JP2022179940A - Electronic controller and method for controlling electronic controller - Google Patents

Abstract

To appropriately suppress or prevent functions to safety change of control according to passage of time.SOLUTION: An electronic controller is for controlling a vehicle by built-in software, and includes: a control amount calculation unit for calculating a control amount of a vehicle; and a passage addressing unit for outputting a control amount for suppressing or preventing functions of the vehicle on the basis of the control amount calculated by the control amount calculation unit. The passage addressing unit determines passage information including information on an active time of the electronic controller, diagnoses the seriousness for the safety on the basis of the result of the determination, and determines the control amount for suppressing or preventing functions of the vehicle on the basis of the diagnosed seriousness.SELECTED DRAWING: Figure 1

Description

TECHNICAL FIELD The present invention relates to an electronic control device, and more particularly to technology for countermeasures against changes over time.

In an automatic driving system, there is a method of providing an evaluation value calculation unit that compares a control target value and a control result detection value, calculates an evaluation value of a driving plan, and suspends automatic driving control based on the evaluation value and the evaluation threshold.

As background arts in this technical field, there are the following prior arts. Patent Document 1 (Japanese Patent Application Laid-Open No. 2020-175893) discloses a driving plan generation unit that generates a driving plan of a vehicle including a control target value of the vehicle according to the position on the target route, a driving plan, the position of the vehicle, the vehicle Based on the surrounding road environment and the running state of the vehicle, a driving control unit that performs automatic operation control of the vehicle, a detection value acquisition unit that acquires the control result detection value by the automatic operation control of the vehicle, a control target value and control An evaluation value calculation unit that calculates the evaluation value of the driving plan based on the comparison result with the result detection value, and the necessity of interrupting the automatic driving control based on the evaluation value of the driving plan and the evaluation threshold. An automatic driving system comprising a determining unit and an information providing unit that provides automatic driving control interruption information to the vehicle occupant or other vehicles around the vehicle when it is determined that the automatic driving control needs to be interrupted. are described (see abstract).

Patent Document 2 (Japanese Patent Application Laid-Open No. 2020-27652) discloses a center device that manages data to be written to a plurality of electronic control devices mounted on a vehicle, and updates data among the plurality of electronic control devices. an update data storage unit that stores update data for a target device, a data distribution unit that distributes the update data to the vehicle, and identification information of the target vehicle to be updated using the update data; and an individual vehicle configuration information storage unit that stores update state information relating to an update completion state and an update in-progress state as update states obtained from the plurality of target vehicles; and an update state management section for statistically managing the update state information of (see claim 1).

JP 2020-175893 A JP 2020-27652 A

However, although an automatic driving device is composed of multiple sensors, a navigation system, a processing unit in an ECU, and a vehicle driving device that is the output destination of the control amount, in Patent Document 1, the controllability risk value is determined at the completion of development. It does not take into consideration the complex system quality changes over time caused by variations and changes in multiple devices and ECUs (including software incorporated in the ECU), and control safety associated with complex error changes. Responding to change is difficult.

In addition, in vehicles with advanced driving support functions, automatic driving functions, etc., it is necessary to maintain performance by regular maintenance and maintenance such as updating software to the latest state. It is possible to grasp the update implementation and update status of the program, but in the environment where the vehicle is placed, there may be cases where maintenance such as software updates and maintenance of performance due to regular maintenance are not performed perfectly, and the original function of the vehicle cannot be maintained. or performance may not be exhibited.

The present invention seeks to solve or ameliorate at least one of these or related problems.

A representative example of the invention disclosed in the present application is as follows. That is, an electronic control device that controls a vehicle with built-in software, comprising: a control amount calculation unit that calculates a control amount of the vehicle; a progress countermeasure unit for outputting the inhibited control amount, wherein the progress counter measure unit determines progress information including information regarding the operation time of the electronic control unit, and based on the result of the determination, determines the severity of safety. is diagnosed, and a control amount for suppressing or deterring the function of the vehicle is determined based on the diagnosed severity.

