JP2023145880A - In-vehicle update apparatus, in-vehicle update system, control method related to program update of in-vehicle control apparatus - Google Patents

Abstract

To implement appropriate control for program update of an in-vehicle control apparatus.SOLUTION: An in-vehicle update apparatus 24 is configured to, in the case of acquiring an update program to be applied to a target ECU 22a from a program providing apparatus 12 and in the case of saving save data stored in a storage unit of the in-vehicle update apparatus 24 to a non-target ECU 22b, select the non-target ECU 22b that satisfies a first condition. The in-vehicle update apparatus 24 is configured to, when an allowable amount of data to be saved to the non-target ECU 22b that satisfies the first condition satisfies a second condition, transmit, as a first process, at least a part of the save data to the non-target ECU22b, or execute a second process different from the first process when the allowable amount of data to be saved to the non-target ECU 22b that satisfies the first condition does not satisfy the second condition.SELECTED DRAWING: Figure 1

Description

The present disclosure relates to data processing technology, and particularly relates to a control method for updating a program of an in-vehicle update device, an in-vehicle update system, and an in-vehicle control device.

If the free space in the storage section of the in-vehicle update device is insufficient for the size of the update program to be applied to the in-vehicle control device, the data stored in the storage section of the in-vehicle update device may be transferred to an external server or to a non-update target. A technique has been proposed in which the update program is stored in the storage section of the in-vehicle update device by increasing the free space in the storage section of the in-vehicle update device by evacuating the update program to the in-vehicle control device (for example, see Patent Document 1).

Japanese Patent Application Publication No. 2020-152154

However, the vehicle-mounted control devices that are not subject to update may include those that are not suitable as data save destinations from the viewpoint of rewriting lifespan and the like.

The present disclosure has been made in view of these problems, and one purpose is to provide a technique for realizing suitable control regarding program updates of an on-vehicle control device.

In order to solve the above problems, an in-vehicle update device according to an aspect of the present disclosure acquires an update program transmitted from an external server outside the vehicle, and performs processing for updating the program of an in-vehicle control device installed in the vehicle. The present invention is an in-vehicle update device that performs updating, and includes a storage unit that stores an update program, and a control unit that controls transmission of the update program to an in-vehicle control device that is an update target. When the control unit acquires an update program from an external server and when the saved data stored in the storage unit should be saved to an in-vehicle control device that is not an update target and is not an update target in-vehicle control device, The control unit selects a non-update on-vehicle control device that satisfies the first condition, and selects the first As the process, at least a part of the saved data is transmitted to the non-updated in-vehicle control device, and if the amount that can be saved to the non-updated in-vehicle control device that satisfies the first condition does not satisfy the second condition, A second process different from the first process is executed.

Another aspect of the invention is an on-vehicle update system. This in-vehicle update system is an in-vehicle update system that acquires an update program sent from an external server outside the vehicle and performs processing to update the program of the in-vehicle control device installed in the vehicle, and the update program is stored. and a control unit that controls transmission of the update program to the in-vehicle control device to be updated. When the control unit acquires an update program from an external server and when the saved data stored in the storage unit should be saved to an in-vehicle control device that is not an update target and is not an update target in-vehicle control device, The control unit selects a non-update on-vehicle control device that satisfies the first condition, and selects the first As the process, at least a part of the saved data is transmitted to the non-updated in-vehicle control device, and if the amount that can be saved to the non-updated in-vehicle control device that satisfies the first condition does not satisfy the second condition, A second process different from the first process is executed.

Yet another aspect of the present invention is a control method for updating a program of a vehicle-mounted control device. This method acquires an update program transmitted from an external server outside the vehicle, performs processing for updating the program of an in-vehicle control device installed in the vehicle, and includes a storage unit in which the update program is stored. A computer installed in a vehicle executes a process for controlling transmission of an update program to an on-vehicle control device to be updated, and the computer obtains an update program from an external server as the control process, and If the saved data stored in the storage unit should be saved to a non-updated on-vehicle control device other than the updated on-vehicle control device, the non-updated on-vehicle control device that satisfies the first condition is selected, and the computer As a process to be controlled, if the amount of data that can be saved to the in-vehicle control device that is not subject to update that satisfies the first condition satisfies the second condition, as a first process, at least part of the saved data is subject to non-update. If the amount that can be saved to the non-updated vehicle control device that satisfies the first condition does not satisfy the second condition, a second process different from the first process is executed. .

Note that any combination of the above components and expressions of the present disclosure converted between a computer program, a recording medium on which a computer program is recorded, a vehicle equipped with an in-vehicle update device, etc. are also valid as aspects of the present disclosure. It is.

According to the technology of the present disclosure, it is possible to realize suitable control regarding program updates of a vehicle-mounted control device.

1 is a block diagram showing the configuration of an in-vehicle update system according to a first embodiment; FIG. FIG. 2 is a block diagram showing detailed functional blocks of the ECU and in-vehicle update device shown in FIG. 1. FIG. FIG. 3 is a diagram illustrating an example of multiple types of data stored in a storage unit of the in-vehicle update device and saved data. It is a flowchart which shows the processing of the in-vehicle update device of a 1st example. It is a flowchart which shows the processing of the in-vehicle update device of a 1st example. 6 is a flowchart showing details of the evacuation destination ECU setting process in S120 of FIG. 5. FIG. It is a flowchart which shows the process of the in-vehicle update device of 2nd Example. It is a flowchart which shows the process of the in-vehicle update device of 2nd Example. It is a flowchart which shows the process of the in-vehicle update device of 2nd Example. It is a flowchart which shows the process of the in-vehicle update device of 3rd Example. It is a flowchart which shows the process of the in-vehicle update device of 3rd Example. It is a flowchart which shows the process of the in-vehicle update device of 3rd Example. It is a block diagram showing the composition of the in-vehicle update system of a modification. It is a block diagram showing the composition of the in-vehicle update system of a modification.

The main body of the apparatus or method in the present disclosure includes a computer. When this computer executes the program, the main functions of the apparatus or method of the present disclosure are realized. A computer includes, as its main hardware configuration, a processor that operates according to a program. The type of processor does not matter as long as it can implement a function by executing a program. A processor is composed of one or more electronic circuits including a semiconductor integrated circuit (IC) or a large scale integration (LSI). Although it is called an IC or LSI here, the name changes depending on the degree of integration, and may be called a system LSI, VLSI (Very Large Scale Integration), or ULSI (Ultra Large Scale Integration). Field Programmable Gate Array (FPGA), which is programmed after the LSI is manufactured, or a reconfigurable logic device that allows the reconfiguration of junction relationships within the LSI or the setup of circuit sections within the LSI can also be used for the same purpose. Further, the processor may include at least one of an SoC (System on a Chip), an MPU (Micro Processor Unit), and an MCU (Micro Controller Unit). A plurality of electronic circuits may be integrated on one chip or may be provided on a plurality of chips. A plurality of chips may be integrated into one device, or may be provided in a plurality of devices. The program may be recorded in a computer-readable non-temporary storage medium such as a ROM (Read Only Memory), an optical disk, or a hard disk drive, or may be stored in a computer-readable temporary storage such as a RAM (Random Access Memory). It may also be recorded on a medium. The program may be stored in advance on a recording medium, or may be supplied to a recording medium or a storage medium via a wide area communication network including the Internet.

