JP2023118652A - Program management apparatus, program management method, and recording medium - Google Patents

Abstract

To ease restrictions on timing to update a program of a vehicle.SOLUTION: A program management apparatus includes: a communication unit which communicates with an external device located outside a vehicle; a control unit which executes a vehicle control program for controlling the vehicle; a program storage first region for storing a vehicle control program; a program storage second region for storing a vehicle control program; a program storage third region for storing an irrelevant program for performing a control that is irrelevant to driving the vehicle; and a program update unit configured to execute: first processing that causes at least one of the program storage first region and the program storage second region to store a vehicle control update program to be used for updating the vehicle control program, the vehicle control update program being received by the communication unit; and second processing that causes the program storage third region to store a non-control update program which is used for updating the irrelevant program, the non-control update program being received by the communication unit.SELECTED DRAWING: Figure 3

Description

The present invention relates to a program management device, program management method, and recording medium.

In recent years, with the aim of improving traffic safety and reducing CO ₂ emissions, the functions of vehicle control software have been enhanced. Techniques have been proposed for updating a program executed by an ECU (Electronic Control Unit) mounted on a vehicle. For example, in Patent Document 1, a storage unit for storing a program includes a vehicle control program storage area for storing a control program and a second program storage area for storing an update program that is an updated version of the control program. disclosed. According to this configuration, it is possible to store the update program in the storage unit even while the control program is being executed, and it is possible to reduce restrictions on the timing of updating the program.

JP 2019-144669 A

As described in Patent Document 1, a configuration in which a plurality of storage areas for storing programs is provided requires a large storage capacity compared to the size of the programs. BACKGROUND ART Advances in vehicle control technology and infotainment have increased the number and complexity of programs used in vehicles. Therefore, there is a problem that a large-capacity storage device must be installed in the vehicle in order to provide a plurality of storage areas for storing programs. Moreover, even if a large-capacity storage device is adopted, there is a possibility that the storage capacity will be insufficient when updating the program.
The present invention has been made in view of such a background, and reduces restrictions on the timing of updating programs used in vehicles by means of a technique that makes it difficult for the storage area to become extremely large or to cause a shortage of the storage area. for the purpose.

In one aspect for achieving the above object, a communication unit that communicates with an external device existing outside the vehicle, a control unit that executes a vehicle control program for controlling the vehicle, and the vehicle control program. a first program storage area for storing; a second program storage area for storing the vehicle control program; a third program storage area for storing a non-participating program for performing control not involved in driving the vehicle; and the communication a first process for storing, in at least one of the program storage first area or the program storage second area, the vehicle control update program received by the unit and used for updating the vehicle control program; a program update unit that executes a second process of storing, in the third program storage area, a non-control update program used for updating the non-participation program received by the program management apparatus.

According to the above configuration, while the vehicle control program is being updated, the vehicle control program is held in an area that is not affected by the update, so it is possible to reduce restrictions on the timing of updating the program. Since the third program storage area for storing the non-controlled update program is not duplicated, it is possible to suppress an increase in the capacity of the storage area. Therefore, it is possible to suppress an increase in the capacity of the storage area for storing the program of the vehicle, and to avoid the shortage of the storage area for storing the program.

FIG. 1 is a schematic configuration diagram of a vehicle control system. FIG. 2 is a diagram showing a schematic configuration of the program management system. FIG. 3 is a block diagram showing the main configuration of the control system. FIG. 4 is a schematic diagram showing a configuration example of a data storage unit. FIG. 5 is a sequence diagram showing operations of the program management system. FIG. 6 is a flow chart showing the operation of the control system. FIG. 7 is a flow chart showing the operation of the control system. FIG. 8 is a flow chart showing the operation of the control system. FIG. 9 is a flow chart showing the operation of the control system. FIG. 10 is a timing chart showing an example of vehicle state transition. FIG. 11 is a flow chart showing the operation of the control system in the modified example. FIG. 12 is a flow chart showing the operation of the control system in the modified example.

FIG. 1 is a diagram showing a control system 1 for a vehicle.
The control system 1 includes a central ECU 2 that performs general vehicle control and information processing. Hereinafter, the vehicle on which the control system 1 is mounted is referred to as the own vehicle. The self-vehicle is specifically a vehicle V which will be described later. The central ECU 2 is connected to communication lines including communication lines 4a, 4b, 4c. The central ECU 2 implements a function of a gateway that manages transmission and reception of communication data between these communication lines. The central ECU 2 is also connected to a TCU (Telematics Control Unit) 12, which is a wireless device conforming to the communication standards of the mobile communication system. The central ECU 2 uses the TCU 12 to perform OTA (Over The Air) management. OTA management includes control related to a process of downloading an update program for an in-vehicle device provided in the vehicle from a server outside the vehicle and a process of applying the downloaded update program to the in-vehicle device.

A first zone ECU 20a, a second zone ECU 20b, and a third zone ECU 20c are connected to the communication lines 4a, 4b, and 4c, respectively. ECUs 30a, 30b and 30c are connected to the first zone ECU 20a, and ECUs 30d, 30e and 30f are connected to the second zone ECU 20b. Further, ECUs 30g, 30h, and 30i are connected to the third zone ECU 20c.

Hereinafter, the first zone ECU 20a, the second zone ECU 20b, and the third zone ECU 20c are collectively referred to as the zone ECU 20, and the ECUs 30a, 30b, 30c, 30d, 30e, 30f, 30g, 30h, and 30i are collectively referred to as the ECU 30. shall be

The ECU 30 includes, for example, an MPU (Map Positioning Unit), an MVC-ECU (MVC; Multi View Camera), a PKS-ECU (PKS; Parking Support), and/or an ADAS-ECU (ADAS; Advanced Driver-Assistance System), and In addition, an ECU that controls the operation of various devices and sensors provided in the host vehicle may be included. Such devices and sensors include driving motors that drive the vehicle, controllers such as accelerators and brakes, VSA devices (VSA: Vehicle Stability Assist), batteries, lights such as headlamps, and door windows that drive Window motors, actuators that drive door lock mechanisms, door lock sensors, door open/close sensors, temperature sensors, exterior cameras, interior cameras, etc. may be included.

The zone ECUs 20 are connected to a plurality of ECUs 30 arranged in the same section of the body space of the host vehicle, or a plurality of ECUs 30 controlling the operations of devices and sensors arranged in the same section.

In addition to the zone ECU 20, the central ECU 2 may be connected to other control devices and devices. Such control devices and devices may include an ICB (Infotainment Control Box), a speaker, a microphone, a meter panel, a steering switch, a GNSS (Global Navigation Satellite System) sensor, a touch panel, and the like.

In this embodiment, the communication lines 4a, 4b, and 4c are configured by, for example, a CAN bus that performs communication conforming to the CAN communication standard. Hereinafter, the communication lines 4a, 4b, and 4c are collectively referred to as the communication line 4 as well. Here, the communication line 4 corresponds to the in-vehicle network in the present disclosure. Also, the zone ECU 20 connected to the communication line 4 corresponds to a plurality of electronic control units in the present disclosure.

The zone ECU 20 connected to the communication line 4 transmits data to be transmitted to the communication line 4 in one frame or as a train of multiple frames according to the CAN communication standard according to the prior art. In accordance with the CAN communication standard, each transmitted frame includes an identification code (ID), and each zone ECU 20 that receives the frame transmits the frame to itself based on the ID included in the frame. frame.

FIG. 2 is a diagram showing a schematic configuration of the program management system 100. As shown in FIG.
The program management system 100 is a system that enables updating of programs executed by various ECUs that constitute the control system 1 . A program management system 100 includes a server 110 and a vehicle diagnostic device 120 .

The server 110 is connected with the control system 1 by a communication network N. FIG.
The communication network N is, for example, a cellular communication network, a Wi-Fi (registered trademark) network, Bluetooth (registered trademark), the Internet, a WAN (Wide Area Network), a LAN (Local Area Network), a public line, a provider device, a dedicated line. , base stations, etc., and base station B is illustrated in FIG. The TCU 12 provided in the control system 1 executes cellular communication with the base station B, thereby executing data communication with an external device through the communication network N. FIG.

The control system 1 can download update data for updating programs executed by various ECUs of the control system 1 from the server 110 by communicating with the server 110 through the TCU 12 . The means by which the control system 1 downloads the update data from the server 110 to update the program corresponds to the OTA described above. The server 110 corresponds to an example of an external device of the control system 1 . The TCU 12 corresponds to an example of a communication unit.

