JP4599952B2 - Program rewriting system and vehicle computer system - Google Patents

Description

  The present invention relates to a technique for rewriting a program of a computer system mounted on a vehicle.

  Conventionally, in a vehicle, a program of a computer system (hereinafter referred to as a vehicle computer system) installed in the vehicle can be rewritten in an on-board state in which a memory storing the program is mounted on an electronic device. (See, for example, Patent Documents 1, 2, and 3).

As a form of the program rewriting system for performing the program rewriting in this on-board state, a program supply device that supplies a program to be rewritten to the vehicle computer system is connected to the vehicle computer system by a connector via a communication line There are a wired communication type (for example, see Patent Document 1) and a wireless communication type in which the program supply device and the vehicle computer system are connected by wireless communication (for example, see Patent Documents 2 and 3).
JP 2001-123874 A JP 2004-28000 A JP 2000-207219 A

  By the way, in the wired communication type program rewriting system, in a specific maintenance work place such as a factory or a dealer, an operator manually connects the vehicle computer system and the program supply device outside the vehicle with a connector, and the program rewriting is performed. It will be conducted under the supervision of the worker. For this reason, it is unlikely that a third party will act improperly on the vehicle during program rewriting, and there is no particular concern regarding the crime prevention of the vehicle.

  However, in the case of a wireless communication type program rewriting system, it is assumed that the program is rewritten outside a specific place such as a dealer or factory, and during the program rewriting, the worker must always be the vehicle user. It is not always in the passenger compartment or around the vehicle. For example, in a situation where no one is monitoring the vehicle, a computer program related to a crime prevention function such as a security function for detecting and alarming a vehicle door lock function or an illegal act on the vehicle in a vehicle computer system is provided. When the rewriting process is performed, the crime prevention function realized by the program becomes invalid, and the crime prevention property of the vehicle is lowered. For this reason, in a wireless communication type program rewriting system, it is desired to be able to perform program rewriting while ensuring the security of the vehicle.

  Therefore, an object of the present invention is to enable rewriting of a program while ensuring the security of a vehicle in a wireless communication type vehicle program rewriting system.

  The program rewriting system according to claim 1, which has been made to achieve the above object, wirelessly communicates with a vehicle computer system (a computer system mounted on a vehicle) and the vehicle computer system and rewrites the vehicle computer system. This is a wireless communication type program rewriting system comprising a program supply means outside the vehicle for transmitting a target program. The vehicle computer system is configured to rewrite the program in the memory (that is, the program to be executed) with the program transmitted from the program supply means.

In particular, this program rewriting system is a program determining means for determining whether or not the program to be rewritten is a computer program related to the crime prevention function of the vehicle before the vehicle computer system rewrites the program in the memory. If, rewriting performed to prohibit the vehicle's and determines monitoring presence determining means for determining whether the monitored to the user, the process of rewriting the program of the computer associated with the vehicle computer system security functions of the vehicle are performed And prohibiting means.
In this program rewriting system, when it is determined by the program determination means that the program to be rewritten is not a computer program related to the crime prevention function of the vehicle, the program in the memory is rewritten in the vehicle computer system. In addition, when the program determination unit determines that the program to be rewritten is a computer program related to the security function of the vehicle, the monitoring presence determination unit determines that the vehicle is not being monitored by the user. In such a case, the rewrite execution prohibiting means prohibits the vehicle computer system from executing the process of rewriting the computer program related to the vehicle crime prevention function.

  According to such a program rewriting system of claim 1, the process of rewriting the computer program related to the security function of the vehicle is performed when it is determined that the vehicle is being monitored by the user. . For this reason, in a situation where the user is not monitoring the vehicle, a process of rewriting a computer program related to the security function of the vehicle is performed, and the security function realized by the program is invalidated. It can be avoided. Therefore, according to the program rewriting system of claim 1, it is possible to rewrite the program while ensuring the security of the vehicle.

  The monitoring presence / absence determining means can be configured to determine that the vehicle is being monitored by the user when it is detected that the user is in the vehicle interior or the vicinity of the vehicle. Whether or not the user is in the vehicle interior or the vicinity of the vehicle is determined using, for example, an ecological recognition sensor using infrared rays or the like, a seat load sensor that detects a load applied to the seat, or the like. A user can be asked a question using a display, a sound generation device, or the like, and a determination can be made based on a response by the user's key operation to the question.

Next, the program rewriting system according to claim 2 is a wireless communication type program rewriting system as well as the program rewriting system according to claim 1.
In particular, the program rewriting system according to claim 2 is provided with monitoring reminding notification means, and the monitoring reminding notification means performs processing for rewriting a computer program related to the security function of the vehicle in the vehicle computer system. In such a case, a notification that prompts the user of the vehicle to monitor the vehicle is given.

  According to such a program rewriting system of claim 2, it is related to a crime prevention function of the vehicle in a situation where the user is not monitoring the vehicle by notifying the user to monitor the vehicle. It is possible to avoid the process of rewriting the computer program. Therefore, the program rewriting system according to claim 2 can also rewrite the program while ensuring the security of the vehicle.

Next, the program rewriting system according to claim 3 is also a wireless communication type program rewriting system, similar to the program rewriting system according to claim 1 or 2.
In particular, the program rewriting system of claim 3 is provided with a security function enabling means, and the security function enabling means performs a process of rewriting a computer program not related to the security function of the vehicle in the vehicle computer system. In such a case, the computer related to the security function of the vehicle is operated so that the security function becomes effective.

According to such a program rewriting system of claim 3, when a process of rewriting a computer program not related to the vehicle security function is performed, the computer related to the vehicle security function can be operated by the user. Regardless, the security function will be activated. Therefore, the program rewriting system according to claim 3 can also rewrite the program while ensuring the security of the vehicle.
In addition, the vehicle computer system of Claims 12-14 has the characteristic similar to Claims 1-3, and there exists an effect equivalent to Claims 1-3.

In addition, in the program rewriting system according to claims 1 to 3, as the crime prevention function of the vehicle, as described in claim 4, a door lock function of the vehicle and a security function that detects and warns the illegal act on the vehicle; Either or both of these are conceivable. If the computer related to the security function of the vehicle is a computer related to the door lock function of the vehicle, the security function enabling means of claim 3 may be configured to cause the computer to perform the door lock. If the computer related to the security function of the vehicle is a computer related to the security function of the vehicle, the security function enabling means according to claim 3 sets the computer in a security set state in which the security function is effective. What is necessary is just to comprise so that it may act | operate.
Further, the program rewriting system according to claim 5 is a wireless communication type program rewriting system as well as the program rewriting system according to claims 1 to 3. The program rewriting system according to claim 5 includes monitoring presence / absence determining means similar to that of the program rewriting system according to claim 1, and the monitoring presence / absence determining means determines that the vehicle is not being monitored by the user. The rewrite execution prohibiting means prohibits execution of processing for rewriting a computer program related to a vehicle security function in the vehicle computer system. Further, the crime prevention function of the vehicle is one or both of a door lock function of the vehicle and a security function that detects and alerts an illegal act on the vehicle. Therefore, the process of rewriting the computer program related to the vehicle crime prevention function (especially the door lock function and / or the security function) is performed when it is determined that the vehicle is being monitored by the user. Therefore, the program can be rewritten while securing the crime prevention property of the vehicle.

Next, in the program rewriting system according to claim 6 , in the program rewriting system according to claims 1 to 5 , the state setting means rewrites the vehicle state before the vehicle computer system rewrites the program. The vehicle computer system rewrites the program after the setting process by the state setting means is completed.

According to the program rewriting system of the sixth aspect , the state of the vehicle is automatically set to a state suitable for rewriting the program by the state setting means, and the program is rewritten after the setting is completed. As a result, the program can be rewritten with high reliability without depending on human work.
Further, the program rewriting system according to claim 7 is a wireless communication type program rewriting system as well as the program rewriting system according to claims 1 to 3. The program rewriting system of claim 7 includes monitoring presence / absence judging means and rewriting execution prohibiting means similar to those of the program rewriting system of claim 5, and status setting means similar to that of the program rewriting system of claim 6. The vehicle computer system rewrites the program after the setting process by the state setting unit is completed. For this reason, there exists an effect similar to the effect described about Claim 5 and Claim 6.

  By the way, the state setting means can be configured to prohibit the operation of the specific device as the setting process, and specifically, for example, configured to cut off the power supply to the specific device. can do. In addition, it is preferable that the specific device whose operation is prohibited is a device that consumes a relatively large amount of current.

  According to this configuration, it is possible to prevent the battery voltage from fluctuating due to the operation of a specific device during the program rewriting, and thus the power supply voltage supplied to the computer to be reprogrammed from fluctuating. The vehicle state can be set to a state suitable for rewriting the program.

  If the vehicle computer system includes a plurality of computers, the state setting means supplies power to the computer related to the program rewriting as the setting process, and at least one or more not related to the program rewriting. The power supply to the computer can be cut off.