<First example>
FIG. 1 is a block diagram showing the configuration of an in-vehicle update system 10 according to a first embodiment. Each block shown in the block diagram of the present disclosure can be realized in terms of hardware by elements and mechanical devices such as the CPU and memory of a computer, and in terms of software by a computer program, etc.; , depicts the functional blocks realized by their cooperation. Those skilled in the art will understand that these functional blocks can be implemented in various ways by combining hardware and software.

The in-vehicle update system 10 includes a program providing device 12 and a vehicle 14. The program providing device 12 and the vehicle 14 are connected via a communication network 16. The communication network 16 may include a fourth generation mobile communication system (4G), a fifth generation mobile communication system (5G), the Internet, etc.

The program providing device 12 is a server that provides the vehicle 14 with a computer program (hereinafter referred to as an "update program") for updating a computer program executed by the on-vehicle control device of the vehicle 14. The program providing device 12 is also called an OTA (Over The Air) server. In the first embodiment, the on-vehicle control device of the vehicle 14 is an ECU (Electronic Control Unit). The program providing device 12 includes a storage unit 18 that stores various data. As will be described later, the storage unit 18 serves as a save destination for save data.

The vehicle 14 includes an external communication device 20, a plurality of ECUs 22, an on-vehicle update device 24, a removable storage device 26, and a display device 28. Each device in the vehicle 14 is connected via a known in-vehicle network such as Ethernet (registered trademark), CAN (Controller Area Network), MOST (Media Oriented Systems Transport) (registered trademark).

The external communication device 20 communicates with a device external to the vehicle 14 by wireless communication. For example, the external communication device 20 receives data transmitted from the program providing device 12 and inputs the received data to the in-vehicle update device 24. Further, the external communication device 20 transmits data output from the on-vehicle update device 24 to the program providing device 12.

The plurality of ECUs 22 can also be said to be an on-vehicle control device. The plurality of ECUs 22 include an ECU that controls the behavior of the vehicle 14, and also includes an ECU that manages various information. For example, the plurality of ECUs 22 may include an engine control ECU, a brake control ECU, a steering control ECU, an automatic driving controller, an IVI (In-Vehicle Infotainment) device, and the like. Each of the plurality of ECUs 22 includes a processor (such as a CPU), and when the processor executes a computer program stored in advance, functions defined by the computer program are exhibited.

Regarding application of one update program, the plurality of ECUs 22 are classified into update target ECUs 22a and non-update target ECUs 22b. The update target ECU 22a is an ECU whose existing program is to be updated by an update program, or in other words, an ECU to which the update program is applied. The non-update target ECU 22b is an ECU to which the update program is not applied.

The in-vehicle update device 24 is a computer that acquires an update program transmitted from the program providing device 12 via the external communication device 20 and executes a process for updating the program of the ECU 22 using the update program. The in-vehicle update device 24 may be implemented as an ECU. The in-vehicle update device 24 can also be called an OTA management ECU.

The removable storage device 26 is also called a removable medium, and is an external recording medium that can be removed by an occupant of the vehicle 14. The removable storage device 26 may be, for example, a USB flash drive. The display device 28 displays various information. The display device 28 may be, for example, an HMI (Human Machine Interface) device such as a car navigation display.

FIG. 2 is a block diagram showing detailed functional blocks of the ECU 22 and the in-vehicle update device 24 shown in FIG. The configuration of the ECU 22 shown in FIG. 2 is common to a plurality of ECUs 22. The ECU 22 includes an in-vehicle communication section 30, a control section 32, and a storage section 34. The in-vehicle communication unit 30 transmits and receives data to and from the in-vehicle update device 24 via the in-vehicle network.

The storage unit 34 stores data that is referenced or updated by the control unit 32. At least a portion of the storage unit 34 is constituted by a rewritable nonvolatile memory (for example, an EEPROM or a flash memory). Therefore, the storage unit 34 has an upper limit on the number of times it can be rewritten (also referred to as the number of writes), that is, it has a rewrite life.

The storage unit 34 includes a first storage area 36 and a second storage area 38. One of the first storage area 36 and the second storage area 38 serves as a surface (operating surface) that holds the computer program executed by the control unit 32, and the other surface serves as a surface (non-operating surface) on which the update program is reflected. becomes. If the computer program on the non-operating side is updated, the next time it is started up, the computer program will be switched between the active side and the non-operating side. Thereby, the control unit 32 executes the updated computer program and exhibits the updated function. As a modification, the ECU 22 may write the update program to another storage area of the storage unit 34. The ECU 22 may perform an internal process of updating the program on the startup surface of the storage unit 34 using an update program while the vehicle is stopped (while the ECU 22 is not operating). Further, the ECU 22 may write the update program into the free space of the storage unit 34, or may perform internal processing while the vehicle is stopped (while the ECU 22 is not in operation) so as to operate with the update program the next time the ECU 22 operates. .

The control unit 32 controls the operation of its own device according to a computer program stored in the storage unit 34, and also controls the operation of an external device to be controlled (such as an actuator). The control unit 32 is realized by a processor (such as a CPU) of the ECU 22, and the functions of the control unit 32 are performed by the processor of the ECU 22 executing a computer program stored in the storage unit 34 (operation side).

The in-vehicle update device 24 includes an in-vehicle communication section 40, an input/output IF 42, a control section 44, and a storage section 46. The in-vehicle communication unit 40 transmits and receives data to and from the plurality of ECUs 22 via the in-vehicle network. The input/output IF 42 is an interface that connects with the external communication device 20, the removable storage device 26, and the display device 28. The input/output IF 42 may include interfaces of different standards depending on the device to be connected.

The storage unit 46 stores a computer program (hereinafter also referred to as "update control program") that controls the operation of the in-vehicle update device 24. Furthermore, the storage unit 46 temporarily stores at least a portion of the update program.

The control unit 44 executes processing related to updating the computer program of the ECU 22 in accordance with the update control program stored in the storage unit 46, in other words, executes processing related to application of the update program to the ECU 22. The control unit 44 is realized by a processor (such as a CPU) of the in-vehicle update device 24, and the functions of the control unit 44 are performed when the processor of the in-vehicle update device 24 executes an update control program stored in the storage unit 46. Ru.

The control unit 44 controls transmission of the update program to the update target ECU 22a. The control unit 44 of the first embodiment controls the first Select the in-vehicle control device that is not to be updated and satisfies the following conditions. The case where the saved data stored in the storage section 46 should be saved to the non-update target ECU 22b can also be said to be the case where the storage section 46 does not have a free space to store the update program. The first condition will be described later.

When the amount that can be saved to the non-update target ECU 22b that satisfies the first condition satisfies the second condition, the control unit 44 performs a first process to non-update at least a portion of the save data stored in the storage unit 46. It is transmitted to the update target ECU 22b. On the other hand, if the amount that can be saved to the non-update target ECU 22b that satisfies the first condition does not satisfy the second condition, a second process different from the first process is executed. The control unit 44 stores at least a portion of the update program acquired from the program providing device 12 in the area of the storage unit 46 where the transmitted saved data was stored.

The above second condition is that the amount that can be evacuated to the non-update target ECU 22b that satisfies the first condition is greater than or equal to a predetermined threshold. The second condition in the first embodiment is that the amount that can be saved to the non-update target ECU 22b that satisfies the first condition is greater than or equal to the value that allows the update program to be stored in the storage unit 46 of the in-vehicle update device 24. It is. Specifically, the second condition is that the total value of the amount that can be saved to the non-update target ECU 22b that satisfies the first condition and the free space of the storage unit 46 of the in-vehicle update device 24 is equal to or larger than the size of the update program. This is what happens.