The vehicle diagnosis device 120 is a device installed in a dealer or a maintenance shop that handles the vehicle V on which the control system 1 is mounted. The vehicle diagnostic device 120 is connected by a cable to a DLC (Data Link Connector) (not shown) of the control system 1 . The control system 1 can update a program executed by the control system 1 by communicating with the vehicle diagnosis device 120 .

Here, updating the program of the ECU refers to rewriting the program executed by the ECU into a program of a different version. Updating the program of the ECU may include rewriting, together with the program, data referenced when the ECU executes the program and/or data generated or changed by executing the program. Updating the program of the ECU may include rewriting the program executed by the ECU to the same version of the program.

FIG. 3 is a block diagram showing the main configuration of the control system 1. As shown in FIG. FIG. 3 shows a part of the configuration related to program update in the control system 1, and the control system 1 may be provided with configurations not shown in FIG.

In the control system 1, each ECU including the central ECU 2, the zone ECU 20, and the ECU 30 includes a processor and a memory. The processor is composed of, for example, a CPU (Central Processing Unit), an MCU (Micro Controller Unit), and an MPU (Micro Processor Unit). The storage unit non-volatilely stores programs executed by the processor and data processed by the processor. The storage unit is, for example, a ROM (Read Only Memory). The ECU may also include a RAM (Random Access Memory) forming a work area for temporarily storing programs and data. The ECU may be composed of an integrated circuit integrally including a processor, ROM, and RAM. Further, the ECU may have a configuration in which each of the processor, ROM, and RAM is provided as independent hardware.

The central ECU 2 includes an update control unit 201 and a data processing unit 211 as functional units related to program update. The update control unit 201 and the data processing unit 211 may be hardware provided in the central ECU 2 . Also, the update control unit 201 and the data processing unit 211 may be functional units realized by cooperation of software and hardware when the processor of the central ECU 2 executes programs.

The update control unit 201 has an update data reception unit 202 and an update data control unit 203 . Update data receiving unit 202 controls TCU 12 to receive update data for updating the program from server 110 . The update data control unit 203 uses the update data received by the update data reception unit 202 to control the process of updating the programs of various ECUs including the central ECU 2 .

Although FIG. 3 illustrates the central ECU 2, the first zone ECU 20a, the second zone ECU 20b, and the ECU 30d as targets to be controlled by the update control unit 201, this is an example. The number of ECUs to be controlled by the update control unit 201 is not limited. The update control unit 201 controls updating of programs executed by at least some of the ECUs included in the control system 1 . The update control unit 201 may control updating of programs by all or almost all ECUs included in the control system 1 .

The data processing unit 211 has an update execution unit 212 and a data storage unit 213 . The data storage unit 213 corresponds to the storage unit described above. The data storage unit 213 stores programs executed by the central ECU 2 and data related to the programs. Update execution unit 212 updates the program stored in data storage unit 213 . The update execution unit 212 corresponds to an example of a program update unit.

The first zone ECU 20a includes an update executing section 51a and a data storage section 52a. The data storage unit 52a stores programs executed by the first zone ECU 20a and data related to these programs. The update execution unit 51a updates the program stored in the data storage unit 52a.
The second zone ECU 20b includes an update executing section 51b and a data storage section 52b. The data storage unit 52b stores programs executed by the second zone ECU 20b and data related to these programs. The update execution unit 51b updates the program stored in the data storage unit 52b.

A specific example of the ECU 30d is an entry ECU. The entry ECU is connected to an LF/RF antenna (not shown) for wireless communication with the electronic key of the vehicle. An electronic key is an electronic device having a wireless communication function, and is called a smart key or FOB key. The entry ECU processes user access to the control system 1 from outside the vehicle in cooperation with other in-vehicle ECUs, and realizes so-called smart entry operation.

The ECU 30d includes an update executing section 51c and a data storage section 52c. The data storage unit 52c stores programs executed by the ECU 30d and data related to these programs. The update execution unit 51c updates the program stored in the data storage unit 52c.

Here, when the update execution units 51a, 51b, and 51c are not distinguished, they are referred to as the update execution unit 51. FIG. The update execution unit 51 may include an update execution unit provided in an ECU (not shown in FIG. 3) in addition to the update execution units 51a, 51b, and 51c. Similarly, data storage units 52a, 52b, and 52c are referred to as data storage unit 52 when they are not distinguished from each other. The data storage unit 52 may include the data storage units 52a, 52b, and 52c as well as the data storage unit 52 provided in the ECU (not shown in FIG. 3). The update execution unit 51 corresponds to an example of a program update unit.

FIG. 3 shows an ECU 30a and an ECU 30b as examples of the ECUs 30 connected to the first zone ECU 20a. In this embodiment, the ECU 30a is an ECU that controls driving of the own vehicle and can be called a driving device. In this embodiment, the ECU 30a is an ECU that receives the operation of the drive source of the host vehicle, and includes a shift device 25a and a drive source 25b. The ECU 30b can be called a steering operator. The ECU 30b includes an SSSW (Start-Stop Switch) 27a and a shift SW (SWitch) 27b. The SSSW 27a and the shift SW 27b are provided at positions where the user who drives the vehicle V can operate them.

The drive source 25b is a power source that drives the vehicle V, and is a motor, an internal combustion engine, or a combination of a motor and an internal combustion engine. The shift device 25a controls a transmission mechanism that transmits the output of the drive source 25b to the drive wheels of the vehicle V according to the operation of the shift SW 27b. If the drive source 25b is composed only of a motor, the shift device 25a may not be a device that controls the transmission mechanism. For example, the shift device 25a may be a circuit that supplies current to the drive source 25b or a circuit that controls the rotation of the drive source 25b.

FIG. 4 is a schematic diagram showing a configuration example of the data storage unit 213. As shown in FIG. The data storage unit 52 can have the same configuration as the data storage unit 213 .

The data storage unit 213 corresponds to the storage unit described above and has a nonvolatile storage area. The data storage unit 213 rewritably stores programs and data in a storage area. The data storage unit 213 is configured by, for example, a semiconductor storage device or a magnetic recording device. As a specific example, the data storage unit 213 is composed of a flash ROM or an EEPROM (Electrically Erasable Programmable ROM). In the following description, the programs and data stored in the data storage unit 213 and the data storage unit 52 are referred to as programs. That is, a program referred to in the following description includes data that is referenced, generated, or processed when the program is executed by a processor. The entirety of these programs and data can be called software. That is, the program management system 100 has a function of managing and updating the software of the control system 1 installed in the vehicle V. FIG.

The storage area of the data storage unit 213 is logically divided into a plurality of areas. Each area of the data storage unit 213 and the programs stored in the data storage unit 213 are specified by addresses of the data storage unit 213 .

The data storage unit 213 includes a boot sector 61, an A-side boot image storage area 62, a B-side boot image storage area 63, a common area 64, a spare area 65, a check area 66, a program storage first area 70, and a program A second storage area 75 is provided. The common area 64 corresponds to an example of a third program storage area.

As described above, data storage unit 52 is configured similarly to data storage unit 213 . That is, the data storage unit 52 includes a boot sector 61, an A-side boot image storage area 62, a B-side boot image storage area 63, a common area 64, a spare area 65, a check area 66, a program storage first area 70, and , a program storage second area 75 is provided. Here, as an example, the use of the data storage unit 213 by the central ECU 2 will be described. The use of the data storage unit 52a by the first zone ECU 20a, the use of the data storage unit 52b by the second zone ECU 20b, and the use of the data storage unit 52c by the ECU 30d are performed in the same manner as the use of the data storage unit 213. The same applies to the use of the data storage unit 52 by other ECUs.

The storage area of the data storage unit 213 is classified into an A side and a B side. The A-side boot image storage area 62 and the program storage first area 70 belong to the A-side. A B-side boot image storage area 63 and a second program storage area 75 belong to the B-side. The boot sector 61, common area 64, spare area 65 and check area 66 belong to neither the A side nor the B side.

The A-side storage area and the B-side storage area store programs independently of each other. The central ECU 2 can perform various operations required of the central ECU 2 using programs stored in either one of the A-side and B-side storage areas. In other words, the central ECU 2 can operate as the central ECU 2 if the program is normally stored in either the A side or the B side of the data storage unit 213 .

When updating the program stored in the data storage unit 213, the update execution unit 212 selects either the A side or the B side.
As an example, a case where the update execution unit 212 selects side A and updates the program will be described. In this example, the update execution unit 212 executes processing of writing a new program into the first program storage area 70, and then executes processing of confirming that the program has been written normally. Here, if writing of the program to the first program storage area 70 fails, the update execution unit 212 needs to update the program again. The central ECU 2 cannot control the vehicle V by executing the program written in the first program storage area 70 until the update of the program in the first program storage area 70 is normally completed. However, the central ECU 2 can control the vehicle V by executing the program stored in the second program storage area 75 . The same applies when the update execution unit 212 selects the B side. In this way, when the data storage unit 213 updates the program for either the A side or the B side, the executable program is stored in the other side. do not have a large impact. Therefore, restrictions on the timing of updating the program are eased, and it is not impossible to update the program while the vehicle V is running, for example.