  According to this configuration, it is possible to prevent a computer not related to the program rewriting and a device controlled by the computer from operating during the program rewriting. As a result, the battery voltage is reduced during the program rewriting. It is possible to prevent the power supply voltage supplied to the computer to be rewritten from fluctuating, and the vehicle state can be set to a state suitable for rewriting the program.

  Although it is most preferable to cut off the power supply to all computers that are not related to program rewriting, if not, devices that consume a large amount of current among computers not related to program rewriting are selected. It is effective if the power supply to the computer to be controlled is preferentially cut off.

  The state setting means can be configured to invalidate the operation of the power switch of the vehicle as the setting process. The vehicle power switch is a so-called ignition switch.

  According to this configuration, even if the power switch of the vehicle is operated during rewriting of the program, power is not supplied to the device that is normally energized by the operation, so the battery voltage fluctuates and the program is changed. The power supply voltage supplied to the computer to be rewritten can be prevented from fluctuating, and the vehicle state can be set to a state suitable for rewriting the program.

The state setting means can be configured to invalidate an operation for operating a specific device as the setting process.
According to this configuration, even if an operation for operating a specific device is performed during rewriting of the program, power is not supplied to a device that is normally energized by the operation, so the battery voltage fluctuates. Thus, it is possible to prevent the power supply voltage supplied to the computer to be reprogrammed from fluctuating, and the vehicle state can be set to a state suitable for rewriting the program. For example, the state setting means includes an operation for operating a starter motor for starting the engine, an operation for operating a door lock motor wirelessly, an operation for operating a power window, an operation for lighting a light, and an operation for operating a wiper. And at least one of the operations for operating the window washer motor can be configured to be invalidated. This is because any of the operations activates a device having a relatively large current consumption.

Next, in the program rewriting system according to claim 8 , in the program rewriting system according to claims 6 and 7 , the state setting means sets the state of the vehicle within a range in which the door lock function of the vehicle operates normally. Is configured to do.

According to such a program rewriting system of the eighth aspect, the program rewriting of the vehicle computer system can be performed without deteriorating the crime prevention property even when the vehicle user is absent. That is, if the state setting means is set so that the door lock function of the vehicle is not activated, the door lock of the vehicle cannot be performed and the security of the vehicle is lowered.

Further, in the program rewriting system according to claim 9 , in the program rewriting system according to claims 6 and 7 , the state setting means has a normal security function for detecting the vehicle state and detecting an illegal act on the vehicle. It is comprised so that it may set within the range which operates.

According to the program rewriting system of claim 9 as described above, the program rewriting of the vehicle computer system can be carried out without deteriorating crime prevention even in the situation where the vehicle user is absent. That is, if the state setting means is set so that the security function of the vehicle is not activated, the crime prevention property of the vehicle is lowered.

Next, in a program rewriting system according to a tenth aspect , in the program rewriting system according to the first to ninth aspects, a state determining unit is provided, and the state determining unit is provided before the vehicle computer system rewrites the program. In addition, it is determined whether or not the state of the vehicle is inappropriate for rewriting the program. In this program rewriting system, the vehicle computer system is configured to stop the rewriting of the program if the state determining means determines that the state of the vehicle is inappropriate for the rewriting of the program. Yes.

According to such a program rewriting system of claim 10 , whether or not the state of the vehicle is inappropriate for rewriting the program is automatically determined by the state determining means. Reliable program rewriting can be realized without reliance.
Further, the program rewriting system according to claim 11 is a wireless communication type program rewriting system as well as the program rewriting system according to claims 1 to 3. The program rewriting system of claim 11 includes monitoring presence / absence judging means and rewriting execution prohibiting means similar to those of the program rewriting system of claim 5, and state judging means similar to that of the program rewriting system of claim 10. The vehicle computer system is configured to stop the rewriting of the program if the state determining means determines that the state of the vehicle is inappropriate for the rewriting of the program. For this reason, there exists an effect similar to the effect described in Claim 5 and Claim 10.

  The state determination means includes, for example, a voltage of a battery (vehicle battery) mounted on the vehicle, a deterioration state of the battery, and a power supply voltage supplied to a computer to be rewritten or a unit on which the computer is mounted. And the outside temperature of the vehicle, the room temperature of the vehicle, the elapsed time since the vehicle engine stopped, the key operation position in the ignition key cylinder of the vehicle, the current position of the vehicle, and the location where the vehicle exists Based on at least one of the emergency information in the vehicle, it can be configured to determine whether or not the state of the vehicle is inappropriate for rewriting the program.

  In other words, if the voltage of the in-vehicle battery is not within the specified range, it can be determined that the state is inappropriate for rewriting the program. If the battery is deteriorated, the power supplied to the computer to be rewritten Since the voltage may not be stable, it can be determined that the state is inappropriate for rewriting the program. Even when the power supply voltage supplied to the computer to which the program is to be rewritten or the unit on which the computer is mounted is not within the specified range, it can be determined that the state is inappropriate for rewriting the program. If the outside air temperature of the vehicle is not within the specified range, the room temperature of the vehicle is not within the specified range, or if the elapsed time since the vehicle engine has stopped has not reached a certain time, the program is rewritten. Since there is a possibility that the ambient temperature of the target computer is not suitable for program rewriting, it can be determined that the program is not suitable for rewriting. In addition, if the key operation position in the ignition key cylinder of the vehicle is operated to a position different from the position that should be set when rewriting the program, power is supplied to extra equipment that is not related to rewriting the program. Since the battery voltage may fluctuate due to being supplied, it can be determined that the state is inappropriate for rewriting the program. For example, when a program is rewritten in a state where the key operation position is in the OFF (off) position, the key operation position is set to the ACC (accessory) position, the IG (ignition) position, or the ST (start) position. If operated, it can be determined that the program is inappropriate for rewriting. Also, if the current position of the vehicle is a place where a strong electric field is generated, such as directly under a TV tower, on a highway, on a congested road, or near an accident site, it is not suitable for rewriting the program. It can be determined that there is. In addition, it is inappropriate to rewrite the program if it is detected during or immediately after the occurrence of an earthquake or immediately after the occurrence of a large-scale disaster by emergency information at the location where the vehicle is located. It can be determined that it is in a state.

  Hereinafter, a program rewriting system according to an embodiment to which the present invention is applied will be described with reference to the drawings. In addition, the program rewriting system of this embodiment rewrites the program of a vehicle computer system in an on-board state.

First, FIG. 1 is a configuration diagram showing a program rewriting system of the embodiment.
As shown in FIG. 1, a program rewriting system of this embodiment includes a vehicle computer system 1 mounted on a vehicle, and an information center (hereinafter simply referred to as a center) 3 that transmits the program to be rewritten to the vehicle computer system 1. It consists of.

  The vehicle computer system 1 includes a communication terminal 7 for performing wireless communication with the center 3 via a communication network 5, a plurality of electronic control units (hereinafter referred to as ECUs) 11 to 26, ..., actuators controlled by these ECUs, It comprises various devices such as a display 31 and sensors and switches that allow the ECU to input various types of vehicle information.

  Here, as the ECU, an engine ECU 11 that controls the engine, a vehicle behavior ECU 12 that performs control for stabilizing the behavior of the vehicle, an airbag ECU 13 that controls the airbag, the traveling speed of the vehicle, and the inter-vehicle distance from the preceding vehicle. Cruise ECU 14 that performs control to keep constant, navigation ECU 15 that controls navigation functions, meter ECU 16 that controls the meter of the vehicle, each in-vehicle corresponding to each key position other than the OFF (off) position in the ignition key cylinder of the vehicle Key power management ECU 17 that performs control to supply power from the in-vehicle battery to the power line, light system management ECU 18 that controls headlights, turn lamps, and the like, and each power line other than the power line that controls power supply by the key power management ECU 17 In-vehicle battery A power management ECU 19 that controls the supply of electric power from the vehicle, an air conditioner ECU 20 that controls the air conditioner device, and locking / unlocking control (that is, control of the door lock function) of each opening / closing part such as a vehicle door or luggage room (trunk) Door system management ECU 21, security ECU 22 that controls a security function that detects and alerts a vehicle to unauthorized actions, display ECU 23 that controls display 31, and control that generates various guidance sounds from a sound generator (not shown). There are a voice guidance ECU 24, a browser ECU 25 that controls the browser function in cooperation with the communication terminal 7, the navigation ECU 15, the display ECU 23, and the like, and an audio ECU 26 that controls AV equipment (not shown).

  The engine ECU 11, the vehicle behavior ECU 12, the airbag ECU 13, the cruise ECU 14, the navigation ECU 15, the meter ECU 16, and the key power management ECU 17 are communicably connected via a first communication line 33.

  In addition, the navigation ECU 15, the meter ECU 16, the key power management ECU 17, the light system management ECU 18, the power management ECU 19, the air conditioner ECU 20, the door system management ECU 21, and the security ECU 22 can communicate via the second communication line 35. It is connected to the.

