuration management module, on the basis of the descriptive data (metadata) sent to the HMI-proxy dynamic configuration management module.
  • each computer has its own activation conditions, some of which are common (end of mission) and some more precise (user agreement: foreground), in particular in the case of computers of the second type 30
  • a satisfactory condition for carrying out the activation of the update of the computer of the first type 20 can arise from the vehicle 4 being at the end of the mission, that is to say that the engine has just been stopped.
  • a validation of the transition 1025 causes the process to pass into a step 1026 which consists in triggering the activation of the target on-board computer (and destination at the same time, since this computer is of the first type) 20.
  • the customer on-board computer 10 begins by defining the target on-board computer 20 by reading the digital content characterized by its descriptive data which contains this indication, then issuing an activation request to the target on-board computer 20.
  • the target computer to be updated by this digital content is of the first type 20, namely one of the computers 11, 21, 22 connected to the customer computer 10 directly via the on-board bus 5 and in fact the target computer of the digital content, therefore to be activated, is identified as being the target computer in question 11, 21, 22.
  • a transition 2011 is validated when the target on-board computer 20 receives the activation request sent by the client on-board computer 10 in activation trigger step 1026.
  • the client on-board computer 10 can use the CAN, FTP, Ethernet protocols to send the activation request to the destination computer 20 via the on-board bus 5, independently of the level of connectivity to a telecommunications network since these steps are executed disconnected from the outside world.
  • Validation of the transition 2011 takes the process to a step 2012 which consists in activating the digital content installed in step 3004 in the recipient computer 20, then in particular in notifying the client computer 10 of the completion of the activation, knowing that this notification can be a success notification or an activation failure notification.
  • to activate means, for a computer of the first type, to pass from the current content to the new content by switching in the case of a double bank and otherwise by updating the internal current memory in the case of an internal buffer memory. In this case, this notification is routed by means of bus 5.
  • a transition 1027 is validated when the report of successful activation of the digital content, sent by the target on-board computer 20 in step 2012, is received by the client computer 10.
  • a validation of the transition 1027 passes the method into a step 1028 which consists of generating an internal activation report relating to the activated digital content in question and verifying whether or not there is other digital content to be installed in the digital system
  • a transition 1029 is validated if there is other digital content to be installed in the digital system, that is to say on an on-board computer 11, 21, 22, 30, 31, 32, 33 whatever it is.
  • the transition 1029 is therefore validated when such other digital content to be installed is detected in the list of downloaded digital content.
  • Validating transition 1029 returns the process to step 1026.
  • the transition 1030 is validated and passes the method to a step 1031 which consists for the client computer 10 in sending an end of campaign notification of the current update to the target computer 20. It is therefore after the successful activation of all the target computers 20, 30, 23 of the list that this end of campaign notification is sent to each of the target computers 20, 30, 23. Each of the computers (except the last) therefore waited on standby to receive this notification, which confirms successful completion of all update campaign activations. Indeed, this notification cannot be sent any earlier, since one of the computers might not succeed in activating, as will be explained later.
  • a transition 2013 is validated when the target computer 20 receives the end of campaign notification sent by the client computer 10 in step 1031.
  • a validation of the transition 2013 causes the process to pass into a step 2014 which consists in erasing the past digital content, now inactive at this stage of the process, and, once this erasure has been completed, in notifying the client computer 10 of the “ready for a new update” status of the target computer 20.
  • a transition 1032 is validated when the client computer 10 has received all the “ready” status notifications sent by each target computer 20 or recipient 30 at step 2014 or 2114.
  • a validation of the transition 1032 passes the method into a step 1033 which consists in generating an overall campaign success report, the generated report being updated by successive aggregations at each “ready” status of target computer 20 or recipient 21. Once all the notifications from each computer 20, 30, 23 in the list have been sent, the global report generated at this step 2014 will be complete, this report then being sent to the remote server 101 or 102 (not shown in FIG. 6).
  • a transition 1034 is validated when the digital content activation failure notification, sent by the target on-board computer 20 in step 2012, is received by the client computer 10.
  • a validation of the transition 1034 passes the method into a step 1035 which consists in triggering a general rollback of all the computers of the digital system which is the subject of the update campaign.
  • general rollback is meant return to the initial state before the start of the campaign.
  • the client on-board computer 10 begins by defining all the recipient on-board computers forming the subject of the update campaign, then issuing a rollback request to each of these defined recipient on-board computers 20, 21, 23.
  • the target computer defined and therefore having to perform the rollback is of the first type 20, namely one of the computers 11, 21, 22 connected to the customer computer 10 directly via the on-board bus 5.
  • the transition 2015 is validated when the target on-board computer 20 receives the rollback request sent by the client on-board computer 10 at step 1035.
  • this notification is sent by means of the bus 5. It should be remembered that at this stage of the method the past digital content is still present in the external memory of the target computer 20 (which is now inactive if the activation of the new, replacement content was successful, and still active otherwise), this one not being erased, and the new digital content of the update, now activated if its activation was successful.
  • a validation of the transition 2015 takes the process to a step 2016 which consists of going back, that is to say reactivating the past digital content, therefore rendering the new digital content inactive if it was not already, and, once this rollback has been completed, notifying the client computer 10.
  • a transition 1036 is validated when the customer computer 10 receives the notification of completion of rollback sent by the target computer 20 in step 2016.
  • a validation of the transition 1036 passes the method into a step 1037 which consists in generating a campaign failure report then, once this report is complete, in notifying the target computer 20 of the end of the campaign, the generated report being updated by successive aggregations for each target computer 20 having performed its rollback.
  • the transition 2017 is then validated when the target on-board computer 20 receives the end of campaign notification sent by the client on-board computer 10 in step 1037. In this case, this notification is sent by means of the bus 5. It should be remembered that at this stage of the method, the past digital content reactivated and the new digital content inactive are still present in the external memory of the target computer 20.
  • a validation of the transition 2017 takes the process to a step 2018 which consists of erasing the new digital content of the update, now inactive at this stage of the process, so as to keep only the past content reactivated, and, once this erasure has been completed, notifying the client computer 10 of the “ready for a next campaign” status of the target computer 20.
  • a transition 1038 is validated when the client computer 10 receives the "ready for a next campaign" status notification sent by the target computer 20 in step 2018.
  • a validation of the transition 1038 passes the method into a step 1039 which consists in generating an overall campaign failure report, this report, once complete, then being transmitted to the remote server 101 or 102 (not shown in FIG. 6).
  • the overall campaign failure report generated in step 1039 is updated by successive aggregations of the notifications received from each computer defined in step 1035. Once all the notifications from each computer 20, 21, 23 defined in step 1035 have been sent, the global report generated at this step 1039 will then be complete. For the gateway 21, several notifications are possible, since the update could include contents intended for the gateway as such (for itself as a gateway) and contents having a target 30 or 23.
  • After this activation phase, whether successful or not, for a first type of computer, the client computer 10 returns to the process standby step, as does the target computer 20, then turns off.
  • FIG. 7 shows process steps according to the invention for activating a target on-board computer of the second type after installation. The steps now described are also executed disconnected from the outside world (off board). More precisely, the activation phase illustrated by FIG. 7 is carried out with a view to updating a second type of on-board computer 30 corresponding to one of the on-board computers 31, 32, 33 connected to the on-board gateway computer 21, in this case via bus 6, and each equipped with sufficient computer resources to process the downloaded content intended for it.
  • the dynamic configuration management module also called proxy HMI
  • a satisfactory condition for activating the update of the computer of the second type 30 can, as previously described for FIG. 6, be that the vehicle 4 is at the end of the mission and that, once at the end of the mission, the user's agreement has been requested and then obtained by means of a virtual button displayed on the HMI 12.
  • this user request is preferred for this second type of computer 30 because their update is less instantaneous and requires blocking the restart of the engine, which requires alerting the user. Thus, once the user agreement has been obtained, restarting the engine is prohibited.
  • a validation of the transition 1025 passes the method into a step 1026 which consists in triggering the activation of the on-board computer receiving the content, namely the gateway computer 21 since the target here is a computer of the second type 30, that is to say located in a secure area behind the gateway.
  • the client on-board computer 10 begins by defining the destination on-board computer 21 by reading the downloaded digital content characterized by its descriptive data which contains this indication, then sending an activation request to the recipient on-board computer, here gateway 21.
  • the target computer to be updated by this digital content is of the second type 30, located behind the gateway, the identified recipient of the digital content is therefore the gateway, the client computer 10 ignoring that the target is a computer of the second type, namely one of the computers 31, 32, 33 and in fact the recipient computer to which to send the activation request is identified as being the gateway computer 21.
  • a transition 2111 is validated when the gateway computer 21 receives the activation request sent by the client on-board computer 10 in step 1026 of activation trigger.
  • the client on-board computer 10 can use the CAN, FTP, Ethernet protocols to send this request to the destination computer 21 via the on-board bus 5, independently of the level of connectivity to a telecommunications network since these steps are executed disconnected from the outside world.
  • a validation of the transition 2111 passes the method to a step 2112 which essentially consists in triggering the activation of the target on-board computer 30.
  • the gateway on-board computer 21 begins by defining the target on-board computer 30, in this case by reading the download list, which for example takes the form of a table with the update status for each computer row, then by issuing an activation request to the target on-board computer 30.
  • the target computer to be updated that is to say whose digital content must be activated, is of the second type 30, namely one of the computers 31, 32, 33 indirectly connected to the customer computer 10 via the gateway computer 21.
  • a transition 3011 is validated when the target computer 30 receives the activation request sent by the gateway computer 21 at step 2112.
  • a validation of the transition 3011 passes the method to a step 3012 which consists in activating the digital content installed in step 3004 in the target computer 30, then in particular in notifying the gateway computer 21 of the completion of the activation, knowing that this notification can be a success notification or an activation failure notification.
  • Activation consists, in the case of dual bank internal memory, in switching from the active (current) bank to the other bank (containing the new digital content) and, in the case of an external memory, in transferring the new digital content from external memory to internal memory.
  • a transition 1027 is validated when a notification of successful activation, notified by the gateway computer 21 at step 2112, is received by the client computer 10.
  • a validation of the transition 1027 passes the method into a step 1028 which consists in generating an internal activation report, which will be completed on each receipt of a notification relating to a new activated digital content, and in verifying whether or not there is other digital content to be installed in the digital system.
  • a transition 1029 is validated if there is other digital content to be installed in the digital system, that is to say on any on-board computer whatsoever.
  • the transition 1029 is therefore validated when other digital content to be installed is detected in the list of downloaded digital content.
  • Validating transition 1029 returns the process to step 1026.
  • the transition 1030 is validated and passes the method to a step 1031 which consists for the client computer 10 in sending an end of campaign notification of the current update to the gateway recipient computer 21. It is therefore after the successful activation of all the target computers 20, 30, 23 of the list that this end of campaign notification is sent to each of the recipient computers 20, 21, 23. Each of the computers (in this case except the last) therefore waited on standby to receive this notification, which confirms the success of all activations of the update campaign. Indeed, this end-of-campaign notification cannot be sent any earlier, since one of the computers might fail to activate, as will be explained below.
  • a transition 2113 is validated when the end of campaign notification, sent by the client on-board computer 10 in step 1031, is received by the gateway computer 21.
  • a validation of the transition 2113 passes the method to a step 2114 which consists in sending an end of campaign notification to the target computer 30.
  • a transition 3013 is validated when the target computer 30 receives the end of campaign notification sent by the gateway computer 21 at step 2114.
  • a validation of the transition 3013 passes the method to a step 3014 which consists in erasing (whether in the bank of the internal inactive memory or in the external memory) the past digital content, now inactive at this step of the method, and, once this erasure has been completed, in notifying the gateway computer 21 of the “ready for a next campaign” status of the target computer 30.
  • Receipt of this notification of the “ready for a next campaign” status by the gateway computer 21 finalizes step 2114 with a return by the gateway computer 21 to the client computer 10 of the “ready for a next campaign” status, the gateway computer playing here a role of mailbox. It should be remembered that in internal EEPROM memory, a non-emptied bank cannot be rewritten, hence the importance of erasing for a next update campaign.
  • a transition 1032 is validated when the client computer 10 receives the last notification of the status “ready for a next campaign” sent by the last computer from the list in step 2114 or 2014.
  • a validation of the transition 1032 passes the method into a step 1033 which consists in generating an overall campaign success report, the generated report being updated by successive aggregations at each “ready” status of target computer 20 or recipient 21. Once all the notifications from each computer 20, 30, 23 in the list have been sent, the global report generated at this step 2014 will be complete, this report then being sent to the remote server 101 or 102 (not shown in FIG. 7).
  • step 2112 ends with a notification of failure of the activation by the gateway computer 21 to be sent back to the client computer 10, and from step 1026 for triggering activation executed by the client computer 10, a transition 1034 is validated as soon as the notification of activation failure is received by the client computer 10.
  • a validation of the transition 1034 passes the method into a step 1035 which consists in triggering a general rollback of all the computers of the digital system which is the subject of the update campaign.
  • general rollback is meant return to the initial state before the start of the campaign.
  • the client on-board computer 10 begins by defining all the recipient on-board computers that are the subject of the update campaign, then sending a rollback request to each of these defined destination on-board computers 20, 21, 23.
  • the target computer is of the second type 30 but the client computer 10 only knows that the defined recipient is the gateway computer 21; the rollback request is therefore sent to the gateway computer 21. From step 2112 for triggering activation executed by the gateway computer 21, a transition 2115 is validated when the rollback request, sent by the client on-board computer 10 at step 1035, is received by the gateway computer 21.
  • a validation of the transition 2115 passes the method into a step 2116 which consists first of all in triggering the rollback of the target computer 30 by sending a rollback request to the target computer 30 (a request will therefore be sent sequentially following the method for each target computer 30 defined in step 1035).
  • the transition 3015 is validated when the target computer 30 receives the rollback request sent by the gateway computer 21 in step 2116. In this case, this request is routed by means of the bus 6.
  • a validation of the transition 3015 passes the method to a step 3016 which consists of performing the rollback, therefore rendering inactive the new digital content if it was not already, and, once this rollback has been completed, in notifying the gateway computer 21 by sending a return to the initial state report.
  • This rollback is done by switching, which switches back to the other bank, in the case of dual bank internal memory and by restoring the digital content saved in the case of external memory.
  • the reception of this return to the initial state report by the gateway computer 21 finalizes step 2116 with a return by the gateway computer 21 to the customer computer 10 of the return to the initial state report, the gateway computer 21 playing here a mailbox role.
  • a transition 1036 is validated when the customer computer 10 receives the return to the initial state report sent by the gateway computer 21 in step 2116
  • a validation of the transition 1036 passes the method into a step 1037 which consists in generating a campaign failure report which will be completed by successive aggregations on each reception of a return to the initial state report (originating from each computer defined at step 1035), then once all the notifications from all the target computers defined in step 1035 have been received, the campaign failure report generated at this step 1037 will be complete, and the campaign end notification sent to each of the destination computers defined in step 1035.
  • once this report is complete (that is to say once all the computers defined in step 1035 have returned to the initial state), the destination gateway computer 21 is notified of the end of the campaign.
  • the transition 2117 is then validated when the on-board gateway recipient computer 21 receives the notification of the end of campaign sent by the client on-board computer 10 in step 1037.
  • this notification is sent by means of the bus 5.
  • a validation of the transition 2117 passes the method into a step 2118 which consists first of sending a request to erase the new digital content of the update, now inactive at this step of the method, so as to keep only the past content reactivated (initial before update).
  • the transition 3017 is validated when the target computer 30 receives the backtrack request sent by the gateway computer 21 in step 2118. In this case, this request is routed by means of the bus 6
  • a validation of the transition 3017 passes the method into a step 3018 which consists in erasing the new digital content of the update if it was not already, and, once this erasure has been completed, notifying the gateway computer 21 thereof by sending a status "ready for a next campaign". The reception of this “ready” status by the gateway computer 21 finalizes step 2118 with a sending by the gateway computer 21 to the client computer 10 of the “ready for a next campaign” status of the target computer 30, the gateway computer 21 playing here a mailbox role.
  • a transition 1038 is validated when the client computer 10 receives the "ready for a next campaign" status notification sent by the gateway computer 21 in step 2118.
  • a validation of the transition 1038 passes the method into a step 1039 which consists in generating an overall campaign failure report, this report once complete, then being transmitted to the remote server 101 or 102 (not shown in FIG. 7) and releasing the restart ban.
  • the overall campaign failure report generated in step 1039 is updated by successive aggregations of the notifications received from each computer defined in step 1035.
  • Once all the notifications from each computer 20, 21, 23 defined in step 1035 have been sent, the global report generated in this step 1039 will then be complete. For the gateway 21, several notifications are possible, since the update could include content intended for the gateway as such (for itself as a gateway) and contents having a target 30 or 23.
  • the past digital content has been erased in order to be ready for a next campaign and to prevent, for security reasons, any reversion to the previous version.
  • when a step of the method does not end as expected, the method remains blocked in this step and a timeout can be provided, for example in the client computer 10 or gateway 21, at the end of which a failure is detected, to then initiate a reset of the entire digital system, as defined above, with notification of the failure to the server.
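
The activation, general rollback and end-of-campaign sequence of FIG. 6 and FIG. 7, including the gateway relay and the timeout case, as an added Python example that is not part of the patent text. The ECU names, version strings, message names and fault flags are constructed for illustration, and a missing reply stands in for the expired timeout.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Ecu:
    """Target computer: one active content plus inactive storage (other bank or external memory)."""
    active: str                      # content currently running
    staged: str | None = None        # new content installed, not yet activated
    previous: str | None = None      # past content, kept until the end of the campaign
    fail_activation: bool = False    # constructed fault: activation reports failure
    silent: bool = False             # constructed fault: no reply at all (timeout case)

    def activate(self):
        """Steps 2012 / 3012: switch to the new content and report the outcome."""
        if self.silent:
            return None
        if self.fail_activation or self.staged is None:
            return "activation_failed"
        self.previous, self.active, self.staged = self.active, self.staged, None
        return "activation_ok"

    def rollback(self):
        """Steps 2016 / 3016: reactivate the past content if the new one was activated."""
        if self.previous is None:
            return "already_initial"
        self.staged, self.active, self.previous = self.active, self.previous, None
        return "rolled_back"

    def end_of_campaign(self):
        """Steps 2014 / 3014 or 2018 / 3018: erase whatever content is now inactive."""
        self.staged = self.previous = None
        return "ready"


class Gateway:
    """Gateway computer 21: forwards requests to second-type targets and relays replies."""
    def __init__(self, behind):
        self.behind = behind         # name -> Ecu on bus 6

    def relay(self, target, request):
        return getattr(self.behind[target], request)()


class Client:
    """Client computer 10: drives the campaign over the download list."""
    def __init__(self, direct, gateway):
        self.direct = direct         # name -> Ecu on bus 5 (first type)
        self.gateway = gateway

    def _send(self, target, request):
        if target in self.direct:
            return getattr(self.direct[target], request)()
        return self.gateway.relay(target, request)

    def run_campaign(self, download_list, conditions_met=True):
        if not conditions_met:       # transition 1025 not validated yet
            return {"result": "waiting", "failed": None, "log": []}
        log, failed = [], None
        for target in download_list:                 # steps 1026 to 1029
            reply = self._send(target, "activate")
            log.append((target, "activate", reply))
            if reply != "activation_ok":             # transition 1034, or timeout expiry
                failed = target
                break
        if failed is not None:                       # step 1035: general rollback
            for target in download_list:
                log.append((target, "rollback", self._send(target, "rollback")))
        for target in download_list:                 # step 1031 or 1037: end of campaign
            log.append((target, "end_of_campaign", self._send(target, "end_of_campaign")))
        return {"result": "failure" if failed else "success", "failed": failed, "log": log}


def demo(fault=None):
    """Run one constructed campaign; fault is (ecu_name, flag_name) or None."""
    direct = {"ecu11": Ecu("v1", "v2"), "ecu22": Ecu("v1", "v2")}
    behind = {"ecu31": Ecu("v1", "v2")}
    ecus = {**direct, **behind}
    if fault:
        name, flag = fault
        setattr(ecus[name], flag, True)
    report = Client(direct, Gateway(behind)).run_campaign(["ecu11", "ecu31", "ecu22"])
    state = {n: (e.active, e.staged, e.previous) for n, e in ecus.items()}
    return report, state, ecus


if __name__ == "__main__":
    for fault in (None, ("ecu31", "fail_activation"), ("ecu22", "silent")):
        report, state, _ = demo(fault)
        print(fault, report["result"], state)
```

After a successful campaign the past content has been erased, so a later rollback request finds nothing to reactivate; after a failed one every computer is back on its initial content and the new content is gone.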

EP20808154.7A 2019-11-29 2020-11-24 Verfahren zur aktualisierung eines digitalen systems Pending EP4066103A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1913530A FR3103926B1 (fr) 2019-11-29 2019-11-29 Procédé de mise à jour de système numérique.
PCT/EP2020/083141 WO2021105089A1 (fr) 2019-11-29 2020-11-24 Procédé de mise à jour de système numérique

Publications (1)

Publication Number Publication Date
EP4066103A1 true EP4066103A1 (de) 2022-10-05

Family

ID=69811119

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20808154.7A Pending EP4066103A1 (de) 2019-11-29 2020-11-24 Verfahren zur aktualisierung eines digitalen systems

Country Status (7)

Country Link
US (1) US11928458B2 (de)
EP (1) EP4066103A1 (de)
JP (1) JP2023503288A (de)
KR (1) KR20220108129A (de)
CN (1) CN114746838A (de)
FR (1) FR3103926B1 (de)
WO (1) WO2021105089A1 (de)


Also Published As

Publication number Publication date
US20220405085A1 (en) 2022-12-22
JP2023503288A (ja) 2023-01-27
KR20220108129A (ko) 2022-08-02
FR3103926B1 (fr) 2021-11-05
CN114746838A (zh) 2022-07-12
FR3103926A1 (fr) 2021-06-04
WO2021105089A1 (fr) 2021-06-03
US11928458B2 (en) 2024-03-12


Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20220518

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NISSAN MOTOR CO., LTD.

Owner name: AMPERE SAS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS