WO2024070483A1 - Control system - Google Patents

Control system Download PDF

Info

Publication number
WO2024070483A1
WO2024070483A1 PCT/JP2023/031869 JP2023031869W WO2024070483A1 WO 2024070483 A1 WO2024070483 A1 WO 2024070483A1 JP 2023031869 W JP2023031869 W JP 2023031869W WO 2024070483 A1 WO2024070483 A1 WO 2024070483A1
Authority
WO
WIPO (PCT)
Prior art keywords
update
software
execution
divided
electronic control
Prior art date
Application number
PCT/JP2023/031869
Other languages
French (fr)
Japanese (ja)
Inventor
僚一朗 矢船
肇 小堀
Original Assignee
株式会社アドヴィックス
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社アドヴィックス filed Critical 株式会社アドヴィックス
Publication of WO2024070483A1 publication Critical patent/WO2024070483A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates

Definitions

  • the present invention relates to a control system installed in a vehicle.
  • Patent Document 1 discloses a system that has the function of updating software in a storage device provided in an in-vehicle electronic control device.
  • a Tester when updating software, a Tester is connected to an in-vehicle network to which multiple electronic control devices are connected.
  • the Tester pre-stores update software for the electronic control device to be updated. Therefore, when the Tester is connected to the in-vehicle network, the Tester transmits the update software to the electronic control device to be updated via the in-vehicle network.
  • the software in the storage device in the electronic control device is rewritten with the update software.
  • the system includes an information processing device that acquires the update software transmitted to the vehicle from the data center.
  • the information processing device transmits the update software to the electronic control device to be updated via an in-vehicle network.
  • the information processing device transmits encrypted update software to the electronic control device to increase the confidentiality of the information. Therefore, the execution device of the electronic control device decrypts the received update software and writes the decrypted update software to the storage device.
  • the object of the present invention is to prevent the time required for software update from increasing when the information processing device transmits encrypted update software to the electronic control device via an in-vehicle network to update the software in the storage device of the electronic control device.
  • a control system for solving the above problem includes an information processing device that acquires update software transmitted to the vehicle from outside the vehicle by wireless communication, and a global network that communicatively connects a plurality of electronic control devices to the information processing device, and is configured to be able to update software in a storage device provided in a first electronic control device among the plurality of electronic control devices.
  • the control system includes a first execution device and a second execution device.
  • the first execution device decrypts the first divided update software, which is one of the pieces of update software divided and transmitted by the information processing device to the global network.
  • the second execution device decrypts the second divided update software, which is one of the pieces of update software divided and transmitted by the information processing device to the global network.
  • the first update divided software decrypted by the first execution device and the second update divided software decrypted by the second execution device are each written to the storage device of the first electronic control device.
  • the information processing device divides the update software acquired by the information processing device into multiple pieces, and transmits the divided update software, which is the update split software, to the first electronic control device via a global network.
  • the execution device decrypts the first update split software.
  • the execution device then writes the decrypted first update split software to the storage device.
  • the information processing device cannot transmit the second update split software.
  • the information processing device goes into a standby state. The longer the information processing device goes into a standby state in this way, the longer it takes to update the software in the storage device of the first electronic control device.
  • the first execution device decrypts the first update divided software. While the first execution device is decrypting the first update divided software in this manner, the second execution device waits for the second update divided software from the information processing device. Therefore, while the first execution device is decrypting the first update divided software, the second execution device can decrypt the second update divided software transmitted from the information processing device. As a result, the time that the information processing device is in the above-mentioned standby state can be shortened.
  • the control system described above can prevent the time required for software update from becoming long.
  • FIG. 1 is a schematic configuration diagram showing a vehicle equipped with a control system according to a first embodiment and a data center provided outside the vehicle.
  • FIG. 2 (A) is a diagram showing the first half of the processing flow executed by the information processing device of the control system of the first embodiment, (B) is a diagram showing the first half of the processing flow executed by the first electronic control device of the control system, and (C) is a diagram showing the first half of the processing flow executed by the second electronic control device of the control system.
  • FIG. 3 (A) is a diagram showing the latter half of the processing flow executed by the information processing device, (B) is a diagram showing the latter half of the processing flow executed by the first electronic control device, and (C) is a diagram showing the latter half of the processing flow executed by the second electronic control device.
  • FIG. 4 (A) to (D) are timing charts showing how software in a storage device included in a first brake ECU corresponding to the first electronic control device is updated.
  • FIG. 5 is a schematic diagram showing the configuration of a control system according to the third embodiment.
  • FIG. 7 is a diagram showing the processing flow executed by the information processing device of the control system of the third embodiment
  • (B) is a diagram showing the processing flow executed by the first execution device of the first electronic control device of the control system
  • (C) is a diagram showing the processing flow executed by the second execution device of the first electronic control device.
  • FIG. 8 is a schematic diagram showing the configuration of a control system according to the fourth embodiment.
  • FIG. 9 (A) is a diagram showing a part of the processing flow executed by an information processing device of the control system of the fourth embodiment, (B) is a diagram showing a part of the processing flow executed by a first electronic control device of the control system, and (C) is a diagram showing a part of the processing flow executed by a second electronic control device of the control system.
  • ECU electronice control unit
  • ECU Electronice Control Unit
  • FIG. 1 illustrates a vehicle 10 and a data center 100 provided outside the vehicle 10 .
  • the data center 100 is configured to be able to transmit and receive various types of information to and from the vehicle 10 via the external vehicle network 200. That is, the data center 100 transmits and receives various types of information to and from the vehicle 10 by wireless communication.
  • the vehicle 10 is equipped with multiple ECUs, which will be described in more detail later.
  • update software is prepared to update the software in the storage device of one of the multiple ECUs
  • the data center 100 transmits the update software to the vehicle 10 via the external vehicle network 200.
  • the ECU to be updated the ECU whose software is to be updated.
  • the vehicle 10 includes a control system 15 and an actuator.
  • the actuators of the vehicle 10 include a first actuator 11 and a second actuator 12.
  • the first actuator 11 and the second actuator 12 operate to adjust the braking force generated in the vehicle 10.
  • the control system 15 includes a communication device 20 and an information processing device 30.
  • the communication device 20 is an interface on the vehicle side for transmitting and receiving information to and from the data center 100.
  • the information processing device 30 is configured to be able to communicate with the communication device 20 via the local network 41.
  • the local network 41 is a network for transmitting and receiving information only between the information processing device 30 and the communication device 20.
  • the information processing device 30 acquires the update software transmitted from the data center 100 to the vehicle 10 by wireless communication.
  • the information processing device 30 includes an execution device 31, a storage device 32, and a storage device 33.
  • the execution device 31 is a CPU
  • the storage device 32 is a non-volatile memory
  • the storage device 33 is a volatile memory.
  • the storage device 32 stores the software executed by the execution device 31.
  • the storage device 33 temporarily stores the information transmitted from the communication device 20 via the local network 41. That is, when the data center 100 transmits information identifying the ECU to be updated and the update software to the vehicle 10, the communication device 20 receives the information transmitted by the data center 100. The communication device 20 then transmits the received information to the information processing device 30 via the local network 41. Then, the execution device 31 of the information processing device 30 stores the information received via the local network 41, i.e., the information identifying the ECU to be updated and the update software, in the storage device 33.
  • the control system 15 includes a global network 42 and multiple ECUs.
  • the global network 42 is an in-vehicle network that connects the information processing device 30 and the multiple ECUs so that they can communicate with each other.
  • the global network 42 is a CAN bus.
  • CAN is an abbreviation for "Controller Area Network.”
  • the multiple ECUs include a first braking ECU 60 and a second braking ECU 70.
  • the first braking ECU 60 and the second braking ECU 70 are ECUs that adjust the braking force generated in the vehicle 10.
  • the first braking ECU 60 operates the first actuator 11.
  • the second braking ECU 70 operates the second actuator 12.
  • the multiple ECUs also include ECUs 50 other than the braking ECU 60.
  • the control system 15 is equipped with a local network 43 for transmitting and receiving information only between the first brake ECU 60 and the second brake ECU 70.
  • the local network 43 is configured so that its communication speed is higher than the communication speed of the global network 42. Therefore, when transmitting and receiving information between the first brake ECU 60 and the second brake ECU 70, the control system 15 can use either the global network 42 or the local network 43.
  • Each of the ECUs includes an execution device, a storage device, and a storage unit.
  • the execution device is a CPU
  • the storage device is a non-volatile memory
  • the storage device is a volatile memory.
  • the storage device stores software executed by the execution device.
  • the storage device temporarily stores the results of calculations by the execution device, etc.
  • the execution device 61 of the first brake ECU 60 controls the first actuator 11 by executing software in the memory device 62.
  • the execution device 61 temporarily stores the results of calculations performed to control the first actuator 11 in the storage device 63.
  • the execution device 71 of the second brake ECU 70 controls the second actuator 12 by executing software in the memory device 72.
  • the execution device 71 temporarily stores the results of calculations performed to control the second actuator 12 in the storage device 73.
  • ⁇ Software update process> a method of updating software in a storage device provided in a brake ECU will be described.
  • the ECU to be updated is the first brake ECU 60
  • the first brake ECU 60 corresponds to the "first electronic control device”
  • the second brake ECU 70 corresponds to the "second electronic control device.”
  • the execution device 61 of the first brake ECU 60 corresponds to the "first execution device”
  • the execution device 71 of the second brake ECU 70 corresponds to the "second execution device.”
  • Figures 2(A) and 3(A) show the processing routine executed by the execution device 31 of the information processing device 30.
  • Figures 2(B) and 3(B) show the processing routine executed by the execution device 61 of the first brake ECU 60.
  • Figures 2(C) and 3(C) show the processing routine executed by the execution device 71 of the second brake ECU 70.
  • the processing routine shown in Figures 2(B) and 3(B) is the processing routine executed by the first electronic control device
  • the processing routine shown in Figures 2(C) and 3(C) is the processing routine executed by the second electronic control device.
  • the execution unit 31 of the information processing device 30 acquires the update software for the first brake ECU 60, it starts executing the processing routine shown in FIG. 2(A) and FIG. 3(A).
  • the execution unit 31 requests both the first brake ECU 60 and the second brake ECU 70 to change the control mode of the execution unit from normal mode to update mode.
  • the normal mode is the control mode when controlling the actuator.
  • the update mode is the control mode when updating the software of the storage device.
  • step S13 the execution device 31 of the information processing device 30 determines whether or not it has received a notification from both the first brake ECU 60 and the second brake ECU 70 that the mode change has been completed. If the execution device 31 has received the notification from both the first brake ECU 60 and the second brake ECU 70 (S13: YES), the process proceeds to step S15. On the other hand, if the execution device 31 has not received the notification from at least one of the first brake ECU 60 and the second brake ECU 70 (S13: NO), the process returns to step S11. In other words, the execution device 31 continues to request the first brake ECU 60 and the second brake ECU 70 to change the mode until it receives the notification from both the first brake ECU 60 and the second brake ECU 70.
  • step S101 the execution device 61 of the first brake ECU 60 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 61 receives a mode change request (S101: YES), the process proceeds to step S103. On the other hand, if the execution device 61 has not received a mode change request (S101: NO), the execution device 61 repeats the judgment of step S101 until the request is received. In step S103, the execution device 61 resets itself, changes the control mode to the update mode, and restarts. Then, in step S105, the execution device 61 transmits a notification to the information processing device 30 that the change from the normal mode to the update mode has been completed.
  • the execution device 61 transmits the notification to the information processing device 30 via the global network 42.
  • the execution device 61 starts erasing the pre-update software from the storage device 62.
  • the execution device 61 then transitions to step S109.
  • step S201 the execution device 71 of the second brake ECU 70 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 71 receives a mode change request (S201: YES), the process proceeds to step S203. On the other hand, if the execution device 71 has not received a mode change request (S201: NO), the execution device 71 repeats the judgment of step S201 until the request is received. In step S203, the execution device 71 resets itself, changes the control mode to the update mode, and restarts. Next, in step S205, the execution device 71 transmits a notification to the information processing device 30 that the change from the normal mode to the update mode has been completed. Specifically, the execution device 71 transmits the notification to the information processing device 30 via the global network 42. Then, the execution device 71 transitions the process to step S207.
  • step S15 the execution unit 31 of the information processing device 30 sets a count M to 1.
  • the execution unit 31 then divides the update software for the first brake ECU 60 into N pieces, where "N" is an integer equal to or greater than 3.
  • step S17 the execution unit 31 transmits the Mth update split software, which is one of the N pieces of update software, to the first brake ECU 60 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update split software to the first brake ECU 60 via the global network 42. Note that if the count M is 1, the execution unit 31 transmits the encrypted first update split software to the first brake ECU 60.
  • step S19 the execution unit 31 of the information processing device 30 increments the count M by 1.
  • the execution unit 31 transmits the Mth update split software, which is one of the N pieces of divided update software, to the second brake ECU 70 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update split software to the second brake ECU 70 via the global network 42.
  • the update split software transmitted to the second brake ECU 70 here is different from the update split software transmitted to the first brake ECU 60 in step S17. Note that if the count M is 2, the execution unit 31 transmits the encrypted second update split software to the second brake ECU 70.
  • step S23 the execution unit 31 of the information processing device 30 increments the count M by 1.
  • step S25 the execution unit 31 determines whether the transmission of the update divided software has been completed. In this embodiment, if the count M is greater than the number of divisions N, the execution unit 31 determines that the transmission of N pieces of update divided software has been completed. On the other hand, if the count M is equal to or less than the number of divisions N, the execution unit 31 determines that the transmission of the update divided software has not been completed because there is update divided software among the N pieces of update divided software that has not yet been transmitted. Then, if the execution unit 31 has completed the transmission of the update divided software (S25: YES), the processing proceeds to step S27. On the other hand, if the execution unit 31 has not completed the transmission of the update divided software (S25: NO), the processing returns to step S17. That is, the execution unit 31 continues the transmission of the update divided software.
  • step S109 the execution unit 61 of the first brake ECU 60 determines whether or not it has received the Mth update divided software from the global network 42. If the count M is 1, the execution unit 61 determines whether or not it has received the first update divided software. If the execution unit 61 has received the Mth update divided software (S109: YES), it transitions to step S111. On the other hand, if the execution unit 61 has not received the Mth update divided software (S109: NO), it repeats the determination in step S109 until it receives the Mth update divided software.
  • step S111 the execution device 61 of the first brake ECU 60 decrypts the Mth update split software received from the information processing device 30. Then, in step S113, the execution device 61 writes the Mth update split software that it has decrypted into the storage device 62. For example, if the count M is 1, the execution device 61 decrypts the first update split software and writes the decrypted first update split software into the storage device 62. The execution device 61 then transitions to step S115.
  • step S207 the execution unit 71 of the second brake ECU 70 determines whether or not it has received the Mth update divided software from the global network 42. If the count M is 2, the execution unit 71 determines whether or not it has received the second update divided software. If the execution unit 71 has received the Mth update divided software (S207: YES), the process proceeds to step S209. On the other hand, if the execution unit 71 has not received the Mth update divided software (S207: NO), the execution unit 71 repeatedly executes the determination in step S207 until it receives the Mth update divided software.
  • step S209 the execution unit 71 of the second brake ECU 70 decrypts the Mth update split software received from the information processing device 30. Then, in step S211, the execution unit 71 transmits the decrypted Mth update split software to the first brake ECU 60 via the local network 43. For example, when the count M is 2, the execution unit 71 decrypts the second update split software and transmits the decrypted second update split software to the first brake ECU 60 via the local network 43. The execution unit 71 then transitions to step S213.
  • step S213 the execution unit 71 of the second brake ECU 70 determines whether the software update of the storage device 62 of the first brake ECU 60 has been completed. If the update has been completed (S213: YES), the execution unit 71 proceeds to step S215. On the other hand, if the update has not been completed (S213: NO), the execution unit 71 returns the process to step S207. In other words, the execution unit 71 repeatedly executes the processes from step S207 to step S211 until the software update of the storage device 62 has been completed.
  • step S115 the execution device 61 of the first brake ECU 60 determines whether or not it has received the decrypted Mth update split software from the second brake ECU 70 via the local network 43. If the execution device 61 has received the Mth update split software from the second brake ECU 70 (S115: YES), the processing proceeds to step S117. On the other hand, if the execution device 61 has not received the Mth update split software from the second brake ECU 70 (S115: NO), the execution device 61 repeatedly executes the determination of step S115 until it receives the Mth update split software from the second brake ECU 70.
  • step S117 the execution device 61 writes the decrypted Mth update split software received from the second brake ECU 70 to the storage device 62. For example, if the count M is 2, when the execution device 61 receives the decrypted second update divided software from the second brake ECU 70 via the local network 43, it writes the second update divided software to the storage device 62. After that, the execution device 61 transitions the process to step S119.
  • step S119 the execution unit 61 of the first brake ECU 60 determines whether the software update of the storage device 62 has been completed. If the update has been completed (S119: YES), the execution unit 61 proceeds to step S121. On the other hand, if the update has not been completed (S119: NO), the execution unit 61 returns the process to step S109. In other words, the execution unit 61 repeatedly executes the processes from step S109 to step S117 until the software update of the storage device 62 is completed.
  • step S27 the execution device 31 of the information processing device 30 requests both the first brake ECU 60 and the second brake ECU 70 to change the control mode of the execution device from the update mode to the normal mode.
  • step S29 the execution device 31 determines whether or not it has received a notification from both the first brake ECU 60 and the second brake ECU 70 that the mode change has been completed. If the execution device 31 has received the above notification from both the first brake ECU 60 and the second brake ECU 70 (S29: YES), it ends the processing routine shown in Figures 2(A) and 3(A).
  • the execution device 31 determines whether the execution device 31 has received the above notification from at least one of the first brake ECU 60 and the second brake ECU 70 (S29: NO). If the execution device 31 has not received the above notification from at least one of the first brake ECU 60 and the second brake ECU 70 (S29: NO), it returns the processing to step S27. That is, the execution device 31 continues to request the first brake ECU 60 and the second brake ECU 70 to change modes until the execution device 31 receives the above notification from both the first brake ECU 60 and the second brake ECU 70.
  • step S121 the execution device 61 of the first brake ECU 60 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 61 receives a mode change request (S121: YES), the process proceeds to step S123. On the other hand, if the execution device 61 has not received a mode change request (S121: NO), the execution device 61 repeats the judgment of step S121 until a request is received. In step S123, the execution device 61 resets itself, changes the control mode from the update mode to the normal mode, and restarts. Next, in step S125, the execution device 61 transmits a notification to the information processing device 30 that the change from the update mode to the normal mode has been completed. Thereafter, the execution device 61 ends the processing routine shown in FIG. 2(B) and FIG. 3(B).
  • step S215 the execution device 71 of the second brake ECU 70 determines whether or not a mode change request has been received from the information processing device 30. If the execution device 71 receives a mode change request (S215: YES), the process proceeds to step S217. On the other hand, if the execution device 71 has not received a mode change request (S215: NO), the execution device 71 repeats the determination in step S215 until a request is received. In step S217, the execution device 71 resets itself, changes the control mode from the update mode to the normal mode, and restarts.
  • step S219 the execution device 71 transmits a notification to the information processing device 30 that the change from the update mode to the normal mode has been completed. Thereafter, the execution device 71 ends the processing routine shown in FIG. 2(C) and FIG. 3(C).
  • the software of the storage device 72 of the second brake ECU 70 may be updated.
  • the second brake ECU 70 since the second brake ECU 70 is the ECU to be updated, the second brake ECU 70 corresponds to the "first electronic control device” and the first brake ECU 60 corresponds to the "second electronic control device.”
  • the execution device 71 of the second brake ECU 70 corresponds to the "first execution device” and the execution device 61 of the first brake ECU 60 corresponds to the "second execution device.” Therefore, the execution device 71 of the second brake ECU 70 executes the processing routines shown in Figures 2(B) and 3(B), and the execution device 61 of the first brake ECU 60 executes the processing routines shown in Figures 2(C) and 3(C).
  • the pre-update software begins to be erased from the storage device 62.
  • the update software is divided into six pieces. That is, six pieces of update divided software A1 to A6 are generated.
  • the encrypted first update divided software A1 is transmitted to the first brake ECU 60 via the global network 42.
  • the encrypted second update divided software A2 is transmitted to the second brake ECU 70 via the global network 42.
  • the first brake ECU 60 When the first brake ECU 60 receives the first update divided software A1, the first update divided software A1 is decrypted. In the example shown in FIG. 4, the process of deleting the update divided software is executed until timing t15. Therefore, from timing t15, writing of the decrypted first update divided software A1 to the storage device 62 begins.
  • the second brake ECU 70 when the second brake ECU 70 receives the second update divided software A2 via the global network 42, the second brake ECU 70 decodes the second update divided software A2. That is, even while the first brake ECU 60 is decoding the first update divided software A1, the second brake ECU 70 can decode the second update divided software A2.
  • the second brake ECU 70 decodes the second update divided software A2, as shown in FIGS. 4(B) and (D), the decoded second update divided software A2 is transmitted to the first brake ECU 60 via the local network 43 from timing t14.
  • the first brake ECU 60 writes the first update divided software A1 to the storage device 62, and then starts writing the second update divided software A2 to the storage device 62.
  • the information processing device 30 transmits the encrypted third update divided software A3 to the first brake ECU 60. At this time, the third update divided software A3 is also transmitted to the first brake ECU 60 via the global network 42. Next, the information processing device 30 transmits the encrypted fourth update divided software A4 to the second brake ECU 70. At this time, the fourth update divided software A4 is also transmitted to the second brake ECU 70 via the global network 42.
  • the third update divided software A3 is decrypted. Then, the decrypted third update divided software A3 is written to the storage device 62.
  • the second brake ECU 70 When the second brake ECU 70 receives the fourth update divided software A4, it decodes the fourth update divided software A4. That is, even while the first brake ECU 60 is decoded the third update divided software A3, the second brake ECU 70 can decode the fourth update divided software A4.
  • the decoded fourth update divided software A4 is transmitted to the first brake ECU 60 via the local network 43.
  • the third update divided software A3 is written to the storage device 62
  • the fourth update divided software A4 is written to the storage device 62.
  • the information processing device 30 transmits the encrypted fifth update divided software A5 to the first brake ECU 60. At this time, the fifth update divided software A5 is also transmitted to the first brake ECU 60 via the global network 42. After the fifth update divided software A5 is transmitted, the information processing device 30 transmits the encrypted sixth update divided software A6 to the second brake ECU 70. At this time, the sixth update divided software A6 is also transmitted to the second brake ECU 70 via the global network 42.
  • the fifth update divided software A5 is decrypted. Then, the decrypted fifth update divided software A5 is written to the storage device 62.
  • the second brake ECU 70 When the second brake ECU 70 receives the sixth update divided software A6, it decodes the sixth update divided software A6. That is, even while the first brake ECU 60 is decoded the fifth update divided software A5, the second brake ECU 70 can decode the sixth update divided software A6.
  • the decoded sixth update divided software A6 is transmitted to the first brake ECU 60 via the local network 43.
  • the fifth update divided software A5 is written to the storage device 62
  • the sixth update divided software A6 is written to the storage device 62. This completes the software update of the storage device 62.
  • the information processing device 30 transmits the first update divided software A1 to the first brake ECU 60, it transmits the next update divided software (in this case, the second update divided software A2) to the second brake ECU 70. Then, while the execution device 61 of the first brake ECU 60 is decrypting the first update divided software A1, the execution device 71 of the second brake ECU 70 can decrypt the second update divided software A2. That is, the information processing device 30 does not need to wait for the transmission of the second update divided software A2 until the decoding of the first update divided software A1 is completed. That is, the time during which the information processing device 30 is in a state of waiting for the transmission of the update divided software can be shortened. Therefore, when updating the software of the storage device 62 of the first brake ECU 60, the control system 15 can suppress the time required for updating the software from becoming long.
  • the next update divided software in this case, the second update divided software A2
  • the execution device 71 of the second brake ECU 70 can decrypt the second update divided software A2. That is, the information
  • the second brake ECU 70 transmits the decrypted divided update software to the first brake ECU 60 via the local network 43. This reduces the time required for transmission compared to transmitting the divided update software between the second brake ECU 70 and the first brake ECU 60 via the global network 42. This contributes to reducing the time required for software updates.
  • Second Embodiment A second embodiment of the control system will be described with reference to Fig. 5.
  • the second embodiment differs from the first embodiment in that the update division software is not directly transmitted from the information processing device to the second electronic control unit.
  • the differences from the first embodiment will be mainly described, and the same reference numerals will be used to designate the same components as those in the first embodiment, and duplicated description will be omitted.
  • Figure 5(A) shows a portion of the processing routine executed by the execution device 31 of the information processing device 30.
  • Figure 5(B) shows a portion of the processing routine executed by the execution device 61 of the first brake ECU 60.
  • Figure 5(C) shows a portion of the processing routine executed by the execution device 71 of the second brake ECU 70.
  • the processing routine shown in Figure 5(B) is a portion of the processing routine executed by the first electronic control device
  • the processing routine shown in Figure 5(C) is a portion of the processing routine executed by the second electronic control device.
  • step S15A the execution device 31 of the information processing device 30 sets a count M to 1.
  • the execution device 31 divides the update software for the first brake ECU 60 into N pieces.
  • N is an integer equal to or greater than 3.
  • step S17A the execution device 31 transmits the Mth update divided software, which is one of the N pieces of update software, to the first brake ECU 60 via the global network 42.
  • the execution device 31 transmits the encrypted Mth update divided software to the first brake ECU 60 via the global network 42. Note that if the count M is 1, the execution device 31 transmits the encrypted first update divided software to the first brake ECU 60.
  • step S19A the execution unit 31 of the information processing device 30 increments the count M by 1.
  • the execution unit 31 transmits the Mth update split software, which is one of the divided update software, to the first brake ECU 60 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update split software to the first brake ECU 60 via the global network 42.
  • the update split software transmitted to the first brake ECU 60 here is different from the update split software transmitted to the first brake ECU 60 in step S17A. Note that if the count M is 2, the execution unit 31 transmits the encrypted second update split software to the second brake ECU 70.
  • step S23A the execution unit 31 of the information processing device 30 increments the counter M by 1.
  • step S25A the execution unit 31 determines whether or not the transmission of the N pieces of update divided software has been completed, similar to step S25 shown in FIG. 2(A) and FIG. 3(A). If there is any update divided software among the N pieces of update divided software that has not yet been transmitted (S25A: NO), the execution unit 31 returns the process to step S17A. That is, the execution unit 31 continues transmitting the update divided software. On the other hand, if the execution unit 31 has completed the transmission of the N pieces of update divided software (S25A: YES), the process proceeds to step S27 shown in FIG. 2(A) and FIG. 3(A). The process flow from step S27 onwards is the same as in the first embodiment.
  • the execution device 61 of the first brake ECU 60 sequentially executes the processes from step S101 to step S107 shown in FIG. 2(B) and FIG. 3(B). Then, in step S131 as shown in FIG. 5(B), the execution device 61 judges whether or not the Mth update divided software transmitted by the information processing device 30 in step S17A has been received from the global network 42. If the count M is 1, the execution device 61 judges whether or not the first update divided software A1 has been received. If the execution device 61 has received the Mth update divided software (S131: YES), the process proceeds to step S133. On the other hand, if the execution device 61 has not received the Mth update divided software (S131: NO), the execution device 61 repeatedly executes the judgment of step S131 until the Mth update divided software is received.
  • step S133 the execution unit 61 of the first brake ECU 60 determines whether or not it has received the Mth update divided software transmitted by the information processing unit 30 in step S21A from the global network 42. If the count M is 2, the execution unit 61 determines whether or not it has received the second update divided software A2. If the execution unit 61 has received the Mth update divided software (S133: YES), it transitions to step S135. On the other hand, if the execution unit 61 has not received the Mth update divided software (S133: NO), it repeats the determination of step S133 until it receives the Mth update divided software.
  • step S135 the execution device 61 of the first brake ECU 60 transmits the Mth update divided software received in step S133 to the second brake ECU 70 via the local network 43. For example, if the first brake ECU 60 receives the first update divided software A1 and the second update divided software A2, the execution device 61 transmits only the second update divided software A2 of the first update divided software A1 and the second update divided software A2 to the second brake ECU 70 via the local network 43.
  • step S137 the execution device 61 of the first brake ECU 60 decrypts the Mth update split software received in step S131. That is, of the two update split software received from the information processing device 30, the execution device 61 decrypts the update split software that has not been transmitted to the second brake ECU 70.
  • step S139 the execution device 61 writes the Mth update split software that it has decrypted into the storage device 62. The execution device 61 then transitions to step S141.
  • the execution unit 71 of the second brake ECU 70 sequentially executes the processes from step S201 to S205 shown in FIG. 2(C) and FIG. 3(C). Then, in step S231 as shown in FIG. 5(C), the execution unit 71 judges whether or not the Mth update divided software has been received via the local network 43. If the count M is 2, the execution unit 71 judges whether or not the second update divided software A2 has been received.
  • the update divided software received here is the update divided software transmitted by the information processing device 30 in step S21A. If the execution unit 71 receives the Mth update divided software (S231: YES), the process proceeds to step S233. On the other hand, if the execution unit 71 has not received the Mth update divided software (S231: NO), the execution unit 71 repeatedly executes the judgment of step S231 until the Mth update divided software is received.
  • step S233 the execution device 71 of the second brake ECU 70 decrypts the received Mth update split software. Then, in step S235, the execution device 71 transmits the decrypted Mth update split software to the first brake ECU 60 via the local network 43. For example, if the count M is 2, the execution device 71 decrypts the second update split software A2 and transmits the decrypted second update split software A2 to the first brake ECU 60 via the local network 43. The execution device 71 then transitions to step S237.
  • step S237 the execution unit 71 of the second brake ECU 70 determines whether the software update of the storage device 62 of the first brake ECU 60 has been completed. If the update has not been completed (S237: NO), the execution unit 71 returns the process to step S231. That is, the execution unit 71 repeatedly executes the processes from step S231 to step S235 until the software update of the storage device 62 is completed. On the other hand, if the update has been completed (S237: YES), the execution unit 71 transitions the process to step S215 shown in FIG. 2(C) and FIG. 3(C). The process flow from step S215 onwards is the same as in the first embodiment.
  • step S141 the execution device 61 of the first brake ECU 60 determines whether or not it has received the Mth update divided software from the second brake ECU 70 via the local network 43. If the execution device 61 has received the Mth update divided software (S141: YES), the process proceeds to step S143. On the other hand, if the execution device 61 has not received the Mth update divided software (S141: NO), the execution device 61 repeatedly executes the determination of step S141 until it receives the Mth update divided software.
  • step S143 the execution device 61 of the first brake ECU 60 writes the Mth update divided software received in step S141 to the storage device 62. That is, the execution device 61 writes the decoded Mth update divided software transmitted from the second brake ECU 70 to the storage device 62.
  • step S145 the execution device 61 determines whether the software update of the storage device 62 is complete. If the update is not complete (S145: NO), the execution device 61 returns the process to step S131. That is, the execution device 61 repeatedly executes the processes from step S131 to step S143 until the software update of the storage device 62 is complete. On the other hand, if the update is complete (S145: YES), the execution device 61 transitions the process to step S121 shown in FIG. 2(B) and FIG. 3(B). The process flow from step S121 onwards is the same as that in the first embodiment.
  • the information processing device 30 When updating the software in the storage device 62 of the first brake ECU 60, the information processing device 30 divides the update software into N pieces. The information processing device 30 transmits the N pieces of update divided software to the first brake ECU 60, which is the ECU to be updated, via the global network 42. In this embodiment, two pieces of update divided software are transmitted to the first brake ECU 60 via the global network 42.
  • the first brake ECU 60 transmits one of the two pieces of update split software received to the second brake ECU 70 via the local network 43.
  • the first brake ECU 60 also decrypts the update split software that was not transmitted to the second brake ECU 70.
  • the update split software decrypted by the execution device 61 is then written to the storage device 62.
  • the second brake ECU 70 decodes the update split software received via the local network 43.
  • the decoded update split software is then sent to the first brake ECU 60 via the local network 43.
  • the first brake ECU 60 writes the decoded update split software received via the local network 43 to the storage device 62.
  • the software in the storage device 62 of the first brake ECU 60 is updated.
  • the second update divided software A2 can also be decoded in the second brake ECU 70. That is, the information processing device 30 does not need to wait for the transmission of the second update divided software A2 until the decoding of the first update divided software A1 is completed. That is, the time during which the information processing device 30 is in a state of waiting for the transmission of update divided software can be shortened. Therefore, when updating the software of the storage device 62 of the first brake ECU 60, the control system 15 can prevent the time required for the software update from becoming long.
  • the information processing device 30 does not need to directly transmit some of the N pieces of divided software updates to the second brake ECU 70 that is not the ECU to be updated. Furthermore, in this embodiment, it is possible to obtain effects equivalent to the effects (1-2) and (1-3) of the first embodiment.
  • the third embodiment differs from the first embodiment in that the ECU to be updated is a multi-core processor equipped with multiple execution devices.
  • the ECU to be updated is a multi-core processor equipped with multiple execution devices.
  • the control system 15B of this embodiment will be described with reference to FIG.
  • the control system 15B includes a communication device 20, an information processing device 30, and a plurality of ECUs.
  • the plurality of ECUs are configured to be able to communicate with the information processing device 30 via a global network 42.
  • the plurality of ECUs include an ECU 80 and an ECU 50.
  • the ECU 80 is a braking ECU that controls an actuator to adjust the braking force generated in the vehicle 10.
  • the ECU 80 is a multi-core processor.
  • the ECU 80 includes a first execution unit 81A, a second execution unit 81B, a memory device 82, and a storage unit 83.
  • the first execution unit 81A and the second execution unit 81B are CPUs
  • the memory device 82 is a non-volatile memory
  • the storage device 83 is a volatile memory.
  • the storage unit 82 stores software executed by the first execution unit 81A and the second execution unit 81B.
  • Fig. 7(A) shows a processing routine executed by the execution unit 31 of the information processing device 30.
  • Fig. 7(B) shows a processing routine executed by the first execution unit 81A of the ECU 80.
  • Fig. 7(C) shows a processing routine executed by the second execution unit 81B of the ECU 80.
  • step S41 the execution unit 31 requests the ECU 80 to change the control mode of the execution unit from the normal mode to the update mode.
  • step S43 the execution unit 31 determines whether it has received both a first notification that the control mode of the first execution unit 81A has been changed to the update mode and a second notification that the control mode of the second execution unit 81B has been changed to the update mode. If the execution unit 31 has received both the first notification and the second notification (S43: YES), it proceeds to step S45.
  • the execution unit 31 determines whether the execution unit 31 has not received at least one of the first notification and the second notification (S43: NO). If the execution unit 31 has not received at least one of the first notification and the second notification (S43: NO), it returns the processing to step S41. That is, the execution unit 31 continues to request the ECU 80 to change the mode until it receives both the first notification and the second notification.
  • step S151A the first execution unit 81A of the ECU 80 judges whether the ECU 80 has received a mode change request from the information processing device 30. If the ECU 80 has received a mode change request (S151A: YES), the first execution unit 81A shifts the process to step S153A. On the other hand, if the ECU 80 has not received a mode change request (S151A: NO), the first execution unit 81A repeats the judgment of step S151A until the ECU 80 receives the request. In step S153A, the first execution unit 81A resets itself, changes the control mode to the update mode, and restarts.
  • step S155A the first execution unit 81A transmits a first notification to the information processing device 30 indicating that the change from the normal mode to the update mode has been completed.
  • step S157A the first execution unit 81A starts erasing the pre-update software from the storage device 82. The first execution unit 81A then transitions to step S159A.
  • step S151B the second execution unit 81B of the ECU 80 judges whether the ECU 80 has received a mode change request from the information processing device 30. If the ECU 80 has received a mode change request (S151B: YES), the second execution unit 81B shifts the process to step S153B. On the other hand, if the ECU 80 has not received a mode change request (S151B: NO), the second execution unit 81B repeats the judgment of step S151B until the ECU 80 receives the request. In step S153B, the second execution unit 81B resets itself, changes the control mode to the update mode, and restarts.
  • step S155B the second execution unit 81B transmits a second notification to the information processing device 30 indicating that the change from the normal mode to the update mode has been completed. Then, the second execution unit 81B shifts the process to step S159B.
  • step S45 the execution unit 31 of the information processing device 30 sets a count M to 1.
  • the execution unit 31 then divides the update software for the ECU 80 into N pieces, where "N" is an integer equal to or greater than 3.
  • step S47 the execution unit 31 transmits the Mth update divided software, which is one of the divided update software, to the ECU 80 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update divided software to the ECU 80 via the global network 42. Note that if the count M is 1, the execution unit 31 transmits the encrypted first update divided software A1 to the ECU 80.
  • step S49 the execution unit 31 of the information processing device 30 increments the count M by 1.
  • the execution unit 31 transmits the Mth update split software, which is one of the divided update software, to the ECU 80 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update split software to the ECU 80 via the global network 42.
  • the update split software transmitted to the ECU 80 here is different from the update split software transmitted to the ECU 80 in step S47. Note that if the count M is 2, the execution unit 31 transmits the encrypted second update split software A2 to the ECU 80.
  • step S53 the execution unit 31 of the information processing device 30 increments the counter M by 1.
  • step S55 the execution unit 31 determines whether or not the transmission of the update split software has been completed, similar to step S25 shown in Figures 2 (A) and 3 (A). If the transmission of the update split software has been completed (S55: YES), the execution unit 31 proceeds to step S57. On the other hand, if the transmission of the update split software has not been completed (S55: NO), the execution unit 31 returns the process to step S47. That is, the execution unit 31 continues transmitting the update split software to the ECU 80.
  • step S159A the first execution unit 81A of the ECU 80 determines whether the ECU 80 has received the Mth update divided software.
  • the update divided software received here is the Mth update divided software transmitted by the information processing device 30 in step S47. If the count M is 1, the first execution unit 81A determines whether the first update divided software has been received. If the ECU 80 has received the Mth update divided software (S159A: YES), the first execution unit 81A transitions the process to step S161A. On the other hand, if the ECU 80 has not received the Mth update divided software (S159A: NO), the first execution unit 81A repeats the determination of step S159A until the Mth update divided software is received.
  • step S161A the first execution unit 81A of the ECU 80 decrypts the Mth update split software received by the ECU 80 in step S159A. Then, in step S163A, the first execution unit 81A writes the Mth update split software that it has decrypted to the storage device 82. For example, if the count M is 1, the first execution unit 81A decrypts the first update split software A1 and writes the decrypted first update split software A1 to the storage device 82.
  • step S165A the first execution unit 81A of the ECU 80 determines whether the software update of the storage device 82 is complete. If the update is complete (S165A: YES), the first execution unit 81A proceeds to step S167A. On the other hand, if the update is not complete (S165A: NO), the first execution unit 81A returns to step S159A. In other words, the first execution unit 81A repeatedly executes steps S159A to S163A until the software update of the storage device 82 is complete.
  • step S159B the second execution unit 81B of the ECU 80 determines whether the ECU 80 has received the Mth update split software.
  • the update split software received here is the Mth update split software transmitted by the information processing device 30 in step S51. If the count M is 2, the second execution unit 81B determines whether the ECU 80 has received the second update split software. If the ECU 80 has received the Mth update split software (S159B: YES), the second execution unit 81B transitions the process to step S161B. On the other hand, if the ECU 80 has not received the Mth update split software (S159B: NO), the second execution unit 81B repeatedly executes the determination of step S159B until the ECU 80 receives the Mth update split software.
  • step S161B the second execution unit 81B of the ECU 80 decrypts the Mth update split software received in step S159B. Then, in step S161B, the second execution unit 81B writes the Mth update split software that it has decrypted to the storage device 62. For example, if the count M is 2, the second execution unit 81B decrypts the second update split software A2 and writes the decrypted second update split software A2 to the storage device 62.
  • step S165B the second execution unit 81B of the ECU 80 determines whether the software update of the storage device 82 has been completed. If the update has been completed (S165B: YES), the second execution unit 81B proceeds to step S167B. On the other hand, if the update has not been completed (S165B: NO), the second execution unit 81B returns the process to step S159B. In other words, the second execution unit 81B repeatedly executes the processes from step S159B to step S163B until the software update of the storage device 82 is completed.
  • step S57 the execution unit 31 of the information processing device 30 requests the ECU 80 to change the control mode of the execution unit from the update mode to the normal mode.
  • step S59 the execution unit 31 determines whether or not it has received both the third notification that the control mode of the first execution unit 81A has been changed to the normal mode and the fourth notification that the control mode of the second execution unit 81B has been changed to the normal mode. If the execution unit 31 has received both the third notification and the fourth notification from the ECU 80 (S59: YES), it ends the processing routine shown in FIG. 7(A). On the other hand, if the execution unit 31 has not received at least one of the third notification and the fourth notification (S59: NO), it returns the processing to step S57. That is, the execution unit 31 continues to request the ECU 80 to change the mode until it receives both the third notification and the fourth notification.
  • step S167A the first execution unit 81A resets itself, changes the control mode from update mode to normal mode, and restarts.
  • step S169A the first execution unit 81A transmits a third notification to the information processing device 30 indicating that the change from update mode to normal mode has been completed. Thereafter, the first execution unit 81A ends the processing routine shown in FIG. 7(B).
  • step S167B the second execution unit 81B resets itself, changes the control mode from the update mode to the normal mode, and restarts.
  • step S169B the second execution unit 81B transmits a fourth notification to the information processing device 30 indicating that the change from the update mode to the normal mode has been completed. Thereafter, the second execution unit 81B ends the processing routine shown in FIG. 7(C).
  • the information processing device 30 When updating software in the storage device 82 of the ECU 80, the information processing device 30 divides the update software into N pieces. The information processing device 30 transmits the N pieces of update divided software to the ECU 80 via the global network 42. In this embodiment, two pieces of update divided software are transmitted to the ECU 80 via the global network 42.
  • one of the two received update split software is processed by the first execution unit 81A, while the remaining one is processed by the second execution unit 81B. That is, the first execution unit 81A decrypts one of the two update split software and writes it to the storage device 82. The second execution unit 81B decrypts the other of the two update split software and writes it to the storage device 82. By repeating this series of processes, the software in the storage device 82 of the ECU 80 is updated.
  • the ECU 80 which is the ECU to be updated, is a multi-core processor. Therefore, for example, while the first execution unit 81A is decrypting the first update divided software A1, the second execution unit 81B can update the second update divided software A2. Therefore, the information processing device 30 does not have to wait for the transmission of the second update divided software A2 until the decryption of the first update divided software A1 is complete. In other words, the time that the information processing device 30 is in a state waiting for the transmission of update divided software can be shortened. Therefore, when updating software in the storage device 82 of the ECU 80, the control system 15B can prevent the time required for the software update from becoming long.
  • the control system 15C includes a communication device 20, an information processing device 30, and a plurality of ECUs.
  • the plurality of ECUs are configured to be able to communicate with the information processing device 30 via a global network 42.
  • the plurality of ECUs include a first braking ECU 60 and a second braking ECU 90.
  • the first braking ECU 60 operates the first actuator 11.
  • the second braking ECU 90 operates the second actuator 12.
  • the plurality of ECUs may include ECUs other than the first braking ECU 60 and the second braking ECU 90.
  • the first brake ECU 60 and the second brake ECU 90 can transmit and receive various information via the local network 43C.
  • the communication speed of the local network 43C is higher than the communication speed of the global network 42.
  • the first brake ECU 60 includes an execution device 61 , a memory device 62 , and a storage device 63 .
  • the second brake ECU 90 includes an execution device 91, a storage device 92, and a storage device 93.
  • the execution device 91 is a CPU
  • the storage device 92 is a non-volatile memory
  • the storage device 93 is a volatile memory.
  • the storage device 92 is divided into a first storage unit 921 and a second storage unit 922.
  • the first storage unit 921 stores software executed by the execution device 91.
  • the second storage unit 922 does not store software executed by the execution device 91.
  • ⁇ Software update process> a method of updating software in a storage device provided in a brake ECU will be described.
  • the ECU to be updated is the first brake ECU 60
  • the first brake ECU 60 corresponds to the "first electronic control device”
  • the second brake ECU 90 corresponds to the "second electronic control device”.
  • the execution device 61 of the first brake ECU 60 corresponds to the "first execution device”
  • the execution device 91 of the second brake ECU 90 corresponds to the "second execution device”.
  • Figure 9 (A) shows a part of the processing routine executed by the execution device 31 of the information processing device 30.
  • Figure 9 (B) shows a part of the processing routine executed by the execution device 61 of the first brake ECU 60.
  • Figure 9 (C) shows a part of the processing routine executed by the execution device 91 of the second brake ECU 90.
  • the processing routine shown in Figure 9 (B) is a part of the processing routine executed by the first electronic control device
  • the processing routine shown in Figure 9 (C) is a part of the processing routine executed by the second electronic control device.
  • step S81 the execution unit 31 requests both the first brake ECU 60 and the second brake ECU 90 to change the control mode of the execution unit from the normal mode to the update mode.
  • step S83 the execution device 31 of the information processing device 30 determines whether or not it has received a notification from both the first brake ECU 60 and the second brake ECU 90 that the mode change has been completed. If the execution device 31 has received the notification from both the first brake ECU 60 and the second brake ECU 90 (S83: YES), the process proceeds to step S85. On the other hand, if the execution device 31 has not received the notification from at least one of the first brake ECU 60 and the second brake ECU 90 (S83: NO), the process returns to step S81. In other words, the execution device 31 continues to request the first brake ECU 60 and the second brake ECU 90 to change the mode until it receives the notification from both the first brake ECU 60 and the second brake ECU 90.
  • step S181 the execution device 61 of the first brake ECU 60 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 61 receives a mode change request (S181: YES), the process proceeds to step S183. On the other hand, if the execution device 61 has not received a mode change request (S181: NO), the execution device 61 repeats the judgment of step S181 until a request is received. In step S183, the execution device 61 resets itself, changes the control mode to the update mode, and restarts. Then, in step S185, the execution device 61 transmits a notification to the information processing device 30 that the change from the normal mode to the update mode has been completed. In the next step S187, the execution device 61 starts erasing the pre-update software from the storage device 62. After that, the execution device 61 proceeds to step S189.
  • step S281 the execution device 91 of the second brake ECU 90 determines whether or not a mode change request has been received from the information processing device 30. If the execution device 91 receives a mode change request (S281: YES), the process proceeds to step S283. On the other hand, if the execution device 91 has not received a mode change request (S281: NO), the execution device 91 repeatedly executes the determination of step S281 until a request is received. In step S283, the execution device 91 resets itself, changes the control mode to the update mode, and restarts. Next, in step S285, the execution device 91 transmits a notification to the information processing device 30 that the change from normal mode to update mode has been completed. Then, the execution device 91 proceeds to step S287.
  • step S85 the execution unit 31 of the information processing device 30 sets a counter M to 1.
  • the execution unit 31 then divides the update software for the first brake ECU 60 into N pieces, where "N" is an integer equal to or greater than 3.
  • step S87 the execution unit 31 transmits the Mth update divided software, which is one of the N pieces of update software, to the second brake ECU 90 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update divided software to the second brake ECU 90 via the global network 42.
  • step S89 the execution unit 31 of the information processing device 30 increments the counter M by 1.
  • step S91 the execution unit 31 determines whether the transmission of the update split software has been completed, similar to step S25 shown in FIG. 2(A) and FIG. 3(A). If the transmission of the update split software has been completed (S91: YES), the execution unit 31 proceeds to step S27 shown in FIG. 2(A) and FIG. 3(A). The flow of processing from step S27 onwards is the same as in the first embodiment. On the other hand, if the transmission of the update split software has not been completed (S91: NO), the execution unit 31 returns the processing to step S87. That is, the execution unit 31 continues transmitting the update split software to the second brake ECU 90.
  • step S287 the execution device 91 of the second brake ECU 90 determines whether or not the Mth update divided software has been received from the global network 42. If the execution device 91 has received the Mth update divided software (S287: YES), the execution device 91 writes the Mth update divided software to the second storage unit 922 and proceeds to step S289. On the other hand, if the execution device 91 has not received the Mth update divided software (S287: NO), the execution device 91 repeatedly executes the determination of step S287 until the Mth update divided software is received.
  • step S289 the execution device 91 of the second brake ECU 90 decrypts the Mth update divided software stored in the second storage unit 922. Then, in step S291, the execution device 91 transmits the decrypted Mth update divided software to the first brake ECU 60 via the local network 43. Then, the execution device 91 transitions the process to step S293.
  • step S293 the execution unit 91 of the second brake ECU 90 determines whether the software update of the storage device 62 of the first brake ECU 60 has been completed. If the update has not been completed (S293: NO), the execution unit 91 returns the process to step S287. That is, the execution unit 91 repeatedly executes the processes from step S287 to step S291 until the software update of the storage device 62 is completed. On the other hand, if the update has been completed (S293: YES), the execution unit 91 proceeds to step S215 shown in Figures 2 (C) and 3 (C). The process flow from step S215 onwards is the same as in the first embodiment.
  • step S189 the execution device 61 of the first brake ECU 60 determines whether or not it has received the decoded Mth update divided software from the second brake ECU 90 via the local network 43. If the execution device 61 has received the Mth update divided software from the second brake ECU 90 (S189: YES), the process proceeds to step S191. On the other hand, if the execution device 61 has not received the Mth update divided software from the second brake ECU 90 (S189: NO), the execution device 61 repeats the determination of step S189 until it receives the Mth update divided software from the second brake ECU 90. In step S191, the execution device 61 writes the decoded Mth update divided software received from the second brake ECU 90 to the storage device 62. Then, the execution device 61 proceeds to step S193.
  • step S193 the execution unit 61 of the first brake ECU 60 determines whether the software update of the storage device 62 has been completed. If the update has not been completed (S193: NO), the execution unit 61 returns the process to step S189. That is, the execution unit 61 repeatedly executes the processes of steps S189 and S191 until the software update of the storage device 62 is completed. On the other hand, if the update has been completed (S193: YES), the execution unit 61 proceeds to step S121 shown in Figures 2 (B) and 3 (B). The process flow from step S121 onwards is the same as in the first embodiment.
  • the second brake ECU 90 corresponding to the second electronic control device includes not only the first storage unit 921 but also the second storage unit 922 as a storage unit. Therefore, the information processing device 30 transmits the encrypted update software to the second brake ECU 90 via the global network 42. In the second brake ECU 90, the received update software is stored in the second storage unit 922. When updating the software of the storage unit 62 of the first brake ECU 60, the execution device 91 of the second brake ECU 90 decrypts the update software stored in the second storage unit 922 and transmits the decrypted update software to the first brake ECU 60 via the local network 43C. In the first brake ECU 60, the decrypted update software received via the local network 43C is written to the storage unit 62.
  • the communication speed of the local network 43C is higher than the communication speed of the global network 42. Therefore, the time required to update the software in the storage device 62 of the first brake ECU 60 can be shortened by the time required to transmit the update software to the first brake ECU 60 via the local network 43 .
  • the information processing device 30 may transmit the update software to the second brake ECU 90 without dividing it.
  • the division number N which is the number into which the information processing device 30 divides the update software, may be any even number other than 2 as long as it is equal to or greater than 2. In the above embodiments, the division number N, which is the number into which the information processing device 30 divides the update software, may be an odd number equal to or greater than 2.
  • the execution device 71 of the second brake ECU 70 may complete transmission of N pieces of update divided software. In such a case, the execution device 71 of the second brake ECU 70 may transition to step S215 in response to a request from the information processing device 30 to return the control mode to the normal mode.
  • the number of execution devices provided in the ECU 80 may be three or more.
  • the ECU 80 also includes a third execution device, while the first execution device 81A is decrypting the first update divided software A1 and the second execution device 81B is decrypting the second update divided software A2, the third execution device can also decrypt the third update divided software A3.
  • the number of ECUs that can communicate with the ECU to be updated (first ECU) via the local network is only one.
  • the number of ECUs that can communicate with the first ECU via the local network may be two or more.
  • the information processing device 30 can also transmit three pieces of update split software to the ECU to be updated. Then, of the three pieces of update split software, the ECU to be updated transmits the second update split software A2 to the second ECU via the local network, and transmits the third update split software A3 to the third ECU via the local network.
  • the second ECU and the third ECU decrypt the update split software received via the local network, and transmit the decrypted update split software to the first ECU via the local network.
  • the first ECU decrypts the first update split software A1 of the three pieces of update split software, and writes the first update split software A1 to its own storage device. Additionally, the first ECU writes the decrypted update split software received via the local network to its own storage device.
  • the number of ECUs that can communicate with the ECU to be updated (first ECU) via the local network is only one.
  • the number of ECUs that can communicate with the first ECU via the local network may be two or more.
  • the information processing device 30 transmits the first update divided software A1 to the first ECU, transmits the second update divided software A2 to the second ECU, and transmits the third update divided software A3 to the third ECU.
  • the first update divided software A1 is decrypted and the first update divided software A1 is written to its own storage device.
  • the update divided software received via the global network 42 is decrypted, and the decrypted update divided software is sent to the first ECU via the local network. Then, in the first ECU, the decrypted update divided software received via the local network is also written to its own storage device.
  • the ECU to be updated is a braking ECU that adjusts the braking force generated by the vehicle 10, but this is not limited to the above.
  • Any ECU other than a braking ECU may be the ECU to be updated as long as it is capable of communicating with the information processing device 30 via the global network 42.
  • a drive ECU that controls the power source of the vehicle 10, such as an engine or a driving motor may be the ECU to be updated, or an ECU that controls an actuator that adjusts the steering angle of the wheels may be the ECU to be updated.
  • an ADASECU may be the ECU to be updated.
  • ADAS stands for "Advanced Driver Assistance System.”
  • the information processing device 30 and ECU that make up the control system are not limited to those equipped with a CPU and ROM and that execute software processing.
  • the information processing device 30 and ECU may have any of the following configurations (a) to (c).
  • the processor includes a CPU and memory such as RAM and ROM.
  • the memory stores program code or instructions configured to cause the CPU to execute processes.
  • Memory i.e., computer-readable media, includes any available media that can be accessed by a general-purpose or special-purpose computer.
  • ASIC Application Specific Integrated Circuit
  • FPGA Field Programmable Gate Array
  • (c) Equipped with a processor that executes part of the various processes in accordance with a computer program, and a dedicated hardware circuit that executes the remaining part of the various processes.
  • the term "at least one” used in this specification means “one or more” of the desired options.
  • the term “at least one” used in this specification means “only one option” or “both of two options” if the number of options is two.
  • the term “at least one” used in this specification means “only one option” or “any combination of two or more options” if the number of options is three or more.
  • An information processing device that acquires update software transmitted to the vehicle from outside the vehicle via wireless communication; A plurality of electronic control units; a global network that connects the plurality of electronic control devices and the information processing device in a communicable state; a local network for transmitting and receiving information only between a first electronic control unit and a second electronic control unit among the plurality of electronic control units, the communication speed of the local network is faster than the communication speed of the global network;
  • the first electronic control unit has a first execution device and a storage device in which software executed by the first execution device is written
  • the second electronic control unit has a second execution device, a first storage unit in which software to be executed by the second execution device is written, and a second storage unit in which the software to be executed by the second execution device is not written,
  • the second electronic control device has not only a first memory unit but also a second memory unit as a memory unit. Therefore, the information processing device transmits the encrypted update software to the second electronic control device via the global network.
  • the received update software is stored in the second memory unit.
  • the execution device of the second electronic control device decrypts the update software stored in the second memory unit and transmits the decrypted update software to the first electronic control device via the local network.
  • the communication speed of the local network is higher than the communication speed of the global network. Therefore, the time required to update the software in the memory device of the first electronic control device can be shortened by the amount of time required to transmit the update software to the first electronic control device via the local network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