ADVANTAGE OF THE INVENTION According to one aspect of the present invention, functions can be appropriately suppressed or inhibited with respect to changes in safety of control over time. Problems, configurations, and effects other than those described above will be clarified by the following description of the embodiments.

1 is a system configuration diagram of an integrated ECU according to Example 1 of the present invention; FIG. FIG. 11 is a block diagram showing the configuration of a transition countermeasure unit according to the first embodiment; FIG. 2 is a diagram showing the concept of software determination according to the first embodiment; FIG. 4 is a diagram showing the contents of risk evaluation determination information in Example 1. FIG. 7 is a flow chart of progress information recording processing of the first embodiment; 7 is a flow chart of progress information recording processing of the first embodiment; 4 is a flow chart of a running time risk level diagnosis parameter selection process of the first embodiment; 4 is a flowchart of ignition-on time risk degree parameter selection processing of the first embodiment; 7 is a flowchart of software warranty period risk degree diagnostic parameter selection processing of the first embodiment; 6 is a flowchart of unauthorized access determination processing according to the first embodiment; FIG. 11 is a system configuration diagram of an integrated ECU of Example 2; FIG. 10 is a flowchart of software update processing according to the second embodiment; FIG.

In the embodiment of the present invention, the risk over time is evaluated using the information over time in the electronic control device that controls the behavior of the vehicle with built-in software, and the function suppression range and the function suppression amount are determined according to the elapsed time and the travel distance, Ensure optimum safety. Risk assessment is combined with risk evaluation of control safety change countermeasures classified by function restraint range using methods such as bathtub curves (Weibull distribution) to estimate unknown risk changes and software warranty period. By determining the suppression range, the risk value change according to the progress is considered, the function is suppressed or suppressed, and the occupant is warned. This ensures optimum safety.
<Example 1>
Hereinafter, embodiments of the present invention will be described with reference to the drawings.

FIG. 1 is a system configuration diagram of the integrated ECU 101 of the first embodiment.

The integrated ECU 101 includes a vehicle position recognition unit 102, a road environment recognition unit 103, a running state recognition unit 104, a progress information recording processing unit 105, a control amount calculation unit 106, a progress countermeasure unit 107, a control amount output unit 109, and a detection value processing unit. 117 and a software update processing unit 120 .

The detected value processing unit 117 integrates information input from the external sensor 113, the internal sensor 114, the GPS receiving unit 115, and the navigation system 116, and outputs the information to the vehicle position recognition unit 102, the road environment recognition unit 103, and the driving state recognition unit 104. output to

The external sensor 113 is a device that acquires information outside the vehicle, such as LiDAR, radar, and ultrasonic sensors. The internal sensor 114 is a sensor such as a throttle sensor and a steering sensor that detects the operation of the passenger, and a sensor that detects the behavior of the vehicle such as speed and acceleration. GPS receiver 115 receives signals from positioning satellites and measures positions. The navigation system 116 has map information and provides the integrated ECU 101 with the map information.

Vehicle position recognition unit 102 uses information from external sensor 113 , internal sensor 114 , GPS receiver 115 and navigation system 116 to recognize the vehicle position on the map. The road environment recognition unit 103 uses information from the external sensor 113, the internal sensor 114, the GPS receiver unit 115, and the navigation system 116 to recognize the road environment (eg, lanes, signs, traffic lights, etc.) during travel. The running state recognizing unit 104 uses information from the external sensor 113, the internal sensor 114, the GPS receiving unit 115, and the navigation system 116 to recognize the running state of the vehicle (vehicle speed, acceleration, yaw rate, tilt, etc.).

The progress information recording processing unit 105 manages inspection records.

The control amount calculation unit 106 calculates the control amount of the vehicle based on the outputs from the vehicle position recognition unit 102 , the road environment recognition unit 103 and the running state recognition unit 104 . The progress countermeasure unit 107 refers to the progress information 202 of the progress information recording processing unit 105 and changes the control amount of the vehicle. The control amount output unit 109 converts the control amount calculated by the control amount calculation unit 106 and the vehicle control amount changed by the transition countermeasure unit 107 into a command signal to the actuator command ECU 118, and outputs the command signal to the actuator command ECU 118. The information is output to the output device 123 to be output to the passenger or outside the vehicle.