Boot sector 61 stores a boot loader. A boot loader is a program that is first executed by the processor of the central ECU 2 when the central ECU 2 starts up. The processor executes the processes necessary for the basic operation of the central ECU 2 by executing the bootloader. Boot sector 61 stores active program designation data 61a. The active program designation data 61a is contained in the bootloader or stored in an area referred to by the bootloader. The active program designation data 61a is data for designating whether the program executed by the central ECU 2 following the bootloader is the A-side program or the B-side program. Specifically, the active program designation data 61 a is the address of the boot image stored in the A-side boot image storage area 62 or the address of the boot image stored in the B-side boot image storage area 63 .

A boot image is a basic control program which the processor of central ECU2 runs following a boot loader. The A-side boot image storage area 62 stores a boot image used when executing the program stored in the first program storage area 70 . The A-side boot image storage area 62 stores a start address 62a. The start address 62a is, for example, the start address of the program stored in the A-side program area 71 included in the first program storage area 70. FIG. The B-side boot image storage area 63 stores a boot image used when executing the program stored in the second program storage area 75 . The B-side boot image storage area 63 stores a start address 63a. The start address 63a is, for example, the start address of the program stored in the B-side program area 76 included in the second program storage area 75. FIG.

The program storage first area 70 includes an A-side program area 71 , a spare area 72 , an A-side user area 73 and a spare area 74 . The A-side program area 71 and the A-side user area 73 store programs.

The A-side program area 71 and the A-side user area 73 are areas for storing programs for controlling the vehicle V by the ECU. The A-side user area 73 may store a program that is executed by the ECU and is not directly related to the control of the vehicle V. FIG.

The spare area 72 is used to extend the storage capacity of the A-side program area 71 . When the update execution unit 212 stores a program in the A-side program area 71 and the storage capacity of the A-side program area 71 is insufficient, the spare area 72 becomes an extended area of the A-side program area 71 . In this case, the update executing section 212 stores the program in the A-side program area 71 and the spare area 72 . The spare area 74 is used to expand the storage capacity of the A-side user area 73 . When the update execution unit 212 stores a program in the A-side user area 73, the spare area 74 becomes an extended area of the A-side user area 73 when the storage capacity of the A-side user area 73 is insufficient. In this case, the update executing section 212 stores the program in the A-side user area 73 and the spare area 74 . Spare areas 72 and 74 correspond to an example of a program spare storage first area.

The program storage second area 75 includes a B-side program area 76 , a spare area 77 , a B-side user area 78 and a spare area 79 . Side B program area 76 and side B user area 78 store programs.

The B-side program area 76 and the B-side user area 78 are areas for storing programs for controlling the vehicle V by the ECU. The B-side user area 78 may store a program that is executed by the ECU and is not directly related to control of the vehicle V. FIG.

The spare area 77 is used to extend the storage capacity of the B-side program area 76 . When the update execution unit 212 stores a program in the B-side program area 76 and the storage capacity of the B-side program area 76 is insufficient, the spare area 77 becomes an extended area of the B-side program area 76 . In this case, the update executing section 212 stores the program in the B-side program area 76 and the spare area 77 . The spare area 79 is used to expand the storage capacity of the B-side user area 78 . When the update execution unit 212 stores a program in the B-side user area 78 and the storage capacity of the B-side user area 78 is insufficient, the spare area 79 becomes an extended area of the B-side user area 78 . In this case, the update executing section 212 stores the program in the B-side user area 78 and the spare area 79 . Spare areas 77 and 79 correspond to an example of a program spare storage first area.

Common area 64 is a storage area for storing programs that are not involved in vehicle V control. The spare area 65 is used to extend the storage capacity of the common area 64 . When the update execution unit 212 stores the program in the common area 64 and the storage capacity of the B-side user area 78 is insufficient, the spare area 65 becomes an extended area of the common area 64 . The check area 66 stores program error detection data stored in the data storage unit 213 . The spare area 65 corresponds to an example of a third program spare storage area.

The programs stored in the A-side program area 71, the A-side user area 73, the B-side program area 76, and the B-side user area 78 are programs for controlling the vehicle V. FIG. This is called a vehicle control program. The vehicle control program is involved in control related to running of the vehicle V and control essential when the vehicle V runs. The subjects that execute the vehicle control program are the central ECU 2, the first zone ECU 20a, the second zone ECU 20b, the ECU 30d, and other ECUs, which correspond to an example of the control section. For example, a program for the central ECU 2 to execute the operations described with reference to FIGS. 5 to 9 is included in the vehicle control program. Therefore, the data storage unit 213 corresponds to an example of the recording medium of the present invention. Of the programs that the control system 1 downloads from the server 110, the program and data for updating the vehicle control program are called a vehicle control update program. A control system 1 configured to store these programs corresponds to an example of a program management device.

Programs stored in common area 64 are referred to as non-participating programs. Of the processes executed by the control system 1, the non-participating program does not participate in the control related to the travel of the vehicle V and the control essential for the travel of the vehicle V. FIG.
Of the programs that the control system 1 downloads from the server 110, the programs and data for updating the non-participation programs are called non-control update programs.

Here, the control related to running of the vehicle V includes control related to acceleration, deceleration, stopping, and steering of the vehicle V. FIG. For example, the control related to traveling of the vehicle V includes controlling the vehicle V based on the user's operation to steer or drive the vehicle. Further, the control related to running of the vehicle V includes control executed by the ADAS function and the PKS function without being based on the user's operation. Further, the control that is essential when the vehicle V runs includes control for operating auxiliary machines necessary for the vehicle V to run. The auxiliaries are, for example, a meter panel, a lamp body of the vehicle V, a wiper, a window washer, an air conditioner, and the like. Controls essential for running the vehicle V include controlling cameras and radar devices to perform ADAS and PKS functions.

Non-participating programs stored in common area 64 include, for example, programs related to infotainment functions provided by control system 1 . A program related to the infotainment function is, for example, an application program related to entertainment. Specifically, as infotainment functions, music playback, reception and listening to radio broadcasts, sending and receiving e-mails, reception and viewing of television broadcasts, information retrieval using networks such as the Internet, execution of video games, and others functions related to the entertainment of Also, for example, the non-participating program includes a program related to the function of placing an order or making a reservation with an external service provider by communicating with a server outside the vehicle V based on the operation of the touch panel mounted on the vehicle V. . An external service provider is, for example, a provider of sales of goods including food and drink, delivery of goods including food and drink, car wash service, cleaning service, ticket sales or ticket reservation service, and other services.

The programs stored in the A-side user area 73 and the B-side user area 78 are programs installed according to the instructions of the user who gets into the vehicle V. FIG. For example, when the user designates a desired program to be installed by operating the touch panel and instructs installation of the designated program, the update data receiving unit 202 downloads the designated program from the server 110 . Update data control unit 203 stores the program downloaded by update data receiving unit 202 in data A-side user area 73 or B-side user area 78 provided in the ECU executing this program.

The programs stored in the A-side user area 73 and the B-side user area 78 are programs specified by the manufacturer of the vehicle V or the dealer of the vehicle V in particular. A program of this kind is, for example, a program that has been officially certified or reviewed for installation in the vehicle V by the manufacturer of the vehicle V or the dealer of the vehicle V. FIG.

The programs stored by A-side user area 73 and B-side user area 78 may include non-participating programs. In other words, the A-side user area 73 and the B-side user area 78 store programs specified by the vehicle V manufacturer or the vehicle V dealer among the vehicle control programs and non-participating programs. On the other hand, programs not specified by the manufacturer of the vehicle V or the dealer of the vehicle V are not stored in the A-side user area 73 and the B-side user area 78 . Such programs are called third party programs. Third party programs are stored in common area 64 . The common area 64 can be said to be an area for storing third party non-participating programs.

FIG. 5 is a sequence diagram showing operations of the program management system 100. As shown in FIG.
Steps SA11-SA20 show the operation of the control system 1, and steps SB11-SB14 show the operation of the server 110. FIG. 6, 7, 8 and 9 are flow charts showing in detail the operation of the control system 1 in step SA20 of FIG.
5 to 9 show processing related to the operation of the control system 1 updating the program.