In this way, the in-vehicle update device 24 can appropriately determine the save destination when saving existing data stored in the storage unit 46 in order to secure a storage area for the update program. Furthermore, if the evacuable amount is not sufficient even if the non-update target ECU 22b is included, a second process different from the first process of transmitting at least a part of the save data to the non-update target ECU 22b is executed. As a result, even if the amount that can be saved is not sufficient even when including the non-update target ECU 22b, appropriate measures can be taken.

Furthermore, the control unit 44 stores a part of the update program in the removable storage device 26 as a second process. As a result, if the evacuation capacity is not sufficient even if the non-update target ECU 22b is included, the removable storage device 26 connected by the occupant of the vehicle 14 is used as a storage destination for the update program, thereby increasing the applicability of the update program. can be increased.

FIG. 3 shows an example of multiple types of data stored in the storage unit 46 of the in-vehicle update device 24 and saved data. (1) The failure/abnormality code may be one in which the control unit 44 receives data transmitted from each of the plurality of ECUs 22, extracts the failure/abnormality code included in the data, and stores it in the storage unit 46. Further, the failure/abnormality code may be output by the control unit 44 by performing a self-diagnosis function of its own device and based on the result of the self-diagnosis. (2) The security information may be information indicating the security state of the in-vehicle update device 24.

(3) The freeze frame data may be a record of all data flowing through the in-vehicle network when an abnormality occurred in the vehicle 14. For example, the freeze frame data may be a record of data (CAN message, Ethernet frame, etc.) flowing through the in-vehicle network at that time when the control unit 44 extracts a failure/abnormality code. (4) The log data of the update process may record information regarding the progress status when the control unit 44 transmits the update program to the ECU 22 (update target ECU 22a). (5) The communication log data may be log data of communication flowing through the in-vehicle network, which is recorded by the control unit 44.

The saved data is data that can be saved from the storage unit 46 of the in-vehicle update device 24 to the storage unit of an external device of the in-vehicle update device 24. The data saved from the storage unit 46 of the in-vehicle update device 24 to the storage unit 18 of the program providing device 12 includes (4) update processing log data and (5) communication log data. Furthermore, the data saved from the storage unit 46 of the on-vehicle update device 24 to the storage unit 34 of the non-update target ECU 22b includes (3) freeze frame data.

In the first embodiment, the in-vehicle update device 24 uses four selection conditions shown below as selection conditions 1 to 4 as the above-mentioned first condition. Using these four selection conditions, the in-vehicle update device 24 selects ECUs (hereinafter also referred to as "evacuation destination ECUs") that can be the destination of evacuation data from among the non-update target ECUs 22b, and also selects one The priorities of the above evacuation destination ECUs are determined. As a modification, the in-vehicle update device 24 may use some of the four selection conditions, or may change the selection order.

Selection condition 1: Considering the number of rewrites (in other words, rewriting life) of the storage unit 34 of the non-update target ECU 22b, only non-update target ECUs 22b with a certain margin or more are selected as evacuation destination ECUs. In other words, non-update target ECUs 22b whose number of rewrites deviates from a predetermined allowable range are excluded from the evacuation destination ECUs. Note that among the evacuation destination ECUs, a higher priority may be given to an ECU with a larger number of rewrites remaining.

Selection condition 2: Exclude non-update target ECUs 22b whose heat generation state deviates from a predetermined allowable range from the evacuation destination ECUs.
Selection condition 3: Exclude non-update target ECUs 22b whose CPU usage rate continuously deviates from a predetermined allowable range from the evacuation destination ECUs.
Selection condition 4: Among the evacuation destination ECUs, those with lower power consumption are given higher priority. Thereby, the amount of power consumed by the entire vehicle can be reduced.

It should be noted that each time the in-vehicle update device 24 should determine the evacuation destination ECU from among the non-update target ECUs 22b, the in-vehicle update device 24 obtains information from the non-update target ECUs 22b such as (1) whether or not it can be rewritten (or the permissible number of rewrites), (2) the heat generation state, ( 3) CPU usage rate and (4) power consumption may be acquired. Alternatively, once the in-vehicle update device 24 acquires this information from the non-update target ECU 22b, it stores the acquired information in the storage unit 46, and when determining the evacuation destination ECU from next time onwards, the information stored in the storage unit 46 in advance is stored in the storage unit 46. The evacuation destination ECU may be determined by referring to the information. Further, at the time of system construction, information on ECUs 22 that can be selected as evacuation destination ECUs or information on ECUs 22 that cannot be selected as evacuation destination ECUs may be determined in advance and stored in the storage unit 46.

The in-vehicle update device 24 disconnects the removable storage device from the vehicle 14 when the storage area for the update program cannot be secured even after taking into account the free space of the evacuation destination ECU (that is, the amount of data saved to the evacuation destination ECU). request to the crew. Then, some data of the update program is stored in the removable storage device.

Note that if all data of the update program is placed in a removable storage device, there is a risk that the update program may be tampered with. To prevent this, only part of the data of the update program is stored in the removable storage device. Furthermore, if saved data (freeze frame data, log data, etc.) is stored in a removable storage device, the saved data cannot be restored if the removable storage device is removed, so the saved data is not stored in the removable storage device.

The operation of the in-vehicle update device 24 having the above configuration will be explained.
FIG. 4 is a flowchart showing the processing of the in-vehicle update device 24 of the first embodiment. The control unit 44 of the in-vehicle update device 24 acquires the update information transmitted from the program providing device 12 (S100). The update information includes the model number of the ECU 22 to be updated (in other words, identification information of the ECU 22a to be updated) and the size of the update program. The control unit 44 of the in-vehicle update device 24 derives the size (in other words, data capacity) of the update program based on the acquired update information (S101).

The control unit 44 compares the size of the update program with the free space of the local storage unit 46. If the size of the update program is less than or equal to the free space of the storage unit 46 (Y in S102), the control unit 44 transmits data requesting provision of the update program to the program providing device 12, and the data sent from the program providing device 12 is The updated update program data is acquired and stored in the storage unit 46 (S103).

The control unit 44 transmits the update program stored in the storage unit 46 to the update target ECU 22a, and instructs the control unit 32 of the update target ECU 22a to apply the update program (S104). The control unit 32 of the update target ECU 22a that has acquired (received) the update program executes the update program application process at a predetermined timing. For example, the control unit 32 updates the computer program stored on the non-operating surface of the storage unit 34 based on the update program. At the next startup, the control unit 32 sets the previously inactive surface to which the updated program has been applied as a new operational surface, and executes various controls based on the updated computer program stored in the new operational surface. .

If the size of the update program is larger than the free space of the storage unit 46 (N in S102), the control unit 44 of the in-vehicle update device 24 determines the maximum capacity of saved data that can be transmitted from the in-vehicle update device 24 to the program providing device 12 (hereinafter referred to as (Also called "maximum evacuation capacity.") The maximum save capacity may be included in the update information provided by the program providing device 12, and the control unit 44 may extract the maximum save capacity to the program providing device 12 from the update information. Alternatively, the control unit 44 may specify the maximum save capacity to the program providing device 12 by inquiring the program providing device 12.