The software update processing unit 120 updates the progress determination information 119 and the risk determination information 121 according to instructions input from the inspection equipment 122 . The progress determination information 119 is inspection time information and internal parameters of the software update processing unit 120 . The risk determination information 121 is information used when software update risk is determined.

FIG. 2 is a block diagram showing the configuration of the progress countermeasure unit 107. As shown in FIG.

The progress countermeasure unit 107 has a risk evaluation determination information input unit 203 , a progress determination processing unit 204 , a risk degree diagnosis unit 205 and a countermeasure processing unit 206 .

The risk evaluation determination information input unit 203 reads the risk evaluation determination information 201 ( FIG. 4 ) and outputs it to the risk degree diagnosis unit 205 . The progress determination processing unit 204 determines which of the initial state, the stable period, and the excess period is based on the acquired progress information of the progress information 202, and acquires the control amount calculation parameter from the progress determination information 119. . The risk degree diagnosis unit 205 selects the risk evaluation determination risk degree determination parameter selection 601 from the progress determination processing unit 204 and the risk evaluation determination information input unit. The countermeasure processing unit 206 acquires processing details from the risk evaluation determination information 201 according to the severity of the risk, based on the diagnosis results from the progress determination processing unit 204 and the risk degree diagnosis unit 205 .

The progress information 202 includes the cumulative ignition-on time and the cumulative running time. The progress information 202 is recorded in the progress information recording process (Fig. 5), and is recorded in the progress information recording process (Fig. 6), the running time risk degree diagnostic parameter selection process (Fig. 7), and the ignition on time risk degree parameter selection process (Fig. 8) is read out.

FIG. 3 is a diagram showing the concept of software judgment, and FIG. 4 is a diagram showing the contents of the risk evaluation judgment information 201. As shown in FIG.

As shown in FIG. 3, the software executed by the integrated ECU 101 of this embodiment is classified into software 301 with a wide range of influence, software 302 with a medium range of influence, and software 303 with a narrow range of influence. For example, the software 301 with a wide range of influence is automatic driving software that requires a high level of safety regarding the essential control of the vehicle. Software 302 with a medium range of influence is brake and steering control software related to vehicle control. The software 303 with a narrow range of influence includes indicator light control software that is unrelated to vehicle control and has a low level of safety, torque sensor detection software that has alternative means, and the like.

A function suppression range 304 is defined for the software 301, 302, and 303, and when a problem occurs in the software at each level, the software within the defined function suppression range 304 stops operating. A wide range A including software 301 , 302 , and 303 is defined for software 301 having a wide range of influence. A range B that includes software 302 and 303 is defined for the software 302 having a moderate range of influence. A range C that includes only the software 303 is defined for the software 303 with a narrow range of influence.

For example, as shown in FIG. 4, if a defect is found in the automatic driving software that has a wide range of influence, it will be in a transitional state related to a high safety level, a danger display will be output, and the automatic driving software among the software 301 to 303 All software involved stops functioning. Also, if a defect is found in the external world detection software with a medium range of influence and the external camera cannot detect it, it becomes a transitional state related to a medium safety level, a warning display is output, and one of the software 302 and 303 All software related to the external world detection software stops functioning, but software with a wide range of influence (for example, automatic driving software) 301 changes the automatic driving level and continues to operate. If a defect is found in the indicator light control software, which has a narrow range of influence, it becomes a transitional state with a low impact on the safety level, outputs a caution display, and outputs all software related to the indicator light control software out of the software 303. stops functioning, but the software 301 with a wide range of influence and the software 302 with a medium range of influence continue to operate.

In this way, the software malfunction determines the control amount that inhibits or inhibits the function of the vehicle step by step or partially.

The severity levels shown in FIG. 4 may vary depending on not only the software type but also the equipment controlled by the software and the running speed of the vehicle.

FIG. 5 is a flowchart of progress information recording processing executed by the progress information recording processing unit 105 . The progress information recording processor 105 calculates the ignition-on time and the running time, and records them in the progress information 202 .