  The navigation ECU 15, the display ECU 23, the voice guidance ECU 24, the browser ECU 25, and the audio ECU 26 are communicably connected via a third communication line 37.

Furthermore, the ECUs connected to different communication lines can communicate with each other using the navigation ECU 15 as a gateway.
Although not shown in the figure because it is general, each of the ECUs 11 to 26,... Is provided with at least one or a plurality of microcomputers (microcomputers) and a memory. And in each ECU11-26, ..., the operation | movement of the ECU is implement | achieved when a microcomputer runs the program stored in memory.

  On the other hand, the communication unit 41 for performing wireless communication with the vehicle computer system 1 via the communication network 5 is transmitted to the center 3, and a program to be rewritten is transmitted to the communication unit 41. And a control unit 42 for acquiring data transmitted by the system 1.

  The communication network 5 is an information communication network that links the vehicle computer system 1, the center 3, and a vehicle user (hereinafter referred to as a user), such as a telephone network or the Internet.

Next, main parts of the ECU will be described with reference to FIGS.
First, as shown in FIG. 2, the door system management ECU 21 includes a driver seat courtesy switch (SW) 43 that detects the open / closed state of the driver's seat door, a passenger seat courtesy switch 44 that detects the open / closed state of the passenger seat door, Right rear seat courtesy switch 45 for detecting the open / closed state of the right rear seat door, left rear seat courtesy switch 46 for detecting the open / closed state of the left rear seat door, and opening / closing of the luggage room opening / closing section (hereinafter referred to as luggage door) A luggage courtesy switch 47 for detecting a state, a communication device 48 for wireless communication with a portable device as an electronic key carried by the user, and an operation for locking and unlocking the driver's seat door A seat door lock motor 50, a passenger door lock motor 51 that locks and unlocks the passenger seat door, and a right rear seat door lock that unlocks and unlocks the right rear seat door. And Kumota 52, a left rear seat door lock motor 53 to lock and unlock the left rear seat door, are connected to the luggage lock motor 54 to lock and unlock the luggage door.

  Each of the lock motors 50 to 54 is provided with a lock position switch for detecting a locked / unlocked state (locked state or unlocked state) to be locked and unlocked. Are input to the door system management ECU 21.

  Then, the door system management ECU 21 detects the open / closed state of each door including the luggage door of the vehicle based on the signals from the courtesy switches 43 to 47, and uses the signals from the lock position switches to open and close each door. Detect the lock state.

  The door system management ECU 21 receives the wireless operation signal transmitted from the portable device by the communication device 48 when the user operates the lock button or the unlock button provided on the portable device.

  Further, the door system management ECU 21 drives the lock motors 50 to 54 in the normal direction or the reverse direction in accordance with the received wireless operation signal or a command sent from another ECU via the communication line 35. Lock or unlock each door of the vehicle.

  In addition, the door system management ECU 21 includes, for example, a mechanical key inserted into a key cylinder provided on the driver's seat door and a twisting operation, or a locking / unlocking knob provided on the vehicle interior side of the driver's seat door. When the driver's seat door is manually locked or unlocked by being operated, this is detected by a signal from the lock position switch provided in the driver's seat door lock motor 50, and the lock motor 51 of the other door is detected. By driving ˜54, doors other than the driver's seat door are brought into the same locked / unlocked state as the driver's seat door.

  Next, as shown in FIG. 3, the security ECU 22 includes an intrusion sensor 60 that detects that a person has entered the vehicle interior using infrared rays, ultrasonic waves, or the like as a security sensor for detecting fraudulent acts on the vehicle. An inclination sensor 61 for detecting the inclination of the vehicle and a vibration sensor 62 for detecting the vibration of the vehicle are connected. Further, the security ECU 22 includes an acoustic alarm device 64 composed of a horn and a buzzer for warning the vehicle of illegal acts outside the vehicle, and a security indicator 65 for displaying and alarming the illegal acts on the vehicle. And are connected.

  For example, when the security ECU 22 is notified by the door system management ECU 21 that all the doors have been locked in accordance with the wireless operation described above, the security ECU 22 enters the security set state. When it is detected, the tilt sensor 61 detects that the vehicle is tilted by a predetermined angle or more, or the vibration sensor 62 detects that a vibration of a predetermined level or more is generated in the vehicle, the acoustic alarm device 64 is driven. While generating an alarm sound, the security indicator 65 displays a display content such as a message indicating that an illegal act has occurred. In addition, the security ECU 22 requests the navigation ECU 15 to notify the communication terminal 7 to the center 3 wirelessly that an illegal act has been performed on the vehicle. Then, the center 3 notifies a communication device such as a mobile phone or a personal computer owned by the user that an illegal act has been performed on the vehicle by e-mail or telephone voice.

  Next, as shown in FIG. 4, the air conditioner ECU 20 is connected to an outside air temperature sensor 67 that detects an outside air temperature that is a temperature outside the vehicle, and an inside air temperature sensor 68 that detects an inside air temperature that is the temperature inside the vehicle interior. Yes.

  The air conditioner ECU 20 detects the outside air temperature and the inside air temperature based on signals from the sensors 67 and 68, and controls an air conditioner device including a heat exchange compressor (not shown) and a blower blower motor based on the detection result. To do.

  Next, as shown in FIG. 5, the key power management ECU 17 includes a key inserted into the ignition key cylinder of the vehicle in an OFF (off) position, an ACC (accessory) position, an IG (ignition) position, and an ST (start) position. A key position switch 70 for detecting which key position is operated, and each power line in the vehicle corresponding to each key position other than the OFF position, that is, the power line 71 of the ACC system, the IG1 system Switching device (for example, an electromagnetic relay or a semiconductor relay) 76 that switches connection / disconnection between each of the power supply line 72, the power supply line 73 of the IG2 system, and the power supply line 74 of the starter system and the plus terminal of the in-vehicle battery 75. , 77, 78, 79 are connected.

  The key power management ECU 17 detects a key operation position (hereinafter simply referred to as a key operation position) in the ignition key cylinder based on a signal from the key position switch 70, and the detection result and the communication line 33 from another ECU. , 35 in accordance with a command sent through each of the switching devices 76-79, the power supply lines 71-74 are connected to or disconnected from the positive terminal of the battery 75. .

  Each power line 71 to 74 is supplied with electric power from the battery 75 when connected to the positive terminal of the battery 75. The power line 72 of the IG1 system and the power line 73 of the IG2 system are both power lines that are supplied with power from the battery 75 when the key is operated to the IG position. In the case of the power line 72, when the key is further operated to the ST position (that is, when the starter motor operates), the connection with the battery 75 is cut off. On the other hand, since the connection with the battery 75 is continued even if the key is operated to the ST position, it is a separate system. On the other hand, in FIG. 5, the reference numerals 80 to 83 are fuses provided for the respective power supply lines 71 to 74, and the reference numerals 84 are attached to the respective power supply lines 71 to 74. It is a common fuse.

  Next, as shown in FIG. 6, the power management ECU 19 includes a current sensor 86 that detects a current flowing through the battery 75, a temperature sensor 87 that detects the temperature of the battery 75, and a key power management ECU 17 that controls power supply. Switching devices (for example, electromagnetic relays and semiconductor relays) SR1 to SRn for switching connection / disconnection between each of the power supply lines L1 to Ln other than the power supply lines 71 to 74 and the plus terminal of the battery 75 are connected.

  Then, the power management ECU 19 detects the value of the voltage (battery voltage) of the battery 75 input through the fuse 88, and the current flowing through the battery 75 and the temperature of the battery 75 by signals from the sensors 86 and 87. Furthermore, the deterioration state of the battery 75 is determined by applying these detection results to a predetermined calculation formula or data map. Note that the deterioration state of the battery 75 may be determined based on the electrolyte concentration in the battery 75.

  Further, the power management ECU 19 performs each of the switching operations according to the key operation position information sent from the key power management ECU 17 via the communication line 35 and the commands sent from other ECUs via the communication line 35. By turning on / off the devices SR1 to SRn, the power supply lines L1 to Ln are connected to the positive terminal of the battery 75 or disconnected from the positive terminal.

  Similarly to the power supply lines 71 to 74 described above, when each power supply line L1 to Ln is connected to the plus terminal of the battery 75, power is supplied from the battery 75. Further, in FIG. 6, the reference numeral 89 is a fuse common to the power supply lines L1 to Ln.

  Next, in the program rewriting system of this embodiment, when rewriting the program of the microcomputer mounted in any ECU constituting the vehicle computer system, the contents of the rewriting control operation performed by the apparatus having the program rewriting control function Will be described with reference to FIGS.

  In addition, as a device having a program rewriting management function, a function that can be linked with a microcomputer of each ECU via communication lines 33 to 37, a function that determines a vehicle state necessary for program rewriting in cooperation with each ECU, Provided with a function for setting a vehicle state necessary for program rewriting and notifying instructions in cooperation with each ECU and a function for instructing an HMI (Human Machine Interface) for a series of program rewriting flows In the present embodiment, since it is easy to collect information, the navigation ECU 15 (specifically, a microcomputer incorporated therein) is a device having a program rewriting control function.