The control unit 44 compares the total value of the free capacity of the local storage unit 46 and the maximum save capacity to the program providing device 12 (also referred to as "total free capacity") and the size of the update program. If the size of the update program is less than or equal to the total free space (Y in S105), the control unit 44 saves the saved data in the storage unit 46 (including, for example, update processing log data and communication log data) to the program providing device 12. and stored in the storage unit 18 of the program providing device 12. The size of the saved data may be, for example, the same size as the maximum save capacity of the program providing device 12. The control unit 44 deletes the saved data sent to the program providing device 12 from the local storage unit 46 (S106).

The control unit 44 acquires the update program sent from the program providing device 12 and stores it in the storage unit 46 (S107). The control unit 44 transmits the update program stored in the storage unit 46 to the update target ECU 22a, and instructs the control unit 32 of the update target ECU 22a to apply the update program (S108). The control unit 44 deletes the update program stored in the storage unit 46 (S109). The control unit 44 acquires the saved data sent to the program providing device 12 in S106 from the program providing device 12, and stores the saved data in the storage unit 46 again (S110).

If the size of the update program is larger than the total free space (N in S105), the process shown in FIG. 5 is executed. FIG. 5 is also a flowchart showing the processing of the in-vehicle update device 24 of the first embodiment, and is a flowchart showing a continuation of FIG. 4.

The control unit 44 of the in-vehicle update device 24 selects a save destination ECU that can be the destination of the save data from among the non-update target ECUs 22b (S120). FIG. 6 is a flowchart showing details of the evacuation destination ECU setting process in S120 of FIG. Based on the update information acquired in S100 of FIG. 4, the control unit 44 excludes the update target ECU 22a from among the plurality of ECUs 22 and specifies the remaining ECU 22 as a non-update target ECU 22b. The control unit 44 creates a candidate list indicating the identified one or more non-update target ECUs 22b as candidates for the evacuation destination ECU (S130).

The control unit 44 selects one non-update target ECU 22b to be determined from the candidate list as a determination target ECU (S131). The control unit 44 transmits data inquiring about whether rewriting is possible (or the permissible number of rewritings (the number of times rewriting will be permitted in the future)) to the ECU to be determined, and acquires data regarding whether rewriting is possible transmitted from the ECU to be determined. If the storage unit 34 of the determination target ECU cannot be rewritten (or if the number of times the storage unit 34 is allowed to be rewritten is less than or equal to a predetermined tolerance value) (N in S132), the control unit 44 selects the determination target ECU from the candidate list. Delete (S133). If the storage unit 34 of the determination target ECU is rewritable (or if the allowable number of rewrites of the storage unit 34 is greater than the allowable value) (Y in S132), the control unit 44 leaves the determination target ECU in the candidate list. If there is an undetermined non-update target ECU 22b in the candidate list (Y in S134), the process returns to S131, and if all non-update target ECUs 22b in the candidate list have been determined (S134, N), the process returns to S135. move on.

As a modification, the storage unit 46 of the in-vehicle update device 24 may store the number of times the storage unit 34 of each of the plurality of ECUs 22 has been rewritten. The control unit 44 of the in-vehicle update device 24 may increase the number of times the storage unit 34 of each ECU 22 is rewritten each time the data in the storage unit 34 of each ECU 22 is updated. Further, the storage unit 46 may store an allowable number of rewriting times in the storage unit 34 of each of the plurality of ECUs 22. This allowable value may be a value that is less than or equal to a predetermined upper limit number of times of rewriting. The control unit 44 may specify the number of times the storage unit 34 of the ECU to be determined is rewritten, which is stored in the storage unit 46 . If the number of rewrites in the storage unit 34 of the ECU to be determined is greater than the predetermined allowable value (N in S132), the control unit 44 may delete the ECU to be determined from the candidate list (S133). If the number of rewrites in the storage unit 34 of the ECU to be determined is less than or equal to the allowable value (Y in S132), the control unit 44 may leave the ECU to be determined in the candidate list.

The control unit 44 selects one non-update target ECU 22b to be determined from the candidate list as a determination target ECU (S135). The control unit 44 transmits data inquiring about the heat generation state (for example, temperature of the CPU, etc.) to the ECU to be determined, and acquires data regarding the heat generation state transmitted from the ECU to be determined. If the heat generation state of the determination target ECU is higher than the predetermined tolerance value (N in S136), the control unit 44 deletes the determination target ECU from the candidate list (S137). If the heat generation state of the ECU to be determined is below the allowable value (Y in S136), the control unit 44 leaves the ECU to be determined in the candidate list. If there is an undetermined non-update target ECU 22b in the candidate list (Y at S138), the process returns to S135, and if all non-update target ECUs 22b in the candidate list have been determined (S138, N), the process goes to S139. move on.

The control unit 44 selects one non-update target ECU 22b as a determination target ECU from the candidate list (S139). The control unit 44 transmits data inquiring about the CPU usage rate to the ECU to be determined, and acquires data regarding the CPU usage rate transmitted from the ECU to be determined. If the CPU usage rate of the ECU to be determined is higher than the predetermined allowable value (N in S140), the control unit 44 deletes the ECU to be determined from the candidate list (S141). If the CPU usage rate of the ECU to be determined is less than or equal to the allowable value (Y in S140), the control unit 44 leaves the ECU to be determined in the candidate list. If there is an undetermined non-update target ECU 22b in the candidate list (Y in S142), the process returns to S139, and if all non-update target ECUs 22b in the candidate list have been determined (S142 N), the process returns to S143. move on.

If the non-update target ECU 22b remains in the candidate list (Y in S143), the control unit 44 determines the non-update target ECU 22b remaining in the candidate list as the evacuation destination ECU. The control unit 44 specifies the power consumption of each evacuation destination ECU stored in advance in the storage unit 46. The control unit 44 gives priority to the plurality of evacuation destination ECUs in descending order of power consumption (S144). If no non-update target ECU 22b remains in the candidate list (N at S143), the process at S144 is skipped.

Returning to FIG. 5, the control unit 44 specifies the maximum capacity of save data (maximum save capacity) that can be transmitted from the in-vehicle update device 24 to each save destination ECU. For example, the control unit 44 may inquire of each evacuation destination ECU about the free capacity of the storage unit 34, and specifies the free capacity of the storage unit 34 transmitted from each evacuation destination ECU as the maximum evacuation capacity for each evacuation destination ECU. You may. The control unit 44 derives the total free capacity of the free capacity of the local storage unit 46, the maximum save capacity to the program providing device 12, and the maximum save capacity to each save destination ECU. The control unit 44 compares the size of the update program and the total free space.

If the size of the update program is less than or equal to the total free space (Y in S121), the control unit 44 sends the saved data (including, for example, update process log data and communication log data) to the program providing device 12, and The information is stored in the storage unit 18 of the providing device 12. Further, the control unit 44 transmits the save data (including, for example, freeze frame data) to each save destination ECU, and causes the save data to be stored in the storage unit 34 of each save destination ECU. The size of the save data transmitted to each save destination ECU may be the same size as the maximum save capacity of each save destination ECU. The control unit 44 deletes the saved data sent to the program providing device 12 from the local storage unit 46, and also deletes the saved data sent to each save destination ECU from the storage unit 46 (S122).

In addition, in the determination in S121, the control unit 44 derives the number of priorities from which data must be saved to the destination ECU in order to make the total free space equal to or greater than the size of the update program. You may. The control unit 44 may transmit the save data from the save destination ECU with the first priority to the save destination ECUs up to the derived priority. For example, if it is necessary to save data to the evacuation destination ECUs with the first to third priorities in order to make the total free space equal to or greater than the size of the update program, the control unit 44 The save data is transmitted from the save destination ECU to the save destination ECU with the third priority.