First, the progress information recording processing unit 105 determines whether it is time to start learning progress information (501). For example, progress information acquisition is initiated when the vehicle is shipped from the factory or when the vehicle is handed over to the user.

Next, the progress information recording processing unit 105 acquires the current date and time (502), and adds the ignition ON time (503). For example, the energization time of the integrated ECU 101 since the previous progress information recording process is executed is added. Regardless of whether the vehicle is stopped or running, components placed in the engine room are exposed to the engine temperature while the engine is running. If the difference between the ignition-on time and the engine operating time is large, such as in a hybrid vehicle, instead of the ignition-on time, the engine operating time may be calculated in order to accurately evaluate the thermal effect of the engine.

Next, the progress information recording processing unit 105 determines whether the vehicle is running based on whether a vehicle speed pulse is detected (504). If the vehicle is running, the running time is added (505), and if the vehicle is not running, the running time is not added (506).

After that, the calculated ignition ON time and running time are recorded in the elapsed information 202 (507).

FIG. 6 is a flowchart of progress information recording processing executed by the progress countermeasure unit 107 . The progress countermeasure unit 107 determines the risk evaluation determination risk, diagnoses the running time risk, diagnoses the ignition-on risk, diagnoses the software warranty period risk, and determines processing according to the severity.

The risk evaluation judgment information input unit 203 acquires the risk evaluation judgment information 201 (601). Next, the risk degree diagnosis unit 205 refers to the risk evaluation judgment information 201 and selects risk evaluation judgment risk degree judgment parameters (602).

The progress determination processing unit 204 acquires the progress information 202 (603), and selects a travel time risk degree diagnosis parameter (604). The details of the travel time risk degree diagnosis parameter selection process will be described with reference to FIG. Select 605 an ignition on-risk degree diagnostic parameter. Details of the ignition on-risk degree diagnostic parameter selection process will be described with reference to FIG. Select 606 software warranty period risk diagnostic parameters. The details of the software warranty period risk level diagnostic parameter selection process will be described with reference to FIG.

After the processes of the progress determination processing unit 204 and the risk degree diagnosis unit 205 are completed, the countermeasure processing unit 206 branches the processing according to the severity of the risk evaluation determination risk degree determination parameter (607). If the severity level is dangerous, the controlled variable output unit 109 outputs a danger display to the output device 123, and the actuator command ECU 118 suppresses or inhibits the function of range A (608).
On the other hand, if the severity level is a warning, the controlled variable output unit 109 outputs a warning display to the output device 123, and the actuator command ECU 118 suppresses or inhibits the functions in range B (609). If the seriousness level is caution, the control amount output unit 109 outputs a caution display to the output device 123, and the actuator command ECU 118 suppresses or inhibits the function of range C (610).

FIG. 7 is a flow chart of the running time risk degree diagnostic parameter selection process executed by the progress determination processing unit 204 .

First, the progress determination processing unit 204 acquires the running time from the progress information input 202 (702).

Next, the progress determination processing unit 204 determines whether the running time is within the initial range (703). If the running time is within the initial range, the progress determination processing unit 204 acquires the initial state control amount calculation parameter (704). Depending on the suppression state of the initial range, the initial range state may be displayed or a warning light may be turned on.

Next, the progress determination processing unit 204 determines whether the running time is within the stable quality range (705). If the running time is within the stable quality range, the progress determination processing unit 204 acquires a stable quality state control amount calculation parameter (706). In addition, when the initial setting display and the lighting of the warning light are performed due to the suppression of the permitted speed of the automatic driving control and the suspension of the automatic driving, the suppression, display, and lighting of these are stopped.

Next, the progress determination processing unit 204 determines whether the running time exceeds the warranty period (707). If the running time exceeds the warranty period, the progress determination processing unit 204 acquires a stable quality state control amount calculation parameter (708).