First, FIG. 7 is a flowchart showing the entire flow of the rewrite control operation performed by the navigation ECU 15.
As shown in FIG. 7, the navigation ECU 15 performs program rewrite start determination processing (S110), download processing for downloading a program from the center 3 (S120), and transition processing to program rewrite mode (S130) as rewrite control operations. ), A vehicle state confirmation process for confirming whether the vehicle state is suitable for rewriting the program (S140), and a vehicle state setting process for setting the vehicle state to a state suitable for rewriting the program (S150). ), A security ensuring process for ensuring crime prevention during program rewriting (S155), and a program rewriting process (S160) for causing a microcomputer to be rewritten (hereinafter also referred to as a target microcomputer) to rewrite the program. And writing the program The program rewriting completion confirmation process (S170) for confirming whether or not the program rewriting has been normally completed, and the program rewriting completion notification process (S180) for notifying the user and the center 3 that the program rewriting has been normally completed. carry out. The order of the program rewrite start determination process (S110) and the program download process (S120) may be interchanged.

Next, FIG. 8 is a flowchart showing the contents of the program rewrite start determination process.
As shown in FIG. 8, the navigation ECU 15 first communicates with the center 3 via the communication terminal 7 in S210, so that the center 3 (specifically, the control unit 42) updates the program to be rewritten (that is, updated). To determine whether there is a new version of the program. For example, when there is a program rewrite request notification from the center 3, it is determined in S210 that there is a rewrite target program. When it is detected that the user has operated the operation button of the navigation device or the like to input whether or not the program needs to be updated, the center 3 is inquired as to whether or not there is a program to be rewritten, and the reply is made. Based on this, it may be determined whether there is a program to be rewritten. Further, the center 3 may be periodically inquired about whether or not there is a program to be rewritten regardless of a user operation.

  If it is determined that there is no program to be rewritten in the center 3 (S210: NO), the processing is terminated as it is, but if it is determined that there is a program to be rewritten (S210: YES), the process proceeds to the next S220. Then, the center 3 is inquired about the contents of the program to be rewritten (for example, which ECU is executed by which microcomputer of which ECU and its version information).

  Next, in S230, whether or not it is necessary to download the program based on the information obtained from the center 3 in response to the inquiry in S220 (in other words, whether or not it is really necessary to rewrite the program). ).

  If it is not necessary to download the program (S230: NO), the process is terminated as it is, but if it is necessary to download the program (S230: YES), the process proceeds to S235, where the program is rewritten for the security-related ECU. Judge whether or not.

  In the present embodiment, the security-related ECUs are the door system management ECU 21 and the security ECU 22, which are mounted on the door system management ECU 21 and mounted on the security ECU 22. The microcomputer controls the door lock function. The microcomputer that controls the security function corresponds to a computer related to the security function of the vehicle. In S235, if the program to be rewritten in the center 3 (that is, the program downloaded from the center 3) is a program executed by a microcomputer installed in any of the ECUs 21 and 22, the security-related ECU Judge that it is a program rewrite.

  Here, if it is determined in S235 that the program is not rewritten for the security-related ECU (S235: NO), the process proceeds to S240, and the program download mode is entered. Then, the navigation ECU 15 starts the download process shown in FIG.

  If it is determined in S235 that the program is to be rewritten for the security-related ECU (S235: YES), the process proceeds to S245 to notify the user to monitor the vehicle. This is because the door lock function or the security function, which is a crime prevention function, does not normally operate by performing the program rewriting for the microcomputers of the crime prevention related ECUs 21 and 22.

  In S245 and in each process described later, the notification to the user is instructed to the display ECU 23 to display a message or icon of notification contents on the display 31 or to the voice guidance ECU 24 to notify from the sounding device. Generate a voice of the contents, or instruct the center 3 to send an e-mail, telephone voice or the like from the center 3 to a pre-registered communication device such as a mobile phone or a personal computer owned by the user. Is implemented. Further, for example, in S245, a message such as “Please stay in the vehicle or near the vehicle until the program rewriting is completed” is issued to the user.

  Then, in subsequent S250, the user is notified of a warning that the crime prevention performance is reduced by executing the program rewriting. For example, if the target microcomputer is a microcomputer of the security ECU 22, a message that the security function will no longer operate is issued, and if the target microcomputer is a microcomputer of the door system management ECU 21, the door lock is now started. A message is displayed that the door lock may be released without the function working properly.

Next, in S260, it is determined whether or not the user is accompanying the vehicle (that is, whether or not the user is in the vehicle interior or the vicinity of the vehicle).
For example, in this S260, a command is given to the display ECU 23 and the voice guidance ECU 24 to ask the user whether or not he / she is present by the display on the display 31 and the sound from the sounding device, and the user's answer to the question It is determined whether or not the user is accompanying the vehicle by a response by a key operation or the like. Further, whether or not the user is accompanying the vehicle may be determined using, for example, a seat load sensor that detects a load applied to the seat of the driver's seat or another seat.

  If it is determined in S260 that the user is accompanying the vehicle, it is determined that the vehicle is being monitored by the user, the process proceeds to S240, and the program download mode is entered. Then, the navigation ECU 15 starts the download process shown in FIG.

If it is determined in S260 that the user is not accompanied by the vehicle, it is determined that the vehicle is not monitored by the user, and the process proceeds to S265.
In step S265, the user is notified that the program is not to be rewritten. Thereafter, in step S270, the program rewriting is stopped and the process is terminated.

Next, as shown in FIG. 9, when the navigation ECU 15 starts the download process, first, in S310, the user is notified that the program will be downloaded.
In step S320, the function of the device related to the download is restricted.

  That is, in order to ensure the wireless communication capability and the computer processing load related to program download, for example, the audio ECU 26 or the display ECU 23 is instructed to prohibit the operation of the AV system in general (that is, the AV system When an operation is performed, the function corresponding to the operation is not performed). In addition to such function restrictions, the user is notified of the contents of restrictions related to the operation of the AV equipment.

  During the download, a warning message such as “cannot be used” may be displayed on the display 31 when the restriction content notified to the user in S320 is operated. Also, the user may be notified of the scheduled download completion time during the execution of S320 or the download.

  In step S330, in order to ensure the continuation of the operation of the computer related to the program download, an instruction is given to the key power management ECU 17 and the power management ECU 19 to download the program regardless of the user's power key operation. The power supply to the devices (for example, the navigation ECU 15 and the communication terminal 7, the display ECU 23 and the display 31 for notifying the user) is continued.

Next, in S340, the program to be rewritten is downloaded from the center 3.
Then, in the next S350, it is determined whether or not the download has been completed normally by performing an inspection such as a parity check on the downloaded data. If the download has been completed normally (S350: YES) In the next S360, the user is notified that the download has been completed, and a download completion notification is transmitted to another ECU in order to release the function restriction implemented in S320. That is, when the other ECU receives the download completion notification, the other ECU cancels the prohibition of the function performed based on the command issued by the navigation ECU 15 in S320.

  Thereafter, the process proceeds to S370, and the process shifts to the program rewrite mode. Then, the navigation ECU 15 starts the transition process to the program rewrite mode shown in FIG.

  If it is determined in S350 that the download has not been completed normally (S350: NO), the process proceeds to S380, the counter N is incremented (+1), and the value of the counter N is incremented in S390. It is determined whether or not the specified value N1 has been reached. The initial value of the counter N is 0.

  If the value of the counter N has not reached the specified value N1 (S390: NO), the process returns to S340 and the program is downloaded again. If it is determined in S390 that the value of the counter N has reached the specified value N1 (S390: YES), the process is terminated as it is. Even when the process ends in this way, a download completion notification is transmitted to another ECU in order to release the function restriction performed in S320.

  On the other hand, when the navigation ECU 15 shifts to the program download mode, in parallel with the processing of FIG. 9, the navigation ECU 15 gives commands to the key power management ECU 17 and the power management ECU 19, so that the door system management ECU 21 and the security ECU 22, and the ECU 21, The electric power supply to the electric load related to 22 is continued, and a command is given to the door system management ECU 21 and the security ECU 22 to hold the control state of each lock motor 50 to 54 by the door system management ECU 21. The security ECU 22 keeps the security set / unset state.

  For this reason, during the download of the program, the locked / unlocked state of the door and the security set / unset state previously set by the user are secured, and contrary to the user's will during the download of the program. The door is locked and the security set state is released, and the security is not reduced.

Note that the program download in S340 may be started after confirming that there is no more than a certain load on the computer or wireless communication capability involved in the download.
In addition, for example, between S320 and S330, it is determined whether or not the user has permitted the start of download by a button operation or voice input by the user. You may make it cancel a download while canceling | releasing a restriction | limiting.

  The ECU that downloads the program and the ECU that stores the downloaded program may be different from the navigation ECU 15 (that is, a device having a program rewriting control function).