In FIG. 5, steps SA11 to SA19 are executed by update data receiving section 202. FIG. The control system 1 acquires vehicle information of the vehicle V (step SA11). The vehicle information is information for the server 110 to identify the type of program and version of the program compatible with the control system 1 . The vehicle information includes, for example, the vehicle identification number of the vehicle V, the type of ECU that the control system 1 has, and the version of the program installed in the ECU. The control system 1 acquires information possessed by the control system 1 and information possessed by the ECUs connected to the control system 1, and organizes them into one unit of vehicle information.

The control system 1 requests program update information from the server 110 (step SA12). The program update information is information about programs already stored in the control system 1 . Specifically, the program update information includes the names and versions of updatable programs among programs already stored in the control system 1 . Also. The program update information is a program that can be used by the control system 1 and may include information on a program that is not stored in the control system 1 . In this case, the program update information includes the name of the program that can be used in the control system 1 and information indicating the outline of the program. At step SA12, the control system 1 transmits the vehicle information acquired at step SA11 to the server 110 when requesting the program update information. Requests for program update information and vehicle information for vehicle V are received by server 110 .

The server 110 searches a database (not shown) for a program corresponding to the vehicle V based on the request sent by the control system 1 and the vehicle information of the vehicle V (step SB11). In this database, server 110 stores programs corresponding to a plurality of vehicles, including vehicle V. FIG. The database may be provided by the server 110 or may be a database server connected to the server 110 via the communication network N. FIG.

Server 110 generates program update information based on the results of searching the database (step SB11), and transmits the program update information to control system 1 (step SB12). This program update information is received by the control system 1 .

Control system 1 updates the receivable list based on the program update information received from server 110 (step SA13). The receivable list is a list of programs that control system 1 can download from server 110 . The receivable list is a list including programs that can be updated among the programs already stored in the control system 1 and programs that are usable by the control system 1 and are not stored in the control system 1. . The receivable list includes program names and program types or outlines.

The control system 1 and the server 110 repeatedly execute the operations of steps SA11 to SA13 and steps SB11 to SB13 at preset intervals. Thereby, the control system 1 can maintain a state of holding the latest receivable list regarding the program corresponding to the vehicle V. FIG.

The update of the program in the control system 1 is started by the user operating the touch panel or the like. When the user performs an operation related to updating the program, the control system 1 accepts the user's operation (step SA14). The control system 1 displays the receivable list, for example, on a display mounted on the vehicle V in response to the user's operation (step SA15). Here, the control system 1 determines whether or not the user instructs to download the program (step SA16). The user selects a program to be downloaded by operating the touch panel, for example, and instructs download of the selected program. The control system 1 waits in step SA16 while no instruction to download the program is given (step SA16; NO).

If the download of the program is instructed (step SA16; YES), the control system 1 identifies the program to be downloaded based on the user's instruction (step SA17). Control system 1 requests server 110 to download the specified program (step SA18). A request for download by the control system 1 is received by the server 110 .

Server 110 transmits the program requested by control system 1 to control system 1 (step SB14). The program transmitted by the server 110 includes at least one of a vehicle control update program for updating or newly installing a vehicle control program and a non-controlling update program for updating or newly installing a non-participating program. include. The control system 1 downloads the program transmitted by the server 110 (step SA19). Subsequently, the control system 1 executes installation processing (step SA20). The installation process includes storing the program downloaded in step SA19 in data storage unit 52 or data storage unit 213. FIG. The installation process also includes executing the vehicle control update program and/or the non-control update program to render the vehicle control program and/or non-participation program executable by the ECU. After installation, the program is stored in the data storage unit 52 or the data storage unit 213 in a state executable by the ECU.

6 and 7 show details of the installation process. 6 and 7, first processing and second processing to be described later are executed by the update execution unit 212 or the update execution unit 51, and the other operations are executed by the update data control unit 203. FIG. In the following description, a case where the update execution unit 212 executes the first process and the second process will be described as an example, but the update execution unit 51 can also execute similar operations.

The update data control unit 203 determines whether or not there are a plurality of programs to be installed in the control system 1 (step SA31). For example, when there are multiple programs downloaded in step SA19, the update data control unit 203 determines that there are multiple programs to be installed (step SA31; YES). In this case, the update data control unit 203 proceeds to step SA51, which will be described later.

When it is determined that there is one program to be installed (step SA31; NO), the update data control unit 203 determines whether or not the program to be installed is an uncontrolled update program (step SA32). If the program to be installed is not the non-controlled update program (step SA32; NO), update data control unit 203 identifies the target ECU for program installation (step SA33). At step SA33, the update data control unit 203 selects an ECU to be installed from among the central ECU 2, the first zone ECU 20a, the second zone ECU 20b, the ECU 30d, and other ECUs. Subsequently, the ECU identified by update data control unit 203 executes a first process (step SA34) of installing the vehicle control update program. Details of the first process will be described later with reference to FIG. After executing the first process, the control system 1 ends this process.

On the other hand, if the program to be installed is a non-controlled update program (step SA32; YES), update data control unit 203 identifies the target ECU for program installation (step SA35). The operation of step SA35 is similar to that of step SA33.
The update data control unit 203 shifts to a standby state to wait for the second process in order to cause the ECU identified in step SA35 to execute the second process (step SA36). The second process is a process in which the update execution unit 212 or the update execution unit 51 installs the uncontrolled update program. The update data control unit 203 determines whether or not an operation has been performed to turn the ignition off (IG_OFF) of the vehicle V in the standby state (step SA37).

The ignition off of the vehicle V refers to a state in which the drive source 25b of the vehicle V is stopped. For example, when the drive source 25b includes an internal combustion engine, the ignition-off state is a state in which the internal combustion engine stops operating. Further, for example, when the drive source 25b includes a motor, the ignition-off state is a state in which the power supply to the motor is stopped and the control of the driving state of the motor is stopped. The ignition off state can be rephrased as a power off state.

On the other hand, the ignition ON state is a state in which the ignition is not OFF, and refers to a state in which the drive source 25b of the vehicle V is in operation or operable. For example, when the drive source 25b includes an internal combustion engine, the ignition-on state means that the internal combustion engine is in operation. Further, for example, when the drive source 25b includes a motor, the ignition-on state is a state in which power is being supplied to the motor, or the driving state of the motor is being controlled. The operations of FIGS. 5, 6 and 7 are started when the vehicle V is in the ignition ON state.
The operation of turning the vehicle V into the ignition-off state when the ignition is on and the operation of turning the vehicle V into the ignition-on state when the ignition is off are, for example, operations of the SSSW 27a by the user. The ignition-on state can be rephrased as a power-on state.

If the operation to turn off the ignition of the vehicle V is not performed (step SA37; NO), the update data control unit 203 waits. If the vehicle V is operated to turn off the ignition (step SA37; YES), the update data control unit 203 notifies the user (step SA38). The notification of step SA38 informs the user that the ignition of the vehicle V will not be turned on until the installation of the program is completed. In step SA38, the update data control unit 203 makes a notification by displaying characters or images on a display mounted on the vehicle V, for example. Further, the update data control unit 203 may notify by outputting a sound from a speaker mounted on the vehicle V in step SA38.

After making the notification, the update data control unit 203 determines whether or not an operation has been performed to turn the ignition off of the vehicle V (step SA39). If the operation to turn off the ignition of the vehicle V is not performed (step SA39; NO), the update data control unit 203 waits. If the vehicle V is operated to turn off the ignition (step SA39; YES), the update data control unit 203 sets the ignition on (IG_ON) limit (step SA40). The ignition-on restriction is a restriction that prevents the vehicle V from entering the ignition-on state until the second process is completed. When the central ECU 2 sets the ignition ON limit, the control system 1 maintains the ignition OFF state even when the SSSW 27a is operated. When the ignition ON limit is not set, the control system 1 shifts to the ignition ON state when the SSSW 27a is operated in the ignition OFF state.

Subsequently, the second process (step SA41) of installing the non-controlled update program is executed by the ECU identified by the update data control unit 203 in step SA35. Details of the second process will be described later with reference to FIG. After completing the second process, update data control unit 203 cancels the ignition-on restriction (step SA42). Based on the operation of the SSSW 27a, the update data control unit 203 determines whether or not the vehicle V has shifted to the ignition ON state under the control of the first zone ECU 20a (step SA43). If the vehicle V has not transitioned to the ignition-on state (step SA43; NO), the update data control unit 203 waits. If the vehicle V has switched to the ignition ON state (step SA43; YES), the update data control unit 203 terminates this process.