Since the failure rate curve (so-called bathtub curve) has a higher failure rate than the stable quality range in the initial range and the over warranty period range, the operation is changed by changing the parameters in the initial range, the stable quality range, and the over warranty period range. For example, in the initial range, if there is a difference in the braking control of the automatic driving support system or anti-skid system due to changes in sensor error due to familiarization of system components and fine dust accumulated on the sensor surface, the straightness of the vehicle will be affected. is impaired. In particular, when other vehicles are approaching or when the width of the lane is narrow, the upper limit of the control-permitted vehicle speed is changed to a lower speed to ensure safety.

In the stable quality range, the quality of the system components that change over time as the vehicle travels is stabilized, so the upper limit of the control-permitted vehicle speed is relaxed.

When the warranty period for system components expires, there is a possibility that erroneous communication will occur due to an increase in system detection errors or deterioration of communication wiring between control devices. Therefore, in the same way as the initial state control amount, the warranty expiration state control amount is applied, and the upper limit of the control permission vehicle speed of the automatic driving support, the skid prevention device, and the braking control device is changed to a lower speed side, or the control is suppressed or suppressed. to ensure safety.

However, when proper maintenance and parts replacement are performed through regular maintenance, in the inspection mode of FIG. be applied.

FIG. 8 is a flowchart of ignition-on time risk degree parameter selection processing executed by progress determination processing unit 204 .

First, the progress determination processing unit 204 acquires the ignition ON time from the progress information 202 (802).

Next, the progress determination processing unit 204 determines whether the ignition ON time is within the initial range (803). If the ignition-on time is within the initial range, the progress determination processing unit 204 acquires an initial state control amount calculation parameter (804).

Next, the progress determination processing unit 204 determines whether the ignition ON time is within the stable quality range (805). If the ignition-on time is within the stable quality range, the progress determination processing unit 204 acquires a stable quality state control amount calculation parameter (806).

Next, the progress determination processing unit 204 determines whether the ignition ON time has exceeded the warranty period (807). If the ignition-on time exceeds the warranty period, the progress determination processing unit 204 acquires a stable quality state control amount calculation parameter (808).

It determines whether the ignition ON time is within the initial range, whether it is within the stable quality range, or whether it exceeds the warranty period, so even if the quality of components in the engine room changes over time due to the engine temperature, the control state will be maintained. Suppress or suppress the amount of control that allows safe driving. Regarding the ignition-on time, as described above, when proper maintenance and parts replacement are performed through regular maintenance, in the inspection mode of FIG. Update the time so that the stable quality state control quantity is applied.

FIG. 9 is a flowchart of the software warranty period risk degree diagnostic parameter selection process executed by the progress determination processing unit 204 .

First, the progress determination processing unit 204 acquires the current date and time (902).

Next, the progress determination processing unit 204 determines whether it is within the software warranty period (903). If the current date and time have exceeded the software warranty period, the progress determination processing unit 204 acquires the post-software warranty period control amount calculation parameter (904). After the software warranty period has elapsed, the control amount is suppressed or suppressed by the control amount calculation parameter, and the suppression/suppression state is indicated by a warning light.

Some software, such as the operating system, has a warranty period as a countermeasure against hacking. Control may become impossible.

For example, when the software warranty period has expired, in order to ensure safety, the upper limit of the automatic driving control permission vehicle speed is changed to the low speed side, or the control is suppressed or restrained to ensure safety. Examples of control suppression or suppression include: These suppressing or suppressing operations may be performed singly or in combination.
・Prohibit the steering device control of the lane departure prevention support system.
・Prohibit hands-free driving and change the automatic driving control execution condition to the driver holding the steering wheel.
・Although automatic tracking control of the preceding vehicle is implemented during automatic driving, steering operation that accompanies lane changes is prohibited.
・Restrict automated driving range from the range including general roads to expressways.
・When it is determined that the security risk of the power steering ECU and the control brake ECU is high and the security risk of the ADAS controller is low, the integrated control by the three ECUs is changed to the single control by the ADAS controller only.
・Prohibit any of the external world recognition (vehicle position recognition, road sign recognition, driving state recognition) used for automatic driving control either singly or in combination.

As for the degree of software warranty period risk, in the same way as described above, when the software is updated due to regular maintenance, the progress information recording processing unit 105 updates the software warranty period and applies the control amount after the software warranty period has elapsed. to exclude.