  Next, as shown in FIG. 10, when the navigation ECU 15 starts the transition process to the program rewrite mode, first, in S410, the functions and operations in the vehicle when the program rewrite is started are restricted to the user. In addition, the contents of the restriction, the time required to complete the program rewriting, and the scheduled end time are notified. The contents of the restriction notified to the user in S420 are the functions and operations that are restricted by the processes of S620 and S630 in FIG.

  Then, in subsequent S420, it is determined whether or not a cancel instruction from the user is within a predetermined time. If there is no cancel instruction (S420: NO), the process proceeds to S430, and the process proceeds to a vehicle state confirmation process. Then, the navigation ECU 15 starts the vehicle state confirmation process shown in FIG.

  If there is a cancel instruction from the user (S420: YES), the process proceeds to S440, the program rewriting is stopped, and the process is ended as it is. For this reason, the cancel operation by the user is accepted until the process of transferring the downloaded program to the ECU on which the target microcomputer is mounted is started.

  Note that the cancel operation for the user to issue a cancel instruction may be an operation on the in-vehicle device such as an operation button or a touch operation on the display screen, or voice input, or the user may own a mobile phone or personal When a contact device such as a computer is used to make a web operation or contact the center 3 by e-mail or telephone, a cancel instruction is notified to the vehicle computer system via the center 3. On the other hand, the determination in S420 may be deleted, and the process may directly proceed to the vehicle state confirmation process.

  Next, as shown in FIG. 11, when the navigation ECU 15 starts the vehicle state confirmation process, first, in S510, an ECU having a function of measuring the elapsed time since the engine stopped (in this embodiment, the engine The measured elapsed time is acquired from the ECU 11) by in-vehicle wired communication, and it is determined whether or not the elapsed time is equal to or longer than a predetermined time T1.

  If the elapsed time from the engine stop is equal to or longer than the predetermined time T1 (S510: YES), the process proceeds to S515 as it is, but if the elapsed time from the engine stop is not equal to or longer than the predetermined time T1 (S510: NO) After waiting until the time reaches a certain time T1, the process proceeds to S515.

  The fixed time T1 is set to a cooling time that is considered necessary for a microcomputer (target microcomputer) that is scheduled to be rewritten by the program downloaded from the center 3 at this time. Further, when waiting until the elapsed time from the engine stop reaches a certain time T1, the remaining time or waiting may be notified to the user.

  Next, in S515, a command is given to the key power management ECU 17 so that power from the battery 75 is supplied to the air conditioner ECU 20, at least the outside air temperature sensor 67, and the inside air temperature sensor 68 regardless of the user's power key operation. To do. Then, a command is given to the air conditioner ECU 20 by in-vehicle wired communication to measure the outside air temperature and the inside air temperature, and the measurement result is acquired from the air conditioner ECU 20. Further, in S515, it is determined whether or not the outside air temperature is within a specified range from the minimum specified value M1min to the maximum specified value M1max. If the outside temperature is within the specified range (S515: YES), the process proceeds to the next S520. Then, it is determined whether or not the inside air temperature is within a specified range from the minimum specified value M2min to the maximum specified value M2max. If it is determined that the inside air temperature is within the specified range (S520: YES), the process proceeds to S525. Note that the outside air temperature and the inside air temperature may be measured, for example, at the timing immediately after the start of the process of FIG.

  In S525, information on the current battery voltage and the deterioration state of the battery 75 is acquired from the power management ECU 19 by in-vehicle wired communication with the power management ECU 19. Further, in S525, it is determined whether or not the battery voltage is equal to or higher than a specified value V1 that is considered to have no trouble in executing the program rewriting. If it is equal to or higher than the specified value V1 (S525: YES), In step S530, it is determined whether or not the battery 75 is deteriorated (that is, whether or not the deterioration state of the battery 75 is sufficient to prevent the program rewriting). If it is determined that the battery 75 has not deteriorated (S530: YES), the process proceeds to S535.

  In S535, a command is given to the key power management ECU 17 or the power management ECU 19 so that power from the battery 75 is supplied to an ECU (hereinafter also referred to as a target ECU) on which the target microcomputer is mounted. Then, a command is given to the target ECU, the power supply voltage actually supplied to the target ECU is measured, and the measurement result is transmitted. Further, in S535, it is determined whether or not the power supply voltage actually supplied to the target ECU is equal to or higher than a specified value V2 that is considered to have no problem in executing the program rewriting. If so (S535: YES), the process proceeds to S540. Instead of the power supply voltage supplied to the target ECU, information on the power supply voltage supplied to the target microcomputer is acquired from the target ECU, and it is determined whether or not the power supply voltage is within a specified value range. You may do it.

  In S540, the current position of the vehicle is detected by receiving a GPS signal from a GPS satellite, and the detected current position is referenced with reference to map information or road information provided wirelessly from the center 3 or another information center. Determines whether or not there is no problem in performing the program rewrite. And, for example, if the current position of the vehicle is a place where a strong electric field is generated, such as directly under a TV tower, or on a highway, on a traffic jam road, or near an accident site, there will be no problem with rewriting the program. The determination is made (S540: YES), and the process proceeds to S545.

  In S545, it communicates with the center 3 or another information center to determine whether or not there is emergency information at the place where the vehicle exists, and if there is emergency information, based on the information, It is determined whether a disaster warning or the like (for example, a warning that an earthquake has occurred or has just occurred, or that a large-scale disaster has occurred) has been issued. If there is no disaster warning or the like (S545: YES), it is determined that there is no problem in executing the program rewriting, and the process proceeds to S550.

  In S550, as in S420 of FIG. 10, it is determined whether or not the cancel instruction from the user is within a certain time. If there is no cancel instruction (S550: NO), the vehicle state condition is OK in the next S560. (That is, the condition necessary for executing the program rewrite is satisfied), and the user is notified of this. Then, the process proceeds to S565, and the process proceeds to a vehicle state setting process. Then, the navigation ECU 15 starts the vehicle state setting process shown in FIG.

  On the other hand, if “NO” is determined in any one of S515 and S520, that is, it is determined that the outside air temperature is not within the specified range (S515: NO), or the inside temperature is not within the specified range. If it is determined (S520: NO), the process proceeds to S570, waits for a predetermined time T2, and the counter N is incremented in the subsequent S575. Then, in the next S580, it is determined whether or not the value of the counter N has reached the specified value N2. If the value of the counter N has not reached the specified value N2 (S580: NO), the process returns to S515, If the value of the counter N reaches the specified value N2 (S580: YES), the process proceeds to S585. The initial value of the counter N is 0.

  That is, when the temperature condition determined in S515 and S520 is not satisfied, it is determined again whether or not the temperature condition is satisfied after a certain time T2 elapses. When the number of times reaches N2, the temperature condition is no longer expected to be satisfied, and it is determined that the state of the vehicle is inappropriate for rewriting the program, and the process proceeds to S585.

  In addition, when it is determined as “NO” in any of the above S525 to S545, that is, whether it is determined that the battery voltage is not equal to or higher than the specified value V1 (S525: NO), or whether it is determined that the battery 75 is deteriorated ( S530: NO), whether to determine that the power supply voltage supplied to the target ECU is not equal to or higher than the specified value V2 (S535: NO), or whether it is determined that the current position of the vehicle is a place that hinders rewriting of the program (S540: NO), even when it is determined that a disaster warning or the like has been issued (an emergency has occurred) (S545: NO), the vehicle state is determined to be inappropriate for rewriting the program. Then, the process proceeds to S585.

  In S585, the user is notified that the vehicle state condition necessary for executing the program rewriting is not satisfied, and the program rewriting is stopped in the subsequent S590. Then, the process is finished as it is.

  If it is determined in S550 that there is a cancel instruction from the user (S550: YES), the process proceeds to S590, the program rewriting is stopped, and the process is terminated.

  In S585, the user may be notified of the contents of the condition that has not been satisfied. Further, the failure of the vehicle state condition may be notified by a horn, a buzzer, a hazard blink, a light on / flash, or the like. Also, before proceeding from S550 to S560, the confirmation process for all conditions (S510 to 545) may be performed again just in case.

  Next, as shown in FIG. 12, when the navigation ECU 15 starts the vehicle state setting process, first, in S605, an instruction is given to the key power management ECU 17 and the power management ECU 19 to supply power to all ECUs in the vehicle computer system. Further, a diagnostic code that is currently stored in each ECU is transmitted to all ECUs other than the navigation ECU 15. Then, the diagnostic code from each ECU and the diagnostic code currently stored in the ECU 15 are stored in the memory as the diagnostic code immediately before program rewriting.

Then, in the next S610, the following notification is given to all other ECUs as a preparation notification before starting the program rewriting.
That is, starting rewriting of the program to all other ECUs, target identification information indicating which ECU of which ECU the target microcomputer is, and operation being prohibited by the processing of S620 and S630 described later And the prohibited content information indicating the ECU and the electric load.