After completing S122, the process returns to S107 in FIG. In this case, in S110, the saved data sent to the program providing device 12 is acquired from the program providing device 12 and stored again in the local storage unit 46. Further, the save data transmitted to the save destination ECU is acquired from the save destination ECU and stored again in the local storage unit 46.

If the size of the update program is larger than the total free space including the maximum evacuation capacity for all evacuation destination ECUs (N in S121), the control unit 44 downloads content (images, etc.) that instructs to connect the removable storage device 26. ) is transmitted to the display device 28 and displayed (S123). Note that a voice instructing to connect the removable storage device 26 may be output from a speaker (not shown). When the control unit 44 detects that the removable storage device 26 is connected to the in-vehicle update device 24, it acquires the free space of the removable storage device 26.

If the free space of the removable storage device 26 is equal to or greater than the predetermined threshold (Y in S124), the process proceeds to S122. This threshold value may be, for example, the size of the update program, and an appropriate value may be determined based on the developer's knowledge or the results of experiments using the in-vehicle update system 10. The control unit 44 determines whether the total free capacity of the storage unit 46 and the free capacity of the removable storage device 26 is equal to or larger than the size of the update program.

If the total free capacity of the storage unit 46 and the free capacity of the removable storage device 26 is less than the size of the update program, the control unit 44 executes the process of S122. That is, the control unit 44 transmits the saved data to the program providing device 12 and stores it in the storage unit 18 of the program providing device 12. The control unit 44 deletes the saved data sent to the program providing device 12 from the local storage unit 46. Further, the control unit 44 transmits the save data to each save destination ECU, and causes the save data to be stored in the storage unit 34 of each save destination ECU. The control unit 44 deletes the saved data transmitted to each save destination ECU from the storage unit 46. On the other hand, if the total free capacity of the storage unit 46 and the free capacity of the removable storage device 26 is equal to or larger than the size of the update program, the control unit 44 skips the process of S122. In this case, the update program data can be distributed and saved in the free space of the storage unit 46 and the free space of the removable storage device 26 without having to save the saved data.

Thereafter, the process returns to S107 in FIG. In S107, the control unit 44 stores, in the storage unit 46, data of the update program that can be stored in the local storage unit 46 from the viewpoint of free space. The control unit 44 transmits some data of the update program that cannot be stored in the storage unit 46 to the removable storage device 26 to be stored therein. In S108, the control unit 44 transmits the update program data stored in the local storage unit 46 to the update target ECU 22a, and also transmits the update program data stored in the removable storage device 26 to the update target ECU 22a. If the process of S122 is executed first, that is, if the saved data is saved, the process of S110 is executed. That is, the control unit 44 acquires the saved data sent to the program providing device 12 from the program providing device 12, also obtains the saved data sent to the saved destination ECU from the saved destination ECU, and stores the saved data in the storage unit. 46. If the process of S122 has not been executed first, the process of S110 is skipped.

Returning to FIG. 5, if the removable storage device 26 is not connected to the in-vehicle update device 24, or if the free space of the removable storage device 26 is less than a predetermined threshold (N in S124), the process in this figure is ended, That is, processing related to application of the update program to the ECU 22 is stopped. This is because a storage area for temporarily storing the update program cannot be secured.

<Second example>
Regarding the second embodiment of the present disclosure, the points that are different from the first embodiment will be mainly explained, and the explanation of the common points will be omitted. It goes without saying that the features of the second embodiment can be arbitrarily combined with the features of the first embodiment and the features of the modified example. Among the constituent elements of the second embodiment, constituent elements that are the same as or correspond to those of the first embodiment will be described with the same reference numerals as appropriate.

The configuration of each device in the in-vehicle update system 10 of the second embodiment is the same as that of the first embodiment (FIGS. 1 and 2). The control unit 44 of the in-vehicle update device 24 of the second embodiment performs a process for updating the computer program of the update target ECU 22a (hereinafter also referred to as "update process of the update target ECU 22a") when the degree of danger in driving the vehicle 14 is high. call). The suspension may be a temporary suspension (in other words, suspension) or a permanent suspension (in other words, discontinuation).

Specifically, the vehicle 14 may be provided with a biological information sensor (not shown) that measures biological information (heartbeat, respiration, etc.) of the occupant. From the perspective of ensuring the life safety of the occupant after an accident, the control unit 44 of the in-vehicle update device 24 derives the degree of risk based on the biometric information of the occupant measured by the biometric information sensor, and updates the vehicle according to the degree of risk. It may also be determined whether or not the target ECU 22a can be updated. For example, if the occupant is lightly injured, the control unit 44 may derive a relatively low degree of risk and continue the update processing of the update target ECU 22a. On the other hand, if the occupant's condition is serious, the control unit 44 may derive a relatively high degree of risk and stop the update processing of the update target ECU 22a.

When an emergency call is executed automatically or in response to an operation by an occupant, the control unit 44 may detect this and derive a relatively high degree of risk. Furthermore, when an operation by the occupant indicating a high degree of danger is input (for example, pressing an SOS button, etc.), the control unit 44 may detect this and derive a relatively high degree of danger. . Further, the control unit 44 may determine the degree of risk depending on the failure state or accident state of the vehicle 14. For example, the control unit 44 may determine the degree of risk based on the presence or absence and degree of failure of the plurality of ECUs 22. Further, the control unit 44 may determine the degree of risk based on whether or not the airbag is activated.

Further, the control unit 44 detects that an event with a high accident risk has occurred while the vehicle 14 is running, based on image data taken by a camera (not shown) and data acquired from the ECU 22 that manages the running state of the vehicle 14. Good too. This event includes, for example, a pedestrian running out or sudden braking in the vehicle 14. From the viewpoint of preventing accidents, the control unit 44 may stop the update process of the update target ECU 22a when an event with a high risk of an accident, such as a pedestrian running out or sudden braking, is detected. On the other hand, when an event with low risk is detected, such as when the distance between vehicles is short, the control unit 44 may continue the update process of the update target ECU 22a. Note that the control unit 44 may derive the degree of risk of the vehicle 14 based on a rule, or may derive it using deep learning or a neural network.

According to the in-vehicle update device 24 of the second embodiment, when the degree of danger in driving the vehicle 14 is high, by stopping the processing related to the program update of the ECU 22, the in-vehicle equipment (for example, the ECU 22, the in-vehicle update device 24, etc.) and the in-vehicle network It is possible to avoid an increase in the load on the vehicle 14 and improve the safety of the vehicle 14.

FIG. 7 is a flowchart showing the processing of the in-vehicle update device 24 of the second embodiment. Here, when the vehicle 14 is in a predetermined accident state (including a situation where an accident has occurred and a situation where the risk of an accident is high) as a state where the degree of danger in driving the vehicle 14 is high, the update processing of the program of the ECU 22a to be updated is stopped. . S201, S202, S203, S204, and S208 in FIG. 7 correspond to S100, S101, S102, S103, and S104 in FIG.

If the predetermined accident state exists before the start of the update process (Y in S200), the control unit 44 of the in-vehicle update device 24 ends the process shown in this figure, that is, does not start the update program acquisition and application process. If it is not a predetermined accident state (N in S200), the control unit 44 acquires update information from the program providing device 12 (S201), and derives the size of the update program (S202). If the size of the update program is less than or equal to the free space of the storage unit 46 (Y in S203), the control unit 44 acquires the update program from the program providing device 12 and stores it in the storage unit 46 (S204).