If it is determined that there are a plurality of programs to be installed (step SA31; YES), the update data control unit 203 determines whether or not the programs to be installed include an uncontrolled update program (step SA51). If the program to be installed does not include a non-control update program (step SA51; NO), the update data control unit 203 selects one vehicle control program to be processed from among the one or more vehicle control update programs to be installed. Select an update program (step SA52). Update data control unit 203 identifies the target ECU for installing the program selected in step SA52 (step SA54). The processing of step SA54 is similar to that of step SA33. Subsequently, the ECU identified by update data control unit 203 executes a first process (step SA54) of installing the vehicle control update program. The first process is the same process as step SA34, and details thereof will be described later with reference to FIG. After executing the first process, the update data control unit 203 determines whether installation of all downloaded programs has been completed (step SA55). If it is determined that the installation of all programs has been completed (step SA55; YES), the control system 1 terminates this process. If it is determined that there is a program that has not been installed yet (step SA55; NO), the update data control unit 203 returns to step SA52.

If the program to be installed includes an uncontrolled update program (step SA51; YES), the update data control unit 203 shifts to a standby state for waiting for the second process (step SA56). The second process is a process in which the update execution unit 212 or the update execution unit 51 installs the uncontrolled update program. The update data control unit 203 determines whether or not an operation has been performed to turn off the ignition of the vehicle V in the standby state (step SA57).

If the operation to turn off the ignition of the vehicle V is not performed (step SA57; NO), the update data control unit 203 waits. If the vehicle V is operated to turn off the ignition (step SA57; YES), the update data control unit 203 notifies the user (step SA58). The notification of step SA58 is the same as that of step SA38.

After making the notification, the update data control unit 203 determines whether or not an operation has been performed to turn the ignition off of the vehicle V (step SA59). If the operation to turn off the ignition of the vehicle V is not performed (step SA59; NO), the update data control unit 203 waits. If the vehicle V is operated to turn off the ignition (step SA59; YES), the update data control unit 203 sets an ignition-on limit (step SA60).

The update data control unit 203 selects one program to be processed from one or more uncontrolled update programs to be installed (step SA61). Update data control unit 203 identifies the target ECU for installation of the selected uncontrolled update program (step SA62). The processing of step SA62 is similar to that of step SA35. Subsequently, the ECU identified by update data control unit 203 executes a second process (step SA63) of installing the non-controlled update program. The second process is the same process as step SA41, and the details thereof will be described later with reference to FIG.

After the second process, the update data control unit 203 determines whether installation of all downloaded uncontrolled update programs is completed (step SA64). If there is an uncontrolled update program that has not yet been installed, the update data control unit 203 determines that installation of all uncontrolled update programs has not been completed (step SA64; NO). In this case, the update data control unit 203 returns to step SA61.

If it is determined that installation of all non-controlled update programs has been completed (step SA64; YES), update data control unit 203 cancels the ignition-on restriction (step SA65). Based on the operation of the SSSW 27a, the update data control unit 203 determines whether or not the vehicle V has shifted to the ignition ON state under the control of the first zone ECU 20a (step SA66). If the vehicle V has not transitioned to the ignition ON state (step SA66; NO), the update data control unit 203 waits. When the vehicle V has switched to the ignition ON state (step SA66; YES), the update data control unit 203 starts installing the vehicle control update program.

The update data control unit 203 selects one vehicle control update program to be processed from one or more vehicle control update programs to be installed (step SA67). Update data control unit 203 identifies the target ECU for installation of the program selected in step SA67 (step SA68). The processing of step SA68 is similar to that of step SA33. Subsequently, the ECU identified by update data control unit 203 executes a first process (step SA69) of installing the vehicle control update program. The first process is the same process as step SA34. After executing the first process, update data control unit 203 determines whether installation of all the downloaded vehicle control update programs has been completed (step SA70). If it is determined that installation of all vehicle control update programs has been completed (step SA70; YES), the control system 1 terminates this process. If it is determined that there is a vehicle control update program that has not yet been installed (step SA70; NO), update data control section 203 returns to step SA67.

In the processing of FIGS. 6 and 7, if there are a plurality of programs to be installed and the vehicle control update program is not included among them, the update execution unit 212 executes step SA66 and then steps SA67 to SA70. to skip.

FIG. 8 is a flowchart showing details of the first process. The first process is a process executed by the update execution unit 212 and the update execution unit 51, and an example executed by the update execution unit 212 will be described here.

The update executing unit 212 selects an area for installing the vehicle control update program from the program storage first area 70 and the program storage second area 75 (step SA101). At step SA101, the update executing unit 212 selects either the A side or the B side of the data storage unit 213. FIG. Furthermore, the update executing unit 212 selects either the program area or the user area. In other words, in step SA101, the update executing section 212 selects any one of the A-side program area 71, the A-side user area 73, the B-side program area 76, and the B-side user area 78. FIG.

In step SA101, update executing unit 212 first selects either program storage first area 70 or program storage second area 75. FIG. When the program storage first area 70 is selected, the update executing section 212 further selects either the A-side program area 71 or the A-side user area 73 based on the type of program to be installed. When the B-side program area 76 is selected, the update execution unit 212 further selects either the B-side program area 76 or the B-side user area 78 based on the type of program to be installed.

In step SA101, if the program stored in the first program storage area 70 and the program stored in the second program storage area 75 are the same, the update execution unit 212 updates either side A or side B. according to the preset settings. This operation is performed when the first program storage area 70 and the second program storage area 75 store the same version of the same program and both programs are normal. If there is a problem with the program stored in either the first program storage area 70 or the second program storage area 75, the update executing section 212 selects the area storing the program with the problem in step SA101. do. If the program stored in the first program storage area 70 and the program stored in the second program storage area 75 have different versions, the update executing unit 212 replaces the area storing the old version of the program with , is selected in step SA101.

Update executing unit 212 compares the storage capacity of the area selected in step SA101 with the size of the vehicle control update program to be installed (step SA102). The storage capacity of the area selected in step SA101 is, for example, the total storage capacity of the overwritable area in the selected area and the free space in the selected area. The size of a program is, for example, the data amount of the program or the storage capacity occupied by the program when stored in the data storage unit 213 .

The update executing unit 212 determines whether or not the storage capacity is insufficient based on the result of the comparison in step SA102 (step SA103). If the storage capacity of the area selected in step SA101 is not insufficient (step SA103; NO), the update executing unit 212 proceeds to step SA107, which will be described later.

If it is determined that the storage capacity of the area selected in step SA101 is insufficient (step SA103; YES), the update executing unit 212 uses the spare area corresponding to the selected area to increase the storage capacity of the area selected in step SA101. is extended (step SA104). For example, when the A-side program area 71 is selected in step SA101, the update execution unit 212 determines to use the spare area 72 for installing the vehicle control update program, thereby expanding the storage capacity of the A-side program area 71. do.

The update executing unit 212 compares the area after the storage capacity is expanded in step SA104 with the size of the program, and determines whether or not the storage capacity is insufficient (step SA105). If the storage capacity is sufficient (step SA105; NO), the update execution unit 212 proceeds to step SA107, which will be described later.

If it is determined that the storage capacity is insufficient (step SA105; YES), the update executing unit 212 divides the common area 64 and uses the divided areas to restore the first program storage area 70 and the second program storage area 75. Expand (step SA106). At step SA106, the update executing unit 212 divides the common area 64 into two divided areas. The update executing unit 212 sets one of the two divided areas as an extension area for extending the A-side program area 71 or the A-side user area 73 of the first program storage area 70 . Also, the update execution unit 212 sets one of the two divided areas as an extension area for extending the B-side program area 76 or the B-side user area 78 of the second program storage area 75 . Furthermore, the update executing unit 212 expands the area selected in step SA101 using one of the divided areas obtained in step SA106. As a result, the storage capacity of the program installation area is expanded using the spare area and the extension area. After that, the update executing unit 212 proceeds to step SA107.

At step SA107, the update execution unit 212 installs the program (step SA107). Specifically, update execution unit 212 stores the program in the area selected in step SA101 or the entire area obtained by extending the selected area.

Subsequently, the update executing unit 212 performs processing to confirm that the installation has been completed normally (step SA108). At step SA108, the update executing unit 212 confirms that the installed program is in a state in which it can be normally executed by the central ECU 2. For example, the update execution unit 212 confirms the identity of the program and data written in the data storage unit 213 by calculating and comparing hash values. The update executing unit 212 may update the error detection data stored in the check area 66 in step SA108.

The update execution unit 212 activates the installed program (step SA109). Activation is a process of setting the program installed by the control system 1 to run. For example, the update executing unit 212 rewrites the active program designation data 61a in step SA109. The update executing unit 212 rewrites the active program designation data 61a so that the central ECU 2 executes the latest vehicle control program written in the data storage unit 213 by the processing of steps SA101-SA107. Specifically, the active program designation data 61a is rewritten to designate the side selected in step SA101 between the A side and the B side of the data storage unit 213. FIG.