  Thereafter, all the microcomputers of the ECU including the navigation ECU 15 are the items related to the operation of the target microcomputer among the items (failure detection items) whose abnormality is being monitored, the functions represented by the prohibited content information, the ECU Even if there is an abnormality in the item related to the electric load, it is not judged as an abnormality. That is, the preparation notification in S610 is a command for preventing an item that does not operate normally by rewriting the program from being determined as abnormal.

  Next, the navigation ECU 15 gives a command to the key power management ECU 17 and the power management ECU 19 in S615 to notify the device related to the rewriting of the program (specifically, the navigation ECU 15 and the target ECU and the user). The power supply to the ECU and its related equipment) is continued.

  Then, in the next S620, a command is given to the key power management ECU 17 and the power management ECU 19 to cut off the power supply to at least one device not related to the rewriting of the program (in other words, having no effect). Let

  For example, if the target microcomputer is the microcomputer of the engine ECU 11, the supply of power is cut off to ECUs other than the ECU that continues to supply power in S615, such as the vehicle behavior ECU 12 and the airbag ECU 13. Further, power supply to an electric fan for engine cooling, an ABS actuator, or the like, which consumes a large amount of current during operation and easily causes fluctuations in battery voltage during operation, is cut off.

  However, in S620, power is continuously supplied to the door system management ECU 21 and the security ECU 22, and the door lock function by the door system management ECU 21 and the security function by the security ECU 22 are being rewritten. It is designed to operate normally. For this reason, if the target ECU is neither the door system management ECU 21 nor the security ECU 22, the door unlocking / unlocking state and security set previously set by the user even during the execution of the program renewal started thereafter. / Unset state is maintained, and during program rewriting, the door locking and security set state are released against the user's will and the crime prevention property is not lowered.

  Next, navigation ECU15 gives the instruction | command which inhibits the operation | movement of the apparatus which consumption current becomes large temporarily or regularly by operating to SCU which controls the apparatus in S630. By this command, for example, an operation of operating a starter motor for starting the engine or an operation of operating the lock motors 50 to 54 of each door to the unlock side wirelessly (that is, operation of the unlock button of the portable device). In addition, the operation for operating the power window, the operation for turning on the light and the indoor lighting, the operation for operating the wiper, and the operation for operating the window washer motor are invalid. Further, in S630, by giving a command to the key power management ECU 17, the key operation (corresponding to the operation of the power switch of the vehicle) in the ignition key cylinder is invalidated. That is, even if a key in the ignition key cylinder is operated and the key operation position is changed, power is not supplied to a device that is normally energized by the operation.

  Next, in S640, it is determined whether or not the state setting in S615 to S630 has been completed. Here, if there is an acknowledgment response indicating that the operation is performed in accordance with the instruction from all the ECUs that have provided the instruction in S615 to S630, it is determined that the state setting is completed.

  If it is determined that the state setting has been completed (S640: YES), the process proceeds to S650 to restrict the user to the completion of the state setting and the processing of S620 and S630 as in S410 of FIG. The function to be performed and the content of the operation (especially what operation is invalidated) are notified. Then, it progresses to S660 and transfers to the security ensuring process. Then, navigation ECU15 will start the security ensuring process shown in FIG.

  If it is determined in S640 that the state setting has not been completed (S640: NO), the process proceeds to S670 to notify the user that the state setting has not been successful (setting failure), Thereafter, the program rewriting is stopped in S680, and the processing is ended as it is.

  After notifying the user in S650, the same determination as in S420 of FIG. 10 or S550 of FIG. 11 is performed, and if there is a cancel instruction from the user, the program rewriting may be stopped. good.

  Next, as shown in FIG. 13, when the navigation ECU 15 starts the security ensuring process, first, in S710, it communicates with the door system management ECU 21 and the security ECU 22, and the security function by the ECUs 21, 22 is set to the effective side. It is determined whether or not it is set (that is, whether or not all doors of the vehicle are in the door lock state and in the security set state), and both in the door lock state and the security set state If not (S710: NO), the process proceeds to S715 to the user to operate the door lock and security set (in this embodiment, the door lock is performed by wireless operation, and more specifically, the door is operated by operating the lock button of the portable device). Lock)).

  Then, in the next S720, it communicates with the door system management ECU 21 and the security ECU 22 to determine whether the user has operated the door lock and the security set (that is, whether the door is locked and the security set state is entered). If the operation is not performed (S720: NO), the process proceeds to S725 to determine whether or not the door is in a closed state where all the doors of the vehicle are closed.

  If it is determined in S725 that the door is closed (S725: YES), the process proceeds to S730, and it is determined whether or not the program rewriting to be performed this time is a program rewriting for a security-related ECU. In S730, if the program downloaded from the center 3 in S340 of FIG. 9 is a program executed by a microcomputer installed in any of the ECUs 21 and 22, it is determined that the program is rewritten for the security-related ECU. To do.

  If it is determined in S730 that the program is not rewritten for the security-related ECU (S730: NO), the process proceeds to S735 to give a command to the door system management ECU 21 and the security ECU 22, and the two ECUs 21. , 22 are operated so that the crime prevention function is effective. That is, the door system management ECU 21 locks all the doors, and the security ECU 22 is shifted to the security set state.

Then, the process proceeds to S740, and the program rewrite process is performed. Then, the navigation ECU 15 starts the program rewriting process shown in FIG.
Further, when it is determined in S730 that the program is rewritten for the security-related ECU (S730: YES), the process proceeds to S750, and the user is accompanied by the vehicle again as in S260 of FIG. (That is, whether or not the user is in the vehicle interior or the vicinity of the vehicle).

  If it is determined that the user is accompanied by the vehicle (S750: YES), the process proceeds to S755, and the user is notified to monitor the vehicle in the same manner as S245 in FIG. , The process proceeds to S740 to shift to the program rewriting process.

  On the other hand, if it is determined in S725 that the door is not closed (any door is open) (S725: NO), or if it is determined in S750 that the user is not accompanied by the vehicle ( In S750: NO), since the crime prevention property cannot be ensured, the program shifts to S760 and the program rewriting is stopped. Then, in the next S765, the user is notified that the program rewriting has been stopped, and then the process is terminated.

  If it is determined in S710 that the door is locked and the security set is set (S710: YES), or if it is determined in S720 that the user has operated the door lock and security set (S720: YES). ), The process proceeds to S740 as it is (that is, with the door locked state and the security set state maintained), and proceeds to the program rewriting process.

  Next, as shown in FIG. 14, when the navigation ECU 15 starts the program rewriting process, first, in S801, an instruction is given to the target ECU and stored in the memory to be rewritten (that is, the memory of the target microcomputer). Among the stored data, specific type data such as a learning value, a customized setting value, and a vehicle mileage value that should be continuously retained after rewriting the program is saved in another storage medium. The other storage medium (that is, the save destination of the specific type data) is not limited to the other memory provided in the target ECU, and is provided in another ECU connected to the target ECU via a communication line. Or a memory existing in the center 3 may be used.

  In step S803, the target ECU is instructed to start a program rewrite process, and the rewrite target program downloaded from the center 3 is transferred to the target ECU. Then, in the target ECU, the microcomputer sequentially receives the program to be rewritten, and rewrites the program in the memory with the received program.

  When it is detected by the notification from the target ECU that the program rewriting process has been completed in the target ECU, the process proceeds to S805, and the program rewriting completion confirmation process is performed. Then, the navigation ECU 15 starts the confirmation process of program rewriting completion shown in FIG.

  Then, as shown in FIG. 15, when the navigation ECU 15 starts the confirmation process of program rewriting completion, first, in S810, the version information of the rewritten program is acquired from the target ECU, and the version information is downloaded from the center 3. Check if it matches the version information of the selected program.

  Next, in S820, the specific type data saved in S801 in FIG. 14 is re-stored in the memory in which the program is rewritten (that is, the memory of the target microcomputer) in the target ECU.

  Then, in the next S830, a notification for canceling the processing of the command issued in S610 to S630 in FIG. By this cancellation notification, the vehicle state before the process of FIG. 12 is performed is returned.

  Next, in S840, a diagnosis code currently stored in each ECU is obtained from each other ECU by the same procedure as in S605 of FIG. In the subsequent S850, the obtained diagnostic code of each ECU (that is, the diagnostic code after program rewriting) and the diagnostic code of each ECU stored in S605 of FIG. If the two match, the process proceeds to S870 as it is. If the two do not match, the contents that did not match are stored in S860. After that, the process proceeds to S870. Note that the processes in S840 and S850 are for confirming whether or not the command (preparation notice) issued to each ECU in S610 in FIG.

  In S870, it is determined whether or not the program rewriting has been normally completed. Specifically, a command is given to the target ECU, the rewritten program is transmitted, it is determined whether or not the program and the program downloaded from the center 3 match, and both programs match. If the match of the version information is confirmed in S810, it is determined that the program rewriting has been normally completed, the process proceeds to S880, and the program rewriting completion notification process is performed. Then, the navigation ECU 15 starts the program rewriting completion notification process shown in FIG.