This control system 15 comprises an information processing device 30, a plurality of ECUs 50, 60, 70, and a global network 42. When updating software in a storage device 62 of a first control ECU 60, the information processing device 30 divides update software into a plurality of pieces and transmits the divided pieces of the update software to the global network 42. A first divided piece of update software, which is one of the pieces of update software divided and transmitted by the information processing device 30, is decoded by an execution device 61. A second divided piece of update software, which is one of the pieces of update software divided and transmitted by the information processing device 30, is decoded by the execution device 71. Each of the first and second decoded and divided pieces of update software is written in the storage device 62.

Description

制御システムControl System
 本発明は、車両に設けられる制御システムに関する。 The present invention relates to a control system installed in a vehicle.
 特許文献1は、車載の電子制御装置が備える記憶装置のソフトウェアを更新する機能を有するシステムを開示している。当該システムでは、ソフトウェアを更新する際に、複数の電子制御装置が接続されている車載ネットワークにTesterが接続される。Testerには、更新対象の電子制御装置向けの更新用ソフトウェアが予め格納されている。そのため、車載ネットワークにTesterが接続されると、当該Testerが車載ネットワークを介して更新用ソフトウェアを更新対象の電子制御装置に送信する。これにより、当該電子制御装置では、記憶装置のソフトウェアが更新用ソフトウェアに書き換えられる。 Patent Document 1 discloses a system that has the function of updating software in a storage device provided in an in-vehicle electronic control device. In this system, when updating software, a Tester is connected to an in-vehicle network to which multiple electronic control devices are connected. The Tester pre-stores update software for the electronic control device to be updated. Therefore, when the Tester is connected to the in-vehicle network, the Tester transmits the update software to the electronic control device to be updated via the in-vehicle network. As a result, the software in the storage device in the electronic control device is rewritten with the update software.
特開2018-120438号公報JP 2018-120438 A
 近年、電子制御装置が備える記憶装置のソフトウェアを、車外のデータセンタから無線通信によって車両に送信された更新用ソフトウェアに更新するシステムが開発されている。当該システムは、データセンタから車両に送信された更新用ソフトウェアを取得する情報処理装置を備えている。ソフトウェアを更新する場合、情報処理装置は、車載ネットワークを介して更新対象の電子制御装置に更新用ソフトウェアを送信する。このとき、情報処理装置は、情報の機密性を高めるために、暗号化された更新用ソフトウェアを電子制御装置に送信する。そのため、電子制御装置の実行装置は、受信した更新用ソフトウェアを復号し、復号済みの更新用ソフトウェアを記憶装置に書き込むことになる。本発明の目的は、暗号化された更新用ソフトウェアを情報処理装置が車載ネットワークを介して電子制御装置に送信することによって、当該電子制御装置の記憶装置のソフトウェアを更新する場合において、ソフトウェアの更新に要する時間が長くなることを抑制することである。 In recent years, a system has been developed that updates the software in a storage device provided in an electronic control device with update software transmitted to the vehicle by wireless communication from a data center outside the vehicle. The system includes an information processing device that acquires the update software transmitted to the vehicle from the data center. When updating software, the information processing device transmits the update software to the electronic control device to be updated via an in-vehicle network. At this time, the information processing device transmits encrypted update software to the electronic control device to increase the confidentiality of the information. Therefore, the execution device of the electronic control device decrypts the received update software and writes the decrypted update software to the storage device. The object of the present invention is to prevent the time required for software update from increasing when the information processing device transmits encrypted update software to the electronic control device via an in-vehicle network to update the software in the storage device of the electronic control device.
 上記課題を解決するための制御システムは、車両の外部から無線通信によって前記車両に送信された更新用ソフトウェアを取得する情報処理装置と、複数の電子制御装置と前記情報処理装置とを通信可能に接続するグローバルネットワークと、を備え、前記複数の電子制御装置のうちの第1電子制御装置が備える記憶装置のソフトウェアを更新可能に構成されたシステムである。当該制御システムは、第1実行装置及び第2実行装置を備えている。前記第1電子制御装置の前記記憶装置のソフトウェアを、前記情報処理装置が取得した前記第1電子制御装置向けの更新用ソフトウェアに更新する場合、前記情報処理装置は、前記更新用ソフトウェアを複数に分割し、分割した更新用ソフトウェアを、暗号化された状態で前記グローバルネットワークに送信する。前記第1実行装置は、前記情報処理装置が分割して前記グローバルネットワークに送信した更新用ソフトウェアのうちの1つである第1更新用分割ソフトウェアを復号する。記第2実行装置は、前記情報処理装置が分割して前記グローバルネットワークに送信した更新用ソフトウェアのうちの1つである第2更新用分割ソフトウェアを復号する。前記第1実行装置が復号した前記第1更新用分割ソフトウェア、及び、前記第2実行装置が復号した前記第2更新用分割ソフトウェアの各々を、前記第1電子制御装置の前記記憶装置に書き込む。 A control system for solving the above problem includes an information processing device that acquires update software transmitted to the vehicle from outside the vehicle by wireless communication, and a global network that communicatively connects a plurality of electronic control devices to the information processing device, and is configured to be able to update software in a storage device provided in a first electronic control device among the plurality of electronic control devices. The control system includes a first execution device and a second execution device. When updating the software in the storage device of the first electronic control device to update software for the first electronic control device acquired by the information processing device, the information processing device divides the update software into multiple pieces and transmits the divided update software to the global network in an encrypted state. The first execution device decrypts the first divided update software, which is one of the pieces of update software divided and transmitted by the information processing device to the global network. The second execution device decrypts the second divided update software, which is one of the pieces of update software divided and transmitted by the information processing device to the global network. The first update divided software decrypted by the first execution device and the second update divided software decrypted by the second execution device are each written to the storage device of the first electronic control device.
 情報処理装置が取得した更新用ソフトウェアを複数に分割し、分割した更新用ソフトウェアである更新用分割ソフトウェアを情報処理装置がグローバルネットワークを介して第1電子制御装置に送信する場合を考える。この場合、第1電子制御装置では、複数の更新用分割ソフトウェアのうち、第1更新用分割ソフトウェアを受信すると、実行装置が当該第1更新用分割ソフトウェアを復号する。そして、当該実行装置が、復号済みの第1更新用分割ソフトウェアを記憶装置に書き込む。この間、第1電子制御装置の実行装置は、次の更新用ソフトウェアである第2更新用分割ソフトウェアが送信されてきても、第2更新用分割ソフトウェアを復号する処理を実行できない。そのため、情報処理装置は、第2更新用分割ソフトウェアを送信できない。つまり、情報処理装置が待機状態になる。このように情報処理装置が待機状態になる時間が長いほど、第1電子制御装置の記憶装置のソフトウェアの更新に要する時間が長くなる。 Consider a case where the information processing device divides the update software acquired by the information processing device into multiple pieces, and transmits the divided update software, which is the update split software, to the first electronic control device via a global network. In this case, when the first electronic control device receives the first update split software from the multiple update split software, the execution device decrypts the first update split software. The execution device then writes the decrypted first update split software to the storage device. During this time, even if the execution device of the first electronic control device receives the second update split software, which is the next update software, it cannot execute the process of decrypting the second update split software. Therefore, the information processing device cannot transmit the second update split software. In other words, the information processing device goes into a standby state. The longer the information processing device goes into a standby state in this way, the longer it takes to update the software in the storage device of the first electronic control device.
 上記制御システムでは、情報処理装置が第1更新用分割ソフトウェアをグローバルネットワークに送信すると、第1実行装置が、第1更新用分割ソフトウェアを復号する。このように第1実行装置が第1更新用分割ソフトウェアを復号している間、第2実行装置は、情報処理装置からの第2更新用分割ソフトウェアを待っている。そのため、第1実行装置が第1更新用分割ソフトウェアを復号している場合に、第2実行装置は、情報処理装置から送信された第2更新用分割ソフトウェアを復号できる。その結果、情報処理装置が上記のような待機状態になる時間を短くできる。 In the above control system, when the information processing device transmits the first update divided software to the global network, the first execution device decrypts the first update divided software. While the first execution device is decrypting the first update divided software in this manner, the second execution device waits for the second update divided software from the information processing device. Therefore, while the first execution device is decrypting the first update divided software, the second execution device can decrypt the second update divided software transmitted from the information processing device. As a result, the time that the information processing device is in the above-mentioned standby state can be shortened.
 したがって、上記制御システムは、第1電子制御装置の記憶装置のソフトウェアを更新する場合において、ソフトウェアの更新に要する時間が長くなることを抑制できる。 Therefore, when updating software in the storage device of the first electronic control device, the control system described above can prevent the time required for software update from becoming long.
図1は、第1実施形態の制御システムを備える車両と、車両の外部に設けられているデータセンタとを示す概略構成図である。FIG. 1 is a schematic configuration diagram showing a vehicle equipped with a control system according to a first embodiment and a data center provided outside the vehicle. 図2において、(A)は第1実施形態の制御システムの情報処理装置で実行される処理の流れの前半部分を示す図であり、(B)は当該制御システムの第1電子制御装置で実行される処理の流れの前半部分を示す図であり、(C)は当該制御システムの第2電子制御装置で実行される処理の流れの前半部分を示す図である。In Figure 2, (A) is a diagram showing the first half of the processing flow executed by the information processing device of the control system of the first embodiment, (B) is a diagram showing the first half of the processing flow executed by the first electronic control device of the control system, and (C) is a diagram showing the first half of the processing flow executed by the second electronic control device of the control system. 図3において、(A)は当該情報処理装置で実行される処理の流れの後半部分を示す図であり、(B)は当該第1電子制御装置で実行される処理の流れの後半部分を示す図であり、(C)は当該第2電子制御装置で実行される処理の流れの後半部分を示す図である。In Figure 3, (A) is a diagram showing the latter half of the processing flow executed by the information processing device, (B) is a diagram showing the latter half of the processing flow executed by the first electronic control device, and (C) is a diagram showing the latter half of the processing flow executed by the second electronic control device. 図4において、(A)~(D)は、当該第1電子制御装置に相当する第1制動ECUが備える記憶装置のソフトウェアを更新する様子を示すタイミングチャートである。In FIG. 4, (A) to (D) are timing charts showing how software in a storage device included in a first brake ECU corresponding to the first electronic control device is updated. 図5において、(A)は第2実施形態の制御システムの情報処理装置で実行される処理の流れの一部を示す図であり、(B)は当該制御システムの第1電子制御装置で実行される処理の流れの一部を示す図であり、(C)は当該制御システムの第2電子制御装置で実行される処理の流れの一部を示す図である。In Figure 5, (A) is a diagram showing a part of the processing flow executed by an information processing device of the control system of the second embodiment, (B) is a diagram showing a part of the processing flow executed by a first electronic control device of the control system, and (C) is a diagram showing a part of the processing flow executed by a second electronic control device of the control system. 図6は、第3実施形態の制御システムを示す概略構成図である。FIG. 6 is a schematic diagram showing the configuration of a control system according to the third embodiment. 図7において、(A)は第3実施形態の制御システムの情報処理装置で実行される処理の流れを示す図であり、(B)は当該制御システムの第1電子制御装置の第1実行装置が実行する処理の流れを示す図であり、(C)は当該第1電子制御装置の第2実行装置が実行する処理の流れを示す図である。In Figure 7, (A) is a diagram showing the processing flow executed by the information processing device of the control system of the third embodiment, (B) is a diagram showing the processing flow executed by the first execution device of the first electronic control device of the control system, and (C) is a diagram showing the processing flow executed by the second execution device of the first electronic control device. 図8は、第4実施形態の制御システムを示す概略構成図である。FIG. 8 is a schematic diagram showing the configuration of a control system according to the fourth embodiment. 図9において、(A)は第4実施形態の制御システムの情報処理装置で実行される処理の流れの一部を示す図であり、(B)は当該制御システムの第1電子制御装置で実行される処理の流れの一部を示す図であり、(C)は当該制御システムの第2電子制御装置で実行される処理の流れの一部を示す図である。In Figure 9, (A) is a diagram showing a part of the processing flow executed by an information processing device of the control system of the fourth embodiment, (B) is a diagram showing a part of the processing flow executed by a first electronic control device of the control system, and (C) is a diagram showing a part of the processing flow executed by a second electronic control device of the control system.
 (第1実施形態)
 以下、制御システムの第1実施形態を図1~図4に従って説明する。本明細書では、電子制御装置を「ECU」と記載する。「ECU」は「Electronic Control Unit」の略記である。 First Embodiment
A first embodiment of the control system will be described below with reference to Figures 1 to 4. In this specification, the electronic control unit is referred to as "ECU.""ECU" is an abbreviation of "Electronic Control Unit."
 図1は、車両10と、車両10の外部に設けられているデータセンタ100とを図示している。
 <データセンタ>
 データセンタ100は、車外ネットワーク200を介して車両10と各種の情報の送受信ができるように構成されている。すなわち、データセンタ100は、無線通信によって車両10と各種情報の送受信を行う。 FIG. 1 illustrates a vehicle 10 and a data center 100 provided outside the vehicle 10 .
<Data Center>
The data center 100 is configured to be able to transmit and receive various types of information to and from the vehicle 10 via the external vehicle network 200. That is, the data center 100 transmits and receives various types of information to and from the vehicle 10 by wireless communication.
 詳しくは後述するが、車両10は複数のECUを備えている。複数のECUのうちの何れかのECUの記憶装置のソフトウェアを更新するための更新用ソフトウェアが用意できた場合、データセンタ100は、車外ネットワーク200を介して当該更新用ソフトウェアを車両10に送信する。なお、車両10に設けられている複数のECUのうち、ソフトウェアを更新するECUを「更新対象ECU」という。 The vehicle 10 is equipped with multiple ECUs, which will be described in more detail later. When update software is prepared to update the software in the storage device of one of the multiple ECUs, the data center 100 transmits the update software to the vehicle 10 via the external vehicle network 200. Of the multiple ECUs provided in the vehicle 10, the ECU whose software is to be updated is referred to as the "ECU to be updated."
 <車両>
 車両10は、制御システム15とアクチュエータとを備えている。車両10は、アクチュエータとして、第1アクチュエータ11と第2アクチュエータ12とを備えている。第1アクチュエータ11及び第2アクチュエータ12は、車両10で発生する制動力を調整すべく作動する。 <Vehicles>
The vehicle 10 includes a control system 15 and an actuator. The actuators of the vehicle 10 include a first actuator 11 and a second actuator 12. The first actuator 11 and the second actuator 12 operate to adjust the braking force generated in the vehicle 10.
 <制御システム>
 制御システム15は、通信装置20と情報処理装置30とを備えている。通信装置20は、データセンタ100との情報を送受信するための車両側のインターフェースである。 <Control System>
The control system 15 includes a communication device 20 and an information processing device 30. The communication device 20 is an interface on the vehicle side for transmitting and receiving information to and from the data center 100.
 情報処理装置30は、ローカルネットワーク41を介して通信装置20と通信できるように構成されている。ローカルネットワーク41は、情報処理装置30と通信装置20との間のみで情報の送受信を行うためのネットワークである。 The information processing device 30 is configured to be able to communicate with the communication device 20 via the local network 41. The local network 41 is a network for transmitting and receiving information only between the information processing device 30 and the communication device 20.
 情報処理装置30は、データセンタ100から無線通信によって車両10に送信された更新用ソフトウェアを取得する。具体的には、情報処理装置30は、実行装置31と、記憶装置32と、格納装置33とを備えている。例えば、実行装置31はCPUであり、記憶装置32は不揮発性のメモリであり、格納装置33は揮発性のメモリである。記憶装置32は、実行装置31によって実行されるソフトウェアを記憶している。格納装置33は、通信装置20からローカルネットワーク41を介して送信された情報を一時的に格納する。すなわち、データセンタ100が、更新対象ECUを特定する情報及び更新用ソフトウェアを車両10に送信すると、通信装置20が、データセンタ100が送信した情報を受信する。そして、通信装置20は、受信した情報を、ローカルネットワーク41を介して情報処理装置30に送信する。すると、情報処理装置30の実行装置31は、ローカルネットワーク41を介して受信した情報、すなわち更新対象ECUを特定する情報及び更新用ソフトウェアを格納装置33に記憶させる。 The information processing device 30 acquires the update software transmitted from the data center 100 to the vehicle 10 by wireless communication. Specifically, the information processing device 30 includes an execution device 31, a storage device 32, and a storage device 33. For example, the execution device 31 is a CPU, the storage device 32 is a non-volatile memory, and the storage device 33 is a volatile memory. The storage device 32 stores the software executed by the execution device 31. The storage device 33 temporarily stores the information transmitted from the communication device 20 via the local network 41. That is, when the data center 100 transmits information identifying the ECU to be updated and the update software to the vehicle 10, the communication device 20 receives the information transmitted by the data center 100. The communication device 20 then transmits the received information to the information processing device 30 via the local network 41. Then, the execution device 31 of the information processing device 30 stores the information received via the local network 41, i.e., the information identifying the ECU to be updated and the update software, in the storage device 33.
 制御システム15は、グローバルネットワーク42と、複数のECUとを備えている。グローバルネットワーク42は、情報処理装置30と複数のECUとを通信可能に接続する車内ネットワークである。例えば、グローバルネットワーク42はCANバスである。CANは「Controller Area Network」の略記である。 The control system 15 includes a global network 42 and multiple ECUs. The global network 42 is an in-vehicle network that connects the information processing device 30 and the multiple ECUs so that they can communicate with each other. For example, the global network 42 is a CAN bus. CAN is an abbreviation for "Controller Area Network."
 複数のECUは、第1制動ECU60と、第2制動ECU70とを含んでいる。第1制動ECU60及び第2制動ECU70は、車両10で発生する制動力を調整するECUである。第1制動ECU60は、第1アクチュエータ11を作動させる。第2制動ECU70は、第2アクチュエータ12を作動させる。なお、複数のECUは、制動ECU60以外の他のECU50も含んでいる。 The multiple ECUs include a first braking ECU 60 and a second braking ECU 70. The first braking ECU 60 and the second braking ECU 70 are ECUs that adjust the braking force generated in the vehicle 10. The first braking ECU 60 operates the first actuator 11. The second braking ECU 70 operates the second actuator 12. The multiple ECUs also include ECUs 50 other than the braking ECU 60.
 制御システム15は、第1制動ECU60と第2制動ECU70との間のみで情報の送受信を行うためのローカルネットワーク43を備えている。ローカルネットワーク43は、その通信速度がグローバルネットワーク42の通信速度よりも高くなるように構成されている。そのため、制御システム15では、第1制動ECU60と第2制動ECU70との間で情報の送受信を行う場合、グローバルネットワーク42を使うこともできるし、ローカルネットワーク43を使うこともできる。 The control system 15 is equipped with a local network 43 for transmitting and receiving information only between the first brake ECU 60 and the second brake ECU 70. The local network 43 is configured so that its communication speed is higher than the communication speed of the global network 42. Therefore, when transmitting and receiving information between the first brake ECU 60 and the second brake ECU 70, the control system 15 can use either the global network 42 or the local network 43.
 <ECU>
 複数のECUは、実行装置と記憶装置と格納装置とをそれぞれ備えている。例えば、実行装置はCPUであり、記憶装置は不揮発性のメモリであり、格納装置は揮発性のメモリである。記憶装置には、実行装置が実行するソフトウェアが記憶される。格納装置には、実行装置の演算結果などが一時的に記憶される。 <ECU>
Each of the ECUs includes an execution device, a storage device, and a storage unit. For example, the execution device is a CPU, the storage device is a non-volatile memory, and the storage device is a volatile memory. The storage device stores software executed by the execution device. The storage device temporarily stores the results of calculations by the execution device, etc.
 詳しくは、第1制動ECU60の実行装置61は、記憶装置62のソフトウェアを実行することによって第1アクチュエータ11を制御する。実行装置61は、第1アクチュエータ11を制御するために演算した結果を格納装置63に一時的に記憶する。 In more detail, the execution device 61 of the first brake ECU 60 controls the first actuator 11 by executing software in the memory device 62. The execution device 61 temporarily stores the results of calculations performed to control the first actuator 11 in the storage device 63.
 第2制動ECU70の実行装置71は、記憶装置72のソフトウェアを実行することによって第2アクチュエータ12を制御する。実行装置71は、第2アクチュエータ12を制御するために演算した結果を格納装置73に一時的に記憶する。 The execution device 71 of the second brake ECU 70 controls the second actuator 12 by executing software in the memory device 72. The execution device 71 temporarily stores the results of calculations performed to control the second actuator 12 in the storage device 73.
 <ソフトウェアの更新処理>
 本実施形態では、制動ECUが備える記憶装置のソフトウェアを更新する手法について説明する。更新対象ECUが第1制動ECU60である場合、第1制動ECU60が「第1電子制御装置」に対応し、第2制動ECU70が「第2電子制御装置」に対応する。また、第1制動ECU60の実行装置61が「第1実行装置」に対応し、第2制動ECU70の実行装置71が「第2実行装置」に対応する。 <Software update process>
In this embodiment, a method of updating software in a storage device provided in a brake ECU will be described. When the ECU to be updated is the first brake ECU 60, the first brake ECU 60 corresponds to the "first electronic control device" and the second brake ECU 70 corresponds to the "second electronic control device." In addition, the execution device 61 of the first brake ECU 60 corresponds to the "first execution device" and the execution device 71 of the second brake ECU 70 corresponds to the "second execution device."
 図2及び図3を参照し、第1制動ECU60の記憶装置62のソフトウェアを更新する際の一連の処理の流れを説明する。図2(A)及び図3(A)は情報処理装置30の実行装置31が実行する処理ルーチンを示している。図2(B)及び図3(B)は第1制動ECU60の実行装置61が実行する処理ルーチンを示している。図2(C)及び図3(C)は第2制動ECU70の実行装置71が実行する処理ルーチンを示している。すなわち、図2(B)及び図3(B)に示す処理ルーチンが第1電子制御装置で実行される処理ルーチンであり、図2(C)及び図3(C)に示す処理ルーチンが第2電子制御装置で実行される処理ルーチンであるとも云える。 With reference to Figures 2 and 3, a series of processing steps when updating the software of the storage device 62 of the first brake ECU 60 will be described. Figures 2(A) and 3(A) show the processing routine executed by the execution device 31 of the information processing device 30. Figures 2(B) and 3(B) show the processing routine executed by the execution device 61 of the first brake ECU 60. Figures 2(C) and 3(C) show the processing routine executed by the execution device 71 of the second brake ECU 70. In other words, it can be said that the processing routine shown in Figures 2(B) and 3(B) is the processing routine executed by the first electronic control device, and the processing routine shown in Figures 2(C) and 3(C) is the processing routine executed by the second electronic control device.
 情報処理装置30の実行装置31は、第1制動ECU60向けの更新用ソフトウェアを取得すると、図2(A)及び図3(A)に示す処理ルーチンの実行を開始する。ステップS11において、実行装置31は、実行装置の制御モードを通常モードから更新モードに変更することを第1制動ECU60及び第2制動ECU70の双方に要求する。通常モードとは、アクチュエータを制御する際の制御モードである。更新モードは、記憶装置のソフトウェアを更新する際の制御モードである。 When the execution unit 31 of the information processing device 30 acquires the update software for the first brake ECU 60, it starts executing the processing routine shown in FIG. 2(A) and FIG. 3(A). In step S11, the execution unit 31 requests both the first brake ECU 60 and the second brake ECU 70 to change the control mode of the execution unit from normal mode to update mode. The normal mode is the control mode when controlling the actuator. The update mode is the control mode when updating the software of the storage device.
 次のステップS13において、情報処理装置30の実行装置31は、モードの変更が完了した旨の通知を第1制動ECU60及び第2制動ECU70の何れもから受信したか否かを判定する。実行装置31は、第1制動ECU60及び第2制動ECU70の何れもから上記通知を受信している場合(S13:YES)、処理をステップS15に移行する。一方、実行装置31は、第1制動ECU60及び第2制動ECU70のうちの少なくとも一方から上記通知を受信していない場合(S13:NO)、処理をステップS11に戻す。すなわち、実行装置31は、第1制動ECU60及び第2制動ECU70の何れもから上記通知を受信するまで、第1制動ECU60及び第2制動ECU70にモード変更を要求し続ける。 In the next step S13, the execution device 31 of the information processing device 30 determines whether or not it has received a notification from both the first brake ECU 60 and the second brake ECU 70 that the mode change has been completed. If the execution device 31 has received the notification from both the first brake ECU 60 and the second brake ECU 70 (S13: YES), the process proceeds to step S15. On the other hand, if the execution device 31 has not received the notification from at least one of the first brake ECU 60 and the second brake ECU 70 (S13: NO), the process returns to step S11. In other words, the execution device 31 continues to request the first brake ECU 60 and the second brake ECU 70 to change the mode until it receives the notification from both the first brake ECU 60 and the second brake ECU 70.
 図2(B)及び図3(B)に示すように、ステップS101において、第1制動ECU60の実行装置61は、モード変更の要求を情報処理装置30から受信したか否かを判定する。実行装置61は、モード変更の要求を受信した場合(S101:YES)、処理をステップS103に移行する。一方、実行装置61は、モード変更の要求を受信していない場合(S101:NO)、要求を受信するまでステップS101の判定を繰り返し実行する。ステップS103において、実行装置61は、自身をリセットし、制御モードを更新モードに変更して再起動する。続いてステップS105において、実行装置61は、通常モードから更新モードへの変更が完了した旨の通知を情報処理装置30に送信する。具体的には、実行装置61は、当該通知を、グローバルネットワーク42を介して情報処理装置30に送信する。次のステップS107において、実行装置61は、記憶装置62から更新前のソフトウェアの消去を開始する。その後、実行装置61は処理をステップS109に移行する。 2(B) and 3(B), in step S101, the execution device 61 of the first brake ECU 60 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 61 receives a mode change request (S101: YES), the process proceeds to step S103. On the other hand, if the execution device 61 has not received a mode change request (S101: NO), the execution device 61 repeats the judgment of step S101 until the request is received. In step S103, the execution device 61 resets itself, changes the control mode to the update mode, and restarts. Then, in step S105, the execution device 61 transmits a notification to the information processing device 30 that the change from the normal mode to the update mode has been completed. Specifically, the execution device 61 transmits the notification to the information processing device 30 via the global network 42. In the next step S107, the execution device 61 starts erasing the pre-update software from the storage device 62. The execution device 61 then transitions to step S109.