If a predetermined accident state is detected at this time (Y in S205), the control unit 44 stops the update processing of the update target ECU 22a (S206). That is, the control unit 44 stops acquiring the update program or stops transmitting the update program to the update target ECU 22a. If the condition is not a predetermined accident state (N at S205) and the update program is being acquired (Y at S207), the process returns to S204. When acquisition of the update program is completed (N in S207), the control unit 44 transmits the update program to the update target ECU 22a, and instructs the control unit 32 of the update target ECU 22a to apply the update program (S208).

If a predetermined accident state is detected at this time (Y in S209), the control unit 44 stops the update processing of the update target ECU 22a (S206). That is, the control unit 44 instructs the control unit 32 of the update target ECU 22a to stop transmitting the update program to the update target ECU 22a, or to stop the update program application process. Note that since the update program is reflected on the non-operating surface of the storage unit 34 of the ECU 22a to be updated, even if the reflection of the update program is stopped midway, no problem will occur in the operation of the ECU 22a to be updated. If it is not in a predetermined accident state (N in S209) and the update program is being sent (Y in S210), the process returns to S208. If the transmission of the update program is completed (N in S210), the process in this figure ends.

If the size of the update program is larger than the free space of the storage unit 46 (N in S203), the process shown in FIG. 8 is executed. FIG. 8 is also a flowchart showing the processing of the in-vehicle update device 24 of the second embodiment, and is a flowchart showing a continuation of FIG. 7. S220, S221, S225, S228, S231, and S232 in FIG. 8 correspond to S105, S106, S107, S108, S109, and S110 in FIG.

If the size of the update program is less than or equal to the total free capacity of the storage unit 46 and the program providing device 12 (Y in S220), the control unit 44 transmits the saved data in the storage unit 46 to the program providing device 12, and The saved data is deleted from the storage unit 46 (S221).

If a predetermined accident state is detected at this time (Y in S222), the control unit 44 stops the update processing of the update target ECU 22a (S223). That is, the control unit 44 stops transmitting the saved data to the program providing device 12. If it is not a predetermined accident state (N at S222) and the evacuation data is being transmitted (Y at S224), the process returns to S221. When the transmission of the saved data is completed (N in S224), the control unit 44 acquires the update program from the program providing device 12 and stores it in the storage unit 46 (S225).

If a predetermined accident state is detected at this time (Y in S226), the control unit 44 stops the update processing of the update target ECU 22a (S223). That is, the control unit 44 stops acquiring the update program or stops transmitting the update program to the update target ECU 22a. If the condition is not a predetermined accident state (N at S226) and the update program is being acquired (Y at S227), the process returns to S225. When acquisition of the update program is completed (N in S227), the control unit 44 transmits the update program to the update target ECU 22a, and instructs the control unit 32 of the update target ECU 22a to apply the update program (S228).

If a predetermined accident state is detected at this time (Y in S229), the control unit 44 stops the update processing of the update target ECU 22a (S223). That is, the control unit 44 instructs the control unit 32 of the update target ECU 22a to stop transmitting the update program to the update target ECU 22a, or to stop the update program application process. If it is not in a predetermined accident state (N in S229) and the update program is being sent (Y in S230), the process returns to S228. When the transmission of the update program is completed (N in S230), the control unit 44 deletes the update program stored in the storage unit 46 (S231). The control unit 44 acquires the saved data sent to the program providing device 12 in S221 from the program providing device 12, and stores the saved data in the storage unit 46 again (S232).

If the size of the update program is larger than the total free space (N in S220), the process shown in FIG. 9 is executed. FIG. 9 is also a flowchart showing the processing of the in-vehicle update device 24 of the second embodiment, and is a flowchart showing a continuation of FIG. 8. S240, S241, S242, S246, and S247 in FIG. 9 are the same as S120, S121, S122, S123, and S124 in FIG. 5, which have already been explained, so their explanation will be omitted. Note that the details of the evacuation destination ECU selection process in S240 are the process shown in FIG. 6 of the first embodiment.

In S242, when a predetermined accident state is detected while transmitting the evacuation data to the external device (Y in S243), the control unit 44 stops the update process of the update target ECU 22a (S244). That is, the control unit 44 stops transmitting the save data to the program providing device 12 and the save destination ECU. If it is not a predetermined accident state (N at S243) and the evacuation data is being transmitted (Y at S245), the process returns to S242. If the transmission of the saved data is completed (N at S245), the process returns to S225 in FIG.

<Third Example>
Regarding the third embodiment of the present disclosure, the points that are different from the first embodiment will be mainly explained, and the explanation of the common points will be omitted. It goes without saying that the features of the third embodiment can be combined in any desired manner with the features of the other embodiments and the features of the modified examples. Among the components of the third embodiment, components that are the same as or correspond to those of the first embodiment will be described with the same reference numerals as appropriate.

The vehicle 14 of the third embodiment is an electric vehicle (EV). The control unit 44 of the in-vehicle update device 24 periodically acquires data on the remaining battery level of the vehicle 14 from the ECU 22 that manages the battery state of the vehicle 14. When the remaining battery level of the vehicle 14 is less than a predetermined threshold, the control unit 44 stops the process for updating the computer program of the ECU 22 to be updated. This threshold value may be a ratio to a full charge, and an appropriate value may be determined based on the developer's knowledge or the results of experiments using the in-vehicle update system 10.

According to the in-vehicle update device 24 of the third embodiment, when the remaining battery level of the vehicle 14 is low, processing related to program updates of the ECU 22 is stopped, thereby reducing power consumption of the in-vehicle devices (for example, the ECU 22, the in-vehicle update device 24, etc.). The safety of the vehicle 14 can be improved. Further, it becomes easier to maintain the state of the vehicle 14 in a state in which it can travel a certain distance.

FIG. 10 is a flowchart showing the processing of the in-vehicle update device 24 of the third embodiment. S300 to S310 in FIG. 10 correspond to S200 to S210 in FIG. 7 described in the second embodiment. However, in S305 and S309, the control unit 44 of the in-vehicle update device 24 determines whether the remaining battery level of the vehicle 14 is less than a predetermined threshold, which is different from the process of the second embodiment (FIG. 7). The processing in other steps in FIG. 10 is the same as the processing in the second embodiment (FIG. 7).

FIG. 11 is also a flowchart showing the operation of the in-vehicle update device 24 of the third embodiment, and is a flowchart showing a continuation of FIG. 10. S320 to S332 in FIG. 11 correspond to S220 to S232 in FIG. 8 described in the second embodiment. However, in S322, S326, and S329, the control unit 44 of the in-vehicle update device 24 differs from the process of the second embodiment (FIG. 8) in that it determines whether the remaining battery level of the vehicle 14 is less than a predetermined threshold. different. The processing in other steps in FIG. 11 is the same as the processing in the second embodiment (FIG. 8).

FIG. 12 is also a flowchart showing the operation of the in-vehicle update device 24 of the third embodiment, and is a flowchart showing a continuation of FIG. 11. S340 to S345 in FIG. 12 correspond to S240 to S245 in FIG. 9 described in the second embodiment. However, in S343, the control unit 44 of the in-vehicle update device 24 determines whether the remaining battery level of the vehicle 14 is less than a predetermined threshold, which is different from the process of the second embodiment (FIG. 9). The processing in other steps in FIG. 12 is the same as the processing in the second embodiment (FIG. 9).