  If it is determined in S870 that the program rewriting has not been completed normally (S870: NO), the process proceeds to S890, and the user has not completed the program rewriting normally (unsuccessful program rewriting). ) And then the process ends.

  If it is determined in S870 that the program rewriting has not been completed normally, the process may be performed again from the process of FIG. 11 up to a predetermined number of times. Further, when it is determined that the program rewriting has been normally completed, the battery voltage is checked. If it is determined that the battery 75 is weak, the starter motor is driven to start the engine, and the battery 75 due to idling. May be charged and the user may be notified of this.

  Next, as shown in FIG. 16, when the navigation ECU 15 starts a program rewriting completion notification process, first, in S910, the user is notified that the program rewriting has been normally completed. At this time, it may be notified that the restriction content notified in S650 of FIG. 12 is released. Further, the normal completion of the program rewriting may be notified by means that the user can check near the vehicle, such as a horn, a buzzer, a hazard blinking, or a light on / flashing.

  Then, in the next S920, when the user gets on the next time, a command is sent to the relevant ECU so that the rewriting of the program is normally completed is displayed on the display 31 or outputted by sound from the sounding device. Give it.

  Finally, in S930, the microcomputer to which the program has been rewritten this time and the number of program rewrites for the microcomputer are stored, and the stored contents are also notified to the center 3, and then the processing is performed. Exit.

In the present embodiment, the center 3 corresponds to the program supply means, the processes of S260 in FIG. 8 and S750 in FIG. 13 correspond to the monitoring presence / absence determination means, and S270 in FIG. 8 and S760 in FIG. Each process corresponds to rewrite execution prohibition means. Each process of S245 of FIG. 8 and S755 of FIG. 13 corresponds to the monitoring reminder notification means, and the process of S735 of FIG. 13 corresponds to the crime prevention function enabling means. Further, the processing of S615 to S630 in FIG. 12 corresponds to the state setting unit, and the processing of S510 to S545 and S570 to S580 in FIG. 11 corresponds to the state determination unit. Each process of S235 in FIG. 8 and S730 in FIG. 13 corresponds to a program determination unit.

  In the program rewriting system of the present embodiment as described above, when the program rewriting to the security-related ECUs 21 and 22 is to be performed, the vehicle is monitored by the user through the processes of S260 in FIG. 8 and S750 in FIG. Is determined (whether or not the user is accompanied by the vehicle), and when it is determined that the vehicle is not monitored by the user (S260: NO or S750: NO), the program rewriting is stopped. (S 270 or S 760), the program rewriting process is prohibited from being executed by the security-related ECUs 21 and 22.

  For this reason, in the situation where the user is not monitoring the vehicle, the security-related ECUs 21 and 22 perform processing to rewrite the program, and the security functions (door lock function and security function) realized by the program are invalidated. It can avoid that crime prevention falls. Therefore, according to the program rewriting system of the present embodiment, the program can be rewritten while securing the crime prevention property of the vehicle.

  Furthermore, in the program rewriting system of the present embodiment, when the program rewriting to the security-related ECUs 21 and 22 is to be performed, the vehicle is sent to the user by the processes of S245 of FIG. 8 and S755 of FIG. Notifications are urged to monitor. For this reason, when the process which rewrites a program is implemented by ECU21, 22 related to crime prevention, and the crime prevention function implement | achieved by the program becomes invalid, it can prevent that a user leaves | separates from a vehicle.

  Further, in the program rewriting system of the present embodiment, when program rewriting for ECUs other than the security-related ECUs 21 and 22 is performed, the process of S735 in FIG. And the ECU 22 is shifted to the security set state. For this reason, it is possible to ensure the crime prevention property during the execution of the program rewriting related to the ECUs other than the crime prevention ECUs 21 and 22.

  Further, according to the program rewriting system of the present embodiment, the vehicle computer system 1 rewrites the program of the vehicle state by the processing of S615 to S630 in FIG. 12 before rewriting the program. Is automatically set to a state suitable for the program, and the program is rewritten after the setting is completed. With this setting, even if an operation unrelated to program rewriting is performed during program rewriting, power is not supplied to devices that would otherwise be energized by that operation. Therefore, it is possible to prevent the power supply voltage supplied to the target ECU or the target microcomputer from fluctuating. For this reason, it is possible to realize highly reliable program rewriting without relying on the work of fuse removal and confirmation by a person, and in turn, avoiding malfunction of the computer and ECU replacement due to program rewriting failure. And increase in cost and waste can be prevented.

  In particular, the program rewriting system of this embodiment is a wireless communication type rewriting system in which the vehicle computer system 1 communicates wirelessly with the center 3 to which the program is supplied. The computer system 1 is required to be able to rewrite the program with high reliability, but the request can be satisfied.

  In the program rewriting system of the present embodiment, as described above, the door lock function by the door system management ECU 21 and the security function by the security ECU 22 are normally operated even during the program rewriting. Therefore, even if the user is absent, crime prevention performance does not deteriorate.

  Further, in the program rewriting system of the present embodiment, the functions restricted by the processes of S620 and S630 in FIG. 12 and the contents of operations are notified to the user by the processes of S410 in FIG. 10 and S650 in FIG. Therefore, it is possible to prevent the user from misunderstanding that a malfunction has occurred.

  Furthermore, in the program rewriting system of the present embodiment, it is automatically determined whether or not the state of the vehicle is inappropriate for performing the rewriting of the program by the processing of S510 to S545 and S570 to S580 of FIG. If the program is judged to be inappropriate and the program is judged to be in an inappropriate state, the program rewrite is stopped, so that more reliable program rewrite can be realized more reliably without relying on human confirmation. Can do. In the confirmation process of FIG. 11, for example, it is also determined whether or not the key operation position has changed, and when it is determined that the key operation position has changed, the process may proceed to S585.

  As mentioned above, although one Embodiment of this invention was described, this invention is not limited to such Embodiment at all, Of course, in the range which does not deviate from the summary of this invention, it can implement in a various aspect. .

  For example, in the program rewriting system of the above embodiment, the navigation ECU 15 among the ECUs mounted on the vehicle is a device having a program rewriting control function, but the center 3 functions as a device having a program rewriting control function. You may comprise as follows. That is, since the center 3 can also communicate with each ECU of the vehicle via the communication terminal 7 and the navigation ECU 15 and the communication lines 33 to 37, information is collected from each ECU and the above-described various determinations are performed. The various commands described above may be issued.

  Further, for example, even when there is no security function and only the door system management ECU 21 is the security-related ECU, the same configuration as in the above embodiment can be made. Conversely, it is not common for the security-related ECU to have only the security ECU 22 without the door lock function by the actuator (lock motor), but even in such a configuration, the configuration is the same as in the above embodiment. It ’s fine.

  On the other hand, the program and the determination reference value for realizing the above-described rewrite control operation of FIG. 7 may be provided in the vehicle computer system 1 in advance, or downloaded to the vehicle computer system 1 from the outside of the vehicle (center 3). You may make it.

  In the program rewriting system of the above embodiment, when the program is being rewritten on the vehicle side, when the security ECU 22 detects an illegal act on the vehicle and performs a warning operation by the acoustic alarm device 64 or the like. Any ECU (for example, an ECU having a program rewriting control function or a target ECU) determines whether or not the program rewriting process can be continued based on the battery voltage and the like, and determines that the situation cannot be continued. In such a case, the program rewrite process is temporarily interrupted, and if it can be determined that the program rewrite process can be performed within a certain period of time, the program rewrite process is continued. Otherwise, cancel the program rewrite as it is It may be configured to.

It is a block diagram showing the program rewriting system of embodiment. It is explanatory drawing explaining door system management ECU. It is explanatory drawing explaining security ECU. It is explanatory drawing explaining air-conditioner ECU. It is explanatory drawing explaining key power supply management ECU. It is explanatory drawing explaining power supply management ECU. It is a flowchart showing the whole flow of the rewriting control operation implemented by navigation ECU (device which has a program rewriting supervision function). It is a flowchart showing the content of the start determination process of program rewriting. It is a flowchart showing the content of the download process of a program. It is a flowchart showing the content of the transfer process to program rewrite mode. It is a flowchart showing the content of the confirmation process of a vehicle state. It is a flowchart showing the content of the setting process of a vehicle state. It is a flowchart showing the content of the security ensuring process. It is a flowchart showing the content of the program rewriting process. It is a flowchart showing the content of the confirmation process of program rewriting completion. It is a flowchart showing the content of the notification process of a program rewriting completion.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Vehicle computer system, 3 ... Center, 5 ... Communication network, 7 ... Communication terminal, 11 ... Engine ECU, 12 ... Vehicle behavior ECU, 13 ... Airbag ECU, 14 ... Cruise ECU, 15 ... Navigation ECU, 16 ... Meter ECU, 17 ... key power management ECU, 18 ... light system management ECU, 19 ... power management ECU, 20 ... air conditioner ECU, 21 ... door system management ECU, 22 ... security ECU, 23 ... display ECU, 24 ... voice guidance ECU, 25 ... Browser ECU, 26 ... Audio ECU, 31 ... Display, 33-37 ... Communication line, 41 ... Communication part, 42 ... Control part, 43 ... Driver seat courtesy switch, 44 ... Passenger seat courtesy switch, 45 ... Right rear seat Courtesy switch, 46 ... Left rear seat courtesy switch, 47 ... Luggage carte Switch, 48 ... Communicator, 50 ... Driver door lock motor, 51 ... Passenger door lock motor, 52 ... Right rear seat door lock motor, 53 ... Left rear seat door lock motor, 54 ... Luggage lock motor, 60 ... Intrusion Sensor: 61 ... Tilt sensor, 62 ... Vibration sensor, 64 ... Acoustic alarm device, 65 ... Security indicator, 67 ... Outside air temperature sensor, 68 ... Inside air temperature sensor, 70 ... Key position switch, 71-74, L1-Ln ... Power source Line, 75 ... Battery, 76-79, SR1-SRn ... Switching device, 86 ... Current sensor, 87 ... Temperature sensor