 図2(C)及び図3(C)に示すように、ステップS201において、第2制動ECU70の実行装置71は、モード変更の要求を情報処理装置30から受信したか否かを判定する。実行装置71は、モード変更の要求を受信した場合(S201:YES)、処理をステップS203に移行する。一方、実行装置71は、モード変更の要求を受信していない場合(S201:NO)、要求を受信するまでステップS201の判定を繰り返し実行する。ステップS203において、実行装置71は、自身をリセットし、制御モードを更新モードに変更して再起動する。続いてステップS205において、実行装置71は、通常モードから更新モードへの変更が完了した旨の通知を情報処理装置30に送信する。具体的には、実行装置71は、当該通知を、グローバルネットワーク42を介して情報処理装置30に送信する。そして、実行装置71は処理をステップS207に移行する。 2(C) and 3(C), in step S201, the execution device 71 of the second brake ECU 70 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 71 receives a mode change request (S201: YES), the process proceeds to step S203. On the other hand, if the execution device 71 has not received a mode change request (S201: NO), the execution device 71 repeats the judgment of step S201 until the request is received. In step S203, the execution device 71 resets itself, changes the control mode to the update mode, and restarts. Next, in step S205, the execution device 71 transmits a notification to the information processing device 30 that the change from the normal mode to the update mode has been completed. Specifically, the execution device 71 transmits the notification to the information processing device 30 via the global network 42. Then, the execution device 71 transitions the process to step S207.
 図2(A)及び図3(A)に示すように、ステップS15において、情報処理装置30の実行装置31は、計数Mとして1を設定する。すると、実行装置31は、第1制動ECU60向けの更新用ソフトウェアをN個に分割する。「N」は3以上の整数である。そして、ステップS17において、実行装置31は、N個に分割した更新用ソフトウェアのうちの1つである第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第1制動ECU60に送信する。この際、実行装置31は、暗号化された第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第1制動ECU60に送信する。なお、計数Mが1である場合、実行装置31は、暗号化された第1更新用分割ソフトウェアを第1制動ECU60に送信する。 2(A) and 3(A), in step S15, the execution unit 31 of the information processing device 30 sets a count M to 1. The execution unit 31 then divides the update software for the first brake ECU 60 into N pieces, where "N" is an integer equal to or greater than 3. In step S17, the execution unit 31 transmits the Mth update split software, which is one of the N pieces of update software, to the first brake ECU 60 via the global network 42. At this time, the execution unit 31 transmits the encrypted Mth update split software to the first brake ECU 60 via the global network 42. Note that if the count M is 1, the execution unit 31 transmits the encrypted first update split software to the first brake ECU 60.
 ステップS19において、情報処理装置30の実行装置31は、計数Mを1だけインクリメントする。次のステップS21において、実行装置31は、N個に分割した更新用ソフトウェアのうちの1つである第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第2制動ECU70に送信する。この際、実行装置31は、暗号化された第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第2制動ECU70に送信する。ここで第2制動ECU70に送信する更新用分割ソフトウェアは、ステップS17で第1制動ECU60に送信した更新用分割ソフトウェアとは別の更新用分割ソフトウェアである。なお、計数Mが2である場合、実行装置31は、暗号化された第2更新用分割ソフトウェアを第2制動ECU70に送信する。 In step S19, the execution unit 31 of the information processing device 30 increments the count M by 1. In the next step S21, the execution unit 31 transmits the Mth update split software, which is one of the N pieces of divided update software, to the second brake ECU 70 via the global network 42. At this time, the execution unit 31 transmits the encrypted Mth update split software to the second brake ECU 70 via the global network 42. The update split software transmitted to the second brake ECU 70 here is different from the update split software transmitted to the first brake ECU 60 in step S17. Note that if the count M is 2, the execution unit 31 transmits the encrypted second update split software to the second brake ECU 70.
 ステップS23において、情報処理装置30の実行装置31は、計数Mを1だけインクリメントする。次のステップS25において、実行装置31は、更新用分割ソフトウェアの送信が完了したか否かを判定する。本実施形態では、実行装置31は、計数Mが分割数Nよりも大きい場合、N個の更新用分割ソフトウェアの送信が完了したと判定する。一方、実行装置31は、計数Mが分割数N以下である場合、N個の更新用分割ソフトウェアの中に未だ送信していない更新用分割ソフトウェアがあるため、更新用分割ソフトウェアの送信が完了していないと判定する。そして、実行装置31は、更新用分割ソフトウェアの送信が完了した場合(S25:YES)、処理をステップS27に移行する。一方、実行装置31は、更新用分割ソフトウェアの送信が完了していない場合(S25:NO)、処理をステップS17に戻す。すなわち、実行装置31は、更新用分割ソフトウェアの送信を続行する。 In step S23, the execution unit 31 of the information processing device 30 increments the count M by 1. In the next step S25, the execution unit 31 determines whether the transmission of the update divided software has been completed. In this embodiment, if the count M is greater than the number of divisions N, the execution unit 31 determines that the transmission of N pieces of update divided software has been completed. On the other hand, if the count M is equal to or less than the number of divisions N, the execution unit 31 determines that the transmission of the update divided software has not been completed because there is update divided software among the N pieces of update divided software that has not yet been transmitted. Then, if the execution unit 31 has completed the transmission of the update divided software (S25: YES), the processing proceeds to step S27. On the other hand, if the execution unit 31 has not completed the transmission of the update divided software (S25: NO), the processing returns to step S17. That is, the execution unit 31 continues the transmission of the update divided software.
 図2(B)及び図3(B)に示すように、ステップS109において、第1制動ECU60の実行装置61は、第M更新用分割ソフトウェアをグローバルネットワーク42から受信したか否かを判定する。計数Mが1である場合、実行装置61は、第1更新用分割ソフトウェアを受信したか否かを判定する。実行装置61は、第M更新用分割ソフトウェアを受信した場合(S109:YES)、処理をステップS111に移行する。一方、実行装置61は、第M更新用分割ソフトウェアを受信していない場合(S109:NO)、第M更新用分割ソフトウェアを受信するまでステップS109の判定を繰り返し実行する。 As shown in Figures 2 (B) and 3 (B), in step S109, the execution unit 61 of the first brake ECU 60 determines whether or not it has received the Mth update divided software from the global network 42. If the count M is 1, the execution unit 61 determines whether or not it has received the first update divided software. If the execution unit 61 has received the Mth update divided software (S109: YES), it transitions to step S111. On the other hand, if the execution unit 61 has not received the Mth update divided software (S109: NO), it repeats the determination in step S109 until it receives the Mth update divided software.
 ステップS111において、第1制動ECU60の実行装置61は、情報処理装置30から受信した第M更新用分割ソフトウェアを復号する。そしてステップS113において、実行装置61は、自身で復号した第M更新用分割ソフトウェアを記憶装置62に書き込む。例えば計数Mが1である場合、実行装置61は、第1更新用分割ソフトウェアを復号し、復号済みの第1更新用分割ソフトウェアを記憶装置62に書き込む。その後、実行装置61は処理をステップS115に移行する。 In step S111, the execution device 61 of the first brake ECU 60 decrypts the Mth update split software received from the information processing device 30. Then, in step S113, the execution device 61 writes the Mth update split software that it has decrypted into the storage device 62. For example, if the count M is 1, the execution device 61 decrypts the first update split software and writes the decrypted first update split software into the storage device 62. The execution device 61 then transitions to step S115.
 図2(C)及び図3(C)に示すように、ステップS207において、第2制動ECU70の実行装置71は、第M更新用分割ソフトウェアをグローバルネットワーク42から受信したか否かを判定する。計数Mが2である場合、実行装置71は、第2更新用分割ソフトウェアを受信したか否かを判定する。実行装置71は、第M更新用分割ソフトウェアを受信した場合(S207:YES)、処理をステップS209に移行する。一方、実行装置71は、第M更新用分割ソフトウェアを受信していない場合(S207:NO)、第M更新用分割ソフトウェアを受信するまでステップS207の判定を繰り返し実行する。 As shown in Figures 2 (C) and 3 (C), in step S207, the execution unit 71 of the second brake ECU 70 determines whether or not it has received the Mth update divided software from the global network 42. If the count M is 2, the execution unit 71 determines whether or not it has received the second update divided software. If the execution unit 71 has received the Mth update divided software (S207: YES), the process proceeds to step S209. On the other hand, if the execution unit 71 has not received the Mth update divided software (S207: NO), the execution unit 71 repeatedly executes the determination in step S207 until it receives the Mth update divided software.
 ステップS209において、第2制動ECU70の実行装置71は、情報処理装置30から受信した第M更新用分割ソフトウェアを復号する。そしてステップS211において、実行装置71は、復号した第M更新用分割ソフトウェアを、ローカルネットワーク43を介して第1制動ECU60に送信する。例えば計数Mが2である場合、実行装置71は、第2更新用分割ソフトウェアを復号し、復号済みの第2更新用分割ソフトウェアを、ローカルネットワーク43を介して第1制動ECU60に送信する。その後、実行装置71は処理をステップS213に移行する。 In step S209, the execution unit 71 of the second brake ECU 70 decrypts the Mth update split software received from the information processing device 30. Then, in step S211, the execution unit 71 transmits the decrypted Mth update split software to the first brake ECU 60 via the local network 43. For example, when the count M is 2, the execution unit 71 decrypts the second update split software and transmits the decrypted second update split software to the first brake ECU 60 via the local network 43. The execution unit 71 then transitions to step S213.
 ステップS213において、第2制動ECU70の実行装置71は、第1制動ECU60の記憶装置62のソフトウェアの更新が完了したか否かを判定する。実行装置71は、更新が完了した場合(S213:YES)、処理をステップS215に移行する。一方、実行装置71は、更新が完了していない場合(S213:NO)、処理をステップS207に戻す。すなわち、実行装置71は、記憶装置62のソフトウェアの更新が完了するまで、ステップS207からステップS211までの処理を繰り返し実行する。 In step S213, the execution unit 71 of the second brake ECU 70 determines whether the software update of the storage device 62 of the first brake ECU 60 has been completed. If the update has been completed (S213: YES), the execution unit 71 proceeds to step S215. On the other hand, if the update has not been completed (S213: NO), the execution unit 71 returns the process to step S207. In other words, the execution unit 71 repeatedly executes the processes from step S207 to step S211 until the software update of the storage device 62 has been completed.
 図2(B)及び図3(B)に示すように、ステップS115において、第1制動ECU60の実行装置61は、ローカルネットワーク43を介して第2制動ECU70から復号済みの第M更新用分割ソフトウェアを受信したか否かを判定する。実行装置61は、第2制動ECU70から第M更新用分割ソフトウェアを受信した場合(S115:YES)、処理をステップS117に移行する。一方、実行装置61は、第2制動ECU70から第M更新用分割ソフトウェアを受信していない場合(S115:NO)、第2制動ECU70から第M更新用分割ソフトウェアを受信するまでステップS115の判定を繰り返し実行する。ステップS117において、実行装置61は、第2制動ECU70から受信した復号済みの第M更新用分割ソフトウェアを記憶装置62に書き込む。例えば計数Mが2である場合、実行装置61は、復号済みの第2更新用分割ソフトウェアを第2制動ECU70からローカルネットワーク43を介して受信すると、当該第2更新用分割ソフトウェアを記憶装置62に書き込む。その後、実行装置61は処理をステップS119に移行する。 As shown in Figures 2 (B) and 3 (B), in step S115, the execution device 61 of the first brake ECU 60 determines whether or not it has received the decrypted Mth update split software from the second brake ECU 70 via the local network 43. If the execution device 61 has received the Mth update split software from the second brake ECU 70 (S115: YES), the processing proceeds to step S117. On the other hand, if the execution device 61 has not received the Mth update split software from the second brake ECU 70 (S115: NO), the execution device 61 repeatedly executes the determination of step S115 until it receives the Mth update split software from the second brake ECU 70. In step S117, the execution device 61 writes the decrypted Mth update split software received from the second brake ECU 70 to the storage device 62. For example, if the count M is 2, when the execution device 61 receives the decrypted second update divided software from the second brake ECU 70 via the local network 43, it writes the second update divided software to the storage device 62. After that, the execution device 61 transitions the process to step S119.
 ステップS119において、第1制動ECU60の実行装置61は、記憶装置62のソフトウェアの更新が完了したか否かを判定する。実行装置61は、更新が完了した場合(S119:YES)、処理をステップS121に移行する。一方、実行装置61は、更新が完了していない場合(S119:NO)、処理をステップS109に戻す。すなわち、実行装置61は、記憶装置62のソフトウェアの更新が完了するまで、ステップS109からステップS117までの処理を繰り返し実行する。 In step S119, the execution unit 61 of the first brake ECU 60 determines whether the software update of the storage device 62 has been completed. If the update has been completed (S119: YES), the execution unit 61 proceeds to step S121. On the other hand, if the update has not been completed (S119: NO), the execution unit 61 returns the process to step S109. In other words, the execution unit 61 repeatedly executes the processes from step S109 to step S117 until the software update of the storage device 62 is completed.
 図2(A)及び図3(A)に示すように、ステップS27において、情報処理装置30の実行装置31は、実行装置の制御モードを更新モードから通常モードに変更することを第1制動ECU60及び第2制動ECU70の何れにも要求する。ステップS29において、実行装置31は、モードの変更が完了した旨の通知を第1制動ECU60及び第2制動ECU70の何れもから受信したか否かを判定する。実行装置31は、第1制動ECU60及び第2制動ECU70の何れからも上記通知を受信している場合(S29:YES)、図2(A)及び図3(A)に示す処理ルーチンを終了する。一方、実行装置31は、第1制動ECU60及び第2制動ECU70のうちの少なくとも一方から上記通知を受信していない場合(S29:NO)、処理をステップS27に戻す。すなわち、実行装置31は、第1制動ECU60及び第2制動ECU70の何れからも上記通知を受信するまで、第1制動ECU60及び第2制動ECU70にモード変更を要求し続ける。 As shown in Figures 2(A) and 3(A), in step S27, the execution device 31 of the information processing device 30 requests both the first brake ECU 60 and the second brake ECU 70 to change the control mode of the execution device from the update mode to the normal mode. In step S29, the execution device 31 determines whether or not it has received a notification from both the first brake ECU 60 and the second brake ECU 70 that the mode change has been completed. If the execution device 31 has received the above notification from both the first brake ECU 60 and the second brake ECU 70 (S29: YES), it ends the processing routine shown in Figures 2(A) and 3(A). On the other hand, if the execution device 31 has not received the above notification from at least one of the first brake ECU 60 and the second brake ECU 70 (S29: NO), it returns the processing to step S27. That is, the execution device 31 continues to request the first brake ECU 60 and the second brake ECU 70 to change modes until the execution device 31 receives the above notification from both the first brake ECU 60 and the second brake ECU 70.
 図2(B)及び図3(B)に示すように、ステップS121において、第1制動ECU60の実行装置61は、モード変更の要求を情報処理装置30から受信したか否かを判定する。実行装置61は、モード変更の要求を受信した場合(S121:YES)、処理をステップS123に移行する。一方、実行装置61は、モード変更の要求を受信していない場合(S121:NO)、要求を受信するまでステップS121の判定を繰り返し実行する。ステップS123において、実行装置61は、自身をリセットし、制御モードを更新モードから通常モードに変更して再起動する。続いてステップS125において、実行装置61は、更新モードから通常モードへの変更が完了した旨の通知を情報処理装置30に送信する。その後、実行装置61は図2(B)及び図3(B)に示す処理ルーチンを終了する。 2(B) and 3(B), in step S121, the execution device 61 of the first brake ECU 60 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 61 receives a mode change request (S121: YES), the process proceeds to step S123. On the other hand, if the execution device 61 has not received a mode change request (S121: NO), the execution device 61 repeats the judgment of step S121 until a request is received. In step S123, the execution device 61 resets itself, changes the control mode from the update mode to the normal mode, and restarts. Next, in step S125, the execution device 61 transmits a notification to the information processing device 30 that the change from the update mode to the normal mode has been completed. Thereafter, the execution device 61 ends the processing routine shown in FIG. 2(B) and FIG. 3(B).
 図2(C)及び図3(C)に示すように、ステップS215において、第2制動ECU70の実行装置71は、モード変更の要求を情報処理装置30から受信したか否かを判定する。実行装置71は、モード変更の要求を受信した場合(S215:YES)、処理をステップS217に移行する。一方、実行装置71は、モード変更の要求を受信していない場合(S215:NO)、要求を受信するまでステップS215の判定を繰り返し実行する。ステップS217において、実行装置71は、自身をリセットし、制御モードを更新モードから通常モードに変更して再起動する。続いてステップS219において、実行装置71は、更新モードから通常モードへの変更が完了した旨の通知を情報処理装置30に送信する。その後、実行装置71は図2(C)及び図3(C)に示す処理ルーチンを終了する。 2(C) and 3(C), in step S215, the execution device 71 of the second brake ECU 70 determines whether or not a mode change request has been received from the information processing device 30. If the execution device 71 receives a mode change request (S215: YES), the process proceeds to step S217. On the other hand, if the execution device 71 has not received a mode change request (S215: NO), the execution device 71 repeats the determination in step S215 until a request is received. In step S217, the execution device 71 resets itself, changes the control mode from the update mode to the normal mode, and restarts. Next, in step S219, the execution device 71 transmits a notification to the information processing device 30 that the change from the update mode to the normal mode has been completed. Thereafter, the execution device 71 ends the processing routine shown in FIG. 2(C) and FIG. 3(C).
 なお、制御システム15では、第2制動ECU70の記憶装置72のソフトウェアを更新することもある。この場合、第2制動ECU70が更新対象ECUとなるため、第2制動ECU70が「第1電子制御装置」に対応し、第1制動ECU60が「第2電子制御装置」に対応することになる。また、第2制動ECU70の実行装置71が「第1実行装置」に対応し、第1制動ECU60の実行装置61が「第2実行装置」に対応することになる。そのため、第2制動ECU70の実行装置71が図2(B)及び図3(B)に示す処理ルーチンを実行し、第1制動ECU60の実行装置61が図2(C)及び図3(C)に示す処理ルーチンを実行する。 In addition, in the control system 15, the software of the storage device 72 of the second brake ECU 70 may be updated. In this case, since the second brake ECU 70 is the ECU to be updated, the second brake ECU 70 corresponds to the "first electronic control device" and the first brake ECU 60 corresponds to the "second electronic control device." In addition, the execution device 71 of the second brake ECU 70 corresponds to the "first execution device" and the execution device 61 of the first brake ECU 60 corresponds to the "second execution device." Therefore, the execution device 71 of the second brake ECU 70 executes the processing routines shown in Figures 2(B) and 3(B), and the execution device 61 of the first brake ECU 60 executes the processing routines shown in Figures 2(C) and 3(C).
 <本実施形態の作用及び効果>
 図4を参照し、第1制動ECU60の記憶装置62のソフトウェアを更新する際の作用を説明する。ここでは、説明理解の便宜上、更新用分割ソフトウェアの分割数Nが6であるものとする。 <Actions and Effects of the Present Embodiment>
4, a description will be given of an operation when updating the software in the storage device 62 of the first brake ECU 60. For ease of understanding, it is assumed here that the division number N of the divided software for updating is six.
 記憶装置62のソフトウェアを更新する場合、図4(C)に示すように、第1制動ECU60では、タイミングt11から、更新前のソフトウェアが記憶装置62から消去され始める。すると、情報処理装置30では、更新用ソフトウェアが6個に分割される。すなわち、6個の更新用分割ソフトウェアA1~A6が生成される。そして、図4(A)及び(B)に示すように、タイミングt12から、暗号化された第1更新用分割ソフトウェアA1がグローバルネットワーク42を介して第1制動ECU60に送信される。続いて、図4(A)及び(D)に示すように、情報処理装置30では、タイミングt13から、暗号化された第2更新用分割ソフトウェアA2がグローバルネットワーク42を介して第2制動ECU70に送信される。 When updating the software in the storage device 62, as shown in FIG. 4(C), in the first brake ECU 60, from timing t11, the pre-update software begins to be erased from the storage device 62. Then, in the information processing device 30, the update software is divided into six pieces. That is, six pieces of update divided software A1 to A6 are generated. Then, as shown in FIGS. 4(A) and (B), from timing t12, the encrypted first update divided software A1 is transmitted to the first brake ECU 60 via the global network 42. Next, as shown in FIGS. 4(A) and (D), in the information processing device 30, from timing t13, the encrypted second update divided software A2 is transmitted to the second brake ECU 70 via the global network 42.
 第1制動ECU60では、第1更新用分割ソフトウェアA1を受信すると、第1更新用分割ソフトウェアA1が復号される。図4に示す例では、更新用分割ソフトウェアを消去する処理がタイミングt15まで実行される。そのため、タイミングt15から、復号済みの第1更新用分割ソフトウェアA1の記憶装置62への書き込みが開始される。 When the first brake ECU 60 receives the first update divided software A1, the first update divided software A1 is decrypted. In the example shown in FIG. 4, the process of deleting the update divided software is executed until timing t15. Therefore, from timing t15, writing of the decrypted first update divided software A1 to the storage device 62 begins.
 一方、第2制動ECU70では、グローバルネットワーク42を介して第2更新用分割ソフトウェアA2を受信すると、第2更新用分割ソフトウェアA2が復号される。すなわち、第1制動ECU60で第1更新用分割ソフトウェアA1を復号している間でも、第2制動ECU70で第2更新用分割ソフトウェアA2の復号を行うことができる。第2制動ECU70では、第2更新用分割ソフトウェアA2が復号されると、図4(B)及び(D)に示すように、タイミングt14から、復号済みの第2更新用分割ソフトウェアA2が、ローカルネットワーク43を介して第1制動ECU60に送信される。図4(C)に示すように、第1制動ECU60では、第1更新用分割ソフトウェアA1が記憶装置62に書き込まれた後、第2更新用分割ソフトウェアA2の記憶装置62への書き込みが開始される。 On the other hand, when the second brake ECU 70 receives the second update divided software A2 via the global network 42, the second brake ECU 70 decodes the second update divided software A2. That is, even while the first brake ECU 60 is decoding the first update divided software A1, the second brake ECU 70 can decode the second update divided software A2. When the second brake ECU 70 decodes the second update divided software A2, as shown in FIGS. 4(B) and (D), the decoded second update divided software A2 is transmitted to the first brake ECU 60 via the local network 43 from timing t14. As shown in FIG. 4(C), the first brake ECU 60 writes the first update divided software A1 to the storage device 62, and then starts writing the second update divided software A2 to the storage device 62.
 第1制動ECU60での第2更新用分割ソフトウェアA2の記憶装置62への書き込みが完了すると、情報処理装置30では、暗号化された第3更新用分割ソフトウェアA3が第1制動ECU60に送信される。この際も、第3更新用分割ソフトウェアA3は、グローバルネットワーク42を介して第1制動ECU60に送信される。続いて、情報処理装置30では、暗号化された第4更新用分割ソフトウェアA4が第2制動ECU70に送信される。この際も、第4更新用分割ソフトウェアA4は、グローバルネットワーク42を介して第2制動ECU70に送信される。 When the writing of the second update divided software A2 to the storage device 62 in the first brake ECU 60 is completed, the information processing device 30 transmits the encrypted third update divided software A3 to the first brake ECU 60. At this time, the third update divided software A3 is also transmitted to the first brake ECU 60 via the global network 42. Next, the information processing device 30 transmits the encrypted fourth update divided software A4 to the second brake ECU 70. At this time, the fourth update divided software A4 is also transmitted to the second brake ECU 70 via the global network 42.
 第1制動ECU60では、第3更新用分割ソフトウェアA3を受信すると、第3更新用分割ソフトウェアA3が復号される。そして、復号済みの第3更新用分割ソフトウェアA3が記憶装置62に書き込まれる。 When the first brake ECU 60 receives the third update divided software A3, the third update divided software A3 is decrypted. Then, the decrypted third update divided software A3 is written to the storage device 62.
 第2制動ECU70では、第4更新用分割ソフトウェアA4を受信すると、第4更新用分割ソフトウェアA4が復号される。すなわち、第1制動ECU60で第3更新用分割ソフトウェアA3が復号されている間でも、第2制動ECU70では第4更新用分割ソフトウェアA4の復号を行うことができる。第4更新用分割ソフトウェアA4が復号されると、復号済みの第4更新用分割ソフトウェアA4が、ローカルネットワーク43を介して第1制動ECU60に送信される。第1制動ECU60では、第3更新用分割ソフトウェアA3が記憶装置62に書き込まれた後に、第4更新用分割ソフトウェアA4が記憶装置62に書き込まれる。 When the second brake ECU 70 receives the fourth update divided software A4, it decodes the fourth update divided software A4. That is, even while the first brake ECU 60 is decoded the third update divided software A3, the second brake ECU 70 can decode the fourth update divided software A4. When the fourth update divided software A4 is decoded, the decoded fourth update divided software A4 is transmitted to the first brake ECU 60 via the local network 43. In the first brake ECU 60, the third update divided software A3 is written to the storage device 62, and then the fourth update divided software A4 is written to the storage device 62.
 第1制動ECU60による第4更新用分割ソフトウェアA4の記憶装置62への書き込みが完了すると、情報処理装置30では、暗号化された第5更新用分割ソフトウェアA5が第1制動ECU60に送信される。この際も、第5更新用分割ソフトウェアA5は、グローバルネットワーク42を介して第1制動ECU60に送信される。第5更新用分割ソフトウェアA5が送信されると、情報処理装置30では、暗号化された第6更新用分割ソフトウェアA6が第2制動ECU70に送信される。この際も、第6更新用分割ソフトウェアA6は、グローバルネットワーク42を介して第2制動ECU70に送信される。 When the first brake ECU 60 has completed writing the fourth update divided software A4 to the storage device 62, the information processing device 30 transmits the encrypted fifth update divided software A5 to the first brake ECU 60. At this time, the fifth update divided software A5 is also transmitted to the first brake ECU 60 via the global network 42. After the fifth update divided software A5 is transmitted, the information processing device 30 transmits the encrypted sixth update divided software A6 to the second brake ECU 70. At this time, the sixth update divided software A6 is also transmitted to the second brake ECU 70 via the global network 42.
 第1制動ECU60では、第5更新用分割ソフトウェアA5を受信すると、第5更新用分割ソフトウェアA5が復号される。そして、復号済みの第5更新用分割ソフトウェアA5が記憶装置62に書き込まれる。 When the first brake ECU 60 receives the fifth update divided software A5, the fifth update divided software A5 is decrypted. Then, the decrypted fifth update divided software A5 is written to the storage device 62.