As a modification of the third embodiment, the vehicle 14 may be an emergency vehicle (also called an emergency vehicle) equipped with warning means (for example, a siren, a warning light, etc.). When the vehicle 14 is in the emergency response state, the control unit 44 of the in-vehicle update device 24 acquires data indicating that the vehicle 14 is in the emergency response state from the ECU 22 that manages the state of the vehicle 14. The emergency response state may be a state in which the alarm means is activated. For example, the emergency response state may include a state in which a siren is activated and a state in which a warning light is turned on or flashed.

The control unit 44 may stop the process for updating the computer program of the ECU 22 to be updated when the vehicle 14 is in an emergency response state (for example, when the alarm means is in operation). According to this aspect, it is possible to prevent the program update of the ECU 22 from interfering with the emergency response of the emergency vehicle, and, for example, it is possible to preferentially execute emergency response communications.

As a further variation of the third embodiment, the vehicle 14 may be an emergency vehicle equipped with warning means and an electric vehicle. The control unit 44 of the in-vehicle update device 24 performs processing for updating the computer program of the ECU 22 to be updated when the remaining battery level of the vehicle 14 is less than a predetermined threshold or when the vehicle 14 is in an emergency response state. may be stopped.

The present disclosure has been described above based on the first to third embodiments. Those skilled in the art will understand that these examples are merely illustrative, and that various modifications can be made to the combinations of the constituent elements or treatment processes of the examples, and that such modifications are also within the scope of the present disclosure. By the way.

A modification will be explained. FIG. 13 is a block diagram showing the configuration of a modified in-vehicle update system 10. The vehicle 14 may further include a storage management ECU 50 and an in-vehicle common storage 52. The storage management ECU 50 is an ECU that provides storage management functions and interface functions. A vehicle common storage 52 and a removable storage device 26 are connected to the storage management ECU 50 . The in-vehicle common storage 52 is a storage shared by a plurality of in-vehicle devices (ECU 22, in-vehicle update device 24, etc.). The in-vehicle update device 24 is connected to the in-vehicle common storage 52 via a bus such as an in-vehicle network. The control unit 44 of the in-vehicle update device 24 accesses the in-vehicle common storage 52 and the removable storage device 26 via the storage management ECU 50.

In this modification, the control unit 44 of the in-vehicle update device 24 stores various data including the update program in the in-vehicle common storage 52. In the embodiment, the control unit 44 determines the manner of acquiring and transmitting the update program based on the free space of the local storage unit 46, but in this modification, the control unit 44 determines the mode of acquisition and transmission of the update program based on the free space of the in-vehicle common storage 52. Decide how to obtain and send updates based on The free space in the vehicle common storage 52 may be a free space in a storage area allocated to the vehicle update device 24 in the vehicle common storage 52 .

Note that when the in-vehicle common storage 52 is provided, the in-vehicle update device 24 may be able to use both the storage unit 46 within the device and the in-vehicle common storage 52 as storage areas. In this case, the control unit 44 of the in-vehicle update device 24 may determine the mode of acquisition and transmission of the update program based on both the free space in the storage unit 46 and the free space in the in-vehicle common storage 52. For example, the control unit 44 may use only the storage unit 46 as a storage area for the update program if the free space in the storage unit 46 is equal to or larger than the size of the update program. Further, if the free space of the storage section 46 is less than the size of the update program, but the free space of the in-vehicle common storage 52 is greater than or equal to the size of the update program, the control section 44 transfers the update program between the storage section 46 and the in-vehicle common storage. 52, or the update program may be stored only in the in-vehicle common storage 52. Furthermore, if the free space of the storage section 46 is less than the size of the update program, but the total of the free space of the storage section 46 and the free space of the in-vehicle common storage 52 is greater than or equal to the size of the update program, the control section 44 may The update program may be stored separately in the storage unit 46 and the in-vehicle common storage 52.

Another modification will be explained. FIG. 14 is a block diagram showing the configuration of a modified in-vehicle update system 10. The vehicle 14 may further include an on-vehicle common storage 52 and a display system ECU 54. The display system ECU 54 is an ECU that controls display content on the display device 28, and is an ECU that executes processing related to IVI, for example. A removable storage device 26 is connected to the display system ECU 54. The in-vehicle update device 24 is connected to an in-vehicle common storage 52 and a display system ECU 54 via a bus such as an in-vehicle network, and is also connected to a removable storage device 26 via the display system ECU 54.

Also in this modification, the control unit 44 of the in-vehicle update device 24 stores various data including the update program in the in-vehicle common storage 52. Also in this modification, the control unit 44 determines the manner of acquiring and transmitting the update program based on the free space of the in-vehicle common storage 52. Note that the in-vehicle common storage 52 may be configured to be directly connected to the in-vehicle update device 24.

Yet another modification will be described. Although not mentioned in the above embodiment, the control unit 44 of the in-vehicle update device 24 may select the non-update target ECU 22b as a temporary storage destination for the update program. For example, the control unit 44 may send at least a part of the update program provided from the program providing device 12 to the non-update target ECU 22b and have it stored, and may transmit each of the divided update programs to the non-update target ECU 22b and the removable update program. It may also be transmitted to and stored in the storage device 26. If the update program is split, check that the split update program has correct data using CRC (Cyclic Redundancy Check), etc., and if it is confirmed that the data is correct, the split update program Each of the update programs may be transmitted to the update target ECU 22a.

The plurality of functions included in the in-vehicle update device 24 in each of the above embodiments may be distributed and implemented in a plurality of devices. Then, by coordinating these plurality of devices as a system, processing similar to the processing of the in-vehicle update device 24 of each embodiment may be realized.

Any combination of the embodiments and variations described above are also useful as embodiments of the present disclosure. A new embodiment resulting from a combination has the effects of each of the combined embodiments and modifications. Furthermore, it will be understood by those skilled in the art that the functions to be fulfilled by the respective constituent elements described in the claims are realized by each constituent element shown in the embodiments and modified examples alone or by their cooperation.