FIG. 10 is a flowchart of unauthorized access determination processing executed by the progress determination processing unit 204 .

First, the progress determination processing unit 204 acquires the current date and time (1102). Next, the progress determination processing unit 204 determines whether it is within the software warranty period (1103). If the current date and time have exceeded the software warranty period, the progress determination processing unit 204 starts counting known minor security attacks from the outside (1104). Then, if the count value is equal to or greater than the predetermined value, the progress determination processing unit 204 acquires the post-software warranty period control amount calculation parameter (1106).

As described above, according to the first embodiment, the safety of vehicle behavior control is improved according to changes in system configuration products over time (fitting in joints, changes in backlash, etc.) and changes in security vulnerability due to software warranty expiration. Functions can be appropriately suppressed or inhibited in response to changes.

In addition, since the functions of the vehicle are suppressed or inhibited according to the software support deadline, a certain level of safety can be ensured even in places where support is not available.

In addition, since the function of the vehicle is suppressed or inhibited according to the count value of the security attack, a certain level of safety can be ensured even with old software.

In addition, since the functions of the vehicle are suppressed or inhibited in stages, even when the performance is degraded, the vehicle can operate within a safe range. Moreover, since the functions of the vehicle are partially suppressed or inhibited, the equipment can be operated within a safe range. For example, speed control can be enabled even if autopilot is deactivated.

<Example 2>
Next, Example 2 of the present invention will be described. In a second embodiment, software is updated over-the-air OTA. In the second embodiment, description of the same configuration and processing as in the first embodiment is omitted.

FIG. 11 is a system configuration diagram of the integrated ECU 101 of the second embodiment.

The integrated ECU 101 includes a vehicle position recognition unit 102, a road environment recognition unit 103, a running state recognition unit 104, a progress information recording processing unit 105, a control amount calculation unit 106, a progress countermeasure unit 107, a control amount output unit 109, and a detection value processing unit. 117 , a software update processing unit 120 and a receiving unit 131 .

The receiving unit 131 is connected to the radio antenna 130 and receives information from the outside. The software update processing unit 120 updates the software inside the integrated ECU 101 based on the information received by the receiving unit 131 .

FIG. 12 is a flowchart of software update processing.

First, the software update processing unit 120 determines whether to start the inspection mode (1001). For example, when the inspection device 122 is connected to the OBD 2 or when a special operation for starting the inspection mode is performed, it is determined that the inspection mode has started. When the inspection mode is started, the software is manually updated (1002) based on the operation of the mechanic.

On the other hand, if the inspection mode is not started, it is determined whether to start position information determination (1003). For example, if the vehicle position cannot be acquired from the GPS receiver 115, the software update process is terminated without starting position information determination. On the other hand, when the position information is acquired (1004), it is determined whether or not the vehicle is in a predetermined automatic updateable area (1005). As a result, if the position of the vehicle is within the area where automatic updating is possible (YES in 1006), the software is automatically updated by OTA (1007). On the other hand, if the position of the vehicle is outside the area where automatic updating is possible (NO in 1006), automatic software update is suspended (1008). For example, if the area is connected to a highly reliable network, it is possible to prevent intrusion of unauthorized software by automatically updating the software.

As described above, according to the second embodiment, the software is updated via wireless communication, so the software can be updated without regular maintenance, and safety can be maintained.

It should be noted that the present invention is not limited to the embodiments described above, but includes various modifications and equivalent configurations within the scope of the appended claims. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and the present invention is not necessarily limited to those having all the described configurations. Also, part of the configuration of one embodiment may be replaced with the configuration of another embodiment. Moreover, the configuration of another embodiment may be added to the configuration of one embodiment. Further, additions, deletions, and replacements of other configurations may be made for a part of the configuration of each embodiment.

In addition, each configuration, function, processing unit, processing means, etc. described above may be realized by hardware, for example, by designing a part or all of them with an integrated circuit, and the processor realizes each function. It may be realized by software by interpreting and executing a program to execute.