Claims (14)

A computer system mounted on a vehicle (hereinafter referred to as a vehicle computer system), and wireless program communication with the vehicle computer system, and a program supply means outside the vehicle for transmitting a program to be rewritten to the vehicle computer system, In the program rewriting system configured to rewrite the program in the memory with the program transmitted from the program supply means, the vehicle computer system,
Program determining means for determining whether the program to be rewritten is a computer program related to a security function of the vehicle before the vehicle computer system rewrites the program in the memory;
Monitoring presence / absence determining means for determining whether or not the vehicle is monitored by a user;
And a rewriting conducted inhibiting means for inhibiting that the process of rewriting the program of the computer associated with prior Symbol vehicle computer system security functions of the vehicle is performed,
If it is determined by the program determination means that the program to be rewritten is not a computer program related to the security function of the vehicle, the program in the memory is rewritten in the vehicle computer system,
The program determination means determines that the rewrite target program is a computer program related to the crime prevention function of the vehicle, and the vehicle is not monitored by the monitoring presence determination means. If it is determined, the rewriting execution prohibiting means prohibits the vehicle computer system from executing a process of rewriting a computer program related to the security function of the vehicle. system. A computer system mounted on a vehicle (hereinafter referred to as a vehicle computer system), and wireless program communication with the vehicle computer system, and a program supply means outside the vehicle for transmitting a program to be rewritten to the vehicle computer system, In the program rewriting system configured to rewrite the program in the memory with the program transmitted from the program supply means, the vehicle computer system,
A monitoring reminder notification for notifying a user of the vehicle to monitor the vehicle when a process of rewriting a computer program related to the security function of the vehicle is performed in the vehicle computer system Having means,
Program rewriting system characterized by A computer system mounted on a vehicle (hereinafter referred to as a vehicle computer system), and wireless program communication with the vehicle computer system, and a program supply means outside the vehicle for transmitting a program to be rewritten to the vehicle computer system, In the program rewriting system configured to rewrite the program in the memory with the program transmitted from the program supply means, the vehicle computer system,
When a process of rewriting a computer program not related to the security function of the vehicle is performed in the vehicle computer system, a security system for operating the computer related to the security function of the vehicle so that the security function becomes effective Having function enabling means,
Program rewriting system characterized by In the program rewriting system according to any one of claims 1 to 3,
The crime prevention function is both or one of a door lock function of the vehicle and a security function for detecting and warning an illegal act on the vehicle,
Program rewriting system characterized by A computer system mounted on a vehicle (hereinafter referred to as a vehicle computer system), and wireless program communication with the vehicle computer system, and a program supply means outside the vehicle for transmitting a program to be rewritten to the vehicle computer system, In the program rewriting system configured to rewrite the program in the memory with the program transmitted from the program supply means, the vehicle computer system,
Monitoring presence / absence determining means for determining whether or not the vehicle is monitored by a user;
When it is determined by the monitoring presence / absence determining means that the vehicle is not being monitored by the user, a process of rewriting a computer program related to the security function of the vehicle is performed in the vehicle computer system. Rewriting implementation prohibition means to prohibit,
The crime prevention function is both or one of a door lock function of the vehicle and a security function for detecting and warning an illegal act on the vehicle,
Program rewriting system characterized by The program rewriting system according to any one of claims 1 to 5,
Before the vehicle computer system performs rewriting of the program, it comprises state setting means for performing setting processing for setting the state of the vehicle to a state suitable for rewriting of the program,
The vehicle computer system is configured to rewrite a program after completion of the setting process by the state setting means;
Program rewriting system characterized by A computer system mounted on a vehicle (hereinafter referred to as a vehicle computer system), and wireless program communication with the vehicle computer system, and a program supply means outside the vehicle for transmitting a program to be rewritten to the vehicle computer system, In the program rewriting system configured to rewrite the program in the memory with the program transmitted from the program supply means, the vehicle computer system,
Monitoring presence / absence determining means for determining whether or not the vehicle is monitored by a user;
When it is determined by the monitoring presence / absence determining means that the vehicle is not being monitored by the user, a process of rewriting a computer program related to the security function of the vehicle is performed in the vehicle computer system. Rewrite prohibition means to prohibit,
State setting means for performing a setting process for setting the state of the vehicle to a state suitable for rewriting the program before the vehicle computer system performs rewriting of the program,
The vehicle computer system is configured to rewrite a program after completion of the setting process by the state setting means;
Program rewriting system characterized by In the program rewriting system according to claim 6 or 7,
The state setting means sets the state of the vehicle within a range in which a door lock function of the vehicle normally operates;
Program rewriting system characterized by In the program rewriting system according to claim 6 or 7,
  The state setting means sets the state of the vehicle within a range in which a security function for detecting and alarming an illegal act on the vehicle normally operates;
  Program rewriting system characterized by The program rewriting system according to any one of claims 1 to 9,
Before the vehicle computer system performs rewriting of the program, comprising a state determination means for determining whether or not the state of the vehicle is inappropriate for rewriting of the program,
The vehicle computer system is configured to stop rewriting of the program if the state determining means determines that the state of the vehicle is inappropriate for rewriting the program;
Program rewriting system characterized by A computer system mounted on a vehicle (hereinafter referred to as a vehicle computer system), and wireless program communication with the vehicle computer system, and a program supply means outside the vehicle for transmitting a program to be rewritten to the vehicle computer system, In the program rewriting system configured to rewrite the program in the memory with the program transmitted from the program supply means, the vehicle computer system,
Monitoring presence / absence determining means for determining whether or not the vehicle is monitored by a user;
When it is determined by the monitoring presence / absence determining means that the vehicle is not being monitored by the user, a process of rewriting a computer program related to the security function of the vehicle is performed in the vehicle computer system. Rewrite prohibition means to prohibit,
A state determination unit that determines whether or not the state of the vehicle is inappropriate for rewriting the program before the vehicle computer system performs rewriting of the program,
The vehicle computer system is configured to stop rewriting of the program if the state determining means determines that the state of the vehicle is inappropriate for rewriting the program;
Program rewriting system characterized by A computer system (hereinafter referred to as a vehicle computer system) mounted on a vehicle that wirelessly communicates with a program supply unit outside the vehicle, receives a program to be rewritten from the program supply unit, and stores the program to be rewritten in a memory. Because
  Program determining means for determining whether or not the program to be rewritten is a computer program related to the security function of the vehicle before the vehicle computer system rewrites the program in the memory;
  Monitoring presence / absence determining means for determining whether or not the vehicle is monitored by a user;
  Rewriting execution prohibiting means for prohibiting execution of processing for rewriting a computer program related to the security function of the vehicle in the vehicle computer system,
  If it is determined by the program determination means that the program to be rewritten is not a computer program related to the security function of the vehicle, a rewriting process of the program in the memory is performed,
  The program determination means determines that the rewrite target program is a computer program related to the crime prevention function of the vehicle, and the vehicle is not monitored by the monitoring presence determination means. The vehicle computer system prohibits execution of a process of rewriting a computer program related to the security function of the vehicle by the rewrite execution prohibiting means. system. A computer system (hereinafter referred to as a vehicle computer system) mounted on a vehicle that wirelessly communicates with a program supply unit outside the vehicle, receives a program to be rewritten from the program supply unit, and stores the program to be rewritten in a memory. Because
  A monitoring reminder notice for notifying a user of the vehicle to monitor the vehicle when a process of rewriting a computer program related to the security function of the vehicle is performed in the vehicle computer system Having means,
  A vehicle computer system characterized by the above. A computer system (hereinafter referred to as a vehicle computer system) mounted on a vehicle that wirelessly communicates with a program supply unit outside the vehicle, receives a program to be rewritten from the program supply unit, and stores the program to be rewritten in a memory. Because
  When a process of rewriting a computer program not related to the security function of the vehicle is performed in the vehicle computer system, the security system that operates the computer related to the security function of the vehicle so that the security function is effective Having function enabling means,
  A vehicle computer system characterized by the above.

Images