The techniques described in the examples and modifications may be specified by the aspects described in each item below.
[Item 1]
An in-vehicle update device that acquires an update program transmitted from an external server outside the vehicle and performs processing for updating a program of an in-vehicle control device installed in the vehicle,
a storage unit in which the update program is stored;
a control unit that controls transmission of the update program to the in-vehicle control device to be updated;
Equipped with
The control unit acquires the update program from the external server, and saves the saved data stored in the storage unit to an in-vehicle control device that is not an update target other than the in-vehicle control device that is an update target. select the in-vehicle control device to be updated that satisfies the first condition,
If the amount of data that can be saved to the in-vehicle control device that is a non-update target that satisfies the first condition satisfies a second condition, the control unit may, as a first process, save at least a portion of the saved data to the non-update target. If the amount that can be saved to the target in-vehicle control device and the amount that can be saved to the non-updated in-vehicle control device that satisfies the first condition does not satisfy the second condition, a second process different from the first process is performed. execute the process,
In-vehicle update device.
According to this in-vehicle update device, when existing data is saved in order to secure a storage area for an update program, the save destination can be appropriately determined. In addition, if the amount of data that can be saved is not sufficient even if the in-vehicle control device that is not to be updated is included, a second process that is different from the first process that transmits at least a part of the saved data to the in-vehicle control device that is not to be updated is performed. By executing the process, it is possible to take appropriate measures even when the amount that can be saved is not sufficient even if the in-vehicle control device that is not to be updated is included.
[Item 2]
As the second process, the control unit stores a part of the update program in a removable storage device.
The in-vehicle update device described in item 1.
According to this in-vehicle update device, if the amount of backup that can be saved is insufficient even if the in-vehicle control device that is not subject to update is included, the removable storage device is used as a storage destination for the update program, thereby increasing the applicability of the update program. can be increased.
[Item 3]
The control unit stops the process for updating the program of the in-vehicle control device to be updated when the degree of danger in driving the vehicle is high.
The in-vehicle update device according to item 1 or 2.
According to this in-vehicle update device, when there is a high degree of danger while driving the vehicle, processing related to updating the program of the in-vehicle control device is stopped, thereby avoiding an increase in the load on the in-vehicle equipment and improving vehicle safety. be able to.
[Item 4]
The vehicle is an electric vehicle,
When the remaining battery level of the vehicle is less than a predetermined threshold, the control unit stops processing for updating the program of the in-vehicle control device to be updated.
The in-vehicle update device according to any one of items 1 to 3.
According to this in-vehicle update device, when the vehicle's battery level is low, processing related to program updates of the in-vehicle control device is stopped, thereby suppressing power consumption of in-vehicle equipment and improving vehicle safety. can. Furthermore, it becomes easier to maintain the vehicle in a state in which it can travel a certain distance.
[Item 5]
An in-vehicle update system that acquires an update program sent from an external server outside the vehicle and performs processing for updating a program in an in-vehicle control device installed in the vehicle,
a storage unit in which the update program is stored;
a control unit that controls transmission of the update program to the in-vehicle control device to be updated;
Equipped with
The control unit acquires the update program from the external server, and saves the saved data stored in the storage unit to an in-vehicle control device that is not an update target other than the in-vehicle control device that is an update target. select the in-vehicle control device to be updated that satisfies the first condition,
If the amount of data that can be saved to the in-vehicle control device that is a non-update target that satisfies the first condition satisfies a second condition, the control unit may, as a first process, save at least a portion of the saved data to the non-update target. If the amount that can be saved to the target in-vehicle control device and the amount that can be saved to the non-updated in-vehicle control device that satisfies the first condition does not satisfy the second condition, a second process different from the first process is performed. execute the process,
In-vehicle update system.
According to this in-vehicle update system, when existing data is saved in order to secure a storage area for update data, the save destination can be appropriately determined. In addition, if the amount of data that can be saved is not sufficient even if the in-vehicle control device that is not to be updated is included, a second process that is different from the first process that transmits at least a part of the saved data to the in-vehicle control device that is not to be updated is performed. By executing the process, it is possible to take appropriate measures even when the amount that can be saved is not sufficient even if the in-vehicle control device that is not to be updated is included.
[Item 6]
The vehicle acquires an update program transmitted from an external server outside the vehicle, performs processing for updating a program of an in-vehicle control device installed in the vehicle, and includes a storage unit in which the update program is stored. an on-board computer executes processing for controlling transmission of the update program to the in-vehicle control device to be updated;
The computer obtains the update program from the external server as the controlling process, and saves the saved data stored in the storage unit to a non-update target other than the update target in-vehicle control device. If the on-vehicle control device should be saved, select the in-vehicle control device that is not to be updated and satisfies the first condition;
As the controlling process, when the amount of data that can be saved to the in-vehicle control device that is a non-update target that satisfies the first condition satisfies a second condition, the computer controls, as the first process, at least one of the saved data. If the amount that can be saved to the non-updated in-vehicle control device that satisfies the first condition does not satisfy the second condition, the first processing and performs a different second process,
A control method for updating a program of an in-vehicle control device.
According to this control method, when existing data is saved in order to secure a storage area for updated data, the save destination can be appropriately determined. In addition, if the amount of data that can be saved is not sufficient even if the in-vehicle control device that is not to be updated is included, a second process that is different from the first process that transmits at least a part of the saved data to the in-vehicle control device that is not to be updated is performed. By executing the process, it is possible to take appropriate measures even when the amount that can be saved is not sufficient even if the in-vehicle control device that is not to be updated is included.

Reference Signs List 10 in-vehicle update system, 12 program providing device, 14 vehicle, 18 storage unit, 22 ECU, 22a update target ECU, 22b non-update target ECU, 24 in-vehicle update device, 26 removable storage device, 44 control unit, 46 storage unit.

Claims (6)

An in-vehicle update device that acquires an update program transmitted from an external server outside the vehicle and performs processing for updating a program of an in-vehicle control device installed in the vehicle,
a storage unit in which the update program is stored;
a control unit that controls transmission of the update program to the in-vehicle control device to be updated;
Equipped with
The control unit acquires the update program from the external server, and saves the saved data stored in the storage unit to an in-vehicle control device that is not an update target other than the in-vehicle control device that is an update target. select the in-vehicle control device to be updated that satisfies the first condition,
If the amount of data that can be saved to the in-vehicle control device that is a non-update target that satisfies the first condition satisfies a second condition, the control unit may, as a first process, save at least a portion of the saved data to the non-update target. If the amount that can be saved to the target in-vehicle control device and the amount that can be saved to the non-updated in-vehicle control device that satisfies the first condition does not satisfy the second condition, a second process different from the first process is performed. execute the process,
In-vehicle update device. As the second process, the control unit stores a part of the update program in a removable storage device.
The in-vehicle update device according to claim 1. The control unit stops the process for updating the program of the in-vehicle control device to be updated when the degree of danger in driving the vehicle is high.
The in-vehicle update device according to claim 1 or 2. The vehicle is an electric vehicle,
When the remaining battery level of the vehicle is less than a predetermined threshold, the control unit stops processing for updating the program of the in-vehicle control device to be updated.
The in-vehicle update device according to any one of claims 1 to 3. An in-vehicle update system that acquires an update program sent from an external server outside the vehicle and performs processing for updating a program in an in-vehicle control device installed in the vehicle,
a storage unit in which the update program is stored;
a control unit that controls transmission of the update program to the in-vehicle control device to be updated;
Equipped with
The control unit acquires the update program from the external server, and saves the saved data stored in the storage unit to an in-vehicle control device that is not an update target other than the in-vehicle control device that is an update target. select the in-vehicle control device to be updated that satisfies the first condition,
If the amount of data that can be saved to the in-vehicle control device that is a non-update target that satisfies the first condition satisfies a second condition, the control unit may, as a first process, save at least a portion of the saved data to the non-update target. If the amount that can be saved to the target in-vehicle control device and the amount that can be saved to the non-updated in-vehicle control device that satisfies the first condition does not satisfy the second condition, a second process different from the first process is performed. execute the process,
In-vehicle update system. The vehicle acquires an update program transmitted from an external server outside the vehicle, performs processing for updating a program of an in-vehicle control device installed in the vehicle, and includes a storage unit in which the update program is stored. an on-board computer executes processing for controlling transmission of the update program to the in-vehicle control device to be updated;
The computer obtains the update program from the external server as the controlling process, and saves the saved data stored in the storage unit to a non-update target other than the update target in-vehicle control device. If the on-vehicle control device should be saved, select the in-vehicle control device that is not to be updated and satisfies the first condition;
As the controlling process, when the amount of data that can be saved to the in-vehicle control device that is a non-update target that satisfies the first condition satisfies a second condition, the computer controls, as the first process, at least one of the saved data. If the amount that can be saved to the non-updated in-vehicle control device that satisfies the first condition does not satisfy the second condition, the first processing and performs a different second process,
A control method for updating a program of an in-vehicle control device.

Images