FIG. 9 is a flowchart showing details of the second process. The second process is a process executed by the update execution unit 212 and the update execution unit 51, and an example executed by the update execution unit 212 will be described here.

The area in which the update execution unit 212 installs the uncontrolled update program is the common area 64 . The update executing unit 212 compares the storage capacity of the common area 64 with the size of the uncontrolled update program to be installed (step SA111). The storage capacity of the common area 64 is, for example, the sum of the overwritable area in the common area 64 and the free space in the common area 64 . The size of the uncontrolled update program is, for example, the amount of data of the uncontrolled update program or the storage capacity occupied by the uncontrolled update program when stored in the data storage unit 213 .

The update executing unit 212 determines whether or not the storage capacity is insufficient based on the result of the comparison in step SA111 (step SA112). If the storage capacity does not run short (step SA112; NO), the update executing unit 212 proceeds to step SA114, which will be described later.

If it is determined that the storage capacity of the common area 64 is insufficient (step SA112; YES), the update executing unit 212 expands the storage capacity of the common area 64 using the spare area 65 (step SA113).

At step SA114, the update execution unit 212 installs the uncontrolled update program (step SA114). Specifically, the update executing unit 212 stores the uncontrolled update program in the common area 64 .

Subsequently, the update executing unit 212 performs processing to confirm that the installation has been completed normally (step SA115). At step SA115, the update executing unit 212 confirms that the installed non-controlled update program is in a state in which the central ECU 2 can normally execute it. For example, the update execution unit 212 confirms the identity of the uncontrolled update program and the data written in the data storage unit 213 by calculating and comparing hash values. The update execution unit 212 may update the error detection data stored in the check area 66 in step SA115.

The update execution unit 212 activates the installed program (step SA116). Activation is a process of setting the control system 1 to execute an installed uncontrolled update program.

FIG. 10 is a timing chart showing an example of state transition of the vehicle V when the operations shown in FIGS. 5 to 9 are executed. In the timing chart of FIG. 10, symbol (a) indicates the operating state of the SSSW 27a. Symbol (b) indicates the OTA execution state. OTA refers to the actions of the control system 1 downloading and installing uncontrolled updates. Symbol (c) indicates the power supply state of vehicle V. FIG. Symbol (d) indicates the control state of vehicle V. FIG. In the figure, the symbol T indicates time, and the horizontal axis corresponds to the passage of time.

Time T0 is the point in time when the control system 1 starts downloading the uncontrolled update program. The vehicle V has the ignition on while the control system 1 downloads the non-control update program. Further, the vehicle V may be running or may be stopped.

When the download ends at time T1, the control system 1 waits for the ignition off operation. Here, when the user operates the SSSW 27a at time T2-T3, the control system 1 executes notification in response to this operation. The operation of the SSSW 27a includes the user pressing the SSSW 27a and the user stopping pressing the SSSW 27a. Therefore, the control system 1 detects completion of the operation of the SSSW 27a when the user stops pressing the SSSW 27a at time T3. Since the SSSW 27a is an operation to stop the function of the vehicle V, the vehicle V is stopped at the time T2.

Notification by the control system 1 corresponds to the processing of steps SA38 and SA58. After making the notification, the control system 1 waits for further operation of the SSSW 27a.

When the user operates the SSSW 27a at time T4-T5, the vehicle V shifts to the ignition off state upon completion of the operation of the SSSW 27a. After shifting to the ignition off state at time T5, the control system 1 activates the ECU in the ignition off state. The time T6 at which the ECU is activated may be slightly later than the time T5. At time T5, the control system 1 may shift the vehicle V to the ignition off state while maintaining the state where the ECU is activated.

After the ECU is activated at time T6, the control system 1 sets the ignition ON limit. Therefore, after time T6, the vehicle V is in a state in which it cannot run. This state is shown in FIG. 10 as a vehicle load state.

From time T6, the control system 1 performs installation of uncontrolled updates. After installing the uncontrolled update program, the control system 1 executes activation from time T7. After completing the activation, the control system 1 waits for the operation of the SSSW 27a. When the SSSW 27a is operated at time T8-T9, the control system 1 shifts to the ignition ON state. When the ignition is turned on, the vehicle V can run. The vehicle V may travel or continue to stop.

There is no limit to the length of time T6-T8. For example, the user may get off the vehicle V after operating the SSSW 27a at time T5. In this case, the user may operate the SSSW 27a after a long time has passed since time T5.

In FIGS. 6, 7, and 10, examples have been described in which the operation of the SSSW 27a triggers the notification by the control system 1. FIG. Specifically, in steps SA37 and SA57, the control system 1 determines whether or not the SSSW 27a is operated, and when the SSSW 27a is operated, an example is described in which notification is given in steps SA38 and SA58. This is just an example, and the trigger for notification is not limited to the operation of the SSSW 27a. For example, the trigger for the notification by the control system 1 may be an operation for preparing to get off the vehicle. The getting-off preparation operation is an operation for estimating that the user will get off the vehicle V. FIG. For example, the operation for getting off the vehicle is to enter the P position by operating the shift SW 27b, operate the parking brake, and open and close the door. In this case, in steps SA37 and SA57, the control system 1 determines whether or not there is an operation to prepare for getting off the vehicle, and if the operation to prepare for getting off has been performed, the notification of steps SA38 and SA58 is executed. In this case, the operations at times T2 to T3 in FIG. 10 are omitted.

The above embodiment shows a specific example to which the present invention is applied, and does not limit the form to which the invention is applied.

In the above-described embodiment, an example in which the control system 1 installs the non-control update program in the common area 64 among the programs downloaded from the server 110 was shown. This is just an example. For example, the control system 1 can download a program based on the operation of the user who is the owner or user of the vehicle V, and based on the operation of the borrowed user who is either the owner or the user of the vehicle V It may be configured to distinguish between the downloaded program and the downloaded program. Control system 1 stores the vehicle control update program downloaded based on the operation of the user who is the owner or user of vehicle V in first program storage area 70 or second program storage area 75 . The control system 1 installs the downloaded program in the common area 64 based on the borrowing user's operation, regardless of whether it is a vehicle control update program or a non-control update program. An owner or user corresponds to an example of a first user. A borrowing user corresponds to an example of a second user.

In addition, the control system 1 installs the non-control update program downloaded based on the operation of the user who is the owner or user of the vehicle V in the common area 64 . The control system 1 installs the uncontrolled update program downloaded based on the borrowing user's operation in the visitor common area provided in the common area 64 . In other words, a part of the common area 64 is used to form the visitor common area. An uncontrolled update program downloaded based on the operation of the user who is the owner or user of the vehicle V is installed in an area other than the visitor common area in the common area 64 .

In this case, the control system 1 is configured to be able to determine whether or not the user operating the vehicle V is the owner or user of the vehicle V. FIG. For example, the control system 1 can preliminarily register the owner or user of the vehicle V, and can execute processing for determining whether or not the user who operates the vehicle V is the registered owner or user. is. A borrowing user refers to a user who is neither the registered owner of the vehicle V nor the user. For example, a borrowing user is a user who borrows a vehicle V from the owner or user of the vehicle V. When the vehicle V is used for car sharing between individuals, the car sharing user corresponds to the borrowing user.

The operation of the control system 1 in this case will be described as a modified example.
11 and 12 are flow charts showing the operation of the control system 1 in the modified example. FIG. 11 shows the first process, and FIG. 12 shows the second process. In FIG. 11, the same step numbers as in FIG. 8 are assigned to the same processes as in FIG. 8, and description thereof is omitted. In addition, in FIG. 12, the same step numbers as in FIG. 9 are attached to the same processing as in FIG. 9, and description thereof is omitted.

In the first process shown in FIG. 11, the update execution unit 212 determines whether the vehicle control update program to be installed is a program downloaded according to the operation of the user who is the owner or user of the vehicle V. is determined (step SA131). Here, the operation is an operation on a touch panel mounted on the vehicle V, for example. If the program is a vehicle control update program downloaded according to the operation of the user who is the owner or user of vehicle V (step SA131; YES), update execution unit 212 proceeds to step SA101. On the other hand, if it is a vehicle control update program downloaded according to the borrowing user's operation (step SA131; NO), the update executing unit 212 sets the installation area to the common area 64, and proceeds to step SA107.

In the second process shown in FIG. 12, the update executing unit 212 determines whether the uncontrolled update program to be downloaded is a program downloaded according to the operation of the user who is the owner or user of the vehicle V. is determined (step SA141). If it is an uncontrolled update program downloaded according to the operation of the user who is the owner or user of the vehicle V (step SA141; YES), the update executing unit 212 proceeds to step SA142. In step SA142, the update execution unit 212 selects an area other than the visitor common area in the common area 64, that is, the owner storage area, as an area to be installed. After that, the update executing unit 212 proceeds to step SA111.