 第2制動ECU70では、第6更新用分割ソフトウェアA6を受信すると、第6更新用分割ソフトウェアA6が復号される。すなわち、第1制動ECU60で第5更新用分割ソフトウェアA5が復号されている間でも、第2制動ECU70では第6更新用分割ソフトウェアA6の復号を行うことができる。第6更新用分割ソフトウェアA6が復号されると、復号済みの第6更新用分割ソフトウェアA6が、ローカルネットワーク43を介して第1制動ECU60に送信される。第1制動ECU60では、第5更新用分割ソフトウェアA5が記憶装置62に書き込まれた後に、第6更新用分割ソフトウェアA6が記憶装置62に書き込まれる。これにより、記憶装置62のソフトウェアの更新が完了する。 When the second brake ECU 70 receives the sixth update divided software A6, it decodes the sixth update divided software A6. That is, even while the first brake ECU 60 is decoded the fifth update divided software A5, the second brake ECU 70 can decode the sixth update divided software A6. When the sixth update divided software A6 is decoded, the decoded sixth update divided software A6 is transmitted to the first brake ECU 60 via the local network 43. In the first brake ECU 60, the fifth update divided software A5 is written to the storage device 62, and then the sixth update divided software A6 is written to the storage device 62. This completes the software update of the storage device 62.
 本実施形態では、以下に示す効果を得ることができる。
 (1-1)情報処理装置30は、第1更新用分割ソフトウェアA1を第1制動ECU60に送信すると、次の更新用分割ソフトウェア(この場合、第2更新用分割ソフトウェアA2)を第2制動ECU70に送信する。そして、第1制動ECU60の実行装置61が、第1更新用分割ソフトウェアA1を復号している間、第2制動ECU70の実行装置71は、第2更新用分割ソフトウェアA2を復号できる。すなわち、情報処理装置30は、第1更新用分割ソフトウェアA1の復号が完了するまで、第2更新用分割ソフトウェアA2の送信を待たなくてもよい。つまり、情報処理装置30が更新用分割ソフトウェアの送信を待機する状態になる時間を短くできる。したがって、制御システム15は、第1制動ECU60の記憶装置62のソフトウェアを更新する場合において、ソフトウェアの更新に要する時間が長くなることを抑制できる。 In this embodiment, the following effects can be obtained.
(1-1) When the information processing device 30 transmits the first update divided software A1 to the first brake ECU 60, it transmits the next update divided software (in this case, the second update divided software A2) to the second brake ECU 70. Then, while the execution device 61 of the first brake ECU 60 is decrypting the first update divided software A1, the execution device 71 of the second brake ECU 70 can decrypt the second update divided software A2. That is, the information processing device 30 does not need to wait for the transmission of the second update divided software A2 until the decoding of the first update divided software A1 is completed. That is, the time during which the information processing device 30 is in a state of waiting for the transmission of the update divided software can be shortened. Therefore, when updating the software of the storage device 62 of the first brake ECU 60, the control system 15 can suppress the time required for updating the software from becoming long.
 (1-2)制御システム15では、複数の実行装置61,71で分担して更新用分割ソフトウェアを復号する。そのため、1つの実行装置のみでN個の更新用分割ソフトウェアの復号を行う場合と比較し、ソフトウェアの更新時での実行装置の負担を低減できる。 (1-2) In the control system 15, multiple execution devices 61, 71 share the task of decrypting the update divided software. Therefore, the burden on the execution devices during software updates can be reduced compared to when only one execution device decrypts N pieces of update divided software.
 (1-3)第2制動ECU70は、復号済みの更新用分割ソフトウェアを、ローカルネットワーク43を介して第1制動ECU60に送信する。そのため、第2制動ECU70と第1制動ECU60との間でグローバルネットワーク42を介して更新用分割ソフトウェアを送信する場合と比較し、送信に要する時間を短くできる。これにより、ソフトウェアの更新に要する時間の短縮に貢献できる。 (1-3) The second brake ECU 70 transmits the decrypted divided update software to the first brake ECU 60 via the local network 43. This reduces the time required for transmission compared to transmitting the divided update software between the second brake ECU 70 and the first brake ECU 60 via the global network 42. This contributes to reducing the time required for software updates.
 (第2実施形態)
 制御システムの第2実施形態を図5に従って説明する。なお、第2実施形態では、情報処理装置から第2電子制御装置に更新用分割ソフトウェアが直接送信されない点などが第1実施形態と異なっている。以下の説明においては、第1実施形態と相違する部分について主に説明するものとし、第1実施形態と同一の部材構成には同一符号を付して重複説明を省略するものとする。 Second Embodiment
A second embodiment of the control system will be described with reference to Fig. 5. The second embodiment differs from the first embodiment in that the update division software is not directly transmitted from the information processing device to the second electronic control unit. In the following description, the differences from the first embodiment will be mainly described, and the same reference numerals will be used to designate the same components as those in the first embodiment, and duplicated description will be omitted.
 図5を参照し、第1制動ECU60の記憶装置62のソフトウェアを更新する際の一連の処理の流れを説明する。図5(A)は情報処理装置30の実行装置31が実行する処理ルーチンの一部を示している。図5(B)は第1制動ECU60の実行装置61が実行する処理ルーチンの一部を示している。図5(C)は第2制動ECU70の実行装置71が実行する処理ルーチンの一部を示している。すなわち、図5(B)に示す処理ルーチンが第1電子制御装置で実行される処理ルーチンの一部であり、図5(C)に示す処理ルーチンが第2電子制御装置で実行される処理ルーチンの一部であるとも云える。 With reference to Figure 5, a series of processing steps when updating software in the memory device 62 of the first brake ECU 60 will be described. Figure 5(A) shows a portion of the processing routine executed by the execution device 31 of the information processing device 30. Figure 5(B) shows a portion of the processing routine executed by the execution device 61 of the first brake ECU 60. Figure 5(C) shows a portion of the processing routine executed by the execution device 71 of the second brake ECU 70. In other words, it can be said that the processing routine shown in Figure 5(B) is a portion of the processing routine executed by the first electronic control device, and the processing routine shown in Figure 5(C) is a portion of the processing routine executed by the second electronic control device.
 情報処理装置30の実行装置31は、第1制動ECU60向けの更新用ソフトウェアを取得すると、図2(A)及び図3(A)に示したステップS11及びステップS13の処理を順に実行する。続いて、図5(A)に示すようにステップS15Aにおいて、情報処理装置30の実行装置31は、計数Mとして1を設定する。すると、実行装置31は、第1制動ECU60向けの更新用ソフトウェアをN個に分割する。「N」は3以上の整数である。そして、ステップS17Aにおいて、実行装置31は、N個に分割した更新用ソフトウェアのうちの1つである第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第1制動ECU60に送信する。この際、実行装置31は、暗号化された第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第1制動ECU60に送信する。なお、計数Mが1である場合、実行装置31は、暗号化された第1更新用分割ソフトウェアを第1制動ECU60に送信する。 When the execution device 31 of the information processing device 30 acquires the update software for the first brake ECU 60, it sequentially executes the processes of steps S11 and S13 shown in FIG. 2(A) and FIG. 3(A). Next, in step S15A as shown in FIG. 5(A), the execution device 31 of the information processing device 30 sets a count M to 1. Then, the execution device 31 divides the update software for the first brake ECU 60 into N pieces. "N" is an integer equal to or greater than 3. Then, in step S17A, the execution device 31 transmits the Mth update divided software, which is one of the N pieces of update software, to the first brake ECU 60 via the global network 42. At this time, the execution device 31 transmits the encrypted Mth update divided software to the first brake ECU 60 via the global network 42. Note that if the count M is 1, the execution device 31 transmits the encrypted first update divided software to the first brake ECU 60.
 ステップS19Aにおいて、情報処理装置30の実行装置31は、計数Mを1だけインクリメントする。次のステップS21Aにおいて、実行装置31は、分割した更新用ソフトウェアのうちの1つである第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第1制動ECU60に送信する。この際、実行装置31は、暗号化された第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第1制動ECU60に送信する。ここで第1制動ECU60に送信する更新用分割ソフトウェアは、ステップS17Aで第1制動ECU60に送信した更新用分割ソフトウェアとは別の更新用分割ソフトウェアである。なお、計数Mが2である場合、実行装置31は、暗号化された第2更新用分割ソフトウェアを第2制動ECU70に送信する。 In step S19A, the execution unit 31 of the information processing device 30 increments the count M by 1. In the next step S21A, the execution unit 31 transmits the Mth update split software, which is one of the divided update software, to the first brake ECU 60 via the global network 42. At this time, the execution unit 31 transmits the encrypted Mth update split software to the first brake ECU 60 via the global network 42. The update split software transmitted to the first brake ECU 60 here is different from the update split software transmitted to the first brake ECU 60 in step S17A. Note that if the count M is 2, the execution unit 31 transmits the encrypted second update split software to the second brake ECU 70.
 ステップS23Aにおいて、情報処理装置30の実行装置31は、計数Mを1だけインクリメントする。次のステップS25Aにおいて、実行装置31は、図2(A)及び図3(A)に示したステップS25と同様に、N個の更新用分割ソフトウェアの送信が完了したか否かを判定する。実行装置31は、N個の更新用分割ソフトウェアの中に未だ送信していない更新用分割ソフトウェアがある場合(S25A:NO)、処理をステップS17Aに戻す。すなわち、実行装置31は、更新用分割ソフトウェアの送信を続行する。一方、実行装置31は、N個の更新用分割ソフトウェアの送信が完了した場合(S25A:YES)、処理を図2(A)及び図3(A)に示したステップS27に移行する。ステップS27以降の処理の流れは、第1実施形態の場合と同様である。 In step S23A, the execution unit 31 of the information processing device 30 increments the counter M by 1. In the next step S25A, the execution unit 31 determines whether or not the transmission of the N pieces of update divided software has been completed, similar to step S25 shown in FIG. 2(A) and FIG. 3(A). If there is any update divided software among the N pieces of update divided software that has not yet been transmitted (S25A: NO), the execution unit 31 returns the process to step S17A. That is, the execution unit 31 continues transmitting the update divided software. On the other hand, if the execution unit 31 has completed the transmission of the N pieces of update divided software (S25A: YES), the process proceeds to step S27 shown in FIG. 2(A) and FIG. 3(A). The process flow from step S27 onwards is the same as in the first embodiment.
 第1制動ECU60の実行装置61は、図2(B)及び図3(B)に示したステップS101からステップS107までの処理を順に実行する。そして、図5(B)に示すようにステップS131において、実行装置61は、ステップS17Aで情報処理装置30が送信した第M更新用分割ソフトウェアをグローバルネットワーク42から受信したか否かを判定する。計数Mが1である場合、実行装置61は、第1更新用分割ソフトウェアA1を受信したか否かを判定する。実行装置61は、第M更新用分割ソフトウェアを受信した場合(S131:YES)、処理をステップS133に移行する。一方、実行装置61は、第M更新用分割ソフトウェアを受信していない場合(S131:NO)、第M更新用分割ソフトウェアを受信するまでステップS131の判定を繰り返し実行する。 The execution device 61 of the first brake ECU 60 sequentially executes the processes from step S101 to step S107 shown in FIG. 2(B) and FIG. 3(B). Then, in step S131 as shown in FIG. 5(B), the execution device 61 judges whether or not the Mth update divided software transmitted by the information processing device 30 in step S17A has been received from the global network 42. If the count M is 1, the execution device 61 judges whether or not the first update divided software A1 has been received. If the execution device 61 has received the Mth update divided software (S131: YES), the process proceeds to step S133. On the other hand, if the execution device 61 has not received the Mth update divided software (S131: NO), the execution device 61 repeatedly executes the judgment of step S131 until the Mth update divided software is received.
 ステップS133において、第1制動ECU60の実行装置61は、ステップS21Aで情報処理装置30が送信した第M更新用分割ソフトウェアをグローバルネットワーク42から受信したか否かを判定する。計数Mが2である場合、実行装置61は、第2更新用分割ソフトウェアA2を受信したか否かを判定する。実行装置61は、第M更新用分割ソフトウェアを受信した場合(S133:YES)、処理をステップS135に移行する。一方、実行装置61は、第M更新用分割ソフトウェアを受信していない場合(S133:NO)、第M更新用分割ソフトウェアを受信するまでステップS133の判定を繰り返し実行する。 In step S133, the execution unit 61 of the first brake ECU 60 determines whether or not it has received the Mth update divided software transmitted by the information processing unit 30 in step S21A from the global network 42. If the count M is 2, the execution unit 61 determines whether or not it has received the second update divided software A2. If the execution unit 61 has received the Mth update divided software (S133: YES), it transitions to step S135. On the other hand, if the execution unit 61 has not received the Mth update divided software (S133: NO), it repeats the determination of step S133 until it receives the Mth update divided software.
 ステップS135において、第1制動ECU60の実行装置61は、ステップS133で受信した第M更新用分割ソフトウェアを、ローカルネットワーク43を介して第2制動ECU70に送信する。例えば第1制動ECU60が第1更新用分割ソフトウェアA1及び第2更新用分割ソフトウェアA2を受信した場合、実行装置61は、第1更新用分割ソフトウェアA1及び第2更新用分割ソフトウェアA2のうち、第2更新用分割ソフトウェアA2のみをローカルネットワーク43を介して第2制動ECU70に送信する。 In step S135, the execution device 61 of the first brake ECU 60 transmits the Mth update divided software received in step S133 to the second brake ECU 70 via the local network 43. For example, if the first brake ECU 60 receives the first update divided software A1 and the second update divided software A2, the execution device 61 transmits only the second update divided software A2 of the first update divided software A1 and the second update divided software A2 to the second brake ECU 70 via the local network 43.
 ステップS137において、第1制動ECU60の実行装置61は、ステップS131で受信した第M更新用分割ソフトウェアを復号する。すなわち、実行装置61は、情報処理装置30から受信した2つの更新用分割ソフトウェアのうち、第2制動ECU70に送信していないほうの更新用分割ソフトウェアを復号する。次のステップS139において、実行装置61は、自身で復号した第M更新用分割ソフトウェアを記憶装置62に書き込む。そして、実行装置61は処理をステップS141に移行する。 In step S137, the execution device 61 of the first brake ECU 60 decrypts the Mth update split software received in step S131. That is, of the two update split software received from the information processing device 30, the execution device 61 decrypts the update split software that has not been transmitted to the second brake ECU 70. In the next step S139, the execution device 61 writes the Mth update split software that it has decrypted into the storage device 62. The execution device 61 then transitions to step S141.
 第2制動ECU70の実行装置71は、図2(C)及び図3(C)に示したステップS201からS205までの処理を順に実行する。そして、図5(C)に示すようにステップS231において、実行装置71は、ローカルネットワーク43を介して第M更新用分割ソフトウェアを受信したか否かを判定する。計数Mが2である場合、実行装置71は、第2更新用分割ソフトウェアA2を受信したか否かを判定する。ここで受信する更新用分割ソフトウェアは、ステップS21Aで情報処理装置30が送信した更新用分割ソフトウェアである。実行装置71は、第M更新用分割ソフトウェアを受信した場合(S231:YES)、処理をステップS233に移行する。一方、実行装置71は、第M更新用分割ソフトウェアを受信していない場合(S231:NO)、第M更新用分割ソフトウェアを受信するまでステップS231の判定を繰り返し実行する。 The execution unit 71 of the second brake ECU 70 sequentially executes the processes from step S201 to S205 shown in FIG. 2(C) and FIG. 3(C). Then, in step S231 as shown in FIG. 5(C), the execution unit 71 judges whether or not the Mth update divided software has been received via the local network 43. If the count M is 2, the execution unit 71 judges whether or not the second update divided software A2 has been received. The update divided software received here is the update divided software transmitted by the information processing device 30 in step S21A. If the execution unit 71 receives the Mth update divided software (S231: YES), the process proceeds to step S233. On the other hand, if the execution unit 71 has not received the Mth update divided software (S231: NO), the execution unit 71 repeatedly executes the judgment of step S231 until the Mth update divided software is received.
 ステップS233において、第2制動ECU70の実行装置71は、受信した第M更新用分割ソフトウェアを復号する。そしてステップS235において、実行装置71は、復号した第M更新用分割ソフトウェアを、ローカルネットワーク43を介して第1制動ECU60に送信する。例えば計数Mが2である場合、実行装置71は、第2更新用分割ソフトウェアA2を復号し、復号済みの第2更新用分割ソフトウェアA2を、ローカルネットワーク43を介して第1制動ECU60に送信する。その後、実行装置71は処理をステップS237に移行する。 In step S233, the execution device 71 of the second brake ECU 70 decrypts the received Mth update split software. Then, in step S235, the execution device 71 transmits the decrypted Mth update split software to the first brake ECU 60 via the local network 43. For example, if the count M is 2, the execution device 71 decrypts the second update split software A2 and transmits the decrypted second update split software A2 to the first brake ECU 60 via the local network 43. The execution device 71 then transitions to step S237.
 ステップS237において、第2制動ECU70の実行装置71は、第1制動ECU60の記憶装置62のソフトウェアの更新が完了したか否かを判定する。実行装置71は、更新が完了していない場合(S237:NO)、処理をステップS231に戻す。すなわち、実行装置71は、記憶装置62のソフトウェアの更新が完了するまで、ステップS231からステップS235までの処理を繰り返し実行する。一方、実行装置71は、更新が完了した場合(S237:YES)、処理を図2(C)及び図3(C)に示したステップS215に移行する。ステップS215以降の処理の流れは、第1実施形態の場合と同様である。 In step S237, the execution unit 71 of the second brake ECU 70 determines whether the software update of the storage device 62 of the first brake ECU 60 has been completed. If the update has not been completed (S237: NO), the execution unit 71 returns the process to step S231. That is, the execution unit 71 repeatedly executes the processes from step S231 to step S235 until the software update of the storage device 62 is completed. On the other hand, if the update has been completed (S237: YES), the execution unit 71 transitions the process to step S215 shown in FIG. 2(C) and FIG. 3(C). The process flow from step S215 onwards is the same as in the first embodiment.
 図5(B)に示すように、ステップS141において、第1制動ECU60の実行装置61は、ローカルネットワーク43を介して第M更新用分割ソフトウェアを第2制動ECU70から受信したか否かを判定する。実行装置61は、第M更新用分割ソフトウェアを受信した場合(S141:YES)、処理をステップS143に移行する。一方、実行装置61は、第M更新用分割ソフトウェアを受信していない場合(S141:NO)、第M更新用分割ソフトウェアを受信するまでステップS141の判定を繰り返し実行する。 As shown in FIG. 5(B), in step S141, the execution device 61 of the first brake ECU 60 determines whether or not it has received the Mth update divided software from the second brake ECU 70 via the local network 43. If the execution device 61 has received the Mth update divided software (S141: YES), the process proceeds to step S143. On the other hand, if the execution device 61 has not received the Mth update divided software (S141: NO), the execution device 61 repeatedly executes the determination of step S141 until it receives the Mth update divided software.
 ステップS143において、第1制動ECU60の実行装置61は、ステップS141で受信した第M更新用分割ソフトウェアを記憶装置62に書き込む。すなわち、実行装置61は、第2制動ECU70から送信されてきた復号済みの第M更新用分割ソフトウェアを記憶装置62に書き込む。そしてステップS145において、実行装置61は、記憶装置62のソフトウェアの更新が完了したか否かを判定する。実行装置61は、更新が完了していない場合(S145:NO)、処理をステップS131に戻す。すなわち、実行装置61は、記憶装置62のソフトウェアの更新が完了するまで、ステップS131からステップS143までの処理を繰り返し実行する。一方、実行装置61は、更新が完了した場合(S145:YES)、処理を図2(B)及び図3(B)に示したステップS121に移行する。ステップS121以降の処理の流れは、第1実施形態の場合と同様である。 In step S143, the execution device 61 of the first brake ECU 60 writes the Mth update divided software received in step S141 to the storage device 62. That is, the execution device 61 writes the decoded Mth update divided software transmitted from the second brake ECU 70 to the storage device 62. Then, in step S145, the execution device 61 determines whether the software update of the storage device 62 is complete. If the update is not complete (S145: NO), the execution device 61 returns the process to step S131. That is, the execution device 61 repeatedly executes the processes from step S131 to step S143 until the software update of the storage device 62 is complete. On the other hand, if the update is complete (S145: YES), the execution device 61 transitions the process to step S121 shown in FIG. 2(B) and FIG. 3(B). The process flow from step S121 onwards is the same as that in the first embodiment.
 <本実施形態の作用及び効果>
 本実施形態の作用及び効果のうち、第1実施形態と相違する部分を中心に説明する。
 第1制動ECU60の記憶装置62のソフトウェアを更新する場合、情報処理装置30では、更新用ソフトウェアがN個に分割される。情報処理装置30では、N個の更新用分割ソフトウェアが、グローバルネットワーク42を介して更新対象ECUである第1制動ECU60に送信される。本実施形態では、更新用分割ソフトウェアが2つずつグローバルネットワーク42を介して第1制動ECU60に送信される。 <Actions and Effects of the Present Embodiment>
Among the functions and effects of this embodiment, the following description will focus on the differences from the first embodiment.
When updating the software in the storage device 62 of the first brake ECU 60, the information processing device 30 divides the update software into N pieces. The information processing device 30 transmits the N pieces of update divided software to the first brake ECU 60, which is the ECU to be updated, via the global network 42. In this embodiment, two pieces of update divided software are transmitted to the first brake ECU 60 via the global network 42.
 第1制動ECU60では、受信した2つの更新用分割ソフトウェアのうちの1つが、ローカルネットワーク43を介して第2制動ECU70に送信される。また、第1制動ECU60では、第2制動ECU70に送信しなかった更新用分割ソフトウェアが復号される。そして、実行装置61が復号した更新用分割ソフトウェアが、記憶装置62に書き込まれる。 The first brake ECU 60 transmits one of the two pieces of update split software received to the second brake ECU 70 via the local network 43. The first brake ECU 60 also decrypts the update split software that was not transmitted to the second brake ECU 70. The update split software decrypted by the execution device 61 is then written to the storage device 62.
 一方、第2制動ECU70では、ローカルネットワーク43を介して受信した更新用分割ソフトウェアが復号される。そして、復号済みの更新用分割ソフトウェアが、ローカルネットワーク43を介して第1制動ECU60に送信される。第1制動ECU60では、ローカルネットワーク43を介して受信した復号済みの更新用分割ソフトウェアが記憶装置62に書き込まれる。 Meanwhile, the second brake ECU 70 decodes the update split software received via the local network 43. The decoded update split software is then sent to the first brake ECU 60 via the local network 43. The first brake ECU 60 writes the decoded update split software received via the local network 43 to the storage device 62.
 こうした一連の処理を繰り返すことにより、第1制動ECU60の記憶装置62のソフトウェアが更新される。
 本実施形態では、第1制動ECU60で第1更新用分割ソフトウェアA1が復号されている間、第2制動ECU70でも第2更新用分割ソフトウェアA2を復号できる。すなわち、情報処理装置30は、第1更新用分割ソフトウェアA1の復号が完了するまで、第2更新用分割ソフトウェアA2の送信を待たなくてもよい。つまり、情報処理装置30が更新用分割ソフトウェアの送信を待機する状態になる時間を短くできる。したがって、制御システム15は、第1制動ECU60の記憶装置62のソフトウェアを更新する場合において、ソフトウェアの更新に要する時間が長くなることを抑制できる。 By repeating this series of processes, the software in the storage device 62 of the first brake ECU 60 is updated.
In this embodiment, while the first update divided software A1 is being decoded in the first brake ECU 60, the second update divided software A2 can also be decoded in the second brake ECU 70. That is, the information processing device 30 does not need to wait for the transmission of the second update divided software A2 until the decoding of the first update divided software A1 is completed. That is, the time during which the information processing device 30 is in a state of waiting for the transmission of update divided software can be shortened. Therefore, when updating the software of the storage device 62 of the first brake ECU 60, the control system 15 can prevent the time required for the software update from becoming long.
 また、本実施形態では、情報処理装置30は、N個の更新用分割ソフトウェアのうちの一部を、更新対象ECUではない第2制動ECU70に直接送信しなくてもよい。
 さらに、本実施形態では、上記第1実施形態の効果(1-2)及び(1-3)と同等の効果を得ることができる。 Furthermore, in this embodiment, the information processing device 30 does not need to directly transmit some of the N pieces of divided software updates to the second brake ECU 70 that is not the ECU to be updated.
Furthermore, in this embodiment, it is possible to obtain effects equivalent to the effects (1-2) and (1-3) of the first embodiment.
 (第3実施形態)
 制御システムの第3実施形態を図6及び図7に従って説明する。なお、第3実施形態では、更新対象ECUが、複数の実行装置を備えたマルチコアプロセッサである点などが第1実施形態と異なっている。以下の説明においては、上記複数の実施形態と相違する部分について主に説明するものとし、上記複数の実施形態と同一の部材構成には同一符号を付して重複説明を省略するものとする。 Third Embodiment
A third embodiment of the control system will be described with reference to Figures 6 and 7. The third embodiment differs from the first embodiment in that the ECU to be updated is a multi-core processor equipped with multiple execution devices. In the following description, differences from the above embodiments will be mainly described, and the same reference numerals will be used to designate the same components as those in the above embodiments, and duplicated descriptions will be omitted.
 <制御システム>
 図6を参照し、本実施形態の制御システム15Bを説明する。
 制御システム15Bは、通信装置20と、情報処理装置30と、複数のECUとを備えている。複数のECUは、グローバルネットワーク42を介して情報処理装置30と通信可能に構成されている。複数のECUは、ECU80及びECU50を含んでいる。例えば、ECU80は、車両10で発生する制動力を調整すべくアクチュエータを制御する制動ECUである。 <Control System>
The control system 15B of this embodiment will be described with reference to FIG.
The control system 15B includes a communication device 20, an information processing device 30, and a plurality of ECUs. The plurality of ECUs are configured to be able to communicate with the information processing device 30 via a global network 42. The plurality of ECUs include an ECU 80 and an ECU 50. For example, the ECU 80 is a braking ECU that controls an actuator to adjust the braking force generated in the vehicle 10.
 ECU80は、マルチコアプロセッサである。ECU80は、第1実行装置81Aと、第2実行装置81Bと、記憶装置82と、格納装置83とを備えている。例えば、第1実行装置81A及び第2実行装置81BはCPUであり、記憶装置82は不揮発性のメモリであり、格納装置83は揮発性のメモリである。記憶装置82には、第1実行装置81A及び第2実行装置81Bによって実行されるソフトウェアが記憶される。 The ECU 80 is a multi-core processor. The ECU 80 includes a first execution unit 81A, a second execution unit 81B, a memory device 82, and a storage unit 83. For example, the first execution unit 81A and the second execution unit 81B are CPUs, the memory device 82 is a non-volatile memory, and the storage device 83 is a volatile memory. The storage unit 82 stores software executed by the first execution unit 81A and the second execution unit 81B.
 <ソフトウェアの更新処理>
 図7を参照し、ECU80が備える記憶装置82のソフトウェアを更新する一連の処理の流れを説明する。図7(A)は情報処理装置30の実行装置31が実行する処理ルーチンを示している。図7(B)はECU80の第1実行装置81Aが実行する処理ルーチンを示している。図7(C)はECU80の第2実行装置81Bが実行する処理ルーチンを示している。 <Software update process>
A flow of a series of processes for updating software in the storage device 82 of the ECU 80 will be described with reference to Fig. 7. Fig. 7(A) shows a processing routine executed by the execution unit 31 of the information processing device 30. Fig. 7(B) shows a processing routine executed by the first execution unit 81A of the ECU 80. Fig. 7(C) shows a processing routine executed by the second execution unit 81B of the ECU 80.