Information such as programs, tables, and files that implement each function can be stored in storage devices such as memories, hard disks, SSDs (Solid State Drives), or recording media such as IC cards, SD cards, and DVDs.

In addition, the control lines and information lines indicate those considered necessary for explanation, and do not necessarily indicate all the control lines and information lines necessary for mounting. In practice, it can be considered that almost all configurations are interconnected.

101 Integrated ECU
102 Vehicle position recognition unit 103 Road environment recognition unit 104 Driving state recognition unit 105 Progress information recording processing unit 106 Control amount calculation unit 107 Progress countermeasure unit 109 Control amount output unit 113 External sensor 114 Internal sensor 115 GPS receiving unit 116 Navigation system 117 Detection Value processing unit 118 Actuator command ECU
119 progress determination information 120 software update processing unit 121 risk determination information 122 inspection equipment 123 output device 130 radio antenna 131 reception unit 201 risk evaluation determination information 202 progress information 203 risk evaluation determination information input unit 204 progress determination processing unit 205 degree of risk Diagnosis unit 206 Countermeasure processing unit 301 Software 302 Software 303 Software 304 Function suppression range

Claims (13)

An electronic control device that controls a vehicle with embedded software,
a control amount calculation unit that calculates the control amount of the vehicle;
a transition countermeasure unit that outputs a control amount that suppresses or inhibits the function of the vehicle based on the control amount calculated by the control amount calculation unit;
The transitional measures department
Determining progress information including information about the operating time of the electronic control unit;
Diagnose the severity of safety based on the result of the determination,
An electronic control unit that determines a control amount for suppressing or suppressing a function of the vehicle based on the diagnosed degree of severity. The electronic control device according to claim 1,
The electronic control device, wherein the progress countermeasure unit determines the controlled variable based on a failure rate curve. The electronic control device according to claim 2,
The electronic control device, wherein the transition countermeasure section suppresses or inhibits the function of the vehicle until the operating time of the electronic control device exceeds a first predetermined threshold value. The electronic control device according to claim 3,
The electronic control device, wherein the transition countermeasure unit suppresses and releases the suppression of the function of the vehicle after the operation time of the electronic control device exceeds the first predetermined threshold value. The electronic control device according to claim 2,
The electronic control device, wherein the transition countermeasure section suppresses or inhibits the function of the vehicle after the operating time of the electronic control device exceeds a second predetermined threshold value. The electronic control device according to claim 1,
The electronic control device, wherein the transition countermeasure unit determines a control amount for suppressing or deterring the function of the vehicle based on a support period of software installed in the electronic control device. The electronic control device according to claim 6,
A software update processing unit that updates the support deadline in accordance with the update of the software;
The electronic control device according to claim 1, wherein the transition countermeasure unit cancels the suppression and suppression of the functions of the vehicle within the latest updated support period. The electronic control device according to claim 6,
The electronic control device according to claim 1, wherein the transition countermeasure unit determines a control amount for suppressing or suppressing the function of the vehicle based on the counted number of security attacks after the support period has passed. The electronic control device according to claim 1,
An electronic control device comprising an update processing unit that updates software via wireless communication. The electronic control device according to claim 9,
The electronic control unit, wherein the update processing unit determines whether to update the software using vehicle position information. The electronic control device according to claim 10,
The electronic control unit, wherein the update processing unit acquires vehicle position information from a satellite positioning system. The electronic control device according to claim 1,
The electronic control device, wherein the transition countermeasure section suppresses or suppresses the function of the vehicle step by step or partially. A control method for an electronic control device that controls a vehicle with embedded software,
The electronic control unit includes a control amount calculation unit that calculates a control amount of the vehicle, and a transition countermeasure unit that outputs a control amount that suppresses or suppresses the function of the vehicle based on the control amount calculated by the control amount calculation unit. and
The control method is
The progress countermeasure unit determines progress information including information about the operating time of the electronic control device,
The transitional measures unit diagnoses the severity of safety based on the result of the determination,
The control method, wherein the progress countermeasure unit determines a control amount for suppressing or suppressing the function of the vehicle based on the diagnosed severity.

Images