On the other hand, if it is an uncontrolled update program downloaded according to the borrowing user's operation (step SA141; NO), the update executing unit 212 sets the installation area to the visitor common area provided in the common area 64. (step SA143). After that, the update executing unit 212 proceeds to step SA114.

In this modification, a program installed intentionally by the owner or user of vehicle V and a program intentionally installed by the borrowing user are installed in different storage areas in data storage unit 213 . Therefore, the programs can be distinguished depending on whether the user instructing the installation is the owner or the user. For example, it is possible to delete the program or restrict the execution of the program only for the program installed intentionally by the borrowing user. Further, for example, it is possible to allocate a spare area to a storage area for storing programs installed intentionally by the owner or user of the vehicle V. FIG. Therefore, the program installed by the borrowing user in the vehicle V rented by car sharing between individuals can be managed according to the intention of the owner or user of the vehicle V. FIG.

Further, in the above-described embodiment and modification, a configuration has been described in which the vehicle control update program or the non-control update program is downloaded from the server 110 to the control system 1 by the user operating the touch panel or the like. This is an example, and for example, the control system 1 may download the vehicle control update program from the server 110 without requiring user's operation. Alternatively, the configuration may be such that the control system 1 downloads the non-control update program from the server 110 without requiring user's operation. In these cases, the control system 1 may be configured to install the downloaded vehicle control update program and/or the non-control update program based on the user's operation. Further, the control system 1 may install the vehicle control update program without user's operation.

In the above embodiments and modifications, an example in which the control system 1 operates as a program management device has been described. Specifically, the control system 1 includes data storage units 52 and 213 that store vehicle control programs and non-participation programs, and manages updates of the vehicle control programs and non-participation programs. This is an example, for example, the program management device may be configured as a part of the control system 1, or an external device connected to the control system 1 may function as the program management device. good too.

Also, the configuration of the control system 1 shown in the above embodiment is an example, and the types of ECUs included in the control system 1, the number of ECUs, and the configuration of devices controlled by the ECUs can be changed in various ways.

1 and 3 are diagrams showing schematic configurations in which the functional configuration of each device of the program management system 100 is classified according to the main processing content for easy understanding of the present invention. It does not limit the configuration. Each process shown in FIGS. 5 to 9 and FIGS. 11 to 12 may be executed by one program or may be executed by a plurality of programs.

The above embodiment supports the following configurations.

(Configuration 1) A communication unit that communicates with an external device existing outside the vehicle, a control unit that executes a vehicle control program for controlling the vehicle, and a first program storage area that stores the vehicle control program. a program storage second area for storing the vehicle control program; a program storage third area for storing a non-participating program for performing control not involved in driving the vehicle; a first process of storing a vehicle control update program used for updating the vehicle control program in at least one of the program storage first area and the program storage second area; A program management apparatus comprising: a program update unit that executes a second process of storing a non-control update program used for updating a participating program in the third program storage area.
According to the program management device of configuration 1, by duplicating the area for storing the vehicle control program for controlling the vehicle, the vehicle control program can be held in an area that is not affected by the update while the vehicle control program is being updated. . Therefore, there is no need to limit the timing of updating the program in case there is a problem with updating the program. Therefore, restrictions on the timing of updating the program can be reduced. Further, by not duplicating the third program storage area for storing the non-controlled update program, it is possible to suppress the increase in capacity of the storage area. Further, by making the third program storage area different from the first program storage area and the second program storage area, the storage of the non-control update program reduces the time required for storing the vehicle control program. The area will not run out of capacity. Therefore, it is possible to suppress an increase in the capacity of the storage area for storing the program of the vehicle, and to avoid the shortage of the storage area for storing the program.

(Arrangement 2) The program management device according to Arrangement 1, wherein the program storage first area comprises a program spare storage first area, and the program storage second area comprises a program spare storage second area.
According to the program management device of configuration 2, it is possible to cope with the lack of storage capacity of the storage area for storing the vehicle control update program.

(Arrangement 3) The program update unit updates at least a part of the vehicle control update program to the program backup when the storage capacity of the first program storage area or the second program storage area is insufficient in the first process. The program management device according to configuration 2, wherein the program is stored in the first storage area or the second program spare storage area.
According to the program management device of configuration 3, when the storage capacity of the storage area for storing the vehicle control update program is insufficient, the vehicle control update can be performed by using the first program spare storage area or the second program spare storage area. Programs can be memorized. This avoids a situation where the vehicle control program cannot be updated due to insufficient storage capacity.

(Configuration 4) The program management device according to any one of Configurations 1 to 3, wherein the third program storage area includes a third program spare storage area.
According to the program management device of configuration 4, it is possible to cope with the lack of storage capacity of the storage area for storing the uncontrolled update program.

(Configuration 5) The program update unit stores at least part of the non-controlled update program in the third program spare storage area when the storage capacity of the third program storage area is insufficient in the second process. , the program management device according to the configuration 4.
According to the program management device of configuration 5, when the storage capacity of the storage area for storing the non-controlled update program is insufficient, the non-controlled update program can be stored by using the third program spare storage area. As a result, it is possible to avoid a situation in which the non-participating program cannot be updated due to lack of storage capacity.

(Configuration 6) Any one of configuration 1 to configuration 5, wherein when the first process and the second process are executable, the program update unit executes the first process after the second process is completed. 2. The program management device according to item 1.
According to the program management device of configuration 6, by processing the non-control update program before the vehicle control update program, if a problem occurs in the update of the program using the non-control update program, the control of the vehicle can be performed. It is possible to prevent related vehicle control programs from being affected.

(Arrangement 7) The control unit can set a power-on state in which a drive source of the vehicle can be controlled and a power-off state in which the drive source is not controlled as the power state of the vehicle, and the program update unit 7. The program management apparatus according to any one of configurations 1 to 6, wherein when the device executes the second processing, the switching to the power-on state is set not to occur until the second processing is completed.
According to the program management device of configuration 7, the vehicle is kept in the power-off state until the second process is completed. As a result, the vehicle does not execute the second program while the non-participating program is being updated by the non-controlling update program, and the non-participating program can be updated more reliably.

(Arrangement 8) When the control unit switches from the power-on state to the power-off state in a state in which the program update unit can start the second process, there is a period during which the control unit cannot switch to the power-on state. 8. The program management device according to configuration 7, notifying that.
According to the program management device of the configuration 8, by notifying the user that there is a period during which the vehicle cannot be used before the period occurs, the influence on the convenience of the user due to the update of the program is minimized. can be done.

(Arrangement 9) When the storage capacity of the first program storage area or the second program storage area is insufficient in the first process, the program update unit uses the third program storage area to create an expansion area. 9. The program management device according to any one of configurations 1 to 8, wherein at least part of the vehicle control update program is stored in the extension area.
According to the program management device of configuration 9, it is possible to avoid a situation in which the vehicle control program cannot be updated due to insufficient storage capacity.

(Arrangement 10) The program update unit divides the third program storage area into two divided areas, one of the divided areas being the extended area corresponding to the first program storage area, and the other divided area. The program management device according to configuration 9, wherein the area is the extension area corresponding to the second program storage area.
According to the program management device of configuration 10, the storage area can be expanded so that the difference in storage capacity between the first program storage area and the second program storage area does not increase. Therefore, it is possible to maintain a state in which the storage areas for storing the vehicle control programs are appropriately duplicated.

(Arrangement 11) The program update unit stores the vehicle control update program received from the communication unit based on the operation of the first user registered in the vehicle in the first program storage area or the second program storage area. any one of configuration 1 to configuration 10, wherein the vehicle control update program received from the communication unit based on an operation by a second user different from the first user is stored in the third program storage area. The program management device according to .
According to the program management device of configuration 11, the vehicle control update program is processed differently depending on whether the download of the vehicle control update program is executed by the intention of the first user or by the intention of the second user. can let Accordingly, different processing can be performed on the downloaded vehicle control update program depending on who is the user who instructed the download, thereby facilitating maintenance and management of the program.

(Configuration 12) The program update unit includes the uncontrolled update program received from the communication unit based on the operation of the first user and the uncontrolled update program received from the communication unit based on the operation of the second user. 12. The program management device according to configuration 11, wherein the update program and the update program are stored in different storage areas in the third program storage area.
According to the program management device of configuration 12, different processing can be performed on the downloaded uncontrolled update program depending on who is the user who instructed the download, and maintenance and management of the program can be easily performed. .