 情報処理装置30の実行装置31は、ECU80向けの更新用ソフトウェアを取得すると、図7(A)に示す処理ルーチンの実行を開始する。ステップS41において、実行装置31は、実行装置の制御モードを通常モードから更新モードに変更することをECU80に要求する。次のステップS43において、実行装置31は、第1実行装置81Aの制御モードが更新モードに変更された旨の第1通知と、第2実行装置81Bの制御モードが更新モードに変更された旨の第2通知との何れをも受信したか否かを判定する。実行装置31は、第1通知と第2通知との何れをも受信した場合(S43:YES)、処理をステップS45に移行する。一方、実行装置31は、第1通知及び第2通知のうち少なくとも一方を受信していない場合(S43:NO)、処理をステップS41に戻す。すなわち、実行装置31は、第1通知及び第2通知の何れをも受信できるまでモード変更をECU80に要求し続ける。 When the execution unit 31 of the information processing device 30 acquires the update software for the ECU 80, it starts executing the processing routine shown in FIG. 7(A). In step S41, the execution unit 31 requests the ECU 80 to change the control mode of the execution unit from the normal mode to the update mode. In the next step S43, the execution unit 31 determines whether it has received both a first notification that the control mode of the first execution unit 81A has been changed to the update mode and a second notification that the control mode of the second execution unit 81B has been changed to the update mode. If the execution unit 31 has received both the first notification and the second notification (S43: YES), it proceeds to step S45. On the other hand, if the execution unit 31 has not received at least one of the first notification and the second notification (S43: NO), it returns the processing to step S41. That is, the execution unit 31 continues to request the ECU 80 to change the mode until it receives both the first notification and the second notification.
 図7(B)に示すように、ステップS151Aにおいて、ECU80の第1実行装置81Aは、モード変更の要求を情報処理装置30からECU80が受信したか否かを判定する。第1実行装置81Aは、モード変更の要求をECU80が受信した場合(S151A:YES)、処理をステップS153Aに移行する。一方、第1実行装置81Aは、モード変更の要求をECU80が受信していない場合(S151A:NO)、要求をECU80が受信するまでステップS151Aの判定を繰り返し実行する。ステップS153Aにおいて、第1実行装置81Aは、自身をリセットし、制御モードを更新モードに変更して再起動する。続いてステップS155Aにおいて、第1実行装置81Aは、通常モードから更新モードへの変更が完了した旨の第1通知を情報処理装置30に送信する。次のステップS157Aにおいて、第1実行装置81Aは、記憶装置82から更新前のソフトウェアの消去を開始する。その後、第1実行装置81Aは処理をステップS159Aに移行する。 7B, in step S151A, the first execution unit 81A of the ECU 80 judges whether the ECU 80 has received a mode change request from the information processing device 30. If the ECU 80 has received a mode change request (S151A: YES), the first execution unit 81A shifts the process to step S153A. On the other hand, if the ECU 80 has not received a mode change request (S151A: NO), the first execution unit 81A repeats the judgment of step S151A until the ECU 80 receives the request. In step S153A, the first execution unit 81A resets itself, changes the control mode to the update mode, and restarts. Next, in step S155A, the first execution unit 81A transmits a first notification to the information processing device 30 indicating that the change from the normal mode to the update mode has been completed. In the next step S157A, the first execution unit 81A starts erasing the pre-update software from the storage device 82. The first execution unit 81A then transitions to step S159A.
 図7(C)に示すように、ステップS151Bにおいて、ECU80の第2実行装置81Bは、モード変更の要求を情報処理装置30からECU80が受信したか否かを判定する。第2実行装置81Bは、モード変更の要求をECU80が受信した場合(S151B:YES)、処理をステップS153Bに移行する。一方、第2実行装置81Bは、モード変更の要求をECU80が受信していない場合(S151B:NO)、要求をECU80が受信するまでステップS151Bの判定を繰り返し実行する。ステップS153Bにおいて、第2実行装置81Bは、自身をリセットし、制御モードを更新モードに変更して再起動する。続いてステップS155Bにおいて、第2実行装置81Bは、通常モードから更新モードへの変更が完了した旨の第2通知を情報処理装置30に送信する。そして、第2実行装置81Bは処理をステップS159Bに移行する。 As shown in FIG. 7(C), in step S151B, the second execution unit 81B of the ECU 80 judges whether the ECU 80 has received a mode change request from the information processing device 30. If the ECU 80 has received a mode change request (S151B: YES), the second execution unit 81B shifts the process to step S153B. On the other hand, if the ECU 80 has not received a mode change request (S151B: NO), the second execution unit 81B repeats the judgment of step S151B until the ECU 80 receives the request. In step S153B, the second execution unit 81B resets itself, changes the control mode to the update mode, and restarts. Next, in step S155B, the second execution unit 81B transmits a second notification to the information processing device 30 indicating that the change from the normal mode to the update mode has been completed. Then, the second execution unit 81B shifts the process to step S159B.
 図7(A)に示すように、ステップS45において、情報処理装置30の実行装置31は、計数Mとして1を設定する。すると、実行装置31は、ECU80向けの更新用ソフトウェアをN個に分割する。「N」は3以上の整数である。そして、ステップS47において、実行装置31は、分割した更新用ソフトウェアのうちの1つである第M更新用分割ソフトウェアを、グローバルネットワーク42を介してECU80に送信する。この際、実行装置31は、暗号化された第M更新用分割ソフトウェアを、グローバルネットワーク42を介してECU80に送信する。なお、計数Mが1である場合、実行装置31は、暗号化された第1更新用分割ソフトウェアA1をECU80に送信する。 As shown in FIG. 7(A), in step S45, the execution unit 31 of the information processing device 30 sets a count M to 1. The execution unit 31 then divides the update software for the ECU 80 into N pieces, where "N" is an integer equal to or greater than 3. Then, in step S47, the execution unit 31 transmits the Mth update divided software, which is one of the divided update software, to the ECU 80 via the global network 42. At this time, the execution unit 31 transmits the encrypted Mth update divided software to the ECU 80 via the global network 42. Note that if the count M is 1, the execution unit 31 transmits the encrypted first update divided software A1 to the ECU 80.
 ステップS49において、情報処理装置30の実行装置31は、計数Mを1だけインクリメントする。次のステップS51において、実行装置31は、分割した更新用ソフトウェアのうちの1つである第M更新用分割ソフトウェアを、グローバルネットワーク42を介してECU80に送信する。この際、実行装置31は、暗号化された第M更新用分割ソフトウェアを、グローバルネットワーク42を介してECU80に送信する。ここでECU80に送信する更新用分割ソフトウェアは、ステップS47でECU80に送信した更新用分割ソフトウェアとは別の更新用分割ソフトウェアである。なお、計数Mが2である場合、実行装置31は、暗号化された第2更新用分割ソフトウェアA2をECU80に送信する。 In step S49, the execution unit 31 of the information processing device 30 increments the count M by 1. In the next step S51, the execution unit 31 transmits the Mth update split software, which is one of the divided update software, to the ECU 80 via the global network 42. At this time, the execution unit 31 transmits the encrypted Mth update split software to the ECU 80 via the global network 42. The update split software transmitted to the ECU 80 here is different from the update split software transmitted to the ECU 80 in step S47. Note that if the count M is 2, the execution unit 31 transmits the encrypted second update split software A2 to the ECU 80.
 ステップS53において、情報処理装置30の実行装置31は、計数Mを1だけインクリメントする。次のステップS55において、実行装置31は、図2(A)及び図3(A)に示したステップS25と同様に、更新用分割ソフトウェアの送信が完了したか否かを判定する。実行装置31は、更新用分割ソフトウェアの送信が完了した場合(S55:YES)、処理をステップS57に移行する。一方、実行装置31は、更新用分割ソフトウェアの送信が完了していない場合(S55:NO)、処理をステップS47に戻す。すなわち、実行装置31は、更新用分割ソフトウェアのECU80への送信を続行する。 In step S53, the execution unit 31 of the information processing device 30 increments the counter M by 1. In the next step S55, the execution unit 31 determines whether or not the transmission of the update split software has been completed, similar to step S25 shown in Figures 2 (A) and 3 (A). If the transmission of the update split software has been completed (S55: YES), the execution unit 31 proceeds to step S57. On the other hand, if the transmission of the update split software has not been completed (S55: NO), the execution unit 31 returns the process to step S47. That is, the execution unit 31 continues transmitting the update split software to the ECU 80.
 図7(B)に示すように、ステップS159Aにおいて、ECU80の第1実行装置81Aは、第M更新用分割ソフトウェアをECU80が受信したか否かを判定する。ここで受信する更新用分割ソフトウェアは、ステップS47で情報処理装置30が送信した第M更新用分割ソフトウェアである。計数Mが1である場合、第1実行装置81Aは、第1更新用分割ソフトウェアを受信したか否かを判定する。第1実行装置81Aは、第M更新用分割ソフトウェアをECU80が受信した場合(S159A:YES)、処理をステップS161Aに移行する。一方、第1実行装置81Aは、第M更新用分割ソフトウェアをECU80が受信していない場合(S159A:NO)、第M更新用分割ソフトウェアを受信するまでステップS159Aの判定を繰り返し実行する。 As shown in FIG. 7B, in step S159A, the first execution unit 81A of the ECU 80 determines whether the ECU 80 has received the Mth update divided software. The update divided software received here is the Mth update divided software transmitted by the information processing device 30 in step S47. If the count M is 1, the first execution unit 81A determines whether the first update divided software has been received. If the ECU 80 has received the Mth update divided software (S159A: YES), the first execution unit 81A transitions the process to step S161A. On the other hand, if the ECU 80 has not received the Mth update divided software (S159A: NO), the first execution unit 81A repeats the determination of step S159A until the Mth update divided software is received.
 ステップS161Aにおいて、ECU80の第1実行装置81Aは、ステップS159AでECU80が受信した第M更新用分割ソフトウェアを復号する。そしてステップS163Aにおいて、第1実行装置81Aは、自身が復号した第M更新用分割ソフトウェアを記憶装置82に書き込む。例えば計数Mが1である場合、第1実行装置81Aは、第1更新用分割ソフトウェアA1を復号し、復号済みの第1更新用分割ソフトウェアA1を記憶装置82に書き込む。 In step S161A, the first execution unit 81A of the ECU 80 decrypts the Mth update split software received by the ECU 80 in step S159A. Then, in step S163A, the first execution unit 81A writes the Mth update split software that it has decrypted to the storage device 82. For example, if the count M is 1, the first execution unit 81A decrypts the first update split software A1 and writes the decrypted first update split software A1 to the storage device 82.
 ステップS165Aにおいて、ECU80の第1実行装置81Aは、記憶装置82のソフトウェアの更新が完了したか否かを判定する。第1実行装置81Aは、更新が完了した場合(S165A:YES)、処理をステップS167Aに移行する。一方、第1実行装置81Aは、更新が完了していない場合(S165A:NO)、処理をステップS159Aに戻す。すなわち、第1実行装置81Aは、記憶装置82のソフトウェアの更新が完了するまで、ステップS159AからステップS163Aまでの処理を繰り返し実行する。 In step S165A, the first execution unit 81A of the ECU 80 determines whether the software update of the storage device 82 is complete. If the update is complete (S165A: YES), the first execution unit 81A proceeds to step S167A. On the other hand, if the update is not complete (S165A: NO), the first execution unit 81A returns to step S159A. In other words, the first execution unit 81A repeatedly executes steps S159A to S163A until the software update of the storage device 82 is complete.
 図7(C)に示すように、ステップS159Bにおいて、ECU80の第2実行装置81Bは、第M更新用分割ソフトウェアをECU80が受信したか否かを判定する。ここで受信する更新用分割ソフトウェアは、ステップS51で情報処理装置30が送信した第M更新用分割ソフトウェアである。計数Mが2である場合、第2実行装置81Bは、第2更新用分割ソフトウェアをECU80が受信したか否かを判定する。第2実行装置81Bは、第M更新用分割ソフトウェアをECU80が受信した場合(S159B:YES)、処理をステップS161Bに移行する。一方、第2実行装置81Bは、第M更新用分割ソフトウェアをECU80が受信していない場合(S159B:NO)、第M更新用分割ソフトウェアをECU80が受信するまでステップS159Bの判定を繰り返し実行する。 As shown in FIG. 7(C), in step S159B, the second execution unit 81B of the ECU 80 determines whether the ECU 80 has received the Mth update split software. The update split software received here is the Mth update split software transmitted by the information processing device 30 in step S51. If the count M is 2, the second execution unit 81B determines whether the ECU 80 has received the second update split software. If the ECU 80 has received the Mth update split software (S159B: YES), the second execution unit 81B transitions the process to step S161B. On the other hand, if the ECU 80 has not received the Mth update split software (S159B: NO), the second execution unit 81B repeatedly executes the determination of step S159B until the ECU 80 receives the Mth update split software.
 ステップS161Bにおいて、ECU80の第2実行装置81Bは、ステップS159Bで受信した第M更新用分割ソフトウェアを復号する。そしてステップS161Bにおいて、第2実行装置81Bは、自身が復号した第M更新用分割ソフトウェアを記憶装置62に書き込む。例えば計数Mが2である場合、第2実行装置81Bは、第2更新用分割ソフトウェアA2を復号し、復号済みの第2更新用分割ソフトウェアA2を記憶装置62に書き込む。 In step S161B, the second execution unit 81B of the ECU 80 decrypts the Mth update split software received in step S159B. Then, in step S161B, the second execution unit 81B writes the Mth update split software that it has decrypted to the storage device 62. For example, if the count M is 2, the second execution unit 81B decrypts the second update split software A2 and writes the decrypted second update split software A2 to the storage device 62.
 ステップS165Bにおいて、ECU80の第2実行装置81Bは、記憶装置82のソフトウェアの更新が完了したか否かを判定する。第2実行装置81Bは、更新が完了した場合(S165B:YES)、処理をステップS167Bに移行する。一方、第2実行装置81Bは、更新が完了していない場合(S165B:NO)、処理をステップS159Bに戻す。すなわち、第2実行装置81Bは、記憶装置82のソフトウェアの更新が完了するまで、ステップS159BからステップS163Bまでの処理を繰り返し実行する。 In step S165B, the second execution unit 81B of the ECU 80 determines whether the software update of the storage device 82 has been completed. If the update has been completed (S165B: YES), the second execution unit 81B proceeds to step S167B. On the other hand, if the update has not been completed (S165B: NO), the second execution unit 81B returns the process to step S159B. In other words, the second execution unit 81B repeatedly executes the processes from step S159B to step S163B until the software update of the storage device 82 is completed.
 図7(A)に示すように、ステップS57において、情報処理装置30の実行装置31は、実行装置の制御モードを更新モードから通常モードに変更することをECU80に要求する。ステップS59において、実行装置31は、第1実行装置81Aの制御モードが通常モードに変更された旨の第3通知、及び、第2実行装置81Bの制御モードが通常モードに変更された旨の第4通知の何れをも受信したか否かを判定する。実行装置31は、第3通知及び第4通知の何れをもECU80から受信している場合(S59:YES)、図7(A)に示す処理ルーチンを終了する。一方、実行装置31は、第3通知及び第4通知のうちの少なくとも一方を受信していない場合(S59:NO)、処理をステップS57に戻す。すなわち、実行装置31は、第3通知及び第4通知の何れをも受信できるまでモード変更をECU80に要求し続ける。 7(A), in step S57, the execution unit 31 of the information processing device 30 requests the ECU 80 to change the control mode of the execution unit from the update mode to the normal mode. In step S59, the execution unit 31 determines whether or not it has received both the third notification that the control mode of the first execution unit 81A has been changed to the normal mode and the fourth notification that the control mode of the second execution unit 81B has been changed to the normal mode. If the execution unit 31 has received both the third notification and the fourth notification from the ECU 80 (S59: YES), it ends the processing routine shown in FIG. 7(A). On the other hand, if the execution unit 31 has not received at least one of the third notification and the fourth notification (S59: NO), it returns the processing to step S57. That is, the execution unit 31 continues to request the ECU 80 to change the mode until it receives both the third notification and the fourth notification.
 図7(B)に示すように、ECU80の第1実行装置81Aは、モード変更の要求をECU80が受信すると、処理をステップS167Aに移行する。ステップS167Aにおいて、第1実行装置81Aは、自身をリセットし、制御モードを更新モードから通常モードに変更して再起動する。続いてステップS169Aにおいて、第1実行装置81Aは、更新モードから通常モードへの変更が完了した旨の第3通知を情報処理装置30に送信する。その後、第1実行装置81Aは図7(B)に示す処理ルーチンを終了する。 As shown in FIG. 7(B), when the ECU 80 receives a request to change modes, the first execution unit 81A of the ECU 80 transitions to step S167A. In step S167A, the first execution unit 81A resets itself, changes the control mode from update mode to normal mode, and restarts. Then, in step S169A, the first execution unit 81A transmits a third notification to the information processing device 30 indicating that the change from update mode to normal mode has been completed. Thereafter, the first execution unit 81A ends the processing routine shown in FIG. 7(B).
 図7(C)に示すように、ECU80の第2実行装置81Bは、モード変更の要求をECU80が受信すると、処理をステップS167Bに移行する。ステップS167Bにおいて、第2実行装置81Bは、自身をリセットし、制御モードを更新モードから通常モードに変更して再起動する。続いてステップS169Bにおいて、第2実行装置81Bは、更新モードから通常モードへの変更が完了した旨の第4通知を情報処理装置30に送信する。その後、第2実行装置81Bは図7(C)に示す処理ルーチンを終了する。 As shown in FIG. 7(C), when the ECU 80 receives a request to change the mode, the second execution unit 81B of the ECU 80 transitions to step S167B. In step S167B, the second execution unit 81B resets itself, changes the control mode from the update mode to the normal mode, and restarts. Then, in step S169B, the second execution unit 81B transmits a fourth notification to the information processing device 30 indicating that the change from the update mode to the normal mode has been completed. Thereafter, the second execution unit 81B ends the processing routine shown in FIG. 7(C).
 <本実施形態の作用及び効果>
 本実施形態の作用及び効果のうち、第1実施形態と相違する部分を中心に説明する。
 ECU80の記憶装置82のソフトウェアを更新する場合、情報処理装置30では、更新用ソフトウェアがN個に分割される。情報処理装置30では、N個の更新用分割ソフトウェアが、グローバルネットワーク42を介してECU80に送信される。本実施形態では、更新用分割ソフトウェアが2つずつグローバルネットワーク42を介してECU80に送信される。 <Actions and Effects of the Present Embodiment>
Among the functions and effects of this embodiment, the following description will focus on the differences from the first embodiment.
When updating software in the storage device 82 of the ECU 80, the information processing device 30 divides the update software into N pieces. The information processing device 30 transmits the N pieces of update divided software to the ECU 80 via the global network 42. In this embodiment, two pieces of update divided software are transmitted to the ECU 80 via the global network 42.
 ECU80では、受信した2つの更新用分割ソフトウェアのうちの1つが第1実行装置81Aによって処理される一方、残りの1つが第2実行装置81Bによって処理される。すなわち、第1実行装置81Aは、2つの更新用分割ソフトウェアのうちの一方を復号し、自身が復号した更新用分割ソフトウェアを記憶装置82に書き込む。第2実行装置81Bは、2つの更新用分割ソフトウェアのうちの他方を復号し、自身が復号した更新用分割ソフトウェアを記憶装置82に書き込む。こうした一連の処理を繰り返すことにより、ECU80の記憶装置82のソフトウェアが更新される。 In the ECU 80, one of the two received update split software is processed by the first execution unit 81A, while the remaining one is processed by the second execution unit 81B. That is, the first execution unit 81A decrypts one of the two update split software and writes it to the storage device 82. The second execution unit 81B decrypts the other of the two update split software and writes it to the storage device 82. By repeating this series of processes, the software in the storage device 82 of the ECU 80 is updated.
 本実施形態では、更新対象ECUであるECU80がマルチコアプロセッサである。そのため、例えば第1実行装置81Aが第1更新用分割ソフトウェアA1を復号している間、第2実行装置81Bが第2更新用分割ソフトウェアA2を更新できる。そのため、情報処理装置30は、第1更新用分割ソフトウェアA1の復号が完了するまで、第2更新用分割ソフトウェアA2の送信を待たなくてもよい。つまり、情報処理装置30が更新用分割ソフトウェアの送信を待機する状態になる時間を短くできる。したがって、制御システム15Bは、ECU80の記憶装置82のソフトウェアを更新する場合において、ソフトウェアの更新に要する時間が長くなることを抑制できる。 In this embodiment, the ECU 80, which is the ECU to be updated, is a multi-core processor. Therefore, for example, while the first execution unit 81A is decrypting the first update divided software A1, the second execution unit 81B can update the second update divided software A2. Therefore, the information processing device 30 does not have to wait for the transmission of the second update divided software A2 until the decryption of the first update divided software A1 is complete. In other words, the time that the information processing device 30 is in a state waiting for the transmission of update divided software can be shortened. Therefore, when updating software in the storage device 82 of the ECU 80, the control system 15B can prevent the time required for the software update from becoming long.
 さらに、本実施形態では、N個の更新用分割ソフトウェアを復号するために複数のECUを用いなくてもよい。そのため、更新対象ECUと、ソフトウェアの更新を補助するECUとの間でのローカルネットワークを用いた通信を行わなくてもよくなる。 Furthermore, in this embodiment, it is not necessary to use multiple ECUs to decrypt N pieces of divided software for updating. Therefore, it is not necessary to communicate using a local network between the ECU to be updated and the ECU that assists in updating the software.
 (第4実施形態)
 制御システムの第4実施形態を図8及び図9に従って説明する。以下の説明においては、上記複数の実施形態と相違する部分について主に説明するものとし、上記複数の実施形態と同一の部材構成には同一符号を付して重複説明を省略するものとする。 Fourth Embodiment
A fourth embodiment of the control system will be described with reference to Figures 8 and 9. In the following description, differences from the above-described embodiments will be mainly described, and the same components as those in the above-described embodiments will be denoted by the same reference numerals and will not be described again.
 <制御システム>
 図8を参照し、本実施形態の制御システム15Cを説明する。
 制御システム15Cは、通信装置20と、情報処理装置30と、複数のECUとを備えている。複数のECUは、グローバルネットワーク42を介して情報処理装置30と通信可能に構成されている。複数のECUは、第1制動ECU60と、第2制動ECU90とを含んでいる。第1制動ECU60は第1アクチュエータ11を作動させる。第2制動ECU90は第2アクチュエータ12を作動させる。複数のECUは、第1制動ECU60及び第2制動ECU90以外の他のECUを含んでいてもよい。 <Control System>
A control system 15C of this embodiment will be described with reference to FIG.
The control system 15C includes a communication device 20, an information processing device 30, and a plurality of ECUs. The plurality of ECUs are configured to be able to communicate with the information processing device 30 via a global network 42. The plurality of ECUs include a first braking ECU 60 and a second braking ECU 90. The first braking ECU 60 operates the first actuator 11. The second braking ECU 90 operates the second actuator 12. The plurality of ECUs may include ECUs other than the first braking ECU 60 and the second braking ECU 90.
 第1制動ECU60と第2制動ECU90とは、ローカルネットワーク43Cを介して各種の情報を送受信可能である。ローカルネットワーク43Cの通信速度は、グローバルネットワーク42の通信速度よりも高い。 The first brake ECU 60 and the second brake ECU 90 can transmit and receive various information via the local network 43C. The communication speed of the local network 43C is higher than the communication speed of the global network 42.
 第1制動ECU60は、実行装置61と、記憶装置62と、格納装置63とを備えている。
 第2制動ECU90は、実行装置91と、記憶装置92と、格納装置93とを備えている。例えば、実行装置91はCPUであり、記憶装置92は不揮発性のメモリであり、格納装置93は揮発性のメモリである。記憶装置92は、第1記憶部921と第2記憶部922とに区分けされている。第1記憶部921には、実行装置91に実行されるソフトウェアが記憶される。第2記憶部922には、実行装置91に実行されるソフトウェアが記憶されていない。 The first brake ECU 60 includes an execution device 61 , a memory device 62 , and a storage device 63 .
The second brake ECU 90 includes an execution device 91, a storage device 92, and a storage device 93. For example, the execution device 91 is a CPU, the storage device 92 is a non-volatile memory, and the storage device 93 is a volatile memory. The storage device 92 is divided into a first storage unit 921 and a second storage unit 922. The first storage unit 921 stores software executed by the execution device 91. The second storage unit 922 does not store software executed by the execution device 91.
 <ソフトウェアの更新処理>
 本実施形態では、制動ECUが備える記憶装置のソフトウェアを更新する手法について説明する。更新対象ECUが第1制動ECU60である場合、第1制動ECU60が「第1電子制御装置」に対応し、第2制動ECU90が「第2電子制御装置」に対応する。また、第1制動ECU60の実行装置61が「第1実行装置」に対応し、第2制動ECU90の実行装置91が「第2実行装置」に対応する。 <Software update process>
In this embodiment, a method of updating software in a storage device provided in a brake ECU will be described. When the ECU to be updated is the first brake ECU 60, the first brake ECU 60 corresponds to the "first electronic control device", and the second brake ECU 90 corresponds to the "second electronic control device". In addition, the execution device 61 of the first brake ECU 60 corresponds to the "first execution device", and the execution device 91 of the second brake ECU 90 corresponds to the "second execution device".
 図9を参照し、第1制動ECU60の記憶装置62のソフトウェアを更新する際の一連の処理の流れを説明する。図9(A)は情報処理装置30の実行装置31が実行する処理ルーチンの一部を示している。図9(B)は第1制動ECU60の実行装置61が実行する処理ルーチンの一部を示している。図9(C)は第2制動ECU90の実行装置91が実行する処理ルーチンの一部を示している。すなわち、図9(B)に示す処理ルーチンが第1電子制御装置で実行される処理ルーチンの一部であり、図9(C)に示す処理ルーチンが第2電子制御装置で実行される処理ルーチンの一部であると云える。 With reference to Figure 9, the flow of a series of processes when updating the software of the memory device 62 of the first brake ECU 60 will be described. Figure 9 (A) shows a part of the processing routine executed by the execution device 31 of the information processing device 30. Figure 9 (B) shows a part of the processing routine executed by the execution device 61 of the first brake ECU 60. Figure 9 (C) shows a part of the processing routine executed by the execution device 91 of the second brake ECU 90. In other words, the processing routine shown in Figure 9 (B) is a part of the processing routine executed by the first electronic control device, and the processing routine shown in Figure 9 (C) is a part of the processing routine executed by the second electronic control device.
 情報処理装置30の実行装置31は、第1制動ECU60向けの更新用ソフトウェアを取得すると、図9(A)に示す処理ルーチンの実行を開始する。ステップS81において、実行装置31は、実行装置の制御モードを通常モードから更新モードに変更することを第1制動ECU60及び第2制動ECU90の双方に要求する。 When the execution unit 31 of the information processing device 30 acquires the update software for the first brake ECU 60, it starts executing the processing routine shown in FIG. 9(A). In step S81, the execution unit 31 requests both the first brake ECU 60 and the second brake ECU 90 to change the control mode of the execution unit from the normal mode to the update mode.
 次のステップS83において、情報処理装置30の実行装置31は、モードの変更が完了した旨の通知を第1制動ECU60及び第2制動ECU90の何れをもから受信したか否かを判定する。実行装置31は、第1制動ECU60及び第2制動ECU90の何れをもから上記通知を受信している場合(S83:YES)、処理をステップS85に移行する。一方、実行装置31は、第1制動ECU60及び第2制動ECU90のうちの少なくとも一方から上記通知を受信していない場合(S83:NO)、処理をステップS81に戻す。すなわち、実行装置31は、第1制動ECU60及び第2制動ECU90の何れをもから上記通知を受信するまで、第1制動ECU60及び第2制動ECU90にモード変更を要求し続ける。 In the next step S83, the execution device 31 of the information processing device 30 determines whether or not it has received a notification from both the first brake ECU 60 and the second brake ECU 90 that the mode change has been completed. If the execution device 31 has received the notification from both the first brake ECU 60 and the second brake ECU 90 (S83: YES), the process proceeds to step S85. On the other hand, if the execution device 31 has not received the notification from at least one of the first brake ECU 60 and the second brake ECU 90 (S83: NO), the process returns to step S81. In other words, the execution device 31 continues to request the first brake ECU 60 and the second brake ECU 90 to change the mode until it receives the notification from both the first brake ECU 60 and the second brake ECU 90.
 図9(B)に示すように、ステップS181において、第1制動ECU60の実行装置61は、モード変更の要求を情報処理装置30から受信したか否かを判定する。実行装置61は、モード変更の要求を受信した場合(S181:YES)、処理をステップS183に移行する。一方、実行装置61は、モード変更の要求を受信していない場合(S181:NO)、要求を受信するまでステップS181の判定を繰り返し実行する。ステップS183において、実行装置61は、自身をリセットし、制御モードを更新モードに変更して再起動する。続いてステップS185において、実行装置61は、通常モードから更新モードへの変更が完了した旨の通知を情報処理装置30に送信する。次のステップS187において、実行装置61は、記憶装置62から更新前のソフトウェアの消去を開始する。その後、実行装置61は処理をステップS189に移行する。 As shown in FIG. 9B, in step S181, the execution device 61 of the first brake ECU 60 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 61 receives a mode change request (S181: YES), the process proceeds to step S183. On the other hand, if the execution device 61 has not received a mode change request (S181: NO), the execution device 61 repeats the judgment of step S181 until a request is received. In step S183, the execution device 61 resets itself, changes the control mode to the update mode, and restarts. Then, in step S185, the execution device 61 transmits a notification to the information processing device 30 that the change from the normal mode to the update mode has been completed. In the next step S187, the execution device 61 starts erasing the pre-update software from the storage device 62. After that, the execution device 61 proceeds to step S189.
 図9(C)に示すように、ステップS281において、第2制動ECU90の実行装置91は、モード変更の要求を情報処理装置30から受信したか否かを判定する。実行装置91は、モード変更の要求を受信した場合(S281:YES)、処理をステップS283に移行する。一方、実行装置91は、モード変更の要求を受信していない場合(S281:NO)、要求を受信するまでステップS281の判定を繰り返し実行する。ステップS283において、実行装置91は、自身をリセットし、制御モードを更新モードに変更して再起動する。続いてステップS285において、実行装置91は、通常モードから更新モードへの変更が完了した旨の通知を情報処理装置30に送信する。そして、実行装置91は処理をステップS287に移行する。 As shown in FIG. 9(C), in step S281, the execution device 91 of the second brake ECU 90 determines whether or not a mode change request has been received from the information processing device 30. If the execution device 91 receives a mode change request (S281: YES), the process proceeds to step S283. On the other hand, if the execution device 91 has not received a mode change request (S281: NO), the execution device 91 repeatedly executes the determination of step S281 until a request is received. In step S283, the execution device 91 resets itself, changes the control mode to the update mode, and restarts. Next, in step S285, the execution device 91 transmits a notification to the information processing device 30 that the change from normal mode to update mode has been completed. Then, the execution device 91 proceeds to step S287.
 図9(A)に示すように、ステップS85において、情報処理装置30の実行装置31は、計数Mとして1を設定する。すると、実行装置31は、第1制動ECU60向けの更新用ソフトウェアをN個に分割する。「N」は3以上の整数である。そして、ステップS87において、実行装置31は、N個に分割した更新用ソフトウェアのうちの1つである第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第2制動ECU90に送信する。この際、実行装置31は、暗号化された第M更新用分割ソフトウェアを、グローバルネットワーク42を介して第2制動ECU90に送信する。 As shown in FIG. 9 (A), in step S85, the execution unit 31 of the information processing device 30 sets a counter M to 1. The execution unit 31 then divides the update software for the first brake ECU 60 into N pieces, where "N" is an integer equal to or greater than 3. Then, in step S87, the execution unit 31 transmits the Mth update divided software, which is one of the N pieces of update software, to the second brake ECU 90 via the global network 42. At this time, the execution unit 31 transmits the encrypted Mth update divided software to the second brake ECU 90 via the global network 42.
 ステップS89において、情報処理装置30の実行装置31は、計数Mを1だけインクリメントする。次のステップS91において、実行装置31は、図2(A)及び図3(A)に示したステップS25と同様に、更新用分割ソフトウェアの送信が完了したか否かを判定する。実行装置31は、更新用分割ソフトウェアの送信が完了した場合(S91:YES)、処理を図2(A)及び図3(A)に示したステップS27に移行する。ステップS27以降の処理の流れは、第1実施形態の場合と同様である。一方、実行装置31は、更新用分割ソフトウェアの送信が完了していない場合(S91:NO)、処理をステップS87に戻す。すなわち、実行装置31は、更新用分割ソフトウェアの第2制動ECU90への送信を続行する。 In step S89, the execution unit 31 of the information processing device 30 increments the counter M by 1. In the next step S91, the execution unit 31 determines whether the transmission of the update split software has been completed, similar to step S25 shown in FIG. 2(A) and FIG. 3(A). If the transmission of the update split software has been completed (S91: YES), the execution unit 31 proceeds to step S27 shown in FIG. 2(A) and FIG. 3(A). The flow of processing from step S27 onwards is the same as in the first embodiment. On the other hand, if the transmission of the update split software has not been completed (S91: NO), the execution unit 31 returns the processing to step S87. That is, the execution unit 31 continues transmitting the update split software to the second brake ECU 90.
 図9(C)に示すように、ステップS287において、第2制動ECU90の実行装置91は、第M更新用分割ソフトウェアをグローバルネットワーク42から受信したか否かを判定する。実行装置91は、第M更新用分割ソフトウェアを受信した場合(S287:YES)、当該第M更新用分割ソフトウェアを第2記憶部922に書き込み、処理をステップS289に移行する。一方、実行装置91は、第M更新用分割ソフトウェアを受信していない場合(S287:NO)、第M更新用分割ソフトウェアを受信するまでステップS287の判定を繰り返し実行する。 As shown in FIG. 9(C), in step S287, the execution device 91 of the second brake ECU 90 determines whether or not the Mth update divided software has been received from the global network 42. If the execution device 91 has received the Mth update divided software (S287: YES), the execution device 91 writes the Mth update divided software to the second storage unit 922 and proceeds to step S289. On the other hand, if the execution device 91 has not received the Mth update divided software (S287: NO), the execution device 91 repeatedly executes the determination of step S287 until the Mth update divided software is received.
 ステップS289において、第2制動ECU90の実行装置91は、第2記憶部922に記憶した第M更新用分割ソフトウェアを復号する。そしてステップS291において、実行装置91は、復号した第M更新用分割ソフトウェアを、ローカルネットワーク43を介して第1制動ECU60に送信する。そして、実行装置91は処理をステップS293に移行する。 In step S289, the execution device 91 of the second brake ECU 90 decrypts the Mth update divided software stored in the second storage unit 922. Then, in step S291, the execution device 91 transmits the decrypted Mth update divided software to the first brake ECU 60 via the local network 43. Then, the execution device 91 transitions the process to step S293.
 ステップS293において、第2制動ECU90の実行装置91は、第1制動ECU60の記憶装置62のソフトウェアの更新が完了したか否かを判定する。実行装置91は、更新が完了していない場合(S293:NO)、処理をステップS287に戻す。すなわち、実行装置91は、記憶装置62のソフトウェアの更新が完了するまで、ステップS287からステップS291までの処理を繰り返し実行する。一方、実行装置91は、更新が完了した場合(S293:YES)、図2(C)及び図3(C)に示したステップS215に移行する。ステップS215以降の処理の流れは、第1実施形態の場合と同様である。 In step S293, the execution unit 91 of the second brake ECU 90 determines whether the software update of the storage device 62 of the first brake ECU 60 has been completed. If the update has not been completed (S293: NO), the execution unit 91 returns the process to step S287. That is, the execution unit 91 repeatedly executes the processes from step S287 to step S291 until the software update of the storage device 62 is completed. On the other hand, if the update has been completed (S293: YES), the execution unit 91 proceeds to step S215 shown in Figures 2 (C) and 3 (C). The process flow from step S215 onwards is the same as in the first embodiment.
 図9(B)に示すように、ステップS189において、第1制動ECU60の実行装置61は、ローカルネットワーク43を介して第2制動ECU90から復号済みの第M更新用分割ソフトウェアを受信したか否かを判定する。実行装置61は、第2制動ECU90から第M更新用分割ソフトウェアを受信した場合(S189:YES)、処理をステップS191に移行する。一方、実行装置61は、第2制動ECU90から第M更新用分割ソフトウェアを受信していない場合(S189:NO)、第2制動ECU90から第M更新用分割ソフトウェアを受信するまでステップS189の判定を繰り返し実行する。ステップS191において、実行装置61は、第2制動ECU90から受信した復号済みの第M更新用分割ソフトウェアを記憶装置62に書き込む。そして、実行装置61は処理をステップS193に移行する。 As shown in FIG. 9B, in step S189, the execution device 61 of the first brake ECU 60 determines whether or not it has received the decoded Mth update divided software from the second brake ECU 90 via the local network 43. If the execution device 61 has received the Mth update divided software from the second brake ECU 90 (S189: YES), the process proceeds to step S191. On the other hand, if the execution device 61 has not received the Mth update divided software from the second brake ECU 90 (S189: NO), the execution device 61 repeats the determination of step S189 until it receives the Mth update divided software from the second brake ECU 90. In step S191, the execution device 61 writes the decoded Mth update divided software received from the second brake ECU 90 to the storage device 62. Then, the execution device 61 proceeds to step S193.
 ステップS193において、第1制動ECU60の実行装置61は、記憶装置62のソフトウェアの更新が完了したか否かを判定する。実行装置61は、更新が完了していない場合(S193:NO)、処理をステップS189に戻す。すなわち、実行装置61は、記憶装置62のソフトウェアの更新が完了するまで、ステップS189及びステップS191の処理を繰り返し実行する。一方、実行装置61は、更新が完了した場合(S193:YES)、図2(B)及び図3(B)に示したステップS121に移行する。ステップS121以降の処理の流れは、第1実施形態の場合と同様である。 In step S193, the execution unit 61 of the first brake ECU 60 determines whether the software update of the storage device 62 has been completed. If the update has not been completed (S193: NO), the execution unit 61 returns the process to step S189. That is, the execution unit 61 repeatedly executes the processes of steps S189 and S191 until the software update of the storage device 62 is completed. On the other hand, if the update has been completed (S193: YES), the execution unit 61 proceeds to step S121 shown in Figures 2 (B) and 3 (B). The process flow from step S121 onwards is the same as in the first embodiment.
 <本実施形態の作用及び効果>
 第2電子制御装置に対応する第2制動ECU90は、記憶部として、第1記憶部921だけではなく第2記憶部922をも備えている。そのため、情報処理装置30は、暗号化された更新用ソフトウェアを、グローバルネットワーク42を介して第2制動ECU90に送信する。第2制動ECU90では、受信した更新用ソフトウェアが第2記憶部922に格納される。そして、第1制動ECU60の記憶装置62のソフトウェアを更新する場合、第2制動ECU90の実行装置91は、第2記憶部922に記憶された更新用ソフトウェアを復号し、復号済みの更新用ソフトウェアを、ローカルネットワーク43Cを介して第1制動ECU60に送信する。そして、第1制動ECU60では、ローカルネットワーク43Cを介して受信した復号済みの更新用ソフトウェアが記憶装置62に書き込まれる。 <Actions and Effects of the Present Embodiment>
The second brake ECU 90 corresponding to the second electronic control device includes not only the first storage unit 921 but also the second storage unit 922 as a storage unit. Therefore, the information processing device 30 transmits the encrypted update software to the second brake ECU 90 via the global network 42. In the second brake ECU 90, the received update software is stored in the second storage unit 922. When updating the software of the storage unit 62 of the first brake ECU 60, the execution device 91 of the second brake ECU 90 decrypts the update software stored in the second storage unit 922 and transmits the decrypted update software to the first brake ECU 60 via the local network 43C. In the first brake ECU 60, the decrypted update software received via the local network 43C is written to the storage unit 62.
 ここで、ローカルネットワーク43Cの通信速度は、グローバルネットワーク42の通信速度よりも高い。
 そのため、更新用ソフトウェアを、ローカルネットワーク43を介して第1制動ECU60に送信する分、第1制動ECU60の記憶装置62のソフトウェアの更新に要する時間を短くできる。 Here, the communication speed of the local network 43C is higher than the communication speed of the global network 42.
Therefore, the time required to update the software in the storage device 62 of the first brake ECU 60 can be shortened by the time required to transmit the update software to the first brake ECU 60 via the local network 43 .
 <変更例>
 上記複数の実施形態は、以下のように変更して実施することができる。上記複数の実施形態及び以下の変更例は、技術的に矛盾しない範囲で互いに組み合わせて実施することができる。 <Example of change>
The above-described embodiments may be modified as follows: The above-described embodiments and the following modifications may be combined with each other to the extent that they are not technically inconsistent.
 ・第4実施形態において、第2制動ECU90の第2記憶部922の記憶容量が大きいのであれば、情報処理装置30は、更新用ソフトウェアを分割することなく第2制動ECU90に送信してもよい。 - In the fourth embodiment, if the storage capacity of the second storage unit 922 of the second brake ECU 90 is large, the information processing device 30 may transmit the update software to the second brake ECU 90 without dividing it.
 ・上記複数の実施形態において、情報処理装置30が更新用ソフトウェアを分割する数である分割数Nは、2以上の偶数であれば、2以外であってもよい。
 ・上記複数の実施形態において、情報処理装置30が更新用ソフトウェアを分割する数である分割数Nは、2以上であれば奇数であってもよい。例えば第1実施形態において、第2制動ECU70の実行装置71がステップS207の判定を繰り返している間に、情報処理装置30によるN個の更新用分割ソフトウェアの送信が完了することがある。このような場合、第2制動ECU70の実行装置71は、制御モードを通常モードに戻すことが情報処理装置30から要求されたことを契機に、処理をステップS215に移行するとよい。 In the above embodiments, the division number N, which is the number into which the information processing device 30 divides the update software, may be any even number other than 2 as long as it is equal to or greater than 2.
In the above embodiments, the division number N, which is the number into which the information processing device 30 divides the update software, may be an odd number equal to or greater than 2. For example, in the first embodiment, while the execution device 71 of the second brake ECU 70 is repeating the determination of step S207, the information processing device 30 may complete transmission of N pieces of update divided software. In such a case, the execution device 71 of the second brake ECU 70 may transition to step S215 in response to a request from the information processing device 30 to return the control mode to the normal mode.
 ・第3実施形態において、ECU80が備える実行装置の数は3つ以上であってもよい。例えばECU80が第3実行装置も備えている場合、第1更新用分割ソフトウェアA1を第1実行装置81Aが復号しており、且つ第2更新用分割ソフトウェアA2を第2実行装置81Bが復号している間では、第3実行装置は、第3更新用分割ソフトウェアA3を復号することもできる。 - In the third embodiment, the number of execution devices provided in the ECU 80 may be three or more. For example, if the ECU 80 also includes a third execution device, while the first execution device 81A is decrypting the first update divided software A1 and the second execution device 81B is decrypting the second update divided software A2, the third execution device can also decrypt the third update divided software A3.
 ・上記第2実施形態では、更新対象ECU(第1ECU)とはローカルネットワークを介して通信できるECUの数は1つのみである。しかし、第1ECUとはローカルネットワークを介して通信できるECUの数は2以上であってもよい。第1ECUとはローカルネットワークを介して通信できるECUとして、第2ECUと第3ECUとが設けられている場合を例にして説明する。この場合、情報処理装置30は、3つの更新用分割ソフトウェアを更新対象ECUに送信することもできる。すると、更新対象ECUは、3つの更新用分割ソフトウェアのうち、第2更新用分割ソフトウェアA2を、ローカルネットワークを介して第2ECUに送信し、第3更新用分割ソフトウェアA3を、ローカルネットワークを介して第3ECUに送信する。第2ECU及び第3ECUでは、ローカルネットワークを介して受信した更新用分割ソフトウェアが復号され、復号済みの更新用分割ソフトウェアがローカルネットワークを介して第1ECUに送信される。第1ECUでは、3つの更新用分割ソフトウェアのうちの第1更新用分割ソフトウェアA1が復号され、当該第1更新用分割ソフトウェアA1が自身の記憶装置に書き込まれる。また、第1ECUでは、ローカルネットワークを介して受信した復号済みの更新用分割ソフトウェアも自身の記憶装置に書き込まれる。 - In the second embodiment, the number of ECUs that can communicate with the ECU to be updated (first ECU) via the local network is only one. However, the number of ECUs that can communicate with the first ECU via the local network may be two or more. An example will be described in which a second ECU and a third ECU are provided as ECUs that can communicate with the first ECU via the local network. In this case, the information processing device 30 can also transmit three pieces of update split software to the ECU to be updated. Then, of the three pieces of update split software, the ECU to be updated transmits the second update split software A2 to the second ECU via the local network, and transmits the third update split software A3 to the third ECU via the local network. The second ECU and the third ECU decrypt the update split software received via the local network, and transmit the decrypted update split software to the first ECU via the local network. The first ECU decrypts the first update split software A1 of the three pieces of update split software, and writes the first update split software A1 to its own storage device. Additionally, the first ECU writes the decrypted update split software received via the local network to its own storage device.
 ・上記第1実施形態では、更新対象ECU(第1ECU)とはローカルネットワークを介して通信できるECUの数は1つのみである。しかし、第1ECUとはローカルネットワークを介して通信できるECUの数は2以上であってもよい。第1ECUとはローカルネットワークを介して通信できるECUとして、第2ECUと第3ECUとが設けられている場合を例にして説明する。この場合、情報処理装置30は、第1更新用分割ソフトウェアA1を第1ECUに送信し、第2更新用分割ソフトウェアA2を第2ECUに送信し、第3更新用分割ソフトウェアA3を第3ECUに送信する。第1ECUでは、第1更新用分割ソフトウェアA1が復号され、当該第1更新用分割ソフトウェアA1が自身の記憶装置に書き込まれる。第2ECU及び第3ECUでは、グローバルネットワーク42を介して受信した更新用分割ソフトウェアが復号され、復号済みの更新用分割ソフトウェアがローカルネットワークを介して第1ECUに送信される。すると、第1ECUでは、ローカルネットワークを介して受信した復号済みの更新用分割ソフトウェアも自身の記憶装置に書き込まれる。 In the first embodiment, the number of ECUs that can communicate with the ECU to be updated (first ECU) via the local network is only one. However, the number of ECUs that can communicate with the first ECU via the local network may be two or more. An example will be described in which a second ECU and a third ECU are provided as ECUs that can communicate with the first ECU via the local network. In this case, the information processing device 30 transmits the first update divided software A1 to the first ECU, transmits the second update divided software A2 to the second ECU, and transmits the third update divided software A3 to the third ECU. In the first ECU, the first update divided software A1 is decrypted and the first update divided software A1 is written to its own storage device. In the second ECU and the third ECU, the update divided software received via the global network 42 is decrypted, and the decrypted update divided software is sent to the first ECU via the local network. Then, in the first ECU, the decrypted update divided software received via the local network is also written to its own storage device.
 ・上記複数の実施形態では、更新対象ECUが、車両10で発生する制動力を調整する制動ECUである場合について説明したが、これに限らない。グローバルネットワーク42を介して情報処理装置30と通信できるECUであれば、制動ECU以外のECUを更新対象ECUとしてもよい。例えば、エンジンや走行用モータなどの車両10の動力源を制御する駆動ECUを、更新対象ECUとしてもよいし、車輪の舵角を調整するアクチュエータを制御するECUを更新対象ECUとしてもよい。また、ADASECUを更新対象ECUとしてもよい。「ADAS」とは「先進運転支援システム」である。 - In the above embodiments, the ECU to be updated is a braking ECU that adjusts the braking force generated by the vehicle 10, but this is not limited to the above. Any ECU other than a braking ECU may be the ECU to be updated as long as it is capable of communicating with the information processing device 30 via the global network 42. For example, a drive ECU that controls the power source of the vehicle 10, such as an engine or a driving motor, may be the ECU to be updated, or an ECU that controls an actuator that adjusts the steering angle of the wheels may be the ECU to be updated. In addition, an ADASECU may be the ECU to be updated. "ADAS" stands for "Advanced Driver Assistance System."
 ・制御システムを構成する情報処理装置30及びECUは、CPUとROMとを備えて、ソフトウェア処理を実行するものに限らない。すなわち、情報処理装置30及びECUは、以下(a)~(c)の何れかの構成であればよい。 The information processing device 30 and ECU that make up the control system are not limited to those equipped with a CPU and ROM and that execute software processing. In other words, the information processing device 30 and ECU may have any of the following configurations (a) to (c).
 (a)コンピュータプログラムに従って各種処理を実行する一つ以上のプロセッサを備えていること。プロセッサは、CPU並びに、RAM及びROMなどのメモリを含んでいる。メモリは、処理をCPUに実行させるように構成されたプログラムコード又は指令を格納している。メモリ、すなわちコンピュータ可読媒体は、汎用又は専用のコンピュータでアクセスできるあらゆる利用可能な媒体を含んでいる。 (a) Having one or more processors that execute various processes according to a computer program. The processor includes a CPU and memory such as RAM and ROM. The memory stores program code or instructions configured to cause the CPU to execute processes. Memory, i.e., computer-readable media, includes any available media that can be accessed by a general-purpose or special-purpose computer.
 (b)各種処理を実行する一つ以上の専用のハードウェア回路を備えていること。専用のハードウェア回路としては、例えば、特定用途向け集積回路、すなわちASIC又はFPGAを挙げることができる。なお、ASICは、「Application Specific Integrated Circuit」の略記であり、FPGAは、「Field Programmable Gate Array」の略記である。 (b) Equipped with one or more dedicated hardware circuits that execute various processes. Examples of dedicated hardware circuits include application specific integrated circuits, i.e. ASIC or FPGA. ASIC is an abbreviation for "Application Specific Integrated Circuit" and FPGA is an abbreviation for "Field Programmable Gate Array."
 (c)各種処理の一部をコンピュータプログラムに従って実行するプロセッサと、各種処理のうちの残りの処理を実行する専用のハードウェア回路とを備えていること。
 なお、本明細書において使用される「少なくとも1つ」という表現は、所望の選択肢の「1つ以上」を意味する。一例として、本明細書において使用される「少なくとも1つ」という表現は、選択肢の数が2つであれば「1つの選択肢のみ」又は「2つの選択肢の双方」を意味する。他の例として、本明細書において使用される「少なくとも1つ」という表現は、選択肢の数が3つ以上であれば「1つの選択肢のみ」又は「2つ以上の任意の選択肢の組み合わせ」を意味する。 (c) Equipped with a processor that executes part of the various processes in accordance with a computer program, and a dedicated hardware circuit that executes the remaining part of the various processes.
The term "at least one" used in this specification means "one or more" of the desired options. As an example, the term "at least one" used in this specification means "only one option" or "both of two options" if the number of options is two. As another example, the term "at least one" used in this specification means "only one option" or "any combination of two or more options" if the number of options is three or more.
 <他の技術的思想>
 上記複数の実施形態及び変更例から把握できる技術的思想を付記として記載する。
 (付記1)車両の外部から無線通信によって当該車両に送信された更新用ソフトウェアを取得する情報処理装置と、
 複数の電子制御装置と、
 前記複数の電子制御装置と前記情報処理装置とを通信可能な状態で接続するグローバルネットワークと、
 前記複数の電子制御装置のうちの第1電子制御装置と第2電子制御装置との間のみで情報の送受信を行うためのローカルネットワークと、を備え、
 前記ローカルネットワークの通信速度は、前記グローバルネットワークの通信速度よりも速く、
 前記第1電子制御装置は、第1実行装置と、同第1実行装置が実行するソフトウェアが書き込まれた記憶装置と、を有し、
 前記第2電子制御装置は、第2実行装置と、同第2実行装置が実行するソフトウェアが書き込まれた第1記憶部と、同第2実行装置が実行するソフトウェアが書き込まれていない第2記憶部と、を有し、
 前記第1電子制御装置の前記記憶装置のソフトウェアを、前記情報処理装置が取得した前記第1電子制御装置向けの更新用ソフトウェアに更新する場合、
   前記情報処理装置は、前記更新用ソフトウェアを、前記グローバルネットワークを介して前記第2電子制御装置に送信し、
  前記第2実行装置は、前記グローバルネットワークを介して受信した前記更新用ソフトウェアを前記第2記憶部に書き込み、当該第2記憶部に書き込んだ前記更新用ソフトウェアを復号し、復号済みの当該更新用ソフトウェアを、前記ローカルネットワークを介して前記第1電子制御装置に送信し、
  前記第1実行装置は、前記ローカルネットワークを介して受信した更新用ソフトウェアを前記記憶装置に書き込む、制御システム。 <Other technical ideas>
The technical ideas that can be understood from the above-described embodiments and modifications will be described as supplementary notes.
(Supplementary Note 1) An information processing device that acquires update software transmitted to the vehicle from outside the vehicle via wireless communication;
A plurality of electronic control units;
a global network that connects the plurality of electronic control devices and the information processing device in a communicable state;
a local network for transmitting and receiving information only between a first electronic control unit and a second electronic control unit among the plurality of electronic control units,
the communication speed of the local network is faster than the communication speed of the global network;
The first electronic control unit has a first execution device and a storage device in which software executed by the first execution device is written,
the second electronic control unit has a second execution device, a first storage unit in which software to be executed by the second execution device is written, and a second storage unit in which the software to be executed by the second execution device is not written,
When updating the software of the storage device of the first electronic control device to update software for the first electronic control device acquired by the information processing device,
The information processing device transmits the update software to the second electronic control device via the global network,
the second execution device writes the update software received via the global network into the second storage unit, decrypts the update software written in the second storage unit, and transmits the decrypted update software to the first electronic control device via the local network;
The first execution device writes the update software received via the local network into the storage device.
 第2電子制御装置は、記憶部として、第1記憶部だけではなく第2記憶部をも備えている。そのため、情報処理装置は、暗号化された更新用ソフトウェアを、グローバルネットワークを介して第2電子制御装置に送信する。第2電子制御装置では、受信した更新用ソフトウェアが第2記憶部に格納される。そして、第1電子制御装置の記憶装置のソフトウェアを更新する場合、第2電子制御装置の実行装置は、第2記憶部に記憶された更新用ソフトウェアを復号し、復号済みの更新用ソフトウェアを、ローカルネットワークを介して第1電子制御装置に送信する。ローカルネットワークの通信速度は、グローバルネットワークの通信速度よりも高い。そのため、更新用ソフトウェアを、ローカルネットワークを介して第1電子制御装置に送信する分、第1電子制御装置の記憶装置のソフトウェアの更新に要する時間を短くできる。
  The second electronic control device has not only a first memory unit but also a second memory unit as a memory unit. Therefore, the information processing device transmits the encrypted update software to the second electronic control device via the global network. In the second electronic control device, the received update software is stored in the second memory unit. Then, when updating the software in the memory device of the first electronic control device, the execution device of the second electronic control device decrypts the update software stored in the second memory unit and transmits the decrypted update software to the first electronic control device via the local network. The communication speed of the local network is higher than the communication speed of the global network. Therefore, the time required to update the software in the memory device of the first electronic control device can be shortened by the amount of time required to transmit the update software to the first electronic control device via the local network.