(Arrangement 13) When the storage capacity of the first program storage area or the second program storage area is insufficient in the first process, the program update unit updates the second user's operation in the third program storage area. 13. The program management device according to configuration 12, wherein at least part of the vehicle control update program is stored in an area for storing the non-control update program received by the communication unit based on the above.
According to the program management device of configuration 13, the vehicle control update program downloaded based on the registered first user's instruction is prioritized over the non-control update program downloaded based on the second user's instruction, You can allocate storage capacity. Therefore, more important vehicle control updates can be downloaded and installed more reliably.

(Arrangement 14) A program management method using a program management device comprising a communication unit that communicates with an external device existing outside a vehicle, and a storage unit, wherein the storage unit controls the vehicle. a first program storage area for storing a vehicle control program for driving the vehicle; a second program storage area for storing the vehicle control program; 3 areas are provided, and the vehicle control update program received by the communication unit and used for updating the vehicle control program is stored in at least one of the first program storage area and the second program storage area. A program management method that performs a first process and a second process of storing, in the third program storage area, a non-control update program that is received by the communication unit and is used to update the non-participation program.
According to the program management method of configuration 14, since the area for storing the vehicle control program for controlling the vehicle is duplicated, the vehicle control program can be held in an area that is not affected by the update while the vehicle control program is being updated. Therefore, there is no need to limit the timing of updating the program in case there is a problem with updating the program. Therefore, restrictions on the timing of updating the program can be reduced. Further, by not duplicating the third program storage area for storing the non-controlled update program, it is possible to suppress the increase in capacity of the storage area. Further, by making the third program storage area different from the first program storage area and the second program storage area, the storage of the non-control update program reduces the time required for storing the vehicle control program. The area will not run out of capacity. Therefore, it is possible to suppress an increase in the capacity of the storage area for storing the program of the vehicle, and to avoid the shortage of the storage area for storing the program.

(Arrangement 15) A recording medium storing a program executed by a computer that controls a program management device comprising: a communication unit that communicates with an external device that exists outside a vehicle; includes a first program storage area for storing a vehicle control program for controlling the vehicle, a second program storage area for storing the vehicle control program, and a non-control area for performing control not involved in driving the vehicle. a program storage third area for storing a participating program, wherein the computer stores the vehicle control update program received by the communication unit and used for updating the vehicle control program in the program storage first area; Alternatively, a first process of storing in at least one of the second program storage areas, and storing the uncontrolled update program received by the communication unit and used for updating the non-participating programs in the third program storage area A recording medium for storing a program for executing a second process to be stored.
According to the program stored in the recording medium of configuration 15, the area for storing the vehicle control program for controlling the vehicle is duplicated. can hold Therefore, there is no need to limit the timing of updating the program in case there is a problem with updating the program. Therefore, restrictions on the timing of updating the program can be reduced. Further, by not duplicating the third program storage area for storing the non-controlled update program, it is possible to suppress the increase in capacity of the storage area. Further, by making the third program storage area different from the first program storage area and the second program storage area, the storage of the non-control update program reduces the time required for storing the vehicle control program. The area will not run out of capacity. Therefore, it is possible to suppress an increase in the capacity of the storage area for storing the program of the vehicle, and to avoid the shortage of the storage area for storing the program.

DESCRIPTION OF SYMBOLS 1... Control system (program management apparatus), 2... Central ECU (control part), 12... TCU (communication part), 20... Zone ECU (control part), 20a... 1st zone ECU (control part), 20b... 3rd 2-zone ECU (control section) 20c... 3rd zone ECU (control section) 25a...shift device 25b...drive source 27a...SSSW 27b...shift SW 30, 30a, 30b, 30c, 30e, 30f, 30g, 30h, 30i...ECU 30d...ECU (control unit) 51, 51a, 51b, 51c, 212...Update execution unit (program update unit) 52, 52a, 52b, 52c, 213...Data storage unit 61 Boot sector 62 Side A boot image storage area 63 Side B boot image storage area 64 Common area (third program storage area) 65 Spare area (third program spare storage area) 66 Check 70... First program storage area 71... A-side program area 72, 74... Spare area (first program spare storage area) 73... A-side user area 75... Second program storage area 76... B-side program area 77, 79 Reserve area (second program reserve storage area) 78 B-side user area 100 Program management system 110 Server 120 Vehicle diagnosis device 201 Update control unit 202 ... update data receiving unit, 203 ... update data control unit, 211 ... data processing unit, V ... vehicle.

Claims (15)

a communication unit that communicates with an external device existing outside the vehicle;
a control unit that executes a vehicle control program for controlling the vehicle;
a program storage first area for storing the vehicle control program;
a program storage second area for storing the vehicle control program;
a program storage third area for storing a non-participating program for performing control that does not involve driving the vehicle;
a first process for storing the vehicle control update program received by the communication unit and used for updating the vehicle control program in at least one of the first program storage area and the second program storage area; a program update unit that executes a second process of storing, in the third program storage area, the non-control update program that is received by the communication unit and is used to update the non-participation program;
A program management device comprising: 2. The program management apparatus according to claim 1, wherein said program storage first area comprises a program spare storage first area, and said program storage second area comprises a program spare storage second area. The program update unit stores at least part of the vehicle control update program in the first program spare storage area when the storage capacity of the first program storage area or the second program storage area is insufficient in the first process. 3. The program management device according to claim 2, wherein the program is stored in said program spare storage second area. 3. The program management apparatus according to claim 2, wherein said program storage third area comprises a program spare storage third area. 5. The program update unit stores at least part of the non-controlled update program in the third program spare storage area when the storage capacity of the third program storage area is insufficient in the second process. The program management device according to . 2. The program management apparatus according to claim 1, wherein said program updating unit executes said first process after said second process is completed when said first process and said second process are executable. The control unit is capable of setting, as a power supply state of the vehicle, a power-on state in which a drive source of the vehicle can be controlled and a power-off state in which the drive source is not controlled,
2. The program management apparatus according to claim 1, wherein when said program update unit executes said second process, it is set not to switch to said power-on state until said second process is completed. The control unit notifies that there is a period in which switching to the power-on state is not possible when the power-on state is switched to the power-off state while the program update unit is capable of starting the second process. 8. The program management apparatus according to claim 7. When the storage capacity of the first program storage area or the second program storage area is insufficient in the first process, the program update unit forms an extension area using the third program storage area, 2. The program management device according to claim 1, wherein at least part of said vehicle control update program is stored in an expansion area. The program update unit divides the third program storage area into two divided areas, one of the divided areas being the extension area corresponding to the first program storage area, and the other divided area being the program storage area. 10. The program management device according to claim 9, wherein said extended area corresponds to said second storage area. The program update unit stores the vehicle control update program received from the communication unit based on an operation of a first user registered in the vehicle in the first program storage area or the second program storage area. 11. The program storage device according to any one of claims 1 to 10, wherein the vehicle control update program received from the communication unit based on an operation by a second user different from the first user is stored in the third program storage area. program management equipment. The program update unit updates the uncontrolled update program received from the communication unit based on the first user's operation and the uncontrolled update program received from the communication unit based on the second user's operation. 12. The program management apparatus according to claim 11, wherein said program storage third area is stored in a different storage area. When the storage capacity of the first program storage area or the second program storage area is insufficient in the first process, the program update unit performs the communication in the third program storage area based on the second user's operation. 13. The program management device according to claim 12, wherein at least part of said vehicle control update program is stored in an area for storing said non-control update program received by said unit. A program management method using a program management device comprising a communication unit that communicates with an external device existing outside a vehicle, and a storage unit,
in the storage unit,
a program storage first area for storing a vehicle control program for controlling the vehicle;
a program storage second area for storing the vehicle control program;
a program storage third area for storing a non-participating program for performing control that does not involve driving the vehicle;
provided,
a first process for storing the vehicle control update program received by the communication unit and used for updating the vehicle control program in at least one of the first program storage area and the second program storage area; A program management method, comprising: executing a second process of storing, in the third program storage area, a non-control update program received by a communication unit and used for updating the non-participation program. A recording medium storing a program executed by a computer that controls a program management device that includes a communication unit that communicates with an external device that exists outside the vehicle, and a storage unit,
The storage unit contains
a program storage first area for storing a vehicle control program for controlling the vehicle;
a program storage second area for storing the vehicle control program;
a program storage third area for storing a non-participating program for performing control that does not involve driving the vehicle;
is provided,
A first process of causing the computer to store, in at least one of the first program storage area and the second program storage area, the vehicle control update program received by the communication unit and used for updating the vehicle control program. and a recording medium storing a program for executing a second process of storing, in the program storage third area, a non-control update program used for updating the non-participation program received by the communication unit.

Images