Claims (6)

  1.  車両の外部から無線通信によって前記車両に送信された更新用ソフトウェアを取得する情報処理装置と、複数の電子制御装置と前記情報処理装置とを通信可能に接続するグローバルネットワークと、を備え、
     前記複数の電子制御装置のうちの第1電子制御装置が備える記憶装置のソフトウェアを更新可能に構成された制御システムであって、
     第1実行装置及び第2実行装置を備え、
     前記第1電子制御装置の前記記憶装置のソフトウェアを、前記情報処理装置が取得した前記第1電子制御装置向けの更新用ソフトウェアに更新する場合、
      前記情報処理装置は、前記更新用ソフトウェアを複数に分割し、分割した更新用ソフトウェアを、暗号化された状態で前記グローバルネットワークに送信し、
      前記第1実行装置は、前記情報処理装置が分割して前記グローバルネットワークに送信した更新用ソフトウェアのうちの1つである第1更新用分割ソフトウェアを復号し、
      前記第2実行装置は、前記情報処理装置が分割して前記グローバルネットワークに送信した更新用ソフトウェアのうちの1つである第2更新用分割ソフトウェアを復号し、
      前記第1実行装置が復号した前記第1更新用分割ソフトウェア、及び、前記第2実行装置が復号した前記第2更新用分割ソフトウェアの各々を、前記第1電子制御装置の前記記憶装置に書き込む
     制御システム。     An information processing device that acquires update software transmitted to the vehicle from outside the vehicle by wireless communication; and a global network that communicatively connects a plurality of electronic control devices and the information processing device,
    A control system configured to be able to update software of a storage device included in a first electronic control device among the plurality of electronic control devices,
    A first execution device and a second execution device,
    When updating the software of the storage device of the first electronic control device to update software for the first electronic control device acquired by the information processing device,
    the information processing device divides the update software into a plurality of pieces, and transmits the divided update software in an encrypted state to the global network;
    the first execution device decrypts a first divided update software, which is one of the update software pieces divided and transmitted to the global network by the information processing device;
    the second execution device decrypts a second divided update software, which is one of the update software pieces divided and transmitted to the global network by the information processing device;
    a control system that writes, into the storage device of the first electronic control device, each of the first update divided software decrypted by the first execution device and the second update divided software decrypted by the second execution device.
  2.  前記第1実行装置は前記第1電子制御装置の実行装置であり、
     前記第2実行装置は、前記複数の電子制御装置のうちの第2電子制御装置の実行装置であり、
     前記制御システムは、前記第1電子制御装置と前記第2電子制御装置との間のみで情報の送受信を行うためのローカルネットワークをさらに備え、
     前記第2実行装置は、前記第2電子制御装置が受信した前記第2更新用分割ソフトウェアを復号し、復号済みの当該第2更新用分割ソフトウェアを、前記ローカルネットワークを介して前記第1電子制御装置に送信し、
     前記第1実行装置は、前記第1電子制御装置が受信した前記第1更新用分割ソフトウェアの復号と、復号済みの前記第1更新用分割ソフトウェアの前記記憶装置への書き込みと、前記ローカルネットワークを介して受信した前記第2更新用分割ソフトウェアの前記記憶装置への書き込みと、を実行する
     請求項1に記載の制御システム。     the first execution unit is an execution unit of the first electronic control unit;
    the second execution device is an execution device of a second electronic control device among the plurality of electronic control devices;
    The control system further includes a local network for transmitting and receiving information only between the first electronic control unit and the second electronic control unit,
    the second execution device decrypts the second update divided software received by the second electronic control device and transmits the decrypted second update divided software to the first electronic control device via the local network;
    The control system of claim 1, wherein the first execution device decrypts the first update split software received by the first electronic control device, writes the decrypted first update split software to the storage device, and writes the second update split software received via the local network to the storage device.
  3.  前記情報処理装置は、前記第1更新用分割ソフトウェアを、前記グローバルネットワークを介して前記第1電子制御装置に送信すること、及び、前記第2更新用分割ソフトウェアを、前記グローバルネットワークを介して前記第2電子制御装置に送信することを実行し、
     前記第1実行装置は、自身が復号した前記第1更新用分割ソフトウェアを前記記憶装置に書き込んだ後、前記第2電子制御装置が前記ローカルネットワークを介して前記第1電子制御装置に送信した前記第2更新用分割ソフトウェアを前記記憶装置に書き込む
     請求項2に記載の制御システム。     the information processing device transmits the first update divided software to the first electronic control unit via the global network, and transmits the second update divided software to the second electronic control unit via the global network;
    The control system described in claim 2, wherein the first execution device writes the first update split software that it has decrypted into the storage device, and then writes the second update split software that the second electronic control device sent to the first electronic control device via the local network into the storage device.
  4.  前記情報処理装置は、前記第2更新用分割ソフトウェアの前記記憶装置への書き込みが完了した後、分割した更新用ソフトウェアのうちの1つである第3更新用分割ソフトウェアを、前記グローバルネットワークを介して前記第1電子制御装置に送信し、
     前記第1実行装置は、前記第2更新用分割ソフトウェアの前記記憶装置への書き込みが完了した後に、前記第3更新用分割ソフトウェアを復号し、当該第3更新用分割ソフトウェアを前記記憶装置に書き込む
     請求項3に記載の制御システム。     after writing of the second divided software update to the storage device is completed, the information processing device transmits a third divided software update, which is one of the divided software updates, to the first electronic control unit via the global network;
    The control system of claim 3 , wherein the first execution device decrypts the third update split software and writes the third update split software to the storage device after writing of the second update split software to the storage device is completed.
  5.  前記情報処理装置は、前記第1更新用分割ソフトウェア及び前記第2更新用分割ソフトウェアの何れをも、前記グローバルネットワークを介して前記第1電子制御装置に送信し、
     前記第1実行装置は、
     前記グローバルネットワークを介して受信した前記第1更新用分割ソフトウェアを復号し、当該第1更新用分割ソフトウェアを前記記憶装置に書き込み、
     前記グローバルネットワークを介して受信した前記第2更新用分割ソフトウェアを、前記ローカルネットワークを介して前記第2電子制御装置に送信し、
     前記ローカルネットワークを介して前記第2電子制御装置から受信した前記第2更新用分割ソフトウェアを前記記憶装置に書き込み、
     前記第2実行装置は、前記ローカルネットワークを介して前記第1電子制御装置から受信した前記第2更新用分割ソフトウェアを復号し、復号済みの当該第2更新用分割ソフトウェアを、前記ローカルネットワークを介して前記第1電子制御装置に送信する
     請求項2に記載の制御システム。     the information processing device transmits both the first update divided software and the second update divided software to the first electronic control device via the global network;
    The first execution device is
    decrypting the first update divided software received via the global network and writing the first update divided software into the storage device;
    The second update divided software received via the global network is transmitted to the second electronic control unit via the local network;
    writing the second update divided software received from the second electronic control unit via the local network into the storage device;
    The control system described in claim 2, wherein the second execution device decrypts the second update split software received from the first electronic control device via the local network, and transmits the decrypted second update split software to the first electronic control device via the local network.
  6.  前記第1電子制御装置が、前記第1実行装置及び前記第2実行装置を有し、
     前記第1実行装置は、前記第1更新用分割ソフトウェアを復号し、当該第1更新用分割ソフトウェアを前記記憶装置に書き込み、
     前記第2実行装置は、前記第2更新用分割ソフトウェアを復号し、当該第2更新用分割ソフトウェアを前記記憶装置に書き込む
     請求項1に記載の制御システム。     the first electronic control unit has the first execution unit and the second execution unit,
    the first execution device decrypts the first update divided software and writes the first update divided software into the storage device;
    The control system according to claim 1 , wherein the second execution device decrypts the second update divided software and writes the second update divided software into the storage device.
PCT/JP2023/031869 2022-09-27 2023-08-31 Control system WO2024070483A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2022-153828 2022-09-27
JP2022153828A JP2024048009A (en) 2022-09-27 2022-09-27 Control System

Publications (1)

Publication Number Publication Date
WO2024070483A1 true WO2024070483A1 (en) 2024-04-04

Family

ID=90477359

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/031869 WO2024070483A1 (en) 2022-09-27 2023-08-31 Control system

Country Status (2)

Country Link
JP (1) JP2024048009A (en)
WO (1) WO2024070483A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015146520A (en) * 2014-02-03 2015-08-13 株式会社デンソー relay system
WO2022130700A1 (en) * 2020-12-16 2022-06-23 日立Astemo株式会社 Electronic control device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015146520A (en) * 2014-02-03 2015-08-13 株式会社デンソー relay system
WO2022130700A1 (en) * 2020-12-16 2022-06-23 日立Astemo株式会社 Electronic control device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TAKESHI FUKUNAGA, KEI HIRAKI: "Fast single stream secure transport using AES-CTR mode", IEICE TECHNICAL REPORT, CPSY, IEICE, JP, vol. 115, no. 174 (CPSY2015-27), 11 September 2015 (2015-09-11), JP, pages 137 - 142, XP009553843 *

Also Published As

Publication number Publication date
JP2024048009A (en) 2024-04-08

Similar Documents

Publication Publication Date Title
US20180341476A1 (en) Software updating device, software updating system, and software updating method
JP2022550446A (en) Customized root process for individual applications
JP2024015111A (en) Software update device, update control method, update control program, and ota master
WO2024070483A1 (en) Control system
US11995429B2 (en) Software update device, update control method, non-transitory storage medium, and server
JP7452452B2 (en) OTA master, software update control method and update control program, vehicle equipped with OTA master
JP2022187646A (en) Ota master, system, method, program, and vehicle
US11281455B2 (en) Apparatus for over the air update for vehicle and method therefor
WO2024062897A1 (en) Control system and software update method
JP7380468B2 (en) Software update device, update control method, update control program, server, OTA master and center
US11972248B2 (en) Controlling software update of electronic control units mounted on a vehicle
WO2024062898A1 (en) Brake control device, and software updating method
US11947950B2 (en) Center, OTA master, method, non-transitory storage medium, and vehicle
US20220405083A1 (en) Ota master, system, method, non-transitory storage medium, and vehicle
US20220391193A1 (en) Ota master, system, method, non-transitory storage medium, and vehicle
US11954480B2 (en) Center, OTA master, system, method, non-transitory storage medium, and vehicle
US11947951B2 (en) Center, distribution control method, and non-transitory storage medium
JP7355061B2 (en) Center, OTA master, system, distribution method, distribution program, and vehicle
JP7484814B2 (en) Vehicle electronic control device and update program
WO2022244588A1 (en) Electronic control device for vehicles, updating program, and data structure
JP2022170949A (en) Control device and data rewriting method
JP2024048008A (en) Electronic control device and software update method
JP2022126194A (en) Ota master, center, system, method, program, and vehicle
JP2024005741A (en) Electronic control unit, vehicle control system, and vehicle control method
JP2022109039A (en) Center, update management method, and update management program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23871723

Country of ref document: EP

Kind code of ref document: A1